Checking Timed Bisimulation with Bounded Zone-History Graphs -- Technical Report
Lars Luthmann, Hendrik Göttmann, Isabelle Bacher, Malte Lochau
arXiv [cs.FL], Sep. © L. Luthmann, H. Göttmann, I. Bacher, and M. Lochau. This work is licensed under the Creative Commons Attribution License.
Lars Luthmann*, Real-Time Systems Lab, TU Darmstadt, Germany, [email protected]
Hendrik Göttmann, Real-Time Systems Lab, TU Darmstadt, Germany, [email protected]
Isabelle Bacher, Real-Time Systems Lab, TU Darmstadt, Germany, [email protected]
Malte Lochau*, Model-based Engineering Group, University of Siegen, Germany, [email protected]
Timed automata (TA) are a well-established formalism for specifying discrete-state/continuous-time behavior of time-critical reactive systems. Concerning the fundamental analysis problem of comparing a candidate implementation against a specification, both given as TA, it has been shown that timed trace equivalence is undecidable, whereas timed bisimulation equivalence is decidable. The corresponding proof utilizes region graphs, a finite, but generally very space-consuming characterization of TA semantics. Hence, most practical TA tools utilize zone graphs instead, a symbolic and generally more efficient representation of TA semantics, to automate analysis tasks. However, zone graphs only produce sound results for analysis tasks that are reducible to plain reachability problems and are thus too imprecise for checking timed bisimilarity. In this paper, we propose bounded zone-history graphs, a novel characterization of TA semantics facilitating an adjustable trade-off between precision and scalability of timed-bisimilarity checking. Our tool TimBrCheck is, to the best of our knowledge, the only currently available tool for effectively checking timed bisimilarity and even supports non-deterministic TA with silent moves. We further present experimental results gained from applying our tool to a collection of community benchmarks, providing insights into trade-offs between precision and efficiency, depending on the bound value.
Background and Motivation.
Timed automata (TA) are frequently used to specify discrete-state/continuous-time behavior of time-critical reactive (software) systems [2, 7]. TA therefore extend labeled state-transition graphs of classical automata models by a set C of clocks constituting constantly and synchronously increasing, yet independently resettable numerical read-only variables. Clock values are referenced within clock constraints in order to specify boundaries for time intervals to be satisfied by occurrences of actions in valid runs of a TA model. A fundamental analysis problem arises from the comparison of a candidate implementation against a specification, both given as TA. It has been shown that timed trace inclusion is undecidable, whereas timed (bi-)simulation is decidable, thus making timed bisimilarity a particularly useful equivalence notion for verifying time-critical behaviors [9, 27]. The original proof is based on region graphs, a finite, but generally very space-consuming representation of TA semantics (i.e., having O(|C|! · k^|C|) many regions, where k is the maximum constant occurring in a clock constraint). Instead, most recent practical TA analysis tools use zone graphs, constituting a symbolic and, on average, more efficient representation of TA semantics as compared to region graphs. However, zone graphs only produce sound results for analysis tasks that are reducible to plain (location-)reachability problems and are thus too imprecise for checking timed bisimilarity [28].

* This work was funded by the Hessian LOEWE initiative within the Software-Factory 4.0 project.
Conceptual Contributions.
In this paper, we propose a novel characterization of TA semantics, called bounded zone-history graphs. Zone histories enrich plain zone graphs exactly by the additional information required for sound timed-bisimilarity checking, yet still yield a finite representation of TA semantics. However, in order to control the size of bounded zone-history graphs in case of larger input models, our approach further incorporates a bound parameter b to restrict the length of histories. This bound parameter thus facilitates an adjustable trade-off between precision and scalability of timed-bisimilarity checking. Our technique further handles non-deterministic TA and supports weak and strong bisimilarity of non-deterministic timed (safety) automata with silent τ-moves.

Tool Support and Reproducibility.

Our tool TimBrCheck supports the UPPAAL file format for input models and is available on our complementary web page. This web page also contains all experimental data and further information for reproducing the evaluation results. Additionally, we provide a rich collection of test cases (i.e., pairs of input models) constituting particularly sophisticated TA fragments which we used to exhaustively test our tool implementation.

Experimental Evaluation.

Our experimental results gained from applying TimBrCheck to a collection of community benchmarks [3, 21, 19, 10, 15] provide insights into trade-offs between precision and efficiency of checking timed bisimilarity using bounded zone-history graphs. In particular, our results indicate that a value of 3 for bound parameter b appears to be a reasonable trade-off between precision and scalability for the subject systems under consideration. Moreover, as expected, checking TA with non-deterministic behavior requires considerably more computational effort than deterministic cases.

Related Work.

The notion of timed bisimulation goes back to the works of Moller and Tofts [22] as well as Yi [29], both originally defined on real-time extensions of the process algebra CCS. Similarly, Nicollin and Sifakis [23] define timed bisimulation on ATP (Algebra of Timed Processes). However, none of these works initially incorporated a technique for effectively checking bisimilarity. The pioneering work of Čerāns [9] includes the first decidability proof of timed bisimulation on TA, by providing a finite characterization of bisimilarity checking on a finite representation of TA semantics, called region graphs. The improved (i.e., less space-consuming) approach of Weise and Lenzkes [28] employs a variation of zone graphs, called FBS graphs, which also builds the basis for our notion of zone-history graphs. Guha et al. [14, 12] also follow a zone-based approach for bisimilarity checking on TA as well as the weaker notion of timed prebisimilarity, by employing so-called zone-valuation graphs and the notion of spans as also used in our approach. Moreover, Tanimoto et al. [26] employ timed bisimulation to check if a given behavioral abstraction preserves time-critical system behavior. Nevertheless, all these approaches neither facilitate an adjustable trade-off between precision and scalability for checking timed bisimilarity nor provide any practical tool support. The only currently available tool for checking timed bisimilarity we are aware of is called CAAL [4] which is, however, inherently incomplete as it does not utilize a finite representation of TA semantics.

In this section, we introduce the notational foundations of timed automata and timed bisimulation.
Syntax. A timed automaton (TA) consists of a finite state-transition graph whose states are called locations (including a distinguished initial location) and whose edges, denoting transitions between locations, are called switches [2]. Switches are either labeled with names from a finite alphabet Σ of visible actions, or by a distinguished symbol τ ∉ Σ, denoting internal actions (silent moves). We range over Σ by σ and over Στ = Σ ∪ {τ} by µ. A TA further consists of a finite set C of clocks, defined over a numerical clock domain T_C (e.g., T_C = ℕ for modeling discrete time and T_C = ℝ⁺ for modeling dense time), where we consider T_C = ℕ in all upcoming examples. Clocks may be considered as constantly and synchronously increasing yet independently resettable variables over T_C. Clocks allow for measuring and restricting time intervals corresponding to durations of actions, or delays between occurrences of actions, in valid runs of a TA. Those restrictions are expressed by clock constraints ϕ to denote guards for switches and invariants for locations. Guards restrict time intervals in which particular switches are enabled, whereas invariants restrict time intervals in which TA runs are permitted to reside in particular locations. In addition, each switch is labeled with a subset of clocks R ⊆ C to be reset.

Definition 1 (Timed Automaton). A TA is a tuple (L, ℓ, Σ, C, I, E), where
• L is a finite set of locations with initial location ℓ ∈ L,
• Σ is a finite set of actions such that τ ∉ Σ,
• C is a finite set of clocks such that C ∩ Στ = ∅,
• I : L → B(C) is a function assigning invariants to locations, and
• E ⊆ L × B(C) × Στ × 2^C × L is a relation defining switches.
The set B(C) of clock constraints ϕ over C is inductively defined as ϕ := true | c ∼ n | c − c′ ∼ n | ϕ ∧ ϕ, where ∼ ∈ {<, ≤, ≥, >}, c, c′ ∈ C, n ∈ T_C. We denote TA defined over sets C and Σ by A, where we may omit explicit mention of C and/or Σ if clear from the context.
We further denote switches (ℓ, g, µ, R, ℓ′) ∈ E by ℓ -g,µ,R-> ℓ′ for convenience. Clock constraints contain neither an equality nor a disjunction operator as both are equivalently expressible by the given grammar (e.g., a switch guard x = 2 is expressible as x ≤ 2 ∧ x ≥ 2, and a disjunctive guard x < n ∨ x > 2 by two separate switches guarded by x < n and x > 2, respectively). Moreover, we consider diagonal-free TA with clock constraints only containing atomic constraints of the form c ∼ n, as for every TA a language-equivalent diagonal-free TA can be constructed [8]. Hence, we include difference constraints c − c′ ∼ n in B(C) solely for the sake of a concise representation of our subsequent constructions. Similarly, we assume location invariants other than true to be downward-closed (i.e., only having clauses of the form c ≤ n or c < n). However, as two actual restrictions, we limit our considerations to (1) constants n ∈ ℚ, as real-valued bounds would obstruct fundamental decidability properties of TA, as well as to (2) so-called timed safety automata not including distinguished acceptance locations for employing Büchi accepting-trace semantics for infinite TA runs [17, 2].

Semantics.
The operational semantics of a given TA, defining all its valid (timed) runs, may be defined in terms of Timed Labeled Transition Systems (TLTS) [16]. A TLTS state is a pair ⟨ℓ, u⟩ of active location ℓ ∈ L and clock valuation u ∈ C → T_C assigning to each clock c ∈ C the amount of time u(c) elapsed since the last reset of c. Thereupon, TLTS comprise two kinds of transitions: (1) passage of time of duration d ∈ T_C while (inactively) residing in location ℓ, leading to an updated clock valuation u′, and (2) instantaneous executions of switches ℓ -g,µ,R-> ℓ′, leading from location ℓ to ℓ′, accompanied by an occurrence of action µ ∈ Στ. Given clock valuation u, by u + d with d ∈ T_C we denote the updated clock valuation mapping each clock c ∈ C to the new value u(c) + d. By [R]u, with R ⊆ C, we further denote the updated clock valuation mapping each clock c ∈ R to value 0 (clock reset) while preserving the values u(c′) of all other clocks c′ ∈ C \ R. Finally, by u ∈ ϕ we denote that clock valuation u satisfies clock constraint ϕ ∈ B(C). Concerning τ-labeled transitions, we distinguish between strong and weak TLTS semantics, where τ-transitions are invisible in the latter case.

Definition 2 (Timed Labeled Transition System). The TLTS of TA A over Σ is a tuple (S, s, Σ̂, →), where
• S = L × (C → T_C) is a set of states with initial state s = ⟨ℓ, [C]⟩ ∈ S,
• Σ̂ = Σ ∪ ∆ is a set of transition labels, where ∆ = T_C with (Σ ∪ {τ}) ∩ ∆ = ∅, and
• → ⊆ S × (Σ̂ ∪ {τ}) × S is a set of strong transitions being the least relation satisfying the rules:
  – ⟨ℓ, u⟩ -d-> ⟨ℓ, u + d⟩ if (u + d) ∈ I(ℓ) for d ∈ T_C, and
  – ⟨ℓ, u⟩ -µ-> ⟨ℓ′, u′⟩ if ℓ -g,µ,R-> ℓ′, u ∈ g, u′ = [R]u, u′ ∈ I(ℓ′) and µ ∈ (Σ ∪ {τ}).
By ⇒ ⊆ S × Σ̂ × S, we denote a set of weak transitions being the least relation satisfying the rules:
• s =σ=> s′ if s (-τ->)ⁿ -σ-> (-τ->)ᵐ s′ with n, m ∈ ℕ,
• s =d=> s′ if s -d-> s′,
• s ==> s′ if s (-τ->)ⁿ s′ with n ∈ ℕ, and
• s =d+d′=> s′ if s =d=> s′′ and s′′ =d′=> s′.

We only consider TA with strongly convergent TLTS (i.e., without infinite τ-sequences) and refer to the TLTS semantics of TA A as S_A or simply as S if clear from the context. In addition, if not explicitly stated, we consider strong TLTS semantics, where the corresponding weak version can be obtained by replacing → by ⇒ in the following.

Example 1.
Figure 1 shows two sample TA specifying (simplified) coffee machines with corresponding TLTS extracts shown in Figures 1c and 1d. In state ⟨Warm Up, x = ⟩ we can only let further time pass, whereas in ⟨Warm Up, x = ⟩ we have to choose coffee due to the invariant. In contrast, as neither location Idle nor Fill Cup has an invariant, we may wait for an unlimited amount of time, thus resulting in infinitely many consecutive TLTS states. Further note that the TLTS in Fig. 1d contains a τ-transition which is only visible in the strong case.

Figure 1: TA of Two Similar Coffee Machines (Figs. 1a and 1b) and TLTS (Figs. 1c and 1d). Panels: (a) Coffee Machine with locations Idle, Warm Up and Fill Cup, clock x and actions press, coffee and sugar; (b) Coffee Machine′ with locations Idle′, Warm Up′, Internal′ and Fill Cup′, clock y, the same actions and an additional τ-switch; (c) TLTS of Fig. 1a; (d) TLTS of Fig. 1b.

We next revisit the notion of timed bisimulation to semantically compare different TA defined over the same alphabet. A timed (bi-)simulation relation may be defined by directly adapting the classical notion of (bi-)simulation on LTS to TLTS. State s′ of TLTS S_A′ timed simulates state s of TLTS S_A if every transition enabled in s, either labeled with action µ ∈ Στ or delay d ∈ ∆, is also enabled in s′ and the target state in S_A′, again, timed simulates the respective target state in S_A. Hence, TA A′ timed simulates A if initial state s′ timed simulates initial state s, and A′ and A are timed bisimilar if the timed simulation relation is symmetric.

Definition 3 (Timed Bisimulation [28]). Let A, A′ be TA over Σ with C ∩ C′ = ∅ and R ⊆ S × S′ such that for all (s, s′) ∈ R it holds that
• if s -µ-> s₁ with µ ∈ Στ, then s′ -µ-> s′₁ and (s₁, s′₁) ∈ R, and
• if s -d-> s₁ with d ∈ ∆, then s′ -d-> s′₁ with (s₁, s′₁) ∈ R.
A′ (strongly) timed simulates A, denoted A ⊑ A′, iff (s, s′) ∈ R for the initial states s and s′. In addition, A′ and A are (strongly) timed bisimilar, denoted A ≃ A′, iff R is symmetric. Weak timed (bi-)simulation can, again, be obtained by replacing → with ⇒ in all definitions (which we will omit if not relevant).

Example 2.
Consider, again, A and A′ in Figs. 1a and 1b. Strong timed (bi-)simulation does not hold between both models due to the τ-step in A′. In contrast, for the weak case, we have A ⊑ A′ as every action and delay of A is also permitted by A′ (cf. TLTS in Figs. 1c and 1d). Similarly, A′ ⊑ A also holds, such that A and A′ are weakly timed bisimilar. We conclude this section by repeating the well-known result that systems being strongly (timed) similar are also weakly (timed) similar.
Lemma 1. If A′ strongly timed simulates A, then A′ weakly timed simulates A [29].

Proof. We prove Lemma 1 by contradiction. Assume TA A and A′ with A′ strongly timed simulating A and A′ not weakly timed simulating A. In this case, we require TLTS states ⟨ℓ, u⟩ ∈ S and ⟨ℓ′, u′⟩ ∈ S′ being reachable by a τ-step such that for each ⟨ℓ′, u′⟩ -η-> ⟨ℓ′₁, u′₁⟩ ∈ →′ with η ∈ Σ̂ there exists a ⟨ℓ, u⟩ -η-> ⟨ℓ₁, u₁⟩ ∈ →. Due to the definition of weak transitions (see Def. 2), we also require a transition ⟨ℓ, u⟩ -η-> ⟨ℓ₁, u₁⟩ ∈ → not being enabled in ⟨ℓ, u⟩ to prove that A′ strongly timed simulates A and A′ weakly timed simulates A. However, as these two assumptions are contradicting, it holds that A′ weakly timed simulates A if A′ strongly timed simulates A. □

As TLTS are, in general, infinite-state and infinitely-branching LTS, they are only of theoretical interest, but do not facilitate effective timed (bi-)similarity checking. In [9], a finite, yet often unnecessarily space-consuming characterization of timed bisimilarity is given using region graphs instead of TLTS. In contrast, Weise and Lenzkes [28] use so-called full backward stable (FBS) graphs, an adaption of the symbolic zone-graph representation [11] of TA semantics enriched by transition labels. Zone graphs are, in most cases, less space-consuming than region graphs. We will also build upon FBS graphs in the following, but propose a novel definition, called (bounded) zone-history graphs, to permit a more concise characterization and scalable checking of timed (bi-)simulation. A symbolic state of TA A is a pair ⟨ℓ, ϕ⟩ consisting of a location ℓ ∈ L and a zone ϕ ∈ B(C), where ϕ represents the maximum set D = {u : C → T_C | u ∈ ϕ} of clock valuations u satisfying clock constraint ϕ.
Hence, symbolic state ⟨ℓ, ϕ⟩ comprises all TLTS states ⟨ℓ, u⟩ ∈ S of S_A with u ∈ D, where we may use ϕ and D interchangeably in the following. The construction of a zone graph for a timed automaton is based on two operations on zones:
• D↑ = {u + d | u ∈ D, d ∈ T_C} denotes the future of zone D, and
• R(D) = {[R]u | u ∈ D} denotes the application of a set of clock resets R ⊆ C on zone D.
By D, we denote the initial zone in which all clock values are mapped to constant 0. For each switch ℓ -g,µ,R-> ℓ′, a corresponding transition ⟨ℓ, D⟩ -µ-> ⟨ℓ′, D′⟩ is added with target zone D′ derived from source zone D by considering the future D↑ of D, further restricted by the switch guard g, the location invariants of ℓ and ℓ′ as well as the clock resets R.

Definition 4 (Zone Graph). The zone graph of TA A over Σ is a tuple (Z, z, Σ, →), where
• Z = L × B(C) is a set of symbolic states with initial state z = ⟨ℓ, D⟩,
• Σ is a set of actions, and
• → ⊆ Z × Στ × Z is the least relation satisfying the rule: ⟨ℓ, D⟩ -µ-> ⟨ℓ′, D′⟩ if ℓ -g,µ,R-> ℓ′ and D′ = R(D↑ ∧ g ∧ I(ℓ)) ∧ I(ℓ′).

Although zone graphs according to Def. 4 are, again, not necessarily finite, an equivalent, finite zone-graph representation for any given TA can be obtained (1) by constructing an equivalent diagonal-free TA only containing atomic clock constraints of the form x ∼ r [8], and (2) by constructing for this TA a k-bounded zone-graph representation according to Def. 4 where all zones are bounded by a maximum global clock ceiling k using k-normalization [25, 24].

The comparison of zones of two different TA during timed-bisimilarity checking is based on the notion of spans [13]. The span of clock c ∈ C in zone D is the interval (lo, up) between the minimum valuation lo and maximum valuation up of c in D. The span of zone D is the least interval covering the spans of all clocks in D. By ∞, we denote upward-open intervals (i.e., d < ∞ for all d ∈ T_C), where ∞ behaves in calculations as usual.

Figure 2: False Positive using Plain Zone Graphs for Checking Timed Bisimilarity. Panels: (a) TA A with clock x and actions a, b, c; (b) TA A′ with clocks y and z and actions a, b, c; (c) extract of the zone-history graph ZH of A; (d) extract of the zone-history graph ZH′ of A′.

We further introduce two operators for comparing spans sp₁ and sp₂: sp₁ ⪯ sp₂ denotes that sp₁ is contained in sp₂, whereas sp₁ ≤ sp₂ denotes that the relative length of sp₁ is shorter than that of sp₂. Please note that we overload the notion of spans to likewise refer to the set of elements within the interval defined by a span. Hence, span(lo, up) denotes the set of elements n with n ≥ lo ∧ n ≤ up.

Definition 5 (Span). Given zone D and c ∈ C, we use the following notations.
• span(c, D) = (lo, up) ∈ T_C × (T_C ∪ {∞}) is the smallest interval such that ∀u ∈ D : u(c) ≥ lo ∧ u(c) ≤ up.
• span(lo, up) = {n ∈ T_C | n ≥ lo ∧ n ≤ up}.
• (lo, up) ≺ (lo′, up′) ⇔ lo > lo′ ∧ up < up′.
• (lo, up) ⪯ (lo′, up′) ⇔ lo ≥ lo′ ∧ up ≤ up′.
• (lo, up) ≤ (lo′, up′) ⇔ up − lo ≤ up′ − lo′.

Based on the notion of spans, we are able to compare timing constraints of action occurrences of two different TA independent of the names of locations and clocks. However, due to the non-observability of clock resets, it is not sufficient for timed (bi-)simulation checking to just compare spans of pairs of potentially similar symbolic states one by one, as will be illustrated by the following example.
Example 3.
Considering TA A and A′ in Figs. 2a and 2b, the span of action a is ( , ) in both TA due to the switch guards. Additionally, the span for action b is ( , ) in both TA. However, in A, we may only wait for 5 time units before performing b if we have instantaneously (i.e., with 0 delay) performed a before, whereas in A′, the delay for performing b is independent of previous delays due to the reset of z. Hence, A ≃ A′ does not hold. In [28], this issue is tackled by further considering so-called good sequences of FBS graphs in a separate post-check. In contrast, we propose an alternative solution more aligned with the concepts of (bi-)simulation equivalence relations on state-transition graphs (i.e., by enriching symbolic states with additionally discriminating information).
Similar to the notion of causal history as, for instance, proposed for history-preserving event-structure semantics [5], we extend symbolic states ⟨ℓ, D⟩ to triples ⟨ℓ, D, H⟩ further comprising a zone history H ∈ B(C)* to memorize sequences of clock constraints corresponding to the zones of predecessor states. When stepping from zone D to zone D′, the history H is updated to H′ according to the updates applied to D leading to D′. By introducing a fresh clock χ ∉ C which is never explicitly reset, we measure the respective spans of histories H in order to compare the sequences of intervals through which the current states are reachable from their predecessors. By H₁ · H′ and H′ · H₁, respectively, we denote the concatenation of a further element H₁ in front of, or after, history sequence H′, where ε denotes the empty sequence with H · ε = ε · H = H.

Definition 6 (Zone History). Let H ∈ B(C ∪ {χ})* with χ ∉ C be a zone history. The update of history H for a switch ℓ -g,µ,R-> ℓ′ leading from zone D to D′ = R(D↑ ∧ g ∧ I(ℓ)) ∧ I(ℓ′) is recursively defined as
• update(H, D, D′) = R(H₁↑ ∧ g ∧ I(ℓ)) ∧ I(ℓ′) · update(H′, D, D′) if H = H₁ · H′,
• update(H, D, D′) = R((D ∧ χ = 0)↑ ∧ g ∧ I(ℓ)) ∧ I(ℓ′) if H = ε.

We are now ready to define a zone-history graph of TA A by extending plain zone graphs (see Def. 4) with zone histories. The initial state z = ⟨ℓ, D, ε⟩ comprises initial location ℓ, initial zone D and the empty history. The target state ⟨ℓ′, D′, H′⟩ of a transition ⟨ℓ, D, H⟩ -µ-> ⟨ℓ′, D′, H′⟩ corresponding to a switch ℓ -g,µ,R-> ℓ′ is reached by updating zone D to D′ as described before, and by additionally updating history H to H′ = update(H, D, D′). We write z_i to refer to states ⟨ℓ_i, D_i, H_i⟩ (i.e., every element of state z_i has index i).

Please note that this construction only serves as a theoretical baseline as it would, again, yield an infinite zone-history graph whenever the respective TA contains cyclic paths (thus leading to an infinitely growing history component of zones). In order to handle cyclic behavior, we will present an algorithm for pruning (possibly infinite) zone-history graphs into finite ones for effectively checking timed bisimilarity.

Definition 7 (Zone-History Graph). The zone-history graph of a TA A with χ ∉ C over Σ is a tuple (Z, z, Σ, →), where
• Z = L × B(C) × B(C ∪ {χ})* is a set of symbolic states with z = ⟨ℓ, D, ε⟩,
• Σ is a set of actions, and
• → ⊆ Z × Στ × Z is the least relation satisfying the rule: z -µ-> z′ if ℓ -g,µ,R-> ℓ′, D′ = R(D↑ ∧ g ∧ I(ℓ)) ∧ I(ℓ′), and H′ = update(H, D, D′).

We apply Algorithm 1 to generate a finite zone-history graph from (Z, z, Σ, →). Before we describe Algorithm 1 for pruning zone-history graphs in more detail (as well as the operators used in this algorithm), we first provide an example of an infinite zone-history graph.
Example 4.
Figures 2c and 2d show extracts from the (infinite) zone-history graphs of TA A and A′, respectively (cf. Figs. 2a and 2b), where A′ has two clocks, y and z. The initial state of ZH′ starts in location ℓ′ and zone y = ∧ y = z. Considering the switch labeled with a, y ≤ and reset of z, we track clock differences in zone-history graphs (e.g., y = z in the initial state) as usual, and update difference constraints in case of clock resets [11, 28]. Due to y ≤ , the difference between y and z may increase, thus resulting in y ≤ z + . The updated zone history yields χ ≤ with span ( , ). Next, we update the existing entry of the zone history and append a new entry for the current step. As both A and A′ contain cycles, we proceed by adding states with updated histories, such that the resulting zone-history graphs will become infinite.

We next introduce the auxiliary operators used in Algorithm 1. By |H|, we denote the length of sequence H and by H↓k, k > 0, we denote the postfix of H of length k (or the whole of H if k ≥ |H|). In this way, we compare sequences of spans of two histories of differing lengths by only considering a respective postfix of the longer one. To this end, we compare spans of histories by comparing the zones of the respective zone histories. In particular, we use H ≺ H′ and H ⪯ H′ to denote an element-by-element comparison of the spans of clock χ (i.e., the additional clock introduced in Def. 6). Please note that we utilize the generic symbol ⊴ ∈ {≺, ⪯} only for the sake of a compact definition.

Definition 8 (Comparison of Zone Histories). Let H, H′ ∈ B(C ∪ {χ})* with χ ∉ C be zone histories. The comparison of the spans of histories H and H′ is recursively defined by
• H ⊴ H′ if H = H′ = ε,
• H ⊴ H′ ⇔ span(χ, H₁) ⊴ span(χ, H′₁) ∧ H′′ ⊴ H′′′ if |H| = |H′| ∧ H = H₁ · H′′ ∧ H′ = H′₁ · H′′′, and
• H ⊴ H′ ⇔ H↓k ⊴ H′↓k if |H| ≠ |H′| and k = min(|H|, |H′|),
where ⊴ ∈ {≺, ⪯}. We illustrate the comparison of zone histories by the following example.
Example 5.
Consider the following zone histories (where we omit all clocks except χ for the sake of readability):
• H = (χ > ) · (χ ≥ ) · (χ ≥ ∧ χ ≤ )
• H′ = (χ > ) · (χ ≥ ∧ χ ≤ )
• H′′ = (χ ≥ ∧ χ ≤ )
Comparing these zone histories, it holds that H ⪯ H′, H′′ ≺ H, and H′′ ≺ H′. In contrast, H ⪯ H′′, H′ ⪯ H′′, and H′ ⪯ H do not hold.

Moreover, we define respective comparison operators on zone histories potentially having different lengths. First, H ≍ H′ compares histories H and H′ by considering the longest possible postfixes of both zone histories.

Definition 9 (Postfix-Equality of Zone Histories). Let H, H′ ∈ B(C ∪ {χ})* be zone histories. H and H′ are equal, denoted by H ≍ H′, iff H ⪯ H′ and H′ ⪯ H.

Second, H ≍⟲ H′ further cuts postfixes in case of periodic zone histories. The usage of this operator will be explained in more detail later on (see Algorithm 1).

Definition 10 (Cut-Equality of Zone Histories). Let H, H′ ∈ B(C ∪ {χ})* with χ ∉ C be zone histories. The periodic comparison of the spans of histories H and H′ is recursively defined by
• H ⊴⟲ H′ ⇔ H↓k ⊴ H′↓k if k = min(|H|, |H′|, |ω|) with ω = |H| − |H′|, and
• H ≍⟲ H′ if H ⊴⟲ H′ and H′ ⊴⟲ H,
where ⊴ ∈ {≺, ⪯}. We, again, illustrate the application of these operators by the following example.
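As an added executable illustration (our own code, not the report's or the TimBrCheck tool's), the following Python script implements the span operators of Def. 5 over T_C = ℕ and the history comparisons of Defs. 8 to 10, and runs them on constructed histories with the shape of Example 5 (three, two and one element; the constants are our own choice, as the report's are not reproduced here) to show the ≍ versus ≍⟲ contrast discussed in Example 6 below.

```python
import math
from typing import Callable, List, Tuple

INF = math.inf
Span = Tuple[float, float]      # (lo, up) as in Def. 5; up = INF for an upward-open interval
History = List[Span]            # a zone history reduced to the spans of the fresh clock χ
Rel = Callable[[Span, Span], bool]


def span_of_chi(atoms: List[Tuple[str, int]]) -> Span:
    """Def. 5: smallest (lo, up) covering every valuation of χ that satisfies the
    conjunction of atomic constraints (op, n), op in {'<', '<=', '>=', '>'}, over T_C = N."""
    lo, up = 0, INF
    for op, n in atoms:
        if op == ">=":
            lo = max(lo, n)
        elif op == ">":
            lo = max(lo, n + 1)      # discrete time: χ > n is the same as χ ≥ n + 1
        elif op == "<=":
            up = min(up, n)
        elif op == "<":
            up = min(up, n - 1)
        else:
            raise ValueError(f"unsupported operator {op!r}")
    if lo > up:
        raise ValueError("empty span: constraints are unsatisfiable")
    return (lo, up)


def strictly_contained(s: Span, t: Span) -> bool:
    """(lo, up) ≺ (lo', up') ⇔ lo > lo' ∧ up < up'."""
    return s[0] > t[0] and s[1] < t[1]


def contained(s: Span, t: Span) -> bool:
    """(lo, up) ⪯ (lo', up') ⇔ lo ≥ lo' ∧ up ≤ up'."""
    return s[0] >= t[0] and s[1] <= t[1]


def not_longer(s: Span, t: Span) -> bool:
    """(lo, up) ≤ (lo', up') ⇔ up − lo ≤ up' − lo' (INF − lo stays INF)."""
    return s[1] - s[0] <= t[1] - t[0]


def postfix(h: History, k: int) -> History:
    """H↓k: the last k elements of H, or all of H if k ≥ |H|; k = 0 yields ε."""
    return list(h) if k >= len(h) else h[len(h) - k:]


def compare(h: History, h2: History, rel: Rel) -> bool:
    """Def. 8: element-by-element comparison of the χ-spans; histories of different
    length are first cut to the postfix of length min(|H|, |H'|)."""
    if len(h) != len(h2):
        k = min(len(h), len(h2))
        return compare(postfix(h, k), postfix(h2, k), rel)
    return all(rel(a, b) for a, b in zip(h, h2))   # ε ⊴ ε holds (base case)


def postfix_equal(h: History, h2: History) -> bool:
    """Def. 9: H ≍ H' iff H ⪯ H' and H' ⪯ H."""
    return compare(h, h2, contained) and compare(h2, h, contained)


def cut_compare(h: History, h2: History, rel: Rel) -> bool:
    """Def. 10: compare only the postfix of length min(|H|, |H'|, | |H| − |H'| |)."""
    k = min(len(h), len(h2), abs(len(h) - len(h2)))  # k = 0 for equal lengths: ε vs ε
    return compare(postfix(h, k), postfix(h2, k), rel)


def cut_equal(h: History, h2: History) -> bool:
    """Def. 10: H ≍⟲ H' iff H ⪯⟲ H' and H' ⪯⟲ H."""
    return cut_compare(h, h2, contained) and cut_compare(h2, h, contained)


# Constructed histories with the shape of Example 5 (constants are our own, not the report's).
H = [span_of_chi([(">", 0)]), span_of_chi([(">=", 3)]), span_of_chi([(">=", 4), ("<=", 6)])]
H1 = [span_of_chi([(">", 1)]), span_of_chi([(">=", 4), ("<=", 6)])]        # plays H'
H2 = [span_of_chi([(">=", 5), ("<=", 5)])]                                  # plays H''


def worked_example() -> dict:
    """Evaluates the comparisons of Examples 5 and 6 on the constructed histories."""
    return {
        "H ⪯ H'": compare(H, H1, contained),             # postfix of length 2 on both sides
        "H'' ≺ H": compare(H2, H, strictly_contained),   # postfix of length 1
        "H'' ≺ H'": compare(H2, H1, strictly_contained),
        "H ⪯ H''": compare(H, H2, contained),
        "H' ⪯ H''": compare(H1, H2, contained),
        "H' ⪯ H": compare(H1, H, contained),
        "H ≍ H'": postfix_equal(H, H1),   # 2 elements compared: fails on (3,∞) vs (2,∞)
        "H ≍⟲ H'": cut_equal(H, H1),      # |H| − |H'| = 1 element compared: holds
    }


if __name__ == "__main__":
    for name, holds in worked_example().items():
        print(f"{name}: {holds}")
```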
Example 6.
Consider, again, the zone histories presented in Example 5. For instance, H ≍ H′ does not hold as H′ ⪯ H does not hold. However, it holds that H ≍⟲ H′ as this operator only compares a postfix of length |H| − |H′| = 1, whereas H ≍ H′ would consider a postfix of length min(|H|, |H′|) = 2.

Algorithm 1: Generating Finite Zone-History Graphs
Input: zone-history graph (Z, z, Σ, →)
Output: finite zone-history graph (Z′, z, Σ, →′)
(states are written z = ⟨ℓ, D, H⟩ and z′ = ⟨ℓ′, D′, H′⟩ as in Def. 7)
1:  procedure MAIN
2:    →′ := ∅
3:    Z′ := {z}
4:    Ẑ := {z}
5:    while Ẑ ≠ ∅ do
6:      z ← Ẑ                                   // pick element without removing it
7:      foreach z -µ-> z′ do
8:        if ∃⟨ℓ, D, H′′⟩ ∈ Z′ : (H ≍⟲ H′′ ∧ H ≠ H′′) ∧ ∃⟨ℓ′, D′, H′′′⟩ ∈ Z′ : H′′′ ≍⟲ H′ then
9:          →′ := →′ ∪ {z -µ->′ ⟨ℓ′, D′, H′′′⟩}
10:       else
11:         →′ := →′ ∪ {z -µ->′ z′}
12:         Z′ := Z′ ∪ {z′}
13:         Ẑ := Ẑ ∪ {z′}
14:     Ẑ := Ẑ \ {z}
15:   return (Z′, z, Σ, →′)

Next, we describe Algorithm 1 for pruning zone-history graphs. In particular, the algorithm takes as input a (potentially infinite) zone-history graph (Z, z, Σ, →) and returns a finite zone-history graph (Z′, z, Σ, →′) with equivalent behavior. To this end, the algorithm stops the unrolling of cyclic behavior based on a cut criterion on zone histories as described above. We start by initializing transition relation →′, the set of states Z′, and a working set Ẑ containing states which have not yet been processed (see lines 2–4). The main loop iterates over this working set Ẑ until Ẑ = ∅ (lines 5–14). As a first step of the while loop, we pick a state z ∈ Ẑ (without removing it) from the working set (line 6). Then, we check two conditions for each transition z -µ-> z′ from transition relation → (line 8).
1. Does there already exist some state ⟨ℓ, D, H′′⟩ ∈ Z′ satisfying H ≍⟲ H′′ and H ≠ H′′? Therewith, we check whether a state ⟨ℓ, D, H′′⟩ ≠ z has already been reached in a previous step having an equivalent history w.r.t. ≍⟲.
2. Does there already exist a state ⟨ℓ′, D′, H′′′⟩ ∈ Z′ satisfying H′ ≍⟲ H′′′?
For both properties, we utilize operator ≍⟲ (see Def. 10) for history comparison as this operator only compares the postfix of histories reaching back to the last iteration of cyclic behavior (thus cutting histories in case of regularity).
If this is the case, we add a transition from z to the previously reached state ⟨ℓ′, D′, H′′′⟩ (line 9). In this way, history unrolling is cut whenever states with similar location-zone pairs and compatible zone-history postfixes have already been reached before. Otherwise (lines 10–13), we add the transition and its target state to →′ and Z′, respectively (lines 11–12). Furthermore, we add the newly explored target state z′ to the working set Ẑ (line 13). Finally, when Ẑ = ∅ eventually holds, the while loop terminates and we return the finite zone-history graph (Z′, z, Σ, →′) (line 15). Intuitively, Algorithm 1 always eventually terminates (which we will prove later in this section) as traversing a loop multiple times always results in the exact same postfix in the respective zone-history component (such that the zone histories are equivalent w.r.t. ≍⟲).

Example 7.
Consider, again, the TA in Fig. 2a and the corresponding (infinite) zone-history graph in Fig. 2c as described in Example 4. Here, the target state of the next transition labeled with c does not meet the cut criterion, but rather imposes further loop unrolling, which results in adding the target state to the zone-history graph. This newly added state has the same location as the initial state (i.e., ℓ) as well as the same zone (i.e., x = ) due to the reset of clock x. From here, traversing the switch labeled with action a for the second time results in the new history element

x ≤ ∧ χ ≥ ∧ χ = x

which is appended to the zone history. In line 8 of Algorithm 1, we then check whether H ≍⟲ H″ holds. In this case, H is the zone history of the current state to which we just appended the new element as described above. Furthermore, H″ is the history of the state comprising location ℓ of the zone-history graph in Fig. 2c. As min(|H|, |H″|, |H| − |H″|) equals 1 here, we only have to compare the postfix of length 1 of H and H″. As these postfixes (i.e., the history element described above and the history element depicted in Fig. 2c) are equivalent w.r.t. ≍⟲, the condition in line 8 of Algorithm 1 is satisfied, such that we can now cut the zone history by adding a transition leading back to the already existing state, thus resulting in a finite zone-history graph.

Next, we formally prove that zone-history graphs resulting from applying Algorithm 1 are always finite.
Proposition 1.
Let A be a TA. Then, zone-history graph ZH_A is finite.

Proof. Zone graphs (Z, z₀, Σ, →) (without histories) are not necessarily finite, but it has been shown that an equivalent finite zone graph (Z, z₀, Σ, →k) can be obtained by constructing a k-bounded zone graph with all zones being bounded by a maximum global clock ceiling k using k-normalization [25, 24]. Hence, it remains to be shown that, when adding histories, k-normalized zone-history graphs (Z, z₀, Σ, →k) remain finite. Here, histories H are constructed in such a way that H is eventually cut. In particular, whenever there already exists a state with the same location ℓ and an equivalent zone D, we check if H ≍⟲ H′ and do not add a new state in this case (i.e., we add a transition to the existing state ⟨ℓ, D, H⟩ instead of adding the new state ⟨ℓ, D, H′⟩, see lines 8–9 of Algorithm 1). To this end, H ≍⟲ H′ compares the postfix of H and H′ of length n = min(|H|, |H′|, |ω|) with ω = |H| − |H′| (see Def. 10). As a result, we only compare the newest n elements of a history when unrolling a loop, where n is the number of locations on the loop. Therefore, the history eventually becomes regular, as we only compare the postfix of length n and TA are finite state-transition graphs (see Def. 1).

A proof concerning the correctness of this construction in terms of behavior preservation will follow later in this section. To handle TA with non-deterministic behavior (including τ-steps), we require one more concept, as illustrated by the following example.

Example 8.
In Fig. 3, we have A ≃ A′ as both TA permit action a within span ( , ) and both switches of A′ labeled with a can be simulated by A. However, the single switch of A cannot be simulated by either of the two switches of A′. Hence, generating comparable zone-history graphs for timed-bisimilarity checking may require splitting of states in case of non-determinism with overlapping spans of guards, as shown in Figs. 3c and 3d for A and A′. We call this construction composite zone-history graph.

[Figure 3: Example for State Splitting due to Non-determinism; (a) A, (b) A′, (c) ZH_A, (d) ZH_A′]

The (in general non-symmetric) construction of a composite zone-history graph
ZH_{A⊗A′} for TA A with respect to A′ is based on the zone-history graph ZH_{A×A′} for the (synchronous) parallel product A × A′, comprising only behavior shared by A and A′. Additionally, ZH_{A⊗A′} also comprises all further behavior of ZH_A potentially not enabled by ZH_{A′}, such that the result (1) is bisimilar to ZH_A and (2) facilitates a (bi-)simulation check with ZH_{A′} even in the presence of non-deterministic behavior. In order to construct the composite zone-history graph ZH_{A⊗A′}, we first define the parallel product A × A′.

Definition 11 (Parallel Product). Let A, A′ be TA over Σ with C ∩ C′ = ∅. The parallel product A × A′ = (L × L′, (ℓ, ℓ′), Σ, C ∪ C′, I×, E×) is a TA with I×(ℓ, ℓ′) = I(ℓ) ∧ I′(ℓ′) and E× being the least relation satisfying:
(1) (ℓ₁, ℓ′₁) −(g ∧ g′, σ, R ∪ R′)→× (ℓ₂, ℓ′₂) ∈ E× if ℓ₁ −(g, σ, R)→ ℓ₂ ∈ E ∧ ℓ′₁ −(g′, σ, R′)→ ℓ′₂ ∈ E′,
(2) (ℓ₁, ℓ′) −(g, τ, R)→× (ℓ₂, ℓ′) ∈ E× if ℓ₁ −(g, τ, R)→ ℓ₂ ∈ E, and
(3) (ℓ, ℓ′₁) −(g′, τ, R′)→× (ℓ, ℓ′₂) ∈ E× if ℓ′₁ −(g′, τ, R′)→ ℓ′₂ ∈ E′.

Next, we introduce two auxiliary transition relations from which we derive the transition relation →⊗ of ZH_{A⊗A′}. Here, ⇝× denotes the transition relation of ZH_{A×A′} (i.e., the zone-history graph of A × A′), whereas ⇝ refers to the transition relation of ZH_A.

Definition 12.
Let A and A′ be TA, (Z, z₀, Σ, →) be the zone-history graph of A, and (Z′, z′₀, Σ′, →′) be the zone-history graph of A × A′. By ⇝ = → and ⇝× = →′ we denote two auxiliary transition relations of A w.r.t. A′.

As described above, the parallel product only contains behavior being common to A and A′. In order to ensure that the composite zone-history graph ZH_{A⊗A′} contains the same behavior as the zone-history graph ZH_A, we further have to add behavior of A not being enabled in A′ to ZH_{A⊗A′}.

Example 9.
Consider, again, the TA depicted in Fig. 3 and let us assume that the switch of A′ labeled with guard y ≥ were missing. In this case, the zone-history graph of A × A′ does not contain all behavior of A, such that we have to add the missing behavior to ensure that the composite zone-history graph of A w.r.t. A′ is bisimilar to the zone-history graph of A.

To identify the behavior of zone-history graph
ZH_A already being contained in ZH_{A⊗A′}, we employ the notion of a (bi-)simulation relation. However, as the (timed) behavior of one transition in ZH_A may be simulated by a combination of multiple transitions in ZH_{A⊗A′} labeled with the same action, we first have to combine the histories of this set of transitions in ZH_{A⊗A′}. To this end, we define an operator for joining histories. In particular, we compose sets ℋ of histories into a single one in an incremental manner, where two histories H, H′ are combined by element-wise disjunction of their components.

In general, disjunction leads to constraints corresponding to non-convex polyhedra (as opposed to the convex polyhedra obtained from clock constraints as described in Def. 1). As comparing non-convex polyhedra (e.g., checking whether two polyhedra intersect) is less efficient than comparing convex polyhedra, the construction of a composite zone-history graph is computationally much more complex than constructing zone-history graphs for deterministic TA. In fact, those non-convex constraints solely occur during those particular checks determining whether additional states must be added. In contrast, all other constraints emerging during zone-history graph construction, including those specifying the individual components of histories, always remain convex. In the following, we first consider the case where |H| = |H′|.

Definition 13 (History Join). Let ℋ ⊆ B(C)* be a set of histories. Function join : 2^{B(C)*} → B(C)* is recursively defined by
• join(∅) = ε,
• join({H} ∪ ℋ) = H ∨̇ join(ℋ),
• H ∨̇ ε = H, and
• (H₁ · H) ∨̇ (H′₁ · H′) = (H₁ ∨ H′₁) · (H ∨̇ H′) if |H| = |H′|, where H₁, H′₁ ∈ B(C) are single history elements.

In order to join two histories H and H′ of different length (i.e., |H| ≠ |H′|), we expand the shorter history to length k = max(|H|, |H′|).
To this end, we use the notation H↑k to add constant elements false ∈ B(C), being the neutral element of disjunction, as additional prefixes to H until H has length k.

Definition 14.
Let H, H′ ∈ B(C ∪ {χ})* be zone histories.
• H ∨̇ H′ ⇔ H↑k ∨̇ H′↑k if |H| ≠ |H′| and k = max(|H|, |H′|),
• H↑k = H if |H| ≥ k, and
• H↑k = false · H↑(k − 1) if |H| < k.

Next, we define the function histories to define composite zone-history graphs in a compact way. Function histories takes as input a symbolic state z, a symbolic transition relation →, and an action μ ∈ Σ_τ and returns the histories of all states being reachable from z under action μ.

Definition 15.
Let z ∈ Z = L × B(C) × B(C)* be a symbolic state, → ⊆ Z × Σ_τ × Z be a symbolic transition relation, and μ ∈ Σ_τ be an action. Function histories : Z × (Z × Σ_τ × Z) × Σ_τ → 2^{B(C)*} denotes the set of histories ℋ ⊆ B(C)* being reachable from z with μ, such that H′ ∈ ℋ if z −μ→ ⟨ℓ′, D′, H′⟩.

We are now able to define composite zone-history graphs by considering the aforementioned transition relations ⇝ and ⇝× (see Def. 12) for TA A and A′. For transition relation →⊗ of the composite zone-history graph ZH_{A⊗A′}, we require ⇝× ⊆ →⊗. In addition, transition ⟨(ℓ, ℓ′), D, H⟩ −μ→ ⟨(ℓ, ℓ′), D, H⟩ is also part of →⊗ if the (timed) behavior of this transition is not covered by a transition (or a combination of transitions) in ⇝× (see Example 9). Hence, →⊗ contains the behavior of the parallel product and the behavior exclusive to A.

Definition 16 (Composite Zone-History Graph). Let A, A′ be TA over Σ with C ∩ C′ = ∅, A × A′ = (L × L′, (ℓ, ℓ′), Σ, C ∪ C′, I×, E×) be the parallel product (see Def. 11), and ⇝× and ⇝ be auxiliary transition relations (see Def. 12). The composite zone-history graph ZH_{A⊗A′} = (Z, z₀, Σ, →⊗) of A w.r.t. A′ is a zone-history graph, where
• Z = (L × L′) × B(C ∪ C′) × B(C ∪ C′ ∪ {χ})* is a set of symbolic states with initial state z₀ = ⟨(ℓ, ℓ′), D, ε⟩ ∈ Z,
• Σ is a set of actions, and
• →⊗ ⊆ Z × Σ_τ × Z is the least relation satisfying
  – z −μ→⊗ z′ if z ⇝μ× z′, and
  – z −μ→⊗ ⟨(ℓ, ℓ′), D, H⟩ if z ⇝μ ⟨(ℓ, ℓ′), D, H⟩ ∧ join(ℋ) ≺ H, where ℋ = histories(z, ⇝×, μ).

This construction allows us to establish a symbolic version of (strong) timed (bi-)simulation on zone-history graphs such that state z′ simulates state z if (1) z′ enables the same actions μ ∈ Σ_τ as z, and (2) the span of history H′ includes the span of H, respectively.
Moreover, we have to compare the spans allowed for residing in related states. As before, we perform this check by introducing a fresh clock χ and checking the span of χ. As composite zone-history graphs are, by construction, proper zone-history graphs, the following definitions and results are likewise applicable.

Definition 17 (Symbolic Timed Bisimulation). Let A, A′ be TA over Σ with C ∩ C′ = ∅, χ, χ′ ∉ C ∪ C′, symbolic states Z, Z′, and R ⊆ Z × Z′ such that for all (z, z′) ∈ R
• if z −μ→ ẑ with μ ∈ Σ_τ, then z′ −μ→ ẑ′ and (ẑ, ẑ′) ∈ R, and
• span(χ, (D ∧ χ = )↑ ∧ I(ℓ)) ≤ span(χ′, (D′ ∧ χ′ = )↑ ∧ I′(ℓ′)) ∧ H ⪯ H′.
A′ (strongly) timed simulates A iff (z₀, z′₀) ∈ R. A′ and A are (strongly) timed bisimilar, denoted A ≃ A′, iff R is symmetric.

We overload ⊑ and ≃ on zone-history graphs accordingly, and we again obtain weak versions of those definitions as before. Concerning correctness and decidability of symbolic timed bisimulation on zone-history graphs, we first prove that the composite zone-history graph is semantics-preserving and finite.

Proposition 2.
Let A, A′ be TA over Σ. Then it holds that (1) ZH_A ≃ ZH_{A⊗A′}, and (2) ZH_A and ZH_{A⊗A′} are finite.

Proof. Let A and A′ be TA over Σ. We prove the two parts of Proposition 2 separately.
1. By definition, ZH_{A×A′} contains exactly the shared behavior of ZH_A and ZH_{A′} (see relation ⇝× of Def. 12). In addition, the remaining behavior being exclusive to ZH_A is added by relation ⇝, as ⇝ contains exactly the behavior of A. Furthermore, the requirement join(ℋ) ≺ H ensures that transitions of ⇝ are added to →⊗ if and only if the respective behavior is not already contained in →⊗ through ⇝× (see Def. 16). Hence, it directly follows that ZH_A ≃ ZH_{A×A′} due to A ≃ A′, as shown with bisimilarity of the corresponding TLTS.
2. Finiteness of ZH_A has already been proven in Proposition 1. Hence, it remains to be shown that also ZH_{A⊗A′} is finite. For the construction of ZH_{A⊗A′}, we first generate the zone-history graphs of A as well as of A × A′, which are finite (see Proposition 1). To obtain ZH_{A⊗A′}, we then add transitions from ZH_A to ZH_{A⊗A′} iff behavior of A is uncovered. As the zone-history graphs of A as well as of A × A′ are finite, also ZH_{A⊗A′} is finite.

[Figure 4: Zone-History Graphs for TA Depicted in Fig. 1; (a) Coffee Machine, (b) Coffee Machine′]

Thereupon, we are now able to show correctness of symbolic timed (bi-)simulation.
Theorem 1.
Let A, A′ be TA over Σ. Then it holds that (1) A ⊑ A′ ⇔ ZH_{A⊗A′} ⊑ ZH_{A′⊗A}, and (2) ZH_{A⊗A′} ⊑ ZH_{A′⊗A} is decidable.

Proof. Let A, A′ be TA over Σ. We prove the two parts of Theorem 1 separately.
1. It holds, by construction of composite zone-history graphs, that ⇝× = ⇝′× up to renaming of locations and clocks (see Def. 16). Hence, w.l.o.g., we have to show that behavior in ⇝ (i.e., being exclusive to ZH_{A×A′}) cannot be simulated by ZH_{A′×A}. This follows directly from the first condition of Def. 17 and the fact that transitions of ⇝ are added to →⊗ iff the corresponding behavior is exclusive (see the second rule for →⊗ in Def. 16). Furthermore, exclusive behavior of A cannot be simulated by A′ when considering timed bisimulation on TLTS (see Defs. 1, 2, and 3). Finally, we have to consider that clock resets hide clock constraints in the sense that a clock constraint x ∼ n is not visible in a zone after x is reset. However, by comparing zone histories H and H′, we ensure that the impact of previous clock constraints remains observable by using the fresh clock χ for tracking the respective changes to clock differences, including those potentially being hidden by subsequent clock resets. Therefore, it holds that A ⊑ A′ ⇔ ZH_{A×A′} ⊑ ZH_{A′×A}. Note that k-normalization does not impact the bisimilarity check, as checking bisimilarity relies on the comparison of histories. In particular, loops (being the reason for k-normalization) result in the comparison of the postfix of length n = min(|H|, |H′|, |ω|) with ω = |H| − |H′| of histories H and H′ (see Def. 6). As a result, we only compare the newest n elements of a history when unrolling a loop, where n is the number of locations on the loop. Therefore, the history eventually becomes regular, as we only compare the postfix of length n, such that we do not apply any approximation to histories.
2.
As composite zone-history graphs are finite (see Proposition 2), there are finitely many transitions and spans to check (see Def. 17). Hence, ZH_{A×A′} ⊑ ZH_{A′×A} is decidable.

Example 10.
The extracts from the zone-history graphs in Fig. 4 correspond to the TA in Fig. 1. Starting from the initial state of coffee machine (cf. Fig. 4a) with zone x = , the zone of the subsequent state is x = due to the reset, whereas the following state has zone x = due to the invariant of location Warm Up and the guard of switch coffee. Additionally, H = (x = ∧ χ ≥ x) as x is reset, and H = (x = ∧ χ ≥ x) · (x = ∧ χ ≥ x) due to the guard and invariant. All elements of H′ and H′ equal (y = ∧ χ ≥ y), while H′ = (y ≥ ∧ χ ≥ y) · (y ≥ ∧ χ ≥ y) · (y ≥ ∧ χ = y). Hence, both TA are not strongly but weakly bisimilar, as, e.g., H ⪯ H′ and H′ ⪯ H (as span(χ, x = ∧ χ ≥ x) = span(χ, y = ∧ χ ≥ y) = ( , ∞)). Furthermore, the TA in Fig. 4b may immediately produce sugar after action coffee due to silent steps.

As shown in Proposition 2, zone-history graphs are finite and allow for precise checking of timed bisimilarity. However, in case of larger TA models with many locations and clocks, complex clock constraints and frequent clock resets, zone-history graphs may become very large, thus obstructing effective timed-bisimilarity checking by practical tools. To also handle realistic models, we next define bounded zone-history graphs to enable potentially imprecise, yet arbitrarily scalable timed-bisimilarity checking.
For controlling the size of zone-history graphs, we introduce a bound parameter b ∈ ℕ restricting each history sequence H produced by the update-operator (Def. 6) during zone-history graph construction to H↓b (i.e., memorizing a maximum number of b previous history elements). By A ≃b A′, we denote that the b-bounded zone-history graphs of TA A and A′ are timed bisimilar. Hence, A ≃∞ A′ denotes the unbounded case being equivalent to A ≃ A′, whereas A ≃ A′ denotes timed-bisimilarity checking on plain zone graphs according to Def. 4.

Theorem 2.
Let A, A′ be TA over Σ.
1. There exists b < ∞ such that A ≃b A′ ⇔ A ≃ A′.
2. A ≃b A′ ⇒ A ≃b′ A′ iff b ≥ b′.

Proof. We prove (1) and (2) separately.
1. As A ≃ A′ is decidable (see Theorem 1) and (composite) zone-history graphs have a finite length (see Proposition 2), the length of the respective zone history is finite. Hence, there exists b < ∞, where b may have the length of the longest zone history when computing A ≃ A′.
2. If it holds that A ≃b A′, then it also holds that A ≃b′ A′ iff b ≥ b′, as A ≃b′ A′ considers a shorter history (where the leading elements of the history are equal to those considered with b). Here, recognizing a TA A′ as not bisimilar would require an element in the zone history to be unequal.

However, identifying a minimal, yet sufficiently large b meeting the first property a priori is not obvious. In contrast, if A ≄b A′ holds for some b, then A ≃ A′ does also not hold, whereas A ≃b A′ may be a false positive only if histories exceed bound b at least once during zone-history-graph construction.

Example 11.
Let us assume b = in Fig. 2. Here, the history contains the constraint χ ≤ for the states of ZH and ZH′ comprising ℓ and ℓ′, respectively. In states containing ℓ and ℓ′, respectively, we have χ ≤ on both sides, as we only consider the tailing history elements due to b = . Hence, A ≃ A′. In contrast, b ≥ yields the correct result A ≄b A′, as we also consider the differing first history elements χ ≤ and χ ≤ of the states containing ℓ and ℓ′, thus revealing the effect of the reset of z in A′.

We implemented the concepts for checking (weak and strong) timed bisimilarity as described in the previous section, which we describe in more detail in the following. Our tool is called TIMBRCHECK (timed bisimilarity checker) and uses UPPAAL [20], a widely used tool environment for TA modeling and analysis, as a front-end. To this end, TIMBRCHECK supports the UPPAAL file format for input TA models. After parsing two given input TA models, our tool generates (bounded) zone-history graphs for a predefined bound value b and performs a timed-bisimilarity check between both models. Our tool also supports input models having non-deterministic behavior as well as τ-transitions by constructing the corresponding composite (bounded) zone-history graphs as described above.

Internally, TIMBRCHECK utilizes difference bound matrices (DBM) [6, 11, 7] as a common data structure to represent and manipulate zones and zone histories. Unfortunately, DBM can only represent constraints corresponding to convex polyhedra (i.e., clock constraints described by the grammar in Def. 1). As a consequence, operations on DBM do not include union (or disjunctive constraints, respectively), which is, however, required for joining histories during the construction of composite zone-history graphs (see Def. 13). Hence, for this particular step during the construction of composite zone-history graphs (i.e., the last bullet point in Def. 16), we make use of an external call to an ILP solver. These additional calls may drastically impact the overall performance of timed-bisimilarity checking in case of non-deterministic TA as compared to deterministic models (cf. Section 5). These checks are conducted as follows: given a history H of TA A and a joint history H′ of the respective composite zone-history graph, we have to check whether H is included in H′. To this end, we consider an element-wise conjunction of the respective histories H and H′, where we negate the elements of H′, and then check the resulting conjunction for satisfiability. For instance, if H₁ is the first element of H and H′₁ the first element of H′, we check if H₁ ∧ ¬H′₁ is satisfiable.
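As an added example (not the paper's or TIMBRCHECK's code), the following Python sketch implements the history join of Defs. 13 and 14 (element-wise disjunction with false-padding, aligned at the newest element) and the element-wise inclusion check just described. Instead of an ILP solver, it decides whether H₁ ∧ ¬H′₁ is satisfiable by negating the joined element into DNF and closing each resulting conjunction of difference constraints with a small DBM (Floyd-Warshall); the constraint syntax ("chi<=2", "x-y<=1") and the sample histories, modelled after Fig. 3 and Example 9, are assumptions.

```python
"""History join (Defs. 13/14) and the element-wise check H_i 	∧ ¬H'_i (Sec. 4).

Added example, not the paper's code.  A history is a list of elements, oldest
first.  Joined elements may be non-convex, so every element is a DNF: a
frozenset of convex disjuncts, each a frozenset of difference constraints
(x, y, strict, c) meaning x - y < c (strict) or x - y <= c, with "0" as the
zero clock.  The empty DNF is `false`, the neutral element used for padding.
"""
import itertools
import re
from typing import FrozenSet, Iterable, List, Tuple

Atom = Tuple[str, str, bool, int]
Convex = FrozenSet[Atom]
Dnf = FrozenSet[Convex]
History = List[Dnf]

FALSE: Dnf = frozenset()                   # no satisfiable disjunct
TRUE: Dnf = frozenset({frozenset()})       # one disjunct without constraints
_ATOM = re.compile(r"^(\w+)(?:-(\w+))?(<=|>=|<|>|=)(-?\d+)$")


def atoms(text: str) -> List[Atom]:
    """Parse 'x<=2', 'x>3', 'x-y<=1' or 'chi=0' (assumed syntax) into atoms."""
    x, y, op, c = _ATOM.match(text.replace(" ", "")).groups()
    y, c = y or "0", int(c)
    if op in ("<=", "<"):
        return [(x, y, op == "<", c)]
    if op in (">=", ">"):
        return [(y, x, op == ">", -c)]        # x - y >= c  <=>  y - x <= -c
    return [(x, y, False, c), (y, x, False, -c)]  # equality, both directions

def convex(*texts: str) -> Dnf:
    """One convex clock constraint (a conjunction of atoms) as a DNF."""
    return frozenset({frozenset(a for t in texts for a in atoms(t))})

def pad(h: History, k: int) -> History:
    """H↑k (Def. 14): prepend `false` elements until the history has length k."""
    return [FALSE] * max(0, k - len(h)) + list(h)

def disjoin(h1: History, h2: History) -> History:
    """H ∨̇ H': element-wise disjunction, aligned at the newest element."""
    k = max(len(h1), len(h2))
    return [a | b for a, b in zip(pad(h1, k), pad(h2, k))]

def join(hs: Iterable[History]) -> History:
    """join(ℋ) of Def. 13: fold ∨̇ over the set; join(∅) = ε and H ∨̇ ε = H."""
    result: History = []
    for h in hs:
        result = disjoin(result, h)
    return result


# Inclusion check of Sec. 4, decided with a DBM closure instead of CPLEX.
INF = (float("inf"), False)

def _lt(a, b):
    """Bound order on (constant, strict): a strict bound is the tighter one."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def satisfiable(conj: Convex) -> bool:
    """Conjunction of difference constraints: no negative cycle after closure."""
    clocks = sorted({v for a in conj for v in a[:2]} | {"0"})
    d = {x: {y: (0, False) if x == y else INF for y in clocks} for x in clocks}
    for x in clocks:                      # every clock is non-negative
        d["0"][x] = (0, False)
    for x, y, strict, c in conj:
        if _lt((c, strict), d[x][y]):
            d[x][y] = (c, strict)
    for k in clocks:                      # Floyd-Warshall canonical form
        for i in clocks:
            for j in clocks:
                via = (d[i][k][0] + d[k][j][0], d[i][k][1] or d[k][j][1])
                if _lt(via, d[i][j]):
                    d[i][j] = via
    return not any(_lt(d[x][x], (0, False)) for x in clocks)

def complement(elem: Dnf) -> Dnf:
    """¬(D1 ∨ ... ∨ Dn) as a DNF: pick one negated atom from every disjunct."""
    if not elem:
        return TRUE
    return frozenset(frozenset((y, x, not s, -c) for x, y, s, c in pick)
                     for pick in itertools.product(*elem))

def uncovered(h_elem: Dnf, joined_elem: Dnf) -> bool:
    """Is H_i ∧ ¬H'_i satisfiable, i.e. does H_i allow timing H'_i does not?"""
    return any(satisfiable(c1 | c2)
               for c1 in h_elem for c2 in complement(joined_elem))

def needs_transition(h: History, joined: History) -> bool:
    """Add the ZH_A transition iff some element of H is not covered by H'."""
    k = max(len(h), len(joined))
    return any(uncovered(a, b) for a, b in zip(pad(h, k), pad(joined, k)))
```

With the two a-switches of A′ from Fig. 3 joined, the single element of A is covered; dropping the second switch as in Example 9 makes it uncovered, so the transition of ZH_A has to be added.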
If this is the case, then the behavior of ZH_A is not yet completely included in ZH_{A×A′}, and we need to add the respective transition of ZH_A to ZH_{A×A′}. However, if H₁ ∧ ¬H′₁ is not satisfiable, then the behavior of ZH_A is already included in ZH_{A×A′}. In our implementation, we utilize IBM ILOG CPLEX for these checks [18].

In contrast to the theoretical constructions described in the previous section, TIMBRCHECK is obviously not able to first construct a (potentially) infinite zone-history graph before applying Algorithm 1 for pruning it to a finite zone-history graph. Instead, we incrementally interleave Algorithm 1 with zone-history graph construction in order to perform on-the-fly pruning. To this end, we apply the check in line 8 whenever a new state is potentially added to the zone-history graph.

Our tool implementation can be used to conduct experimental timed-bisimilarity checking using different bound values b, as will be described in the next section.

In this section, we present experimental results gained from applying our tool implementation (see Section 4) of the previously presented technique to a collection of TA models. In particular, we consider the following research questions.
Research Questions.
Our tool TIMBRCHECK allows us to investigate the impact of parameter b (see Sect. 3) on efficiency and precision of timed-bisimilarity checking. Intuitively, we expect that increasing the value of b has a negative impact on performance, but a positive impact on precision. We expect that there exists a value for b yielding the best trade-off between both criteria on average. In contrast, as our approach may only yield false positives but no false negatives, we do not have to investigate recall measures (see Theorem 2).

In addition, we expect the presence of non-deterministic behavior in input models to (negatively) impact performance of timed-bisimilarity checking as compared to the deterministic case, due to the additional effort caused by the composite zone-history graph construction (see Def. 16). In contrast, we expect that the presence or absence of non-determinism does, unlike the value of b, not directly impact precision. To summarize, we consider the following research questions.

• RQ1 (Efficiency).
How does the value of b as well as the presence/absence of non-deterministic behavior impact the computational effort of timed-bisimilarity checking?
• RQ2 (Precision). How does the value of b as well as the presence/absence of non-deterministic behavior impact the precision of timed-bisimilarity checking?
• RQ3 (Trade-off). Which value for b constitutes, on average, the best efficiency/precision trade-off for timed-bisimilarity checking?

Methods and Experimental Design.
For systematically investigating and comparing the impact of different values of b, we execute the experimental runs with ten different instantiations of parameter b, namely 0, 1, 2, 3, 4, 5, 10, 20, 25, and 30. As our baselines, we consider two cases:
• b = 
• b = ∞ (tracking history information of unbounded length) guarantees precise results, but presumably causes the highest computational effort.
To keep the overall runtime of experiments realistic, we enforce a time-out of 30 minutes for checking timed bisimilarity, thus potentially leading to no final results for particular combinations of subject systems and values of b. In addition, to keep the overall number of experimental results comprehensible, we only consider strong bisimilarity-checking for scenarios without internal behavior and weak bisimilarity-checking otherwise.

Subject Systems.
We consider five different TA models taken from community benchmarks, frequently being used in recent experimental evaluations of TA analysis techniques:
• Train-Gate-Controller (TGC) [3]: railroad gate controller for a simple level crossing.
• Gear Controller (GC) [21]: component of the control system operating in a modern vehicle.
• Collision Avoidance (CA) [19]: protocol for communication among users using an Ethernet-like medium.
• Root Contention Protocol (RCP) [10]: IEEE 1394 root contention protocol of the FireWire bus.
• Audio/Video Components (AVC) [15]: messaging protocol for communication between AV components.
Unfortunately, none of the community benchmarks we found originally includes any non-determinism or τ-steps. Hence, in order to also investigate the impact of the presence of non-determinism and silent moves in our evaluation, we manually adapted these five models by sporadically adding non-deterministic choices as well as τ-steps. Overall, this results in 10 TA models, of which 5 models are deterministic and 5 models include non-determinism and τ-steps. Table 1 provides an overview of key properties of the considered models, including the number of locations, switches and clocks and the number of (syntactic) occurrences of clock resets within switch guards. Here, numbers within brackets denote the properties of the adapted non-deterministic variants of the models for those cases where the respective property differs from the original model. Based on these original models, we consider two experimental settings for executing timed-bisimilarity checking.
1. We simply copy the model and perform timed-bisimilarity checks between the original model and its one-to-one copy (which should therefore succeed).
2.
We further mutate the copied model to obtain a rich corpus of similar, yet slightly differing models and perform bisimilarity checks between the original model and its mutations (which may either succeed or fail).

Table 1: Subject Systems

    TGC      GC       CA       RCP      AVC
    14 (15)  23 (24)  6 (7)    10       18 (19)
    18 (20)  28 (32)  13 (15)  26 (28)  30 (33)
    26       34       15       26       32
    11       15       9        2        1
For the second setting, we employ an existing framework providing canonical mutation operators for TA [1]. In contrast to classical mutation testing, which is used for evaluating the effectiveness of testing techniques or test suites, equivalent mutants are not problematic in our setting, but even desirable to investigate efficiency and precision for both negative as well as positive cases. We therefore selected two operators presumably having the highest probability to produce slightly different, yet similar mutants, namely:
• operator invert resets flips the reset set R of a switch (i.e., R becomes C \ R), and
• operator change guards changes a comparison operator in a guard of a switch (e.g., ≤ becomes ≥).
We exhaustively applied both operators to all 10 subject systems. From the resulting overall number of 268 mutants, 76 are equivalent (w.r.t. timed bisimilarity) to the original model (see Table 1). Our evaluation comprises an overall number of 2029 runs of TIMBRCHECK, of which 512 should be (true) positives (including the 5 identical copies) and 1517 should be (true) negatives in case of optimally precise results. However, we do not have measurement results for every mutant and every value of b due to our maximum time-out of 30 minutes.

Data Collection.
To answer RQ1, we measure (1) CPU time and (2) memory consumption, aggregated over all mutants of each subject system. Concerning (1), we sum up the CPU times required for generating the (bounded) zone-history graphs and for the subsequent bisimilarity checks. According to Theorem 2, the result of bounded timed-bisimilarity checking for a bound value b < ∞ may yield false positives, but no false negatives. Hence, to answer RQ2, we only have to count the number of false positives. We executed all experiments on an Intel Core i7-8700k machine with 6x3.7GHz, 4GB RAM and Windows 10. Our tool is implemented in Java using AdoptOpenJDK 11.0.6.10.
Results and Discussion.
The measurement results for RQ1 (efficiency) are shown in Fig. 5. The given values correspond to the sums of CPU times as described above. Non-deterministic subject systems with internal behavior are marked with index τ. As a first observation, the CPU time required for the timed-bisimilarity check (having a peak value of 74ms, but in most cases performing much faster) is negligible as compared to the CPU time required for the bounded zone-history graph construction (ranging up to our time-out of 30 minutes). Hence, we do not consider the CPU times independently but instead sum up the CPU times in Fig. 5.

For all deterministic subject systems except for RCP and AVC, the average CPU time is less than 200ms, whereas generating the zone-history graphs for RCP takes up to 34 seconds for b ≥ 10. Furthermore, we already reached the time-out of 30 minutes for AVC for b = 10. In contrast, the computational effort for the non-deterministic subject systems heavily increases with increasing values of b. As a result, we were only able to check these subject systems for smaller values of b (ranging from b ≤ τ to b ≤ 10 for TGCτ). This can be explained through the additional computational effort for generating composite zone-history graphs. We observe very similar tendencies for the memory consumption, ranging from 40MB to 200MB for deterministic systems, and going up to more than 1GB for non-deterministic systems (which we omitted in Fig. 5).

[Figure 5: Measurement Results for RQ1; x-axis: value of b, y-axis: CPU time (seconds); series: CA, CAτ, GC, GCτ, RCP, RCPτ, TGC, TGCτ, AVC, AVCτ]

[Figure 6: Measurement Results for RQ2; x-axis: value of b, y-axis: precision; series: CA, CAτ, GC, GCτ, RCP, RCPτ, TGC, TGCτ, AVC, AVCτ]

To summarize, TIMBRCHECK performs quite well for deterministic systems, whereas the results for non-deterministic systems indicate a worst-case exponential growth of the overall computational effort (which is, however, inherent to the underlying theoretical problem).

The measurements for RQ2 (precision) are shown in Fig. 6. Furthermore, the box-plots in Fig. 7 illustrate the statistical distributions of the precision for each value of b. Here, precision ranges from 0 to 1 and denotes the ratio of true positive results to the overall number of positive results. Hence, a higher number of false positives (i.e., non-bisimilar TA being reported as bisimilar) results in lower precision. Interestingly, the median value for b = b = b ≥ 10, we observe no more false positives (except for one outlier for b = ).

[Figure 7: Summary of Results for RQ2; x-axis: value of b]

b = 5. However, we used a time-out of 30 minutes such that the box plot for b = b . Furthermore, in case of GCτ, there is no value for b without false positives for which the timed-bisimilarity check terminates before reaching the time-out. In contrast, as expected, the presence/absence of non-determinism does not have a direct impact on precision.

Finally, based on these results, we can conclude for RQ3 (trade-off) that b = 

Threats to Validity.
We first discuss internal threats. The scope of our experimental setting is limited to the class of safety TA. However, any non-trivial TA extension [27] obstructs essential properties of the underlying zone graphs, obviously making our approach more imprecise or even inapplicable. Concerning the usage of mutation operators to synthetically generate variations of our subject systems, we rely on small and locally restricted changes as usual. Nevertheless, our experiments show that those mutations may produce both TA which are equivalent to the original TA and TA which are not, thus indicating mutation to be an appropriate tool for our experiments. Finally, to ensure correctness of (a) our theory and (b) our tool implementation, we (a) provide correctness proofs and (b) exhaustively tested our tool on a rich collection of test cases in terms of particularly sophisticated pairs of TA fragments (which are also available on our accompanying web page).

We identified as external threats (a) a lack of comparison to other tools and (b) the relatively small set of subject systems. Concerning (a), there currently exists, to the best of our knowledge, no competitive tool that provides functionality comparable to TIMBRCHECK. Concerning (b), we selected our set of subject systems from well-established community benchmarks of reasonable size and complexity which are frequently used in experiments involving analysis techniques for TA. However, we plan in future work to consider further case studies, especially including real-world systems.

We presented a novel formalism, called bounded zone-history graphs, for precise, yet scalable timed-bisimilarity checking of non-deterministic TA with silent moves. Our tool TIMBRCHECK currently supports checking strong bisimilarity as well as weak bisimilarity for deterministic and non-deterministic TA provided in the UPPAAL file format. Our experimental evaluation shows promising potential in scaling bisimilarity checking for deterministic TA also to larger-scaled models without seriously harming precision. As future work, we plan to extend our tool and our accompanying experiments to more advanced classes of TA [27]. In addition, we are interested in adapting our technique to incorporate further crucial notions of behavioral equivalences beyond timed bisimulation.
References

[1] Bernhard K. Aichernig, Klaus Hörmaier & Florian Lorber (2014): Debugging with Timed Automata Mutations. In: SAFECOMP’14, LNCS 8666, Springer, pp. 49–64, doi:10.1007/978-3-319-10506-2_4.
[2] Rajeev Alur & David Dill (1990): Automata for Modeling Real-Time Systems. In: ICALP’90, LNCS 443, Springer, pp. 322–335, doi:10.1007/BFb0032042.
[3] Rajeev Alur, Thomas A. Henzinger & Moshe Y. Vardi (1993): Parametric Real-time Reasoning. In: STOC’93, ACM, pp. 592–601, doi:10.1145/167088.167242.
[4] Jesper R. Andersen, Mathias M. Hansen & Nicklas Andersen (2015): CAAL. Technical Report, Aalborg University, Department of Computer Science. Available at http://caal.cs.aau.dk/docs/CAAL2_EPG.pdf.
[5] Paolo Baldan, Andrea Corradini & Ugo Montanari (1999): History Preserving Bisimulation for Contextual Nets. In: WADT’99, LNCS 1827, Springer Berlin Heidelberg, pp. 291–310, doi:10.1007/978-3-540-44616-3_17.
[6] Richard Bellman (1957): Dynamic Programming. Princeton University Press.
[7] Johan Bengtsson & Wang Yi (2003): Timed Automata: Semantics, Algorithms and Tools. In: ACPN’03, LNCS 3098, Springer, pp. 87–124, doi:10.1007/978-3-540-27755-2_3.
[8] Béatrice Bérard, Antoine Petit, Volker Diekert & Paul Gastin (1998): Characterization of the Expressive Power of Silent Transitions in Timed Automata. Fundamenta Informaticae 36(2, 3), pp. 145–182, doi:10.3233/FI-1998-36233.
[9] Kārlis Čerāns (1992): Decidability of Bisimulation Equivalences for Parallel Timer Processes. In: CAV’92, LNCS 663, Springer, pp. 302–315, doi:10.1007/3-540-56496-9_24.
[10] Aurore Collomb-Annichini & Mihaela Sighireanu (2001): Parameterized Reachability Analysis of the IEEE 1394 Root Contention Protocol using TReX.
[11] David L. Dill (1989): Timing Assumptions and Verification of Finite-State Concurrent Systems. In: CAV’89, LNCS 407, Springer, pp. 197–212, doi:10.1007/3-540-52148-8_17.
[12] Shibashis Guha, Shankara Narayanan Krishna, Chinmay Narayan & S. Arun-Kumar (2013): A Unifying Approach to Decide Relations for Timed Automata and their Game Characterization. In: EXPRESS/SOS’13, EPTCS 120, arXiv, doi:10.4204/EPTCS.120.5.
[13] Shibashis Guha, Chinmay Narayan & S. Arun-Kumar (2012): Deciding Timed Bisimulation for Timed Automata Using Zone Valuation Graph.
[14] Shibashis Guha, Chinmay Narayan & S. Arun-Kumar (2012): On Decidability of Prebisimulation for Timed Automata. In: CAV’12, LNCS 7358, Springer, pp. 444–461, doi:10.1007/978-3-642-31424-7_33.
[15] Klaus Havelund, Arne Skou, Kim G. Larsen & Kristian Lund (1997): Formal Modeling and Analysis of an Audio/Video Protocol: An Industrial Case Study Using UPPAAL. In: RTSS’97, pp. 2–13, doi:10.1109/REAL.1997.641264.
[16] Thomas A. Henzinger, Zohar Manna & Amir Pnueli (1991): Timed Transition Systems. In: REX’91, LNCS 600, Springer, pp. 226–251, doi:10.1007/BFb0031995.
[17] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis & Sergio Yovine (1994): Symbolic Model Checking for Real-Time Systems. Information and Computation 111(2), pp. 193–244, doi:10.1006/inco.1994.1045.
[18] IBM Corp. (2017): IBM ILOG CPLEX Optimization Studio CPLEX User’s Manual.
[19] Henrik E. Jensen, Kim G. Larsen & Arne Skou (1996): Modelling and analysis of a collision avoidance protocol using Spin and Uppaal. In: DIMACS’96.
[20] Kim G. Larsen, Paul Pettersson & Wang Yi (1997): UPPAAL in a nutshell. STTT 1(1), pp. 134–152, doi:10.1007/s100090050010.
[21] Magnus Lindahl, Paul Pettersson & Wang Yi (2001): Formal design and analysis of a gear controller. STTT 3(3), pp. 353–368, doi:10.1007/BFb0054178.
[22] Faron Moller & Chris Tofts (1990): A Temporal Calculus of Communicating Systems. In: CONCUR’90, LNCS 458, Springer, pp. 401–415, doi:10.1007/BFb0039073.
[23] Xavier Nicollin & Joseph Sifakis (1994): The Algebra of Timed Processes, ATP: Theory and Application. Information and Computation 114(1), pp. 131–178, doi:10.1006/inco.1994.1083.
[24] Paul Pettersson (1999): Modelling and Verification of Real-Time Systems Using Timed Automata: Theory and Practice. Ph.D. thesis.
[25] Tomas G. Rokicki (1994): Representing and Modeling Digital Circuits. Ph.D. thesis.
[26] Tadaaki Tanimoto, Suguru Sasaki, Akio Nakata & Teruo Higashino (2004): A Global Timed Bisimulation Preserving Abstraction for Parametric Time-Interval Automata. In: ATVA’04, LNCS 3299, Springer, pp. 179–195, doi:10.1007/978-3-540-30476-0_18.
[27] Md Tawhid Bin Waez, Juergen Dingel & Karen Rudie (2013): A survey of timed automata for the development of real-time systems. Computer Science Review 9, pp. 1–26, doi:10.1016/j.cosrev.2013.05.001.
[28] Carsten Weise & Dirk Lenzkes (1997): Efficient Scaling-Invariant Checking of Timed Bisimulation. In: STACS’97, LNCS 1200, Springer, pp. 177–188, doi:10.1007/BFb0023458.
[29] Wang Yi (1990):