Verification and Parameter Synthesis for Real-Time Programs using Refinement of Trace Abstraction
VVerification and Parameter Synthesis for Real-TimePrograms using Refinement of Trace Abstraction ∗ Franck CassezDepartment of ComputingMacquarie UniversitySydney, Australia Peter Gjøl JensenDepartment of Computer ScienceAalborg UniversityDenmarkKim Guldstrand LarsenDepartment of Computer ScienceAalborg UniversityDenmarkJuly 24, 2020
Abstract
We address the safety verification and synthesis problems for real-time systems.We introduce real-time programs that are made of instructions that can perform as-signments to discrete and real-valued variables. They are general enough to captureinteresting classes of timed systems such as timed automata, stopwatch automata,time(d) Petri nets and hybrid automata. We propose a semi-algorithm using refine-ment of trace abstractions to solve both the reachability verification problem and theparameter synthesis problem for real-time programs. All of the algorithms proposedhave been implemented and we have conducted a series of experiments, comparingthe performance of our new approach to state-of-the-art tools in classical reachabil-ity, robustness analysis and parameter synthesis for timed systems. We show thatour new method provides solutions to problems which are unsolvable by the currentstate-of-the-art tools.
Model-checking is a widely used formal method to assist in verifying software systems. Awide range of model-checking techniques and tools are available and there are numerous ∗ A preliminary version of this work appeared in [13]. a r X i v : . [ c s . F L ] J u l uccessful applications in the safety-critical industry and the hardware industry – in ad-dition the approach is seeing an increasing adoption in the general software engineeringcommunity. The main limitation of this formal verification technique is the so-called stateexplosion problem . Abstraction refinement techniques were introduced to overcome thisproblem. The most well-known technique is probably the
Counter Example Guided Ab-straction Refinement (CEGAR) method pioneered by Clarke et al. [19]. In this method thestate space is abstracted with predicates on the concrete values of the program variables.The (counter-example guided) trace abstraction refinement (TAR) method was proposedlater by Heizmann et al. [26, 27] and is based on abstracting the set of traces of a programrather than the set of states. These two techniques have been widely used in the con-text of software verification. Their effectiveness and versatility in verifying qualitative (orfunctional) properties of C programs is reflected in the most recent
Software Verification competition results [8].
Analysis of timed systems.
Reasoning about quantitative properties of programs re-quires extended modeling features like real-time clocks.
Timed Automata [2] (TA), intro-duced by Alur and Dill in 1989, is a very popular formalism to model real-time systems withdense-time clocks. Efficient symbolic model-checking techniques for TA are implemented inthe real-time model-checker
Uppaal [5]. Extending TA, e.g., with the ability to stop andresume clocks (stopwatches), leads to undecidability of the reachability problem [14, 29]which is the basic verification problem. As a result, semi-algorithms have been designed toverify extended classes of TA e.g., hybrid automata , and are implemented in a number ofdedicated tools [23, 25, 28]. However, a common difficulty with the analysis of quantitativeproperties of timed automata and extensions thereof is that specialized data-structures areneeded for each extension and each type of problem. As a consequence, the analysis toolshave special-purpose efficient algorithms and data-structures suited and optimized onlytowards their specific problem and extension.In this work we aim to provide a uniform solution to the analysis of timed systemsby designing a generic semi-algorithm to analyze real-time programs which semanticallycaptures a wide range of specification formalisms, including hybrid automata. We demon-strate that our new method provides solutions to problems which are unsolvable by thecurrent state-of-the-art tools. We also show that our technique can be extended to solvespecific problems like robustness and parameter synthesis.
Related work.
The trace abstraction refinement (TAR) technique was proposed by Heiz-mann et al. [26, 27]. Wang et al. [35] proposed the use of TAR for the analysis of timedautomata. However, their approach is based on the computation of the standard zones which comes with usual limitations: it is not applicable to extensions of TA (e.g., stop-watch automata) and can only discover predicates that are zones. Moreover, their approachhas not been implemented and it is not clear whether it can outperform state-of-the-arttechniques e.g., as implemented in
Uppaal .Several works have investigated CEGAR techniques in both timed and hybrid set-2ings [1, 21, 24, 34]. The CEGAR technique has also been extended to parameter-synthesis [24].As proved by Heizmann et al. [26], such methods are special cases of the TAR framework.The
IC3 [10] verification approach has also been deployed for the verification of hybridsystems [9] but relies on a fix-point computation over a combined encoding of the transition-function, rather than a trace-subtraction approach. IC3 approaches and the likes have alsobeen used for parameter synthesis [7, 9, 18]. While similar fundamental techniques areleveraged in these approaches (e.g. [7] utilizes Fourier-Motzkin-elimination), we note thatour refinement method (TAR) is radically different in nature. IC3 is an iterative fix-pointcomputation over an up-front and complete encoding of the transition-function.Since the publication of a preliminary version of this paper [13], Kafle et al. [31] havedemonstrated a novel method of parameter synthesis for timed systems via ConstrainedHorn Clauses (CHC). While their approach shows promising results for the Fischers pa-rameter synthesis examples from [13], it currently relies on manual translation of a givenproblem into CHC format, hindering its applicability to large systems.As mentioned earlier, our technique allows for a unique and logical (predicates) rep-resentation of sets of states accross different models (timed, hybrid automata) and prob-lems (reachability, robustness, parameter synthesis), which is in contrast to state-of-the-arttools such as
Uppaal [5],
SpaceEx [25],
HyTech [28],
PHAver [23], verifix [32], sym-rob [33] and
Imitator [3] that rely on special-purpose polyhedra libraries to realize theircomputation.We propose a new technique which is radically different to previous approaches andleverages the power of SMT-solvers to discover non-trivial invariants for a large class ofreal-time systems including the class of hybrid automata. All the previous analysis tech-niques compute, reduce and check the state-space either up-front or on-the-fly, leadingto the construction of significant parts of the state-space. In contrast our approach isan abstraction refinement method and the refinements are built by discovering non-trivialprogram invariants that are not always expressible using zones, or polyehdra. For instancethey can express constraints that combine discrete and continuous variables of the system.This enables us to use our algorithm on non-decidable classes like stopwatch automata,and successfully (i.e., the algorithm terminates) check instances of these classes. A simpleexample is discussed in Section 2.
Our contribution.
We propose a variant of the trace abstractions refinement (TAR)technique to solve the reachability problem and the parameter synthesis problem for real-time programs. Our approach combines an automata-theoretic framework and state-of-the-art Satisfiability Modulo Theory (SMT) techniques for discovering program invariants.We demonstrate on a number of case-studies that this new approach can compute answersto problems unsolvable by special-purpose tools and algorithms in their respective domain.This paper is an extended version of [13] in which we first introduced TAR for real-timeprograms. In this extended version, we provide a comprehensive introduction illustrated bymore examples, extensions of the original algorithms from [13] and the proofs of theoremsand lemmas. 3
Motivations
Real-Time Programs.
Figure 1 is an example of a real-time program P . It is definedby a finite automaton A (Figure 1, top) which is the control flow graph (CFG) of P , andsome continuous and discrete instructions (bottom). The control flow graph A acceptsthe regular language L ( A ) = i.t .t ∗ .t : the program starts in (control) location ι and iscompleted when (cid:96) (accepting location) is reached. The program variables are x, y, z whichare real numbers. This real-time program is the specification of a stopwatch automatonwith 2 clocks, x and z , and one stopwatch y . The variables are updated according to thefollowing rules: • Each edge’s label defines a guard g (a condition on the variables) for which the edgeis enabled, and an update u which is an assignment to the variables when the edgeis taken. For instance the edge t can be taken when the valuation of the variable x is 1 and when it is taken, x is reset. This corresponds to a discrete transition of theprogram. • Each location is associated with a rate vector r that defines the derivatives of thevariables. The default derivative for a variable is 1 (we omit the rates for x, z inthe Figure). For instance in location (cid:96) the derivatives are (1 , ,
1) (order is x, y, z ).When the program is in location (cid:96) the variables x, y, z increase at a rate definedby their respective derivatives: x, z increase by 1 each time unit, and y is frozen(derivative is 0). This corresponds to a continuous transition of the program. ι (cid:96) (cid:96) (cid:96) A Edge Guard Update i True x:=y:=z:=0 t True z:=0 t x==1 x:=0 t x-y>=1 and z<1 -Discrete Instructions Location Rate ι dy/dt=1 (cid:96) dy/dt=1 (cid:96) dy/dt=0 (cid:96) dy/dt=0 Continuous Instructions i t t t Figure 1: Real-time program P : CFG A of P (top) with the accepting location (cid:96) andits instructions (bottom).A sequence of program instructions w = a .a . · · · .a n ∈ L ( A ) defines a (possiblyempty) set of timed words , τ ( w ), of the form ( a , δ ) . · · · ( a n , δ n ) where δ i ≥ , i ∈ [0 ..n ] isthe time elapsed between two discrete transitions. For instance, the timed words associated4ith i.t .t are of the form ( i, δ ) . ( t , δ ) . ( t , δ ), for all δ i ∈ R ≥ , i ∈ { , , } such that thefollowing constraints (predicates that define that each transition can be fired after δ i timeunits) can be satisfied : x = y = z = δ ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Time elapsing δ in ι ∧ True (cid:124) (cid:123)(cid:122) (cid:125)
Guard of i ( C ) x = y = z = 0 + δ ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Update of i and time elapsing δ in (cid:96) ∧ True (cid:124) (cid:123)(cid:122) (cid:125)
Guard of t ( C ) x = x + δ ∧ y = y ∧ z = 0 + δ ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Update of t and time elapsing δ in (cid:96) ∧ x − y ≥ ∧ z < (cid:124) (cid:123)(cid:122) (cid:125) Guard of t ( C )These constraints encode the following semantics: i is taken after δ time units and atthat time x, y, z are equal to δ and hence x , y , z are the values of the variables whenlocation (cid:96) is entered. The program remains in (cid:96) for δ time units. When t is taken after δ time units, the values of x, y, z is given by x , y , z . Finally the program remains δ time units in (cid:96) and t is taken to reach (cid:96) which is the end of the program. It follows thatthe program can execute i.t .t (or in other words, i.t .t is feasible) if and only if we canfind δ , δ , δ such that C ∧ C ∧ C is satisfiable. Hence the set of timed words associatedwith i.t .t is not empty iff C ∧ C ∧ C is satisfiable. Language Emptiness Problem.
The timed language , T L ( P ), accepted by P is theset of timed words associated with all the (untimed) words w accepted by A i.e., T L ( P ) = ∪ w ∈L ( A ) τ ( w ).The language emptiness problem is a standard problem in Timed Automata theory [2]and is stated as follows for real-time programs: given a real-time program P , is T L ( P ) empty? It is known that the emptiness problem is decidable for some classes of real-time pro-grams like Timed Automata [2], but undecidable for more expressive classes like StopwatchAutomata [29]. It is usually possible to compute symbolic representations of sets of reach-able valuations after a sequence of transitions. However, to compute the set of reachablevaluations we may need to explore an arbitrary and unbounded number of sequences. Henceonly semi-algorithms exist to compute the set of reachable valuations. For instance, using
PHAver to compute the set of reachable valuations for P does not terminate (Table 1).To force termination, we can compute an over-approximation of the set of reachable val-uations. Computing an over-approximation is sound (if we declare an over-approximationof a timed language to be empty the timed language is empty) but incomplete i.e., it mayresult in false positives (we declare a timed language non empty whereas it is empty).This is witnessed by the column “ Uppaal ” in Table 1 where
Uppaal over-approximatessets of valuations in the program P using DBMs. After i.t , the over-approximation is0 ≤ y ≤ x ∧ ≤ z ≤ x (this is the smallest DBMs that contains the actual set of valuations We assume the program starts in ι and all the variables are initially zero. i.t ). This over-approximation intersects the guard x − y ≥ ∧ z < t which enables t . Using this over-approximate set of valuations we would declare that (cid:96) is reachable in P but this is an artifact of the over-approximation. Neither
Uppaal nor
PHAver can prove that
T L ( P ) = ∅ .Sequence PHAver Uppaal i.t z = x − y ∧ ≤ z ≤ x ≤ y ≤ x ∧ ≤ z ≤ xi.t .t z = x − y + 1 ∧ ≤ x ≤ z ≤ x + 1 0 ≤ z − x ≤ ∧ ≤ yi.t . ( t ) z = x − y + 2 ∧ ≤ x ≤ z − ≤ x + 1 1 ≤ z − x ≤ ∧ ≤ yi.t . ( t ) z = x − y + 3 ∧ ≤ x ≤ z − ≤ x + 1 2 ≤ z − x ≤ ∧ ≤ y . . . . . . . . . i.t . ( t ) k z = x − y + k ∧ ≤ x ≤ z − k + 1 ≤ x + 1 k − ≤ z − x ≤ k ∧ ≤ y . . . . . . . . .Table 1: Symbolic representation of reachable states after a sequence of instructions. Up-paal concludes that
T L ( A ) (cid:54) = ∅ due to the over-approximation using DBMs. PHAver does not terminate.
Trace Abstraction Refinement for Real-Time Programs.
The technique we in-troduce can discover arbitrary abstractions and invariants that enable us to prove
T L ( P ) = ∅ . Our method is a version of the trace abstraction refinement (TAR) technique introducedin [26] and is depicted in Figure 2. L = ∅ ? Is τ ( w ) non empty? T L ( P ) = ∅ T L ( P ) (cid:54) = ∅ L := L ( CF G ( P )) Yes No, let w ∈ L Yes L := L \ InFeasible ( w ) NoFigure 2: Trace Abstraction Refinement Loop for Real-Time ProgramsLet us first introduce how the trace abstraction refinement algorithm (Figure 2) operateson a real-time program P :1. the algorithm starts using the control flow graph of P , CF G ( P ), and initially L = L ( CF G ( P )).2. if L = ∅ then T L ( P ) is empty and the algorithm terminates (green block). Uppaal terminates with the result “the language may not be empty”.
6. otherwise, there is w ∈ L . We check whether τ ( w ) is empty or not: • If it is not empty then
T L ( P ) is not empty and the algorithm terminates (redblock). • Otherwise, we can find a regular language over the alphabet of CF G ( P ), InFeasible ( w ), that satisfies: 1) w ∈ InFeasible ( w ) and 2) ∀ v ∈ InFeasible ( w ), T L ( v ) = ∅ . In the next iteration of the algorithm, we look for a candidatetrace in L \ InFeasible ( w ), i.e., we refine the trace abstraction L by subtracting InFeasible ( w ) from it.Assume the algorithm terminates after k iterations. In this case we were able to builda finite number of regular languages L = InFeasible ( w ) , L = InFeasible ( w ) , · · · , L k = InFeasible ( w k ) such that ∀ ≤ i ≤ k, T L ( L i ) = ∅ . If we terminate with T L ( P ) = ∅ then L ( CF G ( P )) ⊆ ∪ ki =1 L i . Otherwise if we terminate with τ ( w k +1 ) (cid:54) = ∅ we found a witnesstrace w k +1 ∈ L ( CF G ( P )) \ ∪ ki =1 L i such that τ ( w k +1 ) (cid:54) = ∅ i.e., a feasible timed trace. Example 1: Stopwatch Automaton.
We illustrate the algorithm using our program P : • we initially let L = L ( CF G ( P )). Since w = i.t .t ∈ L ( CF G ( P )) and thus w ∈ L the check L = ∅ fails. We therefore check whether τ ( w ) = ∅ which can be done byencoding the corresponding set of timed traces as described by Equations ( C )–( C )and then check whether C ∧ C ∧ C is satisfiable (e.g., using an SMT-solver and thetheory of Linear Real Arithmetic). C ∧ C ∧ C is not satisfiable and this establishes τ ( w ) = ∅ . • from the proof that C ∧ C ∧ C is not satisfiable, we can obtain an inductiveinterpolant that comprises of two predicates I , I – one for each conjunction – overthe variables x, y, z . An example of an inductive interpolant is I = x ≤ y and I = x − y ≤ z . These predicates are invariants of any timed word of the untimedword w , and can be used to annotate the sequence of transitions w with pre- andpost-conditions (Equation 1), which are Hoare triples of the form { C } a { D } : { True } i { I } t { I } t { False } (1)A triple { C } a { D } is valid if whenever we start in a state s satisfying C , and executeinstruction a , the resulting new state s (cid:48) is in D . { C } a { False } means that no stateexists after executing a from C , i.e., the trace a is infeasible. The inductiveness ofthe interpolants is due to the fact that each triple { C } a { D } in the sequence (1) is avalid Hoare triple. Hoare triples (and validity) generalise to sequences of instructions σ in the form { C } σ { D } . How this language is built is defined in Section 4. This is the pair returned by Z3 for C ∧ C ∧ C . { I } ( t ) ∗ { I } is a valid Hoare triple, if we combinethis fact with Equation 1 we obtain a regular set of traces annotated with pre/post-conditions as per Equation 2. { True } i { I } t { I }{ I }{ I } ( t ) ∗ ( t ) ∗ ( t ) ∗ { I }{ I }{ I } t { False } (2)This implies that the regular set of traces i.t . ( t ) ∗ .t does not have any associatedtimed traces: for each word w ∈ i.t . ( t ) ∗ .t , τ ( w ) = ∅ and as L ( CF G ( P )) ⊆ i.t . ( t ) ∗ .t we can conclude that T L ( A ) = ∅ . Example 2: Extended Timed Automaton.
The following example (Figure 3) il-lustrates how extensions of timed automata with constraints that mix discrete and realvariables can be analyzed. The real-time program P (Figure 3) is given by the CFG(left) and the instructions (right): it specifies a timed automaton with 2 clocks x, y (realvariables) and one integer variable i . This is an extended version of timed automata as ι (cid:96) (cid:96) A Edge Guard Update t x ≥ t True x:= 0; i := i + 1 t y < i -Discrete Instructions t t t Figure 3: Real-time program P : CFG A of P (left) with accepting location (cid:96) and itsinstructions (right).the constraint y < i mixes integer and real variables (clocks) and this is not permittedin the standard definition of timed automata. Initially all the variables are set to 0. Theobjective is to prove that location (cid:96) is unreachable and thus that T L ( P ) = ∅ . Note that Uppaal does allow this specification but is unable to prove that (cid:96) is unreachable because i is unbounded.Our method is able to discover invariants that mix integer and real variables and canprove that (cid:96) is unreachable as follows:1. the first iteration of the TAR algorithm starts with L = L ( CF G ( P )). The check L = ∅ is negative as w = t .t ∈ L . However every timed word in τ ( w ) must satisfythe following constraints that correspond to taking t and then t : x = y = δ ∧ δ ≥ ∧ i = 0 (cid:124) (cid:123)(cid:122) (cid:125) Time elapsing δ in ι ∧ x ≥ (cid:124) (cid:123)(cid:122) (cid:125) Guard of t ( C (cid:48) ) x = x + δ ∧ y = y + δ ∧ i = i ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Update of t and time elapsing δ in (cid:96) ∧ y < i (cid:124) (cid:123)(cid:122) (cid:125) Guard of t ( C (cid:48) ) The rates table is omitted as all the variables are clocks with rate 1. (cid:48) ∧ C (cid:48) is not satisfiable and hence T L ( t .t ) = ∅ and thus we can safely remove w from L . We can extract interpolants from the proof of unsatisfiability of C (cid:48) ∧ C (cid:48) and we establish the following sequence of valid Hoare triples: { x = y = i = 0 } t { x = y ∧ x ≥ i } t { False } (3)2. the second iteration of the TAR algorithm starts with an updated L = L ( CF G ( P )) \{ w } . Again L is not empty and for instance w = t .t .t .t is in L . The encodingfor checking the emptiness of τ ( w ) is: x = y = δ ∧ δ ≥ ∧ i = 0 (cid:124) (cid:123)(cid:122) (cid:125) Time elapsing δ in ι ∧ x ≥ (cid:124) (cid:123)(cid:122) (cid:125) Guard of t ( C (cid:48)(cid:48) ) x = x + δ ∧ y = y + δ ∧ i = i ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Update of t and time elspsing δ in (cid:96) ∧ True (cid:124) (cid:123)(cid:122) (cid:125)
Guard of t ( C (cid:48)(cid:48) ) x = 0 + δ ∧ y = y + δ ∧ i = i + 1 ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Time elapsing δ in ι ∧ x ≥ (cid:124) (cid:123)(cid:122) (cid:125) Guard of t ( C (cid:48)(cid:48) ) x = x + δ ∧ y = y + δ ∧ i = i ∧ δ ≥ (cid:124) (cid:123)(cid:122) (cid:125) Time elapsing δ in (cid:96) ∧ y < i (cid:124) (cid:123)(cid:122) (cid:125) Guard of t ( C (cid:48)(cid:48) ) C (cid:48)(cid:48) ∧ C (cid:48)(cid:48) ∧ C (cid:48)(cid:48) ∧ C (cid:48)(cid:48) is unsatisfiable and hence T L ( t .t .t .t ) = ∅ . We can extractinterpolants from the proof of unsatisfiability and we establish the following sequenceof valid Hoare triples. { x = y = i = 0 } t { y ≥ i } t .t { y ≥ i } t { False } (4)As can be seen as { y ≥ i } t .t { y ≥ i } holds we can generalize this sequence to anarbitrary number of iterations of t .t : { x = y = i = 0 } t { y ≥ i }{ y ≥ i }{ y ≥ i } ( t .t ) + ( t .t ) + ( t .t ) + { y ≥ i }{ y ≥ i }{ y ≥ i } t { False } (5)which entails that T L ( t . ( t .t ) + .t ) = ∅ . This implies that we can remove t . ( t .t ) + .t from L .3. observe that L = ∅ in the next iteration of TAR as L ( CF G ( P )) \ ( { t .t } ∪ t . ( t .t ) + .t ) = ∅ given that L ( CF G ( P )) = t . ( t .t ) ∗ .t . We have thus provedthat T L ( P ) = ∅ as any word of instructions in L ( CF G ( P )) induces an infeasibletrace and the algorithm terminates.In the rest of the paper, we provide a formal development of the methods we have intro-duced so far. 9 Real-Time Programs
Our approach is general enough and applicable to a wide range of timed systems called real-time programs . As an example, timed, stopwatch, hybrid automata and time Petrinets are special cases of real-time programs.In this section we formally define real-time programs . Real-time programs specify thecontrol flow of instructions , just as standard imperative programs do. The instructions canupdate variables by assigning new values to them. Each instruction has a semantics andtogether with the control flow this precisely defines the semantics of real-time programs.
A finite automaton over an alphabet Σ is a tuple A = ( Q, ι, Σ , ∆ , F ) where Q is a finiteset of locations s.t. ι ∈ Q is the initial location, Σ is a finite alphabet of actions, ∆ ⊆ ( Q × Σ × Q ) is a finite transition relation, F ⊆ Q is the set of accepting locations. A word w = α .α . · · · .α n is a finite sequence of letters from Σ; we let w [ i ] = α i be the i -th letterof w , | w | be the length of w which is n + 1. Let (cid:15) be the empty word and | (cid:15) | = 0, and letΣ ∗ be the set of finite words over Σ. The language , L ( A ), accepted by A is defined in theusual manner as the set of words that can lead to F from ι .Let V be a finite set of real-valued variables. A valuation is a function ν : V → R . Theset of valuations is [ V → R ].We denote by β ( V ) the set of constraints (or Boolean predicates) over V and given ϕ ∈ β ( V ), we let Vars ( ϕ ) be the set of unconstrained variables in ϕ . Given a valuation, we letthe truth value of a constraint (Boolean predicate) ϕ be denoted by ϕ ( ν ) ∈ { True , False } ,and write ν | = ϕ when ϕ ( ν ) = True and let (cid:74) ϕ (cid:75) = { ν | ν | = ϕ } .An update µ ⊆ [ V → R ] × [ V → R ] is a binary relation over valuations. Given anupdate µ and a set of valuations V , we let µ ( V ) = { ν (cid:48) | ∃ ν ∈ V and ( ν, ν (cid:48) ) ∈ µ } . We let U ( V ) be the set of updates on the variables in V .Similar to the update relation, we define a rate function ρ : V → R (rates can benegative), i.e., a function from a variable to a real number . A rate is then a vector ρ ∈ R V . Given a valuation ν and a timestep δ ∈ R ≥ the valuation ν + ( ρ, δ ) is defined by:( ν + ( ρ, δ ))( v ) = ν ( v ) + ρ ( v ) × δ for v ∈ V . Let Σ = β ( V ) × U ( V ) × R ( V ) be a countable set of instructions – and intentionally also thealphabet of the CFG. Each α ∈ Σ is a tuple ( guard, update, rates ) denoted by ( γ α , µ α , ρ α ).Let ν : V → R and ν (cid:48) : V → R be two valuations. For each pair ( α, δ ) ∈ Σ × R ≥ we define We can allow rates to be arbitrary terms but in this paper we restrict to deterministic rates or boundedintervals. α,δ −−−→ : ν α,δ −−−→ ν (cid:48) ⇐⇒ . ν | = γ α (guard of α is satisfied in ν ) , . ∃ ν (cid:48)(cid:48) s.t. ( ν, ν (cid:48)(cid:48) ) ∈ µ α (discrete update allowed by α ) and3 . ν (cid:48) = ν (cid:48)(cid:48) + ( ρ α , δ ) (continuous update as defined by α ).The semantics of α ∈ Σ is a mapping (cid:74) α (cid:75) : [ V → R ] → [ V → R ] and for ν ∈ [ V → R ] (cid:74) α (cid:75) ( ν ) = { ν (cid:48) | ∃ δ ≥ , ν α,δ −−−→ ν (cid:48) } . (6)It follows that: Fact 1 ∃ δ ≥ , ν α,δ −−−→ ν (cid:48) ⇐⇒ ν (cid:48) ∈ (cid:74) α (cid:75) ( ν ) . This mapping can be straightforwardly extended to sets of valuations K ⊆ [ V → R ] asfollows: (cid:74) α (cid:75) ( K ) = (cid:91) ν ∈ K (cid:74) α (cid:75) ( ν ) . (7) Let K be a set of valuations and w ∈ Σ ∗ . We inductively define the (strongest) postoperator Post ( K, w ) as follows:
Post ( K, (cid:15) ) = K Post ( K, α.w ) =
Post ( (cid:74) α (cid:75) ( K ) , w )The post operator extends to logical constraints ϕ ∈ β ( V ) by defining Post ( ϕ, w ) = Post ( (cid:74) ϕ (cid:75) , w ). In the sequel, we assume that, when ϕ ∈ β ( V ), then (cid:74) α (cid:75) ( (cid:74) ϕ (cid:75) ) is also definableas a constraint in β ( V ). This inductively implies that Post ( ϕ, w ) can also be expressed asa constraint in β ( V ) for sequences of instructions w ∈ Σ ∗ . A timed word (over alphabet Σ) is a finite sequence σ = ( α , δ ) . ( α , δ ) . · · · . ( α n , δ n ) suchthat for each 0 ≤ i ≤ n , δ i ∈ R ≥ and α i ∈ Σ. The timed word σ is feasible if and only ifthere exists a set of valuations { ν , . . . , ν n +1 } ⊆ [ V → R ] such that: ν α ,δ −−−−→ ν α ,δ −−−−→ ν · · · ν n α n ,δ n −−−−→ ν n +1 . We let
Unt ( σ ) = α .α . · · · .α n be the untimed version of σ . We extend the notion feasible to an untimed word w ∈ Σ ∗ : w is feasible iff w = Unt ( σ ) for some feasible timed word σ . Lemma 1
An untimed word w ∈ Σ ∗ is feasible iff Post ( True , w ) (cid:54) = False. roof 1 We prove this Lemma by induction on the length of w . The induction hypothesisis: ν α ,δ −−−−→ ν α ,δ −−−−→ ν · · · ν n α n ,δ n −−−−→ ν n +1 ⇐⇒ ν n +1 ∈ Post ( { ν } , α .α . · · · .α n ) which is enough to prove the Lemma.Base step. If w = (cid:15) , then Post ( { ν } , (cid:15) ) = { ν } .Inductive step. Assume ν α ,δ −−−−→ ν α ,δ −−−−→ ν · · · ν n α n ,δ n −−−−→ ν n +1 α n +1 ,δ n +1 −−−−−−→ ν n +2 .By induction hypothesis, ν n +1 ∈ Post ( { ν } , α .α . · · · .α n ) , and ν n +2 ∈ (cid:74) α n +1 (cid:75) ( ν n +1 ) . Bydefinition of Post this implies that ν n +2 ∈ Post ( { ν } , α .α . · · · .α n .α n +1 ) . The specification of a real-time program decouples the control (e.g., for Timed Automata,the locations) and the data (the clocks or integer variables). A real-time program is a pair P = ( A P , (cid:74) · (cid:75) ) where A P is a finite automaton A P = ( Q, ι, Σ , ∆ , F ) over the alphabet Σ,∆ defines the control-flow graph of the program and (cid:74) · (cid:75) provides the semantics of eachinstruction.A timed word σ is accepted by P if and only if:1. Unt ( σ ) is accepted by A P and,2. σ is feasible.The timed language , T L ( P ), of a real-time program P is the set of timed words acceptedby P , i.e., σ ∈ T L ( P ) if and only if Unt ( σ ) ∈ L ( A P ) and σ is feasible. Remark 1
We do not assume any particular values initially for the variables of a real-timeprogram (the variables that appear in I ). This is reflected by the definition of feasibility that only requires the existence of valuations without containing the initial one ν . Whenspecifying a real-time program, initial values can be explicitly set by regular instructionsat the beginning of the program. This is similar to standard programs where the firstinstructions can set the values of some variables. The (timed) language emptiness problem asks the following:Given a real-time program P , is T L ( P ) empty? Theorem 1
T L ( P ) (cid:54) = ∅ iff ∃ w ∈ L ( A P ) such that Post ( True , w ) (cid:54)⊆ False.
Proof 2
T L ( P ) (cid:54) = ∅ iff there exists a feasible timed word σ such that Unt ( σ ) is acceptedby A P . This is equivalent to the existence of a feasible word w ∈ L ( A P ) , and by Lemma 1,feasibility of w is equivalent to Post ( True , w ) (cid:54)⊆ False. Σ can be infinite but we require the control-flow graph ∆ (transition relation) of A P to be finite. .7 Useful Classes of Real-Time Programs Timed Automata are a special case of real-time programs. The variables are called clocks. β ( V ) is restricted to constraints on individual clocks or difference constraints generated bythe grammar: b , b ::= True | False | x − y (cid:49) k | x (cid:49) k | b ∧ b (8)where x, y ∈ V , k ∈ Q ≥ and (cid:49) ∈ { <, ≤ , = , ≥ , > } . We note that wlog. we omit locationinvariants as for the language emptiness problem, these can be implemented as guards.An update in µ ∈ U ( V ) is defined by a set of clocks to be reset . Each pair ( ν, ν (cid:48) ) ∈ µ issuch that ν (cid:48) ( x ) = ν ( x ) or ν (cid:48) ( x ) = 0 for each x ∈ V . The valid rates are fixed to 1, andthus R ( V ) = { } V . Stopwatch Automata can also be defined as a special case of real-time programs. Asdefined in [14], Stopwatch Automata are Timed Automata extended with stopwatches which are clocks that can be stopped. β ( V ) and U ( V ) are the same as for Timed Automatabut the set of valid rates is defined by the functions of the form R ( V ) = { , } V (the clockrates can be either 0 or 1). An example of a Stopwatch Automaton is given by the timedsystem A in Figure 1.As there exists syntactic translations (preserving timed languages or reachability) thatmap hybrid automata to stopwatch automata [14], and translations that map time Petrinets [6, 16] and extensions [12, 11] thereof to timed automata, it follows that time Petrinets and hybrid automata are also special cases of real-time programs. This shows thatthe method we present in the next section is applicable to a wide range of timed systems.What is remarkable as well, is that it is not restricted to timed systems that have a finitenumber of discrete states but can also accommodate infinite discrete state spaces. Forexample, the real-time program P in Figure 3, page 8 has two clocks x and y and anunbounded integer variable i . Even though i is unbounded, our technique discovers theloop invariant y ≥ i of the ι and (cid:96) locations – an invariant is over a real-time clock y andthe integer variable i . It allows us to prove that T L ( P ) = ∅ as the guard of t never canbe satisfied ( y < i ). In this section we give a formal description of a semi-algorithm to solve the language empti-ness problem for real-time programs. The semi-algorithm is a version of the refinement oftrace abstractions (TAR) approach [26] for timed systems. While difference constraints are strictly disallowed in most definitions of Timed Automata, the methodwe propose retain its properties regardless of their presence. .1 Refinement of Trace Abstraction for Real-Time Programs We have already introduced our algorithm in Figure 2, page 6. We now give a preciseformulation of the TAR semi-algorithm for real-time programs, in Algorithm 1. It is essen-tially the same as the semi-algorithm as introduced in [26] – we therefore omit theoremsof completeness and soundness as these will be equivalent to the theorems in [26] and areproved in the exact same manner.
Algorithm 1:
RTTAR – Trace Abstraction Refinement for Real-Time Programs
Input :
A real-time program P = ( A P , (cid:74) · (cid:75) ). Result: ( True , − ) if T L ( P ) = ∅ , and otherwise ( False , w ) if
T L ( P ) (cid:54) = ∅ with w ∈ L ( A P )and Post ( True , w ) (cid:54)⊆ False – or non-termination.
Var : R : a regular language, initially R = ∅ . w : a word in L ( A P ), initially w = (cid:15) . T : A finite automaton, initially empty. while L ( A P ) (cid:54)⊆ R do Let w ∈ L ( A P ) \ R ; if Post ( True , w ) (cid:54)⊆ False then /* w is feasible and w is a counter-example */ return ( False , w ); else /* w is infeasible, compute an interpolant automaton based on w */ Let T = ITA ( w ); /* Add T to refinement and continue */ Let R := R ∪ L ( T ); return ( True , − ); The input to the semi-algorithm
TAR-RT is a real-time program P = ( A P , (cid:74) · (cid:75) ). Aninvariant of the semi-algorithm is that the refinement R , which is subtracted to the initialset of traces, is either empty or containing infeasible traces only. In the coarsets, initialabstraction, all the words L ( A P ) are potentially feasible. In each iteration of the algorithm,we then chip away infeasible behaviour (via the set R ) of A P , making the set difference L ( A P ) \ R move closer to the set of feasible traces, thereby shrinking the overapproximationof feasible traces ( L ( A P ) \ R ).Initially the refinement R is the empty set. The semi-algorithm works as follows: Step 1 line 1, check whether all the (untimed) traces in L ( A P ) are in R . If this is thecase, T L ( P ) is empty and the semi-algorithm terminates (line 8). Otherwise (line 2),there is a sequence w ∈ L ( A P ) \ R , goto Step 2; Step 2 if w is feasible (line 3) i.e., there is a feasible timed word σ such that Unt ( σ ) = w , then σ ∈ T L ( P ) and T L ( P ) (cid:54) = ∅ and the semi-algorithm terminates (line 4).Otherwise w is not feasible, goto Step 3;14 tep 3 w is infeasible and given the reason for infeasibility we can construct (line 6)a finite interpolant automaton , ITA ( w ), that accepts w and other words that areinfeasible for the same reason. How ITA ( w ) is computed is addressed in the sequel.The automaton ITA ( w ) is added (line 7) to the previous refinement R and the semi-algorithm starts a new round at Step 1 (line 1).In the next paragraphs we explain the main steps of the algorithms: how to check feasibilityof a sequence of instructions and how to build ITA ( w ). Given a arbitrary word w ∈ Σ ∗ , we can check whether w is feasible by encoding the side-effects of each instruction in w using linear arithmetic as demonstrated in Examples 1and 2.We now define a function Enc for constructing such a constraint-system characterizingthe feasibility of a given trace. We first show how to encode the side-effects and feasibilityof a single instruction α ∈ Σ. Recall that α = ( γ, µ, ρ ) where the three components arerespectively the guard, the update, and the rates. Assume that the variables in α are X = { x , x , · · · , x k } . We can define the semantics of α using the standard unprimed and primed variables ( X (cid:48) ). We assume that the guard and the updates can be defined bypredicates and write α = ( ϕ ( x ) , µ ( x, x (cid:48) ) , ρ ( x )) with: • ϕ ( x ) ∈ β ( X ) is the guard of the instruction, • µ ( x, x (cid:48) ) a set of constraints in β ( X ∪ X (cid:48) ), • ρ : X → Q defines the rates of the variables.The effect of α from a valuation x (cid:48)(cid:48) , which is composed of 1) discrete step if the guard istrue followed by the updates leading to a new valuation x (cid:48) , and 2) continuous step i.e., timeelapsing δ , leading to a new valuation x , can be encoded as follows: Enc ( α, x (cid:48)(cid:48) , x (cid:48) , x, δ ) = ϕ ( x (cid:48)(cid:48) ) ∧ µ ( x (cid:48)(cid:48) , x (cid:48) ) ∧ x = x (cid:48) + ( ρ, δ ) ∧ δ ≥ K ( x ) be a set of valuations that can be defined as constraint in β ( X ). It follows that (cid:74) α (cid:75) ( K ( x )) is defined by: ∃ δ, x (cid:48)(cid:48) , x (cid:48) such that K ( x (cid:48)(cid:48) ) ∧ Enc ( α, x (cid:48)(cid:48) , x (cid:48) , x, δ ) (10)In other terms, (cid:74) α (cid:75) ( K ( x )) is not empty iff K ( x (cid:48)(cid:48) ) ∧ Enc ( α, x (cid:48)(cid:48) , x (cid:48) , x, δ ) is satisfiable .We can now define the encoding of a sequence of instructions w = α .α . · · · .α n ∈ Σ ∗ .Given a set of variables W , we define the corresponding set of super-scripted variables W k = { w j , w ∈ W, ≤ j ≤ k } . Instead of using x, x (cid:48) , x (cid:48)(cid:48) we use super-scripted variables The union of the variables in γ, µ, ρ . x denotes the vector of variables { x , x , · · · , x k } . k (and y k for the intermediate variables x (cid:48) ) to encode the side-effect of each instructionin the trace: Enc ( w ) = n (cid:94) i =0 Enc ( α i , x i , y i , x i +1 , δ i )It is straighgforward to prove that the function Enc : Σ ∗ → β ( X n +1 ∪ Y n ∪ { δ } n )constructs a constraint-system characterizing exactly the feasibility of a word w : Fact 2
For each w ∈ Σ ∗ , Post ( True , w ) (cid:54)⊆ False iff Enc ( w ) is satisfiable. If the terms we build are in a logic supported by SMT-solvers (e.g., Linear Real Arithmetic)we can automatically check satisfiability. If
Enc ( w ) is satisfiable we can even collect some model which provides witness values for the δ k . Otherwise, if Enc ( w ) is unsatisfiable, thereare some options to collect some reasons for unsatisfiability : unsat cores or interpolants.The latter is discussed in the next section.An example of an encoding for the real-time program P (Figure 1) and the sequence w = i.t .t is given by the predicates in Equation ( C )–( C ). Hence the sequence w = i.t .t is feasible iff Enc ( w ) = C ∧ C ∧ C is satisfiable. Using a SMT-solver, e.g., withZ3, we can confirm that Enc ( w ) is unsatisfiable. The interpolating solver Z3 can alsogenerate a sequence of interpolants, I = x ≤ y and I = x − y ≤ z , that provide a generalreason for unsatisfiability and satisfy: { True } i { I } t { I } t { False } . We can use the interpolants to build interpolant automata as described in the next section.
When it is determined that a trace w is infeasible, we can easily discard such a single traceand continue searching for a different one. However, the power of the TAR method is togeneralize the infeasibility of a single trace w into a family (regular set) of traces. Thisregular set of infeasible traces is computed from a reason of infeasibility of w and is formallyspecified by an interpolant automaton , ITA ( w ). The reason for infeasibility itself can bethe predicates obtained by computing strongest post-conditions or weakest-preconditionsor anything in between but it must be an inductive interpolant .Given a conjunctive formula f = C ∧ · · · ∧ C m , if f is unsatisfiable, an inductiveinterpolant is a sequence of predicates I , . . . , I m − s.t: • True ∧ C = ⇒ I , The interpolating feature of Z3 has been phased out from version 4.6.x. However, there are alternativetechniques to obtain inductive interpolants e.g., using unsat cores [22]. Strongest post-conditions and weakest pre-conditions can provide inductive interpolants rue I I (cid:48) I (cid:48) I (cid:48) I (cid:48) False I (cid:48) t t t t t t t ii Figure 4: Interpolant automaton for L ( ITA ( w )) ∪ L ( ITA ( w • I m − ∧ C m = ⇒ False , • For each 0 ≤ n < m − I n ∧ C n +1 = ⇒ I n +1 , and the variables in I n appear in both C n and C n +1 i.e., Vars ( I n ) ⊆ Vars ( C n ) ∩ Vars ( C n +1 ).If the predicates C , C , · · · , C m encode the side effects of a sequence of instructions α .α . · · · , α m , then one can intuitively think of each interpolant as a sufficient condi-tion for infeasibility of the post-fix of the trace and this can be represented by a sequenceof valid Hoare triples of the form { C } a { D } : { True } α { I } α { I } · · · { I m − } α m { False } Consider the real-time program P of Figure 3 and the two infeasible untimed words w = i.t .t and w = i.t .t .t .t . Some inductive interpolants for w and w can be given by: I = y ≥ x ∧ ( k = 0), I = y ≥ k for w and I (cid:48) = y ≥ x ∧ k ≤ I (cid:48) = y ≥ ∧ k ≤ I (cid:48) = y ≥ k + x , I (cid:48) = y ≥ k + 1 for w . From the inductive interpolants one can obtainvalid Hoare triples by de-indexing the predicates in the inductive interpolants as shownin Equations 11-12: { True } i { π ( I ) } t { π ( I ) } t { False } (11) { True } i { π ( I (cid:48) ) } t { π ( I (cid:48) ) } t { π ( I (cid:48) ) } t { π ( I (cid:48) ) } t { False } (12)where π ( I k ) is the same as I k where each indexed variable x j replaced by x . As can beseen in Equation 12, the sequence contains two occurrences of t : this suggests that aloop occurs in the program, and this loop may be infeasible as well. Formally, because Post ( π ( I (cid:48) ) , t ) ⊆ I (cid:48) , any trace of the form i.t .t . ( t .t ) ∗ .t .t is infeasible. This enablesus to construct an interpolant automaton ITA ( w ) accepting the regular set of infeasibletraces i.t .t . ( t .t ) ∗ .t .t . Overall, because w is also infeasible, the union of the languagesaccepted by ITA ( w ) and ITA ( w ) is a set of infeasible traces as defined by the finiteautomaton in Figure 4.Given w such that Enc ( w ) is unsatisfiable we can always find an inductive interpolant:the strongest post-conditions Post ( True , w [ i ]) or (the weakest pre-conditions from False )defines an inductive interpolant. More generally, we have: This is a direct result of the encoding function
Enc . The interpolants can only contain at most oneversion of each indexed variables. emma 2 Let w = α .α . · · · .α m ∈ Σ ∗ . If Enc ( w ) = C ∧ C ∧ · · · ∧ C m is unsatisfiableand I , · · · , I m − is an inductive interpolant for Enc ( w ) , the following sequence of Hoaretriples { True } α { π ( I ) } α { π ( I ) } · · · α m − { π ( I m − ) } α m { False } is valid. Proof 3
The proof follows from the encoding Enc ( w ) and the fact that each I k is includedin the weakest pre-condition wp ( False , α k +1 .α m ) which can be proved by induction using theproperty of inductive interpolants. Let us formalize the interpolant-automata construction. Let w = α .α . · · · .α m ∈ Σ ∗ , Enc ( w ) = C ∧ · · · ∧ C m and assume Post ( True , w ) ⊆ False i.e.,
Enc ( w ) is unsatisfiable(Fact 2).Let I , . . . I m − be an inductive interpolant for C ∧ · · · ∧ C m . We can construct aninterpolant automaton for w , ITA ( w ) = ( Q w , q w , Σ w , ∆ w , F w ) as follows: • Q w = { True , False , π ( I ) , · · · , π ( I m − ) } , (note that if two de-indexed interpolants arethe same they account for one state only), • Σ w = { α , α , · · · , α m } , • F w = { False } , • ∆ w satisfies following conditions:1. ( True , α , π ( I )) ∈ ∆ w ,2. ( π ( I m − ) , α m , False ) ∈ ∆ w ,3. ∀ a ∈ Σ w , ∀ ≤ k, j ≤ m −
1, if
Post ( π ( I k ) , a ) ⊆ π ( I j ) then ( π ( I k ) , a, π ( I j )) ∈ ∆ w .Notice that as Post ( π ( I k ) , α k +1 ) ⊆ π ( I k +1 ) the word w itself is accepted by ITA ( w ) and ITA ( w ) is never empty. Theorem 2 (Interpolant Automata)
Let w be an infeasible word over P , then for all w (cid:48) ∈ L ( ITA ( w )) , w (cid:48) is infeasible. Proof 4
This proof is essentially the same as the original one in [26]. The proof uses rule 3in the construction of ITA ( w ) : every word accepted by ITA ( w ) goes through a sequence ofstates that form a sequence of valid Hoare triples and end up in False. It follows that if w (cid:48) ∈ ITA ( w ) , Post ( True , w (cid:48) ) ⊆ False. .4 Union of Interpolant Automata In the TAR algorithm we construct interpolant automata at each iteration and the currentrefinement R is the union of the regular languages L ( ITA ( w k )) for each infeasible w k . Theunion can be computed using standard automata-theoretic operations. This assumes thatwe somehow forget the predicates associated with each state of an interpolant automaton.In this section we introduce a new technique to re-use the information computed ineach ITA ( w k ) and obtain larger refinements.Let A = ( Q, q , Σ , ∆ , F ) be a finite automaton such that each q ∈ Q is a predicate in ϕ ( X ). We say that A is sound if the transition relation ∆ satisfies: ( I, α, J ) ∈ ∆ impliesthat (cid:74) α (cid:75) ( I ) ⊆ J (or Post ( I, α ) ⊆ J ).Let R = ( Q R , { True } , Σ R , ∆ R , { False } ) be a sound finite automaton that accepts onlyinfeasible traces. Let w ∈ Σ ∗ with w infeasible. The automaton ITA ( w ) = ( Q w , { True } , Σ w , ∆ w , { False } )built as described in section 4.3 is sound. We can define an extended union , R (cid:93) ITA ( w ) =( Q R ∪ Q w , { True } , Σ R ∪ Σ w , ∆ R (cid:93) ITA ( w ) , { False } ) of R and ITA ( w ) with:∆ R (cid:93) ITA ( w ) = { ( p, α, p (cid:48) ) } | ∃ ( q, α, q (cid:48) ) ∈ ∆ R ∪ ∆ w s.t. p ⊆ q and p (cid:48) ⊇ q (cid:48) } . It is easy to see that L ( R (cid:93) ITA ( w )) ⊇ L ( R ) ∪ L ( ITA ( w )) but also: Theorem 3
Let w (cid:48) ∈ L ( R (cid:93) ITA ( w )) . Then Post ( True , w (cid:48) ) ⊆ False.
Proof 5
Each transition ( p, α, p (cid:48) ) in R (cid:93) ITA ( w ) corresponds to a valid Hoare triple. It iseither in ∆ R or ∆ w and then is valid by construction or it is weaker than an establishedHoare triple in ∆ R or ∆ w . This theorem allows us to use the (cid:93) operator in Algorithm 1 instead of the standard unionof regular languages. The advantage is that we re-use already established Hoare triples tobuild a larger refinement at each iteration.
Satisfiability can be checked with an SMT-solver (and decision procedures exist for usefultheories). In the case of timed automata and stopwatch automata, the feasibility of a tracecan be encoded in linear arithmetic. The corresponding theory, Linear Real Arithmetic(LRA) is decidable and supported by most SMT-solvers. It is also possible to encodenon-linear constraints (non-linear guards and assignments). In the latter cases, the SMT-solver may not be able to provide an answer to the SAT problem as non-linear theories areundecidable. However, we can still build on a semi-decision procedure of the SMT-solver,and if it provides an answer, get the status of a trace (feasible or not).
Let us now construct a set of criteria on a real-time program P = (( Q, q , Σ , ∆ , F ) , (cid:74) · (cid:75) ) s.t.our proposed method is guaranteed to terminate.19 emma 3 Termination The algorithm presented in Figure 2 terminates if the followingthree conditions hold.1. For any word σ ∈ Σ ∗ , then (cid:74) σ (cid:75) is expressible within a decidable theory (supported bythe solver), and2. the statespace of P has a finite representation, and3. the solver used returns interpolants within the finite statespace representation. Proof 6
First consider the algorithm presented in Figure 2, then we can initially state thatfor each iteration of the loop R grows and thus the NFA representing R ( A R ) must also. Asper the construction presented in Section 4.4 we can observe that the transition-functionof A R will increase by at least one in each iteration in Step 3. If not, the selection of σ between step 1 and step 2 is surely violated or the construction of ITA in step 3 is.From Conditions 2 and 3 we have that the statespace is finitely representable and thatthese representatives are used by the solver. Thus we know that the interpolant automataalso has a finite set of states as per the construction of Section 4.4. Together with the finite-ness of the set of instructions, this implies that the transition-function of the interpolantautomata must also be finite. Hence, the algorithm can (at most) introduce a transitionbetween each pair of states with each instruction, but must at least introduce a new one inevery iteration. As this termination condition relies on the solver, it is heavily dependent on the con-struction of the solver. However, if we consider the class of real-time programs capturedby Timed Automata, we know that condition 1 is satisfied (in fact it is Linear Real Arith-metic), condition 2 is satisfied via the region-graph construction. This leaves the con-struction of a solver satisfying condition 3, which in turn should be feasible already fromcondition 2, but is practically achievable for TA via extrapolation-techniques and differ-ence bound matrices (or for systems with only non-strict guards; timed-darts or integerrepresentatives).
In this section we show how to use the trace abstraction refinement semi-algorithm pre-sented in Section 4 to synthesize good initial values for some of the program variables,and to check robustness of timed automata. We first define the
Maximal Safe Initial State problem and then show how to reduce parameter synthesis and robustness to special casesof this problem.
Given a real-time program P , the objective is to determine a set of initial valuations I ⊆ [ V → R ] such that, when we start the program in I , T L ( P ) is empty.20iven a constraint I ∈ β ( V ), we define the corresponding assume instruction by: Assume ( I ) = ( I, Id , P = ( Q, q , Σ , ∆ , F ) be a real-time program and I ∈ β ( V ). We define the real-timeprogram Assume ( I ) .P = ( Q, { ι } , Σ ∪ { Assume ( I ) } , ∆ ∪ { ( ι, Assume ( I ) , q ) } , F ).The maximal safe initial state problem asks the following: Given a real-time program P , find a maximal I ∈ β ( V ) s.t. T L ( Assume ( I ) .P ) = ∅ . Let w ∈ L ( Assume ( I ) .P ) be a feasible word. It follows that Enc ( w ) must be satisfi-able. We can define the set of initial values for which Enc ( w ) is satisfiable by project-ing away all the variables in the encoding Enc ( w ) except the ones indexed by 0. Let I = ∃ ( Vars ( Enc ( w )) \ X ) . Enc ( w ) be the resulting (existentially quantified) predicateand π ( I ) be the corresponding constraint on the program variables without indices. Welet ∃ i ( w ) = π ( I ). It follows that ∃ i ( w ) is the maximal set of valuations for which w isfeasible. Note that existential quantification for the theory of Linear Real Arithmetic iswithin the theory via Fourier–Motzkin-elimination – hence the computation of ∃ i ( w ) byan SMT-solver only needs support for Linear Real Arithmetic when P encodes a linearhybrid, stopwatch or timed automaton. The TAR-based semi-algorithm for the maximal safe initial state problem is presentedin Figure 5. The semi-algorithm in Figure 5 works as follows: T L ( Assume ( I ) .P ) = ∅ ?Maximal safe init is II := True I := I ∧ ¬∃ i ( Unt ( σ ))YesNo Let σ ∈ T L ( Assume ( I ) .P ) Figure 5: Semi-algorithm
SafeInit .1. initially I = True
2. using the semi-algorithm 1, check whether
T L ( Assume ( I ) .P ) is empty3. if so P does not accept any timed word when we start from (cid:74) I (cid:75) ; This idea of using Fourier-Motzkin elimination has already been proposed [7] in the context of timedPetri nets.
21. Otherwise, there is a witness word σ ∈ T L ( Assume ( I ) .P ), implying that I ∧ Enc ( Unt ( σ ))is satisfiable. It follows that ∃ i . Enc ( Unt ( σ )) cannot be part of the maximal set. It isused to strengthen I and repeating from step 2.If the semi-algorithm terminates, it computes exactly the maximal set of values forwhich the system is safe ( I ), captured formally by Theorem 4. Theorem 4
If the semi-algorithm SafeInit terminates and outputs I , then:1. T L ( Assume ( I ) .P ) = ∅ and2. for any I (cid:48) ∈ β ( V ) , T L ( Assume ( I (cid:48) ) .P ) = ∅ implies I (cid:48) ⊆ I . Proof 7
The fact that
T L ( Assume ( I ) .P ) = ∅ follows from termination.The fact that I is maximal is an invariant of the semi-algorithm: at the beginning, I = True and is clearly maximal. At each iteration, we may subtract a set of valuations K fromthe previously computed I , but these valuations are all such that T L ( Assume ( ν ) .P ) (cid:54) = ∅ for any ν ∈ K by definition of existential quantification.Hence every time a set of valuations is removed by strengthening I only unsafe initialvaluations are removed. It follows that if safeInit terminates, I is maximal. Let P = ( Q, q , Σ , ∆ , F ) be a real-time program over a set of variables X ∪ U such that: ∀ u ∈ U, ∀ ( g, µ, ρ ) ∈ ∆ , ( ν, ν (cid:48) ) ∈ µ = ⇒ ν ( u ) = ν (cid:48) ( u ) and ρ ( u ) = 0. In words, variables in U are constant variables. Note that they can appear in the guard g .The parameter synthesis problem asks the following: Given a real-time program P , find a maximal set I ∈ β ( U ) s.t. T L ( Assume ( I ) .P ) = ∅ . The parameter synthesis problem is a special case of the maximal safe initial state problem.Indeed, solving the maximal safe initial state problem allows us to find the maximal setof parameters such that
T L ( P ) = ∅ . Let I be a solution to the maximal safe initialstate problem. Then ∃ ( Vars ( P ) \ U ) .I is a maximal set of parameter values such that T L ( P ) = ∅ . Another remarkable feature of our technique is that it can readily be used to check robust-ness of real-time programs and hence timed automata. In essence, checking robustnessamounts to enlarging the guards of a real-time program P by an ε >
0. The resultingprogram is P ε .The robustness problem asks the following: For now assume there is a unique maximal solution. P , is there some (cid:15) >
0, s.t.
T L ( P (cid:15) ) = ∅ .Using our method we can solve the robustness synthesis problem which asks thefollowing:Given a real-time program P , find a maximal (cid:15) >
0, s.t.
T L ( P (cid:15) ) = ∅ .This problem asks for a witness (maximal) value for (cid:15) .The robustness synthesis is a special case of the parameter synthesis problem where (cid:15) is a parameter of the program P .Note that in our experiments (next section), we assume that P is robust and in thiscase we can compute a maximal value for (cid:15) . Proving that a program is non-robust re-quires proving feasibility of infinite traces for ever decreasing (cid:15) . We have developed sometechniques (similar to proving termination for standard programs) to do so but this is stillunder development. We have conducted three sets of experiments, each testing the applicability of our pro-posed method (denoted by rttar ) compared to state-of-the-art tools with specializeddata-structures and algorithms for the given setting. All experiments were conducted onAMD EPYC 7551 Processors and limited to 1 hour of computation. The rttar tool usesthe
Uppaal parsing-library, but relies on Z3 [20] for the interpolant computation. Ourexperimental setup is available online [30]. The real-time programs, P of Figure 1 and P of Figure 3 can be analyzed with ourtechnique. The analysis ( rttar algorithm 1) terminates in two iterations for the program P , a stopwatch automaton. As emphasized in the introduction, neither Uppaal (over-approximation with DBMs) nor
PHAver can provide the correct answer to the reachabilityproblem for P .To prove that location 2 is unreachable in program P requires to discover an invariantthat mixes integers (discrete part of the state) and clocks (continuous part). Our techniquesuccessfully discovers the program invariants. As a result the refinement depicted in Fig-ure 4 is constructed and as it contains L ( A P ) the refinement algorithm RTTAR terminatesand proves that 2 is not reachable. A P can only be analyzed in Uppaal with significantcomputational effort and bounded integers. 23 mitator-2.12 rttar A1 DNF 0.08
Sched2.100.0
Sched2.50.0 fischer_2
DNF 0.26 fischer_2_robust
DNF 0.25 fischer_4
DNF 47.96 fischer_4_robust
DNF 50.26Table 2: Results for parameter-synthesis comparing rttar with
Imitator . Time is givenin seconds. DNF marks that the tool did not complete the computation within an hour.Figure 6: A
Uppaal template for a single process in Fischers Algorithm. The variables e , a and b are parameters for (cid:15) , lower and upper bounds for clock-values respectively. We compare the rttar tool to
Imitator [3] – the state-of-the-art parameter synthesistool for reachability . We shall here use the semi-algorithm presented in Section 5 For thetest-cases we use the gadget presented initially in Figure 1, a few of the test-cases usedin [4], as well as two modified versions of Fischers Protocol, shown in Figure 6. In thefirst version we replace the constants in the model with parameters. In the second version(marked by robust), we wish to compute an expression, that given an arbitrary upper andlower bound yields the robustness of the system – in the same style as the experimentspresented in Section 6.3, but here for arbitrary guard-values.As illustrated by Table 2 the performance of rttar is slower than Imitator when
Imitator is able to compute the results. On the other hand, when using
Imitator toverify our motivating example from Figure 1, we observe that
Imitator never terminates,due to the divergence of the polyhedra-computation. This is the effect illustrated in Table 1.When trying to synthesize the parameters for Fischers algorithm, in all cases,
Imitator We compare with the
EFSynth -algorithm in the
Imitator tool as this yielded the lowest computationtime in the two terminating instances. ttar robust symrob csma_05 ∞ N/A N/A
M3c ∞ Table 3: Results for robustness analysis comparing rttar with symrob . Time is given inseconds. N/A indicates that symrob was unable to compute the robustness for the givenmodel.times out and never computes a result. For both two and four processes in Fischersalgorithm, our tool detects that the system is safe if and only if a < ∨ b < ∨ b − a > a < ∨ b < b − a > b − a > rttar algorithm is that the system isrobust iff (cid:15) ≤ ∨ a < ∨ b < ∨ b − a − (cid:15) > (cid:15) = 0 (modulo the initialnon-zero constraint on (cid:15) ) reduces to the constraint-system obtained in the non-robust case. To address the robustness problem for a real-time program P , we use the semi-algorithmpresented in Section 5 and reduce the robustness-checking problem to that of parameter-synthesis. Notice the delimitation of the input-problems to robust-only instances fromSection 5.4.As Table 3 demonstrates, symrob [33] and rttar do not always agree on the results.Notably, since the TA M3 contains strict guards, symrob is unable to compute the ro-bustness of it. Furthermore, symrob under-approximates (cid:15) , an artifact of the so-called“loop-acceleration”-technique and the polyhedra-based algorithm. This can be observed inthe modified model M3c , which is now analyzable by symrob , but differs in results com-pared to rttar . This is the same case with the model denoted a . We experimented with (cid:15) -values to confirm that M3 is safe for all the values tested – while a is safe only for valuestested respecting (cid:15) < . We can also see that our proposed method is significantly slowerthan the special-purpose algorithms deployed by symrob , but in contrast to symrob , itcomputes the maximal set of good paramaters.25 Conclusion
We have proposed a version of the trace abstraction refinement approach to real-time pro-grams. We have demonstrated that our semi-algorithm can be used to solve the reachabilityproblem for instances which are not solvable by state-of-the-art analysis tools.Our algorithms can handle the general class of real-time programs that comprises ofclassical models for real-time systems including timed automata, stopwatch automata,hybrid automata and time(d) Petri nets.As demonstrated in Section 6, our tool is capable of solving instances of reachabilityproblems, robustness, parameter synthesis, that current tools are incapable of handling.For future work we would like to improve the scalability of the proposed method,utilizing well known techniques such as extrapolations, partial order reduction [17] andcompositional verification [15]. Another short-term improvement is to use unsat cores tocompute interpolant automata as proposed in [22]. Furthermore, we would like to extendour approach from reachability to more expressive temporal logics.
Acknowledgments.
The research was partially funded by Innovation Fund Denmarkcenter DiCyPS and ERC Advanced Grant LASSO. Furthermore, these results was madepossible by an external stay partially funded by Otto Mønsted Fonden.
References [1] Rajeev Alur, Thao Dang, and Franjo Ivanˇci´c. Reachability analysis of hybrid systemsvia predicate abstraction. In Claire J. Tomlin and Mark R. Greenstreet, editors,
Hybrid Systems: Computation and Control , pages 35–48, Berlin, Heidelberg, 2002.Springer Berlin Heidelberg.[2] Rajeev Alur and David L. Dill. A theory of timed automata.
Theor. Comput. Sci. ,126(2):183–235, April 1994.[3] ´Etienne Andr´e, Laurent Fribourg, Ulrich K¨uhne, and Romain Soulat. Imitator 2.5: Atool for analyzing robustness in scheduling problems. In Dimitra Giannakopoulou andDominique M´ery, editors,
FM 2012: Formal Methods: 18th International Symposium,Paris, France, August 27-31, 2012. Proceedings , pages 33–36, Berlin, Heidelberg, 2012.Springer Berlin Heidelberg.[4] ´Etienne Andr´e, Giuseppe Lipari, Hoang Gia Nguyen, and Youcheng Sun. Reachabilitypreservation based parameter synthesis for timed automata. In Klaus Havelund, Ger-ard Holzmann, and Rajeev Joshi, editors,
NASA Formal Methods: 7th InternationalSymposium, NFM 2015, Pasadena, CA, USA, April 27-29, 2015, Proceedings , pages50–65, Cham, 2015. Springer International Publishing.[5] G. Behrmann, A. David, K.G. Larsen, J. Hakansson, P. Petterson, Wang Yi, andM. Hendriks. Uppaal 4.0. In
QEST’06 , pages 125–126, 2006.266] B´eatrice B´erard, Franck Cassez, Serge Haddad, Didier Lime, and Olivier H. Roux.Comparison of the expressiveness of timed automata and time petri nets. In PaulPettersson and Wang Yi, editors,
Formal Modeling and Analysis of Timed Systems,Third International Conference, FORMATS 2005, Uppsala, Sweden, September 26-28,2005, Proceedings , volume 3829 of
Lecture Notes in Computer Science , pages 211–225.Springer, 2005.[7] B´eatrice B´erard and Laurent Fribourg. Reachability analysis of (timed) petri netsusing real arithmetic. In Jos C. M. Baeten and Sjouke Mauw, editors,
CONCUR’99Concurrency Theory , pages 178–193, Berlin, Heidelberg, 1999. Springer Berlin Hei-delberg.[8] Dirk Beyer, Marieke Huisman, Fabrice Kordon, and Bernhard Steffen, editors.
Toolsand Algorithms for the Construction and Analysis of Systems - 25 Years of TACAS:TOOLympics, Held as Part of ETAPS 2019, Prague, Czech Republic, April 6-11,2019, Proceedings, Part III , volume 11429 of
Lecture Notes in Computer Science .Springer, 2019.[9] Marco Bozzano, Alessandro Cimatti, Alberto Griggio, and Cristian Mattarei. Effi-cient anytime techniques for model-based safety analysis. In Daniel Kroening andCorina S. P˘as˘areanu, editors,
Computer Aided Verification , pages 603–621, Cham,2015. Springer International Publishing.[10] Aaron R. Bradley. Sat-based model checking without unrolling. In Ranjit Jhala andDavid Schmidt, editors,
Verification, Model Checking, and Abstract Interpretation ,pages 70–87, Berlin, Heidelberg, 2011. Springer Berlin Heidelberg.[11] J. Byg, M. Jacobsen, L. Jacobsen, K.Y. Jørgensen, M.H. Møller, and J. Srba. TCTL-preserving translations from timed-arc Petri nets to networks of timed automata.
TCS ,2013. Available at http://dx.doi.org/10.1016/j.tcs.2013.07.011.[12] B´eatrice B´erard, Franck Cassez, Serge Haddad, Didier Lime, and Olivier H. Roux.The expressive power of time Petri nets.
Theoretical Computer Science , 474:1–20,2013.[13] Franck Cassez, Peter Gjøl Jensen, and Kim Guldstrand Larsen. Refinement of traceabstraction for real-time programs. In Matthew Hague and Igor Potapov, editors,
Reachability Problems , pages 42–58, Cham, 2017. Springer International Publishing.[14] Franck Cassez and Kim Guldstrand Larsen. The impressive power of stopwatches.In Catuscia Palamidessi, editor,
CONCUR 2000 - Concurrency Theory, 11th Inter-national Conference, University Park, PA, USA, August 22-25, 2000, Proceedings ,volume 1877 of
Lecture Notes in Computer Science , pages 138–152. Springer, 2000.[15] Franck Cassez, Christian M¨uller, and Karla Burnett. Summary-based inter-proceduralanalysis via modular trace refinement. In Venkatesh Raman and S. P. Suresh, editors,27 , vol-ume 29 of
LIPIcs , pages 545–556. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik,2014.[16] Franck Cassez and Olivier Henri Roux. Structural translation from time petri nets totimed automata.
Journal of Software and Systems , 79(10):1456–1468, October 2006.[17] Franck Cassez and Frowin Ziegler. Verification of concurrent programs using traceabstraction refinement. In Martin Davis, Ansgar Fehnker, Annabelle McIver, andAndrei Voronkov, editors,
Logic for Programming, Artificial Intelligence, and Rea-soning - 20th International Conference, LPAR-20 2015, Suva, Fiji, November 24-28,2015, Proceedings , volume 9450 of
Lecture Notes in Computer Science , pages 233–248.Springer, 2015.[18] A. Cimatti, A. Griggio, S. Mover, and S. Tonetta. Parameter synthesis with ic3. In , pages 165–168, Oct 2013.[19] Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith.Counterexample-guided abstraction refinement. In E. Allen Emerson and A. PrasadSistla, editors,
Computer Aided Verification, 12th International Conference, CAV2000, Chicago, IL, USA, July 15-19, 2000, Proceedings , volume 1855 of
Lecture Notesin Computer Science , pages 154–169. Springer, 2000.[20] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient smt solver. In
Proceed-ings of the Theory and Practice of Software, 14th International Conference on Toolsand Algorithms for the Construction and Analysis of Systems , TACAS’08/ETAPS’08,pages 337–340, Berlin, Heidelberg, 2008. Springer-Verlag.[21] Henning Dierks, Sebastian Kupferschmid, and Kim G Larsen. Automatic abstractionrefinement for timed automata. In
International Conference on Formal Modeling andAnalysis of Timed Systems , pages 114–129. Springer, 2007.[22] Daniel Dietsch, Matthias Heizmann, Betim Musa, Alexander Nutz, and AndreasPodelski. Craig vs. newton in software model checking. In Eric Bodden, WilhelmSch¨afer, Arie van Deursen, and Andrea Zisman, editors,
Proceedings of the 2017 11thJoint Meeting on Foundations of Software Engineering, ESEC/FSE 2017, Paderborn,Germany, September 4-8, 2017 , pages 487–497. ACM, 2017.[23] Goran Frehse. Phaver: Algorithmic verification of hybrid systems past hytech. InManfred Morari and Lothar Thiele, editors,
Hybrid Systems: Computation and Con-trol , volume 3414 of
Lecture Notes in Computer Science , pages 258–273. SpringerBerlin Heidelberg, 2005.[24] Goran Frehse, Sumit Kumar Jha, and Bruce H. Krogh. A counterexample-guidedapproach to parameter synthesis for linear hybrid automata. In Magnus Egerstedt28nd Bud Mishra, editors,
Hybrid Systems: Computation and Control , pages 187–200,Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.[25] Goran Frehse, Colas Le Guernic, Alexandre Donz´e, Scott Cotton, Rajarshi Ray,Olivier Lebeltel, Rodolfo Ripado, Antoine Girard, Thao Dang, and Oded Maler.Spaceex: Scalable verification of hybrid systems. In Ganesh Gopalakrishnan andShaz Qadeer, editors,
Computer Aided Verification , volume 6806 of
Lecture Notes inComputer Science , pages 379–395. Springer Berlin Heidelberg, 2011.[26] Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. Refinement of trace ab-straction. In Jens Palsberg and Zhendong Su, editors,
Static Analysis, 16th Interna-tional Symposium, SAS 2009, Los Angeles, CA, USA, August 9-11, 2009. Proceedings ,volume 5673 of
Lecture Notes in Computer Science , pages 69–85. Springer, 2009.[27] Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. Software model checkingfor people who love automata. In Natasha Sharygina and Helmut Veith, editors,
CAV ,volume 8044 of
LNCS , pages 36–52. Springer, 2013.[28] Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-toi. Hytech: A model checkerfor hybrid systems.
Software Tools for Technology Transfer , 1:460–463, 1997.[29] Thomas A. Henzinger, Peter W. Kopke, Anuj Puri, and Pravin Varaiya. What’s de-cidable about hybrid automata?
Journal of Computer and System Sciences , 57(1):94– 124, 1998.[30] Peter Gjøl Jensen, Franck Cassez, and Kim Guldstrand Larsen. Repeatability for”Verification and Parameter Synthesis for Real-Time Programs using Refinement ofTrace Abstraction”, July 2020.[31] Bishoksan Kafle, John P. Gallagher, Graeme Gange, Peter Schachte, HaraldSøndergaard, and Peter J. Stuckey. An iterative approach to precondition inferenceusing constrained horn clauses.
CoRR , abs/1804.05989, 2018.[32] Piotr Kordy, Rom Langerak, Sjouke Mauw, and Jan Willem Polderman. A sym-bolic algorithm for the analysis of robust timed automata. In Cliff B. Jones, PekkaPihlajasaari, and Jun Sun, editors,
FM 2014: Formal Methods - 19th InternationalSymposium, Singapore, May 12-16, 2014. Proceedings , volume 8442 of
Lecture Notesin Computer Science , pages 351–366. Springer, 2014.[33] Ocan Sankur. Symbolic quantitative robustness analysis of timed automata. In Chris-tel Baier and Cesare Tinelli, editors,
Tools and Algorithms for the Construction andAnalysis of Systems - 21st International Conference, TACAS 2015, Held as Part of theEuropean Joint Conferences on Theory and Practice of Software, ETAPS 2015, Lon-don, UK, April 11-18, 2015. Proceedings , volume 9035 of
Lecture Notes in ComputerScience , pages 484–498. Springer, 2015.2934] Ashish Tiwari. Abstractions for hybrid systems.
Formal Methods in System Design ,32(1):57–83, Feb 2008.[35] Weifeng Wang and Li Jiao. Trace abstraction refinement for timed automata. InFranck Cassez and Jean-Fran¸cois Raskin, editors,
Automated Technology for Veri-fication and Analysis - 12th International Symposium, ATVA 2014, Sydney, NSW,Australia, November 3-7, 2014, Proceedings , volume 8837 of