On the expressive power of invariants in parametric timed automata
\'Etienne Andr\'e, Didier Lime, Mathias Ramparison

TL;DR
This paper introduces a syntactic restriction on parametric timed automata that preserves expressiveness while enabling decidable parameter synthesis, offering a practical trade-off between complexity and expressiveness.
Contribution
It proposes a new subclass of PTAs with only invariants, allowing exact parameter synthesis under certain constraints, balancing expressiveness and decidability.
Findings
Decidability of reachability in the new formalism.
Exact synthesis of parameter valuations for reachability.
Applicability demonstrated through a case study.
Abstract
The verification of systems combining hard timing constraints with concurrency is challenging. This challenge becomes even harder when some timing constants are missing or unknown. Parametric timed formalisms, such as parametric timed automata (PTAs), tackle the synthesis of such timing constants (seen as parameters) for which a property holds. Such formalisms are highly expressive, but also undecidable, and few decidable subclasses were proposed. We propose here a syntactic restriction on PTAs consisting in removing guards (constraints on transitions) to keep only invariants (constraints on locations). While this restriction preserves the expressiveness of PTAs (and therefore their undecidability), an additional restriction on the type of constraints allows to not only prove decidability, but also to perform the exact synthesis of parameter valuations satisfying reachability. This…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsFormal Methods in Verification · Petri Nets in System Modeling · Logic, programming, and type systems
On the expressive power of invariants in parametric timed automata††thanks: This is the author version of the manuscript of the same name published in the proceedings of the 24th International Conference on Engineering of Complex Computer Systems (ICECCS 2019).
The final version is available at ieeexplore.ieee.org. This work is partially supported by the ANR national research program PACS (ANR-14-CE28-0002) and by ERATO HASUO Metamathematics for Systems Design Project (No. JPMJER1603), JST.
Étienne André
Université Paris 13, LIPN, CNRS,
*UMR 7030, F-93430,
*Villetaneuse, France
JFLI, CNRS, Tokyo, Japan
National Institute of Informatics, Tokyo, Japan
Didier Lime
École Centrale de Nantes, LS2N, CNRS,
*UMR 6004,
*Nantes, France
Mathias Ramparison
Université Paris 13, LIPN, CNRS,
*UMR 7030, F-93430
*Villetaneuse, France
Abstract
The verification of systems combining hard timing constraints with concurrency is challenging. This challenge becomes even harder when some timing constants are missing or unknown. Parametric timed formalisms, such as parametric timed automata (PTAs), tackle the synthesis of such timing constants (seen as parameters) for which a property holds. Such formalisms are highly expressive, but alsolinecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: enlevé: highly undecidablelinecolor=purple,backgroundcolor=purple!25,bordercolor=purple]DL: juste undecidable? Que veut dire le highly?linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: je sais pas trop ; on peut enlever ? ’fin l’idée c’était que plein de choses étaient indécidables, and few decidable subclasses were proposed. We propose here a syntactic restriction on PTAs consisting in removing guards (constraints on transitions) to keep only invariants (constraints on locations). While this restriction preserves the expressiveness of PTAs (and therefore their undecidability), an additional restriction on the type of constraints allows to not only prove decidability, but also to perform the exact synthesis of parameter valuations satisfying reachability. This formalism, that seems trivial at first sight as it benefits from the decidability of the reachability problem with a better complexity than Timed Automata (TAs), suffers from the undecidability of the whole TCTL logic that TAs, on the contrary enjoy. We believe our formalism allows for an interesting trade-off between decidability and practical expressiveness and is therefore promising. We show its applicability in a small case study.linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: OK?
linecolor=red,backgroundcolor=red!25,bordercolor=red]Instructions: ICECCS 10 pages double column, including references and appendix
linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: hello linecolor=purple,backgroundcolor=purple!25,bordercolor=purple]DL: hello linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: hello
I Introduction
The verification of systems combining hard timing constraints with concurrency is challenging. This challenge becomes even harder when some timing constants are missing or unknown. Parametric timed formalisms tackle the synthesis of such timing constants (seen as parameters) for which a property holds. A well-known such formalism is parametric timed automata [AHV93], a formalism extending finite-state automata with clocks [AD94], that can be compared to either integer constants or to integer-valued or real-valued parameters along guards (over transitions) or in invariants (in locations). Such formalisms are highly expressive, but also highly undecidable, and only a few decidable subclasses were proposed.
In the PTA literature, the main problem studied is -emptiness (“is the set of valuations for which a given location is reachable for at least one run empty?”): it is “robustly” undecidable in the sense that, even when varying the setting, undecidability is preserved. For example, -emptiness is undecidable even for a single bounded parameter [Mil00], even for a single rational-valued or integer-valued parameter [Ben+15], even with only one clock compared to parameters [Mil00], or with strict constraints only [Doy07] (see [And19] for a survey). Decidability can be obtained using two main directions.
First, reducing the number of clocks may lead to decidability: for example, decidability is ensured in some restrictive settings such as over discrete time with a single parametric clock (i. e., compared to parameters in at least one guard) [AHV93], or over discrete or dense time with one parametric clock and arbitrarily many non-parametric clocks [BO14, Ben+15], or over discrete time with two parametric clocks and a single parameter [BO14]. But the practical power of these restrictive settings remains unclear.
Second, restricting the syntax may also lead to decidability, notably on two main subclasses: in [Hun+02], L/U-PTAs are proposed as a subclass where parameters are partitioned into upper-bound parameters (only compared to clocks as upper-bounds, i. e., of the form or , where is a clock and a parameterlinecolor=purple,backgroundcolor=purple!25,bordercolor=purple]DL: pas clair: de quel côté on met paramètres et horloges? je mettrais directement “ or where x is a clock and p a parameter”linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: fixed) and lower-bound parameters. While L/U-PTAs benefit from the decidability of -emptiness [JLR15, BL09], -emptiness (“is the set of valuations for which a given location is reachable for all runs empty?”) is undecidable [JLR15]; even more annoying, it is impossible to achieve exact synthesis, even for : that is, it is not possible in general to compute the set of parameter valuations for which a given location is reachable. A second restriction of the syntax is proposed in [ALR19]: in reset-PTAs, whenever a clock is compared to a parameter, all clocks must be reset (possibly to parameters, which extends the original PTA syntax). While exact synthesis over bounded rational-valued parameters can be achieved for , resetting all clocks as soon as one clock is compared to a parameter is a strong practical restriction, and is dedicated to systems that have some cyclic, repetitive behavior.linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: OK? Délicat de critiquer trop frontalement notre précédent papier mais… linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: ça va c’est cool quand meme linecolor=purple,backgroundcolor=purple!25,bordercolor=purple]DL: Nice.
Contribution
In this work, we propose an original subclass of parametric timed automata, with interesting practical results. We restrict the expressive power by disallowing guards in the model, therefore leaving the model with only invariants.
On the one hand, we show that this model of PTAs with only invariants (PTAsI) is at least as expressive as the original PTAs, and therefore inherits its notorious undecidability results.
On the other hand, by restraining the shape of the constraints in these invariants, giving PTAs with only invariants and upper-bound constraints (PTAs), we get decidability results independently of the number of clocks or parameters used. In addition, we show that we can synthesize the exact set of parameters for which reachability () properties hold. This result is particularly welcome, as existing classes for which decidability of the emptiness problems hold does usually not guarantee the possibility to perform synthesis: the best-known existing subclass of PTAs, i. e., L/U-PTAs, benefit from decidability results [Hun+02, BL09] but synthesis cannot be achieved, even over integer-valued parameters [JLR15].
Our formalism of PTAs is the first of its kind to allow for exact synthesis over unbounded, rational-valued parameters (in contrast to [Hun+02, BL09, ALR19]) without imposing conditions on the number of clocks or parameters (in contrast to [BO14, Ben+15]), nor imposing frequent resets (in contrast to [ALR19]). This makes this formalism promising, together with a still interesting expressive power. In fact, we show that for more complex properties (e. g., nested TCTL formulas), PTAs become undecidable, which shows that our formalism is far from featuring a trivial expressiveness.linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: super We also exemplify our formalism on a case study, where we model a data streaming protocol using PTAs.
Outline
Section II recalls the necessary preliminaries, introduces the class of PTAs without guards (PTAsI) and the problems of interest. Section III proves that reachability is undecidable for PTAI. Section IV introduces an additional restriction (PTAs), and proves decidability of the emptiness problems of reachability, together with the possibility to perform synthesis. In contrast, we show that TCTL-emptiness is undecidable for PTAs, making it an expressive formalism at the border between decidability and undecidability. Section V exemplifies our formalism on a case study. Section VI concludes the paper and proposes some perspectives.
II Preliminaries
II-A Clocks, parameters and parametric clock constraints
We assume a set of clocks, i. e., real-valued variables that evolve at the same rate. A clock valuation is a functionlinecolor=purple,backgroundcolor=purple!25,bordercolor=purple]DL: ça ne semble pas très bien marcher l’espace initial dans LongVersionlinecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: en fait longeversion + commentaires c’est moche, mais sans les commentaires, tout va bien. Bon, j’ai simplifié puisque de toute façon on ne fait que du long ici . We identify a clock valuation with the point of . We write for the clock valuation assigning [math] to all clocks. Given , denotes the valuation s.t. , for all . Given , we define the reset of a valuation , denoted by , as follows: if , and otherwise.
We assume a set of parameters, i. e., unknown constants. A parameter valuation is a function .
We assume and . A parametric clock constraint is a constraint over defined by a set of inequalities of the form , with and . Given , we write if the expression obtained by replacing each with and each with in evaluates to true.
II-B Parametric timed automata
Let be a set of atomic propositions. We first recall PTAs [AHV93].
Definition 1**.**
A PTA is a tuple , where:
- •
* is a finite set of actions,*
- •
* is a finite set of locations,*
- •
* is a label function ,*
- •
* is the initial location,*
- •
* is a finite set of clocks,*
- •
* is a finite set of parameters, *
- •
* is the invariant, assigning to every a parametric clock constraint ,*
- •
* is a finite set of edges (or transitions) where are the source and target locations, , is a set of clocks to be reset, and the guard is a parametric clock constraint.*
Given a parameter valuation , we denote by the non-parametric structure where all occurrences of a parameter have been replaced by . We denote as a timed automaton any structure .111Technically and strictly speaking, we should use a rescaling of the constants to avoid comparisons of clocks with rationals: by multiplying all constants in by the least common multiple of their denominators, we obtain an equivalent (integer-valued) TA, as defined in [AD94]. A bounded PTA is a PTA with a bounded parameter domain that assigns to each parameter a minimum integer bound and a maximum integer bound. That is, each parameter ranges in an interval , with . Hence, a bounded parameter domain is a hyperrectangle of dimension .
Let us first recall the concrete semantics of TAs.
Definition 2** (Concrete semantics of a TA).**
Given a PTA , and a parameter valuation , the concrete semantics of is given by the timed transition system , with
- •
,
- •
**
- •
* consists of the discrete and (continuous) delay transition relations:*
- –
*discrete transitions: , if , there exists , , and . *
- –
delay transitions: , with , if .
Moreover we write for a combination of a delay and discrete transition where if .
Given a TA with concrete semantics , we refer to the states of as the concrete states of . A run of is a possibly infinite alternating sequence of states of and edges starting from the initial state of the form , such that for all , , and . Given a state , we say that is reachable if appears in a run of , or simply that is reachable in , if there exists a state that is reachable. By extension, we say that a label is reachable in if there exists a state that is reachable such that .
Given a parameter valuation and a run of we define the length of a run as the number of edges in .linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: j’ai viré la notation , non utilisée
A maximal run is a run that is either infinite (i. e., contains an infinite number of discrete transitions), or that cannot be extended by a discrete transition. Given a run of , gives the total sum of the delays along .
II-C A new syntactic restriction
We now introduce the first main restriction of our formalism, that consists in removing guards from PTAs.
Definition 3**.**
A PTA with only invariants (PTAI)* is a PTA where, in each transition, is always true, i. e., is an empty set of inequalities.*
II-D Timed CTL
TCTL [ACD93] is the quantitative extension of CTL where temporal modalities are augmented with constraints on duration. Formulae are interpreted over TTS.
Given and , a TCTL formula is given by the following grammar:
[TABLE]
reads “always”, reads “exists”, and reads “until”.
Standard abbreviations include Boolean operators as well as for , for and for . ( reads “eventually” while reads “globally”.)
Definition 4** (Semantics of TCTL).**
Given a TA , the following clauses define when a state of its TTS satisfies a TCTL formula , denoted by , by induction over the structure of (semantics of Boolean operators is omitted):
* if there is a maximal run in with () a prefix of *s.t. , , and if s.t. , , and 2. 2.
* if for each maximal run in there exists () a prefix of *s.t. , , and if s.t. , .
In the classical until is extended by requiring that be satisfied within a duration (from the current state) verifying the constraint “”. Given , a PTA and a TCTL formula , we write when .
We define flat TCTL as the subset of TCTL where, in and , must be a formula of propositional logic (a Boolean combination of atomic propositions).
II-E Problems
In this paper, we address the following problems:
**TCTL-emptiness problem:
**Input: a PTAI and a TCTL formula
Problem: is the set of valuations such that empty?
**TCTL-synthesis problem:
**Input: a PTAI and a TCTL formula
Problem: synthesize the set of valuations such that .
We will focus notably on the TCTL formula “” expressing reachability [AD94]. That is, -emptiness asks whether the set of parameter locations for which a given location is reachable for at least one run is empty or not. Similarly, -synthesis asks to synthesize these valuations.
III The power of invariants in PTAs
In this section, we show that the expressive power of invariants in PTAs is surprisingly high: in fact, we show that a PTA with guards but without invariants can be transformed to an equivalent PTAI. As most undecidability results for PTAs hold even without invariants, our transformation shows that PTAI are (at least) as expressive as PTAs—and therefore as undecidable too. Notably, the simplest problem for PTAs (-emptiness) is undecidable for PTAsI.
III-A Transforming guards into invariants
Let us describe our transformation from a PTA without invariants to a PTAI . For each edge of , we add in a new location with invariant and replace with a transition that is always true from to with action and no reset: . Then we add a unique transition from to that is always true, without action and with the original resets of : ( denotes the silent action; note that actions do not matter much in our setting anyway as we are concerned with reachability properties).
Example 1**.**
*An example of this transformation is given in Fig. 1. The transition (say ) from to in Fig. 1(a) is translated into
-
a new transition from to a new location with as invariant the guard of the original transition , i. e., , and
-
a new transition from to with the same reset as the one of the original transition , i. e., .
This translation is exemplified in Fig. 1(b).*
The guard on the transition from to is translated similarly.
III-B Characterization of the transformation
We show that, for any run of , there exists in a run twice as long, whose states of index are identical to states of index of the original run, for each between 0 and the length of the run minus 1.
Lemma 1**.**
Let be a PTA without invariant, and a parameter valuation. There is a run in iff there is a run in .
Proof.
Let be a run of ending in a concrete state . We build by induction on , a run in of length taking the same sequence of edges as w.r.t. our transformation and ending in the same concrete state222Note that the fact that the length is even is a consequence of the construction: with two edges, first from to and the second from to , if the former can be taken then is satisfied, and the run cannot stay forever in because of and is forced to take the latter to ..
If , then consists only of the initial location of which has no invariant, so we can stay there forever as in the initial location of . So any run of length 0 of is a run of and conversely.
Suppose now that we have built for size and consider a run with edges. Then consists of a run , ending in with edges followed by a delay and finally a discrete transition along the edge to the concrete state . From the induction hypothesis, we can build an equivalent run in of length ending in , Let be the clock valuation obtained from after the delay . By construction, if constraints defined by the guard of are satisfied by then in , we can take the transition without guards from to as . Once in , we cannot stay forever because of . We can also immediately in a [math]-delay take the transition from to and clocks in are reset so , and we obtain a run of length in ending in .
For the other direction, starting from a run in , the initial step of the induction is similar. Let be a run of of length ending in a concrete state . Then consists of a run , ending in with edges followed by a first delay , then a discrete transition to , and a possible delay and finally a discrete transition to . Let be the edge in corresponding to w.r.t. our construction of , with guard and the same resets as in . Suppose now that we have built by induction hypothesis in for size equivalent to a run in ending in , Let be the clock valuation obtained after the delay from and after the delay from . By construction, if constraints defined by are satisfied by then . The first transition in to can be taken, similarly can already be taken in . After the delay , we still have therefore we still have . The second transition in to can be taken, similarly can still be taken in . Clocks are reset along so and we obtain a run of length in ending in . ∎
III-C Undecidability for PTAsI
Theorem 1**.**
-emptiness is undecidable for PTAsI.
Proof.
From Lemma 1, for any valuation , reachability of a location in and is equivalent. Therefore, -emptiness holds for iff -emptiness holds for . As -emptiness is undecidable for PTAs without invariant [AHV93], -emptiness is undecidable for PTAsI. ∎
IV A new decidable subclass
We now consider PTAsI with only upper-bound invariants.
Definition 5**.**
A PTA with only upper-bound invariants (PTA) is a PTAI where each inequality in an invariant is of the form .
An example of PTA is given in Fig. 6.
PTAs can be seen as a subclass of L/U-PTAs, a formalism for which -emptiness is decidable [Hun+02, BL09] while -emptiness is undecidable [JLR15]. In addition, the synthesis of (even integer-valued) parameters for which holds in L/U-PTAs cannot be done [JLR15]. PTAs can also be seen as a subclass of U-PTAs [BL09], i. e., L/U-PTAs with only upper-bound parameters, a formalism for which -emptiness is decidable [Hun+02, BL09] while -emptiness is open, and full TCTL-emptiness is undecidable [ALR18]; in addition, -synthesis of integer-valued parameter can be achieved [BL09], but the possibility to perform or not the exact synthesis of rational-valued parameters for remains open.
The main differences between PTAs and U-PTAs are
the absence of guards in PTAs, and 2. 2.
the possibility only for U-PTAs to involve constraints of the form or in clock constraints, provided is a constant (no parameter can be used as a lower-bound constraint).
In this section, we will see that these differences will allow not only for positive decidability results but will also make exact synthesis possible.
IV-A Reachability ()
IV-A1 -emptiness
We first show that, while matching the decidability of L/U-PTAs (and U-PTAs) for -emptiness, the complexity of -emptiness for PTA is not the same as for U-PTAs, which is PSPACE-complete for integer parameter valuations [BL09]; in our case, given a PTA and a special parameter valuation that sets all parameters to , it is sufficient to test in the reachability of a given location in a [math]-delay (a run of duration 0), which is linear in the number of locations of .linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: plutôt que…? That is, we do not perform a symbolic analysis (using the region graph [AD94] or the zone graph [BY03]) of some TA, but we directly syntactically analyze our PTA.
Formally, let be the parameter valuation such that . In the following lemma, we will show that there exists a valuation such that there exists a run in reaching a given location iff there exists a 0-delay run in reaching . By 0-delay run, we mean for which the sum of the delays along the edges is 0. This will allow us to only test 0-delay runs in to decide -emptiness.
Lemma 2**.**
Let be a PTA and a goal location. There exists a parameter valuation and a run in reaching iff there exists a 0-delay run in reaching .
Proof.
Assume there exists a parameter valuation and a run in reaching . We first show that there exists a 0-delay run in reaching (and, in fact, going through the same locations and edges as , with only the delay being replaced with 0). This is immediate from the syntax of PTAs: since we only allow invariants of the form , then nothing can constrain a run to spend a certain amount of time in a location. Therefore, can follow the same locations and edges as in without letting any time elapse. This gives that there exists a 0-delay run in reaching .
We will now show that this run is also a run of . This is not entirely immediate, as and have different invariants, coming from different parameter valuations. Indeed, in case of invariants of the form , a 0-delay run is blocked in this location whenever (as the constraint is never satisfiable due to the non-negative nature of clocks). However, by definition, does not pass through any location with an invariant of the form , with , since this is a valid run of . That is, for any location along with an invariant containing an inequality of the form , . We can finally conclude by observing that, in , no such invariant blocking a 0-delay run exists since, by definition of , all parameters evaluate to 1. Therefore is also a run reaching in .
The opposite direction is trivial. It suffices to pick and, since there exists a 0-delay run in reaching , then there exists a run (in 0-delay) in reaching .
∎
From Lemma 2, we state the following theorem.
Theorem 2**.**
-emptiness is decidable in NLOGSPACE for PTA.
Proof.
Let be a PTA and be a target location. From Lemma 2, there exists a parameter valuation and a run in reaching iff there exists a 0-delay run in reaching . That is, it suffices to test only the existence of at least one 0-delay run in to decide -emptiness in .
From the nature of PTAs, there exists a 0-delay run in iff there exists in the automaton seen as a graph a syntactic path from to that features no state with an invariant involving a comparison of the form , for some . We can therefore consider as a directed graph, in which we remove all the edges to locations where there is an invariant containing a comparison of the form for some . In this obtained oriented graph, we perform the reachability of from which is NLOGSPACE [Pap94], so is -emptiness for PTA. ∎
IV-A2 -synthesis
We will show that, in order to compute -synthesis, it suffices to test (syntactically, without semantic analysis) each automaton obtained by replacing each parameter valuation with either 0 or 1. This is a strong result, as -synthesis cannot be performed for L/U-PTAs with either integer or rational valued parameters [JLR15], and can only be performed for U-PTAs over integer-valued parameters [BL09]. linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: ben si, non ? linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: non EXPTIME pour la synthèse We first define an equivalence relation for parameter valuations.
Definition 6**.**
Let be two parameter valuations. We say that if, for each parameter , iff (i. e., iff ).
Lemma 3**.**
Let be a PTA and a goal location. Let be two parameter valuations such that .
There exists a run in reaching iff there exists a 0-delay run in reaching .
Proof.
The proof reuses the same technique as in Lemma 2.
Assume there exists a parameter valuation and a run in reaching . From the reasoning used in the proof of Lemma 2, there exists a 0-delay run in reaching (and, in fact, going through the same locations and edges as , with only the delay being replaced with 0).
We will now show that this run is also a run of . Following again the reasoning used in the proof of Lemma 2, by definition, does not pass through any location with an invariant of the form , with , since this is a valid run of . That is, for any location along with an invariant containing an inequality of the form , . We can finally conclude by observing that, in , no such invariant blocking a 0-delay run exists since, from the fact that , iff for all . Therefore is also a run reaching in .
The opposite direction is similar. Since there exists a 0-delay run in , then following the same reasoning as above and since , then this same 0-delay run is also a run of .
∎
From Lemma 3, it suffices to test one valuation in each of the regions defined by Definition 6. Each region being defined by or , for each parameter , it suffices to test both 0 and a non-zero value, e. g., 1. We end up with a set of parameter valuations. This gives the following theorem.
Theorem 3**.**
We can compute the set -synthesis of parameter valuations for PTA within exponential time w.r.t. the size of the input.
Proof.
From Lemma 3, given a PTA it suffices to test the existence of at least one 0-delay run for one parameter valuation in each of the regions defined by Definition 6, i. e., from the set . From the proof of Theorem 2, this can be achieved syntactically by solving a reachability problem in the graph of . If the answer to the reachability problem is positive for this parameter valuation, the whole region is added to the result. That is, considering two parameters and , and the valuation such that and , the added region is . However, iterate similarly for all valuations in gives different valuated automata and we have to test the reachability for each of them. Therefore, to compute -synthesis, we obtain a complexity exponential in time. ∎
This result makes the subclass of PTA very interesting, as a subclass of PTAs where -synthesis can be performed. Rare subclasses such as reset-update-to-parameter PTAs [ALR19] enjoy this possibility (and only on bounded parameters), while well-known L/U-PTAs enjoy the only decidability of -emptiness while -synthesis has been proven intractable [JLR15].
IV-B Undecidability of TCTL-emptiness
While -emptiness is decidable for PTA, one can wonder whether this extends to the whole TCTL-emptiness problem. We exhibit in this section a nested TCTL formula (by opposition to flat TCTL formula, e. g., or ), namely ap for some atomic property ap and prove that -emptiness is undecidable for (possibly bounded) PTA. The formula was already used to prove the TCTL-emptiness of U-PTAs in [ALR18]. This implies the undecidability of the whole TCTL-emptiness problem for (possibly bounded) PTA.
Theorem 4**.**
The -emptiness problem is undecidable for bounded PTA.
Proof.
We reduce from the boundedness problem for two-counter machines (i. e., whether the value of the counters remains bounded along the execution), which is undecidable [KC10]. Recall that a two-counter machine is a finite state machine with two integer-valued counters . Two different instructions are considered, we present those for , those for are similar:
when in state , increment and go to ; 2. 2.
when in state , if go to , otherwise decrement and go to .
We assume w.l.o.g. that the machine halts iff it reaches a special state .
General explanation of the encoding
Let and be two labels. We define a PTA that, under some conditions, will encode the machine, and for which \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}}-emptiness holds iff the counters in the machine remain bounded. We will reuse an encoding originally from [ALR16, proof of theorem 1], and apply a few modifications. In fact, recall that PTA disallow the use of comparisons of the form , or with a constant.
We label our transitions with: for the locations already present in [ALR16] (depicted in yellow in our figures), and for the newly introduced locations (depicted in white in our figures). In [ALR16], the gadgets use edges of the form of Fig. 2(a) to encode the two-counter machine instructions. To define a PTA, we replace each of these edges by a special construction given in Fig. 2(b) using only inequalities of the form and with either a constant or a parameter. Non guarded transitions are depicted as dotted edges. We will show that a run will exactly encode the two-counter machine if all transitions (resp. ) to a location labeled with are in fact taken when the clock valuation is exactly equal to (resp. ). Those runs are further denoted by \rho_{\hbox{\pagecolor{yellow}\circ}}. In the transformed version given in Fig. 2(b), due to the invariant runs exist that take the guard “too early” (i. e., before ). Those are denoted by . But, in that case, observe that in , one can either take the transition to or to (as the invariant to satisfy is ) and then, go to . Therefore on this gadget, \mathsf{EG}\mathsf{AF}_{=0}$$\circ is true at iff the guard from to is taken at the very last moment. In our gadgets encoding the counters, there will be for each location with invariant an associated location with invariant , with only a transition to . Note that \mathsf{AF_{=0}}{\hbox{\pagecolor{yellow}\circ}}{} is trivially truelinecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: en fait seulement AF=0 in and as both locations are labeled with (many runs also exist from to and do not encode properly the machine; they will be discarded in our reasoning later).
Our PTA uses one parameter and three parametric clocks . Each state of the two-counter machine is encoded by a location of . Each increment instruction of the two-counter machine is encoded into a PTA fragment. The decrement instruction is a modification of the one in [ALR16] using the same modifications as the increment gadget.
Given , our encoding is such that when in with then (resp. ) represents the value of the counter (resp. ) encoded by (resp. ) with small enough so (resp. ). The two branches in the gadgets handle both cases and .
Increment gadget
Depicted in Fig. 3. We assume , in which case our PTA is bounded (if is unbounded, then our construction proves the unbounded case). In the following, we write as the tuple . The initial encoding when is . From , we prove that there is a unique run, going through the upper branch of the gadget, that reaches without violating our property. It is the one that takes each transition to a location with an invariant at the exact moment , the transition to a location with an invariant at the exact moment and transition to a location with an invariant at the exact moment . The other runs, that take the transitions “too early” are removed as they violate the property; indeed, if a run takes a transition before the “last moment” allowed by the invariant (e. g., ), then it can possibly take the successor state with invariant () and go to . That is, does not hold, because not all runs go in 0-time to a location.
So, for each transition, many runs can take it, but we only consider from now on the only one that takes the transition at the last moment, i. e., when the clock is exactly equal to the parameter/constant it is compared to. The same applies at each transition. This gives the following run for the increment gadget:
(\hbox{\pagecolor{yellow}\ell^{i}},w)\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\ell_{0}^{i},(1-v(a)\mathtt{c}_{1},1-v(a)\mathtt{c}_{2},0))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell_{1}^{i}},(1-v(a)\mathtt{c}_{1},1-v(a)\mathtt{c}_{2},0))\stackrel{{\scriptstyle v(a)\mathtt{c}_{2}}}{{\longrightarrow}}(\ell_{2}^{i},(1-v(a)\mathtt{c}_{1}+v(a)\mathtt{c}_{2},1,v(a)\mathtt{c}_{2}))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell_{3}^{i}},(1-v(a)\mathtt{c}_{1}+v(a)\mathtt{c}_{2},0,v(a)\mathtt{c}_{2}))\stackrel{{\scriptstyle v(a)-v(a)\mathtt{c}_{2}+v(a)\mathtt{c}_{1}}}{{\longrightarrow}}(\ell_{4}^{i},(1+v(a),v(a)-v(a)\mathtt{c}_{2}+v(a)\mathtt{c}_{1},v(a)+v(a)\mathtt{c}_{1}))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell_{5}^{i}},(0,v(a)-v(a)\mathtt{c}_{2}+v(a)\mathtt{c}_{1},v(a)+v(a)\mathtt{c}_{1}))\stackrel{{\scriptstyle 1-v(a)-v(a)\mathtt{c}_{1}}}{{\longrightarrow}}(\ell_{6}^{i},(1-v(a)-v(a)\mathtt{c}_{1},1-v(a)\mathtt{c}_{2},1))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell^{j}},(1-v(a)(\mathtt{c}_{1}+1),1-v(a)\mathtt{c}_{2},0)).
We apply the same reasoning on the lower branch of Fig. 3.
Decrement and 0-test gadget
The decrement and 0-test gadget, depicted in Fig. 4, is similar to the one of [ALR16] and undergoes the same modifications as in Fig. 3, the increment gadget. Assume the same requirements as for the increment gadget. From , following the same reasoning as for the increment gadget we prove that there is a unique run, going through the upper branch of the decrement gadget, that reaches without violating our property.
Assume we are in a configuration where and suppose . We can enter the configuration as the invariant ensures no time has elapsed; in its short form, the run that reaches correctly, i. e., satisfying our property is:
(\hbox{\pagecolor{yellow}\ell^{i}},w)\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\ell_{1}^{i},(1-v(a)\mathtt{c}_{1},1-v(a)\mathtt{c}_{2},0))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell_{2}^{i}},(1-v(a)\mathtt{c}_{1},1-v(a)\mathtt{c}_{2},0))\stackrel{{\scriptstyle v(a)\mathtt{c}_{1}}}{{\longrightarrow}}(\ell_{3}^{i},(1,1-v(a)\mathtt{c}_{2}+v(a)\mathtt{c}_{1},v(a)\mathtt{c}_{1}))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell_{4}^{i}},(0,1-v(a)\mathtt{c}_{2}+v(a)\mathtt{c}_{1},v(a)\mathtt{c}_{1}))\stackrel{{\scriptstyle v(a)-v(a)\mathtt{c}_{1}+v(a)\mathtt{c}_{2}}}{{\longrightarrow}}(\ell_{5}^{i},(v(a)-v(a)\mathtt{c}_{1}+v(a)\mathtt{c}_{2},v(a)+1,v(a)+v(a)\mathtt{c}_{2}))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell_{6}^{i}},(v(a)-v(a)\mathtt{c}_{1}+v(a)\mathtt{c}_{2},0,v(a)+v(a)\mathtt{c}_{2}))\stackrel{{\scriptstyle 1-v(a)\mathtt{c}_{2}}}{{\longrightarrow}}(\ell_{7}^{i},(1-v(a)\mathtt{c}_{1}+v(a),1-v(a)\mathtt{c}_{2},v(a)+1))\stackrel{{\scriptstyle 0}}{{\longrightarrow}}(\hbox{\pagecolor{yellow}\ell^{j}},(1-v(a)(\mathtt{c}_{1}-1),1-v(a)\mathtt{c}_{2},0)).
We apply the same reasoning on the lower branch of Fig. 4.
Initial gadget
In Fig. 5, the initial gadget ensures the same way as presented before that the counters are both initialized to 0. Recall that , and . The unique run that does not violate reaches exactly when , ensuring .
Simulating the 2-counter machine
Now, let us consider the runs \rho_{\hbox{\pagecolor{yellow}\circ}} that take each transition to a location where there is an invariant at the very last moment; note that other runs violate the property anyway.
- •
If the counters of the two-counter machine remain bounded then,
- –
either the two-counter machine halts by reaching and there exist parameter valuations (typically a sufficiently small value for to encode the value of the counters during the computation). In the constructed PTA, once valuated with there is a (unique)linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: oui? linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: ok run simulating correctly the machine, reaching and staying there forever.
In this first case, \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}} holds for these valuations: hence \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}}-emptiness is false;
- –
or the two-counter machine loops forever, never reaches , with values of the counters remaining bounded. There exist small parameter valuations that encode the maximal value of the counters. In the constructed PTA, once valuated with there is an infinite (unique)linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: ? linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: ok run in the PTA simulating correctly the machine. As this run is infinite, we infinitely often visit the decrement and/or the increment gadget(s).
In this second case, \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}} also holds for these valuations: hence \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}}-emptiness is again false.
- •
Conversely, if the counters of the two-counter machine are unbounded, then for any valuation, all runs end in . This happens either because all the runs took on purpose an unguarded transition to or because they blocked due to the fact that counters are unbounded, and therefore, for any arbitrarily small valuation, one of the guards will eventually block the run and send it to thanks to the unguarded transitions. That is, it is possible, e. g., in of Fig. 3, when the value of becomes strictly greater than after a sufficient number of steps. It is no longer possible to take the transition to because of the invariant and there is no choice other than reach again. Hence there is no parameter valuation for which \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}} holds, so \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}}-emptiness is true.
We conclude that \mathsf{EGAF}_{=0}{\hbox{\pagecolor{yellow}\circ}}-emptiness is true iff the values of the counters of the two-counter machine are unbounded. ∎
In this section, we have proved the following properties about PTA. Our first result here is that the -emptiness for PTA is less than the same reachability problem in classical TAs without parameters.
Paradoxically, this simpler complexity for one TCTL decision problem () does not make PTA a trivial subclass of (P)TAs at all. On the contrary, we proved that the decidability of -emptiness does not extend to the whole TCTL logic by exhibiting a TCTL formula for which deciding the emptiness of parameter valuations satisfying it is undecidable, while model-checking TCTL logic is decidable in TAs [ACD93].
V Proof of concept: Case study
To illustrate the usability of PTAs, we describe in this section a case study modeled and verified using PTAs.
Software support
PTAs are natively supported by IMITATOR [And+12], which is a parametric model checker performing parameter synthesis for parametric timed automata, extended with some useful features such as synchronization, global variables, etc.
Description
The idea here is to model a Real-time Transport Protocol (RTP) using PTAs. RTP is a network protocol usually used to deliver video, audio over a network. RTP is mainly used in Voice over IP, teleconference and since the last few years in systems that involve media streaming.
RTP is typically running over User Datagram Protocol (UDP), which can broadcast data to several clients, and is faster as TCP (Transmission Control Protocol) as it does not provide guarantees for message delivery.
Fig. 6 represents a simplified version of an RTP protocol combined with a Real-Time Control Protocol (RTCP). A server sends audio and video data to a client, and the client has the possibility to pause the data stream or ask for more data when its buffer is empty. We use two clocks to model the protocol. {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x} represents the server, while {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}y} represents the client. In each location, the first word represents the state of the client, while the second represents the state of the server. The automaton starts in location {\color[rgb]{0,0,1}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,1}\mathrm{\ell_{1}}} as the client is waiting for its data stream. On the {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathrm{begin}} action, the server first opens the channel for the video within {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{v}} units of time, and the channel for the audio within {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{s}}-{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{v}} units of time, assuming otherwise audio and video would not be synchronized at reception by the client. Then data is streamed for at most {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{send}} units of time to prevent overflowing the bandwidth, in location . At this moment, the server stops sending for an undetermined amount of time. In the meantime, the client’s buffer is being emptied. When running {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathrm{outOfData}}, the client switches to location as the server is still sending data. {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}y} is reset and the system has the possibility to switch to location again if the server is still streaming data, i. e., the constraint {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x}<{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{send}} is still satisfied. While in , the client can choose to {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathrm{interrupt}} the data stream. When in location , the client still uses the data of the buffer, but has to request more data at some point, i. e., while {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}y}<{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{rced}} is satisfied. The procedure from {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathrm{start}} is similar to the previously described one.
From locations and the location is reachable, when the server is not streaming and the client’s buffer is empty. This is the bug state of the system. We are interested in computing the concrete parameter valuations of {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{send}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{rced}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{s}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{v}} s.t. the system can reach the “bad” state —that is, we aim at performing (-synthesis.
Experiments
We modeled the case study in Fig. 6 in the input language of IMITATOR. Experiments were conducted with IMITATOR 2.11 “Butter Kouign-amann”, on a 2.4 GHz Intel Core i5 processor with 2 GiB of RAM in a VirtualBox environment running Ubuntu.linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: running which os? 333Models and results are available at https://www.imitator.fr/static/ICECCS19/
The synthesis time is less than 1 second with four parameters.
Applying IMITATOR to Fig. 6, we obtain the following result for (-synthesis:
[TABLE]
That is, for almost all parameter valuations, there exists an execution of the system such that it reaches the bad location . This is not surprising, as it depends on the rate of data exchanged and of the connection quality to the network.linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: ça te va ? je suis pas trop sûr… linecolor=orange,backgroundcolor=orange!25,bordercolor=orange]: oui In other words, this bug state can be reached in any case as the data stream can be blocked at any time, i. e., the client may have to wait for the video to load.
A more interesting question is to study whether all runs of some valuations may eventually reach the bug location. This would be worrying, as it would denote that the protocol has no chances of success for these valuations. Therefore, we focus on ()-synthesis. This time, we obtain that the set of valuations for which all runs eventually reach is empty, and therefore no valuation makes the protocol entirely unsuccessful.
linecolor=blue,backgroundcolor=blue!25,bordercolor=blue]ÉA: dommage que la synthèse ne montre pas d’accumulation de contraintes (du genre , car ça aurait pu arriver, en tout cas pour
VI Conclusion
We proposed a new parametric timed formalism to reason about timed systems with some uncertain or unknown timing constants, with two interesting positive results. First, the emptiness of the valuation set for which at least one run reaches a location i. e., -emptiness, is decidable in linear time which is better than solving the reachability problem for TAs, as it is PSPACE-complete. Second, we showed that exact synthesis can be achieved in exponential time.
In contrast, we showed that (nested) TCTL-emptiness is undecidable, making PTAs, as model-checking TCTL is decidable for TAs, a formalism at the border between decidability and undecidability.
Our formalism seems to allow for promising practical applications as shown by Section V, where we successfully modeled a simple data streaming protocol.
Future work
On the theoretical side, the emptiness of some flat TCTL formulas remains open for PTAs, notably , and -emptiness. Improving the complexity of -synthesis is also an interesting direction.
More practically, we are interested in proposing dedicated efficient synthesis algorithms for PTAs (independently of the underlying decidability).
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[ACD 93] Rajeev Alur, Costas Courcoubetis and David L. Dill “Model-Checking in Dense Real-Time” In Information and Computation 104.1 Academic Press, 1993, pp. 2–34 DOI: 10.1006/inco.1993.1024 · doi ↗
- 2[AD 94] Rajeev Alur and David L. Dill “A theory of timed automata” In Theoretical Computer Science 126.2 Essex, UK: Elsevier Science Publishers Ltd., 1994, pp. 183–235 DOI: 10.1016/0304-3975(94)90010-8 · doi ↗
- 3[AHV 93] Rajeev Alur, Thomas A. Henzinger and Moshe Y. Vardi “Parametric real-time reasoning” In STOC San Diego, California, United States: ACM, 1993, pp. 592–601 DOI: 10.1145/167088.167242 · doi ↗
- 4[ALR 16] Étienne André, Didier Lime and Olivier H. Roux “Decision Problems for Parametric Timed Automata” In ICFEM 10009 , Lecture Notes in Computer Science Tokyo, Japan: Springer, 2016, pp. 400–416 DOI: 10.1007/978-3-319-47846-3˙25 · doi ↗
- 5[ALR 18] Étienne André, Didier Lime and Mathias Ramparison “TCTL model checking lower/upper-bound parametric timed automata without invariants” In FORMATS 11022 , Lecture Notes in Computer Science Beijing, China: Springer, 2018, pp. 1–17 DOI: 10.1007/978-3-030-00151-3˙3 · doi ↗
- 6[ALR 19] Étienne André, Didier Lime and Mathias Ramparison “Parametric updates in parametric timed automata” In FORTE 11535 , Lecture Notes in Computer Science Copenhagen, Denmark: Springer, 2019, pp. 39–56 DOI: 10.1007/978-3-030-21759-4˙3 · doi ↗
- 7[And+12] Étienne André, Laurent Fribourg, Ulrich Kühne and Romain Soulat “IMITATOR 2.5: A Tool for Analyzing Robustness in Scheduling Problems” In FM 7436 , Lecture Notes in Computer Science Paris, France: Springer, 2012, pp. 33–36 DOI: 10.1007/978-3-642-32759-9˙6 · doi ↗
- 8[And 19] Étienne André “What’s decidable about parametric timed automata?” In International Journal on Software Tools for Technology Transfer 21.2 Springer, 2019, pp. 203–219 DOI: 10.1007/s 10009-017-0467-0 · doi ↗
