# **Verifying Timed Reachability Properties**

#### Lecture #17 of Advanced Model Checking

Joost-Pieter Katoen

Lehrstuhl 2: Software Modeling & Verification

E-mail: katoen@cs.rwth-aachen.de

June 30, 2014

© JPK



# Timelock, time-divergence and Zenoness

- A path is *time-divergent* if its execution time is infinite:

$$ExecTime(s_0 \xrightarrow{d_0} s_1 \xrightarrow{d_1} \ldots) = \sum_{i=0}^{\infty} d_i = \infty$$

- *TA* is *timelock-free* if no state in *Reach*(*TS*(*TA*)) contains a timelock; a state contains a timelock whenever no time-divergent paths emanate from it
- *TA* is *non-Zeno* if there does not exist an initial Zeno path in *TS*(*TA*); a path is Zeno if it is time-convergent and performs infinitely many actions



#### Some abbreviations

"Always" is obtained in the following way:

$$\exists \Box^J \Phi = \neg \forall \Diamond^J \neg \Phi \quad \text{and} \quad \forall \Box^J \Phi = \neg \exists \Diamond^J \neg \Phi$$

$\exists \Box^J \Phi$ asserts that for some path, $\Phi$ holds during the interval $J$; $\forall \Box^J \Phi$ requires this to hold for all paths. The standard $\Box$- and $\Diamond$-operators are obtained as follows:

$$\Diamond \Phi = \Diamond^{[0,\infty)} \Phi \quad \text{and} \quad \Box \Phi = \Box^{[0,\infty)} \Phi$$



#### The $\implies$ relation

For infinite path fragments in *TS*(*TA*) performing infinitely many actions, let

$$s_0 \xrightarrow{d_0} s_1 \xrightarrow{d_1} s_2 \xrightarrow{d_2} \cdots \quad \text{with } d_0, d_1, d_2, \ldots \geq 0$$

denote the equivalence class containing all infinite path fragments induced by execution fragments of the form:



where $k_i \in \mathbb{N}$, $d_i \in \mathbb{R}_{\geq 0}$ and $\alpha_i \in Act$ such that $\sum_{j=1}^{k_i} d_i^j = d_i$.

For $\pi \in s_0 \xrightarrow{d_0} s_1 \xrightarrow{d_1} \ldots$ we have $ExecTime(\pi) = \sum_{i \geq 0} d_i$.



#### **Semantics of timed reachability**

For a time-divergent path $\pi \in s_0 \xrightarrow{d_0} s_1 \xrightarrow{d_1} \ldots$ we have:

$$\pi \models \Diamond^J \Psi \quad \text{iff} \quad \exists i \geq 0.\ s_i + d \models \Psi \ \text{ for some } d \in [0, d_i] \text{ with } \sum_{k=0}^{i-1} d_k + d \in J \text{ and}$$

where for $s_i = \langle \ell_i, \eta_i \rangle$ and $d \geq 0$ we have $s_i + d = \langle \ell_i, \eta_i + d \rangle$.



## Timed reachability for timed automata

- Let *TA* be a timed automaton with clocks *C* and locations *Loc*
- The satisfaction set  $Sat(\forall \diamondsuit^{J} \Phi)$  is defined by:

$$Sat(\forall \diamond^{J} \Phi) = \{ s \in Loc \times Eval(C) \mid \forall \pi \in Paths_{div}(s), \pi \models \diamond^{J} \Phi \}$$

The satisfaction set for  $\exists \diamondsuit^J \Phi$  is defined analogously

- *TA* satisfies $\forall \Diamond^J \Phi$ iff $\forall \Diamond^J \Phi$ holds in all initial states of *TA*:

$$TA \models \forall \Diamond^J \Phi \quad \text{if and only if} \quad \forall \ell_0 \in Loc_0.\ \langle \ell_0, \eta_0 \rangle \models \forall \Diamond^J \Phi$$

where $\eta_0(x) = 0$ for all $x \in C$.



## Characterizing timelock

- TCTL semantics is also well-defined for *TA* with timelock
- A state has a timelock if no time-divergent paths emanate from it
- A state is *timelock-free* if and only if it satisfies $\exists \Box\, \mathit{true}$
  - some time-divergent path satisfies $\Box\, \mathit{true}$, i.e., there is $\geq 1$ time-divergent path
  - note: for fair CTL, the states in which a fair path starts also satisfy  $\exists \Box$  true
- *TA* is timelock-free iff  $\forall s \in Reach(TS(TA))$ :  $s \models \exists \Box true$
- Timelocks can thus be characterised by a timed reachability property



# Verifying timed reachability

- Timed reachability problem: $TA \models \forall \Diamond^J \Phi$ for non-Zeno *TA*

(figure: $TA \models \forall \Diamond^J \Phi$; labels: timed automaton, uncountable transition system)

- Zeno paths are excluded as they could be false alarms
- Idea: take a finite quotient of *TS*(*TA*) wrt. a tailored bisimulation
  - $TS(TA) / \cong$ is a *region* transition system and denoted *RTS*(*TA*)
- Transform $\forall \Diamond^J \Phi$ into an "equivalent" reachability property $\forall \Diamond \widehat{\Phi}$
- Then: $TA \models \forall \Diamond^J \Phi$ iff





# **Eliminating timing parameters**

- Eliminate all intervals  $J \neq [0, \infty)$  from timed reachability
  - introduce a fresh clock, z say, that does not occur in TA
- Formally: for any state s of TS(TA) it holds:

$$s \models \exists \diamondsuit^J \Phi \quad \text{iff} \quad \underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \exists \diamondsuit \left( (z \in J) \land \Phi \right)$$

- where $TA \oplus z$ is *TA* (over *C*) extended with $z \not\in C$
- atomic clock constraints are atomic propositions, i.e., a CTL formula results



#### Correctness

Let  $TA = (Loc, Act, C, \hookrightarrow, Loc_0, Inv, AP, L)$ . For clock  $z \notin C$ , let

$$TA \oplus z = (Loc, Act, C \cup \{z\}, \hookrightarrow, Loc_0, Inv, AP, L).$$

For any state $s$ of *TS*(*TA*) it holds that:

1. $s \models \exists \Diamond^J \Psi$ iff $\underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \exists \Diamond ((z \in J) \land \Psi)$
2. $s \models \forall \Diamond^J \Psi$ iff $\underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \forall \Diamond ((z \in J) \land \Psi)$



## Constraints on clock equivalence $\cong$

(A) Equivalent clock valuations satisfy the same clock constraints g:

$$\eta \cong \eta' \Rightarrow (\eta \models g \text{ iff } \eta' \models g)$$

(B) Time-divergent paths of equivalent states are "equivalent"

- this property guarantees that equivalent states satisfy the same path formulas

(C) The number of equivalence classes under $\cong$ is finite



## **Clock equivalence**

- Correctness criteria (A) and (B) are ensured if equivalent states:
  - agree on the integer parts of all clock values, and
  - agree on the ordering of the fractional parts of all clocks
- $\Rightarrow$ This yields a denumerably infinite set of equivalence classes
- Observe that: if a clock exceeds the maximal constant with which it is compared, its precise value is not of interest
- $\Rightarrow$ The number of equivalence classes is then finite (C)



#### **Clock equivalence: definition**

Clock valuations $\eta, \eta' \in Eval(C)$ are *equivalent*, denoted $\eta \cong \eta'$, if either:

- for all $x \in C$: $\eta(x) > c_x$ iff $\eta'(x) > c_x$, or
- for any $x, y \in C$ with $\eta(x), \eta'(x) \leq c_x$ and $\eta(y), \eta'(y) \leq c_y$ it holds:
  - $\lfloor \eta(x) \rfloor = \lfloor \eta'(x) \rfloor$ and $frac(\eta(x)) = 0$ iff $frac(\eta'(x)) = 0$, and
  - $frac(\eta(x)) \leq frac(\eta(y))$ iff $frac(\eta'(x)) \leq frac(\eta'(y))$

For states $s = \langle \ell, \eta \rangle$ and $s' = \langle \ell', \eta' \rangle$: $s \cong s'$ iff $\ell = \ell'$ and $\eta \cong \eta'$.



# Regions

- The *clock region* of $\eta \in Eval(C)$, denoted $[\eta]$, is defined by:

$$[\eta] = \{ \eta' \in Eval(C) \mid \eta \cong \eta' \}$$

- The *state region* of $s = \langle \ell, \eta \rangle \in TS(TA)$ is defined by:

$$[s] = \langle \ell, [\eta] \rangle = \{ \langle \ell, \eta' \rangle \mid \eta' \in [\eta] \}$$



# Example $c_x=2$ , $c_y=1$



#### Bounds on the number of regions

The *number of clock regions* is bounded from below and above by:

$$|C|! \cdot \prod_{x \in C} c_x \ \leq\ \Bigl| \underbrace{Eval(C)/\!\cong}_{\text{number of regions}} \Bigr| \ \leq\ |C|! \cdot 2^{|C|-1} \cdot \prod_{x \in C} (2c_x + 2)$$

where for the upper bound it is assumed that $c_x \geq 1$ for any $x \in C$.

The number of state regions is $|Loc|$ times larger.



#### Proof



#### **Preservation of atomic properties**

1. For $\eta, \eta' \in Eval(C)$ such that $\eta \cong \eta'$:

   $\eta \models g$ if and only if $\eta' \models g$ for any $g \in ACC(TA \cup \Phi)$

2. For $s, s' \in TS(TA)$ such that $s \cong s'$:

   $s \models a$ if and only if $s' \models a$ for any $a \in AP'$

where $AP'$ includes all propositions in *TA* and the atomic clock constraints in *TA* and $\Phi$.



#### **Clock equivalence is a bisimulation**

Clock equivalence is a bisimulation equivalence over AP'



#### Proof



## **Region automaton: intuition**

- Region automaton = quotient of TS(TA) under  $\cong$
- State regions are states in quotient transition system under  $\cong$
- Transitions in region automaton "mimic" those in TS(TA)
- Delays are abstract
  - the exact delay is not recorded, only that some delay took place
  - if any clock x exceeds  $c_x$ , delays are self-loops
- Discrete transitions correspond to actions



## A simple example







#### Unbounded and successor regions

- Clock region $r_{\infty} = \{ \eta \in Eval(C) \mid \forall x \in C.\ \eta(x) > c_x \}$ is *unbounded*
- $r'$ is the successor (clock) region of $r$, denoted $r' = succ(r)$, if either:
  1. $r = r_{\infty}$ and $r = r'$, or
  2. $r \neq r_{\infty}$, $r \neq r'$ and $\forall \eta \in r$:

     $\exists d \in \mathbb{R}_{>0}.\ (\eta + d \in r' \text{ and } \forall 0 \leq d' \leq d.\ \eta + d' \in r \cup r')$

- The successor state region: $succ(\langle \ell, r \rangle) = \langle \ell, succ(r) \rangle$
- Note: the location invariants are ignored so far!
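As an added worked example (my own code, not part of the lecture slides), the following Python implements the clock equivalence of the definition above as a canonical region key, enumerates the clock regions for the $c_x = 2$, $c_y = 1$ example and checks the count against the bounds on the number of regions, and computes successor regions as just defined (location invariants ignored, as on the slide). It assumes the two clauses of the equivalence definition are checked jointly, that clock values are exact (`int` or `Fraction`), and all function names are my own.

```python
from fractions import Fraction
from itertools import product
from math import factorial, floor, prod

def region_key(eta, bounds):
    # Canonical name of the clock region [eta]: per clock either "above" (the clock
    # exceeds c_x) or (integer part, fractional part is zero), plus the ordering of
    # the non-zero fractional parts of the bounded clocks (ties grouped together).
    parts, fracs = {}, []
    for x, v in eta.items():
        if v > bounds[x]:
            parts[x] = "above"
        else:
            f = v - floor(v)
            parts[x] = (floor(v), f == 0)
            if f != 0:
                fracs.append((f, x))
    order = []
    for f, x in sorted(fracs):
        if order and order[-1][0] == f:
            order[-1][1].append(x)          # equal fractional parts: a tie
        else:
            order.append((f, [x]))
    return (tuple(sorted(parts.items())), tuple(tuple(g) for _, g in order))

def equivalent(eta1, eta2, bounds):
    return region_key(eta1, bounds) == region_key(eta2, bounds)

def successor_valuation(eta, bounds):
    # eta + d for the smallest delay d > 0 that leaves [eta], so region_key of the
    # result is succ([eta]); r_inf is its own successor and is returned unchanged.
    fr = [v - floor(v) for x, v in eta.items() if v <= bounds[x]]
    if not fr:
        return dict(eta)
    if 0 in fr:   # a clock sits on an integer: any delay short of the next integer
        d = min([(1 - f) / 2 for f in fr if f] or [Fraction(1, 2)])
    else:         # the largest fractional part reaches the next integer first
        d = 1 - max(fr)
    return {x: v + d for x, v in eta.items()}

def enumerate_regions(bounds):
    # Grid with fractional parts 1/(n+2) apart reaches every ordering and tie.
    clocks, step = sorted(bounds), Fraction(1, len(bounds) + 2)
    grid = [[k * step for k in range(floor((bounds[x] + 1) / step) + 1)] for x in clocks]
    return {region_key(dict(zip(clocks, v)), bounds) for v in product(*grid)}

def region_count_bounds(bounds):
    # Lower and upper bound on the number of clock regions (assumes c_x >= 1).
    n = len(bounds)
    return (factorial(n) * prod(bounds.values()),
            factorial(n) * 2 ** (n - 1) * prod(2 * c + 2 for c in bounds.values()))
```

For the slide's example ($c_x = 2$, $c_y = 1$) the enumeration yields 28 clock regions, between the bounds 4 and 96, and delaying from $\eta_0$ walks through five successor regions before reaching $r_\infty$.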



#### Characterizing time convergence

For non-Zeno *TA* and $\pi = s_0 s_1 s_2 \ldots$ a path in *TS*(*TA*):

(a) $\pi$ is *time-convergent* $\Rightarrow$ $\exists$ state region $\langle \ell, r \rangle$ such that for some $j$:

$s_i \in \langle \ell, r \rangle$ for all $i \geq j$

(b) If $\exists$ state region $\langle \ell, r \rangle$ with $r \neq r_{\infty}$ and an index $j$ such that:

$s_i \in \langle \ell, r \rangle$ for all $i \geq j$

then $\pi$ is *time-convergent*

Time-convergent paths are thus paths that only perform delays from some time instant on.



#### **Region automaton**

For non-Zeno *TA* with $TS(TA) = (S, Act, \rightarrow, I, AP, L)$ let:

$$RTS(TA, \Phi) = (S', Act \cup \{\tau\}, \rightarrow', I', AP', L') \quad \text{with}$$

- $S' = S/\!\cong\ = \{ [s] \mid s \in S \}$ and $I' = \{ [s] \mid s \in I \}$, the state regions
- $L'(\langle \ell, r \rangle) = L(\ell) \cup \{ g \in AP' \setminus AP \mid r \models g \}$
- $\rightarrow'$ is defined by the two rules:

$$\frac{\ell \xrightarrow{g:\alpha,D} \ell' \quad r \models g \quad \text{reset } D \text{ in } r \models Inv(\ell')}{\langle \ell, r \rangle \stackrel{\alpha}{\longrightarrow}' \langle \ell', \text{reset } D \text{ in } r \rangle}$$

and

$$\frac{r \models Inv(\ell) \quad succ(r) \models Inv(\ell)}{\langle \ell, r \rangle \stackrel{\tau}{\longrightarrow}' \langle \ell, succ(r) \rangle}$$



#### **Example: simple light switch**







#### **Correctness theorem** [Alur and Dill, 1989]





## Characterizing timelock freedom

A non-Zeno *TA* is timelock-free iff *RTS*(*TA*) has no reachable terminal states.

Timelocks can thus be checked by a reachability analysis of *RTS*(*TA*).



#### Example







## **Time complexity**

Model checking timed reachability on TA is **PSPACE-complete** 



## Other verification problems

1. The timed CTL model-checking problem is **PSPACE-complete**
2. Model checking safety, or $\omega$-regular properties on *TA* is **PSPACE-complete**
3. Model checking LTL and CTL against *TA* is **PSPACE-complete**
4. The model-checking problem for timed LTL is undecidable
5. The satisfaction problem for timed CTL is undecidable

All facts are stated without proof.