T R A C E - A U T O M A T A : A F O R M A L F R A M E W O R K F O R U S I N G A B S T R A C T I O N T O V E R I F Y H Y B R I D S Y S T E M S B y A n d r e w Kenneth M a r t i n : B.Sc. (Hons) ( C o m p u t i n g and Information Science) Queen's Univers i ty at K i n g s t o n M . S c . (Computer Science) Universi ty of B r i t i s h C o l u m b i a A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF T H E REQUIREMENTS FOR T H E DEGREE OF D O C T O R OF PHILOSOPHY, in T H E FACULTY OF GRADUATE STUDIES DEPARTMENT OF COMPUTER SCIENCE We accept this thesis as conforming to the required standard T H E UNIVERSITY OF BRITISH COLUMBIA November 1996 © A n d r e w Kenneth M a r t i n , 1996 In presenting this thesis in partial fulfilment of the requirements for an advanced degree at the University of British Columbia, I agree that the Library shall make it freely available for reference and study. I further agree that permission for extensive copying of this thesis for scholarly purposes may be granted by the head of my department or by his or her representatives. It is understood that copying or publication of this thesis for financial gain shall not be allowed without my written permission. Department of w p p h , r Soiew-JL The University of British Columbia Vancouver, Canada Date flat/,. 7,r. /4f£ DE-6 (2/88) Abstract This dissertation presents a new framework, trace-automata, for verifying hybrid systems. In addit ion, a simple, general theory of abstraction is presented, based on the idea of approxima-tions that are liberal or conservative wi th respect to an abstraction funct ion. Th is theory gives rise to a sound technique whereby hybrid systems are verified by constructing discrete approx-imations of both the implementation and the specification, and verifying that the approximate implementation satisfies the approximate specification. Trace-automata are language accepting, infinite tape automata , extended to allow multiple tapes, and to allow tapes that consist of continuous traces over the reals, as well as tapes that consist of sequences of discrete symbols. H y b r i d systems are represented by automata that read some continuous tapes and some discrete tapes. Trace-automata are used to represent both the implementation and the specification of the system to be verified. Verification corresponds to demonstrating that the language accepted by the implementation is contained in that accepted by the specification. H y b r i d systems are verified by constructing and verifying discrete approximations. A b -straction functions map continuous traces to discrete sequences. A liberal approximation of the system implementation is verified against a conservative approximation of the system specifi-cat ion. F r o m this verification, it can be concluded that the original hybrid model satisfies the original specification. T h e dissertation describes a general technique for constructing discrete, l iberal approxima-tions of trace-automata representing differential equations and inclusions. In addit ion, trace-automata themselves can encode abstraction functions, wi th the result that trace-automata language containment can also be used to establish that an approximation is l iberal or conser-vative as the case may be. 11 These techniques are i l lustrated with an example verification based upon the Phi l ips A u d i o C o n t r o l Protocol wi th two agents, each capable of both t ransmit t ing and receiving. The veri-fication is novel in that it is based upon a detailed model of the analog electrical behaviour of the bus. i i i Table of Contents Abstract ii List of Tables vi i List of Figures ix Acknowledgements xi 1 Introduction 1 1.1 M o t i v a t i o n 1 1.2 T r a c e - A u t o m a t a 2 1.3 Abst rac t ion and A p p r o x i m a t i o n 3 1.4 Language Containment 5 1.5 A p p r o x i m a t i n g H y b r i d Systems 6 1.6 Overview 7 2 Related W o r k 11 2.1 M o d e l l i n g H y b r i d Systems 11 2.1.1 T i m e d A u t o m a t a 12 2.1.2 Phase Transit ion Systems 14 2.1.3 H y b r i d A u t o m a t a 16 2.1.4 H y b r i d Systems 18 2.1.5 A c t i v i t y Transit ion Graphs 19 2.1.6 D u r a t i o n Calculus 20 2.1.7 Constra int Nets 21 iv 2.2 Abstrac t ion and approximation 22 3 Trace A u t o m a t a 25 3.1 T r a c e - A u t o m a t a 26 3.2 H i d i n g and Composi t ion 34 3.3 Expressibi l i ty 43 3.4 A Trace -Automata Description Language 46 4 Abstract ion, A p p r o x i m a t i o n and Language Containment 52 4.1 Abstrac t ion and A p p r o x i m a t i o n 52 4.2 T r a c e - A u t o m a t a A p p r o x i m a t i o n 56 4.3 Approx imat ions , Compos i t ion , and Restrict ion 62 4.4 Encoding Abstrac t ion Functions 65 4.5 A Containment Checking A l g o r i t h m for Smooth Discrete F in i te T r a c e - A u t o m a t a 70 4.6 Summary 81 5 Implementation 83 5.1 Numbers , Variables, and Symbolic A r i t h m e t i c 84 5.1.1 Symbolic Boolean Functions 84 5.1.2 Representing Sets and Relations 86 5.1.3 Symbolic Integers 88 5.1.4 Fixed-point Numbers 91 5.2 Discrete T r a c e - A u t o m a t a 93 5.3 Testing for Language Containment 99 5.3.1 Explor ing the Reachable State-Space 99 5.3.2 Checking for Violat ions 101 5.3.3 Construct ing a Counter -Example 101 5.3.4 A M o r e Efficient A l g o r i t h m 102 5.4 Approx imat ions of Continuous A u t o m a t a 104 6 A Verification Example 116 6.1 A u d i o C o n t r o l Bus 118 6.2 M o d e l l i n g the A n a l o g Channel 124 6.3 A M o d e l of the Bus 130 6.4 Discrete Components 140 6.4.1 Timers 141 6.4.2 Coders 155 6.5 Specification 163 6.6 Verification Summary 167 7 Conclusions and Future W o r k 171 7.1 Conclusions 171 7.2 Future W o r k 177 Bibliography 182 vi List of Tables 3.1 A 1-bit counter 30 3.2 A n edge detector 32 3.3 A n integrator 32 3.4 A n analog switch 34 3.5 A transliteration 34 3.6 A trace automaton wi th mixed behaviours 35 3.7 The automaton m s t range with tape a hidden 36 3.8 A hybrid system 45 3.9 A transport delay 46 4.10 A n example specification 78 4.11 A n incompatible implementation 78 4.12 A k element F I F O 79 5.13 A liberal approximation of y = 2x 108 5.14 The discrete-time interpretation of a continuous-time transliteration of y = 2x . . 114 6.15 A transistor model 127 6.16 A Schmidt trigger 131 6.17 Component values used in the bus model 133 6.18 Trade off between value discretization granularity and accuracy 136 6.19 Tradeoff between t ime discretization granularity and accuracy 137 6.20 Value discretization parameters 137 6.21 A p p r o x i m a t e sizes of sub-component models expressed in O B D D nodes 137 6.22 A hand built approximation of the bus 138 v i i 6.23 The abstraction function for gate voltages 139 6.24 Clock-cycle model of the t imer 141 6.25 A time translator translates from <5-tokens to clock-tokens 143 6.26 A time translator translates between ^-tokens and 5/k-tokens 145 6.27 A hand-built approximation of the t imer 148 6.28 The abstract t imer, extended by adding tapes to resolve non-determinism . . . . 152 6.29 Simple agent wi th no collision detection 157 6.30 F lawed transmitter wi th collision detection 159 6.31 Correct collision detecting transmitter 162 6.32 A u d i o Protoco l Specification 163 6.33 A n abstraction function for the host interface 165 6.34 A trace automaton that tests for fairness 166 vi i i List of Figures 3.1 C = (A-U(N))u(AnB)u(B = U{M)) 39 3.2 Composi t ion of two trace-automata 43 4.3 Abst rac t ing a real-trace by a sequence if integer-pairs 59 4.4 The tapes read by an abstraction encoding 66 4.5 Tapes are added to resolve non-determinism . . . 75 4.6 Compos ing a buffer wi th a specification 79 5.7 A liberal approximation of the real-time transliteration of y = 2x is parameter-ized by the discretization function I l l 5.8 The definition of an integrator is parameterized by discretization functions . . . . 1 1 3 5.9 F L representation of a continuous time discrete-value l iberal approximation of the transliteration y = 2x 115 6.10 Schematic diagram of the bus 120 6.11 Transmitter state machine 122 6.12 Receiver state machine 122 6.13 A capacitor 125 6.14 A simple circuit 125 6.15 Schmidt trigger input is divided into regions 128 6.16 A non-monotonic signal may cause a temporary shift in the threshold voltage . . 129 6.17 A trace-automata model of the bus 132 6.18 A n a l o g components of a two-agent bus 133 6.19 Using matching automata to construct a discrete-time approximat ion 135 6.20 Translat ion between real-time and clocked time 143 ix 6.21 Translation between 6-tokens and S/k-tokens 145 6.22 A real-time model of the t imer is formed by composing the clock-time model with translators 147 6.23 The timer model is verified against a hand-built approximation 151 6.24 A collision goes undetected! 160 6.25 Behaviour of the fixed algorithm 161 x Acknowledgements I have been fortunate to have had the opportuni ty of working in an absolutely outstanding department. Throughout the seven years that I have spent here, there has always been just the right mix of intellectual excitement, collegiality, and human kindness. T h e credit for this properly belongs to each and every department member: faculty, staff and students. Thus , I am indebted to each one of you, for your own contribution towards making the Computer Science department at U B C the st imulat ing and supportive place that it is. T h a t being said, I would like to extend special thanks to C a r l Seger, my research supervisor, for having enough faith in me to agree to supervise this research, which is largely unrelated to his own; for maintaining that fa i th , in the face of setbacks and disappointments; for pushing me when I needed a push; for encouraging me when I needed encouragement; for the many late nights that he spent reading draughts of this thesis; and for teaching me how to write . I cannot imagine how I could have finished this work without Car l ' s support . Thanks also go to the other members of my supervisory committee, M a r k Greenstreet, A l a n M a c k w o r t h , Nicholas Pippenger for reading the first draughts of my thesis so promptly, and for providing me wi th such helpful corrections and comments. I am also indebted to my friends and colleagues in the ISD lab, especially M a r k A a g a a r d , Er i c B o r m , Nancy Day, M i k e Donat , M a r k Greenstreet, Scott Hazelhurst , Jeff Joyce, and D a v i d Weih for the many, many hours they have spent listening to me try to explain my research problem of the day, for s t imulat ing "coffee break" discussions, for unfailing encouragement during the last agonizing months, but most of all for helping to make research fun . M y experience as a graduate student was everything that I had hoped it would be, largely as a result of knowing and working wi th these people. x i I would like to thank my good friend Ian Cavers, for his sound advice and constant sup-port ; for noon-time walks, which kept me sane during the last months of wr i t ing up; and for rejuvenating weekends on Bowen Island. F ina l ly , I would like to thank my wife, D a w n , for the strength and motivation to persevere past set-backs and failures that , without her, would surely have defeated me. x i i Chapter 1 Introduction 1.1 Mot ivat ion In general, the problem of verification is that of demonstrating that the implementation of a system satisfies a given specification. Th is dissertation addresses specific instances of this problem in which the system consists of interacting continuous and discrete components. Th is situation arises in practise when a digital device, such as a computer, is used to control a continuous physical process, or when digital circuits are combined wi th circuits that exhibit non-digital behaviours. M u c h of the difficulty arises because such systems consist of two different types of compo-nents, requiring different types of analysis. T h e digi ta l components are natural ly modelled us-ing discrete mathematics . A n a l o g components, such as the plant being controlled, are normally modelled and analyzed using the tools of continuous analysis. A methodology for modelling and analyzing hybr id systems must account for both types of components, and their interactions. O f course the actual implementation of any system, being a physical object, is not amenable to mathematical analysis of any k ind . Instead, the relevant features of the implementat ion must be captured in a mathematical model . It is this model that is the subject of the analysis. Thus a necessary first step in verifying any system, in general, and a hybrid system in part icular , is the construction of such a model . Similarly, a necessary first step towards a practical methodology for verifying hybr id systems is a framework in which such models can be constructed. Once such a model has been obtained, one would like to compare it against a specification. Recently, considerable progress has been made towards practical methods wi th which models of digital systems can be verified in this way. One might reasonably hope to make use of 1 Chapter 1. Introduction 2 these techniques in the verification of hybrid systems. Unfortunately the techniques in question depend heavily on the discrete nature of the models. W h i l e digital systems can be represented natural ly using these discrete models, continuous components cannot. T h u s the problem is twofold. F i r s t , a framework is needed in which hybrid systems can natural ly be modelled. Second, techniques are needed for verifying systems that are modelled in this framework. 1.2 Trace -Automata T h i s dissertation presents a new verification framework called trace-automata as a solution to these problems. Implementations and specifications are represented as language accepting automata with multiple tapes. Unl ike conventional finite-state machines, trace-automata can be defined that read tapes consisting of continuous traces over real values. O f course, trace-automata can also be defined that read the more conventional tapes consisting of sequences of symbols from a finite domain . Moreover , hybrid systems can be represented by multi- tape trace-automata, with some continuous tapes and some discrete. W i t h i n the trace-automata framework, verification corresponds to demonstrat ing that the language accepted by the implementation is contained in that accepted by the specification. Informally, the language accepted by the implementation represents the set of behaviours that the system under development is capable of exhibit ing. Similarly, the language accepted by the specification represents the set of behaviours that the system is permitted to engage i n . T h e language containment relationship establishes that the system is only capable of exhibit ing behaviours that are permitted. In any verification it is important to ensure that that the formal representation of the implementation faithfully describes the actual system under development. It should be possible to validate the formal representation. In general, this process must necessarily be informal , since it involves comparing a formal representation wi th an actual or proposed device. Nonetheless, the trace-automata framework lends itself to this informal process. Chapter 1. Introduction 3 Complicated devices or systems are typical ly built f rom simple components. Trace-automata support a parallel composit ion operator that allows the formal representation of a complex system to reflect this structure. Simple components are modelled independently A d d i t i o n a l trace-automata model the constraints imposed by the manner in which these parts are connected together in the system. A model of the complete system under development is obtained by composing the trace-automata representations of its parts, and of their connections. A l t h o u g h the aggregate automaton, representing the entire system, wi l l generally be highly complex, the components from which it is built wi l l be simple, and hence can be validated independently. 1.3 Abstract ion and A p p r o x i m a t i o n M u c h of the thesis is based upon a very general notion of abstraction and approximat ion that is applicable to any formalism based upon language containment. In general terms, the methodology is as follows. A verification problem is ini t ia l ly posed - to demonstrate that the language accepted by an implementation L(m) is contained in that accepted by a specification L(s). Suppose, however, that for some reason, it is impract ical to verify this containment directly. The implementat ion or specification may be too complicated, or may be expressed over a domain , like hybr id systems, for which no decision procedure exists. T h e general strategy is to construct new, tractable machines in and s in such a way that L{fh) C L(s) implies L(m) C L(s). In general, the machines ih and s may accept languages drawn from entirely different uni-verses than those accepted by m and s. For example, m and s may be continuous machines, while ih and s are discrete. We call the domain in which m and s operate the concrete domain , while that of in and s is called the abstract. A n abstraction function is a (possibly partial) func-tion that maps f rom behaviours in the concrete domain to behaviours in the abstract domain . Its pre-image provides a concrete interpretation of abstract behaviour-sets. A n abstract machine ih is said to be a liberal approximation (with respect to an abstraction function) of the concrete machine m if the pre-image of L(ih) contains L(m). In a sense Chapter 1. Introduction 4 fh, when interpreted in the concrete domain , over estimates the language of TO. Conversely, an abstract machine s is said to be a conservative approximation of the concrete machine s if the pre-image of L(s) is contained in L(s). Chapter 4 establishes that the implicat ion L(fh) C L(s) => L(m) C £ ( s ) holds if and only if in is a liberal approximat ion of m and s is a conservative approximation of s wi th respect to a (possibly partial) abstraction funct ion. In fact more generally, it is shown that if M and S are sets from any universe U, and if M and S are sets from some, possibly different universe U, then the implicat ion M C S ==> M C S holds if and only if there is a possibly part ia l function tp : U H-> U such that M is contained in the pre-image of M, and the pre-image of S is contained in S. In general, it is difficult to construct useful discrete liberal approximations of large and complex hybrid or continuous trace-automata. Here, however the theory of l iberal and conser-vative approximat ion connects elegantly wi th the trace-automata modell ing framework. Recall that complex system models are constructed by composing simple models of their components. It turns out that , provided that the approximations satisfy certain conditions, the property of being a l iberal approximation is preserved by composit ion. A s a result, if fh\ is a liberal approximation of m i , and if fhi is a l iberal approximation of rri2, then the composit ion of fhi and TO2 is a l iberal approximation of m\ composed with m-i- Thus , given l iberal approximations of its components, it is possible to build an approximation of a complex system that is liberal by construct ion. A second advantage of trace-automata is that , having multiple tapes, they are capable of rep-resenting abstraction functions. Furthermore, under many conditions, such a trace-automaton can be composed with an approximation fh yielding a machine that accepts the pre-image of L(fh). A s a result, a language containment checking algorithm for trace-automata can be used, not only for verification that L(fh) C L(s)., but also to confirm that fh is a l iberal approximation of TO and that s is a conservative approximation of s. Chapter 1. Introduction 5 1.4 Language Containment The dissertation presents a conservative language containment checking algori thm for discrete trace-automata. The algori thm is conservative in that it may, under certain conditions, give false negative results. T w o of the conditions that give rise to false negatives are specific to trace-automata. Sound techniques are given to circumvent these conditions. T h e third is more general, and involves the problem of a non-deterministic specification.. M a n y other language containment checking algorithms also suffer from failure in the face of a non-deterministic specification. A l t h o u g h , in principle, it is possible to construct a deterministic trace-automaton that is equivalent to any given non-deterministic one, such a construction would generally result in an exponential increase in the size of the state-space. The dissertation introduces a new technique for dealing with non-deterministic specifications that exploits the abil i ty of trace-automata to read multiple tapes. In essence, the language containment algorithm verifies that the reachable state set in the product machine, formed by the parallel composition of implementation and specification, is a simulation relation. If the specification is non-deterministic, the reachable state set itself may not be a s imulat ion, even though a subset of it is. T h e technique involves adding addit ional communicat ion between the two machines that reduces the size of the reachable state set. In essence, the addit ional communicat ion allows the implementation to act as an oracle, guiding the non-deterministic choices made by the specification. A s a result of the language containment checking a lgori thm, it is possible, for finite, discrete machines, to verify that one machine is a l iberal or conservative approximation of another. In the case of machines wi th continuous behaviours, the dissertation focuses on the technique of constructing finite discrete approximations of them - l iberal in the case of an implementation and conservative in the case of a specification. Chapter 1. Introduction 6 1.5 A p p r o x i m a t i n g H y b r i d Systems The remainder of the dissertation explores this strategy, part icularly in the case of hybrid systems. Abs t rac t ion functions are used to map continuous-time behaviours to sequences of discrete symbols. H y b r i d systems are verified by constructing discrete liberal approximations of their implementations with respect to these abstraction functions. These approximations are then verified against conservative specifications using the language containment checker for discrete trace-automata. Real-t ime, real-valued traces are abstracted by first part i t ioning them into sections of con-stant length. Each section is then represented by a pair of discrete (e.g. integer) tokens that describe the range of values achieved by the trace during that section. In this way, the real-t ime, real-valued trace is abstracted by a sequence of pairs of discrete tokens. Each pair of tokens summarizes the trace during a fixed-length interval. Th is general abstraction technique represents a family of abstraction functions parameterized by the choice of interval-length and the mapping from real to discrete values. Approx imat ions wi th respect to this family of abstractions are investigated in depth for two classes of machines that can be combined to represent systems of differential equations and inclusions. A t the heart of such a representation is a machine called an integrator. It accepts two real-time real-valued tapes, x and x' if and only if the trace contained on tape x can be obtained by integrating the trace contained on tape x' wi th respect to t ime. A discrete l iberal approximation is given of the integrator machine, parameterized by the choice of abstraction function wi th in the family just described. The dissertation also investigates a class of machines called transliterations. A translitera-tion accepts an arbi trary but fixed number of tapes, provided that the traces on them satisfy a given relation pointwise. A general technique is presented for constructing discrete l iberal ap-proximations of such machines based on these abstraction functions. Furthermore, it is shown that the approximat ion that results is the "best" approximation possible. T h a t is to say, the language accepted by the approximation constructed this way is contained in that accepted by Chapter 1. Introduction 7 every other liberal approximation based on the same abstraction funct ion. The techniques outlined in the dissertation allow one to build discrete l iberal approxima-tions of such machines to a level of precision determined by the choice of abstraction funct ion. There is some investigation, in the context of a specific example, of the trade-off that is made here between accuracy and representation size. A more accurate model based on a finer-grained abstraction function has a larger representation. Less accurate models have smaller represen-tations, but may be too liberal to prove that the system is correct. Thus liberal approximations of large systems may be obtained by composing l iberal approx-imations of the system's components. Such approximations may be standard approximations of continuous components such as integrators or transliterations. Hand-bui l t approximations of continuous components may also be used, but it must be proved that they^ are l iberal . In the case of discrete approximations of discrete components, this can be done automatical ly by encoding the abstraction function as a trace-automaton and using the language containment checker. In the case of continuous components, the proof must be constructed by hand. A l l of the techniques developed in the dissertation are i l lustrated in the verification of an example from the literature, commonly referred to as the " P h i l i p s A u d i o C o n t r o l P r o t o c o l . " Previous work on this example is extended by considering agents that are capable both of trans-m i t t i n g and of receiving, and by incorporat ing a detailed electrical model of the transmission medium. Since no previously published work has addressed the issue of collision detection, we developed our own collision detection a lgori thm, in which the verification effort uncovered a bug. The bug was of particular interest because it resulted from interaction between the digital model of the a lgori thm, the analog behaviour of the bus, and the tendency of the clocks that drive the digi ta l components to vary from their nominal frequencies. A revised version of the algori thm has successful been verified. 1.6 Overview The major theses advanced in this dissertation are as follows. Chapter 1. Introduction 8 1. T h a t hybrid systems can be verified using discrete liberal approximations with respect to a (possibly partial) abstraction funct ion. Th is is supported principally by the example in Chapter 6. A hybr id system model is constructed consisting of two digital agents commu-nicating over an analog channel. The model combines a continuous model representing the electrical behaviour of the bus, discrete models of the agents, and hybrid models of the interface circuitry. A discrete liberal approximation of this system is then constructed and used as the basis for verification. A subtle error in the protocol is discovered that prevents certain collisions from being detected. A revised version of the protocol is successfully verified. .2. T h a t trace-automata are a suitable formalism in which to do this because • they can represent continuous, discrete, and hybrid systems; • they allow complex systems to be described by composing models of their simple components, thus allowing the model to be validated; • liberal approximations of such a composit ional model can be obtained by composing liberal approximations of the components; • they can be used to encode abstraction functions so that language containment checking can be used to demonstrate that more complex hand built approximations of larger systems are l iberal ; • since the same formalism is used to represent the specification as is used to represent the implementat ion, trace-automata support multi-level verification. In addition to support ing these theses, the dissertation makes the following contributions. 1. Trace-automata: a verification framework that supports multiple independent t ime lines, by allowing multiple tapes. The time-lines are independent in the sense that the semantic interpretation of a model in the formalism does not establish a relationship between the t iming of events on different tapes. Chapter 1. Introduction 9 2. A simple general theory of abstraction based upon the idea of approximations that are liberal or conservative wi th respect to a (possibly partial) abstraction funct ion. 3. The idea of using the modelling framework to describe, not only models and specifications of the system under development, but also to describe abstraction functions themselves. Th is allows the same mechanism that is used to conduct verification wi th in the framework to establish that an approximation is l iberal or conservative as the case may be. 4. A general technique for abstracting real-time real-valued traces wi th sequences of discrete values. 5. A general technique for constructing discrete liberal approximations of systems of differ-ential equations based upon these abstractions. W h e n the research began, the state of the art in the automatic verification was a semi-decision procedure valid only for systems in which continuous variables followed trajectories wi th piece-wise constant derivatives. D u r i n g the last few years, these methods have been broadened to allow systems in which such variables follow trajectories that lie wi th in envelopes, the upper and lower bounds of which have piece-wise constant derivatives. Various techniques have been advanced that allow the approximation of more general problems by systems described by such envelopes. These techniques require considerable informal reasoning outside of the formal framework to accomplish this t ransformation. Th is reasoning must be performed for each system, and requires explicit descriptions of and solutions to the differential equations that govern the behaviour of the continuous system variables. The techniques that are described in this dissertation also use approximat ion to verify hybrid systems. Informal reasoning, however is more general. Rather than reasoning about particular differential equations, approximations are developed of the components, transliterations and integrators, f rom which descriptions of such equations are buil t . A s a result, such reasoning does not need to be performed for each system to be verified. Rather , the results presented in this dissertation can be used to approximate hybrid systems built f rom arbi trary differential Chapter 1. Introduction 10 equations and inclusions. The equations do not have to be solved explicit ly. The remainder of the dissertation is organized as follows. Chapter 2 gives a short overview of related work in the field of hybrid system verification and abstraction in relation to language containment. Chapter 3 describes the trace-automata modell ing framework. Chapter 4 presents the theory of conservative and liberal approximation in the abstract, applies that theory to the trace-automata modell ing framework, and presents the conservative language containment checking algorithm for discrete automata . Chapter 5 describes the verification system that has been implemented. Chapter 6 presents the verification of the audio control protocol . F i n a l l y Chapter 7 discusses some avenues for future research. Chapter 2 Related W o r k 2.1 Model l ing H y b r i d Systems A number of other authors have developed frameworks for modelling hybrid systems indepen-dently and concurrently wi th us. M a n y of these were introduced or discussed in [ G N R R 9 3 ] . In most of these frameworks, the system is modelled using an automata-l ike construction, while in others the system is described in a temporal logic. M o s t of the automata-l ike constructions are extensions of earlier constructions for mod-elling discrete systems. They generally inherit the terminology and notation from their discrete predecessor. There is considerable similarity, however, in the way these extensions are accom-plished. Generally, a state is a type-consistent assignment of values to a finite set of variables V = Vd U Vc that is partit ioned into discrete variables Vj, and continuous variables Vc. Often the discrete variable-set Vj, consists of a single variable called a location that ranges over the set of vertices in a finite directed graph. The automaton can be understood to proceed by alternating between phases of discrete and continuous change. D u r i n g a discrete phase, t ime does not progress. Discrete variables change according to a transit ion relation as wi th conventional discrete transit ion systems generating a sequence of states. D u r i n g a continuous phase, t ime progresses continuously. The discrete variables do not change, while the continuous variables change according to continuous functions associated wi th the discrete component of the state. The result of such an evolution is a sequence of alternating continuous and discrete phases. Some frameworks that are derived from discrete frameworks wi th interleaving semantics allow any finite number of discrete transitions in a single discrete phase. Others, f rom a background 11 Chapter 2. Related Work 12 favouring explicit simultaneity, allow only one. In the latter case, the alternating phase structure collapses to yield a sequence of continuous phases in which successive phases are separated by a single discrete transi t ion. Some authors l imit their consideration to behaviours that are of finite durat ion . Those that consider infinite behaviours generally l imit their consideration to those for which the continuous phases part i t ion the reals. Th is restriction appears in some form or other in almost every consideration of this problem. It was named "non-zenoness" by A b a d i and L a m p o r t in [AL92] . Here we review T i m e d A u t o m a t a [AD90], Extended D u r a t i o n Calculus of [CRH93}, Phase Transit ion Systems [ M M P 9 2 , M P 9 3 ] , H y b r i d A u t o m a t a [ A C H H 9 3 a ] , A c t i v i t y Transit ion Graphs [ H M P 9 3 ] , H y b r i d Systems [NSY92 , N O S Y 9 3 ] , and Constraint Nets [ZM92a]. 2.1.1 T i m e d A u t o m a t a One of the earliest works that attempted to model the real-time behaviour of computations was that of A l u r and D i l l [AD90]. A l u r and D i l l introduced a time structure called a Progressive Time Sequence. A progressive time sequence is a monotonic sequence of real numbers beginning with zero, that increases without bound. A behaviour is a pair of equal length sequences (p, t) called a timed trace. The first component, p, is a conventional sequence of action-sets; the second, t, is a progressive time-sequence. Thus , a real-valued t ime-stamp is associated wi th every action-set p{. The t imed sequence domain of A l u r and D i l l is capable of dist inguishing between execution sequences differing, not only in the ordering of events, but also in the real-valued time delays between them. M o s t other semantics for the real-time behaviour of discrete systems have been built along these lines. A l u r and D i l l develop an automaton construction for accepting languages of t imed traces. In this construction the conventional (finite state) w-automaton is augmented wi th a finite set of real-valued clocks that , unless reset, increase their value with derivative 1 as real-time progresses. T i m e elapses between transit ions, which themselves take no t ime. W i t h each Chapter 2. Related Work 13 transition is associated an enabling condit ion, that is a boolean combination of comparisons between clock values and integers. A transit ion whose condition is satisfied is said to be enabled; only enabled transitions can be taken. Transitions are also annotated with a (possibly empty) set of clocks, each of which are reset to zero when the transit ion is taken. A machine constructed this way is called a t imed automaton. W h e n coupled wi th B i i ch i (resp. M u l l e r ) acceptance conditions it is called a t imed B i i ch i (resp. Mul ler ) automaton. A l u r and D i l l show that testing language emptiness for t imed B i i ch i automata is decidable. Moreover, since deterministic t imed M u l l e r automata are closed under composition and com-plementation, testing whether the language accepted by a t imed Bi i ch i automaton is contained in that accepted by a deterministic t imed M u l l e r automaton is decidable as well . O n the other hand, testing for language inclusion between arbitrary B i i c h i automata is not. Given a language of t imed traces (p,t), one can construct the un-timed version of the language by projecting each trace onto its p component. T h e decidability results for language emptiness are obtained by showing how to construct a B i i ch i automaton that accepts the un-timed version of the language accepted by a given timed B i i c h i automaton. The construction is achieved by observing that the state of a t imed B i i ch i automaton during a computat ion is characterized by the state of the underlying B i i ch i automaton and the values of the clocks. Clearly there are an infinite number of such states. However, it is sufficient to know only the integral port ion of each clock's value, and the relative ordering amongst the clocks to predict future events. The integral port ion of each clock's value identifies which transitions are enabled. The ordering of the clock's values identifies the order in which subsequent transitions wi l l become enabled. T h u s the state-space can be parti t ioned into a finite number of classes, the members of which are equivalent wi th respect to subsequent reachability. It is this observation that is at the heart of model-checking algorithms for real-time and hybrid systems. Chapter 2. Related Work 14 2.1.2 Phase Transition Systems In [ M M P 9 2 ] the authors argue that while sets of timed sequences are sufficient to express invariants, they cannot express bounded response. They propose the following more general model . A progressive t ime sequence 9 = 9Q9I... (with weak monotonicity) induces a time-structure Tg. Tg is a set of ordered pairs (i,t) called moments , 1 where i corresponds to an index in the time-sequence 9, and t is a real-valued t ime. A pair (i,t) is a moment in the time structure if one of the following two conditions holds. Ei ther t = 9{, in which case (i, t) is said to be a discrete moment, or 9{ < t < in which case (i, t) is said to be a continuous moment. A hybrid trace (9, p) consists of a progressive time sequence 9, and function p mapping moments from the associated time structure Tg to states of a phase transit ion system. A phase transit ion system is a six-tuple, (V, 0 , T , A , / , u), where V = Vc U Vj, is a set of variables, 0 is a set of ini t ia l states, T is a finite set of transitions, A is a finite set of activities, / labels each transit ion T £ T wi th a non-negative real-valued lower-bound lT. Likewise u labels each transit ion r wi th a non-negative upper bound uT in R U {oo}. The set of states, S , is the set of type-consistent assignments o f values to the variables V. A transit ion r £ T maps each state s € £ to a possibly empty set of states r ( s ) C E . A transit ion r is said to be enabled in s if r (s ) is non-empty. The transit ion r may be taken if it has been enabled for at least lT. t ime units. It must be taken if it has been enabled for uT t ime units. A n act ivity is a conditional differential equation a —> y = r , where a is a predicate over the discrete variables Vrf, y is a continuous variable, and r is an expression over V. The conditions a attached to activities constraining the same variable y must be mutual ly exclusive. The formal semantics of phase transit ion systems in terms of hybrid traces is straightforward and as expected. Instead of transcribing it here, I give an informal interpretation. The state of a phase transit ion system evolves in alternating continuous and discrete phases. Throughout a continuous phase, t ime advances. The values of the discrete variables remain constant, hence 'The word 'moment' is used in the vernacular sense, as in 'moment in time' as opposed, to the mathematical sense as in 'moment about the mean' Chapter 2. Related Work 15 the set of activities whose conditions are satisfied is fixed throughout. The continuous variables evolve according this set of differential equations, at most one of which constrains each variable. Those that are constrained by no equations, may evolve according to any arbi trary function of t ime provided that it is continuous over the phase. A s a continuous phase progresses, transitions may be enabled or disabled as the continuous state components change. The continuous phase ends when a transit ion is taken. A transit ion r may be taken when it has been enabled continuously without being taken for more than lT t ime units. It must be taken when it has been enabled continuously without being taken for as much as uT time units. W h e n a transit ion is taken, the state changes discontinuously from s to some state s' € T(S), but the time remains unchanged. A n y (finite) number of such transitions may be taken in succession, between continuous phases. Thus , the system evolves by alternating phases of continuous and discrete change. In a con-tinuous phase, t ime progresses, and the continuous variables change in a continuous way. Some continuous variables may be unconstrained, but st i l l must behave continuously. Those that are constrained must evolve according to a single differential equation. The discrete variables remain unchanged. Phases of continuous change are separated by finite sequences of discrete transitions. For each such transi t ion, a lower and upper bound may be specified on the time dur ing which it can be continuously enabled without being taken. T h e authors give several example specifications and models of a simple cat and mouse example, using hybrid state-charts and temporal logic. They propose a deduction rule for proving invariant properties of phase transit ion systems and use it to show that the cat in the above mentioned example cannot catch the mouse under appropriate start ing conditions. The authors then consider an alternative sampling approach for representing the behaviour of a hybrid system. In this model , only discrete moments f rom the t ime-structure are considered. The authors demonstrate by example that invariant properties hold in such sampling semantics if and only if they hold in the underlying continuous semantics. They also give an example of a simple liveness property that is valid in the continuous model but not in the associated Chapter 2. Related Work 16 sampling model . Th is deficiency in the sampling semantics is addressed in [MP93] . Here, the phase transit ion system is augmented by a set of important events, for which moments are required. Liveness properties phrased in terms of these events are now valid in the sampling semantics if and only if they are valid in the continuous semantics. 2.1.3 H y b r i d A u t o m a t a In [ A C H H 9 3 a , ACH+95] the behaviours of a hybrid system are modelled by the set of hybrid traces accepted by a hybrid automaton. T h e notation and formal definitions differ slightly between the two presentations. Here presentation here follows the presentation of [ A C H + 9 5 ] . A hybrid automaton H = [Loc, Var, Lab, Edg, Act, Inv) is a finite directed graph with vertices Loc called locations. Associated with the graph is a set of data states V, the set of possible assignments of real values to a finite set of variables Var. The system state can thus be represented as a pair (l,v) where / £ Loc is the current control location and v £ V is the current state of the date variables. The set Lab is a finite set of synchronization labels that are used for communicat ion in parallel composit ion. The graph has a finite set of edges Edg. Each edge e = {l,a,u,,l') of the graph consists of a source location /, a destination /', a synchronization label a £ Lab, and a transit ion relation C V X V. The system can make a discrete transit ion from state (/, v) to (/', v1) provided that there is an edge (I, a, fJ,,l'), wi th v,v' £ /J,. T h e authors require that for each location / £ Loc, there is a stutter transit ion (/, r , Id, I), where Id is the identity relation on the state-set V. A labelling Act assigns a set of C°° functions from R+ to S called activities to each location in Q. The activities of each location must be t ime- invariant 2 so that if / £ Act(l), then the function f + t defined by (/ + £)(£') = f(t + t') must be in Act(l) also. A labelling Inv assigns an invariant set Inv(l) C V to each location /. The system evolves either by allowing time to progress, or by making a discrete transi t ion. A s time progresses at location /, the data state evolves continuously according to one of the 2 T h i s corrects an omission in [ACHH93a], ensuring that the runs of a hybrid automaton are closed under stuttering. Chapter 2. Related Work 17 functions / £ Act(l), so that t t ime units after the transition into location /, the state has the value f(t). C o n t r o l can remain in location I as long as the data state continues to satisfy the invariant Inv(l). A run is a finite or infinite sequence (ao, lo, Io, fo, a'0), (a\,li, Ii, fi, a[)... of data states <7;,CTt- £ £ / } , locations /; £ Q, real intervals and activities / ; such that the intervals part i t ion the reals. Such a run uniquely determines a trace r mapping from time (the reals) to states. A run is a finite or infinite sequence (lo,vo) (/i,t>i) ••• such that u; = / ; (0) , fi(t) £ Inv(l) for 0 < t < and there are an edges (/,-, a;, /,-+i) wi th (u,-,u,- +i) £ / i ; for each i . T h e authors define linear hybrid systems, a restricted sub-class of the systems described by hybrid automata , for which semi-decisions procedures are given for state-space reachability. A linear hybrid system is one in which the invariants and transit ion relations can be defined by linear combinations of the variables in Var wi th rational coefficients, and for which the activities are sets of functions wi th constant rat ional slopes. B y part i t ioning time into intervals, the framework admits a straightforward notion of "single s tep" . A state a' is reachable from another a if a and a' are contained in adjacent intervals of a run . Based on this notion of single step, the authors propose two methods for verifying a hybrid automaton with respect to invariants. Essentially, this amounts to a reachability problem: " C a n states that do not satisfy the invariant be reached by finitely many single steps from an ini t ia l configuration?" T w o verification algorithms are given both of which are extensions of previously published algorithms for discrete real-time systems. The algorithms are based on an equivalence relation that is induced on the state-space of the system by a given reachability problem. T w o states are identified by this relation if they can be reached from the ini t ia l configuration by the same sequence of single steps. The algorithms terminate when this equivalence relation is finite, but fail to do so when it is not. Chapter 2. Related Work 18 The first algorithm is a fixed point computat ion based on the model-checking algori thm of [HNSY92] . Equivalence classes are successively added to a set of reached states unti l either a fixed point is reached, or a definitive answer is obtained to the reachability question. The second algorithm is based on minimizat ion as suggested for discrete real-time systems in [ A C H + 9 2 ] . Successive approximations are used in an attempt to find the coarsest part i t ion of the state-space that simultaneously respects the next-state relation and the hazardous state-set. The algorithm terminates when this part i t ion is finite, in which case the reachability question can be decided. In both cases, the algorithms rely on being able to decide whether containment relations hold between state-sets, and whether state-sets are empty. T h a t this can be done algorithmical ly is guaranteed for linear hybrid automata , since in this case all the state-sets encountered by the algorithms wil l be defined by linear formulas. Examples of these techniques are given using the water-level monitor , the leaky gas burner and the mutual exclusion protocol . 2.1.4 H y b r i d Systems A similar approach to verification is taken in [NOSY93] , using a slightly different modell ing approach. A guarded assignment in the continuous variables is associated wi th each graph edge. The edge cannot be taken unless the guard is satisfied. If it is taken, the assignment is performed. D u r i n g a continuous phase, control remains at a constant vertex v, while the con-tinuous variables are updated continuously and deterministically based on an update function tpv associated with control location v. Associated with each vertex is a ' t ime can progress' pred-icate tcpv whose boolean value depends on the value of the continuous variables when control enters the location, and the time that has elapsed since. C o n t r o l may leave the location, ending the continuous phase, when the guard on a departing edge becomes satisfied. T h e continuous phase must end when the tcpv predict becomes unsatisfied. The verification algorithms for real-time discrete systems of [HNSY92] are extended to yield a semi-decision procedure for linear hybr id systems in an approach that is similar to [ACHH93a] Chapter 2. Related Work 19 as described in section 2.1.3. 2.1.5 A c t i v i t y Transition Graphs In [HMP93] the authors propose designing hybrid systems by stepwise refinement. Towards this end, they suggest three different ways to describe hybrid systems. The semantics of their systems are defined in terms of phases. A phase, is a pair (b, / ) where b is a non-zero real number, and / is a type consistent family of functions fx mapping the interval / = (0, 6) to the reals R, that are piecewise smooth on the interval / . T w o phases are said to be indistinguishable if they have the same length b, and if their functions / disagree on only a finite number of points. A simple temporal logic is defined, the formulas of which are interpreted over phases. The logic is is able to discriminate between phases precisely up to dist inguishabil i ty in the above sense. The logic consists of local formulas, that refer to the left and right l imits of the functions fx or their derivatives at the right and left ends of the intervals respectively. Temporal logic formulas are formed from local formulas by the usual boolean operators, as well as universal quantif ication over variables, and the temporal 'chop' operator. In analogy with discrete transit ion systems the authors define Abst rac t Phase Transit ion systems, consisting of a set of variables V, phases P, in i t ia l phases PQ, final phases Pf, and transitions T • Each transit ion r G T is a binary relation on P. A finite phase sequence P o , P i , —iPn is a r u n fragment of the phase transit ion system if po G Po, Pi G P, and p t-,p;+i G r. A run fragment is complete if each pi £ Pf. A n infinite phase sequence is a run if every finite prefix is a run-fragment and if it diverges. A n abstract phase transit ion system satisfies a temporal logic formula if all run fragments satisfy i t . A c t i v i t y Transit ion Graphs ( A T G s ) are used to specify Abstrac t Phase Transit ion systems ( A P T s ) . Such a graph consists of a finite set of real-valued data variables V, a finite set of locations L, and a finite set of edges E. Each location / £ L is labelled by an ini t ia l condit ion /u.1 (/) that is a state-formula over Vn; an act ivi ty p,2 that is specified by a hybrid temporal Chapter 2. Related Work 20 formula over V, and a final condition ^3 that is specified by a state formula over V. Each edge is labelled by a guarded command n(e) = (7 —> a ) , where the guard, 7, is a state formula over V, and a is an assignment to some of the variables of V. A method of stepwise refinement is i l lustrated with the water-tank example. The method essentially involves forming nested A T G s by replacing the act ivity associated with a location by an A T G . 2.1.6 Durat ion Calculus A different approach was taken in the development of the durat ion calculus [ C H R 9 1 , HC92] . A -durat ion calculus interpretation consists of 1. a closed, bounded interval I = [b, e] of the non-negative reals. 2. a set of boolean valued functions fv over the interval I, one for each of a finite set of state variables v £ V. T h e functions fv are required to be of finite variabil ity. T h a t is, they may have only a finite number of discontinuities on any bounded interval [b,e]. A durat ion calculus interpretation can be expressed as a finite prefix of a t imed trace. A s a result of finite variability, the functions /„ part i t ion the interval [6, e] into a finite sequence of open, bounded intervals over which their value remains constant. Thus each such interval can be represented as a pair, (p,x), where p is a state assigning a boolean value to each variable v £ V, and x is the end-point of the interval. The sequence of such pairs is a t imed action sequence, precisely characterizing the interpretation. Th is time structure of moments T$ portions a linear behaviour into alternating discrete and continuous phases. A discrete phase is a maximal subsequence of discrete moments wi th a common time t. A continuous phase is an open interval of moments wi th times between those of successive discrete phases. Th is view of behaviour alternating between continuous change and discrete transit ion is to be found throughout the l iterature. Chapter 2. Related Work 21 The durat ion calculus of [CHR91] was extended to hybrid systems with real-valued variables in [CRH93] . The presentation assumes the first order predicate calculus, and MT, a first-order theory of real analysis. Expressions in MT are either either states or assertions. In interpretation I assigns a real-valued (resp. {0, l }-valued) function, of real-valued time to each state (resp. assertion) of MT. Formulas in the extended durat ion calculus are interpreted with respect to open bounded intervals (b, e) of real t ime. The ini t ia l (b.s) and final (e.s) values of MT states, the length / = e — 6 of the interval in question, and a set of global variables x form primit ive durat ion terms. D u r a t i o n terms can be combined using the real-valued operators of MT. A t o m i c durat ion formulas are built from durat ion terms by application of the relational operators from MT, or from assertions P of MT by applying the "almost everywhere" operator \P]. D u r a t i o n formulas are built from these atomic formulas by negation, dis junction, chop, and variable quantif icat ion. The extended calculus is i l lustrated using the cat and mouse example, from [ M M P 9 2 ] 2.1.7 Constraint Nets A completely different approach to hybrid system specification [ZM92a] and verification [ZM92b] is given by Zhang and M a c k w o r t h . They use a formalism called constraint-nets to represent hybrid systems. Essentially, a constraint net represents the evolution of a system state as a set of mappings from algebraically defined time-structures to variable domains, both of which must have certain algebraic properties. These mappings represent the shared inputs and outputs of a set of transductions, and must be causally related with respect to the t ime structures. Semantically, a constraint net is described by the least fixed point of a set of equations. The existence of such a fixed-point is guaranteed by the algebraic properties of the time-structures and variable domains. Chapter 2. Related Work 22 2.2 Abstract ion and approximation T h e idea of using approximations has been presented in other contexts by several other re-searchers. K u r s h a n [Kur87, Kur89] uses language homomorphisms to reduce language con-tainment verification problems C{D) C C(T) to simpler problems C(D') C £ ( T " ) , so that the latter inclusion implies the former. Burch [Bur92] generalizes this approach in the context of trace algebras. In his framework, a trace algebra is an algebra with composit ion and projection operators satisfying a small set of axioms. A trace is an element in the domain of such a trace algebra. Verification amounts to showing that the trace-set of an implementation is contained in the trace-set of a specification. B u r c h uses homomorphisms with respect to the operations in his algebras to construct mapping functions ipu and tpi f rom concrete domains to abstract ones. A verification problem is abstracted by mapping the specification with ipu and the implemen-tat ion with ipi. The abstraction is conservative in that a successful concrete verification can be inferred from a successful abstract verification. Burch calls the pair (tpu^l) a conservative approximat ion. The theory is applied to a variety of trace structures all of which associate varying amounts of t iming information with discrete events. Burch shows how to construct conservative approx-imations from traces in which time is represented by real numbers, to traces in which time has discrete values. A second-method, based on power-set algebras over trace algebras, is used to construct conservative approximations from discrete time traces with explicit simultaneity, to traces with interleaving semantics. In both of these cases, the behaviour is represented as a sequence of discrete events, wi th real-valued t ime-stamps. Burch does not consider systems in-volving continuous traces of real t ime. Nor is the theory applied to hybrid models wi th multiple t ime scales. Clarke et al. [CGL92] describe an approach to abstraction in the context of finite-state t ran-sition systems. Programs and their abstractions are modelled as such systems. A n abstraction is defined by a surjection from the concrete state-space to the abstract. Specifications are given in subsets of the temporal logic CTL. A t o m i c state formulas in the logic refer only to the Chapter 2. Related Work 23 abstract state. The abstraction surjection provides a natural interpretation of such formula in the concrete domain . T h u s the surjection provides both a translation for models, and a trans-lation for specifications. The authors show that such abstractions are conservative when the specification language is l imited to MCTL*, a subset of CTL wi th only universal path quantif i-cat ion, and restricted temporal operators. A class of mappings are identified that define exact abstractions for CTL*. A similar , but slightly more general approach to state abstraction is also described in [McI93]. In the context of circuit analysis, K u r s h a n and M c M i l l a n [ K M 9 1 ] pursue an approach that is similar to ours. They provide a well defined connection between analog models of example circuits, and the languages accepted by discrete non-deterministic w-automata . The connection is defined by a function called a support map, that maps from continuous functions of real time to u>-sequences of discrete symbols. A n a l o g properties of real circuits are modelled as systems of ordinary differential equations. A non-deterministic w-automaton is constructed so that the language that it accepts contains at least the image of every solution to these equations. Specifications are given as w-automata , called tasks, in the discrete domain . A discrete model satisfies a specification if the language that it accepts is contained in that accepted by the task. For pragmatic reasons, circuit verification is generally performed using discrete models. However, the connection between these discrete models, and the analog properties of the circuits is often unclear. K u r s h a n and M c M i l l a n ' s work address specifically this problem. They develop a particular method for modell ing circuits as systems of differential equations, mapping solutions of such equations to discrete w-sequences, and constructing w-automata whose languages are (using our terminology) l iberal approximations of the solutions of such equations with respect to this mapping. T h e authors suggest that larger circuits could be handled, by part i t ioning the system of differential equations, modell ing the parti t ions, and composing the results, but this idea is not pursued in detai l . In the context of hybrid systems, [AM94] develop an abstraction function that maps be-haviours of dynamica l systems in Rn to discrete transit ion systems. A discretization function Chapter 2. Related Work 24 ip is defined that maps disconnected convex sets in Rn to discrete values Q. A continuous-t ime trajectory xi is mapped to a sequence ((g 0 , ^o, uo), (<7i, ^ 1 , ^ 1 ) , • • -)- Each q is an element of the discrete value-set Q, whereas each and U{ represent bounds on the times during which In [PV94b], two techniques for replacing a hybrid automaton H wi th a new automaton H' are described. The first replaces differential equations that govern the evolution of the continuous variables during continuous phases, wi th differential inclusions wi th constant rational bounds. The second replaces differential equations 6 wi th a clock (a continuous variable wi th constant derivative equal to 1). A set valued refinement function h maps values of the clock variable t to intervals real-valued intervals. It must be established manually that for all t, 9(xo,t) C h(t) for some ini t ia l value set Xo, and that each location is entered wi th init ial values x C xo(l). The authors observe that the reachable state set of the original is contained in the pre-image of the reachable state set of the abstraction. Essentially the same construction has also been described in [HH95]. Chapter 3 Trace A u t o m a t a This chapter presents the verification framework trace-automata. System implementations and specifications are represented by language-accepting automata with multiple tapes. The lan-guage accepted by the implementation represents the set of behaviours that the system might exhibit . The language accepted by the specification represents the set of behaviours that the system is permitted to exhibit . Verification amounts to demonstrating that the language ac-cepted by the implementation is contained in that accepted by the specification. In addit ion to reading tapes that contain sequences of discrete symbols, trace-automata can also read tapes containing continuous traces of real values. Such tapes can be used to represent the continuous-time behaviour of analog systems. Furthermore, since trace-automata can read multiple tapes, it is possible to define an automaton that reads some tapes containing sequences of discrete symbols, and other tapes containing continuous traces. In this way, the behaviour of hybrid systems can be represented. Trace-automata can be composed in parallel . In such a composit ion, communicat ion takes place by the sharing of tapes. It would, in many cases, be desirable if such a composit ion corresponded to language intersection, so that if M and N read the same set of tapes, then the language accepted by their composit ion L(M\\N) would equal the intersection L(M) D L(N). In general, however, only the weaker containment relation L(M \\ N) C L(M) O L(N) holds. A u t o m a t a for which the stronger equality holds are said to be compatible. In general, compat-ibi l i ty is a non-tr ivia l global property, and thus hard to establish. However, a combination of local properties and a purely syntactic global property can be used to establish compat ibi l i ty in many cases. 25 Chapter 3. Trace Automata 26 In addit ion to composit ion, we introduce an existential hiding operator that allows tapes to be local . In some cases, it is desirable that hiding correspond to a projection of the automaton's language onto the remaining tapes. In general, however, it is possible for the language that results from hiding to be larger than that which results from projection. If the machine involved satisfies a fairness condit ion, however, then hiding does indeed correspond to projection. The same syntactic and local properties that establish compatibi l i ty can also be used to establish fairness. T h e remainder of the chapter is organized as follows. Section 3.1 presents the trace-automata formal ism, i l lustrated with a number of examples. Section 3.2 presents the trace-automata operations: composition and hiding. Section 3.3 shows how models in the formalism hybrid automata [ A C H + 9 5 ] can be represented by trace-automata. F ina l ly , Section 3.4 sets out the tabular notation that is used throughout this dissertation to describe trace-automata. 3.1 Trace -Automata Let £ be any, possibly infinite, set. A sequence over £ is a function from the non-negative integers Z-° to £ . Similarly, strings over E are functions from a finite subrange [0, n) if the integers to £ . Throughout this dissertation, strings are writ ten by enclosing a list of their elements in angle brackets. For example, if E = {a, b, c, d}, the str ing (a, c, b, d) maps the integer 0 to a, 1 to c, 2 to b and 3 to d. T h e notation \w\ denotes the length of the str ing w. Thus , If w : Z[0, n) i-> £ is a s tr ing, mapping the non-negative integers less than n to E , then \w\ = n. To emphasize the choice of t ime-domain, Z, the term finite (resp. infinite) 2 - t race wi l l be used to refer to strings (resp. sequences). The notation E 2 wi l l be used to denote the set of all (finite and infinite) E-value 2-traces . Z-traces are used to represent the relative order of events that occur over time in a system. Their use is part icularly natural for models where time is discrete. To develop a framework that also admits continuous t ime, the above definitions are modified by replacing the integers Z wi th the reals 1Z. The resulting structures are called 7^-traces. Just as a 2 - t race maps from Chapter 3. Trace Automata 27 the non-negative integers to a set E , so an infinite IZ-trace maps from the non-negative reals to £ . Similarly, a finite IZ-trace maps from a left-open interval lZ[0,r) of the reals to £ , just as a str ing maps from a left-open interval Z[0,n) of the naturals to E . T h e notation E 7 2 is used to denote the set of all (finite and infinite) E-valued 7H-traces. Just as wi th strings, if w : 7\l[0,r) i—> E is a finite 7^-trace, the notation \w\ = r denotes its length. Trace concatenation is denoted by juxtaposi t ion . If u and v are <&-traces — where <& is either the integers Z or the reals TZ — and u is finite, then their concatenation, uv is the following trace: If u is an infinite $-trace then uv = u. The result is finite iff u and v are both finite. The symbol e denotes the trace wi th length 0. Observe that the concatenation operation is closed, associative, and has identity e. If w is a sequence of finite traces the infinite concatenation W — W1W2W3 • • • is defined as follows. Let Wn denote the finite concatenation Wn = w0wi • • -wn. If \Wn\ converges to a l imit / as n —> 0 0 , then W is a finite trace wi th length /. Observe that for any 0 < t < /, there must be an n such that for all integers m > n, \Wm\ > t. Alternately, if \Wn\ does not converge W is an infinite trace, and for any t > 0 there is a smallest n such that \Wm\ > t for all m > n. In both cases, let n(t) be the smallest such n, and define W(t) = Wn^(t). A signature D is a triple D = (II, E , $ ) where • n is a finite set of distinct names that wi l l be used to index a collection of input tapes. • $ associates a t ime-domain <&a (either the reals or the integers) wi th each tape-name a 6 IT • E associates a range of values £ a wi th each tape-name a G II. A signature names a set of tapes II, and assigns the type " E a - v a l u e d $ a - t r a c e " to each tape-name a 6 II. If D is a signature the notation fI(_D) (resp. E(L>) and $ ( D ) ) wi l l be used to u{t) if i e $[0, |u|) v(t — \u\) if v is infinite or if t G \U\ + |u|) Chapter 3. Trace Automata 28 refer to the tape-names (resp. value-domain assignments and t ime-domain assignments) of D. If D is a signature, and A C 11(D) is a subset of the tape-names of D, then D\A = (A, T,\A, $ U ) denotes the restriction of D to the tapes named in A . Sometimes it is more convenient to specify which tape-names are to be removed, rather than which are to be retained. The notation D\A is used as an abbreviation for D\(T\(D)-A)- If I? is a signature, and a G II (Z)) is a tape-name, and a' G' n ( D ) — {a}, then the notation Z?[a'/a] denotes the signature D wi th tape a renamed a'. T w o signatures D and D' are type consistent if they assign the same types to the tapes that they have in common. T h a t is, if a is a tape in H(D) D n ( D ' ) , then £ ( D ) a = T,(D')A and $(D)A = <&(D')A. T y p e consistent signatures D and D' can be combined yielding a new signature D®D' defined as follows: n(D@D') = n ( £ > ) u n ( D ' ) E(D®D')A = if a e U{D) then £ ( D ) n else E{D')a ${D®D')A = if a E 11(D) then $ ( £ > ) 0 else $(£>')<> A behaviour W of the signature D assigns a £ ( Z ) ) a valued $ ( D ) a - t r a c e denoted WA to each tape a G If. A behaviour is finite (resp. infinite) if each tape is assigned a finite (resp. infinite) trace. The set of all finite (resp. infinite) behaviours of D is denoted by D* (resp. DW). A mixed behaviour assigns finite traces to some tapes, and infinite traces to others. The notation D°° is used to denote the set of all behaviours, f inite, infinite, or mixed. The notations for domain-restrict ion and renaming extend naturally from signatures to behaviours. If W £ D°° is a behaviour of D and if A C 11(D), then W\A is the behaviour in (D\A)CC' such that (W r |^) a = WA for each a £ A . Similarly, if a G n ( D ) is a tape name, and a' G" n ( D ) , then W[ a // a ] is a behaviour in - D p / a ] that is identical to W except that WA has been renamed to Wai. Behaviours wi th the same signature can be concatenated component-wise. If U and V are (possibly mixed) behaviours wi th signature D, then UV is a behaviour that assigns the trace concatenation UAVA to each tape a G 11(D). The unique behaviour that associates Chapter 3. Trace Automata 29 each variable o G 11(D) with the empty-trace is denoted by €£>. The restriction and hiding operators extend natural ly to sets of behaviours. If L C D°° is a set of behaviours, and A C U(D), the notation L\A refers to the set of behaviours that is formed by restricting each behaviour in L . Similarly, L \ A = L \ N { D ) _ A . A trace-automaton M is a 4-tuple, M = (D, S, I, A ) , in which D is a signature, 5 is a set of states, I C S is a set of in i t ia l states, and A C 5 x 5 x D * i s a transit ion relation. The notation D(M) (resp. S(M), I{M), A ( M ) ) wi l l be used to refer to the signature (resp. states, in i t ia l states, transit ion relation) associated wi th a particular trace-automaton M. Similarly, the notation f l ( M ) wil l be used as a short-hand to refer to the names 11(D) in the signature D(M). A run of m is a sequence of states so, s i , S 2 , . . . G S(M), and a sequence of finite behaviours wi, w 2 , o f D*(M) such that SQ G I{M), and ( s ; _ i , s,-, w;) G A ( M ) for each i > 0. T h e following notation wi l l be used to depict such a run . A behaviour W is in L(M), the language accepted by M, if and only if 1. W is infinite and 2. W is the concatenation of the behaviours w\,W2, ••• that form a run of M. A finite or mixed behaviour W that is the concatenation of the behaviours W1W2 • • • is called a degenerate behaviour of M, and is not in L(M). The choice to exclude mixed behaviours may seem strange, and deserves some motivat ion. It is expected that the increasing index of a continuous-time tapes wi l l correspond to the advancement of t ime. Thus , a behaviour that assigned a finite trace to such a tape would correspond to the stoppage of t ime itself. For discrete traces, it is well understood (c.f. [Eme90], p. 1006) that no expressiveness is lost by l imi t ing oneself to infinite traces. The reason is that L \ A = { W \ A I W G L} Chapter 3. Trace Automata, 3 0 ' Table 3.1: A 1-bit counter rncl D q: {0,1}* , r : {0, i f S s : { 0 , l } I s = 0 A •s s' q r 0 0 (0) (0) 0 1 (1) (0) 1 1 (0) (1) 1 0 (1) (1) finite traces can be modelled with the use of a special symbol _L. To represent a finite sequence, s imply append to it an infinite sequence of _Ls. Example 1: A 1-bit binary counter To illustrate the features of trace-automata, we give several examples. Table 3.1, which defines a discrete 1-bit binary counter, is an example of a standard tabular notation that wi l l be employed throughout this dissertation. The notation is developed informally throughout this chapter, and is presented more formally in Section 3.4. T h e table begins wi th a title that names the automaton being described, in this case mc\. T h e title is followed by boxes describing, in t u r n , each of the components D, S, I, and A . T h e first box describes the signature D. It lists the tapes q and r that this automaton wil l read, along with their value and time domains. In this case, £ associates the value-domain {0,1} and <& associates the t ime-domain Z wi th each tape of the tapes p and q. The second box gives the state-set S by l ist ing a set of state variables and their associated types. The automaton mc\ has a single state variable s, whose values are drawn from the set {0,1}. The state-set S is the product of the types of the state variables. The third box gives the ini t ia l state-set 7 as a predicate over the state variables. In this case the automaton begins Chapter 3. Trace Automata 31 in the state where s = 0. F i n a l l y the state-transition relation is given, as a predicate over the state variables, primed and unprimed, and the tape names. In this particular example, this predicate is given in tabular "sum of products" form. Each row represents a possible assignment of values to the variables that satisfy the predicate. For example, the table given for mc\ represents the predicate: 0 A s' = 0 A q = (0) A r = <o» v (* = 0 A s' = 1 A q = (1) A r = <0» V (s = 1 A s' = 1 A q = (0) A r = ( i ) ) v (8 = 1 A s' = 0 A 9 = (1) A r = <1» Recall that angle brackets are used to enclose the ordered elements of a str ing, so that (0) denotes a sequence of length 1 whose first (and only) element is 0. The trace-automata formalism does not explicit ly formalize the notion of "output . " Instead, the question of which tapes are considered to be "outputs" and which are considered to be " inputs" is left as a matter of interpretation. In the preceding example, suppose that we consider the tape q to be an " input , " and the tape r to be an "output . " Viewed in this way, we can see that the automaton counts, (mod 2) the number of ones that appear on its " i n p u t . " Notice also, that when viewed this way, the automaton is a Moore machine[Moo56]: the next state is a function of the current state and input symbol ; the "output " symbol produced is a function of the current state. Chapter 3. Trace Automata 32 Table 3.2: A n edge detector ^edge D P • {o , ir, S s : {0,1} I s = = 0 A •s s' p q 0 0 (0) <o) 0 1 (1) (i) 1 0 (0) <o> 1 1 (1) (0) Table 3.3: A n integrator " l i n t D x : n K , x : TZn S s : TZ I A \x\ = |x| A V r G ^ [ 0 , • x(r) = s + | Q r x(t)dt A s' = s + x(t)dt Example 2: A n Edge Detector The second example can be interpreted as an edge-detector. Consider the tape p to represent the " i n p u t " and the tape q to represent the "output . " Each t ime the " i n p u t " p takes on the value 1, after first taking on the value 0, the "output " q takes oh the value 1. Notice that under this interpretation, the automaton is a M e a l y machine[Mea55]: the next state and the "output " symbol are both functions of the current state and the input symbol . Example 3: A n Integrator The first two examples were discrete; al l of the tapes were 2-traces . In contrast the third example is a continuous integrator; all of its tapes are 7^-traces. It accepts a behaviour W if Chapter 3. Trace Automata 33 and only if Wx and Wx are the same length, and if the trace Wx can be obtained by integrating the trace Wx. A l t h o u g h we view the machine as an integrator, and hence view x as its " i n p u t " and x as its "output , " we could equally well see the machine as a differentiator, wi th " i n p u t " x and "output" x. The formalism itself imposes no notion of direction or causality. T h e empty ini t ia l state-set box indicates that the init ial state set is unconstrained. The machine can start in any of its states - that is no init ial value is specified a priori. Example 4: A Switch The fourth example is a hybrid model; some of its inputs are 7^-traces, while some - in this case one - are Z-traces . The model describes an analog switch. The machine has no state-variables as indicated by the empty "state-set" box. Formal ly , the machine's state-space is a singleton set, the sole member of which is the beginning and ending state for every transi t ion. The tabular notion for boolean expressions is extended to allow unlabelled columns. Such a column contains boolean expressions (as opposed to sets of values). Each row stil l represents a conjunction of boolean expressions. The entire table st i l l represents the dis junction of the rows. For example the first row represents the following conjunction. c = (0) A io = io A i\ = i\ A o = io A = |*oI = 1 To understand the model, the reader should view the parameters io and ii and c as " inputs , " while viewing the parameter o as an "output . " O n each transi t ion, the switch consumes unit-length traces from its two continuous " inputs" io and i i , and one symbol from its discrete " i n p u t " c. If the symbol 0 is consumed from c, then the trace consumed from o must equal that consumed from io. Conversely, if the symbol 1 is consumed, then the trace consumed from o must equal that consumed from i\. Example 5: A Transliteration Final ly , we give an example of a class of machines called transliterations. A transl i teration is a stateless machine that reads its inputs at the same rate, enforcing, pointwise, a relationship Chapter 3. Trace Automata 34 Table 3.4: A n analog switch ^switch D ^o : •.nn,ix :nn,o:TZn,c: {0 ,1} ' S_ c i0 i i 0 (0) i0 i\ io N i l = 1 *o i = 1 (1) i0 i\ H I = \io\ = 1 Table 3.5: A transliteration m~ D a:HK,b: 1ZK S I A a = b between the traces[ZM92a]. The machine m = , presented in Table 3.5, accepts any behaviour W of {a, b} satisfying \Wa\ = \Wb\ and Wa{t) = Wb(t) for all t 6 TZ[0,\Wa\). 3.2 H i d i n g and Composi t ion T h e restriction notation can be extended from individual behaviours to automata in the obvious way. If M is an automaton, and A C I 1 ( M ) , we use the notation M\A to denote the automaton defined as follows. D(M\A) D ^ D(M)\A S(M\A) dd S(M) I{M\A) tf I(M) Chapter 3. Trace Automata 35 Table 3.6: A trace automaton with mixed behaviours ^strange ~a~ZT7bTz7r D S_ a b (1) (1) 0 (2) A{M\A) = f {(s, s', w) \ 3v € D(M)* • (w = v\A). A (s, s', w') G A ( M ) } T h e following propositions are immediate consequences of the definitions of restriction and language acceptance. Proposit ion 3.2.1 If W € L(M\A) then there is a run so S\ ^> S2 • • • of M such that W = (W1W2---)\A-Proposit ion 3.2.2 Suppose M is a trace-automaton and A C I"I(M). For any behaviour WeDu,ifWeL{M),thenW\AeL{M\A). Phrased another way, proposition 3.2.2 says that L(M)\A C L(M\A).. One might hope that the containment could be strengthened to equality. It cannot, however because of the possibility of mixed behaviours. For example, consider the machine depicted in Table 3.6. It accepts behaviours W such that Wa is an infinite trace of Is, and Wi, contains an infinite number of Is, and a finite or infinite number of 2s. It cannot accept a behaviour for which has only a finite number of Is, because then Wa would have only a finite number of symbols and, by definition, only infinite behaviours are in the language accepted by a trace-automaton. Table 3.7 shows the restriction M\^y It can accept traces Wb that contain only a finite number of Is, provided they contain an infinite number of 2s. Thus i(m s t r ange)|{()} % £ ( " i s t r a n g e | { E > } ) -The property that m s t r a n g e lacks, which would prevent this anomaly, is fairness. Chapter 3. Trace Automata 36 Table 3.7: The automaton m strange wi th tape a hidden "^strangel {6} D b : Z* S I A b (1) (2) Definition 3.2.3 Fairness: Let M be a trace-automaton and let A be a proper subset ofU(M). The automaton M is A-fair if it has no degenerate behaviours W such that W\A is infinite. Note that every trace-automaton is 0-fair, since for any behaviour W, W\$ = W. A trace-automaton is said to be fair (without qualification) if it is A- fa i r for every proper subset A C n ( M ) . T h a t is, every degenerate behaviour must be finite. The automaton M s t r a n g e is not {a}-fair. Proposit ion 3.2.4 If M is A-fair, and B-fair, then it is A D B-fair The proposition follows immediately from the observation that I 1 ( M ) — A is a subset of I1 (M) — (A n B). Note that M is not necessarily A U B - f a i r . To see this, let a be a tape in A — B, and let b be a tape in B — A. Suppose that all the runs of M are infinite, except for W, which assigns finite traces to a and b, and infinite traces to every other tape. M is A - f a i r , since W is its only degenerate run, and W\A is not infinite. Likewise, M is .B-fair. • M is not A U B- fa i r , however, since W\AuB is infinite. L e m m a 3.2.5 If M is A-fair, then L(M\A) = L(M)\A. Proof: Proposi t ion 3.2.2 establishes L(M)\A C L(M\A). To show L{M\A) C L{M)\A, let U be any behaviour in L(M\A). There is a behaviour W of M such that U = W\A (Proposit ion 3.2.1). Since M is A - f a i r , W cannot be degenerate, so W € L(M) and W\A e L(M)\A. • Chapter 3. Trace Automata 37 L e m m a 3.2.5 establishes that machines wi th appropriate fairness conditions do not suffer from the hiding anomaly. The following lemma establishes that A-fairness is preserved by hiding. L e m m a 3.2.6 If M is A-fair, and B C A, then M\B is A - B-fair. Proof: Let W be an arbitrary, degenerate behaviour of M\g. We must show that W\A_B LS n ° t infinite. There is a behaviour U of M such that W = U\g. Since B C A, W\A-B — U\A Since W is degenerate, U must also be degenerate. Since M is A- fa i r , and U is degenerate, U\A is not infinite. Thus W\A_g is not infinite. • The renaming notation is extended from behaviours to trace-automata. If M is a trace-automaton with signature D, a G Tl(M), and a' g I I ( M ) , then m[ a ' / a ] is the automaton M with tape a renamed to a'. It is denned in the obvious way: D(M[a,/a]) d^f D(M)[a,/a] S{M[a,,a]) d ^ S(M) I(M[a,/a]) t f I(M) A ( A f [ o 7 o ] ) d ^ f {(s,s',w)\3veD(M)*-(w = v[a,/a]) A (s,s',v)e A ( M ) } Proposit ion 3.2.7 W G L(M[ai/a]) if and only if there is a V G L(M) such that W = V[ a '/a] or, equivalently, V = W[a/aiy Large models are built composing smaller components. If M and N are trace-automata wi th type-consistent signatures then the composition M\\N = (D, S, I, A) is defined as follows. D d= D{M)®D(N) S = 5 ( M ) x S(N) I = I{M).xI(N) A =f {((m,n),(m',n'),w) \ (m,m',w\n{M)) G A ( M ) A (n,n',w\u(N)) G A (AT)} Chapter 3. Trace Automata 38 It is an immediate consequence of the definitions of composit ion and fairness that fairness is preserved by composit ion. L e m m a 3.2.8 If M is A-fair, and N is B-fair, then M\\N is A-fair, B-fair, A D B-fair, and C-fair, lohere C = (A - Ti(N)) U (A n B ) U ( B - II ( M ) ) . Proof: M\\N is A - f a i r , since any degenerate run W of M\\ N such that W\A LS infinite would give rise to a degenerate run W|n(jw) such that W | n ( A f ) - y i w a s infinite. Likewise M \\ N is B - fa i r , and by Proposi t ion 3.2.4 it is A D B - f a i r . The set C = ( A - n ( i V ) ) U ( B n A ) U ( B - I I ( M ) ) corresponds to the shaded areas in Figure 3.1. We must show that M\\N has no degenerate behaviours W such that W\c is infinite. Suppose, wi th an eye towards contradiction that W is a degenerate behaviour of M\\N and that W\Q is infinite. T h a t is, suppose that every tape in the un-shaded regions of Figure 3.1 has an infinite trace, but some tape in one of the shaded regions has a finite trace. The restriction W|n(M) is a behaviour of M. The region II(M") — A is un-shaded, so J ^ l n f M ) - ^ is infinite. Since M is A - f a i r , every trace of A must also be infinite. Similarly, every trace of B must be infinite. Since C C A U B , every trace of C is infinite. Thus W cannot be a degenerate behaviour of M. • A s one might expect, there is a relationship between the language accepted by such a composit ion, and those accepted by the components. Proposit ion 3.2.9 Let M and N be trace-automata with type consistent signatures. For all traces W G ( £ > ( M ) ® D { N ) ) » , W e L(M\\N) => W \ N { M ) e L{M) A W\N[N) 6 L(N). One might hope that the implicat ion could be strengthened to equivalence, but in general this is not the case. To see this, consider the following example. Example 6: Incompatible Machines Let M and N be two stateless trace-automata each of which read 2-traces from a single input tape a. A u t o m a t o n M consumes the symbol x f rom its tape, one symbol at a t ime: def (s,s',w) e A ( M ) = wa = (x) Chapter 3. Trace Automata 39 A - TT(N) A Pi B B - TT(M) Figure 3.1: C = (A - II(iV)) U ( A n B ) U ( B = n ( M ) ) O n the other hand, automaton A'" consumes the symbol x f rom its tape, but insists on receiving them two at a t ime: (s, s', w) G A{N) d= wa = (x, x) Clearly the behaviour wa = (x,x,x,...) is in both languages, yet this incompat ibi l i ty between the rates at which they consume their inputs prevents the composit ion M \\ N f rom accepting anything. Definition 3.2.10 Compatibility: Let M and N be type consistent trace-automata and let C — I1(M) Pi n ( iV) be the tapes that they have in common. The automata M and N are compatible if and only if for every pair of behaviours U G L(M) and V G L(N) such that U\c — V\c, there are runs mo — • mi —>. m,2 and Vl V2 nQ —y n\ —> n2 • • • Chapter 3. Trace Automata 40 of M and N respectively such that uoui ••• = [/, V0V1 • • • = V and that each U{\c = Vi\c T h e following proposition follows as an immediate consequence of this definit ion. Proposit ion 3.2.11 If M and N are compatible trace-automata, then for all traces W G (D{M)®D{N))", W G L{M\\N) = W\n{M) G L(M) A W\n{N) G L(N) Models of complex systems are built from components. Such models form the basis of verifi-cat ion, and it is important that these models be faithful to the system that they are supposed to represent, trace-automata are intended to be understood on the basis of the language that they accept. Thus , component models wi l l be validated on this basis. A component machine TO wi l l be understood to model a real component if it accepts the behaviours that the real component is capable of. However if two component models are incompatible , their composition may be less than the intersection of their languages. Thus , as in E x a m p l e 6 above, by combining two incompatible component models, some behaviours of the real system may be left out. Definition 3.2.12 Smooth: An automaton is smooth with respect to a tape a if for any tran-sition (s, s', W) and any prefix u of Wa, there are transitions (s, s", U) and (s", s', V) such that ua = U, and W = UV. A n automaton is said to be smooth (without qualification) if it is smooth with respect to all of its tapes. Note that an automaton is smooth with respect to a discrete-time tape a if every transit ion reads either 0 symbols or 1 symbol from a. The automaton M f rom the preceding example satisfies the smoothness criterion vacuously. Every transit ion consumes the single symbol x from its input tape, hence for any transit ion, the empty-trace and (x) itself are the only prefixes u. T h e automaton N is not smooth, since it cannot consume its input symbols one at a time. If two machines have a single tape in common, and they are smooth with respect to that tape, then they are compatible. Often, however, it is convenient for two machines to share more than a single tape. In this case, even if both machines are smooth with respect to each Chapter 3. Trace Automata 41 tape individual ly , they may st i l l not be compatible. For example, consider the following two machines. B o t h machines read 2-traces from tapes a and b. Every transit ion of Machine mx reads exactly one symbol from tape a and one symbol from tape b. Machine my alternates, first reading one symbol from both tapes simultaneously, and then reading a single symbol from tape 6, and no symbols from tape a. B o t h machines are smooth in the two tapes a and b. However, machine mx reads tapes a and b at the same rate, whereas machine my reads tape b twice as fast as tape a. A s a result, the two machines are not compatible. C o m p a t i b i l i t y can be assured by restricting attention to compositions in which the compo-nents consume their common tapes at the same rate. Th is restriction would be satisfied by mx in the above example, because all of its transitions read a single symbol from each of the tapes, a and b, that it shares with my. The machine my does not satisfy this restriction, because some of its transitions read one symbol from b, but none from a. Definition 3.2.13 Multi-track tape: A subset A of the tapes n ( M ) of an automaton M is said to be a mult i - track tape if every transition of M reads a trace of the same length from each tape in A. Proposition 3.2.14 Let Mi and M2 be smooth trace-automata. Let C = I I ( M i ) n U(M2) be the tapes that they have in common. If C is contained in a multi-track tape A\ C I I ( M i ) , and is also contained in a multi-track tape A2 C Ii{M2), then M\ and M2 are compatible, and Ai U A2 is a multi-track tape of Mi \\M2. The tabular notation for trace-automata, introduced informally in the preceding examples, can be extended to accommodate the notion of mult i - track tapes. For example, re-consider the 1-bit counter from Example 1. It consumes both of its tapes p and q at the same rate, so they could be combined into a mult i - track tape. T h i s is denoted in the signature, by enclosing the tape names and value domains for each mult i - track tape in square brackets. T h e t ime domain is then given for the entire mult i - track tape. For example the mult i - track version of the signature Chapter 3. Trace Automata 42 from Example 1 would be given as follows. D [q: {0 ,1} , r : {0, l } f The signature, given in this way, introduces the addit ional implic i t constraint \q\ = |r| into the transit ion relation. For example, if the signature of the integrator from Example 3 were given as follows, then the conjunct |x| = |x| could have been omitted from the transit ion relation predicate. D [x : TZ, x : 7Z] M u l t i - t r a c k tapes are important , both for hiding and composit ion. T h e equality L(M\A) = L(M)\A is only guaranteed to hold if M is A - f a i r . Note that if A is a proper subset of a mult i - track tape, then M is A - f a i r . Thus , any proper subset of a mult i - track tape can be hidden with no anomalous consequences. Similarly, the equivalence W € L(M \\ N) = W\ri(M) £ L(M) A W|n(jv) G L(N) is only guaranteed to hold of M and N are compatible. If M and N are both smooth with respect to their shared tapes, and if their shared tapes are tracks on a single mult i - track tape of each, then M and N are compatible and can be composed without fear of anomalous results. W h i l e the tabular notation is useful for describing simple automata , it becomes hard to read when machines are complicated. Instead, we shall rely on i l lustrations that show the structure of a composite machine in terms of its simple components. For example, F igure 3.2 shows the composit ion of mci and m e c i g e f rom Examples 1 and 2 respectively. The machines are represented as boxes with attachment points at the perimeter for each of their variables. Component machines are drawn nested inside the box representing their composit ion. Lines are drawn to indicate "connections" between components. The obvious renaming — unnecessary in this example — is presumed to take place, so that variables that are connected by such a line share a unique name. D o m a i n restriction is indicated by the absence of a line connecting the component variables to the perimeter of the box representing the composi t ion. In this example, restriction to the set {p, r} is shown. Chapter 3. Trace Automata 43 m edge||TOcl ^edge p q q 1 r F igure 3.2: Composi t ion of two trace-automata Note that the machines m e c i g e and m c i share only a single common input tape q. Moreover, both machines are smooth wi th respect to q. A s a result, they are compatible, hence the composition accepts the intersection of the languages accepted by the two components. 3.3 Expressibility Trace-automata are at least as expressive as other hybrid-system modelling frameworks from the literature. A s a canonical example for comparison, consider the hybrid-system framework as described in [ A C H + 9 5 ] that generalizes earlier accounts frameworks described in [ M M P 9 2 ] and [ A C H H 9 3 a ] . A hybrid system A is described by a tuple: A = (Loc, Var, Lab, Edg, Act, Inv) in which • Loc is a finite set of vertices called locations • Var is a finite set of real valued variables. T h e set of valuations of Var is denoted by V. • Lab is a finite set of synchronization labels including the stutter label r . • Edg is a finite set of edges called transitions. Each transit ion e = (l,a,/j,,l') consists of source and destination locations / , / ' £ Loc, a label a £ Lab, and a transit ion relation H C V2. Edg must include the stutter transit ion (l,r,Id,l) for each location / £ Loc, where Id is the identity relation over V. Chapter 3. Trace Automata 44 • Act is a labelling function that assigns a set of activities to each location / G Loc. A n act ivi ty is a function from 1Z+ (representing time) to V. In our terminology, it is a V-va lued 7\Vtrace. The set of traces assigned to each location must be time invariant. If / is an act ivity of location / (/ G Act(l)) and t is a non-negative real, then g{x) = f(x +1) must also be an act ivity of location I (g G Act(l)). • Inv assigns an invariant Inv (I) C V to each location /. A run of a hybrid system is a finite or infinite sequence (/„, V0) .-»*? (/!, Vl) ^)\ (Z2, V2) ^% . . . such for each i , the following conditions hold: 1. fi G Act(ll) and 2. / i(0) = V{ and 3. V i G K[0,ti] • Inv{li){fi{t)) and 4. there is an edge (/,-, a,-,/i,-,/,- +i) G such that (fi(ti), /,-+i(0)) G Each state (/i+i, u,- + i ) is called a successor of the state (/,-, u,-) The presentation in [ A C H + 9 5 ] gives no semantic account of such a r u n . There are, however, obvious examples of distinct runs that should be considered equivalent. For example, consider two runs p and p' that differ only in their choice of act ivity i. T h e activities in question, /,• and f- , are identical up to and including t ime - i.e. V i < i,- • fi(t) = f-(t). A reasonable semantics should not distinguish between these two runs. N o test that could be performed upon the hybrid system would be capable of determining which function /,• or / / was chosen. In earlier accounts of hybrid systems [ACHH93a] a run induces a trace r mapping real-valued time to system states. In this generalization, however, such a mapping is not uniquely defined at every point. We suggest the fol lowing semantic account. A hybrid system run induces Chapter 3. Trace Automata 45 Table 3.8: A hybrid system MA D a : ( 7 ^ ° x S ) V : ^ S s:L,v:V I A 3f : Act{l) - (r -< / ) A v = / ( 0 ) A a=((|r| , / , / (|r|)>A V t : ^ [ 0 , | r | ] . / n t ; ( 0 ( / («)) A 3a,/I • [l, a, p,l') e Edg A{f(\T\),v') e A* a sequence a = oo,<Ji, representing the discrete transitions, and a trace r representing the system state as a function of real t ime. W h e n discrete transitions move the system through a sequence of states instantaneously at t ime t, r(t) reflects last state in the sequence. Let i(t) be a function associating an index with each time t. Let T{ = Y2o~1 U measure accumulated t ime. We define i(t), the index associated with time t as the largest integer such that t > T^ty We then define r(t) = /,•(<)(T,-(t) — t). The other states in the sequence are recorded in a, so that 0~i — (tj, l{, fi(t{)). We translate the system into a trace-automaton m ^ , described in Table 3.8. The trace-automaton has state-space S = L x V. It consumes two tapes, a mapping mapping discrete-time onto TZ+ x S and r mapping real time onto V. Its in i t ia l state-set I is the entire state space S. It can make a transit ion from state (/, v) to state (/', v') provided that (/, v) is a successor of (/', v') in the hybrid system - that is /', v' can be reached from I, v by first allowing continuous evolution (possibly for 0 time) and then taking a discrete transi t ion, (possibly a stuttering transit ion) . The values taken on by the continuous state-variables Var up to, but not including, the time of the transit ion are recorded in the continuous-time trace r . A time-stamped account of the transitions taken are recorded in the discrete-time trace a. Trace-automata state-spaces are not restricted to lZn for finite n. For example, a trace-automaton could have states ranging over the set of all real-valued 1Z traces. Because of this, they can express some languages that hybrid systems can not. For example, t race-automata can Chapter 3. Trace Automata 46 Table 3.9: A transport delay VIA D x : n K , x d : HK S s : Ku I \s\ = 6 A XS1 — SXd model of real-time transport delay, or, in principle, the propagation of waves on a transmission line. Table 3.9 shows a model of a c5 t ime-unit transport delay. 3.4 A Trace -Automata Description Language It is intended that this dissertation focus pr imari ly on the semantics of trace-automata as a suitable basis for the verification of hybrid systems. The syntax of a trace-automata description language is very much a secondary consideration. Nonetheless, some notation is required if only as a way to present examples. Thus , in this section, a small language for describing trace-automata is defined. The intention is not to give a definitive formal definition of the language " trace-automata." Rather , the goal is to introduce a notation in which examples can be presented clearly and unambiguously. A t the top level, a trace-automaton is described by a named set of five boxes as fol-lows. M T SymbolDecs D SigDecl S StateSpaceDec I B o o l E x p r A B o o l E x p r A t the top, outside the boxes is the automaton's name. This name wi l l be used to refer to Chapter 3. Trace Automata 47 the automaton in the text of the dissertation, and in algebraic formulas. The five boxes that follow contain descriptions of symbolic names, the signature, the state-space, the ini t ia l state-set, and the transit ion relation respectively. O f these five, the last four correspond exactly to the preceding mathematical description of trace-auto mat a. S y m b o l Declaration The first box, is s imply a convenient way to introduce some names for integer constants. It introduces sets of symbolic values that are used in the subsequent trace-automaton description. It contains a list of named symbolic value sets. Each set consists of a list of symbolic names. Each name may appear in only one such list. It is understood that each name in a list represents a unique integer, although the same integer may be represented by names in different lists. For example, the following declares two symbolic types B and K. B : {H, L, X} , K : {Vh, h, m, /, VI} B consists of the symbols H, L, and X. It would have been an error for any of these symbols to have appeared in the list of symbols for K. It is understood that each symbol represents an integer value that is unique wi th in its type. For example H and X must represent different values, but the values represented by H and h could be the same. Signature T h e purpose of the signature box is to name the tapes that the automaton wil l read, and to specify their types. It consists of a c o m m a separated list of tape declarations. Each declaration contains a tape name, followed by a colon, followed by a type for the tape's values that is superscripted by the time domain . Alternately, a mult i - track tape can be declared by listing its track-names and the types of their values within square brackets. In this case, a single t ime-domain is given for the entire multi- track tape. TapeDecl ::= Varname : T y p e B a s i c T y p e | [Varname : T y p e , Varname : T y p e , V a r n a m e : T y p e ] B a s i c T y p e Chapter 3. Trace Automata 48 The basic types, denoted Bas icType are the integers Z and the reals 71. M o r e complex data types, denoted T y p e , are constructed as follows. Basic types may be qualified by specifying an interval sub-range, so that 2[0,3] represents the four integers from 0 to 3 inclusive. Similarly, 7£[2, 4] represents the closed interval of the reals from 2 to 4, while 7Z[2,A) represents the same interval, less the right boundary point 4. In addi t ion , a subrange of the integers may be specified by the name of a symbolic value set, or a list of symbolic values from such a set. C o m p o u n d types may be formed from the cross product of basic types or their subranges. A signature is a list of tape declarations. For example the following signature declares three tapes. D x : B z , y: (Z X K)z, z : ft[0,4] K The first tape x contains Z-traces of the integers identified by H, L, and X - recall that B was declared earlier as the name of symbolic value set. The second tape y contains -2-traces of pairs, each consisting of an integer and a real value. The final tape z contains 7^-traces of real values in the range of 0 to 4. Formally, the declaration corresponds to the signature D = ( I I , E , $ ) , where II = {x,y,z}, T,x = B, Ey = (Z x 71), E 2 = ft[0,4], # x = Z, ®y = Z, and <S>Z = Tl. Statespace The next box describes the automaton's state-space. It consists of a list of state-variable declarations. For example following declares three state variables. S r : 71, s : Z, t : TZ The variable r is real valued, s has integer values, while t represents finite real-valued 7^-traces. The states of the trace-automaton are the set of type consistent assignments of values to these state variables. Predicates B o t h the ini t ia l state set and the transit ion relation are described by boxes labelled 7 and A containing boolean expressions over a l imited set of free variables. In both cases, empty boxes Chapter 3. Trace Automata 49 represent the boolean expression True. I B o o l E x p r A B o o l E x p r For the ini t ia l state set, the free variables are l imited to the state variables declared in the state-space description. The init ial state set is the set of assignments of values to the state-variables that satisfy the expression. For the transit ion relation, the free-variable set consists of the state variables, primed ver-sions of the state variables, and the tape names declared in the signature. Recall that the transit ion relation A is subset of A C S X S X.D*, Where S is the automaton's state set, and D* is the set of assignments of finite traces to its tapes that are consistent wi th its signature. Each element (s, s', w) of A represents a 'before'-state s, an 'after'-state s', and a behaviour w. The transit ion relation is the set of (type consistent) assignments of values to the state-variables (representing the before state), primed state-variables (representing the after state) and tapes, (representing the finite-behaviour) that satisfy the boolean expression. Recall that €£> is the behaviour that assigns the empty trace to every tape in D. T h e transit ion relation is augmented to contain the stuttering transit ion (s, s, CD) for every s 6 S, even if such a transit ion is not explici t ly allowed by the transit ion predicate. Furthermore, the relation is restricted to require that \a\ — \b\ for every pair of tapes a and b that are declared as tracks on a mult i - track tape in the signature. The standard arithmetic operators may be used to construct integer and real expressions f rom numeric state variables or constants. Such numeric values may be compared using the standard comparison operators <, <, = etc. Symbolic values and variables may only be com-pared for equality with variables that range over values from the same set. N o dependence upon the actual mapping from symbolic values to integers can be introduced, for example by testing if one such variable is larger than another, or by assigning an integer constant to such a variable and then comparing it against a symbolic constant. Tapes and state variables that represent traces denote finite length traces. Traces of the Chapter 3. • Trace Automata 50 pref pref same type can be compared with the prefix operator •< • A < B holds when ever the trace A is a prefix of B. Traces can also be compared for equality. T w o traces are equal if they are prefixes of each other. T h e juxtaposi t ion of two traces denotes their concatenation. If A is a trace, |A| denotes its length. A Trace W may be indexed W(t) by a value t in its t ime domain , yielding a value in its value domain that can be used in numeric expressions. Sets of values can be described using the interval notation that was used in the declaration of variables and traces, or by s imply l isting their values wi th in braces. The values in such lists may themselves be expressions, possibly referring to variables. Boolean expressions can be combined using the standard boolean operators, A , V , ->, etc. In addit ion, typed universal and existential quantif ication is allowed. For example, 3x : 7£[0,4]-x + y = z is satisfied by any assignment of values to y and z such that 0 < z — y < 4. It is often convenient to use a tabular format to describe boolean expressions. The first row of such a table is called a heading. It contains the name of a state-variable or a tape for each column, except the last which may be blank. In subsequent rows, each column with a non-blank heading contains an expression representing a set of values from type of the variable in the heading. Columns with a blank headings contain boolean expressions. Each cell wi th heading v and contents e represents the boolean expression v £ e. Each row in the body of the table represents the conjunction of the expressions in its cells. T h e entire table represents the dis junction of the rows in its body. In a table cell, set expressions may be preceded by the temporal operators • or O . A cell wi th heading w, representing a trace, and contents d e represents the boolean expression V i : $[0, \w\) • w(t) £ e, where $ is the t ime-domain of w. S imilar ly a cell wi th the contents Oe represents the boolean expression 3t : $[0, \w\) • w{i) £ e. F ina l ly , if w is an 7^-trace variable, and it appears as an argument to the operator / , then the addit ional constraint is imposed that w be Riemann integrable. T h a t is, an expression containing / w a s a sub-expression is not satisfied by any assignment of values to variables that assigns a trace to w that is not integrable. To preserve the monotonicity of the underlying Chapter 3. Trace Automata 51 boolean logic, any expression containing / must appear under an even number of logical nega-tions. For example, the transition predicate -<(3x : TZ • x = Jy) would be syntactical ly invalid, however V.T : TZ • x <> /y is acceptable, although unsatisfiable. Chapter 4 Abstrac t ion , A p p r o x i m a t i o n and Language Containment A central theme of this thesis is the use of abstraction. Section 4.1 steps back from the details of trace-automata, and presents the essential ideas of approximation and abstraction in a more general context. The subsequent sections of this chapter deal wi th the application of the general theory to the specifics of trace-automata. 4.1 Abstract ion and A p p r o x i m a t i o n Suppose that B is a universe of possible behaviours. For instance, in the trace-automata framework B = Du could be the set of infinite behaviours from a given signature D. S imilar ly let B be a possibly (although not necessarily) different such universe. For example, the set of infinite behaviours from a different signature D. A n abstraction B x B i s a relation between behaviours in B and behaviours in B. The problem at hand is to establish a containment relation MCS (4.1) between a set S C B representing behaviours allowed by a specification and a set M C B representing possible behaviours of an implementation. One strategy for at tacking this problem is to construct a simpler problem MCS (4.2) in the abstract domain B (ie. M and S are subsets of B) so that the t r u t h of containment 4.1 is implied by containment 4.2. In the literature, attention has focussed pr imari ly on mappings or functions that construct such simpler problems. Such mappings are variously called conservative approximations [Bur92], conservative connections [Lon93], or language homomorphisms [Kur87, 52 Chapter 4. Abstraction, Approximation and Language Containment 53 Kur89] . Here, the terms are used slightly differently. A n approximation is a behaviour-set in the abstract domain B that is intended to represent a behaviour-set in the concrete domain . A n abstraction tp C B x B is a relation between abstract behaviours in B and concrete behaviours in B. If ip is an abstraction relation, and Z C B is a concrete behaviour-set, then ipZ denotes the post-image of Z under tp. TpZd= {z: B \ 3z £ Z • (z, z) £ xp) Similarly, if Z C B is an abstract behaviour-set then tp~lZ denotes the pre-image of Z under $-lZ d= {z : B \ 3z £ Z • (z, z) £ ijj} Proposit ion 4.1.1 For any relation tp, the operations post-image and pre-image are monotonic with respect to set inclusion T h a t is to say, if X C Z then ipX C x/>Z, and if X C Z then V - 1 A C ^ Z ; - 1 ^ . Let be a concrete behaviour-set, and let X be an abstract behaviour set. Definition 4.1.2 Liberal approximation: X is a liberal approximation of X with respect to ip if and only if X C il)~xX In other words a l iberal approximation is an over-estimate of X. Definition 4.1.3 Conservative approximation: X is a conservative approximation of X with respect to ip if and only if ip~lX C X In other words a conservative approximation is an under-estimate of X. Let if; C B X B be a binary relation. The domain of ip is the pre-image of B. Dom(V>) = f The relation tp is a function if every element .T G Dom(^) has a unique image x, such that (x ,x ) £ ip. If is a funct ion, and if x is in its domain , the notation ip(x) refers to this unique Chapter 4. Abstraction, Approximation and Language Containment 54 image x. The relation ip is a total function if it is a function and Dom(t/>) = B. A function that is not total is said to be partial. It turns out, as the next theorem shows, that that no generality is lost by considering only abstractions that define (possibly partial) functions from B t o 5 . T h e o r e m 4.1.4 Let M be a non-empty set. The implication MCS => MCS holds if and only if M is a liberal approximation of M and S is a conservative approximation of S with respect to some (possibly partial) abstraction function ip. Proof: To prove the " i f " part , assume that ip is a (possibly partial) abstraction function wi th respect to which M is a liberal approximation of M and 5 is a conservative approximation of S. Assume MCS. Since pre-image is monotonic we can conclude ip~lM C t/j~1S. Since M is a liberal approximation of M, M C ip~1M. Since S is a conservative approximation of S, ip'1S C S. Thus it is established that M C ip^M C ip~1§ C S. B y transi t ivi ty of set inclusion, MCS. To prove the "only i f " part , assume that M is non-empty, and that MCS =4> MCS. If X and X are subsets of B and B respectively, the notation X H-> ,^ X wi l l be used as a short-hand for the assertion that if X is empty, then X f l D o m ( ^ ) = 0, and if X is nonempty, then X C D o m (?/>), and ipX C X. In other words, if X is empty, then no elements of X have images. If X is non-empty then every element of X has an image in X. T h e sets M and S part i t ion B into four possible regions: M — S, S — M, S f l M and B - (5 U M). Likewise, M and S part i t ion B. Let t/; be an abstraction function such that: 1. M - S ^ M - S 2. S - M r-ty 5 - M 3. 5 - (5 U M ) ^ B - ( S U M ) f M if M C 5 4. 5 n M ^ M — S otherwise Chapter 4. Abstraction, Approximation and Language Containment 55 Each constraint l imits the function's behaviour over different partit ions of the domain , thus they cannot be inconsistent and such a function tp exists. O n l y regions of S, the parti t ions S — M and S f) M have images in S. Thus tp~lS C S, and thus S is a conservative approximat ion of S with respect to tp. It remains to be shown that M C tp~lM by showing that every element of M has an image in M. Th is amounts to showing that for each of the arrows 1 and 4 above, the sets on the right hand sides are only empty if the corresponding sets on the left-hand sides are empty as well . Suppose that M — S, the left-hand side of arrow 1 is non-empty. Then M % S and by assumption M % S hence M - S, the right-hand side of arrow 1, is non empty also. The right-hand side of arrow 4 is never empty. If M S then M — S must contain a witness. B y assumption M is non-empty. Thus , each element of M has an image in M and as a result, M C ip-i-M. • L e m m a 4.1.5 For any (possibly partial) abstraction function tp, the pre-image operation dis-tributes over set intersection. Proof: Let X and Y be arbi trary sets in B. Let x be an arbitrary element in the pre-image ip~x{X C\Y) of their intersection. Then x S Dom(ip), ip(x) is unique, and tp(x) G X D Y. Since ip(x) G X, x £ tp~lX. S imilar ly x G ip~lY. A s a result, x G tp~lX n ip~lY, proving tp-^x n Y) C ip~lX n tp'1?. Let x be any member of ip~lX D tp~lY. Then x G D o m ( ^ ) , tp(x) G A ' and ^(a;) G Y. A s a result, G l f l f hence a; G tp^XDY, proving tp^Xntp'1? C ^ ( I n ? ) . • Note that the proof that tp~lX D ^ A _ 1 y C ^ _ 1 A n - ^ _ 1 y rests on the existence of a unique image ip(x) for each x G tp_1XDtp-1?. If ^ were a relation, so that each x could have multiple abstractions, then the containment would not, in general, hold. Corollary 4.1.6 If X is a conservative (resp. liberal) approximation of X with respect to a (possibly partial) abstraction function tp and ifY is a conservative (resp. liberal) approximation Chapter 4. Abstraction, Approximation and Language Containment 56 of Y, with respect to ip, then X DY is a conservative (resp. liberal) approximation of X C\Y •with respect to ip. L e m m a 4.1.5 and its corollary are so important that from this point forward, we restrict atten-t ion to abstractions that define (possibly partial) functions. Theorem 4.1.4 assures us that no generality is lost by doing so. 4.2 T r a c e - A u t o mat a A p p r o x i m a t i o n T h e preceding section gave a relatively general theory of abstraction and approximation in the context of behaviour sets. A n abstraction is a (possibly partial) function from a concrete behaviour domain to an abstract one. A n approximation is an abstract behaviour-set intended to represent a given concrete behaviour set. Given an abstraction function ip, an approximation X of the concrete behaviour set X is said to be liberal if its pre-image under ip includes X. It is said to be conservative if its pre-image is included in X. In this section, the theory of conservative and liberal approximation is applied to trace-automata. The implementation M and the specification S wi l l both be trace-automata. The verification problem wi l l be to show that L(M) C L(S). Often, the specification can be phrased without reference to all of the tapes of M. T h a t is, it may be that LT(5) C L T ( M ) . In this case, the problem wi l l be to establish that I/(M)|n(s) C L(S). Let D = ( I 1 , E , $ ) and D = ( I 1 , E , $ ) be two trace-automata domains that share the same variable-set II. Suppose that for each variable a G II, we have defined an abstraction function ipa that maps traces of the tape a in the original signature D to traces of the same tape in the abstract signature D. The functions ipa, which map traces to traces are combined to produce the abstraction function tp f rom behaviours in Dw to behaviours in in the obvious way, so that {ip{W))a = f ifia(Wa) for each o G II. A function built in this way is a separable abstraction funct ion. It is separable, in that the traces of individual variables are abstracted independently. Definition 4.2.1 Separable abstraction function: let D and D be signatures with II(D) = Chapter 4. Abstraction, Approximation and Language Containment 57 U(D). An abstraction function ip : Dw D u is separable if for each tape a £ n(Z?) there is a function ipa such that tp(W)a = ipa(Wa)-The notation for restriction extends naturally to separable abstraction functions. If tp : Du Z ) w is a separable abstraction function, and A C II, then ip\A : D\AW'.>->• -D|^ is defined by (V 7 !A)a = Tpa for each a £ A . Proposi t ion 4.2.2 follows as an immediate consequence of this definit ion. Proposit ion 4.2.2 / / ip is a separable abstraction function and w — ip(w), then w\A = TP\A(W\A)-Abstract ing Real-valued 7H-traces Recall the integrator from Table 3.3. It reads two tapes x and x, each containing a real-valued 7£-° - t race . The paragraphs that follow develop a liberal approximation of this integrator. T h e approximation also reads tapes x and x, however in the abstract domain the tapes contain Z-° traces over a set of discrete values. The abstraction of each tape involves discretizations of both the value domains and the time-domains. T i m e is discretized by choosing a fixed constant 5. Each 7^-trace w is partit ioned into a sequence wo,w\,... of finite traces, each of length 5. T h e value domain is discretized by defining a non-decreasing 1 function / that maps the reals to the integers. For example, the floor function / ( r ) = [ r j would be such a funct ion. Since / is non-decreasing, the inverse f~1(x) = {r | / ( r ) = a;} maps each integer x to an interval of the reals. For example in the case of the floor funct ion, the inverse / _ 1 ( a ; ) maps each integer x onto the half-open interval lZ[x, x +1 ) . In general, the intervals given by the inverse may be closed, open, or half-open like those induced by the floor funct ion. G i v e n such a discretization / of the value domain , an abstraction function ip[f] is defined that maps each such sub-trace Wj onto the min imum and m a x i m u m values of f(wj(t)) as t 'Non-decreasing is used here in the conventional sense. A function / is non-decreasing if for every x and y, x<y^ f(x) < /(«/). Chapter 4. Abstraction, Approximation and Language Containment 58 ranges between 0 and S. lj = min0<i<«$ f(wj(t)) and Uj = max0<t<5 f(wj(t))) For example, let f(r) = [ r j , and let w be a trace of length 8. If w(t) ranges-from 2.5 to 4.5 for 0 < t < S, then f(w(t)) wi l l range from 2 to 4, so that ip[f](w) — (2,4). Alternately, if w(t) ranges from 2 to 2.5, then for all 0 < t < 5, f(w(t)) = 2. Thus , ij)[f](w) = (2, 2). Given discretizations of time and value domain , defined by 5 and / respectively, the ab-straction function tp[S, f] is defined that maps each infinite trace w onto a sequence of pairs {lj,Uj) The sequence is obtained by first part i t ioning w into a sequence of traces Wj, each of which is of length 5 and is abstracted by the pair (lj, Uj) — 4>[f]{wj). tp[S, f](w) =f ({l0, uQ), (/I, u i ) , . . . ) where lj = mmjS<t<y+1)s f(w(t)) and Uj = m a x j f < , < ( j + 1 ) 5 f(w(t))) This process is i l lustrated in Figure 4.3. The horizontal axis represents t ime, and is divided into intervals of length 5. The vertical axis represents the values of the trace. It is also divided into intervals, each of which is abstracted by an integer - a, ...,g. T h a t is, the letters a, ...,g name the intervals separated by horizontal lines, rather than points on the axis. The combined effect of the value and time discretization is to part i t ion the space into rectangular regions. The shaded regions represent those through which the real-trace w passes. In the first t ime interval, the trace remains wi th in the interval abstracted by d. Thus , ip[f](wo) = (d,d). In the second interval , the trace ranges from the interval abstracted by b to the one abstracted by e. Thus , i,[f](Wl) = (b,e). A p p r o x i m a t i n g the Integrator In this subsection, a liberal approximation of an integrator is developed. The subsection is highly technical, and may be skipped by the casual reader. Chapter 4. Abstraction, Approximation and Language Containment 59 g / f fk:::::' ' . .^.y. • \\:;:||||||||$ e d c / \ —~— y i / \ / \ / L . . . . . b 1 1 a t (d,d) (b,e) (c,f) (f,g) ! (d,g) i i (c,e) Figure 4.3: A b s t r a c t i n g a real-trace by a sequence if integer-pairs Recall that the integrator, shown in Table 3.3 on page 32 consumes two real-time real-valued traces x and x, provided that x is the Riemann integral of x. The automaton has a single real-valued state-variable s that records the partial integration in-between transitions. Let / be the following discretization funct ion. ( f i l if x > 0 /(*) = [ |xj if x < 0 We develop a discrete liberal approximation of the integrator, wi th respect to the abstraction function \P that maps each 7H-trace x to the 2- t race ip[l,f](x), and each 7H-trace x to the Z- t race ip[l, f](x). The automaton fh reads two tapes x and x, each containing 2-traces of integer pairs. The state set S(fh) wi l l be the integers. Let A ( m ) be the universal state-transition relation: A(m) = S(m) X S(m) X D*. Clearly, wi th this transition relation, fh wi l l accept any behaviour; L(fh) = . The model fh is a l iberal approximation of the integrator m , but it is the poorest l iberal approximation possible, and is not very useful. Chapter 4. Abstraction, Approximation and Language Containment 60 To improve the approximation the transition relation is made smaller. Let W be an arbitrary behaviour in Dw. Observe that if the integrator m accepts W it can do so by means of a chain Wi w2 so —> s1 —> • • • such that Wi associates x and x wi th non-empty traces of length one. Such a chain matches, the part i t ioning used by the abstraction function Recal l that vf; maps each of these sub-traces to a pair of integers. If fh is to be a liberal approximation of TO, we must be-sure that it has a chain ^ Wi ^ w2-so —> s i —> where Wj = ip(Wj) for each 1 < j < k. To do this, we define a state abstraction funct ion, / for this example, that maps from S(m) to S(fh)., and ensure the particular chain in which Sj = f(sj) is a chain of fh. Let / _ 1 be the interval valued inverse of / . (x - 1, x\ if x > 0 f~\z) = \ [0,0] if x = 0 [x, x + 1) if x < 0 If X is an interval of the reals, let CC(x) represent its closure. If X and Y are intervals of the reals, let X l+l Y represent the smallest interval that contains both X and Y, and let X © Y represent the smallest interval that contains every sum x + y, for x £ X and y £ Y. S imilarly, let X QY represent interval subtract ion. Let = be a binary predicate over intervals defined by X=Y = f 3x £ X, y £ Y • x = y. S imilar ly let X<Y = f 3x £ X, y £ Y • x < y. Let X>Y be defined in the analogous fashion. The development wi l l proceed by defining a series of constraints that can be added to the transition relation. We show that if (s,s ' ,W) is a transit ion of M wi th \W\ — 1, then (f(s), f(s'), \P(W)) satisfies each constraint. Let (s,s ' ,W) be an arbitrary transi t ion of M wi th \W\ = 1. Let s = f(s), s' = f(s'), ( / ,«) = 1>[f\(Wx), and (/ ,«) = ^[f](Wx). C I f~\l) < f-\u) Chapter 4. Abstraction, Approximation and Language Containment 61 C 2 r \ i ) < r \ u ) ca f-\s') e r \ s ) = f-\i)vf-\u) C 4 f~\s) = / - V ) ^ / - 1 ^ ) C 5 f~\s') = C£(f-\l)Uf-\u)) C 6 « > 0 = > f~\u) < f~\s) 0 f-\u) C 7 /' < o = > / - V ) > r 1 ^ ) e C 8 u > 0 / " H Z ) > / - ^ s ' ) e f-\u) C Q / < o / - ! ( « ) < / - ^ s ' ) e C I O / > 0 = > = / - ! ( / ) C l l /' > 0 / - ^ s ' ) = CC{r\u)) c i 2 « < o ^ r ^ s ) = r\u) C 1 3 « < 0 => f~\s') = CC(f-\l)) Constra ints C l and C 2 follow immediately from the definition of ip[f] and that / is a non-decreasing funct ion. Note that every value achieved by Wx lies in the interval f~\l) W / - 1 ( w ) . Constra int C 3 is s imply an expression of the mean value theorem. Similarly, every value achieved by Wx lies in the interval f~\l) W f~\u). Constraint C 4 follows f rom the fact that s = Wx(0). Constra int C 5 follows from the fact that s' = limt-+iWx(t). Since every point of Wx must lie in l±l f~\u), the l imit must lie in the closure. Suppose Constra int C 6 does not hold. Then u > 0, hence for some z € [0,1), Wx(z) > 0. Let z\ be such a z. W i ( z i ) > 0 (4.3) Chapter 4. Abstraction, Approximation and Language Containment 62 A l s o , there must exist a t ime t £ [0,1) such that for every z £ [0,1), Wx(t) > s + Wx(z). Let t\ be such a t ime. Subtract ing s from both sides gives Vz£ [0,1) •Wx{t1)-s>Wi(z) (4.4) Subst i tut ing zi for z in (4.4) and combining with (4.3) gives Wx(ti) — s > 0. Since s = Wx(0), ti cannot be 0. F r o m the mean value theorem, there is a z £ (0,1) satisfying (4.5). Wx(t) - s = (ti)Wx(z) (4.5) Let Z2 be such a z. Since 0 < ti < 1, this gives Wx(ti) — s < Wx(z2) contradict ing (4.4) and establishing that Constraint C 6 holds. Constraints C 7 through C 9 can be established in a similar fashion. Constraints C10 and C l l follow from the observation that if Wx is a non-decreasing funct ion, then s £ / _ 1 ( 0 a n < ^ s ' € CC(f~l(u)). S imilarly, Constraints C12 and C13 follow from the corresponding observations when Wx is a non-increasing function. The transit ion relation for the integrator approximation is obtained from the conjunction of all of these constraints. We have developed a discrete liberal approximation of the continuous integrator. For every behaviour W in the language L(m), we identified a run of m . In part icular , we observed that W could be accepted by a run , each transit ion of which read tapes of length 1 from x and x. We then established that , if s = f{s), s' = f{s'), (/,«) = ip[f]{Wx), and ( / ,« ) = ip[f]{Wx), then Thus any transit ion (s,s',W), where Wx = ( ( / , « ) ) and Wx = ^(/, ii)^, would satisfy each constraint. Being satisfied individual ly , the constraints are satisfied jointly. Thus any such transit ion is in the transit ion relation and the result is a l iberal approximation of the original . 4.3 Approximations , Composi t ion , and Restriction The previous section i l lustrated a technique for building l iberal approximations of continuous trace-automata. A n approximat ion of the integrator was constructed incrementally by adding constraints to the transit ion relation. Each constraint could be justified independently. Chapter 4. Abstraction, Approximation and Language Containment 63 In spite of this technique, it is generally difficult to develop useful l iberal approximations of complicated models directly. Fortunately, it does not appear necessary to do so. Us ing the composition and hiding operations for trace-automata, complicated models can be constructed from simple ones. In this section it is shown that l iberal approximations of these components can be composed to yield liberal approximations of their composit ion. Thus , each simple component can be approximated separately, using the technique developed above. The results can be combined automatical ly to yield a liberal approximation of the entire system. To formalize this notion, we need a way to combine abstraction functions. If M i is a liberal approximation of M\ wi th respect to some abstraction function ipi and if M 2 is a l iberal approximation of M2 wi th respect to an abstraction function tp2, it would be nice to be able to conclude that M\ \\ M2 was a liberal approximation of M j \\ M2 wi th respect to some abstraction formed by combining tpi and ip2. It m a Y happen that Mi and M 2 share some common tapes. Likewise, Mi and M 2 may have tapes in common. Clearly, it wi l l only make sense to combine abstraction functions that treat these common tapes in a consistent way. Definition 4.3.1 Consistent abstraction functions: Let Di and D2 (resp. Di and D2) be type-consistent signatures. Let A = H(Di) n U(D2). Abstraction functions tpi : H-> and V>2 : D% D2 are consistent if for every trace w 6 (Di@ , one of the following three conditions holds. 1. w|n(£>i) has no image under tpi or 2. w|n(D 2) has no image under tp2 or 3- ^ i M n ( D , ) ) l ; f = ^ 2 M n ( D 2 ) ) l ; f Definition 4.3.2 Let ifii : i-> Df and tp2 : D2 H-> D2 be consistent abstraction functions. The combination tpid&fa 2 S defined as follows: • Dom(V>i©^ 2 ) = {w : {Di®D2)u | w \ u { D l ) G D o m ( ^ i ) A w \ n { D a ) G D o m ( ^ 2 ) } Chapter 4. Abstraction, Approximation and Language Containment 64 For all w £ D o m ^ i © ^ ) , and for all a £ U(Di®D2), ^ i ( w l n ( D i ) ) a ifaeDi { '02(w|n(D2))a ifae D2 The first part of the definition defines the domain of the combination - recall that abstraction functions may not be tota l . A behaviour wil l have an image under the combination V i © ^ if> when restricted the the appropriate tapes, it has an image under both ip\ and ip2. The second part of the definition s imply says that if a behaviour has an image, then it is just as would be expected. For each tape in f l ( D i ) , the combination assigns the same trace as would be assigned by ip\. S imilar ly for each tape in Yl(D2), the combination assigns the trace that would be assigned by i/>2- Since the two component functions are consistent, both ip\ and ip2 must assign the same trace to any tape in the intersection n ( D i ) f l H(D2). T h e o r e m 4.3.3 If Mi and M2 are compatible, Mi is a liberal approximation of Mi under the abstraction ipi, and M2 is a liberal approximation of M2 under the abstraction tp2, then Mi \\ M2 is a liberal approximation of Mi \\M2 under the abstraction Tpi®tp2. Proof: Let W be a behaviour in L(MX \\ M2). Then W\N^ML) £ L(Mi) and W\T\(M2) € L(M2)(Proposition 3.2.9). Since Mi is a liberal approximation of Mi wi th respect to ipi, ^i (W|n(Af , ) ) e L(Mi). S imilarly, V>2(W|n(M2)) e L(M2). Let ip = ipi®?p2. B y definition, ^ W l n f M O = MW\u{Ml)), and V W I n ( j g 2 ) = ^ W n ( M 2 ) ) - Thus , ^ ( W ) \ N { M L ) £ L(Mi) and 4>(W)\n(M2) £ L(M2). Since, Mi and M2 are compatible, we can conclude that tp(W) £ L ( M i ||M 2 ) (Proposi t ion 3.2.11). • T h e o r e m 4.3.4 If Si and S2 are compatible, Si is a conservative approximation of Si under the abstraction ipi, and S2 is a conservative approximation of S2 under the abstraction ip2, then Si \\S2 is a conservative approximation of Si \\S2 under the abstraction i/ 'i©i/ 72-Proof: Let W be a behaviour in L(§i \\S2). Then H ^ L j . £ L(§i) and, by Proposi t ion 3.2.9, ^ I f i f S ) ^ L(S2). Suppose there is a behaviour W such that that ip(W) = W. Then Chapter 4. Abstraction, Approximation and Language Containment 65 V , i (W|n(Si)) = Wlrj jSj) and ^ ( W l n ^ ) ) = W|n(s 2 ) ' Since ^ ' s a conservative approxima-tion of S'i wi th respect to ipi, W\ri(Sl) G L(Si). S imilar ly Vl^|n(s2) ^ ^ { ^ 2 ) - Since 5 i and S 2 are compatible, W G £• (S i || S 2 ) (Proposit ion 3.2.11). • Theorem 4.3.3 allows us to construct l iberal approximations of composite systems by ap-proximat ing their components independently. Provided the approximations are compatible, they can be combined to yield a l iberal approximation of the composite system. Theorem 4.3.4 allows us to construct conservative approximations of composite specifications, provided that the specifications are formed by composing compatible automata . Conservative approximations of the components can be developed independently, and combined to yield an conservative ap-proximation of the composite specification. T h e o r e m 4.3.5 Let M be a liberal approximation of M with respect to a separable2 abstraction function ip. If M is A-fair, then M\A is a liberal approximation of M\A. Proof: Let V be a behaviour in L(M\A). Since M is A- fa i r , V G I ( M ) ^ ( L e m m a 3.2.5). So, by definit ion, there is a W such that V = W\A and W G L(M). Since M is a l iberal approximation of M, there is a W such that W = ip(W) and W G L(M). Since ip is separable, W\A = ip\A(W\A)(Proposition 4.2.2), and W\A G L(M\A)(Proposition 3.2.2). Thus ip\A{V) G L(M\A) as required. • 4.4 E n c o d i n g Abstract ion Functions Besides representing specifications and implementations, trace-automata can be used to encode abstraction functions. Let D and D be type-consistent signatures. Let ip be a (possibly partial) abstraction function mapping from Dw to Dw. A trace-automaton $ that satisfies the following three conditions is called an encoding of ip. Definition 4.4.1 Encoding: A trace-automaton \P is an encoding of the abstraction function ip : Dw i-» Dw if it satisfies the following conditions. 2 Reca l l that, by definition, if rj> is separable, then I1(M) = I I ( M ) . Chapter 4. Abstraction, Approximation and Language Containment 66 T T ( D ) / The abstraction M U S T read tapes that are not shared / \ \ The abstraction M A Y read tapes that are shared / : \ T T ( D ) \ The abstraction M U S T read tapes that are not shared / \ The abstraction M U S T N O T read any other tapes Figure 4.4: The tapes read by an abstraction encoding 1. ( n ( D ) u n ( z ? ) ) - ( n ( D ) n n ( D ) ) c n ( * ) c n ( D ) u n ( S ) 2. £ > ( * ) = ( D © / 3 ) | n w 3. for any behaviour W G (D@D)W, the following equivalence holds. ( W | n w G = (W\n{B) = iP(W\n{D))) The first condit ion, i l lustrated in Figure 4.4, s imply says that the encoding $ must at least read the tapes that D and D do not share, and must not read any tapes that are in neither D nor D. The second condit ion just says that the tapes that $ does read must have the same types Chapter 4. Abstraction, Approximation and Language Containment 67 as they do in the signatures D and D. The third condit ion says that "5 must faithfully encode the abstraction funct ion. In particular, if W|n(.o) has no image under tp, then W|n($) ^ L(^). The following proposition is an immediate consequence of this definit ion. Proposit ion 4.4.2 If * is an encoding of tp : Dw i-> Dw, then for any w G Dw and w G D", w = ip(w) if and only if there is a unique W G (D©.D) W such that W|n(*). £ ^ l n ( D ) = ^ and W\u^ = t/5. The abil i ty to encode abstraction functions as trace-automata provides a way to determine that an abstract machine M is a liberal or a conservative approximation of a concrete machine M as the case may be. Suppose that a language containment checking algori thm is available. Let M and M be trace-automata with type-consistent signatures. Let ip be an abstraction function mapping from D ( M ) W to D(M)UJ. Let 9 be a trace-automata encoding of tp. One might hope that L((M || ^ )\n(M)) would be the pre-image of L(M) under tp. If this were so, one could confirm that M was a liberal approximation of M by simply checking that L(M) C L((M || * )|n(M))- Unfortunately, this is not, in general, the case. A s the proof of L e m m a 4.4.3 shows, however, it is the case that L(M\\ \P)|n(M) 1 S contained in the pre-image of L(M); the two are equal if M and ^ are compatible. L e m m a 4.4.3 If M is a trace-automaton, and is an encoding of an abstraction function tp : D0W i-> D(M)W, for some signature D0 consistent with D(M), then L(M \\ *)|n(£> 0) ^ tp~1L(M) with equality holding when >J/ and M are compatible. Proof: Let w be any behaviour in || M ) | n ( D 0 ) . Then there is a W G L(M || such that w = W\n(Do). F r o m Proposi t ion 3.2.9 we have W | n ( * ) € and G L(M). F r o m the definition of encoding, W l r r ^ = hence w G tp~lL(M). Suppose that M and $ are compatible. Let w be any behaviour in tp~1L(M). There is a behaviour w G L(M) such that w = ip(v). F r o m Proposi t ion 4.4.2 there is a (unique) behaviour W G ( A ) © - D ( M ) ) " such that W\U(y) € £ ( # ) , W|n(A>) = w a n d ^ I n f M ) = ™* Chapter 4. Abstraction, Approximation and Language Containment 68 Since G L(M), and W|n(ip) S L^), and M and * are compatible it follows that W e L(V\\M). Thus, we L(V\\M)\n{M). ' • A s was demonstrated in Chapter 3, L(M\\^)\u(M) a n d L((M\\9)|n(M)) a r e n ° t necessarily the same. The problem, as discussed in Chapter 3 stems from the possibility that M and $ have infinite runs that correspond to mixed behaviours - behaviours that assign infinite traces to some tapes, but finite traces to others. If, however, M || $ is I I ( M ) — I l ( M ) - f a i r , then L((M\\ tf)|n(M)) = L(M || tt)|n(M)(Lemma 3.2.5). Thus , in this case one can confirm that M is a l iberal approximation of M by s imply checking that L(M) C L ( ( M | | vP)ln(M))- For example, if $ has only a single mult i - track tape, then $ is n ( M ) - I I ( M ) - f a i r and thus, by L e m m a 3.2.8, M | | vp is I I ( M ) - n (M) - fa i r . T h e o r e m AAA Let M and M be trace-automata with type consistent signatures, and let be an encoding of an abstraction function tp : D ( M ) W (->• D(M)W. If*S>\\M is U(M) - U(M)-fair, and L(M) C L((^||M)|n(M))> ^ e n M is a liberal approximation of M with respect to ip. Proof: L e m m a 3.2.5 establishes L((^ \\ M)|n(M)) = -^(^ II ^OIn(M)- L e m m a 4.4.3 establishes L ( * | | M ) | n ( M ) C V - 1 L ( M ) . Thus L ( M ) C ip'lL(M) as required. • G i v e n a language containment checker, it should be straightforward to check that L(M) C L((*S> || M)|n(M))- If ^ ar>d ^ a r e b° th finite-state discrete automata however, checking that * || A? is n ( M ) - I l ( M ) - f a i r is not much more difficult. In general, let M be a finite-state discrete trace-automaton. Let a and 6 be two tapes of M. Observe M has infinite runs that assign a finite behaviour to tape a, and an infinite behaviour to tape b, if and only if it has a cycle that reads no symbols from tape a, but reads at least one symbol from tape b. For any finite k, one can construct a finite-state trace-automaton that , when composed with M , decides whether M has path that reads more that k symbols from 6 without reading from a. Thus , in general, fairness can can be demonstrated by a finite-state trace-automaton. Chapter 4. Abstraction, Approximation and Language Containment 69 The situation for conservative approximation is much simpler, as the following theorem shows. T h e o r e m 4.4.5 Let \Ty be an encoding ofip. If S andty are compatible, and if L((^\\S)\Y\(S)) ^ L(S) then S is a conservative approximation of S with respect to ip. Proof: Since and S are compatible, the stronger version of L e m m a 4.4.3 applies giving iP~lL{S) = L ( * || S)|n(s)- Proposi t ion 3.2.2 gives 5 ( * || S)\N(S) C / , ( ( * || 5)| n ( s) ) - T h u s tp~1L(S) C L(S) as required. • A s a result, of these theorems, a language containment checker can be used to establish that an automaton M is a l iberal , or a conservative approximation of another automaton M with respect to' an abstraction function ip. The abstraction function is encoded as a trace-automaton \Ty. To show that M is a liberal approximation of M , it must be shown that L(M) C || A?)|n(M)), and t n a t * \\M is U(M) - n (A?) - fa i r . If M and * are finite-state, then the fairness property, if it holds, can be established by using a finite-state trace-automaton to test that \P || M has no runs assigning infinite behaviours to the tapes in I I ( M ) , while assigning a a finite behaviour to a tape in I I ( M ) . Alternately, if M and $ are compatible, one can establish that M is a conservative approximation of M s imply by demonstrating that L((V\\M)\n{M))CL(M). Suppose, in a verification problem, there are two machines M i and M2, and a specification S. The task is to demonstrate L(M\ \\M2) C L(S). furthermore, suppose that , using the above techniques, it has been established that machines M i and M2 are l iberal approximations of M i and M2 wi th respect to abstraction functions ip\ and ip2 that are encoded as $ 1 and ^ 2 respectively. Let S be a purported conservative approximation of S wi th respect to ipi®ip2. To establish that S is conservative using the above techniques, requires an encoding of ip\®ip2. The following theorem establishes that , under reasonable circumstances, such an encoding can be obtained by combining $ 1 and ty2. Chapter 4. Abstraction, Approximation and Language Containment 70 T h e o r e m 4.4.6 If <3>i and $ 2 are compatible, and if ip\ and tp2 are consistent, then ^1 || $ 2 encodes V 'i©V '2- • Proof: Let JD = Di©L>2, let D = DiQD?, and let V> = V ' l © ^ - Let T47 be an arbi trary behaviour in (D@D)W. To show that $ 1 1 | $ 2 encodes we must establish the following equivalence. ^ I n t ^ u n ^ ) € | | * 2 ) = ( W | n ( S ) = i>{W\n[D)) Suppose W|n(* ! )un(* 2 ) e - £ ( * i | | * 2 ) - Then T4^|n(*L) G £ ( # 1 ) by Proposi t ion 3.2.9 hence, from the definition of encoding, W ^ g ^ = ipi{W\n^Dl)). Similarly, W\n^ = ^ ( W l n f D j ) ) - Since rpi and ^ 2 are compatible, W j n ^ = ^(W|n(£>)). ; Conversely, suppose W l ^ g ) = V K ^ I n t D ) ) - Then W\u^^ = ipi{W\n(Dl), since ^ = V i © ^ , hence W|n(tfi) G £ ( $ 1 ) by the definition of encoding. Similar ly W|n(ip 2) £ £ ( ^ 2 ) - Since and <J/2 are compatible, Proposi t ion 3.2.11 gives W/|n(#1)un(<I>2) G II ^ 2 ) - ' a 4.5 A Containment Checking A l g o r i t h m for Smooth Discrete Finite Trace -Automata The remainder of this chapter addresses the problem of checking that the language accepted by one trace-automaton 5 is contained in that of another M. We define a s imulation rela-tion M < S that is, in general, stronger than language containment. T h a t is, M •< S =>• L(M) C L(S). A n algorithm is then presented for checking that this s imulation relation holds between discrete, finite, smooth trace-automata. Th is immediately yields a conservative check for language containment. Condit ions are then identified under which simulation and language containment are equivalent. F ina l ly , sound techniques are given which can be used to transform many language containment problems L(M) C L(S) into ones L(M') C L(S') which satisfy these conditions. The simulation relation X , and the algorithm for checking that it holds are essentially adaptations from [ C B M 8 9 ] . Before the algori thm can be presented and justif ied, some terms must be defined. Recall from Chapter 3 that a run of a trace-automaton M is a sequence of transitions Chapter 4. Abstraction, Approximation and Language Containment 71 consistent with the transit ion relation and start ing in an ini t ia l state. The concatenation W = w\W2-- is in the language L(M) if and and only if W is an infinite behaviour and M has Definition 4.5.1 Action-set AM{X): A discrete behaviour is an action if it labels each tape with a trace of length 0 or 1. If x is a state of the automaton M, the action-set of x, denoted A-M(X) is the set of actions w for which there is a successor state x', so that (x, x', iv) G A ( M ) . Proposit ion 4.5.2 Any discrete behaviour W can be expressed as the concatenation of a se-quence of actions. To see this, let W be any discrete behaviour. For each tape a, let the trace Wa be the se-quence (ao,ai,...). Let A ; be an action that labels each tape a wi th the sequence (a,-). Then concatenation A o A i • • • equals W. Definition 4.5.3 Simple run: A run SQ S\ • • • is simple if each W{ is an action. D u r i n g each transit ion of a simple run, the automaton reads at most 1 token from each of its tapes. The following proposition follows directly from the definition of smoothness. Proposit ion 4.5.4 If M is a smooth discrete automaton, then every behaviour in L(M) can be accepted by a simple run. Definition 4.5.5 Reachable states RSS(M): A state x of M is reachable if it appears (with finite index) in a run of M. It is reachable v i a W , for some finite behaviour W, if there is a string of transitions such that W = w\W2 • • -Wk, and SQ G I{M), and each s,-, w;) G A(M). The set RSS(M) Definition 4.5.6 Lockup free: Define the language L(x) of a state x of M as the set of infinite behaviours that can be read by a run that starts with x. An automaton M is lockup-free if L(x) is non-empty for every reachable state x G RSS(M). is the set of all such reachable states. Chapter 4. Abstraction, Approximation and Language Containment 72 Definition 4.5.7 Deterministic: An automaton is deterministic if for each finite behaviour W, there is at most one state that is reachable via W. Definition 4.5.8 Simulation <: An automaton S can simulate an automaton M, written M -< S, if and only if 7 ( 5 ) is non empty, and A ^ / ( m ) C A s ( s ) for every (m,s) G RSS(M\\S). L e m m a 4.5.9 Let M and S be smooth discrete trace-automata. If S can simulate M (M •< S), then L(M) C L(S). Proof: Let W be a behaviour in L(M). Since W G L(M), M has a simple run mo mi —^> ... that accepts W (Prop. 4.5.4). Define the sequence s n , S i , . . . recursively, by letting So be any ini t ia l state of S, and lett ing s;_|_i be any state of S satisfying (s,-, s;+i, u>,+i) G A ( S ) . If the sequence So,S\,... is well defined, then SQ s i —^» s2 • • • is a run of S that accepts W, establishing that W G L(S). We show by induction on i that each s,- is chosen f rom a nonempty set that depends only upon its predecessors, and thus s is well defined. B y assumption, I(S), the set from which SQ is chosen is non-empty. Suppose that for k < i, is chosen from a non-empty set. Then the state (m,-,s,-) is in RSS(M\\S) since it can be reached v ia wiw2...Wi as witnessed by the transitions (mo, So) (m\,Si) ••• (m,-,s,-). T h e next action is in Ajvf(m,) hence, by the assumption that A M ^ T B ) ^ A 5 ( x s ) for every (xm,xs) G i ? 5 5 ' ( M | | 5 ) , it is in As(si). So, there is a state y satisfying (s,-,y, Wi+i) G A ( 5 ) , establishing that s t + i is chosen from a non-empty set that depends only on s,-. Thus , the sequence s is well defined, and constitutes a run of S that accepts 14 7 . • L e m m a 4 . 5 . 1 0 If L(M) C Z / ( 5 ) , M anc/ 5 are compatible, and S is deterministic, and M is lockup-free, then S can simulate M. Proof: Let (m, s) be a state in RSS(M\\S). Let W be a finite behaviour by which it is reached. Let Z be an action that is in A M ( " I , S ) . Let m' be any state of M such that (M,M',Z) G A ( M ) . Since M is lockup-free, there is an infinite behaviour U that M can go on from m' to Chapter 4. Abstraction, Approximation and Language Containment 73 accept. Thus , WZU £ L(M). B y assumption, L(M) C so W Z i y e L(S). Since 5 is deterministic, the state that it is in after consuming W is uniquely determined to be s. Thus , Z must be in As(m,s), otherwise it could not go on to accept WZU. • L e m m a 4.5.9 establishes that an algorithm for checking simulation is a conservative algo-r i thm for checking language containment. Furthermore, L e m m a 4.5.10 establishes that if 5 is deterministic , M is lockup-free, and M and 5 are compatible, then simulation and language containment are equivalent. A l g o r i t h m 4.5.1 Let RSS{Z) = let NSR = {{z, z') | 3w • [z, z', w) £ A(Z)} in let R(X) = {x' \3x-x e X A (x, x') .6 NSR} in \etR*{X) = let X' = R{X) in if (X' C X) then X else R*{X U X') R*{I{Z)) Let A(Z) = {(z, w) | 3z' • (z, z', w) e A(Z)} Let CHECK{M,S) = {(m,s,w) | (m,s ) e RSS{M\\S) A (m, w) £ A ( m ) A (s,w)tA(s)} The function CHECK(M, S) in A l g o r i t h m 4.5.1 checks that M can simulate 5 . A representa-tion for trace-automata transit ion relations and state-sets is assumed that admits the standard set operations - union, intersection, projection, and comparison. Such a representation is de-scribed in detail in Chapter 5. The function RSS(Z) uses a fixed-point calculation to compute the reachable state-set of its argument machine Z. T h e calculation is guaranteed to terminate for machines wi th finite state sets. T h e function A(Z) computes the set of all s tate/act ion pairs (z, w) for its argument machine Z, such that the action w can be performed in the state z. Chapter 4. Abstraction, Approximation and Language Containment 74 The function CHECK(M, S) computes the set of all reachable states (m, s) in the composition M || 5 and actions w such that the model M can perform w in m, but the specification cannot perform w in s. If this set turns out to be empty, then Ajw(m) C A$(s) for all reachable states (m,s) and the simulation relation is verified. Conversely any elements in the set provide a counter-example to show that the simulation relation does not hold. A s described, the function CHECK provides a set of counter-examples. Each counter-example is in the form of a reachable state (in the product machine) and an action that the model can perform in that state, but the specification cannot. A more useful counter-example would provide a fully instantiated run from some ini t ia l state to this point. Such a run can be constructed straightforwardly by computing init ial ly, not just the reachable state-set, but the entire sequence of reachable state-sets encountered as the fixed-point calculation iterates. Th is sequence can then be used to guide the instantiat ion from the counter-example back to an ini t ia l state. Th is computat ion is explored further in Section 5.3.3. Simulat ion and language containment are equivalent as long as the specification is deter-ministic , and compatible wi th the implementation which must be lock-up free. In practice, it is generally reasonable to design models that are lock-up free. The models, after a l l , are supposed to represent the evolution of a reactive system over t ime. Lock-up would correspond to the system entering a state f rom which no future action was possible. The first two conditions, that the specification be deterministic and compatible wi th the model, are excessively restrictive. Fortunately, wi th only pathological exceptions, it is possible to circumvent these restrictions using two simple techniques. Non-determinism Non-determinism in the specification can prevent the simulation relation from holding, even when language containment does. Consider, for example, the two identical machines m and s pictured in upper half of F igure 4.5. F r o m state 0, each makes a non-deterministic choice between state A and state B. Once the choice of state A (resp. B) is made, the machine is Chapter 4. Abstraction, Approximation and Language Containment 75 Figure 4.5: Tapes are added to resolve non-determinism Chapter 4. Abstraction, Approximation and Language Containment 76 committed to read the symbol a (resp. b). The two machines are identical , so they accept the same language. However, the simulation relation does not hold. In the composit ion ( M | | 5 ) , any of the following states are reachable. {(0,0),(A,A),(A,B),(B,A),(B,B)} However, from state (A,B), M can read the symbol a, while S cannot. Similarly, from state (B, A), M can read the symbol b, while S cannot. In practice, one would like to be able to make use of non-deterministic specifications, so some way must be found to deal wi th this shortcoming. The classical construction from automata theory defines a deterministic machine S' that accepts the same language as S. Th is is done by allowing the state-space of 5 ' to be the power-set of that of S. Each state of 5" represents a set of states of S. The obvious drawback is the exponential relationship between the size of the state-space of S and that of S'. Potent ial ly \S'\ = 2 l s L Moreover, it is not obvious that deterministic finite-state trace-automata accept as large a class of languages as that accepted by non-deterministic finite-state trace-automata. A more practical approach is to enlarge the signature D of S and M to include some addi-t ional tapes that wi l l be used as oracles to guide the specification's non-deterministic choices. In the example, a tape could be added to both model and specification that guides the choices made by the specification, so that they are consistent wi th those made the the model . The resulting machines are i l lustrated in lower half of F igure 4.5. They now read two tapes. The original contains a sequence of the symbols a and 6. The new tape contains a sequence of the sym-bols A and B, identifying which state the model is entering when it makes a non-deterministic choice. N o w , the only reachable states in the composition are {(0,0) , (A, A), (B, B)}, and the simulation relation holds. The following theorem justifies this approach. T h e o r e m 4.5.11 Let C C Yl(M). If M < S then L(M\C) C L(S\C). Proof: The proof parallels that of L e m m a 4.5.9. Let W be a behaviour in L(M\c). Since W G L(M\c), M\c has a simple run mo —^> m i —^» ... that accepts W. F r o m the definition Chapter 4. Abstraction, Approximation and Language Containment 77 of automata restriction, there must be a corresponding simple run mo —> nil —> ... such that each w[\c = w,-. Note that the concatenation W = w^w^ • • • may not be an infinite behaviour, since for some tape a A , W'a could be finite. Thus , W might not be in the language L(M). Nonetheless, 5 has a simple run so — ^ Si —^> .... Hence SQ — S i ... is a run of S\c, establishing W € L(S\c)- a New, deterministic machines M' and 5 ' are constructed that accept behaviours over a larger signature D'. Let A = n ( D ) be the tapes in the signature of M and 5 . Let A ' = H(D') be the tapes in the signature of M' and 5 ' , so that A C A ' . Theorem 4.5.11 establishes that if M' < S', then L(M'\A) C ^ ( 5 ' ^ ) . A s long as M 7 and 5" have been constructed so that L(M) C ^ ( M ' U ) and L(5'|/i') C L(S), then we can conclude that L(M) C L(S). In Figure 4.5, M (resp. 5 ) is identical to M ' (resp. 5 ' ) , with the added tape hidden. Thus , by showing M' ^ 5 ' , we have shown that L(M) C L(S). Buffers False negative results can also occur if the specification and implementation are not compatible wi th each other. Let M and S be trace-automata representing an implementation and a spec-ification respectively. The algorithm compares the behaviours of the composit ion M \\ S wi th those of M alone. Recall that if M and S are not compatible, then M || 5 may accept a smaller language than the intersection L(M) f l L(S). A s a result, even if L[M) C L(S), we may have L(M) % L(M\\S). For example, consider the machines 51 and M l defined in Tables 4.10 and 4.11 respec-tively. Machine 51 accepts traces a and b provided that a can be obtained from b by ex-tract ing the symbols wi th even index (starting from 0). For example, a = (0 ,1 , 0 , 1 , . . . ) , b = ( 0 , 2 , 1 , 2 , 0 , 2 , 1 , 2 , . . . ) and a = (0 ,1 , 0 , 1 , . . . ) , b = ( 0 , 0 , 1 , 1 , 0 , 0 , 1 , 1 , . . . ) would both be be-haviours accepted by 5 1 . Machine M l accepts traces a and b provided that b can be obtained from a by repeating each symbol . For example, a = (0 ,1 , 0 , 1 , . . . ) , b = (0, 0 , 1 , 1 , 0, 0 ,1 ,1 , . . . ) would be accepted by M , but a = (0 ,1 , 0 , 1 , . . . ) , b = (0, 2 , 1 , 2, 0, 2 , 1 , 2 , . . . ) would not. The Chapter 4. Abstraction, Approximation and Language Containment 78 Table 4.10: A n example specification 51 D a: {0,1,2}* , 6 : {0 ,1 ,2}* S s : { 0 , l } I s = 0 s s' a b A 0 1 a a \a\ = 1 1 0 (} b \b\ = l Table 4.11: A n incompatible implementation M l D a : {0 ,1 ,2 }* , 6 : {0 ,1 ,2}* S i : { 0 , l , 2 } , s : { 0 , l , 2 } I a = 0 A t s t' s' a b 0 s 1 s' (s') () 1 s 2 s () (s) 2 s 0 s () (s) language containment i - ( M l ) C L(Sl) holds, but the machines are not compatible. The speci-fication 51 must read a symbol from b dur ing the same transit ion that reads a symbol from a, whereas M l reads the symbol from a f irst, and then reads the two symbols f rom b. Start ing from their in i t ia l states, M l can perform actions, for example consuming a 0 from tape a and nothing from tape b, that 51 cannot. Thus , M ^ 5 . W i t h the exception of some fairly pathological situations, this problem can be resolved by composing the specification with special trace-automata called buffers. A buffer B is a smooth, fair trace-automaton that reads two tapes, say a and a', wi th $ a = 3 v and E a = £ 0 / . It accepts any traces W e 79(73)^ such that Wa — Wai. A F I F O with finite storage such as is given in Table 4.12 is a typical example of a buffer. In the example, s imply composing 51 with a one-stage F I F O as i l lustrated in Figure 4.6 Chapter 4. Abstraction, Approximation and Language Containment 79 Table 4.12: A k element F I F O B 5 | s:Z* I | 5 = 6 A I \s\ < k A Is'l < k A s s' a a' ax xa' a a' \a\ < 1 A \a'\ < 1 Figure 4.6: Composing a buffer wi th a specification Chapter 4. Abstraction, Approximation and Language Containment 80 resolves the incompatibi l i ty. The new specification (511| •B)\a[a/a'] is constructed by composing 5 1 with a buffer B that reads tapes tapes a and a', hiding tape a, and renaming tape a' to a. T h e resulting machine can read first a symbol from a (internally a') and store it the F I F O . Subsequently, the component 51 can read this symbol from the F I F O v ia the hidden tape a, while reading the corresponding symbol from tape b. Thus , the new specification is compatible wi th M l and, indeed, M l < 5 1 . The following lemmas and theorems establish the soundness of this procedure. L e m m a 4.5.12 Let B be a buffer with tapes a and a!, and let S be any trace-automaton, then L((S || -B)\ a[a/a']) = L(('S\\B)\ai). That is in the composition of S with a buffer B, hiding tape a, and then renaming a' to a gives the same language as simply hiding a'. Proof: Let W be any trace in L((S \\ B)\ai). B y definition W is infinite. (5 || B) has a run So s i s 2 • • • such that (v\v2 • • -)\ai = ^ ( P r o p o s i t i o n 3.2.1). Let So s\ s 2 • • • be 1 1 1 , vl\a[a/a>) v2\a[a/a'] . . . such a run, and let V = v\v2 • • •• Note that s o —-? S i — 4^ • • • i s a run o i (b || i>)\ a[a/a'] a n d that V\a[a/aq = u i \ a [ a / a ' ] U 2 \ a [ a / a ' ] •"'• T h u s > P r o v i d e d V i s infinite, V \ a [ a / a q 6 L({S \\ B)\a[a/a,]. It is already established that V\ai = W. To show that W G L((S\\B)\a[a/ai]) we show that V is infinite and that V \ a [ a / a ' j = V\a>. V\ai is infinite, since V\ai — W. The buffer B is fair (hence {a'}-fair), so 5 || B is {a'}-f a i r ( L e m m a 3.2.8) and Vai is also infinite. Since V is infinite, V G L(S \\ B) and V\ a [ a / a ' ] G L((S\\B)\a[a/al]. Since V G L(S\\B), V\{a,a>} G L{B)(Proposition 3.2.9). T h u s Va = V'a, and V\a[a/a>] = V\a, = W. Conversely, let W be any trace in L((S\\ 5 ) \ a [ a / a ' ] ) - F r o m Proposi t ion 3.2.7 conclude that W[ai/a] G L((S\\B)\a). F rom Proposi t ion 3.2.1 conclude that there is a run s o Si s 2 • • • of 5 || B such that (viv2---)\a = W[a>/a]. Let s 0 S i s 2 • • • be such a run and let V = V\v2---. T h e trace V\ a is infinite, since V \ a = ^ [a ' /a] a n d G L((S || -B)\a[a/a'})- Since B is {a}-fair, (5 || 5 ) is {a}-fair, so Va must also be infinite. Thus V G L(S || B ) and, by Proposi t ion 3.2.2, V\ 0 ; G L((S\\B\a,). B y Proposi t ion 3.2.9 y | { a ) a / } G L ( B ) (recall that B is a buffer), hence Va = Va,, so V\ B , = V\a[a,/a] = W[a,/a][a/al] = W. Thus , W G L((S\\B\a,. • Chapter 4. Abstraction, Approximation and Language Containment 81 T h e o r e m 4 .5 .13 If B is a buffer with tapes a and a', and if S is a trace-automaton with a G n (5) , then L((S\\B)\a[a/a']) C L(S\ai), with equality holding if a' G" 11(5), and S is smooth with respect to a. Proof: L e m m a 4.5.12 establishes that L((S \\ B)\a[a/a>]) = L((S || B)\ai). Suppose that a' G n (5) . Then L{S \\ B) C L(S)(Proposition 3.2.9), hence L(S \\ B)\a, C L(5)\a,(projection is monotonic) . L(S)\ai C L(S\ai)(Proposition 3.2.2), so by transit ivi ty, L(S\\B)\ai C L(S\ai) O n the other hand, suppose that a' £ LT(5). In this case S\a = 5 . Let V be any behaviour in L(S\ \ B)\a/. Then there is a W G L(S || B) such that V = W\ai. Proposi t ion 3.2.2 establishes W\ai, hence V is in L(S). Conversely let V be any behaviour in L(S). Let W be the behaviour in [D(S)®D{B))" defined as follows: w x d d Va if x = a' V r otherwise Clearly, W|n(s) € Since W a = W a », W|{ 0 i a » j G Z ( B ) . 5 and B share only a single tape a, wi th respect to which they are both smooth, so 5 and B are compatible. A s a result, Proposi t ion 3.2.11 allows us to conclude that W G L(S\\B), hence V G L(S\\B)\ai. • In the example depicted Figure 4.6, the original specification 5 1 does not read tape a', so the stronger version of Theorem 4.5.13 applies. It says that L(S1) = L(Sl'), so that proving L(M1) C L ( S l ' ) is equivalent to proving that L(M1) C L(Sl). H a d the tape a' been read by 51 in addit ion to the tape a, then the weaker c o n d i t i o n ' Z - ( S l ' ) C L(Sl\ai) would have held. In that case, proving that L(M1) C L(Sl') would have been sufficient to establish that £ ( M 1 ) C L ( 5 1 V ) . 4.6 S u m m a r y A s a result of this chapter, there are now three techniques for establishing that one model is a l iberal approximation of another. For very simple components, such as the integrator, one can construct a rigorous, although str ict ly speaking informal , argument that a machine Chapter 4. Abstraction, Approximation and Language Containment 82 is a liberal approximat ion. Th is was the approach taken in Section 4.2. In Section 4.3 it was established that a liberal approximation of a composit ion could be obtained by. composing liberal approximations of the components, provided that the component approximations were compatible. If a machine Mh is obtained by hiding some tapes h, and M is fair wi th respect to a strict superset of those tapes, then those same tapes may be hidden in a machine M that is a l iberal approximation of M wi th respect to a separable abstraction funct ion. T h e result, Mh wil l be a l iberal approximation of Mh wi th respect to the same abstraction funct ion, restricted to the tapes that remain. Section 4.4 pointed out that trace-automata can be used to represent abstraction functions themselves, as well as modell ing the system under development. Us ing this technique, it was shown how a language containment checker could be used to verify that one machine is a liberal or conservative approximation of another, as the case may ; be F inal ly , Section 4.5 presented a conservative language containment checking algori thm for smooth, finite, discrete trace-automata. It is conservative, in the sense that it checks a relation M < S, that is stronger than language containment, so that M < S => L(M) C L(S). T h e algorithm is precise ( M •< S = L(M) C L(S)) if S and M are compatible, S is deterministic , and M is lock-up free. The technique of adding addit ional communicat ion between the specification and implementation was advanced as a way of dealing with non-deterministic specifications. A new M' and a deterministic S' are constructed that read some addit ional tapes X. They are constructed in such a way that L(M) C L(M{X) and that L(S{X) C L(S) ^- typical ly M = M^x and S = S[x. It is shown that M' < S' implies L(M{X) C L(S[X). Thus containment L(M) C L(S) can then be inferred from M' < S' as established by the a lgor i thm. To resolve the problem introduced by incompatibi l i ty between the specification and imple-mentation, buffers can be added. Buffers are fair two-tape trace-automata that read the same sequence of symbols from both tapes. T h e addit ion of such a buffer allows a specification some addit ional lat i tude about when it reads tokens f rom a buffered tape, although the sequence of symbols that it reads from each tape remains unaltered. Theorem 4.5.13 establishes the soundness of this technique. Chapter 5 Implementation M a n y of the ideas in this thesis have been implemented in a series of libraries for the program-ming language F L [Seg93]. It should be stressed that the result is not intended to be a robust tool . Rather , it is a collection of libraries that allow one to represent and experiment wi th trace-automata and abstraction functions. Functions are provided that compile a tabular representation of smooth discrete finite trace-automata into an efficient internal representation based upon ordered binary decision d i -agrams [Bry86]. The tabular representation is sufficiently close to that described in Section 3.4 that translation from one to the other is essentially t r i v i a l . Once compiled, trace-automata can be composed using an implementation of the composition operator. Tapes can be hidden using the hiding operator. A language containment checker has been implemented based upon the algorithm from Section 4.5. The basic algorithm is opt imized, to avoid constructing the composit ion of the specification and implementation explicit ly. Indeed, the implementation itself can consist of an implic i t composit ion, represented by a list of trace-automata. Support is also provided for generating counter-example traces. Abst rac t ion functions that map from continuous to discrete traces are represented by giving their value and time discretizations. A value discretization is expressed by giving its interval-valued inverse. A uniform time discretization is expressed by giving the reciprocal of its length. T h a t is, if t ime is to be discretized by part i t ioning traces into intervals of length 5, this is expressed by giving the reciprocal 1/8. A n interval ari thmetic package is provided that allows one to manipulate the intervals 83 Chapter 5. Implementation 84 resulting from the inverse value-discretization functions. A general technique is described that allows one to build liberal approximations of arbitrary transliterations of n-ary relations R over the reals. Furthermore, it is established that the approximations that result are the best possible approximations. T h a t is, the language accepted by such an approximation is contained in that accepted by any other approximation that is l iberal wi th respect to the same abstraction funct ion. A version of the integrator approximation that was developed in Section 4.2 is provided that is parameterised by the choice of abstraction funct ion. Since arbi trary systems of differential equations and inclusions can be represented by networks of integrators and transliterations, this allows one to construct discrete liberal approximations of such systems. 5.1 N u m b e r s , Variables, and Symbolic Ar i thmet ic 5.1.1 Symbolic Boolean Functions A n ordered binary decision diagram ( O B D D s ) is a data-structure for maintaining a canonical representation for boolean-valued functions of a fixed set of boolean valued variables[Bry86]. T h e F L type Bool represents the set of such functions. In this text, F L objects of type Bool are called symbolic functions, since they cannot be evaluated directly, to distinguish them from the more tradi t ional executable functions that form the mainstay of any functional program. Even though F L provides no direct mechanism for evaluating symbolic functions, it is convenient to give an operational account for their semantics using a hypothetical evaluation function as Chapter 5. Implementation 85 follows. Eval(T, E) True Eval(F, E) False £ l u a / ( v a r i a b l e v, E) £W(NDT p, E) = -iEval(p, E) Eval(p AND q,E) = Eval(p, E) A Eval(q, E) £ W ( s u b s t [ (u 1 , e i ) , (u2 ,e2 ) , . . . , (u„ ,e n ) ] p, E) E v a l ( p , E [ x i / v u X 2 / v 2 ^ X n / v n ] ) where x{ = Eval{ei,E) Evaluat ion takes place wi th respect to an environment that maps from variables to the boolean values True and False. The constant functions (T and F), play the role of the familiar boolean constants. They evaluate to True and False respectively in any environment E. The language maintains a one-to-one correspondence between O B D D variables and strings. T h a t is, each str ing, "abc" for example, names a unique O B D D variable. T h e primit ive (ex-ecutable) function v a r i a b l e returns a symbolic function whose result coincides wi th that of the variable named by its argument. For example, the code-fragment l e t X = v a r i a b l e " x " binds X to a symbolic function of the variable named " x " . The function X, if it could be evaluated, would return the value true in any environment in which the variable named " x " were bound to true. It would return the value false in any environment in which the variable named " x " were bound to false. Symbolic functions can be manipulated using the standard boolean operators. The code-fragment NOT p would evaluate to True in any environment in which p would evaluate to False. Similarly, the fragment p AND q would evaluate to True in any environment in which p and q would both evaluate to True. There is also support for subst i tut ion. If v\, v 2 , v n are unique variables, and e i , e 2 , e n and p are symbolic functions, then s u b s t [{vi,ei),(v2,e2),...,(vn,en)] p returns the result of sub-s t i tut ing each of the functions e,- for the variables u,- in p. A n existential quantif ication operator is defined, whose semantics can be expressed in terms of subst i tut ion. Let p be any symbolic Chapter 5. Implementation 86 funct ion. The function c a l l 1 EXISTS "x" p is equivalent to the fol lowing expression. (subst [( Mx",T)] p) OR (subst[("x",F)] p) Since O B D D s provide a canonical representation for symbolic functions, such functions can be compared. The infix function ===2 returns T if its two arguments are identical symbolic functions, and F otherwise. p === q if and only if Eval(p, E) = Eval(q, E) for all environments E Thus , the following code fragment evaluates to T. l e t x = variable "x"; let y = variable "y"; let z = variable "z"; NOT (x AND y) === (NOT x) OR (NOT y); Wherever possible, in the text that follows, the more conventional notation of mathematics wi l l be used in place of the machine-readable notation of F L . Thus , the symbols A , V , -> and 3 wi l l be used in place of the F L functions AND, OR, NOT, and EXISTS. Similarly, if P is a symbolic function, list of symbolic functions, and v = vi,.., vn is a list of variables of the same length, then the notation -P[x/V] W u ' be used in place of the F L code for subst i tut ion. 5.1.2 Representing Sets and Relations Symbolic functions can be used to represent sets of ordered boolean n-tuples for fixed values of n. For example, consider the fol lowing set of triples. {(a,b,c):B3 | (a © 6) A c} = {(T, F,T), (F,T,T)} 'The actual function provided as a primitive in F L accepts a set of variables, encoded as a B D D for reasons of efficiency. 2 I n standard F L , this function is named ==. However, in the implementation described here, it has been renamed === so that == can be used to compare symbolic integers Chapter 5. Implementation 87 This set would be represented by the following F L construct ion. ( [ " a ' V ' b ' V ' c " ] . ( ( v a r i a b l e " a " ) XOR ( v a r i a b l e " b " ) ) AND ( v a r i a b l e " c " ) ) The representation has two components. A list of boolean variables, [ "a" , " b " , " c " ] , called a descriptor in the sequel, gives a mapping from variable names to positions in the tuple. T h e choice of variable names is arbitrary. A symbolic funct ion, whose value depends only on those variables listed, represents the characteristic function of the set in question. Checking for membership in a set that is represented this way can be performed by sub-st i tut ion. For example, let A = (Ad,Aj) be as defined above, so that Ad = [ " a " , " b " , " c " ] . The test [T,F,T] £ A, would be performed by evaluating Aj^r,F,T]/["a","b" ,"c"]]- M o r e generally, let (Sd,Sj) be the representation of some set S. The query x £ 5 , is answered by evaluating S/[x/$d], i.e. subst i tut ing the values x for the variables Sd in the characteristic function Sf. Note that the list x can contain symbolic functions as well as the constant functions T and F, in which case the result may also be symbolic . The standard set operators can be built f rom the boolean operators and the membership test already defined. For example, the union of two sets of ?i-tuples, A and B, is given by A U B = {x : Bn | x £ A V x £ B ) A typical expression of this sort comes up in the algori thm for checking language containment. Suppose that S is a set of n-tuples representing a set of states in some trace-automata. Suppose that A is a set of (2n + m)-tuples representing the transit ion relation. The set of states S' that are reachable in one transit ion from S is given by an expression wi th the following form. S' = {s' : Bn | 3s : Bn, w : Bm • s £ S A ss'w £ A } Suppose that representations ( A d , A / ) and (Sd,Sj) have already been constructed for A and S respectively. To construct a representation for 5 ' , descriptors s^, s'd, and Wd, of length n, n and m respectively, are constructed with unique variables. S' is then represented by the pair Chapter 5. Implementation 88 (s'd,S'j), where S'j is given by the following expression. S'j = 3sdWd • ( % d / S d ] A &f[sds'dwd/*d]} The choice of variables in the descriptors Sd, s'd and Wd is essentially arbitrary, provided that they are unique. A n efficient choice, however, would be to use the variables f r o m - A j , so that Sds'^Wd = Ad- If this choice were made, then the substitution A^SdSi Wdjwould not need to be performed, since it would only be subst i tut ing variables for themselves. 5.1.3 Symbolic Integers A t the heart of the trace-automata implementation is a package that implements symbolic integer arithmetic using a twos-complement bit-vector encoding. A n integer is encoded as a list of booleans using the the signed two's complement representation. A r i t h m e t i c and comparison operations are performed on these bit-vectors by sign extending both arguments unti l they are the same length, then performing the standard twos-complement operation, and finally, in the case of an arithmetic operation, reducing the result to canonical form by deleting repeated leading bits. For example, the following sequence shows the addit ion of 4 and —1. [F,T,F,F] + [T] - 1 is sign-extended [F, T, F, F] + [T, T , T , T] addition is performed [F, F, F, T, T) result is reduced [F, T, T] The package includes functions that translate from integers to bit-vectors ( i n t 2 b v ) , and vice versa ( b v 2 i n t ) ; functions implementing the standard ari thmetic operators, addit ion, sub-tract ion, mult ipl icat ion, etc. defined on bit-vectors; and functions implementing the standard comparison operators < , < , > , > = etc. for integers. Since F L booleans can be symbolic functions, this representation immediately gives rise to symbolic integers. For example the following vector encodes a symbolic integer, whose value depends upon the variables " a " , " b " , and " c " . Chapter 5. Implementation 89 [variable "a", variable "b", variable "c"] The package provides functions for creating such "integer variables". For example, the func-t ion call bvMakeVar 4 "x" returns a bit-vector of four boolean variables named " x . O " , " x . l " , " x . 2 " , and " x . 3 " . Thus , the result can be viewed as a symbolic integer variable, that ranges over the values —8, — 7 , 6 , 7. Such symbolic integers can be manipulated by the arithmetic and comparison functions defined for bit-vectors. For example, the following code-sequence binds z to a bit-vector representing the addit ion of the two 8-bit integer variables " x " and " y " : l e t x = bvMakeVar 8 "x"; let y = bvMakeVar 8 "y"; let z = bvAdd x y; Each component of the bit-vector z that results wi l l be a symbolic function of the variables "x .O" ... "x .7" and "y.O" ... "y .7 " . Consider the conditions under which the result z is less than x. Clearly, this can occur only when y is negative - that is its sign bit y.O is T. Thus , the following code fragment returns the value T. (variable "y.O") === (bvLess z x) The package also includes functions that instantiate integer variables. In particular the function call bvGreatest y p returns the greatest instantiat ion of the symbolic value y that is consistent wi th the boolean function p. For example, fol lowing the code-fragment returns — 1, the greatest value for y that makes z less than x. bvGreatest y (bvLess z x); Conversely, bvLeast y p returns the smallest instantiation of y that is consistent wi th p. The package also has support for conditional expressions involving integers in the form of a choice operator bvChoose. For example, the following code returns a symbolic integer representing the m i n i m u m of x and y. Chapter 5. Implementation 90 bvChoose (bvLess x y) x y Integer substi tution is supported by the function bvSubst. Let v be list of unique integer variables, let e be a list wi th the same length as v of symbolic integer values, such that each value e ; can be accommodated by the variable U j , and let p by a symbolic boolean funct ion. The call subst v e p wi l l return the result of subst i tut ing each values e; for the variable u, in p. If v is not a list of unique integer variables, or if some value e; cannot be accommodated by the variable t;,-, then a run-time error results. Thus , the following code-fragment returns the value T. let x = bvMakeVar 8 "x"; let p = bvLess x (int2bv 10); bvSubst [int2bv 4] [x] p; Thus , bui lding on top of the existing support for symbolic boolean functions, a package is defined that implements symbolic integers. The package encodes integer values and variables as vectors of symbolic boolean functions. Symbolic integer variables are declared by specifying a name for the variable, and the number of bits to include in the representation. Symbolic integers can be manipulated using arithmetic , comparison, and choice operators defined on bit-vectors, yielding symbolic results. Moreover, symbolic integer values can be substituted for integer variables in boolean functions. A s a result, sets of integer n-tuples can be represented and manipulated using the descriptors and characteristic functions just as sets of boolean n-tuples were manipulated in Section 5.1.2. For example, the set of pairs of integers between —8 and 7 for which the first integer is less than the second could be represented by the following code: l e t x = bvMakeVar 4 "x"; let y = bvMakeVar 4 "y"; let d = [x,y]; let f = bvLess x y; Chapter 5. Implementation 91 ( d , f ) To test whether a particular pair, say [2, 3] is in the set, the fol lowing substitution is performed: b v S u b s t [ i n t 2 b v 2 , i n t 2 b v 3] [d] f ; 5.1.4 Fixed-point N u m b e r s The symbolic integer representation described above is extended to include a larger subset of the rationals. In this new fixed-point representation, each integer is combined with a scalar multipl ier that must be a power of two. Each such multiplier 2X is represented by its exponent x. T h u s a fixed-point number is encoded as a pair of integers, (n,x), representing the rational number n * 2X. The fixed-point package defines $ as an overloaded infix operator that pairs any combination of integers and bit-vectors, returning a f ixed-point number. For example, the number 5 * 2 3 can be writ ten as 5$3. The symbol " is defined as a unary negation operator, that promotes standard integers to bit-vectors. So, the number 5 * 2 ~ 3 can be wri t ten as 5$ ~3. F ina l ly , the symbol ' is defined a prefix function that promotes integers to fixed-points. T h u s the notation '4 is an abbreviation for4$0, both of which represent the number 4 * 2° . O n l y the mantissa is allowed to be symbolic in the fixed-point representation. T h i s is enforced by the $ operator. F ixed-point variables can be created much as integer variables can. Such a variable is specified by call ing the function makeVar, giving a name and a prototype value. The result wi l l be a fixed-point value whose exponent is f ixed, and equal to that of the prototype. The mantissa wi l l be an integer variable wi th sufficient bits to represent the mantissa of the prototype. If the prototype mantissa is positive, the variable wi l l range over the integers from 0 up to, but not including, the smallest power of two that is greater than the prototype mantissa. For example, the code fragments MakeVar " x " (3 $ 1) and MakeVar " x " (2 $ 1) both return a fixed-point variable that ranges over the values {0 * 2 ,1 * 2, 2 * 2, 3 * 2}. If the prototype mantissa is negative, (i.e., —k for some positive k), then the variable wi l l range over the integers from the greatest power of two less than or equal to — k, up to but Chapter 5. Implementation 92 not including the smallest power of two greater than k. For example, the code fragments MakeVar "x" ("4 $ 1) and MakeVar "x" ("3 $ 1) both return a fixed-point variable that ranges over the values {—4 * 2, —3 * 2 , 2 * 2 , 3 * 2}. A s wi th the bit-vector representation of integers, the standard arithmetic and comparison operations are provided for fixed-points. However, since fixed-points are the main representation for numbers, their operators are bound to the symbols that are conventionally used to represent them. Thus , for example, the code-fragment 4$3 + 1$ "2 can be used to add the two numbers 4 * 2 3 and 1 * 2 ~ 2 yielding 129 * 2 ~ 2 . A d d i t i o n and subtraction is performed on fixed-point numbers wi th differing exponents by first converting the operand wi th the larger exponent so that its exponent is equal that of the other operand. Then the operation is performed on the mantissas. M u l t i p l i c a t i o n is performed by mult ip ly ing the mantissas and adding the exponents. N o attempt is made to reduce the results to a canonical fo rm. A s a result, comparison operations must convert their operands so that they have the same exponents. A s wi th booleans and integers, fixed-point subst i tut ion is supported. Let v be list of unique fixed-point variables, let e be a list wi th the same length as v of symbolic f ixed-point values, such that each value e, can be accommodated by the variable u,-, and let p be a symbolic boolean funct ion. T h e call Subst v e p wi l l return the result of subst i tut ing each value e; for the variable u,- in p. Thus , the following code-fragment returns the value T. l e t x = MakeVar ('15) "x"; let p = x < '10; bvSubst C'8] [x] p; If v is not a list of unique fixed-point variables, or if some value e; cannot be accommodated by the variable then a run-t ime error results. Thus , from the bui l t - in representation for boolean functions, the fixed-point package builds a representation for fixed-point numbers. A n y rat ional number of the form n * 2X can be Chapter 5. Implementation 93 represented. The package provides functions for performing symbolic ar i thmetic wi th fixed-precision symbolic variables, for existentially quantifying such variables, and for subst i tut ing values for variables in symbolic functions. Observe that the fixed-point representation subsumes the integer and boolean representations described above. Henceforth, f ixed-point representation wi l l be assumed for all numbers and booleans. In the tabular notation for trace-automata, the symbol T wi l l be used to refer to the type fixed-point. Using the descriptor/characterist ic function representation, sets of fixed-point n-tuples can be represented and manipulated, as has been described for booleans and integers. In the following sections, these capabilities are taken as pr imit ive . 5.2 Discrete Trace -Auto mat a Based upon the symbolic fixed-points described above, the package t r a c e _ a u t o m a t a defines a representation for discrete trace-automata. The implementation described here is restricted to discrete automata that are smooth. Thus , each transit ion of such an automaton wi l l consume either zero or one symbols from each of its input tapes. Recal l f rom Chapter 3 that a trace-automaton is defined by a signature, a state-set, an ini t ia l state set, and a transit ion relation. A discrete input tape is created or declared by a call to the function SimpleTape. T h e function is supplied with arguments representing the name of the tape, a prototype fixed-point value, and a pretty-printer funct ion that wi l l be used to print counter-example traces when a verification fails. For example consider the following code-fragment. l e t x = S i m p l e T a p e " t p l " ( ' 3 ) p p l n t The str ing " t p l " is a name for the tape. Recall that the symbol " ' " promotes integers to fixed-points, so that ' 3 is the fixed-point number 3 * 2° . Assuming that symbol p p l n t is bound to a pretty printer for integers, the code wi l l bind x to a discrete tape named " t p l " that contains sequences of integers (fixed-points wi th zero exponents) in the range 0 to 3. A trace-automata signature is represented as a list of tapes declared this way. Chapter 5. Implementation 94 The function StateVar declares such a state-variable. It accepts the same arguments as the SimpleTape function - a name, a prototype-value, and a pretty-printer . It returns a discrete state variable capable of taking on any of the values represented by the prototype. A trace-automata state-space is given as a list of such state-variables. A trace-automaton is created wi th a call to the function makeTA. The function accepts three arguments. A signature, a state-space, and a trace-automata table generator. The trace-automata table generator is a function that generates a description of the transit ion relation and the initial-state set of a trace-automaton. These descriptions are encoded in a special structure called a trace-automata table. Ul t imate ly , the function makeTA returns a structure consisting of the signature, the state-space, a symbolic boolean function representing the ini t ia l state set, and a symbolic boolean function representing the transit ion relation. A s an i l lustrat ion, consider the following simple machine my. It has two tapes, named " a " and " b " each of which contain discrete traces of the integers 0 and 1. The machine ensures that the ith symbol consumed from " b " matches the 2ith symbol consumed from " a . " The tapes " a " and " b " and the state-variable " x " can be defined by the following code-fragment: l e t tapeA = SimpleTape "a" C D pplnt; le t tapeB = SimpleTape "b" ( ' 1 ) pplnt; le t statV = StateVar "x" ( ' 1 ) pplnt; The trace-automaton is then defined by the following code. Note that the double-slash / / introduces a comment that extends unti l the end of the line. l e t myTableGen ( [x], Ex ' ] , [Ea],Eb]]) TAT [([['0]],[],[],T)] E / / x tape a tape b side condition ([['0]],[['!]],[ [['0],['l]] EE]] ] , T), ( [ [ ' ! ] ] , C C'0]],[ [ [ ' ! ] ] , EE'i ] ] , T), Chapter 5. Implementation 95 ( [ [ ' ! ] ] , [ [ ' ( ) ] ] , [ [ [ ' 0 ] ] , CC'O] ], T) ] ; l e t m_y = makeTA [tapeA,tapeB] [stateV] myTableGen; Recall that a transit ion relation is a subset of S X S X D*, where S represents the state-space and D* is a finite behaviour of its signature D. The arguments to m a k e T A establish an order amongst the state-variables that make up the automaton's state-space, and the tapes that make up its signature. Given this order, the transit ion relation can be specified by giving a set of tuples, each of the following form, where n is the number of state-variables in its state-space, m is the number of tapes in its signature, each s, and s[ are fixed-point numbers, and each d{ is a finite trace of fixed-point numbers. The third argument to m a k e T A is a trace-automata table generator. T h i s is a funct ion, myTableGen in the example, that accepts a single argument - a tuple of three lists. The first list is a symbolic representation of the the state of the trace-automaton before making a transi t ion. It consists of a list of symbolic f ixed-point variables, one for each state variable. The second list is a symbolic representation of the state of the trace-automaton after making a transi t ion. The third is a list of finite traces, each of length 1, one from each tape in the trace-automaton's signature. They represent the first symbols on each tape just prior to the transi t ion. The table-generator returns two boolean expression tables combined wi th the type constructor TAT. The first table describes the ini t ia l state set of the automaton. The second table describes the transit ion relation. The tables are essentially nested-list representations of the a n d / o r tables that were first introduced in Chapter 3. For example, the transit ion relation is presented as a list of transitions. Each transit ion is described by four components: a list of possible values for each of the state variables before the transi t ion, a list of possible values for each of the state variables after the Chapter 5. Implementation 96 transi t ion, a list of possible traces to be consumed from each of the tapes during the transit ion, and an arbitrary boolean expression. T h e relation is formed by the dis junction of the predicates represented by each transi t ion. A transit ion pairs each "variable" (before-state variable, after-state variable or tape) x with a list of possible "values" v\, v 2 , v n . It represents the conjunction of the predicates x £ {v\, v2, • • • ) vn} formed by each such pair ing. For example, the transitions in myTableGen represent the following characteristic function - given using the a n d / o r table format. Sl di d2 0 1 <0),<1> 0 1 0 (0) <o> 1 0 (1) (1) S imi lar ly the first table, in this case wi th only one entry, represents the initial-state set {si | s i = 0}. T h e entries in the tables are not l imited to constants, but may contain references to the function's arguments. Formally , the arguments introduce existentially quantified variables that are impl ic i t ly tied to the corresponding component of the relation being defined. For example, an equivalent definition is given by myTableGen2 below l e t myTableGen2 ( [x] , [x'] , [ [a] , [b]]) = TAT [ ( [ [ ' 0 ] ] , [ ] , [ ] , T ) ] [ / / x x' tape a tape b ( [ [ ' 0 ] ] , [ [ ' 1 ] ] , [ [[a]] , [[]] ] , T ) , ( [ [ ' 1 ] ] , [ [ ' 0 ] ] , [ [ [a] ] , CCa] ] , T ) , ] ; Chapter 5. Implementation 97 Formally , the definition corresponds to the following characteristic funct ion. 3a:, x', a, b • S\ = x A . s[ = x' A d i G (a) , () A d2e(b),{) A S i s i di d2 0 1 (a) 0 1 0 (a) (a) Recall that transitions have a fourth component, an arbi trary boolean expression whose discussion was postponed earlier. The value of this expression is conjoined wi th the predicate defined by the transi t ion. For example, myTableGen3 is a t h i r d , equivalent definition of the table generator. l e t myTableGen3 ( [x] , Cx ' ] , [ [a] , [b]]) = TAT [ ( [ [ ' 0 ] ] , [ ] , [ ] , T ) ] [ / / x x' tape a tape b ( C C ' 0 ] ] , [ [ ' 1 ] ] , [ [[ a]] , [ [ ] ] ] , T ) , ( [ [ ' 1 ] ] , [ [ ' 0 ] ] , [ [[ a ] ] , [[ b] ] , a == b ) , ] ; Chapter 5. Implementation 98 The formal definition is given by the following expression. 3x, x', a, b • S j = x A s\ = x' A dle{(a),Q} A €{<&),<>} A Sl di d2 0 1 1 0 (a) (a) 0 T (b) a = b Given a list of tapes, a list of state-variables, and a table-generator funct ion, the imple-mentation of makeTA is straight-forward. F r o m each state variable i , symbolic "before" and "after" variables are created by appending special symbols the the state-variable name. The "before" variable s; is generated by appending the character " " ' to the variable name. S imi-larly the "after" variable s'{ is generated by appending the character " ' " to the variable name. For example, in the definition of my above, the "before" state variable would be generated by the call makeVar "x"1 ( ' 1 ) ; the "after" state variable would be generated by the call makeVar "x"' 'CD The finite traces di are represented by a pair of fixed-point variables - one ranging over {0,1} representing the length, and the other representing the value. T h e variable representing the value is s imply given the name of the trace, whereas the variable representing length is given the name of the trace with the symbol "#" appended. For example, length of the trace consumed from tape a would be represented by the variable makeVar "a#" CD. The symbol consumed (if any) would be represented by the variable makeVar " a " CD. These variables are passed as arguments to the table-generator. T h e resulting table structure is then used to construct symbolic boolean functions repre-senting the initial-state-set and the transit ion-relat ion. The result is a representation consisting Chapter 5. Implementation 99 of characteristic functions for the ini t ia l state set and transit ion relations, and lists of of trace-variables, and state-variables from which descriptors are constructed as required. T h e implementation supports the operations of composit ion and hiding in the obvious way. Compos ing two automata amounts to no more than taking the union of their state-variables, taking the union of their tapes, forming the conjunction of their next-state-relations, and form-ing the conjunction of their initial-state-sets. The implementation provides an infix binary operator CC that does exactly that . H i d i n g a tape involves removing it f rom the list of tapes, and existentially quantifying the variables representing it in the transit ion relation. The i m -plementation provides a function H i d e v m that given an automaton m and a list of tapes v returns the result of hiding v in m . 5.3 Testing for Language Containment In Chapter 4, an algorithm was presented for testing language containment. The algorithm was conservative, in that it could yield false negative results if the automata in question were not compatible, or if the specification was non-deterministic. Based upon a forward breadth-first exploration of the reachable state-space of the composition of specification and implementat ion, it consists of three steps. T h e set of reachable states in the product machine m\\s is computed. Then it is checked that there is no state in this set from which m can perform an action that s cannot. F ina l ly , should this check fa i l , a counter-example is generated. 5.3.1 Explor ing the Reachable State-Space In the implementation presented here, a sequence of symbolic functions, So, S \ , S n called the reachable state chain is computed. Each function in the sequence represents a set of reachable states. The first function So represents the ini t ia l state set of the composit ion m || s. Each subsequent function 5i+i represents the set of states that do not appear earlier in the sequence, and are reachable in one transit ion from the preceding set 5,-. Since m and s are both finite-state automata , the sequence has only a finite number of elements, the union of which gives Chapter 5. Implementation 100 the set of reachable states in the composit ion. T h e check that m can perform no action that s cannot can be accomplished by checking each state-set in the sequence. Should any check fai l , the sequence allows a counterexample-trace to be generated efficiently. A t the heart of the implementation is the function S tep M Sj that takes a trace-automaton M and a symbolic function 5 / representing a set S of states, and returns the set of states S' that can be reached from S in one transi t ion. T h a t is, it computes the following set. Let d z be the lists of "before" variables, "after" variables, and "trace" variables that are impl ic i t in M, the representation of the trace-automaton. The set A is represented by its characteristic funct ion, Aj that is given explici t ly as part of M, and the implic i t descriptor A ^ = xx'z. The set S is represented by the characteristic function Sj, and the implic i t descriptor Sd = x. A s discussed in Section 5.1.2, the computat ion of S'j can be performed by choosing descriptors Sd, s'd and u>d and evaluating the following expression. The descriptors Sd, and are chosen equal to x , x ' and z respectively. Thus , sd = Sd and Sds'dw = Ad- A s a result, the substitution of sd for Sd and Sd-s'dWd for Ad amount to replacing variables wi th themselves and can be omit ted . T h e following expression results. The actual implementation of S tep returns a result wi th the implic i t descriptor x instead of a;', requiring a final substitution of x for x'. Given this implementation of S t e p , it is straight-forward to construct the reachable state chain. The second argument r e a c h e d to the recursive function r s s represents the set of states that have been seen so far at each recursive cal l . S'= {s' \3s,w • (s e S A ss'w G A ) } 3xz • (Sj A A ; ) {3xz • {Sj A A J ) ) [ X / A Chapter 5. Implementation 101 l e t reachableStateChain m = let I = in i t i a l S t a t e s m in letrec rss S reached = ( S === F) => [] | let S' = step m S in S:(rss (S> AND (NOT reached)) (reached OR S')) in rss I I; 5.3.2 Checking for Violations Once the reachable state chain has been constructed, it is straight-forward to check each state-set to confirm that the implementation m is not capable of performing any action prohibited by the specification s. Construct symbolic representations of the sets Am and As defined as follows. Am = {{x,w) \3x'• (x,x',w) £ Am} As = {(x, w) | 3x' • (x, x', w) G A s} Then confirm that for each state-set 5,- in the reachable chain of m \\ s, the following set F8- is empty. Fi = {{{xs, xm),w) | (xs, xm) G Si A -(xm, w) G Am A (xs, w) G" As} 5.3.3 Constructing a Counter -Example If one of the violation checks fails, a counter-example is constructed. Let j be the index of the the first non-empty set F ; . The example is a sequence of j + 1 states s and actions w that lead f rom an ini t ia l state to the failure. M o r e precisely (SJ,WJ) G Fj, each (SJ, S j + i , wA G A(m||s), and each Si G Si. The functions Greatest or Least can be used to instantiate a particular element (SJ, Wj) of Fj. Each preceding element (s;, Wi) for i < j can be constructed by choosing Chapter 5. Implementation 102 an element in the following set based on {(s, w) | s e Si A ( s , s i + 1 , Wi) G A (TO ll s)} 5.3 .4 A M o r e E f f i c i e n t A l g o r i t h m The preceding language containment algorithm suffers from two major drawbacks. It requires that the machine m||s be constructed explicit ly. If m and s are both large to begin w i t h , the explicit representation of their composition wi l l generally be unreasonably large. The algorithm can also result in very long reachable-state-chains. For example, to explore the state-space of the audio control protocol (to be described in Chapter 6) requires several thousand transitions. If there is l i t t le sharing amongst the B D D s in the chain, such long chains wi l l require excessive amounts of memory. Furthermore they yield very long counter-examples that are hard to interpret. The improved algorithm relies on two observations about trace-automata. F i r s t , trace-automata communicate only by shared tapes: they share no state variables. T h u s , in a com-posit ion, the state-spaces of the components are independent. Let M = TOI || TO2 || • • -|| mn be the composition of n trace-automata. It is not generally necessary to construct M explicit ly in order to construct its reachable-state chain. Recall the function S tep M S that computes the set set S' of states reachable from states in S in one transit ion of M. Th is section shows how to compute S' f rom a list TOI, TO2,mn of components of M, without actually constructing M. Recall the definition of S1. S' = {s | 3s, w (s e S A (s,s',w) e A ( M ) ) } The improved version of S tep constructs a sequence of sets Z defined (and computed) recursively as follows. Z i = {w,s'vs2, ...,sn | 3 s i • (si,s2, ...,sn) £ S A (s1,s'1,w) £ A ( T O I ) } Si, •••,««) € Z t - _ i A ( 'n Si, s 'i:w) e A (TO,)}; 1 < i < n Chapter 5. Implementation 103 Each set Z{ is obtained from its predecessor by replacing the states of machine i , as they were before making a transit ion, wi th those that result after a transit ion is taken. It is straight-forward to show that 5", the set of states that result from the composit ion making a transit ion is just the projection of Zn. s' = {(*;,...,<) ^ - K s ; , . . . , * ; ) ezn} The proof is by induction on n, the number of automata . T h e base case, n = 1, is t r i v i a l . The inductive step relies only on the independence of state variables and the associativity of automata composit ion. In the revised implementation of S t e p , each set Z{ is represented using the before-variables of all the automata as descriptors. A s a result, each step requires one existential quantification and one subst i tut ion. Zis = (Bsi-Zi-ij A A ^ , - ) , ) A model of a complete system is typical ly generated by composing models of its many components. M a n y of the tapes that form the connections between components may not be involved in the system specification, and can be hidden in the final model . In the audio-control protocol that wi l l be discussed in Chapter 6, the tapes representing the analog channel can be hidden. T h e specification is wri t ten entirely in terms of the communicat ion between agents and their environments. The result of such hiding is often an automaton that can make many transitions without consuming any of its visible tapes. For example, each transit ion in the audio control system represents the passage of one micro-second. C o m m u n i c a t i o n between the timers and the agents occurs approximately once in 220 micro-seconds. T h u s the port ion of the model consisting only of the bus model and the timers, wi th the internal tapes hidden, can typical ly make about 220 transitions without consuming any of its visible tapes. Invisible transitions such as these are generally called r - transi t ions . Every trace-automaton is capable of stuttering - making a r - t rans i t ion that leaves the state unaltered. Each automaton in a composit ion has an independent state space. A s a result, the Chapter 5. Implementation 104 set of states that could be reached from some state of M by r- transit ions alone, is the same that results from allowing each component of M to make r- transit ions independently. Let M = m\ j] m.2 || • • -mn be a composition of n trace-automata. Let S t e p T ( 5 ) , be a function that returns the set of states of M that are reachable from some state in S in one r - t rans i t ion . S tep T (5 ) = {s' | 3s -s £ S A (s ,s ' , r) £ A ( m ) } • Note that S C S t e p T ( 5 ) , since M is always capable of s tutter ing. Let 5 * be the set of states reachable from S by zero or more r- transi t ions. The set S* can be expressed as a least f ixed-point as follows: S* = M S ' - S u S t e P r ( S ' ) Rather than building the entire reachable state-chain, the improved algorithm does not record the intermediate state-sets that result from r- transi t ions. Before, each set S , - + 1 represented the new states that could be reached from the set Si by a single transi t ion. The improved algori thm builds a chain in which each set Si+\ represents the new states that can be reached from Si by a single transit ion, followed by zero or more r-transitions. T h i s results in a much shorter chain, that requires less space for its representation, and that can be generated more efficiently. The cost is some increased difficulty in generating counter-examples. Whereas before, the "gap" between a set Si and its successor S,-+i was a single transi t ion, successive state sets may now be separated by many r- transi t ions. If this is the case, a number of back-tracking steps wi l l be required to generate each stage in the counterexample. 5.4 Approximations of Continuous A u t o m a t a In previous sections, a representation for discrete finite-state trace-automata has been presented. Here, we present an extension that facilitates the representation of discrete abstractions of continuous traces. Recall that a discrete abstraction of a continuous trace involves a discretization of both values and t ime. T i m e is discretized by dividing each 7^-trace w into pieces, w = WQWI • • •, Chapter 5. Implementation 105 such that each iu; has length 8 for some fixed constant 8. Real values are discretized by part i t ioning the reals, and representing each part i t ion by a fixed-point number. Each symbol in the discrete abstraction consists of a pair of such fixed-point numbers - the min imum and m a x i m u m discretizations of the values achieved by the corresponding piece of the real-trace. If / is a value discretization function, the notation ip[f] denotes the function that maps the finite traces w; to such pairs. If 8 is the length of the pieces into which w is part i t ioned, then ip[8, f] denotes the function that maps w to the sequence (ip[f]{wo), i>[f]{w\), •••)• Recal l that a value discretization function / is a non-decreasing function from the reals to the integers. The floor f(x) = [x\ is a famil iar example of such a discretization. If / is a value discretization, then ip[f] maps finite real-valued 7^-traces w to pairs (l,u) such that / and u are respectively the m i n i m u m and m a x i m u m discretizations of w. I = m i n i e 7 Z [ 0 , | w | ) f{w{t)) u = m a x t e n [ o M ) f(w(t)) For example, suppose that w is the finite-length TvVtrace wi th length \w\ = 1, defined by w(t) = 2t. T h e trace w defines a part ia l function from 7Z[0,1) to 1Z[0, 2). Let f(x) = [x\. Then ip[f](w) = (0,1). The smallest discretization of a value achieved by w is 0. The largest is 1, since w never actually achieves the value 2, and for any 0 < e < l , [2 — ej = l . O n the other hand, let f(x) = |Y|. Then tp[f](w) = (0,2). A s a direct consequence of this definition, the interval-valued inverse function / _ 1 has some useful properties. Let (/, u) = '[/'[/K^) for non-decreasing / and for w of length 8 > 0. P r o p o s i t i o n 5 .4 .1 I < u P r o p o s i t i o n 5 .4 .2 There are times t\ and tu in TZ[0,8) such that w(ti) € / - 1 ( 0 and w(tu) 6 Value discretization functions are represented in the implementation by constructing their interval-valued inverses explicitly. T h a t is, a value discretization is represented by an F L func-tion that maps from fixed-point numbers to real intervals. A package is provided that defines Chapter 5. Implementation 106 a representation for intervals of reals wi th fixed-point boundaries. Each interval is represented by a pair of fixed-point numbers, representing the boundaries, and a pair of booleans indicat ing whether the boundaries are open (F ) or closed (T). For example the half-open real-interval ft[2,4) would be represented by the F L structure ( ( ' 2 ,T) , ('4, F ) ) . In addit ion, the package provides a function i U n i o n that computes the least-upper bound, denoted l+J, of two intervals wi th respect to the set-inclusion ordering. Given two intervals A and B, the interval A l+J B is the smallest interval that contains both A and B. P r o p o s i t i o n 5 .4 .3 If (l,u) = ip[f](w) is the abstraction of trace w of length 8 > 0, then for all timest £7Z[0,8), w{t) £ f ' 1 ^ ) ^ f'^u). For example, let w(t) = 3 i be the trace with length = 1 from before, and let f(x). = [ x j , so that V [ / ] < » = (0,2). The inverses are / _ 1 ( 0 ) = ^ [ °> !)> a n d / - 1 ( 2 ) = 7Z[2,3) respectively. Thus , the union / _ 1 ( 0 ) 1+1 / _ 1 ( 2 ) is the interval 7£[0 ,3) . The proposit ion simply asserts that V i £ TZ[0,1) • w{t) G ft[0,3). A n rc-ary relation over the reals, R C 7ln induces a corresponding n-ary relation over sets of reals R that is defined as follows. (Xi,...,Xn) G R = 3xi G Xn,...xn G X n ' \X\, • ••, Xn ) G R Sets X\...Xn are in R if and only if they each have members x \ , x n in R. Functions are provided by the interval package for constructing such relations R. For ex-ample, the comparator i L e q A B is satisfied by any intervals A and B for which there exist reals a £ A and b £ B such that a < b. The operation i P l u s A B returns the smallest interval C such that for every a £ A and b £ B there exists a c G C such that a + b = c. Thus , the comparison i L e q ( i P l u s A B) D is satisfied by intervals A, B, and D for which there exist reals a £ A, b £ B, and d £ D such that a + b < d. The F L function s2i defines a family of uniform value-discretization functions by represent-ing their inverses. Each positive fixed-point number m * 2 e maps to the interval TZ((m — 1) * 2 e , m * 2 e ] , while each negative fixed-point m * 2 e represents the interval 7l[m * 2 e , (m + 1) * 2 e ) . Chapter 5. Implementation 107 The fixed-point numbers 0 * 2 e represent the point-interval 7£[0,0] . Suppose a; is a fixed-point variable. T h a t is, its mantissa is an integer variable, and its exponent is a fixed integer e. The function s2i maps the values that such a variable can attain, to adjacent non-overlapping intervals. For example, let x have exponent e = 1, and a 3 bit mantissa. It is thus capable of attaining the following set of values {—8, —6, —4, —2, 0, 2,4,6}. The image s 2 i x would be the corresponding set of intervals, { [ - 8 , - 6 ) , [ - 6 , - 4 ) , [ -4 ,2) , [-2, 0), [0], (0, 2], (2,4], (4, 6]}. The constant exponent e dictates the granularity of the discretization - each interval has length 2 e . If / is such a discretization, then ip[5, f] defines a partial function from real-valued 7^-traces to traces of fixed-point pairs. It is part ia l , because / only discretizes a finite sub-interval of the reals - 1Z[—8,6] in the above example. T h i s may be acceptable, if it can be established independently that no system behaviour ever produces a trace that exceeds these boundaries. To represent traces where bounds cannot be established a-priori, the fixed-point number representation is extended to provide representations for +oo and —oo. Note , that these rep-resentations are intended only for use as the boundaries of intervals, and are not provided for general use in the definition of automata . A s a result, no semantics need be defined for such problematic operations as adding +oo to —oo, since such operations are never performed. T h e function i n f _ s 2 i , is just like s 2 i , except that it maps the greatest and least value attainable by its argument to unbounded intervals. For example i n f _ s 2 i would map x above to the intervals { [ -oo , - 6 ) , [-6, - 4 ) , [ -4 ,2 ) , [-2, 0), [0], (0, 2], (2,4], (4,oo]}. Recall that transliterations are stateless trace-automata that consume all of their tapes at the same rate, enforcing a pointwise relationship between them. For. example, let R = {(y,x) | y — 2x). The trace-automaton M Y = 2 X that consumes two traces x and y, enforcing V i G TZ • y(t) — 2x(t) would be a continuous-time transliteration of R. In the sequel, a general procedure for construct ing l iberal approximations for transliterations is derived. Moreover, it is shown that this procedure yields the best possible approximation for the given abstraction functions. T h a t is to say, given an abstraction function ip, the language accepted by the machine M that is obtained by this procedure is contained in that of any other approximat ion that is Chapter 5. Implementation 108 Table 5.13: A liberal approximation of y = 2x M Y = 2 . D S I A 3xi,xu,yi,yu • Xt = A Xu = (xu) A Y = (yi) A Yu = (yu) A yi < Vu A xi < xu A (fyHvi), (/^WW/;1^))) e {(y,x) | y = 2x} A (fyHVu), (f-1(xi)Vfx1(xu)))e{(y,x)\y = 2x}A. (UyHvi)wfyHvu)), fcHxi)) e {(J/ .x)\ y = 2x}A (UyHyd^fyHyu)), f^(xu)) e {(y,x) \ y = 2x} l iberal wi th respect to ip. Let S be a fixed positive real. Let fx and fy be discretization functions, mapping from the reals to fixed-point numbers. Let ipx = ip[S, fx], and let ipy = ip[S, fy]. We wi l l show that the discrete automaton M Y - 2 X defined in Table 5.13 is a liberal approximat ion of M Y - 2 X with respect to ipx@ipy. M o r e generally, consider an n tape transliteration representing an arbi trary relation R C 7ZN. Suppose that discretization functions / i , . . . , / n have been defined so that their inverses are available. Let 8 be a fixed positive real constant defining a time discret ization. Theorem 5.4.5, which follows, gives a way to construct a l iberal approximation of the continuous transliteration representing R wi th respect to any abstraction function ip[S, fi](&ip[5, f2](&- • -®ip[5, fn] derived from these discretizations. Moreover, it says that the approximation so constructed is the best possible approximation with these abstractions. Let MR be an n tape transliteration of R. For each tape i, let ipi = tp[S, fi\. Define ip~l(l, u) as the set of all values x that could be in the range of a trace that is abstracted by (/, u). W h e n / < u this is exactly the set ff1 (I) 1+) f~l{u). ip~x{l,u) d= {x \ 3xi,xu • I = f(xi) A u = f(xu) A xi < x < xu} Chapter 5. Implementation 109 I 0 otherwise Let $ = i>\®i>2®- • -(Stpn- Let MR be a discrete transliteration of n tapes, each'of which contain fixed-point pairs, and let AR be its transit ion relation. For each i, let Du and D „ ; be defined as follows: Du = { ( / i , u i ) , ( / „ , u n ) | U < Ui A Dui = {(/ i , u i ) , ( / „ , u n ) I < U{ A (^ ,r1('i> - . c ' l t 1 - ! . ' 1 ' - ! ) ' r V . } . ^ r + i C ' + i , ^ I ) - - . i - ^ ^ " » ) ) G A} (5.7) Let the .D be their intersection. D= f | (A.nD™) (5.8) l < i < n The following proposition follows immediately from the definition of D P r o p o s i t i o n 5.4.4 If ((/j, t t i ) , . . . , ( / „ , u n ) ) G £>, £/ien i/iere are traces Wi,ui2, •• -,wn such that i>[fi]{wi) = {k, Ui) for each i. T h e o r e m 5.4.5 If D C AR, then MR is a liberal approximation of MR under the abstraction Proof: Let w\,...,wn be traces of length 8 that satisfy R pointwise. Let (h,ui),(ln,un) be their abstractions. We must show that (( / i , M i ) , ( / „ , un)) G A R . For each i, Proposi t ion 5.4.1 says that (/,• < it ; ) , and Proposi t ion 5.4.2 says that at some time , Wi(ti') G f~l{li) and at some time t,-u, tu,-(i,-u) G f~l(ui). Let and t j u be such times. Proposi t ion 5.4.3 says that for all times G 7£[0 ,#) , hence for and t,-u in part icular , w,-(£,) G ip'1 {h,Ui). Since fl holds pointwise between the traces w, the tuple (xi...xn) where Xj = Wj(t'n) witnesses that ((li,ui),(ln,un)) G Du. Similarly, the tuple (x\...xn) where Xj = Wj(tiu) witnesses that ((Ii, ui),(/„, un)) G Dui. T h u s {{h,ui),(ln, un)) is in D, hence in AR. as required. • Chapter 5. Implementation 110 A s a result of this theorem, it is easy to construct l iberal approximations of transliterations. The interval arithmetic package provides the the necessary building blocks to build relations R. A set of inverses f~l of uniform value discretizations / are available from the function s 2 i . Given these tools, Theorem 5.4.6, which follows, establishes that the approximation obtained by lett ing A = D is the most conservative l iberal approximation possible, given the choice of abstraction funct ion. Th is is exactly what has been done in Table 5.13. T h e o r e m 5 .4 .6 If M is any liberal approximation of MR with respect to and AR = D, then L(MR) C L(M). Proof: Let W be any behaviour in L(MR). W can be expressed as the concatenation of of finite behaviours W ( 0 ) , W ( l ) , . . . each of which labels each tape with a str ing of length 1. Each behaviour W(j) assigns, to each tape i, a 2 - t race consisting of a single pair (U(j), Ui(j)). Since AR = D, each n-tuple u\(j)),(ln(j), un(j))) is in D. A s a result, by Proposi t ion 5.4.4 there are finite ^ - t races w\(j),W2(j), each of length 5, such that each ip[fi\(wi(j)) = (h(j), Ui(j)) for each 1 < i < n and j > 0. For each j , let W(j) be the (finite) behaviour that assigns the trace Wi(j) to each tape i, and let W be the concatenation VF(0)T47(1) • • •. T h e trace W is equal to ^ ( V F ) . Since M is a l iberal approximation of MR wi th respect to ^7, W must be in L(M). • It is generally possible to define approximations that are parameterized by the choice of discretization functions. For example, the code implementing the transli teration y = 2x is presented in F igure 5.7. In the function y _ i s _ 2 _ x , the arguments yi, yu, xi, and xu are each interval valued. T h e first two arguments to the the table generator, y _ i s _ 2 _ x _ T b l , are inverse discretization functions that are applied to the fixed-point variables yi, yu, x/, and xu to yield these intervals. Thus , when supplied wi th inverse discretization functions, s 2 i for example, the function generates a trace-automata table. Value discretizations are also useful for describing abstract state variables. For example, consider the integrator that was first introduced in Chapter 4. There, a l iberal approximation Chapter 5. Implementation 111 l e t y_is_2_x ([yl,yu],[xl,xu]) = il e q y l yu AND il e q x l xu AND ieq y l (imult ('2) (iunion x l xu) AND ieq yu (imult ('2) (iunion x l xu) AND ieq (iunion y l yu) (imult ('2) xl) AND ieq (iunion y l yu) (imult ('2) xu); let y_is_2_x_Tbl ydsc xdsc ( [ ] , [ ] , [[yl ,yu] , [xl ,xu]] ) = let y l i = ydsc y l in let yui = ydsc yu in let x i i = xdsc x l in let xui = xdsc xu in TAT C([],[],[],T)] [ (• , • ,[[[yl.yu]],[[xl.xu]]],y_is_2_x ( [ y l i . y u i ] , [ x i i , x u i ] ) ) ] ; l e t tapeY = AbstractTape "y" y_protoType fp2str; le t tapeX = AbstractTape "x" x_protoType fp2str; le t M = makeTA [tapeY,tapeX] [] (y_is_2_x_Tbl s2i s 2 i ) ; Figure 5.7: A l iberal approximat ion of the real-time transli teration of y = 2x is parameterized by the discretization function Chapter 5. Implementation 112 was constructed based upon a particular discretization functions. F igure 5.8 shows a discrete liberal integrator approximation in which the discretization functions for both state and traces have been parameterized. The time-discretization is also provided by the parameter delta. Just as wi th the transliteration, an F L function, i n t e g r a t o r is defined that computes the characteristic function of the next-state-relation for an integrator wi th 5 = 1. It represents the constraints C 1 - C 1 3 from Section 4.2. The arguments s, s', dl, du, I and u are all interval valued. The table generator, I n t e g r a t o r T b l for the integrator constructs these intervals from the inverse discretizations s d s c , x d s c and d x d s c of the state and trace variables - scaled as appropriate for the time-step given by that argument d e l t a . Fol lowing the same arguments that were used in Section 4.2, it can be shown that the resulting machine is a l iberal approximation of integration for any time-discretization S and any value discretizations sdsc, xdsc, and dxdsc. A M o r e Efficient Representation for Transliterations In the preceding section, Theorem 5.4.5 showed how to construct discrete l iberal approximations of transliterations. W h i l e direct application of this result yields good approximations, it does not lead to a very efficient representation of them. For example, in Table 5.13, the relation y = Ix on which the transliteration is based appears four times. In practice, when a number of transliterations are to be composed, w i t h intermediate values hidden, it is more efficient to use an intermediate approximat ion, that discretizes values but leaves time continuous. For example, suppose M = ( m i || • • • || mn) \ A , where m i , . . . , m n are continuous transliterations. Rather than composing fully discrete approximations m l r . .,fhn to obtain a l iberal approximation M = {rh\ || • • • || mn) \ A , the approximation is done in two steps. F i r s t , approximations m i , . . . , m ^ are built that , rather than being fully continuous, operate on continuous t ime, but wi th discrete values. T h e n , the composition M' = ( m i || • • -|| m^)|^ is formed. It wi l l also operate wi th continuous t ime and discrete values. F i n a l l y a fully discrete approximat ion M is constructed from M'. Chapter 5. Implementation 1 // "integrator" i s an encoding of contstraints CI - C13 from Section 4.2 let integrator s s' [dl.du] [l,u] = (i l e q 1 u) AND // CI (il e q dl du) AND // C2 (ieq (iadd s' (inegate s)) (iunion dl du)) AND // C3 (ieq s (iunion 1 u)) AND // C4 (ieq s' (iclosure (iunion 1 u))) AND // C5 let ds_is_non_neg = il e s s (c2i CO)) ( i i n t e r i o r dl) in let ds_is_non_pos = il e s s ( i i n t e r i o r du) (c2i CO)) in let i n f l e c t i o n = NOT (ds_is_non_neg OR ds_is_non_pos) i n (infl e c t i o n IMPLIES ( (i l e q u (iadd s du)) AND // C6 (il e q (iadd s dl) 1) AND // C7 (il e q (iadd s' (inegate du) ) 1) AND // C8 (il e q u (iadd s' (inegate dl))) // C9 )) AND (ds_is_non_neg IMPLIES ((ieq s 1) AND (i l e q (iclosure u) s'))) AND // CIO and C l l (ds_is_non_pos IMPLIES ((ieq s'(iclosure 1)) AND (ieq s u))); // C12 and C13 le t IntegratorTbl delta sdsc xdsc dxdsc ([s],[s'],[dx,x]) = let s_dxdsc a = imult delta (dxdsc a) in let Z = integrator (sdsc s) (sdsc s') (map s_dxdsc dx) (map xdsc x) in TAT [(C[s] ] , [ ] , [ ] , ieq (sdsc s) (c2i CO)))] [ ( [ [ s]] )[[s ' ] ] , C C d x] )[x]] )Z) ] • T; let tapeX = AbstractTape "x" x_protoType fp2str; l e t tapeDx = AbstractTape "dx" dx_protoType fp2str; l e t stateS = StateVar "s" s_protoType fp2str; l e t mint = makeTA [tapeX,tapeDx] [stateS] (IntegratorTbl delta s2i s2i s2i ) ; Figure 5.8: The definition of an integrator is parameterized by discretization functions Chapter 5. Implementation 114 Table 5.14: The discrete-time interpretation of a continuous-time transliteration of y = 2x M D x :JrZ,y: Fz S I A 3wx, wy-x = (wx) A y - (wy) A (wx, wy) G R To represent a transliteration that operates in continuous time it suffices to represent the relation R that is to hold pointwise. If the transliteration operates over discrete values, the relation can be represented symbolical ly using the descriptor/characterist ic function represen-tat ion. Compos ing two such machines amounts to little more than intersecting their transit ion relations. H i d i n g a tape amounts to a projection of the transit ion relation onto those that remain. In fact, the representation that was developed for discrete trace automata , and the operations representing composition and hiding that were developed for it can be used directly to represent such a transl i teration. For example, consider the transliteration MR of y — 2x that was discussed earlier. A real-time discrete-value approximation of it would be represented by the F L code in Figure 5.9. A l t h o u g h the same representation is used as would be used for a discrete trace-automaton, it must be interpreted differently. A " t rans i t ion" represents only the relation that must hold pointwise between the continuous-time tapes, rather than the consumption of a non-empty trace. A s a result, the composition of a continuous-time transliteration represented this way with a fully-discrete approximation would be meaningless. To complete the discretization, time must also be discretized, resulting in the famil iar (/, u) pairs. Th is can be done by building a "matching" automaton. Let R be an n-ary relation over the reals. Let MR be a continuous-time transli teration of R. Let M' be the F L representation of a liberal continuous-time discrete-value approximation of MR. If it were interpreted as a discrete-time trace-automaton, M' would represent a machine M'R that consumes words (wi),(wn) f rom each of its n tapes x \ , x n provided that {fi1[w{),f~1(wn)) G R. For example, if the F L machine M' f rom above were Chapter 5. Implementation 115 l e t simple_y_is_2_x_Tbl ydsc xdsc ( [ ] , [ ] , CCy] , [x]]) = let y i = ydsc y in let x i = xdsc x in TAT [( • , [ ] , [ ] , T ) ] C ( • , • , [ [ [ > ] ] , [[x]]],ieq y (imult >2x)) 3; l e t tapeY = SimpleTape "y" y_protoType fp2st r ; l e t tapeX = SimpleTape "x" x_protoType fp2st r ; l e t M = makeTA [tapeY.tapeX] [] (y_is_2_x_Tbl s2i s 2 i ) ; Figure 5.9: F L representation of a continuous time discrete-value l iberal approximation of the transli teration y = 2x interpreted as a discrete automaton, it would represent the machine given in table 5.14 Define an automaton Mu that reads two sets tapes, x\, ..,xn, and x[, ...,x'n. D u r i n g each transi t ion, Mu wi l l read a word (WJ) from each tape Xj, and the pair ((lj,Uj)) f rom each tape x'j, provided that , W{ = /; and that lj < Wj < Uj for every j ^ i. S imilar ly Mui reads (WJ) and ((lj, Uj)) f rom tapes XJ and x'j provided that W{ = U{ and that lj < Wj < Uj for every j / i. For each i, the composition M R ; , - = (M'R || M/ , )| Y I ) . . I Y R I gives a machine whose transit ion relation is described by Equat ion 5.6. Similarly, the composition M R U , - = (M'R || M U T - )| Y I ] . . . I Y N gives a machine whose transit ion relation is described by Equat ion 5.7. Each is a liberal approximation of the original M R , under the abstraction yi = ip[fi,S\(x{). The machine M R is formed by composing all of the machines MR„, - and all of the machines M R / ; . Its transit ion relation is given by Equat ion 5.8. Thus , from Theorem 5.4.5 it is the best l iberal approximation that is possible wi th this abstraction funct ion. A weaker (more liberal) approximation can be constructed, if desired, by omit t ing some of the machines MR/,- or M R u , f rom the composit ion. C h a p t e r 6 A V e r i f i c a t i o n E x a m p l e This chapter describes using the trace-automata verification, system on a real example. The verification problem, known as the Phi l ips A u d i o C o n t r o l Pro toco l , originated at Phi l ips , and has been studied previously by Boscher et al [BPV94] and by H o and W o n g - T o i [ H W T 9 5 ] . Several agents are to communicate using Manchester encoding over a shared serial line. A s a result of efforts to keep the implementation inexpensive, the communicat ion medium has less than ideal analog properties. O u r treatment of the problem differs from earlier treatments in two respects. F i r s t , we address the problem of collision detection and recovery which, unt i l very recently [ B G K + 9 6 ] , has been ignored in the l i terature. Given that several agents are communicat ing asynchronously, wi th no protocol to ensure otherwise, it is bound to occur that sometimes two agents transmit different messages at the same time. A robust implementation must deal wi th such collisions. Second, we develop a realistic analog electrical model of the transmission medium. Thus , we can be assured that analog effects wi l l not invalidate our verification. Indeed, the verification effort found a bug in our original collision detection algorithm that occurs as a result of just such analog effects. Correct ing the bug required a significant change in the transmission a lgor i thm, the new version of which has been successfully verified. ' Th is verification introduces the modell ing technique of time translation. A n interesting challenge of verifying the A u d i o C o n t r o l Protocol is that various components are most natural ly modelled using different abstractions of t ime. It is natural to describe the behaviour of the various analog components in terms of an absolute continuous time scale. O n the other hand, the digital components are natural ly described using discrete time, where each step corresponds 116 Chapter 6. A Verification Example 117 to a periodic local event such as a clock cycle or an interrupt. In this part icular system, there are a number of digi ta l devices, each driven by an independent clock which can drift f rom its nominal frequency by as much as ± 5 % . Thus , each agent is most naturally modelled using an abstraction of t ime that is different f rom, although loosely related to that used for the others. The technique of t ime translation constructs a trace-automaton to represent the relationship between two different time abstractions. T h i s automaton, called a time translator can be composed wi th a model using one time abstraction, yielding a l iberal approximat ion of that model wi th respect to another. Translators are used in this verification to translate from the discrete time-scales used by individual agents, to the continuous time-scale used by the analog components. The verification of the complete system is multi- level . Individual components are modelled init ial ly using a high level of precision. S imply composing all of the system components and t ry ing to verify the result directly would not be feasible. Instead, simple intermediate models of certain groups of components are built by hand. The language containment checker is used to verify that these intermediate models are l iberal approximations of the component groups they represent. T h e intermediate models are then used in place of these component groups in the system verif ication. To our knowledge, this is the only reported attempt at a multi-level verification of a hybrid system. The remainder of this chapter is organized as follows. Section 6.1 describes the A u d i o C o n t r o l Pro toco l verification problem in more detail . Section 6.2 describes the way various components in the analog circuit are modelled. Section 6.3 describes the verification of a hand-built model of the analog bus. Th is model is considerably simpler than the bus-model derived from the indiv idual components, and is used throughout the rest of the verif ication. Section 6.4 describes the way that the agents are modelled, and how time-translators are used to reconcile local t ime abstractions with the time-scale used by the bus. A s with the analog bus model, it turns out to be worthwhile to construct a simpler hand-built approximation of some parts of the algorithms, and to verify that against the model constructed by composit ion with the time Chapter 6. A Verification Example 118 translator. Section 6.5 describes the specification. Section 6.6 summarizes the results from this example. 6.1 A u d i o Contro l Bus A s the principal example in support of this thesis, we present a verification of a hybrid system, inspired by the Phi l ips A u d i o Contro l Protoco l , as reported by [BPV94] and subsequently by [ H W T 9 5 ] . S imply stated the problem is to verify the design of a local area network that wi l l allow audio components to communicate control information. The problem presented here is essentially as described in [ B P V 9 4 ] . Several audio system components, (stereos, CD-players , V C R s etc.) are to communicate over a shared serial bus using Manchester encoding. A s a result of the need to keep the implemen-tat ion inexpensive, the communicat ion must be accomplished using very little extra hardware. M o s t of the protocol is implemented in software that runs in spare cycles on processors that must be present anyway. Manchester encoding works by part i t ioning time into equal-length bit-slots. The bit 1 (resp. 0) is transmitted by causing a rising (resp. falling) edge to occur in the middle of a bit-slot. To transmit two successive Is, an addit ional (falling) edge is required between the two rising edges. It is generated at the boundary between the two bit-slots. Likewise, a rising edge is generated at the boundary between the bit-slots of consecutive 0s. The protocol implementation has to overcome a number of difficulties. 1. Since the various agents operate using local independent clocks, the protocol must deal wi th significant uncertainty about the t iming of events. Accord ing to [BPV94] , Phi l ips allows for a ± 5 % uncertainty in the t iming of all events. 2. The communications medium has less than ideal analog properties, so that it is not possible to determine wi th any accuracy when fall ing edges occur. A s a result, the imple-mentation can only depend upon the t iming of rising edges. Chapter 6. A Verification Example 119 3. A receiving agent does not know when the first bit-slot of an incoming message begins. Th is problem is resolved by requiring the voltage on the bus to be low during idle periods, and requiring every message to begin with a 1. A receiver can thus be assured that the first rising edge occurs in the centre of a bit-slot. 4. S imilar ly a receiving agent does not know the length of a message in advance. This makes it impossible to distinguish a message that ends in 1 from a message that ends in 10. Th is is resolved by requiring every message to end in 0. 1 5. Different senders may begin t ransmit t ing at approximately the same t ime, so that bus collisions may occur. 6. There may be significant delay in rising edges as well as fall ing edges For simplicity, previous authors have ignored the complications arising from problems 5 and 6 by restricting their attention to a situation in which one transmitter and one receiver communicate over a bus with negligible delay in rising edges. We extend the previous work on this problem in several new ways. 1. We model agents that are capable both t ransmit t ing and receiving. 2. We use a detailed electrical model of the bus that includes delays resulting from slope of rising and fal l ing edges 3. The transmission algorithm includes the abil i ty to detect and recover f rom collisions. To arrive at an accurate model of the delays associated with rising and fal l ing edges, we have developed a possible electrical design for the bus (Figure 6.10). T h e bus itself, is modelled as an RC load that is actively driven high and passively floats low. The agents are modelled as digital devices that are driven by independent periodic events. The inter-event period may stray from its nominal value by up to ± 5 % . T h e analog voltage on the channel is digitized by ' A minor simplification has been made here. The original specification requires messages to be either odd in length, or end in 00. Chapter 6. A Verification Example Agent 1 Agent 2 Agent n Cbus Rbus: F igure 6.10: Schematic diagram of the bus Chapter 6. A Verification Example 121 a Schmidt trigger. Agents sample the output of this trigger once per cycle. The model includes delays associated with rising and fall ing edges, as well as those associated with transistor and Schmidt-trigger latency. The agents are modelled by a pair of trace-automata. One, called the timer, is responsible for keeping track of the passage of time and interfacing with the bus. The other, called the coder is responsible for implementing the encoding and decoding algorithms. The two work together in the following way. Let Q be one quarter of the nominal length of a bit-slice (222^s). Once every Q t ime units, the timer signals the state of the bus to the coder. The coder responds by instruct ing the timer whether to drive the bus during the subsequent time period. In the absence of a rising edge, these interactions occur once every quarter of a bit-slice, as measured by the t imer. If a rising edge occurs, then the next communicat ion is postponed until one quarter of a bit-slice after the rising edge. The timer is essentially a counter that measures time by counting periodic systems events - clock cycles if it is implemented in hardware, or periodic interrupts if it is implemented in software. In response to each such event, the bus voltage is sampled. If a rising edge is detected - the previously sampled voltage was low, and the current voltage is high - the counter is reset. Otherwise it is incremented. W h e n it reaches a preset value (representing a quarter of a bit-slice) the counter is reset and the codeer port ion of the algorithm is signalled - presumably by an interrupt mechanism for a hardware t imer, or by procedure call for a software t imer. The coder is best pictured as a M e a l y machine. The basic state-machines for Manchester encoding and decoding without collision detection are given in Figures 6.11 and 6.12 respec-tively. In Figure 6.11, the labels below the arcs indicate whether the timer is instructed to drive the bus high H or allow the bus to float low L. The labels above the arcs indicate the bit-value that the agent is to transmit - 51 meaning "send a 1", 50 means "send a 0", and SE means "signal the end of the message". Note that the model captures the protocol requirements that messages must begin wi th 1 and end wi th 0. In Figure 6.12, the solid arcs indicate transitions taken when the timer has detected no Chapter 6. A Verification Example 122 Figure 6.12: Receiver state machine Chapter 6. A Verification Example 123 rising edge. The broken arcs indicate transitions that are taken when the timer has detected a rising edge. The labels indicate the decoded bits - Rl represents 1, RO represents 0, and RE represents the end of a message. The state Idl is shared by both sending and receiving algorithms. F r o m this state, an agent can begin t ransmit t ing by generating a rising edge, or can begin receiving by detecting a rising edge. Collision Detection Because the bus essentially implements a "wired or" gate, and because the decoding algorithm depends only on the t iming of rising edges, it is possible to detect collisions while preserving the integrity of one of the coll iding messages. Thus , in a collision, one of the messages wi l l always be transmitted in fu l l , while the other messages wi l l be aborted. Agents that are sending such a message, must inform their hosts of the point at which the collision occurs, and must immediately change to receiving mode. T h i s requires some addit ional communicat ion between t ransmit t ing agent and its host. In addit ion to receiving requests to send messages 5 1 , 5 0 , SE, the agent informs the host, using the Rl, RO, RE symbols, whenever a bit has been successfully t ransmit ted. Thus , for example the sequence (Si, Rl, SO, RO, SE, RE) would represent the successful transmission of the message 10. The sequence (Si, Rl, SO, Rl, RO, RE) would represent an attempted transmission of a message beginning with 10, that collided with a message which was received as 110. The question is whether the message 110 is what was sent by the other transmitter . We have investigated two transmission algorithms wi th collision detection. T h e first, which turns out to be flawed, attempts to detect collisions in part by inspecting the voltage on the bus just prior to generating a rising edge. If the bus voltage is already high, then a collision is deemed to have occurred. T h e counter-example trace that resulted from at tempting to verify this a lgor i thm, however, shows it to be flawed. The second, which we have proved correct, does not perform strict Manchester encoding. Nonetheless, it works correctly wi th the existing decoding algori thm and reliably detects collisions entirely by noting the occurrence of spurious Chapter 6. A Verification Example 124 rising edges. Col l is ion detection is discussed in detail in Section 6.4.2. 6.2 Model l ing the A n a l o g Channel A n a l o g electrical components are modelled by trace-automata that accept a real-time tapes representing voltage and current. To simplify the representation of various numerical param-eters, we adopt, throughout the presentation, some unconventional unit prefixes. The prefix k, (e.g. R = 5kQ) wi l l refer to mult ipl icat ion by 2 1 0 (1024). Similarly, m , /.t and n refer to mult ipl icat ion by 2 ~ 1 0 , 2 ~ 2 0 , and 2 ~ 3 0 respectively. Resistors Resistors are modelled by trace-automata, wi th two tracks, one representing the voltage drop across the resistor, one representing the current flowing through i t . The automaton is a translit-eration representing O h m ' s law. If the resistor being modelled were ideal, the transliteration would be the function V = IR. M o r e realistically, the resistance wi l l be known only to a given tolerance, and may vary within this tolerance over t ime, for example, due to temperature variations or aging of components. A resistor whose resistance is R(l ± e) is modelled by a transliteration of the inequality I(R — eR) < V < I(R+ eR). Capacitors Capacitors are also two terminal devices, whose voltage is the (scaled) result of integrating current over t ime. Thus , a capacitor is represented as an integrator, combined wi th a translit-eration to scale the current. Such a combination is i l lustrated in Figure 6.13. A s wi th the resistance, capacitance wi l l not be known precisely, but only to a given tolerance. A s a result the transliteration wi l l generally represent a pair of inequalities V'Cmin < I < V'Cmax rather than the function V' = I/C. Circuits Chapter 6. A Verification Example 125 V = I/C x' = i / C y x' ^ X V Figure 6.13: A capacitor V = IR I V R V R x'=I/C I x' C x' ^ X r vc V R R Trace automaton vc \_ _y Circuit Figure 6.14: A simple circuit Chapter 6. A Verification Example 126 Complex circuits can be formed by combining simple circuits. The relationship between the currents and voltages of the components, and those of the circuit nodes are described by Kirchof f ' s laws. The equations that arise are captured by a standard family of transliterations of the following form, where x \ , x n refer to the n tapes that the automaton reads, and each S{ is either 1 or —1. s\xi + s2x2 H snxn = K In the graphical depiction these automata are named = K " , where K is instantiated by a constant. T h e symbol © at the attachment point for tape i indicates that s,- = —1. The absence of such a bubble indicates that st- = 1. For example, F igure 6.14 represents a capacitance and a resistance in series. T h e trace-automata at the top and the bot tom represent the resistor and capacitor respectively. The transliteration at the right represents Kirchof f ' s voltage law V R + V c — V = 0. Kirchof f ' s current law J R = JQ could have been represented by the transliteration J R — J c = 0, but a shared tape is equivalent and simpler. Transistors W h i l e , in principle, it would be possible to give a differential equation model of the transistors that drive the bus, it would not be practical ; nor should it be necessary. Dr iven by digital signals, the transistors are used simply as voltage-controlled switches. The correctness of the design should not depend on a precise characterization of their analog behaviour while switching. It is enough that the dr iv ing transistors behave like a closed switch when the gate is fully charged (at logic level 1), and like an open switch when the gate is fully discharged (at logic level 0), and like a resistor of varying unspecified resistance while the gate is in an intermediate state. Th is means that , when the gate is at logic level 1, the source-drain voltage must be 0, while the source-drain current is unconstrained. W h e n the gate is at logic level 0, the source-drain current must be 0, while the source-drain voltage is unconstrained. W h e n the gate is in an intermediate state, the source-drain voltage must be of the same sign as the current. Chapter 6. A Verification Example 127 Table 6.15: A transistor model Q T G:{L,X,H} D [g : G, v : Tl, i : Tl]'1 S I A V i : K[0, \g\) • {{v{t) < 0) A (i(t) < 0) V (v{t) > 0) A (i(t) > 0)) A (g(t) = L=^ i(t) = 0) A (g(t) = H ^ v(t) = 0) Table 6.15 shows the transistor represented as a transl i terat ion. T h e gate charge is repre-sented by a continuous-time trace over the discrete values L,X, and H. The voltage and current are represented by continuous-time traces wi th real values. The transliteration s imply requires that the voltage and current always have the same sign, that when the gate is L, no current flows, and when the gate is H, no voltage appears across the transistor. Schmidt-Trigger One normally thinks of a (non-inverting) Schmidt trigger as having two states, conventionally labelled 1 and 0. W h e n the trigger is in state 1, the output voltage is close to the supply voltage. Once it is in state 1, the trigger wi l l remain there as long as the input remains above a threshold voltage, VTO- If the input falls below the threshold voltage Vro> then the trigger makes a transit ion to state 0. W h i l e the trigger is in state 0, the output is close to ground potential . Once in this state, the trigger wi l l remain there as long as the output remains below a threshold voltage V y i - If the input voltage is raised above this threshold voltage, the trigger toggles to state 1, and the output voltage rises unti l it is close to the supply voltage again. In actuality, the Schmidt trigger state-space is continuous. In a typical six transistor C M O S design, there are three state-holding nodes associated with the trigger, so that the state can be described by a vector in R3. In principle, one could construct a detailed analog model of a given trigger, but that would be arduous at best, and ought not to be necessary. The correctness of Chapter 6. A Verification Example 128 \ vh VT1 h m V T O 1 vl F igure 6.15: Schmidt trigger input is divided into regions a circuit using the trigger wi l l not generally depend on such a precise characterization of the trigger's behaviour. Rather than building a continuous model of the Schmidt trigger, it is more appropriate to model the trigger as a hybrid device, wi th continuous input and discrete output . Each transit ion of the hybrid model wi l l consume a single token from its discrete " o u t p u t " , and a trace of length 5, from its continuous " i n p u t " . T h e parameter, <5 represents an upper bound on the trigger's switching t ime. T h a t is, the model wi l l faithfully represent any Schmidt-trigger that guarantees to take no longer than § to switch from one state to the other. The discrete "output" is a sequence of the tokens L, H, and X. Each token represents a summary of the output voltage during the transi t ion. T h e token L represents a period throughout which the output remains below the threshold identified by the logic family as a logical 0. The token H represents a period during which the output remains above the threshold required for a logical 1. The token X represents a period during which the output achieves some intermediate value between logical 0 and logical 1. The continuous range of input voltages is divided into five intervals, named vh, h, m, I, vl, standing respectively for "very h i g h " , " h i g h " , " m e d i u m " , " l o w " , and "very l o w " as il lustrated in F igure 6.15. The region m is the interval between the thresholds VTI and VJQ. The region Chapter 6. A Verification Example 129 v h ' Output V T L h V T i : Input m VT0_ j vl r sO wO si Figure 6.16: A non-monotonic signal may cause a temporary shift in the threshold voltage vh contains voltages that are far enough above V x i to guarantee that start ing in state 0, the trigger wi l l reach state 1 in time less than 5. Similarly, the region vl represents the voltages that are far enough below VTO to guarantee that , s tart ing in state 1, the trigger wi l l reach state 0 in time less than 5. The regions h and / separate vh and vl respectively from m . For example, suppose the Schmidt-trigger is in state 1, and consider its behaviour during the next time period of length S. If the input voltage remains in the region vl for the entire period, then at the end,the trigger wi l l be in state 0 and the output voltage wil l be at logic 0. If the input voltage does not remain in the region vl, but enters / at some time during the interval, the trigger may move to state 0, and the output may drop. However, it could also wind up in some intermediate (and unstable) state between 0 and 1. The automaton has five states, named sO, wO, M, wl, and s i . The states sO and s i , read "strong zero" and "strong one" are the stable states in which the output is close to ground and supply potential respectively. Once in state sO, the trigger wi l l remain there unless the input rises above V x i - Similarly, once in state s i , the trigger wi l l remain there unless the input falls below VTO-The states wO and wl are weaker versions of sO and s i respectively. Consider the events Chapter 6. A Verification Example 130 depicted in Figure 6.16. The trigger is in state sO and, for a short t ime, the input rises above VT\. The output may not change, but the internal state may change enough to temporari ly lower the threshold VT\ to say V^x. A s a result, the state may subsequently change to s i , even though the input falls and remains below the nominal threshold Vj\. The state ivO reflects this condit ion. In this state, the output is low, and the automaton can do everything that it could do in state sO. In addit ion, it can move towards state s i even when the input lies entirely in the TO region. Similarly, the state wl is a weaker version of the state 1. T h e state M represents any state in which the output is neither low nor high. A l t h o u g h such a state would be highly unstable, equil ibrium is possible for just the right input value. Table 6.16 gives the formal definition for the Schmidt trigger automata . 6.3 A Model of the Bus Figure 6.17 shows the trace-automata representation of the analog components for a two-agent bus. F igure 6.10 shows the corresponding schematic d iagram. The model is created by composing the models already derived for the various components, wi th transliterations representing the equations that result from the connections. The machines Dl and D2 represent the dr iv ing c ircuitry - a transistor and resistance in series - for the two agents. Because the transistor and resistor are connected in series, the currents flowing through them must be identical - e.g., ipi = IQI = IR\. The voltage across the series combination is equal to the sum of the voltages across the resistor and the transistor - e.g., VQI -\-VRI — V£>\ = 0. The two drivers form a network with the bus capacitor and resistor Cb and Rb, g iving rise to the following equations. ^ R b u s = F C b u s = VBus ^ D a = ^ D b = ^ D + ^ B u s = y++ 7 D a + 7 D b _ 7 C b u s ~ 7 R b u s = 0 The first two are modelled by shared tapes. The second by summation transliterations. Chapter 6. A Verification Example 131 Table 6.16: A Schmidt trigger rrist T 1 B : {L, X, H} , S : {sO, wO, M, wl, si} D \ i: Tl''co : B* 5 1 s : S I s = sO A = 5 A s s' 0 i sO sO L sO wO L 0(h\&vh) A ->Ovh sO M X O(hWvh) A -iDvh sO si, wl X 0(h\±)vh) sO sO, wO, wl X 0(h\±}vh) A 0(l\t)vl) wO sO L -iDvh wO wO L ->C\vl A - i D u / i wO M X 0(mH)vh) A -iDvh wO si, wl X 0(m\i)vh) wO sO, wO, wl X 0(m\±)vh) A 0(/i±lu/) M M X Om M wO X 0(/l+l m) M sO X 0(u/l+l m) M wl X 0(h\Sm) M si X O(vhHim) wl si H wl wl H -iDvh A -idvl wl M X O(mWui) A -idvl wl sO, wO X 0(ml±lu/) wl si, wO, wl X 0(m\Hvl) A O(hWvh) si si H si wl H 0(l\Hvl) A ->Dvl si M X 0(l\±)vl) A -••«/ si sO, wO X 0(/Wol) si si, wO wl X 0(lWvl) A 0(h\t)vh) Chapter 6. A Verification Example 132 gta gtb BusMod XL Da i Qa v V Q a i Ra v 1 = 0 V R a Db i Qb v V Q b i Rb v 1 = 0 V R b Figure 6.17: A trace-automata model of the bus Chapter 6. A Verification Example 133 IDb Qb}\—gtb V Q b i _ VD Rb V R b ICbu iRbu VBL Figure 6.18: A n a l o g components of a two-agent bus Table 6.17: Component values used in the bus model l k f i < Ra < 1.125kfi l k f i < Rb < 1.125kfi 12kQ < Rhus < 16kQ 4nf < C b u s < 8nf V++ = 3 V Chapter 6. A Verification Example 134 Once the many internal connections are hidden, the bus is s imply a transliteration XL connected to an integrator. Table 6.17 shows the component values that were used in the bus model . To build a liberal approximation of this circuit , one simply has to choose appropriate abstraction functions. Approximat ions of the transliterations and the integrator can then be constructed using the techniques from Section 5.4. To approximate XL, real-time, discrete valued approximations are constructed for each transliteration in the model . These are then composed, and internal connections are hidden. The result, XL' is a real-time discrete valued approximation of XL. M a t c h i n g automata are then constructed to convert from real-time to discrete t ime. Recal l , that for each tape i, one can construct the matching automata Mu and Mu{. Each matching automaton represents the requirement that , during each interval , the tape i achieve some value in its m i n i m u m and m a x i m u m discretization. To model the bus, it suffices to construct the matching automata M\vi and Muvi that constrain the voltage derivative. These automata are composed independently with the transliteration model XL'. The two results are composed, as i l lustrated in Figure 6.19, yielding a l iberal discrete t ime, discrete valued approximat ion of XL. A liberal approximation of the Schmidt-trigger is built by hand. It is practically identical to the hybrid model given in Table 6.16. It has the same state-space, and reads the same tapes. The only difference is that the tape i, rather than containing a continuous trace, now contains sequences of (l,u) pairs. One pair is read during each transi t ion. Let / be the value discretization function used to approximate the Schmidt-trigger input Vbus. It is a simple matter to l iberally approximate the temporal logic formulas that label the transitions of mst. For example, the formula Ox, where x is an interval is approximated by xC\(f~1 (u)) / 0. The formula -IOX is approximated by W C x). There are some tradeoffs, however to be made in the choice of abstraction funct ion. In general, "finer" discretizations lead to more accurate models. O n the other hand, "coarser" discretizations lead to smaller models. Thus , the choice of discretization wi l l be a trade-off between precision and size. We have conducted some experiments to quantify the effects of these Chapter 6. A Verification Example 135 gta gtb v' VBus Figure 6.19: Using matching automata to construct a discrete-time approximat ion Chapter 6. A Verification Example 136 Table 6.18: Trade off between value discretization granularity and accuracy B i t s D e l t a M o d e l Size Transit ions to cross flS ( O B D D nodes) I V 0.5V 18 2 190k 69-71 114-116 16 2 64k 69-71 114-116 14 2 17k 69-72 113-117 12 2 5k 68-73 111-120 10 2 2.4k 64-77 102-131 8 2 764 52-oo 85-oo Ideal 70.3 114.67 two parameters - space and time granularity - on the accuracy of the model and the size of its representation. Table 6.18 compares the tradeoff between model accuracy and representation size. It shows the accuracy of various l iberal approximations of a model representing an 8nf capacitor discharging through a 16kfi resistor. The capacitor is ini t ia l ly charged to a voltage of 3 volts - that is, the ini t ia l state-set of the integrator was set at 3.0. The table shows the range of times at which various l iberal approximations predict the voltage can cross I V and 0.5V. Times are expressed in multiples of the time discretization 8 = 2p,s. The first column shows the number of bits that were used in the discretization of each numeric value. In a model using n bits the capacitor voltage, for example, is represented by an n bit variable, representing the voltage range between 0 and 4 ( 2 ^ n 1 ) using intervals of length 4 * 2~n. T h e final row of the table gives the t ime predicted by the closed-form solution to the precise differential equation v' = v/rc that describes the circuit wi th exact component values. Table 6.19 shows the effect of t ime-discretization on accuracy. Note that the width of the interval of uncertainty scales very closely wi th the granularity of the t ime discretization 8. T h i s is doubtless due the the highly stable nature of negative exponential equations. Table 6.20 describes the discretization functions that were used to build a l iberal approxi-mation of the audio bus. T i m e was discretized by choosing 8 = l ^ s . Table 6.21 shows the sizes of the various sub-component models that result. Notice that considerable reduction in model -size can be obtained by hiding traces. A s a result, the final model, wi th only the gate-input Chapter 6. A Verification Example Table 6.19: Tradeoff between time discretization granularity and accuracy Bi ts D e l t a M o d e l Size T i m e to cross I V 0.5V ( O B D D nodes) Transit ions Transitions /.IS 18 1 225k 139-142 139- -142 229-231 229 - 231 18 2 190k 69-71 138- -142 114-116 228 - 232 18 4 144k 34-36 136- -144 57-59 228 - 236 18 8 96k 17-19 136- -152 28-30 224 - 240 18 16 89k 8-10 128- -160 14-16 224 - 256 Table 6.20: Value discretization parameters Name Description B i t s Granular i ty Vql, Vql Voltage across transistors 3 0.5V Vrl, Vrl Voltage across dr iv ing resistors 11 2 m V iRl, iR2 Driver current 9 8 / i A Vd Voltage across drivers 9 2 m V iRb Current through bus resistance 8 8/iA iCb Current through bus capacitance 9 16//A V Derivative of bus voltage 9 4 m V / / t s vCb Bus Voltage 11 2 m V Table 6.21: A p p r o x i m a t e sizes of sub-component models expressed in O B D D nodes Name Description Size D 1 . D 2 D r i v i n g resistor and transistor 250 each X L 1 Transliteration component of bus model 190k / Integrator 14k XL1\\S Integrator and XI1 combined 220k ( X L 1 H J V Integrator and X I 1 wi th v' hidden 33k . S t l , S t 2 Schmidt Triggers 380 each BusMod F i n a l bus model 17k Chapter 6. A Verification Example 138 Table 6.22: A hand built approximation of the bus BusSpec D S_ [gta : {L, H, X} , gtb : {L, H, X} , va : {L, H, X} , vb : {L, H, X}Y t : Z[0, DnT], d :{L,H},a: {L, H, X, Y} : b : {L, H, X, Y} t = DnT A d = L A a = L A b = L let aNonlncr a a' va let bNonlncr = b b' vb H H (H) H H (H) H X H X X Y (X) X Y H, X, Y, L L (L) H, X, Y, L L (L) let Z = aNonlncr A bNonlncr t d a b t' d' a' b' gta gtb va vb DnT L a b DnT L L L (L) (L) (L) (L) DnT L a b 0 H a' b' (H), (X) gtb (a') (b') DnT L a b 0 H a' b' gta (H) AX) (a') (V) t L a b t+1 L a' b' (L) (L) va vb t < DnT A Z t L a b 0 H a' b' (H), (X) gtb (a') {b') t < DnT t L a b 0 H a' b' gta (H) AX) (a') (V) t < DnT UpT H a b UpT H H H gtb (H) (H) UpT H a b UpT H H H gta (H) (H) (H) UpT H a b 0 L H H (L), (X) (X) (H) (H) t H a b * + l H a' b' gtb (a') (b') t < UpT t H a b t + 1 H a' V gta (H) (a') (b') t < UpT t H a b 0 H a' b' (L), (X) (L), (X) (a') t < UpT and Schmidt-trigger output exposed is relatively smal l . A s small as it is, the final model is st i l l too large to be used in the ful l system verification. Fortunately, it contains considerably more information than is actually needed. For example, it contains a detailed description of the negative exponential trajectories of the bus voltage as the capacitor charges and discharges. A l l that really matters for this verification is the t iming of rising and fal l ing edges as seen at the Schmidt trigger outputs . To allow the verification to proceed, a simpler model of the bus (Table 6.22) was built by Chapter 6. A Verification Example 139 Table 6.23: T h e abstraction function for gate voltages BusAbst T D_ T_ B:{L,X,H} [gt:(BxB),gt:BY gt gt (H,H) H (L,L) L (L,X),(L,H),(X,X), (X,H) X hand. It has four state variables - t is a counter used to enforce a m a x i m u m delay between the generation of an edge and when it is seen. The constant UpT = 14/fs represents the m a x i m u m time between the generation of a rising edge and the response of the Schmidt-triggers. T h e constant DnT = 180/xs represents the m a x i m u m time between the generation of a fall ing edge and the response of the Schmidt-triggers. The variable d represents the sign of the voltage derivative - H means the bus voltage is increasing, L means it is decreasing. T h e variables a and b represent the states of the two Schmidt-triggers. A d m i t t e d l y , this table is complicated, and even after a thorough inspection is is difficult to be sure that it represents a liberal approximation of the bus. The automatic language containment checker can verify this automatically, however, in about 10 minutes on our D E C - 3 0 0 0 server. The approximation reads tapes representing the gate-inputs and Schmidt-trigger outputs . Recal l , however that the gate-inputs read by the bus model were discretizations of continuous traces. Thus , in the discrete approximation of the bus model , they consist of the famil iar (l,u) pairs. The hand-built approximation abstracts such pairs by a single token. Table 6.23 shows a trace-automata encoding of the abstraction funct ion, that maps from these (/, u) pairs to single tokens. The pair (H, H) is abstracted by the token H, T h e pair (L, L) Chapter 6. A Verification Example 140 is abstracted by the token L, The pairs (L,X), (L,H), (X, X) and (X,H) are abstracted by the token X. T h e abstraction is a part ial funct ion. For example, no abstraction is given for the pair {H, L). T h e two tapes gt and gt representing the gate and its abstraction are declared as tracks on a single mult i - track tape. A s as result, the abstraction is certain to be fair . Us ing the technique from Section 4.3 we can establish that the hand-buil t approximation BusSpec is a l iberal approximation of the discrete bus model BusMod. A n encoding of the abstraction function is obtained by composing two copies of BusAbst. One, BusAbsta with gt and gt renamed to gta and gta respectively. One BusAbsta with with gt and gt renamed to gtb and gtb. Since BusAbst is | ^ i | - f a i r , BusAbsta is j g i a j - f a i r and BusAbs% is jgffrj-fair. Thus , BusAbsta || BusAbstb is {gta,gifrj-fair. A s a result, it suffices to compose BusMod with the abstraction encodings and confirm the following language containment. L(BusMod) C L (^{BusSpec\\ BusAbsta\\ BusAbstb)^~ta ~tb^ Since this hand-built model, BusSpec, is deterministic and compatible wi th the bus-model generated from components, it is easy to verify this language containment automatically. N o buffers or extra tapes are needed. The verification takes about 10 minutes. T h e hand-built model BusSpec represents the bus in the subsequent verification of the protocol . 6.4 D i s c r e t e C o m p o n e n t s The communications algorithm is implemented as a clocked digital device called an agent. This could be dedicated hardware, software, or a combination of both . T h e agent is partitioned into two components, called the timer and the coder. The timer measures t ime by counting clock cycles, and detects rising edges. The coder represents the communications a lgori thm. It is responsible for deciding when to drive and not to drive the bus, and for decoding incoming signals. Chapter 6. A Verification Example 141 Table 6.24: Clock-cycle model of the t imer A^timer D 1 [bx : {L, H} , by : {L, H}]*, [ax : {L, H},ay: {L, H, R}]* ~ S 1 t : Z[0,Q - l},x : {L, H} ,y : {L, H, R} I \ t = f) A x = L A y = L y y' by let Zy2 = y y' by R R (L), (H) R,H,L • L (L) H H (H) R,H H (H) H,L L (L) L R (H) L R (H) let Zup = (y = L) A (y' = R) t x y . t' x' y' bx by ax ay t x L t x y Q - l x y 0 x R t + 1 x y' 0 x' y' <«> (H) 0 0 <*> by () () (x>) by (x') (y) Zyl A t < Q - 1 A ^Zup Zy2 6.4.1 T i m e r s T h e main task of the t imer is to measure the passage of t ime by counting periodic system events - presumably clock cycles if it is implemented in hardware, or interrupts if in software. W h e n a preset t ime has elapsed, it communicates wi th the coder port ion of the algori thm, informing it of whether or not an edge has occurred. A t this t ime, it is also instructed by the coder whether to drive the bus or not unt i l the next communicat ion occurs. The t imer must synchronize with rising bus edges, by resetting its counter when such edges are detected. Discrete components are most naturally modelled as state-machines, whose states change in response to periodic local events, such as interrupts or clock edges. The trace-automata representation of the t imer port ion of an agent, given in Table 6.24 , is an example of just such a state-machine. A detailed account of its operation wi l l be given later on in this section. For the moment, it suffices to understand the intended meaning of the tokens that it reads from its tapes. The tapes ax, and ay, represent its communicat ion w i t h the coder. The tapes bx Chapter 6. A Verification Example 142 and by, represent communicat ion with the bus. The tape bx represents communicat ion with the gate of the the dr iv ing transistor while by represents communicat ion with the output of the Schmidt-trigger. Each pair of tokens read from bx and by account for one clock-edge. T h e token read from bx represents the timer's output to the transistor gate during the subsequent clock cycle. The token read from by represents the Schmidt-trigger output sampled at the time of the clock edge. M o r e specifically, the consumption of the token H (resp. L) from bx means that the output (connected to the gate of the transistor dr iv ing the bus) wi l l be driven high (resp. low) during the upcoming clock cycle. The consumption of the token H (resp. L) f rom by means that the Schmidt trigger output was not logical 0 (resp. not logical 1) at the t ime of the clock edge. For example, a Schmidt-trigger output of intermediate value at the time of the clock edge, may be seen as either L or H. O n the other hand, the Schmidt-trigger and the dr iv ing transistor, have been modelled using an abstraction of t ime in which each token they read represents a fixed t ime-interval 5. Construct ing a model of the complete system from these components requires a reconciliation of the two different views of the same signals. Th is is done by composing the discrete model of the t imer wi th a time translator, a trace-automaton that captures the relationship between the clock-time tokens of the t imer model, and the c5-tokens of the bus model . Suppose that c5 is much smaller than the clock period, which is known to lie, possibly varying, between m8 and /Ju5, where pi and /i„ are integer constants. In-this case a translator approximation can be built by simply counting c5-tokens, each of which represent a t ime-period of length 5. Such a machine is shown in table 6.25 The tapes cx and cy represent the <5-tokens from the bus - cx the transistor gate, cy the Schmidt-trigger output . The tapes bx and by represent the clocked-version of these signals. Each transit ion reads a S token from tapes cx and cy. The state-variable t counts the number of tokens read. The first transition in the table represents ^-periods in which no clock edge occurs. The second transit ion represents 5-periods in which a clock edge does occur, and can Chapter 6. A Verification Example 143 D _S_ T~ Table 6.25: A time translator translates from <5-tokens to clock-tokens M t t 2 [cx : {L, H, X} , cy : { L , H, X}]*, [bx : {L, H},by: {L, H}]* t : Z[0,fiu],x : {L,H,U,D} t = 0 A x — L let Z a ; l a; x' cx let Z x 2 = X x1 cx bx L (L) L L (L) (L) H H (H) H H (H) (H) D L (X), (L) L U (L), (X) (H) U H W, (H) H D (H), (X) (L) let Zy = cy by (L), (X) (L) (H),(X) (H) t x f x' cx cy bx by t X t X t + 1 x' 0 x' cx cy () () cx cy bx .by Zxl A t < fj,u Zx2 A Zy A p,i < t T. | T. T. T. T,/X X/H H ax ay by H <L> <H> H X <H> <L> _L 1 Digital output signal Synchronsized input Asynchronous input Clock Figure 6.20: Translat ion between real-time and clocked time Chapter 6. A Verification Example 144 only be taken when u-i < t < u.u. W h e n a clock edge occurs, tokens are read from bx and by. The token read from by represents a sampled value f rom cy. If L is read from cy, then L must be read from by. If H is read f rom cy, then H must be read from by. If X is read from cy, representing a period of t ransi t ion, then either L or H can be read from by.2 The token read from bx represents an output that wi l l be asserted by the clocked circuit during the next clock cycle. T h e state variable x is used to store this output value in-between clock edges. It is updated according to the predicates Zxl, and Zx2. If the current value of x is L, and the new output signal bx is also L, then x wi l l remain low, and L must be read from cx both by this transit ion and by the subsequent transitions unti l the next clock edge. Similarly, if the current value of x is H and the new output signal is H, then x w i l l remain high. Suppose, on the other hand, the output signal differs from its previous value, as stored in the state variable x. Then the model requires the analog signal to achieve its new value, either in the current <5-time period (the one in which the clock edge occurred), or in the fol lowing time period. Thus , for example, if the the previous token read from bx was L, and the current one is H, the token read from cx could be L or X. The next token read from cx could be X or H. Subsequent tokens, unt i l the next clock cycle, must be H. F igure 6.20 shows a typical set of signals. The translator, M t t i , relies on having a clock-period that is much smaller than 8, so that there are many ^-tokens per clock cycle. A s is the case in the system at hand, it may not be desirable to choose 8 to be much smaller than the clock-period. In this situation a second translator is used that partit ions each time-interval of length 8 into k smaller intervals of length 8/k. Table 6.26 shows such a translator. The tapes dx and dy contain the <$-tokens from the bus. The tapes cx and cy contain the <5/fc-tokens. T h e translator reads k tokens from cx and cy for each token read from dx and dy. 2 A small simplification is made here. The translation assumes that any such output from the Schmidt trigger can be resolved to either H or L. A circuit that does this is, in-fact, a physical impossibility - this is an instance of the synchronization problem. Chapter 6. A Verification Example 145 Table 6.26: A time translator translates between <5-tokens and <5/A;-tokens M t u d z : { £ , # , A } V / y : { L , t f , X f , [cx : {L, H, X} , cy : { L , #, X}]z t : 2 [0 , Ac - 1], x : {X, H,X},y: {L, H, X} t = 0 A x = L A y = L let Zx = X x' cx let Zy = y' cy A X (L), (H), (X) X w, (H), (X) L L (L) H (H) L X (H) .<*> L (L) H H (H) H X (L), (X) t x y t' x' y' dx dy cx cy 0 x y t x y k — 1 x y 1 x' y' t + 1 x' y 0 x' y 0 (y') <*') cy () () cx cy (x') () cx cy Zy Zx A Zy A 0 <t < k - l Zx A Zy dx L i 1 X i 1 H i i cx i | L 1 | L 4 1 L >L 4 1 L 1 I x i I H i > H i I H i I H l H i > H cy i 4 > H i 1>H i i >x i >x i >X i i >L >L i >L dy i > H i > x i > L 0 1 2 3 0 1 2 3 0 l 2 3 0 L L L L L x X X H H H H H H H H X x x X L L L L Figure 6.21: Translat ion between <5-tokens and 5/k-tokens Chapter 6. A Verification Example 146 In principle, there should be no difference between the treatment of channel x and that of channel y. Each symbol L (resp. H) read from dx must correspond to a sequence of k Ls (resp. k Hs) read from cx. S imilarly, each symbol L (resp. H) read from dy must correspond to a sequence of k Ls (resp. k Hs) read from cy. Each symbol X read from dx (resp. dy) corresponds to a sequence of k tokens from cx (resp. cy), the value of which is unconstrained. In practice, the channels x and y are treated differently in order to ensure that the M i t t i , when composed with the t imer model ( M t t 2 || M t i m e r ) , ' s lock-up free. The tapes cx and dx represent the output from the t imer, connected to cx. Thus , the k tokens are read from cx first, and then a consistent token is read from dx. Similarly, the tapes cy and dy represent the output from the Schmidt-trigger that is connected to dy. Thus the token is read from dy f irst, and then a consistent trace of k tokens is read from cy. Figure 6.21 shows a typical pattern of signals, along wi th the corresponding translator states. The translator states are shown by the three rows of boxes at the bot tom, labelled t, x, and y. The vertical lines that separate them represent the transit ions. The bullets identify the tokens that the transit ion consumes. For example, the first transit ion reads tokens from cx, cy and dy. The 8 token H read from the input-channel dy represents the Schmidt trigger input throughout a period of length 8. Its value is recorded in the state variable y. The remaining k — 1 tokens (3 more in the figure) that correspond to this t ime period are then read from tapes cx and cy. The tokens read from cy must all be consistent wi th the token that was read f rom dy and recorded in the state variable y. In this case, they must all be H. The state variable x records whether the tokens from cx were all low (L), all high (H) or varying (X). F i n a l l y the output <5-token dx is read. It must be consistent wi th the tokens read from cx. A model of the t imer that reads ^-tokens is built by composing the two translators M t t i and Mtt2 wi th the discrete t imer model timerl. Such a composit ion is shown in Figure 6.22 Each component is simple, and can be understood independently. T h e timer model M t i m e r is just the M o o r e machine representing a digital circuit . T h e t ime-translators are generic enough that they could be provided as primit ive components by a tool . Chapter 6. A Verification Example 147 Timer Model ttl dx cx dy cy tt2 cx bx cy by timer bx ax by ay delta tokens delta/k tokens Clock Tokens Figure 6.22: A real-time model of the t imer is formed by.composing the clock-time model with translators For the A u d i o C o n t r o l Protoco l , we propose and verify the following implementation pa-rameters. T h e timer M t i m e r counts 114 clock cycles between communications wi th the coder. T h a t is, it views Q, one quarter of a bit-slice as 114 clock cycles. The clock has a nominal period of 2.105/ts. Since the actual period <f> may vary by as much as ± 5 % , this gives a range of 4> £ [2fj,s,2.21fis]. Recal l , that (non-traditionally) 1/xs = 2~20s ~ 0.954 * 10~ 6 s . Thus , 1140 lies in the range [217.4* 10~ 6 s , 240 * 10~ 6 s] . To represent these parameters, Mtti divides each 1/is-token into 19, each representing 1/19/zs. M t t 2 then represents the clock-period as a range of between 38 jg[is and 48jg/is. W h i l e the combination of these components represents an accurate model of the t imer, the result has an excessively large representation. For example, it involves three variables that are used as counters, where it turns out that one wi l l do. Table 6.27 shows a hand-buil t version of the t imer that makes one transit ion for each time-interval of length 5. It has a single counter that counts ^-tokens. A s a result, its state-space is significantly smaller, and it has a much smaller O B D D representation. It reads tokens from dx and dy, representing fixed-length time periods, rather than the clock-period tokens read by the synchronous t imer f rom bx and by. For the verification of the A u d i o C o n t r o l P r o t o c o l , the parameters Tmm = 227 and T m a x = 251 were used, to represent a range of times (228/iS to 252//s) that could elapse while the real timer Chapter 6. A Verification Example 148 Table 6.27: A hand-built approximation of the timer M a b s _ timer D S_ [dx : {L, H, X},dy: {L, H, X}^, [ax : {L, H} , ay: {L, H, R}]< s:Z[0,2],t: Z[0, T m a x ] , x : {L, H,U,D},y: {L, H, R} 0 / \ t = 0 / \ x = L / \ y = L let Zxl — X x' dx let Zx2 = X x' dx ax L L (L) L L (L) (L) H H (H) H H .(H) (H) D L (X), (L) L U (L), (X) (H) U H (X), (H) H D (H), (X) (L) let Zyl y y' dy let Zy2 = y y' dy R R (L), (H), (X) R, H, L L (L), (X) H H (H), (X) R, H H (H), (X) H, L L (L), (X) L R (H), (X) L R (H), (X) let Zup =(y = L) A (y1 = R) s t x y s' t' x' y' dx dy ax ay 0,1 t x y 1,2 t x y 1,2 t x L 1,2 t x y s+1 t+1 x' y 0 t+1 x' y' 0 0 x' R 0 0 x' y' dx dy (} () (*) dy () (> dx dy () () dx dy (x') (y) Zxl A t < T m a x Zxl A Zyl A t < T m a x A ^Zup Zxl A Zyl Zx2 A Zy2 A T m i n < t < T m a x Chapter 6. A Verification Example 149 is counting 114 clock cycles. A more detailed description of its operation is given s tar t ing on Page 150. Admit ted ly , the machine M a b s - t i m e r is complicated. It is hard to be sure by inspection that it represents a liberal approximation of the t imer. Fortunately, the language containment checking algorithm can be used to demonstrate its correctness. T h a t is, one can prove that the abstract t imer M a b s _ t i m e r is a l iberal approximation of the concrete timer Mtti || M u 2 || M t i m e r by demonstrating the language containment L ( M t t i || Mtt2 || Aftimer) C Z - ( M a b s - t i m e r ) - Viewed another way, one can prove that the t imer model, M t t i || Mtt2 | | M t i m e r , satisfies the specification M a b s _ timer-Recall , however, that the containment checking algori thm can give false negatives. These can occur either because the implementation has some short finite paths wi th no infinite complet ion, because the specification and implementation are incompatible, or because the specification is non-deterministic. The translators have been designed to avoid the first of these problems. It is the desire to avoid lock-up that caused the translator models to treat inputs and output differently. For example, Mtti reads the input dy from the Schmidt-trigger before the k pairs of 5/k-tokens from cx and cy, while reading the output from the gate dx afterwards. Th is , however, gives rise to the second of the two problems - an incompatibi l i ty between the specification and the implementat ion. Whereas the implementation reads dy first and then dx, T h e specification reads tokens from dx and dy simultaneously. Moreover, the specification reads tokens f rom ax and ay, representing communicat ion with the agent, synchronously wi th tokens from dx and dy, whereas the implementat ion is capable of reading the corresponding tokens dur ing different transitions. B o t h of these problems can be solved easily using the standard technique of adding buffers to the specification. The specification is also non-deterministic, which could also cause the language containment check to fa i l . T h i s arises f rom two sources. The specification chooses non-deterministically how high to increment its counter before resetting it to 0 and communicat ing wi th the agent. It Chapter 6. A Verification Example 150 also has to decide non-deterministically how to interpret the X tokens read from dy. These tokens are inherently ambiguous, and may be interpreted as either L or H. Moreover , since clock edges may be separated by a period greater than 5, some tokens from dy are to be ignored altogether, modell ing the possibility that no clock edge occurs during the time period that they represent. Since the specification does not know precisely when clock edges wi l l occur, the choice of which tokens to ignore must also be made non-deterministically. In all three cases the non-determinism, if un-addressed, wi l l cause the language-containment check to fai l , resulting in a false-negative result. A s was discussed in Section 4.5, the remedy is to guide the non-deterministic choices made by the specification so that they are consistent wi th those made by the implementat ion. Th is can be done by adding some addit ional tapes to the specification, and connecting these to the implementat ion. T h e tapes inform the specification which non-deterministic choice to make. T h i s process is i l lustrated in Figure 6.23. The timer model, TimerO at the top of the figure, is obtained by composing Mtti, M t t 2 , and M t i m e r - Internal tapes have been hidden, wi th the exception of by, which is needed as an oracle in the verification. The model T i m e r l is the abstract t imer, wi th some extra tapes, composed with the necessary buffers. The automatic language containment checker can verify that Z,(Timer0) C L ( T i m e r l ) . T h e model T imer2 is the abstract t imer, without the buffers, and with the primed tapes hidden. Theorem 4.5.13 asserts X ( T i m e r l ) C X ( T i m e r 2 ) . Thus , by transi t ivi ty it is established that X(TimerO) C L ( T i m e r 2 ) . T h e timer TimerO is {&y}-fair, since it has no runs that assign a finite trace to by, and an infinite trace to dx or dy - such a trace would correspond to a stopped system clock. Thus , theorem 4.3.5 allows us to conclude that £ ( T i m e r O ^ ) C J L ( T i m e r 2 \ ^ ) . Thus , T imer2 is a l iberal approximat ion of TimerO, and can be used in its place for the rest of the verification. T h e T i m e r Verification in Detail This subsection explores the details of the t imer model, M t i m e r > its approximat ion , M a b s - t i m e n and how the addit ion of buffers and extra tapes allow the automatic verification that Mabs- t imer Chapter 6. A Verification Example 151 dx dy dx dy Compositional Timer Model TimerO ttl I dx dy cx cy tt2 cx cy bx by timer -bx by ax ay by Abstract Timer Model (with added tapes and buffers) Timer 1 dy' buffer I dx dy Abstract Timer by by' ay ay by' buffer buffer by Abstract Timer Model (with primed tapes hidden) dx dy Timer2 Abstract Timer dx ax ay' dy by by' ay ay ay ax ay ay by Figure 6.23: The t imer model is verified against a hand-buil t approximation Chapter 6. A Verification Example 152 Table 6.28: The abstract t imer, extended by adding tapes to resolve non-determinism ^Jabs—timer D [dx : {L, H, X} , dy : {L, H, X}]*, [ax : {L, H},ay: {L, H, R}}< [by : {L, H}]z, [by' : {L, H}]z, [ay' : {L, H, R}]z S_ ~T_ s:Z[0,2],t: Z[0, T m a x ] , x : {L, H,U,D},y: {L, H, R} , c : { 0 , l } s = QAt = OAx = L A y = L A c = 0 let Zxl = X x' dx let Zx2 = X x' dx ax L L (L) L L (L) (L) H H (H) H H (H) (H) D L (X), (L) L U (L), (H) (X) U H (X), (H) H D (H), (L) (X) let Zyl = y y' dy by let Zy2 = y y' dy by R R (L), (H), (X) (L), (H) R, H, L L (L), (X) (L) H H (H) AX) (H) • R, H H (H), (X) (H) H,L L (L), (X) (L) L R (H), (X) (H) L R (H) AX) (H) let Zup =(y = L) A (y' = R) let ZI = Zxl A t < T m a x let Z2 = Zxl A Zyl A t < T m a x A ^Zup let Z3 = Zxl A Zyl let Z 4 = Zx2 A Zy2 A T m i n < t < Tn let Z5 = \by'\ - 1 A \ay'\ = 1 let Z6 = \by'\ = 1 s t X y c s' t' x' y' d dx dy ax ay by by' ay' o, 1 t X y 0 s+1 t + 1 x' y 0 dx dy 0 0 0 0 0 ZI 1, 2 t X y 0 0 t + 1 x' y' 0 dx dy 0 0 by by' 0 Z2 1, 2 t X L 0 0 0 x' R 0 dx dy 0 0 by by' 0 Z3 1, 2 t X y c 0 0 x' y' 0 dx dy ax (y) by by' ay' ZA s t X y c 2 t X y I 0 0 0 0 0 by' ay' Z 5 s t X y c 2 t X y c 0 0 0 0 0 by' 0 Z 6 Chapter 6. A Verification Example 153 is l iberal approximation of M t j m e r | | M t t i II Aftt2- The rest of this dissertation does not depend upon the contents of this section. A s a result, this section may safely be skipped by the casual reader. A discrete clock-time model of the t imer is given in Table 6.24. T h e machine has three state variables. The variable t is used to measure the passage of t ime by counting clock cycles. The variable x represents whether or not the agent is currently dr iv ing the bus - H means the bus is being dr iven, L means it is not. The variable y records whether a rising edge has been observed since the last communicat ion with the agent or, if not, the most recently observed state of the bus. The value R means that a rising edge has been observed, L means that the bus is low and no rising edge has,been observed, H means that the bus is high and no rising edge has been observed. To simplify the transit ion table, some predicates over the inputs and state variables are defined first. Then the transit ion table is given by referring to these predicates. Each transit ion in the main table represents a single clock cycle. T h e first transit ion rep-resents the detection of a rising edge. Th is occurs when the previous value observed on the bus was low (y = L), and H is read from tape by. In response, the fact that a rising edge has occurred is recorded (y' = R), and the t imer is reset t' = 0. If no rising edge is detected, or if one has already occurred, and if t has not yet reached the value Q, then t is incremented by the second transit ion in the table. The auxi l iary predicate Zyl shows how the state-variable y is updated based on the input by f rom the Schmidt-trigger. T h e final transit ion in the table resets t to zero when it has reached the value Q. The agent is informed of the bus state v i a the token on ay, and a new instruction is obtained v ia the token on ax - H instructs the t imer to drive the bus, L instructs the t imer not to drive the bus. The auxi l iary predicate Zy2 describes how the state-variable y is updated. A hand-buil t abstraction of the t imer is given in Table 6.27. Recall f rom Subsection 6.2 that the Schmidt-trigger model may produce as many as two X tokens as it moves from state s i to sO (or vice-versa). T h e overall model must be accurate enough to ensure that no rising edge is detected by the t imer during such a transit ion, which represents a falling edge. Th is Chapter 6. A Verification Example 154 is accomplished by choosing 5 to be less than one-half the clock-period, so that only one of the X tokens is sampled. To reflect this behaviour, the t imer model can read, but ignore, a symbol from tape dy by taking the first transit ion in the table. The state-variable s is used to keep track of the number of consecutive transitions that have "skipped" tokens in this way. The model is designed to ensure that at least every second token is skipped, and that no more than two tokens are skipped consecutively. The model wi l l be correct, therefor, only if the clock-period is greater than 25 and less than 35. The abstract t imer, wi th the necessary tapes added, is given in Table 6.28. T h e tapes dy, by, and ax, and ay are buffered copies of the same tapes read by TimerO. T h e tape by is used to resolve some of the non-determinism by providing an interpretation of the X symbols that the abstract t imer reads from its tape by. The tapes by1 and ay' are the unbuffered versions of by and ay are used to alert M a b s - t i m e r that buffered symbols are available to be read from by and ay respectively. To see how this works, consider the behaviour of the system as a typical pair of tokens are read from dx and dy. Each action taken by the model Mtti \\ Mtt2 \\ M t i m e r must be matched by a corresponding action taken by the specification M a b s - t i m e r composed with the buffers. The token from dy is read first by M t t i - The abstract t imer M a b s - t i m e r cannot read a token from dy without consuming one from dx, but M a b s - t i m e r l can read the token from dy, s toring it in the buffer. Machines M t t i and Mtt2 may then read some tokens from their shared tape. If no clock-edge occurs, then no tokens are read from tapes read by T i m e r l so T i m e r l s imply stutters. F ina l ly , when its counter reaches k — 1, Mtti wi l l read a token from dx. The same token is read by M a b s _ t i m e r 5 along wi th the token from dy that was stored in the buffer. Since no tokens are available from buffers attached to ax, ay, or by, M a b s - t i m e r must take the first transit ion in its table, effectively ignoring the value of the token read from dy. If, on the other hand, a clock edge does occur, then M t i m e r wi l l make a transi t ion, reading a token from by. If its counter was equal to Q — 1, tokens wi l l also be read from ax and ay. Chapter 6. A Verification Example 155 The abstract t imer M a b s - t i m e r makes a corresponding transit ion. The token that M t i m e r read from by is read by M a b s - t i m e r on by' and is also stored in the buffer. If Mtimer reads no tokens from ax and ay, then M a b s - t i m e r makes the s ixth transit ion in its table, setting c to 0. If, on the other hand, M t i m e r reads tokens from ax and ay, then Mabs- t imer must take the fifth transit ion in its table, setting c to 1. The tokens on ax and ay are stored in the buffers. In either case, s is set to 2 so that the next transition cannot ignore the incoming token from dy. After k transit ions, M t t l reads a token from dx. N o w , the abstract t imer must make one of the first four transitions in its table. If TimerO reads no symbol from by, (because no clock edge occurs), then M a b s - t i m e r must take the first t ransi t ion. If the counter in M ^ m e r had reached Q and been reset to 0, then c wi l l have been set to 1, forcing M a b s - t i m e r to take the fourth transi t ion. If the counter in M t i m e r has not reached Q, then there wi l l be no symbols available to be read from tapes ax and ay, forcing M a b s - t i m e r to take the th i rd or the fourth transit ion, depending upon the token read from dy. Thus , the question of how high to increment the counter before resetting is resolved. S im-ilarly, the question of whether to ignore the token read from dy is resolved, since if s is 2, the first t ransi t ion, which ignores the value, cannot be taken. The question of how to interpret the X symbol is resolved by referring to the value of the token read from by. 6.4.2 Coders Coders are each modelled by a discrete trace-automaton wi th two tapes. One tape h represents communicat ion between the coder and its host. One tape, wi th two tracks ax and ay, represents communicat ion between the coder at its t imer. C o m m u n i c a t i o n between coder and host is described by a sequence of the tokens Rl, RO, RE, SI, SO, and SE. T h e tokens Rl, RO, and RE represent message bits that have been received f rom the bus, or confirmation of bits that have been successfully t ransmit ted. The tokens 5 1 , 5 0 , and SE represent send requests. Chapter 6. A Verification Example 156 Communica t ion between coder and timer is described by a two-track tape. One track ay is used by the timer to inform the host of the state of the bus. T h e tokens L and H mean that the bus voltage is respectively low and high, and that no rising edge has occurred in the last Q t ime units. The token R means that a rising edge was been detected Q t ime units ago. The other ax is used to instruct the t imer whether to drive the bus or not. T h e token H means that the bus is to be driven high. The token L means that the bus is to be allowed to float low. T h e coders can switch dynamical ly between receiving and t ransmit t ing modes. The re-ceiving mode consists of nine possible states, labelled r l , . . . , r 9 . The behaviour of the coder in receiving mode is i l lustrated in Figure 6.12. The dashed arrows indicate transitions that are taken when the timer has detected a rising edge on the bus. The solid arrows indicate transitions that are taken in the absence of such an edge. The algorithm works s imply by measuring the time that elapses between rising edges. Start-ing from idle, the init ial rising edge is assumed to be the rising edge that occurs in the middle of a 1 bit-slice - the protocol requires all messages to begin with 1. If a rising edge occurs in states r3 , r4 , r7 , r8 , or r9 , it occurs near the middle of a bit-slice, and thus is also assumed to represent a 1. If a rising edge occurs in states r5 or r6 , it is nearer the division between two bit-slices, and thus is assumed to represent the rising edge that occurs between successive Os. T h e basic transmission algori thm without collision detection (Figure 6.11) is simple enough. It consists of twelve states divided into three groups of four. T h e states s l l , . . . , s l 4 represent the stages required to send a 1. Similarly, the states s01, . . . , s04 and s E l , s E A represent respectively the stages of sending a 0 and signalling the end of a message. S tar t ing from the idle state, if asked to send a 1 - recall that messages must begin wi th 1 - the algorithm moves first to states s l 3 and then to s l 4 , instruct ing the t imer to drive the bus high for two transitions (2Q t ime units) . The next bit must be 1 or 0 - messages cannot end wi th 1 - causing a transit ion to s l l or sOl respectively. If the transit ion is made to s O l , the bus remains driven high. If the transit ion is made to s l l it is allowed to float low in preparation for the upcoming rising edge. F r o m s04 after sending a 0 is complete, the next bit can be 1, 0, or the message can end, Chapter 6. A Verification Example 157 Table 6.29: Simple agent wi th no collision detection Mag D\ [ax: {L,H},ay : {L, H, U}]2 ,h : {S1,S0,SE,R1,R0,RE,T}Z 5 s : {Idl, s l l , s l 2 , s l 3 , s l 4 , s O l , s02, s03, s04, sEl,sE2, sES, sE4, r l , r2 , r 3 , r 4 , r 5 , r 6 , r 7 , r 8 , r 9 } 7 I s = Idl A s s' ax ay h sll sl2 (L) (L) (H) (U) 0 sl2 s l 3 (H) (L) (H) (U) 0 s l 3 s l 4 (H) (L) (H) (U) 0 s l 4 s l l (L) (L) (II) (U) (si) s l 4 sOl (H) (L) (H) (U) (SO) sOl s02 (H) (L) (H) (U) 0 s02 s03 (L) (L) (H) (U) 0 s03 s04 (L) (L) (H) (U) 0 s04 s l l (L) (L) (H) (U) (51) s04 sOl (H) (L) (H) (U) (50) s04 sEl (L) (L) (H) (U) (SE) sEl sE2 (L) (L) (H) (U) 0 sE2 sE2 (L) (L) (H) (U) 0 sEZ sE2 (L) (L) (H) (U) 0 sE4 Idl (L) (L) (H) (U) 0 r l r2 (L) (L) (H) (U) (Rl) r2 r3 (L) (L) (H) (U) 0 r3 r4 (L) (L) (H) 0 r4 r5 (L) (L) (H) 0 r5 r6 (L) (L) (H) (RO) r6 r7 (L) (L) (H) 0 r7 r8 (L) (L) (H) 0 r8 r9 (L) (L) (H) 0 r9 Idl (L) (L) (H) (RE) r3 rl (L) (U) 0 r4 rl (L) (U) 0 r5 r3 (L) (U) 0 r6 r3 (L) (U) 0 r7 r l (L) (U) 0 r8 r l (L) (U) {) r9 r l (L) (U) 0 Idl s l 3 (H) (L) (51) Idl r l (L) (U) <-L> Chapter 6. A Verification Example 158 resulting in transitions to s l l , s O l , or sEl respectively. Table 6.29 gives the tabular description of the coder depicted in Figures 6.11 and 6.12. There is one subtle technical consideration in the translation from the informal diagrams to a trace-automaton. Recall that the languages that trace-automata accept consist only of infinite behaviours. A naive trace-automata encoding of the coder wi l l only model behaviours in which, as time progresses towards infinity, an infinite number of tokens are transmitted across the bus. O f course, in reality, it is entirely possible that at some point between messages, all the agents stop t ransmit t ing permanently, and thus generate only a finite sequence of tokens. The consumption of the token _L in the transit ion from Idle to Idle allows such behaviours to be represented by the finite token sequence, followed by an infinite sequence of JLs. Collision Detection A d d i n g collision detection complicates things significantly, so that a graphical representation becomes vir tual ly impossible to read. For this reason, only tabular presentations wi l l be given. The first collision detection scheme that we attempted to verify turned out to be incorrect. Under certain circumstances, it fails to detect a collision. The transmitter port ion of the coder is shown in Table 6.30. A rising edge detected by the timer for which the coder is not responsible is deemed to indicate a coll ision, and control is transfered to the appropriate state in the receiving mode. For example the second line from the bot tom of the table represents the switch to receiving mode caused by the occurrence of a rising edge when the transmitter is in state s04 or sEl. Conversely, a collision is also deemed to have occurred if the bus voltage is not low (L) just prior to generating a rising edge. For example, the th i rd line from the bottom represents the transfer to receiving mode if the bus voltage is not low just prior to t ransmit t ing the rising edge of a 1. Figure 6.24 shows graphically why this algorithm fails. Agents A and B both transmit messages. Agent A ' s message begins wi th 10, whereas agent 5 ' s message begins wi th 11. B o t h agents transmit the common first bit 1, generating their in i t ia l rising edge simultaneously. Chapter 6. A Verification Example 159 Table 6.30: Flawed transmitter wi th collision detection Mag D\ [ax: {L,H},ay : {L, H, U}]z ,h : {S1,S0,SE;R1,R0,RE,T}Z S I s : {Idl,sll,sl2,sl3,sU,s01,s02,s03,sO4,sEl,sE2,sE3,sE4:, r l , r 2 , r 3 , r 4 , r 5 , r 6 , r 7 , r 8 , r 9 } 7 I s = Ml A s s' ax - ay h Idl sl3 (H) (L) (51) sll sl2 (L) (L) (H), (U) 0 sl2 sl3 (H) (L) 0 s l 3 slA (H) (L) (H), (U) {Rl) s l 4 sll (L) (L) , (H), (U) (51) slA sOl {H) (L) , (H), (U) (50) s O l s02 (H) (L) , (H), (U) 0 s02 s03 (L) (L) , (H), <U) 0 s03 s04 {L) (L) . > - (U) (R0) s04 s l l (L) (L) > <#> (51) s04 sOl (H) (L) , (7f) (50) s04 sEl (L) (L) , (7f) ( S £ ) sEl sE2 (L) (L) , ( i f ) 0 sE2 sE3 (L) (L) , ( t f ) 0 sE3 sEA (L) (L) , (H) (RE) sEA Idl (L) (L) ,(H) 0 sl2 r5 (L) (H) 0 s04, sEl r3 (L) (U) 0 sl2,sE2,sE3,sEA r l (L) (U) 0 Chapter 6. A Verification Example 160 Trigger threshold voltage Figure 6.24: A collision goes undetected! Between the two bit-slices, 2Q t ime units later, agent B stops dr iv ing the line, in preparation for the rising edge of the second 1 of its message. Agent A continues to drive the line, in anticipation of the falling edge associated with its second character 0. Agent A ' s clock is running fast, so it t ransmits the 0 by releasing the line slightly in advance of the centre of the bit-slice. Now no agent is dr iv ing the line so the voltage begins to drop. Agent B ' s clock happens to be slow, so it does not attempt to generate the rising edge until sometime after the centre of the second bit-slice. D u r i n g the time that passes between A ' s release of the line, and 73's rising edge, the bus voltage drops to just below the Schmidt-trigger threshold. A s a result, B ' s Schmidt trigger changes state, recognizing the voltage drop, while A ' s Schmidt-trigger does not. Agent B sees the line as low, since its Schmidt-trigger has changed state. A s a result, it makes the transit ion from state s l 2 to s l 3 and drives the line high, instead of making the switch to receiving mode that it would have done had it seen the line as high. Since A ' s Schmidt trigger has not yet responded to the fall in bus voltage, A ' s t imer wi l l not detect the rising edge that B generated. Thus it wi l l not detect the collision either. Gate A GateB Line Voltage 1 0 1 1 1 Chapter 6. A Verification Example 161 0 1 Gate A 1 1 GateB Vt Line Voltage \ Figure 6.25: Behaviour of the fixed algorithm This failure is caused by the interaction of digital and analog components. A naive bus model which, for example, assumed that every agent has the same view of the bus would not detect this problem. Moreover, for small bus capacitances, the problem does not arise when the two clocks were maximal ly skewed. A s a result, analog simulation with maximal clock skew may also fail to detect the problem. A t the heart of the problem is the race that develops as a result of having one agent A stop dr iv ing the bus at the same (nominal) time as another agent B starts to drive i t . Thus , the most sensible way to fix the algorithm is to remove this race. Notice that the transmission algorithm is symmetric in the sense that it tries to fai thfully follow Manchester encoding rules by generating rising and fall ing edges in the centre of 1 and 0 bit-slices. Th is , in spite of the admission that fal l ing edges have unsatisfactory delays associated wi th them so that the decoding algori thm attends only to rising edges. A more appropriate transmission algori thm drives the line only long enough to generate a clean rising edge. Fal l ing edges may be generated as soon as possible after the rising edge. Chapter 6. A Verification Example 162 Table 6.31: Correct collision detecting transmitter Mag D | [ax : {L, H},ay: {L, 77, U}]z, h : {51 , 50 , SE, Rl, RO, RE, A_}z S I s : {Idl, sll, sl2, s l 3 , s l 4 , s O l , s02, s03, s04, sEl, sE2, sE3, sEA, rl, r2, r 3 , r 4 , r 5 , r 6 , r l , r 8 , r 9 } I I s = Zdl : s s' ax ay h /<« s l 3 (77) (L) (51) s l l s l 2 (L) (L) (H) 0 s l 2 s l 3 (77) (L) (H) 0 s l 3 s l 4 (L) (L) (H) ,(U) (7?1) s l 4 s l l (L) (L) (H) ,(U) (51) s l 4 sOl (L) (L) (H) AU) (50) sOl s02 (L) (L) (H) 0 s02 s03 (L) (L) (H) 0 s03 s04 (L) (L) (H) (7?0) s04 s l l (L) (L) (H) (51) s04 s O l (H) (L) (H) (50) s04 sEl (L) (L) (H) (SE) sEl sE2 (L) (L) (H) 0 sE2 sE3 (L) (L) (H) 0 sE3 sEA (L) (L) (H) (RE) sEA Idl (L) (L) (H) 0 sll,sOA,sEl r3 (L) (U) 0 s!2,s02,s03,sE2,sE3,sEA r l (L) (U) 0 Chapter 6. A Verification Example 163 Table 6.32: A u d i o Protocol Specification spec T T : {S1,S0,SE,R1,R0,RE,L} D a:Tz,b:T* S s:{0,l} I s = 0 s s' a b A s s s 1 s 1 s 0 0 0 (S1),(S0),(SE),() ( 5 1 ) , (50 ) , (SE),() (Rl) (Rl) (RO) (RO) (RE) (RE) <-L> (-L) This transmission scheme allows collisions to be detected based on the occurrence of spu-rious rising edges alone. The resulting coder algorithm is given in Table 6.31. F igure 6.25 shows the behaviour of this new algorithm in the same circumstances that caused the failure in F igure 6.24. 6.5 Specification The correctness specification for the system is remarkably straight-forward. It comes down to the requirement that , the sequence of tokens Rl RO and RE observed by each host be identical . If the system satisfies this requirement, then the hosts wi l l all see the same messages. B y itself, this does not guarantee that the message seen is the same as one that was sent. Notice , however, that a transmitter , having read 5 1 , must read Rl, unless some other agent causes a rising edge. Similarly, a transmitter , having read 50 or SE must read RO or RE respectively unless some other agent causes a rising edge. In all cases, if such a rising edge occurs, interfering wi th the transmission, the transmitter switches to receiving mode. Receivers never drive the bus, and thus cannot generate rising edges. Thus , at least one agent successfully transmits and receives its entire message. Chapter 6. A Verification Example 164 In comparison, [BGK+96] verify a slightly simpler a lgori thm, in which a sender, upon de-tecting a collision, s imply reverts to the idle state rather than switching modes and receiving the rest of the message. They show that wi th two dedicated transmitters and one dedicated receiver, if transmitter A successfully transmits its entire message, then that message is received by the receiver. The do not show that either transmitter ever successfully transmits a message. This specification is easily expressed by the trace-automaton given in Table 6.32. The first line in the transit ion table causes the specification to ignore the 5 tokens. The subsequent lines ensure that the R tokens occur in matched pairs. The specification also encodes a liveness requirement - that if the stream of tokens stops permanently, it must do so between messages. The halt ing of the stream is heralded by an infinite sequence of .Ls. W h i l e a message is in progress, the specification is in state s = 1. In this state, the token _L is not permitted to occur. Once the message end has been detected by both agents, the specification moves to state s = 0 and the token ± is allowed. Note that the specification depends only upon the R tokens, and not upon the 5 tokens. Th is suggests that the 5 tokens could be dispensed w i t h , both in the specification and in the coder model . Let tp be an abstraction function that maps sequences of the tokens 5 1 , 5 0 , SE, Rl, RO, RE, and _L, to sequences containing only the tokens Rl, RO, RE and J_ by simply deleting all occurrences of the tokens 5 1 , 5 2 , and SE. Let M be the (correct) coder from Section 6.4.2. Let M be the same automaton, wi th every transit ion that reads an 5 token replaced with one reading the empty trace instead, and with the tape h renamed to h. Similarly, let 5 be the specification in Table 6.32. Let 5 be the same specification, wi th the first row removed from the table, and tape h renamed to h. For this example, it is quite feasible to verify the system directly, without removing the 5 tokens. However, as an i l lustrat ion of the techniques developed in Section 4.4, we show that that 5 is a conservative approximation of 5 , and that M is a l iberal approximation of M. Table 6.33 shows the abstraction function encoded as a trace-automaton. Note , that this is a part ia l abstraction funct ion, because certain sequences - those that contain only a finite Chapter 6. A Verification Example 165 Table 6.33: A n abstraction function for the host interface $ T : {RO, Rl, RE, SO, Si, SE, 1 } , T : {RO, Rl, RE, 1} T h : T z , h : T z h h (S0,S1,SE) 0 (RO) (RO) (Rl) (Rl) (RE) (RE) <-L> 0 - > number of the tokens RO, Rl, RE, and _L are not mapped to infinite sequences. To check that the model M is a l iberal approximation of M, we first establish that M, hence M||<I' is K-fair . Then we use the language containment checker to establish the following containment. L(M)CL((M\\9)$) (6.9) T h e testing automaton, shown in Table 6.34 is used to show that M is / i-fair. It works by monitor ing the behaviour of M. W h e n ever M reads a token f rom ax, the tester increments a counter. W h e n ever M reads a token from h, the tester resets the counter to 0. If the counter ever reaches a preset m a x i m u m value of i i ' (4 in this case), the tester outputs an infinite sequence of l s on its output tape e. To use the tester, one s imply composes it wi th M, hides all the tapes but e, and checks to ensure that the resulting language L((M \\T)\e) is empty. If it is, then we have established that M has no (reachable) cycle that reads tokens from ax and none from h. Thus , it must be /i-fair. T h e actual verification involves two coder models, obtained from M by renaming tapes. Let Ma = M[hataxaiaya/hiaXiay] and let Mb = M[hbtaxbtayb/htax,ay] be two such coders. Similarly, let Ma = M r t ,-r- let Mb = M,~ , , let * a = 1> r , , r n and let * 6 = [na,axa,aya/n,ax,ay\' [hb,axb,ayb/n,ax,ay] [na,na/h,n\ Chapter 6. A Verification Example 166 Table 6.34: A trace automaton that tests for fairness T T\ B:{L,X,H},T:{R1,R0,RE,±} ~D | e : {1}Z ,ax : Bz ,'h :fz " 5 | c : Z[0,K] I | c = 0 f A l I c c' e c c + 1 c 0 A" A" () \h\ = 0 A |aa;| = 1 0 W = i (1> ^[hbUb/hhy ^a a n d ^ ^ e ^ n e abstraction functions encoded by \Pa and \T/{, respectively. Since tya and \T/(, share no common tapes, they are tr ivial ly compatible. Furthermore, the abstractions ipa and tpb that they encode are t r iv ia l ly consistent. M is a l iberal approximation of M wi th respect to the function encoded by <J>. Ma, Ma and \ l / a (resp. Mb, Mb and \T/(,) were obtained from M, M and <3/ by s imply renaming tapes. Thus , Ma (resp. Mb) is a l iberal approximation of Ma (resp. Mb) wi th respect to ^ a (resp. tpb)- Theorem 4.3.3 establishes that Ma \\Mb is a l iberal approximation of Ma \\Mb wi th respect to ipaQipb-To check that the specification, 5 is a conservative approximation of 5 wi th respect to i>a®i>b is s traightforward. Theorem 4.4.6 establishes that \T/a || ^f, encodes the composit ion ipaQipb- One s imply uses the language containment checker to confirm the following language containment. i ( ( 5 | | * a | | * t ) N { M } ) C I ( C ) The final step in the verification is to establish that the composition of the hand-built bus model, the timers, the coders and the agents satisfies the specification S. T h i s has been accomplished by composing the specification wi th single state buffers - one for each of the tapes ha and Kb. Th is final language containment check required less than 2 hours on our D E C - 3 0 0 0 server. Chapter 6. A Verification Example 167 6.6 Verification S u m m a r y The audio control protocol has been verified with collision detection for two agents, each of which is capable of switching dynamical ly between sending and receiving modes. To accomplish this, the verification was done in several steps. A t the bot tom, or most concrete level, an analog model of the bus itself was constructed. Th is was a hybrid model, wi th continuous time models of the passive components, and hybrid models of the Schmidt-triggers. T h i s bus-model consisted of a network of transliterations, and an integrator. Value dis-cretizations were defined that mapped continuous voltages and currents to discrete values. Based upon these discretizations, continuous-time discrete-space liberal approximations of the transliterations were constructed automatically. These approximations were composed and internal connections hidden. F ina l ly , a t ime discretization constant was provided, and discrete-time discrete-value liberal approximations were constructed using the matching automata tech-nique from Section 5.4. This yielded a discrete-time discrete-space l iberal approximation of the circuit consisting of the transistors, resistors and capacitor. The hybrid model of the Schmidt-triggers was translated by hand, into a fully discrete model . In principle, this transformation could probably be automated, but as yet such a process has not been established. The resulting Schmidt-trigger models were combined with the electrical model to yield a complete liberal model of the bus. T h e model that resulted, however, was too complex to be used in the remaining verification. To overcome this hurdle, a hand-built approximation was constructed. The automatic language containment checker was able to verify that this hand-built approximation was a liberal approximat ion of the discrete bus model . In a sense, the hand-built approximation became an intermediate specification, that the automatical ly derived model was shown to satisfy. A model of the agent was constructed in two parts, a coder and a t imer. The timer has two tapes, or communicat ion channels. One tape represents communicat ion wi th the bus. The other tape represents communicat ion wi th the coder. C o m m u n i c a t i o n wi th the bus is understood to occur regularly as a result of some periodic local event such as a local clock edge. Chapter 6. A Verification Example 168 Communica t ion with the agent is initiated by the t imer when its internal counter reaches a pre-set value representing one quarter of a bit-slice. It is also understood to be synchronized by the local clock event. The models of the agents could not be composed with the model of the bus to yield a liberal approximation of the entire system because the channels that connect them use different abstractions. The tokens consumed by the bus-model represent a summarizat ion of a fixed-length (5) interval of t ime, whereas the tokens consumed by the agent-model represent time-periods based on a local clock whose period varies by up to ± 5 % from its nominal value. To reconcile these two abstractions a time translator was buil t . T h e result, however was large and complex, wi th a great deal of redundancy in its state space. A s with the bus model , using the t imer model constructed this way would be impract ica l . Just as was done with the bus model, a hand-built l iberal approximation was constructed that could be verified against the composit ional model automatically. In this case, however there were some issues of compat ibi l i ty and non-determinism that needed to be overcome. Here the technique from Chapter 4 of composing the specification with buffers, and using addit ional connections to resolve non-deterministic choices was used to advantage. The result is a simple hybrid approximation of the t imer that can be composed with the local-time coder model on the one hand, and the real-time bus model on the other, yielding a liberal approximat ion of the entire system. The final stage of the verification was to show that the language accepted by the resulting trace-automaton was contained in the that accepted by the simple specification. T h e model , and the specification are not compatible, however. The specification consumes the R tokens (which are required to match) simultaneously from each of the agents. T h e agent model , however wi l l admit the possibility that these tokens are produced at slightly different times by the different agents, as their local clocks become unsynchronized. It would , of course be possible to write a semantically equivalent specification that was compatible wi th the agents, but the result would be complicated and hard to validate. A better, and by now famil iar , solution is s imply Chapter 6. A Verification Example 169 to compose the simple specification from Table 6.32 wi th buffers, one for each agent. Single stage buffers suffice for this verification. T h e result could then be verified by the automatic containment checker. A l l of the verifications were performed on a D E C - 3 0 0 0 server, model 800 equipped wi th 256Mb of main memory. The verification of the low-level bus model against the hand-buil t approximation took approximately 10 m i n . The verification of the low-level t imer model against the hand-buil t approximation took approximately 7 hours. F i n a l system verification of the abstract bus model , the abstract timers, and the agents against the system specification required slightly less than 2 hours. The combined total for all three stages was thus approximately 9 hours. M o d e l sizes and verification times are fairly sensitive to the choice of O B D D variable order-ing. In the verification of the low-level bus model , the models were first built using an ordering that interleaved the individual bits of the numeric variables, s tart ing wi th the most-significant bits first. For example, if a, b and c were 2, 3, and 4-bit numeric variables, such an ordering would be d\, b2, C3 , cio, b\, c2, bo, c i , CQ. Where ai (resp. b2, C3) is the most-significant bit of a (resp. b, c), and ao (resp. bo, CQ) is the least significant bit . Once the final composite models had been generated using this ordering, a dynamic re-ordering algorithm was run . T h e resulting ordering was used in the final verification. Generat ing the composite models took 1 minute, and 30 seconds. Re-ordering the variables took 2 minutes and 45 seconds, and reduced the combined size of the model and specification from 97,000 nodes to 20,000 nodes. R u n n i n g the language containment check took 6 minutes and 15 seconds. In the verification of the timers, and the system verification, no ini t ia l ordering was specified. The dynamic ordering process was used exclusively to generate O B D D variable orderings. The times given above include the time taken to construct the models and perform the variable ordering, although in both cases the actual t ime taken was dominated by the t ime required for the language containment check. The verification performed here differs from other published attempts in several key respects. Chapter 6. A Verification Example 170 In [HWT95] , H o and Wong-Toi use H Y T E C H [ A C H H 9 3 b ] to verify a system consisting of a single dedicated transmitter , and a single dedicated receiver communicat ing over an ideal transmission medium. They establish that , under these conditions, transmitted messages wi l l be received correctly as long as the clock-drift is no greater than (5.88%). They also establish a bound on the time that can elapse between the transmission of a message and its reception. Their verification does not establish that the transmitter waits for sufficiently long between successive messages for the receiver to detect the end of the first message. They do not address the issue of bus collisions. Nor do they address the issue of delays in rising bus edges. Correct reception of bits is specified by augmenting the receiver automaton, so that is informed of the bits that are actually sent. If these do not match those received, it enters an error location. Verification amounts to checking that this error location is unreachable. Similarly, the t iming property is verified by introducing a t imer variable, and checking that it cannot exceed the prescribed bound. In [BGK+96} a model consisting of two dedicated transmitters and one dedicated receiver is verified using U P P A A L . N o description is given of the bus model that was used. In [ B G K + 9 6 ] a transmitter that detects a collision simply gives up, and returns to its idle state. In contrast, our transmitters switch to receiving mode, and correctly receive the remainder of the message. The verification presented here is based upon a more realistic electrical model of the bus, and more realistic models of the agents than have been used in earlier attempts. In both [HWT95] and [ B G K + 9 6 ] , the models used are more appropriately viewed as intermediate specifications. Neither account gives a concrete implementat ion, either of the agents, nor of the bus itself. Agents are given as hybrid automata , in which continuous variables measure the passage of real-value, absolute t ime. In contrast, the verification given here is of an actual implementation model . Agents are described using models for which clock or interrupt driven implementations are readily apparent. Chapter 7 Conclusions and Future W o r k 7.1 Conclusions This dissertation has presented the formalism trace-automata and investigated its appropriate-ness for using abstraction to verify hybrid systems. A simple general theory of abstraction in the context of language containment verification was presented. The concepts of liberal and con-servative approximation were shown be be fundamental to this theory. The interaction between trace-automata operations and these concepts was investigated and circumstances under which trace-automata operations preserve them were identified. We established practical techniques for demonstrating language containment for discrete finite-state trace-automata. General tech-niques for constructing such trace-automata to approximate systems of differential equations were established. F ina l ly , these techniques were used in the verification of an example hybrid system. Trace-Automata Trace-automata are language accepting machines that read multiple tapes. Some tapes may contain discrete-time sequences (2-traces) . Others may contain continuous-time /^-traces. Dis -crete systems can be modelled by trace-automata that read only discrete tapes. Continuous systems can be modelled by trace-automata that read only continuous tapes. H y b r i d systems can be modelled by trace-automata that read both discrete and continuous tapes. A parallel composit ion operator allows one to build models of complicated systems by com-posing models representing system components. To validate component models independently, 171 Chapter 7. Conclusions and Future Work 172 based only upon the languages that they accept, one requires that composition should be equiv-alent to language intersection. W h i l e this is not, in general, the case, it is the case when the automata in question are compatible. C o m p a t i b i l i t y is a non-tr ivial global property, and thus hard to establish in general. However, it can be assured by a combination of purely local properties, and a syntactic global property that is easy to establish. A hiding operator allows tapes to become local . For the purpose of constructing specifi-cations, it would be desirable if this hiding operator corresponded to language projection. In general, this correspondence can be established only if the automaton in question satisfies a fairness condit ion. The same local properties that were used to establish compatibi l i ty can also be used to establish fairness. Alternately, fairness can be established by a testing automaton that is constructed for the purpose. Abstract ion The basic abstraction paradigm is to replace a verification problem, establishing MCS, wi th a simpler problem, establishing MCS. Section 4.1 explored this paradigm in a very general context. The results are applicable to any formalism based upon language containment and, more specifically, to trace-automata. The section defined the terms liberal and conservative approximat ion. A set M is a l iberal approximation of M wi th respect to an abstraction function if its pre-image contains M. S imilar ly S is a conservative approximation of S if its pre-image is contained in S. It was shown that the implicat ion MCS => MCS holds if and only if M is a l iberal approximation of M and 5 is a conservative approximation S wi th respect to a (possibly partial) abstraction funct ion. A p p r o x i m a t i o n , both liberal and conservative, interacts wi th the trace-automata operations, so that , provided the appropriate fairness and compatibi l i ty conditions are satisfied, l iberal ap-proximations of components M and can be composed to yield a l iberal approximation of the composit ion of M and N. Likewise conservative approximations can be composed yielding Chapter 7. Conclusions and Future Work 173 conservative approximations of the composit ion. Th is allows one to compose l iberal approxima-tions of the components of a system to yield a liberal approximation of the system as a whole. S imilar ly conservative approximations of the components of a specification can be combined to yield a conservative approximation of the specification as whole. Abstract ing Continuous Systems A n abstraction funct ion, ip[5, f] mapping real-valued 7^-traces to sequences of integer-pairs was defined, based on discretizations of the value and the time domains. The value domain is discretized by a non-decreasing function / from the reals to the integers. Such a function partit ions the reals so that the pre-image of each integer in its range is a connected interval . The time domain is discretized by div iding it into finite traces of equal length 6. Each infinite 7Z trace is abstracted by a sequence of pairs representing the m i n i m u m and m a x i m u m value discretization of its values during each 5 interval. A liberal approximation of an integrator was developed based upon such an abstraction funct ion. A transli teration M is a trace-automaton that enforces a pointwise relationship R between the traces on each of its tapes. W h e n combined with integrators, transliterations can repre-sent arbi trary systems of differential equations. Section 5.4 established a general technique for constructing l iberal approximations of transliterations wi th respect to abstraction function The value domain of the transliteration is discretized first, and a l iberal approximation M' is constructed that reads continuous-time traces of integer values. The transliteration that is being approximated may be a composition of many components, wi thin which some tapes are hidden. The continuous time-discrete value approximations of these components are composed at this stage, and their local tapes are hidden. F inal ly , the t ime-domain of the remaining tapes is discretized. A set of machines M'u and M'ui are constructed, where i ranges over the tapes that remain un-hidden. A n y subset of this set may be composed, yielding a liberal approximation of the original machine M. Moreover, Chapter 7. Conclusions and Future Work 11A if the entire set is composed, the result is the best liberal approximation possible based on the chosen discretizations. T h a t is, the language that it accepts is contained in that accepted by any other liberal approximation. Combined with a parameterized version of the integrator approximation that was developed in Section 4.2 this gives a general technique for constructing discrete liberal approximations of arbi trary systems of differential equations. Language Containment Checking A conservative algorithm for checking language containment for discrete finite-state trace-automata was described in Section 4.5. The algorithm is essentially an adaptat ion of that given by [CBM89] in the context of sequential circuit verification. The algori thm is conserva-tive, in the sense that it may give false negative results, but wi l l not give false positives. The technical conditions under which it is precise are identified, but in practice, they are not likely to be satisfied. In particular, the specification wi l l often be non-deterministic and incompatible wi th the implementat ion. Pract ica l techniques are described that mitigate these shortcomings. The problem of non-deterministic specifications can be alleviated by endowing both spec-ification and implementation with some addit ional (shared) tapes. The containment checking algori thm operates by pursuing a symbolic breadth-first search of the states that are reachable in the product machine. Essentially it performs a symbolic simulation of the two machines The addit ional tapes are used by the specification as an oracle wi th which to discover the choices made by the implementation during this s imulat ion. The specification can then make its choices accordingly. The soundness of this technique was established by Theorem 4.5.11. The problem of incompatibi l i ty can be resolved by composing the specification wi th special trace-automata called buffers. Incompatibi l i ty occurs when the implementation and specifica-tion are both capable of reading the same symbols from each of their tapes, but must do so in a different order. For example, the implementation may read from tape a f irst, and then from tape 6, while the specification reads from tape b first and then from tape a. A buffer is a fair trace-automaton that reads two tapes, say a and a'. It requires that the sequence of symbols Chapter 7. Conclusions and Future Work 175 read from both tapes be identical In the process of reading the tapes, it may allow one tape, say a to get ahead of the other a', storing the extra symbols read from a in its internal state. B y equipping the specification with the buffer, one allows it to read the symbols from a f irst, storing them in the buffer to be retrieved after the symbol from b is read. In addit ion to using the language containment checker to check the containment L(ih) C L ( s ) , it can also be used to establish that m is a l iberal approximation of m and that s is a conservative approximation of s when m and s are finite-state discrete automata . The abstrac-tion function is encoded as a trace-automaton Provided that the appropriate compatibi l i ty and fairness conditions are met, it can be established that ih is a l iberal approximation of m by showing that the language of m is contained in the language of \I/ || m , wi th the tapes that m does not read hidden. Similarly, it can be established that s is a conservative approximation of s by showing that the language of \I/ || s is contained in the language of s. Example Verification These techniques were used to verify a realistic implementation of the Phi l ips A u d i o C o n t r o l Pro toco l . The analog bus was modelled using continuous trace-automata. Each analog com-ponent was modelled by a trace-automaton with tapes representing voltage and current as real-valued functions of real t ime. The interface components, transistors and Schmidt triggers were represented by hybrid trace-automata. T h e agents were represented by a combination of discrete trace-automata. Simple models were given of the clock-driven Moore-machines de-scribing the agents' behaviour during each local clock-cycle. Var ia t ion in the local clock speed was accounted for by time translators - trace-automata that described the relationship between sequence of clock-time tokens and sequences of 5-time tokens. The analog bus model consisted of transliterations and an integrator. Continuous-t ime, discrete value approximations of the transliterations in the bus model were constructed auto-matically. Tapes that represented local currents and voltages were hidden. The machines Mn and Mui were then constructed from the recipe developed in Section 5.4, and composed to yield Chapter 7. Conclusions and Future Work 176 a fully discrete liberal approximation of the transliterations. Th is was composed with a discrete l iberal approximation of the integrator, derived in Section 4.2, to yield a l iberal approximation of the bus. The resulting discrete automaton, however was too large to be used in the system verification, so a liberal approximation of it was constructed by hand. The (l,u) pairs repre-senting gate-inputs in the automatical ly derived bus model were abstracted by a single symbol in the hand built approximation. Th is abstraction function was encoded by a trace-automaton, and the language containment checker was used to establish that the hand built approximation was a l iberal approximation of the approximation derived automatically. Similarly, it was verified that hand-built approximations of the timers and coders were liberal approximations of the original models, and that a hand-built approximation of the specification was conservative. F ina l ly , these liberal approximations of the implementation were verified against the conservative approximation of the specification. S u m m a r y of Results Trace-automata are a suitable framework for using abstraction to verify hybrid systems. They allow the representation of hybrid systems by using tapes containing continuous-time traces to represent continuous behaviours, and tapes containing discrete-time sequences to represent discrete behaviours. The operations composit ion and hiding preserve the properties of being a l iberal and conservative approximation that we have established are fundamental to verification using abstract ion. Since the same formalism is used both for specification and for implemen-tat ion, trace-automata can be used in multi-level verification. T h e verification of the audio control protocol is a concrete example of this procedure. The following list summarizes the main results of this investigation. • A simple, general theory of abstraction in the context of verification based upon language-containment. Establ ishing L(M) C L(S) allows the conclusion of L(M) C L(S) if and only if M is a l iberal approximation of M, and 5 is a conservative approximation of S with respect to a (possibly partial) abstraction funct ion. Chapter 7. Conclusions and Future Work 111 • T h a t trace-automata composit ion preserves the property of being a liberal approximation provided that approximations being composed are compatible. • T h a t trace-automata composit ion preserves the property of being a conservative approx-imation provided that the specifications being composed are compatible. • T h a t trace-automata hiding preserves the property of being a l iberal approximation pro-vided the abstraction function is separable. • T h a t it can be established that an approximation is l iberal (or conservative) as the case may be by encoding the abstraction function as a trace-automaton and checking for language containment. • A sound technique, based upon adding "oracle" tapes, for demonstrat ing language con-tainment when the specification is non-deterministic. • A sound technique, based upon adding buffers, for demonstrating language containment when the implementation and specification are incompatible. • A general technique for constructing liberal approximations of systems of differential equa-tions and inclusions when continuous traces are abstracted by independent discretizations of the time and value domains. • A sound verification of an implementation of the audio control protocol wi th collision detection using detailed, realistic models of the analog behaviour of the bus. 7.2 Future W o r k Algori thms for Language Containment T h e main focus of this work is the development of a framework in which composit ion preserves abstraction, so that systems can be verified by approximat ing their components, and verifying Chapter 7. Conclusions and Future Work 178 the resulting discrete system. Other researchers (c.f. [ A C H H 9 3 a , A C H + 9 5 , PV94a]) have focussed on developing techniques for verifying specific classes of hybrid systems directly. It may be possible to adapt these techniques to establishing language containment for re-stricted classes of trace-automata. Th is would be an important result because, not only would it give a way to verify restricted classes of hybrid trace-automata directly without the need for abstraction, but, by encoding abstraction functions such as ip[8, /] as hybrid trace-automata, it could also provide an addit ional way to establish that approximations are liberal or conservative as the case may be. Theoretical Questions It would be interesting to establish an accurate characterization of the class of languages that can be accepted by trace-automata under various restrictions. It seems likely that the projection of any language accepted by a finite-state, smooth, trace-automaton onto a single tape is a;-regular, and that any w-regular language can be described by such a projection. The requirement that every tape have an infinite number of symbols is very close the the B i i ch i acceptance condit ion that every run visit a distinguished set of final states infinitely often. For this reason it also seems likely that the deterministic finite-state trace-automata accept a str ict ly smaller class of languages than those accepted by their non-deterministic counterparts. A n accurate characterization of the classes of languages accepted by various trace-automata families should also establish the classes of abstraction functions that can be encoded by trace-automata. A t first glance, it might appear as if trace-automata are l imited to expressing safety prop-erties. W i t h the appropriate interpretation, however, trace-automata can also express bounded response properties. For example, consider a single-tape discrete model in which each symbol consumed represents the passage of a fixed interval of t ime. It is assumed that the model correctly represents the system under investigation. Unless the system is capable of causing time itself to stand s t i l l , the model must have at least one trace in its language. G i v e n this assumption, bounded response - for example the requirement that every x be followed by a y Chapter 7. Conclusions and Future Work 179 within k t ime units, can easily be expressed by trace-automata specification. In short, if one can reasonably assume that a model has at least one behaviour in its language, one can require a particular behaviour by forbidding all others. Various temporal logics (see [Eme90] for a survey) are commonly used to specify properties for discrete, and real-time systems. These logics can be divided into two classes, based upon the models used to interpret their formulas. Linear-t ime temporal logics are interpreted with respect to linear sequences. A t each instant, a unique future is assumed for each interpretation. Thus , like single tape trace-automata, they specify sets of linear sequences. Branching-t ime temporal logics are interpreted with respect to infinite trees. A t each instant, a number of futures is possible within a given interpretation. Thus , branching t ime logics specify sets of computat ion trees. There appear to be no published accounts of logics that are interpreted with respect to multiple independent linear time-lines. Thus , there are no temporal logics that are naturally interpreted with respect to behaviours, as described here. The development of such a logic would be a natural extension of this research. Section 4.5 introduced the techniques of adding extra tapes to mitigate the problem of non-deterministic specifications, and adding buffers to mitigate the problem of incompatibi l i ty. A s yet no practical problem has been encountered that these techniques cannot circumvent. Nonetheless it would be interesting to know under which restrictions these techniques are com-plete as well as sound. Improving the Accuracy of Approximations One difficulty that arises using the techniques outlined here is the lack of precision that re-sults from approximat ing components individual ly . Using the abstraction function ip[S, f], for example, the time at which an event occurs can only be resolved to 6 t ime units. The t iming of an event that is not instantaneous, the charging of a transistor gate for example, cannot be resolved more finely than 26 t ime units, since the event could straddle the boundary between Chapter 7. Conclusions and Future Work 180 two tokens. W h e n a number of components that form a causal chain are approximated inde-pendently, each component adds an addit ional 28 t ime-units of uncertainty in the t iming of events. If such chains are long, this cumulative effect wi l l become unacceptable. O f course, one could mitigate the problem by choosing a smaller c5. However, it might be possible to solve the problem using more sophisticated techniques. Suppose that a general purpose delay element can be defined, so that the actions in question can be modelled by composing a component that changes instantly wi th such a delay unit . It may be possible to identify constraints under which the delay units in a chain can freely be moved along the chain without affecting the language accepted by the composit ion. Th is could allow the delays to be aggregated into a single delay unit that could be approximated independently, thus avoiding this compounding effect. Applicat ion to Other Domains One of the novel features of trace-automata is the idea of multiple independent time-lines. Traces on different tapes are independent in the sense that the trace-automata semantics defines no connection between the t iming of events on one time-line, and that of events on another. It is generally appropriate to model signals using different tapes when the relative t iming of events on the different tapes is irrelevant to the correctness of the system. For example, the model of the audio control implementation represented the streams of communicat ion between each agent and its host on separate tapes. A s a result, the language that model accepts contains no information about the relative t iming of events on these two channels. B y looking at the language accepted, one can establish that both hosts see the same stream of tokens. One cannot discover whether agent A sees a token before or after agent B sees the corresponding token. O f course, a run of a trace-automaton wi l l read the tokens f rom the tapes in a very specific order, but this order is lost when simply looking at the language that is accepted. In a sense, a trace-automata run represents all the possible interleavings of tokens from all of its tapes, provided the relative order of the tokens on each tape remains unaltered. Th is use of a single run Chapter 7. Conclusions and Future Work 181 to represent a whole family of interleavings may be useful in s implifying verification problems in fully discrete domains as well as in the domain of hybrid systems. For example, [Wei96] observes that for speed independent circuits wi th output choice, the relative ordering of the actions of different components is irrelevant to the correctness of the circuit . This observation is used to verify a self-timed vector multiplier . Weih observes that the relative order in which individual circuit elements change state is not relevant to the circuit 's behaviour. Only the actual sequences of states through which each component passes is of consequence. Us ing this observation, he is able to use a model in which the relative order is pre-determined to represent the actual circuit , which admits many possible interleavings. Veri fying the deterministic version is considerably more efficient, and allows the correctness of the original to be concluded. Bibliography [ACH+92] R . A l u r , C . Courcoubetis , N . Halbwachs, D . L . D i l l , and H . Wong-Toi . M i n i -mizat ion of t imed transit ion systems. In CONCUR 92: Theories of Concurrency, volume 630 of LNCS, pages 340-354. Springer-Verlag, 1992. [ACH+95] R . A l u r , C . Courcoubeits , N . Halbwachs, T . A . Henzinger, P . - H . H o , X . Nico l l in , A . Ol ivero, J . Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138(1):3^34, February 1995. [ A C H H 9 3 a ] R . A l u r , C . Courcoubetis , T . A . Henzinger, and P. H o . H y b r i d automata : A n algorithmic approach to the specification and verification of hybrid systems. In R . Grossman, A . Nerode, R . R a v n , and H . Rischel , editors, Hybrid Systems, volume 736 of LNCS, pages 209-229. Springer-Verlag, 1993. [ A C H H 9 3 b ] R . A l u r , C . Courcoubetis , T . A . Henzinger, and Pei -Hsin H o . A u t o m a t i c symbolic verification of embedded systems. In Utth Annual Real-Time Systems Symposium, pages 2-11. I E E E C o m p . Soc. Press, 1993. [AD90] Rajeev A l u r and D a v i d D i l l . A u t o m a t a for modeling real-time systems. In M . S. Paterson, editor, Proc. of International Conference on Automata, Languages and Programming, volume 443 of LNCS, pages 322-335, Ju ly 1990. [AL92] M a r t i n A b a d i and Leslie L a m p o r t . A n old-fashioned recipe for real t ime. In J . W . de Bakker , C . H u i z i n g , W . P. de Roever, and G . Rozenberg, editors, Real-Time: Thory in Practice (Proc. REX workshop, June 1991), volume 600 of LNCS, pages 1-26. Springer-Verlag, 1992. [AM94] Eugene A s a r i n and Oded M a l e r . O n some relations between dynamical systems and transit ion systems. In Serge A b i t e b o u l and E l i Shamir , editors, Automata, Languages and Programming, volume 820 of LNCS, pages 59^72, New York , July 1994. European Associat ion for Theoretical Computer Science, Springer-Verlag. [BGK+96] Johan Bengtsson, W . O . D a v i d Giff ioen, K a r e J . Kristoffersen, K i m G . Larsen, Fredrik Larsson, P a u l Pettersson, and Want Y i . Verif ication of an audio protocol wi th bus collision using U P P A A L . In Rajeev A l u r and Thomas A . Henzinger, editors, Computer Aided Verification, 8th International Conference, volume 1102 of LNCS, pages 244-256. Springer Verlag, 96. [ B P V 9 4 ] Doeko Bosscher, Indra Polak , and Fr i ts Vaandrager. Verif ication of an audio con-trol protocol . In J . Lagmaack, W . - P . de Roever, and J . V y t o p i l , editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of LNCS, pages 170-192. Springer-Verlag, September 1994. 182 Bibliography 183 [Bry86] R . E . B r y a n t . Graph-based algorithms for boolean function manipulat ion. IEEE Transactions on Computers, C-35(2):677-691, August 1986. [Bur92] Jerry R . B u r c h . Trace Algebra for Automatic Verification of Real-Time Concurrent Systems. P h D thesis, Carnegie M e l l o n University, P i t t sburgh , P A , A u g u s t 1992. [CBM89] Oliver Coudert , Chr is t ian Berthet , and Jean Chris tophe M a d r e . Verif ication of synchronous sequential machines using boolean functional vectors. In Luc J . M . Claesen, editor, Proceedings of the IMEC-IFIP International Workshop on Ap-plied Formal Methods for Correct VLSI Design, pages 111-128, Leuven, Be lg ium, September 1989. Organizing Commit tee of the I M E C - I F I P workshop. [CGL92] E d m u n d M . Clarke , O r n a G r u m b e r g , and D a v i d E . L o n g . M o d e l checking and abstract ion. In Proceedings of the 19th Annual ACM Symposium on Principles of Programming Languages, January 1992. [CHR91] Zhou Chaochen, C . A . R . Hoare, and Anders P. R a v n . A calculus of durations. Information Processing Letters, 40(5):269-276, December 1991. [CRH93] Zhou Chaochen, Anders P. R a v n , and Michae l R . Hansen. A n extended durat ion calculus for hybrid real-time systems. In R . Grossman, A . Nerode, R . R a v n , and H . Rischel, editors, Hybrid Systems, volume 736 of LNCS, pages 36-59. Springer-Verlag, 1993. [Eme90] E . A l l e n Emerson. Temporal and Modal Logic, volume 2 of Handbook of Theoretical Computer Science, chapter 6, pages 997-1072. Elsevier Science Publishers, 1990. [ G N R R 9 3 ] Robert L . Grossman, A n i l Nerode, Anders P. R a v n , and Hans Rischel , editors. Hybrid Systems, volume 736 of LNCS, New-York , 1993. Springer-Verlag. [HC92] Michae l R . Hansen and Zhou Chaochen. Semantics and completeness of dura-t ion calculus. In J . W . de Bakker , C . H u i z i n g , W . P . de Roever, and G . Rozen-berg, editors, Real-Time: Theory in Practice, volume 600 of LNCS, pages 209-225. Springer-Verlag, 1992. [HH95] T h o m a s A . Henzinger and Pei -Hsin H o . A l g o r i t h m i c analysis of nonlinear hybrid systems. In Proceedings of the Seventh International Conference on Computer Aided Verification (CAV 1995), volume 939 of LNCS, pages 225-238. Springer-Verlag, 1995. [HMP93] Thomas A . Henzinger, Zohar M a n n a , and A m i r Pnuel i . Towards refining tem-poral specifications into hybrid systems. In Robert L . Grossman, A n i l Nerode, and Anders P . R a v n , editors, Hybrid Systems, volume 736 of LNCS, pages 60-76. Springer-Verlag, 1993. [HNSY92] T h o m a s A . Henzinger, Xavier Nico l l in , Joseph Sifakis, and Sergio Yovine . S y m -bolic model checking for real-time systems. In Proc. 7th IEEE Symp. on Logic In Computer Science, pages 394-406. I E E E Computer Society Press, 1992. Bibliography 184 [HWT95] Pe i -Hsin H o and Howard Wong-Toi . A u t o m a t e d analysis of an audio control pro-tocol . In P. Wolper , editor, GAV 95: Computer-aided Verification, volume 939 of LNCS, pages 381-394. Springer-Verlag, 1995. [KM91] R . P. K u r s h a n and K . L . M c M i l l a n . Analys is of digital circuits through sym-bolic reduction. IEEE Transtactions on Computer-Aided Design, 10(11):1356-1371, November 1991. [Kur87] R . P. K u r s h a n . Reducibi l i ty in analysis of coordination. In P. V a r a i y a and A . B . K u r z h a n s k i , editors, Discrete Event Systems: Models and Applications, volume 430 of LNCIS, pages 414-453. I I A S A , Springer-Verlag, A u g u s t 1987. [Kur89] R . P . K u r s h a n . Analys is of discrete event coordinat ion. In J . W . de Bakker and W . - P . de Roever and G . Rozenberg, editor, Stepwise Refinement of Distributed Systems, volume 430 of LNCS, pages 414-453. R E X Pro ject , Springer-Verlag, M a y 1989. [Lon93] D a v i d E . L o n g . Model Checking, Abstraction, and Compositional Verification. C M U - C S - 9 3 1 7 8 , Carnegie M e l l o n University, Computer Science Dept , C M U , P i t t s -burgh P A , Ju ly 1993. [McI93] A n t h o n y M c l s a a c . A formalizat ion of abstraction in L A M B D A . In Car l - Johan Seger and Jeffrey Joyce, editors, HUG 93; HOL Users's Group Workshop, volume 780 of LNCS, pages 227-252, New Y o r k , 1993. Springer-Verlag. [Mea55] G . H . Mealy . A method for synthesizing sequential circuits. Bell System Technical Journal, 34(5), M a y 1955. [ M M P 9 2 ] Oded M a l e r , Zohar M a n n a , and A m i r Pnuel i . F r o m timed to hybrid systems. In J . W . de Bakker , C . H u i z i n g , W . P . de Roever, and G . Rozenberg, editors, Real-Time: Theory in Practice, volume 600 of LNCS, pages 447-484. Springer-Verlag, 1992. [Moo56] E . F . M o o r e . Gedanken experiments on sequential machines. In Automata Studies. Princeton Universi ty Press, Pr inceton , N . J . , 1956. [MP93] Zohar M a n n a and A m i r Pnuel i . Veri fying hybrid systems. In Robert L . Grossman, A n i l Nerode, and Anders P . R a v n , editors, Hybrid Systems, volume 736 of LNCS, pages 4-35. Springer-Verlag, 1993. [NOSY93] X . Nico l l in , A . Ol ivero, J . Sifakis, and S. Yovine. A n approach to the descrip-t ion and analysis of hybrid systems. In Robert L . Grossman, A n i l Nerode, and Anders P . R a v n , editors, Hybrid Systems, volume 736 of LNCS, pages 149-178. Springer-Verlag, 1993. [NSY92] Xavier Nico l l in , Joseph Sifakis, and Sergio Yovine. C o m p i l i n g real-time speci-fications into extended automata . IEEE Transactions on Software Engineering, 18(9):794-804, September 1992. Bibliography 185 [PV94a] A n u j P u r i and P r a v i n Vara iya . Decidabi l i ty of hybrid systems with rectangu-lar differential inclusions. In D a v i d L . D i l l , editor, 6th International Conference on Compuer Aided Verification (CAV'94), volume 818 of LNCS, pages 95-104. Springer Verlag, June 1994. [PV94b] A n u j P u r i and P r a v i n Vara iya . Verification of hybrid systems using abstractions. In Pnos Antsakl i s et al, editor, Hybrid Systems II, volume 999 of LNCS. Springer Verlag, 1994. [Seg93] Car l - Johan H . Seger. Voss — a formal hardware verification system user's guide. Technical Report TR93-45 , Department of Computer Science, The Universi ty of Br i t i sh C o l u m b i a , 1993. [Wei96] D a v i d T . W e i h . Formal verification of asynchronous data-path circuits. Master ' s thesis, Universi ty of Br i t i sh C o l u m b i a , , Department of Computer Science, 1996. [ZM92a] Y i n g Zhang and A l a n K . M a c k w o r t h . Constraint nets: A semantic model for real-time embedded systems. Technical Report 92-10, Universi ty of Br i t i sh C o l u m b i a , Dept . of C o m p u t e Science, Vancouver, B . C . , C a n a d a , October 1992. [ZM92b] Y i n g Zhang and A l a n K . M a c k w o r t h . W i l l the robot do the right thing? Tech-nical Report 92-31, Department of Computer Science, The University of Br i t i sh C o l u m b i a , November 1992.
- Library Home /
- Search Collections /
- Open Collections /
- Browse Collections /
- UBC Theses and Dissertations /
- Trace-automata : a formal framework for using abstraction...
Open Collections
UBC Theses and Dissertations
Featured Collection
UBC Theses and Dissertations
Trace-automata : a formal framework for using abstraction to verify hybrid systems Martin, Andrew Kenneth 1996
pdf
Page Metadata
Item Metadata
Title | Trace-automata : a formal framework for using abstraction to verify hybrid systems |
Creator |
Martin, Andrew Kenneth |
Date Issued | 1996 |
Description | This dissertation presents a new framework, trace-automata, for verifying hybrid systems. In addition, a simple, general theory of abstraction is presented, based on the idea of approximations that are liberal or conservative with respect to an abstraction function. This theory gives rise to a sound technique whereby hybrid systems are verified by constructing discrete approximations of both the implementation and the specification, and verifying that the approximate implementation satisfies the approximate specification. Trace-automata are language accepting, infinite tape automata, extended to allow multiple tapes, and to allow tapes that consist of continuous traces over the reals, as well as tapes that consist of sequences of discrete symbols. Hybrid systems are represented by automata that read some continuous tapes and some discrete tapes. Trace-automata are used to represent both the implementation and the specification of the system to be verified. Verification corresponds to demonstrating that the language accepted by the implementation is contained in that accepted by the specification. Hybrid systems are verified by constructing and verifying discrete approximations. Abstraction functions map continuous traces to discrete sequences. A liberal approximation of the system implementation is verified against a conservative approximation of the system specification. From this verification, it can be concluded that the original hybrid model satisfies the original specification. The dissertation describes a general technique for constructing discrete, liberal approximations of trace-automata representing differential equations and inclusions. In addition, trace-automata themselves can encode abstraction functions, with the result that trace-automata language containment can also be used to establish that an approximation is liberal or conservative as the case may be. These techniques are illustrated with an example verification based upon the Philips Audio Control Protocol with two agents, each capable of both transmitting and receiving. The verification is novel in that it is based upon a detailed model of the analog electrical behaviour of the bus. |
Extent | 8713850 bytes |
Subject |
Hybrid computers Hybrid computers - Programming |
Genre |
Thesis/Dissertation |
Type |
Text |
FileFormat | application/pdf |
Language | eng |
Date Available | 2009-03-27 |
Provider | Vancouver : University of British Columbia Library |
Rights | For non-commercial purposes only, such as research, private study and education. Additional conditions apply, see Terms of Use https://open.library.ubc.ca/terms_of_use. |
DOI | 10.14288/1.0051028 |
URI | http://hdl.handle.net/2429/6614 |
Degree |
Doctor of Philosophy - PhD |
Program |
Computer Science |
Affiliation |
Science, Faculty of Computer Science, Department of |
Degree Grantor | University of British Columbia |
GraduationDate | 1996-11 |
Campus |
UBCV |
Scholarly Level | Graduate |
AggregatedSourceRepository | DSpace |
Download
- Media
- 831-ubc_1997-19616X.pdf [ 8.31MB ]
- Metadata
- JSON: 831-1.0051028.json
- JSON-LD: 831-1.0051028-ld.json
- RDF/XML (Pretty): 831-1.0051028-rdf.xml
- RDF/JSON: 831-1.0051028-rdf.json
- Turtle: 831-1.0051028-turtle.txt
- N-Triples: 831-1.0051028-rdf-ntriples.txt
- Original Record: 831-1.0051028-source.json
- Full Text
- 831-1.0051028-fulltext.txt
- Citation
- 831-1.0051028.ris
Full Text
Cite
Citation Scheme:
Usage Statistics
Share
Embed
Customize your widget with the following options, then copy and paste the code below into the HTML
of your page to embed this item in your website.
<div id="ubcOpenCollectionsWidgetDisplay">
<script id="ubcOpenCollectionsWidget"
src="{[{embed.src}]}"
data-item="{[{embed.item}]}"
data-collection="{[{embed.collection}]}"
data-metadata="{[{embed.showMetadata}]}"
data-width="{[{embed.width}]}"
async >
</script>
</div>
Our image viewer uses the IIIF 2.0 standard.
To load this item in other compatible viewers, use this url:
https://iiif.library.ubc.ca/presentation/dsp.831.1-0051028/manifest