Extending Regular Expressions with Duration Constraints for Modelling and Verifying Hybrid Systems

Li Xuandong, Zheng Tao, Hou Jianmin, and Zheng Guoliang*†
State Key Laboratory of Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, Jiangsu, P.R. China 210093

July 22, 1998

Abstract

In this paper, we introduce the formalism of duration-constrained regular expressions, an extension of regular expressions with duration constraints, to model real-time and hybrid systems. It is equivalent in expressive power to a class of linear hybrid automata called loop-closed automata, in which any variable tested in a loop is reset or tested to exact values in the same loop. Based on duration-constrained regular expressions, we give the basic idea for attacking some verification problems of loop-closed automata, and present some results we have obtained.

* This work is supported by the National Natural Science Foundation of China and the International Institute for Software Technology, The United Nations University (UNU/IIST).
† [email protected]; [email protected]; [email protected]

Duration Calculus Workshop, ESSLLI'98

1 Introduction

Hybrid systems are real-time systems that allow continuous state changes, over time periods of positive duration, as well as discrete state changes, in zero time. The behaviour of hybrid systems can be expressed by timed sequences. A timed sequence $(s_1, t_1)^\frown(s_2, t_2)^\frown\cdots^\frown(s_m, t_m)$ represents a behaviour in which the system starts at state $s_1$, stays there for $t_1$ time units, then changes to $s_2$ and stays in $s_2$ for $t_2$ time units, and so on. The values $t_1, t_2, \ldots, t_m$ have to satisfy the time constraints enforced by the system. Since the number of timed sequences needed to express the behaviour of a system may be infinite, we need a finite representation of the behaviour of systems. In this paper, we introduce duration-constrained regular expressions, an extension of regular expressions with duration constraints, for describing the behaviour of hybrid systems.

We use Duration Calculus (DC) [1] to describe duration constraints. DC is a logic to specify and reason about requirements for real-time and hybrid systems. It is an extension of Interval Temporal Logic which can be used to reason about integrated constraints over time-dependent and Boolean-valued states without explicit mention of absolute time. In DC, states are modelled as Boolean functions from the reals (representing continuous time) to $\{0, 1\}$, where 1 denotes state presence and 0 denotes state absence. For a state $s$, the interval variable $\int s$ of DC is a function from bounded and closed intervals to the reals which stands for the accumulated presence time (duration) of state $s$ over the interval. For a bounded interval $[a, b]$ ($b \geq a$), $\int s\,[a, b] \mathrel{\hat{=}} \int_a^b s(t)\,dt$. It follows that $\int 1\,[a, b] \mathrel{\hat{=}} \int_a^b 1\,dt = b - a$, i.e. the length of $[a, b]$. A duration constraint is of the form

$$a \leq \sum_{i=1}^{m} c_i \int s_i \leq b,$$

where the $s_i$ are states and $a$, $b$ and the $c_i$ are real numbers.

The formalism of hybrid automata [2,3,5,6] has become a standard model for real-time and hybrid systems. The model-checking problem for real-time and hybrid systems is very difficult: even for a well-formed class of hybrid systems, the class of linear hybrid automata, the problem is still undecidable in general. So an important question for the analysis and design of real-time and hybrid systems is the identification of subclasses of such systems, and of corresponding restricted classes of analysis problems, that can be settled algorithmically. For a class of linear hybrid automata called loop-closed automata, in which any variable tested in a loop is reset or tested to exact values in the same loop, we can show that the formalism of duration-constrained regular expressions is equivalent in expressive power to this class of linear hybrid automata, so that, based on duration-constrained regular expressions, we can attack some verification problems of this class of linear hybrid automata.

The paper is organised as follows. In the next section, we introduce the notion of duration-constrained regular expressions. Section 3 gives the basic idea for attacking some verification problems based on duration-constrained regular expressions. Some verification results for loop-closed automata are shown in Section 4. The last section is the conclusion of the paper.

2 Duration-Constrained Regular Expressions

While a regular expression over a set of states/transitions (the alphabet) is a finite representation of a (possibly infinite) set of sequences of states/transitions, a duration-constrained regular expression (DRE) is a finite representation of a set of timed sequences of states.

Let $S$ be a finite set of states and $\mathbb{R}^+$ the set of nonnegative real numbers. A finite sequence $(s_1, t_1)^\frown(s_2, t_2)^\frown\cdots^\frown(s_m, t_m)$ of elements of $S \times \mathbb{R}^+$ is called a timed sequence over $S$. In this paper, we use $^\frown$ to denote the concatenation of sequences. For a timed sequence $\sigma = (s'_1, t_1)^\frown(s'_2, t_2)^\frown\cdots^\frown(s'_m, t_m)$, the integrated duration of state $s_i$ is

$$\int s_i = \sum_{u \in \Gamma_i} t_u,$$

where $\Gamma_i = \{u \mid (1 \leq u \leq m) \wedge (s'_u \Rightarrow s_i)\}$. Consequently, $\sigma$ satisfies a duration constraint $a \leq \sum_{i=1}^{m} c_i \int s_i \leq b$ if and only if

$$a \leq \sum_{i=1}^{m} c_i \Big(\sum_{u \in \Gamma_i} t_u\Big) \leq b.$$

A timed sequence $(s_1, t_1)^\frown(s_2, t_2)^\frown\cdots^\frown(s_m, t_m)$ represents a behaviour in which the system starts at state $s_1$, stays there for $t_1$ time units, then changes to $s_2$ and stays in $s_2$ for $t_2$ time units, and so on. The values $t_1, t_2, \ldots, t_m$ have to satisfy the time constraints enforced by the system. These time constraints can be described by duration constraints. By incorporating duration constraints into regular expressions, we get duration-constrained regular expressions.

Definition 1. For a DRE $R$, its language over a finite set $S$ of states is denoted by $L(R)$. DREs are defined recursively as follows:

1. $\varepsilon$ is a DRE, and $L(\varepsilon) = \{\varepsilon\}$.
2. If $s \in S$, then $s$ is a DRE, and $L(s) = \{(s, t) \mid t \in \mathbb{R}^+\}$.
3. If $R_1$ and $R_2$ are DREs, then $R_1^\frown R_2$ is a DRE, and $L(R_1^\frown R_2) = \{\sigma_1^\frown\sigma_2 \mid \sigma_1 \in L(R_1),\ \sigma_2 \in L(R_2)\}$.
4. If $R_1$ and $R_2$ are DREs, then $R_1 + R_2$ is a DRE, and $L(R_1 + R_2) = L(R_1) \cup L(R_2)$.
5. If $R_1$ and $R_2$ are DREs, then $R_1 \cap R_2$ is a DRE, and $L(R_1 \cap R_2) = L(R_1) \cap L(R_2)$.
6. If $R$ is a DRE, then $R^*$ is a DRE, and $L(R^*) = \{\sigma_1^\frown\cdots^\frown\sigma_m \mid m \geq 0 \text{ and } \bigwedge_{i=1}^{m} (\sigma_i \in L(R))\}$, where $\sigma_1^\frown\cdots^\frown\sigma_m \mathrel{\hat{=}} \varepsilon$ when $m = 0$.
7. If $R$ is a DRE, then $(R;\ a \leq \sum_{i=1}^{m} c_i \int s_i \leq b)$ is a DRE, and $L((R;\ a \leq \sum_{i=1}^{m} c_i \int s_i \leq b)) = \{\sigma \mid \sigma \in L(R) \text{ satisfies } a \leq \sum_{i=1}^{m} c_i \int s_i \leq b\}$, where each $s_i \in S$ ($1 \leq i \leq m$).

DREs form a very simple formalism to model real-time and hybrid systems. We can use DREs to describe the behaviour of linear hybrid automata. For a class of linear hybrid automata called loop-closed automata, in which any variable tested in a loop is reset or tested to exact values in the same loop, we can prove that it is equivalent in expressive power to DREs. The detailed proof is omitted here for reasons of space. For example, Figure 1 shows a loop-closed automaton in which the initial location is $v_1$ and the final location is $v_6$; its behaviour can be expressed by the following DRE $R$:

$$R = (s_1;\ 2\int s_1 = 5)^\frown\big(R_1^{*}{}^\frown s_2^\frown s_5;\ 15 \leq 2\int s_2 + \int s_3 - 3\int s_4 + 0.5\int s_5\big)$$

where

$$R_1 = (s_2^\frown s_3^\frown s_4;\ 5 \leq 2\int s_2 + \int s_3) + (s_2^\frown s_3^\frown s_4;\ 3 \leq -2\int s_3 + \int s_4).$$

[Figure 1: A loop-closed automaton. The diagram itself is not recoverable from the extraction; it has locations $v_1$ to $v_6$ (with states $s_1$ to $s_6$), each labelled with rates for the variables $x$, $y$ and $z$ (for example $v_3$: $\dot{x} = 1$, $\dot{y} = -2$, $\dot{z} = 1$; $v_4$: $\dot{x} = 0$, $\dot{y} = 1$, $\dot{z} = -3$), and transitions carrying guards on $x$, $y$ and $z$ and the resets $x := 0$ and $y := 0$.]
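As an added illustration that is not code from the paper, the following Python encodes Definition 1 as a small syntax tree and decides whether a timed sequence belongs to $L(R)$ by structural recursion over the seven clauses (trying every split point for concatenation and repetition, and evaluating each duration constraint over exactly the block its sub-expression matched). The class and function names are my own; the expression built at the bottom is the DRE $R$ of Figure 1 from the paper, and the sample behaviours fed to it are constructed here.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Dict, List, Tuple, Union

INF = float("inf")

# A timed sequence (s_1, t_1)^(s_2, t_2)^...^(s_m, t_m) as a list of (state, duration) pairs.
TimedSeq = List[Tuple[str, float]]


# Syntax tree for DREs (class names are my own, not the paper's).
@dataclass
class Eps:              # the empty sequence
    pass

@dataclass
class State:            # a single state s, matching (s, t) for any t >= 0
    name: str

@dataclass
class Concat:           # R1 ^ R2
    left: "DRE"
    right: "DRE"

@dataclass
class Alt:              # R1 + R2 (union of languages)
    left: "DRE"
    right: "DRE"

@dataclass
class Both:             # R1 ∩ R2 (intersection of languages)
    left: "DRE"
    right: "DRE"

@dataclass
class Star:             # R*
    body: "DRE"

@dataclass
class Constrained:      # (R; lower <= sum_s coeffs[s] * int(s) <= upper); use -INF / INF for a missing bound
    body: "DRE"
    lower: float
    coeffs: Dict[str, float]
    upper: float

DRE = Union[Eps, State, Concat, Alt, Both, Star, Constrained]


def duration(seq: TimedSeq, state: str) -> float:
    """Integrated duration of `state` in `seq`: the sum of t_u over positions u with s'_u = state."""
    return sum(t for s, t in seq if s == state)


def holds(seq: TimedSeq, lower: float, coeffs: Dict[str, float], upper: float) -> bool:
    """Does `seq` satisfy the duration constraint lower <= sum_i c_i * int(s_i) <= upper?"""
    value = sum(c * duration(seq, s) for s, c in coeffs.items())
    return lower <= value <= upper


def member(expr: DRE, seq: TimedSeq) -> bool:
    """Decide seq in L(expr) by recursion over the clauses of Definition 1."""
    if isinstance(expr, Eps):
        return len(seq) == 0
    if isinstance(expr, State):
        return len(seq) == 1 and seq[0][0] == expr.name and seq[0][1] >= 0
    if isinstance(expr, Concat):        # try every split seq = seq[:k] ^ seq[k:]
        return any(member(expr.left, seq[:k]) and member(expr.right, seq[k:])
                   for k in range(len(seq) + 1))
    if isinstance(expr, Alt):
        return member(expr.left, seq) or member(expr.right, seq)
    if isinstance(expr, Both):
        return member(expr.left, seq) and member(expr.right, seq)
    if isinstance(expr, Star):          # m = 0 iterations, or a non-empty first block in L(R) followed by R*
        return len(seq) == 0 or any(member(expr.body, seq[:k]) and member(expr, seq[k:])
                                    for k in range(1, len(seq) + 1))
    if isinstance(expr, Constrained):   # the constraint is evaluated over exactly the block matched by R
        return member(expr.body, seq) and holds(seq, expr.lower, expr.coeffs, expr.upper)
    raise TypeError(f"not a DRE: {expr!r}")


def concat(*parts: DRE) -> DRE:
    return reduce(Concat, parts)


# The DRE R of Figure 1 from the paper; R1 is the loop body.
s1, s2, s3, s4, s5 = (State(n) for n in ("s1", "s2", "s3", "s4", "s5"))
R1 = Alt(Constrained(concat(s2, s3, s4), 5, {"s2": 2, "s3": 1}, INF),
         Constrained(concat(s2, s3, s4), 3, {"s3": -2, "s4": 1}, INF))
R = Concat(Constrained(s1, 5, {"s1": 2}, 5),
           Constrained(concat(Star(R1), s2, s5), 15, {"s2": 2, "s3": 1, "s4": -3, "s5": 0.5}, INF))


def in_figure1_language(seq: TimedSeq) -> bool:
    return member(R, seq)


if __name__ == "__main__":
    # constructed sample behaviours: one loop iteration, then a run that fails 2*int(s1) = 5
    print(in_figure1_language([("s1", 2.5), ("s2", 1), ("s3", 3), ("s4", 1), ("s2", 2), ("s5", 20)]))
    print(in_figure1_language([("s1", 2), ("s2", 2), ("s5", 22)]))
```

The `Star` case only splits off non-empty first blocks: any concatenation $\sigma_1^\frown\cdots^\frown\sigma_m$ with empty pieces is the same sequence as the one with those pieces dropped, so nothing is lost and the recursion always makes progress. Note that the outer constraint on $R_1^{*\frown}s_2^\frown s_5$ sums $\int s_2$ over every occurrence of $s_2$ in that block, including the ones inside loop iterations, which is exactly the scoping rule the paper's Conclusion relies on.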

3 The Basic Idea to Attack Verification Problems for Loop-closed Automata

In this section, based on duration-constrained regular expressions, we give the basic idea for attacking some verification problems for loop-closed automata. For loop-closed automata, we attempt to solve the verification problems for

- reachability;
- linear duration invariants.

We consider a typical reachability problem: given a final location $s$, is there a behaviour of the automaton terminating at location $s$? Suppose $R$ is a DRE representing the behaviour of the automaton terminating at location $s$. Then the reachability problem can be solved by checking the emptiness of $R$, i.e. whether $L(R) = \emptyset$.

Linear duration invariants, described in [4,6], form a class of Duration Calculus formulas. A linear duration invariant is of the form

$$T \geq \int 1 \geq t \ \Rightarrow\ \bigwedge_{j=1}^{k} \Big(\sum_{i=1}^{n} c_{ij} \int S_i \leq M_j\Big),$$

where $T$, $t$, $c_{ij}$, $M_j$ are real numbers ($T$ may be $\infty$), and the $S_i$ are system states. It consists of two parts: a premise, which represents a time interval, and a conclusion, which is a group of linear inequalities over integrated durations of system states. The meaning of a linear duration invariant is: if the system is observed for a time interval satisfying the premise, then the durations of the system states must satisfy the conclusion. It turns out that many real-time properties can be written as linear duration invariants.

By the definition of linear duration invariants, a timed sequence $\sigma = (s_1, t_1)^\frown(s_2, t_2)^\frown\cdots^\frown(s_m, t_m)$ satisfies a linear duration invariant $T \geq \int 1 \geq t \Rightarrow \bigwedge_{j=1}^{k} (\sum_{i=1}^{n} c_{ij} \int S_i \leq M_j)$ if and only if

$$T \geq \ell(\sigma) \geq t \ \Rightarrow\ \bigwedge_{j=1}^{k} \Big(\sum_{i=1}^{n} c_{ij} \Big(\sum_{u \in \Gamma_i} t_u\Big) \leq M_j\Big),$$

where $\ell(\sigma) = t_1 + t_2 + \cdots + t_m$ is the length of $\sigma$ and $\Gamma_i \mathrel{\hat{=}} \{u \mid (1 \leq u \leq m) \wedge (s_u \Rightarrow S_i)\}$. A hybrid automaton satisfies a linear duration invariant if and only if every timed sequence expressing its behaviour satisfies the linear duration invariant.

Now let us consider the problem of checking a DRE. First we introduce two concepts about DREs. A simple DRE is a DRE in which there is no occurrence of the combinators $+$, $\cap$ and $^*$. By a normal form we mean a DRE of the form $R_1 + R_2 + \cdots + R_m$, where the $R_j$ are simple DREs.

Then we consider the simple case of the problem: checking a simple DRE. We know that for a simple DRE $R$ there are $s_1, s_2, \ldots, s_m$ such that any timed sequence $\sigma \in L(R)$ has the form $\sigma = (s_1, t_1)^\frown(s_2, t_2)^\frown\cdots^\frown(s_m, t_m)$, where $t_1, t_2, \ldots, t_m$ must satisfy a group $C_1$ of linear inequalities. So, on one hand, checking the emptiness of $R$ amounts to checking whether the group $C_1$ of linear inequalities has no solution, which can be done by linear programming. On the other hand, by the definition of linear duration invariants, checking $R$ for a linear duration invariant $T \geq \int 1 \geq t \Rightarrow \bigwedge_{j=1}^{k} (\sum_{i=1}^{n} c_{ij} \int S_i \leq M_j)$ is equivalent to the problem of finding the maximum value of the linear function

$$\sum_{i=1}^{n} c_{ij} \Big(\sum_{u \in \Gamma_i} t_u\Big)$$

subject to the linear constraints $C_1$ and $t \leq t_1 + t_2 + \cdots + t_m \leq T$, and checking whether it is not greater than $M_j$, for all $j = 1, \ldots, k$; this can be solved by linear programming.

The above result can be generalised to normal forms. For any normal form $N = R_1 + R_2 + \cdots + R_m$, since each $R_i$ ($1 \leq i \leq m$) is a simple DRE, checking $N$ is equivalent to checking each $R_i$ ($1 \leq i \leq m$), which can be solved by linear programming.

Now we consider the problem of checking a general DRE. The basic idea is to find a normal form for the DRE such that the two are equivalent for the problem at hand. That is:

- for a general DRE $R$, if we can effectively find a normal form $N$ such that $L(R) = \emptyset$ if and only if $L(N) = \emptyset$, then we can check the emptiness of $R$ effectively;
- for a general DRE $R$ and a linear duration invariant $D$, if we can effectively find a normal form $N$ such that $R \models D$ if and only if $N \models D$, then we can check $R \models D$ effectively.
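As an added example, not the paper's own code, here is the checking procedure for a simple DRE from this section carried out in Python. A simple DRE is represented as its word of states $s_1 \ldots s_m$ plus duration constraints, each scoped to the block of positions matched by the sub-expression it is attached to; the group $C_1$ is built from them, emptiness is decided by testing whether $C_1$ has a solution, and a linear duration invariant is checked per conjunct $j$ by asking whether $C_1$, the premise $t \leq t_1 + \cdots + t_m \leq T$ and the strict inequality $\sum_i c_{ij} \int S_i > M_j$ have a common solution (which is exactly the condition that the maximum in the text exceeds $M_j$). Instead of calling a linear-programming solver, feasibility is decided exactly by Fourier-Motzkin elimination over rationals, so the block runs with the standard library only; all function names and the sample DRE at the bottom are my own constructions.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

INF = float("inf")

# A simple DRE: a word s_1 ... s_m of states (position u holds state s_u for t_u time units) plus
# constraints (a, coeffs, b, lo, hi) meaning  a <= sum_s coeffs[s] * int(s) <= b  with int(s) taken over
# the positions lo <= u < hi that the constrained sub-DRE matches (nested constraints give nested blocks).
Constraint = Tuple[float, Dict[str, float], float, int, int]
Ineq = Tuple[List[Fraction], Fraction, bool]      # sum(coef[u] * t_u) <= rhs, or < rhs when strict is True


def linear_form(states: List[str], coeffs: Dict[str, float], lo: int, hi: int) -> List[Fraction]:
    """Coefficients over t_1..t_m of sum_s coeffs[s] * int(s), with int(s) summed over positions [lo, hi)."""
    return [Fraction(coeffs.get(s, 0)) if lo <= u < hi else Fraction(0) for u, s in enumerate(states)]


def system_c1(states: List[str], constraints: List[Constraint]) -> List[Ineq]:
    """The group C_1 of linear inequalities that t_1..t_m must satisfy for (s_1,t_1)^...^(s_m,t_m) in L(R)."""
    m = len(states)
    ineqs: List[Ineq] = []
    for u in range(m):                                  # t_u >= 0, written as -t_u <= 0
        row = [Fraction(0)] * m
        row[u] = Fraction(-1)
        ineqs.append((row, Fraction(0), False))
    for a, coeffs, b, lo, hi in constraints:
        form = linear_form(states, coeffs, lo, hi)
        if b != INF:                                    # form <= b
            ineqs.append((form, Fraction(b), False))
        if a != -INF:                                   # form >= a, written as -form <= -a
            ineqs.append(([-c for c in form], Fraction(-a), False))
    return ineqs


def feasible(ineqs: List[Ineq], nvars: int) -> bool:
    """Fourier-Motzkin elimination: True iff the (possibly strict) system has a real solution."""
    rows = list(ineqs)
    for x in range(nvars):
        pos = [r for r in rows if r[0][x] > 0]
        neg = [r for r in rows if r[0][x] < 0]
        rest = [r for r in rows if r[0][x] == 0]
        for cp, bp, sp in pos:
            for cn, bn, sn in neg:
                # cp[x] * (neg row) + (-cn[x]) * (pos row) cancels x; both multipliers are positive,
                # and the combination is strict if either parent was strict.
                kn, kp = cp[x], -cn[x]
                coef = [kn * cn[i] + kp * cp[i] for i in range(nvars)]
                rest.append((coef, kn * bn + kp * bp, sp or sn))
        rows = rest
    # only constant inequalities 0 <= rhs (or 0 < rhs) remain
    return all(rhs > 0 if strict else rhs >= 0 for _, rhs, strict in rows)


def is_empty(states: List[str], constraints: List[Constraint]) -> bool:
    """L(R) is empty iff C_1 has no solution."""
    return not feasible(system_c1(states, constraints), len(states))


def satisfies_ldi(states: List[str], constraints: List[Constraint], t: float, T: float,
                  conclusions: List[Tuple[Dict[str, float], float]]) -> bool:
    """R |= (t <= int(1) <= T  =>  AND_j sum_i c_ij * int(S_i) <= M_j), the S_i given as state names.
    The maximum of sum_i c_ij * int(S_i) over C_1 and the premise is <= M_j exactly when C_1, the
    premise and 'sum > M_j' have no common solution, so each conjunct becomes one feasibility test."""
    m = len(states)
    base = system_c1(states, constraints)
    ones = [Fraction(1)] * m                            # int(1) = t_1 + ... + t_m
    if T != INF:
        base.append((ones, Fraction(T), False))          # int(1) <= T
    base.append(([-c for c in ones], Fraction(-t), False))   # int(1) >= t
    for coeffs, M in conclusions:
        form = linear_form(states, coeffs, 0, m)
        violating = base + [([-c for c in form], Fraction(-M), True)]   # sum > M  <=>  -sum < -M
        if feasible(violating, m):
            return False
    return True


# Constructed sample (not from the paper): the simple DRE
#   (s1; 2*int(s1) = 5) ^ (s2 ^ s3; 5 <= 2*int(s2) + int(s3) <= 8)
STATES = ["s1", "s2", "s3"]
CONSTRAINTS: List[Constraint] = [(5, {"s1": 2}, 5, 0, 1), (5, {"s2": 2, "s3": 1}, 8, 1, 3)]

if __name__ == "__main__":
    print("empty:", is_empty(STATES, CONSTRAINTS))
    # int(s2) - int(s3) <= 4 holds (the maximum is exactly 4, attained at t2 = 4, t3 = 0)
    print("holds:", satisfies_ldi(STATES, CONSTRAINTS, 0, INF, [({"s2": 1, "s3": -1}, 4)]))
```

Exact rational arithmetic matters here: the equality constraint $2\int s_1 = 5$ is encoded as the pair $2t_1 \leq 5$, $-2t_1 \leq -5$, and the decision "maximum not greater than $M_j$" turns on whether the strict inequality is satisfiable, both of which floating-point LP solvers decide only up to a tolerance. Fourier-Motzkin can blow up exponentially in the number of variables, so for larger words the same encoding should be handed to an LP solver, as the section proposes.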

4 Some Verification Results on DREs

In this section, based on DREs, we present some verification results for loop-closed automata that we have obtained.

For the class of loop-closed automata whose behaviour can be represented by the class of DREs in which any duration constraint is of the form

$$a \leq \int s_1 + \int s_2 + \cdots + \int s_m \leq b$$

and in which there is no occurrence of the combinator $\cap$, we showed in [8] that the satisfaction problem for linear duration invariants can be solved by linear programming. This class of automata is a class of timed automata.

In [9], we considered the class of loop-closed automata whose behaviour can be represented by a class of DREs whose elements are called S1DREs, defined as follows.

Definition 2. S1DREs over a finite set $S = \{s_1, s_2, \ldots, s_m\}$ of states form a subclass of DREs which are defined recursively as follows:

1. $\varepsilon$ is an S1DRE.
2. If $s$ is a state, then $s$ is an S1DRE.
3. If $R_1$ and $R_2$ are S1DREs, then $R_1^\frown R_2$ and $R_1 + R_2$ are S1DREs.
4. If $R$ is an S1DRE, then $R^*$ is an S1DRE.
5. If $R$ is an S1DRE, then $(R;\ a \leq \sum_{i=1}^{m} \int s_i \leq b)$ is an S1DRE.
6. If $R$ is an S1DRE in which there is no occurrence of the combinators $+$ and $^*$, then $(R;\ a \leq \sum_{i=1}^{m} c_i \int s_i \leq b)$ is an S1DRE, where $a$, $b$ and the $c_i$ are real numbers.

We solved the satisfaction problem of this class of loop-closed automata for linear duration invariants.

In [10], we considered a larger class of loop-closed automata whose behaviour can be expressed by a class of DREs whose elements are called S2DREs, defined as follows.

Definition 3. S2DREs over a finite set $S = \{s_1, s_2, \ldots, s_m\}$ of states form a subclass of DREs which are defined recursively as follows:

1. $\varepsilon$ is an S2DRE.
2. If $s$ is a state, then $s$ is an S2DRE.
3. If $R_1$ and $R_2$ are S2DREs, then $R_1^\frown R_2$ and $R_1 + R_2$ are S2DREs.
4. If $R$ is an S2DRE, then $R^*$ is an S2DRE.
5. For each $i$ ($1 \leq i \leq n$), let $R_i$ be an S2DRE and $S_i = \{s_{i1}, s_{i2}, \ldots, s_{im}\}$ the set of states occurring in $R_i$, such that $S_i \cap S_j = \emptyset$ for all $i, j$ ($1 \leq i, j \leq n$, $i \neq j$). For each $i$ ($1 \leq i \leq n$), let $\Gamma_i = \sum_{j=1}^{m} \int s_{ij}$. Then

$$(R_1^\frown R_2^\frown\cdots^\frown R_n;\ a_1 \leq \sum_{i=1}^{n} c_{i1} \Gamma_i \leq b_1) \cap (R_1^\frown R_2^\frown\cdots^\frown R_n;\ a_2 \leq \sum_{i=1}^{n} c_{i2} \Gamma_i \leq b_2) \cap \cdots \cap (R_1^\frown R_2^\frown\cdots^\frown R_n;\ a_m \leq \sum_{i=1}^{n} c_{im} \Gamma_i \leq b_m)$$

is an S2DRE, where for any $i$ ($1 \leq i \leq n$) and $j$ ($1 \leq j \leq m$), if there is an occurrence of the combinator $^*$ in $R_i$ and $c_{ij} \neq 0$, then $c_{1j}, c_{2j}, \ldots, c_{nj}$ are nonnegative.

We showed that for this class of loop-closed automata, the reachability problem and the satisfaction problem for linear duration invariants are decidable.

[Figure 2: A hybrid automaton whose language cannot be expressed by DREs. It is constructed from the automaton of Figure 1 by moving the reset $y := 0$; the diagram itself is not recoverable from the extraction.]

5 Conclusion

In this paper, we introduced duration-constrained regular expressions to model real-time and hybrid systems. This formalism is equivalent in expressive power to a class of linear hybrid automata called loop-closed automata, in which any variable tested in a loop is reset or tested to exact values in the same loop, so that, based on duration-constrained regular expressions, we can attack some verification problems of this class of linear hybrid automata. We are inspired by the work in [7], which introduces timed regular expressions with the same expressive power as timed automata. The formalism of timed regular expressions is an extension of regular expressions with time intervals, which is equivalent in expressive power to the class of duration-constrained regular expressions in which any duration constraint is of the form

$$a \leq \int s_1 + \int s_2 + \cdots + \int s_m \leq b.$$

It seems that not every timed automaton is loop-closed, but in fact for any timed automaton which is not loop-closed we can construct a loop-closed timed automaton which accepts the same language. It should be noted that not every linear hybrid automaton has a language that can be expressed by a duration-constrained regular expression. The reason is that a duration constraint can only be attached to a fixed DRE, so that the scope of a duration constraint inside a repetition is just one step of the repetition. For example, the language of the automaton in Figure 2, which is constructed from the automaton in Figure 1 by moving the reset action $y := 0$ labelled on the transition from $v_2$ to $v_3$, cannot be expressed by any duration-constrained regular expression.

References

[1] Zhou Chaochen, C.A.R. Hoare, A.P. Ravn. A Calculus of Durations. Information Processing Letters, 40(5), 1991, pp. 269-276.
[2] Thomas A. Henzinger. The Theory of Hybrid Automata. In Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science (LICS 1996), pp. 278-292.
[3] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, S. Yovine. The Algorithmic Analysis of Hybrid Systems. Theoretical Computer Science, 138 (1995), pp. 3-34.
[4] Zhou Chaochen, Zhang Jingzhong, Yang Lu and Li Xiaoshan. Linear Duration Invariants. In Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 863, pp. 88-109.
[5] Thomas A. Henzinger, Peter W. Kopke, Anuj Puri, and Pravin Varaiya. What's Decidable About Hybrid Automata? In Proceedings of the 27th Annual ACM Symposium on Theory of Computing (STOC), 1995, pp. 373-382.
[6] Y. Kesten, A. Pnueli, J. Sifakis, S. Yovine. Integration Graphs: A Class of Decidable Hybrid Systems. In Hybrid Systems, LNCS 736, pp. 179-208.
[7] Eugene Asarin, Paul Caspi, Oded Maler. A Kleene Theorem for Timed Automata. In Proceedings of Logic in Computer Science, IEEE Computer Society, 1997.
[8] Li Xuandong, Dang Van Hung. Checking Linear Duration Invariants by Linear Programming. In Concurrency and Parallelism, Programming, Networking, and Security, LNCS 1179, Springer, 1996, pp. 321-332.
[9] Li Xuandong, Dang Van Hung, and Zheng Tao. Checking Hybrid Automata for Linear Duration Invariants. In Advances in Computing Science - ASIAN'97, LNCS 1345, Springer, 1997, pp. 166-1180.
[10] Li Xuandong, Zheng Tao, Hou Jianmin, Zhao Jianhua, and Zheng Guoliang. Hybrid Regular Expressions. In Hybrid Systems: Computation and Control, LNCS 1386, Springer, 1998, pp. 384-399.