Dependable software systems engineering 9781614998099, 9781614998105

Cyber-physical systems closely combine and coordinate subsystems consisting of both computational and physical elements.

576 134 5MB

English Pages 257 Year 2017

Report DMCA / Copyright

DOWNLOAD FILE

Polecaj historie

Dependable software systems engineering
 9781614998099,  9781614998105

Citation preview

DEPENDABLE SOFTWARE SYSTEMS ENGINEERING

NATO Science for Peace and Security Series This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy. Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action. Following a transformation of the programme in 2006 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in cooperation with NATO Emerging Security Challenges Division. Sub-Series A. B. C. D. E.

Chemistry and Biology Physics and Biophysics Environmental Security Information and Communication Security Human and Societal Dynamics

Springer Science and Business Media Springer Science and Business Media Springer Science and Business Media IOS Press IOS Press

http://www.nato.int/science http://www.springer.com http://www.iospress.nl

Sub-Series D: Information and Communication Security – Vol. 50 ISSN 1874-6268 (print) ISSN 1879-8292 (online)

Dependable Software Systems Engineering

Edited by

Alexander Pretschner Technische Universität München, Germany

Doron Peled Bar Ilan University, Israel

and

Thomas Hutzelmann Technische Universität München, Germany

Amsterdam • Berlin • Washington, DC Published in cooperation with NATO Emerging Security Challenges Division

Proceedings of the NATO Advanced Study Institute on Dependable Software Systems Engineering Marktoberdorf, Germany 3–12 August 2016

© 2017 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN 978-1-61499-809-9 (print) ISBN 978-1-61499-810-5 (online) Library of Congress Control Number: 2017952273 Publisher IOS Press BV Nieuwe Hemweg 6B 1013 BG Amsterdam Netherlands fax: +31 20 687 0019 e-mail: [email protected] For book sales in the USA and Canada: IOS Press, Inc. 6751 Tepper Drive Clifton, VA 20124 USA Tel.: +1 703 830 6300 Fax: +1 703 830 2300 [email protected]

LEGAL NOTICE The author(s) of this publication is/are solely responsible for its content. This publication does not reflect the opinion of the publisher. The publisher cannot be held liable for any loss or damage that may occur because of this publication. PRINTED IN THE NETHERLANDS

v

Preface Almost all technical systems nowadays are in large part software systems themselves, or interface with software systems. The ubiquity of software systems requires them not to harm their environment (safety); and at the same time makes them vulnerable to security attacks with potentially considerable economic, political, and physical damage. A better understanding of security and safety; improving the general quality of complex software systems (cyber defense and new technologies to support the construction of information technology infrastructure) and the respective development processes and technologies are crucial challenges for the functioning of society. Security and safety, or reliability, both are essential facets of the trustworthiness of modern cyber-physical systems. Cyber-physical systems more and more tightly combine and coordinate subsystems consisting of both computational and physical elements. Such systems become indispensable in the domains of aerospace, automotive, industry automation, and consumer appliances. Protecting data within these systems from attacks by external attackers (security), and protecting the environment from misbehaviour of these systems (safety) are two subjects traditionally considered separately. However, a closer look reveals that the techniques for construction and analysis of software-based systems used in both security and safety are not necessarily fundamentally different. Along these lines, the 2016 Marktoberdorf summer school on software engineering, the 37th of its kind, was concerned with engineering dependable software systems. RAJEEV ALUR and KONSTANTINOS MAMOURAS lectured on Regular Functions: Foundations and Application to Quantitative Policies over Streaming Data. Their concern is the following. When should a function mapping strings to strings, or strings to numerical costs, or more generally, strings/trees/infinitestrings to a set of output values with a given set of operations, be considered regular? In earlier work, they had proposed a new machine model of cost register automata, a class of write-only programs, to define such a notion of regularity. The class of regular functions has appealing theoretical properties analogous to regular languages: it is closed under a variety of function transformations, analysis questions such as equivalence and type checking are decidable, and has exact logical and algebraic characterizations. Accordingly, they first gave an overview of theoretical results. Then, they focused on applying this theory to design and implementation of a policy language. Decision making in cyber-physical systems often requires dynamic monitoring of a data stream to compute performance-related quantitative properties. Alur and Mamouras therefore proposed Quantitative Regular Expressions as a highlevel declarative language for modular specifications of such quantitative policies. This language is rooted in the theory of regular functions, and every policy described in this language can be compiled into a space-efficient streaming imple-

vi

mentation. They described a prototype system that is integrated within an SDN controller and show how it can be used to specify and enforce dynamic updates for traffic engineering as well as in response to security threats. Alur and Mamouras concluded by outlining the rich opportunities for both theoretical investigations and practical systems for real-time decision making in IoT applications. BERND FINKBEINER lectured on Reactive Synthesis. Reactive synthesis automates the construction of reactive systems, such as hardware circuits, communication protocols, and embedded controllers. Instead of programming an implementation, the developer writes a formal specification of the desired system properties, for example in a temporal logic. Checking whether the specified properties are realizable and the construction of the actual implementation is taken care of by the synthesis algorithm. In this series of lectures, Finkbeiner traced the developments triggered by Alonzo Church’s original formulation of the synthesis problem almost sixty years ago, from the early solutions in the 1960s to the practical tools that have come out in the past few years. The lectures gave an overview on the automata- and game-theoretic foundations, explored the spectrum of logics for the synthesis of reactive systems, from reduced logics with simpler synthesis problems like GR(1) to advanced logics such as strategy and coordination logic, and discussed the ideas behind efficient synthesis approaches like bounded synthesis. The topics of RADU GROSU’s series of lectures were the Logical Foundations of Cyber-Physical Systems. The technological developments of the past two decades have nurtured a fascinating convergence of computer science and electrical, mechanical and biological engineering. Nowadays, computer scientists work hand in hand with engineers to model, analyze and control complex systems, that exhibit discrete as well as continuous behavior. Examples of such systems include automated highway systems, air traffic management, automotive controllers, robotics and real-time circuits. They also include biological systems, such as immune response, bio-molecular networks, gene regulatory networks, proteinsignaling pathways and metabolic processes. The more pervasive and more complex these systems become, the more the infrastructure of our modern society relies on their dependability. Traditionally however, the modeling, analysis and control theory of discrete systems is quite different from the one of continuous systems. The first is based on automata theory, a branch of discrete mathematics, where time is typically abstracted away. The second is based on linear systems theory, of differential (or difference) equations, a branch of continuous mathematics where time is of essence. Grosu’s course was focused on the principles underlying their combination. By the end of this course students had been provided with detailed knowledge and substantial experience in the mathematical modeling, analysis and control of hybrid systems. CONNIE HEITMEYER was concerned with Formal Requirements Models for System Safety and Security. To capture software system requirements, one must elicit and analyze the required externally visible behavior of the system to be built within some physical context. Moreover, the system requirements should be modeled and specified in terms of required system services and environmental assumptions. System requirements may be expressed in two different ways: as properties of the externally visible system behavior or as an operational sys-

vii

tem model. In either case, the system requirements are represented in terms of quantities in the system environment. Obtaining consistent, complete, and correct requirements models is difficult but extremely critical. Incorrect and incomplete requirements have been repeatedly identified as a major cause of project cost overruns, delivery delays, and failure to meet users expectations of the system. This series of lectures provided a systematic formal approach to the modeling, specification, validation, and verification of requirements for high assurance systemssystems where compelling evidence is needed that the system satisfies critical properties, such as security, safety, timing, and fault-tolerance properties. The objective of this approach for a given system is a complete, consistent, correct, and properly organized set of software requirements, including environmental assumptions. The approach is model-based and relies in part on the use of formal specifications for specific kinds of analyses. KIM LARSEN’S lectures covered the range From Timed Automata to Stochastic Hybrid Games – Model Checking, Synthesis, Performance Analysis and Machine Learning. Timed automata and games, priced timed automata and energy automata have emerged as useful formalisms for modeling real-time and energy-aware systems as found in several embedded and cyber-physical systems. During the last twenty years the real-time model checker UPPAAL has been developed allowing for efficient verification of hard timing constraints of timed automata. Moreover a number of significant branches exists, e.g. UPPAAL CORA providing efficient support for optimization, and UPPAAL TIGA allowing for automatic synthesis of strategies for given safety and liveness objectives. Also the branch UPPAAL SMC, provides a highly scalable new engine supporting (distributed) statistical model checking of stochastic hybrid automata, and most recently the new branch UPPAAL STRATEGO supporting safe and optimal strategies for stochastic hybrid games by combining symbolic methods with machine learning. The lectures reviewed the various branches of UPPAAL and their concerted applications to a range of real-time and cyber-physical examples including schedulability and performance evaluation of mixed criticality systems, modeling and analysis of biological systems, energy-aware wireless sensor networks, smart grids and smart houses and battery scheduling. ¨ PETER MULLER lectured on Modular Program Verification. Modular program verification constructs a correctness proof for each program component in isolation, without considering its clients or the implementations of the components it builds on. Modularity makes verification scalable, allows one to give correctness guarantees for individual components such as libraries, and reduces the re-verification effort required by program changes. Modular verification is especially difficult for heap-manipulating programs, where components may interact in subtle ways through shared memory, and for concurrent programs, where thread interleavings complicate reasoning. M¨ uller presented a verification approach that addresses these challenges using a notion of access permissions for memory locations. He introduced a permissionbased program logic (similar to separation logic) and explained how to automate verification in this logic using standard SMT solvers. In particular, he presented the Viper verification infrastructure, which allows one to express verification prob-

viii

lems in an intermediate language and provides several back-ends that automate the verification effort. The topics of DORON PELED’s lecture were Model checking and runtime verification. Automatic verification is used extensively to detect design and programming errors. Peled looked at various model checking techniques: from explicit states techniques, based on graph algorithms and automata theory, to methods based on efficient SAT solvers. Alternative methods and heuristics serve applications with different characteristics, e.g., software and hardware systems. In addition, he looked at runtime verification techniques that inspect the progress of executions as they unfold. ALEXANDER PRETSCHNER lectured on Defect-Based Testing. Intuition and text books suggest that “good” tests are those that unveil faults. Hypothesizing that there are correct programs, this means that there are no good tests for correct programs. A modified definition of good test cases then demands that tests unveil potential faults, and furthermore do so with good cost effectiveness. In this set of lectures, he studied the theoretical and empirical defect detection ability of partition-based testing, specifically coverage-based testing, both when used for test case selection and test case assessment. He then presented a theory of defect-based testing and showed how faults can be defined as a syntactic transformation and/or a characterization of the failure domain of a program. To show the applicability of this model, he presented how this theory captures defect models including simple division-by-zero or stuck-at-1 faults, but also limit testing, testing strategies for finite state machines, testing strategies for object-oriented software, performance as well as security testing, common concurrency faults, and combinatorial testing. By means of examples, he showed how to operationalize these defect models for test case generation in the context of security testing and testing embedded systems. GRIGORE ROSUE presented K – a semantic framework for programming languages and formal analysis tools. K is a rewrite-based executable semantic framework in which programming languages, type systems and formal analysis tools can be defined using configurations, computations and rules. Configurations organize the state in units called cells, which are labeled and can be nested. Computations carry computational meaning as special nested list structures sequentializing computational tasks, such as fragments of program. Computations extend the original language abstract syntax. K (rewrite) rules make it explicit which parts of the term they read-only, write-only, read-write, or do not care about. This makes K suitable for defining truly concurrent languages even in the presence of sharing. Computations are like any other terms in a rewriting environment: they can be matched, moved from one place to another, modified, or deleted. This makes K suitable for defining control-intensive features such as abrupt termination, exceptions or call/cc. Several real languages have been defined in K, such as C (ISO C11 standard), Java (1.4), JavaScript (ES5), Python, Scheme, Verilog, and dozens of prototypical or classroom ones. The lessons taught attendees how to define a language or a type system in K, and then how to automatically obtain an executable model of the defined language or system which is amenable to formal analysis. Major real language

ix

semantics defined in K were also discussed, as well as commercial formal analysis tools based on them, such as the the RV-Match ISO C11 undefinedness checker. JOHN RUSHBY was concerned with Assurance Cases for Dependable Software Systems. There are uncertainties in the world, so it is impossible to claim that a dependable system will be perfect; instead one can claim that its serious failures will be very rare. For example, the top-level claim for critical airplane software is that catastrophic failure conditions are not expected to occur in the operational lifetime of all airplanes of the type concerned. This can be interpreted as catastrophic failure rate less than one in a billion hours. One cannot experimentally validate such tiny probabilities during development. Instead, one attempts to eliminate faults using good engineering practice, testing, and formal methods. What is the relationship between failure rates and attempted elimination of faults? And how does one “build the case” that our software is dependable? Rushby’s lectures focused on the topic of an “Assurance Case,” where a structured argument is used to justify claims about system dependability, based on evidence about its design, implementation, and behavior. This involved considerations of evidence and argumentation, runtime monitoring, trust in tools, and related topics. Along the way Rushby introduced interactive theorem proving (assuming no one else does so) and will conclude with future challenges, such as assurance for automated driving. MANFRED BROY gave a guest lecture on An Integrated Service-Oriented Modeling Approach of Functionality and Architecture of Multifunctional Systems where he starts from the observation that distributed interacting real time systems are the dominating paradigm in software intensive applications of today. Instances are advanced embedded systems such as found in cars, airplanes, or robots as well as distributed information systems and global networks, such as the Internet. It is essential in the development of those systems to model the following aspects: system interface behavior und functional architecture, assumptions about the system contexts, structured views on component architecture and the interaction of the components. Broy presented a service-oriented approach in terms of an integrated modeling framework for interactive distributive systems with particular emphasis on requirements and architecture modeling introducing service layers and layered architecture. Finally, MARK RYAN lectured on Security-focussed protocols, and verification challenges. His lectures considered examples of security-focussed protocols, such as those used in internet-based voting, cryptocurrencies (like Bitcoin), secure messaging, and also the internet of things. The design and intended properties of these protocols was discussed, along with challenges for verifying them.This volume does not contain lecture notes for this series of lectures. We thank all the lecturers, the staff, and hosts in Marktoberdorf. Specifically, Traudl Fichtl from TU M¨ unchen was instrumental in organizing the school. With the help of Helma Pillar, she helped make the 2016 Marktoberdorf summer school a most rewarding experience, both academically and personally. The Editors

This page intentionally left blank

2016 Marktoberdorf summer school on software engineering. xi

This page intentionally left blank

xiii

Contents Preface

v

An Introduction to the StreamQRE Language Rajeev Alur and Konstantinos Mamouras

1

Reactive Synthesis: Towards Output-Sensitive Algorithms Bernd Finkbeiner and Felix Klein

25

Computing the Next-State Function of a Requirements Model C.L. Heitmeyer, E.I. Leonard and M.M. Archer

44

From Timed Automata to Stochastic Hybrid Games Model Checking, Synthesis, Performance Analysis and Machine Learning Kim G. Larsen, Uli Fahrenberg and Axel Legay

60

Viper: A Verification Infrastructure for Permission-Based Reasoning Peter Müller, Malte Schwerhoff and Alexander J. Summers

104

Automata Based Validation Techniques Doron Peled

126

Defect-Based Testing Alexander Pretschner

141

Temporal Logic as Filtering Alena Rodionova, Ezio Bartocci, Dejan Nickovic and Radu Grosu

164

ॶ: A Semantic Framework for Programming Languages and Formal Analysis Tools Grigore Rosu

186

Assurance and Assurance Cases John Rushby

207

Subject Index

237

Author Index

239

This page intentionally left blank

Dependable Software Systems Engineering A. Pretschner et al. (Eds.) IOS Press, 2017 © 2017 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-810-5-1

1

An Introduction to the StreamQRE Language Rajeev ALUR and Konstantinos MAMOURAS Department of Computer and Information Science University of Pennsylvania Philadelphia, PA 19104, USA Abstract. Real-time decision making in emerging IoT applications typically relies on computing quantitative summaries of large data streams in an efficient and incremental manner. We give here an introduction to the StreamQRE language, which has recently been proposed for the purpose of simplifying the task of programming the desired logic in such stream processing applications. StreamQRE provides natural and high-level constructs for processing streaming data, and it offers a novel integration of linguistic constructs from two distinct programming paradigms: streaming extensions of relational query languages and quantitative extensions of regular expressions. The former allows the programmer to employ relational constructs to partition the input data by keys and to integrate data streams from different sources, while the latter can be used to exploit the logical hierarchy in the input stream for modular specifications. Keywords. data stream processing, Quantitative Regular Expressions

Introduction The last few years have witnessed an explosion of IoT systems in applications such as smart buildings, wearable devices, and healthcare [1]. A key component of an effective IoT system is the ability to make decisions in real-time in response to data it receives. For instance, a gateway router in a smart home should detect and respond in a timely manner to security threats based on monitored network traffic, and a healthcare system should issue alerts in real-time based on measurements collected from all the devices for all the monitored patients. While the exact logic for making decisions in different applications requires domain-specific insights, it typically relies on computing quantitative summaries of large data streams in an efficient and incremental manner. Programming the desired logic as a deployable implementation is challenging due to the enormous volume of data and hard constraints on available memory and response time. The recently proposed language StreamQRE [2] (pronounced StreamQuery) is meant to assist IoT programmers: it makes the task of specifying the desired decisionmaking logic simpler by providing natural and high-level declarative constructs for processing streaming data, and the proposed compiler and runtime system facilitates deployment with guarantees on memory footprint and per-item processing time. The StreamQRE language extends quantitative regular expressions—an extension of clas-

2

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

sical regular expressions for associating numerical values with strings [3], with constructs typical in extensions of relational query languages for handling streaming data [4,5,6,7,8,9,10,11]. The novel integration of linguistic constructs allows the programmer to impart to the input data stream a logical hierarchical structure (for instance, view patient data as a sequence of episodes and view network traffic as a sequence of Voice-over-IP sessions) and also employ relational constructs to partition the input data by keys (e.g., patient identifiers and IP addresses). The basic object in the language is a streaming query, which is modeled as a partial function from sequences of input data items to an output value (which can be a relation). We present the syntax and semantics of the StreamQRE language with type-theoretic foundations. In particular, each streaming query has an associated rate that captures its domain, that is, as it reads the input data stream, the prefixes that trigger the production of the output. In the StreamQRE calculus, the rates are required to be regular, captured by symbolic regular expressions, and the theoretical foundations of symbolic automata [12] lead to decision procedures for constructing well-typed expressions. Regular rates also generalize the concept of punctuations in streaming database literature [6]. The StreamQRE language has a small set of core combinators with clear semantics. An atomic query processes individual items. The constructs split and iter are quantitative analogs of concatenation and Kleene-iteration, and integrate hierarchical pattern matching with familiar sequential iteration over a list of values. The global choice operator or allows selection between two expressions with disjoint rates. The combination operator combine allows combining output values produced by multiple expressions with equivalent rates processing input data stream in parallel. The key-based partitioning operator map-collect is a generalization of the widely used map-reduce construct that partitions the input data stream into a set of sub-streams, one per key, and returns a relation. Finally, the streaming composition operator  streams the sequence of outputs produced by one expression as an input stream to another, allowing construction of pipelines of operators. The core StreamQRE constructs can be used to define a number of derived patterns that are useful in practice, such as tumbling and sliding windows [6], selection, and filtering. The language has been implemented as a Java library that supports the basic and derived constructs [13]. We show how to program in StreamQRE using an illustrative example regarding monitoring patient measurements, the recent Yahoo Streaming Benchmark for advertisement-related events [14], and the NEXMark Benchmark for auction bids [15]. These examples illustrate how hierarchically nested iterators and global case analysis facilitate modular stateful sequential programming, and key-based partitioning and relational operators facilitate traditional relational programming. The two styles offer alternatives for expressing the same query in some cases, while some queries are best expressed by intermingling the two views. Organization. The remaining paper is organized as follows. Section 1 introduces the syntax and semantics of the StreamQRE language, and explains how each construct is used with an illustrative example regarding monitoring patient measurements. Section 2 shows how to use StreamQRE to program some common stream transformation. Section 3 presents some example queries for the Yahoo Streaming Benchmark, and Section 4 gives queries for the NEXMark Benchmark.

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

3

1. The StreamQRE Language As a motivating example, suppose that a patient is being monitored for episodes of a physiological condition such as epilepsy [16], and the data stream consists of four types of events: (1) An event B marking the beginning of an episode, (2) a time-stamped measurement M(ts, val) by a sensor, (3) an event E marking the end of an episode, (4) and an event D marking the end of a day. Given such an input data stream, suppose we want to specify a policy f that outputs every day, the maximum over all episodes during that day, of the average of all measurements during an episode. A suitable abstraction is to impart a hierarchical structure to the stream: daily summary episode summary

The data stream is a sequence of days (illustrated as diamonds), where each day is a sequence of episodes (illustrated as rectangles), and each episode is a nonempty sequence of corresponding measurements (shown as circles) between a begin B marker (shown as an opening bracket) and an end E marker (shown as a closing bracket). The end-of-day marker is shown as a star. The regular expression ((B · M+ · E)∗ · D)∗ over the event types B, M, E and D specifies naturally the desired hierarchical structure. For simplicity, we assume that episodes do not span day markers. The policy f thus describes a hierarchical computation that follows the structure of this decomposition of the stream: the summary of each episode (pattern B·M+ ·E) is an aggregation of the measurements (pattern M) it contains, and similarly the summary of each day (pattern (B · M+ · E)∗ · D) is an aggregation of the summaries of the episodes it contains. In order for the policy to be fully specified, the hierarchical decomposition (parse tree) of the stream has to be unique. Otherwise, the summary would not be uniquely determined and the policy would be ambiguous. To guarantee uniqueness of parsing at compile time, each policy f describes a symbolic unambiguous regular expression, called its rate, which allows for at most one way of decomposing the input stream. The qualifier symbolic means that the alphabets (data types) can be of unbounded size, and that unary predicates are used to specify classes of letters (data items) [12]. The use of regular rates implies decidability of unambiguity. Even better, there are efficiently checkable typing rules that guarantee unambiguity for all policies [17,18,19]. To define quantitative queries, we first choose a typed signature which describes the basic data types and operations for manipulating them. We fix a collection of basic types, and we write A, B, . . . to range over them. This collection contains the type Bool of boolean values, and the unit type Ut whose unique inhabitant is denoted by def. It is also closed under the cartesian product operation × for forming pairs of values. Typical examples of basic types are the natural numbers Nat, the integers Int, and the real numbers R. We also fix a collection of basic operations on the basic types, for example the k-ary operation op : A1 × · · · × Ak → B. The identity function on D is written as idD : D → D, and the operations π1 : A × B → A and π2 : A × B → B are the left and right projection respectively. We assume that the collection of operations contains all identities and pro-

4

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

jections, and is closed under pairing and function composition. To describe derived operations we use a variant of lambda notation that is similar to Java’s lambda expressions [20]. That is, we write (A x) -> t(x) to mean λ x:A.t(x) and (A x, B y, C z) -> t(x, y, z) to mean λ x:A, y:B, z:C.t(x, y, z). For example, the identity function on D is (D x) -> x, the left projection on A × B is (A x, B y) -> x, the right projection on A × B is (A x, B y) -> y, and (D x) -> def is the unique function from D to Ut. We will typically use lambda expressions in the context of queries from which the types of the input variables can be inferred, so we will omit them as in (x, y) -> x. For every basic type D, assume that we have fixed a collection of atomic predicates, so that the satisfiability of their Boolean combinations (built up using the Boolean operations: and, or, not) is decidable. We write ϕ : D → Bool to indicate that ϕ is a predicate on D, and we denote by trueD : D → Bool the predicate that is always true. The predicate ((Int x) -> x > 0) : Int → Bool is true of the strictly positive integers. Example 1. For the example patient-monitoring stream described previously, suppose that we now allow the stream to contain information for several patients. The data type DP for this multiple-patient monitoring stream is the tagged (disjoint) union: DP = {D} ∪ {B(p), E(p) | p ∈ PID} ∪ {M(p,t, v) | p ∈ PID, t ∈ T, and v ∈ V}, where PID is the set of patient identifiers, T is the set of timestamps, and V is the set of scalars for the measurements. The projection functions typ : DP → {D, B, E, M}, pId : DP → PID, ts : DP → T and val : DP → V get the type, patient identifier, timestamp, and value of a data item respectively (when undefined, the functions simply return some default value). For a data item x ∈ DP , we write x.typ, x.pId, x.ts and x.val to denote the application of these functions. Symbolic regular expressions. For a type D, we define the set of symbolic regular expressions over D [21], denoted RED, with the following grammar: r ::= ϕ |

[predicate on D]

ε|

[empty sequence]

r r |

[nondeterministic choice]

r·r |

[concatenation]

r∗ .

[iteration]

The concatenation symbol · is sometimes omitted, that is, we write rs instead of r · s. The expression r+ (iteration at least once) abbreviates r · r∗ . We write r : RED to indicate the r is a regular expression over D. Every expression r : RED is interpreted as a set r ⊆ D∗ of finite sequences over D. ϕ  {d ∈ D | ϕ(d) = true} ε  {ε}

r s  r ∪ s

r∗  



n n≥0 r

r · s  r · s

For subsets X,Y ⊆ D∗ , we define X · Y = {uv | u ∈ X and v ∈ Y } and X n is given by induction on n as follows: X 0 = {ε} and X n+1 = X n · X. Two expressions are said to be equivalent is they denote the same language.

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

time

←−−−−−−−−−−−−−−−−−−

data item

stream seen so far

current output (if any)

ε

f (ε)

d1

d1

f (d1 )

d2

d1 d2

f (d1 d2 )

d3

d1 d2 d3

f (d1 d2 d3 )

d4

d1 d2 d3 d4

f (d1 d2 d3 d4 )

d5

d1 d2 d3 d4 d5

f (d1 d2 d3 d4 d5 )

5

···

Figure 1. A streaming transformation f specifies the output for every prefix of the stream.

Example 2. The symbolic regular expression ((Nat x) -> true)∗ · ((Nat x) -> x > 0) over the type Nat of natural numbers denotes all sequences that end with a strictly positive number. Unambiguity. The notion of unambiguity for regular expressions [17] is a way of formalizing the requirement of uniqueness of parsing. The languages L1 , L2 are said to be unambiguously concatenable if for every word w ∈ L1 · L2 there are unique w1 ∈ L1 and w2 ∈ L2 with w = w1 w2 . The language L is said to be unambiguously iterable if for every word w ∈ L∗ there is a unique integer n ≥ 0 and unique wi ∈ L with w = w1 · · · wn . The definitions of unambiguous concatenability and unambiguous iterability extend to regular expressions in the obvious way. Now, a regular expression is said to be unambiguous if it satisfies the following: 1. For every subexpression e1 e2 , e1 and e2 are disjoint. 2. For every subexpression e1 · e2 , e1 and e2 are unambiguously concatenable. 3. For every subexpression e∗ , e is unambiguously iterable. Checking whether a regular expression is unambiguous can be done in polynomial time. For the case of symbolic regular expressions this results still holds, under the assumption that satisfiability of the predicates can be decided in unit time [3]. Example 3. Consider the finite alphabet Σ = {a, b}. The regular expression r = (a + b)∗ b(a + b)∗ denotes the set of sequences with at least one occurrence of b. It is ambiguous, because the subexpressions (a+b)∗ b and (a+b)∗ are not unambiguously concatenable: the word w = ababa matches r, but there are two different splits w = ab · aba and w = abab · a that witness the ambiguity of parsing. The regular expressions a∗ b(a + b)∗ and (a + b)∗ ba∗ are both equivalent to r, and they are unambiguous. Streaming transformations. The basic object in the StreamQRE language is the query, which describes the transformation of an input stream into an output stream. At any given moment in time, only a finite number of data items have arrived, therefore a stream transformation can be modeled as a function from D∗ , where D is the type of input data items, to C, where C is the type of the outputs. In other words, the transformation describes how to aggregate the entire stream seen so far into an output value. As the input stream gets extended with more and more items, the emitted outputs form a stream of elements of C. We want to allow for the possibility of not having an output with every new element arrival, therefore a streaming transformation is modeled as a partial function D∗  C. See Figure 1 for an illustration.

6

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Example 4. For example, suppose we want to describe a filtering transformation on a stream of integers, where only the nonnegative numbers are retained and the negative numbers are filtered out. The function f : Int∗  Int that describes this transformation is defined on the nonempty sequences v1 v2 . . . vn with vn ≥ 0, and the value is the last number of the sequence, i.e. the current item.

time

←−−−−−−−−−−−−−−−−−−−−

data item

stream seen so far

current output (if any)

ε 3

3

−2

3 −2

3

4

3 −2 4

4

8

3 −2 4 8

8

−1

3 −2 4 8 −1

5

3 −2 4 8 −1 5

5

···

The set of stream prefixes for which this function is defined is denoted by the symbolic regular expression ((Int x) -> true)∗ · ((Int x) -> x > 0). After having consumed the input stream 3 −2 4 8 −1 5, the overall output stream is 3 4 8 5. The rate of a transformation describes which stream prefixes trigger the production of output. In some other formalisms, such as transducers [22,23] and synchronous languages [24], output is typically produced at every new data item arrival. In StreamQRE, on the other hard, output does not have to be produced with every new item. For example, after processing n data items, the output stream generally consists of k ≤ n items. Streaming Queries. We now introduce formally the language of Streaming Quantitative Regular Expressions (QREs) for representing stream transformations. For brevity, we also call these expressions queries. A query represents a streaming transformation whose domain is a regular set over the input data type. The rate of a query f, written R(f), is a symbolic regular expression that denotes the domain of the transformation that f represents. The definition of the query language has to be given simultaneously with the definition of rates (by mutual induction), since the query constructs have typing restrictions that involve the rates. We annotate a query f with a type QRED,C to denote that the input stream has elements of type D and the outputs are of type C. Figure 2 shows the full formal syntax of streaming queries. The decidability of type checking follows from results in [17,18,19] and it is also discussed in [3]. Example 5 (Rate of a query). In the patient monitoring example described in the beginning of this section, the statistical summary of a patient’s measurements should be output at the end of each day, and thus, depends only on the types of events in a regular manner. The rate in this case is the regular expression ((B · M+ · E)∗ · D)∗ . The tag B in this expression is abbreviation for the predicate (x -> x.typ = B). We also write ¬B to stand for the predicate (x -> x.typ = B). Similar abbreviations are considered for the tags M, E and D. We will be using these abbreviations freely from now on, since their meaning is obvious from the context.

7

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

satisfiable ϕ : D → Bool

op : D → C

atom(ϕ, op) : QRED,C R(atom(ϕ, op)) = ϕ

c∈C (empty) eps(c) : QRED,C R(eps(c)) = ε

(atomic)

f : QRED, A g : QRED, B op : A × B → C R(f) and R(g) are unambiguously concatenable split(f, g, op) : QRED,C R(split(f, g, op)) = R(f) · R(g)

(concatenation)

init : QRED, B body : QRED, A op : B × A → B R(body) is unambiguously iterable R(init) and R(body)∗ are unambiguously concatenable iter(init, body, op) : QRED, B

(iteration)

R(iter(f, g, op)) = R(f) · R(g)∗

f : QRED,C

g : QRED,C

R(f) and R(g) are disjoint

or(f, g) : QRED,C R(or(f, g)) = R(f) R(g) f : QRED, A

op : A → B

apply(f, op) : QRED, B R(apply(f)) = R(f) f : QRED, A

g : QRED, B

op : A × B → C

(choice)

(application)

R(f), R(g) equivalent

combine(f, g, op) : QRED,C R(combine(f, g, op)) = R(f)

(combination)

f : QRED,C g : QREC, E (streaming composition) f  g : QRED, E ϕS : D → Bool m : D → K f : QRED,C r : RED R(f) ⊆ r \ ϕS∗ r = s[(¬ϕS )∗ ϕS /ϕS ], where the only predicate s : RED can contain is ϕS (key-based partitioning) map-collect(ϕS , m, f, r) : QRED, MapK,C R(map-collect(ϕ, m, f, r)) = r Figure 2. The syntax of Streaming Quantitative Regular Expressions.

Atomic queries. The basic building blocks of queries are expressions that describe the processing of a single data item. Suppose ϕ : D → Bool is a predicate over the data item type D and op : D → C is an operation from D to the output type C. Then, the atomic query atom(ϕ, op) : QRED,C, with rate ϕ, is defined on single-item streams that satisfy the predicate ϕ. The output is the value of op on the input element.

8

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Notation: It is very common for op to be the identity function, and ϕ to be the always-true predicate. So, we abbreviate the query atom(ϕ, (D x) -> x) by atom(ϕ), and the query atom((D x) -> true) by atom(). Example 6. For the stream of monitored patients, the query that matches a single measurement item and returns its value is f = atom(x -> x.typ = M, x -> x.val). The type of f is QREDP , V and its rate is M. Empty sequence. The query eps(c) : QRED,C, where c is a value of type C, is only defined on the empty sequence ε and it returns the output c. Iteration. Suppose that init : QRED, B describes the computation for initializing an aggregate value of type B, and body : QRED, A describes a computation that we want to iterate over consecutive subsequences of the input stream, in order to aggregate the values (of type A) sequentially using an aggregator op : B × A → B.

More specifically, we split the input stream w into subsequences w = u w1 w2 . . . wn , where u matches init and each wi matches body. We apply init to u and body to each of the wi , thus producing the output values b0 and a1 a2 · · · an with b0 = init(u) and ai = body(wi ). Finaly, we combine these results using the list iterator left fold with start value b0 and aggregation operation op : B × A → B by folding the list of values a1 a2 · · · an . This can be formalized with the combinator fold : B × (B × A → B) × A∗ → B, which takes an initial value b ∈ B and a stepping map op : B × A → B, and iterates through a sequence of values of type A: fold(b, op, ε) = b

fold(b, op, γa) = op(fold(b, op, γ), a)

for all sequences γ ∈ A∗ and all values a ∈ A. E.g., fold(b, op, a1 a2 ) = op(op(b, a1 ), a2 ). The query g = iter(init, body, op) : QRED, B describes the computation of the previous paragraph. In order for g to be well-defined as a function, every input stream w that matches g must be uniquely decomposable into w = uw1 w2 . . . wn with u matching init and each wi matching body. This requirement can be expressed equivalently as follows: the rate R(body) is unambiguously iterable, and the rates R(init), R(body)∗ are unambiguously concatenable. These sequential iterators can be nested imparting a hierarchical structure to the input data stream facilitating modular programming. In the single-patient monitoring stream, for example, we can associate an iterator with the episode nodes to summarize the sequence of measurements in an episode, and another iterator with the day nodes to summarize the sequence of episodes during a day. Example 7. For the stream of monitored patients, the query g below matches a sequence of measurements and returns the sum of their values.

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

f : QREDP , V = atom(x -> x.typ = M, x -> x.val)

// rate M

g : QREDP , V = iter(eps(0), f, (x, y) -> x + y)

// rate M∗

9

Combination and application. Assume the queries f and g describe stream transformations with outputs of type A and B respectively that process the same set of input sequences, and op is an operation of type A × B → C. The query combine(f, g, op) describes the computation where the input is processed according to both f and g in parallel and their results are combined using op. Of course, this computation is meaningful only when both f and g are defined on the input sequence. So, we demand w.l.o.g. that the rates of f and g are equivalent. This binary combination construct generalizes to an arbitrary number of queries. For example, we write combine(f, g, h, (x, y, z) -> op(x, y, z)) for the ternary variant. In particular, we write apply(f, op) for the case of one argument. Example 8 (Average). For the stream of monitored patients, the query h below matches a nonempty sequence of measurements and returns the average of their values. f1 : QREDP , V = atom(x -> x.typ = M, x -> x.val)

// rate M

g1 : QREDP , V = iter(f1 , f1 , (x, y) -> x + y)

// rate M+

f2 : QREDP , V = atom(x -> x.typ = M, x -> 1)

// rate M

g2 : QREDP , V = iter(f2 , f2 , (x, y) -> x + y)

// rate M+

h : QREDP , V = combine(g1 , g2 , (x, y) -> x/y)

// rate M+

The query g1 computes the sum of a nonempty sequence of measurements, and the query g2 computes the length of a nonempty sequence of measurements. An alternative implementation uses a single iteration construct and an accumulator that is the pair of the running sum and the running count. f : QREDP , V × V = atom(x -> x.typ = M, x -> (x.val, 1))

// rate M

g : QREDP , V × V = iter(f , f , (x, y) -> x + y)

// rate M+

h : QREDP , V = apply(g , x -> π1 (x)/π2 (x))

// rate M+

The + operation in g is componentwise addition of pairs of values. The query h computes the average by diving the running sum by the running count. Example 9 (Standard Deviation). For a sequence x1 , x2 , . . . , xn of numbers, the mean is the simple average μ = (∑i xi )/n, and the standard deviation is σ = (∑i (xi − μ)2 )/n. Equivalently, we can calculate the quantity σ · n as follows: σ · n = ∑i (xi2 + μ 2 − 2μxi ) = (∑i xi2 ) + nμ 2 − 2μ(∑i xi ) = (∑i xi2 ) − (∑i xi )2 /n. So, both the mean and the standard deviation can be calculated from the quantities ∑i xi and ∑i xi2 and the count n. This suggests the following query for the streaming computation of the standard deviation for a sequence of patient measurements:

10

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

f1 : QREDP , V = atom(x -> x.typ = M, x -> 1)

// rate M

g1 : QREDP , V = iter(f1 , f1 , (x, y) -> x + y)

// rate M+

f2 : QREDP , V = atom(x -> x.typ = M, x -> x.val)

// rate M

g2 : QREDP , V = iter(f2 , f2 , (x, y) -> x + y)

// rate M+

f3 : QREDP , V = atom(x -> x.typ = M, x -> x.val · x.val)

// rate M

g3 : QREDP , V = iter(f3 , f3 , (x, y) -> x + y)

// rate M+

h : QREDP , V = combine(g1 , g2 , g3 , (x, y, z) -> z − y2 /x)

// rate M+

The query g1 computes the running count, the query g2 computes the running sum ∑i xi , and the query g3 computes the running sum of squares ∑i xi2 . Example 10 (Integration). For the single-patient monitoring stream, assume that the diagnosis depends on the average value of the piecewise-linear interpolant of the sampled measurements. Computing this quantity corresponds to integrating the interpolant over the interval of the measurements. That is, the quantitative summary of a given sequence (t1 , v1 ), (t2 , v2 ), . . . , (tn , vn ) of timestamped values with t1 < t2 < · · · < tn is An =

n−1 (v + v 1 i i+1 )(ti+1 − ti ) ·∑ . (tn − t1 ) i=1 2

To compute the quantity Sn = ∑n−1 i=1 (vi + vi+1 )(ti+1 − ti ) incrementally we must maintain the vector Xn = (tn , vn , Sn ), where tn is the last timestamp, vn is the last value, and Sn is the running sum. We then put X1 = (t1 , v1 , 0) and Xn+1 = (tn+1 , vn+1 , Sn + (vn + vn+1 )(tn+1 − tn )). From Xn = (tn , vn , Sn ) and the first timestamp t1 we can then compute An = Sn /2(tn −t1 ). f : QREDP , DP  = atom(x -> x.typ = M)

// rate M

g1 : QREDP , T = iter(apply(f, x -> x.ts), f, (x, y) -> x)

// rate M+

op = (T×V×V x, DP y) -> (y.ts, y.val, π3 (x) + (π2 (x) + y.val)(y.ts − π1 (x)) g2 : QREDP , T×V×V = iter(apply(f, x -> (x.ts, x.val, 0)), f, op) // rate M+ op = (T x, T×V×V y) -> if (π1 (y) − x > 0) then π3 (y)/2(π1 (y) − x) else π2 (y) h = combine(g1 , g2 , op ) // rate M+ The query g1 passes along the first timestamp, and the query g2 calculates the vector Xn . The top-level query h calculates the average of the piecewise-linear interpolant when n ≥ 2, and returns the value v1 when n = 1.

11

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Quantitative concatenation. Suppose that we want to perform two streaming computations in sequence: first execute the query f : QRED, A, then the query g : QRED, B, and finally combine the two results using the operation op : A × B → C.

More specifically, we split the input stream into two parts w = w1 w2 , process the first part w1 according to f with output f(w1 ), process the second part w2 according to g with output g(w2 ), and produce the final result op(f(w1 ), g(w2 )) by applying op to the intermediate results. The query split(f, g, op) : QRED,C describes this computation. In order for this construction to be well-defined as a function, every input w that matches split(f, g, op) must be uniquely decomposable into w = w1 w2 with w1 matching f and w2 matching g. In other words, the rates of f and g must be unambiguously concatenable. The binary split construct extends naturally to more than two arguments. For example, the ternary version would be split(f, g, h, (x, y, z) -> op(x, y, z)). Example 11. For the stream of monitored patients, we say that a measurement is highrisk if its value exceeds 50. The query h : QREDP , V below matches a sequence of measurements containing at least one high-risk measurement, and returns the maximum value after the last occurrence of a high-risk measurement. f1 : QREDP , Ut = atom(x -> x.typ = M, x -> def)

// rate M

g1 : QREDP , Ut = iter(eps(def), f1 , (x, y) -> def)

// rate M∗

f2 : QREDP , Ut = atom(x -> x.typ = M and x.val > 50, x -> def)

// M(v > 50)

f3 : QREDP , V = atom(x -> x.typ = M and x.val ≤ 50, x -> x.val) // M(v ≤ 50) g3 : QREDP , V = iter(eps(−∞), f3 , (x, y) -> max(x, y)) h : QREDP , V = split(g1 , f2 , g3 , (x, y, z) -> z)

// M(v ≤ 50)∗

// M∗ · M(v > 50) · M(v ≤ 50)∗

The query g1 processes a sequence of measurements and returns nothing, the query f2 processes a single high-risk measurement and returns nothing, and the query g3 processes a sequence of non-high-risk measurements and returns the maximum value. The top-level query h executes g1 , f2 and g3 in sequence and returns the output of g3 . Global choice. Given queries f and g of the same type with disjoint rates r and s, the query or(f, g) applies either f or g to the input stream depending on which one is defined. The rate of or(f, g) is the union r s. This choice construction allows a case analysis based on a global regular property of the input stream. In our patient example, suppose we want to compute a statistic across days, where the contribution of each day is computed differently depending on whether or not a specific physiological event occurs sometime during the day. Then, we can write a query summarizing the daily activity with a rate capturing good days (the ones without any significant event) and a different query with a rate capturing bad days, and iterate over their disjoint union.

12

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Example 12. For the stream of monitored patients, we describe a query that processes a nonempty sequence of episodes (hence, with rate (B · M+ · E)+ ) and outputs at the end of each episode its summary. The summary of the episode is the average of all measurements if there are no high-risk measurements (high-risk: value exceeds 50), otherwise it is the average of only the high-risk measurements. We start with query g, which processes a nonempty sequence of non-high-risk measurements and returns the sum/count: ϕ : DP → Bool = x -> x.typ = M and x.val ≤ 50

// predicate on DP

f : QREDP , V×V = atom(ϕ, x -> (x.val, 1))

// rate M(v ≤ 50)

g : QREDP , V×V = iter(f, f, (x, y) -> x + y)

// rate M(v ≤ 50)+

Similarly, the query h below processes a sequence with at least one high-risk measurement and returns the sum and count of the high-risk measurements. The idea for describing this computation comes from the following observation: the language over the alphabet Σ = {a, b} that contains at least one occurrence of b is denoted by the ambiguous expression (a + b)∗ b(a + b)∗ , which is equivalent to the unambiguous a∗ (ba∗ )+ . f∗1 : QREDP , Ut = iter(eps(def), atom(ϕ), (x, y) -> def) // rate M(v ≤ 50)∗ ψ : DP → Bool = x -> x.typ = M and x.val > 50

// predicate on DP

f2 : QREDP , V×V = atom(ψ, x -> (x.val, 1)) g : QREDP , V×V = split(f2 , f∗1 , (x, y) -> x)

// M(v > 50) // r  M(v > 50) · M(v ≤ 50)∗

g : QREDP , V×V = iter(g , g , (x, y) -> x + y) h : QREDP , V×V = split(f∗1 , g , (x, y) -> y)

// rate r+ // rate M(v ≤ 50)∗ · r+

We have written the queries g and h which process sequences of measurements differently based on the occurrence of high-risk measurements. The top-level query m : QREDP , V is then given below: k : QREDP , V×V = or(g, h)

// rate M+

fB : QREDP , DP  = atom(x -> x.typ = B)

// rate B

fE : QREDP , DP  = atom(x -> x.typ = E)

// rate E

ep : QREDP , V = split(fB , k, fE , (x, y, z) -> π1 (y)/π2 (y)) m : QREDP , V = iter(ep, ep, (x, y) -> y)

// rate B · M+ · E // rate (B · M+ · E)+

To see why the rate of or(g, h) is M+ , it suffices to notice that the regular expressions (a b)+ and a+ a∗ (ba∗ )+ are equivalent. Key-based partitioning. The input data stream for our running example contains measurements from different patients, and suppose we have written a query f that computes a summary of data items corresponding to a single patient. Then, to compute an aggregate across patients, the most natural way is to partition the input stream by a key, the patient

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

13

Figure 3. Partitioning a stream into several parallel sub-streams according to a key (letter in box).

identifier in this case, supply the corresponding projected sub-stream to a copy of f, one per key, and collect the set of resulting values. In order to synchronize the per-key computations, we specify a predicate ϕS : D → Bool which defines the synchronization elements. The rest of the elements, which satisfy the negation ¬ϕS , are the keyed elements. We typically write K for the set of keys, and map : D → K for the function that projects the key from an item (the value of map on synchronization items is irrelevant). For the patient input data type of Example 1 we choose: ϕS = (x -> x.typ = D) and K = PID. The partitioning ensures that the synchronization elements are preserved so that the outputs of different copies of f are synchronized correctly (for example, if each f outputs a patient summary at the end of the day, then each sub-stream needs to contain all the end-of-day markers). Note that the output of such a composite streaming function is a mapping T : MapK,C from keys to values, where C is the output type of f and T (k) is the output of the computation of f for key k. This key-based partitioning operation is our analog of the map-reduce operation [25] and lends naturally to distributed processing. We describe the partitioning of the input stream using terminology from concurrent programming. For every key k, imagine that there is a thread that receives and processes the sub-stream with the data items that concern k. This includes all synchronization items, and those keyed data items x for which map(x) = k. So, an item of D is sent to only one thread (as prescribed by the key), but an item satisfying ϕS is sent to all threads. See Figure 3 for an illustration of the partitioning into sub-streams. Each thread computes independently, and the synchronization elements are used for collecting the results of the threads. We specify a symbolic regular expression r over D, which enforces a rate of output for the overall computation. For example, if r = (((¬D)∗ · D)2 )∗ then we intend to have output every other day. The rate should only specify sequences that end in a synchronization item. Suppose f : QRED,C is a query that describes the per-key (i.e., per-thread) computation, and r is the overall output rate that we want to enforce. Then, the query map-collect(ϕS , map, f, r) : QRED, MapK,C describes the simultaneous computation for all keys, where the overall output is given whenever the stream matches r. The overall output is the map obtained by collecting the outputs of all threads that match. W.l.o.g. we assume that the rate of f is contained in r, and that it only contains streams with at least one occurrence of a keyed data item. The rate r should only depend on the occurrence of synchronization elements, so we demand that r = s[(¬ϕS )∗ ϕS /ϕS ] where the only predicate that s : RED is allowed to contain is ϕS . We write s[ψ/ϕ] to denote the result of replacing every occurrence of ϕ in s with ψ. For example, if s = D∗ (indicating output at every day marker) and ϕS = D,

14

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

then r = s[(¬ϕS )∗ ϕS /ϕS ] = ((¬D)∗ D)∗ . These restrictions do not affect expressiveness, but are useful for efficient evaluation. Example 13. Suppose we want to output at the end of each day a table with summaries for the patients that had at least one episode within the day. Assuming that the data stream consists of items for a single patient, we first write the query that produces the episode summary for a single patient: fM : QREDP , V×V = atom(x -> x.typ = M, x -> (x.val, 1))

// rate M // rate M+

g : QREDP , V×V = iter(f, f, (x, y) -> x + y) fB : QREDP , DP  = atom(x -> x.typ = B)

// rate B

fE : QREDP , DP  = atom(x -> x.typ = E)

// rate E

h : QREDP , V = split(fB , g, fE , (x, y, z) -> π1 (y)/π2 (y))

// rate B · M+ · E

The query h, matches a full episode and returns the average of the measurements of the episode. The daily summary is then given by: k : QREDP , V = iter(h, h, (x, y) -> max(x, y))

// rate (B · M+ · E)+

l : QREDP , V = split(k, atom(x -> x.typ = D), (x, y) -> x)

// rate (B · M+ · E)+ · D

The query l matches days with at least one episode and outputs the maximum episode summary. The top-level query for the stream that concerns all patients is then: m = map-collect(x -> x.typ = D, x -> x.pId, l, (¬D)∗ · D)

// rate (¬D)∗ · D

n = iter(m, m, (x, y) -> y)

// rate ((¬D)∗ · D)+

The synchronization items for the query m : QREDP , MapPID, V are the day markers, and the keys are the patient identifiers. The rate of l satisfies the typing restrictions of the definition, because every sequence that matches l contains at least one keyed item and also matches the overall rate (¬D)∗ · D. So, the query m processes a single day and outputs the table of daily summaries for all patients that have had an episode in the day. Finally, the query n iterates m for every consecutive day. Streaming composition. A natural operation for query languages over streaming data is streaming composition: given two streaming queries f and g, f  g represents the computation in which the stream of outputs produced by f is supplied as the input stream to g. Such a composition is useful in setting up the query as a pipeline of several stages. We allow the operation  to appear only at the top-level of a query. So, a general query is a pipeline of -free queries. At the top level, no type checking needs to be done for the rates, so we do not define the function R for queries f  g. Example 14. Suppose the input stream concerns a single patient, and we want to compute at the end of each day the minimum and maximum measurement within the day. The first stage of the computation filters out the irrelevant B and E markers:

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

f : QREDP , DP  = atom(x -> x.typ = M or x.typ = D)

// rate M D

g : QREDP , Ut = iter(eps(def), atom(), (x, y) -> def)

// rate (M D B E)∗

h : QREDP , DP  = split(g, f, (x, y) -> y)

15

// rate (M D B E)∗ · (M D)

The query h matches any sequence that ends in a measurement or day marker and returns the last item. Thus, h filters out B and E items. For the second stage of the computation, we assume that the stream consists of only M and D items. k : QREDP , V = atom(x -> x.typ = M, x -> x.val)

// rate M

l : QREDP , V = iter(eps(−∞), k, (x, y) -> max(x, y))

// rate M∗

m : QREDP , V = split(l, atom(x -> x.typ = D), (x, y) -> x)

// rate M∗ · D

n : QREDP , V = iter(m, m, (x, y) -> y)

// rate (M∗ · D)+

The top-level query is then the pipeline h  n and its domain is ((M B E)∗ · D)+ .

2. Common Patterns The core language of Figure 2 is expressive enough to describe many common stream transformations. We present below several derived patterns, including stream filtering, stream mapping, and aggregation over windows. Iteration at least once. Let f : QRED, A be a query with output type A, init : A → B be the initialization function, and op : B × A → B be the aggregation function. The query iter1 (f, init, op), with output type B, splits the input stream w unambiguously into consecutive parts w1 w2 . . . wn each of which matches f, applies f to each wi producing a sequence of output values a0 a1 a2 . . . an , i.e. ai = f(wi ), and combines the results a1 a2 . . . an using the list iterator left fold with start value init(a0 ) ∈ B and accumulation operation op : B × A → B.

The construct iter1 can be encoded using iter as follows: iter1 (f, init, op)  iter(apply(f, init), f, op). The type of iter1 (f, init, op) is QRED, B and its rate is R(f)+ . We use the abbreviation iter1 (f, op) for the common case where A = B and init is the identity function.

16

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Matching without output. Suppose r is an unambiguous symbolic regex over the data item type D. The query match(r), whose rate is equal to r, does not produce any output when it matches. This is essentially the same as producing def as output for a match. The match construct can be encoded as follows: match(ϕ)  atom(ϕ, x -> def) match(r1 r2 )  or(match(r1 ), match(r2 )) match(r1 · r2 )  split(match(r1 ), match(r2 ), (x, y) -> def) match(r∗ )  iter(eps(def), match(r), (x, y) -> def) An easy induction establishes that R(match(r)) = r. Stream filtering. Let ϕ be a predicate over the type of input data items D. We want to describe the streaming transformation that filters out all items that do not satisfy ϕ. We implement this with the query filter(ϕ), which matches all stream prefixes that end with an item satisfying ϕ. ∗ ), atom(ϕ), (x, y) -> y) filter(ϕ)  split(match(trueD ∗ · ϕ. The type of filter(ϕ) is QRED, D and its rate is trueD Stream mapping. The mapping of an input stream of type D to an output stream of type C according to the operation op : D → C is given by the following query: map(op)  split(match(true∗D ), atom(trueD , op), (x, y) -> y). Its type is QRED,C and its rate is true∗D · trueD = true+ D. Example 15. Using filtering, mapping and streaming composition we can implement the average of a sequence of scalars with a very common idiom: f : QREV, V × V = map(x -> (x, 1)) g : QREV × V, V × V = iter1 (atom(), (x, y) -> x + y) h : QREV × V, V = map(x -> π1 (x)/π2 (x))

// rate V+ // rate (V × V)+ // rate (V × V)+

and the top-level query is the pipeline f  g  h, whose type is QREV, V. Iteration exactly n times. Let n ≥ 1 and f : QRED, A be a query to iterate exactly n times. The aggregation is specified by the initialization function init : A → B (for the first value) and the aggregation function op : B × A → B. The construct itern describes iteration (and aggregation) exactly n times, and can be encoded as follows: iter1 (f, init, op)  apply(f, init) itern+1 (f, init, op)  split(itern (f, init, op), f, op) The type of itern (f, init, op) is QRED, B and its rate it R(f)n (n-fold concatenation).

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

17

Pattern-based tumbling windows. The term tumbling windows is used to describe the splitting of the stream into contiguous non-overlapping regions [6]. Suppose we want to describe the streaming function that iterates f at least once and reports the result given by f at every match. The following query expresses this behavior: iter-last(f)  iter(f, f, (x, y) -> y). The rate of iter-last(f) is equal to R(f)+ . Example 16. Suppose that the query f : QREDP , V has rate r = (B · M+ · E)∗ · D and computes the daily summary for a single patient. Then, the query iter-last(f) has rate r+ and computes the daily summary at the end of every day. Finally, the query iter-last(f)  iter1 (atom(), (x, y) -> max(x, y)) computes at the end of every day the maximum daily summary so far. Notice that this query can be equivalently expressed without  as iter1 (f, (x, y) -> max(x, y)). Sliding windows (slide by pattern). To express a policy such as “output the statistical summary of events in the past ten hours every five minutes” existing relational query languages provide an explicit sliding window primitive [6]. We can support this primitive, which can be compiled into the base language by massaging the input data stream with the introduction of suitable tags (marking five-minute time intervals in this example). The insertion of the tags then allows to express both the window and the sliding using very general regular patterns. Let n ≥ 1 be the size of the window, and f : QRED, A be the query that processes a unit pattern. The aggregation over the window is specified by the function init : A → B for initialization and the aggregation function op : B × A → B. We give a query that computes the aggregation over the last n units of the stream (or over all units if the stream has less than n units): g = or(iter1 (f, init, op), . . . , itern−1 (f, init, op)) h = split(match(R(f)∗ ), itern (f, init, op), (x, y) -> y) and wnd(f, n, init, op) = or(g, h) with rate R(f)+ .

3. The Yahoo Streaming Benchmark The Yahoo Benchmark [14] specifies a stream of advertisement-related events for an analytics pipeline. It specifies a set of campaigns and a set of advertisements, where each ad belongs to exactly one campaign. The static map from ads to campaigns is computed ahead-of-time and stored in memory. Each element of the data stream is of the form (userId, pageId, adId, eventType, eventTime), indicating the interaction of a user with an advertisement, where eventType is one of {view, click, purchase}. The component eventTime is the timestamp of the event.

18

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

3.1. First Yahoo query The basic benchmark query (described in [14]) computes, at the end of every second, a map from each campaign to the number of views associated with that campaign within the last second. For each event tuple, this involves a lookup to determine the campaign associated with the advertisement viewed. The reference implementation published with the Yahoo benchmark involves a multi-stage pipeline: (a) (b) (c) (d)

stage 1: filter view events, stage 2: project the ad id from each view tuple, stage 3: lookup the campaign id of each ad, stage 4: compute for every one-second window the number of events (views) associated with each campaign.

The query involes key-based partitioning on only one property, namely the derived campaign id of the event. We present three ways of expressing this query in StreamQRE. We assume w.l.o.g. that the stream also contains events S that serve as end-of-second markers. Implementation (I) We reproduce faithfully the reference implementation of the Yahoo benchmark [14] by constructing the following multi-stage pipeline: (1) (2) (3) (4)

query g1 : filter view and end-of-second events, query g2 : project the ad id from each view tuple, query g3 : lookup the campaign id of each advertisement, query g7 : compute for every one-second window the number of events (views) associated with each campaign.

We write ADID for the type of ad identifiers, CID for the type of campaign identifiers, and DY for the data type of the input events. g1 : QREDY , DY  = filter(x -> x = S or x.isView) g2 : QREDY , ADID ∪ {S} = map(x -> if (x = S) then S else x.adId) g3 : QREADID ∪ {S}, CID ∪ {S} = map(x -> if (x = S) then S else lookup(x.adId)) g4 : QRECID ∪ {S}, Nat = iter(eps(0), atom(x -> x = S), (x, y) -> x + 1) g5 : QRECID ∪ {S}, Nat = split(g4 , atom(x -> x = S), (x, y) -> x) g6 : QRECID ∪ {S}, Nat = map-collect(x -> x = S, x -> x.cId, g5 , (¬S)∗ · S) g7 : QRECID ∪ {S}, Nat = iter-last(g6 )

The function lookup : ADID → CID models the mapping of an ad to the campaign it belongs to, and x.isView abbreviates the boolean expression (x.eventType = view). The auxiliary query g5 , with rate (¬S)∗ · S, calculates the length of event sequences of a single campaign for one second. With g7 we perform (every second) key-based partitioning based on the campaign id cId. The top-level query to compute the number of views for each campaign per second is the pipeline

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

19

g8 = g 1  g 2  g 3  g 7 . Since the domain of g1  g2  g3 is DY∗ · (x -> x.isView or x = S), and g7 reports at every S marker, the domain of g8 is DY∗ · S (output at the end of every second). Implementation (II) The stages g1 , g2 and g3 of the pipeline of implementation (I) can be collapsed into a single query h3 as follows: h1 : QREDY , CID ∪ {S} = atom(x -> x.isView, x -> lookup(x.adId)) h2 : QREDY , CID ∪ {S} = or(h1 , atom(x -> x = S, x -> S)) h3 : QREDY , CID ∪ {S} = split(match(((DY x) -> true)∗ ), h2 , (x, y) -> y) The benchmark query can now be written as a two-stage pipeline h4 = h3  g7 . Implementation (III) The previous implementation uses the streaming composition operator to simplify the map-collect part of the query. The channel handling the events of each campaign assumes that all incoming events correspond to views, and therefore simply counts the number of tuples flowing in. We can eliminate the streaming composition by inspecting the event type of each incoming tuple during per-campaign processing: k1 : QREDY , Nat = atom(x -> x.isView, x -> 1)

// rate V (view)

k2 : QREDY , Nat = atom(x -> not (x.isView or x = S), x -> 0)

// rate ¬(V S)

k3 : QREDY , Nat = or(k1 , k2 )

// rate ¬S

k4 : QREDY , Nat = iter(eps(0), k3 , (x, y) -> x + y)

// rate (¬S)∗

k5 : QREDY , Nat = split(k4 , atom(x -> x = S), (x, y) -> x)

// rate (¬S)∗ · S

So, k5 counts the number of views in a stream of the form (¬S)∗ · S. We now have a third way of representing the benchmark query: k6 : QREDY , MapCID, Nat = map-collect(x -> x = S, x -> lookup(x.adId), k5 , (¬S)∗ · S) k7 : QREDY , MapCID, Nat = iter-last(k6 ). In implementations (I) and (II) the queries only looked up the campaign ids for view events, while query k7 computes the campaign id for each incoming tuple. It therefore makes more campaign id lookups. 3.2. Second Yahoo query We extend the Yahoo benchmark with a more complex query. An important part of organizing a marketing campaign is quantifying how successful ads are. We define success as the number of users who purchase the product after viewing an ad for it. Our query outputs, at the end of every second, a map from campaigns to the most successful ad of the campaign so far, together with its success score.

20

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Assume that we have fixed a specific ad and a specific user, and the stream consists only of events for these. The pattern for success, given by the regular expression r = (¬V)∗ · V · (¬P)∗ · P · DY∗ · S, indicates that the user purchases the product after seeing the ad for it. For simplicity, we have written V to denote the occurrence of view events, and P for purchase events. The trailing pattern DY∗ · S is used for matching until the end of an end-of-second marker. Now, suppose that we have fixed a specific ad, and we want to compute its score: the number of users that have purchased the product after viewing the ad. g1 : QREDY , MapUID, Ut = map-collect(x -> x = S, x -> x.userId, match(r), DY∗ · S) g2 : QREDY , Nat = apply(g1 , x -> x.size) where UID is the set of user identifiers, and size : MapK,C → Nat returns the size of a map data structure (number of keys that are mapped to some value). The rate of g2 is DY∗ · S, that is, g2 produces at the end of every second the success score of the ad. Moreover, we observe that the specified rate D∗Y · S is equivalent to ((¬S)∗ S)+ . Given the event stream of a single campaign, we can divide it into sub-streams of individual ads, compute the success score for each one of them, and thus determine the most successful ad of the campaign: g3 : QREDY , MapADID, Nat = map-collect(x -> x = S, x -> x.adId, g2 , D∗Y · S) g4 : QREDY , ADID × Nat = apply(g3 , x -> x. argmax), where argmax : MapK,C → K × C (for a type C that is linearly ordered) calculates the key-value pair (k, c) that has the maximum value. In query g4 , it calculates the pair (adId, score) for the ad with the maximum score. Finally, we use the map-collect construct to map each campaign id to the most successful ad: g5 : QREDY , MapCID, ADID × Nat = map-collect(x -> x = S, x -> x.cId, g4 , D∗Y · S) The rates of g1 , g2 , g3 , g4 and g5 are all equal to D∗Y · S. They produce output at every S marker occurrence in the stream.

4. The NEXMark Streaming Benchmark The Niagara Extension to XMark benchmark (NEXMark) [15] concerns the monitoring of an on-line auction system, such as eBay. Four kinds of events are recorded in the event stream: (a) Person events, which describe the registering of a new person to the auction system, (b) Item events, which mark the start of an auction for a specified item, (c) Close events, which mark the end of an auction for a specified item, and (d) Bid events, which record the bids made for items that are being auctioned.

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

21

Person(personId, name, ts) Item(itemId, sellerId, initPrice, ts, dur, category) Close(itemId, ts) Bid(itemId, bidderId, bidIncrement, ts) Every event contains the field ts, which is the timestamp of when the event occurred. Every new auction event (of type Item) specifies an initial price initPrice for the item, the duration dur of the auction, and the category to which the item belongs. Every bid event contains the bid increment, that is, the increment by which the previous bid is raised. So, to find the current bid for an item we need to add the initial price of the item together with all the bid increments for the item so far. We will describe two out of the five queries that are considered in [2], and which are minor variants of some of the queries of the NEXMark benchmark: Query. Calculate the number of currently open auctions. The output should be updated at every auction start and close. f : QREDN , DN  = filter(x -> x.isItem or x.isClose) g : QREDN , Nat = map(x -> if (x.isItem) then +1 else −1) h : QRENat, Nat = iter(eps(0), atom(), (x, y) -> x + y) k : QREDN , Nat = f  g  h We write DN for the input data type of the NEXMark benchmark. Query. Find the item with the most bids in the last 24 hours. The output should be updated every minute. We assume that the stream has end-of-minute markers M. First, suppose that we process a stream consisting only of bid events that ends with an end-of-minute marker. We compute a bid count for every item that appears: f : QREDN , Nat = iter(eps(0), atom(x -> x.isBid), (x, y) -> x + 1) // B∗ g : QREDN , Nat = split(f, atom(x -> x = M), (x, y) -> x)

// rate B∗ · M

h : QREDN , MapIID, Nat = map-collect(x -> x = M, x -> x.itemId, g, (¬M)∗ · M) // rate (¬M)∗ · M k : QREDN , MSetIID = apply(h, x -> x.toMSet())

// rate (¬M)∗ · M

The type of item identifiers is IID, and toMSet : MapK, Nat → MSetK is an operation that turns a map object into a multiset. Now, we write the top-level query: l : QREDN , MSetIID = wnd(k, 24 · 60, x -> x, (x, y) -> x  y) m : QREDN , DN  = filter(x -> x.isBid or (x = M))

// rate ((¬M)∗ · M)+ // rate D∗N · (B M)

n : QREDN , IID×Nat = m  apply(l, x -> x. argmax) We write  to denote multiset union. The function argmax : MSetC → C × Nat returns the member of the multiset with the highest count.

22

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

// Process a single measurement : rate M QRe < DPatients , DPatients > meas = Q . atomic ( x -> x . isMeasurement () , x -> x ) ; // Sum of sequence of measurements : rate M * QRe < DPatients , Double > sum = Q . iter ( Q . eps (0.0) , meas , (x , y ) -> x + y . getValue () ) ; // Length of sequence of measurements : rate M * QRe < DPatients , Integer > count = Q . iter ( Q . eps (0) , meas , (x , y ) -> x +1) ; // Average of sequence of measurements : rate M * QRe < DPatients , Double > measAvg = Q . combine ( sum , count , (x , y ) -> x / y ) ; Iterator < DPatients > stream = ... // input stream // evaluator for the query Eval < DPatients , Double > e = measAvg . getEval () ; // execution loop Double output = e . start () ; // returns null , if undefined while ( stream . hasNext () ) { DPatients d = stream . next () ; output = e . next ( d ) ; // returns null , if undefined } Figure 4. Computing the average of a nonempty sequence of measurements.

5. The StreamQRE Library in Java StreamQRE has been implemented as a Java library [13] in order to facilitate the easy integration with user-defined types and operations. The implementation covers all the core constructs of Figure 2, and also provides optimizations for the derived constructs of Section 2 (stream filtering, stream mapping, sliding windows, etc.). Figure 4 gives a simple example that illustrates how to program with the StreamQRE Java library. The query measAvg describes the computation of the average of a sequence of measurements (for the patient data stream). The method getEval, which stands for “get evaluator”, is used to obtain an object that encapsulates the evaluation algorithm for the query. On this evaluator object, the methods start and next are used to initialize the algorithm and consume data items respectively.

6. Conclusion We have given an introduction to the StreamQRE language [2], a high-level formalism for processing streaming data. The query language integrates two paradigms for pro-

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

23

gramming with streams: streaming relational languages with windowing constructs, and state-machine-based models for pattern-matching and performing sequence-aware computations. The language consists of a small but powerful core language, which has a formal denotational semantics and a decidable type system. The expressiveness of the language has been illustrated by encoding common patterns and programming significant examples. A query of the StreamQRE language can be compiled into a streaming algorithm with strong efficiency guarantees [2], both for space usage and processing time per element. An experimental evaluation of StreamQRE is reported in [2], which shows that the StreamQRE implementation is competitive with popular streaming engines such as RxJava [26], Esper [27], and Flink [28].

Acknowledgements We thank our collaborators Zachary Ives, Sanjeev Khanna and Mukund Raghothaman. This research was supported by NSF Expeditions award CCF 1138996.

References [1]

[2]

[3]

[4] [5]

[6]

[7] [8]

[9]

[10]

[11]

R. Alur, E. Berger, A. Drobnis, L. Fix, K. Fu, G. Hager, D. Lopresti, K. Nahrstedt, E. Mynatt, S. Patel, J. Rexford, J. Stankovic, and B. Zorn. Systems computing challenges in the Internet of Things. In Computing Community Consortium Whitepaper, 2016. Konstantinos Mamouras, Mukund Raghothaman, Rajeev Alur, Zachary G. Ives, and Sanjeev Khanna. StreamQRE: Modular specification and efficient evaluation of quantitative queries over streaming data. 2017. manuscript. Rajeev Alur, Dana Fisman, and Mukund Raghothaman. Regular programming for quantitative properties of data streams. In Proceedings of the 25th European Symposium on Programming (ESOP ’16), pages 15–40, 2016. Shivnath Babu and Jennifer Widom. Continuous queries over data streams. ACM Sigmod Record, 30(3):109–120, 2001. Daniel J. Abadi, Don Carney, Ugur Cetintemel, Mitch Cherniack, Christian Convey, Sangdon Lee, Michael Stonebraker, Nesime Tatbul, and Stan Zdonik. Aurora: A new model and architecture for data stream management. The VLDB Journal, 12(2):120–139, 2003. Jin Li, David Maier, Kristin Tufte, Vassilis Papadimos, and Peter A. Tucker. Semantics and evaluation techniques for window aggregates in data streams. In Proceedings of the 2005 ACM SIGMOD International Conference on Management of Data, SIGMOD ’05, pages 311–322. ACM, 2005. Arvind Arasu, Shivnath Babu, and Jennifer Widom. The CQL continuous query language: Semantic foundations and query execution. The VLDB Journal, 15(2):121–142, 2006. Barzan Mozafari, Kai Zeng, and Carlo Zaniolo. High-performance complex event processing over XML streams. In Proceedings of the 2012 ACM SIGMOD International Conference on Management of Data, SIGMOD ’12, pages 253–264. ACM, 2012. Mohamed Ali, Badrish Chandramouli, Jonathan Goldstein, and Roman Schindlauer. The extensibility framework in Microsoft StreamInsight. In Proceedings of the 27th IEEE International Conference on Data Engineering (ICDE ’11), pages 1242–1253, 2011. M. Hirzel, H. Andrade, B. Gedik, G. Jacques-Silva, R. Khandekar, V. Kumar, M. Mendell, H. Nasgaard, S. Schneider, R. Soul, and K. L. Wu. IBM Streams Processing Language: Analyzing big data in motion. IBM Journal of Research and Development, 57(3/4):7:1–7:11, 2013. Mandana Vaziri, Olivier Tardieu, Rodric Rabbah, Philippe Suter, and Martin Hirzel. Stream processing with a spreadsheet. In Proceedings of the 28th European Conference on Object-Oriented Programming (ECOOP ’14), pages 360–384. Springer Berlin Heidelberg, 2014.

24 [12]

[13] [14]

[15] [16] [17] [18]

[19] [20] [21]

[22] [23] [24] [25] [26] [27] [28]

R. Alur and K. Mamouras / An Introduction to the StreamQRE Language

Margus Veanes, Pieter Hooimeijer, Benjamin Livshits, David Molnar, and Nikolaj Bjorner. Symbolic finite state transducers: Algorithms and applications. In Proceedings of the 39th Annual ACM SIGPLANSIGACT Symposium on Principles of Programming Languages (POPL ’12), pages 137–150. ACM, 2012. StreamQRE library. http://www.seas.upenn.edu/~mamouras/StreamQRE/. Sanket Chintapalli, Derek Dagit, Bobby Evans, Reza Farivar, Thomas Graves, Mark Holderbaugh, Zhuo Liu, Kyle Nusbaum, Kishorkumar Patil, Boyang Jerry Peng, and Paul Poulosky. Benchmarking streaming computation engines: Storm, Flink and Spark streaming. In First Annual Workshop on Emerging Parallel and Distributed Runtime Systems and Middleware, 2016. Pete Tucker, Kristin Tufte, Vassilis Papadimos, and David Maier. NEXMark: A benchmark for queries over data streams, 2002. Brian Litt and Zachary Ives. The international epilepsy electrophysiology database. In Proceedings of the Fifth International Workshop on Seizure Prediction, 2011. Ronald Book, Shimon Even, Sheila Greibach, and Gene Ott. Ambiguity in graphs and expressions. IEEE Transactions on Computers, C-20(2):149–153, 1971. Richard Edwin Stearns and Harry B. Hunt III. On the equivalence and containment problems for unambiguous regular expressions, regular grammars and finite automata. SIAM Journal on Computing, 14(3):598–611, 1985. Leonardo De Moura and Nikolaj Bjørner. Satisfiability modulo theories: Introduction and applications. Communications of the ACM, 54(9):69–77, 2011. Java’s lambda expressions. https://docs.oracle.com/javase/tutorial/java/javaOO/ lambdaexpressions.html. Margus Veanes, Peli de Halleux, and Nikolai Tillmann. Rex: Symbolic regular expression explorer. In Proceedings of the 3rd International Conference on Software Testing, Verification and Validation (ICST ’10), pages 498–507. IEEE, 2010. Jacques Sakarovitch. Elements of Automata Theory. Cambridge University Press, 2009. Manfred Droste, Werner Kuich, and Heiko Vogler, editors. Handbook of Weighted Automata. Springer, 2009. Albert Benveniste, Paul Caspi, Stephen A. Edwards, Nicolas Halbwachs, Paul Le Guernic, and Robert de Simone. The synchronous languages 12 years later. Proceedings of the IEEE, 91(1):64–83, 2003. Jeffrey Dean and Sanjay Ghemawat. MapReduce: Simplified data processing on large clusters. Communications of the ACM, 51(1):107–113, 2008. ReactiveX: An API for asynchronous programming with observable streams. http://reactivex. io/. Esper for Java. http://www.espertech.com/esper/. Apache Flink: Scalable batch and stream data processing. https://flink.apache.org/.

The author(s) of this publication is/are solely responsible for its content. This publication does not reflect the opinion of the publisher. The publisher cannot be held liable for any loss or damage that may occur because of this publication.

Dependable Software Systems Engineering A. Pretschner et al. (Eds.) IOS Press, 2017 © 2017 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-810-5-25

25

Reactive Synthesis: Towards Output-Sensitive Algorithms Bernd Finkbeiner and Felix Klein Universit¨ at des Saarlandes Abstract. Reactive synthesis is a technology for the automatic construction of reactive systems from logical specifications. In these lecture notes, we study different algorithms for the reactive synthesis problem of lineartime temporal logic (LTL). The classic game-based synthesis algorithm is input-sensitive in the sense that its performance is asymptotically optimal in the size of the specification, but it produces implementations that may be larger than necessary. We contrast this algorithm with output-sensitive algorithms for reactive synthesis, i.e., algorithms that are optimized towards the size or structural complexity of the synthesized system. We study the bounded synthesis algorithm, which produces an implementation with a minimal number of states, and the bounded cycle synthesis algorithm, which additionally guarantees that the number of cycles of the implementation is minimal. Keywords. reactive systems, synthesis, temporal logic, output-sensitive algorithms

1. Introduction Hardware circuits, communication protocols, and embedded controllers are typical examples of reactive systems [13], i.e., computer systems that maintain a continuous interaction with their environment. Reactive systems play a crucial role in many applications in transport systems, building technology, energy management, health care, infrastructure, and environmental protection. Designing reactive systems is difficult, because one needs to anticipate every possible behavior of the environment and prepare an appropriate response. Synthesis is a technology that constructs reactive systems automatically from a logical specification: that is, after the specification of the system is complete, no further manual implementation steps are necessary. The developer focuses on “what” the system should do instead of “how” it should be done. Because synthesis analyzes objectives, not implementations, it can be applied at an early design stage, long before the system has been implemented. The vision is that a designer analyzes the design objectives with a synthesis tool, automatically identifies competing or contradictory requirements and obtains an error-free prototype implementation. Coding and testing, the most expensive stages of development, are eliminated from the development process. The automatic synthesis of implementations from specifications is one of the grand challenges of computer science. Its pursuit dates back at least to Alonzo

26

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

Church [5] and has ignited research on many fundamental topics, notably on the connection between logics and automata, on algorithmic solutions of infinite games over finite graphs [4], and on the theory of automata over infinite objects [17]. It is only in the last decade, however, that the theoretical ideas have been translated into practical tools (cf. [14,6,3,2,8]). The tools have made it possible to tackle real-world design problems, such as the synthesis of an arbiter for the AMBA AHB bus, an open industrial standard for the on-chip communication and management of functional blocks in system-on-a-chip (SoC) designs [1]. A common argument against synthesis is its complexity. It is natural to compare synthesis with the verification problem, where the implementation is already given, and one needs to check whether the specification is satisfied. For both synthesis and verification, the most commonly used specification language is lineartime temporal logic (LTL). Measured in the size of an LTL specification, the synthesis of a single-process finite-state machine is 2EXPTIME-complete, while the corresponding verification problem is in PSPACE. But is this comparison between verification and synthesis fair? The high complexity of synthesis is due to the fact that there exist small LTL formulas that can only be realized by very large implementations. As a result, synthesis “looks” much more expensive than verification, because the size of the implementation is an explicit parameter in the complexity of verification, and left implicit in the complexity of synthesis. This paper gives an introduction to a new class of synthesis algorithms, whose performance is measured not only in the size of the specification, i.e., the input to the synthesis algorithm, but also in the size and complexity of the implementation, i.e., the output of the synthesis algorithm. Such algorithms are called output sensitive. The prototypical output-sensitive synthesis approach is bounded synthesis. In bounded synthesis, we look for an implementation where the number of states is limited by a given bound. By incrementally increasing the bound, bounded synthesis can be used to find a minimal implementation. We first describe the classic game-theoretic approach to synthesis in Section 4, and then the bounded synthesis approach in Section 5. The two approaches differ fundamentally. The game-based approach is to translate the given LTL formula into an equivalent deterministic automaton, and then use the state space of the deterministic automaton to define a two-player game. In this game, the “output player” sets the outputs of the system and attempts to satisfy the specification, i.e., ensures that the resulting play is accepted by the automaton, and the “input player” sets the inputs and attempts to ensure that the play violates the specification, i.e., is rejected by the automaton. This game can be solved automatically, and a winning strategy for the output player can, if it exits, be translated into an implementation that is guaranteed to satisfy the specification. Unfortunately, the translation from LTL to deterministic automata is doubly exponential, which results in the 2EXPTIME complexity. In bounded synthesis, the LTL formula is not translated to a deterministic automaton; instead, its negation is translated to a nondeterministic automaton. This translation is single, rather than double exponential. The nondeterministic automaton suffices to check if a given implementation is correct: the implementation is correct if its product with the automaton does not contain an accepting path. In bounded synthesis, we “guess” an implementation of bounded size and make sure it is correct. This is done via

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

27

propositional constraint solving: we build a constraint system that is satisfiable if and only if an implementation that is correct with respect to the automaton. The reduction of the synthesis problem to a constraint solving problem opens the possibility to add further constraints in order to focus the search towards the most desirable solutions. In Section 6, we describe such an extension: bounded cycle synthesis. In addition to the number of states, bounded cycle synthesis also bounds the number of cycles in the implementation. This leads to implementations that are not only small but also structurally simple.

2. The Synthesis Problem In reactive synthesis, we transform a temporal specification into an implementation that is guaranteed to satisfy the specification for all possible inputs of the environment. In the following, we consider formulas of linear-time temporal logic ˙ that is partitioned into a set (LTL) over a set of atomic propositions AP = I ∪O of inputs I and a set of outputs O. A trace t is an infinite sequence over subsets of the atomic propositions. We define the set of traces TR := (2AP )ω . An LTL formula describes a subset of TR. The idea is that in each step of a computation, the inputs are chosen by the environment, and the outputs are chosen by the system under construction. In a correctly synthesized system, all possible sequences satisfy the LTL formula. Linear-time temporal logic (LTL). Linear-time temporal logic (LTL) [16] combines the usual Boolean connectives with temporal modalities such as the Next operator and the Until operator U. The syntax of LTL is given by the following grammar: ϕ ::= p | ¬ϕ | ϕ ∨ ϕ |

ϕ | ϕUϕ

where p ∈ AP is an atomic proposition. ϕ means that ϕ holds in the next position of a trace; ϕ1 U ϕ2 means that ϕ1 holds until ϕ2 holds. There are several derived operators, such as ϕ ≡ true U ϕ, ϕ ≡ ¬ ¬ϕ, and ϕ1 W ϕ2 ≡ (ϕ1 U ϕ2 ) ∨ ϕ1 . ϕ states that ϕ will eventually hold in the future and ϕ states that ϕ holds globally; W is the weak version of the until operator. We use the following notation to manipulate traces: let t ∈ TR be a trace and i ∈ N be a natural number. t[i] denotes the i-th element of t. Therefore, t[0] represents the starting element of the trace. Let j ∈ N and j ≥ i, then t[i, j] denotes the sequence t[i] t[i + 1] . . . t[j − 1] t[j], and t[i, ∞] denotes the infinite suffix of t starting at position i. Let p ∈ AP and t ∈ TR. The semantics of an LTL formula is defined as the smallest relation |= that satisfies the following conditions:

28

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

t |= p

iff

p ∈ t[0]

t |= ¬ψ

iff

t |= ψ

t |= ψ1 ∨ ψ2

iff

t |= ψ1 or t |= ψ2

t |=

iff

t[1, ∞] |= ψ

iff

there exists i ≥ 0 : t[i, ∞] |= ψ2

ψ

t |= ψ1 U ψ2

and for all 0 ≤ j < i we have t[j, ∞] |= ψ1 Example 1 Suppose, for example, we are interested in constructing an arbiter circuit. Arbiters are used when more than one client needs access to some shared resource, such as a communication bus. To access the resource, the client sends a request signal R and waits until it receives a grant signal G from the arbiter. The task of the arbiter is to answer each request with a grant without giving grants to the two clients at the same time. In LTL, an arbiter with two clients can be specified as a conjunction of three properties: (¬G1 ∨ ¬G2 ) (R1 → G1 ) (R2 → G2 )

(mutual exclusion) (response 1) (response 2)

The mutual exclusion property states that at every point in time x, at most one grant signal can be set; the response properties state that if a request is made at some point in time, then there must exist a point in time, either immediately or later, where the corresponding grant signal is set. Implementations. We represent the result of the synthesis process as a finite˙ of atomic propositions be, as before, parstate machine. Let the set AP = I ∪O titioned into the inputs I and the outputs O. A Mealy machine over I and O has the form M = (S, s0 , δ, γ) where S is a finite set of states, s0 ∈ S is the initial state, δ : S × 2I → S is the transition function, and γ : S × 2I → 2O is the output function. The output of the Mealy machine thus depends on the current state and the last input letter. A path of a Mealy machine is an infinite sequence p = (s0 , σ0 )(s1 , σ1 )(s2 , σ2 ) . . . ∈ (S × 2AP )ω of states and sets of atomic propositions that starts with the initial state s0 and where δ(sn , I ∩ σn ) = sn+1 and γ(tn , I ∩ σn ) = O ∩ σn for all n ∈ N. We refer to the projection of a path p to its second component π = σ0 σ1 σ2 . . . ∈ Σω , as a computation of the Mealy machine. The Mealy machine satisfies the LTL formula ϕ, denoted by M |= ϕ, if all its computations satisfy ϕ. Example 2 Figure 1 shows two Mealy machines that implement the arbiter specification from Example 1. The Mealy machine shown on the left carefully answers every request and only issues a grant if there is an open request. The machine on the right always issues the grant to the same client, initially to the first client, and switches to the other client as soon as there is a request from the other client. Both machines satisfy the specification from Example 1.

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

29

∅→∅ {R1 } → {G1 } {R2 } → {R2 }

1}

{G → 1}

} 1 {G

}→ 2 {R

}→

2

∅,

∅,

} 2 {G

{R

,R 1 {R

s0

∅, {R1 } → {G1 }

∅, {R2 } → {G2 }

{R2 }, {R1 , R2 } → {G1 } t0

t1 {R1 }, {R1 , R2 } → {G2 }

{R2 }, {R1 , R2 } → {G1 } s1

s2 {R1 }, {R1 , R2 } → {G2 }

Figure 1. Two Mealy machines implementing the arbiter specification.

Realizability and Synthesis. We say that an LTL formula ϕ is realizable if there exists a Mealy machine M over the same inputs I and outputs O as ϕ such that M |= ϕ. The synthesis problem of an LTL formula ϕ is to determine whether ϕ is realizable and, if the answer is yes, to construct a Mealy machine M such that M |= ϕ.

3. Model checking Before we address the synthesis problem, we take a quick detour into model checking. In model checking, the implementation is already given and we are interested in determining whether the implementation is correct. Given a Mealy machine M and an LTL formula ϕ, model checking determines whether M satisfies ϕ. In case of a negative answer, model checking produces a counterexample, i.e., a trace t ∈ (2AP )ω that is a computation of M that does not satisfy ϕ. To model check a given Mealy machine, we translate the negation of the specification into an equivalent automaton, and then check the intersection of the Mealy machine with that automaton for language emptiness. LTL specifications can be represented as B¨ uchi automata. A nondeterministic B¨ uchi automaton over the alphabet Σ is a tuple A = (Q, q0 , Δ, F ), where Q is a finite set of states, q0 ∈ Q is an initial state, Δ ⊆ Q×Σ× Q a set of transitions, and F ⊆ Q a subset of accepting states. A nondeterministic B¨ uchi automaton accepts an infinite word w = w0 w1 w2 . . . ∈ Σω iff there exists a run r of A on w, i.e., an infinite sequence r0 r1 r2 . . . ∈ Qω of states such that r0 = q0 and (ri , wi , ri+1 ) ∈ Δ for all i ∈ N, such that rj ∈ F for infinitely many j ∈ N. The set of sequences accepted by A is called the language L(A) of A. Example 3 Consider the negation of the arbiter specification from Example 1, i.e., the LTL formula

30

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

∗ q0 R1 G1

R2 G2

G1 G2

q1

q2

q3

G1



G2

Figure 2. Nondeterministic B¨ uchi automaton corresponding to the negation of the arbiter specification. The states depicted as double circles (q1 , q2 , and q3 ) are the accepting states in F . The abbreviations R1 G1 , G1 G2 , R2 G2 , G1 , G2 are used to indicate, in Boolean notation, letters of the alphabet 2AP . E.g., R1 G1 represents the letters {R1 , R2 , G2 }, {R1 , R2 }, {R1 , G2 }, and {R1 }. The symbol ∗ represents all letters of the alphabet, i.e., all subsets of {R1 , R2 , G1 , G2 }.

t1 , q3 

t0 , q0 

t1 , q0 

t0 , q1 

Figure 3. Product of the simple Mealy machine shown on the right in Fig. 1 with the B¨ uchi automaton from Fig. 2.

∨ ∨

(G1 ∧ G2 ) (R1 ∧ ¬G1 ) (R2 ∧ ¬G2 ) .

A nondeterminstic B¨ uchi automaton that accepts exactly the traces that satisfy this formula, i.e., all traces that violate the arbiter specification, is shown in Fig. 2. 0 ,Δ Let A¬ϕ = (Q¬ϕ , q¬ϕ uchi automaton that accepts all se¬ϕ , F¬ϕ ) be a B¨ AP ω quences in (2 ) that satisfy ¬ϕ, and therefore violate ϕ. In model checking, we verify the Mealy machine M against a specification ϕ by building the product M × A¬φ of the Mealy machine M = (S, s0 , δ, γ) over 0 ,Δ inputs I and outputs O, and the B¨ uchi automaton A¬φ = (Q¬ϕ , q¬ϕ ¬ϕ , F¬ϕ ) I∪O . The product is a directed graph (V, E) with vertices V = with alphabet 2 T × Q and edges E ⊆ V × V , where (s, q, s , q  ) ∈ E iff there is an input i ∈ 2I such that δ(s,i) = s and q  ∈ Δ¬ϕ (q,i ∪ γ(s,i)). The Mealy machine satisfies ϕ iff there is no path in M × A¬φ that visits an accepting state of A¬φ infinitely often.

Example 4 Figure 3 shows the product M × A¬ϕ of the small Mealy machine M shown on the right in Fig. 1 with the B¨ uchi automaton A¬ϕ from Fig. 2. The only infinite paths are the self-loops from t0 , q0  and t1 , q0  and the path that oscillates forever between t0 , q0  and t1 , q0 . These paths do not visit any accepting states. M thus satisfies ϕ.

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

G1

G2

R1

G1 G2 R1 , G1 G2 R2 , G1 G2 R1 R2

G1 G2 , G1 G2 R1 G1 G2 R2 , G1 G2 R1 R2

s3 0

31

s2 3

G1 G2

1G 2R 1

G

G1 G2 R2

1G 2G 2

G

G1 G2 R1 , G1 G2 R1 R2

G 1G 2

s5 5

R1

G1 G2 R2

s4 1

G 1G 2

R2 R1 G2 G1

G1 G2 R1

G1 G2 R1

s6 0

G

G

1G 1G 2 2R 2

G1 G2 G1 G2 , G1 G2 R2

2 2R G 1G

G1 G2 G1 G2

s7 1

G1 G2

Figure 4. Deterministic parity automaton corresponding to the arbiter specification. The colors of the states are shown in the lower part of the state labels.

4. Game-based Synthesis In the classic game-based approach to synthesis [17], the problem is analyzed in terms of a two-player game. The game is played between two players: the input player Player I determines the inputs to the system with the goal of violating the specification. The output player Player O controls the outputs of the system with the goal of satisfying the specification. A winning strategy for Player I can be translated into an implementation that is guaranteed to satisfy the specification. To solve the synthesis problem, we must therefore check whether Player I has a winning strategy. In order to turn the specification into a game, we translate the LTL formula into a deterministic automaton that accepts all traces that satisfy the formula. An automaton is deterministic if each state and input has unique successor state, i.e., the set of transitions Δ is a total function from Q × Σ to Q. Since deterministic B¨ uchi automata are not expressive enough to represent every possible LTL specification, we must use a more expressive acceptance condition such as the parity condition. Whereas a B¨ uchi acceptance condition identifies a set F ⊆ S of accepting states, which have to be visited infinitely often, a parity condition c : S → N labels every state with a natural number. We call such a number the color of the state. A run of a parity automaton is accepting if the smallest color that appears infinitely often as a label of the states of the run is even. This introduces a hierarchy in the acceptance condition, as from some point on, every odd color has to be answered by a smaller even color. The B¨ uchi acceptance condition

32

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

is a special case of the parity condition, where the accepting states are colored with 0 and the remaining states are colored with 1. Example 5 Figure 4 shows a deterministic parity automaton, whose language consists of all traces that satisfy the arbiter specification from Example 1. The colors of the states are shown in the lower part of the state labels. The deterministic automaton is then translated into an infinite game over a finite graph. A game graph is a directed graph (V, E) with vertices V and edges E. ˙ O are partitioned into the vertices VI controlled by Player I The vertices V = VI ∪V and the vertices VO controlled by Player O. A parity game (V, E, c) consists of a game graph (V, E) and a parity condition c : V → N. To play the game, a token is placed on some initial vertex v, which is then moved by the player owning the vertex to one of its successors v  , i.e., such that (v, v  ) ∈ E. This is repeated ad infinitum, resulting in an infinite sequence of vertices, called a play of the game. If the underlying color sequence, i.e., the sequence resulting by the reduction of the vertices to their labels, satisfies the parity condition, Player O wins the game, otherwise Player I wins the game. The game for the synthesis problem is obtained from the deterministic automaton by separating the moves of Player I, namely the choice of the inputs I to the system, and the moves of Player O, i.e., the choice of the outputs O. We are interested in finding a winning strategy for Player O, i.e., an appropriate choice of output after every possible prefix of a play. We call such a prefix a history of the play. A useful property of parity games is that they are memoryless determined, which means that if one of the players has a winning strategy, then there also exists a winning strategy that only depends on the last vertex of the history, ignoring the previously visited vertices. For parity games, it is possible to automatically compute the set of vertices from which Player O has a winning strategy. This set of vertices is called the winning region. If the vertex corresponding to the initial state of the automaton is in the winning region, then there exists a solution to the synthesis problem. Example 6 Figure 5 shows the parity game for the synthesis problem of the arbiter specification from Example 1. The game was constructed by first translating the LTL formula into the deterministic automaton shown in Fig. 4, and then separating the moves of the input and output players. In Fig. 5, vertices controlled by Player I are depicted as rectangles, vertices controlled by Player O as circles. The winning region of Player O is marked by the highlighting. Since the initial vertex is in the winning region, the specification can be realized. The (memoryless) winning strategy is indicated by the thick edges. Game-based synthesis is asymptotically optimal in the size of the input. However, the synthesized implementations are often much larger than necessary. Compare, for example, the size of the winning strategy in Fig. 5 with the small Mealy machine on the right in Fig. 1.

33

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

4 2 7

0

1 6 8

3

5 3

6

7

9

1

4 1

0

8

1

3

Figure 5. Parity game resulting from the deterministic parity automaton depicted in Fig. 4. Vertices controlled by Player I are depicted as rectangles, vertices controlled by Player O as circles. The highlighted states mark the winning region of Player O. The winning strategy is indicated by the thick edges.

5. Bounded Synthesis In bounded synthesis [12], we set a bound on the number of states of the synthesized Mealy machine. By incrementally increasing the bound, we can use bounded synthesis to find a Mealy machine with a minimal number of states. The Mealy machine is found as a solution of a constraint system. To ensure that all solutions of the constrain system satisfy the specification, we encode not only the states, transitions, and outputs of the Mealy machine, but, additionally, an annotation of the states of the Mealy machine that ensures that the given LTL specification is satisfied. This annotation essentially ensures that the model checking of the Mealy machine succeeds, i.e., that the language of the product with the B¨ uchi automaton corresponding to the negation of the specification is empty. Let V, E be the product of a Mealy machine M and a B¨ uchi automaton A¬ϕ for the negation of the specification. An annotation λ : S × Q → {⊥} ∪ N is a function that maps nodes from the run graph to either unreachable ⊥ or a natural number k. An annotation is valid if it satisfies the following conditions:

34

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

t0 , q3 

t0 , q2 

t1 , q2 

t1 , q1 

λ:⊥

λ:⊥

λ:⊥

λ:⊥

t1 , q3 

t0 , q0 

t1 , q0 

t0 , q1 

λ:1

λ:0

λ:0

λ:1

Figure 6. Annotated product of the simple Mealy machine shown on the right in Fig. 1 with the B¨ uchi automaton from Fig. 2.

• the initial vertex s0 , q0  is labeled by a natural number: λ(t0 , q0 ) = ⊥, and • if a vertex s, q is annotated with a natural number, i.e., λ(t, q) = k = ⊥, then for every i ∈ 2I and q  ∈ Δ¬ϕ (q,i ∪ γ(s,i), q  ), the successor pair τ (s,i), q  ) is annotated with a greater or equal number, which needs to be strictly greater if q  is a rejecting state. That is, λ(t , q  ) > k if q  ∈ F and ≥λ(t , q  ) ≥ k otherwise. Example 7 Figure 6 shows the annotated product of the simple Mealy machine from the right in Fig. 1 with the B¨ uchi automaton from Fig. 2. One can verify that the annotation is correct by checking every edge individually. For example, the annotation has to increase from t0 , q0  → t1 , q3  and from t1 , q0  → t0 , q1  as q1 and q3 are rejecting. The existence of a Mealy machine with a corresponding annotation of the product graph can be expressed as a propositional constraint. For this purpose, we encode the Mealy machine and the annotation with Boolean variables. • trans(t, ν, t ) for all t, t ∈ S and ν ∈ 2I , for the transition function δ : S × 2I → S of the Mealy machine M = (S, s0 , δ, γ). • output(t, ν, x) for all t ∈ S, ν ∈ 2I and x ∈ O, for the output function δ : S × 2I → S. • rgstate(t, q) for all t ∈ T and q ∈ Q, to encode the reachable states of the product graph G of M and A¬ϕ , i.e., those state pairs t, q where λ(t, q) = ⊥. • annotation(t, q, i) for all t ∈ T , q ∈ Q and 0 < i ≤ log(n · k), where n is the bound on the size of the Mealy machine and k is the number of states of the B¨ uchi automaton. The variables encode the numerical annotation of a state pair (t, q) of G. We use a logarithmic number of bits to encode the annotated value in binary. Given an LTL formula ϕ and a bound n on the states of the Mealy machine, we solve the bounded synthesis problem by checking the satisfiability of the propositional formula FBS (ϕ, n), consisting of the following constraints: • The pair of initial states s0 , q0  for some arbitrary, but fixed, s0 is reachable and annotated with 1.

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

35

rgstate(s0 , q0 ) ∧ annotation(1, 1) = 1 • Each annotation of a vertex of the product graph bounds the number of visited accepting states, not counting the current vertex itself: 

rgstate(t, q) →

t∈T, q∈Q





output(t, σ) →

σ∈2Σ



trans(t, I ∩ σ, t ) →

t ∈T

rgstate(t , q  ) ∧ annotation(t, q) ≺q annotation(t , q  )

q  ∈Δ(q,σ)

where ≺q equals < if q ∈ R and equals ≤ otherwise. The formula output(t, σ) ensures that the output corresponds to the output function of the Mealy machine, i.e., output(t, σ) =

 x∈O∩σ

output(t, I ∩ σ, x) ∧



¬output(t, I ∩ σ, x).

x∈Oσ

Theorem 1 (Bounded Synthesis [12]) For an LTL formula ϕ and a bound n ∈ N, the propositional formula FBS (ϕ, n) is satisfiable if and only if there is a Mealy machine M with |M| = n that satisfies ϕ. The propositional constraint can be solved by a standard SAT solver. In addition to the encoding as a propositional constraint, the bounded synthesis problem has also been reduced to the satisfiability of quantified Boolean formulas (QBF) and dependency quantified Boolean formulas (DQBF) [7], as well as to satisfability modulo theories (SMT) [11]. Such encodings are more concise than the encoding as a Boolean formula. Even though the satisfiability problems of these logics are more expensive than propositional satisfiability, in particular the QBF encoding has proven advantageous in experiments (cf. [8]). Another powerful optimization is lazy synthesis [9], which avoids the full construction of the constraint system. Lazy synthesis alternates between constraint solving, where a model is constructed for an incomplete constraint system, and verification, where errors in the previously constructed model are identified and used to extend the constraint system.

6. Bounded Cycle Synthesis Bounded cycle synthesis [10] extends bounded synthesis by bounding not only the number of states, but also the number of cycles of the Mealy machine. Bounded cycle synthesis allows us to find implementations that are not only small but also structurally simple. A cycle is a path of a Mealy machine that ends in the same state it started in. Even Mealy machines with a small number of states can have many cycles: the number of cycles can be exponential in the number of states.

36

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

The explosion of the number of circles is in fact worse than the explosion of the number of states: while a realizable LTL formula has an implementation with at most doubly exponentially many states, there exist LTL formulas where the number of cycles in the Mealy machine is triply exponential [10]. This makes the number of cycles a particularly interesting metric for output-sensitive synthesis algorithms. Let G = (V, E) be a directed graph. A (simple) cycle c of G is a a tuple (C, η), consisting of a non-empty set C ⊆ V and a bijection η : C → C such that • ∀v ∈ C. (v, η(v)) ∈ E and • ∀v ∈ C. n ∈ N. η n (v) = v ⇔ n mod |C| = 0, where η n denotes n times the application of η. In other words, a cycle of G is a path through G that starts and ends at the same vertex and visits every vertex of V at most once. We say that a cycle c = (C, η) has length n iff |C| = n. We extend the notion of a cycle of a graph G to Mealy machines M = (T, tI , δ, λ), such that c is a cycle of M iff c is a cycle of the graph (T, E) for E = {(t, t ) | ∃ν ∈ 2I . δ(t, ν) = t }. Thus, we ignore the input labels of the edges of M. The set of all cycles of a Mealy machine M is denoted by C(M). 6.1. Counting Cycles A classical algorithm for counting the number of cycles of a directed graph is due to Tiernan [18]. We review this algorithm here as a preparation for the bounded cycle synthesis encoding. Algorithm 1. Given a directed graph G = (V, E), we count the cycles of G using the following algorithm: (1) Initialize the cycle counter c to c := 0 and some set P to P := ∅. (2) Pick some arbitrary vertex vr of G, set v := vr and P := {vr }. / P \ {vr }: (3) For all edges (v, v  ) ∈ E, with v  ∈ (3a) If v  = vr , increase c by one. (3b) Oherwise, set v := v  , add v  to P and recursively execute (3). Afterwards, reset P to its value before the recursive call. (4) Obtain the sub-graph G , by removing vr from G: (4a) If G is empty, return c. (4b) Otherwise, continue from (2) with G . The algorithm starts by counting all cycles that contain the first picked vertex vr . This is done by an unfolding of the graph into a tree, rooted in vr , such that there is no repetition of a vertex on any path from the root to a leaf. The number of vertices that are connected to the root by an edge of E then represents the corresponding number of cycles through vr . The remaining cycles of G do not contain vr and, thus, are cycles of the sub-graph G without vr , as well. Hence, we count the remaining cycles by recursively counting the cycles of G . The algorithm terminates as soon as G becomes empty.

37

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

1

(1) + (2) s0

s1

s1

c := 0, v := s0 , vr := s0 P := {s0 }

4

(3) + (3a) (s2 , s0 )

s0

c := 1, v := s0 , vr := s0 P := {s0 }

5

(3) + (3b) (s2 , s1 )

s1

c := 2, v := s2 , vr := s0 P := {s0 , s2 }

7

(4) + (2) s0

s1

s1

s2

s0

s2

s2

c := 3, v := s1 , vr := s1 P := {s1 }

c := 1, v := s2 , vr := s0 P := {s0 , s2 }

6

(3) + (3a) (s1 , s0 )

s1

c := 2, v := s1 , vr := s0 P := {s0 , s1 , s2 }

8

(3) + (3b) (s1 , s2 )

s1

s2

s0

s0

s2

3

(3) + (3b) (s0 , s2 )

s0

s0

s2

s1

2

(3) + (3a) (s0 , s0 )

s2

c := 3, v := s1 , vr := s0 P := {s0 , s1 , s2 }

9

(3) + (3a) (s2 , s1 )

s0

s2

c := 3, v := s2 , vr := s1 P := {s1 , s2 }

s1

s2

c := 4, v := s2 , vr := s1 P := {s1 , s2 }

Figure 7. Execution of Tiernan’s algorithm for the larger Mealy machine on the left in Fig. 1.

The algorithm, as described so far, has the disadvantage that the number of unfolded trees is exponential in the size of the graph, even if none of their vertices is connected to the root, i.e., even if there is no cycle to be counted. This drawback can be avoided by first reducing the graph to all its strongly connected components (SCCs) and then counting the cycles of each SCC separately [19,15]. This reduction is sound, as a cycle never leaves an SCC of the graph. The improved algorithm is exponential in the size of G, and linear in the number of cycles m. Furthermore, the time between two detections of a cycle, during the execution, is bounded linear in the size of G. Example 8 To see Tiernan’s algorithm in action, we count the number of simple cycles of the larger Mealy machine on the left in Fig. 1. The execution is shown in Fig. 7. In this example, we do not need to apply the reduction to individual

38

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

SCCs, because the Mealy machine consists of a single SCC. As result we obtain that the Mealy machine has four simple cycles. 6.2. The Bounded Cycle Synthesis Encoding Like in the bounded synthesis approach, we solve the bounded cycle synthesis problem via a reduction to propositional satisfiability. We extend the constraint system from bounded synthesis with additional constraints that ensure that the number of cycles, as determined by Tiernan’s algorithm, does not exceed the given bound. We call a tree that witnesses m cycles in G, all containing the root r of the tree, a witness-tree Tr,m of G. Formally, a witness-tree Tr,m of G = (V, E) is a labeled graph Tr,m = ((W, B ∪R), τ ), consisting of a graph (W, B ∪R) with m = |R| and a labeling function τ : W → V , such that: 1. The edges are partitioned into blue edges B and red edges R. 2. All red edges lead back to the root: R ⊆ W × {r} 3. No blue edges lead back to the root: B ∩ W × {r} = ∅ 4. Each non-root has at least one blue incoming edge: ∀w ∈ W \ {r}. ∃w ∈ W. (w, w ) ∈ B 5. Each vertex has at most one blue incoming edge: ∀w1 , w2 , w ∈ W. (w1 , w) ∈ B ∧ (w2 , w) ∈ B ⇒ w1 = w2 6. The graph is labeled by an unfolding of G: ∀w, w ∈ B ∪ R. (τ (w), τ (w )) ∈ E, 7. The unfolding is complete: ∀w ∈ W. ∀v  ∈ V. (τ (w), v  ) ∈ E ⇒ ∃w ∈ W. (w, w ) ∈ B ∪ R ∧ τ (w ) = v  8. Let wi , wj ∈ W be two different vertices that appear on a path from the root to a leaf in the r-rooted tree (W, B)1 . Then the labeling of wi and wj differs, i.e., τ (vi ) = τ (vj ). 9. The root of the tree is the same as the corresponding vertex of G, i.e., τ (r) = r. Lemma 1 ([10]) Let G = (V, E) be a graph consisting of a single SCC, r ∈ V be some vertex of G and m be the number of cycles of G containing r. Then there is a witness-tree Tr,m = ((W, B ∪ R), τ ) of G with |W | ≤ m · |V |. Lemma 2 ([10]) Let G = (V, E) be a graph consisting of a single SCC and let Tr,m be a witness-tree of G. Then there are at most m cycles in G that contain r. 1 Note

that the tree property is enforced by Conditions 3 – 5.

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

s0

s1

s2

s2

39

s2

s1 Figure 8. The forest of witness trees proving prove the overall number of four cycles in the larger Mealy machine of Fig. 1.

From Lemma 1 and 2 we derive that Tr,m is a suitable witness to bound the number of cycles of an implementation M. Furthermore, from Lemma 1, we also obtain an upper bound on the size of Tr,m . Example 9 Figure 8 shows the witness trees for the larger Mealy machine on the left of Fig. 1. Each red edge, leading back to s0 and s1 on the first tree level, captures one cycle of the machine. Thereby, the properties of the tree enforce that all cycles are captured by these trees. We now encode the bound on the number of cycles as a propositional constraint. First, we construct a simple directed graph G out of the implementation M. Then, we guess all the sub-graphs, obtained from G via iteratively removing vertices, and split them into their corresponding SCCs. Finally, we guess the witness-tree for each such SCC. In order to keep the encoding compact, we introduce some further optimizations. First, we do not need to introduce a fresh copy for each SCC, since the SCC of a vertex is always unique. Thus, it suffices to guess an annotation for each vertex. Second, we have to guess n trees Tri ,mi , i = 1 . . . n, each consisting of at most mi · n vertices, such that the sum of all mi is equal to the overall number of cycles m. One possible solution would be to overestimate each mi by m. Another possibility would be to guess the exact distribution of the cycles over the different witness-trees Tri ,mi . In our encoding, we guess all trees together in a single graph bounded by m · n. We annotate each vertex with its corresponding witness-tree Tri ,mi . Instead of bounding the number of red edges separately for each Tri ,mi by mi , we just bound the number of all red edges in the whole forest by m. In this way, we not only reduce the size of the encoding, but also avoid additional constrains that would be needed to sum up the different witness-tree bounds i to m. Let T be some ordered set with |T | = n and S = T × {1, 2, . . . , m}. We use T to denote the vertices of G and S to denote the vertices of the forest of Tri ,mi s. Further, we use M = T ×{1} to denote the roots and N = S \M to denote the nonroots of the corresponding trees. We introduce the following Boolean variables: • edge(t, t ) for all t, t ∈ T , denoting the edges of the abstraction of M to G.

40

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

∗ → {G1 } t0

t1 ∗ → {G2 }

Figure 9. The implementation of the arbiter specification with the smallest number of states and cycles.

• bedge(s, s ) for all s ∈ S and s ∈ N , denoting a blue edge. • redge(s, s ) for all s ∈ S and s ∈ M , denoting a red edge. • wtree(s, i) for all s ∈ S, 0 < i ≤ log(n), denoting the witness-tree for each s. Thereby, each tree is referenced by a unique number encoded in binary using a logarithmic number of bits. • visited(s, t) for all s ∈ S and t ∈ T , denoting the set of all vertices t, already visited at s, since leaving the root of the corresponding witness-tree. • rbound(c, i) for all 0 < c ≤ m, 0 < i ≤ log(n · m), denoting an ordered list of all red edges, bounding the red edges of the forest. • scc(k, t, i) for all 0 < k ≤ n, t ∈ T, and 0 ≤ i < log n, denoting the SCC of t in the k-th sub-graph of G. The sub-graphs are obtained by iteratively removing vertices of T , according to the pre-defined order. This way, each sub-graph contains exactly all vertices that are larger than the root. Note that, by the definition of S, we introduce m explicit copies for each vertex of G. This is sufficient, since each cycle contains each vertex at most once. Thus, the labeling τ of a vertex s can be directly derived from the first component of s. Given the respective bounded synthesis encoding for the specification ϕ and a bound n on the states of the resulting implementation M, and a bound m on the number of cycles of M, we encode the bounded cycle synthesis problem as the propositional formula F = FBS (ϕ, n) ∧ FCS (n, m) ∧ FM→G (ϕ, n) ∧ FSCC (n) The constraints of FBS (ϕ, n) represent the bounded synthesis encoding. The constraints of FM→G (ϕ, n) simplify the representation of the Mealy machine M to G. The constraints of FCS (A, n, m) bound the cycles of the system and are presented in Table 1. The constraints of FSCC (n) enforce that each vertex is labeled by a unique SCC [10]. Theorem 2 (Bounded Cycle Synthesis [10]) For an LTL formula ϕ and a pair of bounds n, m ∈ N, the propositional formula F is satisfiable if and only if there is a Mealy machine M with |M| = n and |C(M)| = m that satisfies ϕ. Example 10 Using our encoding, we can now search for the implementation of the arbiter specification from Example 1 with the smallest number of states and, additionally, smallest number of cycles. It turns out that neither Mealy machine from Fig. 1 is the minimal solution. The smallest implementation for the arbiter specification, with respect to the number of states and cycles is shown in Fig. 9.

B. Finkbeiner and F. Klein / Reactive Synthesis: Towards Output-Sensitive Algorithms

 r∈T



s∈S, (r,1)∈M



s∈S, s ∈N



s ∈N



(t,c)∈S, r∈T,



(t,c)∈S, (t ,c )∈N



(t,c)∈S, r∈T, t≥r

 (t,c)∈S, r,t ∈T, t≥t

 r∈T

Table 1. Constraints of the SAT formula FCS (A, n, m). wtree((r, 1)) = r redge(s, (r, 1)) → wtree(s) = r bedge(s, s ) → wtree(s) = wtree(s ) exactlyOne( {bedge(s, s ) | s ∈ S} ) redge((t, c), (r, 1)) → edge(t, r) bedge((t, c), (t , c )) → edge(t, t ) edge(t, r) ∧ scc(r, t) = scc(r, r) ∧ wtree((t, c)) = r → redge((t, c), (r, 1)) edge(t, t ) ∧ scc(r, t) = scc(r, t ) ∧ wtree((t, c), t ) c)) = r ∧ visited((t, bedge((t, c), (t , c )) →

 

(t,c)∈S, s∈N

 s∈S, s ∈M

 0 , j).3 Thus, R can be represented as R = < r1 , r2 , . . . , rI , rI+1 , . . . , rK , rK+1 , . . . , rP >, where

RI = < r1 , r2 , . . . , rI >, ri ∈ IR,

is the subsequence of monitored variables, RY = < rI+1 , rI+2 , . . . , rK >, ri ∈ GR ∪ MR, is the subsequence containing terms and modes, and RO = < rK+1 , rK+2 , . . . , rP >, ri ∈ OR, is the subsequence of controlled variables. 2.7. Table Functions In our model, the functions defining the values of the dependent state variables, i.e., the controlled variables, terms, and mode classes, describe the deterministic part of the system behavior. Each dependent state variable ri is defined by a state function Fi , which is either a table function or a nonstandard function (see [19] for a definition of nonstandard functions). Since there are I monitored variables, there are a total of P − I table and nonstandard functions. The functions defined by condition tables and by event tables make up the two broad classes of table functions in SCR requirements specifications. The mode transition tables are a special form of event tables. Each variable ri defined by a table function may be associated with a mode class, M j , 1 ≤ j ≤ N. To represent the relation between a variable and a mode class, we define a partial function μ such that such that for i, I + 1 ≤ i ≤ P, Mμ(i) is the mode class associated with ri . Presented below for each of three table types—condition tables, event tables, and mode transition tables—is a typical format, the relation ρi that the table defines, and a set of properties. For each relation ρi , we show how to derive the table function Fi . Modes

Conditions

m1 ... mn

c1,1 ... cn,1

c1,2 ... cn,2

... ... ...

c1,p ... cn,p

ri

v1

v2

...

vp

Table 1. Typical Format for a Condition Table. 3 In

this exposition, we choose one particular topological sort R. However, any topological sort will result in the same semantics for this model.

52

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

Table Function for Condition Tables. Table 1 shows a typical format for a condition table with n + 1 rows and p + 1 columns. Each condition table describes the value of a controlled variable or term ri by means of a relation ρi on modes, conditions, and values. This relation ρi is defined by ρi = {(m j , c j,k , vk ) ∈ Mμ(i) ×Ci × TY(ri )}, where 1 ≤ j ≤ n, 1 ≤ k ≤ p; Ci is a set of conditions defined on variables in RF; and each c j,k is a condition in a row containing mode m j and a column containing value vk . The relation ρi must satisfy the following properties: 1. The m j are unique; the vk are unique. 2. ∪nj=1 m j = Mμ(i) (All modes in the mode class are included). p 3. For all j: ∨k=1 c j,k = true (Coverage: The disjunction of the conditions in each row of the table is true). 4. For all j, k, l, k = l: c j,k ∧ c j,l = false (Disjointness: The pairwise conjunction of the conditions in each row of the table is always false). To make explicit variable ri ’s dependencies on other variables, we consider an alternate, functional description called Fi of the value of ri . The four properties above ensure that Fi is a total function: Properties 1 and 4 ensure that Fi is a function, while Properties 2 and 3 guarantee totality. Fi is a single-state function with U = TY(ri ) and the new state dependencies set, {yi,1 , yi,2 , . . . , yi,ni }, where the name of the associated mode class is yi,1 = rk such that TY(rk ) = Mμ(i) and yi,2 , . . . , yi,ni are variables that appear in some condition c j,k that is an entry in the condition table. The value of the dependent variable ri is defined by ri = Fi (yi,1 , . . . , yi,ni ). The function Fi , which is called a condition table function, is defined by ⎧ v if ∨nj=1 (yi,1 = m j ∧ c j,1 ) ⎪ ⎪ ⎪ 1 ⎪ ⎨ v2 if ∨nj=1 (yi,1 = m j ∧ c j,2 ) Fi (yi,1 , . . . , yi,ni ) = . .. ⎪ ⎪ ⎪ ⎪ ⎩ v if ∨n (y = m ∧ c ). p j j,p j=1 i,1

To represent Fi more concisely, each statement yi,1 = m j can be included in the associated condition. That is, for all j and for all k, if cˆ j,k denotes the condition yi,1 = m j ∧ c j,k , then Fi is defined by ⎧ v1 if ∨nj=1 cˆ j,1 ⎪ ⎪ ⎪ ⎪ ⎨ v2 if ∨nj=1 cˆ j,2 Fi (yi,1 , . . . , yi,ni ) = . .. ⎪ ⎪ ⎪ ⎪ ⎩ v if ∨n cˆ . p j=1 j,p

While most condition tables have an associated mode class, condition tables may also define variables that do not depend on any mode class. In such cases, there is only one row of conditions (n = 1), the modes are omitted from the table, none of the parameters yi, j is a mode class name, and the expressions yi,1 = m j are omitted from the definition of Fi .

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

Modes

53

Events

m1 ... mn

e1,1 ... en,1

e1,2 ... en,2

... ... ...

e1,p ... en,p

ri

v1

v2

...

vp

Table 2. Typical Format for an Event Table.

Table Function for Event Tables. Table 2 shows a typical format for an event table with n + 1 rows and p + 1 columns. An event table describes the value of a controlled variable or term ri by means of a relation ρi on modes, augmented conditioned events, and values. An augmented conditioned event is either a conditioned event or “never” (an artifact of the tabular format). The presence of “never” in row j, column k of an event table indicates that in the mode in row j no event can change ri ’s value to the value in column k. In an expression, “never” is interpreted as the logical constant false. The relation ρi is defined by ρi = {(m j , e j,k , vk ) ∈ Mμ(i) × Ei × TY(ri )}, where 1 ≤ j ≤ n, 1 ≤ k ≤ p; Ei is the set comprised of conditioned events defined on the variables in RF and “never”; and each e j,k is an event (or “never”) in a row containing mode m j and a column containing value vk . The relation ρi satisfies the following properties: 1. The m j are unique; the vk are unique. 2. For all j, k, l, k = l: e j,k ∧ e j,l = false (Disjointness: The pairwise conjunction of the events in each row of the table is always false). As with condition tables, we make explicit ri ’s dependency on other variables by expressing the relation ρi in an alternate, functional form Fi . The two properties above ensure that Fi is a function. In practice, the One Input Assumption and the constraints imposed by the NAT relation on the monitored variables may be required to demonstrate Disjointness. The “no change” part of Fi ’s definition (see below) guarantees totality. Fi is a two-state function with U = TY(ri ) and with the new state dependencies set {yi,1 , . . . , yi,ni } and the old state dependencies set {xi,1 , xi,2 , . . . , xi,mi }. The latter set contains the name of the associated mode class xi,1 = rk where TY(rk ) = Mμ(i) . The value of the dependent variable ri in the new state is defined by ri = Fi (xi,1 , . . . , xi,mi , yi,1 , . . . , yi,ni ). The function Fi , which is called an event table function, is defined by ⎧ v1 ⎪ ⎪ ⎪ ⎪ ⎪ v ⎪ ⎨ 2   Fi (xi,1 , . . . , xi,mi , yi,1 , . . . , yi,ni ) = ... ⎪ ⎪ ⎪v ⎪ p ⎪ ⎪ ⎩ ri

if ∨nj=1 (xi,1 = m j ∧ e j,1 ) if ∨nj=1 (xi,1 = m j ∧ e j,2 ) if ∨nj=1 (xi,1 = m j ∧ e j,p ) otherwise (i.e., no change),

where if none of the e j,k evaluates to true, then the variable defined by Fi undergoes “no change”, that is, retains its value in the old state. As with condition tables, we can represent Fi more concisely by including each statement xi,1 = m j in the associated condition. That is, for all j and for all k, if eˆ j,k denotes the condition xi,1 = m j ∧ e j,k , then Fi is defined by

54

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

Current Mode

Event

New Mode

m1

e1,1 ... e1,k1

m1,1 ... m1,k1

...

...

...

mn

en,1 ... en,kn

mn,1 ... mn,kn

Table 3. Typical Format for a Mode Transition Table.

⎧ v1 ⎪ ⎪ ⎪ ⎪ ⎪ v ⎪ ⎨ 2 Fi (xi,1 , . . . , xi,mi , yi,1 , . . . , yi,ni ) = ... ⎪ ⎪ ⎪ ⎪ vp ⎪ ⎪ ⎩ ri

if ∨nj=1 eˆ j,1 if ∨nj=1 eˆ j,2 if ∨nj=1 eˆ j,p otherwise (i.e., no change).

Like condition tables, some event tables may not have an associated mode class. In such cases, there is only one row of conditions (n = 1), the modes are omitted from the table, none of the xi, j and yi, j are mode class names, and the expressions xi,1 = m j are eliminated from the definition of Fi . Table Function for Mode Transition Tables. Table 3 shows a typical format for a mode transition table. Each mode transition table is associated with a variable ri ∈ MR, which is in turn associated with the mode class Mμ(i) . Since there are N mode classes, there are N mode transition tables, one per mode class. A mode transition table describes a mode class ri ∈ MR by means of a relation ρi between modes, conditioned events, and modes. This relation is defined by ρi = {(m j , e j,k , m j,k ) ∈ Mμ(i) × Ei × Mμ(i) }, where 1 ≤ j ≤ n, 1 ≤ k ≤ k j ; Ei is the set comprised of “never” and conditioned events defined on the variables in RF; and each e j,k is an event (or “never”) in a row containing mode m j and a column containing a new mode m j,k . The relation ρi has the following properties: 1. 2. 3. 4.

The m j are unique. For all k = l, m j,k = m j,l . For all j and for all k, m j = m j,k (No Self-Loops). For all j, k, l, k = l: e j,k ∧ e j,l = false (Disjointness: For each mode m j , the pairwise conjunction of the conditioned events e j,k in the rows of the table for the current mode m j is always false).

A mode transition table with the format in Table 3 which satisfies the above properties is a special case of an event table. Thus the function defined by a mode transition table may be described as an event table function. To transform a mode transition table for a mode class ri in the form of Table 3 into an event table in the form of Table 2, we first create an event table with n + 1 rows and n + 1 columns. (We assume that | TY (ri ) | = n.) Next, the contents of the first column of the mode transition table, which contains modes

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

55

m1 through mn , are copied into the first column of the event table; the name of the mode class ri is entered in the first column of row n + 1 of the event table; and the modes m1 through mn are entered into columns 2 through n + 1 of row n + 1 of the event table. Finally, for each mi, j , 1 ≤ i ≤ n, 1 ≤ j ≤ ki , we have mi, j = mk for some k, 1 ≤ k ≤ n. Thus, we insert ei, j into row i column k + 1. For an example of the transformation of a mode transition table into an event table, see [1]. 2.8. System Transform To define the system transform, we require a series of value functions Vi and a series of partial states zi . Let s be a state and suppose monitored event e = @T(r = v) occurs in state s. Each value function Vi , 1 ≤ i ≤ P, defines the value of variable ri ∈ RF and has the form Vi : E m × S → TY(ri ). We define a series of partial states zi 4 as  0/ for i = 1 zi = zi−1 ∪ {(ri−1 ,Vi−1 (e, s))} for i = 2, 3, . . . , P + 1. The complete new state zP+1 is computed by computing each zi in turn. Each zi contains the first i − 1 variable/value pairs of zP+1 . Given the monitored event e = @T(r = v) and state s, the value functions for the monitored variables are computed from the monitored event and the values of the monitored variables in state s. Formally, for all i, 1 ≤ i ≤ I, such that ri ∈ IR is a monitored variable, the value function Vi is defined by  v if ri = r Vi (e, s) = s(ri ) otherwise. This incorporates the formal meaning of the One Input Assumption. Given the monitored event e = @T(r = v) and state s, the value functions for the dependent variables are computed using the table functions Fi , the partial states zi , and, in the case of variables defined by event tables, the state s. Formally, for all i, I + 1 ≤ i ≤ P, such that ri ∈ RF \ IR is defined by a condition table function Fi , the value functions Vi are defined by Vi (e, s) = Fi,zi , where Fi,zi denotes the evaluation of the single-state function Fi in partial state zi . For all i, I + 1 ≤ i ≤ P, such that ri ∈ RF \ IR is defined by an event table function Fi , the value functions Vi are defined by Vi (e, s) = Fi,s,zi , where Fi,s,zi denotes evaluation of two-state function Fi in state s and partial state zi . The system transform T is defined by the (P + 1)st partial state. That is, T (e, s) = zP+1 . 4 Each

zi also depends on the state s and the input event e, but for simplicity this dependence is left implicit in the notation.

56

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

3. The SCR Tools and Their Practical Application 3.1. The SCR Tools: An Overview Based on the 1996 SCR requirements model [16], NRL has developed many tools to support the creation and analysis of SCR requirements specifications. The original SCR toolset includes a specification editor for creating the specification, a consistency checker for checking it for well-formedness (e.g., no missing cases, no unwanted nondeterminism), a dependency graph browser for displaying the dependencies among the state variables, a simulator for symbolically executing the specification to ensure that it captures the specifier’s intent, and a model checker, such as SPIN [26], for analyzing the requirements specification for application properties. To make model checking feasible, the user can apply abstraction methods to the specification prior to model checking [17,6]. Additional tools supporting the SCR method include an invariant generator [27,28] for automatically generating invariants from the specification, the TAME (Timed Automata Modeling Environment) interface [3,4] to the mechanical proof system PVS for proving application properties, and a validity checker [7], which uses decision procedures for consistency checking and for verifying application properties. Other SCR tools support the automatic generation of tests [12] and the automatic synthesis of source code [32,38] from SCR requirements specifications. For an example that demonstrates the application of many of the above tools to the requirements specification of an automobile cruise control system, see reference [13]. Recently, two new tools have been developed. The first is an extension of the SCR simulator that integrates the original SCR simulator with a customized 3D autonomy simulator [31]. The second is a new tool that synthesizes formal SCR requirements models from user scenarios [20,18] represented in a notation similar to Message Sequence Charts. In addition, while not yet implemented, new algorithms for invariant generation, more powerful than our earlier techniques, have been defined [30]. 3.2. Applying the SCR Method to Practical Systems: Two Examples The practical utility of the SCR method has been demonstrated for many real-world systems. For example, our group at NRL used the SCR tools, two abstraction methods, and the SPIN model checker to expose several serious errors in a contractor-produced software requirements specification (SRS) for a Weapons Control Panel (WCP) [17]. The SRS is quite large, containing over 250 variables. Incorrect behavior of the WCP can lead to serious accidents, such as the premature or unintended release of a weapon, serious injury to an operator, or major damage to a weapon. To prevent behavior that could result in such accidents, the SRS contains precise prose descriptions of six safety properties that the WCP must satisfy to operate safely. In less than a week, we were able to translate the SRS and the six properties into the SCR notation, apply two abstraction methods to make model checking feasible, and to run the SPIN model checker to check each property. Model checking and our abstraction methods demonstrated that the contractor SRS violated all six safety properties! Moreover, based on color diagrams of the panel made available by the contractor, we developed a graphical interface for the WCP that allows operators, familiar with similar systems, to validate that the SRS captures the intended system behavior. The operators could perform the validation simply by running scenarios through the SCR simulator—knowledge of the SCR notation was not needed. Notable is that the application of SCR to the WCP SRS required less than one personmonth of effort.

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

57

In many cases, simply translating requirements into a formal notation such as SCR exposes serious defects. As an example, consider our application of SCR to the Fault Detection, Isolation, and Recovery (FDIR) module of the Thermal Radiator Rotary Joint Manager (TRRLM) software [15]. The function of the FDIR module is to position the thermal radiators of the International Space Station in an on-edge orientation to the sun to maximize heat dissipation from the radiators. FDIR processing for TRRLM is safetycritical because failure of the TRRLM to detect, isolate, and recover from faults could lead to serious damage to the radiators. To obtain the SCR requirements model, we extracted information about the required FDIR behavior from two requirements documents provided by NASA: 1) a table listing failure conditions and the required response to each condition, and 2) a finite state diagram of the FDIR modes, mode transitions, and input events triggering the transitions. Translating the NASA requirements documents to SCR required less than one week. In the process—and without the use of any tools—we found two serious defects in the NASA documents, both validated as actual defects by NASA. 4. Concluding Remarks This chapter has presented an excerpt from our new formal requirements model. The purpose of the new model is to define the semantics which underlies the SCR tabular notation and to provide a formal foundation for the the SCR tools. As stated in Section 1, this new requirements model is based on the results of the A-7 project in the late 1970s and research in the mid-1990s by Parnas on the Four Variable Model and by us in our initial formal requirements model and by our subsequent experience applying the SCR requirements method to practical systems. Like us, McMaster University researchers have used tables to specify the required behavior of practical systems, but in different areas, such as program documentation and generation of test oracles from program documentation [37]. In our research, tables and their semantics are just one part of the overall problem. Equally important for us is the composition of the functions defined by the tables to compute the next-state function of the underlying state machine. The model presented in this paper describes the untimed behavior of a computer system. Further, it describes system behavior, not software behavior. We are currently extending the model presented in Section 2 in three major ways. First, we are developing a timed version of the model that represents time as a monitored quantity and allows time-dependent descriptions of the monitored and controlled quantities. Adding time to the model allows us to describe how monitored variables change with respect to time; to describe time-driven events, e.g., time-outs, that may cause a mode change or a change in value of a controlled quantity; and to associate each controlled variable with a schedule specifying when the controlled variable’s value must change. Second, we are extending the model to represent both the required system and the required software behavior. Once I/O devices have been selected to sample the monitored quantities and to compute the controlled quantities, the system software can be partitioned into three components: an Input Driver, which transforms input data read by the input devices into estimates of monitored quantity values; an Output Driver, which uses the output data items to update controlled quantity values; and a Device-Independent component, which transforms the estimates of the monitored quantities into estimates of the controlled quantities using the next-state function defined in Section 2.8. Our new formal requirements model can be easily generalized to represent each of these components. For an overview of our approach to defining both the required system and software behavior, see [22].

58

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

An objective of the third extension of the model is to help manage the complexity of practical systems. To do so, we specify the required system behavior in two phases. In the first phase, the required normal (also called nominal) system behavior is specified. A critical assumption during this initial phase is that no faults occur. During the second phase, the no-faults assumption is lifted, and, for each fault that may occur, the system’s required fault handling behavior—often called the system’s FDIR (Fault Detection, Isolation, and Recovery) behavior—is specified. A formal model based on this incremental approach to formally defining the required behavior of a large complex system is presented in [29]. To date, our requirements model has provided a solid foundation for a suite of analysis tools which can detect many errors in the requirements specification automatically and which can allow humans to verify, using push-button methods (such as model checking) or interactive theorem proving to verify that the specification satisfies important system properties, such as well-formedness properties, safety properties, and security properties. These tools are designed to make the cause of detected errors understandable, thereby facilitating error correction. Such an approach should lead to the production of high quality requirements specifications, which should in turn produce systems that are more likely to perform as required and less likely to lead to accidents. Such high-quality specifications should also lead to significant reductions in software development costs. Acknowledgments The Office of Naval Research supported this research. We gratefully acknowledge Ralph Jeffords who contributed major ideas to the new formal SCR requirements model. References [1] [2] [3] [4]

[5] [6] [7] [8] [9] [10] [11] [12] [13]

R. Abraham. Evaluating generalized tabular expressions in software documentation. Master’s thesis, McMaster Univ., Hamilton, Ontario, Canada, Feb. 1997. (CRL Report 346). T. A. Alspaugh, S. R. Faulk, K. H. Britton, R. A. Parker, D. L. Parnas, and J. E. Shore. Software requirements for the A-7E aircraft. Technical Report NRL-9194, NRL, Wash., DC, 1992. M. Archer and C. Heitmeyer. Human-style theorem proving using PVS. In Proc., Theorem Proving in Higher Order Logics: 10th Internat. Conf., TPHOLs, pages 33–48, Murray Hill, NJ, 1997. Springer. M. Archer, C. Heitmeyer, and S. Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers, Eindhoven, Netherlands, July 1998. Eindhoven University of Technology. Eindhoven University Technical Report. G. Berry and G. Gonthier. The Esterel synchronous programming language: Design, semantics, implementation. Science of Computer Programming, 19, 1992. R. Bharadwaj and C. Heitmeyer. Model checking complete requirements specifications using abstraction. Automated Software Engineering Journal, 6(1), Jan. 1999. R. Bharadwaj and S. Sims. Salsa: Combining constraint solvers with BDDs for automatic invariant checking. In Proc. Tools and Algorithms for Construction and Analysis of Systems (TACAS 2000), 2000. D. Craigen et al. An international survey of industrial applications of formal methods. Technical Report NRL-9581, Naval Research Lab., Wash., DC, 1993. S. Easterbrook and J. Callahan. Formal methods for verification and validation of partial specifications: A case study. Journal of Systems and Software, 1997. S. R. Faulk. State Determination in Hard-Embedded Systems. PhD thesis, Univ. of NC, Chapel Hill, NC, 1989. S. R. Faulk, L. Finneran, J. Kirby, Jr., S. Shah, and J. Sutton. Experience applying the CoRE method to the Lockheed C-130J. In Proc. 9th Annual Conf. on Computer Assurance (COMPASS ’94), 1994. A. Gargantini and C. Heitmeyer. Automatic generation of tests from requirements specifications. In Proc. ACM 7th ACM SIGSOFT Symp. on Foundations of Software Eng. (ESEC/FSE99), 1999. C. Heitmeyer, M. Archer, R. Bharadwaj, and R. Jeffords. Tools for constructing requirements specifications: The SCR toolset at the age of ten. Computer Systems: Science and Engineering, 20(1), 2005.

C.L. Heitmeyer et al. / Computing the Next-State Function of a Requirements Model

[14] [15] [16] [17] [18] [19] [20] [21] [22]

[23] [24] [25] [26] [27] [28] [29]

[30] [31]

[32] [33] [34] [35] [36] [37] [38]

[39]

59

C. Heitmeyer, M. Archer, E. Leonard, and J. McLean. Applying formal methods to a certifiably secure software system. IEEE Trans. Software Engineering, 34(1):82–98, 2008. C. Heitmeyer and R. Jeffords. Applying a formal requirements method to three NASA systems: Lessons learned. In Proc. 2007 IEEE Aerospace Conf., 2007. C. Heitmeyer, R. Jeffords, and B. Labaw. Automated consistency checking of requirements specifications. ACM Transactions on Software Engineering and Methodology, 5(3):231–261, April–June 1996. C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11), Nov. 1998. C. Heitmeyer and E. Leonard. Obtaining trust in autonomous systems: Tools for formal model synthesis and validation. In FormaliSE (ICSE 2015), Florence, Italy, 2015. C. Heitmeyer, E. Leonard, and M. Archer. A formal model for the SCR requirements method and notation. Technical report, Naval Research Lab, Wash., DC, 2017. To be published. C. Heitmeyer, M. Pickett, E. I. Leonard, M. Archer, and others. Building high assurance human-centric decision systems. Automated Software Engineering, 22(2), Feb. 2015. C. L. Heitmeyer and J. McLean. Abstract requirements specifications: A new approach and its application. IEEE Trans. Softw. Eng., SE-9(5):580–589, Sept. 1983. C. L. Heitmeyer, S. Shukla, M. M. Archer, and E. I. Leonard. On model-based software development. In J. Munch and K. Schmid, editors, Perspectives on the Future of Software Engineering, pages 49–60. Springer, Berlin, Germany, 2013. K. Heninger, D. L. Parnas, J. E. Shore, and J. W. Kallander. Software requirements for the A-7E aircraft. Technical Report 3876, Naval Research Lab., Wash., DC, 1978. K. L. Heninger. Specifying software requirements for complex systems: New techniques and their application. IEEE Trans. Softw. Eng., SE-6(1):2–13, Jan. 1980. S. D. Hester, D. L. Parnas, and D. F. Utter. Using documentation as a software design medium. Bell System Tech. J., 60(8):1941–1977, Oct. 1981. G. J. Holzmann. The model checker SPIN. IEEE Trans. on Software Eng., 23(5), 1997. R. Jeffords and C. Heitmeyer. Automatic generation of state invariants from requirements specifications. In Proc. ACM SIGSOFT Sixth Int’l Symp. on Foundations of Softw. Eng. (FSE-6), 1998. R. D. Jeffords and C. L. Heitmeyer. An algorithm for strengthening state invariants generated from requirements specifications. In Proc. of the Fifth IEEE Internat. Symp. on Requirements Eng., 2001. R. D. Jeffords, C. L. Heitmeyer, M. Archer, and E. I. Leonard. Model-based construction and verification of critical systems using composition and partial refinement. Formal Methods in System Design, 37(2):265–294, 2010. E. Leonard, M. Archer, C. Heitmeyer, and R. Jeffords. Direct generation of invariants for reactive models. In 10th ACM Conf. on Formal Methods and Models for System Design (MEMOCODE), 2012. E. Leonard, C. Heitmeyer, and V. Chen. Integrating a formal requirements modeling simulator and an autonomy software simulator to validate the behavior of unmanned vehicles. In Spring Simulation Multi-Conference (SpringSim’15), 2015. E. I. Leonard and C.Heitmeyer. Program synthesis from formal requirements specifications using APTS. Higher-Order and Symbolic Computation, 16(1-2), 2003. S. Meyers and S. White. Software requirements methodology and tool study for A6-E technology transfer. Technical report, Grumman Aerospace Corp., Bethpage, NY, July 1983. S. Miller. Specifying the mode logic of a flight guidance system in CoRE and SCR. In Proc. 2nd ACM Workshop on Formal Methods in Software Practice (FMSP’98), 1998. D. L. Parnas, G. Asmis, and J. Madey. Assessment of safety-critical software in nuclear power plants. Nuclear Safety, 32(2):189–198, April–June 1991. D. L. Parnas and J. Madey. Functional documentation for computer systems. Science of Computer Programming, 25(1):41–61, Oct. 1995. D. K. Peters and D. L. Parnas. Using test oracles generated from program documentation. IEEE Trans. Softw. Eng., 24(3):161–173, Mar. 1998. T. Rothamel, C. Heitmeyer, E. Leonard, and Y. A. Liu. Generating optimized code from SCR specifications. In ACM Conf. on Languages, Compilers, and Tools for Embedded Systems (LCTES 2006), 2006. J. M. Voas and K. Schaffer. Insights on formal methods in cybersecurity. IEEE Computer, 49(5), 2016.

The author(s) of this publication is/are solely responsible for its content. This publication does not reflect the opinion of the publisher. The publisher cannot be held liable for any loss or damage that may occur because of this publication.

60

Dependable Software Systems Engineering A. Pretschner et al. (Eds.) IOS Press, 2017 © 2017 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-810-5-60

From Timed Automata to Stochastic Hybrid Games Model Checking, Synthesis, Performance Analysis and Machine Learning Kim G. Larsen a,c,1 , Uli Fahrenberg b , Axel Legay c a Department of Computer Science, Aalborg University, Denmark b LIX, Ecole Polytechnique, University Paris-Saclay, France c Irisa / INRIA Rennes, France Abstract. This article aims at providing a concise and precise Travellers Guide, Phrase Book or Reference Manual to the timed automata modeling formalism introduced by Alur and Dill [8,9]. The paper gives comprehensive definitions of timed automata, priced (or weighted) timed automata, and timed games and highlights a number of results on associated decision problems related to model checking, equivalence checking, optimal scheduling, the existence of winning strategies. Also the article provides the stochastic semantic extension of timed automata and timed games enabling statistical model checking as well as optimal synthesis using reinforcement learning. Keywords. Timed automaton, region, zone, reachability, bisimilarity; priced timed automaton, weighted timed automaton, optimal reachability, optimal infinite run, conditional optimality; timed game, winning strategy; stochastic timed automata, statistical model checking; stochastic timed games, optimal winning strategies.

1. Introduction The model of timed automata, introduced by Alur and Dill [8, 9], has by now established itself as a classical formalism for describing the behaviour of real-time systems. A number of important algorithmic problems has been shown decidable for it, including reachability, model checking and several behavioural equivalences and preorders. By now, real-time model checking tools such as Uppaal [21,82] and Kronos [38] are based on the timed automata formalism and on the substantial body of research on this model that has been targeted towards transforming the early 1 Corresponding Author: Kim G. Larsen, Department of Computer Science, Aalborg University, Selma Lagerlöfs Vej 300, 9220 Aalborg Øst, Denmark. E-mail: e-mail: [email protected]

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

61

results into practically efficient algorithms — e.g. [16, 17, 23, 25] — and data structures — e.g. [24, 78, 81]. The maturity of a tool like Uppaal is witnessed by the numerous applications — e.g. [47, 58, 67, 71, 76, 80, 85, 87] — to the verification of industrial case-studies spanning real-time controllers and real-time communication protocols. More recently, model-checking tools in general and Uppaal in particular have been applied to solve realistic scheduling problems by a reformulation as reachability problems — e.g. [1, 64, 70, 88]. Aiming at providing methods for performance analysis, a recent extension of timed automata is that of priced or weighted timed automata [10,22], which makes it possible to formulate and solve optimal scheduling problems. Surprisingly, a number of properties have been shown to be decidable for this formalism [10, 22, 35,59,83]. The recently developed Uppaal-Cora tool provides an efficient tool for solving cost-optimal reachability problems [77] and has been applied successfully to a number of optimal scheduling problems, e.g. [18, 26, 66]. Most recently, substantial efforts have been made on the automatic synthesis of (correct-by-construction) controllers from timed games for given control objectives. From early decidability results [13,90] the effort has lead to efficient on-thefly algorithms [42,100] with the newest of the Uppaal toolset, Uppaal-Tiga [19], Uppaal-SMC [53, 55] and Uppaal Stratego [49, 50] providing efficient tool implementations with several industrial applications e.g. [73, 79, 102]. This survey paper aims at providing a concise and precise Travellers Guide, Phrase Book or Reference Manual to the land and language of timed automata. The article gives comprehensive definitions of timed automata, weighted timed automata, and timed games and highlights a number of results on associated decision problems related to model checking, equivalence checking, optimal scheduling, the existence of winning strategies, and statistical model checking. The intention is that the paper should provide an easy-to-access collection of important results and overview of the field to anyone interested. The authors would like to thank the students of the Marktoberdorf and Quantitative Model Checking PhD schools for their useful comments and help in weeding out a number of errors in the first two editions of this survey [61, 63], as well as an anonymous reviewer who provided many useful remarks for the invited paper [62] at FSEN 2009. 2. Timed automata In this section we review the notion of timed automata introduced by Alur and Dill [8, 9] as a formalism for describing the behaviour of real-time systems. We review the syntax and semantics and highlight the, by now classical, region construction underlying the decidability of several associated problems. Here we illustrate how regions are applied in showing decidability of reachability and timed and untimed (bi)similarity. However, the notion of region does not provide the means for efficient tool implementations. The verification engine of Uppaal instead applies so-called zones, which are convex unions of regions. We give a brief account of zones as well as their efficient representation and manipulation using difference-bound matrices.

62

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

2.1. Syntax and semantics Definition 2.1. The set Φ(C) of clock constraints ϕ over a finite set (of clocks) C is defined by the grammar ϕ ::= x  k | ϕ1 ∧ ϕ2

(x ∈ C, k ∈ Z,  ∈ {≤, }).

The set Φ+ (C) of extended clock constraints ϕ is defined by the grammar ϕ ::= x  k | x − y  k | ϕ1 ∧ ϕ2

(x, y ∈ C, k ∈ Z,  ∈ {≤, }).

Remark 2.2. The clock constraints in Φ(C) above are also called diagonal-free clock constraints, and the additional ones in Φ+ (C) are called diagonal. We restrict ourselves to diagonal-free clock constraints here; see Remark 2.44 for one reason. For additional modelling power, timed automata with diagonal constraints can be used, as it is shown in [9,30] that any such automaton can be converted to a diagonal-free one; however the conversion may lead to an exponential blow-up. Definition 2.3. A timed automaton is a tuple (L, 0 , F, C, Σ, I, E) consisting of a finite set L of locations, an initial location 0 ∈ L, a set F ⊆ L of final locations, a finite set C of clocks, a finite set Σ of actions, a location invariants mapping I : L → Φ(C), and a set E ⊆ L × Φ(C) × Σ × 2C × L of edges. Here 2C denotes the set of subsets (i.e. the power set) of C. We shall write  −−−→  for an edge (, ϕ, a, r,  ) ∈ E. In figures, resets are written as assignment to zero, e.g. x := 0. ϕ,a,r

Example 2.1. Figure 1 provides a timed automaton model of an intelligent light switch. Starting in the “Off” state, a press of the button turns the light on, and it remains in this state for 100 time units (i.e. until clock x = 100), at which time the light turns off again. During this time, an additional press resets the clock x and prolongs the time in the state by 100 time units. Pressing the button twice, with at most three time units between the presses, triggers a special bright light. Definition 2.4. A clock valuation on a finite set C of clocks is a mapping v : C → R≥0 . The initial valuation v0 is given by v0 (x) = 0 for all x ∈ C. For a valuation v, d ∈ R≥0 , and r ⊆ C, the valuations v + d and v[r] are defined by (v + d)(x) = v(x) + d  0 for x ∈ r, v[r](x) = v(x) for x ∈ / r. Extending the notation for power set introduced above, we will in general write B A for the set of mappings from a set A to a set B. The set of clock valuations on C is thus RC ≥0 .

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

63

press? Bright x ≤ 100

x := 0

x = 100 x := 0 x := 0 Off

press? x := 0

x := 0 x = 100

Light x ≤ 100

x≤3 press? press? x>3 x := 0

Figure 1.: A light switch modelled as a timed automaton. Definition 2.5. The zone of an extended clock constraint in Φ+ (C) is a set of clock valuations C → ≥0 given inductively by

R

R≥0 | v(x)  k}, x − y  k = {v : C → R≥0 | v(x) − v(y)  k}, and x  k = {v : C →

ϕ1 ∧ ϕ2  = ϕ1  ∩ ϕ2 . We shall write v |= ϕ instead of v ∈ ϕ. Definition 2.6. The semantics of a timed automaton A = (L, 0 , F, C, Σ, I, E) is the transition system A = (S, s0 , Σ ∪ ≥0 , T = Ts ∪ Td ) given as follows:

R



s0 = (0 , v0 ) S = (, v) ∈ L × C ≥0 v |= I()

ϕ,a,r a → ( , v  ) ∃ −−−→  ∈ E : v |= ϕ, v  = v[r] Ts = (, v) −

d Td = (, v) − → (, v + d) ∀d ∈ [0, d] : v + d |= I()

R

Remark 2.7. The transition system A from above is an example of what is known as a timed transition system, i.e. a transition system where the label set includes ≥0 as a subset and which satisfies certain additivity and time determinacy properties. We refer to [2] for a more in-depth treatment. Also note that the semantics A contains no information about final states (derived from the final locations in F ); this is mostly for notational convenience.

R

64

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

x := 0

y := 0 a

0

b x≤2

y≤2

c x≥4∧y ≤2

1 Figure 2.: A timed automaton with two clocks. Definition 2.8. A (finite) run of a timed automaton A = (L, 0 , F, C, Σ, I, E) is a finite path ρ = (0 , v0 ) → · · · → (k , vk ) in A. It is said to be accepting if k ∈ F . Example 2.1 (continued). The light switch model from figure 1 has as state set S = {Off} ×

R≥0 ∪ {Light, Bright} × [0, 100]

where we identify valuations with their values at x. A few example runs are given below; we abbreviate “press?” to “p”: p

150

100

(Off, 0) −−→ (Off, 150) − → (Light, 0) −−→ (Light, 100) − → (Off, 0) p

10

p

1

p

100

→ (Light, 0) −→ (Light, 10) − → (Light, 0) −−→ (Light, 100) − → (Off, 0) (Off, 0) − p

100

→ (Light, 0) − → (Light, 1) − → (Bright, 0) −−→ (Bright, 100) − → (Off, 0) (Off, 0) − 2.2. Reachability We are concerned with the following problem: Given a timed automaton A = (L, 0 , F, C, Σ, I, E), is any of the locations in F reachable? We shall later define the timed language generated by a timed automaton and see that this reachability problem is equivalent to emptiness checking: Is the timed language generated by A non-empty? Example 2.2 (cf. [2, Ex. 11.7]). Figure 2 shows a timed automaton A with two clocks and a final location 1 . To ask whether 1 is reachable amounts for this automaton to the question whether there is a finite sequence of a- and b-transitions from 0 which brings clock values into accordance with the guard x ≥ 4 ∧ y ≤ 2 on the edge leading to 1 . An immediate obstacle to reachability checking is the infinity of the state space of A. In general, the transition system A has uncountably many states, hence straight-forward reachability algorithms do not work for us.

65

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

Notation 2.9. The derived transition relations in a timed automaton A = (L, 0 , F, C, Σ, I, E) are defined as follows: For (, v), ( , v  ) states in A, we say that δ

d

→ ( , v  ) if (, v) − → ( , v  ) in A for some d > 0, • (, v) − α a   • (, v) − → ( , v ) if (, v) − → ( , v  ) in A for some a ∈ Σ, and δ

α

• (, v)  ( , v  ) if (, v) (− →∪− →)∗ ( , v  ). Definition 2.10. The set of reachable locations in a timed automaton A = (L, 0 , F, C, Σ, I, E) is

Reach(A) =  ∈ L ∃v : C →

R≥0 : (0 , v0 )  (, v) .

Hence we can now state the reachability problem as follows: Problem 2.1 (Reachability). Given a timed automaton A = (L, 0 , F, C, Σ, I, E), is Reach(A) ∩ F = ∅ ? Definition 2.11. Let A = (L, 0 , F, C, Σ, I, E) be a timed automaton. A relation C R ⊆ L× C ≥0 × L × ≥0 is a time-abstracted simulation provided that for all (1 , v1 ) R (2 , v2 ),

R

R δ

→ (1 , v1 ) there exists some (2 , v2 ) such that (1 , v1 ) R • for all (1 , v1 ) − δ

(2 , v2 ) and (2 , v2 ) − → (2 , v2 ), and a • for all a ∈ Σ and (1 , v1 ) − → (1 , v1 ), there exists some (2 , v2 ) such that a     (1 , v1 ) R (2 , v2 ) and (2 , v2 ) − → (2 , v2 ).

R is said to be F -sensitive if additionally, (1 , v1 ) R (2 , v2 ) implies that 1 ∈ F if and only if 2 ∈ F . A time-abstracted bisimulation is a time-abstracted simulation which is also symmetric; we write (1 , v1 ) ≈ (2 , v2 ) whenever (1 , v1 ) R (2 , v2 ) for a time-abstracted bisimulation R. Note that ≈ is itself a time-abstracted bisimulation, which is easily shown to be an equivalence relation and hence symmetric, reflexive and transitive. Observe also that a time-abstracted (bi)simulation on A is the same as a standard δ

→ and (bi)simulation on the transition system derived from A with transitions − a − →. Likewise, the quotient introduced below is just the standard bisimulation quotient of this derived transition system. Definition 2.12. Let A = (L, 0 , F, C, Σ, I, E) be a timed automaton and R ⊆ C L× C ≥0 × L × ≥0 a time-abstracted bisimulation which is also an equivalence. The quotient of A = (S, s0 , Σ ∪ ≥0 , T ) with respect to R is the transition system AR = (SR , s0R , Σ ∪ {δ}, TR ) given by SR = S/R, s0R = [s0 ]R , and with transitions

R

R

δ

R

δ

→ π  whenever (, v) − → ( , v  ) for some (, v) ∈ π, ( , v  ) ∈ π  , and • π− a a  • π− → π whenever (, v) − → ( , v  ) for some (, v) ∈ π, ( , v  ) ∈ π  . The following proposition expresses that F -sensitive quotients are sound and complete with respect to reachability.

66

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

y

y {b}



2

2 {a, b}

{a} 2

{a, c} 4

x

2

4

x

Figure 3.: Time-abstracted bisimulation classes for the two-clock timed automaton from Example 2.2. Left: equivalence classes for switch transitions only; right: equivalence classes for switch and delay transitions.

Proposition 2.13 ([5]). Let A = (L, 0 , F, C, Σ, I, E) be a timed automaton, R ⊆ C L× C ≥0 × L × ≥0 an F -sensitive time-abstracted bisimulation and  ∈ F . Then  ∈ Reach(A) if and only if there is a reachable state π in AR and v : C → ≥0 such that (, v) ∈ π.

R

R

R

Example 2.2 (continued). We shall now try to construct, in a naïve way, a timeabstracted bisimulation R for the timed automaton A from Figure 2 which is as coarse as possible. Note first that we cannot have (0 , v) R (1 , v  ) for any / F . On the other hand it is easy to v, v  : C → ≥0 because 1 ∈ F and 0 ∈  see that we can let (1 , v) R (1 , v ) for all v, v  : C → ≥0 , which leaves us with constructing R on the states involving 0 . α → first: If v, v  : C → ≥0 are such that We handle switch transitions −  v(y) ≤ 2 and v (y) > 2, the state (0 , v) has an a-transition available while the state (0 , v  ) has not, hence these cannot be related in R. Similarly we have to distinguish states (0 , v) from states (0 , v  ) where v(x) ≤ 2 and v  (x) > 2 because of b-transitions, and states (0 , v) from states (0 , v  ) where v(x) < 4 and v  (x) ≥ 4 because of c-transitions. Altogether this gives the five classes depicted to the left of Figure 3, where the shading indicates to which class the boundary belongs, and we have written the set of available actions in the classes. δ → into account, one has to partition the When also taking delay transitions − state space further: From a valuation v in the class marked {a, b} in the left of the figure, a valuation in the class marked {a} can only be reached by a delay transition if v(y) < v(x); likewise, from the {a} class, the {a, c} class can only be reached if v(y) ≤ v(x) − 2. Hence these two classes need to be partitioned as shown to the right of Figure 3. It can easily be shown that no further partitioning is needed, thus we have defined the coarsest time-abstracted bisimulation relation for A, altogether with eight equivalence classes.

R

R

R

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

67

2.3. Regions Motivated by the construction in the example above, we now introduce a timeabstracted bisimulation with a finite quotient. To ensure finiteness, we need the maximal constants to which respective clocks are compared in the invariants and guards of a given timed automaton. These may be defined as follows. Definition 2.14. For a finite set C of clocks, the maximal constant mapping cmax : C → ZΦ(C) is defined inductively as follows:  k if y = x cmax (x)(y  k) = 0 if y = x

cmax (x)(ϕ1 ∧ ϕ2 ) = max c(x)(ϕ1 ), c(x)(ϕ2 ) For a timed automaton A = (L, 0 , F, C, Σ, I, E), the maximal constant mapping is cA : C → Z defined by

ϕ,a,r cA (x) = max cmax (x)(I()), cmax (x)(ϕ)  ∈ L,  −−−→  ∈ E . Notation 2.15. For d ∈ R≥0 we write d and d for the integral, respectively fractional, part of d, so that d = d + d. Definition 2.16. For a timed automaton A = (L, 0 , F, C, Σ, I, E), valuations v, v  : C → R≥0 are said to be region equivalent, denoted v ∼ = v  , if • v(x) = v  (x) or v(x), v  (x) > cA (x), for all x ∈ C, and • v(x) = 0 iff v  (x) = 0, for all x ∈ C, and • v(x) ≤ v(y) iff v  (x) ≤ v  (y) for all x, y ∈ C. Proposition 2.17 ([5]). For a timed automaton A = (L, 0 , F, C, Σ, I, E), the equivalence relation ∼ = defined on states of A by (, v) ∼ = ( , v  ) if  =  and  ∼ v = v is an F -sensitive time-abstracted bisimulation. The quotient A∼ = is finite. The equivalence classes of valuations of A with respect to ∼ = are called regions, and the quotient A∼ is called the region automaton associated with A. = Proposition 2.18 ([9]). The number of regions for a timed automaton A with a set C of n clocks is bounded above by  n! · 2n · (2cA (x) + 2). x∈C

Example 2.2 (continued). The 69 regions of the timed automaton A from Figure 2 are depicted in Figure 4. Propositions 2.13 and 2.17 together now give the decidability part of the theorem below; for PSPACE-completeness see [7, 45]. Theorem 2.19. The reachability problem for timed automata is PSPACE-complete.

68

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

y

2

2

4

x

Figure 4.: Clock regions for the timed automaton from Example 2.2. 2.4. Behavioural refinement relations We have already introduced time-abstracted simulations and bisimulations in Definition 2.11. As a corollary of Proposition 2.17, these are decidable: Theorem 2.20. Time-abstracted simulation and bisimulation are decidable for timed automata. Proof: One only needs to see that time-abstracted (bi)simulation in the timed automaton is the same as ordinary (bi)simulation in the associated region automaton; indeed, any state in A is untimed bisimilar to its image in A∼ = . The result follows by finiteness of the region automaton.  The following provides a time-sensitive variant of (bi)simulation. Definition 2.21. Let A = (L, 0 , F, C, Σ, I, E) be a timed automaton. A relation C R ⊆ L× C ≥0 × L × ≥0 is a timed simulation provided that for all (1 , v1 ) R (2 , v2 ),

R

R d

→ (1 , v1 ), d ∈ • for all (1 , v1 ) −

d

R≥0 , there exists some (2 , v2 ) such that

→ (2 , v2 ), and (1 , v1 ) R (2 , v2 ) and (2 , v2 ) − a   • for all (1 , v1 ) − → (1 , v1 ), a ∈ Σ, there exists some (2 , v2 ) such that a     (1 , v1 ) R (2 , v2 ) and (2 , v2 ) − → (2 , v2 ). A timed bisimulation is a timed simulation which is also symmetric, and two states (1 , v1 ), (2 , v2 ) ∈ A are said to be timed bisimilar, written (1 , v1 ) ∼ (2 , v2 ), if there exists a timed bisimulation R for which (1 , v1 ) R (2 , v2 ). Note that ∼ is itself a timed bisimulation on A, which is easily shown to be an equivalence relation and hence transitive, reflexive and symmetric. A A A A A Definition 2.22. Two timed automata A = (LA , A 0 , F , C , Σ , I , E ) and B = B B B B B B B (L , 0 , F , C , Σ , I , E ) are said to be timed bisimilar, denoted A ∼ B, if B (A 0 , v0 ) ∼ (0 , v0 ) in the disjoint-union transition system A B.

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

69

Timed simulation of timed automata can be analogously defined. The following decidability result was established for parallel timed processes in [44]; below we give a version of the proof which has been adapted for timed automata. Theorem 2.23. Timed similarity and bisimilarity are decidable for timed automata. Before the proof, we need a few auxiliary definitions and lemmas. The first is a product of timed transition systems which synchronizes on time, but not on actions: Definition 2.24. The independent product of the timed transition systems A = A A B B B B (S A , sA ≥0 , T ), B = (S , s0 , Σ ∪ ≥0 , T ) associated with timed 0 ,Σ ∪ A B automata A, B is A × B = (S, s0 , Σ ∪ Σ ∪ ≥0 , T ) given by

R

R R

B S = SA × SB s0 = (sA 0 , s0 )

a a T = (p, q) − → (p , q) a ∈ Σ, p − → p ∈ T A

b b → (p, q  ) b ∈ Σ, q − → q ∈ T B ∪ (p, q) −

d d d ∪ (p, q) − → (p , q  ) d ∈ ≥0 , p − → p ∈ T A , q − → q ∈ T B

R

We need to extend region equivalence ∼ = to the independent product. Below, ⊕ denotes vector concatenation (direct sum); note that (p1 , q1 ) ∼ = (p2 , q2 ) is not the same as p1 ∼ = p2 and q1 ∼ = q2 , as fractional orderings xA   xB , for xA ∈ C A , xB ∈ C B , have to be accounted for in the former, but not in the latter. Hence (p1 , q1 ) ∼ = (p2 , q2 ) implies p1 ∼ = p2 and q1 ∼ = q2 , but not vice-versa. Definition 2.25. For states pi = (pi , v pi ) in A and qi = (qi , v qi ) in B for i = 1, 2, we say that (p1 , q1 ) ∼ = (p2 , q2 ) iff p1 = p2 ∧ q1 = q2 and v p1 ⊕ v q1 ∼ = p2 q2 v ⊕v .

Note that the number of states in A×B ∼ is finite, with an upper bound =

: given by Proposition 2.18. Next we define transitions in A × B ∼ =



will be denoted X, X  . The equivalence Notation 2.26. Regions in A × B ∼ = class of a pair (p, q) ∈ A × B is denoted [p, q].

Definition 2.27. For X, X  ∈ A × B ∼ we say that = a

• X− → X  for a ∈ Σ if for all (p, q) ∈ X there exists (p , q) ∈ X  such that a (p, q) − → (p , q) in A × B, b

→r X  for b ∈ Σ if for all (p, q) ∈ X there exists (p, q  ) ∈ X  such that • X− b

→ (p, q  ) in A × B, and (p, q) − δ

• X − → X  if for all (p, q) ∈ X there exists d ∈ d

→ (p , q  ). that (p, q) −

R≥0 and (p , q ) ∈ X  such

70

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games



Definition 2.28. A subset B ⊆ A × B ∼ is a symbolic bisimulation provided = that for all X ∈ B,

a a → X  for some X  ∈ A × B ∼ , then X  − →r X  for some • whenever X − = X  ∈ B,

a a →r X  for some X  ∈ A × B ∼ , then X  − → X  for some • whenever X − = X  ∈ B, and

δ • whenever X − → X  for some X  ∈ A × B ∼ , then X  ∈ B. =



admits a symbolic bisimulaNote that it is decidable whether A × B ∼ = tion. The following proposition finishes the proof of Theorem 2.23.

admits a symbolic bisimulation if Proposition 2.29. The quotient A × B ∼ = and only if A ∼ B.

, the set Proof (cf. [44]): For a given symbolic bisimulation B ⊆ A × B ∼ =

RB = (p, q) [p, q] ∈ B ⊆ A × B is a timed bisimulation. For the other direction, one can construct bisimulation from a timed bisimulation

a symbolic  R ⊆ A × B by BR = [p, q] (p, q) ∈ R . 2.5. Language inclusion and equivalence Similarly to the untimed setting, there is also a notion of language inclusion and equivalence for timed automata. We need to introduce the notion of timed trace first. Note that we restrict to finite timed traces here; similar results are available for infinite traces in timed automata with Büchi or Muller acceptance conditions, see [9]. Definition 2.30. A timed trace over a finite set of actions Σ is a finite sequence ((t1 , a1 ), (t2 , a2 ), . . . , (tk , ak )), where ai ∈ Σ and ti ∈ ≥0 for i = 1, . . . , k, and ti < ti+1 for i = 1, . . . , k − 1. The set of all timed traces over Σ is denoted T Σ∗ .

R

In a pair (ti , ai ), the number ti is called the time stamp of the action ai , i.e. the time at which event ai occurs. Remark 2.31. Timed traces as defined above are also known as strongly monotonic timed traces, because of the assumption that no consecutive events occur at the same time. Weakly monotonic timed traces, i.e. with requirement ti ≤ ti+1 instead of ti < ti+1 , have also been considered, and there are some subtle differences between the two; see [93] for an important example. Definition 2.32. A timed trace ((t1 , a1 ), . . . , (tk , ak )) is accepted by a timed automaton A = (L, 0 , F, C, Σ, I, E) if there is an accepting run t

a

t −t

1 1 2 1 (0 , v0 ) −→ (0 , v0 + t1 ) −→ (1 , v1 ) −− −→ ···

ak−1

tk −tk−1

a

k (k , vk ) · · · −−−→ (k−1 , vk−1 ) −−−−−→ (k−1 , vk−1 + tk − tk−1 ) −→

in A. The timed language of A is L(A) = {τ ∈ T Σ∗ | τ accepted by A}.

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

71

It is clear that L(A) = ∅ if and only if none of the locations in F is reachable, hence Theorem 2.19 provides us with the decidability result in the following theorem. Undecidability of universality was established in [9]; we give an account of the proof below. Theorem 2.33. For a timed automaton A = (L, 0 , F, C, Σ, I, E), deciding whether L(A) = ∅ is PSPACE-complete. It is undecidable whether L(A) = T Σ∗ . Proof: We show that the universality problem for a timed automata is undecidable by reduction from the Σ11 -hard problem of deciding whether a given 2-counter machine M has a recurring computation. Let the timed language Lu be the set of timed traces encoding recurring computations of M . Observe that Lu = ∅ if and only if M does not have such a computation. We then construct a timed automaton Au which accepts the complement of Lu , i.e. L(Au ) = T Σ∗ \ Lu . Hence the language of Au is universal if and only if M does not have a recurring computation. Recall that a 2-counter, or Minsky, machine M is a finite sequence of labeled instructions {I0 , · · · , In } and counters x1 and x2 , with Ii for 0 ≤ i ≤ n − 1 on the form  if xc = 0 then goto Ij Ii : xc := xc + 1; goto Ij or Ii : else xc = xc -1; goto Ik for c ∈ 1, 2, with a special In : Halt instruction which stops the computation. The language Lu is designed such that each Ii and the counters x1 and x2 are represented by actions in Σ. A correctly encoded computation is represented by a timed trace where “instruction actions” occur at discrete intervals, while the state (values of x1 and x2 ) is encoded by occurrences of “counter actions” in-between instruction actions (e.g. if xi = 5 after instruction Ij , then action xi occurs 5 times within the succeeding interval of length 1). When counters are incremented (or decremented), one more (or less) such action occurs through the next interval, and increments and decrements are always from the right. Additionally we require corresponding counter actions to occur exactly with a time difference of 1, such that if xi occurs with time stamp a then also xi occurs with time stamp a + 1, unless xi is the rightmost xi action and Ii at time stamp a is a decrement of xi . Figure 5 shows a increment of x1 (from 4 to 5) using actions 1 and 2. We obtain Au as a disjunction of timed automata A1 , . . . , Ak where each i A violates some property of a (correctly encoded) timed trace in Lu , either by accepting traces of incorrect format or inaccurate encodings of instructions. Consider the instruction: (p): x1 := x1 +1 goto (q), incrementing x1 and jumping to q. A correct encoding would be similar to the one depicted in Figure 5 where all 1’s and 2’s are matched one time unit later, but with an additional 1 action occurring. In order to accept all traces except this encoding we must consider all possible violations, i.e. • not incrementing the counter (no change), • decrementing the counter,

72

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

1 Ii+1

Ii 1111

2222 1

Ii+2

11111

2222

1 time

Figure 5.: Timed trace encoding a increment instruction Ii+1 of a 2-counter machine. • incrementing the counter more than once, • jumping to the wrong instruction, or • incrementing the wrong counter, and construct a timed automaton having exactly such traces. Figure 6 shows the timed automaton accepting traces in which instruction p yields no change of x1 .  Turning our attention to timed trace inclusion and equivalence, we note the following. Proposition 2.34. Let A and B be timed automata. If A is timed simulated by B, then L(A) ⊆ L(B). If A and B are timed bisimilar, then L(A) = L(B). By a standard argument, Theorem 2.33 implies undecidability of timed trace inclusion and equivalence, a result first shown in [8]. Theorem 2.35. Timed trace inclusion and equivalence are undecidable for timed automata. There is also a notion of untimed traces for timed automata. Definition 2.36. The untiming of a set of timed traces L ⊆ T Σ∗ over a finite set of actions Σ is the set

U L = w = (a1 , . . . , ak ) ∈ Σ∗ ∃t1 , . . . , tk ∈ ≥0 : ((t1 , a1 ), . . . , (tk , ak )) ∈ L .

R

Hence we have a notion of the set U L(A) of untimed language of a timed automaton A. One can also define an untime operation U for timed automata, forgetting about the timing information of a timed automaton and thus converting it to a finite automaton; note however that U L(A)  L(U A) in general. Lemma 2.37 ([9]). For A a timed automaton, U L(A) = L(A∼ = ) provided that δ-transitions in A∼ = are taken as silent. As a corollary, sets of untimed traces accepted by timed automata are regular : Theorem 2.38 ([9]). For a timed automaton A = (L, 0 , F, C, Σ, I, E), the set U L(A) ⊆ Σ∗ is regular. Accordingly, whether U L(A) = ∅ is decidable, and so is whether U L(A) = Σ∗ . Also untimed trace inclusion and equivalence are decidable.

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

Σ

2

1 z := 0

Σ

1

p

73

1 z=1

Σ \ {1}

Figure 6.: Timed automaton which violates the encoding of the increment instruction. 2.6. Zones and difference-bound matrices As shown in the above sections, regions provide a finite and elegant abstraction of the infinite state space of timed automata, enabling us to prove decidability of reachability, timed and untimed bisimilarity, untimed language equivalence and language emptiness. Unfortunately, the number of states obtained from the region partitioning is extremely large. In particular, by Proposition 2.18 the number of regions is exponential in the number of clocks as well as in the maximal constants of the timed automaton. Efforts have been made in developing more efficient representations of the state space [24, 29, 81], using the notion of zones from Definition 2.5 on page 4 as a coarser and more compact representation of the state space. An extended clock constraint over a finite set C may be represented using a directed weighted graph, where the nodes correspond to the elements of C k → xj corresponds to a together with an extra “zero” node x0 , and an edge xi − constraint xi − xj ≤ k (if there is more than one upper bound on xi − xj , k is the minimum of all these constraints’ right-hand sides). The extra clock x0 is fixed at value 0, so that a constraint xi ≤ k can be represented as xi − x0 ≤ k. Lower bounds on xi − xj are represented as (possibly negative) upper bounds on xj − xi , and strict bounds xi − xj < k are represented by adding a flag to the corresponding edge. The weighted graph in turn may be represented by its adjacency matrix, which in this context is known as a difference-bound matrix or DBM. The above technique has been introduced in [56]. Example 2.3. Figure 7 gives an illustration of an extended clock constraint together with its representation as a difference-bound matrix. Note that the clock constraint contains superfluous information. Zone-based reachability analysis of a timed automaton A uses symbolic states of the type (, Z), where  is a location of A and Z is a zone, instead of the region-based symbolic states of Proposition 2.17.

RC≥0 , and r ⊆ C, define • the delay of Z by Z ↑ = {v + d | v ∈ Z, d ∈ R≥0 } and

Definition 2.39. For a finite set C, Z ⊆

• the reset of Z under r by Z[r] = {v[r] | v ∈ Z}.

Lemma 2.40 ([68, 104]). If Z is a zone over C and r ⊆ C, then Z ↑ and Z[r] are also zones over C.

74

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

Z=

-4

⎧ x1 ≤ 3 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ x1 − x2 ≤ 10 ⎪ ⎪ ⎪ ⎪ ⎪ ⎨ x1 − x 2 ≥ 4

x1

3

⎪ x1 − x 3 ≤ 2 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ x3 − x 2 ≤ 2 ⎪ ⎪ ⎪ ⎪ ⎩ x3 ≥ −5

10

x2

2

2 x0

x3 5

Figure 7.: Graph representation of extended clock constraint. Extended clock constraints representing Z ↑ and Z[r] may be computed efficiently (in time cubic in the number of clocks in C) by representing the zone Z in a canonical form obtained by computing the shortest-path closure of the directed graph representation of Z, see [78]. Example 2.3 (continued). Figure 8 shows two canonical representations of the difference-bound matrix for the zone Z of Figure 7. The left part illustrates the shortest-path closure of Z; on the right is the shortest-path reduction [78] of Z, essentially obtained by removing redundant edges from the shortest-path closure. The latter is useful for checking zone inclusion, see below. The zone automaton associated with a timed automaton is similar to the region automaton of Proposition 2.17, but uses zones for symbolic states instead of regions: Definition 2.41. The zone automaton associated with a timed automaton A = (L, 0 , F, C, Σ, I, E) is the transition system AZ = (S, s0 , Σ ∪ {δ}, T ) given as follows:



s0 = 0 , v0  S = (, Z)  ∈ L, Z ⊆ C ≥0 zone

δ T = (, Z)  , Z ↑ ∧ I()

ϕ,a,r a ∪ (, Z)   , (Z ∧ ϕ)[r] ∧ I( )  −−−→  ∈ E

R

The analogue of Proposition 2.13 for zone automata is as follows: Proposition 2.42 ([104]). A state (, v) in a timed automaton A = (L, 0 , F, C, Σ, I, E) is reachable if and only if there is a zone Z ⊆ C ≥0 for which v ∈ Z and such that (, Z) is reachable in AZ .

R

The zone automaton associated with a given timed automaton is infinite and hence unsuitable for reachability analysis. Finiteness can be enforced by employing normalization, using the fact that region equivalence ∼ = has finitely many equivalence classes:

75

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

-4 x1

3 3 x0

-4 x2

4 -2

x1

x2

-1

2

-2 2

7

1 5

x3

3 3

2

2

x0

x3

Figure 8.: Canonical representations. Left: shortest-path closure; right: shortestpath reduction. Definition 2.43. For a timed automaton A and a zone Z ⊆ of Z is the set {v : C → ≥0 | ∃v  ∈ Z : v ∼ = v }

R

RC≥0 , the normalization

The normalized zone automaton is defined in analogy to the zone automaton from above, and Proposition 2.42 also holds for the normalized zone automaton. Hence we can obtain a reachability algorithm by applying any search strategy (depth-first, breadth-first, or another) on the normalized zone automaton. Remark 2.44. For timed automata on extended clock constraints, i.e. with diagonal constraints permitted, it can be shown [28, 33] that normalization as defined above does not give rise to a sound and complete characterization of reachability. Instead, one can apply a refined normalization which depends on the difference constraints used in the timed automaton, see [28]. In addition to the efficient computation of symbolic successor states according to the  relation, termination of reachability analysis requires that we can efficiently recognize whether the search algorithm has encountered a given symbolic state. Here it is crucial that there is an efficient way of deciding inclusion Z1 ⊆ Z2 between zones. Both the shortest-path-closure canonical form as well as the more space-economical shortest-path-reduced canonical form [78], cf. Example 2.3, allow for efficient inclusion checking. In analogy to difference-bound matrices and overcoming some of their problems, the data structure called clock difference diagram has been proposed [81]. However, the design of efficient algorithms for delay and reset operations over that data structure is a challenging open problem; generally, the design of efficient data structures for computations with (unions of) zones is a field of active research, see [3, 12, 92] for some examples.

3. Weighted timed automata The notion of weighted — or priced — timed automata was introduced independently, at the very same conference, by Behrmann et.al. [22] and Alur et.al. [10].

76

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

y≤4 1

a

x := 0 P =1

R=4

x≤2∧y ≥3 2

c

P =4

R=2

x := 0

b

3

y≤4

Figure 9.: A weighted timed automaton with two clocks. In these models both edges and locations can be decorated with weights, or prices, giving the cost of taking an action transition or the cost per time unit of delaying in a given location. The total cost of a trace is then simply the accumulated (or total) weight of its discrete and delay transitions. As a first result, the above two papers independently, and with quite different methods, showed that the problem of cost-optimal reachability is computable for weighted timed automata with non-negative weights. Later, optimal reachability for timed automata with several weight functions was considered in [84] as well as optimal infinite runs in [35, 59]. Definition 3.1. A weighted timed automaton is a tuple A = (L, 0 , F, C, Σ, I, E, R, P ), where (L, 0 , F, C, Σ, I, E) is a timed automaton, R : L → Z a location weight-rate mapping, and P : E → Z an edge weight mapping. The semantics of A is the weighted transition system A = (S, s0 , Σ ∪ R≥0 , T, w), where (S, s0 , Σ ∪ R≥0 , T ) is the semantics of the underlying timed automaton (L, 0 , F, C, Σ, I, E), and the transition weights w : T → R are given as follows:

d → (, v + d) = d R() w (, v) −

ϕ,a,r a → ( , v  ) = P  −−−→  w (, v) −

with v |= ϕ, v  = v[r] e

→ to illustrate We shall denote weighted edges and transitions by symbols − w an edge or a transition labeled e with weight w. 3.1. Optimal reachability The objective of optimal reachability analysis is to find runs to a final location with the lowest total weight as defined below. Example 3.1. Figure 9 shows a simple weighted timed automaton with final location 3 . Below we give a few examples of accepting runs, where we identify valuations v : {x, y} → R≥0 with their values (v(x), v(y)). The total weights of the runs given here are 17 and 11; actually the second run is optimal in the sense of Problem 3.1 below:

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games 3

a

c

12

1

4

77

(1 , 0, 0) −→ (1 , 3, 3) − → (2 , 0, 3) − → (3 , 0, 3) a

3

b

c

1

6

0

4

→ (2 , 0, 0) − → (2 , 3, 3) − → (2 , 0, 3) − → (3 , 0, 3) (1 , 0, 0) − Definition 3.2. The total weight of a finite run ρ = s0 −−→ s1 −−→ · · · −−→ sk in a k w1 w2 wk weighted transition system is w(ρ) = i=1 wk . We are now in a position to state the problem with which we are concerned here: We want to find accepting runs with minimum total weight in a weighted timed automaton A. However due to the possible use of strict clock constraints on edges and in locations of A, the minimum total weight might not be realizable, i.e. there might be no run which achieves it. For this reason, one also needs to consider (infinite) sets of runs and the infimum of their members’ total weights: Problem 3.1 (Optimal

reachability). Given a weighted timed automaton A, com pute W = inf w(ρ) ρ accepting run in A and a set P of accepting runs for which inf ρ∈P w(ρ) = W . The key ingredient in the proof of the following theorem is the introduction of weighted regions in [22]. A weighted region is a region as of Definition 2.16 enriched with an affine cost function describing in a finite manner the cost of reaching any point within it. This notion allows one to define the weighted region automaton associated with a weighted timed automaton, and one can then show that optimal reachability can be computed in the weighted region automaton. PSPACE-hardness in the below theorem follows from PSPACE-hardness of reachability for timed automata. Theorem 3.3 ([22]). The optimal reachability problem for weighted timed automata with non-negative weights is PSPACE-complete. Similar to the notion of regions for timed automata, the number of weighted regions is exponential in the number of clocks as well as in the maximal constants of the timed automaton. Hence a notion of weighted zone — a zone extended with an affine cost function — was introduced [77] together with an efficient, symbolic A∗ -algorithm for searching for cost-optimal tracing using branch-and-bound techniques. In particular, efficient means of generalizing the notion of symbolic successor to incorporate the affine cost functions were given. During the symbolic exploration, several small linear-programming problems in terms of determining the minimal value of the cost function over the given zone have to be dealt with. Given that the constraints of these problems are simple difference constraints, it turns out that substantial gain in performance may be achieved by solving the dual problem of minimum-cost flow [96]. The newly emerged branch Uppaal-Cora provides an efficient tool for cost-optimal reachability analysis, applying the above data structures and algorithms and allowing the user to guide and heuristically prune the search.

78

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

1 R = (1, 4)

a

x≥2∧y ≥1

2 R = (2, 1)

y := 0

x≤2

y := 0

b

x≤3 y≤2

3

Figure 10.: A doubly weighted timed automaton with two clocks. 3.2. Multi-weighted timed automata The below formalism of doubly weighted timed automata is a generalization of weighted timed automata useful for modeling systems with several different resources. Definition 3.4. A doubly weighted timed automaton is a tuple A = (L, 0 , F, C, Σ, I, E, R, P ) where (L, 0 , F, C, Σ, I, E) is a timed automaton, R : L → rate mapping, and P : E → Z2 an edge weight mapping.

Z2 a location weight-

The semantics of a doubly weighted timed automaton is a doubly weighted transition system defined similarly to Definition 3.1, and the total weight of finite runs is defined accordingly as a pair; we shall refer to the total weights as w1 and w2 respectively. These definitions have natural generalizations to multi-weighted timed automata with more than two weight coordinates. The objective of conditional reachability analysis is to find runs to a final location with the lowest total weight in the first weight coordinate while satisfying a constraint on the other weight coordinate. Example 3.2. Figure 10 depicts a simple doubly weighted timed automaton with final location 3 . Under the constraint w2 ≤ 3, the optimal run of the automaton can be seen to be 1/3

5/3

a

b

(1 , 0, 0) −− −→ (1 , 1/3, 1/3) − → (2 , 1/3, 0) −− −−→ (2 , 2, 5/3) − → (3 , 2, 0) 1 4 10 5 (3,3)

with total weight

(

11 3

3

,3)

,3 .

The precise formulation of the conditional optimal reachability problem is as follows, where we again need to refer to (possibly infinite) sets of runs: Problem 3.2 (Conditional optimal reachability). Given a doubly weighted timed automaton A and M ∈ Z, compute W = inf w1 (ρ) ρ accepting run in A, w2 (ρ) ≤ M } and a set P of accepting runs such that w2 (ρ) ≤ M for all ρ ∈ P and inf ρ∈P w(ρ) = W . Theorem 3.5 ([83, 84]). The conditional optimal reachability problem is computable for doubly weighted timed automata with non-negative weights and without weights on edges.

79

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

x=3 H R=2 x≤3

x := 0

d y≥2

x, y := 0

a

x=3 M R=5 x≤3

L R=9

d y≥2

x, y := 0

a

P =2

P =1

Figure 11.: A weighted timed automaton modelling a simple production system. The proof of the above theorem rests on a direct generalization of weighted to doubly-weighted zones. An extension can be found in [84], where it is shown that also the Pareto frontier, i.e. the set of cost vectors which cannot be improved in any cost variable, can be computed. 3.3. Optimal infinite runs In this section we shall be concerned with computing optimal infinite runs in (doubly) weighted timed automata. We shall treat both the limit ratio viewpoint discussed in [35] and the discounting approach of [59, 60]. Example 3.3. Figure 11 shows a simple production system modelled as a weighted timed automaton. The system has three modes of production, High, Medium, and Low. The weights model the cost of production, so that the High production mode has a low cost, which is preferable to the high cost of the Low production mode. After operating in a High or Medium production mode for three time units, production automatically degrades (action d) to a lower mode. When in Medium or Low production mode, the system can be attended to (action a), which advances it to a higher mode. The objective of optimal-ratio analysis is to find an infinite run in a doubly weighted timed automaton which minimizes the ratio between the two total weights. This will be formalized below. w

w

w

z1

z2

zk

1 2 k s1 −−→ · · · −−→ sk in a Definition 3.6. The total ratio of a finite run ρ = s0 −−→

doubly weighted transition system is k wk . Γ(ρ) = i=1 k i=1 zk w

w

z1

z2

1 2 s1 −−→ · · · is The total ratio of an infinite run ρ = s0 −−→

Γ(ρ) = lim inf Γ(s0 → · · · → sk ). k→∞

A special case of optimal-ratio analysis is given by weight-per-time models, where the interest is in minimizing total weight per accumulated time. The example provided in this section is a case of this. In the setting of optimal-ratio analysis, these can be modelled as doubly weighted timed automata with R2 () = 1 and P2 (e) = 0 for all locations  and edges e.

80

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

Example 3.3 (continued). In the timed automaton of Figure 11, the following cyclic behaviour provides an infinite run ρ: 3

3

d

1

d

→ (H, 3, 3) − → (M, 0, 3) − → (M, 3, 6) − → (L, 3, 6) − → (H, 0, 0) − 3

a

a

(L, 4, 7) − → (M, 0, 0) − → (M, 3, 3) − → (H, 0, 0) − → ··· Taking the weight-per-time viewpoint, the total ratio of ρ is Γ(ρ) = 4.8. Problem 3.3 (Minimum infinite

ratio). Given a doubly weighted timed automaton A, compute W = inf Γ(ρ) ρ infinite run in A and a set P of infinite runs for which inf ρ∈P Γ(ρ) = W . The main tool in the proof of the following theorem is the introduction of the corner-point abstraction of a timed automaton in [35]. This is a finite refinement of the region automaton of Definition 2.16 in which one also keeps track of the corner points of regions. One can then show that any infinite run with minimum ratio must pass through corner points of regions, hence these can be found in the corner-point abstraction by an algorithm first proposed in [74]. The technical condition in the theorem that the second weight coordinate be strongly diverging means that any infinite run ρ in the closure of the timed automaton in question satisfies w2 (ρ) = ∞, see [35] for details. Theorem 3.7 ([35]). The minimum infinite ratio problem is computable for doubly weighted timed automata with non-negative and strongly diverging second weight coordinate. For discount-optimal analysis, the objective is to find an infinite run in a weighted timed automaton which minimizes the discounted total weight as defined below. The point of discounting is that the weight of actions is discounted with time, so that the impact of an event decreases, the further in the future it takes place. In the definition below, ε is the empty run, and (, v) → ρ denotes the concatenation of the transition (, v) → with the run ρ. Definition 3.8. The discounted total weight of finite runs in a weighted timed automaton under discounting factor λ ∈ [0, 1[ is given inductively as follows: wλ (ε) = 0

a wλ (, v) − → ρ = P + wλ (ρ)

P



d wλ (, v) − → ρ = R()



d 0

λτ dτ + λd wλ (ρ) d

a1

1 The discounted total weight of an infinite run ρ = (0 , v0 ) −→ (0 , v0 + d1 ) −→ P1 (1 , v1 ) − → · · · is

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

81



ak wλ (ρ) = lim wλ (0 , v0 ) − → · · · −−→ (k , vk ) k→∞

Pk

provided that the limit exists. Example 3.3 (continued). The discounted total weight of the infinite run ρ in the of Figure 11 satisfies the following equality, where It =  t τtimed automaton 1 t λ dτ = − (1 − λ ): ln λ 0 wλ (ρ) = 2I3 + λ3 (5I3 + λ3 (9I1 + λ(1 + 5I3 + λ3 (2 + wλ (ρ))))) With a discounting factor of λ = .9 for example, the discounted total weight of ρ would hence be wλ (ρ) ≈ 40.5. Problem 3.4 (Minimum discounted weight). automaton

Given a weighted timed A and λ ∈ [0, 1[, compute W = inf wλ (ρ) ρ infinite run in A and a set P of infinite runs for which inf ρ∈P wλ (ρ) = W . The proof of the following theorem rests again on the corner-point abstraction, and on a result in [11]. The technical condition that the timed automaton be time-divergent is analogous to the condition on the second weight coordinate in Theorem 3.7. Theorem 3.9 ([59]). The minimum discounted weight problem is computable for time-divergent weighted timed automata with non-negative weights and rational λ.

4. Timed games Recently, substantial effort has been made towards the synthesis of winning strategies for timed games with respect to safety and reachability control objectives. From known region-based decidability results, efficient on-the-fly algorithms have been developed [42, 100] and implemented in the newest branch Uppaal-Tiga. For timed games, as for untimed ones, transitions are either controllable or uncontrollable (i.e. under the control of an environment), and the problem is to synthesize a strategy for when to take which (enabled) controllable transitions in order that a given objective is guaranteed regardless of the behaviour of the environment. Definition 4.1. A timed game is a tuple (L, 0 , F, C, Σc , Σu , I, E) with Σc ∩Σu = ∅ and for which the tuple (L, 0 , F, C, Σ = Σc ∪ Σu , I, E) is a timed automaton. Edges with actions in Σc are said to be controllable, those with actions in Σu are uncontrollable. Example 4.1. Figure 12 provides a simple example of a timed game. Here, Σc = {c1 , c2 , c4 } and Σ2 = {u1 , u2 , u3 }, and the controllable edges are drawn with solid lines, the uncontrollable ones with dashed lines.

82

K.G. Larsen et al. / From Timed Automata to Stochastic Hybrid Games

1

x > 1 u1

x=5

x=0

x=4 x=5

x=0

x=p0 , where bound defines how to bound the runs. The three ways to bound them are 1) implicitly by time by specifying I1 /Int I2 requires I2 =/=Int 0 rule I1 + I2 => I1 +Int I2 rule I1 I1 E rule if false then _ else E => E

[strict(1)]

Let Binder The let binder is a derived construct, because it can be defined using λ . syntax Exp ::= "let" Id "=" Exp "in" Exp rule let X = E in E':Exp => (lambda X . E') E

[macro]

Letrec Binder We prefer a definition based on the μ construct. Note that μ is not really necessary, but it makes the definition of letrec easier to understand and faster to execute. syntax Exp ::= "letrec" Id Id "=" Exp "in" Exp | "mu" Id "." Exp [binder] rule letrec F:Id X:Id = E in E' => let F = mu F . lambda X . E in E' [macro] rule mu X . E => E[(mu X . E) / X] endmodule

Compiling the Definition and Executing LAMBDA Programs The K definition of LAMBDA is now complete. We can compile it using the command $ kompile lambda.k

Then we can execute programs using the krun command. For example, if the file factorial.lambda contains the LAMBDA program letrec f x = if x | syntax Block ::= | syntax Stmt ::= | |

Int | Id AExp "/" AExp [left, strict] AExp "+" AExp [left, strict] "(" AExp ")" [bracket] Bool AExp "