An Inverse Method for Parametric Timed Automata

Étienne André, Thomas Chatain, Laurent Fribourg, Emmanuelle Encrenaz
2008 Electronical Notes in Theoretical Computer Science  
Given a timed automaton with parametric timings, our objective is to describe a procedure for deriving constraints on the parametric timings in order to ensure that, for each value of parameters satisfying these constraints, the behaviors of the timed automata are time-abstract equivalent. We will exploit a reference valuation of the parameters that is supposed to capture a characteristic proper behavior of the system. The method has been implemented and is illustrated on various examples of
more » ... nchronous circuits. André, Chatain, Encrenaz and Fribourg is more general than timing constraint graphs as it allows for composition of systems and choice of actions. The timing bounds involved in the action guards and location invariants of our timed automata are not constants, but parameters. Those parametric timed automata allow to model various kinds of timed systems, e.g. communication protocols or asynchronous circuits. We will also assume that we are given an initial set of values for the parameters that form the so-called "reference parameter valuation", which corresponds to values for which the system is known to behave properly. Our goal is to compute a constraint K on the parameters, satisfied by the reference valuation, guaranteeing that, under any valuation satisfying K, the system behaves in the same manner: for any two valuations of the parameters satisfying K, the behaviors of the timed automata are (time-abstract) equivalent, i.e., the traces of execution (or runs) viewed as alternating sequences of actions and locations are identical. Our procedure consists in generating growing paths starting from the initial state. When one generates a path ending in a state incompatible with the reference values, the path is discarded by refining appropriately the current constraint K on parameters. The generation procedure is then restarted until a new incompatible state is produced, and so on, iteratively until no incompatible state is generated. Comparison with Related Work. The synthesis of constraints has been studied in the context of parametric timed automata or hybrid systems, e.g. in [4], or in [13] where the authors use a prototype extension of Uppaal [14] for linear parametric model checking. Note that [4] is able to infer non-linear constraints. Another interesting related work on parametric timed automata is the 2nd part of [13] , which shows decidability results for the verification of a special class, called "L/U automata". This class is somehow restricted: for example, it does not allow for systems with guards of the form x = p (i.e., x ≤ p ∧ p ≤ x), where x is a clock and p a parameter, because parameters must appear either as lower bounds or as upper bounds of clocks, but not both. Furthermore, the way for synthesizing constraints is indirect: one needs to guess a constraint, then check that an appropriate instance of the system is correct under this constraint, from which the general correctness is inferred by an equivalence theoretical result. Two subclasses of L/U automata, called lower-bound and upper-bound parametric timed automata, are also considered in [17], with decidability results. As pointed out in [12], a major strength of tool HyTech is its ability to perform parametric analysis. One can synthesize constraints on parameters for which a given "bad" state is reachable (see, e.g., Fisher's mutual exclusion protocol in [12] ). This is done by computing the set Post * (s init ) of reachable states, intersecting with the bad states, and eliminating the non-parameter variables. The synthesis of constraints has also been studied in the context of asynchronous circuits, mainly by Myers and co-workers on the one hand (see, e.g., [18] ), and by Clariso and Cortadella on the other hand (see, e.g., [6, 7] ). They also proceed by analyzing failure traces and generating timing constraints that prevent the occurrence of such failures. A basic difference between the two works is that Myers et al 's approach is not fully parametric, but appeals to a numeric ILP (Integer Linear
doi:10.1016/j.entcs.2008.12.029 fatcat:ulq32or55remxbxybyrqwehb2u