Ngày đăng: 14/05/2018, 13:37
LNCS 9965 Augusto Sampaio Farn Wang (Eds.) Theoretical Aspects of Computing – ICTAC 2016 13th International Colloquium Taipei, Taiwan, ROC, October 24–31, 2016 Proceedings 123 Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, Lancaster, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M Kleinberg Cornell University, Ithaca, NY, USA Friedemann Mattern ETH Zurich, Zurich, Switzerland John C Mitchell Stanford University, Stanford, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel C Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Dortmund, Germany Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany 9965 More information about this series at http://www.springer.com/series/7407 Augusto Sampaio Farn Wang (Eds.) • Theoretical Aspects of Computing – ICTAC 2016 13th International Colloquium Taipei, Taiwan, ROC, October 24–31, 2016 Proceedings 123 Editors Augusto Sampaio Centro de Informática Universidade Federal de Pernambuco Recife, Pernambuco Brazil Farn Wang Department of Electrical Engineering National Taiwan University Taipei Taiwan ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-319-46749-8 ISBN 978-3-319-46750-4 (eBook) DOI 10.1007/978-3-319-46750-4 Library of Congress Control Number: 2016952524 LNCS Sublibrary: SL1 – Theoretical Computer Science and General Issues © Springer International Publishing AG 2016 This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part of the material is concerned, speciﬁcally the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microﬁlms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a speciﬁc statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made Printed on acid-free paper This Springer imprint is published by Springer Nature The registered company is Springer International Publishing AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Preface This volume contains the papers presented at ICTAC 2016, the 13th International Colloquium on Theoretical Aspects of Computing, held during October 24–31, 2016, in Taipei, Taiwan, ROC The International Colloquium on Theoretical Aspects of Computing (ICTAC) is a series of annual events founded in 2004 by the United Nations International Institute for Software Technology Its purpose is to bring together practitioners and researchers from academia, industry, and government to present research results and exchange experiences and ideas Beyond these scholarly goals, another main purpose is to promote cooperation in research and education between participants and their institutions from developing and industrial regions The city of Taipei, where this edition of ICTAC took place, is the capital and the largest city of Taiwan, ROC (Republic of China) The National Taiwan University (NTU), host of the colloquium, is the top university in Taiwan with 17,000 undergraduate students and 15,000 graduate students The Department of Electrical Engineering of NTU, where most ICTAC 2016 sessions have been held, is the leading research group in Taiwan and has technical contributions to Taiwan’s world-renowned giants, including TSMC, MediaTek, Quanta Computers, etc ICTAC 2016 was sponsored by Microsoft Research, Springer, EasyChair, the Ministry of Science and Technology (ROC), the Ministry of Education (ROC), the Ministry of Economical Affairs (ROC), the Taipei Municipal Government, and the National Taiwan University In this edition of ICTAC, we had four invited speakers: Hsu-Chun Yen, from the National Taiwan University; Leonardo de Moura, from Microsoft Research, USA; Heike Wehrheim, form Universität Paderborn, Germany; and Wen-Lian Hsu, from Academia Sinica, Taiwan They delivered keynote speeches as well as tutorials ICTAC 2016 received 60 submissions from 26 different countries Each submission was reviewed by at least three members of the Program Committee, along with help from external reviewers Out of these 60 submissions, 23 regular papers were accepted The committee also accepted one short paper and one tool paper Apart from the paper presentations and invited talks, ICTAC 2016 continued the tradition of previous ICTAC conferences in holding a ﬁve-course school on important topics in theoretical aspects of computing We thank all the authors for submitting their papers to the conference, and the Program Committee members and external reviewers for their excellent work in the review, discussion, and selection process We are indebted to all the members of the Organizing Committee, including Dr Churn-Jung Liau (Academia Sinica), Prof Jonathan Lee (NTU), Dr Yu-Fang Chen (Academia Sinica), and Prof Fang Yu (National Cheng-Chi University), for their hard work in all phases of the conference, as well as to Filipe Arruda and Gustavo Carvalho, who helped enormously with managing EasyChair and several other operational aspects of the reviewing and proceedings VI Preface creation process We also acknowledge our gratitude to the Steering Committee for their constant support We are also indebted to EasyChair that greatly simpliﬁed the assignment and reviewing of the submissions as well as the production of the material for the proceedings Finally, we thank Springer for their cooperation in publishing the proceedings, and for the sponsorship of the two best paper awards August 2016 Augusto Sampaio Farn Wang Organization Program Committee Bernhard K Aichernig Farhad Arbab Mauricio Ayala-Rincon Mario Benevides Ana Cavalcanti Yu-Fang Chen Gabriel Ciobanu Hung Dang Van Ana De Melo Rocco De Nicola Razvan Diaconescu Jin Song Dong José Luiz Fiadeiro John Fitzgerald Marcelo Frias Martin Fränzle Lindsay Groves Kim Guldstrand Larsen Zhenjiang Hu Jie-Hong Roland Jiang Cliff Jones Luis Lamb Martin Leucker Zhiming Liu Dominique Mery Alexandre Mota Mohammadreza Mousavi Tobias Nipkow Jose Oliveira Catuscia Palamidessi Paritosh Pandya António Ravara Camilo Rueda Jacques Sakarovitch Augusto Sampaio Sven Schewe TU Graz, Austria CWI and Leiden University, The Netherlands Universidade de Brasilia, Brazil Universidade Federal Rio de Janeiro, Brazil University of York, UK Academia Sinica, Taiwan Romanian Academy, Institute of Computer Science, Iasi, Romania UET, Vietnam National University, Vietnam University of Sao Paulo, Brazil IMT - Institute for Advanced Studies Lucca, Italy IMAR, Romania National University of Singapore, Singapore Royal Holloway, University of London, UK Newcastle University, UK Buenos Aires Institute of Technology, Argentina Carl von Ossietzky Universität Oldenburg, Germany Victoria University of Wellington, NZ Computer Science, Aalborg University, Denmark NII, Japan National Taiwan University, Taiwan Newcastle University, UK Federal University of Rio Grande Sul, Brazil University of Lübeck, Germany Birmingham City University, UK Université de Lorraine, LORIA, France Universidade Federal de Pernambuco, Brazil Halmstad University, Sweden TU München, DE Universidade Minho, Portugal Inria, France TIFR, India Universidade Nova de Lisboa, Portugal Universidad Javeriana, Colombia CNRS/Telecom ParisTech, France Federal University of Pernambuco, Brazil University of Liverpool, UK VIII Organization Martin Schäf Emil Sekerinski Hiroyuki Seki Tetsuo Shibuya Andrzej Tarlecki Kazunori Ueda Frank Valencia Farn Wang Jim Woodcock Hsu-Chun Yen Shoji Yuen Naijun Zhan Lijun Zhang Huibiao Zhu SRI International, USA McMaster University, Canada Nagoya University, Japan The University of Tokyo, Japan Warsaw University, Poland Waseda University, Japan LIX, Ecole Polytechnique, France National Taiwan University, Taiwan University of York, UK National Taiwan University, Taiwan Nagoya University, Japan Institute of Software, Chinese Academy of Sciences, China Institute of Software, Chinese Academy of Sciences, China East China Normal University, China Additional Reviewers Accattoli, Beniamino Aman, Bogdan Bistarelli, Stefano Bollig, Benedikt Bouyer-Decitre, Patricia Bucchiarone, Antonio Ciancia, Vincenzo Dang, Duc-Hanh De Moura, Flavio L.C Decker, Normann Foster, Simon Goulão, Miguel Hafemann Fragal, Vanderson Hanazumi, Simone Helouet, Loic Hsu, Tzu-Chien Höfner, Peter Hölzl, Johannes Imai, Keigo Jensen, Peter Gjøl Lengal, Ondrej Li, Guangyuan Li, Qin Liu, Bo Liu, Wanwei Lluch Lafuente, Alberto Mikučionis, Marius Montrieux, Lionel Moreira, Nelma Nantes-Sobrinho, Daniele Naumowicz, Adam Nguyen, Thi Huyen Chau Nishida, Naoki Nyman, Ulrik Ody, Heinrich Olsen, Petur Popescu, Andrei Rocha, Camilo Rot, Jurriaan Sanchez, Huascar Sato, Shuichi Scheffel, Torben Schumi, Richard Serre, Olivier Singh, Neeraj Song, Fu Strathmann, Thomas Sun, Meng Taromirad, Masoumeh Ter Beek, Maurice H Thomsen, Michael Kirkedal Thorn, Johannes Ting, Gan Tiplea, Ferucio Truong, Hoang Tu, Kuan-Hua Tutu, Ionut Ventura, Daniel Wang, Hung-En Wang, Shuling Wiedijk, Freek Wolter, Uwe Worrell, James Xie, Wanling Yokoyama, Tetsuo Zhao, Hengjun Invited Papers ML Pattern-Matching, Recursion, and Rewriting 465 Library FoCaLiZe Coverage Coq Dedukti stdlib 163335 99.42% 1314934 4814011 extlib 158697 100% 162499 283939 contribs 126803 99.54% 966197 2557024 term-proof 24958 99.62% 227136 247559 ejcp 13979 95.16% 28095 239881 iterators 80312 88.33% 414282 972051 Fig Size (in bytes) comparison of Focalide with the Coq backend Library Zenon ZMod Coq Dedukti Zenon + Coq ZMod + Dedukti stdlib 11.73 32.87 17.41 1.46 29.14 34.33 extlib 9.48 26.50 19.45 1.64 28.93 28.14 contribs 5.38 9.96 26.92 1.17 32.30 11.13 term-proof 1.10 0.55 24.54 0.02 25.64 0.57 ejcp 0.44 0.86 11.13 0.06 11.57 0.92 iterators 2.58 3.85 6.59 0.27 9.17 4.12 Fig Time (in seconds) comparison of Focalide with the Coq backend Zenon is not very eﬃcient on proofs requiring computation because all reduction steps are registered as proof steps in Zenon leading to huge proofs which take a lot of time for Zenon to ﬁnd and for Coq to check For example, if we deﬁne a polymorphic datatype type wrap (’a) = | Wrap (’a), we can deﬁne the isomorphism f : ’a -> wrap(’a) by let f (x) = Wrap(x) and its inverse g : wrap(’a) -> ’a by let g(y) = match y with | Wrap (x) -> x The time taken for our tools to deal with the proof of (g ◦ f)n (x) = x for n from 10 to 19 is given in Fig 4; as we can see, the Coq backend becomes quickly unusable whereas Deduction modulo is so fast that it is even hard to measure it Value of n Zenon Coq Zenon Modulo Dedukti 10 31.48 4.63 0.04 0.00 11 63.05 11.04 0.04 0.00 12 99.55 7.55 0.05 0.00 13 197.80 10.97 0.04 0.00 14 348.87 1020.67 0.04 0.00 15 492.72 1087.13 0.04 0.00 16 724.46 > 2h 0.04 0.00 17 1111.10 1433.76 0.04 0.00 18 1589.10 > 2h 0.07 0.00 19 2310.48 > 2h 0.04 0.00 Fig Time comparison (in seconds) for computation-based proofs 466 R Cauderlier and C Dubois Related Work The closest related work is a translation from a fragment of Coq kernel to Dedukti [1] Pattern-matching is limited in Coq kernel to ﬂat patterns so it is possible to deﬁne a single match symbol for each inductive type, which simpliﬁes greatly the compilation of pattern-matching to Dedukti To handle recursion, ﬁlter functions playing the role of our CBV combinator are proposed Because of dependent typing, they need to duplicate their arguments Moreover, we deﬁne the CBV operator by ad-hoc polymorphism whereas ﬁlter functions are unrelated to each other Compilation techniques for pattern-matching to enriched λ-calculi have been proposed, see e.g [12,13,16] We diﬀer mainly in the treatment of matching failure A lot of work has also been done to compile programs (especially functional recursive deﬁnitions [11,14]) to rewrite systems The focus has often been on termination preserving translations to prove termination of recursive functions using termination checkers for term rewrite systems However, these translations not preserve the semantics of the programs so they can hardly be adapted for handling translations of correctness proofs Conclusion We have extended the compiler of FoCaLiZe to a new output language: Dedukti Contrary to previously existing FoCaLiZe outputs OCaml and Coq, Dedukti is not a functional programming language but an extension of a dependently-typed λ-calculus with rewriting so pattern-matching and recursion are not trivial to compile to Dedukti However, we have shown that ML pattern-matching can easily and eﬃciently be translated to Dedukti using destructors We plan to further optimize the compilation of pattern-matching, in particular to limit the use of dynamic error handling For recursion, however, eﬃciency comes at a cost in term of normalization because we can not fully enforce the use of the call-by-value strategy without loosing linearity Our treatment of recursive deﬁnitions generalizes directly to mutual recursion but we have not implemented this generalization Our approach is general enough to be adapted to other functional languages because FoCaLiZe language for implementing functions is an ML language without speciﬁc features FoCaLiZe originality comes from its object-oriented mechanisms which are invisible to Focalide because they are statically resolved in an earlier compilation step Moreover, it can also easily be adapted to other rewriting formalisms, especially untyped and polymorphic rewrite engines because features speciﬁc to Dedukti (such as higher-order rewriting or dependent typing) are not used We have tested Focalide on existing FoCaLiZe libraries and have found it a decent alternative to the Coq backend whose adoption can enhance the usability of FoCaLiZe to a new class of proofs based on computation ML Pattern-Matching, Recursion, and Rewriting 467 As Dedukti is used as the target language of a large variety of systems in the hope of exchanging proofs; we want to experiment the import and export of proofs between logical systems by using FoCaLiZe and Focalide as an interoperability platform Acknowledgements This work has been partially supported by the BWare project (ANR-12-INSE-0010) funded by the INS programme of the French National Research Agency (ANR) References Assaf, A.: A framework for deﬁning computational higher-order logics Ph.D the´ sis, Ecole Polytechnique (2015) Assaf, A., Burel, G.: Translating HOL to Dedukti In: Kaliszyk, C., Paskevich, A (eds.) Proceedings Fourth Workshop on Proof eXchange for Theorem Proving EPTCS, vol 186, Berlin, Germany, pp 74–88 (2015) Bonichon, R., Delahaye, D., Doligez, D.: Zenon: an extensible automated theorem prover producing checkable proofs In: Dershowitz, N., Voronkov, A (eds.) LPAR 2007 LNCS (LNAI), vol 4790, pp 151–165 Springer, Heidelberg (2007) doi:10 1007/978-3-540-75560-9 13 Burel, G.: A shallow embedding of resolution and superposition proofs into the λΠcalculus modulo In: Blanchette, J.C., Urban, J (eds.) PxTP 2013 3rd International Workshop on Proof Exchange for Theorem Proving EasyChair Proceedings in Computing, vol 14, Lake Placid, USA, pp 43–57 (2013) Cauderlier, R.: Object-oriented mechanisms for interoperability between proof systems Ph.D thesis, Conservatoire National des Arts et M´etiers, Paris (draft) Cauderlier, R., Dubois, C.: Objects and subtyping in the λΠ-calculus modulo In: Post-proceedings of the 20th International Conference on Types for Proofs and Programs (TYPES 2014) Leibniz International Proceedings in Informatics (LIPIcs), Schloss Dagstuhl, Paris (2014) Cauderlier, R., Halmagrand, P.: Checking Zenon Modulo proofs in Dedukti In: Kaliszyk, C., Paskevich, A (eds.) Proceedings 4th Workshop on Proof eXchange for Theorem Proving EPTCS, vol 186, Berlin, Germany, pp 57–73 (2015) Cousineau, D., Dowek, G.: Embedding pure type systems in the λΠ-calculus modulo In: Rocca, S.R.D (ed.) TLCA 2007 LNCS, vol 4583, pp 102–117 Springer, Heidelberg (2007) doi:10.1007/978-3-540-73228-0 9 Delahaye, D., Doligez, D., Gilbert, F., Halmagrand, P., Hermant, O.: Zenon Modulo: when Achilles outruns the tortoise using deduction modulo In: McMillan, K., Middeldorp, A., Voronkov, A (eds.) LPAR-19 LNCS, vol 8312, pp 274–290 Springer, Heidelberg (2013) doi:10.1007/978-3-642-45221-5 20 10 Dubois, C., Pessaux, F.: Termination proofs for recursive functions in FoCaLiZe In: Serrano, M., Hage, J (eds.) TFP 2015 LNCS, vol 9547, pp 136–156 Springer, Heidelberg (2016) doi:10.1007/978-3-319-39110-6 11 Giesl, J., Raﬀelsieper, M., Schneider-Kamp, P., Swiderski, S., Thiemann, R.: Automated termination proofs for Haskell by term rewriting ACM Trans Program Lang Syst 33(2), 7:1–7:39 (2011) 12 Kahl, W.: Basic pattern matching calculi: a fresh view on matching failure In: Kameyama, Y., Stuckey, P.J (eds.) FLOPS 2004 LNCS, vol 2998, pp 276–290 Springer, Heidelberg (2004) doi:10.1007/978-3-540-24754-8 20 468 R Cauderlier and C Dubois 13 Klop, J.W., van Oostrom, V., de Vrijer, R.: Lambda calculus with patterns Theoret Comput Sci 398(1–3), 16–31 (2008) Calculi, Types and Applications: Essays in honour of M Coppo, M Dezani-Ciancaglini and S Ronchi Della Rocca 14 Lucas, S., Pe˜ na, R.: Rewriting techniques for analysing termination and complexity bounds of Safe programs In: LOPSTR 2008, pp 43–57 (2008) 15 Pessaux, F.: FoCaLiZe: inside an F-IDE In: Dubois, C., Giannakopoulou, D., M´ery, D (eds.) Proceedings 1st Workshop on Formal Integrated Development Environment, F-IDE 2014 EPTCS, vol 149, Grenoble, France, pp 64–78 (2014) 16 Peyton Jones, S.L.: The Implementation of Functional Programming Languages Prentice-Hall International Series in Computer Science Prentice-Hall, Inc., Upper Saddle River (1987) 17 Saillard, R.: Type checking in the λΠ-calculus modulo: theory and practice Ph.D thesis, MINES Paritech (2015) Parametric Deadlock-Freeness Checking Timed Automata ´ Etienne Andr´e1,2(B) Universit´e Paris 13, Sorbonne Paris Cit´e, LIPN, CNRS, UMR 7030, F-93430 Villetaneuse, France ea.ndre13@lipn13.fr ´ Ecole Centrale de Nantes, IRCCyN, CNRS, UMR 6597, Nantes, France Abstract Distributed real-time systems are notoriously diﬃcult to design, and must be veriﬁed, e g., using model checking In particular, deadlocks must be avoided as they either yield a system subject to potential blocking, or denote an ill-formed model Timed automata are a powerful formalism to model and verify distributed systems with timing constraints In this work, we investigate synthesis of timing constants in timed automata for which the model is guaranteed to be deadlock-free Introduction Distributed real-time systems are notoriously diﬃcult to design due to the intricated use of concurrency and timing constraints, and must therefore be veriﬁed, e g., using model checking Model checking is a set of techniques to formally verify that a system, described by a model, veriﬁes some property, described using formalisms such as reachability properties or more complex properties expressed using, e g., temporal logics Checking the absence of deadlocks in the model of a real-time system is of utmost importance First, deadlocks can lead the actual system to a blockade when a component is not ready to receive any action (or synchronization label) Second, a speciﬁcity of models of distributed systems involving time is that they can be subject to situations where time cannot elapse This situation denotes an ill-formed model, as this situation of time blocking (“timelock”) cannot happen in the actual system due to the uncontrollable nature of time Timed automata (TAs) [1] are a formalism dedicated to modeling and verifying real-time systems where distributed components communicate via synchronized actions Despite a certain success in verifying models of actual distributed systems (using e g., Uppaal [10] or PAT [12]), TAs reach some limits when verifying systems only partially speciﬁed (typically when the timing constants are not yet known) or when timing constants are known with a limited precision only (although the robust semantics can help tackling some problems, see e g., [11]) Parametric timed automata (PTAs) [2] leverage these drawbacks by This work is partially supported by the ANR national research program PACS (ANR-14-CE28-0002) c Springer International Publishing AG 2016 A Sampaio and F Wang (Eds.): ICTAC 2016, LNCS 9965, pp 469–478, 2016 DOI: 10.1007/978-3-319-46750-4 27 470 ´ Andr´e E allowing the use of timing parameters, hence allowing for modeling constants unknown or known with some imprecision We address here the problem of the deadlock-freeness, i e., the fact that a discrete transition must always be taken from any state, possibly after elapsing some time TAs and PTAs are both subject to deadlocks: hence, a property proved correct on the model may not necessarily hold on the actual system if the model is subject to deadlocks Deadlock checking can be performed on TAs (using e g., Uppaal); however, if deadlocks are found, then there is often no other choice than manually reﬁning the model in order to remove them We recently showed that the existence of a parameter valuation in a PTA for which a run leads to a deadlock is undecidable [4]; this result also holds for the subclass of PTAs where parameters only appear as lower or upper bounds [8] This result rules out the possibility to perform exact deadlock-freeness synthesis In this work, we propose an approach to automatically synthesize parameter valuations in PTAs (in the form of a set of linear constraints) for which the system is deadlock-free If our procedure terminates, the result is exact Otherwise, when stopping after some bound (e g., runtime limit, exploration depth limit), it is an over-approximation of the actual result In this latter case, we propose a second approach to also synthesize an under-approximation: hence, the designer is provided with a set of valuations that are deadlock-free, a set of valuations for which there exist deadlocks, and an intermediate set of unsure valuations Our approach is of particular interest when intersected with a set of parameter valuations ensuring some property: one obtains therefore a set of parameter valuations for which that property is valid and the system is deadlock-free Outline We brieﬂy recall necessary deﬁnitions in Sect We introduce our approach in Sect 3, extend it to the synthesis of an under-approximated constraint in Sect 4, and validate it on benchmarks in Sect We discuss future works in Sect Preliminaries Throughout this paper, we assume a set X = {x1 , , xH } of clocks A clock valuation is w : X → R+ We write for the valuation that assigns to each clock Given d ∈ R+ , w + d denotes the valuation such that (w + d)(x) = w(x) + d, for all x ∈ X We assume a set P = {p1 , , pM } of parameters, i e., unknown constants A parameter valuation v is v : P → Q+ In the following, we assume ∈ {} A constraint C (i e., a convex polyhedron) over X ∪ P is a conjunction of inequalities of the form lt 0, where lt denotes a linear term of the form 1≤i≤H αi xi + 1≤j≤M βj pj + d, with xi ∈ X, pi ∈ P , and αi , βj , d ∈ Z Given a parameter valuation v, v(C) denotes the constraint over X obtained by replacing each parameter p in C with v(p) Likewise, given a clock valuation w, w(v(C)) denotes the expression obtained by replacing each clock x in v(C) with w(x) We say that v satisfies C, denoted by v |= C, if the Parametric Deadlock-Freeness Checking Timed Automata 471 set of clock valuations satisfying v(C) is nonempty We say that C is satisfiable if ∃w, v s.t w(v(C)) evaluates to true We deﬁne the time elapsing of C, denoted by C , as the constraint over X and P obtained from C by delaying all clocks by an arbitrary amount of time We deﬁne the past of C, denoted by C , as the constraint over X and P obtained from C by letting time pass backward by an arbitrary amount of time (see e g., [9]) Given R ⊆ X, we deﬁne the reset of C, denoted by [C]R , as the constraint obtained from C by resetting the clocks in R, and keeping the other clocks unchanged We denote by C↓P the projection of C onto P , i e., obtained by eliminating the clock variables (e g., using Fourier-Motzkin) A guard g is a constraint deﬁned by inequalities x z, where z is either a parameter or a constant in Z A parametric zone is a polyhedron in which all plt, where xi ∈ X, xj ∈ X constraints are of the form x plt or xi − xj and plt is a parametric linear term over P , i e., a linear term without clocks (αi = for all i) Given a parameter constraint K, ¬K denotes the (possibly non-convex) negation of K We extend the notation v |= K to possibly nonconvex constraints in a natural manner (resp ⊥) denotes the constraint corresponding to the set of all (resp no) parameter valuations Definition A PTA A is a tuple A = (Σ, L, l0 , X, P, I, E), where: (i) Σ is a finite set of actions, (ii) L is a finite set of locations, (iii) l0 ∈ L is the initial location, (iv) X is a set of clocks, (v) P is a set of parameters, (vi) I is the invariant, assigning to every l ∈ L a guard I(l), (vii) E is a set of edges e = (l, g, a, R, l ) where l, l ∈ L are the source and target locations, a ∈ Σ, R ⊆ X is a set of clocks to be reset, and g is a guard Given a parameter valuation v, we denote by v(A) the non-parametric timed automaton where all occurrences of a parameter pi have been replaced by v(pi ) Definition (Semantics of a TA) Given a PTA A = (Σ, L, l0 , X, P, I, E), and a parameter valuation v, the concrete semantics of v(A) is given by the timed transition system (S, s0 , →), with – S = {(l, w) ∈ L × RH + | w(v(I(l))) evaluates to true}, s0 = (l0 , 0) – → consists of the discrete and (continuous) delay transition relations: e • discrete transitions: (l, w) → (l , w ), if (l, w), (l , w ) ∈ S, there exists e = (l, g, a, R, l ) ∈ E, ∀x ∈ X : w (x) = if x ∈ R and w (x) = w(x) otherwise, and w(v(g)) evaluates to true d • delay transitions: (l, w) → (l, w + d), with d ∈ R+ , if ∀d ∈ [0, d], (l, w + d ) ∈ S e Moreover we write (l, w) → (l , w ) for a sequence of delay and discrete d e transitions where ((l, w), e, (l , w )) ∈ → if ∃d, w : (l, w) → (l, w ) → (l , w ) Given a TA v(A) with concrete semantics (S, s0 , →), we refer to the states of S as the concrete states of v(A) A concrete run (or simply a run) of v(A) is an alternating sequence of concrete states of v(A) and edges starting from the em−1 e0 e1 s1 → · · · → sm , such that for initial concrete state s0 of the form s0 → 472 ´ Andr´e E l1 x ≤ p1 + l1 x ≥ p2 a a x := l2 x ≤ 10 (a) PTA deadlocked for some valuations x≤p a a l2 (b) PTA deadlocked for all valuations Fig Examples of PTAs with potential deadlocks all i = 0, , m − 1, ei ∈ E, and (si , ei , si+1 ) ∈ → Given a state s = (l, w), we say that this state has no successor (or is deadlocked) if, in the concrete semantics of v(A), there exists no discrete transition from s of from a successor of s obtained by taking exclusively continuous transition(s) from s If no state of v(A) is deadlocked, then v(A) is deadlock-free Example Consider the PTA in Fig 1a (invariants are boxed): deadlocks can occur if the guard of the transition from l1 to l2 cannot be satisﬁed (when p2 > p1 + 5) or if the invariant of l2 is not compatible with the guard (when p2 > 10) In Fig 1b, the system may risk a deadlock for any parameter valuation as, if the guard is “missed” (if a run chooses to spend more than p time units in l1 ), then no transition can be taken from l1 Parametric Deadlock-Freeness Checking Let us ﬁrst recall the symbolic semantics of PTAs (from, e g., [9]) A symbolic state is a pair (l, C) where l ∈ L is a location, and C its associated parametric ∧ I(l0 )) zone The initial symbolic state of A is sA = (l0 , ( 1≤i≤H xi = 0) The symbolic semantics relies on the Succ operation Given a symbolic state s = (l, C) and an edge e = (l, g, a, R, l ), the successor of s via e is the symbolic ∩ I(l ) We write Succ(s) state Succ(s, e) = (l , C ), with C = [(C ∧ g)]R for ∪e∈E Succ(s, e) We write Pred for Succ−1 Given a set S of states, we write Pred(S) for s∈S Pred(s) A symbolic run of a PTA is an alternating sequence of symbolic states and em−1 e1 e0 edges starting from the initial symbolic state, of the form sA ⇒ s1 ⇒ · · · ⇒ sm , such that for all i = 0, , m − 1, ei ∈ E, and si+1 = Succ(si , ei ) The symbolic states with the Succ relation form a state space, i e., a (possibly inﬁnite) directed graph, the nodes of which are the symbolic states, and there exists an edge from si to sj labeled with ei iﬀ sj = Succ(si , ei ) Given a concrete em−1 e0 e1 (respectively symbolic) run (l0 , 0) → (l1 , w1 ) → · · · → (lm , wm ) (respectively em−1 e0 e1 (l1 , C1 ) ⇒ · · · ⇒ (lm , Cm )), its corresponding discrete sequence is (l0 , C0 ) ⇒ em−1 e0 e1 l0 ⇒ l1 ⇒ · · · ⇒ lm Two runs (concrete or symbolic) are said to be equivalent if their associated discrete sequences are equal Parametric Deadlock-Freeness Checking Timed Automata 473 Deadlock-Freeness Synthesis We now introduce below our procedure PDFC, that makes use of an intermediate, recursive procedure DSynth Both are written in a functional form in the spirit of, e g., the reachability and unavoidability synthesis algorithms in [9] Given s = (l, C), we use sC to denote C The notation g(s, s ) denotes the guard of the edge from s to s DSynth(s, Passed) = ⎧ ⎪ ⎨⊥ s ∈Succ(s) ⎪ ⎩∪ s \ C if s ∈ Passed DSynth(s , Passed ∪ {s}) s ∈Succ(s) sC ∧ g(s, s ) ∧ sC ↓P ) ↓P otherwise PDFC(A) = ¬DSynth(sA , ∅) First, we use a function DSynth(s, Passed) to recursively synthesize the parameter valuations for which a deadlock may occur This function takes as argument the current state s together with the list Passed of passed states If s belongs to Passed (i e., s was already met), then no parameter valuation is returned Otherwise, the ﬁrst part of the second case computes the union over all successors of s of DSynth recursively called over these successors; the second part computes all parameter valuations for which a deadlock may occur, i e., the constraint characterizing s minus all clock and parameter valuations that allow to exit s to some successor s , all this expression being eventually projected onto P Finally, PDFC (“parametric deadlock-freeness checking”) returns the negation of the result of DSynth called with the initial state of A and an empty list of passed states We show below that PDFC is sound and complete Note however that, in the general case, the algorithm may not terminate, as DSynth explores the set of symbolic states, of which there may be an inﬁnite number Proposition Assume PDFC(A) terminates with result K Let v |= K Then v(A) is deadlock-free Proof (sketch) Consider a run of v(A), and assume it reaches a state s = (l, w) with no discrete successor From [8], there exists an equivalent symbolic run in A reaching a state (l, C) As DSynth explores all symbolic states, (l, C) was explored in DSynth too; since s has no successor, then w belongs to the second part of the second line of DSynth Hence, the projection onto P was added to the result of DSynth, and hence does not belong to the negation returned by PDFC Hence v |= K, which contradicts the initial assumption Proposition Assume PDFC(A) terminates with result K Consider a valuation v such that v(A) is deadlock-free Then v |= K Proof (sketch) Following a reasoning dual to Proposition Finally, we show that PDFC outputs an over-approximation of the parameter set when stopped before termination Proposition Fix a maximum number of recursive calls in DSynth Then PDFC terminates and its result is an over-approximation of the set of parameter valuations for which the system is deadlock-free 474 ´ Andr´e E Algorithm BwUS(K, G) input : result K of DSynth, parametric state space G output: Constraint over the parameters guaranteeing deadlock-freeness 10 11 12 K+ ← K Marked ← {s | s has unexplored successors in G} Disabled ← ∅ while Marked = ∅ foreach (l, C) ∈ Marked K + ← K + ∪ C↓P ; preds ← Pred(Marked) \ Disabled Marked ← ∅ foreach s ∈ preds K + ← K + ∪ sC \ s ∈Succ(s) sC ∧ g(s, s ) ∧ sC ↓P ) ↓P if sC ↓P ⊆ K + then Marked ← Marked ∪ {s} ; Disabled ← Disabled ∪ Marked return ¬K ; Marked ← Marked \ Disabled + Proof Observe that, in DSynth, the deeper the algorithm goes in the state space (i e., the more recursive calls are performed), the more valuations it synthesizes Hence bounding the number of recursive calls yields an under-approximation of its expected result As PDFC returns the negation of DSynth, this yields an over-approximation Under-approximated Synthesis A limitation of PDFC is that either the result is exact, or it is an over-approximation when stopped earlier than the actual ﬁxpoint (from Proposition 3) In the latter case, the result is not entirely satisfactory: if deadlocks represent an undesired behavior, then an over-approximation may also contain unsafe parameter valuations More valuable would be an underapproximation, as this result (although potentially incomplete) ﬁrmly guarantees the absence of deadlocks in the model Our idea is as follows: after exploring a part of the state space in PDFC, we obtain an over-approximation In order to get an under-approximation, we can consider that any unexplored state is unsafe, i e., may lead to deadlocks Therefore, we ﬁrst need to negate the parametric constraint associated with any state that has unexplored successors But this may not be suﬃcient: by removing those unsafe states, their predecessors can themselves become deadlocked, and so on Hence, we will perform a backward-exploration of the state space by iteratively removing unsafe states, until a ﬁxpoint is reached We give our procedure BwUS (backward under-approximated synthesis) in Algorithm BwUS takes as input (1) the (under-approximated) result of DSynth, i e., a set of parameter valuations for which the system contains a deadlocked run, and (2) the part of the symbolic state space explored while running DSynth Parametric Deadlock-Freeness Checking Timed Automata s0 × s0 s0 s1 s2 s1 s2 s1 s2 s3 s4 s3 s4 s3 s4 × × × (a) Partial state space × 475 × (b) Iteration × × × (c) Iteration Fig Application of Algorithm The algorithm maintains several variables Marked denotes the states that are potentially deadlocked, and the predecessors of which must be considered iteratively Disabled denotes the states marked in the past, which avoids to consider several times the same state K + is an over-approximated constraint for which there are deadlocks; since the negation of K + is returned (line 12), then the algorithm returns an under-approximation Initially, K + is set to the (underapproximated) result of DSynth, and all states that have unexplored successors in the state space (due to the early termination) are marked While there are marked states (line 4), we remove the marked states by adding to K + the negation of the constraint associated with these states (line 5) Then, we compute the predecessors of these states, except those already disabled (line 6) By deﬁnition, all these predecessors have at least one marked (and hence potentially deadlocked) successor; as a consequence, we have to recompute the constraint leading to a deadlock from each of these predecessors This is the purpose of line 9, where K + is enriched with the recomputed valuations for which a deadlock may occur from a given predecessor s, using the same computation as in DSynth Then, if the constraint associated with the current predecessor s is included in K + , this means that s is unreachable for valuations in ¬K + (recall that we will return the negation of K + ), and therefore s should be marked at the next iteration, denoted by the local variable Marked (line 10) Finally, all currently marked states become disabled, and the new marked states are all the marked predecessors of the currently marked states with the exception of the disabled states to ensure termination (line 11) The algorithm returns eventually the negation of the over-approximated K + (line 12), which yields an under-approximation Example Let us apply Algorithm to a (ﬁctional) example of a partial state space, given in Fig 2a We only focus on the backward exploration, and rule out the constraint update (constraints are not represented in Fig 2a anyway) s3 and s4 have unexplored successors (denoted by ×), and both states are hence unsafe as they might lead to deadlocks along these unexplored branches Initially, Marked = {s3 , s4 } (depicted in yellow with a double circle in Fig 2a), 476 ´ Andr´e E and no states are disabled First, we add s3C ↓P ∪ s4C ↓P to K + Then, preds is set to {s1 , s2 } We recompute the deadlock constraint for both states (using line in Algorithm 1) For s2 , it now has no successors anymore, and clearly we will have s2C ↓P ⊆ K + , hence s2 is marked For s1 , it depends on the actual constraints; let us assume in this example that s1 is still not deadlocked for some valuations, and s1 remains unmarked At the end of this iteration, Marked = {s2 } and Disabled = {s3 , s4 } For the second iteration, we assume here (it actually depends on the constraints) that s1 will not be marked, leading to a ﬁxpoint where s2 , s3 , s4 are disabled, and the constraint ¬K + therefore characterizes the deadlock-free runs in Fig 2c (Alternatively, if s1 was marked, then s0 would be eventually marked too, and the result would be ⊥.) First note that BwUS necessarily terminates as it iterates on marked states, and no state can be marked twice thanks to the set Disabled In addition, the result is an under-approximation of the valuation set yielding deadlock-freeness: indeed, it only explores a part of state space, and considers states with unexplored successors as deadlocked by default, yielding a possibly too strong, hence under-approximated, constraint Experiments We implemented PDFC in IMITATOR [3] (which relies on PPL [5] for polyhedra operations), and synthesized constraints for which a set of models of distributed systems are deadlock-free.1 Our benchmarks come from teaching examples (coﬀee machines, nuclear plant, train controller), communication protocols (CSMA/CD, RCP), asynchronous circuits (and–or [7], ﬂip-ﬂop), a distributed networked automation system (SIMOP) and a Wireless Fire Alarm System (WFAS) [6] If an experiment has not ﬁnished within 300 s, the result is still a valid over-approximation according to Proposition 3; in addition, IMITATOR then runs Algorithm to also obtain an under-approximation We give in Table from left to right the numbers of PTA components,2 of clocks, of parameters, and of symbolic states explored, the computation time in seconds (TO denotes no termination within 300 s) for PDFC and BwUS (when necessary), the type of constraint (nncc denotes a non-necessarily convex constraint diﬀerent from or ⊥) and an evaluation of the result soundness Analyzing the experiments, several situations occur: the most interesting result is when an nncc is derived and is exact; for example; the constraint synthesized by IMITATOR for Fig 1a is p1 + ≥ p2 ∧ p2 ≤ 10, which is exactly the Experiments were conducted on Linux Mint 17 64 bits, running on a Dell Intel Core i7 CPU 2.67 GHz with GiB Binaries, models and results are available at www imitator.fr/static/ICTAC16/ The synchronous product of several PTA components (using synchronized actions) yields a PTA IMITATOR performs this composition on-the-ﬂy Parametric Deadlock-Freeness Checking Timed Automata 477 Table Synthesizing parameter valuations ensuring deadlock-freeness Case study Fig 1a Fig 1b and–or circuit coﬀee machine coﬀee machine CSMA/CD protocol ﬂip-ﬂop circuit nuclear plant RCP protocol SIMOP Train controller WFAS |A| 1 5 |X| 1 3 |P | 3 States 5,265 9,042 51 38 20 13 2,091 22,894 11 14,614 PDFC 0.012 0.005 TO TO 0.198 0.105 0.093 0.014 10.63 TO 0.025 TO BwUS K Soundness nncc exact ⊥ exact 171 [nncc− , nncc+ ] under/over-app 8.4 [nncc− , nncc+ ] under/over-app nncc exact ⊥ exact ⊥ exact nncc exact ⊥ exact 121 nncc over-app nncc exact 69.1 [nncc− , nncc+ ] under/over-app valuation set ensuring the absence of deadlocks In several cases, the synthesized constraint is ⊥, meaning that no parameter valuation is deadlock-free; this may not always denote an ill-formed model, as some case studies are “ﬁnite” (no inﬁnite behavior), typically some of the hardware case studies (e g., ﬂip-ﬂop); this may also denote a modeling process purposely blocking the system (to limit the state space explosion) after some property (typically reachability) is proved correct or violated When no exact result could be synthesized, our second procedure BwUS allows to get both an under-approximated and an over-approximated constraint (denoted by [nncc− , nncc+ ]) This is a valuable result, as it contains valuations guaranteed to be deadlock-free, others guaranteed to be deadlocked, and a third unsure set An exception is SIMOP, where BwUS derives ⊥, leaving the designer with only an over-approximation This result remains valuable as the parameter valuations not belonging to the synthesized constraint necessarily lead to deadlocks, an information that will help the designer to reﬁne its model, or to rule out these valuations Concerning the performances of BwUS, its overhead is signiﬁcant, and depends on the number of dimensions (clocks and parameters) as well as the number states in the state space However, it still remains smaller than the forward exploration (300 s) in all case studies, which therefore remains reasonable to some extent It seems the most expensive operation is the computation of the deadlock constraint (line in Algorithm 1); this has been implemented in a straightforward manner, but could beneﬁt from optimizations (e g., only recompute the part corresponding to successor states that were disabled at the previous iteration of BwUS) Perspectives We proposed here a procedure to synthesize timing parameter valuations ensuring the absence of deadlocks in a real-time system; we implemented it in IMITATOR 478 ´ Andr´e E and we have run experiments on a set of benchmarks When terminating, our procedure yields an exact result Otherwise, thanks to a second procedure, we get both an under- and an over-approximation of the valuations for which the system is deadlock-free Our deﬁnition of deadlock-freeness addresses discrete transitions; however, in case of Zeno behaviors (an inﬁnite number of discrete transition within a ﬁnite time), a deadlock-free system can still correspond to an ill-formed model Hence, performing parametric Zeno-freeness checking is also on our agenda Moreover, we are very interested in proposing distributed procedures for deadlock-freeness synthesis so as to take advantage of the power of clusters Finally, we believe our backward algorithm BwUS could be adapted to obtained under-approximated results for other problems such as the unavoidability synthesis in [9] References Alur, R., Dill, D.L.: A theory of timed automata Theor Comput Sci 126(2), 183–235 (1994) Alur, R., Henzinger, T.A., Vardi, M.Y.: Parametric real-time reasoning In: STOC, pp 592–601 (1993) ´ Fribourg, L., Kă Andre, E., uhne, U., Soulat, R.: IMITATOR 2.5: a tool for analyzing robustness in scheduling problems In: Giannakopoulou, D., M´ery, D (eds.) FM 2012 LNCS, vol 7436, pp 33–36 Springer, Heidelberg (2012) doi:10.1007/ 978-3-642-32759-9 ´ Lime, D.: Liveness in L/U-parametric timed automata (2016, submit4 Andr´e, E., ted) https://hal.archives-ouvertes.fr/hal-01304232 Bagnara, R., Hill, P.M., Zaﬀanella, E.: The parma polyhedra library: toward a complete set of numerical abstractions for the analysis and veriﬁcation of hardware and software systems Sci Comput Program 72(1–2), 3–21 (2008) Beneˇs, N., Bezdˇek, P., Larsen, K.G., Srba, J.: Language emptiness of continuoustime parametric timed automata In: Halld´ orsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B (eds.) ICALP 2015 LNCS, vol 9135, pp 69–81 Springer, Heidelberg (2015) doi:10.1007/978-3-662-47666-6 Claris´ o, R., Cortadella, J.: Veriﬁcation of concurrent systems with parametric delays using octahedra In: ACSD, pp 122–131 IEEE Computer Society (2005) Hune, T., Romijn, J., Stoelinga, M., Vaandrager, F.W.: Linear parametric model checking of timed automata JLAP 52–53, 183–220 (2002) Jovanovi´c, A., Lime, D., Roux, O.H.: Integer parameter synthesis for timed automata IEEE Trans Softw Eng 41(5), 445–461 (2015) 10 Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell Int J Softw Tools Technol Transf 1(1–2), 134–152 (1997) 11 Markey, N.: Robustness in real-time systems In: SIES, pp 28–34 IEEE Computer Society Press (2011) 12 Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards ﬂexible veriﬁcation under fairness In: Bouajjani, A., Maler, O (eds.) CAV 2009 LNCS, vol 5643, pp 709– 714 Springer, Heidelberg (2009) doi:10.1007/978-3-642-02658-4 59 Author Index Madeira, Alexandre 422 Marmsoler, Diego 235 Martins, Manuel A 422 McIver, Annabelle 121 Amálio, Nuno 255 André, Étienne 469 Babari, Parvaneh Barbosa, Luis S Benevides, Mario Brenas, Jon Haël 370 385, 422 R.F 441 315 Nazier Mosaad, Peter 405 Neves, Renato 385 Nguyen, Ngoc-Khai 82 Cauderlier, Raphaël 459 Cavalcanti, Ana 255 Obua, Steven 333 Dang, Duc-Hanh 82 de Melo, Ana C.V 158 de Moura, Flávio L.C 179 Demaille, Akim 351 Droste, Manfred 370 Dubois, Catherine 459 Păsăreanu, Corina S 158 Perchy, Salim 214 Perevoshchikov, Vitaly 370 Pietkiewicz-Koutny, Marta 103 Echahed, Rachid 315 Rabehaja, Tahiry 121 Rueda, Camilo 214 Fleuriot, Jacques 333 Fontaine, Allyx 69 Foster, Simon 295 Fränzle, Martin 405 Schwammberger, Maike Scott, Phil 333 Strecker, Martin 315 Struth, Georg 121 Given-Wilson, Thomas 139 Gleirscher, Mario 235 Guttmann, Walter 51 Guzmán, Michell 214 Haeusler, Edward Hermann Halmagrand, Pierre 196 Hanazumi, Simone 158 Hennicker, Rolf 422 Hilscher, Martin 274 Kleijn, Jetty 103 Koutny, Maciej 103 Travkin, Oleg Truong, Anh-Hoang 441 82 Valencia, Frank D 214 Van Hung, Dang 82 Wehrheim, Heike Woodcock, Jim 255, 295 Xue, Bai 405 Yen, Hsu-Chun 25 Legay, Axel 139 Li, Yi 33 Lopes, Bruno 441 274 Zemmari, Akka 69 Zeyda, Frank 295 ... International Colloquium on Theoretical Aspects of Computing, held during October 2 4–3 1, 2016, in Taipei, Taiwan, ROC The International Colloquium on Theoretical Aspects of Computing (ICTAC) is a series of. .. http://www.springer.com/series/7407 Augusto Sampaio Farn Wang (Eds.) • Theoretical Aspects of Computing – ICTAC 2016 13th International Colloquium Taipei, Taiwan, ROC, October 2 4–3 1, 2016 Proceedings 123 Editors Augusto Sampaio... presentations and invited talks, ICTAC 2016 continued the tradition of previous ICTAC conferences in holding a ﬁve-course school on important topics in theoretical aspects of computing We thank all the
- Xem thêm -
Xem thêm: Theoretical aspects of computing – ICTAC 2016 13th international colloquium , Theoretical aspects of computing – ICTAC 2016 13th international colloquium , 1 Syntax, Proof System and Set Theory, 2 Translating Formulæ from B to PFOL, 1 D"3223379 -logic: Syntax and Semantics, 2 Turning D"3223379 -logic into an Institution