The synthesized repairs that lead to a TA \(T_\iota \) change the original TA T in fundamental ways, both syntactically and semantically. This raises the question of whether the synthesized repairs are admissible. In fact, one of the key questions is which notion of admissibility is meaningful in this context.
A timed trace [7] is a sequence of timed actions \(\xi = (t_1, a_1), (t_2, a_2), \ldots \) that is generated by a run of a TA, where \(t_i \le t_{i+1}\) for all \(i \ge 1\). The timed language of a TA T is the set of all its timed traces, which we denote by \(\mathcal{L}_T(T)\). The untimed language of T consists of the words over T’s alphabet \(\varSigma \) such that at least one timed trace of T forms this word. Formally, for a timed trace \(\xi = (t_1, a_1),(t_2, a_2)\ldots \), the untime operator \(\mu (\xi )\) returns the untimed trace \(\xi _{\mu } = a_1 a_2 \ldots \). We define the untimed language \(\mathcal{L}_{\mu }(T)\) of the TA T as \(\mathcal{L}_{\mu }(T) = \{ \mu (\xi ) \mid \xi \in \mathcal{L}_T(T) \}\).
Let B be a Büchi automaton (BA) [10] over some alphabet \(\varSigma \). We write \(\mathcal{L}(B) \subseteq \varSigma ^\omega \) for the language accepted by B. Similarly, we denote by \(\mathcal{L}_f(B) \subseteq \varSigma ^*\) the language accepted by B if it is interpreted as a nondeterministic finite automaton (NFA). Further, we write \(\text {pref}(\mathcal{L}(B))\) to denote the set of all finite prefixes of words in \(\mathcal{L}(B)\).
For a given NFA or BA M, the closure \(\texttt {cl}(M)\) denotes the automaton obtained from M by turning all of its states into accepting states. We call M closed iff \(M=\texttt {cl}(M)\). Notice that a closed Büchi automaton accepts a safety language and, conversely, every \(\omega \)-regular safety language is accepted by some closed Büchi automaton [1]; closedness is a property of the automaton, so a non-closed automaton may accept a safety language as well.
Admissibility Criteria. From a syntactic point of view, the repair obtained from a satisfying assignment \(\iota \) of the MaxSMT instance ensures that \(T_\iota \) is a syntactically valid TA model by, for instance, placing non-negativity constraints on repaired clock bounds. In case repairs alter right hand sides of clock constraints to rational numbers, this can easily be fixed by normalizing all clock constraints in the TA (scaling every constant by a common denominator so that all bounds become integers again).
From a semantic perspective, the impact of the repairs is more profound. Since the repairs affect time bounds in location invariants and transition guards, as well as clock resets, the behavior of \(T_\iota \) may be fundamentally different from the behavior of T.
- First, the computed repair for one property \(\varPi \) may render another property \(\varPi '\) violated. To check admissibility of the synthesized repair with respect to the set of all properties \(\widehat{\varPi }\) in the system specification, a full re-checking of \(\widehat{\varPi }\) is necessary.
- Second, a repair may have introduced zenoness or timelocks [4] into \(T_\iota \). As discussed in [4], there exist both an over-approximating static test for zenoness and a precise, model checking based test for timelocks that can be used to verify whether the repair is admissible in this regard.
- Third, due to changes in the possible assignment of time values to clocks, locations that are reachable in the TA T may become unreachable in \(T_\iota \), and vice versa. On the one hand, this means that some functionality of the system may no longer be provided, since some of the actions of T are no longer executable in \(T_\iota \). Further, a reduction of the set of reachable locations in \(T_\iota \) compared to T may mean that certain locations with property violations in T are no longer reachable in \(T_\iota \), which implies that these property violations are masked by the repair rather than fixed. On the other hand, a repair that makes locations reachable in \(T_\iota \) that were unreachable in T may have the effect that previously unobserved property violations become visible and that \(T_\iota \) possesses functionality that T does not have, which may or may not be desirable.
It should be pointed out that we assess admissibility of a repair leading to \(T_\iota \) with respect to a given TA model T, and not with respect to a correct TA model \(T^*\) satisfying \(\varPi \).
Functional Equivalence. While various variants of semantic admissibility may be considered, we focus on a notion of admissibility that ensures that a repair does not unduly change the functional behavior of the modeled system while adhering to the timing constraints of the repaired system. We refer to this as functional equivalence. The functional capabilities of a timed system manifest themselves in the sets of action or transition traces that the system can execute. For TAs T and \(T_\iota \) this means that we need to consider the languages over the action or transition alphabets that these TAs define. Considering the timed languages of T and \(T_\iota \), we can state that \(\mathcal{L}_T(T) \ne \mathcal{L}_T(T_\iota )\), since the repair forces at least one timed trace to be purged from \(\mathcal{L}_T(T)\). This means that equivalence of the timed languages cannot be an admissibility criterion ensuring functional equivalence. At the other end of the spectrum we may relate the de-timed languages of T and \(T_\iota \). The de-time operator \(\alpha (T)\) is defined such that it omits all timing constraints and resets from a TA T. Requiring \(\mathcal{L}(\alpha (T)) = \mathcal{L}(\alpha (T_\iota ))\) is tempting, since it states that when eliminating all timing related features from T and from the repaired \(T_\iota \), the resulting action languages are identical.
However, this admissibility criterion would be flawed, since the repair may make locations that are unreachable in T reachable in \(T_\iota \), and vice versa. This has an impact on the untimed languages: even though \(\mathcal{L}(\alpha (T)) = \mathcal{L}(\alpha (T_\iota ))\), it may be that \(\mathcal{L}_{\mu }(T) \ne \mathcal{L}_{\mu }(T_\iota )\). To illustrate this point, consider the running example in Fig. 2 and assume that the invariant of location dbServer.reqReceiving is modified from \(z \le 2\) to \(z \le 1\) in the repaired TA \(T_\iota \). Applying the de-time operator to \(T_\iota \) makes the location dbServer.timeout, which is unreachable in \(T_\iota \), reachable in the de-timed model. Since dbServer.timeout is reachable in T, the TAs T and \(T_\iota \) are not functionally equivalent, even though their de-timed languages are identical. Notice that \(\mathcal{L}_{\mu }(T) \ne \mathcal{L}_{\mu }(T_\iota )\) holds for the untimed languages, since no timed trace in \(\mathcal{L}_T(T_\iota )\) reaches location timeout, whereas such a timed trace exists in \(\mathcal{L}_T(T)\). In detail, \(\mathcal{L}_\mu (T)\) contains the untimed trace \(\varTheta _0\varTheta _1\varTheta _2\varTheta _3\varTheta _4\), where \(\varTheta _4\) is the transition towards the location dbServer.timeout, and this trace is missing from \(\mathcal{L}_\mu (T_\iota )\). As a consequence, we resort to considering the untimed languages of T and \(T_\iota \) and require \(\mathcal{L}_{\mu }(T) = \mathcal{L}_{\mu }(T_\iota )\). It is easy to see that \(\mathcal{L}_{\mu }(T) = \mathcal{L}_{\mu }(T_\iota ) \Rightarrow \mathcal{L}(\alpha (T)) = \mathcal{L}(\alpha (T_\iota ))\): a repair only alters clock constraints and resets, so \(\alpha (T)\) and \(\alpha (T_\iota )\) coincide and the right hand side holds regardless of the repair. In other words, equivalence of the untimed languages is the stronger requirement and ensures functional equivalence.
Admissibility Test. Designing an algorithmic admissibility test for functional equivalence is challenging due to the computational complexity of determining the equivalence of the untimed languages \(\mathcal{L}_{\mu }(T)\) and \(\mathcal{L}_{\mu }(T_\iota )\). While language equivalence is decidable for languages defined by Büchi automata, it is undecidable for timed languages [3]. For untimed languages, however, this problem is again decidable [3]. The algorithmic implementation of the test for functional equivalence that we propose proceeds in two steps.
- First, the untimed languages \(\mathcal{L}_\mu (T)\) and \(\mathcal{L}_\mu (T_\iota )\) are constructed. This requires an untime transformation of T and \(T_\iota \) yielding Büchi automata representing \(\mathcal{L}_\mu (T)\) and \(\mathcal{L}_\mu (T_\iota )\). While the standard untime transformation for TAs [3] relies on a region construction, we propose a transformation that relies on a zone construction [14]. This will provide a more succinct representation of the resulting untimed languages and, hence, a more efficient equivalence test.
- Second, it needs to be determined whether \(\mathcal{L}_\mu (T) = \mathcal{L}_\mu (T_\iota )\). As we shall see, the obtained Büchi automata are closed. Hence, we can reduce the equivalence problem for these \(\omega \)-regular languages to checking equivalence of the regular languages obtained by taking the finite prefixes of the traces in \(\mathcal{L}_\mu (T)\) and \(\mathcal{L}_\mu (T_\iota )\). This allows us to interpret the Büchi automata obtained in the first step as NFAs, for which the language equivalence check is a standard construction [15].
Automata for Untimed Languages. The construction of an automaton representing an untimed language, here referred to as an untime construction, has so far been proposed based on a region abstraction [3]. The region abstraction is known to be relatively inefficient, since the number of regions is, among other things, exponential in the number of clocks [4]. We therefore propose an untime construction based on a zone automaton [14], which in the worst case has the same complexity as the region automaton but is on average more succinct [7].
Definition 3
(Untimed Büchi Automaton). Assume a TA T and the corresponding zone automaton
\(\varTheta _Z)\). We define the untimed Büchi automaton as the closed BA \(B_T = (S, \varSigma ,\rightarrow , S_0,F)\) obtained from
such that \(S = S_Z\), \(\varSigma = \varSigma _Z \setminus \{\delta \}\) and \(S_0 = \{s_Z^0\}\). For every transition in \(\varTheta _Z\) with a label \(a \in \varSigma \) we add a transition to \(\rightarrow \) created by the rule
with \(z^\uparrow = \{ v + d | v \in z, d \in \mathbb {R}_{\ge 0}\}\). In addition, we add self-transitions
to every state \((l,z) \in S\).
The following observations justify this definition:
- A timed trace of T may remain forever in the same location after a finite number of action transitions. In order to enable \(B_T\) to accept this trace, we add a self-transition labeled with \(\tau \) to \(\rightarrow \) for each state \(s \in S\) of \(B_T\), and later define s as accepting. These \(\tau \)-self-transitions extend every finite timed trace t leading to a state of \(B_T\) to an infinite trace \(t.\tau ^\omega \).
- The construction of the acceptance set F is more intricate. Convergent traces are often excluded from consideration in real-time model checking [4]. As a consequence, in the untime construction proposed in [3] only a subset of the states in S may be included in F. A repair may turn a subgraph of the location graph of T that is reachable only by divergent traces into a subgraph of \(T_\iota \) that is reachable only by convergent traces. However, excluding convergent traces is only meaningful when considering unbounded liveness properties, not when analyzing timed safety properties, which in effect are safety properties. As argued in [7], unbounded liveness properties appear to be less important than timed safety properties in timed systems. This is due to the observation that convergent traces reflect unrealistic behavior in the limit, whereas their finite prefixes, which are all that needs to be considered for timed safety properties, correspond to realistic behavior. This observation is also reflected in the way in which, e.g., UPPAAL treats reachability by convergent traces. In conclusion, this justifies our choice to define the untimed Büchi automaton obtained from the zone automaton as a closed BA, i.e., \(F = S\).
Theorem 2
(Correctness of Untimed Büchi Automaton Construction). For an untimed Büchi automaton \(B_T\) derived from a TA T according to Definition 3 it holds that \(\mathcal{L}(B_T) = \mathcal{L}_\mu (T)\).
Equivalence Check for Untimed Languages. Given that the untime construction delivers closed BAs, we can reduce the admissibility test \(\mathcal{L}_{\mu }(T) = \mathcal{L}_{\mu }(T_\iota )\), defined over infinite languages, to an equivalence test over the finite prefixes of these languages, represented by interpreting the untimed Büchi automata as NFAs. The following theorem justifies this reduction.
Theorem 3
(Language Equivalence of Closed BA). Given closed Büchi automata B and \(B'\), if \(\mathcal{L}_{\text {f}}(B) = \mathcal{L}_{\text {f}}(B')\) then \(\mathcal{L}(B) = \mathcal{L}(B')\).
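The two-step admissibility test described above (a zone-based untime construction followed by the prefix-language equivalence check of Theorem 3 on the closed automata interpreted as NFAs), together with the contrast between de-timed and untimed languages from the Functional Equivalence paragraph, as an added Python illustration that is not code from the paper. It assumes a constructed toy one-clock TA of our own (not the running example of Fig. 2) in which all clock constraints are non-strict, so every zone is a closed interval, and it assumes the standard zone successor rule of [14], whose exact formulation is not reproduced on this page: let time pass within the source invariant, intersect with the guard, apply the reset, and intersect with the target invariant.

```python
import math
from collections import deque

INF = math.inf
TAU = "tau"  # label of the self-transitions added in Definition 3


class OneClockTA:
    """One-clock TA with non-strict bounds: every zone is a closed interval (lo, hi)."""

    def __init__(self, init, invariants, edges):
        self.init = init
        self.inv = invariants  # location -> c in the invariant x <= c (INF if none)
        self.edges = edges     # (src, action, glo, ghi, reset, dst): guard glo <= x <= ghi


def zone_successor(ta, zone, edge):
    """Assumed standard zone successor of [14]: let time pass within I(src),
    take the guard, reset, and enter I(dst). Returns None if the edge is disabled."""
    src, _, glo, ghi, reset, dst = edge
    lo, _ = zone
    lo, hi = max(lo, glo), min(ta.inv[src], ghi)   # (z^up ∩ I(src)) ∩ guard
    if lo > hi:
        return None
    if reset:
        lo, hi = 0, 0
    hi = min(hi, ta.inv[dst])                      # ∩ I(dst)
    return None if lo > hi else (lo, hi)


def untime(ta):
    """Zone-based untime construction: states are (location, zone) pairs, every
    state is accepting (closed automaton) and carries a tau self-loop."""
    start = (ta.init, (0, 0))
    trans, todo = {start: {TAU: {start}}}, deque([start])
    while todo:
        state = todo.popleft()
        for edge in ta.edges:
            if edge[0] != state[0]:
                continue
            zone = zone_successor(ta, state[1], edge)
            if zone is None:
                continue
            succ = (edge[5], zone)
            if succ not in trans:
                trans[succ] = {TAU: {succ}}
                todo.append(succ)
            trans[state].setdefault(edge[1], set()).add(succ)
    return {start}, trans


def detime(ta):
    """De-time operator alpha(T): drop all clock constraints and resets."""
    trans = {loc: {} for loc in ta.inv}
    for src, action, _glo, _ghi, _reset, dst in ta.edges:
        trans[src].setdefault(action, set()).add(dst)
    return {ta.init}, trans


def closed_equivalent(a, b):
    """Decide L_f(A) = L_f(B) for closed automata (all states accepting) by a
    synchronised subset construction: the prefix languages differ exactly when
    some word reaches a nonempty state set in one automaton and the empty set
    in the other. Returns (True, None) or (False, distinguishing_word)."""
    (init_a, trans_a), (init_b, trans_b) = a, b
    alphabet = sorted({act for t in (trans_a, trans_b) for d in t.values() for act in d})

    def step(trans, states, act):
        return frozenset(s2 for s in states for s2 in trans.get(s, {}).get(act, ()))

    start = (frozenset(init_a), frozenset(init_b))
    seen, todo = {start: []}, deque([start])
    while todo:
        pair = todo.popleft()
        for act in alphabet:
            nxt = (step(trans_a, pair[0], act), step(trans_b, pair[1], act))
            if bool(nxt[0]) != bool(nxt[1]):
                return False, seen[pair] + [act]
            if nxt[0] and nxt not in seen:
                seen[nxt] = seen[pair] + [act]
                todo.append(nxt)
    return True, None


def example_models():
    """Constructed toy T and its repair T_iota: the repair tightens the invariant
    of `receiving` from x <= 2 to x <= 1 and thereby disables `expire` (x >= 2)."""
    edges = [
        ("idle", "req", 0, INF, True, "receiving"),
        ("receiving", "resp", 0, 1, False, "done"),
        ("receiving", "expire", 2, INF, False, "timeout"),
        ("done", "ack", 0, INF, True, "idle"),
        ("timeout", "retry", 0, INF, True, "idle"),
    ]
    inv = {"idle": INF, "receiving": 2, "done": INF, "timeout": INF}
    return OneClockTA("idle", inv, edges), OneClockTA("idle", {**inv, "receiving": 1}, edges)


def admissibility_report():
    """(de-timed languages equal?, untimed languages equal?, distinguishing untimed trace)."""
    t, t_iota = example_models()
    detimed_equal, _ = closed_equivalent(detime(t), detime(t_iota))
    untimed_equal, witness = closed_equivalent(untime(t), untime(t_iota))
    return detimed_equal, untimed_equal, witness


if __name__ == "__main__":
    print(admissibility_report())  # (True, False, ['req', 'expire'])
```

Running the block yields (True, False, ['req', 'expire']): the de-timed languages coincide, because the repair changes only constants and the location graph is untouched, whereas the untimed languages differ, and the synchronised subset search returns the untimed trace that reaches the timeout location in T but not in \(T_\iota \). The check relies on every state being accepting: for closed automata a set of NFA states is accepting iff it is nonempty, so a prefix belongs to exactly one of the two languages precisely when one of the two synchronised sets becomes empty.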
Discussion. One may want to adapt the admissibility test so that it only considers divergent traces, e.g., in cases where only unbounded liveness properties need to be preserved by a repair. This can be accomplished as follows. First, an over-approximating non-zenoness test [4] can be applied to T and \(T_\iota \). If it shows non-zenoness, then one knows that the respective TA does not include convergent traces. If this test fails, a more expensive test is needed. It requires constructing the untimed Büchi automata using the approach from [3], and subsequently testing equivalence of the untimed languages accepted by these BAs using, for instance, the automata-theoretic constructions proposed in [9].