Keywords

1 Introduction

The maintenance of legacy systems is known to be a very costly task, and the lack of knowledge hampers the possibility of a reimplementation with more modern technologies. Legacy systems may have been actively operating for decades, but their behavior is known only to a handful of people. It is therefore important to have automated means to reverse-engineer and understand their behavior, for example in the form of state machines or temporal properties.

We focus on understanding systems that exhibit self-stabilizing behaviors, i.e. that are typically in a stable state, and respond to external stimuli by reaching stability in a possibly different state. As an industrially relevant example, consider legacy Railway Interlocking Systems based on Relay technology (RRIS): these are electro-mechanical circuits for the control of railway stations, with thousands of components that respond to the requests of human operators to activate the shunting routes for the movement of the trains. They support a computational model based on “run-to-completion”, where a change in a part of the circuit (e.g. a switch closing) may change the power in another part of the circuit, and in turn operate other switches, until a stable condition is (hopefully) reached. This is very different in spirit from typical “cycle-based” control implemented in computer-based systems such as SCADA.

In this paper, we tackle the problem of extracting abstract specifications of the possible behaviors of an infinite-state timed transition system. The idea is to understand how the system evolves from a stable state, in response to a given stimulus, to the next stable state. In addition, we are interested in knowing under which conditions the transitions are possible and which are the effects on selected state variables. All this information is presented in the form of an extended finite state machine, which can be seen as a collection of temporal specifications satisfied by the system.

We make the following contributions. First, we propose the general framework of Abstraction Modulo Stability, a white-box analysis of self-stabilizing systems with run-to-completion behavior. The set of abstract states is the grid induced by a set of given predicates of interest. The framework is generic and parameterized with respect to the notion of stability. Different notions of stability are possible, depending on several factors: remaining in a region is possible (for some paths) or necessary (for all paths); whether the horizon of persistence in the stable region is unbounded, or lower-bounded on the number of discrete transitions and/or on the actual time. The framework also takes into account the notion of reachability in the concrete space, in order to limit the amount of spurious behaviors in the abstract description. We illustrate the relations holding between the corresponding abstractions, depending on the strength of the selected notion of stability.

Second, we present a practical algorithm to compute stability abstractions. We face two key difficulties. In the general case, one abstract transition is associated to a sequence of concrete transitions, of possibly unbounded length, so that a fix point must be reached. Furthermore, we need to make sure that the sequence is starting from a reachable state. Contrast this with the standard SMT-based computation of predicate abstractions [15], where one transition in the abstract space corresponds to one concrete transition, and reachability is not considered.

Third, we show how to lift to the abstract space other relevant variables from the concrete space, so that each abstract transition is associated with guards and effects. This results in a richer abstraction where the abstract states (typically representing control modes) are complemented by information on the data flow of the additional variables (typically representing the actual control conditions in a given mode).

We experimentally evaluate the approach on several large RRIS implementing the control logic for shunting routes and switch controls. This research is strongly motivated by an ongoing activity on the migration of the Italian Railway Network from relay-based interlocking to computer-based interlocking [3]. Stability abstraction is the chosen formalism to reverse engineer the RRIS, and to automatically provide the actual specifications for computer-based interlocking. We demonstrate the effectiveness of the proposed algorithms, and the crucial role of reachability in terms of precision of the abstractions.

Related Works. This work has substantial differences with most of the literature in abstraction. For example, Predicate Abstraction (PA) [11] can be directly embedded within the framework; furthermore, PA does not take into account concrete reachability; finally, an abstract transition is the direct result of a concrete transition, and not, as in our case, of a sequence of concrete transitions.

In [5] the authors propose to analyze abstract transitions between invariant regions with an approximated approach. In comparison, we propose a general framework, parameterized on the notion of stability. Additionally, we propose effective algorithms to construct automata from concrete behaviors only, and that represent symbolically the guards and the effects of the transitions.

The idea of weak bisimilarity [19], proposed for the comparison of observable behaviors of CCS, is based on collapsing sequences of silent, internal actions. The main difference with our approach is that weak bisimilarity is not used to obtain an abstraction for reverse engineering. Furthermore, in Abstraction Modulo Stability, observability is a property of states, and the silent actions are collapsed only when passing through unobservable (i.e., unstable) states.

Somewhat related are the techniques for specification mining, that have been extensively studied, for example in hardware and software. For example, DAIKON [9] extracts candidate invariant specifications from simulations. In our approach, the abstraction directly results in temporal properties that are guaranteed to hold on the system being abstracted. Yet, simulation-based techniques might be useful to bootstrap the computation of Abstraction Modulo Stability.

The work in [1] proposes techniques for the analysis of RRIS, assuming that a description of the stable states is already given. There are two key differences: first, the analysis of transient states is not considered; second, the extraction of a description in terms of stable states is a manual (and thus inefficient and error prone) task. For completeness, we mention the vast literature on the application of formal methods to railways interlocking systems (see e.g. [6, 12, 13, 17, 18]). Aside from the similarity in the application domain, these works are not directly related, given their focus on the verification of the control algorithms.

Structure of the Paper. In Sect. 2 we present the background notions. In Sect. 3 we present the framework of Abstraction Modulo Stability. In Sect. 4 we present the algorithms for computing abstraction. In Sect. 5 we present the experimental evaluation. In Sect. 6 we draw some conclusions and present the directions of future work.

2 Background

We work in the setting of Satisfiability Modulo Theories (SMT) [4], with quantifier-free first order formulae interpreted over the theory of Linear Real Arithmetic (LRA). We use PQ to denote sets of Boolean variables, pq to denote truth assignments, and the standard Boolean connectives \(\wedge , \vee , \lnot , \rightarrow \) for conjunction, disjunction, negation and implication. \(\top \) and \(\bot \) define true and false respectively. For a set of variables V, let \(\varPsi _\mathcal {T} (V)\) denote the set of first-order formulae over a theory \(\mathcal {T} \) with free variables in V. When clear from context we omit the subscript. Let \(V' \mathrel {\buildrel \mathrm {.} \over {=}}\{ v' \mathrel {|}v \in V \}\). For a formula \(\phi \in \varPsi (V)\), let \(\phi '\) denote \(\phi [V / V']\), i.e. the substitution of each variable \(v \in V\) with \(v'\).

A finite state automaton is a tuple \(\mathcal {A} = \langle Q, L, Q_0, R\rangle \) where: Q is a finite set of states; L is the alphabet; \(Q_0 \subseteq Q\) is the set of initial states; \(R \subseteq (Q \times L \times Q)\) is the labeled transition relation. We also consider automata with transitions annotated by guards and effects expressed as SMT formulae over given sets of variables. For \((q_1, \ell , q_2) \in R\), we write \(q_1 \overset{{\ell }}{\longrightarrow }_{\mathcal {A}} q_2\). Let \(\mathcal {A} _1\) and \(\mathcal {A} _2\) be two automata defined on the same set of states Q and on the same alphabet L including a label \(\tau \): we say that \(\mathcal {A} _1\) weakly simulates \(\mathcal {A} _2\), and we write \(\mathcal {A} _1 \mathrel {\lesssim }\mathcal {A} _2\), if whenever \(q \overset{{\ell }}{\longrightarrow }_{\mathcal {A} _1} q'\), then \(q \overset{{\ell }}{\longrightarrow }_{\mathcal {A} _2} \overset{{\tau }}{\longrightarrow }^{*}_{\mathcal {A} _2} q'\), where \(\overset{{\tau }}{\longrightarrow }^{*}\) is a (possibly null) sequence of transitions labeled with \(\tau \).

A symbolic timed transition system is a tuple \(\mathcal {M} = \langle V, C, \varSigma , \mathrm {Init}, \mathrm {Invar}, \mathrm {Trans} \rangle \), where: V is a finite set of state variables; \(C \subseteq V\) is a set of clock variables; \(\varSigma \) is a finite set of boolean variables encoding the alphabet; \(\mathrm {Init} (V)\), \(\mathrm {Invar} (V)\), \(\mathrm {Trans} (V,\varSigma ,V')\) are SMT formulae describing the initial states, the invariant and the transition relation respectively. The clocks in C are real-valued variables. We restrict the formulae over clock variables to atoms of the form \(c \bowtie k\), for \(c \in C\), \(k \in \mathbb {R}\) and \(\bowtie \in \{\le , <, \ge , >, =\}\). The clock invariants are convex. We allow the other variables in V to be either boolean or real-valued.

A state is an assignment for the V state variables, and let S denote the set of all the interpretations of V. We assume a distinguished clock variable \( time \in C\) initialized with \( time = 0\) in \(\mathrm {Init} \), representing the global time.

The system evolves following either a discrete or a timed step. The timed transition entails that there exists \(\delta \in \mathbb {R}_{\scriptscriptstyle {+}}\) such that \(c' = c + \delta \) for each clock variable \(c \in C\), and \(v' = v\) for all the other variablesFootnote 1. The discrete transition entails that \( time ' = time \) and can change the other variables instantaneously.

A valid trace \(\pi \) is a sequence of states \((s_0, s_1, \dots )\) that all fulfill the \(\mathrm {Invar} \) condition, such that \(s_0 \models \mathrm {Init} \) and for all i, \((s_i, \ell _i, s_{i+1}) \models \mathrm {Trans} (V, \varSigma , V')\) for some \(\ell _i\) assignment to \(\varSigma \). We denote with \(\mathrm {Reach} (\mathcal {M})\) the set of states that are reachable by a valid trace in \(\mathcal {M} \). We adopt a hyper-dense semantics: in a trace \(\pi \), time is weakly monotonic, i.e. \(s_i. time \le s_{i+1}. time \). We disregard Zeno behaviors, i.e. every finite run is a prefix of a run in which \( time \) diverges.

The states in which time cannot elapse, i.e. which are forced to take an instantaneous discrete transition, are called urgent states. We assume the existence of a boolean state variable \( urg \in V\) which is true in all and only the urgent states. Namely, for every pair of states \((s_i, s_{i+1})\) in a path \(\pi \) where \(s_i. urg \) is true, then \((s_i. time = s_{i+1}. time )\).

We consider CTL+P [16], a branching-time temporal logic with the future and past temporal operators. A history \(h = (s_0,...,s_n)\) for \(\mathcal {M} \) is a finite prefix of a trace of \(\mathcal {M} \). For a CTL+P formula \(\psi \), write \(\mathcal {M}, h \models \psi \) meaning that after h, \(s_n\) satisfies \(\psi \) in \(\mathcal {M} \). Operators \(\mathrm {AG}\psi \), \(E(\psi _1 \mathrel {\mathrm {U}}\psi _2)\), \(H \psi \) are used with their standard interpretations (in every future \(\psi \) will always hold, there exists a future in which \(\psi _1\) holds until \(\psi _2\), in the current history \(\psi \) always held, respectively).

3 The Framework of Abstraction Modulo Stability

3.1 Overview

We tackle the problem of abstracting a concrete system in order to mine relevant high-level properties about its behavior.

We are interested in how the system reacts to stimuli: when an action is performed, we want to skip the intermediate steps that are necessary to accomplish an induced effect, and evaluate how stable conditions are connected to each other. The definition of stability is the core filter that defines which states we want to observe when following a run-to-completion process, i.e., the run triggered by a stimulus under the assumption that the inputs remain stationary. In practice, several definitions of stability are necessary, each of them corresponding to a different level of abstraction.

An additional element of the desired abstraction is that relevant properties regard particular evaluations of the system. We consider a defined abstract space which intuitively holds the observable evaluations on the system, on which we will project the concrete states.

In this section we describe a general framework for Abstraction Modulo Stability, which is parametric with respect to the abstract domain and the definition of stability. The result will be a finite state system which simulates the original model, by preserving only the stable way-points on the abstract domain, and by skipping the transient (i.e., unstable and unobservable) states.

Finally, we define how the obtained abstract automata can be enriched with guards and effects for each transition.

Fig. 1.
figure 1

A timed transition system representing a tank of water.

Full size image

Example 1

Consider as running example the timed transition system \(\mathcal {S} \) shown in the right hand side of Fig. 1 which models a tank receiving a constant incoming flow of water, with an automatic safety valve.

\(\mathcal {S} \) has a clock variable c which monitors the velocity of filling and emptying processes, and reads an input boolean variable \(\mathrm {in.flow}\). The status of this variable is controlled by the environment \(\mathcal {E} \), shown in the left hand side of the figure. In the transition relation of \(\mathcal {E} \), the variables in \(\varSigma \) encode the labels for the stimuli, which are variations of the input variable \(\mathrm {in.flow}\). In particular, if \(\varSigma = \tau \), then \(\mathrm {in.flow}\) is unchanged, and we say that the system \(\mathcal {S} \) is not receiving any stimulus. \(\mathcal {S}\) reacts accordingly to the updated \(\mathrm {in.flow}'\). The discrete transitions of \(\mathcal {S} \) are labeled with guards and with resetting assignments on the clock variable (in the form [guards]/resets). The system starts in the Empty location. A discrete transition reacts to a true \(\mathrm {in.flow}\) jumping in Filling and resetting \(c':=0\). The invariant \(c \le 10\) of Filling forces the system to transit to a Warning location after 10 time units, corresponding to the time needed to reach a critical level. Warning is urgent: as soon as \(\mathcal {S}\) reaches this state, it is forced to take the next discrete transition. The urgency of location Warning models the causality relation between the evaluation on the level of water and the instantaneous opening of a safety valve. Due to the latter, in location Full the system dumps all the incoming water and keeps the level of water stable. If the input is closed, \(\mathcal {S} \) transits in Emptying. In this condition, water is discharged faster: after 2 time units the system is again in Empty. Transitions between Filling and Emptying describe the system’s reaction to a change of the input while in charging/discharging process.

We consider as predicates of interest exactly the five locations of the system. The stability abstraction of the composed system is meant to represent the stable conditions reached after the triggering events defined by \(\varSigma \).

3.2 Abstraction Modulo Stability

Consider a symbolic timed transition system \(\mathcal {M} = \langle X, C, \varSigma , \mathrm {Init}, \mathrm {Invar}, \mathrm {Trans} \rangle \) whose discrete transitions are labeled by assignments to \(\varSigma \) representing stimuli. A stimulus corresponds to a variation of some variables \(I \subseteq V\) which we call input variables. Namely, we can picture \(\mathcal {M} \) as a closed system partitioned into an environment \(\mathcal {E} \) which changes the variables I, and a open system \(\mathcal {S} \) which reads the conditions of the updated variables I and reacts accordingly: \(\mathrm {Trans} (X, \varSigma , X') = \mathrm {Trans} _\mathcal {E} (I, \varSigma , I') \mathrel {\wedge } \mathrm {Trans} _\mathcal {S} (V, I', V')\), with \(V = X \mathrel {\setminus }I\).

In particular, we assume a distinguished assignment \(\tau \) to the labels \(\varSigma \), corresponding to the absence of stimuli: \(\mathrm {Trans} _\mathcal {E} [\varSigma / \tau ] = (I \leftrightarrow I')\). The transition labeled with \(\tau \) is the silent or internal transition. It corresponds to the discrete changes which keep the inputs stationary (i.e., unchanged) and the timed transitions. We write \({\mathcal {M}}^\tau \) for the restriction of \(\mathcal {M} \) which evolves only with the silent transition \(\tau \), i.e., under the assumption that no external interrupting action is performed on \(\mathcal {S} \), so that \(I \leftrightarrow I'\) is entailed by the transition relation. We assume that \(\mathcal {M} \) is never blocked waiting for an external action: this makes \({\mathcal {M}}^\tau \) always responsive to \(\tau \) transition. Moreover, we assume that Zeno behaviors are not introduced by this restriction.

We define a framework for abstracting \(\mathcal {M} \) parametric on an abstract domain \(\varPhi \) and a stability definition \(\sigma \).

Abstract Domain. Between the variables of the system \(\mathcal {M} \), consider a set of boolean variables \(P \subseteq X\) representing important predicates. The abstract domain \(\varPhi \) is the domain of the boolean combinations of \(P \) variables.

Stability Definition. Let \(\sigma (X)\) be a CTL+P formula providing a stability criterion.

Definition 1

(\(\sigma \)-Stability). A concrete state s with history \(h = (s_0, \dots , s)\) is \(\sigma \)-stable if and only if

$$ {\mathcal {M}}^\tau , h \models \sigma . $$

Note that the stability is evaluated in \({\mathcal {M}}^\tau \), i.e. under the assumption that the inputs are stationary: at the reception of an external stimulus, a \(\sigma \)-stable might move to a new concrete state which does not satisfy \(\sigma \). We say that a state s is \(\sigma \)-stable in a region \(p \in \varPhi \) if it is \(\sigma \)-stable and \(s \models p\).

The states for which \({\mathcal {M}}^\tau , (s_0, \dots , s) \not \models \sigma \), are said \(\sigma \)-unstable. These states might be transient during a convergence process which leads to the next stable state. In the following we will omit the prefix \(\sigma \) when clear from context.

Definition 2

(Abstraction Modulo \(\sigma \)-Stability). Given a concrete system \(\mathcal {M} = \langle X, C, \varSigma , \mathrm {Init}, \mathrm {Invar}, \mathrm {Trans} \rangle \), with \(P \subseteq X\) boolean variables, the abstraction modulo \(\sigma \)-stability of \(\mathcal {M} \) is a finite state automaton \(\mathcal {A} _\sigma = \langle \varPhi , 2^\varSigma , \mathrm {Init} _\sigma , \mathrm {Trans} _\sigma \rangle \). For each \(p_0 \in \varPhi \), \(p_0 \models \mathrm {Init} _\sigma \) if and only if there exists a state \(s_0 \in S\) such that \(s_0 \models \mathrm {Init} \), and with \(h_0 = (s_0)\)

$$ {\mathcal {M}}^\tau , h_0 \models {\mathrm {E}}(\lnot \sigma \mathrel {\mathrm {U}}(\sigma \wedge p_0)). $$

For each \(p_1, p_2 \in \varPhi \), \(\ell \in 2^\varSigma \), the triple \((p_1, \ell , p_2) \models \mathrm {Trans} _\sigma \) if and only if there exist states \(s_0, s_1, s_2 \in S\) and histories \(h_1 = (s_0, \dots , s_1)\), \(h_2 = (s_2)\) such that \((s_1, \ell , s_2) \models \mathrm {Trans} \), and such that

$$ {\mathcal {M}}^\tau , h_1 \models \sigma \wedge p_1, \qquad {\mathcal {M}}^\tau , h_2 \models {\mathrm {E}}(\lnot \sigma \mathrel {\mathrm {U}}(\sigma \wedge p_2)). $$

Abstract automaton \(\mathcal {A} _\sigma \) simulates with a single abstract transition a run of the concrete system \(\mathcal {M} \) that connects two \(\sigma \)-stable states with a single event and possibly multiple steps of internal \(\tau \) transitions. We call such convergence process a run-to-completion triggered by the initial event.

Observe that the abstraction is led by the definition of \(\sigma \)-stability. It preserves only the abstract regions in which there is a \(\sigma \)-stable state. The transient states are not exposed, hence disregarding also the behaviors of \(\mathcal {M} \) in which a new external stimuli interrupts a convergence still in progress. In other words, it represents the effects of stimuli accepted only in stable conditions.

In this way, \(\mathcal {A} _\sigma \) satisfies invariant properties that would have been violated in \(\sigma \)-unstable states, transient along an internal run-to-completion.

Reachability-Aware Abstraction. Abstractions modulo stability can be tightened by considering only concrete reachable states in \(\mathcal {M} \). In fact, in the setting of reverse engineering, considering unreachable states may result in an abstraction that includes impossible behaviors that have no counterpart in the concrete space. This is done by enforcing that the first state of \(h_1\) in Definition 2 to be reachable in \(\mathcal {M} \). This is an orthogonal option to the choice of the stability definition \(\sigma \).

3.3 Instantiating the Framework

The level of abstraction of \(\mathcal {A} _\sigma \), i.e., the disregarded behaviors, is directly induced by the chosen definition of \(\sigma \). Its adequacy depends on both the application domain and the objective of the analysis. We now explore some possibilities that we consider relevant in practice.

Predicate Abstraction. Firstly, we show that the Abstraction Modulo Stability framework is able to cover the known predicate abstraction [11, 14]. With a trivial stability condition

$$\begin{aligned} \sigma _1 \mathrel {\buildrel \mathrm {.} \over {=}}\top , \end{aligned}$$

every concrete state s is stable and is projected in the abstract region it belongs to (\(p = \exists (X \mathrel {\setminus }P) \mathrel {.}s\)). In this way, all concrete transitions (including the timed ones) are reflected in the corresponding \(\mathcal {A} _{\sigma _1}\).

Non-urgent Abstraction. Urgent states are the ones in which time cannot elapse, and are forced to transit with a discrete transition. They are usually exploited to decompose a complex action made of multiple steps and to faithfully model the causality along a cyclical chain of events. Unfortunately, by construction, urgent states introduce transient conditions which may be physically irrelevant. In practice, in the analysis of the system’s behaviors, one may want to disregard the intermediate steps of a complex instantaneous action.

To this aim, we apply the Abstraction Modulo Stability framework and keep only the states in which time can elapse for an (arbitrarily small) time bound T.

$$ \sigma _2(X) \mathrel {\buildrel \mathrm {.} \over {=}}\lnot urg . $$

The obtained abstract automaton \(\mathcal {A} _{\sigma _2}\) has transitions that correspond to instantaneous run-to-completion processes, skipping urgent states until time is allowed to elapse.

Fig. 2.
figure 2

Abstractions modulo \(\sigma _1\) and \(\sigma _2\) on the tank running example.

Full size image

Example 2

On the left hand side of Fig. 2 we show the abstraction of the tank system obtained using \(\sigma _1\). An abstract transition connects two predicates (recall that in this example predicates correspond to concrete locations) if they are connected in \(\mathcal {S} \), by either a discrete or a timed transition.

On the right hand side of Fig. 2 we show the abstraction obtained using \(\sigma _2\). With respect to \(\mathcal {A} _{\sigma _1}\), here location Warning is missing, since time cannot elapse in it, and an abstract transition connects directly Filling to Full.

Eq-predicate Abstractions. Let \( Eq (P)\) be a formula expressing implicitly that the interpretations of the abstract predicates are not changing during a transition (either a discrete or a timed step).

We now address the intuitive definition: “a stable state is associated with behaviors that preserve the abstract predicates for enough time, i.e., if the system is untouched, then the predicates do not change value for a sufficient time interval”. One can choose to measure the permanence of s in \(p \in \varPhi \) in terms of number of steps (e.g., at least K concrete steps, with \(K \in \mathbb {N}_{\scriptscriptstyle {+}}\)), or in terms of continuous-time (e.g., for at least T time, with \(T \in \mathbb {R}_{\scriptscriptstyle {+}}\)), or both.

This intuitive definition can be interpreted both backward and forward. In this paragraph we illustrate the backward perspective.

Consider the doubly bounded definition

$$ \sigma _{3}^{T, K}(X) \mathrel {\buildrel \mathrm {.} \over {=}}{\mathrm {H}}^{> T, > K} Eq (P), $$

where: \({\mathcal {M}}^\tau , h \models \sigma _3^{T,K}\), if and only if \(h = (s_0 \dots s_i)\), with \(i \ge K\) and for some \(p \in 2^P\)

$$ \left( \begin{aligned}&\forall j \in [(i-K), i] \mathrel {:}s_j \models p \ \mathrel {\wedge } \\&s_i. time - s_{i-K}. time > T \\ \end{aligned}\right) . $$

Such characterization of stability captures the states that have been in the same predicate assignment for at least K steps and at least T time has elapsed in such frame. Several variants of this definition are possible, e.g. by using only one bound.

This definition is referred to as backward since we consider the history of the system: a stable state has a past trajectory that remained in the same abstract region for enough time/steps. It is practically relevant in contexts where it is useful to highlight the dwell time of the system in a given condition. The only visible behaviors are the ones that were exposed for sufficient time/steps.

It can be easily seen that if a history h satisfies \(\sigma _{3}^{ T_2, K}\), then it also satisfies \(\sigma _{3}^{ T_1, K}\), with \(T_1 \le T_2\).

Notably, for the instantiations of \(\sigma _3\) with \(K=1\), a state is stable if it has just finished a timed transition elapsing at least T time. In the following, we omit the superscript K from \(\sigma _3^{T,K}\) when \(K=1\). We have that if a history h satisfies \(\sigma _{3}^{T}\), then it also satisfies \(\sigma _2\). Namely, while every urgent state (i.e., a transient state for \(\sigma _2\)) is transient also for \(\sigma _{3}^{T}\), for \(\sigma _{3}^{T}\) also become transient the non-urgent states that are accidentally traversed in 0 time, for example because an exiting discrete transition is immediately enabled.

Future Eq-predicate Abstractions. In contrast to the backward evaluation of \(\sigma _3\), one can think of assessing stability forward, by looking at the future(s)Footnote 2 of the state. A possible definition in this perspective would be

$$ \sigma _4(X) \mathrel {\buildrel \mathrm {.} \over {=}}\mathrm {AG} Eq (P), $$

asking that, as long as only \(\tau \) transitions are taken, the system will never change the evaluation of predicates. Namely, once a state is \(\sigma _4\)-stable, it can change the predicates only with an external event, and the abstract states in \(\mathcal {A} _{\sigma _4}\) are closed under \(\tau \) transitions. This is similar in spirit to the notion of \(P\)-stable abstraction of [5], with the difference that in the latter arbitrary regions are considered.

Within this perspective, alternative definitions can be obtained by interchanging the existential/universal path quantifiers (e.g., \({\mathrm {E}}{\mathrm {G}} Eq (P)\) characterizes a state for which there exists a future that never changes the predicate evaluations), or by bounding the “globally” operator (e.g., \(\mathrm {AG}^{> K} Eq (P)\) captures a state which is guaranteed to expose the same evaluations of predicates in the next K steps). Observe that all these variants would assess \(\sigma \)-stability of a state before it has actually proven to expose the same predicates for enough time/steps.

Fig. 3.
figure 3

Abstractions modulo \(\sigma _{3}^{T=7}\) and \(\sigma _4\) on the tank running example.

Full size image

Example 3

On the left hand side of Fig. 2 we show the abstraction obtained with \(\sigma _{3}^{T, K}\) definition, using \(T = 7\) and \(K=1\). State Emptying is unstable, since time cannot elapse in it more than T time: namely, from Full, at the reception of the stimulus which opens \(\mathrm {in.flow}\), all the \(\tau \)-paths lead to Empty in less than T time. On the other hand, Fing is kept, since the system may stay in this location for enough time to be considered relevant.

On the right hand side of Fig. 2 we show the abstraction obtained with \(\sigma _4\). Here, the stable states are only Empty and Full: the others are abstracted since they are not invariant for the \(\tau \) internal transition. Each external event directly leads to the end of a timed process which converges in the next stable state. Note that in this setting, an abstract transition labeled with \(\tau \) can only be self loops. Here, \(\mathcal {A} _{\sigma _4}\) corresponds to the \(P\)-stable abstraction because the chosen abstract domain \(\varPhi \) is able to express the “minimally stable” regions [5] of \(\mathcal {M} \).

Observe that \(\mathcal {A} _{\sigma _4}\) would be also obtained by increasing the time bound of \(\sigma _3^T\), e.g., with \(T=15\).

As the examples show, different stability definitions induce abstract automata with different numbers of states and transitions. The following proposition states what is the effect on the abstract automata of making stricter the stability definition. Let us write \(p_1 \overset{{\ell }}{\longrightarrow }_\sigma p_2\) meaning that \((p_1, \ell , p_2) \models \mathrm {Trans} _\sigma \) in \(\mathcal {A} _\sigma \).

Proposition 1

Let \(\sigma \) and \(\sigma '\) be two stability definitions such that every history that is \(\sigma \)-stable, is also \(\sigma '\)-stable, and let \(\mathcal {A} _{\sigma }\) and \(\mathcal {A} _{\sigma '}\) be the corresponding abstractions modulo stability of the same concrete model \(\mathcal {M} \). Then, \(\mathcal {A} _{\sigma }\) weakly simulates \(\mathcal {A} _{\sigma '}\).

Proof

By definition, if \(p_1 \overset{{\ell }}{\longrightarrow }_\sigma p_2\), then there exists \((s_1, \ell , s_2) \models \mathrm {Trans} \) with (1) \({\mathcal {M}}^\tau , h_1 \models \sigma \wedge p_1 \), and (2) \({\mathcal {M}}^\tau , h_2 \models {\mathrm {E}}(\lnot \sigma \mathrel {\mathrm {U}}(\sigma \wedge p_2)\), with \(h_1 = (s_0 \dots , s_1)\) and \(h_2 = (s_2)\). Since every \(\sigma \)-stable history is also \(\sigma '\)-stable, from (1) we obtain that \({\mathcal {M}}^\tau , h_1 \models \sigma ' \wedge p_1\), and from (2) we derive

$$ \begin{aligned} {\mathcal {M}}^\tau , h_2 \models \mathrm {EF}(\sigma \wedge p_2)&\implies {\mathcal {M}}^\tau , h_2 \models \mathrm {EF}(\sigma ' \wedge p_2) \\&\implies {\mathcal {M}}^\tau , h_2 \models {\mathrm {E}}(\lnot \sigma ' \mathrel {\mathrm {U}}(\sigma ' \mathrm {EX}(\lnot \sigma ' ... \mathrel {\mathrm {U}}(\sigma ' \wedge p_2)...))) \end{aligned} $$

Hence, \(p_1 \overset{{\ell }}{\longrightarrow }_{\sigma '}\overset{{\tau }}{\longrightarrow }_{\sigma '}^{*} p_2\) and \(\mathcal {A} _{\sigma } \mathrel {\lesssim }\mathcal {A} _{\sigma '}\).

Corollary 1

For every bounds \(T_1 \le T_2 \in \mathbb {R}_{\scriptscriptstyle {+}}\)

$$ \mathcal {A} _{\sigma _{3}^{T_2}} \mathrel {\lesssim }\mathcal {A} _{\sigma _3^{T_1}} \mathrel {\lesssim }\mathcal {A} _{\sigma _2} \mathrel {\lesssim }\mathcal {A} _{\sigma _1} $$

3.4 Extending with Guards and Effects

Abstract transitions in \(\mathcal {A} _\sigma \) are labeled with the stimulus that has triggered the abstracted run-to-completion process. Recall that a stimulus \(\ell \in 2^\varSigma \) is connected to a (possibly null) variation of the inputs I by \(\mathrm {Trans} _\mathcal {E} (I, \varSigma , I')\). A guard for an abstract transition \((p_1, \ell , p_2)\) is a formula on \(I'\) variables entailed by \(\mathrm {Trans} _\mathcal {E} [\varSigma / \ell ]\) which describes the configurations of inputs that, starting from \(p_1\) with event \(\ell \), lead to \(p_2\). In order to enrich the description of the effects of an abstract transition, we also consider a subset of state variables \(O \subseteq V\), called output variables. Observe that an abstract transition may be witnessed by multiple concrete paths, each with its own configuration of inputs and outputs. Hence, we can keep track of a precise correlation between guards and effects with a unique relational formula on I and O variables. This formula is obtained as a disjunction of all the configurations of inputs and outputs in the concrete states accomplishing stability in \(p_2\) (since the configuration of I set by the stimulus is preserved by \(\tau \) along the run-to-completion process).

Example 4

The stability abstractions shown in Figs. 2 and 3 are equipped with guard constraints, as evaluations on the original input variable \(\mathrm {in.flow}\), (shown in square brackets near the label of the stimuli).

4 Algorithms for Stability Abstractions

In order to build the abstract automaton structure we have to check whether there exists a (reachable) \(\sigma \)-stable state in \(p_1\), with \((s_1, \ell , s_2) \models \mathrm {Trans} \) and \({\mathcal {M}}^\tau , s_2 \models {\mathrm {E}}(\lnot \sigma \mathrel {\mathrm {U}}(\sigma \mathrel {\wedge } p_2))\), for every pair \((p_1, p_2) \in \varPhi \times \varPhi \). Reachability analysis and (C/)LTL model checking for infinite state systems are undecidable problems. The work in [5] computes overapproximations of the regions that are invariant for silent transitions (i.e., addresses an unbounded stability criterion \(\mathrm {AG}\phi \)), exploiting the abstract interpretation framework. This approach also overapproximates multiple stable targets that may be given by the non-determinism of the concrete system.

Here, instead, we deal precisely with the non-determinism of the underlying concrete system by collecting information about actual, visible consequences of an action, by focusing on bounded stability definitions. In fact, we consider stability criteria that do not require fixpoint computations in the concrete system, and we under-approximate the reachability analysis fixing a bound for unstable paths. Namely, our algorithm follows an iterative deepening approach, which considers progressively longer unstable run-to-completion paths, seeking for the next stable condition.

Intuitively we search for concrete witnesses for an abstract transition \((p_1, \ell , p_2)\) by searching for a concrete path connecting a concrete \(\sigma \)-stable state \(s_1\) in \(p_1\) and a \(\sigma \)-stable state in \(p_2\), with a bounded reachability analysis from \(s_1\).

Notice that the algorithm builds a symbolic characterization for the stability automaton. In fact, instead of enumerating all \((p_1, p_2) \in \varPhi \times \varPhi \) and check if they are connected by some concrete path, we incrementally build a formula characterizing all the paths of \({\mathcal {M}}^\tau \) connecting two \(\sigma \)-stable states. Then, we project such formula on the P variables, hence obtaining symbolically all the abstract transitions having a witness of that length. This intuition is similar to [15] to efficiently compute predicate abstractions.

Moreover, having a formula representing finite paths of \({\mathcal {M}}^\tau \) connecting two \(\sigma \)-stable states, we can extract guards and effects with a projection on I and O variables. Namely, while checking the existence of an abstract transition, we also synthesize the formula on I and O annotating it.

A significant characteristic of our approach, also with respect to the classical instantiation of predicate abstraction, is that we refine the abstract transitions by forcing the concrete states to be reachable from the initial condition.

In the following we describe the general algorithm for computing abstractions parametric on the stability definition \(\sigma \), and then show how the criteria proposed in Sect. 3.3 can be actually passed as parameter.

4.1 Symbolic Algorithm for Bounded Stability

Consider the symbolic encoding of automaton \(\mathcal {M} = \langle X, C, \varSigma , \mathrm {Init}, \mathrm {Invar}, \mathrm {Trans} \rangle \),Footnote 3 and a classification of the variables in X distinguishing \(P \) boolean predicates variables, I input variables, O output variables.

We address the computation of the formulae \(\mathrm {Init} _\sigma (P)\) and \(\mathrm {Trans} _\sigma (P, I, O, P ')\), for a stability definition provided as a formula \(\sigma (X_0,\dots , X_n)\) with \(n \in \mathbb {N}\).

The algorithm performs a reachability analysis based on two bounds:

  • \(U \in \mathbb {N}\), as the bound for the length for unstable paths.

  • \(L \in \mathbb {N}\), with \(L \ge n + 1\), as the bound for the length of the run witnessing an abstract transition, starting from the initial state, used for the reachability-aware refinement.

figure a

Computation of \(\mathrm {Trans} _\sigma \). Pseudocode 1 shows the algorithm for extraction of the transition relation \(\mathrm {Trans} _\sigma \). It builds a formula

$$ \mathrm {Init} (X_0) \mathrel {\wedge } \bigwedge \limits _{0 \le h \le j} \mathrm {Trans} (X_h, X_{h+1}) \mathrel {\wedge } \left( \begin{gathered} \sigma (X_{i-n},..., X_{i}) \mathrel {\wedge } \bigwedge _{i-n \le h< i} I_h = I_{h+1} \mathrel {\wedge } \\ \bigwedge \limits _{i< h < j} (I_h = I_{h+1} \mathrel {\wedge } \lnot \sigma (X_{h-n},...,X_{h})) \mathrel {\wedge } \\ \sigma (X_{j-n},..., X_{j}) \end{gathered} \right) $$

for each ij with \(0 \le j - i \le U\) and \(j < L\). The procedure exploits the incrementality of the SMT solvers which organize assertions in a stack: the push/pop interface allows the addition of layers, in which to insert new formulae with the assert primitive. In this way, we can progressively build the path and avoid its recomputation for every pair ij. Namely, for each \(j < L\), firstly we build the path until j (line 6) and assert \(\sigma \)-stability in j (line 9). Then we progressively try i going backward (in order to better exploit incrementality), constrain the I variables to be unchanged, and \(\sigma \)-unstability (lines 11–12).

Function \(\mathrm {S.}\textsc {project-on}() \) (line 16) performs an existential quantification of the formula currently present in the solver stack. We preserve variables \(P _i\) and \(P _j\), which characterize the two stable states connected by the transition. Variables \(I_{j}\) and \(O_j\) are also preserved: in this way, we extract the guards and the effects formulae directly within the building of the abstract transition. Notice that, due to the input stability hypothesis preserved during the unstable path, the input configuration read in j is the same read immediately following the external event in \(i+1\).

Every found contribute \(\mathrm {Trans}_\sigma ^{(i,j)} \) is then merged in a single \(\mathrm {Trans} _\sigma \), after substitution of the variables in \(P, I, O, P '\). Observe that an important optimization is to block the negation of the already computed formula \(\mathrm {Trans} _\sigma \) (shifted in the current i, j indices) before each projection (line 15), in order to avoid recomputing the same transitions.

Reachability-Awareness. A reachability-unaware version would drop the first part of the formula characterizing the path from 0 to \(i-n\).

The described algorithm is reachability-aware, meaning that every considered stable state is, by construction, reachable from the initial condition \(\mathrm {Init} \). This is important to extract actually concretizable behaviors, and is a main difference with respect to the classical predicate abstraction technique: it is well known that mere the projection on the boolean predicates of the single transition relation may introduce several spurious behaviors.

Note that the reachability-aware improvement is based on concrete reachability. In contrast, the algorithm of [5], exploits abstract reachability until fixpoint in the abstract automaton, possibly incurring in further overapproximations induced by the use of convergence accelerators.

Computation of \(\mathrm {Init} _\sigma \). The algorithm for the extraction of the initial state \(\mathrm {Init} _\sigma \) is similar: it builds a formula

$$ \mathrm {Init} (X_0) \mathrel {\wedge } \bigwedge \limits _{0 \le h \le i} \left( \mathrm {Trans} (X_h, X_{h+1}) \mathrel {\wedge } I_h = I_{h+1}\right) \mathrel {\wedge } \sigma (X_{i-n},..., X_{i}) $$

for every \(i \le U\). \(\mathrm {Init} _\sigma \) is the collection of the contributes \(\mathrm {Init}_\sigma ^{(i)} \), obtained by fixing a stable slot in the last position i and projecting on \(P _i\) variables.

4.2 Instantiating the Algorithm

The bounded stability definitions presented in Sect. 3 can be unrolled and expressed in the form \(\sigma (X_0,\dots ,X_n)\) Predicate Abstraction. \(\sigma _1(X_0) = \top \) trivially needs only the current variables. Observe that in this case we can use a \(U = 1\) bound, since the unstability constraint is always unsatisfiable.

Non-urgent Abstraction. Having a classification of urgent conditions, also \(\sigma _2(X_0) = \lnot urg _0\) can be established looking only at the current variables (it only needs \(n = 0\)).

Eq-predicate Abstraction. More generally, given K and T bounds, we encode that the abstract region has not changed for the last K steps and that at least T time has elapsed using \(n = K\) and

$$ \sigma _{3}^{T,K}(X_0\dots X_K) = \bigwedge \limits _{h< K} (P _h = P _{h+1}) \mathrel {\wedge } ( time _0 + T < time _K). $$

5 Experimental Evaluation

We evaluate the applicability and the adequacy of stability abstractions for the reverse engineering of real-world Relay-based Railway Interlocking Systems.

Relay-Based Railway Interlocking Systems (RRIS). RRIS are complex electro-mechanical circuits used for the control stations and train traffic. Such systems receive stimuli from an external environment, including both human operators (e.g., performing actions on buttons) and physical entities (e.g., a train passing on some sensors). In response, they control railway elements, like signaling lights or railway switches. Internally, they use relays to propagate signals: relays are electro-mechanical components which, when activated, change the position of an associated contact after a (possibly null) delay.

The controlling logic implemented by RRIS is hidden by complex legacy internal optimizations performed over the years by numerous electro-mechanical engineers. For this reason, it is hard to understand their high-level behavior and highlight the connections between stimuli and observable railway properties.

The experimental evaluation is based on real-world RRIS schematics that are intended to control level crossing and shunting routes. Using the tool norma  [2], the considered RRIS have been modeled and automatically converted in timed transition systems in the syntax of Timed nuXmv  [7]. The obtained models involve several real-valued variables (modeling voltages and currents in the circuits), changing accordingly to the configuration of the boolean variables (modeling the switches of the circuit). The discrete state changes when an external event updates the position of a switch, or as a consequence of the activation of an internal relay. Hence, these systems react to an external variation with a chain of internal transitions. The duration of the triggered run-to-completion process is important: urgent states are widely used to model the causality relation between the activation of an instantaneous relay and the action performed on the associated switch; timed relays may impose a low delay, so that the internal response is actually very fast and almost non observable.

Abstraction Modulo Stability of RRIS. The Timed nuXmv model checker was used to convert the models produced by norma in untimed transition systems in SMV. The algorithm presented in Sect. 4 has been implemented using the pySMT library [10] and the MathSAT5 SMT solver [8]. It requires in input a classification of the variables X, selecting the predicates \(P \), the inputs I and the outputs O, which can be directly provided by railway domain experts. We choose as \(P \) the status of some relays or (boolean variables associated with) linear predicates on the electrical variables, representing, as an example, the status of a lamp.

Table 1 and 2 report the number of variables X, \(P \), I, O for each benchmark. Column \(\varPhi \) reports the size of the resulting abstract domain, obtained by considering all the consistent combinations of \(P \) predicates (with respect to the invariant of the model).

We show the results of the Abstraction Modulo Stability considering the stability definitions described in Sect. 3.3, using the algorithm of Sect. 4 with bounds \(L=40\) and \(U=15\). All the experiment ran on a 2.4 GHz CPU, with time out (to) set to 15 h, and memory limit set to 20 GB.

Columns “\(\mathcal {A} _\sigma \)states” and “\(\mathcal {A} _\sigma \)trans” hold the number of abstract states and transitions respectively, computed counting the configurations of the predicate variables in the abstract automaton \(\mathcal {A} _\sigma \). As stated in Corollary 1, the corresponding abstract automata have progressively less states.

Stability abstractions were used by railway experts from the Italian Railway Network company (RFI) to understand two main families of legacy RRIS.

Table 1. Result of the abstraction of routesN RRIS benchmarks with different stability definitions.
Full size table

Routes. routesN is a RRIS regulating the activation/deactivation of N shunting routes concurring for the same resources. The implemented logic takes care of avoiding the simultaneous activation of conflicting routes. In such RRIS the inputs are the switches controlled by a human operator, attempting to enable/disable a route; the outputs are the status of some internal entities that we want to monitor; the predicates are the status of lamps representing whether the routes have been registered.

In the routes benchmarks the delays used in the run-to-completion processes are very small, so that in the abstract automata obtained (Table 1) there is no difference between \(\sigma _{3}^{T=1}\) and \(\sigma _{3}^{T=7}\) (i.e., if a state has stayed in the same predicate for 1 time unit, then it can also stay there for 7). These abstract automata clearly highlight what are the consequences of the requests of a human operator with respect to the active/inactive status of the routes involved. As an example, the abstraction routes02 (a circuit handling two routes) has only 4 stable states which show that the routes are incompatible and one of them has priority on the other, and disregards all the intermediate steps that the concrete system needs to progressively check the availability of the resources. These steps are visible with a less strict stability definition, like \(\sigma _1\) or \(\sigma _2\).

Table 1 also evaluates the effectiveness of the reachability refinement. When dropping the prefix starting from the initial states of the concrete system, the algorithm would consider several spurious behaviors. Especially in these benchmarks, the resulting abstract automaton would also show the unreachable states (e.g., the ones in which two routes are in conflict), therefore reducing the relevance for the reverse engineering purpose. Moreover, the reach.unaware computation may be harder to compute as it has to explore more transitions and more models in the guards and effects formulae.

Table 2. Result of the abstraction of r-switch RRIS benchmarks with different stability definitions.
Full size table

Railway Switch. r-switch is a RRIS modeling a railway switch. It has several externally controlled switches and only 4 relevant observations, defining its abstract state. The schema can be instantiated as nominal (N) or faulty (F), by injecting faulty behaviors in some physical components. We consider three versions: r-switch1 interacts with a free environment, showing a wide number of circuit configurations; r-switch2 and r-switch3, instead, exploit some assumptions on the environment and expose less inputs, and, although using different internal implementations, are supposed to guarantee the same controlling logic.

Table 2 reports the features of the abstract automata obtained for these benchmarks. Here, during a run-to-completion process, some states dwell in the same predicate for a time \(1 \le t \le 7\), so that are visible in \(\sigma _{3}^{T=1}\) but skipped by \(\sigma _{3}^{T=7}\) when reporting the corresponding abstract transition.

Again, the reach.unaware option reports more transitions. The difference is especially evident in the nominal versions, as the faulty concrete system already covers more behaviors. Even when the number of abstract transitions is the same, the reach.aware option reports more precise guards and effects, i.e., each annotating formula on I and O has less models.

By looking at the abstract automata, the user could recover what are the triggering reasons that make the system reach certain states (e.g., the ones that are shown in r-switch1 and not in r-switch2). Namely, \(\mathcal {A} _\sigma \) could highlight the enabling conditions for certain behaviors, which may apply far from the final observable consequence and were hard to inspect by hand. In this way, the user could also collect what assumptions are needed to avoid certain behaviors (e.g., in understanding what changes were made from r-switch1 to r-switch2 or r-switch3 schemas).

Finally, as expected, r-switch2 and r-switch3 have exactly the same abstract automata for every stability definition and nominal/faulty configuration, since they are two different implementations for the same observable properties.

P-Stable Abstractions. We also tried the implementation of [5], for approximated \(P\)-stable abstractions (\(\sigma _4\)), which uses BDDs and convex polyhedra. On small handcrafted models like the tank system used as running example we could run all the approaches and confirm the output automata described in Sect. 3. Nonetheless, in the analysis of RRIS the approach of [5] turned out to be impractical, and was unable to deal with any of the considered RRIS models, due to the high number of variables.

More importantly, in our case studies, \(\sigma _4\) would likely result in abstractions that are too aggressive, hiding states that are practically interesting, such as the ones that emerge from the analysis of run-to-completion processes with non negligible duration.

6 Conclusions

In this paper we presented a framework for the reverse engineering of legacy systems. Starting from a symbolic timed transition system, the framework supports the construction of abstractions in the form of state machines with guards and effects over transitions. The abstractions are parameterized on the notion of stability. We propose an SMT-based algorithm for abstraction computation, and we instantiate it over several notions of stability.

The results have been evaluated within an industrial project with the Italian Railway Network, on reverse-engineering tasks of complex relay-based interlocking circuits. The experimental analysis demonstrated that the approach is practical, and able to construct abstractions for complex real-world circuits. Taking reachability into account allowed us to produce tighter, more informative representations of the system under inspection. Railway signaling engineers involved in the project considered the proposed approach adequate in terms of expressiveness and able to provide substantial support in understanding the legacy RRIS.

In the future, we will define an “anytime” version of algorithms, so that the abstraction can be incrementally visualized as the computation proceeds, and leverage parallelization to increase the efficiency. Given the positive feedback from the RFI experts, we plan to integrate the proposed abstraction techniques abstraction within a RRIS modeling front-end, and to apply them on a larger set of interlockings.