Better abstractions for timed automata

F. Herbreteau, B. Srivathsan and I. Walukiewicz
Univ. Bordeaux, CNRS, LaBRI, UMR 5800, F-33400 Talence, France
Email: {fh, sri, igw}@labri.fr

arXiv:1110.3705v4 [cs.LO] 4 Sep 2012

Abstract. We consider the reachability problem for timed automata. A standard solution to this problem involves computing a search tree whose nodes are abstractions of zones. These abstractions preserve underlying simulation relations on the state space of the automaton. For both effectiveness and efficiency reasons, they are parametrized by the maximal lower and upper bounds (LU-bounds) occurring in the guards of the automaton. We consider the $a_{\preccurlyeq LU}$ abstraction defined by Behrmann et al. Since this abstraction can potentially yield non-convex sets, it has not been used in implementations. We prove that $a_{\preccurlyeq LU}$ abstraction is the biggest abstraction with respect to LU-bounds that is sound and complete for reachability. We also provide an efficient technique to use the $a_{\preccurlyeq LU}$ abstraction to solve the reachability problem.

I. INTRODUCTION

Timed automata are finite automata extended with clocks whose values can be compared with constants and set to 0. The clocks measure delays between different steps of execution of the automaton. The reachability problem for timed automata asks if there exists a path from its initial state to a given target state. This problem cannot be solved by a simple state exploration since clocks are real-valued variables. The standard solution to this problem involves computing the zone graph of the automaton that in principle could be infinite. In order to make it finite, zones are approximated using an abstraction operator. Till recently it has been generally assumed that for reasons of efficiency an abstraction of a zone should always be a zone. Here we avoid this assumption. We show a rather unexpected fact that $a_{\preccurlyeq LU}$ approximation defined by Behrmann et al. [3] is the biggest sound and complete approximation. We also present a method of constructing abstracted zone graph using $a_{\preccurlyeq LU}$ approximation. Even though this approximation can yield non-convex sets, we show that our method is at least as efficient as any other currently known method based on abstractions.

The reachability problem is a basic problem in verification. It is historically the first problem that has been considered for timed-automata, and it is still a lively subject of research [3], [11], [14], [17]. Apart from being interesting by itself, the advances on this problem may allow to give new methods for verification of more complicated models, like priced timed-automata [7], or probabilistic timed automata [6], [8], [12].

All approaches to solving the reachability problem for timed automata should ensure termination. To tackle this, most of them use abstractions to group together bisimilar valuations of clock variables, that is, valuations not distinguishable by the automaton. The first solution has been based on regions: equivalence classes of clock valuations [1]. Their definition is parameterized by a threshold up to which the clock values should be considered. A great improvement in efficiency has been obtained by adopting zones instead of regions. These are sets of valuations defined by conjunctions of differences between pairs of clocks. They can be efficiently implemented using difference bound matrices (DBMs) [10]. A challenge with zone based approach is that they are not totally compatible with regions, and moreover a forward exploration algorithm can produce infinitely many zones. The union of regions intersecting a zone is a natural candidate for a finitary abstraction. Indeed this abstraction would make the forward exploration algorithm terminate. However such an union of regions is not necessarily a zone, so it is not clear how to represent it. For this reason a number of abstraction operators have been proposed that give an approximation of the union of regions intersecting a zone. Bigger approximation makes the abstracted zone graph smaller. So potentially it gives a more efficient algorithm.

An important observation made in [3] is that if reachability is concerned then we can consider simulation instead of bisimulation. Indeed, it is safe to add configurations that are simulated by those that we have already reached. Simulation relations in question depend on the given automaton, and it is EXPTIME-hard to calculate the biggest one [13]. A pragmatic approach is to abstract some part of the structure of the automaton and define simulation based on this information. The most relevant information are the bounds with which clocks are compared in guards of the automaton. Since lower and upper bounds are considered separately, they are called LU-bounds. In [3] the authors define an abstraction based on simulation with respect to LU-bounds; it is denoted $a_{\preccurlyeq LU}$. Theoretically $a_{\preccurlyeq LU}$ is very attractive: it has clear semantics and, as we show here, it is always a union of regions. The problem is that $a_{\preccurlyeq LU}$ abstraction of a zone is seldom a convex set, so one cannot represent the result as a zone. In this paper we give another very good reason to consider $a_{\preccurlyeq LU}$ abstraction. We show that it is actually the biggest abstraction that is sound and complete with respect to reachability for all automata with the same LU-bounds. In other words it means that in order to get bigger (that is better) abstractions one would need to look at some other structural properties of automata than just LU-bounds.

Our main technical result is an effective algorithm for dealing with $a_{\preccurlyeq LU}$ abstraction. It allows to manipulate this abstraction as efficiently as purely zone based ones. We propose a forward exploration algorithm working with zones that constructs the $a_{\preccurlyeq LU}$ abstraction of the transition graph of the automaton. This algorithm uses standard operations on zones, plus a new test of inclusion of a zone in the $a_{\preccurlyeq LU}$ abstraction of another zone. The test is quadratic in the number of clocks and not more complex than that for just testing an inclusion between two zones. Since $a_{\preccurlyeq LU}$ abstraction is the coarsest sound and complete abstraction, it can potentially give smallest abstract systems.

A. Related work

Forward analysis is the main approach for the reachability testing of real-time systems. The use of zone-based abstractions for termination has been introduced in [9]. In recent years, coarser abstractions have been introduced to improve efficiency of the analysis [3]. An approximation method based on LU-bounds, called $\mathsf{Extra}^+_{LU}$, is used in the current implementation of UPPAAL [4]. In [11] it has been shown that it is possible to efficiently use the region closure of $\mathsf{Extra}^+_{LU}$, denoted $\mathsf{Closure}^+_{LU}$. This has been the first efficient use of a non-convex approximation. In comparison, $a_{\preccurlyeq LU}$ approximation has a well-motivated semantics, it is also region closed, and the resulting inclusion test is even simpler than that of $\mathsf{Closure}^+_{LU}$. A comparison of these abstractions is depicted in Fig. 1.

Let us mention that abstractions are not needed in backward exploration of timed systems. Nevertheless, any feasible backward analysis approach needs to simplify constraints. For example [14] does not use approximations and relies on an SMT solver instead. Clearly this approach is very difficult to compare with the forward analysis approach we study here.

Another related approach to verification of timed automata is to build a quotient graph of the semantic graph of the automaton with respect to some bisimulation relation [8], [16]. For reachability properties, this approach is not a priori competitive with respect to forward exploration as it requires to construct the whole state space of the automaton. It is more adapted to checking branching time properties.

B. Organization of the paper

In the next section, we present preliminary definitions, introduce the notion of sound and complete abstractions and explain how these abstractions could be used to solve the reachability problem. In Section III, we introduce the concept of LU-bounds putting limits on the constants that can be used in guards of automata. In the same section, we propose an abstraction $\mathit{abs}_{LU}$ and prove that it is the coarsest sound and complete abstraction for all automata with given LU-bounds. Subsequently, in Section IV we show that the $a_{\preccurlyeq LU}$ abstraction actually coincides with this biggest abstraction $\mathit{abs}_{LU}$. Section V then presents the efficient inclusion test for $a_{\preccurlyeq LU}$ abstraction which allows for its use in implementations.

[Fig. 1. A comparison of abstraction operators for zones. The figure plots, in the $(x,y)$ plane with the bounds $L_x$, $U_x$, $L_y$, $U_y$ marked on the axes, a zone $Z$ together with $\mathsf{Extra}^+_{LU}(Z)$, $\mathsf{Closure}^+_{LU}(Z)$ and $a_{\preccurlyeq LU}(Z)$; the drawing itself is not reproduced here.]

II. PRELIMINARIES

After recalling some preliminary notions, we introduce a concept of abstraction as a means to reduce the reachability problem for timed-systems to the one for finite systems. We then observe that simulation relation is a convenient way of obtaining abstractions with good properties.

A. Timed automata and the reachability problem

Let $X$ be a set of clocks, i.e., variables that range over $\mathbb{R}_{\ge 0}$, the set of non-negative real numbers. A clock constraint is a conjunction of constraints $x \# c$ for $x \in X$, $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$, e.g. $(x \le 3 \wedge y > 0)$. Let $\Phi(X)$ denote the set of clock constraints over clock variables $X$. A clock valuation over $X$ is a function $v : X \to \mathbb{R}_{\ge 0}$. We denote $\mathbb{R}^X_{\ge 0}$ the set of clock valuations over $X$, and $\mathbf{0}$ the valuation that associates $0$ to every clock in $X$. We write $v \models \varphi$ when $v$ satisfies $\varphi \in \Phi(X)$, i.e. when every constraint in $\varphi$ holds after replacing every $x$ by $v(x)$. For $\delta \in \mathbb{R}_{\ge 0}$, let $v + \delta$ be the valuation that associates $v(x) + \delta$ to every clock $x$. For $R \subseteq X$, let $[R]v$ be the valuation that sets $x$ to $0$ if $x \in R$, and that sets $x$ to $v(x)$ otherwise.

A Timed Automaton (TA) is a tuple $\mathcal{A} = (Q, q_0, X, T, \mathit{Acc})$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $X$ is a finite set of clocks, $\mathit{Acc} \subseteq Q$ is a set of accepting states, and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of transitions $(q, g, R, q')$ where $g$ is a guard, and $R$ is the set of clocks that are reset on the transition.

The semantics of $\mathcal{A}$ is a transition system of its configurations. A configuration of $\mathcal{A}$ is a pair $(q, v) \in Q \times \mathbb{R}^X_{\ge 0}$ and $(q_0, \mathbf{0})$ is the initial configuration. We have two kinds of transitions:

Delay: $(q, v) \xrightarrow{\delta} (q, v + \delta)$ for some $\delta \in \mathbb{R}_{\ge 0}$;

Action: $(q, v) \xrightarrow{\alpha} (q', v')$ for some transition $(q, g, R, q') \in T$ such that $v \models g$ and $v' = [R]v$.

In this paper we are interested in the reachability problem that asks if there exists a configuration $(q, v)$ with accepting state $q \in \mathit{Acc}$ that is reachable from $(q_0, \mathbf{0})$ by any finite sequence of delay and action transitions.

The class of TA we consider is usually known as diagonal-free TA since clock comparisons like $x - y \le 1$ are disallowed. Notice that if we are interested in state reachability, considering timed automata without state invariants does not entail any loss of generality as the invariants can be added to the guards. For state reachability, we can also consider automata without transition labels.

B. Abstractions

Since the transition system determined by the automaton is infinite, we usually try to find a finite approximation of it by grouping valuations together. In consequence we work with configurations consisting of a state and a set of valuations. The transitions are then defined by:

$(q, W) \Rightarrow^{\alpha} (q', W')$ where $W' = \{v' : \exists v \in W.\ v \xrightarrow{\alpha} v'\}$, and

$(q, W) \Rightarrow^{\tau} (q', W')$ where $W' = \{v' : \exists v \in W.\ \exists \delta \in \mathbb{R}_{\ge 0}.\ v \xrightarrow{\delta} v'\}$.

So $\Rightarrow^{\alpha}$ transition is the existential lifting of $\xrightarrow{\alpha}$ transition to sets, similarly for $\Rightarrow^{\tau}$ transition but it moreover permits any delay. We will write $\Rightarrow$ without superscript to denote the union of the two relations.

An abstraction operation [2] is a convenient way of expressing a grouping of valuations. It is a function $a : \mathcal{P}(\mathbb{R}^{|X|}_{\ge 0}) \to \mathcal{P}(\mathbb{R}^{|X|}_{\ge 0})$ such that $W \subseteq a(W)$ and $a(a(W)) = a(W)$. An abstraction operator defines an abstract semantics:

$(q, W) \Rightarrow_a (q', a(W'))$ when $a(W) = W$ and $(q, W) \Rightarrow (q', W')$.

If $a$ has a finite range then this abstraction is finite. Analogously we define $\Rightarrow^{\alpha}_a$ and $\Rightarrow^{\tau}_a$. We write $\Rightarrow^*$ for the transitive closure of $\Rightarrow$, similarly for $\to^*$.

Of course we want this abstraction to reflect some properties of the original system. In order to preserve reachability properties we can require the following two properties (where $\to$ denotes the union of $\xrightarrow{\alpha}$ and $\xrightarrow{\delta}$):

Soundness: if $(q_0, \{v_0\}) \Rightarrow^*_a (q, W)$ then there is $v \in W$ such that $(q_0, v_0) \to^* (q, v)$.

Completeness: if $(q_0, v_0) \to^* (q, v)$ then there is $W$ such that $v \in W$ and $(q_0, \{v_0\}) \Rightarrow^*_a (q, W)$.

It can be easily verified that if an abstraction satisfies $W \subseteq a(W)$ then the abstracted system is complete. However soundness is more delicate to obtain.

Naturally, it is important to be able to efficiently compute the abstract transition system. A standard way to do this is to use zones. A zone is a set of valuations defined by a conjunction of two kinds of constraints: comparison of difference between two clocks with an integer like $x - y \# c$, or comparison of a single clock with an integer like $x \# c$, where $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$. For instance $(x - y \ge 1) \wedge (y < 2)$ is a zone. Zones can be efficiently represented using difference bound matrices (DBMs) [10]. This suggests that one should consider abstractions that give zones. This is an important restriction: zones are convex, and abstractions based on regions are usually not convex.

We propose a way to use non-convex abstractions and zone representations at the same time. We will only consider sets $W$ of the form $a(Z)$ and represent them simply by $Z$. This way we can represent states of an abstract transition system efficiently: we need just to store a zone. In order for this to work we need to be able to compute the transition relation on this representation. We also need to know when two representations stand for the same node in the abstract system. This is summarized in the following two requirements:

Transition compatibility: for every transition $(q, a(Z)) \Rightarrow_a (q', W')$ and the matching transition $(q, Z) \Rightarrow (q', Z')$ we have $W' = a(Z')$.

Efficient inclusion test: for every two zones $Z, Z'$, the test $Z' \subseteq a(Z)$ is efficient.

The first condition is quite easy to satisfy. Every abstraction relation coming from time-abstract simulation [15] is transition compatible. Assume that we are given an automaton $\mathcal{A}$.

Definition 1 (Time-abstract simulation) A (state based) time-abstract simulation between two states of a transition system is a relation $(q, v) \preccurlyeq_{t.a.} (q', v')$ such that:
• $q = q'$,
• if $(q, v) \xrightarrow{\delta} (q, v + \delta) \xrightarrow{\alpha} (q_1, v_1)$ then there exists $\delta' \in \mathbb{R}_{\ge 0}$ such that $(q', v') \xrightarrow{\delta'} (q', v' + \delta') \xrightarrow{\alpha} (q_1', v_1')$ satisfying $(q_1, v_1) \preccurlyeq_{t.a.} (q_1', v_1')$.

For two valuations $v, v'$, we say that $v \preccurlyeq_{t.a.} v'$ if for every state $q$ of the automaton, we have $(q, v) \preccurlyeq_{t.a.} (q, v')$. An abstraction $a$ based on a simulation $\preccurlyeq_{t.a.}$ can be defined as follows:

Definition 2 (Abstraction based on simulation) Given a zone $Z$, we define $a(Z) = \{v : \exists v' \in Z.\ v \preccurlyeq_{t.a.} v'\}$.

For a given automaton this abstraction defines an abstract transition system. Our goal is to efficiently construct this system, or a relevant part of it if we are checking a reachability property. As explained in Section II, for nodes of this system we can use pairs of the form $(q, Z)$, i.e., pairs consisting of a state and a zone. Such a pair will represent a configuration $(q, a(Z))$. Transition relation will be computed on zones. This is possible since the abstraction is defined using a simulation so it is automatically transition compatible.

Lemma 3 Let $a$ be an abstraction based on a simulation relation. For every transition $(q, a(Z)) \Rightarrow_a (q', W')$ and the matching transition $(q, Z) \Rightarrow (q', Z')$, we have $W' = a(Z')$.

Proof: Let $a$ be based on a simulation relation $\preccurlyeq_{t.a.}$, that is, for a set $W$, we have $a(W) = \{v : \exists v' \in W.\ v \preccurlyeq_{t.a.} v'\}$. Without loss of generality, assume that $\Rightarrow$ denotes a time-transition followed by an action: $\xrightarrow{\delta}\xrightarrow{a}$.

Let $v \in W'$. Then, by definition of $(q, a(Z)) \Rightarrow_a (q', W')$, there exists $v_1 \in a(Z)$ and a $\delta_1 \in \mathbb{R}_{\ge 0}$ such that $(q, v_1) \xrightarrow{\delta_1}\xrightarrow{a} (q', v_1')$ and $v \preccurlyeq_{t.a.} v_1'$. Now, since $v_1 \in a(Z)$, we can find $v_2 \in Z$ satisfying $v_1 \preccurlyeq_{t.a.} v_2$. Therefore by definition of simulation relation, there exists a $\delta_2 \in \mathbb{R}_{\ge 0}$ which enables the transition: $(q, v_2) \xrightarrow{\delta_2}\xrightarrow{a} (q', v_2')$ and yields $v_1' \preccurlyeq_{t.a.} v_2'$. As we have seen before we have $v \preccurlyeq_{t.a.} v_1'$ and so we can infer that $v \preccurlyeq_{t.a.} v_2'$. By completeness of $\Rightarrow$, we will have $v_2' \in Z'$ and hence $v \in a(Z')$. This shows that $W' \subseteq a(Z')$.

Let $v \in a(Z')$. Then, there exists $v_1 \in Z$ and a $\delta_1 \in \mathbb{R}_{\ge 0}$ such that $v_1 \xrightarrow{\delta_1}\xrightarrow{a} v_1'$ and $v \preccurlyeq_{t.a.} v_1'$. By the property of an abstraction operator, we will have $v_1 \in a(Z)$ too. Now, directly by the definition of $(q, a(Z)) \Rightarrow_a (q', W')$, we get that $v \in W'$ and this shows $a(Z') \subseteq W'$. $\square$

The above lemma shows that abstractions based on time-abstract simulations are transition compatible. This paper is essentially about how to satisfy the second condition (efficient inclusion test) and get as good abstraction as possible at the same time.

III. THE BIGGEST LU ABSTRACTION

We introduce the concept of LU bounds: maximal constants used in lower and upper bounds. These can be used to define simulations and abstractions independently of automata. The goal of this section is to come up with the coarsest possible abstraction if the only a priori knowledge we have about an automaton is LU-information. To this regard, we propose an abstraction operation $\mathit{abs}_{LU}$ and prove that it is the biggest such (Theorem 10).

One way to obtain abstractions is to group together valuations that are not distinguishable by an automaton, i.e. consider a bisimulation relation. If we are after reachability properties then one can even consider (time abstract) simulation relation [15]. For a given automaton it can be computed if two configurations are in a simulation relation. It should be noted though that computing the coarsest simulation relation is EXPTIME-hard [13]. Since the reachability problem can be solved in PSPACE, this suggests that it may not be reasonable to try to solve it using the abstraction based on the coarsest simulation.

We can get simulation relations that are computationally easier if we consider only a part of the structure of the automaton. The simplest is to take a simulation based on the maximal constant that appears in guards. More refined is to take the maximum separately over constants from lower bound constraints, that is in guards of the form $x > c$ or $x \ge c$, and those from upper bound constraints, that is in guards $x < c$ or $x \le c$. If one moreover does this for every clock $x$ separately, one gets for each clock two integers $L_x$ and $U_x$. The abstraction that is currently most used is a refinement of this method by calculating $L_x$ and $U_x$ for every state of the automaton separately [2]. For simplicity of notation we will not consider this optimization but it can be incorporated with no real difficulty in everything that follows. We summarize this presentation in the following definition.

Definition 4 (LU-bounds) The $L$ bound for an automaton $\mathcal{A}$ is the function assigning to every clock a maximal constant that appears in a lower bound guard for $x$ in $\mathcal{A}$. Similarly $U$ but for upper bound guards. An LU-guard is a guard where lower bound guards use only constants bounded by $L$ and upper bound guards use only constants bounded by $U$. An LU-automaton is an automaton using only LU-guards.

Using LU bounds we define a simulation relation on valuations without referring to any particular automaton; or to put it differently, by considering all LU-automata at the same time.

Definition 5 (LU-simulation) Let $L, U$ be two functions giving an integer bound for every clock. The LU-simulation relation between valuations is the biggest relation $\sqsubseteq_{LU}$ such that if $v \sqsubseteq_{LU} v'$ then for every LU-guard $g$, and set of clocks $R \subseteq X$ we have
• if $v \xrightarrow{g, R} v_1$ for some $v_1$ then $v' \xrightarrow{g, R} v_1'$ for $v_1'$ such that $v_1 \sqsubseteq_{LU} v_1'$,
where $v \xrightarrow{g, R} v_1$ means that for some $\delta \in \mathbb{R}_{\ge 0}$ we have $v + \delta \models g$ and $v_1 = [R](v + \delta)$.

One can check that $\sqsubseteq_{LU}$ is the biggest relation that is a time-abstract simulation for all automata with given LU bounds.

Simulation relation permits to define an abstraction operator. Basically, to the abstraction of $Z$ we can add all valuations that can be simulated by a valuation in $Z$. This way we guarantee soundness of the abstraction as the added valuations cannot do more than the valuations already present in $Z$.

Definition 6 (Abstraction based on LU-simulation) For a zone $Z$ we define: $\mathit{abs}_{LU}(Z) = \{v : \exists v' \in Z.\ v \sqsubseteq_{LU} v'\}$.

The definition of LU-simulation is sometimes difficult to work with since it talks about infinite sequences of actions. In the next lemma we present a useful characterization implying that actually we need to consider only very particular sequences of transitions that are of length bounded by the number of clocks (Corollary 9). For this discussion let us fix some $L$ and $U$ functions. We start with a preparatory definition.

Definition 7 For a valuation $v$ we define its LU-region, denoted $r_{LU}(v)$, to be the set of valuations $v'$ such that:
• $v'$ satisfies the same LU-guards as $v$.
• For every pair of clocks $x, y$ with $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$, $\lfloor v(y) \rfloor = \lfloor v'(y) \rfloor$, $v(x) \le U_x$ and $v(y) \le L_y$ we have:
  – if $\{v(x)\} < \{v(y)\}$ then $\{v'(x)\} < \{v'(y)\}$.
  – if $\{v(x)\} = \{v(y)\}$ then $\{v'(x)\} \le \{v'(y)\}$.

The first condition roughly says that the integer parts of the two valuations are the same. Observe that we cannot require that they are exactly the same for values between $L$ and $U$ bounds. The second part says that the order of fractional parts should be the same, but once again we restrict only to inequalities that we can express within our LU-bounds. Notice that if $L_x = U_x = M$, for some $M$ and all clocks $x$, then we get just the usual definition of regions with respect to $M$.

Lemma 8 For every two valuations $v$ and $v'$: $v \sqsubseteq_{LU} v'$ iff there is $\delta' \in \mathbb{R}_{\ge 0}$ with $v' + \delta' \in r_{LU}(v)$.

Proof: First let us take $v$ and define a sequence of abstract transitions that reflect the definition of $r_{LU}(v)$. We define some guards. Let $g_{int}$ be the conjunction of all LU guards that $v$ satisfies. For every pair of clocks $x, y$ such that $v(x) \le U_x$, $v(y) \le L_y$ we consider guards:
• if $\{v(x)\} < \{v(y)\}$ then we take a guard $g_{xy} \equiv (x < \lfloor v(x) \rfloor + 1) \wedge (y > \lfloor v(y) \rfloor + 1)$.
• if $\{v(x)\} = \{v(y)\}$ then we take a guard $g_{xy} \equiv (x \le \lfloor v(x) \rfloor + 1) \wedge (y \ge \lfloor v(y) \rfloor + 1)$.
Finally for every $y$ with $v(y) < L_y$ we put $g_y = \bigwedge \{g_{xy} : v(x) \le U_x\}$. Note that the guards that are defined are consistent with the LU bounds.

Consider all the clocks $y$ with $v(y) \le L_y$ and suppose that $y_1, \ldots, y_k$ is the ordering of these clocks with respect to the value of their fractional parts: $\{v(y_1)\} \le \cdots \le \{v(y_k)\}$. Let $\mathit{seq}(v)$ be the sequence of transitions $\xrightarrow{g_{int}} \xrightarrow{g_{y_k}} \cdots \xrightarrow{g_{y_1}}$; since the resets are empty we have not represented them in the labels of the sequence.

The sequence $\mathit{seq}(v)$ can be performed from $v$:

$v \xrightarrow{g_{int}} v \xrightarrow{\tau} v + \delta_k \xrightarrow{g_{y_k}} v + \delta_k \xrightarrow{\tau} v + \delta_{k-1} \xrightarrow{g_{y_{k-1}}} \cdots \xrightarrow{\tau} v + \delta_1 \xrightarrow{g_{y_1}} v + \delta_1$

when choosing $\delta_i = (1 - \{v(y_i)\})$ or $\delta_i = (1 - \{v(y_i)\}) + \varepsilon$ for some sufficiently small $\varepsilon > 0$; depending on whether we test for non-strict or strict inequality in $g_{y_i}$. Delay $\delta_i$ makes the value of $y_i$ integer or just above this integer. It is also easy to check that if it is possible to do this sequence of transitions from some valuation $v'$ then there is $\delta' \in \mathbb{R}_{\ge 0}$ such that $v' + \delta' \in r_{LU}(v)$. This shows left to right implication.

For the right to left implication we show that the relation $S = \{(v, v') : v' \in r_{LU}(v)\}$ is an LU-simulation relation. For this we take any $(v, v') \in S$, any LU guard $g$, and any reset $R$ such that $v \xrightarrow{g, R} v_1$. We show that $v' \xrightarrow{g, R} v_1'$ for some $v_1'$ with $(v_1, v_1') \in S$. The argument is very similar to the one for standard regions. $\square$

The sequence $\mathit{seq}(v)$ introduced in the above proof will be quite useful. In particular the proof shows the following.

Corollary 9 For two valuations $v, v'$: $v \sqsubseteq_{LU} v'$ iff $v'$ can execute the sequence $\mathit{seq}(v)$.

We are now ready to prove the first main result of this section showing that $\mathit{abs}_{LU}(Z)$ is the biggest sound and complete simulation that uses solely LU information.

Theorem 10 The $\mathit{abs}_{LU}$ abstraction is the biggest abstraction that is sound and complete for all LU-automata.

Proof: Suppose that we have some other abstraction $a'$ that is not included in $\mathit{abs}_{LU}$ on at least one LU-automaton. This means that there is some LU automaton $\mathcal{A}_1$ and its reachable configuration $(q_1, Z)$ such that $a'(Z) \setminus \mathit{abs}_{LU}(Z)$ is not empty. We suppose that $a'$ is complete and show that it is not sound.

Take $v \in a'(Z) \setminus \mathit{abs}_{LU}(Z)$. Consider the test sequence $\mathit{seq}(v)$ as in Corollary 9. From this corollary we know that it is possible to execute this sequence from $v$ but it is not possible to do it from any valuation in $Z$ since otherwise we would get $v \in \mathit{abs}_{LU}(Z)$.

As illustrated in Fig. 2 we add to $\mathcal{A}_1$ a new sequence of transitions constructed from the sequence $\mathit{seq}(v)$. We start this sequence from $q_1$, and let $q_f$ be the final state of this new sequence. The modified automaton $\mathcal{A}_1$ started in the initial configuration arrives with $(q_1, Z)$ in $q_1$ and then it can try to execute the sequence we have added. From what we have observed above, it will not manage to reach $q_f$. On the other hand from $(q_1, v)$ it will manage to complete the sequence. But then by completeness of the abstraction $(q_1, a'(Z)) \Rightarrow^{\mathit{seq}(v)} (q_f, W)$ for a nonempty $W$. So $a'$ is not a sound abstraction. $\square$

[Fig. 2. Adding the sequence $\mathit{seq}(v)$ to $\mathcal{A}_1$: from $q_1$ a chain of new transitions guarded by $g_{int}, g_{y_k}, \ldots, g_{y_1}$ leads to the new state $q_f$; the drawing itself is not reproduced here.]

IV. THE $a_{\preccurlyeq LU}$ ABSTRACTION

Since $\mathit{abs}_{LU}$ is the biggest abstraction, we would like to use it in a reachability algorithm. The definition of $\mathit{abs}_{LU}$, or even the characterization referring to $r_{LU}$, are still too complicated to work with. The $a_{\preccurlyeq LU}$ abstraction proposed by Behrmann et al. in [3] has much simpler definition. It turns out that in the context of reachability analysis the two abstractions coincide (Theorem 15).

We begin by recalling the definition of an LU-preorder defined in [3]. We use a different but equivalent formulation.

Definition 11 (LU-preorder [3]) Let $L, U : X \to \mathbb{N}$ be two bound functions. For a pair of valuations we set $v \preccurlyeq_{LU} v'$ if for every clock $x$:
• if $v'(x) < v(x)$ then $v'(x) > L_x$, and
• if $v'(x) > v(x)$ then $v(x) > U_x$.

Definition 12 (LU-abstraction [3]) For $L, U$ as above. For a set of valuations $W$ we define: $a_{\preccurlyeq LU}(W) = \{v : \exists v' \in W.\ v \preccurlyeq_{LU} v'\}$.

A. Abstractions $\mathit{abs}_{LU}$ and $a_{\preccurlyeq LU}$ coincide

Our goal is to show that when we consider zones closed under time-successors, $a_{\preccurlyeq LU}$ and $\mathit{abs}_{LU}$ coincide. To prove this, we would first show that there is a very close connection between valuations in $r_{LU}(v)$ and valuations that simulate $v$ with respect to $\preccurlyeq_{LU}$. The following lemma says that if $v' \in r_{LU}(v)$ then by slightly adjusting the fractional parts of $v'$ we can get a valuation $v_1'$ such that $v \preccurlyeq_{LU} v_1'$. We start with a preliminary definition.

Definition 13 A valuation $v_1$ is said to be in the neighbourhood of $v$, written $v_1 \in \mathit{nbd}(v)$ if for all clocks $x, y$:
• $\lfloor v(x) \rfloor = \lfloor v_1(x) \rfloor$,
• $\{v(x)\} = 0$ iff $\{v_1(x)\} = 0$,
• $\{v(x)\} \lessdot \{v(y)\}$ implies $\{v_1(x)\} \lessdot \{v_1(y)\}$ where $\lessdot$ is either $<$ or $=$.

Notice that the neighbourhood of $v$ is the same as the region of $v$ with respect to the classical region definition [1] with maximal bound being $\infty$.

Lemma 14 (Adjustment) Let $v$ be a valuation and let $v' \in r_{LU}(v)$. Then, there exists a $v_1' \in \mathit{nbd}(v')$ such that $v \preccurlyeq_{LU} v_1'$.

Proof: Let $v' \in r_{LU}(v)$. The goal is to construct a valuation $v_1' \in \mathit{nbd}(v')$ that satisfies $v \preccurlyeq_{LU} v_1'$. To be in the neighbourhood, the valuation $v_1'$ should have the same integral parts as that of $v'$ and should agree on the ordering of fractional parts. So for all $x$, we put $\lfloor v_1'(x) \rfloor = \lfloor v'(x) \rfloor$. It remains to choose the fractional parts for $v_1'$. But before, we will first see that there are clocks for which irrespective of what the fractional part is, the two conditions in Definition 11 would be true.

Consider a clock $x$ that has $\lfloor v'(x) \rfloor < \lfloor v(x) \rfloor$. Since $v'$ satisfies all LU-guards as $v$, we should have $v'(x) > L_x$. The first condition of $\preccurlyeq_{LU}$ for $x$ becomes true and the second condition is vacuously true. Similarly, when $\lfloor v'(x) \rfloor > \lfloor v(x) \rfloor$, we should have $v(x) > U_x$ and the second condition of $\preccurlyeq_{LU}$ becomes true and the first condition is vacuously true. Therefore, clocks $x$ that do not have the same integral part in $v$ and $v'$ satisfy the $\preccurlyeq_{LU}$ condition directly thanks to the different integral parts. Whatever the fractional parts of $v_1'$ are, the $\preccurlyeq_{LU}$ condition for these clocks would still be true.

Let us therefore now consider only the clocks that have the same integral parts: $\lfloor v'(x) \rfloor = \lfloor v(x) \rfloor$. If this integer is strictly greater than both $L_x$ and $U_x$, the two conditions of $\preccurlyeq_{LU}$ would clearly be satisfied, again irrespective of the fractional parts. So we consider only the clocks $x$ that have the same integral part in both $v$ and $v'$ and additionally either $\lfloor v(x) \rfloor \le U_x$ or $\lfloor v(x) \rfloor \le L_x$.

We prune further from among these clocks. Suppose there is such a clock that has $\{v'(x)\} = 0$. To be in the neighbourhood, we need to set $\{v_1'(x)\} = 0$. If $\{v(x)\}$ is $0$ too, we are done as the $\preccurlyeq_{LU}$ condition becomes vacuously true. Otherwise, we would have $v'(x) = v_1'(x) < v(x)$. But recall that $v' \in r_{LU}(v)$ and so it satisfies the same LU-guards as $v$ does. This entails that $v_1'(x) > L_x$ and we get the first condition of $\preccurlyeq_{LU}$ to be true. Once again, the other condition is trivial. So we eliminate clocks that have zero fractional parts in $v'$. A similar argument can be used to eliminate clocks that have zero fractional parts in $v$.

So finally, we end up with the set of clocks $x$ that have:
• $\lfloor v'(x) \rfloor = \lfloor v(x) \rfloor$,
• $\{v'(x)\} > 0$ and $\{v(x)\} > 0$,
• $v(x) < \max(U_x, L_x)$.
Call this set $X_f$. The task is to select non-zero fractional values $\{v_1'(x)\}$ for all clocks in $X_f$ so that they match with the order in $v'$. This is the main challenge and this is where we would be using the second property in the definition of $v' \in r_{LU}(v)$, which we restate here:

$\forall x, y \in X_f$ such that $v(x) \le U_x$ and $v(y) \le L_y$: $\quad (1)$
$\{v(x)\} < \{v(y)\} \Rightarrow \{v'(x)\} < \{v'(y)\}$
$\{v(x)\} = \{v(y)\} \Rightarrow \{v'(x)\} \le \{v'(y)\}$

Let $0 < \lambda_1' < \lambda_2' < \cdots < \lambda_n' < 1$ be the fractional values taken by clocks of $X_f$ in $v'$, that is, for every clock $x \in X_f$, the fractional value $\{v'(x)\} = \lambda_i'$ for some $i \in \{1, \ldots, n\}$. Let $X_i$ be the set of clocks $x \in X_f$ that have the fractional value as $\lambda_i'$:

$X_i = \{x \in X_f \mid \{v'(x)\} = \lambda_i'\}$

for $i \in \{1, \ldots, n\}$.

In order to match with the ordering of $v'$, one can see that for all clocks $x_i$ in some $X_i$, the value of $\{v_1'(x_i)\}$ should be the same, and if $x_j \in X_j$ with $i \ne j$, then we need to choose $\{v_1'(x_i)\}$ and $\{v_1'(x_j)\}$ depending on the order between $\lambda_i'$ and $\lambda_j'$.

Therefore, we need to pick $n$ values $0 < \sigma_1 < \sigma_2 < \cdots < \sigma_n < 1$ and assign for all $x_i \in X_i$, the fractional part $\{v_1'(x_i)\} = \sigma_i$. We show that it can be done by an induction involving $n$ steps.

After the $k$th step of the induction we assume the following hypothesis:
• we have picked values $0 < \sigma_{n-k+1} < \sigma_{n-k+2} < \cdots < \sigma_n < 1$,
• for all clocks $x \in X_{n-k+1} \cup X_{n-k+2} \cup \cdots \cup X_n$, the $\preccurlyeq_{LU}$ condition is satisfied,
• for all clocks $y \in X_1 \cup X_2 \cup \cdots \cup X_{n-k}$, we have
  $v(y) \le L_y \Rightarrow \{v(y)\} < \sigma_{n-k+1} \quad (2)$

Let us now perform the $k+1$th step and show that the hypothesis is true for $k+1$. The task is to pick $\sigma_{n-k}$. We first define two values $0 < l < 1$ and $0 < u < 1$ as follows:

$l = \max \{ \{v(z)\} \mid z \in X_{n-k} \text{ and } v(z) \le L_z \}$
$u = \min \big( \{ \{v(z)\} \mid z \in X_{n-k} \text{ and } v(z) \le U_z \} \cup \{\sigma_{n-k+1}\} \big)$

We claim that $l \le u$. Firstly, $l < \sigma_{n-k+1}$ from the third part of the induction hypothesis. So if $u$ is $\sigma_{n-k+1}$ we are done. If not, suppose $l > u$, this means that there are clocks $x, y \in X_{n-k}$ with $v(x) \le U_x$ and $v(y) \le L_y$ such that $\{v(x)\} < \{v(y)\}$. From Equation 1, this would imply that $\{v'(x)\} < \{v'(y)\}$. But this leads to a contradiction since we know they both equal $\lambda_{n-k}'$ in $v'$.

This leaves us with two cases, either $l = u$ or $l < u$. When $l = u$, we pick $\sigma_{n-k} = l = u$. Firstly, from the third part of the hypothesis, we should have $l < \sigma_{n-k+1}$ and so $\sigma_{n-k} < \sigma_{n-k+1}$. Secondly for all $z \in X_{n-k}$, if $v_1'(z) < v(z)$, then $z$ should not contribute to $l$ and so $v(z) > L_z$, which is equivalent to saying, $v_1'(z) > L_z$. Similarly, if $v_1'(z) > v(z)$, then $z$ should not contribute to $u$ and so $v(z) > U_z$, thus satisfying the $\preccurlyeq_{LU}$ condition for $z$. Finally, we should show the third hypothesis. Consider a clock $y \in X_1 \cup \cdots \cup X_{n-k-1}$ with $v(y) < L_y$. If $\{v(y)\} \ge \sigma_{n-k}$, it would mean that $\{v(y)\} \ge u$ and from Equation 1 gives a contradiction. So the three requirements of the induction assumption are satisfied after this step in this case.

Now suppose $l < u$. Consider a clock $y \in X_1 \cup \cdots \cup X_{n-k-1}$ such that $v(y) < L_y$. From Equation 1, we should have $\{v(y)\} < u$. Take the maximum of $\{v(y)\}$ over all such clocks:

$\lambda = \max \{ \{v(y)\} \mid y \in X_1 \cup \cdots \cup X_{n-k-1} \text{ and } v(y) < L_y \}$

Choose $\sigma_{n-k}$ in the interval $(\lambda, u)$. We can see that all the three assumptions of the induction hold after this step. $\square$

We are now ready to prove the second main result of this section. We write $\overrightarrow{Z}$ for the closure of $Z$ under time-successors: $\overrightarrow{Z} = \{v + \delta : v \in Z, \delta \in \mathbb{R}_{\ge 0}\}$. We say that a zone $Z$ is time-elapsed if $\overrightarrow{Z} = Z$.

Theorem 15 If $Z$ is time-elapsed then $\mathit{abs}_{LU}(Z) = a_{\preccurlyeq LU}(Z)$.

Proof: Suppose $v \in a_{\preccurlyeq LU}(Z)$. There exists a $v' \in Z$ such that $v \preccurlyeq_{LU} v'$. It can be easily verified that $\preccurlyeq_{LU}$ is a LU-simulation relation. Since $\sqsubseteq_{LU}$ is the biggest LU-simulation, we get that $v \sqsubseteq_{LU} v'$. Hence $v \in \mathit{abs}_{LU}(Z)$.

Suppose $v \in \mathit{abs}_{LU}(Z)$. There exists $v' \in Z$ such that $v \sqsubseteq_{LU} v'$. From Lemma 8, this implies there exists a $\delta'$ such that $v' + \delta' \in r_{LU}(v)$. As $Z$ is time-elapsed, we get $v' + \delta' \in Z$. Moreover, from Lemma 14, we know that there is a valuation $v_1' \in \mathit{nbd}(v' + \delta')$ such that $v \preccurlyeq_{LU} v_1'$. Every valuation in the neighbourhood of $v' + \delta'$ satisfies the same constraints of the form $y - x \lessdot c$ with respect to all clocks $x, y$ and hence $v_1'$ belongs to $Z$ too. Therefore, we have a valuation $v_1' \in Z$ such that $v \preccurlyeq_{LU} v_1'$ and hence $v \in a_{\preccurlyeq LU}(Z)$. $\square$

B. Using $a_{\preccurlyeq LU}$ to solve the reachability problem

A forward exploration algorithm for solving the reachability problem constructs the reachability tree starting from the initial node $(q_0, Z_0)$ (cf. Fig. 3). Instead of doing $(q_1, Z_1) \Rightarrow^{\alpha} (q_2, Z_2) \Rightarrow^{\alpha} (q_3, Z_3)$, it is preferable to do $(q_1, Z_1) \Rightarrow^{\alpha} (q_2, Z_2) \Rightarrow^{\tau} (q_2, \overrightarrow{Z_2}) \Rightarrow^{\alpha} (q_3, Z_3')$ since $Z_2 \subseteq \overrightarrow{Z_2}$ and $\Rightarrow$ is monotone with respect to zone inclusion. For this reason the algorithm can start in time-elapsed initial node $(q_0, \overrightarrow{Z_0})$, and for every node $(q, Z)$ consider its successors $(q, Z) \Rightarrow^{\alpha} \Rightarrow^{\tau} (q', Z')$ disregarding the intermediate node. So all nodes visited by the algorithm have time-elapsed zones.

Before continuing exploration from a node $(q, Z)$, the algorithm first checks if $q$ is accepting. If not, the algorithm checks if for some visited node $(q, Z')$, we have $Z \subseteq a_{\preccurlyeq LU}(Z')$. If this is the case, $(q, Z)$ need not be explored. Otherwise, the successors of $(q, Z)$ are computed as stated above. This way we ensure termination of the algorithm since $a_{\preccurlyeq LU}$ is a finitary abstraction [3] (see also Proposition 17).

[Fig. 3. A reachability tree in a zone graph alternating $\tau$ and $\alpha$ edges: from $(q_0, Z_0)$ the tree continues through nodes $(q_1, Z_1)$, $(q_2, Z_2)$, $(q_3, Z_3)$ and their time-elapsed counterparts; the drawing itself is not reproduced here.]

Since the reachability algorithm refers to only time-elapsed zones, Theorems 10 and 15 show that $a_{\preccurlyeq LU}$ is the biggest sound and complete abstraction provided the only thing we know about the structure of the automaton are its $L$ and $U$ bounds. Recall that bigger abstractions make abstract graph smaller, so the exploration algorithm can finish faster.

The refined forward exploration algorithms calculate LU information for each state of the automaton separately [2], or even on-the-fly during exploration [11]. The maximality argument in favour of $a_{\preccurlyeq LU}$ is of course true also in this case.

The last missing piece is an efficient inclusion test $Z \subseteq a_{\preccurlyeq LU}(Z')$. This is the main technical contribution of this paper.

V. AN $O(|X|^2)$ ALGORITHM FOR $Z \subseteq a_{\preccurlyeq LU}(Z')$

In this section, we present an efficient algorithm for the inclusion $Z \subseteq a_{\preccurlyeq LU}(Z')$ (Theorem 34). Since a lot of tests of this kind need to be performed during exploration of the zone graph, it is essential to have a low complexity for this inclusion procedure. We are aiming at quadratic complexity as this is the complexity incurred in the existing algorithms for inclusions of the form $Z \subseteq Z'$ or $Z \subseteq \mathsf{Closure}(\mathsf{Extra}^+_{LU}(Z'))$ [11]. It is well known that all the other operations needed for forward exploration can be done in at most quadratic time [18].

We solve the inclusion problem in two steps. We first concentrate on the question: given a region $R$ and a zone $Z$, when $R \subseteq a_{\preccurlyeq LU}(Z)$ holds. We show the crucial point that this can be decided by verifying if the projection on every pair of variables satisfies this inclusion. Since $a_{\preccurlyeq LU}(Z)$ is not convex we need to find a way to work with $Z$ instead. It turns out that one can define $a^{-1}_{\preccurlyeq LU}(R)$ in such a way that $R \subseteq a_{\preccurlyeq LU}(Z)$ is equivalent to $a^{-1}_{\preccurlyeq LU}(R) \cap Z \ne \emptyset$. We show moreover that $a^{-1}_{\preccurlyeq LU}(R)$ is a zone. This gets us already halfway to the result, the rest being examination of the structure of the intersection. Once the inclusion question is solved with respect to regions, we extend the solution to zones thanks to a method allowing us to quickly tell which regions intersect a given zone.

For the rest of the section, we assume a given automaton $\mathcal{A}$ with LU bounds. Before we begin we will need to recall some standard notions. Let us consider a bound function associating to each clock $x$ of $\mathcal{A}$ a bound $\alpha_x \in \mathbb{N}$ (that is the maximum
Observe that the algorithm should of L and U bounds).A region [1] with respect to α is the set 0 0 not take two consecutive action transitions. Indeed, instead of of valuations specified as follows: 7 (<,∞) is (<,−2). To convert it to canonical form, it is sufficient to (<,∞) (≤,−1) change the weight of the edge x−→y to (<,−2). 0 x y A distance graph of a region R, denoted G , is the (<,−4) (<,∞) R canonical graph representing all the constraints defining R. (<,2) Similarly G for a zone Z. For two distance graphs G , Z 1 Fig.4. Distance graphforthezone(x−y≥1 ∧ y<2 ∧ x>4). G2 which are not necessarily in canonical form, we denote by min(G ,G ) the distance graph where each edge has the 1 2 weightequalto the minimumofthe correspondingweightsin 1) for each clock x∈X, one constraint from the set: G1 and G2. Even though this graph may be not in canonical {x = c | c = 0,...,α }∪{c−1 < x < c | c = form, it should be clear that it represents intersection of the x 1,...,αx}∪{x>αx} two arguments, that is, [[min(G1,G2)]] = [[G1]] ∩ [[G2]]; in other words, the valuationssatisfying the constraintsgivenby 2) for each pair of clocks x,y having interval constraints: min(G ,G ) are exactly those satisfying all the constraints c−1<x<c and d−1<y <d, it is specified if {x} 1 2 from G as well as G . is less than, equal to or greater than {y}. 1 2 We are now in a position to consider the inclusion R ⊆ One can check that the set of regions finitely partitions RX . ≥0 a (Z). The first result says that for every zone Z, the set A notion of a zone has already been recalled on page 3. 4LU a (Z) is a union of regions. Every region is a zone but not vice-versa. The standard 4LU way to represent zones is using difference bound matrices (DBMs) [10]. We will consider an equivalent representation Proposition 17 Let Z be a zone: every region that has a that uses graphs instead of matrices. nonemptyintersectionwith a4LU(Z) is includedin a4LU(Z). 
It will be very convenient to represent zones by distance Beforeprovingtheproposition,webeginwithalemmathat graphs.Suchagraphhasclocksasvertices,withanadditional relates the simulation v 4 v′ and the containment v′ ∈ special clock x representing the constant 0. For readability, LU 0 r (v) defined in page 7. wewilloftenwrite0insteadofx .Betweeneverytwovertices LU 0 thereisanedgewitha weightoftheform(⋖,c)wherec∈Z and ⋖ is either ≤ or <; or (⋖,c) equals (<,∞). An edge Lemma 18 Let v,v′ be valuations such that v 4 v′. Then, LU x −⋖→c y represents a constraint y −x⋖c: or in words, the v′ ∈rLU(v). distancefromxtoyisboundedbyc.Anexampleofadistance Proof:Itisnotdifficulttoseefromthedefinitionof4 graph is depicted in Fig. 4. LU that both v and v′ satisfy the same LU-guards. It remains to Let[[G]]bethesetofvaluationsofclockvariablessatisfying show the second property for v′ to be in r (v). alltheconstraintsgivenbytheedgesofGwiththe restriction LU Let x,y be clocks such that ⌊v(x)⌋ = ⌊v′(x)⌋ and v(x) ≤ that the value of x is 0. We denote a distance graph G by the set of its weigh0ts: (⋖ ,c ) . Ux, v(y)≤Ly. Suppose {v(x)}⋖{v(y)}, for ⋖ being either An arithmetic over theijweijigih,tjs∈X(⋖,c) can be defined as < or =. As v 4LU v′, if v′(x) > v(x), we need v(x) > Ux which is not true. Hence we can conclude that v′(x)≤v(x). follows [5]. Similarly, for y, one can conclude that v′(y) ≥ v(y). As the Equality (⋖ ,c )=(⋖ ,c ) if c =c and ⋖ =⋖ . 1 1 2 2 1 2 1 2 integer parts are the same in v and v′, we get {v′(x)} < Addition (⋖ ,c ) + (⋖ ,c ) = (⋖,c + c ) where 1 1 2 2 1 2 {v′(y)} or {v′(x)} ≤ {v′(y)} depending on whether ⋖ is < ⋖=< iff either ⋖ or ⋖ is <. 1 2 or =. Minus −(⋖,c)=(⋖,−c). Order (⋖1,c1)<(⋖2,c2)ifeitherc1 <c2 or(c1 =c2 Proof of Proposition 17: Let v and w be valuations be- and ⋖1 =< and ⋖2 =≤). longing to the same region. Assume that v ∈ a4LU(Z). So This arithmetic lets us talk about the weight of a path as a there exists a valuation v′ ∈ Z such that v 4 v′. 
From LU weightof the sum of its edges.A cycle in a distance graphG Lemma18, we get v′ ∈rLU(v). Since w belongsto the same is said to be negativeif the sum of the weights of its edges is region as v, one also has v′ ∈ rLU(w). From the adjustment at most (<,0); otherwise the cycle is positive. The following lemma, there exists w′ ∈ nbd(v′) such that w 4 w′. But LU useful lemma is folklore. values in the same neighbourhoodsatisfy the same difference constraints and should hence belong to the same zones. This Lemma 16 A distance graph G has only positive cycles iff gives that w′ ∈Z and hence w ∈a4LU(Z). [[G]]6=∅. A. When is R⊆a (Z)? 4LU A distance graph is in canonical form if the weight of the WewillfirsttransformthequestionabouttheinclusionR⊆ edge from x to y is the lower bound of the weights of paths a (Z)intooneaboutanintersection.Webeginbydefining fromxtoy.Forinstance,thedistancegraphshowninFigure4 an4LoUperator a−1 . is not in canonical form as the weight of the edge x −→ y is 4LU (≤,−1) whereas there is a path x −→ 0 −→ y whose weight 8 Definition 19 (a−1 abstraction) Let W be a set of valu- We begin with the following lemma that shows one side of 4LU ations. Then, a−1 (W) is the set of valuations defined as the implication. 4LU follows: a−1 (W)={v′ | ∃v ∈W with v 4 v′}. Lemma 24 Let v′ be a valuation in a−1 (R). Then, v′ ∈ 4LU LU [[G∗]]. 4LU Next lemma says that deciding if R ⊆ a (Z) can be R 4LU reduced to checking if a−41LU(R) intersects with Z. Proof:LetGR begivenby (⋖ij,cij)i,j∈X andlet G∗R = (⋖′ ,c′ ) be the graph obtained from Definition 22. ij ij i,j∈X Lemma 20 Given a region R and a zone Z, we have We willshowthatvaluationv′ hasto satisfytheconstraints R⊆a4LU(Z) iff a−41LU(R)∩Z 6=∅ Xgiv,ewnebygeGt∗Rv′. T−hvat′ i⋖s,′wce′ w. iFllronmowthsehodwefitnhiattiofnoroefvGer∗y ifi,njit∈e j i ij ij R Proof: Suppose R ⊆ a4LU(Z) and let v ∈ R. 
As v ∈ weightsoccuronlyinedgesoftheformi−→j andj −<−−−−L→j 0 a (Z) too, there exists a valuationv′ ∈Z such that v 4 4LU LU with i ∈B ∪U and j ∈ B ∪L . In the former case, the v′. Now by Definition 19, we get v′ ∈a−1 (R) showing that R R R R v′ belongsto bothZ and a−1 (R). Hen4ceLUa−1 (R)∩Z 6=∅. finite values are in fact (⋖ij,cij). It is enough to consider 4LU 4LU these edges. Suppose a−41LU(R) ∩ Z 6= ∅ and let v′ ∈ a−41LU(R) ∩ Z. Now, as v′ ∈a−1 (R), there exists a valuationv ∈R such This shows that v′ ∈ Z and v 4 v′ for some valuation 4LU LU thatv 4 v′. Thevaluationv satisfies theconstraintsofG , v ∈R.Nowfromthedefinitionof4LU,wegetv ∈a4LU(Z). that is vLU−v ⋖ c . Consider two variables, i ∈ B ∪UR j i ij ij R R Therefore, we have a valuation v such that v ∈ R and v ∈ and j ∈B ∪L . Since v 4 v′, we will have v′ ≥v and a4LU(Z). From Lemma 17, this means R⊆a4LU(Z). v′ ≤ v . RThis cRlearly gives LvU′ −v′ ⋖ c too. Ai lso isince j j i j ij ij We will now focus on the intersection question: when is j ∈LR∪MR, we will have Lj <vj′ ≤vj which shows that a−41LU(R) ∩ Z empty. Given the canonical distance graphs the constraint j −<−−−−L→j 0 is satisfied. G and G for R and Z respectively, the idea is to rep- R Z resent a−1 (R) as a distance graph G∗ and check when The rest of the section is devoted to prove that if v′ ∈G∗ 4LU R R min(G∗R,GZ) has negative cycles. We first partition the set then v′ ∈a−41LU(R). Let v be an arbitrary valuation such that of clocks X into four sets based on the region R and then v ∈ R. We will first show that v′ ∈ r (v). We will then LU define the distance graph G∗ for a−1 (R) based on these giveareverse-adjustmentlemmabelowwhichwillentailthere R 4LU sets. exists a valuation v ∈ nbd(v) such that v 4 v′. Since 1 1 LU v ∈nbd(v), it would also belong to R. 1 Definition 21 (Partitioning clocks based on R) Let R be a region and let G = (⋖ ,c ) be its distance graph in R ij ij i,j∈X Lemma 25 Let R be a region and let v′ ∈ G∗. Then, for canonical form. 
Then, we partition the set of clocks X into R every valuation v ∈R, v′ ∈r (v). four sets: B ,L ,U and M as follows: LU R R R R BR = {x∈X | c0x ≤min(Lx,Ux)}∪x0 Proof: Let v be a valuation in R. From the definition LR = {x∈X | Lx <c0x ≤Ux} of G∗R, it can be easily seen that both v and v′ satisfy the sameLU-guards.Itisthesecondpropertyaboutthefractional U = {x∈X | U <c ≤L } R x 0x x parts for clocks with the same integer parts that needs to be M = {x∈X | max(L ,U )<c } R x x 0x checked. Let x,y be clocks such that ⌊v′(x)⌋ = ⌊v(x)⌋, ⌊v′(y)⌋ = Definition 22 (Distance graph for a−1 (R)) Given a re- 4LU ⌊v(y)⌋ and v(x) ≤ Ux and v(y) ≤ Ly. By the partition of gion R and its associated distance graph in canonical form clocks this means that x ∈/ U and y ∈/ L . From Definition G = (⋖ ,c ) , the distance graph G∗ is given by R R R ij ij i,j∈X R 22, the edge y −→x carries the same weight as that of G in (⋖′ ,c′ ) where: R ij ij i,j∈X G∗. R ⋖d Let ⌊v(x)⌋=c , ⌊v(y)⌋=c and let y −−→x be the edge x y (<,∞) if j ∈MR∪UR in G . This entails that all valuations in R satisfy x−y⋖d. R (⋖′ ,c′ )=(<,∞) if i∈MR∪LR and j 6=0 Hence their fractional parts satisfy: ij ij ((<⋖,−,cLi)) iofthie∈rwMiseR∪LR and j =0 {x}−{y}⋖d−(cx−cy) ij ij The following lemma confirms that the distance graph Suppose {x} < {y} for all valuations and since GR is defined above indeed represents a−41LU(R). ⋖canison<ic.al, we can infer d−(cx−cy) ≤ 0 and if it is 0 then Lemma 23 Let G be the canonical distance graph of a Now consider the graph G∗. Since the edge y −⋖−→d x R R region R. Then [[G∗]]=a−1 (R). remains in G∗, and since v′ ∈ G∗, the valuation v′ should R 4LU R R 9 satisfy v′ −v′ ⋖d and as ⌊v′⌋=c and ⌊v′⌋=c , we get: a−1 (R) ∩Z is empty reduces to checking if the distance x y y y x x 4LU graphmin(G∗,G )hasanegativecycle.TogetG∗,wetook {v′}−{v′}⋖d−(⌊v′⌋−⌊v′⌋) R Z R x y x y G and modified some edges to (<,∞) and some edges of R ⇒ {vx′}−{vy′}⋖d−(cx−cy) theformx−→0 to(<,−Lx). 
So notethatthegraphG∗R need not necessarily be in canonical form. We will now state a necessary and sufficient condition We saw before that either d−(cx−cy)<0 or if it is 0, then for the graph min(G∗,G ) to have a negative cycle. We ⋖ is <. This shows that {v′(x)}<{v′(y)}. denote by Z the wReightZof the edge x −⋖−−xy−c−x→y y in the Theothercasewhen{v(x)}={v(y)}canbeshownexactly xy canonical distance graph representing Z. Similarly for R. in the same manner. When a variable x represents the special clock x , we define 0 R to be (≤,0). Since by convention x is always 0, this is Lemma 26 (Reverse-adjustment) Let v,v′ be valuations 0x 0 consistent. such that v′ ∈ r (v). Then there exists a valuation v ∈ LU 1 nbd(v) such that v 4 v′. 1 LU Proposition 27 LetG ,G bethecanonicaldistancegraphs R Z Proof:Thetaskistopickavaluationv1 thathasthesame foraregionRandazoneZ respectively.Then,min(G∗R,GZ) integralpartsasvandagreestotheorderingoffractionalparts has a negative cycle iff there exists a variable x ∈ BR∪LR as in v. Similar to the proof of the adjustment lemma, it is andavariabley ∈X suchthatoneofthefollowingconditions enoughto choosefractionalpartsfortheclocksX thathave: is true: f • ⌊v′(x)⌋=⌊v(x)⌋, 1) either y ∈BR∪UR and Zxy+Ryx <(≤,0), • {v′(x)}>0 and {v(x)}>0, 2) or y ∈LR∪MR and R0x+Zxy+(<,−Ly)<(≤,0). • v(x)<max(Ux,Lx). The proof of Proposition 27 follows from Lemmas 29 Again, as v′ ∈r (v), we have the following property: LU and 30 below whose proofs in turn rely on an important observation made in Lemma 28. We say that a variable x ∀x,y ∈X such that v(x)≤U and v(y)≤L (3) f x y is bounded in R if a constraint x ≤ c holds in R for some {v(x)}<{v(y)}⇒{v′(x)}<{v′(y)} constant c. 
{v(x)}={v(y)}⇒{v′(x)}≤{v′(y)} Lemma 28 Let x, y be bounded variables of R appearing in Let 0δ < δ < ··· < δ < 1 be the fractional parts taken 1 2 n somenegativecycleN ofmin(G∗,G ).Lettheedgeweights by clocks of Xf in v and let Xi be defined as follows: be x −⋖−−xy−c−x→y y and y −⋖−−yx−c−y→x xRinZG . If the value of the R Xi ={x∈Xf | {v(x)}=δi} path x −→ ... −→ y in N is strictly less than (⋖ ,c ), then xy xy for i∈{1,...,n}. x−→...−→y −⋖−−yx−c−y→x x is a negative cycle. We will now select n values 0<σ <σ <···<σ <1 1 2 n Proof: Let the path x −→ ... −→ y in N have weight and set for all clocks x ∈ X , the {v (x )} to be δ . We i i 1 i i (⋖,c). Now, since x and y are bounded variables in R, we perform an induction involving n steps. can have either y −x = d or d−1 < y−x < d for some Afterthekth stepoftheinductionweassumethefollowing integer d. hypothesis: ≤d ≤−d In the first case, we have edges x −−→ y and y −−−→x in • we have picked values 0 < σn−k+1 < σn−k+2 < ··· < G , that is (⋖ ,c ) = (≤,d) and (⋖ ,c ) = (≤,−d). σ <1, R xy xy yx yx n Sincebyhypothesis(⋖,c)isstrictlylessthan(≤,d),wehave • for all clocks x∈Xn−k+1∪Xn−k+2···∪Xn, the 4LU either c < d or c = d and ⋖ is the strict inequality. Hence condition is satisfied, • for all clocks y ∈X1∪X2···∪Xn−k, we have (⋖,c)+(≤,−d)<(≤,0)showingthatx−→...−→y −⋖−−yx−c−y→x x is a negative cycle. v′(y)≤U ⇒{v′(y)}<σ (4) <d <−d+1 y n−k+1 Inthesecondcase,wehaveedgesx−−→y andy −−−−−→x Let us now perform the k + 1th step and show that the inGR,thatis,(⋖xy,cxy)=(<,d)and(⋖yx,cyx)=(<,−d). hypothesisis truefork+1.Thetask istopickσ . We first Herec<dandagainx−→...−→y −⋖−−yx−c−y→x xgivesanegative n−k define two values 0<l′ <1 and 0<u′ <1 as follows: cycle. l′ = min{ {v′(z)} | z ∈X and v′(z)≤L } n−k z Lemma 29 Suppose there exists a negative cycle in u′ = max{ {v′(z)} | z ∈Xn−k and v′(z)≤Uz }∪σn−k+1 min(G∗R,GZ) containing no edges of the form x −<−−−−L→x 0. It can be shown that u′ ≤l′. 
The rest of the proof follows Then, there exist variables x ∈ BR ∪LR and y ∈ BR ∪UR such that Z +R <(≤,0). in exactly the same lines as that of the adjustment lemma. xy yx We now have two distance graphs G∗R, GZ correspond- Proof: Let N be a negative cycle of min(G∗R,GZ) ing to a−1 (R) and Z respectively. Therefore, checking if containing no edges of the form x −<−−−−L→x 0. Therefore the 4LU 10
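The distance-graph machinery and the construction of G*_R, as an added example in Python that is not part of the paper: the weight arithmetic and order, the edge-wise min, canonical form by closure, the negative-cycle test of Lemma 16, Definition 22, and the resulting test R ⊆ a_{4LU}(Z) iff a⁻¹_{4LU}(R) ∩ Z ≠ ∅ (Lemmas 20 and 23). The zone is the one of Fig. 4; the region R = (x > 4 ∧ y > 2) and the LU bounds used with it are constructed for this example.

```python
# Added example (not from the paper): weights (⋖,c), edge-wise min, canonical
# form, the negative-cycle test of Lemma 16 and the graph G*_R of Definition 22,
# combined into the test R ⊆ a4LU(Z) iff min(G*_R, G_Z) has no negative cycle.
# A weight is a pair (strict, c): strict=True stands for '<', False for '≤'.
from itertools import product

INF = (True, float("inf"))   # the weight (<,∞)
ZERO = (False, 0)            # the weight (≤,0)

def add(w1, w2):
    """(⋖1,c1)+(⋖2,c2) = (⋖,c1+c2), strict iff either operand is strict."""
    return (w1[0] or w2[0], w1[1] + w2[1])

def less(w1, w2):
    """(⋖1,c1) < (⋖2,c2) iff c1 < c2, or c1 = c2 with ⋖1 = '<' and ⋖2 = '≤'."""
    return w1[1] < w2[1] or (w1[1] == w2[1] and w1[0] and not w2[0])

def graph(nodes, edges):
    """Distance graph; node "0" is x0; edge (i,j) -> (⋖,c) means j - i ⋖ c."""
    g = {i: {j: (ZERO if i == j else INF) for j in nodes} for i in nodes}
    for (i, j), w in edges.items():
        g[i][j] = w
    return g

def canonical(g):
    """Floyd-Warshall closure: each edge becomes the lower bound over all paths."""
    h = {i: dict(row) for i, row in g.items()}
    for k, i, j in product(h, repeat=3):
        if less(add(h[i][k], h[k][j]), h[i][j]):
            h[i][j] = add(h[i][k], h[k][j])
    return h

def has_negative_cycle(g):
    """Lemma 16: [[G]] = ∅ iff some cycle weighs at most (<,0), i.e. < (≤,0)."""
    h = canonical(g)   # after closure such a cycle shows up on the diagonal
    return any(less(h[i][i], ZERO) for i in h)

def min_graph(g1, g2):
    """Edge-wise minimum; [[min(G1,G2)]] = [[G1]] ∩ [[G2]]."""
    return {i: {j: (g1[i][j] if less(g1[i][j], g2[i][j]) else g2[i][j])
                for j in g1[i]} for i in g1}

def g_star(gR, L, U):
    """Definition 22 on the canonical graph of R. c_0x (weight of 0->x) is the
    upper bound of x in R, so M_R∪U_R = {x: c_0x > U_x}, M_R∪L_R = {x: c_0x > L_x}."""
    c0 = {x: gR["0"][x][1] for x in gR if x != "0"}
    above_U = {x for x in c0 if c0[x] > U[x]}
    above_L = {x for x in c0 if c0[x] > L[x]}
    def weight(i, j):
        if j in above_U:
            return INF
        if i in above_L:
            return (True, -L[i]) if j == "0" else INF
        return gR[i][j]
    return {i: {j: weight(i, j) for j in gR} for i in gR}

def region_in_abstraction(gR, gZ, L, U):
    """R ⊆ a4LU(Z) iff a^{-1}_{4LU}(R) ∩ Z ≠ ∅ (Lemmas 20 and 23)."""
    return not has_negative_cycle(min_graph(g_star(canonical(gR), L, U), gZ))

# Zone of Fig. 4, Z = (x−y ≥ 1 ∧ y < 2 ∧ x > 4): edges x→y, 0→y and x→0.
GZ = graph(["0", "x", "y"],
           {("x", "y"): (False, -1), ("0", "y"): (True, 2), ("x", "0"): (True, -4)})
# Constructed region R = (x > 4 ∧ y > 2), both clocks above their maximal bounds.
GR = graph(["0", "x", "y"], {("x", "0"): (True, -4), ("y", "0"): (True, -2)})
```

With L_y = 1 < U_y = 2 the region's y > 2 is simulated by valuations with 1 < y < 2 inside Z, so R ⊆ a_{4LU}(Z); with L_y = U_y = 2 the edge y → 0 of G*_R becomes (<,−2) and closes a negative cycle with Z's 0 → y, so R is not included.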