Synthesis for Event-Recording Automata

. We address the veriﬁcation of timed concurrent systems with unknown or uncertain constants considered as parameters. First, we introduce parametric event-recording automata (PERAs), as a new subclass of parametric timed automata (PTAs). Although in the non-parametric setting event-recording automata yield better decidability results than timed automata, we show that the most common decision problem remains undecidable for PERAs. Then, given one set of components with parameters and one without, we propose a method to compute an abstraction of the non-parametric set of components, so as to improve the veriﬁcation of reachability properties in the full (parametric) system. We also show that our method can be extended to general PTAs. We implemented our method, which shows promising results.


Introduction
Verifying distributed systems involving timing constraints is notoriously difficult, especially when timing constants may be uncertain.This problems becomes even more difficult (often intractable) in the presence of timing parameters, unknown timing constants.Parametric reachability synthesis aims at synthesizing timing parameter valuations for which a set of (usually bad) states is reachable.Parametric timed automata (PTAs) [2] is a parametric extension of timed automata (TAs) to model and verify models involving (possibly parametric) timing constraints and concurrency.Its high expressiveness comes with the drawback that most interesting problems are undecidable [3].Related Work.Despite undecidability of the theoretical problems, several monolithic (non-compositional) techniques for parametric reachability synthesis in PTAs have been proposed in the past, either in the form of semi-algorithms (a procedure that is correct but may not terminate), or using approximations.In [2], a basic semi-algorithm (called EFsynth in [14]) has been proposed: it explores the symbolic state space until bad states are found, and gathers the associated parameter constraints.In [12], approximated parametric reachability synthesis is performed using counter-example guided abstraction refinement (CEGAR) techniques for parametric linear hybrid automata, a class of models more expressive than PTAs.In [7], we proposed a point-based technique: instead of attacking the reachability synthesis in a brute-force manner, we iterate on (some) integer parameter valuations, and derive for each of them a constraint around this valuation that preserves the (non-)reachability of the bad locations.Although numerous iterations may be needed, each of them explores a much smaller part of the state space than the brute-force exploration of EFsynth, often resulting in a faster execution than EFsynth.
Distributed systems are often made of a set of components interacting with each other; taking advantage of the compositionality is a goal often desired to speed up verification.In [11], a learning-based approach is proposed to automate compositional verification of untimed systems modeled by labeled transition systems (LTS).For timed systems, we proposed a learning-based compositional verification framework [15] for event-recording automata (ERAs), a subclass of TAs for which language inclusion is decidable [1].This approach showed to be much faster than monolithic verification.
The recent work [9] is close to our goal, as it proposes an approach for compositional parameter synthesis, based on the derivation of interaction and component invariants.The method is implemented in a prototype in Scala, making use of IMITATOR [5].Whereas both [9] and our approach address reachability or safety properties, the class of PTAs of [9] is larger; conversely, we add no further restrictions on the models, whereas in [9] all clocks and (more problematically) parameters must be local to a single component and cannot be shared.

Contribution.
In this work, we propose an approach relying on a pointbased technique for parametric reachability synthesis, combined with learningbased abstraction techniques, for a subclass of PTAs, namely parametric eventrecording automata.We propose this subclass due to the decidability of the language inclusion in the non-parametric setting.We consider a set of parametric components A (where parameters are dense in a bounded parameter domain D 0 ) and a set of non-parametric components B, with their parallel composition denoted by A B. For each integer parameter valuation v not yet covered by a good or bad constraint, we try to compute, by learning, an abstraction B of B s.t.v(A) B does not reach the bad locations.We then "enlarge" the valuation v using the abstract model A B, which yields a dense good constraint; we prove the correctness of this approach.If the learning fails to compute an abstraction, we derive a counter-example, and we then replay it in the fully parametric model A B, which allows us to derive very quickly a bad dense constraint.We iterate until (at least) all integer points in D 0 are covered.In practice, we cover not only all rational-valued in D 0 , but in fact the entire parameter space (except for one benchmark for which we fail to compute a suitable abstraction).
We propose the following technical contributions: 1. we introduce a parametrization of event-recording automata (PERAs); 2. we show that the reachability emptiness problem is undecidable for PERAs; 3. we then introduce our approach that combines iteration-based synthesis with learning-based abstraction; 4. we implement our approach into a toolkit using IMITATOR and CV, and we demonstrate its efficiency on several case studies.
Outline.Section 2 introduces the necessary preliminaries.Section 3 recalls the parametric reachability preservation [7].Section 4 introduces parametric eventrecording automata, and proves the undecidability of the reachability emptiness problem.Section 5 introduces our main contribution, and Sect.6 evaluates it on benchmarks.Section 7 concludes the paper.

Clocks, Parameters and Constraints
Let N, Z, Q + and R + denote the sets of non-negative integers, integers, nonnegative rational and non-negative real numbers respectively.Throughout this paper, we assume a set X = {x 1 , . . ., x H } of clocks, realvalued variables that evolve at the same rate.A clock valuation is a function μ : X → R + .We write 0 for the clock valuation that assigns 0 to all clocks.Given d ∈ R + , μ + d denotes the valuation such that (μ + d)(x) = μ(x) + d, for all x ∈ X.Given R ⊆ X, we define the reset of a valuation μ, denoted by [μ] R , as follows: [μ] R (x) = 0 if x ∈ R, and [μ] R (x) = μ(x) otherwise.
We assume a set P = {p 1 , . . ., p M } of parameters, unknown rational-valued constants.A parameter valuation (or point ) v is a function v : P → Q + .
In the following, we assume ∈ {<, ≤} and ∈ {<, ≤, ≥, >}.Throughout this paper, lt denotes a linear term over X ∪ P of the form 1≤i≤H α i x i + 1≤j≤M β j p j + d, with α i , β j , d ∈ Z.Similarly, plt denotes a parametric linear term over P , that is a linear term without clocks (α i = 0 for all i).A constraint C (a convex polyhedron) over X ∪ P is a conjunction of inequalities of the form lt 0. Given a parameter valuation v, v(C) denotes the constraint over X obtained by replacing each parameter p in C with v(p).Likewise, given a clock valuation μ, μ(v(C)) denotes the Boolean value obtained by replacing each clock x in v(C) with μ(x).
A guard g is a constraint over X ∪ P defined by a conjunction of inequalities of the form x plt.
A parameter constraint K is a constraint over P .We write v |= K if v(K) evaluates to true.⊥ (resp.) denotes the special parameter constraint containing no (resp.all) parameter valuations.We will sometime manipulate non-convex constraints over P , finite unions of parameter constraints.Such non-convex constraints can be implemented using finite lists of constraints, and therefore all definitions extend in a natural manner to non-convex constraints.
A parameter domain is a box parameter constraint, a conjunction of inequalities of the form p d, with d ∈ N. A parameter domain D is bounded if, for each parameter, there exists in D an inequality p d (recall that, additionally, all parameters are bounded below from 0 as they are non-negative).Therefore D can be seen as a hypercube in M dimensions.

Parametric Timed Automata
Definition 1 (PTA).A parametric timed automaton (hereafter PTA) A is a tuple (Σ, L, l 0 , X, P, I, E), where: (i) Σ is a finite set of actions, (ii) L is a finite set of locations, (iii) l 0 ∈ L is the initial location, (iv) X is a finite set of clocks, (v) P is a finite set of parameters, (vi) I is the invariant, assigning to every l ∈ L a guard I(l), (vii) E is a finite set of edges e = (l, g, a, R, l ) where l, l ∈ L are the source and target locations, a ∈ Σ, R ⊆ X is a set of clocks to be reset, and g is a guard.
Given a PTA A and a parameter valuation v, we denote by v(A) the nonparametric timed automaton where all occurrences of a parameter p i have been replaced by v(p i ).
As usual, PTAs can be composed by performing their parallel composition, their synchronized product on action names.

Definition 2 (Concrete semantics).
Given a PTA A = (Σ, L, l 0 , X, P, I, E), and a parameter valuation v, the concrete semantics of v(A) is given by the timed transition system (S, s 0 , →), with ) is true}, s 0 = (l 0 , 0), and → consists of the discrete and delay transition relations: We consider as usual that concrete runs strictly alternate delays d i and discrete transitions e i and we thus write concrete runs in the form , where a i is the action of e i for all i.The trace set of v(A) is the set of traces associated with all runs of A.

Symbolic Semantics.
Let us recall the symbolic semantics of PTAs (as in e. g., [4,14]).We define the time elapsing of a constraint C, denoted by C , as the constraint over X and P obtained from C by delaying all clocks by an arbitrary amount of time.That is, as the constraint obtained from C by resetting the clocks in R, and keeping the other clocks unchanged.We denote by C↓ P the projection of C onto P , obtained by eliminating the clock variables (e. g., using Fourier-Motzkin).
A parametric zone is a convex polyhedron over X ∪ P in which constraints are of the form x plt, or x i −x j plt, where x i , x j ∈ X and plt is a parametric linear term over P .
A symbolic state is a pair s = (l, C) where l ∈ L is a location, and C its associated parametric zone.The initial symbolic state of The symbolic semantics relies on the Succ operation.Given a symbolic state s = (l, C) and an edge e = (l, g, a, R, l ), The Succ operation is effectively computable, using polyhedra operations; also note that the successor of a parametric zone C is a parametric zone (see e. g., [14]).
A symbolic run of a PTA is an alternating sequence of symbolic states and edges starting from the initial symbolic state, of the form s 0 such that for all i = 0, . . ., m − 1, we have e i ∈ E, and s i+1 = Succ(s i , e i ).
Given a symbolic run s 0

Parametric Reachability Preservation
Let us briefly recall the parametric reachability preservation algorithm PRP [7].Given a set of locations L , PRP(A, v, L ) synthesizes a dense (convex) constraint K containing at least v and such that, for all v ∈ K, v (A) preserves the reachability of L in v(A).By preserving the reachability of L in v(A), we mean that some locations of L are reachable in v (A) iff they are in v(A).That is, if v(A) is safe (it does not reach L ), then v (A) is safe too.Conversely, if v(A) is unsafe (L is reachable for some runs), then v (A) is unsafe too.
Lemma 1 (Soundness of PRP [7]).Let A be a PTA, v a parameter valuation, and L a subset of locations.
A specificity of PRP is that it does not aim at completeness; instead, it focuses on behaviors "similar" to that of v(A) so as not to explore a too large part of the state space, and outputs valuations neighboring v.A sort of completeness can be achieved by iterating PRP on various parameter valuations: when v(A) has computed K, the algorithm can be called again on a valuation v 2 "neighbor" of the result K, and so on until either the entire parameter space has been covered, or when a certain coverage of a bounded parameter domain has been achieved (e. g., 99 %).This iterated version is called PRPC (for PRP cartography), takes as input a PTA A and a bounded parameter domain D 0 , and iteratively calls PRP on parameter valuations of D 0 with a given precision (e. g., at least all integervalued).This gives a cartography of D 0 with a union K good of safe constraints (valuations for which L is unreachable) and a union K bad of unsafe constraints (for which L is reachable).Although only the coverage of the discrete points (e. g., integer-valued) can be theoretically guaranteed, PRPC often covers most (if not all) of the dense state space within D 0 , and often outside too.

Parametric Event-Recording Automata
Event-recording automata (ERAs) [1] are a subclass of timed automata, where each action label is associated with a clock such that, for every edge with a label, the associated clock is reset.We propose here a parametric extension of ERAs, following the parameterization of TAs into PTAs.Formally, let Σ be a set of actions: we denote by X Σ the set of clocks associated with Σ, {x a | a ∈ Σ}.A Σ-guard is a guard on X Σ ∪ P .

Definition 3 (PERAs).
A parametric event-recording automaton (PERA) is a tuple (Σ, L, l 0 , P, I, E), where: (i) Σ is a finite set of actions, (ii) L is a finite set of locations, (iii) l 0 ∈ L is the initial location, (iv) P is a finite set of parameters, (v) I is the invariant, assigning to every l ∈ L a Σ-guard I(l), (vi) E is a finite set of edges e = (l, g, a, x a , l ) where l, l ∈ L are the source and target locations, a ∈ Σ, x a is the clock to be reset, and g is a Σ-guard.
Just as for ERAs, PERAs can be seen as a syntactic subclass of PTAs: a PERA is a PTA for which there is a one-to-one matching between clocks and actions and such that, for each edge, the clock corresponding to the action is the only clock to be reset.
Following the conventions used for ERAs, we do not explicitly represent graphically the clock x a reset along an edge labeled with a: this is implicit.
Example 1. Figure 1 depicts an example of PERA with 3 actions (and therefore 3 clocks x a , x b and x c ), and one parameter p.Only clock x a is used in a guard.
It is well-known that the EF-emptiness problem ("is the set of parameter valuations for which it is possible to reach a given location empty?") is undecidable for PTAs [2,6].Reusing the proof of [6], we show below that this remains undecidable for PERAs.This negative result rules out the possibility to perform exact synthesis for PERAs.Still, in the next section, we propose an approach that is sound, though maybe not complete: the synthesized valuations are correct, but some may be missing.More pragmatically, we aim at improving the synthesis efficiency.

Partitioning the System
The proof rule is presented in the context of two components.If a system consists of more than two components, an intuitive way is to partition the components into two groups to fit the proof rule.For example, if we have four components M 1 , M 2 , M 3 , and M 4 , we could partition them as A = M 1 M 2 and B = M 3 M 4 .However, the number of possible partitions is exponential to the number of components.In addition, an investigation [10] showed that a good partition is very critical to AGR because it affects the verification performance significantly.In this work, we adopt the following heuristics: 1.If a component has timing parameters, it is collected in group A; 2. If a component shares common action labels with the property, the component is collected in group A.
Other components are collected in group B. Heuristics 1 is required for our approach to be sound.Concerning heuristics 2, in AGR, the ideal case is when A satisfies the property with the weakest assumption B that allows everything, A itself is sufficient to prove the property no matter how B behaves.Based on this observation, the rationale behind heuristics 2 is that if a component shares common action labels with the property, it is very likely to be necessary to prove the property.We will show that heuristics 2 indeed yields good performance in practice.

Computing an Abstraction via Learning
Let us explain how to automatically generate B by learning for non-parametric timed systems.We adopt the TL * algorithm [15], which is a learning algorithm to infer ERAs.The TL * algorithm has to interact with a teacher.The interaction between them is shown in Fig. 2b.Notice that only the teacher knows about the ERA (say U ) to be learned.During the learning process, the TL * algorithm makes two types of queries: membership and candidate queries.
A membership query asks whether a word is accepted by U .After several membership queries, TL * constructs a candidate ERA C, and makes a candidate query for it.A candidate query asks whether an ERA accepts the same timed language as U .If the teacher answers "yes", then the learning process is finished, and C is the ERA learned by TL * .If the candidate C accepts more (or less) timed words than U , the teacher answers "no" with a counterexample run ρ.TL * will refine the candidate ERA based on the counterexamples provided by the teacher until the answer to the candidate query is "yes".See [15] for details.
The two condition checkings in Fig. 3 (A C |= ϕ and B |= C) can be done by model checking, and counterexamples given by model checking can also serve as counterexamples to the TL * algorithm.Figure 3 shows our overall procedure LearnAbstr(B, A, ϕ) that returns either an assumption (denoted by Abstraction( B)) when it is proved that A B |= ϕ holds, or a counterexample (denoted by Counterex(τ )) otherwise.Counterex and Abstraction are "tags" containing a value, in the spirit of data exchanged in distributed programming or types in functional programming; these tags will be used later on to differentiate between the two kinds of results output by LearnAbstr.Also note that, in our setting, we need a counterexample in the form of a trace τ , which is why LearnAbstr returns Counterex(trace(ρ)).

Lemma 2. Let A, B be two ERAs. Assume LearnAbstr(B, A, ϕ) terminates with result Abstraction( B). Then A B |= ϕ and A B |= ϕ.
Proof.Abstraction( B) is returned only if A B |= ϕ and B |= B. Thus, A B |= ϕ holds.In addition, according to Fig. 2a, we can conclude that A B |= ϕ.

Replaying a Trace
In this section, we explain how to synthesize the exact set of parameter valuations for which a finite trace belongs to the trace set.Replaying a trace is close to two undecidable problems for PTAs: (i) the reachability of a location is undecidable for PTAs [2], and therefore this result trivially extends to the reachability of a single edge; (ii) the emptiness of the set of valuations for which the set of untimed words is the same as a given valuation is undecidable for PTAs [8] (where a proof is provided even for a unique untimed word).Nevertheless, computing the set of parameter valuations for which a given finite trace belongs to the trace set can be done easily by exploring a small part of the symbolic state space as follows.
We give our procedure ReplayTrace(A, τ) in Algorithm 1. Basically, Replay-Trace computes the symbolic run equivalent to τ , and returns the projection onto P of the last symbolic state of that run.The correctness of ReplayTrace comes from the following results (proved in, e. g., [13]):

Lemma 3. Let A be a PTA, and let ρ be a run of A reaching (l, C). Let v be a parameter valuation. There exists an equivalent run in
Proof.From [13, Propositions 3.17 and 3.18].

Lemma 4.
Let A be a PTA, let v be a parameter valuation.Let ρ be a run of v(A) reaching (l, μ).Then there exists an equivalent symbolic run in A reaching (l, C), with v |= C↓ P .
(i) Assume v |= K good .From Algorithm 2, K good is a finite union of convex constraints, each of them being the result of a call to PRP.Necessarily, v |= K, where K is one of these convex constraints, resulting from a call to (A B, v ), for some v .From Lemma 2, v (A) B |= (AG¬L ).Since B and B are non-parametric, we can write v straints, each of them being the result of a call to ReplayTrace.Necessarily, v |= K, where K is one of these convex constraints, resulting from a call to ReplayTrace(A B, τ) for some trace τ reaching L .This trace was generated by LearnAbstr for some v and is a valid counter-example, this trace τ

Proposition 3 (integer-completeness).
Let A be a PERA and D 0 be a bounded parameter domain.Assume CompSynth(A, B, D 0 , L ) terminates with result (K good , K bad ).
Then, for all v ∈ D 0 ∩ N, v ∈ K good ∪ K bad .
Remark 1.Note that the integerness can be scaled down to, e. g., multiples of 0.1, or in fact arbitrarily small numbers.The time needed to perform the verification might grow, but the coverage of all these discrete points is still guaranteed.

Handling General PTAs
So far, we showed that our framework is sound for PERAs.We now show that, since we address only reachability, any PTA can be transformed into an equivalent PERA, and therefore our framework is much more general.The idea is that, since we are interested in reachability properties, we can rename some of the actions so that the PTA becomes a PERA.Basically, we remove any action labels along the edges, and we add them back as follows: (1) if clock x is reset along an edge, the action label will be a x ; (2) if no clock is reset along an edge, the action label will be na, where na is a (unique) label, the clock associated to which (say x na ) is never used (in guards and invariants) in the PERA; note that, by definition, x na is reset along each edge labeled with na (although this has no impact in the PERA); (3) if more than one clock is reset along the edge, we split the edge into 2 consecutive edges in 0-time, where each clock is reset after the other, following the mechanism described above.Note that the 0-time can be ensured using an invariant x ≤ 0, where x is the first clock to be reset.
Basically, our transformation leaves the structure of the PTA unchanged (with the exception of a few transitions in 0-time to simulate multiple simultaneous clock resets).For each parameter valuation, the resulting PERA has the same timed language as the original PTA -up to action renaming and with the introduction of some 0-time transitions (that could be considered as silent transitions if the language really mattered).Therefore, reachability is preserved.
Note that this construction provides an alternative proof for Theorem 1. Remark 2. In our benchmarks, although we only address reachability, action labels are not entirely useless: they are often used for action synchronization between components.Therefore, renaming all actions is not a valid transformation, as components may not synchronize anymore the way it was expected.In fact, we ensured that our models either only work using interleaving (no action synchronization) or, when various components of a PTA synchronize on an action label, at most one clock is reset along that transition for all PTAs synchronizing on this action label.

Experiments
We implemented our method in a toolkit made of the following components: -IMITATOR [5] is a state of the art tool for verifying real-time systems modeled by an extension of PTAs with stopwatches, broadcast synchronization and integer-valued shared variables.IMITATOR is implemented in OCaml, and the polyhedra operations rely on the Parma Polyhedra Library (PPL).
by LearnAbstr, and the learning time required by LearnAbstr)."T.O." denotes a timeout (>600 s).FMS-1 and -2 are two versions of a flexible manufacturing system [15] (Fig. 1 depicts the conveyor component of FMS-1).AIP is a manufacturing system producing two products from two different materials [15].Fischer-3 (resp.4) is a PERA version of the mutual exclusion protocol with 3 (resp.4) processes; it was obtained using the transformation in Sect.6.1.
Comparison.Although reachability synthesis is intractable for PERAs (Theorem 1), CompSynth always terminates for our case studies (except for Fischer, for which the abstraction computation is too slow).In contrast, EFsynth does often not terminate.In addition, CompSynth always gives a complete (dense) result not only within D 0 but in fact in the entire parameter domain (Q M + ).First, CompSynth outperforms PRPC for all but one benchmark: this suggest to use CompSynth instead of PRPC in the future.
Second, CompSynth is faster than EFsynth in 13/20 cases.In addition, whereas EFsynth often does not terminate, CompSynth always outputs a result (except for Fischer).In some cases (FMS-2:3, FMS-2:4, AIP:4), EFsynth is much faster because it immediately derives ⊥, whereas CompSynth has to compute the abstraction first.Even in these unfavorable cases, CompSynth is never much behind EFsynth: the worst case is AIP:4, with 8 s slower.This suggests that CompSynth may be preferred to EFsynth for PERAs benchmarks. in almost all benchmarks, at most one abstraction (for good valuations) and one counter-example (for bad valuations) is necessary for CompSynth.In addition, most of the computation time of CompSynth (71 % in average) comes from LearnAbstr; this suggests to concentrate our future optimization efforts on this part.Perhaps an on-the-fly composition mixed with synthesis could help speeding-up this part; this would also solve the issue of constraints ⊥ synthesized only after the abstraction phase is completed (FMS-2:3, FMS-2:4, AIP:4).
For Fischer, our algorithm is very inefficient: this comes from the fact that the model is strongly synchronized, and the abstraction computation does not terminate within 600 s.In fact, in both cases, LearnAbstr successfully derives very quickly a counter-example that is used by CompSynth to immediately synthesize all "bad" valuations; but then, as LearnAbstr fails in computing an abstraction, the good valuations are not synthesized.Improving the learning phase for strongly synchronized models is on our agenda.
We were not able to perform a comparison with [9]; the prototype of [9] always failed to compute a result.In addition, our Fischer benchmark does not fit in [9] as Fischer makes use of shared parameters.
Size of the Parameter Domain.Algorithm 2 is based on an enumeration of integer points: although we could use an SMT solver to find the next uncovered point, in our implementation we just enumerate all points, and therefore the size of D 0 may have an impact on the efficiency of CompSynth.Table 2 shows the impact of the size of D 0 w.r.t.CompSynth."find next point" is the time to find the next uncovered point (and therefore includes the enumeration of all points).The overhead is reasonable up to 1,000,000 points, but then becomes very significant.Two directions can be taken to overcome this problem for very large parameter domains: (1) using an SMT solver to find the next uncovered point; or (2) using an on-the-fly refinement of the precision (e. g., start with multiples of 100, then 10 for uncovered subparts of D 0 , then 1. . .until D 0 ⊆ K bad ∪ K good ).
Partitioning.Finally, although the use of heuristic 2 is natural, we still wished to evaluate it.Results show that our partitioning heuristic yields always the best execution time, or almost the best execution time.

Conclusion and Perspectives
We proposed a learning-based approach to improve the verification of parametric distributed timed systems, that turns to be globally efficient on a set of benchmarks; most importantly, it outputs an exact result for most cases where the monolithic procedure EFsynth fails.
Among the limitations of our work is that the input model must be a PERA (although we provide an extension to PTAs), and that all parametric ERAs must be in the same component A. How to lift these assumptions is on our agenda.
Another perspective is the theoretical study of PERAs, their expressiveness and decidability (beyond EF-emptiness, that we proved to be undecidable).
Finally, addressing other properties than reachability is also on our agenda.

Theorem 1 .
The EF-emptiness problem is undecidable for PERAs, even with bounded parameters.Proof.The proof works by adapting to PERAs the proof of [6, Theorem 1].

Example 2 .Fig. 4 .
Fig. 4. General PTA and its translation to a PERA

Table 2 .
Experiments: scalability w.r.t. the reference domain