The Theory of Reachability Analysis Method Using Abstraction and Refinement of Priced Probabilistic Timed Automaton, and Its Application to Design Verification of Wireless Sensor Networks

1. Introduction

The design and reliability assurance of embedded systems is a complex issue, since they need to deal not only with digital behavior but also with physical quantities such as time and cost, and sometimes with probabilistic behavior [1,2]. In addition, since many embedded systems, such as networks and automobiles, have systems in which errors can be fatal, design verification for reliability assurance is an important research topic. With the above background, we adopt the approach of specifying and verifying embedded systems by formal models. Specifically, we focus on priced probabilistic timed automaton [3] as a specification description language, and propose a reachability analysis method based on Counterexample-guided abstraction refinement (CEGAR) [4,5] in order to reduce the state explosion.

Using a wireless sensor network [6] with time, cost, and probabilistic behavior as a case study, we propose and show the effectiveness of a reachability analysis method using Counterexample-guided abstraction refinement (CEGAR) to reduce the state explosion by using a priced probabilistic timed automaton. For sensor nodes, which are the components of WSNs, there are physical quantities such as time and cost, as well as probabilistic behaviors, which can be described and verified using a priced probabilistic timed automaton. However, when the nodes operate in parallel and constitute a network that covers a wide area, the number of nodes becomes enormous, and the state explosion phenomenon is induced in the model of the entire network, making the verification of WSNs as a whole difficult. For this reason, despite its paramount importance, there are few examples of studies on model checking of priced probabilistic timed automata such as WSNs.

Related studies include the following:

1.

A. Demaille et al. at EPITA Research and Development Laboratory modeled WSNs in a probabilistic reactive module and used Approximate Probabilistic Model Checker tool. Using this Model Checker, A. Demaille et al. have performed an approximation to reduce the increase in the state space, and have also verified the properties of the network [7]. However, it has yet to express real-time performance, which is an important characteristic in embedded systems.

2.

J. Berendsen et al. at University of Twente have done a reachability analysis [3] of priced probabilistic timed automata, a subclass of probabilistic linear hybrid automata. However, J. Berendsen et al. have not proposed a method to avoid the state explosion.

3.

Based on the paper [3], J. Berendsen et al. have developed a reachability analyzer Fortuna [8], which is the only model checker for priced probabilistic timed automata, Fortuna is able to compute the maximal probability by which a state can be reached under a certain cost-bound (and time-bound). In other words, Fortune verifies cost-bounded maximal reachability (CBMR). We too will verify CBMR. Fortuna [8] is a verification by backward zone graphing, not a study from the viewpoint of the state space reduction.

In this paper, we propose cost-bounded maximal reachability using CEGAR of a priced probabilistic timed automaton aiming at reducing the state explosion. To demonstrate the proposed method, we model WSN as a case study by expressing power characteristics in terms of cost, uncertainty in terms of probability, and real-time performance in terms of time, using a priced probabilistic timed automaton. Then, the properties of WSNs are attributed to the cost-bounded maximal probability reachability problem, and the reachability analysis by CEGAR is performed. To the best of our knowledge, this paper is the first CEGAR development and implementation of a priced probabilistic timed automaton. We have developed a prototype verifier to demonstrate the effectiveness of the proposed method.

This paper is organized as follows. In Section 2, we define a priced probabilistic timed automaton. Section 3 defines the verification problem, Section 4 describes the verification method of predicate abstraction and refinement, and Section 5 proposes priced probabilistic timed CEGAR and its examples. Finally, a summary is given in Section 6.

2. Priced Probabilistic Timed Automaton

In this section, we define the syntax and semantics of a priced probabilistic timed automaton [3].

2.1. Preliminaries

First, as a preliminary step, we define discrete probability distributions to express probabilities, clock variables to express real-time characteristics, and cost variables to express power characteristics, and also define MP zones to treat clock variables and cost variables as a set.

Definition 1.(Discrete probability distribution)

The set of discrete probability distributions on the countable state set $\mathcal{S}$ is denoted by $Dist\left(\mathcal{S}\right)$. $\mu \in Dist\left(\mathcal{S}\right)$ is a function $\mu :\mathcal{S}\to [0,1]$.However, ${\sum }_{s\in \mathcal{S}}\mu \left(s\right)=1$ and $\left\{s\mid s\in \mathcal{S}and\mu \left(s\right)>0\right\}$ is a finite set. □

Next, we define the clock variables representing the passage of time, the valuation of the clock variables, and the constraints on the clocks.

Definition 2.(Clock variable)

The clock variables are non-negative real-valued variables, all clocks increase at the same rate and can be reset to 0 during the transition. Let $\mathcal{X}$ denote the set of clock variables on ${\mathbb{R}}_{\ge 0}$. □

Definition 3.(Clock valuation)

The clock valuation is a function $\nu :\mathcal{X}\to {\mathbb{R}}_{\ge 0}$. The set of all clock valuations of $\mathcal{X}$ is denoted by ${\mathbb{R}}_{\ge 0}^{\mathcal{X}}$. We use $\nu [X:=0]$ to denote the clock valuation obtained from ν by resetting all the clocks in $X\subseteq \mathcal{X}$ to 0, and leaving the values of all other clocks unchanged. For all t that are $t\in {\mathbb{R}}_{\le 0}$, $\nu +t$ is a clock valuation giving $\nu \left(x\right)+t$ for all $x\in \mathcal{X}$. □

Definition 4.(Zone)

The zone ζ on $\mathcal{X}$ is defined inductively as a convex subset of the set ${\mathbb{R}}_{\ge 0}^{\mathcal{X}}$ of clock valuations with the following syntax.

$$\begin{array}{c}\hfill \zeta ::=x\le c|x<c|x\ge d|x>c|x-y\le d|\\ \hfill x-y<d|\zeta \wedge \zeta |true,\end{array}$$

where $x,y\in \mathcal{X}$ and $c,d\in \mathbb{N}$. Let $Zones\left(\mathcal{X}\right)$ denote the set of zones ζ on $\mathcal{X}$. □

The clock valuation $\nu$ satisfies the zone $\zeta$ if and only if after replacing each clock variable $X\in \mathcal{X}$ in the zone by the corresponding clock value $\nu \left(x\right)$ by $\nu$, the zone’s boolean value $\zeta \nu \in \{true,false\}$ for the clock valuation is $true$. We write this as $\nu ▹\zeta$.

In the operation of a priced probabilistic timed automaton, the state cannot be described by the usual zone because of the accumulated cost from the beginning of the operation. Therefore, we first define a cost variable that represents the accumulated cost from the start of operation and a cost valuation. Next, we define the set of clock and cost valuations that appear in the behavior of a priced probabilistic timed automaton as a conjunction of zones and the possible inequalities of the cost variable on those zones.

Definition 5.(Cost variable)

The cost variable z is a non-negative real variable, and z increases with the slope of the cost when the clock increases at a certain rate. □

Definition 6.(Cost valuation)

The cost valuation is a function $c:z\to {\mathbb{R}}_{\ge 0}$. For a cost variable z and a cost slope n, let $c+nt$ for all $t\in {\mathbb{R}}_{\le 0}$ be a cost valuation giving a valuation of $c\left(z\right)+n·t$. □

Definition 7.(Multi-Priced zone)

Multi-Priced zones (MP zones) are defined by $M=\zeta \wedge \varphi$. ζ is a zone and ϕ is defined inductively by the following syntax.

$$\begin{array}{c}\hfill \varphi ::=az\bowtie b_1{x}_1+\dots +b_n{x}_n+b_0|\varphi \wedge \varphi |true,\end{array}$$

where Z is a cost variable, $\bowtie \in \{<,\le ,\ge ,>\}$, $x_1,\dots ,x_n$ are all clocks that make up ζ, $a,b_0,\dots ,b_n\in \mathbb{Z}$ and $a>0$. Let $\Phi \left(Zones\right(\mathcal{X}\left)\right)$ be the set of cost expressions on $\zeta \in Zones\left(\mathcal{X}\right)$, where $\varphi \in \Phi \left(Zones\right(\mathcal{X}\left)\right)$. □

When the pair $(\nu ,c)$ of clock and cost valuations satisfies the MP zone $M=\zeta \wedge \varphi$, we write $(\nu ,c)▹\zeta \wedge \varphi$. $(\nu ,c)▹\zeta \wedge \varphi$ holds true

if and if only

after replacing each clock variable $x\in \mathcal{X}$ in $\zeta$ by the corresponding clock value $\nu \left(x\right)$ by $\nu$, the zone boolean value $\zeta \nu \in \{true,false\}$ for the clock valuation is $true$, and after replacing each clock variable $x\in \mathcal{X}$ and cost variable z in $\varphi$ by the corresponding clock and cost values $\nu \left(x\right),c\left(z\right)$ by the pair $(\nu ,c)$ respectively, the true value of the zone regarding clock valuation and cost valuation $\varphi (nu,c)\in \{true,false\}$ is $true$.

Definition 8.(MP zone operations)

The operation to deform the MP zone is defined as follows.

$$\begin{array}{ccc}\hfill \mathsf{time}\_\mathsf{succ}[M,n]& =& \left\{\right(\nu ,c\left)\right|\exists t\in \mathbb{R}.(\nu -t,c-nd)▹\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{time}\_\mathsf{pre}[M,n]& =& \left\{\right(\nu ,c\left)\right|\exists t\in \mathbb{R}.(\nu +t,c+nd)▹\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{reset}[M,X]& =& \left\{\right(\nu [X:=0],c\left)\right|(\nu ,c)▹\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{free}[M,X]& =& \left\{\right(\nu ,c\left)\right|\left(\nu \right[X:=0],c)▹\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{shift}[M,h]& =& \left\{\right(\nu ,c\left)\right|(\nu ,c+h)▹\zeta \wedge \varphi \}\hfill \end{array}$$

If the input zone is a MP zone, the result of the operation is also a MP zone. □

2.2. Syntax of a Priced Probabilistic Timed Automaton

Next we define the syntax of a priced probabilistic timed automaton.

Definition 9.

(Priced probabilistic timed automaton)

The priced probabilistic timed automaton $P^{2}TA$ is defined by the pair $(L,\overline{l},\mathcal{X},inv,prob,\dot{\$})$.

• L is a finite set of locations,
• $\overline{l}\in L$ is the initial location, .
• $\mathcal{X}$ is a finite set of clocks,
• $inv:L\to Zones\left(\mathcal{X}\right)$ is a function that assigns an invariant condition to each location.
• $prob\subseteq L\times Zones\left(\mathcal{X}\right)\times \mathbb{N}\times Dist(L\times 2^{\mathcal{X}})$ is a finite set of probabilistic transition relation,
• $\dot{\$}:L\to \mathbb{N}$ is s function that assigns a cost slope to each location.

□

Definition 10.(Edge of a priced probabilistic timed automaton)

The edge of a priced probabilistic timed automaton is generated by $(l,g,h,\mu )\in prob$, and takes the form of a pair $(l,g,h,\mu ,X,l^{\prime })$ such that $\mu (l^{\prime },X)>0$. Let $\mathrm{edgess}(l,g,h,\mu )$ be the set of edges generated by $(l,g,h,\mu )$ , and $\mathrm{edgess}(l,g,h,\mu )=\left\{(l,g,h,\mu ,X,l^{\prime })\right|(l,g,h,\mu )\in proband\mu (l^{\prime },X)>0\}$, where $l\in L$, $g\in Zones\left(\mathcal{X}\right)$, $h\in \mathbb{N}$, $\mu \in \mathit{Dist}(L\times 2^{\mathcal{X}})$. □

Example 1.(Example of automaton behavior in Figure 1)

An example of a priced probabilistic timed automaton is shown in Figure 1. First, the behavior is started from the initial location $l_0$ with clock $t=0$ and cost $z=0$. Then, after a time elapses until $(t=1,c=1)$, a discrete transition is made. A discrete transition is made to location $l_1$ with probability $1-p$ and to location $l_2$ with probability p. If it transitions to location $l_1$, time elapses until $c>2$, and then it makes a discrete transition to location $l_{error}$ with probability 1. If a transition is made to location $l_2$, a discrete transition is made to location $l_{target}$ after a time elapses to $(t\le 1,c\le 2)$ or to location $l_{error}$ after a time elapses to $(t>1,c>2)$. Since the invariance condition is $true$ at location $l_{target}$ and location $l_{error}$, arbitrary time elapses or arbitrary discrete transitions are performed since there is a self-loop. □

2.3. Semantics of a Priced Probabilistic Timed Automaton

The state of the priced probabilistic timed automaton $P^{2}TA$ is expressed as the ordered pair $(l,(\nu ,c))\in L\times {\mathbb{R}}_{\ge 0}^{\mathcal{X}}\times {\mathbb{R}}_{\ge 0}$, where $\nu$ satisfies $inv\left(l\right)$. That is, $\nu$ is an element of the set of clock valuations of the zone represented by $inv\left(l\right)$. In addition, c represents the cumulative cost valuation from the initial state. The $P^{2}TA$ behaves from the initial state $(\overline{l},({\nu }_0,c_0))$, where ${\nu }_0$ denotes the initial clock valuation with all clock values set to 0 and $c_0$ denotes the initial cost valuation of 0. In a state $(l,(\nu ,c\left)\right)$ at some point in time, $P^{2}TA$ nondeterministically chooses a timed transition or a discrete transition. Discrete transitions are made by a feasible probabilistic transition relation $(l,g,h,\mu )\in prob$ for the transition source location l, where the MP zone g satisfies the current clock valuation and cost valuation pair $(\nu ,c)$. The probability that the location of $P^{2}TA$ transitions to $l^{\prime }$ and all clocks on the set X are reset to zero is denoted by $\mu (l^{\prime },X)$.

We define the semantics of a priced probabilistic timed automaton as a timed probabilistic system [9]. Timed probabilistic systems take the form of Markov decision processes (MDPs) and perform nondeterministic transitions.

Definition 11.

(Timed probabilistic system)

The timed probabilistic system $\mathcal{M}$ defining the meaning of the priced probabilistic timed automaton $P^{2}TA=(L,\overline{l},\mathcal{X},inv,prob,\dot{\$})$ is a Markov decision process $(Q,q_0,Steps)$.

• $Q\subseteq L\times {\mathbb{R}}_{\ge 0}^{\mathcal{X}}\times {\mathbb{R}}_{\ge 0}$ is a set of states,
• $q_0=(l_0,({\nu }_0,c_0))$ is the initial state,
• $Steps\subseteq Q\times {\mathbb{R}}_{\ge 0}\times \mathbb{N}\times Dist(Q\times 2^{\mathcal{X}})$ is a timed probabilistic transition relation.

All states $(l,(\nu ,c\left)\right)$ are $\nu ▹Inv\left(l\right)$. The probabilistic transition relation $Steps$ consists of timed transitions and discrete transitions, and among the probability distributions paired with the state $(l,(\nu ,c\left)\right)$, the one due to timed transitions is especially denoted as ${\mu }_{\perp }$. Let $(l,g,h,{\mu }_P)\in prob$ of $P^{2}TA$ be $\left(\right(l,(\nu ,c)),t,h,\mu )$ as follows.

• Timed transition from state $(l,(\nu ,c\left)\right)$ to t unit time: $(l,(\nu ,c))\stackrel{t,0,{\mu }_{\perp }((l^{\prime },({\nu }^{\prime },c^{\prime })),\varnothing )}{\to }(l^{\prime },({\nu }^{\prime },c^{\prime }))$
  ${\mu }_{\perp }((l^{\prime },({\nu }^{\prime },c^{\prime })),\varnothing )=\left\{\begin{array}{cc}1\hfill & if{l}^{\prime }=l\wedge {\nu }^{\prime }=\nu +t\wedge \hfill \\ & c^{\prime }=c+\dot{\$}\left(l\right)t\wedge \hfill \\ & {\nu }^{\prime }▹inv\left(l\right)\wedge t>0\hfill \\ 0\hfill & otherwise\hfill \end{array}\right.$
• Discrete transition from state $(l,(\nu ,c\left)\right)$ by probabilistic transition relation $(l,g,h,{\mu }_P)$ to : $(l,(\nu ,c))\stackrel{0,h,\mu ((l^{\prime },({\nu }^{\prime },c^{\prime })),X)}{\to }(l^{\prime },({\nu }^{\prime },c^{\prime }))$
  $\mu ((l^{\prime },({\nu }^{\prime },c^{\prime })),X)=\left\{\begin{array}{cc}{\mu }_P(l^{\prime },X)\hfill & if\nu ▹g\wedge \hfill \\ & {\nu }^{\prime }=\nu [X:=0]\wedge \hfill \\ & c^{\prime }=c+h\hfill \\ 0\hfill & otherwise\hfill \end{array}\right.$

□

The transition by probability $\mu ((l^{\prime },({\nu }^{\prime },c^{\prime }))$ of a probabilistic transition relation on $\mathcal{M}$ is a transition that resets the clock variable X and reaches state $(l^{\prime },({\nu }^{\prime },c^{\prime }))$. Since the sample space of the probability distribution $\mu$ of the probabilistic transition relation is not only Q but also the product of Q and $2^{\mathcal{X}}$, one transition ${\mu }_P((l^{\prime },({\nu }^{\prime },c^{\prime })),X)>0$ on $P^{2}TA$ corresponds to corresponds equally to one transition $\mu ((l^{\prime },({\nu }^{\prime },c^{\prime })),X)>0$ on $\mathcal{M}$.

The path of a timed probabilistic system is expressed as the resolution of nondeterministic and probabilistic choices. The path of a timed probabilistic system is expressed as the resolution of nondeterministic and probabilistic choices.

$$\omega =q_0\stackrel{t_0,h_0,{\mu }_0(q_1,X_0)}{\to }{q}_1\stackrel{t_1,h_1,{\mu }_1(q_2,X_1)}{\to }\dots ,$$

where $0\le i\le \left|\omega \right|$, $q_i\in Q,(q_i,t_i,{\mu }_i)\in Steps,{\mu }_i\left(q_i\right)>0$. Let $\omega \left(i\right)$ denote the i-th state of the path $\omega$, $step(\omega ,i)$ denote the i-th transition, and if $\omega$ is a finite sequence, denote its length $\left|\omega \right|$ and its last state $last\left(\omega \right)$. The set of all finite or infinite paths starting from a state q is denoted by $Pat{h}_{fin}\left(q\right),Pat{h}_{ful}\left(q\right)$ respectively.

Here, we introduce an adversary of the timed probabilistic system as a representation that resolves only nondeterminism.

Definition 12.(Adversary)

The adversary A of the timed probabilistic system $\mathcal{M}=(Q,q_0,Steps)$ is a function that maps all finite paths ${\omega }_{fin}$ of $\mathcal{M}$ to a discrete probability distribution $(last\left({\omega }_{fin}\right),\mu )\in Steps$, where there exist $(last\left({\omega }_{fin}\right),\mu )\in Steps$ exists. □

For any adversary A and state q, let $Pat{h}_{ful}^A\left(q\right),Pat{h}_{fin}^A\left(q\right)$ denote the subsets of $Pat{h}_{ful}\left(q\right),Pat{h}_{fin}\left(q\right)$ generated by A respectively, and let $Ad{v}_{\mathcal{M}}$ be the set of adversaries of Timed probabilistic system $\mathcal{M}$. We also distinguish simple adversaries $A_{simple}$ as adversaries that all return the same probability distribution regardless of the path if the last states of the paths are equal. Hereafter, when we simply write “adversary", we refer to simple adversary. An adversary represents a particular resolution of the non-determinism of a timed probabilistic system. Here, for a timed probabilistic system $\mathcal{M}=(Q,q_0,Steps)$, the behavior under a given simple adversary $A_{simple}$ can be described by a Markov chain ($MC$) [9].

Definition 13.(Markov chain)

For a timed probabilistic system $\mathcal{M}=(Q,q_0,Steps)$, the behavior of $\mathcal{M}$ under a given adversary A can be described by a Markov chain $M{C}^A$, denoted by the pair $(Q^A,q_0^A,{\mathbf{P}}^A)$, where, for any state $q,q^{\prime }\in Q^A$, we have

$$\begin{array}{c}\hfill {\mathbf{P}}^A(q,q^{\prime })=\left\{\begin{array}{c}\mu \left(q^{\prime }\right)if\exists \omega .last\left(\omega \right)=q\wedge A\left(\omega \right)=\mu \hfill \\ 0otherwise.\hfill \end{array}\right.\end{array}$$

□

Next, we define the probability of occurrence of paths appearing in the Markov chain and timed probabilistic system associated with the adversary.

Definition 14.(Probability of path)

Let A be the adversary of the timed probabilistic system $\mathcal{M}$. In this case, we define the probability $Pro{b}_{fin}^A:Pat{h}_{fin}^A\to [0,1]$ of path occurrence as follows.

$$\begin{array}{c}\hfill Pro{b}_{fin}^A\left(\omega \right)=\left\{\begin{array}{cc}{P}^A(\omega \left(0\right),\omega \left(1\right))\cdots P^A(\omega (n-1),\omega \left(n\right))\hfill & if\left|\omega \right|\ne 0\hfill \\ 1\hfill & otherwise.\hfill \end{array}\right.\end{array}$$

□

2.4. Zeno Behavior

Since priced probabilistic timed automata are a subclass of probabilistic linear hybrid automata, their behavior may include the zeno behavior [10]. A zeno behavior is one in which an infinite number of discrete transitions occur in finite time. The problem of determining whether a model described by a hybrid automaton has zeno behavior is known to be undecidable [11]. However, since the modeling language in this paper is a priced probabilistic timed automaton, it can be considered as a probabilistic timed automaton by excluding the price. It is known from the literature [12] that the problem of determining whether a model described by a probabilistic timed automaton has zeno behavior is decidable, and we shall avoid zeno behavior in this paper accordingly.

3. Cost-Bounded Maximal Probability Reachability Analysis

When we specify embedded systems using a priced probabilistic timed automaton, it is very meaningful to be able to verify the property that the desired state can be reached with a certain probability or more and at a certain cost or less for every behavior [6]. An example is the mountain fire alarm system by WSNs. In this system, the above characteristics include “can you report a fire in the entire area with a probability of more than $99.9\%$ before running out of battery power?" In this study, we consider the verification of significant properties in priced probabilistic timed automata by means of cost-bounded probability reachability problem. By the way, Fortune calls this problem cost-bounded maximal reachability (CBMR) [8]. In the behavior of a priced probabilistic timed automaton, when there exists a self-loop that makes transitions to the same state, it is difficult to solve a cost-bounded maximal probability reachability problem that requires the behavior to be investigated, since there may be an infinite number of paths to reach the target state. It is known that the probability reachability problem can be verified by examining a finite number of paths by restricting the problem of reachability from ≤ to the form > [13]. Therefore, in this study, we define a cost-bounded probability reachability problem that can be verified with finite numbers by adding a cost bound.

The following is the definition of the cost boundary maximal probability reachability problem.

Definition 15.(Cost-bounded probability reachability problem)

For the priced probabilistic timed automaton $P^{2}TA=(L,\overline{l},\mathcal{X},inv,prob,\dot{\$})$, the cost-bound probability reachability problem is defined by the pair $PRP=(l_{error},{\lambda }^{\prime },\kappa )$, where $l_{error}$ is the target location, ${\lambda }^{\prime }\in [0,1]$ is the probability of reaching the target state, and $\kappa \in \mathbb{N}$ is the upper bound of cumulative cost. Also, when $(\nu ,c)$ satisfies the MP zone $inv\left(l_{error}\right)\wedge z>\kappa$, $(l_{error},(\nu ,c^{\prime }))$ is called the objective state.

The answer to the cost bound probability reachability problem for $P^{2}TA$ is “Yes,Reachable"

iff

in some adversary $A\in Ad{v}_{\mathcal{M}}$ of $\mathcal{M}$ defined by $P^{2}TA$, there exists one or more paths starting from the initial state $(\overline{l},({\nu }_0,c_0))$ of $P^{2}TA$ such that $last\left(\omega \right)=(l_{target},(\nu ,c^{\prime }))$ and the total occurrence probability $P_{max}$ of the paths satisfy the condition $P_{max}>{\lambda }^{\prime }$. □

However, since there is no guarantee that the state space is finite, in general, the cost-boundary probability reachability problem is undecidable [14]. However, it is generally known that there are many verifiable models in realistic systems [8].

4. Predicate Abstraction and Refinement

The behavior of the entire WSNs can be modeled by synthesizing the behavior models of the nodes that make up the entire network through parallel composition. In general, the number of nodes in practical WSNs is said to be about several tens, and even if the behavior of the entire synthesized network is described, the number of states is very large and verification is very difficult. Therefore, it is necessary to suppress the number of states to a realistically verifiable number on the computer’s memory. Therefore, we introduce predicate abstraction, a method for abstracting and representing state spaces [4,12].

4.1. Predicate Abstraction

Predicate abstraction is used to obtain a finite approximation of an infinite state transition system. This method performs abstraction based on a set of abstraction predicates. We extend the paper [12] with cost.

Definition 16.(Abstraction predicates)

For a set of clock variables $\mathcal{X}$ and a cost variable z, the predicate ψ is defined as follows.

$$\begin{array}{ccc}\hfill \psi & ::=& {\psi }_{cl}\wedge {\psi }_{co}\hfill \\ \hfill {\psi }_{cl}& ::=& x_1\le e|x_1<e|x_1-x_2\le d|true\hfill \\ \hfill {\psi }_{co}& ::=& az\le b_1{x}_1+\dots +b_n{x}_n+b_0|true,\hfill \end{array}$$

where $x_1,x_2,\dots ,x_n\in \mathcal{X}$,z are cost variables, $e\in \mathbb{N},a,b_1,\dots ,b_n,d\in \mathbb{Z}$ and $a>0$. In the clock valuation ν, cost valuation c, and abstraction predicate $\psi ={\psi }_{cl}\wedge {\psi }_{co}$, the true value of the predicate ψ on $(\nu ,c)$ is $\psi \left(\right(\nu ,c\left)\right)\in \{true,false\}$.

Let $(\nu ,c)$ satisfy the predicate ψ and write $(\nu ,c)\vDash \psi$

iff

the result of substituting the value $\nu \left(x\right)$ corresponding to the clock $x\in \mathcal{X}$ appearing in ${\psi }_{cl}$ is true and the result of substituting the value $c\left(z\right)$ corresponding to the cost z appearing in ${\psi }_{co}$ is true.

Also, for any clock valuation $\nu \in {\mathcal{V}}_{\mathcal{X}}$ and any cost valuation $c\in {\mathcal{V}}_z$, $(\nu ,c)\vDash true$, where ${\mathcal{V}}_{\mathcal{X}}$ is the set of clock valuations, and ${\mathcal{V}}_z$ is the set of cost valuations. □

The set of abstract predicates ${\Psi }^l=\{{\psi }_1^l,\dots ,{\psi }_n^l\}$ at location l is a mapping from a valuation pair $(\nu ,c)$ to a bit vector $b^l$ of length n. Let ${\Psi }^{all}=\{{\Psi }^{l_0}\cup \dots \cup {\Psi }^{l_k}\}$ be the set of abstraction predicates at all locations, then ${\Psi }^{all}$ determines the abstraction function $\alpha$. The i-th element of $b^l$ is true if and only if ${\psi }^{l_p}(\nu ,c)$ is true at location l. Let us assume that bit vectors of length n in l are elements of the set $B_n^l$ and that $B_n^l$ is a function with domain $\{0,\dots ,n-1\}$ and variational domain $\{0,1\}$. Also, let $\mathcal{B}$ be the set of bit vectors at all locations. The inverse image of $\alpha$ is the concretization function $\gamma$, which maps a bit vector $b^l$ to all clock evaluations such that ${\psi }_i^l$ is satisfied whenever the i-th element of the bit vector $b^l$ is true. Thus, the set of concrete states $(l,(\nu ,c\left)\right)$ is mapped to the abstract state $\alpha \left(\right(l,(\nu ,c)\left)\right)$ by the abstraction function $\alpha$, and the abstract state $(l,b^l)$ is mapped to the set of concrete states $\gamma \left((l,b^l)\right)$ by the concretization function $\gamma$.

Abstraction and concretization are defined as follows.

Definition 17.(Abstraction and concretization) Let $\mathcal{X}$ be a set of clocks, ${\mathcal{V}}_{\mathcal{X}}$ be a set of corresponding clock valuations, and ${\mathcal{V}}_{cost}$ be a set of cost valuations. Given a finite set of predicates ${\Psi }^{all}=\{{\Psi }^{l_0}\cup \dots \cup {\Psi }^{l_k}\}$, the abstraction function $\alpha :L\times {\mathcal{V}}_{\mathcal{X}}\times {\mathcal{V}}_{\mathcal{Z}}\to L\times \mathcal{B}$ is defined as follows.

$$\alpha \left((l,(\nu ,c))\right)\left(i\right)=(l,{\psi }_i(\nu ,c))$$

Also, the concretization function $\gamma :L\times \mathcal{B}\to L\times 2^{{\mathcal{V}}_{\mathcal{X}}}\times 2^{{\mathcal{V}}_{\mathcal{Z}}}$ is defined as follows.

$$\begin{array}{c}\hfill \gamma \left((l,b^l)\right)=\{(l,(\nu ,c))\in L\times {\mathcal{V}}_{\mathcal{X}}\times {\mathcal{V}}_{cost}\mid inv\left(l\right)\wedge \\ \hfill \underset{i=0}{\overset{n-1}{\bigwedge }}{\psi }_i^l(\nu ,c)\equiv b^l\left(i\right)\}\end{array}$$

□

With respect to $\alpha ,\gamma$, the notation $\alpha \left(Q\right)=\{\alpha \left((l,(\nu ,c))\right)\mid (l,(\nu ,c))\in Q\},\gamma \left(Q^{♯}\right)=\{\gamma \left((l,b^l)\right)\mid (l,b^l)\in Q^{♯}\}$ is used. Here the pair $(\alpha ,\gamma )$ of abstraction function and concretization function forms a Galois connection. Also, $(l,b^l)\in Q^{♯}$ is a set of abstract states.

Definition 18.

(Abstract structure)

We construct an abstract structure ${\mathcal{M}}^{♯}=(Q^{♯},q_0^{♯},Step{s}^{♯})$ which is an overapproximation of the concrete structure $\mathcal{M}=(Q,q_0,Steps)$. The abstract structure ${\mathcal{M}}^{♯}$ consists of the following elements.

• $Q^{♯}=L\times \mathcal{B}$
• $q_0^{♯}=\alpha \left(q_0\right)$
• $Step{s}^{♯}\subseteq Q^{♯}\times Dist\left(Q^{♯}\right)$

$((l,b),{\mu }^{♯})\in Step{s}^{♯}$ is constructed on an abstract structure

if and only if

$\left(\right(l,(\nu ,c))\in \gamma ((l,b))$ such that $\left(\right(l,(\nu ,c)),\mu )\in Steps$ is on the concrete structure.

Here let ${\mu }^{♯}$ be a probability distribution such that ${\mu }^{♯}\left((l^{\prime },b^{\prime })\right)=\mu \left((l^{\prime },({\nu }^{\prime },c))\right)$. □

Unlike $Steps$, there is no definition of timed transition quantity in $Step{s}^{♯}$ to indicate that it is a timed transition. However, the probability distribution of $Step{s}^{♯}$ derived from the probability distribution ${\mu }_{♯}$ of showing timed transitions in $Steps$ is also noted as ${\mu }_{\perp }^{♯}$ to distinguish it.

Also, the path of ${\mathcal{M}}^{♯}$ is the following as well as the path of $\mathcal{M}$.

$${\omega }^{♯}=q_0^{♯}\stackrel{{\mu }_0(q_1^{♯},X_0)}{\to }{q}_1^{♯}\stackrel{{\mu }_1(q_2^{♯},X_1)}{\to }\dots$$

4.2. Cost-Bounded Maximal Probability Reachability Analysis on Abstrct Strucure

The cost bound probability reachability analysis outputs “Not Reachable” if the system cannot reach the target state $(l_{target},(\nu ,c))$ with probability greater than $\lambda$. If the system can reach the target state $(l_{target},(\nu ,c))$ with probability greater than $\lambda$, the cost bound probability reachability analysis outputs “Reachable” and the path to that state (counterexample) is also output. The counterexample is given as the set ${\omega }^{♯}$ of paths from the initial state to the target state on the abstract structure.

From Definition 18, since transitions on abstract structures are over-approximations of transitions on concrete structures, all counterexamples on concrete structures are included in counterexamples on abstract structures, but the converse is not necessarily true. In other words, it can happen that the behavior according to the counterexample ${\Omega }^{♯}$ is not feasible on the concrete structure. Therefore, by counterexample analysis method, we must determine whether the counterexamples obtained by cost-bounded maximal probability reachability analysis on the abstract structure exist on the concrete structure or not.

4.3. Counterexample Analysis Method

4.3.1. Preliminaries

In this subsection, we define the operation of the MP zone that computes the conditions for possible state transitions used in the counterexample analysis. This is an MP zone operation on $\mathcal{M}$ which, when making a timed transition or a discrete transition in a state contained in an MP zone, obtains an MP zone containing reachable states, or vice versa.

• $\mathsf{time}\_\mathsf{pre}/\mathsf{succ}$ operation: timed transition operation
  The $\mathsf{time}\_\mathsf{pre}$ operation calculates the MP zones that are available for timed transitions to a given MP zone. The $\mathsf{time}\_\mathsf{succ}$ operation calculates the MP zones from which timed transitions are possible from a given MP zone. Note that the $\mathsf{time}\_\mathsf{pre}/\mathsf{succ}$ operation is defined in Definition 8.
• $\mathsf{discrete}\_\mathsf{pre}/\mathsf{succ}$ operation: discrete transition operation
  The $\mathsf{discrete}\_\mathsf{pre}$ operation calculates the MP zones that can be transitioned to by discrete transitions to a certain MP zone. The $\mathsf{discrete}\_\mathsf{succ}$ operation calculates the MP zones that can be transitioned from a given MP zone by discrete transitions.

The $\mathsf{discrete}\_\mathsf{pre}/\mathsf{succ}$ operation on the probability transition relation $(l,g,h,\mu (l^{\prime },X))\in prob$ of $P^{2}TA$ is defined as follows using the Definition 8.

$$\begin{array}{ccc}& & \mathsf{discrete}\_\mathsf{succ}[M,g,X,h]=\mathsf{shift}\left[\mathsf{free}\right[M,X],h]\wedge g\hfill \\ & & \mathsf{discrete}\_\mathsf{pre}[M,g,X,h]=\mathsf{reset}\left[\mathsf{shift}\right[M,-h]\wedge g,X]\hfill \end{array}$$

4.3.2. Counterexample Analysis

By counterexample analysis method, we determine whether the counterexamples obtained by cost-bounded maximal probability reachability analysis on the abstract structure exist on the concrete structure or not. In the counterexample analysis, we first extract one element ${\omega }^{♯}$ of the counterexample ${\Omega }^{♯}$. Next, a path counterexample analysis is performed to check whether the extracted counterexamples are executable on the corresponding real systems. This is repeated until ${\Omega }^{♯}$ is empty, and then simultaneous execution counterexample analysis is performed to check whether the elements of those counterexamples can be executed according to the same adversary. In other words, a counterexample analysis consists of two parts: path counterexample analysis and simultaneous execution counterexample analysis.

Next, we explain path counterexample analysis.  

4.3.2.1. Path Counterexample Analysis

First, we take one element ${\omega }^{♯}$ from the counterexample ${\Omega }^{♯}$, and check whether the element of the counterexample is actually feasible on the corresponding model. Figure 2 is an overview of path counterexample analysis, where ${\omega }^{♯}\left(i\right)$ is the i-th abstract state of the counterexample, $M_{i,{\omega }^{♯}}^{rea}$ and $M_{i,{\omega }^{♯}}^{dep}$ are the starting and reaching conditions in the i-th abstract state, q and $q^{\prime }$ are the concrete states corresponding to the starting and reaching conditions in the i-th abstract state, respectively. We verify that each path ${\omega }^{♯}$ obtained on the abstract structure $M^{♯}$ is feasible on the corresponding concrete structure $\mathcal{M}$. Specifically, using the backward counterexample analysis method, the starting and arrival conditions that can reach the target state from the end of the abstract path are obtained and verified by MP zone operations.

The algorithm for path counterexample analysis (Backward counterexample analysis) is shown in Algorithm 1.

Algorithm 1 Path counterexample analysis (Backward counterexample analysis)

1: Input $P^{2}TA,{\Omega }^{♯}$ 2: for${\omega }^{♯}\in {\Omega }^{♯}$do 3:    $M_{|{\omega }^{♯}|,{\omega }^{♯}}^{rea}\leftarrow \mathit{Inv}\left(l_{|{\omega }^{♯}|,{\omega }^{♯}}\right)$ 4:    for $i=|{\omega }^{♯}|-1,\dots ,0$ do 5:      if ${\omega }^{♯}\left(i\right)\stackrel{{\mu }_{\perp }^{♯}}{\to }$ is a timed transition then 6:         $M_{i,{\omega }^{♯}}^{dep}\leftarrow \mathsf{time}\_\mathsf{pre}[M_{i+1,{\omega }^{♯}}^{rea},\dot{\$}\left(l_{i,{\omega }^{♯}}\right)]\wedge \mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\Psi }^{l_{i,{\omega }^{♯}}}$ 7:         if $M_{i,{\omega }^{♯}}^{dep}=$ false then 8: return spurious $l_{i+1,{\omega }^{♯}},M_{i+1,{\omega }^{♯}}^{rea},$$\mathsf{time}\_\mathsf{pre}[\mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\Psi }^{l_{i,{\omega }^{♯}}},\dot{\$}\left(l_{i,{\omega }^{♯}}\right)]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\Psi }^{l_{i+1,{\omega }^{♯}}}$ 9:         end if /* discrete transition */ 10:      else 11:         $M_{i,{\omega }^{♯}}^{dep}\leftarrow \mathsf{discrete}\_\mathsf{pre}[M_{i+1,{\omega }^{♯}}^{rea},g_{i,{\omega }^{♯}},X_{i,{\omega }^{♯}},h_{i,{\omega }^{♯}}]\wedge \mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\Psi }^{l_{i,{\omega }^{♯}}}$ 12:         if $M_{i,{\omega }^{♯}}^{dep}=$ false then 13:         return spurious $l_{i+1,{\omega }^{♯}},M_{i+1,{\omega }^{♯}}^{rea},$ $\mathsf{discrete}\_\mathsf{pre}[\mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\Psi }^{l_{i,{\omega }^{♯}}},g_{i,{\omega }^{♯}},X_{i,{\omega }^{♯}},$ $h_{i,{\omega }^{♯}}]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\Psi }^{l_{i+1,{\omega }^{♯}}}$ 14:         end if 15:      end if 16:      $M_{i,{\omega }^{♯}}^{rea}\leftarrow \mathsf{time}\_\mathsf{pre}[M_{i,{\omega }^{♯}}^{dep},\dot{\$}\left(l_{i,{\omega }^{♯}}\right)]\wedge \mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\Psi }^{l_{i,{\omega }^{♯}}}$ 17:    end for 18:    if $M_{0,{\omega }^{♯}}^{rea}\wedge M_0=$ false then 19:    return spurious $l_0,M_{0,{\omega }^{♯}}^{rea},M_0$ 20:    end if 21:  end for 22: return exists, $M_{{\omega }^{♯}}^{rea},M_{{\omega }^{♯}}^{dep}$

This algorithm finds the target state by the $\mathsf{time}/\mathsf{discrete}\_\mathsf{pre}$ operation on the path ${\omega }^{♯}$ (line:2), which is an element of the path set ${\Omega }^{♯}$ (line:1) . Here, from $last\left({\omega }^{♯}\right)$ (line:3) to the forward state (line:4), the starting condition $M_{i,{\omega }^{♯}}^{rea}$ (line:3) and the arrival condition $M_{i,{\omega }^{♯}}^{dep}$ (line:6) are obtained. Note that the starting condition $M_{i,{\omega }^{♯}}^{rea}$ uses different MP zone operations depending on whether the transition from the previous state is a timed transition or a discrete transition (line:5-15).

(1)If the starting condition $M_{i,{\omega }^{♯}}^{dep}$is $false$ (line:7), we consider this path to be a false counterexample (line:8) and divide $M_{i+1,{\omega }^{♯}}^{rea}$ and the MP zone that can transition from $\omega \left(i\right)$ to $\omega (i+1)$.

(2)Next, since it is considered that there exist abstract and hidden timed transitions on the abstract state, we obtain the arrival condition $M_{i,{\omega }^{♯}}^{rep}$(line:16) by the $\mathsf{time}\_\mathsf{pre}$ operation.

Repeat (1) and (2) until the first state ${\omega }^{♯}\left(0\right)$ is obtained, and then check whether the arrival condition $M_{0,{\omega }^{♯}}^{rep}$ includes the initial state $M_0$ (line:18). If it is not included, it is judged as a false counterexample, and outputs a predicate that separates the attainment condition $M_{0,{\omega }^{♯}}^{rep}$ and the initial state $M_0$ (line:19). If it is confirmed that the initial state is reached on any path, output the arrival and departure conditions $M_{{\omega }^{♯}}^{rea},M_{{\omega }^{♯}}^{dep}$ for each state of exists and all ${\omega }^{♯}\in {\Omega }^{♯}$ (line:22).

Next, we proceed to simultaneous execution counterexample analysis.  

4.3.2.2. Simultaneous Execution Counterexample Analysis

If the counterexample ${\Omega }^{♯}$ is empty in 4.3.2.1, we verify whether the analyzed counterexamples can be executed simultaneously under the same adversary condition. For a given state on the concrete structure, the choice between timed transitions and discrete transitions is non-deterministic. In this case, the nondeterminism is resolved by giving an adversary, resulting in a path that is a sequence of state transitions. On the other hand, since time is abstracted on the abstract structure, abstract paths included in the abstract counterexamples obtained by the reachability analysis may not be executed simultaneously on the concrete structure. Therefore, in this stage of simultaneous execution counterexample analysis, we check that the adversaries are identical for the obtained counterexamples. Figure 3 is an overview of the procedure for obtaining arrival and departure conditions in simultaneous execution counterexample analysis, where ${\omega }^{♯},{{\omega }^{♯}}^{\prime }$ are elements of different counterexamples. When the common part of these paths up to the i-th path is equal, by the product of the arrival condition $M_{i,{\omega }^{♯}}^{rea},M_{i,{{\omega }^{♯}}^{\prime }}^{rea}$ and the departure condition $M_{i,{\omega }^{♯}}^{dep},M_{i,{{\omega }^{♯}}^{\prime }}^{dep}$ and the starting condition $M_{i,{{\omega }^{♯}}^{\prime }}^{dep}$, we obtain the set of states that can be executed simultaneously from the forward.

The algorithm for simultaneous execution counterexample analysis (Forward counterexample analysis) is shown in Algorithm 2.

Algorithm 2:Simultaneous execution counterexample analysis (Forward counterexample analysis)

1: Input $P^{2}TA,{\Omega }^{♯},Pat{h}_{fin}^{♯},M_{{\Omega }^{♯}}^{rea},M_{{\Omega }^{♯}}^{dep}$ 2: for${\omega }^{♯}\in {\mathit{Path}}_{fin}^{♯}$do 3:    $M_{{\omega }^{♯}}^{rea}\leftarrow$ true 4:    $M_{{\omega }^{♯}}^{dep}\leftarrow$ true 5: end for 6: $M_{{\omega }^{♯}=q_0}^{dep}\leftarrow M_0$ 7: for$(i=0,\dots ,C_{{\Omega }_{max}})$do 8:    for ${\omega }^{♯}\in {\Omega }^{♯}$ do 9:      if $|{\omega }^{♯}|>i$ then 10:         if $M_{{\omega }_{i-th}^{♯}}^{rea}\wedge M_{i,{\omega }^{♯}}^{rea}=$ false then 11:         return spurious $l_{i,\omega },M_{{\omega }_{i-th}^{♯}}^{rea},M_{i,{\omega }^{♯}}^{rea}$ 12:         end if 13:         $M_{{\omega }_{i-th}^{♯}}^{rea}\leftarrow M_{{\omega }_{i-th}^{♯}}^{rea}\wedge M_{i,{\omega }^{♯}}^{rea}$ 14:         $M_{{\omega }_{i-th}^{♯}}^{dep}\leftarrow \mathsf{time}\_\mathsf{pre}\left[M_{{\omega }_{i-th}^{♯}}^{dep}\right]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\Psi }^{l_{i+1,{\omega }^{♯}}}$ 15:      end if 16:    end for 17:    for ${\omega }^{♯}\in {\Omega }^{♯}$ do 18:      if $|{\omega }^{♯}|>i$ then 19:         if $M_{{\omega }_{i-th}^{♯}}^{dep}\wedge M_{i,{\omega }^{♯}}^{dep}=$ false then 20:         return spurious $l_{i,\omega },M_{{\omega }_{i-th}^{♯}}^{dep},M_{i,{\omega }^{♯}}^{dep}$ 21:         end if 22:         $M_{{\omega }_{i-th}^{♯}}^{dep}\leftarrow M_{{\omega }_{i-th}^{♯}}^{dep}\wedge M_{i,{\omega }^{♯}}^{dep}$ 23:         if ${\omega }^{♯}\left(i\right)\stackrel{{\mu }_{\perp }^{♯}}{\to }$ is a timed transition then 24:           $M_{{\omega }_{(i+1)-th}^{♯}}^{rea}\leftarrow \mathsf{time}\_\mathsf{pre}\left[M_{{\omega }_{i-th}^{♯}}^{dep}\right]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\Psi }^{l_{i+1,{\omega }^{♯}}}$ 25:         else 26:           $M_{{\omega }_{(i+1)-th}^{♯}}^{rea}\leftarrow \mathsf{discrete}\_\mathsf{pre}[M_{{\omega }_{i-th}^{♯}}^{dep},{\zeta }_{i,{\omega }^{♯}}^g,X_{i,{\omega }^{♯}}]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\Psi }^{l_{i+1,{\omega }^{♯}}}$ 27:         end if 28:      end if 29:    end for 30: end for 31: return exsits, "Reachable"

This algorithm takes as input the set of arrival conditions $M_{{\omega }^{♯}}^{rea}$ and the set of departure conditions $M_{{\omega }^{♯}}^{dep}$ for each element ${\omega }^{♯}$ in the path set obtained in Algorithm 1 ( line:1), and find the MP zones that can be reached by these paths simultaneously by forward search from the initial state.

(1)First, we take one path $Pat{h}^{{\omega }^{♯}}$ from the set $Pat{h}_{fin}^{♯}$ that has the common part of all paths, and assign true to its starting condition $M_{{\omega }^{♯}}^{dep}$ and reaching condition $M_{{\omega }^{♯}}^{rea}$ are initialized by assigning true (line:2-4). Let $M_0$ be the initial condition of arrival (line:6).

(2)Next, starting from the one with the smallest length of the common part $C_{{\Omega }_{max}}$ (line:7), the arrival and departure conditions are sequentially obtained.

(a)In the reachability condition, for each path ${\omega }^{♯}$ of the candidate counterexamples (line:8), we take the product of the reachability condition of the common part $M_{{\omega }_{i-th}^{♯}}^{rea}$ and the reachability condition of that path $M_{i,{\omega }^{♯}}^{rea}$, which is the arrival condition of the path (line:10).

(a-1)If the product is false, it is a false counterexample because it indicates that there is no common path on the timed probability system, and outputs a predicate that splits $M_{{\omega }_{i-th}^{♯}}^{rea}$ and $M_{i,{\omega }^{♯}}^{rea}$. (line:11).

(a-2)If the product is not false, this product is newly set as the arrival condition of the common part $M_{{\omega }_{i-th}^{♯}}^{rea}$ (line:13), and then the time-transferable starting condition is obtained from this arrival condition (line:14).

(b)Next, for each path ${\omega }^{♯}$ of the candidate counterexamples (line:17), we similarly take the product of the starting condition of the common part $M_{{\omega }_{i-th}^{♯}}^{dep}$ and the starting condition of that path $M_{i,\omega M^{♯}}^{dep}$, which is the starting condition of the path (line:19).

(b-1)If the product is false, we similarly judge it to be a false counterexample and output the predicate that splits $M_{{\omega }_{i-th}^{♯}}^{dep}$ and $M_{i,{\omega }^{♯}}^{dep}$ (line:20).

(b-2)If the product is not false, this product is the new starting condition for the common part $M_{{\omega }_{i-th}^{♯}}^{dep}$ (line:22). Furthermore, from these starting conditions, we obtain the arrival conditions under which timed transitions and discrete transitions are possible (line:23-26). If the arrival and departure conditions are not false for all common parts, we can say that all paths can be executed by at least one adversary. In other words, we can say that the counterexample exists, so the “Reachable”, which is the solution of exists and verification, is output (line:31), and the verification is terminated.

4.4. Refinement

When a false counterexample is determined by the counterexample analysis, the abstract state is refined by adding a predicate so that the counterexample does not exist. The information necessary for the refinement is obtained from the result of the previous stage of the counterexample analysis.

4.4.1. Path Counterexample Analysis

In the path counterexample analysis, a counterexample is a false counterexample if the path ${\omega }^{♯}$ that is an element of the counterexample ${\Omega }^{♯}$ is not executable on the concrete structure $\mathcal{M}$. In other words, it means that there is no path corresponding to the abstract path ${\omega }^{♯}$ on the concrete structure. In this case, the transition $q\to q^{\prime }$ on the concrete structure corresponding to at least one transition $q_i^{♯}\to q_{i+1}^{♯}$ in ${\omega }^{♯}$ is non-transitionable because the transistibility or invariance condition in $q^{\prime }$ is not transitive because it does not satisfy either the transitivity condition or the invariance condition on $q^{\prime }$. However, on the abstract structure, it is feasible from the reachability analysis. This happens because the transitionable and non-transitionable states of a location are equated by abstraction. Therefore, by splitting the abstract state into two states that are transitive and non-transitive by predicates, the counterexample becomes infeasible. The predicate that divides this state is chosen from the zone at q, and the transitivity condition, or the invariance condition at $q^{\prime }$. An overview of refinement by path counterexample analysis is shown in Figure 4, where $q_i^{♯},q_{i+1}^{♯}$ are abstract states with transitions that cannot be executed by real operation obtained by path counterexample analysis, $\mathsf{discrete}/\mathsf{time}\_\mathsf{succ}\left(b^{i,{\omega }^{♯}}{\Psi }^{l_{i,{\omega }^{♯}}}\right)$ are the reachable states on the abstract state and the starting and reaching conditions obtained by path counterexample analysis, respectively, $\psi$ is the predicate that divides them.

4.4.2. Simultaneous Execution Counterexample Analysis

When a false counterexample is found in simultaneous execution counterexample analysis , it means that a different destination is chosen for an abstract state $q^{♯}$ with arbitrary simultaneous executed paths. In other words, different timed and discrete transitions are taking place in a given state. Thus, splitting $q^{♯}$ into two parts with respect to timed transitions makes timed transitions and discrete transitions noncompetitive. Therefore, we add a time condition indicating this boundary as a predicate. An overview of refinement by simultaneous execution counterexample analysis is shown in Figure 5, where ${\omega }^{♯},{{\omega }^{♯}}^{\prime }$ is any simultaneous execution path, $q^{♯}$ is the abstract state shown to be incapable of simultaneous execution in Simultaneous execution counterexample analysis, $\psi$ is a predicate that can split them, ${q^{♯}}^{\prime \prime },{q^{♯}}^{\prime \prime }$ are the states divided by the predicate $\psi$.

In the new abstract structure with the added predicate, the previous false counterexample becomes infeasible. Thus, by repeating this process, we can finally construct an abstract structure that can compute the correct probability.

5. Priced Probabilistic Timed CEGAR

5.1. Overview

The CEGAR framework [4,5] automatically adapts predicate abstraction and refinement by counterexample. In this section, we describe the operation of priced probabilistic timed CEGAR, which is an extension of CEGAR for the purpose of verifying a priced probabilistic timed automaton. Reachability analysis by Priced probabilistic timed CEGAR is shown in Figure 6.

1.

Initial Abstraction:

From a priced probabilistic timed automaton $P^{2}TA$ and a verification problem $\mathit{Problem}$, we construct a timed probabilistic system $\mathcal{M}$ and an initial predicate set ${\Psi }^{init}$, from which we construct an initial abstract structure ${\mathcal{M}}_{{\Psi }^{init}Ps{i}^{init}}^{♯}$ from them.

2.

Reachability Analysis:

Compute the maximum reachability probability to the target state on ${\mathcal{M}}_{\Psi }^{♯}$.

3.

Counterexample Analysis:

For each element of the counterexample ${\Omega }_{smallest}^{♯}$ that has reached the target state by 2.Reachability Analysis, analyze whether it is reachable on the concrete structure $\mathcal{M}$ by path counterexample analysis and simultaneous execution counterexample analysis.

4.

Refinement:

From the results of 3.Counterexample Analysis, we obtain a set of predicates ${\Psi }^{new}$ that partitions the abstract state so that there are no counterexamples obtained by 2.Reachability Analysis.

5.

Abstraction:

From the set of predicates ${\Psi }^{\prime }=\Psi \cup {\Psi }^{new}$ to which the predicate is added, we obtain a new abstract structure ${\mathcal{M}}_{{\Psi }^{\prime }}^{♯}$.

6.

Return to 2.Reachability Analysis.

By repeating this loop, the system determines whether it “Reach” or “Not Reach” the target state. In the case of “Reach,” a concrete path to the target state is given, and this information can be used to modify and improve the system specification.

5.2. Verification Example by Priced Probabilistic Timed CEGAR

In this subsection, we show the verification procedure of priced probabilistic timed CEGAR through an example. The verification example is an n-point hop wireless sensor network composed of n sensor nodes ${\mathcal{M}}_{nod{e}_i}$ shown in Figure 7.

The behavior of this WSN is as follows: In normal operation, it is active and senses the surrounding environment. When it receives an external event, it moves to the sending state, which notifies surrounding sensor nodes of the detection of the event. At this time, sensor nodes communicate wirelessly. Wireless communication is probabilistic, and communication succeeds with probability p. Also, regardless of the outcome of the communication, the cumulative cost increases by $d^{\alpha }$ as the transmission cost, where d is the Euclidean distance between nodes and $\alpha$ is the communication channel characteristic, which is between 1 and 6 [6]. If the communication is successful, the node is put into a dormant sleep state, and if it fails, the node loops back to the sending state and retransmits the message. If the accumulated cost since startup in any of the non-sleep states becomes larger than $\kappa$, the system moves to the exhaust state, indicating that the system is down.

The following is an example of verification in the WSNs model $\mathcal{M}$ for n=3 shown in Figure 8.

Here, the verification problem is $(l_5,\lambda =0.01,\kappa =30)$.

Example 2.(Verification example)

First of all, locations in the set of target locations are initially abstracted by the predicate $z>\kappa$, which consists of the target cost κ. Otherwise, initial abstraction is performed according to the initial predicate set ${\Psi }^{init}$ whose origin is all $true$. Next, for the obtained abstract structure ${\mathcal{M}}^{♯}$, we perform a probability reachability analysis with target probability λ. As a result, we obtain $(A^{♯},{\omega }^{♯})$ as a candidate counterexample. We select the smallest counterexample ${\Omega }_{smallest}^{♯}$ from this candidate counterexample. The element of ${\Omega }_{smallest}^{♯}$ consists only of ${\omega }^{♯}=l_0\to l_5$. A counterexample analysis is performed for this counterexample. This is judged to be infeasible on the concrete structure because it cannot return to the initial state $(l_0,({\nu }_0,c_0))$ in path counterexample analysis. Therefore, we refine abstract structure ${\mathcal{M}}^{♯}$ by splitting the abstract state $l_0$ using the predicate ${\psi }_{l_0}=z\le 28+4x_1$, and again construct abstract structure ${\mathcal{M}\prime }^{♯}$ in Figure 9. As a result, the abstract state $L_5$ is unreachable on this counterexample, so this counterexample is excluded from the candidate counterexamples.

As described above, by following the verification procedure according to the costed probability time CEGAR, there will be no path in the abstract structure that reaches the target location $L_5$ with a probability greater than $\kappa =30$ and a probability greater than $\lambda =0.01$ of reaching the target. In other words, the result is “Not Reachable”. Therefore, this model is “Yes Reachable” for the Cost-bounded probability reachability problem $(l_4,1-\lambda =0.99,\kappa =30)$. □

5.3. Empirical Experiments and Discussions

In this subsection, we present the results and discussion on the empirical experiments conducted by implementing Priced probabilistic timed CEGAR verification algorithm.

The verification prototype program was implemented by Mathematica 6. The performance of the verification machine is as follows: 32-bit Microsoft Windows Vista Business Service Pack 1 OS, Intel Xeon CPU 5160 3.00GHz and 2.99GHz processors. The memory is 4.00GB. The memory is 4.00GB.

The model of verification is a WSN with 4 sensor nodes 3 point hops and the verification problem is $(l^{error},\lambda =0.3,\kappa =32)$. The experimental result shows that the verification was completed with 22 CEGAR loops and 66 states. Figure 10 and Figure 11 are the results of the experiment. From Figure 10, it can be seen that the computation time and the memory used for verification increase exponentially with the number of CEGAR verification loops. The exponential increase may be due to the effect of the Quantifier Elimination ([15]) used in the implementation of the state set operation. Also, from Figure 11, the number of states is linearly increasing. As for the linear increase in the number of states, considering that the number of states of the finite state graph equivalent to the pricded-removed probabilistic timed automaton is $4^3=64$, which is multiplied by the number of states of the priced-added probabilistic timed automaton, the effect of state reduction is considered sufficient.

On the other hand, the Fortuna Model Checker is the first tool for model checking priced probabilistic timed automata [16]. Fortuna is able to compute the maximal probability by which a state can be reached under a certain cost-bound and time-bound. Fortuna uses a number of crucial optimizations on that algorithm. Fortuna depends on a number of external libraries. The external libraries are the following:

1.

The BOOST C++ Libraries. Fortuna only depends on header files from BOOST.

2.

The Parma Polyhedra Library (PPL version 0.10). A pre-compiled version is available for Linux.

3.

The GNU Multiple Precision Arithmetic Library, libraries gmp and gmpxx. These libraries are already installed on standard Linux distributions. They are needed only by PPL.

4.

The lp solve library version 5.5.

The Fortuna Model Checker is expected to be more efficient than our priced probabilisti timed cegar since the verification prototype program was implemented by Mathematica 6. But our priced probabilisti timed CEGAR is a milestone for the CEGAR model checking for priced probabilistic timed automata, and the future is promising.

6. Conclusions

In this paper, we focus on priced probabilistic timed automaton [3] as a specification description language, and propose priced probabilistic timed CEGAR using abstraction refinement [4,5] in order to reduce the state explosion. To the best of our knowledge, this paper is the first CEGAR development and implementation of a priced probabilistic timed automaton. The verification prototype program was implemented by Mathematica 6.

Using a wireless sensor network [6] with time, cost, and probabilistic behavior as a case study, we propose and show the effectiveness of a reachability analysis method using priced probabilistic timed CEGAR to reduce the state explosion. For sensor nodes, which are the components of WSNs, there are physical quantities such as time and cost, as well as probabilistic behaviors, which can be described and verified using a priced probabilistic timed Automaton. From verification experiments, We find that the computation time and the memory used for verification increased exponentially with the number of CEGAR verification loops, and the number of states was linearly increasing. The exponential increase may be due to the effect of the Quantifier Elimination ([15]) used in the implementation of the state set operation. As for the linear increase in the number of states, the effect of state reduction is considered sufficient.

Due to the limitations of Mathematica 6, further experimentation was not possible, so an implementation of priced probabilistic timed CEGAR in the c language is underway as an ongoing study. We plan to conduct a number of system verification experiments with it. Future work is to establish a verification method for WSNs that includes dynamic characteristics such as temporal generation and extinction of sensor nodes and changes in communication paths due to changes in communication conditions.