Reachability Analysis Method Using Abstraction and Refinement of Priced Probabilistic Timed Automaton and Its Application for Design Verification of Wireless Sensor Networks

Abstract

The design and reliability assurance of embedded systems is a complex issue, since they need to handle not only digital behavior but also physical quantities such as time, cost, and sometimes randomness. In addition, since many embedded systems, such as networks and automobiles, have systems in which errors can be fatal, design verification for reliability assurance is an important research topic. Considering the above background, we adopt the approach of specifying and verifying embedded systems using formal models. Specifically, we focus on a priced probabilistic timed automaton as a specification description language and propose a reachability analysis method based on counterexample-guided abstraction refinement (CEGAR) to reduce the state explosion. To demonstrate the effectiveness of the proposed method, we attempt to verify the design of important wireless sensor networks (WSNs). In this paper, we model WSNs via a priced probabilistic timed automaton that can express their power characteristics in terms of cost, uncertainty in terms of probability, real time in terms of time, and attribute WSNs’ characteristics to the cost bound probabilistic reachability problem. To the best of our knowledge, this paper is the first CEGAR development and implementation of a priced probabilistic timed automaton. We have developed a prototype of the verifier and confirmed that it is verifiable. The model of verification is a WSN with four sensor nodes and three point hops and the verification problem is $(l^{error},\lambda =0.3,\kappa =32)$. The experimental result shows that the verification was completed with 22 CEGAR loops and 66 states. This paper is innovative and significant as a milestone in the development of an extension of CEGAR to priced probabilistic timed automata.

1. Introduction

The design and reliability assurance of embedded systems is a complex issue, since they need to deal not only with digital behavior but also with physical quantities such as time and cost, and sometimes with probabilistic behavior [1,2]. In addition, since many embedded systems, such as networks and automobiles, have systems in which errors can be fatal, design verification for reliability assurance is an important research topic. With the above background, we adopt the approach of specifying and verifying embedded systems by formal models. Specifically, we focus on priced probabilistic timed automaton [3] as a specification description language and propose a reachability analysis method based on counterexample-guided abstraction refinement (CEGAR) [4,5] in order to reduce the state explosion.

Related research on model checking for sensor networks can be broadly categorized into three main areas: “verification of communication protocol correctness,” “analysis of real-time performance and resource constraints,” and “security verification.” This paper focuses on the analysis of real-time requirements and resource constraints. In real-time, power-efficient analysis, the periodic sensing, packet transmission, and sleep schedules of sensor networks are critical; therefore, model checking using Timed Automata or TCTL [6,7] is commonly employed. In this approach, we detect communication delays, scheduling violations, and failures in node coordination and search for configurations that meet battery life and responsiveness requirements. In other words, the key feature is that we rigorously examine not just whether the system “works,” but whether it can “continue to operate within the constraints.” A major challenge is the state explosion, where the search space grows exponentially as the number of nodes increases. For this reason, techniques such as abstraction, symmetry reduction, modular partitioning, and partial network modeling are often used in combination. Furthermore, since real-world sensor networks are significantly affected by the physical environment and wireless errors, it is important to avoid overly idealized modeling.

Meanwhile, recent research on WSN architectures has addressed the problem of maximizing total throughput in WPCNs, where mobile hybrid access points (HAPs) support wireless power transfer and communication while on the move [8]. The key point of this research is that by using mobile HAPs, power can be supplied and communication established even with distant terminals, thereby mitigating the significant inequities observed with fixed HAPs. As a result, power reception and transmission conditions for each terminal are improved, making it easier to increase the total throughput of the entire network. This paper focuses on WSNs in which the access points do not move. We model WSNs by a priced probabilistic timed automaton that can express their power characteristics in terms of cost, uncertainty in terms of probability, real time in terms of time, and attribute WSNs’ characteristics to the cost bound probabilistic reachability problem. Also, in this research, focusing on simplifying and verifying complex costed stochastic temporal automata, we achieve rigorous verification of reachability for costed probabilistic timed automata using a model checking method that extends symbolic model checking with abstraction refinement.

Using a wireless sensor network [9] with time, cost, and probabilistic behavior as a case study, we propose and show the effectiveness of a reachability analysis method using counterexample-guided abstraction refinement (CEGAR) to reduce the state explosion by using a priced probabilistic timed automaton. For sensor nodes, which are the components of WSNs, there are physical quantities such as time and cost, as well as probabilistic behaviors, which can be described and verified using a priced probabilistic timed automaton. However, when the nodes operate in parallel and constitute a network that covers a wide area, the number of nodes becomes enormous, and the state explosion phenomenon is induced in the model of the entire network, making the verification of WSNs as a whole difficult. For this reason, despite its paramount importance, there are few examples of studies on model checking of priced probabilistic timed automata such as WSNs.

In model checking that includes reachability analysis, the expressive power of the model and state reduction techniques are crucial [10].

• Regarding the expressive power of the model, there are differential equations that include time, probability, and cost, as well as combinations thereof; costed probabilistic timed automata possess the strongest expressive power but are complex.
• State reduction techniques include partial order reduction, symmetry reduction, and compositional methods that capture the structural characteristics of the system, as well as general-purpose symbolic model checking, abstraction refinement, bisimulation minimization, and approximation methods. In this research, focusing on simplifying and verifying complex costed stochastic temporal automata, we achieve rigorous verification of reachability for costed probabilistic timed automata using a model checking method that extends symbolic model checking with abstraction refinement.

A comparison of existing tools with this study is as follows.

• APMC (Approximate Probabilistic Model Checker) is a distributed model checker for fully probabilistic systems that uses a client/server computation model to distribute path generation and formula verification on a cluster of workstations [11]. The APMC approach uses an efficient Monte-Carlo method to approximate satisfaction probabilities of monotone properties over fully probabilistic transitions systems. The properties to be checked are expressed in LTL (Linear Temporal Logic). This study offers greater model expressiveness and verification capabilities than APMC; however, while it verifies reachability, its verification capabilities regarding temporal properties are inferior to those of APMC. Nevertheless, this study can verify reachability that incorporates temporal constraints, probability, and cost.
• Fortuna is the first and only tool for model checking priced probabilistic timed automata (PPTAs) [12]. Fortuna can handle the combination of real time, probabilistic and cost features. This is required to address key design trade-offs that arise in many practical applications such as the Zeroconf, Bluetooth, IEEE802.11 and Firewire protocols, protocols for sensor networks, and scheduling problems with failures. PPTAs are an extension of probabilistic timed automata (PTAs) with cost-rates and discrete cost increments on states [13]. Fortuna is able to compute the maximal probability by which a state can be reached under a certain cost-bound (and time-bound). This study presents an evolution of Fortuna using CEGAR to reduce the number of states.
• CEGAR is the leading method for reducing the number of states in model checking by simplifying complex models, and in recent years, it has also been studied in the context of model checking for extensions of finite-state timed automata [14] and assembly programs [15].

In this paper, we propose cost-bounded maximal reachability using CEGAR of a priced probabilistic timed automaton aiming at reducing the state explosion. In particular, the following aspects are important and very new:

• We perform predicate abstraction on both cost and time constraints simultaneously.
• Using the counterexample analysis method, we determine whether the counterexamples obtained by cost-bounded maximal probability reachability analysis on the abstract structure exist on the concrete structure or not. A counterexample analysis consists of two parts: path counterexample analysis and simultaneous execution counterexample analysis. A path counterexample analysis is performed to check whether the extracted counterexamples are executable on the corresponding real systems. On the other hand, a simultaneous execution counterexample analysis is performed to check whether the elements of those counterexamples can be executed according to the same adversary.

To demonstrate the proposed method, we model WSN as a case study by expressing power characteristics in terms of cost, uncertainty in terms of probability, and real-time performance in terms of time, using a priced probabilistic timed automaton. Then, the properties of WSNs are attributed to the cost-bounded maximal probability reachability problem, and the reachability analysis by CEGAR is performed. To the best of our knowledge, this paper is the first CEGAR development and implementation of a priced probabilistic timed automaton. We have developed a prototype verifier to demonstrate the effectiveness of the proposed method. This paper is innovative and significant as a milestone in the development of an extension of CEGAR to priced probabilistic timed automata. The proposal in this paper has been prototyped in Mathematica to understand its characteristics. Fortuna [12], the only existing symbolic model checker, is implemented in C++ and uses high-performance libraries. Developing a full-fledged tool such as the symbolic model checker Fortuna remains a challenge for future work and will be described in the paper.

This paper is organized as follows. In Section 2, we define a priced probabilistic timed automaton. Section 3 defines the verification problem, Section 4 describes the verification method of predicate abstraction and refinement, and Section 5 proposes priced probabilistic timed CEGAR and its examples. Finally, a summary is given in Section 6.

2. Priced Probabilistic Timed Automaton

In this section, we define the syntax and semantics of a priced probabilistic timed automaton [3]. In the following subsections, we begin by laying the groundwork and then define the syntax and semantics of priced probabilistic timed automaton.

2.1. Preliminaries of Priced Probabilistic Timed Automaton

First, as a preliminary step, we define discrete probability distributions to express probabilities, clock variables to express real-time characteristics, and cost variables to express power characteristics, and also define MP zones to treat clock variables and cost variables as a set.

Definition 1

(Discrete probability distribution [16]). The set of discrete probability distributions on the countable state set $\mathcal{S}$ is denoted by $Dist\left(\mathcal{S}\right)$. $\mu \in Dist\left(\mathcal{S}\right)$ is a function $\mu :\mathcal{S}\to [0,1]$. However, ${\sum }_{s\in \mathcal{S}}\mu \left(s\right)=1$ and $\left\{s\mid s\in \mathcal{S}and\mu \left(s\right)>0\right\}$ is a finite set.

Next, we define the clock variables representing the passage of time, the valuation of the clock variables, and the constraints on the clocks.

Definition 2

(Clock variable [3]). The clock variables are non-negative real-valued variables. All clocks increase at the same rate and can be reset to 0 during the transition. Let $\mathcal{X}$ denote the set of clock variables on ${\mathbb{R}}_{\ge 0}$.

Definition 3

(Clock valuation [3]). The clock valuation is a function $\nu :\mathcal{X}\to {\mathbb{R}}_{\ge 0}$. The set of all clock valuations of $\mathcal{X}$ is denoted by ${\mathbb{R}}_{\ge 0}^{\mathcal{X}}$. We use $\nu [X:=0]$ to denote the clock valuation obtained from ν by resetting all the clocks in $X\subseteq \mathcal{X}$ to 0 and leaving the values of all other clocks unchanged. For all t that are $t\in {\mathbb{R}}_{\le 0}$, $\nu +t$ is a clock valuation giving $\nu \left(x\right)+t$ for all $x\in \mathcal{X}$.

Definition 4

(Zone [3]). The zone ζ on $\mathcal{X}$ is defined inductively as a convex subset of the set ${\mathbb{R}}_{\ge 0}^{\mathcal{X}}$ of clock valuations with the following syntax.

$$\begin{array}{c}\hfill \zeta ::=x\le c|x<c|x\ge d|x>c|x-y\le d|\\ \hfill x-y<d|\zeta \wedge \zeta |true,\end{array}$$

where $x,y\in \mathcal{X}$ and $c,d\in \mathbb{N}$. Let $Zones\left(\mathcal{X}\right)$ denote the set of zones ζ on $\mathcal{X}$.

The clock valuation $\nu$ satisfies the zone $\zeta$ if and only if after replacing each clock variable $X\in \mathcal{X}$ in the zone by the corresponding clock value $\nu \left(x\right)$ by $\nu$, the zone’s Boolean value $\zeta \nu \in \{true,false\}$ for the clock valuation is $true$. We write this as $\nu ▷\zeta$.

In the operation of a priced probabilistic timed automaton, the state cannot be described by the usual zone because of the accumulated cost from the beginning of the operation. Therefore, we begin by defining a cost variable that represents the accumulated cost from the start of operation and a cost valuation. Next, we define the set of clock and cost valuations that appear in the behavior of a priced probabilistic timed automaton as a conjunction of zones and the possible inequalities of the cost variable on those zones.

Definition 5

(Cost variable [3]). The cost variable z is a non-negative real variable, and z increases with the slope of the cost when the clock increases at a certain rate.

Definition 6

(Cost valuation [3]). The cost valuation is a function $c:z\to {\mathbb{R}}_{\ge 0}$. For a cost variable z and a cost slope n, let $c+nt$ for all $t\in {\mathbb{R}}_{\le 0}$ be a cost valuation giving a valuation of $c\left(z\right)+n·t$.

Next, we define multi-priced zones, which are zones augmented with a conjunction of linear inequalities that define an upper bound on the cost that can be associated with each valuation in the zone.

Definition 7

(Multi-Priced zone [3]). Multi-Priced zones (MP zones) are defined by $M=\zeta \wedge \varphi$. ζ is a zone and ϕ is defined inductively by the following syntax.

$$\begin{array}{c}\hfill \varphi ::=az\bowtie b_1{x}_1+\cdots +b_n{x}_n+b_0|\varphi \wedge \varphi |true,\end{array}$$

where Z is a cost variable, $\bowtie \in \{<,\le ,\ge ,>\}$, $x_1,\cdots ,x_n$ are all clocks that make up ζ, $a,b_0,\cdots ,b_n\in \mathbb{Z}$ and $a>0$. Let $\mathsf{\Phi }\left(Zones\right(\mathcal{X}\left)\right)$ be the set of cost expressions on $\zeta \in Zones\left(\mathcal{X}\right)$, where $\varphi \in \mathsf{\Phi }\left(Zones\right(\mathcal{X}\left)\right)$.

When the pair $(\nu ,c)$ of clock and cost valuations satisfies the MP zone $M=\zeta \wedge \varphi$, we write $(\nu ,c)▷\zeta \wedge \varphi$. $(\nu ,c)▷\zeta \wedge \varphi$ holds $true$ if and if only after replacing each clock variable $x\in \mathcal{X}$ in $\zeta$ by the corresponding clock value $\nu \left(x\right)$ by $\nu$, the zone Boolean value $\zeta \nu \in \{true,false\}$ for the clock valuation is $true$, and after replacing each clock variable $x\in \mathcal{X}$ and cost variable z in $\varphi$ by the corresponding clock and cost values $\nu \left(x\right),c\left(z\right)$ by the pair $(\nu ,c)$ respectively, the true value of the zone regarding clock valuation and cost valuation $\varphi (nu,c)\in \{true,false\}$ is $true$.

Definition 8

(MP zone operations [3]). The operation to deform the MP zone is defined as follows.

$$\begin{array}{ccc}\hfill \mathsf{time}\_\mathsf{succ}[M,n]& =& \left\{\right(\nu ,c\left)\right|\exists t\in \mathbb{R}.(\nu -t,c-nd)▷\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{time}\_\mathsf{pre}[M,n]& =& \left\{\right(\nu ,c\left)\right|\exists t\in \mathbb{R}.(\nu +t,c+nd)▷\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{reset}[M,X]& =& \left\{\right(\nu [X:=0],c\left)\right|(\nu ,c)▷\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{free}[M,X]& =& \left\{\right(\nu ,c\left)\right|\left(\nu \right[X:=0],c)▷\zeta \wedge \varphi \}\hfill \\ \hfill \mathsf{shift}[M,h]& =& \left\{\right(\nu ,c\left)\right|(\nu ,c+h)▷\zeta \wedge \varphi \}\hfill \end{array}$$

If the input zone is an MP zone, the result of the operation is also an MP zone.

2.2. Syntax of a Priced Probabilistic Timed Automaton

Next we define the syntax of a priced probabilistic timed automaton [3] using the subsection mentioned above.

Definition 9

(Priced probabilistic timed automaton [3]). The priced probabilistic timed automaton $P^{2}TA$ is defined by the pair $(L,\overline{l},\mathcal{X},inv,prob,\dot{\$})$.

• L is a finite set of locations.
• $\overline{l}\in L$ is the initial location.
• $\mathcal{X}$ is a finite set of clocks.
• $inv:L\to Zones\left(\mathcal{X}\right)$ is a function that assigns an invariant condition to each location.
• $prob\subseteq L\times Zones\left(\mathcal{X}\right)\times \mathbb{N}\times Dist(L\times 2^{\mathcal{X}})$ is a finite set of probabilistic transition relation.
• $\dot{\$}:L\to \mathbb{N}$ is s function that assigns a cost slope to each location.

The edge of a priced probabilistic timed automaton is generated by $(l,g,h,\mu )\in prob$, and takes the form of a pair $(l,g,h,\mu ,X,l^{\prime })$ such that $\mu (l^{\prime },X)>0$. Let $\mathrm{edgess}(l,g,h,\mu )$ be the set of edges generated by $(l,g,h,\mu )$, and $\mathrm{edgess}(l,g,h,\mu )=\left\{(l,g,h,\mu ,X,l^{\prime })\right|(l,g,h,\mu )\in proband\mu (l^{\prime },X)>0\}$, where $l\in L$, $g\in Zones\left(\mathcal{X}\right)$, $h\in \mathbb{N}$, $\mu \in \mathit{Dist}(L\times 2^{\mathcal{X}})$.

Example 1

(Example of automaton behavior in Figure 1). An example of a priced probabilistic timed automaton is shown in Figure 1. First, the behavior starts from the initial location $l_0$ with clock $t=0$ and cost $z=0$. Then, after a time elapses until $(t=1,c=1)$, a discrete transition is made. A discrete transition is made to location $l_1$ with probability $1-p$ and to location $l_2$ with probability p. If it transitions to location $l_1$, time elapses until $c>2$, and then it makes a discrete transition to location $l_{error}$ with probability 1. If a transition is made to location $l_2$, a discrete transition is made to location $l_{target}$ after a time elapses to $(t\le 1,c\le 2)$ or to location $l_{error}$ after a time elapses to $(t>1,c>2)$. Since the invariance condition is $true$ at location $l_{target}$ and location $l_{error}$, arbitrary time elapses or arbitrary discrete transitions are performed, since there is a self-loop.

2.3. Semantics of a Priced Probabilistic Timed Automaton

The state of the priced probabilistic timed automaton $P^{2}TA$ is expressed as the ordered pair $(l,(\nu ,c))\in L\times {\mathbb{R}}_{\ge 0}^{\mathcal{X}}\times {\mathbb{R}}_{\ge 0}$, where $\nu$ satisfies $inv\left(l\right)$. That is, $\nu$ is an element of the set of clock valuations of the zone represented by $inv\left(l\right)$. In addition, c represents the cumulative cost valuation from the initial state. The $P^{2}TA$ behaves from the initial state $(\overline{l},({\nu }_0,c_0))$, where ${\nu }_0$ denotes the initial clock valuation with all clock values set to 0 and $c_0$ denotes the initial cost valuation of 0. In a state $(l,(\nu ,c\left)\right)$ at some point in time, $P^{2}TA$ nondeterministically chooses a timed transition or a discrete transition. Discrete transitions are made by a feasible probabilistic transition relation $(l,g,h,\mu )\in prob$ for the transition source location l, where the MP zone g satisfies the current clock valuation and cost valuation pair $(\nu ,c)$. The probability that the location of $P^{2}TA$ transitions to $l^{\prime }$ and all clocks on the set X are reset to zero is denoted by $\mu (l^{\prime },X)$.

We define the semantics of a priced probabilistic timed automaton as a timed probabilistic system [16]. Timed probabilistic systems take the form of Markov decision processes (MDPs) and perform nondeterministic transitions.

Definition 10

(Timed probabilistic system [3]). The timed probabilistic system $\mathcal{M}$ defining the meaning of the priced probabilistic timed automaton $P^{2}TA=(L,\overline{l},\mathcal{X},inv,prob,\dot{\$})$ is a Markov decision process $(Q,q_0,Steps)$.

• $Q\subseteq L\times {\mathbb{R}}_{\ge 0}^{\mathcal{X}}\times {\mathbb{R}}_{\ge 0}$ is a set of states,
• $q_0=(l_0,({\nu }_0,c_0))$ is the initial state,
• $Steps\subseteq Q\times {\mathbb{R}}_{\ge 0}\times \mathbb{N}\times Dist(Q\times 2^{\mathcal{X}})$ is a timed probabilistic transition relation.

All states $(l,(\nu ,c\left)\right)$ are $\nu ▷Inv\left(l\right)$. The probabilistic transition relation $Steps$ consists of timed transitions and discrete transitions, and among the probability distributions paired with the state $(l,(\nu ,c\left)\right)$, the one due to timed transitions is denoted as ${\mu }_{\perp }$. Let $(l,g,h,{\mu }_P)\in prob$ of $P^{2}TA$ be $\left(\right(l,(\nu ,c)),t,h,\mu )$ as follows.

• Timed transition from state $(l,(\nu ,c\left)\right)$ to t unit time: $(l,(\nu ,c))\stackrel{t,0,{\mu }_{\perp }((l^{\prime },({\nu }^{\prime },c^{\prime })),\varnothing )}{\to }(l^{\prime },({\nu }^{\prime },c^{\prime }))$
  ${\mu }_{\perp }((l^{\prime },({\nu }^{\prime },c^{\prime })),\varnothing )=\left\{\begin{array}{cc}1\hfill & if{l}^{\prime }=l\wedge {\nu }^{\prime }=\nu +t\wedge \hfill \\ & c^{\prime }=c+\dot{\$}\left(l\right)t\wedge \hfill \\ & {\nu }^{\prime }▷inv\left(l\right)\wedge t>0\hfill \\ 0\hfill & otherwise\hfill \end{array}\right.$
• Discrete transition from state $(l,(\nu ,c\left)\right)$ by probabilistic transition relation $(l,g,h,{\mu }_P)$ to:$(l,(\nu ,c))\stackrel{0,h,\mu ((l^{\prime },({\nu }^{\prime },c^{\prime })),X)}{\to }(l^{\prime },({\nu }^{\prime },c^{\prime }))$
  $\mu ((l^{\prime },({\nu }^{\prime },c^{\prime })),X)=\left\{\begin{array}{cc}{\mu }_P(l^{\prime },X)\hfill & if\nu ▷g\wedge \hfill \\ & {\nu }^{\prime }=\nu [X:=0]\wedge \hfill \\ & c^{\prime }=c+h\hfill \\ 0\hfill & otherwise\hfill \end{array}\right.$

The transition by probability $\mu ((l^{\prime },({\nu }^{\prime },c^{\prime }))$ of a probabilistic transition relation on $\mathcal{M}$ is a transition that resets the clock variable X and reaches state $(l^{\prime },({\nu }^{\prime },c^{\prime }))$. Since the sample space of the probability distribution $\mu$ of the probabilistic transition relation is not only Q but also the product of Q and $2^{\mathcal{X}}$, one transition ${\mu }_P((l^{\prime },({\nu }^{\prime },c^{\prime })),X)>0$ on $P^{2}TA$ corresponds equally to one transition $\mu ((l^{\prime },({\nu }^{\prime },c^{\prime })),X)>0$ on $\mathcal{M}$.

The path of a timed probabilistic system is expressed as the resolution of nondeterministic and probabilistic choices.

$$\omega =q_0\stackrel{t_0,h_0,{\mu }_0(q_1,X_0)}{\to }{q}_1\stackrel{t_1,h_1,{\mu }_1(q_2,X_1)}{\to }\cdots ,$$

where $0\le i\le \left|\omega \right|$, $q_i\in Q,(q_i,t_i,{\mu }_i)\in Steps,{\mu }_i\left(q_i\right)>0$. Let $\omega \left(i\right)$ denote the i-th state of the path $\omega$, let $step(\omega ,i)$ denote the i-th transition, and if $\omega$ is a finite sequence, denote its length $\left|\omega \right|$ and its last state $last\left(\omega \right)$. The set of all finite or infinite paths starting from a state q is denoted by $Pat{h}_{fin}\left(q\right),Pat{h}_{ful}\left(q\right)$ respectively.

Here, we introduce an adversary of the timed probabilistic system as a representation that resolves only nondeterminism.

Definition 11

(Adversary [3]). The adversary A of the timed probabilistic system $\mathcal{M}=(Q,q_0,Steps)$ is a function that maps all finite paths ${\omega }_{fin}$ of $\mathcal{M}$ to a discrete probability distribution $(last\left({\omega }_{fin}\right),\mu )\in Steps$, where there exist $(last\left({\omega }_{fin}\right),\mu )\in Steps$ exists.

For any adversary A and state q, let $Pat{h}_{ful}^A\left(q\right),Pat{h}_{fin}^A\left(q\right)$ denote the subsets of $Pat{h}_{ful}\left(q\right),Pat{h}_{fin}\left(q\right)$ generated by A, respectively, and let $Ad{v}_{\mathcal{M}}$ be the set of adversaries of the timed probabilistic system $\mathcal{M}$. We also distinguish simple adversaries $A_{simple}$ as adversaries that all return the same probability distribution regardless of the path if the last states of the paths are equal. Hereafter, when we simply write “adversary”, we refer to a simple adversary. An adversary represents a particular resolution of the nondeterminism of a timed probabilistic system. Here, for a timed probabilistic system $\mathcal{M}=(Q,q_0,Steps)$, the behavior under a given simple adversary $A_{simple}$ can be described by a Markov chain ($MC$) [16].

Definition 12

(Markov chain [3]). For a timed probabilistic system $\mathcal{M}=(Q,q_0,Steps)$, the behavior of $\mathcal{M}$ under a given adversary A can be described by a Markov chain $M{C}^A$, denoted by the pair $(Q^A,q_0^A,{\mathbf{P}}^A)$, where, for any state $q,q^{\prime }\in Q^A$, we have

$$\begin{array}{c}\hfill {\mathbf{P}}^A(q,q^{\prime })=\left\{\begin{array}{c}\mu \left(q^{\prime }\right)if\exists \omega .last\left(\omega \right)=q\wedge A\left(\omega \right)=\mu \hfill \\ 0otherwise.\hfill \end{array}\right.\end{array}$$

Next, we define the probability of occurrence of paths appearing in the Markov chain and timed probabilistic system associated with the adversary.

Definition 13

(Probability of path [3]). Let A be the adversary of the timed probabilistic system $\mathcal{M}$. In this case, we define the probability $Pro{b}_{fin}^A:Pat{h}_{fin}^A\to [0,1]$ of path occurrence as follows.

$$\begin{array}{c}\hfill Pro{b}_{fin}^A\left(\omega \right)=\left\{\begin{array}{cc}{\mathbf{P}}^A(\omega \left(0\right),\omega \left(1\right))\cdots {\mathbf{P}}^A(\omega (n-1),\omega \left(n\right))\hfill & if\left|\omega \right|\ne 0\hfill \\ 1\hfill & otherwise.\hfill \end{array}\right.\end{array}$$

Since priced probabilistic timed automata are a subclass of probabilistic linear hybrid automata, their behavior may include the zeno behavior [10]. A zeno behavior is one in which an infinite number of discrete transitions occur in finite time. The problem of determining whether a model described by a hybrid automaton has zeno behavior is known to be undecidable [10]. However, since the modeling language in this paper is a priced probabilistic timed automaton, it can be considered as a probabilistic timed automaton by excluding the price. It is known from the literature [17] that the problem of determining whether a model described by a probabilistic timed automaton has zeno behavior is decidable, and we shall avoid zeno behavior in this paper accordingly.

3. Cost-Bounded Maximal Probability Reachability Analysis

When we specify embedded systems using a priced probabilistic timed automaton, it is very meaningful to be able to verify the property that the desired state can be reached with a certain probability or more and at a certain cost or less for every behavior [9]. An example is the mountain fire alarm system by WSNs. In this system, the above characteristics include “can you report a fire in the entire area with a probability of more than $99.9\%$ before running out of battery power?” In this study, we consider the verification of significant properties in priced probabilistic timed automata by means of a cost-bounded probability reachability problem. By the way, Fortune calls this problem cost-bounded maximal reachability (CBMR) [13]. In the behavior of a priced probabilistic timed automaton, when there exists a self-loop that transitions to the same state, it is difficult to solve a cost-bounded maximal probability reachability problem that requires the behavior to be investigated, since there may be an infinite number of paths that can be followed to reach the target state. It is known that the probability reachability problem can be verified by examining a finite number of paths by restricting the problem of reachability from ≤ to the form > [18]. Therefore, in this study, we define a cost-bounded probability reachability problem that can be verified with finite numbers by adding a cost bound.

The following is the definition of the cost boundary maximal probability reachability problem.

Definition 14

(Cost-bounded probability reachability problem [3]). For the priced probabilistic timed automaton $P^{2}TA=(L,\overline{l},\mathcal{X},inv,prob,\dot{\$})$, the cost-bound probability reachability problem is defined by the pair $PRP=(l_{error},{\lambda }^{\prime },\kappa )$, where $l_{error}$ is the target location, ${\lambda }^{\prime }\in [0,1]$ is the probability of reaching the target state, and $\kappa \in \mathbb{N}$ is the upper bound of cumulative cost. Also, when $(\nu ,c)$ satisfies the MP zone $inv\left(l_{error}\right)\wedge z>\kappa$, $(l_{error},(\nu ,c^{\prime }))$ is called the objective state.

The answer to the cost bound probability reachability problem for $P^{2}TA$ is “Yes, Reachable" iff in some adversary $A\in Ad{v}_{\mathcal{M}}$ of $\mathcal{M}$ defined by $P^{2}TA$, there exists one or more paths starting from the initial state $(\overline{l},({\nu }_0,c_0))$ of $P^{2}TA$ such that $last\left(\omega \right)=(l_{target},(\nu ,c^{\prime }))$ and the total occurrence probability $P_{max}$ of the paths satisfy the condition $P_{max}>{\lambda }^{\prime }$.

However, since there is no guarantee that the state space is finite, in general, the cost-boundary probability reachability problem is undecidable [10]. However, it is generally known that there are many verifiable models in realistic systems [13].

4. Predicate Abstraction and Refinement

The behavior of the entire WSNs can be modeled by synthesizing the behavior models of the nodes that make up the entire network through parallel composition. In general, the number of nodes in practical WSNs is said to be approximately several tens, and even if the behavior of the entire synthesized network is described, the number of states is very large and verification is very difficult. Therefore, it is necessary to suppress the number of states to a realistically verifiable number on the computer’s memory. We define this section in preparation for proposing priced probabilistic timed CEGAR in the next section. In this paper, we propose cost-bounded maximal reachability using CEGAR of a priced probabilistic timed automaton aiming at reducing the state explosion. In this section, we propose the following aspects, which are important and very new:

• We perform predicate abstraction on both cost and time constraints simultaneously.
• Using the counterexample analysis method, we determine whether the counterexamples obtained by cost-bounded maximal probability reachability analysis on the abstract structure exist on the concrete structure or not. A counterexample analysis consists of two parts: path counterexample analysis and simultaneous execution counterexample analysis. A path counterexample analysis is performed to check whether the extracted counterexamples are executable on the corresponding real systems. On the other hand, a simultaneous execution counterexample analysis is performed to check whether the elements of those counterexamples can be executed according to the same adversary.

4.1. Predicate Abstraction

Predicate abstraction is used to obtain a finite approximation of an infinite state transition system [4]. This method performs abstraction based on a set of abstraction predicates. We extend the paper [17] with cost and propose the new abstraction predicates as follows.

Definition 15

(Abstraction predicates). For a set of clock variables $\mathcal{X}$ and a cost variable z, the predicate ψ is defined as follows.

$$\begin{array}{ccc}\hfill \psi & ::=& {\psi }_{cl}\wedge {\psi }_{co}\hfill \\ \hfill {\psi }_{cl}& ::=& x_1\le e|x_1<e|x_1-x_2\le d|true\hfill \\ \hfill {\psi }_{co}& ::=& az\le b_1{x}_1+\cdots +b_n{x}_n+b_0|true,\hfill \end{array}$$

where $x_1,x_2,\cdots ,x_n\in \mathcal{X}$,z are cost variables, $e\in \mathbb{N},a,b_1,\cdots ,b_n,d\in \mathbb{Z}$ and $a>0$. In the clock valuation ν, cost valuation c, and abstraction predicate $\psi ={\psi }_{cl}\wedge {\psi }_{co}$, the true value of the predicate ψ on $(\nu ,c)$ is $\psi \left(\right(\nu ,c\left)\right)\in \{true,false\}$.

Let $(\nu ,c)$ satisfy the predicate ψ and write $(\nu ,c)\vDash \psi$ iff the result of substituting the value $\nu \left(x\right)$ corresponding to the clock $x\in \mathcal{X}$ appearing in ${\psi }_{cl}$ is true and the result of substituting the value $c\left(z\right)$ corresponding to the cost z appearing in ${\psi }_{co}$ is true.

Also, for any clock valuation $\nu \in {\mathcal{V}}_{\mathcal{X}}$ and any cost valuation $c\in {\mathcal{V}}_z$, $(\nu ,c)\vDash true$, where ${\mathcal{V}}_{\mathcal{X}}$ is the set of clock valuations, and ${\mathcal{V}}_z$ is the set of cost valuations.

The set of abstract predicates ${\mathsf{\Psi }}^l=\{{\psi }_1^l,\cdots ,{\psi }_n^l\}$ at location l is a mapping from a valuation pair $(\nu ,c)$ to a bit vector $b^l$ of length n. Let ${\mathsf{\Psi }}^{all}=\{{\mathsf{\Psi }}^{l_0}\cup \cdots \cup {\mathsf{\Psi }}^{l_k}\}$ be the set of abstraction predicates at all locations, then ${\mathsf{\Psi }}^{all}$ determines the abstraction function $\alpha$. The i-th element of $b^l$ is true if and only if ${\psi }^{l_p}(\nu ,c)$ is true at location l. Let us assume that bit vectors of length n in l are elements of the set $B_n^l$ and that $B_n^l$ is a function with domain $\{0,\cdots ,n-1\}$ and variational domain $\{0,1\}$. Also, let $\mathcal{B}$ be the set of bit vectors at all locations. The inverse image of $\alpha$ is the concretization function $\gamma$, which maps a bit vector $b^l$ to all clock evaluations such that ${\psi }_i^l$ is satisfied whenever the i-th element of the bit vector $b^l$ is true. Thus, the set of concrete states $(l,(\nu ,c\left)\right)$ is mapped to the abstract state $\alpha \left(\right(l,(\nu ,c)\left)\right)$ by the abstraction function $\alpha$, and the abstract state $(l,b^l)$ is mapped to the set of concrete states $\gamma \left((l,b^l)\right)$ by the concretization function $\gamma$.

Abstraction and concretization are defined as follows.

Definition 16

(Abstraction and concretization). Let $\mathcal{X}$ be a set of clocks, ${\mathcal{V}}_{\mathcal{X}}$ be a set of corresponding clock valuations, and ${\mathcal{V}}_{cost}$ be a set of cost valuations. Given a finite set of predicates ${\mathsf{\Psi }}^{all}=\{{\mathsf{\Psi }}^{l_0}\cup \cdots \cup {\mathsf{\Psi }}^{l_k}\}$, the abstraction function $\alpha :L\times {\mathcal{V}}_{\mathcal{X}}\times {\mathcal{V}}_{\mathcal{Z}}\to L\times \mathcal{B}$ is defined as follows.

$$\alpha \left((l,(\nu ,c))\right)\left(i\right)=(l,{\psi }_i(\nu ,c))$$

In short, an abstraction function takes a concrete state and returns an abstract state that is an overapproximation of it.

Also, the concretization function $\gamma :L\times \mathcal{B}\to L\times 2^{{\mathcal{V}}_{\mathcal{X}}}\times 2^{{\mathcal{V}}_{\mathcal{Z}}}$ is defined as follows.

$$\begin{array}{c}\hfill \gamma \left((l,b^l)\right)=\{(l,(\nu ,c))\in L\times {\mathcal{V}}_{\mathcal{X}}\times {\mathcal{V}}_{cost}\mid inv\left(l\right)\wedge {\displaystyle \underset{i=0}{\overset{n-1}{\bigwedge }}}{\psi }_i^l(\nu ,c)\equiv b^l\left(i\right)\}\end{array}$$

In short, a concretization function takes an abstract state and returns a concrete state, which is an underapproximation of the abstract state.

With respect to $\alpha ,\gamma$, the notation $\alpha \left(Q\right)=\{\alpha \left((l,(\nu ,c))\right)\mid (l,(\nu ,c))\in Q\},\gamma \left(Q^{♯}\right)=\{\gamma \left((l,b^l)\right)\mid (l,b^l)\in Q^{♯}\}$ is used. Here, the pair $(\alpha ,\gamma )$ of the abstraction function and concretization function forms a Galois connection. Also, $(l,b^l)\in Q^{♯}$ is a set of abstract states.

Definition 17

(Abstract structure). We construct an abstract structure ${\mathcal{M}}^{♯}=(Q^{♯},q_0^{♯},Step{s}^{♯})$ which is an overapproximation of the concrete structure $\mathcal{M}=(Q,q_0,Steps)$. The abstract structure ${\mathcal{M}}^{♯}$ consists of the following elements.

• $Q^{♯}=L\times \mathcal{B}$
• $q_0^{♯}=\alpha \left(q_0\right)$
• $Step{s}^{♯}\subseteq Q^{♯}\times Dist\left(Q^{♯}\right)$

$((l,b),{\mu }^{♯})\in Step{s}^{♯}$ is constructed on an abstract structure if and only if $\left(\right(l,(\nu ,c))\in \gamma ((l,b))$ such that $\left(\right(l,(\nu ,c)),\mu )\in Steps$ is on the concrete structure.

Here, let ${\mu }^{♯}$ be a probability distribution such that ${\mu }^{♯}\left((l^{\prime },b^{\prime })\right)=\mu \left((l^{\prime },({\nu }^{\prime },c))\right)$.

Unlike $Steps$, there is no definition of timed transition quantity in $Step{s}^{♯}$ to indicate that it is a timed transition. However, the probability distribution of $Step{s}^{♯}$ derived from the probability distribution ${\mu }_{♯}$ of showing timed transitions in $Steps$ is also noted as ${\mu }_{\perp }^{♯}$ to distinguish it.

Also, the path of ${\mathcal{M}}^{♯}$ is the following as well as the path of $\mathcal{M}$.

$${\omega }^{♯}=q_0^{♯}\stackrel{{\mu }_0(q_1^{♯},X_0)}{\to }{q}_1^{♯}\stackrel{{\mu }_1(q_2^{♯},X_1)}{\to }\cdots$$

4.2. Cost-Bounded Maximal Probability Reachability Analysis on Abstract Structure

The cost bound probability reachability analysis outputs “Not Reachable” if the system cannot reach the target state $(l_{target},(\nu ,c))$ with a probability greater than $\lambda$. If the system can reach the target state $(l_{target},(\nu ,c))$ with a probability greater than $\lambda$, the cost bound probability reachability analysis outputs “Reachable” and the path to that state (counterexample) is also output. The counterexample is given as the set ${\omega }^{♯}$ of paths from the initial state to the target state on the abstract structure.

From Definition 17, since transitions on abstract structures are overapproximations of transitions on concrete structures, all counterexamples on concrete structures are included in counterexamples on abstract structures, but the reverse is not necessarily true. In other words, it can happen that the behavior according to the counterexample ${\mathsf{\Omega }}^{♯}$ is not feasible on the concrete structure. Therefore, using the counterexample analysis method, we must determine whether the counterexamples obtained by cost-bounded maximal probability reachability analysis on the abstract structure exist on the concrete structure or not.

4.3. Counterexample Analysis Method

4.3.1. Preliminaries

In this subsection, we define the operation of the MP zone that computes the conditions for possible state transitions used in the counterexample analysis. This is an MP zone operation on $\mathcal{M}$ which, when making a timed transition or a discrete transition in a state contained in an MP zone, obtains an MP zone containing reachable states, or vice versa.

• $\mathsf{time}\_\mathsf{pre}/\mathsf{succ}$ operation: timed transition operation
  The $\mathsf{time}\_\mathsf{pre}$ operation calculates the MP zones that are available for timed transitions to a given MP zone. The $\mathsf{time}\_\mathsf{succ}$ operation calculates the MP zones from which timed transitions are possible from a given MP zone. Note that the $\mathsf{time}\_\mathsf{pre}/\mathsf{succ}$ operation is defined in Definition 8.
• $\mathsf{discrete}\_\mathsf{pre}/\mathsf{succ}$ operation: discrete transition operation
  The $\mathsf{discrete}\_\mathsf{pre}$ operation calculates the MP zones that can be transitioned to by discrete transitions to a certain MP zone. The $\mathsf{discrete}\_\mathsf{succ}$ operation calculates the MP zones that can be transitioned from a given MP zone by discrete transitions.

The $\mathsf{discrete}\_\mathsf{pre}/\mathsf{succ}$ operation on the probability transition relation $(l,g,h,\mu (l^{\prime },X))\in prob$ of $P^{2}TA$ is defined as follows using the Definition 8.

$$\begin{array}{ccc}& & \mathsf{discrete}\_\mathsf{succ}[M,g,X,h]=\mathsf{shift}\left[\mathsf{free}\right[M,X],h]\wedge g\hfill \\ & & \mathsf{discrete}\_\mathsf{pre}[M,g,X,h]=\mathsf{reset}\left[\mathsf{shift}\right[M,-h]\wedge g,X]\hfill \end{array}$$

4.3.2. Counterexample Analysis

Using the counterexample analysis method, we determine whether the counterexamples obtained by cost-bounded maximal probability reachability analysis on the abstract structure exist on the concrete structure or not. In the counterexample analysis, we first extract one element ${\omega }^{♯}$ of the counterexample ${\mathsf{\Omega }}^{♯}$. Next, a path counterexample analysis is performed to check whether the extracted counterexamples are executable on the corresponding real systems. This is repeated until ${\mathsf{\Omega }}^{♯}$ is empty, and then simultaneous execution counterexample analysis is performed to check whether the elements of those counterexamples can be executed according to the same adversary. In other words, a counterexample analysis consists of two parts: path counterexample analysis and simultaneous execution counterexample analysis.

Next, we explain path counterexample analysis.

(Path Counterexample Analysis)

First, we briefly explain the algorithm used in Path counterexample analysis as follows: This algorithm finds the target state by the $\mathsf{time}/\mathsf{discrete}\_\mathsf{pre}$ operation on the path ${\omega }^{♯}$, which is an element of the path set ${\mathsf{\Omega }}^{♯}$. Here, from $last\left({\omega }^{♯}\right)$ to the forward state, the starting condition $M_{i,{\omega }^{♯}}^{rea}$ and the arrival condition $M_{i,{\omega }^{♯}}^{dep}$ are obtained. We consider this path to be a counterexample if the starting condition $M_{i,{\omega }^{♯}}^{rea}$ is false.

First of all, we take one element ${\omega }^{♯}$ from the counterexample ${\mathsf{\Omega }}^{♯}$, and check whether the element of the counterexample is actually feasible on the corresponding model. Figure 2 is an overview of path counterexample analysis, where ${\omega }^{♯}\left(i\right)$ is the i-th abstract state of the counterexample, $M_{i,{\omega }^{♯}}^{rea}$ and $M_{i,{\omega }^{♯}}^{dep}$ are the starting and reaching conditions in the i-th abstract state, and q and $q^{\prime }$ are the concrete states corresponding to the starting and reaching conditions in the i-th abstract state, respectively. We verify that each path ${\omega }^{♯}$ obtained on the abstract structure $M^{♯}$ is feasible on the corresponding concrete structure $\mathcal{M}$. Specifically, using the backward counterexample analysis method, the starting and arrival conditions that can reach the target state from the end of the abstract path are obtained and verified by MP zone operations.

The algorithm for path counterexample analysis (Backward counterexample analysis) is shown in Algorithm 1.

Algorithm 1 Path counterexample analysis (Backward counterexample analysis)

1:  Input $P^{2}TA,{\mathsf{\Omega }}^{♯}$   2:  for ${\omega }^{♯}\in {\mathsf{\Omega }}^{♯}$ do   3:      $M_{|{\omega }^{♯}|,{\omega }^{♯}}^{rea}\leftarrow \mathit{Inv}\left(l_{|{\omega }^{♯}|,{\omega }^{♯}}\right)$   4:      for $i=|{\omega }^{♯}|-1,\cdots ,0$ do   5:          if ${\omega }^{♯}\left(i\right)\stackrel{{\mu }_{\perp }^{♯}}{\to }$ is a timed transition then   6:              $M_{i,{\omega }^{♯}}^{dep}\leftarrow \mathsf{time}\_\mathsf{pre}[M_{i+1,{\omega }^{♯}}^{rea},\dot{\$}\left(l_{i,{\omega }^{♯}}\right)]\wedge \mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i,{\omega }^{♯}}}$   7:              if $M_{i,{\omega }^{♯}}^{dep}=$ false then   8:                 return spurious $l_{i+1,{\omega }^{♯}},M_{i+1,{\omega }^{♯}}^{rea},$                  $\mathsf{time}\_\mathsf{pre}[\mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i,{\omega }^{♯}}},\dot{\$}\left(l_{i,{\omega }^{♯}}\right)]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i+1,{\omega }^{♯}}}$   9:              end if              /* discrete transition */ 10:          else 11:              $M_{i,{\omega }^{♯}}^{dep}\leftarrow \mathsf{discrete}\_\mathsf{pre}[M_{i+1,{\omega }^{♯}}^{rea},g_{i,{\omega }^{♯}},X_{i,{\omega }^{♯}},h_{i,{\omega }^{♯}}]\wedge \mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i,{\omega }^{♯}}}$ 12:              if $M_{i,{\omega }^{♯}}^{dep}=$ false then 13:                  return spurious $l_{i+1,{\omega }^{♯}},M_{i+1,{\omega }^{♯}}^{rea},$                  $\mathsf{discrete}\_\mathsf{pre}[\mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i,{\omega }^{♯}}},g_{i,{\omega }^{♯}},X_{i,{\omega }^{♯}},$                  $h_{i,{\omega }^{♯}}]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i+1,{\omega }^{♯}}}$ 14:              end if 15:          end if 16:         $M_{i,{\omega }^{♯}}^{rea}\leftarrow \mathsf{time}\_\mathsf{pre}[M_{i,{\omega }^{♯}}^{dep},\dot{\$}\left(l_{i,{\omega }^{♯}}\right)]\wedge \mathit{Inv}\left(l_{i,{\omega }^{♯}}\right)\wedge b^{i,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i,{\omega }^{♯}}}$ 17:      end for 18:      if $M_{0,{\omega }^{♯}}^{rea}\wedge M_0=$ false then 19:          return spurious $l_0,M_{0,{\omega }^{♯}}^{rea},M_0$ 20:      end if 21:  end for 22:  return exists, $M_{{\omega }^{♯}}^{rea},M_{{\omega }^{♯}}^{dep}$

This algorithm finds the target state by the $\mathsf{time}/\mathsf{discrete}\_\mathsf{pre}$ operation on the path ${\omega }^{♯}$ (line 2), which is an element of the path set ${\mathsf{\Omega }}^{♯}$ (line 1). Here, from $last\left({\omega }^{♯}\right)$ (line 3) to the forward state (line 4), the starting condition $M_{i,{\omega }^{♯}}^{rea}$ (line 3) and the arrival condition $M_{i,{\omega }^{♯}}^{dep}$ (line 6) are obtained. Note that the starting condition $M_{i,{\omega }^{♯}}^{rea}$ uses different MP zone operations depending on whether the transition from the previous state is a timed transition or a discrete transition (line 5–15).

(1)

If the starting condition $M_{i,{\omega }^{♯}}^{dep}$ is $false$ (line 7), we consider this path to be a false counterexample (line 8) and divide $M_{i+1,{\omega }^{♯}}^{rea}$ and the MP zone that can transition from $\omega \left(i\right)$ to $\omega (i+1)$.

(2)

Next, since it is considered that there are abstract and hidden timed transitions on the abstract state, we obtain the arrival condition $M_{i,{\omega }^{♯}}^{rep}$(line 16) by the $\mathsf{time}\_\mathsf{pre}$ operation.

Repeat (1) and (2) until the first state ${\omega }^{♯}\left(0\right)$ is obtained, and then check whether the arrival condition $M_{0,{\omega }^{♯}}^{rep}$ includes the initial state $M_0$ (line 18). If it is not included, it is judged as a false counterexample and outputs a predicate that separates the attainment condition $M_{0,{\omega }^{♯}}^{rep}$ and the initial state $M_0$ (line 19). If it is confirmed that the initial state is reached on any path, output the arrival and departure conditions $M_{{\omega }^{♯}}^{rea},M_{{\omega }^{♯}}^{dep}$ for each state that exists and all ${\omega }^{♯}\in {\mathsf{\Omega }}^{♯}$ (line 22).

Next, we proceed to simultaneous execution of the counterexample analysis.

(Simultaneous Execution Counterexample Analysis)

First, we briefly explain the algorithm used in simultaneous execution counterexample analysis as follows: This algorithm takes as input the set of arrival conditions $M_{{\omega }^{♯}}^{rea}$ and the set of departure conditions $M_{{\omega }^{♯}}^{dep}$ for each element ${\omega }^{♯}$ in the path set obtained in Algorithm 1 and finds the MP zones that can be reached by these paths simultaneously via a forward search from the initial state.

If the counterexample ${\mathsf{\Omega }}^{♯}$ is empty in Path Counterexample Analysis, we verify whether the analyzed counterexamples can be executed simultaneously under the same adversary condition. For a given state on the concrete structure, the choice between timed transitions and discrete transitions is non-deterministic. In this case, the nondeterminism is resolved by providing an adversary, resulting in a path that is a sequence-of-state transition. On the other hand, since time is abstracted on the abstract structure, abstract paths included in the abstract counterexamples obtained by the reachability analysis may not be executed simultaneously on the concrete structure. Therefore, in this stage of simultaneous execution counterexample analysis, we check that the adversaries are identical for the obtained counterexamples. Figure 3 is an overview of the procedure for obtaining arrival and departure conditions in simultaneous execution counterexample analysis, where ${\omega }^{♯},{{\omega }^{♯}}^{\prime }$ are elements of different counterexamples. When the common part of these paths up to the i-th path is equal, by the product of the arrival condition $M_{i,{\omega }^{♯}}^{rea},M_{i,{{\omega }^{♯}}^{\prime }}^{rea}$ and the departure condition $M_{i,{\omega }^{♯}}^{dep},M_{i,{{\omega }^{♯}}^{\prime }}^{dep}$ and the starting condition $M_{i,{{\omega }^{♯}}^{\prime }}^{dep}$, we obtain the set of states that can be executed simultaneously from the forward.

The algorithm for simultaneous execution counterexample analysis (forward counterexample analysis) is shown in Algorithm 2.

This algorithm takes as input the set of arrival conditions $M_{{\omega }^{♯}}^{rea}$ and the set of departure conditions $M_{{\omega }^{♯}}^{dep}$ for each element ${\omega }^{♯}$ in the path set obtained in Algorithm 1 (line 1), and finds the MP zones that can be reached by these paths simultaneously via a forward search from the initial state.

(1)

First, we take one path $Pat{h}^{{\omega }^{♯}}$ from the set $Pat{h}_{fin}^{♯}$ that has the common part of all paths and perform assignments true to its starting condition $M_{{\omega }^{♯}}^{dep}$ and reaching condition $M_{{\omega }^{♯}}^{rea}$, which are initialized by assigning true (line 2–4). Let $M_0$ be the initial condition of arrival (line 6).

(2)

Next, starting from the one with the smallest length of the common part $C_{{\mathsf{\Omega }}_{max}}$ (line 7), the arrival and departure conditions are sequentially obtained.

(a)

In the reachability condition, for each path ${\omega }^{♯}$ of the candidate counterexamples (line 8), we take the product of the reachability condition of the common part $M_{{\omega }_{i-th}^{♯}}^{rea}$ and the reachability condition of that path $M_{i,{\omega }^{♯}}^{rea}$, which is the arrival condition of the path (line 10).

(a-1)

If the product is false, it is a false counterexample because it indicates that there is no common path on the timed probability system and outputs a predicate that splits $M_{{\omega }_{i-th}^{♯}}^{rea}$ and $M_{i,{\omega }^{♯}}^{rea}$ (line 11).

(a-2)

If the products not false, this product is newly set as the arrival condition of the common part $M_{{\omega }_{i-th}^{♯}}^{rea}$ (line 13), and then the time-transferable starting condition is obtained from this arrival condition (line 14).

(b)

Next, for each path ${\omega }^{♯}$ of the candidate counterexamples (line 17), we similarly take the product of the starting condition of the common part $M_{{\omega }_{i-th}^{♯}}^{dep}$ and the starting condition of that path $M_{i,\omega M^{♯}}^{dep}$, which is the starting condition of the path (line 19).

(b-1)

If the product is false, we similarly judge it to be a false counterexample and output the predicate that splits $M_{{\omega }_{i-th}^{♯}}^{dep}$ and $M_{i,{\omega }^{♯}}^{dep}$ (line 20).

(b-2)

If the product is not false, this product is the new starting condition for the common part $M_{{\omega }_{i-th}^{♯}}^{dep}$ (line 22). Furthermore, from these starting conditions, we obtain the arrival conditions under which timed transitions and discrete transitions are possible (line 23–26). If the arrival and departure conditions are not false for all common parts, we can say that all paths can be executed by at least one adversary. In other words, we can say that the counterexample exists, so the “Reachable”, which is the solution of exists and verification, is output (line 31), and the verification is terminated.

4.4. Refinement

When a false counterexample is determined by the counterexample analysis, the abstract state is refined by adding a predicate so that the counterexample does not exist. The information necessary for the refinement is obtained from the result of the previous stage of the counterexample analysis.

4.4.1. Path Counterexample Analysis

In the path counterexample analysis, a counterexample is a false counterexample if the path ${\omega }^{♯}$ that is an element of the counterexample ${\mathsf{\Omega }}^{♯}$ is not executable on the concrete structure $\mathcal{M}$. In other words, this means that there is no path corresponding to the abstract path ${\omega }^{♯}$ on the concrete structure. In this case, the transition $q\to q^{\prime }$ on the concrete structure corresponding to at least one transition $q_i^{♯}\to q_{i+1}^{♯}$ in ${\omega }^{♯}$ is non-transitionable because the transistibility or invariance condition in $q^{\prime }$ is not transitive because it does not satisfy either the transitivity condition or the invariance condition on $q^{\prime }$. However, on the abstract structure, it is feasible from the reachability analysis. This happens because the transitionable and non-transitionable states of a location are equated by abstraction. Therefore, by splitting the abstract state into two states that are transitive and non-transitive by predicates, the counterexample becomes infeasible. The predicate that divides this state is chosen from the zone at q, and the transitivity condition, or the invariance condition at $q^{\prime }$. An overview of refinement by path counterexample analysis is shown in Figure 4, where $q_i^{♯},q_{i+1}^{♯}$ are abstract states with transitions that cannot be executed by real operation obtained by path counterexample analysis, $\mathsf{discrete}/\mathsf{time}\_\mathsf{succ}(b^{i,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i,{\omega }^{♯}}})$ are the reachable states on the abstract state and the starting and reaching conditions obtained by path counterexample analysis, respectively, $\psi$ is the predicate that divides them.

Algorithm 2 Simultaneous execution counterexample analysis (forward counterexample analysis)

1:  Input $P^{2}TA,{\mathsf{\Omega }}^{♯},Pat{h}_{fin}^{♯},M_{{\mathsf{\Omega }}^{♯}}^{rea},M_{{\mathsf{\Omega }}^{♯}}^{dep}$   2:  for ${\omega }^{♯}\in {\mathit{Path}}_{fin}^{♯}$ do   3:      $M_{{\omega }^{♯}}^{rea}\leftarrow$ true   4:      $M_{{\omega }^{♯}}^{dep}\leftarrow$ true   5:  end for   6:  $M_{{\omega }^{♯}=q_0}^{dep}\leftarrow M_0$   7:  for $(i=0,\cdots ,C_{{\mathsf{\Omega }}_{max}})$ do   8:      for ${\omega }^{♯}\in {\mathsf{\Omega }}^{♯}$ do   9:          if $|{\omega }^{♯}|>i$ then 10:              if $M_{{\omega }_{i-th}^{♯}}^{rea}\wedge M_{i,{\omega }^{♯}}^{rea}=$ false then 11:                  return spurious $l_{i,\omega },M_{{\omega }_{i-th}^{♯}}^{rea},M_{i,{\omega }^{♯}}^{rea}$ 12:              end if 13:              $M_{{\omega }_{i-th}^{♯}}^{rea}\leftarrow M_{{\omega }_{i-th}^{♯}}^{rea}\wedge M_{i,{\omega }^{♯}}^{rea}$ 14:              $M_{{\omega }_{i-th}^{♯}}^{dep}\leftarrow \mathsf{time}\_\mathsf{pre}[M_{{\omega }_{i-th}^{♯}}^{dep}]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i+1,{\omega }^{♯}}}$ 15:          end if 16:     end for 17:     for ${\omega }^{♯}\in {\mathsf{\Omega }}^{♯}$ do 18:         if $|{\omega }^{♯}|>i$ then 19:             if $M_{{\omega }_{i-th}^{♯}}^{dep}\wedge M_{i,{\omega }^{♯}}^{dep}=$ false then 20:                 return spurious $l_{i,\omega },M_{{\omega }_{i-th}^{♯}}^{dep},M_{i,{\omega }^{♯}}^{dep}$ 21:             end if 22:             $M_{{\omega }_{i-th}^{♯}}^{dep}\leftarrow M_{{\omega }_{i-th}^{♯}}^{dep}\wedge M_{i,{\omega }^{♯}}^{dep}$ 23:             if ${\omega }^{♯}\left(i\right)\stackrel{{\mu }_{\perp }^{♯}}{\to }$ is a timed transition then 24:                 $M_{{\omega }_{(i+1)-th}^{♯}}^{rea}\leftarrow \mathsf{time}\_\mathsf{pre}[M_{{\omega }_{i-th}^{♯}}^{dep}]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i+1,{\omega }^{♯}}}$ 25:             else 26:                 $M_{{\omega }_{(i+1)-th}^{♯}}^{rea}\leftarrow \mathsf{discrete}\_\mathsf{pre}[M_{{\omega }_{i-th}^{♯}}^{dep},{\zeta }_{i,{\omega }^{♯}}^g,X_{i,{\omega }^{♯}}]\wedge \mathit{Inv}\left(l_{i+1,{\omega }^{♯}}\right)\wedge b^{i+1,{\omega }^{♯}}{\mathsf{\Psi }}^{l_{i+1,{\omega }^{♯}}}$ 27:             end if 28:          end if 29:      end for 30:  end for 31:  return exists, “Reachable”

4.4.2. Simultaneous Execution Counterexample Analysis

When a false counterexample is found in simultaneous execution counterexample analysis, it means that a different destination is chosen for an abstract state $q^{♯}$ with arbitrary simultaneous executed paths. In other words, different timed and discrete transitions are taking place in a given state. Thus, splitting $q^{♯}$ into two parts with respect to timed transitions makes timed transitions and discrete transitions noncompetitive. Therefore, we add a time condition indicating this boundary as a predicate. An overview of refinement by simultaneous execution counterexample analysis is shown in Figure 5, where ${\omega }^{♯},{{\omega }^{♯}}^{\prime }$ is any simultaneous execution path, $q^{♯}$ is the abstract state shown to be incapable of simultaneous execution in simultaneous execution counterexample analysis, $\psi$ is a predicate that can split them, and ${q^{♯}}^{″},{q^{♯}}^{″}$ are the states divided by the predicate $\psi$.

In the new abstract structure with the added predicate, the previous false counterexample becomes infeasible. Thus, by repeating this process, we can finally construct an abstract structure that can compute the correct probability.

5. Priced Probabilistic Timed CEGAR

5.1. Overview

The CEGAR framework [4,5] automatically adapts predicate abstraction and refinement by counterexample. In this section, we describe the operation of priced probabilistic timed CEGAR, which is an extension of CEGAR for the purpose of verifying a priced probabilistic timed automaton. Reachability analysis by priced probabilistic timed CEGAR building on the work of the previous section is shown in Figure 6.

• Initial Abstraction:
  From a priced probabilistic timed automaton $P^{2}TA$ and a verification problem $\mathit{Problem}$, we construct a timed probabilistic system $\mathcal{M}$ and an initial predicate set ${\mathsf{\Psi }}^{init}$, from which we construct an initial abstract structure ${\mathcal{M}}_{{\mathsf{\Psi }}^{init}Ps{i}^{init}}^{♯}$ from them.
• Reachability Analysis:
  Compute the maximum reachability probability to the target state on ${\mathcal{M}}_{\mathsf{\Psi }}^{♯}$.
• Counterexample Analysis:
  For each element of the counterexample ${\mathsf{\Omega }}_{smallest}^{♯}$ that has reached the target state by 2. reachability analysis, analyze whether it is reachable on the concrete structure $\mathcal{M}$ by path counterexample analysis and simultaneous execution counterexample analysis.
• Refinement:
  From the results of 3. Counterexample Analysis, we obtain a set of predicates ${\mathsf{\Psi }}^{new}$ that partitions the abstract state so that there are no counterexamples obtained by 2. Reachability Analysis.
• Abstraction:
  From the set of predicates ${\mathsf{\Psi }}^{\prime }=\mathsf{\Psi }\cup {\mathsf{\Psi }}^{new}$ to which the predicate is added, we obtain a new abstract structure ${\mathcal{M}}_{{\mathsf{\Psi }}^{\prime }}^{♯}$.
• Return to 2. Reachability Analysis.

By repeating this loop, the system determines whether it will “Reach” or “Not Reach” the target state. In the case of “Reach,” a concrete path to the target state is provided, and this information can be used to modify and improve the system specification.

As shown in Figure 6, CEGAR stands for counterexample-guided abstraction refinement, and it operates in a loop consisting of abstraction, reachability analysis, counterexample checking, and refinement. When a property fails on the abstract model, if the counterexample is executable on the concrete model, we know there is a real bug; if it is not executable, we conclude that the abstraction is too coarse. In other words, if there are no counterexamples, the error metric is reached; if there are counterexamples, the model is refined and the reachability analysis is performed. This process is repeated until the model is ultimately refined back to its original form.

5.2. Verification Example by Priced Probabilistic Timed CEGAR

In WSNs, from a practical standpoint, the cost of reaching the target location and the probability of doing so are critical. We model a sensor node ${\mathcal{M}}_{nod{e}_i}$ shown in Figure 7. The following is an example of verification in the WSNs model $\mathcal{M}$ for n = 3 shown in Figure 8. We will verify whether the target location can be reached with a probability greater than a certain threshold cost within three hops. Here, the verification problem is $(l_5,\lambda =0.01,\kappa =30)$. Using the verification problem, we verify whether there will be no path in the abstract structure that reaches the target location $L_5$ with a probability greater than $\kappa =30$ and a probability greater than $\lambda =0.01$ of reaching the target.

In this subsection, we show the verification procedure of priced probabilistic timed CEGAR through an example. The verification example is an n-point hop wireless sensor network composed of n sensor nodes ${\mathcal{M}}_{nod{e}_i}$ shown in Figure 7. The behavior of this WSN is as follows: In normal operation, it is active and senses the surrounding environment. When it receives an external event, it moves to the sending state, which notifies surrounding sensor nodes of the detection of the event. At this time, sensor nodes communicate wirelessly. Wireless communication is probabilistic, and communication succeeds with probability p. Also, regardless of the outcome of the communication, the cumulative cost increases by $d^{\alpha }$ as the transmission cost, where d is the Euclidean distance between nodes and $\alpha$ is the communication channel characteristic, which is between one and six [9]. If the communication is successful, the node is put into a dormant sleep state, and if it fails, the node loops back to the sending state and retransmits the message. If the accumulated cost since startup in any of the non-sleep states becomes larger than $\kappa$, the system moves to the exhaust state, indicating that the system is down.

Example 2

(Verification example). First of all, locations in the set of target locations are initially abstracted by the predicate $z>\kappa$, which consists of the target cost κ. Otherwise, initial abstraction is performed according to the initial predicate set ${\mathsf{\Psi }}^{init}$ whose origin is all $true$. Next, for the obtained abstract structure ${\mathcal{M}}^{♯}$, we perform a probability reachability analysis with target probability λ. As a result, we obtain $(A^{♯},{\omega }^{♯})$ as a candidate counterexample. We select the smallest counterexample ${\mathsf{\Omega }}_{smallest}^{♯}$ from this candidate counterexample. The element of ${\mathsf{\Omega }}_{smallest}^{♯}$ consists only of ${\omega }^{♯}=l_0\to l_5$. A counterexample analysis is performed for this counterexample. This is judged to be infeasible on the concrete structure because it cannot return to the initial state $(l_0,({\nu }_0,c_0))$ in path counterexample analysis. Therefore, we refine abstract structure ${\mathcal{M}}^{♯}$ by splitting the abstract state $l_0$ using the predicate ${\psi }_{l_0}=z\le 28+4x_1$, and again construct abstract structure ${\mathcal{M}}^{\prime ♯}$ in Figure 9. As a result, the abstract state $L_5$ is unreachable on this counterexample, so this counterexample is excluded from the candidate counterexamples.

As described above, by following the verification procedure according to the costed probability time CEGAR, there will be no path in the abstract structure that reaches the target location $L_5$ with a probability greater than $\kappa =30$ and a probability greater than $\lambda =0.01$ of reaching the target. In other words, the result is “Not Reachable”. Therefore, this model is “Yes Reachable” for the Cost-bounded probability reachability problem $(l_4,1-\lambda =0.99,\kappa =30)$.

5.3. Empirical Experiments and Discussions

In this subsection, we present the results and discussion on the empirical experiments conducted by implementing the priced probabilistic timed CEGAR verification algorithm.

The verification prototype program was implemented by Mathematica 6. The properties of the verification machine are as follows: 32-bit Microsoft Windows Vista Business Service Pack 1 OS, Intel Xeon CPU 5160 3.00 GHz and 2.99 GHz processors. The memory is 4.00 GB.

The model of verification is a WSN with four sensor nodes and three point hops and the verification problem is $(l^{error},\lambda =0.3,\kappa =32)$. The experimental result shows that the verification was completed with 22 CEGAR loops and 66 states in Figure 10 and Figure 11.

• From Figure 10, it can be seen that the computation time and the memory used for verification increase exponentially with the number of CEGAR verification loops. The exponential increase may be due to the effect of the quantifier elimination ([19]) used in the implementation of the state set operation.
• Also, from Figure 11, the number of states shows a linear increase. Considering that the number of states of the finite state graph equivalent to the priced-removed probabilistic timed automaton is $4^3=64$, which is multiplied by the number of states of the priced-added probabilistic timed automaton, the effect of state reduction is considered sufficient.

On the other hand, the Fortuna Model Checker is the first tool for model checking priced probabilistic timed automata [12]. Fortuna is able to compute the maximal probability by which a state can be reached under a certain cost-bound and time-bound. Fortuna uses a number of crucial optimizations on that algorithm. Fortuna depends on a number of external libraries. The external libraries are the following:

• The BOOST C++ Libraries. Fortuna only depends on header files from BOOST.
• The Parma Polyhedra Library (PPL version 0.10). A pre-compiled version is available for Linux.
• The GNU Multiple Precision Arithmetic Library, libraries gmp and gmpxx. These libraries are already installed on standard Linux distributions. They are needed only by PPL.
• The lp solve library version 5.5.

The Fortuna Model Checker is expected to be more efficient than our priced probabilistic timed CEGAR, since the verification prototype program was implemented by Mathematica 6. But our priced probabilistic timed CEGAR is a milestone for the CEGAR model checking for priced probabilistic timed automata, and the future is promising.

5.4. Discussion of Theoretical Aspects

In the behavior of a priced probabilistic timed automaton, when there is a self-loop that transitions to the same state, it is difficult to solve a cost-bounded maximal probability reachability problem that requires the behavior to be investigated, since there may be an infinite number of paths that can be used to reach the target state [13]. It is known that the probability reachability problem can be verified by examining a finite number of paths by restricting the problem of reachability from ≤ to the form > [18]. In this paper, we define a cost-bounded probability reachability problem that can be verified with finite numbers by adding a cost bound such as >. By repeating these loops from 1 to 6 in Section 5.1, the verification system can determine whether it is able to “Reach” or “Not Reach” the target state, and the verification halts within a finite amount of time. In the case of “Reach,” a concrete path to the target state is given, and this information can be used to modify and improve the system specification.

6. Conclusions

In this paper, we focus on priced probabilistic timed automaton [3] as a specification description language and propose priced probabilistic timed CEGAR using abstraction refinement [4,5] in order to reduce the state explosion. To the best of our knowledge, this paper is the first CEGAR development and implementation of a priced probabilistic timed automaton. The verification prototype program was implemented by Mathematica 6.

Although a priced probabilistic timed automaton is an important model for representing cost, probability, and time, it is also a complex model, and reducing the number of states through model checking is challenging; to the best of our knowledge, no such solution exists. To reduce the number of states, we focus on CEGAR—a framework that simplifies complex models to enable model checking—and develop an innovative model-checking method to verify that the prototype functions correctly on a computer. However, although we were unable to demonstrate its performance due to the mathematics-based prototype, we were able to grasp the characteristics of model checking using CEGAR, a priced probabilistic timed automaton.

Using a wireless sensor network [9] with time, cost, and probabilistic behavior as a case study, we propose and demonstrate the effectiveness of a reachability analysis method using priced probabilistic timed CEGAR to reduce the state explosion. For sensor nodes, which are the components of WSNs, there are physical quantities such as time and cost, as well as probabilistic behaviors, which can be described and verified using a priced probabilistic timed automaton. Through verification experiments, we found that the computation time and the memory used for verification increased exponentially with the number of CEGAR verification loops, and the number of states showed a linear increase. The exponential increase may be due to the effect of the quantifier elimination ([19]) used in the implementation of the state set operation. As for the linear increase in the number of states, the effect of state reduction is considered sufficient.

Due to the limitations of Mathematica 6, further experimentation was not possible, so an implementation of priced probabilistic timed CEGAR in the c language is underway as an ongoing study. This paper is innovative and significant as a milestone in the development of an extension of CEGAR to priced probabilistic timed automata. The proposal in this paper has been prototyped in Mathematica to understand its characteristics. Fortuna, the only existing symbolic model checker, is implemented in C++ and uses high-performance libraries. Developing a full-fledged tool such as the symbolic model checker Fortuna remains an unaddressed challenge and will be described in a future paper.