Section: New Results

Fundamental results and algorithms: communication with messages and scenarios

Participants : Loïc Hélouët, Rouwaida Abdallah, Claude Jard, Blaise Genest, Sundararaman Akshay.

In this section, we collect our fundamental results on the models and algorithms we use for communicating systems, and in particular for scenarios.

A major challenge with models of message-passing systems (e.g. scenarios) is to identify classes of models that let users easily specify complex distributed systems while preserving the decidability of key problems such as diagnosis, language equality and intersection. When these problems are decidable for a class, the second challenge is to design algorithms whose complexity is low enough to allow implementation in real cases.

The first part of our work is the study of Time-Constrained MSC graphs (TC-MSC graphs for short). Time-constrained MSCs (TC-MSCs) are simply MSCs decorated with constraints on the respective occurrence dates of events. The semantics of a TC-MSC T is a set of dated MSCs, that is, MSCs in which every event is associated with an occurrence date. For a given TC-MSC T, the set L(T) of dated MSCs satisfying its constraints may be infinite. Note however that some time constraints in a TC-MSC may not be satisfiable, in which case L(T) is simply empty. TC-MSCs can be extended with composition mechanisms such as TC-MSC graphs, which are simply automata whose transitions are labeled by TC-MSCs. Each path ρ of a TC-MSC graph G is associated with a TC-MSC $T_\rho$ obtained by concatenating the TC-MSCs along ρ. The language of G, $L(G) = \bigcup_{\rho \text{ path of } G} L(T_\rho)$, is then the union of the dated MSCs associated with all paths of G. Because of inconsistent timing constraints, some paths may have no realization at all (i.e. $L(T_\rho) = \emptyset$). One can even design a TC-MSC graph G such that $L(G) = \emptyset$; such a TC-MSC graph is clearly inconsistent. It has been shown [49] that checking whether $L(G) = \emptyset$ is undecidable in general, but decidable for the restricted subclass of regular TC-MSC graphs (which have the expressive power of event-count timed automata). We have proposed two restrictions under which emptiness becomes decidable. The first one is K-drift boundedness: for a fixed integer K, every $T_\rho$ must have a dated realization in which, for every pair of events e, f appearing in the same transition of G, the dates of e and f differ by at most K. We have shown that K-drift boundedness can be decided symbolically and efficiently, and that emptiness is decidable for K-drift bounded TC-MSC graphs. This extends decidability results beyond regular specifications.
The second restriction is K-non-zenoness: for a fixed K, every path ρ of G must have a realization in which, for every date d, at most K events occur between dates d and d+1. When a TC-MSC graph is A-drift bounded and B-non-zeno for some integers A and B, L(G) has a regular set of representatives, which opens the way to more involved model-checking applications [10]. We then succeeded in using a different technique, a symbolic encoding of the configuration reached. It removes the K-non-zenoness restriction, does not rely on the seminal 1994 result of Alur and Dill on timed automata, and yields a true partial-order algorithm that does not need to consider the different interleavings of the same execution [18].
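To make the emptiness and drift questions concrete, the following Python script is an added example (it is not code from the team or from the papers cited above). It assumes a simple encoding of a TC-MSC as events on processes, messages, and interval constraints lo ≤ date(f) − date(e) ≤ hi, with causal order encoded as a constraint with lower bound 0 and no upper bound. Under that encoding, L(T) is non-empty iff the difference-constraint graph has no negative cycle, which a Bellman-Ford pass detects; adding |date(e) − date(f)| ≤ K for events of the same node turns the same check into a K-drift test for one fixed path. The symbolic decision over all paths of a TC-MSC graph described above is not reproduced here, and the sample TC-MSCs T1, T2 and T_BAD are constructed for the example.

```python
"""Difference-constraint checks for time-constrained MSCs (added example).

Assumed encoding: a TC-MSC has events placed on processes, messages, and
interval constraints lo <= date(f) - date(e) <= hi.  Causal order (process
order, send before receive, and the per-process sequencing added when
TC-MSCs are concatenated along a path) is the constraint 0 <= diff <= INF.
A dated realisation exists iff the difference-constraint graph has no
negative cycle, which Bellman-Ford detects.
"""
from itertools import combinations

INF = float("inf")


def tc_msc(name, events, messages, timing=()):
    """events: [(event, process)] in per-process execution order;
    messages: [(send, receive)]; timing: [(e, f, lo, hi)]."""
    by_proc = {}
    for e, p in events:
        by_proc.setdefault(p, []).append(e)
    cons = [(a, b, 0, INF) for evs in by_proc.values() for a, b in zip(evs, evs[1:])]
    cons += [(s, r, 0, INF) for s, r in messages]
    cons += list(timing)
    return {"name": name, "events": list(events), "constraints": cons,
            "blocks": [[e for e, _ in events]]}


def concat(path):
    """T_rho for a path: events are prefixed by their position on the path and,
    on each process, the last event of node i precedes the first event of node i+1."""
    events, cons, blocks, last_on = [], [], [], {}
    for i, t in enumerate(path):
        ren = {e: f"{i}.{e}" for e, _ in t["events"]}
        first_on = {}
        for e, p in t["events"]:
            events.append((ren[e], p))
            first_on.setdefault(p, ren[e])
        cons += [(ren[e], ren[f], lo, hi) for e, f, lo, hi in t["constraints"]]
        cons += [(last_on[p], e, 0, INF) for p, e in first_on.items() if p in last_on]
        for e, p in t["events"]:
            last_on[p] = ren[e]
        blocks.append([ren[e] for e, _ in t["events"]])
    return {"name": "+".join(t["name"] for t in path), "events": events,
            "constraints": cons, "blocks": blocks}


def realization(t, extra=()):
    """One dated realisation of t under its constraints plus `extra`
    (earliest event at date 0), or None when L(t) is empty."""
    nodes = [e for e, _ in t["events"]]
    edges = []  # (u, v, w) encodes date(v) - date(u) <= w
    for e, f, lo, hi in list(t["constraints"]) + list(extra):
        if hi != INF:
            edges.append((e, f, hi))
        if lo != -INF:
            edges.append((f, e, -lo))
    dist = {n: 0.0 for n in nodes}  # virtual source with 0-weight edges to all events
    for _ in range(len(nodes)):
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v] = dist[u] + w
    if any(dist[u] + w < dist[v] for u, v, w in edges):
        return None  # negative cycle: the constraints contradict each other
    shift = -min(dist.values())  # shifting all dates preserves every difference
    return {n: d + shift for n, d in dist.items()}


def is_empty(t):
    return realization(t) is None


def k_drift_bounded_path(path, k):
    """Fixed-path version of K-drift boundedness: does T_rho admit a realisation
    in which events of the same node are at most k apart?  (Deciding this over
    all paths of a graph is the symbolic construction of the papers, not done here.)"""
    t = concat(path)
    drift = [(e, f, -k, k) for blk in t["blocks"] for e, f in combinations(blk, 2)]
    return realization(t, drift) is not None


# Constructed sample TC-MSCs: a message takes between 2 and 5 time units.
T1 = tc_msc("T1", [("s1", "p"), ("r1", "q")], [("s1", "r1")], [("s1", "r1", 2, 5)])
T2 = tc_msc("T2", [("s2", "q"), ("r2", "p")], [("s2", "r2")], [("s2", "r2", 2, 5)])
# Inconsistent: p wants the reply within 3 units, but two delays of >= 2 are needed.
T_BAD = tc_msc("T_BAD", [("s1", "p"), ("r2", "p"), ("r1", "q"), ("s2", "q")],
               [("s1", "r1"), ("s2", "r2")],
               [("s1", "r1", 2, 5), ("s2", "r2", 2, 5), ("s1", "r2", 0, 3)])

if __name__ == "__main__":
    print("L(T1) empty:", is_empty(T1), "->", realization(T1))
    print("L(T_BAD) empty:", is_empty(T_BAD))
    print("path T1.T2:", realization(concat([T1, T2])))
    for k in (1, 2):
        print(f"{k}-drift bounded path T1.T2:", k_drift_bounded_path([T1, T2], k))
```

Running the script shows T1 realised at dates s1=0, r1=2, the path T1.T2 realised at 0, 2, 2, 4, T_BAD with an empty language (the cycle of constraints sums to −1), and the path T1.T2 being 2-drift bounded but not 1-drift bounded, since each message needs at least 2 time units.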

The second part of our work is the study of realistic implementations of scenarios. The main idea is to propose distributed implementations (communicating state machines) of High-level MSCs (HMSCs) that do not contain deadlocks and behave exactly as the original specification. It is well known [51] that simply projecting an HMSC onto each of its processes to obtain communicating finite state machines yields an implementation with more behaviors than the original specification. An implementation of an HMSC H is considered consistent if and only if it exhibits the same prefix-closed set of behaviors as H. We have proposed an implementation solution that uses local controllers to keep the synthesized distributed behavior consistent with the original specification. This work has been implemented in our scenario prototype (see the Software section). The synthesis algorithm is consistent for a particular syntactic class of scenarios, namely local HMSCs. This work was accepted for publication in [14].
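The syntactic class the synthesis relies on can be checked mechanically. The following Python script is an added example, not code from the team's prototype or from [14], and it assumes the usual definition of a local choice, which the page does not restate: a choice node (a node with several outgoing MSCs, each assumed non-empty) is local when all minimal events of all MSCs leaving it lie on a single process, so that one process alone decides which branch is taken. The two sample HMSCs NON_LOCAL and LOCAL are constructed for the example; at the non-local choice, the projections of p and q may each start a different branch, which is where the extra behaviors of a naive projection come from.

```python
"""Local-choice check for an HMSC (added example, not the page's own code).

Assumed definition: a choice node of an HMSC (several outgoing MSCs) is
local when all minimal events of all MSCs leaving it lie on one and the same
process.  Each transition is assumed to carry a non-empty MSC.
"""


def minimal_processes(msc):
    """Processes owning the minimal events of an MSC.
    msc: {"events": [(event, process)] in per-process order,
          "messages": [(send, receive)]}.
    A minimal event is the first event of its process that is not a receive
    (a receive is preceded by its send, which belongs to the same MSC)."""
    receives = {r for _, r in msc["messages"]}
    first_seen, procs = set(), set()
    for e, p in msc["events"]:
        if p in first_seen:
            continue
        first_seen.add(p)
        if e not in receives:
            procs.add(p)
    return procs


def non_local_choices(hmsc):
    """{node: processes that may start a branch} for every choice node whose
    outgoing MSCs do not all start on one and the same process.
    hmsc: {"initial": node, "edges": [(src, dst, msc)]}."""
    starters, out_degree = {}, {}
    for src, _, msc in hmsc["edges"]:
        out_degree[src] = out_degree.get(src, 0) + 1
        starters.setdefault(src, set()).update(minimal_processes(msc))
    return {n: ps for n, ps in starters.items()
            if out_degree[n] > 1 and len(ps) != 1}


def is_local(hmsc):
    """True iff every choice of the HMSC is decided by a single process."""
    return not non_local_choices(hmsc)


def msg(send_proc, recv_proc, label):
    """Constructed one-message MSC: send_proc sends `label` to recv_proc."""
    s, r = f"!{label}", f"?{label}"
    return {"events": [(s, send_proc), (r, recv_proc)], "messages": [(s, r)]}


# Constructed samples.  NON_LOCAL: at n0 either p sends a to q or q sends b
# to p; the projected automata of p and q may each pick a different branch.
NON_LOCAL = {"initial": "n0",
             "edges": [("n0", "n1", msg("p", "q", "a")),
                       ("n0", "n2", msg("q", "p", "b")),
                       ("n1", "n0", msg("q", "p", "ack")),
                       ("n2", "n0", msg("p", "q", "ack"))]}
# LOCAL: both branches at n0 start with an event of p, so p decides alone.
LOCAL = {"initial": "n0",
         "edges": [("n0", "n1", msg("p", "q", "a")),
                   ("n0", "n2", msg("p", "q", "c")),
                   ("n1", "n0", msg("q", "p", "ack")),
                   ("n2", "n0", msg("q", "p", "ack"))]}

if __name__ == "__main__":
    print("NON_LOCAL is local:", is_local(NON_LOCAL), non_local_choices(NON_LOCAL))
    print("LOCAL is local:", is_local(LOCAL))
```

For NON_LOCAL the check reports node n0 with starters {p, q}: after projection, p may send a while q simultaneously sends b, a prefix that no path of the HMSC allows, which is exactly the kind of divergence the local controllers are there to prevent. LOCAL passes, since p starts both branches.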