Research Article Compositional Abstraction Refinement for ...of state explosion in concurrent model...

Research ArticleCompositional Abstraction Refinement forComponent-Based Systems

Lianyi Zhang Qingdi Meng and Kueiming Lo

School of Software Tsinghua University Beijing 100084 China

Correspondence should be addressed to Lianyi Zhang lyzhang117gmailcom

Received 14 March 2014 Accepted 9 May 2014 Published 11 June 2014

Academic Editor Xiaoyu Song

Copyright copy 2014 Lianyi Zhang et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

The efficiency of the compositional verification of invariants depends on the abstraction which may lead to verificationincompleteness The invariant strengthening and state partitioning techniques are proposed in this paper The former could refinethe overapproximation by removing the unreachable states and the latter is a variant of counterexample-guided abstractionrefinement Integrated with these two refinement techniques a unified compositional verification framework is presented tostrengthen the abstraction and find counterexamples Some examples are included to show that the verification of the safetyproperties in component-based systems has been achieved by our framework

1 Introduction

A component-based system is made up of several compo-nents using a set of glue (interactions) that describes thecoordination between components [1] Some componentslike program processes contain local data and control infor-mation to determine their own behaviors and their inter-actions represent the communication between componentsComponent-based system has the advantages that the devel-opment can be simplified and the time-to-market would bereduced However the tremendously high (or even infinite)number of states of the components makes the verificationof properties of these systems intractable In this paperwe discuss the compositional verification using abstractionrefinement techniques on component-based systems

Compositional verification would alleviate the problemof state explosion in concurrent model checking especiallyin conjunction with abstraction The work in [2 3] pro-posed an automated compositional abstraction frameworkwhich differs in the communication methodThe abstractionprocedure in [2] is guided by the data (interaction throughshared variables) of the model while it is guided by theaction (interaction through message-passing event) in [3]Threadmodular reasoning is also a compositional abstractionframework proposed in [4] which automatically generates

the environment for each thread by analyzing its interactionCompositional verification using abstraction refinementtechniques on component-based systems has been exten-sively studied Malkis et al combined CEGAR and threadmodular reasoning in their proposed technique [5] calledthread-modular CEGARThe technique computed reachablestates with Cartesian abstraction They directly compute thereachable states for all processes of the compositional systemin an explicit way Then refinement was applied to eliminateunreachable states by removing them from the Cartesianproduct A technique closely related to compositional ver-ification is assume-guarantee reasoning Henzinger et al[6 7] proposed a component-based verification algorithmwhich is complete for verifying safety properties They firstinitialize each component as true (the most abstract modelwhich essentially accepts any behaviors) and then iterativelyrefine them by adding new auxiliary predicates whereas theyinitialize the guarantee of the components as false (the mostabstract model which essentially rejects any behaviors) andrefine them successively by considering abstraction of currentcomponent and guarantees of other components

Another interesting branch for compositional verificationis the inductive invariant based method [8ndash10] The proper-ties established from the verification are usually invariants

Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2014 Article ID 703098 12 pageshttpdxdoiorg1011552014703098

2 Journal of Applied Mathematics

Given a property on component-based system states com-positional verification of invariant is to verify whether thegiven property can be inferred from the invariants of theircomponents Divide-and-conquer approaches can be appliedin compositional verification to infer global invariants fromlocal invariants A compositional verification method basedon the inductive invariant is presented in [11 12] In thisapproach the property of the component-based system canbe inferred by the compositional verification rule which isreferred to as the component invariant and the interactioninvariant This approach is incomplete Given a property(predicate) if the conjunction of the component invariantsand the interaction invariants is able to establish the propertyone concludes the verification Otherwise one reports thatthe verification is inconclusive

The inconclusive problem is due to two reasons Oneis the abstraction which transforms the original system(infinite) to an abstract system (finite) The other is theinteraction invariant which is the overapproximation of thereachable abstract states Thus the conjunction of com-ponent invariants and the interaction invariant is such anoverapproximation that unreachable states in the originalsystem may be computed as reachable in the abstract systemwhich may include unreachable error states We proposetwo refinement techniques counterexample-guided invariantstrengthening and state partitioning to address the inconclu-sive problem

A unified compositional abstraction refinement algo-rithm for the invariant checking problem on component-based systems is given which contains two phases At theverification phase we apply compositional verification tothe invariant checking problem If it suffices to concludethe verification we are done Otherwise the verificationalgorithm moves to the refinement phases In the otherphase we first strengthen the interaction invariant andremove the spurious counterexamples After the invariant isstrengthenedwe analyze the remaining counterexamples andpartition abstract states When our algorithm returns to theverification phase added states will induce a refined abstractmodel

The rest is organized as follows The component-basedsystem component invariant and component abstractionare introduced in Section 2 In Section 3 we introduce thecompositional verification of invariant for component-basedsystems which is the overapproximation of the system statesWe give counterexample-guided invariant strength and par-tition refinement methods in Section 4 A compositionalverification framework integrated with iterative refinementand its correctness proof are presented in Section 5 We showthe effectiveness of our proposed method in Section 6 andthen conclude in Section 7

2 Preliminaries

In this section we present concepts and definitions that areused in this paper We start with the overview of component-based systems which includes the concepts of atomic com-ponent interaction and compound component In the rest

of this section we introduce the concepts for the componentinvariant and abstraction

21 Component-Based System Component-based system is abasic model of wide-ranging concurrent systems It is provenin [13] that such a hierarchical model can be convertedto semantically equivalent flat model Therefore instead ofanalyzing complex hierarchical structure we concentrateon two-level structure in this paper The lower level ofthe component-based system is atomic component and thehigher level is compound component which is composed ofseveral atomic components with a set of interactions

An atomic component is a transition system denoted bya tuple 119861 = (119871 119875 119879119883 119892

119905119905isin119879 119891119905119905isin 119879

) where (119871 119875 119879) is atransition system that is 119871 = 119897

1 1198972 119897119896 is a set of control

locations 119875 is a set of ports and 119879 sube 119871 times 119875 times 119871 is a set oftransitions 119883 = 119909

1 119909

119899 is a set of variables and for each

119905 isin 119879 respectively 119892119905(x) is a guard a predicate on x and

119891119905(x x1015840) is an update relation a formula on x(current) and

x1015840(next) state variables Given a transition 119905 = (119897 119901 1198971015840) isin 119879 119897and 1198971015840 are respectively the source and target location denotedby 996354119905 and 119905996354

Given a set of components 1198611 1198612 119861

119899where 119861

119894=

(119871119894 119875119894 119879119894 119883119894 119892119905119905isin119879119894 119891119905119905isin119879119894) an interaction 119886 is a set of

ports subset of ⋃119899119894=1119875119894 such that for all 119894 = 1 119899 st

|119886cap119875119894| le 1The trans(119886) is a set of transitions 119905

119894= (119897119894 119901119894 1198971015840

119894) isin

119879119894119894isin119868 for arbitrary 119868 sube 1 119899 which have to execute

synchronouslyA compound component 120574(119861

1 119861

119899) is also a transition

system denoted by 119861 = (119871 120574 119879119883 119892119905119905isin119879 119891119905119905isin119879) where

(1) (119871 120574 119879) is the transition system such that

(i) 119871 = 1198711times1198712timessdot sdot sdottimes119871

119899is a set of control locations

(ii) 119879 sube 119871 times 120574 times 119871 contains transitions 119905 =

((1198971 119897119899) 119886 (119897

1015840

1 119897

1015840

119899)) obtained by synchro-

nization of sets of transitions 119905119894= (119897119894 119901119894 1198971015840

119894) isin

119879119894119894isin119868

such that 119901119894119894isin119868

= 119886 isin 120574 and 1198971015840119895= 119897119895if

119895 notin 119868 for arbitrary 119868 sube 1 119899

(2) 119883 = ⋃119899

119894=1119883119894and for 119886 isin 120574 the transition

trans(119886) resulting from the synchronization of a setof transitions 119905

119894119894isin119868 the associated guard and update

predicate are respectively 119892119905= ⋀119894isin119868119892119905119894and 119891

119905=

⋀119894isin119868119891119905119894and ⋀119894notin119868(1198831015840

119894= 119883119894)

A typical transition system (eg a component119861) containscontrol states usually the programcounterwhich takes valuesfrom the set of control locations Control states are definedby formulas of the form (at 119897

119894) where 119897

119894isin 119871 Additionally

we assume that for each transition 119905 = (119897119894 119901 119897119895) isin 119879 we get

a transition formula written as at 119897119894and 119892119905(x) 997891rarr 119891

119905(x x1015840) at 119897

119895

where x isin 119883

Definition 1 (component system) A component system isdenoted by S = (119861 Init) where 119861 is a component (atomicor compound component) and Init is the initial predicate ofthe system

Journal of Applied Mathematics 3

22 Component Invariant Most properties established dur-ing verification are either invariants or depend on invariantsTo prove that a predicate 120601 is an invariant of some systemS we need to find such a predicate 120595 that 120595 is strongerthan 120601 and 120595 is inductive In general for a system 119878 120595 is aninvariant of 119878 if every initial state of system 119878 satisfies 120595 and120595 is preserved under all transitions of the system

Definition 2 (component invariant) Given a component119861 = (119871 119875 119879119883 119892

119905119905isin119879 119891119905119905isin119879) for a global state predicate

Φ = ⋁119897isin119871

at 119897 and 120593119897 the generated formula by post pred-

icate is post(Φ) = ⋁119897isin119871(⋁119905=(119897119901119897

1015840)at 1198971015840and post

119905(120593119897)) where

post119905(120593(119883)) = exist119883

1015840sdot(119892119905(1198831015840)and119891119905(1198831015840 119883)and120593(119883

1015840)) A fixed point

of the post transformer is a component invariant (formulaΦ)of the component 119861 that is post(Φ) hArr Φ

The component invariant is computed by the post predi-cate transformer A more detailed technique as well as otherrelated properties for component invariants is given in [8 14]and will not be presented

Consider a system S = (119861 Init) where 119861 is a componentand Init is a state predicate satisfied by the initial states of 119861Φ is an invariant of 119878 if it is a component invariant of 119861 andInitrArr Φ

23 Component Abstraction When original system has realor large range discrete variables enumeration of concretestates by valuation is impossible Before computing interac-tion invariants of the compound system we need first togenerate a finite state abstraction for the component-basedsystem

In our methodology given a component-based systemS = ⟨119861 Init⟩ component invariant Φ = ⋁

119897isin119871at 119897 and

(⋁119898isin119872119897

120593119897119898) is automatically generated from a transition

system (a component) that describes its behavior which isrepresented by the disjunction of atomic formulas such asat 119897 and 120593

119897119898 However instead of using the atomic formulas

to generate an abstract system we use them to construct anabstraction function

The abstraction function maps an atomic formula to anabstract value of that formula which preserves the relationamong the atomic formulas instead of treating them asindependent propositions The abstraction technique usedhere is based on the approach proposed by Bensalem etal in [2 8] An abstraction function 120572 maps the concreterepresentation of the atomic predicates at 119897 and 120593

119897119898to the

abstract presentation 120601 called abstract state We use Φ120572 torepresent a set of abstract states

Definition 3 (abstract component) Given a component 119861 acomponent invariant Φ of 119861 and the associated abstractionfunction 120572 the abstract component 119861120572 is denoted by 119861120572 =(Φ120572 119875 999492999484) where

(i) Φ120572 is the abstract state where Φ is the componentinvariant and 120572 is abstraction function

(ii) 119875 is a set of ports of 119861

(iii) 999492999484 is the transition of 119861 For any pair of abstract states120601 = 120572(at 119897 and 120593) and 1206011015840 = 120572(at 1198971015840 and 1205931015840) there existsthe transition from 120601 to 1206011015840 through 119901 (denoted by120601119901

999492999484 1206011015840) if and only if exist119905 = (119897 119901 119897

1015840) isin 119879 post

119905(120593) and

1205931015840= false

3 Compositional Verification

After the overview of component-based system the com-ponent invariant and the component abstraction we firstpresent the compositional verification rule of component-based systems then we give out the concepts of the verifica-tion rules and last we do the analysis on the overapproxima-tion of the compositional abstraction

31 Compositional Verification Rule In the approach pre-sented in [11 12] the property Φ of 120574(119861

1 119861

119899) can be

inferred by the following compositional verification rule

119861119894⟨Φ119894⟩119899

119894 Ψ isin II (1198611205721

1 119861

120572119899

119899 120574) (⋀

119899

119894Φ119894) and Ψ rArr Φ

120574 (1198611 119861

119899) ⟨Φ⟩

(1)where 119861

119894⟨Φ119894⟩ means that Φ

119894is an invariant of component

119861119894and Ψ belongs to the set of interaction invariants II For

component 119861119894 a predicate Φ

119894on the component states is a

component invariant of 119861119894 Before generating the interaction

invariants one needs to compute the abstraction for thecomponents The abstraction for 119861

119894 denoted by 119861

120572119894

119894 is

computed from Φ119894by the abstraction function 120572

119894 In the

abstract system 120574(1198611205721

1 119861

120572119899

119899) we generate the interaction

invariant Ψ under the global behavior constraint which isthe overapproximation of the reachable abstract states Givena property (predicate) Φ if the conjunction of the invariant⋀119899

119894Φ119894and the interaction invariants Ψ are able to establish

the property one concludes the verification Otherwise onereports that the verification is inconclusive

32 Related Concepts Consider a compound system S =

⟨120574(1198611 119861

119899) Init⟩ and a set of component invariants

Φ1 Φ

119899associated with the atomic components If 119861120572119894

119894

is an abstraction of 119861119894with respect to an invariant Φ

119894and

its abstraction function 120572119894for 119894 = 1 119899 then 119861

120572=

120574(1198611205721

1 119861

120572119899

119899) is an abstraction of 119861 = 120574(119861

1 119861

119899) with

respect to ⋀119899119894=1Φ119894and an abstraction function 120572 obtained as

the composition of the 120572119894

Definition 4 (abstract system) Given a component systemS = (119861 Init) the abstract system is denoted by S120572 =

⟨119861120572 Init120572⟩ where 119861120572 is the abstraction for a component and

Init120572 = ⋁120601isinΦ120572

0

at 120601 where Φ1205720= 120601 isin Φ

120572| 120572minus1(120601) and

Init = false is the set of the initial abstract states

The following lemma in [11] says that 120574(11986112057211 119861

120572119899

119899) is an

abstraction of 119861 = 120574(1198611 119861

119899) and that invariants of the

abstract system are also invariants of the concrete system

Lemma 5 If 119861120572 is an abstraction of 119861 with respect to aninvariant Φ and 120572 its abstraction function then 119861120572 simulates


119861 Moreover if Φ120572 is an invariant of S120572 then 120572minus1(Φ120572) is aninvariant of S

Given an abstract system interaction invariants charac-terize constraints on the global abstract state space induced bysynchronization among components Interaction invariantsare based on the concept of traps in Petri net which arecomputed on finite transition system 120574(119861

1205721

1 119861

120572119899

119899) without

variables but abstract locations 120601Consider a compound system 120574(119861

1205721

1 119861

120572119899

119899) where

119861120572119894

119894= (Φ120572119894

119894 119875119894 999492999484119894) is a transition system For a set of abstract

states Φ120572 sube ⋃119899

119894=1Φ120572119894

119894 the forward interaction set is denoted

byΦ120572996354 = ⋃120601isinΦ120572 120601996354where 120601996354 = 120591

119894119894isin119868| forall119894 sdot 120591

119894isin 999492999484119894andexist119894 sdot 996354120591

119894=

120601 and port (120591119894)119894isin119868isin 120574 is related to some interactions In each

interaction there exists a transition 120591119894from 120601 participate in

That is 120601996354 is composed of sets of transitions involved in someinteraction of 120574 inwhich a transition 120591

119894from120601 can participate

Given a parallel composition 120574(11986112057211 119861

120572119899

119899) where 119861120572119894

119894=

(Φ120572119894

119894 119875119894 999492999484119894) a trap [15] is a setΦ120572 of abstract locationsΦ120572 sube

⋃119899

119894=1Φ120572119894

119894such thatΦ120572996354 sube 996354Φ120572

Definition 6 (interaction invariant) Given an abstract systemS120572 = ⟨120574(119861

1205721

1 119861

120572119899

119899) Init120572⟩ if the set of locations Φ120572 sube

⋃119899

119894=1Φ120572119894

119894is a trap containing the initial states of some

components then ⋁120601isinΦ120572at 120601 is the interaction invariant of

S120572

The characterization of traps in [12] allows one to com-pute the set of traps [16] using different approaches includingmethods of positive mapping or fix-pointed computation

33 Overapproximation In the compositional verificationrule present in Section 1 the conjunction of componentinvariants and the interaction invariant is an overapproxi-mation of reachable system states The overapproximationof the compositional verification mainly results from twokinds of abstractions One is due to the abstraction functionand the other is caused by interaction interference Theconjunction of interaction invariants overapproximates theset of reachable states which may cause some unreachableerror states to be included

The abstract system 119861120572 for a component 119861 is generated

by elimination in a conservative way To check whether 120601 9994929994841206011015840 where 120601 = 120572(at 119897 and 120593) and 120601

1015840= 120572(at 1198971015840 and 120593

1015840) we

check that for all transitions 119905 = (119897 119901 1198971015840) we have post119905(120593) and

1205931015840= false When we generate abstract systems the behaviors

of the abstract system are more than the original systemrsquosAs the compositional verification performance on abstractcomponents the verification is incompleteness

The conjunction of interaction invariant (a trap) charac-terizes constraints on the states induced by synchronizationamong components States satisfying interaction invariantsprovide enabled execution information a local projection ofglobal states on part of components However these globalstates may not be reachable from initial states Moreoverdifferent interactions may include common ports The inter-actions including the same portmust exclusively execute that

is just only one interaction can execute Interaction invariantcannot characterize this dynamic information

From the above analysis we can conclude that invariant-based compositional verification is incomplete We proposetwo refinement techniques in conjunction with invariant-based compositional verification rule to get a verificationframework The framework is an iterative scheme whichstarts from the abstraction until a concrete counterexample isfound or until the safety property holds on abstract systems

4 Refinement Approaches

We give counterexample-guided invariant strengthening andpartition refinement methods in this section

41 Invariant Strengthening In the first part of this sec-tion we present the invariant strengthening approach Asinteraction invariant computed by the greatest fixed point isthe overapproximation counterexamples (represented by theconjunction of abstract states) may be spurious For this casewe checkwhether counterexamples can be reachable from theinitial states If not we generate a fixed point backward fromthe spurious counterexample and strengthen the invariant bythe fixed point

Given an abstract component system S120572 = ⟨119861120572 Init120572⟩

where 119861120572 = 120574(11986112057211 119861

120572119899

119899) and 119861120572119894

119894= (Φ120572119894

119894 119875119894 999492999484119894) Formally

S120572 = (ΦT Init120572) is a finite state machine (FSM) in which

(i) Φ is a set of global states for the abstract state120601 = (120601

1 120601

119899)120601119894isinΦ120572119894

119894

we can represent it as con-junction (a vector) of local abstract state that is 120601 =⋀120601119894isinΦ120572119894

119894

120601119894isin Φ

(ii) T is a predicate on global states Φ and Φ1015840 for

((1206011 120601

119899) 119886 (120601

1015840

1 120601

1015840

119899)) where 119886 isin 120574 there exists

T(120601 1206011015840) where 120601 = ⋀120601119894isinΦ120572119894

119894

120601119894and 1206011015840 = ⋀

1206011015840

119894isinΦ120572119894

119894

1206011015840

119894

(iii) Init120572 is the initial predicate of the abstract system

A formula 120593 is interpreted as the set |[120593]| of all the globalstates 120601 isin Φ satisfy 120593 We define the set ReachT(Init

120572)

of the global states 119903119890119886119888ℎ119886119887119897119890 from the states |[Init120572]| viathe transition as the smallest set such that |[Init120572]| sube

ReachT(Init120572) and 1206011015840 | exist120601 sdotT(120601 1206011015840) sube ReachT(Init

120572) if

120601 sube ReachT(Init120572) Consider an abstract component system

S120572 = (ΦT Init120572) where Φ is a set of the global states Tis the transition predicate and Init120572 is the initial predicateThe converse transition system (ΦTminus1 Init120572) is defined byTminus1(1206011015840 120601) = T(120601 1206011015840) For a formula 120593 we compute all thesuccessor states which are generated from the states hold 120593 byspT(120593) spT(120593) = 120601

1015840| exist120601 sdot (T(120601 1206011015840) and 120593) where 120601 1206011015840 isin Φ

and 120601 holds 120593 Likewise we can define spTminus1(120593) = 1206011015840|

exist120601 sdot (T(1206011015840 120601) and 120593) where 120601 1206011015840 isin Φ and 120601 holds 120593The following lemma [17] says that if none of the states

represented by 120601 is backward reachable from the initial statesthen not120601 is an invariant

Lemma 7 Let S120572 = ⟨ΦT 119868119899119894119905120572⟩ be a transition system and120601 an arbitrary formula (or states) If 120593 is such that (119904119901Tminus1(120593) or


120601) rArr 120593 and the formula 119868119899119894119905and120593 is unsatisfiable then not120593 is aninductive invariant of S120572

Corollary 8 If 119877119890119886119888ℎTminus1(120593) cap 119868119899119894119905 = 0 then the formulacorresponding to the complement of the set of 119877119890119886119888ℎTminus1(120593) isan inductive invariant

Theorem 9 Assume that V119894119897119900 is a counterexample andV119894119897119900 and 120572

minus1(120601) = 119891119886119897119904119890 where 120601 is an abstract state of S120572

If 119877119890119886119888ℎTminus1(120601) cap 119868119899119894119905120572

= 0 then V119894119897119900 is the spuriouscounterexample and the complement of the set of 119877119890119886119888ℎTminus1(120601)is used to strengthen the invariants of 119878120572

Inspired by the above theorem we propose an approachcalled the invariant strengthening to strengthen the invari-ants from the compositional verification rule

We first choose a counterexample and generate a fixedpoint from the selected counterexample using backwardpropagation An abstract state including a counterexample isthe conjunction formula of abstract states like 120601 = ⋀

120601119894isinΦ120572119894

119894

120601119894

where 120601119894= 120572119894(at 119897 and120593) which is the product of abstract states

of each component On the abstract system S120572 we do thebackward propagation by spTminus1(120601) = 120601

1015840| exist120601 sdot (T(1206011015840 120601) and

120601) Then from a counterexample we can compute all theglobal abstract system states using backward propagation Ifthe intersection of the generated fixed point and the initialstates is empty the counterexample and all of the backwardgenerated fixed points are not reachable from initial statesFor this case we say the selected counterexample is spuriousThe invariant strengthening approach removes the spuriouscounterexample and eliminates the unreachable states gen-erated from the spurious counterexample to strengthen theinvariant

For invariant strengthening time consumes at counterex-ample reachable global states set computation As this setcomputation is based on fixed-pointed computation and ismonotonic so time complexity for Algorithm 1 is O(Φ)where Φ is number of global states of abstract system andΦ = prod

119899

119894=1Φ119894and Φ

119894= |Φ120572

119894| the number of abstract states

from 119894th component

42 Partition Refinement In this part we proposed a moreeffective counterexample-guided method called partitionrefinement which can accelerate abstraction refinementmechanism Consider the abstraction function which trans-forms the original infinite system to the finite abstract systemAn abstract state is an aggregation of a number of originalsystem states If a concrete state Φ

119888is part of an abstract

state Φ we cannot make decisions (1) whether Φ is acounterexample ifΦ

119888is a counterexample in concrete system

(2) whether Φ119888is reachable in concrete system although Φ

is reachable in abstract system We propose our refinementapproach to give the solution of the above question (Figure 1)

In the above approach we analyze whether the remainingcounterexamples are the spurious counterexamples whichare caused by inaccurate characterization To eliminate thesespurious counterexamples we refine the abstract componentstates by the proposed state partition approach Consider anabstract system state 120601120572 = at 119897 and 120593 and a counterexample

120601119890= at 119897 and 120593

119890such that 120593

119890rArr 120593 (Dec

0) We can partition

120601120572 into two states 120601

119890and 1206011015840 120601

119890= at 119897 and 120593

119890and 1206011015840 = at 119897 and 1205931015840

where 1205931015840 = 120593 minus 120593119890 here we denote 120601

119890or 1206011015840= 120601120572 and

120601119890and1206011015840= false Assume that there exist 120601120572

1and 1206011205722 fromwhich

120601120572 is reachable such that post

1205911(120572minus1(120601120572

1)sdot120593)and120572

minus1(120601119890)sdot120593 = false

and post1205912(120572minus1(120601120572

2) sdot 120593) and 120572

minus1(1206011015840) sdot 120593 = false (Dec

1) hold We

remove 120601120572 from abstract state space Φ120572 and add 120601119890and 1206011015840

into Φ120572From the above we assume that 120601120572

1reach the error-part

120601119890of 120601120572 and 120601120572

2reach the other 1206011015840 In this case we should add

the transitions into the system If exist120601120572119894 exist120591119894 (120601120572

119894 119901119894 120601120572) isin999492999484

such that post120591119894(120572minus1(120601120572

119894) sdot 120593) and 120572


2) we

add a transition from 120601120572

119894to 120601 (here 120601 stands for both 120601

119890

and 1206011015840) likewise if exist120601120572119894 and exist120591

119894 (120601120572 119901119894 120601120572

119894) isin999492999484 such that

post120591(120572minus1(120601)sdot120593)and120572

minus1(120601120572

119894)sdot120593 = false (Dec

3) we add a transition

from 120601 to 120601120572119894

Theorem 10 If S120572119903119890119891

is a refined system returned by Algo-rithm 2 then 119861120572

119903119890119891simulates 119861 Moreover if Φ120572 is an invariant

of 119861120572119903119890119891

then Φ = 120572minus1(Φ120572) is an invariant of 119861

Proof By Lemma 5 we show that theAlgorithm 2 onlymakesstates partition and then has no effect on the simulationrelation If (119897

1 119909)119901

997888rarr (119897 1199091015840) and 120572minus1(120601120572

1) = at 119897

1and 1205931 then

there exists 120601120572 such that 120572minus1(120601120572) = at 119897 and 120593 (119897 1199091015840)119877120601120572 and120601120572

1

119901

999492999484 120601120572 If 120593

119890rArr 120593 does not hold then the abstract state 120601120572

cannot be partitioned by 120593119890 Otherwise we split abstract state

120601120572 with disjoint two parts120601 = 120572(at 119897and120593

119890) and1206011015840 = 120572(at 119897and1205931015840)

and we have 120593119890and1205931015840= false and 120593

119890or1205931015840= 120593 so we have either

120601120572

1

119901

999492999484 120601 or 1206011205721

119901

999492999484 1206011015840 Then the refined abstract system 119861

120572

refsimulates 119861 If Φ120572 is an invariant of 119861120572ref then 120572

minus1(Φ120572) is an

invariant of 119861

For partition refinementmethod given a counterexampleΦ119888= ⋀120601119894isinΦ120572119894

119894

120601119894 state partition in 119894th component based

on 120601119894 only affects one abstract state to be parted And

a state is parted only once by 120601119894 As exists quantifier for

states needs examines all possible abstract state pairs and sodoes the quantifier of transitions state partition needs timecomplexity as O(sum119899

119894=1(|Φ120572

119894| sdot |999492999484119894|2))

The above refinement approaches are applied on theparallel compositional system However extended withthe decidable theories and symbolic representation ourapproaches can be applied on amore complex system like thehierarchical component system

5 Iteration Verification Framework

In this section we present the unified verification frameworkcomposed of compositional abstraction and our proposedrefinement techniques

Our verification framework for component-based sys-tems is an iterative scheme presented by Algorithm 1 In ourframework there exists themethod of abstraction refinement


Dec0

Dec1

Dec2

Dec3

Return splitted

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

Error

ErrorError

=

=

120601i | Φc = 120601i splitted = false

ne 0

Get 120601e (a ) isin error error = error120601e

120601120572 = 120601e or 120601998400 and

120593e or 120601998400= false

Φ120572 = (Φ120572120601120572) cup 120601e cup

120601998400 splitted = true

Add 120601120572ip999492

p999492

p999492

120601e(or 120601120572i 120601998400) to 999492

p999492(or 120601120572i120601998400 ) to 999492

Add 120601e 120601120572i

t l and 120593e

⋀120601iisinΦ

120572119894i

Figure 1

presented by Algorithm 2 which includes the counterexam-ple guided invariant strengthening and abstract state parti-tioning inspired by CEGAR mechanism In the Algorithm 1the unified compositional abstraction refinement for theinvariant checking problem on component-based systems isgiven which contains two phases

At the verification phase we apply compositional verifi-cation to the invariant checking problem If properties canbe proven under the current abstraction (see line 12 in Algo-rithm 1) the verification succeeds immediately Otherwisethe refinement is performed (see line 16 inAlgorithm 1) If theabstraction cannot be further refined by the current reachablecounterexample (see line 17 in Algorithm 1) then currentcounterexample is a genuine counterexample If currentcounterexamples are all spurious counterexamples (see line20 in Algorithm 1) we conclude that verification succeedsOtherwise we go to line 23we get refined abstract systemandcompute the new more concrete interaction invariant withconjunction of strengthened inductive invariant computedfrombackward propagation of spurious counterexamples andgo back to counterexample guiding abstraction refinementportion of verification basis which call for less efforts thanprevious iteration processes in [11 12]

At the refinement phase we first strengthen the inter-action invariant and remove the spurious counterexamplesAfter the invariant is strengthened we analyze the remainingcounterexamples and partition abstract states When ouralgorithm returns to the verification phase added states willinduce a refined abstract model Our refinement method (seeAlgorithm 2) reconsiders information of counterexampleswhich may include ErrI and ErrII where ErrI is unreachableerror state introduced by interaction interference and ErrIIis inaccurate local configuration caused by abstraction func-tionWe use the invariant strengthening technique to removeErrI from the counterexamples and strengthen the invariantuse of the counterexample in ErrIWeuse the counterexamplein ErrII to do the state partition refinement which refines theabstraction until a genuine counterexample is found or thesafety property holds on abstract systems

Theorem 11 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound

component-based system and let Φ be a specific propertypredicate

(1) If 119868119905119890119903119886119905119894119900119899119881119890119903119894119891119910(S Φ) returns 119905119903119906119890 then S ⊨ Φ(2) if 119868119905119890119903119886119905119894119900119899119881119890119903119894119891119910(S Φ) returns 119891119886119897119904119890 then S ⊭ Φ


Input Component system S = (120574(1198611 119861

119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890

(2) for 119894 larr 1 to 119899 do(3) compute the component invariant Φ1015840

119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894

(5) compute the corresponding abstraction 119861120572119894119894based on 119861

119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896

(12) if notΦ and Ψ and (⋀119899119894=1Φ119894) = 119891119886119897119904119890 then

(13) Φ is an invariant of S(14) return 119905119903119906119890(15) else(16) compute counterexample set 119864119903119903 = Φ

119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)

(17) if 119877119890119891119894119899119886119887119897119890 = 119891119886119897119904119890ampamp119864119903119903 = 0 then(18) return 119891119886119897119904119890(19) end(20) if 119864119903119903 = 0 then(21) return 119905119903119906119890(22) else(23) goto 12(24) end(25) end

Algorithm 1 Iteration verification

Proof (1) If Algorithm 1 returns true from line 14 with thepreconditionnotΦandΨand(⋀119899

119894=1Ψ119894) = false we get the conclusion

that the property satisfied immediately Otherwise if allcurrent counterexamples are spurious counterexamples theverification stops with the property satisfied at line 21 (2)If Algorithm 1 returns false from line 18 with Refinable =

false and Err = 0 we get that the abstract system is unableto be refined any more by the current counterexamplewhich means the counterexample is a real violated behaviortruly reachable from the initial configuration and cannot beeliminated by a more concrete system Otherwise abstractsystem should be refined by the next refinement using thecurrent counterexamples

Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound

component-based system and letΦ be a specific property pred-icate Algorithm 119868119905119890119903119886119905119894119900119899119881119890119903119894119891119910(S Φ) always terminates

Proof In each refinement iteration either some newstrengthening invariant is added or the abstract system stateis split into new states Note that the state space of abstractsystem is finite and that the number of possible split states isalso finite In the worst case the algorithm finally terminatedwith the refined system is just the original system Then thealgorithm can terminate finally

Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound


(1) If S ⊨ Φ then 119868119905119890119903119886119905119894119900119899119881119890119903119894119891119910(S Φ) returns 119905119903119906119890(2) if S ⊭ Φ then 119868119905119890119903119886119905119894119900119899119881119890119903119894119891119910(S Φ) returns 119891119886119897119904119890

Proof (1) According to the second statements of Theorem 11if S ⊨ Φ Algorithm 1 cannot return with false According toTheorem 12 Algorithm 1 always terminates Thus if S ⊨ Φthen algorithm can only terminate with true

(2) Similarly according to the first statement ofTheorems11 and 12 if S ⊭ Φ the algorithm can only terminate withfalse

6 Examples and Experiments

Wewill provide certain examples to illustrate the effectivenessof our proposed verification framework

61 Train Gate Controller Consider the example of the traingate controller [18] which consists of a 119888119900119899119905119903119900119897119897119890119903 a 119892119886119905119890 anda number of 119905119903119886119894119899119904Themodel presented in Figure 2 describesonly one train interactingwith the controller and the gateThecontroller operates the gate up and down when a train entersand exits respectively

The 119862119900119899119905119903119900119897119897119890119903 has four locations 1198880 1198881 1198882 1198883 one

variable 119911 five ports approach raise exit lower tickand eight guarded transitions The 119879119903119886119894119899 has threelocations far in near a variable 119909 four portsapproach exit 119905 tick and six guarded transitionsThe 119866119886119905119890 has four locations 119892

0 1198921 1198922 1198923 a variable


Input Abstract system S120572 = (120574(1198611205721

1 119861

120572119899

119899) 119868119899119894119905

120572)

set of counterexamples 119864119903119903 interaction invariant ΨOutput 119905119903119906119890 or 119891119886119897119904119890

(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then

(13) return 119891119886119897119904119890(14) else(15) foreach Φ

119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890

(18) end(19) end(20) from split refinement abstract systemS120572

119903119890119891 compute

new compute interaction invariant Ψ(21) foreach Φ

119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end

Algorithm 2 Abstraction refinement

Approachx = 0 z = 0 y = 0

y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g

Train Controller Gate

x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2

Figure 2 The component-based model for train gate controller (TGC)

119910 four ports lower raise 119892 tick and eight guardedtransitions Three atomic components Train Gate andController are composed with a set 120574 of interactions119862tick 119879tick 119866tick 119879approach 119862approach 119879exit119862exit 119862lower 119866lower and 119862raise 119866raise In thisexample we aim to verify the TGC system by the initialcondition Init = 119897far and (119909 = 3) and 1198971198880 and (119911 = 1) and 1198971198920 and (119910 = 1)For the above three atomic components we generate thefollowing predicates ΦController = (119897

1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)

ΦTrain = (119897farand119909 ge 3)or(119897nearand0 le 119909 le 5)or(119897inand3 le 119909 le 5) andΦGate = (1198971198920and119910 ge 1)or(1198971198921and0 le 119910 le 1)or(1198971198922and119910 ge 0)or(1198971198923and0 le119910 le 2) which are respectively the component invariantsof TrainGate and Controller Since this system has aninfinite number of reachable states With the applicationof abstraction function 120572 we transform the originalcomponents (infinite) to the computed abstract components(finite) presented in Figure 3 The computed abstract statesare 120601

1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1

Train120572 Controller120572 Gate120572

1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1

The interested safety property is that when the train is atthe location 119897in the gate is at 1198971198922 We apply the compositionalverification rule to check the property In this model theverification rule can infer this property so we get theconclusion of the properties satisfied

62 Temperature Control System Consider the example ofthe temperature control system [11 12] presented in Figure 4The model consists of three atomic components ControllerRod1 and Rod2

The Controller has two locations 1198975 1198976 a variable 120579

three ports tick cool heat and four guarded transitionsThe Rod1 has two locations 119897

1 1198972 a variable 119905

1 three

ports tick1 cool1 rest1 and four guarded transitions Like-

wise the Rod2 has two locations 1198973 1198974 a variable 119905

2

three ports tick2 cool2 rest2 and four guarded transitions

Three atomic components Controller Rod1 and Rod2 arecomposed with a set 120574 of interactions tick tick

1 tick2

cool cool1 cool cool2 heat rest1 and heat rest2 Inthis example we aim to verify deadlock-freedom of thetemperature control system by the initial condition Init =1198975and (120579 = 100) and 119897

1and (1199051= 3600) and 119897

3and (1199052= 3600)

For the above three atomic components we generate thefollowing predicates Φ

1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le

120579 le 1000) or (1198976and 100 le 120579 le 1000) which are respectively

the component invariants of Rod1Rod2 and ControllerSince this system has an infinite number of reachable stateswith the application of abstraction function 120572 we transformthe original components (infinite) to the computed abstractcomponents (finite) in Figure 5The computed abstract statesare 120601

11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162

The interaction invariant of the component system isgenerated from the concept of the trap The sets of trapsfor the abstract system are 119871

1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After

the computation of traps we generate interaction invariantsΨ119894= ⋁120601isin119871 119894

120572minus1(120601) (119894 = 1 5) and then get Ψ = ⋀

5

119894=1Ψ119894

To verify the deadlock-freedom of the temperature con-trol system we define a predicate 119863119868119878 which characterizesthe set of system states from which all interactions in 120574 aredisabled In this example DIS = (not(119897

5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and

120579 = 100) or not1198974) If the predicate notDIS is an invariant of

the temperature control system then it is deadlock-free To

check that notDIS is an invariant we need a stronger invariantΦ such that Φ rArr notDIS (equivalently Φ and DIS = false)Based on the previous compositional verification rule thecomputed invariant isΦ = (Φ

1and Φ2and Φ3) and Ψ To verify the

deadlock-freedom of the system we computed the predicateΦ and Init and DIS which is reduced to

(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)

As the invariantΦ = (Φ1andΦ2andΦ3)andΨ is the overapprox-

imate of the reachable states some spurious counterexamplesmay be includedWe can strengthen invariants and refine theabstract system by our proposed refinement approaches Atfirst we analyze the generated counterexamplesΦ

1198881Φ1198882 and

Φ1198883and check whether the counterexamples are spurious or

not by our counterexample-guided invariant strengtheningThe abstract states Φ

2= 12060112and 12060142and 12060152

and Φ3= 12060121and

12060132and 12060152 which include Φ

1198882and Φ

1198883 are unreachable from

the initial abstract states Since Φ2and Φ

3are unreachable

from the initial abstract states we can conclude that Φ1198882and

Φ1198883are spurious counterexamples However we cannotmake

decisions whether Φ1198881

is reachable from the initial statesalthoughΦ

1is reachable from the initial abstract states

After the application of invariant strengthening on theabstract system we eliminate Φ

1198882and Φ

1198883from counterex-

amples and strengthen invariants by the generated infeasiblestates Now we refine the abstract system and check whetherΦ1198881

is genuine counterexample or not by state partitiontechnique After the application of state partition techniqueon the abstract system we get the refined abstract systempresented in Figure 6 We split the state 120601

12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000

By the state partition technique finally we find that Φ1198881is a

counterexample of the systemThe example is implemented as BIP models and has been

translated into timed automata using the tool BIP2UPPAAL[19] To illustrate effectiveness of our approach we verifymodels against property EFΦ

1198881 EFΦ

1198882 and EFΦ

1198883 which

means ldquothere exists a run that eventually reaches deadlockstates Φ

119888119894rdquo As a comparison we first check both original

system and abstract system The checking results are shownin Table 2 As EFΦ

1198882and EFΦ

1198883are not satisfied by the

abstract model we conclude that Φ1198882

and Φ1198883

are spuri-ous counterexamples immediately Then we make partitionrefinement withΦ

1198882 During state partition refinement states

11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have

been partitioned We verified refined abstract models againstproperty As EFΦ

1198881is ultimately satisfied and we cannot use

Φ1198881

to partition models further we conclude that Φ1198881

is agenuine counterexample


Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12

Figure 3 The abstraction for the TGC

Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1

Figure 4 The component-based model for temperature control system

Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2

Cool1 Cool2Rest2Rest1

Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112

Rod1205721 Rod1205722Controller120572

Figure 5 The abstraction for the component-based model


Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122

Rod1205721 Controller120572 Rod1205722

Rest2Rest2

Rest2

Figure 6 The refined abstract model

Table 2 Simple table

Original Abstract RefinedProperty 1 EFΦ

1198881

Result True True TrueTime (s) 0046 0001 0001Memory (KB) 8056 7084 7084Property 2 EFΦ

1198882

Result False False FalseTime (s) 0044 0001 0001Memory (KB) 8060 7088 7072Property 3 EFΦ

1198883

Result False False FalseTime (s) 0045 0001 0001Memory (KB) 8064 7084 7072

From the above analysis we have shown the effectivenessof our proposed verification framework Using our proposedrefinement techniques we reconsidered the counterexamplesof the system We finally identify which are spurious coun-terexamples and refine the abstract systems

7 Conclusions

We have proposed a unified framework with iterative refine-ments for compositional verification of component-basedsystems This framework extends invariant-based compo-sitional verification rule with the counterexample-guidedinvariant strength and state partition techniques The formerremoves the spurious counterexample and uses the fixedpoint generated backward from the spurious to strengthenthe system invariant The latter partitions the abstract statesaccording to the rest counterexamples to refine the abstractsystem Both contribute to the unified verification frameworkwhich is proved to be sound and complete

Compared with the invariant-based compositional verifi-cation which is incomplete our verification framework withthe iterative refinements can get more precise results with thebalance of the verification complexity

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was supported by the Fund NSFC61171121 and theScience Foundation of Chinese Ministry of Education-ChinaMobile 2012

References

[1] K M Chandy Parallel Program Design Springer 1989[2] S Bensalem Y Lakhnech and S Owre ldquoComputing abstrac-

tions of infinite state systems compositionally and automati-callyrdquo in Computer Aided Verification pp 319ndash331 Springer1998

[3] S Chaki J Ouaknine K Yorav and E Clarke ldquoAutomated com-positional abstraction refinement for concurrent C programsa two-level approachrdquo Electronic Notes in Theoretical ComputerScience vol 89 no 3 pp 417ndash432 2003

[4] C Flanagan and S Qadeer ldquoThread-modular model checkingrdquoinModel Checking Software pp 213ndash224 Springer 2003

[5] A Malkis A Podelski and A Rybalchenko ldquoThread-modularcounterexample-guided abstraction refinementrdquo in Static Anal-ysis pp 356ndash372 Springer 2011

[6] T A Henzinger R Jhala RMajumdar and S Qadeer ldquoThread-modular abstraction refinementrdquo in Computer Aided Verifica-tion pp 262ndash274 Springer Berlin 2003

[7] T A Henzinger R Jhala and R Majumdar ldquoRace checking bycontext inferencerdquo ACM SIGPLAN Notices vol 39 no 6 pp 1ndash13 2004


[8] S Bensalem Y Lakhnech and S Owre ldquoInvest a tool for theverification of invariantsrdquo in Computer Aided Verification pp505ndash510 Springer 1998

[9] A Pnueli S Ruah and L Zuck ldquoAutomatic deductive verifica-tion with invisible invariantsrdquo in Tools and Algorithms for theConstruction and Analysis of Systems pp 82ndash97 Springer 2001

[10] T Arons A Pnueli S Ruah Y Xu and L Zuck ldquoParameterizedverification with automatically computed inductive assertionsrdquoin Computer Aided Verification pp 221ndash234 Springer Berlin2001

[11] S Bensalem M Bozga T-H Nguyen et al ldquoCompositionalverification for component-based systems and applicationrdquo inProceedings of the Automated Technology for Verification andAnalysis 6th International Symposium (ATVA rsquo08) vol 5311 pp64ndash79 Seoul Republic of Korea 2008

[12] S Bensalem M Bozga T-H Nguyen and J Sifakis ldquoCompo-sitional verification for component-based systems and applica-tionrdquo IET Software vol 4 no 3 pp 181ndash193 2010

[13] M Bozga M Jaber and J Sifakis ldquoSource-to-source architec-ture transformation for performance optimization in BIPrdquo IEEETransactions on Industrial Informatics vol 6 no 4 pp 708ndash7182010

[14] S Bensalem and Y Lakhnech ldquoAutomatic generation of invari-antsrdquo Formal Methods in System Design vol 15 no 1 pp 75ndash921999

[15] J L Peterson Petri Net Theory and the Modeling of SystemsPrentice Hall Englewood Cliffs NJ USA 1981

[16] K Barkaoui and M Minoux ldquoA polynomial-time graph algo-rithm to decide liveness of some basic classes of bounded Petrinetsrdquo inApplication andTheory of Petri Nets vol 616 pp 62ndash75Springer Berlin 1992

[17] A Tiwari H Rueszlig H Saıdi and N Shankar ldquoA techniquefor invariant generationrdquo in Tools and Algorithms for theConstruction andAnalysis of Systems pp 113ndash127 Springer 2001

[18] R Alur and D L Dill ldquoA theory of timed automatardquoTheoreticalComputer Science vol 126 no 2 pp 183ndash235 1994

[19] C Su M Zhou L Yin HWan andM Gu ldquoModeling and ver-ification of component-based systems with data passing usingbiprdquo in Proceedings of the 18th IEEE International Conference onEngineering of Complex Computer Systems (ICECCS rsquo13) pp 4ndash13 2013

Submit your manuscripts athttpwwwhindawicom

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

MathematicsJournal of


Mathematical Problems in Engineering

Hindawi Publishing Corporationhttpwwwhindawicom

Differential EquationsInternational Journal of

Volume 2014

Applied MathematicsJournal of


Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Journal of


Mathematical PhysicsAdvances in

Complex AnalysisJournal of


OptimizationJournal of


CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of


Operations ResearchAdvances in

Journal of


Function Spaces

Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of Mathematics and Mathematical Sciences


The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Algebra

Discrete Dynamics in Nature and Society



Decision SciencesAdvances in

Discrete MathematicsJournal of


Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Stochastic AnalysisInternational Journal of


Given a property on component-based system states com-positional verification of invariant is to verify whether thegiven property can be inferred from the invariants of theircomponents Divide-and-conquer approaches can be appliedin compositional verification to infer global invariants fromlocal invariants A compositional verification method basedon the inductive invariant is presented in [11 12] In thisapproach the property of the component-based system canbe inferred by the compositional verification rule which isreferred to as the component invariant and the interactioninvariant This approach is incomplete Given a property(predicate) if the conjunction of the component invariantsand the interaction invariants is able to establish the propertyone concludes the verification Otherwise one reports thatthe verification is inconclusive

The inconclusive problem is due to two reasons Oneis the abstraction which transforms the original system(infinite) to an abstract system (finite) The other is theinteraction invariant which is the overapproximation of thereachable abstract states Thus the conjunction of com-ponent invariants and the interaction invariant is such anoverapproximation that unreachable states in the originalsystem may be computed as reachable in the abstract systemwhich may include unreachable error states We proposetwo refinement techniques counterexample-guided invariantstrengthening and state partitioning to address the inconclu-sive problem

A unified compositional abstraction refinement algo-rithm for the invariant checking problem on component-based systems is given which contains two phases At theverification phase we apply compositional verification tothe invariant checking problem If it suffices to concludethe verification we are done Otherwise the verificationalgorithm moves to the refinement phases In the otherphase we first strengthen the interaction invariant andremove the spurious counterexamples After the invariant isstrengthenedwe analyze the remaining counterexamples andpartition abstract states When our algorithm returns to theverification phase added states will induce a refined abstractmodel

The rest is organized as follows The component-basedsystem component invariant and component abstractionare introduced in Section 2 In Section 3 we introduce thecompositional verification of invariant for component-basedsystems which is the overapproximation of the system statesWe give counterexample-guided invariant strength and par-tition refinement methods in Section 4 A compositionalverification framework integrated with iterative refinementand its correctness proof are presented in Section 5 We showthe effectiveness of our proposed method in Section 6 andthen conclude in Section 7

2 Preliminaries

In this section we present concepts and definitions that areused in this paper We start with the overview of component-based systems which includes the concepts of atomic com-ponent interaction and compound component In the rest

of this section we introduce the concepts for the componentinvariant and abstraction

21 Component-Based System Component-based system is abasic model of wide-ranging concurrent systems It is provenin [13] that such a hierarchical model can be convertedto semantically equivalent flat model Therefore instead ofanalyzing complex hierarchical structure we concentrateon two-level structure in this paper The lower level ofthe component-based system is atomic component and thehigher level is compound component which is composed ofseveral atomic components with a set of interactions

An atomic component is a transition system denoted bya tuple 119861 = (119871 119875 119879119883 119892

119905119905isin119879 119891119905119905isin 119879

) where (119871 119875 119879) is atransition system that is 119871 = 119897

1 1198972 119897119896 is a set of control

locations 119875 is a set of ports and 119879 sube 119871 times 119875 times 119871 is a set oftransitions 119883 = 119909

1 119909

119899 is a set of variables and for each

119905 isin 119879 respectively 119892119905(x) is a guard a predicate on x and

119891119905(x x1015840) is an update relation a formula on x(current) and

x1015840(next) state variables Given a transition 119905 = (119897 119901 1198971015840) isin 119879 119897and 1198971015840 are respectively the source and target location denotedby 996354119905 and 119905996354

Given a set of components 1198611 1198612 119861

119899where 119861

119894=

(119871119894 119875119894 119879119894 119883119894 119892119905119905isin119879119894 119891119905119905isin119879119894) an interaction 119886 is a set of

ports subset of ⋃119899119894=1119875119894 such that for all 119894 = 1 119899 st

|119886cap119875119894| le 1The trans(119886) is a set of transitions 119905

119894= (119897119894 119901119894 1198971015840

119894) isin

119879119894119894isin119868 for arbitrary 119868 sube 1 119899 which have to execute

synchronouslyA compound component 120574(119861

1 119861

119899) is also a transition

system denoted by 119861 = (119871 120574 119879119883 119892119905119905isin119879 119891119905119905isin119879) where

(1) (119871 120574 119879) is the transition system such that

(i) 119871 = 1198711times1198712timessdot sdot sdottimes119871

119899is a set of control locations

(ii) 119879 sube 119871 times 120574 times 119871 contains transitions 119905 =

((1198971 119897119899) 119886 (119897

1015840

1 119897

1015840

119899)) obtained by synchro-

nization of sets of transitions 119905119894= (119897119894 119901119894 1198971015840

119894) isin

119879119894119894isin119868

such that 119901119894119894isin119868

= 119886 isin 120574 and 1198971015840119895= 119897119895if

119895 notin 119868 for arbitrary 119868 sube 1 119899

(2) 119883 = ⋃119899

119894=1119883119894and for 119886 isin 120574 the transition

trans(119886) resulting from the synchronization of a setof transitions 119905

119894119894isin119868 the associated guard and update

predicate are respectively 119892119905= ⋀119894isin119868119892119905119894and 119891

119905=

⋀119894isin119868119891119905119894and ⋀119894notin119868(1198831015840

119894= 119883119894)

A typical transition system (eg a component119861) containscontrol states usually the programcounterwhich takes valuesfrom the set of control locations Control states are definedby formulas of the form (at 119897

119894) where 119897

119894isin 119871 Additionally

we assume that for each transition 119905 = (119897119894 119901 119897119895) isin 119879 we get

a transition formula written as at 119897119894and 119892119905(x) 997891rarr 119891

119905(x x1015840) at 119897

119895

where x isin 119883

Definition 1 (component system) A component system isdenoted by S = (119861 Init) where 119861 is a component (atomicor compound component) and Init is the initial predicate ofthe system





Φ = ⋁119897isin119871



1015840)at 1198971015840and post

119905(120593119897)) where

post119905(120593(119883)) = exist119883

1015840sdot(119892119905(1198831015840)and119891119905(1198831015840 119883)and120593(119883







119897isin119871at 119897 and

(⋁119898isin119872119897






119897119898to the







1015840) isin 119879 post

119905(120593) and

1205931015840= false




1 119861

119899) can be


119861119894⟨Φ119894⟩119899

119894 Ψ isin II (1198611205721

1 119861

120572119899

119899 120574) (⋀

119899

119894Φ119894) and Ψ rArr Φ

120574 (1198611 119861

119899) ⟨Φ⟩

(1)where 119861

119894⟨Φ119894⟩ means that Φ







119894 denoted by 119861

120572119894

119894 is


119894 In the

abstract system 120574(1198611205721

1 119861

120572119899






⟨120574(1198611 119861


Φ1 Φ


119894


119894and


120572=

120574(1198611205721

1 119861

120572119899


1 119861

119899) with





Init120572 = ⋁120601isinΦ120572

0

at 120601 where Φ1205720= 120601 isin Φ

120572| 120572minus1(120601) and



120572119899

119899) is an

abstraction of 119861 = 120574(1198611 119861







1205721

1 119861

120572119899

119899) without


1205721

1 119861

120572119899

119899) where

119861120572119894

119894= (Φ120572119894



119894=1Φ120572119894


byΦ120572996354 = ⋃120601isinΦ120572 120601996354where 120601996354 = 120591

119894119894isin119868| forall119894 sdot 120591


119894=






120572119899

119899) where 119861120572119894

119894=

(Φ120572119894


⋃119899

119894=1Φ120572119894

119894such thatΦ120572996354 sube 996354Φ120572


1205721

1 119861

120572119899


⋃119899

119894=1Φ120572119894



S120572





1015840= 120572(at 1198971015840 and 120593

1015840) we











where 119861120572 = 120574(11986112057211 119861

120572119899

119899) and 119861120572119894

119894= (Φ120572119894

119894 119875119894 999492999484119894) Formally



1 120601

119899)120601119894isinΦ120572119894

119894


119894

120601119894isin Φ


((1206011 120601

119899) 119886 (120601

1015840

1 120601

1015840


T(120601 1206011015840) where 120601 = ⋀120601119894isinΦ120572119894

119894

120601119894and 1206011015840 = ⋀

1206011015840

119894isinΦ120572119894

119894

1206011015840

119894



120572)



120572) if













If 119877119890119886119888ℎTminus1(120601) cap 119868119899119894119905120572




120601119894isinΦ120572119894

119894

120601119894



1015840| exist120601 sdot (T(1206011015840 120601) and



119899

119894=1Φ119894and Φ

119894= |Φ120572










120601119890= at 119897 and 120593

119890such that 120593

119890rArr 120593 (Dec

0) We can partition

120601120572 into two states 120601

119890and 1206011015840 120601

119890= at 119897 and 120593

119890and 1206011015840 = at 119897 and 1205931015840


119890or 1206011015840= 120601120572 and




1205911(120572minus1(120601120572

1)sdot120593)and120572

minus1(120601119890)sdot120593 = false

and post1205912(120572minus1(120601120572

2) sdot 120593) and 120572


1) hold We




120601119890of 120601120572 and 120601120572



119894 119901119894 120601120572) isin999492999484


119894) sdot 120593) and 120572


2) we



119890


119894 (120601120572 119901119894 120601120572

119894) isin999492999484 such that


minus1(120601120572



from 120601 to 120601120572119894

Theorem 10 If S120572119903119890119891



of 119861120572119903119890119891



1 119909)119901

997888rarr (119897 1199091015840) and 120572minus1(120601120572

1) = at 119897

1and 1205931 then


1

119901

999492999484 120601120572 If 120593




119890) and1206011015840 = 120572(at 119897and1205931015840)



120601120572

1

119901

999492999484 120601 or 1206011205721

119901


120572



invariant of 119861


119894





119894=1(|Φ120572

119894| sdot |999492999484119894|2))






Dec0

Dec1

Dec2

Dec3

Return splitted

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

Error

ErrorError

=

=


ne 0


120601120572 = 120601e or 120601998400 and

120593e or 120601998400= false

Φ120572 = (Φ120572120601120572) cup 120601e cup


Add 120601120572ip999492

p999492

p999492

120601e(or 120601120572i 120601998400) to 999492

p999492(or 120601120572i120601998400 ) to 999492

Add 120601e 120601120572i

t l and 120593e

⋀120601iisinΦ

120572119894i

Figure 1




Theorem 11 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound





119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890


119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894


119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896



119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)







Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound



Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound










0 1198921 1198922 1198923 a variable



1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra













Φ = ⋁119897isin119871



1015840)at 1198971015840and post

119905(120593119897)) where

post119905(120593(119883)) = exist119883

1015840sdot(119892119905(1198831015840)and119891119905(1198831015840 119883)and120593(119883







119897isin119871at 119897 and

(⋁119898isin119872119897






119897119898to the







1015840) isin 119879 post

119905(120593) and

1205931015840= false




1 119861

119899) can be


119861119894⟨Φ119894⟩119899

119894 Ψ isin II (1198611205721

1 119861

120572119899

119899 120574) (⋀

119899

119894Φ119894) and Ψ rArr Φ

120574 (1198611 119861

119899) ⟨Φ⟩

(1)where 119861

119894⟨Φ119894⟩ means that Φ







119894 denoted by 119861

120572119894

119894 is


119894 In the

abstract system 120574(1198611205721

1 119861

120572119899






⟨120574(1198611 119861


Φ1 Φ


119894


119894and


120572=

120574(1198611205721

1 119861

120572119899


1 119861

119899) with





Init120572 = ⋁120601isinΦ120572

0

at 120601 where Φ1205720= 120601 isin Φ

120572| 120572minus1(120601) and



120572119899

119899) is an

abstraction of 119861 = 120574(1198611 119861







1205721

1 119861

120572119899

119899) without


1205721

1 119861

120572119899

119899) where

119861120572119894

119894= (Φ120572119894



119894=1Φ120572119894


byΦ120572996354 = ⋃120601isinΦ120572 120601996354where 120601996354 = 120591

119894119894isin119868| forall119894 sdot 120591


119894=






120572119899

119899) where 119861120572119894

119894=

(Φ120572119894


⋃119899

119894=1Φ120572119894

119894such thatΦ120572996354 sube 996354Φ120572


1205721

1 119861

120572119899


⋃119899

119894=1Φ120572119894



S120572





1015840= 120572(at 1198971015840 and 120593

1015840) we











where 119861120572 = 120574(11986112057211 119861

120572119899

119899) and 119861120572119894

119894= (Φ120572119894

119894 119875119894 999492999484119894) Formally



1 120601

119899)120601119894isinΦ120572119894

119894


119894

120601119894isin Φ


((1206011 120601

119899) 119886 (120601

1015840

1 120601

1015840


T(120601 1206011015840) where 120601 = ⋀120601119894isinΦ120572119894

119894

120601119894and 1206011015840 = ⋀

1206011015840

119894isinΦ120572119894

119894

1206011015840

119894



120572)



120572) if













If 119877119890119886119888ℎTminus1(120601) cap 119868119899119894119905120572




120601119894isinΦ120572119894

119894

120601119894



1015840| exist120601 sdot (T(1206011015840 120601) and



119899

119894=1Φ119894and Φ

119894= |Φ120572










120601119890= at 119897 and 120593

119890such that 120593

119890rArr 120593 (Dec

0) We can partition

120601120572 into two states 120601

119890and 1206011015840 120601

119890= at 119897 and 120593

119890and 1206011015840 = at 119897 and 1205931015840


119890or 1206011015840= 120601120572 and




1205911(120572minus1(120601120572

1)sdot120593)and120572

minus1(120601119890)sdot120593 = false

and post1205912(120572minus1(120601120572

2) sdot 120593) and 120572


1) hold We




120601119890of 120601120572 and 120601120572



119894 119901119894 120601120572) isin999492999484


119894) sdot 120593) and 120572


2) we



119890


119894 (120601120572 119901119894 120601120572

119894) isin999492999484 such that


minus1(120601120572



from 120601 to 120601120572119894

Theorem 10 If S120572119903119890119891



of 119861120572119903119890119891



1 119909)119901

997888rarr (119897 1199091015840) and 120572minus1(120601120572

1) = at 119897

1and 1205931 then


1

119901

999492999484 120601120572 If 120593




119890) and1206011015840 = 120572(at 119897and1205931015840)



120601120572

1

119901

999492999484 120601 or 1206011205721

119901


120572



invariant of 119861


119894





119894=1(|Φ120572

119894| sdot |999492999484119894|2))






Dec0

Dec1

Dec2

Dec3

Return splitted

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

Error

ErrorError

=

=


ne 0


120601120572 = 120601e or 120601998400 and

120593e or 120601998400= false

Φ120572 = (Φ120572120601120572) cup 120601e cup


Add 120601120572ip999492

p999492

p999492

120601e(or 120601120572i 120601998400) to 999492

p999492(or 120601120572i120601998400 ) to 999492

Add 120601e 120601120572i

t l and 120593e

⋀120601iisinΦ

120572119894i

Figure 1




Theorem 11 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound





119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890


119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894


119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896



119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)







Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound



Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound










0 1198921 1198922 1198923 a variable



1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra












1205721

1 119861

120572119899

119899) without


1205721

1 119861

120572119899

119899) where

119861120572119894

119894= (Φ120572119894



119894=1Φ120572119894


byΦ120572996354 = ⋃120601isinΦ120572 120601996354where 120601996354 = 120591

119894119894isin119868| forall119894 sdot 120591


119894=






120572119899

119899) where 119861120572119894

119894=

(Φ120572119894


⋃119899

119894=1Φ120572119894

119894such thatΦ120572996354 sube 996354Φ120572


1205721

1 119861

120572119899


⋃119899

119894=1Φ120572119894



S120572





1015840= 120572(at 1198971015840 and 120593

1015840) we











where 119861120572 = 120574(11986112057211 119861

120572119899

119899) and 119861120572119894

119894= (Φ120572119894

119894 119875119894 999492999484119894) Formally



1 120601

119899)120601119894isinΦ120572119894

119894


119894

120601119894isin Φ


((1206011 120601

119899) 119886 (120601

1015840

1 120601

1015840


T(120601 1206011015840) where 120601 = ⋀120601119894isinΦ120572119894

119894

120601119894and 1206011015840 = ⋀

1206011015840

119894isinΦ120572119894

119894

1206011015840

119894



120572)



120572) if













If 119877119890119886119888ℎTminus1(120601) cap 119868119899119894119905120572




120601119894isinΦ120572119894

119894

120601119894



1015840| exist120601 sdot (T(1206011015840 120601) and



119899

119894=1Φ119894and Φ

119894= |Φ120572










120601119890= at 119897 and 120593

119890such that 120593

119890rArr 120593 (Dec

0) We can partition

120601120572 into two states 120601

119890and 1206011015840 120601

119890= at 119897 and 120593

119890and 1206011015840 = at 119897 and 1205931015840


119890or 1206011015840= 120601120572 and




1205911(120572minus1(120601120572

1)sdot120593)and120572

minus1(120601119890)sdot120593 = false

and post1205912(120572minus1(120601120572

2) sdot 120593) and 120572


1) hold We




120601119890of 120601120572 and 120601120572



119894 119901119894 120601120572) isin999492999484


119894) sdot 120593) and 120572


2) we



119890


119894 (120601120572 119901119894 120601120572

119894) isin999492999484 such that


minus1(120601120572



from 120601 to 120601120572119894

Theorem 10 If S120572119903119890119891



of 119861120572119903119890119891



1 119909)119901

997888rarr (119897 1199091015840) and 120572minus1(120601120572

1) = at 119897

1and 1205931 then


1

119901

999492999484 120601120572 If 120593




119890) and1206011015840 = 120572(at 119897and1205931015840)



120601120572

1

119901

999492999484 120601 or 1206011205721

119901


120572



invariant of 119861


119894





119894=1(|Φ120572

119894| sdot |999492999484119894|2))






Dec0

Dec1

Dec2

Dec3

Return splitted

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

Error

ErrorError

=

=


ne 0


120601120572 = 120601e or 120601998400 and

120593e or 120601998400= false

Φ120572 = (Φ120572120601120572) cup 120601e cup


Add 120601120572ip999492

p999492

p999492

120601e(or 120601120572i 120601998400) to 999492

p999492(or 120601120572i120601998400 ) to 999492

Add 120601e 120601120572i

t l and 120593e

⋀120601iisinΦ

120572119894i

Figure 1




Theorem 11 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound





119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890


119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894


119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896



119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)







Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound



Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound










0 1198921 1198922 1198923 a variable



1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra














If 119877119890119886119888ℎTminus1(120601) cap 119868119899119894119905120572




120601119894isinΦ120572119894

119894

120601119894



1015840| exist120601 sdot (T(1206011015840 120601) and



119899

119894=1Φ119894and Φ

119894= |Φ120572










120601119890= at 119897 and 120593

119890such that 120593

119890rArr 120593 (Dec

0) We can partition

120601120572 into two states 120601

119890and 1206011015840 120601

119890= at 119897 and 120593

119890and 1206011015840 = at 119897 and 1205931015840


119890or 1206011015840= 120601120572 and




1205911(120572minus1(120601120572

1)sdot120593)and120572

minus1(120601119890)sdot120593 = false

and post1205912(120572minus1(120601120572

2) sdot 120593) and 120572


1) hold We




120601119890of 120601120572 and 120601120572



119894 119901119894 120601120572) isin999492999484


119894) sdot 120593) and 120572


2) we



119890


119894 (120601120572 119901119894 120601120572

119894) isin999492999484 such that


minus1(120601120572



from 120601 to 120601120572119894

Theorem 10 If S120572119903119890119891



of 119861120572119903119890119891



1 119909)119901

997888rarr (119897 1199091015840) and 120572minus1(120601120572

1) = at 119897

1and 1205931 then


1

119901

999492999484 120601120572 If 120593




119890) and1206011015840 = 120572(at 119897and1205931015840)



120601120572

1

119901

999492999484 120601 or 1206011205721

119901


120572



invariant of 119861


119894





119894=1(|Φ120572

119894| sdot |999492999484119894|2))






Dec0

Dec1

Dec2

Dec3

Return splitted

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

Error

ErrorError

=

=


ne 0


120601120572 = 120601e or 120601998400 and

120593e or 120601998400= false

Φ120572 = (Φ120572120601120572) cup 120601e cup


Add 120601120572ip999492

p999492

p999492

120601e(or 120601120572i 120601998400) to 999492

p999492(or 120601120572i120601998400 ) to 999492

Add 120601e 120601120572i

t l and 120593e

⋀120601iisinΦ

120572119894i

Figure 1




Theorem 11 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound





119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890


119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894


119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896



119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)







Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound



Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound










0 1198921 1198922 1198923 a variable



1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Dec0

Dec1

Dec2

Dec3

Return splitted

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

Error

ErrorError

=

=


ne 0


120601120572 = 120601e or 120601998400 and

120593e or 120601998400= false

Φ120572 = (Φ120572120601120572) cup 120601e cup


Add 120601120572ip999492

p999492

p999492

120601e(or 120601120572i 120601998400) to 999492

p999492(or 120601120572i120601998400 ) to 999492

Add 120601e 120601120572i

t l and 120593e

⋀120601iisinΦ

120572119894i

Figure 1




Theorem 11 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound





119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890


119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894


119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896



119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)







Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound



Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound










0 1198921 1198922 1198923 a variable



1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra











119899) 119868119899119894119905) property Φ

Output 119905119903119906119890 or 119891119886119897119904119890(1) Φ

119894= 119905119903119906119890 for each 119894 = 1 119899 119877119890119891119894119899119886119887119897119890 = 119905119903119906119890


119894based on 119861

119894

(4) Φ119894= Φ119894and Φ1015840

119894


119894and Φ

119894

(6) end(7) from 120574(119861

1205721

1 119861

120572119899

119899) compute 119871

1 1198712 119871

119898

(8) for 119896 larr 1 to 119898 do(9) Ψ

119896= ⋁120601isin119871119896

120572minus1(120601)

(10) end(11) Ψ = ⋀

119898

119896=1Ψ119896



119888

119877119890119891119894119899119886119887119897119890 = 119860119887119904119877119890119891119894119899119890119898119890119899119905(S120572 119864119903119903 Ψ)







Theorem 12 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound



Theorem 13 Let S = ⟨120574(1198611 119861

119899) 119868119899119894119905⟩ be a compound










0 1198921 1198922 1198923 a variable



1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra











1 119861

120572119899

119899) 119868119899119894119905

120572)


(1) 119877119890119891119894119899119890119889 = 119891119886119897119904119890 119864119903119903119868= 0 119864119903119903

119868119868= 0

(2) foreach Φ119888isin 119864119903119903 do

(3) 119864119903119903 = 119864119903119903 Φ119888

(4) 119868119899V119878119905119903Φ119888= 119868119899V119886119903119878119905119903119890119899119892119905ℎ119890119899(S120572 Φ

119888)

(5) if 119868119899V119878119905119903Φ119888= 119905119903119906119890 then

(6) 119864119903119903119868119868= 119864119903119903

119868119868cup Φ119888

(7) else(8) 119864119903119903

119868= 119864119903119903

119868cup Φ119888

(9) end(10) end(11) 119864119903119903 = 119864119903119903

119868119868

(12) if 119864119903119903119868119868= 0 then


119888isin 119864119903119903

119868119868do

(16) if 119878119901119897119894119905119860119887119904119905119903119886119888119905119894119900119899(S120572 Φ119888) = 119905119903119906119890 then

(17) 119877119890119891119894119899119890119889 = 119905119903119906119890


119903119890119891 compute


119888isin 119864119903119903

119868do

(22) Ψ = Ψ and 119868119899V119878119905119903Φ119888

(23) end(24) return 119877119890119891119894119899119890119889(25) end



y = 0z = 0

z = 1Exit t

Tick

Tick

Tickx = x +1

x = x +1

x = x +1

Approach

Exit

LowerRaise

Tick

Lower

Raise

g

Exit

Tick

Approach

Tick

Approach

Exit

Tick

Lower

Raise

Lower

Raise

t g

g


x le 5

x le 5 Tick

Tick

z = z +1

z = z +1

Ticky = y +1

z = z +1 z le 1

TickTick

y = y +1y = y +1 y le 1

Tickz = z +1z le 1

Ticky = y +1y le 2

x ge 3 y ge 1

lfar lnear

lin

lc1lc0

lc3 lc2

lg1lg0

lg3 lg2



1198880and 119911 ge 0) or (119897

1198881and

0 le 119911 le 1) or (1198971198882and 119911 ge 1) or (119897

1198883and 0 le 119911 le 1)


1198991 1206011198992 1206011198993 120601in 120601far 12060111988811 12060111988812 1206011198882 12060111988831 12060111988832 1206011198880 12060111989211 12060111989212

1206011198922 12060111989231 12060111989232 1206011198920 (see Table 1)


Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Table 1


1206011198991= 119897near and 119909 = 0 120601

11988811= 1198971198881and 119911 = 0 120601

11989211= 1198971198921and 119910 = 0

1206011198992= 119897near and 1 le 119909 le 2 120601

11988812= 1198971198881and 119911 = 1 120601

11989212= 1198971198921and 119910 = 1

1206011198993= 119897near and 3 le 119909 le 5 120601

1198882= 1198971198882and 119911 ge 1 120601

1198922= 1198971198922and 119910 ge 0

120601in = 119897in and 3 le 119909 le 5 12060111988831= 1198971198883and 119911 = 0 120601

11989231= 1198971198923and 119910 = 0

120601far = 119897far and 119909 ge 3 12060111988832= 1198971198883and 119911 = 1 120601

11989232= 1198971198923and 1 le 119910

1206011198880= 1198971198880and 119911 ge 0 120601

1198920= 1198971198920and 119910 ge 1





1 1198972 a variable 119905

1 three



2



1 tick2


1and (1199051= 3600) and 119897

3and (1199052= 3600)


1= (1198971and 1199051ge 0) or (119897

2and 1199051ge 3600)

Φ2= (1198973and 1199052ge 0) or (119897

4and 1199051ge 3600) and Φ

3= (1198975and 100 le



11 12060112 12060121 12060122 12060131 12060132 12060141 12060142 12060151 12060152 12060161 12060162


1= 12060121 12060141 12060151 12060152 1198712=

12060111 12060112 12060121 12060131 12060132 12060141 1198713= 12060132 12060141 12060142 12060151 1198714=

12060111 12060112 12060131 12060132 12060161 12060162 and 119871

5= 12060112 12060121 12060122 12060151 After



5

119894=1Ψ119894


5and 120579 lt 1000))⋀(not(119897

6and

120579 = 100) ornot1198972)⋀(not(119897

6and120579 gt 100))⋀(not(119897

5and120579 = 1000) ornot(119897

3and

1199052ge 3600))⋀(not(119897

5and 120579 = 1000) or not(119897

1and 1199051ge 3600))⋀(not(

6and






(1) Φ1198881= (1198971and 1 le 119905

1lt 3600) and (119897

3and 1 le 119905

2lt 3600) and

(1198975and 120579 = 1000)

(2) Φ1198882= (1198971and1 le 119905

1lt 3600)and (119897

4and1199052ge 3600)and (119897

5and120579 =

1000)

(3) Φ1198883= (1198972and1199051ge 3600)and (119897

3and1 le 119905

2lt 3600)and (119897

5and120579 =

1000)



1198881Φ1198882 and



2= 12060112and 12060142and 12060152

and Φ3= 12060121and


1198882and Φ



3are unreachable







1198882and Φ




12= 1198971and 1199051ge 1

into 120601121

= 1198971and 1 le 119905

1lt 3600 and 120601

122= 1198971and 1199051ge 3600

state 12060132= 1198973and 1199052ge 1 into 120601

321= 1198973and 1 le 119905

2lt 3600 and

120601322

= 1198973and 1199052ge 3600 state 120601

52= 1198975and 101 le 120579 le 1000

into 120601521

= 1198975and 101 le 120579 lt 1000 and 120601

522= 1198975and 120579 = 1000




1198881 EFΦ

1198882 and EFΦ

1198883 which




1198882and EFΦ



and Φ1198883



11987512 11987552 and 11987532 (refer to 12060112 12060152 and 120601

32 resp) have



Φ1198881




Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Approach

Exit

t

Tick

t

Tick

Exit

Tick

ApproachTick

Tick

Tick

Tick

Approach

Exit

Lower

Raise

Approach

Tick

Lower

ExitTick

Tick

RaiseRaise

tickLower

Raise

Tick

g

Tick Tick

TickTick

Tick Lower

ggg

RaiseTick

Tick


120601far

120601in

120601n2

120601n3

120601n1

120601c12

120601c11

120601c32 120601c31

120601c2

120601c0 120601g0

120601g32

120601g2120601g31

120601g11

120601g12


Tick1

Tick1

Tick 2

Tick 2Tick 2

Cool

Heat

Tick

Cool Heat

Controller

Cool1

Cool1

t1 = t1 + 1t2 = t2 + 1

t1 ge 3600Cool2

t2 ge 3600t1 = 0

Rod1 Rod2

Tick 120579 lt 1000

120579 = 1000 120579 = 100

l1

l2

l5

l4l6

l3

Tick 120579 gt 100120579 = 120579 minus 2

120579 = 120579 + 1

Rest1 Cool2Rest2

Rest1

t2 = 0

Rest2

Tick1


Tick

Cool Heat

Tick

Tick

Tick

Cool

Tick

HeatCool1 Cool2


Rest2Rest2Rest1

Rest1

Tick1Tick2

Tick2

Tick2

Tick2

Tick2

Tick1 Tick1

Tick1

Tick112060111 12060151 12060152

12060132

12060141

12060131

1206014212060162 1206016112060122 12060121

12060112




Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra










Tick

Tick

Tick

Tick

Cool

Tick

Heat

Tick

Cool Heat

Cool1 Cool2

Cool1 Cool2Rest1

Rest1Rest1

Tick1

Tick1Tick1Tick1

Tick1

Tick1 Tick2

Tick2

Tick2

Tick2Tick2 Tick2

Tick2Tick1

12060111

120601521

12060151 120601522

120601321

120601322

12060141

12060131

1206014212060162 1206016112060122 12060121

120601121

120601122


Rest2Rest2

Rest2




1198881


1198882


1198883



7 Conclusions





Acknowledgments


References




























Volume 2014




Journal of











Journal of


Function Spaces






Algebra





























Volume 2014




Journal of











Journal of


Function Spaces






Algebra









Research Article Compositional Abstraction Refinement for ...of state explosion in concurrent model...

Documents

Transcript of Research Article Compositional Abstraction Refinement for ...of state explosion in concurrent model...