NORMAS QUE DEBEN CUMPLIR…

above) are isomorphic.

Proof. Because GI has a single location lgwithout any edges and the synchron-isation alphabet is empty, l 7→ hl^g,li is a bijection between the locations of the parallel composition and relabelling semantics of e and GI k e and the two PTA are isomorphic (up to deadlines and invariants). In the following, we denote the PTA that makes up the aforementioned semantics of a process algebraic expression e by [e].

It remains to show (indicated by⇔) that the time progress conditions for^? all l and hlg,li are equivalent, i.e. that for all l ∈ Loc[e], we have

∀t⁰<t :J¬^Whg,d,a,μi∈E[e](l)dK(v +t⁰)⇔ ∀t^{? 0}≤ t :JInv[e](hlg,li)K(v +t⁰)

⇔ ∀t⁰<t :J^Vhg,d,a,μi∈E[e](l)¬dK(v +t⁰)⇔ ∀t^{? 0}≤ t :J^V_a∈A(e)gi_a(e)K(v +t⁰)

⇔ ∀t⁰≤ t :J^Vhg,d,a,μi∈E[e](l)Conv(d)K(v +t⁰)⇔ ∀t^{? 0}≤ t :J^V_a∈A(e)gi_a(e)K(v +t⁰)

⇐ ^Vhg,d,a,μi∈E[e](l)Conv(d)⇔^{? V}_a∈A(e)gi_a(e)

The last equivalence is in particular satisfied if we have that

∀l ∈ Loc[e],a ∈ A(e): ^Vhg,d,a,μi∈E[e](l)Conv(d) ⇔ gia(e).

We will now show this by induction over the structure of e, using ∗ to mark steps where the induction hypothesis was applied:

1. Case e = M:

gi_a(e) = gia(M)

= ^V_l0∈LocM

P_l^M₀ ⇒^Vhg,d,a,μi∈EM(l⁰)Conv(d)

⇔ ^Vhg,d,a,μi∈EM(l)Conv(d) (def. of P_l^M)

= ^Vhg,d,a,μi∈E[e](l)Conv(d) 2. Case e = f (e⁰):

gi_a(e) = gi_a( f (e⁰))

= ^V_{b: f(b)=a}gi_b(e⁰)

⇔∗ ^Vb: f(b)=aV

hg,d,b,μi∈E_[e0](l)Conv(d)

⇔ ^Vhg,d,a,μi∈E_{[ f (e0)]}(l)Conv(d)

= ^Vhg,d,a,μi∈E[e](l)Conv(d) 3. Case e = e1k e²:

Let l = hl1,l2i, i.e. the lⁱare the component locations of the [ei] that make up l. We consider three subcases:

(a) Case a /∈ A(e1) ∩ A(e2) \ {τ}:

gi_a(e) = gi_a(e1k e2)

= gi_a(e1) ∧ gia(e2)

⇔∗ ^Vhg1,d₁,a,μ₁i∈E_[e1](l₁)Conv(d1) ∧^V_hg2,d₂,a,μ₂i∈E_[e2](l₂)Conv(d2)

⇔ ^V_hgi,d_i,a,μi×D(h∅,l3−ii)i∈E_[e1ke2](hl1,l₂i)Conv(di)

⇔ ^Vhg,d,a,μi∈E[e](l)Conv(d)

(b) Case a ∈ A(e1) ∩ A(e2) \ {τ}, and there is no edge labelled a from at least one of l1or l2:

gi_a(e) = gi_a(e1k e2)

= Ena(e1) ∧ Ena(e2) ⇒ gia(e1) ⊗ gia(e2)

⇔ false ⇒ gia(e1) ⊗ gia(e2)

⇔ true

⇔ ^Vhg,d,a,μi∈E[e](l)Conv(d) (@hg,d,a,μ_{i ∈ E[e]}(l))

(c) Case a ∈ A(e1) ∩ A(e2) \ {τ}, and there are edges labelled a from both l1and l2:

gi_a(e) = gi_a(e1k e²)

= Ena(e1) ∧ Ena(e2) ⇒ gia(e1) ⊗ gia(e2)

⇔ gia(e1) ⊗ gia(e2)

⇔∗ ^Vhg1,d₁,a,μ₁i∈E_[e1](l₁)Conv(d1)⊗^V_hg2,d₂,a,μ₂i∈E_[e2](l₂)Conv(d2)

⇔ ^V_hg1∧g2,d₁⊗d2,a,μ1×μ2i∈E_[e1ke2](hl1,l₂i)Conv(d1) ⊗ Conv(d2)

⇔ ^V_hg1∧g2,d₁⊗d2,a,μ1∙μ2i∈E_[e1ke2](hl1,l₂i)Conv(d1⊗ d2)

⇔ ^Vhg,d,a,μi∈E[e](l)Conv(d)

Example 34. For the PTA in Example33, assuming that a is patient, the global invariant computed according to Definition68is

P_a^M1∧ Pa^M2 ⇒ (P1^M1⇒ x ≤ 5) ∨ (PA^M2 ⇒ x ≤ 3).

Since P_a^M1⇔ P1^M1and P_a^M2⇔ PA^M2, it is equivalent to what we intuitively expect:

P₁^A1∧ PA^A2 ⇒ x ≤ 5 ∨ x ≤ 3

5.3 Modelling

MODESTallows the specification of models that represent networks of VPTA with deadlines and invariants. Clock variables can be introduced into a model by simply declaring a variable of typeclock. Variables declared in this way can only be set to zero in assignments. To enable or disable edges over time, clock constraints can simply be used in the expressions for guards specified withwhen. In order to control the passage of time itself, MODEST provides support for two new keywords that allow the addition of deadlines and invari-ants: urgentandinvariant, extending the grammar for process behaviours as follows:

P ::= ... |urgent(e) P |invariant(e) P |invariant(e){P}

where e ∈ Bxp with subexpressions involving clocks conforming to the syntax for clock constraints.

Deadlines Theurgentkeyword to associate a deadline with an edge follows the same pattern as thewhenkeyword for guards. Its inference rule (with edge

labels as introduced in the previous section now consisting of a guard, a dead-line and an action label) is

P−−−→ W^g,d,a urgent(e) P−−−−→ W^g,d∨e,a

(urgent)

where e ∈ Bxp and W denotes a symbolic probability distributions over updates and target MODEST process behaviours (i.e. a function in Upd × P → Axp).

Note the use of ∨ to combine the new deadline with an existing one: The edge is now urgent, i.e. time cannot pass any more, if either the new or the existing deadline (or both) are satisfied. It would not be intuitive to use ∧ here instead because this would mean that the “addition” of a deadline leads to “less” ur-gency.

As mentioned, actions in MODESTcan be patient or impatient. When de-claring an action, that declaration is simply prefixed with either patientor impatient. If omitted, it is impatient by default. MODEST’s parallel compos-ition then deals with the composcompos-ition of deadlines using ⊗ ∈ {∧,∨} for patient or impatient actions just like the parallel composition operator for PTA with deadlines (cf. Equation (5.1)).

Invariants Location invariants can be specified by theinvariantkeyword.

For modelling convenience, it comes in two forms: as a dynamic operator that

“disappears” when an edge is taken (like thewhenorurgentconstructs), and as a static operator that remains in effect until the contained process behaviour terminates (liketry-catch). Syntactically, the difference is that the former looks like a guard or deadline, while the latter uses curly brackets around the process behaviour that it applies to. The inference rule for the dynamic operator case is very simple:

P−−−→ W^g,d,a invariant(e) P−−−→ W^g,d,a

(inv)

For the static operator case, some effort is needed to preserve the operation in the process behaviours in the support of the symbolic probability distribution.

The inference rule thus is as follows, with Q(P) =invariant(e) {P}:

P−−−→ W^g,d,a Q(P)−−−→ W ◦ M^{g,d,a −1}inv

(sinv) whereMinv(hU,P⁰i)=^def

(hU,Q(P⁰)i if P⁰6= X hU,P⁰i if P⁰=X The inference rules for the two variants of the invariant construct ignore the actual invariant expression e ∈ Bxp because it does not become part of the

Inv(P) = e ∧ Inv(Q) if P =invariant(e) Q or P =invariant(e) {Q}

Inv(P) = tt if P = act, P = actpalt{:w¹: U1; P1. . . :wk: Uk; Pk}, P =stop, P =abort, P =breakor

P =throw(excp)

Inv(P) = Inv(P1) if P = P1; P2or P =auxdo{P¹} {P²}

Inv(P) =^Vk_i=1Inv(Pi) if P =alt{::P1. . .::Pk}, P =do{::P1. . .::Pk} or P =par{::P1. . .::Pk}

Inv(P) = Inv(Q) if P =when(e) Q, P =urgent(e) Q,

P =relabel{I }by{G} Q, P =extend{H } Q, P =try{Q}catchexcp₁{P¹} ...catchexcp_k{P^k} or P = ProcName(e1, . . . ,ek) and ProcName is declared asprocessProcName(t1x1, . . . ,tnxk) {Q}

Table 5.2: The invariant function for MODESTprocess behaviours

edges, but is instead preserved as part of the function Inv that maps each loca-tion to an invariant. Remember that the localoca-tions of the VPTA semantics of a M^ODESTmodel are the M^ODESTprocess behaviours. The definition of Inv for process behaviours, and thus for the VPTA semantics of M^ODEST, is given in Table5.2. This is where the invariant expressions e are picked up to become part of the automaton.

Example 35. We can now model the timed channel and sender processes in MODESTthat we have built as PTA in previous examples. Figure5.5shows the MODESTcode that directly represents the channel PTA as shown in Figure5.1 (modulo renaming of snd_datatosnd). In Figure5.6, we show MODEST

code that combines the sender with timeout detection introduced in Figure5.2 with the bounded retransmission approach of the simple BRP sender from Ex-ample8. Observe that we use both deadlines and invariants, and that we opted for makingsnd_dataan impatient action that is urgent in the Sender process.

In M^ODEST, we can also simply writeurgentas a shorthand forurgent(true).

In the model of the sender, we have also made the edge that sets failure to true urgent, with deadline n == 0. This is to make sure that the assignment cannot be delayed indefinitely, but the progress of time is only restricted if the assignment is actually available—thus guard and deadline are the same. Since the affected edge is (implicitly) labelled τ, it cannot synchronise in parallel composition, so we could have usedinvariant(n 6= 0) with the same effect.

If we now take the simple probabilistic BRP model of Example19, replace its

process Channel() {

clock c;

snd palt { :95: {= c = 0 =};

invariant(c <= TD_MAX) alt { :: when(c >= TD_MIN) rcv

:: snd {= collision = true =}; stop }

: 5: {= c = 0 =};

invariant(c <= TD_MAX) alt { :: when(c >= TD_MIN) tau

:: snd {= collision = true =}; stop }

};

Channel() }

Figure 5.5: The lossy comm. channel with transmission delay in M^ODEST

impatient action snd_data;

process Sender(int n) {

clock c;

urgent(true) snd_data {= n = n - 1 =};

invariant(c <= TS) alt { :: rcv_ack {= success = true =}

:: when(c >= TS) timeout;

alt {

:: when(n > 0) Sender(n) // retry

:: when(n == 0) urgent(n == 0) {= failure = true =};

stop // deadlock on failure }

} }

Figure 5.6: The simple BRP sender with timeout detection in MODEST

channel and sender processes by the ones introduced here (thereby also rela-belling snd back tosnd_datawhere appropriate), and add deadline true to thesnd_ackin the receiver, then we get what we call the simple probabilistic-timed BRP.

5.4 Properties

For PTA, we consider two classes of properties: those that refer to the prob-ability of reaching a certain set of states (extending the reachprob-ability properties of the previous chapters by timed aspects), and those that refer to the expected value of certain random variables given by so-called rewards.

5.4.1 Reachability

To specify properties to verify on PTA models, we can use standard probab-ilistic reachability properties as we know them from MDP. To include timing requirements, they can be extended to probabilistic timed reachability prop-erties, which include the popular special case of probabilistic time-bounded reachability.

Probabilistic timed reachability Probabilistic reachability properties in the form that we already used for MDP are directly applicable to PTA as well:

Pmax(φ^{) –and–} Pmin(φ) (quantitative form) P(φ) ∼ x (qualitative form) In order to express timed requirements, such as the probability of eventually reaching a certain state within t time units, simple clock constraints can be included in the set of atomic propositions AP of a PTA. Although they cannot sensibly be used by its labelling function L (since there is no way to know whether a clock constraint is satisfied in a certain location), they are treated specially by the PTA semantics of Definition 61to become part of the state labelling in the underlying TPTS whenever they are satisfied for the current valuation of the clock variables. Allowing clock constraints in state formulas leads to the class of probabilistic timed reachability properties. This new class in particular includes probabilistic time-bounded reachability: A property with time bound TB can be specified by adding a clock cBto the PTA that is never reset and including the clause cB≤ TB in the property. In M^ODEST, such a clock is available inside properties with the nametimeand does not need to be declared explicitly.

The semantics of probabilistic timed reachability properties for PTA is simply defined as their semantics on the underlying TPTS. In order to give

In document Impacto fiscal del IDE en el flujo de efectivo del ejercicio 2008, en la empresa combustibles del sur S.A. de C.V (página 84-92)