1 Timed CTL Model Checking Region Automata Kim Guldstrand Larsen Paul Pettersson BRICS@Aalborg UPPAAL T-shirt to (identifiable) download no 40.

1

Timed CTLModel CheckingRegion Automata

Kim Guldstrand LarsenPaul Pettersson

BRICS@Aalborg

UPPAAL T-shirt to (identifiable)

download no 40

IDA foredrag 20.4.99 2

Timed CTL

3Real Time Systems, DTU, February 21., 2000 Kim G. Larsen & Paul Pettersson UCb

Light Switch

Switch may be turned on whenever at least 2 time units has elapsed since last “turn off”

Light automatically switches off after 9 time units.

push

pushclick

9y


Semantics

clock valuations:state:Semantics of timed automata is a labeled

transition systemwhere

action transition

delay Transition

)(),( CVvandLlwherevl

})(|),({ LlandCVvvlS

0:)( RCvCV

),( S

0')')((

),(),(

RddwheneverdvlInv

iffdvlvl d

g a rl l’

)')('(][')(

)','(),(

vlInvandrvvandvg

iffvlvl a


Semantics: Example

...)9,0,()9),3(9,(

)3,3,(),0,(

),()0,(

)5.3,()0,(

)3(93

5.3

yxoffyxon

yxonyxon

yxonyxon

yxoffyxoff

click

push

push

push

pushclick

9y


TCTL = CTL + Time

inz

clocksformulaDz

nspropositioautomicAPp

,,

,,

constraints over formula clocks and automata clocks

“freeze operator” introduces new formula clock z

E[ U ], A[ U ] - like in CTL

No EX


Derived Operators

Along any path holds continuously until within 7 time units

becomes valid.

=

=

The property may becomes valid within 5 time units.


Light Switch (cont)

push

pushclick

9y

onx

onx

xoff

xoff

xoff

offon

offon

yx

U E

U A

U E

U A

U A

)AFAG(

)AFAG(

)AG(

2

2

3

3

2

9


Timeliness Properties

receive(m) always occurs within 5 time units after send(m)

receive(m) may occur exactly 11 time units after send(m)

putbox occurs periodically (exactly) every 25 time units

(note: other putbox’s may occur in between)


A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s ProtocolA simple MUTEX Algorithm

21 CSCS AG


A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s ProtocolA simple MUTEX Algorithm

Y<1

X:=0

Y:=0

X>1

Y>1

X<1

12

212

21

CS

CSCS

CSCS

EF

AF

AG


Paths

Example:

push

pushclick

9y

...)9,0,()9),3(9,(

)3,3,(),0,(

),()0,(

)5.3,()0,(

)3(93

5.3

yxoffyxon

yxonyxon

yxonyxon

yxoffyxoff

click

push

push


Elapsed time in path

...)9,0,()9),3(9,(

)3,3,(),0,(

),()0,(

)5.3,()0,(

)3(93

5.3

yxoffyxon

yxonyxon

yxonyxon

yxoffyxoff

click

push

push

Example:


TCTL Semanticss - (location, clock valuation)

w - formula clock valuation

PM(s) - set of paths from s

Pos() - positions in ,i) - elapsed time

(i,d) <<(i’,d’) iff (i<j) or ((i=j) and (d<d’))


Region AutomataModel Checking


Infinite State Space?


RegionsFinite partitioning of state space

x

y ”Definition”

.properties

samesatisfy and

or

automata. timed

any of locationany for

iff

(l,w')(l,w)

l

w'lBehwl Behww ),(),('

1 2 3

1

2

'ww



x

y ”Definition”

.properties

samesatisfy and

or

automata. timed

any of locationany for

iff

(l,w')(l,w)

l

w'lBehwl Behww ),(),('

1 2 3

1

2

'ww

max determinedby timed automata(and formula)



x

y Definition

max

'

n

nxxnx

w'www

jii

where

and

form the

of conditions same exact the

satisfy and iff

1 2 3

1

2

max determinedby timed automata(and formula)

'ww

Alternativeto JPK



x

y Definition

max

'

n

nxxnx

w'www

jii

where

and

form the


satisfy and iff

An equivalence class (i.e. a region)in fact there is only a finite number of regions!!

1 2 3

1

2



x

y Definition

max

'

n

nxxnx

w'www

jii

where

and

form the


satisfy and iff

An equivalence class (i.e. a region)

Successor regions, Succ(r)

r

1 2 3

1

2



x

y

Definition

max

'

n

nxxnx

w'www

jii

where

and

form the


satisfy and iff

An equivalence class (i.e. a region) r

{x}r

{y}r

r

Resetregions

sat

sat

then Whenever

','

,

''

vl,u

vl,u

vuuv

THEOREM

1 2 3

1

2


Region graph of a simple timed automata


Fischers again A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2Y<1

X:=0

Y:=0

X>1

Y>1

X<1

21 CSCS AG

A1,A2,v=1

A1,B2,v=2

A1,CS2,v=2

B1,CS2,v=1

CS1,CS2,v=1

Untimed case

A1,A2,v=1x=y=0

A1,A2,v=10 <x=y <1

A1,A2,v=1x=y=1

A1,A2,v=11 <x,y

A1,B2,v=20 <x<1

y=0

A1,B2,v=20 <y < x<1

A1,B2,v=20 <y < x=1

y=0

A1,B2,v=20 <y<1

1 <x

A1,B2,v=21 <x,y

A1,B2,v=2y=11 <x

A1,CS2,v=21 <x,y

No further behaviour possible!!

Timed case

PartialRegion Graph


Modified light switch


)AFAG(

)AFAG(

)AG(

offon

offon

yx

9

Reachable partof region graph

Properties


Roughly speaking....

Model checking a timed automata against a TCTL-formula amounts to

model checking its region graph against a CTL-formula

Model checking a timed automata against a TCTL-formula amounts to

model checking its region graph against a CTL-formula


Problem to be solved

Model Checking TCTL is PSPACE-hard


END

1 Timed CTL Model Checking Region Automata Kim Guldstrand Larsen Paul Pettersson BRICS@Aalborg UPPAAL T-shirt to (identifiable) download no 40.

Documents

larsen paul pettersson

time units

ctl time constraints

ctlformula slide

timed ctl slide

init v

ex slide

y1 y1 x slide