Model Checking of Timed Systems
Rajeev Alur, University of Pennsylvania
Jan 22, 2016
Model Checker

Advantages: automated formal verification; an effective debugging tool.

Traditional: finite-state systems (Boolean variables)
- Enumerative search with reduction heuristics: Spin, Murphi
- Symbolic search using BDDs: SMV, Cospan, VIS, Mocha

Hybrid and real-time systems
- Continuous variables make the state space infinite
- Timed automata: decidability results, efficient symbolic data structures

[Figure: the model checker takes a model and a temporal property as input and answers "yes" or returns an error trace.]
Talk Outline

- Timed Automata: syntax and semantics
- Specification logic: Timed CTL
- Decidability: region-based partitioning
- Efficient implementation: zones and DBMs
- UPPAAL (www.docs.uu.se/docs/rtmv/uppaal)

Talk draft: thanks to Kim Larsen and Paul Pettersson.

UPPAAL

[Figure: screenshot of the UPPAAL tool.]
Timed Automata: Intelligent Light Control

[Figure: locations Off, Light and Bright, connected by transitions that are all labelled press?.]

WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Timed Automata: Intelligent Light Control

Solution: add a real-valued clock x.

[Figure: the same three locations Off, Light and Bright with the clock x: the press? transition from Off resets x (x:=0), the press? transition from Light to Bright is guarded by x<=3, and the press? transition from Light back to Off is guarded by x>3.]
Timed Automata (Alur & Dill 1990)

[Figure: locations n and m; the edge from n to m carries the guard x<=5 & y>3, the action a and the reset x := 0. Clocks: x, y.]

- Guard: Boolean combination of comparisons with integer bounds
- Reset: action performed on clocks
- Action: used for synchronization

State: ( location , x=v , y=u ) where v,u are in R.

Transitions:
- delay: ( n , x=2.4 , y=3.1415 ) -e(1.1)-> ( n , x=3.5 , y=4.2415 )
- action: ( n , x=2.4 , y=3.1415 ) -a-> ( m , x=0 , y=3.1415 )
Timed Safety Automata = Timed Automata + Invariants (Henzinger et al, 1992)

[Figure: the same automaton with location invariants x<=5 and y<=10 and edges guarded by g1, g2, g3, g4. Clocks: x, y; the edge from n to m keeps the guard x<=5 & y>3, the action a and the reset x := 0.]

Location invariants ensure progress!!

Transitions:
- ( n , x=2.4 , y=3.1415 ) -e(1.1)-> ( n , x=3.5 , y=4.2415 )
- ( n , x=2.4 , y=3.1415 ) -e(3.2)-> not allowed: after a delay of 3.2 the clock x would exceed the invariant x<=5 of n.
Clock Constraints

What can you express: constant lower and upper bounds on delays.
Why the restricted syntax: slight generalizations (e.g. allowing x = 2y) lead to undecidable model checking problems.
Timed (Safety) Automata: Light Switch

- The switch may be turned on whenever at least 2 time units have elapsed since the last "turn off".
- The light automatically switches off after 9 time units.

[Figure: the light switch automaton with actions push and click.]
Semantics

Clock valuations: $V(C) = C \to \mathbb{R}_{\ge 0}$

State: $(l, v)$ where $l \in L$ and $v \in V(C)$; the state set is $S = \{(l, v) \mid l \in L \text{ and } v \in V(C)\}$.

The semantics of a timed automaton is a labeled transition system $(S, \to)$ where

- delay transition: $(l, v) \xrightarrow{d} (l, v + d)$ iff $Inv(l)(v + d')$ whenever $d' \le d$, for $d \in \mathbb{R}_{\ge 0}$
- action transition: $(l, v) \xrightarrow{a} (l', v')$ iff $l \xrightarrow{g, a, r} l'$ and $g(v)$ and $v' = v[r := 0]$ and $Inv(l')(v')$
Semantics: Example

[Figure: a run of the light switch written as a sequence of states (location, x, y) joined by delay and action transitions: a delay of 3.5 in off, then push, then a delay of 3 in on, further push actions, and finally click when y = 9.]
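As an added example, not taken from the talk, the labeled transition system semantics above can be executed directly on the n/m automaton of the earlier slides (invariant x<=5 on n, y<=10 on m, edge n -a-> m with guard x<=5 & y>3 and reset x:=0). The constraint encoding as (clock, op, constant) triples, the class and function names, and the use of exact Fractions for clock values are assumptions of this example; everything else (the automaton, the states 2.4/3.1415, the delays 1.1 and 3.2) comes from the slides.

```python
from fractions import Fraction

# comparison operators allowed in guards and invariants (constant integer bounds only)
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def holds(constraint, v):
    """A clock constraint is a conjunction of (clock, op, integer) comparisons."""
    return all(OPS[op](v[x], c) for x, op, c in constraint)

class TimedSafetyAutomaton:
    """Timed automaton with location invariants (encoding assumed by this example)."""

    def __init__(self, invariants, edges):
        self.inv = invariants      # location -> constraint
        self.edges = edges         # list of (source, guard, action, resets, target)

    def delay(self, state, d):
        """Delay transition (l,v) -d-> (l,v+d): allowed iff Inv(l) holds for every
        intermediate valuation. Conjunctions of comparisons are convex, so it is
        enough that both endpoints v and v+d satisfy the invariant."""
        l, v = state
        if d < 0:
            raise ValueError("delays are non-negative")
        w = {x: val + d for x, val in v.items()}
        return (l, w) if holds(self.inv[l], v) and holds(self.inv[l], w) else None

    def action(self, state, a):
        """Action transition (l,v) -a-> (l',v') along the first edge l -g,a,r-> l'
        with g(v), v' = v[r := 0] and Inv(l')(v'); None if no edge is enabled."""
        l, v = state
        for src, guard, act, resets, tgt in self.edges:
            if src == l and act == a and holds(guard, v):
                w = {x: (Fraction(0) if x in resets else val) for x, val in v.items()}
                if holds(self.inv[tgt], w):
                    return (tgt, w)
        return None

    def run(self, state, steps):
        """Follow a sequence of steps (a number is a delay, a string is an action).
        Returns the visited states; a blocked step appends None and stops the run."""
        trace = [state]
        for step in steps:
            state = self.action(state, step) if isinstance(step, str) else self.delay(state, step)
            trace.append(state)
            if state is None:
                break
        return trace

# the automaton of the slides: n has invariant x<=5, m has invariant y<=10,
# and the edge n -a-> m is guarded by x<=5 & y>3 and resets x
EXAMPLE = TimedSafetyAutomaton(
    invariants={"n": [("x", "<=", 5)], "m": [("y", "<=", 10)]},
    edges=[("n", [("x", "<=", 5), ("y", ">", 3)], "a", ["x"], "m")],
)

def example_states():
    """The three transitions shown on the slides from (n, x=2.4, y=3.1415)."""
    s0 = ("n", {"x": Fraction("2.4"), "y": Fraction("3.1415")})
    return {
        "delay_1.1": EXAMPLE.delay(s0, Fraction("1.1")),   # (n, x=3.5, y=4.2415)
        "action_a": EXAMPLE.action(s0, "a"),               # (m, x=0, y=3.1415)
        "delay_3.2": EXAMPLE.delay(s0, Fraction("3.2")),   # None: x would become 5.6 > 5
    }

if __name__ == "__main__":
    for name, st in example_states().items():
        print(name, st)
    s0 = ("n", {"x": Fraction("2.4"), "y": Fraction("3.1415")})
    print(EXAMPLE.run(s0, [Fraction("1.1"), "a", Fraction(5), Fraction(1)]))
```

The last call in the main block shows the invariant of the target location at work: after the action the run sits in m with y = 4.2415, a delay of 5 is allowed (y = 9.2415 <= 10) but a further delay of 1 is blocked because y would exceed 10.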
Timed Automata in UPPAAL (Larsen et al, 1996)

Communicating timed safety automata
+ urgent actions
+ urgent locations (i.e. zero-delay locations)
+ committed locations (i.e. zero-delay and atomic locations)
+ data-variables (integers with bounded domains)
+ arrays of data-variables
+ guards and assignments over data-variables and arrays
...
TCTL = CTL + Time (Alur, Courcoubetis, Dill, 1991)

Formulas are built from atomic propositions $p \in AP$, constraints $D$ over formula clocks and automata clocks, Boolean connectives, the freeze operator $z \text{ in } \varphi$ ($z$ a formula clock), and the path formulas $E[\varphi\, U\, \psi]$ and $A[\varphi\, U\, \psi]$.

- "freeze operator" $z \text{ in } \varphi$ introduces a new formula clock z
- E[ U ], A[ U ] - like in CTL
- No EX
Derived Operators (defined with the freeze operator)

- Along any path $\varphi$ holds continuously until, within 7 time units, $\psi$ becomes valid.
- The property $\varphi$ becomes valid within 5 time units.
TCTL Semantics

- s - location
- w - formula clock valuation
- PM(s) - set of paths from s
- Pos(π) - positions in the path π; the elapsed time at position i of π
- (i,d) << (i',d') iff (i < i') or ((i = i') and (d < d'))
Timeliness Properties

- receive(m) occurs within 5 time units after send(m)
- receive(m) occurs exactly 11 time units after send(m)
- putbox occurs periodically (exactly) every 25 time units (note: other putbox's may occur in between)
Fischer's Protocol: a simple MUTEX algorithm

[Figure: two processes sharing the variable V (Init V=1). Process 1 has locations A1, B1, CS1 and the edge labels V:=1 and V=1; process 2 has locations A2, B2, CS2 and the edge labels V:=2 and V=2. CS is the critical section.]

Property: AG ¬(CS1 ∧ CS2)
Fischer's Protocol: a simple MUTEX algorithm (timed version)

[Figure: the same two processes with clocks X (process 1) and Y (process 2). Besides V:=1, V=1 (resp. V:=2, V=2), the edges of process 1 carry the reset X:=0 and the guards X<1 and X>1; the edges of process 2 carry Y:=0, Y<1 and Y>1.]

Properties checked: EF, AF and AG formulas over CS1 and CS2, including mutual exclusion AG ¬(CS1 ∧ CS2).

Infinite State Space?
Regions: Finite partitioning of state space

[Figure: the (x, y) clock plane, x axis 1 2 3, y axis 1 2.]

"Desired equivalence": $w \cong w'$ iff for any location $l$ of any timed automaton, $(l, w)$ and $(l, w')$ satisfy the same properties, i.e. $Beh(l, w)$ and $Beh(l, w')$ are equivalent.
Regions: Finite partitioning of state space

Definition: $w \cong w'$ iff $w$ and $w'$ satisfy exactly the same conditions of the form $x_i \bowtie n$ and $x_i - x_j \bowtie n$, where $\bowtie$ is a comparison and $n \le \max$ (the maximal constant).

An equivalence class (i.e. a region): in fact there is only a finite number of regions!!

[Figure: the clock plane (x axis 1 2 3, y axis 1 2) partitioned into regions.]
Regions: Finite partitioning of state space

[Figure: a region r in the clock plane (x axis 1 2 3, y axis 1 2), its successor regions Succ(r), and its reset regions {x}r and {y}r.]

- An equivalence class (i.e. a region): r
- Successor regions: Succ(r)
- Reset regions: {x}r, {y}r
Properties of Regions

The region equivalence relation is a time-abstract bisimulation:
- Action transitions: if $w \cong v$ and $(l, w) \xrightarrow{a} (l', w')$ for some $w'$, then there exists $v' \cong w'$ s.t. $(l, v) \xrightarrow{a} (l', v')$.
- Delay transitions: if $w \cong v$ then for all real numbers $d$ there exists $d'$ s.t. $w + d \cong v + d'$.
- If $w \cong v$ then $(l, w)$ and $(l, v)$ satisfy the same TCTL formulas.
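As an added example, not part of the talk, the region definition above can be turned into a canonical key: two valuations are region-equivalent exactly when their keys agree, and enumerating keys over a fine enough grid shows that the number of regions is finite. The example assumes a single maximal constant `cmax` for all clocks (the slide's $\max$), clock values given as exact Fractions, and the function names are its own.

```python
from fractions import Fraction
from itertools import product

def region(valuation, cmax):
    """Canonical key of the region containing `valuation` (clock -> value) for the
    maximal constant cmax. The key records, per clock, its integer part or the fact
    that it exceeds cmax; which clocks have fractional part 0; and the ordering of
    the non-zero fractional parts (clocks with equal fractions form one group).
    These are exactly the conditions x_i ~ n and x_i - x_j ~ n with n <= cmax."""
    ints, fracs = {}, {}
    for x, v in valuation.items():
        v = Fraction(v)
        if v > cmax:
            ints[x] = "> max"          # above cmax no constraint can distinguish values
        else:
            ints[x] = int(v)           # integer part (v is non-negative)
            fracs[x] = v - int(v)      # fractional part
    zero = frozenset(x for x, f in fracs.items() if f == 0)
    groups = {}
    for x, f in fracs.items():
        if f != 0:
            groups.setdefault(f, set()).add(x)
    order = tuple(frozenset(groups[f]) for f in sorted(groups))
    return (tuple(sorted(ints.items())), zero, order)

def same_region(w1, w2, cmax):
    """The region equivalence w1 ~ w2 of the slides."""
    return region(w1, cmax) == region(w2, cmax)

def count_regions(clocks, cmax):
    """Enumerate the regions by sampling a grid fine enough to realise every
    ordering of fractional parts (step 1/(n+1) for n clocks) and every value
    above cmax; the number of distinct keys is the number of regions."""
    n = len(clocks)
    step = Fraction(1, n + 1)
    grid = [k * step for k in range((cmax + 1) * (n + 1) + 1)]
    keys = {region(dict(zip(clocks, point)), cmax) for point in product(grid, repeat=n)}
    return len(keys)

if __name__ == "__main__":
    # constructed valuations: same integer parts, and in both the fraction of y
    # is below the fraction of x, so they lie in the same region
    print(same_region({"x": "2.4", "y": "3.1415"}, {"x": "2.5", "y": "3.25"}, 5))   # True
    print(same_region({"x": "2.4", "y": "3.1415"}, {"x": "2.25", "y": "3.5"}, 5))   # False
    print(count_regions(["x", "y"], 1))                                            # 18
```

For two clocks and maximal constant 1 the grid enumeration finds 18 regions: the 4 integer corner points, 9 open line segments (including the diagonal 0 < x = y < 1) and 5 open areas, which is what the region picture on the slides shows for a unit square.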
Region graph of a simple timed automaton

[Figure: the region graph of a simple timed automaton.]
Fischer's again

[Figure: the timed Fischer automata with clocks X and Y, resets X:=0 and Y:=0, guards X<1, X>1, Y<1, Y>1, and the property AG ¬(CS1 ∧ CS2).]

Untimed case (reachable states):
- A1,A2,v=1
- A1,B2,v=2
- A1,CS2,v=2
- B1,CS2,v=1
- CS1,CS2,v=1

Timed case, partial region graph:
- A1,A2,v=1, x=y=0
- A1,A2,v=1, 0<x=y<1
- A1,A2,v=1, x=y=1
- A1,A2,v=1, 1<x,y
- A1,B2,v=2, 0<x<1, y=0
- A1,B2,v=2, 0<y<x<1
- A1,B2,v=2, 0<y<x=1
- A1,B2,v=2, x=1, y=0
- A1,B2,v=2, 0<y<1, 1<x
- A1,B2,v=2, 1<x,y
- A1,B2,v=2, y=1, 1<x
- A1,CS2,v=2, 1<x,y
- No further behaviour possible!!
Roughly speaking....

Model checking a timed automaton against a TCTL-formula amounts to model checking its region graph against a CTL-formula.
Problem to be solved

Model checking TCTL is PSPACE-complete.
Zones: Symbolic computation

- State: (n, x=3.2, y=2.5 ), a single point in the clock plane
- Symbolic state (set): (n, Z), a set of clock valuations
- Zone: conjunction of constraints of the form x-y<=n, x<=>n

[Figure: a point versus a zone in the (x, y) plane.]
Symbolic Transitions

[Figure: edge n -> m with guard x>3, action a and reset y:=0.]

Starting from the zone 1<=x<=4, 1<=y<=3 in location n:
- delays to: 1<=x, 1<=y, -2<=x-y<=3
- conjuncts (with the guard x>3) to: 3<x, 1<=y, -2<=x-y<=3
- projects (reset y:=0) to: 3<x, y=0

Thus (n, 1<=x<=4, 1<=y<=3) =a=> (m, 3<x, y=0).
Forward Reachability

[Figure: the Passed and Waiting lists; the question Init -> Final ?]

INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT
  - pick (n,Z) in Waiting
  - if for some Z' ⊇ Z, (n,Z') is in Passed then STOP (this symbolic state is already covered)
  - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Canonical Data Structures for Zones: Difference Bounded Matrices (Bellman 1958, Dill 1989)

When are two sets of constraints equivalent?

D1: x<=1, y-x<=2, z-y<=2, z<=9
D2: x<=1, y-x<=2, y<=3, z-y<=2, z<=7

[Figure: each constraint set drawn as a weighted graph on the nodes 0, x, y, z, one edge of weight n per constraint: D1 has edge weights 1, 2, 2, 9 and D2 has 1, 2, 2, 3, 7. The shortest-path closure of both graphs is the same graph with weights 1, 2, 2, 3, 5, so D1 and D2 describe the same zone.]
Difference Bounds Matrices

- Matrix representation of constraints (bounds on a single clock or on the difference between 2 clocks)
- Reduced form obtained by running an all-pairs shortest path algorithm
- Reduced DBM is canonical
- Operations such as reset, time-successor, inclusion, intersection are efficient
- Popular choice in timed-automata-based tools
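As an added example (not code from the talk or from UPPAAL), here is a small DBM in Python that carries out the three slides above: the symbolic transition (n, 1<=x<=4, 1<=y<=3) =a=> (m, 3<x, y=0) via delay, guard and reset, the inclusion test Z ⊆ Z' that the Passed list of forward reachability relies on, and the shortest-path canonicalisation that makes D1 and D2 of the DBM slide compare equal. The encoding of a bound as a (constant, strict) pair, the text syntax for constraints, and all class and function names are assumptions of this example; the zones and constraint sets themselves are the slides'.

```python
import copy
import math
import re
from itertools import product

INF = (math.inf, True)   # no bound: x_i - x_j < infinity
ZERO = (0, False)        # x_i - x_j <= 0

def bound_lt(a, b):      # bounds are (m, strict): smaller m is tighter; '<' beats '<=' at equal m
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])
def bound_add(a, b):     # chain a bound on x_i - x_j with one on x_j - x_k
    return (a[0] + b[0], a[1] or b[1])

class DBM:
    """d[i][j] bounds x_i - x_j; index 0 is the reference clock (always 0), so
    d[i][0] is the upper bound of clock i and d[0][i] encodes its lower bound."""
    _RE = re.compile(r"^(\w+)(?:-(\w+))?(<=|>=|<|>|=)(-?\d+)$")

    def __init__(self, clocks):
        self.clocks = ["0"] + list(clocks)
        n = len(self.clocks)
        self.d = [[INF] * n for _ in range(n)]
        for i in range(n):
            self.d[i][i] = self.d[0][i] = ZERO   # diagonal, and every clock is >= 0

    def _tighten(self, i, j, b):
        if bound_lt(b, self.d[i][j]):
            self.d[i][j] = b

    def constrain(self, *texts):
        """Intersect with constraints written as 'x<=4', 'x>3', 'x-y<=3' or 'y=0'."""
        for text in texts:
            m = self._RE.match(text.replace(" ", ""))
            if not m:
                raise ValueError(f"cannot parse constraint {text!r}")
            i, j = self.clocks.index(m.group(1)), self.clocks.index(m.group(2) or "0")
            op, c = m.group(3), int(m.group(4))
            if op in ("<=", "<", "="):
                self._tighten(i, j, (c, op == "<"))     # x_i - x_j (<, <=) c
            if op in (">=", ">", "="):
                self._tighten(j, i, (-c, op == ">"))    # x_j - x_i (<, <=) -c
        return self

    def canonical(self):  # Floyd-Warshall: every entry becomes the tightest implied bound
        n = len(self.clocks)
        for k, i, j in product(range(n), repeat=3):
            self._tighten(i, j, bound_add(self.d[i][k], self.d[k][j]))
        return self

    def is_empty(self):  # a negative cycle lands on the diagonal: unsatisfiable
        return any(bound_lt(self.d[i][i], ZERO) for i in range(len(self.d)))

    def up(self):        # time successor: drop every clock's upper bound, keep differences
        for i in range(1, len(self.d)):
            self.d[i][0] = INF
        return self.canonical()

    def reset(self, clock):  # x := 0: x takes over the reference clock's row and column
        x = self.clocks.index(clock)
        for j in range(len(self.d)):
            self.d[x][j], self.d[j][x] = self.d[0][j], self.d[j][0]
        return self.canonical()

    def includes(self, other):  # other ⊆ self, entrywise on canonical forms (Passed-list test)
        return all(not bound_lt(self.d[i][j], other.d[i][j]) for i, j in product(range(len(self.d)), repeat=2))

    def __eq__(self, other):
        return self.includes(other) and other.includes(self)

    def constraints(self):  # non-trivial bounds of the canonical form, as readable strings
        out, n = [], len(self.clocks)
        for i, j in product(range(n), repeat=2):
            (m, strict), ci, cj = self.d[i][j], self.clocks[i], self.clocks[j]
            if i == j or m == math.inf or (i == 0 and (m, strict) == ZERO):
                continue                                  # skip trivial entries
            if i == 0:                                    # lower bound on clock j
                out.append(f"{cj}{'>' if strict else '>='}{-m}")
            else:                                         # upper bound or clock difference
                out.append(f"{ci}{'-' + cj if j else ''}{'<' if strict else '<='}{m}")
        return sorted(out)

def zone(clocks, constraints):  # canonical DBM from constraint strings
    return DBM(clocks).constrain(*constraints).canonical()

def symbolic_successor(z, guard, resets):  # delay, intersect with the guard, reset
    delayed = copy.deepcopy(z).up()
    guarded = copy.deepcopy(delayed).constrain(*guard).canonical()
    if guarded.is_empty():                   # the guard cuts the delayed zone to nothing
        return None
    target = copy.deepcopy(guarded)
    for c in resets:
        target.reset(c)
    return delayed, guarded, target

def slide_example():  # (n, 1<=x<=4, 1<=y<=3) =a=> (m, 3<x, y=0) with guard x>3 and reset y:=0
    start = zone(["x", "y"], ["x>=1", "x<=4", "y>=1", "y<=3"])
    return symbolic_successor(start, ["x>3"], ["y"])

def dbm_equivalence_example():  # D1 and D2 from the DBM slide: different sets, same zone
    d1 = zone(["x", "y", "z"], ["x<=1", "y-x<=2", "z-y<=2", "z<=9"])
    d2 = zone(["x", "y", "z"], ["x<=1", "y-x<=2", "y<=3", "z-y<=2", "z<=7"])
    return d1 == d2, d1.constraints()
```

Calling `slide_example()` returns the three zones of the Symbolic Transitions slide in order; printing `.constraints()` of each gives `x>=1, y>=1, x-y<=3, y-x<=2` after the delay, the same with `x>3` after the guard, and `x>3, y<=0` (plus the implied `y-x<-3`) after the reset. `dbm_equivalence_example()` returns `True` together with the shared canonical form, in which `z<=5` replaces both `z<=9` and `z<=7`. For brevity `up` and `reset` re-run the full O(n^3) closure; production tools avoid that because both operations preserve canonical form, but the results are identical.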
Summary

Applications of Uppaal and Kronos:
- Philips bounded retransmission protocol
- Asynchronous circuits (STARI communication)
- Timing analysis of Esterel+C code

Research theme 1: efficient representation of clock constraints + Boolean constraints
Research theme 2: automatic abstractions of complex dynamics by timed automata