UPPAAL Ghaith Haddad. Introduction UPPAAL is a tool for modeling, validation and verification of real-time systems. Appropriate for systems that can be.

42510011 0010 1010 1101 0001 0100 1011

UPPAAL

Ghaith Haddad

4251

0011 0010 1010 1101 0001 0100 1011

Introduction

• UPPAAL is a tool for modeling, validation and verification of real-time systems.

• Appropriate for systems that can be modeled as a collection of non-deterministic processes with finite control structure and real-valued clocks (i.e. timed automata)

4251

0011 0010 1010 1101 0001 0100 1011

Introduction

• Communication is through channels and (or) shared data structures.

• Typical application areas:– Real-time controllers– Communication protocols– Other systems in which timing aspects are

critical

4251

0011 0010 1010 1101 0001 0100 1011

UPPAAL??!!

• SWEden + DENmark = SWEDEN– REJECTED

• sweDEN + denMARK = DENMARK– REJECTED

• UPPsala + AALborg = UPPAAL– ACCEPTED

4251

0011 0010 1010 1101 0001 0100 1011

UPPAAL Tool Parts

• Graphical user interface (GUI)– Used for modeling, simulation, and verification. Uses

the verification server for simulation and verification.

• Verification server – Used for simulation and verification. In simulation, it is

used to compute successor states.

• A command line tool– A stand-alone verifier, appropriate for e.g. batch

verifications.

4251

0011 0010 1010 1101 0001 0100 1011

Example: state types

P0 = T0();

P1 = T1();

P2 = T2();

system P0,P1,P2;

4251

0011 0010 1010 1101 0001 0100 1011

LocationsLocations can have an optional name. Besides serving as an identifier allowing you to refer to the location from the requirement specification language. The name must be a valid identifier.

Conjunction of simple conditions on clocks, differences between clocks, and boolean expressions not involving clocks. The bound must be given by an integer expression. Lower bounds on clocks are disallowed. States which violate the invariants are undefined; by definition, such states do not exist.

Like urgent locations, committed locations freeze time. Furthermore, if any process is in a committed location, the next transition must involve an edge from one of the committed locations.

Exactly one per Template

Freeze time; i.e. time is not allowed to pass when a process is in an urgent location.

4251

0011 0010 1010 1101 0001 0100 1011

Edges

non-deterministically bind a given identifier to a value in a given range. The other three labels of an edge are within the scope of this binding.

Processes can synchronize over channels. Edges labeled with complementary actions over a common channel synchronize.

An edge is enabled in a state if and only if the guard evaluates to true.

When executed, the update expression of the edge is evaluated. The side effect of this expression changes the state of the system.

4251

0011 0010 1010 1101 0001 0100 1011

Example: Mutual Exclusion Algorithm (Peterson’s)

4251

0011 0010 1010 1101 0001 0100 1011

Example: Mutual Exclusion Algorithm

typedef int[1,2] turn;

typedef int[1,2] flag;

flag guardFlag=1;

P1 = T1(1);P2 = T1(2);

system P1,P2;

4251

0011 0010 1010 1101 0001 0100 1011

Example: The Observer

clock x;

chan reset;

P1 = P();

Obs1 = Obs();

system P1,Obs1;

4251

0011 0010 1010 1101 0001 0100 1011

Verifying Properties

• E<> p: there exists a path where p eventually hold. (Possibly)

• A[] p: for all paths p always hold. (Invariantly)• E[] p: there exists a path where p always hold.

(Potentially Always)• A<> p: for all paths p will eventually hold.

(Eventually)• p --> q: whenever p holds q will eventually hold.

(Leads To)

4251

0011 0010 1010 1101 0001 0100 1011

References

• http://www.cs.aau.dk/~kgl/ARTES/index.htm

• http://www.it.uu.se/research/group/darts/papers/texts/new-tutorial.pdf

• http://www.it.uu.se/research/group/darts/uppaal/tutorial.pdf

• http://www.uppaal.com/