1

Simulator-Model Checker for Reactive Real-Time Abstract State

Machines

Anatol SlissenkoUniversity Paris 12

Pavel VasilyevUniversity Paris 12

University of St Petersburg, Russia

2

Contents

• Motivation• Example• Timed ASM. Two semantics.• Non-determinism, properties• Timed ASM syntax and semantics• Simulation• First Order Timed Logic• Verification• Conclusion

3

Motivation• No simulators for real-time ASM • Two different time semantics • First Order Timed Logic (FOTL) to specify

properties;• `On-the-fly’ verification of FOTL-properties (Decidable classes are labor consuming)

4

Example. Token Passing.

T is time (by default, non negative reals)

P is a set of N processes

Pass : (P {undef}) (input)

Token : P Bool function to control (output)

A part of environment specification:

Pass is defined in isolated points;

the time distance between two consecutive signals lies in an interval

[0, 1], where 0 < 0 < 1 are abstract real constants;

two consecutive signals Pass have different values.

5

Requirements on functioning

• (Safety) At any time there are no two processes with a token.

• (Liveness1) At any time at least one process has a token.

• (Liveness2) The token changes its location within a duration that lies in a given interval (0, 1).

[More arithmetically complicated requirement: the average of the last 3 waiting times is in (0, 1).

6

Initial values (at time instant 0):

Pass = undef ,

Token(p0) = true,

forall q in P(q ≠ p0 Token(q) = false),

Last = 0, CT = 0

F= (d0 ≤ (CT − a ∙ Last) ≤ d1 ).

forall p in P in parallel do

if Pass ≠ undef and Token(p)

then [Token(Pass) := F, Token(p) := ¬F, Last := CT]

Token Passing Algorithm

7

Semantics of instantaneous actions

1

2

3

8

1

2

3

Semantics of delayed actions

9

Problems of simulation/verification:

● Continuous time (computing update instants)

● Verification of quantified formulas with arithmetics

● Resolving non-determinism

● Generation of inputs

● Representation of results

10

Example: ASM specificationtype Proc = Integer -> Boolean;var Token: Proc;var Last = 0: Time;var Pass: Integer; // external functionvar a, d1, d2: Float; // external functions

Main() { while ( CT <= 10 ) do [

if ( Token(1) and (Pass != 1) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(1):=False; ] Last := CT; ] if ( Token(2) and (Pass != 2) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(2):=False; ] Last := CT; ] if ( Token(3) and (Pass != 3) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(3):=False; ] Last := CT; ] ]}

11

Example: external functions, Pass

// Textual definition of the Pass function

// It defines the next process in the queuePass := (0, 0; 1, 4; 2, 1; 3, 2; 4, 3)

12

Instantaneous updates

The Token function changes after the Pass input function.

13

Example: external functions, coefficient

// Textual definition of the coefficienta := (0, 0.8; 2, 1.5; 4, 1.8)

14

Example: external functions, delay interval

// Textual definition of the delay intervals (d1, d2)d1 := (0, 0.3; 1, 0.7; 2, 0.2; 3, 0.4; 4, 0.5)d2 := (0, 1.2; 1, 1.3; 2, 1.5; 3, 1.4; 4, 1.7)

15

Timed ASM

ASM = basic Gurevich abstract state machine;

Timed ASM = (Vocabulary, InitialState, Program)

Vocabulary consists of Sorts, Functions, Predicates. R, Z, N, Boolean, Undef, Time=R+ sorts are predefined.

InitialState defines the initial state of the ASM.

Program specifies the updates i.e. the transitions between the states.

16

Functions

• Functions can be divided into internal and external or static and dynamic.

• A special function CT is predefined and is nullary function that returns the current time.

• Dynamic & external functions (i.e. inputs) are defined separately from the program.

17

Delays

• The updates in ASM are designed as instantaneous;

• We add a bounded delay which is defined in a special configuration file;

• We consider two semantics: there are no delays, there are finite delays.

18

Example: the delay between Pass & Token

This example shows the delay between the values of the external function Pass and the internal function Token. Here we show a case where one of the values of Pass function is missed due to a big delay.

19

Non-determinisms

• The first (last) element of a tuple;• The minimal (max) element (if order is defined);• A random element;• An element which was not used in the previous

non-determinism resolution.

Non-determinisms occur if we use the choose statement. It can be resolved in different ways.

20

Timed ASM Syntax

• Sequential block: { P1 P2 … Pn };

• Parallel block: [ P1 P2 … Pn ];

• foreach u in U where b(u) do S;• choose u in U where b(u) do S;• forall x in X holds F(x);• exists y in Y where H(y);

21

Timed ASM Semantics

• Sequential execution: All updates executed in the orders of appearance. Time is incremented by the corresponding delay.

• Block of parallel operations: Some conflicts may appear. Inconsistency is checked. The greatest of the delays is chosen.

• Looped parallel block: Each cycle is like a block of parallel operations. Time jumps are possible to avoid an infinite loop.

22

Timed ASM Semantics: no delays

In this example the machine enters two parallel branches with values x=2, y=0. Each branch contains two sequential updates. After the instantaneous execution of each branch we get two sets of updated values. For the left branch we get x=7, y=7. For the right branch we get x=3, y=3. These sets are inconsistent, so the run is undefined.

x := 3;

x := y; y := x;

y := 7;

x=2 y=0

INCONSISTENCY

23

Timed ASM Semantics: no delays

In this case the run is formally defined, but one shouldn’t write such programs. In each branch a product of x and y is calculated. But it gives different results. However, there is no contradiction.

x := 3;

x := x*y;y := y*x;

y := 2;

x=2 y=0

x=0 y=4

BAD STYLE

24

Timed ASM Semantics: nonzero delays

The result of parallel execution of updates can be different as we can read the updated values in a parallel branch. In this example if we get t1 < t2 the results will be x=18, y=6. If t1 > t2 then we get x=6, y=12. If t1 = t2 then we get x=6, y=6.

x=6 y=6 orx=18 y=6 orx=6 y=12

BAD STYLE

x:=3;

x:=x*y;

y:=y*x;

y:=2;

x=2 y=0

t

t

t

t

t

00

3

1

2

25

Timed ASM Semantics: nonzero delays

This example can be interpreted correctly when there are nonzero delays. But it contains two potentially simultaneous updates in different parallel branches which can be contradictory. Therefore, this example is also considered as inconsistent by the simulator.

x=7 y=3 orx=7 y=7 orx=3 y=3

x := 3;

x := y; y := x;

y := 7;

x=2 y=0

INCONSISTENCY

26

Simulation

• Start from the Main() method as a top-level entry point;

• Calculation of the next time point in which at least one guard is true;

• State update, which is represented by one or more statement blocks;

• Evaluation of constraints before and after the state update.

27

This part is implemented.

Demonstration will follow the presentation.

28

Example: properties in FOTL

Safety property in textual syntax:forall t in Time holds forall p, q in Integer holds

( p != q & Token`(t, p) ==> !Token`(t, q) )

Liveness property in textual syntax:forall t in Time holds exists p in Integer where

( Token`(t, p) )

Safety:

Liveness:

29

First Order Timed Logic

The FOTL is based on the theory of mixed real/integer addition with rational constants and unary multiplications by rational numbers. This theory is known to be decidable. FOTL itself is clearly undecidable.

Among discrete (non negative integers) and continuous (non negative reals) time we choose the case of continuous time.

30

FOTL Syntax

The vocabulary of FOTL consists of finite sets of sorts, function symbols and predicate symbols. Some of them have a fixed interpretation (pre-interpreted): - Sorts: integers (Z), reals (R), the time sort T, etc. - Functions: +, -, * for real numbers. - Predicates: =, ≤, < over real numbers.The vocabulary of FOTL contains equality for all types of objects and a CT° function to work the time.

Abstract functions: T × X YAbstract predicates: T × X Bool

31

Verification

32

Implemented features

• Lexical and syntactical analysis with building a parse tree;

• Loading definitions of external functions and the simulation parameters from a file;

• Simulation of most constructs and operations of Timed ASM Language;

• Simulation results output with the history of all state changes.

33

Future Work

• Finish the verification feature (abstract functions elimination, quantifier elimination, simplification);

• Add non-deterministic bounded delays;

• Languages for generation of inputs and resolution of non-determinisms;

• Enrich ASM syntax (e.g. multi-agent ASM).

34

Thank you