Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania
38
1 Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania
description
Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania. Model Checker. model. yes. temporal property. error-trace. Advantages Automated formal verification, Effective debugging tool Traditional: Finite-state systems (Boolean vars) - PowerPoint PPT Presentation
Transcript of Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania
1
Model Checking ofof Timed Systems
Rajeev Alur
University of Pennsylvania
2
Model Checker
AdvantagesAutomated formal verification, Effective debugging tool
Traditional: Finite-state systems (Boolean vars)Enumerative search with reduction heuristics: Spin, MurphiSymbolic search using BDDs: SMV, Cospan, VIS, Mocha
Hybrid and Real-Time SystemsContinuous variables make state-space infiniteTimed automata: Decidability results, Efficient symbolic data
structures
model
temporalproperty
yes
error-trace
3
Talk Outline
Timed Automata: Syntax and Semantics Specification Logic: Timed CTL Decidability: Region-based partitioning Efficient Implementation: Zones and DBMs
UPPAAL (www.docs.uu.se/docs/rtmv/uppaal)Talk draft: Thanks to Kim Larsen and Paul
Pettersson
4
UPPAAL
5
Off Light Brightpress? Press?
press?
Press?
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Timed AutomataIntelligent Light Control
6
Timed AutomataIntelligent Light Control
Off Light Bright
Solution: Add real-valued clock x
X:=0X<=3
X>3
press? Press?
press?
Press?
7
Timed Automata
n
m
a
(Alur & Dill 1990)
Clocks: x, y
x<=5 & y>3
x := 0
Guard Boolean combination of comparisons withinteger bounds
ResetAction performed on clocks
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
e(1.1)
Transitions
( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )
a
State ( location , x=v , y=u ) where v,u are in R
Actionused
for synchronization
8
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
e(1.1)
( n , x=2.4 , y=3.1415 )
e(3.2)
x<=5
y<=10
LocationInvariants
g1g2 g3
g4
Invariants ensure progress!!
Timed Safety Automata Timed Automata + Invariants
(Henzinger et al, 1992)
9
Clock Constraints
What can you express: Constant lower and upper bounds on delays
Why the restricted syntax: slight generalizations (e.g. allowingx=2y) lead to undecidable model checking problems
10
Timed (Safety) Automata
11
Light Switch
Switch may be turned on whenever at least 2 time units has elapsed since last “turn off”
Light automatically switches off after 9 time units.
push
pushclick
12
Semanticsclock valuations:state:Semantics of timed automata is a
labeled transition systemwhere
action transition
delay Transition
)(),( CVvandLlwherevl
})(|),({ LlandCVvvlS
0:)( RCvCV
),( S
0')')((
),(),(
RddwheneverdvlInv
iffdvlvl d
g a rl l’
)')('(][')(
)','(),(
vlInvandrvvandvg
iffvlvl a
13
Semantics: Example
...)9,0,()9),3(9,(
)3,3,(),0,(
),()0,(
)5.3,()0,(
)3(93
5.3
yxoffyxon
yxonyxon
yxonyxon
yxoffyxoff
click
push
push
push
pushclick
9y
14
Timed Automata in UPPAAL
Communicating Timed Safety Automata+ urgent actions+ urgent locations (i.e. zero-delay locations)+ committed locations (i.e. zero-delay and atomic locations)+ data-variables (integers with bounded domains)+ arrays of data-variables+ guards and assignments over data-variables and arrays...
Larsen et al, 1996
15
TCTL = CTL + Time
inz
clocksformulaDz
nspropositioautomicAPp
,,
,,
constraints over formula clocks and automata clocks
“freeze operator” introduces new formula clock z
E[ U ], A[ U ] - like in CTL
No EX
Alur, Courcoubetis, Dill, 1991
16
Derived Operators
Along any path holds continuously until within 7 time units
becomes valid.
=
=
The property becomes valid within 5 time units.
17
TCTL Semanticss - location
w - formula clock valuation
PM(s) - set of paths from s
Pos() - positions in ,i) - elapsed time
(i,d) <<(i’,d’) iff (i<j) or ((i=j) and (d<d’))
18
Timeliness Properties
receive(m) occurs within 5 time units after send(m)
receive(m) occurs exactly 11 time units after send(m)
putbox occurs periodically (exactly) every 25 time units
(note: other putbox’s may occur in between)
19
A1 B1 CS1V:=1 V=1
A2 B2 CS2V:=2 V=2
Init V=1
2´
VCriticial Section
Fischer’s ProtocolA simple MUTEX Algorithm
21 CSCS AG
20
A1 B1 CS1V:=1 V=1
A2 B2 CS2V:=2 V=2
Init V=1
2´
VCriticial Section
Fischer’s ProtocolA simple MUTEX Algorithm
Y<1
X:=0
Y:=0
X>1
Y>1
X<1
12
212
21
CS
CSCS
CSCS
EF
AF
AG
21
Infinite State Space?
22
RegionsFinite partitioning of state space
x
y ”Desired equivalence”
.properties
samesatisfy and
or
automata. timed
any of locationany for
iff
(l,w')(l,w)
l
w'lBehwl Behww ),(),('
1 2 3
1
2
'ww
23
RegionsFinite partitioning of state space
x
y Definition
max
'
n
nxxnx
w'www
jii
where
and
form the
of conditions same exact the
satisfy and iff
An equivalence class (i.e. a region)in fact there is only a finite number of regions!!
1 2 3
1
2
24
RegionsFinite partitioning of state space
x
y
An equivalence class (i.e. a region)
Successor regions, Succ(r)
r
1 2 3
1
2
Resetregions
{y}r
{x}r
25
Properties of Regions
The region equivalence relation is a time-abstract bisimulation: Action transitions: If w v and (l,w) -a-> (l’,w’)
for some w’, then v’ w’ s.t. (l,v) -a-> (l’,v’) Delay transitions: If w v then for all real
numbers d, there exists d’ s.t. w+d v+d’ If w v then (l,w) and (l,v) satisfy the
same TCTL formulas
26
Region graph of a simple timed automata
27
Fischers again A1 B1 CS1V:=1 V=1
A2 B2 CS2V:=2 V=2Y<1
X:=0
Y:=0
X>1
Y>1
X<1
21 CSCS AG
A1,A2,v=1
A1,B2,v=2
A1,CS2,v=2
B1,CS2,v=1
CS1,CS2,v=1
Untimed case
A1,A2,v=1x=y=0
A1,A2,v=10 <x=y <1
A1,A2,v=1x=y=1
A1,A2,v=11 <x,y
A1,B2,v=20 <x<1
y=0
A1,B2,v=20 <y < x<1
A1,B2,v=20 <y < x=1
y=0
A1,B2,v=20 <y<1
1 <x
A1,B2,v=21 <x,y
A1,B2,v=2y=11 <x
A1,CS2,v=21 <x,y
No further behaviour possible!!
Timed case
PartialRegion Graph
28
Roughly speaking....
Model checking a timed automata against a TCTL-formula amounts to
model checking its region graph against a CTL-formula
Model checking a timed automata against a TCTL-formula amounts to
model checking its region graph against a CTL-formula
29
Problem to be solved
Model Checking TCTL is PSPACE-complete
30
ZonesSymbolic computation
State(n, x=3.2, y=2.5 )
x
y
x
y
Symbolic state (set)(n, )
Zone:conjunction ofx-y<=n, x<=>n
3y4,1x1
31
Symbolic Transitions
n
m
x>3
y:=0
x
ydelays to
x
y
x
y conjuncts to
x
y
projects to
1<=x<=41<=y<=3
1<=x, 1<=y-2<=x-y<=3
3<x, 1<=y-2<=x-y<=3
3<x, y=0
Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)
a
32
Forward Rechability
Passed
WaitingFinal
Init
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Init -> Final ?
33
Forward Rechability
Passed
Waiting Final
Init
n,Z
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
Init -> Final ?
34
Forward Rechability
Passed
Waiting Final
Init
n,Z
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
m,U
Init -> Final ?
35
Forward Rechability
Passed
Waiting Final
Init
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
m,U
n,Z
Init -> Final ?
36
Bellman 1958, Dill 1989
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2y<=3z-y<=2z<=7
x<=1y-x<=2y<=3z-y<=2z<=7
D1
D2
When are two sets of constraints equivalent?
x x
0 y
z
1 2
29
ShortestPath
Closure
ShortestPath
Closure
0 y
z
1 2
25
0
x
y
z
1 2
27
0
x
y
z
1 2
25
3
3 3
Graph
Graph
Canonical Dastructures for ZonesDifference Bounded Matrices
37
Difference Bounds Matrices
Matrix representation of constraints (bounds on a single clock or difference betn 2 clocks)
Reduced form obtained by running all-pairs shortest path algorithm
Reduced DBM is canonical Operations such as reset, time-successor,
inclusion, intersection are efficientPopular choice in timed-automata-based
tools
38
Summary
Applications of Uppaal and KronosPhilips bounded retransmission protocolAsynchronous circuits (STARI communication)Timing analysis of Esterel+C code
Research theme 1: Efficient representation of Clock constraints + Boolean constraints
Research theme 2: Automatic abstractions of complex dynamics by timed automata
