Timing Is Everything
Joël Ouaknine
Department of Computer Science, Oxford University
BCS Meeting, Oxford
17 May 2012
Automated Verification
[Figure: "theory" vs. "practice".]
“In theory, there is no difference between theory and practice. In practice, there is.”
Jan L.A. van de Snepscheut
Ariane 5 Explosion, French Guyana, 1996
NASA Mars Missions, 1997–2004
• 1997: Mars Rover loses contact
• 1999: Mars Climate Orbiter is lost
• 1999: Mars Polar Lander is lost
• 2004: Mars Rover freezes
Intel Pentium FDIV Bug, 1994
Northeast Blackout, 2003
Chrysler Pacifica SUV, 2006
December 2006: DaimlerChrysler recalls 128,000 Pacifica sports utility vehicles because of a problem with the software governing the fuel pump and power train control. The defect could cause the engine to stall unexpectedly. [Washington Post]
Automated Verification
“A Grand Challenge for computing research.”
Sir Tony Hoare, 2003
Now one of a small handful of areas ‘targetted for growth’ by UK funding council EPSRC.
Automated Verification
“Nobody is going to run into a friend’s office with a program verification. Nobody is going to sketch a verification out on a paper napkin. . . One can feel one’s eyes glaze over at the very thought.”
Rich de Millo, Richard Lipton, Alan Perlis, 1979
“The success of program verification as a generally applicable and completely reliable method for guaranteeing program performance is not even a theoretical possibility.”
James H. Fetzer, Program Verification: The Very Idea, CACM 31(9), 1988
Automated Verification: A High-Level Overview
[Figure: workflow diagram. Step 1, Modelling of the system; step 2, Specification of the properties to check, e.g. G(a ==> F b), G(!c && d), . . .; both feed Verification, whose possible outputs are: system ok / bug found / parameter values / performance indices.]
TERMINATOR vs. The Ackermann Function

```c
/* The Ackermann function: total, but not primitive recursive, and a classic
   stress test for automated termination provers such as TERMINATOR. */
int Ack(int m, int n) {
    if (m == 0)
        return n + 1;
    else if (n == 0)
        return Ack(m - 1, 1);
    else
        return Ack(m - 1, Ack(m, n - 1));
}
```

$\mathrm{Ack}(n, n)$ for $n = 0, 1, 2, \ldots$: $\;1,\; 3,\; 7,\; 61,\; 2^{2^{2^{2^{2^{2^{2}}}}}} - 3,\; \underbrace{2^{2^{\cdot^{\cdot^{\cdot^{2}}}}}}_{\mathrm{Ack}(5,4)+3} - 3$
Timing Is Everything
A Login Protocol
[Figure: timed automaton with one clock x. Locations: START, VALIDATE, LOG_ERROR, DELAY, connected. Transition labels: login_name, pw_correct, pw_wrong, log_pw_wrong, and restart (two edges). The edges are annotated with the clock reset x := 0 and the guards x < 60?, x ≥ 60? and x ≥ 10?.]
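To make the figure's timing constraints concrete, here is an added Python trace checker (not code from the talk) that replays a timed trace through the automaton and rejects any trace that violates a guard, such as a restart attempted before the delay has elapsed. The locations, labels, guards and resets come from the figure; which guard sits on which edge is not legible there, so the wiring in the EDGES table is an assumption.

```python
"""Trace checker for the login-protocol timed automaton in the figure above.

Added illustration, not code from the talk.  The locations, action labels,
clock guards and resets are read off the figure; which guard sits on which
edge is NOT legible in the figure, so the EDGES table below is an assumed
wiring chosen to match the labels (one clock x, measured in seconds).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    dst: str
    guard: Callable[[float], bool]   # predicate over clock x, checked before jumping
    reset: bool = False              # x := 0 when the edge is taken


# ASSUMED wiring of the figure's labels
EDGES: List[Edge] = [
    Edge("START",     "login_name",   "VALIDATE",  lambda x: True,     reset=True),
    Edge("VALIDATE",  "pw_correct",   "connected", lambda x: x < 60),
    Edge("VALIDATE",  "pw_wrong",     "LOG_ERROR", lambda x: x < 60),
    Edge("VALIDATE",  "restart",      "START",     lambda x: x >= 60),  # stale session
    Edge("LOG_ERROR", "log_pw_wrong", "DELAY",     lambda x: True,     reset=True),
    Edge("DELAY",     "restart",      "START",     lambda x: x >= 10),  # lockout delay
]


def run(trace: List[Tuple[float, str]], start: str = "START") -> Optional[Tuple[str, float]]:
    """Replay a timed trace [(delay, action), ...]: `delay` seconds elapse, then
    `action` is attempted.  Returns the final (location, clock) pair, or None as
    soon as an action has no enabled edge (wrong location or guard violated).
    The wiring above is deterministic, so at most one edge ever matches."""
    loc, x = start, 0.0
    for delay, action in trace:
        x += delay
        enabled = [e for e in EDGES if e.src == loc and e.action == action and e.guard(x)]
        if not enabled:
            return None
        loc = enabled[0].dst
        if enabled[0].reset:
            x = 0.0
    return loc, x


def accepted(trace: List[Tuple[float, str]]) -> bool:
    """True iff every action in the trace is allowed by the automaton."""
    return run(trace) is not None


# Constructed sample traces
GOOD_LOGIN    = [(0.0, "login_name"), (2.5, "pw_correct")]
HASTY_RETRY   = [(0.0, "login_name"), (1.0, "pw_wrong"), (0.0, "log_pw_wrong"),
                 (3.0, "restart")]                     # restart before the 10 s delay
PATIENT_RETRY = [(0.0, "login_name"), (1.0, "pw_wrong"), (0.0, "log_pw_wrong"),
                 (10.0, "restart"), (0.0, "login_name"), (1.0, "pw_correct")]
STALE_SESSION = [(0.0, "login_name"), (61.0, "pw_correct")]   # x < 60 guard fails

if __name__ == "__main__":
    for name, trace in [("good login", GOOD_LOGIN), ("hasty retry", HASTY_RETRY),
                        ("patient retry", PATIENT_RETRY), ("stale session", STALE_SESSION)]:
        print(f"{name:14s} -> {run(trace)}")
```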
BMW Hydrogen 7
$\Box(\mathit{PEDAL} \to \Diamond\, \mathit{BRAKE})$
$\Box(\mathit{PEDAL} \to \Diamond_{[25,40]}\, \mathit{BRAKE})$
Timed Automata
Introduced by Rajeev Alur at Stanford during his PhD under David Dill:
• Rajeev Alur, David L. Dill: Automata For Modeling Real-Time Systems. ICALP 1990: 322-335
• Rajeev Alur, David L. Dill: A Theory of Timed Automata. TCS 126(2): 183-235, 1994
Timed Automata
Time is modelled as the non-negative reals, $\mathbb{R}_{\geq 0}$.
Theorem (Alur, Courcoubetis, Dill 1990). Reachability is decidable (in fact PSPACE-complete).
Unfortunately:
Theorem (Alur & Dill 1990). Language inclusion is undecidable for timed automata.
Temporal Logic Model Checking
“The paradigmatic idea of the automata-theoretic approach to verification is that we can compile high-level logical specifications into an equivalent low-level finite-state formalism.”
Moshe Vardi
Theorem. Automata are closed under all Boolean operations. Moreover, the language inclusion problem [$L(A) \subseteq L(B)$?] is decidable.
An Uncomplementable Timed Automaton
[Figure: timed automaton A over the single letter a, with one clock x and three states. The initial state loops on a; an a-edge with reset x := 0 leads to a middle state, which loops on a; from there an a-edge guarded by x = 1? leads to the accepting state, which loops on a. Below, two timelines illustrate L(A): each marks a pair of a's exactly 1 time unit apart.]
A cannot be complemented: There is no timed automaton B with $L(B) = \overline{L(A)}$.
Metric Temporal Logic
$\Box(a \to \Diamond_{[0,1]}\, b)$
[Figure: a timed word drawn on a timeline 0 1 2 3, with a bracket of length 1 starting at each a.]
Does the timed word satisfy the specification? Yes.
Real-Time Model Checking
Given a timed automaton A and a Metric Temporal Logic specification ϕ, does every timed word of A satisfy ϕ?
• For about 15 years (∼ 1990–2005), the real-time model-checking problem was widely claimed in the literature to be undecidable.
• In 2005, James Worrell and I showed decidability through the development of the theory of timed alternating automata.
$\Box(a \to \Diamond_{=1}\, b)$
[Figure: alternating timed automaton for this formula, with states s0, s1, s2 and one clock x. s0 loops on a and on b; on a it additionally spawns a copy in s1 with x := 0 (universal branching). s1 loops on {a, b} while x < 1?, and on b with x = 1? moves to s2. s2 loops on a and on b.]
[Figure: the timed word a b a b b b at times 0.3, 0.5, 0.8, 1.3, 1.4, 1.8 on a timeline 0 1 2, with the two unit-length gaps 0.3 → 1.3 and 0.8 → 1.8 marked.]
[Figure: run of the automaton on this timed word, built up one event at a time. Each level lists the configurations (state, clock value) that are simultaneously active, labelled with the delay and letter read:]
• start: (s0, 0)
• 0.3, a: (s0, 0.3), (s1, 0)
• 0.2, b: (s0, 0.5), (s1, 0.2)
• 0.3, a: (s0, 0.8), (s1, 0.5), (s1, 0)
• 0.5, b: (s0, 1.3), (s1, 0.5), (s2, 1.0)
• 0.1, b: (s0, 1.4), (s1, 0.6), (s2, 1.1)
• 0.4, b: (s0, 1.8), (s2, 1.0), (s2, 1.5)
Pages 69–71 (one slide, repeated; page 72 is blank)
Real-Time Model Checking: A High-Level Algorithm
Real-time model checking problem
⇓
Alternating timed automaton emptiness problem
⇓
Halting problem for Turing machine with insertion errors
Pages 73–87 (successive builds of one slide; the builds reveal the sequence one word at a time)
Higman’s Lemma
Theorem. The subword order over a finite alphabet is a well-quasi order.
(Graham Higman, Ordering by Divisibility in Abstract Algebras, Proceedings of the London Mathematical Society, vol. 2, 1952.)
“HIGMAN” is a subword of “HIGHMOUNTAIN”.
Any infinite sequence of words W1, W2, W3, . . . must eventually have two words, Wi and Wi+k, such that the first is a subword of the second.
aba, abbb, baab, aa, ba, bbb, abb, ab, a, bb, b
Pages 88–97 (successive builds of one slide)
The Halting Problem for Faulty Turing Machines
[Figure: search tree of machine configurations (control state, tape word) rooted at the initial configuration (q0, <>), with halt leaves and one branch continuing with “...”; the builds highlight two configurations on that branch, (q, W) and a later (q, W’), with the annotation that (q, W) is a subword of (q, W’).]
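Both the Higman’s Lemma slides and the faulty-machine slides rest on the subword order, so here is one added Python example (not code from the slides) that tests the slides’ own sequence aba, …, b for a subword pair and lifts the same order to configurations (q, W) as the slides’ annotation does; the branch of configurations it checks is constructed.

```python
"""Subword order, Higman's lemma and configuration subsumption, worked on
the slides' own word sequence. Added example, not taken from the slides.

u is a subword of v when u arises from v by deleting letters (HIGMAN from
HIGHMOUNTAIN). Higman's lemma: any infinite sequence W1, W2, ... over a
finite alphabet has some Wi that is a subword of a later Wi+k, so a "bad"
sequence (one with no such pair) is always finite. Lifted to configurations
(q, W) of a Turing machine with insertion errors, the same order is the
test the faulty-machine slides mark on a branch of the search tree.
"""
from typing import Callable, Optional, Sequence, Tuple, TypeVar

T = TypeVar("T")
Config = Tuple[str, str]  # (control state q, tape word W)

# The sequence shown on the Higman's Lemma slides.
SLIDE_SEQUENCE = ["aba", "abbb", "baab", "aa", "ba", "bbb",
                  "abb", "ab", "a", "bb", "b"]


def is_subword(u: str, v: str) -> bool:
    """True iff u is a scattered subword of v. Greedy left-to-right matching
    is exact: taking the earliest match for a letter never hurts the rest."""
    rest = iter(v)
    return all(ch in rest for ch in u)   # 'in' advances the iterator


def first_dominated_pair(seq: Sequence[T], leq: Callable[[T, T], bool]
                         ) -> Optional[Tuple[int, int]]:
    """First (i, j), i < j, with leq(seq[i], seq[j]), scanning j upward.
    None means seq is a bad sequence for the quasi-order leq.
    Indices are 0-based; the slides' Wi and Wi+k are 1-based."""
    for j in range(len(seq)):
        for i in range(j):
            if leq(seq[i], seq[j]):
                return i, j
    return None


def is_bad_sequence(words: Sequence[str]) -> bool:
    return first_dominated_pair(words, is_subword) is None


def config_leq(c1: Config, c2: Config) -> bool:
    """(q, W) below (q', W') iff the states agree and W is a subword of W'."""
    return c1[0] == c2[0] and is_subword(c1[1], c2[1])


def first_subsumed_on_branch(branch: Sequence[Config]
                             ) -> Optional[Tuple[int, int]]:
    """Indices of the first (q, W) ... (q, W') on a branch with W a subword
    of W'. With finitely many states and a finite tape alphabet, Higman's
    lemma guarantees every infinite branch contains such a pair; it is the
    pair the faulty-machine slides annotate."""
    return first_dominated_pair(branch, config_leq)


if __name__ == "__main__":
    print(is_subword("HIGMAN", "HIGHMOUNTAIN"))            # True
    print(is_bad_sequence(SLIDE_SEQUENCE))                # True: 11 words, no pair
    print(first_dominated_pair(SLIDE_SEQUENCE + ["abab"], is_subword))  # (0, 11)
    # Constructed branch from the empty initial tape, the slides' (q0, <>).
    branch = [("q0", ""), ("q1", "a"), ("q2", "ab"), ("q1", "bb"), ("q2", "abb")]
    print(first_subsumed_on_branch(branch))               # (2, 4)
```

The slides’ eleven-word sequence is a bad sequence (no earlier word is a subword of a later one), and appending a single word such as abab ends it immediately with the pair (aba, abab).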
Pages 98–99 (one slide, repeated)
Real-Time Model Checking
Theorem. The real-time model-checking problem for Metric Temporal Logic is decidable (under the pointwise semantics).
The complexity is provably non-primitive recursive. In particular, it grows faster than Ackermann’s function in the worst case.
Page 100
From Timed Alternating Automata to Efficient Runtime Monitoring Algorithms
□(PEDAL → ♦[25,40] BRAKE)
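As an added example (not code from the slides), the following Python monitor checks the bounded-response pattern that both □(a → ♦=1 b) from the automaton slides and □(PEDAL → ♦[25,40] BRAKE) instantiate, keeping one pending obligation per p-event in place of one copy of the alternating automaton; the integer timestamp unit, the reading of ♦ as requiring a strictly later event, and the timed words themselves are assumptions.

```python
"""Online monitor for the bounded-response pattern G(p -> F_[lo,hi] q) under
the pointwise semantics, covering □(a → ♦=1 b) from the timed-automaton
slides and □(PEDAL → ♦[25,40] BRAKE) from the runtime-monitoring slide.
Added example, not the slides' algorithm. Assumes integer timestamps in one
unit (e.g. ms) so the exact bound x = 1 compares exactly, and that the
answering q is a strictly later event. The timed words are constructed.
"""
from typing import List, Optional, Tuple

TimedWord = List[Tuple[str, int]]


class BoundedResponseMonitor:
    """Each p-event opens an obligation: one copy of the alternating timed
    automaton waiting with clock x reset at that p, x = now - p time."""

    def __init__(self, p: str, q: str, lo: int, hi: int) -> None:
        self.p, self.q, self.lo, self.hi = p, q, lo, hi
        self.pending: List[int] = []      # timestamps of undischarged p-events
        self.violations: List[int] = []   # p-events whose window closed unmet
        self.last_time: Optional[int] = None

    def step(self, event: str, t: int) -> Optional[bool]:
        """Consume one event and return the verdict so far (see verdict)."""
        if self.last_time is not None and t < self.last_time:
            raise ValueError("timestamps must be non-decreasing")
        self.last_time = t
        # An obligation whose clock has passed hi can no longer be met.
        still_open: List[int] = []
        for t0 in self.pending:
            (self.violations if t - t0 > self.hi else still_open).append(t0)
        self.pending = still_open
        # A q-event discharges every obligation whose clock lies in [lo, hi].
        if event == self.q:
            self.pending = [t0 for t0 in self.pending
                            if not (self.lo <= t - t0 <= self.hi)]
        # A p-event opens a fresh obligation; this comes after the discharge
        # step so that an event which is both p and q never answers itself.
        if event == self.p:
            self.pending.append(t)
        return self.verdict()

    def verdict(self) -> Optional[bool]:
        """False: violation witnessed. True: no obligation open. None: the
        finite prefix is inconclusive (a window is still open; a violation is
        only definite once a later event shows the window has passed)."""
        if self.violations:
            return False
        return True if not self.pending else None


def monitor(word: TimedWord, p: str, q: str, lo: int, hi: int
            ) -> Tuple[Optional[bool], List[int]]:
    """Run the monitor over a whole timed word; return (verdict, violations)."""
    m = BoundedResponseMonitor(p, q, lo, hi)
    for event, t in word:
        m.step(event, t)
    return m.verdict(), m.violations


# Constructed timed words, times in ms. For □(a → ♦=1 b): the a at 500 is
# answered by the b at exactly 1500 and the a at 1300 by the b at 2300.
AB_OK: TimedWord = [("a", 500), ("b", 800), ("a", 1300), ("b", 1400),
                    ("b", 1500), ("b", 2300)]      # -> (True, [])
AB_LATE: TimedWord = AB_OK[:-1] + [("b", 2400)]   # 100 ms late -> (False, [1300])
AB_OPEN: TimedWord = AB_OK[:-1]                   # still waiting -> (None, [])
PEDAL: TimedWord = [("PEDAL", 0), ("BRAKE", 30), ("PEDAL", 100),
                    ("BRAKE", 110), ("BRAKE", 150)]  # 110 early, 150 late -> (False, [100])
```

Run with `monitor(AB_OK, "a", "b", 1000, 1000)` or `monitor(PEDAL, "PEDAL", "BRAKE", 25, 40)`; the None verdict on AB_OPEN is the finite-prefix case a monitor must report honestly rather than guess.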
Pages 101–104 (one slide, repeated)
Quantitative Verification: From Model Checking to Model Measuring
[Figure: diagram spanning from qualitative systems to quantitative systems, carrying the labels model checking, module checking, parametric synthesis, model measuring and runtime monitoring; the layout is not recoverable from the extraction.]