Chapter 16 : KRONOS (Model Checking of Real-time Systems) JIHO YANG

What is KRONOS? KRONOS allows analyzing timed automata. KRONOS is a model checker for the TCTL(Timed CTL) logic. KRONOS checks whether a timed automaton satisfies a TCTL.

KRONOS’ Essentials KRONOS is one of the tools, which implements a model checking algorithm for a timed temporal logic (TCTL). KRONOS contains no graphical, no simulation modes. KRONOS is a timed model checker. http://www-verimag.imag.fr/TEMPORISE/kronos

Railroad crossing example (Two train, a gate, a controller, a counter)

Cont.

Cont. KRONOS Code (Tr1.tg) /* train1 */ #locs 3 /* number of states*/ #trans 3            /* number of transitions */ #clocks x1            /* clock */ #sync app1 exit1     /* synchronization labels */   loc: 0 prop: far inv: TRUE trans: TRUE => app1;  x1:=0  ; goto 1 loc: 1 prop: near inv: x1 < 30 trans: x1 > 20 and x1 < 30 => enter;   ; goto 2 loc: 2 prop: on inv: x1 < 50 trans: x1 > 20 and x1 < 50 => exit1;   ; goto 0 (trans: x1 > 30 and x1 < 50 => exit1;   ; goto 0)

Synchronized Product In order for several components of a system to communicate, KRONOS introduce a synchronization function. KRONOS, a synchronization label is simply obtained by the union of the label sets of the components. A set of transitions are synchronized if and only if each label occurring in one of the transition sets also belongs to one set of another transition.

Cont. (example) A1 containts the single transition {a,b} t1 : q1 ------- r1 A2 contains the single transition {b,c} t2 : q2 ------- r2

Cont. (example) If b is a synchronization label, then the product of automata A1 and A2 contains transition of {a,b,c} q1,q2 ---------- r1,r2.

Kronos code (Example) Extension “.tg” : “timed graph” Make the product of A1 and A2: A(12) Kronos -out A12.tg A1.tg A2.tg

Cont.(Example) Compose the result A(12) with A3: (we can express kronos code like) Kronos -out A12A3.tg A12.tg A3.tg

Cont. The automaton A(12)3 – the product of A1 and A2, and then compose the result A(12) with A3 The automaton A1(23) – the product of A2 and A3, and then compose the result A(23) with A1 It is not easy to use a modular approach.

Cont. There is two ways to overcome. The first one consists in building in a single operation the product of all components of a given system. Kronos code: Kronos –out S.tg Tr1.tg Tr2.tg Gate.tg Contr.tg Ct.tg

Cont. The second way: use a special option “-sd” Kronos –sd –out A12.tg A1.tg A2.tg

Model checking The properties to be checked must be expressed by TCTL. Each being in a separate file with extension “.tctl”

Safety property Safety property : Under certain conditions, an event never occur. ……??? “when a train is inside the crossing, the gate is closed.” Safe.tctl : Init impl AB(on impl closed) AB correspond A and G of CTL Impl : Boolean combinator

Cont. Verifying safety property KRONOS command: Kronos –back S.tg safe.tctl (backward analysis) Kronos –forw S.tg safe.tctl (forwards analysis) Safe.eval contains the result

Liveness property Liveness property: under certain condition, some event will ultimately occur. “from the moment where no train arrives anymore, the gate will be open after d time units.” Express TCTL

Cont. Init => AG (┐near ^ ┐on => ┐E(┐near ^ ┐on ^ ┐open) U (>d) true)) Write KRONOS when d = 20; Init impl AB((not near and not on) impl not((not near and not on and not open) EU{>20} TRUE))

Questions…