UPPAAL T-shirt to (identifiable) download no 40 Formal Methods Automatic Validation and Verification Tools Kim Guldstrand Larsen BRICS@Aalborg Institute of Computer Science Aalborg University Formal Methods seems to be finding its way into industrial software engineering practice. In particular, methods based on fully automatic verification tools have for a long time been established practice for hardware designs. Today, an increasing number of (commercial) tools offering automatic verification support for industrial designs of embedded systems, real-time systems, and communication protocols are emerging. The scalability of these tools has been significantly improved due to recent, scientific advances in the underlying algorithmic techniques, which have allowed for large industrial applications to be verified. The talk will present the tool UPPAAL, a tool suite for validating and verifying real-time system models. The tool has been developed since 1995 in collaboration between Aalborg and Uppsala Universities. The presentation will be based on on-line demonstration and survey the industrial applications of UPPAAL. The final part of the talk will address the tool visualSTATE, a commercial tool for automatic validation and verification of embedded system models In addition visualSTATE allows for automatic generation of efficient code for a number of platforms. Resent collaboration between visualSTATE, BRICS@Aalborg and DTU has resulted in truely significant advances in the size of systems which may be dealt with. Timed CTL Model Checking Region Automata Kim Guldstrand Larsen Paul Pettersson BRICS@Aalborg

Timed CTL IDA foredrag 20.4.99

Light Switch Switch may be turned on whenever at least 2 time units has elapsed since last “turn off” Light automatically switches off after 9 time units. push push click

Semantics clock valuations: state: Semantics of timed automata is a labeled transition system where action transition delay Transition g a r l l’

Semantics: Example push push click

TCTL = CTL + Time constraints over formula clocks and automata clocks “freeze operator” introduces new formula clock z E[ f U f ], A[ f U f ] - like in CTL No EX f

Derived Operators = Along any path f holds continuously until within 7 time units y becomes valid. = The property f may becomes valid within 5 time units.

Light Switch (cont) push push click

Timeliness Properties receive(m) always occurs within 5 time units after send(m) receive(m) may occur exactly 11 time units after send(m) putbox occurs periodically (exactly) every 25 time units (note: other putbox’s may occur in between)

Fischer’s Protocol A simple MUTEX Algorithm 2 ´ V Criticial Section Init V=1 A1 V:=1 V=1 B1 CS1 V:=2 V=2 A2 B2 CS2

Fischer’s Protocol A simple MUTEX Algorithm 2 ´ V Criticial Section X<1 X:=0 X>1 Init V=1 A1 V:=1 V=1 B1 CS1 Y>1 Y<1 Y:=0 V:=2 V=2 A2 B2 CS2

Paths push Example: push click

Elapsed time in path Example: s= D(s,1)=3.5, D(s,6)=3.5+9=12.5

TCTL Semantics s - (location, clock valuation) w - formula clock valuation PM(s) - set of paths from s Pos(s) - positions in s D(s,i) - elapsed time ¥ (i,d) <<(i’,d’) iff (i<j) or ((i=j) and (d<d’))

Region Automata Model Checking IDA foredrag 20.4.99

Infinite State Space?

Regions Finite partitioning of state space ”Definition” y 2 1 1 2 3 x

Regions Finite partitioning of state space ”Definition” y 2 1 1 2 3 x max determined by timed automata (and formula)

Regions Finite partitioning of state space Alternative to JPK Definition y 2 1 1 2 3 x max determined by timed automata (and formula)

Regions Finite partitioning of state space Definition y 2 1 1 2 3 x An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

Regions Finite partitioning of state space Definition y 2 1 r 1 2 3 x Successor regions, Succ(r) An equivalence class (i.e. a region)

Regions Finite partitioning of state space Definition y 2 1 THEOREM r {x}r {y}r 1 2 3 x Reset regions An equivalence class (i.e. a region) r

Region graph of a simple timed automata

Fischers again A1 B1 CS1 A2 B2 CS2 Y<1 X:=0 Y:=0 X>1 Y>1 V:=1 V=1 A2 B2 CS2 V:=2 V=2 Y<1 X:=0 Y:=0 X>1 Y>1 X<1 Untimed case Timed case Partial Region Graph A1,A2,v=1 A1,A2,v=1 x=y=0 A1,A2,v=1 0 <x=y <1 A1,A2,v=1 x=y=1 A1,A2,v=1 1 <x,y A1,B2,v=2 A1,B2,v=2 0 <x<1 y=0 A1,B2,v=2 0 <y < x<1 A1,B2,v=2 0 <y < x=1 y=0 A1,B2,v=2 0 <y<1 1 <x A1,CS2,v=2 A1,B2,v=2 1 <x,y A1,B2,v=2 y=1 1 <x B1,CS2,v=1 A1,CS2,v=2 1 <x,y CS1,CS2,v=1 No further behaviour possible!!

Modified light switch

Reachable part of region graph Properties

Roughly speaking.... Model checking a timed automata against a TCTL-formula amounts to model checking its region graph against a CTL-formula

Problem to be solved    Model Checking TCTL is PSPACE-hard

END IDA foredrag 20.4.99