1 Simulator-Model Checker for Reactive Real-Time Abstract State Machines Anatol Slissenko University Paris 12 Pavel Vasilyev University Paris 12 University of St Petersburg, Russia

2 Contents Motivation Example Timed ASM. Two semantics. Non-determinism, properties Timed ASM syntax and semantics Simulation First Order Timed Logic Verification Conclusion

3 Motivation No simulators for real-time ASM Two different time semantics First Order Timed Logic (FOTL) to specify properties; `On-the-fly’ verification of FOTL-properties (Decidable classes are labor consuming)

4 Example. Token Passing. T is time (by default, non negative reals) P is a set of N processes Pass :  (P  {undef}) (input) Token : P  Bool function to control (output) A part of environment specification:  Pass is defined in isolated points;  the time distance between two consecutive signals lies in an interval [  0,  1 ], where 0 <  0 <  1 are abstract real constants;  two consecutive signals Pass have different values.

5 Requirements on functioning (Safety) At any time there are no two processes with a token. (Liveness1) At any time at least one process has a token. (Liveness2) The token changes its location within a duration that lies in a given interval (  0,  1 ). [More arithmetically complicated requirement: the average of the last 3 waiting times is in (  0,  1 ).

6 Initial values (at time instant 0): Pass = undef, Token(p 0 ) = true, forall q in P(q ≠ p 0  Token(q) = false), Last = 0, CT = 0 F= (d 0 ≤ (CT − a ∙ Last) ≤ d 1 ). forall p in P in parallel do if Pass ≠ undef and Token(p) then [Token(Pass) := F, Token(p) := ¬F, Last := CT] Token Passing Algorithm

7 Semantics of instantaneous actions 1 2 3

Semantics of delayed actions

9 Problems of simulation/verification: ● Continuous time (computing update instants) ● Verification of quantified formulas with arithmetics ● Resolving non-determinism ● Generation of inputs ● Representation of results

10 Example: ASM specification type Proc = Integer -> Boolean; var Token: Proc; var Last = 0: Time; var Pass: Integer; // external function var a, d1, d2: Float; // external functions Main() { while ( CT <= 10 ) do [ if ( Token(1) and (Pass != 1) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(1):=False; ] Last := CT; ] if ( Token(2) and (Pass != 2) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(2):=False; ] Last := CT; ] if ( Token(3) and (Pass != 3) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(3):=False; ] Last := CT; ] ] }

11 Example: external functions, Pass // Textual definition of the Pass function // It defines the next process in the queue Pass := (0, 0; 1, 4; 2, 1; 3, 2; 4, 3)

12 Instantaneous updates The Token function changes after the Pass input function.

13 Example: external functions, coefficient // Textual definition of the coefficient a := (0, 0.8; 2, 1.5; 4, 1.8)

14 Example: external functions, delay interval // Textual definition of the delay intervals (d1, d2) d1 := (0, 0.3; 1, 0.7; 2, 0.2; 3, 0.4; 4, 0.5) d2 := (0, 1.2; 1, 1.3; 2, 1.5; 3, 1.4; 4, 1.7)

15 Timed ASM ASM = basic Gurevich abstract state machine; Timed ASM = (Vocabulary, InitialState, Program) Vocabulary consists of Sorts, Functions, Predicates. R, Z, N, Boolean, Undef, Time=R + sorts are predefined. InitialState defines the initial state of the ASM. Program specifies the updates i.e. the transitions between the states.

16 Functions Functions can be divided into internal and external or static and dynamic. A special function CT is predefined and is nullary function that returns the current time. Dynamic & external functions (i.e. inputs) are defined separately from the program.

17 Delays The updates in ASM are designed as instantaneous; We add a bounded delay which is defined in a special configuration file; We consider two semantics: there are no delays, there are finite delays.

18 Example: the delay between Pass & Token This example shows the delay between the values of the external function Pass and the internal function Token. Here we show a case where one of the values of Pass function is missed due to a big delay.

19 Non-determinisms The first (last) element of a tuple; The minimal (max) element (if order is defined); A random element; An element which was not used in the previous non-determinism resolution. Non-determinisms occur if we use the choose statement. It can be resolved in different ways.

20 Timed ASM Syntax Sequential block: { P 1 P 2 … P n }; Parallel block: [ P 1 P 2 … P n ]; foreach u in U where b(u) do S; choose u in U where b(u) do S; forall x in X holds F(x); exists y in Y where H(y);

21 Timed ASM Semantics Sequential execution: All updates executed in the orders of appearance. Time is incremented by the corresponding delay. Block of parallel operations: Some conflicts may appear. Inconsistency is checked. The greatest of the delays is chosen. Looped parallel block: Each cycle is like a block of parallel operations. Time jumps are possible to avoid an infinite loop.

22 Timed ASM Semantics: no delays In this example the machine enters two parallel branches with values x=2, y=0. Each branch contains two sequential updates. After the instantaneous execution of each branch we get two sets of updated values. For the left branch we get x=7, y=7. For the right branch we get x=3, y=3. These sets are inconsistent, so the run is undefined. x := 3; x := y;y := x; y := 7; x=2 y=0 INCONSISTENCY

23 Timed ASM Semantics: no delays In this case the run is formally defined, but one shouldn’t write such programs. In each branch a product of x and y is calculated. But it gives different results. However, there is no contradiction. x := 3; x := x*y;y := y*x; y := 2; x=2 y=0 x=0 y=4 BAD STYLE

24 Timed ASM Semantics: nonzero delays The result of parallel execution of updates can be different as we can read the updated values in a parallel branch. In this example if we get t 1 t 2 then we get x=6, y=12. If t 1 = t 2 then we get x=6, y=6. x=6 y=6 or x=18 y=6 or x=6 y=12 BAD STYLE x:=3; x:=x*y; y:=y*x; y:=2; x=2 y=0 t t t t t

25 Timed ASM Semantics: nonzero delays This example can be interpreted correctly when there are nonzero delays. But it contains two potentially simultaneous updates in different parallel branches which can be contradictory. Therefore, this example is also considered as inconsistent by the simulator. x=7 y=3 or x=7 y=7 or x=3 y=3 x := 3; x := y;y := x; y := 7; x=2 y=0 INCONSISTENCY

26 Simulation Start from the Main() method as a top-level entry point; Calculation of the next time point in which at least one guard is true; State update, which is represented by one or more statement blocks; Evaluation of constraints before and after the state update.

27 This part is implemented. Demonstration will follow the presentation.

28 Example: properties in FOTL Safety property in textual syntax: forall t in Time holds forall p, q in Integer holds ( p != q & Token`(t, p) ==> !Token`(t, q) ) Liveness property in textual syntax: forall t in Time holds exists p in Integer where ( Token`(t, p) ) Safety: Liveness:

29 First Order Timed Logic The FOTL is based on the theory of mixed real/integer addition with rational constants and unary multiplications by rational numbers. This theory is known to be decidable. FOTL itself is clearly undecidable. Among discrete (non negative integers) and continuous (non negative reals) time we choose the case of continuous time.

30 FOTL Syntax The vocabulary of FOTL consists of finite sets of sorts, function symbols and predicate symbols. Some of them have a fixed interpretation (pre-interpreted): - Sorts: integers (Z), reals (R), the time sort T, etc. - Functions: +, -, * for real numbers. - Predicates: =, ≤, < over real numbers. The vocabulary of FOTL contains equality for all types of objects and a CT° function to work the time. Abstract functions: T × X  Y Abstract predicates: T × X  Bool

31 Verification

32 Implemented features Lexical and syntactical analysis with building a parse tree; Loading definitions of external functions and the simulation parameters from a file; Simulation of most constructs and operations of Timed ASM Language; Simulation results output with the history of all state changes.

33 Future Work Finish the verification feature (abstract functions elimination, quantifier elimination, simplification); Add non-deterministic bounded delays; Languages for generation of inputs and resolution of non-determinisms; Enrich ASM syntax (e.g. multi-agent ASM).

34 Thank you