Verification of Parameterized Timed Systems
Parosh Aziz Abdulla, Johann Deneux, Pritha Mahata, Aletta Nylen (Uppsala University)
Outline: Parameterized Timed Systems (with one clock, with several clocks, discrete time domain); Syntactic and Semantic Variants; Safety Properties.
Parameterized System of Timed Processes (Timed Networks). Timed process: a finite-state automaton with clocks, whose edges carry clock guards (x<5) and clock resets (x:=0). Parameterized system: an arbitrary number of copies of the timed process running in parallel.
Single Clock Timed Networks, TN(1): every timed process has a single clock x.
Challenge: the network has arbitrary rather than fixed size. Example: Fischer's protocol, where a timed process reaches its critical section through edges guarded by x=0, x<1 and x>1 together with the reset x:=0; the parameterized network consists of arbitrarily many such processes.
State = Configuration: a configuration of a TN(1) records the control state and the clock value of every process in the network. Initial Configurations: the configurations in which every process is in its initial state.
Timed Transitions: time passes and all clocks in the network advance by the same amount (0.5 on the slide).
Discrete Transitions: a single process takes an edge whose guard holds (x<5) and performs the edge's reset (x:=0).
Unbounded number of clocks: a TN(1) contains unboundedly many clocks, so it cannot be modeled as a timed automaton. How to check safety properties?
Equivalence on Configurations: two configurations are equivalent if they agree (up to cmax, the largest constant in the guards) on: the colours (control states) of the processes, the integral parts of the clock values, and the ordering of the fractional parts of the clock values.
Ordering on Configurations: c1 ≤ c2 iff there is a configuration c3 such that c1 is equivalent to c3 and c3 is a subconfiguration of c2 (c2 contains the processes of c3, possibly together with further processes).
Safety Properties. Example, mutual exclusion for Fischer's protocol (edges x=0, x<1, x>1, x:=0 leading to the critical section): the bad states are the configurations with more than one process in the critical section (# processes in critical section > 1).
Ideal = upward closed set of configurations (with respect to the ordering above). The set of bad states is an ideal: adding processes to a bad configuration keeps it bad. Checking safety therefore amounts to checking reachability of ideals.
Checking Safety Properties: Backward Reachability Analysis. Start from the bad states and repeatedly apply Pre, the operation that yields the predecessor configurations; the property is violated iff the computed set of configurations meets the initial states.
Properties of the ordering: Monotonicity. If c1 ≤ c2 and c1 can make a transition to c3, then c2 can make a transition to some c4 with c3 ≤ c4 (the slide builds up the picture with configurations c1 to c6).
Consequence of monotonicity: ideals are closed under computing Pre, that is, for every ideal I the set Pre(I) is again an ideal.
Checking Safety Properties: Backward Reachability Analysis with ideals. Starting from the bad states (an ideal), compute Pre of ideals until the initial states are reached or no new configurations appear.
Existential Zones: a symbolic representation of ideals. An existential zone states a minimal requirement on a configuration: there exist processes with clocks x1, x2, x3 whose differences (x2 − x1 and x2 − x3 on the slide, bounded by the constants 1 and 2) satisfy given constraints; any configuration containing such processes, together with arbitrarily many further processes, belongs to the zone. Hence an existential zone denotes an ideal.
Existential Zones, computing Pre: the predecessors of an existential zone can again be described by existential zones, possibly mentioning additional clocks (x4 and x5 on the slide) and new difference constraints.
Checking Safety Properties: Backward Reachability Analysis with existential zones. Starting from the bad states, compute Pre of existential zones until the initial states are reached.
Termination: the ordering on existential zones is a BQO (better quasi-ordering) and therefore a WQO (well quasi-ordering), so the backward reachability analysis terminates.
Theorem: safety properties can be decided for TN(1).
Multi-Clock Timed Networks, TN(K): each timed process has K clocks (two clocks x and y on the slides, with edges such as x:=0 and x<5). Parameterized network: arbitrarily many such processes. A configuration records the control state and both clock values of every process.
Timed Transitions: all clocks x and y of all processes advance by the same amount. Discrete Transitions: one process takes an edge whose guard holds (y<5, x>4) and performs its resets (x:=0).
Existential zones for TN(2) constrain clocks x1, y1, x2, y2 (differences y2 − x1 and x2 − y1 on the slide), where xi and yi belong to the same process.
Checking Safety Properties: Backward Reachability Analysis with existential zones, as for TN(1).
Termination no longer guaranteed! With two clocks per process the slides exhibit an infinite family of existential zones: for two processes, x1 < x2 with y1 = x2 and y2 = x1; for three processes, x1 < x2 < x3 with y1 = x2, y2 = x3 and y3 = x1; for four processes, x1 < x2 < x3 < x4 with y1 = x2, y2 = x3, y3 = x4 and y4 = x1; and so on. The y-clocks link the processes into a cycle, so no zone of the family is below any other in the ordering, the ordering is not a WQO, and backward reachability need not terminate.
Simulation of a 2-counter machine M by TN(2). Timed processes: one process models the control state of M, some processes model counter c1, some model counter c2, and the rest are idle. The instructions of M are increment (c1++), zero test (c2=0?) and decrement (c2--). Encoding of configurations of M in the network: the value of c1 is the number of c1-processes placed between a left-end process and a right-end process (the slide shows #c1 = 3).
Simulating a Decrement (c1--): the control process moves from q1 to q2 and one process encoding c1 becomes idle; the edges are guarded by clock constraints (x=1, y=1 and 0<x on the slide) and perform resets (x:=0 and a reset of y), so that the timing forces exactly one c1-process to leave the encoding.
Simulating Zero Testing (c1=0?): the control process moves from q1 to q2 under the guards x>0 and y=1 with the reset x:=0, and the encoding processes use the guard x=1 with a reset of y; the clock constraints ensure the move is only possible when no c1-process is present.
Theorem: checking safety properties is undecidable for TN(2).
Discrete Timed Networks, DTN(K): clocks are interpreted over the discrete time domain. State = Configuration, as before.
Exact Abstraction: clock values above cmax are collapsed into the single value * (cmax = *); a configuration is abstracted to the number of processes having the same state and the same clock value (up to cmax). This abstraction is exact for the safety properties considered.
Discrete Transitions on abstract clock values: guards such as x=0 and x=*, resets x:=0. Timed Transitions: every clock value moves one step along 0, 1, 2, ..., * (and * stays at *).
Symbolic Representation: an upward closed set of abstract configurations is represented by its minimal elements.
Checking Safety Properties: Backward Reachability Analysis with minimal elements, computing Pre from the bad states towards the initial states.
Theorem: checking safety properties is decidable for DTN(K).
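The backward reachability analysis of the earlier slides, carried out with the DTN(K) representation just described (ideals given by their minimal elements), as an added example that is not part of the slides: a constructed single-clock process with cmax = 2, initial configurations assumed to have every process in (init, 0), and the ordering taken as multiset inclusion of (state, clock) pairs.

```python
# Backward reachability for a single-clock discrete timed network (DTN):
# symbolic sets are upward-closed ideals given by their minimal elements,
# the representation the slides use for DTN(K).
from itertools import product
from collections import Counter

CMAX, STAR = 2, "*"            # clock values above CMAX collapse to STAR
VALUES = list(range(CMAX + 1)) + [STAR]
# Constructed toy process (not from the slides): init -x:=0-> a -(x>=2)-> b
# -(x==0)-> c.  State c is unreachable: the clock is never reset after a.
RULES = [("init", lambda v: True, True, "a"),        # (src, guard, reset?, dst)
         ("a", lambda v: v == STAR or v >= 2, False, "b"),
         ("b", lambda v: v == 0, False, "c")]

def leq(m1, m2):  # the ordering: m1 is a sub-multiset of m2
    return all(m2.get(k, 0) >= n for k, n in m1.items())

def pre_discrete(m):  # minimal predecessors when one process fires a rule
    out = []
    for src, guard, reset, dst in RULES:
        for v in (x for x in VALUES if guard(x)):
            w = 0 if reset else v               # clock value after the rule
            base = Counter(m)
            if base[(dst, w)] > 0:              # the moving process lies in m
                base[(dst, w)] -= 1
            base[(src, v)] += 1
            out.append(+base)
    return out

def pre_tick(m):  # minimal predecessors of a timed transition (all clocks +1)
    if any(v == 0 for _, v in m):               # a tick never yields clock 0
        return []
    choices = [[(s, v - 1)] if v != STAR else [(s, CMAX), (s, STAR)]
               for (s, v), n in m.items() for _ in range(n)]
    return [Counter(c) for c in product(*choices)]

def minimize(ms):  # keep only the minimal elements of a set of multisets
    return [m for m in ms if not any(o != m and leq(o, m) for o in ms)]

def backward_reachable(bad, init_state="init"):
    """True iff a configuration with every process in (init_state, 0) can
    reach the upward closure of the minimal elements listed in 'bad'."""
    work, seen = [Counter(b) for b in bad], []
    while work:                          # terminates: multiset order is a WQO
        m = work.pop()
        if any(leq(o, m) for o in seen): # already covered by a stored ideal
            continue
        seen = minimize(seen + [m])
        work += pre_discrete(m) + pre_tick(m)
    return any(all(k == (init_state, 0) for k in m) for m in seen)
```

For the toy process, two processes in state b is reachable (both reset on entering a and wait two ticks), while any process in state c is not.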
Implementation: the TPN tool. Parameterized Fischer's protocol: verified in 2 seconds.
Lynch-Shavit's protocol (parameterized network of arbitrary size): verified in 25 minutes.
Syntactic Variants. Open timed networks (strict clock constraints): undecidable. Closed timed networks (non-strict clock constraints): decidable.
Semantic Variants. Robust timed networks (semantically strict clock constraints): undecidable.
Summary: TN(1) decidable; TN(2) undecidable; DTN(K) decidable; TN(2) open undecidable; TN(K) closed decidable; TN(2) robust undecidable.
Future work: acceleration and widening; forward analysis; priced timed networks; stochastic variants.