Verification and Controller Synthesis for Timed Automata : the tool KRONOS Stavros Trypakis

Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller

Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller time

Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller approach z <= 3 time

Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller approach lower y <= 1 time z <= 3

Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller x = 2.1 y = 0.9 z = 2.1 approach lower enter time x > 2  x <= 5

Verification   true Given a system and a property, verify that Types of Analysis Verification Given a system and a property, verify that the system satisfies the property. e.g., “whenever the train is in the crossing, the gate is down” Properties: Linear-time (execution sequences): Timed Büchi Automata. task1 task2 Branching-time (execution trees): TCTL.   true >=1

Types of Analysis Controller Synthesis Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves. Properties: Invariance: the controller keeps the system inside a set of safe states. Reachability: the controller leads the system to a set of target states.

Synthesizing a Controller Timed Systems Synthesizing a Controller approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate Environment approach x <= 1 x <= 0 Controller lower raise exit

Motivations Kronos backward (fix-point) Kronos backward (fix-point) Symbolic: unions of regions encoded by polyhedra Kronos backward (fix-point) Kronos backward (fix-point) No diagnostics Expensive: - complementation  - nested fix-points non-convex polyhedra Kronos forward Too big: 10 for TGC 4 Enumerative: region by region Region graph Reachability TBA TCTL Controller Synthesis Model checking

Time-abstracting Bisimulation Contributions Contributions Symbolic: unions of regions encoded by polyhedra Kronos backward (fix-point) Kronos backward (fix-point) Kronos backward (fix-point) Kronos forward On-the-fly verification Generate & Verify at the same time Re-use untimed resources (algorithms + tools) Time-abstracting Bisimulation (Quotient graph) Enumerative: region by region Region graph Reachability TBA TCTL Controller Synthesis Model checking

Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

The Time-abstracting Bisimulation Analysis with Time-abstracting Bisimulations The Time-abstracting Bisimulation Equivalence  on TA states: s1 s2 s3  a s1  s2 s4  a 2 s4  1, 2  R 1 s3 Preserve discrete state changes. Abstract exact time delays.

The Time-abstracting Quotient Graph Analysis with Time-abstracting Bisimulations The Time-abstracting Quotient Graph The quotient induced by the greatest time-abstracting bisimulation defined on the TA. Finite symbolic graph: - Nodes = symbolic states (equivalence classes). - Edges = symbolic transitions (discrete and time). Basic property: pre-stability  a  a s1 s2 s1 s2 Q1 Q2 Q1 Q2 Q1  pre (Q2) = Q1 a Q1  pre (Q2) = Q1 time

Example of Quotient graph Analysis with Time-abstracting Bisimulations Example of Quotient graph  up approach approach up    enter  lower up lower lower lower   enter exit up down down down down down down    enter exit (near, going up, 1, 1 < x <= y <= 2  z < x+1) raise raise  raise   approach

Verification on the Quotient graph: Linear-time Analysis with Time-abstracting Bisimulations Verification on the Quotient graph: Linear-time Every cycle in the quotient graph contains an infinite run and vice versa. Q1 Q2 Q3 Q4 s1 s2 s3 s4 ... s5 Timed Büchi Automata model checking DFS for cycles or SCCs in the quotient graph

Verification on the Quotient graph: Branching-time Analysis with Time-abstracting Bisimulations Verification on the Quotient graph: Branching-time If s1  s2, then for any TCTL formula , s1 satisfies  iff s2 satisfies . Due to determinism of time. 1 s1 s2 s3  2 s4 s5 s6 TCTL model checking CTL model checking in the quotient graph

Plan On-the-fly Verification Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

The Simulation Graph Finite symbolic graph generated dynamically by On-The-Fly Verification The Simulation Graph Finite symbolic graph generated dynamically by forward reachability : - Start from an initial node (symbolic state). - Add successor nodes using post( ) operator. - Stop when a node is already visited. Basic property: post-stability a s2  a s1 Q1 Q2 Q2 = post (post (Q1)) time a

Every cycle in the simulation graph contains an infinite run On-The-Fly Verification Verification on the Simulation graph: Linear-time Every cycle in the simulation graph contains an infinite run and vice versa. Idea of proof: every post-stable cycle can be pre-stabilized Q3  pre(Q1) Q0 Q1 Q2 Q3

Every cycle in the simulation graph contains an infinite run On-The-Fly Verification Verification on the Simulation graph: Linear-time Every cycle in the simulation graph contains an infinite run and vice versa. The process terminates, yielding a non-empty, pre-stable cycle  can use pre-stability to extract an infinite run. Q0 Q1 Q2 Q3 Timed Büchi Automata model checking DFS for cycles or SCCs in the simulation graph

Verification on the Simulation graph: Branching-time On-The-Fly Verification Verification on the Simulation graph: Branching-time Branching-time properties not preserved: no pre-stability. But : Nested problems of Timed Büchi Automata model checking TCTL model checking

Abstractions for on-the-fly verification Clock activity : eliminate inactive clocks  polyhedra change dimension dynamically Closure (or widening) : extrapolate bounds when they go beyond some maximal threshold Inclusion, convex hull, etc.

Plan Diagnostics Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

 Timed Diagnostics ...  a b c a b c Symbolic diagnostics not sufficient: no information on delays. Need timed diagnostics, e.g.: approach 2.5 lower 1 enter ... Finite diagnostics: extract runs from symbolic paths. e.g., in quotient graph:  a b c s2 a s3 b s3+  s4 c s1 choose points and delays in polyhedra (matrix representation) Q5 Q1 Q2 Q3 Q4

Diagnostics Timed Diagnostics Symbolic diagnostics not sufficient: no information on delays. Need timed diagnostics, e.g.: approach 2.5 lower 1 enter ... Infinite diagnostics: this method does not terminate. ... - a periodic run does not always exist - … unless if no strict constraints (<, >) in symbolic cycle

Plan Controller Synthesis Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

Controller Synthesis u  s c Untimed case: u c u - Model: graph with edges labeled controllable - uncontrollable. c c ... ... - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors Timed case: - Model: TA with discrete actions labeled controllable - uncontrollable - Semantics: dense strategies (time transitions ?) u  s c

Controller Synthesis using Fix-points controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves. Q c u  s compute winning states as fix-points of contr-pre( ). obtain controller = intersect TA with winning states. method costly (complementation in contr-pre( ), fix-point computes maximal strategy).

On-the-fly Controller Synthesis on-the-fly algorithm for the untimed case: - a DFS is used to find a strategy - the algorithm stops as soon as first strategy is found untimed algorithm can be used for timed synthesis, too: untimed algorithm Quotient graph (symbolic) strategy TA controller pre-stability of quotient graph essential for correctness  cannot use simulation graph… 

On-the-fly synthesis in quotient graph Controller Synthesis On-the-fly synthesis in quotient graph  up approach approach up    enter  lower up lower lower lower   enter exit up down down down down down down    enter exit raise raise raise    approach

Plan Implementation Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

Implementation in Kronos initial partition  P, <=k P, ... TA TA TA ...  P, P  P (On-the-fly) Parallel Composition TA Minim. Full TCTL model checking Safe TCTL model checking Controller Synthesis Reachability TBA model checking TBA Quotient Graph  Yes/No, diagnostics Restricted TA (controller) Yes/No, diagnostics Matrix library Aldebaran: - reduction/comparison - model checking - simulation/visualization

Connection of Kronos to Open-Caesar Implementation Connection of Kronos to Open-Caesar interface to Open-Caesar input: model code generation TA network + discrete shared vars. + message passing Kronos-Open model.c Open-Caesar’s graph library C-compiler Optimized polyhedra library simulator -calculus formula evaluator Yes/No + untimed diagnostics Yes/No + untimed diagnostics regular expression exhibitor Simulation graph generator State formula - Reachability + timed diagnostics - TBA model checking. profounder TBA

Plan Case studies Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

Case Studies FRP/DT protocol (project with CNET, Lannion) - found inconsistency error (known to designers) Multimedia documents (from INRIA project OPERA) - modeled documents as Timed Automata - checked executability (model checking) - computed schedulers (controller synthesis) Bang&Olufsen protocol (from previous case study by Uppaal) - found error not reported in Uppaal case study Benchmarks: STARI chip, Fischer’s protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

Experiences: performance Case studies Experiences: performance improved performance in benchmarks, often by many orders of magnitude. tools and techniques able to handle real-world case studies: - Bang&Olufsen: 30 discrete variables, large constants simulation graph = 10 symbolic states, 15 mins, 300 MB counter example = 1500 steps long, 20 secs 7 - STARI: 30 clocks, 60 boolean variables often bottleneck is discrete state space

Experiences: comparison of methods Case studies Experiences: comparison of methods Techniques are complementary Quotient graph Simulation graph Case study time (secs) time (secs) nodes edges nodes edges Fischer 22,085 122,804 1,000 164,935 457,799 1,060 Real-time scheduling 929 1,503 70 10,839 22,382 150 Philips 503 1,001 3 194 488 1 CSMA/CD 481 875 1 60 96 1

Conclusions Practicality not measured only in seconds, megabytes Expressive models : - discrete variables (Kronos-open) - different property-specification formalisms (TBA, TCTL) Variety : - of problems (model checking, controller synthesis) - of techniques (on-the-fly, using untimed tools) - of feedback (symbolic/timed diagnostics, controllers) Case studies : source of inspiration.

Perspectives Controller synthesis: - more properties (e.g., liveness) - more efficient techniques (e.g., completely on-the-fly) Performance: - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra) - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders) Methodology for correct & efficient modeling: - domain-specific guidelines - composition theory