CS5270 Lecture 4: Timed Automata I (CS 5270, Lecture 4)


Slide 2: Where we were…
- RT systems: modelling vs synthesis, hard vs soft, RT architectures
- The real-time computing environment: temporal accuracy, clocks; TTP (time-triggered protocols)
- Scheduling: preemption, feasibility, schedulability; RMS, priority inversion, PCP

Slide 3: Where we are going…
Formal basis for Uppaal: a detailed study of a basis for efficient real-time analysis/model checking:
- transition systems
- automata
- model checking
- timed transition systems
- zones/regions (efficient timed systems)
This will all take time… perhaps 4/5 weeks.

Slide 4: The immediate road map
- State transition systems: some definitions; parallel composition
- Timed transition systems: formal definition; parallel composition; reduction of a TTS (which has possibly infinitely many states and actions) to a finite TS by quotienting (takes time)
- Efficiency in TTS: regions; zones
- Automata and safety properties

Slide 5: The long distance road map
Local road map, and then…
- Verification of temporal properties: LTL and CTL temporal/modal logics; the verification setting
- CTL model checking: definition of CTL; Kripke structures; definition of the modelling relation; model checking algorithm for CTL
- TCTL model checking: definition of TCTL; model checking for TCTL

Slide 6: Transition Systems vs Automata
Automata = transition system + accepting conditions.
- Transition systems: state spaces, dynamics
- Automata: languages, properties

Slide 7: Example: Resource Manager (diagram; actions Req, Grant, Release)

Slide 8: Example (diagram with states FRW, BU and Bad; actions Req, Grant, Release, crash)

Slide 9: Example. Any sequence over {Req, Grant, Release} as allowed by the automaton: Rq G Rl Rq G is allowed; Rq G Rl Cr is not wanted!

Slide 10: Example. Any sequence over {Req, Grant, Release} as allowed by the automaton?

Slide 11: Example. Any sequence that ends with Release (except for the null string).

Slide 12: Transition Systems: a simple model of dynamic systems.
- Discrete time
- States
- Transitions
- Initial state(s)
- No accepting states

Slide 13: Example (diagram of the temperature controller; actions C, H, On-heat, On-ac, OK, Off-ac, Off-heat)

Slide 14: Signal flow: Temperature, AC-motor, Heater-motor

Slides 15-19: The same temperature-controller diagram, annotated step by step with the notions state (e.g. OK), transition, action (e.g. Off-ac) and initial state.

Slide 20: Paths (diagram with states S0, …, S6). Path: S4 on-heat S5 OK S6 off-heat S0 ? S1 …. Non-paths: S5 off-heat S6 off-heat S0 S1 on-ac S5 OK S6 ….

Slide 21: Paths and runs. Path: S4 S5 S6 S0 S1 …. Run: a path starting from an initial state, e.g. S0 S1 S2 S3 S0 S1 ….

Slide 22: Transition Systems
TS = (S, Act, →, S_in) is a transition system, where
- S is the set of states
- Act is a set of actions
- → ⊆ S × Act × S is the transition relation
- S_in ⊆ S is the set of initial states
Often: S and Act are finite sets; S_in has only one element; the transition relation is deterministic.

Slide 23: Deterministic Transition Systems (notation). TS = (S, Act, →, S_in); a triple (s, a, s') ∈ → is written s -a-> s'.

Slides 24-31: Transition Systems. Reading the four components of TS = (S, Act, →, S_in) off the temperature-controller diagram (states S0, …, S6):
- S = ?  S = {S0, S1, S2, …, S6}
- Act = ?  Act = {C, On-heat, H, On-ac, …}
- → = ?  → = {(S0, H, S1), (S0, C, S4), …}
- S_in = ?  S_in = {S0}

Slide 32: Deterministic Transition Systems. s -a-> s1 AND s -a-> s2 IMPLIES s1 = s2. Non-determinism is useful for getting succinct specifications. Abstractions (hiding details) give rise to non-determinism.

Slides 33-36: Non-determinism (diagram): Arrive at junction; Toss coin; on H turn left, on T turn right. Slide 36 hides the coin outcomes H and T, leaving a non-deterministic choice between Turn-left and Turn-right after the toss.

Slide 37: Paths and runs again (diagram with states S0, …, S6). Path: S4 S5 S6 S0 S1 …. Run: a path starting from an initial state, e.g. S0 S1 S2 S3 S0 S1 ….

Slide 38: Computations. TS = (S, Act, →, S_in). Behaviors can also be defined as action sequences (computations, traces, …). s0 s1 s2 … sn is a run. If s0 -a1-> s1 -a2-> s2 … s(n-1) -an-> sn, i.e. s(i-1) -ai-> si for each i, then a1 a2 a3 … an is a computation.

Slide 39: Run S0 S1 S2 S3. Computation?

Slide 40: Run S0 S1 S2 S3 S0. Computation: H On-ac OK Off-ac.

Slide 41: Behaviors (linear time). The behavior of a transition system is its set of runs, or its set of computations. Does the behavior of TS have the desired property? That is, does every computation (run) of the transition system have the desired property? Example: in no computation is C immediately followed by On-ac.

Slide 42: Behaviors. Properties:
- Is there a run leading to deadlock? ∃ s: s0 →* s with s0 ∈ S_in and no action is enabled at s.
- Is the state s reachable (via a run)?
- Is there a bad state which is reachable?
Often TS is presented implicitly, for example as a network of smaller transition systems.
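The definitions on slides 22 to 42 (transition relation, determinism, path, run, computation, reachability, deadlock, and the linear-time property "C is never immediately followed by On-ac") can all be checked mechanically on a small model. The following Python is an added example, not code from the lecture: it encodes the temperature controller as data and implements each notion as a method. The state names S0 to S6 and the action names are the slides'; the wiring of the two loops is reconstructed from the slides' example run S0 S1 S2 S3 S0 with computation H On-ac OK Off-ac and the path S4 S5 S6 S0, so treat that wiring as an assumption.

```python
from collections import deque

# Added example (not from the lecture slides): the temperature controller as
# TS = (S, Act, ->, S_in).  The two loops below are an assumed reconstruction:
# cooling loop S0 -H-> S1 -On-ac-> S2 -OK-> S3 -Off-ac-> S0,
# heating loop S0 -C-> S4 -On-heat-> S5 -OK-> S6 -Off-heat-> S0.
STATES = {"S0", "S1", "S2", "S3", "S4", "S5", "S6"}
ACTIONS = {"H", "C", "On-ac", "Off-ac", "On-heat", "Off-heat", "OK"}
ARROW = {  # the transition relation -> as a set of (s, a, s') triples
    ("S0", "H", "S1"), ("S1", "On-ac", "S2"), ("S2", "OK", "S3"), ("S3", "Off-ac", "S0"),
    ("S0", "C", "S4"), ("S4", "On-heat", "S5"), ("S5", "OK", "S6"), ("S6", "Off-heat", "S0"),
}
INITIAL = {"S0"}


class TransitionSystem:
    def __init__(self, states, actions, arrow, initial):
        assert initial <= states and {a for _, a, _ in arrow} <= actions
        self.states, self.actions, self.arrow, self.initial = states, actions, arrow, initial
        self.succ = {s: [] for s in states}  # adjacency list built from ->
        for s, a, t in arrow:
            self.succ[s].append((a, t))

    def enabled(self, s):
        """Actions that have at least one outgoing transition from s."""
        return {a for a, _ in self.succ[s]}

    def is_deterministic(self):
        """s -a-> s1 and s -a-> s2 implies s1 = s2, for every s and a (slide 32)."""
        return all(len({t for b, t in self.succ[s] if b == a}) == 1
                   for s in self.states for a in self.enabled(s))

    def is_path(self, seq):
        """seq = [s0, a1, s1, ..., an, sn]: every (s(i-1), ai, si) must be in ->."""
        triples = zip(seq[0::2], seq[1::2], seq[2::2])
        return all(tr in self.arrow for tr in triples)

    def is_run(self, seq):
        """A run is a path that starts in an initial state (slide 21)."""
        return seq[0] in self.initial and self.is_path(seq)

    def computation(self, seq):
        """The action sequence a1 a2 ... an of a run (None if seq is not a run)."""
        return seq[1::2] if self.is_run(seq) else None

    def reachable(self):
        """States reachable from S_in by some run (breadth-first search over ->)."""
        seen, todo = set(self.initial), deque(self.initial)
        while todo:
            s = todo.popleft()
            for _, t in self.succ[s]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def deadlocks(self):
        """Reachable states with no enabled action (slide 42)."""
        return {s for s in self.reachable() if not self.enabled(s)}

    def never_immediately_followed(self, a, b):
        """Linear-time property of slide 41: in no computation is a immediately followed
        by b.  It suffices to inspect every reachable pair s -a-> s' -b-> s''."""
        return not any(a2 == b for s in self.reachable() for a1, t in self.succ[s]
                       if a1 == a for a2, _ in self.succ[t])


TS = TransitionSystem(STATES, ACTIONS, ARROW, INITIAL)

if __name__ == "__main__":
    run = ["S0", "H", "S1", "On-ac", "S2", "OK", "S3", "Off-ac", "S0"]
    print("run?", TS.is_run(run), "computation:", TS.computation(run))
    print("non-path S5 -Off-heat-> S6?", TS.is_path(["S5", "Off-heat", "S6"]))
    print("deterministic?", TS.is_deterministic(), "deadlocks:", TS.deadlocks())
    print("C never immediately followed by On-ac?", TS.never_immediately_followed("C", "On-ac"))
```

The reachability search is the same breadth-first exploration a model checker performs for the "is a bad state reachable?" question on slide 42; on a model this small it visits all seven states, and `deadlocks()` is empty because every state has an outgoing transition.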

Slide 43: The Verification Setting. System → (model extraction) → TS → (semantics) → Behavior of TS → check for property!

Slide 44: The Verification Setting. TS; Behavior of TS; System property = temporal logic formula φ; Models of φ. The model checker answers YES! or NO!

Slide 45: Temperature Controller (diagram with states S0, …, S6; actions C, H, On-heat, On-ac, OK, Off-ac, Off-heat).

Slide 46: It is often convenient to consider both finite and infinite computations!

Slide 47: Property: every (finite) computation that ends with "on-heat" can be extended to a computation that ends with "off-heat".

Slide 48: Linear time vs. branching time. Linear time: the (flat) set of computations. Branching time: the tree of computations; how computations branch off is kept track of.

Slide 49: Linear time vs. branching time. LTL (linear time temporal logic) and CTL (computation tree logic); these two logics are incomparable. LTL: SPIN (Bell Labs, G. Holzmann). CTL: SMV (Clarke, McMillan; CMU, Cadence Lab).

Slide 50: Network of Transition Systems. In general, the system will contain multiple components, which coordinate by communication: send/receive messages (asynchronous), or perform common actions together (synchronous, hand-shake). Hand-shake is usually a convenient abstraction.

Slide 51: Finite State Automata (FSAs) are a basic computational model. FSAs = regular languages = temporal logics. Starting point for many system design methodologies (SDL, UML, POLIS, …). Verification tools (SPIN, SMV) are available.

Slide 52: A Railway System (diagram)

Slide 53: The Gate/Train TS, graph view. Gate: open, close, Fin-Close. Train: approach, brake, proceed, left.

Slide 54: The Gate Controller TS: approach, close, Fin-Close, proceed, left, open.

Slide 55: The Signal Space. Signals between gate and controller: open, close, Fin-Close; signals between train and controller: approach, left, proceed.

Slide 56: Transition system. To model the entire system, construct the parallel composition Gate ║ Train ║ Controller (this is another TS).

Slide 57: Parallel composition…

Slides 58-64: Parallel composition, stepped through on the diagram. The three component graphs (Gate: open, close; Train: approach, proceed, brake, left; Controller: approach, close, Fin-Close, proceed, open) and the question "Enabled actions?" answered at successive global states: first proceed and Fin-Close, then left.

Slide 65: Parallel composition with the local states named: g0 (Gate), t0, t1 (Train), GC0, GC1 (Gate Controller).

Slide 66: Parallel composition. TS = TrainTS || Gate-ControllerTS || GateTS. A state of TS is a triple s = (t, GC, g). Example: (g0, t0, GC0) -approach-> (g0, t1, GC1), because t0 -approach-> t1 in the Train and GC0 -approach-> GC1 in the Gate-Controller (approach is not in the gate's alphabet, so the gate's state does not change).

Slide 67: State Space Explosion. TS = TS1 || TS2 || … || TSn. TS is presented implicitly: fix a communication convention, then present TS1, TS2, …, TSn. We wish to analyze TS and often implement TS, but constructing TS explicitly first is often hopeless. |TS_i| = 10, n = 6: |TS| = ? (worst case)
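Slides 50 and 56 to 67 describe hand-shake composition and warn that building the product first is hopeless. The Python below is an added example, not the lecture's own code: it composes Train, Gate-Controller and Gate on the fly (exploring only global states reachable from the initial triple) and checks a safety property of the kind asked on slide 42, "is a bad state reachable?". Component and action names follow the slides; the local states and the exact wiring are a constructed reading of the railway example, the communication convention is the assumed one stated in the comments, and the faulty controller is constructed to show what a violation looks like.

```python
from collections import deque

# Added example (not from the lecture): TS = Train || Gate-Controller || Gate.
# Assumed communication convention (slide 67 says one must be fixed): an action
# shared by several components happens only when all of them take it together
# (hand-shake); an action owned by one component alone (here: brake) interleaves.
# Local state names and edges are a constructed reading of slides 53-55.

def component(name, initial, edges):
    """A component TS: name, initial local state, edges [(s, action, s')]."""
    return {"name": name, "initial": initial, "edges": edges,
            "alphabet": {a for _, a, _ in edges}}

TRAIN = component("Train", "far", [
    ("far", "approach", "near"), ("near", "brake", "waiting"),
    ("near", "proceed", "in"), ("waiting", "proceed", "in"), ("in", "left", "far")])

CONTROLLER = component("Gate-Controller", "idle", [
    ("idle", "approach", "closing"), ("closing", "close", "wait-close"),
    ("wait-close", "Fin-Close", "closed"), ("closed", "proceed", "passing"),
    ("passing", "left", "opening"), ("opening", "open", "idle")])

GATE = component("Gate", "up", [
    ("up", "close", "lowering"), ("lowering", "Fin-Close", "down"), ("down", "open", "up")])


def compose_step(comps, global_state):
    """Enabled global transitions from a tuple of local states, as (action, next tuple)."""
    actions = set().union(*(c["alphabet"] for c in comps))
    for a in sorted(actions):
        nxt, ok = list(global_state), True
        for i, c in enumerate(comps):
            if a not in c["alphabet"]:
                continue                       # this component does not take part in a
            targets = [t for s, b, t in c["edges"] if s == global_state[i] and b == a]
            if not targets:
                ok = False                     # a participant cannot take a: hand-shake fails
                break
            nxt[i] = targets[0]                # the components here are deterministic
        if ok:
            yield a, tuple(nxt)


def explore(comps):
    """Reachable global states of C1 || ... || Cn, computed without building the product."""
    init = tuple(c["initial"] for c in comps)
    seen, todo = {init}, deque([init])
    while todo:
        g = todo.popleft()
        for _, t in compose_step(comps, g):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def product_bound(comps):
    """Worst case |TS| = |TS1| * ... * |TSn|: every combination of local states."""
    size = 1
    for c in comps:
        size *= len({s for s, _, _ in c["edges"]} | {t for _, _, t in c["edges"]})
    return size


def unsafe_states(comps):
    """Bad states: the train is in the crossing while the gate is not down."""
    names = [c["name"] for c in comps]
    ti, gi = names.index("Train"), names.index("Gate")
    return {g for g in explore(comps) if g[ti] == "in" and g[gi] != "down"}


# A constructed faulty controller that lets the train proceed before the gate is closed.
FAULTY_CONTROLLER = component("Gate-Controller", "idle",
                              CONTROLLER["edges"] + [("closing", "proceed", "passing")])

if __name__ == "__main__":
    comps = [TRAIN, CONTROLLER, GATE]
    print("worst-case product size:", product_bound(comps), "reachable:", len(explore(comps)))
    print("unsafe states (correct controller):", unsafe_states(comps))
    print("unsafe states (faulty controller):", unsafe_states([TRAIN, FAULTY_CONTROLLER, GATE]))
```

With these components the worst-case product has 4 × 6 × 3 = 72 global states, but only 9 are reachable, which is the gap slide 67 is pointing at (with |TS_i| = 10 and n = 6 the worst case is 10^6). The faulty controller makes (in, passing, up) reachable, so the safety check reports exactly the bad state a model checker would return as a counterexample.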

Slide 68: Timed Transition Systems = Transition Systems + clock variables. Clock variables:
- are used to record the passage of (real) time
- act like timers
- can be read
- constrain (guard) transitions through their current values
- can be reset to 0 during a transition

Slide 69: Using Clock Variables (diagram: Hot, On-ac, OK, Off-ac). Spec: turn off the AC if the temperature is OK or 5 units of time have elapsed since turning it on.

Slide 70: Using Clock Variables. The diagram gains a reset on the On-ac transition ("On-ac; x") and a second Off-ac transition guarded by x ≥ 5.

Slide 71: Using Clock Variables. Clock variable x is set to 0: "On-ac; x" is short form for "On-ac; x := 0".

Slide 72: Using Clock Variables. Clock variable x is used to form a guard: x ≥ 5.

Slide 73: Using Clock Variables. Spec extended: turn off the AC if the temperature is OK or 5 units of time have elapsed since turning it on; turn on the AC within 3 time units after receiving the Hot signal.

Slide 74: Using Clock Variables (diagram): "Hot; y", then "On-ac; x" guarded by y ≤ 3, then Off-ac on OK or guarded by x ≥ 5.

Slide 75: Using Clock Variables. The On-ac transition has three components: action On-ac, reset x, guard y ≤ 3.

Slide 76: Using Clock Variables. Do we need two clocks?

Slide 77: Using Clock Variables. NO! One clock suffices: "Hot; x", then "On-ac; x" guarded by x ≤ 3, then Off-ac on OK or guarded by x ≥ 5.

Slide 78: Timed Transitions. A timed transition is labelled "a ; X" with a guard g, where
- a is an action
- X is a set of clock variables: the clock variables set to 0
- g is a guard: a predicate based on the values of the clock variables
g ::= x ≤ c | x < c | x ≥ c | x > c | g1 ∧ g2, with x ∈ CL, the set of clock variables used by the model, and c a rational number (integer).

Slide 79: State Invariants. A clock constraint is associated with each state: the state invariant. The system can stay in the state only as long as the state's invariant is not violated. For time points which violate the invariant one expects an outgoing transition to be enabled; otherwise there is a time deadlock: the progress of time is blocked (in the model!).

Slide 80: State Invariants (diagram): s0 -a ; x-> s1 -b-> s2, with invariant x ≤ 2 on s1.

Slide 81: State Invariants. The same diagram with b guarded by x > 2. SAME AS?

Slide 82: State Invariants. With invariant x ≤ 2 on s1 and b guarded by x > 3, at (s1, x = 2.4) the behavior is undefined!

Slide 83: State Invariants. A state with invariant g and outgoing transitions guarded by g1, g2, g3: at all "times" g OR g1 OR g2 OR g3 is satisfied. If more than one outgoing transition is enabled, the choice is made non-deterministically.
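The mechanics of slides 68 to 83 (guards, resets, state invariants and time deadlock) are easy to get wrong in the head, so here is an added Python example, not code from the lecture, that replays timed traces (delays and actions) against a small timed transition system. It encodes the one-clock AC controller of slide 77 and the s0/s1/s2 invariant example of slides 80 to 82. Guards and invariants follow the slide-78 grammar as conjunctions of atoms; the guard and invariant placements are the slides', while the AC model's state names (Idle, HotSeen, Cooling, TempOK) and the guard-only variant used to answer slide 81's question are assumptions.

```python
from fractions import Fraction as F

# Added example (not from the lecture).  A constraint is a list of atoms
# (clock, op, c) joined by conjunction, matching g ::= x<=c | x<c | x>=c | x>c | g1 and g2.
# Clock values are rationals, as slide 78 allows rational constants.
OPS = {"<=": lambda v, c: v <= c, "<": lambda v, c: v < c,
       ">=": lambda v, c: v >= c, ">": lambda v, c: v > c}


def holds(g, clocks):
    """Evaluate a conjunction of atoms against a clock valuation."""
    return all(OPS[op](clocks[x], F(c)) for x, op, c in g)


class TimedTS:
    def __init__(self, clocks, initial, invariants, edges):
        self.clocks = clocks                        # CL, the clock variables of the model
        self.initial = (initial, {x: F(0) for x in clocks})
        self.inv = invariants                       # state -> constraint ([] means true)
        self.edges = edges                          # (s, guard, action, reset set, s')

    def delay(self, cfg, d):
        """Let d time units pass in state s.  Invariants here are upper bounds, hence
        convex, so checking the valuation at the end of the delay suffices."""
        s, v = cfg
        v2 = {x: t + F(d) for x, t in v.items()}
        return (s, v2) if holds(self.inv.get(s, []), v2) else None

    def fire(self, cfg, action):
        """Take an 'a ; X' transition: its guard must hold now, then clocks in X are reset
        and the target state's invariant must admit the new valuation."""
        s, v = cfg
        for src, g, a, reset, dst in self.edges:
            if src == s and a == action and holds(g, v):
                v2 = {x: (F(0) if x in reset else t) for x, t in v.items()}
                if holds(self.inv.get(dst, []), v2):
                    return (dst, v2)
        return None

    def admits(self, trace):
        """Replay a trace of delays (numbers) and actions (strings) from the initial
        configuration; True iff every step is allowed."""
        cfg = self.initial
        for step in trace:
            cfg = self.fire(cfg, step) if isinstance(step, str) else self.delay(cfg, step)
            if cfg is None:
                return False
        return True

    def time_deadlock(self, cfg):
        """Slide 79: no action is enabled at cfg and the invariant allows no further
        delay, i.e. some upper bound x <= c of the invariant is already tight."""
        s, v = cfg
        if not holds(self.inv.get(s, []), v):
            return False                            # not a legal configuration at all
        no_action = all(self.fire(cfg, a) is None for _, _, a, _, _ in self.edges)
        tight = any(op == "<=" and v[x] == F(c) for x, op, c in self.inv.get(s, []))
        return no_action and tight


# Slides 80-82: s0 -a ; x-> s1 (invariant x <= 2) -b, guard x > 3-> s2.
S_EXAMPLE = TimedTS(["x"], "s0", {"s1": [("x", "<=", 2)]},
                    [("s0", [], "a", {"x"}, "s1"), ("s1", [("x", ">", 3)], "b", set(), "s2")])

# Slide 81's question, constructed comparison: guard x > 2 on b and NO invariant on s1.
S_GUARD_ONLY = TimedTS(["x"], "s0", {},
                       [("s0", [], "a", {"x"}, "s1"), ("s1", [("x", ">", 2)], "b", set(), "s2")])

# Slide 77, one clock: Hot; x  ->  On-ac; x guarded by x <= 3  ->  Off-ac on OK or x >= 5.
# State names are assumed; the OK signal is modelled as an action leading to TempOK.
AC = TimedTS(["x"], "Idle", {},
             [("Idle", [], "Hot", {"x"}, "HotSeen"),
              ("HotSeen", [("x", "<=", 3)], "On-ac", {"x"}, "Cooling"),
              ("Cooling", [], "OK", set(), "TempOK"),
              ("TempOK", [], "Off-ac", set(), "Idle"),
              ("Cooling", [("x", ">=", 5)], "Off-ac", set(), "Idle")])

if __name__ == "__main__":
    print("Hot, 2, On-ac, 5, Off-ac admitted?", AC.admits(["Hot", 2, "On-ac", 5, "Off-ac"]))
    print("Hot, 4, On-ac admitted?", AC.admits(["Hot", 4, "On-ac"]))      # misses the 3-unit bound
    at_bound = S_EXAMPLE.delay(S_EXAMPLE.fire(S_EXAMPLE.initial, "a"), 2)
    print("time deadlock at (s1, x = 2)?", S_EXAMPLE.time_deadlock(at_bound))
    print("guard-only variant lets b fire at x = 2.4?", S_GUARD_ONLY.admits(["a", 2.4, "b"]))
```

Replaying traces shows the two roles of a clock directly: the x ≤ 3 guard rejects "Hot, 4, On-ac", and the x ≥ 5 guard rejects an early Off-ac unless OK has occurred. It also answers slide 81: an invariant x ≤ 2 on s1 and a guard x > 2 on b are not the same thing, because the guard-only variant lets time pass in s1 indefinitely and then fires b, whereas the invariant forbids reaching x = 2.4 at all; combined with the guard x > 3 of slide 82 it leaves (s1, x = 2) with no enabled action and no permitted delay, which is the time deadlock of slide 79.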

Slide 84: Timed transition systems and automata. How do we model real-time systems? How do we specify (real-time) behavioral properties? How do we verify behavioral properties? What is the behavior of a timed transition system?