1 Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania

2 Model Checker Advantages Automated formal verification, Effective debugging tool Traditional: Finite-state systems (Boolean vars) Enumerative search with reduction heuristics: Spin, Murphi Symbolic search using BDDs: SMV, Cospan, VIS, Mocha Hybrid and Real-Time Systems Continuous variables make state-space infinite Timed automata: Decidability results, Efficient symbolic data structures model temporal property yes error-trace

3 Talk Outline  Timed Automata: Syntax and Semantics  Specification Logic: Timed CTL  Decidability: Region-based partitioning  Efficient Implementation: Zones and DBMs UPPAAL ( Talk draft: Thanks to Kim Larsen and Paul Pettersson

4 UPPAAL

5 OffLightBright press?Press? press? Press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. Timed Automata Intelligent Light Control

6 OffLightBright Solution: Add real-valued clock x X:=0 X<=3 X>3 press?Press? press? Press?

7 Timed Automata n m a (Alur & Dill 1990) Clocks: x, y x 3 x := 0 Guard Boolean combination of comparisons with integer bounds Reset Action performed on clocks ( n, x=2.4, y= ) ( n, x=3.5, y= ) e(1.1) Transitions ( n, x=2.4, y= ) ( m, x=0, y= ) a State ( location, x=v, y=u ) where v,u are in R Action used for synchronization

8 n m a Clocks: x, y x 3 x := 0 Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) e(1.1) ( n, x=2.4, y= ) e(3.2) x<=5 y<=10 Location Invariants g1 g2 g3 g4 Invariants ensure progress!! Timed Safety Automata Timed Automata + Invariants (Henzinger et al, 1992)

9 Clock Constraints What can you express: Constant lower and upper bounds on delays Why the restricted syntax: slight generalizations (e.g. allowingx=2y) lead to undecidable model checking problems

10 Timed (Safety) Automata

11 Light Switch zSwitch may be turned on whenever at least 2 time units has elapsed since last “turn off” zLight automatically switches off after 9 time units. push click

12 Semantics zclock valuations: zstate: zSemantics of timed automata is a labeled transition system where zaction transition zdelay Transition g a r ll’

13 Semantics: Example push click

14 Timed Automata in U PPAAL Communicating Timed Safety Automata + urgent actions + urgent locations (i.e. zero-delay locations) + committed locations (i.e. zero-delay and atomic locations) + data-variables (integers with bounded domains) + arrays of data-variables + guards and assignments over data-variables and arrays... Larsen et al, 1996

15 TCTL = CTL + Time constraints over formula clocks and automata clocks “freeze operator” introduces new formula clock z E[  U  ], A[  U  ] - like in CTL No EX  Alur, Courcoubetis, Dill, 1991

16 Derived Operators Along any path  holds continuously until within 7 time units  becomes valid. = = The property  becomes valid within 5 time units.

17 TCTL Semantics s - location w - formula clock valuation P M (s) - set of paths from s Pos(  ) - positions in  ,i) - elapsed time  (i,d) <<(i’,d’) iff (i<j) or ((i=j) and (d<d’))

18 Timeliness Properties receive(m) occurs within 5 time units after send(m) receive(m) occurs exactly 11 time units after send(m) putbox occurs periodically (exactly) every 25 time units (note: other putbox’s may occur in between)

19 A1 B1 CS1 V:=1V=1 A2 B2 CS2 V:=2V=2 Init V=1 2 ´´ V Criticial Section Fischer’s Protocol A simple MUTEX Algorithm

20 A1 B1 CS1 V:=1V=1 A2 B2 CS2 V:=2V=2 Init V=1 2 ´´ V Criticial Section Fischer’s Protocol A simple MUTEX Algorithm Y<1 X:=0 Y:=0 X>1 Y>1 X<1

21 Infinite State Space?

22 Regions Finite partitioning of state space x y ”Desired equivalence”

23 Regions Finite partitioning of state space x y Definition An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

24 Regions Finite partitioning of state space x y An equivalence class (i.e. a region) Successor regions, Succ(r) r Reset regions {y}r {x}r

25 Properties of Regions  The region equivalence relation  is a time- abstract bisimulation:  Action transitions: If w  v and (l,w) -a-> (l’,w’) for some w’, then  v’  w’ s.t. (l,v) -a-> (l’,v’)  Delay transitions: If w  v then for all real numbers d, there exists d’ s.t. w+d  v+d’  If w  v then (l,w) and (l,v) satisfy the same TCTL formulas

26 Region graph of a simple timed automata

27 Fischers again A1 B1 CS1 V:=1V=1 A2 B2 CS2 V:=2V=2 Y<1 X:=0 Y:=0 X>1 Y>1 X<1 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Untimed case A1,A2,v=1 x=y=0 A1,A2,v=1 0 <x=y <1 A1,A2,v=1 x=y=1 A1,A2,v=1 1 <x,y A1,B2,v=2 0 <x<1 y=0 A1,B2,v=2 0 <y < x<1 A1,B2,v=2 0 <y < x=1 y=0 A1,B2,v=2 0 <y<1 1 <x A1,B2,v=2 1 <x,y A1,B2,v=2 y=1 1 <x A1,CS2,v=2 1 <x,y No further behaviour possible!! Timed case Partial Region Graph

28 Roughly speaking.... Model checking a timed automata against a TCTL-formula amounts to model checking its region graph against a CTL-formula Model checking a timed automata against a TCTL-formula amounts to model checking its region graph against a CTL-formula

29 Problem to be solved   Model Checking TCTL is PSPACE-complete

30 Zones Symbolic computation State (n, x=3.2, y=2.5 ) x y x y Symbolic state (set ) (n, ) Zone: conjunction of x-y n

31 Symbolic Transitions n m x>3 y:=0 x y delays to x y x y conjuncts to x y projects to 1<=x<=4 1<=y<=3 1<=x, 1<=y -2<=x-y<=3 3<x, 1<=y -2<=x-y<=3 3<x, y=0 Thus (n,1 (m,3<x, y=0) a

32 Forward Rechability Passed Waiting Final Init INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Init -> Final ?

33 Forward Rechability Passed Waiting Final Init n,Z INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting n,Z’ Init -> Final ?

34 Forward Rechability Passed Waiting Final Init n,Z INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting n,Z’ m,U Init -> Final ?

35 Forward Rechability Passed Waiting Final Init INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting n,Z’ m,U n,Z Init -> Final ?

36 Bellman 1958, Dill 1989 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 D1 D2 When are two sets of constraints equivalent? x x 0 y z Shortest Path Closure Shortest Path Closure 0 y z x y z x y z Graph Canonical Dastructures for Zones Difference Bounded Matrices

37 Difference Bounds Matrices  Matrix representation of constraints (bounds on a single clock or difference betn 2 clocks)  Reduced form obtained by running all-pairs shortest path algorithm  Reduced DBM is canonical  Operations such as reset, time-successor, inclusion, intersection are efficient  Popular choice in timed-automata-based tools

38 Summary  Applications of Uppaal and Kronos  Philips bounded retransmission protocol  Asynchronous circuits (STARI communication)  Timing analysis of Esterel+C code  Research theme 1: Efficient representation of Clock constraints + Boolean constraints  Research theme 2: Automatic abstractions of complex dynamics by timed automata