1. Timed Automata II
CS 5270 Lecture 5
Lecture5

2. Goals Timed Transition Systems: UPPAAL Review Definition
Timed behaviors.
Parallel composition
Reachability
UPPAAL
Lecture5

3. Timed Transition Systems
Transition Systems + Clock Variables.
Clock variables.
Used to record the passage of (real) time.
Act like Timers.
Can be read.
Transitions constrained (guarded) by current values of clock variables.
Can be reset to 0 during a transition.
Continue to evolve (in real time) until reset.
Lecture5

4. Using Clock Variables Hot; y y ≤ 2 On-ac; x OK Off-ac Off-ac x  5
Spec. :
Turn off ac if the temperature is OK or any time after 5 units of time has elapsed since turning it on.
Turn on ac within 2 time units after receiving Hot signal.
Lecture5

5. Using Clock Variables Hot; y y ≤ 2 On-ac; x OK Off-ac Off-ac x  5
Three components:
Action on-ac
Reset x
Guard y ≤ 2
Lecture5

6. Using Clock Variables Hot; y y ≤ 2 On-ac; x OK Off-ac Off-ac x ¸ 5
Three components:
Action on-ac
Reset x In general, more than one clock can be reset.
Guard y ≤ 2 In general, more than one constraint can be used.

7. Timed Transitions a ; X g a, an action
X, a set of clock variables; the clock variables set to 0.
g, a guard; a predicate based on the values of the clock variables.

8. State Invariants
A clock constraint is associated with each state: state invariant
The system can stay in the state only as long as the state’s invariant is not violated.
For time points which violate the invariant one expects an output transition to be enabled.
Otherwise a time deadlock.
The progress of time is blocked (in the model!).
Lecture5

9. State Invariants
x ≤ 2 b
a ; x
Lecture5

10. State Invariants SAME AS b a ; x x ≤ 2 b a ; x x > 2 17.02.05
Lecture5

11. State Invariants s1 s2 s0 b a ; x x ≤ 2 x > 3
At (s1, x = 2.4) the behavior is undefined!
Lecture5

12. State Invariants g g1 g2 g3
At all “times” g OR g1 OR g2 OR g3 is satisfied.
If more than one output transition is enabled, the choice is made non-deterministically.
Lecture5

13. Timed Transition Systems: Definition
Clock Constraints:
X, a finite set of clocks (clock variables).
x  X
 (X), the set of clock constraints over X.
(X) = x ≤ c | x ≥ c | x < c | x >c | 1  2 |
c  Q
Q , the set of non-negative rational numbers.
2X --- The set of subsets of X
X = {x, y} 2X = { , {x}, {y}, {x, y} }
Lecture5

14. Timed Transition Systems
TTS = (S, sin, Act, X, I, )
S is a finite set of states.
sin, initial state
Act, a finite set of actions
X, a finite set of clock variables.
I : S (X), assigns a clock invariant to each state.
  S  Act  2X  (X)  S , the transition relation.
Lecture5

15. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3
x > 2  y  3
(s0, add, {x}, True, s1) is a transition in TTS.

16. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
X = {x0, x1,..xn}
True = x0 ≥ 0
X = {x, y} True = x  0
(s0, add, {x}, True, s1) is a transition in TTS.

17. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2 
(s1, data, {y}, True, s2) is a transition in TTS.
(s2, ack.add, ;, x > 2, s3) is a transition in TTS.
(s3, ack.data, ;, y ≤ 5, s0) is a transition in TTS

18. Behaviors s3 c b a s0 s1 s2 d s4 s0 a s1 b s2 c s3 s0 a s1 b s2 d s4
Are both paths (runs).
Lecture5

19. Behaviors s3 c x < 1 b a ; x s0 s1 s2 x = 1 x ≥ 2 d s4
s0 a s1 b s2 c s3 is NOT a run!
s0 a s1 b s2 d s4 is a run.
Computing behaviors is difficult.
Lecture5

20. Behaviors TTS = (S, sin, Act, X, I, )
We associate a “normal” transition system with TTS while taking time into account:
TSTTS = (S, sin, Act  R, )
R, non-negative reals
  S  Act  R  S
TSTTS is, almost always, an infinite transition system!
Lecture5

21. Behaviors TTS = (S, sin, Act, X, I, ) TSTTS = (S, sin, Act  R, )
S = S  V
V --- Valuations
A valuation says what the current values of each clock variable is.
v : X R
Lecture5

22. Behaviors s3 c x < 1 b a ; x s0 s1 s2 x = 1 x ≥ 2 d s4
(s1, 0) (s2, 1.8) (s4, ) are t-states.
(s3, 5) is a t-state but not reachable.
Lecture5

23. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s1, (2, 5) ) is a state; (s1, V) V(x) = 2 V(y) = 5
(s2, V’) is a state. V’(x) = 15 V’(y) = 0 (s2, (15, 0) )
Lecture5

24. Behaviors TTS = (S, sin, Act, X, I, !) TSTTS = (S, sin, Act  R, )
R, non-negative reals
  S  Act  R  S
S = S  V
sin = (sin, VZERO)
VZERO (x) = 0 for every x in X.
Lecture5

25. Behaviors There will be two types of transitions. Time pass move:
(s, v)  (s, v’)
t units of time pass starting from V.
V’ (x) = V(x) + t for every x.
Instantaneous transition.
(s, v)  (s’, v’)
Some transition in the timed automaton is taken at v; the guard is satisfied; v’ is the same as v except for resets. t a
Lecture5

26. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2 1
Time- passing move?

27. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2 1
Time- passing move?

28. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s1, (0, 5))
(s1, (0, 5) )
Time- passing move?

29. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2 2
Time- passing move?

30. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s1, (0, 3)) a transition in TS?

31. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s3, (0, 3)) a transition in TS?

32. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s1, (0, 4)) a transition in TS?

33. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s1, (0, 0)) a transition in TS?

34. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
Is this possible?
data
(s2, (0, 0) )

35. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2

36. Example add ; x (s0, (0, 0)) s0 s1 .8 1 ………….. data ; y (s0, (.8, .8))
ack.data
ack.add s2 s3
x > 2
TSTTS will have (uncountably) infinite number of states and transitions.

37. Timed Behaviors TTS = (S, S0, Act, X, I, !)
TSTTS = (S, sin, Act  R, )
The timed behavior of TTS is defined as the behavior of TSTTS
Runs
computations
Lecture5

38. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s0, (0, 0)) (s0, (1.6, 1.6)) add (s1, (0, 1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0)) ..…

39. Timed Behaviors
Two consecutive time-passing moves can be amalgamated into one time passing move.
(s1, (2,5)) 2 (s1, (4, 7)) 1.3 (s1, (5.3, 8.3)) can also be recorded as :
(s1, (2,5)) 3.3 (s1, (5.3, 8.3))
(s, V) 1 (s, V+1) 2 (s, (V+1)+2) can also be recorded as:
(s, V) 1+2 (s, V+(1+2))
Lecture5

40. Timed Computations TTS = (S, S0, Act, X, I, !)
TSTTS = (S, S0, Act [ R, ))
(s0, V0) 0 (s0, V0’) a0 (s1, V1) 1 (s1, V1’) a1 (s2, V2) …… induces the timed computation
(a0, 0) (a1, 0+ 1) …… (an, 0+1+..n)
Transition systems --- Computations
Timed Transition Systems ---
Timed Computations.
Lecture5

41. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s0, (0, 0)) (s0, (1.6, 1.6)) add (s1, (0, 1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0))
(add, ? ) (data, ?) ….

42. Example add ; x s0 s1 data ; y y ≤ 5 ack.data ack.add s2 s3 x > 2
(s0, (0, 0)) (s0, (1.6, 1.6)) add (s1, (0, 1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0))
(add, 1.6 ) (data, 3.6) ….

43. Example add ; x data ; y y ≤ 5 ack.data ack.add x > 2
(add, 1) (d, 10) (ack.a , 3) A timed computation?
Lecture5

44. Example add ; x data ; y y ≤ 5 ack.data ack.add x > 2
(add, 1) (d, 10) (ack.a , 3) A tmed computation?
No! Time must increase monotonically.
Lecture5

45. Example add ; x data ; y y ≤ 5 ack.data ack.add x > 2
(a, 1) (ack.a , 3) (d, 10) A timed computation?
Lecture5

46. Example add ; x data ; y y ≤ 5 ack.data ack.add x > 2
(a, 1) (ack.a , 3) (d, 10) A timed computation?
No! The order of execution must respect the specification!

47. Example add ; x data ; y y ≤ 5 ack.data ack.add x > 2
(a, 1) (d, 1) (ack.add, 10) A time computation?
Lecture5

48. Example add ; x data ; y y ≤ 5 ack.data ack.add x > 2
(a, 1) (d, 1) (ack.add, 10) A timed computation?
Yes! Transitions are assumed to take zero time.
Must rule out an infinite number of occurrences in finite time.
Lecture5

49. Zeno Computations a b x < 1
… (b, ½) ….(b, 3/4) ….(b, 15/16) …. (b, 31/32)….
We must define computations of timed transition systems carefully!
Lecture5

50. Parallel Composition TTS = TTS_1 || TTS_2 || …… || TTS_n
Same principle as before:
Do common actions together
Take union of clock variables.
Take conjunction of the guards!
Lecture5

51. Reachability of Control States
For a finite TS it is trivial to decide whether s is reachable in TS.
For finite TTS, whether s is reachable in TTS is not easy to decide because TSTTS is an infinite object!
But this can be done and this verification process can be automated.
More involved (liveness) properties can also be verified effectively but not always efficiently.
Lecture5

52. An introduction to UPPAAL
CS Feb 2005Lecture5

53. What is UPPAAL?
A toolbox for modeling, simulation and verification of real-time systems
Developed jointly by Uppsala University and Aalborg University
Often used for real-time controllers, communication protocols, etc.
Consists of 3 main parts
a system description
a simulator
a verifier
Lecture5

54. System Description
Lecture5

55. System Description A system in UPPAAL: a set of concurrent processes
A process: a timed-automaton with:
Clocks and data variables
data variables: int, bool, array of int/bool
Scopes: global or local (to a process)
Both clocks and data variables!
Guards (on transitions) and invariants (on locations) are conditions on data variables and clocks
Lecture5

56. System Description
Synchronization actions are described using communication channels
Two processes communicate with each other via global data variables or synchronization on communication channels
Lecture5

57. System Description A system description in UPPAAL is composed of
Global declarations
Process templates
Process assignments
A system definition
Lecture5

58. System Description
Overview of UPPAAL
Lecture5

59. Global declarations
All the clocks, variables, constants and channels declared here are visible to all the processes in the system
Lecture5

60. Global declarations clock x, y; const a 1; int a; int[1,10] b := 2;
two clocks x and y
const a 1;
a constant a with value 1
int a;
an integer variable a in the default range from to 32767
int[1,10] b := 2;
an integer variable b in the range 1,…,10 that is initialized to 2
int a[2][3] := {{0,1,2},{3,4,5}};
a two dimensional integer array a default range and its initialization
bool a[3], b[5];
two bit arrays a and b, with 3 and 5 elements respectively.
Lecture5

61. Global Declarations chan d; urgent chan d; broadcast chan e;
A communication channel d
Actions performed by two processes when they synchronize with each other on channel d are denoted as d! (sending) and d? (receiving)
urgent chan d;
When two processes are able to synchronize on channel d, they have to do it immediately.
No guard is allowed on transitions labeled with synchronization actions (eg. d!,d?) on urgent channels
broadcast chan e;
Allows 1-to-many synchronization
A transition with label e! emits a broadcast on the channel e.
Any enabled transition with label e? will synchronise with the emitting process. No guard is allowed on these transitions
Lecture5

62. Process Templates
Define a common control structures for the processes that are alike
Each process is an instantiation of a template
Each template can have
symbolic variables and constants as parameters
Parameters are syntactically similar to declarations, but with no initializations
Eg. clock x, y; int i1, i2; chan a, b
local clocks and variables
Declared in the same way as global clocks and variables
Lecture5

63. Declare symbolic constants and variables here! Name of the template
Process Templates
Draw the structure of the template here!
Lecture5

64. Process Templates
All clocks, variables, constants declared here are visible to process template P only
Lecture5

65. Process Templates
An example of process template
Lecture5

66. Process Templates Locations
3 types: normal (with/without invariant), committed(C), urgent (U)
When the system enters a committed location, it must leave the location immediately:
Just a way of breaking up the effect of a transition into a sequence of steps.
urgent location: Only 0 units of time can be spent in this location.
Lecture5

67. example
Lecture5

68. Process Templates A guard Timing expression: x ~ e or x – y ~ e
A conjunction of timing and data expressions
Written as a list of expressions, separated by commas
x < y, x <= 5, (a[0] + 1) != (a[1]*5)
Timing expression: x ~ e or x – y ~ e
x, y : clocks; e: an integer expression
~  { <=, >=, ==, <, > }
Data expression:
involves constants and variables
same as in C/C++/Java
Lecture5

69. Process Templates Invariants Updates
Same as guards, with no lower bounds on clocks
Updates
A list of assignment expressions
Each assignment is of the form: x := e or a := e’
In x: = e, almost always e is 0.
x: a clock
a: a variable
e: an integer expression
e’: a data expression
Evaluated sequentially
a := 1, b := 2*a sets a to 1, b to 2.
Lecture5

70. Process Assignments Declare instances of process templates
Each assignment has the form P := T(A);
P : a process name
T : a process template name
A : an argument list
Examples:
P := Q();
Process P is an instance of template Q that has no parameter
S:=R(x,1);
Process S is an instance of template R that has two parameters - a clock and a constant
Lecture5

71. Process Assignments
Instantiate your processes here!
Lecture5

72. System Definition Declare the set of processes in the system
Eg. system P, Q;
A system consists of two processes P and Q
Each process in the system must be either
a process that appears on the left-hand-side of a process assignment, or
a template with no parameter
Lecture5

73. Simulator
Lecture5

74. Simulator A validation tool that Interface: divided into 4 sub-windows
allows users to interact and observe the behavior of the system during execution
visualise executions (i.e. symbolic traces) generated by the verifier
Interface: divided into 4 sub-windows
Simulation control
Variable window
Process window
Message Sequence Chart
Lecture5

75. Message sequence chart simulator control variable window
process window
Message sequence chart
simulator control
variable window
Lecture5

76. Simulator Control
Used to control the simulation and to select the (symbolic) state or transition to be visualized
Upper part: for step-by-step simulation
Displays all enabled transitions
Enables users to select an enabled transition to be fired
Lower part: displays the generated trace
A trace is an alternating sequence of location vectors and transitions.
Lecture5

77. Simulation Control use the mouse to select the transition to be fired
press “Reset” resets the simulated system to its initial state
press “Next” causes the system to fire the selected transition
Lecture5

78. Simulation Control
the simulation always progresses from this highlighted element
press “Prev” to highlight the element immediately preceding the current selection in the trace.
press “Replay” to replay the trace starting from the currently selected element.
press “Open” to open a file selector window for loading a trace from file.
Lecture5
control the speed of simulation

79. Variable window
Displays the values of data and clocks in the current state or transition selected in the trace
Lecture5

80. Process window Displays the process instances of the system
The current location of each automaton is marked with a red token
The transitions currently selected in the simulation control panel are highlighted
Lecture5

81. the selected transition
Lecture5

82. Message Sequence Chart
Displays an MSC view of the generated trace
a vertical lines for each process
a horizontal line for each synchronisation point.
synchronization point
Lecture5

83. Verifier
Lecture5

84. Verifier Used to check invariant and liveness properties of the system
Requirement Specification Language
A[ ] p
For all paths, p always holds
E<> p
There exists a path where p will eventually hold
E[ ] p
There exists a path where p always holds
A<> p
For all paths, p will eventually hold
p --> q
Whenever p holds, q will eventually hold
p : an expression that has no side-effect or state formula (conjunction of state locations)
Lecture5

85. Verifier Examples A[] not deadlock E<> p1.cs and p2.cs
true if the system is not deadlocked.
E<> p1.cs and p2.cs
true if the system can reach a state where both process p1 and p2 are in their locations cs.
A[ ] p1.cs imply not p2.cs
true if whenever process p1 is in its location cs, the process is not in its location cs.
Lecture5

86. Press to verify the selected property
The selected property to be verified
Insert a new property
Remove the selected property
Show the comments in overview window
the system is deadlock free
verification results are shown here!
Lecture5

87. Downloading UPPAAL http://www.uppaal.com Version 3.4.7
You must use the Windows platform version!
References
Demos provided in the software
Papers and tutorials can be downloaded from the website (under Documentation section)
Lecture5