Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania.

Published byKenneth Reynolds Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania."— Presentation transcript:

1 1 Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania

2 2 Model Checker Advantages Automated formal verification, Effective debugging tool Traditional: Finite-state systems (Boolean vars) Enumerative search with reduction heuristics: Spin, Murphi Symbolic search using BDDs: SMV, Cospan, VIS, Mocha Hybrid and Real-Time Systems Continuous variables make state-space infinite Timed automata: Decidability results, Efficient symbolic data structures model temporal property yes error-trace

3 3 Talk Outline  Timed Automata: Syntax and Semantics  Specification Logic: Timed CTL  Decidability: Region-based partitioning  Efficient Implementation: Zones and DBMs UPPAAL (www.docs.uu.se/docs/rtmv/uppaal) Talk draft: Thanks to Kim Larsen and Paul Pettersson

4 4 UPPAAL

5 5 OffLightBright press?Press? press? Press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. Timed Automata Intelligent Light Control

6 6 OffLightBright Solution: Add real-valued clock x X:=0 X<=3 X>3 press?Press? press? Press?

7 7 Timed Automata n m a (Alur & Dill 1990) Clocks: x, y x 3 x := 0 Guard Boolean combination of comparisons with integer bounds Reset Action performed on clocks ( n, x=2.4, y=3.1415 ) ( n, x=3.5, y=4.2415 ) e(1.1) Transitions ( n, x=2.4, y=3.1415 ) ( m, x=0, y=3.1415 ) a State ( location, x=v, y=u ) where v,u are in R Action used for synchronization

8 8 n m a Clocks: x, y x 3 x := 0 Transitions ( n, x=2.4, y=3.1415 ) ( n, x=3.5, y=4.2415 ) e(1.1) ( n, x=2.4, y=3.1415 ) e(3.2) x<=5 y<=10 Location Invariants g1 g2 g3 g4 Invariants ensure progress!! Timed Safety Automata Timed Automata + Invariants (Henzinger et al, 1992)

9 9 Clock Constraints What can you express: Constant lower and upper bounds on delays Why the restricted syntax: slight generalizations (e.g. allowingx=2y) lead to undecidable model checking problems

10 10 Timed (Safety) Automata

11 11 Light Switch zSwitch may be turned on whenever at least 2 time units has elapsed since last “turn off” zLight automatically switches off after 9 time units. push click

12 12 Semantics zclock valuations: zstate: zSemantics of timed automata is a labeled transition system where zaction transition zdelay Transition g a r ll’

13 13 Semantics: Example push click

14 14 Timed Automata in U PPAAL Communicating Timed Safety Automata + urgent actions + urgent locations (i.e. zero-delay locations) + committed locations (i.e. zero-delay and atomic locations) + data-variables (integers with bounded domains) + arrays of data-variables + guards and assignments over data-variables and arrays... Larsen et al, 1996

15 15 TCTL = CTL + Time constraints over formula clocks and automata clocks “freeze operator” introduces new formula clock z E[  U  ], A[  U  ] - like in CTL No EX  Alur, Courcoubetis, Dill, 1991

16 16 Derived Operators Along any path  holds continuously until within 7 time units  becomes valid. = = The property  becomes valid within 5 time units.

17 17 TCTL Semantics s - location w - formula clock valuation P M (s) - set of paths from s Pos(  ) - positions in  ,i) - elapsed time  (i,d) <<(i’,d’) iff (i<j) or ((i=j) and (d<d’))

18 18 Timeliness Properties receive(m) occurs within 5 time units after send(m) receive(m) occurs exactly 11 time units after send(m) putbox occurs periodically (exactly) every 25 time units (note: other putbox’s may occur in between)

19 19 A1 B1 CS1 V:=1V=1 A2 B2 CS2 V:=2V=2 Init V=1 2 ´´ V Criticial Section Fischer’s Protocol A simple MUTEX Algorithm

20 20 A1 B1 CS1 V:=1V=1 A2 B2 CS2 V:=2V=2 Init V=1 2 ´´ V Criticial Section Fischer’s Protocol A simple MUTEX Algorithm Y<1 X:=0 Y:=0 X>1 Y>1 X<1

21 21 Infinite State Space?

22 22 Regions Finite partitioning of state space x y ”Desired equivalence” 123 1 2

23 23 Regions Finite partitioning of state space x y Definition An equivalence class (i.e. a region) in fact there is only a finite number of regions!! 123 1 2

24 24 Regions Finite partitioning of state space x y An equivalence class (i.e. a region) Successor regions, Succ(r) r 123 1 2 Reset regions {y}r {x}r

25 25 Properties of Regions  The region equivalence relation  is a time- abstract bisimulation:  Action transitions: If w  v and (l,w) -a-> (l’,w’) for some w’, then  v’  w’ s.t. (l,v) -a-> (l’,v’)  Delay transitions: If w  v then for all real numbers d, there exists d’ s.t. w+d  v+d’  If w  v then (l,w) and (l,v) satisfy the same TCTL formulas

26 26 Region graph of a simple timed automata

27 27 Fischers again A1 B1 CS1 V:=1V=1 A2 B2 CS2 V:=2V=2 Y<1 X:=0 Y:=0 X>1 Y>1 X<1 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Untimed case A1,A2,v=1 x=y=0 A1,A2,v=1 0 <x=y <1 A1,A2,v=1 x=y=1 A1,A2,v=1 1 <x,y A1,B2,v=2 0 <x<1 y=0 A1,B2,v=2 0 <y < x<1 A1,B2,v=2 0 <y < x=1 y=0 A1,B2,v=2 0 <y<1 1 <x A1,B2,v=2 1 <x,y A1,B2,v=2 y=1 1 <x A1,CS2,v=2 1 <x,y No further behaviour possible!! Timed case Partial Region Graph

28 28 Roughly speaking.... Model checking a timed automata against a TCTL-formula amounts to model checking its region graph against a CTL-formula Model checking a timed automata against a TCTL-formula amounts to model checking its region graph against a CTL-formula

29 29 Problem to be solved   Model Checking TCTL is PSPACE-complete

30 30 Zones Symbolic computation State (n, x=3.2, y=2.5 ) x y x y Symbolic state (set ) (n, ) Zone: conjunction of x-y n

31 31 Symbolic Transitions n m x>3 y:=0 x y delays to x y x y conjuncts to x y projects to 1<=x<=4 1<=y<=3 1<=x, 1<=y -2<=x-y<=3 3<x, 1<=y -2<=x-y<=3 3<x, y=0 Thus (n,1 (m,3<x, y=0) a

32 32 Forward Rechability Passed Waiting Final Init INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Init -> Final ?

33 33 Forward Rechability Passed Waiting Final Init n,Z INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting n,Z’ Init -> Final ?

34 34 Forward Rechability Passed Waiting Final Init n,Z INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting n,Z’ m,U Init -> Final ?

35 35 Forward Rechability Passed Waiting Final Init INITIAL Passed := Ø; Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting n,Z’ m,U n,Z Init -> Final ?

36 36 Bellman 1958, Dill 1989 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 D1 D2 When are two sets of constraints equivalent? x x 0 y z 12 2 9 Shortest Path Closure Shortest Path Closure 0 y z 12 2 5 0 x y z 12 2 7 0 x y z 12 2 5 3 3 3 Graph Canonical Dastructures for Zones Difference Bounded Matrices

37 37 Difference Bounds Matrices  Matrix representation of constraints (bounds on a single clock or difference betn 2 clocks)  Reduced form obtained by running all-pairs shortest path algorithm  Reduced DBM is canonical  Operations such as reset, time-successor, inclusion, intersection are efficient  Popular choice in timed-automata-based tools

38 38 Summary  Applications of Uppaal and Kronos  Philips bounded retransmission protocol  Asynchronous circuits (STARI communication)  Timing analysis of Esterel+C code  Research theme 1: Efficient representation of Clock constraints + Boolean constraints  Research theme 2: Automatic abstractions of complex dynamics by timed automata

Download ppt "1 Model Checking of of Timed Systems Rajeev Alur University of Pennsylvania."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.

Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de.
Timed Automata Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ SFM-RT, Bertinoro, Sept 2004.

Timed Automata Rajeev Alur University of Pennsylvania SFM-RT, Bertinoro, Sept 2004.
Real-Time Systems, DTU, Feb 15, 2000 Paul Pettersson, BRICS, Aalborg, Denmark. Timed Automata and Timed Computation Tree Logic Paul Pettersson

Real-Time Systems, DTU, Feb 15, 2000 Paul Pettersson, BRICS, Aalborg, Denmark. Timed Automata and Timed Computation Tree Logic Paul Pettersson
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Regions Finite Partitioning of State Space x y An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

Regions Finite Partitioning of State Space x y An equivalence class (i.e. a region) in fact there is only a finite number of regions!!
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
UPPAAL T-shirt to (identifiable)

UPPAAL T-shirt to (identifiable)
CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ 85287 Dr. Yann-Hang Lee

CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ Dr. Yann-Hang Lee
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.

Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.

Similar presentations

Ads by Google