- Number of slides: 38
Model Checking of Timed Systems. Rajeev Alur, University of Pennsylvania 1
Model checker: input a model and a temporal property, output yes or an error trace. Advantages: automated formal verification, effective debugging tool. Traditional: finite-state systems (Boolean vars). Enumerative search with reduction heuristics: Spin, Murphi. Symbolic search using BDDs: SMV, Cospan, VIS, Mocha. Hybrid and real-time systems: continuous variables make the state space infinite. Timed automata: decidability results, efficient symbolic data structures 2
Talk Outline: Timed Automata: Syntax and Semantics; Specification Logic: Timed CTL; Decidability: region-based partitioning; Efficient Implementation: zones and DBMs; UPPAAL (www.docs.uu.se/docs/rtmv/uppaal). Talk draft: thanks to Kim Larsen and Paul Pettersson 3
UPPAAL 4
Timed Automata: Intelligent Light Control. Locations Off, Light, Bright, connected by press? transitions (Off to Light to Bright and back). WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. 5
Timed Automata: Intelligent Light Control. Off -press?, x:=0-> Light; Light -press?, x<=3-> Bright; Light -press?, x>3-> Off; Bright -press?-> Off. Solution: add a real-valued clock x 6
Timed Automata (Alur & Dill 1990). Clocks: x, y. Guard: Boolean combination of comparisons with integer bounds, e.g. x<=5 & y>3. Action a: used for synchronization. Reset: action performed on clocks, e.g. x:=0. State: (location, x=v, y=u) where v, u are in R. Transitions: action transition (n, x=2.4, y=3.1415) -a-> (m, x=0, y=3.1415); delay transition (n, x=2.4, y=3.1415) -e(1.1)-> (n, x=3.5, y=4.2415) 7
Timed Safety Automata (Henzinger et al, 1992): Timed Automata + Invariants. Clocks: x, y; guard x<=5 & y>3 with reset x:=0 on the edge from n to m; location invariant y<=10 on m; guards g1, g2, g3, g4. Transitions: action (n, x=2.4, y=3.1415) -a-> (m, ...); delays e(3.2), e(1.1): (n, x=2.4, y=3.1415) -e(1.1)-> (n, x=3.5, y=4.2415). Invariants ensure progress!! 8
Clock Constraints. What can you express: constant lower and upper bounds on delays. Why the restricted syntax: slight generalizations (e.g. allowing x=2y) lead to undecidable model checking problems 9
Timed (Safety) Automata 10
Light Switch (actions push, click). Switch may be turned on whenever at least 2 time units have elapsed since the last “turn off”. Light automatically switches off after 9 time units. 11
Semantics. Clock valuations; states (location plus clock valuation). The semantics of a timed automaton is a labeled transition system with two kinds of transitions: action transition l -g,a,r-> l’ (guard g, action a, reset set r); delay transition 12
Semantics: Example push click push 13
Larsen et al, 1996. Timed Automata in UPPAAL: Communicating Timed Safety Automata + urgent actions + urgent locations (i.e. zero-delay locations) + committed locations (i.e. zero-delay and atomic locations) + data variables (integers with bounded domains) + arrays of data variables + guards and assignments over data variables and arrays . . . 14
TCTL = CTL + Time (Alur, Courcoubetis, Dill, 1991). Constraints over formula clocks and automata clocks; the “freeze operator” introduces a new formula clock z. E[f U f], A[f U f] as in CTL. No EX f 15
Derived Operators = Along any path f holds continuously until within 7 time units y becomes valid. = The property f becomes valid within 5 time units. 16
TCTL Semantics. s - location; w - formula clock valuation; PM(s) - set of paths from s; Pos(s) - positions in s; D(s, i) - elapsed time; (i, d) << (i’, d’) iff (i
Timeliness Properties receive(m) occurs within 5 time units after send(m) receive(m) occurs exactly 11 time units after send(m) putbox occurs periodically (exactly) every 25 time units (note: other putbox’s may occur in between) 18
Fischer’s Protocol: a simple MUTEX algorithm. Shared variable V. Locations: Init (V=1), A2, B1 (V:=1), B2 (V:=2), Critical Section CS1 (V=1), CS2 (V=2) 19
Fischer’s Protocol: a simple MUTEX algorithm. Shared variable V, clocks X, Y. Init (V=1), A2; guards X<1, Y<1; V:=2; X:=0; X>1 to B1; Y:=0 to B2; Y>1; Critical Section CS1 (V=1), CS2 (V=2) 20
Infinite State Space? 21
Regions: finite partitioning of state space. ”Desired equivalence” (figure: x-y clock plane, x in 0..3, y in 0..2) 22
Regions: finite partitioning of state space. Definition (figure: x-y clock plane): an equivalence class (i.e. a region). In fact there is only a finite number of regions!! 23
Regions: finite partitioning of state space (figure: x-y clock plane with region r, reset regions {x}r and {y}r). Reset regions; successor regions Succ(r); an equivalence class (i.e. a region) 24
Properties of Regions. The region equivalence relation ≅ is a time-abstract bisimulation: Action transitions: if w ≅ v and (l, w) -a-> (l’, w’) for some w’, then there exists v’ ≅ w’ s.t. (l, v) -a-> (l’, v’). Delay transitions: if w ≅ v then for all real numbers d, there exists d’ s.t. w+d ≅ v+d’. If w ≅ v then (l, w) and (l, v) satisfy the same TCTL formulas 25
Region graph of a simple timed automaton 26
Fischer’s again. Untimed case: A1, A2, v=1. Timed case: A1, A2, v=1, x=y=0; A1, A2, v=1, 0
Roughly speaking . . . model checking a timed automaton against a TCTL formula amounts to model checking its region graph against a CTL formula 28
Problem to be solved Model Checking TCTL is PSPACE-complete 29
Zones: symbolic computation. Symbolic state (set): (n, Z). Concrete state: (n, x=3.2, y=2.5). Zone: conjunction of constraints of the form x-y<=n, x<=n, x>=n (figure: x-y clock plane) 30
Symbolic Transitions (figures in the x-y clock plane). Zone 1<=x<=4, 1<=y<=3 delays to 1<=x, 1<=y, -2<=x-y<=3; then the guard x>3 is applied 31
Forward Reachability (slides 32 to 35; figure: Passed set, Waiting set, Init, Final, with (n, Z’) in Passed and successor (m, U)). Question: Init -> Final ?
INITIAL: Passed := Ø; Waiting := {(n0, Z0)}
REPEAT
 - pick (n, Z) in Waiting
 - if for some Z’ with Z ⊆ Z’, (n, Z’) is in Passed then STOP
 - else (explore) add { (m, U) : (n, Z) => (m, U) } to Waiting; add (n, Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Canonical Data Structures for Zones: Difference Bounded Matrices (Bellman 1958, Dill 1989). When are two sets of constraints equivalent? D1: x<=1, y-x<=2, z-y<=2, z<=9. D2: x<=1, y-x<=2, y<=3, z-y<=2, z<=7. Graph 1 and Graph 2: vertices 0, x, y, z with edges weighted by the bounds (Graph 1: x 1, y-x 2, z-y 2, z 9; Graph 2: x 1, y-x 2, y 3, z-y 2, z 7). Shortest Path Closure gives the same graph for both: x 1, y 3, z 5, y-x 2, z-y 2 36
Difference Bounds Matrices. Matrix representation of constraints (bounds on a single clock or on the difference between 2 clocks). Reduced form obtained by running an all-pairs shortest path algorithm. The reduced DBM is canonical. Operations such as reset, time-successor, inclusion, intersection are efficient. Popular choice in timed-automata-based tools 37
Summary. Applications of Uppaal and Kronos: Philips bounded retransmission protocol; asynchronous circuits (STARI communication); timing analysis of Esterel+C code. Research theme 1: efficient representation of clock constraints + Boolean constraints. Research theme 2: automatic abstractions of complex dynamics by timed automata 38
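The DBM canonicalisation and the zone inclusion test that the forward reachability loop relies on, as an added example (not code from the slides or from UPPAAL): a small DBM with Floyd-Warshall closure, run on the two constraint sets D1 and D2 of slide 36. The clock named "0" is the reference clock fixed at zero, so x<=1 is stored as x-0<=1; the class and method names are assumptions of this example.

```python
# Added example: minimal difference bound matrix (DBM) with shortest-path closure.
from itertools import product

INF = float("inf")

class DBM:
    def __init__(self, clocks):
        self.clocks = ["0"] + list(clocks)      # index 0 is the zero clock
        n = len(self.clocks)
        # m[i][j] = c encodes clock_i - clock_j <= c; INF = unconstrained, diagonal 0
        self.m = [[0 if i == j else INF for j in range(n)] for i in range(n)]
        for i in range(1, n):                   # every clock is non-negative: 0 - x <= 0
            self.m[0][i] = 0

    def add(self, i, j, c):
        """Add the constraint clock_i - clock_j <= c (use "0" for the zero clock)."""
        a, b = self.clocks.index(i), self.clocks.index(j)
        self.m[a][b] = min(self.m[a][b], c)
        return self

    def close(self):
        """All-pairs shortest paths tighten every bound: the canonical (reduced) form."""
        n = len(self.m)
        for k, i, j in product(range(n), repeat=3):   # k is the outermost loop
            if self.m[i][k] + self.m[k][j] < self.m[i][j]:
                self.m[i][j] = self.m[i][k] + self.m[k][j]
        return self

    def empty(self):
        """A negative cycle after closure means the zone is unsatisfiable."""
        return any(self.m[i][i] < 0 for i in range(len(self.m)))

    def bound(self, i, j):
        """Canonical upper bound on clock_i - clock_j."""
        return self.close().m[self.clocks.index(i)][self.clocks.index(j)]

    def included_in(self, other):
        """Z ⊆ Z' (the Passed-list test): every canonical bound of Z is at most Z' 's."""
        rows = zip(self.close().m, other.close().m)
        return all(a <= b for ra, rb in rows for a, b in zip(ra, rb))

    def equivalent(self, other):
        return self.included_in(other) and other.included_in(self)

def slide36_zones():
    """D1 and D2 from slide 36: written differently, they denote the same zone."""
    d1 = DBM("xyz").add("x", "0", 1).add("y", "x", 2).add("z", "y", 2).add("z", "0", 9)
    d2 = (DBM("xyz").add("x", "0", 1).add("y", "x", 2).add("y", "0", 3)
          .add("z", "y", 2).add("z", "0", 7))
    return d1, d2
```

After closure both matrices carry x<=1, y<=3, z<=5, y-x<=2, z-y<=2 and the derived z-x<=4, which is exactly the shared shortest-path graph on the slide.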