Timed Automata lllllllllll Decidability Results

Transcription

1 Timed Automata lllllllllll Decidability Results

2 Decidability? a c b OBSTACLE: Uncountably infinite state space Reachable?

3

4

5

6 Stable Quotient Partitioning a c b y y x Reachable? x

7 Stable Quotient Partitioning a c b y y x Reachable? x

8 Stable Quotient Partitioning a c b y y x Reachable? x

9 Stable Quotient Partitioning a c b y y x Reachable? x

10 Stable Quotient Partitioning a c b y y x Reachable? x

11 Stable Quotient Partitioning a c b y y x Reachable? 0 ε 1 a 2 ε 3 a 4 ε 5 c 6 x

12

13 Regions Finite Partitioning of State Space y x An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

14

15

16 Regions Successor Operation (wrt delay) y 2 1 r x Successor regions, Succ(r) An equivalence class (i.e. a region)

17 Regions Reset Operation y {x}r 2 1 Reset regions r {y}r x An equivalence class (i.e. a region) r

18 An Example Region Graph

19 Modified light switch AG( x y) AG( on AG( on AFoff ) AF 9 off )

20 Reachable part of region graph Properties AG( x y) AG( on AFoff ) AG( on AF 9 off )

21

22

23

24 Fundamental Results PSPACE-c Reachability Alur, Dill Trace-inclusion Alur, Dill Timed ; Untimed Bisimulation Timed Cerans ; Untimed Model-checking TCTL, T mu, L nu,... PSPACE-c / EXPTIME-c

25 Updatable Timed Automata W Diagonals Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, Antoine Petit W Diagonals

26 TCTL: Timed Computational Tree Logic

27 TCTL = CTL + Time p z α z inφ AP, D, automic formula propositio ns, clocks, constraints over formula clocks and automata clocks freeze operator introduces new formula clock z E[ φ U φ ], A[ φ U φ ] - like in CTL No EX φ

28 Derived Operators = Along any path φ holds continuously until within 7 time units ψ becomes valid. = The property φ becomes valid within 5 time units.

29 Paths Example: push push click y 9 9)... 0,, ( 9) 3), ( 9, ( 3) 3,, ( ) 0,, ( ), ( 0), ( 3.5), ( 0), ( 3) ( = = = + = + = = = = = = = = = = = = + y x off y x on y x on y x on y x on y x on y x off y x off click push push π π π π π π

30 Elapsed time in path 9)... 0,, ( 9) 3), ( 9, ( 3) 3,, ( ) 0,, ( ), ( 0), ( 3.5), ( 0), ( 3) ( = = = + = + = = = = = = = = = = = = + y x off y x on y x on y x on y x on y x on y x off y x off click push push π π π π π π Example: Δ(σ,1)=3.5, Δ(σ,6)=3.5+9=12.5 σ=

31 TCTL Semantics s - location w - formula clock valuation PM(s) - set of paths from s Pos(σ) - positions in σ Δ(σ,i) - elapsed time (i,d) <<(i,d ) iff (i<j) or ((i=j) and (d<d ))

32 Timeliness Properties receive(m) occurs within 5 time units after send(m) receive(m) occurs exactly 11 time units after send(m) putbox occurs periodically (exactly) every 25 time units (note: other putbox s may occur in between)

33 The UPPAAL Verification Engine

34 Overview Zones and DBMs Minimal Constraint Form Clock Difference Diagrams Distributed UPPAAL [CAV2000, STTT2004] Unification & Sharing [FTRTFT2002, SPIN2003] Acceleration [FORMATS2002] Static Guard Analysis [TACAS2003,TACAS2004] Storage-Strategies [CAV2003]

35 Zones From infinite to finite y State (n, x=3.2, y=2.5 ) x y Symbolic state (set) (n, 1 x 4, 1 y 3) x Zone: conjunction of x-y<=n, x<=>n

36 Symbolic Transitions x>3 a y:=0 n m y y x x 1<=x<=4 1<=y<=3 delays to conjuncts to projects to y y x x 1<=x, 1<=y -2<=x-y<=3 3<x, 1<=y -2<=x-y<=3 3<x, y=0 Thus Thus (n,1<=x<=4,1<=y<=3) =a =a => => (m,3<x, y=0) y=0)

37 Zones = Conjuctive Constraints A zone Z is a conjunctive formula: g 1 & g 2 &... & g n where g i is a clock constraint x i ~ b i or x i -x j ~b ij Use a zero-clock x 0 (constant 0) A zone can be re-written as a set: {x i -x j ~b ij ~ is < or, i,j n} This can be represented as a matrix, DBM (Difference Bound Matrices)

38 Operations on Zones Future delay Z : Past delay Z : [Z ] = {u+d d R, u [Z]} [Z ] = {u u+d [Z] for some d R} Reset: {x}z or Z(x:=0) Conjunction [{x}z] = {u[0/x] u [Z]} [Z&g]= [Z] [g]

39 THEOREM The set of zones is closed under all constraint operations. That is, the result of the operations on a zone is a zone. That is, there will be a zone (a finite object i.e a zone/constraints) to represent the sets: [Z ], [Z ], [{x}z], [Z&g].

40 Symbolic Exploration y Reachable? x

41 Symbolic Exploration y Reachable? Delay x

42 Symbolic Exploration y Reachable? Left x

43 Symbolic Exploration y Reachable? Left x

44 Symbolic Exploration y Reachable? Delay x

45 Symbolic Exploration y Reachable? Left x

46 Symbolic Exploration y Reachable? Left x

47 Symbolic Exploration y Reachable? Delay x

48 Symbolic Exploration y Reachable? Down x

49 Fischer s Protocol analysis using zones Init V=1 2 V X<10 X:=0 X>10 V:=1 V=1 A1 B1 CS1 Y<10 Y:=0 Y>10 V:=2 V=2 A2 B2 CS2 Criticial Section

50 Fischers cont. X<10 A1 X:=0 V:=1 V=1 B1 X>10 CS1 Untimed case Y<10 Y:=0 Y>10 A2 V:=2 V=2 B2 CS2 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

51 Fischers cont. X<10 A1 X:=0 V:=1 V=1 B1 X>10 CS1 Untimed case Y<10 Y:=0 Y>10 A2 V:=2 V=2 B2 CS2 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y X

52 Fischers cont. X<10 A1 X:=0 V:=1 V=1 B1 X>10 CS1 Untimed case Y<10 Y:=0 Y>10 A2 V:=2 V=2 B2 CS2 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 X Y X

53 Fischers cont. X<10 A1 X:=0 V:=1 V=1 B1 X>10 CS1 Untimed case Y<10 Y:=0 Y>10 A2 V:=2 V=2 B2 CS2 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 X Y X

54 Fischers cont. X<10 A1 X:=0 V:=1 V=1 B1 X>10 CS1 Untimed case Y<10 Y:=0 Y>10 A2 V:=2 V=2 B2 CS2 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 X Y X Y X

55 Fischers cont. X<10 A1 X:=0 V:=1 V=1 B1 X>10 CS1 Untimed case Y<10 Y:=0 Y>10 A2 V:=2 V=2 B2 CS2 A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 X Y X Y X

56 Forward Rechability Init -> Final? Init Waiting Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else (explore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

57 Forward Rechability Init -> Final? Waiting n,z Init n,z Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else(explore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

58 Forward Rechability Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

59 Forward Rechability Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

60 Canonical Datastructures for Zones Difference Bounded Matrices Bellman 1958, Dill 1989 Inclusion D1 D2 x<=1 x<=1 y-x<=2 z-y<=2 z-y<=2 z<=9 z<=9 x<=2 x<=2 y-x<=3 y<=3 y<=3 z-y<=3 z-y<=3 z<=7 z<=7 Graph Graph x 2 9 z 2?? 2 x z 3 y y

61 Canonical Datastructures for Zones Difference Bounded Matrices Inclusion D1 D2 x<=1 x<=1 y-x<=2 z-y<=2 z-y<=2 z<=9 z<=9 x<=2 x<=2 y-x<=3 y<=3 y<=3 z-y<=3 z-y<=3 z<=7 z<=7 Graph Graph 0 0 x z 2 2 x 3 3 7?? z 3 y y Shortest Path Closure Shortest Path Closure 0 0 x z x y 2 z 3 y

62 Canonical Datastructures for Zones Difference Bounded Matrices Emptiness Compact D x<=1 x<=1 y>=5 y>=5 y-x<=3 Graph x y 3 Negative Cycle iff empty solution set

63 Canonical Datastructures for Zones Difference Bounded Matrices Future D y 1<= 1<= x <=4 <=4 1<= 1<= y <=3 <= x y x Shortest Path Closure x 3 2 y y Remove upper bounds on clocks x Future D 1<=x, 1<=x, 1<=y 1<=y -2<=x-y<=3 x y

64 Canonical Datastructures for Zones Difference Bounded Matrices Reset D y 0-1 x 1<=x, 1<=x, 1<=y 1<=y -2<=x-y<=3 x y {y}d y Remove all bounds involving y and set y to x y=0, y=0, 1<=x 1<=x -1 0 x y

65 Canonical Datastructures for Zones Difference Bounded Matrices x1-x2<=4 x1-x2<=4 x2-x1<=10 x2-x1<=10 x3-x1<=2 x3-x1<=2 x2-x3<=2 x2-x3<=2 x0-x1<=3 x0-x1<=3 x3-x0<=5 x3-x0<=5 3 x1 x x2 x3 2 Shortest Path Closure O(n^3) x1 x2 x x3 2

66 Canonical Datastructures for Zones Minimal Constraint Form RTSS 1997 x1-x2<=4 x1-x2<=4 x2-x1<=10 x2-x1<=10 x3-x1<=2 x3-x1<=2 x2-x3<=2 x2-x3<=2 x0-x1<=3 x0-x1<=3 x3-x0<=5 x3-x0<=5 3 x1 x x2 x3 Shortest Path Reduction O(n^3) x1 2 Shortest Path Closure O(n^3) -4 x2 2 3 x1-4 4 x x0 1 x3 5 2 Space worst O(n^2) practice O(n) x0 x3

67 1 0,9 0,8 0,7 0,6 0,5 0,4 0,3 0,2 0,1 0 Percent SPACE PERFORMANCE Minimal Constraint Global Reduction Combination M. Plant Fischer 2 Fischer 3 Fischer 4 Fischer 5 Train Crossing Box Sorter B&O Audio Audio w Col

68 2,5 2 1,5 1 0,5 0 Percent TIME PERFORMANCE Minimal Constraint Global Reduction Combination M. Plant Fischer 2 Fischer 3 Fischer 4 Fischer 5 Train Crossing B&O Box Sorter Audio Audio w Col

69 Shortest Path Reduction 1st attempt Idea Problem w w v <=w An An edge is is REDUNDANT if if there exists an an alternative path path of of no no greater weight THUS Remove all all redundant edges! v and and w are are both both redundant Removal of of one one depends on on presence of of other. Observation: If If no no zero- or or negative cycles then then SAFE to to remove all all redundancies.

70 Shortest Path Reduction Solution G: weighted graph

71 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-cycles.

72 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges

73 Shortest Path Reduction Solution G: weighted graph Canonical given order of clocks 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges 3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes

74 Earlier Termination Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

75 Earlier Termination Init -> Final? Waiting n,z Init n,z m,u Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z' Z Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting

76 Earlier Termination Init -> Final? Waiting n,z 1 n,z 2 n,z k Init n,z m,u Final U i Z Passed i INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z' Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Z UNTIL Waiting = Ø or Final is in Waiting

77 Clock Difference Diagrams = Binary Decision Diagrams + Difference Bounded Matrices CAV99 CDD-representations Nodes labeled with differences Maximal sharing of substructures (also across different CDDs) Maximal intervals Linear-time algorithms for set-theoretic operations. NDD s Maler et. al DDD s Møller, Lichtenberg

78 4,5 4 3,5 3 2,5 2 1,5 1 0,5 0 SPACE PERFORMANCE CDD Reduced CDD CDD+BDD Fischer5 PowerDown1 PowerDown2 Dacapo GearBox Fischer4 BRP B&O Percent Philips Philps col

79 TIME PERFORMANCE CDD Reduced CDD CDD+BDD BRP PowerDown1 PowerDown2 Dacapo GearBox Fischer4 Fischer5 B&O Percent Philips Philps col

80 UPPAAL Dec 96 Sep 98 Every 9 month 10 times better performance! 3.x

81 Liveness Checking

82 in UPPAAL Liveness Properties F ::= E P A P P Q Bouajjani, Tripakis, Yovine 97 On-the-fly symbolic model checking of TCTL Possibly always P Eventually P is equivalent to ( E P) P leads to Q is equivalent to A ( P A Q)

83 in UPPAAL Liveness E[]φ (A φ)

84 in UPPAAL Passed (A φ) Liveness E[]φ (A φ) ST WS Unexplored

85 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Unexplored

86 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Unexplored

87 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Unexplored

88 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Unexplored?

89 in UPPAAL Passed (A φ) Liveness E φ (A φ) ST WS Unexplored???

90 Liveness E φ (A φ) in UPPAAL Passed (A φ) ST WS Unexplored [FORMATS05] Extensions allowing for automatic synthesis of smallest bound t such that A t φ holds

91 Verification Options

92 Verification Options Search Order Depth First Breadth First State Space Reduction None Conservative Aggressive State Space Representation DBM Compact Form Under Approximation Over Approximation Diagnostic Trace Some Shortest Fastest Extrapolation Hash Table size Reuse

93 State Space Reduction However, Passed list useful for efficiency No Cycles: Passed list not needed for termination

94 State Space Reduction Cycles: Only symbolic states involving loop-entry points need to be saved on Passed list

95 To Store or Not To Store 117 states total 81 states entrypoint 9 states Time OH less than 10% Behrmann, Larsen, Pelanek 2003 Audio Protocol

96 To Store or Not to Store Behrmann, Larsen, Pelanek 2003

97 Over-approximation Convex Hull y x Convex Hull TACAS04: An EXACT method performing as well as Convex Hull has been developed based on abstractions taking max constants into account distinguishing between clocks, locations and &

98 Under-approximation Bitstate Hashing Waiting Init n,z n,z m,u Passed Final

99 Under-approximation Bitstate Hashing Waiting Init n,z n,z m,u Passed Final Hashfunction F Passed= Bitarray UPPAAL 8 Mbits

100 Modelling Patterns

101 Variable Reduction Reduce size of state space by explicitely resetting variables when they are not used! Automatically performed for clock variables (active clock reduction)

102 Clock Reduction x<7 x is only active in location S1 x:=0 S Definition x is inactive at S if on all path from S, x is always reset before being tested. x:=0 x<5 x>3

103 Synchronous Value Passing

104 Atomicity To allow encoding of control structure (foror while-loops, conditionals, etc.) without erroneous interleaving To allow encoding of multicasting. Heavy use of committed locations.

105 Bounded Liveness Intent: Check for properties that are guaranteed to hold eventually within some upper (time) bound. Provide additional information (with a valid bound). More efficient verification. φ leadsto t ψ reduced to A (b z t) with bool b set to true and clock z reset when φ starts to hold. When ψ starts to hold, set b to false.

106 Bounded Liveness The truth value of b indicates whether or not ψ should hold in the future. φ b=true z=0 φ b=false ψ b=false ψ A[] (b imply z t) b --> not b (for non zenoness) E<> b (for meaningful check) b true, check z t

107 Timers Parametric timer: (re-)start(value) start! var=value expired? active (bool) active go? (bool+urgent chan) time-out event timeout? Declare to with a tight range.

108 Zenoness Problem: UPPAAL does not check for zenoness directly. A model has zeno behavior if it can take an infinite amount of actions in finite time. That is usually not a desirable behavior in practice. Zeno models may wrongly conclude that some properties hold though they logically should not. Rarely taken into account. Solution: Add an observer automata and check for non-zenoness, i.e., that time will always pass.

109 Zenoness x 1 Zeno OK x x==1 1 x=0 x 1 Detect by adding the observer: Constant (10) can be anything (>0), but choose it well w.r.t. your model for efficiency. Clocks x are local. and check the property ZenoCheck.A --> ZenoCheck.B

110 Compositionality & Abstraction

111 The State Explosion Problem Sys a b c a b c a a a b c b c b c a a a b c b c b c sat ϕ Model-checking is is either EXPTIME-complete or or PSPACE-complete (for TA s this is is true even for for a single TA)

112 Abstraction ϕ ϕ Sys sat Abs Sys sat Abs a c b a c b a c b a c b a c b a c b a c b a c b ϕ sat Sys ϕ sat Abs REDUCE TO Preserving safety properties

113 Compositionality Sys b b a a a a c b c b c b c a a a a c b c b c b c Sys 1 Sys 2 Abs 1 Abs Sys 1 Sys 1 Sys2 Sys Sys 1 Sys 2 2 Abs Abs Abs Abs1 Abs2 Abs Sys Abs 1 Abs2 Abs Abs 2

114 Abstraction & Compositionality dealing w stateexplosion a c b a c b a c b a c b a c b a c b a c b a c b A A C C A C A C p p p Concrete Abstract trace inclusion

115 Abstraction Example a1 a2 a3 a4 a5 a b

116 Example Continued abstracted by

117 Proving abstractions using reachability Applied to IEEE 1394a Root contention protocol (Simons, Stoelinga) B&O Power Down Protocol (Ejersbo, Larsen, Skou, FTRTFT2k) A[] not TestAbstPoP1.BAD Recognizes all the BAD computations of PoP1 Henrik Ejersbo Jensen PhD Thesis 1999

118 Further Optimizations

119 Datastructures for Zones Difference Bounded Matrices (DBMs) Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] PW List [SPIN03] x1 x2 x x3 2

120 Datastructures for Zones Difference Bounded Matrices (DBMs) Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] PW List [SPIN03] -4 x1 x Alexandre -2 2 David Elegant x0 RUBY 1bindings x3 for easy implementations 5

121 Zone Abstractions [TACAS03,TACAS04] Abstraction taking maximum constant into account necessary for termination Utilization of distinction between lower and upper bounds Utilization of location-dependency

122 LU Abstraction [TACAS04] THEOREM For any state in the LU- abstraction there is a state in the original set simulating it LU abstraction is exact wrt reachability

123 Zone abstractions Classical Loc. dep. Max Loc. dep. LU Convex Hull

124 Symmetry Reduction Exploitation of full symmetry may give factorial reduction Many timed systems are inherently symmetric Computation of canonical state representative using swaps. [Formats 2003]

125 Symmetry Reduction Exploitation of full symmetry may give factorial reduction Many timed systems are inherently symmetric Computation of canonical state representative using swaps. [Formats 2003] SWAP: 1 2 ; 3 4

126 Symmetry Reduction [Formats 2003]

127 Symmetry Reduction UPPAAL 3.6 [Formats 2003] Iterators for (i: int[0,4]) { } Quantifiers Selection forall (i: int[0,4]) a[i]==0 select i: int[0,4]; guard... Template sets process P[4](...) { } Scalar set based symmetry reduction Compact state-space representations Priorities Gerd Behrmann 10 Martijn Henriks, Nijmegen U

128 D-UPPAAL Gerd Behrmann Distributed implementation of UPPAAL on PC-cluster [CAV'00, PDMC'02, STTT'03]. WWW frontend available Applications Synthesis of Dynamic Voltage Scaling strategies (CISS). Ad-hoc mobile real-time protocol (Leslie Lamport) - 25GB in 3 min! Running on NorduGrid. Local cluster: 50 CPUs and 50GB of RAM To be used as inspiration for verification GRID platform within ARTIST2 NoE.

129 D-UPPAAL Gerd Behrman Distributed implementation of UPPAAL on PC-cluster [CAV'00, PDMC'02, STTT'03]. WWW frontend available. Applications Synthesis of Dynamic Voltage Scaling strategies (CISS). Ad-hoc mobile real-time protocol (Leslie Lamport) - 25GB in 3 min! Running on NorduGrid. Local cluster: 50 CPUs and 50GB of RAM To be used as inspiration for verification GRID platform within ARTIST2 NoE.

130 D-UPPAAL Gerd Behrman Distributed implementation of UPPAAL on PC-cluster [CAV'00, PDMC'02, STTT'03]. Applications Synthesis of Dynamic Voltage Scaling strategies (CISS). Ad-hoc mobile real-time protocol (Leslie Lamport) - 25GB in 3 min! Running on NorduGrid. Local cluster: 50 CPUs and 50GB of RAM To be used as inspiration for verification GRID platform within ARTIST2 NoE.