Formal methods & Tools. UPPAAL Implementation Secrets. Kim Guldstrand Larsen & UCb

Transcription

1 Formal methods & Tools UPPAAL Implementation Secrets Kim Guldstrand Larsen &

2 Wang Yi Paul Pettersson Johan Bengtsson Fredrik Larsson Alexandre David Tobias Kim G Larsen Gerd Behrman Arne Skou Patricia Bouyer Emmanuel Fleury Carsten Weise Kåre J Kristoffersen Thomas Hune Oliver Möller David Griffioen, Ansgar Fehnker, Frits Vandraager, Klaus Havelund, Theo Ruys, Pedro D Argenio, J-P Katoen, J. Tretmans, Judi Romijn, Ed Brinksma, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson... 2

3 Overview Timed Automata (review) UPPAAL 3.2 ( and 4.0) The Early History of UPPAAL The Implementation Secrets of UPPAAL DBMs Minimal Constraint Form CDDs Distributed UPPAAL PW-list, Dynamic sized DBMs, Sharing. Acceleration and Metatransitions Beyond Model Checking 3

4 Timed Automata review Alur & Dill 1990 Action used for synchronization n x<=5 & y>3 a x := 0 m Discrete Trans Clocks: x, y Guard Boolean combination of integer bounds on clocks and clock-differences. Reset Action perfomed on clocks State ( location, x=v, y=u ) where v,u are in R Transitions ( n, x=2.4, y= ) a ( m, x=0, y= ) Delay Trans e(1.1) ( n, x=2.4, y= ) ( n, x=3.5, y= ) 4

5 Timed Automata review Invariants Location Invariants n x<=5 x<=5 & y>3 a x := 0 m y<=10 g4 g1 g2 g3 Clocks: x, y Transitions ( n, x=2.4, y= ) e(3.2) e(1.1) ( n, x=2.4, y= ) ( n, x=3.5, y= ) Invariants ensure progress!! 5

6 The Druzba MUTEX Problem Kim Gerd 6

7 The Druzba MUTEX Problem 7

8 The Druzba MUTEX Problem Using the light as semaphor 8

9 Parallel Composition (a la CCS) l1 x>=2 a! x := 0 m1 y<=4 a?. Two-way Two-way synchronization synchronization on on complementary complementary actions. actions. Closed Closed Systems! Systems! l2 m2 Example transitions (l1, m1,, x=2, y=3.5,..) tau (l2,m2,..,x=0, y=3.5,..) 0.2 (l1,m1,,x=2.2, y=3.7,..) If a URGENT CHANNEL 9

10 The UPPAAL Model = Networks of Timed Automata + Integer Var + Array Var +. l1 x>=2 i==3 a! x := 0 i:=i+4 m1 y<=4 a?. Two-way Two-way synchronization synchronization on on complementary complementary actions. actions. Closed Closed Systems! Systems! l2 m2 Example transitions (l1, m1,, x=2, y=3.5, i=3,..) tau (l2,m2,..,x=0, y=3.5, i=7,..) 0.2 (l1,m1,,x=2.2, y=3.7, I=3,..) If a URGENT CHANNEL 10

11 Train Crossing Stopable Area [10,20] [3,5] Crossing [7,15] Queue River Gate 11

12 Train Crossing Communication via channels and shared variable. Stopable Area appr, stop [10,20] [3,5] leave Crossing [7,15] go el el Queue empty nonempty hd, add,rem Gate River 12

13 UPPAAL 3.2 (and 3.3 & 4.0) Released October 01 Graphical User Interface XML based file format Better syntax-error indicataion Drop-and-drag for transitions Changed menu Verification Engine lines of JAVA code lines of C++ code Restructured (increased flexibility) Normalization-bug fixed More freedom in combing optimization options Deadlock checking Support for more general properties (E[]p, A<>p, p q) 13

14 Case Studies: Protocols Philips Audio Protocol [HS 95, CAV 95, RTSS 95, CAV 96] Collision-Avoidance Protocol [SPIN 95] Bounded Retransmission Protocol [TACAS 97] Bang & Olufsen Audio/Video Protocol [RTSS 97] TDMA Protocol [PRFTS 97] Lip-Synchronization Protocol [FMICS 97] Multimedia Streams [DSVIS 98] ATM ABR Protocol [CAV 99] ABB Fieldbus Protocol [ECRTS 2k] IEEE 1394 Firewire Root Contention (2000) 14

15 Case-Studies: Controllers Gearbox Controller [TACAS 98] Bang & Olufsen Power Controller [RTPS 99,FTRTFT 2k] SIDMAR Steel Production Plant [RTCSA 99, DSVV 2k] Real-Time RCX Control-Programs [ECRTS 2k] Experimental Batch Plant (2000) RCX Production Cell (2000) 15

16 Formal methods & Tools The Early History of UPPAAL

17 Before UPPAAL (=1995) TCCS C b TAV CONCURII TAB EPSILON Wang Yi relaxing UPPAAL , 1. June

18 C b Sävja spring 1995 Mia at Dalaresan 20 UPPAAL , 1. June

19 C b Are we still in Denmark? Mia in the local football club UPPAAL , 1. June

20 C b No!!!! UPPAAL , 1. June 99 The Larsen family searching for beer 6 20

21 First official UPPAAL presentation Wang Yi, TACAS, Aarhus, April 1995 C b UPPAAL , 1. June

22 C b CAV 96, New York David Griffeon and some Scandinavian friends. UPPAAL , 1. June

23 C b FTRTFT 96, Uppsala UPPAAL , 1. June 99 Palle, Per, Thomas, Paul, Jesper, Kim, Wang 13 23

24 UPPAAL C b UPPAAL , 1. June

25 Further Dutch Collaboration C b Pedro D Argenio UPPAAL , 1. June

26 C b RTSS 97 1st RTSS 97 talk, Kluas Havelund Fairmont Hotel, San Francisco UPPAAL , 1. June 99 Breakfast 21 26

27 1st UPPAAL workshop,1998 C b UPPAAL , 1. June

28 HyUPPAAL HUPPAAL PUPPAAL PrUPPAAL DUPAAL CUPPAAL TUPPAAL GUPPAAL 28

29 HyUPPAAL Hybrid HUPPAAL Hierarchical PUPPAAL Parameterized PrUPPAAL Probabilistic DUPAAL Distributed CUPPAAL Cost-optimizing TUPPAAL Testing GUPPAAL Guiding 29

30 Gerd, Alexandre, Johan The Main Implementers 30

31 Summary & Lessons Driven by case-studies Modelling capabilities Improvement of performance Complete rewriting of GUI & Verifier 2-3 times (involving several teams of student programmers). Large involvement of external researchers on casestudies & branches Kernel UPPAAL staff very stable. Common CVS archieve for all variants Frequent exchange visits. 31

32 Formal methods & Tools Implementation Secrets

33 Zones From infinite to finite y State (n, x=3.2, y=2.5 ) y Symbolic state (set) (n, 1 x 4,1 y 3) Zone: conjunction of x-y<=n, x<=>n x x 33

34 Symbolic Transitions n x>3 a y y x x 1<=x<=4 1<=y<=3 delays to conjuncts to y y x x 1<=x, 1<=y -2<=x-y<=3 3<x, 1<=y -2<=x-y<=3 y:=0 projects to 3<x, y=0 m Thus Thus (n,1<=x<=4,1<=y<=3) =a =a => => (m,3<x, y=0) y=0) 34

35 Forward Rechability Init -> Final? Waiting Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else (explore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Init Passed UNTIL Waiting = Ø or Final is in Waiting 35

36 Forward Rechability Init -> Final? Waiting Init n,z n,z Passed Final INITIAL Passed := Ø; Waiting := {(n0,z0)} REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else(explore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed UNTIL Waiting = Ø or Final is in Waiting 36

37 Forward Rechability Init -> Final? Waiting m,u Final INITIAL Passed := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Init Passed UNTIL Waiting = Ø or Final is in Waiting 37

38 Forward Rechability Init -> Final? Waiting m,u Final INITIAL Passed := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Init Passed UNTIL Waiting = Ø or Final is in Waiting 38

39 Canonical Datastructure for Zones Difference Bounded Matrices Bellman 58, Dill 89 x1-x2<=4 x1-x2<=4 x2-x1<=10 x2-x1<=10 x3-x1<=2 x3-x1<=2 x2-x3<=2 x2-x3<=2 x0-x1<=3 x0-x1<=3 x3-x0<=5 x3-x0<=5 3 x1 x x2 x3 2 Shortest Path Closure O(n^3) x1 x2 x x3 2 39

40 New Canonical Datastructure Minimal collection of constraints RTSS 1997 x1-x2<=4 x1-x2<=4 x2-x1<=10 x2-x1<=10 x3-x1<=2 x3-x1<=2 x2-x3<=2 x2-x3<=2 x0-x1<=3 x0-x1<=3 x3-x0<=5 x3-x0<=5 3 x1 x x2 x3 2 Shortest Path Closure O(n^3) -4 3 x1 x2 x x3 2 Shortest x1 x2 Path Reduction O(n^3) Space worst O(n^2) 2 practice O(n) x0 x3 40

41 SPACE PERFORMANCE 1 0,9 0,8 0,7 0,6 0,5 0,4 0,3 0,2 0,1 0 Minimal Constraint Global Reduction Combination 41 Percent Audio Audio w Col B&O Box Sorter M. Plant Fischer 2 Fischer 3 Fischer 4 Fischer 5 Train Crossing

42 TIME PERFORMANCE 2,5 2 1,5 1 0,5 0 Minimal Constraint Global Reduction Combination 42 Percent Audio Audio w Col B&O Box Sorter M. Plant Fischer 2 Fischer 3 Fischer 4 Fischer 5 Train Crossing

43 Shortest Path Reduction 1st attempt Idea w <=w An An edge is is REDUNDANT if if there exists an an alternative path path of of no no greater weight THUS Remove all all redundant edges! Problem v v and and w are are both both redundant Removal of of one one depends on on presence of of other. w Observation: If If no no zero- or or negative cycles then then SAFE to to remove all all redundancies. 43

44 Shortest Path Reduction Solution G: weighted graph 44

45 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-cycles. 45

46 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges 46

47 Shortest Path Reduction Solution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges Canonical given order of clocks 3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes 47

48 Earlier Termination Init -> Final? Waiting m,u Final INITIAL Passed := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - pick (n,z) in Waiting - if for some Z Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Init Passed UNTIL Waiting = Ø or Final is in Waiting 48

49 Earlier Termination Init -> Final? Waiting m,u Final INITIAL Passed := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - pick (n,z) in Waiting - if for some Z Z' Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Init Passed UNTIL Waiting = Ø or Final is in Waiting 49

50 Earlier Termination Init -> Final? Waiting m,u Final INITIAL Passed := Ø; Waiting := {(n0,z0)} n,z 1 n,z 2 Init n,z k n,z i Passed Z i REPEAT - pick (n,z) in Waiting - if for some Z' Z (n,z ) in Passed then STOP -else/explore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Passed Z UNTIL Waiting = Ø or Final is in Waiting 50

51 Clock Difference Diagrams = Binary Decision Diagrams + Difference Bounded Matrices CAV99 CDD-representations Nodes labeled with differences Maximal sharing of substructures (also across different CDDs) Maximal intervals Linear-time algorithms for set-theoretic operations. NDD s Maler et. al DDD s Møller, Lichtenberg 51

52 SPACE PERFORMANCE 4,5 4 3,5 3 2,5 2 1,5 1 0,5 0 CDD Reduced CDD CDD+BDD 52 Fischer5 Percent Philips Philps col B&O BRP PowerDown1 PowerDown2 Dacapo GearBox Fischer4

53 TIME PERFORMANCE CDD Reduced CDD CDD+BDD 53 Percent Philips Philps col B&O BRP PowerDown1 PowerDown2 Dacapo GearBox Fischer4 Fischer5

54 Distributing UPPAAL Gerd Behrmann, Thomas Hune, Frits Vandraager CAV2k W1 W3? Passed Passed structure structure distributed distributed P1 Check Check in in local local Passed Passed list. list. If Ifnot not present present save, save, explore explore and and distribute distribute P3 W2 W4 P2 Implemented Implemented using using MPI MPI on on SUN SUN Interprise Interprise10000 Beowulf Beowulf cluster cluster P4 54

55 UPPAAL Every 9 month 10 times better performance! Dec 96 Sep 98 3.x 55

56 Hash table Hash table P+W Reachability States Passed list Searching: pop state hash push to passed (inclusion check) successor computation hash push to waiting queue (inclusion check) Alexandre & Gerd with Wang & Kim RT-TOOLS 02 Waiting queue 56

57 Hash table PW Reachability States Waiting queue Unified list Alexandre & Gerd with Wang & Kim RT-TOOLS 02 Searching: pop state reference successor computation hash push to unified list (inclusion check) and append state reference 57

58 Dynamic DBMs & Sharing Alexandre & Gerd with Wang & Kim RT-TOOLS 02 Symbolic State l 1 d 1 Z 1 l 2 d 2 Z 2 l k d k Z k l 1 d 1 Z 1 l 2 d 2 Z 2 l n d n Z n l 1 d 1 Z 1 l 2 d 2 Z 2 l m d m Z m Hashtable Location vector Discrete variable Zone/ DBM Observation :: :: Redundancy 58

59 Dynamic DBMs & Sharing RT-TOOLS 02 l 1 l l 2 l d 1 d 4 d 2 d Z 1 Hashtable Z 2 Z 3 59

60 Dynamic DBMs & Sharing RT-TOOLS 02 l 1 l l 2 l d 1 d 4 d 2 d Z 1 Hashtable Z 2 Z 3 60

61 Dynamic DBMs & Sharing RT-TOOLS 02 l 1 l l 2 l d 1 d 4 d 2 d 3 Hashtable COMING release space impr.: 4x 4x time impr.: 3x 3x Z 1 Z 2 Z 3 61

62 Formal methods & Tools Accelleration & Metatransitions

63 w Martijn Hendriks, TPTS 2002 Different Time Scales Models Typical: Models of scheduled and polling control programs (microseconds) operating in an environment (seconds); e.g. PLC programs or LEGO Mindstorms while(true){ wait(in_1<=light_level); ClearTimer(1); active=1; PlaySound(1); wait(in_1>light_level); Production Cell 63

64 w Martijn Hendriks, TPTS 2002 Different Time Scales Models Typical: Models of scheduled and polling control programs (microseconds) operating in an environment (seconds); e.g. PLC programs or LEGO Mindstorms while(true){ wait(in_1<=light_level); ClearTimer(1); active=1; PlaySound(1); wait(in_1>light_level); Production Cell 64

65 Fragmentation w Martijn Hendriks, TPTS 2002 z: clock of the Environment y: the clock used by Control Program FRAGMENTATION FRAGMENTATION PROBLEM PROBLEM of of Symbolic Symbolic State State Space Space Idea: Idea: accelerate accelerate cycles cycles 65

66 Window w Martijn Hendriks, TPTS 2002 L0, L1, L2 has window [3,7] DEFN WINDOW of of a cycle cycle C =(e =(e 1, 1, ee 2, 2,,, ee k ) k ) is is [a,b] [a,b] iff iff Every Every execution of of C has has accumulated delay delay between a and and b. b For For any any delay delay d between a and and b there there there there exists exists an an execution of of C with with accumulated delay delay d. d. 66

67 w Martijn Hendriks, TPTS 2002 Acceleratable Cycles DEFN Let Let C =(e =(e 1, 1, ee 2, 2,,, ee k ) k ) be be a cycle cycle and and let let y be be a clock. clock. Then Then (C,y) (C,y) is is an an accelaratable cycle cycle if: if: Every Every invariant of of C is is of of the the form form y<=n y<=n (or (or true) true) Every Every guard guard of of C is is of of the the form form y>=m y>=m (or (or true) true) y is is reset reset on on all all ingoing ingoing edges edges to to src(e src(e 1 ) 1 ) THM Every acceleratable cycle has a window 67

68 Exact Acceleration Acceleration of of cycle = Unfolding of of cycle THM 68

69 Exact & Efficient Acceleration Acceleration of of cycle = Unfolding of of cycle THM If If y is is reset reset on on the the first first edge edge in in the the accelerated cycle cycle C, C, then then one oneexecution of of the the appended cycle cycle suffices!! 69

70 Experimental Results On sample LEGO Mindstorm Models: Speed-up-factor: 2-5 With convex-hull: 200 MAIN Questions Which cycles to to accelerate Generalization to to full full model 70

71 Formal methods & Tools Beyond Model Checking

72 Formal methods & Tools optimal Scheduling & CUPPAAL Synthesis of Control Programs w Gerd Behrman, Ed Brinksma, Ansgar Fehnker, Thomas Hune, Paul Pettersson, Judi Romijn, Frits Vaandrager, Henning Dierks, HSCC 01, TACAS 01, CAV 01, AIPS 02,. AMETIST

73 A real-time scheduling problem UNSAFE SAFE Mines At At most 2 crossing at at a time time Need torch Can Can they they make it it within minutes? 73

74 Observation Many scheduling problems can be phrased naturally as reachability problems for timed automata! UNSAFE Mines SAFE UPPAAL 74

75 Steel Production Plant A. Fehnker Hune, Larsen, Pettersson Case study of Esprit-LTR project VHS Physical plant of SIDMAR located in Gent, Belgium. Part between blast furnace and hot rolling mill. Machine 1 Machine 2 Machine 3 Machine 4 Machine 5 Crane B Crane A Lane 2 Buffer Storage Place Lane 1 Objective: model the plant, obtain schedule and control program for plant. Continuos Casting Machine 75

76 Steel Production Plant Input: sequence of steel loads ( pigs ). Crane A Machine 1 Machine 2 Machine 3 Machine 4 Machine 5 Lane 1 Load follows Recipe to become certain quality, e.g: start; T1@10; T2@20; T3@10; T2@10; end within 120. Output: sequence of higher quality steel. Crane B Lane 2 Buffer Storage Place Continuos Casting Machine 76

77 Steel Production Plant Input: sequence of steel loads ( pigs ). Crane A Machine 1 Machine 2 Machine 2 2 Machine 4 Machine Lane 1 Load follows Recipe to become certain quality, e.g: start; T1@10; T2@20; =107 T3@10; T2@10; end within 120. Output: sequence of higher quality steel. Crane B 6 Lane 2 Buffer Storage Continuos Casting Machine 77

78 Steel Production Plant Input: sequence of steel loads ( pigs ). Crane A Machine 1 Machine 2 Machine 2 2 Machine 4 Machine 5 2 Lane 1 Load follows Recipe to obtain certain quality, e.g: start; T1@10; T2@20; =127 T3@10; T2@10; end within 120. Output: sequence of higher quality steel. 16 Crane B Lane 2 Buffer Storage Continuos Casting Machine 78

79 A single single load load (part (part of) of) Crane CraneB 79

80 Experiment A l l G u i d e s S o m e G u i d e s N o G u i d e s n B F S D F S B S H B F S D F S B S H B F S D F S B S H s M B s M B s M B s M B s M B s M B s M B s M B s M B 1 0,1 0,9 0,1 0,9 0,1 0,9 0,1 0,9 0,1 0,9 0,1 0,9 3,2 6,1 0,8 2, ,4 36,4 0,1 1 0,1 1, ,4 7,8 7,8 1, ,5 36, ,2 6,5 3,4 1, ,4 92, , ,2 4,6 1, ,2 5,5 2, ,3 25,3 16,1 9, ,6 51,2 48,1 22, ,8 89, , ,2 83, , BFS = breadth-first search, DFS = depth-first search, BSH = bit-state hashing, - = requires >2h (on 450MHz Pentium III), >256 MB, or suitable hash-table size was not found. System size: 2n+5 automata and 3n+3 clocks, if n=35: 75 automata and 108 clocks. Schedule generated for n=60 on Sun Ultra with 2x300MHz with 1024MB in 2257s. 80

81 LEGO Plant Model LEGO RCX Mindstorms. Local controllers with control programs. IR protocol for remote invocation of programs. Central controller. crane a m1 m2 m3 m4 buffer storage casting m5 crane b central controller Synthesis 81

82 LEGO Plant Model Belt/Machine Unit. 82

83 UNSAFE EXAMPLE: Optimal rescue plan for important persons (Presidents and Actors) Mines SAFE GORE CLINTON BUSH DIAZ 3 10 OPTIMAL PLAN HAS ACCUMULATED COST=195 and TOTAL TIME=65! 83

84 Experiments MC Order COST-rates G 5 C 10 B 20 D 25 SCHEDULE COST TIME #Expl #Pop d Min Time CG> G< BD> C< CG> CG> G< BG> G< GD> GD> G< CG> G< BG> CG> G< BD> C< CG> CD> C< CB> C< CG> BD> B< CB> C< CG> time<

85 Example: Aircraft Landing cost e*(t-t) E d+l*(t-t) T L t E earliest landing time T target time L latest time e cost rate for being early l cost rate for being late d fixed cost for being late Planes have to keep separation distance to avoid turbulences caused by preceding planes Runway 85

86 Example: Aircraft Landing x <= 5 x >= 4 x=5 land! cost+=2 x <= 5 x <= 9 cost =3 cost =1 x=5 land! 4 earliest landing time 5 target time 9 latest time 3 cost rate for being early 1 cost rate for being late 2 fixed cost for being late Planes have to keep separation distance to avoid turbulences caused by preceding planes Runway 86

87 Aircraft Landing Source of examples: Baesley et al

88 Future Work & Open Problems Datastructures for fully symbolic, efficient exploration Partial order reduction Exploitation of symmetries Distributed checking of full TCTL Efficient use of disk Extension of acceleration techniques Application of abstract interpretation 88

89 Formal methods & Tools END

90 Relevant Workshops RT-Tools affiliated with FLOC, July 2002 MTCS: Models for Time-Criticial Systems, CONCUR, August 2002 PDMC: Parallel and Distributed Model Checking, CONCUR, August

91 The State Explosion Problem Sys a a a a b c b c b c b c sat ϕ a a a a b c b c b c b c Model-checking is is either EXPTIME-complete or or PSPACE-complete (for TA s this is is true even for for a single TA) 91

92 Abstraction Sys a a a a b c b c b c b c sat ϕ a a a a b c b c b c b c Abs REDUCE TO Preserving safety properties sat ϕ Abs sat ϕ Sys sat Sys ϕ Abs 92

93 Compositionality Sys b a a c b a a c b a a c b a a c Sys 1 Sys 1 Sys2 Sys 2 Abs 1 Abs2 Abs 1 Abs 2 b c b c b c b c Sys 1 Sys 2 Abs 1 Abs Sys 1 Sys 2 Abs Abs Abs1 Abs2 Abs Sys Abs

94 Timed Simulation T 1 T R St a) (s St,t if there is a relation 0 2 ) R s.t. b) Whenever (s, t) R then - if s a s' then t a t' st. (s',t') R - if s s' then e( d ) t e( d ) t' st. (s',t') R * * * * preserves safety properties is preserved by parallel composition is decidable If T2 is determistic then T1 T2 may be reduced to a reachability question for T 1 Test(T 2 ) UPPAAL 94

95 Timed Simulation T 1 T - 2 if if there is a a relation * preserves safety properties R St1 St 2 s.t. Applied to a) (s 0,t 0 ) R * is preserved by parallel composition IEEE 1394a Root contention protocol b) Whenever (s, t) R then (Simons, Stoelinga) - if s s' then * is decidable t B&O a t' st. Power (s',t') Down R Protocol s s' then (Ejersbo, Larsen, * If T2Skou, is determistic FTRTFT2k) then T1 T2 e( d ) t e( d ) t' st. (s',t') R may be reduced to a reachability question for T Test(T ) Modifications identified when urgency and shared integers 1 UPPAAL 2 95