An introduction to Uppaal and Timed Automata MVP5 1

Transcription

1 An introduction to Uppaal and Timed Automata MVP5 1

2 What is Uppaal? ( A simple graphical interface for drawing extended finite state machines (automatons + shared variables A graphical simulator including MSC s An analyser (model checker) In addition, Uppaal supports the notion of timed automatons MVP5 2

3 Transitions in Uppaal Automata transitions are labelled with the following (optional) parts: A set of guards on variables A label (input? or output!) A set of variable assignments A transition can be taken when: All guards are true A synchronization is possible with another process MVP5 3

4 Transitions in Uppaal i<3 holds counter and incrementer may synchronize MVP5 4

5 A Uppaal system Consists of at set (network) of automata System state = snapshot of each machines control location + local variables + global variables MVP5 5

6 Parallel Composition: interleaving Flipper 2 states Speaker 3 states 2*3 states Lecturer = Speaker Flipper from Flipper from Speaker MVP5 6

7 Home-Banking? int accounta, accountb; //Shared global variables //Two concurrent bank costumers Thread costumer1 () { int a,b; //local tmp copy Thread costumer2 () { int a,b; } a=accounta; b=accountb; a=a-10;b=b+10; accounta=a; accountb=b; } a=accounta; b=accountb; a=a-20; b=b+20; accounta=a; accountb=b; Are the accounts in balance after the transactions? MVP5 7

8 Home Banking A[] (pc1.finished and pc2.finished) imply (accounta+accountb==200)? MVP5 8

9 Home Banking int accounta, accountb; //Shared global variables Semaphore A,B; //Protected by sem A,B //Two concurrent bank costumers Thread costumer1 () { int a,b; //local tmp copy Thread costumer2 () { int a,b; } down(a); down(b); a=accounta; b=accountb; a=a-10;b=b+10; accounta=a; accountb=b; up(a); up(b); } down(b); down(a); a=accounta; b=accountb; a=a-20; b=b+20; accounta=a; accountb=b; up(b); up(a); MVP5 9

10 Semaphore FSM Model Binary Semaphore Counting Semaphore MVP5 10

11 Semaphore Solution? 1. Race conditions? 2. Consistency? (Balance) 3. Deadlock? 1. A[] (mc1.finished and mc2.finished) imply (accounta+accountb==200) 2. E<> mc1.critical_section and mc2.critical_section 3. A[] not (mc1.finished and mc2.finished) imply not deadlock MVP5 11

12 Reachability Analysis Compute all possible execution sequences And consequently all states of the system Exhaustive search => proof Check if each state encountered has the (un)- desired property MVP5 12

13 UPPAAL Property Specification Language A[] p A<> p process location data guards E<> p E[] p P --> q clock guards p::= a.l gd gc p and p p or p not p p imply p ( p ) deadlock(only for A[],E<>) A[] (mc1.finished and mc2.finished) imply (accounta+accountb==200) MVP5 13

14 Uppaal Computation Tree Logic always A[] p E<> p Possible p p p P p P P p E[] p potentially always A<> p inevitable p --> q leads-to P p P P P P P q q q MVP

15 Reachability Analysis Passed:=Ø //already seen states Waiting:={S_0} //states not examined yet While(waiting!=Ø) { Waiting:=Waiting\{s_i} if s_i Passed whenever (s_j s_j) then waiting:=waiting s_j } Depth First: maintain waiting as a stack Order: Breadth First: maintain waiting as a queue (shortest counter example) Order: MVP5 15

16 Hybrid & Real Time Systems Control Theory Plant Continuous sensors actuators Task TaskTask Controller Program Discrete Computer Science Task Eg.: Pump Control Air Bags Robots Cruise Control ABS CD Players Production Lines Real Time System A system where correctness not only depends on the logical order of events but also on their timing MVP5 16

17 Timed Automata Intelligent Light Control press? press? Press? Off Light Bright Press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. MVP5 17

18 Timed Automata Intelligent Light Control press? X:=0 X<=3 Press? press? Off Light Bright Press? X>3 Solution: Add real-valued clock x MVP5 18

19 Timed Automata (Alur & Dill 1990) Action used for synchronization n x<=5 & y>3 a x := 0 m Clocks: x, y Transitions Guard Boolean combination of comp with integer bounds Reset Action performed on clocks State ( location, x=v, y=u ) where v,u are in R ( n, x=2.4, y= ) a ( m, x=0, y= ) e(1.1) ( n, x=2.4, y= ) ( n, x=3.5, y= ) MVP5 19

20 (Henzinger et al, 1992) Timed Safety Automata = Timed Automata + Invariants Location Invariants n x<=5 x<=5 & y>3 a x := 0 m y<=10 g4 g1 g2 g3 Clocks: x, y Transitions ( n, x=2.4, y= ) e(3.2) e(1.1) ( n, x=2.4, y= ) ( n, x=3.5, y= ) Invariants ensure progress!! MVP5 20

21 Clock Constraints MVP5 21

22 Timed (Safety) Automata MVP5 22

23 Timed Automata: Example guard location reset MVP5 23

24 Timed Automata: Example guard location reset MVP5 24

25 Timed Automata: Example x 3 MVP5 25

26 Timed Automata: Example x 3 MVP5 26

27 Timed Automata: Example MVP5 27

28 Timed Automata: Example MVP5 28

29 Light Switch push y 9 click push MVP5 29

30 Light Switch push click y 9 push Switch may be turned on whenever at least 2 time units has elapsed since last turn off MVP5 30

31 Light Switch push click push Switch may be turned on whenever at least 2 time units has elapsed since last turn off Light automatically switches off after 9 time units. MVP5 31

32 Semantics clock valuations: V ( C) v : C R 0 state: ( l, v) where l L and v V ( C) Semantics of timed automata is a labeled transition system where S = { ( l, v) action transition ( S, ) v V ( C) a and l L } delay Transition ( l, v) ( l', v') g( v) ( l, v) Inv( l)( v and v' = d ( l, v + d') v[ r] + d) iff and whenever g a r l l Inv( l')( v') d' d MVP5 32 iff R 0

33 MVP5 33 Semantics: Example 9)... 0,, ( 9) 3), ( 9, ( 3) 3,, ( ) 0,, ( ), ( 0), ( 3.5), ( 0), ( 3) ( = = = + = + = = = = = = = = = = = = + y x off y x on y x on y x on y x on y x on y x off y x off click push push π π π π π π push push click 9 y

34 Uppaal Network of timed automata Timing requirement Uppaal No! Debugging Information Yes Uppsala (6 persons), Aalborg (10 persons), papers, 6 invited talks/tutorials 9 industrial case studies (or MVP5 34

35 Timed Automata in UPPAAL Networks of Timed Safety Automata + urgent actions + urgent locations (i.e. zero-delay locations) + committed locations (i.e. zero-delay and atomic locations) + data-variables (integers with bounded domains) + arrays of data-variables + guards and assignments over data-variables and arrays... MVP5 35

36 Networks of Timed Automata + Integer Variables + arrays. l1 m1 x>=2 i==3 a! y<=4 a?. Two-way synchronization on complementary actions. x := 0 i:=i+4 Closed Systems! l2 m2 Example transitions (l1, m1,, x=2, y=3.5, i=3,..) tau (l2,m2,..,x=0, y=3.5, i=7,..) 0.2 (l1,m1,,x=2.2, y=3.7, I=3,..) MVP5 36 If a URGENT CHANNEL

37 Timed Automata in UPPAAL clock assignments x : = n clock assignments i : = Expr Expr :: = n Expr Expr + Expr Expr Expr Expr * Expr Expr / Expr ( g d i i[ Expr]? Expr : Expr) n x<=5 x<=5 & y>3 a x := 0 m y<=10 g4 g1 g2 g3 location invariants g g inv :: = x < n x n inv, inv g :: = g c d clock natural number and c g d g, g :: = x p n x p y + n :: = Expr op Expr p { <, <=, =, >=, > } op { <, <=, =, >=, >,! = } clock guards data guards MVP5 37

38 Urgent Channels urgent chan hurry; Informal Semantics: There will be no delay if transition with urgent action can be taken. Restrictions: No clock guard allowed on transitions with urgent actions. Invariants and data-variable guards are allowed. MVP5 38

39 Urgent Locations Click Urgent in State Editor. Informal Semantics: No delay in urgent location. Note: the use of urgent locations reduces the number of states in a model, and thus the complexity of the analysis. MVP5 39

40 Committed Locations Click Committed in State Editor. Informal Semantics: No delay in committed location. Next transition must involve automata in committed location. Note: the use of committed locations reduces the number of states in a model, and allows for more space and time efficient analysis. MVP5 40

41 Urgent and Committed Locations committed m n x 2 a! urgent p q a? ( m p, x = 2.5 ( m p, x = ( n q, x = 0) 2.5) a ( n r, x = 2.5) 2.5) d o x := 0 r ( o ( o q, x = 0) r, x = 0) d ( n q, x = d) ( o q, x = d) MVP5 41

42 Uppaal Demo MVP5 42

43 Exercise: The Coffee Machine Person Machine takes time to brew time-out if coffee not taken before time-limit cof Start coin! y:=0 Wait1 y<=3 y=3 pub! Go pub Observer complain if more than 8 time-units between two consecutive publ. coin Ready cof? y:=0 Wait2 y<=2 y=2 Design Machine and Observer MVP5 43