UPPAAL tutorial What s inside UPPAAL The UPPAAL input languages

Size: px

Start display at page:

Download "UPPAAL tutorial What s inside UPPAAL The UPPAAL input languages"

Julia Weaver
6 years ago
Views:

1 UPPAAL tutorial What s inside UPPAAL The UPPAAL inut languages 1 UPPAAL tool Develoed jointly by Usala & Aalborg University >>8,000 downloads since

2 UPPAAL Tool Simulation Modeling Verification 3 Architecture of UPPAAL Linu, Windows, Solaris, MacOS 4

3 What s inside UPPAAL 5 OUTLINE Data Structures DBM s (Difference Bounds Matrices) Canonical and Minimal Constraints Algorithms Reachability analysis Liveness checking Verification Otions 6 3

4 All Oerations on Zones (needed for verification) Transformation Conjunction Post condition (delay) Reset Consistency Checking Inclusion Emtiness S1 S, S3,..., Sn Si Sj 7 Zones = Conjuctive constraints A zone Z is a conjunctive formula: g 1 & g &... & g n where g i may be i ~ b i or i - j ~b ij Use a zero-clock 0 (constant 0), we have { i - j ~ b ij ~ is < or, i,j n} This can be reresented as a MATRIX, DBM (Difference Bound Matrices) 8 4

5 Datastructures for Zones in UPPAAL -4 Difference Bounded Matrices [Bellman58, Dill89] 1 4 Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] 9 Canonical Datastructures for Zones Difference Bounded Matrices Bellman 1958, Dill 1989 Inclusion Z1 <=1 y-<= z-y<= z<=9 Grah z y?? Z <= y-<=3 y<=3 z-y<=3 z<=7 Grah z 3 y 10 5

? y Shortest Path Closure 3 Shortest 3 3 Path 3 y 0 y Closure 7 6 z 3 z 3 0 1 5 3 z y Z1 Z!

6 Canonical Dastructures for Zones Difference Bounded Matrices Bellman 1958, Dill 1989 Inclusion Z1 Z <=1 y-<= z-y<= z<=9 <= y-<=3 y<=3 z-y<=3 z<=7 Grah Grah z?? y Shortest Path Closure 3 Shortest 3 3 Path 3 y 0 y Closure 7 6 z 3 z z y Z1 Z! 11 Canonical Datastructures for Zones Emtiness Difference Bounded Matrices Bellman 1958, Dill 1989 Z <=1 y>=5 y-<=3 Grah y 3 Negative Cycle iff emty solution set 1 6

Canonical Datastructures for Zones Difference Bounded Matrices y Conjunction y Z 1<=, 1<=y -<=-y<=3 Z g 1<=, 1<=y -<=-y<=3 3<= 0-1 -1 y 3 Add new edge for g -3-1 0-1 y 3 0-1 -3 y 3 13 Canonical

7 Canonical Datastructures for Zones Difference Bounded Matrices y Conjunction y Z 1<=, 1<=y -<=-y<=3 Z g 1<=, 1<=y -<=-y<=3 3<= y 3 Add new edge for g y y 3 13 Canonical Dastructures for Zones Difference Bounded Matrices y Delay y Z 1<= <=4 1<= y <=3 Z 1<=, 1<=y -<=-y<= y Shortest Path Closure y 3 Remove uer bounds on clocks y

8 Canonical Datastructures for Zones Difference Bounded Matrices y Reset y Z 1<=, 1<=y -<=-y<=3 {y}z y=0, 1<= y 3 Remove all bounds involving y and set y to y 15 COMPLEXITY Comuting the shortest ath closure, the cannonical form of a zone: O(n 3 ) [Dijkstra s alg.] Run-time comleity, mostly in O(n) (when we kee all zones in cannonical form) 16 8

1-<=-4-1<=10 3-1<= -3<= 0-1<=3 3-0<=5 3 1 0 10 5 3 1 Shortest Path Reduction O(n 3 ) 3 3 0-4 Shortest

9 Datastructures for Zones in UPPAAL -4 Difference Bounded Matrices [Bellman58, Dill89] 1 4 Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] 17 Minimal Grah <=-4-1<=10 3-1<= -3<= 0-1<=3 3-0<= Shortest Path Reduction O(n 3 ) Shortest Path Closure O(n 3 ) (DBM) Sace worst O(n ) ractice O(n) (Minimal grah, a.ka. comact data structure) 18 9

10 Grah Reduction Algorithm G: weighted grah 1. Equivalence classes based on 0-cycles. 19 Grah Reduction Algorithm G: weighted grah 1. Equivalence classes based on 0-cycles.. Grah based on reresentatives. Safe to remove redundant edges 0 10

11 Grah Reduction Algorithm G: weighted grah 1. Equivalence classes based on 0-cycles.. Grah based on reresentatives. Safe to remove redundant edges 3. Shortest Path Reduction = One cycle r. class + Removal of redundant edges between classes 1 Datastructures for Zones in UPPAAL -4 Difference Bounded Matrices [Bellman58, Dill89] 1 4 Minimal Constraint Form [RTSS97] Clock Difference Diagrams [CAV99] 11

12 Other Symbolic Datastructures NDD s Maler et. al. CDD s UPPAAL/CAV99 DDD s Møller, Lichtenberg Polyhedra HyTech... CDD-reresentations 3 Inside the UPPAAL tool Data Structures DBM s (Difference Bounds Matrices) Canonical and Minimal Constraints Algorithms Reachability analysis Liveness checking Verification Otions 4 1

13 Timed CTL in UPPAAL EF AG EG AF - -> q P ::= A.l g c g d not or and imly Process Location (a location in automaton A) Clock constraint redicate over data variables leads to q denotes AG ( imly AF q) 5 Timed CTL in UPPAAL EF AG EG AF - -> q P ::= A.l g c g d not or and imly Process Location (a location in automaton A) Clock constraint redicate over data variables SAFETY PROPERTIES leads to q denotes AG ( imly AF q) 6 13

14 SAFETY Proerties in UPPAAL F ::= EF P AG P Reachability Invariant = EF P Thus, AG P is also checked by reachability analysis! 7 We have a search roblem (n 0,Z 0 ) S, S3... Sn Symbolic state Symbolic transitions T1 T.. Reachable? EF 8 14

15 Forward Reachability Init -> Final? Waiting Final INITIAL := Ø; Waiting := {(n0,z0)} REPEAT - ick (n,z) in Waiting - if for some Z Z (n,z ) in then STOP - else /elore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Init UNTIL Waiting = Ø or Final is in Waiting 9 Forward Reachability Init -> Final? Waiting n,z n,z Final INITIAL := Ø; Waiting := {(n0,z0)} REPEAT - ick (n,z) in Waiting - if for some Z Z (n,z ) in then STOP - else (elore) add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Init UNTIL Waiting = Ø or Final is in Waiting 30 15

16 Forward Reachability Init -> Final? Waiting m,u Final INITIAL := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - ick (n,z) in Waiting - if for some Z Z (n,z ) in then STOP - else /elore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Init UNTIL Waiting = Ø or Final is in Waiting 31 Forward Reachability Init -> Final? Waiting m,u Final INITIAL := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - ick (n,z) in Waiting - if for some Z Z (n,z ) in then STOP - else /elore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Init UNTIL Waiting = Ø or Final is in Waiting 3 16

17 Forward Reachability Init -> Final? Waiting m,u Final INITIAL := Ø; Waiting := {(n0,z0)} n,z n,z REPEAT - ick (n,z) in Waiting - if for some Z Z (n,z ) in then STOP - else /elore/ add { (m,u) : (n,z) => (m,u) } to Waiting; Add (n,z) to Init UNTIL Waiting = Ø or Final is in Waiting 33 Further question Can we find the ath with shortest delay, leading to P? (i.e. a state satisfying P) OBSERVATION: Many scheduling roblems can be hrased naturally as reachability roblems for timed automata

18 Verification vs. Otimization State reachable? Verification Algorithms: Checks a logical roerty of the entire state-sace of a model. Efficient Blind search. Otimization Algorithms: Finds (near) otimal solutions. Uses techniques to avoid nonotimal arts of the state-sace (e.g. Branch and Bound). Goal: solve ot. roblems with verification. Min time of reaching state? OPTIMAL REACHABILITY The maimal and minimal delay roblem 36 18

19 Find the trace leading to P with min delay S 0 There may be a lot of athes leading to P Which one with the shortest delay? 37 Find the trace leading to P with min delay S 0 Idea: delay as Cost to reach a state, thus cost increases with time at rate

20 An Simle Algorithm for minimal-cost reachability State-Sace Eloration + Use of global variable Cost and global clock δ Udate Cost whenever goal state with min( C ) < Cost is found: Cost = δ:= Cost =80 60 δ Cost =60 Terminates when entire state-sace is elored. Problem: The search may never terminate! 39 Eamle (min delay to reach G) m (m,= δ=0) (m, 0, = δ) G :=0,δ:=0 (n,= δ=0) (n, 0,= δ) =10 :=0 X=>0 n G (n,=0, δ=10, δ-=10) (n, 0, δ 10, δ-= 10) (n,=0,=0, δ=0,δ-=0) (n, 0, δ 0, δ-= 0) (n,=0, δ=30,δ-=30) (n, 0, δ 30, δ-= 30) The minimal delay = 0 but the search may never terminate! Problem: How to symbolically reresent the zone C. 40 0

21 Priced-Zone Cost = minimal total time C can be reresented as the zone Z δ, where: Z δ original (ordinary) DBM lus δ clock keeing track of the cost/time. Delay, Reset, Conjunction etc. on Z are the standard DBM-oerations Delay-Cost is incremented by Delay-oeration on Z δ. 41 Priced-Zone δ Cost = min total time C 3 C can be reresented as the zone Z δ, where: Z δ is the original zone Z etended with the global clock δ keeing track of the cost/time. Delay, Reset, Conjunction etc. on C are the standard DBM-oerations C C 1 But inclusion-checking will be different Then: But: C 3 C C 1 C 3 C C 1 4 1

22 Solution: () -widening oeration () removes uer bound on the δ clock: C 3 C C 1 C 3 C C 1 C 1 δ C 3 In the Algorithm: Delay(C ) = ( Delay(C ) ) Reset(,C ) = ( Reset(,C ) ) C 1 g = ( C 1 g ) It is suffices to aly () to the initial state (l 0,C 0 ). C 43 Eamle (widening for Min) δ Z 1 Z Z 1 Z 44

23 Eamle (widening for Min) δ Z + 1 Z + = Widen(Z) Z 1 Z + Z 1 Z Z 45 Eamle (widening for Min) δ Z + 1 Z + = Widen(Z) Z + Z + 1 Z + Z 1 Z! 46 3

24 An Algorithm (Min) Cost:=, Pass := {}, Wait := {(l 0,C 0 )} while Wait {} do select (l,c) from Wait if (l,c) = P and Min(C)<Cost then Cost:= Min(C) if (l,c) (l,c ) for some (l,c ) in Pass then ski otherwise add (l,c) to Pass and forall (m,c ) such that (l,c) (m,c ): add (m,c ) to Wait One-ste reachability relation Return Cost Outut: Cost = the min cost of a found trace satisfying P. 47 Further reading: Priced Timed Automata <3 a {:=0} <3 b y>3 c [Larsen et al] Timed Automata + Costs on transitions and locations. Uniformly Priced = Same cost in all locations (edges may have different costs). Cost of erforming transition: Transition cost. Cost of erforming delay d: ( d location cost ). 48 4

25 Priced Timed Automata <3 a 4 < b y>3 {:=0} Trace: ε(.5) (a,=y=0) (b,=y=0) (b,=y=.5) Cost of Eecution Trace: Sum of costs: = 9 c (a,=0,y=.5) Problem: Finding the minimum cost of reaching c! 49 Inside the UPPAAL tool Data Structures DBM s (Difference Bounds Matrices) Canonical and Minimal Constraints Algorithms Reachability analysis Liveness checking Verification Otions 50 5

26 Timed CTL in UPPAAL EF AG EG AF - -> q P ::= A.l g c g d not or and imly Process Location (a location in automaton A) Clock constraint redicate over data variables LIVENESS PROPERTIES SAFETY PROPERTIES leads to q denotes AG ( imly AF q) 51 LIVENESS Proerties in UPPAAL F ::= EG AF - -> q Possibly always P is equivalent to (: AF : P) Eventually P is equivalent to (: EG : P) P leads to Q is equivalent to AG ( P imly AF Q) 5 6

27 Algorithm for checking AF P Eventually P Bouajjani, Triakis, Yovine 97 On-the-fly symbolic model checking of TCTL 53 Question AF P P will be true for sure in future m 5?? Does this automaton satisfy AF P 54 7

28 Note that AF P P will be true for sure in future m 5 NO!!!! there is a ath: (m, =0) (m,=1)(m,)... (m,=k)... Idling forever in location m 55 Note that AF P P will be true for sure in future m 5 5 This automaton satisfies AF P 56 8

29 Liveness Algorithm Bouajjani, Triakis, Yovine, 97 ST : φ Unelored AF φ S 57 Liveness Algorithm ST : φ Unelored AF φ =? 58 9

30 Liveness Algorithm ST : φ Unelored AF φ 59 Liveness Algorithm ST : φ Unelored AF φ?? 60 30

31 Liveness Algorithm ST : φ Unelored if emty(s) then eit(true) fi AF φ µ?? 61 Liveness Algorithm ST : φ Unelored AF φ 6 31

32 Liveness Algorithm ST : φ Unelored AF φ 63 Liveness Algorithm ST : φ Unelored AF φ 64 3

33 Liveness Algorithm ST : φ Unelored AF φ 65 Liveness Algorithm ST : φ Unelored AF φ 66 33

34 Question: Time bound synthesis AF P P will be true eventually But no time bound is given. Assume AF P is satisfied by an automaton A. Can we calculate the Ma time bound? OBS: we know how to calculate the Min! 67 Assume AF P is satisfied Find the trace leading to P with the ma delay P P S 0 S 0 Almost the same algorithm as for synthesizing Min We need to elore the Green art 68 34

35 An Algorithm (Ma) Cost:=0, Pass := {}, Wait := {(l 0,C 0 )} while Wait {} do select (l,c) from Wait if (l,c) = P and Ma(C)>Cost then Cost:= Ma(C) else if forall (l,c ) in Pass: C C then add (l,c) to Pass forall (m,c ) such that (l,c) (m,c ): add (m,c ) to Wait One-ste reachability relation Return Cost Outut: Cost = the min cost of a found trace satisfying P. BUT: is defined on zones where the lower bound of cost is removed 69 Zone-Widening oeration for Ma δ C 1 C C C

36 Zone-Widening oeration for Ma δ C 1 C C + 1 C + C + 1 C + C 1 C! 71 Inside the UPPAAL tool Data Structures DBM s (Difference Bounds Matrices) Canonical and Minimal Constraints Algorithms Reachability analysis Liveness checking Termination Verification Otions 7 36

Verification Otions Diagnostic Trace Breadth-First

Reduction Re-Use State-Sace Over-Aroimation

only active in location S1 :=0 S Definition is inactive

37 Verification Otions Diagnostic Trace Breadth-First Deth-First Local Reduction Active-Clock Reduction Global Reduction Re-Use State-Sace Over-Aroimation Under-Aroimation 73 Inactive (assive) Clock Reduction is only active in location S1 :=0 S Definition is inactive at S if on all ath from S, is always reset before being tested. :=0 <5 >

38 Global Reduction (When to store symbolic state) However, list useful for efficiency No Cycles: list not needed for termination 75 Global Reduction [RTSS97] (When to store symbolic state) Cycles: Only symbolic states involving loo-entry oints need to be saved on list 76 38

39 To Store Or Not To Store? [RTSS97,CAV03] 117 states total 81 states entryoint 9 states Time OH less than 10% (need to re-elore some states) 77 Reuse of State Sace Waiting ro A[] ro1 ro1 A[] ro A[] ro3 A[] ro4 A[] ro5... A[] ron Search in eisting list before continuing search Which order to search? 78 39

40 Reuse of State Sace Waiting Hashtable ro1 ro A[] ro1 A[] ro A[] ro3 A[] ro4 A[] ro5... A[] ron Search in eisting list before continuing search Which order to search? 79 Reuse of State Sace Waiting Hashtable ro1 ro A[] ro1 A[] ro A[] ro3 A[] ro4 A[] ro5... A[] ron Search in eisting list before continuing search Which order to search? 80 40

41 Reuse of State Sace Waiting ro A[] ro1 Hashtable ro1 generation order A[] ro A[] ro3 A[] ro4 A[] ro5 REVERSE CREATION. ORDER.. A[] ron Search in eisting list before continuing search Which order to search? 81 Under-aroimation Bitstate Hashing (Holzman,SPIN) Waiting m,u Final n,z n,z Init 8 41

42 Under-aroimation Bitstate Hashing Waiting m,u Final 1 0 = Bitarray n,z 1 0 UPPAAL 8 Mbits Init n,z Hashfunction F Bit-state Hashing (F(n,Z)) = 1 (F(n,Z)) :=

43 Under Aroimation (good for finding Bugs quickly, debugging) Possitive answer is safe (you can trust) You can trust your tool if it tells: a state is reachable (it means Reachable!) Negative answer is Inconclusive You should not trust your tool if it tells: a state is non-reachable Some of the branch may be terminated by conflict (the same hashing value of two states) 85 Over-aroimation Conve Hull y Conve Hull 86 43

44 Over-Aroimation (good for safety roerty-checking) Possitive answer is Inconclusive a state is reachable means Nothing (you should not trust your tool when it says so) Some of the transitions may be enabled by Enlarged zones Negative answer is safe a state is not reachable means Non-reachable (you can trust your tool when it says so) 87 44

Symbolic Real Time Model Checking. Kim G Larsen

Symbolic Real Time Model Checking. Kim G Larsen Smbolic Real Time Model Checking Kim G Larsen Overview Timed Automata Decidabilit Results The UPPAAL Verification Engine Datastructures for zones Liveness Checking Algorithm Abstraction and Compositionalit