for System Modeling, Analysis, and Optimization

Transcription

1 Fundamental Algorithms for System Modeling, Analysis, and Optimization Stavros Tripakis UC Berkeley EECS 144/244 Fall 2013 Copyright 2013, E. A. Lee, J. Roydhowdhury, S. A. Seshia, S. Tripakis All rights reserved Timed automata Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 1 / 22

2 Timed Automata A formal model for dense-time systems [Alur and Dill(1994)] Developed mainly with verification in mind: in the basic TA variant, model-checking is decidable But also an elegant theoretical extension of the standard theory of regular and ω-regular languages. Many different TA variants, some undecidable. We will look at a basic variant. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 2 / 22

3 Timed Automaton A TA is a tuple C: finite set of clocks (C, Q, q 0, Inv, ) Q: finite set of control states; q 0 Q: initial control state Inv: a function assigning to each q Q an invariant : a finite set of actions, each being a tuple (q, q, g, C ) q, q Q: source and destination control states g: clock guard C : set of clocks to reset to 0, C C Invariants and guards are simple constraints on clocks, e.g., c 1, 0 < c 1 < 2 c 2 = 4, etc. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 3 / 22

4 Timed Automaton A TA is a tuple C: finite set of clocks (C, Q, q 0, Inv, ) Q: finite set of control states; q 0 Q: initial control state Inv: a function assigning to each q Q an invariant : a finite set of actions, each being a tuple (q, q, g, C ) q, q Q: source and destination control states g: clock guard C : set of clocks to reset to 0, C C Invariants and guards are simple constraints on clocks, e.g., c 1, 0 < c 1 < 2 c 2 = 4, etc. Can also have atomic propositions labeling control states, labels on actions, communication via shared memory or message passing, etc. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 3 / 22

5 Example: Timed Automaton A simple light controller: touch c 2 touch touch off light bright c := 0 c < 2 touch C = {c} Q = { off, light, bright } q 0 = off touch: action label (can be seen as the input symbol) Inv(q) = true for all q Q Actions: (off, light, true, {c}), (light, off, c 2, {}),... Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 4 / 22

6 Event-based vs. state-based models High-level: touch c 2 touch touch off light bright c := 0 c < 2 Low-level: touch Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 5 / 22

7 Timed Automata: Semantics A TA (C, Q, q 0, Inv, ) defines a transition system such that Set of states: S = Q R C + (S, S 0, R) R C + : the set of all functions v : C R + each v is called a valuation: it assigns a value to every clock Set of initial states: S 0 = {(q 0, v 0 )}, where we define v 0 (c) = 0 for all c C (i.e., all clocks are initially set to 0) Set of transitions: R = R t R d Rt : set of transitions modeling passage of time Rd : set of discrete transitions ( jumps between control states) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 6 / 22

8 Timed Automata: Semantics A TA (C, Q, q 0, Inv, ) defines a transition system such that Set of states: S = Q R C + (S, S 0, R) R C + : the set of all functions v : C R + each v is called a valuation: it assigns a value to every clock Set of initial states: S 0 = {(q 0, v 0 )}, where we define v 0 (c) = 0 for all c C (i.e., all clocks are initially set to 0) we could also define S 0 = {q 0 } R C + what does this say? Set of transitions: R = R t R d Rt : set of transitions modeling passage of time Rd : set of discrete transitions ( jumps between control states) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 6 / 22

9 Timed Automata: Discrete and Time Transitions where: R t = { ( (q, v), (q, v + t) ) t t : v + t = Inv(q)} R d = { ( (q, v), (q, v ) ) a = (q, q, g, C ) : v = g v = v[c := 0]} v + t is a new valuation u such that u(c) = v(c) + t for all c if g is a constraint, then v = g means v satisfies g v[c := 0] is a new valuation u such that u(c) = 0 if c C and u(c) = v(c) otherwise Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 7 / 22

10 Timed Automata: Discrete and Time Transitions where: R t = { ( (q, v), (q, v + t) ) t t : v + t = Inv(q)} R d = { ( (q, v), (q, v ) ) a = (q, q, g, C ) : v = g v = v[c := 0]} v + t is a new valuation u such that u(c) = v(c) + t for all c if g is a constraint, then v = g means v satisfies g v[c := 0] is a new valuation u such that u(c) = 0 if c C and u(c) = v(c) otherwise Instead of ( (q, v), (q, v + t) ) R t we write (q, v) (q, v + t). Instead of ( (q, v), (q, v ) ) a R d we write (q, v) (q, v ). t Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 7 / 22

11 Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Inv(off) = c 10 : automaton cannot spend more than 10 time units at control state off. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 8 / 22

12 Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Inv(off) = c 10 : automaton cannot spend more than 10 time units at control state off. What if we omit the invariant? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 8 / 22

13 Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Does it work correctly if cancel arrives exactly when c = 10? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 9 / 22

14 Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Does it work correctly if cancel arrives exactly when c = 10? Depends on the semantics of composition: if it s non-deterministic (as usually done) then alarm may still ring. Otherwise, must give higher priority to the cancel transition. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 9 / 22

15 Timed Automata Model-Checking: Reachability Basic question: is a given control state q reachable? i.e., does there exist some reachable state s = (q, v) in the transition system defined by the timed automaton? Many interesting questions about timed automata can be reduced to this question. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 10 / 22

16 Timed Automata Model-Checking: Reachability Basic question: is a given control state q reachable? i.e., does there exist some reachable state s = (q, v) in the transition system defined by the timed automaton? Many interesting questions about timed automata can be reduced to this question. Is the basic control-state reachability question decidable? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 10 / 22

17 Timed Automata Reachability Not the same as discrete-state reachability! q 0 q 1 q 2 q 3 q 4 c 1 := 0 c 2 := 0 c 2 > 1 c 1 1 q 4 is reachable if we ignore the timing constraints. But is it really reachable? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 11 / 22

18 Timed Automata Reachability Not the same as discrete-state reachability! q 0 q 1 q 2 q 3 q 4 c 1 := 0 c 2 := 0 c 2 > 1 c 1 1 q 4 is reachable if we ignore the timing constraints. But is it really reachable? No: at q 3, c 2 > 1 and c 1 c 2, therefore c 1 > 1 also. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 11 / 22

19 Timed Automata Model-Checking: Reachability A less obvious example: Fischer s mutual exclusion protocol. Suppose we have many processes, each behaving like the TA above. Is mutual-exclusion guaranteed? I.e., at most 1 process is in critical section (control state cs) at any given time. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 12 / 22

20 Timed Automata Model-Checking: Reachability Brute-force idea: exhaustive state-space exploration of the transition system defined by the timed automaton does not work since state-space is infinite (even uncountable) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 13 / 22

21 Timed Automata Model-Checking: Reachability Brute-force idea: exhaustive state-space exploration of the transition system defined by the timed automaton does not work since state-space is infinite (even uncountable) Yet problem is decidable! [Alur-Dill 94] Key idea: Region equivalence: partitions the state-space into finite number of equivalence classes (regions) Perform reachability on finite (abstract) state-space Can prove that q is reachable in the abstract space iff it is reachable in the concrete space Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 13 / 22

22 The Region Equivalence y Fig. 3: Set of regio straints with two clo Key idea: two valuations v 1, v 2 are equivalent iff: 2 2) 1. v 1 satisfies a guard g iff v 2 satisfies g. ( X +1)2. Note tha 2. 1 rect for M-bounded v 1 can lead to some v 1 satisfying a guard g with a discrete transition iff v 2 can do the same. 3. 0v 1 can1 lead2to some v x1 satisfying a guard g with a timeregion automata f (a) transition Partition iffcompatible v 2 can dowith the same. constraints, not with time elapsing (the two Let A be a timed au Region = equivalence class w.r.t. region equivalence = set of Let allm be the max points and can not be equivalent) equivalent valuations. of the constraints o of regions for A. F y Region in gray: subsections, we get 1 < region x < 2defined 1 < by: y < 2 Alur x > y. and Dill [6, 7] 2 Other 8 regions: < 1 < x < 2 fication of timed sy x = y = 0, 1 0 < 1 < y 2 : x = y < 1, {x} {y} x = 0 0 < y < 1, Theorem 1 (Alur & x etc. equivalently empti (b) Partition compatible with constraints, time elapsing (and resets) Pictures in this and other slides taken from [Bouyer(2005)]. automata. It is (for both diagonal- Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 14 / 22

23 The Region Equivalence: 0 1Finiteness 2 x (a) Partition compatible with constraints, notclasses: with timebounded elapsing (the by two constant c = Finite number of equivalence maximal constant appearing points and in a can guard notor be invariant. equivalent) y 2 1 region defined by: 8 < 1 < x < 2 1 < y < 2 : {x} < {y} x Some regions are unbounded, e.g.: x > 2 0 < y < 1 x > 2 y > 2 etc. (b) Partition compatible with constraints, time elapsing (and resets) Fig. 2: Diagonal-free region partitioning for two clocks and maximal constant 2 Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 15 / 22

24 0 1 2 x Region x automata for classic (a) Partition compatible with con-(astraints, not with time elapsing (the twostraints, not with time elapsing Let(the Mtwo be the maximal const Partition compatible Let withacon- be a timed automaton w points and can not be equivalent) points and can not be equivalent) A graph of regions: one region space for each control of the location. constraints of A, the s of regions for A. From the re y y subsections, we get the follow region defined by: Alur and Dill region [6, defined 7], which by: is < 1 < x < 2 fication of timed 8 systems. < 1 < x < < y < 2 1 < y < 2 : : {x} < {y} {x} < {y} Theorem 1 (Alur & Dill 90 s x equivalently x emptiness) is d (b) Partition compatible with constraints, time elapsing q 1 (and resets) straints, time elapsing q 2 (and resets) (b) Partition compatible automata. with con- It is a PSPACE (for both diagonal-free as we automata). Nodes: pairs Fig. (q, 2: r) Diagonal-free where region partitioning Fig. 2: Diagonal-free for two region partitioning for two clocks and maximal constant 2 clocks and maximal constant Although 2 this theorem has bee q is a control location of the timed automaton. the proof we choose to sketc where it is written in details. r is a region. It is easy to prove (and left as an It exercise) easy tothe prove fol-(anlowing lemma: lowing lemma: left as an exercise) the fol- Proof. [Sketch] PSPACE mem size of th region automaton Two types of edges: Lemma 1 The partitioning R M the size of the original auto df Lemma (X) is a1 set The ofpartitioning regions for the constraints Cdf M(X). NLOGSPACE complexity of th R M df (X) is a set of regions for the constraints a (q, r) (q, r ): discrete transition lem Cdf M(X). in classical untimed graph (q, r) time Roughly (q, r counting ): time transition all possible Roughly combinations counting all ability possible in timed combinations automata can b above, we can bound the number above, of we regions can bound in the PSPACE-hardness number of regions can be in prov R M (X) by 2 X. X!.(2M + 2) R X M (X) where by 2 X. X!.(2M is termination + 2) X of where a linearly X isboun The Region Graph Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 16 / 22

25 Decidability Theorem ([Alur and Dill(1994)]) reachable state (q, v) in a timed automaton iff reachable node (q, r) in its region graph. Finite # regions and control states Region graph is finite Reachability is decidable. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 17 / 22

26 The Problem with Regions STATE EXPLOSION! Worst-case number of regions: O(2 n n! c n ) where n is the number of clocks and c is the maximal constant. This is actually often close to the actual number of regions no practical tool uses regions. Model-checkers for TA (Uppaal, Kronos,...) have improved upon the region-graph idea and use symbolic techniques. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 18 / 22

27 ints (x 1 3) (x 2 5) (x 1 x 2 4). zone, Fromdepicted Regions below to Zones the right, can be repnted by the DBM below (on the left) Zone: a convex union of regions, e.g., x 1 3 x 2 5 x 1 x 2 4. x 0 x 1 x one can have several representations using s. For example, the zone of the previous ple can equivalently be represented by the Termination needs som lated to properties of t ciated with timed auto then relies on the follo proved as an exercise. Lemma 2 Let A be R be a set of regions and ➂ (for A). Consi p i=1 R i (with R i R following holds: - p i=1 R i is a fini - [Y 0] 1 ( p i= gions (for any set - g ( p i=1 R i) is is a constraint of Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 19 / 22

28 ints (x 1 3) (x 2 5) (x 1 x {v 2 : 4). X Termination i, j, v(x i ) needs v(x j som ) zone, Fromdepicted Regions below to Zones the right, can be repnted by the DBM below (on the lated to properties of t left). 0 where γ < simply means that γ i Zone: a convex union of regions, e.g., without x 1 3 bound. ciated x 2 5 This with timed auto x 1 xsubset 2 4. of n is will be denoted, then in what relies follows, on theby follo M proved as an exercise. x 0 x 1 x follows, to simplify notations, we will 2 5 all constraints are non-strict, so that c DBMs will be Lemma elements 2of Let A{ }. be 1 2 R be a set of regions 2 Example 3 Consider and ➂ (for the zone A). defined Consi p straints (x i=1 R 1 3) (xi 2 (with 5) R i (x 1 R This zone, depicted following belowholds: on the right, Key property: can be represented efficiently resented usingby difference the DBM one can have several representations using - bound below p i=1 s. For example, the zone of the previous R (on the lef matrices (DBMs) [Dill(1989)]. i is a fini ple can equivalently be represented by the - [Y 0] 1 ( p x 0 x 1 x 2 i= x 0 gions (for any set x 1 3 x x x 2 +4 : x g ( p2 x i=1 R 2 5 i) is is a constraint of Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 19 / 22

29 Symbolic Manipulations of Zones using DBMs DBMs = the BDDs of the timed automata world. Time elapse, guard intersection, clock resets, are all easily implementable in DBMs. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 20 / 22

30 Symbolic Manipulations of Zones using DBMs DBMs = the BDDs of the timed automata world. Time elapse, guard intersection, clock resets, are all easily implementable in DBMs. Is zone union implementable with DBMs? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 20 / 22

31 Symbolic Manipulations of Zones using DBMs DBMs = the BDDs of the timed automata world. Time elapse, guard intersection, clock resets, are all easily implementable in DBMs. Is zone union implementable with DBMs? No! The union of two zones in general is not a zone. often state explosion even with zones... Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 20 / 22

32 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

33 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

34 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

35 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

36 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

37 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

38 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

39 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

40 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) take discrete transition to q 2 : Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

41 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) take discrete transition to q 2 : cannot because c 1 > 1 c 2 1 c 2 c 1 is UNSAT Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

42 Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) take discrete transition to q 2 : cannot because c 1 > 1 c 2 1 c 2 c 1 is UNSAT therefore q 2 not reachable Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

43 Bibliography R. Alur. Timed automata. NATO-ASI 1998 Summer School on Verification of Digital and Hybrid Systems, R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126: , P. Bouyer. An introduction to timed automata. At D. Dill. Timing assumptions and verification of finite-state concurrent systems. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems, volume 407 of LNCS, pages Springer, Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 22 / 22