Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata

Size: px

Start display at page:

Download "Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata"

Dana McCormick
5 years ago
Views:

1 Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata WOJCIECH PENCZEK ICS PAS, Warsaw, Poland joint work with Agata Półrola University of Lodz, Poland Many thanks to members of the Verics group: M Szreter, B Woźna, AZbrzezny ATPN 04, Invited talk, Bologna, June 2004 p147

2 Outline Time Petri nets TPNs Timed automata TA Timed temporal logics: CTL, CTL, TCTL Verification methods for TPNs: state class approaches From TPNs to TA Verification methods for TA: partitioning and SAT-based approaches Experimental results for verifying TPNs directly and TPNs via TA ATPN 04, Invited talk, Bologna, June 2004 p247

3 Some history Timed extensions of Petri nets: Timed Petri nets Time Petri nets [Ramchandani 74] [Merlin, Farber 76] Timed extensions of automata theory: Timed automata [Alur,Dill 90] Hybrid automata [Alur, Courcoubetis, Henzinger, Ho 93; Nicollin, Olivero, Sifakis, Yovine 93] ATPN 04, Invited talk, Bologna, June 2004 p347

4 Time Petri nets - an example p1 t1 p3 p5 t4 p7 [1,2] [0,0] t3 [1,2] t2 t5 p2 [0,3] p4 p6 [1,2] p8 ATPN 04, Invited talk, Bologna, June 2004 p447

5 Time Petri nets - definition A time Petri net TPN: N = P, T, F R, Eft, Lft, m 0, where P = {p 1,, p np } - a finite set of places, T = {t 1,, t nt } - a finite set of transitions, F R P T T P - the flow relation, Eft : T IN, Lft : T IN { } - the earliest and the latest firing time of the transitions; Eftt Lftt, m 0 P - the initial marking of N ATPN 04, Invited talk, Bologna, June 2004 p547

6 TPNs - some definitions t = {p P p, t F R} - a preset of t T, t = {p P t, p F R} - a postset of t T, a marking of N - any subset m P, a transition t T is enabled at m m[t for short if t m and t m \ t =, enm = {t T m[t } ATPN 04, Invited talk, Bologna, June 2004 p647

7 Concrete states of TPNs: clock approach A concrete state of a net - a pair σ = m, clock, where m - a marking, clock - values of clocks σ 0 = m 0, 0,, 0 - an initial state ATPN 04, Invited talk, Bologna, June 2004 p747

8 Concrete states of TPNs: clock approach A concrete state of a net - a pair σ = m, clock, where m - a marking, clock - values of clocks σ 0 = m 0, 0,, 0 - an initial state Clocks can be associated with: transitions, places, or processes of a distributed net ATPN 04, Invited talk, Bologna, June 2004 p747

9 Concrete states of TPNs: clock approach A concrete state of a net - a pair σ = m, clock, where m - a marking, clock - values of clocks σ 0 = m 0, 0,, 0 - an initial state Clocks can be associated with: transitions, places, or processes of a distributed net Concrete states change because of: firing of a transition σ t c σ, t T, passing some time which does not disable any enabled transition σ τ c σ ATPN 04, Invited talk, Bologna, June 2004 p747

10 Concrete states of TPNs: clock approach A concrete state of a net - a pair σ = m, clock, where m - a marking, clock - values of clocks σ 0 = m 0, 0,, 0 - an initial state Clocks can be associated with: transitions, places, or processes of a distributed net Concrete states change because of: firing of a transition σ t c σ, t T, passing some time which does not disable any enabled transition σ τ c σ Discrete transition relation: σ t d σ iff σ τ c t τ c c σ, t T ATPN 04, Invited talk, Bologna, June 2004 p747

11 Concrete states of TPNs: firing interval approach A concrete state of a net - a pair σ F = m, f, where m - a marking, and f - firing interval function assigning to each t enm the timing interval in which t can fire σ 0 F = m 0, f 0 - an initial state, where f 0 t = [Eftt, Lftt] for all t enm 0 ATPN 04, Invited talk, Bologna, June 2004 p847

12 Concrete states of TPNs: firing interval approach A concrete state of a net - a pair σ F = m, f, where m - a marking, and f - firing interval function assigning to each t enm the timing interval in which t can fire σ 0 F = m 0, f 0 - an initial state, where f 0 t = [Eftt, Lftt] for all t enm 0 Concrete states change because of: firing of a transition σ F t d σ F, t T ATPN 04, Invited talk, Bologna, June 2004 p847

13 Concrete models for TPNs Σ - a set of all the concrete states of N P V = { p p P } - a set of propositional variables V c : Σ P V - a valuation function st V c m, = { p p m} M c N = Σ, σ 0,, V c, where { c, d } - a concrete model of N usually infinite ATPN 04, Invited talk, Bologna, June 2004 p947

14 Zones X = {x1,, xn} - a set of variables clocks Zone - each convex polyhedron in IR n which can be described by a finite set of inequalities of the form xi c or xi xj c, where {, <, >, } and c IN Zn - the set of all the zones in IR n x 2 x x 2 x detailed zones non-detailed zones ATPN 04, Invited talk, Bologna, June 2004 p1047

15 Timed automata - an example exit x <= approach x := 0 x<=500 1 in x >= 300 out 3 2 x<=500 x y<=500 ATPN 04, Invited talk, Bologna, June 2004 p1147

16 Timed automata - definition A timed automaton A is a tuple A, L, X, l 0, E, I, where: A - a finite set of actions; L - a finite set of locations; X = {x 1,, x n } - a finite set of clocks; l 0 L - an initial location; E L A Zn 2 X L - a transition relation; I : L Zn - a location invariant ATPN 04, Invited talk, Bologna, June 2004 p1247

17 Timed automata - definition A timed automaton A is a tuple A, L, X, l 0, E, I, where: A - a finite set of actions; L - a finite set of locations; X = {x 1,, x n } - a finite set of clocks; l 0 L - an initial location; E L A Zn 2 X L - a transition relation; I : L Zn - a location invariant To reason about properties: V A : L 2 P V - a valuation function for a set of propositional variables P V ATPN 04, Invited talk, Bologna, June 2004 p1247

18 Concrete states of TA A concrete state of A is a pair q = l, v, where l L, and v IR n q 0 = l 0, 0,, 0 - the initial state ATPN 04, Invited talk, Bologna, June 2004 p1347

19 Concrete states of TA A concrete state of A is a pair q = l, v, where l L, and v IR n q 0 = l 0, 0,, 0 - the initial state Concrete states can change because of: a transition between locations q e c q, e E, passage of time q τ c q ATPN 04, Invited talk, Bologna, June 2004 p1347

20 Concrete states of TA A concrete state of A is a pair q = l, v, where l L, and v IR n q 0 = l 0, 0,, 0 - the initial state Concrete states can change because of: a transition between locations q e c q, e E, passage of time q τ c q Discrete transition relation: q e d q iff q τ c e τ c c q, e E ATPN 04, Invited talk, Bologna, June 2004 p1347

21 Concrete models for TA Q - a set of all the concrete states of A P V - a set of propositional variables V c : Q P V - a valuation function which extends V A V c l, = V A l assigns the same propositions to the states with the same locations M c A = Q, q 0,, V c, where { c, d } - a concrete model of N usually infinite ATPN 04, Invited talk, Bologna, June 2004 p1447

22 Abstract models M a = W, w 0,, V - an abstract model for a concrete model M c = S, s 0,, V c each node w W is a set of states of S and s 0 w 0, V w = V c s for each s w, EE w 1 b b w 2 if s 1 w 1 s 2 w 2 st s 1 s 2 b b b b Other conditions depend on the properties to be preserved ATPN 04, Invited talk, Bologna, June 2004 p1547

23 Examples of abstract models Surjective models: b s 2 b w 2 iff s2 w2 s1 w1 s1 EA w1 b 1 b 2 b 1 b 1 b 2 ATPN 04, Invited talk, Bologna, June 2004 p1647

24 Examples of abstract models Surjective models: EA w1 b w 2 iff s2 w2 s1 w1 s1 b s 2 b 1 b 1 b 1 b 2 b 2 Bisimulating b- models: AE w1 b w 2 iff s1 w1 s2 w2 s1 b s 2 b 1 b 1 b 1 b 2 b 2 b 2! "! # ATPN 04, Invited talk, Bologna, June 2004 p1647

25 Examples of abstract models - cont d Simulating s- models: for each w W there is a nonempty w cor w st s 0 w 0 cor, and U w 1 b w 2 iff s 1 w cor 1 s 2 w cor 2 s 1 b s 2 b 1 b 1 b 2 b 1 b 2 ATPN 04, Invited talk, Bologna, June 2004 p1747

26 Temporal logics: CTL* P V = { 1, 2 } - a set of propositional variables Syntax of CTL : the state formulas ϕ s, defined using path formulas ϕ p : ϕ s := ϕ s ϕ s ϕ s ϕ s Aϕ p Eϕ p ϕ p := ϕ s ϕ p ϕ p ϕ p ϕ p Xϕ p ϕ p Uϕ p ϕ p Rϕ p A for all paths and E there exists a path are path quantifiers, X next, U Until, and R Release are state operators ATPN 04, Invited talk, Bologna, June 2004 p1847

27 Temporal operators of CTL s s s s = AXϕ s = AϕUψ s = AϕRψ ϕ ϕ ψ ψ ϕ ψ ATPN 04, Invited talk, Bologna, June 2004 p1947

28 Temporal logics: TCTL P V = { 1, 2, } - a set of propositional variables Syntax of TCTL: the formulas defined by the grammar: ϕ := ϕ ϕ ϕ ϕ ϕ EϕU I ϕ EϕR I ϕ, where P V and I is an interval in IN ATPN 04, Invited talk, Bologna, June 2004 p2047

29 Temporal operators of TCTL s 0 ϕ 1 2 ψ [2, 3] s = EϕU [2,3] ψ 3 time ATPN 04, Invited talk, Bologna, June 2004 p2147

30 Temporal operators of TCTL s 0 ϕ 1 2 ψ [2, 3] s = EϕU [2,3] ψ 3 time s 0 ψ 1 2 ψ ϕ [2, 3] s = EϕR [2,3] ψ 3 time s 0 ψ 1 2 [2, 3] s = EϕR [2,3] ψ 3 time ATPN 04, Invited talk, Bologna, June 2004 p2147

31 Direct approaches to building finite models for TPNs A state class of a TPN is a pair C = m, I, where m is a marking, and I is a set of inequalities built over variables corresponding to transitions m, clockt 1 = 0 m, ft 1 = [0, 1 m, clockt 1 = 055 m, clockt 1 = 09 m, clockt 1 = 01 m, ft 1 = 05, 1 m, ft 1 = [1, 1] C = m, {0 t 1 2} C = m, {0 t 1 2} State classes can be defined for both the clock and firing intervals approach ATPN 04, Invited talk, Bologna, June 2004 p2247

32 Abstract models of timed systems TPN TA surjective models LTL, reachability TPN: State Class Graph SCG: Berthomieu, Menasche IFIP WCC 83, Berthomieu, Diaz 1991, Strong SCG: Berthomieu, Vernadat TACAS 03, Geometric Region Graph: Yoneda, Ryuba 1998, Gardey, O H Roux, O F Roux FORMATS 03 and others TA: Bouajjani, Tripakis, Yovine RTSS 97 ATPN 04, Invited talk, Bologna, June 2004 p2347

33 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* TPN TA TPN: Atomic SCG - Yoneda, Ryuba 1998, Strong Atomic SCG - Berthomieu, Vernadat TACAS 03 TA: Alur, Courcoubetis, Dill, Halbwachs, Wong-Toi CONCUR 92, Dembiński, Penczek, Półrola ATPN 04, Invited talk, Bologna, June 2004 p2347

34 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* b-models, dense semantics CTL X, TCTL TPN TA TPN: TA: Alur, Courcoubetis, Dill, Halbwachs, Wong-Toi RTSS 92; Yannakakis, Lee CAV 93; Tripakis, Yovine CAV 96 ATPN 04, Invited talk, Bologna, June 2004 p2347

35 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* b-models, dense semantics CTL X, TCTL s-models, discrete semantics ACTL* TPN TA TPN: Pseudo-Atomic SCG - Penczek, Półrola ICATPN 01 TA: Dembiński, Penczek, Półrola 2002 ATPN 04, Invited talk, Bologna, June 2004 p2347

36 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* b-models, dense semantics CTL X, TCTL s-models, discrete semantics ACTL* s-models, dense semantics ACTL X, TACTL TPN TA TPN: TA: Dembiński, Penczek, Półrola 2002 ATPN 04, Invited talk, Bologna, June 2004 p2347

37 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* b-models, dense semantics CTL X, TCTL s-models, discrete semantics ACTL* s-models, dense semantics ACTL X, TACTL pb-models reachability TPN TA TPN: TA: Półrola, Penczek, Szreter 2002 ATPN 04, Invited talk, Bologna, June 2004 p2347

38 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* b-models, dense semantics CTL X, TCTL s-models, discrete semantics ACTL* s-models, dense semantics ACTL X, TACTL pb-models reachability ps-models reachability TPN TA TPN: TA: Półrola, Penczek, Szreter FORMATS 03 ATPN 04, Invited talk, Bologna, June 2004 p2347

39 Abstract models of timed systems surjective models LTL, reachability b-models, discrete semantics CTL* b-models, dense semantics CTL X, TCTL s-models, discrete semantics ACTL* s-models, dense semantics ACTL X, TACTL pb-models reachability ps-models reachability detailed region graph CTL* X, TCTL TPN: Okawa, Yoneda 1997, Virbitskaite, Pokozy 1999 TPN TA TA: Alur, Courcoubetis, Dill LISC 90 ATPN 04, Invited talk, Bologna, June 2004 p2347

40 Verifying TPNs via a translation to TA To adapt TA-specific verification methods to TPNs, we need: clocks locations and invariants guards and resets ATPN 04, Invited talk, Bologna, June 2004 p2447

41 Transitions as clocks approach p1 t1 p3 p5 t4 p7 [1,2] [0,0] t3 [1,2] t2 t5 p2 [0,3] p4 p6 [1,2] p8 clock_t5<2 {p6,p7} t5 1<clock_t5<2 {p7,p8} clock_t1<2 clock_t2<3 t1 {p1,p2} 1<clock_t1<2 clock_t2<3 {p2,p3} 0<clock_t2<3 t2 clock_t3:=0 t4 0<clock_t4<0 t4 0<clock_t4<0 0<clock_t2<3 t2 clock_t1<2 {p1,p4} t1 1<clock_t1<2 clock_t3:=0 {p3,p4} clock_t3<2 t3 1<clock_t3<2 clock_t4:=0 clock_t5:=0 {p5,p6} t5 1<clock_t5<2 clock_t4<0 {p5,p8} clock_t4<0 clock_t5<2 ATPN 04, Invited talk, Bologna, June 2004 p2547

42 Places as clocks approach p1 t1 p3 p5 t4 p7 [1,2] [0,0] t3 [1,2] t2 t5 p2 [0,3] p4 p6 [1,2] p8 t5 clock_p6<2 1<clock_p5<2 {p6,p7} clock_p8:=0 {p7,p8} clock_p2<3 clock_p3<2 t2 0<clock_p2<3 {p2,p3} {p3,p4} t4 1<clock_p1<2 clock_p4:=0 t3 1<clock_p4<2 0<clock_p6<0 clock_p1<2 clock_p3:=0 clock_p3>2 clock_p7:=0 t1 t3 clock_p5:=0 t4 clock_p5:=0 clock_p6:=0 clock_p2<3 0<clock_p6<0 {p1,p2} clock_p6:=0 0<clock_p2<3 1<clock_p3<2 clock_p7:=0 1<clock_p1<2 clock_p4:=0 t2 clock_p3:=0 t2 clock_p5:=0 {p5,p6} t5 1<clock_p5<2 t1 clock_p6:=0 0<clock_p2<3 1<clock_p3<2 clock_p8:=0 clock_p4:=0 1<clock_p1<2 t3 clock_p5<0 clock_p3:=0 {p1,p4} {p3,p4} clock_p5:=0 {p5,p8} t3 clock_p6:=0 clock_p1<2 clock_p6<2 t1 1<clock_p4<2 clock_p3>2 clock_p3>2 clock_p5<0 clock_p4<2 ATPN 04, Invited talk, Bologna, June 2004 p2647

43 Other translations TPN TA Sifakis, Yovine STACS 96 translating time stream Petri nets TSPNs to TA with disjunctions of clock constraints TPNs are a subclass of TSPNs Cortés, Eles, Peng RTCSA 02 translating extended TPNs called PRES+ models to a network of extended TA, exploiting clusters sets of sequentially enabling transitions Lime, Roux PNPM 03 translation based on building SCG for the net state class automaton Gu, Shin DIPES 02, Cassez, Roux MSR 03 translations to TA with shared variables and urgency modelling ATPN 04, Invited talk, Bologna, June 2004 p2747

44 Partitioning algorithms Π 2 S - a partition of the state space S into classes for TA, classes are represented by location, zone, additional components depend on the kind of the model to be built The partitioning minimization algorithms generate models whose states are classes of a partition: start from an initial partition Π 0 of the state space, successively refine the partition until all the classes of Π satisfy an appropriate condition AE, EA, U, ATPN 04, Invited talk, Bologna, June 2004 p2847

45 Partitioning algorithm: how it works an example for b-models a a b c ATPN 04, Invited talk, Bologna, June 2004 p2947

46 Partitioning algorithm: how it works an example for b-models b a a c OK? a a b c ATPN 04, Invited talk, Bologna, June 2004 p2947

47 Partitioning algorithm: how it works an example for b-models OK? b a a c OK a a b c ATPN 04, Invited talk, Bologna, June 2004 p2947

48 Partitioning algorithm: how it works an example for b-models OK b a a c OK a a OK? b c ATPN 04, Invited talk, Bologna, June 2004 p2947

49 Partitioning algorithm: how it works an example for b-models OK OK? b a a c OK a a WRONG b c ATPN 04, Invited talk, Bologna, June 2004 p2947

50 Partitioning algorithm: how it works an example for b-models OK WRONG b a a c a a OK b c ATPN 04, Invited talk, Bologna, June 2004 p2947

51 Partitioning algorithm: how it works an example for b-models OK b a a c OK? a a OK b c ATPN 04, Invited talk, Bologna, June 2004 p2947

52 Partitioning algorithm: how it works an example for b-models OK? OK b a a c WRONG a a OK b c ATPN 04, Invited talk, Bologna, June 2004 p2947

53 Partitioning algorithm: how it works an example for b-models WRONG a OK b a c OK a a OK b c ATPN 04, Invited talk, Bologna, June 2004 p2947

54 and how partitioning works for s-models X X X X e e e e Y Y Y Y pseudo-e-stable pseudo-e-unstable semi-e-unstable e-unstable X X 1 X X 1 e e X 2 e X 2 e Y Y Y 1 Y 2 Y Y 2 1 modify X cor split X split Ŷ and modify Xcor split X and Ŷ ATPN 04, Invited talk, Bologna, June 2004 p3047

55 Symbolic data structures Difference Bound Matrices DBM [Dill 89] - for representing state classes of TPNs or regions of TA Clock Difference Diagrams CDD [Behrmann et al 99] Clock Restriction Diagrams CRD [Wang 00], Difference Decision Diagrams DDD [Møller et al 99] - for representing sets of regions Propositional Logic PL - for representing sets of detailed regions ATPN 04, Invited talk, Bologna, June 2004 p3147

56 Detailed zones and regions cmax - the largest constant used in A Detailed zones - the equivalence classes of the zone equivalence relation in the set of the clock valuations The set of all the detailed zones is denoted by DZn x 2 x DZ2 cmax = 1 ATPN 04, Invited talk, Bologna, June 2004 p3247

57 Detailed zones and regions cmax - the largest constant used in A Detailed zones - the equivalence classes of the zone equivalence relation in the set of the clock valuations The set of all the detailed zones is denoted by DZn x 2 x x 2 x DZ2 time steps cmax = 1 ATPN 04, Invited talk, Bologna, June 2004 p3247

58 Detailed zones and regions cmax - the largest constant used in A Detailed zones - the equivalence classes of the zone equivalence relation in the set of the clock valuations The set of all the detailed zones is denoted by DZn x 2 x x 2 x x 2 x 1!!!!!!!!!!!!!!!! " " " " " " " " " " " " " " " " # # # # # # # # # # # # # # # # * * * * * * * * * * * * * * * * ,,,,,,,,,,,, DZ2 time steps action steps cmax = 1 by transition s x 1:=0 s ATPN 04, Invited talk, Bologna, June 2004 p3247

59 Detailed zones and regions cmax - the largest constant used in A Detailed zones - the equivalence classes of the zone equivalence relation in the set of the clock valuations The set of all the detailed zones is denoted by DZn x 2 x x 2 x x 2 x 1!!!!!!!!!!!!!!!! " " " " " " " " " " " " " " " " # # # # # # # # # # # # # # # # * * * * * * * * * * * * * * * * ,,,,,,,,,,,, DZ2 time steps action steps cmax = 1 by transition s x 1:=0 s l, Z - a detailed region, where l L and Z DZn ATPN 04, Invited talk, Bologna, June 2004 p3247

60 BMC: exploiting a part of the model k Selecting submodels of the k-model ATPN 04, Invited talk, Bologna, June 2004 p3347

61 Discretization scheme [Asarin, Bozga, Kerbrat, Maler, Pnueli, Rasse, Data-Structures for the Verification of Timed Automata ] x x x 1 Discretizing [0, 1 2 : the circle points are the elements of the discretization x 1 ATPN 04, Invited talk, Bologna, June 2004 p3447

62 Discretization scheme [Asarin, Bozga, Kerbrat, Maler, Pnueli, Rasse, Data-Structures for the Verification of Timed Automata ] x x x 1 Discretizing [0, 1 2 : the circle points are the elements of the discretization x 1 ATPN 04, Invited talk, Bologna, June 2004 p3447

63 Discretization scheme [Asarin, Bozga, Kerbrat, Maler, Pnueli, Rasse, Data-Structures for the Verification of Timed Automata ] x x x 1 Discretizing [0, 1 2 : the circle points are the elements of the discretization x 1 ATPN 04, Invited talk, Bologna, June 2004 p3447

64 Discretization A - a timed automaton with n clocks = 1 m as a discretization step, where m = 2 log 2 2 n D = {l 0 l < 2 c max + 2} - the set of discretized values, and E = {l 0 l < c max + 1} - the set of labels The discrete representatives: U={u D n x X l INux=2l x X l INux=2l+1 } ATPN 04, Invited talk, Bologna, June 2004 p3547

65 "SMART" discretized region graph for TA Discrete abstract model for a timed automaton: DMA = S, l 0, 0,, 0,, V where S = L U is the set of states, and the transition relation has two types of transitions: SMART time transitions the transitive closure of timed steps SMART action transitions action steps combined with adjust steps to remain within U ATPN 04, Invited talk, Bologna, June 2004 p3647

66 Special k-paths A special k-path is a finite sequence π = u 0,, u k of states of DMA such that u 0 = l 0, 0,, 0 is the initial state of DMA, u i u i+1 for each 0 i < k, the transition u 0 u 1 is a time transition, each time transition is followed by an action transition, each action transition is followed by a time transition l 0, 0,, 0 ATPN 04, Invited talk, Bologna, June 2004 p3747

67 Checking reachability Each state l, v 1,, v n is represented by a vector u i = u i,1,, u i,m of propositional variables, where m depends on the number of locations, clocks, and c max udpu - a propositional formula encoding an undesirable property path k u 0,, u k - a propositional formula encoding all the special k-paths α = path k u 0,, u k k i=0 udpu i The property is reachable α is satisfiable ATPN 04, Invited talk, Bologna, June 2004 p3847

68 Checking unreachability - an intuition To prove unreachability of states satisfying udpu: Search for a longest path from an arbitrary state via states satisfying udpu to a state satisfying udpu if such a path π exists, then a path from the initial state to a state satisfying udpu cannot be longer than π, therefore it is sufficient to test reachability only for k = lengthπ ATPN 04, Invited talk, Bologna, June 2004 p3947

69 Free special k-paths A free special k-path is a finite sequence π = u 0,, u k of states of DMA such that u i u i+1 for each 0 i < k, the transition u 0 u 1 is a time transition, each time transition is followed by an action transition, each action transition is followed by a time transition ATPN 04, Invited talk, Bologna, June 2004 p4047

70 Searching for the longest witness Find the length of a longest free special k-path π st: the last transition of π is an action transition the undesirable property is true in the last state and false in all the previous states of π freepath k u 0,, u k - a propositional formula encoding all the free special k-paths Check satisfiability of β: β = freepath k u 0,, u k udpu k k 1 i=0 udpu i ATPN 04, Invited talk, Bologna, June 2004 p4147

71 Checking unreachability β = freepath k u 0,, u k udpu k k 1 i=0 udpu i If β is unsatisfiable for some k 0 {2, 4, 6, }, to prove unreachability of udpu, it is sufficient to verify satisfiability of the formula only for k = k 0 2 α = path k u 0,, u k k i=0 udpu i ATPN 04, Invited talk, Bologna, June 2004 p4247

72 Experimental results Net 5a Net 5b Net 5c states edges states edges states edges obtained by TPN - specific methods Tina SCG Tina SSCG Tina SASCG implem of [YR98] atomic implem of [YR98] geometric obtained by TPN to TA translations Kronos bis dense Kronos forw-ai-ax VerICS bis dense VerICS bis discr VerICS ps- discr Abstract models for nets of [YR98] by some different tools ATPN 04, Invited talk, Bologna, June 2004 p4347

73 Experimental results - cont d nop states edges nop states edges obtained by TPN - specific methods Tina SASCG Tina SCG Tina SSCG implem of [YR98] atomic not supported not supported implem of [YR98] geometric not supported not supported obtained by TPN TA translations Kronos bis dense Kronos forw-ai-ax VerICS bis dense VerICS bis discr VerICS ps- discr Abstract models for Fischer s protocol by some different tools parameters: = 1, δ = 2 or = 2, δ = 1, max 128 MB RAM and max 1800 s ATPN 04, Invited talk, Bologna, June 2004 p4447

74 Experimental results - cont d TPN to TA TA NoP vars clauses sec MB vars clauses sec MB BMC of VerICS for Fischer s protocol modelled by TPN and TA parameters: = 1, δ = 2 k=44 or = 2, δ = 1 k=17 ATPN 04, Invited talk, Bologna, June 2004 p4547

75 And finally some open problems Combine net and automata specific verification methods, Exploit concurrency: reductions within SAT-solvers, Unbounded model checking for verifying unreachability and TCTL, Combine SAT-based and BDD-based methods ATPN 04, Invited talk, Bologna, June 2004 p4647

76 THANK YOU NEXT TALK LTL model checking COFFEE BREAK p7 p1 t1 t2 p3 t3 t4 [0,0] [1,2] p2 [1,2] [1,2] p5 ATPN 04, Invited talk, Bologna, June 2004 p4747

Recent results on Timed Systems

Recent results on Timed Systems Time Petri Nets and Timed Automata Béatrice Bérard LAMSADE Université Paris-Dauphine & CNRS berard@lamsade.dauphine.fr Based on joint work with F. Cassez, S. Haddad, D.