Models for Efficient Timed Verification

Similar documents
Recent results on Timed Systems

Timed Automata VINO 2011

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Efficient timed model checking for discrete-time systems

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Parameterized model-checking problems

State Explosion in Almost-Sure Probabilistic Reachability

Robust Controller Synthesis in Timed Automata

The algorithmic analysis of hybrid system

for System Modeling, Analysis, and Optimization

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

On the Expressiveness and Complexity of ATL

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Parameter Synthesis for Timed Kripke Structures

Verification of Polynomial Interrupt Timed Automata

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Model Checking Durational Probabilistic Systems

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Time and Timed Petri Nets

Serge Haddad Mathieu Sassolas. Verification on Interrupt Timed Automata. Research Report LSV-09-16

From Liveness to Promptness

Time(d) Petri Net. Serge Haddad. Petri Nets 2016, June 20th LSV ENS Cachan, Université Paris-Saclay & CNRS & INRIA

Experiments in the use of tau-simulations for the components-verification of real-time systems

The Verification of Real Time Systems using the TINA Tool

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Linear Temporal Logic and Büchi Automata

Model Checking Real-Time Systems

CS357: CTL Model Checking (two lectures worth) David Dill

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Automata-based Verification - III

Alternating Time Temporal Logics*

Temporal Logic Model Checking

Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata

Finite-State Model Checking

TCTL model-checking of Time Petri Nets

Timed Automata with Observers under Energy Constraints

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Undecidability Results for Timed Automata with Silent Transitions

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University

Basic Research in Computer Science BRICS RS Aceto & Laroussinie: Is your Model Checker on Time? Is your Model Checker on Time?

Model checking the basic modalities of CTL with Description Logic

Model Checking with CTL. Presented by Jason Simas

Automata-based Verification - III

A Brief Introduction to Model Checking

Model Checking Probabilistic Timed Automata with One or Two Clocks

Alternating-Time Temporal Logic

Timed Automata. Semantics, Algorithms and Tools. Zhou Huaiyang

Computing Accumulated Delays in Real-time Systems

Lecture 11: Timed Automata

Formally Correct Monitors for Hybrid Automata. Verimag Research Report n o TR

The efficiency of identifying timed automata and the power of clocks

Representing Temporal System Properties Specified with CCTL formulas using Finite Automaton

Monitoring and Fault-Diagnosis with Digital Clocks

Real-Time Systems. Lecture 10: Timed Automata Dr. Bernd Westphal. Albert-Ludwigs-Universität Freiburg, Germany main

Monodic fragments of first-order temporal logics

Robust Reachability in Timed Automata: A Game-based Approach

Laboratoire Spécification & Vérification. Language Preservation Problems in Parametric Timed Automata. Étienne André and Nicolas Markey

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Chapter 4: Computation tree logic

Modal and Temporal Logics

Reasoning about Time and Reliability

An Introduction to Hybrid Systems Modeling

ESE601: Hybrid Systems. Introduction to verification

Discrete abstractions of hybrid systems for verification

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Timed Automata: Semantics, Algorithms and Tools

Model Checking: An Introduction

From Liveness to Promptness

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Alan Bundy. Automated Reasoning LTL Model Checking

Declarative modelling for timing

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Automata-Theoretic LTL Model-Checking

The State Explosion Problem

Model Checking Restricted Sets of Timed Paths

An Introduction to Timed Automata

Overview. overview / 357

Lecture Notes on Emptiness Checking, LTL Büchi Automata

models, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS

TIMED automata, introduced by Alur and Dill in [3], have

Strategy Logic. 1 Introduction. Krishnendu Chatterjee 1, Thomas A. Henzinger 1,2, and Nir Piterman 2

Verification of Linear Duration Invariants by Model Checking CTL Properties

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Control Synthesis of Discrete Manufacturing Systems using Timed Finite Automata

Alternating nonzero automata

Automata-theoretic Decision of Timed Games

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

Reachability-Time Games on Timed Automata (Extended Abstract)

A Timed CTL Model Checker for Real-Time Maude

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

Logic Model Checking

Some Remarks on Alternating Temporal Epistemic Logic

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES

Model Checking Algorithms

Chapter 6: Computation Tree Logic

Transcription:

Models for Efficient Timed Verification François Laroussinie LSV / ENS de Cachan CNRS UMR 8643 Monterey Workshop - Composition of embedded systems

Model checking System Properties Formalizing step? ϕ

Model checking We want... Expressive models: communication, variables, timing constraints, probabilities... Expressive specification languages: natural, powerful, intuitive...

Model checking We want... Expressive models: communication, variables, timing constraints, probabilities... Expressive specification languages: natural, powerful, intuitive... AND EFFICIENT ALGORITHM! Main limit of model checking = state explosion problem

State explosion problem An example: a protocol...

State explosion problem An example: a protocol... 1 2 3 4 a sender

State explosion problem An example: a protocol... 1 2 3 1 2 a buffer 4 a sender

State explosion problem An example: a protocol... 1 2 3 1 2 a buffer 4 a sender 1 2 a receiver

State explosion problem An example: a protocol... 1 2 3 4 a sender 1 3 1 2 a buffer 1 a server 2 2 a receiver

State explosion problem An example: a protocol... 1 2 3 4 a sender 1 3 1 2 a buffer 1 a server 2 2 a receiver

State explosion problem An example: a protocol... 1 2 1 2 a buffer 3 4 a sender 1 1 a server 3 2 2 a receiver

State explosion problem 3213 1211 1123 1113 3211 3221 3223 4211 4123 4113 4221 4222 1221 1222 1122 1112 1223 1111 1213 1121 3222 1212 4122 4112 4223 4111 4212 3212 4213 4121

State explosion problem This has motivated symbolic methods heuristics: on-the-fly algorithms acceleration partial order... abstraction... Model checkers exist and they work rather nicely!

Verification of compositions of embedded systems Two difficulties: the composition... Usually we need to address verification of quantitative aspects: timing constraints (Real-time systems) probabilities costs data...

Verification of compositions of embedded systems Two difficulties: the composition... Usually we need to address verification of quantitative aspects: timing constraints (Real-time systems) probabilities costs data... Each one may induce a complexity blow-up. This can be measured by the structural complexity of verification problems: for ex. the composition and the state explosion problem.

State explosion problem This state explosion holds for synchronized systems, systems with boolean variables, 1-safe Petri nets etc. These are non-flat systems. In practice, a model S is described as a non-flat system (whose operational semantics is a flat transition system T)

State explosion problem This state explosion holds for synchronized systems, systems with boolean variables, 1-safe Petri nets etc. These are non-flat systems. In practice, a model S is described as a non-flat system (whose operational semantics is a flat transition system T) Complexity of model checking non-flat systems Model checking T = Φ non-flat syst. = Φ Reachability NLOGSPACE-C PSPACE-C CTL model checking P-C PSPACE-C AF µ-calculus P-C EXPTIME-C (Papadimitriou, Vardi, Kupferman, Wolper, Rabinovich,...)

Challenge Define new formalisms to model and verify the embedded systems, with... timing constraints probabilities costs, dynamic variables... extended specification languages

Challenge Define new formalisms to model and verify the embedded systems, with... timing constraints probabilities costs, dynamic variables... extended specification languages request AF grant request AF <200 grant request P >0.9 F <200 grant request Agt 1 P >0.9 F <200 grant

Challenge Define new formalisms to model and verify the embedded systems, with... timing constraints probabilities costs, dynamic variables... extended specification languages request AF grant request AF <200 grant request P >0.9 F <200 grant request Agt 1 P >0.9 F <200 grant without increasing (too much) the complexity!

Efficient timed model-checking obj: find timed models and timed specification languages for which verification can be done efficiently. To model simply timed systems To use to abstract complex timed systems To combine with other quantitative extensions

Outline 1 Timed specification languages 2 Timed models Discrete-time models Timed automata 3 Conclusion

Outline 1 Timed specification languages 2 Timed models Discrete-time models Timed automata 3 Conclusion

Classical verification problems Reachability of a control state S S? : (bi)simulation, etc. L(S) L(S)? : language inclusion (S A T ) + reachability : testing automata S = Φ with Φ a temporal logic formula : model checking

Timed properties Temporal properties: Any problem is followed by an alarm With CTL: ( ) AG problem AF alarm

Timed properties Temporal properties: Any problem is followed by an alarm With CTL: ( ) AG problem AF alarm Timed properties: Any problem is followed by an alarm in at most 10 time units

Timed properties Temporal properties: Any problem is followed by an alarm With CTL: ( ) AG problem AF alarm Timed properties: Any problem is followed by an alarm in at most 10 time units With TCTL: ( ) AG problem AF 10 alarm

Timed CTL We use TCTL whose formulae are built from: atomic propositions in Prop (For ex. Alarm, Problem,...) boolean combinators (,, ), and temporal operators tagged with timing constraints: E U c and A U c with {<,, =,, >} and c N. + all the standard abbreviations: AG c, AF c etc.

Timed CTL We use TCTL whose formulae are built from: atomic propositions in Prop (For ex. Alarm, Problem,...) boolean combinators (,, ), and temporal operators tagged with timing constraints: E U c and A U c with {<,, =,, >} and c N. + all the standard abbreviations: AG c, AF c etc. s = EϕU c ψ ρ = ρ ρ Exec(s) with s ρ s and Time(ρ ) c and s = ψ, and s = ϕ for all s < ρ s < ρ s

Outline 1 Timed specification languages 2 Timed models Discrete-time models Timed automata 3 Conclusion

Questions Studying timing constraints & complexity Two problems: 1 Are there simpler models with discrete time for which model checking can be efficient? 2 Are there classes of Timed Automata which allow efficient model checking?

Timed transition systems = a transition system + a notion of time used to define the semantics of real-time systems Let T be a time domain: N, R + or Q +. Timed transition system T = S, s 0,, l S is an (possibly infinite) set of states, s 0 S S T S l : S 2 Prop : assigns atomic propositions to states

Timed transition systems = a transition system + a notion of time used to define the semantics of real-time systems Let T be a time domain: N, R + or Q +. Timed transition system T = S, s 0,, l S is an (possibly infinite) set of states, s 0 S S T S l : S 2 Prop : assigns atomic propositions to states Every finite run σ in T has a finite duration Time(σ).

Outline 1 Timed specification languages 2 Timed models Discrete-time models Timed automata 3 Conclusion

Simple models for timed verification It is possible to use classical Kripke structures as timed models. There is no inherent concept of time: time elapsing is encoded by events. For example: each transition = one time unit (Emerson et al.) or: a tick proposition labels states where one t.u. elapses. Timed model checking can be efficient (polynomial-time)! Durational Transition Graphs extend these models without loosing efficiency.

Durational Transition Graph [0, ) Init state [7,45] New Card 0 Wait for Pincode. Read code [25,50] [25,50] 0 [0, ) [10;15] [0,366] Code OK Bad code Money+card [50,110] [0,7] Ask amount [5,10] Return card 10

Durational Transition Graph T = N A durational transition graph S is Q, R, l where Q is a (finite) set of states, R Q I Q is a total transition relation with duration l : Q 2 Prop labels every state with a subset of Prop. I = set of intervals [n, m] or [n, ) (with n, m N) q [n,m] q : moving from q to q takes some duration d in [n, m]. Two semantics are possible...

Two semantics for DTGs Consider the run: Init State 15 New Card 0 Wait for Pin C. 20...

Two semantics for DTGs Consider the run: Init State 15 New Card 0 Wait for Pin C. 20... Jump semantics: date: 0 Init State date: 15 New Card no intermediary states!... Simple semantics, no extra states. Not always natural. Difficult to synchronize two DTGs.

Two semantics for DTGs Consider the run: Init State 15 New Card 0 Wait for Pin C. 20... Jump semantics: date: 0 Init State date: 15 New Card no intermediary states!... Simple semantics, no extra states. Not always natural. Difficult to synchronize two DTGs. Continuous semantics: date: 0...14 Init state date: 15 New card date: 15...34 Wait for Pin C...

jump vs continuous semantics [2;4] r DTG S q [0;0] [3;3] s [1;2]

jump vs continuous semantics [2;4] r DTG S q [0;0] [3;3] s [1;2] jump sem. of S: 2 r 3 q 4 0 3 s 1 2

jump vs continuous semantics [2;4] r DTG S q [0;0] [3;3] s [1;2] jump sem. of S: 2 r continuous sem. of S: 1 r, 0 3 1 1 q 4 0 q, 0 1 q, 1 q, 2 q, 3 1 1 0 3 1 s 1 s, 0 1 s, 1 1 2 1 (q, i) : i time units have already been spent in q

Outline 1 Timed specification languages 2 Timed models Discrete-time models Timed automata 3 Conclusion

Timed Automata Example A = an automaton (locations and transitions) + clocks true, b, x := 0 x < 10, b, x := 0 OFF ON x 10 x = 10, i,

Timed automata - definition [Alur & Dill] A = an automaton (locations and transitions) + clocks Clocks progress synchronously with time (Time domain = R + ) Transitions: l g,a,r l T with: g is the guard, a is the label, r is the set of clocks to be reset to 0

Timed automata - definition [Alur & Dill] A = an automaton (locations and transitions) + clocks Clocks progress synchronously with time (Time domain = R + ) Transitions: l g,a,r l T with: g is the guard, a is the label, r is the set of clocks to be reset to 0 Semantics: States: (l, v) where v is a valuation for the clocks

Timed automata - definition [Alur & Dill] A = an automaton (locations and transitions) + clocks Clocks progress synchronously with time (Time domain = R + ) Transitions: l g,a,r l T with: g is the guard, a is the label, r is the set of clocks to be reset to 0 Semantics: States: (l, v) where v is a valuation for the clocks Action transition: { (l, v) 0 g,a,r a (l, v l l ) iff A, v = g, v = v[r 0]

Timed automata - definition [Alur & Dill] A = an automaton (locations and transitions) + clocks Clocks progress synchronously with time (Time domain = R + ) Transitions: l g,a,r l T with: g is the guard, a is the label, r is the set of clocks to be reset to 0 Semantics: States: (l, v) where v is a valuation for the clocks Action transition: { (l, v) 0 g,a,r a (l, v l ) iff l A, v = g, v = v[r 0] Delay transition: t R +, (l, v) t (l, v + t) iff 0 t t, v + t = Inv(l)

Model checking for TA A defines an infinite timed transition system. Decision procedures are based on the region graph technique (Alur, Courcoubetis, Dill) From A and Φ, one defines an equivalence A,Φ s.t.: ( ) v A,Φ v (l, v) = Φ iff (l, v ) = Φ R + X / A,Φ is finite A region = An equivalence class of A,Φ ) X We can reduce A = Φ to (A R + / A,Φ = Φ... and use a standard model checking algorithm.

Model checking for TA A defines an infinite timed transition system. Decision procedures are based on the region graph technique (Alur, Courcoubetis, Dill) From A and Φ, one defines an equivalence A,Φ s.t.: ( ) v A,Φ v (l, v) = Φ iff (l, v ) = Φ R + X / A,Φ is finite A region = An equivalence class of A,Φ ) X We can reduce A = Φ to (A R + / A,Φ = Φ... and use a standard model checking algorithm.! The size of R + X / A,Φ is in O( X! M X )!

The region abstraction y X = {x, y} M x = 3 and M y = 2 2 1 0 1 2 3 x

The region abstraction y X = {x, y} M x = 3 and M y = 2 2 1 0 1 2 3 x compatibility between regions and constraints x k and y k

The region abstraction y X = {x, y} M x = 3 and M y = 2 2 1 0 1 2 3 x compatibility between regions and constraints x k and y k compatibility between regions and time elapsing

The region abstraction y X = {x, y} M x = 3 and M y = 2 2 1 0 1 2 3 x compatibility between regions and constraints x k and y k compatibility between regions and time elapsing

The region abstraction y X = {x, y} M x = 3 and M y = 2 2 1 0 1 2 3 x compatibility between regions and constraints x k and y k compatibility between regions and time elapsing

The region abstraction y X = {x,y} M x = 3 and M y = 2 2 1 region defined by I x =]1;2[, I y =]0;1[ {x} < {y} 0 1 2 3 x compatibility between regions and constraints x k and y k compatibility between regions and time elapsing

The region abstraction y X = {x,y} M x = 3 and M y = 2 2 1 0 1 2 3 x region defined by I x =]1;2[, I y =]0;1[ {x} < {y} successor by delay transition: I x =]1;2[, I y = [2;2] compatibility between regions and constraints x k and y k compatibility between regions and time elapsing

An example [AD 90 s] y 1 0 1 x

Complexity of timed verification Reachability in TA is PSPACE-C (Alur & Dill) Reachability in TA with three clocks is PSPACE-C (Courcoubetis & Yannakakis) Reachability in TA with constants in {0, 1} is PSPACE-C (Courcoubetis & Yannakakis) Model checking Timed CTL over TA is PSPACE-C (Alur, Courcoubetis & Dill) Model checking AF Timed µ-calculus over TA is EXPTIME-C (Aceto & Laroussinie) ( But tools (Kronos, UppAal) exist and have been applied ) successfully for verifying industrial case studies.

One/two clock timed automata [LMS2004] 1 Model checking TCTL on 1C-TA is PSPACE-complete. 2 Reachability in 1C-TA is NLOGSPACE-complete. 3 Model checking TCTL, on 1C-TA is P-complete. 1 Reachability in 2C-TA is NP-hard. 2 Model checking CTL on 2C-TA is PSPACE-complete.

Outline 1 Timed specification languages 2 Timed models Discrete-time models Timed automata 3 Conclusion

Conclusion discrete time dense time DTG 0/1 DTG [LMS06] 1C-TA 2C-TA TA [ACD93] [LST03] jump cont. [LMS04] [LMS04] [CY92] Reachability NLOGSPACE-C NP-hard PSPACE-C TCTL, P-complete PSPACE-C TCTL P-compl. p 2 PSPACE-complete TCTL c PSPACE-complete

Conclusion No efficient algorithm for TCTL+clocks. As soon as there are two clocks, a complexity blow-up occurs for any verification problem. For TCTL, model-checking may be efficient only for the simple DTGs with durations in {0, 1}. For TCTL,, it is possible to have efficient model-checking algorithm for any kind of DTG and 1C-TA. The previous result can be extended to probabilistic timed systems (Probabilistic DTG and 1-clock Probabilistic TA).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback