A Timed CTL Model Checker for Real-Time Maude


Daniela Lepri (1), Erika Ábrahám (2), and Peter Csaba Ölveczky (1)
(1) University of Oslo, (2) RWTH Aachen

Real-Time Maude
- Extends Maude to real-time systems
- Object-oriented modeling of distributed real-time systems
- Expressiveness and generality: properties in general undecidable!

Real-Time Maude (II)
- Static parts: algebraic equational specification
- Instantaneous change: rewrite rules
    crl [l] : t => t' if cond .
- Time elapse modeled by tick rewrite rules
    crl [tick] : {t} => {t'} in time τ if cond .
- Formal analysis: simulation, time-bounded reachability analysis, explicit-state untimed LTL model checking

Some Real-Time Maude Applications (I)
- Large and complex distributed real-time systems: 50-page active networks multicast protocol, IETF multicast protocol, wireless sensor network algorithms, scheduling algorithms, avionics systems, airplane turning algorithms, cloud data stores (Megastore, ...), ...
- Formalizing complexity-reducing patterns: (Multirate) PALS
- Safe operation of medical devices

Some Real-Time Maude Applications (II)
- Semantic framework and formal analysis tool for modeling languages: AADL avionics modeling standard, Synchronous AADL, Ptolemy II DE models, DoCoMo Labs handset programming language, Real-Time MOMENT-2 Eclipse model transformation framework, e-Motions visual model transformations, Timed Rebeca actor language, Timed Creol, Orc, ...
- Intuitive domain-specific modeling + automated formal analysis

Ptolemy II Example: Fault-Tolerant Traffic Light System
[Figure: HierarchicalTrafficLight model with a Decision component and two TrafficLight components, Normal and Error]

Integration into Ptolemy II

RTM Verification of Synchronous AADL in OSATE

Dealing with Dense Time
    var T : Time .
    crl [tick] : {t} => {timeEffect(t, T)} in time T if T <= mte(t) .
- Can visit all dense time values: not executable
- Real-Time Maude approach: time sampling strategies
  - advance time by a fixed value
  - advance time maximally
- Model checking in general not sound/complete! Analysis is sound and complete for many systems

Timed Temporal Logic
So far: untimed LTL model checking
- the airbag must eventually deploy after crash detected
- the ventilator machine must eventually be turned on after having been turned off
- BO eventually closes G
Timed temporal logics:
- the airbag must deploy within 10ms after crash
- the ventilator machine cannot be continuously stopped for more than 3 seconds
- BO closes G within one year after inauguration

Timed CTL
TCTL: temporal operators with time intervals: φ U_[r1,r2] φ
- AG(crash ⇒ AF_{≤10ms} airbagDeployed)
- AG((inauguration(bo) ∧ open(g)) ⇒ AF_{≤one year} closed(g))
- AG(ventOff ⇒ AF_{≤3sec} (AG_{≤10min} ventOn))

Two Main Issues (I): Intended Semantics
Intended semantics?
    crl [tick] : {f(X)} => {f(X + Y)} in time Y if Y <= 3 - X .
Does F[1,2] True hold from {f(0)}?
- Pointwise semantics: only visited states are taken into account; F[1,2] True does not hold from {f(0)}
- Continuous semantics: the tick rule is interpreted as representing a continuous process; F[1,2] True holds from {f(0)}

Two Main Issues (II): Soundness and Completeness
- Soundness/completeness for untimed TL properties do not hold for timed CTL! Maximal time sampling analysis does not satisfy F[1,2] True
- Dense time: γ is the gcd of the non-zero time values in the TCTL formula and the non-zero maximal tick amounts
  - Continuous semantics: advance time by γ/2 in each tick step
  - Pointwise semantics: advance time by any multiple of γ/2
- Soundness and completeness for time-robust systems:
    R, L_P, t ⊨_c φ   iff   R_{gcd(t_0, r, φ)/2}, L_P, t ⊨_p φ
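As an added illustration of the two "Main Issues" slides above (my own Python, not code from the paper or from Real-Time Maude): the tick rule is modelled with mte({f(X)}) = 3 - X (the reading of the slide's condition assumed here), a time-sampling strategy yields one run from {f(0)}, and F[1,2] True is checked on that run under pointwise and continuous semantics, with γ/2 computed as the slide prescribes.

```python
from fractions import Fraction as Fr
from math import gcd
# Constructed model of the slide's example (added code, not Real-Time Maude's):
#   crl [tick] : {f(X)} => {f(X + Y)} in time Y if Y <= 3 - X .
# so mte({f(X)}) = 3 - X and the only non-zero maximal tick amount is 3.
def mte(x):
    return Fr(3) - x

def rational_gcd(*values):
    """gcd of positive rationals: gcd(a/b, c/d) = gcd(a*d, c*b) / (b*d)."""
    g = Fr(values[0])
    for v in values[1:]:
        v = Fr(v)
        g = Fr(gcd(g.numerator * v.denominator, v.numerator * g.denominator),
               g.denominator * v.denominator)
    return g

def sampling_delta(formula_times, tick_amounts):
    """gamma/2, with gamma the gcd of the non-zero time values in the
    formula and the non-zero maximal tick amounts (the slide's recipe)."""
    nonzero = [t for t in list(formula_times) + list(tick_amounts) if t]
    return rational_gcd(*nonzero) / 2

def ticks(delta):
    """Tick steps (from, to) of the run from {f(0)} under the strategy
    'advance time by delta' (capped by mte); None = 'advance maximally'."""
    x, steps = Fr(0), []
    while mte(x) > 0:
        y = mte(x) if delta is None else min(Fr(delta), mte(x))
        steps.append((x, x + y))
        x += y
    return steps

def f_pointwise(delta, r1, r2):
    """F[r1,r2] True on the sampled run, pointwise semantics: some
    *visited* state has time in [r1,r2]."""
    visited = [Fr(0)] + [to for _, to in ticks(delta)]
    return any(r1 <= x <= r2 for x in visited)

def f_continuous(delta, r1, r2):
    """F[r1,r2] True, continuous semantics: some tick step passes through
    [r1,r2] (for the proposition True this is just interval overlap)."""
    return any(a <= r2 and b >= r1 for a, b in ticks(delta))

if __name__ == "__main__":
    d = sampling_delta([1, 2], [3])                                  # 1/2
    print("maximal sampling, pointwise:", f_pointwise(None, 1, 2))   # False
    print("maximal sampling, continuous:", f_continuous(None, 1, 2)) # True
    print("gamma/2 sampling, pointwise:", f_pointwise(d, 1, 2))      # True
```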

Real-Time Maude's TCTL Model Checker
- Explicit-state TCTL model checker
    (mc-tctl t |= φ .)
    (mc-tctl-gcd t |= φ .)
- Implemented in Maude
- Adapts the explicit-state CTL model checking algorithm by Laroussinie, Markey, and Schnoebelen
- No counterexample provided!

Example: Hierarchical Traffic Light System in Ptolemy II
Only the yellow light will show within one time unit of failure:
    Maude> (mc-tctl {init} |= AG ((HierarchicalTrafficLight . Decision (port Error is present))
                                  implies AF[<= than 1] (HierarchicalTrafficLight (Cyel = # 1, Cgrn = # 0, Cred = # 0))) .)

Example (cont.)

Benchmarking: Crossing the Bridge

Crossing the Bridge
Initial state and property:
    eq init(N) = person(5 * N, false) person(10 * N, false) person(20 * N, false) person(25 * N, false) lamp(false) .
    op safe : -> Prop .
    eq {person(T:Time, false) S:System} |= safe = false .
    eq {S:System} |= safe = true [owise] .
Model checking:
    Maude> (mc-tctl {init(1)} |= AG EF[<= than 85] safe .)

Benchmarking
Table: Execution times (in seconds).

    Initial state    TSMV    Real-Time Maude          RED 7.0
                             (pointwise) (continuous)
    init(1)          0.074      0.149       1.266      0.429
    init(10)         0.148      0.168       0.999      0.408
    init(100)        1.443      0.168       1.012      0.404
    init(1000)      57.426      0.327       1.014      0.426
    init+(2)         0.191      0.746       6.864      1.044
    init+(4)         0.280      1.772      17.752      2.153
    init+(8)         0.759      5.227      57.580     16.912
    init+(12)        1.080     11.198     129.957     79.319
    init+(16)        1.515     19.620     233.414    241.098

Concluding Remarks
- Timed CTL model checking for Real-Time Maude and other modeling languages!
- Sound/complete for time-robust models
- Future work: C++ implementation, informative analysis results