for System Modeling, Analysis, and Optimization

Similar documents
Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Timed Automata. Semantics, Algorithms and Tools. Zhou Huaiyang

Models for Efficient Timed Verification

The algorithmic analysis of hybrid system

Timed Automata VINO 2011

Recent results on Timed Systems

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Timed Automata: Semantics, Algorithms and Tools

Undecidability Results for Timed Automata with Silent Transitions

On decision problems for timed automata

State-Space Exploration. Stavros Tripakis University of California, Berkeley

EE 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016

Real-Time Systems. Lecture 15: The Universality Problem for TBA Dr. Bernd Westphal. Albert-Ludwigs-Universität Freiburg, Germany

Robust Reachability in Timed Automata: A Game-based Approach

Reachability Results for Timed Automata with Unbounded Data Structures

arxiv: v1 [cs.fl] 25 Nov 2018

TCTL model-checking of Time Petri Nets

Robust Controller Synthesis in Timed Automata

Clock Matrix Diagrams

Lecture 6: Reachability Analysis of Timed and Hybrid Automata

New Complexity Results for Some Linear Counting Problems Using Minimal Solutions to Linear Diophantine Equations

The State Explosion Problem

Folk Theorems on the Determinization and Minimization of Timed Automata

Monitoring and Fault-Diagnosis with Digital Clocks

Hourglass Automata. Yuki Osada, Tim French, Mark Reynolds, and Harry Smallbone

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Laboratoire Spécification & Vérification. Language Preservation Problems in Parametric Timed Automata. Étienne André and Nicolas Markey

The efficiency of identifying timed automata and the power of clocks

Beyond Lassos: Complete SMT-Based Bounded Model Checking for Timed Automata

An Introduction to Hybrid Systems Modeling

Bridging the Semantic Gap Between Heterogeneous Modeling Formalisms and FMI

A Decidable Class of Planar Linear Hybrid Systems

Dense-Timed Pushdown Automata

Zone-Based Reachability Analysis of Dense-Timed Pushdown Automata

A Simplified Approach for Testing Real-Time Systems Based on Action Refinement

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

An introduction to Uppaal and Timed Automata MVP5 1

Time(d) Petri Net. Serge Haddad. Petri Nets 2016, June 20th LSV ENS Cachan, Université Paris-Saclay & CNRS & INRIA

Bridging the Semantic Gap Between Heterogeneous Modeling Formalisms and FMI

Using non-convex approximations for efficient analysis of timed automata: Extended version

Sanjit A. Seshia EECS, UC Berkeley

Serge Haddad Mathieu Sassolas. Verification on Interrupt Timed Automata. Research Report LSV-09-16

Hybrid systems and computer science a short tutorial

Basic Problems in Multi-View Modeling

Analysis of a Boost Converter Circuit Using Linear Hybrid Automata

A Brief Introduction to Model Checking

TIMED automata, introduced by Alur and Dill in [3], have

Symbolic Real Time Model Checking. Kim G Larsen

models based on maximality semantics present concurrent actions differently from choice [11], because of non atomicity of actions. These models advoca

Abstractions and Decision Procedures for Effective Software Model Checking

When are Timed Automata Determinizable?

Design and Verification of Long Running Transactions in a Timed Framework

An Introduction to Timed Automata

Partial Order Reductions for Timed Systems

models, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS

Diagnosis of Dense-Time Systems using Digital-Clocks

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University

Robustness and Implementability of Timed Automata

Lecture 11: Timed Automata

Real-Time Systems. Lecture 10: Timed Automata Dr. Bernd Westphal. Albert-Ludwigs-Universität Freiburg, Germany main

Liveness in L/U-Parametric Timed Automata

Timed Automata: Semantics, Algorithms and Tools

Timed Automata with Observers under Energy Constraints

Computer-Aided Program Design

On Reachability for Hybrid Automata over Bounded Time

The Verification of Real Time Systems using the TINA Tool

State Explosion in Almost-Sure Probabilistic Reachability

Automata, Logic and Games: Theory and Application

Modeling & Control of Hybrid Systems. Chapter 7 Model Checking and Timed Automata

EE 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2014

Complexity Issues in Automated Addition of Time-Bounded Liveness Properties 1

Alan Bundy. Automated Reasoning LTL Model Checking

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES

On Timed Components and their Abstraction

Introduction to Embedded Systems

Symmetry Reduction and Compositional Verification of Timed Automata

Synchronized Recursive Timed Automata

Classes and conversions

Software Verification with Abstraction-Based Methods

Timed Petri Nets and Timed Automata: On the Discriminating Power of Zeno Sequences

Part I: Definitions and Properties

Verifying Quantitative Properties of Continuous Probabilistic Timed Automata

An Efficient State Space Generation for the Analysis of Real-Time Systems

Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata

Decision Problems for Parametric Timed Automata

Automata-based Verification - III

Scaling BDD-based Timed Verification with Simulation Reduction

Control Synthesis of Discrete Manufacturing Systems using Timed Finite Automata

Automata-theoretic Decision of Timed Games

Controller Synthesis for MTL Specifications

Parametric Verification and Test Coverage for Hybrid Automata Using the Inverse Method

Verification of Polynomial Interrupt Timed Automata

Lower-Bound Constrained Runs in Weighted Timed Automata

COMPILING REAL-TIME SCENARIOS INTO A TIMED AUTOMATON*

Reachability-Time Games on Timed Automata (Extended Abstract)

Verification of Linear Duration Invariants by Model Checking CTL Properties

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Transcription:

Fundamental Algorithms for System Modeling, Analysis, and Optimization Stavros Tripakis UC Berkeley EECS 144/244 Fall 2013 Copyright 2013, E. A. Lee, J. Roydhowdhury, S. A. Seshia, S. Tripakis All rights reserved Timed automata Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 1 / 22

Timed Automata A formal model for dense-time systems [Alur and Dill(1994)] Developed mainly with verification in mind: in the basic TA variant, model-checking is decidable But also an elegant theoretical extension of the standard theory of regular and ω-regular languages. Many different TA variants, some undecidable. We will look at a basic variant. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 2 / 22

Timed Automaton A TA is a tuple C: finite set of clocks (C, Q, q 0, Inv, ) Q: finite set of control states; q 0 Q: initial control state Inv: a function assigning to each q Q an invariant : a finite set of actions, each being a tuple (q, q, g, C ) q, q Q: source and destination control states g: clock guard C : set of clocks to reset to 0, C C Invariants and guards are simple constraints on clocks, e.g., c 1, 0 < c 1 < 2 c 2 = 4, etc. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 3 / 22

Timed Automaton A TA is a tuple C: finite set of clocks (C, Q, q 0, Inv, ) Q: finite set of control states; q 0 Q: initial control state Inv: a function assigning to each q Q an invariant : a finite set of actions, each being a tuple (q, q, g, C ) q, q Q: source and destination control states g: clock guard C : set of clocks to reset to 0, C C Invariants and guards are simple constraints on clocks, e.g., c 1, 0 < c 1 < 2 c 2 = 4, etc. Can also have atomic propositions labeling control states, labels on actions, communication via shared memory or message passing, etc. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 3 / 22

Example: Timed Automaton A simple light controller: touch c 2 touch touch off light bright c := 0 c < 2 touch C = {c} Q = { off, light, bright } q 0 = off touch: action label (can be seen as the input symbol) Inv(q) = true for all q Q Actions: (off, light, true, {c}), (light, off, c 2, {}),... Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 4 / 22

Event-based vs. state-based models High-level: touch c 2 touch touch off light bright c := 0 c < 2 Low-level: touch Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 5 / 22

Timed Automata: Semantics A TA (C, Q, q 0, Inv, ) defines a transition system such that Set of states: S = Q R C + (S, S 0, R) R C + : the set of all functions v : C R + each v is called a valuation: it assigns a value to every clock Set of initial states: S 0 = {(q 0, v 0 )}, where we define v 0 (c) = 0 for all c C (i.e., all clocks are initially set to 0) Set of transitions: R = R t R d Rt : set of transitions modeling passage of time Rd : set of discrete transitions ( jumps between control states) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 6 / 22

Timed Automata: Semantics A TA (C, Q, q 0, Inv, ) defines a transition system such that Set of states: S = Q R C + (S, S 0, R) R C + : the set of all functions v : C R + each v is called a valuation: it assigns a value to every clock Set of initial states: S 0 = {(q 0, v 0 )}, where we define v 0 (c) = 0 for all c C (i.e., all clocks are initially set to 0) we could also define S 0 = {q 0 } R C + what does this say? Set of transitions: R = R t R d Rt : set of transitions modeling passage of time Rd : set of discrete transitions ( jumps between control states) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 6 / 22

Timed Automata: Discrete and Time Transitions where: R t = { ( (q, v), (q, v + t) ) t t : v + t = Inv(q)} R d = { ( (q, v), (q, v ) ) a = (q, q, g, C ) : v = g v = v[c := 0]} v + t is a new valuation u such that u(c) = v(c) + t for all c if g is a constraint, then v = g means v satisfies g v[c := 0] is a new valuation u such that u(c) = 0 if c C and u(c) = v(c) otherwise Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 7 / 22

Timed Automata: Discrete and Time Transitions where: R t = { ( (q, v), (q, v + t) ) t t : v + t = Inv(q)} R d = { ( (q, v), (q, v ) ) a = (q, q, g, C ) : v = g v = v[c := 0]} v + t is a new valuation u such that u(c) = v(c) + t for all c if g is a constraint, then v = g means v satisfies g v[c := 0] is a new valuation u such that u(c) = 0 if c C and u(c) = v(c) otherwise Instead of ( (q, v), (q, v + t) ) R t we write (q, v) (q, v + t). Instead of ( (q, v), (q, v ) ) a R d we write (q, v) (q, v ). t Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 7 / 22

Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Inv(off) = c 10 : automaton cannot spend more than 10 time units at control state off. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 8 / 22

Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Inv(off) = c 10 : automaton cannot spend more than 10 time units at control state off. What if we omit the invariant? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 8 / 22

Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Does it work correctly if cancel arrives exactly when c = 10? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 9 / 22

Example: Alarm Modeled as a Timed Automaton stopped cancel? c 10 off c 10 c = 10 RING! Does it work correctly if cancel arrives exactly when c = 10? Depends on the semantics of composition: if it s non-deterministic (as usually done) then alarm may still ring. Otherwise, must give higher priority to the cancel transition. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 9 / 22

Timed Automata Model-Checking: Reachability Basic question: is a given control state q reachable? i.e., does there exist some reachable state s = (q, v) in the transition system defined by the timed automaton? Many interesting questions about timed automata can be reduced to this question. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 10 / 22

Timed Automata Model-Checking: Reachability Basic question: is a given control state q reachable? i.e., does there exist some reachable state s = (q, v) in the transition system defined by the timed automaton? Many interesting questions about timed automata can be reduced to this question. Is the basic control-state reachability question decidable? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 10 / 22

Timed Automata Reachability Not the same as discrete-state reachability! q 0 q 1 q 2 q 3 q 4 c 1 := 0 c 2 := 0 c 2 > 1 c 1 1 q 4 is reachable if we ignore the timing constraints. But is it really reachable? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 11 / 22

Timed Automata Reachability Not the same as discrete-state reachability! q 0 q 1 q 2 q 3 q 4 c 1 := 0 c 2 := 0 c 2 > 1 c 1 1 q 4 is reachable if we ignore the timing constraints. But is it really reachable? No: at q 3, c 2 > 1 and c 1 c 2, therefore c 1 > 1 also. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 11 / 22

Timed Automata Model-Checking: Reachability A less obvious example: Fischer s mutual exclusion protocol. Suppose we have many processes, each behaving like the TA above. Is mutual-exclusion guaranteed? I.e., at most 1 process is in critical section (control state cs) at any given time. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 12 / 22

Timed Automata Model-Checking: Reachability Brute-force idea: exhaustive state-space exploration of the transition system defined by the timed automaton does not work since state-space is infinite (even uncountable) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 13 / 22

Timed Automata Model-Checking: Reachability Brute-force idea: exhaustive state-space exploration of the transition system defined by the timed automaton does not work since state-space is infinite (even uncountable) Yet problem is decidable! [Alur-Dill 94] Key idea: Region equivalence: partitions the state-space into finite number of equivalence classes (regions) Perform reachability on finite (abstract) state-space Can prove that q is reachable in the abstract space iff it is reachable in the concrete space Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 13 / 22

The Region Equivalence y Fig. 3: Set of regio straints with two clo Key idea: two valuations v 1, v 2 are equivalent iff: 2 2) 1. v 1 satisfies a guard g iff v 2 satisfies g. ( X +1)2. Note tha 2. 1 rect for M-bounded v 1 can lead to some v 1 satisfying a guard g with a discrete transition iff v 2 can do the same. 3. 0v 1 can1 lead2to some v x1 satisfying a guard g with a timeregion automata f (a) transition Partition iffcompatible v 2 can dowith the same. constraints, not with time elapsing (the two Let A be a timed au Region = equivalence class w.r.t. region equivalence = set of Let allm be the max points and can not be equivalent) equivalent valuations. of the constraints o of regions for A. F y Region in gray: subsections, we get 1 < region x < 2defined 1 < by: y < 2 Alur x > y. and Dill [6, 7] 2 Other 8 regions: < 1 < x < 2 fication of timed sy x = y = 0, 1 0 < 1 < y 2 : x = y < 1, {x} {y} x = 0 0 < y < 1, Theorem 1 (Alur & 0 1 2 x etc. equivalently empti (b) Partition compatible with constraints, time elapsing (and resets) Pictures in this and other slides taken from [Bouyer(2005)]. automata. It is (for both diagonal- Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 14 / 22

The Region Equivalence: 0 1Finiteness 2 x (a) Partition compatible with constraints, notclasses: with timebounded elapsing (the by two constant c = Finite number of equivalence maximal constant appearing points and in a can guard notor be invariant. equivalent) y 2 1 region defined by: 8 < 1 < x < 2 1 < y < 2 : {x} < {y} 0 1 2 x Some regions are unbounded, e.g.: x > 2 0 < y < 1 x > 2 y > 2 etc. (b) Partition compatible with constraints, time elapsing (and resets) Fig. 2: Diagonal-free region partitioning for two clocks and maximal constant 2 Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 15 / 22

0 1 2 x 0 1 2 Region x automata for classic (a) Partition compatible with con-(astraints, not with time elapsing (the twostraints, not with time elapsing Let(the Mtwo be the maximal const Partition compatible Let withacon- be a timed automaton w points and can not be equivalent) points and can not be equivalent) A graph of regions: one region space for each control of the location. constraints of A, the s of regions for A. From the re y y subsections, we get the follow region defined by: Alur and Dill region [6, defined 7], which by: is 2 2 8 < 1 < x < 2 fication of timed 8 systems. < 1 < x < 2 1 1 1 < y < 2 1 < y < 2 : : {x} < {y} {x} < {y} Theorem 1 (Alur & Dill 90 s 0 1 2 x 0 1 2 equivalently x emptiness) is d (b) Partition compatible with constraints, time elapsing q 1 (and resets) straints, time elapsing q 2 (and resets) (b) Partition compatible automata. with con- It is a PSPACE (for both diagonal-free as we automata). Nodes: pairs Fig. (q, 2: r) Diagonal-free where region partitioning Fig. 2: Diagonal-free for two region partitioning for two clocks and maximal constant 2 clocks and maximal constant Although 2 this theorem has bee q is a control location of the timed automaton. the proof we choose to sketc where it is written in details. r is a region. It is easy to prove (and left as an It exercise) easy tothe prove fol-(anlowing lemma: lowing lemma: left as an exercise) the fol- Proof. [Sketch] PSPACE mem size of th region automaton Two types of edges: Lemma 1 The partitioning R M the size of the original auto df Lemma (X) is a1 set The ofpartitioning regions for the constraints Cdf M(X). NLOGSPACE complexity of th R M df (X) is a set of regions for the constraints a (q, r) (q, r ): discrete transition lem Cdf M(X). in classical untimed graph (q, r) time Roughly (q, r counting ): time transition all possible Roughly combinations counting all ability possible in timed combinations automata can b above, we can bound the number above, of we regions can bound in the PSPACE-hardness number of regions can be in prov R M (X) by 2 X. X!.(2M + 2) R X M (X) where by 2 X. X!.(2M is termination + 2) X of where a linearly X isboun The Region Graph Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 16 / 22

Decidability Theorem ([Alur and Dill(1994)]) reachable state (q, v) in a timed automaton iff reachable node (q, r) in its region graph. Finite # regions and control states Region graph is finite Reachability is decidable. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 17 / 22

The Problem with Regions STATE EXPLOSION! Worst-case number of regions: O(2 n n! c n ) where n is the number of clocks and c is the maximal constant. This is actually often close to the actual number of regions no practical tool uses regions. Model-checkers for TA (Uppaal, Kronos,...) have improved upon the region-graph idea and use symbolic techniques. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 18 / 22

ints (x 1 3) (x 2 5) (x 1 x 2 4). zone, Fromdepicted Regions below to Zones the right, can be repnted by the DBM below (on the left). 0 1 2 Zone: a convex union of regions, e.g., x 1 3 x 2 5 x 1 x 2 4. x 0 x 1 x 2 3 4 5 5 2 3 4 9 one can have several representations using s. For example, the zone of the previous ple can equivalently be represented by the 0 3 0 9 0 4 5 2 0 Termination needs som lated to properties of t ciated with timed auto then relies on the follo proved as an exercise. Lemma 2 Let A be R be a set of regions and ➂ (for A). Consi p i=1 R i (with R i R following holds: - p i=1 R i is a fini - [Y 0] 1 ( p i= gions (for any set - g ( p i=1 R i) is is a constraint of Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 19 / 22

ints (x 1 3) (x 2 5) (x 1 x {v 2 : 4). X Termination i, j, v(x i ) needs v(x j som ) zone, Fromdepicted Regions below to Zones the right, can be repnted by the DBM below (on the lated to properties of t left). 0 where γ < simply means that γ i Zone: a convex union of regions, e.g., without x 1 3 bound. ciated x 2 5 This with timed auto x 1 xsubset 2 4. of n is will be denoted, then in what relies follows, on theby follo M proved as an exercise. x 0 x 1 x follows, to simplify notations, we will 2 5 all constraints are non-strict, so that c DBMs will be Lemma elements 2of Let A{ }. be 1 2 R be a set of regions 2 Example 3 Consider and ➂ (for the zone A). defined Consi 3 4 9 p straints (x i=1 R 1 3) (xi 2 (with 5) R i (x 1 R This zone, depicted following belowholds: on the right, Key property: can be represented efficiently resented usingby difference the DBM one can have several representations using - bound below p i=1 s. For example, the zone of the previous R (on the lef matrices (DBMs) [Dill(1989)]. i is a fini ple can equivalently be represented by the - [Y 0] 1 ( p x 0 x 1 x 2 i= x 0 gions (for any set x 1 3 x 0 2 5 x 3 0 1 x 2 +4 : x 1 3 5 4 9 0 4 - g ( p2 x i=1 R 2 5 i) is 5 2 0 is a constraint of 3 3 4 5 Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 19 / 22

Symbolic Manipulations of Zones using DBMs DBMs = the BDDs of the timed automata world. Time elapse, guard intersection, clock resets, are all easily implementable in DBMs. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 20 / 22

Symbolic Manipulations of Zones using DBMs DBMs = the BDDs of the timed automata world. Time elapse, guard intersection, clock resets, are all easily implementable in DBMs. Is zone union implementable with DBMs? Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 20 / 22

Symbolic Manipulations of Zones using DBMs DBMs = the BDDs of the timed automata world. Time elapse, guard intersection, clock resets, are all easily implementable in DBMs. Is zone union implementable with DBMs? No! The union of two zones in general is not a zone. often state explosion even with zones... Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 20 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) take discrete transition to q 2 : Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) take discrete transition to q 2 : cannot because c 1 > 1 c 2 1 c 2 c 1 is UNSAT Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Timed Automata Reachability: Simple Example q 0 c 1 := 0 q 1 c 1 > 1 q 2 c 2 1 Is q 2 reachable? (initially, c 1 = c 2 = 0) Symbolic reachability analysis: step symbolic state initially: (q 0, c 1 = 0 c 2 = 0) let time elapse: (q 0, c 1 = c 2 ) take discrete transition to q 1 : (q 1, c 1 = 0 c 2 c 1 ) let time elapse: (q 1, c 2 c 1 ) take discrete transition to q 2 : cannot because c 1 > 1 c 2 1 c 2 c 1 is UNSAT therefore q 2 not reachable Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 21 / 22

Bibliography R. Alur. Timed automata. NATO-ASI 1998 Summer School on Verification of Digital and Hybrid Systems, 1998. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183 235, 1994. P. Bouyer. An introduction to timed automata. At http://www.lsv.ens-cachan.fr/publis/papers/pdf/bouyer-etr05.pdf, 2005. D. Dill. Timing assumptions and verification of finite-state concurrent systems. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems, volume 407 of LNCS, pages 197 212. Springer, 1989. Stavros Tripakis: EECS 144/244 Fall 2013 Timed Automata 22 / 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback