1 / 49

Symbolic Reachability and Beyound or how UPPAAL really works Kim Guldstrand Larsen BRICS@Aalborg

Symbolic Reachability and Beyound or how UPPAAL really works Kim Guldstrand Larsen BRICS@Aalborg. Timed Automata. Alur & Dill 1990. Clocks : x, y. Guard Boolean combination of integer bounds on clocks and clock-differences. n. Reset Action perfomed on clocks. Action used

bo-mejia
Download Presentation

Symbolic Reachability and Beyound or how UPPAAL really works Kim Guldstrand Larsen BRICS@Aalborg

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Symbolic Reachabilityand Beyoundor how UPPAAL really worksKim Guldstrand LarsenBRICS@Aalborg

  2. Timed Automata Alur & Dill 1990 Clocks:x, y Guard Boolean combination of integer bounds on clocks and clock-differences. n Reset Action perfomed on clocks Action used for synchronization x<=5 & y>3 State (location , x=v , y=u ) where v,u are in R a Transitions x := 0 a (n , x=2.4 , y=3.1415 ) (m , x=0 , y=3.1415 ) m e(1.1) (n , x=2.4 , y=3.1415 ) (n , x=3.5 , y=4.2415 )

  3. Timed Automata Invariants n Clocks:x, y x<=5 Transitions x<=5 & y>3 e(3.2) Location Invariants (n , x=2.4 , y=3.1415 ) a e(1.1) (n , x=2.4 , y=3.1415 ) (n , x=3.5 , y=4.2415 ) x := 0 m Invariants ensure progress!! y<=10 g4 g1 g3 g2

  4. Fischer’s Protocolanalysis using zones 2 • ´ V Criticial Section X<10 X:=0 X>10 Init V=1 V:=1 V=1 A1 CS1 B1 Y<10 Y:=0 Y>10 V:=2 V=2 CS2 B2 A2

  5. THE UPPAAL ENGINESymbolic Reachability Checking

  6. y y x x ZonesFrom infinite to finite Symbolic state (set) (n, ) State (n, x=3.2, y=2.5) Zone: conjunction of x-y<=n, x<=>n

  7. 1<=x<=4 1<=y<=3 1<=x, 1<=y -2<=x-y<=3 y y x x y y 3<x, 1<=y -2<=x-y<=3 x x 3<x, y=0 Symbolic Transitions delays to n x>3 conjuncts to a y:=0 projects to m Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)

  8. Fischer’s Protocolanalysis using zones 2 • ´ V Criticial Section X<10 X:=0 X>10 Init V=1 V:=1 V=1 A1 CS1 B1 Y<10 Y:=0 Y>10 V:=2 V=2 CS2 B2 A2

  9. Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

  10. Y X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account

  11. Y X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10

  12. Y X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10

  13. Y 10 Y X X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10 10

  14. Y 10 Y X X Fischers cont. X<10 X:=0 X>10 V:=1 V=1 A1 CS1 B1 Y>10 Y<10 Y:=0 V:=2 V=2 A2 CS2 B2 Untimed case A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1 Taking time into account Y 10 10 X 10 10

  15. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Final Waiting Init Passed

  16. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Final Waiting n,Z n,Z’ Init Passed

  17. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  18. Forward Rechability Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  19. Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989 Inclusion x 1 2 x<=1 y-x<=2 z-y<=2 z<=9 D1 Graph y 0 9 2 z ? ? D2 x<=2 y-x<=3 y<=3 z-y<=3 z<=7 x 2 3 3 Graph y 0 7 3 z

  20. Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989 Inclusion x x 1 2 x<=1 y-x<=2 z-y<=2 z<=9 1 2 Shortest Path Closure D1 3 Graph y 0 y 0 9 5 2 z 2 z ? ? D2 x x<=2 y-x<=3 y<=3 z-y<=3 z<=7 x 2 3 Shortest Path Closure 2 3 3 3 Graph y 0 y 0 6 3 7 3 z z Canonical Form

  21. Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989 Emptyness x 1 D x<=1 y>=5 y-x<=3 3 Graph 0 y -5 Negative Cycle iff empty solution set

  22. Canonical Dastructures for ZonesDifference Bounded Matrices Future y y Future D D x x 1<= x <=4 1<= y <=3 1<=x, 1<=y -2<=x-y<=3 x 4 4 x x Remove upper bounds on clocks -1 Shortest Path Closure -1 -1 3 3 0 0 0 3 3 2 2 -1 y -1 y -1 y

  23. Canonical Dastructures for ZonesDifference Bounded Matrices Reset y y {y}D D x x 1<=x, 1<=y -2<=x-y<=3 y=0, 1<=x x x Remove all bounds involving y and set y to 0 -1 -1 3 0 0 0 2 -1 y 0 y

  24. Improved DatastructuresCompact Datastructure for Zones RTSS’97 -4 -4 x1-x2<=4 x2-x1<=10 x3-x1<=2 x2-x3<=2 x0-x1<=3 x3-x0<=5 Shortest Path Closure O(n^3) x1 x2 x1 x2 4 10 3 3 2 3 2 -2 -2 2 2 x0 x3 x0 x3 1 5 5 -4 Shortest Path Reduction O(n^3) x1 x2 Canonical wrt = Space worst O(n^2) practice O(n) 3 3 2 2 x0 x3

  25. Shortest Path Reduction1st attempt Idea An edge is REDUNDANT if there exists an alternative path of no greater weight THUS Remove all redundant edges! <=w w Problem v and w are both redundant Removal of one depends on presence of other. v w Observation: If no zero- or negative cycles then SAFE to remove all redundancies.

  26. Shortest Path ReductionSolution G: weighted graph

  27. Shortest Path ReductionSolution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges

  28. Shortest Path ReductionSolution G: weighted graph 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives. Safe to remove redundant edges 3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes

  29. Earlier Termination Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  30. Earlier Termination Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

  31. Earlier Termination Init -> Final ? INITIALPassed:= Ø; Waiting:= {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in PassedthenSTOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTILWaiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z1 n,Z2 n,Zk Init Passed

  32. Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices CAV99 CDD-representations • Nodes labeled with differences • Maximal sharing of substructures (also across different CDDs) • Maximal intervals • Linear-time algorithms for set-theoretic operations. • NDD’s Maler et. al • DDD’s Møller, Lichtenberg

  33. Beyond Reachability- Bounded Liveness - (Bi) simulations

  34. Logical Formulas Safety Properties: F ::= A[ ] P | E<> P Always P Possibly P clock comparison atomic properties where P ::= Proc.l | x = n | v = n | x<=n | x<n | P and P | not P | P or P | P imply P Process Proc at location l boolean combinations

  35. Train Crossing Communication via channels and shared variable. Stopable Area [10,20] appr, stop [3,5] leave Crossing [7,15] el go River empty nonempty hd, add,rem Queue Gate

  36. Beyound SafetyDecoration TACAS98a B:=tt l l X:=0 n n B:=ff Leadsto: Whenever l is reached then n is reached with t Decoration new clockX booleanB A[] (B implies x<=t)

  37. Beyond SafetyTest automata TACAS98b S S T a! l a? x:=0 l n n b? x==t b! x<=t BAD b urgent! A[] (not T.BAD)

  38. Timed Bisimulation Wang’91

  39. Timed Simulation

  40. Examples

  41. a a a a a a a a 1 1 2 2 b b b b b b b b c c c c c c c c 3 3 4 4 Abstraction & Compositionalitydealing w stateexplosion simulation Concrete Abstract

  42. Abstraction Example a1 a2 a3 a4 a5 a b

  43. Example Continued abstracted by

  44. Proving abstractions using reachability Recognizes all the BAD computations of PoP1 A[] not TestAbstPoP1.BAD

  45. Have a nice trip to USA

More Related