1 / 34

Simulator-Model Checker for Reactive Real-Time Abstract State Machines

Simulator-Model Checker for Reactive Real-Time Abstract State Machines. Anatol Slissenko University Paris 12 Pavel Vasilyev University Paris 12 University of St Petersburg, Russia. Contents. Motivation Example Timed ASM. Two semantics. Non-determinism, properties

carney
Download Presentation

Simulator-Model Checker for Reactive Real-Time Abstract State Machines

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Simulator-Model Checker for Reactive Real-Time Abstract State Machines Anatol Slissenko University Paris 12 Pavel Vasilyev University Paris 12 University of St Petersburg, Russia

  2. Contents • Motivation • Example • Timed ASM. Two semantics. • Non-determinism, properties • Timed ASM syntax and semantics • Simulation • First Order Timed Logic • Verification • Conclusion

  3. Motivation • No simulators for real-time ASM • Two different time semantics • First Order Timed Logic (FOTL) to specify properties; • `On-the-fly’ verification of FOTL-properties (Decidable classes are labor consuming)

  4. Example. Token Passing. T is time (by default, non negative reals) P is a set of N processes Pass :  (P{undef}) (input) Token : PBool function to control (output) A part of environment specification: Pass is defined in isolated points;  the time distance between two consecutive signals lies in an interval [0, 1], where 0 < 0 < 1 are abstract real constants;  two consecutive signals Pass have different values.

  5. Requirements on functioning •(Safety) At any time there are no two processes with a token. • (Liveness1) At any time at least one process has a token. • (Liveness2) The token changes its location within a duration that lies in a given interval (0, 1). [More arithmetically complicated requirement: the average of the last 3 waiting times is in (0, 1).

  6. Initial values (at time instant 0): Pass = undef, Token(p0) = true, forallq inP(q ≠p0Token(q) = false), Last = 0, CT = 0 F=(d0 ≤ (CT − a∙Last) ≤d1 ). forallpin Pin parallel do if Pass≠undef and Token(p) then[Token(Pass) :=F, Token(p) := ¬F, Last := CT] Token Passing Algorithm

  7. 3 2 1 Semantics of instantaneous actions

  8. 3 2 1 Semantics of delayed actions

  9. Problems of simulation/verification: ● Continuous time (computing update instants) ● Verification of quantified formulas with arithmetics ● Resolving non-determinism ● Generation of inputs ●Representation of results

  10. Example: ASM specification type Proc = Integer -> Boolean; var Token: Proc; var Last = 0: Time; var Pass: Integer; // external function var a, d1, d2: Float; // external functions Main() { while ( CT <= 10 ) do [ if ( Token(1) and (Pass != 1) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(1):=False; ] Last := CT; ] if ( Token(2) and (Pass != 2) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(2):=False; ] Last := CT; ] if ( Token(3) and (Pass != 3) ) then [ if ( a*Last+d1 <= CT <= a*Last+d2 ) then [ Token(Pass):=True; Token(3):=False; ] Last := CT; ] ] }

  11. Example: externalfunctions, Pass // Textual definition of the Pass function // It defines the next process in the queue Pass := (0, 0; 1, 4; 2, 1; 3, 2; 4, 3)

  12. Instantaneous updates The Token function changes after the Pass input function.

  13. Example: externalfunctions, coefficient // Textual definition of the coefficient a := (0, 0.8; 2, 1.5; 4, 1.8)

  14. Example: externalfunctions, delay interval // Textual definition of the delay intervals (d1, d2) d1 := (0, 0.3; 1, 0.7; 2, 0.2; 3, 0.4; 4, 0.5) d2 := (0, 1.2; 1, 1.3; 2, 1.5; 3, 1.4; 4, 1.7)

  15. Timed ASM ASM = basic Gurevich abstract state machine; Timed ASM = (Vocabulary, InitialState, Program) Vocabulary consists of Sorts, Functions, Predicates. R, Z, N, Boolean, Undef, Time=R+ sorts are predefined. InitialState defines the initial state of the ASM. Program specifies the updates i.e. the transitions between the states.

  16. Functions • Functions can be divided into internal and external or static and dynamic. • A special function CT is predefined and is nullary function that returns the current time. • Dynamic & external functions (i.e. inputs) are defined separately from the program.

  17. Delays • The updates in ASM are designed as instantaneous; • We add a bounded delay which is defined in a special configuration file; • We consider two semantics: there are no delays, there are finite delays.

  18. Example: the delay between Pass & Token This example shows the delay between the values of the external function Pass and the internal function Token. Here we show a case where one of the values of Pass function is missed due to a big delay.

  19. Non-determinisms • The first (last) element of a tuple; • The minimal (max) element (if order is defined); • A random element; • An element which was not used in the previous non-determinism resolution. Non-determinisms occur if we use the choose statement. It can be resolved in different ways.

  20. Timed ASM Syntax • Sequential block: { P1 P2 … Pn }; • Parallel block: [ P1 P2 … Pn ]; • foreach u in U where b(u) do S; • choose u in U where b(u) do S; • forall x in X holds F(x); • exists y in Y where H(y);

  21. Timed ASM Semantics • Sequential execution: All updates executed in the orders of appearance. Time is incremented by the corresponding delay. • Block of parallel operations: Some conflicts may appear. Inconsistency is checked. The greatest of the delays is chosen. • Looped parallel block: Each cycle is like a block of parallel operations. Time jumps are possible to avoid an infinite loop.

  22. Timed ASM Semantics: no delays x=2 y=0 In this example the machine enters two parallel branches with values x=2, y=0. Each branch contains two sequential updates. After the instantaneous execution of each branch we get two sets of updated values. For the left branch we get x=7, y=7. For the right branch we get x=3, y=3. These sets are inconsistent, so the run is undefined. y := 7; x := 3; INCONSISTENCY x := y; y := x;

  23. Timed ASM Semantics: no delays In this case the run is formally defined, but one shouldn’t write such programs. In each branch a product of x and y is calculated. But it gives different results. However, there is no contradiction. x=2 y=0 y := 2; x := 3; BAD STYLE y := y*x; x := x*y; x=0 y=4

  24. Timed ASM Semantics: nonzero delays x=2 y=0 The result of parallel execution of updates can be different as we can read the updated values in a parallel branch. In this example if we get t1 < t2 the results will be x=18, y=6. If t1 > t2 then we get x=6, y=12. If t1 = t2 then we get x=6, y=6. t 0 0 y:=2; x:=3; t 1 BAD STYLE y:=y*x; t 2 x:=x*y; t 3 x=6 y=6 or x=18 y=6 or x=6 y=12 t

  25. Timed ASM Semantics: nonzero delays x=2 y=0 This example can be interpreted correctly when there are nonzero delays. But it contains two potentially simultaneous updates in different parallel branches which can be contradictory. Therefore, this example is also considered as inconsistent by the simulator. y := 7; x := 3; INCONSISTENCY x := y; y := x; x=7 y=3 or x=7 y=7 or x=3 y=3

  26. Simulation • Start from the Main() method as a top-level entry point; • Calculation of the next time point in which at least one guard is true; • State update, which is represented by one or more statement blocks; • Evaluation of constraints before and after the state update.

  27. This part is implemented. Demonstration will follow the presentation.

  28. Example: properties in FOTL Safety: Safety property in textual syntax: forall tin Time holds forall p, q in Integer holds ( p != q & Token`(t, p) ==> !Token`(t, q) ) Liveness property in textual syntax: forall t in Time holds exists p in Integer where ( Token`(t, p) ) Liveness:

  29. First Order Timed Logic The FOTL is based on the theory of mixed real/integer addition with rational constants and unary multiplications by rational numbers. This theory is known to be decidable. FOTL itself is clearly undecidable. Among discrete (non negative integers) and continuous (non negative reals) time we choose the case of continuous time.

  30. FOTL Syntax The vocabulary of FOTL consists of finite sets of sorts, function symbols and predicate symbols. Some of them have a fixed interpretation (pre-interpreted): - Sorts: integers (Z), reals (R), the time sort T, etc. - Functions: +, -, * for real numbers. - Predicates: =, ≤, < over real numbers. The vocabulary of FOTL contains equality for all types of objects and a CT° function to work the time. Abstract functions: T×X Y Abstract predicates: T×XBool

  31. Verification

  32. Implemented features • Lexical and syntactical analysis with building a parse tree; • Loading definitions of external functions and the simulation parameters from a file; • Simulation of most constructs and operations of Timed ASM Language; • Simulation results output with the history of all state changes.

  33. Future Work • Finish the verification feature (abstract functions elimination, quantifier elimination, simplification); • Add non-deterministic bounded delays; • Languages for generation of inputs and resolution of non-determinisms; • Enrich ASM syntax (e.g. multi-agent ASM).

  34. Thank you

More Related