1 / 25

Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems

Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems. Frits Vaandrager , University of Nijmegen joint work with Dilsun Kaynar and Nancy Lynch , MIT Roberto Segala , University of Verona. FV supported by EU IST project AMETIST. Objectives.

liang
Download Presentation

Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems Frits Vaandrager, University of Nijmegen joint work with Dilsun Kaynar and Nancy Lynch, MIT Roberto Segala, University of Verona FV supported by EU IST project AMETIST

  2. Objectives • A mathematical framework for modeling and analyzing real-time systems • Focus on expressiveness rather than on automatic verification • System designers can use this framework for • Decomposition of complex system descriptions into manageable pieces • Description at multiple levels of abstraction • Statement and proof of safety, liveness and performance properties

  3. Contributions • Improved formal model for real-time systems • Interesting special case of hybrid I/O automata • Simplified treatment of receptivity • “The problem with timed automata is that if you compose them you get deadlocks” (George Logothetis, RTSS03)

  4. Evolution of the Framework Previous timed I/O automaton models Merritt, Modugno, Tuttle (91): tasks, upper and lower bounds Lynch, Vaandrager (91): generalizes MMT model Hybrid I/O automata framework Lynch, Segala, Vaandrager (96,03) Timed I/O automata framework Kaynar, Lynch, Segala, Vaandrager

  5. I Describing Timed Behavior • Variable v • Static type, type(v) • Dynamic type, dtype(v): allowed “trajectories” for v • Functions from time intervals to type(v) • Valuation for V: assigns value in type(v) to each v in V • Trajectory • Models evolution of variables over time interval I • I-trajectory for V: maps I to valuations for V; restriction to each v is in dtype(v) • Hybrid sequence • Models a series of discrete and continuous changes • 0 a11a22…, alternating sequence of trajectories and actions

  6. Timed Automaton (TA) • X: internal variables • Q: states, a set of valuations of X • Θ: start states, a non-empty subset of Q • E, H: external, internal actions • D Q (E  U)  Q: discrete transitions • T: a set of trajectories for X such that (t)  Q for all t in domain()

  7. AutomatonChannel(b, M) whereb  R+ VariablesX: discretequeue (M  R)*initially empty analognow  Rinitially 0 StatesQ: val(X) ActionsA: externalsend(m), receive(m)wherem  M TransitionsD: externalsend(m) effectadd (m, now+b) to queue externalreceive(m, local u) precondition (m,u) is the first element of queue urgencyu = now effect remove first element of queue TrajectoriesT: satisfies constant(queue) d(now)=1

  8. AutomatonSynch(u,)iwhereu  R+, 0   < 1, i I VariablesX: discretenextsend, maxother  R initially 0 analog physclock  R initially 0 Derived Variables: logclock = max(maxother, physclock) StatesQ: val(X) ActionsA: externalsend(m)i,receive(m)j,iwherem  R, j I, j  i TransitionsD: externalsend(m)i preconditionm=physclock  physclock=nextsend urgencytrue effectnextsend := nextsend + u externalreceive(m)j,i effect maxother := max(maxother,m) TrajectoriesT: satisfies constant(nextsend), constant(maxother) 1- d(physclock)  1+ 

  9. Executions and Traces • Execution fragment: • Hybrid sequence 0a11a22…, where: • Each iis a trajectoryof the automaton and • Each (i.lstate, ai+1 ,i+1.fstate) is a discrete transition • Execution: • Execution fragment beginning in a start state • Trace: • Restrict to external actions and trajectories over empty set of variables

  10. Implementation Relationships • AimplementsBif they have the same external interface and traces(A) traces(B) • Simulation relations provide sufficient conditions for showing that one automaton implements another • Several types of simulation relations (forward, backward, history, prophecy) have been defined for timed automata

  11. Forward Simulation from A to B • Relation R from QA to QB satisfying: • Every start state of A related to some start state of B • If xR y and is a step of A starting with x, then there is an execution fragmentstarting with y such that trace() = trace(), and .lstate R .lstate y .lstate R R x.lstate • If xR y and is a closed trajectory of A starting withx, then there is …

  12. Simulation Theorems • Theorem: If there is a simulation relation from A to B then A implements B.

  13. Example: Simulation AutomatonSendVal(u,)iwhereu  R+, 0   < 1, i I VariablesX: discretecounter  N initially 0 analog now R initially 0 StatesQ: val(X) ActionsA: externalsend(m)i, receive(m)j,iwherem  M, j I, j  i TransitionsD: externalsend(m)i preconditionm= counter  u  counter  u / (1+ )  now urgency now = counter  u / (1-) effectcounter := counter + 1 externalreceive(m)j,i TrajectoriesT: satisfies constant(counter) d(now)=1

  14. Forward Simulation Relation R • Suppose that: • x isa state of Synch(u,)i , • y is a state of SendVal(u,)i • Then x R y provided that the following conditions hold: • y(now) (1 - )  x(physclock)  y(now)(1+ ) • y(counter) = x(nextsend)/u

  15. Composition • Assume A1 and A2 are compatible(internal actions are private). Then, A = A1 || A2is the following automaton: • X = X1 X2 • States Q: Projections in Q1, Q2 • E = (E1 E2 ) ; H=(H1 H2 ) • Start states, discrete steps, trajectories: Projections • Projection/pasting theorem: • If A = A1 || A2 then traces(A) is the set of hybrid sequences (of the right type) whose restrictions to A1 and A2are traces of A1 and A2, resp. • Substitutivity theorem: • If A1 implements A2 and both are compatible with B, then A1 || B implements A2 || B.

  16. Example: Clock Synchronization Network receive(m) C2,1 send(m) S1 S2 send(m) receive(m) C1,2 send(m) send(m) C1,3 receive(m) C2,3 receive(m) receive(m) C3,1 receive(m) C3,2 S3 send(m)

  17. Invariants for Clock Synchronization Network • The difference between any physical clock and the real time at time t is at most t • The difference between any two physical clock values is at most 2t • (Validity): The logical clock values of all the processes are always between the minimum and the maximum physical clock values in the system • All the logical clocks differ from real time at time t by at most t • (Agreement): The difference between two logical clocks is always bounded by u + b(1+)

  18. Timed I/O Automata (TIOA) • A TIOA is a TA where the set of external actions is partitioned into inputs and outputs • Inputs: model actions of the environment • Outputs: model external actions under the system’s control • Two additional axioms are required to hold: • (Input enabling): A TIOA is able to accommodate an input action whenever it arrives • (Time-passage enabling): A TIOA either allows time to advance forever, or it allows time to advance for a while, up to a point where it is prepared to react with some locally controlled action

  19. Example: From TA to TIOA • Channel(b, M) can be turned into a TIOA: • Classify send actions as inputs • Classify receive actions as outputs • Synch(u, )i , can be turned into a TIOA: • Classify send actions as outputs • Classify receive actions as inputs

  20. I/O Feasibility • An automaton is I/O feasible if it is capable of providing some response from any state, for any sequence of input actions and any amount of intervening time-passage. • A basic requirement for a reasonable TIOA • I/O feasibility is not preserved by composition of TIOAs • Search for a condition that implies I/O feasibility and is preserved by composition

  21. Progressive TIOAs • A TIOA is progressive if it never generates infinitely many locally controlled actions in finite time • Theorem: Every progressive TIOA is I/O feasible • Theorem:Composition of progressive TIOAs is progressive

  22. Receptive TIOAs • But progressiveness is not enough: • TIOAs involving only upper bounds on timing are not progressive • A strategyfor a TIOA A is a TIOA that is the same as A except that it restricts the sets of discrete steps and trajectories • TIOA is receptiveif it has a progressive strategy • Theorem: Every receptive TIOA is I/O feasible • Theorem: If A1and A2 are compatible receptive TIOAs with progressive strategies B1 and B2, then A1 || A2 is receptive with progressive strategy B1 || B2

  23. Example: Receptiveness • Channel(b, M) is not progressive: • Allows an infinite execution in which send and receive actions alternate without any time passage in between • Channel(b, M) is receptive: • Has a progressive strategy: add condition u=now to precondition of receive so that messages are delivered exactly at their delivery deadline • Synch(u,)iis receptive • The clock synchronization network is receptive

  24. Related Work • Alur-Dill timed automata • Uppaal/Kronos/IF/... • Linear hybrid automata • Hytech • Work of Sifakis et al on TAs with deadlines • Previous I/O automaton based models

  25. Conclusions and Future Work • The TIOA framework is a new modeling framework for timed systems • Special case of new HIOA model • General enough to collect and summarize previous timed I/O automata work • Establishes formal relationships with other models • Tool development project in progress • Extension of the IOA language • Automatic translation to UPPAAL • More details in monograph The Theory of Timed I/O Automata. Available at: http://theory.lcs.mit.edu/tds/reflist.html

More Related