
Efficient Verification of Timed Automata Kim Guldstrand Larsen BRICS@Aalborg


Presentation Transcript


  1. Efficient Verification of Timed Automata. Kim Guldstrand Larsen, BRICS@Aalborg

  2. The UPPAAL Model = Networks of Timed Automata + Integer Variables + ... Two-way synchronization on complementary actions (a! and a?). Closed systems! Example (diagram): automaton 1 with locations l1, l2 and an edge l1 -> l2 with guard x>=2, i==3, action a! and assignments x := 0, i := i+4; automaton 2 with locations m1, m2, the constraint y<=4, and an edge m1 -> m2 with action a?. Example transitions: (l1, m1, ..., x=2, y=3.5, i=3, ...) --a--> (l2, m2, ..., x=0, y=3.5, i=7, ...); (l1, m1, ..., x=2, y=3.5, i=3, ...) --0.2--> (l1, m1, ..., x=2.2, y=3.7, i=3, ...) (a delay of 0.2). If a is an URGENT CHANNEL, the delay is not allowed while the a-transition is enabled (see Urgent Channels below).

  3. Timed Automata in UPPAAL: Timed (Safety) Automata + urgent actions + urgent locations + committed locations + data-variables (with bounded domains) + arrays of data-variables + constants + guards and assignments over data-variables and arrays ... + templates with local clocks, data-variables, and constants.

  4. Declarations in UPPAAL: clock x1, ..., xn; int i1, ..., im; chan a1, ..., ao; const c1 n1, ..., cp np; Examples: clock x, y; int i, J0; int[0,1] k[5]; const delay 5, true 1, false 0; (int[0,1] k[5] declares an array k of five booleans.)

  5. Timed Automata in UPPAAL (diagram): locations n and m with location invariants x<=5 (at n) and y<=10 (at m); an edge n -> m with clock guard x<=5 & y>3 (a clock compared with a natural number), a data guard, action a and clock assignment x := 0; further edges carry the guards g1, g2, g3, g4.

  6. Urgent Channels: urgent chan hurry; Informal semantics: there will be no delay if a transition with an urgent action can be taken. Restrictions: no clock guard is allowed on transitions with urgent actions; invariants and data-variable guards are allowed.

  7. Urgent Locations (click "Urgent" in the State Editor). Informal semantics: no delay in an urgent location. Note: the use of urgent locations reduces the number of clocks in a model, and thus the complexity of the analysis.

  8. Committed Locations (click "Committed" in the State Editor). Informal semantics: no delay in a committed location, and the next transition must involve an automaton in a committed location. Note: the use of committed locations reduces the number of clocks in a model and allows for more space- and time-efficient analysis.

  9. Logical Formulas. Safety properties: F ::= A[] P (always P) | E<> P (possibly P), where the atomic properties and their boolean combinations are P ::= Proc.l | x = n | v = n | x<=n | x<n | P and P | not P | P or P | P imply P. Proc.l means that process Proc is at location l; x = n, x<=n and x<n are clock comparisons, v = n a data-variable comparison.

  10. Train Crossing (diagram): Train: Stoppable Area [10,20], appr, stop [3,5], leave, Crossing [7,15], go, River; Queue: empty, nonempty (hd, add, rem); Gate.

  11. Beyond Safety: Decoration (TACAS98a). Leadsto: whenever l is reached then n is reached within t. Decoration with a new clock X and a boolean B: set B:=tt and X:=0 when entering l, set B:=ff when entering n, and check A[] (B implies X<=t).

  12. THE UPPAAL ENGINE: Reachability & Zones. Property- and system-dependent partitioning.

  13. Zones: from infinite to finite. A state (n, x=3.2, y=2.5) is replaced by a symbolic state (set) (n, Z), where the zone Z is a conjunction of constraints of the forms x-y ~ n and x ~ n with ~ in {<, <=, =, >=, >}.

  14. Symbolic Transitions. From (n, 1<=x<=4, 1<=y<=3): delay gives (n, 1<=x, 1<=y, -2<=x-y<=3); conjuncting the guard x>3 gives (n, 3<x, 1<=y, -2<=x-y<=3); projecting with the reset y:=0 gives (m, 3<x, y=0). Thus (n, 1<=x<=4, 1<=y<=3) =a=> (m, 3<x, y=0).

  15. Fischer's Protocol: analysis using zones (diagram). Two processes compete for the Critical Section via a shared variable V: process 1 has locations A1, B1, CS1 and clock X, with edge labels X:=0, X<10, V:=1, X>10, V=1 (Init); process 2 has locations A2, B2, CS2 and clock Y, with edge labels Y:=0, Y<10, V:=2, Y>10, V=2.

  16. Fischer's Protocol cont. (same diagram). Untimed case, reachable states: A1,A2,v=1; A1,B2,v=2; A1,CS2,v=2; B1,CS2,v=1; CS1,CS2,v=1.

  17.-21. Fischer's Protocol cont. (animation): the same diagram and state list, now taking time into account; the zones reached are drawn step by step in the X/Y plane with the bound 10 marked on both axes.

  22. Forward Reachability: Init -> Final ?
      INITIAL: Passed := Ø; Waiting := {(n0,Z0)}
      REPEAT
        - pick (n,Z) in Waiting
        - if for some (n,Z') in Passed with Z ⊆ Z' then STOP
        - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; add (n,Z) to Passed
      UNTIL Waiting = Ø or Final is in Waiting
      (Diagram: Init, Waiting, Passed, Final.)

  23.-25. Forward Reachability (animation of the same algorithm): the picked state (n,Z) is compared with a stored (n,Z') in Passed; if it is not covered, its successors (m,U) are added to Waiting.

  26. Canonical Datastructures for Zones: Difference Bounded Matrices (Bellman 1958, Dill 1989). Inclusion: D1 = {x<=1, y-x<=2, z-y<=2, z<=9} and D2 = {x<=2, y-x<=3, y<=3, z-y<=3, z<=7}, each drawn as a weighted graph over the nodes 0, x, y, z. Is D1 ⊆ D2?

  27. Canonical Datastructures for Zones, cont. Shortest Path Closure makes the implied bounds explicit: D1 closes to x<=1, y<=3, z<=5 (with y-x<=2, z-y<=2); D2 closes to x<=2, y<=3, z<=6 (with y-x<=3, z-y<=3). Comparing the closed graphs edge by edge decides the inclusion.

  28. Canonical Datastructures for Zones, cont. Emptiness: D = {x<=1, y>=5, y-x<=3} drawn as a graph has the cycle 0 -> x -> y -> 0 with weights 1, 3, -5. Negative cycle iff empty solution set.

  29. Canonical Datastructures for Zones, cont. Future: from D = {1<=x<=4, 1<=y<=3} to {1<=x, 1<=y, -2<=x-y<=3}: remove the upper bounds on the clocks (after Shortest Path Closure of D, so that the difference bounds -2<=x-y<=3 are already explicit).

  30. Canonical Datastructures for Zones, cont. Reset {y}D: from {1<=x, 1<=y, -2<=x-y<=3} to {y=0, 1<=x}: remove all bounds involving y and set y to 0.
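The DBM operations of slides 26-30 and the Passed/Waiting loop of slides 22-25, carried out in code. This is an added Python example, not code from the slides or from UPPAAL; it assumes the usual DBM encoding (index 0 is the constant reference clock, every entry is a pair (bound, strict), all clocks start at 0), uses Floyd-Warshall for the shortest-path closure, and the two-location automaton with a self-loop in `loop_demo` is constructed for this illustration.

```python
# Added example, not code from the slides or from UPPAAL: zones as DBMs
# (shortest-path closure, inclusion, emptiness, delay, reset) driving the
# Passed/Waiting loop of the forward-reachability slides.  Index 0 is the
# reference clock "0"; d[i][j] = (c, strict) means x_i - x_j < c or <= c.
from copy import deepcopy
from itertools import product

INF, ZERO = (float("inf"), True), (0, False)   # no bound / x_i - x_i <= 0

def add(a, b):      # bound of a two-edge path: strict if either edge is strict
    return (a[0] + b[0], a[1] or b[1])

def less(a, b):     # a is tighter than b; (c, <) is tighter than (c, <=)
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

class DBM:
    def __init__(self, clocks):          # every clock starts with x >= 0
        self.clocks = ["0"] + list(clocks)
        self.idx = {c: i for i, c in enumerate(self.clocks)}
        n = len(self.clocks)
        self.d = [[ZERO if i in (0, j) else INF for j in range(n)] for i in range(n)]

    def constrain(self, ci, cj, bound):  # conjunct ci - cj (<|<=) bound
        i, j = self.idx[ci], self.idx[cj]
        if less(bound, self.d[i][j]):
            self.d[i][j] = bound
        return self.close()

    def close(self):                     # Floyd-Warshall, O(n^3): canonical form
        n = len(self.clocks)
        for k, i, j in product(range(n), repeat=3):
            via = add(self.d[i][k], self.d[k][j])
            if less(via, self.d[i][j]):
                self.d[i][j] = via
        return self

    def is_empty(self):                  # negative (or strict zero) cycle
        return any(less(row[i], ZERO) for i, row in enumerate(self.d))

    def includes(self, other):           # self ⊇ other, both in canonical form
        return all(not less(a, b) for ra, rb in zip(self.d, other.d) for a, b in zip(ra, rb))

    def future(self):                    # delay: drop every upper bound x_i <= c
        for i in range(1, len(self.clocks)):
            self.d[i][0] = INF
        return self

    def reset(self, clock):              # clock := 0: copy row/column of clock "0"
        r = self.idx[clock]
        for i in range(len(self.clocks)):
            self.d[r][i], self.d[i][r] = self.d[0][i], self.d[i][0]
        return self

def zone(clocks, *cons):   # cons: (ci, cj, c, strict) meaning ci - cj (<|<=) c
    z = DBM(clocks)
    for ci, cj, c, strict in cons:
        z.constrain(ci, cj, (c, strict))
    return z

def forward_reachability(init, succ, is_final):
    """Passed/Waiting loop with the inclusion check; returns (Final reached?, |Passed|)."""
    passed, waiting = [], [init]
    while waiting:
        loc, z = waiting.pop()
        if is_final(loc):
            return True, len(passed)
        if any(pl == loc and pz.includes(z) for pl, pz in passed):
            continue                     # covered by a stored (loc, Z') with Z ⊆ Z'
        passed.append((loc, z))
        waiting.extend(s for s in succ(loc, z) if not s[1].is_empty())
    return False, len(passed)

def slide14_transition():
    """(n, 1<=x<=4, 1<=y<=3) =a=> (m, 3<x, y=0): delay, guard x>3, reset y."""
    n = zone("xy", ("0", "x", -1, False), ("x", "0", 4, False),
             ("0", "y", -1, False), ("y", "0", 3, False))
    return n.future().constrain("0", "x", (-3, True)).reset("y")

def dbm_checks():
    """Slides 26-28: D1 ⊆ D2?, D2 ⊆ D1?, and is {x<=1, y>=5, y-x<=3} empty?"""
    d1 = zone("xyz", ("x", "0", 1, False), ("y", "x", 2, False),
              ("z", "y", 2, False), ("z", "0", 9, False))
    d2 = zone("xyz", ("x", "0", 2, False), ("y", "x", 3, False), ("y", "0", 3, False),
              ("z", "y", 3, False), ("z", "0", 7, False))
    e = zone("xy", ("x", "0", 1, False), ("0", "y", -5, False), ("y", "x", 3, False))
    return d2.includes(d1), d1.includes(d2), e.is_empty()

def loop_demo():
    """Constructed automaton n --(x>3, y:=0)--> m, m --(x>2, x:=0)--> m, from x=y=0.
    The self-loop has unboundedly many successors; the inclusion check ends the search."""
    def succ(loc, z):
        z = deepcopy(z).future()
        if loc == "n":
            return [("m", z.constrain("0", "x", (-3, True)).reset("y"))]
        return [("m", z.constrain("0", "x", (-2, True)).reset("x"))]
    init = ("n", zone("xy", ("x", "0", 0, False), ("y", "0", 0, False)))
    return forward_reachability(init, succ, lambda loc: loc == "bad")
```

`slide14_transition()` reproduces (m, 3<x, y=0) from slide 14; `dbm_checks()` answers the inclusion question of slides 26-27 (D1 ⊆ D2 holds, the converse does not) and the emptiness test of slide 28; `loop_demo()` shows why the inclusion check against Passed matters: without it the self-loop on m would keep producing new zones (y unbounded, then y>2, ...), with it the search stops after three symbolic states have been stored on Passed.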

  31. Improved Datastructures: Compact Datastructure for Zones (RTSS 1997). Constraints x1-x2<=4, x2-x1<=10, x3-x1<=2, x2-x3<=2, x0-x1<=3, x3-x0<=5, drawn as a weighted graph over x0, x1, x2, x3; Shortest Path Closure, O(n^3), adds the implied edges.

  32. Improved Datastructures, cont. Shortest Path Reduction, O(n^3), removes the edges implied by others and yields a graph that is canonical w.r.t. =; space: worst case O(n^2), in practice O(n).

  33. Shortest Path Reduction, 1st attempt. Idea: an edge is REDUNDANT if there exists an alternative path of no greater weight, thus remove all redundant edges! Problem: two edges v and w can both be redundant while the removal of each depends on the presence of the other (diagram: edge w next to an alternative path of weight <=w). Observation: if there are no zero- or negative cycles then it is SAFE to remove all redundancies.

  34.-36. Shortest Path Reduction: Solution (built up over three slides). G: weighted graph. 1. Equivalence classes based on 0-cycles. 2. Graph based on representatives: safe to remove redundant edges. 3. Shortest Path Reduction = one cycle per class + removal of redundant edges between classes.

  37.-38. Earlier Termination: Init -> Final ? The forward reachability algorithm of slides 22-25 is shown again (INITIAL Passed := Ø; Waiting := {(n0,Z0)}; REPEAT pick (n,Z) in Waiting; if for some (n,Z') in Passed with Z ⊆ Z' then STOP, else explore; UNTIL Waiting = Ø or Final is in Waiting).

  39. Earlier Termination, cont. The test becomes "if for some (n,Z') in Passed then STOP": the diagram compares (n,Z) against all stored states (n,Z1), (n,Z2), ..., (n,Zk), so the search can stop when Z is covered by the stored zones together rather than by a single Z'.

  40. Clock Difference Diagrams = Binary Decision Diagrams + Difference Bounded Matrices (CAV99). CDD representations: nodes labeled with differences; maximal sharing of substructures (also across different CDDs); maximal intervals; linear-time algorithms for set-theoretic operations. Related: NDDs (Maler et al.), DDDs (Møller, Lichtenberg).

  41. Verification Options: Diagnostic Trace; Breadth-First; Depth-First; Local Reduction; Active-Clock Reduction; Global Reduction; Re-Use State-Space; Over-Approximation; Under-Approximation.

  42. Representation of symbolic states: (In)Active Clock Reduction. Definition: x is inactive at S if on all paths from S, x is always reset before being tested. Diagram: from S, x:=0 on the edges into S1, and the tests x>3, x<5 (and x<7) only on edges out of S1, so x is only active in location S1.

  43. Representation of symbolic states: Active Clock Reduction, cont. Definition (repeated): x is inactive at S if on all paths from S, x is always reset before being tested. Diagram: S with edges g1/r1, g2/r2, ..., gk/rk to S1, S2, ..., Sk (tests x>3, x<5). Only save constraints on active clocks.
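Slides 42-43 define when a clock is inactive; as an added Python example (not code from the slides or from UPPAAL), the following computes the active clocks of every location by a least fixpoint over the edges and then drops the constraints on inactive clocks from a symbolic state. The automaton, its edge labels and the constraint representation are constructed for this illustration; it assumes edges carry the sets of clocks their guard tests and their assignment resets, and optionally the clocks each location's invariant tests.

```python
# Added example, not code from the slides or from UPPAAL: (in)active clock
# reduction as a least fixpoint over the automaton graph, then projection of a
# symbolic state onto the clocks that are active at its location.

def active_clocks(locations, edges, invariants=None):
    """edges: (src, clocks tested by the guard, clocks reset, dst).
    invariants: location -> clocks tested by its invariant (optional).
    A clock is active at S if some path from S tests it before resetting it;
    any other clock is inactive there and its constraints need not be stored."""
    act = {loc: set((invariants or {}).get(loc, ())) for loc in locations}
    changed = True
    while changed:                       # monotone, so the iteration terminates
        changed = False
        for src, guard, reset, dst in edges:
            # tested by this guard, or active at dst and not reset on the way
            new = set(guard) | (act[dst] - set(reset))
            if not new <= act[src]:
                act[src] |= new
                changed = True
    return {loc: frozenset(s) for loc, s in act.items()}


def project(location, constraints, act):
    """Drop the constraints of a symbolic state that mention an inactive clock.
    constraints: list of (clocks involved, textual constraint)."""
    return [c for c in constraints if set(c[0]) <= act[location]]


# Constructed automaton in the spirit of slide 42: x is reset on the way into
# S1, tested only on S1's outgoing edges, and reset again before any later test.
LOCATIONS = ["S", "S1", "S2", "S3"]
EDGES = [
    ("S",  (),     ("x",),     "S1"),   # x := 0
    ("S1", ("x",), (),         "S2"),   # guard x > 3
    ("S1", ("x",), (),         "S3"),   # guard x < 5
    ("S2", ("y",), (),         "S"),    # guard on y only
    ("S3", (),     ("x", "y"), "S"),    # x := 0, y := 0
]


def demo():
    """Active clocks per location, and a symbolic state at S2 reduced to them."""
    act = active_clocks(LOCATIONS, EDGES)
    state = [(("x",), "x<=5"), (("y",), "y>=1"), (("x", "y"), "x-y<=2")]
    return act, project("S2", state, act)
```

On this automaton x is active only at S1 while y is active at S, S1 and S2, so a symbolic state at S2 keeps just its y constraint; passing `invariants={"S3": ("x",)}` makes x active at S3 as well, since the invariant tests it on entry.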

  44. When to store symbolic states: Global Reduction. No cycles: the Passed list is not needed for termination; however, the Passed list is useful for efficiency.

  45. When to store symbolic states: Global Reduction, cont. Cycles: only symbolic states involving loop-entry points need to be saved on the Passed list.

  46. Reuse State Space: for a list of properties A[] prop1, A[] prop2, A[] prop3, A[] prop4, A[] prop5, ..., A[] propn, search in the existing Passed list before continuing the search. Which order to search the properties in?
