Verification Options. To Store Or Not To Store? Inside the UPPAAL tool. Inactive (passive) Clock Reduction. Global Reduction

Transcription

1 Inside the UPPAAL tool Data Structures DBM s (Difference Bounds Matrices) Canonical and Minimal Constraints Algorithms Reachability analysis Liveness checking Termination Verification Otions Verification Otions Diagnostic Trace Breadth-First Deth-First Local Reduction Active-Clock Reduction Global Reduction Re-Use State-Sace Over-Aroximation Under-Aroximation 1 2 Inactive (assive) Clock Reduction x is only active in location S1 Global Reduction (When to store symbolic state) x:=0 S Definition x is inactive at S if on all ath from S, x is always reset before being tested However, list useful for efficiency x:=0 x<5 x>3 3 No Cycles: list not needed for termination 4 Global Reduction [RTSS97] (When to store symbolic state) To Store Or Not To Store? [RTSS97,CAV03] Cycles: Only symbolic states involving loo-entry oints need to be saved on list 117 states total 81 states entryoint 9 states Time OH less than 10% (need to re-exlore some states) 5 6

2 Reuse of State Sace Reuse of State Sace ro2 A[] ro1 ro2 A[] ro1 ro1 A[] ro2 A[] ro3 A[] ro4 A[] ro5 A[] ron Search in existing list before continuing search Which order to search? Hashtable ro1 A[] ro2 A[] ro3 A[] ro4 A[] ro5 A[] ron Search in existing list before continuing search Which order to search? 7 8 Reuse of State Sace Reuse of State Sace ro2 A[] ro1 ro2 A[] ro1 Hashtable ro1 A[] ro2 A[] ro3 A[] ro4 A[] ro5 A[] ron Swaed to secondary memory Search in existing list before continuing search Which order to search? 9 ro1 Hashtable generation order A[] ro2 A[] ro3 A[] ro4 A[] ro5 REVERSE CREATION ORDER A[] ron Swaed to secondary memory Search in existing list before continuing search Which order to search? 10 Under-aroximation Bitstate Hashing (Holzman,SPIN) Under-aroximation Bitstate Hashing m,u Final m,u Final 1 0 = Bitarray n,z n,z 1 0 UPPAAL 8 Mbits Hashfunction F Init n,z Init n,z

3 Bit-state Hashing Under Aroximation (good for finding Bugs quickly, debugging) INITIAL := := Ø; Ø; := :={(n0,z0)} REPEAT --ick ick (n,z) (n,z) in in --ififfor for some some Z Z Z (n,z ) (n,z ) in in then then STOP STOP -else -else/exlore/ add add { (m,u) (m,u)::(n,z) (n,z) => => (m,u) (m,u)} to to ; Add Add (n,z) (n,z) to to UNTIL = Ø or or Final Final is is in in (F(n,Z)) = 1 (F(n,Z)) := 1 Possitive answer is safe (you can trust) You can trust your tool if it tells: a state is reachable (it means Reachable!) Negative answer is Inconclusive You should not trust your tool if it tells: a state is non-reachable Some of the branch may be terminated by conflict (the same hashing value of two states) Over-aroximation Convex Hull y Over-Aroximation (good for safety roerty-checking) Possitive answer is Inconclusive a state is reachable means Nothing (you should not trust your tool when it says so) Some of the transitions may be enabled by Enlarged zones Negative answer is safe a state is not reachable means Non-reachable (you can trust your tool when it says so) x Convex Hull OUTLINE A Brief Introduction Motivation what are the roblems to solve CTL, LTL and basic model-checking algorithms Timed Systems Timed automata and verification roblems UPPAAL tutorial (1): data stuctures & algorithms UPPAAL tutorial (2): inut languages TIMES: From models to code guaranteeing timing constraints Further toics/recent Work Systems with buffers/queues [CAV 2006] Lecture 7 UPPAAL tutorial (2) The UPPAAL inut languages: timed automata & TCTL in UPPAAL 17 18

4 Timed Automata + Invariants [Henzinger,Sifakis et al, 1992] Networks of Timed Automata n x<=5 Clocks: x, y m1 Location Invariants x<=5 & y>3 a x := 0 Transitions: ( n, x=24, y=31415 ) e(32) e(11) ( n, x=24, y=31415 ) ( n, x=35, y=42415 ) x>=2 i==3 x := 0 i:=i+4 y<=4 m2 m y<=10 g4 g1 g2 g3 Location invariants are used to force an automata to rogress (ie leave the location) before the invariant becomes false Two-way synchronization on comlementary actions Closed Systems! UPPAAL modeling language Networks of Timed Automata with Invariants + urgent action channels, + broadcast channels, + urgent and committed locations, + data-variables (with bounded domains), + arrays of data-variables, + constants, + guards and assignments over data-variables and arrays, + temlates with local clocks, data-variables, and constants + C subset Declarations in UPPAAL The syntax used for declarations in UPPAAL is similar to the syntax used in the C rogramming language Clocks: Syntax: clock x1,, xn ; Examle: clock x, y; Declares two clocks: x and y Declarations in UPPAAL (cont) Data variables Syntax: Declarations in UPPAAL (cont) Actions (or channels): Syntax: int n1, ; int[l,u] n1, ; int n1[m], ; Examle; int a, b; int[0,1] a, b[5]; Integer with default domain Integer with domain from l to u Integer array w elements n1[0] to n1[m-1] chan a, ; urgent chan b, ; Examle: chan a, b[2]; urgent chan c; Ordinary channels Urgent actions (described later) 23 24

5 Declarations UPPAAL (const) Declarations in UPPAAL Constants Syntax: const int c1 = n1; Examle: const int[0,1] YES = 1; const bool NO = false; Constants Bounded integers Channels Clocks Arrays Temlates Processes Systems x : = n Timed Automata in UPPAAL Clock Assignments Location Invariants n Variable Assignments x<=5 i : = Exr x>=5, y>3 Exr :: = i i[ Exr] n Exr Exr + Exr x := 0 Exr Exr m Exr * Exr y<=10 g4 Exr / Exr g1 g2 ( g? Exr : Exr) g3 d inv :: = x < n x <= n inv, inv clock natural number and g :: = gc gd g, g gc :: = x n x y + n gd :: = Exr o Exr { <, <=, ==, >=, > } o { <, <=, ==, >=, >,! = } Clock guards Data guards 27 x : = n Timed Automata in UPPAAL Clock Assignments Location Invariants n Variable Assignments x<=5 i : = Exr x>=5, y>3 Exr :: = i i[ Exr] n Exr Exr + Exr x := 0 Exr Exr m Exr * Exr y<=10 g4 Exr / Exr g1 g2 ( g? Exr : Exr) g3 d inv :: = x < n x <= n inv, inv clock natural number and Actions: :: = g c a gdname g, g of action or c :: = x n x y + n Clock guards one or zero er edge d :: = Exr o Exr Data guards { <, <=, ==, >=, > } { <, <=, ==, >=, >,! = } 28 g g g o Temlates in UPPAAL Urgent Channels: Examle 1 Temlates may be arameterised: int v; const min; const max int[0,n] e; const id Temlates are instantiated to form rocesses: = A(i,1,5); Q:= A(j,0,4); Train1:=Train(el, 1); Train2:=Train(el, 2); Q: s1 s2 Suose the two edges in automata P and Q should be taken as soon as ossible Ie as soon as both automata are ready (simultaneously in locations and s1) How to model with invariants if either one may reach or s1 first? 29 30

6 Urgent Channels: Examle 1 Urgent Channels Q: s1 s2 Suose the two edges in automata P and Q should be taken as soon as ossible Ie as soon as both automata are ready (simultaneously in locations and s1) How to model with invariants if either one may reach or s1 first? Solution: declare action a as urgent urgent chan hurry; Informal Semantics: There will be no delay if transition with urgent action can be taken Restrictions: No clock guard allowed on transitions with urgent actions Invariants and data-variable guards are allowed Urgent Channel: Examle 2 Urgent Channel: Examle 2 i==5 Assume i is a data variable We want P to take the transition from to as soon as i==5 i==5 go? Assume i is a data variable We want P to take the transition from to as soon as i==5 Solution: P can be forced to take transition if we add another automaton: s1 go! where go is an urgent channel, and we add go? to transition in automaton P Broadcast Synchronisation Urgent Location broadcast chan a, b, c[2]; Click Urgent in State Editor If a is a broadcast channel: = Emmision of broadcast = Recetion of broadcast A set of edges in different rocesses can synchronize if one is emitting and the others are receiving on the same bc channel A rocess can always emit Receivers must synchronize if they can No blocking Informal Semantics: No delay in urgent location Note: the use of urgent locations reduces the number of clocks in a model, and thus the comlexity of the analysis 35 36

7 Urgent Location: Examle Urgent Location: Examle Assume that we model a simle media M: a M that receives ackages on channel a and immediately sends them on channel b P models the media using clock x b x:=0 x 0 x==0 b! l3 Assume that we model a simle media M: a M that receives ackages on channel a and immediately sends them on channel b P models the media using clock x Q models the media using urgent location P and Q have the same behavior b x:=0 x 0 x==0 b! l3 Q: urgent b! l Committed Location Committed Location: Examle 1 Click Committed i State Editor Informal Semantics: No delay in committed location Next transition must involve automata in committed location Note: the use of committed locations reduces the number of interleaving in state sace exloration (and also the number of clocks in a model), and thus allows for more sace and time efficient analysis i==0 b! i:=1 P : i==0 n urgent b! i:=1 Assume: we want to model a rocess (P) simultaneously sending message a and b to two receiving rocesses (when i==0) P sends a two times at the same time instant, but in location n other automata, eg Q may interfear Q: k1 i==0 k Committed Location: Examle 1 i==0 b! i:=1 Assume: we want to model a rocess P : (P) simultaneously sending message (a) to two receiving rocesses (when i==0 i==0) P sends a two times at the same n time instant, but in location n other committed automata, eg Q may interfear: b! i:=1 Q: i==0 b! k1 k2 Solution: mark location n committed in automata P (instead of urgent ) Committed Locations (examle: atomic sequence in a network) x:=x+1; y:=y+1 41 If the sequence becomes too long, you can slit it 42

8 Committed Locations (examle: atomic sequence in a network) Committed Locations (examle: atomic sequence in a network) Semantics: the time sent on C-location should be zero! Semantics: the time sent on C-location should be zero! C x:=x+1 y:=y+1 C x:=x+1 y:=y Committed Locations (examle: atomic sequence in a network) Committed Locations (examle: atomic sequence in a network) Semantics: the time sent on C-location should be zero! x:=x+1 x:=x+1 C C y:=y+1 y:=y+1 Now, only the committed (red) transition can be taken! Committed Locations Committed Location: Examle 2 A trick of modeling (eg to model multi-way synchronization using handshaking) More imortantly, it is a simle and efficient mechanism for state-sace reduction! In fact, it is a simle form of artial order reduction It is used to avoid intermediate states, interleavings: Committed states are not stored in the assed list Interleavings of any state with a committed location will not be exlored Assume: we want to ass the value of integer k from automaton P to variable j in Q The value of k can is assed using a global integer variable t Location n is committed to ensure that no other automat can assign t before the assignment j:=t Q: t:=k n committed j:=t 47 48

9 More Exressions New oerators (not clocks): Logical: && (logical and), (logical or),! (logical negation), Bitwise: ^ (xor), & (bitwise and), (bitwise or), Bit shift: << (left), >> (right) Numerical: % (modulo), <? (min), >? (max) Comound Assignments: +=, -=, *=, /=, ^=, <<=, >>= Prefix or Postfix: ++ (increment), -- (decrement) More on Tyes Multi dimensional arrays eg int b[2][3]; Array initialiser: eg int b[2][3] := { {1,2,3}, {4,5,6} }; Arrays of channels, clocks, constants eg chan a[3]; clockc[3]; const k[3] { 1, 2, 3 }; Broadcast channels eg broadcast chan a; Extensions Advanced Features Select statement Models non-deterministic choise x : int[0,42] Tyes Record tyes Tye declarations Meta variables: not stored with state meta int x; Forall / Exists Exressions forall (x:int[0,42]) exr true if exr is true for all values in [0,42] of x exists (x:int[0,4]) exr true if exr is true for some values in [0,42] of x Examle: forall (x:int[0,4])array[x]; Priorities on channels chan a,b,c,d[2],e[2]; chan riority a,d[0] < default < b,e Priorities on rocesses system A < B,C < D; Functions C-like functions with return values TCTL Quantifiers in UPPAAL E A G F - exists a ath ( E in UPPAAL) - for all aths ( A in UPPAAL) - all states in a ath ( [] in UPPAAL) - some state in a ath ( <> in UPPAAL) UPPAAL secification language You may write the following queries in UPPAAL: A[], A<>, E<>, E[] and --> q 53 AG AF EF EG and q are local roerties 54

10 Local Proerties A[], A<>, E<>, E[], --> where is a local roerty E<> Reachable E<> it is ossible to reach a state in which is satisfied data guard automaton location clock guard ::= al gd gc and or not imly ( ) rocess/ name is true in (at least) one reachable state A[] Invariantly A[] holds invariantly A<> Inevitable A<> will inevitable become true, the automaton is guaranteed to eventually reach a state in which is true is true in all reachable states is true in some state of all aths E[ ] Potentially Always E[] is otentially always true --> q lead to q --> q if becomes true, q will inevitably become true same as A[]( imly A<> q ) q q There exists a ath in which is true in all states In all aths, if becomes true, q will inevitably become true 59 60