Timed Automata From Theory to Implementation

Similar documents
Timed Automata: Semantics, Algorithms and Tools

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Timed Automata with Asynchronous Processes: Schedulability and Decidability

Specification and Analysis of Real-Time Systems Using Real-Time Maude

RT-Studio: A tool for modular design and analysis of realtime systems using Interpreted Time Petri Nets

Reducing Clocks in Timed Automata while Preserving Bisimulation

Timed Automata. Rajeev Alur. University of Pennsylvania

Software Testing IV. Prof. Dr. Holger Schlingloff. Humboldt-Universität zu Berlin

Fine-grained Compatibility and Replaceability Analysis of Timed Web Service Protocols

Lecture 2. Decidability and Verification

Quantitative analysis of real-time systems

A Test Case Generation Algorithm for Real-Time Systems

Model checking pushdown systems

Lecture 9: Reachability

Reachability Analysis for Timed Automata using Max-Plus Algebra

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

Stochastic Games for Verification of Probabilistic Timed Automata

Graphical Tool For SC Automata.

Real-time Testing with Timed Automata Testers and Coverage Criteria

AN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION

plant OUTLINE The Same Goal: Reliable Controllers Who is Who in Real Time Systems

Real-time Testing with Timed Automata Testers and Coverage Criteria

Kronos: A Model-Checking Tool for Real-Time Systems*

Verifying Periodic Task-Control Systems. Vlad Rusu? Abstract. This paper deals with the automated verication of a class

UPPAAL. Verification Engine, Options & Patterns. Alexandre David

want turn==me wait req2==0

Under-Approximation Refinement for Timed Automata

Efficient Synthesis of Production Schedules by Optimization of Timed Automata

Priced Timed Automata and Timed Games. Kim G. Larsen Aalborg University, DENMARK

Deep Random Search for Efficient Model Checking of Timed Automata

MANY real-time applications need to store some data

More on Verification and Model Checking

An MTBDD-based Implementation of Forward Reachability for Probabilistic Timed Automata

Towards Compositional Testing of Real-Time Systems

erics: A Tool for Verifying Timed Automata and Estelle Specifications

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

hal , version 1-9 Apr 2009

Real Time Software PROBLEM SETTING. Real Time Systems. Real Time Systems. Who is Who in Timed Systems. Real Time Systems

Language Overview for PHAVer version 0.35

Rewriting Models of Boolean Programs

Eliminating the Storage Tape in Reachability Constructions

Hybrid Acceleration using Real Vector Automata (extended abstract)

Dynamic Clock Elimination in Parametric Timed Automata

Multi-Clock Timed Networks

Modeling and Verification of Priority Assignment in Real-Time Databases Using Uppaal

Automated Formal Methods for Embedded Systems

Reasoning about Timed Systems Using Boolean Methods

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova

TiPEX: A Tool Chain for Timed Property Enforcement During execution

Action Language Verifier, Extended

Automatic Verification of the IEEE-1394 Root Contention Protocol with KRONOS and PRISM

UPPAAL Tutorial. UPPAAL Family

GSPeeDI a Verification Tool for Generalized Polygonal Hybrid Systems

Towards Validated Real-Time Software

Developing Uppaal over 15 Years

Critical Analysis of Computer Science Methodology: Theory

Counting multiplicity over infinite alphabets

A Gentle Introduction to Program Analysis

UPPAAL. Validation and Verication of Real Time Systems. Status & Developments y. Abstract

Editor. Analyser XML. Scheduler. generator. Code Generator Code. Scheduler. Analyser. Simulator. Controller Synthesizer.

Verification of Petri net properties in CLP

Computing Delay with Coupling Using Timed Automata

MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS

Synthesis of Optimal Strategies Using HyTech

Model checking and timed CTL

A game-theoretic approach to real-time system testing David, Alexandre; Larsen, Kim Guldstrand; Li, Shuhao; Nielsen, Brian

Distributed Memory LTL Model Checking

ALASKA Antichains for Logic, Automata and Symbolic Kripke structures Analysis

Kahina Gani, Marinette Bouet, Michel Schneider, and Farouk Toumani. 1 2

Limitations of Algorithmic Solvability In this Chapter we investigate the power of algorithms to solve problems Some can be solved algorithmically and

Theory of Computations Spring 2016 Practice Final Exam Solutions

Advanced Programming Methods. Introduction in program analysis

Past Pushdown Timed Automata and Safety Verification

Modeling and Analysis of Fischer s Algorithm

TIMES A Tool for Modelling and Implementation of Embedded Systems

PARAMETRIC VERIFICATION AND TEST COVERAGE FOR HYBRID AUTOMATA USING THE INVERSE METHOD

Real-Time Model Checking on Secondary Storage

The SPIN Model Checker

To Store or Not To Store

Safra's Büchi determinization algorithm

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

Interaction Between Input and Output-Sensitive

The Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS

Modeling and Verification of Marine Equipment Systems Using a Model Checker

An Introduction to UPPAAL. Purandar Bhaduri Dept. of CSE IIT Guwahati

UTILIZATION OF TIMED AUTOMATA AS A VERIFICATION TOOL FOR REAL-TIME SECURITY PROTOCOLS

Computational Techniques for Hybrid System Verification

Model Checking with Abstract State Matching

Modeling and Analysis of Real -Time Systems with Mutex Components

Extending Synchronous Languages for Generating Abstract Real-Time Models

Acceleration of Affine Hybrid Transformations

Extensions of the algorithm to deal with hybrid systems, controller synthesis and continuous disturbances are described in section 4 along with severa

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Expressiveness of Minmax Automata

On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap

Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages , August Timed automata have been proposed in [1, 8] to model nite-s

Our aim is to extend this language in order to take into account a large class of timing constraints on systems to describe. Then, we will present a m

Processing Regular Path Queries Using Views or What Do We Need for Integrating Semistructured Data?

Overview of Timed Automata and UPPAAL

DSVerifier: A Bounded Model Checking Tool for Digital Systems

Transcription:

Timed Automata From Theory to Implementation Patricia Bouyer LSV CNRS & ENS de Cachan France Chennai january 2003 Timed Automata From Theory to Implementation p.1

Roadmap Timed automata, decidability issues Some extensions of the model Implementation of timed automata Chennai january 2003 Timed Automata From Theory to Implementation p.2

Timed automata, decidability issues presentation of the model decidability of the model the region automaton construction Chennai january 2003 Timed Automata From Theory to Implementation p.3

Timed automata x, y: clocks [Alur & Dill - 1990 s] guard action reset p y < 4, a, x := 0 x = 5, b q c, y := 0 Chennai january 2003 Timed Automata From Theory to Implementation p.4

Timed automata x, y: clocks [Alur & Dill - 1990 s] guard action reset p y < 4, a, x := 0 x = 5, b q c, y := 0 a c b p q q p... 3.2 5.1 8.2 value of x 0 0 1.9 5... value of y 0 3.2 0 3.1... timed word (a, 3.2)(c, 5.1)(b, 8.2)... Chennai january 2003 Timed Automata From Theory to Implementation p.4

Emptiness checking Emptiness problem: is the language accepted by a timed automaton empty? reachability properties basic liveness properties (final states) (Büchi (or other) conditions) Chennai january 2003 Timed Automata From Theory to Implementation p.5

Emptiness checking Emptiness problem: is the language accepted by a timed automaton empty? reachability properties basic liveness properties (final states) (Büchi (or other) conditions) Theorem: The emptiness problem for timed automata is decidable. It is PSPACE-complete. [Alur & Dill 1990 s] Chennai january 2003 Timed Automata From Theory to Implementation p.5

The region abstraction y 2 Equivalence of finite index 1 0 1 2 3 x Chennai january 2003 Timed Automata From Theory to Implementation p.6

The region abstraction y 2 Equivalence of finite index 1 0 1 2 3 x compatibility between regions and constraints Chennai january 2003 Timed Automata From Theory to Implementation p.6

The region abstraction y 2 Equivalence of finite index 1 0 1 2 3 x compatibility between regions and constraints compatibility between regions and time elapsing Chennai january 2003 Timed Automata From Theory to Implementation p.6

The region abstraction y 2 Equivalence of finite index 1 0 1 2 3 x compatibility between regions and constraints compatibility between regions and time elapsing Chennai january 2003 Timed Automata From Theory to Implementation p.6

The region abstraction y 2 Equivalence of finite index 1 0 1 2 3 x compatibility between regions and constraints compatibility between regions and time elapsing a bisimulation property Chennai january 2003 Timed Automata From Theory to Implementation p.6

The region abstraction y 2 1 Equivalence of finite index region defined by I x =]1; 2[, I y =]0; 1[ {x} < {y} 0 1 2 3 x compatibility between regions and constraints compatibility between regions and time elapsing a bisimulation property Chennai january 2003 Timed Automata From Theory to Implementation p.6

The region automaton timed automaton region partition q g,a,c:=0 q is transformed into: (q, R) a (q, R ) if there exists R Succ t (R) s.t. R g [C 0]R R L(reg. aut.) = UNTIME(L(timed aut.)) where UNTIME((a 1, t 1 )(a 2, t 2 )... ) = a 1 a 2... Chennai january 2003 Timed Automata From Theory to Implementation p.7

An example [AD 90 s] y 1 0 1 x Chennai january 2003 Timed Automata From Theory to Implementation p.8

Partial conclusion a timed model interesting for verification purposes Numerous works have been (and are) devoted to: the theoretical comprehension of timed automata extensions of the model (to ease the modelling) expressiveness analyzability algorithmic problems and implementation Chennai january 2003 Timed Automata From Theory to Implementation p.9

Some extensions of the model adding constraints of the form x y c adding silent actions adding constraints of the form x + y c adding new operations on clocks Chennai january 2003 Timed Automata From Theory to Implementation p.10

Adding diagonal constraints x y c and x c Decidability: yes, using the region abstraction y 1 0 1 2 x Expressiveness: no additional expressive power Chennai january 2003 Timed Automata From Theory to Implementation p.11

Adding diagonal constraints (cont.) c is positive copy where x y c x := 0 y := 0 x c x := 0 x y c y := 0 x := 0 x > c y := 0 y := 0 proof in [Bérard,Diekert,Gastin,Petit 1998] copy where x y > c Chennai january 2003 Timed Automata From Theory to Implementation p.12

Adding diagonal constraints (cont.) Open question: is this construction optimal? In the sense that timed automata with diagonal constraints are explonentially more concise than diagonal-free timed automata. Chennai january 2003 Timed Automata From Theory to Implementation p.12

Adding silent actions g, ε, C := 0 [Bérard,Diekert,Gastin,Petit 1998] Decidability: yes (actions has no influence on the previous construction) Expressiveness: strictly more expressive! x = 1 a x := x 1 0 < x < 1, b x = 1, ε, x := 0 a a b b a 0 1 2 3 4 Chennai january 2003 Timed Automata From Theory to Implementation p.13

Adding constraints of the form x + y c x + y c and x c [Bérard,Dufourd 2000] Decidability: - for two clocks, decidable using the abstraction y 2 1 0 1 2 x - for four clocks (or more), undecidable! Expressiveness: more expressive! (even using two clocks) x + y = 1, a, x := 0 {(a n, t 1... t n ) n 1 and t i = 1 1 2 i } Chennai january 2003 Timed Automata From Theory to Implementation p.14

The two-counter machine Definition. A two-counter machine is a finite set of instructions over two counters (x and y): Incrementation: (p): x := x + 1; goto (q) Decrementation: (p): if x > 0 then x := x 1; goto (q) else goto (r) Theorem. [Minsky 67] The emptiness problem for two counter machines is undecidable. Chennai january 2003 Timed Automata From Theory to Implementation p.15

Undecidability proof c is unchanged c is incremented c c c c c c c c cc d d dd d d d d d d 20 21 22 23 24 25 26 time d is decremented simulation of decrement of d increment of c We will use 4 clocks: u, tic clock (each time unit) x 0, x 1, x 2 : reference clocks for the two counters x i reference for c the last time x i has been reset is the last time action c has been performed [Bérard,Dufourd 2000] Chennai january 2003 Timed Automata From Theory to Implementation p.16

Undecidability proof (cont.) Increment of counter c: x 0 2, u + x 2 = 1, c, x 2 := 0 x 2 := 0 u = 1,, u := 0 x 0 > 2, c, x 2 := 0 u + x 2 = 1 ref for c is x 0 ref for c is x 2 Decrement of counter c: x 0 < 2, u + x 2 = 1, c, x 2 := 0 x 2 := 0 u = 1,, u := 0 x 0 = 2, c, x 2 := 0 u + x 2 = 1 u = 1, x 0 = 2,, u := 0, x 2 := 0 Chennai january 2003 Timed Automata From Theory to Implementation p.17

Adding constraints of the form x + y c Two clocks: decidable! using the abstraction y 2 1 0 1 2 x Four clocks (or more): undecidable! Chennai january 2003 Timed Automata From Theory to Implementation p.18

Adding constraints of the form x + y c Two clocks: decidable! using the abstraction y 2 1 Three clocks: open question 0 1 2 x Four clocks (or more): undecidable! Chennai january 2003 Timed Automata From Theory to Implementation p.18

Adding new operations on clocks Several types of updates: x := y + c, x :< c, x :> c, etc... Chennai january 2003 Timed Automata From Theory to Implementation p.19

Adding new operations on clocks Several types of updates: x := y + c, x :< c, x :> c, etc... The general model is undecidable. (simulation of a two-counter machine) Chennai january 2003 Timed Automata From Theory to Implementation p.19

Adding new operations on clocks Several types of updates: x := y + c, x :< c, x :> c, etc... The general model is undecidable. (simulation of a two-counter machine) Only decrementation also leads to undecidability Incrementation of counter x z = 0 z = 1, z := 0 z = 0, y := y 1 Decrementation of counter x z = 0 x 1 z = 0, x := x 1 x = 0 Chennai january 2003 Timed Automata From Theory to Implementation p.19

Decidability y := 0 y := 1 x y < 1 1 0 1 image by y := 1 the bisimulation property is not met The classical region automaton construction is not correct. Chennai january 2003 Timed Automata From Theory to Implementation p.20

Decidability (cont.) A Diophantine linear inequations system is there a solution? if yes, belongs to a decidable class Examples: constraint x c constraint x y c c max x c max x,y update x : y + c max x max y +c and for each clock z, max x,z max y,z + c, max z,x max z,y c update x :< c c max x and for each clock z, max z c + max z,x The constants (max x ) and (max x,y ) define a set of regions. Chennai january 2003 Timed Automata From Theory to Implementation p.21

Decidability (cont.) y := 0 y := 1 x y < 1 max y 0 max x 0 + max x,y max y 1 max x 1 + max x,y max x,y 1 = max x = 2 max y = 1 max x,y = 1 max y,x = 1 y 1 The bisimulation property is met. 0 1 2 x Chennai january 2003 Timed Automata From Theory to Implementation p.22

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

What s wrong when undecidable? Decrementation x := x 1 max x max x 1 etc... Chennai january 2003 Timed Automata From Theory to Implementation p.23

Decidability (cont.) x := c, x := y x := x + 1 x := y + c x := x 1 x :< c x :> c x : y + c y + c <: x :< y + d y + c <: x :< z + d Diagonal-free constraints PSPACE-complete Undecidable PSPACE-complete Undecidable General constraints PSPACE-complete Undecidable PSPACE-complete Undecidable [Bouyer,Dufourd,Fleury,Petit 2000] Chennai january 2003 Timed Automata From Theory to Implementation p.24

Implementation of Timed Automata analysis algorithms the DBM data structure a bug in the forward analysis Chennai january 2003 Timed Automata From Theory to Implementation p.25

Notice The region automaton is not used for implementation: suffers from a combinatorics explosion (the number of regions is exponential in the number of clocks) no really adapted data structure Chennai january 2003 Timed Automata From Theory to Implementation p.26

Notice The region automaton is not used for implementation: suffers from a combinatorics explosion (the number of regions is exponential in the number of clocks) no really adapted data structure Algorithms for minimizing the region automaton have been proposed... [Alur & Co 1992] [Tripakis,Yovine 2001] Chennai january 2003 Timed Automata From Theory to Implementation p.26

Notice The region automaton is not used for implementation: suffers from a combinatorics explosion (the number of regions is exponential in the number of clocks) no really adapted data structure Algorithms for minimizing the region automaton have been proposed... [Alur & Co 1992] [Tripakis,Yovine 2001]...but on-the-fly technics are preferred. Chennai january 2003 Timed Automata From Theory to Implementation p.26

Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F backward analysis algorithm: compute the predecessors of final configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F backward analysis algorithm: compute the predecessors of final configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Chennai january 2003 Timed Automata From Theory to Implementation p.28

Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z Chennai january 2003 Timed Automata From Theory to Implementation p.28

Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) Chennai january 2003 Timed Automata From Theory to Implementation p.28

Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) Chennai january 2003 Timed Automata From Theory to Implementation p.28

Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) [C 0] 1 (Z (C = 0)) g Chennai january 2003 Timed Automata From Theory to Implementation p.28

Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) [C 0] 1 (Z (C = 0)) g The exact backward computation terminates and is correct! Chennai january 2003 Timed Automata From Theory to Implementation p.28

Note on the backward analysis of TA (cont.) If A is a timed automaton, we construct its corresponding set of regions. Because of the bisimulation property, we get that: Every set of valuations which is computed along the backward computation is a finite union of regions Chennai january 2003 Timed Automata From Theory to Implementation p.29

Note on the backward analysis of TA (cont.) If A is a timed automaton, we construct its corresponding set of regions. Because of the bisimulation property, we get that: Every set of valuations which is computed along the backward computation is a finite union of regions But, the backward computation is not so nice, when also dealing with integer variables... i := j.k + l.m Chennai january 2003 Timed Automata From Theory to Implementation p.29

Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) A zone is a set of valuations defined by a clock constraint ϕ ::= x c x y c ϕ ϕ Chennai january 2003 Timed Automata From Theory to Implementation p.30

Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Chennai january 2003 Timed Automata From Theory to Implementation p.30

Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Chennai january 2003 Timed Automata From Theory to Implementation p.30

Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Z g Chennai january 2003 Timed Automata From Theory to Implementation p.30

Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Z g [y 0]( Z g) Chennai january 2003 Timed Automata From Theory to Implementation p.30

Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Z g [y 0]( Z g) a termination problem Chennai january 2003 Timed Automata From Theory to Implementation p.30

Non Termination of the Forward Analysis y := 0, x := 0 x 1 y = 1, y := 0 y 2 1 0 1 2 3 4 5 x an infinite number of steps... Chennai january 2003 Timed Automata From Theory to Implementation p.31

Solutions to this problem (f.ex. in [Larsen,Pettersson,Yi 1997] or in [Daws,Tripakis 1998]) inclusion checking: if Z Z and Z still handled, then we don t need to handle Z correct w.r.t. reachability... Chennai january 2003 Timed Automata From Theory to Implementation p.32

Solutions to this problem (f.ex. in [Larsen,Pettersson,Yi 1997] or in [Daws,Tripakis 1998]) inclusion checking: if Z Z and Z still handled, then we don t need to handle Z correct w.r.t. reachability activity: eliminate redundant clocks [Daws,Yovine 1996] correct w.r.t. reachability q g,a,c:=0 q = Act(q) = clocks(g) (Act(q ) \ C)... Chennai january 2003 Timed Automata From Theory to Implementation p.32

Solutions to this problem (cont.) convex-hull approximation: if Z and Z are computed then we overapproximate using Z Z. semi-correct w.r.t. reachability Chennai january 2003 Timed Automata From Theory to Implementation p.33

Solutions to this problem (cont.) convex-hull approximation: if Z and Z are computed then we overapproximate using Z Z. semi-correct w.r.t. reachability extrapolation, a widening operator on zones Chennai january 2003 Timed Automata From Theory to Implementation p.33

The DBM data structure DBM (Difference Bounded Matrice) data structure [Dill89] (x 1 3) (x 2 5) (x 1 x 2 4) x 0 x 1 x 2 x 0 x 1 x 2 + 3 + + + 4 5 + + Chennai january 2003 Timed Automata From Theory to Implementation p.34

The DBM data structure DBM (Difference Bounded Matrice) data structure [Dill89] (x 1 3) (x 2 5) (x 1 x 2 4) x 0 x 1 x 2 x 0 x 1 x 2 + 3 + + + 4 5 + + Existence of a normal form 5 2 0 3 0 9 0 4 5 2 0 3 4 9 Chennai january 2003 Timed Automata From Theory to Implementation p.34

The DBM data structure DBM (Difference Bounded Matrice) data structure [Dill89] (x 1 3) (x 2 5) (x 1 x 2 4) x 0 x 1 x 2 x 0 x 1 x 2 + 3 + + + 4 5 + + Existence of a normal form 5 2 3 4 9 0 3 0 9 0 4 5 2 0 All previous operations on zones can be computed using DBMs Chennai january 2003 Timed Automata From Theory to Implementation p.34

The extrapolation operator Fix an integer k ( represents an integer between k and +k) > k + < k k intuitively, erase non-relevant constraints ensures termination Chennai january 2003 Timed Automata From Theory to Implementation p.35

The extrapolation operator Fix an integer k ( represents an integer between k and +k) > k + < k k intuitively, erase non-relevant constraints 2 2 ensures termination Chennai january 2003 Timed Automata From Theory to Implementation p.35

The extrapolation operator Fix an integer k ( represents an integer between k and +k) > k + < k k intuitively, erase non-relevant constraints 2 2 ensures termination Chennai january 2003 Timed Automata From Theory to Implementation p.35

Challenge Propose a good constant for the extrapolation: keep the correctness of the forward computation Solution by the past: maximal constant appearing in the automaton Several correctness proofs can be found Implemented in tools like UPPAAL, KRONOS, RT-SPIN... Successfully used on real-life examples Chennai january 2003 Timed Automata From Theory to Implementation p.36

Challenge Propose a good constant for the extrapolation: keep the correctness of the forward computation Solution by the past: maximal constant appearing in the automaton Several correctness proofs can be found Implemented in tools like UPPAAL, KRONOS, RT-SPIN... Successfully used on real-life examples However... Chennai january 2003 Timed Automata From Theory to Implementation p.36

A problematic automaton x 3 3 x 2 = 3 x 1 = 2, x 1 := 0 x 1, x 3 := 0 x 2 := 0 x 1 = 2 x 1 := 0 x 2 = 2, x 2 := 0 x 2 x 1 > 2 x 1 = 3 x 2 = 2 The loop Error x 4 x 3 < 2 x 1 := 0 x 2 := 0 Chennai january 2003 Timed Automata From Theory to Implementation p.37

A problematic automaton x 3 3 x 2 = 3 x 1 = 2, x 1 := 0 x 1, x 3 := 0 x 2 := 0 x 1 = 2 x 1 := 0 x 2 = 2, x 2 := 0 x 2 x 1 > 2 x 1 = 3 x 2 = 2 The loop Error x 4 x 3 < 2 x 1 := 0 x 2 := 0 v(x 1 ) = 0 v(x 2 ) = d v(x 3 ) = 2α + 5 v(x 4 ) = 2α + 5 + d Chennai january 2003 Timed Automata From Theory to Implementation p.37

A problematic automaton x 3 3 x 2 = 3 x 1 = 2, x 1 := 0 x 1, x 3 := 0 x 2 := 0 x 1 = 2 x 1 := 0 x 2 = 2, x 2 := 0 x 2 x 1 > 2 x 1 = 3 x 2 = 2 The loop Error x 4 x 3 < 2 x 1 := 0 x 2 := 0 v(x 1 ) = 0 v(x 2 ) = d v(x 3 ) = 2α + 5 v(x 4 ) = 2α + 5 + d [1; 3] [2α + 5] x 2 x 1 x 3 x 4 [2α + 5] [1; 3] Chennai january 2003 Timed Automata From Theory to Implementation p.37

The problematic zone [1; 3] [2α + 5] x 2 x 1 x 3 x 4 [2α + 5] [1; 3] implies x 1 x 2 = x 3 x 4. [2α + 2; 2α + 4] [2α + 6; 2α + 8] Chennai january 2003 Timed Automata From Theory to Implementation p.38

The problematic zone [1; 3] [2α + 5] x 2 x 1 x 3 x 4 [2α + 5] [1; 3] implies x 1 x 2 = x 3 x 4. [2α + 2; 2α + 4] [2α + 6; 2α + 8] If α is sufficiently large, after extrapolation: [1; 3] x 2 x 1 x 3 x 4 [1; 3] does not imply x 1 x 2 = x 3 x 4. > k Chennai january 2003 Timed Automata From Theory to Implementation p.38

General abstractions Criteria for a good abstraction operator Abs: [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone [Effectiveness] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite [Effectiveness] [Termination] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite completeness of the abstraction Z Abs(Z) [Effectiveness] [Termination] [Completeness] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite completeness of the abstraction Z Abs(Z) soundness of the abstraction the computation of (Abs Post) is correct w.r.t. reachability [Effectiveness] [Termination] [Completeness] [Soundness] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite completeness of the abstraction Z Abs(Z) soundness of the abstraction the computation of (Abs Post) is correct w.r.t. reachability [Effectiveness] [Termination] [Completeness] [Soundness] For the previous automaton, no abstraction operator can satisfy all these criteria! [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

Why that? Assume there is a nice operator Abs. The set {M DBM representing a zone Abs(Z)} is finite. k the max. constant defining one of the previous DBMs We get that, for every zone Z, Z Extra k (Z) Abs(Z) Chennai january 2003 Timed Automata From Theory to Implementation p.40

Problem! Open questions: - which conditions can be made weaker? - find a clever termination criterium? - use an other data structure than zones/dbms? Chennai january 2003 Timed Automata From Theory to Implementation p.41

What can we cling to? Diagonal-free: only guards x c (no guard x y c) Theorem: the classical algorithm is correct for diagonal-free timed automata. [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.42

What can we cling to? Diagonal-free: only guards x c (no guard x y c) Theorem: the classical algorithm is correct for diagonal-free timed automata. General: both guards x c and x y c Proposition: the classical algorithm is correct for timed automata that use less than 3 clocks. (the constant used is bigger than the maximal constant...) [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.42

Conclusion & Further Work Decidability is quite well understood. A rather big problem with the forward analysis of timed automata needs to be solved. a very unsatisfactory solution for dealing with diagonal constraints. maybe the zones are not the optimal objects that we can deal with. To be continued... Some other current challenges: adding C macros to timed automata reducing the memory consumption via new data structures Chennai january 2003 Timed Automata From Theory to Implementation p.43

Bibliography [ACD+92] Alur, Courcoubetis, Dill, Halbwachs, Wong-Toi. Minimization of Timed Transition Systems. CONCUR 92 (LNCS 630). [AD90] Alur, Dill. Automata for Modeling Real-Time Systems. ICALP 90 (LNCS 443). [AD94] Alur, Dill. A Theory of Timed Automata. TCS 126(2), 1994. [AL02] Aceto, Laroussinie. Is your Model-Checker on Time? On the Complexity of Model-Checking for Timed Modal Logics. To appear in JLAP 2002. [BD00] Bérard, Dufourd. Timed Automata and Additive Clock Constraints. IPL 75(1 2), 2000. [BDFP00a] Bouyer, Dufourd, Fleury, Petit. Are Timed Automata Updatable? CAV 00 (LNCS 1855). [BDFP00b] [BDGP98] [BF99] Bouyer, Dufourd, Fleury, Petit. Expressiveness of Updatable Timed Automata. MFCS 00 (LNCS 1893). Bérard, Diekert, Gastin, Petit. Characterization of the Expressive Power of Silent Transitions in Timed Automata. Fundamenta Informaticae 36(2 3), 1998. Bérard, Fribourg. Automatic Verification of a Parametric Real-Time Program: the ABR Conformance Protocol. CAV 99 (LNCS 1633). Chennai january 2003 Timed Automata From Theory to Implementation p.44

Bibliography (cont.) [Bouyer03] [Dill89] [DT98] [DY96] [LPY97] Bouyer. Untameable Timed Automata! To appear in STACS 03. Dill. Timing Assumptions and Verification of Finite-State Concurrent Systems. Aut. Verif. Methods for Fin. State Sys. (LNCS 1989). Daws, Tripakis. Model-Checking of Real-Time Reachability Properties using Abstractions. TACAS 98 (LNCS 1384). Daws, Yovine. Reducing the Number of Clock Variables of Timed Automata. RTSS 96. Larsen, Pettersson, Yi. UPPAAL in a Nutshell. Software Tools for Technology Transfer 1(1 2), 1997. [Minsky67] Minsky. Computation: Finite and Infinite Machines. 1967. [TY01] Tripakis, Yovine. Analysis of Timed Systems using Time-Abstracting Bisimulations. FMSD 18(1), 2001. Hytech: Kronos: Uppaal: http://www-cad.eecs.berkeley.edu:80/ tah/hytech/ http://www-verimag.imag.fr/temporise/kronos/ http://www.uppaal.com/ Chennai january 2003 Timed Automata From Theory to Implementation p.45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback