The Formal Analysis of Timed Systems in Practice

The Formal Analysis of Timed Systems in Practice. Stavros Tripakis, December 16, 1998. Networks of timed automata; verification (model checking); controller synthesis; practical models and algorithms.


Presentation Transcript


  1. The Formal Analysis of Timed Systems in Practice. Stavros Tripakis, December 16, 1998

  2. The Formal Analysis of Timed Systems in Practice
     Networks of Timed Automata
     • Verification (model checking)
     • Controller Synthesis
     • Practical Models and Algorithms
     • User-friendly Tools and Feedback
     • Case Studies

  3. Timed Systems: Timed Automata (slides 3 to 7)
     [Figure: the train-gate-controller (TGC) example as three timed automata. Train: clock x, locations far, near, in; actions approach, enter, exit; constraints x := 0, x > 2, x >= 1, x <= 5. Gate: clock y; labels up, down, lower, raise; constraints y := 0, y <= 1, y >= 1, y <= 2. Controller: clock z; actions approach, lower, raise, exit; constraints z := 0, z <= 3, z <= 1. Slides 4 to 7 animate one run along a time line (approach, lower, enter) up to the clock valuation x = 2.1, y = 0.9, z = 2.1, with the guard x > 2 and invariant x <= 5 of the train shown at that point.]

  8. Types of Analysis: Verification
     Given a system and a property, verify that the system satisfies the property.
     e.g., "whenever the train is in the crossing, the gate is down"
     Properties:
     • Linear-time (execution sequences): Timed Büchi Automata.
     • Branching-time (execution trees): TCTL.

  9. Types of Analysis: Controller Synthesis
     Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves.
     Properties:
     • Invariance: the controller keeps the system inside a set of safe states.
     • Reachability: the controller leads the system to a set of target states.

  10. Timed Systems: Synthesizing a Controller
     [Figure: the TGC example with Train and Gate forming the Environment and the Controller to be synthesized, which exchanges the actions approach, lower, raise and exit with it.]

  11. Motivations
     Existing approaches, by problem (Reachability, TBA model checking, TCTL model checking, Controller Synthesis):
     • Enumerative (region by region): the region graph.
     • Symbolic (unions of regions encoded by polyhedra): Kronos forward, Kronos backward (fix-point).
     Drawbacks:
     • No diagnostics.
     • Expensive: complementation, nested fix-points, non-convex polyhedra.
     • Too big: 10^4 regions for TGC.

  12. Contributions
     • Generate & verify at the same time: On-the-fly verification.
     • Re-use untimed resources (algorithms + tools): the Time-abstracting Bisimulation (Quotient graph).
     Both are symbolic methods (unions of regions encoded by polyhedra), alongside Kronos forward and Kronos backward (fix-point), and cover reachability, TBA and TCTL model checking, and controller synthesis.

  13. Plan
     • Analysis with the Time-abstracting Bisimulation
     • On-the-fly Verification
     • Diagnostics
     • Controller Synthesis
     • Implementation
     • Case studies
     • Conclusions and Perspectives

  15. Analysis with Time-abstracting Bisimulations: The Time-abstracting Bisimulation
     Equivalence on TA states that:
     • preserves discrete state changes;
     • abstracts exact time delays.
     [Figure: states s1 to s4 related by the bisimulation R; a discrete a-step on one side is matched by delays δ1, δ2 followed by a on the other.]

  16. Analysis with Time-abstracting Bisimulations: The Time-abstracting Quotient Graph
     • The quotient induced by the greatest time-abstracting bisimulation defined on the TA.
     • Finite symbolic graph:
       - Nodes = symbolic states (equivalence classes).
       - Edges = symbolic transitions (discrete and time).
     • Basic property: pre-stability: for every edge Q1 → Q2 (discrete a or time), Q1 ∩ pre(Q2) = Q1, i.e., every state s1 of Q1 has a successor s2 in Q2.

  17. Analysis with Time-abstracting Bisimulations: Example of Quotient graph
     [Figure: the quotient graph of the TGC example; nodes are symbolic states such as (near, going up, 1, 1 < x <= y <= 2, z < x+1); edges are labeled with the discrete actions approach, lower, enter, exit, up, down, raise, and with time steps.]

  18. Analysis with Time-abstracting Bisimulations: Verification on the Quotient graph: Linear-time
     Every cycle in the quotient graph contains an infinite run and vice versa.
     Timed Büchi Automata model checking reduces to DFS for cycles or SCCs in the quotient graph.
     [Figure: a cycle Q1 Q2 Q3 Q4 in the quotient graph and the infinite run s1 s2 s3 s4 s5 ... it contains.]

  19. Analysis with Time-abstracting Bisimulations: Verification on the Quotient graph: Branching-time
     If s1 ≈ s2, then for any TCTL formula φ, s1 satisfies φ iff s2 satisfies φ. Due to determinism of time.
     TCTL model checking reduces to CTL model checking in the quotient graph.
     [Figure: bisimilar states s1, s2 with delays δ1, δ2 leading to s3 ... s6.]

  21. On-The-Fly Verification: The Simulation Graph
     • Finite symbolic graph generated dynamically by forward reachability:
       - Start from an initial node (symbolic state).
       - Add successor nodes using the post( ) operator: Q2 = post_time(post_a(Q1)).
       - Stop when a node is already visited.
     • Basic property: post-stability: every state s2 of Q2 is reached by an a-step from some state s1 of Q1.

  22. On-The-Fly Verification: Verification on the Simulation graph: Linear-time
     Every cycle in the simulation graph contains an infinite run and vice versa.
     Idea of proof: every post-stable cycle can be pre-stabilized.
     [Figure: a cycle Q0 Q1 Q2 Q3 in the simulation graph, pre-stabilized by shrinking Q3 to Q3 ∩ pre(Q1) and continuing around the cycle.]

  23. On-The-Fly Verification: Verification on the Simulation graph: Linear-time
     Every cycle in the simulation graph contains an infinite run and vice versa.
     The pre-stabilization process terminates, yielding a non-empty, pre-stable cycle, so pre-stability can be used to extract an infinite run.
     Timed Büchi Automata model checking reduces to DFS for cycles or SCCs in the simulation graph.
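The forward construction of slides 21 to 23, as an added Python example that is not Kronos code: symbolic states are (location, zone) pairs, zones are difference-bound matrices, successors are post_time(post_a(Q)), and a node already visited is not expanded again. Assumptions of this example: a constructed two-clock automaton, integer non-strict constraints only (so a guard like the TGC's x > 2 is out of scope here), and exact zone equality as the visited check.

```python
# Forward symbolic reachability over the simulation graph of slide 21, zones stored
# as difference-bound matrices (DBMs). Added example, not Kronos code.
INF = float("inf")
X, Y = 1, 2  # clock indices of the constructed automaton; index 0 is the constant 0
def canonical(d):  # Floyd-Warshall: tightest bounds, a unique representation per zone
    n = len(d)
    for k in range(n):
        for i in range(n):
            for j in range(n): d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return d
def empty(d): return any(d[i][i] < 0 for i in range(len(d)))  # negative diagonal: no solution
def up(d):  # time elapse: drop every upper bound x_i <= b (column 0)
    return [[INF if j == 0 and i > 0 else v for j, v in enumerate(r)] for i, r in enumerate(d)]
def reset(e, c):  # x_c := 0, in place, on a canonical zone
    for j in range(len(e)): e[c][j], e[j][c] = e[0][j], e[j][0]
def constrain(d, cons):  # copy of d intersected with constraints (i, j, b): x_i - x_j <= b
    e = [r[:] for r in d]
    for i, j, b in cons: e[i][j] = min(e[i][j], b)
    return canonical(e)

# Constructed automaton (a sender that may retry): "error" needs x >= 3 and y - x >= 3,
# hence y >= 6, which the invariant y <= 5 of location "sent" rules out.
INV = {"idle": [], "sent": [(Y, 0, 5)], "got": [], "error": []}
EDGES = [  # (source, label, guard, clocks reset, target)
    ("idle", "send",  [],                       [X, Y], "sent"),
    ("sent", "ack",   [(0, X, -1)],             [X],    "got"),    # x >= 1
    ("got",  "retry", [(0, X, -1)],             [],     "sent"),   # x >= 1
    ("sent", "fail",  [(0, X, -3), (X, Y, -3)], [],     "error"),  # x >= 3, y - x >= 3
]
def post(d, edge):  # successor zone post_time(post_a(Q)), or None when it is empty
    _, _, guard, resets, dst = edge
    e = constrain(d, guard)
    if empty(e): return None
    for c in resets: reset(e, c)
    e = constrain(up(e), INV[dst])
    return None if empty(e) else e

def simulation_graph(init="idle"):  # DFS over symbolic states (location, zone)
    z = constrain(up([[0] * 3 for _ in range(3)]), INV[init])
    key = lambda loc, d: (loc, tuple(map(tuple, d)))
    seen, stack = {key(init, z)}, [(init, z)]
    while stack:
        loc, d = stack.pop()
        for e in (e for e in EDGES if e[0] == loc):
            nd = post(d, e)
            if nd is not None and key(e[4], nd) not in seen:  # stop at visited nodes
                seen.add(key(e[4], nd)); stack.append((e[4], nd))
    return seen
def reachable(loc): return any(k[0] == loc for k in simulation_graph())
```

Raising the invariant of "sent" to y <= 6 makes "error" reachable, which is the kind of clock interplay a purely discrete abstraction would miss.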

  24. On-The-Fly Verification: Verification on the Simulation graph: Branching-time
     • Branching-time properties are not preserved: no pre-stability.
     • But: TCTL model checking reduces to nested problems of Timed Büchi Automata model checking.

  26. Diagnostics: Timed Diagnostics
     Symbolic diagnostics are not sufficient: no information on delays. Need timed diagnostics, e.g.: approach, 2.5, lower, 1, enter, ...
     • Finite diagnostics: extract runs from symbolic paths, choosing points and delays in the polyhedra (matrix representation).
       [Figure: in the quotient graph, a symbolic path Q1 Q2 Q3 Q4 Q5 with edges a, b, c yields the concrete run s1 s2 s3 s4, where s3 is followed by a delay s3+ before c.]

  27. Diagnostics: Timed Diagnostics
     Symbolic diagnostics are not sufficient: no information on delays. Need timed diagnostics, e.g.: approach, 2.5, lower, 1, enter, ...
     • Infinite diagnostics: this method does not terminate ...
       - a periodic run does not always exist ...
       - ... unless there are no strict constraints (<, >) in the symbolic cycle.

  29. Controller Synthesis
     • Untimed case:
       - Model: graph with edges labeled controllable / uncontrollable (c / u).
       - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors.
     • Timed case:
       - Model: TA with discrete actions labeled controllable / uncontrollable.
       - Semantics: dense strategies (time transitions?).

  30. Controller Synthesis using Fix-points
     • Controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves.
     • Compute winning states as fix-points of contr-pre( ).
     • Obtain the controller = intersect the TA with the winning states.
     • Method costly (complementation in contr-pre( ); the fix-point computes the maximal strategy).

  31. On-the-fly Controller Synthesis
     • On-the-fly algorithm for the untimed case:
       - a DFS is used to find a strategy;
       - the algorithm stops as soon as the first strategy is found.
     • The untimed algorithm can be used for timed synthesis, too: TA → quotient graph → untimed algorithm → (symbolic) strategy → TA controller.
     • Pre-stability of the quotient graph is essential for correctness, so the simulation graph cannot be used.
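The fix-point method of slide 30 applied to the untimed game model of slide 29, as an added Python example (not Kronos code): contr-pre over a graph with controllable and uncontrollable edges, a greatest fix-point for invariance, a least fix-point for reachability, and the maximal strategy as the graph restricted to winning states. The game graph, its labels and the treatment of deadlocked nodes as losing are constructed assumptions.

```python
from typing import List, Set, Tuple

Edge = Tuple[str, str, str, bool]  # (source, label, target, controllable?)

# Constructed untimed game graph, loosely in the spirit of the train-gate
# example: the controller decides whether to lower the gate on a request,
# the environment decides when trains come (possibly never) and enter.
EDGES: List[Edge] = [
    ("idle", "none",     "idle",  False),  # environment: no train this round
    ("idle", "approach", "req",   False),  # environment: a train announces itself
    ("req",  "lower",    "wait",  True),   # controller: lower the gate
    ("req",  "ignore",   "busy",  True),   # controller: leave the gate up (bad)
    ("busy", "enter",    "crash", False),  # environment: train enters, gate up
    ("wait", "enter",    "done",  False),  # environment: train enters, gate down
    ("done", "raise",    "idle",  True),   # controller: raise the gate again
]
NODES: Set[str] = {n for e in EDGES for n in (e[0], e[2])}

def successors(s: str, controllable: bool) -> Set[str]:
    return {dst for src, _, dst, ctrl in EDGES if src == s and ctrl == controllable}

def contr_pre(x: Set[str]) -> Set[str]:
    """Controllable predecessors of x (slide 30): states where every
    uncontrollable move stays in x and the controller still has a move into x
    (a node with no controllable edges needs an uncontrollable one instead).
    Assumption of this example: deadlocked nodes count as losing."""
    res = set()
    for s in NODES:
        unc, con = successors(s, False), successors(s, True)
        if unc <= x and ((con & x) or (not con and unc)):
            res.add(s)
    return res

def invariance(safe: Set[str]) -> Set[str]:
    """Greatest fix-point: states the controller can keep inside `safe` forever."""
    w = set(safe)
    while (nxt := w & contr_pre(w)) != w:
        w = nxt
    return w

def reachability(target: Set[str]) -> Set[str]:
    """Least fix-point: states from which the controller can force `target`."""
    w = set(target)
    while (nxt := w | contr_pre(w)) != w:
        w = nxt
    return w

def controller(winning: Set[str]) -> List[Edge]:
    """The (maximal) strategy: the game graph restricted to winning states."""
    return [e for e in EDGES if e[0] in winning and e[2] in winning]
```

On this graph invariance is winnable from "idle" (the strategy simply drops the "ignore" edge), while reachability of "done" is not, because the environment may take the "none" loop forever.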

  32. Controller Synthesis: On-the-fly synthesis in quotient graph
     [Figure: the quotient graph of the TGC example (edges labeled approach, lower, enter, exit, up, down, raise and time steps) with the strategy found by the on-the-fly DFS highlighted.]

  34. Implementation in Kronos
     [Diagram: Kronos takes a network of TA (with on-the-fly parallel composition), a property P (TCTL formula, TBA, or bounded property P, <= k) and an initial partition, and offers Reachability, Safe TCTL model checking, Full TCTL model checking, TBA model checking, Minimization (quotient graph) and Controller Synthesis, all built on a matrix library. Outputs: Yes/No with diagnostics, a restricted TA (the controller), and the quotient graph, which is handed to Aldebaran for reduction/comparison, model checking and simulation/visualization.]

  35. Implementation: Connection of Kronos to Open-Caesar
     [Diagram: input model = TA network + discrete shared variables + message passing. The Kronos-Open generator performs code generation into model.c, which a C compiler links against Open-Caesar's graph library and an optimized polyhedra library; the result is the simulation graph behind the Open-Caesar interface. Open-Caesar tools then run on it: exhibitor (regular expression → Yes/No + untimed diagnostics), evaluator (μ-calculus formula → Yes/No + untimed diagnostics), simulator, and profounder (state formula: reachability + timed diagnostics; TBA model checking).]

  37. Case Studies
     • FRP/DT protocol (project with CNET, Lannion)
       - found inconsistency error (known to designers)
     • Multimedia documents (from INRIA project OPERA)
       - modeled documents as Timed Automata
       - checked executability (model checking)
       - computed schedulers (controller synthesis)
     • Bang&Olufsen protocol (from previous case study by Uppaal)
       - found error not reported in Uppaal case study
     • Benchmarks: STARI chip, Fischer's protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

  38. Case studies: Experiences: performance
     • Improved performance in benchmarks, often by many orders of magnitude.
     • Tools and techniques able to handle real-world case studies:
       - Bang&Olufsen: 30 discrete variables, large constants; simulation graph = 10^7 symbolic states, 15 mins, 300 MB; counter-example = 1500 steps long, 20 secs
       - STARI: 30 clocks, 60 boolean variables
     • Often the bottleneck is the discrete state space.

  39. Case studies: Experiences: comparison of methods
     Techniques are complementary.

     Case study             Quotient graph                   Simulation graph
                            nodes     edges     time (secs)  nodes     edges     time (secs)
     Fischer                22,085    122,804   1,000        164,935   457,799   1,060
     Real-time scheduling   929       1,503     70           10,839    22,382    150
     Philips                503       1,001     3            194       488       1
     CSMA/CD                481       875       1            60        96        1

  40. Conclusions
     Practicality is not measured only in seconds and megabytes.
     • Expressive models:
       - discrete variables (Kronos-open)
       - different property-specification formalisms (TBA, TCTL)
     • Variety:
       - of problems (model checking, controller synthesis)
       - of techniques (on-the-fly, using untimed tools)
       - of feedback (symbolic/timed diagnostics, controllers)
     • Case studies: source of inspiration.

  41. Perspectives
     • Controller synthesis:
       - more properties (e.g., liveness)
       - more efficient techniques (e.g., completely on-the-fly)
     • Performance:
       - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra)
       - adaptation/combination with untimed techniques reducing parallelism (e.g., partial orders)
     • Methodology for correct & efficient modeling:
       - domain-specific guidelines
       - composition theory

  42. The end, and thank you!
