The Formal Analysis of Timed Systems in Practice
Stavros TRIPAKIS
December 16, 1998

The Formal Analysis of Timed Systems in Practice
• Networks of Timed Automata
• Verification (model checking)
• Controller Synthesis
• Practical Models and Algorithms
• User-friendly Tools and Feedback
• Case Studies

Timed Systems: Timed Automata
Figure: the train-gate-controller example as a network of three timed automata. The Train (locations far, near, in; clock x) has transitions approach, enter, exit with the constraints x >= 1, x <= 5, x > 2 and the reset x := 0. The Gate (locations up, down; clock y) has transitions lower, raise with the constraints y <= 1, y >= 1, y <= 2 and the reset y := 0. The Controller (clock z) synchronizes on approach, lower, raise, exit with the constraints z <= 1, z <= 3 and the reset z := 0. The slides animate a sample run along the time axis: approach, then lower, then enter, ending in the clock valuation x = 2.1, y = 0.9, z = 2.1.

Types of Analysis: Verification
Given a system and a property, verify that the system satisfies the property.
e.g., “whenever the train is in the crossing, the gate is down”
Properties:
• Linear-time (execution sequences): Timed Büchi Automata.
• Branching-time (execution trees): TCTL.
Types of Analysis: Controller Synthesis
Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves.
Properties:
• Invariance: the controller keeps the system inside a set of safe states.
• Reachability: the controller leads the system to a set of target states.

Timed Systems: Synthesizing a Controller
Figure: the same example with Train and Gate grouped as the Environment, and the Controller (here with clock x, constraints x <= 1 and x <= 0 on lower and raise, synchronizing on approach and exit) as the automaton to be restricted.

Motivations
Problems considered: reachability, TBA model checking, TCTL model checking, controller synthesis.
• Enumerative (region by region): the region graph.
  - Too big: 10^4 regions for TGC.
• Symbolic (unions of regions encoded by polyhedra): Kronos forward and Kronos backward (fix-point) algorithms.
  - No diagnostics.
  - Expensive: non-convex polyhedra, complementation, nested fix-points.

Contributions
Symbolic, re-using untimed resources (algorithms + tools), for reachability, TBA and TCTL model checking, and controller synthesis:
• On-the-fly verification: generate & verify at the same time.
• Time-abstracting bisimulation (quotient graph).

Plan
• Analysis with the Time-abstracting Bisimulation
• On-the-fly Verification
• Diagnostics
• Controller Synthesis
• Implementation
• Case studies
• Conclusions and Perspectives

Analysis with Time-abstracting Bisimulations: The Time-abstracting Bisimulation
Equivalence on TA states:
• Preserve discrete state changes: if s1 ~ s2 and s1 -a-> s3, then s2 -a-> s4 with s3 ~ s4.
• Abstract exact time delays: if s1 ~ s2 and s1 -δ1-> s3, then s2 -δ2-> s4 with s3 ~ s4, for some delays δ1, δ2 ∈ R (not necessarily equal).
Analysis with Time-abstracting Bisimulations: The Time-abstracting Quotient Graph
• The quotient induced by the greatest time-abstracting bisimulation defined on the TA.
• Finite symbolic graph:
  - Nodes = symbolic states (equivalence classes).
  - Edges = symbolic transitions (discrete and time).
• Basic property: pre-stability. If some state s1 of class Q1 has an a-successor s2 in class Q2, then every state of Q1 does: Q1 ∩ pre_a(Q2) = Q1. Likewise for time transitions: Q1 ∩ pre_time(Q2) = Q1.

Analysis with Time-abstracting Bisimulations: Example of Quotient graph
Figure: the quotient graph of the train-gate-controller example, with edges labelled approach, lower, enter, exit, raise; one node is (near, going up, 1, raise) with 1 < x <= y <= 2, z < x + 1.

Analysis with Time-abstracting Bisimulations: Verification on the Quotient graph: Linear-time
• Every cycle in the quotient graph contains an infinite run and vice versa.
• Timed Büchi Automata model checking therefore reduces to a DFS for cycles or SCCs in the quotient graph.

Analysis with Time-abstracting Bisimulations: Verification on the Quotient graph: Branching-time
• If s1 ~ s2, then for any TCTL formula φ, s1 satisfies φ iff s2 satisfies φ. Due to determinism of time.
• TCTL model checking therefore reduces to CTL model checking in the quotient graph.

On-The-Fly Verification: The Simulation Graph
• Finite symbolic graph generated dynamically by forward reachability:
  - Start from an initial node (symbolic state).
  - Add successor nodes using the post( ) operator.
  - Stop when a node is already visited.
• Basic property: post-stability. Q2 = post_time(post_a(Q1)): if s1 ∈ Q1 has an a-successor followed by a time delay, the resulting state s2 lies in Q2.

On-The-Fly Verification: Verification on the Simulation graph: Linear-time
• Every cycle in the simulation graph contains an infinite run and vice versa.
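The simulation-graph construction described above, as an added example that is not code from the slides or from Kronos: zones are stored as difference bound matrices (the "matrix representation" of polyhedra the diagnostics slides refer to), successors are computed as post_time(post_a(Q)), the forward exploration stops at already-visited nodes, and a DFS looks for the cycles that Timed Büchi Automata model checking reduces to. The timed automaton, its locations (idle, busy), clocks (x, y) and constraints are constructed for this example and are not the train-gate-controller of the slides.

```python
import math
from collections import deque

# A clock bound is (value, strict): strict=True encodes "<", False encodes "<=".
INF = (math.inf, True)
ZERO = (0, False)

def bound_lt(a, b):
    """True when bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def bound_add(a, b):
    return (a[0] + b[0], a[1] or b[1])

def canonical(D):
    """Floyd-Warshall closure of a DBM; None if the zone is empty."""
    n, D = len(D), [list(row) for row in D]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                s = bound_add(D[i][k], D[k][j])
                if bound_lt(s, D[i][j]):
                    D[i][j] = s
    return None if any(bound_lt(D[i][i], ZERO) for i in range(n)) else D

def constrain(D, cons):
    """Intersect zone D with constraints (i, j, b) meaning x_i - x_j <= b."""
    D = [list(row) for row in D]
    for i, j, b in cons:
        if bound_lt(b, D[i][j]):
            D[i][j] = b
    return canonical(D)

def elapse(D):
    """Time successor: drop every upper bound x_i <= c (column 0)."""
    D = [list(row) for row in D]
    for i in range(1, len(D)):
        D[i][0] = INF
    return canonical(D)

def reset(D, clocks):
    """Reset the given clock indices to 0 in a canonical zone."""
    D = [list(row) for row in D]
    for c in clocks:
        for j in range(len(D)):
            if j != c:
                D[c][j], D[j][c] = D[0][j], D[j][0]
        D[c][c] = ZERO
    return canonical(D)

def atom(clocks, clock, op, k):
    """Translate ("x", ">=", 1) etc. into DBM form; index 0 is the reference clock."""
    i = clocks[clock]
    return {"<=": (i, 0, (k, False)), "<": (i, 0, (k, True)),
            ">=": (0, i, (-k, False)), ">": (0, i, (-k, True))}[op]

# Constructed toy TA (hypothetical, not from the slides): a sender alternating between
# idle (must leave within 3 time units) and busy (holds the channel at most 2 units).
TA = {
    "clocks": {"x": 1, "y": 2},
    "init": "idle",
    "inv": {"idle": [("x", "<=", 3)], "busy": [("y", "<=", 2)]},
    "edges": [  # (source, label, guard, resets, target)
        ("idle", "send", [("x", ">=", 1)], ["y"], "busy"),
        ("busy", "done", [("y", ">=", 1)], ["x"], "idle"),
    ],
}

def simulation_graph(ta):
    """Forward exploration: nodes are (location, zone) with zone = post_time(post_a(Q))."""
    clocks, n = ta["clocks"], len(ta["clocks"]) + 1
    inv = {l: [atom(clocks, *a) for a in cs] for l, cs in ta["inv"].items()}
    post_time = lambda D, loc: constrain(elapse(D), inv[loc])
    nodes, edges, work = {}, [], deque()

    def intern(loc, D):  # node id; new nodes are queued for expansion
        key = (loc, tuple(map(tuple, D)))
        if key not in nodes:
            nodes[key] = len(nodes)
            work.append((loc, D))
        return nodes[key]

    start = post_time([[ZERO] * n for _ in range(n)], ta["init"])  # all clocks = 0
    if start is not None:
        intern(ta["init"], start)
    while work:
        loc, D = work.popleft()
        src = intern(loc, D)
        for s, label, guard, resets, t in ta["edges"]:
            if s != loc:
                continue
            Q = constrain(D, [atom(clocks, *g) for g in guard])
            if Q is None:
                continue  # guard unsatisfiable in this zone
            Q = post_time(reset(Q, [clocks[c] for c in resets]), t)
            if Q is not None:
                edges.append((src, label, intern(t, Q)))
    return nodes, edges

def find_cycle(nodes, edges):
    """DFS for a cycle (list of node ids); on the simulation graph it witnesses an infinite run."""
    succ = {}
    for s, _, t in edges:
        succ.setdefault(s, []).append(t)
    color, path = {}, []

    def dfs(u):
        color[u] = 1
        path.append(u)
        for v in succ.get(u, []):
            if color.get(v) == 1:
                return path[path.index(v):] + [v]
            if v not in color:
                found = dfs(v)
                if found:
                    return found
        color[u] = 2
        path.pop()
        return None

    for u in range(len(nodes)):
        if u not in color:
            found = dfs(u)
            if found:
                return found
    return None

def reachable(ta, nodes, loc, cons):
    """Does some explored zone of location loc contain a state satisfying cons?"""
    cs = [atom(ta["clocks"], *a) for a in cons]
    return any(l == loc and constrain(zone, cs) is not None for (l, zone) in nodes)

if __name__ == "__main__":
    nodes, edges = simulation_graph(TA)
    print(len(nodes), "nodes", edges, "cycle:", find_cycle(nodes, edges))
```

For this automaton the exploration yields three symbolic states and a cycle between the two reached after the first send, and reachability queries are answered by intersecting the explored zones with the query constraint, so "x > 4 in busy" is reachable while "x > 5 in busy" is not.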
• Idea of proof: every post-stable cycle Q1, Q2, Q3 (reached from the initial node Q0) can be pre-stabilized, replacing Q3 by Q3 ∩ pre(Q1) and continuing around the cycle. The process terminates, yielding a non-empty, pre-stable cycle; pre-stability is then used to extract an infinite run.
• Timed Büchi Automata model checking therefore reduces to a DFS for cycles or SCCs in the simulation graph.

On-The-Fly Verification: Verification on the Simulation graph: Branching-time
• Branching-time properties not preserved: no pre-stability.
• But: TCTL model checking reduces to nested problems of Timed Büchi Automata model checking.

Diagnostics: Timed Diagnostics
• Symbolic diagnostics not sufficient: no information on delays. Need timed diagnostics, e.g.: approach, 2.5, lower, 1, enter, ...
• Finite diagnostics: extract runs from symbolic paths. e.g., in the quotient graph, for a symbolic path Q1 -a-> Q2 -b-> Q3 -c-> Q4 -> Q5, choose points s1 ∈ Q1, s2 ∈ Q2, s3 ∈ Q3 and delays (s3 + δ ∈ Q3 before c is taken to s4 ∈ Q4) in the polyhedra (matrix representation).
• Infinite diagnostics: this method does not terminate.
  - a periodic run does not always exist
  - ... unless there are no strict constraints (<, >) in the symbolic cycle

Controller Synthesis
• Untimed case:
  - Model: graph with edges labeled controllable (c) / uncontrollable (u).
  - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors.
• Timed case:
  - Model: TA with discrete actions labeled controllable / uncontrollable.
  - Semantics: dense strategies (time transitions?).

Controller Synthesis using Fix-points
• controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves.
• compute winning states as fix-points of contr-pre( ).
• obtain controller = intersect TA with winning states.
• method costly (complementation in contr-pre( ), fix-point computes maximal strategy).

On-the-fly Controller Synthesis
• on-the-fly algorithm for the untimed case:
  - a DFS is used to find a strategy
  - the algorithm stops as soon as the first strategy is found
• untimed algorithm can be used for timed synthesis, too:
  TA -> Quotient graph -> untimed algorithm -> (symbolic) strategy -> controller
  - pre-stability of the quotient graph is essential for correctness
  - cannot use the simulation graph...

On-the-fly synthesis in quotient graph
Figure: the quotient graph of the train-gate-controller example (edges approach, lower, enter, exit, raise) with the sub-graph selected by the on-the-fly synthesis.

Implementation in Kronos
Figure: Kronos tool architecture.
• Minimization: from a TA and an initial partition P, compute the quotient graph; on it, full TCTL model checking, safe TCTL model checking and controller synthesis, plus Aldebaran (reduction/comparison, model checking, simulation/visualization).
• (On-the-fly) parallel composition of the TA network, then reachability: Yes/No, diagnostics, restricted TA (controller).
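The fix-point method for the untimed case, as an added example that is neither the slides' nor Kronos' code: contr-pre(Q) follows the strategy semantics stated above (keep at least one controllable and all uncontrollable successors), the winning states of an invariance property are the greatest fix-point of safe ∩ contr-pre(W), and the extracted strategy is the maximal one. The game graph is a constructed, hand-abstracted train/gate crossing whose node and edge names are assumptions for this example; the controllable self-loops labelled wait model the controller's option to do nothing.

```python
# Constructed untimed game graph (hypothetical, not from the slides): a
# time-abstracted train/gate crossing. Each edge is (label, controllable, successor).
GRAPH = {
    "far_up":       [("wait", True, "far_up"), ("approach", False, "near_up")],
    "near_up":      [("lower", True, "near_down"), ("wait", True, "near_up_late")],
    "near_up_late": [("lower", True, "near_down"), ("enter", False, "in_up")],
    "near_down":    [("wait", True, "near_down"), ("enter", False, "in_down")],
    "in_down":      [("wait", True, "in_down"), ("exit", False, "far_down")],
    "far_down":     [("raise", True, "far_up"), ("wait", True, "far_down")],
    "in_up":        [("wait", True, "in_up")],  # train in the crossing, gate up
}
SAFE = set(GRAPH) - {"in_up"}

def contr_pre(graph, Q):
    """Controllable predecessors of Q: every uncontrollable successor lies in Q
    and at least one controllable successor lies in Q (the strategy semantics)."""
    pre = set()
    for s, edges in graph.items():
        unc = [t for _, c, t in edges if not c]
        con = [t for _, c, t in edges if c]
        if all(t in Q for t in unc) and any(t in Q for t in con):
            pre.add(s)
    return pre

def winning_states(graph, safe):
    """Greatest fix-point W = safe ∩ contr-pre(W) for an invariance property."""
    W = set(safe)
    while True:
        nxt = set(safe) & contr_pre(graph, W)
        if nxt == W:
            return W
        W = nxt

def strategy(graph, W):
    """Maximal strategy: for winning nodes, keep all uncontrollable edges and
    the controllable edges that stay inside W."""
    return {s: [(l, t) for l, c, t in graph[s] if not c or t in W] for s in W}

def is_strategy(graph, S):
    """Check the slides' definition: each node keeps at least one controllable
    and all uncontrollable successors, and the sub-graph is closed."""
    for s, kept in S.items():
        kept_set = set(kept)
        unc = {(l, t) for l, c, t in graph[s] if not c}
        con = {(l, t) for l, c, t in graph[s] if c}
        closed = {t for _, t in kept} <= set(S)
        if not (unc <= kept_set and con & kept_set and closed):
            return False
    return True

def losing_variant(graph):
    """Same game without the early lower option: the controller can only wait."""
    g = dict(graph)
    g["near_up"] = [("wait", True, "near_up_late")]
    return g

if __name__ == "__main__":
    W = winning_states(GRAPH, SAFE)
    print("winning:", sorted(W))
    print("strategy:", strategy(GRAPH, W))
    print("initial node winning without early lower:",
          "far_up" in winning_states(losing_variant(GRAPH), SAFE))
```

The fix-point discards near_up_late (the environment may enter before the gate is down) and the strategy keeps only lower at near_up; in the variant without that early lower, the initial node far_up itself becomes losing. As the slides note, this computes the maximal strategy, whereas the on-the-fly DFS stops at the first strategy found.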
• TBA model checking: Yes/No, diagnostics.
• Matrix library underneath.

Connection of Kronos to Open-Caesar
Figure: tool chain. Input model: TA network + discrete shared variables + message passing. Kronos-Open generates model.c, the interface to Open-Caesar's graph library, which a C compiler links with an optimized polyhedra library; the Open-Caesar tools then work on the simulation graph:
• simulator
• μ-calculus formula evaluator: Yes/No + untimed diagnostics
• regular expression exhibitor: Yes/No + untimed diagnostics
• generator: simulation graph
• profounder (state formula, TBA): reachability + timed diagnostics; TBA model checking

Case Studies
• FRP/DT protocol (project with CNET, Lannion)
  - found inconsistency error (known to designers)
• Multimedia documents (from INRIA project OPERA)
  - modeled documents as Timed Automata
  - checked executability (model checking)
  - computed schedulers (controller synthesis)
• Bang&Olufsen protocol (from previous case study by Uppaal)
  - found error not reported in Uppaal case study
• Benchmarks: STARI chip, Fischer's protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

Case studies: Experiences: performance
• improved performance in benchmarks, often by many orders of magnitude.
• tools and techniques able to handle real-world case studies:
  - Bang&Olufsen: 30 discrete variables, large constants; simulation graph = 10^7 symbolic states, 15 mins, 300 MB; counter-example = 1500 steps long, 20 secs
  - STARI: 30 clocks, 60 boolean variables
• often the bottleneck is the discrete state space

Case studies: Experiences: comparison of methods
Techniques are complementary:

                        Quotient graph                    Simulation graph
  Case study            nodes     edges    time (secs)    nodes     edges    time (secs)
  Fischer               22,085    122,804  1,000          164,935   457,799  1,060
  Real-time scheduling  929       1,503    70             10,839    22,382   150
  Philips               503       1,001    3              194       488      1
  CSMA/CD               481       875      1              60        96       1

Conclusions
Practicality is not measured only in seconds and megabytes.
• Expressive models:
  - discrete variables (Kronos-open)
  - different property-specification formalisms (TBA, TCTL)
• Variety:
  - of problems (model checking, controller synthesis)
  - of techniques (on-the-fly, using untimed tools)
  - of feedback (symbolic/timed diagnostics, controllers)
• Case studies: source of inspiration.

Perspectives
• Controller synthesis:
  - more properties (e.g., liveness)
  - more efficient techniques (e.g., completely on-the-fly)
• Performance:
  - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra)
  - adaptation/combination with untimed techniques reducing parallelism (e.g., partial orders)
• Methodology for correct & efficient modeling:
  - domain-specific guidelines
  - composition theory

The end, and thank you!