08-11-2004 Kåre J. Kristoffersen 1
Research Topic: Finding Shortest Paths in Vector Rally using a Model Checker
Win a T-Shirt!
Vector Rally: Essentials
Question: What is the smallest number of steps from Start to Finish, such that the car reaches the Finish Line and halts?
A Model Checker - Or a Verification Machine
[Figure: a model (program) and a specification (a requirement) are fed into the model checker, which answers YES or NO.]
www.uppaal.com
Uppaal: Model Language
Parallel composition of finite state machines. This means we can model things like threads and communication protocols.
State machines may be nondeterministic.
Augmented with integer variables, arrays, clocks (timers) and synchronization labels for modelling handshakes.
Uppaal: Handshake
[Figure: automaton N with locations n0 and n1 and an edge labelled a!; automaton M with locations m0 and m1 and an edge labelled a?; the edge labels carry the guard x<5 and the updates z:=z+2 and y:=y-7. In the parallel composition N || M the two edges fire together as one transition (n0, m0) -> (n1, m1) with guard x<5 and updates z:=z+2, y:=y-7.]
Uppaal: Spec. Language
Temporal logic for expressing safety and liveness properties.
Safety: Something bad will never happen.
Liveness: Something good will eventually happen.
Safety Properties:
A state satisfying predicate Error is never reached:
A[]not(Error)
(A: for all executions; []: for all states in an execution)
Safety Example:
A[]not(x > 100)
A[]not(Gate.Open and Train.AtCrossing)
Liveness Properties
A state satisfying Good is eventually reached:
E<> (Good)
(E: there exists an execution; <>: for some state in this execution)
Liveness Example:
E<>(8<=x and x<=10 and y==0 and dx==0 and dy==0)
There exists an execution (of Vector Rally) such that the car reaches the Finish Line and halts.
Nice: If there is such a path, then UPPAAL will give us the shortest one.
Global Declarations
// The obstacles
int[0,10] b[4][4] := {{2,2,4,4},{0,7,3,8},{6,0,7,7},{9,6,10,7}};
// The speed vector
int[-5,10] dx,dy;
// Position and number of obstacles
int[0,10] x:=0;
int[0,10] y:=0;
int[0,4] rect;
// Sync. labels between Car and Checker
chan check, ok;
The Automaton Car
Principle of Collision Detection
Here, the car at (x1, y1) moving by (dx, dy) collides with the vertical obstacle edge x = a (spanning y from L to h) because:
x1 <= a <= x2 AND
L <= (a-x1)dy/dx + y1 <= h,
which reduces to:
x1 <= a <= x2 AND
L*dx <= (a-x1)dy + y1*dx <= h*dx
(multiplying through by dx avoids division; for dx < 0 the inequalities flip, which is why the Checker has separate dx>0 and dx<0 cases).
The Automaton Checker
Collision Condition:
not(
x+dx<0 or x+dx>10 or y+dy<0 or y+dy>10 or
(dx==0 and b[rect][0]<=x and x<=b[rect][2] and
((y<=b[rect][1] and y+dy>=b[rect][1])or
(y>=b[rect][1] and y+dy<=b[rect][1])or
(y<=b[rect][3] and y+dy>=b[rect][3])or
(y>=b[rect][3] and y+dy<=b[rect][3])))
or
(dy==0 and b[rect][1]<=y and y<=b[rect][3] and
((x<=b[rect][0] and x+dx>=b[rect][0])or
(x>=b[rect][0] and x+dx<=b[rect][0])or
(x<=b[rect][2] and x+dx>=b[rect][2])or
(x>=b[rect][2] and x+dx<=b[rect][2])))
or
(((dx>0 and x<=b[rect][0] and x+dx>=b[rect][0])or(dx>0 and x>=b[rect][0] and x+dx<=b[rect][0])) and
b[rect][1]*dx<= (y*dx)+(b[rect][0]-x)*dy and
(y*dx)+(b[rect][0]-x)*dy<=b[rect][3]*dx)
or
(((dx<0 and x<=b[rect][0] and x+dx>=b[rect][0])or(dx<0 and x>=b[rect][0] and x+dx<=b[rect][0])) and
b[rect][1]*dx>= (y*dx)+(b[rect][0]-x)*dy and
(y*dx)+(b[rect][0]-x)*dy>=b[rect][3]*dx)
or
(((dx>0 and x<=b[rect][2] and x+dx>=b[rect][2])or(dx>0 and x>=b[rect][2] and x+dx<=b[rect][2])) and
b[rect][1]*dx <= (y*dx)+(b[rect][2]-x)*dy and
(y*dx)+(b[rect][2]-x)*dy<=b[rect][3]*dx)
or
(((dx<0 and x<=b[rect][2] and x+dx>=b[rect][2])or(dx<0 and x>=b[rect][2] and x+dx<=b[rect][2])) and
b[rect][1]*dx >= (y*dx)+(b[rect][2]-x)*dy and
(y*dx)+(b[rect][2]-x)*dy>=b[rect][3]*dx)
or(((dy>0 and y<=b[rect][1] and y+dy>=b[rect][1]) or (dy>0 and y>=b[rect][1] and y+dy<=b[rect][1])) and
b[rect][0]*dy<= (x*dy)+(b[rect][1]-y)*dx and
(x*dy)+(b[rect][1]-y)*dx <= b[rect][2]*dy)
or(((dy<0 and y<=b[rect][1] and y+dy>=b[rect][1]) or (dy<0 and y>=b[rect][1] and y+dy<=b[rect][1])) and
b[rect][0]*dy>= (x*dy)+(b[rect][1]-y)*dx and
(x*dy)+(b[rect][1]-y)*dx >= b[rect][2]*dy)
or(((dy>0 and y<=b[rect][3] and y+dy>=b[rect][3]) or (dy>0 and y>=b[rect][3] and y+dy<=b[rect][3])) and
b[rect][0]*dy<= (x*dy)+(b[rect][3]-y)*dx and
(x*dy)+(b[rect][3]-y)*dx <= b[rect][2]*dy)
or(((dy<0 and y<=b[rect][3] and y+dy>=b[rect][3]) or (dy<0 and y>=b[rect][3] and y+dy<=b[rect][3])) and
b[rect][0]*dy>= (x*dy)+(b[rect][3]-y)*dx and
(x*dy)+(b[rect][3]-y)*dx >= b[rect][2]*dy)
)
Let’s try Uppaal
• Modelling
• Simulation
• Verification
The Solution:
Algorithm: Reachability Analysis
Initialize: Passed := Ø, Waiting := {n0}
Repeat: Pick n from Waiting;
  if n is already in Passed then do nothing,
  else add {m : n -> m} to Waiting and move n to Passed
Until (Waiting = Ø) OR (Goal in Waiting)
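The two pieces above, the division-free edge test from the Principle of Collision Detection and the Passed/Waiting reachability loop, combined into one runnable search over the (x,y,dx,dy) state space. This is an added example, not the author's Uppaal model: the obstacle table and the finish condition are the slide's, but the Car's move rule (change dx and dy by -1, 0 or +1 per step) is assumed, since the Car automaton is not in the text.

```python
from collections import deque

GRID, START = 10, (0, 0, 0, 0)            # positions 0..10; state is (x, y, dx, dy)
OBSTACLES = [(2, 2, 4, 4), (0, 7, 3, 8), (6, 0, 7, 7), (9, 6, 10, 7)]  # slide 11's b

def hits_vertical_edge(x, y, dx, dy, a, lo, hi):
    """Slide 13: crosses the edge x == a with lo <= y <= hi? The division in
    lo <= (a-x)*dy/dx + y <= hi is cleared by *dx, which flips the test for dx < 0."""
    if dx == 0 or not (min(x, x + dx) <= a <= max(x, x + dx)):
        return False
    at_edge = (a - x) * dy + y * dx       # y-coordinate at the edge, times dx
    return lo * dx <= at_edge <= hi * dx if dx > 0 else hi * dx <= at_edge <= lo * dx

def hits_rect(x, y, dx, dy, rect):
    """Touches any edge of rect = (x1, y1, x2, y2); horizontal edges swap the axes."""
    x1, y1, x2, y2 = rect
    return (hits_vertical_edge(x, y, dx, dy, x1, y1, y2)
            or hits_vertical_edge(x, y, dx, dy, x2, y1, y2)
            or hits_vertical_edge(y, x, dy, dx, y1, x1, x2)
            or hits_vertical_edge(y, x, dy, dx, y2, x1, x2))

def is_goal(s):
    x, y, dx, dy = s                      # slide 10's E<> query
    return 8 <= x <= GRID and y == 0 and dx == 0 and dy == 0

def successors(s):
    """Assumed Car rule: each step changes dx and dy by -1, 0 or +1."""
    x, y, dx, dy = s
    for ndx, ndy in ((dx + ax, dy + ay) for ax in (-1, 0, 1) for ay in (-1, 0, 1)):
        nx, ny = x + ndx, y + ndy
        if 0 <= nx <= GRID and 0 <= ny <= GRID and \
           not any(hits_rect(x, y, ndx, ndy, r) for r in OBSTACLES):
            yield (nx, ny, ndx, ndy)

def shortest_path(start=START):
    """Slide 18's Passed/Waiting loop with Waiting as a FIFO queue, so the first
    goal state taken out is reached by a shortest trace; None if unreachable."""
    parent, waiting = {start: None}, deque([start])   # parent doubles as Passed
    while waiting:
        n = waiting.popleft()
        if is_goal(n):
            trace = [n]
            while parent[trace[-1]] is not None:
                trace.append(parent[trace[-1]])
            return trace[::-1]
        for m in successors(n):
            if m not in parent:               # not yet in Passed or Waiting
                parent[m] = n
                waiting.append(m)
    return None
```

Because Waiting is a FIFO, the loop explores states in order of step count, which is what makes the first goal state found a shortest solution; with a LIFO Waiting the same loop would still answer the E<> query but not give the shortest trace.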
How many Combinations?
[Figure: a 2x2 grid with the x and y axes labelled 0 and 1.]
Q: How many different states are there in this very simple grid?
Hint: A state is a four-tuple (x,y,dx,dy).
Exhaustive Verification
• 100 % coverage
• Precomputes all possible execution paths and checks them prior to the execution of the program
• Used for checking safety-critical systems (controllers, drivers, etc.)
• Suffers from the State Explosion problem
• However, the limits of what verification can be applied to are constantly being pushed
Runtime Verification
• Performed at runtime
• Only a single program trace is checked.
• Almost like testing
• Feasible for less safety-critical systems, such as financial software
• Current research project (NEXT) on checking temporal business rules.
Challenge: Driving a Loop
Start/Finish
We need a small trick in the model to find the shortest path here!!