08-11-2004 Kåre J. Kristoffersen 1 Research Topic: Finding Shortest paths in Vector Rally using a Model Checker Win a T-Shirt!

08-11-2004 Kåre J. Kristoffersen 1

Research Topic:Finding Shortest paths in Vector

Rally using a Model Checker

Win a T-Shirt!


Vector Rally: Essentials

Question: What is the smallest

number of steps from

Start to Finish, such that the

car reaches the Finish Line and

halts?


A Model Checker

model

(program)

specification

(a requirement)

YES

NO

- Or a Verification Machine

www.uppaal.com


Uppaal: Model Language

Parallel composition of Finite State Machines. This means we can model things like threads and communication protocols.

State machines may be nondetermisistic.

Augmented with Integer variables, arrays, clocks (timers) and synchronization labels for modelling handshake.


Uppall : Handshake

n0

n1

m0

m1

a! a?

N MN || M

(n0, m0)

(n1, m1)

x<5

z:=z+2 y := y-7

x<5

z:=z+2

y:=y-7


Uppaal: Spec. Language

Temporal Logic for expressing safety and Liveness properties.

Safety: Something bad will never happen.

Liveness: Something good will eventually happen.


Safety Properties:

A state satisfying prodicate Error is never reached:

A[]not(Error)

For all executions

For all states in an

execution


Safety Example:

A[]not(x > 100)

A[](Gate.Open and Train.AtCrossing)


Liveness Properties

A State satisfying Good is eventually reached:

E<> (Good)

There exists an execution

For some state in this execution


Liveness Example:

E<>(8<=x and x<=10 and y==0 and dx==0 and dy==0)

There exist an execution (of Vector Rally) such that the car reaches the Finish Line and Halts.

Nice: If there is such a path then UPPAAL will give us the shortest


Global Declarations//The obstacles

int[0,10] b[4][4] := {{2,2,4,4},{0,7,3,8},{6,0,7,7},{9,6,10,7}};

// The speed vector

int[-5,10] dx,dy;

// Position and number of obstacles

int[0,10] x:=0;

int[0,10] y:=0;

int[0,4] rect;

// Sync. labels between Car and Checker

chan check, ok;


The Automaton Car


Principle of Collision Detection

Here, collision because:

x1 <= a <= x2 AND

L<= (a-x1)dy/dx +y1 <= h,

which reduces to:

x1 <= a <= x2 AND

L*dx<= (a-x1)dy + y1*dx <= h*dx


The Atomaton Checker


Collision Condition:not(

x+dx<0 or x+dx>10 or y+dy<0 or y+dy>10 or

(dx==0 and b[rect][0]<=x and x<=b[rect][2] and

((y<=b[rect][1] and y+dy>=b[rect][1])or

(y>=b[rect][1] and y+dy<=b[rect][1])or

(y<=b[rect][3] and y+dy>=b[rect][3])or

(y>=b[rect][3] and y+dy<=b[rect][3])))

or

(dy==0 and b[rect][1]<=y and y<=b[rect][3] and

((x<=b[rect][0] and x+dx>=b[rect][0])or

(x>=b[rect][0] and x+dx<=b[rect][0])or

(x<=b[rect][2] and x+dx>=b[rect][2])or

(x>=b[rect][2] and x+dx<=b[rect][2])))

or

(((dx>0 and x<=b[rect][0] and x+dx>=b[rect][0])or(dx>0 and x>=b[rect][0] and x+dx<=b[rect][0])) and

b[rect][1]*dx<= (y*dx)+(b[rect][0]-x)*dy and

(y*dx)+(b[rect][0]-x)*dy<=b[rect][3]*dx)

or

(((dx<0 and x<=b[rect][0] and x+dx>=b[rect][0])or(dx<0 and x>=b[rect][0] and x+dx<=b[rect][0])) and

b[rect][1]*dx>= (y*dx)+(b[rect][0]-x)*dy and

(y*dx)+(b[rect][0]-x)*dy>=b[rect][3]*dx)

or

(((dx>0 and x<=b[rect][2] and x+dx>=b[rect][2])or(dx>0 and x>=b[rect][2] and x+dx<=b[rect][2])) and

b[rect][1]*dx <= (y*dx)+(b[rect][2]-x)*dy and

(y*dx)+(b[rect][2]-x)*dy<=b[rect][3]*dx)

or

(((dx<0 and x<=b[rect][2] and x+dx>=b[rect][2])or(dx<0 and x>=b[rect][2] and x+dx<=b[rect][2])) and

b[rect][1]*dx >= (y*dx)+(b[rect][2]-x)*dy and

(y*dx)+(b[rect][2]-x)*dy>=b[rect][3]*dx)

or(((dy>0 and y<=b[rect][1] and y+dy>=b[rect][1]) or (dy>0 and y>=b[rect][1] and y+dy<=b[rect][1])) and

b[rect][0]*dy<= (x*dy)+(b[rect][1]-y)*dx and

(x*dy)+(b[rect][1]-y)*dx <= b[rect][2]*dy)

or(((dy<0 and y<=b[rect][1] and y+dy>=b[rect][1]) or (dy<0 and y>=b[rect][1] and y+dy<=b[rect][1])) and

b[rect][0]*dy>= (x*dy)+(b[rect][1]-y)*dx and

(x*dy)+(b[rect][1]-y)*dx >= b[rect][2]*dy)

or(((dy>0 and y<=b[rect][3] and y+dy>=b[rect][3]) or (dy>0 and y>=b[rect][3] and y+dy<=b[rect][3])) and

b[rect][0]*dy<= (x*dy)+(b[rect][3]-y)*dx and

(x*dy)+(b[rect][3]-y)*dx <= b[rect][2]*dy)

or(((dy<0 and y<=b[rect][3] and y+dy>=b[rect][3]) or (dy<0 and y>=b[rect][3] and y+dy<=b[rect][3])) and

b[rect][0]*dy>= (x*dy)+(b[rect][3]-y)*dx and

(x*dy)+(b[rect][3]-y)*dx >= b[rect][2]*dy)

)


Let’s try Uppaal

• Modelling

• Simulation

• Verification


The Solution:


Algorithm: Reachability Analysis

Initialize Passed := Ø

Waiting := {n0}

Repeat Pick n from Waiting

if n already in Passed then do nothing

else add {m: n->m} to Waiting and

move n to Passed

Until (Waiting = Ø) OR (Goal in Waiting)


How many Combinations?

0

0

1

1Q: How many different states are there in this

very simple grid?

Hint: A state is a four tuple

(x,y,dx,dy).

x

y


Exhaustive Verification

• 100 % coverage

• Precomputes all possible execution paths and checks them prior to the execution of the program

• Used for checking safety critical systems (controllers, drivers, etc.)

• Suffers from the State Explosion problem

• However, the limits of application of verification is constantly being pushed


Runtime Verification

• Performed at Runtime

• Only a single program trace is being checked.

• Almost like testing

• Feasible for less safety critical systems like e.g. financial software

• Current research project (NEXT) on checking temporal business rules.


Chellenge: Driving a Loop

Start/Finish

We need a small trick in the model to

find the shortest path

here!!

Documents

08-11-2004 Kåre J. Kristoffersen 1 Research Topic: Finding Shortest paths in Vector Rally using a Model Checker Win a T-Shirt!