Efficient Verification of Timed Automata Kim Guldstrand Larsen BRICS@Aalborg

1

Efficient Verification of Timed Automata

Kim Guldstrand Larsen

BRICS@Aalborg

2Estonian Winter School in Computer Science Kim G. Larsen UCb

The UPPAAL Model= Networks of Timed Automata + Integer Variables +….

l1

l2

a!

x>=2i==3

x := 0i:=i+4

m1

m2

a?

y<=4

………….Two-way synchronizationon complementary actions.

Closed Systems!

Two-way synchronizationon complementary actions.

Closed Systems!

(l1, m1,………, x=2, y=3.5, i=3,…..) (l2,m2,……..,x=0, y=3.5, i=7,…..)

(l1,m1,………,x=2.2, y=3.7, I=3,…..)

0.2

tau

Example transitions

If a URGENT CHANNEL


Timed Automata in UPPAAL

Timed (Safety) Automata+ urgent actions + urgent locations+ committed locations+ data-variables (with bounded domains)+ arrays of data-variables + constants + guards and assignments over data-variables and arrays…+ templates with local clocks, data-variables, and constants.


Declarations in UPPAAL

clock x1, …, xn;

int i1, …, im;

chan a1, …, ao;

const c1 n1, …, cp np;

Examples:

clock x, y;

int i, J0; int[0,1] k[5];

const delay 5, true 1, false 0;

Array k of five booleans.


Timed Automata in UPPAAL

n

m

a

x<=5 & y>3

x := 0

x<=5

y<=10

g1g2 g3

g4

invinvnxnxinv ,||::

clock natural number and

}!,,,,,{

},,,,{

::

|::

,||::

op

ExpropExprg

nyxnxg

ggggg

d

c

dc

nx :

clock guards

data guards

clock assignments

clock assignments

):?(

|/

|*

|

|

||

|][|::

:

ExprExprg

ExprExpr

ExprExpr

ExprExpr

ExprExpr

Exprn

ExpriiExpr

Expri

d

location invariants


Urgent Channels

urgent chan hurry;

Informal Semantics:• There will be no delay if transition with urgent action can be taken.

Restrictions:• No clock guard allowed on transitions with urgent actions.

• Invariants and data-variable guards are allowed.


Urgent Locations

Click “Urgent” in State Editor.

Informal Semantics:• No delay in urgent location.

Note: the use of urgent locations reduces the number of clocks

in a model, and thus the complexity of the analysis.


Committed Locations

Click “Committed” in State Editor.

Informal Semantics:• No delay in committed location.• Next transition must involve an automaton in committed location.

Note: the use of committed locations reduces the number of

clocks in a model, and allows for more space and time efficient

analysis.


Logical Formulas

Safety Properties:F ::= A[ ] P |

E<> P Always P

P ::= Proc.l | x = n | v = n | x<=n | x<n | P and P | not P | P or P | P imply P

Possibly P

where

atomic properties

Process Proc at location l

clock comparison

boolean combinations


Train Crossing

River

Crossing

Gate

StopableArea

[10,20]

[7,15]

Queue

[3,5]appr,stop

leave

go

emptynonemptyhd, add,rem


Beyound SafetyDecoration TACAS98a

l

n

Leadsto: Whenever l is reached then n is reached with t

l

n

Decorationnew clock Xboolean B

X:=0

B:=tt

B:=ff

A[] (B implies x<=t)

)( ba t AFAG

12

THE UPPAAL ENGINE

Reachability & ZonesProperty and system dependent

partitioning


ZonesFrom infinite to finite

State(n, x=3.2, y=2.5 )

x

y

x

y

Symbolic state (set)(n, )

Zone:conjunction ofx-y<=n, x<=>n

3y4,1x1


Symbolic Transitions

n

m

x>3

y:=0

x

ydelays to

conjuncts to

projects to

x

y

1<=x<=41<=y<=3

x

y1<=x, 1<=y-2<=x-y<=3

x

y 3<x, 1<=y-2<=x-y<=3

3<x, y=0

Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)

a


A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s Protocolanalysis using zones

Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Fischers cont. B1 CS1

V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10

A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

Untimed case

A1



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case

Taking time into account

X

Y

A1



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


X

Y

A1

10X

Y1010



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10


Forward Rechability

Passed

WaitingFinal

Init

INITIAL Passed := Ø; Waiting := {(n0,Z0)}

REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add

{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed

UNTIL Waiting = Ø or Final is in Waiting

Init -> Final ?


Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add



n,Z’

Init -> Final ?


Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add



n,Z’

m,U

Init -> Final ?


Forward Rechability

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

0

x

y

z

2 3

37

3

? ?

Graph

Graph


Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

ShortestPath

Closure

ShortestPath

Closure

0

x

y

z

1 2

25

0

x

y

z

2 3

37

0

x

y

z

2 3

36

3

3 3

Graph

Graph

? ?

Canonical Dastructures for ZonesDifference Bounded Matrices


Bellman 1958, Dill 1989

x<=1y>=5y-x<=3

x<=1y>=5y-x<=3

D

Emptiness

0y

x1

3

-5

Negative Cycleiffempty solution set

Graph


Compact


1<= x <=41<= y <=3

1<= x <=41<= y <=3

D

Future

x

y

x

y

Future D

0

y

x4

-1

3

-1

ShortestPath

Closure

Removeupper

boundson clocks

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

y

x

-1

-1

3

2

0

4

3




x

y

D

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

Remove allbounds

involving yand set y to 0

x

y

{y}D

y=0, 1<=xy=0, 1<=x

Reset

y

x

-1

0

0 0


Improved DatastructuresCompact Datastructure for Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3 3 -2 -2

1

ShortestPath

ClosureO(n^3)

RTSS 1997


Improved DatastructuresCompact Datastructure for Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3

x1 x2

x3x0

-4

22

3

3 -2 -2

1

ShortestPath

ClosureO(n^3)

ShortestPath

ReductionO(n^3) 3

Canonical wrt =Space worst O(n^2) practice O(n)

RTSS 1997


SPACE PERFORMANCE

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

Per

cen

t Minimal Constraint

Global Reduction

Combination


TIME PERFORMANCE

0

0,5

1

1,5

2

2,5

Per

cen

t Minimal Constraint

Global Reduction

Combination


v and w are both redundantRemoval of one depends on presence of other.

v and w are both redundantRemoval of one depends on presence of other.

Shortest Path Reduction1st attempt

Idea

Problem

w

<=wAn edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

An edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

w

v

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.


Shortest Path ReductionSolution

G: weighted graph



G: weighted graph

1. Equivalence classes based on 0-cycles.

2. Graph based on representatives. Safe to remove redundant edges



G: weighted graph

1. Equivalence classes based on 0-cycles.

2. Graph based on representatives. Safe to remove redundant edges

3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes


Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?

ZZ'



REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in Passed then STOP - else /explore/ add



Earlier Termination

Passed

Waiting Final

Init

n,Zk

m,U

n,Z

Init -> Final ?

n,Z1

n,Z2 ZZii

ZZ'


Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices

CDD-representationsCDD-representations

CAV99

Nodes labeled with differences

Maximal sharing of substructures (also across different CDDs)

Maximal intervals Linear-time algorithms

for set-theoretic operations.

NDD’s Maler et. al

DDD’s Møller, Lichtenberg


SPACE PERFORMANCE

0

0,5

1

1,5

2

2,5

3

3,5

4

4,5

Per

cen

t CDD

Reduced CDD

CDD+BDD


TIME PERFORMANCE

0

1

2

3

4

5

6

Per

cen

t CDD

Reduced CDD

CDD+BDD


Verification Options• Diagnostic Trace

• Breadth-First• Depth-First

• Local Reduction• Active-Clock Reduction• Global Reduction

• Re-Use State-Space

• Over-Approximation• Under-Approximation

• Diagnostic Trace

• Breadth-First• Depth-First

• Local Reduction• Active-Clock Reduction• Global Reduction

• Re-Use State-Space

• Over-Approximation• Under-Approximation

Case Studies


Representation of symbolic states (In)Active Clock Reduction

x is only active in location S1

x>3x<5

x:=0

x:=0

S x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitionx<7

Case Studies


Representation of symbolic states Active Clock Reduction

x>3x<5

S

x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitiong1

gkg2r1

r2 rk

iii

ii

rClocks/SAct

gClocks

)S(Act

S1

S2 Sk

Only save constraints on active clocks


When to store symbolic stateGlobal Reduction

No Cycles: Passed list not needed for termination

However,Passed list useful forefficiency

Case Studies


When to store symbolic stateGlobal Reduction

Cycles: Only symbolic states involving loop-entry points need to be saved on Passed list

Case Studies


Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?

prop2

Case Studies


Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?Hashtable

prop2

Case Studies


Over-approximationConvex Hull

x

y

Convex Hull

1 3 5

1

3

5

Case Studies


Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z


Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z

Passed= Bitarray

1

0

1

0

0

1

UPPAAL 8 Mbits

HashfunctionF


Bitstate Hashing


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add




REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add



Passed(F(n,Z)) = 1

Passed(F(n,Z)) := 1

56

Distributed Implementationof UPPAALUPPAAL

Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k


Distributing UPPAALUPPAAL

P

W



Distributing UPPAALUPPAAL

P

W


P1

W1

P2

W2

P4

W4

P3

W3

Passedstructuredistributed



Distributing UPPAALUPPAAL Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k

P1

W1

P2

W2

P4

W4

P3

W3



Check in local Passedlist.If not present save,explore and distribute ...


? MPI


Distributing UPPAALUPPAAL Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k

P1

W1

P2

W2

P4

W4

P3

W3



?

Implemented usingMPI

on SUN Interprise 10000Beowulf cluster

Implemented usingMPI

on SUN Interprise 10000Beowulf cluster




Performance

DACAPODACAPO

T(n)T(1)

SUN Interprise 10000Shared Memory 12GB Ram24 333Mhz CPU’s


Performance

FullState SpaceGeneration

FullState SpaceGeneration

Super-linearSpeed-up



Performance

ShortestPath

Buscoupler



Performance

T(n)n

Linux Beowulf -- alpha clusterDistributed Memory 10 450 Mhz CPU/5 machines

65

Compositionality &Abstraction


The State Explosion Problem

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

sat

Model-checking is either EXPTIME-complete or PSPACE-complete

(for TA’s this is true even for a single TA)

Model-checking is either EXPTIME-complete or PSPACE-complete

(for TA’s this is true even for a single TA)

Sys


Abstraction

satSys AbsSys satAbs

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

sat

Sys

1 2

43 sat

Abs

REDUCE TO Preserving safetyproperties


Compositionality

AbsSysAbsAbs |Abs

Abs Sys

Abs Sys

21

22

11

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

Sys

1 2

43

1 2

43

Sys1 Sys2

Abs1 Abs2

2121

22

11

Abs |AbsSys |Sys Abs Sys

Abs Sys


Timed Simulation

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -

then Rt)(s,Whenever b)

R)t,(s a)

s.t. StStR

relation a is there if TT

a

a

00

21

21

)(

)(

de

de

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -


R)t,(s a)

s.t. StStR


a

a

00

21

21

)(

)(

de

de

)Test(T ||Tfor question

ty reachabili a to reduced bemay

TT then cdetermisti is T If *

decidable is *

ncompositio parallelby preserved is *

propertiessafety preserves *

21

212




decidable is *



21

212

UPPAALUPPAAL


R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -


R)t,(s a)

s.t. StStR


a

a

00

21

21

)(

)(

de

de

R)t',(s' st. t't

then s's if -

R)t',(s' st. t't

then s's if -


R)t,(s a)

s.t. StStR


a

a

00

21

21

)(

)(

de

de

Timed Simulation




decidable is *



21

212




decidable is *



21

212

UPPAALUPPAAL

Applied to

IEEE 1394a Root contention protocol (Simons, Stoelinga)

B&O Power Down Protocol (Ejersbo, Larsen, Skou, FTRTFT2k)

Modifications identified

when urgency

and shared integers

71

END

Documents

Efficient Verification of Timed Automata Kim Guldstrand Larsen BRICS@Aalborg