Verification of Parameterized Timed Systems
Parosh Aziz Abdulla, Uppsala University
with Johann Deneux, Pritha Mahata, Aletta Nylen
Outline
• Parameterized Timed Systems
  – with one clock
  – with several clocks
  – discrete time domain
• Safety Properties
• Syntactic and Semantic Variants
Parameterized System of Timed Processes (Timed Networks)

Timed process: a finite-state automaton equipped with a real-valued clock x; its edges carry clock guards (figure: x<5) and clock resets (figure: x:=0).
Parameterized system: an arbitrary number of copies of the timed process running in parallel.
Challenge: the system has an arbitrary rather than a fixed size, so the verification question must be answered for all sizes at once.

Fischer's Protocol

Timed process: one clock x per process; the edges of the figure carry the guards x=0, x<1, x>1 and the reset x:=0, and one control state is the critical section.
Parameterized network: arbitrarily many copies of this process, i.e. a network of arbitrary size.
Single Clock Timed Networks - TN(1)

Timed process: one clock x per process; edges carry guards (figure: x<5) and resets (figure: x:=0).
State = Configuration: a finite collection of processes, each given by its control state (drawn as a colour) and the value of its clock, e.g.
    2.3 1.4 5.2 3.7 1.0 8.1
Initial configurations: every process is in its initial state and every clock is 0, e.g.
    0 0 0 0 0 0 0 0 0 0
Parameterized system:
• the number of processes, and hence the number of clocks, is unbounded;
• a timed network therefore cannot be modelled as a (finite) timed automaton.

TN(1): how to check safety properties?
Equivalence on Configurations

Two configurations are equivalent if they agree (up to cmax, the largest constant occurring in a guard; clocks above cmax contribute only their colour) on:
• the colours (control states) of the processes,
• the integral parts of the clock values, and
• the ordering of the fractional parts of the clock values.

Examples of equivalent configurations (same colours position by position):
    3.1 4.8 1.5 6.2 5.6   ~   3.2 4.8 1.6 6.4 5.7
    3.3 1.7 4.8           ~   3.1 1.8 4.9
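The equivalence above, written out as an added example (this code is not from the slides): a configuration is treated as a multiset of (colour, clock) pairs with exact rational clocks, `region_key` computes the abstraction (colours; integral parts up to cmax; ordering, including ties, of fractional parts; only the colour for clocks above cmax), and `time_successor_keys` walks through the regions met as time elapses, which lets one check that equivalent configurations see the same sequence of regions. Colour names such as "p", "q" and the choice cmax = 5 are assumptions made for the example.

```python
from fractions import Fraction
from itertools import groupby
from math import floor

# Added example, not from the slides.  A TN(1) configuration is a multiset of
# processes, each a (colour, clock) pair; clocks are exact rationals.

def parse(colours, clocks):
    """Build a configuration from colour names and decimal clock strings (constructed input)."""
    return [(c, Fraction(v)) for c, v in zip(colours, clocks)]

def region_key(config, cmax):
    """Region abstraction of a configuration.

    Two configurations get equal keys iff they agree, up to cmax, on colours,
    integral parts of clocks and the ordering (with ties) of fractional parts.
    A process whose clock exceeds cmax contributes only its colour.
    """
    beyond = sorted(colour for colour, v in config if v > cmax)
    bounded = [(v - floor(v), colour, floor(v)) for colour, v in config if v <= cmax]
    bounded.sort(key=lambda t: t[0])
    # one multiset of (colour, integral part) per distinct fractional value,
    # listed in increasing order of the fractional part
    groups = [(frac, tuple(sorted((c, i) for _, c, i in g)))
              for frac, g in groupby(bounded, key=lambda t: t[0])]
    zero = groups[0][1] if groups and groups[0][0] == 0 else ()   # clocks on an integer
    positive = tuple(g for frac, g in groups if frac != 0)
    return (tuple(beyond), zero, positive)

def equivalent(c1, c2, cmax):
    return region_key(c1, cmax) == region_key(c2, cmax)

def delay(config, d):
    """Timed transition: every clock advances by d."""
    return [(colour, v + d) for colour, v in config]

def time_successor_keys(config, cmax):
    """Regions met when time elapses from config, in order, until every clock
    exceeds cmax.  Each step is the smallest delay that changes the region:
    if some clock <= cmax sits on an integer, any tiny delay does; otherwise
    the clock with the largest fractional part is advanced to the next integer."""
    keys = [region_key(config, cmax)]
    cur = config
    while True:
        fracs = [v - floor(v) for _, v in cur if v <= cmax]
        if not fracs:
            return keys
        if 0 in fracs:
            # fracs of 0 contribute 1, so step <= 1/2 and no clock reaches an integer
            step = min(1 - f for f in fracs) / 2
        else:
            step = 1 - max(fracs)
        cur = delay(cur, step)
        keys.append(region_key(cur, cmax))
```

`region_key` orders the groups of processes by fractional part rather than comparing positions, because processes in a network are interchangeable; the two example pairs from the slide come out equivalent, while moving a single fractional part past another one (1.5 to 1.9 in the first example) or changing one colour does not.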
Safety Properties

• Mutual exclusion: the bad states are the configurations with more than one process in the critical section (# processes in critical section > 1). [figure: Fischer's process with guards x=0, x<1, x>1, reset x:=0 and the critical section state]
• A bad configuration stays bad when further processes are added: the figure embeds the two-process pattern 3.4 8.1 (both in the critical section) in the larger configuration 3.3 8.2 2.3 1.4 5.2 3.7 3.4 8.1, which is bad as well.
• Ideal = upward closed set of configurations (closed under adding processes); the set of bad configurations is an ideal.
• Safety = (non-)reachability of ideals.
Checking Safety Properties: Backward Reachability Analysis

Start from the ideal of bad states and apply the predecessor operator Pre repeatedly: Bad, Pre(Bad), Pre(Pre(Bad)), ... Each iterate is again an ideal. The safety property holds iff no iterate contains an initial state and the sequence stabilizes, i.e. reaches a fixpoint.
Existential Zones

An existential zone is a finite symbolic representation of an ideal: a finite set of clock variables x1, x2, x3, ..., one per required process, each with a colour, together with difference constraints between them (the figure constrains x2 - x1 and x2 - x3). It states the minimal requirement: a configuration belongs to the ideal iff it contains processes whose colours and clocks satisfy the constraints, and any further processes are unconstrained. For instance, the configuration 3.1 3.5 7.2 0.5 4.6 belongs to the ideal of the figure's zone because its sub-configuration 3.1 7.2 4.6 satisfies the constraints.

Existential Zones - Computing Pre

Pre of an existential zone is again a finite set of existential zones. Undoing a transition may require additional processes, so the zone can acquire new variables (the figure extends x1, x2, x3 by x4 and x5, with new constraints on them); zones can therefore grow along the backward iteration.
Checking Safety Properties: Backward Reachability Analysis with Existential Zones

The backward iteration Bad, Pre(Bad), Pre(Pre(Bad)), ... from the bad states towards the initial states is carried out on existential zones.

Termination: existential zones, under the natural entailment order (Z1 ≤ Z2 iff the ideal of Z2 is included in the ideal of Z1), form a BQO (and therefore a WQO), so every backward iteration reaches its fixpoint after finitely many steps.

Theorem: safety properties can be decided for TN(1).
Multi-Clock Timed Networks - TN(K)

Timed process: each process now has K clocks (the figure uses two, x and y); guards and resets may refer to any of them (figure: x<5, y>3, x:=0).
Configuration: the colour of each process plus a value for each of its clocks, e.g. (two clocks)
    x: 2.3 1.4 5.2 3.7 1.0 8.1
    y: 1.4 5.6 0.2 9.2 2.8 0.1

Timed Transitions: all clocks of all processes advance by the same amount (here 0.5):
    x: 2.3 1.4 5.2 3.7 1.0 8.1  ->  2.8 1.9 5.7 4.2 1.5 8.6
    y: 1.4 5.6 0.2 9.2 2.8 0.1  ->  1.9 6.1 0.7 9.7 3.3 0.6

Discrete Transitions: a single process takes an edge whose guard refers to its own clocks (figure: an edge labelled y<5, x>4, x:=0) and resets the clocks listed on the edge; all other processes are unchanged (the figure resets the x clock of the second process):
    x: 2.3 1.4 5.2 3.7 1.0 8.1  ->  2.3 0.0 5.2 3.7 1.0 8.1
    y: 1.4 5.6 0.2 9.2 2.8 0.1  ->  1.4 5.6 0.2 9.2 2.8 0.1
Checking Safety Properties: Backward Reachability Analysis

The same backward iteration Bad, Pre(Bad), Pre(Pre(Bad)), ... can be run for TN(K), with existential zones that constrain all K clocks of each required process.

Termination no longer guaranteed!

With two clocks per process the entailment order on existential zones is no longer a WQO. The figure gives an infinite antichain of zones Z2, Z3, Z4, ... where Zn requires n processes whose clocks form a cycle:
    Z2: x1 < x2,             y1 = x2, y2 = x1
    Z3: x1 < x2 < x3,        y1 = x2, y2 = x3, y3 = x1
    Z4: x1 < x2 < x3 < x4,   y1 = x2, y2 = x3, y3 = x4, y4 = x1
    ...
No Zn is entailed by a larger Zm (m > n): an embedding of the n processes of Zn into the m processes of Zm would have to map each link y_i = x_{i+1} onto a link of Zm, so it would map the cycle of length n onto a closed walk in the cycle of length m, which is impossible for m > n. A backward iteration can therefore produce infinitely many pairwise incomparable zones and need not terminate.
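The antichain argument, as an added example that is not part of the slides: the cyclic zones Zn are stored as their x-order plus the link map y_i = x_succ(i), and `embeds(small, big)` searches for an injection of the processes of one zone into the other that preserves the x-order and maps links to links. For zones whose only constraints are a strict total order on the x's and equations y_i = x_j this structural check coincides with entailment; it is a check constructed for this family of zones, not a general zone-inclusion procedure. The `chain_zone` family (same links without the closing link y_n = x_1) is an assumed control case that does embed.

```python
from itertools import permutations

# Added example, not from the slides.  A zone is a number of processes n,
# the x-order x1 < x2 < ... < xn (the index order), and a link map succ with
# y_i = x_{succ(i)} for every i that has a link.

def cyclic_zone(n):
    """Zn from the slide: y_i = x_{i+1} for i < n and y_n = x_1 (closing the cycle)."""
    return {"n": n, "succ": {i: i % n + 1 for i in range(1, n + 1)}}

def chain_zone(n):
    """Control case (assumed, not on the slide): the same links without the closing one."""
    return {"n": n, "succ": {i: i + 1 for i in range(1, n)}}

def embeds(small, big):
    """True iff big entails small via an injection f of small's processes into big's
    that preserves the x-order (f increasing) and carries every link y_i = x_succ(i)
    of small onto the link y_f(i) = x_f(succ(i)) of big."""
    n, m = small["n"], big["n"]
    if n > m:
        return False
    for image in permutations(range(1, m + 1), n):
        f = dict(zip(range(1, n + 1), image))
        order_ok = all(f[i] < f[i + 1] for i in range(1, n))
        links_ok = all(big["succ"].get(f[i]) == f[small["succ"][i]]
                       for i in small["succ"])
        if order_ok and links_ok:
            return True
    return False

def antichain(zones):
    """True iff no zone in the list embeds into a different zone of the list."""
    return all(not embeds(a, b) for a in zones for b in zones if a is not b)
```

For the cyclic zones the link condition forces big.succ(f(i)) = f(succ(i)) all the way round the small cycle, which cannot close in a strictly longer cycle; the chain zones lack the closing link and embed freely, which is why a WQO argument survives for chains but not for cycles.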
Simulation of a 2-counter machine by TN(2)

Timed processes:
• one process models the control state of the machine M,
• some processes model the counter c1,
• some processes model the counter c2,
• the rest are idle.
The figure shows M with instructions of the form c1++, c2-- and a zero test c2=0?.

Encoding of configurations of M (figure): the value of c1 is the number of c1 processes between a "left end" process and a "right end" process; the processes of the chain are kept apart by their clock values (the figure encodes c1 = 3 and lists the chain's clock values 0.1 0.3 0.5 0.7 0.9 for both clocks).

Simulating a decrement c1-- (figure): the control process moves from q1 to q2 on an edge with guard x=1 ∧ y=1 and reset x:=0, while one c1 process leaves the chain and becomes idle on an edge with guard 0<x and reset y:=0. The figure lets time advance by 0.1 (0.1 0.3 0.5 0.7 0.9 becomes 0.2 0.4 0.6 0.8 1.0), resets the control process's clock to 0 when it reaches 1, and then resets the leaving process's clock to 0, so that the chain is one process shorter.

Simulating a zero test c1=0? (figure): the gadget uses edges between q1 and q2 with guard x>0 ∧ y=1 and reset x:=0, and with guard x=1 and reset y:=0; the clock values shown (0.2, 0.7, 0.5, 0, 1.0, 0.3) are arranged so that the test succeeds exactly when no process encodes c1.

Since reachability of a control state of a 2-counter machine is undecidable, safety properties are undecidable for TN(2).
Discrete Timed Networks - DTN(K)

Clocks are interpreted over the discrete time domain (the natural numbers).
State = Configuration, e.g. (one clock per process)
    2 1 5 3 1 8
Timed Transitions: all clocks advance by the same natural number, here 2:
    2 1 5 3 1 8  ->  4 3 7 5 3 10

Exact Abstraction (figure, cmax = 1): a configuration is abstracted to the number of processes having the same state and the same clock value up to cmax, where the value 2* stands for every value >= 2 (i.e. > cmax). The figure tabulates one configuration; rows are the three control states of the figure, columns the clock values:

              0   1   2*
    state 1   4   2   3
    state 2   3   0   6
    state 3   5   0   8

Discrete Transitions (figure: edges labelled x=0, x:=0 and x=1) change single entries of the table; the figure's second table reads:

              0   1   2*
    state 1   5   1   3
    state 2   4   0   6
    state 3   4   0   8

Checking Safety Properties: Backward Reachability Analysis

On the abstraction an ideal is an upward closed set of count vectors, represented by its finitely many minimal elements. The backward iteration Bad, Pre(Bad), Pre(Pre(Bad)), ... is computed on minimal elements and terminates because the pointwise order on count vectors is a WQO (Dickson's lemma).
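The DTN(1) analysis of this slide, as an added example that is not part of the slides: the exact abstraction with cmax = 1 (clock classes 0, 1 and TOP for "2*"), the forward timed transition on counts, and backward reachability over minimal elements with `pre_delay` (undo a one-unit delay; longer delays are compositions of it) and `pre_edge` (undo one process taking an edge). The three-state protocol, its edges and the two properties checked are constructed for the example and are not a protocol from the slides; the definitions of Pre are written here from the abstraction, not copied from the page.

```python
from itertools import product

# Added example, not from the slides.  Toy DTN(1) protocol (constructed):
# a process sits in idle, try or cs and has one clock x.
CMAX = 1
TOP = CMAX + 1                  # class for every clock value > cmax ("2*" on the slide)
CLASSES = tuple(range(TOP + 1)) # (0, 1, 2)
INIT = ("idle", 0)              # initial configurations: any number of (idle, 0)

# (source, guard on the clock class, reset?, target); guards use constants <= cmax,
# so evaluating them on classes is exact.
EDGES = [
    ("idle", lambda v: v >= 1, True,  "try"),   # idle -> try,  x := 0
    ("try",  lambda v: v == 1, False, "cs"),    # try  -> cs    when x = 1
    ("cs",   lambda v: True,   True,  "idle"),  # cs   -> idle, x := 0
]

def norm(counts):
    """Canonical hashable count vector: sorted pairs ((state, class), n), zeros dropped."""
    return tuple(sorted((k, n) for k, n in counts.items() if n > 0))

def abstract(config):
    """Exact abstraction: number of processes per (state, clock class)."""
    counts = {}
    for state, clock in config:
        key = (state, min(clock, TOP))
        counts[key] = counts.get(key, 0) + 1
    return norm(counts)

def delay_abstract(m):
    """Forward timed transition by one unit on counts: 0 -> 1, 1 -> TOP, TOP -> TOP."""
    out = {}
    for (s, v), n in m:
        key = (s, min(v + 1, TOP))
        out[key] = out.get(key, 0) + n
    return norm(out)

def leq(a, b):
    """Pointwise order on count vectors; the ideal of a contains that of b iff a <= b."""
    bd = dict(b)
    return all(bd.get(k, 0) >= n for k, n in a)

def pre_delay(m):
    """Minimal elements of the delay predecessors of the ideal of m."""
    if any(v == 0 for (_, v), _ in m):
        return []               # right after a delay no clock is 0
    choices = []
    for (s, v), n in m:
        if v == 1:
            choices.append([{(s, 0): n}])
        else:                   # v == TOP: came from class 1 or class TOP
            choices.append([{(s, 1): i, (s, TOP): n - i} for i in range(n + 1)])
    result = []
    for combo in product(*choices):
        merged = {}
        for part in combo:
            for k, n in part.items():
                merged[k] = merged.get(k, 0) + n
        result.append(norm(merged))
    return result

def pre_edge(m, edge):
    """Minimal elements of the predecessors of the ideal of m through one process taking edge."""
    src, guard, reset, tgt = edge
    result = []
    for v in CLASSES:
        if not guard(v):
            continue
        v_after = 0 if reset else v
        d = dict(m)
        d[(tgt, v_after)] = max(0, d.get((tgt, v_after), 0) - 1)  # the mover, if it was required
        d[(src, v)] = d.get((src, v), 0) + 1                       # where it came from
        result.append(norm(d))
    return result

def reachable(bad_min):
    """Backward reachability: True iff an initial configuration can reach the ideal of bad_min."""
    minimal = []                # antichain of minimal elements explored so far
    work = [norm(m) for m in bad_min]
    while work:
        m = work.pop()
        if any(leq(e, m) for e in minimal):
            continue            # ideal of m already covered
        minimal = [e for e in minimal if not leq(m, e)] + [m]
        if all(k == INIT for k, _ in m):
            return True         # ideal of m contains an initial configuration
        work.extend(pre_delay(m))
        for edge in EDGES:
            work.extend(pre_edge(m, edge))
    return False                # fixpoint reached (Dickson's lemma guarantees this)

def two_in_cs():
    """Bad states for mutual exclusion: at least two processes in cs, any clock classes."""
    return [{("cs", a): 2} if a == b else {("cs", a): 1, ("cs", b): 1}
            for a in CLASSES for b in CLASSES if a <= b]
```

The toy protocol has no coordination between processes, so two of them can enter cs together and `reachable(two_in_cs())` is True; by contrast a process in cs with clock 0 is unreachable (cs is entered with x = 1 and without a reset), and the iteration from that bad set stops immediately because every predecessor is subsumed by the bad element itself.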
Syntactic Variants
• Open timed networks: only strict clock constraints (x<c, x>c): undecidable.
• Closed timed networks: only non-strict clock constraints (x<=c, x>=c): decidable.

Semantic Variants
• Robust timed networks: clock constraints interpreted as semantically strict: undecidable.

Summary
• TN(1): decidable
• TN(2): undecidable
• DTN(K): decidable
• TN(2) open: undecidable
• TN(K) closed: decidable
• TN(2) robust: undecidable