Verification of Parameterized Timed Systems

Parosh Aziz Abdulla, Johann Deneux, Pritha Mahata, Aletta Nylen
Uppsala University

Outline

• Parameterized Timed Systems
  • with one clock
  • with several clocks
  • discrete time domain
• Safety Properties
• Syntactic and Semantic Variants

Parameterized System of Timed Processes (Timed Networks)

• Timed process: a finite automaton with a clock; the edges carry clock guards and clock resets (the slide's process has an edge guarded by x<5 and an edge with the reset x:=0)
• Parameterized system: an arbitrary number of copies of the timed process running in parallel

Single Clock Timed Networks - TN(1)

• Each timed process has a single clock x
• Challenge: the network has an arbitrary rather than a fixed size, so neither the number of processes nor the number of clocks is bounded in advance

Fischer's Protocol

• Timed process: the automaton on the slide carries the labels x=0, x<1, x>1 and x:=0; the clock is reset when the process starts competing, writing the lock is guarded by x<1, and entering the critical section is guarded by x>1
• Parameterized network: an arbitrary number of such processes

Single Clock Timed Networks - TN(1)

• State = configuration: the local state (colour) and the clock value of every process, e.g.
  2.3 1.4 5.2 3.7 1.0 8.1
• Initial configurations: every process in its initial state with clock value 0
  0 0 0 0 0 0 0 0 0 0
• Timed transitions: all clocks advance by the same amount; with delay 0.5
  2.3 1.4 5.2 3.7 0.0 8.1  →  2.8 1.9 5.7 4.2 0.5 8.6
• Discrete transitions: one process takes an edge of its automaton (here the edge labelled x:=0 on the slide, which resets its clock); the other processes are unchanged
  2.3 1.4 5.2 3.7 1.0 8.1  →  2.3 1.4 0.0 3.7 1.0 8.1
• TN(1) has an unbounded number of clocks, so it cannot be modelled as a timed automaton

How to check Safety Properties?

Equivalence on Configurations

• Two configurations are equivalent if they agree (up to cmax) on
  • the colours (local states) of the processes
  • the integral parts of the clock values
  • the ordering on the fractional parts of the clock values
  (clock values above cmax are not distinguished from each other)
• Equivalent pairs:
  3.1 4.8 1.5 6.2 5.6  and  3.2 4.8 1.6 6.4 5.7
  3.3 1.7 4.8  and  3.1 1.8 4.9

Ordering on Configurations

• c1 ≤ c2 iff there is a c3 such that c1 ≡ c3 and c3 ⊑ c2, where c3 ⊑ c2 means that c3 is a sub-configuration of c2 (a sub-multiset of its processes): c2 contains processes that, taken together, are equivalent to c1
• Example:
  c2 = 3.1 4.8 1.5 6.2 5.6
  c1 = 4.9 6.4 5.7
  c3 = 4.8 6.2 5.6 (three of the processes of c2)
  c1 ≡ c3 and c3 ⊑ c2, hence c1 ≤ c2
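The equivalence and the ordering of the two slides above, as an added Python example that is not part of the original slides or of the authors' tool. A configuration is a list of (colour, clock) pairs; clocks are converted to exact fractions so that fractional parts compare exactly. The colour "p" and the value cmax = 10 used in the demonstration are assumptions, since the numbers on the slides come with neither colours nor a cmax.

```python
from fractions import Fraction
from itertools import combinations
from math import floor


def region(config, cmax):
    """Canonical form of a TN(1) configuration up to cmax.

    Each process becomes (colour, integral part, fractional part is zero,
    rank of its fractional part among all processes); a clock above cmax is
    mapped to the single abstract value cmax + 1 with no fractional data.
    Two configurations are equivalent (same colours, same integral parts,
    same ordering on fractional parts) iff their canonical forms are equal.
    """
    procs = [(colour, Fraction(str(clock))) for colour, clock in config]
    # dense rank of the fractional parts: equal fractions share a rank,
    # so only the ordering survives, not the values themselves
    fracs = sorted({x - floor(x) for _, x in procs if x <= cmax})
    rank = {f: i for i, f in enumerate(fracs)}
    canon = []
    for colour, x in procs:
        if x > cmax:
            canon.append((colour, cmax + 1, True, -1))
        else:
            f = x - floor(x)
            canon.append((colour, floor(x), f == 0, rank[f]))
    return tuple(sorted(canon))          # processes are a multiset, order is irrelevant


def equivalent(c1, c2, cmax):
    return region(c1, cmax) == region(c2, cmax)


def leq(c1, c2, cmax):
    """c1 <= c2 iff some sub-multiset c3 of c2 is equivalent to c1."""
    if len(c1) > len(c2):
        return False
    target = region(c1, cmax)
    return any(region(c3, cmax) == target for c3 in combinations(c2, len(c1)))


def config(*clocks, colour="p"):
    """Constructed sample input: all processes in the same local state."""
    return [(colour, c) for c in clocks]


if __name__ == "__main__":
    CMAX = 10
    c2 = config("3.1", "4.8", "1.5", "6.2", "5.6")
    print(equivalent(c2, config("3.2", "4.8", "1.6", "6.4", "5.7"), CMAX))  # True
    print(leq(config("4.9", "6.4", "5.7"), c2, CMAX))                        # True (via 4.8 6.2 5.6)
    print(leq(c2, config("4.9", "6.4", "5.7"), CMAX))                        # False
    # above cmax the ordering of fractional parts no longer matters
    print(equivalent(config("4.8", "3.1"), config("4.1", "3.5"), 5))          # False
    print(equivalent(config("4.8", "3.1"), config("4.1", "3.5"), 3))          # True
```

The `rank` step is what makes the check insensitive to the concrete fractional values: 3.1 4.8 1.5 6.2 5.6 and 3.2 4.8 1.6 6.4 5.7 have different fractions but the same ranks, and the zero flag keeps a clock that is exactly integral (where a guard x=n holds) apart from one that is slightly above it.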

Safety Properties

• Mutual exclusion (Fischer's protocol): the bad states are the configurations with more than one process in the critical section, e.g.
  3.3 8.2 2.3 1.4 5.2 3.7 3.4 8.1
  where the processes with clock values 3.4 and 8.1 are both in the critical section
• Ideal = upward closed set of configurations; the set of bad states is an ideal, since adding processes to a bad configuration keeps it bad
• Safety = reachability of ideals: the property holds iff no configuration of the ideal of bad states is reachable from an initial configuration

Checking Safety Properties: Backward Reachability Analysis

• Start from the bad states and apply Pre repeatedly: bad, Pre(bad), Pre(Pre(bad)), ... where Pre(S) is the set of configurations with a transition into S
• The property holds iff no set in this sequence contains an initial state

Properties of ≤ -- Monotonicity

• If c1 → c2 and c1 ≤ c3, then there is a c4 with c3 → c4 and c2 ≤ c4: a larger configuration can mimic every transition of a smaller one
• Monotonicity ⟹ ideals are closed under computing Pre: if I is an ideal, then Pre(I) is an ideal

Checking Safety Properties: Backward Reachability Analysis

• bad, Pre(bad), Pre(Pre(bad)), ... are all ideals, so the analysis only ever manipulates ideals; what is needed is a symbolic representation of ideals

Existential Zones

• Symbolic representation of ideals for TN(1)
• An existential zone names finitely many processes (x1, x2, x3 on the slide) and constrains the differences of their clock values, e.g.
  1 ≤ x2 − x1
  2 ≤ x2 − x3
• Minimal requirement: a configuration satisfies the zone if some of its processes satisfy the constraints, e.g. 3.1 7.2 4.6 (x2 − x1 = 4.1 ≥ 1 and x2 − x3 = 2.6 ≥ 2), and hence also 3.1 3.5 7.2 0.5 4.6, which contains these three processes
• Existential zone = ideal: the set of configurations satisfying a zone is upward closed

Existential Zones – Computing Pre

• Pre of an existential zone is a finite union of existential zones
• Computing the predecessor of a discrete transition may involve processes the zone does not mention: the slide extends the zone over x1, x2, x3 (1 ≤ x2 − x1, 2 ≤ x2 − x3) with two further processes x4 and x5 and constant bounds on their clocks (the constants 4 and 2 on the slide)

Checking Safety Properties: Backward Reachability Analysis

• bad, Pre(bad), Pre(Pre(bad)), ... are computed as existential zones

Termination

• Existential zones are BQO (better quasi-ordered) and therefore WQO (well quasi-ordered): every infinite sequence of zones contains two comparable ones, so the sequence of backward steps reaches a fixpoint after finitely many iterations
• Theorem: Safety properties can be decided for TN(1)

Multi-Clock Timed Networks – TN(K)

• Each timed process has K clocks; the slide's process has two clocks x and y and edges labelled x:=0, x<5 and y>3
• Configuration: the local state and one value per clock for every process
  x: 2.3 1.4 5.2 3.7 1.0 8.1
  y: 1.4 5.6 0.2 9.2 2.8 0.1
• Timed transitions: all clocks of all processes advance by the same amount; with delay 0.5
  x: 2.8 1.9 5.7 4.2 1.5 8.6
  y: 1.9 6.1 0.7 9.7 3.3 0.6
• Discrete transitions: one process takes an edge (the slide's edge carries the guard y<5, x>4 and the reset x:=0); the transition shown resets the x clock of the second process
  x: 2.3 0.0 5.2 3.7 1.0 8.1
  y: 1.4 5.6 0.2 9.2 2.8 0.1
• Existential zones now constrain the clocks of several processes, where xi and yi belong to the same process, e.g.
  1 ≤ y2 − x1
  2 ≤ x2 − y1

Checking Safety Properties: Backward Reachability Analysis

• The same backward analysis, with existential zones over the K clocks of each process

Termination no longer guaranteed !!

• With two clocks there are infinite sequences of pairwise incomparable existential zones, so the backward analysis need not reach a fixpoint. The slide's family: for n = 2, 3, 4, ... the zone over processes 1..n with
  x1 < x2 < ... < xn
  y1 = x2, y2 = x3, ..., y(n−1) = xn, yn = x1
  (the y clock of each process equals the x clock of the next one, cyclically)
  n = 2: x1 < x2, y1 = x2, y2 = x1
  n = 3: x1 < x2 < x3, y1 = x2, y2 = x3, y3 = x1
  n = 4: x1 < x2 < x3 < x4, y1 = x2, y2 = x3, y3 = x4, y4 = x1
• No zone of the family is below a larger one in the ordering: removing any process breaks the cycle

Simulation of 2-counter machine by TN(2)

• A 2-counter machine M has a finite control and two counters c1, c2 with the operations c1++, c1--, c1=0? (and likewise for c2)
• Timed processes: one models the control state; some model c1; some model c2; the rest are idle
• Encoding of the configurations of M: the value of c1 is the number of processes modelling c1; their clock values form a chain with a left end and a right end (for c1 = 3 the slide shows the x and y values 0.1, 0.3, 0.5, 0.7, 0.9 over the processes of the chain)
• Simulating a decrement c1--: the control process moves from q1 to q2 while one process of the chain becomes idle; the slide's rules use the guards x=1, y=1 with the reset x:=0 and the guard 0<x with the reset y:=0, and the chain is shifted by letting time pass (0.1 ... 0.9 → 0.2 ... 1.0) and resetting clocks to 0, so that the remaining processes form a chain again
• Simulating a zero test c1=0?: the control process moves from q1 to q2 using the guards x>0, y=1 with the reset x:=0 and the guard x=1 with the reset y:=0; the move must be enabled exactly when no process of the c1 chain is present
• Theorem: Checking safety properties is undecidable for TN(2)

Discrete Timed Networks - DTN(K)

• Clocks are interpreted over the discrete time domain (integer values)
• State = configuration, e.g.
  2 1 5 3 1 8
• Timed transitions advance every clock by the same integer; with delay 2
  2 1 5 3 1 8  →  4 3 7 5 3 10
• Exact abstraction: only clock values up to cmax matter, so a configuration is abstracted to the number of processes having the same state and the same clock value (up to cmax). The slide uses cmax = 1 and the columns 0, 1 and 2*, where 2* collects every value above cmax; the three local states are not named on the slide:

  clock value:   0    1    2*
  state 1        4    2    3
  state 2        3    0    6
  state 3        5    0    8

• Discrete transitions change the counts of the source and target (state, clock value) entries of the processes that move; the slide's rule (guards x=0 and x=1, reset x:=0) takes the table above to

  clock value:   0    1    2*
  state 1        5    1    3
  state 2        4    0    6
  state 3        4    0    8

• Timed transitions with delay 1 shift every column one step to the right, the 2* column keeping what it already held:

  clock value:   0    1    2*
  state 1        0    4    5
  state 2        0    3    6
  state 3        0    5    8

• Symbolic representation: an ideal of count tables is represented by its minimal elements (a table belongs to the ideal iff it is pointwise at least one of them)
• Checking safety properties: backward reachability analysis, bad, Pre(bad), Pre(Pre(bad)), ..., computed on minimal elements
• Theorem: Checking safety properties is decidable for DTN(K)
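The backward reachability analysis on minimal elements, applied to Fischer's protocol from the earlier slide in the discrete time domain, as an added Python example; it is not part of the slides and is not the authors' tool. Clock values are abstracted to 0, 1 and 2 (2 standing for "at least 2", the 2* column), which is enough for the guards x<1 and x>1. The shared lock variable is modelled, as an assumption, by a finite-state controller component with states free/taken; the local states idle, start, own, other, cs_own and cs_lost, the rule names, and the bookkeeping for an owner whose lock is overwritten while it is in the critical section (cs_lost) are modelling choices of this example, not taken from the slides. The analysis reports mutual exclusion for the protocol as given (wait until x>1) and a violation for a variant that enters the critical section without waiting.

```python
from collections import Counter
from itertools import product

CMAX = 2                                   # 2 stands for every clock value >= 2
CLOCKS = tuple(range(CMAX + 1))
ANY = frozenset(CLOCKS)


def fischer_rules(wait_guard):
    """Rules as (controller before, controller after, roles); a role is
    (state before, allowed clock values, state after, reset?). None = controller unchanged."""
    return [
        ('free',  'free',  [('idle',   ANY, 'start', True)]),                 # lock is free: compete, x := 0
        ('free',  'taken', [('start',  {0}, 'own',   True)]),                 # x < 1: lock := me, x := 0
        ('taken', 'taken', [('start',  {0}, 'own',   True),                   # x < 1: overwrite a waiting owner
                            ('own',    ANY, 'other', False)]),
        ('taken', 'taken', [('start',  {0}, 'own',   True),                   # x < 1: overwrite an owner in its CS
                            ('cs_own', ANY, 'cs_lost', False)]),
        ('taken', 'taken', [('own',    wait_guard, 'cs_own', False)]),        # x > 1 and lock = me: enter CS
        (None,    None,    [('other',  wait_guard, 'idle',   False)]),        # x > 1 and lock != me: give up
        (None,    None,    [('start',  ANY - {0}, 'idle',   False)]),         # missed the x < 1 deadline
        ('taken', 'free',  [('cs_own', ANY, 'idle', False)]),                 # leave CS: lock := free
        ('taken', 'free',  [('cs_lost', ANY, 'idle', False),                  # leave CS after being overwritten
                            ('own',    ANY, 'other', False)]),
    ]


def norm(ctrl, procs):
    """A minimal element: controller state plus a sorted multiset of (state, clock)."""
    return (ctrl, tuple(sorted(procs)))


def leq(a, b):
    """Ordering of the slides: same controller state and a's processes embed into b's."""
    return a[0] == b[0] and not (Counter(a[1]) - Counter(b[1]))


def time_pre(m):
    """Minimal elements of the configurations reaching up(m) by one time step (+1 on every clock)."""
    ctrl, procs = m
    choices = []
    for s, v in procs:
        if v == 0:
            return []                      # a clock at 0 has no value one tick earlier
        choices.append([(s, v - 1)] + ([(s, CMAX)] if v == CMAX else []))   # CMAX* came from CMAX-1 or CMAX*
    return [norm(ctrl, c) for c in product(*choices)]


def rule_pre(m, rule):
    """Minimal elements of the configurations reaching up(m) by one application of rule."""
    ctrl, procs = m
    cpre, cpost, roles = rule
    if cpost is not None and cpost != ctrl:
        return []
    # a role is played either by a process of m (matched on its post state, clock 0 if reset)
    # or by a process outside m, which then has to be added to the predecessor
    options = [[None] + [i for i, (s, v) in enumerate(procs) if s == post and (v == 0 or not reset)]
               for (_, _, post, reset) in roles]
    result = []
    for match in product(*options):
        used = [i for i in match if i is not None]
        if len(used) != len(set(used)):
            continue                       # two roles cannot be played by the same process
        rest = [p for i, p in enumerate(procs) if i not in used]
        per_role = []
        for (pre, guard, _, reset), i in zip(roles, match):
            if i is None or reset:
                per_role.append([(pre, v) for v in sorted(guard)])   # clock before the rule: anything the guard allows
            else:
                v = procs[i][1]
                per_role.append([(pre, v)] if v in guard else [])    # clock unchanged, so it must satisfy the guard
        result += [norm(cpre if cpre is not None else ctrl, rest + list(c)) for c in product(*per_role)]
    return result


def backward_reach(rules, bad):
    """bad, Pre(bad), Pre(Pre(bad)), ... on minimal elements until nothing new appears."""
    basis, work = [], []

    def add(m):
        if any(leq(b, m) for b in basis):
            return                         # already inside the ideal
        basis[:] = [b for b in basis if not leq(m, b)]
        basis.append(m)
        work.append(m)

    for b in bad:
        add(b)
    while work:
        m = work.pop()
        for p in time_pre(m) + [p for r in rules for p in rule_pre(m, r)]:
            add(p)
    return basis


def mutual_exclusion_holds(wait_guard):
    cs = ('cs_own', 'cs_lost')
    bad = [norm(c, [(s1, v1), (s2, v2)]) for c in ('free', 'taken')       # two processes in the CS
           for s1 in cs for s2 in cs for v1 in CLOCKS for v2 in CLOCKS]
    basis = backward_reach(fischer_rules(wait_guard), bad)
    # an initial configuration (lock free, every process idle with x = 0) lies in the ideal
    # iff some minimal element consists of (idle, 0) processes only
    return not any(c == 'free' and all(p == ('idle', 0) for p in procs) for c, procs in basis)


if __name__ == '__main__':
    print('wait x>1 before entering:', mutual_exclusion_holds(frozenset({CMAX})))   # True: safe
    print('enter without waiting   :', mutual_exclusion_holds(ANY))                  # False: unsafe
```

The termination argument of the slides is visible in `add`: a candidate already above some element of the basis is dropped, and elements above the new candidate are removed, so the basis always consists of minimal elements only. The counterexample for the variant without waiting is the one expected from the protocol: two processes read the free lock in the same tick, the first one takes it and enters, the second one overwrites the lock and enters as well.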

Implementation

• TPN - Parameterized Fischer: 2 seconds
• Lynch-Shavit's Protocol: parameterized network of arbitrary size
• TPN - Parameterized Lynch-Shavit: 25 minutes

Syntactic Variants

• Open timed networks (only strict clock constraints): undecidable
• Closed timed networks (only non-strict clock constraints): decidable

Semantic Variants

• Robust timed networks (semantically strict clock constraints): undecidable

Summary

• TN(1): decidable
• TN(2): undecidable
• DTN(K): decidable
• TN(2) open: undecidable
• TN(K) closed: decidable
• TN(2) robust: undecidable

Future work

• Acceleration and widening
• Forward analysis
• Priced timed networks
• Stochastic variants