Presentation is loading. Please wait.

Presentation is loading. Please wait.

UPPAAL Introduction Chien-Liang Chen.

Published byVictor Culverson Modified over 9 years ago

Similar presentations

Presentation on theme: "UPPAAL Introduction Chien-Liang Chen."— Presentation transcript:

1 UPPAAL Introduction Chien-Liang Chen

2 Outline Real-Time Verification and Validation Tools Promela and SPIN
Simulation Verification Real-Time Extensions: RT-SPIN – Real-Time extensions to SPIN UPPAAL – Toolbox for validation and verification of real-time systems

3 Modelling

4 UPPAAL UPPAAL is a tool box for simulation and verification of real-time systems based on constraint solving and other techniques. UPPAAL was developed jointly by Uppsala University and Aalborg University. It can be used for systems that are modeled as a collection of non-deterministic processes w/ finite control structures and real-valued clocks, communicating through channels and/or shared variables. It is designed primarily to check both invariants and reachability properties by exploring the statespace of a system.

5 UPPAAL Components UPPAAL consists of three main parts:
a description language, a simulator, and a model checker. The description language is a non-deterministic guarded command language with data types. It can be used to describe a system as a network of timed automata using either a graphical (*.atg, *.xml) or textual (*.xta) format. The simulator enables examination of possible dynamic executions of a system during the early modeling stages. The model checker exhaustively checks all possible states.

6 UPPAAL Tools (earlier version)
checkta – syntax checker simta – simulator verifyta – model checker

7 Example – .xta file format (from UPPAAL in a Nutshell)
clock x, y; int n; chan a; process A { state A0 { y<=6 }, A1, A2, A3; init A0; trans A0 -> A1 { guard y>=3; sync a!; assign y:=0; }, A1 -> A2 { guard y>=4; A2 -> A3 { guard n==5; }, A3 -> A0; }

8 Example (cont.) (from UPPAAL in a Nutshell)
process B { state B0 { x<=4 }, B1, B2, B3; commit B1; init B0; trans B0 -> B1 { guard x>=2; sync a?; assign n:=5,x:=0; }, B1 -> B2 { assign n:=n+1; B2 -> B3 { }, B3 -> B0; } system A, B;

9 Example (cont.)

10 Linear Temporal Logic (LTL)
LTL formulae are used to specify temporal properties. LTL includes propositional logic and temporal operators: [ ]P = always P <>P = eventually P P U Q = P is true until Q becomes true Examples: Invariance: [ ] (p) Response: [ ] ((p) -> (<> (q))) Precedence: [ ] ((p) -> ((q) U (r))) Objective: [ ] ((p) -> <>((q) || (r)))

11 Labels and Transitions
The edges of the automata can be labeled with three different types of labels: a guard expressing a condition on the values of clocks and integer variables that must be satised in order for the edge to be taken, a synchronization action which is performed when the edge is taken, and a number of clock resets and assignments to integer variables. Nodes may be labeled with invariants; that is, conditions expressing constraints on the clock values in order for control to remain in a particular node.

12 Committed Locations A committed location must be left immediately.
A broadcast can be represented by two transitions with a committed state between sends.

13 Transitions Delay transitions – if none of the invariants of the nodes in the current state are violated, time may progress without making a transition; e.g., from ((A0,B0),x=0,y=0,n=0), time may elapse 3.5 units to ((A0,B0),x=3.5,y=3.5,n=0), but time cannot elapse 5 time units because that would violate the invariant on B0. Action transitions – if two complementary edges of two different components are enabled in a state, then they can synchronize; also, if a component has an enabled internal edge, the edge can be taken without any synchronizaton; e.g., from ((A0,B0),x=3.5,y=3.5,n=0) the two components can synchronize to ((A1,B1),x=0,y=0,n=5).

14 Transitions (cont.) Action transitions – if two complementary edges of two different components are enabled in a state, then they can synchronize; also, if a component has an enabled internal edge, the edge can be taken without any synchronizaton; e.g., from ((A0,B0),x=0,y=0,n=0) the two components can synchronize to ((A1,B1),x=0,y=0,n=5).

15 UPPAAL Transitions

16 Urgent Channels and Committed Locations
Transitions can be overruled by the presence of urgent channels and committed locations: When two components can synchronize on an urgent channel, no further delay is allowed; e.g., if channel a is urgent, time could not elapse beyond 3, because in state ((A0,B0),x=3,y=3,n=0), synchronization on channel a is enabled.

17 Committed Nodes Transitions can be overruled by the presence of urgent channels and committed locations: If one of the components is in a committed node, no delay is allowed to occur and any action transition must involve the component committed to continue; e.g., in state ((A1,B1),x=0,y=0,n=5), B1 is commited, so the next state of the network is ((A1,B2),x=0,y=0,n=6).

18 UPPAAL Locations

19 Translation to UPPAAL Mutual Exclusion Program P1 :: while True do
T1 : wait(turn=1) C1 : turn:=0 endwhile || P2 :: while True do T2 : wait(turn=0) C2 : turn:=1 Mutual Exclusion Program

20 Example: Mutual Exclusion

21 Intelligent Light Control
press? Off Light Bright press? x:=0 x>3 x<=3 press? press? Requirements: If a user quickly presses the light control twice, then the light should get brighter; on the other hand, if the user slowly presses the light control twice, the light should turn off. Solution: Add a real-valued clock, x.

22 UPPAAL Model = Networks of Timed Automata
A timed automaton is a standard finite state automaton extended with a finite collection of real-valued clocks.

23 Timed Automata Clocks: x, y x<=5 && y>3 State a
Alur & Dill 1990 Clocks: x, y Guard Boolean combination of comp with integer bounds n Reset Action perfomed on clocks x<=5 && y>3 State ( location , x=v , y=u ) where v,u are in R a x := 0 Transitions ( n , x=2.4 , y= ) ( m , x=0 , y= ) a Action used for synchronization m e(1.1) ( n , x=2.4 , y= ) ( n , x=3.5 , y= )

24 Timed Automata - Invariants
Clocks: x, y x<=5 Transitions x<=5 & y>3 e(3.2) Location Invariants ( n , x=2.4 , y= ) a e(1.1) ( n , x=2.4 , y= ) ( n , x=3.5 , y= ) x := 0 m Invariants ensure progress. y<=10 g4 g1 g3 g2

25 A simple program What are possible values for x? Questions/Properties:
Int x Process P do :: x<2000  x:=x+1 od Process Q :: x>0  x:=x-1 Process R :: x=2000  x:=0 fork P; fork Q; fork R What are possible values for x? Questions/Properties: E<>(x>1000) E<>(x>2000) A[](x<=2000) E<>(x<0) A[](x>=0) Possible Always

26 Verification (example.xta)
int x:=0; process P{ state S0; init S0; trans S0 -> S0{guard x<2000; assign x:=x+1; }; } process Q{ state S1; init S1; trans S1 -> S1{guard x>0; assign x:=x-1; }; process R{ state S2; init S2; trans S2 -> S2{guard x==0; assign x:=0; }; p1:=P(); q1:=Q(); r1:=R(); system p1,q1,r1; Int x Process P do :: x<2000  x:=x+1 od Process Q :: x>0  x:=x-1 Process R :: x=2000  x:=0 fork P; fork Q; fork R

27 BNF for q-format

28 Example: Mutual Exclusion

29 Example (mutex2.xta) //Global declarations int turn; int in_CS;
//Process template process P(const id){ clock x; state Idle, Try, Crit; init Idle; trans Idle -> Try{assign turn:=id, x:=0; }, Try -> Crit{guard turn==(1-id); assign in_CS:=in_CS+1; }, Try -> Try{guard turn==id; }, Crit -> Idle{guard x>3; assign in_CS:=in_CS-1; }; } //Process assignments P1:=P(1); P2:=P(0); //System definition. system P1, P2;

30 From UPPAAL-time Models to Kripke Structures
I1 I2 t=1 I1 I2 t=0 T1 I2 t=0 I1 T2 t=1 T1 I2 t=1 I1 T2 t=0 T1 T2 t=0 C1 I2 t=1 T1 T2 t=1 I1 C2 t=0 C1 T2 t=1 T1 C2 t=0

31 CTL Models

32 Computation Tree Logic, CTL (Clarke and Emerson, 1980)
Syntax

33 Example (from UPPAAL2k: Small Tutorial)
Obs

34 Example (cont.)

35 Example (cont.) Verification: A[](Obs.taken imply x>=2)
E<>(Obs.idle and x>3) E<>(Obs.idle and x>3000)

36 Example (cont.)

37 Example (cont.)

38 Translation to UPPAAL Mutual Exclusion Program P1 :: while True do
T1 : wait(turn=1) C1 : turn:=0 endwhile || P2 :: while True do T2 : wait(turn=0) C2 : turn:=1 Mutual Exclusion Program

39 CTL Models

40 Computation Tree Logic, CTL (Clarke and Emerson, 1980)
Syntax

41 Path p s s1 s2 s3... The set of path starting in s

42 Formal Semantics

43 CTL, Derived Operators possible inevitable AF p EF p p p p p . . .

44 CTL, Derived Operators potentially always always AG p EG p p p p p p p
. . . . . . . . . . . . . . . . . . . . . . . .

45 Theorem All operators are derivable from EX f EG f E[ f U g ]
and boolean connectives

46 UPPAAL Specification Language
A[] p (AG p) E<> p (EF p) p::= a.l | gd | gc | p and p | p or p | not p | p imply p | ( p ) process location data guards clock guards

47 Semantics: Example push push click

48 Light Switch (cont.) A[] (x <= y) P.on --> P.off push push click

49 Paths push Example Path: push click

50 Elapsed Time in Path Example: s= D(s,1)=3.5, D(s,6)=3.5+9=12.5

51 Infinite State Space?

52 Regions Finite partitioning of state space
Definition y 2 1 1 2 3 x An equivalence class (i.e. a region) in fact there are only a finite number of regions!

53 Regions Finite partitioning of state space
Definition y 2 1 r 1 2 3 x Successor regions, Succ(r) An equivalence class (i.e. a region)

54 Regions Finite partitioning of state space
Definition y 2 1 THEOREM r {x}r {y}r 1 2 3 x Reset regions An equivalence class (i.e. a region) r

55 Region graph of simple timed automata

56 Modified light switch

57 Reachable part of region graph Properties

58 Roughly speaking.... Model checking a timed automata
against a TCTL-formula amounts to model checking its region graph against a CTL-formula

59 Problem to be solved Model Checking TCTL is PSPACE-hard

60 Zones: From Infinite to Finite
Symbolic state (set) (n, ) State (n, x=3.2, y=2.5) Zone: conjunction of x-y<=n, x<=>n x y x y

61 Symbolic Transitions y y delays to n x x x>3 y y conjuncts to x x
projects to 3<x, y=0 m Thus (n,1<=x<=4,1<=y<=3) =a => (m, 3<x, y=0)

62 Forward Reachability Init -> Final ? INITIAL Passed := Ø;
Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Final Waiting Init Passed

63 Forward Reachability Init -> Final ? INITIAL Passed := Ø;
Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Final Waiting n,Z n,Z’ Init Passed

64 Forward Reachability Init -> Final ? INITIAL Passed := Ø;
Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

65 Forward Reachability Init -> Final ? INITIAL Passed := Ø;
Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Waiting Final m,U n,Z n,Z’ Init Passed

66 UPPAAL Verification Options
Diagnostic Trace Breadth-First Depth-First Local Reduction Global Reduction Active-Clock Reduction Re-Use State-Space Over-Approximation Under-Approximation

67 Forward Rechability Init -> Final ? INITIAL Passed := Ø;
Waiting := {(n0,Z0)} REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add { (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed UNTIL Waiting = Ø or Final is in Waiting Waiting Final m,U location zone n,Z n,Z’ Init Passed

68 Order of Exploration Depth-First vs Breadth-First
Waiting stored on stack Breadth-First Waiting stored in queue Waiting Final m,U n,Z In most cases BF is preferred because it allows for generation of “shortest” traces. DF is useful in situations when reachability may be concluded without generating the full state-space. Easy computation of traces. n,Z’ Init Passed

69 Philips Bounded Retransmission Protocol (BRP)
[D’Argenio et.al. 97]

70 Protocol Overview Protocol developed by Philips.
Transfer data between Audio/Video components via infra-red communication. Data files are sent in smaller chunks. Problem: Unreliable communication medium. Solution: Sender retransmits if receiver responds too late. Receiver aborts if sender sends too late.

71 Overview of BRP Sender Receiver S R BRP K L Input: file = p1, …, pn
Output: p1, …, pn Sender Receiver S R BRP pi K lossy ack L lossy

72 How It Works Sender input: file = p1, …, pn.
S sends (p1,FST,0), (p2,INC,1), …, (pn-1,INC,1), (pn,OK,0). R sends: ack, …, ack. S retransmits pi if timeout. Receiver recives: p1, …, pn. Sender and Receiver receive NOK or OK. more parts will follow first part of file whole file OK

73 BRP Model Overview Sender Receiver S R BRP K L Input: file = p1, …, pn
Output: p1, …, pn Sender Receiver OK, NOK, DK IND, OK, NOK S R BRP (pi,INDicator,abit) K lossy L lossy ack

74 The Lossy Media one-place capacity delay value-passing
lossy = may drop messages

75 Bounded Retransmission
BRP Sender S sends a chunk pi and waits for ack from BRP Receiver R. If timeout occurs, the chunk is retransmitted. If too many timeouts occur, the transmission fails (NOK is sent to the Sender). If the whole file is successfully transmitted, then OK is sent to the Sender. BRP Receiver is similar.

76 Process S – BRP Sender

77 Process R – BRP Receiver

78 Sender and Receiver - Applications

Download ppt "UPPAAL Introduction Chien-Liang Chen."

Similar presentations

Real-Time Systems, DTU, Feb 15, 2000 Paul Pettersson, BRICS, Aalborg, Denmark. Timed Automata and Timed Computation Tree Logic Paul Pettersson

Real-Time Systems, DTU, Feb 15, 2000 Paul Pettersson, BRICS, Aalborg, Denmark. Timed Automata and Timed Computation Tree Logic Paul Pettersson
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
UPPAAL T-shirt to (identifiable)

UPPAAL T-shirt to (identifiable)
UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.

UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.
CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ 85287 Dr. Yann-Hang Lee

CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ Dr. Yann-Hang Lee
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.

卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

Similar presentations

Ads by Google