CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.

Presentation transcript:

1 Timed Automata I CS 5270 Lecture 4

2 Overview The real time computing environment. – Basic concepts – Scheduling – Resource access protocols. Verification of real time systems. Time-triggered architectures, protocols.

3 Overview Verification of real time systems. – Timed automata. – Properties: reachability properties will do! – Formal verification: the method (regional construction); an implementation: UPPAAL (Lab assignments).

4 Where We Were The real time computing environment – The external view – A closed loop consisting of a plant and a controller.

5 The External Closed System View Computing system, Plant, Sense, Actuate. Both the computing system and the plant have the same notion of time.

6 The External Closed System View Computing system, Plant, Sense, Actuate. Model this closed system as a timed automaton and verify it has the desired properties.

7 The Road Map Transition systems. Behavior of a transition system. Properties. Verification setting. Add time!

8 Transition Systems Vs Automata Automata = Transition system + accepting conditions. Transition systems ---- State spaces, dynamics. Automata ---- Languages, Properties.

9 Example Resource Manager: Req, Release, Grant.

10 Example FRW, BU, Bad: Req, Release, Grant, crash.

11 Example Bad: Req, Release, Grant, crash. Any sequence over {Req, Grant, Release} as allowed by the automaton. Rq G Rl Rq G allowed. Rq G Rl Cr not wanted!

12 Example Bad: Req, Release, Grant, crash. Any sequence over {Req, Grant, Release} as allowed by the automaton?

13 Example Bad: Req, Release, Grant, crash. Any sequence that ends with Release (except for the null string).

14 Transition Systems A simple model of dynamic systems. Discrete time. States. Transitions. Initial state(s). No accepting states.

15 Example C, H, On-heat, On-ac, OK, Off-ac, Off-heat.

16 Signal Flow Temperature, AC-motor, Heater-motor.

17 Example C, H, On-heat, On-ac, OK, Off-heat, Off-ac.

18 Example C, H, On-heat, On-ac, OK, Off-ac, Off-heat. State.

19 Example C, H, On-heat, On-ac, OK, Off-ac, Off-heat. State: OK. Transition.

20 Example C, H, On-heat, On-ac, OK, Off-ac, Off-heat. State. Transition. Action: Off-ac.

21 Example C, H, On-heat, On-ac, OK, Off-ac, Off-heat. State: OK. Transition. Action: Off-ac. Initial State.

22 (states S0 … S6; actions C, H, On-heat, On-ac, OK, Off-ac, Off-heat) PATH – S4 –on-heat→ S5 –OK→ S6 –off-heat→ S0 –?→ S1 …. Non-Paths: S5 –off-heat→ S6 –off-heat→ S0; S1 –on-ac→ S5 –OK→ S6 ….

23 (same diagram) PATH – S4 S5 S6 S0 S1 …. Run ---- Path starting from an initial state: S0 S1 S2 S3 S0 S1 ….

24 Transition Systems TS = (S, Act, →, S_in) --- Transition System – S --- States – Act --- A set of actions – → ⊆ S × Act × S ---- Transition Relation – S_in ⊆ S ---- Initial states. Often: – S and Act are finite sets. – S_in has only one element. – The transition relation is deterministic.

25 Deterministic Transition Systems TS = (S, Act, →, S_in) --- Transition System. (s, a, s’) ∈ → is drawn as s –a→ s’.

26 Transition Systems TS = (S, Act, →, S_in) --- Transition System (temperature controller diagram, states S0 … S6) S = ?

27 Transition Systems TS = (S, Act, →, S_in) --- Transition System S = { S0, S1, S2, …, S6 }

28 Transition Systems TS = (S, Act, →, S_in) --- Transition System Act = ?

29 Transition Systems TS = (S, Act, →, S_in) --- Transition System Act = { C, On-heat, H, On-ac, … }

30 Transition Systems TS = (S, Act, →, S_in) --- Transition System → = ?

31 Transition Systems TS = (S, Act, →, S_in) --- Transition System → = { (S0, H, S1), (S0, C, S4), … }

32 Transition Systems TS = (S, Act, →, S_in) --- Transition System S_in = ?

33 Transition Systems TS = (S, Act, →, S_in) --- Transition System S_in = { S0 }

34 Deterministic Transition Systems s –a→ s1 AND s –a→ s2 IMPLIES s1 = s2. Non-determinism is useful for getting succinct specifications. Abstractions (hiding details) give rise to non-determinism.

35 Non-Determinism Arrive at Junction. Toss Coin: H → Turn-left, T → Turn-right.

37 Non-Determinism Arrive at Junction. Toss Coin: H → Turn-left, T → Turn-right. (Toss Coin hidden.)

38 Non-Determinism Arrive at Junction. Toss Coin: Turn-left, Turn-right. (The outcome of the coin toss is abstracted away: non-deterministic choice.)

39 (temperature controller diagram) PATH – S4 S5 S6 S0 S1 …. Run ---- Path starting from an initial state: S0 S1 S2 S3 S0 S1 ….

40 Computations TS = (S, Act, →, S_in). Behaviors can also be defined as action sequences: – Computations, traces, … s0 s1 s2 … sn ---- run. If s0 –a1→ s1 –a2→ s2 … sn-1 –an→ sn (i.e. si –ai→ si+1 for each i), then a1 a2 a3 … an is a computation.

41 (temperature controller diagram) Run S0 S1 S2 S3. Computation ?

42 (temperature controller diagram) Run S0 S1 S2 S3 S0. Computation: H On-ac OK Off-ac.

43 Behaviors (Linear Time) The behavior of a transition system is: – Its set of runs. – Its set of computations. Does the behavior of TS have the desired property? – Does every computation (run) of the transition system have the desired property? – In no computation is C immediately followed by On-ac.

44 Behaviors Properties: – Is there a run leading to deadlock? ∃s. s0 →* s with s0 ∈ S_in and no action is enabled at s. – Is the state s reachable (via a run)? – Is there a bad state which is reachable? Often TS is presented implicitly! – For example, as a network of smaller transition systems.

45 The Verification Setting System –(model extraction)→ TS –(semantics)→ Behavior of TS –→ Check for property!

46 The Verification Setting System → TS → Behavior of TS. System Property = Temporal logic formula φ (Models of φ). Model-Checker: compares the behavior of TS with the models of φ: YES! / NO!

47 Temperature Controller (diagram: states S0 … S6; actions C, H, On-heat, On-ac, OK, Off-ac, Off-heat)

48 (temperature controller diagram) It is often convenient to consider both finite and infinite computations!

49 (temperature controller diagram) Property: every (finite) computation that ends with “on-heat” can be extended to a computation that ends with “off-heat”.

50 Linear time Vs. Branching time Linear time – The (flat) set of computations. Branching time – The tree of computations – How computations branch off is kept track of.

51 Linear time Vs. Branching time LTL (Linear time temporal logic). CTL (Computation tree logic). These two logics are incomparable. LTL – SPIN (Bell Labs, G. Holzmann). CTL – SMV (Clarke, McMillan, CMU / Cadence Lab).

52 Network of Transition Systems In general, the system will contain multiple components. The components will coordinate by communication. – Send/receive messages (asynchronous) – Perform common actions together (synchronous, hand-shake). – Hand-shake is usually a convenient abstraction.

53 Our Old Example

54 The Signal Space Gate, Controller, Train. Signals: open, close, Fin-Close, approach, left, proceed, break.

55 The Gate and Train Transition Systems Gate: open, close, Fin-Close. Train: approach, proceed, left, break.

56 The Gate Controller Transition System left, approach, close, Fin-Close, proceed, open.

57 Parallel Composition The communication is synchronous / hand-shake. Perform common actions together. TS = TrainTS || Gate-ControllerTS || GateTS

58 Parallel Composition (Gate: open, close. Train: proceed, left, approach, break. Gate-Controller: approach, close, Fin-Close, proceed, open.) Enabled actions?

59 Parallel Composition (same three diagrams) Enabled actions? proceed, Fin-Close

62 Parallel Composition (same three diagrams) Enabled actions? proceed, Fin-Close, left

65 Parallel Composition Gate states g0 (open, close); Train states t0, t1 (approach, proceed, break, left); Gate-Controller states GC0, GC1 (approach, close, Fin-Close, proceed, open). Enabled: proceed, Fin-Close, left.

66 Parallel Composition TS = TrainTS || Gate-ControllerTS || GateTS. s = (t, GC, g) is a state of TS. (g0, t0, GC0) –approach→ (g0, t1, GC1), because t0 –approach→ t1 (TRAIN) and GC0 –approach→ GC1 (Gate-Controller).

67 State Space Explosion TS = TS1 || TS2 … || TSn. TS is presented implicitly! – Fix a communication convention – Present TS1, TS2, …, TSn. We wish to analyze TS and often implement TS. But constructing TS first explicitly is often hopeless. |TSi| = 10, n = 6 – |TS| = ? (worst case)
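As an added example (not the lecture's or any tool's code), here is the hand-shake parallel composition of slides 57 to 66 and the implicit, on-the-fly exploration of slide 67 in Python. Only the action names come from the slides: the transition structure of each component, the extra locations (t2, g1, g2, GC2 to GC5) and the reachability property checked are assumptions made for this example.

```python
import math
from collections import deque

# Added example, not the lecture's own code. Components follow TS = (S, Act, ->, S_in);
# only the action names come from the slides, each transition structure is assumed here.
def make_ts(states, actions, transitions, initial):
    return {"S": frozenset(states), "Act": frozenset(actions),
            "T": frozenset(transitions), "S_in": frozenset(initial)}

TRAIN = make_ts(["t0", "t1", "t2"], ["approach", "break", "proceed", "left"],
                [("t0", "approach", "t1"), ("t1", "break", "t1"),  # break is local
                 ("t1", "proceed", "t2"), ("t2", "left", "t0")], ["t0"])
GATE = make_ts(["g0", "g1", "g2"], ["close", "Fin-Close", "open"],
               [("g0", "close", "g1"), ("g1", "Fin-Close", "g2"), ("g2", "open", "g0")], ["g0"])
CONTROLLER = make_ts(["GC0", "GC1", "GC2", "GC3", "GC4", "GC5"],
                     ["approach", "close", "Fin-Close", "proceed", "left", "open"],
                     [("GC0", "approach", "GC1"), ("GC1", "close", "GC2"),
                      ("GC2", "Fin-Close", "GC3"), ("GC3", "proceed", "GC4"),
                      ("GC4", "left", "GC5"), ("GC5", "open", "GC0")], ["GC0"])

def enabled(components, state):
    """Hand-shake: a shared action fires only if every component having it can do it; others stay put."""
    result = {}
    for a in sorted(frozenset().union(*(c["Act"] for c in components))):
        succ = [state]
        for i, c in enumerate(components):
            if a not in c["Act"]:
                continue
            nexts = [s2 for (s1, b, s2) in c["T"] if s1 == state[i] and b == a]
            succ = [s[:i] + (n,) + s[i + 1:] for s in succ for n in nexts]
        if succ:
            result[a] = succ
    return result

def explore(components):
    """BFS over the implicit product TS: computation first reaching each state, and deadlocked states."""
    start = tuple(next(iter(c["S_in"])) for c in components)
    computation, deadlocks, queue = {start: []}, [], deque([start])
    while queue:
        s = queue.popleft()
        moves = enabled(components, s)
        if not moves:
            deadlocks.append(s)
        for a, targets in moves.items():
            for t in targets:
                if t not in computation:
                    computation[t] = computation[s] + [a]
                    queue.append(t)
    return computation, deadlocks

def check_crossing_safety(components=(TRAIN, CONTROLLER, GATE)):
    """Reachability: is the train on the crossing (t2) while the gate is not fully closed (not g2)?"""
    computation, deadlocks = explore(components)
    bad = [s for s in computation if s[0] == "t2" and s[2] != "g2"]
    return bad, {"reachable": len(computation), "deadlocks": deadlocks,
                 "product": math.prod(len(c["S"]) for c in components),
                 "computation": computation}
```

States are tuples (t, GC, g) as on slide 66; the product has 54 states but only 6 are reachable, which is the gap between the implicit presentation and the explicit construction that slide 67 warns about.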

68 Timed Transition Systems Timed Transition Systems = Transition Systems + Clock Variables. Clock variables: – Used to record the passage of (real) time. – Act like timers. – Can be read. – Transitions are constrained (guarded) by the current values of clock variables. – Can be reset to 0 during a transition.

69 Using Clock Variables Hot, On-ac, OK, Off-ac. Spec.: Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.

70 Using Clock Variables Hot, On-ac; x, OK, Off-ac, and Off-ac with guard x ≥ 5. Spec.: Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.

71 Using Clock Variables Hot, On-ac; x, OK, Off-ac, Off-ac with guard x ≥ 5. Clock variable x is set to 0. On-ac ; x is short form for: On-ac ; x := 0

72 Using Clock Variables Hot, On-ac; x, OK, Off-ac, Off-ac with guard x ≥ 5. Clock variable x is used to form a guard: x ≥ 5

73 Using Clock Variables Hot, On-ac, OK, Off-ac. Spec.: Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on. Turn on ac within 3 time units after receiving Hot signal.

74 Using Clock Variables Hot; y, On-ac; x with guard y ≤ 3, OK, Off-ac, Off-ac with guard x ≥ 5. Spec.: Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on. Turn on ac within 3 time units after receiving Hot signal.

75 Using Clock Variables Hot; y, On-ac; x with guard y ≤ 3, OK, Off-ac, Off-ac with guard x ≥ 5. Three components: Action on-ac. Reset x. Guard y ≤ 3.

76 Using Clock Variables Hot; y, On-ac; x with guard y ≤ 3, OK, Off-ac, Off-ac with guard x ≥ 5. Do we need two clocks?

77 Using Clock Variables Hot; x, On-ac; x with guard x ≤ 3, OK, Off-ac, Off-ac with guard x ≥ 5. Do we need two clocks? NO!

78 Timed Transitions a ; X g – a, an action. X, a set of clock variables: the clock variables set to 0. g, a guard: a predicate based on the values of the clock variables. g ::= x ≤ c | x < c | x ≥ c | x > c | g1 ∧ g2, where x ∈ CL. CL ---- The set of clock variables used by the model. c ---- a rational number (integer).

79 State Invariants A clock constraint is associated with each state: state invariant. – The system can stay in the state only as long as the state’s invariant is not violated. For time points which violate the invariant one expects an output transition to be enabled. – Otherwise a time deadlock: the progress of time is blocked (in the model!).

80 State Invariants Transitions a ; x and b; invariant x ≤ 2 on the state in between.

81 State Invariants Transitions a ; x and b; invariant x ≤ 2. SAME AS b with guard x > 2 ?

82 State Invariants s0 –a ; x→ s1 (invariant x ≤ 2) –b, x > 3→ s2. At (s1, x = 2.4) the behavior is undefined!

83 State Invariants Output transitions with guards g, g1, g2, g3: at all “times” g OR g1 OR g2 OR g3 is satisfied. If more than one output transition is enabled, the choice is made non-deterministically.
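Added example, not from the lecture: the semantics of timed transitions and state invariants (slides 78 to 82) in Python, including the time deadlock that slide 82 calls undefined behavior at (s1, x = 2.4). The one-clock AC controller of slide 77 is included too; its locations Idle, Hot and Cooling and the x ≤ 3 invariant at Hot are assumptions made here.

```python
import operator

# Added example, not the lecture's own code. A timed transition is (src, action,
# guard g, reset set X, dst) as on the Timed Transitions slide; guards and state
# invariants are lists of atoms (x, op, c), conjoined, with op in <, <=, >, >=.
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def holds(constraint, valuation):
    """Conjunction of atoms; the empty list is the constraint 'true'."""
    return all(OPS[op](valuation[x], c) for (x, op, c) in constraint)

class TimedTS:
    def __init__(self, transitions, invariants):
        self.transitions = transitions      # list of (src, action, guard, resets, dst)
        self.invariants = invariants        # location -> constraint (missing = true)

    def delay(self, loc, val, d):
        """Let d time units pass in loc; None if the invariant would be violated.
        Atoms are bounds, so (given it holds now) checking the end point suffices."""
        new = {x: v + d for x, v in val.items()}
        return new if holds(self.invariants.get(loc, []), new) else None

    def fire(self, loc, val, action):
        """Discrete step: guard must hold now, clocks in X are reset to 0, and the
        target invariant must hold; None if no such transition is enabled."""
        for (src, a, guard, resets, dst) in self.transitions:
            if src == loc and a == action and holds(guard, val):
                new = {x: (0.0 if x in resets else v) for x, v in val.items()}
                if holds(self.invariants.get(dst, []), new):
                    return dst, new
        return None

    def enabled_actions(self, loc, val):
        return sorted({a for (s, a, g, _, _) in self.transitions if s == loc and holds(g, val)})

    def time_deadlock(self, loc, val, eps=1e-9):
        """Time deadlock (State Invariants slide): the invariant forbids any further
        passage of time and no discrete transition is enabled."""
        return self.delay(loc, val, eps) is None and not self.enabled_actions(loc, val)

# Slide 82: s0 -a; x-> s1, invariant x <= 2 at s1, s1 -b, x > 3-> s2.
SLIDE82 = TimedTS([("s0", "a", [], {"x"}, "s1"), ("s1", "b", [("x", ">", 3)], set(), "s2")],
                  {"s1": [("x", "<=", 2)]})

# The one-clock AC controller of slide 77 (locations Idle/Hot/Cooling are assumed):
# Hot resets x, On-ac needs x <= 3 and resets x, Off-ac needs x >= 5, OK is unguarded.
# An invariant x <= 3 at Hot forces On-ac within 3 time units of the Hot signal.
AC = TimedTS([("Idle", "Hot", [], {"x"}, "Hot"),
              ("Hot", "On-ac", [("x", "<=", 3)], {"x"}, "Cooling"),
              ("Cooling", "OK", [], set(), "Idle"),
              ("Cooling", "Off-ac", [("x", ">=", 5)], set(), "Idle")],
             {"Hot": [("x", "<=", 3)]})

def run_slide82():
    """Reproduce the slide: after a, wait 2 (allowed), try 0.4 more (refused), then stuck."""
    loc, val = SLIDE82.fire("s0", {"x": 0.0}, "a")
    val = SLIDE82.delay(loc, val, 2.0)
    return loc, val, SLIDE82.delay(loc, val, 0.4), SLIDE82.time_deadlock(loc, val)
```

At x = 2 the invariant of s1 blocks further delay and b is not enabled, so the model has a time deadlock; a model checker such as UPPAAL reports exactly this kind of state, which is why invariants and guards on the outgoing transitions must be chosen to cover each other.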

84 Timed Transition Systems and Automata How do we model real time systems? How do we specify (real time) behavioral properties? How do we verify behavioral properties? What is the behavior of a timed transition system?