Timed Automata

Final Exam Time: June 25th, 2pm-4pm Location: TBD

Aim of the Lecture knowledge of a basic formalism for modeling timed systems basic understanding of verification algorithms for timed systems (useful for practical modeling and verification).

Example: Peterson's Algorithm flag[0], flag[1] (initialed to false) — meaning I want to access CS turn (initialized to 0) — used to resolve conflicts Process 0: while (true) { <noncritical section>; flag[0] := true; turn := 1; while flag[1] and turn = 1 do { }; <critical section>; flag[0] := false; } Process 1: while (true) { <noncritical section>; flag[1] := true; turn := 0; while flag[0] and turn = 0 do { }; <critical section>; flag[1] := false; }

Example: Peterson's Algorithm

Example: Peterson's Algorithm

Fischer's Protocol id — shared variable each process has it's own timer (for delaying) for correctness it is necessary that K2 > K1 Process i: while (true) { <noncritical section>; while id != 0 do {} delay K1; id := i; delay K2; if (id = i) { <critical section>; id := 0; }

Modeling Real Time Systems Two models of time: discrete time domain continuous time domain

Discrete Time Domain clock ticks at regular interval at each tick something may happen between ticks — the system only waits

Discrete Time Domain choose a fixed sample period ε all events happen at multiples of ε simple extension of classical models main disadvantage — how to choose ε ? big ε  too coarse model low ε  time fragmentation, too big state space usage: particularly synchronous systems (hardware circuits)

Continuous Time Domain time is modeled as real numbers delays may be arbitrarily small more faithful model, suited for asynchronous systems uncountable state space  cannot be directly handled automatically by “brute force”

Timed Automata extension of finite state machines with clocks continuous real semantics limited list of operations over clocks  automatic verification is feasible allowed operations: comparison of a clock with a constant reset of a clock uniform flow of time (all clocks have the same rate)

What is a Timed Automaton? an automaton with locations (states) and edges the automaton spends time only in locations, not in edges

What is a Timed Automaton? (2) real valued clocks (x, y, z) all clocks run at the same speed clock constraints can be guards on edges

What is a Timed Automaton? (3) clocks can be reset when taken an edge only a reset to value 0 is allowed

What is a Timed Automaton? (4) location invariants forbid to stay in a state too long invariants force taking an edge

Clock Constraints  

Timed Automata Syntax  

Semantics: Main Idea semantics is a state space (reminder: guarded command language, extended finite state machines) states given by: location (local state of the automaton) clock valuation transitions: waiting — only clock valuation changes action — change of location

Clock Valuations  

Evaluation of Clock Constraints  

Examples  

Timed Automata Semantics  

Example What is a clock valuation? What is a state? Find a run = sequence of states

Example    

Example 2 What does the automaton do? Write an example of a run...

Examples construct a simple timed automata model of: a digital wristwatch with 4 modes: cycle through modes “intelligent” return to basic mode (after used, timeout, ...) daily (morning) schedule: breakfast, transport, lecture, ... (include minimal times necessary, deadlines, ...)

Semantics: Notes the semantics is infinite state (even uncountable) the semantics is even infinitely branching

Reachability Problem Reachability Problem Input: a timed automaton A, a location l of the automaton Question: does there exists a run of A which ends in l This problem formalises the verification of safety problems — is an erroneous state reachable?

Example How to do it algorithmically?

Reachability Problem Theorem： Notes The reachability problem is PSPACE-complete. Notes note that even decidability of the problem is not straightforward — remind that the semantics is infinite state decidability proved by region construction (to be discussed) completeness proved by general reduction from linearly bounded Turing machine (not discussed)

Region Construction Main idea: some clock valuations are equivalent work with regions of valuations instead of valuations finite number of regions

Preliminaries  

Equivalence on Clock Valuation  

Equivalence on Clock Valuation  

Equivalence: Example 1  

Equivalence: Example 2  

Regions  

Regions: Example  

Regions: Example  

Region Graph  

Operations on Regions To construct the region graph, we need the following operations: let time pass — go to adjacent region at top right intersect with a clock constraint (note that clock constraints define supersets of regions) if region is in the constraint: no change otherwise: empty reset a clock — go to a corresponding region

Example: Automaton

Example: Region Graph

Other Problems verification of temporal (timed) logic universality, language inclusion (undecidable!) (timed) bisimulation of timed automata

Zones  

Difference Bound Matrix  

Zone Graph: Example

Approximations  

Extensions For practical modeling we use several extensions: location invariants parallel composition of automata channel communication, synchronization integer variables These issues are solved in the ‘usual way’. Here we focused on the basic model, basic aspects dealing with time.

Example: Parallel Composition

Fischer's Protocol id — shared variable each process has it's own timer (for delaying) for correctness it is necessary that K2 > K1 Process i: while (true) { <noncritical section>; while id != 0 do {} delay K1; id := i; delay K2; if (id = i) { <critical section>; id := 0; }

Fischer's Protocol: Mode

Summary timed automata: formal syntax and semantics reachability problem: the basic verification problem, decidable (PSPACE-complete) practical verification: zones, approximation techniques, ...

Hybrid System Systems containing both discrete and continuous components Practical Examples: Embedded System Controller VLSI circuits System Biology Safety Critical Area Formal Verification Formal Model : Hybrid Automata

Hybrid Automata Widely studied formal models for hybrid systems They consist of A finite state transition system Differential equations in each location Example

Linear Hybrid Automata Approximate

Safety Verification Reachability Find a sequence of states which can reach the target The continuous states between states and Flow function and first derivative and for all reals satisfies invariant in

Reachability Analysis Approach Over-approximation Geometric Computation Tools HyTech PHAVer Performance Undecidable Imprecise Low dimension

Reachability Analysis Bounded Model Checking Search for a potential behavior within k step Usually solved by SMT techniques Need to encode all the potential bounded behavior firstly Medium bound －> Large SMT problem Control The Complexity!

Thank You