Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verification and Controller Synthesis for Timed Automata : the tool KRONOS Stavros Trypakis.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Verification and Controller Synthesis for Timed Automata : the tool KRONOS Stavros Trypakis."— Presentation transcript:

1 Verification and Controller Synthesis for Timed Automata : the tool KRONOS
Stavros Trypakis

2 Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2
Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller

3 Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2
Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller time

4 Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2
Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller approach z <= 3 time

5 Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2
Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller approach lower y <= 1 time z <= 3

6 Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2
Timed Systems Timed Automata approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate lower exit approach z <= 3 z <= 1 raise z := 0 Controller x = 2.1 y = 0.9 z = 2.1 approach lower enter time x > 2  x <= 5

7 Verification   true Given a system and a property, verify that
Types of Analysis Verification Given a system and a property, verify that the system satisfies the property. e.g., “whenever the train is in the crossing, the gate is down” Properties: Linear-time (execution sequences): Timed Büchi Automata. task1 task2 Branching-time (execution trees): TCTL.   true >=1

8 Types of Analysis Controller Synthesis Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves. Properties: Invariance: the controller keeps the system inside a set of safe states. Reachability: the controller leads the system to a set of target states.

9 Synthesizing a Controller
Timed Systems Synthesizing a Controller approach lower down up raise y := 0 y <= 1 y <= 2 y >= 1 far near x >= 1 x <= 5 x := 0 exit enter x := 0 x > 2 in Train Gate Environment approach x <= 1 x <= 0 Controller lower raise exit

10 Motivations Kronos backward (fix-point) Kronos backward (fix-point)
Symbolic: unions of regions encoded by polyhedra Kronos backward (fix-point) Kronos backward (fix-point) No diagnostics Expensive: - complementation  - nested fix-points non-convex polyhedra Kronos forward Too big: 10 for TGC 4 Enumerative: region by region Region graph Reachability TBA TCTL Controller Synthesis Model checking

11 Time-abstracting Bisimulation
Contributions Contributions Symbolic: unions of regions encoded by polyhedra Kronos backward (fix-point) Kronos backward (fix-point) Kronos backward (fix-point) Kronos forward On-the-fly verification Generate & Verify at the same time Re-use untimed resources (algorithms + tools) Time-abstracting Bisimulation (Quotient graph) Enumerative: region by region Region graph Reachability TBA TCTL Controller Synthesis Model checking

12 Plan Analysis with the Time-abstracting Bisimulation
On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

13 Plan Analysis with the Time-abstracting Bisimulation
On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

14 The Time-abstracting Bisimulation
Analysis with Time-abstracting Bisimulations The Time-abstracting Bisimulation Equivalence  on TA states: s1 s2 s3 a s1 s2 s4 a 2 s4 1, 2  R 1 s3 Preserve discrete state changes. Abstract exact time delays.

15 The Time-abstracting Quotient Graph
Analysis with Time-abstracting Bisimulations The Time-abstracting Quotient Graph The quotient induced by the greatest time-abstracting bisimulation defined on the TA. Finite symbolic graph: - Nodes = symbolic states (equivalence classes). - Edges = symbolic transitions (discrete and time). Basic property: pre-stability a a s1 s2 s1 s2 Q1 Q2 Q1 Q2 Q1  pre (Q2) = Q1 a Q1  pre (Q2) = Q1 time

16 Example of Quotient graph
Analysis with Time-abstracting Bisimulations Example of Quotient graph up approach approach up enter lower up lower lower lower enter exit up down down down down down down enter exit (near, going up, 1, 1 < x <= y <= 2  z < x+1) raise raise raise approach

17 Verification on the Quotient graph: Linear-time
Analysis with Time-abstracting Bisimulations Verification on the Quotient graph: Linear-time Every cycle in the quotient graph contains an infinite run and vice versa. Q1 Q2 Q3 Q4 s1 s2 s3 s4 ... s5 Timed Büchi Automata model checking DFS for cycles or SCCs in the quotient graph

18 Verification on the Quotient graph: Branching-time
Analysis with Time-abstracting Bisimulations Verification on the Quotient graph: Branching-time If s1  s2, then for any TCTL formula , s1 satisfies  iff s2 satisfies . Due to determinism of time. 1 s1 s2 s3 2 s4 s5 s6 TCTL model checking CTL model checking in the quotient graph

19 Plan On-the-fly Verification
Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

20 The Simulation Graph Finite symbolic graph generated dynamically by
On-The-Fly Verification The Simulation Graph Finite symbolic graph generated dynamically by forward reachability : - Start from an initial node (symbolic state). - Add successor nodes using post( ) operator. - Stop when a node is already visited. Basic property: post-stability a s2 a s1 Q1 Q2 Q2 = post (post (Q1)) time a

21 Every cycle in the simulation graph contains an infinite run
On-The-Fly Verification Verification on the Simulation graph: Linear-time Every cycle in the simulation graph contains an infinite run and vice versa. Idea of proof: every post-stable cycle can be pre-stabilized Q3  pre(Q1) Q0 Q1 Q2 Q3

22 Every cycle in the simulation graph contains an infinite run
On-The-Fly Verification Verification on the Simulation graph: Linear-time Every cycle in the simulation graph contains an infinite run and vice versa. The process terminates, yielding a non-empty, pre-stable cycle  can use pre-stability to extract an infinite run. Q0 Q1 Q2 Q3 Timed Büchi Automata model checking DFS for cycles or SCCs in the simulation graph

23 Verification on the Simulation graph: Branching-time
On-The-Fly Verification Verification on the Simulation graph: Branching-time Branching-time properties not preserved: no pre-stability. But : Nested problems of Timed Büchi Automata model checking TCTL model checking

24 Abstractions for on-the-fly verification
Clock activity : eliminate inactive clocks  polyhedra change dimension dynamically Closure (or widening) : extrapolate bounds when they go beyond some maximal threshold Inclusion, convex hull, etc.

25 Plan Diagnostics Analysis with the Time-abstracting Bisimulation
On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

26  Timed Diagnostics ...  a b c a b c
Symbolic diagnostics not sufficient: no information on delays. Need timed diagnostics, e.g.: approach 2.5 lower 1 enter ... Finite diagnostics: extract runs from symbolic paths. e.g., in quotient graph: a b c s2 a s3 b s3+ s4 c s1 choose points and delays in polyhedra (matrix representation) Q5 Q1 Q2 Q3 Q4

27 Diagnostics Timed Diagnostics Symbolic diagnostics not sufficient: no information on delays. Need timed diagnostics, e.g.: approach 2.5 lower 1 enter ... Infinite diagnostics: this method does not terminate. ... - a periodic run does not always exist - … unless if no strict constraints (<, >) in symbolic cycle

28 Plan Controller Synthesis
Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

29 Controller Synthesis u  s c Untimed case: u c u
- Model: graph with edges labeled controllable - uncontrollable. c c ... ... - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors Timed case: - Model: TA with discrete actions labeled controllable - uncontrollable - Semantics: dense strategies (time transitions ?) u s c

30 Controller Synthesis using Fix-points
controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves. Q c u s compute winning states as fix-points of contr-pre( ). obtain controller = intersect TA with winning states. method costly (complementation in contr-pre( ), fix-point computes maximal strategy).

31 On-the-fly Controller Synthesis
on-the-fly algorithm for the untimed case: - a DFS is used to find a strategy - the algorithm stops as soon as first strategy is found untimed algorithm can be used for timed synthesis, too: untimed algorithm Quotient graph (symbolic) strategy TA controller pre-stability of quotient graph essential for correctness  cannot use simulation graph… 

32 On-the-fly synthesis in quotient graph
Controller Synthesis On-the-fly synthesis in quotient graph up approach approach up enter lower up lower lower lower enter exit up down down down down down down enter exit raise raise raise approach

33 Plan Implementation Analysis with the Time-abstracting Bisimulation
On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

34 Implementation in Kronos
initial partition  P, <=k P, ... TA TA TA ... P, P  P (On-the-fly) Parallel Composition TA Minim. Full TCTL model checking Safe TCTL model checking Controller Synthesis Reachability TBA model checking TBA Quotient Graph  Yes/No, diagnostics Restricted TA (controller) Yes/No, diagnostics Matrix library Aldebaran: - reduction/comparison - model checking - simulation/visualization

35 Connection of Kronos to Open-Caesar
Implementation Connection of Kronos to Open-Caesar interface to Open-Caesar input: model code generation TA network + discrete shared vars. + message passing Kronos-Open model.c Open-Caesar’s graph library C-compiler Optimized polyhedra library simulator -calculus formula evaluator Yes/No + untimed diagnostics Yes/No + untimed diagnostics regular expression exhibitor Simulation graph generator State formula - Reachability + timed diagnostics - TBA model checking. profounder TBA

36 Plan Case studies Analysis with the Time-abstracting Bisimulation
On-the-fly Verification Diagnostics Controller Synthesis Implementation Case studies Conclusions and Perspectives

37 Case Studies FRP/DT protocol (project with CNET, Lannion)
- found inconsistency error (known to designers) Multimedia documents (from INRIA project OPERA) - modeled documents as Timed Automata - checked executability (model checking) - computed schedulers (controller synthesis) Bang&Olufsen protocol (from previous case study by Uppaal) - found error not reported in Uppaal case study Benchmarks: STARI chip, Fischer’s protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

38 Experiences: performance
Case studies Experiences: performance improved performance in benchmarks, often by many orders of magnitude. tools and techniques able to handle real-world case studies: - Bang&Olufsen: 30 discrete variables, large constants simulation graph = 10 symbolic states, 15 mins, 300 MB counter example = 1500 steps long, 20 secs 7 - STARI: 30 clocks, 60 boolean variables often bottleneck is discrete state space

39 Experiences: comparison of methods
Case studies Experiences: comparison of methods Techniques are complementary Quotient graph Simulation graph Case study time (secs) time (secs) nodes edges nodes edges Fischer 22,085 122,804 1,000 164,935 457,799 1,060 Real-time scheduling 929 1,503 70 10,839 22,382 150 Philips 503 1,001 3 194 488 1 CSMA/CD 481 875 1 60 96 1

40 Conclusions Practicality not measured only in seconds, megabytes
Expressive models : - discrete variables (Kronos-open) - different property-specification formalisms (TBA, TCTL) Variety : - of problems (model checking, controller synthesis) - of techniques (on-the-fly, using untimed tools) - of feedback (symbolic/timed diagnostics, controllers) Case studies : source of inspiration.

41 Perspectives Controller synthesis: - more properties (e.g., liveness)
- more efficient techniques (e.g., completely on-the-fly) Performance: - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra) - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders) Methodology for correct & efficient modeling: - domain-specific guidelines - composition theory

Download ppt "Verification and Controller Synthesis for Timed Automata : the tool KRONOS Stavros Trypakis."

Similar presentations

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Chapter 16 : KRONOS (Model Checking of Real-time Systems)

Chapter 16 : KRONOS (Model Checking of Real-time Systems)
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.

Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ 85287 Dr. Yann-Hang Lee

CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ Dr. Yann-Hang Lee
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Hybrid Approach to Model-Checking of Timed Automata DAT4 Project Proposal Supervisor: Alexandre David.

Hybrid Approach to Model-Checking of Timed Automata DAT4 Project Proposal Supervisor: Alexandre David.
Model Checking for Probabilistic Timed Systems Jeremy Sproston Università di Torino VOSS Dagstuhl seminar 9th December 2002.

Model Checking for Probabilistic Timed Systems Jeremy Sproston Università di Torino VOSS Dagstuhl seminar 9th December 2002.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google