1 Networks of TA; Specification Logic; Case Studies CS5270, P.S. Thiagarajan.


1 Networks of TA; Specification Logic; Case Studies. CS5270, P.S. Thiagarajan

2 Parallel Composition
TTS = TTS_1 || TTS_2 || ... || TTS_n
Same principle as before (the product of untimed transition systems):
– Do common actions together.
– Take the union of the clock variables.
– Take the conjunction of the guards, and of the state invariants.

3 An Example. [Figure: two timed automata and their parallel composition.]

4 The Product Construction
TTS_1 = (S_1, s0_1, Act_1, X_1, I_1, →_1)
TTS_2 = (S_2, s0_2, Act_2, X_2, I_2, →_2)
Assume X_1 and X_2 are disjoint (rename the clocks if necessary).
TTS = TTS_1 || TTS_2 = (S, s0, Act, X, I, →) where:
– S = S_1 × S_2
– s0 = (s0_1, s0_2)
– Act = Act_1 ∪ Act_2
– X = X_1 ∪ X_2
– I(s1, s2) = I_1(s1) ∧ I_2(s2)

5 The Product Construction
TTS_i = (S_i, s0_i, Act_i, X_i, I_i, →_i), i = 1, 2
TTS = TTS_1 || TTS_2 = (S, s0, Act, X, I, →)
→ is the least subset of S × Act × Φ(X) × 2^X × S (Φ(X) being the clock constraints over X) satisfying the following.
Suppose (s1, a, φ_1, Y_1, s1') ∈ →_1 and (s2, b, φ_2, Y_2, s2') ∈ →_2.
– Case 1: a = b ∈ Act_1 ∩ Act_2 (a common action). Then ((s1, s2), a, φ_1 ∧ φ_2, Y_1 ∪ Y_2, (s1', s2')) ∈ →.
– Case 2: a ∈ Act_1 − Act_2 (local to TTS_1). Then ((s1, s2), a, φ_1, Y_1, (s1', s2)) ∈ →.
– Case 3: b ∈ Act_2 − Act_1 (local to TTS_2). Then ((s1, s2), b, φ_2, Y_2, (s1, s2')) ∈ →.

6 The Gate-Train Example. [Figure: the train, gate and controller automata.]

7 Reachability of Control States
TS = (S, S0, Act, →), s ∈ S. s is reachable iff there is a run which ends at s.
TTS = (S, S0, Act, X, I, →), s ∈ S. s is reachable in TTS iff for some clock valuation V, the state (s, V) is reachable in TS_TTS.
In the Train-Gate example a good question to ask is:
– Is the state (in, up, s) reachable for some control state s of the controller?
– This is a safety property: the train must never be inside the crossing while the gate is up.
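The product construction of slides 4 and 5, applied to the safety question of slide 7, as an added example in Python. This is the editor's code, not the lecture's and not UPPAAL's. The train and gate automata are a constructed, simplified pair (the slides' model also has a controller, omitted here, so the gate synchronises directly on the train's approach and exit actions), and encoding a guard or invariant as a tuple of atomic constraints read as a conjunction is an assumption of this example. Beyond the slides, it also runs an untimed reachability check over the product: that check over-approximates timed reachability, so an "unreachable" answer is conclusive while a "reachable" one would still need the zone or region analysis of slides 10 and 11.

```python
"""Parallel composition of timed transition systems (TTS), following the
product construction of slides 4-5, plus an untimed reachability check for
the safety question of slide 7.

A guard is a tuple of atomic clock constraints (clock, op, const), read as
their conjunction; the empty tuple is the guard 'true'.  Invariants are
guards attached to control states.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Edge:
    src: object           # control state (a string, or a tuple in a product)
    act: str              # action label
    guard: tuple          # conjunction of (clock, op, const) constraints
    reset: frozenset      # clocks reset to 0 when the edge is taken
    dst: object


@dataclass(frozen=True)
class TTS:
    states: frozenset
    init: object
    acts: frozenset
    clocks: frozenset
    inv: dict = field(compare=False)   # control state -> invariant guard
    edges: frozenset = frozenset()


def product(t1: TTS, t2: TTS) -> TTS:
    """TTS_1 || TTS_2: synchronise on common actions, interleave the rest."""
    if t1.clocks & t2.clocks:
        raise ValueError("clock sets must be disjoint; rename clocks first")
    common = t1.acts & t2.acts
    states = frozenset((s1, s2) for s1 in t1.states for s2 in t2.states)
    # I(s1, s2) = I_1(s1) and I_2(s2): concatenating constraint tuples is conjunction.
    inv = {(s1, s2): t1.inv.get(s1, ()) + t2.inv.get(s2, ()) for s1, s2 in states}
    edges = set()
    for e1 in t1.edges:
        if e1.act in common:
            # Case 1: both components move together; guards conjoined, resets unioned.
            for e2 in t2.edges:
                if e2.act == e1.act:
                    edges.add(Edge((e1.src, e2.src), e1.act, e1.guard + e2.guard,
                                   e1.reset | e2.reset, (e1.dst, e2.dst)))
        else:
            # Case 2: action local to TTS_1; TTS_2 stays where it is.
            for s2 in t2.states:
                edges.add(Edge((e1.src, s2), e1.act, e1.guard, e1.reset, (e1.dst, s2)))
    for e2 in t2.edges:
        if e2.act not in common:
            # Case 3: action local to TTS_2; TTS_1 stays where it is.
            for s1 in t1.states:
                edges.add(Edge((s1, e2.src), e2.act, e2.guard, e2.reset, (s1, e2.dst)))
    return TTS(states, (t1.init, t2.init), t1.acts | t2.acts,
               t1.clocks | t2.clocks, inv, frozenset(edges))


def untimed_reachable(t: TTS) -> set:
    """Control states reachable when guards and invariants are ignored.

    Over-approximates timed reachability: a control state unreachable here
    is unreachable in the TTS, but a reachable one may still be excluded by
    the clocks (deciding that needs the zone/region quotient of slides 10-11).
    """
    seen, work = {t.init}, [t.init]
    while work:
        s = work.pop()
        for e in t.edges:
            if e.src == s and e.dst not in seen:
                seen.add(e.dst)
                work.append(e.dst)
    return seen


# Constructed, simplified train/gate pair (not the slides' model, which also
# has a controller): the gate synchronises directly on 'approach' and 'exit'.
TRAIN = TTS(
    states=frozenset({"far", "near", "in"}), init="far",
    acts=frozenset({"approach", "in", "exit"}), clocks=frozenset({"x"}),
    inv={"near": (("x", "<=", 5),), "in": (("x", "<=", 5),)},
    edges=frozenset({
        Edge("far", "approach", (), frozenset({"x"}), "near"),
        Edge("near", "in", (("x", ">", 2),), frozenset(), "in"),
        Edge("in", "exit", (), frozenset({"x"}), "far"),
    }))

GATE = TTS(
    states=frozenset({"up", "down"}), init="up",
    acts=frozenset({"approach", "exit"}), clocks=frozenset({"y"}),
    inv={"down": (("y", "<=", 10),)},
    edges=frozenset({
        Edge("up", "approach", (), frozenset({"y"}), "down"),
        Edge("down", "exit", (("y", ">=", 1),), frozenset({"y"}), "up"),
    }))


def train_in_gate_up_reachable() -> bool:
    """Slide 7's safety question on the untimed abstraction of TRAIN || GATE."""
    return ("in", "up") in untimed_reachable(product(TRAIN, GATE))


if __name__ == "__main__":
    p = product(TRAIN, GATE)
    for e in sorted(p.edges, key=str):
        print(e.src, "--", e.act, e.guard, "reset", set(e.reset), "-->", e.dst)
    print("(in, up) reachable:", train_in_gate_up_reachable())
```

The product has 3 × 2 control states but only four edges: one synchronised `approach`, one synchronised `exit`, and the train-local `in` interleaved with each gate state. Because `approach` forces the gate down before `in` can fire, `(in, up)` is unreachable already in the untimed graph, which settles the safety question without looking at the clocks; had it been reachable, the guards `x > 2` and `y >= 1` would have to be analysed with zones before drawing any conclusion.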

8 Reachability of Control States
TTS = (S, s0, Act, X, I, →), s ∈ S. s is reachable in TTS iff for some clock valuation V, the state (s, V) is reachable in TS_TTS.
TS_TTS = (S × V, (s0, V_zero), Act ∪ R, ⇒), where V is the set of clock valuations, R is the set of non-negative reals (time-passage steps) and ⇒ ⊆ (S × V) × (Act ∪ R) × (S × V).
Both S × V and Act ∪ R are infinite sets.

9 Reachability of Control States
For a finite TS it is trivial to decide whether s ∈ S is reachable in TS.
For a finite TTS, whether s is reachable in TTS is not easy to decide, because TS_TTS is an infinite object!
But this can be done, and the verification process can be automated.
More involved (liveness) properties can also be verified effectively, but not always efficiently.

10 The Reductions
TTS semantics: TS_TTS → TA → QTA
– TS_TTS: both the set of states and the set of actions are infinite.
– Time abstraction gives TA: a finite set of actions, but an infinite set of states.
– Quotienting via a stable equivalence relation of finite index gives QTA: both states and actions are finite sets.

11 The Reductions
TTS semantics: TS_TTS (infinite states and actions) → TA (finite actions, infinite states) → QTA (finite states and actions).
QTA is computed directly from TTS (a finite object).
s is reachable in TTS iff the corresponding state is reachable in QTA.

12 Specification Logics

13 Temporal Properties: Qualitative
We would like to pose more sophisticated questions (other than reachability questions):
– Every "request" is "eventually" served.
– The sensor signal x11 is sensed infinitely often.
– From any stage of the computation it is possible to reach the "all clear" state within 3 steps.

14 Temporal Properties: Quantitative
– Every "request" is served within 3 microseconds.
– The sensor signal x11 is sensed every 10 milliseconds, for ever.
– From any stage of the computation it is possible to reach the "all clear" state within 1 second.

15 Temporal Logics
– A good mechanism for expressing qualitative temporal properties of reactive systems.
– Linear time: LTL, ...
– Branching time: CTL, ...
– Tools: SPIN, SMV, ...
UPPAAL logic:
– A part of CTL + a bit of real time.
– A restricted version of TCTL.

16 The Verification Framework
Start with a finite-state (untimed) transition system TS = (S, s0, R), where R ⊆ S × S is the (unlabeled) transition relation.
Identify a finite set of atomic propositions AP = {p, q, r, ...}, for example:
– p = "The alarm light is on"
– q = "User15 is waiting"
– r = "The buffer is full"

17 The Verification Framework
TS = (S, S0, R), AP = {p, q, r, ...}
L : S → 2^AP is the valuation (labelling) function: it specifies the subset of atomic propositions that are "true" at a state.
Identifying AP and L is part of the modeling process.

18 Atomic Propositions
[Figure: an Arbiter between processes PR1 and PR2 and a shared Resource, with signals Req-1, Grt-1, Req-2, Grt-2.]
– i1: Process 1 is idle
– w1: Process 1 is waiting
– u1: Process 1 is using the resource
AP = {i1, w1, u1, i2, w2, u2}

19 [Figure: the arbiter's transition system, states s0, s1, s2, s3, s4, s5 with transitions labelled Req1, Req2, Grt1, Grt2, Ret1, Ret2.]

20 The same transition system, now labelled:
L(s0) = {i1, i2}, L(s2) = {i1, u2}, L(s5) = {w1, w2}

21 L(s0) = {i1, i2}. L(s3) = ?

22 L(s0) = {i1, i2}. L(s3) = {w1, i2}

23 CTL
TS = (S, S0, R), AP = {p, q, r, ...}, L : S → 2^AP.
K = (S, S0, R, AP, L) is called a Kripke structure (often AP is suppressed).
Using AP, build a CTL formula φ and ask: K, s ╞ φ ? Is φ true in K at s?
This is the CTL model checking problem!
We will look at only a fragment of CTL, called CTL⁻.

24 CTL⁻ Syntax
– AP: a finite set of atomic propositions.
– Every p ∈ AP is a formula.
– If φ and φ' are formulas then so are ¬φ and φ ∨ φ'.
– If φ is a formula then so is EX(φ).
– If φ is a formula then so are EF(φ) and AF(φ).

25 Formulas
EX(p ∨ EF(AF(¬p ∨ r)))
[Figure: the syntax tree of this formula: EX at the root, below it ∨ with children p and EF, below EF the node AF, below AF the node ∨ with children ¬p and r.]

26 Semantics
K = (S, S0, R, AP, L), L : S → 2^AP; φ a CTL⁻ formula; s ∈ S.
K, s ╞ φ : φ holds (is satisfied) at s.

27 Semantics
CTL⁻ ::= p | ¬φ | φ1 ∨ φ2 | EX(φ) | EF(φ) | AF(φ)
K = (S, S0, R, AP, L), L : S → 2^AP, s ∈ S.
– K, s ╞ p iff p ∈ L(s).
– K, s ╞ ¬φ iff it is NOT the case that K, s ╞ φ.
– K, s ╞ φ1 ∨ φ2 iff K, s ╞ φ1 OR K, s ╞ φ2.

28 [Figure: the arbiter transition system again, with L(s2) = {i1, u2} and L(s5) = {w1, w2}.]
K, s5 ╞ w1 ?  K, s0 ╞ w2 ?

29 Same figure. K, s5 ╞ ¬i1 ?  K, s0 ╞ w2 ∨ i1 ?

30 Same figure. K, s5 ╞ ¬i1 ?  K, s1 ╞ ¬i1 ∨ u2 ?

31 Semantics
K = (S, S0, R, AP, L), L : S → 2^AP, s ∈ S.
K, s ╞ EX(φ) iff there exists s' such that:
– s → s' (that is, R(s, s')), and
– K, s' ╞ φ.
In words: s has a successor state s' at which φ holds.

32 [Figure: a three-state Kripke structure S0, S1, S2 over AP = {B, G, R}, with transitions labelled "on" and "off".]
K, S0 ╞ EX(R) ?  K, S0 ╞ EX(¬R) ?  K, S1 ╞ EX(R) ?  K, S2 ╞ EX(G) ?

33 Semantics
K = (S, S0, R, AP, L), L : S → 2^AP, s ∈ S.
A path from s is an (infinite) sequence of states π = s_0, s_1, s_2, ..., s_i, s_{i+1}, ... such that:
– s = s_0, and
– s_i → s_{i+1} (that is, R(s_i, s_{i+1})) for every i.
π(i) = s_i is the i-th element of π.
Assume for convenience that for every s there is an s' such that R(s, s'): every state has a successor, so every finite run extends to an infinite path.

34 Semantics
CTL⁻ ::= p | ¬φ | φ1 ∨ φ2 | EX(φ) | EF(φ) | AF(φ)
K = (S, S0, R, AP, L), L : S → 2^AP, s ∈ S.
K, s ╞ EF(φ) iff there exists a path π = s_0, s_1, ... from s and a k ≥ 0 such that K, π(k) ╞ φ.

35 [Figure: EF(φ), a computation tree from s in which one branch reaches a state satisfying φ.]

36 [Figure: a path s = s_1, ..., s_j, ..., s_k; an intermediate state satisfies ¬φ, s_k satisfies φ, hence s ╞ EF(φ).]

37 Semantics
CTL⁻ ::= p | ¬φ | φ1 ∨ φ2 | EX(φ) | EF(φ) | AF(φ)
K = (S, S0, R, AP, L), L : S → 2^AP, s ∈ S.
K, s ╞ AF(φ) iff for every path π = s_0, s_1, ... from s there exists a k ≥ 0 such that K, π(k) ╞ φ.

38 [Figure: AF(φ), a computation tree from s in which every branch reaches a state satisfying φ.]

39 [Figure: a partial unfolding of the arbiter from state 0, with transitions Req2, Grt2, Ret1, Req1, Grt1 through states 3, 4, 5, 7 and back to 0.]
M, 0 ╞ AF(u1) ?

40 Same unfolding. M, 0 ╞ AF(EF(u1)) ?

41 Derived Operator
AX(φ) = ¬EX(¬φ)
– It is not the case that there exists a next state at which φ does not hold.
– For every next state, φ holds.
[Figure: AX(φ), every successor of s satisfies φ.]

42 Derived Operators
AG(φ) = ¬EF(¬φ)
K, s ╞ AG(φ):
– It is not the case that there exists a path π (from s) and a k ≥ 0 such that K, π(k) ╞ ¬φ.
– For every path π (from s) and every k ≥ 0: K, π(k) ╞ φ.

43 [Figure: AG(φ), every state on every path from s satisfies φ.]

44 Derived Operators
EG(φ) = ¬AF(¬φ)
K, s ╞ EG(φ):
– It is not the case that for every path π from s there is a k ≥ 0 such that K, π(k) ╞ ¬φ.
– There exists a path π from s such that, for every k ≥ 0: K, π(k) ╞ φ.

45 [Figure: EG(φ), one path from s along which every state satisfies φ.]

46 CTL⁻ Model Checking
The actual model checking problem:
– Given K = (S, S0, R, AP, L),
– given s ∈ S,
– given φ, a CTL⁻ formula,
– determine whether K, s ╞ φ.

47 [Figure: the arbiter transition system, with L(s0) = {i1, i2}, L(s2) = {i1, u2}, L(s5) = {w1, w2}.]
K, s0 ╞ AX(w1) ?

48 Same figure. K, s0 ╞ AX(w1 ∨ w2) ?

49 Same figure. K, s0 ╞ EF(u2) ?

50 Same figure. K, s0 ╞ EF(u1 ∧ u2) ?  Here u1 ∧ u2 is shorthand for ¬(¬u1 ∨ ¬u2).

51 Same figure. K, s0 ╞ AG(u2 ∨ u2) ?

52 Same figure. K, s0 ╞ AG(¬(u2 ∨ u2)) ?

53 Same figure. K, s0 ╞ EG(¬u2) ?

54 Same figure. K, s0 ╞ AF(¬u2) ?

55 Same figure. K, s0 ╞ AF(u1 ∨ u2) ?

56 CTL Model Checking
The actual model checking problem:
– Given K = (S, S0, R, AP, L),
– given s ∈ S,
– given φ, a CTL formula,
– determine whether K, s ╞ φ.
This can be done "efficiently" (in time linear in the size of K times the size of φ) and can be automated:
– SMV
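An explicit-state model checker for the CTL⁻ of slides 24 to 45, as an added Python example; this is the editor's code, not the lecture's and not SMV's. It computes the set of states satisfying a formula bottom-up over the structure of the formula, with EF and AF as least fixpoints, and rewrites AX, AG, EG and ∧ exactly as slides 41, 42, 44 and 50 define them. The two-process arbiter it is run on is constructed here in the spirit of slides 18 to 22 (each process idle, waiting or using; a grant only while the other process is not using), not copied from the lecture's figure, so the answers below are about this constructed model, not about the slides' s0 to s5.

```python
"""Explicit-state model checker for the CTL fragment of the slides (CTL-).

Formulas are nested tuples:
    ("p", name)                 atomic proposition
    ("not", f)                  negation
    ("or", f, g)                disjunction
    ("EX", f), ("EF", f), ("AF", f)   the three primitive modalities
Derived operators are rewritten as on the slides:
    ("and", f, g) = not (not f or not g)
    ("AX", f) = not EX not f,  ("AG", f) = not EF not f,  ("EG", f) = not AF not f
"""


class Kripke:
    def __init__(self, states, init, edges, label):
        self.S = frozenset(states)
        self.S0 = frozenset(init)
        self.R = frozenset(edges)                    # set of (s, s') pairs
        self.L = {s: frozenset(label[s]) for s in states}
        self.succ = {s: {t for a, t in self.R if a == s} for s in self.S}
        # Slide 33 assumes every state has a successor; enforce it, since the
        # fixpoints below are only the CTL semantics under that assumption.
        for s in self.S:
            if not self.succ[s]:
                raise ValueError(f"state {s!r} has no successor")

    def pre_exists(self, T):
        """States with at least one successor in T (the EX step)."""
        return {s for s in self.S if self.succ[s] & T}

    def pre_forall(self, T):
        """States all of whose successors lie in T (the AX step)."""
        return {s for s in self.S if self.succ[s] <= T}

    def sat(self, f):
        """The set of states at which formula f holds."""
        op = f[0]
        if op == "p":
            return {s for s in self.S if f[1] in self.L[s]}
        if op == "not":
            return set(self.S) - self.sat(f[1])
        if op == "or":
            return self.sat(f[1]) | self.sat(f[2])
        if op == "and":
            return self.sat(("not", ("or", ("not", f[1]), ("not", f[2]))))
        if op == "EX":
            return self.pre_exists(self.sat(f[1]))
        if op in ("EF", "AF"):
            # Least fixpoint of Z = sat(f) ∪ pre(Z); pre is existential for EF,
            # universal for AF.  Terminates because S is finite and Z only grows.
            pre = self.pre_exists if op == "EF" else self.pre_forall
            Z = self.sat(f[1])
            while True:
                Z2 = Z | pre(Z)
                if Z2 == Z:
                    return Z
                Z = Z2
        if op == "AX":
            return self.sat(("not", ("EX", ("not", f[1]))))
        if op == "AG":
            return self.sat(("not", ("EF", ("not", f[1]))))
        if op == "EG":
            return self.sat(("not", ("AF", ("not", f[1]))))
        raise ValueError(f"unknown operator {op!r}")

    def check(self, s, f):
        """K, s |= f ?"""
        return s in self.sat(f)


def arbiter():
    """Constructed two-process arbiter (editor's model, not the slides' figure).

    A state is a pair (status of process 1, status of process 2) with each
    status idle 'i', waiting 'w' or using 'u'.  Req moves i->w, Grt moves
    w->u only while the other process is not using, Ret moves u->i.
    The labelling makes i1, w1, u1, i2, w2, u2 true as the names suggest.
    """
    states = [(a, b) for a in "iwu" for b in "iwu" if not (a == b == "u")]
    edges = set()
    for a, b in states:
        nxt = []
        if a == "i":
            nxt.append(("w", b))               # Req1
        if b == "i":
            nxt.append((a, "w"))               # Req2
        if a == "w" and b != "u":
            nxt.append(("u", b))               # Grt1
        if b == "w" and a != "u":
            nxt.append((a, "u"))               # Grt2
        if a == "u":
            nxt.append(("i", b))               # Ret1
        if b == "u":
            nxt.append((a, "i"))               # Ret2
        edges |= {((a, b), t) for t in nxt}
    label = {(a, b): {a + "1", b + "2"} for a, b in states}
    return Kripke(states, [("i", "i")], edges, label)


if __name__ == "__main__":
    K, s0 = arbiter(), ("i", "i")
    u1, u2, w1, w2 = ("p", "u1"), ("p", "u2"), ("p", "w1"), ("p", "w2")
    for name, f in [("EF(u1 and u2)", ("EF", ("and", u1, u2))),
                    ("AG(not (u1 and u2))", ("AG", ("not", ("and", u1, u2)))),
                    ("AX(w1 or w2)", ("AX", ("or", w1, w2))),
                    ("AF(u1)", ("AF", u1)),
                    ("EG(not u2)", ("EG", ("not", u2)))]:
        print(f"K, s0 |= {name}: {K.check(s0, f)}")
```

The mutual-exclusion question of slide 50, EF(u1 ∧ u2), comes out false on this model because no state labels both processes as using, and its AG form on slide 52 is the same fact stated as an invariant. AF(u1) from the initial state is false for a reason worth noticing in any liveness check: the model allows process 1 never to request, so "every path" includes one on which u1 never holds; the weaker AF(u1 ∨ u2) is true because once both are waiting a grant must happen.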

57 UPPAAL Properties
The derived modalities EF, AF, EG and AG are defined as in the case of CTL.
UPPAAL syntax (the fragment used here):
– AG(bf) | EF(bf)
– bf ::= p | x R c | ¬bf | bf1 ∧ bf2
– x R c is a comparison of a variable with a constant: x ≤ c, x ≥ c, x < c, x > c or x = c.
– x can be a clock or a data variable.

58 Case Studies

59 Case Studies
Available from the UPPAAL home page ("Examples").
Bang & Olufsen Audio/Video Protocol:
– Aim: messages are to be transmitted between audio/video components over a single bus.
– Critical real-time constraints.
– Error discovered using UPPAAL.

60 Case Studies
Bang & Olufsen Power Down Protocol:
– Aim: control the switching between power on/off states in AV components.
– 15 properties proved in UPPAAL to verify the design.
– Tightening of the design suggested by the verification process.

61 Case Studies
Commercial Field Bus Protocol:
– Aim: verify the process logic of this large, industrial-strength bus communication protocol used in various industrial environments; developed by ABB.
– A number of errors found.

62 Case Studies
Gear Box Controller:
– Aim: design and verify a prototype gear box controller for a vehicle (Mecel AB), a component in a real-time distributed system.
– Gear-change requests from the driver are delivered over a network to the controller; the controller actuates physical parts such as the clutch, engine and gear box.
– 46 properties extracted from the requirements and verified.

63 Case Studies
Multimedia Stream:
– Aim: model AV streams and verify quality-of-service properties: throughput, end-to-end latency, ...

64 BRP
Bounded Retransmission Protocol (BRP):
– Developed by Philips Electronics.
– A real-time, bounded variant of the alternating-bit protocol.
– Used to transfer, in burst mode, a list of data (a file) via an infra-red communication medium between AV equipment and a remote control unit.

65 BRP
The medium is lossy! The file is transmitted in chunks.
– If an acknowledgment for a sent chunk is not received "in time", the chunk is retransmitted.
– If the number of retransmissions for the same chunk exceeds a bound, the transmission is aborted.

66 BRP
Timing aspects:
– The sender has a timer to decide when to retransmit a chunk.
– The receiver has a timer to detect when a transmission has been aborted by the sender.

67 [Figure: the BRP architecture. The Sender has ports S_in and S_out, the Receiver has port R_out; they communicate through the channels K and L, attached at the ports F, G, A and B.]

68 Same figure. Input at S_in: (d_1, d_2, ..., d_n), a file consisting of n chunks of data.

69 Same figure. Output at S_out: one of {I_OK, I_NOK, I_DK}.

70 The values of S_out
I_OK:
– All the acknowledgments were received.
– All the chunks were transmitted successfully and were received by the receiver.
I_NOK:
– Some acknowledgment failed to arrive in time; the MAX count of retransmissions for that chunk was exhausted without receiving an acknowledgment.
I_DK:
– The acknowledgments were received for all the chunks except the last one.
– Don't know whether the transmission was successful or not: either the last chunk was delivered and only its acknowledgment was lost, or the last chunk itself was lost.
– This is due to asynchronous communication via a lossy channel: two parties cannot reach agreement on the outcome over a channel that may lose messages (the "two generals" impossibility), so the sender can do no better than report I_DK.

71 Same figure. Output at R_out: (e_1, i_1), (e_2, i_2), ..., (e_k, i_k).

72 Same figure, with input (d_1, d_2, ..., d_n) at S_in and output (e_1, i_1), (e_2, i_2), ..., (e_k, i_k) at R_out.

73 R_out
(e_1, i_1), (e_2, i_2), ..., (e_k, i_k), with 0 ≤ k ≤ n and i_j ∈ {I_FST, I_INC, I_OK, I_NOK} for 0 < j ≤ k:
– I_FST: the first chunk of the file, but not the last one.
– I_OK: the last chunk of the file.
– I_INC: for all other chunks.
– I_NOK: something has gone wrong. In this case j = k and e_k = * (no datum).

74 The Specification
For every 0 < j ≤ k, if i_j ≠ I_NOK then e_j = d_j.
– The datum delivered is the chunk that was sent.
If n > 1 then i_1 = I_FST.
– A file of more than one chunk starts with a "first but not last" indication.
If 1 < j < k then i_j = I_INC.

75 The Specification
i_k = I_OK or i_k = I_NOK.
– The last output must signal positive or negative termination.
i_k = I_OK implies k = n.
– Successful transmission: all n chunks were delivered.
i_k = I_NOK implies k > 1.
– Unsuccessful only if something was received to start with: I_NOK is put out only if at least one chunk was delivered.

76 The Specification
If S_out = I_OK then i_k = I_OK.
– Should we demand the converse too? No: if only the acknowledgment of the last chunk is lost, the receiver outputs i_k = I_OK while the sender can only report I_DK.
If S_out = I_NOK then i_k = I_NOK.
If S_out = I_DK then k = n.
– i_k = ?
If k = 0 then:
– S_out = I_DK iff n = 1.
– S_out = I_NOK iff n > 1.
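A trace checker for the BRP specification of slides 73 to 76, as an added Python example; this is the editor's code, not the lecture's and not the UPPAAL case study's model. It takes the file handed to S_in, the sequence observed at R_out and the indication observed at S_out, and returns the specification clauses the run violates, so that a conforming run yields the empty list. The sample runs, the chunk names and the use of "*" for the missing datum of an I_NOK output are constructed here.

```python
"""Conformance checker for the Bounded Retransmission Protocol specification
of slides 73-76.  check_brp_run(file, r_out, s_out) returns the list of
clauses violated by one run of the protocol (empty list = the run conforms).

file  : the chunks (d_1, ..., d_n) given to the sender at S_in
r_out : the sequence (e_1, i_1), ..., (e_k, i_k) delivered at R_out
s_out : the sender's final indication at S_out
"""

I_FST, I_INC, I_OK, I_NOK, I_DK = "I_FST", "I_INC", "I_OK", "I_NOK", "I_DK"
RECEIVER_INDICATIONS = (I_FST, I_INC, I_OK, I_NOK)
SENDER_INDICATIONS = (I_OK, I_NOK, I_DK)
NO_DATUM = "*"      # e_k when i_k = I_NOK (slide 73); the symbol is a convention here


def check_brp_run(file, r_out, s_out):
    n, k = len(file), len(r_out)
    bad = []
    if not 0 <= k <= n:
        bad.append("0 <= k <= n")
    if s_out not in SENDER_INDICATIONS:
        bad.append("S_out is not a sender indication")
    # Per-chunk clauses (slides 73 and 74).
    for j, (e, i) in enumerate(r_out, start=1):
        if i not in RECEIVER_INDICATIONS:
            bad.append(f"i_{j} is not a receiver indication")
        if i != I_NOK and j <= n and e != file[j - 1]:
            bad.append(f"e_{j} != d_{j}")            # datum delivered is the chunk sent
        if 1 < j < k and i != I_INC:
            bad.append(f"i_{j} != I_INC")
    if k >= 1:
        i1, (ek, ik) = r_out[0][1], r_out[-1]
        if n > 1 and i1 != I_FST:
            bad.append("n > 1 implies i_1 = I_FST")
        # Termination clauses (slide 75).
        if ik not in (I_OK, I_NOK):
            bad.append("i_k in {I_OK, I_NOK}")
        if ik == I_OK and k != n:
            bad.append("i_k = I_OK implies k = n")
        if ik == I_NOK and (k <= 1 or ek != NO_DATUM):
            bad.append("i_k = I_NOK implies k > 1 and e_k = *")
        # Sender/receiver agreement clauses (slide 76).
        if s_out == I_OK and ik != I_OK:
            bad.append("S_out = I_OK implies i_k = I_OK")
        if s_out == I_NOK and ik != I_NOK:
            bad.append("S_out = I_NOK implies i_k = I_NOK")
        if s_out == I_DK and k != n:
            bad.append("S_out = I_DK implies k = n")
    else:
        # Nothing was delivered at all (slide 76, k = 0).
        if (s_out == I_DK) != (n == 1):
            bad.append("k = 0: S_out = I_DK iff n = 1")
        if (s_out == I_NOK) != (n > 1):
            bad.append("k = 0: S_out = I_NOK iff n > 1")
    return bad


# Constructed sample runs (not taken from the slides or the case study).
FILE = ["d1", "d2", "d3"]
RUN_OK = (FILE, [("d1", I_FST), ("d2", I_INC), ("d3", I_OK)], I_OK)
RUN_ABORTED = (FILE, [("d1", I_FST), (NO_DATUM, I_NOK)], I_NOK)       # chunk 2 never got through
RUN_LAST_ACK_LOST = (FILE, [("d1", I_FST), ("d2", I_INC), ("d3", I_OK)], I_DK)
RUN_NOTHING_RECEIVED = (FILE, [], I_NOK)
RUN_BAD_DATUM = (FILE, [("d1", I_FST), ("dX", I_INC), ("d3", I_OK)], I_OK)
RUN_SENDER_LIES = (FILE, [("d1", I_FST), (NO_DATUM, I_NOK)], I_OK)     # claims success after abort

if __name__ == "__main__":
    for name, run in [("ok", RUN_OK), ("aborted", RUN_ABORTED),
                      ("last ack lost", RUN_LAST_ACK_LOST),
                      ("nothing received", RUN_NOTHING_RECEIVED),
                      ("bad datum", RUN_BAD_DATUM), ("sender lies", RUN_SENDER_LIES)]:
        print(f"{name:>17}: {check_brp_run(*run) or 'conforms'}")
```

The "last ack lost" run is the one behind slide 76's question about the converse: the receiver's i_k = I_OK is correct, yet the sender can only report I_DK, so demanding S_out = I_OK whenever i_k = I_OK would reject a legitimate run. The "sender lies" run shows the kind of implementation error the specification does catch: reporting I_OK after the receiver has already given up.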

