LSVbouyer/files/bouyer-hdr-soutenance.pdf · Reachability analysis in timed automata Improving...

Soutenance d’habilitation

“From Qualitative to Quantitative Analysisof Timed Systems”

Patricia Bouyer

January 12, 2009

Introduction

Outline

1. Introduction

2. Reachability analysis in timed automata

3. Model-checking timed temporal logics

4. Modelling resources in timed systemsOptimizing resourcesManaging resources

5. Probabilistic analysis of timed automata

6. Summary and perspectives

Introduction

Context: verification of timed systems

What are timed systems?

What we want to avoid

; Verification by model-checking

system:

property:

G (request→F grant)model-checking

algorithm

yes/no

Introduction

What we want to avoid; Verification by model-checking

system:

property:

algorithm

yes/no

Introduction

system:

property:

algorithm

yes/no

Introduction

What are timed systems?What we want to avoid

Ariane 5, 1996

Atlanta airport, 2008

Mars climate obs., 1998

Blackout, 2003

Radiotherapy in Toulouse, 2007

Bug Pentium, 1994

system:

property:

algorithm

yes/no

Introduction

system:

property:

algorithm

yes/no

Introduction

A running example

Introduction

A running example: natural questions

Can I reach Pontivy from Oxford?

What is the minimal time to reach Pontivy fromOxford?

What is the minimal fuel consumption to reachPontivy from Oxford?

Can I use my computer all the way?

How likely will I visit Paris and for how long?

Introduction

A first model of the system

Oxford

Pontivy

Calais

London

Stansted

Nantes

St Malo

Introduction

Can I reach Pontivy from Oxford?

Oxford

Pontivy

Calais

London

Stansted

Nantes

St Malo

This is a reachability question in a finite graph: Yes, I can!

Introduction

A second model of the system

Oxford

Pontivy

Calais

London

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

Introduction

How long will that take?

Oxford

Pontivy

Calais

London

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

It is a reachability (and optimization) questionin a timed automaton: at least 350mn = 5h50mn!

Introduction

The timed automaton model: an example

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

23−→ safeproblem−−−−−→ alarm

15.6−−→ alarmdelayed−−−−−→ failsafe

23 0 15.6 15.6 ···

23 23 38.6 0

failsafe2.3−−→ failsafe

repair−−−−→ repairing22.1−−→ repairing

done−−−→ safe

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

23−→ safeproblem−−−−−→ alarm

23 0 15.6 15.6 ···

23 23 38.6 0

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

problem−−−−−→ alarm15.6−−→ alarm

delayed−−−−−→ failsafe

x 0 23

0 15.6 15.6 ···

y 0 23

23 38.6 0

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

problem−−−−−→ alarm

x 0 23 0

15.6 15.6 ···

y 0 23 23

38.6 0

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

x 0 23 0 15.6

15.6 ···

y 0 23 23 38.6

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0

failsafe

2.3−−→ failsaferepair−−−−→ repairing

22.1−−→ repairingdone−−−→ safe

··· 15.6

17.9 17.9 40 40

2.3 0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0

··· 15.6 17.9

17.9 40 40

0 22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0

repair−−−−→ repairing

22.1−−→ repairingdone−−−→ safe

··· 15.6 17.9 17.9

0 2.3 0

22.1 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0

··· 15.6 17.9 17.9 40

0 2.3 0 22.1

Introduction

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

delayed, y :=0

156x616

repair

26y∧x656

done, 226y625

safe23−→ safe

x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

Introduction

Basics of timed automata

[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).

Theorem [AD90,AD94]

The reachability problem is decidable (and PSPACE-complete) in timedautomata.

timed automaton

finite bisimulation

large (but finite) automaton(region automaton)

Introduction

Basics of timed automata

[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).

Theorem [AD90,AD94]

The reachability problem is decidable (and PSPACE-complete) in timedautomata.

timed automaton

finite bisimulation

large (but finite) automaton(region automaton)

Introduction

Outline

1. Introduction

Reachability analysis in timed automata

Outline

1. Introduction

What about the practice?

the region automaton is never computed

instead, symbolic computations are performed using zones

Example of a zone

Z = (x1 > 3) ∧ (x2 6 5) ∧ (x1 − x2 6 4)

x1−x2=4

x0 x1 x2

∞ −3 ∞∞ ∞ 45 ∞ ∞

What about the practice?

the region automaton is never computed

instead, symbolic computations are performed using zones

Example of a zone

Z = (x1 > 3) ∧ (x2 6 5) ∧ (x1 − x2 6 4)

x1−x2=4

x0 x1 x2

0 −3 09 0 45 2 0

Backward computation

, the backward computation always terminates!

Forward computation

/ the forward computation may not terminate...

; abstractions need to be used, that ensure termination...

Forward computation

/ the forward computation may not terminate...; abstractions need to be used, that ensure termination...

An abstraction: the extrapolation operator

0 −3 09 0 45 2 0

0 −2 0∞ 0 ∞∞ 2 0

Extra2

An abstraction: the extrapolation operator

Extra2(Z)

0 −3 09 0 45 2 0

0 −2 0∞ 0 ∞∞ 2 0

Extra2

Results

[Bou03] Bouyer. Untameable Timed Automata! (STACS’03).[Bou04] Bouyer. Forward Analysis of Updatable Timed Automata (Formal Methods in System Design).

x1,x3:=0

x1=2,x1:=0

x2=2,x2:=0

x1=2,x1:=0

x2>x1+2

x4<x3+2

Theorem [Bou03,Bou04]

In Abug, any extrapolation operator is incorrect!

The extrapolation operator is correct in diagonal-free timedautomata.

Results

x1,x3:=0

x1=2,x1:=0

x2=2,x2:=0

x1=2,x1:=0

x2>x1+2

x4<x3+2

Results

x1,x3:=0

x1=2,x1:=0

x2=2,x2:=0

x1=2,x1:=0

x2>x1+2

x4<x3+2

Improving further

[BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata Verification (TACAS’03).[BBLP04] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone Based Abstractions of Timed Automata (TACAS’04).[BBLP06] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone-Based Abstractions of Timed Automata (International

Journal on Software Tools for Technology Transfer).

the extrapolation operator can be made coarser:

local extrapolation constants [BBFL03];distinguish between lower- and upper-bounded contraints

[BBLP03,BBLP06]

; has leaded to a practical improvement in of up to 20%!

Since then...

further improvement due to better data structure manipulations...

... but no further algorithmic improvement!

Improving further

[BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata Verification (TACAS’03).[BBLP04] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone Based Abstractions of Timed Automata (TACAS’04).[BBLP06] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone-Based Abstractions of Timed Automata (International

Journal on Software Tools for Technology Transfer).

the extrapolation operator can be made coarser:

local extrapolation constants [BBFL03];distinguish between lower- and upper-bounded contraints

[BBLP03,BBLP06]

; has leaded to a practical improvement in of up to 20%!

Since then...

further improvement due to better data structure manipulations...

... but no further algorithmic improvement!

Model-checking timed temporal logics

Outline

1. Introduction

MotivationChecking reachability properties may not be enough:

basically only safety properties can be verified [ABBL98,ABBL03]

what about liveness properties?

And other properties?

“the monkey will eventually write the complete works of Shakespeare”

“every request is eventually granted”

“the machine produces 56 items per day until it needs to be repaired”

Need for specification languages expressing timing constraints...

“the airbag inflates no more than 56ms after the car crashes”

; critical property

“the reponse time of the memory circuit is no more than 10−12s”

; performance, quality of service

... and for algorithms to verify those properties.

We will focus on timed extensions of LTL [Pnu77]

Motivation

[ABBL98] Aceto, Bouyer, Burgueno, Larsen. The power of reachability testing for timed automata (FSTTCS’98).[ABBL03] Aceto, Bouyer, Burgueno, Larsen. The power of reachability testing for timed automata (Theoretical Computer Science).

Checking reachability properties may not be enough:

basically only safety properties can be verified [ABBL98,ABBL03]

what about liveness properties?

; critical property

basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties?

; critical property

basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties?

; critical property

basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?

; critical property

Motivation

[Pnu77] Pnueli. The temporal logic of programs (FoCS’77).

; critical property

Motivation

[Pnu77] Pnueli. The temporal logic of programs (FoCS’77).

; critical property

Two classical timed extensions of LTL: MTL and TPTL

[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).

[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).

MTL (Metric Temporal Logic) [Koy90]

ψ = G (request→ F61 grant)

0 1 2 3 4|= ψ

0 1 2 3 46|= ψ

[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).

TPTL (Timed Propositional Temporal Logic) [AH89]

ψ ≡ G (request→ x · F (grant ∧ (x 6 1)))

ϕ = G (request→ x · F (ack ∧ F (grant ∧ x 6 2)))

0 1 2 3 4|= ϕ

0 1 2 3 46|= ϕ

Expressiveness of these logics

Conjecture (Alur & Henzinger, since 1990)

TPTL is strictly more expressive than MTL, and the TPTL formula

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

cannot be expressed in MTL.

However...

F=1 •

ϕ ≡

G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

However...

F=1 •

ϕ ≡ G • →

F61 • ∧ F[1,2] •

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

Expressiveness results

[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).

Theorem [BCM05]

The conjecture is correct: TPTL is strictly more expressive than MTL.

Also, MTL+Past is strictly more expressive than MTL.

The formulas

x · F (• ∧ (x 6 1) ∧G ((x 6 1) → ¬•)) ∈ TPTLF=1 (¬•S •) ∈ MTL+Past

[Kam68] Kamp. Tense logic and the theory of linear order (PhD UCLA).[GPSS80] Gabbay, Pnueli, Shelah, Stavi. On the temporal analysis of fairness (POPL’80).[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).

Theorem [BCM05]

The conjecture is correct: TPTL is strictly more expressive than MTL.Also, MTL+Past is strictly more expressive than MTL.

Recall: LTL+Past and LTL are equally expressive [Kam68,GPSS80].

The formulas

Theorem [BCM05]

The formulas

Theorem [BCM05]

The formulas

Back to the model-checking problem

algorithm

yes/no

aton MTLTPTL formula

Theorem [AH94,AFH96,OW06...]

The model-checking problem is (mostly) undecidable...

Can be rather easily explained using channel machines...

... and more tractable fragments need be defined!

algorithm

yes/no

MTLTPTL formula

algorithm

yes/no

[AH94] Alur, Henzinger. A really temporal logic (Journal of the ACM).[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).[OW06] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (FoSSaCS’06).

algorithm

yes/no

algorithm

yes/no

algorithm

yes/no

The quest for tractable fragments of MTL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

MITL [AFH96]: ban punctuality

G (• → F62 •) is in MITLG (• → F=1 •) is not in MITL

[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

MITL [AFH96]: ban punctuality

timed regularityverification in exponential space

[OW05] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (LICS’05).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Safety-MTL [OW05]: restrict to safety properties

G (• → F62 •) is in Safety-MTLG (• → F •) is not in Safety-MTL

[OW05] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (LICS’05).[OW08] Ouaknine, Worrell. Some recent results in Metric Temporal Logic (FORMATS’08).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Safety-MTL [OW05]: restrict to safety properties

only finite counter-examples need be looked forverification using alternating timed automatadecidable, but non-primitive recursive [OW08]

[BMOW07] Bouyer, Markey, Ouaknine, Worrell. The cost of punctuality (LICS’07).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Bounded-MTL [BMOW07]: restrict to bounded future

G65 (• → F62 •) is in Bounded-MTLG (• → F62 •) is not in Bounded-MTL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Bounded-MTL [BMOW07]: restrict to bounded future

expresses non-regular propertiesonly time-bounded prefixes need to be verifiedverification in exponential space

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLLTL [BMOW07]: a flatness condition on the formula

G (• → F=1 •) is in coFlat-MTLLTL

FG61 • is not in coFlat-MTLLTL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLLTL [BMOW07]: a flatness condition on the formula

expresses non-regular propertiesonly counter-examples of the following form need to be looked for:

LTL LTL LTL LTL

hardhardhardhard

verification in exponential space

[BMOW08] Bouyer, Markey, Ouaknine, Worrell. On expressiveness and complexity in real-time model checking (ICALP’08).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLMITL [BMOW08]: a flatness condition on the formula

FG61 • is in coFlat-MTLMITL

FG=1 • is not in coFlat-MTLMITL

[BMOW08] Bouyer, Markey, Ouaknine, Worrell. On expressiveness and complexity in real-time model checking (ICALP’08).

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLMITL [BMOW08]: a flatness condition on the formula

only counter-examples of the following form need to be looked for:

non-punctual non-punctual non-punctual non-punctual

punctualpunctualpunctualpunctual

the largest (known) fragment for which...... verification in exponential space!

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

non-tractable

tractable

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

PSPACE-c.

undec./NPR

EXPSPACE-c.

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

PSPACE-c.

undec./NPR

EXPSPACE-c.

Algorithmics needs now to be worked out!

Modelling resources in timed systems

Outline

1. Introduction

Motivation

System resources might be relevant and even crucial information

energy consumption,memory usage,price to pay,bandwidth,...

; timed automata are not powerful enough!

A possible solution: use hybrid automata

Theorem [HKPV95]

The reachability problem is undecidable in hybrid automata.

An alternative: weighted/priced timed automata [ALP01,BFH+01]

; hybrid variables do not constrain the system

Motivation

Theorem [HKPV95]

Motivation

Theorem [HKPV95]

Motivation

Theorem [HKPV95]

Motivation

System resources might be relevant and even crucial informationenergy consumption,memory usage,price to pay,bandwidth,...

The thermostat example

T=−0.5T

(T>18)

T=2.25−0.5T

(T622)

2 4 6 8 10 time

Theorem [HKPV95]

Motivation

System resources might be relevant and even crucial informationenergy consumption,memory usage,price to pay,bandwidth,...

The thermostat example

T=−0.5T

(T>18)

T=2.25−0.5T

(T622)

2 4 6 8 10 time

Theorem [HKPV95]

Motivation

[HKPV95] Henzinger, Kopke, Puri, Varaiya. What’s decidable wbout hybrid automata? (SToC’95).

Theorem [HKPV95]

Motivation

[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).

Theorem [HKPV95]

Optimizing resources

A third model of the system

Oxford

Pontivy

Calais

Paris+2

London +2

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

How much fuel will I use?

Oxford

Pontivy

Calais

Paris+2

London +2

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

It is a quantitative (optimization) questionin a weighted timed automaton: at least 68 anti-planet units!

Weighted/priced timed automata [ALP01,BFH+01]

,x62,c,y :=0

x=2,c+1

x=2,c+7

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7 + 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost :

6.5 + 0 + 0 + 0.7 + 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5

+ 0 + 0 + 0.7 + 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0

+ 0 + 0.7 + 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0

+ 0.7 + 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7

+ 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7 + 7

= 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7 + 7 = 14.2

,x62,c,y :=0

x=2,c+1

x=2,c+7

Question: what is the optimal cost for reaching,?

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 9

; strategy: leave immediately `0, go to `3, and wait there 2 t.u.

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 9

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

5t + 10(2− t) + 1 , 5t + (2− t) + 7

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 )

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 9

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 9

Optimization problems in weighted timed automata

[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).[BBBR07] Bouyer, Brihaye, Bruyere, Raskin. On the optimal reachability problem (Formal Methods in System Design).

Theorem [ALP01,BFH+01,BBBR07]

The optimal reachability problem is decidable (and PSPACE-complete) in(weighted) timed automata.

Theorem [BBL04,BBL08]

The optimal mean-cost problem is decidable (and PSPACE-complete) in(weighted) timed automata.

; In both cases, the corner-point abstraction can be used

(a refinement of the region automaton)

[BBL04] Bouyer, Brinksma, Larsen. Staying alive as cheaply as possible (HSCC’04).[BBL08] Bouyer, Brinksma, Larsen. Optimal infinite scheduling for multi-priced timed automata (Formal Methods in System Design).

What if an unexpected event happens?

Oxford

Pontivy

Calais

Paris+2

London +2

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

Flightcancelled!

On strike!!!

; modelled as timed games

Oxford

Pontivy

Calais

Paris+2

London +2

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

Flightcancelled!

On strike!!!

Oxford

Pontivy

Calais

Paris+2

London +2

Stansted

Nantes

St Malo

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

Flightcancelled!

On strike!!!

Weighted timed games

,x62,c,y :=0

Question: what is the optimal cost we can ensure while reaching,?

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

; strategy: wait in `0, and when t = 43 , go to `1

,x62,c,y :=0

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

5t + 10(2− t) + 1 , 5t + (2− t) + 7

) = 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 )

= 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 14 +1

,x62,c,y :=0

x=2,c+1

x=2,c+7

inf06t62

max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 14 +1

Optimal reachability in weighted timed games

[LMM02] La Torre, Mukhopadhyay, Murano. Optimal-reachability and control for acyclic weighted timed automata (TCS@02).[ABM04] Alur, Bernardsky, Madhusudan. Optimal reachability in weighted timed games (ICALP’04).[BCFL04] Bouyer, Cassez, Fleury, Larsen. Optimal strategies in priced timed game automata (FSTTCS’04).

This topic has been fairly hot these last couple of years...e.g. [LMM02,ABM04,BCFL04]

Theorem [BBR05,BBM06]

Optimal timed games are undecidable, as soon as automata have threeclocks or more.

Theorem [BLMR06]

Turn-based optimal timed games are decidable in 3EXPTIME whenautomata have a single clock. They are PTIME-hard.

[BBR05] Brihaye, Bruyere, Raskin. On optimal timed strategies (FORMATS’05).[BBM06] Bouyer, Brihaye, Markey. Improved undecidability results on weighted timed automata (Information Processing Letters).

Theorem [BLMR06]

[BBR05] Brihaye, Bruyere, Raskin. On optimal timed strategies (FORMATS’05).[BBM06] Bouyer, Brihaye, Markey. Improved undecidability results on weighted timed automata (Information Processing Letters).[BLMR06] Bouyer, Larsen, Markey, Rasmussen. Almost-optimal strategies in one-clock priced timed automata (FSTTCS’06).

Theorem [BLMR06]

Managing resources

A fourth model of the system

Oxford+5

Pontivy+5

Dover−2

Calais−2

Paris0

London +5

Stansted +5

Nantes +5

Poole−2

St Malo−2

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

Managing resources

Can I work with my computer all the way?

Oxford+5

Pontivy+5

Dover−2

Calais−2

Paris0

London +5

Stansted +5

Nantes +5

Poole−2

St Malo−2

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

batterycharge

2 13 16.5 22.3 45 56 60.4

Managing resources

Can I work with my computer all the way?

Oxford+5

Pontivy+5

Dover−2

Calais−2

Paris0

London +5

Stansted +5

Nantes +5

Poole−2

St Malo−2

106x612

146x615x :=0

276x630

96x612

216x624

x=27x :=0

x :=0176

6x :=0

96x615

126x615

126x614

batterycharge

2 13 16.5 22.3 45 56 60.432/48

Managing resources

An example of resource management

x=1x :=0

Globally (x61)

Lower-bound problem: can we stay above 0?

Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Lower-bound problemLower-upper-bound problem: can we stay within bounds?

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

1lost!

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

Managing resources

x=1x :=0

Globally (x61)

1lost!

Managing resources

x=1x :=0

Globally (x61)

Lower-bound problemLower-upper-bound problemLower-weak-upper-bound problem: can we “weakly” stay withinbounds?

Managing resources

x=1x :=0

Globally (x61)

Lower–bound problem ; L

Lower-upper-bound problem ; L+U

Lower-weak-upper-bound problem ; L+W

Managing resources

Only partial results so far [BFLMS08]

[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).

0 clock!

exist. problem univ. problem games

∈ PTIME ∈ PTIME∈ UP ∩ co-UP

PTIME-hard

∈ PTIME ∈ PTIME∈ NP ∩ co-NP

PTIME-hard

∈ PSPACE

NP-hard∈ PTIME EXPTIME-c.

Managing resources

1 clock

∈ PTIME ∈ PTIME ?

? ? undecidable

Managing resources

n clocks

? ? undecidable

Managing resources

Single-clock L+U-games

TheoremThe single-clock L+U-games are undecidable.

We encode the behaviour of a two-counter machine:

each instruction is encoded as a module;

the values c1 and c2 of the counters are encoded by the energy level

e = 5− 1

2c1 · 3c2

when entering the corresponding module.

There is an infinite execution in the two-counter machine iff there is astrategy in the single-clock timed game under which the energy levelremains between 0 and 5.

; We present a generic constructionfor incrementing/decrementing the counters.

Managing resources

e = 5− 1

2c1 · 3c2

Managing resources

e = 5− 1

2c1 · 3c2

Managing resources

e = 5− 1

2c1 · 3c2

Managing resources

Generic module for incrementing/decrementing

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

module ok

−αx :=0

energy

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

Managing resources

Partial conclusion and perspectives

Weighted timed automata, an interesting model for representingresources in timed systems

, some optimization problems are (fully) decidable(with a reasonable complexity)

; algorithmics needs to be further developed

/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)

restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes

Many open problems to be solved, e.g. in resource management

Compute equilibria in weighted timed games; towards a theory of timed games

Managing resources

restriction of the underlying timed automaton to one clock anddevelopment of specific algorithms

development of approximation schemes

Managing resources

Probabilistic analysis of timed automata

Outline

1. Introduction

Motivation

The goal

Define a (meaningful) measure on runs of timed automata that will tellus how likely properties are satisfied.

In the running example: “how likely will I visit Paris?”

“how long should I expect be waiting in Paris?”

A relaxed semantics for timed automata

removes behaviours that are unlikely to happen and could unfairlyviolate/validate a propertyrelaxes (some of the) assumptions made in timed automata, like theinfinite precision of the clocksrelated works include implementability issues, robust semantics, etc.

A new timed and probabilistic model

models a purely probabilistic environmentrelated models include continuous-time Markov chains, andprobabilistic timed automata

Motivation

The goal

Motivation

The goal

Motivation

The goal

Methodology

Rough idea

Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.

We put (continuous) distributions over delays...

... and discrete distributions over transitions.

; this naturally defines a probability measure P over sets of runs.

P(A |= ϕ

)measures “how likely A satisfies ϕ”

Two natural questions:

; decide whether P(A |= ϕ

)= 1 (qualitative question)

; compute (an approximation of) P(A |= ϕ

)(quantitative question)

Methodology

Rough idea

P(A |= ϕ

Methodology

Rough idea

P(A |= ϕ

Methodology

Rough idea

P(A |= ϕ

Methodology

Rough idea

P(A |= ϕ

Methodology

Rough idea

P(A |= ϕ

Methodology

Rough idea

P(A |= ϕ

An example

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)

Indeed, almost surely, paths are of the form e∗1 e2

An example

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •)

but P(A |= G (• ⇒ F •)

An example

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)

An example

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)

The classical region automaton

`0,(0,1)

`1,(0,1)

`2,0 `3,0

`3,(0,1)

... viewed as a finite Markov chain MC (A)

Proposition

For single-clock timed automata,

P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

(this is independent of the choice of the distributions...)

The pruned region automaton

`0,(0,1)

`1,(0,1)

`2,0 `3,0

`3,(0,1)

Proposition

P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

`0,(0,1)

`1,(0,1)

`3,(0,1)

Proposition

P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

`0,(0,1)

`1,(0,1)

`3,(0,1)

Proposition

P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

`0,(0,1)

`1,(0,1)

`3,(0,1)

Proposition

P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

Probabilistic model-checking

[BBBBG08] Baier, Bertrand, Bouyer, Brihaye, Großer. Almost-sure model checking of infinite paths in one-clock timed automata (LICS’08).[BBBM08] Bertrand, Bouyer, Brihaye, Markey. Quantitative model-checking of one-clock timed automata under probabilistic semantics (QEST’08).

Theorem [BBBBG08]

For single-clock timed automata, the almost-sure model-checking

of LTL is PSPACE-complete;

of ω-regular properties is NLOGSPACE-complete;

of the non-zenoness property is in NLOGSPACE.

Theorem [BBBM08]

In single-clock timed automata, we can compute (an approximation of)the probability of satisfying an LTL/ω-regular property (for exponentialdistributions).

; none of these results extend to two-clock timed automata...

Theorem [BBBBG08]

Theorem [BBBM08]

Theorem [BBBBG08]

Theorem [BBBM08]

Perspectives

Further study this timed and probabilistic model

timed automata with an arbitrary number of clocks(hint: restrict the distributions)model-checking timed properties like those in MTL

measurability of MTL propertiescan we get a better complexity than NPR?

performance analysis (expected time, mean waiting time, etc.)(this model, a 1

2-player model, generalizes continuous-time Markov chains)

Study the 1 12 - and 2 1

2 -player models(to model non-determinism and interaction)

preliminary result: quantitative model-checking of the 2 12-player

model is undecidable

Design an irrefutable example

Perspectives

Summary and perspectives

Outline

1. Introduction

Summary

A progressive lift from qualitative to quantitative considerations:

quantitativeverification

qualitativeverification

untimedproperties

timedproperties

resource-basedproperties

Reachability(2.)

Timed prop.(3.)

Resources(4.)

Proba. analysisof LTL (5.)

Summary

A progressive lift from qualitative to quantitative considerations:

quantitativeverification

qualitativeverification

untimedproperties

timedproperties

resource-basedproperties

Reachability(2.)

Timed prop.(3.)

Resources(4.)

Proba. analysisof LTL (5.)

Perspectives

study further the resource management problem

develop approximation schemes(undecidability relies on the infinite precision of the system)

compute equilibria

Probabilities and timed automata

investigate further the 12 -player model

model with several clocks(hint: restrict the allowed distributions)

quantitative properties (time and resources)performance analysis: expected time, etc.

add non-determinism and interaction (1 12 - and 2 1

2 -player models)(preliminary results: undecidability rather far away...)

design an irrefutable example

Perspectives

study further the resource management problem

develop approximation schemes(undecidability relies on the infinite precision of the system)

compute equilibria

Probabilities and timed automata

investigate further the 12 -player model

model with several clocks(hint: restrict the allowed distributions)

quantitative properties (time and resources)performance analysis: expected time, etc.

add non-determinism and interaction (1 12 - and 2 1

2 -player models)(preliminary results: undecidability rather far away...)

design an irrefutable example

Perspectives

[BMR08] Bouyer, Markey, Reynier. Robust analysis of timed automata via channel machines (FoSSaCS’08).

Adequation of timed models to timed systems

Two main approaches: relaxed satisfactionrobust satisfaction

Relaxed satisfaction: cf probabilities and timed automata

Robust satisfaction:

develop further the purely channel-machine approach of [BMR08]synthesize systems that are robustly correct by constructionfurther think of other notions of robustness

Perspectives

LSVbouyer/files/bouyer-hdr-soutenance.pdf · Reachability analysis in timed automata Improving...

Documents

Timed Automata: Semantics, Algorithms and Toolspeople.cs.aau.dk/~adavid/UDBM/materials/by04-bookchapter.pdf · Concurrency and Communication To model concurrent systems, timed automata

Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region

Robustness and Implementability of Timed Automata

Model Checking Timed Automata - ISTE

Pushdown Timed Automata: a Binary Reachability Characterization … · Pushdown Timed Automata: a Binary Reachability Characterization and Safety Veriﬁcation ⋆ Zhe Dang School

Timed Automata - RWTH Aachen University

Timed Automata Based Analysis of Embedded System Architectures · Timed Automata Based Analysis of Embedded System Architectures Martijn Hendriks & Marcel Verhoef Radboud University

Verification of timed automata: reachability, liveness, and modeling

Timed Automata – lllllllllll Decidability Resultsbeckert/teaching/... · Timed Automata – lllllllllll Decidability Results. Informationsteknologi UCb Decidability ? Reachable?

A theory of timed automata* - Chennai Mathematical Institute

Patricia Bouyer-Decitreqmc.cs.aau.dk › slides › slides-bouyer-1.pdf · Patricia Bouyer-Decitre LSV, CNRS & ENS Cachan, France 1/22. An example of a timed automaton safe alarm

First Lecture: Modeling with Finite, Timed and Hybrid Automata€¦ · Finite, Timed and Hybrid Automata Jean-François Raskin Université Libre de Bruxelles Belgium ... Mathematics

Communicating Timed Automata

An Inverse Method for Parametric Timed Automata - ENS Cachan

Dense-Timed Pushdown Automata - Uppsala Universityuser.it.uu.se/~parosh/publications/papers/lics12.pdf · To that end, we introduce dense-timed pushdown automata that extend the classical

Timed Concurrent State Machines - arXiv · Title: Timed Concurrent State Machines Abstract. Timed Concurrent State Machines are an application of Alur’s Timed Automata concept to

Transforming VHDL to Timed Automata

Automata on Timed Structures

Nested Timed Automata...automata (NeTAs). An NeTA is a pushdown system whose stack symbols are timed automata (TAs). It either behaves as the top TA in the stack, or switches from

Dense-Timed Pushdown Automata - Uppsala Universityuser.it.uu.se/~mohat117/lics12.pdf · To that end, we introduce dense-timed pushdown automata that extend the classical models of