Embed Size (px)
Citation preview
17.02.05 Lecture5 1
Timed Automata II
CS 5270 Lecture 5
17.02.05 Lecture5 2
Goals
• Timed Transition Systems:– Review– Definition– Timed behaviors.– Parallel composition– Reachability
• UPPAAL
17.02.05 Lecture5 3
Timed Transition Systems
• Timed Transition Systems =
Transition Systems + Clock Variables.• Clock variables.
– Used to record the passage of (real) time.– Act like Timers.– Can be read.– Transitions constrained (guarded) by current values
of clock variables.– Can be reset to 0 during a transition.
Continue to evolve (in real time) until reset.
17.02.05 Lecture5 4
Using Clock Variables
Hot; y On-ac; x OK
Off-acx 5Off-ac
Spec. :
Turn off ac if the temperature is OK or any time after 5 units of time has elapsed since turning it on.
Turn on ac within 2 time units after receiving Hot signal.
y ≤ 2
Using Clock Variables
Hot; y On-ac; x OK
Off-acx ¸ 5 Off-ac
y ≤ 2
Three components:
Action on-ac
Reset x In general, more than one clock can be reset.
Guard y ≤ 2 In general, more than one constraint can be used.
17.02.05 Lecture5 6
State Invariants
• A clock constraint is associated with each state: state invariant– The system can stay in the state only as long
as the state’s invariant is not violated.
• For time points which violate the invariant one expects an output transition to be enabled.– Otherwise a time deadlock.
The progress of time is blocked (in the model!).
17.02.05 Lecture5 7
Timed Transition Systems: Definition
• Clock Constraints:• X, a finite set of clocks (clock variables).
– x X
• (X), the set of clock constraints over X.– (X) = x ≤ c | x ≥ c | x < c | x >c | 1 2 | – c Q
Q , the set of non-negative rational numbers.
• 2X --- The set of subsets of X X = {x, y} 2X = { , {x}, {y}, {x, y} }
17.02.05 Lecture5 8
Timed Transition Systems
• TTS = (S, sin, Act, X, I, )
– S is a finite set of states.
– sin, initial state
– Act, a finite set of actions– X, a finite set of clock variables.– I : S (X), assigns a clock invariant to
each state.– S Act 2X (X) S , the
transition relation.
9
Example
s3 x > 2 y 3
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, add, {x}, True, s1) is a transition in TTS.
10
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, add, {x}, True, s1) is a transition in TTS.X = {x0, x1,..xn}True = x0 ≥ 0
X = {x, y} True = x 0
11
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s1, data, {y}, True, s2) is a transition in TTS.
(s2, ack.add, ;, x > 2, s3) is a transition in TTS.
(s3, ack.data, ;, y ≤ 5, s0) is a transition in TTS
17.02.05 Lecture5 12
Behaviors
s0 s1 s2
s3
s4
a b
c
d
s0 a s1 b s2 c s3
s0 a s1 b s2 d s4
Are both paths (runs).
17.02.05 Lecture5 13
Behaviors
s0 s1 s2
s3
s4
a ; x b
c
d
s0 a s1 b s2 c s3 is NOT a run!
s0 a s1 b s2 d s4 is a run.
Computing behaviors is difficult.
x = 1
x < 1
x ≥ 2
17.02.05 Lecture5 14
Behaviors
• TTS = (S, sin, Act, X, I, )
• We associate a “normal” transition system with TTS while taking time into account:– TSTTS = (S, sin, Act R, )
– R, non-negative reals S Act R S
• TSTTS is, almost always, an infinite transition system!
17.02.05 Lecture5 15
Behaviors
• TTS = (S, sin, Act, X, I, )
• TSTTS = (S, sin, Act R, )
• S = S V
• V --- Valuations– A valuation says what the current values of
each clock variable is. v : X R
17.02.05 Lecture5 16
Behaviors
s0 s1 s2
s3
s4
a ; x b
c
d
(s1, 0) (s2, 1.8) (s4, ) are t-states.
(s3, 5) is a t-state but not reachable.
x = 1
x < 1
x ≥ 2
17.02.05 Lecture5 17
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s1, (2, 5) ) is a state; (s1, V) V(x) = 2 V(y) = 5
(s2, V’) is a state. V’(x) = 15 V’(y) = 0 (s2, (15, 0) )
17.02.05 Lecture5 18
Behaviors
• TTS = (S, sin, Act, X, I, !)
• TSTTS = (S, sin, Act R, ) R, non-negative reals S Act R S
• S = S V
• sin = (sin, VZERO)
– VZERO (x) = 0 for every x in X.
17.02.05 Lecture5 19
Behaviors
• There will be two types of transitions.• Time pass move:
– (s, v) (s, v’) t units of time pass starting from V. V’ (x) = V(x) + t for every x.
• Instantaneous transition.– (s, v) (s’, v’)– Some transition in the timed automaton is taken at v;
the guard is satisfied; v’ is the same as v except for resets.
t
a
20
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s1, (0, 5)) (s2, (1, 6) )1
Time- passing move?
21
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s1, (0, 5)) (s1, (1, 7) )1
Time- passing move?
22
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s1, (0, 5)) (s1, (0, 5) )0
Time- passing move?
23
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s1, (0, 5)) (s1, (2, 7.7) )2
Time- passing move?
24
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (3, 3) ) add
(s1, (0, 3)) a transition in TS?
25
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (3, 3) ) add
(s3, (0, 3)) a transition in TS?
26
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (3, 3) ) add
(s1, (0, 4)) a transition in TS?
27
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (0, 0) ) add
(s1, (0, 0)) a transition in TS?
28
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (0, 0) ) add
(s1, (0, 0))
data
(s2, (0, 0) )
Is this possible?
29
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s2, (3, 2)) (s3, (3, 2))ack.add
(s3, (5, 5)) (s0, (5, 5))ack.data
30
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
TSTTS will have (uncountably) infinite number of states and transitions.
(s0, (0, 0))
(s0, (.8, .8))
.8 …………..
(s0, (1, 1))
1
17.02.05 Lecture5 31
Timed Behaviors
• TTS = (S, S0, Act, X, I, !)
• TSTTS = (S, sin, Act R, )
• The timed behavior of TTS is defined as the behavior of TSTTS
– Runs– computations
32
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (0, 0)) 1.6 (s0, (1.6, 1.6)) add (s1, (0, 1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0)) ..…
17.02.05 Lecture5 33
Timed Behaviors
• Two consecutive time-passing moves can be amalgamated into one time passing move.
• (s1, (2,5)) 2 (s1, (4, 7)) 1.3 (s1, (5.3, 8.3)) can also be recorded as :– (s1, (2,5)) 3.3 (s1, (5.3, 8.3))
• (s, V) 1 (s, V+1) 2 (s, (V+1)+2) can also be recorded as:– (s, V) 1+2 (s, V+(1+2))
17.02.05 Lecture5 34
Timed Computations
• TTS = (S, S0, Act, X, I, !)
• TSTTS = (S, S0, Act [ R, ))
• (s0, V0) 0 (s0, V0’) a0 (s1, V1) 1 (s1, V1’) a1 (s2, V2) …… induces the timed computation– (a0, 0) (a1, 0+ 1) …… (an, 0+1+..n)
• Transition systems --- Computations• Timed Transition Systems ---
Timed Computations.
35
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (0, 0)) 1.6 (s0, (1.6, 1.6)) add (s1, (0, 1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0))
(add, ? ) (data, ?) ….
36
Example
s3 x > 2
s0 s1
s2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(s0, (0, 0)) 1.6 (s0, (1.6, 1.6)) add (s1, (0, 1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0))
(add, 1.6 ) (data, 3.6) ….
17.02.05 Lecture5 37
Example
add ; x
data ; y
ack.add x > 2
ack.datay ≤ 5
(add, 1) (d, 10) (ack.a , 3) A timed computation?
17.02.05 Lecture5 38
Example
add ; x
data ; y
ack.add x > 2
ack.datay ≤ 5
(add, 1) (d, 10) (ack.a , 3) A tmed computation?
No! Time must increase monotonically.
17.02.05 Lecture5 39
Example
add ; x
data ; y
ack.add x > 2
ack.datay ≤ 5
(a, 1) (ack.a , 3) (d, 10) A timed computation?
40
Example
add ; x
data ; y
ack.add x > 2
ack.datay ≤ 5
(a, 1) (ack.a , 3) (d, 10) A timed computation?
No! The order of execution must respect the specification!
17.02.05 Lecture5 41
Example
add ; x
data ; y
ack.add x > 2
ack.datay ≤ 5
(a, 1) (d, 1) (ack.add, 10) A time computation?
17.02.05 Lecture5 42
Example
x > 2
add ; x
data ; y
ack.add
ack.datay ≤ 5
(a, 1) (d, 1) (ack.add, 10) A timed computation?
Yes! Transitions are assumed to take zero time.
Must rule out an infinite number of occurrences in finite time.
17.02.05 Lecture5 43
Zeno Computations
x < 1b
a
… (b, ½) ….(b, 3/4) ….(b, 15/16) …. (b, 31/32)….
We must define computations of timed transition systems carefully!
17.02.05 Lecture5 44
Parallel Composition
• TTS = TTS_1 || TTS_2 || …… || TTS_n
• Same principle as before:– Do common actions together– Take union of clock variables.– Take conjunction of the guards!
17.02.05 Lecture5 45
Reachability of Control States
• For a finite TS it is trivial to decide whether s is reachable in TS.
• For finite TTS, whether s is reachable in TTS is not easy to decide because TSTTS is an infinite object!
• But this can be done and this verification process can be automated.
• More involved (liveness) properties can also be verified effectively but not always efficiently.
17.02.05 CS5272 - 18 Feb 2005Lecture5 46
An introduction toUPPAAL
17.02.05 Lecture5 47
What is UPPAAL?
• A toolbox for modeling, simulation and verification of real-time systems– Developed jointly by Uppsala University and Aalborg
University– Often used for real-time controllers, communication
protocols, etc.
• Consists of 3 main parts– a system description– a simulator– a verifier
17.02.05 Lecture5 48
System Description
17.02.05 Lecture5 49
System Description
• A system in UPPAAL: a set of concurrent processes
• A process: a timed-automaton with:– Clocks and data variables– data variables: int, bool, array of int/bool
• Scopes: global or local (to a process) – Both clocks and data variables! – Guards (on transitions) and invariants (on locations)
are conditions on data variables and clocks
17.02.05 Lecture5 50
System Description
• Synchronization actions are described using communication channels
• Two processes communicate with each other via global data variables or synchronization on communication channels
17.02.05 Lecture5 51
System Description
• A system description in UPPAAL is composed of– Global declarations– Process templates– Process assignments– A system definition
17.02.05 Lecture5 52
System Description
Overview of UPPAAL
17.02.05 Lecture5 53
Global declarations
All the clocks, variables, constants and channels declared here are visible to all the processes in the system
17.02.05 Lecture5 54
Global declarations
• clock x, y;– two clocks x and y
• const a 1;– a constant a with value 1
• int a; – an integer variable a in the default range from -32768 to 32767
• int[1,10] b := 2;– an integer variable b in the range 1,…,10 that is initialized to 2
• int a[2][3] := {{0,1,2},{3,4,5}};– a two dimensional integer array a default range and its
initialization• bool a[3], b[5];
– two bit arrays a and b, with 3 and 5 elements respectively.
17.02.05 Lecture5 55
Global Declarations
• chan d;– A communication channel d– Actions performed by two processes when they synchronize with
each other on channel d are denoted as d! (sending) and d? (receiving)
• urgent chan d;– When two processes are able to synchronize on channel d, they
have to do it immediately. – No guard is allowed on transitions labeled with synchronization
actions (eg. d!,d?) on urgent channels • broadcast chan e;
– Allows 1-to-many synchronization– A transition with label e! emits a broadcast on the channel e. – Any enabled transition with label e? will synchronise with the
emitting process. No guard is allowed on these transitions
17.02.05 Lecture5 56
Process Templates
• Define a common control structures for the processes that are alike– Each process is an instantiation of a template
• Each template can have – symbolic variables and constants as parameters
Parameters are syntactically similar to declarations, but with no initializations
Eg. clock x, y; int i1, i2; chan a, b
– local clocks and variablesDeclared in the same way as global clocks and variables
17.02.05 Lecture5 57
Process Templates
Draw the structure of the template here!
Declare symbolic constants and variables here! Name of the template
17.02.05 Lecture5 58
Process Templates
All clocks, variables, constants declared here are visible to process template P only
17.02.05 Lecture5 59
Process Templates
An example of process template
17.02.05 Lecture5 60
Process Templates
• Locations– 3 types: normal (with/without invariant),
committed(C), urgent (U)– When the system enters a committed location,
it must leave the location immediately:Just a way of breaking up the effect of a transition
into a sequence of steps.
– urgent location: Only 0 units of time can be spent in this location.
17.02.05 Lecture5 61
Process Templates
• A guard– A conjunction of timing and data expressions – Written as a list of expressions, separated by commas
x < y, x <= 5, (a[0] + 1) != (a[1]*5)
• Timing expression: x ~ e or x – y ~ e– x, y : clocks; e: an integer expression– ~ { <=, >=, ==, <, > }
• Data expression: – involves constants and variables– same as in C/C++/Java
17.02.05 Lecture5 62
Process Templates
• Invariants– Same as guards, with no lower bounds on clocks
• Updates– A list of assignment expressions– Each assignment is of the form: x := e or a := e’
In x: = e, almost always e is 0. x: a clocka: a variablee: an integer expressione’: a data expression
– Evaluated sequentiallya := 1, b := 2*a sets a to 1, b to 2.
17.02.05 Lecture5 63
Process Assignments
• Declare instances of process templates• Each assignment has the form P := T(A);
– P : a process name– T : a process template name– A : an argument list
• Examples:– P := Q();
Process P is an instance of template Q that has no parameter
– S:=R(x,1); Process S is an instance of template R that has two
parameters - a clock and a constant
17.02.05 Lecture5 64
Process Assignments
Instantiate your processes here!
17.02.05 Lecture5 65
System Definition
• Declare the set of processes in the system
• Eg. system P, Q;– A system consists of two processes P and Q
• Each process in the system must be either– a process that appears on the left-hand-side
of a process assignment, or – a template with no parameter
17.02.05 Lecture5 66
Simulator
17.02.05 Lecture5 67
Simulator
• A validation tool that– allows users to interact and observe the behavior of
the system during execution– visualise executions (i.e. symbolic traces) generated
by the verifier
• Interface: divided into 4 sub-windows– Simulation control– Variable window– Process window– Message Sequence Chart
17.02.05 Lecture5 68simulator control variable window
process window
Message sequence chart
17.02.05 Lecture5 69
Simulator Control
• Used to control the simulation and to select the (symbolic) state or transition to be visualized – Upper part: for step-by-step simulation
Displays all enabled transitionsEnables users to select an enabled transition to be
fired
– Lower part: displays the generated traceA trace is an alternating sequence of location
vectors and transitions.
17.02.05 Lecture5 70
Simulation Controluse the mouse to select the transition to be fired
press “Next” causes the system to fire the selected transition
press “Reset” resets the simulated system to its initial state
17.02.05 Lecture5 71
Simulation Controlthe simulation always progresses from this highlighted element
press “Replay” to replay the trace starting from the currently selected element.
press “Prev” to highlight the element immediately preceding the current selection in the trace.
press “Open” to open a file selector window for loading a trace from file.
control the speed of simulation
17.02.05 Lecture5 72
Variable window
• Displays the values of data and clocks in the current state or transition selected in the trace
17.02.05 Lecture5 73
Process window
• Displays the process instances of the system– The current location of each automaton is
marked with a red token– The transitions currently selected in the
simulation control panel are highlighted
17.02.05 Lecture5 74
the selected transition
17.02.05 Lecture5 75
Message Sequence Chart
• Displays an MSC view of the generated trace – a vertical lines for each
process – a horizontal line for each
synchronisation point.
synchronization point
17.02.05 Lecture5 76
Verifier
17.02.05 Lecture5 77
Verifier
• Used to check invariant and liveness properties of the system
• Requirement Specification Language
A[ ] p For all paths, p always holds
E<> p There exists a path where p will eventually hold
E[ ] p There exists a path where p always holds
A<> p For all paths, p will eventually hold
p --> q Whenever p holds, q will eventually hold
p : an expression that has no side-effect or state formula (conjunction of state locations)
17.02.05 Lecture5 78
Verifier
• Examples• A[] not deadlock
true if the system is not deadlocked.
– E<> p1.cs and p2.cs true if the system can reach a state where both process
p1 and p2 are in their locations cs.
• A[ ] p1.cs imply not p2.cstrue if whenever process p1 is in its location cs, the
process is not in its location cs.
17.02.05 Lecture5 79
The selected property to be verifiedPress to verify the selected property
Insert a new property
Remove the selected property
Show the comments in overview window
the system is deadlock free
verification results are shown here!
