Formalized Timed Automata, Simon Wimmer, Fakultät für Informatik, Technische Universität München (PowerPoint PPT Presentation)


  1. Formalized Timed Automata Simon Wimmer Fakultät für Informatik, Technische Universität München ITP Talk on August 24, 2016

  2. Timed Automata • Timed Automata (TA) ≈ Finite Automata with clocks – Clock guards on transitions and clock invariants on locations – Transitions can reset clocks

  3. Timed Automata (2) • Model Checking: PSPACE – Initial decidability from the region construction of Alur & Dill – Practical tools (UPPAAL): symbolic forward reachability algorithm • Bouyer: forward reachability analysis not correct for general TA – However, correctness given for the class of diagonal-free TA • This formalization: formalization of TA basics and symbolic forward reachability analysis in Isabelle/HOL – Region construction as a reasoning tool

  4. This Formalization • Formalization of TA basics and forward reachability analysis • Region construction for decidability and as a reasoning tool • Symbolic analysis with Difference Bound Matrices (DBMs) • Correctness of the approximation operation used in forward reachability analysis (Bouyer)

  5. Semantics Zoo • Operational Semantics • Region Semantics ⊆ Zone Semantics – Zone Semantics approx. by α-regions • Zone Semantics ⊆ Zone Semantics approx. by β-regions • Symbolic Zone Semantics ⊆ Symbolic Zone Semantics + Normalization • The question all of them answer: given a start state (l, u) and a destination location l', is there a run A ⊢ ⟨l, u⟩ →* ⟨l', u'⟩ for some u'?

  6. Formalization – Clock Constraints
     datatype ('c, 't) cconstraint =
         AND (('c, 't) cconstraint) (('c, 't) cconstraint)
       | LT 'c 't | LE 'c 't | EQ 'c 't | GT 'c 't | GE 'c 't
   • LT c d, LE c d, EQ c d, GE c d, GT c d represent the atomic constraint c ∼ d for ∼ ∈ {<, ≤, =, ≥, >}; AND is conjunction • Diagonal-free TA: no constraints of the form c1 − c2 ∼ d (the datatype above only compares a single clock with a constant, so every constraint it expresses is diagonal-free)

  9. Formalization – Timed Automata • A timed automaton A consists of – a set T of transitions, written A ⊢ l ⟶^{g,a,r} l' – an invariant function I :: 's ⇒ ('c, 't) cconstraint assigning a clock constraint to every location • Components of a transition: – l :: 's start location – l' :: 's end location – a :: 'a action label – g :: ('c, 't) cconstraint guard – r :: 'c list clocks to reset

  10. Operational Semantics • Valuations u :: 'c ⇒ 't; time lapse: u ⊕ d = (λx. u x + d) • States (l, u) • Constraint satisfaction, e.g. u ⊢ AND (LT c1 1) (EQ c2 2) iff u c1 < 1 and u c2 = 2 • Delay steps:    u ⊢ I(l)    u ⊕ d ⊢ I(l)    0 ≤ d    ⟹    A ⊢ ⟨l, u⟩ →^d ⟨l, u ⊕ d⟩ • Action steps:    A ⊢ l ⟶^{g,a,r} l'    u ⊢ g    u' = [r → 0]u    u' ⊢ I(l')    ⟹    A ⊢ ⟨l, u⟩ →^a ⟨l', u'⟩ • (I(l) is written inv-of A l in the Isabelle definitions)
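Added example, not code from the talk or from the Isabelle formalization: the constraint datatype and the two operational rules above transliterated to Python and run on a constructed two-clock automaton. The clock names x and y, the locations l0, l1, l2, the guards and invariants and the two runs are all assumptions of this example; values are exact rationals so that equality tests in EQ constraints behave.

```python
"""Operational semantics of a timed automaton on concrete valuations (added example, see lead-in).
Constraints are nested tuples mirroring cconstraint: ('AND', phi, psi) or (op, clock, bound) with
op in LT, LE, EQ, GT, GE.  The automaton and the runs at the bottom are constructed."""
from fractions import Fraction

def sat(u, phi):
    """u ⊢ phi for a valuation u given as a dict clock -> value."""
    if phi[0] == 'AND':
        return sat(u, phi[1]) and sat(u, phi[2])
    op, c, d = phi
    x = u[c]
    return {'LT': x < d, 'LE': x <= d, 'EQ': x == d, 'GT': x > d, 'GE': x >= d}[op]

def time_lapse(u, d):  # u ⊕ d = (λx. u x + d)
    return {c: v + d for c, v in u.items()}

def reset(u, r):       # [r → 0]u
    return {c: (0 if c in r else v) for c, v in u.items()}

def delay_step(A, l, u, d):
    """A ⊢ ⟨l, u⟩ →^d ⟨l, u ⊕ d⟩, provided 0 ≤ d, u ⊢ I(l) and u ⊕ d ⊢ I(l); otherwise None."""
    inv = A['inv'][l]
    if d < 0 or not sat(u, inv):
        return None
    u2 = time_lapse(u, d)
    return (l, u2) if sat(u2, inv) else None

def action_step(A, l, u, a):
    """A ⊢ ⟨l, u⟩ →^a ⟨l', u'⟩ via the first enabled transition A ⊢ l ⟶^{g,a,r} l':
    needs u ⊢ g and u' = [r → 0]u ⊢ I(l'); None when no such transition is enabled."""
    for g, label, r, l2 in A['trans'][l]:
        if label != a or not sat(u, g):
            continue
        u2 = reset(u, r)
        if sat(u2, A['inv'][l2]):
            return (l2, u2)
    return None

def run(A, state, steps):
    """Follow a list of ('delay', d) / ('act', a) steps; None as soon as a rule's premises fail."""
    for kind, arg in steps:
        l, u = state
        state = delay_step(A, l, u, arg) if kind == 'delay' else action_step(A, l, u, arg)
        if state is None:
            return None
    return state

# Constructed automaton: clocks x, y; l0 -(x > 3, a, reset x)-> l1 -(y ≤ 4, b)-> l2, I(l1) = y ≤ 5.
TA = {
    'trans': {'l0': [(('GT', 'x', 3), 'a', ['x'], 'l1')],
              'l1': [(('LE', 'y', 4), 'b', [], 'l2')],
              'l2': []},
    'inv': {'l0': ('GE', 'x', 0), 'l1': ('LE', 'y', 5), 'l2': ('GE', 'x', 0)},
}
INIT = ('l0', {'x': Fraction(0), 'y': Fraction(0)})

def demo():
    # Wait 3.5, fire a (x is reset, y stays 3.5), fire b: reaches l2.
    ok = run(TA, INIT, [('delay', Fraction(7, 2)), ('act', 'a'), ('act', 'b')])
    # Wait 6 instead: y = 6 violates I(l1) = y ≤ 5, so the premise u' ⊢ I(l') of the action rule fails.
    blocked = run(TA, INIT, [('delay', Fraction(6)), ('act', 'a')])
    return ok, blocked
```

The point of `run` returning None is that every rule premise (0 ≤ d, both invariant checks, the guard, the target invariant after reset) is an explicit side condition; a concrete run only witnesses one path, which is why the rest of the talk moves to zones.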

  12. Zone Semantics • First abstraction: zones Z :: ('c ⇒ 't) set – convex sets of valuations, i.e. sets of valuations satisfying a clock constraint • Operations on zones – Delay: Z↑ = {u ⊕ d | u ∈ Z ∧ 0 ≤ d} – Reset: Z_{r → 0} = {[r → 0]u | u ∈ Z} – Example, for Z = {u | u c1 > 1 ∧ u c2 ≤ 2}: Z↑ = {u | u c1 > 1 ∧ u c2 − u c1 < 1}, Z_{c1 → 0} = {u | u c1 = 0 ∧ u c2 ≤ 2}, Z ∩ {u | u c1 ≤ 2} = {u | 1 < u c1 ≤ 2 ∧ u c2 ≤ 2} • Semantics – Delay: A ⊢ ⟨l, Z⟩ ⇝ ⟨l, (Z ∩ {u | u ⊢ I(l)})↑ ∩ {u | u ⊢ I(l)}⟩ – Action: A ⊢ l ⟶^{g,a,r} l' ⟹ A ⊢ ⟨l, Z⟩ ⇝ ⟨l', (Z ∩ {u | u ⊢ g})_{r → 0} ∩ {u | u ⊢ I(l')}⟩ • Compare with the operational rules: the delay rule collects every u ⊕ d with 0 ≤ d that keeps I(l), the action rule applies guard, reset and target invariant to the whole zone at once • Sound and complete w.r.t. reachability

  16. Difference Bound Matrices • DBMs: symbolic representation of zones – rows and columns: clocks – entries: difference constraints between clocks
     datatype 't DBMEntry = Le 't | Lt 't | ∞
     't DBM ≡ nat ⇒ nat ⇒ 't DBMEntry
   – Entry M i j bounds the difference x_i − x_j (Le d: ≤ d, Lt d: < d, ∞: unbounded) – Artificial zero clock (index 0, always 0) for bounds on individual clocks • Example: the zone c1 > 3 ∧ c2 ≤ 4 (rows i, columns j)
            0        c1       c2
     0      Le 0     Lt (−3)  ∞
     c1     ∞        Le 0     ∞
     c2     Le 4     ∞        Le 0
   i.e. 0 − c1 < −3 and c2 − 0 ≤ 4

  17. Arithmetic on DBM entries • Addition ⊕: a ⊕ ∞ = ∞ = ∞ ⊕ b; otherwise the bounds add and the result is strict if either summand is strict, e.g. Le 3 ⊕ Lt (−2) = Lt 1 • Orderings ≺ and ≼ on DBM entries – Le a ≺ Le b, Le a ≺ Lt b, Lt a ≺ Lt b if a < b; Lt a ≺ Le b if a ≤ b; Lt _ ≺ ∞, Le _ ≺ ∞ – e.g. Lt 0 ≺ Le 0, Le 0 ≺ Lt 1, Lt 1 ≺ ∞ – Monotonicity: (∀ i j. i ≤ n ⟶ j ≤ n ⟶ M i j ≼ M' i j) ⟹ [M]_{v,n} ⊆ [M']_{v,n} • Length of paths – len M s t [] = M s t – len M s t (w · ws) = M s w ⊕ len M w t ws – Lt (u i − u j) ≺ len M i j xs for every path xs if u ∈ [M]_{v,n} (u i is the value of the clock with index i under v) • Negative cycles: e.g. a DBM with M c1 c2 = Lt (−3) and M c2 c1 = Le 3 – the cycle c1 → c2 → c1 has length Lt (−3) ⊕ Le 3 = Lt 0 ≺ Le 0, so no valuation satisfies both c1 − c2 < −3 and c2 − c1 ≤ 3: the zone is empty

  20. DBM Operations • Intersection A ⊓ B = (λ i j. min (A i j) (B i j)) – Correctness: [A]_{v,n} ∩ [B]_{v,n} = [A ⊓ B]_{v,n} • Similarly reset, delay and intersection with clock constraints

  21. DBM Operations (2) • Floyd-Warshall algorithm – Computes the canonical form: ∀ i j k. i ≤ n ∧ j ≤ n ∧ k ≤ n ⟶ M i k ≼ M i j ⊕ M j k (no entry is looser than a path through a third clock) – or a negative diagonal entry (negative cycle, i.e. empty zone) – Example: the DBM for c1 > 3 ∧ c2 ≤ 4 and its canonical form; the entry for c2 − c1 is tightened via the zero clock: Le 4 ⊕ Lt (−3) = Lt 1
            0        c1       c2               0        c1       c2
     0      Le 0     Lt (−3)  ∞         0      Le 0     Lt (−3)  ∞
     c1     ∞        Le 0     ∞    ⟶    c1     ∞        Le 0     ∞
     c2     Le 4     ∞        Le 0      c2     Le 4     Lt 1     Le 0
   – HOL formulation: recursive function with pointwise updates

  23. DBM Operations (2) • Intersection: And A B ≡ λ i j. min (A i j) (B i j) – Correctness: [A]_{v,n} ∩ [B]_{v,n} = [And A B]_{v,n} • Reset – Want: u c = d for all u ∈ [reset M n c d]_{v,n}, so define (reset M n c d) c 0 = Le d and (reset M n c d) 0 c = Le (−d) – All other constraints regarding c are invalidated (i.e. set to ∞) – Correctness, for reset' which resets a list of clocks cs: {[cs → d]u | u. u ∈ [M]_{v,n}} = [reset' M n cs v d]_{v,n} • Similarly delay and intersection with clock constraints

  24. DBM Semantics • Symbolic zone semantics (abstr turns a clock constraint into a DBM, M_I abstracts the invariant, up is delay on DBMs) – Delay:    M_I = abstr (I(l)) v    ⟹    A ⊢ ⟨l, M⟩ ⇝_{v,n} ⟨l, up (M ⊓ M_I) ⊓ M_I⟩ – Action:    A ⊢ l ⟶^{g,a,r} l'    M_I = abstr (I(l')) v    ⟹    A ⊢ ⟨l, M⟩ ⇝_{v,n} ⟨l', reset' (M ⊓ abstr g v) n r v 0 ⊓ M_I⟩ • Compare with the zone semantics: each zone operation is replaced by its DBM counterpart • Sound & complete w.r.t. zone semantics • Symbolic computation procedure for reachability, but an infinite search space: the DBMs produced along a cycle need not repeat
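Added example covering slides 17 to 24 at once (DBM entry arithmetic, Floyd-Warshall canonicalisation with negative-cycle detection, And/up/reset'/abstr, and the two rules of the symbolic zone semantics driving a forward reachability search). It is not the Isabelle formalization and not any tool's code. Entries are Python tuples, ∞ is None, index 0 is the zero clock, and the automaton at the bottom, its clocks x=1 and y=2 and the reachability query are constructed for illustration.

```python
"""DBMs and the symbolic zone semantics of the slides (added example, see lead-in).  Entries:
Le b = (b, False), Lt b = (b, True), ∞ = None; M[i][j] bounds x_i - x_j; index 0 is the zero clock."""
from collections import deque

INF = None
def Le(b): return (b, False)
def Lt(b): return (b, True)

def add(a, b):  # ⊕: ∞ absorbs; bounds add; the sum is strict if either summand is
    return INF if a is INF or b is INF else (a[0] + b[0], a[1] or b[1])

def lt(a, b):   # ≺: Le/Lt a ≺ Le/Lt b iff a < b, except Lt a ≺ Le b iff a ≤ b; bounds ≺ ∞
    if a is INF or b is INF:
        return b is INF and a is not INF
    return a[0] <= b[0] if (a[1] and not b[1]) else a[0] < b[0]

def emin(a, b):  # min w.r.t. ≼ (the entrywise operation of And)
    return b if lt(b, a) else a

def universe(n):  # zone of all valuations over clocks 1..n: Le 0 on the diagonal, ∞ elsewhere
    return [[Le(0) if i == j else INF for j in range(n + 1)] for i in range(n + 1)]

def canonical(M):
    """Floyd-Warshall: afterwards M i k ≼ M i j ⊕ M j k for all i, j, k,
    and a negative cycle has surfaced as a diagonal entry ≺ Le 0."""
    M = [row[:] for row in M]
    for k in range(len(M)):
        for i in range(len(M)):
            for j in range(len(M)):
                via = add(M[i][k], M[k][j])
                if lt(via, M[i][j]):
                    M[i][j] = via
    return M

def empty(M):  # [M] = ∅ iff canonicalisation left a diagonal entry ≺ Le 0
    return any(lt(M[i][i], Le(0)) for i in range(len(M)))

def And(A, B):
    return [[emin(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def up(M):  # delay on a *canonical* DBM: drop every upper bound x_i - x_0 ≤ b, keep differences
    return [[INF if j == 0 and i > 0 else e for j, e in enumerate(row)] for i, row in enumerate(M)]

def reset_to(M, clocks, d):  # reset' on a *canonical* DBM: x_c = d, all other constraints on c to ∞
    M = [row[:] for row in M]
    for c in clocks:
        for k in range(len(M)):
            M[c][k] = M[k][c] = INF
        M[c][c], M[c][0], M[0][c] = Le(0), Le(d), Le(-d)
    return M

def abstr(phi, n):  # clock constraint (tuples mirroring cconstraint; None = true) to a DBM
    M = universe(n)
    if phi is None:
        return M
    if phi[0] == 'AND':
        return And(abstr(phi[1], n), abstr(phi[2], n))
    op, c, d = phi  # x_c ∼ d is a bound on x_c - x_0 and/or on x_0 - x_c
    if op in ('LT', 'LE', 'EQ'):
        M[c][0] = Lt(d) if op == 'LT' else Le(d)
    if op in ('GT', 'GE', 'EQ'):
        M[0][c] = Lt(-d) if op == 'GT' else Le(-d)
    return M

def successors(A, n, l, M):  # the delay and action rules of the symbolic semantics, canonicalised
    MI = abstr(A['inv'][l], n)
    yield l, canonical(And(up(canonical(And(M, MI))), MI))
    for g, _a, r, l2 in A['trans'][l]:
        Mg = canonical(And(M, abstr(g, n)))
        yield l2, canonical(And(reset_to(Mg, r, 0), abstr(A['inv'][l2], n)))

def reachable(A, n, start, target, max_states=10_000):
    """Forward search over (location, canonical DBM) pairs.  Without normalisation the set of
    DBMs can be infinite, so the search is capped and reports that instead of looping forever."""
    M0 = canonical(And([[Le(0)] * (n + 1) for _ in range(n + 1)], abstr(A['inv'][start], n)))
    seen, work = set(), deque([(start, M0)])
    while work:
        l, M = work.popleft()
        if l == target:
            return True
        for l2, M2 in successors(A, n, l, M):
            key = (l2, tuple(map(tuple, M2)))
            if empty(M2) or key in seen:
                continue
            if len(seen) >= max_states:
                raise RuntimeError("symbolic state space not exhausted; normalisation needed")
            seen.add(key)
            work.append((l2, M2))
    return False

# Constructed automaton: clocks x=1, y=2; l0 -(x>3, reset x)-> l1 -(y ≤ bound)-> l2, I(l1) = y ≤ 5.
X, Y = 1, 2
def automaton(bound):
    return {'trans': {'l0': [(('GT', X, 3), 'a', [X], 'l1')],
                      'l1': [(('LE', Y, bound), 'b', [], 'l2')],
                      'l2': []},
            'inv': {'l0': None, 'l1': ('LE', Y, 5), 'l2': None}}

if __name__ == "__main__":
    print(reachable(automaton(4), 2, 'l0', 'l2'))  # True: delay past 3, fire a, then b
    print(reachable(automaton(3), 2, 'l0', 'l2'))  # False: y > 3 holds in l1, so y ≤ 3 is empty
```

Two design points worth checking in any DBM implementation: `up` and `reset_to` are only correct on a canonical input (on a non-canonical DBM, dropping a row and column can lose a constraint between other clocks that was only implied through the dropped one), which is why `successors` canonicalises before each of them; and the `max_states` cap is the concrete face of the slide's "infinite search space": with a cycle whose clocks keep growing the set of distinct canonical DBMs never stabilises, and the normalisation the talk turns to next is what makes the search finite.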
