Robustness in real-time systems Nicolas Markey LSV, CNRS & ENS Cachan, France SIES’11 – June 15, 2011
Verification of (real-time) computerized systems
A model-checking algorithm takes a model of the system and a property (for instance "Always safe", or, in the timed setting, a property carrying a timing bound such as "t ≤ 5") and answers yes/no.
Timed automata
Timed automata (AD90)
A timed automaton is made of
- a transition system,
- a set of clocks,
- a labelling of transitions with timing information (guards and resets).
Example: a two-clock automaton (clocks x and y) whose transitions carry the labels "x ≤ 2, x := 0", "x = 0 ∧ y ≥ 2", "x = 1", "y := 0" and "y ≥ 2, y := 0". The slides animate a run of this automaton in the (x, y) clock plane (both axes graduated from 0 to 2): while time elapses the valuation moves along the diagonal, and a reset sends the corresponding coordinate back to 0.
Region automata
Example: the region graph of the previous two-clock automaton (the figure is not recoverable from the text).
Theorem (AD90). Reachability (and ω-regular properties) in timed automata can be checked in exponential time (and are PSPACE-complete).
Analysing timed automata in practice
- symbolic algorithms (using zones);
- efficient implementations (Uppaal, Kronos, ...).
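As an added example (not from the slides, nor code from Uppaal or Kronos), here is a minimal difference-bound-matrix (DBM) implementation of the zone operations that a symbolic reachability algorithm needs: time elapse, guard intersection, clock reset and emptiness test, with Floyd-Warshall canonicalisation. It is run on the guards of the two-clock example above; since the locations are not recoverable from the slides, the example only assumes that the edges "x ≤ 2, x := 0", "x = 0 ∧ y ≥ 2" and "x = 1" are taken in that order, each preceded by an arbitrary delay. The class and function names (`DBM`, `zone_after_edges`) and the `y_lower` parameter, which is only there to show a zone becoming empty, are the example's own.

```python
import math

# A bound is (c, strict): it reads "< c" when strict is True and "<= c" otherwise.
INF = (math.inf, True)   # no constraint at all
LE0 = (0, False)         # "<= 0"

def b_lt(a, b):
    """True when bound a is strictly tighter than bound b (at equal constants, '<' beats '<=')."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def b_add(a, b):
    """Compose two bounds along a path x_i - x_k, x_k - x_j: constants add, strictness propagates."""
    return (a[0] + b[0], a[1] or b[1])

class DBM:
    """Difference Bound Matrix over clocks 1..n; index 0 is the reference clock that is
    always 0.  Entry m[i][j] encodes the constraint x_i - x_j (<= or <) c."""

    def __init__(self, n):
        self.n = n
        self.m = [[LE0] * (n + 1) for _ in range(n + 1)]   # the zone {all clocks = 0}

    def canonical(self):
        """Floyd-Warshall closure: every entry becomes the tightest bound implied by the zone."""
        r = range(self.n + 1)
        for k in r:
            for i in r:
                for j in r:
                    via = b_add(self.m[i][k], self.m[k][j])
                    if b_lt(via, self.m[i][j]):
                        self.m[i][j] = via
        return self

    def is_empty(self):
        """After closure, the zone is empty iff a diagonal entry is tighter than x_i - x_i <= 0."""
        return any(b_lt(self.m[i][i], LE0) for i in range(self.n + 1))

    def up(self):
        """Time elapse: all clocks grow at rate 1, so every upper bound x_i <= c disappears
        while the differences x_i - x_j are preserved."""
        for i in range(1, self.n + 1):
            self.m[i][0] = INF
        return self.canonical()

    def reset(self, i):
        """x_i := 0: clock x_i takes over the constraints of the reference clock."""
        for j in range(self.n + 1):
            self.m[i][j] = self.m[0][j]
            self.m[j][i] = self.m[j][0]
        return self.canonical()

    def constrain(self, i, j, bound):
        """Intersect the zone with the atomic constraint x_i - x_j (<= or <) c."""
        if b_lt(bound, self.m[i][j]):
            self.m[i][j] = bound
        return self.canonical()

    def box(self, i):
        """Numeric (lower, upper) bounds of clock x_i inside the zone."""
        return (-self.m[0][i][0], self.m[i][0][0])

X, Y = 1, 2   # indices of the slide's two clocks

def zone_after_edges(y_lower=2):
    """Symbolic successor computation along the assumed edge order of the slide's example:
    'x <= 2, x := 0', then 'x = 0 and y >= y_lower', then 'x = 1'.  Each edge is
    'let time elapse, then intersect with the guard, then apply the resets'.
    Returns the final zone, or None as soon as a guard is infeasible."""
    z = DBM(2)
    z.up().constrain(X, 0, (2, False)).reset(X)                         # x <= 2 ; x := 0
    z.up().constrain(X, 0, LE0).constrain(0, X, LE0)                    # x = 0
    z.constrain(0, Y, (-y_lower, False))                                # y >= y_lower
    if z.is_empty():
        return None
    z.up().constrain(X, 0, (1, False)).constrain(0, X, (-1, False))     # x = 1
    return None if z.is_empty() else z

if __name__ == "__main__":
    z = zone_after_edges(2)
    print("x in", z.box(X), "y in", z.box(Y))                     # x in (1, 1) y in (3, 3)
    print("y >= 3 variant feasible:", zone_after_edges(3) is not None)   # False
```

The run shows what the zone abstraction buys: after the first reset the zone is x = 0 ∧ 0 ≤ y ≤ 2, and the guard x = 0 ∧ y ≥ 2 cuts it down to the single point (0, 2), which is exactly the valuation the animation in the slides reaches by taking the first edge at x = 2. Raising the lower bound to y ≥ 3 yields a negative diagonal entry after closure, i.e. an empty zone. For a full reachability search one would additionally need an inclusion test between zones and a maximum-constant extrapolation to guarantee termination; both are omitted here.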
Outline of the presentation
1 Introduction – Timed automata
2 Robustness issues in timed automata
3 Several approaches: Tube semantics; Probabilistic semantics; Sampled semantics; Enlarged semantics
4 A different approach: Checking robustness against enlargement; Making timed automata robust
5 Conclusions and perspectives
Robustness issues in timed automata
Zeno behaviours
Example: a loop guarded by x < 1 ∧ y < 1 that resets x, with an exit edge guarded by y = 1 (animated in the (x, y) plane, axes from 0 to 1). Since y is never reset in the loop, the loop can be taken infinitely often with delays whose sum stays below 1, and the exit edge is never enabled: time does not diverge along such a run.
Theorem (AD90). Checking ω-regular properties under the non-Zenoness requirement can be done in exponential time.
The slide also shows the usual one-clock "tick" automaton (loop x = 1, tick, x := 0 with invariant x ≤ 1) that is composed with the system to enforce time divergence.
Robustness issues in timed automata
Convergence phenomena (CHR02)
Example: a three-location cycle over clocks x, y, z, every location carrying the invariant x ≤ 1, with edges labelled "z > 0, y := 0", "y = 1, x := 0, z := 0" and "x = 1" (the exact edge layout is not recoverable from the text). The animation follows the successive clock valuations in the (x, y) plane (axes from 0 to 1) around the cycle and shows them accumulating towards a limit valuation.
Robustness issues in timed automata
Strict timing constraints
Process P_id (id ∈ {1, 2}) has a clock x_id and shares a variable r with the other process; its edges carry the labels
- r == 0, x_id := 0;
- x_id ≤ 2, r := id, x_id := 0;
- r = id ∧ x_id > 2 (entering the last location, the critical section);
- r := 0 (a further x_id := 0 reset also appears on the slide; its edge is not recoverable from the text).
Theorem (KLL+97). When P_1 and P_2 run in parallel (sharing variable r), the state where both of them are in their last location is not reachable. But this property is lost when x_id > 2 is replaced with x_id ≥ 2.
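An added example, not from the slides or from KLL+97, that explores the two-process protocol above exhaustively with integer delays, which is the τ-sampled semantics of the "Several approaches" part with τ = 1. The edge structure is this example's reading of the slide: idle → request on r == 0 (x_id := 0); request → set while x_id ≤ 2, writing r := id and resetting x_id; set → critical section on r = id ∧ x_id > 2; leaving the critical section resets r := 0. The slide's remaining x_id := 0 reset is not modelled, and the location and function names (`IDLE`, `REQ`, `SET`, `CS`, `find_double_cs`) are the example's own. Clocks are capped at 3, which loses nothing for guards whose only constant is 2. Integer delays under-approximate dense time: the interleaving the search returns for the relaxed guard x_id ≥ 2 is a genuine run of the relaxed protocol, whereas the "unreachable" answer for the strict guard only covers integer-time runs and is consistent with, not a proof of, the KLL+97 theorem.

```python
from collections import deque

IDLE, REQ, SET, CS = range(4)      # the four locations of each process, in slide order
K = 2                              # the timing constant of the slide's guards
CAP = K + 1                        # clock values beyond K + 1 are indistinguishable for these guards

def moves(loc, x, r, pid, strict):
    """Discrete edges of process P_pid (this example's reading of the slide).
    Returns the (new_loc, new_x, new_r) triples enabled from (loc, x) with shared variable r."""
    out = []
    if loc == IDLE and r == 0:
        out.append((REQ, 0, r))                       # r == 0 ; x_id := 0
    if loc == REQ and x <= K:
        out.append((SET, 0, pid))                     # x_id <= 2 ; r := id, x_id := 0
    if loc == SET and r == pid and (x > K if strict else x >= K):
        out.append((CS, x, r))                        # r = id and x_id > 2  (or >= 2 when relaxed)
    if loc == CS:
        out.append((IDLE, x, 0))                      # leave the critical section ; r := 0 (assumed edge)
    return out

def successors(state, strict):
    """One-step successors of a global state (l1, x1, l2, x2, r): either one time unit
    elapses for both processes, or one of them takes one discrete edge."""
    l1, x1, l2, x2, r = state
    succ = [(l1, min(x1 + 1, CAP), l2, min(x2 + 1, CAP), r)]
    succ += [(nl, nx, l2, x2, nr) for nl, nx, nr in moves(l1, x1, r, 1, strict)]
    succ += [(l1, x1, nl, nx, nr) for nl, nx, nr in moves(l2, x2, r, 2, strict)]
    return succ

def find_double_cs(strict):
    """Breadth-first search over the (finite) integer-time state space.  Returns a run,
    as the list of global states from the initial state to the first state with both
    processes in CS, or None if no integer-time run reaches such a state."""
    start = (IDLE, 0, IDLE, 0, 0)
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s[0] == CS and s[2] == CS:
            run = []
            while s is not None:
                run.append(s)
                s = parent[s]
            return run[::-1]
        for t in successors(s, strict):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

if __name__ == "__main__":
    print("strict guard  x_id > 2 : both in CS reachable?", find_double_cs(True) is not None)    # False
    print("relaxed guard x_id >= 2: both in CS reachable?", find_double_cs(False) is not None)   # True
    for state in find_double_cs(False):
        print(state)
```

The run printed for the relaxed guard is the classical race: both processes read r == 0 at time 0, P_1 writes r := 1 immediately, enters the critical section as soon as x_1 = 2, and P_2, whose own write is still allowed at x_2 = 2, overwrites r := 2 and enters two time units later. With the strict guard P_1 must wait until x_1 > 2, by which time P_2's write (due by x_2 ≤ 2) has already happened and P_1's test r = 1 fails.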
Robustness issues in timed automata
Imprecision on clock values (ACS10)
Figure: two timelines, frames 0 to 5 and encodings 0 to 4. In the first picture both proceed with period 2 t.u. and stay aligned; in the second one period becomes 2 + ε and the two timelines drift apart, the small imprecision accumulating over successive frames.
Several solutions have been proposed...
Tube semantics (GHJ97)
- discards behaviours that have too strict constraints;
- only considers traces whose neighbouring traces are accepted;
- safety is decidable.
Probabilistic semantics (BBBB07)
- defines a measure on traces;
- discards unlikely behaviours;
- safety is decidable.
Several solutions have been proposed...
Sampled semantics (HMP92, AKY10)
- actions are taken only at integer multiples of τ;
- conceptually simpler to handle, but checking safety still takes exponential time.
Samplability. A timed automaton 𝒜 is samplable if there exists τ > 0 such that 𝒜 exhibits similar (untimed) behaviours under the classical semantics as under the τ-sampled semantics.
Theorem (AKY10). Samplability is decidable.