
Semantics and Verification 2005, Lecture 10 (transcript of a PowerPoint presentation)



  1. Lecture 10: region graph and the reachability problem; networks of timed automata; model checking of timed automata. (Semantics and Verification 2005)

  2. Motivation
  Fact: Even very simple timed automata generate timed transition systems with infinitely (even uncountably) many reachable states.
  Question: Is any automatic verification approach (like bisimilarity checking, model checking or reachability analysis) possible at all?
  Answer: Yes, using region graph techniques. Key idea: infinitely many clock valuations can be categorized into finitely many equivalence classes.

  3. Preliminaries
  Let $d \in \mathbb{R}_{\ge 0}$. Then let $\lfloor d \rfloor$ be the integer part of $d$, and let $\mathit{frac}(d)$ be the fractional part of $d$. Any $d \in \mathbb{R}_{\ge 0}$ can now be written as $d = \lfloor d \rfloor + \mathit{frac}(d)$. Example: $\lfloor 2.345 \rfloor = 2$ and $\mathit{frac}(2.345) = 0.345$.
  Let $A$ be a timed automaton and $x \in C$ be a clock. We define $c_x \in \mathbb{N}$ as the largest constant with which the clock $x$ is ever compared, either in the guards or in the invariants present in $A$.

  4. Intuition
  Let $v, v' : C \to \mathbb{R}_{\ge 0}$ be clock valuations, and let $\sim$ denote untimed bisimilarity of timed transition systems.
  Our aim: define an equivalence relation $\equiv$ over clock valuations such that
  1. $v \equiv v'$ implies $(\ell, v) \sim (\ell, v')$ for any location $\ell$, and
  2. $\equiv$ has only finitely many equivalence classes.

  5. Clock (Region) Equivalence
  Equivalence relation on clock valuations: clock valuations $v$ and $v'$ are equivalent ($v \equiv v'$) iff
  1. for all $x \in C$ such that $v(x) \le c_x$ or $v'(x) \le c_x$ we have $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$,
  2. for all $x \in C$ such that $v(x) \le c_x$ we have $\mathit{frac}(v(x)) = 0$ iff $\mathit{frac}(v'(x)) = 0$, and
  3. for all $x, y \in C$ such that $v(x) \le c_x$ and $v(y) \le c_y$ we have $\mathit{frac}(v(x)) \le \mathit{frac}(v(y))$ iff $\mathit{frac}(v'(x)) \le \mathit{frac}(v'(y))$.

  6. Regions
  Let $v$ be a clock valuation. The $\equiv$-equivalence class represented by $v$ is denoted by $[v]$ and defined by $[v] = \{ v' \mid v' \equiv v \}$.
  Definition of a region: an $\equiv$-equivalence class $[v]$ represented by some clock valuation $v$ is called a region.
  Theorem: For every location $\ell$ and any two valuations $v$ and $v'$ from the same region ($v \equiv v'$) it holds that $(\ell, v) \sim (\ell, v')$, where $\sim$ stands for untimed bisimilarity.

  7. Symbolic States and Region Graph
  A state $(\ell, v)$ corresponds to the symbolic state $(\ell, [v])$. Note: $v \equiv v'$ implies that $(\ell, [v]) = (\ell, [v'])$.
  Region graph: the region graph of a timed automaton $A$ is an unlabelled (and untimed) transition system whose states are symbolic states; the relation $\Rightarrow$ on symbolic states is defined as follows:
  $(\ell, [v]) \Rightarrow (\ell', [v'])$ iff $(\ell, v) \xrightarrow{a} (\ell', v')$ for some label $a$;
  $(\ell, [v]) \Rightarrow (\ell, [v'])$ iff $(\ell, v) \xrightarrow{d} (\ell, v')$ for some $d \in \mathbb{R}_{\ge 0}$.
  Fact: A region graph of any timed automaton is finite.

  8. Application of Region Graphs to Reachability
  We write $(\ell, v) \rightarrow (\ell', v')$ whenever $(\ell, v) \xrightarrow{a} (\ell', v')$ for some label $a$, or $(\ell, v) \xrightarrow{d} (\ell', v')$ for some $d \in \mathbb{R}_{\ge 0}$.
  Reachability problem for timed automata. Instance (input): automaton $A = (L, \ell_0, E, I)$ and a state $(\ell, v)$. Question: is it true that $(\ell_0, v_0) \rightarrow^* (\ell, v)$ (where $v_0(x) = 0$ for all $x \in C$)?
  Reduction of timed automata reachability to region graphs: reachability for timed automata is decidable because $(\ell_0, v_0) \rightarrow^* (\ell, v)$ in a timed automaton if and only if $(\ell_0, [v_0]) \Rightarrow^* (\ell, [v])$ in its (finite) region graph.
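An added Python example illustrating slides 5 to 8 (it is not code from the lecture): a canonical key for the region $[v]$ of a valuation, so that two valuations are clock-equivalent exactly when their keys coincide, followed by an exploration of the finite region graph that decides reachability. Conditions 2 and 3 of slide 5 are applied symmetrically, as an equivalence relation requires; the automaton at the end is constructed for the demonstration, and the encoding of edges as (source, guard, reset, target) tuples with guards and invariants as Python predicates is an assumption of this example.

```python
import math
from fractions import Fraction

def frac(d):
    return d - math.floor(d)  # d = floor(d) + frac(d), as on slide 3

def region_key(v, cmax):
    """Canonical description of the region [v] of slide 5: two keys are equal iff v ≡ v'."""
    bounded = [x for x in cmax if v[x] <= cmax[x]]  # clocks above c_x only count as 'above'
    ints = tuple((x, math.floor(v[x]) if x in bounded else "above") for x in sorted(cmax))
    zero = frozenset(x for x in bounded if frac(v[x]) == 0)
    groups = {}
    for x in bounded:  # clocks with equal fractional parts form one group; groups are ordered
        groups.setdefault(frac(v[x]), set()).add(x)
    order = tuple(frozenset(groups[f]) for f in sorted(groups))
    return ints, zero, order

def delay_regions(v, cmax, inv):
    """One representative of each region [v + d], d >= 0, while invariant inv holds. The region
    changes only when a clock crosses an integer (multiples of 1/L, L = lcm of denominators in v)."""
    step = Fraction(1, 2 * math.lcm(*(Fraction(t).denominator for t in v.values())))
    seen, out, d = set(), [], Fraction(0)
    while d <= max(cmax.values()) + 1:  # beyond max c_x + 1 every clock is 'above'
        w = {x: t + d for x, t in v.items()}
        if not inv(w): break  # invariants are upper bounds: once violated, delays never restore them
        if region_key(w, cmax) not in seen:
            seen.add(region_key(w, cmax)); out.append(w)
        d += step
    return out

def reachable(edges, inv, init, cmax):
    """Symbolic states (l, [v]) reachable from (l0, [v0]) in the region graph (slides 7 and 8).
    Guards and invariants cannot separate valuations of one region, so one representative suffices."""
    v0 = {x: Fraction(0) for x in cmax}
    todo, seen = [(init, v0)], set()
    while todo:
        l, v = todo.pop()
        for w in delay_regions(v, cmax, inv[l]):  # delay steps (l, [v]) => (l, [v + d])
            seen.add((l, region_key(w, cmax)))
            for src, guard, reset, dst in edges:  # action steps (l, [w]) => (l', [w[r]])
                u = {x: (Fraction(0) if x in reset else t) for x, t in w.items()}
                if src == l and guard(w) and inv[dst](u) and (dst, region_key(u, cmax)) not in seen:
                    seen.add((dst, region_key(u, cmax))); todo.append((dst, u))
    return seen

# Constructed automaton (not from the slides): clock x with c_x = 1, locations a and b, edges
# a -(x >= 1, reset x)-> b and b -(x >= 1)-> a, and invariant x <= 1 in location b.
CMAX = {"x": 1}
EDGES = [("a", lambda v: v["x"] >= 1, {"x"}, "b"), ("b", lambda v: v["x"] >= 1, set(), "a")]
INV = {"a": lambda v: True, "b": lambda v: v["x"] <= 1}
```

With $c_x = 1$ there are four regions of the single clock, and `reachable(EDGES, INV, "a", CMAX)` finds seven symbolic states, since the invariant in b cuts off the region where x exceeds 1.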

  9. Applicability of Region Graphs
  Pros: Region graphs provide a natural abstraction which enables one to prove decidability of, e.g., reachability, timed and untimed bisimilarity, untimed language equivalence and language emptiness.
  Cons: Region graphs have too large state spaces. The state explosion is exponential in the number of clocks and in the maximal constants appearing in the guards.

  10. Zones and Zone Graphs
  Zones provide a more efficient representation of symbolic state spaces: a number of regions can be described by one zone.
  Zone: a zone is described by a clock constraint $g \in B(C)$, with $[g] = \{ v \mid v \models g \}$.
  Zone graphs use symbolic states $(\ell, [g])$ where $g$ is a clock constraint; region graphs use symbolic states $(\ell, [v])$ where $v$ is a clock valuation.
  A zone is usually represented (and stored in memory) as a DBM (Difference Bound Matrix).

  11. Networks of Timed Automata
  Timed automata in parallel, intuition in CCS: $(a.\mathit{Nil} \mid \bar{a}.\mathit{Nil}) \setminus \{a\}$, where the two complementary actions correspond to $a!$ and $a?$.
  Let $C$ be a set of clocks and $\mathit{Chan}$ a set of channels. We let $\mathit{Act} = N \cup \mathbb{R}_{\ge 0}$ where $N = \{ c! \mid c \in \mathit{Chan} \} \cup \{ c? \mid c \in \mathit{Chan} \} \cup \{ \tau \}$. Let $A_i = (L_i, \ell^i_0, E_i, I_i)$ be timed automata for $1 \le i \le n$.
  Networks of timed automata: we call $A = A_1 \mid A_2 \mid \cdots \mid A_n$ a network of timed automata.

  12. Example: Hammer, Worker, Nail
  [Figure: a network of three timed automata H (Hammer), W (Worker) and N (Nail). Labels recoverable from the slide: locations up, half, down, free, busy, rest, work; clocks x, y, z; channels start, hit, done; guards x ≥ 1, y ≥ 5, z ≥ 10; invariant z ≤ 60; resets x := 0, y := 0, z := 0; one internal τ-step.]

  13. Timed Transition System Generated by $A = A_1 \mid \cdots \mid A_n$
  $T(A) = (\mathit{Proc}, \mathit{Act}, \{ \xrightarrow{a} \mid a \in \mathit{Act} \})$ where
  $\mathit{Proc} = (L_1 \times L_2 \times \cdots \times L_n) \times (C \to \mathbb{R}_{\ge 0})$, i.e. states are of the form $((\ell_1, \ell_2, \ldots, \ell_n), v)$ where $\ell_i$ is a location in $A_i$;
  $\mathit{Act} = \{ \tau \} \cup \mathbb{R}_{\ge 0}$;
  $\rightarrow$ is defined as follows:
  $((\ell_1, \ldots, \ell_i, \ldots, \ell_n), v) \xrightarrow{\tau} ((\ell_1, \ldots, \ell'_i, \ldots, \ell_n), v')$ if there is $(\ell_i \xrightarrow{g, \tau, r} \ell'_i) \in E_i$ such that $v \models g$ and $v' = v[r]$ and $v' \models I_i(\ell'_i) \wedge \bigwedge_{k \ne i} I_k(\ell_k)$;
  $((\ell_1, \ldots, \ell_n), v) \xrightarrow{d} ((\ell_1, \ldots, \ell_n), v + d)$ for all $d \in \mathbb{R}_{\ge 0}$ such that $v \models \bigwedge_k I_k(\ell_k)$ and $v + d \models \bigwedge_k I_k(\ell_k)$.

  14. Continuation
  $((\ell_1, \ldots, \ell_i, \ldots, \ell_j, \ldots, \ell_n), v) \xrightarrow{\tau} ((\ell_1, \ldots, \ell'_i, \ldots, \ell'_j, \ldots, \ell_n), v')$ if $i \ne j$ and there are $(\ell_i \xrightarrow{g_i, a!, r_i} \ell'_i) \in E_i$ and $(\ell_j \xrightarrow{g_j, a?, r_j} \ell'_j) \in E_j$ such that $v \models g_i \wedge g_j$ and $v' = v[r_i \cup r_j]$ and $v' \models I_i(\ell'_i) \wedge I_j(\ell'_j) \wedge \bigwedge_{k \ne i, j} I_k(\ell_k)$.
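An added example (not from the lecture) that implements the three rules of slides 13 and 14, the internal τ-step, the delay step and the handshake on matching c! and c? edges, for a constructed two-component network. The encoding of a component as (edges, invariants), of an edge as (source, guard, action, reset, target) and of guards and invariants as Python predicates is an assumption of this example.

```python
# Constructed encoding (not from the slides): a component is (edges, invariants); an edge is
# (source, guard, action, reset, target); guards and invariants are predicates on valuations.
TRUE = lambda v: True

def invariants_hold(net, locs, v):
    """Conjunction of I_k(l_k) over all components k, as required by every rule."""
    return all(inv.get(l, TRUE)(v) for (_, inv), l in zip(net, locs))

def apply_reset(v, r):
    return {x: (0 if x in r else t) for x, t in v.items()}  # the valuation v[r]

def delay_step(net, locs, v, d):
    """Delay rule: (locs, v) -d-> (locs, v + d) iff v and v + d satisfy every invariant."""
    w = {x: t + d for x, t in v.items()}
    return w if invariants_hold(net, locs, v) and invariants_hold(net, locs, w) else None

def tau_steps(net, locs, v):
    """Internal rule: one component alone takes a τ-edge enabled in v; v[r] must satisfy all invariants."""
    out = []
    for i, (edges, _) in enumerate(net):
        for src, g, a, r, dst in edges:
            if src == locs[i] and a == "tau" and g(v):
                nl, w = locs[:i] + (dst,) + locs[i + 1:], apply_reset(v, r)
                if invariants_hold(net, nl, w):
                    out.append((nl, w))
    return out

def sync_steps(net, locs, v):
    """Handshake rule (slide 14): i != j take matching c! and c? edges; both guards hold, r_i ∪ r_j is reset."""
    out = []
    for i, (ei, _) in enumerate(net):
        for si, gi, ai, ri, di in ei:
            if si != locs[i] or not ai.endswith("!"):
                continue
            for j, (ej, _) in enumerate(net):
                for sj, gj, aj, rj, dj in ej:
                    if j != i and sj == locs[j] and aj == ai[:-1] + "?" and gi(v) and gj(v):
                        nl = list(locs)
                        nl[i], nl[j] = di, dj
                        w = apply_reset(v, ri | rj)
                        if invariants_hold(net, tuple(nl), w):
                            out.append((tuple(nl), w))
    return out

# Constructed network: S offers go! once x >= 1; R takes go?, resets y and must leave 'busy'
# by a τ-step (allowed once y >= 1) before its invariant y <= 2 would be violated.
S = ([("idle", lambda v: v["x"] >= 1, "go!", {"x"}, "idle")], {})
R = ([("wait", TRUE, "go?", {"y"}, "busy"), ("busy", lambda v: v["y"] >= 1, "tau", set(), "wait")],
     {"busy": lambda v: v["y"] <= 2})
NET, INIT = (S, R), ("idle", "wait")
```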

  15. Logic for Timed Automata in UPPAAL
  Let φ and ψ be local properties (checkable locally in a given state). Example: (H.busy ∧ W.rest ∧ 20 ≤ z ≤ 30).
  UPPAAL can check the following formulae (a subset of TCTL):
  A[] φ: invariantly φ
  E◇ φ: possibly φ
  A◇ φ: always eventually φ
  E[] φ: potentially always φ
  φ --> ψ: φ always leads to ψ, the same as A[](φ ⟹ A◇ ψ)
  Legend: A and E are so-called path quantifiers, and [] and ◇ quantify over the states of a selected path.
