
Timed Automata - Rajeev Alur, University of Pennsylvania - PowerPoint PPT Presentation



  1. Timed Automata. Rajeev Alur, University of Pennsylvania, www.cis.upenn.edu/~alur/. SFM-RT, Bertinoro, Sept 2004

  2. Model Checking
     - A model and a temporal property go into the model checker, which answers yes or returns an error trace
     - Advantages: automated formal verification, effective debugging tool
     - Moderate industrial success
       - In-house groups: Intel, Microsoft, Lucent, Motorola, ...
       - Commercial model checkers: FormalCheck by Cadence
     - Obstacles
       - Scalability is still a problem (about 500 state vars)
       - Effective use requires great expertise
     - Still, a great success story for CS theory impacting practice, and a vibrant area of research

  3. Automata in Model Checking
     - Automata theory provides foundations for model checking
       - Automata / state machines to model components
       - Intersection, projection model operations
       - Verification is inclusion: is System contained in Spec?
     - Classical: finite-state automata (regular languages)
       - Pushdown automata
       - Counter automata
       - Probabilistic automata ...
     - Timed automata as a foundation for real-time systems (automata + timing constraints)

  4. Course Overview
     - Timed Automata Model
     - Reachability
       - Preliminaries: Transition Systems and Equivalences
       - Region Graph Construction
       - Decidability Boundary
     - Timed Regular Languages
       - Closure Properties and Complementation
       - Deterministic and Two-way Automata
       - Robustness
       - Inclusion

  5. Simple Light Control (figure: locations Off, Light and Bright, every edge labelled Press). WANT: if Press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

  6. Simple Light Control. Solution: add a real-valued clock x (figure: the Press from Off to Light resets x := 0; from Light, Press with guard x <= 3 goes to Bright and Press with guard x > 3 goes back to Off). Adding continuous variables to state machines.

  7. Timed Automata
     - Clocks: x, y
     - Guard: Boolean combination of comparisons with integer/rational bounds, e.g. x <= 5 & y > 3
     - Reset: action performed on clocks, e.g. x := 0
     - Action a: used for synchronization
     - State: (location, x = v, y = u) where v, u are in R
     - Transitions (figure: edge from location n to location m labelled a, with guard x <= 5 & y > 3 and reset x := 0)
       - (n, x = 2.4, y = 3.1415) -a-> (m, x = 0, y = 3.1415)
       - (n, x = 2.4, y = 3.1415) -wait(1.1)-> (n, x = 3.5, y = 4.2415)

  8. Adding Invariants
     - Clocks: x, y
     - Location n has invariant x <= 5, location m has invariant y <= 10; the edge n -a-> m has guard x <= 5 & y > 3 and reset x := 0 (figure also shows guards g1, g2, g3, g4 on further edges)
     - Transitions
       - (n, x = 2.4, y = 3.1415) -wait(1.1)-> (n, x = 3.5, y = 4.2415)
       - wait(3.2) from (n, x = 2.4, y = 3.1415) is not allowed: x would reach 5.6 and violate the invariant x <= 5 of n
     - Invariants ensure progress!!

  9. Timed Automata: Syntax
     - A finite set V of locations
     - A subset V0 of initial locations
     - A finite set Σ of labels (alphabet)
     - A finite set X of clocks
     - Invariant Inv(l) for each location: a clock constraint over X
     - A finite set E of edges. Each edge has
       - source location l, target location l'
       - label a in Σ (ε labels also allowed)
       - guard g (a clock constraint over X)
       - a subset λ of clocks to be reset

  10. Timed Automata: Semantics
     - For a timed automaton A, define an infinite-state transition system S(A)
     - States Q: a state q is a pair (l, v), where l is a location and v is a clock vector, mapping clocks in X to R, satisfying Inv(l)
     - (l, v) is an initial state if l is in V0 and v(x) = 0 for every clock x
     - Elapse of time transitions: for each nonnegative real number d, (l, v) -d-> (l, v+d) if both v and v+d satisfy Inv(l)
     - Location switch transitions: (l, v) -a-> (l', v') if there is an edge (l, a, g, λ, l') such that v satisfies g and v' = v[λ := 0]
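The semantics above (delay steps checked against the invariant, switch steps checked against the guard and followed by the reset) is easy to execute directly. The following Python simulator is an added example, not code from the slides; it encodes the light controller of slides 5 and 6 and the n/m example of slides 7 and 8 in the data structures of slide 9, using exact rationals in place of the reals. Clock constraints are represented as predicates, a representation choice of this example.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence, Set, Tuple

# A clock valuation v maps the clocks in X to non-negative rationals
# (exact Fractions stand in for the reals of the slides).
Valuation = Dict[str, Fraction]
# A clock constraint (guard or invariant) is modelled as a predicate on valuations.
Constraint = Callable[[Valuation], bool]
State = Tuple[str, Valuation]  # a state of S(A) is a pair (location l, valuation v)


def TRUE(_: Valuation) -> bool:
    return True


@dataclass(frozen=True)
class Edge:
    src: str                 # source location l
    label: str               # label a in Σ
    guard: Constraint        # guard g
    resets: FrozenSet[str]   # subset λ of clocks set to 0
    dst: str                 # target location l'


@dataclass
class TimedAutomaton:
    locations: Set[str]
    initial: Set[str]                   # V0
    clocks: Set[str]                    # X
    invariants: Dict[str, Constraint]   # Inv(l); locations not listed have invariant true
    edges: List[Edge]

    def inv(self, loc: str) -> Constraint:
        return self.invariants.get(loc, TRUE)


def initial_states(ta: TimedAutomaton) -> List[State]:
    """(l, v) with l in V0 and v(x) = 0 for every clock; v must satisfy Inv(l)."""
    zero = {c: Fraction(0) for c in ta.clocks}
    return [(l, dict(zero)) for l in sorted(ta.initial) if ta.inv(l)(zero)]


def delay(ta: TimedAutomaton, state: State, d) -> Optional[State]:
    """Elapse-of-time transition (l, v) -d-> (l, v+d), allowed only if both v and v+d
    satisfy Inv(l); returns None when the invariant blocks the delay."""
    l, v = state
    d = Fraction(d)
    if d < 0:
        raise ValueError("delays are non-negative")
    w = {c: t + d for c, t in v.items()}
    return (l, w) if ta.inv(l)(v) and ta.inv(l)(w) else None


def switch(ta: TimedAutomaton, state: State, label: str) -> List[State]:
    """All switch successors (l', v') via edges (l, a, g, λ, l') with v ⊨ g and v' = v[λ := 0];
    the target must satisfy Inv(l') to be a state of S(A)."""
    l, v = state
    out = []
    for e in ta.edges:
        if e.src == l and e.label == label and e.guard(v):
            w = {c: (Fraction(0) if c in e.resets else t) for c, t in v.items()}
            if ta.inv(e.dst)(w):
                out.append((e.dst, w))
    return out


def run(ta: TimedAutomaton, state: State, steps: Sequence[Tuple[str, object]]) -> Optional[State]:
    """Follow ('wait', d) and ('act', label) steps; None as soon as a step is not enabled.
    Where several edges are enabled, the first in declaration order is taken."""
    cur: Optional[State] = state
    for kind, arg in steps:
        if kind == 'wait':
            cur = delay(ta, cur, arg)
        else:
            succ = switch(ta, cur, str(arg))
            cur = succ[0] if succ else None
        if cur is None:
            return None
    return cur


def light_control() -> TimedAutomaton:
    """Slides 5 and 6: Press resets x on Off -> Light; a second Press within 3 time units
    gives Bright, later than that gives Off; Press in Bright turns the light off."""
    return TimedAutomaton(
        locations={'Off', 'Light', 'Bright'}, initial={'Off'}, clocks={'x'}, invariants={},
        edges=[Edge('Off', 'Press', TRUE, frozenset({'x'}), 'Light'),
               Edge('Light', 'Press', lambda v: v['x'] <= 3, frozenset(), 'Bright'),
               Edge('Light', 'Press', lambda v: v['x'] > 3, frozenset(), 'Off'),
               Edge('Bright', 'Press', TRUE, frozenset(), 'Off')])


def invariant_example() -> Tuple[TimedAutomaton, State]:
    """Slides 7 and 8: n (invariant x <= 5) -a-> m (invariant y <= 10) with guard
    x <= 5 & y > 3 and reset x := 0, started at (n, x = 2.4, y = 3.1415)."""
    ta = TimedAutomaton(
        locations={'n', 'm'}, initial={'n'}, clocks={'x', 'y'},
        invariants={'n': lambda v: v['x'] <= 5, 'm': lambda v: v['y'] <= 10},
        edges=[Edge('n', 'a', lambda v: v['x'] <= 5 and v['y'] > 3, frozenset({'x'}), 'm')])
    return ta, ('n', {'x': Fraction('2.4'), 'y': Fraction('3.1415')})
```

With `ta, s = invariant_example()`, `delay(ta, s, '1.1')` gives (n, x = 3.5, y = 4.2415), `delay(ta, s, '3.2')` gives None because x would reach 5.6, and `switch(ta, s, 'a')` gives (m, x = 0, y = 3.1415); for the light, `run(lc, initial_states(lc)[0], [('act', 'Press'), ('wait', 2), ('act', 'Press')])` ends in Bright and the same with a wait of 4 ends in Off.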

  11. Product Construction (figure): one component has locations A, B and clock x (edges labelled a with reset x := 0, guards x < 4 and x > 3, and edges labelled b); the other has locations C, D and clock y (edges labelled b with reset y := 0, guards y < 4 and y > 3, and edges labelled c). The product has locations AC, AD, BC, BD; on each product edge the shared labels synchronize and the guards and resets of the components are combined (e.g. a, x := 0; x > 3, b, y := 0).

  12. Verification
     - System modeled as a product of timed automata
     - Verification problem reduced to reachability or to temporal logic model checking
     - Applications
       - Real-time controllers
       - Asynchronous timed circuits
       - Scheduling
       - Distributed timing-based algorithms

  13. Course Overview
     - Timed Automata Model (done)
     - Reachability
       - Preliminaries: Transition Systems and Equivalences
       - Region Graph Construction
       - Decidability Boundary
     - Timed Regular Languages
       - Closure Properties and Complementation
       - Deterministic and Two-way Automata
       - Robustness
       - Inclusion

  14. Reachability for Timed Automata. Is finite state analysis possible? Is the reachability problem decidable?

  15. Finite Partitioning. Goal: to partition the state space into finitely many equivalence classes so that equivalent states exhibit similar behaviors.

  16. Labeled Transition System T
     - Set Q of states
     - Set I of initial states
     - Set Σ of labels
     - Set -> of labeled transitions of the form q -a-> q'

  17. Partitions and Quotients
     - Let T = (Q, I, Σ, ->) be a transition system and ≅ be a partitioning of Q (i.e. an equivalence relation on Q)
     - Quotient T/≅ is the transition system:
       1. States are equivalence classes of ≅
       2. A state P is initial if it contains a state in I
       3. Set of labels is Σ
       4. Transitions: P -a-> P' if q -a-> q' for some q in P and some q' in P'

  18. Language Equivalence
     - Language of T: set of possible finite strings over Σ that can be generated starting from initial states
     - T and T' are language-equivalent iff they generate the same language
     - Roughly speaking, language-equivalent systems satisfy the same set of "safety" properties

  19. Bisimulation
     - Relation ≅ on Q×Q' is a bisimulation iff whenever q ≅ q' then
       - if q -a-> u then for some u', u ≅ u' and q' -a-> u', and
       - if q' -a-> u' then for some u, u ≅ u' and q -a-> u
     - Transition systems T and T' are bisimilar if there exists a bisimulation ≅ on Q×Q' such that for every q in I there is q' in I' with q ≅ q', and vice versa
     - Many equivalent characterizations (e.g. game-theoretic)
     - Roughly speaking, bisimilar systems satisfy the same set of branching-time properties (including safety)

  20. Bisimulation vs Language Equivalence (figure: two systems over labels a, b, c; the first branches on a into one state offering only b and one offering only c, the second has a single a-successor offering both b and c). Language equivalent but not bisimilar. Bisimilarity -> Language equivalence.
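The definitions of slides 16 to 20 can be checked mechanically on finite systems. The Python below is an added example, not code from the slides: it enumerates the finite strings a labeled transition system generates (up to a length bound, so that cyclic systems stay finite) and computes the largest bisimulation between two systems by starting from all pairs of states and discarding pairs that violate the transfer condition until nothing changes. `slide_example` builds the two systems of slide 20; their names (s0, t0, ...) are this example's own.

```python
from typing import Set, Tuple

Transition = Tuple[str, str, str]   # (q, a, q')


class LTS:
    """Labeled transition system T = (Q, I, Σ, ->) with finite Q."""

    def __init__(self, states, initial, labels, transitions):
        self.states: Set[str] = set(states)
        self.initial: Set[str] = set(initial)
        self.labels: Set[str] = set(labels)
        self.trans: Set[Transition] = set(transitions)

    def succ(self, q: str, a: str) -> Set[str]:
        return {q2 for (p, b, q2) in self.trans if p == q and b == a}


def traces(t: LTS, max_len: int) -> Set[Tuple[str, ...]]:
    """Finite strings over Σ generated from the initial states, up to length max_len
    (the bound keeps the enumeration finite when T has cycles)."""
    out: Set[Tuple[str, ...]] = set()
    frontier = {(q, ()) for q in t.initial}
    for _ in range(max_len + 1):
        out |= {w for _, w in frontier}
        frontier = {(q2, w + (a,)) for q, w in frontier for (p, a, q2) in t.trans if p == q}
    return out


def language_equivalent(t1: LTS, t2: LTS, max_len: int = 8) -> bool:
    """Language equivalence up to the length bound (exact for acyclic systems)."""
    return traces(t1, max_len) == traces(t2, max_len)


def greatest_bisimulation(t1: LTS, t2: LTS) -> Set[Tuple[str, str]]:
    """Largest bisimulation on Q x Q': start with all pairs and repeatedly drop a pair (q, q')
    that violates the transfer condition w.r.t. the current relation, until a fixpoint."""
    rel = {(q, q2) for q in t1.states for q2 in t2.states}
    labels = t1.labels | t2.labels
    changed = True
    while changed:
        changed = False
        for (q, q2) in sorted(rel):
            forth = all(any((u, u2) in rel for u2 in t2.succ(q2, a))
                        for a in labels for u in t1.succ(q, a))
            back = all(any((u, u2) in rel for u in t1.succ(q, a))
                       for a in labels for u2 in t2.succ(q2, a))
            if not (forth and back):
                rel.discard((q, q2))
                changed = True
    return rel


def bisimilar(t1: LTS, t2: LTS) -> bool:
    """T and T' are bisimilar iff every initial state of each is related to an initial state of the other."""
    rel = greatest_bisimulation(t1, t2)
    return (all(any((q, q2) in rel for q2 in t2.initial) for q in t1.initial)
            and all(any((q, q2) in rel for q in t1.initial) for q2 in t2.initial))


def slide_example() -> Tuple[LTS, LTS]:
    """Slide 20: the first system branches on a into a state offering only b and a state
    offering only c; the second takes a single a into a state offering both b and c."""
    t1 = LTS(['s0', 's1', 's2', 's3', 's4'], ['s0'], 'abc',
             [('s0', 'a', 's1'), ('s0', 'a', 's2'), ('s1', 'b', 's3'), ('s2', 'c', 's4')])
    t2 = LTS(['t0', 't1', 't2', 't3'], ['t0'], 'abc',
             [('t0', 'a', 't1'), ('t1', 'b', 't2'), ('t1', 'c', 't3')])
    return t1, t2
```

On the slide's pair, `language_equivalent` is true (both generate the strings ε, a, ab, ac) while `bisimilar` is false: the pair (s1, t1) is dropped because t1 offers c and s1 does not, which then removes (s0, t0).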

  21. Timed vs Time-Abstract Relations
     - Transition system associated with a timed automaton:
       - Labels on continuous steps are delays in R: Timed
       - Actual delays are suppressed (all continuous steps have the same label): Time-abstract
     - Two versions of language equivalence and two versions of bisimulation
     - Time-abstract relations are enough to capture untimed properties (e.g. reachability, safety)

  22. Time-abstract vs Timed (figure: one automaton does a then b; the other does a with reset x := 0, then b with guard x > 10). Time-abstract equivalent but not timed equivalent. Timed equivalence -> Time-abstract equivalence.

  23. Regions (Alur, Dill 90): finite partitioning of state space
     - Definition: w ≅ w' iff they satisfy the same set of constraints of the form x_i < c, x_i = c, x_i - x_j < c, x_i - x_j = c for c <= largest constant relevant to x_i
     - (figure: the x-y plane with 1, 2, 3 marked on the x axis and 1, 2 on the y axis; one equivalence class, i.e. a region, is shaded)
     - In fact there is only a finite number of regions!!

  24. Region Operations (figure, in the same x-y plane): the successor regions Succ(r) of a region r, and the reset regions r[x := 0] and r[y := 0].

  25. Properties of Regions
     - The region equivalence relation ≅ is a time-abstract bisimulation:
       - Action transitions: if w ≅ v and (l, w) -a-> (l', w') for some w', then there exists v' ≅ w' such that (l, v) -a-> (l', v')
       - Delay transitions: if w ≅ v then for all real numbers d there exists d' such that w+d ≅ v+d'
     - If w ≅ v then (l, w) and (l, v) satisfy the same temporal logic formulas
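The region definition of slide 23 can be taken literally as code: name a valuation's region by the set of constraints of the listed forms that it satisfies, with c ranging over the integers 0..c_x, where c_x is the largest constant relevant to clock x. The Python below is an added example, not code from the slides; `maxc` (the per-clock constant bound), the integer range chosen for c, and the witness search in `match_delay` are this example's assumptions. `match_delay` illustrates the delay half of slide 25 by finding, for w ≅ v and a delay d, a delay d' with w+d ≅ v+d'; it relies on the fact that the region of v+d' can only change when some clock of v reaches an integer value, so only those delays, the midpoints between them, and one delay past the last need to be tried.

```python
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional, Tuple

Valuation = Dict[str, Fraction]
# maxc[x] is the largest constant c_x relevant to clock x (an input to the construction).
Atom = Tuple[str, str, Optional[str], int]   # (op, x, y or None, c): x op c, or x - y op c


def val(**clocks: str) -> Valuation:
    """Build a valuation from decimal strings, e.g. val(x='0.3', y='0.7')."""
    return {x: Fraction(s) for x, s in clocks.items()}


def atoms(clocks: List[str], maxc: Dict[str, int]) -> List[Atom]:
    """All constraints of the forms x<c, x=c, x-y<c, x-y=c with integer 0 <= c <= c_x."""
    out: List[Atom] = []
    for x in clocks:
        for c in range(maxc[x] + 1):
            out += [('<', x, None, c), ('=', x, None, c)]
            out += [(op, x, y, c) for y in clocks if y != x for op in '<=']
    return out


def holds(atom: Atom, v: Valuation) -> bool:
    op, x, y, c = atom
    lhs = v[x] - (v[y] if y is not None else 0)
    return lhs < c if op == '<' else lhs == c


def region_signature(v: Valuation, maxc: Dict[str, int]) -> FrozenSet[Atom]:
    """Name of the region of v: the set of constraints it satisfies. w ≅ w' iff the signatures
    are equal; as there are finitely many constraints there are finitely many regions."""
    return frozenset(a for a in atoms(sorted(v), maxc) if holds(a, v))


def region_equivalent(w: Valuation, v: Valuation, maxc: Dict[str, int]) -> bool:
    return region_signature(w, maxc) == region_signature(v, maxc)


def shift(v: Valuation, d) -> Valuation:
    """The valuation v + d reached by letting d time units elapse."""
    return {x: t + Fraction(d) for x, t in v.items()}


def match_delay(w: Valuation, v: Valuation, d, maxc: Dict[str, int]) -> Optional[Fraction]:
    """Witness for the delay transfer property: given w ≅ v and a delay d, a delay d' with
    w+d ≅ v+d'. Candidates are the delays that move some clock of v onto an integer value
    (up to c_x + 1), the midpoints between consecutive candidates, and one delay past the last."""
    target = region_signature(shift(w, d), maxc)
    hits = sorted({Fraction(0)} | {k - v[x] for x in v for k in range(maxc[x] + 2) if k - v[x] >= 0})
    candidates = set(hits) | {(a + b) / 2 for a, b in zip(hits, hits[1:])} | {hits[-1] + 1}
    for dp in sorted(candidates):
        if region_signature(shift(v, dp), maxc) == target:
            return dp
    return None
```

With `maxc = {'x': 2, 'y': 2}`, the valuations (x=0.3, y=0.7) and (x=0.5, y=0.9) are region-equivalent (same integer parts, x - y < 0 in both) while (x=0.7, y=0.3) is not; for the delay d = 0.4 from the first, `match_delay` returns d' = 0.3, taking the second to (0.8, 1.2), which lies in the same region as (0.7, 1.1).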

  26. Region graph of a simple timed automaton (figure).

  27. Region Graphs (Summary)
     - Finite quotient of the timed automaton that is time-abstract bisimilar
     - Number of regions: (# of locations) times (product of all constants) times (factorial of the number of clocks)
     - Precise complexity class of the reachability problem: PSPACE (basically, the exponential dependence on clocks/constants is unavoidable)
       - PSPACE-hard even for bounded constants or for a bounded number of clocks

  28. Multi-rate Automata
     - Modest extension of timed automata
       - Dynamics of the form dx = const (the rate of a clock is the same in all locations)
       - Guards and invariants: x < const, x > const
       - Resets: x := const
     - Simple translation to timed automata that gives a time-abstract bisimilar system, by scaling: with dx = 2 and dy = 3, the guard x > 5 and y < 1 becomes u > 5/2 and v < 1/3 with du = 1 and dv = 1

  29. Rectangular Automata (HKPV 95)
     - Interesting extension of timed automata
       - Dynamics of the form dx in const interval (the rate bounds of a clock are the same in all locations)
       - Guards/invariants/resets as before
     - Translation to multi-rate automata that gives a time-abstract language-equivalent system: a clock x with dx in [2, 3] is replaced by u with du = 2 and v with dv = 3; the guard x > 5 becomes v > 5 with reset u := 5, and the guard x < 2 becomes u < 2 with reset v := 2
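Both translations of slides 28 and 29 are rewrite rules on guards, and the Python below, an added example rather than the slides' own code, applies them to arbitrary guards of the forms the slides allow. The scaling rule divides each constant by the clock's rate; the rectangular rule keeps a lower-bound clock u (rate lo) and an upper-bound clock v (rate hi) for each rectangular clock x, tests x > c on v and x < c on u, and pins the other bound by the reset the slide shows. `translation_agrees` checks, on a grid of envelopes u <= v, the reading this example gives the rule: the translated guard holds exactly when some value of x in [u, v] satisfies the original one. The function and clock names are this example's own.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

Atom = Tuple[str, str, object]   # (clock, op, const) with op in {'<', '>'} as on the slides
Reset = Tuple[str, object]       # (clock, const) for a reset clock := const


def scale_multirate(guard: List[Atom], rates: Dict[str, int], names: Dict[str, str]) -> List[Atom]:
    """Slide 28: a clock x with dx = k (k > 0) is replaced by u = x / k with du = 1,
    so every atom x op c (guard, invariant or reset value) becomes u op c/k."""
    return [(names[x], op, Fraction(c) / rates[x]) for x, op, c in guard]


def split_rectangular_clock(lo: int, hi: int, names: Tuple[str, str]) -> Dict[str, int]:
    """Slide 29: x with dx in [lo, hi] is tracked by u with du = lo (a lower bound on x)
    and v with dv = hi (an upper bound on x); returns the multi-rate clock rates."""
    u, v = names
    return {u: lo, v: hi}


def translate_rectangular(atom: Atom, names: Tuple[str, str]) -> Tuple[Atom, List[Reset]]:
    """x > c is enabled as soon as the upper bound admits it (v > c) and taking the edge pins
    the lower bound (u := c); symmetrically x < c becomes u < c with v := c."""
    _, op, c = atom
    u, v = names
    if op == '>':
        return (v, '>', c), [(u, c)]
    if op == '<':
        return (u, '<', c), [(v, c)]
    raise ValueError("only < and > atoms, as on the slides")


def atom_holds_for_some_x(atom: Atom, lo_val, hi_val) -> bool:
    """Whether some value x in the envelope [lo_val, hi_val] satisfies the atom."""
    _, op, c = atom
    return hi_val > c if op == '>' else lo_val < c


def translated_holds(atom: Atom, names: Tuple[str, str], env: Dict[str, object]) -> bool:
    """Evaluate the translated atom on the current values of u and v."""
    (clk, op, c), _ = translate_rectangular(atom, names)
    return env[clk] > c if op == '>' else env[clk] < c


def translation_agrees(names: Tuple[str, str], limit: int = 10) -> bool:
    """On every integer envelope u <= v up to limit, the translated guard of the slide's two
    atoms (x > 5 and x < 2) holds iff some x in [u, v] satisfies the original atom."""
    u, v = names
    for lo in range(limit + 1):
        for hi in range(lo, limit + 1):
            env = {u: Fraction(lo), v: Fraction(hi)}
            for atom in [('x', '>', 5), ('x', '<', 2)]:
                if translated_holds(atom, names, env) != atom_holds_for_some_x(atom, env[u], env[v]):
                    return False
    return True
```

`scale_multirate([('x', '>', 5), ('y', '<', 1)], {'x': 2, 'y': 3}, {'x': 'u', 'y': 'v'})` yields u > 5/2 and v < 1/3 as on slide 28, and `translate_rectangular(('x', '>', 5), ('u', 'v'))` yields the guard v > 5 with reset u := 5 as on slide 29.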

  30. Rectangular automata may not have finite bisimilar quotients! (figure: one location with invariant x <= 1, y <= 1 and dynamics dx = 1, dy in [1, 2]; edges x = 1, a, x := 0 and y = 1, b, y := 0)
