1. Verifying Timed Reachability Properties
Lecture #17 of Advanced Model Checking
Joost-Pieter Katoen, Lehrstuhl 2: Software Modeling & Verification
E-mail: katoen@cs.rwth-aachen.de
June 30, 2014
© JPK

2. Advanced model checking: Timelock, time-divergence and Zenoness

• A path is time-divergent if its execution time is infinite:
$$\mathrm{ExecTime}\bigl(s_0 \xrightarrow{d_0} s_1 \xrightarrow{d_1} \cdots\bigr) \;=\; \sum_{i=0}^{\infty} d_i \;=\; \infty$$
• TA is timelock-free if no state in $Reach(TS(TA))$ contains a timelock
  – a state contains a timelock whenever no time-divergent paths emanate from it
• TA is non-Zeno if there does not exist an initial Zeno path in $TS(TA)$
  – a path is Zeno if it is time-convergent and performs infinitely many actions

3. Some abbreviations

"Always" is obtained in the following way:
$$\exists\Box^J \Phi \;=\; \neg\forall\Diamond^J \neg\Phi \qquad\text{and}\qquad \forall\Box^J \Phi \;=\; \neg\exists\Diamond^J \neg\Phi$$
$\exists\Box^J \Phi$ asserts that for some path, $\Phi$ holds during the interval $J$; $\forall\Box^J \Phi$ requires this to hold for all paths.

The standard $\Box$- and $\Diamond$-operators are obtained as follows:
$$\Diamond\Phi \;=\; \Diamond^{[0,\infty)}\Phi \qquad\text{and}\qquad \Box\Phi \;=\; \Box^{[0,\infty)}\Phi$$

4. The ⇒ relation

For infinite path fragments in $TS(TA)$ performing infinitely many actions, let
$$s_0 \overset{d_0}{\Rightarrow} s_1 \overset{d_1}{\Rightarrow} s_2 \overset{d_2}{\Rightarrow} \cdots \qquad \text{with } d_0, d_1, d_2, \ldots \geq 0$$
denote the equivalence class containing all infinite path fragments induced by execution fragments of the form
$$s_0 \xrightarrow{d_0^1} \cdots \xrightarrow{d_0^{k_0}} s_0{+}d_0 \xrightarrow{\alpha_1} s_1 \xrightarrow{d_1^1} \cdots \xrightarrow{d_1^{k_1}} s_1{+}d_1 \xrightarrow{\alpha_2} s_2 \xrightarrow{d_2^1} \cdots \xrightarrow{d_2^{k_2}} s_2{+}d_2 \xrightarrow{\alpha_3} \cdots$$
(the delay blocks are the passage of $d_0$, $d_1$, $d_2$, ... time units, respectively), where $k_i \in \mathbb{N}$, $d_i^j \in \mathbb{R}_{\geq 0}$ and $\alpha_i \in Act$ such that $\sum_{j=1}^{k_i} d_i^j = d_i$.

For $\pi \in s_0 \overset{d_0}{\Rightarrow} s_1 \overset{d_1}{\Rightarrow} \cdots$ we have $\mathrm{ExecTime}(\pi) = \sum_{i \geq 0} d_i$.

5. Semantics of timed reachability

For a time-divergent path $\pi \in s_0 \overset{d_0}{\Rightarrow} s_1 \overset{d_1}{\Rightarrow} \cdots$ we have:
$$\pi \models \Diamond^J \Psi \quad\text{iff}\quad \exists i \geq 0.\; s_i + d \models \Psi \;\text{ for some } d \in [0, d_i] \text{ with } \sum_{k=0}^{i-1} d_k + d \in J$$
where for $s_i = \langle \ell_i, \eta_i \rangle$ and $d \geq 0$ we have $s_i + d = \langle \ell_i, \eta_i + d \rangle$.

6. Timed reachability for timed automata

• Let TA be a timed automaton with clocks $C$ and locations $Loc$
• The satisfaction set $Sat(\forall\Diamond^J \Phi)$ is defined by:
$$Sat(\forall\Diamond^J \Phi) \;=\; \{\, s \in Loc \times Eval(C) \mid \forall \pi \in Paths_{div}(s).\; \pi \models \Diamond^J \Phi \,\}$$
  – the satisfaction set for $\exists\Diamond^J \Phi$ is defined analogously
• TA satisfies $\forall\Diamond^J \Phi$ iff $\forall\Diamond^J \Phi$ holds in all initial states of TA:
$$TA \models \forall\Diamond^J \Phi \quad\text{if and only if}\quad \forall \ell_0 \in Loc_0.\; \langle \ell_0, \eta_0 \rangle \models \forall\Diamond^J \Phi$$
  where $\eta_0(x) = 0$ for all $x \in C$

7. Characterizing timelock

• TCTL semantics is also well-defined for TA with timelock
• A state has a timelock if no time-divergent paths emanate from it
• A state is timelock-free if and only if it satisfies $\exists\Box\, true$
  – some time-divergent path satisfies $\Box\, true$, i.e., there is $\geq 1$ time-divergent path
  – note: for fair CTL, the states in which a fair path starts also satisfy $\exists\Box\, true$
• TA is timelock-free iff $\forall s \in Reach(TS(TA)):\; s \models \exists\Box\, true$
• Timelocks can thus be characterised by a timed reachability property

8. Verifying timed reachability

• Timed reachability problem: $TA \models \forall\Diamond^J \Phi$ for non-Zeno TA
$$\underbrace{TA \models \forall\Diamond^J \Phi}_{\text{timed automaton}} \quad\text{iff}\quad \underbrace{TS(TA) \models \forall\Diamond^J \Phi}_{\text{uncountable transition system}}$$
  – Zeno paths are excluded as they could be false alarms
• Idea: take a finite quotient of $TS(TA)$ wrt. a tailored bisimulation
  – $TS(TA)/\!\cong$ is a region transition system and denoted $RTS(TA)$
• Transform $\forall\Diamond^J \Phi$ into an "equivalent" reachability property $\forall\Diamond\, \hat{\Phi}$
• Then:
$$TA \models \forall\Diamond^J \Phi \quad\text{iff}\quad \underbrace{RTS(TA)}_{\text{finite transition system}} \models \underbrace{\forall\Diamond\, \hat{\Phi}}_{\text{CTL formula}}$$

9. Eliminating timing parameters

• Eliminate all intervals $J \neq [0, \infty)$ from timed reachability
  – introduce a fresh clock, $z$ say, that does not occur in TA
• Formally: for any state $s$ of $TS(TA)$ it holds:
$$s \models \exists\Diamond^J \Phi \quad\text{iff}\quad \underbrace{s\{z := 0\}}_{\text{state in } TS(TA \oplus z)} \models \exists\Diamond\,\bigl((z \in J) \wedge \Phi\bigr)$$
  – where $TA \oplus z$ is TA (over $C$) extended with $z \notin C$
  – atomic clock constraints are atomic propositions, i.e., a CTL formula results

10. Correctness

Let $TA = (Loc, Act, C, \hookrightarrow, Loc_0, Inv, AP, L)$. For clock $z \notin C$, let $TA \oplus z = (Loc, Act, C \cup \{z\}, \hookrightarrow, Loc_0, Inv, AP, L)$. For any state $s$ of $TS(TA)$ it holds that:

1. $s \models \exists\Diamond^J \Psi$ iff $s\{z := 0\} \models \exists\Diamond\,\bigl((z \in J) \wedge \Psi\bigr)$
2. $s \models \forall\Diamond^J \Psi$ iff $s\{z := 0\} \models \forall\Diamond\,\bigl((z \in J) \wedge \Psi\bigr)$

where $s\{z := 0\}$ is a state in $TS(TA \oplus z)$.

11. Constraints on clock equivalence ≅

(A) Equivalent clock valuations satisfy the same clock constraints $g$:
$$\eta \cong \eta' \;\Rightarrow\; (\eta \models g \;\text{iff}\; \eta' \models g)$$
(B) Time-divergent paths of equivalent states are "equivalent"
  – this property guarantees that equivalent states satisfy the same path formulas
(C) The number of equivalence classes under ≅ is finite

12. Clock equivalence

• Correctness criteria (A) and (B) are ensured if equivalent states:
  – agree on the integer parts of all clock values, and
  – agree on the ordering of the fractional parts of all clocks
  ⇒ this yields a denumerably infinite set of equivalence classes
• Observe that:
  – once a clock exceeds the maximal constant with which it is compared, its precise value is no longer of interest
  ⇒ the number of equivalence classes is then finite (C)

13. Clock equivalence: definition

Clock valuations $\eta, \eta' \in Eval(C)$ are equivalent, denoted $\eta \cong \eta'$, if both of the following hold (the slide reads "if either ... or", but each condition alone would identify far too many valuations; the two conditions are required jointly, as slide 12 and the region count of slide 16 presuppose):

• for all $x \in C$: $\eta(x) > c_x$ iff $\eta'(x) > c_x$, and
• for any $x, y \in C$ with $\eta(x), \eta'(x) \leq c_x$ and $\eta(y), \eta'(y) \leq c_y$ it holds:
  – $\lfloor \eta(x) \rfloor = \lfloor \eta'(x) \rfloor$ and $frac(\eta(x)) = 0$ iff $frac(\eta'(x)) = 0$, and
  – $frac(\eta(x)) \leq frac(\eta(y))$ iff $frac(\eta'(x)) \leq frac(\eta'(y))$.

For states: $s \cong s'$ iff $\ell = \ell'$ and $\eta \cong \eta'$.

14. Regions

• The clock region of $\eta \in Eval(C)$, denoted $[\eta]$, is defined by:
$$[\eta] \;=\; \{\, \eta' \in Eval(C) \mid \eta \cong \eta' \,\}$$
• The state region of $s = \langle \ell, \eta \rangle \in TS(TA)$ is defined by:
$$[s] \;=\; \langle \ell, [\eta] \rangle \;=\; \{\, \langle \ell, \eta' \rangle \mid \eta' \in [\eta] \,\}$$

15. Example: $c_x = 2$, $c_y = 1$ (figure of the clock regions; not reproduced)

16. Bounds on the number of regions

The number of clock regions is bounded from below and above by:
$$|C|! \cdot \prod_{x \in C} c_x \;\;\leq\;\; \underbrace{\bigl|\, Eval(C)/\!\cong \,\bigr|}_{\text{number of regions}} \;\;\leq\;\; |C|! \cdot 2^{|C|-1} \cdot \prod_{x \in C} (2 c_x + 2)$$
where for the upper bound it is assumed that $c_x \geq 1$ for any $x \in C$. The number of state regions is $|Loc|$ times larger.

17. Proof

18. Preservation of atomic properties

1. For $\eta, \eta' \in Eval(C)$ such that $\eta \cong \eta'$:
$$\eta \models g \quad\text{if and only if}\quad \eta' \models g \qquad \text{for any } g \in ACC(TA \cup \Phi)$$
2. For $s, s' \in TS(TA)$ such that $s \cong s'$:
$$s \models a \quad\text{if and only if}\quad s' \models a \qquad \text{for any } a \in AP'$$
where $AP'$ includes all propositions in TA and the atomic clock constraints in TA and $\Phi$.

19. Clock equivalence is a bisimulation

Clock equivalence is a bisimulation equivalence over $AP'$.

20. Proof

21. Region automaton: intuition

• Region automaton = quotient of $TS(TA)$ under ≅
• State regions are the states in the quotient transition system under ≅
• Transitions in the region automaton "mimic" those in $TS(TA)$
• Delays are abstract
  – the exact delay is not recorded, only that some delay took place
  – if every clock $x$ exceeds $c_x$, delays are self-loops
• Discrete transitions correspond to actions

22. A simple example

A timed automaton with a single location $\ell$ and one edge $x \geq 2 : \alpha,\ reset(x)$. The figure (not reproduced) shows its region automaton: the state regions $\langle \ell, x{=}0 \rangle$, $\langle \ell, 0{<}x{<}1 \rangle$, $\langle \ell, x{=}1 \rangle$, $\langle \ell, 1{<}x{<}2 \rangle$, $\langle \ell, x{=}2 \rangle$, $\langle \ell, x{>}2 \rangle$, connected in that order by delay transitions $\tau$ (with a $\tau$ self-loop on $x > 2$), and $\alpha$-transitions from the regions satisfying the guard back to $\langle \ell, x{=}0 \rangle$.

23. Unbounded and successor regions

• The clock region $r_\infty = \{\, \eta \in Eval(C) \mid \forall x \in C.\; \eta(x) > c_x \,\}$ is unbounded
• $r'$ is the successor (clock) region of $r$, denoted $r' = succ(r)$, if either:
  1. $r = r_\infty$ and $r = r'$, or
  2. $r \neq r_\infty$, $r \neq r'$ and
$$\forall \eta \in r:\; \exists d \in \mathbb{R}_{>0}.\; \bigl(\eta + d \in r' \;\wedge\; \forall\, 0 \leq d' \leq d.\; \eta + d' \in r \cup r'\bigr)$$
• The successor region: $succ(\langle \ell, r \rangle) = \langle \ell, succ(r) \rangle$
• Note: the location invariants are ignored so far!
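The definition of clock equivalence (slide 13), the example with $c_x = 2$, $c_y = 1$ (slide 15), the region-count bounds (slide 16) and the successor-region construction (slide 23) can be checked mechanically. The Python below is an added example written for this page, not code from the lecture or its author. Two choices are its own and not from the slides: regions are encoded canonically as the per-clock integer part and zero/non-zero fractional flag (or "above" once the clock exceeds $c_x$) together with the ordering of the non-zero fractional parts, and regions are enumerated by sampling valuations on a rational grid of step $1/(|C|+1)$, which is fine enough to realise every ordering of fractional parts.

```python
from fractions import Fraction
from itertools import product
from math import factorial, floor

# Added example (not lecture code). A valuation eta is a dict clock -> Fraction;
# cmax maps each clock x to c_x, the largest constant it is compared with.


def val(**clocks):
    """Build an exact valuation, e.g. val(x="1/4", y=2)."""
    return {x: Fraction(v) for x, v in clocks.items()}


def region(eta, cmax):
    """Canonical, hashable encoding of the clock region [eta] (our own encoding).

    Two valuations get the same encoding iff they are clock-equivalent as on
    slide 13: the same clocks lie above c_x; every clock at or below c_x has
    the same integer part and the same zero/non-zero fractional part; and the
    non-zero fractional parts of those clocks are ordered the same way.
    """
    per_clock, nonzero_frac = [], {}
    for x in sorted(cmax):
        v = eta[x]
        if v > cmax[x]:
            per_clock.append((x, "above"))          # precise value irrelevant
        else:
            ip = floor(v)
            fr = v - ip
            per_clock.append((x, ip, fr == 0))
            if fr != 0:
                nonzero_frac[x] = fr
    # ascending blocks of clocks with equal non-zero fractional part
    ordering = tuple(frozenset(x for x, f in nonzero_frac.items() if f == fr)
                     for fr in sorted(set(nonzero_frac.values())))
    return (tuple(per_clock), ordering)


def equivalent(eta1, eta2, cmax):
    """Clock equivalence eta1 ~= eta2."""
    return region(eta1, cmax) == region(eta2, cmax)


def all_regions(cmax):
    """Enumerate Eval(C)/~= by sampling a grid; maps each region to one representative.

    Step 1/(|C|+1) yields |C| distinct non-zero fractional values, enough for
    every ordering of fractional parts; sampling up to c_x + 1 reaches 'above'.
    """
    clocks = sorted(cmax)
    step = Fraction(1, len(clocks) + 1)
    grids = [[k * step for k in range(int((cmax[x] + 1) / step) + 1)] for x in clocks]
    regions = {}
    for values in product(*grids):
        eta = dict(zip(clocks, values))
        regions.setdefault(region(eta, cmax), eta)
    return regions


def region_bounds(cmax):
    """Lower and upper bound of slide 16 on the number of clock regions."""
    n = len(cmax)
    lower, upper = factorial(n), factorial(n) * 2 ** (n - 1)
    for c in cmax.values():
        lower *= c
        upper *= 2 * c + 2
    return lower, upper


def is_unbounded(eta, cmax):
    """eta lies in r_inf: every clock exceeds its maximal constant."""
    return all(eta[x] > cmax[x] for x in cmax)


def succ(r, regions, cmax):
    """succ(r) of slide 23, computed by letting time pass from a representative.

    r_inf is its own successor. Otherwise advance in steps of half the grid:
    the region changes either immediately (a bounded clock had fractional part
    0) or when the largest fractional part reaches 1, which happens at a grid
    multiple, so no intermediate region can be skipped.
    """
    eta = regions[r]
    if is_unbounded(eta, cmax):
        return r
    delta = Fraction(1, 2 * (len(cmax) + 1))
    d = delta
    while True:
        r_next = region({x: v + d for x, v in eta.items()}, cmax)
        if r_next != r:
            return r_next
        d += delta


def delay_chain(eta0, regions, cmax):
    """Regions visited by pure delay from eta0 until r_inf is reached."""
    r = region(eta0, cmax)
    chain = [r]
    while not is_unbounded(regions[r], cmax):
        r = succ(r, regions, cmax)
        chain.append(r)
    return chain


if __name__ == "__main__":
    CMAX = {"x": 2, "y": 1}                        # the example of slide 15
    regs = all_regions(CMAX)
    lo, hi = region_bounds(CMAX)
    print(f"{len(regs)} clock regions; slide 16 bounds: {lo} <= n <= {hi}")
    print(len(delay_chain(val(x=0, y=0), regs, CMAX)), "regions on the delay path to r_inf")
```

For $c_x = 2$, $c_y = 1$ the enumeration finds 28 clock regions, inside the bounds $4 \leq 28 \leq 96$ of slide 16, and the pure-delay path from $\langle x{=}0, y{=}0 \rangle$ passes through six regions before reaching $r_\infty$. The successor computed here ignores location invariants, exactly as the note on slide 23 says the definition does.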
