CS5270 Lecture 4: Timed Automata I
CS5270 Lecture 4 1
Timed Automata I
CS 5270 Lecture 4
Where we were…
• RT systems
  – Modelling vs synthesis, hard vs soft, RT architectures
• The real-time computing environment
  – Temporal accuracy, clocks
  – TTP – time triggered protocols
• Scheduling
  – Preemption, feasibility, schedulability
  – RMS, priority inversion, PCP
Where we are going…
• Formal basis for Uppaal:
  – Detailed study of a basis for efficient real-time analysis/model checking
  – Transition systems, automata, model checking
  – Timed transition systems
  – Zones/regions (efficient timed systems)
• This will all take time… perhaps 4/5 weeks
The immediate road map
• State transition systems
  – some definitions
  – parallel composition
• Timed transition systems
  – formal definition
  – parallel composition
  – Reduction of a TTS (which has possibly infinite states and actions) to a finite TS by quotienting… (takes time)
• Efficiency in TTS
  – Regions
  – Zones
• Automata and safety properties
The long distance road map
• Local road map, and then…
  – Verification of temporal properties
    LTL and CTL temporal/modal logic
    The verification setting
  – CTL model checking
    Definition of CTL
    Kripke structures
    Definition of the modelling relation
    Model checking algorithm for CTL
  – TCTL model checking
    Definition of TCTL
    Model checking for TCTL
Transition Systems vs Automata
• Automata = Transition system + accepting conditions.
• Transition systems ---- State spaces, dynamics
• Automata ----- Languages, Properties
Example
[Figure: Resource Manager automaton over the actions Req, Grant, Release (and crash); states FR, W, BU and Bad, with crash leading to Bad]
Any sequence over {Req, Grant, Release} as allowed by the automaton.
Rq G Rl Rq G allowed.
Rq G Rl Cr not wanted!
Any sequence over {Req, Grant, Release} as allowed by the automaton? Any sequence that ends with Release (except for the null string).
Transition Systems
• A Simple model of dynamic systems.
• Discrete time
• States
• Transitions
• Initial state(s).
• No accepting states.
Example
[Figure: temperature-controller transition system with states S0 … S6 and actions C, H, On-heat, On-ac, OK, Off-ac, Off-heat; successive slides point out a State, a Transition with its Action (e.g. Off-ac) and the Initial State S0]
Signal Flow
[Figure: Temperature signal in; AC-motor and Heater-motor signals out]
PATH – S4 on-heat S5 OK S6 off-heat S0 ? S1 ….
Non-Paths: S5 off-heat S6 off-heat S0; S1 on-ac S5 OK S6….
PATH – S4 S5 S6 S0 S1 ….
Run ---- Path starting from an initial state ----- S0 S1 S2 S3 S0 S1 ….
Transition Systems
• TS = (S, Act, →, Sin) --- Transition System
  – S --- States
  – Act --- A set of actions
  – → ⊆ S × Act × S ---- Transition Relation
  – Sin ⊆ S ---- Initial states
• Often:
  – S and Act are finite sets.
  – Sin has only one element.
  – The transition relation is deterministic.
Deterministic Transition Systems
• TS = (S, Act, →, Sin) --- Transition System
• (s, a, s’) ∈ →
  – written s -a-> s’
Transition Systems
• TS = (S, Act, →, Sin) --- Transition System
[Figure: the temperature-controller transition system (S0 … S6; C, H, On-heat, On-ac, OK, Off-ac, Off-heat), repeated while each component is filled in]
S = ?
S = { S0, S1, S2, …, S6}
Act = ?
Act = {C, On-heat, H, on-ac, ..}
→ = ?
→ = { (S0, H, S1), (S0, C, S4), ….}
Sin = ?
Sin = {S0}
Deterministic Transition Systems
[Figure: a state s with two a-labelled transitions, to s1 and to s2]
s -a-> s1 AND s -a-> s2 IMPLIES s1 = s2
Non-determinism is useful for getting succinct specifications.
Abstractions (hiding details) give rise to non-determinism.
Non-Determinism
[Figure: Arrive at Junction, then Toss Coin, with outcomes H and T leading to Turn-left and Turn-right; the final build hides the H/T outcomes, so after Toss Coin the choice between Turn-left and Turn-right appears non-deterministic]
CS5270 Lecture 4 37
S4
S5
S6
S1
S2
S3
CH
On-heat On-ac
OKOK
Off-acOff-heat
S0
PATH – S4 S5 S6 S0 S1 ….
Run ---- Path starting from an initial state
----- S0 S1 S2 S3 S0 S1 ….
CS5270 Lecture 4 38
Computations
• TS = (S, Act, →, Sin)
• Behaviors can also be defined as action sequences:
  – Computations, traces,…
• s0 s1 s2 ……. sn ---- run.
• s0 a1 s1 a2 s2 …. sn-1 an sn, where si -ai-> si+1
• a1 a2 a3 …. an is a computation.
[Figure: the temperature-controller transition system]
Run ----- S0 S1 S2 S3
Computation ----- ?
Run ----- S0 S1 S2 S3 S0
Computation ----- H On-ac OK off-ac
Behaviors (Linear Time)
• The behavior of a transition system is:
  – Its set of runs.
  – Its set of computations.
• Does the behavior of TS have the desired property?
  – Does every computation (run) of the transition system have the desired property?
  – In no computation, C is immediately followed by On-Ac.
Behaviors
• Properties:
  – Is there a run leading to deadlock?
    s0 ---------------> s, with s0 ∈ Sin and no action enabled at s
  – Is the state s reachable (via a run)?
  – Is there a bad state which is reachable?
• Often TS is presented implicitly!
  – For example, as a network of smaller transition systems.
The Verification Setting
[Figure: System --(model extraction)--> TS --(semantics)--> Behavior of TS --> Check for property! In the second build the Property is a temporal logic formula, and a Model-Checker, given models of the system (the TS) and the formula, answers YES! or NO!]
Temperature Controller
[Figure: the temperature-controller transition system]
It is often convenient to consider both finite and infinite computations!
Property: every (finite) computation that ends with “on-heat” can be extended to a computation that ends with “off-heat”.
Linear time vs. Branching time
• Linear time – The (flat) set of computations.
• Branching time
  – The tree of computations
  – How computations branch off is kept track of.
Linear time vs. Branching time
• LTL (Linear time temporal logic).
• CTL (Computation tree logic)
• These two logics are incomparable.
• LTL – SPIN (Bell Labs, G. Holzmann)
• CTL – SMV (Clarke, McMillan, CMU / Cadence Lab)
Network of Transition Systems
• In general, the system will contain multiple components.
• The components will coordinate by communication.
  – Send/receive messages (asynchronous)
  – Perform common actions together (synchronous, hand-shake). Hand-shake is usually a convenient abstraction.
Finite State Automata
• Finite State Automata (FSAs) are a basic computational model.
• FSAs = Regular Languages = Temporal Logics.
• Starting point for many system design methodologies.
  – SDL, UML, POLIS,…
• Verification tools (SPIN, SMV) available.
A Railway System
The Gate/Train TS – graph view
[Figure: Gate TS with actions open, close, Fin-Close; Train TS with actions approach, brake, proceed, left]
The Gate Controller TS
[Figure: Gate Controller TS with actions approach, close, Fin-Close, proceed, left, open]
The Signal Space
[Figure: Gate and GateController exchange open, close, Fin-Close; Train and GateController exchange approach, left, proceed]
Transition system
• To model the entire system, construct the parallel composition:
  Gate ║ Train ║ Controller
  (This is another TS)
Parallel composition…
[Figure: the Gate TS (open, close, Fin-Close), the Train TS (approach, brake, proceed, left) and the Gate-Controller TS (approach, close, Fin-Close, proceed, left, open) side by side; the slides repeatedly ask "Enabled actions ?" and mark proceed, Fin-Close and then left; the last build names the states g0, t0, t1, GC0, GC1]
Parallel Composition
TS = TrainTS || Gate-ControllerTS || GateTS
s = (t, GC, g) A state of TS
(g0, t0, GC0) -approach-> (g0, t1, GC1), because t0 -approach-> t1 (TRAIN) and GC0 -approach-> GC1 (Gate-Controller)
State Space Explosion
• TS = TS1 || TS2 … || TSn
• TS is presented implicitly!
  – Fix a communication convention
  – Present TS1, TS2,…, TSn
• We wish to analyze TS and often implement TS.
• But constructing TS first explicitly is often hopeless.
• |TSi| = 10, n = 6 – |TS| = ? (worst case)
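An added example (not code from the lecture) that writes out the definition TS = (S, Act, →, Sin), the hand-shake parallel composition of the railway network, and the reachable-bad-state question from the Behaviors slide. The three components are constructed, simplified versions of the Train, Gate-Controller and Gate (the slides' exact diagrams are not in the text), and the "bad state" predicate is an assumption of this example.

```python
from collections import deque
from itertools import product

class TS:
    """TS = (S, Act, ->, Sin) as on the slides; -> is stored as a set of (s, a, s') triples."""
    def __init__(self, states, actions, trans, init):
        self.S, self.Act, self.T, self.Sin = set(states), set(actions), set(trans), set(init)

    def succ(self, s, a):
        """All s' with s -a-> s'; the empty set means a is not enabled at s."""
        return {t for (p, b, t) in self.T if p == s and b == a}

def compose(comps):
    """Hand-shake parallel composition TS1 || ... || TSn: an action in the alphabet of
    several components is taken by all of them together, a private action interleaves.
    Only the reachable part of the product is built (BFS from Sin), which is what keeps
    the analysis tractable when the full product |TS1| * ... * |TSn| explodes."""
    acts = set().union(*[c.Act for c in comps])
    init = set(product(*[c.Sin for c in comps]))
    trans, seen, todo = set(), set(init), deque(init)
    while todo:
        s = todo.popleft()
        for a in acts:
            # each participant must be able to do `a` locally; non-participants stay put
            options = [c.succ(s[i], a) if a in c.Act else {s[i]} for i, c in enumerate(comps)]
            if any(not o for o in options):
                continue
            for t in product(*options):
                trans.add((s, a, t))
                if t not in seen:
                    seen.add(t); todo.append(t)
    return TS(seen, acts, trans, init)

# Constructed, simplified versions of the lecture's Train, Gate-Controller and Gate
# (the exact diagrams are not in the text); state and action names follow the slides.
TRAIN = TS(["t0", "t1", "t2"], ["approach", "proceed", "left"],
           [("t0", "approach", "t1"), ("t1", "proceed", "t2"), ("t2", "left", "t0")], ["t0"])
GATE = TS(["g0", "g1", "g2"], ["close", "Fin-Close", "open"],
          [("g0", "close", "g1"), ("g1", "Fin-Close", "g2"), ("g2", "open", "g0")], ["g0"])
CTRL = TS([f"GC{i}" for i in range(6)],
          ["approach", "close", "Fin-Close", "proceed", "left", "open"],
          [("GC0", "approach", "GC1"), ("GC1", "close", "GC2"), ("GC2", "Fin-Close", "GC3"),
           ("GC3", "proceed", "GC4"), ("GC4", "left", "GC5"), ("GC5", "open", "GC0")], ["GC0"])
SYSTEM = compose([TRAIN, CTRL, GATE])                    # states are triples s = (t, GC, g)
WORST_CASE = len(TRAIN.S) * len(CTRL.S) * len(GATE.S)   # 54 product states in all

def crossing_unprotected(system):
    """Reachable bad states (assumed predicate): train on the crossing (t2) while the gate is not fully closed (g2)."""
    return {s for s in system.S if s[0] == "t2" and s[2] != "g2"}
```

Only 6 of the 54 product states are reachable here, and none of them is a bad state; the same BFS is what a model checker runs when asked "is a bad state reachable?".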
Timed Transition Systems
• Timed Transition Systems = Transition Systems + Clock Variables.
• Clock variables:
  – Used to record the passage of (real) time.
  – Act like timers.
  – Can be read.
  – Transitions constrained (guarded) by current values of clock variables.
  – Can be reset to 0 during a transition.
Using Clock Variables
[Figure: AC controller: Hot, then On-ac, then OK, then Off-ac; the following builds add clocks to it]
Spec. : Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.
Hot → On-ac; x → OK → Off-ac, plus a second Off-ac transition guarded by x ≥ 5.
Clock variable x is set to 0. "On-ac ; x" is short form for: On-ac ; x := 0
Clock variable x is used to form a guard: x ≥ 5
Spec. :
Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.
Turn on ac within 3 time units after receiving Hot signal.
Hot; y → On-ac; x with guard y ≤ 3 → OK → Off-ac, with the x ≥ 5 Off-ac transition as before.
Three components:
  Action on-ac
  Reset x
  Guard y ≤ 3
Do we need two clocks? NO! (the figure uses x for both: Hot; x and On-ac; x with guard x ≤ 3)
Timed Transitions
[Figure: a transition labelled "a ; X" with guard g]
a, an action
X, a set of clock variables; the clock variables set to 0.
g, a guard; a predicate based on the values of the clock variables.
g ::= x ≤ c | x < c | x ≥ c | x > c | g1 ∧ g2
x ∈ CL
CL ---- The set of clock variables used by the model.
c ----- A rational number (integer)
State Invariants
• A clock constraint is associated with each state: state invariant
  – The system can stay in the state only as long as the state’s invariant is not violated.
• For time points which violate the invariant one expects an output transition to be enabled.
  – Otherwise a time deadlock: the progress of time is blocked (in the model!).
State Invariants
[Figure: s0 -a ; x-> s1 -b-> s2, with state invariant x ≤ 2 on s1]
SAME AS ?
[Figure: s0 -a ; x-> s1 -b-> s2 with no invariant and b guarded by x > 2]
[Figure: invariant x ≤ 2 on s1 and b guarded by x > 3] At (s1, x = 2.4) the behavior is undefined!
[Figure: a state with invariant g and output transitions guarded by g1, g2, g3]
At all “times” g OR g1 OR g2 OR g3 is satisfied.
If more than one output transition is enabled, the choice is made non-deterministically.
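An added example, not from the lecture, that mechanises the rule of the two State Invariants slides above for one clock: a state is entered with x reset to 0 (the `a ; x` of the figure), may be occupied only while its invariant holds, and before the invariant stops holding some output transition must be enabled, otherwise time deadlocks. Guards use the `x ≤ c | x < c | x ≥ c | x > c | g1 ∧ g2` grammar; the interval encoding and the names atom, meet, guard and analyse_state are this example's own.

```python
INF = float("inf")

def atom(op, c):
    """Guard atom `x op c` as an interval of clock values (lo, lo_closed, hi, hi_closed)."""
    return {"<=": (0, True, c, True), "<": (0, True, c, False),
            ">=": (c, True, INF, False), ">": (c, False, INF, False)}[op]

def meet(a, b):
    """Conjunction g1 ∧ g2 of two intervals; None when no clock value satisfies both."""
    if a is None or b is None:
        return None
    lo = max(a[0], b[0])
    lo_c = a[1] if a[0] > b[0] else b[1] if b[0] > a[0] else (a[1] and b[1])
    hi = min(a[2], b[2])
    hi_c = a[3] if a[2] < b[2] else b[3] if b[2] < a[2] else (a[3] and b[3])
    if lo > hi or (lo == hi and not (lo_c and hi_c)):
        return None
    return (lo, lo_c, hi, hi_c)

def guard(atoms):
    """Conjunction of atoms [(op, c), ...]; the empty list is the guard `true` (x >= 0)."""
    g = (0, True, INF, False)
    for op, c in atoms:
        g = meet(g, atom(op, c))
    return g

def analyse_state(invariant, edges):
    """One state of a single-clock timed TS, entered with x = 0. The state may be kept only
    while `invariant` holds; each edge in `edges` (name -> guard atoms) is enabled at the
    instants where both the invariant and its guard hold. Returns (enabled instants per
    edge, time_deadlock): time_deadlock is True when the invariant forces the state to be
    left but no edge is enabled at, or arbitrarily close to, the last admissible instant,
    so the model can get stuck there with time unable to progress."""
    stay = guard(invariant)
    if stay is None:                       # invariant already false at x = 0
        return {}, True
    enabled = {name: meet(stay, guard(g)) for name, g in edges.items()}
    hi, hi_closed = stay[2], stay[3]
    def leaves_at_boundary(e):
        return e is not None and e[2] == hi and (e[3] or not hi_closed)
    deadlock = hi != INF and not any(leaves_at_boundary(e) for e in enabled.values())
    return enabled, deadlock

# The slides' cases: s1 with invariant x <= 2 and outgoing edge b.
OK_UNGUARDED = analyse_state([("<=", 2)], {"b": []})             # b enabled on [0, 2]: fine
DEADLOCK_X_GT_3 = analyse_state([("<=", 2)], {"b": [(">", 3)]})  # (s1, x = 2.4): undefined
```

The boundary test also settles the strict/non-strict edge cases: with invariant x ≤ 2 a guard x ≥ 2 on b is fine, while x > 2 leaves no instant at which b can fire.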
Timed Transition systems and automata
• How do we model real time systems?
• How do we specify (real time) behavioral properties?
• How do we verify behavioral properties?
• What is the behavior of a timed transition system?