Unit-12: Modeling timing constraintssri/Courses/NPTEL/ModelChecking/... · 2018-08-12 · Unit-12:...
55
Unit-12: Modeling timing constraints B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1/20
Transcript of Unit-12: Modeling timing constraintssri/Courses/NPTEL/ModelChecking/... · 2018-08-12 · Unit-12:...
Unit-12: Modeling timing constraints
B. Srivathsan
Chennai Mathematical Institute
NPTEL-course
July - November 2015
1/20
ATM
Traffic lights controller
Automatic gear controlFlight control
Pacemaker
eg. when request for gear change is made, response should be within 1s
Controllers need to adhere to strict timing constraints2/20
ATM
Traffic lights controller
Automatic gear controlFlight control
Pacemaker
eg. when request for gear change is made, response should be within 1s
Controllers need to adhere to strict timing constraints2/20
How do we model-check systems with timing constraints?
3/20
Adding time to transition systems
4/20
Example 1
5/20
TRAIN
GATE
far near
in
0
1
2
3
up
down
approach
enterexit
approach
lower exit
raise
lowerraise
Train Controller Gate
6/20
TRAIN
GATE
far near
in
0
1
2
3
up
down
approach
enterexit
approach
lower exit
raise
lowerraise
Train Controller Gate
6/20
TRAIN
GATE
far near
in
0
1
2
3
up
down
approach
enterexit
approach
lower exit
raise
lowerraise
Train Controller Gate
28/29
far, 0, up
near, 1, up
near, 2, down in, 1, up
in, 2, down
far, 3, down
approach
lower enter
enter
exit
lowerraise
Train || Controller || Gate
Unsafe state: Train is in when gate is still up
- need to add timinginformation in the model
7/20
TRAIN
GATE
far near
in
0
1
2
3
up
down
approach
enterexit
approach
lower exit
raise
lowerraise
Train Controller Gate
28/29
far, 0, up
near, 1, up
near, 2, down in, 1, up
in, 2, down
far, 3, down
approach
lower enter
enter
exit
lowerraise
Train || Controller || Gate
Unsafe state: Train is in when gate is still up
- need to add timinginformation in the model
7/20
TRAIN
GATE
far near
in
0
1
2
3
up
down
approach
enterexit
approach
lower exit
raise
lowerraise
Train Controller Gate
28/29
far, 0, up
near, 1, up
near, 2, down in, 1, up
in, 2, down
far, 3, down
approach
lower enter
enter
exit
lowerraise
Train || Controller || Gate
Unsafe state: Train is in when gate is still up - need to add timinginformation in the model
7/20
TRAIN
GATE
far near
in
0
1
2
3
up
down
approach
enterexit
approach
lower exit
raise
lowerraise
Train Controller Gate
after > 2 minutes after = 1 minute <= 1 minuteexecution time
8/20
Coming next: Timed transition systems
9/20
far near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdown
z≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdown
z≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdown
z≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdown
z≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1
y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdown
z≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdown
z≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdownz≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdownz≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdownz≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
far
near
in
nearx≤ 5
inx≤ 5
0
1
2
3
up
down
up comingdownz≤ 1
downcomingup
z≤ 1
approach
enterexit
approach
lower exit
raise
lowerraise
lower
raise
x := 0
x≥ 2
y := 0
y == 1 y := 0
y == 1
z := 0
z := 0
Train Controller Gate
Reset Invariant Guard
Train || Gate || Controller
Synchronous product gives timed transition system for the joint behaviour
10/20
Timed transition system
Transition system + Clocks
É Resets: to start measuring time
É Guards: to impose time constraint on action
É Invariants: to limit time spent in a state
11/20
UPPAAL - Model-checker for timed transition systems
Kim Larsen, Paul Pettersson, Wang Yi - Computer-Aided VerificationAward in 2013 for UPPAAL
www.uppaal.com
12/20
UPPAAL demo
É Adding states, transitions and clocks
É Simulation environment
É (Subset of) CTL property verification
13/20
UPPAAL demo
É Adding states, transitions and clocks
É Simulation environment
É (Subset of) CTL property verification
13/20
Example 2
14/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S
U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U
S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S
U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U
S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S
U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U
S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
15/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
⟨ x , p1 ⟩
⟨0,1⟩
⟨1,0⟩
⟨1,1⟩
⟨0,0⟩
x : 1, z1 := 0
p1 : 0, 1≤ z1 ≤ 3
x : 0, z1 ≤ 3
x : 0, z1 := 0
x : 1, z1 ≤ 3
p1 : 1, 1≤ z1 ≤ 3
16/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
2/3
x
yp2
⟨ x , y , p2 ⟩ ⟨000⟩
⟨010⟩ ⟨100⟩
⟨111⟩
⟨110⟩
⟨011⟩ ⟨101⟩
y : 1
y : 0
x : 1
x : 0
x : 1, z2 := 0
x : 0, z2 ≤ 3
p2 : 1 1≤ z2 ≤ 3
y : 1, z2 := 0
y : 0, z2 ≤ 3
x : 0, z2 := 0 y : 0, z2 := 0
x : 1, z2 ≤ 3 y : 1, z2 ≤ 3
p2 : 0
1≤ z2 ≤ 3
p2 : 0
1≤ z2 ≤ 3
17/20
x
y
p1
p2
p3
[1, 3]
[1, 3]
[1, 2]
Inertial delay
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
[1,3]
x
p1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
S U S U S U S
S: Stable (matches truth table)
U: Unstable (does not match truth table)
2/3
p1
p2
p3
⟨ p1 , p2 , p3 ⟩ ⟨001⟩
⟨011⟩ ⟨101⟩
⟨110⟩
⟨111⟩
⟨010⟩ ⟨100⟩
p2 : 1
p2 : 0
p1 : 1
p1 : 0
p1 : 1, z3 := 0
p1 : 0, z3 ≤ 2
p3 : 0 1≤ z3 ≤ 2
p2 : 1, z3 := 0
p2 : 0, z3 ≤ 2
p1 : 0, z3 := 0 p2 : 0, z3 := 0
p1 : 1, z3 ≤ 2 p2 : 1, z3 ≤ 2
p3 : 1
1≤ z3 ≤ 2
p3 : 1
1≤ z3 ≤ 2
18/20
x
y
p1
p2
p3
[1, 3]
[1, 2]
2/2
x p1
h x , p1 i
h0,1i
h1,0i
h1,1i
h0,0i
x : 1, z1 := 0
p1 : 0, 1 z1 3
x : 0, z1 3
x : 0, z1 := 0
x : 1, z1 3
p1 : 1, 1 z1 3
15/18
h000i
h010i h100i
h111i
h110i
h011i h101i
y : 1
y : 0
x : 1
x : 0
x : 1, z2 := 0
x : 0, z2 3
p2 : 1 1 z2 3
y : 1, z2 := 0
y : 0, z2 3
x : 0, z2 := 0 y : 0, z2 := 0
x : 1, z2 3 y : 1, z2 3
p2 : 0
1 z2 3
p2 : 0
1 z2 3
16/18
h001i
h011i h101i
h110i
h111i
h010i h100i
p2 : 1
p2 : 0
p1 : 1
p1 : 0
p1 : 1, z3 := 0
p1 : 0, z3 2
p3 : 0 1 z3 2
p2 : 1, z3 := 0
p2 : 0, z3 2
p1 : 0, z3 := 0 p2 : 0, z3 := 0
p1 : 1, z3 2 p2 : 1, z3 2
p3 : 1
1 z3 2
p3 : 1
1 z3 2
17/18
Synchronous product of above will give timed transition system forcircuit
19/20
Summary
É Modeling timing constraints in systems
É Timed transition systems
É Model-checker UPPAAL
A theory of timed automata, by Alur and Dill.Theoretical Computer Science Journal, 1994
20/20
Summary
É Modeling timing constraints in systems
É Timed transition systems
É Model-checker UPPAAL
A theory of timed automata, by Alur and Dill.Theoretical Computer Science Journal, 1994
20/20
