PowerPoint Presentation - Nanjing University


Timed Automata

Final Exam Time: June 25th, 2pm-4pm

Location: TBD
Aim of the Lecture


knowledge of a basic formalism for modeling timed
systems
basic understanding of verification algorithms for
timed systems (useful for practical modeling and
verification).
Example: Peterson's Algorithm


flag[0], flag[1] (initialized to false) — meaning I want
to access CS
turn (initialized to 0) — used to resolve conflicts
Process 0:
while (true) {
<noncritical section>;
flag[0] := true;
turn := 1;
while flag[1] and
turn = 1 do { };
<critical section>;
flag[0] := false;
}
Process 1:
while (true) {
<noncritical section>;
flag[1] := true;
turn := 0;
while flag[0] and
turn = 0 do { };
<critical section>;
flag[1] := false;
}
Fischer's Protocol



id — shared variable
each process has its own timer (for delaying)
for correctness it is necessary that K2 > K1
Process i:
while (true) {
<noncritical section>;
while id != 0 do {}
delay K1;
id := i;
delay K2;
if (id = i) {
<critical section>;
id := 0;
}
}
Modeling Real Time Systems

Two models of time:


discrete time domain
continuous time domain
Discrete Time Domain



clock ticks at regular interval
at each tick something may happen
between ticks — the system only waits
Discrete Time Domain




choose a fixed sample period ε
all events happen at multiples of ε
simple extension of classical models
main disadvantage — how to choose ε?



big ε ⇒ too coarse model
small ε ⇒ time fragmentation, too big state space
usage: particularly synchronous systems (hardware
circuits)
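Added example (not from the slides): the Python code below checks mutual exclusion for the Fischer protocol shown above using the integer-time sampling from the discrete-time slides (ε = 1), modelling each process as a one-clock timed automaton and enumerating every reachable (locations, clocks, id) state. It assumes the usual timed-automaton reading of the pseudocode (write id within K1 of reading 0, then wait at least K2); because all guards are non-strict and the constants are integers, sampling at ε = 1 is exact for location reachability, while the slides' caveat about choosing ε applies in general.

```python
from collections import deque

IDLE, REQ, WAIT, CS = range(4)   # locations of one process's automaton


def fischer_mutex(k1, k2, n=2):
    """Enumerate the integer-time (epsilon = 1) state space of Fischer's
    protocol with n processes and clock constants K1, K2.
    State = (locations, integer clock values, shared id).
    Returns True iff no state with two processes in CS is reachable."""
    cap = max(k1, k2) + 1    # clock values above the largest constant are indistinguishable
    init = ((IDLE,) * n, (0,) * n, 0)
    seen, todo = {init}, deque([init])
    while todo:
        locs, clks, sid = todo.popleft()
        if sum(l == CS for l in locs) > 1:
            return False     # mutual exclusion violated
        succ = []
        # waiting transition: one tick; blocked if a process in REQ would break its invariant x <= K1
        if all(not (l == REQ and x + 1 > k1) for l, x in zip(locs, clks)):
            succ.append((locs, tuple(min(x + 1, cap) for x in clks), sid))
        # action transitions of process i; it writes the value i + 1 into id
        for i, (l, x) in enumerate(zip(locs, clks)):
            def step(new_loc, new_x, new_id):
                nl, nc = list(locs), list(clks)
                nl[i], nc[i] = new_loc, new_x
                succ.append((tuple(nl), tuple(nc), new_id))
            if l == IDLE and sid == 0:
                step(REQ, 0, sid)                       # saw id = 0: reset x, start "delay K1"
            elif l == REQ and x <= k1:
                step(WAIT, 0, i + 1)                    # id := i, reset x, start "delay K2"
            elif l == WAIT and x >= k2:
                step(CS if sid == i + 1 else IDLE, x, sid)   # if (id = i) enter CS, else retry
            elif l == CS:
                step(IDLE, x, 0)                        # leave CS, id := 0
        for s in succ:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return True


if __name__ == "__main__":
    for k1, k2 in [(1, 2), (2, 2), (3, 1)]:
        print(f"K1={k1}, K2={k2}: mutual exclusion "
              f"{'holds' if fischer_mutex(k1, k2) else 'VIOLATED'}")
```

With K2 > K1 the search finds no state with two processes in CS; with K2 ≤ K1 it returns the violation the slides' correctness condition warns about.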
Continuous Time Domain




time is modeled as real numbers
delays may be arbitrarily small
more faithful model, suited for asynchronous
systems
uncountable state space ⇒ cannot be directly
handled automatically by “brute force”
Timed Automata




extension of finite state machines with clocks
continuous real semantics
limited list of operations over clocks ⇒ automatic
verification is feasible
allowed operations:



comparison of a clock with a constant
reset of a clock
uniform flow of time (all clocks have the same rate)
What is a Timed Automaton?


an automaton with locations (states) and edges
the automaton spends time only in locations, not in
edges
What is a Timed Automaton? (2)



real valued clocks (x, y, z)
all clocks run at the same speed
clock constraints can be guards on edges
What is a Timed Automaton? (3)


clocks can be reset when taking an edge
only a reset to value 0 is allowed
What is a Timed Automaton? (4)


location invariants forbid staying in a location too long
invariants force taking an edge
Clock Constraints

Timed Automata Syntax

Semantics: Main Idea


semantics is a state space (reminder: guarded
command language, extended finite state machines)
states given by:



location (local state of the automaton)
clock valuation
transitions:


waiting — only clock valuation changes
action — change of location
Clock Valuations

Evaluation of Clock Constraints

Examples

Timed Automata Semantics

Example



What is a clock valuation?
What is a state?
Find a run = sequence of states
Example

Example 2
What does the automaton do? Write an example of a run...
Examples

construct a simple timed automaton model of:

a digital wristwatch with 4 modes:



cycle through modes
“intelligent” return to basic mode (after use, timeout, ...)
daily (morning) schedule: breakfast, transport,
lecture, ... (include minimal times necessary,
deadlines, ...)
Semantics: Notes


the semantics is infinite state (even uncountable)
the semantics is even infinitely branching
Reachability Problem



Input: a timed automaton A and a location l of A
Question: does there exist a run of A which ends in l?
This problem formalises the verification of safety
properties — is an erroneous state reachable?
Example

How to do it algorithmically?
Reachability Problem

Theorem:


The reachability problem is PSPACE-complete.
Notes



note that even the decidability of the problem is not
straightforward — recall that the semantics is infinite
state
decidability proved by region construction (to be
discussed)
completeness proved by a general reduction from linearly
bounded Turing machines (not discussed)
Region Construction

Main idea:



some clock valuations are equivalent
work with regions of valuations instead of valuations
finite number of regions
Preliminaries

Equivalence on Clock Valuation

Equivalence: Example 1

Equivalence: Example 2

Regions

Regions: Example

Region Graph

Operations on Regions

To construct the region graph, we need the
following operations:


let time pass — go to adjacent region at top right
intersect with a clock constraint (note that clock
constraints define supersets of regions)



if region is in the constraint: no change
otherwise: empty
reset a clock — go to a corresponding region
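Added example (not from the slides) of the region idea above and the three operations just listed, in Python with exact rationals. It assumes the standard Alur and Dill region equivalence with a maximum constant per clock: `region` computes a canonical key (integer parts, which clocks sit on an integer, and the ordering of the fractional parts, with clocks above their maximum constant collapsed), so two valuations are equivalent iff their keys agree; `time_successor`, `reset` and `satisfies` realise the operations on a representative valuation.

```python
from fractions import Fraction as F
import operator

OPS = {'<': operator.lt, '<=': operator.le, '==': operator.eq,
       '>=': operator.ge, '>': operator.gt}


def region(v, cmax):
    """Canonical key of the region containing valuation v.
    v: dict clock -> Fraction; cmax: dict clock -> largest constant it is compared with.
    Key = (integer parts, clocks with zero fractional part, ordering of fractional parts);
    for a clock above its maximum constant only that fact is kept."""
    ints, zeros, fracs = {}, set(), []
    for c, x in v.items():
        if x > cmax[c]:
            ints[c] = 'above'
            continue
        ints[c] = int(x)
        if x == int(x):
            zeros.add(c)
        else:
            fracs.append((x - int(x), c))
    classes, cur, prev = [], [], None
    for f, c in sorted(fracs):        # group clocks with equal fractional parts, in order
        if cur and f != prev:
            classes.append(frozenset(cur))
            cur = []
        cur.append(c)
        prev = f
    if cur:
        classes.append(frozenset(cur))
    return (tuple(sorted(ints.items())), frozenset(zeros), tuple(classes))


def equivalent(v1, v2, cmax):
    return region(v1, cmax) == region(v2, cmax)


def time_successor(v, cmax):
    """Representative of the adjacent region reached by letting time pass ('top right')."""
    bounded = [x for c, x in v.items() if x <= cmax[c]]
    if not bounded:
        return dict(v)                # every clock is above its constant: region is its own successor
    fr = [x - int(x) for x in bounded]
    top = max(fr)
    # a clock on an integer: move just off it (half way to the next boundary);
    # otherwise advance until the largest fractional part reaches the next integer
    d = (1 - top) / 2 if 0 in fr else 1 - top
    return {c: x + d for c, x in v.items()}


def reset(v, clock):
    return {**v, clock: F(0)}


def satisfies(v, clock, op, k):
    """x ~ k is a union of regions, so it holds for the region iff it holds for one representative."""
    return OPS[op](v[clock], k)
```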
Example: Automaton
Example: Region Graph
Other Problems



verification of temporal (timed) logic
universality, language inclusion (undecidable!)
(timed) bisimulation of timed automata
Zones

Difference Bound Matrix

Zone Graph: Example
Approximations

Extensions

For practical modeling we use several extensions:





location invariants
parallel composition of automata
channel communication, synchronization
integer variables
These issues are solved in the ‘usual way’. Here we
focused on the basic model and the basic aspects dealing
with time.
Example: Parallel Composition
Fischer's Protocol: Mode
Summary



timed automata: formal syntax and semantics
reachability problem: the basic verification problem,
decidable (PSPACE-complete)
practical verification: zones, approximation
techniques, ...
Hybrid System

Systems containing both discrete and continuous
components

Practical Examples:



Embedded System Controller
VLSI circuits
Systems Biology

Safety Critical Area

Formal Verification

Formal Model : Hybrid Automata
Hybrid Automata

Widely studied formal models for hybrid systems
H  ( X , ,V , E,V 0 ,  ,  ,  )

They consist of



A finite state transition system
Differential equations in each location
Example

Linear Hybrid Automata

Approximate
Safety Verification

Reachability

Find a sequence of states which can reach the target.
The continuous states between two consecutive states are described by a flow function W : [0, t_i] → R with first derivative w : [0, t_i] → R, such that:
W(0) and W(t_i) each lie in a set determined by x_q (the two set symbols are missing from the page)
for all reals τ ∈ [0, t_i], W(τ) satisfies the invariant in (v_i)
w(τ) ∈ [k_i, l_i]
Reachability Analysis

Approach: over-approximation, geometric computation
Tools: HyTech, PHAVer
Performance: undecidable, imprecise, low dimension
Reachability Analysis

Bounded Model Checking




Search for a potential behavior within k steps
Usually solved by SMT techniques
Need to encode all the potential bounded behavior first
Medium bound -> Large SMT problem
Control The Complexity!