Successfully reported this slideshow.
Upcoming SlideShare
×

# CSTalks - Model Checking - 26 Jan

667 views

Published on

CSTalk # 2

• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

### CSTalks - Model Checking - 26 Jan

1. 1. Computing Students Talks 26th January 2011 The Good, the Bad and the UnknownSynthesis of Timing Parameters in Concurrent Systems ´ ´ Etienne ANDRE PAT Team School of Computing, National University of Singapore´ ´Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 1 / 27
2. 2. IntroductionVeriﬁcation of Real Time Systems Motivation ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 2 / 27
3. 3. IntroductionContext: Model Checking Timed Systems (1/2) Input A timed concurrent system ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 3 / 27
4. 4. IntroductionContext: Model Checking Timed Systems (1/2) Input A timed concurrent system A good behavior expected for the system ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 3 / 27
5. 5. IntroductionContext: Model Checking Timed Systems (1/2) Input A timed concurrent system A good behavior expected for the system Question: does the system always behave well? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 3 / 27
6. 6. IntroductionContext: Model Checking Timed Systems (2/2) Use of formal methods AG¬badA ﬁnite model of the system A formula to be satisﬁed ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 4 / 27
7. 7. IntroductionContext: Model Checking Timed Systems (2/2) Use of formal methods ? |= AG¬badA ﬁnite model of the system A formula to be satisﬁed Question: does the model of the system satisfy the formula? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 4 / 27
8. 8. IntroductionContext: Model Checking Timed Systems (2/2) Use of formal methods ? |= AG¬badA ﬁnite model of the system A formula to be satisﬁed Question: does the model of the system satisfy the formula? Yes No Counterexample ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 4 / 27
9. 9. OutlineOutline1 A Coﬀee Vending Machine2 A Parametric Coﬀee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 5 / 27
10. 10. A Coﬀee Vending MachineOutline1 A Coﬀee Vending Machine2 A Parametric Coﬀee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 6 / 27
11. 11. A Coﬀee Vending MachineModel coﬀee! Waiting Adding sugar press? cup! Delivering coﬀee press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
12. 12. A Coﬀee Vending MachineModel coﬀee! Waiting Adding sugar press? cup! Delivering coﬀee press? Example of runs Coﬀee with no sugar press? cup! coﬀee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
13. 13. A Coﬀee Vending MachineModel coﬀee! Waiting Adding sugar press? cup! Delivering coﬀee press? Example of runs Coﬀee with no sugar press? cup! coﬀee! Coﬀee with 2 doses of sugar press? press? press? cup! coﬀee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
14. 14. A Coﬀee Vending MachineModel coﬀee! Waiting Adding sugar press? cup! Delivering coﬀee press? Example of runs Coﬀee with no sugar press? cup! coﬀee! Coﬀee with 2 doses of sugar press? press? press? cup! coﬀee! And so on ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
15. 15. A Coﬀee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coﬀee is always eventually delivered.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
16. 16. A Coﬀee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coﬀee is always eventually delivered.” (×) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
17. 17. A Coﬀee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coﬀee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a coﬀee is eventually delivered.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
18. 18. A Coﬀee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coﬀee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a √ coﬀee is eventually delivered.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
19. 19. A Coﬀee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coﬀee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a √ coﬀee is eventually delivered.” ( ) “It is possible to get a coﬀee with 2 doses of sugar.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
20. 20. A Coﬀee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coﬀee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a √ coﬀee is eventually delivered.” ( ) √ “It is possible to get a coﬀee with 2 doses of sugar.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
21. 21. A Coﬀee Vending MachineTimed Automaton Finite state automaton (sets of locations) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
22. 22. A Coﬀee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) coﬀee! press? cup! press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
23. 23. A Coﬀee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate coﬀee! press? cup! press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
24. 24. A Coﬀee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate Features Location invariant: property to be veriﬁed to stay at a location coﬀee! y 5 press? cup! press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
25. 25. A Coﬀee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate Features Location invariant: property to be veriﬁed to stay at a location Transition guard: property to be veriﬁed to enable a transition y=8 coﬀee! y 5 press? y=5 cup! x 1 press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
26. 26. A Coﬀee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate Features Location invariant: property to be veriﬁed to stay at a location Transition guard: property to be veriﬁed to enable a transition Clock reset: some of the clocks can be set to 0 at each transition y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
27. 27. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
28. 28. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar x 0 y 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
29. 29. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? x 0 0 y 0 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
30. 30. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 x 0 0 5 y 0 0 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
31. 31. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! x 0 0 5 5 y 0 0 5 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
32. 32. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 x 0 0 5 5 8 y 0 0 5 5 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
33. 33. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
34. 34. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar x 0 y 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
35. 35. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? x 0 0 y 0 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
36. 36. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 x 0 0 1.5 y 0 0 1.5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
37. 37. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? x 0 0 1.5 0 y 0 0 1.5 1.5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
38. 38. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? 2.7 x 0 0 1.5 0 2.7 y 0 0 1.5 1.5 4.2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
39. 39. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? 2.7 press? x 0 0 1.5 0 2.7 0 y 0 0 1.5 1.5 4.2 4.2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
40. 40. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 x 0 0 1.5 0 2.7 0 0.8 y 0 0 1.5 1.5 4.2 4.2 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
41. 41. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 cup! x 0 0 1.5 0 2.7 0 0.8 0.8 y 0 0 1.5 1.5 4.2 4.2 5 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
42. 42. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 cup! 3 x 0 0 1.5 0 2.7 0 0.8 0.8 3.8 y 0 0 1.5 1.5 4.2 4.2 5 5 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
43. 43. A Coﬀee Vending MachineTimed Runs y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coﬀee with no sugar press? 5 cup! 3 coﬀee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coﬀee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 cup! 3 coﬀee! x 0 0 1.5 0 2.7 0 0.8 0.8 3.8 3.8 y 0 0 1.5 1.5 4.2 4.2 5 5 8 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
44. 44. A Coﬀee Vending MachineDense Time Time is dense: transitions can be taken anytime Inﬁnite number of timed runs Model checking needs a ﬁnite structure! Some runs are equivalent Taking the press? action at t = 1.5 or t = 1.57 is equivalent w.r.t. the possible actions Idea: reason with abstractions Region automaton [Alur and Dill, 1994] Example: in location , all clock values in the following region are equivalent x 1∧y 5∧x=y This abstraction is ﬁnite ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 11 / 27
45. 45. A Coﬀee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the ﬁrst time the button is pressed, a coﬀee is always eventually delivered within 10 units of time.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
46. 46. A Coﬀee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the ﬁrst time the button is pressed, a coﬀee is always √ eventually delivered within 10 units of time.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
47. 47. A Coﬀee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the ﬁrst time the button is pressed, a coﬀee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
48. 48. A Coﬀee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the ﬁrst time the button is pressed, a coﬀee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” (×) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
49. 49. A Coﬀee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the ﬁrst time the button is pressed, a coﬀee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” (×) “It must never happen that the button can be pressed twice within a time strictly less than 1 unit of time.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
50. 50. A Coﬀee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the ﬁrst time the button is pressed, a coﬀee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” (×) “It must never happen that the button can be pressed twice within a √ time strictly less than 1 unit of time.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
51. 51. A Coﬀee Vending MachineTowards a Parametrization. . . Interesting problems Robustness Does the system still behave the same if one of the delays (slightly) changes? Optimization of timing constants Up to which value of the delay between two actions press? can I still order a coﬀee with 3 doses of sugar? Avoidance of numerous veriﬁcations If one of the timing delays of the model changes, should I model check again the whole system? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 13 / 27
52. 52. A Coﬀee Vending MachineTowards a Parametrization. . . Interesting problems Robustness Does the system still behave the same if one of the delays (slightly) changes? Optimization of timing constants Up to which value of the delay between two actions press? can I still order a coﬀee with 3 doses of sugar? Avoidance of numerous veriﬁcations If one of the timing delays of the model changes, should I model check again the whole system? Idea: reason with parameters (unknown constants) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 13 / 27
53. 53. A Parametric Coﬀee Vending MachineOutline1 A Coﬀee Vending Machine2 A Parametric Coﬀee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 14 / 27
54. 54. A Parametric Coﬀee Vending MachineParametric Timed Automaton Timed automaton (sets of locations, actions and clocks) y=8 coﬀee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 15 / 27
55. 55. A Parametric Coﬀee Vending MachineParametric Timed Automaton Timed automaton (sets of locations, actions and clocks) augmented with a set P of parameters [Alur et al., 1993b] Unknown constants used in guards and invariants y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! x p1 y := 0 press? x := 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 15 / 27
56. 56. A Parametric Coﬀee Vending MachineSymbolic Exploration Iterative exploration of symbolic states Symbolic state: location and constraint on the clocks and parameters ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 16 / 27
57. 57. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
58. 58. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y 0 y p2 press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
59. 59. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y 0 y p2 y p2 press? cup! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
60. 60. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y 0 y p2 y p2 y p3 press? cup! coﬀee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
61. 61. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coﬀee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
62. 62. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coﬀee! press? y−x p1 cup! ··· 0 y p2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
63. 63. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coﬀee! press? y−x p1 cup! ··· 0 y p2 press? y−x 2p1 cup! ··· 0 y p2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
64. 64. A Parametric Coﬀee Vending MachineSymbolic Exploration: Coﬀee Machine y = p3 coﬀee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coﬀee! press? y−x p1 cup! ··· 0 y p2 press? y−x 2p1 cup! ··· 0 y p2 ··· ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
65. 65. A Parametric Coﬀee Vending MachineUndecidability The symbolic exploration is inﬁnite in general No possible abstraction like for Timed Automata ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 18 / 27
66. 66. A Parametric Coﬀee Vending MachineUndecidability The symbolic exploration is inﬁnite in general No possible abstraction like for Timed AutomataBad News(Almost) all interesting problems are undecidable for Parametric TimedAutomata. ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 18 / 27
67. 67. Synthesis of ParametersOutline1 A Coﬀee Vending Machine2 A Parametric Coﬀee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 19 / 27
68. 68. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, ﬁnd a set of parameter valuations of good behavior” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
69. 69. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, ﬁnd a set of parameter valuations of good behavior” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
70. 70. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, ﬁnd a set of parameter valuations of good behavior” Interesting problem ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
71. 71. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, ﬁnd a set of parameter valuations of good behavior” Interesting problem But undecidable! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
72. 72. Synthesis of ParametersSynthesis of Parameters (2/2) Possible options to deal with undecidability Semi algorithms Example: Computation of all the reachable states, and intersection with the bad states [Henzinger and Wong-Toi, 1996] Approximations Example: Use of octahedra [Clariso and Cortadella, 2007] ´ Restrictions to decidable subclasses Example: L/U automata [Hune et al., 2002] ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 21 / 27
73. 73. Synthesis of ParametersAn Inverse Method for PTAs Original method for synthesis of parameters [Andr´ et al., 2009] e “Given a reference parameter valuation π0 , ﬁnd other valuations around π0 of same (linear-time) behavior” Input · π0 p1 = 1 p2 = 5 p3 = 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 22 / 27
74. 74. Synthesis of ParametersAn Inverse Method for PTAs Original method for synthesis of parameters [Andr´ et al., 2009] e “Given a reference parameter valuation π0 , ﬁnd other valuations around π0 of same (linear-time) behavior” Input Output · π0 p1 = 1 p2 = 5 p3 p2 ∧ 6p1 > p2 p3 = 8 ∧ p2 5p1 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 22 / 27
75. 75. Synthesis of ParametersAn Inverse Method for PTAs Original method for synthesis of parameters [Andr´ et al., 2009] e “Given a reference parameter valuation π0 , ﬁnd other valuations around π0 of same (linear-time) behavior” Input Output · π0 p1 = 1 p2 = 5 p3 p2 ∧ 6p1 > p2 p3 = 8 ∧ p2 5p1 Properties Semi-algorithm Not complete Advantages Exact method Behaves well in practice! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 22 / 27
76. 76. Synthesis of ParametersBehavioral Cartography of Timed Automata (1/2)s min 2200 2100 Idea: repeatedly call the inverse 2000 method 1900 [Andr´ and Fribourg, 2010] e 1800 Cover the parametric space with tiles 1700 1600 Parametric zones with uniform behavior 1500 1400 1300 1200 1100 1000 900 Example: Root Contention Protocol 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 23 / 27
77. 77. Synthesis of ParametersBehavioral Cartography of Timed Automata (1/2)s min 2200 2100 Idea: repeatedly call the inverse 2000 method 1900 6 [Andr´ and Fribourg, 2010] e 1800 1 Cover the parametric space with tiles 1700 1600 5 Parametric zones with uniform 11 14 behavior 1500 19 2 4 9 12 18 1400 16 17 8 3 7 1300 13 10 1200 15 1100 1000 900 Example: Root Contention Protocol 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 23 / 27
78. 78. Synthesis of ParametersBehavioral Cartography of Timed Automata (1/2)s min 2200 2100 Idea: repeatedly call the inverse 2000 method 1900 6 [Andr´ and Fribourg, 2010] e 1800 1 Cover the parametric space with tiles 1700 1600 5 Parametric zones with uniform 11 14 behavior 1500 19 2 4 9 12 18 1400 16 17 8 3 7 Remarks 1300 13 1200 10 Tiles may be inﬁnite 15 The cartography may not cover 1100 the whole real-valued space 1000 900 Example: Root Contention Protocol 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 23 / 27
79. 79. Synthesis of ParametersBehavioral Cartography of Timed Automata (2/2)s min 2200 2100 2000 Partition into good and bad 1900 6 subspaces 1800 1 Good if the property is true 1700 Bad if the property is false Unknown if not covered by 1600 5 11 14 any tile 1500 19 2 4 9 12 18 1400 16 17 8 3 7 1300 13 10 1200 15 1100 1000 900 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 24 / 27
80. 80. Synthesis of ParametersBehavioral Cartography of Timed Automata (2/2)s min 2200 2100 2000 Partition into good and bad 1900 6 subspaces 1800 1 Good if the property is true 1700 Bad if the property is false Unknown if not covered by 1600 5 11 14 any tile 1500 19 2 4 9 12 18 1400 16 17 8 3 7 Advantages 1300 13 Independent of the property 10 1200 15 (Only the partition depends on 1100 the property) Covers much of the parametric 1000 space in practice 900 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 24 / 27
81. 81. ConclusionSummary Synthesis of parameters for real-time concurrent systems important Robustness Optimization of timing constants Avoidance of numerous veriﬁcations Undecidable in the general case Possible solutions Semi algorithms Approximations Restrictions to decidable subclasses Still ongoing work! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 25 / 27
82. 82. BibliographyReferences I Alur, R., Courcoubetis, C., and Dill, D. L. (1993a). Model-checking in dense real-time. Information and Computation, 104(1):2–34. Alur, R. and Dill, D. L. (1994). A theory of timed automata. TCS, 126(2):183–235. Alur, R., Henzinger, T. A., and Vardi, M. Y. (1993b). Parametric real-time reasoning. In STOC ’93, pages 592–601. ACM. e ´ Andr´ , E., Chatain, T., Encrenaz, E., and Fribourg, L. (2009). An inverse method for parametric timed automata. International Journal of Foundations of Computer Science, 20(5):819–836. e ´ Andr´ , E. and Fribourg, L. (2010). Behavioral cartography of timed automata. In RP’10, volume 6227 of LNCS, pages 76–90. Springer. Clariso, R. and Cortadella, J. (2007). ´ The octahedron abstract domain. Sci. Comput. Program., 64(1):115–139. ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 26 / 27
83. 83. BibliographyReferences II Clarke, E. M. and Emerson, E. A. (1982). Design and synthesis of synchronization skeletons using branching-time temporal logic. In Logic of Programs, Workshop, pages 52–71, London, UK. Springer-Verlag. Henzinger, T. A. and Wong-Toi, H. (1996). Using HyTech to synthesize control parameters for a steam boiler. In Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control, LNCS 1165. Springer-Verlag. Hune, T., Romijn, J., Stoelinga, M., and Vaandrager, F. (2002). Linear parametric model checking of timed automata. Journal of Logic and Algebraic Programming. ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 27 / 27
84. 84. Extra SlidesSummary of Experiments: IM Computation times of various case studies Experiments conducted on an Intel Core2 Duo 2.4 GHz with 2 Gb Example PTAs loc./PTA |X| |P| iter. |K0 | states trans. Time SR-latch 3 [3, 8] 3 3 5 2 4 3 0.007 Flip-ﬂop 5 [4, 16] 5 12 9 6 11 10 0.122 And–Or 3 [4, 8] 4 12 14 4 13 13 0.15 Latch circuit 7 [2, 5] 8 13 12 6 18 17 0.345 CSMA/CD 3 [3, 8] 3 3 19 2 219 342 1.01 RCP 5 [6, 11] 6 5 20 2 327 518 2.3 BRP 6 [2, 6] 7 6 30 7 429 474 34 SIMOP 5 [5, 16] 8 7 53 9 1108 1404 67 SPSMALL 28 [2, 11] 28 62 94 45 129 173 461 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 28 / 27
85. 85. Extra SlidesSummary of Experiments: BC Computation time for the cartography algorithm Experiments conducted on an Intel Core2 Duo 2.4 GHz with 2 Gb Example PTAs loc./PTA |X| |P| |V0 | tiles states trans. Time (s) SR-latch 3 [3, 8] 3 3 1331 6 5 4 0.3 Flip-ﬂop 5 [4, 16] 5 2 644 8 15 14 3 Latch circuit 7 [2, 5] 8 4 73062 5 21 20 96.3 And–Or 3 [4, 8] 4 6 75600 4 64 72 118 CSMA/CD 3 [3, 8] 3 3 2000 140 349 545 269 RCP 5 [6, 11] 6 3 186050 19 5688 9312 7018 SPSMALL 28 [2, 11] 28 3 784 213 145 196 31641 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 29 / 27