Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CSTalks - Model Checking - 26 Jan

667 views

Published on

CSTalk # 2

  • Be the first to comment

  • Be the first to like this

CSTalks - Model Checking - 26 Jan

  1. 1. Computing Students Talks 26th January 2011 The Good, the Bad and the UnknownSynthesis of Timing Parameters in Concurrent Systems ´ ´ Etienne ANDRE PAT Team School of Computing, National University of Singapore´ ´Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 1 / 27
  2. 2. IntroductionVerification of Real Time Systems Motivation ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 2 / 27
  3. 3. IntroductionContext: Model Checking Timed Systems (1/2) Input A timed concurrent system ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 3 / 27
  4. 4. IntroductionContext: Model Checking Timed Systems (1/2) Input A timed concurrent system A good behavior expected for the system ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 3 / 27
  5. 5. IntroductionContext: Model Checking Timed Systems (1/2) Input A timed concurrent system A good behavior expected for the system Question: does the system always behave well? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 3 / 27
  6. 6. IntroductionContext: Model Checking Timed Systems (2/2) Use of formal methods AG¬badA finite model of the system A formula to be satisfied ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 4 / 27
  7. 7. IntroductionContext: Model Checking Timed Systems (2/2) Use of formal methods ? |= AG¬badA finite model of the system A formula to be satisfied Question: does the model of the system satisfy the formula? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 4 / 27
  8. 8. IntroductionContext: Model Checking Timed Systems (2/2) Use of formal methods ? |= AG¬badA finite model of the system A formula to be satisfied Question: does the model of the system satisfy the formula? Yes No Counterexample ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 4 / 27
  9. 9. OutlineOutline1 A Coffee Vending Machine2 A Parametric Coffee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 5 / 27
  10. 10. A Coffee Vending MachineOutline1 A Coffee Vending Machine2 A Parametric Coffee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 6 / 27
  11. 11. A Coffee Vending MachineModel coffee! Waiting Adding sugar press? cup! Delivering coffee press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
  12. 12. A Coffee Vending MachineModel coffee! Waiting Adding sugar press? cup! Delivering coffee press? Example of runs Coffee with no sugar press? cup! coffee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
  13. 13. A Coffee Vending MachineModel coffee! Waiting Adding sugar press? cup! Delivering coffee press? Example of runs Coffee with no sugar press? cup! coffee! Coffee with 2 doses of sugar press? press? press? cup! coffee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
  14. 14. A Coffee Vending MachineModel coffee! Waiting Adding sugar press? cup! Delivering coffee press? Example of runs Coffee with no sugar press? cup! coffee! Coffee with 2 doses of sugar press? press? press? cup! coffee! And so on ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 7 / 27
  15. 15. A Coffee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coffee is always eventually delivered.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
  16. 16. A Coffee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coffee is always eventually delivered.” (×) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
  17. 17. A Coffee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coffee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a coffee is eventually delivered.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
  18. 18. A Coffee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coffee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a √ coffee is eventually delivered.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
  19. 19. A Coffee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coffee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a √ coffee is eventually delivered.” ( ) “It is possible to get a coffee with 2 doses of sugar.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
  20. 20. A Coffee Vending MachineTemporal Logics Specify properties on the order between events Example: CTL (Computation Tree Logic) [Clarke and Emerson, 1982] “After the button is pressed, a coffee is always eventually delivered.” (×) “After the button is pressed, there exists an execution such that a √ coffee is eventually delivered.” ( ) √ “It is possible to get a coffee with 2 doses of sugar.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 8 / 27
  21. 21. A Coffee Vending MachineTimed Automaton Finite state automaton (sets of locations) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
  22. 22. A Coffee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) coffee! press? cup! press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
  23. 23. A Coffee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate coffee! press? cup! press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
  24. 24. A Coffee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate Features Location invariant: property to be verified to stay at a location coffee! y 5 press? cup! press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
  25. 25. A Coffee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate Features Location invariant: property to be verified to stay at a location Transition guard: property to be verified to enable a transition y=8 coffee! y 5 press? y=5 cup! x 1 press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
  26. 26. A Coffee Vending MachineTimed Automaton Finite state automaton (sets of locations and actions) augmented with a set X of clocks [Alur and Dill, 1994] Real-valued variables evolving linearly at the same rate Features Location invariant: property to be verified to stay at a location Transition guard: property to be verified to enable a transition Clock reset: some of the clocks can be set to 0 at each transition y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 9 / 27
  27. 27. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  28. 28. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar x 0 y 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  29. 29. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? x 0 0 y 0 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  30. 30. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 x 0 0 5 y 0 0 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  31. 31. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! x 0 0 5 5 y 0 0 5 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  32. 32. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 x 0 0 5 5 8 y 0 0 5 5 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  33. 33. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  34. 34. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar x 0 y 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  35. 35. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? x 0 0 y 0 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  36. 36. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 x 0 0 1.5 y 0 0 1.5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  37. 37. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? x 0 0 1.5 0 y 0 0 1.5 1.5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  38. 38. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? 2.7 x 0 0 1.5 0 2.7 y 0 0 1.5 1.5 4.2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  39. 39. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? 2.7 press? x 0 0 1.5 0 2.7 0 y 0 0 1.5 1.5 4.2 4.2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  40. 40. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 x 0 0 1.5 0 2.7 0 0.8 y 0 0 1.5 1.5 4.2 4.2 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  41. 41. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 cup! x 0 0 1.5 0 2.7 0 0.8 0.8 y 0 0 1.5 1.5 4.2 4.2 5 5 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  42. 42. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 cup! 3 x 0 0 1.5 0 2.7 0 0.8 0.8 3.8 y 0 0 1.5 1.5 4.2 4.2 5 5 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  43. 43. A Coffee Vending MachineTimed Runs y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 Examples of timed runs Coffee with no sugar press? 5 cup! 3 coffee! x 0 0 5 5 8 8 y 0 0 5 5 8 8 Coffee with 2 doses of sugar press? 1.5 press? 2.7 press? 0.8 cup! 3 coffee! x 0 0 1.5 0 2.7 0 0.8 0.8 3.8 3.8 y 0 0 1.5 1.5 4.2 4.2 5 5 8 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 10 / 27
  44. 44. A Coffee Vending MachineDense Time Time is dense: transitions can be taken anytime Infinite number of timed runs Model checking needs a finite structure! Some runs are equivalent Taking the press? action at t = 1.5 or t = 1.57 is equivalent w.r.t. the possible actions Idea: reason with abstractions Region automaton [Alur and Dill, 1994] Example: in location , all clock values in the following region are equivalent x 1∧y 5∧x=y This abstraction is finite ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 11 / 27
  45. 45. A Coffee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the first time the button is pressed, a coffee is always eventually delivered within 10 units of time.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
  46. 46. A Coffee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the first time the button is pressed, a coffee is always √ eventually delivered within 10 units of time.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
  47. 47. A Coffee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the first time the button is pressed, a coffee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
  48. 48. A Coffee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the first time the button is pressed, a coffee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” (×) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
  49. 49. A Coffee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the first time the button is pressed, a coffee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” (×) “It must never happen that the button can be pressed twice within a time strictly less than 1 unit of time.” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
  50. 50. A Coffee Vending MachineTimed Temporal Logics Specify properties on the order and the delay between events Example: TCTL (Timed CTL) [Alur et al., 1993a] “After the first time the button is pressed, a coffee is always √ eventually delivered within 10 units of time.” ( ) “It must never happen that the button can be pressed twice within 1 unit of time.” (×) “It must never happen that the button can be pressed twice within a √ time strictly less than 1 unit of time.” ( ) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 12 / 27
  51. 51. A Coffee Vending MachineTowards a Parametrization. . . Interesting problems Robustness Does the system still behave the same if one of the delays (slightly) changes? Optimization of timing constants Up to which value of the delay between two actions press? can I still order a coffee with 3 doses of sugar? Avoidance of numerous verifications If one of the timing delays of the model changes, should I model check again the whole system? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 13 / 27
  52. 52. A Coffee Vending MachineTowards a Parametrization. . . Interesting problems Robustness Does the system still behave the same if one of the delays (slightly) changes? Optimization of timing constants Up to which value of the delay between two actions press? can I still order a coffee with 3 doses of sugar? Avoidance of numerous verifications If one of the timing delays of the model changes, should I model check again the whole system? Idea: reason with parameters (unknown constants) ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 13 / 27
  53. 53. A Parametric Coffee Vending MachineOutline1 A Coffee Vending Machine2 A Parametric Coffee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 14 / 27
  54. 54. A Parametric Coffee Vending MachineParametric Timed Automaton Timed automaton (sets of locations, actions and clocks) y=8 coffee! y 5 press? y=5 x := 0 cup! x 1 y := 0 press? x := 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 15 / 27
  55. 55. A Parametric Coffee Vending MachineParametric Timed Automaton Timed automaton (sets of locations, actions and clocks) augmented with a set P of parameters [Alur et al., 1993b] Unknown constants used in guards and invariants y = p3 coffee! y p2 press? y = p2 x := 0 cup! x p1 y := 0 press? x := 0 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 15 / 27
  56. 56. A Parametric Coffee Vending MachineSymbolic Exploration Iterative exploration of symbolic states Symbolic state: location and constraint on the clocks and parameters ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 16 / 27
  57. 57. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  58. 58. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y 0 y p2 press? ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  59. 59. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y 0 y p2 y p2 press? cup! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  60. 60. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y 0 y p2 y p2 y p3 press? cup! coffee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  61. 61. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coffee! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  62. 62. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coffee! press? y−x p1 cup! ··· 0 y p2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  63. 63. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coffee! press? y−x p1 cup! ··· 0 y p2 press? y−x 2p1 cup! ··· 0 y p2 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  64. 64. A Parametric Coffee Vending MachineSymbolic Exploration: Coffee Machine y = p3 coffee! y p2 press? y = p2 x := 0 cup! y := 0 x p1 press? x := 0 x=y x=y x=y x=y press? 0 y p2 y p2 y p3 press? cup! coffee! press? y−x p1 cup! ··· 0 y p2 press? y−x 2p1 cup! ··· 0 y p2 ··· ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 17 / 27
  65. 65. A Parametric Coffee Vending MachineUndecidability The symbolic exploration is infinite in general No possible abstraction like for Timed Automata ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 18 / 27
  66. 66. A Parametric Coffee Vending MachineUndecidability The symbolic exploration is infinite in general No possible abstraction like for Timed AutomataBad News(Almost) all interesting problems are undecidable for Parametric TimedAutomata. ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 18 / 27
  67. 67. Synthesis of ParametersOutline1 A Coffee Vending Machine2 A Parametric Coffee Vending Machine3 Synthesis of Parameters4 Conclusion ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 19 / 27
  68. 68. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, find a set of parameter valuations of good behavior” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
  69. 69. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, find a set of parameter valuations of good behavior” ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
  70. 70. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, find a set of parameter valuations of good behavior” Interesting problem ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
  71. 71. Synthesis of ParametersSynthesis of Parameters (1/2) The good parameters problem “Given a bounded parameter domain, find a set of parameter valuations of good behavior” Interesting problem But undecidable! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 20 / 27
  72. 72. Synthesis of ParametersSynthesis of Parameters (2/2) Possible options to deal with undecidability Semi algorithms Example: Computation of all the reachable states, and intersection with the bad states [Henzinger and Wong-Toi, 1996] Approximations Example: Use of octahedra [Clariso and Cortadella, 2007] ´ Restrictions to decidable subclasses Example: L/U automata [Hune et al., 2002] ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 21 / 27
  73. 73. Synthesis of ParametersAn Inverse Method for PTAs Original method for synthesis of parameters [Andr´ et al., 2009] e “Given a reference parameter valuation π0 , find other valuations around π0 of same (linear-time) behavior” Input · π0 p1 = 1 p2 = 5 p3 = 8 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 22 / 27
  74. 74. Synthesis of ParametersAn Inverse Method for PTAs Original method for synthesis of parameters [Andr´ et al., 2009] e “Given a reference parameter valuation π0 , find other valuations around π0 of same (linear-time) behavior” Input Output · π0 p1 = 1 p2 = 5 p3 p2 ∧ 6p1 > p2 p3 = 8 ∧ p2 5p1 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 22 / 27
  75. 75. Synthesis of ParametersAn Inverse Method for PTAs Original method for synthesis of parameters [Andr´ et al., 2009] e “Given a reference parameter valuation π0 , find other valuations around π0 of same (linear-time) behavior” Input Output · π0 p1 = 1 p2 = 5 p3 p2 ∧ 6p1 > p2 p3 = 8 ∧ p2 5p1 Properties Semi-algorithm Not complete Advantages Exact method Behaves well in practice! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 22 / 27
  76. 76. Synthesis of ParametersBehavioral Cartography of Timed Automata (1/2)s min 2200 2100 Idea: repeatedly call the inverse 2000 method 1900 [Andr´ and Fribourg, 2010] e 1800 Cover the parametric space with tiles 1700 1600 Parametric zones with uniform behavior 1500 1400 1300 1200 1100 1000 900 Example: Root Contention Protocol 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 23 / 27
  77. 77. Synthesis of ParametersBehavioral Cartography of Timed Automata (1/2)s min 2200 2100 Idea: repeatedly call the inverse 2000 method 1900 6 [Andr´ and Fribourg, 2010] e 1800 1 Cover the parametric space with tiles 1700 1600 5 Parametric zones with uniform 11 14 behavior 1500 19 2 4 9 12 18 1400 16 17 8 3 7 1300 13 10 1200 15 1100 1000 900 Example: Root Contention Protocol 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 23 / 27
  78. 78. Synthesis of ParametersBehavioral Cartography of Timed Automata (1/2)s min 2200 2100 Idea: repeatedly call the inverse 2000 method 1900 6 [Andr´ and Fribourg, 2010] e 1800 1 Cover the parametric space with tiles 1700 1600 5 Parametric zones with uniform 11 14 behavior 1500 19 2 4 9 12 18 1400 16 17 8 3 7 Remarks 1300 13 1200 10 Tiles may be infinite 15 The cartography may not cover 1100 the whole real-valued space 1000 900 Example: Root Contention Protocol 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 23 / 27
  79. 79. Synthesis of ParametersBehavioral Cartography of Timed Automata (2/2)s min 2200 2100 2000 Partition into good and bad 1900 6 subspaces 1800 1 Good if the property is true 1700 Bad if the property is false Unknown if not covered by 1600 5 11 14 any tile 1500 19 2 4 9 12 18 1400 16 17 8 3 7 1300 13 10 1200 15 1100 1000 900 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 24 / 27
  80. 80. Synthesis of ParametersBehavioral Cartography of Timed Automata (2/2)s min 2200 2100 2000 Partition into good and bad 1900 6 subspaces 1800 1 Good if the property is true 1700 Bad if the property is false Unknown if not covered by 1600 5 11 14 any tile 1500 19 2 4 9 12 18 1400 16 17 8 3 7 Advantages 1300 13 Independent of the property 10 1200 15 (Only the partition depends on 1100 the property) Covers much of the parametric 1000 space in practice 900 800 0 100 200 300 400 500 600 700 800 900 delay ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 24 / 27
  81. 81. ConclusionSummary Synthesis of parameters for real-time concurrent systems important Robustness Optimization of timing constants Avoidance of numerous verifications Undecidable in the general case Possible solutions Semi algorithms Approximations Restrictions to decidable subclasses Still ongoing work! ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 25 / 27
  82. 82. BibliographyReferences I Alur, R., Courcoubetis, C., and Dill, D. L. (1993a). Model-checking in dense real-time. Information and Computation, 104(1):2–34. Alur, R. and Dill, D. L. (1994). A theory of timed automata. TCS, 126(2):183–235. Alur, R., Henzinger, T. A., and Vardi, M. Y. (1993b). Parametric real-time reasoning. In STOC ’93, pages 592–601. ACM. e ´ Andr´ , E., Chatain, T., Encrenaz, E., and Fribourg, L. (2009). An inverse method for parametric timed automata. International Journal of Foundations of Computer Science, 20(5):819–836. e ´ Andr´ , E. and Fribourg, L. (2010). Behavioral cartography of timed automata. In RP’10, volume 6227 of LNCS, pages 76–90. Springer. Clariso, R. and Cortadella, J. (2007). ´ The octahedron abstract domain. Sci. Comput. Program., 64(1):115–139. ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 26 / 27
  83. 83. BibliographyReferences II Clarke, E. M. and Emerson, E. A. (1982). Design and synthesis of synchronization skeletons using branching-time temporal logic. In Logic of Programs, Workshop, pages 52–71, London, UK. Springer-Verlag. Henzinger, T. A. and Wong-Toi, H. (1996). Using HyTech to synthesize control parameters for a steam boiler. In Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control, LNCS 1165. Springer-Verlag. Hune, T., Romijn, J., Stoelinga, M., and Vaandrager, F. (2002). Linear parametric model checking of timed automata. Journal of Logic and Algebraic Programming. ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 27 / 27
  84. 84. Extra SlidesSummary of Experiments: IM Computation times of various case studies Experiments conducted on an Intel Core2 Duo 2.4 GHz with 2 Gb Example PTAs loc./PTA |X| |P| iter. |K0 | states trans. Time SR-latch 3 [3, 8] 3 3 5 2 4 3 0.007 Flip-flop 5 [4, 16] 5 12 9 6 11 10 0.122 And–Or 3 [4, 8] 4 12 14 4 13 13 0.15 Latch circuit 7 [2, 5] 8 13 12 6 18 17 0.345 CSMA/CD 3 [3, 8] 3 3 19 2 219 342 1.01 RCP 5 [6, 11] 6 5 20 2 327 518 2.3 BRP 6 [2, 6] 7 6 30 7 429 474 34 SIMOP 5 [5, 16] 8 7 53 9 1108 1404 67 SPSMALL 28 [2, 11] 28 62 94 45 129 173 461 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 28 / 27
  85. 85. Extra SlidesSummary of Experiments: BC Computation time for the cartography algorithm Experiments conducted on an Intel Core2 Duo 2.4 GHz with 2 Gb Example PTAs loc./PTA |X| |P| |V0 | tiles states trans. Time (s) SR-latch 3 [3, 8] 3 3 1331 6 5 4 0.3 Flip-flop 5 [4, 16] 5 2 644 8 15 14 3 Latch circuit 7 [2, 5] 8 4 73062 5 21 20 96.3 And–Or 3 [4, 8] 4 6 75600 4 64 72 118 CSMA/CD 3 [3, 8] 3 3 2000 140 349 545 269 RCP 5 [6, 11] 6 3 186050 19 5688 9312 7018 SPSMALL 28 [2, 11] 28 3 784 213 145 196 31641 ´ ´ Etienne ANDRE (NUS) The Good, the Bad and the Unknown 26th January 2011 29 / 27

×