Parameterized Model Checking for Timed Systems with Conjunctive Guards

1. Parameterized Model-Checking for Timed Systems with Conjunctive Guards Luca Spalazzi, and Francesco Spegni fspalazzi,spegnig@dii.univpm.it DII @ UnivPM, Ancona, Italy Veri

2. ed Software: Theories, Tools and Experiments 18th July 2014 L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 1 / 31

3. Intro You are here... 1 Intro 2 System Model 3 Speci

4. cation 4 Cuto Theorems 5 An example 6 Final discussion L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 2 / 31

5. Intro Parameterized Model-Checking Problem De

6. nition INPUT: process templates P1; : : : ; Pm, speci

7. cation OUTPUT: True: if 8(n1; : : : ; nk ) : P(n1)jj : : : jjP(nk ) j= False: otherwise (+ counterexample) Undecidable in general see. (Apt and Kozen, '86), parameterized reachability Relevance to Software Veri

8. cation (Fault Tolerant) Distributed Algorithms Security Protocols . . . L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 3 / 31

17. Intro Cuto upper bound to the number of copies for each process template Cuto Theorem for Untimed Systems with Conjunctive/Disjunctive guards (Emerson and Kahlon, 2003) plus: automatic, modular approach (reuse model checkers) minus: complexity may be high (i.e. non optimal) until now, no work on cuto for timed systems (that we know. . . ) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 4 / 31

18. Intro Parameterized Veri

19. cation of Timed Systems Several formalisms (Timed Automata, Hybrid Systems, . . . ) Some negative results on parameterized veri

20. cation . . . . . . all these results require synchronous rendezvous Let's try dierent synchronization (e.g. conjunctive guards . . . ) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 5 / 31

21. System Model You are here... 1 Intro 2 System Model 3 Speci

23. System Model Parameterized Networks of Timed Automata - 1 Timed Automaton: P = (S; ^s; C; ; ; I ) S: set of states ^s 2 S: initial state C: set of clock variables : set of boolean expressions on S S TCC 2C S: transition relation I : S ! TCC : state invariant mapping L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 7 / 31

24. System Model L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 8 / 31

25. System Model Parameterized Networks of Timed Automata - 2 Network of TA with Conjunctive Guards: P(n1) jj 1 : : : jjP(nm) m guards in l have the form: ^ mnl m6=i (^sm l _ pm l _ _ qm l ) ^ ^ hk h6=l ( ^ jnh (^sj h _ pj h _ _ qj h)) l ; : : : ; qm l 2 Sm l , pj where pm h; : : : ; qj h 2 Sj h, and ^sm l , ^sj h are the initial l and Uj states of Um h, respectively. L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 9 / 31

26. System Model Parameterized Networks of Timed Automata - 2 Network of TA with Conjunctive Guards: P(n1) jj 1 : : : jjP(nm) m guards in l have the form: ^ mnl m6=i (^sm l _ pm l _ _ qm l ) ^ ^ hk h6=l ( ^ jnh (^sj h _ pj h _ _ qj h)) l ; : : : ; qm l 2 Sm l , pj where pm h; : : : ; qj h 2 Sj h, and ^sm l , ^sj h are the initial l and Uj states of Um h, respectively. L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 9 / 31

27. System Model Network Semantics Con

28. guration: (hs1; u1i; : : : ; hsm; umi) sl : [1::nl ] ! Sl maps an instance to its current state, and ul : [1::nl ] ! (Cl ! R0), maps an instance to its clock function Continuous time model Steps delay: clocks update, local states unchanged local: local state changes instantaneously, guard must hold State invariants: 8i 2 [1; nl ] : ul (i) j= I i l (sl (i )) Interleaving semantics L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 10 / 31

37. Speci

38. cation You are here... 1 Intro 2 System Model 3 Speci

40. Speci

41. cation ITCTL? - Syntax Indexed-Timed CTL? Syntax ::= j p(il ) j ^ j : j A j V il ::= j ^ j : j Uc where 2 f;;;g Example ^ i6=j AG0!(CS mypid(i) ^ CS mypid(j)) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 12 / 31

42. Speci

43. cation ITCTL? - Syntax Indexed-Timed CTL? Syntax ::= j p(il ) j ^ j : j A j V il ::= j ^ j : j Uc where 2 f;;;g Example ^ i6=j AG0!(CS mypid(i) ^ CS mypid(j)) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 12 / 31

44. Speci

45. cation ITCTL? - Semantics Semantics c j= V p(il ) i p(il ) = state(c(l ; i)) c j= il (il ) i 8i 2 [1; nl ] : c j= (il ) c j= A i 8 2 paths(c) : j= j= 1 Uc 2 i 9t0 c : bt0 j= 2 ^ 8t 2 [0; t0) : bt j= 1 where c is a con

46. guration is a path; bt is a sux originating at time t 2 f;; ; ;=g L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 13 / 31

47. Cuto Theorems You are here... 1 Intro 2 System Model 3 Speci

49. Cuto Theorems Cuto Theorem for NTA with DG - 1 Monotonicity Lemma (i) P(1) 1 jjP(n) 2 j= E(12) ) P(1) 1 jjP(n+1) 2 j= E(12) (ii) P(1) 1 jjP(n) 2 j= E(11) ) P(1) 1 jjP(n+1) 2 j= E(11) where is a MITL formula Proof idea: in the big system, every instance behaves as in the small one, except the (n + 1)-th that stutters in its initial state L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 15 / 31

50. Cuto Theorems Cuto Theorem for NTA with DG - 1 Monotonicity Lemma (i) P(1) 1 jjP(n) 2 j= E(12) ) P(1) 1 jjP(n+1) 2 j= E(12) (ii) P(1) 1 jjP(n) 2 j= E(11) ) P(1) 1 jjP(n+1) 2 j= E(11) where is a MITL formula Proof idea: in the big system, every instance behaves as in the small one, except the (n + 1)-th that stutters in its initial state L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 15 / 31

51. Cuto Theorems Cuto Theorem for NTA with DG - 2 Bounding Lemma (i ) 8n c2:P(1) 1 jjP(n) 2 j= E(12) i P(1) 1 jjP(c2) 2 j= E(12) (ii) 8n c1:P(1) 1 jjP(n) 2 j= E(11) i P(1) 1 jjP(c1) 2 j= E(11) where is a MITL formula, c1 = 2jP2j and c2 = 2jP2j + 1 Proof idea: given a path x in the big system,

52. nd a path y in the small one, such that: instances 11 and 12 are mimicked exactly instance 22 is any instance with in

53. nite behavior instances i2, for i 3 are for detecting deadlock L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 16 / 31

54. Cuto Theorems Cuto Theorem for NTA with DG - 2 Bounding Lemma (i ) 8n c2:P(1) 1 jjP(n) 2 j= E(12) i P(1) 1 jjP(c2) 2 j= E(12) (ii) 8n c1:P(1) 1 jjP(n) 2 j= E(11) i P(1) 1 jjP(c1) 2 j= E(11) where is a MITL formula, c1 = 2jP2j and c2 = 2jP2j + 1 Proof idea: given a path x in the big system,

55. nd a path y in the small one, such that: instances 11 and 12 are mimicked exactly instance 22 is any instance with in

56. nite behavior instances i2, for i 3 are for detecting deadlock L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 16 / 31

57. Cuto Theorems Cuto Theorem for NTA with DG - 3 Cuto Theorem 8(n1; : : : ; nk ) : P(n1) 1 jj : : : jjP(nk ) k j= i 8(d1; : : : ; dk ) (c1; : : : ; ck ) : P(d1) 1 jj : : : jjP(dk ) k j= Follows from Monotonicity Lemma, Bounding Lemma and duality of E/A path quanti

58. ers Trace equivalence of small and big systems (restricted to 1st instance) Smaller cutos: c1 = 1; c2 = 2 for Einf=Ainf c1 = 1; c2 = 1 for E

59. n=A

60. n L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 17 / 31

63. n=A

67. n=A

71. n=A

73. Cuto Theorems Complexity of Parameterized Model Checking Problem PMCP for Timed Systems with Conjunctive Guards is: UNDECIDABLE for 2 ITCTL? DECIDABLE and 2-EXPSPACE for 2 IMITL DECIDABLE and EXPSPACE for 2 TCTL L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 18 / 31

74. An example You are here... 1 Intro 2 System Model 3 Speci

76. An example Example: Fischer's Protocol - 1 v = 0; c := 0 v := PID; c := 0 v = PID; c k start init b1 b2 cs v6= PID; c k v := 0 Standard process de

77. nition in Fischer's protocol c: local clock variable k: timeout constant v: shared integer variable PID: integer constant, unique for every process L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 20 / 31

78. An example Example: Fischer's Protocol - 2 Abstracting PID variable v1 start v0 v2 Figure: V: a shared variable start dipid mypid Figure: W: a process-centric view of a shared PID variable L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 21 / 31

79. An example Example: Fischer's Protocol - 3 Resulting model: P00 = (P W) (with conjunctive guards) P: standard process de

80. nition in Fischer's protocol W: process abstraction of shared PID variable conjunctive guards: obtained translating guards (v = PID, v6= PID) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 22 / 31

81. An example Example: Fischer's Protocol - 4 Simpli

82. cation: removed states without incoming transition Lower the required cuto (9 = 2 * 4 + 1) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 23 / 31

83. An example Example: Fischer's Protocol - 5 Veri

84. cation results FVormula Out Time (s) Mem (M) Vi EF(CS mypid(i)) T 0.01 155.2 Vi6=j AG!(CS mypid(i ) ^ CS mypid(j)) T 30.1 155.2 i AF(CS mypid(i)) F 0.59 155.2 L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 24 / 31

85. Final discussion You are here... 1 Intro 2 System Model 3 Speci

87. Final discussion Some take-home messages Cuto theorems are useful for verifying real-time systems in practice May be non optimal :-/ Systems are too complex (i.e. infeasible) Veri

88. cation chains needs to be de

89. ned (i.e. abstractions . . . ) Conjunctive guards can be used to abstract PID variables For the future: Extend cuto for timed systems with disjunctive guards (pairwise rendezvous don't admit cuto!) Explore systems mixing templates with CG/DG (but not arbitrary boolean formula: PMCP is UNDECIDABLE!) Compute cuto for speci

90. c process templates Verify more complex benchmarks/real-world examples (suggestions are welcome :-)) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 26 / 31

127. Final discussion So long and thanks for all the

128. sh L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 27 / 31

129. Some approaches to PMCP Abstraction (precise, CEGAR, . . . ) Proof theoretic Inductive invariants Satis

130. ability Modulo Theories plus: semi-automatic minus: semi-automatic Cuto upper bound to the number of copies for each process template plus: automatic, modular approach (reuse model checkers) minus: complexity may be high (i.e. non optimal) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 28 / 31

131. Parameterized Veri

132. cation of Timed Systems Several formalisms (Timed Automata, Hybrid Systems, . . . ) Some results on parameterized veri

133. cation Controller state reachability is undecidable in multi-clock dense timed networks (Abdulla et al., 2004) Controller state reachability is decidable in multi-clock discrete timed networks (Abdulla et al., 2004) Recurrent state problem is undecidable in timed networks (Abdulla and Jonsson, 2003) All these results require synchronous rendezvous . . . No results on cutos for timed systems No rendezvous (parameterized rendezvous systems don't have cuto) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 29 / 31

143. Cuto for Timed Systems - Simple solution reuse (untimed) cuto theorem 1 design timed process template 2 apply clock/zone abstraction 3 compute cuto on abstract states and instantiate 4 model check plus: no need for theoretical results minus: high cuto, cannot reuse model checkers for timed systems L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 30 / 31

146. Cuto for Timed Systems - Alternative solution prove timed cuto theorems 1 design timed process template 2 compute cuto on original template and instantiate 3 model check plus: the timed cuto theorems can be reused, can reuse existing model checkers for timed systems, the cuto is smaller minus: required some theoretical eort L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 31 / 31

Parameterized Model Checking for Timed Systems with Conjunctive Guards

Recommended

Recommended

More Related Content

Similar to Parameterized Model Checking for Timed Systems with Conjunctive Guards

Similar to Parameterized Model Checking for Timed Systems with Conjunctive Guards (20)

Recently uploaded

Recently uploaded (20)

Parameterized Model Checking for Timed Systems with Conjunctive Guards