Timed Automata II

1
Timed Automata II

• CS 5270 Lecture 5

2
Goals

• Timed Transition Systems
• Review
• Definition
• Timed behaviors.
• Parallel composition
• Reachability
• UPPAAL

3
Timed Transition Systems

• Timed Transition Systems
• Transition Systems Clock Variables.
• Clock variables.
• Used to record the passage of (real) time.
• Act like Timers.
• Can be read.
• Transitions constrained (guarded) by current
  values of clock variables.
• Can be reset to 0 during a transition.
• Continue to evolve (in real time) until reset.

4
Using Clock Variables
Hot y
On-ac x
OK
y 2
Off-ac
Off-ac
x ? 5
Spec. Turn off ac if the temperature is OK or
any time after 5 units of time has elapsed since
turning it on. Turn on ac within 2 time units
after receiving Hot signal.
5
Using Clock Variables
Hot y
On-ac x
OK
y 2
Off-ac
Off-ac
x 5
Three components Action on-ac Reset x In
general, more than one clock can be reset. Guard
y 2 In general, more than one constraint can
be used.
6
State Invariants

• A clock constraint is associated with each state
  state invariant
• The system can stay in the state only as long as
  the states invariant is not violated.
• For time points which violate the invariant one
  expects an output transition to be enabled.
• Otherwise a time deadlock.
• The progress of time is blocked (in the model!).

7
Timed Transition Systems Definition

• Clock Constraints
• X, a finite set of clocks (clock variables).
• x ? X
• ? (X), the set of clock constraints over X.
• ?(X) x c x c x c ?1 ? ?2
• c ? Q
• Q , the set of non-negative rational numbers.
• 2X --- The set of subsets of X
• X x, y 2X ?, x, y, x, y

8
Timed Transition Systems

• TTS (S, sin, Act, X, I, ?)
• S is a finite set of states.
• sin, initial state
• Act, a finite set of actions
• X, a finite set of clock variables.
• I S ?(X), assigns a clock invariant
  to each state.
• ? ? S ? Act ? 2X ? ?(X) ? S , the transition
  relation.

9
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2 ? y ? 3
(s0, add, x, True, s1) is a transition in TTS.
10
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
X x0, x1,..xn True x0 0 X x, y True
x ? 0
(s0, add, x, True, s1) is a transition in TTS.
11
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2 ?
(s1, data, y, True, s2) is a transition in
TTS. (s2, ack.add, , x 2, s3) is a transition
in TTS. (s3, ack.data, , y 5, s0) is a
transition in TTS
12
Behaviors
s3
c
b
a
s0
s1
s2
d
s4
s0 a s1 b s2 c s3 s0 a s1 b
s2 d s4 Are both paths (runs).
13
Behaviors
s3
c
x b
a x
s0
s1
s2
x 1
x 2
d
s4
s0 a s1 b s2 c s3 is NOT a run! s0
a s1 b s2 d s4 is a run. Computing
behaviors is difficult.
14
Behaviors

• TTS (S, sin, Act, X, I, ?)
• We associate a normal transition system with
  TTS while taking time into account
• TSTTS (S, sin, Act ? R, ?)
• R, non-negative reals
• ? ? S ? Act ? R ? S
• TSTTS is, almost always, an infinite transition
  system!

15
Behaviors

• TTS (S, sin, Act, X, I, ?)
• TSTTS (S, sin, Act ? R, ?)
• S S ? V
• V --- Valuations
• A valuation says what the current values of each
  clock variable is.
• v X R

16
Behaviors
s3
c
x b
a x
s0
s1
s2
x 1
x 2
d
s4
(s1, 0) (s2, 1.8) (s4, ?) are t-states. (s3, 5)
is a t-state but not reachable.
17
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
(s1, (2, 5) ) is a state (s1, V) V(x) 2 V(y)
5 (s2, V) is a state. V(x) 15 V(y) 0
(s2, (15, 0) )
18
Behaviors

• TTS (S, sin, Act, X, I, !)
• TSTTS (S, sin, Act ? R, ?)
• R, non-negative reals
• ? ? S ? Act ? R ? S
• S S ? V
• sin (sin, VZERO)
• VZERO (x) 0 for every x in X.

19
Behaviors

• There will be two types of transitions.
• Time pass move
• (s, v) ? (s, v)
• t units of time pass starting from V.
• V (x) V(x) t for every x.
• Instantaneous transition.
• (s, v) ? (s, v)
• Some transition in the timed automaton is taken
  at v the guard is satisfied v is the same as v
  except for resets.

t
a
20
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
1
(s1, (0, 5))
(s2, (1, 6) )
Time- passing move?
21
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
1
(s1, (0, 5))
(s1, (1, 7) )
Time- passing move?
22
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
0
(s1, (0, 5))
(s1, (0, 5) )
Time- passing move?
23
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
2
(s1, (0, 5))
(s1, (2, 7.7) )
Time- passing move?
24
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
add
(s0, (3, 3) )
(s1, (0, 3)) a transition in TS?
25
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
add
(s0, (3, 3) )
(s3, (0, 3)) a transition in TS?
26
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
add
(s0, (3, 3) )
(s1, (0, 4)) a transition in TS?
27
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
add
(s0, (0, 0) )
(s1, (0, 0)) a transition in TS?
28
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
add
(s0, (0, 0) )
(s1, (0, 0))
Is this possible?
data
(s2, (0, 0) )
29
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
ack.add
(s2, (3, 2))
(s3, (3, 2))
ack.data
(s3, (5, 5))
(s0, (5, 5))
30
Example
add x
(s0, (0, 0))
s0
s1
.8
1
..
data y
(s0, (.8, .8))
(s0, (1, 1))
y 5
ack.data
ack.add
s2
s3
x 2
TSTTS will have (uncountably) infinite number of
states and transitions.
31
Timed Behaviors

• TTS (S, S0, Act, X, I, !)
• TSTTS (S, sin, Act ? R, ?)
• The timed behavior of TTS is defined as the
  behavior of TSTTS
• Runs
• computations

32
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
(s0, (0, 0)) 1.6 (s0, (1.6, 1.6)) add (s1, (0,
1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0)) ..
33
Timed Behaviors

• Two consecutive time-passing moves can be
  amalgamated into one time passing move.
• (s1, (2,5)) 2 (s1, (4, 7)) 1.3 (s1, (5.3, 8.3))
  can also be recorded as
• (s1, (2,5)) 3.3 (s1, (5.3, 8.3))
• (s, V) ?1 (s, V?1) ?2 (s, (V?1)?2) can also be
  recorded as
• (s, V) ?1?2 (s, V(?1?2))

34
Timed Computations

• TTS (S, S0, Act, X, I, !)
• TSTTS (S, S0, Act R, ))
• (s0, V0) ?0 (s0, V0) a0 (s1, V1) ?1 (s1, V1)
  a1 (s2, V2) induces the timed computation
• (a0, ?0) (a1, ?0 ?1) (an, ?0?1..?n)
• Transition systems --- Computations
• Timed Transition Systems ---
• Timed Computations.

35
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
(s0, (0, 0)) 1.6 (s0, (1.6, 1.6)) add (s1, (0,
1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0)) (add, ?
) (data, ?) .
36
Example
add x
s0
s1
data y
y 5
ack.data
ack.add
s2
s3
x 2
(s0, (0, 0)) 1.6 (s0, (1.6, 1.6)) add (s1, (0,
1.6)) 2 (s1, (2, 3.6) data (s2, (2, 0)) (add,
1.6 ) (data, 3.6) .
37
Example
add x
data y
y 5
ack.data
ack.add
x 2
(add, 1) (d, 10) (ack.a , 3) A timed
computation?
38
Example
add x
data y
y 5
ack.data
ack.add
x 2
(add, 1) (d, 10) (ack.a , 3) A tmed
computation? No! Time must increase monotonically.
39
Example
add x
data y
y 5
ack.data
ack.add
x 2
(a, 1) (ack.a , 3) (d, 10) A timed
computation?
40
Example
add x
data y
y 5
ack.data
ack.add
x 2
(a, 1) (ack.a , 3) (d, 10) A timed
computation? No! The order of execution must
respect the specification!
41
Example
add x
data y
y 5
ack.data
ack.add
x 2
(a, 1) (d, 1) (ack.add, 10) A time
computation?
42
Example
x 2
(a, 1) (d, 1) (ack.add, 10) A timed
computation? Yes! Transitions are assumed to
take zero time. Must rule out an infinite number
of occurrences in finite time.
43
Zeno Computations
a
b
x (b, ½) .(b, 3/4) .(b, 15/16) . (b,
31/32). We must define computations of timed
transition systems carefully!
44
Parallel Composition

• TTS TTS_1 TTS_2 TTS_n
• Same principle as before
• Do common actions together
• Take union of clock variables.
• Take conjunction of the guards!

45
Reachability of Control States

• For a finite TS it is trivial to decide whether s
  is reachable in TS.
• For finite TTS, whether s is reachable in TTS is
  not easy to decide because TSTTS is an infinite
  object!
• But this can be done and this verification
  process can be automated.
• More involved (liveness) properties can also be
  verified effectively but not always efficiently.

46
An introduction toUPPAAL
47
What is UPPAAL?

• A toolbox for modeling, simulation and
  verification of real-time systems
• Developed jointly by Uppsala University and
  Aalborg University
• Often used for real-time controllers,
  communication protocols, etc.
• Consists of 3 main parts
• a system description
• a simulator
• a verifier

48
System Description
49
System Description

• A system in UPPAAL a set of concurrent processes
• A process a timed-automaton with
• Clocks and data variables
• data variables int, bool, array of int/bool
• Scopes global or local (to a process)
• Both clocks and data variables!
• Guards (on transitions) and invariants (on
  locations) are conditions on data variables and
  clocks

50
System Description

• Synchronization actions are described using
  communication channels
• Two processes communicate with each other via
  global data variables or synchronization on
  communication channels

51
System Description

• A system description in UPPAAL is composed of
• Global declarations
• Process templates
• Process assignments
• A system definition

52
System Description
Overview of UPPAAL
53
Global declarations
All the clocks, variables, constants and channels
declared here are visible to all the processes in
the system
54
Global declarations

• clock x, y
• two clocks x and y
• const a 1
• a constant a with value 1
• int a
• an integer variable a in the default range from
  -32768 to 32767
• int1,10 b 2
• an integer variable b in the range 1,,10 that is
  initialized to 2
• int a23 0,1,2,3,4,5
• a two dimensional integer array a default range
  and its initialization
• bool a3, b5
• two bit arrays a and b, with 3 and 5 elements
  respectively.

55
Global Declarations

• chan d
• A communication channel d
• Actions performed by two processes when they
  synchronize with each other on channel d are
  denoted as d! (sending) and d? (receiving)
• urgent chan d
• When two processes are able to synchronize on
  channel d, they have to do it immediately.
• No guard is allowed on transitions labeled with
  synchronization actions (eg. d!,d?) on urgent
  channels
• broadcast chan e
• Allows 1-to-many synchronization
• A transition with label e! emits a broadcast on
  the channel e.
• Any enabled transition with label e? will
  synchronise with the emitting process. No guard
  is allowed on these transitions

56
Process Templates

• Define a common control structures for the
  processes that are alike
• Each process is an instantiation of a template
• Each template can have
• symbolic variables and constants as parameters
• Parameters are syntactically similar to
  declarations, but with no initializations
• Eg. clock x, y int i1, i2 chan a, b
• local clocks and variables
• Declared in the same way as global clocks and
  variables

57
Declare symbolic constants and variables here!
Name of the template
Process Templates
Draw the structure of the template here!
58
Process Templates
All clocks, variables, constants declared here
are visible to process template P only
59
Process Templates
An example of process template
60
Process Templates

• Locations
• 3 types normal (with/without invariant),
  committed(C), urgent (U)
• When the system enters a committed location, it
  must leave the location immediately
• Just a way of breaking up the effect of a
  transition into a sequence of steps.
• urgent location Only 0 units of time can be
  spent in this location.

61
Process Templates

• A guard
• A conjunction of timing and data expressions
• Written as a list of expressions, separated by
  commas
• x
• Timing expression x e or x y e
• x, y clocks e an integer expression
• ?? , ,
• Data expression
• involves constants and variables
• same as in C/C/Java

62
Process Templates

• Invariants
• Same as guards, with no lower bounds on clocks
• Updates
• A list of assignment expressions
• Each assignment is of the form x e or a
  e
• In x e, almost always e is 0.
• x a clock
• a a variable
• e an integer expression
• e a data expression
• Evaluated sequentially
• a 1, b 2a sets a to 1, b to 2.

63
Process Assignments

• Declare instances of process templates
• Each assignment has the form P T(A)
• P a process name
• T a process template name
• A an argument list
• Examples
• P Q()
• Process P is an instance of template Q that has
  no parameter
• SR(x,1)
• Process S is an instance of template R that has
  two parameters - a clock and a constant

64
Process Assignments
Instantiate your processes here!
65
System Definition

• Declare the set of processes in the system
• Eg. system P, Q
• A system consists of two processes P and Q
• Each process in the system must be either
• a process that appears on the left-hand-side of a
  process assignment, or
• a template with no parameter

66
Simulator
67
Simulator

• A validation tool that
• allows users to interact and observe the
  behavior of the system during execution
• visualise executions (i.e. symbolic traces)
  generated by the verifier
• Interface divided into 4 sub-windows
• Simulation control
• Variable window
• Process window
• Message Sequence Chart

68
process window
Message sequence chart
simulator control
variable window
69
Simulator Control

• Used to control the simulation and to select the
  (symbolic) state or transition to be visualized
• Upper part for step-by-step simulation
• Displays all enabled transitions
• Enables users to select an enabled transition to
  be fired
• Lower part displays the generated trace
• A trace is an alternating sequence of location
  vectors and transitions.

70
Simulation Control
use the mouse to select the transition to be fired
press Reset resets the simulated system to its
initial state
press Next causes the system to fire the
selected transition
71
Simulation Control
the simulation always progresses from this
highlighted element
press Prev to highlight the element immediately
preceding the current selection in the trace.
press Replay to replay the trace starting from
the currently selected element.
press Open to open a file selector window for
loading a trace from file.
control the speed of simulation
72
Variable window

• Displays the values of data and clocks in the
  current state or transition selected in the trace

73
Process window

• Displays the process instances of the system
• The current location of each automaton is marked
  with a red token
• The transitions currently selected in the
  simulation control panel are highlighted

74
the selected transition
75
Message Sequence Chart

• Displays an MSC view of the generated trace
• a vertical lines for each process
• a horizontal line for each synchronisation point.

synchronization point
76
Verifier
77
Verifier

• Used to check invariant and liveness properties
  of the system
• Requirement Specification Language

p an expression that has no side-effect or
state formula (conjunction of state locations)
78
Verifier

• Examples
• A not deadlock
• true if the system is not deadlocked.
• E p1.cs and p2.cs
• true if the system can reach a state where both
  process p1 and p2 are in their locations cs.
• A p1.cs imply not p2.cs
• true if whenever process p1 is in its location
  cs, the process is not in its location cs.

79
Press to verify the selected property
The selected property to be verified
Insert a new property
Remove the selected property
Show the comments in overview window
the system is deadlock free
verification results are shown here!