verification of parameterized timed systems

Verification of

Parameterized Timed Systems

Parosh Aziz Abdulla

Uppsala University

Johann DeneuxPritha MahataAletta Nylen

Outline

• Parameterized Timed Systems

• Syntactic and Semantic Variants

• with one clock• with several clocks • discrete time domain

Safety Properties

Parameterized System of Timed Processes –(Timed Networks)

Timed Process:x:=0

x<5

Parameterized System:

Single Clock Timed Networks - TN(1)

Timed Process:x:=0

x<5

(single clock)


Challenge: arbitrary rather than fixed size

x=0 x<1 x>1x:=0

Fischer’s Protocol

Timed Process:

critical section

Parameterized Network:

arbitrary size


State = Configuration

2.3 1.4 5.2 3.7 1.0 8.1

Timed Process:x:=0

x<5

(single clock)


Initial Configurations

0 0 0 0 0 0 0 0 0 0


Timed Process:x:=0

x<5

(single clock)


2.8 1.9 5.7 4.2 0.5 8.6

2.3 1.4 5.2 3.7 0.0 8.1

Timed Transitions

0.5

x<5 x:=0

2.3 1.4 0.0 3.7 1.0 8.1

Discrete Transitions

2.3 1.4 5.2 3.7 1.0 8.1

• Unbounded number of clocks• Cannot be modeled as timed automata

TN(1) :

• Unbounded number of clocks• Cannot be modeled as timed automata

TN(1) :

How to check Safety Properties ?

configurations equivalent if they agree (up to cmax) on:

colours integral parts of clock values ordering on fractional parts

3.1 4.8 1.5 6.2 5.6

3.2 4.8 1.6 6.4 5.7

Equivalence on Configurations



3.1 4.8 1.5 6.2 5.6

3.2 4.8 1.6 6.4 5.7


3.3 1.7 4.8



3.1 4.8 1.5 6.2 5.6

3.2 4.8 1.6 6.4 5.7

3.3 1.7 4.8

3.1 1.8 4.9


Ordering on Configurations

c1 c2 iff c3 :

c1 c3

c3 c2

<

3.1 4.8 1.5 6.2 5.6

4.9 6.4 5.7

Ordering on Configurations

3.1 4.8 1.5 6.2 5.6

4.9 6.4 5.7

4.8 6.2 5.6

c1 c2 iff c3 :

c1 c3

c3 c2

<

• mutual exclusion: Bad States : # processes in critical section > 1

Safety Properties

x=0 x<1 x>1x:=0

section critical

3.4 8.1


Ideal = Upward closed set of configurations

Safety Properties

x=0 x<1 x>1x:=0

critical section

3.3 8.2 2.3 1.4 5.2 3.7 3.4 8.1

Ideal = Upward closed set of configurations

Safety = reachability of ideals


Safety Properties

x=0 x<1 x>1x:=0

critical section

3.3 8.2 2.3 1.4 5.2 3.7 3.4 8.1

Checking Safety Properties:Backward Reachability Analysis

bad statesinitial states



Pre



PrePrePrePre

Properties of -- Monotonicity

c1c3

c2


c1c3

c2

c4


c1c3

c2

c4c5


c1c3

c2

c4c5

c6

Monotonicity ideals closed under computing Pre

I


IPre(I)




PrePrePrePre

Ideals

Existential Zones

x1 x2 x3

1 x2 - x12 x2 - x3

Existential Zones

x1 x2 x3

1 x2 - x12 x2 - x3

3.1 7.2 4.6

Existential Zones

minimal requirement

x1 x2 x3

1 x2 - x12 x2 - x3

3.1 3.5 7.2 0.5 4.6

3.1 7.2 4.6

Existential Zones

Existential Zone Ideal

minimal requirement

x1 x2 x3

1 x2 - x12 x2 - x3

3.1 3.5 7.2 0.5 4.6

3.1 7.2 4.6

Existential Zones – Computing Pre

x1 x2 x3

1 x2 - x12 x2 - x3

Existential Zones – Computing Pre

x1 x2 x4

1 x2 - x1

x5

2 x5

4 x4

x1 x2 x3

1 x2 - x12 x2 - x3

4 x 2 x



PrePrePrePre

Existential Zones

Termination

Existential Zones BQO (and therefore WQO)

Termination

Existential Zones BQO (and therefore WQO)

Theorem:Safety properties can be decided for TN(1)

Multi-Clock Timed Networks – TN(K)

Timed Process:x:=0

x<5


Configuration

2.3 1.4 5.2 3.7 1.0 8.1

(two clocks) y>3

1.4 5.6 0.2 9.2 2.8 0.1

x

y

Timed Transitions

0.5

2.3 1.4 5.2 3.7 1.0 8.1

1.4 5.6 0.2 9.2 2.8 0.1

x

y

x

y

2.8 1.9 5.7 4.2 1.5 8.6

1.9 6.1 0.7 9.7 3.3 0.6

y<5 x>4 x:=0


2.3 1.4 5.2 3.7 1.0 8.1

1.4 5.6 0.2 9.2 2.8 0.1

x

y

2.3 0.0 5.2 3.7 1.0 8.1

1.4 5.6 0.2 9.2 2.8 0.1

x

y

x1 y1

1 y2 - x12 x2 - y1

x2 y2

xi and yi

belong to the same process



PrePrePrePre

Existential Zones

x1 < x2 < x3< x4y1 = x2

y2 = x3

y3 = x4

x1 y1 x2 y2 x3 y3

y4 = x1

y1

x1y2

x2 x3y3

x3y3

x4 y4

Termination nolonger guaranteed !!

x1 y1

y1 = x2

x2 y2

y2 = x1

x1 < x2

x1 x2y1

y2


x1 y1

y1 = x2

x2 y2

y2 = x1

x1 < x2

x1 < x2 < x3

y1 = x2

y2 = x3

y3 = x1

x1 y1 x2 y2 x3 y3

x1 x2y1

y2

y1

x1y2

x2 x3y3


x1 < x2 < x3

y1 = x2

y2 = x3

y3 = x1

x1 y1 x2 y2 x3 y3

x1 < x2 < x3< x4y1 = x2

y2 = x3

y3 = x4

x1 y1 x2 y2 x3 y3

y4 = x1

y1

x1y2

x2 x3y3

x3y3

x4 y4


y1

x1y2

x2 x3y3

Simulation of 2-counter machine by TN(2)

Timed processes:• One models control state• Some model c1

• Some model c2

• The rest are idle

c1++

c2=0?c2--M:

Encoding of configurations in M:

Simulation of 2-counter machinec1++

c2=0?c2--M:

Encoding of c1 :

# c1=3 left end

0.1 0.3 0.50.10.3 0.5 0.7 0.90.90.7

right end

Simulating a Decrement c1--

q1

q2

x=1 y=1 x:=0

q1

q2 idle

0<x y:=0

0.1 0.3 0.50.10.3 0.5 0.7 0.90.90.7


q1

q2

x=1 y=1 x:=0

q1

q2 idle

0<x y:=0

0.10.2 0.4 0.6

0.20.4 0.6 0.8 1.01.00.8

0.1 0.3 0.50.10.3 0.5 0.7 0.90.90.7


q1

q2

x=1 y=1 x:=0

q1

q2 idle

0<x y:=0

0.2 0.4 0.60.20.4 0.6 0.8 1.01.00.8

0.2 0.4 0.60.4 0.6 0.8 1.0

0.8


q1

q2

x=1 y=1 x:=0

q1

q2 idle

0<x y:=0

0.2 0.4 0.60.4 0.6 0.8 1.0

0.8

0 0.4 0.60.4 0.6 0.8 1.0

0.8


q1

q2

x=1 y=1 x:=0

q1

q2 idle

0<x y:=0

0 0.4 0.60.4 0.6 0.8 1.0

0.8

0 0.4 0.60.4 0.6 0.8 0

0.8

Simulating Zero Testingc1=0?q1 q2

x>0y=1 x:=0

q1

q2

x=1y:=0

0.20.20.7

0.7

0.50.5 0

0

0.50.51.0

1.0

0.3

Theorem:Checking Safety properties undecidable for TN(2)

Discrete Timed Networks - DTN(K)

State = Configuration

2 1 5 3 1 8

Clocks interpreted over the discrete time domain

2 1 5 3 1 8 Timed Transitions

4 3 7 5 3 10

2

cmax = 1

0

1

2*

0

1

2*

0

1

2*

4

2

3

3

0

6

5

0

8

# processes having:

same state clock value (up to cmax)

Exact Abstraction

x=0 x:=0 x=1

0

1

2*

0

1

2*

0

1

2*

4

2

3

3

0

6

5

0

8

0

1

2*

0

1

2*

0

1

2*

5

1

3

4

0

6

4

0

8


0

1

2*

0

1

2*

0

1

2*

4

2

3

3

0

6

5

0

8

1

0

1

2*

0

1

2*

0

1

2*

0

4

5

0

3

6

0

5

8

Timed Transitions

0

1

2*

0

1

2*

0

1

2*

4

2

3

3

0

6

5

0

8

Symbolic Representation

minimal element



PrePrePrePre

Minimal elements

Theorem:Checking Safety properties decidable for DTN(K)

Implementation

TPN - Parameterized Fischer

2 seconds

Lynch-Shavit’s Protocol

Lynch-Shavit’s Protocol


arbitrary size

TPN- Parameterized Lynch-Shavit

25 minutes

Syntactic Variants

Open timed networks: strict clock constraints

Closed timed networks: non-strict clock constraints

undecidable

decidable

Semantic Variants

Robust timed networks: semantically strict clock constraints undecidable

Summary

• TN(1) : decidable• TN(2) : undecidable• DTN(K) : decidable• TN(2) open : undecidable• TN(K) closed : decidable• TN(2) robust : undecidable

Future work

Acceleration and Widening Forward Analysis Price Timed Networks Stochastic Variants

verification of parameterized timed systems

Documents