Parameterized Model Checking for Timed Systems with Conjunctive Guards

1. Parameterized Model-Checking for Timed Systems with Conjunctive Guards Luca Spalazzi, and Francesco Spegni fspalazzi,spegnig@dii.univpm.it DII @ UnivPM, Ancona, Italy Veri

2. ed Software: Theories, Tools and Experiments 18th July 2014 L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 1 / 31

3. Intro You are here... 1 Intro 2 System Model 3 Speci

4. cation 4 Cuto Theorems 5 An example 6 Final discussion L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 2 / 31

5. Intro Parameterized Model-Checking Problem De

6. nition INPUT: process templates P1; : : : ; Pm, speci

7. cation OUTPUT: True: if 8(n1; : : : ; nk ) : P(n1)jj : : : jjP(nk ) j= False: otherwise (+ counterexample) Undecidable in general see. (Apt and Kozen, '86), parameterized reachability Relevance to Software Veri

8. cation (Fault Tolerant) Distributed Algorithms Security Protocols . . . L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 3 / 31

17. Intro Cuto upper bound to the number of copies for each process template Cuto Theorem for Untimed Systems with Conjunctive/Disjunctive guards (Emerson and Kahlon, 2003) plus: automatic, modular approach (reuse model checkers) minus: complexity may be high (i.e. non optimal) until now, no work on cuto for timed systems (that we know. . . ) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 4 / 31

18. Intro Parameterized Veri

19. cation of Timed Systems Several formalisms (Timed Automata, Hybrid Systems, . . . ) Some negative results on parameterized veri

20. cation . . . . . . all these results require synchronous rendezvous Let's try dierent synchronization (e.g. conjunctive guards . . . ) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 5 / 31

21. System Model You are here... 1 Intro 2 System Model 3 Speci

23. System Model Parameterized Networks of Timed Automata - 1 Timed Automaton: P = (S; ^s; C; ; ; I ) S: set of states ^s 2 S: initial state C: set of clock variables : set of boolean expressions on S S TCC 2C S: transition relation I : S ! TCC : state invariant mapping L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 7 / 31

24. System Model L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 8 / 31

25. System Model Parameterized Networks of Timed Automata - 2 Network of TA with Conjunctive Guards: P(n1) jj 1 : : : jjP(nm) m guards in l have the form: ^ mnl m6=i (^sm l _ pm l _ _ qm l ) ^ ^ hk h6=l ( ^ jnh (^sj h _ pj h _ _ qj h)) l ; : : : ; qm l 2 Sm l , pj where pm h; : : : ; qj h 2 Sj h, and ^sm l , ^sj h are the initial l and Uj states of Um h, respectively. L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 9 / 31

26. System Model Parameterized Networks of Timed Automata - 2 Network of TA with Conjunctive Guards: P(n1) jj 1 : : : jjP(nm) m guards in l have the form: ^ mnl m6=i (^sm l _ pm l _ _ qm l ) ^ ^ hk h6=l ( ^ jnh (^sj h _ pj h _ _ qj h)) l ; : : : ; qm l 2 Sm l , pj where pm h; : : : ; qj h 2 Sj h, and ^sm l , ^sj h are the initial l and Uj states of Um h, respectively. L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 9 / 31

27. System Model Network Semantics Con

28. guration: (hs1; u1i; : : : ; hsm; umi) sl : [1::nl ] ! Sl maps an instance to its current state, and ul : [1::nl ] ! (Cl ! R0), maps an instance to its clock function Continuous time model Steps delay: clocks update, local states unchanged local: local state changes instantaneously, guard must hold State invariants: 8i 2 [1; nl ] : ul (i) j= I i l (sl (i )) Interleaving semantics L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 10 / 31

37. Speci

38. cation You are here... 1 Intro 2 System Model 3 Speci

40. Speci

41. cation ITCTL? - Syntax Indexed-Timed CTL? Syntax ::= j p(il ) j ^ j : j A j V il ::= j ^ j : j Uc where 2 f;;;g Example ^ i6=j AG0!(CS mypid(i) ^ CS mypid(j)) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 12 / 31

42. Speci

43. cation ITCTL? - Syntax Indexed-Timed CTL? Syntax ::= j p(il ) j ^ j : j A j V il ::= j ^ j : j Uc where 2 f;;;g Example ^ i6=j AG0!(CS mypid(i) ^ CS mypid(j)) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 12 / 31

44. Speci

45. cation ITCTL? - Semantics Semantics c j= V p(il ) i p(il ) = state(c(l ; i)) c j= il (il ) i 8i 2 [1; nl ] : c j= (il ) c j= A i 8 2 paths(c) : j= j= 1 Uc 2 i 9t0 c : bt0 j= 2 ^ 8t 2 [0; t0) : bt j= 1 where c is a con

46. guration is a path; bt is a sux originating at time t 2 f;; ; ;=g L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 13 / 31

47. Cuto Theorems You are here... 1 Intro 2 System Model 3 Speci

49. Cuto Theorems Cuto Theorem for NTA with DG - 1 Monotonicity Lemma (i) P(1) 1 jjP(n) 2 j= E(12) ) P(1) 1 jjP(n+1) 2 j= E(12) (ii) P(1) 1 jjP(n) 2 j= E(11) ) P(1) 1 jjP(n+1) 2 j= E(11) where is a MITL formula Proof idea: in the big system, every instance behaves as in the small one, except the (n + 1)-th that stutters in its initial state L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 15 / 31

50. Cuto Theorems Cuto Theorem for NTA with DG - 1 Monotonicity Lemma (i) P(1) 1 jjP(n) 2 j= E(12) ) P(1) 1 jjP(n+1) 2 j= E(12) (ii) P(1) 1 jjP(n) 2 j= E(11) ) P(1) 1 jjP(n+1) 2 j= E(11) where is a MITL formula Proof idea: in the big system, every instance behaves as in the small one, except the (n + 1)-th that stutters in its initial state L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 15 / 31

51. Cuto Theorems Cuto Theorem for NTA with DG - 2 Bounding Lemma (i ) 8n c2:P(1) 1 jjP(n) 2 j= E(12) i P(1) 1 jjP(c2) 2 j= E(12) (ii) 8n c1:P(1) 1 jjP(n) 2 j= E(11) i P(1) 1 jjP(c1) 2 j= E(11) where is a MITL formula, c1 = 2jP2j and c2 = 2jP2j + 1 Proof idea: given a path x in the big system,

52. nd a path y in the small one, such that: instances 11 and 12 are mimicked exactly instance 22 is any instance with in

53. nite behavior instances i2, for i 3 are for detecting deadlock L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 16 / 31

54. Cuto Theorems Cuto Theorem for NTA with DG - 2 Bounding Lemma (i ) 8n c2:P(1) 1 jjP(n) 2 j= E(12) i P(1) 1 jjP(c2) 2 j= E(12) (ii) 8n c1:P(1) 1 jjP(n) 2 j= E(11) i P(1) 1 jjP(c1) 2 j= E(11) where is a MITL formula, c1 = 2jP2j and c2 = 2jP2j + 1 Proof idea: given a path x in the big system,

55. nd a path y in the small one, such that: instances 11 and 12 are mimicked exactly instance 22 is any instance with in

56. nite behavior instances i2, for i 3 are for detecting deadlock L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 16 / 31

57. Cuto Theorems Cuto Theorem for NTA with DG - 3 Cuto Theorem 8(n1; : : : ; nk ) : P(n1) 1 jj : : : jjP(nk ) k j= i 8(d1; : : : ; dk ) (c1; : : : ; ck ) : P(d1) 1 jj : : : jjP(dk ) k j= Follows from Monotonicity Lemma, Bounding Lemma and duality of E/A path quanti

58. ers Trace equivalence of small and big systems (restricted to 1st instance) Smaller cutos: c1 = 1; c2 = 2 for Einf=Ainf c1 = 1; c2 = 1 for E

59. n=A

60. n L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 17 / 31

63. n=A

67. n=A

71. n=A

73. Cuto Theorems Complexity of Parameterized Model Checking Problem PMCP for Timed Systems with Conjunctive Guards is: UNDECIDABLE for 2 ITCTL? DECIDABLE and 2-EXPSPACE for 2 IMITL DECIDABLE and EXPSPACE for 2 TCTL L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 18 / 31

74. An example You are here... 1 Intro 2 System Model 3 Speci

76. An example Example: Fischer's Protocol - 1 v = 0; c := 0 v := PID; c := 0 v = PID; c k start init b1 b2 cs v6= PID; c k v := 0 Standard process de

77. nition in Fischer's protocol c: local clock variable k: timeout constant v: shared integer variable PID: integer constant, unique for every process L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 20 / 31

78. An example Example: Fischer's Protocol - 2 Abstracting PID variable v1 start v0 v2 Figure: V: a shared variable start dipid mypid Figure: W: a process-centric view of a shared PID variable L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 21 / 31

79. An example Example: Fischer's Protocol - 3 Resulting model: P00 = (P W) (with conjunctive guards) P: standard process de

80. nition in Fischer's protocol W: process abstraction of shared PID variable conjunctive guards: obtained translating guards (v = PID, v6= PID) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 22 / 31

81. An example Example: Fischer's Protocol - 4 Simpli

82. cation: removed states without incoming transition Lower the required cuto (9 = 2 * 4 + 1) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 23 / 31

83. An example Example: Fischer's Protocol - 5 Veri

84. cation results FVormula Out Time (s) Mem (M) Vi EF(CS mypid(i)) T 0.01 155.2 Vi6=j AG!(CS mypid(i ) ^ CS mypid(j)) T 30.1 155.2 i AF(CS mypid(i)) F 0.59 155.2 L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 24 / 31

85. Final discussion You are here... 1 Intro 2 System Model 3 Speci

87. Final discussion Some take-home messages Cuto theorems are useful for verifying real-time systems in practice May be non optimal :-/ Systems are too complex (i.e. infeasible) Veri

88. cation chains needs to be de

89. ned (i.e. abstractions . . . ) Conjunctive guards can be used to abstract PID variables For the future: Extend cuto for timed systems with disjunctive guards (pairwise rendezvous don't admit cuto!) Explore systems mixing templates with CG/DG (but not arbitrary boolean formula: PMCP is UNDECIDABLE!) Compute cuto for speci

90. c process templates Verify more complex benchmarks/real-world examples (suggestions are welcome :-)) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 26 / 31

127. Final discussion So long and thanks for all the

128. sh L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 27 / 31

129. Some approaches to PMCP Abstraction (precise, CEGAR, . . . ) Proof theoretic Inductive invariants Satis

130. ability Modulo Theories plus: semi-automatic minus: semi-automatic Cuto upper bound to the number of copies for each process template plus: automatic, modular approach (reuse model checkers) minus: complexity may be high (i.e. non optimal) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 28 / 31

131. Parameterized Veri

132. cation of Timed Systems Several formalisms (Timed Automata, Hybrid Systems, . . . ) Some results on parameterized veri

133. cation Controller state reachability is undecidable in multi-clock dense timed networks (Abdulla et al., 2004) Controller state reachability is decidable in multi-clock discrete timed networks (Abdulla et al., 2004) Recurrent state problem is undecidable in timed networks (Abdulla and Jonsson, 2003) All these results require synchronous rendezvous . . . No results on cutos for timed systems No rendezvous (parameterized rendezvous systems don't have cuto) L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 29 / 31

143. Cuto for Timed Systems - Simple solution reuse (untimed) cuto theorem 1 design timed process template 2 apply clock/zone abstraction 3 compute cuto on abstract states and instantiate 4 model check plus: no need for theoretical results minus: high cuto, cannot reuse model checkers for timed systems L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 30 / 31

146. Cuto for Timed Systems - Alternative solution prove timed cuto theorems 1 design timed process template 2 compute cuto on original template and instantiate 3 model check plus: the timed cuto theorems can be reused, can reuse existing model checkers for timed systems, the cuto is smaller minus: required some theoretical eort L. Spalazzi, F. Spegni (UnivPM, Ancona) PMC for Timed Systems with Conj. Guards VSTTE 2014 31 / 31

Parameterized Model Checking for Timed Systems with Conjunctive Guards

Recomendados

Recomendados

Más contenido relacionado

Similar a Parameterized Model Checking for Timed Systems with Conjunctive Guards

Similar a Parameterized Model Checking for Timed Systems with Conjunctive Guards (20)

Último

Último (20)

Parameterized Model Checking for Timed Systems with Conjunctive Guards