1 / 103

Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur ,

I ntroduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification. Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur , with further contributions from: Andrea Mattioli , Paritosh Pandya , Yusi Ramadian.

walden
Télécharger la présentation

Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur ,

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Formal Methods for SW and HW Development11 - Timed and Hybrid Systems:Formal Modeling and Verification Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur, with further contributions from: Andrea Mattioli, Paritosh Pandya, Yusi Ramadian

  2. Trends in Model-Based Design • Emerging notations: UML,Stateflow • Visual, Hierarchical, Object oriented • Simulation, code generation • Steady progress in model checking tools • Control design employs tools (Matlab…) • Opportunities to influence design tools • Typically, semantics is not formal • Typically, only simulation is supported • ….

  3. model yes Model Checker temporal property error-trace Advantages Automated formal verification, Effective debugging tool Increasing industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Obstacles Scalability is still a problem (about 500 state vars) Effective use requires great expertise A great success story for CS theory impacting practice (see 2007 Turing award), and a vibrant area of research

  4. State machines + Dynamical systems x>68 off on dx=-k’x x>60 dx=kx x<70 x<63 Hybrid Modeling (notation: “dx” abbreviation of “dx/dt”)

  5. Automotive Applications

  6. Coordination Protocols

  7. Interacting Autonomous Robots

  8. Physics-based Animation

  9. Biomolecular Regulatory Networks

  10. Overview • Timed systems: Modeling and Semantics • Timed automata • Symbolic Reachability Analysis for Timed Systems • Making the state space finite • Region automata • Zone automata • Hybrid Systems: Modeling and Semantics • Hybrid automata • Symbolic Reachability Analysis for Hybrid Systems • Linear Hybrid Automata • Approximations of reachable sets

  11. Acknowledgements • Thanks for providing slides & material to: • Rajeev Alur & colleagues (Penn University) • Paritosh Pandya (IIT Bombay) • Andrea Mattioli, Yusi Ramadian (Univ. Trento) • Disclaimer: • Very introductive • Only very-partial coverage • Mostly computer-science centric

  12. Part 1. Timed Systems:Modeling and Semantics

  13. Outline: Part 1 • Timed Automata

  14. Timed Automata

  15. Simple Light Control Press? Off Light Bright Press? Press? Press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

  16. Simple Light Control Press? X<=3 Off Light Bright X:=0 Press? Press? X>3 Press? Solution: Add real-valued clock x Adding continuous variables and constraints to state machines

  17. Modeling : timing constraints • Finite graph + finite set of (real-valued) clocks • vertices  locations • Time can elapse • Constraint ( invariant ) • edges  switches • Reset a clock • Constraints • Meaning of a clock value: time elapsed since the last time it was reset.

  18. 2 kinds of transitions: a (n , x=2.4 , y=3.1415 ) (m , x=0 , y=3.1415 ) wait(1.1) (n , x=2.4 , y=3.1415 ) (n , x=3.5 , y=4.2415 ) Timed Automata Clocks:x, y n Guard Boolean combination of comparisons with integer bounds Reset Action performed on clocks Action used for synchronization x<=5 & y>3 State (location , x=v , y=u ) where v,u are in R a x := 0 m

  19. Adding Invariants n Clocks:x, y x<=5 Transitions x<=5 & y>3 wait(3.2) Location Invariants (n , x=2.4 , y=3.1415 ) a wait(1.1) (n , x=2.4 , y=3.1415 ) (n , x=3.5 , y=4.2415 ) x := 0 m y<=10 g4 g1 Invariants ensure progress!! g3 g2

  20. Timed Automata: Formal Syntax • timed automaton A = • L = locations; = initial locations • ∑ = labels • X = clocks • I = Invariants • = set of switches (edges) a switch = • s, s’ = locations • a = label • φ = clock constraints • = clocks to be reset

  21. Clock constraints and clock interpretations • Set of clock constraints grammar :  only allow comparison of a clock and a constant • clock interpretation ν : X={x,y,z} , ν(X) = {1.0, 1.5, 0} • = clock interpretation after δ time ν(X)+δ = {1.2, 1.7, 0.2} • = assigns 0 to each x Y Y={y,z}; ={1.0, 0, 0}

  22. Example location switch invariant • Clocks { x , y }, can be re/set independently • x is reset to 0 from s0 to s1 on a • switch c happens within 1 time-unit from a because of constraints in s1 and s2 • delay between b and the following d is >2 • no explicit bounds on time difference between event a-b or c -d

  23. Semantics • Semantics of A defined in terms of a (infinite) transition system SA = < Q,Q0, →, ∑>, s.t.: • Q = {(s, ν)} • Q0= {(s, ν)} where s L0and ν(x)=0 • → : • State change due to elapse of time • State change due to a location switch • ∑ = set of labels of A

  24. State change in transition system • (q,0) • Initial state

  25. State change in transition system • (q,0) (q,1.2) = state change due to elapse of time

  26. State change in transition system • (q,0) (q,1.2) (q’,1.2) = state change due to a location switch • q q and q q’ = q q’

  27. Example: LightSwitch push • Switch may be turned on whenever at least 2 time units has elapsed since last “turn off” • Light automatically switches off after 9 time units. push click

  28. Example: Light Switch (cont.) push push click

  29. Remark : non-zenoness • When the invariant is violated some edge must be enabled • Automaton should admit the possibility of time to diverge

  30. Combination of systems • Complex system = product of interacting transition systems • S1= and S2= • Product = S1||S2 = • Transition iff : • Label a belongs to both alphabets  synchronized (synchronization is blocking: an a-labeled switch cannot be shot singularly) • Label a only in the alphabet of S1  asynchronized • Label a only in the alphabet of S2  asynchronized

  31. Transition product • ∑1 = {a, b} • ∑2 = {a, c}

  32. Train – gate controller • Desired property: AG(s2 -> t2)

  33. Product Construction x:=0,z:=0 x≤5 z≤1 x>2 y:=0, z=1

  34. Part 2. Symbolic Reachability Analysis for Timed Systems

  35. Outline: Part 2 • Reachability analysis • Making the state space finite • Region automata • Zone automata

  36. Reachability Analysis • Verification of safety requirement: reachability problem • Input: a time-automaton A and a set of target locations • Determining whether LF is reachable in a timed automaton A • Location s of A is reachable if some state q with location component s is a reachable state of the transition system SA

  37. Timed/hybrid Systems: problem The transition system SA associated to A has infinitely-many states & symbols: Is finite state analysis possible? Is reachability problem decidable?

  38. Idea: Finite Partitioning Goal: To partition state-space into finitely many equivalence classes so that equivalent states exhibit similar behaviors

  39. Reachability analysis Infinite set of actions Infinite set of states. Timed Automaton SA Semantics Time abstraction Finite set of actions Infinite set of states. Time-abstract automaton Regions Quotient Region Automaton Both states and actions are finite sets

  40. Outline: Part 2 • Reachability Analysis • Making the state space finite • Region automata • Zone automata

  41. Timed Vs Time-Abstract Relations Transition system associated with a timed/hybrid automaton A: • SA: Labels on continuous steps are delays in R • Actual delays are suppressed (all continuous steps have same label): Time-abstract UA

  42. Time-abstract transition system UA • Only change due to location switch stated explicitly • Cut system to finitely many labels • UA(instead of SA) allows for capturing untimed properties (e.g., reachability, safety)

  43. Stable quotients Stable according to the transition • Cut to finitely many states • Collapse equivalent states • Stable equivalence relation  • Quotient of UA = transition system [UA]~

  44. LF-sensitive equivalence relation • Equivalence relation ~ = LF-sensitive • All equivalent states in a class belong to either LF or not LF

  45. Outline: Part 2 • Reachability Analysis • Making the state space finite • Region Automata • Zone automata

  46. Region Equivalence over clock interpretation • x = 3.7 • Integral part : = 3.0 • Fractional part = fr(ν(x)) = 0.7 • iff • For all x, the integral part is the same or both exceed cx pict. (cx : max constant x is compared to) • For all x, y with ν(x) ≤ cx and ν(y) ≤cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) pict. • For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0 pict next

  47. Constraint 1 For all x, the integral part is the same or both exceed cx = = 1 back

  48. Constraint 2 For all x, y with ν(x) ≤ cx and ν(y) ≤cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) (fr(v(x)) = fr(v(y))) (fr(v(x)) ,fr(v(y))) (fr(v’(x)) ,fr(v’(y))) back

  49. Constraint 3 For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0 fr(ν(x)) =0 fr(ν’(x)) =0 back

  50. Clock regions 2 clocks x, y. cx = 2, cy = 1 • 8 open regions • 14 open line segments • 6 corner points • Clock region: equivalence class of clock interpretation  finite • Max number of regions = • (k is the number of clocks) • Number of clock regions exponential in the encoding of the clock constraints

More Related