Model Checking Timed Automata

Model Checking Timed AutomataMaterial from “Principles of Model Checking” by C. Baier and J-.P Katoen

Borzoo Bonakdarpour

School of Computer ScienceUniversity of Waterloo

November 24, 2013

B. Bonakdarpour (School of Computer ScienceUniversity of Waterloo)Model Checking Timed Automata November 24, 2013 1 / 18

Outline

1 Timed Computation Tree Logic (TCTL)

2 TCTL Model Checking

Presentation outline

Timed Computation Tree Logic (TCTL)

Definition (Syntax of TCTL)

Formulae in TCTL are either state or path formulae. TCTL state formulae over the setAP of atomic propositions and set C of clocks are formed according to the followinggrammar:

Φ ::= true | a | g | Φ ∧ Φ | Eϕ | Aϕ

where a ∈ AP, g ∈ ACC(C) and ϕ is a path formula defined by:

ϕ ::= ΦUJ Φ

where J ⊆ R≥0 is an interval whose bounds are natural numbers.

TCTL Tempral Abbreviations

♦JΦ = true UJ Φ

E�JΦ = ¬A♦J¬Φ

A�JΦ = ¬E♦J¬Φ

TCTL Interval Abbreviations

Intervals are often denoted by shorthand, e.g., ♦≤2 denotes ♦[0,2] and �>8 denotes �(8,∞)

TCTL Tempral Abbreviations

♦JΦ = true UJ Φ

E�JΦ = ¬A♦J¬Φ

A�JΦ = ¬E♦J¬Φ

TCTL Interval Abbreviations

Intervals are often denoted by shorthand, e.g., ♦≤2 denotes ♦[0,2] and �>8 denotes �(8,∞)

Example

Consider the following timed automata

Example

The property:

“the light cannot be continously switched on for more than 2 minutes”

is expressed by the TCTL formula:

A�(on→ A♦>2¬on)

Example

Consider the following timed automata

Example

The property:

“the light cannot be continously switched on for more than 2 minutes”

is expressed by the TCTL formula:

A�(on→ A♦>2¬on)

Semantics of TCTL

Definition (Satisfaction relation for TCTL)

Let TA = (L,Σ,E ,C , L0, I ) be a timed automaton, a ∈ AP, g ∈ ACC(C), and J ⊆ R≥0.For state s = 〈l , ν〉 in TS(TA) and TCTL formulea Φ and Ψ, and TCTL path formula ϕ,the satisfaction relation |= is defined for state formulae by

s |= true

s |= a iff a ∈ Label(l)

s |= g iff ν |= g

s |= ¬Φ iff not s |= Φ

s |= Φ ∧ Ψ iff (s |= Φ) ∧ (s |= Ψ)

s |= Eϕ iff π |= ϕ for some π ∈ Pathsdiv (s)

s |= Aϕ iff π |= ϕ for all π ∈ Pathsdiv (s)

Semantics of TCTL (cont’d)

Definition (Satisfaction relation for TCTL (con’d))

For a time-divergent path π = s0d0==⇒ s1

d1==⇒ . . . , the satisfaction relation |= for pathformulae is defined by:

π |= ΦUJ Ψ iff ∃i ≥ 0.si + d |= Ψ for some d ∈ [0, di ] with

i−1∑k=0

dk + d ∈ J and

∀j ≤ i .sj + d ′ |= Φ ∨ Ψ for any d ′ ∈ [0, dj ] with

j−1∑k=0

dk + d ′ ≤i−1∑k=0

dk + d

where for si = 〈li , νi 〉 and d ≥ 0, we have si + d = 〈li , νi + d〉

Semantics of TCTL (cont’d)

Definition (TCTL Semantics fot Timed Automata)

A timed automaton TA satisfies a TCTL formula Φ iff s0 |= Φ for each initial state s0 ofTA.

Presentation outline

Reduction to CTL Model Checking

Given a time automaton TA and a TCTL formula Φ, our goal is to find a finite transitionsystem S and an CTL formula Φ̂, such that

TA |=TCTL Φ iff R(TA,Φ) |=CTL Φ̂

Input: timed automaton TA and TCTL formula Φ (both overpropositions AP and clocks C .

Output: TA |= Φ

1 Φ̂ := eliminate the timing parameters from Φ;

2 determine the clock equivalence classes under ∼=;

3 construct the region transition system TS = R(TA,Φ);

4 apply the CTL model checking algorithm to check TS |= Φ̂

5 TA |= Φ if and only if TS |= Φ̂

Algorithm 1: A recipe for TCTL model checking

Elimination of Timing Parameters

Notation

For clock evaluation ν, z 6∈ C , and d ∈ R≥0, let ν{z := d} denote the clock valuation forC ∪ {z} that extends ν by setting z to d while keeping the value of all other clocksunchanged:

ν{z := d}(x) =

{ν(x) if x ∈ C

d if x = z(1)

Notation

Let TA be a timed automaton over clocks C . For state s = 〈l , ν〉 in TS(TA) lets{z := d} denote the state, ν{z := d}. Note that s{z := d} is a state in TS(TA⊕ z)where TA⊕ z is the timed automaton TA with the set of clocks C ∪ {z}.

Notation

For clock evaluation ν, z 6∈ C , and d ∈ R≥0, let ν{z := d} denote the clock valuation forC ∪ {z} that extends ν by setting z to d while keeping the value of all other clocksunchanged:

ν{z := d}(x) =

{ν(x) if x ∈ C

d if x = z(1)

Notation

Let TA be a timed automaton over clocks C . For state s = 〈l , ν〉 in TS(TA) lets{z := d} denote the state, ν{z := d}. Note that s{z := d} is a state in TS(TA⊕ z)where TA⊕ z is the timed automaton TA with the set of clocks C ∪ {z}.

Theorem

Let TA be timed automaton (L,Σ,C ,E , L0, I ), and ΦUJ Ψ a TCTL formula over C andAP. For clock z 6∈ C and for any state s of TS(TA) it holds that

1 s |=TCTL E(ΦUJ Ψ) iff s{z := 0} |=CTL E((Φ ∨Ψ)U ((z ∈ J) ∧Ψ)).

2 s |=TCTL A(ΦUJ Ψ) iff s{z := 0} |=CTL A((Φ ∨Ψ)U ((z ∈ J) ∧Ψ)).

Example

Light Switch Consider the following timed automaton TA and the TCTL formulaΦ = E♦≤1on.

x ≤ 1

x = 1switch on

x := 0

x = 1switch off

As a first step, Φ is replaced by Φ̂ = E♦((z ≤ 1) ∧ on) and TA is equipped with anadditional clock z . The maximal constants for the clocks x and z are cx = 1 and cz = 1.The region transition system TS = R(TA⊕ z ,Φ) is on the next slide.

Example (con’d)

Example

Light Switch (cont’d)

offx = 0z = 0

off0 < x < 10 < z < 1

offx = 1z = 1

offx > 1z > 1

onx = 0z = 1

on0 < x < 1

onx = 1z > 1

offx = 1z > 1

onx = 0z > 1

sw off

Example (con’d)

Example

Light Switch (cont’d) The state region

〈on, [x = 0, z = 1]〉 |= (z ≤ 1) ∧ on

and is reachable from the initial state region. Therefore,

TS |=CTL E♦((z ≤ 1) ∧ on)

and thusTA| = E♦≤1on

Handling Multiple Clocks

Eliminating Multiple Clocks

A simple way of treating formulae with nested time bounds is to introduce a fresh clockfor each subformula.

Example

For example, the followling TCTL formula

Φ = A�≥3E♦]1,2]on

is transformed into:

Φ̂ = A�((z1 ≥ 3) ⇒ E♦(z2 ∈]1, 2]) ∧ on))

Model Checking Timed Automata

Documents

Transcript of Model Checking Timed Automata

Formal Verification of Multitasking Applications …hanzalek/publications/...Keywords: Formal methods, Verification, Model-checking, Timed automata, OSEK/VDX, Multitasking 1 Introduction

A theory of timed automata* - CMI

MODEL CHECKING PROBABILISTIC PUSHDOWN AUTOMATA · PDF filemodel checking probabilistic pushdown automata ... (ppda) and properties ... model checking probabilistic pushdown automata

Priced Timed Automata - Aalborg Universitetpeople.cs.aau.dk/~kgl/China2011/Slides/L4 Scheduling PTA.pdf · Priced Timed Automata Optimal Scheduling ... Optimal rescue plan for cars

Timed Automata Rajeev Alur - Information Science and

Robustness and Implementability of Timed Automata

Statistical Model CheckingModel Checking for Timed Automata

MODEL CHECKING PROBABILISTIC TIMED AUTOMATA WITH … · Logical Methods in Computer Science Vol. 4 (3:12) 2008, pp. 1–28 Submitted Sep. 3, 2007 Published Sep. 26, 2008 MODEL CHECKING

Lecture 3. Reachability Analysis - cis.upenn.edualur/Talks/hl3.pdf · Symbolic Reachability Analysis " Timed Automata (Kronos, ... We focus on checking invariants of a single state

Timed Automata

Lazy Reachability Checking for Timed Automata with ...spinroot.com/spin/symposia/ws18/SPIN_2018_paper_6.pdf · checking, and in particular for model checking software. It consists

Model Checking Timed Recursive CTL

Timed Automata: Semantics, Algorithms and Toolspeople.cs.aau.dk/~adavid/UDBM/materials/by04-bookchapter.pdf · Concurrency and Communication To model concurrent systems, timed automata

Fault Diagnosis for Timed Automata

Parallel & Distributed Statistical Model Checking for Parameterized Timed Automata

Timed Automata - RWTH Aachen University

A theory of timed automata

Transforming VHDL to Timed Automata

From Time Petri Nets to Timed Automata · From Time Petri Nets to Timed Automata 227 systems. It has been shown that model-checking a quantitative real-time logic, called TCTL, is

From Timed Automata to Stochastic Hybrid Games