CLASSIC Modelling, Specification, and Verification

Transcription

1 CLASSIC Modelling Specification and Verification using UPPAAL Kim Guldstrand Larsen

2 Modelling using Finite State Machines

3 Modelling processes UC b A process is the execution of a sequential program. modeled as a finite state machine LTS transits from state to state by executing a sequence of atomic actions. a light switch LTS on off on off on off. a sequence of actions or trace Kim G. Larsen 3

4 Modelling Choices UC b Who or what makes the choice? Is there a difference between input and output actions? Kim G. Larsen 4

5 Non-deterministic Choice UC b Tossing a coin Possible traces? Both outcomes possible Nothing said about relative frequency If coin is fair the outcome is 50/50 Kim G. Larsen 5

6 Non-Deterministic Choice modelling failure UC b How do we model an unreliable communication channel which accepts packets and if a failure occurs produces no output otherwise delivers the packet to the receiver? Use non-determinism... Kim G. Larsen 6

7 Internal-Actions UC b Spontaneous actions Internal actions Tau-actions Internal transitions can be taken on the initiative of a single machine without communication with others Kim G. Larsen 7

8 Extended FSM UC b EFSM = FSM + variables + enabling conditions + assignments Transition still atomic Can be translated into FSM if variables have bounded domain State: control location + variable values: stateamountcapacity s0510 Kim G. Larsen 8

9 Parallel Composition: interleaving UC b Flipper 2 states Speaker 3 states 2*3 states Lecturer = Speaker Flipper from Flipper Kim G. Larsen from Speaker 9

10 Process Interaction! = Output? = Input Handshake communication Two-way Coffee Machine Lecturer UC b University= Coffee Machine Lecturer LTS? How many states? Traces? 4 states 4 states synchronization results in internal actions 4 states:interaction constrain overall behavior Kim G. Larsen 10

11 Adding Time

12 Wang Yi Paul Pettersson John Håkansson Anders Hessel Pavel Krcal Leonid Mokrushin Kim G Larsen Gerd Behrman Arne Skou Brian Nielsen Alexandre David Jacob I. Rasmussen Marius Mikucionis Thomas Chatain Emmanuel Fleury Didier Lime Johan Bengtsson Fredrik Larsson Kåre J Kristoffersen Tobias Amnell Thomas Hune Oliver Möller Elena Fersman Carsten Weise David Griffioen Ansgar Fehnker Frits Vandraager Theo Ruys Pedro D Argenio J-P Katoen Jan Tretmans Judi Romijn Ed Brinksma Martijn Hendriks Klaus Havelund Franck Cassez Magnus Lindahl Francois Laroussinie Patricia Bouyer Augusto Burgueno H. Bowmann D. Latella M. Massink G. Faconti Kristina Lundqvist Lars Asplund Justin Pearson...

13 Real Time Systems Plant Continuous Eg.: Realtime Protocols Pump Control Air Bags Robots Cruise Control ABS CD Players Production Lines sensors actuators Controller Program Discrete Real Time System A system where correctness not not only only depends on on the the logical order of of events but but also also on on their their timing!!

14 Real Time Model Checking Plant Continuous Model of environment user-supplied / non-determinism b a c b a c sensors actuators UPPAAL Model 4 Controller Program Discrete Model of tasks automatic? 1 2 SAT φ a?? b c 3 4

15 Real Time Control Synthesis Plant Continuous Model of environment user-supplied b a c b a c sensors actuators Controller Program Discrete?? Partial UPPAAL Model Synthesis of tasks/scheduler automatic SAT φ!! SAT a φ!! b c

16 Real-time Model-Based Testing Plant Continuous Test generation offline or online wrt. Design Model b a c b a c sensors actuators inputs outputs UPPAAL Model 3 4 Controller Program Discrete Conforms-to? 4 4 b a c

17 UPPAAL Graphical Design Tool Tool timed automata = state machines + clocks communication datatypes user user defined functions cost cost variable

18 UPPAAL Graphical Simulator visualization and and recording inexpensive fault fault detection inspection of of error traces Message Sequence Charts Gannt Charts

19 UPPAAL Verifier Exhaustive & automatic checking of of requirements.... including validating safety liveness bounded liveness and and response properties.... generation of of debugging information for for visualisation in in simulator. Optimal scheduling for for cost cost models

20 Impact UPPAAL downloads y = 3236x x Date UPPAAL downloads Year Google: UPPAAL: SPIN Verifier: nusmv: > Google Scholar Citations Rhapsody/Esterel < Downloads per month Total number of Dowloads

21 Impact Academic DTU MCI IT-U DK Chalmers LinköpingLund Chalmers Mälardalarn S Nijmegen Twente CWI NL Upenn NorthumbriaUS Braunschweig Oldenborg Marktoberdorf D Tsinghua Shanghai ISS NUS Asia

22 Impact Tutorials Estonian School 01 IPA Fall Days 01 FTRTFT 02 CPN 02 SFM 02 MOVEP 02 DISC School 03 MOVEP 04 PRISE 04 PDMC 05 ARTIST2 05 EMSOFT 05 RTSS 05 TECS week 06 TAROT 06 ARTS 06 GLOBAN 06 ARTIST ASIAN SCH 07

23 Impact Company Downloads Mecel Jet Symantec SRI Relogic Realwork NASA Verified Systems Microsoft ABB Airbus PSA Saab Siemens Volvo Lucent Technologies

24 Timed Automata Alur & Dill 1989

25 Dumb Light Control Off Light Bright WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

26 Dumb Light Control Alur & Dill 1990 x:=0 Off Light Bright x>3 x 3 Solution: Add real-valued clock x

27 Timed Automata review Alur & Dill 1990 Action used for synchronization n x<=5 & y>3 a x := 0 m Discrete Trans Delay Trans Clocks: x y Transitions Guard Boolean combination of integer bounds on clocks Reset Action performed on clocks State location x=v y=u where vu are in R n x=2.4 y= a m x=0 y= n x=2.4 y= e1.1 n x=3.5 y=4.2415

28 Timed Automata Alur & Dill 1990 Reset x:=0 Off Light Bright x: realvalued clock States: States: location location x=v x=v where where v R v R x>3 x 3 Synchronizing action Guard Conjunctions of x~n Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=2.51 x=2.51 Bright Bright x=2.51 x=2.51

33 Intelligent Light Control Using Invariants x:=0 Off Light Bright x:=0 x:=0 x=100 x 100 x 3 x:=0 x>3 x:=0 x=100 X:=0 x 100 X<=3 x:=0 Off Light Bright X>3

34 Timed Automata review Invariants Location Invariants n x<=5 x<=5 & y>3 a x := 0 m y<=10 g4 g1 g2 g3 Clocks: x y Transitions n x=2.4 y= e3.2 e1.1 n x=2.4 y= n x=3.5 y= Invariants ensure progress!!

35 Intelligent Light Control Using Invariants x:=0 x=100 x:=0 Off Light Bright x:=0 x=100 Transitions: Transitions: Off Off x=0 x=0 delay delay Off Off x=4.32 x=4.32 Light Light x=0 x=0 delay delay Light Light x=4.51 x=4.51 Light Light x=0 x=0 delay delay Light Light x=100 x=100 τ Off Off x=0 x=0 τ x 100 x 3 x:=0 x>3 x:=0 x 100 x:=0 X Note: Note: Light Light x=0 x=0 delay delay Invariants ensures progress

36 Example With two clocks a b c Reachable?

37 Example With two clocks y a c b L0x=0y=0 x Reachable?

38 Example With two clocks y a c b ε1.4 L0x=0y=0 ε1.4 L0x=1.4y=1.4 x Reachable?

39 Example With two clocks y a c b ε1.4a L0x=0y=0 ε1.4 L0x=1.4y=1.4 a L0x=1.4y=0 x Reachable?

40 Example With two clocks y a c Reachable? b ε1.4a a ε1.6 L0x=0y=0 ε1.4 L0x=1.4y=1.4 a L0x=1.4y=0 ε1.6 L0x=3.0y=1.6 a L0x=3.0y=0 x

41 Networks x:=0 Light Controller & User x=100 Off Light Bright Rest x:=0 Synchronization y 10 y:=0 x:=0 press! press! x=100 x 100 y:=0 Busy y 10 x 3 x:=0 x>3 x:=0 x 100 x:=0 Transitions: Transitions: Off Off Rest Rest x=0 x=0 y=0 y=0 delay delay Off Off Rest Rest x=20 x=20 y=20 y=20!! Light Light Busy Busy x=0 x=0 y=0 y=0 delay delay 2 2 Light Light Busy Busy x=2 x=2 y=2 y=2!! Bright Bright Rest Rest x=0 x=0 y=0 y=0

42 Networks of Timed Automata a la CCS l1 m1 x>=2 y<=4 a! a? x := 0 l2 m2 Example transitions. Two-way Two-way synchronization synchronization on on complementary complementary actions. actions. Closed Closed Systems! Systems! l1 m1 x=2 y=3.5.. tau l2m2..x=0 y= l1m1 x=2.2 y=3.7.. If a URGENT CHANNEL

43 Timed Automata Formally

44

45

46

47

48 Timed Automata: Example location action guard a reset-set

49 Timed Automata: Example guard location action a reset-set a a

50 Timed Automata: Example x 3 a Invariant

51 Timed Automata: Example x 3 a a a a Invariant

52 Brick Sorting

53 LEGO Mindstorms/RCX Sensors: temperature light rotation pressure. Actuators: motors lamps Virtual machine: 10 tasks 4 timers 16 integers. Several Programming Languages: 3 output ports 1 infra-red port NotQuiteC Mindstorm Robotics legos etc. 3 input ports

54 A Real Real Timed System The Plant Conveyor Belt & Bricks Controller Program LEGO MINDSTORM

55 First UPPAAL model Sorting of Lego Boxes Ken Tindell Boxes Conveyer Belt Blck Yel Controller MAIN PUSH eject remove Black Piston 99 Red Exercise: Design Controller so that black boxes are being pushed out

56 NQC programs int int active; active; int int DELAY; DELAY; int int LIGHT_LEVEL; LIGHT_LEVEL; task task MAIN{ MAIN{ DELAY=75; DELAY=75; LIGHT_LEVEL=35; LIGHT_LEVEL=35; active=0; active=0; task task PUSH{ PUSH{ SensorIN_1 SensorIN_1 IN_LIGHT; IN_LIGHT; whiletrue{ whiletrue{ FwdOUT_A1; FwdOUT_A1; waittimer1>delay && && active==1; active==1; Display1; Display1; active=0; active=0; RevOUT_C1; RevOUT_C1; start start PUSH; PUSH; Sleep8; Sleep8; FwdOUT_C1; FwdOUT_C1; whiletrue{ whiletrue{ Sleep12; Sleep12; OffOUT_C; OffOUT_C; waitin_1<=light_level; } ClearTimer1; ClearTimer1; } active=1; active=1; PlaySound1; PlaySound1; waitin_1>light_level; } }

57 A Black Brick

58 Control Tasks & Piston GLOBAL DECLARATIONS: const int ctime = 75; int[01] active; clock x time; chan eject ok; urgent chan blck red remove go;

59 From RCX to UPPAAL and back Model includes Round-Robin Scheduler. Compilation of RCX tasks into TA models. Presented at ECRTS 2000 in Stockholm. From UPPAAL to RCX: Martijn Hendriks. Task MAIN

60 The Production Cell in LEGO Course at DTU Copenhagen Production Cell Rasmus Crüger Lund Simon Tune Riemanni

61 Light Control Interface

62 Light Control Interface User release? release? Interface Light touch! touch! starthold! starthold! endhold! endhold! Control Program L++/L--/L:=0 L++/L--/L:=0

63 Light Control Interface User release? release? touch! touch! starthold! starthold! endhold! endhold! Control Program L++/L--/L:=0 L++/L--/L:=0

64 Networks of Timed Automata a la CCS l1 m1 x>=2 y<=4 a! a? x := 0 l2 m2 Example transitions. Two-way Two-way synchronization synchronization on on complementary complementary actions. actions. Closed Closed Systems! Systems! l1 m1 x=2 y=3.5.. tau l2m2..x=0 y= l1m1 x=2.2 y=3.7.. If a URGENT CHANNEL

65 Network Semantics s T1 X T2 = S1 S2 s 0 X μ s1 1 s 1 μ 1 X s2 s 1 X s 2 s s 1 1 s 1 s 2 0 s a! a? 1 s 1 s2 τ X 2 ed s 1 X s s s 1 1 where X A s X s s s 2 s 1 ed s 2 1 X 2 s X s s s 2 ed 2 2 μ s 2 2 μ s X 2

66 Network Semantics URGENT synchronization s T1 X T2 = S1 S2 s 0 X μ s1 1 s 1 μ 1 X s2 s 1 X s 2 s s 1 1 s 1 s 2 0 s a! a? 1 s 1 s2 τ X 2 ed s 1 X s s s 1 1 where X A s X s s s 2 s 1 ed s 2 + Urgent synchronization 1 X 2 s X s s s 2 ed 2 2 μ s 2 2 μ s X 2 d < d u UAct: ed u? ed u! s 1 s 2

67 Light Control Network release? release? touch! touch! starthold! starthold! endhold! endhold! Control Program

68 Validation Light Controller

69 Druzba: The Shower Problem

70 The Druzba MUTEX Problem Kim Gerd

71 The Druzba MUTEX Problem

72 The Druzba MUTEX Problem Using the light as semaphor

73 Overview of the UPPAAL Toolkit

74 UPPAAL s architecture Linux Windows Solaris MacOS

75 GUI Editor Simulator Verifier

76 Train Crossing Queue Stopable Area [715] [1020] Gate [35] Crossing River

77 Train Crossing Communication via channels and shared variable. appr stop Stopable Area [715] go [1020] el el [35] Crossing leave Queue empty nonempty hd addrem Gate River

78 Timed Automata in UPPAAL

79 Declarations Constants Bounded integers Channels Clocks Clocks Arrays Arrays Templates Processes Systems

80 Declarations in UPPAAL The syntax used for declarations in UPPAAL is similar to the syntax used in the C programming language. Clocks: Syntax: clock x1 xn ; Example: clock x y; Declares two clocks: x and y.

81 Declarations in UPPAAL cont. Data variables Syntax: int n1 ; Integer with default domain. int[lu] n1 ; Integer with domain l to u. int n1[m] ; Integer array w. elements n1[0] to n1[m-1]. Example: int a b; int[01] a b[5][6];

82 Declarations in UPPAAL cont. Actions or channels: Syntax: chan a ; Ordinary channels. urgent chan b ; Urgent actions see later Example: chan a b; urgent chan c;

83 Declarations UPPAAL cont. Constants Syntax: const int c1 = n1; Example: const int[01] YES = 1; const bool NO = false;

84 Timed Automata in UPPAAL Discrete Variables Resets invariants Guards Synchronizations

85 Timed Automata in UPPAAL i: = Expr Expr :: = i i[expr] n Expr Expr Discrete + Variables Expr Expr Expr Expr * Expr Expr/Expr g d?expr : Expr Resets x := Expr inv :: = x < Expr x <= Expr invinv invariants Guards g:: = g g gg c d g:: c = x Expr x y+ Expr g::expropexpr d = Synchronizations <<===>=> { } op { < <= == >= >! = }

86 Expressions used used in in guards invariants assignments synchronizations properties

87 Expressions

88 Operators

89 Guards Invariants Assignments Guards: It is side-effect free type correct and evaluates to boolean Only clock variables integer variables constants are referenced or arrays of such Clocks and differences are only compared to integer expressions Guards over clocks are essentially conjunctions I.e. disjunctions are only allowed over integer conditions Assignments It has a side effect and is type correct Only clock variable integer variables and constants are referenced or arrays of such Only integer are assigned to clocks Invariants It forms conjunctions of conditions of the form x<e or x<=e where x is a clock reference and e evaluates to an integer

90 Synchronization Binary Synchronization Broadcast Synchronization Declared like: chan a b c[3]; If a is channel then: a! = Emmision a? = Reception Two edges in different processes can synchronize if one is emitting and the other is receiving on the same channel. Declared like broadcast chan a b c[2]; If a is a broadcast channel: a! = Emmision of broadcast a? = Reception of broadcast A set of edges in different processes can synchronize if one is emitting and the others are receiving on the same b.c. channle. A process can always emit. Receivers MUST synchronize if they can. No blocking.

91 More on Types Multi dimensional arrays e.g. int b[4][2]; Array initialiser: e.g. int b[4] := { }; Arrays of channels clocks constants. e.g. chan a[3]; clock c[3]; const k[3] { }; Broadcast channels. e.g. broadcast chan a;

92 Templates Templates may be parameterised: int v; const min; const max int[0n] e; const id Templates are instantiated to form processes: P:= Ai15; Q:= Aj04; Train1:=Trainel 1; Train2:=Trainel 2;

93 Extensions Select statement Forall / Exists expressions models a non-deterministic choise x : int[042] Types Record types Type declarations Meta variables: not stored with state meta int x; forall x:int[042] expr true if expr is true for all values in [042] of x exists x:int[04] expr true if expr is true for some values in [042] of x Example: forall x:int[04]array[x];

94 Urgency & Commitment Urgent Channels Urgent Locations No delay if the synchronization edges can be taken! No clock guard allowed. Guards on data-variables. Declarations: urgent chan a b c[3]; No delay time is freezed! May reduce number of clocks! Committed Locations No delay. Next transition MUST involve edge in one of the processes in committed location May reduce considerably state space

95 Queries : Specification Language

96 Logical Specifications Validation Properties Possibly: E<> P Safety Properties Invariant: A[] P Pos. Inv.: E[] P Liveness Properties Eventually: A<> P Leadsto: P Q Bounded Liveness Leads to within: P t Q The expressions P and Q must be type safe side effect free and evaluate to a boolean. Only references to integer variables constants clocks and locations are allowed and arrays of these.

97 Logical Specifications Validation Properties Possibly: E<> P Safety Properties Invariant: A[] P Pos. Inv.: E[] P Liveness Properties Eventually: A<> P Leadsto: P Q Bounded Liveness Leads to within: P t Q

100 Logical Specifications Validation Properties Possibly: E<> P Safety Properties Invariant: A[] P Pos. Inv.: E[] P Liveness Properties Eventually: A<> P Leadsto: P Q Bounded Liveness Leads to within: P t Q t t

101 Train Crossing Communication via channels and shared variable. appr stop Stopable Area [715] go [1020] el el [35] Crossing leave Queue empty nonempty hd addrem Gate River

102 Gear Controller with MECEL AB Lindahl Pettersson Yi 1998 GearControl Clutch Volvo Saab Network Canbus GearBox Engine Interface Flowgraph

103 Gear Controller with MECEL AB Volvo Saab GearControl Clutch Interface Requirements GearBox Engine

104 UPPAAL 3.4 Gate Template int[0n] list[n] len i; IntQueue

105 UPPAAL with C-Code Gate Template Gate Declaration

106 Case-Studies: Controllers Gearbox Controller [TACAS 98] Bang & Olufsen Power Controller [RTPS 99FTRTFT 2k] SIDMAR Steel Production Plant [RTCSA 99 DSVV 2k] Real-Time RCX Control-Programs [ECRTS 2k] Experimental Batch Plant 2000 RCX Production Cell 2000 Terma Verification of Memory Management for Radar 2001 Scheduling Lacquer Production 2005 Memory Arbiter Synthesis and Verification for a Radar Memory Interface Card [NJC 05]

107 Case Studies: Protocols Philips Audio Protocol [HS 95 CAV 95 RTSS 95 CAV 96] Collision-Avoidance Protocol [SPIN 95] Bounded Retransmission Protocol [TACAS 97] Bang & Olufsen Audio/Video Protocol [RTSS 97] TDMA Protocol [PRFTS 97] Lip-Synchronization Protocol [FMICS 97] Multimedia Streams [DSVIS 98] ATM ABR Protocol [CAV 99] ABB Fieldbus Protocol [ECRTS 2k] IEEE 1394 Firewire Root Contention 2000 Distributed Agreement Protocol [Formats05] Leader Election for Mobile Ad Hoc Networks [Charme05]

108