slides - Summer School Marktoberdorf

Model-based 

Verification and Validation 

Embedded Systems 

Kim G. Larsen 

Aalborg University, DENMARK

Timed Automata 

.. and Prices, Games, Probabilities 

Kim G. Larsen 


Aalborg 

Aarhus 

Aalborg 

Copenhagen 

Aalborg University leading Danish ICT University in terms of 

public investments (33%) Jomfru Ane Gade 

Marktoberdorf Summer School, 2012 Kim Larsen [3]

CISS - Center For Embedded Software Systems 

Regional ICT Center (2003- ) 

3 research groups 

Computer Science 

Control Theory 

HW/SW- codesign 

20 Employed 

25 Associated 

20 PhD Students 

50 Industrial projects 

10 Elite-students 

65 MDKK 

ARTIST Design 

ARTEMIS 


ES are Pervasive 

Characteristica: 

Marktoberdorf Summer School, 2012 Kim Larsen [5] 

Dedicated function 

Complex environment 

SW/HW/Mechanics 

Autonomous 

Ressource constrained 

: Energy 

: Bandwidth 

: Memory 

: … 

Timing constraints

ES are often Safety Critical 

How to achieve ES that are: 

• correct 

• predicable 

• dependable 

• fault tolerant 

• ressource minial 

• cheap 

.. 

Model-Based Development 

300 horse power 

100 processors 


System Description 

Requirement 

A( req ) A} grant) 

Model Checking 

TOOL 

A( req ) A} t

Synthesis 

? 

System Description 

Requirement 

A( req ) A} grant) 

TOOL 

A( req ) A} t

Overview 

Introduction to 


Decidability and 

Symbolic verification 

Priced Timed Automata 

Timed Games & Interfaces 

Stochastic Timed Automata 

Statistical Model Checking 

Open Problems 


CLASSIC 

CORA 

TIGA 

ECDAR 

SMC 

TRON

Timed Automata

UPPAAL (1995- ) 

@AALborg 

Kim G Larsen 

Alexandre David 

Gerd Behrman 

Marius Mikucionis 

Jacob I. Rasmussen 

Arne Skou 

Brian Nielsen 

Shuhao Li 

@Elsewhere 

Emmanuel Fleury, Didier Lime, Johan Bengtsson, 

Fredrik Larsson, Kåre J Kristoffersen, Tobias Amnell, 

Thomas Hune, Oliver Möller, Elena Fersman, Carsten 

Weise, David Griffioen, Ansgar Fehnker, Jan Tretmans, 

Frits Vandraager, Theo Ruys, Pedro D’Argenio, J-P 

Katoen,, Judi Romijn, Ed Brinksma, Martijn Hendriks, 

Klaus Havelund, Franck Cassez, Magnus Lindahl, 

Francois Laroussinie, Patricia Bouyer, Augusto 

Burgueno, H. Bowmann, D. Latella, M. Massink, G. 

Faconti, Kristina Lundqvist, Lars Asplund, Justin 

Pearson..... 

Marktoberdorf Summer School, 2012 

@UPPsala 

Wang Yi 

Paul Pettersson 

John Håkansson 

Anders Hessel 

Pavel Krcal 

Leonid Mokrushin 

Shi Xiaochun 

40000 

35000 

30000 

25000 

Total Downloads 

20000 

15000 

10000 

5000 

0 

y = 3.4322x 2 - 28.247x + 749.99 

Kim Larsen [11] 

UPPAAL Downloads 

YYMM

Real Time Systems 

Plant 

Continuous 

Eg.: Realtime Protocols 

Pump Control 

Air Bags 

Robots 

Cruise Control 

ABS 

CD Players 

Production Lines 

sensors 

actuators 

Controller Program 

Discrete 

Real Time System 

A system where correctness not only 

depends on the logical order of events 

but also on their timing!! 


A Dumb Light Controller 



x: real-valued 

clock 

Reset 

[Alur & Dill’89] 

Synchronizing 

action 


Clock Guard 

Conjunctions of 

x~n 

ADD a clock x

A Timed Automata (Semantics) 

States: 

( location , x=v) where v2R 

Transitions: 

delay 4.32 

( Off , x=0 ) 

( Off , x=4.32 ) 

press? ( Light , x=0 ) 

delay 2.51 ( Light , x=2.51 ) 

press? ( Bright , x=2.51 ) 


Intelligent Light Controller 

Invariant 

(Henzinger) 


Intelligent Light Controller 

Transitions: 

delay 4.32 

( Off , x=0 ) 

( Off , x=4.32 ) 


delay 4.51 ( Light , x=4.51 ) 


delay 100 ( Light , x=100) 

( Off , x=0) 


Note: X 

( Light , x=0 ) delay 103 

Invariants 

ensures 

progress

Timed Automata (formally) 








Timed Automata: Example 

guard 

reset 


synchronization 

22

Timed Automata: Example 

invariant 


guard 

23

Example 

a b 

c 

Is L1 reachable ? 


Example 

a b 

c 


y 

x

Example 

a b 

c 


y 

x

Example 

a b 

c 


y 

a 

x

Example 

a b 

c 


y 

a a 

x

Networks Light Controller & User 

press? x:=0 

press? 

Off Light Bright 

y¸10 

x:=0 

x:=0 

x=100 

x·100 

Rest Busy 

y:=0 

Synchronization 

press! 

press! 

y:=0 


y·10 

x·3 

x:=0 

press? 

x>3 

x:=0 

x=100 

x·100 

press? 

x:=0 

Transition 

delay 20 

( Off, Rest, x=0, y=0 ) 

( Off, Rest, x=20, y=20 ) 

press?! ( Light, Busy, x=0, y=0 ) 

delay 2 ( Light, Busy, x=2, y=2) 

press?! ( Bright, Rest, x=0, y=0) 

Kim Larsen [29]

Network Semantics 

s 

1 2 

T T ( S S , , 

s s ) Xwhere 

A 

1 X 

 

s1 

1 s1´ 

 

1 

Xs2 

s1´ 

X s2 

s 

s 

1 

1 

2 

s 

1 

2 

0 X 

0 

s 

s 

1 

X 

a ! 

1 s1´ 

a? 

s2 

 

 

1 s s ´ 

X 2 

1 s 

X 2 

 

e( 

d) 

 


s 

1 

s 

X 

1 

2 

s 

1 

´ 

e( 

d) 

s 

2 

 

s 

 

´ 

1 

X 

´ 

2 

s 

2 

e( 

d) 

s 

2 

2 

 

 

 

s 

´ 

 

2 

 

2 

´ 

 

2 

s 

2 


´ 

s 

s 

2 

´ 

1 

X 

s 

2 

´

Network Semantics 

(URGENT synchronization) 

s 

1 2 

T T ( S S , , 

s s ) Xwhere 

A 

1 X 

 

s1 

1 s1´ 

1 Xs 2 

s1´ 

X s2 

s 

s 

1 

1 

2 

a ! 

s 

1 

 

s 

1 X 

e( 

d) 

1 

2 

s 

2 

 


s 

1 

s 

X 

1 

2 

1 

´ 

 

0 X 

s 

2 

 

s 

s 

1 

´ 

e( 

d) 

´ 

0 

s 

1 X 

s 

 

s 

s 

1 

X 

a? 

 

2 

s 

´ 

2 

1 

X 

´ 

2 

s 

2 

e( 

d) 

s 

2 

2 

 

 

 

s 

´ 

 

2 

 

2 

´ 

 

2 

s 

2 


´ 

s 

s 

2 

´ 

1 

X 

s 

2 

´ 

d’ < d, u UAct: 

e(d’) u? e(d’) u! 

( s1 s2 )

Light Control Interface

User 

press? 0.2 release? … press? 0.7 release? … press? 1.0 2.4 release? … 

Ø 

press? 

release? 

Interface 

touch! 

starthold! 

endhold! 

press? d release? touch! 0.5·d· 1 

press? 1 starthold! Light 

press? d release? endhold! d >1 

touch! starthold! endhold! 

Informationsteknologi Light Control Interface 

Marktoberdorf Summer School, 

2012 

Control 

Program 

33

User 

press? 

release? 

touch! 

starthold! 

endhold! 

Informationsteknologi Light Control Interface 


Control 

Program 

34

Informationsteknologi 

Light Control Network 

press? 

release? 

touch! 

starthold! 

endhold! 


Control 

Program 

35

Informationsteknologi Full Light Controller 

Marktoberdorf Summer 

School, 2012 

Dim 

Dim 

36

UPPAAL 

Modeling & Specification

Train Crossing 

list 

Stopable 

Area 

[7,15] 

[10,20] 

Gate 

[3,5] 

Crossing 

River 


Train Crossing 

appr 

stop 

list 

Stopable 

Area 

[7,15] 

go 

enqueue() 

dequeue() 

front() 

[10,20] 

Gate 

[3,5] 

Crossing 

River 


Communication via channels! 

leave 

id-”parameter”

Declarations 



Constants 

Bounded integers 

Channels 

Clocks 

Arrays 

Types 

Functions 

Templates 

Processes 

Systems

UPPAAL Help 


Logical Specifications 

Validation Properties 

Possibly: E P 

Safety Properties 

Invariant: A[] P 

Pos. Inv.: E[] P 

Liveness Properties 

Eventually: A P 

Leadsto: P Q 

Bounded Liveness 

Leads to within: P · t Q 


The expressions P and 

Q must be type safe, 

side effect free, and 

evaluate to a boolean. 

Only references to 

integer variables, 

constants, clocks, 

and locations are 

allowed (and arrays of 

these). 

42

Case Studies: Controllers 

Gearbox Controller [TACAS’98] 

Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k] 

SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k] 

Real-Time RCX Control-Programs [ECRTS’2k] 

Terma, Verification of Memory Management for Radar (2001) 

Scheduling Lacquer Production (2005) 

Memory Arbiter Synthesis and Verification for a Radar Memory Interface Card [NJC’05] 

Adapting the UPPAAL Model of a Distributed Lift System, 2007 

Analyzing a χ model of a turntable system using Spin, CADP 

and Uppaal, 2006 

Designing, Modelling and Verifying a Container Terminal 

System Using UPPAAL, 2008 

Model-based system analysis using Chi and Uppaal: An 

industrial case study, 2008 

Climate Controller for Pig Stables, 2008 

Optimal and Robust Controller for Hydralic Pump, 2009 


Kim Larsen [43]

Case Studies: Protocols 

Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96] 

Bounded Retransmission Protocol [TACAS’97] 

Bang & Olufsen Audio/Video Protocol [RTSS’97] 

TDMA Protocol [PRFTS’97] 

Lip-Synchronization Protocol [FMICS’97] 

ATM ABR Protocol [CAV’99] 

ABB Fieldbus Protocol [ECRTS’2k] 

IEEE 1394 Firewire Root Contention (2000) 

Distributed Agreement Protocol [Formats05] 

Leader Election for Mobile Ad Hoc Networks [Charme05] 

Analysis of a protocol for dynamic configuration of IPv4 link 

local addresses using Uppaal, 2006 

Formalizing SHIM6, a Proposed Internet Standard in UPPAAL, 

2007 

Verifying the distributed real-time network protocol RTnet using 

Uppaal, 2007 

Analysis of the Zeroconf protocol using UPPAAL, 2009 

Analysis of a Clock Synchronization Protocol for Wireless Sensor 

Networks, 2009 

Model Checking the FlexRay Physical Layer Protocol, 2010 


Kim Larsen [44]

Using UPPAAL as Back-end 

Vooduu: verification of object-oriented designs using Uppaal, 

2004 

Moby/RT: A Tool for Specification and Verification of Real-Time 

Systems, 2000 

Formalising the ARTS MPSOC Model in UPPAAL, 2007 

Timed automata translator for Uppaal to PVS 

Component-Based Design and Analysis of Embedded 

Systems with UPPAAL PORT, 2008 

Verification of COMDES-II Systems Using UPPAAL with 

Model Transformation, 2008 

METAMOC: Modular WCET Analysis Using UPPAAL, 

2010. 


www.uppaal.com 


Kim Larsen [46]

Decidability 

and 

Symbolic Verification 

Kim G. Larsen 


Decidability

Reachability ? 

a b 

c 

Reachable from initial state (L0,x=0,y=0) ? 


OBSTACLE: 

Uncountably infinite 

state space 

locations clock-valuations

The Region Abstraction 


Time Abstracted Bisimulation 


Regions – From Infinite to Finite 

Reset 

region 

THM [AD90] 

Reachability is decidable 

(and PSPACE-complete) for 

timed automata 

THM [CY90] 

Time-optimal reachability is decidable 

(and PSPACE-complete) for 

timed automata 


+ 

A region 

Successor Successor 

Regions regions

Region Graph 


Region Automaton = 

Finite Bisimulation Quotiont 


An Example 


Region Automaton 

LARGE: exponential in the number of clocks and in the 

constants (if encoded in binary). The number of regions is 

 

xX (2 2) | !| 2 X 

M X 


x 

| |

Fundamental Results 

Reachability 

Model-checking 

TCTL ; MTL ; MITL 

Bisimulation, Simulation 

Timed ; Untimed 

Trace-inclusion 

Timed ; Untimed 


Kim Larsen [57]

Symbolic Verification 

The UPPAAL 

Verification Engine

Regions – From Infinite to Finite 


+

Zones – From Finite to Efficiency 


A zone Z: 

1· x · 2 

0· y · 2 

x - y ¸ 0

Zones - Operations 

y 

y 

(n, 2·x·4 

1·y·3 y-x·0 ) 

(n, x=0 1·y·3 ) 

Reset 


x 

x 

y 

y 

(n, 2·x 

1·y -3· y-x·0 ) 

x 

x 

y 

y 

(n, 2·x 

1·y·3 y-x·0 ) 

Delay Delay (stopwatch) 

(n, 2·x·4 1·y ) 

Extrapolation 

2 


Convex Hull 

x 

x

Symbolic Transitions 

x>3 

a 

y:=0 


y 

y 

x 

x 

1

Datastructures for Zones 

Difference Bounded 

Matrices (DBMs) 

Minimal Constraint 

Form 

[RTSS97] 

Clock Difference 

Diagrams 

[CAV99] 


x1 x2 

4 

x0 

-4 

3 3 -2 -2 

2 

1 

5 

x3 

2

Inclusion Checking (DBMs) 

Inclusion 

D1 

D2 

x

Future (DBMs) 

D 

1

Reset (DBMs) 

D 

y 

0 

-1 

x 

1

Forward Reachability 

PW 

Waiting Final 

Init 

Init -> Final ? 

Passed 

67 Marktoberdorf Summer School, 2012 

INITIAL Passed := Ø; 

Waiting := {(n 0,Z 0)} 

REPEAT 

pick (n,Z) in Waiting 

if (n,Z) = Final return true 

for all (n,Z)(n’,Z’): 

if for some (n’,Z’’) Z’ Z’’ continue 

else add (n’,Z’) to Waiting 

move (n,Z) to Passed 

UNTIL Waiting = Ø 

return false


PW 

Waiting Final 

Init 


Passed 



Waiting := {(n 0,Z 0)} 

REPEAT 








return false


PW 

Waiting 

Init 


Passed 


Final? 


Waiting := {(n 0,Z 0)} 

REPEAT 








return false


PW 

Waiting Final 

Init 


Passed 



Waiting := {(n 0,Z 0)} 

REPEAT 








return false


PW 

Waiting Final 

Init 


Passed 



Waiting := {(n 0,Z 0)} 

REPEAT 








return false


PW 

Waiting Final 

Init 


Passed 



Waiting := {(n 0,Z 0)} 

REPEAT 








return false


PW 

Waiting Final 

Init 


Passed 



Waiting := {(n 0,Z 0)} 

REPEAT 








return false

Symbolic Exploration 

Reachable? 


y 

x


Reachable? 


y 

Delay 

x


Reachable? 


y 

Left 

x


Reachable? 


y 

Left 

x


Reachable? 


y 

Delay 

x


Reachable? 


y 

Left 

x


Reachable? 


y 

Left 

x


Reachable? 


y 

Delay 

x


Reachable? 


y 

Down 

x

Verification Options

Verification Options 


Search Order 

Depth First 

Breadth First 

State Space Reduction 

None 

Conservative 

Aggressive 

State Space Representation 

DBM 

Compact Form 

Under Approximation 

Over Approximation 

Diagnostic Trace 

Some 

Shortest 

Fastest 

Extrapolation 

Hash Table size 

Reuse 

Kim Larsen [84]

State Space Reduction 


Cycles: 

Only symbolic states 

involving loop-entry points 

need to be saved on Passed list 

Kim Larsen [85]

To Store or Not To Store 

117 states total 

! 

81 states entrypoint 

! 

9 states 

Time OH 

less than 10% 



Behrmann, Larsen, 

Pelanek 2003 

Audio Protocol

Over/Under Approximation 

Declared State Space 


I 

O 

U 

R 

G 

Question: 

G 2 R ? 

How to use: 

G 2 O ? 

G 2 U ? 

G2 U ) G2 R 

:(G2 O) ) :(G2 R) 

Kim Larsen [87]

Over-approximation 

Convex Hull 

Marktoberdorf Summer School, 2012 88 

5 

3 

1 

y 

1 3 5 

x 

Convex Hull 

TACAS04: An EXACT method performing 

as well as Convex Hull has been 

developed based on abstractions 

taking max constants into account 

distinguishing between clocks, locations and · & ¸

Under-approximation 

Bitstate Hashing 

Waiting 

Init 

n,Z’ 

n,Z 


m,U 

Passed 

Final 

Kim Larsen [89]

Under-approximation 

Bitstate Hashing 

Waiting 

Init 

n,Z’ 

n,Z 

m,U 

Passed 

Final 

Hashfunction 

F 


1 

0 

1 

0 

0 

1 

Passed= 

Bitarray 

UPPAAL 

4 - 512 Mbits

Extrapolation 


Forward Symbolic Exploration 

Need for 

Finite 

Abstractions 



TERMINATION 

not 

garanteed

Abstractions 


We want ) a to be: 

- sound & complete wrt reachability 

- finite 

- easy to compute 

- as coarse as possible 

Kim Larsen [93]

Abstraction by Extrapolation 

Let k be the largest constant appearing in the TA 

x1 x2 

x0 

* 

>k 

* * * * 

* 

* 

* 


x3 

Location Dependency 


k x = 5 k y = 10 6 

Will generate all symbolic states of the form 

(l 2, x2 [0,14] , y2 [5,14n] , y-x2 [5,14n-14]) 

for n ·10 6 /14 !! 

[Behrmann, Bouyer, 

Fleury, Larsen 03] 

But y¸10 6 is not RELEVANT in l 2 

Kim Larsen [95]

Location Dependent Constants 

k x i = 14 for i2{1,2,3,4} 

k y i = 5 for i2{1,2,3} 

k y 4 = 10 6 


k x = 5 k y = 10 6 

k j i may be found as solution to 

simple linear constraints! 

Active Clock Reduction: 

k j i = -1 

Kim Larsen [96]

Experiments 


Kim Larsen [97]

Lower and Upper Bounds 

k x l = 10 6 


[Behrmann, Bouyer, 

Larsen, Pelanek 04] 

Given that x·10 6 is an upper bound implies that 

(l,v x,v y) simulates (l,v’ x,v y) 

whenever v’ x¸ v x¸ 10. 

For reachability downward 

closure wrt simulation 

suffices! 

Kim Larsen [98]

Fischer 

CSMA/CD 

Advanced Extrapolations 


Classical Loc. dep. Max Loc. dep. LU Convex Hull 

Kim Larsen [99]

Additional “secrets” 

Sharing among symbolic states 

location vector / discrete values / zones 

Distributed implementation of UPPAAL 

Symmetry Reduction 

Sweep Line Method 

Guiding wrt Heuristic Value 

User-supplied / Auto-generated 

Slicing wrt “C” Code 


Kim Larsen [100]

Open Problems 

Fully symbolic exploration of TA (both 

discrete and continuous part) ? 

Canonical form for CDD’s ? 

Partial Order Reduction ? 

Compositional Backwards Reachability ? 

Bounded Model Checking for TA ? 

Exploitation of multi-core processors ? 

… 


Kim Larsen [101]


Optimal Scheduling 

Kim G. Larsen 

– Aalborg University 

DENMARK

Overview 


Scheduling 


Optimal Reachability 

Optimal Infinite Scheduling 

Multi Objectives 

Energy Automata 


CLASSIC 

CORA 

TIGA 

ECDAR 

TRON 

PRO

Resources & Tasks 

Resource 

Shared variable 


Synchronization 


Task

A 

C 

D 

Task Graph Scheduling – Example 

3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

2 

6 

4 

1 

+ 

+ 

3ps 


+ 

* 

2ps 

time 

+ 

* 

5ps 

7ps 

5 10 15 20 25 

2 3 5 6 

4 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 

using 2 processors 

P1 (fast) P2 (slow) 

4

A 

C 

D 


3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

1 

2 

6 

4 

+ 

+ 

2 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 



3ps 


+ 

* 

2ps 

time 

+ 

* 

5ps 

7ps 

5 10 15 20 25 

3 5 4 

6

A 

C 

D 


3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

1 

2 

6 

4 

+ 

+ 

2 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 



3ps 


+ 

* 

2ps 

time 

+ 

* 

5ps 

7ps 

5 10 15 20 25 

3 5 4 

6

A 

C 

D 


3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

1 

2 

6 

4 

+ 

+ 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 



3ps 


+ 

* 

2ps 

time 

+ 

* 

5ps 

7ps 

5 10 15 20 25 

3 5 4 6 

2 

E (Task1.End and … and Task6.End)

Experimental Results 


Symbolic A* 

Branch-&-Bound 

60 sec 

Abdeddaïm, Kerbaa, Maler

Priced Timed 

Automata

A 

C 

D 

Task Graph Scheduling – Revisited 

3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

1 

2 

6 

4 

+ 

+ 

2 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 



ENERGY: 

3ps 


+ 

* 

2ps 

time 

+ 

* 

5ps 

7ps 

5 10 15 

90W 

20 

30W 

25 

3 5 4 6 

Idle 

In use 

1oW 

Idle 

In use 

20W

A 

C 

D 


3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

1 

2 

6 

4 

+ 

+ 

3 

2 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 



ENERGY: 

3ps 


+ 

* 

Idle 

In use 

2ps 

10W 

Idle 

time 

+ 

* 

In use 

5ps 

7ps 

20W 

5 10 15 

90W 

20 

30W 

25 

4 

5 

6

A 

C 

D 


3 

5 

1 

+ * 

* 

* 

P1 

P2 

B C D 

1 

2 

6 

4 

+ 

+ 

3 

2 

Compute : 

(D * ( C * ( A + B )) + (( A + B ) + ( C * D )) 



ENERGY: 

3ps 


+ 

* 

Idle 

In use 

2ps 

10W 

Idle 

time 

+ 

* 

In use 

5ps 

7ps 

20W 

5 10 15 

90W 

20 

30W 

25 

4 

5 

6

A simple example 


A simple example 

Q: What is cheapest cost for reaching ? 


Corner Point Regions 


0 

THM [Behrmann, Fehnker ..01] [Alur,Torre,Pappas 01] 

Optimal reachability is decidable for PTA 

THM [Bouyer, Brojaue, Briuere, Raskin 07] 

Optimal reachability is PSPACE-complete 

for PTA 

0 

3 

0 

0 0 

0 

3

Priced Zones 


[CAV01] 

A zone Z: 

1· x · 2 

0· y · 2 

x - y ¸ 0 

A cost function C 

C(x,y)= 

2x - 1y + 3

Priced Zones – Reset 

Z[x=0]: 

x=0 

0· y · 2 

C = 1y + 3 

C= -1y + 5 


[CAV01] 

A zone Z: 

1· x · 2 

0· y · 2 

x - y ¸ 0 

A cost function C 

C(x,y) = 

2x - 1y + 3

Symbolic Branch & Bound Algorithm 



Z' 

Z 

Z’ is bigger & 

cheaper than Z 

· is a well-quasi 

ordering which 

guarantees 

termination!

Example: Aircraft Landing 

cost 

e*(T-t) 

d+l*(t-T) 

E T L 

Planes have to keep separation 

distance to avoid turbulences 

caused by preceding planes 


t 

E earliest landing time 

T target time 

L latest time 

e cost rate for being early 

l cost rate for being late 

d fixed cost for being late 


Runway

Example: Aircraft Landing 

x >= 4 

x=5 

x

Aircraft Landing Source of examples: 

Baesley et al’2000 


Kim Larsen [122]

Symbolic Branch & Bound Algorithm 


Zone based 

Linear Programming 

Problems 

(dualize) 

Min Cost Flow 

Kim Larsen [123]

Optimal Infinite Schedule 



Maximize throughput: 

i.e. maximize Reward / Time in the long run! 



Minimize Energy Consumption: 

i.e. minimize Cost / Time in the long run 



Maximize throughput: 

i.e. maximize Reward / Cost in the long run 


Mean Pay-Off Optimality 

Bouyer, Brinksma, Larsen: 

HSCC04,FMSD07 

s 

c 1 

c 2 

r 1 r 2 

c 3 

r 3 

: BAD 


c n 

r n 

Accumulated cost 

Accumulated reward 

Value of path s: val(s) = lim n!1 c n/r n 

Optimal Schedule s * : val(s * ) = inf s val(s)

Discount Optimality 

Larsen, Fahrenberg: 

INFINITY’08 

s 

c(t1) c(t2) c(t3) c(tn) t3 tn t1 t2 : BAD 

Value of path s: val(s) = 

Cost of time t n 

Optimal Schedule s * : val(s * ) = inf s val(s) 


< 1 : discounting factor 

Time of step n

Soundness of 

Corner Point Abstraction 


Multiple Objective Scheduling 

16,10 

2,3 

cost 1’==4 cost 2’==3 

P 2 

cost 2 


2,3 

P 1 

6,6 10,16 

P6 P3 P4 Pareto Frontier 

2,2 P7 8,2 

P 5 

4W 3W 

cost 1

Energy Automata

Managing Resources 


Consuming & Harvesting Energy 

Maximize throughput 

while respecting: 0 · E · MAX 


Energy Constrains 

Energy is not only consumed but may also be regained 

The aim is to continously satisfy some energy constriants 


Results (so far) 


Bouyer, Fahrenberg, 

Larsen, Markey, Srba: 

FORMATS 2008

L-Problem for 1-Clock Case 

Theorem: 

The L-problem is decidable in PTIME for 1-clock PTAs 

P Bouyer, U Fahrenberg, K Larsen, N Markey,.. . Infinite runs in weighted timed automata with energy constraints. 2008. 


LU-Problem for 

1-Clock Energy Games 

Theorem 

For 1-clock priced timed games, the existence of a strategy 

satisfying LU-bounds is undecidable 

P Bouyer, U Fahrenberg, K Larsen, N Markey,.. . Infinite runs in weighted timed automata with energy constraints. 2008. 


Generic Module for Inc/Dec 


1½ Clocks = Discrete Updates 


New Approach: Energy Functions 

Maximize energy 

along paths 

Use this information 

to solve 

general problem 

P. Bouyer, U. Fahrenberg, K. G. Larsen, N. Markey: Timed automata with observers under energy constraints. HSCC 2010 


Energy Function 

General Strategy 

Spend just enough time 

to survive the next negative 

update 



Exponential PTA 

General Strategy 

Spend just enough time 

to survive the next negative 

update 

so that after next negative 

update there is a certain positive 

amount ! 

Minimal Fixpoint: 



Exponential PTA 

Thm [BFLM09]: 

The L-problem is decidable 

for linear and exponential 1-clock PTAs with 

negative discrete updates. 

Energy Function 



Multiple Costs & Clocks 

LU Problem Undecidable 

2 clocks + 2 costs [1] 

1 clock + 2 costs [2] 

2 clocks + 1 cost [3] 

Update Test-Decrement 

c1 Increment n=3 

Decrement n=12 

(1) Karin Quaas. On the interval-bound problem for weighted timed automata. 2011. 

(2) Uli Fahrenberg, Line Juhl, Kim G. Larsen, and Jirı Srba. Energy games in multiweighted automata. 2011 

(3) Nicolas Markey. Verification of Embedded Systems – Algorithms and Complexity. 2011. 


Multiple Clocks & 1 Cost 

L problem is undecidable 

4 clocks or more 

x=x 0 

C=C 0 

x=x 0 

C=C 0 

P. Bouyer, K. G. Larsen, and N. Markey. Lower-bound constrained runs in weighted timed automata. QEST 2012 


x=x 0 

C=x 0+C 0 

x=x 0 

C=(1-x 0) 

+C 0


L Problem 




L Problem 

Encoding of N-TM 




L Problem 

Encoding of N-TM 

t·dK 

t=dK 



-4 

t=dK t=dK 

t·dK t·dK 

-4 -4


L Problem 

Region Construction 

Lemma 3 



Multiple Costs & 0 Clocks 

Uli Fahrenberg, Line Juhl, Kim G. Larsen, and Jirı Srba. Energy games in multiweighted automata. 2011 


Conclusion 

Priced Timed Automata a uniform framework 

for modeling and solving dynamic ressource 

allocation problems! 

Not mentioned here: 

Model Checking Issues (ext. of CTL and LTL). 

Future work: 

Zone-based algorithm for optimal infinite runs. 

Approximate solutions for priced timed games to 

circumvent undecidablity issues. 

Open problems for Energy Automata. 

Approximate algorithms for optimal reachability 


Timed Games 

& 

Timed Interfaces 

Kim G. Larsen 

– Aalborg University 

DENMARK 

TIGA 

ECDAR

Timed Automata & Model Checking 


State (L1, x=0.81) 

Transitions 

(L1 , x=0.81) 

- 2.1 -> 

(L1 , x=2.91) 

-> 

(goal , x=2.91) 

Ehi goal ? 

Ahi goal ? 

A[ ] : L4 ?

Timed Game Automata & Synthesis 

controllable 

uncontrollable 

Problems to be considered: 

- Does there exist a winning strategy? 

- If yes, compute one (as simple as possible) 


Decidability of Timed Games 


Computing Winning States 


Reachability Games Backwards Fixed-Point Computation 

Definitions 

cPred(X) = { q2Q | 9 q’2 X. q c q’} 

uPred(X) = { q2Q | 9 q’2 X. q u q’} 

Pred t(X,Y) = { q2Q | 9 t. q t 2X and 8 s·t. q s 2Y C } 

p(X) = Pred t[ X [ cPred(X) , uPred(X C ) ] 

Theorem: 

The set of winning states is obtained as the least fixpoint 

of the function: X a p(X) [ Goal 



Pred t(X,Y) 

X 

Y

Symbolic On-the-fly Algorithms for 

Timed Games [CDF+05, BCD+07] 

symbolic version of on-the-fly MC algorithm 

for modal mu-calculus 

Liu & Smolka 98 


Kim Larsen [159]

Model Checking (ex Train Gate) 

Environment 


Controller 

: Never two trains at 

the crossing at the 

same time

Synthesis (ex Train Gate) 

Environment 

? 


Controller 



same time

Timed Games 

Environment 

Find strategy for controllable 

actions st behaviour satisfies 


Controllable Uncontrollable 

Controller 



same time

Plastic Injection Molding Machine 


Robust and optimal 

control 

Tool Chain 

Quasiomodo 

Synthesis: UPPAAL 

TIGA 

Verification: PHAVer 

Performance: SIMULINK 

40% improvement of 

existing solutions.. 


[CJL+09]

Oil Pump Control Problem 


R1: stay within safe 

interval [4.9,25.1] 

R2: minimize 

average/overall oil 

volume 


Quasiomodo

The Machine (consumption) 

Infinite cyclic demand 

to be satisfied by our 

control strategy. 

P: latency 2 s between 

state change of pump 


F: noise 0.1 l/s 


Quasiomodo

Abstract Game Model 

UPPAAL Tiga 

offers games of perfect information 

Abstract game model such that states only 

contain information about: 

Volume of oil at the beginning of cycle 

The ideal volume as predicted by the 

consumption cycle 

Current time within the cycle 

State of the Pump (on/off) 

Discrete model 



Quasiomodo 

D 

V, V_rate 

V_acc 

time

Machine (uncontrollable) 



Quasiomodo 

Checks whether V 

under noise gets 

outside 

[Vmin+0.1,Vmax-0.1]

Pump (controllable) 


Every 1 (one) 

seconds 


Quasiomodo

Tool Chain 

Strategy Synthesis TIGA 

Verification PHAVER 


Performance Evaluation 

SIMULINK 

Guaranteed 

Correctness 

Robustness 

with 


Quasiomodo 

40% Improvement

Timed Interfaces 

& Compositionality

Real-Time version of Milner’s Scheduler 

w i+1 

rec i+1 


N i+1 

w i 

N i 

S 

rec 0 

rec i 

N 0 

w 0 

rec 1 

N 1 

N 2 

w 1 

rec 2 

w 2 

171


Demo 

172


Compositional Verification 

SubSpec 3 

SubSpec 1 

SubSpec 2 

173

Spec: set of specifications 

Imp: set of implementations 

Specification Theory 

Specification 

SPF 

where 

Formalism 

(Imp, Spec, 

sat Imp 

Spec 

| S| 

 

{ 

Refinement: 

I 

: 

I 

sat 

sat) 

S 

S Tiff |S| |T| 

Consistenc y : 

| S| 

| S| 

 

Ø 

| 

T | 

Ø 

}

Operations on Specifications 

Logical Conjunction: 

Given S 1 and S 2 construct S 1S 2 such that 

|S 1 S 2| = |S 1||S 2| 

Structural Composition: 

Given S 1 and S 2 construct S 1 par S 2 such that 

| S 1 par S 2 | = |S 1| par |S 2| 

· should be precongruence wrt par to allow for 

compositional analysis ! 

Quotienting: 

Given overall specification T and component specification S 

construct the quotient specification T\S such that 

S par X · T iff X · T\S 


175

SPECs 

IMPs 

Specifications and Implementations 

Timed I/O Transition Systems 



Timed I/O Automata 

176

Refinements, Implementations, Consistency 


177

TIOTS : 

where 

and 

( St, 

Act, 

) 

St 

Act 


: 

St 

( Act ) 

St 

 

 

i 

touch? 

1.4 

off! 


 

o 

dim! 

Time determinism (d ) 

d 

d 

if s s ' and s s '' then s ' s '' 

Input enabledness 

i 

for all s and i . s 

Determinis m 

if 

a 

s 

s' 

and 

Output Urgency 

whenever 

(a Act ) 

o 

s 

d 

Either d 0. 

s 

i 

d 

then s implies d 

Independent Progress 

a 

s 

s' 

' then s' 

s' 

' 

d o 

or d , o. s 

0 

178

Let 

S T 

i. 

ii. 

iii. 

Definition 

I 

S 

S 

S' 

sat 

and 

iff 

i? 

o! 

S 

T 

 

Refinement = 

Timed Alternating Simulation 

be TIOGA. 

T 

T' 

then S 

S' 

with S' 

T' 

S 

S' 

then T 

T' 

with S' 

T' 


d 

I S 

i? 

o! 

d 

then T 

T' 

with S' 

T' 

Theorem 

Intuition: 

S leaves less choices than T 

for an implementation. 

: WheneverS 

T then| 

S| 

| 

T| 

Theorem: 

Whenever |S| |T| then S T 

Theorem 

S 

T 

 

Φ 

ATCTL. 

T cntr Φ Scntr 

Φ 

179

grant 

coin 

Timed Systems Specifications = 

Timed I/O Automata 

Machine Researcher 


Administration 

tea 

cof 

pub 

patent 

Input: 

control. 

(required) 

Output: 

uncontrol. 

(allowed) 

180

Overall Specification 

grant patent 

¸ ? 


grant 


coin pub 


tea 

cof 

patent 

181

grant 


u·20 

coin pub 


Specification 

tea 

cof 

Quotienting, ”Application” 

· 

patent 

grant 

u·20 

patent 

Spec\Adm 


u·20 

IFF 

coin pub 


tea 

cof 

· 

Spec \ Adm 

182

Assume-Guarantee 

Guarantee Assumption 


Good 

Bad 

ButA 

ButB 

A>>G = (A | G) \ A 

Properties 

A>>G ¸ G 

A · A’ ) 

A>>G ¸ A’>> G 

G · G’ ) 

A>>G · A>>G’ 

183

A, G 


Assume-Guarantee Reasoning 

A 1, G 1 

A 2, G 2 

Proof Rule: 

A>>G ¸ ( A1>>G1 | A2>>G2 ) 

184

w i+1 

rec i+1 

w i 

N i+1 

N i 


Milner’s Scheduler Compositionaly 

S 

rec 0 

SPEC 

rec i 

N 0 

w 0 

rec 1 

N 1 

N 2 

w 1 

rec 2 

w 2 

Find SS i and verify: 

1. N 1· SS 1 

2. SS 1 | N 2 · SS 2 

3. SS 2 | N 3 · SS 3 

… … 

n. SS n-1 | N n · SS n 

n+1. SS n | N 0 · SPEC 

185

w i+1 

rec i+1 

w i 

N i+1 

G 

N i 



S 

rec 0 

rec i 

N 0 

w 0 

rec 1 

N 1 

N 2 

w 1 

rec 2 

w 2 

A 1 

A 2 

Find SS i …… 

186

w i+1 

rec i+1 

w i 

N i+1 

G 

N i 



S 

rec 0 

rec i 

N 0 

w 0 

rec 1 

N 1 

N 2 

w 1 

rec 2 

w 2 

A 1 

A 2 

Take SS i = (A 1 & A 2)>>G 

187

w i+1 

rec i+1 

w i 

N i+1 

N i 



S 

rec 0 

rec i 

N 0 

w 0 

rec 1 

N 1 

N 2 

w 1 

rec 2 

w 2 

Take SS i = (A 1 & A 2)>>G 

188


Experiments 

189

Open Problems 


Open Problems 


Statistical Model Checking 

for Timed Automata 

Collaborators: Peter Bulychev, 

Alexandre David, Dehui Du, 

Axel Legay, Marius Mikucionis 

Wang Zheng, Guanyan Li, 

Jonas van Vliet, Danny Poulsen

UPPAAL Tool Suit 

Editor 


Simulator 

Processes 

Verifier 

MSC

UPPAAL 

Safety 

A[] forall (i : id_t) forall (j : id_t) 

Train(i).Cross && Train(j).Cross imply i == j 

E Train(0).Cross and Train(1).Stop 

Reachability 

Train(0).Appr --> Train(0).Cross 

Liveness 

A .. E[] .. 

Performance properties 

State-space explosion 

Limited quantitative analysis 

sup: .. inf: .. 


UPPAAL SMC 

Performance properties 

Pr[

Overview 

Stochastic Semantics of Networks of Timed 

Automata 

Statistical Model Checking in UPPAAL 

Estimation 

Sequential Hypothesis Testing 

Sequential Probability Comparison 

Demo 

Case Studies 

LMAC 

Energy Aware Buildings 

Genetic Oscillation 

SMC for WMTL 

Conclusion 


Stochastic Semantics of TA 

Exponential Distribution 

Input enabled 

Uniform Distribution 

Composition = 

Repeated races between components 


Stochastic Semantics of 


Delay Density Function 

¹ s: R! R 

Output Probability Function 

° s: § o! [0,1] 


g1 

s 

g2 

• ¹ s uniform on [ d min, d max ] 

• ° s uniform over enabled outputs 

Kim Larsen [198]



Composition = Race between components 

for outputting 


Pr[time




Assumptions: 

Component TAs are: 

• Input enabled 

• Deterministic 

• Disjoint set of output actions 

¼ ( s , a 1 a 2 …. a n ) : 

the set of maximal runs from s with a prefix 

t 1 a 1 t 2 a 2 … t n a k 

for some t 1,…,t n 2 R. 

Kim Larsen [200]

Logical Properties 


Kim Larsen [201]

Random Run Generator 

THEOREM 


SMC Algorithms -1 

Quantitative (Estimation) 

Algorithm I: Probability Estimation 


= ? 

Chernoff-Hoeffding Bound 

Alternatives, e.g. Clopper-Pearson 

10


Qualitative (Hypothesis Testing) 

®: prob of acc H 0 when H 1 

¯: prob of acc H 1 when H 0 

Algorithm II: Sequential Probability Ratio Testing (Wald) 


r 

0 

0 

0 

1 

Accept H 1 

1 

0 

0 

Accept H 0 

11 

0 

0 

runs #


t 

Probability Comparison 

(Beyond “Classical” SMC) 

Decide p1 ¸ p2 without 

computing p1, p2 0 0 

1 

Relative “superiority” of Á1 over Á2 u0 < 1 < u1 1 

0 

1 

1 

Accept H0 Algorithm III: Sequential Test for Probability Comparison 

®: prob of acc H 0 when H 1 

Accept H 1 


¯: prob of acc H 1 when H 0 

r 

a 

runs #

Queries in UPPAAL SMC 

Pr[


Pr[ = 0.8 

Pr[ = 0.5 


207


Pr[ = 

Pr[


simulate 1 [

DEMO

Extensions of UPPAALs TA 

Constant Slope Timed Automata 

Clocks may have different (integer) slope in different 

locations. 

Branching edges with discrete probabilities (weights). 

Beyond Priced TA, Energy TA. Equal LHA in (nonstochastic) 

expressive power. 

Beyond TPS, Probabilistic TA, DTMC, beyond CTMC 

(with multiple rewards) 

All features of UPPAAL supported 

User defined functions and types 

Expressions in guards, invariants, clock-rates, delayrates 

(rationals), and weights. 

New GUI for plot-composing and exporting. 



Invariants 

x’==5 

y’==int_fun() 

T’==5 T




locations. 















locations. 






Hybrid Systems – by discretizing and integration 










locations. 
















locations. 













Stochastic Hybrid Systems 

simulate 1 [

Stochastic Hybrid Systems 

A Bouncing Ball 

Simulate 5 [= 4)) 

Marktoberdorf Summer School, 2012 Kim Larsen [217/52]

Case Studies 

FIREWIRE BLUETOOTH 

10 node LMAC 


Energy Aware 

Buildings 


100 x 100 ROBOT 

Genetic Oscilator

LMAC

Lightweight Media Access Control 

Problem domain: 

communication 

scheduling 

Targeted for: 

self-configuring 

networks, 

collision avoidance, 

low power 

consumption 

Application domain: 

wireless sensor 

networks 


Initialization (listen until a 

neighbor is heard) 

Waiting (delay a random 

amount of time frames) 

Discovery (wait for entire 

frame and note used slots) 

Active 

choose free slot, 

use it to transmit, including 

info about detected collisions 

listen on other slots 

fallback to Discovery if 

collision is detected 

Only neighbors can detect 

collision and tell the usernode 

that its slot is used by 

others

added 

power 


adopted from A.Fehnker, L.v.Hoesel, A.Mader 

initialization 

..used UPPAAL to explore 4- and 5-node 

random wait 

topologies and found cases with 

perpetual collisions 

(8.000 MC problems) 

discovery 

Statistical MC offers an insight by 

calculating the probability over the 

number of collisions. 

+ estimated cost in terms of energy. 


active usage

SMC of LMAC with 4 Nodes 

Wait distribution: 

geometric 

uniform 

Network topology: 

chain 

ring 

Collision probability 

Collision count 

Power consumption 


no collisions 

10-Node Star 

The first collision: 

happens before 500tu 

• The first collisions happen before 500tu. 

• It is unlikely (8.2%) that 

there will be 0 collisions. 

• And if they happen, they are perpetual. 


Collision counts after 1000tu 

0 0 0 

0 

0 

Collision counts after 2000tu: 

the numbers are doubled – 

perpetual collisions 

0

Energy Aware 

Fehnker, Ivancic. 

Benchmarks for Hybrid Systems Verification. 

HSCC04 

Buildings 

With Alexandre David, 

Dehui Du 

Marius Mikucionis 

Arne Skou

Framework 

Design 

Space 

Exploration 


Kim Larsen [225]

Rooms & Heaters – MODELS 


Control Strategies – MODELS 


Temperature Threshold 


Strategies

Weather & User Profile – MODELS 


Results – Simulations 


simulate 1 [

Results – Discomfort 

Pr[0 

&& Monitor.Discomfort) 


Kim Larsen [230]

Results – Comfort 

Pr[comfort=2*day) 


Kim Larsen [231]

Results – Energy 

Pr[Monitor.energy=2*day) 


Kim Larsen [232]

Result – User Profile 

Pr[Monitor.energy=2*day) 


Kim Larsen [233]

Genetic Oscillator 

With 

Alexandre David,, Axel Legay, 

Marius Mikucionis, 

Danny Bøgsted Poulsen, Sean Sedwards

CMTC Model 


Vilar, Kueh, Barkai, Leibler: 

Mechanisms of noise-resistance in genetic oscillators, 

PNAS, 2002 

Kim Larsen [235]

ODE Model 


Amplitudes & Periods 

Amplitude E[

Frequency Analysis 


SMC for MITL

Example – WMITL 

SYSTEM 

95% confidence interval: [0.215,0.225] 


MONITOR 

(det)

Metric Interval Temporal Logic 

MITL ≤ syntax: 

ϕ ::=σ | ¬ϕ | ϕ 1 ∧ ϕ 2 | Oϕ | ϕ 1 U ≤d ϕ 2 

where d ∈ ℕ is a natural number and c a clock. 

MITL ≤ semantics [ r=(a 1,t 1)(a 2,t 2)(a 3,t 3) … ]: 

r ⊨σ if a 1= σ 

r ⊨¬ϕ if r ⊭ ϕ 

r ⊨ ϕ 1 ∧ ϕ 2 if r ⊨ ϕ 1 and r ⊨ ϕ 2 

r ⊨Oϕ if (a 2,t 2)(a 3,t 3)… ⊨ ϕ 

r ⊨ϕ 1 U ≤d ϕ 2 if 9 i. (a i,t i)(a i+1,t i+1)… ⊨ ϕ 2 

with t 1 +t 2 +…+t i ≤d 

and (a j,t j)(a j+1,t j+1)… ⊨ ϕ 1 for j

Tableaux Construction 

} ·1 p 

accept 

p 

p , x·1 

} ·1 p 

p x in O[}( p x·1 )] 

}( }( p p x·1 x·1 ) ) 

(x·1 p) O[}( p x·1 )] 


!p 

!p 

x=0

Tableaux Construction 


Tool Chain [LPAR2012] 


Experiments 

How exact is the over / underapproximation 

1000 random formulas 

2, 3, 4 actions 

15 connectives 


Case Study 2: Robot control 

Consider the case of a robot 

moving on a two-dimensional 

grid in a random fashion 


Ice 

Wall 

Starting point 

Fire 

We want to estimate the 

probability that the 

robot will arrive in time 

at the Goal location 

without burning or 

freezing to death 


Goal

www.uppaal.{org,com} 


Thank You !

slides - Summer School Marktoberdorf

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?