#### Model Checking of Timed Systems

A UPPAAL Tutorial

Wang Yi Uppsala University, Sweden SFM 2010, Bertinoro

#### This is simple, simple, simple ... ...



LESLIE LAMPORT

#### UPPAAL A model checker for real-time systems



Developed by UPPsala Univ + AALborg Univ = UPPAAL

#### Main Authors/Contributors of UPPAAL

- Johan Bengtsson
- Gerd Behrman
- Alexandre David
- Kim Larsen
- Fredrik Larsson
- Paul Pettersson and
- Wang Yi

#### **OUTLINE**

- Model Checking in a Nutshell
- Timed automata and TCTL
- A UPPAAL Tutorial
  - Data structures & central algorithms
  - UPPAAL input languages

(Recent Work: Multi-core Timing Analysis)

#### Main references

Temporal Logics (CTL)

• Automatic Verification of Finite State Concurrent Systems Using Temporal Logic Specifications: A Practical Approach. Edmund M. Clarke, E. Allen Emerson, A. Prasad Sistla, POPL 1983: 117-126; also as "Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications", ACM Trans. Program. Lang. Syst. 8(2): 244-258 (1986)

Timed Systems (Timed Automata, TCTL)

• A Theory of Timed Automata. Rajeev Alur, David L. Dill. Theor. Comput. Sci. 126(2): 183-235 (1994)

- Timed Automata: Semantics, Algorithms and Tools, a tutorial on timed automata. Johan Bengtsson and Wang Yi (a book chapter in Rozenberg et al, 2004, LNCS).
- On-line help of UPPAAL: www.uppaal.cm

# **Model-Checking**

in a Nutshell

#### Merits of model checking ...

- Checking simple properties (e.g. deadlock-freedom) is already extremely useful! The aim is not to prove that a system is completely correct (bug-free).
- The goal is to have tools that can help a developer find errors and improve the quality of her/his design.
  - It is to complement testing.
- Now widely used in hardware design, protocol design, and hopefully soon,

#### History: Model-checking invented in 70's/80s

[Pnueli 77, Clarke et al 83, POPL83, Sifakis et al 82]

- Restrict attention to finite-state systems
  - Control skeleton + boolean (finite-domain) variables
  - Found in hardware design, communication protocols, process control
- Specification using CTL, LTL etc [Pnueli, Lamport, Clarke]
  - Safety, Progress/Liveness, Responsiveness etc
- BDD-based symbolic technique [Bryant 86]
  - SMV 1990 Clarke, McMillan et al, state-space 10<sup>20</sup>
  - Now powerful tools used in hardware design
- On-the-fly enumerative technique [Holzmann 89]
  - SPIN, COSPAN, CAESAR, KRONOS, IF/BIP, UPPAAL (since 1993) etc
- SAT-based techniques [Clarke et al ...]

#### History: Model checking for real time systems, started in the 80s/90s

- Models of timed systems
  - Timed automata, [Alur&Dill 1990]
  - Timed process algebras, Timed CSP, Timed CCS [Wang 1990]
- Extension of model checking to consider time quantities
  - Timed variants of temporal logics e.g TCTL
- KRONOS, HyTech: 1993 --
- UPPAAL: 1995 --
  - TAB 1993 / prototype of UPPAAL [FORTE94, Wang et al]

Example: Fischer's Protocol



Example: the Vikings Problem

Real time scheduling



#### **Multicore Challenges**

[Figure: a multicore chip with several CPUs, each with a private L1 cache, a shared L2 cache, and limited off-chip memory bandwidth]

Shared resources: CPUs, caches, bandwidth, energy budget etc.

Worst-Case Execution Time Analysis of Concurrent Programs on Multicores



A duo-core processor with private L1 cache and shared memory bus


#### Combining Static Analysis & Model-Checking [RTSS 2010, submitted]



#### UPPAAL A model checker for real-time systems



# **MODELING**

How to construct Model?

#### Modeling Real Time Systems

- Events
  - synchronization, interrupts
- Timing constraints
  - specifying event arrivals, e.g. periodic and sporadic
- Data variables & C-subset
  - guards
  - assignments

#### A Light Controller



WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

#### A Light Controller (with timer)



Solution: Add real-valued clock x

#### Construction of Models: Concurrency



### **SPECIFICATION**

How to ask questions: Specs?

#### Specification=Requirement, Lamport 1977

- Safety
  - Something (bad) should not happen
- Liveness
  - Something (good) must happen/should be repeated



#### Computation Tree Logic, CTL

Clarke & Emerson 1980

#### **Syntax**

$\phi ::= p \mid \neg \phi \mid \phi \lor \phi \mid EX\,\phi \mid E[\phi\,U\,\phi] \mid A[\phi\,U\,\phi]$

where $p \in \mathsf{AP}$ (atomic propositions)

#### **Derived Operators**



Liveness: p --> q ("p leads to q")



#### Specification: Examples

- Safety / Invariant
  - AG ¬(P1.CS1 & P2.CS2)
  - AG (temp > 10 & speed < 120)
- Liveness
  - Eventually: AF (speed > 100)
  - Leads to: AG (P1.try imply AF P1.CS1)

#### **VERIFICATION**

Model meets Specs?

#### Verification

- Semantics of a system
  - = all states + state transitions (all possible executions)
- Verification
  - = state space exploration + examination

#### Two basic verification algorithms

- Reachability analysis
  - Checking safety properties
- Loop detection
  - Checking liveness properties

#### OUTLINE

- Model Checking in a Nutshell
- Timed automata and TCTL
- A UPPAAL Tutorial
  - Data structures & central algorithms
  - UPPAAL input languages

(Recent Work: Multicore Timing Analysis)

#### **Timed Automata, TCTL** & Verification Problems

**UPPAAL DEMO**

#### Timed Automata: Syntax

[Figure: a timed automaton with clocks x, y. Edge labels: a guard (= clock constraint), a reset such as x := 0, and an action label used for synchronization]

#### Timed Automata: Semantics



#### Timed Automata with *Invariants*



#### Timed Automata: Example

[Figure: an example timed automaton and its run, shown over several slides]

#### **Timed Automata**

=

Finite Automata + Clock Constraints + Clock resets

#### **Clock Constraints**

 $g ::= x \sim n \mid g \& g$ 

#### where

- x is a clock variable
- ~ ∈{<,>,≤,≥}
- n is a natural number and

#### Semantics (definition)

- <u>clock valuations</u>: $V(C)$, $v : C \rightarrow \mathbb{R}_{\ge 0}$
- <u>state</u>: $(l,v)$ where $l \in L$ and $v \in V(C)$
- <u>action transition</u>: $(l,v) \xrightarrow{a} (l',v')$ iff there is an edge $l \xrightarrow{g\ a\ r} l'$ such that $v \models g$ and $v' = v[r := 0]$
- <u>delay transition</u>: $(l,v) \xrightarrow{d} (l,v+d)$ iff $Inv(l)(v+d')$ whenever $d' \le d$, for $d \in \mathbb{R}_{\ge 0}$


#### **Modeling Concurrency**

- Products of automata
- CCS Parallel composition
  - implemented in UPPAAL


#### CCS Parallel Composition (implemented in UPPAAL)



where a is an action c! or c? or  $\tau$ , and c is a channel name

#### The UPPAAL Model

= Networks of Timed Automata + Integer Variables +....




#### Location Reachability (def.)

#### **Verification Problems**

$n$ is reachable from $m$ if there is a sequence of transitions:

$$(m, u) \longrightarrow^{*} (n, v)$$


#### (Timed) Language Inclusion, $L(A) \subseteq L(B)$

$$(a_0, t_0)(a_1, t_1) \dots (a_n, t_n) \in L(A)$$

"A can perform $a_0$ at $t_0$, $a_1$ at $t_1$, ..., $a_n$ at $t_n$":

$$(l_0,u_0) \xrightarrow{t_0} (l_0,u_0+t_0) \xrightarrow{a_0} (l_1,u_1) \dots$$

# Verification Problems

- Timed Language Equivalence & Inclusion (undecidable)
  - 1-clock, finite traces: decidable [Ouaknine & Worrell 04]
  - 1-clock, infinite traces & Büchi conditions: undecidable [Abdulla et al 05]
- Universality (undecidable)
- Untimed Language Inclusion (decidable)
- (Un)Timed (Bi)simulation (decidable)
- Reachability Analysis/Emptiness (decidable)
- Optimal Reachability (synthesis problem) (decidable)
  - If a location is reachable, what is the minimal delay before reaching the location?

#### Timed CTL = CTL + clock constraints

Note that the semantics of TA defines a transition system where each state has a Computation Tree


#### Timed CTL (a simplified version)

#### **Syntax**

$\varphi ::= p \mid \neg \varphi \mid \varphi \lor \varphi \mid \mathsf{EX}\,\varphi \mid \mathsf{E}[\varphi\,\mathsf{U}\,\varphi] \mid \mathsf{A}[\varphi\,\mathsf{U}\,\varphi]$

where $p \in \mathsf{AP}$ (atomic propositions) or a clock constraint

#### **Derived Operators**

- $AG\,p$, written A[] p in UPPAAL
- $EG\,p$, written E[] p in UPPAAL
- $EF\,p$, written E<> p in UPPAAL
- $AF\,p$, written A<> p in UPPAAL

#### Derived Operators (cont.)



#### Bounded Liveness

[TACAS 98]

Verify: "whenever p is true, q should be true within 10 sec"

Use extra clock x; add x:=0 on all edges leading to P



#### Bounded Liveness/Responsiveness

(reachability analysis, more efficient?)

[TACAS 98]

Verify: "whenever p is true, q should be true within 10 sec"

AG (( $P_b$ and x>10) imply q)

Use extra clock x and boolean $P_b$; add $P_b := tt$ and x:=0 on all edges leading to location P
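The observer construction above, run over a recorded timed trace, as an added example (not code from the slides or from UPPAAL): a boolean P_b and a clock x are set whenever p becomes true, and the invariant AG ((P_b and x>10) imply q) is evaluated literally along the trace, with P_b never cleared again. The trace format (piecewise-constant samples), the `horizon` parameter and the function name are this example's own assumptions.

```python
# Added example, not from the slides: check AG ((P_b and x > bound) imply q)
# over a timed trace using the observer construction (P_b := tt, x := 0 on
# every entry into a p-state).

def check_bounded_response(trace, horizon, bound=10.0):
    """trace: list of (t, p, q) with t strictly increasing; the values p, q hold
    from t until the next entry (or until `horizon`).  Returns the first time
    at which P_b holds, x > bound and q is false (a violation), else None."""
    pb, x_reset = False, 0.0      # observer state: boolean P_b and the reset instant of clock x
    prev_p = False
    for idx, (t, p, q) in enumerate(trace):
        if p and not prev_p:      # an edge "leading to P": P_b := tt and x := 0
            pb, x_reset = True, t
        prev_p = p
        t_next = trace[idx + 1][0] if idx + 1 < len(trace) else horizon
        # on [t, t_next) p and q are constant; x > bound holds on (x_reset + bound, t_next)
        if pb and not q and t_next > x_reset + bound:
            return max(t, x_reset + bound)   # boundary of the violating interval
    return None

# Constructed traces of (time, p, q), not taken from any real system
TRACE_OK = [(0, False, False), (2, True, False), (5, False, False), (9, False, True)]
TRACE_BAD = [(0, False, False), (2, True, False), (5, False, False), (14, False, True)]

if __name__ == "__main__":
    print(check_bounded_response(TRACE_OK, horizon=20))   # None: q within 10 of p
    print(check_bounded_response(TRACE_BAD, horizon=20))  # 12: q still false when x > 10
```

Because P_b is never reset, a trace in which q held briefly and then became false again after x > 10 is also reported as a violation; that is exactly what the formula AG ((P_b and x>10) imply q) states, which is why the later slides refine the construction.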




#### Problem with Zenoness/Time-stop



#### **EXAMPLE**

We want to specify "whenever P is true, Q should be true within 10 time units"

AG (( $P_b$ and x>10) imply Q)

#### **EXAMPLE**

#### Solution with UPPAAL



We want to specify "whenever P is true, Q should be true within 10 time units"

AG ((P<sub>b</sub> and x>10) imply q) is satisfied !!!

#### System || ZenoCheck

Check Zeno-freeness by an extra observer ZenoCheck: location A has invariant x<=1, and an edge with guard x=1 and reset x:=0 leads from A to B (using a committed location!)

Check: ZenoCheck.A --> ZenoCheck.B (yes means "no zeno loops")

# REACHABILITY ANALYSIS using Regions

#### Infinite State Space!

However, the reachability problem is decidable (Alur & Dill 1991)

#### Region: From infinite to finite



#### Region equivalence (Intuition)




#### Region equivalence [Alur and Dill 1990]

- u, v are clock assignments
- u≈v iff
  - For all clocks x, either (1) u(x) > Cx and v(x) > Cx, or (2) ⌊u(x)⌋ = ⌊v(x)⌋
  - For all clocks x, if $u(x) \le Cx$: $\{u(x)\} = 0$ iff $\{v(x)\} = 0$
  - For all clocks x, y, if u(x) <= Cx and u(y) <= Cy: $\{u(x)\} \le \{u(y)\}$ iff $\{v(x)\} \le \{v(y)\}$

#### Region equivalence (alternatively)



#### Region Graph

Finite-State Transition System!!



#### Theorem

u≈v implies

- u(x:=0) ≈ v(x:=0)
- u+n ≈ v+n for all natural numbers n
- for all d<1: u+d ≈ v+d′ for some d′<1

"Region equivalence" is preserved by "addition" and reset (also preserved by "subtraction" if clock values are "bounded").
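The region-equivalence test of the definition above, written out in Python for clock valuations given as dictionaries, together with the two preservation properties of the theorem, as an added example that is not part of the slides. The helper names (`region_equiv`, `reset`, `shift`, `matching_delay`), the grid search for d′ and the constructed valuations are this example's own.

```python
# Added example, not from the slides: region equivalence u ≈ v [Alur & Dill]
# for clock valuations u, v : clocks -> R>=0 with per-clock maximal constants.
import math

EPS = 1e-9                         # tolerance for "fractional part is zero"

def frac(r):                       # fractional part {r}
    return r - math.floor(r)

def region_equiv(u, v, cmax):
    """u ≈ v iff for every clock x either both u(x), v(x) exceed C_x, or they
    have the same integer part and their fractional parts are both zero or
    both non-zero; and for the bounded clocks x, y the ordering of fractional
    parts {u(x)} <= {u(y)} agrees with {v(x)} <= {v(y)}."""
    for x, c in cmax.items():
        if u[x] > c and v[x] > c:
            continue                                   # (1) both above C_x
        if math.floor(u[x]) != math.floor(v[x]):
            return False                               # (2) same integer part
        if (frac(u[x]) < EPS) != (frac(v[x]) < EPS):
            return False                               # {u(x)} = 0 iff {v(x)} = 0
    bounded = [x for x, c in cmax.items() if u[x] <= c]
    for x in bounded:
        for y in bounded:
            if (frac(u[x]) <= frac(u[y])) != (frac(v[x]) <= frac(v[y])):
                return False                           # same ordering of fractional parts
    return True

def reset(u, x):                   # u(x := 0)
    return {**u, x: 0.0}

def shift(u, d):                   # u + d
    return {x: val + d for x, val in u.items()}

def matching_delay(u, v, d, cmax, step=0.01):
    """For d < 1, find some d' < 1 with u + d ≈ v + d' by scanning a grid; the
    theorem guarantees such a d' exists whenever u ≈ v."""
    for k in range(int(1 / step)):
        dprime = k * step
        if region_equiv(shift(u, d), shift(v, dprime), cmax):
            return dprime
    return None

# Constructed valuations over clocks x, y with maximal constants C_x = C_y = 2
CMAX = {"x": 2, "y": 2}
U = {"x": 0.3, "y": 1.7}
V = {"x": 0.1, "y": 1.5}           # same region as U: same integer parts, {x} < {y}
W = {"x": 0.8, "y": 1.5}           # different region: {x} > {y}

if __name__ == "__main__":
    print(region_equiv(U, V, CMAX), region_equiv(U, W, CMAX))   # True False
    print(region_equiv(reset(U, "x"), reset(V, "x"), CMAX))     # True: preserved by reset
    print(region_equiv(shift(U, 1), shift(V, 1), CMAX))         # True: preserved by u+n
    print(matching_delay(U, V, 0.2, CMAX))                      # 0.0
```

The third condition only ranges over the clocks that are still below their maximal constant, which is why `shift(U, 1)` and `shift(V, 1)` remain equivalent even though y has crossed C_y = 2 in both.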

# Region graph of a simple timed automata

[Figure: region graph of the example automaton]

Fischers again

[Figure: untimed case, states A1,A2,v=1 → A1,B2,v=2 → ..., each split into regions such as 1 < x, y]

#### Problems with Region Construction

- Too many 'regions'
  - Sensitive to the maximal constants
  - e.g. x>1,000,000, y>1,000,000 as guards in TA
- The number of regions is highly exponential in the number of clocks and the maximal constants.

REACHABILITY ANALYSIS using ZONES

#### Zones: From infinite to finite



#### Symbolic Transitions



## Fischer's Protocol

[Figure: symbolic exploration of Fischer's protocol: → A1,CS2,v=2, → B1,CS2,v=1, ...]

# Fischers cont.

Untimed case: A1,A2,v=1 → A1,B2,v=2 → ...

Taking time into account: [Figure: the same exploration with timing constraints]

#### Zones = Conjunctive constraints

- A zone Z is a conjunctive formula: $g_1 \& g_2 \& \dots \& g_n$ where $g_i$ may be $x_i \sim b_i$ or $x_i - x_j \sim b_{ij}$
- Using a zero-clock $x_0$ (constant 0), we have $\{x_i - x_j \sim b_{ij} \mid {\sim} \text{ is } < \text{ or } \le,\ i, j \le n\}$
- This can be represented as a MATRIX, DBM (Difference Bound Matrices)

#### Solution set as semantics

- Let Z be a zone (a set of constraints)
- Let [Z] = {u | u is a solution of Z}

(We shall simply write Z instead of [Z])

#### Operations on Zones

- Post-condition (Delay): SP(Z) or Z↑
  - $[Z\uparrow] = \{u+d \mid d \in R, u \in [Z]\}$
- Pre-condition: WP(Z) or Z↓ (the dual of Z↑)
  - [Z↓] = {u | u+d ∈ [Z] for some d ∈ R}
- Reset: {x}Z or Z(x:=0)
  - $[\{x\}Z] = \{u[0/x] \mid u \in [Z]\}$
- Conjunction
  - [Z&g] = [Z] ∩ [g]

#### Two more operations on Zones

- Inclusion checking:  $Z_1 \subseteq Z_2$ 
  - solution sets
- Emptiness checking: Z = Ø
  - no solution

#### Theorem on Zones

# The set of zones is closed under all zone operations

- That is, the result of the operations on a zone is a zone
- Thus, there will be a zone to represent the sets:  $[Z^{\uparrow}]$ ,  $[Z^{\downarrow}]$ ,  $[\{x\}Z]$

#### One-step reachability: $S_i \Rightarrow S_j$

- Delay: $(n,Z) \rightarrow (n,Z')$ where $Z' = Z^{\uparrow} \wedge inv(n)$
- Action: $(n,Z) \rightarrow (m,Z')$ where $Z' = \{x\}(Z \wedge g)$ if $n \xrightarrow{g,\ x := 0} m$
- Reach: $(n,Z) \leadsto (m,Z')$ if $(n,Z) \rightarrow (m,Z')$

Now, we have a search problem




#### **OUTLINE**

- Model Checking in a Nutshell
- Timed automata and TCTL
- A UPPAAL Tutorial
  - Data structures & central algorithms
  - UPPAAL input languages

(Recent Work: Multicore Timing Analysis)

#### **What's inside UPPAAL**

#### **UPPAAL Tool**



#### Architecture of UPPAAL



#### Inside the UPPAAL tool

- Data Structures
  - DBM's (Difference Bounds Matrices)
  - Canonical and Minimal Constraints
- Algorithms
  - Reachability analysis
  - Liveness checking
- Verification Options



#### **All Operations on Zones**

(needed for verification)

- Transformation
  - Conjunction
  - Post condition (delay)
  - Reset
- Consistency Checking
  - Inclusion
  - Emptiness



#### Datastructures for Zones in UPPAAL

- Difference Bounded Matrices [Bellman58, Dil89]
- Minimal Constraint Form [RTSS97]
- Clock Difference Diagrams [CAV99]



#### **Canonical Datastructures for Zones**

Difference Bounded Matrices

Bellman 1958, Dill 1989

#### Inclusion

[Figure: deciding $Z_1 \subseteq Z_2$ on canonical DBMs]

#### **Emptiness**

[Figure: a zone Z with a negative cycle]

Negative cycle ⇒ empty solution set

#### **COMPLEXITY**

- Computing the shortest path closure, the canonical form of a zone: O(n³) [Dijkstra's alg.]
- Run-time complexity, mostly in O(n) (when we keep all zones in canonical form)

#### Datastructures for Zones in UPPAAL

- Difference Bounded Matrices [Bellman58, Dill89]
- Minimal Constraint Form [RTSS97]
- Clock Difference Diagrams [CAV99]

Minimal Graph

#### Graph Reduction Algorithm

1. Equivalence classes based on 0-cycles.
2. Graph based on representatives. Safe to remove redundant edges.
3. Shortest Path Reduction: one cycle per class; removal of redundant edges between classes.

#### Datastructures for Zones in UPPAAL

- Difference Bounded Matrices [Bellman58, Dill89]
- Minimal Constraint Form [RTSS97]
- Clock Difference Diagrams [CAV99]




#### Other Symbolic Datastructures

- NDD's Maler et. al.
- CDD's UPPAAL/CAV99
- DDD's Møller, Lichtenberg
- Polyhedra HyTech



#### Inside the UPPAAL tool

- Data Structures
  - DBM's (Difference Bounds Matrices)
  - Canonical and Minimal Constraints
- Algorithms

  - Reachability analysis
  - Liveness checking
- Verification Options



# Timed CTL in UPPAAL



#### Timed CTL (a simplified version)

#### **Syntax**



#### **Derived Operators**





#### We have a search problem



#### Forward Reachability



#### Forward Reachability



Init -> Final ?

```
INITIAL  Passed := Ø; Waiting := {(n0, Z0)}

REPEAT
  - pick (n, Z) in Waiting
  - if for some Z' ⊇ Z, (n, Z') in Passed then STOP
  - else (explore) add {(m, U) : (n, Z) => (m, U)} to Waiting;
    add (n, Z) to Passed

UNTIL Waiting = Ø or Final is in Waiting
```
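The zone operations from the earlier slides (delay, reset, conjunction, inclusion, emptiness), the canonical DBM form computed by shortest-path closure, and the Passed/Waiting algorithm just shown, combined in one added example. This is not UPPAAL's code; it is written for this page. The two-clock automaton (locations l0..l3, clocks x, y, its guards and invariant) is constructed, and the names `DBM`, `delay_in` and `reachable` are this example's own. Unlike UPPAAL it applies no maximal-constant extrapolation, so termination here relies on the example being small.

```python
# Added example, not UPPAAL's code: zones as Difference Bound Matrices with the
# operations listed on the slides (delay/up, reset, conjunction, inclusion,
# emptiness, canonical form by shortest-path closure), driving the forward
# reachability algorithm on a small, constructed two-clock automaton.
import math

INF = math.inf   # "no bound" on a difference x_i - x_j

# A bound is (value, strict): x_i - x_j < value if strict, else x_i - x_j <= value.
def b_add(a, b):
    if a[0] == INF or b[0] == INF:
        return (INF, True)
    return (a[0] + b[0], a[1] or b[1])

def b_lt(a, b):  # is bound a strictly tighter than bound b?
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

class DBM:
    """Zone over clocks x_1..x_n plus the zero clock x_0 (index 0); DBM(n) alone is the zone where every clock equals 0."""
    def __init__(self, n, cells=None):
        self.n = n
        self.m = cells or [[(0, False)] * (n + 1) for _ in range(n + 1)]
    def copy(self):
        return DBM(self.n, [row[:] for row in self.m])
    def canonical(self):
        """Shortest-path closure (Floyd-Warshall, O(n^3)): tightest bounds."""
        z, r = self.copy(), range(self.n + 1)
        for k in r:
            for i in r:
                for j in r:
                    via = b_add(z.m[i][k], z.m[k][j])
                    if b_lt(via, z.m[i][j]):
                        z.m[i][j] = via
        return z
    def is_empty(self):  # negative cycle <=> some x_i - x_i < 0 after closure
        z = self.canonical()
        return any(b_lt(z.m[i][i], (0, False)) for i in range(self.n + 1))
    def subset(self, other):  # Z1 ⊆ Z2: every bound of Z1 at least as tight
        a, b = self.canonical(), other.canonical()
        return all(not b_lt(b.m[i][j], a.m[i][j])
                   for i in range(self.n + 1) for j in range(self.n + 1))
    def up(self):  # delay Z↑: drop the upper bounds x_i - x_0
        z = self.copy()
        for i in range(1, self.n + 1):
            z.m[i][0] = (INF, True)
        return z.canonical()
    def reset(self, i):  # {x_i}Z: x_i := 0, so x_i takes the bounds of x_0
        z = self.copy()
        for j in range(self.n + 1):
            z.m[i][j], z.m[j][i] = self.m[0][j], self.m[j][0]
        z.m[i][i] = (0, False)
        return z.canonical()
    def conjoin(self, i, j, bound, strict=False):  # Z ∧ (x_i - x_j ~ bound)
        z = self.copy()
        if b_lt((bound, strict), z.m[i][j]):
            z.m[i][j] = (bound, strict)
        return z.canonical()

# Constructed automaton with clocks x = 1 and y = 2.  An atom (i, j, c, strict)
# encodes x_i - x_j <= c:  x <= c is (1, 0, c, False), y >= c is (0, 2, -c, False).
INVARIANT = {"l0": [(1, 0, 5, False)]}                           # l0: x <= 5
EDGES = [  # (source, guard, clocks to reset, target)
    ("l0", [(1, 0, 2, False)], [2], "l1"),                       # x <= 2, y := 0
    ("l1", [(0, 2, -3, False), (1, 0, 2, False)], [], "l2"),     # y >= 3 and x <= 2
    ("l1", [(0, 2, -3, False), (1, 0, 4, False)], [], "l3"),     # y >= 3 and x <= 4
]

def delay_in(loc, z):  # Z' = Z↑ ∧ inv(loc)
    z = z.up()
    for atom in INVARIANT.get(loc, []):
        z = z.conjoin(*atom)
    return z

def reachable(goal, edges=EDGES, n_clocks=2, init="l0"):
    """Forward reachability with Passed/Waiting lists and inclusion checking."""
    waiting, passed = [(init, delay_in(init, DBM(n_clocks)))], []
    while waiting:
        loc, z = waiting.pop()
        if loc == goal:
            return True
        if any(pl == loc and z.subset(pz) for pl, pz in passed):
            continue                                  # covered by Passed: skip
        passed.append((loc, z))
        for src, guard, resets, tgt in edges:         # explore successors
            if src != loc:
                continue
            zg = z
            for atom in guard:
                zg = zg.conjoin(*atom)
            if zg.is_empty():
                continue                              # guard unsatisfiable in Z
            for r in resets:
                zg = zg.reset(r)
            zt = delay_in(tgt, zg)
            if not zt.is_empty():
                waiting.append((tgt, zt))
    return False
```

`reachable("l2")` returns False: in l1 the zone carries the difference constraint y ≤ x (x − y ≥ 0, since y was reset after x), so conjoining y ≥ 3 and x ≤ 2 produces a negative cycle and the emptiness test of the DBM slides fires; `reachable("l3")` returns True because x ≤ 4 leaves room for x = y = 3.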

Further question

Can we find the path with shortest delay, leading to P? (i.e. a state satisfying P)

#### **OBSERVATION:**

Many scheduling problems can be phrased naturally as reachability problems for timed automata.

#### Verification vs. Optimization

- Verification Algorithms:
  - Checks a logical property of the entire state-space of a model.
  - Efficient Blind search.
- Optimization Algorithms:
  - Finds (near) optimal solutions.
  - Uses techniques to avoid nonoptimal parts of the state-space (e.g. Branch and Bound).
- Goal: solve opt. problems with verification.



#### **OPTIMAL REACHABILITY**

The maximal and minimal delay problem

128

# Find the trace leading to P with min delay



There may be a lot of paths leading to P

Which one with the shortest delay?

Find the trace leading to P with min delay



Idea: delay as "Cost" to reach a state, thus cost increases with time at rate 1

---

#### Example (min delay to reach G)



#### A Simple Algorithm for minimal-cost reachability

- State-space exploration + use of a global variable ${\tt Cost}$ and a global clock ${\tt \delta}$
- Update Cost whenever a goal state with min(C) < Cost is found.

Terminates when the entire state-space is explored.

Problem: the search may never terminate!

#### Priced-Zone

- Cost = minimal total time
- C can be represented as the zone $Z^{\delta}$, where $Z^{\delta}$ is the original (ordinary) DBM Z extended with the global clock $\delta$ keeping track of the cost/time.
- Delay, Reset, Conjunction etc. on C are the standard DBM-operations
- Delay-Cost is incremented by the Delay-operation on $Z^{\delta}$.
- But inclusion-checking will be different



Then: $C_3 \sqsubseteq C_2 \sqsubseteq C_1$, but: $C_3 \not\subseteq C_2 \subseteq C_1$

Solution: $()^{\dagger}$-widening operation

$()^{\dagger}$ removes the upper bound on the $\delta$-clock:

$$\begin{array}{ccc}
C_3 & C_2 & C_1 \\
C_3^{\dagger} & C_2^{\dagger} & C_1^{\dagger}
\end{array}$$

- In the Algorithm:
  - $Delay(C^{\dagger}) = (Delay(C^{\dagger}))^{\dagger}$
  - $Reset(x, C^{\dagger}) = (Reset(x, C^{\dagger}))^{\dagger}$
  - $C_1^{\dagger} \wedge g = (C_1^{\dagger} \wedge g)^{\dagger}$

It suffices to apply $()^{\dagger}$ to the initial state $(l_0, C_0)$.

#### Example (widening for Min)

[Figure: widening applied step by step over several slides]

#### An Algorithm (Min)

```
Cost := ∞, Pass := {}, Wait := {(l0, C0)}
while Wait ≠ {} do
  select (l, C) from Wait
  if (l, C) ⊨ P and Min(C) < Cost then Cost := Min(C)
  if (l, C) ⊑ (l, C') for some (l, C') in Pass then skip
  otherwise add (l, C) to Pass
    and forall (m, C') such that (l, C) ⇒ (m, C'): add (m, C') to Wait
Return Cost
```

Output: Cost = the min cost of a found trace satisfying P.


#### Timed CTL in UPPAAL



#### Timed CTL (a simplified version)



#### Derived Operators (cont.)



#### Question

#### Note that A<> P

"P will be true for sure in future"

NO !!!! there is a path: $(m, x=0) \rightarrow (m, x=1) \rightarrow (m, x=2) \dots (m, x=k) \dots$ idling forever in location m

[Figure: a second automaton]

This automaton satisfies AF P

#### Algorithm for checking A<> P (Eventually P)

Bouajjani, Tripakis, Yovine '97: On-the-fly symbolic model checking of TCTL

Check: there is no cycle containing only states where P is false

#### Question: Time bound synthesis

"P will be true eventually", but no time bound is given.

Assume AF P is satisfied by an automaton A. Can we calculate the Max time bound?

OBS: we know how to calculate the Min!

(not available in the distributed version of UPPAAL)

#### Assume A<>P is satisfied



#### An Algorithm (Max)

```
Cost := 0, Pass := {}, Wait := {(l0, C0)}
while Wait ≠ {} do
  select (l, C) from Wait
  if (l, C) ⊨ P and Max(C) > Cost then Cost := Max(C)
  else if forall (l, C') in Pass: C ⋢ C' then
    add (l, C) to Pass
    forall (m, C') such that (l, C) ⇒ (m, C'):   -- one-step reachability relation
      add (m, C') to Wait
Return Cost
```

Output: Cost = the max cost of a found trace satisfying P. BUT: ⊑ is defined on zones where the lower bound of "cost" is removed.

#### Zone-Widening operation for Max

$C_1 \not\subseteq C_2$

[Figure: widening for Max, shown over two slides]

Inside the UPPAAL tool

- Data Structures
  - DBM's (Difference Bounds Matrices)
  - Canonical and Minimal Constraints
- Algorithms
  - Reachability analysis
  - Liveness checking
- Verification Options





#### Verification Options

[Screenshot: the UPPAAL verifier with the "(Viking).safe" query and its options pane]

- Diagnostic Trace
- Breadth-First / Depth-First (search order)
- Local Reduction
- Active-Clock Reduction
- Re-Use State-Space
- Over-Approximation / Under-Approximation
- Vicinity Reduction

# Inactive (passive) Clock Reduction



#### **Global Reduction**

(When to store symbolic state)



#### Global Reduction (When to store symbolic state)

Cycles: only symbolic states involving loop-entry points need to be saved on the Passed list



#### Reuse of State Space



#### **Under-approximation**

Bitstate Hashing (Holzmann, SPIN)

[Figure: bit-state hashing, shown over several slides]

#### **Under Approximation**

(good for finding Bugs quickly, debugging)

- Positive answer is safe (you can trust it)
  - You can trust your tool if it tells you a state is reachable (it means Reachable!)
- Negative answer is inconclusive
  - You should not trust your tool if it tells you a state is non-reachable
  - Some branches may be cut off by a conflict (two distinct states with the same hash value)
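The two points above, demonstrated in an added example that is not code from SPIN or UPPAAL: the same depth-first search is run once with an exact Passed set and once with a bit table indexed by a hash, over a constructed transition system in which two states deliberately collide. The toy hash, the graph and the function names are this example's own.

```python
# Added example, not SPIN's or UPPAAL's code: bit-state hashing as an
# under-approximating Passed list.  Each visited state sets one bit chosen by
# a hash; two different states that hash to the same bit collide, and the
# second one is wrongly skipped as "already explored".

def toy_hash(state, bits):
    """Deliberately weak hash so a collision is easy to construct: anagrams collide."""
    return sum(map(ord, state)) % bits

# Constructed transition system: 'ab' and 'ba' collide under toy_hash.
GRAPH = {
    "init": ["ab", "x"],
    "ab":   ["ba"],
    "ba":   ["goal"],
    "x":    [],
    "goal": [],
}

def exact_reachable(graph, init, goal):
    """Exhaustive depth-first search with an exact Passed set."""
    passed, waiting = set(), [init]
    while waiting:
        s = waiting.pop()
        if s == goal:
            return True
        if s in passed:
            continue
        passed.add(s)
        waiting.extend(graph[s])
    return False

def bitstate_reachable(graph, init, goal, bits=64):
    """Same search, but Passed is a table of `bits` bits indexed by toy_hash."""
    table, waiting = 0, [init]
    while waiting:
        s = waiting.pop()
        if s == goal:
            return True
        bit = 1 << toy_hash(s, bits)
        if table & bit:           # bit already set: seen before, or a collision
            continue
        table |= bit
        waiting.extend(graph[s])
    return False

if __name__ == "__main__":
    # "goal" is reachable, but the bit-state search loses it: 'ba' collides with 'ab'
    print(exact_reachable(GRAPH, "init", "goal"))     # True
    print(bitstate_reachable(GRAPH, "init", "goal"))  # False (inconclusive)
    # a positive answer from the under-approximation is still trustworthy
    print(bitstate_reachable(GRAPH, "init", "x"))     # True
```

Enlarging the table does not help here because the collision comes from the hash function, not from the table size; in a real tool the table is simply too small for the state space and the collisions are accidental, but the asymmetry is the same: "reachable" can be trusted, "not reachable" cannot.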

Over-approximation

Convex Hull



# Over-Approximation

(good for safety property-checking)

- Positive answer is inconclusive
  - "a state is reachable" means nothing (you should not trust your tool when it says so)
  - Some of the transitions may be enabled only by the enlarged zones
- Negative answer is safe
  - "a state is not reachable" means non-reachable (you can trust your tool when it says so)

#### Now, you can go home

- Download and use UPPAAL or
- Start to implement your own model checker