Bounded Model Checking for Parametric Timed Automata⋆

Michal Knapik (1) and Wojciech Penczek (1, 2)

(1) Institute of Computer Science, PAS, J.K. Ordona 21, 01-237 Warszawa, Poland, {Michal.Knapik}@ipipan.waw.pl
(2) Institute of Informatics, Podlasie Academy, Sienkiewicza 51, 08-110 Siedlce, Poland, [email protected]

Abstract. The paper shows how bounded model checking can be applied to parameter synthesis for parametric timed automata with continuous time. While it is known that the general problem is undecidable even for reachability, we show how to synthesize a part of the set of all the parameter valuations under which the given property holds in a model. The results form a complete theory which can be easily applied to parametric verification of a wide range of temporal formulae – we present such an implementation for the existential part of CTL−X.
1 Introduction and related work
The growing abundance of complex systems in the real world, and their presence in critical areas, fuels the research in formal specification and analysis. One of the established methods in systems verification is model checking, where the system is abstracted into an algebraic model (e.g. various versions of Kripke structures, Petri nets, timed automata), and then processed with respect to a given property (usually a formula of modal or temporal logic). Classical methods have their limits, however: the model is supposed to be a complete abstraction of system behaviour, with all the timing constraints explicitly specified. This situation has several drawbacks, e.g. the need to perform a batch of tests to confirm the proper system design (or find errors) is often impossible to fulfil due to the high complexity of the problem. Introducing parameters into models changes the task of property verification into the task of parameter synthesis, meaning that a parametric model checking tool produces the set of parameter valuations under which the given property holds instead of a simple holds/does not hold answer. Unfortunately, the problem of parameter synthesis is shown to be undecidable for some widely used parametric models, e.g. parametric timed automata [3, 8] and bounded parametric time Petri nets [15]. Many model checking tools have acquired new capabilities of parametric verification, e.g. UPPAAL-PMC [11] – the parametric extension of UPPAAL, LPMC [14] – extending PMC. Some of the tools were built from scratch with parametric
Partly supported by the Polish Ministry of Science and Higher Education under the grant No. N N206 258035.
Recent Advances in Petri Nets and Concurrency, S. Donatelli, J. Kleijn, R.J. Machado, J.M. Fernandes (eds.), CEUR Workshop Proceedings, ISSN 1613-0073, Jan/2012, pp. 419–435.
420 Petri Nets & Concurrency
Knapik and Penczek
model checking in mind, e.g. TREX [1] and MOBY/DC [7]. Parametric analysis is also possible with HyTech [10] by means of hybrid automata. However, due to undecidability issues, the algorithms implemented in these tools need not terminate and are very time and resource consuming. Another, very interesting approach is given in the recently developed IMITATOR tool [4]: given both the parametric timed automaton and an initial parameter valuation, IMITATOR synthesizes a set of parameter constraints. Substituting the parameters with any valuation satisfying these constraints is guaranteed to produce a timed automaton which is time-abstract equivalent to the one obtained by substituting the parameters with the initial valuation. In this paper we present a new approach to parametric model checking, based on the observation that while we are not able to synthesize the full set of parameter constraints in general, there is no fundamental rule which forbids us from obtaining a part of this set. In Section 2 we introduce the parametric region graph – an extension of the region graph used in the theory of timed automata [2] – and show (in Section 3) how the computation tree of a model can be unwound up to some finite depth in order to apply bounded model checking (BMC) techniques [5]. To the best knowledge of the authors, this is the first application of BMC to parametric timed automata, and it seems to be quite a promising direction of research: firstly due to the unique BMC advantage which allows for verification of properties in a limited part of the model, secondly due to the fact that it is quite easy to present BMC-based model checking algorithms for the existential parts of many modal and temporal logics. In fact we describe how Parametric BMC can be implemented for the existential subset of CTL−X logic in Section 3, including the analysis of a simplified parametric model of the 4-phase handshake protocol.
2 Theory of Parametric Timed Automata
In this paper we use two kinds of variables, namely parameters $P = \{p_1, \ldots, p_m\}$ and clocks $X = \{x_0, \ldots, x_n\}$. An expression of the form $\sum_{i=1}^{m} t_i \cdot p_i + t_0$, where $t_i \in \mathbb{Z}$, is called a linear expression. A simple guard is an expression of the form $x_i - x_j \prec e$, where $i \neq j$, $\prec \in \{\leq,$

[Figure 4: a graph whose nodes are labelled with a location (s0, s1 or s2), a clock region such as [(0, 0)], [(1.1, 1)] or [(2.1, 2.1)], and parameter constraints such as maxIO > 1, minIO = 0 or maxIO ≥ 2, minIO ≤ 1; the edges are labelled readData, putData, return and τ.]
Fig. 4. The 4-phase handshake protocol, Parametric Region Graph of depth 5
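As an added illustration of the definitions of Section 2 (this is example code written for this page, not code from the paper), the following Python models linear expressions over parameters and simple guards x_i − x_j ≺ e, evaluates them under a clock valuation and a parameter valuation, and then shows the idea behind synthesizing a part of the parameter set: the constraints induced by the guards taken along one concrete run are checked against every integer valuation in a small box, which yields the valuations under which that run is enabled. The class and function names, the two guards G_PUT and G_READY, the run and the integer bound are all constructed; the parameter names minIO and maxIO are borrowed from Figure 4 only as names, and admitting "<" as the second relation is an assumption, since the page's definition is cut off after ≤.

```python
from dataclasses import dataclass
from fractions import Fraction
from itertools import product


@dataclass(frozen=True)
class LinExpr:
    """Linear expression sum_i t_i * p_i + t_0 over parameters, every t_i an integer."""
    coeffs: tuple   # ((parameter_name, t_i), ...)
    const: int = 0  # t_0

    def evaluate(self, params):
        """Value of the expression under a parameter valuation (dict name -> number)."""
        return sum(t * params[p] for p, t in self.coeffs) + self.const


def compare(lhs, rel, rhs):
    """Apply the relation symbol of a guard; '<' is an assumption of this example."""
    return lhs <= rhs if rel == "<=" else lhs < rhs


@dataclass(frozen=True)
class SimpleGuard:
    """Simple guard x_i - x_j ≺ e with i != j and ≺ in {<=, <}."""
    xi: str
    xj: str
    rel: str
    expr: LinExpr

    def __post_init__(self):
        if self.xi == self.xj or self.rel not in ("<=", "<"):
            raise ValueError("a simple guard compares two distinct clocks with <= or <")

    def holds(self, clocks, params):
        """Check the guard for a clock valuation (dict clock -> Fraction) and parameter valuation."""
        return compare(clocks[self.xi] - clocks[self.xj], self.rel, self.expr.evaluate(params))


def path_constraints(run):
    """One concrete run is a list of (clock valuation, guard taken there).  The clock
    difference is a plain number at that point, so each guard becomes the parameter
    constraint 'number ≺ linear expression over parameters'."""
    return [(clocks[g.xi] - clocks[g.xj], g.rel, g.expr) for clocks, g in run]


def satisfies(constraints, params):
    return all(compare(d, rel, e.evaluate(params)) for d, rel, e in constraints)


def feasible_valuations(constraints, names, bound):
    """A part of the parameter set: every integer valuation with 0 <= p <= bound for
    each parameter under which all guards of the run are enabled."""
    found = []
    for values in product(range(bound + 1), repeat=len(names)):
        params = dict(zip(names, values))
        if satisfies(constraints, params):
            found.append(params)
    return found


# Constructed sample (not the paper's model): two guards over parameters named minIO and maxIO.
MAX_IO = LinExpr((("maxIO", 1),))        # 1*maxIO + 0
NEG_MIN_IO = LinExpr((("minIO", -1),))   # -1*minIO + 0
G_PUT = SimpleGuard("x1", "x0", "<=", MAX_IO)        # x1 - x0 <= maxIO
G_READY = SimpleGuard("x0", "x1", "<=", NEG_MIN_IO)  # x0 - x1 <= -minIO, i.e. x1 - x0 >= minIO

# Constructed run: both guards are checked when x0 = 0 and x1 = 1.1 (exact rationals, no floats).
CLOCKS = {"x0": Fraction(0), "x1": Fraction(11, 10)}
RUN = [(CLOCKS, G_PUT), (CLOCKS, G_READY)]


def synthesize(bound=3):
    """Integer valuations of (minIO, maxIO) in [0, bound]^2 under which RUN is enabled."""
    return feasible_valuations(path_constraints(RUN), ["minIO", "maxIO"], bound)


if __name__ == "__main__":
    for valuation in synthesize():
        print(valuation)
```

Clock values are kept as exact rationals on purpose: a region label such as [(1.1, 1)] compared against an integer parameter bound is exactly the kind of comparison where floating point rounding would silently flip a guard. The enumeration over an integer box is of course only a stand-in for the symbolic treatment of the constraints; it is there to make the "part of the parameter set" concrete.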
loops in the concrete semantics of non-parametric timed automata with minIO = 0, and maxIO instantiated by any value greater than 1. The graph of Figure 4, treated as a subgraph of the Parametric Region Graph of Figure 3, allows us to observe that in the considered system the property EGEF(ProducerIdle ∧ ConsumerReady) holds for minIO = 0 and maxIO > 1, with the previously mentioned loop as a witness. The intuition behind the considered formula is that the Producer will put data into the transmission infinitely often in the running system. Of course, this is only the first, hand-made step of the synthesis of the parameter valuations under which the considered property is satisfied. The complete analysis of non-simplified versions with more parameters and components has to wait until we develop the planned tool.
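The bounded witness search described above, as an added example that is neither the paper's algorithm nor its code: a small graph whose nodes carry propositions and a constraint on the parameter valuation, the depth-k unwinding of the paths leaving the initial node, and a search for a lasso (a path whose last node repeats an earlier one) every node of which has a bounded EF witness for ProducerIdle ∧ ConsumerReady, which is what a finite witness for EGEF looks like. The graph is constructed and only loosely shaped like Figure 4 (node names s0a, s1a, s2a, s0b, s1b and their constraints are made up), the depth bound 5 is an assumption, and parameter valuations are enumerated over a small integer box instead of being handled symbolically.

```python
from itertools import product

# Constructed graph, not a copy of Fig. 4: each node maps to (propositions holding there,
# constraint on the parameter valuation as a predicate over a dict name -> int).
PHI = {"ProducerIdle", "ConsumerReady"}
NODES = {
    "s0a": (PHI, lambda v: v["maxIO"] > 1 and v["minIO"] == 0),
    "s1a": (set(), lambda v: v["maxIO"] > 1 and v["minIO"] == 0),
    "s2a": (set(), lambda v: v["maxIO"] >= 2 and v["minIO"] == 0),
    "s0b": ({"ProducerIdle"}, lambda v: v["maxIO"] >= 3),
    "s1b": (set(), lambda v: v["maxIO"] > 2 and v["minIO"] <= 2),
}
EDGES = {"s0a": ["s1a", "s0b"], "s1a": ["s2a"], "s2a": ["s0a"], "s0b": ["s1b"], "s1b": []}


def unwinding(start, k, active):
    """All paths of at most k transitions from start that stay inside the active nodes,
    i.e. the depth-k computation tree of the graph restricted to a parameter valuation."""
    paths = []

    def dfs(path):
        paths.append(path)
        if len(path) - 1 < k:
            for succ in EDGES[path[-1]]:
                if succ in active:
                    dfs(path + [succ])

    if start in active:
        dfs([start])
    return paths


def ef_witness(node, phi, k, active):
    """Bounded EF phi: some path of at most k transitions from node ends in a phi-node."""
    return any(phi <= NODES[p[-1]][0] for p in unwinding(node, k, active))


def egef_witness(start, phi, k, active):
    """Bounded EG EF phi: a lasso of at most k transitions from start such that every
    node on it has a bounded EF witness.  Returns the lasso or None."""
    for p in unwinding(start, k, active):
        is_lasso = p.index(p[-1]) < len(p) - 1
        if is_lasso and all(ef_witness(n, phi, k, active) for n in set(p)):
            return p
    return None


def synthesize(start, phi, k, names, bound):
    """Brute-force part of the parameter set: for every integer valuation in
    [0, bound]^len(names), keep only the nodes whose constraint holds and look for a
    witness there.  Maps each valuation (as a tuple in the order of names) to its lasso."""
    found = {}
    for values in product(range(bound + 1), repeat=len(names)):
        valuation = dict(zip(names, values))
        active = {n for n, (_, constraint) in NODES.items() if constraint(valuation)}
        witness = egef_witness(start, phi, k, active)
        if witness is not None:
            found[values] = witness
    return found


if __name__ == "__main__":
    names = ["minIO", "maxIO"]
    for values, lasso in synthesize("s0a", PHI, 5, names, 3).items():
        print(dict(zip(names, values)), "->", " -> ".join(lasso))
```

The depth bound matters in the way BMC users expect: with k = 2 the three-transition loop through s0a, s1a and s2a cannot be closed and no valuation is reported, while k = 5 finds it for every valuation in the box with minIO = 0 and maxIO > 1. A witness found at some depth is sound for the valuations it covers; the absence of one at that depth says nothing about larger depths.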
4 Future work
The theory presented in this paper is to be implemented in the Verics model checker [12]. There is growing evidence [14, ?] of the success of model checking in the verification of safety-critical industrial applications, and the idea of parameter synthesis for a complex model or protocol seems promising in the analysis and design of real-world systems. Also, as the method is quite general, we expect that it may be applied to many known temporal, modal and epistemic logics.
References

1. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
2. R. Alur, T. Henzinger, and M. Vardi. Parametric real-time reasoning. In Proc. of the 25th Ann. Symp. on Theory of Computing (STOC'93), pages 592–601. ACM, 1993.
3. É. André, T. Chatain, E. Encrenaz, and L. Fribourg. An inverse method for parametric timed automata. International Journal of Foundations of Computer Science, 20(5):819–836, October 2009.
4. A. Annichini, A. Bouajjani, and M. Sighireanu. Trex: A tool for reachability analysis of complex systems. In Proc. of CAV, pages 368–372, 2001.
5. A. Biere, A. Cimatti, E. Clarke, O. Strichman, and Y. Zhu. Bounded model checking. In Highly Dependable Software, volume 58 of Advances in Computers. Academic Press, 2003. Pre-print.
6. I. Blunno, J. Cortadella, A. Kondratyev, L. Lavagno, K. Lwin, and C. Sotiriou. Handshake protocols for de-synchronization. In International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 149–158. IEEE Computer Society Press, 2004.
7. E. Clarke, A. Biere, R. Raimi, and Y. Zhu. Bounded model checking using satisfiability solving. Formal Methods in System Design, 19(1):7–34, 2001.
8. H. Dierks and J. Tapken. Moby/DC - a tool for model-checking parametric real-time specifications. In Proc. of the 9th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'03), volume 2619 of LNCS, pages 271–277. Springer-Verlag, 2003.
9. L. Doyen. Robust parametric reachability for timed automata. Information Processing Letters, 102:208–213, 2007.
10. E. A. Emerson and E. Clarke. Using branching-time temporal logic to synthesize synchronization skeletons. Science of Computer Programming, 2(3):241–266, 1982.
11. S.B. Furber and P. Day. Four-phase micropipeline latch control circuits. In IEEE Transactions on VLSI Systems, volume 4, pages 247–253, 1996.
12. T. Henzinger, P. Ho, and H. Wong-Toi. HyTech: A model checker for hybrid systems. In Proc. of the 9th Int. Conf. on Computer Aided Verification (CAV'97), volume 1254 of LNCS, pages 460–463. Springer-Verlag, 1997.
13. T. Hune, J. Romijn, M. Stoelinga, and F. Vaandrager. Linear parametric model checking of timed automata. In Proc. of the 7th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'01), volume 2031 of LNCS, pages 189–203. Springer-Verlag, 2001.
14. M. Kacprzak, W. Nabialek, A. Niewiadomski, W. Penczek, A. Półrola, M. Szreter, B. Woźna, and A. Zbrzezny. VerICS 2008 - a model checker for time Petri nets and high-level languages. In Proc. of Int. Workshop on Petri Nets and Software Engineering (PNSE'09), pages 119–132. University of Hamburg, 2009.
15. R. L. Spelberg, R. C. H. De Rooij, and W. J. Toetenel. Application of parametric model checking – the root contention protocol using LPMC. In Proc. of the 7th ASCI Conference, pages 73–85, February 2000.
16. W. Penczek, B. Woźna, and A. Zbrzezny. Bounded model checking for the universal fragment of CTL. Fundamenta Informaticae, 51(1-2):135–156, 2002.
17. M. Stoelinga. Fun with FireWire: A comparative study of formal verification methods applied to the IEEE 1394 root contention protocol. In Formal Asp. Comput., volume 14, pages 328–337, 2003.
18. L-M. Tranouez, D. Lime, and O. H. Roux. Parametric model checking of time Petri nets with stopwatches using the state-class graph. In Proc. of the 6th Int. Workshop on Formal Analysis and Modeling of Timed Systems (FORMATS'08), volume 5215 of LNCS, pages 280–294. Springer-Verlag, 2008.
19. S. Tripakis and S. Yovine. Analysis of timed systems using time-abstracting bisimulations. Formal Methods in System Design, 18(1):25–68, 2001.