© fachgebiet softwaretechnik, heinz nixdorf institut, universität paderborn 2.3 timed automata and...
TRANSCRIPT
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
2.3 Timed Automata and Real-Time Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
2Timed Automata und Realtime Statecharts 29.11.2012
Coding Contest
Prize: 100 € Amazon voucher
Task: Implement a BUZZER app Server-client application Android (4.0+) front-end Java back-end
Submit your complete source code until Dec. 23, 2012to [email protected]
My footnote text - My Name
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
3Timed Automata und Realtime Statecharts 29.11.2012
Summary State Machines
Different Semantics possible Trade-off: Flexibility (for the developer) vs. clarity
(compactness) Precise specification necessary
to guarantee unambiguouity (many developers are involved) to enable formal analysis (to prove that requirements are
fulfilled)
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
Timed Automata
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
5Timed Automata und Realtime Statecharts 29.11.2012
Timed Automata
Based on State Machines Finite state machine with clocks
Clocks handle time which is continuous Clock values can be tested or reset
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
6Timed Automata und Realtime Statecharts 29.11.2012
A Hot Topic
Ein digitales Detail stellt die Deutsche Bahn und den Siemens-Konzern
vor große Probleme: Das Kommando zum Anhalten eines ICE-3-Zugs
irrt etwa eine Sekunde lang durch den Rechner, bis es ausgeführt wird.
Nach SPIEGEL-Informationen verweigerte das Eisenbahn-Bundesamt
deshalb die Zulassung. Die acht neuen ICE vom Typ Velaro sind
schon lange bestellt, doch Siemens darf nicht liefern - wegen
Problemen an der Steuerungssoftware. Nach Informationen des
SPIEGEL traten bei Testfahrten des ICE 3 mit den bei der Deutschen
Bahn üblichen Doppelzügen schwerwiegende
Kommunikationsprobleme in der Software auf. Wird der Befehl zur
Aktivierung der Bremsen ausgelöst, erlaubt sich die Steuerung eine Art
Gedenksekunde, ehe sie das Kommando umsetzt. Bei einer
Geschwindigkeit von 250 Stundenkilometern kommt der
Zug nach einer Vollbremsung deshalb erst rund 70 Meter
später zum Stehen als die alten ICE. Trotzdem strebte Siemens die Zulassung
des ICE 3 an.“ (SPON 24.11.12)
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
7Timed Automata und Realtime Statecharts 29.11.2012
Timed Automata
Locations Represent states
Transitions Messages Guards Actions
A
addMoney(newAmount) [currentAmount + newAmount ≥ price]
currentAmount += newAmount
B
Finite state machine with real-valued clocks Clocks handle time which is continuous Clock values can be tested or reset
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
8Timed Automata und Realtime Statecharts 29.11.2012
A simple alarm clock
Goal: Model an alarm clock that rings after a specified time. When the snooze button is pressed the alarm is postponed for
5 minutes. The alarm shall not
sound more than 10 minutes.
Problem: UML allows only rather informal
specification of time in State Machines.
OffAlarm
set
Sound alarm
Snooze
setAlarm(time)
pressSnooze()
turnOff()?
?
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
9Timed Automata und Realtime Statecharts 29.11.2012
A simple alarm clock
Solution: Add a clock “clock1” Clock runs in back-ground during execution Clock conditions can serve as guards Clock can be reset (or
set to any other time)Off
Alarm set
Sound alarm
Snooze
setAlarm(time)
pressSnooze()
turnOff() [clock1 = time]
clock1 := 0
[clock1 = 300]clock1 := 0
clock1 := 0
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
10Timed Automata und Realtime Statecharts 29.11.2012
A simple alarm clock
Invariants ensure that the state is active at most the given amount of time Requirement: “The alarm shall not sound more than 10
minutes.”
OffAlarm
set
Sound alarm
Snooze
setAlarm(time)
pressSnooze()
turnOff()[clock1 = time]
clock1 := 0
[clock1 = 300]
clock1 ≤ 600
clock1 := 0
clock1 := 0
[clock1 = 600]
clock1 := 0
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
11Timed Automata und Realtime Statecharts 29.11.2012
Timed Automata
Locations Represent states
Transitions Guards
• Tells when the transition is enabled
Actions Clocks
Test them in guards Reset them in actions Invariants on states
Sound alarm
SnoozepressSnooze()
clock1 := 0
[clock1 = 300]clock1 := 0
clock1 ≤ 600
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
12Timed Automata und Realtime Statecharts 29.11.2012
Networked Timed Automata
Channels are used to synchronize TA Both automata take respective transition
simultaneously
Channels are bidirectional Can have an assigned priority
Original definition Only 1:1 synchronization
Later versions: 1:n synchronization (one ! and many ?)
Acts as a guard Transition cannot be taken unless both
processes are in the state that enables synchronization
A
B
channel1?
C
D
channel1?
X
Y
channel1!
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
13Timed Automata und Realtime Statecharts 29.11.2012
Networked Timed Automata
Locations Represent states
Transitions Guards
• Tells when the transition is enabled
Action Clocks
Test them in guards Reset them in actions Invariants on states Local and global
Channels Way of synchronizing processes
A
B
...
[clock < 5]
channel1?
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
14Timed Automata und Realtime Statecharts 29.11.2012
Timed Automata Definition
A Timed Automaton is a 9-Tupel (L, L0, Ch, A, C, G, Gc, I, E)
L : finite, non-empty set of locations (states) L0 L : initial location
Ch: finite set of channels used for synchronization A : set of actions (including synchronizations) C : finite set of clocks G : finite set of guards on the variables and clocks Gc G: finite set of propositions depending only on the clocks
from C (time constraints) I : L → Gc assigns a time invariant to a location
E: finite set of edges between locations, A Time Constraint on the set of clocks C is defined as
φ(C) := c < x | c ≤ x | c = x | c > x | c ≥ x | φ1 φ2
where c is a clock from C and is constant.
LCΡGALE }{
Qx
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
15
Tool Support for Networked Timed Automaton: UPPAAL
Uppaal is an integrated tool environment for modeling, simulation and verification of real-time systems.
Key features of Uppaal v.4 A graphical system editor allowing
graphical descriptions of systems. A graphical simulator which provides
graphical visualization. A requirement specification editor. A model-checker for automatic
verification. Generation of diagnostic trace
Timed Automata und Realtime Statecharts 29.11.2012
Quelle: http://www.uppaal.com/
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
16Timed Automata und Realtime Statecharts 29.11.2012
Example: Scientists crossing a bridge Scenario:
Dijkstra, Turing, Knuth, and Petri are on the return of a conference when their car breaks down in the dark.
They cannot stay in the car because there are wild and dangerous animals in the woods.
Across a moldered bridge is a house in which they can stay for the night.
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
17Timed Automata und Realtime Statecharts 29.11.2012
Example: Scientists crossing a bridge Requirements
The bridge can carry at most two people at the same time They have only one flashlight which only lasts one hour and
cannot be thrown. The bridge can only be crossed with the flashlight otherwise
it’s too dark. The speed of a pair is determined by the speed of the slower
person. The times each scientist needs to cross the bridge are:
• 5 min, 10 min, 20 min, and 25 min.
How do they manage to cross the river within an hour?
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
18Timed Automata und Realtime Statecharts 29.11.2012
Global Declarations and Templates
automaton template for scientists
automaton template for the flashlight
Urgent location: Time is not allowed to pass in this state. So one of the outgoing transitions is taken “immediately”, though interlea-ving with other processes is allowed.
Legend:guards (green)location name (red)update (purple)sync (cyan)
global declaration
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
19Timed Automata und Realtime Statecharts 29.11.2012
System declarations
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
20
System simulation
29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
21Timed Automata und Realtime Statecharts 29.11.2012
System simulation
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
22Timed Automata und Realtime Statecharts 29.11.2012
Specifying requirements
Two different kinds of requirements: Safety: “something bad will not happen” Liveness: “something good will happen”
where P ::= (Atomic Propositions) • Proc.I oc | (Process Proc at
Location Ioc)• c = n | c < n | c <= n | (Clock comparison)• P and P | P or P | P -> P | (Boolean combinations)
not P | P imply P
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
23Timed Automata und Realtime Statecharts 29.11.2012
System verification
Verify that the system has no deadlock A[] not deadlock Property is satisfied.
Verify that it is possible for every scientist to reach the safe side within 60 minutes: E<> Knuth.safe and Petri.safe and Dijkstra.safe and
Turing.safe and time <= 60 Property is satisfied.
Scheduling problem reformulated as reachability property
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
24Timed Automata und Realtime Statecharts 29.11.2012
System verification
Verify that the system has no deadlock A[] not deadlock Property is satisfied.
Verify that it is possible for every scientist to reach the safe side within 60 minutes: E<> Knuth.safe and Petri.safe and Dijkstra.safe and
Turing.safe and time <= 60 Property is satisfied.
Scheduling problem reformulated as reachability property
Hint: Activate fastest diagnostic trace to see fastest solution trace in Simulator
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
Real-Time Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
26
Example: Convoys in RailCab System Motivation
RailCabs build convoys to save energy ( slipstream) Safety critical, because only small space between RailCabs => Software has to be correct
• i.e. “It can never happen that FrontRole is in state convoy and RearRole is in state noConvoy.”
Idea: Specify complex communication between roles independently from other system behavior Validation possible
RailCab RailCab
ConvoyCoordination
Role: front Role: rear
Fahrtrichtung29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
27
Coordination Patterns & Realtime Statecharts Coordination Pattern specifies communication of roles Each role specified by a Real-Time Statechart
ConvoyCoordination
front rear
Convoy
noConvoy
default
startConvoy/[cf ≤ 999]
[cf > 999]
waitcf ≤ 1000
default
/convoyProposal {cf}
[isConvoyUseful()] [20;50]
breakConvoy/
Convoy
noConvoy
default
/startConvoy[cr = 999]
[cr > 999]
waitcf = 1000
default
convoyProposal/ {cr}
/breakConvoy
29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
28
Convoy
noConvoy
default
startConvoy/[cf ≤ 999]
[cf > 999]
waitcf ≤ 1000
default
/convoyProposal {cf}
[isConvoyUseful()] [20;50]
breakConvoy/
Real-Time Statecharts
Combine UML Statemachines by concepts of Timed Automata to add timing constraints: periods, deadlines, (worst case) execution times
Clocks: assigned to a Statechart apply for all states of the
Statechart apply recursively within
hierarchically Statecharts
Clock-Reset
cf: clock name
state invariant
deadline
29.11.2012Timed Automata und Realtime Statecharts
Clock guard
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
29
Mapping RTSCs to Timed Automata Real-Time Statecharts enable hierarchy Timed Automata do not support hierarchy
Real-Time Statecharts have to be flattened to verify them with Uppaal
noConvoy.default
/startConvoy
[cr ≤ 999]
[cr > 999]
noConvoy.wait
cr ≤ 1000
convoy.default
convoyProposal/
{cr}
/breakConvoy
29.11.2012Timed Automata und Realtime Statecharts
Convoy
noConvoy
default
/startConvoy[cr = 999]
[cr > 999]
waitcf = 1000
default
convoyProposal/ {cr}
/breakConvoy
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
30
Mapping RTSCs to Timed Automata Timed Automata assume execution of transitions in zero time But: Transitions can have side effects like function calls
These are not executable in zero time Therefore, deadlines and WCETs are introduced in RTSCs
Can be mapped to Timed Automata (time is consumed within states)
A B... [2;5]
doSomething()
A A_B...
doSomething()B
cDead ≤ 5
[cDead ≥ 2]
29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
31
RTSC of FrontRole
Timed Automata of FrontRole
Mapping RTSCs to Timed Automata
noConvoy.default
startConvoy/
[cf ≤ 999]
[cf > 999]
noConvoy.wait
cf ≤ 1000
convoy.default
/convoyProposal {cf}
[isConvoyUseful()] [20;50]
breakConvoy/
29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
32
RTSC of RearRole
Timed Automata of RearRole
Mapping RTSCs to Timed Automata
noConvoy.default
/startConvoy
[cr ≤ 999]
[cr > 999]
noConvoy.wait
cr ≤ 1000
convoy.default
convoyProposal/
{cr}
/breakConvoy
29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
33
Verification
Input: Timed Automata for FrontRole and RearRole of RailCab
Possible Verifications: No Deadlocks:
A[ ] not deadlock Property is satisfied.
It can never happen that FrontRole is in state convoy and RearRole is in state noConvoy:A[] not (FrontRole.convoy and RearRole.noConvoy) Property is satisfied.
29.11.2012Timed Automata und Realtime Statecharts
© F
achg
ebie
t S
oftw
aret
echn
ik,
Hei
nz N
ixdo
rf I
nstit
ut,
Uni
vers
ität
Pad
erbo
rn
34
Conclusion
Timed Automata Finite state machine with continuous clocks and channels for
synchronization Automatic verification of requirements via model checking
possible
Real-Time Statecharts Combination of UML Statecharts and Timed Automata Can be transformed to Timed Automata
Coordination Patterns describe complex communications between roles Role behavior is defined by Real-Time Statecharts
Timed Automata und Realtime Statecharts 29.11.2012