Kim Guldstrand Larsen BRICS@Aalborg

1
Kim Guldstrand Larsen, BRICS@Aalborg
FMT@Twente
Real Time Model Checking and Beyond using UPPAAL2k
2
Model Checking Tools
Figure: timeline with marks 80, 90 and 00 listing Tanenbaum; Milner, Hoare; Hajek (Eindhoven); PAN (Holzmann); TAU; CWB, AUTO, LOTOS; BDDs (Bryant); SPIN (Holzmann); Symbolic Model Checking (Clarke, Coudert); CESAR; FDR; SMV (McMillan); SPIN Workshop; SPIN w POR.
3
Model Checking Tools w Time
Figure: the same timeline extended with Timed Automata (Alur, Dill); EPSILON, TAB; KRONOS, HyTech, UPPAAL, DT SPIN, PMC; and UPPAAL2k at the 00 mark.
4
Collaborators
  • @AALborg
  • Kim G Larsen
  • Arne Skou
  • Paul Pettersson
  • Carsten Weise
  • Kåre J Kristoffersen
  • Gerd Behrmann
  • Thomas Hune
  • Oliver Möller
  • @UPPsala
  • Wang Yi
  • Johan Bengtsson
  • Paul Pettersson
  • Fredrik Larsson
  • Alexandre David
  • Tobias Amnell
  • Oliver Möller
  • @Elsewhere
  • David Griffioen, Ansgar Fehnker, Frits
    Vaandrager, Klaus Havelund, Theo Ruys, Pedro
    D'Argenio, J-P Katoen, J. Tretmans, Judi Romijn,
    Ed Brinksma, Franck Cassez, Magnus Lindahl,
    Francois Laroussinie, Patricia Bouyer, Augusto
    Burgueno, H. Bowmann, D. Latella, M. Massink, G.
    Faconti, Kristina Lundqvist, Lars Asplund, Justin
    Pearson...

5
Real Time Systems
Figure: a Controller Program (discrete; several tasks) connected to a Plant (continuous) through sensors and actuators.
E.g. realtime protocols, pump control, air bags, robots, cruise control, ABS, CD players, production lines.
Real Time System: a system where correctness depends not only on the logical order of events but also on their timing!!
6
Real Time Model Checking: Construction of UPPAAL models
Figure: the Controller Program (discrete) and the Plant (continuous) of slide 5. The UPPAAL Model consists of a model of the tasks (automatic?) and a model of the environment (user-supplied).
7
... and Beyond: Synthesis of Control Program
Figure: as on slide 6, but the tasks/scheduler are synthesised (automatic) from a Partial UPPAAL Model together with the model of the environment (user-supplied).
8
Overview
  • UPPAAL
  • Timed Automata
  • Tool and Demo
  • Case Studies
  • Verification Engine
  • CUPPAAL
  • Linearly Priced Timed Automata
  • (Optimal) Scheduling and Control Synthesis
  • Concluding Remarks

9
Intelligent Light Control
Figure: automaton with locations Off, Light and Bright; every edge is labelled press? (Off -> Light, Light -> Bright, Light -> Off, Bright -> Off).
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
10
Intelligent Light Control
Figure: the same automaton with a clock x: the edge Off -> Light resets x:=0, the edge Light -> Bright has guard x<3 and the edge Light -> Off has guard x>3.
Solution: Add real-valued clock x.
11
Timed Automata
Alur & Dill 1990
Clocks: x, y
Guard: Boolean combination of integer bounds on clocks and clock-differences.
Reset: Action performed on clocks.
Action: used for synchronization.
State: (location, x=v, y=u) where v,u are in R.
Figure: edge from location n to location m with guard x<5, y>3, action a and reset x:=0.
Transitions:
(n, x=2.4, y=3.1415) --a--> (m, x=0, y=3.1415)
(n, x=2.4, y=3.1415) --e(1.1)--> (n, x=3.5, y=4.2415)
12
Timed Automata: Invariants
Clocks: x, y
Figure: the edge n --x<5, y>3, a, x:=0--> m of slide 11, now with location invariants x<5 on n and y<10 on m.
Transitions:
(n, x=2.4, y=3.1415) --e(3.2)--> blocked: the invariant x<5 of n forbids this delay
(n, x=2.4, y=3.1415) --e(1.1)--> (n, x=3.5, y=4.2415)
Invariants ensure progress!!
13
The UPPAAL Model: Networks of Timed Automata + Integer Variables
Figure: two automata, one with edge l1 --x>=2, i==3, a!, x:=0, i:=i+4--> l2 and one with edge m1 --y<4, a?--> m2.
Two-way synchronization on complementary actions (a! / a?). Closed Systems!
Example transitions:
(l1, m1, ..., x=2, y=3.5, i=3, ...) --tau--> (l2, m2, ..., x=0, y=3.5, i=7, ...)
(l1, m1, ..., x=2, y=3.5, i=3, ...) --0.2--> (l1, m1, ..., x=2.2, y=3.7, i=3, ...)
If a is an URGENT CHANNEL
14
Train Crossing
Communication via channels and shared variable.
Figure: trains pass a Stoppable Area (10,20), a (3,5) segment and the Crossing (7,15) over the River; a Queue and a Gate control access.
15
Train Crossing
Communication via channels and shared variable.
Figure as on slide 14, annotated with the channels appr, stop, leave (trains and Gate), go (Gate to trains), and the Queue operations empty, nonempty, hd, add, rem with the shared variable el.
16
LEGO Mindstorms/RCX
  • Sensors: temperature, light, rotation, pressure.
  • Actuators: motors, lamps.
  • Virtual machine
  • 10 tasks, 4 timers, 16 integers.
  • Several Programming Languages
  • NotQuiteC, Mindstorm, Robotics, legOS, etc.

Figure: the RCX brick with 3 output ports, 1 infra-red port and 3 input ports.
17
First UPPAAL model: Sorting of Lego Boxes
Ken Tindell
Figure: boxes travel on a Conveyor Belt past a light sensor (readings for Black and Yellow boxes) to a Piston that can eject them; a Controller runs the tasks MAIN and PUSH; boxes are removed at the end of the belt.
Exercise: Design controller so that only yellow boxes are being pushed out.

18
NQC programs
    int active; int DELAY; int LIGHT_LEVEL;
    task MAIN {
        DELAY = 75; LIGHT_LEVEL = 35; active = 0;
        Sensor(IN_1, IN_LIGHT);             // light sensor on input 1
        Fwd(OUT_A, 1); Display(1);          // start the conveyor belt
        start PUSH;
        while (true) {
            wait(IN_1 > LIGHT_LEVEL);       // a light (yellow) box passes the sensor
            ClearTimer(1); active = 1; PlaySound(1);
            wait(IN_1 < LIGHT_LEVEL);
        }
    }
    task PUSH {
        while (true) {
            wait(Timer(1) > DELAY && active == 1);   // box has travelled to the piston
            active = 0;
            Rev(OUT_C, 1); Sleep(8);        // push the box out
            Fwd(OUT_C, 1); Sleep(12);       // retract the piston
            Off(OUT_C);
        }
    }
19
UPPAAL Demo
20
The Production Cell in LEGO: Course at DTU, Copenhagen
Rasmus Crüger Lund, Simon Tune Riemanni
Production Cell
21
Case Studies Protocols
  • Philips Audio Protocol HS95, CAV95, RTSS95,
    CAV96
  • Collision-Avoidance Protocol SPIN95
  • Bounded Retransmission Protocol TACAS97
  • Bang & Olufsen Audio/Video Protocol RTSS97
  • TDMA Protocol PRFTS97
  • Lip-Synchronization Protocol FMICS97
  • Multimedia Streams DSVIS98
  • ATM ABR Protocol CAV99
  • ABB Fieldbus Protocol ECRTS2k
  • IEEE 1394 Firewire Root Contention (2000)

22
Case-Studies Controllers
  • Gearbox Controller TACAS98
  • Bang & Olufsen Power Controller
    RTPS99, FTRTFT2k
  • SIDMAR Steel Production Plant RTCSA99, DSVV2k
  • Real-Time RCX Control-Programs ECRTS2k
  • Experimental Batch Plant (2000)
  • RCX Production Cell (2000)

23
THE UPPAAL ENGINE: Symbolic Reachability Checking
24
Zones: From infinite to finite
State: (n, x=3.2, y=2.5)
Symbolic state (set): (n, Z)
Zone Z: conjunction of constraints of the form x-y ~ n and x ~ n, where ~ is a comparison (<, <=, =, >=, >) and n is an integer.
25
Symbolic Transitions
Figure: edge n --x>3, a, y:=0--> m.
The zone of n delays to (all clocks advance), conjuncts to the guard x>3, and projects to the reset y:=0.
Thus (n, 1<x<4, 1<y<3) ==a==> (m, 3<x, y=0)
26
Forward Reachability
Init -> Final ?
INITIAL: Passed := Ø; Waiting := {(n0,Z0)}
REPEAT
  - pick (n,Z) in Waiting
  - if for some Z' ⊇ Z, (n,Z') in Passed then STOP
  - else (explore) add (m,U), where (n,Z) => (m,U), to Waiting
    Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Figure: the sets Init, Waiting, Passed and Final.
30
Canonical Datastructure for Zones: Difference Bounded Matrices
Bellman 58, Dill 89
Example constraints: x1-x2<4, x2-x1<10, x3-x1<2, x2-x3<2, x0-x1<3, x3-x0<5
Figure: the constraints drawn as a weighted graph over x0, x1, x2, x3, and the graph after Shortest Path Closure O(n^3), which gives the canonical (tightest) bounds.
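The zone operations described on slides 24 to 30 (delay, conjunction with a guard, clock reset, and the O(n^3) shortest-path closure that brings a DBM into canonical form), as an added Python example; it is not UPPAAL's own code. It assumes clock x is x1 and y is x2, and represents a bound as a (constant, strict) pair.

```python
# Added example, not UPPAAL's own code: a toy Difference Bound Matrix (DBM).
# A zone over clocks x1..xk plus the reference clock x0 = 0 is a matrix D where
# D[i][j] = (c, strict) bounds xi - xj:  xi - xj < c if strict else <= c.
import math

INF = (math.inf, True)   # no bound on xi - xj
ZERO = (0, False)        # xi - xj <= 0

def add(a, b):           # sum of two bounds; strict if either is strict
    return (a[0] + b[0], a[1] or b[1])

def tighter(a, b):       # is bound a strictly tighter than b?  (c,<) beats (c,<=)
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def fresh(k):            # unconstrained zone over k clocks (x0 included)
    return [[ZERO if i == j else INF for j in range(k + 1)] for i in range(k + 1)]

def close(D):
    # Shortest-path closure (Floyd-Warshall, O(n^3)) gives the canonical DBM;
    # a negative cycle (D[i][i] < 0) means the zone is empty.
    n = len(D)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = add(D[i][k], D[k][j])
                if tighter(via, D[i][j]):
                    D[i][j] = via
    return None if any(tighter(D[i][i], ZERO) for i in range(n)) else D

def up(D):               # delay ("future"): drop every upper bound xi - x0
    for i in range(1, len(D)):
        D[i][0] = INF
    return D

def conjunct(D, i, j, bound):  # add guard xi - xj ~ c, then re-canonicalise
    if tighter(bound, D[i][j]):
        D[i][j] = bound
    return close(D)

def reset(D, i):         # xi := 0, so row and column i copy those of x0
    for j in range(len(D)):
        D[i][j], D[j][i] = D[0][j], D[j][0]
    return D

def slide25():
    # (n, 1<x<4, 1<y<3) --x>3, a, y:=0--> (m, 3<x, y=0) with x = x1, y = x2
    Z = fresh(2)
    for i, j, b in [(1, 0, (4, True)), (0, 1, (-1, True)),
                    (2, 0, (3, True)), (0, 2, (-1, True))]:
        conjunct(Z, i, j, b)
    up(Z)                               # let time pass in location n
    Z = conjunct(Z, 0, 1, (-3, True))   # guard x > 3 is x0 - x1 < -3
    return reset(Z, 2)                  # y := 0
```

Closing the six constraints of slide 30 with the same `close` tightens x2-x1<10 to x2-x1<4 via x3, and conjoining a contradictory guard (e.g. x<2 after x>3) makes `close` report the empty zone.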
31
New Canonical Datastructure: Minimal collection of constraints
RTSS 1997
Example constraints: x1-x2<4, x2-x1<10, x3-x1<2, x2-x3<2, x0-x1<3, x3-x0<5
Figure: the constraint graph after Shortest Path Closure O(n^3), followed by Shortest Path Reduction O(n^3), which keeps only a minimal set of constraints.
Space: worst case O(n^2), in practice O(n).
32
(No Transcript)
33
(No Transcript)
34
Earlier Termination
Init -> Final ?
INITIAL: Passed := Ø; Waiting := {(n0,Z0)}
REPEAT
  - pick (n,Z) in Waiting
  - if for some Z' ⊇ Z, (n,Z') in Passed then STOP
  - else (explore) add (m,U), where (n,Z) => (m,U), to Waiting
    Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Figure: the sets Init, Waiting with (n,Z) and (m,U), Passed and Final.
36
Earlier Termination
Init -> Final ?
INITIAL: Passed := Ø; Waiting := {(n0,Z0)}
REPEAT
  - pick (n,Z) in Waiting
  - if Z ⊆ Z1 ∪ ... ∪ Zk for some (n,Z1), ..., (n,Zk) in Passed then STOP
  - else (explore) add (m,U), where (n,Z) => (m,U), to Waiting
    Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Figure: Waiting with (n,Z) and (m,U); Passed holding (n,Z1), (n,Z2), ..., (n,Zk).
37
Clock Difference Diagrams: Binary Decision Diagrams + Difference Bounded Matrices
CAV99
CDD-representations
  • Nodes labeled with differences
  • Maximal sharing of substructures (also across
    different CDDs)
  • Maximal intervals
  • Linear-time algorithms for set-theoretic
    operations.

38
(No Transcript)
39
(No Transcript)
40
Distributing UPPAAL
Gerd Behrmann, Thomas Hune, Frits Vaandrager
CAV2k
Figure: worker W1 with its local Passed list P1 receives a state.
Check in local Passed list. If not present: save, explore and distribute ...
Passed structure distributed.
Implemented using MPI on SUN Enterprise 10000 and Beowulf cluster.
41
Performance
SUN Enterprise 10000: Shared Memory, 12GB RAM, 24 x 333MHz CPUs
Super-linear Speed-up
Full State Space Generation
42
UPPAAL 1995 - 2001
Every 9 months 10 times better performance!
Figure: performance plot with marks at Dec 96, Sep 98 and version 3.x.
43
Scheduling & Synthesis of Control Programs: CUPPAAL (optimal)
with Gerd Behrmann, Ed Brinksma, Ansgar Fehnker, Thomas Hune, Paul Pettersson, Judi Romijn, Frits Vaandrager
HSCC01, TACAS01, CAV01
44
Observation: Many scheduling problems can be phrased naturally as reachability problems for timed automata!
46
Steel Production Plant
  • A. Fehnker
  • Hune, Larsen, Pettersson
  • Case study of Esprit-LTR project 26270 VHS
  • Physical plant of SIDMAR located in Gent, Belgium.
  • Part between blast furnace and hot rolling mill.
  • Objective: model the plant, obtain schedule and control program for plant.

Figure: plant layout with Crane A, Machines 1-5 on Lane 1 and Lane 2, Buffer, Crane B, Storage Place and Continuous Casting Machine.
47
Steel Production Plant
Input: sequence of steel loads (pigs).
Load follows Recipe to become certain quality, e.g. start T1@10 T2@20 T3@10 T2@10 end within 120.
Output: sequence of higher quality steel.
Figure: plant layout as on slide 46.
48
Steel Production Plant
Input: sequence of steel loads (pigs).
Load follows Recipe to become certain quality, e.g. start T1@10 T2@20 T3@10 T2@10 end within 120.
Output: sequence of higher quality steel.
Figure: plant layout with the recipe steps (@10, @20, @10, @10, @40) and elapsed times annotated along the load's route.
49
Steel Production Plant
Input: sequence of steel loads (pigs).
Load follows Recipe to obtain certain quality, e.g. start T1@10 T2@20 T3@10 T2@10 end within 120.
Output: sequence of higher quality steel.
Figure: as on slide 48, a later step of the animation.
50
Modus Operandi
1. Model plant as networks of timed automata (Physical Plant -> Plant Model).
2. Reformulate scheduling as reachability and apply UPPAAL tool (Plant Model -> Trace).
3. Synthesise program (Trace -> Program).
4. Execute program (Program -> Physical Plant).
51
A single load (part of)
Crane B
52
Modus Operandi
1. Model plant as networks of timed automata.
2. Reformulate scheduling as reachability and apply UPPAAL.
3. Synthesise program.
4. Execute program.
  • System with 5 steel loads: Parallel composition of
  • 15 timed automata (6 - 60 locations),
  • 18 real-valued clocks,
  • 28 bounded integer variables,
  • 140 action channels.

Verification: Generating schedule for three batches FAILS!!!
53
Guiding
1971 lines of RCX code (n=5), 24860 lines (n=60).
1(a). Model plant in UPPAAL (Physical Plant -> Plant Model).
1(b). Add guides to plant model to restrict behaviour (Plant Model -> Guided Plant Model).
2. Reformulate scheduling as reachability and apply UPPAAL (Guided Plant Model -> Trace).
3. Synthesise program (Trace -> Program).
4. Execute program.
54
Experiment
  • BFS: breadth-first search, DFS: depth-first search, BSH: bit-state hashing.
  • "-": requires >2h (on 450MHz Pentium III), >256 MB, or a suitable hash-table size was not found.
  • System size: 2n+5 automata and 3n+3 clocks; for n=35 that is 75 automata and 108 clocks.
  • Schedule generated for n=60 on Sun Ultra with 2x300MHz and 1024MB in 2257s.

55
LEGO Plant Model
Figure: crane a, m1-m5, crane b, buffer, storage and casting units, a central controller, and a Synthesis box.
  • LEGO RCX Mindstorms.
  • Local controllers with control programs.
  • IR protocol for remote invocation of programs.
  • Central controller.
56
LEGO Plant Model
Belt/Machine Unit.
57
Time Optimality
  • Asarin & Maler (1999): Time optimal control using backwards fixed point computation
  • Niebert, Tripakis & Yovine (2000): Minimum-time reachability using forward reachability
  • Behrmann, Fehnker et al. TACAS01, MBVI01: Minimum-time reachability using Branch-and-Bound

58
Cost Optimality
  • In scheduling theory one is not just interested in shortest or fastest schedules; other cost functions are considered as well.
  • This leads us to introduce a model of Linearly Priced Timed Automata, which adds prices to locations and transitions.
  • Price of a transition: the cost of taking it.
  • Price of a location: the cost per time unit of staying there.

59
Linearly Priced Timed Automata
60
Example
Prices
61
Example (execution)
62
Example (min-cost)
63
EXAMPLE: Optimal rescue plan for important persons (Presidents and Actors)
Figure: GORE, CLINTON, BUSH and DIAZ start on the UNSAFE side and must cross the Mines to the SAFE side; each person is annotated with a crossing time and a cost rate.
OPTIMAL PLAN HAS ACCUMULATED COST 195 and TOTAL TIME 65!
64
Aircraft Landing
runway
65
Priced Zones: Efficient Computability of Minimum Cost Reachability
66
Zones: Operations
Figure: a zone Z drawn in the x-y plane.
67
Priced Zone
Figure: zone Z in the x-y plane with a linear cost function drawn over it.
68
Reset
Figure: priced zone Z and the reset y:=0.
69
Reset
Figure: Z and yZ, the zone obtained by resetting y in Z.
70
Reset
Figure: yZ with its cost after the reset.
71
Reset
Figure: the cost over yZ is no longer a single linear function, so yZ is split into two priced zones.
A split of yZ
72
Delay
Figure: priced zone Z in the x-y plane before delay.
73
Delay
Figure: Z and its delay, the zone extended along the diagonal.
74
Delay
Figure: the delayed zone with its cost.
75
Delay
Figure: the cost over the delayed zone is no longer a single linear function, so it is split into two priced zones.
A split of the delayed zone
76
Optimal Forward Reachability: Termination: Bigger and Cheaper
Figure: two priced zones with example costs (0 to 10): a symbolic state is discarded when Passed already holds one that is bigger and cheaper.
77
Branch & Bound Algorithm
Selection may be Guided
Exploration may be Pruned
78
Experiments
80
Experiments: MC Order
Columns: COST-rates (G=5, C=10, B=20, D=25) | SCHEDULE | COST | TIME | Expl | Popd
Min Time Min Time Min Time Min Time | CG> G< BD> C< CG> | 60 1762 1538 2638
1 1 1 1 | CG> G< BG> G< GD> | 55 65 252 378
9 2 3 10 | GD> G< CG> G< BG> | 195 65 149 233
1 2 3 4 | CG> G< BD> C< CG> | 140 60 232 350
1 2 3 10 | CD> C< CB> C< CG> | 170 65 263 408
1 20 30 40 | BD> B< CB> C< CG> | 975 1085 85; time<85: - -
0 0 0 0 | - | 0 - 406 447
81
Aircraft Landing
Source of examples: Beasley et al. 2000
82
Optimal Broadcast
Figure: Router1 (k=1), Router2, Router3 and Router4 (each k=0) connected by links of type A (5 sec) and type B (3 sec); each router i has cost rates costAi and costBi, and there is a Basecost.
Given particular subscriptions, what is the cheapest schedule for broadcasting k?
83
Experimental Results
Columns: COST-rates (BC, R1, R2, R3, R4) | SCHEDULE | COST | TIME | Expl
Min Time Min Time Min Time Min Time Min Time | 1>3(B) ( 3>4(B) 1>2(A) ) | 8 1016
0 13 13 13 13 | 1>4(A) 3>4(A) 4>2(A) | 15 15 2982
3 13 13 13 13 | 1>3(B) ( 3>4(B) 1>2(A) ) | 47 8 1794
0 10 30 5 15 13 62 | 1>3(A) 3>2(A) 3>4(A) | 60 15 665
3 10 30 5 15 13 62 | 1>4(A) 4>3(B) 4>2(B) | 95 11 571
100 10 30 5 15 13 62 | 1>4(B) ( 1>3(A) 4>2(B) ) | 946 8 1471
0 t<10 10 30 5 15 13 62 | 1>4(B) 4>2(B) 4>3(B) | 102 9 1167
0 t<8 10 30 5 15 13 62 | 1>4(B) ( 1>3(A) 4>2(B) ) | 146 8 1688
84
Current & Future Research
  • DUPPAAL
  • GUPPAAL
  • CUPPAAL

  • PrUPPAAL
  • PUPPAAL
  • HUPPAAL
  • HyUPPAAL

85
Current & Future Research
  • DUPPAAL Distributed
  • GUPPAAL Guided
  • CUPPAAL Cost-Optimal
  • PrUPPAAL Probabilistic
  • PUPPAAL Parameterized
  • HUPPAAL Hierarchical (UML)
  • HyUPPAAL Hybrid (stopwatch automata)

86
Conclusion & Future
  • New method for solving and modeling optimal scheduling/planning problems.
  • Advantages:
  • Easy, flexible and very expressive modeling with clear operational interpretation
  • Several, small LP problems.
  • Disadvantages:
  • existing approaches still somewhat better
  • Goals:
  • Integrate Model Checking and Scheduling.
  • Extension to (optimal) dynamic scheduling/controller synthesis.

87
CONCUR Conference, 21.-24. August, Aalborg, DK
Invited Speakers: Prof. Bengt Jonsson (Feature Interaction), Prof. Robin Milner (Turing Award winner), Prof. Shankar Sastry (Hybrid Systems), Prof. Steve Schneider (Security)
Satellite Workshops: Express Workshop, GetCo, Testing Workshop, Safety Critical Systems, RealTime Tools Workshop
Tutorials: Holger Hermanns, Joost-Pieter Katoen (Performance); John Hatcliff (Model Checking C-programs)
CALL-FOR-PAPERS: March 25
concur01.cs.auc.dk
88
Thank you for the attention. For more information: http://www.uppaal.com