May, 16th, 2017 CA, USA

# Parametric model checking timed automata under non-Zenoness assumption

#### Hoang Gia NGUYEN Joint work with: Laure Petrucci, Étienne André and Jun Sun

LIPN, Université Paris 13, Sorbonne Paris Cité, CNRS, France

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

## Outline

### 1 Context

- Parametric Verification of Real-Time Systems
- Parametric Timed Automata (PTA)

### 2 Zenoness

- Zenoness Introduction
- Zenoness in Parametric Timed Model Checking

### 3 CUB-PTA

- CUB-TA Introduction
- CUB-PTA Introduction
- CUB-PTA Detection
- CUB-PTA Transformation
- Non-Zenoness Parametric Model Checking
- 4 Implementation and Experiments
- 5 Conclusions

## Outline

### 1 Context

- Parametric Verification of Real-Time Systems
- Parametric Timed Automata (PTA)

### 2 Zenoness

- Zenoness Introduction
- Zenoness in Parametric Timed Model Checking

### 3 CUB-PTA

- CUB-TA Introduction
- CUB-PTA Introduction
- CUB-PTA Detection
- CUB-PTA Transformation
- Non-Zenoness Parametric Model Checking
- 4 Implementation and Experiments
- 5 Conclusions

## Parametric Verification of Real-Time Systems

Verification techniques used for critical systems, timed systems where changes of time value is vital! such as:



- Systems incompletely specified, some timing delays may not be known yet, or may change
- 2 Verifying system for numerous values of constants requires a very long time, or even infinite

 $\Rightarrow$  Use parameterised techniques, by using parameters instead of constants, then one can check many values at the same time, but also infer good valuations of these timing constants

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

## Parametric Timed Automata (PTA)

PTA are a formalism to model and verify concurrent real-time systems [Alur et al., 1993]



x: Clock

p: Parameters allow to represent unknown values

 $K_0$ : Initial parameter contraint (e.g.  $p_1 \le p_2$  or  $p_2 > p_1$ )

## Parametric Timed Automata (PTA)

PTA are a formalism to model and verify concurrent real-time systems [Alur et al., 1993]



## Outline

### 1 Context

- Parametric Verification of Real-Time Systems
- Parametric Timed Automata (PTA)

### 2 Zenoness

- Zenoness Introduction
- Zenoness in Parametric Timed Model Checking

### 3 CUB-PTA

- CUB-TA Introduction
- CUB-PTA Introduction
- CUB-PTA Detection
- CUB-PTA Transformation
- Non-Zenoness Parametric Model Checking
- 4 Implementation and Experiments
- 5 Conclusions

## Zenoness in parametric timed model checking

#### Zeno Run Definition

A Zeno run is a run with an infinite number of actions within a finite time.

1 Run has a clock such that time cannot elapse



## Outline

### 1 Context

- Parametric Verification of Real-Time Systems
- Parametric Timed Automata (PTA)

### 2 Zenoness

- Zenoness Introduction
- Zenoness in Parametric Timed Model Checking

### 3 CUB-PTA

- CUB-TA Introduction
- CUB-PTA Introduction
- CUB-PTA Detection
- CUB-PTA Transformation
- Non-Zenoness Parametric Model Checking

### 4 Implementation and Experiments

### 5 Conclusions

## **CUB-TA** Introduction

#### **CUB** Introduction

CUB stands for "Clock Upper Bound", an approach derived from the paper [Wang et al., 2015] for solving the non-Zenoness problem on Timed Safety Automata (TA)

- Zeno loops can be checked directly on CUB-TA's Zone Graph
- 2 More efficient than other current existing approaches
- 3 No need to introduce any new clock to the model

 $\Rightarrow$  We define a CUB approach for PTA

## **CUB-PTA** Introduction

### **CUB-PTA** Definition

A PTA  $\mathcal{A}$  is a *CUB-PTA*, iff there exists a constraint  $\mathcal{A}.K_0$ on parameters that guarantees every clock has a non-decreasing upper bound along any path before it is reset, for all parameter valuations satisfying the initial constraint  $\mathcal{A}.K_0$ 



 $\begin{array}{l} \mathcal{A}.\mathsf{K}_0 = p_1 \leq p_2 \wedge p_1 \leq 5: \text{ non-decreasing} \\ \text{upper bound path!} \quad \Rightarrow \text{CUB-PTA} \\ \mathcal{A}.\mathsf{K}_0 = p_1 > p_2 \vee p_1 > 5: \text{ decreasing} \\ \text{upper bound path!} \quad \Rightarrow \text{ not CUB-PTA} \end{array}$ 

 $\Rightarrow$  No transformation exists such that a CUB-PTA can cover all cases! But a list of CUB-PTAs can

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

## CUB-PTA Introduction (cont.)

### Disjunctive CUB-PTA Definition

A disjunctive CUB-PTA is a list of CUB-PTAs



## CUB-PTA Introduction (cont.)



CUB-PTA detection aims at non-Zenoness synthesis of a partial or even complete result without modification on the given model.



 $\mathcal{A}.K_0 =$ 

#### Main idea

Given PTA  $\mathcal{A}$ , for each clock x on each edge with guard g from location l to l' we enforce a constraint with upper bound  $l_x$  less than or equal to  $g_x$  and  $l'_x$  (if x is not reset). If a conjunction of all constraints  $\mathcal{A}.K_0$  contains some valuations then the given PTA is *CUB-PTA* 

CUB-PTA detection aims at non-Zenoness synthesis of a partial or even complete result without modification on the given model.



 $\mathcal{A}.K_0 = p1 \leq p2$ 

#### Main idea

Given PTA  $\mathcal{A}$ , for each clock x on each edge with guard g from location l to l' we enforce a constraint with upper bound  $l_x$  less than or equal to  $g_x$  and  $l'_x$  (if x is not reset). If a conjunction of all constraints  $\mathcal{A}.K_0$  contains some valuations then the given PTA is *CUB-PTA* 

CUB-PTA detection aims at non-Zenoness synthesis of a partial or even complete result without modification on the given model.



$$\mathcal{A}.K_0 = p\mathbf{1} \le p\mathbf{2} \land \ p\mathbf{1} \le p\mathbf{1}$$

#### Main idea

Given PTA  $\mathcal{A}$ , for each clock x on each edge with guard g from location l to l' we enforce a constraint with upper bound  $l_x$  less than or equal to  $g_x$  and  $l'_x$  (if x is not reset). If a conjunction of all constraints  $\mathcal{A}.K_0$  contains some valuations then the given PTA is *CUB-PTA* 

CUB-PTA detection aims at non-Zenoness synthesis of a partial or even complete result without modification on the given model.



 $\begin{array}{l} \mathcal{A}.\mathsf{K}_0 = p1 \leq p2 \land \ p1 \leq p1 \Leftrightarrow \text{CUB-PTA with } \mathcal{A}.\mathsf{K}_0 = p1 \leq p2 \\ \text{Unchecked parameter valuations: } \mathcal{A}.\mathsf{K}_0 = p1 > p2 \Rightarrow \text{Partial CUB-PTA!} \end{array}$ 

#### Main idea

Given PTA  $\mathcal{A}$ , for each clock x on each edge with guard g from location l to l' we enforce a constraint with upper bound  $l_x$  less than or equal to  $g_x$  and  $l'_x$  (if x is not reset). If a conjunction of all constraints  $\mathcal{A}.K_0$  contains some valuations then the given PTA is *CUB-PTA* 

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking



Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017



Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017



Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017



location\*: a location containing an outgoing edge implies a decreasing upper bound

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking



Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017 14 / 23



Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017



Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking



(with a new initial location), while preserving the symbolic runs

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

## Non-Zenoness Parametric Model Checking



2 For every clock x in A, if x is bounded by a constant or a parameter for some location in the SCC, there exists an edge in the SCC where x is reset

SCC: Strongly Connected Component

### Non-Zenoness Parametric Model-Checking



### Non-Zenoness Parametric Model Checking



Hoang Gia Nguyen (Paris 13) Non-Zenoness PTA Checking

## Outline

### 1 Context



### 3 CUB-PTA

**4** Implementation and Experiments

#### 5 Conclusions

Hoang Gia Nguyen (Paris 13)

### Implementation



Implementation in IMITATOR [André, Fribourg, Kühne, Soulat, 2012]<sup>1</sup>

- About 3,000 lines of new OCaml code for our non-Zenoness parameter synthesis algorithm
- Thank to the Parma Polyhedra Library (PPL) library for solving linear inequality systems

Hoang Gia Nguyen (Paris 13)

<sup>&</sup>lt;sup>1</sup>http://www.imitator.fr/

### Experiments

| Mo         | odel   |        |        | synt         | hCycle       | CUBdetect  |              |       | CUBtransform |              |       |
|------------|--------|--------|--------|--------------|--------------|------------|--------------|-------|--------------|--------------|-------|
| Name       | #<br>X | #<br>P | #<br>L | Result       | Appr.        | CUB<br>for | Result       | Appr. | #L<br>CUB    | Result       | Appr. |
| CSMA/CD    | 3      | 3      | 28     |              | p_invalid    | L.         | -            | -     | 74           |              | exact |
| Fischer    | 2      | 4      | 13     |              | p_invalid    | 1          | -            | -     | 20           |              | exact |
| RCP        | 6      | 5      | 48     | Some         | p_invalid    | 1          | -            | -     | 71           |              | under |
| WFAS       | 4      | 2      | 10     | Some<br>102% | p_invalid    | Т          | -            | -     | 40           | Some<br>100% | exact |
| AndOr      | 4      | 4      | 27     | Some<br>166% | p_invalid    | Т          | -            | -     | 34           | Some<br>100% | under |
| Flip-flop  | 5      | 2      | 52     |              | exact        | Т          |              | exact | 58           |              | exact |
| Sched5     | 21     | 2      | 153    |              | exact        | L.         | -            | -     | 180          |              | under |
| simop      | 8      | 2      | 46     |              | p_invalid    | L.         | -            | -     | 81           |              | under |
| train-gate | 5      | 9      | 11     |              | p_invalid    | Some       |              | under | 23           |              | under |
| coffee     | 2      | 3      | 4      | Some<br>100% | $p\_invalid$ | Some       | Some<br>100% | under | 10           | Some<br>100% | under |
| CUBPTA1    | 1      | 3      | 2      | 208%         | over         | Some       | Some<br>69%  | under | 6            | Some<br>100% | exact |
| JLR13      | 2      | 2      | 2      | 1            | p_invalid    | Т          | <u>_</u>     | under | 3            | 1            | under |

- synthCycle (without non-Zenoness assumption): Synthesizes all parameter valuations of loops
- CUBdetect: Detects a given PTA is CUB-PTA then synthesizes parameter valuations of non-Zeno runs
- **CUBtrans:** Transforms a given PTA into CUB-PTA then synthesizes parameter valuations of non-Zeno runs

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

### Experiments

| Mo         | odel   |        |        | synt        | hCycle       | CUBdetect            |                      |            |              | CUBtransform         |                      |           |              |
|------------|--------|--------|--------|-------------|--------------|----------------------|----------------------|------------|--------------|----------------------|----------------------|-----------|--------------|
| Name       | #<br>X | #<br>P | #<br>L | Time<br>(s) | Result       | Detec<br>time<br>(s) | Total<br>time<br>(s) | CUB<br>for | Result       | Trans<br>time<br>(s) | Total<br>time<br>(s) | #L<br>CUB | Result       |
| CSMA/CD    | 3      | 3      | 28     | TO          |              | 0.013                | 0.013                | 1          | -            | 0.300                | TO                   | 74        | Т            |
| Fischer    | 2      | 4      | 13     | TO          |              | 0.003                | 0.003                |            | -            | 0.012                | TO                   | 20        | T            |
| RCP        | 6      | 5      | 48     | TO          | Some         | 0.013                | 0.013                | 1          | -            | 0.348                | TO                   | 71        |              |
| WFAS       | 4      | 2      | 10     | то          | Some<br>102% | 0.009                | 0.009                | T          | -            | 0.246                | 1848                 | 40        | Some<br>100% |
| AndOr      | 4      | 4      | 27     | ТО          | Some<br>166% | 0.012                | 0.012                | Т          | -            | 0.059                | то                   | 34        | Some<br>100% |
| Flip-flop  | 5      | 2      | 52     | 0.058       | L I          | 0.002                | 0.086                | Т          | 1            | 0.010                | 0.972                | 58        | L I          |
| Sched5     | 21     | 2      | 153    | 190         |              | 0.051                | 0.051                | 1          | -            | 1.180                | TO                   | 180       |              |
| simop      | 8      | 2      | 46     | TO          |              | 0.012                | 0.012                |            | -            | 0.219                | TO                   | 81        |              |
| train-gate | 5      | 9      | 11     | TO          |              | 0.000                | TO                   | Some       |              | 0.059                | TO                   | 23        |              |
| coffee     | 2      | 3      | 4      | то          | Some<br>100% | 0.000                | то                   | Some       | Some<br>100% | 0.012                | то                   | 10        | Some<br>100% |
| CUBPTA1    | 1      | 3      | 2      | 0.006       | T<br>208%    | 0.000                | 0.015                | Some       | Some<br>69%  | 0.006                | 0.073                | 6         | Some<br>100% |
| JLR13      | 2      | 2      | 2      | TO          |              | 0.000                | TO                   | Т          |              | 0.000                | TO                   | 3         |              |

- synthCycle: almost never terminates, and its result (under-approx of an over-approx) cannot be kept
- **CUBdetect**: is not very interesting
- CUBtrans: sometimes gives an exact result, sometimes an under-approx result, sometimes nothing

Hoang Gia Nguyen (Paris 13)

### Outline





### 3 CUB-PTA

4 Implementation and Experiments

### 5 Conclusions

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017

## Conclusions

### Contributions:

- Proposed and implemented new Zeno-free parametric model synthesizing approaches in IMITATOR tool
- Gave an overall view of our algorithms' performance, a set of case studies for non-Zenoness parametric model checking study

#### Future work:

- Implement other techniques such as yet to be defined parametric extensions of:
  - Strongly non-Zeno TAs [Tripakis et al., 2005]
  - Guessing zone graph [Herbreteau et al., 2012]

They could turn to be more efficient and should be investigated

## **Bibliography**

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017

### References I

| Ξ | l |  |
|---|---|--|

Alur, R., Henzinger, T. A., and Vardi, M. Y. (1993). Parametric real-time reasoning. In STOC, pages 592-601. ACM. André, É., Fribourg, L., Kühne, U., and Soulat, R. (2012). IMITATOR 2.5: A tool for analyzing robustness in scheduling problems. In FM, volume 7436 of Lecture Notes in Computer Science, pages 33-36. Springer. Herbreteau, F., Srivathsan, B., and Walukiewicz, I. (2012). Efficient emptiness check for timed Büchi automata. Formal Methods in System Design, 40(2):122–146. Tripakis, S., Yovine, S., and Bouajjani, A. (2005). Checking timed Büchi automata emptiness efficiently. Formal Methods in System Design, 26(3):267–292.



Wang, T., Sun, J., Wang, X., Liu, Y., Si, Y., Dong, J. S., Yang, X., and Li, X. (2015). A systematic study on explicit-state non-zenoness checking for timed automata. *IEEE Transactions on Software Engineering*, 41(1):3–18.

## Licensing

Hoang Gia Nguyen (Paris 13)

Non-Zenoness PTA Checking

May 16th, 2017

## Source of the graphics used I



Title: Ocaml logo Author: Amir Chaudhry Source: https://commons.wikimedia.org/wiki/File:Smiley\_green\_alien\_big\_eyes.svg License: CC BY-SA 4.0



Title: IMITATOR logo (Typing Monkey) Author: Kater Begemot Source: https://commons.wikimedia.org/wiki/File:Smiley\_green\_alien\_big\_eyes.svg License: CC BY-SA 3.0



Title: PPL logo Author: Unknown Source: http://bugseng.com/files/ext/images/site/ppl\_mm\_8.png License: GCC