# Embedded Systems Specification and Design Model-based Design and Verification

David Kendall

David Kendall CM0604/KF6009 Lecture 10 1/15

#### State space of timed automaton is infinite ?!!

- Introduction of real-valued clock variables to FSM makes its state space infinite
- How can we exhaustively explore infinite state space?
  - We can't
- How can we exhaustively explore state space of timed automaton?
  - Find an equivalent finite representation of its state space
- This is the key idea that makes model-checking of timed automata possible
- Finite representations
  - Region graph
  - Zone (simulation) graph

David Kendall CM0604/KF6009 Lecture 10 2/15

## Zones and their representation







$$M'$$
  $h_0$   $h_1$   $h_2$   $h_0$   $(0, \le)$   $(-2, \le)$   $(-1, \le)$   $h_1$   $(4, \le)$   $(0, \le)$   $(3, \le)$   $h_2$   $(3, \le)$   $(1, \le)$   $(0, \le)$ 

#### **DIFFERENCE BOUND MATRICES**

David Kendall CM0604/KF6009 Lecture 10 3/15

## Operations on zones



Thus (q,2<=h1<=4,1<=h2<=3) = a => (r, 3<h1, h2=0)

David Kendall CM0604/KF6009 Lecture 10 4/15

# Symbolic states and transitions

#### Symbolic state

A symbolic state,  $s = (\ell, \zeta)$ , consists of:

- a location vector, ℓ, and
- a zone, ζ

#### Symbolic transition

If the edges of a network of timed automata justify a transition from location vector  $\ell$  to location vector  $\ell'$  and the delays to, conjuncts and projects operations transform the zone  $\zeta$  to  $\zeta'$ , then for  $s=(\ell,\zeta)$  and  $s'=(\ell',\zeta')$ , we say there is a *symbolic transition* from s to s' and write  $s\Rightarrow s'$ 

David Kendall CM0604/KF6009 Lecture 10 5/15



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
         return true
    else
         if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
              WAITING \leftarrow WAITING \cup SUCC
              VISITED \leftarrow VISITED \cup \{s\}
         end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
         return true
    else
         if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
              WAITING \leftarrow WAITING \cup SUCC
              VISITED \leftarrow VISITED \cup \{s\}
         end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```



```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
        return true
    else
        if s \notin VISITED then
             SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
             WAITING ← WAITING ∪ SUCC
             VISITED \leftarrow VISITED \cup \{s\}
        end if
    end if
end while
return false
```

#### Search order



#### Breadth First:

- Search state space in breadth-first order
- Good for complete search and shortest/fastest trace

#### Depth First:

- Search state space in depth-first order
- Better than breadth-first if counter-example expected

David Kendall CM0604/KF6009 Lecture 10 7/15

# State space reduction



- Inclusion abstraction
- Active-clock reduction
- ...

David Kendall CM0604/KF6009 Lecture 10 8/15

#### Inclusion abstraction

```
INIT \leftarrow (\ell^0, \mathbf{0}_C)
WAITING \leftarrow {INIT}
VISITED \leftarrow \emptyset
while WAITING \neq \emptyset do
    remove some s = (\ell, \zeta) from WAITING
    if s satisfies p then
         return true
    else
         if \exists \zeta' \supseteq \zeta : (\ell, \zeta') \in VISITED then
              SUCC \leftarrow \{s' \mid s \Rightarrow s'\}
              WAITING \leftarrow WAITING \cup SUCC
              VISITED \leftarrow VISITED \cup \{s\}
         end if
    end if
end while
return false
```

David Kendall CM0604/KF6009 Lecture 10 9/15

#### Active clock reduction



- Inactive clocks need not be stored
- ⇒ smaller state space

David Kendall CM0604/KF6009 Lecture 10 10 / 15

## State space representation



David Kendall CM0604/KF6009 Lecture 10 11/15

# **Under-approximation**

- Uses bit-state hashing
- Does not guarantee to explore all states
- So, if verifier claims that some state is unreachable, it may be wrong
- Useful mainly for discovering bugs, not for proving their absence

David Kendall CM0604/KF6009 Lecture 10 12/15

# Over-approximation

- Uses convex hull abstraction
- May explore too many states
- So, if verifier claims that some state is reachable, it may be wrong
- Can prove absence of bugs but when it fails you need to ask if it's a genuine failure or a failure caused by the abstraction

David Kendall CM0604/KF6009 Lecture 10 13/15

## State space explosion summary

- Infinite number of states can be represented finitely by using symbolic representation, e.g. zones
- State space explosion
  - State space may be finite but often still too large to handle with current computing power
- Attacks on state space explosion
  - Store fewer states
  - Store smaller states

David Kendall CM0604/KF6009 Lecture 10 14/15

## And finally...

Much recent research has pushed model-based development using timed automata into new areas

- Priced timed automata
  - Reason about resource usage, e.g. energy
- Timed games
  - Controller synthesis
- Probabilistic timed automata
  - Reason about probabilistic systems, e.g. Bluetooth
- Statistical model-checking
  - Don't explore full state space, but use statistical techniques to calculate confidence in results based on partial exploration

David Kendall CM0604/KF6009 Lecture 10 15/15