Quantitati e Models for Verification

Quantitative Models for Verification
— A timed-automata-based perspective —
Patricia Bouyer-Decitre
LSV, CNRS & ENS Cachan, France
September 22, 2011
1/22
Time-dependent systems
We are interested in timed systems
2/22
Time-dependent systems
We are interested in timed systems
2/22
The standard timed automaton model
[AD90,AD94]
Example
done
y
, 22≤
≤25
15
re
problem,
x:=0
safe
y :=
0
repair
alarm
2≤y ∧x≤56
15≤
x≤
del
16
ay
ed,
safe
x
y
23
−→
safe
problem
−−−−−→
repairing
x≤
r,
pai
alarm
y :=
0
15.6
−−→
y :=0
failsafe
alarm
delayed
−−−−−→
failsafe
0
23
0
15.6
15.6
0
23
23
38.6
0
⋅⋅⋅
[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).
[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).
3/22
Why should we go further?
Not only time should be modelled, but further (time-dependent, or
not) information might be of interest.
Examples:
Interaction
Uncertainty
Resources
...
4/22
Task graph scheduling problems
Compute
D×(C ×(A+B))+(A+B)+(C ×D)
using two processors:
5/22
Task graph scheduling problems
Compute
P1
D×(C ×(A+B))+(A+B)+(C ×D)
(fast):
P2
using two processors:
T1
time
+
2 picoseconds
+
5 picoseconds
×
3 picoseconds
×
7 picoseconds
energy
B
energy
idle
10 Watt
idle
20 Watts
in use
90 Watts
in use
30 Watts
D
C
×
+
(slow):
time
A
T2
C
×
T3
+
T4
D
×
T5
+
T6
5/22
Task graph scheduling problems
Compute
(fast):
P2
using two processors:
+
2 picoseconds
+
5 picoseconds
3 picoseconds
×
7 picoseconds
10 Watt
idle
20 Watts
in use
90 Watts
in use
30 Watts
P2
5
T2
10
T3
T1
T5
T4
15
T6
×
T2
×
+
T3
T4
D
energy
idle
0
D
C
C
×
P1
B
T1
time
energy
A
+
(slow):
time
Sch1
P1
D×(C ×(A+B))+(A+B)+(C ×D)
×
+
T5
20
13 p
ic
1.37 osecon
ds
nano
joule
s
T6
25
Task graph scheduling problems
Compute
(fast):
P2
using two processors:
+
2 picoseconds
+
5 picoseconds
3 picoseconds
×
7 picoseconds
10 Watt
idle
20 Watts
in use
90 Watts
in use
30 Watts
Sch1
5
T2
P2
P1
P2
10
T3
T1
T1
15
T5
T6
T4
T3
T2
T5
T4
T6
×
T2
×
+
T3
T4
D
energy
idle
0
D
C
C
×
P1
B
T1
time
energy
A
+
(slow):
time
Sch2
P1
D×(C ×(A+B))+(A+B)+(C ×D)
×
+
T5
20
13 p
ic
1.37 osecon
ds
nano
joule
s
12 p
ic
1.39 osecon
ds
nano
joule
s
T6
25
Task graph scheduling problems
Compute
(fast):
P2
+
2 picoseconds
+
5 picoseconds
3 picoseconds
×
7 picoseconds
idle
20 Watts
in use
90 Watts
in use
30 Watts
Sch1
Sch2
5
P2
P1
T1
T1
P2
P1
P2
10
T3
×
×
20
13 p
ic
1.37 osecon
ds
nano
joule
s
T6
T4
T3
T5
T4
T3
T2
T4
T5
+
T6
25
12 p
ic
1.39 osecon
ds
nano
joule
s
T6
T2
T1
+
T4
T5
15
T5
T2
D
10 Watt
T2
×
T3
energy
idle
0
D
C
C
×
P1
B
T1
time
energy
A
+
(slow):
time
Sch3
P1
using two processors:
D×(C ×(A+B))+(A+B)+(C ×D)
T6
19 p
ic
1.32 osecon
ds
nano
joule
s
5/22
Modelling the task graph scheduling problem
Processors
x=2
P1 :
+
(x≤2)
P2 :
+
(y ≤5)
done1
add1
x=3
idle
x:=0
done1
mult1
×
x:=0
(x≤3)
y =5
y =7
done2
add2
done2
mult2
x:=0
idle
x:=0
×
(y ≤7)
6/22
Modelling the task graph scheduling problem
Processors
x=2
P1 :
done1
mult1
×
x:=0
x:=0
(x≤3)
y =5
y =7
+
done1
add1
(x≤2)
P2 :
+
(y ≤5)
Tasks
T4 :
x=3
done2
add2
x:=0
idle
idle
done2
mult2
x:=0
T5 :
t1 ∧t2
t4 :=1
addi
donei
addi
donei
t3
t5 :=1
×
(y ≤7)
6/22
Modelling the task graph scheduling problem
Processors
x=2
P1 :
done1
mult1
×
x:=0
x:=0
(x≤3)
y =5
y =7
+
done1
add1
(x≤2)
P2 :
+
(y ≤5)
Tasks
T4 :
x=3
done2
add2
x:=0
idle
idle
done2
mult2
x:=0
T5 :
t1 ∧t2
t4 :=1
addi
donei
addi
donei
t3
t5 :=1
×
(y ≤7)
Global system: (P1 ∥ P2 ) ∥s (T1 ∥ T2 ∥ ⋅ ⋅ ⋅ ∥ T6 )
A schedule: a path in the global system which reaches t1 ∧ ⋅ ⋅ ⋅ ∧ t6
6/22
Why (timed) games?
to model uncertainty
Example of a processor in the taskgraph example
x=2
+
(x≤2)
done
add
x:=0
x=3
idle
done
mult
x:=0
×
(x≤3)
7/22
Why (timed) games?
to model uncertainty
Example of a processor in the taskgraph example
x≥1
+
(x≤2)
done
add
x:=0
x≥1
idle
done
mult
x:=0
×
(x≤3)
7/22
Why (timed) games?
to model uncertainty
Example of a processor in the taskgraph example
x≥1
+
(x≤2)
done
add
x:=0
x≥1
idle
done
mult
x:=0
×
(x≤3)
7/22
Why (timed) games?
to model uncertainty
Example of a processor in the taskgraph example
x≥1
+
(x≤2)
done
add
x:=0
x≥1
idle
done
mult
x:=0
×
(x≤3)
to model an interaction with an environment
Example of the gate in the train/gate example
7/22
Why (timed) games?
to model uncertainty
Example of a processor in the taskgraph example
x≥1
+
(x≤2)
done
add
x:=0
x≥1
idle
done
mult
×
(x≤3)
x:=0
to model an interaction with an environment
Example of the gate in the train/gate example
?
7/22
Why (timed) games?
to model uncertainty
Example of a processor in the taskgraph example
x≥1
+
(x≤2)
done
add
x:=0
x≥1
idle
done
mult
x:=0
×
(x≤3)
to model an interaction with an environment
Example of the gate in the train/gate example
7/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
Aim: avoid
/ and reach ,
,
x≤1,c3
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
,
x≤1,c3
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
,
x≤1,c3
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
,
x≤1,c3
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
A (memoryless) winning strategy
from (ℓ0 , 0), play (0.5, c1 )
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
c2
/
,
x≤1,c3
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
A (memoryless) winning strategy
from (ℓ0 , 0), play (0.5, c1 )
; can be preempted by u2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
,
x≤1,c3
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
A (memoryless) winning strategy
from (ℓ0 , 0), play (0.5, c1 )
; can be preempted by u2
from (ℓ2 , ★), play (1 − ★, c2 )
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
,
x≤1,c3
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
A (memoryless) winning strategy
from (ℓ0 , 0), play (0.5, c1 )
; can be preempted by u2
from (ℓ2 , ★), play (1 − ★, c2 )
from (ℓ3 , 1), play (0, c3 )
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
,
x≤1,c3
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
A (memoryless) winning strategy
from (ℓ0 , 0), play (0.5, c1 )
; can be preempted by u2
from (ℓ2 , ★), play (1 − ★, c2 )
from (ℓ3 , 1), play (0, c3 )
c2
ℓ3
from (ℓ1 , 1), play (1, c4 )
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
,
x≤1,c3
Problems to be considered
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
,
x≤1,c3
Problems to be considered
Does there exist a winning strategy?
c2
ℓ3
8/22
An example of a timed game
Rule of the game
(x≤2)
x≥1,u3
ℓ0
x≤1,c1
x≥2,c4
x<1,u2 ,x:=0
ℓ1
x<1,u1
ℓ2
/
Aim: avoid
/ and reach ,
How do we play? According to a
strategy:
f : history 7→ (delay, cont. transition)
,
x≤1,c3
Problems to be considered
Does there exist a winning strategy?
c2
If yes, compute one (as simple as possible).
ℓ3
8/22
Why add stochastic features? And how?
to model probabilistic behaviours
9/22
Why add stochastic features? And how?
to model probabilistic behaviours
Example of losses when sending messages
lost
send
x≤2
x:=0
delivered
9/22
Why add stochastic features? And how?
to model probabilistic behaviours
Example of losses when sending messages
send
0.1
x:=0
0.9
lost
x≤2
delivered
; the probabilistic timed automata model
used e.g. in PRISM and UPPAAL-PRO
[KNSS02]
[KNSS02] Automatic verification of real-time systems with discrete probability distributions (TCS).
9/22
Why add stochastic features? And how?
to model probabilistic behaviours
Example of losses when sending messages
send
0.1
x:=0
0.9
lost
x≤2
delivered
; the probabilistic timed automata model
used e.g. in PRISM and UPPAAL-PRO
[KNSS02]
to model uncertainty on delays
[KNSS02] Automatic verification of real-time systems with discrete probability distributions (TCS).
9/22
Why add stochastic features? And how?
to model probabilistic behaviours
Example of losses when sending messages
send
0.1
x:=0
0.9
lost
; the probabilistic timed automata model
used e.g. in PRISM and UPPAAL-PRO
[KNSS02]
x≤2
delivered
to model uncertainty on delays
Example of a processor in the taskgraph example
x≥1
+
(x≤2)
done
add
x:=0
x≥1
idle
done
mult
×
x:=0
(x≤3)
[KNSS02] Automatic verification of real-time systems with discrete probability distributions (TCS).
9/22
Why add stochastic features? And how?
to model probabilistic behaviours
Example of losses when sending messages
send
0.1
x:=0
0.9
lost
; the probabilistic timed automata model
used e.g. in PRISM and UPPAAL-PRO
[KNSS02]
x≤2
delivered
to model uncertainty on delays
Example of a processor in the taskgraph example
x≥1
done
add
+
1
1.5
2
(x≤2)
x:=0
x≥1
idle
done
mult
×
x:=0
(x≤3)
1
2
3
; the stochastic timed automata model [BBB+08,BF09]
[KNSS02] Automatic verification of real-time systems with discrete probability distributions (TCS).
[BBB+08] Baier, Bertrand, Bouyer, Brihaye, Größer. Almost-sure model checking of infinite paths in one-clock timed automata (LICS’08).
[BF09] Bouyer, Forejt. Reachability in stochastic timed games (ICALP’09).
9/22
Stochastic timed game: an example
b
f
x≤1
x≤2
a
x≤3
x≤2
c
e
x=2
g
x=2
d
x :=0
x ≤2
Timed graph with vertices partitioned among three players:
classical players
playing “turn-based”
the Nature
stochastic player
10/22
Stochastic timed game: an example
b
f
x≤1
x≤2
a
x≤3
x≤2
c
e
x=2
g
x=2
d
x :=0
x ≤2
Timed graph with vertices partitioned among three players:
classical players
playing “turn-based”
the Nature
stochastic player
There are prescribed probability distributions from
vertices.
10/22
How is this game played?
b
f
x≤1
x≤2
a
x≤3
x≤2
c
e
x=2
g
x=2
d
x :=0
Players
Player
and
x ≤2
play according to standard strategies
plays according to the prescribed probability distributions:
choose a delay according to some distribution
choose an action according to some discrete distribution
11/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
d
x :=0
x ≤2
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(a,0)
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(a,0)
(c,1)
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(a,0)
(c,1)
probability distribution
over delays
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(b,1)
(a,0)
(c,1)
probability distribution
over delays
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(b,1)
(e,1)
(e,1+𝜀)
(a,0)
(c,1)
probability distribution
over delays
(e,2)
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(b,1)
(e,1)
(e,1+𝜀)
(a,0)
(c,1)
probability distribution
over delays
(e,2)
(d,2)
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(b,1)
(e,1)
(e,1+𝜀)
(a,0)
(g ,2)
(c,1)
probability distribution
over delays
(e,2)
(d,2)
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(b,1)
(e,1)
(e,1+𝜀)
(a,0)
(g ,2)
(c,1)
probability distribution
over delays
(e,2)
(d,2)
12/22
Play, an example
b
f
x≤1
x≤2
a
x≤3
x≤2
e
c
x=2
g
x=2
Strategy for
: go to c when x = 1
Strategy for
: go to g when x = 2
d
x :=0
x ≤2
From the game and the strategies we obtain a Markov chain:
(b,1)
(f ,2)
(e,1)
(e,1+𝜀)
(a,0)
(g ,2)
(c,1)
probability distribution
over delays
(f ,3)
(e,2)
(d,2)
12/22
How can we attach probabilities to delays?
The example of continuous-time Markov chains
n𝜆 ⋅ exp(−𝜆t)
exponential distribution
density function t 7→
0
if t ≥ 0
otherwise
13/22
How can we attach probabilities to delays?
The example of continuous-time Markov chains
n𝜆 ⋅ exp(−𝜆t)
exponential distribution
density function t 7→
0
if t ≥ 0
otherwise
; this is ok if delays are in [0, +∞)
13/22
How can we attach probabilities to delays?
The example of continuous-time Markov chains
n𝜆 ⋅ exp(−𝜆t)
exponential distribution
density function t 7→
0
if t ≥ 0
otherwise
; this is ok if delays are in [0, +∞)
But what if bounded intervals?
13/22
How can we attach probabilities to delays?
The example of continuous-time Markov chains
n𝜆 ⋅ exp(−𝜆t)
exponential distribution
density function t 7→
0
if t ≥ 0
otherwise
; this is ok if delays are in [0, +∞)
But what if bounded intervals?
truncated normal distribution
How can we attach probabilities to delays?
The example of continuous-time Markov chains
n𝜆 ⋅ exp(−𝜆t)
exponential distribution
density function t 7→
0
if t ≥ 0
otherwise
; this is ok if delays are in [0, +∞)
But what if bounded intervals?
I
truncated normal distribution
uniform distribution
density function t 7→
§
1
∣I ∣
0
if t ≥ 0
otherwise
13/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
s
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
randomly choose a delay
s
probability distribution
over delays
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
randomly choose a delay
s′
s
probability distribution
over delays
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
randomly choose a delay
then randomly select an edge
s′
s ′′
s
probability distribution
over delays
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
randomly choose a delay
then randomly select an edge
then continue
s′
s ′′
...
s
probability distribution
over delays
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
s′
randomly choose a delay
€
e
...
s
then randomly select an edge
then continue
s ′′
probability distribution
over delays
e
Š Z
€
1
n
ℙ 𝜋(s −→
⋅ ⋅ ⋅ −→
) =
e
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
t∈I (s,e1 )
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
s′
randomly choose a delay
€
e1
...
s
then randomly select an edge
then continue
s ′′
probability distribution
over delays
en
Š Z
€
e
t∈I (s,e1 )
𝜏,e1
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
ℙ 𝜋(s −→ ⋅ ⋅ ⋅ −→ ) =
I (s, e1 ) = {𝜏 ∣ s −−→} and 𝜇s distribution over I (s) =
S I (s, e)
e
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
s′
randomly choose a delay
€
e1
...
s
then randomly select an edge
then continue
s ′′
probability distribution
over delays
en
Š Z
€
e
t∈I (s,e1 )
𝜏,e1
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
ℙ 𝜋(s −→ ⋅ ⋅ ⋅ −→ ) =
I (s, e1 ) = {𝜏 ∣ s −−→} and 𝜇s distribution over I (s) =
S I (s, e)
e
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
s′
randomly choose a delay
€
e
...
s
then randomly select an edge
then continue
s ′′
probability distribution
over delays
e
Š Z
€
1
n
ℙ 𝜋(s −→
⋅ ⋅ ⋅ −→
) =
e
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
t∈I (s,e1 )
𝜏,e1
I (s, e1 ) = {𝜏 ∣ s −−→} and 𝜇s distribution over I (s) =
S I (s, e)
e
ps+t distribution over transitions enabled in s + t
(given by weights on transitions)
14/22
The semantics for 12 -player games in a nutshell
e
e
1
n
We measure symbolic cylinders of the form 𝜋(s −→
. . . −→
)
Idea:
From state s:
s′
randomly choose a delay
€
e
...
s
then randomly select an edge
then continue
s ′′
probability distribution
over delays
e
Š Z
€
1
n
ℙ 𝜋(s −→
⋅ ⋅ ⋅ −→
) =
e
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
t∈I (s,e1 )
𝜏,e1
I (s, e1 ) = {𝜏 ∣ s −−→} and 𝜇s distribution over I (s) =
S I (s, e)
e
ps+t distribution over transitions enabled in s + t
(given by weights on transitions)
e1
t
s−
→ s + t −→
st
14/22
Some remarks
1
2 -player
games define purely stochastic processes.
15/22
Some remarks
1
2 -player
games define purely stochastic processes.
Continuous-time Markov chains = timed automata with a single
“useless” clock which is reset on all transitions. The distributions on
delays are exponential distributions with a rate per location.
15/22
Some remarks
1
2 -player
games define purely stochastic processes.
Continuous-time Markov chains = timed automata with a single
“useless” clock which is reset on all transitions. The distributions on
delays are exponential distributions with a rate per location.
The semantics can be extended in a natural way to several players:
€
e
e
Š Z
€
1
n
⋅ ⋅ ⋅ −→
ℙ 𝜋(s −→
) =
e
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
t∈I (s,e1 )
mass distribution given by the strategy
if s is a player
vertex
15/22
Some remarks
1
2 -player
games define purely stochastic processes.
Continuous-time Markov chains = timed automata with a single
“useless” clock which is reset on all transitions. The distributions on
delays are exponential distributions with a rate per location.
The semantics can be extended in a natural way to several players:
€
e
e
Š Z
€
1
n
⋅ ⋅ ⋅ −→
ℙ 𝜋(s −→
) =
e
e
Š
2
n
ps+t (e1 ) ℙ 𝜋(st −→
⋅ ⋅ ⋅ −→
) d𝜇s (t)
t∈I (s,e1 )
mass distribution given by the strategy
if s is a player
vertex
Probabilistic timed automata = a subclass of the 1 12 -player games
0
z=
2≤x≤5
2≤x≤5
z:=0
(z=0)
z=
0
15/22
The synthesis problem
Problem statement
Given a game G , a (linear-time) property 𝜑, a rational threshold ⊳⊲ r ,
€
Š
is there a strategy f⋄ for player
s.t.
for all strategies f2 of player , ℙ G f⋄ ,f2 ∣= 𝜑 ⊳⊲ r ?
16/22
The synthesis problem
Problem statement
Given a game G , a (linear-time) property 𝜑, a rational threshold ⊳⊲ r ,
€
Š
is there a strategy f⋄ for player
s.t.
for all strategies f2 of player , ℙ G f⋄ ,f2 ∣= 𝜑 ⊳⊲ r ?
Number of players
2 12 -player games:
1 12 -player games:
1
2 -player
games:
(“Markov decision process”)
(“Markov chain”)
16/22
The synthesis problem
Problem statement
Given a game G , a (linear-time) property 𝜑, a rational threshold ⊳⊲ r ,
€
Š
is there a strategy f⋄ for player
s.t.
for all strategies f2 of player , ℙ G f⋄ ,f2 ∣= 𝜑 ⊳⊲ r ?
Number of players
2 12 -player games:
1 12 -player games:
1
2 -player
games:
(“Markov decision process”)
(“Markov chain”)
Possibility to ask ‘performance evaluation’ questions [BHHK10]
[BHHK10] Baier, Hermanns, Haverkort, Katoen. Performance Evaluation and Model Checking Join Forces (CACM).
16/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
; timed automata are not powerful enough!
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
; timed automata are not powerful enough!
A possible solution: use hybrid automata
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
; timed automata are not powerful enough!
A possible solution: use hybrid automata
The thermostat example
T ≤19
Off
On
Ṫ =−0.5T
Ṫ =2.25−0.5T
(T ≥18)
(T ≤22)
T ≥21
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
; timed automata are not powerful enough!
A possible solution: use hybrid automata
The thermostat example
T ≤19
Off
On
Ṫ =−0.5T
Ṫ =2.25−0.5T
(T ≥18)
(T ≤22)
T ≥21
22
21
19
18
2
4
6
8
10
time
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
[HKPV95] Henzinger, Kopke, Puri, Varaiya. What’s decidable wbout hybrid automata? (SToC’95).
17/22
Why model time-dependent resources?
System resources might be relevant and even crucial information
energy consumption,
memory usage,
bandwidth,
...
price to pay,
benefits,
temperature,
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: priced/weighted timed automata [ALP01,BFH+01]
; hybrid variables are observer variables
(they do not constrain a priori the system)
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).
[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed
automata (HSCC’01).
17/22
A simple example of weighted timed automata (WTA)
[ALP01,BFH+01]
Example (with a linear observer)
−3
+6
−6
ℓ0
ℓ1
ℓ2
x:=0
delay( 1 )
x=1
delay( 1 )
6
2
Run (ℓ0 , 0) −−−−−
→ (ℓ0 , 16 ) → (ℓ1 , 61 ) −−−−−
→ (ℓ1 , 32 ) → (ℓ2 , 23 ) . . .
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).
[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
18/22
A simple example of weighted timed automata (WTA)
[ALP01,BFH+01]
Example (with a linear observer)
4
−3
+6
−6
ℓ0
ℓ1
ℓ2
x:=0
delay( 1 )
x=1
3
2
1
0
0
1
delay( 1 )
6
2
Run (ℓ0 , 0) −−−−−
→ (ℓ0 , 16 ) → (ℓ1 , 61 ) −−−−−
→ (ℓ1 , 32 ) → (ℓ2 , 23 ) . . .
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).
[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
18/22
The taskgraph scheduling example
Compute
P1
D×(C ×(A+B))+(A+B)+(C ×D)
(fast):
P2
using two processors:
T1
time
+
2 picoseconds
+
5 picoseconds
×
3 picoseconds
×
7 picoseconds
energy
B
C
energy
idle
10 Watt
idle
20 Watts
in use
90 Watts
in use
30 Watts
D
×
+
(slow):
time
A
T2
C
×
T3
+
T4
D
×
T5
+
T6
19/22
The taskgraph scheduling example
Compute
P1
D×(C ×(A+B))+(A+B)+(C ×D)
(fast):
P2
using two processors:
T1
time
+
2 picoseconds
+
5 picoseconds
3 picoseconds
×
7 picoseconds
×
idle
20 Watts
in use
90 Watts
in use
30 Watts
x=2
done1
(x≤2)
add1
x:=0
+30
(y ≤5)
+
T6
+90
mult1
x:=0
(x≤3)
y =7
done2
+20
add2
x:=0
×
T5
x=3
done1
+10
y =5
done2
P2 :
+
T4
D
10 Watt
+90
D
×
T2
T3
energy
idle
P1 :
C
C
×
energy
B
+
(slow):
time
A
+30
mult2
x:=0
(y ≤7)
19/22
Beyond linear observers...
−50
−100
−50
−150
−100
Bank A:
rate: 2%
−20
Bank B:
rate: 5%
Bank C:
rate: 6%
−100
20/22
Beyond linear observers...
Example
We also consider PTA with an exponential observer:
−3
ℓ0
ℓ1
x:=0
−6
+6
−1
ℓ2
x=1
20/22
Beyond linear observers...
Example
We also consider PTA with an exponential observer:
−3
ℓ0
ℓ1
x:=0
−6
+6
−1
ℓ2
x=1
Rate −3 in location ℓ0 means
∂ cost
= −3 × cost
∂ time
cost = cost0 ⋅ e −3×t
20/22
Beyond linear observers...
Example
We also consider PTA with an exponential observer:
−3
ℓ0
ℓ1
x:=0
−6
+6
−1
ℓ2
x=1
4
3
2
1
0
0
1
Rate −3 in location ℓ0 means
∂ cost
= −3 × cost
∂ time
cost = cost0 ⋅ e −3×t
20/22
Relevant questions
Various optimization questions (optimal reachability, optimal
mean-cost or discounted infinite schedules, etc)
; an abundant literature since 2001 (for the linear observers only)
21/22
Relevant questions
Various optimization questions (optimal reachability, optimal
mean-cost or discounted infinite schedules, etc)
; an abundant literature since 2001 (for the linear observers only)
Scheduling under energy constraints (resource management): are
there scheduling policies/strategies when energy is constrained?
[BFLMS08]
[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).
21/22
Relevant questions
Various optimization questions (optimal reachability, optimal
mean-cost or discounted infinite schedules, etc)
; an abundant literature since 2001 (for the linear observers only)
Scheduling under energy constraints (resource management): are
there scheduling policies/strategies when energy is constrained?
[BFLMS08]
; An example: an oil pump control system [CJL+09]
[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).
[CJL+09] Cassez, Jessen, Larsen, Raskin, Reynier. Automatic synthesis of robust and optimal controllers - An industrial case study (HSCC’09).
21/22
Conclusion
Timed automata have been proven to be a convenient model for
representing real-time systems
However it is not expressive enough to faithfully represent some
important features of systems
interaction with the environment (antagonistic, stochastic,
cooperative...)
modelling of resources or energy
probabilities
A number of extensions have been proposed to adequately represent
such features (we can mix them)
The algorithmics of such systems is difficult (in general)
But a huge effort is put to develop methods for (approximate)
verification
22/22