Präsentation herunterladen
Veröffentlicht von:Frideric Peters Geändert vor über 10 Jahren
1
2.3 Timed Automata and Real-Time Statecharts
2
Prize: 100 € Amazon voucher Task:
Coding Contest Prize: 100 € Amazon voucher Task: Implement a BUZZER app Server-client application Android (4.0+) front-end Java back-end Submit your complete source code until Dec. 23, 2012 to My footnote text - My Name Timed Automata und Realtime Statecharts
3
Summary State Machines
Different Semantics possible Trade-off: Flexibility (for the developer) vs. clarity (compactness) Precise specification necessary to guarantee unambiguouity (many developers are involved) to enable formal analysis (to prove that requirements are fulfilled) Timed Automata und Realtime Statecharts
4
Timed Automata
5
Timed Automata Based on State Machines
Finite state machine with clocks Clocks handle time which is continuous Clock values can be tested or reset Timed Automata und Realtime Statecharts
6
A Hot Topic Ein digitales Detail stellt die Deutsche Bahn und den Siemens-Konzern vor große Probleme: Das Kommando zum Anhalten eines ICE-3-Zugs irrt etwa eine Sekunde lang durch den Rechner, bis es ausgeführt wird. Nach SPIEGEL-Informationen verweigerte das Eisenbahn-Bundesamt deshalb die Zulassung. Die acht neuen ICE vom Typ Velaro sind schon lange bestellt, doch Siemens darf nicht liefern - wegen Problemen an der Steuerungssoftware. Nach Informationen des SPIEGEL traten bei Testfahrten des ICE 3 mit den bei der Deutschen Bahn üblichen Doppelzügen schwerwiegende Kommunikationsprobleme in der Software auf. Wird der Befehl zur Aktivierung der Bremsen ausgelöst, erlaubt sich die Steuerung eine Art Gedenksekunde, ehe sie das Kommando umsetzt. Bei einer Geschwindigkeit von 250 Stundenkilometern kommt der Zug nach einer Vollbremsung deshalb erst rund 70 Meter später zum Stehen als die alten ICE. Trotzdem strebte Siemens die Zulassung des ICE 3 an.“ (SPON ) Timed Automata und Realtime Statecharts
7
Timed Automata Finite state machine with real-valued clocks Locations
Clocks handle time which is continuous Clock values can be tested or reset Locations Represent states Transitions Messages Guards Actions Timed Automata und Realtime Statecharts
8
A simple alarm clock Goal: Problem:
Model an alarm clock that rings after a specified time. When the snooze button is pressed the alarm is postponed for 5 minutes. The alarm shall not sound more than 10 minutes. Problem: UML allows only rather informal specification of time in State Machines. Timed Automata und Realtime Statecharts
9
A simple alarm clock Solution: Add a clock “clock1”
Clock runs in back-ground during execution Clock conditions can serve as guards Clock can be reset (or set to any other time) Timed Automata und Realtime Statecharts
10
A simple alarm clock Invariants ensure that the state is active at most the given amount of time Requirement: “The alarm shall not sound more than 10 minutes.” Timed Automata und Realtime Statecharts
11
Timed Automata Locations Transitions Clocks Represent states Guards
Tells when the transition is enabled Actions Clocks Test them in guards Reset them in actions Invariants on states Timed Automata und Realtime Statecharts
12
Networked Timed Automata
Channels are used to synchronize TA Both automata take respective transition simultaneously Channels are bidirectional Can have an assigned priority Original definition Only 1:1 synchronization Later versions: 1:n synchronization (one ! and many ?) Acts as a guard Transition cannot be taken unless both processes are in the state that enables synchronization NETWORKED Synchronisation pair is chosen non-deterministically if several combinations are enabled and no broadcast defined Timed Automata und Realtime Statecharts
13
Networked Timed Automata
Locations Represent states Transitions Guards Tells when the transition is enabled Action Clocks Test them in guards Reset them in actions Invariants on states Local and global Channels Way of synchronizing processes Timed Automata und Realtime Statecharts
14
Timed Automata Definition
A Timed Automaton is a 9-Tupel (L, L0, Ch, A, C, G, Gc, I, E) L : finite, non-empty set of locations (states) L L : initial location Ch: finite set of channels used for synchronization A : set of actions (including synchronizations) C : finite set of clocks G : finite set of guards on the variables and clocks Gc G: finite set of propositions depending only on the clocks from C (time constraints) I : L → Gc assigns a time invariant to a location E: finite set of edges between locations, A Time Constraint on the set of clocks C is defined as φ(C) := c < x | c ≤ x | c = x | c > x | c ≥ x | φ1 φ2 where c is a clock from C and is constant. propositions = Aussagen phi Timed Automata und Realtime Statecharts
15
Tool Support for Networked Timed Automaton: UPPAAL
Uppaal is an integrated tool environment for modeling, simulation and verification of real-time systems. Key features of Uppaal v.4 A graphical system editor allowing graphical descriptions of systems. A graphical simulator which provides graphical visualization. A requirement specification editor. A model-checker for automatic verification. Generation of diagnostic trace UPPAAL is free for academic use only. Uppsala University, Sweden and Aalborg University, Denmark Quelle: Timed Automata und Realtime Statecharts
16
Example: Scientists crossing a bridge
Scenario: Dijkstra, Turing, Knuth, and Petri are on the return of a conference when their car breaks down in the dark. They cannot stay in the car because there are wild and dangerous animals in the woods. Across a moldered bridge is a house in which they can stay for the night. Timed Automata und Realtime Statecharts
17
Example: Scientists crossing a bridge
Requirements The bridge can carry at most two people at the same time They have only one flashlight which only lasts one hour and cannot be thrown. The bridge can only be crossed with the flashlight otherwise it’s too dark. The speed of a pair is determined by the speed of the slower person. The times each scientist needs to cross the bridge are: 5 min, 10 min, 20 min, and 25 min. How do they manage to cross the river within an hour? Timed Automata und Realtime Statecharts
18
Global Declarations and Templates
Urgent location: Time is not allowed to pass in this state. So one of the outgoing transitions is taken “immediately”, though interlea-ving with other processes is allowed. automaton template for scientists automaton template for the flashlight Legend: guards (green) location name (red) update (purple) sync (cyan) Timed Automata und Realtime Statecharts
19
System declarations Timed Automata und Realtime Statecharts
20
System simulation Timed Automata und Realtime Statecharts
21
System simulation Timed Automata und Realtime Statecharts
22
Specifying requirements
Two different kinds of requirements: Safety: “something bad will not happen” Liveness: “something good will happen” where P ::= (Atomic Propositions) Proc.I oc | (Process Proc at Location Ioc) c = n | c < n | c <= n | (Clock comparison) P and P | P or P | P -> P | (Boolean combinations) not P | P imply P In einer kommenden Vorlesung wird darauf genauer eingegangen. Timed Automata und Realtime Statecharts
23
System verification Verify that the system has no deadlock
A[] not deadlock Property is satisfied. Verify that it is possible for every scientist to reach the safe side within 60 minutes: E<> Knuth.safe and Petri.safe and Dijkstra.safe and Turing.safe and time <= 60 Property is satisfied. Scheduling problem reformulated as reachability property Timed Automata und Realtime Statecharts
24
System verification Verify that the system has no deadlock
A[] not deadlock Property is satisfied. Verify that it is possible for every scientist to reach the safe side within 60 minutes: E<> Knuth.safe and Petri.safe and Dijkstra.safe and Turing.safe and time <= 60 Property is satisfied. Scheduling problem reformulated as reachability property Hint: Activate fastest diagnostic trace to see fastest solution trace in Simulator Timed Automata und Realtime Statecharts
25
Real-Time Statecharts
26
Example: Convoys in RailCab System
Motivation RailCabs build convoys to save energy ( slipstream) Safety critical, because only small space between RailCabs => Software has to be correct i.e. “It can never happen that FrontRole is in state convoy and RearRole is in state noConvoy.” Idea: Specify complex communication between roles independently from other system behavior Validation possible ConvoyCoordination Slipstream = Windschatten Role: front Role: rear RailCab RailCab Fahrtrichtung Timed Automata und Realtime Statecharts
27
Coordination Patterns & Realtime Statecharts
Coordination Pattern specifies communication of roles Each role specified by a Real-Time Statechart ConvoyCoordination front rear Timed Automata und Realtime Statecharts
28
Real-Time Statecharts
Combine UML Statemachines by concepts of Timed Automata to add timing constraints: periods, deadlines, (worst case) execution times Clocks: assigned to a Statechart apply for all states of the Statechart apply recursively within hierarchically Statecharts cf: clock name Clock guard Clock-Reset state invariant [Hei09] Feuern von Transitionen kostet im Allgemeinen Zeit Einsatz von Deadline-Intervallen deadline Timed Automata und Realtime Statecharts
29
Mapping RTSCs to Timed Automata
Real-Time Statecharts enable hierarchy Timed Automata do not support hierarchy Real-Time Statecharts have to be flattened to verify them with Uppaal Timed Automata und Realtime Statecharts
30
Mapping RTSCs to Timed Automata
Timed Automata assume execution of transitions in zero time But: Transitions can have side effects like function calls These are not executable in zero time Therefore, deadlines and WCETs are introduced in RTSCs Can be mapped to Timed Automata (time is consumed within states) Timed Automata und Realtime Statecharts
31
Mapping RTSCs to Timed Automata
RTSC of FrontRole Timed Automata of FrontRole Hier wird nur Kommunikation verifiziert werden. /convoyProposal wird asychron versendet convoyProposal? wird synchron durchgeführt Wie kann man asynchrone Komm. auf synchrone abbilden? A: Nachricht auf Kanal legen, Nachricht im Kanal speichern, Nachricht an Empfänger übermitteln Timed Automata und Realtime Statecharts
32
Mapping RTSCs to Timed Automata
RTSC of RearRole Timed Automata of RearRole Timed Automata und Realtime Statecharts
33
Verification Input: Timed Automata for FrontRole and RearRole of RailCab Possible Verifications: No Deadlocks: A[ ] not deadlock Property is satisfied. It can never happen that FrontRole is in state convoy and RearRole is in state noConvoy: A[] not (FrontRole.convoy and RearRole.noConvoy) Property is satisfied. Timed Automata und Realtime Statecharts
34
Conclusion Timed Automata Real-Time Statecharts
Finite state machine with continuous clocks and channels for synchronization Automatic verification of requirements via model checking possible Real-Time Statecharts Combination of UML Statecharts and Timed Automata Can be transformed to Timed Automata Coordination Patterns describe complex communications between roles Role behavior is defined by Real-Time Statecharts Timed Automata und Realtime Statecharts
Ähnliche Präsentationen
© 2024 SlidePlayer.org Inc.
All rights reserved.