UPPAAL Introduction

Chien-Liang Chen

Outline

Real-Time Verification and Validation Tools

Promela and SPIN

Simulation

Verification

Real-Time Extensions:

RT-SPIN Real-Time extensions to SPIN

UPPAAL Toolbox for validation and verification of

real-time systems

Modelling

UPPAAL

UPPAAL is a tool box for simulation and verification of

real-time systems based on constraint solving and other
techniques.
UPPAAL was developed jointly by Uppsala University
and Aalborg University.
It can be used for systems that are modeled as a
collection of non-deterministic processes w/ finite control
structures and real-valued clocks, communicating
through channels and/or shared variables.
It is designed primarily to check both invariants and
reachability properties by exploring the statespace of a
system.

UPPAAL Components

UPPAAL consists of three main parts:

a description language,
a simulator, and
a model checker.

The description language is a non-deterministic guarded

command language with data types. It can be used to
describe a system as a network of timed automata using
either a graphical (*.atg, *.xml) or textual (*.xta) format.
The simulator enables examination of possible dynamic
executions of a system during the early modeling stages.
The model checker exhaustively checks all possible
states.

UPPAAL Tools (earlier

version)

checkta syntax checker

simta simulator
verifyta model checker

Example .xta file format

(from UPPAAL in a Nutshell)
clock x, y;
int n;
chan a;
process A {
state A0 { y<=6 }, A1, A2, A3;
init A0;
trans A0 -> A1 {
guard y>=3;
sync a!;
assign y:=0;
},
A1 -> A2 {
guard y>=4;
},
A2 -> A3 {
guard n==5;
}, A3 -> A0;
}

Example (cont.)
(from UPPAAL in a Nutshell)

process B {
state B0 { x<=4 }, B1, B2, B3;
commit B1;
init B0;
trans B0 -> B1 {
guard x>=2;
sync a?;
assign n:=5,x:=0;
},
B1 -> B2 {
assign n:=n+1;
},
B2 -> B3 {
}, B3 -> B0;
}
system A, B;

Example (cont.)

Linear Temporal Logic (LTL)

LTL formulae are used to specify temporal properties.

LTL includes propositional logic and temporal
operators:

[ ]P = always P
<>P = eventually P
P U Q = P is true until Q becomes true

Examples:

Invariance: [ ] (p)
Response: [ ] ((p) -> (<> (q)))
Precedence: [ ] ((p) -> ((q) U (r)))
Objective: [ ] ((p) -> <>((q) || (r)))

Labels and Transitions

The edges of the automata can be labeled with three

different types of labels:

a guard expressing a condition on the values of clocks

and integer variables that must be satised in order for
the edge to be taken,
a synchronization action which is performed when the
edge is taken, and
a number of clock resets and assignments to integer
variables.

Nodes may be labeled with invariants; that is,

conditions expressing constraints on the clock values
in order for control to remain in a particular node.

Committed Locations

A committed location must be left immediately.

A broadcast can be represented by two transitions with a
committed state between sends.

Transitions

Delay transitions if none of the invariants of the nodes

in the current state are violated, time may progress
without making a transition; e.g., from
((A0,B0),x=0,y=0,n=0), time may elapse 3.5 units to
((A0,B0),x=3.5,y=3.5,n=0), but time cannot elapse 5 time
units because that would violate the invariant on B 0.

Action transitions if two complementary edges of two

different components are enabled in a state, then they can
synchronize; also, if a component has an enabled internal
edge, the edge can be taken without any synchronizaton;
e.g., from ((A0,B0),x=3.5,y=3.5,n=0) the two components
can synchronize to ((A1,B1),x=0,y=0,n=5).

Transitions (cont.)

Action transitions if two complementary edges of two

different components are enabled in a state, then they can
synchronize; also, if a component has an enabled internal
edge, the edge can be taken without any synchronizaton; e.g.,
from ((A0,B0),x=0,y=0,n=0) the two components can
synchronize to ((A1,B1),x=0,y=0,n=5).

UPPAAL Transitions

Urgent Channels and Committed

Locations

Transitions can be overruled by the presence of

urgent channels and committed locations:

When two components can synchronize on an urgent

channel, no further delay is allowed; e.g., if channel a
is urgent, time could not elapse beyond 3, because in
state ((A0,B0),x=3,y=3,n=0), synchronization on channel
a is enabled.

Committed Nodes

Transitions can be overruled by the presence of

urgent channels and committed locations:

If one of the components is in a committed node, no

delay is allowed to occur and any action transition must
involve the component committed to continue; e.g., in
state ((A1,B1),x=0,y=0,n=5), B1 is commited, so the next
state of the network is ((A1,B2),x=0,y=0,n=6).

UPPAAL Locations

Translation to UPPAAL
P1
P1 ::
:: while
while True
True do
do
T1
T1 :: wait(turn=1)
wait(turn=1)
C1
C1 :: turn:=0
turn:=0
endwhile
endwhile
||
||
P2
P2 ::
:: while
while True
True do
do
T2
T2 :: wait(turn=0)
wait(turn=0)
C2
C2 :: turn:=1
turn:=1
endwhile
endwhile

Mutual Exclusion Program

Example: Mutual Exclusion

Intelligent Light Control

press?

Off

press?

x:=0

x>3

Light

press?

x<=3

Bright

press?

Requirements: If a user quickly presses the light control

twice, then the light should get brighter; on the other hand, if
the user slowly presses the light control twice, the light should
turn off.
Solution: Add a real-valued clock, x.

UPPAAL Model =
Networks of Timed Automata

A timed automaton is a standard finite state automaton

extended with a finite collection of real-valued clocks.

Timed Automata
Clocks: x, y

Alur & Dill 1990

Guard

Boolean combination of comp with

integer bounds

x<=5 && y>3

Reset
Action perfomed on clocks

State
( location , x=v , y=u )

x := 0

Transitions

Action
used
for synchronization

where v,u are in R

( n , x=2.4 , y=3.1415 ) a
( m , x=0 , y=3.1415 )
e(1.1)

( n , x=2.4 , y=3.1415 )
( n , x=3.5 , y=4.2415 )

Timed Automata - Invariants

n

Clocks: x, y

x<=5
x<=5 & y>3

Location
Invariants

( n , x=2.4 , y=3.1415 )

e(1.1)

Invariants ensure progress.

y<=10
g4
g2 g3

e(3.2)

( n , x=2.4 , y=3.1415 )
( n , x=3.5 , y=4.2415 )

x := 0

g1

Transitions

A simple program
Int
Intxx
Process
ProcessPP

What are possible values for x?

do
do
::::x<2000
x<2000
x:=x+1
x:=x+1
od
od

Process
ProcessQQ
do
do
::::x>0
x>0
x:=x-1
x:=x-1
od
od
Process
ProcessRR
do
do
::::x=2000
x=2000
x:=0
x:=0
od
od

Questions/Properties:

Possible

fork
forkP;P;fork
forkQ;
Q;fork
forkRR
Always

E<>(x>1000)
E<>(x>2000)
A[](x<=2000)
E<>(x<0)
A[](x>=0)

Verification (example.xta)
int x:=0;
Int
process P{
Intxx
state S0;
init S0;
Process
ProcessPP
trans S0 -> S0{guard x<2000; assign x:=x+1; };
do
do
}
::::x<2000
x<2000
x:=x+1
x:=x+1
process Q{
od
od
state S1;
init S1;
Process
ProcessQQ
trans S1 -> S1{guard x>0; assign x:=x-1; };
do
do
}
::::x>0
x>0
x:=x-1
x:=x-1
process R{
od
od
state S2;
init S2;
Process
ProcessRR
trans S2 -> S2{guard x==0; assign x:=0; };
do
do
}
::::x=2000
x=2000
x:=0
x:=0
p1:=P();
od
od
q1:=Q();
r1:=R();
fork
forkP;P;fork
forkQ;
Q;fork
forkRR
system p1,q1,r1;

BNF for q-format

Example: Mutual Exclusion

Example (mutex2.xta)
//Global declarations
int turn;
int in_CS;
//Process template
process P(const id){
clock x;
state Idle, Try, Crit;
init Idle;
trans Idle -> Try{assign turn:=id, x:=0; },
Try -> Crit{guard turn==(1-id); assign in_CS:=in_CS+1; },
Try -> Try{guard turn==id; },
Crit -> Idle{guard x>3; assign in_CS:=in_CS-1; };
}
//Process assignments
P1:=P(1);
P2:=P(0);
//System definition.
system P1, P2;

From UPPAAL Models to

Kripke Structures
-time

I1 I2
t=0

T1 I2
t=0

I1 I2
t=1

I1 T2
t=0
T1 T2
t=0

I1 C2
t=0

T1 C2
t=0

I1 T2
t=1

T1 I2
t=1

C1 I2
t=1

T1 T2
t=1

C1 T2
t=1

CTL Models

Computation Tree Logic, CTL

(Clarke and Emerson, 1980)
Syntax

Example
(from UPPAAL2k: Small Tutorial)
P1

Obs

Example (cont.)

Example (cont.)
P1

Verification:

A[](Obs.taken imply x>=2)

E<>(Obs.idle and x>3)
E<>(Obs.idle and x>3000)

Obs

Example (cont.)

Example (cont.)

Translation to UPPAAL
P1
P1 ::
:: while
while True
True do
do
T1
T1 :: wait(turn=1)
wait(turn=1)
C1
C1 :: turn:=0
turn:=0
endwhile
endwhile
||
||
P2
P2 ::
:: while
while True
True do
do
T2
T2 :: wait(turn=0)
wait(turn=0)
C2
C2 :: turn:=1
turn:=1
endwhile
endwhile

Mutual Exclusion Program

CTL Models

Computation Tree Logic, CTL

(Clarke and Emerson, 1980)
Syntax

Path

s1

s2
p

The set of path starting

in s
p

s3...

Formal Semantics

CTL, Derived Operators

possibl
e
inevitabl
e
AF p

EF p

p
p

...

...

...

...

...

...

...

...

CTL, Derived Operators

potentially always
always

AG p

EG p

...

...

...

...

...

...

...

...

Theorem
All
Alloperators
operatorsare
arederivable
derivablefrom
from
EX
EXff
EG
EGff
E[
E[ff UUgg]]
and
andboolean
booleanconnectives
connectives

A f U g E gU f g EGg

UPPAAL Specification
Language
(AG p)
(EF p)

A[] p
E<> p
process location

data guards

clock guards

p::= a.l | gd | gc | p and p |

p or p | not p | p imply p |
( p )

Semantics: Example
push

click

y9

push

(off , x y 0) 3.5(off , x y 3.5) push

(on, x y 0) (on, x y ) push

(on, x 0, y ) 3(on, x 3, y 3) 9 ( 3)
(on, x 9 ( 3), y 9) click
(off , x 0, y 9) ...

Light Switch (cont.)

A[] (x <= y)
P.on --> P.off

push

click

y9

AG( x y )
AG( on AFoff )
AG( on AF9 off )
A off U x 2
A off U x 3
E off U x 3

push

A x 2 U on
E x 2 U on

Paths

push

Example Path:
y9

click

(off , x y 0) 3.5(off , x y 3.5) push

(on, x y 0) (on, x y ) push

(on, x 0, y ) 3(on, x 3, y 3) 9 ( 3)
(on, x 9 ( 3), y 9) click
(off , x 0, y 9) ...

push

Elapsed Time in Path

Example:

(off , x y 0) 3.5(off , x y 3.5) push
(on, x y 0) (on, x y ) push

(on, x 0, y ) 3(on, x 3, y 3) 9 ( 3)
(on, x 9 ( 3), y 9) click
(off , x 0, y 9) ...

Infinite State Space?

Regions
Finite partitioning of state space
Definitio
n

w w' iff w and w' satisfy

the exact same conditions of

the form
xi n and xi x j n

where n max

An equivalence class (i.e. a region)

in fact there are only a finite number of
regions!

Regions
Finite partitioning of state space
Definitio
n

w w' iff w and w' satisfy

the exact same conditions of
the form
xi n and xi x j n

2
1

where n max

Successor regions,
Succ(r)

An equivalence class (i.e. a

region)

Regions
Finite partitioning of state space
Definitio
n w w' iff w and w' satisfy

the exact same conditions of

the form
xi n and xi x j n

2
1
{x}r

where n max
THEOREM

r
{y}r 1

Reset
regions

Whenever uv u ' v' then

l,u , v sat

An equivalence class (i.e. a

region) r

l,u ' , v' sat

Region graph of simple timed

automata

Modified light switch

Reachable part
of region graph

Properties
AG( x y )
AG(on AFoff )
AG(on AF3off )

Roughly speaking....

Model
Model checking
checking aa timed
timed automata
automata
against
against aa TCTL-formula
TCTL-formula amounts
amounts to
to
model
model checking
checking its
its region
region graph
graph
against
against aa CTL-formula
CTL-formula

Problem to be solved

Model Checking TCTL is PSPACEhard

Zones: From Infinite to Finite

Symbolic state (set)
(n, 1 x 4,1 y 3 )

State
(n, x=3.2, y=2.5)
y

Zone:
conjunction of
x-y<=n, x<=>n

Symbolic Transitions
y

1<=x<=4
1<=y<=3

n
x>3

y
delays to

x
y

x
y
conjuncts to

x
y:=0
m

1<=x, 1<=y
-2<=x-y<=3

3<x, 1<=y
-2<=x-y<=3

x
projects to

3<x, y=0

Thus (n,1<=x<=4,1<=y<=3) =a => (m, 3<x,

61 y=0)

Forward Reachability

Final

Waiting

Init -> Final ?

INITIAL Passed := ;
Waiting := {(n0,Z0)}
REPEAT
- pick (n,Z) in Waiting
- if for some Z
Z
(n,Z) in Passed then STOP
- else (explore) add
{ (m,U) : (n,Z) => (m,U) }
to Waiting;
Add (n,Z) to Passed

Init

Passed

UNTIL Waiting =
or
Final is in Waiting

Forward Reachability

Final

Waiting

INITIAL Passed := ;
Waiting := {(n0,Z0)}
REPEAT
- pick (n,Z) in Waiting

- if for some Z
Z
(n,Z) in Passed then STOP
- else (explore) add
{ (m,U) : (n,Z) => (m,U) }
to Waiting;
Add (n,Z) to Passed

n,Z

n,Z
Init

Init -> Final ?

Passed

UNTIL Waiting =
or
Final is in Waiting

Forward Reachability

Waiting

m,U

INITIAL Passed := ;
Waiting := {(n0,Z0)}
REPEAT
- pick (n,Z) in Waiting
- if for some Z
Z
(n,Z) in Passed then STOP
- else /explore/ add
{ (m,U) : (n,Z) => (m,U) }
to Waiting;
Add (n,Z) to Passed

n,Z

n,Z
Init

Final

Init -> Final ?

Passed

UNTIL Waiting =
or
Final is in Waiting

Forward Reachability

Waiting

m,U

INITIAL Passed := ;
Waiting := {(n0,Z0)}
REPEAT
- pick (n,Z) in Waiting
- if for some Z
Z
(n,Z) in Passed then STOP
- else /explore/ add
{ (m,U) : (n,Z) => (m,U) }
to Waiting;
Add (n,Z) to Passed

n,Z

n,Z
Init

Final

Init -> Final ?

Passed

UNTIL Waiting =
or
Final is in Waiting

UPPAAL Verification Options

Diagnostic
DiagnosticTrace
Trace
Breadth-First
Breadth-First
Depth-First
Depth-First

Local
LocalReduction
Reduction
Global
GlobalReduction
Reduction
Active-Clock
Active-ClockReduction
Reduction

Re-Use
Re-UseState-Space
State-Space

Over-Approximation
Over-Approximation
Under-Approximation
Under-Approximation

Forward Rechability

Waiting

m,U

n,Z

n,Z
Init

Passed

Final

Init -> Final ?

INITIAL Passed := ;
Waiting := {(n0,Z0)}
location
REPEAT
- pick (n,Z) in Waiting zone
Z
- if for some Z
(n,Z) in Passed then STOP
- else /explore/ add
{ (m,U) : (n,Z) => (m,U) }
to Waiting;
Add (n,Z) to Passed
UNTIL Waiting =
or
Final is in Waiting

Order of Exploration
Depth-First vs Breadth-First

Waiting

m,U

n,Z

Depth-First
Depth-First
Waiting
Waitingstored
storedon
on
stack
stack
Breadth-First
Breadth-First
Waiting
Waitingstored
storedin
in
queue
queue

n,Z
Init

Final

Passed

In most cases BF is preferred

because
it allows for generation of
shortest
traces.
DF is useful in situations when
reachability may be concluded
without

Philips Bounded
Retransmission Protocol
(BRP)
[DArgenio et.al. 97]

Protocol Overview

Protocol developed by Philips.

Transfer data between Audio/Video
components via infra-red communication.
Data files are sent in smaller chunks.
Problem: Unreliable communication medium.
Solution:
Sender retransmits if receiver responds too late.
Receiver aborts if sender sends too late.

Overview of BRP
Input: file = p1, , pn

Output: p1, , pn

Sender

Receiver

BRP
pi

K
L

lossy

ack
lossy

How It Works

Sender input: file = p1, , pn.

first part of file

more parts
will follow

S sends (p1,FST,0), (p2,INC,1), ,

(pn-1,INC,1), (pn,OK,0).

R sends: ack, , ack.

whole file OK
S retransmits pi if timeout.
Receiver recives: p1, , pn.
Sender and Receiver receive NOK or OK.

BRP Model Overview

Input: file = p1, , pn

Output: p1, , pn

Sender

Receiver

OK, NOK, DK

IND, OK, NOK

BRP
(pi,INDicator,abit)

K
L

lossy

lossy

ack

The Lossy Media

one-place
capacity
delay

value-passing
lossy = may drop
messages

Bounded Retransmission

BRP Sender S sends a chunk pi and waits for

ack from BRP Receiver R.
If timeout occurs, the chunk is retransmitted.
If too many timeouts occur, the transmission
fails
(NOK is sent to the Sender).
If the whole file is successfully transmitted,
then OK is sent to the Sender.
BRP Receiver is similar.

Process S BRP Sender

Process R BRP Receiver

Sender and Receiver Applications