Clock Bound Repair for Timed Systems

Abstract: We present algorithms and techniques for the repair of timed system models, given as networks of timed automata (NTA). The repair is based on an analysis of timed diagnostic traces (TDTs) that are computed by real-time model checking tools, such as UPPAAL, when they detect the violation of a timed safety property. We present an encoding of TDTs in linear real arithmetic and use the MaxSMT capabilities of the SMT solver Z3 to compute possible repairs to clock bound values that minimize the necessary changes to … Show more

“…We analyze this model since it is a realistic model and of a reasonable size. A modified version of the model, which contains a property violation, is analyzed in [12]. The violated property expresses that the time delay between two ventricular heartbeats is not too high.…”

“…The type of properties that we are interested in are time bounded reachability properties, i.e., properties that state that a certain state will (or will not) be reached while a certain clock is satisfying a given bound. When a real-time model checker such as UPPAAL is noticing a violation of such a property, it produces a TDT which we represent symbolically as a symbolic timed trace (STT) [12]. A STT is a sequence of actions S = θ 0 , .…”

“…We encode the symbolic semantics of the TDT in linear real arithmetic as a timed diagnostic trace constraint system (TDTCS) [12]. A TDTCS T encodes every transition θ j = (l j , g j , a, r j , l j+1 ) in the TDT and is a conjunction of the following constraints:…”

“…A model satisfies the TDTCS iff the sequence of the delay values δ 0 , ..., δ n in the model is a realization of the STT [12]. We denote a realization by…”

“…The actual causes computed in this work rely on choices made during the dynamic execution of the model, for instance, a non-deterministically chosen interleaving of concurrent events during the execution of the model, and we refer to this type of a cause as dynamic actual causes. In other work, we have considered the syntactic repair of timed automata models based on an analysis of timed diagnostic traces obtained in real-time model checking [12]. In that work, syntactic features of the model are considered to be actual causes for the violation of timed reachability properties, and we refer to this type of causes as static actual causes.…”

Dynamic Causes for the Violation of Timed Reachability Properties

“…We analyze this model since it is a realistic model and of a reasonable size. A modified version of the model, which contains a property violation, is analyzed in [12]. The violated property expresses that the time delay between two ventricular heartbeats is not too high.…”

“…The type of properties that we are interested in are time bounded reachability properties, i.e., properties that state that a certain state will (or will not) be reached while a certain clock is satisfying a given bound. When a real-time model checker such as UPPAAL is noticing a violation of such a property, it produces a TDT which we represent symbolically as a symbolic timed trace (STT) [12]. A STT is a sequence of actions S = θ 0 , .…”

“…We encode the symbolic semantics of the TDT in linear real arithmetic as a timed diagnostic trace constraint system (TDTCS) [12]. A TDTCS T encodes every transition θ j = (l j , g j , a, r j , l j+1 ) in the TDT and is a conjunction of the following constraints:…”

“…A model satisfies the TDTCS iff the sequence of the delay values δ 0 , ..., δ n in the model is a realization of the STT [12]. We denote a realization by…”

“…The actual causes computed in this work rely on choices made during the dynamic execution of the model, for instance, a non-deterministically chosen interleaving of concurrent events during the execution of the model, and we refer to this type of a cause as dynamic actual causes. In other work, we have considered the syntactic repair of timed automata models based on an analysis of timed diagnostic traces obtained in real-time model checking [12]. In that work, syntactic features of the model are considered to be actual causes for the violation of timed reachability properties, and we refer to this type of causes as static actual causes.…”

Dynamic Causes for the Violation of Timed Reachability Properties

TarTar: A Timed Automata Repair Tool

Minimal Witnesses for Probabilistic Timed Automata