Jasper Berendsen

Probably on Time and within BudgetOn Reachability in Priced Probabilistic Timed Automata

This paper presents an algorithm for cost-bounded probabilistic reachability in timed automata extended with prices (on edges and locations) and discrete probabilistic branching. The algorithm determines whether the probability to reach a (set of) goal location(s) within a given price bound (and time bound) can exceed a threshold p isin [0,1]. We prove that the algorithm is partially correct and show an example for which termination cannot be guaranteed

Compositional Abstraction in Real-Time Model Checking

The idea to use simulations (or refinements) as a compositional abstraction device is well-known, both in untimed and timed settings, and has already been studied theoretically and practically in many papers during the last three decades. Nevertheless, existing approaches do not handle two fundamental modeling concepts which, for instance, are frequently used in the popular Uppaal model checker: (1) a parallel composition operator that supports communication via shared variables as well as synchronization of actions, and (2) committed locations. We describe a framework for compositional abstraction based on simulation relations that does support both concepts, and that is suitable for Uppaal . Our approach is very general and the only essential restriction is that the guards of input transitions do not depend on external variables. We have applied our compositional framework to verify the Zeroconf protocol for an arbitrary number of hosts.

Undecidability of Cost-Bounded Reachability in Priced Probabilistic Timed Automata

Priced Probabilistic Timed Automata (PPTA) extend timed automata with cost-rates in locations and discrete probabilistic branching. The model is a natural combination of Priced Timed Automata and Probabilistic Timed Automata. In this paper we focus on cost-bounded probabilistic reachability for PPTA, which determines if the maximal probability to reach a goal location within a given cost bound (and time bound) exceeds a threshold p *** (0,1]. We prove undecidability of the problem for simple PPTA in 3 variants: with 3 clocks and stopwatch cost-rates or strictly positive cost-rates. Because we encode a 2-counter machine in a new way, we can also show undecidability for cost-rates in *** and only 2 clocks.

The axiomatization of override and update

Abstract There are only very few natural ways in which arbitrary functions can be combined. One composition operator is override: for arbitrary functions f and g, f ▷ g is the function with domain dom ( f ) ∪ dom ( g ) that behaves like f on dom ( f ) and like g on dom ( g ) ∖ dom ( f ) . Another operator is update: f [ g ] has the same domain as f, behaves like f on dom ( f ) ∖ dom ( g ) , and like g on dom ( f ) ∩ dom ( g ) . These operators are widely used, especially within computer science, where for instance f [ g ] may denote the new state that results when in state f the updates given as g are applied. It is therefore surprising that thus far no axiomatization of these operators has been proposed in the literature. As an auxiliary operator we consider the minus operator: f − g is the restriction of f to the domain dom ( f ) ∖ dom ( g ) . The update operator can be defined in terms of override and minus. We present five equations that together constitute a sound and complete axiomatization of override and minus. As part of our completeness proof, we infer a large number of useful derived laws using the proof assistant Isabelle . With the help of the SMT solver Yices , we establish independence of the axioms. Thus, our axiomatization is also minimal. Finally, we establish that override and minus are functionally complete in the sense that any operation on general functions that corresponds to a valid coloring of a Venn diagram can be described using just these two operations.

Formal specification and analysis of zeroconf using uppaalS

The model checker Uppaal is used to formally model and analyze parts of Zeroconf, a protocol for dynamic configuration of IPv4 link-local addresses that has been defined in RFC 3927 of the IETF. Our goal has been to construct a model that (a) is easy to understand by engineers, (b) comes as close as possible to the informal text (for each transition in the model there should be a corresponding piece of text in the RFC), and (c) may serve as a basis for formal verification. Our modeling efforts revealed several errors (or at least ambiguities) in the RFC that no one else spotted before. We present two proofs of the mutual exclusion property for Zeroconf (for an arbitrary number of hosts and IP addresses): a manual, operational proof, and a proof that combines model checking with the application of a new abstraction relation that is compositional with respect to committed locations. The model checking problem has been solved using Uppaal and the abstractions have been checked by hand.