A reactive system with requirements pertaining to its timing behavior is often modeled as a network of timed automata (NTA) [BengtssonY03]. Whether a timing requirement holds in an NTA can be analyzed by timed model checkers such as Uppaal [BenLarLaretal95] or opaal [DalHanetal11]. In case of a requirement violation, a model checker returns a timed counterexample, also called a timed diagnostic trace (TDT). Until now, developers have had to identify and correct such violations manually by analyzing the generated TDTs. It is therefore desirable to support this process with an automated tool set that not only determines whether timing requirements are met, but also proposes syntactic repairs of the NTA in case they are not.
In [KoeLeuWie19] we presented an automated repair analysis that analyzes a TDT obtained from the violation of a timed safety property and returns syntactic repair suggestions that avoid the concrete executions of the TDT violating the property. The analysis performs an additional admissibility check ensuring that the repaired model is functionally equivalent to the original NTA, which means that no action traces are added or omitted by the repair.
To illustrate the repair analysis consider the NTA in Figures 1(a) and 1(b). It describes a client that sends a request req to a database db and expects to receive a response ser within time units after sending the request. The client contains a clock that measures the time delay between the creation of the request and the receipt of a response in location serReceiving. The NTA allows the execution of a TDT that violates the property, illustrated as a sequence diagram with time intervals in Figure 1(c). A time interval in the sequence diagram denotes the minimal and maximal time delay for the message transmission and the processing time in db, respectively. The repair computation analyzes the TDT and produces several syntactic repairs to the NTA that avoid the property violation. In [KoeLeuWie19], the computed repairs aim at the modification of clock bounds in location invariants and transition guards. An example of such a repair is to reduce the bound in the time constraint from to . The modified bound constrains the maximal transmit time of the req message so that the resulting NTA receives all responses within the expected time. This repair eliminates the problematic executions of the TDT in the original NTA without changing the functional behavior of the system, which is confirmed by an admissibility test defined in [KoeLeuWie19]. However, in general, it may not be possible to repair the model using only clock bound alterations.
We present TarTar [tartar], which extends the initial prototype implementation of the clock bound repair analysis presented in [KoeLeuWie19] to a more comprehensive NTA repair tool. Specifically, the extended tool implements new analyses that can suggest a whole range of repairs in addition to clock bound variation, such as modifying comparison operators in constraints, clock references, clock resets, and location urgency. Examples of new repairs computed for the model in Figure 1 are:
Exchanging the comparison operator in the constraint to ensures that the time to send a request is below time unit.
Exchanging clock in with clock restricts the time of processing and receiving the response to at most 2 time units.
Resetting the clock on the previous transition instead ensures that the time for sending and processing the request is below time unit.
Making the location serReceiving urgent reduces the time to receive a response to 0.
We call a repair admissible if the repaired system is functionally equivalent to the unrepaired system. The repair analysis implemented in TarTar returns the complete set of admissible repairs.
The repair analysis combines concepts and algorithms from model checking, constraint solving, and automata theory. A real-time model checker is used to generate TDTs for a given NTA that violate a given timed safety property. TarTar translates the TDT into a linear real arithmetic constraint system. An SMT solver is used to compute a repair for the generated constraint system by solving a MaxSMT problem. An automata-based language equivalence test checks whether the repair is admissible in the NTA model. The collaboration between these subcomponents yields a complex tool architecture. We provide insights into the design and implementation of this architecture and the underlying infrastructure of supporting tools. We evaluate the new repair analyses by applying TarTar to a number of NTA models. We systematically inject different modifications in these correct models and compute repairs for the obtained faulty models, which results in at least one admissible repair for % of the TDTs. The number of proposed admissible repairs is less than for all analyzed TDTs.
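As an added illustration of the pipeline described above (example code, not TarTar's own), the following Python encodes a constructed TDT for the client/db scenario as linear difference constraints over event timestamps, decides feasibility by a Floyd-Warshall closure with strict/non-strict bounds, and searches for the smallest single clock-bound decrement that makes the trace-plus-violation system infeasible while keeping the trace itself realizable, a bounded stand-in for the MaxSMT step. The event names, interval values and the property bound of 5 are assumptions, and the automata-based admissibility test is not included.

```python
from itertools import product

INF = (float("inf"), True)            # bound value, strictness flag
def add(a, b):                        # compose two bounds along a path
    return (a[0] + b[0], a[1] or b[1])
def less(a, b):                       # a is a tighter bound than b
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def feasible(n, constraints):
    """Floyd-Warshall closure; a negative cycle means UNSAT. A constraint
    (i, j, c, strict) reads t_j - t_i < c (strict) or t_j - t_i <= c."""
    d = [[INF] * n for _ in range(n)]
    for i in range(n):
        d[i][i] = (0, False)
    for i, j, c, strict in constraints:
        if less((c, strict), d[i][j]):
            d[i][j] = (c, strict)
    for k, i, j in product(range(n), repeat=3):
        s = add(d[i][k], d[k][j])
        if less(s, d[i][j]):
            d[i][j] = s
    return all(not less(d[i][i], (0, False)) for i in range(n))

def interval(i, j, lo, hi):
    """lo <= t_j - t_i <= hi, as a guard/invariant pair would be emitted."""
    return [(i, j, hi, False), (j, i, -lo, False)]

# Constructed TDT (values are assumptions, not Figure 1's): t0 = req sent
# (clock reset), t1 = req received by db, t2 = ser sent, t3 = ser received.
TDT = (interval(0, 1, 0, 3)     # req transmission
       + interval(1, 2, 1, 2)   # db processing
       + interval(2, 3, 0, 2))  # ser transmission
# Property: ser arrives within 5 time units; its violation t3 - t0 > 5
# is the constraint t0 - t3 < -5, conjoined with the TDT's constraints.
VIOLATION = (3, 0, -5, True)

def clock_bound_repairs(n, tdt, violation, max_delta=10):
    """For each bound, the smallest decrement that keeps the trace feasible
    but makes trace + violation infeasible. Returns (index, old, new)."""
    repairs = []
    for idx, (i, j, c, strict) in enumerate(tdt):
        for delta in range(1, max_delta + 1):
            patched = list(tdt)
            patched[idx] = (i, j, c - delta, strict)
            if not feasible(n, patched):
                break                  # tightened past what the trace needs
            if not feasible(n, patched + [violation]):
                repairs.append((idx, c, c - delta))
                break
    return repairs
```

Tightening a lower bound never helps here, since the violation is an upper-bound property, so the search only reports the two transmission bounds.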
Other tools exist that compute repairs. The tool BugAssist [JosMaj11] analyzes C code by solving a MaxSMT problem. The tool ReAssert [DanGveetal11] checks a set of possible modifications to repair broken unit tests. Angelix [MecYiRoy16], S3 [BacHieLoetal17] and SemFix [NguQiRoyetal13] compute repairs by symbolic execution and constraint solving. SketchFix [HuaZhaKhu18] is based on lazy candidate generation. None of these tools repairs broken time constraints. We are not aware of related work on tools for the repair of timed automata models. A more comprehensive overview of related work on automated repair is given in [GouPraRoy19]. A discussion of work related to the foundations of our repair analysis can be found in [KoeLeuWie19].