Algorithm Verify:

Given: n implementation TBAs Ai = P(Ai ), Si , Si0 , Ei , Ci , Fi and specification deterministic TBA AS = P(A), S0, S00 , E0, C0, F0

Construct the transition table of R(A) of the product A of the timed transition tables of Ai with AS .

Set of clocks C = C1 · · · Cn . State s0, . . . , sn where si Si .

Initial states each of the form s0, . . . , sn where si Si0 .

Transition is coupling of the transitions of individual automata labeled with consistent event sets.

The system is correct iff no cycle in the region automaton satisfies all the following conditions:

1.The cycle is reachable from an initial state of R(A).

2.The cycle has one (or more) region(s) satisfying [( j = 0) ( j > c j )] for each clock j C (the progressiveness condition).

3.The cycle has a transition from automaton Ai for each i = 1, . . . , n.

4.The cycle has a state with an ith component belonging to the

accepting set Fi (the fairness requirements of all implementation automata are satisfied).

5.The cycle has no state with the 0th component belonging to the

accepting set F0 (the fairness requirement of the specification automaton is not satisfied).

Figure 7.5 Verification algorithm.

7.4 AVAILABLE TOOLS

[Heitmeyer and Lynch, 1994] use the Larch Prover (LP) [Garland and Guttag, 1991] to perform simple simulations proof for verifying timing properties of real-time and distributed systems specified as MMT automata.

LP is an interactive theorem-proving system developed at MIT by Stephen J. Garland and John V. Guttag for multisorted first-order logic. It is used to reason about concurrent algorithms, circuit designs, hardware, and software. LP is intended to assist users in finding and correcting flaws in conjectures during the early stages of the design process. This is in contrast to most other theorem provers, which attempt to find automatically proofs for correctly stated conjectures. LP has a convenient user interface, handles large problems efficiently, and can be used without training. LP is available at

http://nms.lcs.mit.edu/Larch/LP/overview.html

Useful information about the Larch language can be found at

http://www.sds.lcs.mit.edu/spd/larch/ http://www.research.compaq.com/SRC/larch/larch-home.html

Several tools are available that allow the specification of real-time systems as finite-timed automata and perform verification.

206 VERIFICATION USING TIMED AUTOMATA

COSPAN (COordinated SPecification ANalysis) [Courcoubetis et al., 1992a; Alur, Henzinger, and Ho, 1996] is a verifier that supports automata-theoretic verification of coordinating processes with timing constraints. It incorporates several heuristics to speed up its performance. Experimental results of using the tool for several benchmark problems are presented in [Alur, Henzinger, and Ho, 1996]. More details about the commercial tool called Formal Check, based on COSPAN, can be found in

http://www.cadence.com/datasheets/formalcheck.html

VIS (Verification Interacting with Synthesis) [VIS, 1996] is a tool that integrates the verification, simulation, and synthesis of finite-state hardware systems. It provides a Verilog front end and supports fair CTL model checking (described in chapter 4), language-emptiness checking, combinational and sequential equivalence checking, cycle-based simulation, and hierarchical synthesis. More details about VIS can be found at

http://www-cad.eecs.berkeley.edu/Respep/Research/vis/

HSIS [Aziz et al., 1994] is a binary decision tree (BDD)-based environment for formal verification of hardware systems. It has an open language design by using a compact and expressive intermediate format, BLIF-MV, and supports a synthesis subset of Verilog. It uses efficient BDD-based algorithms (described in chapter 4) and supports model checking and language containment in a single unified environment using expressive fairness constraints as well as state minimization using bisimulation and similar techniques. It provides a debugging environment for both language containment and model checking, and automatic algorithms for the early quantification problem. More details about HSIS can be found at

http://www-cad.eecs.berkeley.edu/Respep/Research/hsis/

Kronos [Yovine, 1997] is a tool for modeling the components of real-time systems using timed automata. The correctness requirements are specified in the real-time temporal logic TCTL. TCTL extends the CTL temporal logic (described in chapter 4) to provide quantitative temporal reasoning over dense time. The tool uses a modelchecking algorithm that allows a symbolic representation of the infinite-state space by sets of linear constraints. More details about Kronos can be found at

http://www-verimag.imag.fr/TEMPORISE/kronos/

HyTech (HYbrid TECHnology Tool) [Alur, Henzinger, and Ho, 1996; Henzinger, Ho, and Wong-Toi, 1995; Henzinger, Ho, and Wong-Toi, 1997] is a tool for the analysis of embedded systems with continuous variables other than clocks, such as air pressure and temperature. The model of timed automata is extended to the model of hybrid automata with continuous variables so that discrete controllers embedded in an environment with continuous variables can be modeled. This tool can derive the condition under which a linear hybrid system satisfies a temporal requirement. It allows the specification of these hybrid systems as collections of automata with dis-

SUMMARY 207

crete and continuous components and then verifies using symbolic model checking the given temporal requirements. More details about HyTech can be found at

http://www-cad.eecs.berkeley.edu/~tah/HyTech/

7.5 HISTORICAL PERSPECTIVE AND RELATED WORK

[Mealy, 1955] and [Moore, 1956] were among the first to publish work on finite automata for use in modeling electronic circuits.

[Heitmeyer, Jeffords, and Labaw, 1993] present the generalized railroad crossing (GRC) problem as a benchmark for checking the practicality and efficiency of different approaches for specifying and verifying real-time systems. Lynch and Vaandrager use their timed automaton model [Lynch and Vaandrager, 1991] together with invariants and simulation mapping techniques to solve the GRC problem. A complete discussion on this solution is presented in [Heitmeyer and Lynch, 1994]. Several researchers study the issues of decomposing a large problem into smaller subproblems for analysis. A sample of these results includes [Abadi and Lamport, 1991; Lynch and Vaandrager, 1992; Shaw, 1992].

The Lynch–Vaandrager automata-theoretic approach [Lynch and Vaandrager, 1991; Heitmeyer and Lynch, 1994] is very general and can handle finiteand infinite-state systems, but it lacks an automatic verification mechanism. The Alur– Dill approach [Alur, Fix, and Henzinger, 1994] and is based on finite automata, but it offers an automated tool for verification of desirable properties. To model continuous variables other than clocks, such as speed and pressure, [Alur et al., 1995a] recently extended the timed automata model to the model of hybrid automata [Grossman et al., 1993], which can model discrete controllers and monitors embedded in a continuously changing environment.

[Henzinger et al., 1995] studied the decidable classes of problems using hybrid automata. [Henzinger, Ho, and Wong-Toi, 1997] developed a model checker for hybrid systems called HyTech. Henzinger and Majumdar [Henzinger and Majumdar, 2000] applied symbolic model checking to rectangular hybrid systems [Puri and Varaiya, 1994]. Other work on hybrid automata includes [Alur et al., 1995a; Grossman et al., 1993; Halbwachs, Raymond, and Proy, 1994; Henzinger and Ho, 1995; Ho, 1995; Kesten, Manna, and Pnueli, 1996; Manna and Pnueli, 1993; Maler, Manna, and Pnueli, 1992; Nicollin, Sifakis, and Yovine, 1993; Olivero, Sifakis, and Yovine, 1994; Vestal, 2000; Zhou, Hoare, and Hansen, 1993].

[Abdeddaim and Maler, 2001] used timed automata for job-shop scheduling. Recently, [Larsen et al., 2001] studied efficient cost-optimal reachability analysis for priced timed automata. [Dang, 2001] investigated the binary reachability analysis of pushdown timed automata with dense clocks.

7.6 SUMMARY

Qualitative properties of concurrent systems can be formally verified using finite automata and temporal logics. These properties include deadlockor livelock-freedom,

208 VERIFICATION USING TIMED AUTOMATA

the eventual occurrence of an event, and the satisfaction of a predicate. The need to reason with absolute time is unnecessary in these applications, whose correctness depends only on the relative ordering of the associated events and actions. These automata-theoretic and temporal logic techniques using finite-state graphs are practical in a variety of verification problems in network protocols, electronic circuits, and concurrent programs. More recently, several researchers have extended these techniques to timed or real-time systems while retaining many of the desirable features of their untimed counterparts.

In this chapter, we present two automata-theoretic techniques based on timed automata. The Lynch–Vaandrager approach [Lynch and Vaandrager, 1991; Heitmeyer and Lynch, 1994] is more general and can handle finite and infinite state systems, but it lacks an automatic verification mechanism. Its specification can be difficult to write and understand even for relatively small systems. The Alur–Dill approach [Alur, Fix, and Henzinger, 1994] is less ambitious and is based on finite automata, but it offers an automated tool for verification of desirable properties. Its dense-time model can handle time values selected from the set of real numbers, whereas discrete-time models such as those in Statecharts and Modecharts use only integer time values.

[Heitmeyer and Lynch, 1994] advocate the use of three specifications to formally describe a real-time system. A specification consists of the description of one or more timed automata. First, an axiomatic specification specifies the system in a descriptive, axiomatic style without showing how it operates. Then, an operational specification describes the operation of the system. A formal proof is required to show that the operational specification implements the axiomatic specification. The Larch Prover (LP) can be used to perform simple simulations proofs.

Several ways are available to construct this proof. [Lynch and Attiya, 1992; Lynch and Vaandrager, 1991] have used assertional techniques for untimed, concurrent, and distributed systems, and thus propose adapting these techniques to verify timing properties in real-time systems. In particular, the method of simulations is used to establish the relationships (such as implementation) between two specifications described by two corresponding timed automata. Here, simulations include special cases such as refinement mappings, backward and forward simulations, and history and prophecy mapping.

Several definitions exist for a general timed automaton. One variation proposed by [Lynch and Vaandrager, 1991] is defined as follows.

Timed Automaton: A timed automaton A is a general labeled transition system with four components:

states(A) is a set of states.

start(A) is a nonempty set of start states.

acts(A) is a set of actions. Actions can be internal or external. Internal actions are within the system. External actions include visible actions (which can be input or output actions) and special time-passage actions v(t), where t is a positive real number.

steps(A) is a set of steps (also known as transitions).

SUMMARY 209

The number of states can be finite or infinite. To improve readability, the notation

π As is used instead of (s, π, s ) steps(A), where A is a timed automaton. The s−→

subscript A is often omitted when there is no ambiguity.

We consider the behavior of a timed automaton by observing its execution from one point in time to another. A timed execution is a sequence of internal, visible, and time-passage actions, connected by their intervening states and augmented with the notion of trajectories for each time-passage action.

Given a timed automaton A, of practical interest is the set atexecs(A) of admissible timed executions in which the total amount of time passage is ∞. Time traces represent the visible behavior of timed automata for solving verification problems.

To model a complex system, we need to combine several automata representing different parts of the system through composition. Two timed automata A and B are compatible iff they have no common output actions and the internal actions of A are different from those of B.

To allow more efficient verification via simulations, the Merritt–Modugno–Tuttle (MMT) automaton [Merritt, Modugno, and Tuttle, 1991] is introduced. It is an I/O automaton augmented with upper and lower bounds on time between specific actions. The MMT automaton model can be used to represent many types of timed automata. An I/O automaton is a labeled transition system for representing an untimed asynchronous system. Its internal and output actions are grouped into tasks.

In the Alur–Dill automata-theoretic approach, to verify that an implementation of a system satisfies the specification of the system, we first represent or encode the specification as a Buchi automaton AS and the implementation as a Buchi automaton AI . Then we check that the implementation meets the specification iff L(AI ) L(AS ), or check for the emptiness of L(AI ) ∩ L(AS )C ; that is, the intersection of the languages accepted by the implementation and the languages accepted by the complement of the specification (negation of the specification) is empty.

Alur and Dill extend timed automata with a finite set of real-valued clocks to express timing constraints on non-clock variables. Clocks are like timers (or stopwatches) and thus can be reset (set to time 0). Clock values increase uniformly with time; that is, at any instant the value of a clock is equal to the time elapsed since the last time it was reset. Each transition in a timed automaton is labeled, in addition to the input symbol, with either a clock value assignment or a clock constraint. A transition with a clock constraint is enabled only if the current values of the clocks satisfy this timing constraint.

Alur and Dill extended the ω-automata to accept timed words, yielding a theory of timed regular languages.

Timed Transition Table: A timed transition table A is a 5-tuple , S, S0, C, E , where is a finite alphabet, S is a finite set of states, S0 S is a set of start states, C is a finite set of clocks, and E is a set of transitions. A transition on input symbol α s, s , α, λ, δ is represented by an edge from state s to state s . λ is the finite set of clocks to be reset with this transition. δ is a clock constraint over C.