D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of Formal Techniques in Real-Time and Fault-Tolerant Systems, number 863 in Lecture Notes in Computer Science, 1994.
....of an accurate model of the environment assumptions. Secondly, the use of the environment model to control test generation: restrict the environment to handle larger systems, but at the cost of more expensive solutions. We have also created a DIEOU TA version of the Philips audio control protocol [3] frequently studied in the context of model checking. The system consists of a sender and a receiver communicating over a shared bus. The sender inputs a sequence of bits to be transmitted, Manchester encodes them, and transmits them as high and low voltage on the bus. Further, it checks for ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of Formal Techniques in Real-Time and Fault-Tolerant Systems, number 863 in Lecture Notes in Computer Science, 1994.
....is restricted to invariant proofs, simulations are not taken into account until now. Furthermore, they do not consider meta theory, although the logic of PVS would be powerful enough. Further case studies have been performed with Coq [DFH 93] in the area of communication protocols [HSV94, BPV94] Again, the works rely much more on unformalized meta theory than we do. Inspired by our work Griffioen and Devillers [GD98] formalized the meta theory of I O automata in PVS [ORR 96] and proved the correctness of refinement mappings. The framework has been used to verify a small part of the ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In W.P. de Roever H. Langmaack and J. Vytopil, editors, Proc. 3rd Int. School and Symposium on Formal Techniques in Real Time and Fault Tolerant Systems (FTRTFT'94), volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer, 1994.
....Duration Calculus to model communication protocols taking into account how long it takes for the sender to change the signal from high to low and vice versa. The DC model of communication protocols given in that paper is proved to be more general and intuitive than the others in the literature [10, 1]. Duration Calculus (DC) 2] is a logic to reason about boolean functions based on interval temporal logics. This makes it one of the most suitable logics for specifying the communication protocols because the signal sent and received are usually modelled by boolean functions of time. In a ....
D. Bosscher et al. Verification of an Audio Control Protocol, LNCS 863, 1994, pp. 170-192.
....are receptive, and we have mentioned that the strong I O feasibility condition of [VL92] is a sufficient conditions for receptiveness. Furthermore, any patient construction over a live I O automaton leads to a receptive pair. A more general sufficient condition for receptiveness is given in [BPV94], where The kernel of a preorder v is defined to be the equivalence j defined by x j y = x v y y v x. 48 linear hybrid systems are introduced as a basic model for the study of an audio control protocol. Roughly speaking, a linear hybrid system is an automaton with discrete and continuous ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Langmaack, de Roever, and Vytopil, editors, Proceedings of the Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 170--192, 1994. Full version available as Report CS-R9445, CWI, Amsterdam, July 1994.
....in [9,11] where a synthesis algorithm is presented for the subset of DC formulae called Implementables (cf. Sect. 8) We made also comprehensive case studies to evaluate our approach: Academic case studies like the gas burner (Sect. 8) the Production Cell [23,22] and the audio protocol [5] as well as case studies of industrial complexity like a redesign of a traffic control system for tramways with complicated driving rules which was originally provided by the industrial partner of the UniForM project. Acknowledgements I would like to thank E. R. Olderog and all other members of ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio Control Protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer-Verlag, 1994.
....signal at the beginning of the following cell is held as the negation of the signal at the end of the previous cell. Despite its extensive use, to the best of our knowledge, in the literature there are relatively few works dedicated to formally modeling and assessing the protocol's performance. In [4] the authors used a model of linear hybrid systems to analyze a protocol developed by Philips Corp. That protocol uses Manchester encoding that in many aspects is similar to a BPM protocol. In [12] Moore used the Boyer Moore Logic to analyze a BPM protocol. In his version of the BPM protocol, ....
D. Bosscher et al. Verification of an Audio Control Protocol, LNCS 863, 1994, pp. 170-192.
.... was shown during the debugging of an early version of Philips Audio Control Protocol [10] 3 Case Studies UPPAAL was applied to a number of case studies and benchmark examples during 1995, including: several versions of Fischers Protocol [1] two version of Philips Audio Control Protocol [5, 10, 3], a Steam Generator [2] a Train Gate Controller [7] a Manufacturing Plant [6] a Mine Pump Controller [8] and a Water Tank [11] In terms of complexity, Philips Audio Control Protocol with bus collision is the most serious case study where UPPAAL is applied so far. The protocol is developed by ....
....bus collision is the most serious case study where UPPAAL is applied so far. The protocol is developed by Philips to exchange information between components (e.g. amplifier, tuner, CD player, etc. in one of their high end audio sets. In [10] Philips Audio Control Protocol without bus collision [5] was verified using UPPAAL. In the verification of the protocol, the diagnostic model checking feature of UPPAAL was used for detecting and correcting several errors in an early description of the protocol Recently a version of Philips Audio Control Protocol with two senders and with ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of FTRTFT'94, volume 863 of Lecture Notes in Computer Science, 1994.
.... of an early version of Philips Audio Control Protocol [LPY95b] UPPAAL has been applied to a number of case studies and benchmark examples, including: several versions of Fischers Protocol [AL93] two version of Philips Audio Control Protocol [BPV94, LPY95b, BGK 96] a Steam Generator [Abr95] a Train Gate Controller [HHWT95] a Manufacturing Plant [DY95] a Mine Pump Controller [JBW 96] and a Water Tank [OSY94] The growing list of successfully completed real size verification case studies and recently initiated collaboration ....
D. Bosscher, I. Polak, and F. Vaandrager, Verification of an Audio-Control Protocol, Proc. of FTRTFT'94, Lecture Notes in Computer Science, vol. 863, 1994.
....TATL p formulas under universal path quantification and TATL Gamma p formulas under existential path quantification. BTATL p allows to express all the useful properties like invariants and response properties. In particular, we use it to describe properties of the Philips audio protocol [BPV94]. This experience shows that BTATL p allows a natural expression of properties that are in general not expressible in the other existing logics for which the verification problem is decidable. Our model checking algorithm for BTATL p is based on the fact that we can translate each path formula ....
....each time constraint in these logics is related to one temporal operator whereas constraints in TATL p and TPTL p are related to position variables, which allows to constrain overlapped computation segments. 5 Example In this section we show using the Philips audio control protocol [BPV94] that BTATL p allows to naturally express the requirements of a realistic case study. The system is composed of a sender and a receiver connected through a wire. The sender sends bit streams using Manchester encoding. A 1 is sent by raising the voltage in the middle of the bit slot, that is, ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, FTRTFT'94: Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 170--192. Lecture Notes in Computer Science 863, Springer-Verlag, 1994.
....parametric expressions. They provide semialgorithms that use parametric shaped polyhedra, for which specialized algorithms and implementations are required. In our approach, existing tools can be used for analysis. Bounds on the error rate of the audio control protocol are analyzed manually in [BPV94] and generated automatically in [HW95] In those works, a common error parameter was used for the sender and the receiver clocks. The reduction technique employed in [HW95] relied strongly on the fact that the drift in the clocks was the same for both the sender and the receiver: that method is ....
....advance from 0 to 1. See Figure 7 for a move that decrements C 1 . 5 Example: an Audio Control Protocol We perform analysis of the slope parameters in a timing based bit level communication protocol. The protocol is used by Philips Electronics N.V. for sending messages between stereo components [BPV94] It is part of a local area network used by control programs that provide integrated features such as system activation or CD to cassette dubbing in response to a single button press. The single sender single receiver version of the protocol was first formally specified and verified by Bosscher ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio-control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, FTRTFT 94: Formal Techniques in Real-time and Fault-tolerant Systems, Lecture Notes in Computer Science 863, pages 170--192. Springer-Verlag, 1994.
....LHS a nice formalism First of all it is a formal method, we think that, in the end, formal methods are the simplest way to express and proof certain properties of a protocol. It is relatively simple to reason about systems in LHS. It has formally defined semantics and is rather easy to read. In [3] LHS is introduced and a verification of EEL is presented with one sender and one receiver. The protocol analysis in [3] is based on Polak s [15] analysis. In this paper a second sender is added. This means that bus collisions can happen and so collision detection is specified too. This has lots ....
....to express and proof certain properties of a protocol. It is relatively simple to reason about systems in LHS. It has formally defined semantics and is rather easy to read. In [3] LHS is introduced and a verification of EEL is presented with one sender and one receiver. The protocol analysis in [3] is based on Polak s [15] analysis. In this paper a second sender is added. This means that bus collisions can happen and so collision detection is specified too. This has lots of consequences for the specification and verification. In the next section we will give an informal description of the ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. Report CS-R94XX, CWI, Amsterdam, 1994. In preparation.
....and the correctness of the protocols can be proved by using the natural induction rule on the length of words in the traditional way. We try our approach in modeling two protocols that have been studied in the literature, namely the Biphase Mark Protocol (BPM) 10] and the Audio Protocol [1]. The BPM protocol (or format) is widely used in practice for asynchronous communication between two digital hardware devices. The BPM protocol works by coding each bit of message as a portion of square wave (called a cell) of fixed clock cycles. Each cell is logically divided into two parts. The ....
....of the length of cells, mark subcells and code subcells, and we can make clear about the assumption of the environments, namely we take into account the time it takes to change the signal from high to low and from low to high. In many aspects, the Audio Protocol is similar to a BPM protocol. In [1] the authors used a model of linear hybrid systems to specify and to verify the Audio protocol. However, in their model the receiver and the sender use the same clock which cannot be applied to the distributed communication systems, and the behavior of the digitization is not taken into account. ....
D. Bosscher et al. Verification of an Audio Control Protocol, LNCS 863, 1994, pp. 170-192.
....we will try to build upon everyone s intuition about the nature of real time systems. Despite this focus, we will also try to provide a more general, but far from complete view of continuous time modeling. For a comprehensive survey on the theory of real time systems the reader is referred to [10] in the same issue. We proceed as follows: first we will address the status of formal methods in the context of real time system research in Sect. 2, and subsequently give an introduction into finite state machines and how they can be extended to include discrete time in Sect. 3. Thereafter we ....
....can be transformed into timed automata and thus be verified 2 What You See Is What You Verify. using the techniques available for timed automata, implemented in Uppaal. Uppaal allows linear hybrid automata where the rates of clocks are given by an interval. Philips Audio Control Protocol of [10] is an example of such a linear hybrid system. 2.2 Analysis Model Checking. The model checker is designed to check for invariant and reachability properties, in particular whether certain combinations of control nodes and constraints on clocks and integer variables are reachable from an initial ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, 1994.
....coverage criteria, and a test derivation technique for verifying timing constraints on real time systems. The test language is based on the real time process algebra ACSR. We have constructed tools based on these techniques, and used these tools to model the Philips audio control protocol[1], a realistic data link layer protocol for controlling communication between various components of an integrated stereo system. The results of this analysis are reported in [2] Using ACSR as a test language offers two significant benefits. Tests of ACSR process models can be carried out within ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In FTRTFT '94: Formal Techniques in Real-time and Fault-tolerant Systems, volume LNCS-863, pages 170--192. Springer-Verlag, 1994.
....also mention the specification language TLA (Temporal Logic of Actions) which has been applied to a large number of examples. See, e.g. the specification and the hierarchically structured proof of a Byzantine generals algorithm [LM94] Another nice example of protocol verification can be found in [BPV94] where an industrial protocol is specified and verified based on timed I O automata. Acknowledgements The ACCESS.bus protocol has been proposed by Ron Koymans (Philips Research, Eindhoven) to a number of academic researchers as an example of an 14 industrial protocol. He is also thanked for ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 170--192. LNCS 863, 1994.
....their framework is restricted to invariant proofs, simulations are not taken into account until now. Furthermore, they do not consider meta theory, although the logic of PVS would be powerful enough. Further case studies have been performed with Coq [12] in the area of communication protocols [19, 6]. Again, they rely much more on unformalized meta theory than we do. Inspired by our work, Griffioen and Devillers [16] formalized the meta theory of I O automata in PVS [33] and proved the correctness of safe refinement mappings, but not of forward simulations. However, defining and reasoning ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In W. d. R. H. Langmaack and J. Vytopil, editors, Proc. 3rd Int. School and Symposium on Formal Techniques in Real Time and Fault Tolerant Systems (FTRTFT'94), volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer, 1994.
....an interface bus connecting the various devices e.g. CD players, amplifier etc. in audio equipments. It uses Manchester encoding to transmit bit sequences of arbitrary length between the components, whose timing errors are bound. A simplified version of the protocol is studied by Bosscher et al. [Bosscher et al. 1994]. It is shown that the protocol is incorrect if the timing error of the components is ±1/17 or greater. The proof is carried out without tool support. The first automatic analysis of the protocol is reported in [Ho and Wong Toi 1995] where HyTech is applied to check an abstract version of ....
....= 6.65Q Fig. 6. Error execution of the incorrect protocol. transitions, was generated in 4.5 sec using 1.8 MB of memory. Also, attempts to verify Property 1 for the full protocol with an error tolerance of 6 on the timing failed. The scenario is similar to the one found by Bosscher et al. in [Bosscher et al. 1994] for the one sender protocol. The properties were verified using Uppaal version 2.17 [Larsen et al. 1997a; Bengtsson et al. 1998] that implements the verification algorithm for handling committed locations described in Section 3. It was installed on a Pentium 150 MHz MMX running Red Hat Linux 5.0. ....
Bosscher, D., Polak, I., and Vaandrager, F. 1994. Verification of an Audio-Control Protocol. In Proc. of Formal Techniques in Real-Time and Fault-Tolerant Systems , Number 863 in Lecture Notes in Computer Science (1994).
....2δ 2Q |δ| (Q − r − 1)/8 then the protocol is correct. For instance, let r = 3, Q = 5. a = 2Q. In this case, |δ| 1/8, which means that the ratio of the rates of the sender's and the receiver's clock should be between 39/40 and 41/40. In practice, Q is very big ( 200, see e.g. [1]) and we have much looser constraints on the rates of the clock of the sender and the reader. 6. Conclusion We have presented our approach to the specification and verification of real time hybrid systems using Duration Calculus. By introducing the formula int into the calculus, we are able to ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio Control Protocol. In Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer-Verlag, 1994.
....TATL p formulas under universal path quantification and TATL Gamma p formulas under existential path quantification. BTATL p allows to express all the useful properties like invariants and response properties. In particular, we use it to describe properties of the Philips audio protocol [6]. This experience shows that BTATL p allows a natural expression of properties that are in general not expressible in the other existing logics for which the verification problem is decidable. Our model checking algorithm for BTATL p is based on the fact that we can translate each path ....
....in MITL P and EMITL formulas is related to one temporal operator whereas constraints in TATL p and TPTL p formulas are related to position variables, which allows to constrain overlapped computation segments. 5 Example In this section we show using the Philips audio control protocol [6] that BTATL p allows to naturally express the requirements of a realistic case study. The system is composed of a sender and a receiver connected through a wire. The sender sends bit streams using Manchester encoding. A 1 is sent by raising the voltage in the middle of the bit slot, that is, ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, FTRTFT'94: Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 170--192. Lecture Notes in Computer Science 863, Springer-Verlag, 1994.
.... was shown during the debugging of an early version of Philips Audio Control Protocol [10] 3 Case Studies Uppaal was applied to a number of case studies and benchmark examples during 1995, including: several versions of Fischers Protocol [1] two version of Philips Audio Control Protocol [5, 10, 3], a Steam Generator [2] a Train Gate Controller [7] a Manufacturing Plant [6] a Mine Pump Controller [8] and a Water Tank [11] In terms of complexity, Philips Audio Control Protocol with bus collision is the most serious case study where Uppaal is applied so far. The protocol is developed by ....
....bus collision is the most serious case study where Uppaal is applied so far. The protocol is developed by Philips to exchange information between components (e.g. amplifier, tuner, CD player, etc. in one of their high end audio sets. In [10] Philips Audio Control Protocol without bus collision [5] was verified using Uppaal. In the verification of the protocol, the diagnostic model checking feature of Uppaal was used for detecting and correcting several errors in an early description of the protocol 2 . Recently a version of Philips Audio Control Protocol with two senders and with ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of FTRTFT'94, volume 863 of Lecture Notes in Computer Science, 1994.
....NP hard, it is important that we identify heuristics to make the test suite derivation problem tractable. At present, we use a greedy heuristic to select test templates and valuations to add to the test suite until complete coverage is achieved. 4 Case Study: The Philips Audio Control Protocol In [2] Bosscher, Polak and Vaandrager describe a bus protocol that is used in Philips audio devices. The protocol is a data link layer protocol for controlling communication between various components of an integrated stereo system (e.g. amplifier, tuner, CD player, etc. in one physical unit) The ....
....UP DOWN Bus Bit Generator Tester Empty Receiver Finish InBit0 copy InBit1 copy Empty copy Figure 4: Verification System for Philips Audio Control Protocol 4. 1 Formal Specification and Analysis of the Protocol In this section we present a formal verification of the protocol model described in [2] using ACSR and the VERSA system. This analysis will use traditional state space exploration techniques to verify the correctness of the protocol at the 5 tolerance level, and to demonstrate faults at the 6 tolerance level. This analysis will serve as a point of comparison for testing based ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In FTRTFT '94: Formal Techniques in Real-time and Fault-tolerant Systems, volume LNCS-863, pages 170--192. Springer-Verlag, 1994.
....coverage criteria, and a test derivation technique for verifying timing constraints on real time systems. The test language is based on the real time process algebra ACSR. We have constructed tools based on these techniques, and used these tools to model the Philips audio control protocol[BPV94], a realistic data link layer protocol for controlling communication between various components of an integrated stereo system. The objective of analysis of this protocol is to demonstrate that the protocol is error free for clock skew rates within a 5 tolerance level, and that an error arises ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In FTRTFT '94: Formal Techniques in Real-time and Fault-tolerant Systems, volume LNCS-863, pages 170--192. Springer-Verlag, 1994.
....Duration Calculus to model communication protocols taking into account how long it takes for the sender to change the signal from high to low and vice versa. The DC model of communication protocols given in that paper is proved to be more general and intuitive than the others in the literature [9, 1]. Duration Calculus (DC) 2] is a logic to reason about boolean functions based on interval temporal logics. This makes it one of the most suitable logics for specifying the communication protocols because the signal sent and received are usually modelled by boolean functions of time. In a ....
D. Bosscher et al. "Verification of an Audio Control Protocol", LNCS 863, 1994, pp. 170-192.
.... kind of information was shown during the debugging of an early version of Philips Audio Control Protocol [LPY95b] UPPAAL has been applied to a number of case studies and benchmark examples, including: several versions of Fischers Protocol [AL93] two version of Philips Audio Control Protocol [BPV94, LPY95b, BGK 96] a Steam Generator [Abr95] a Train Gate Controller [HHWT95] a Manufacturing Plant [DY95] a Mine Pump Controller [JBW 96] and a Water Tank [OSY94] The growing list of successfully completed real size verification case studies and recently initiated collaboration with ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of FTRTFT'94, volume 863 of Lecture Notes in Computer Science, 1994.
....it is important that we identify heuristics to make the test suite derivation problem tractable. At present, we use a greedy heuristic to select test templates and valuations to add to the test suite until complete coverage is achieved. 4 Case Study: The Philips Audio Control Protocol In [2] Bosscher, Polak and Vaandrager describe a bus protocol that is used in Philips audio devices. The protocol is a data link layer protocol for controlling communication between various components of an integrated stereo system (e.g. amplifier, tuner, CD player, etc. in one physical unit) The ....
....pulses that are sent across the bus. The receiver detects the voltage changes on the bus and decodes the stream of high and low voltages to recreate the original bit string. 4. 1 Formal Specification and Analysis In this section we present a formal verification of the protocol model described in [2] using ACSR and the VERSA system. This analysis will use traditional state space exploration techniques to verify the correctness of the protocol at the 5 tolerance level, and to demonstrate faults at the 6 tolerance level. This analysis will serve as a point of comparison for testing based ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In FTRTFT '94: Formal Techniques in Real-time and Fault-tolerant Systems, volume LNCS-863, pages 170--192. Springer-Verlag, 1994.
....Uppaal allows linear hybrid automata where the speed of clocks is given by an interval. Hybrid automata of this form may be transformed into 1 What You See Is What You Verify. 2 An Overview of UPPAAL 9 ordinary timed automata using the translator hs2ta. Philips Audio Control Protocol of [7] is one such linear hybrid system and for its Autograph version is shown in Figure 7. 2.4 Syntactical Checks Given a textual description of a timed automata in the .ta format the program checkta performs a number of syntactical checks. In particular the use of clocks, auxiliary integer variables ....
.... i ; E i 1 ) Otherwise, E i = D i free(a i ; border(a i ; E i 1 # I(l i 1 ) A Examples 22 A Examples The case studies and examples where Uppaal has been applied includes: a Bounded Retransmission Protocol [8] a Box Sorter Unit [14] two version of Philips Audio Control Protocol [7, 16, 5], several versions of Fischers Protocol [2, 15] a Steam Generator [3] a Train Gate Controller [10] a Manufacturing Plant [9] a Mine Pump Controller [13] and a Water Tank [19] In [8] Uppaal was applied to investigate to what extent real time aspects are important to guarantee the correctness ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of FTRTFT'94, volume 863 of Lecture Notes in Computer Science, 1994.
....demonstrate the usefulness of the diagnostic model checking feature of Uppaal by debugging an early description of the protocol. For detailed information about the tool Uppaal, see [2] in this volume. 5. 1 Philips Audio Control Protocol This protocol by Philips was first verified by Bosscher et al. [3] and recently using verification tools [6] The protocol is used for exchanging control information in tiny local area networks between components in modern audio equipment. Bit streams are encoded using the well known Manchester encoding that relies on timing delay between signals. The protocol ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of FTRTFT'94, volume 863 of Lecture Notes in Computer Science, 1993.
....to another model. In particular, we have used the a bisimulation equivalence, denoted a , as well as the a simulation preorder [FM91] 4 . Due to space limitations, here we illustrate this methodology in detail for only one application, namely the Philips audio control protocol [BPV94] Experimental results obtained for other well known examples (e.g. CSMA CD and FDDI [DOTY95] and Tick Tock [DOY94] communication protocols) are shown in table 1. The TA column presents the size of the input TA. The M column displays the size of the minimal model, while C tot is the total number ....
D. Bosscher, I. Polak and F. Vaandrager. Verification of an audio control protocol. In Proc. FTRTFT'94, LNCS 863, 1994.
....more than 20 case studies that had been analyzed with the HyTech prototype [AHH93, ACH 95, HH95a, HH95b, HH95c, HWT95] Our results show a verification time improvement of roughly two to three orders of magnitude. For example, using our new implementation, the Philips audio control protocol [BPV94] can be analyzed in 19 seconds as opposed to 5.0 hours [HWT95] 2 Indeed, without sacrificing generality, the performance of HyTech is now comparable to automatic verifiers for more specialized types of real time systems. Three examples of tools for the symbolic analysis of timed automata are ....
....our verifier on a number of examples. Two of these the generic railroad crossing and the active structure controller are new examples of automatic parametric analysis, and are described in more detail in Section 4 below. In addition, we first analyzed the Philips audio control protocol [BPV94] in [HWT95] and provide comparative performance data for the new generation HyTech. The protocol communicates bit sequences using the timing based Manchester encoding. The sender and receiver processes operate with unsynchronized clocks whose rates are subject to bounded drift. We verify that ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio-control protocol. In FTRTFT 94: Formal Techniques in Real-time and Fault-tolerant Systems, LNCS 863, pp. 170-- 192. Springer, 1994.
....[1; 1] n . 2 Remark. Clocks and drifting clocks] A clock can be modeled by a variable x i with the flow interval I flow i = 1; 1] All variables of a timed automaton are clocks [6] A clock with drift , for 2 Q0 , can be modeled by a variable with the flow interval [1 Gamma ; 1 ] [13, 37]. 2 Remark. Composition] Timed, singular, and rectangular automata are closed under composition: for two timed (singular; rectangular) automata H 1 and H 2 , we can construct a timed (singular; rectangular) automaton H such that S t H = S t H1kH2 (and therefore, S a H = S a H1kH2 ) If ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio-control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, FTRTFT 94: Formal Techniques in Real-time and Fault-tolerant Systems, Lecture Notes in Computer Science 863, pages 170--192. Springer-Verlag, 1994.
....the ability to derive test suites from constraint graphs with three different user selectable heuristics that can be used when minimizing the test suite; and (3) addition of the test application operator described in Section 3.3. We have used these tools to model the Philips audio control protocol[BPV94], a realistic datalink layer protocol for controlling communication between various components of an integrated stereo system. The objective of analysis of this protocol is to demonstrate that the protocol is error free for clock skew rates within a 5 tolerance level, and that an error arises ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In FTRTFT '94: Formal Techniques in Real-time and Fault-tolerant Systems, volume LNCS-863, pages 170--192. Springer-Verlag, 1994.
....We also show in detail the flavour of properties that may be proved using the KRONOS tool approach. Finally, we conclude commenting work recently done in our country, and perspectives for future work. 2. The Protocol EEL In this section we present the Enhanced Easy Link (EEL) protocol following [6, 10]. In the first subsection we show how this protocol deals with its main task : sending bits. In the second we show how bus collisions are handled, and in the last subsection we point out where tolerances on timing are allowed. 2.1. Transmitting messages The EEL protocol uses Manchester encoding ....
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In Proc. FTRTFT'94: Formal Techniques in Real Time and Fault Tolerant Systems, LNCS 863, pages 170--192, 1994.
....3,218 11,236 11,407 2,282 28.9 5 Delta = 1000, ffi = 500 431 1,000 1,115 244 1.24 367 Table 3: Experimental results (III) altering the parameters 6. 3 Second example : Philips audio control protocol This example deals with the physical layer of the Philips audio control protocol specified in [BPV94] The protocol has been modeled in [DY95] using multirate timed automata, a subclass of hybrid systems. The methodology used has been to transform multirate TA into ordinary TA, as proposed in [OSY94] The approach consists in a linear transformation of the state space, that preserves most of the ....
....set to 0. The main correctness property to be proved is that the received string of bits is equal to the message sent by the sender. To do this we must take care of new incoming messages that arrive before the last one has been output by the receiver. This is considered as a chaotic situation in [BPV94] that is, whenever an action IN happens before the action OUT corresponding to the previous message, the protocol moves to a state of chaos where everything is allowed. This behavior is modeled by the automaton CHAOS in figure 24b. Let SYSTEM be the composition of PROTOCOL and CHAOS. Add 0 Head ....
[Article contains additional citation context not shown here]
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, FTRTFT'94: Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 170--192, 1994.
....hardwire certain proof methods but can derive new ones from the metatheory at any point. This work is carried out in the context of I O automata (IOA) a popular model of distributed systems which has been used for a number of non trivial applications, e.g. in the area of communication protocols [9, 4]. The results, however, apply to any trace based model of parallelism which distinguishes internal and external actions. The starting point for our work is an existing formalization of I O automata in Isabelle HOL, the higher order logic of the theorem prover Isabelle [17] Unless noted ....
....theorem prover is only used to prove refinements, but the refinement notion itself is not semantically embedded. This is particularly true for a couple of case studies within the I O automata model for example Fischer s protocol [9] and an audio control protocol provided by Philips Laboratories [4] carried out in the Larch prover and Coq. Closely related to our work are the papers of Chou and Peled [3] and Loewenstein [8] Chou and Peled model infinite and finite sequences as a prerequisite for the formal verification of a partial order reduction technique in the theorem prover HOL [7] ....
I. P. D.J.B. Bosscher and F. Vaandrager. Verification of an audio control protocol. In W. d. R. H. Langmaack and J. Vytopil, editors, Proc. 3rd Int. School and Symposium FTRTFT'94, volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer, 1994.
.... the HIOA framework was used to describe and analyze many hybrid systems examples, including automated transportation systems [61,49,83,81,82,50,42,44] intelligent vehicle highway systems [22,47] aircraft control systems [46,43] automotive control systems [24] and consumer electronics systems [11]. We summarize the results of these modeling efforts briefly. In these examples, HIOAs were used to model system components of many different kinds, including real world components, computer programs, communication chan nels, sensors, actuators, and humans (for example, pilots interacting with ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Langmaack et al. [41], pages 170-192.
....for timing based systems. It is intended as a basis for formal reasoning about such systems, in particular, for verification of their correctness and for analysis of their complexity. In [29, 30] we develop a full range of simulation proof methods for timed automata; these methods are used in [25, 9, 18] to verify the correctness of timed protocols for communication, audio control and real time process control, respectively. In this paper, we continue the development by studying process algebras for the same model. Eventually, we envision using a combination of proof methods, perhaps even using ....
....up by a factor r. For Delta 1, RATE [1 Gamma Delta;1 Delta] introduces a tolerance of Delta on all timing of its argument. We think that RATE transducers can be useful in the process algebraic description of protocols that involve drifting clocks, such as the audio control protocol analyzed in [9]. An interesting property of the RATE transducers is that in general they do not preserve Wang s [47] axiom of time determinism. This axiom, which is valid for all timed process algebras that we have encountered in the literature, states that the resulting state after a time step is uniquely ....
[Article contains additional citation context not shown here]
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Proceedings of the Third International School and Symposium on Formal Techniques in Real Time and Fault Tolerant Systems, Lubeck, Germany, September 1994.
.... framework was used to describe and analyze many hybrid systems examples, including automated transportation systems [58, 46, 79, 77, 78, 47, 39, 41] intelligent vehicle highway systems [20, 44] aircraft control systems [43, a0] automotive control systems [22] and consumer electronics systems [9]. We summarize the results of these modeling efforts briefly. In these examples, HIOAs were used to model system components of many different kinds, including real world components, computer programs, communication channels, sensors, actuators, and humans (for example, pilots interacting with ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Langmaack et al. [38], pages 170-192.
.... framework was used to describe and analyze many hybrid systems examples, including automated transportation systems [56, 45, 77, 75, 76, 46, 38, 40] intelligent vehicle highway systems [19, 43] aircraft control systems [42, 39] automotive control systems [21] and consumer electronics systems [9]. We summarize the results of these modeling efforts briefly. In these examples, HIOAs were used to model system components of many different kinds, including real world components, computer programs, communication channels, sensors, actuators, and humans (for example, pilots interacting with ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Langmaack et al. [37], pages 170-192.
....to develop a theory of timed transition systems and timed simulations with analogues of all results of Part I is still open. This paper does not contain examples of verifications carried out using timed simulations. However, our timed simulations have already been used extensively elsewhere [12, 23, 32, 34, 35, 36, 37, 38, 45, 58, 60]. The algorithms and systems verified in these papers include toy examples such as counters and process races, as well as substantial real examples such as a clock based at most once message delivery protocol, a clock synchronization algorithm, two mutual exclusion algorithms, a leader election ....
....in [38] are stated in a setting that has more structure than is really necessary for those theorems. Lynch and Vaandrager [41] show how a whole class of process algebraic operators can be defined on timed automata using the general notion of action transducers. Bosscher, Polak and Vaandrager [12] define a language of linear hybrid systems, inspired by the work of [5, 8] and provide it with a semantics in terms of timed automata. Our timed automata can also be used to define the semantics of the timed safety automata of Alur and Dill [7, 26] In the latter model a finite state restriction ....
[Article contains additional citation context not shown here]
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Langmaack et al. [33], pages 170--192. Full version available as Report CS-R9445, CWI, Amsterdam, July 1994.
....for timing based systems. It is intended as a basis for formal reasoning about such systems, in particular, for verification of their correctness and for analysis of their complexity. In [29, 30] we develop a full range of simulation proof methods for timed automata; these methods are used in [25, 9, 18] to verify the correctness of timed protocols for communication, audio control and real time process control, respectively. In this paper, we continue the development by studying process algebras for the same model. Eventually, we envision using a combination of proof methods, perhaps even using ....
....up by a factor r. For Delta 1, RATE [1 Gamma Delta;1 Delta] introduces a tolerance of Delta on all timing of its argument. We think that RATE transducers can be useful in the process algebraic description of protocols that involve drifting clocks, such as the audio control protocol analyzed in [9]. An interesting property of the RATE transducers is that in general they do not preserve Wang s [46] axiom of time determinism. This axiom, which is valid for all timed process algebras that we have encountered in the literature, states that the resulting state after a time step is uniquely ....
[Article contains additional citation context not shown here]
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Proceedings FTRTFT'94, volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer-Verlag, 1994. Full version available as Report CS-R9445, CWI, Amsterdam, July 1994.
....and verify real life applications, we are generalizing existing methods from computer science to the setting of hybrid systems. We are applying our results in a number of projects in the areas of personal rapid transit [14, 10, 20] intelligent vehicle highway systems, and consumer electronics [5]. Within the theory of reactive systems, which has been developed in computer science during the last 20 years, it is common to represent both a system and its properties as abstract machines (see, for instance [11, 4, 9] A system is then defined to be correct iff the abstract machine for the ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Proc. FTRTFT'94, LNCS 863, pages 170--192. Springer-Verlag, 1994.
....most of the characteristics of the real protocol. It should be noted however that the model simplifies the real time aspects of the protocol by the way timers are encoded. We could have modeled these real time aspects more realistically by using a real time extension of the I O automata model (see [5]) but then the verification would have been much more involved. Importance of the verification The verification has answered a number of questions about the protocol. Foremost, it proves that the data link protocol is free of design errors. An important result of the work is that it has ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. Report CS-R94XX, CWI, Amsterdam, 1994. In preparation.
....computer. There are currently a number of programs that can be used to support this process. One of these is the type theory based system Coq [5] In this case study we will report on our experiences when proof checking a real time communication protocol with the Coq system. This article builds on [4], where the specification and correctness proof were shown. We add the proof checking in this article. Sections 4 and 5 are almost directly taken from [4] We use a slightly different formal model that was easier to implement in Coq. The protocol we analyzed is known as the Manchester protocol ....
....case study we will report on our experiences when proof checking a real time communication protocol with the Coq system. This article builds on [4] where the specification and correctness proof were shown. We add the proof checking in this article. Sections 4 and 5 are almost directly taken from [4]. We use a slightly different formal model that was easier to implement in Coq. The protocol we analyzed is known as the Manchester protocol and is in this case being used in audio systems. We will use a variant of the timed I O automata model of Lynch and Vaandrager to specify the protocol. The ....
[Article contains additional citation context not shown here]
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Proceedings of the Third International School and Symposium on Formal Techniques in Real Time and Fault Tolerant Systems, Lubeck, Germany, September 1994. To appear.
....to develop a theory of timed transition systems and timed simulations with analogues of all results of Part I is still open. This paper does not contain examples of verifications carried out using timed simulations. However, our timed simulations have already been used extensively elsewhere [12, 23, 32, 34, 35, 36, 37, 38, 45, 58, 60]. The algorithms and systems verified in these papers include toy examples such as counters and process races, as well as substantial real examples such as a clock based at most once message delivery protocol, a clock synchronization algorithm, two mutual exclusion algorithms, a leader election ....
....in [38] are stated in a setting that has more structure than is really necessary for those theorems. Lynch and Vaandrager [41] show how a whole class of process algebraic operators can be defined on timed automata using the general notion of action transducers. Bosscher, Polak and Vaandrager [12] define a language of linear hybrid systems, inspired by the work of [5, 8] and provide it with a semantics in terms of timed automata. Our timed automata can also be used to define the semantics of the timed safety automata of Alur and Dill [7, 26] In the latter model a finite state restriction ....
[Article contains additional citation context not shown here]
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Langmaack et al. [33], pages 170--192. Full version available as Report CS-R9445, CWI, Amsterdam, July 1994.
.... Research partially supported by a National Science Foundation Graduate Fellowship. of hybrid systems. We are applying our results in a number of projects in the areas of personal rapid transit [14, 10, 20] intelligent vehicle highway systems, and consumer electronics [5]. Within the theory of reactive systems, which has been developed in computer science during the last 20 years, it is common to represent both a system and its properties as abstract machines (see, for instance [11, 4, 9] A system is then defined to be correct iff the abstract machine for the ....
D.J.B. Bosscher, I. Polak, and F.W. Vaandrager. Verification of an audio control protocol. In Proc. FTRTFT'94, LNCS 863, pages 170--192. Springer-Verlag, 1994.
No context found.
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In Proc. of Formal Techniques in Real-Time and Fault-Tolerant Systems, number 863 in Lecture Notes in Computer Science, 1994.
No context found.
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio Control Protocol. In Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 170--192. Springer-Verlag, 1994.
No context found.
D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-control Protocol. In Proceedings of Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, 1994.