Z. Manna, Y. Kesten, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T.A. Henzinger, and E.D. Sontag, editors, Hybrid Systems III, Lecture Notes in Computer Science 1066, pages 13--40. Springer-Verlag, 1996.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....Automata and related logics have been used to specify and verify systems. Hybrid Systems are automata equipped with variables. Constraints on these variables are expressed in Mathematical Logics. Hybrid Systems are used for modeling embedded systems (see [9] and time dependent processes (see [55]) In these branches of study safety and security properties are among the main requirements that a system must satisfy, hence the interest of ways to express and prove these properties. 1.1 Mathematical Logics A branch of First Order Logics are Mathematical Logics. Mathematical Logics consider ....

.... of regions, where regions encapsulate infinite evaluations ( 11] 58] and [13] In undecidable cases one can partially solve the problem by using symbolic verification (see [9] and [18] Another method is to have verification rules for proving safety properties and response properties (see [55], 72] and [71] To extend Temporal and Modal logics ( 34] so that control and test on time and variable values are ensured, many logics have been proposed ( 59] 16] 14] and [17] These Logics extend the classical temporal operators, such as until or next , with control on time that can ....

Kesten, Y., Manna, Z., Pnueli, A.: Verifying Clocked Transitions Systems. Lecture Notes in Computer Science 1066, Springer, Berlin, 1996, 13--40.

....justifies the use of the term extension . Time can advance in h(s) for s = a i :s i only if all the hybrid actions h(a i ) agree to let time advance. This rule determines a time progress condition associated with s similar to the invariants in [ACH 95] and time progress conditions in [KMP96] Associating time progress with actions is an important feature of the presented model as it will be shown throughout the paper. For a given hybrid action, its guard characterizes the states from which the action is possible while its deadline characterizes the subset of the states where the ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In School on Embedded Systems, Veldhoven, The Nederlands, November 1996.

....[HN96] contains the first rigorous (but informal) description of the Statemate implementation of statecharts. This is elaborated in [PU97] to a formal semantics in terms of clocked transition systems, thus making it possible to benefit from the analysis tools developed for this formalism [KMP96,MP91] UML adopted statecharts as one of the central behavioral diagrams. This seems natural, since statecharts correspond well with an object oriented approach (encapsulation) and subsume other useful formalisms, like finite state machines. The development of the UML is governed by large ....

Yonit Kesten, Zohar Manna, and Amir Pnueli. Verifying Clocked Transition Systems. In Hybrid Systems III, volume 1066 of Lecture Notes in Computer Science (LNCS), pages 13--40. Springer--Verlag, 1996. 33

....about continuous systems. That paper focuses on exploring the potentials of refinement reasoning for such systems, whereas we concentrate on a precise definition of the semantics. Action systems have an operational flavour, and our extension is thus related to various hybrid automata models [1, 20, 18] and the general hybrid model surveyed in [7] However, our interest is not in the basic model, but in an integration of specifications (predicates) and actions such that one can reason without reference to the semantics. A similar concept is found in the description language used in HyTech [15, ....

Y. Kesten, Z. Manna, and A. Pnuelli. Verifying Clocked Transition Systems. In R. Alur, T. A. Henzinger, and E. D. Sontag (eds.) Hybrid Systems III, LNCS 1066, pp. 13-40, Springer-Verlag, 1996.

....The weakest liberal preconditions are then used as a tool to extract this model. The gate example presented in this paper illustrates this approach. One application for the differential actions is to model the clocks in realtime systems. In comparison to the clocked transition system (CTS) by [9], the clocks are presented as ordinary variables. The transitions are sequences of actions modifying the variables in the system. The master clock is a global variable that is modified only by the tick action. The tick action is a differential action that updates all the clocks including the ....

Y. Kesten, Z. Manna, and A. Pnuelli. Verifying Clocked Transition Systems. In R. Alur, T. A. Henzinger, and E. D. Sontag (eds.) Hybrid Systems III, LNCS 1066, Springer-Verlag, 1996.

....ticks before further sensor updates can occur. plant relay output = h 92 R closed = 3. 0 Modules and module composition Our notion of a module is based on the untimed reactive modules of Manna and Pnueli [32] Although the Manna Pnueli framework has been used for real time systems [23], the extension to their system for modules as delineated by Chang [8] is different to ours. The main differences are: a) our modules are supported by a model checker, b) we provide a state event refinement relation for modules, and (c) the reactive modules of [32] are not fully compositional as ....

Kesten, Y., Z. Manna, and A. Pnueli. "Verifying Clocked Transition Systems." In Hybrid Systems III, Springer-Verlag, LNCS, 1996.

....the satis ability of the input temporal logic formula is computed via a tableau of the input formula and system; the tableau is successively re ned based on the transition relation. This approach requires user intervention and gives no termination guarantee. Bj rner et al. 12] and Kesten et al. [56] use deductive approaches to verify real time systems. They model systems using Clocked Transition Systems, which are fair transition systems extended with clock variables, and use veri cation rules and veri cation diagrams to establish the validity of Linear Temporal Logic formulas. In [11] the ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying Clocked Transition Systems, Hybrid Systems III. In Proceedings of the Eight International Conference on Computer Aided Verication (CAV '96), Vol. 1102 of Lecture Notes in Computer Science, volume 1066 of Lecture Notes in Computer Science, pages 13-40, 1996.

....significant one computationally. Urbina [30] models hybrid systems as CLP programs. Various properties of hybrid systems can then be verified by top down or bottom up evaluation of the CLP programs. This approach is also based on CLP systems without tabling. Bjorner et al. 4] and Kesten et al. [21] use deductive approaches to verify real time systems. They model systems using Clocked Transition Systems, which are fair transition systems extended with clock variables, and use verification rules and verification diagrams to establish the validity of Linear Temporal Logic formulas. Kwak et ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying Clocked Transition Systems, Hybrid Systems III. In Proceedings of the Eight International Conference on Computer Aided Verification (CAV '96), Vol. 1102 of Lecture Notes in Computer Science, volume 1066 of Lecture Notes in Computer Science, pages 13--40, 1996.

....for computing the semantics. That procedure translates to the rst symbolic forward model checking procedure for STL properties of in nite state systems. 1 Introduction In the context of symbolic model checking for systems with numeric variables such as timed or hybrid systems (see e.g. [1 4, 7, 8, 10 14, 16, 17, 19 21, 29]) the term symbolic refers to the representation of a set of states by a disjunctive constraint, viz. a disjunction of conjunctions of inequalities or other atomic formulas. In this context, applying the operations negation or conjunction as part of the xpoint iteration in the model checking ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T. A. Henzinger, and E. D. Sontag, editors, Hybrid Systems III, volume 1066 of LNCS, pages 13-40. Springer-Verlag, 1996.

....ffi(v ; r) denotes the state of the PTS after time has acted on a system in state v for time r . The set T of instantaneous transitions is, as in the TTS 5 Note that some authors instead use the expression phase transition system for the hybrid systems extension of the clocked transition system [29,23] model. 20 case, equipped with upper and lower bounds. Furthermore, time cannot elapse past a moment when the enabling condition of a transition changes. Since the action of time can change the enabling of transitions, we assume that there is a computable function enabling change : Sigma D ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Proc. Hybrid Systems III, volume 1066 of Lecture Notes in Computer Science. Springer-Verlag, 1996.

.... also been substantial work on veri cation of integer valued and parameterized systems using methods based on logic [DP99, FR96, FP93, RRRS99, SUM96] The works from the logic programming, theorem proving and database community that come closest to our work are [CDD 98, PG97, Fri98, BMSU97, KMP96, Urb96, GP99, Gup99, DRS99] 8 An attempt has been made in [CDD 98] for model checking real time systems based on logic programming. But no detailed results of such an attempt has been provided. Pontelli 7 Note that our de nition of receptiveness is di erent from that in [AH97] 8 Shortly ....

....automata without, however, establishing a formal connection with the standard model for timed systems. In fact, the semantics results in [Urb96] cannot be connected with temporal properties of timed automata, in contrast to our work on TLP s. The clocked transition system model considered in [KMP96, BMSU97] cannot be considered as a logic based model. In contrast to the timed temporal logic considered in this paper, which is branching time, KMP96, BMSU97] considers model checking for linear temporal logic. The works from the veri cation community that come closest to our work are [LPY95b, ....

[Article contains additional citation context not shown here]

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Proceedings of CAV, 1996.

.... also been substantial work on veri cation of integer valued and parameterized systems using methods based on logic [DP99, FR96, FP93, RRRS99, SUM96] The works from the logic programming, theorem proving and database community that come closest to our work are [CDD 98, PG97, Fri98, BMSU97, KMP96, Urb96] An attempt has been made in [CDD 98] for model checking real time systems based on logic programming. But no detailed results of such an attempt has been provided. Pontelli and Gupta in [PG97] have been able to verify several interesting properties of real time systems. In contrast ....

....automata without, however, establishing a formal connection with the standard model for timed systems. In fact, the semantics results in [Urb96] cannot be connected with temporal properties of timed automata, in contrast to our work on TLP s. The clocked transition system model considered in [KMP96, BMSU97] cannot be considered as a logic based model. In contrast to the timed temporal logic considered in this paper, which is branching time, KMP96, BMSU97] considers model checking for linear temporal logic. The works from the veri cation community that come closest to our work are [LPY95b, ....

[Article contains additional citation context not shown here]

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Proceedings of CAV, 1996.

....cant one computationally. Urbina [Urb96] models hybrid systems as CLP programs. Various properties of hybrid systems can then be veri ed by top down or bottom up evaluation of the CLP programs. This approach is also based on CLP systems without tabling. Bjorner et al. BMSU97] and Kesten et al. KMP96] use deductive approaches to verify real time systems. They model systems using Clocked Transition Systems, which are fair transition systems extended with clock variables, and use veri cation rules and veri cation diagrams to establish the validity of Linear Temporal Logic formulas. Kwak et al. ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying Clocked Transition Systems, Hybrid Systems III. In Proceedings of the Eight International Conference on Computer Aided Verication (CAV '96), Vol. 1102 of Lecture Notes in Computer Science, volume 1066 of Lecture Notes in Computer Science, pages 13-40, 1996.

....L( and upper bound U ( for any action of P . As in the case of untimed programs, we shall need an exact specification Pi(P T ) of a real time program P T . We introduce a distinguished state variable now to represent time, and an action to advance time, under the following assumptions [AL92, HMP94, KMP96, MP96]: time starts at 0: initially now = 0. time never decreases: 2[now 0 2 (now ; 1) now . time diverges: 8t 2 R :3(now t) Time divergence is also called the Non Zeno property and ensures that only a finite number of actions can be performed in any finite interval of time. The three ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T.A. Henzinger, and E.D. Sontag, editors, Hybrid Systems III, Lecture Notes in Computer Science 1066. Springer-Verlag, 1996.

....shared variables and shared labels is considered. This work also attacks proving non Zenoness by switching to a game theoretic framework. Going to the domain of timed systems, there are works which treat composition in presence of non deterministic timing constraints in variants of timed automata [21, 12]. Sifakis and Yovine distinguish between transitions which must take place and those which may take place by using a notion of deadline in addition to the usual notion of invariance in timed automata. Kesten, Manna and Pnueli, on the other hand, separate the progress conditions and enabling ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying Clocked Transition Systems. In Alur et al. [3], pages 13--40.

....about continuous systems. That paper focuses on exploring the potentials of refinement reasoning for such systems, whereas we concentrate on a precise definition of the semantics. Action systems have an operational flavour, and our extension is thus related to various hybrid automata models [1, 20, 18] and the general hybrid model surveyed in [7] However, our interest is not in the basic model, but in an integration of specifications (predicates) and actions such that one can reason without reference to the semantics. A similar concept is found in the description language used in HyTech [15, ....

Y. Kesten, Z. Manna, and A. Pnuelli. Verifying Clocked Transition Systems. In R. Alur, T. A. Henzinger, and E. D. Sontag (eds.) Hybrid Systems III, LNCS 1066, pp. 13-40, Springer-Verlag, 1996.

....hybrid systems, where continuous variables evolve over time as determined by di#erential equations. In this paper, we will focus on tools for untimed systems, including parameterized ones. However, our framework can be used as the basis for the verification of realtime and hybrid systems as well [34, 10, 51]. 1.2. The 2 process Bakery algorithm Figure 1 shows bakery(2) a program that implements Lamport s Bakery algorithm for mutual exclusion [37, 38] The program is written in the Simple Programming Language (SPL) of [46, 50] which is accepted as input by STeP. Two processes, P1 and P2, ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T. A. Henzinger, and E. D. Sontag, editors, Hybrid Systems III, volume 1066 of LNCS, pages 13--40. Springer-Verlag, 1996.

....of X is updated to a[3] 1 and simultaneously a[3] is updated to 2. Transition System local X : int int bool local a : array [1. 5] of int Transition t: assign (#2 X,a[3] a[3] 1,2) Figure 2.10: Legal assignments 2.7. 5 Clocked Transition Systems Clocked transition systems [ Kesten et al. 1996 ] can be used to model discrete or continuous real time systems, and are partially supported in the educational release of step. Clocked transition systems differ from fair transition systems in the following ways: ffl There are designated clock variables T, the master clock, global time) and ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Hybrid Systems III, volume 1066 of LNCS, pages 13--40. Springer-Verlag, 1996.

....hybrid systems , where continuous variables evolve over time as determined by di erential equations. In this paper, we will focus on tools for untimed systems, including parameterized ones. However, our framework can be used as the basis for the veri cation of realtime and hybrid systems as well [34, 10, 51]. 1.2. The 2 process Bakery algorithm Figure 1 shows bakery(2) a program that implements Lamport s Bakery algorithm for mutual exclusion [37, 38] The program is written in the Simple Programming Language (SPL) of [46, 50] which is accepted as input by STeP. Two processes, P1 and P2, ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T. A. Henzinger, and E. D. Sontag, editors, Hybrid Systems III, volume 1066 of LNCS, pages 13-40. Springer-Verlag, 1996.

.... A part of an ongoing research has implemented support for phase transition systems in step, and has used it to successfully (and actually without too much user interaction) verify a few of the HyTech examples [HHWT95] Preliminary versions of some parts of this paper appeared in [MP95a] and [KMP96] 2 Real Time Systems We now introduce a computational model for real time systems. 5 2.1 Computational Model: Clocked Transition System Real time systems are modeled as clocked transition systems (cts) A clocked transition system Phi = Omega V; Theta; T ; Pi ff consists of: ffl V : ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T.A. Henzinger, and E.D. Sontag, editors, Hybrid Systems III, volume 1066 of Lect. Notes in Comp. Sci., pages 13--40. Springer-Verlag, 1996.

....methods into a methodology that is complete (relative to first order reasoning) for proving linear time temporal logic properties of hybrid systems, provided no temporal operator appears in the scope of a quantifier. The advantages of the proposed methodology over the rule based approach of [11, 6] include the visual representation of the proof process, the provision of proof guidance, and the ability to prove specifications expressed by temporal formulas not in canonical form [10] Hybrid diagrams are related to the fairness diagrams of [4] and to the hybrid automata of [2, 1] They ....

....the system behavior and the safety and progress properties that have been proved about it: the vertex and edge labels represent the safety properties, the fairness constraints represent the progress properties. Hybrid diagrams are sufficiently expressive to encode phase transition systems (PTSs) [9, 6], which will be the system model adopted in this paper. The construction of the proof of a temporal specification begins by representing the system as a one vertex diagram, whose single edge encodes the possible The research was supported in part by the National Science Foundation under grant ....

[Article contains additional citation context not shown here]

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Hybrid Systems III, volume 1066 of Lect. Notes in Comp. Sci., pages 13--40. SpringerVerlag, 1996.

....as array references or tuple projections of local or out arrays tuples. Example: A legal assignment statement is given in Figure 2.9, where the second component of X is updated to a[3] 1 and simultaneously a[3] is updated to 2. 2.6. 5 Clocked Transition Systems Clocked transition systems [ Kesten et al. 1996 ] can be used to model discrete or continuous real time systems, and are partially supported in the educational release of step. Clocked transition systems differ from fair transition systems in the following ways: ffl There are designated clock variables T, the master clock, global time) and ....

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Hybrid Systems III, volume 1066 of LNCS, pages 13--40. Springer-Verlag, 1996.

....Continuous real time is modeled explicitly as part of the system, in the form of clock variables that increase uniformly, including a master clock that measures the passage of time. This model, in the spirit of [AL92] allows the reuse of standard deductive verification tools for reactive systems [KMP96] We add modularity to this framework, using clocked transition modules. Systems often have a natural decomposition into modules, where useful properties of the entire system may be inferred from properties of the modules. Properties of the composed system will still hold if modules are replaced ....

....inv with equal to p (that is, p holds initially and is preserved by all transitions) If these verification conditions can be proved assuming a set of properties S, we say that p is inductive relative to S. These rules are sound for proving safety properties of CTM s [MP96] Furthermore, KMP96] shows that these rules are also complete (relative to the underlying first order reasoning) for non Zeno CTS s. The following theorem relates the computations of two modules and those of their parallel composition: Theorem 1. Comp( M 1 jj M 2 ] Comp(M 1 ) Comp(M 2 ) Proof. Consider a ....

[Article contains additional citation context not shown here]

Y. Kesten, Z. Manna, and A. Pnueli. Verifying clocked transition systems. In Hybrid Systems III, volume 1066 of LNCS, pages 13--40. Springer-Verlag, 1996.

No context found.

Z. Manna, Y. Kesten, and A. Pnueli. Verifying clocked transition systems. In R. Alur, T.A. Henzinger, and E.D. Sontag, editors, Hybrid Systems III, Lecture Notes in Computer Science 1066, pages 13--40. Springer-Verlag, 1996.

No context found.

Y. Kesten, Z. Manna and A. Pnueli. Verifying Clocked Transition Systems. Hybrid Systems pp. 13-40, 1995.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC