Results 11-20 of 270
Model Checking of RealTime Reachability Properties Using Abstractions
, 1998
Cited by 86 (10 self)
Abstract
Practical real-time model checking suffers from the state-explosion problem: the size of the state space grows exponentially with many system parameters: the number of clocks, the size of constants, and the number of system components. To cope with state explosion, we propose to use abstractions that reduce the state space while preserving reachability properties. Four exact abstractions, plus one safe abstraction, are defined. In the main abstraction (simulation), a concrete state is mapped to a symbolic abstract state (a set of concrete states). The other four abstractions are defined on top of the simulation one. They can be computed on-the-fly in a completely orthogonal manner and thus can be combined to yield better reductions. A prototype implementation in the tool Kronos has made it possible to verify two benchmark examples with a significant scale-up in size.

1 Introduction
Model checking is an approach commonly used for the automatic verification of reachability properties. Given a system and a property p, reac...
From Simulink to SCADE/Lustre to TTA: a Layered Approach for Distributed Embedded Applications
In Languages, Compilers, and Tools for Embedded Systems (LCTES’03)
, 2003
Cited by 82 (20 self)
Abstract
We present a layered end-to-end approach for the design and implementation of embedded software on a distributed platform. The approach comprises a high-level modeling and simulation layer (Simulink), a middle-level programming and validation layer (SCADE/Lustre) and a low-level execution layer (TTA). We provide algorithms and tools to pass from one layer to the next: first, a translator from Simulink to Lustre; second, a set of real-time and code-distribution extensions to Lustre; third, implementation techniques for decomposing a Lustre program into tasks and messages, scheduling the tasks and messages on the processors and the bus, distributing the Lustre code on the execution platform, and generating the necessary “glue” code.
Modularity for Timed and Hybrid Systems
, 1997
Cited by 81 (17 self)
Abstract
In a trace-based world, the modular specification, verification, and control of live systems require each module to be receptive; that is, each module must be able to meet its liveness assumptions no matter how the other modules behave. In a real-time world, liveness is automatically present in the form of diverging time. The receptiveness condition, then, translates to the requirement that a module must be able to let time diverge no matter how the environment behaves. We study the receptiveness condition for real-time systems by extending the model of reactive modules to timed and hybrid modules. We define the receptiveness of such a module as the existence of a winning strategy in a game of the module against its environment. By solving the game on region graphs, we present an (optimal) EXPTIME algorithm for checking the receptiveness of propositional timed modules. By giving a fixpoint characterization of the game, we present a symbolic procedure for checking the re...
Hierarchical Modeling and Analysis of Embedded Systems
, 2003
Cited by 78 (24 self)
Abstract
This paper describes the modeling language CHARON for modular design of interacting hybrid systems. The language allows specification of architectural as well as behavioral hierarchy and discrete as well as continuous activities. The modular structure of the language is not merely syntactic, but is exploited by analysis tools and is supported by a formal semantics with an accompanying compositional theory of refinement. We illustrate the benefits of CHARON in the design of embedded control software using examples from automated highways concerning vehicle coordination.
Reducing the Number of Clock Variables of Timed Automata
Proc. RTSS'96, pp. 73-81, IEEE
, 1996
Cited by 77 (7 self)
Abstract
We propose a method for reducing the number of clocks of a timed automaton by combining two algorithms. The first one consists in detecting active clocks, that is, those clocks whose values are relevant for the evolution of the system. The second one detects sets of clocks that are always equal. We implemented the algorithms and applied them to several case studies. These experimental results show that an appropriate encoding of the state space, based on the output of the algorithms, leads to a considerable reduction of the memory space, allowing a more efficient verification.

1 Introduction
Timed automata [3, 13] are automata extended with a finite set of real-valued clocks that proceed at a uniform rate and constrain the times at which transitions occur. Since the time component makes the underlying transition system infinite, verification algorithms depend on the construction of a finite partition of the state space. As shown in [2, 3], the complexity of the verification probl...
Black-box conformance testing for real-time systems
 In 11th International SPIN Workshop on Model Checking of Software (SPIN’04), volume 2989 of LNCS
, 2004
Cited by 76 (11 self)
Abstract
We propose a new framework for black-box conformance testing of real-time systems. The framework is based on the model of partially-observable, nondeterministic timed automata. We argue that partial observability and nondeterminism are essential features for ease of modeling, expressiveness and implementability. The framework allows the user to define, through appropriate modeling, assumptions on the environment of the system under test (SUT) as well as on the interface between the tester and the SUT. We consider two types of tests: analog-clock tests and digital-clock tests. Our algorithm to generate analog-clock tests is based on an on-the-fly determinization of the specification automaton during the execution of the test, which in turn relies on reachability computations. The latter can sometimes be costly, and thus problematic, since the tester must quickly react to the actions of the system under test. Therefore, we provide techniques which allow analog-clock testers to be represented as deterministic timed automata, thus minimizing the reaction time to a simple state jump. We provide algorithms for static or on-the-fly generation of digital-clock tests. These tests measure time only with finite-precision, digital clocks, another essential condition for implementability. We also propose a technique for location, edge and state coverage of the specification, by reducing the problem to covering a symbolic reachability graph. This avoids having to generate too many tests. We report on a prototype tool TTG and two case studies: a lighting device and the Bounded Retransmission Protocol. Experimental results obtained by applying TTG on the Bounded Retransmission Protocol show that only a few tests suffice to cover thousands of reachable symbolic states in the specification.
Implementation of Symbolic Model Checking for Probabilistic Systems
, 2002
Cited by 72 (21 self)
Abstract
In this thesis, we present efficient implementation techniques for probabilistic model checking, a method which can be used to analyse probabilistic systems such as randomised distributed algorithms, fault-tolerant processes and communication networks. A probabilistic model checker inputs a probabilistic model and a specification, such as “the message will be delivered with probability 1”, “the probability of shutdown occurring is at most 0.02” or “the probability of a leader being elected within 5 rounds is at least 0.98”, and can automatically verify whether the specification is true in the model.
Partial order reductions for timed systems
 In International Conference on Concurrency Theory
, 1998
Cited by 63 (4 self)
Abstract
In this paper, we present a partial-order reduction method for timed systems based on a local-time semantics for networks of timed automata. The main idea is to remove the implicit clock synchronization between processes in a network by letting local clocks in each process advance independently of clocks in other processes, and by requiring that two processes resynchronize their local time scales whenever they communicate. A symbolic version of this new semantics is developed in terms of predicate transformers, which enjoys the desired property that two predicate transformers are independent if they correspond to disjoint transitions in different processes. Thus we can apply standard partial-order reduction techniques to the problem of checking reachability for timed systems, which avoid exploration of unnecessary interleavings of independent transitions. The price is that we must introduce extra machinery to perform the resynchronization operations on local clocks. Finally, we present a variant of the DBM representation of symbolic states in the local-time semantics for efficient implementation of our method.
Reachability Analysis of Hybrid Systems via Predicate Abstraction
 Hybrid Systems: Computation and Control, Fifth International Workshop, LNCS 2289
, 2002
Cited by 62 (8 self)
Abstract
Predicate abstraction has emerged as a powerful technique for extracting finite-state models from infinite-state discrete programs. This paper presents algorithms and tools for reachability analysis of hybrid systems by combining the notion of predicate abstraction with recent techniques for approximating the set of reachable states of linear systems using polyhedra. Given a hybrid system and a set of user-defined predicates, we consider the finite discrete quotient whose states correspond to all possible truth assignments to the input predicates. The tool performs an on-the-fly exploration of the abstract system by using weakest preconditions to compute abstract transitions corresponding to the discrete switches and conservative polyhedral approximations to compute abstract transitions corresponding to continuous flows. Compared to tools such as Checkmate and d/dt, this approach requires significantly less computational resources, as the emphasis is shifted from computing the reachable set to searching in the abstract quotient. We demonstrate the feasibility of the proposed technique by analyzing a parametric timing-based mutual exclusion protocol and the safety of a simple controller for vehicle coordination.
The Theory of Timed I/O Automata
, 2003
Cited by 60 (18 self)
Abstract
This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also defines what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and defines notions of simulations, which provide sufficient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time. The TIOA framework supports the statement and verification of safety and liveness properties for timed systems. It defines what it means for a property to be a safety or a liveness property, includes basic results about safety-liveness classification, and