Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus, unsuitable for analysis of real-time systems whose correctness depends on relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of real-time systems. Its definition provides a simple way to annotate state-transition graphs with timing constraints using finitely many real-valued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata, and their role in specification and verification of real-time systems.

Temporal logic comes in two varieties: linear-time temporal logic assumes implicit universal quantification over all paths that are generated by system moves; branching-time temporal logic allows explicit existential and universal quantification over all paths. We introduce a third, more general variety of temporal logic: alternating-time temporal logic offers selective quantification over those paths that are possible outcomes of games, such as the game in which the system and the environment alternate moves. While linear-time and branching-time logics are natural specification languages for closed systems, alternating-time logics are natural specification languages for open systems. For example, by preceding the temporal operator "eventually" with a selective path quantifier, we can specify that in the game between the system and the environment, the system has a strategy to reach a certain state. Also the problems of receptiveness, realizability, and controllability can be formulated as model-checking problems for alternating-time formulas.

Linear Relation Analysis [CH78] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous programs and linear hybrid systems.

This paper offers a synthetic overview of, and original contributions to, the use of logics and formal methods in the analysis of hybrid systems

) Bernard Boigelot Universit'e de Li`ege Institut Montefiore, B28 4000 Li`ege Sart-Tilman, Belgium Email: boigelot@montefiore.ulg.ac.be Patrice Godefroid Lucent Technologies -- Bell Laboratories 1000 E. Warrenville Road Naperville, IL 60566, U.S.A. Email: god@bell-labs.com Abstract We study the verification of properties of communication protocols modeled by a finite set of finite-state machines that communicate by exchanging messages via unbounded FIFO queues. It is well-known that most interesting verification problems, such as deadlock detection, are undecidable for this class of systems. However, in practice, these verification problems may very well turn out to be decidable for a subclass containing most "real" protocols. Motivated by this optimistic (and, we claim, realistic) observation, we present an algorithm that may construct a finite and exact representation of the state space of a communication protocol, even if this state space is infinite. Our algorithm performs a loo...

Symbolic approaches attack the state explosion problem by introducing implicit representations that allow the simultaneous manipulation of large sets of states. The most commonly used representation in this context is the Binary Decision Diagram (BDD). This paper takes the point of view that other structures than BDD's can be useful for representing sets of values, and that combining implicit and explicit representations can be fruitful. It introduces a representation of complex periodic sets of integer values, shows how this representation can be manipulated, and describes its application to the state-space exploration of protocols. Preliminary experimental results indicate that the method can dramatically reduce the resources required for state-space exploration.

Abstract. We consider the timed automata model of [3], which allows the analysis of real-time systems expressed in terms of quantitative timing constraints. Traditional approaches to real-time system description express the model purely in terms of nondeterminism; however, we may wish to express the likelihood of the system making certain transitions. In this paper, we present a model for real-time systems augmented with discrete probability distributions. Furthermore, using the algorithm of [5] with fairness, we develop a model checking method for such models against temporal logic properties which can refer both to timing properties and probabilities, such as, “with probability 0.6 or greater, the clock x remains below 5 until clock y exceeds 2”. 1

) Thomas Wilke Christian-Albrechts-Universitat zu Kiel, Institut fur Informatik und Praktische Mathematik, D-24098 Kiel, Germany ? Abstract. A monadic second-order language, denoted by Ld, is introduced for the specification of sets of timed state sequences. A fragment of Ld, denoted by L $ d, is proved to be expressively complete for timed automata (Alur and Dill), i. e., every timed regular language is definable by a L $ d-formula and every L $ d-formula defines a timed regular language. As a consequence the satisfiability problem for L $ d is decidable. Timed temporal logics are shown to be effectively embeddable into L $ d and hence turn out to have a decidable theory. This applies to TL \Gamma (Manna and Pnueli) and EMITLp , which is obtained by extending the logic MITLp (Alur and Henzinger) by automata operators (Sistla, Vardi, and Wolper). For every positive natural number k the full monadic second-order logic Ld and L $ d are equally expressive modulo the set of timed...

We present an algorithm for verifying that a model M with timing constraints satisfies a given temporal property T . The model M is given as a parallel composition of !-automata P i , where each automaton P i is constrained by bounds on delays. The property T is given as an !-automaton as well, and the verification problem is posed as a language inclusion question L(M ) ` L(T ). In constructing the composition M of the constrained automata P i , one needs to rule out the behaviors that are inconsistent with the delay bounds, and this step is (provably) computationally expensive. We propose an iterative solution which involves generating successive approximations M j to M , with containment L(M ) ` L(M j ) and monotone convergence L(M j ) ! L(M ) within a bounded number of steps. As the succession progresses, the approximations M j become more complex. At any step of the iteration one may get a proof or a counterexample to the original language inclusion question. The described algori...

. We describe how to model and verify real-time systems using the formal verification tool Cospan. The verifier supports automatatheoretic verification of coordinating processes with timing constraints. We discuss different heuristics, and our experiences with the tool for certain benchmark problems appearing in the verification literature. 1 Introduction Model checking is a method of automatically verifying concurrent systems in which a finite-state model of a system is compared with a correctness requirement. This method has been shown to be very effective in detecting errors in high-level designs, and has been implemented in various tools. We consider the tool Cospan that is based on the theory of !-automata (!-automata are finite automata accepting infinite sequences, see [Tho90] for a survey, and [VW86, Kur94] for applications to verification). The system to be verified is modeled as a collection of coordinating processes described in the language S/R [Kur94]. The semantics of su...