Model Checking of RealTime Reachability Properties Using Abstractions
, 1998
Cited by 70 (10 self)
Practical real-time model checking suffers from the state-explosion problem: the size of the state space grows exponentially with many system parameters: number of clocks, size of constants, number of system components. To cope with state explosion, we propose to use abstractions reducing the state-space while preserving reachability properties. Four exact, plus one safe, abstractions are defined. In the main abstraction (simulation) a concrete state is mapped to a symbolic abstract state (a set of concrete states). The other four abstractions are defined on top of the simulation one. They can be computed on-the-fly in a completely orthogonal manner and thus can be combined to yield better reductions. A prototype implementation in the tool Kronos has made it possible to verify two benchmark examples with a significant scale-up in size. 1 Introduction. Model checking is an approach commonly used for the automatic verification of reachability properties. Given a system and a property p, reac...
Generating finite-state abstractions of reactive systems using decision procedures
In: CAV 98: Conference on Computer-Aided Verification. Volume 1427 of Lecture Notes in Computer Science, Springer-Verlag
, 1998
Cited by 67 (5 self)
We present an algorithm that uses decision procedures to generate finite-state abstractions of possibly infinite-state systems. The algorithm compositionally abstracts the transitions of the system, relative to a given, fixed set of assertions. Thus, the number of validity checks is proportional to the size of the system description, rather than the size of the abstract state-space. The generated abstractions are weakly preserving for ∀CTL* temporal properties. We describe several applications of the algorithm, implemented using the decision procedures of the Stanford Temporal Prover (STeP).
Timing Analysis in COSPAN
In: Hybrid Systems III
, 1996
Cited by 41 (7 self)
We describe how to model and verify real-time systems using the formal verification tool Cospan. The verifier supports automata-theoretic verification of coordinating processes with timing constraints. We discuss different heuristics, and our experiences with the tool for certain benchmark problems appearing in the verification literature. 1 Introduction. Model checking is a method of automatically verifying concurrent systems in which a finite-state model of a system is compared with a correctness requirement. This method has been shown to be very effective in detecting errors in high-level designs, and has been implemented in various tools. We consider the tool Cospan that is based on the theory of ω-automata (ω-automata are finite automata accepting infinite sequences, see [Tho90] for a survey, and [VW86, Kur94] for applications to verification). The system to be verified is modeled as a collection of coordinating processes described in the language S/R [Kur94]. The semantics of su...
Efficient Data Structure for Fully Symbolic Verification of Real-Time Software Systems
In: Proceedings of the 6th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2000), LNCS 1785
Cited by 21 (7 self)
A new data-structure called DDD (Data-Decision Diagram) for the fully symbolic model-checking of real-time software systems is proposed. DDD is a BDD-like data-structure for the encoding of regions [2]. Unlike DBM, which records differences between pairs of clock readings, DDD only uses one auxiliary binary variable for each clock. Thus the number of variables used in DDD is always linear in the number of clocks declared in the input system description. Experiments have been carried out to compare DDD with previous technologies. 1 Introduction. Fully symbolic verification of real-time systems is desirable with the promise of efficient data-sharing. We propose Data Decision Diagram (DDD) as the new data-structure for such a purpose. DDD is a BDD-like data-structure [5, 8] for the encoding of regions [2]. The ordering among fractional parts of clock readings is explicitly encoded in the variable ordering of DDD. To record sets of clock readings with the same fractional parts, we add one...
Symbolic parametric safety analysis of linear hybrid systems with BDD-like data-structures
In: IEEE Trans. Softw. Eng.
, 2004
Cited by 18 (1 self)
We introduce a new BDD-like data structure called Hybrid-Restriction Diagrams (HRDs) for the representation and manipulation of linear hybrid automata (LHA) state-spaces and present algorithms for weakest precondition calculations. This permits us to reason about the valuations of parameters that make safety properties satisfied. Advantages of our approach include the ability to represent discrete state information and concave polyhedra in a unified scheme, as well as to save both memory consumption and manipulation time when processing the same substructures in state-space representations. Our experimental results document its efficiency in practice.
Partial Order Reduction for Model Checking of Timed Automata
, 1999
Cited by 15 (0 self)
The paper presents a partial order reduction method applicable to networks of timed automata. The advantage of the method is that it reduces both the number of explored control states and the number of generated time zones. The approach is based on a local-time semantics for networks of timed automata defined by Bengtsson et al. [1998], and used originally for local reachability analysis. In this semantics, each component automaton executes asynchronously, in its own local time scale, which is tracked by an auxiliary reference clock. On communication transitions, the automata synchronize their time scales. We show how this model can be used to perform model checking for an extension of linear temporal logic, which can express timing relations between events. We also show how, for a class of timed automata, the local-time model can be implemented using difference bound matrices without any space penalty, despite the need to represent local time. Furthermore, we analyze the dependence relation between transitions in the new model and give practical conditions for selecting a reduced set of transitions.
TCTL Inevitability Analysis of Dense-Time Systems (LNCS 2759)
, 2003
Cited by 8 (4 self)
Inevitability properties in branching temporal logics are of the syntax ∀♦φ, where φ is an arbitrary (timed) CTL formula. In the sense that "good things will happen", they are parallel to the "liveness" properties in linear temporal logics. Such inevitability properties in dense-time logics can be analyzed with greatest fixpoint calculation. We present algorithms to model-check inevitability properties both with and without the requirement of non-Zeno computations. We discuss a technique for early decision on greatest fixpoints in the temporal logics. Our algorithms come with a d-parameter for the measurement of time-progress. We have experimented with various issues which may affect the performance of TCTL inevitability analysis. Specifically, we report the performance of our implementation w.r.t. various d-parameter values and with or without the non-Zeno computation requirement in the evaluation of greatest fixpoints. We have also experimented with safe abstraction techniques for model-checking TCTL inevitability properties. Analysis of the experiment data helps clarify how various techniques can be used to improve verification of inevitability properties.
A Tool Architecture for the Next Generation of UPPAAL
, 2003
Cited by 7 (0 self)
We present the design of the model-checking engine and internal data structures for the next generation of Uppaal. The design is based on a pipeline architecture where each stage represents one independent operation in the verification algorithms. The architecture is based on essentially one shared data structure to reduce redundant computations in state exploration, which unifies the so-called passed and waiting lists of the traditional reachability algorithm. In the implementation, instead of using standard memory management functions from general-purpose operating systems, we have developed a special-purpose storage manager to best utilize sharing in physical storage. We present experimental results supporting these design decisions. It is demonstrated that the new design and implementation improve the efficiency of the current distributed version of Uppaal by about 60% in time and 80% in space.
Tempo: A Model Checker for Event-Recording Automata
In: Proceedings of RT-TOOLS'01
, 2001
Cited by 4 (0 self)
We present a symbolic on-the-fly model checking algorithm for event-recording automata, a subclass of timed automata. This algorithm is based on a forward reachability analysis and uses a symbolic representation of clock constraints. It forms the core of the verification tool Tempo. We also develop a real-time logic for specifying properties of event-recording automata in a suitable way and demonstrate that the model checking problem for this logic is decidable.
Timed Automata May Cause Some Troubles
Research Report LSV-02-9, LSV, ENS de
, 2002
Cited by 3 (2 self)
Timed automata are a widely studied model. Their decidability has been proved using the so-called region automaton construction. This construction provides a correct abstraction for the behaviours of timed automata, but it does not support a natural implementation and, in practice, algorithms based on the notion of zones are implemented using adapted data structures like DBMs. When we focus on forward analysis algorithms, the exact computation of all the successors of the initial configurations does not always terminate. Thus, some abstractions are often used to ensure termination, among which is a widening operator on zones. In this paper