Results 1 - 10 of 29
Binary Reachability Analysis of Discrete Pushdown Timed Automata
- CAV'00, LNCS 1855, 2000
Cited by 36 (26 self)
We introduce discrete pushdown timed automata that are timed automata with integer-valued clocks augmented with a pushdown stack. A configuration of a discrete pushdown timed automaton includes a control state, finitely many clock values and a stack word. Using a pure automata-theoretic approach, we show that the binary reachability (i.e., the set of all pairs of configurations (α, β), encoded as strings, such that α can reach β through 0 or more transitions) can be accepted by a nondeterministic pushdown machine augmented with reversal-bounded counters (NPCM). Since discrete timed automata with integer-valued clocks can be treated as discrete pushdown timed automata without the pushdown stack, we can show that the binary reachability of a discrete timed automaton can be accepted by a nondeterministic reversal-bounded multicounter machine. Thus, the binary reachability is Presburger. By using the known fact that the emptiness problem is decidable for reversal-bounded ...
Object-oriented Modeling with ADORA
- 2002
Cited by 22 (11 self)
In this paper, we present the Adora approach to object-oriented modeling of software (Adora stands for analysis and description of requirements and architecture). The main features of Adora that distinguish it from other approaches like UML are the use of abstract objects (instead of classes) as the basis of the model, a systematic hierarchical decomposition of the modeled system and the integration of all aspects of the system in one coherent model. The paper introduces the concepts of Adora and the rationale behind them, gives an overview of the language, sketches a novel concept for visualizing the model hierarchy with a tool and reports the results of a validation experiment for the Adora language. © 2002 Elsevier Science Ltd. All rights reserved.
Binary Reachability Analysis of Pushdown Timed Automata with Dense Clocks
- In CAV’01, volume 2102 of LNCS
Cited by 16 (10 self)
We consider pushdown timed automata (PTAs) that are timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a control state, dense clock values and a stack word. By using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. The properties previously could not be verified using the classic region technique nor expressed by timed temporal logics for timed automata and CTL for pushdown systems.
1 Introduction A timed automaton [3] can be considered as a finite automaton augmented...
On Presburger Liveness of Discrete Timed Automata
- STACS'01, LNCS 2010, 2001
Cited by 14 (12 self)
Using an automata-theoretic approach, we investigate the decidability of liveness properties (called Presburger liveness properties) for timed automata when Presburger formulas on configurations are allowed. While the general problem of checking a temporal logic such as TPTL augmented with Presburger clock constraints is undecidable, we show that there are various classes of Presburger liveness properties which are decidable for discrete timed automata. For instance, it is decidable, given a discrete timed automaton A and a Presburger property P, whether there exists an ω-path of A where P holds infinitely often. We also show that other classes of Presburger liveness properties are indeed undecidable for discrete timed automata, e.g., whether P holds infinitely often for each ω-path of A. These results might give insights into the corresponding problems for timed automata over dense domains, and help in the definition of a fragment of linear temporal logic, augmented with Presburger conditions on configurations, which is decidable for model checking timed automata.
1 Introduction Timed automata [3] are widely regarded as a standard model for real-time systems, because of their ability to express quantitative time requirements in the form of clock regions: a clock or the difference of two clocks is compared against an integer constant, e.g.,
The Design and Analysis of Real-Time Systems Using the ASTRAL Software Development Environment
- Annals of Software Engineering, 1999
Cited by 14 (14 self)
ASTRAL is a formal specification language for real-time systems. It is intended to support formal software development and, therefore, has been formally defined. The structuring mechanisms in ASTRAL allow one to build modularized specifications of complex systems with layering. A real-time system is modeled by a collection of state machine specifications and a single global specification. This paper discusses the ASTRAL Software Development Environment (SDE), which is an integrated set of design and analysis tools based on the ASTRAL formal framework. The tools that make up the support environment are a syntax-directed editor, a specification processor, a verification condition generator, a browser kit, a model checker, and a mechanical theorem prover.
Using the ASTRAL Model Checker to Analyze Mobile IP
- ICSE'99, 1999
Cited by 14 (9 self)
ASTRAL is a high-level formal specification language for real-time systems. It is provided with structuring mechanisms that allow one to build modularized specifications of complex real-time systems with layering. The ASTRAL model checker checks the satisfiability of critical requirements of a specification by enumerating possible runs of transitions within a given time bound. This paper discusses the mechanism of the model checker and how it can be used to analyze encryption protocols. Several classic benchmarks have been investigated, including the Needham-Schroeder public-key authentication protocol and the TMN protocol, and a number of attacks were uncovered. This paper focuses on using ASTRAL to specify Mobile IP and testing the specification using the model checker.
Keywords: Encryption protocols, Formal methods, Formal specification and verification, Real-time systems, Timing requirements, State machines, ASTRAL.
1 INTRODUCTION ASTRAL is a high-level formal specification lan...
Pushdown Timed Automata: a Binary Reachability Characterization and Safety Verification
- Theoretical Computer Science, 2003
Cited by 10 (6 self)
We consider pushdown timed automata (PTAs) that are timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a state, dense clock values and a stack word. By using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. The properties previously could not be verified using the classic region technique nor expressed by timed temporal logics for timed automata and CTL for pushdown systems. The results are also extended to other generalizations of timed automata.
Network Topology and a Case Study in TCOZ
- The 11th International Conference of Z Users, volume 1493 of Lecture Notes in Computer Science, 1998
Cited by 8 (4 self)
Object-Z is strong in modeling the data and operations of complex systems. However, it is weak in specifying real-time and concurrent systems. The Timed Communicating Object-Z (TCOZ) extends the Object-Z notation with Timed CSP's constructs. TCOZ is particularly well suited for specifying complex systems whose components have their own thread of control. This paper demonstrates the expressiveness of the TCOZ notation through a case study on specifying a multi-lift system that operates in real time.
Presburger Liveness Verification of Discrete Timed Automata
- 2003
Cited by 7 (3 self)
Using an automata-theoretic approach, we investigate the decidability of liveness properties (called Presburger liveness properties) for timed automata when Presburger formulas on configurations are allowed. While the general problem of checking a temporal logic such as TPTL augmented with Presburger clock constraints is undecidable, we show that there are various classes of Presburger liveness properties which are decidable for discrete timed automata. For instance, it is decidable, given a discrete timed automaton A and a Presburger property P, whether there exists an ω-path of A where P holds infinitely often. We also show that other classes of Presburger liveness properties are indeed undecidable for discrete timed automata, e.g., whether P holds infinitely often for each ω-path of A. These results might give insights into the corresponding problems for timed automata over dense domains, and help in the definition of a fragment of linear temporal logic, augmented with Presburger conditions on configurations, which is decidable for model checking timed automata.
Tools and Techniques for the Design and Systematic Analysis of Real-Time Systems
- 1999
Cited by 6 (4 self)
As technology progresses and computers become smaller, cheaper, and more powerful, they are increasingly relied on to guarantee the safety of human life and the environment. In most cases, it is not enough to merely provide such safety mechanisms, but is also critical to assure that they will be activated in time to prevent disasters. These real-time systems are found in both large-scale projects with highly visible consequences such as nuclear reactors and air traffic control systems as well as in consumer goods such as automobiles and smoke detectors. As more and more reliance is placed on real-time computing systems to perform critical and everyday functions, the need for formal methods to guarantee the correctness of these systems becomes crucial. Given the time