Some lessons from the HyTech experience
In Proceedings of the 40th Annual Conference on Decision and Control, 2001
"... We provide an overview of the current status of the tool HyTech, and re ect on some of the lessons learned from our experiences with the tool. HyTech is a symbolic model checker for mixed discrete-continuous systems that are modeled as automata with piecewise-constant polyhedral di erential inclusio ..."
Abstract
-
Cited by 22 (0 self)
We provide an overview of the current status of the tool HyTech, and reflect on some of the lessons learned from our experiences with the tool. HyTech is a symbolic model checker for mixed discrete-continuous systems that are modeled as automata with piecewise-constant polyhedral differential inclusions. The use of a formal input language and automated procedures for state-space traversal lay the foundation for formally verifying properties of hybrid dynamical systems. We describe some recent experiences analyzing three hybrid systems. We point out the successes and limitations of the tool. The analysis procedure has been extended in a number of ways to address some of the tool's shortcomings. We evaluate these extensions, and conclude with some desiderata for verification tools for hybrid systems.
Analysis and Verification of Real-Time Systems using Quantitative Symbolic Algorithms
Journal of Software Tools for Technology Transfer, 1999
"... The task of checking if a computer system satisfies its timing specifications is extremely important. These systems are often used in critical applications where failure to meet a deadline can have serious or even fatal consequences. This paper presents an efficient method for performing this verifi ..."
Abstract
-
Cited by 8 (0 self)
The task of checking if a computer system satisfies its timing specifications is extremely important. These systems are often used in critical applications where failure to meet a deadline can have serious or even fatal consequences. This paper presents an efficient method for performing this verification task. In the proposed method a real-time system is modeled by a state-transition graph represented by binary decision diagrams. Efficient symbolic algorithms exhaustively explore the state space to determine whether the system satisfies a given specification. In addition, our approach computes quantitative timing information such as minimum and maximum time delays between given events. These results provide insight into the behavior of the system and assist in the determination of its temporal correctness. The technique evaluates how well the system works or how seriously it fails, as opposed to only whether it works or not. Based on these techniques a verification tool called Verus...
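The quantitative part of the Verus approach, computing the minimum and maximum number of transitions between two events, can be seen on a small explicit graph. The script below is an added illustration, not Verus code: Verus represents the transition graph symbolically as BDDs, whereas this version walks an explicit successor map so it runs stand-alone. Time is discrete, one unit per transition, as in the paper's model; the request/retry graphs, the state names and the function names are constructed for the example.

```python
"""Min/max delay between events over an explicit state-transition graph.

Added example, not Verus code. Verus runs symbolic (BDD) fixpoints; this
script uses an explicit successor map. The two graphs are a constructed
request/retry unit: the unbounded variant can loop proc -> retry -> proc
forever, the bounded one allows a single retry.
"""
from collections import deque
from typing import Dict, List, Optional, Set

Graph = Dict[str, List[str]]
INF = float("inf")

UNBOUNDED: Graph = {
    "idle": ["req"],
    "req": ["proc"],
    "proc": ["done", "retry"],
    "retry": ["proc"],
    "done": ["idle"],
}
BOUNDED: Graph = {
    "idle": ["req"],
    "req": ["proc0"],
    "proc0": ["done", "retry0"],
    "retry0": ["proc1"],
    "proc1": ["done"],
    "done": ["idle"],
}


def min_delay(g: Graph, start: Set[str], target: Set[str]) -> Optional[int]:
    """Fewest transitions from any start state to any target state (BFS).
    Returns None when no target is reachable at all."""
    dist = {s: 0 for s in start}
    queue = deque(start)
    while queue:
        s = queue.popleft()
        if s in target:
            return dist[s]
        for t in g.get(s, ()):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return None


def max_delay(g: Graph, start: Set[str], target: Set[str]) -> float:
    """Most transitions that can elapse before a target state is first entered,
    from the worst start state. INF means the target can be avoided forever:
    a cycle or a dead end is reachable without passing through it."""
    memo: Dict[str, float] = {}
    on_stack: Set[str] = set()

    def longest(s: str) -> float:
        if s in target:
            return 0
        if s in memo:
            return memo[s]
        if s in on_stack:
            return INF  # back edge closes a target-avoiding cycle
        on_stack.add(s)
        nexts = g.get(s, [])
        best: float = INF if not nexts else 0  # deadlock never reaches target
        for t in nexts:
            best = max(best, 1 + longest(t))
        on_stack.discard(s)
        memo[s] = best
        return best

    return max(longest(s) for s in start)


def timing_report(g: Graph, start: Set[str], target: Set[str]) -> Dict[str, float]:
    """The 'how well it works / how badly it fails' pair for one event pair."""
    lo = min_delay(g, start, target)
    return {"min": INF if lo is None else lo, "max": max_delay(g, start, target)}


if __name__ == "__main__":
    for name, g in (("unbounded", UNBOUNDED), ("bounded", BOUNDED)):
        print(name, timing_report(g, {"req"}, {"done"}))
```

For the unbounded graph the minimum delay from `req` to `done` is 2 but the maximum is infinite, because the retry loop can starve the request; bounding the retry to one attempt makes the maximum 4. That distinction, a bound versus no bound rather than a bare pass/fail, is the quantitative information the abstract refers to.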
Using Partial Evaluation to Enable Verification of Concurrent Software
1998
"... ing with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works, requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept, ACM Inc., 1515 Broadway, New York, N ..."
Abstract
-
Cited by 6 (4 self)
M. Dwyer, J. Hatcliff, and M. Nanda. 1. Introduction. Modern computing applications increasingly require software systems that are extremely reliable and concurrent or distributed. Unfortunately, current software validation techniques are unable to provide high levels of assurance of correctness for these systems due to system size and complexity as well as the fundamental difficulties of reasoning about concurrency. Finite-state verification (FSV) techniques (originally developed for hardware verification) are emerging as a promising technology for assuring high quality in modern software systems. In FSV, one describes th...
Staging Static Analyses Using Abstraction-based Program Specialization
In Principles of Declarative Programming: 10th International Symposium, PLILP'98, LNCS 1490, 1998
"... Conventional partial evaluators specialize programs with respect to concrete values, but programs can also be specialized with respect to abstractions of concrete values. We present a novel method for staging static analyses using abstraction-based program specialization (ABPS). Building on earlier ..."
Abstract
-
Cited by 3 (0 self)
Conventional partial evaluators specialize programs with respect to concrete values, but programs can also be specialized with respect to abstractions of concrete values. We present a novel method for staging static analyses using abstraction-based program specialization (ABPS). Building on earlier work by Consel and Khoo and Jones, we give an ABPS system that serves as a formal foundation for a suite of analysis and verification tools that we are developing for Ada programs. Our tool set makes use of existing verification packages. Currently many programs must be hand-transformed before they can be submitted to these packages. We have determined that these hand-transformations can be carried out automatically using ABPS. Thus, preprocessing programs using ABPS can significantly extend the applicability of existing tools without modifying the tools themselves.
Unit Verification: The CARA Experience
2004
"... The Computer-Aided Resuscitation Algorithm, or ... device for treating blood loss experienced by combatants injured on the battlefield. CARA is responsible for automatically stabilizing a patient’s blood pressure by infusing blood as needed, based on blood-pressure data the CARA system collects. The ..."
Abstract
-
Cited by 2 (0 self)
The Computer-Aided Resuscitation Algorithm, or ... device for treating blood loss experienced by combatants injured on the battlefield. CARA is responsible for automatically stabilizing a patient’s blood pressure by infusing blood as needed, based on blood-pressure data the CARA system collects. The control part of the system is implemented in software, which is extremely safety-critical and thus must perform correctly. This paper describes a case study in which a verification tool, the Concurrency Workbench of the New Century (CWB-NC), is used to analyze a model of the CARA system. The huge state space of the CARA makes it problematic to conduct traditional “push-button” automatic verification, such as model checking. Instead, we develop a technique, called unit verification, which entails taking small units of a system, putting them in a “verification harness” that exercises relevant executions appropriately within the unit, and then model checking these more tractable units. For systems, like CARA, whose requirements are localized to individual system components or interactions between small numbers of components, unit verification offers a means of coping with huge state spaces.
Software Technology Maturation Study: Model Checking Techniques and Tools
2001
"... this paper we report the results of the maturation study of model checking techniques and tools. Model checking techniques are a subset of Formal Methods, which are defined as "mathematically-based languages, techniques, and tools for specifying and verifying programs". We are interested tracing the ..."
Abstract
-
Cited by 1 (0 self)
In this paper we report the results of the maturation study of model checking techniques and tools. Model checking techniques are a subset of Formal Methods, which are defined as "mathematically-based languages, techniques, and tools for specifying and verifying programs". We are interested in tracing the maturation of the research results that have established the mathematical, theoretical basis for formal verification technologies. Further, we would like to trace how formal verification tools have become accepted by the industry and what factors have influenced such acceptance. This study complements parallel studies on integrated development environments by Halloran, on software design and modeling environments (CASE tools) by Fairbanks, and on software analysis-based software maintenance tools by Sutherland.
Systems, inc Reactive
"... Language). To establish a formula 2 as an invariant, Salsa carries out an induction proof that utilizes tightly integrated decision procedures (currently a combination of binary-decision-diagram (BDD) algorithms and a constraint solver for integer linear arithmetic) for discharging the verication ..."
Abstract
- Add to MetaCart
Language). To establish a formula 2 as an invariant, Salsa carries out an induction proof that utilizes tightly integrated decision procedures (currently a combination of binary-decision-diagram (BDD) algorithms and a constraint solver for integer linear arithmetic) for discharging the verification conditions. Unlike most other inductive provers, Salsa works in a totally automatic fashion. Its user interface mimics that of a model checker: given a formula and a model, Salsa either establishes the formula as an invariant of the model or provides a counterexample. In either case, the algorithm will terminate. Unlike model checkers, Salsa returns only a state-pair as a counterexample (the states before and after the state that is reached where the invariant does not hold) rather than an entire execution sequence. Also, due to the incompleteness of induction, users must validate the counterexamples. The use of induction enables Salsa to combat the state-explosion problem that plagues m...
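The induction check and its characteristic weakness, a state-pair counterexample whose pre-state may be unreachable, are easy to see on a tiny model. The script below is an added illustration and not Salsa's code: Salsa discharges the two verification conditions with BDDs and an integer-linear-arithmetic solver, whereas here both are decided by exhaustive enumeration over a small constructed finite model. The lockstep-counter model, the three candidate invariants and every function name are assumptions made for the example.

```python
"""Invariant checking by one-step induction, in the style the Salsa abstract
describes. Added example, not Salsa's code: the decision procedures are
replaced by exhaustive enumeration over a constructed finite model.

Hypothetical model: two counters modulo N start at 0 and advance in lockstep,
so every reachable state satisfies x == y, but many syntactic states do not.
"""
from typing import Callable, Optional, Set, Tuple

N = 8
State = Tuple[int, int]
STATES = [(x, y) for x in range(N) for y in range(N)]  # all syntactic states
Inv = Callable[[State], bool]


def init(s: State) -> bool:
    return s == (0, 0)


def step(s: State) -> State:
    """Deterministic transition relation: both counters advance together."""
    x, y = s
    return ((x + 1) % N, (y + 1) % N)


def check_inductive(inv: Inv):
    """Salsa's two verification conditions, decided by enumeration.
    base: every initial state satisfies inv.
    step: every state satisfying inv steps only to states satisfying inv.
    Returns ("ok", None), ("init", s) or ("step", (s, t)). A step failure is
    reported as a state pair, not an execution trace, as the abstract says."""
    for s in STATES:
        if init(s) and not inv(s):
            return ("init", s)
    for s in STATES:
        if inv(s):
            t = step(s)
            if not inv(t):
                return ("step", (s, t))
    return ("ok", None)


def reachable() -> Set[State]:
    """Explicit reachability, used only to validate a reported pair. This is
    the check the abstract leaves to the user; Salsa itself does not do it."""
    seen = {s for s in STATES if init(s)}
    todo = list(seen)
    while todo:
        t = step(todo.pop())
        if t not in seen:
            seen.add(t)
            todo.append(t)
    return seen


def validate(pair: Tuple[State, State]) -> str:
    """A step counterexample is real only if its pre-state is reachable;
    otherwise induction was too weak and the invariant needs strengthening."""
    pre, _ = pair
    return "real" if pre in reachable() else "spurious"


# Three candidate invariants over the lockstep model.
def inv_weak(s: State) -> bool:      # true on every reachable state, not inductive
    return s[0] != 0 or s[1] == 0

def inv_strong(s: State) -> bool:    # the strengthening of inv_weak: inductive
    return s[0] == s[1]

def inv_false(s: State) -> bool:     # genuinely violated at the reachable (3, 3)
    return s != (3, 3)


if __name__ == "__main__":
    for name, inv in (("weak", inv_weak), ("strong", inv_strong), ("false", inv_false)):
        verdict, witness = check_inductive(inv)
        extra = validate(witness) if verdict == "step" else ""
        print(name, verdict, witness, extra)
```

`inv_weak` holds on every reachable state yet fails the inductive step from the unreachable pre-state (7, 0), so the pair Salsa would return is spurious and the fix is to strengthen the invariant to `inv_strong`; `inv_false` fails from the reachable pre-state (2, 2), a real violation. Only the reachability check distinguishes the two outcomes, which is why the abstract requires users to validate the counterexamples.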
Enhancement of Feedback Congestion Control Mechanisms by Deploying Active Congestion Control
2003
"... Active networking offers a change in the usual network paradigm: from passive carrier of bits to a more general computing engine. Active networking not only allows the network nodes to perform computations on the data but also allow their users to inject customized programs into the nodes of the net ..."
Abstract
- Add to MetaCart
Active networking offers a change in the usual network paradigm: from passive carrier of bits to a more general computing engine. Active networking not only allows the network nodes to perform computations on the data but also allows their users to inject customized programs into the nodes of the network, which may modify, redirect or store the user data flowing through the network. In this thesis, we focus on the benefits of active networking with respect to a problem that is unlikely to disappear in the near future: network congestion. Rather than applying congestion reduction mechanisms generically and broadly, we discuss a mechanism that allows each application to specify how losses to its data should occur in a controlled fashion. Congestion is a prime candidate for active networking, since it is specifically an intra-network event and is potentially far removed from the application. Further, the time that is required for congestion notification information to propagate back to the sender limits the speed with which an application can self-regulate to reduce congestion. In this thesis, we propose a model for Active Congestion control, using active queue
Branching Data Structures for Real-Time Model Checking Not As Good As Thought
"... Abstract. Clock Difference Diagrams (CDDs), a BDD-like data structure for model checking of timed automata, were presented in 1999. After the original article the work on them seems to have stopped, although there are still important open questions. CDD definition required that repeated subtrees wer ..."
Abstract
- Add to MetaCart
Clock Difference Diagrams (CDDs), a BDD-like data structure for model checking of timed automata, were presented in 1999. After the original article the work on them seems to have stopped, although there are still important open questions. The CDD definition required that repeated subtrees were aliased, but no clear algorithm was presented for producing such a compact representation, which seems costly to achieve. Also, since then, case studies have increased in size. In this article we revisit CDDs by comparing their performance against DBMs on current case studies, with and without repeated subtrees. Our experiments show that CDDs still require more time and memory than DBMs, and that eliminating repetitions is still not enough. Thus, this article re-opens issues that previous work on the topic considered closed.
1 Introduction and Previous Work
In current days timed systems are both pervasive and critical, ranging from

