Results 1 - 10 of 18
Compositional Model Checking
, 1999
Cited by 2028 (60 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
The d/dt Tool for Verification of Hybrid System
, 2002
Cited by 40 (7 self)
In this paper we describe the tool d/dt which provides automatic safety verification of hybrid systems with linear continuous dynamics with uncertain input. The verification procedure is based on a method for overapproximating reachable sets by orthogonal polyhedra.
Reachability analysis of nonlinear systems using conservative approximation
- In Oded Maler and Amir Pnueli, editors, Hybrid Systems: Computation and Control, LNCS 2623
, 2003
Probabilistic Model Checking of Deadline Properties in the IEEE1394 FireWire Root Contention Protocol
- Special Issue of Formal Aspects of Computing
Cited by 28 (20 self)
The increasing dependence of businesses on distributed architectures and computer networking places heavy demands on the speed and reliability of data exchange, leading to the emergence of sophisticated protocols which involve both real-time and randomization, for example FireWire IEEE1394. Automatic verification techniques such as model checking have been adapted to this class of probabilistic, timed systems [1, 9, 3, 14]. This abstract considers an application of such techniques to the IEEE1394 (FireWire) root contention protocol, in which the interplay between timed and probabilistic aspects is used to break the symmetry which may arise during the leader election process. Here, the properties of interest concern the election of a leader within a certain deadline, with a certain probability or greater. Our specification formalism is that of probabilistic timed automata [14], a variant of timed automa...
Efficient Verification of Timed Automata using Dense and Discrete Time Semantics
Cited by 21 (5 self)
In this paper we argue that the semantic issues of discrete vs. dense time should be separated as much as possible from the pragmatics of state-space representation. Contrary to some misconceptions, the discrete semantics is not inherently bound to use state-explosive techniques any more than the dense one. In fact, discrete timed automata can be analyzed using any representation scheme (such as DBM) used for dense time, and in addition can benefit from enumerative and symbolic techniques (such as BDDs) which are not naturally applicable to dense time. DBMs, on the other hand, can still be used more efficiently by taking into account the activity of clocks, to eliminate redundancy. To support these claims we report experimental results obtained using an extension of Kronos with BDDs and variable-dimension DBMs where we verified the asynchronous chip STARI, a FIFO buffer which provides for skew-tolerant communication between two synchronous systems. Using discrete time and BDDs we were able to prove correctness of a STARI implementation with 18 stages (55 clocks), better than what has been achieved using other techniques. The verification results carry over to the dense semantics. Using variable-dimension DBMs we have managed to verify STARI for up to 8 stages (27 clocks). In fact, our analysis shows that at most one third of the clocks are active at any reachable state, and about one fourth of the clocks are active in 90 % of the reachable states.
Automatic Verification of the IEEE-1394 Root Contention Protocol with KRONOS and PRISM
, 2002
Cited by 20 (9 self)
We report on the automatic verification of timed probabilistic properties of the IEEE 1394 root contention protocol combining two existing tools: the real-time model-checker Kronos and the probabilistic model-checker Prism. The system is modelled as a probabilistic timed automaton. We first use Kronos to perform a symbolic forward reachability analysis to generate the set of states that are reachable with non-zero probability from the initial state, and before the deadline expires. We then encode this information as a Markov decision process to be analyzed with Prism. We apply this technique to compute the minimal probability of a leader being elected before a deadline, for different deadlines, and study the influence of using a biased coin on this minimal probability.
Better is Better than Well: On Efficient Verification of Infinite-State Systems (Extended Abstract)
, 2000
Cited by 19 (4 self)
Many existing algorithms for model checking of infinite-state systems operate on constraints which are used to represent (potentially infinite) sets of states. A general powerful technique which can be employed for proving termination of these algorithms is that of well quasi-orderings. Several methodologies have been proposed for derivation of new well quasi-ordered constraint systems. However, many of these constraint systems suffer from a "constraint explosion problem", as the number of the generated constraints grows exponentially with the size of the problem. In this paper, we demonstrate that a refinement of the theory of well quasi-orderings, called the theory of better quasi-orderings is more appropriate for symbolic model checking, since it allows in...
Probabilistic model checking of the IEEE 802.11 wireless local area network protocol
- Proc. 2nd Joint International Workshop on Process Algebra and Probabilistic Methods, Performance Modeling and Verification (PAPM/PROBMIV’02), volume 2399 of LNCS
, 2002
Verification and Optimization of a PLC Control Schedule
- SOFTWARE TOOLS FOR TECHNOLOGY TRANSFER
Cited by 18 (3 self)
We report on the use of model checking techniques for both the verification of a process control program and the derivation of optimal control schedules. Most of this work has been carried out as part of a case study for the EU VHS project (Verification of Hybrid Systems), in which the program for a Programmable Logic Controller (PLC) of an experimental chemical plant had to be designed and verified. The original intention of our approach was to see how much could be achieved here using the standard model checking environment of SPIN/Promela. As the symbolic calculations of real-time model checkers can be quite expensive it is interesting to try and exploit the efficiency of established non-real-time model checkers like SPIN in those cases where promising work-arounds seem to exist. In our case we handled the relevant real-time properties of the PLC controller using a time-abstraction technique; for the scheduling we implemented in Promela a so-called variable time advance procedure. To compare and interpret the results we carried out the same case study with the aid of the real-time model checker Uppaal, enhanced with facilities for cost-guided state space exploration. Both approaches proved sufficiently powerful to verify the design of the controller and/or derive (time-)optimal schedules within reasonable time and space requirements.
Verification of Asynchronous Circuits using Timed Automata
Cited by 18 (4 self)
In this work we apply the timing verification tool OpenKronos, which is based on timed automata, to verify correctness of numerous asynchronous circuits. The desired behavior of these circuits is specified in terms of signal transition graphs (STG) and we check whether the synthesized circuits behave correctly under the assumption that the inputs satisfy the STG conventions and that the gate delays are bounded between two given numbers. Our results demonstrate the viability of the timed automaton approach for timing analysis of certain classes of circuits.