KRONOS [6, 8] is a tool developed with the aim to assist the user to validate complex real-time systems. The tool checks whether a real-tinae system modeled by a timed automaton [4] satisfies a timing property specified by a formula of the temporal logic TCTL [3]. KRONOS implements the symbolic model-checking

Abstract. We describe a new implementation of HyTech 1,asymbolic model checker for hybrid systems. Given a parametric description of an embedded system as a collection of communicating automata, HyTech automatically computes the conditions on the parameters under which the system satis es its safety and timing requirements. While the original HyTech prototype was based on the symbolic algebra tool Mathematica, the new implementation is written in C ++ and builds on geometric algorithms instead of formula manipulation. The new HyTech o ers a cleaner and more expressive input language, greater portability, superior performance (typically two to three orders of magnitude), and new features such as diagnostic error-trace generation. We illustrate the e ectiveness of the new implementation by applying HyTech to the automatic parametric analysis of the generic railroad crossing benchmark problem [HJL93] and to an active structure control algorithm [ECB94]. 1

State space minimization techniques are crucial for combating state explosion. A variety of verification tools use bisimulation minimization to check equivalence between systems, to minimize components before composition, or to reduce a state space prior to model checking. This paper explores the third use in the context of verifying invariant properties. We consider three bisimulation minimization algorithms. From each, we produce an on-the-fly model checker for invariant properties and compare this model checker to a conventional one based on backwards reachability. Our comparisons, both theoretical and experimental, lead us to conclude that bisimulation minimization does not appear to be viable in the context of invariance verification, because performing the minimization requires as many, if not more, computational resources as model checking the unminimized system through backwards reachability. Keywords: Bisimulation minimization, model checking, invariant properties, on-the-fly...

Abstract. The theory of timed automata provides a formal framework to model and to verify the correct functioning of real-time systems. Among the di erent veri cation problems that have been investigated within this theory, the so-called reachability problem has been the most throughly studied. This problem is stated as follows. Given two statesof the system, is there an execution starting at one of them that reaches the other? The rst reason for studying such problem is that safety properties can expressed as the non-reachability of a set of states where the system is consider to show anincorrect or unsafe functioning. Second, the algorithms developed for analyzing other classes of properties are essentially based on the algorithms developed for solving the reachability question. In this paper we survey the di erent algorithms, data-structures and tools that have been proposed in the literature to solve this problem. 1

ing Bisimulations Stavros Tripakis and Sergio Yovine February 5, 1999 Abstract The objective of this paper is to show how verification of dense-time systems modeled as timed automata can be performed using classical (i.e. untimed) verification techniques. In that way, the existing rich infrastructure in algorithms and tools for the verification of untimed systems can be exploited. The paper completes the ideas introduced in [TY96]. Our approach consists in two steps. First, given a timed system A, we compute a finite graph G which captures the behavior of A modulo the fact that exact time delays are abstracted away. Then, we apply untimed verification techniques on G to prove properties on A. As property-specification languages, we use both the linear-time formalism of timed Buchi automata (TBA) and the branching-time logic TCTL. Model checking A against properties specified as TBA or TCTL formulae comes down to applying, respectively, automata-emptiness or CTL model-checking algori...

In recent years, there has been a resurgence of interest in the design of asynchronous circuits due to their ability to eliminate clock skew problems, achieve average case performance, adapt to processing and environmental variations, provide component modularity, and lower system power requirements. Traditional academic asynchronous designs methods use unbounded delay assumptions, resulting in circuits that are verifiable, but ignore timing for simplicity, leading to unnecessarily conservative designs. In industry, however, timing is critical to reduce both chip area and circuit delay. Due to a lack of formal methods that handle timing information correctly, circuits with timing constraints usually require extensive simulation to gain confidence in the design. This thesis bridges this gap by introducing timed circuits in which explicit timing information is incorporated into the specification and utilized throughout the design procedure to optimize the implementation. Our timed circu...

In classical timed automata, as de ned by Alur and Dill [AD90, AD94] and widely since studied, the only operation allowed to modify the clocks is the reset operation. For instance, a clock can neither be set to a non-null constant value, nor be set to the value of another clock, nor, in a non-deterministic way, to some value lower or higher than a given constant. In this paper we study in details such updates which can be very useful for modelization purposes. We characterise in a thin way the frontier between decidable and undecidable. Our main contributions are the following: -- We exhibit many classes of updates for which emptiness is undecidable. A surprising result is that these classes depend on the clock constraints that are used diagonal-free or not whereas it is well known that these two kinds of constraints are equivalent for classical timed automata. -- We propose a generalization of the region automaton proposed by Alur and Dill to handle with larger classes of updates. ...

Timed automata are a widely studied model. Its decidability has been proved using the so-called region automaton construction. This construction provides a correct abstraction for the behaviours of timed automata, but it suffers from a state explosion and is thus not used in practice. Instead, algorithms based on the notion of zones are implemented using adapted data structures like DBMs. When we focus on forward analysis algorithms, the exact computation of all the successors of the initial configurations does not always terminate. Thus, some abstractions are often used to ensure termination, among which, a widening operator on zones. In this paper, we study in detail this widening operator and the corresponding forward analysis algorithm. This algorithm is most used and implemented in tools like KRONOS and UPPAAL. One of our main results is that it is hopeless to find a forward analysis algorithm for general timed automata, that uses such a widening operator, and which is correct. This goes really against what one could think. We then study in detail this algorithm in the more general framework of updatable timed automata, a model which has been introduced as a natural syntactic extension of classical timed automata. We describe subclasses of this model for which a correct widening operator can be found.

Abstract. We investigate extensions of Alur and Dill’s timed automata, based on the possibility to update the clocks in a more elaborate way than simply reset them to zero. We call these automata updatable timed automata. They form an undecidable class of models, in the sense that emptiness checking is not decidable. However, using an extension of the region graph construction, we exhibit interesting decidable subclasses. In a surprising way, decidability depends on the nature of the clock constraints which are used, diagonal-free or not, whereas these constraints play identical roles in timed automata. We thus describe in a quite precise way the thin frontier between decidable and undecidable classes of updatable timed automata. We also study the expressive power of updatable timed automata. It turns out that any updatable automaton belonging to some decidable subclass can be effectively transformed into an equivalent timed automaton without updates but with silent transitions. The transformation suffers from an enormous combinatorics blow-up which seems unavoidable. Therefore, updatable timed automata appear to be a concise model for representing and analyzing large classes of timed systems. 1

. We adapt a generic minimal model generation algorithm to compute the coarsest finite model of the underlying infinite transition system of a timed automaton. This model is minimal modulo a timeabstracting bisimulation. Our algorithm uses a refinement method that avoids set complementation, and is considerably more efficient than previous ones. We use the constructed minimal model for verification purposes by defining abstraction criteria that allow to further reduce the model and to compare it to a specification. 1 Introduction Behavioral equivalences based on bisimulation relations have proven useful for verifying the correctness of concurrent systems. They allow comparing an implementation to a usually more abstract specification both represented as labeled transition systems. This approach also allows reducing the size of the system by identifying equivalent states which is crucial to avoid the explosion of the state-space. Since the introduction of strong bisimulation in [Mil80]...