Results 1  10
of
50
The Tool KRONOS
 In Proc. of Hybrid Systems III, LNCS 1066
, 1996
"... KRONOS [6, 8] is a tool developed with the aim to assist the user to validate complex realtime systems. The tool checks whether a realtinae system modeled by a timed automaton [4] satisfies a timing property specified by a formula of the temporal logic TCTL [3]. KRONOS implements the symbolic mode ..."
Abstract

Cited by 233 (39 self)
 Add to MetaCart
KRONOS [6, 8] is a tool developed with the aim to assist the user to validate complex realtime systems. The tool checks whether a realtinae system modeled by a timed automaton [4] satisfies a timing property specified by a formula of the temporal logic TCTL [3]. KRONOS implements the symbolic modelchecking
HYTECH: The next generation
 In Proceedings of the 16th IEEE RealTime Systems Symposium
, 1995
"... Abstract. We describe a new implementation of HyTech 1,asymbolic model checker for hybrid systems. Given a parametric description of an embedded system as a collection of communicating automata, HyTech automatically computes the conditions on the parameters under which the system satis es its safety ..."
Abstract

Cited by 102 (7 self)
 Add to MetaCart
Abstract. We describe a new implementation of HyTech 1,asymbolic model checker for hybrid systems. Given a parametric description of an embedded system as a collection of communicating automata, HyTech automatically computes the conditions on the parameters under which the system satis es its safety and timing requirements. While the original HyTech prototype was based on the symbolic algebra tool Mathematica, the new implementation is written in C ++ and builds on geometric algorithms instead of formula manipulation. The new HyTech o ers a cleaner and more expressive input language, greater portability, superior performance (typically two to three orders of magnitude), and new features such as diagnostic errortrace generation. We illustrate the e ectiveness of the new implementation by applying HyTech to the automatic parametric analysis of the generic railroad crossing benchmark problem [HJL93] and to an active structure control algorithm [ECB94]. 1
Bisimulation and Model Checking
 In Proc. Compositionality Workshop, LNCS 1536
, 1999
"... State space minimization techniques are crucial for combating state explosion. A variety of verification tools use bisimulation minimization to check equivalence between systems, to minimize components before composition, or to reduce a state space prior to model checking. This paper explores the th ..."
Abstract

Cited by 69 (11 self)
 Add to MetaCart
State space minimization techniques are crucial for combating state explosion. A variety of verification tools use bisimulation minimization to check equivalence between systems, to minimize components before composition, or to reduce a state space prior to model checking. This paper explores the third use in the context of verifying invariant properties. We consider three bisimulation minimization algorithms. From each, we produce an onthefly model checker for invariant properties and compare this model checker to a conventional one based on backwards reachability. Our comparisons, both theoretical and experimental, lead us to conclude that bisimulation minimization does not appear to be viable in the context of invariance verification, because performing the minimization requires as many, if not more, computational resources as model checking the unminimized system through backwards reachability. Keywords: Bisimulation minimization, model checking, invariant properties, onthefly...
Analysis of Timed Systems using TimeAbstracting Bisimulations
 Formal Methods in System Design
, 1999
"... ing Bisimulations Stavros Tripakis and Sergio Yovine February 5, 1999 Abstract The objective of this paper is to show how verification of densetime systems modeled as timed automata can be performed using classical (i.e. untimed) verification techniques. In that way, the existing rich infrastruc ..."
Abstract

Cited by 58 (13 self)
 Add to MetaCart
ing Bisimulations Stavros Tripakis and Sergio Yovine February 5, 1999 Abstract The objective of this paper is to show how verification of densetime systems modeled as timed automata can be performed using classical (i.e. untimed) verification techniques. In that way, the existing rich infrastructure in algorithms and tools for the verification of untimed systems can be exploited. The paper completes the ideas introduced in [TY96]. Our approach consists in two steps. First, given a timed system A, we compute a finite graph G which captures the behavior of A modulo the fact that exact time delays are abstracted away. Then, we apply untimed verification techniques on G to prove properties on A. As propertyspecification languages, we use both the lineartime formalism of timed Buchi automata (TBA) and the branchingtime logic TCTL. Model checking A against properties specified as TBA or TCTL formulae comes down to applying, respectively, automataemptiness or CTL modelchecking algori...
Model checking timed automata
 In European Educational Forum: School on Embedded Systems
, 1998
"... Abstract. The theory of timed automata provides a formal framework to model and to verify the correct functioning of realtime systems. Among the di erent veri cation problems that have been investigated within this theory, the socalled reachability problem has been the most throughly studied. This ..."
Abstract

Cited by 57 (1 self)
 Add to MetaCart
Abstract. The theory of timed automata provides a formal framework to model and to verify the correct functioning of realtime systems. Among the di erent veri cation problems that have been investigated within this theory, the socalled reachability problem has been the most throughly studied. This problem is stated as follows. Given two statesof the system, is there an execution starting at one of them that reaches the other? The rst reason for studying such problem is that safety properties can expressed as the nonreachability of a set of states where the system is consider to show anincorrect or unsafe functioning. Second, the algorithms developed for analyzing other classes of properties are essentially based on the algorithms developed for solving the reachability question. In this paper we survey the di erent algorithms, datastructures and tools that have been proposed in the literature to solve this problem. 1
ComputerAided Synthesis And Verification Of GateLevel Timed Circuits
, 1995
"... In recent years, there has been a resurgence of interest in the design of asynchronous circuits due to their ability to eliminate clock skew problems, achieve average case performance, adapt to processing and environmental variations, provide component modularity, and lower system power requirement ..."
Abstract

Cited by 47 (21 self)
 Add to MetaCart
In recent years, there has been a resurgence of interest in the design of asynchronous circuits due to their ability to eliminate clock skew problems, achieve average case performance, adapt to processing and environmental variations, provide component modularity, and lower system power requirements. Traditional academic asynchronous designs methods use unbounded delay assumptions, resulting in circuits that are verifiable, but ignore timing for simplicity, leading to unnecessarily conservative designs. In industry, however, timing is critical to reduce both chip area and circuit delay. Due to a lack of formal methods that handle timing information correctly, circuits with timing constraints usually require extensive simulation to gain confidence in the design. This thesis bridges this gap by introducing timed circuits in which explicit timing information is incorporated into the specification and utilized throughout the design procedure to optimize the implementation. Our timed circu...
Are Timed Automata Updatable?
, 2000
"... In classical timed automata, as de ned by Alur and Dill [AD90, AD94] and widely since studied, the only operation allowed to modify the clocks is the reset operation. For instance, a clock can neither be set to a nonnull constant value, nor be set to the value of another clock, nor, in a nondeterm ..."
Abstract

Cited by 42 (13 self)
 Add to MetaCart
In classical timed automata, as de ned by Alur and Dill [AD90, AD94] and widely since studied, the only operation allowed to modify the clocks is the reset operation. For instance, a clock can neither be set to a nonnull constant value, nor be set to the value of another clock, nor, in a nondeterministic way, to some value lower or higher than a given constant. In this paper we study in details such updates which can be very useful for modelization purposes. We characterise in a thin way the frontier between decidable and undecidable. Our main contributions are the following:  We exhibit many classes of updates for which emptiness is undecidable. A surprising result is that these classes depend on the clock constraints that are used diagonalfree or not whereas it is well known that these two kinds of constraints are equivalent for classical timed automata.  We propose a generalization of the region automaton proposed by Alur and Dill to handle with larger classes of updates. ...
Forward Analysis of Updatable Timed Automata
, 2004
"... Timed automata are a widely studied model. Its decidability has been proved using the socalled region automaton construction. This construction provides a correct abstraction for the behaviours of timed automata, but it suffers from a state explosion and is thus not used in practice. Instead, algor ..."
Abstract

Cited by 35 (6 self)
 Add to MetaCart
Timed automata are a widely studied model. Its decidability has been proved using the socalled region automaton construction. This construction provides a correct abstraction for the behaviours of timed automata, but it suffers from a state explosion and is thus not used in practice. Instead, algorithms based on the notion of zones are implemented using adapted data structures like DBMs. When we focus on forward analysis algorithms, the exact computation of all the successors of the initial configurations does not always terminate. Thus, some abstractions are often used to ensure termination, among which, a widening operator on zones. In this paper, we study in detail this widening operator and the corresponding forward analysis algorithm. This algorithm is most used and implemented in tools like KRONOS and UPPAAL. One of our main results is that it is hopeless to find a forward analysis algorithm for general timed automata, that uses such a widening operator, and which is correct. This goes really against what one could think. We then study in detail this algorithm in the more general framework of updatable timed automata, a model which has been introduced as a natural syntactic extension of classical timed automata. We describe subclasses of this model for which a correct widening operator can be found.
Expressiveness of updatable timed automata
 Theoretical Computer Science
, 2000
"... Abstract. We investigate extensions of Alur and Dill’s timed automata, based on the possibility to update the clocks in a more elaborate way than simply reset them to zero. We call these automata updatable timed automata. They form an undecidable class of models, in the sense that emptiness checking ..."
Abstract

Cited by 30 (11 self)
 Add to MetaCart
Abstract. We investigate extensions of Alur and Dill’s timed automata, based on the possibility to update the clocks in a more elaborate way than simply reset them to zero. We call these automata updatable timed automata. They form an undecidable class of models, in the sense that emptiness checking is not decidable. However, using an extension of the region graph construction, we exhibit interesting decidable subclasses. In a surprising way, decidability depends on the nature of the clock constraints which are used, diagonalfree or not, whereas these constraints play identical roles in timed automata. We thus describe in a quite precise way the thin frontier between decidable and undecidable classes of updatable timed automata. We also study the expressive power of updatable timed automata. It turns out that any updatable automaton belonging to some decidable subclass can be effectively transformed into an equivalent timed automaton without updates but with silent transitions. The transformation suffers from an enormous combinatorics blowup which seems unavoidable. Therefore, updatable timed automata appear to be a concise model for representing and analyzing large classes of timed systems. 1
Analysis of Timed Systems Based on TimeAbstracting Bisimulations
 Formal Methods in System Design
, 1996
"... . We adapt a generic minimal model generation algorithm to compute the coarsest finite model of the underlying infinite transition system of a timed automaton. This model is minimal modulo a timeabstracting bisimulation. Our algorithm uses a refinement method that avoids set complementation, and is ..."
Abstract

Cited by 25 (5 self)
 Add to MetaCart
. We adapt a generic minimal model generation algorithm to compute the coarsest finite model of the underlying infinite transition system of a timed automaton. This model is minimal modulo a timeabstracting bisimulation. Our algorithm uses a refinement method that avoids set complementation, and is considerably more efficient than previous ones. We use the constructed minimal model for verification purposes by defining abstraction criteria that allow to further reduce the model and to compare it to a specification. 1 Introduction Behavioral equivalences based on bisimulation relations have proven useful for verifying the correctness of concurrent systems. They allow comparing an implementation to a usually more abstract specification both represented as labeled transition systems. This approach also allows reducing the size of the system by identifying equivalent states which is crucial to avoid the explosion of the statespace. Since the introduction of strong bisimulation in [Mil80]...