Results 1 - 8 of 8
Linear Parametric Model Checking of Timed Automata
2002
Cited by 46 (3 self)
We present an extension of the model checker Uppaal, capable of synthesizing linear parameter constraints for the correctness of parametric timed automata. A symbolic representation of the (parametric) state space in terms of parametric difference bound matrices is shown to be correct. A second contribution of this paper is the identification of a subclass of parametric timed automata (L/U automata), for which the emptiness problem is decidable, contrary to the full class where it is known to be undecidable. Also, we present a number of results that reduce the verification effort for L/U automata in certain cases. We illustrate our approach by deriving linear parameter constraints for a number of well-known case studies from the literature (exhibiting a flaw in a published paper).
Probabilistic Model Checking of Deadline Properties in the IEEE1394 FireWire Root Contention Protocol
Special Issue of Formal Aspects of Computing
Cited by 28 (20 self)
The increasing dependence of businesses on distributed architectures and computer networking places heavy demands on the speed and reliability of data exchange, leading to the emergence of sophisticated protocols which involve both real-time and randomization, for example FireWire IEEE1394. Automatic verification techniques such as model checking have been adapted to this class of probabilistic, timed systems [1, 9, 3, 14]. This abstract considers an application of such techniques to the IEEE1394 (FireWire) root contention protocol, in which the interplay between timed and probabilistic aspects is used to break the symmetry which may arise during the leader election process. Here, the properties of interest concern the election of a leader within a certain deadline, with a certain probability or greater. Our specification formalism is that of probabilistic timed automata [14], a variant of timed automa...
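The deadline property in this abstract (a leader is elected within a given time with at least a given probability) can be estimated, though never proved, by simulating contention rounds. The following is an added example written for this listing; it is not the paper's probabilistic timed automata model and not its verification. The round structure (fair coin, random wait, sample the port, the later node becomes root if the earlier node's parent-notify has arrived) and the timing constants are a constructed simplification with illustrative values in units of 10 ns; they are not the IEEE 1394 figures.

```python
"""Monte Carlo estimate of a deadline property for two-node root contention,
in the style of the IEEE 1394 root contention protocol.

Added example, not the probabilistic timed automata model of the paper.
Simulation estimates P(leader elected within deadline); it cannot prove a
lower bound on it, which is what the model checker does. Timing values are
constructed (units of 10 ns) and are NOT the IEEE 1394 constants.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Timing:
    fast_min: float
    fast_max: float
    slow_min: float
    slow_max: float
    delay_max: float          # worst-case one-way wire delay


# Constructed timing. slow_min - fast_max > delay_max, so a round in which the
# two nodes pick different coins always resolves.
GOOD = Timing(fast_min=76, fast_max=85, slow_min=159, slow_max=167, delay_max=36)
# Same coins, but a wire so slow that a 'slow' node can sample its port before
# the 'fast' node's parent-notify has arrived; different coins no longer suffice.
BAD = Timing(fast_min=76, fast_max=85, slow_min=159, slow_max=167, delay_max=100)


def contention_round(rng, timing):
    """One round after both nodes have detected root contention.

    Each node flips a fair coin, waits the matching random time, then samples
    its port. A node that sees the other's parent-notify becomes root; a node
    that sees an idle line re-sends parent-notify. Both re-sending means a new
    round. Returns (root index or None, elapsed time of the round).
    """
    waits = []
    for _ in range(2):
        if rng.random() < 0.5:
            waits.append(rng.uniform(timing.fast_min, timing.fast_max))
        else:
            waits.append(rng.uniform(timing.slow_min, timing.slow_max))
    delay = rng.uniform(0, timing.delay_max)          # same wire both ways
    first, second = sorted(range(2), key=waits.__getitem__)
    # The earlier node always sees idle and re-sends at waits[first]; the later
    # node sees that notify only if it has arrived by the time it samples.
    if waits[first] + delay <= waits[second]:
        return second, waits[second] + delay          # child-notify reaches `first`
    # Both re-sent: contention is detected again when the other's notify arrives.
    return None, waits[second] + delay


def elect(rng, timing, max_rounds=50):
    """Run rounds until a root is elected. Returns (root, rounds, total_time)."""
    total = 0.0
    for r in range(1, max_rounds + 1):
        root, elapsed = contention_round(rng, timing)
        total += elapsed
        if root is not None:
            return root, r, total
    return None, max_rounds, total


def p_resolved_first_round(timing, trials=20000, seed=1):
    """Estimate the probability that a single round elects a root."""
    rng = random.Random(seed)
    return sum(contention_round(rng, timing)[0] is not None for _ in range(trials)) / trials


def p_elected_within(timing, deadline, trials=20000, seed=1):
    """Estimate P(a root is elected with total time <= deadline)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        root, _, total = elect(rng, timing)
        if root is not None and total <= deadline:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, timing in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "P(resolved in round 1) ~", p_resolved_first_round(timing))
        print(name, "P(elected within 1000) ~", p_elected_within(timing, 1000))
```

With the constructed GOOD timing a round resolves with probability a little above 1/2 (different coins always resolve; equal coins resolve only when the wire delay happens to be shorter than the difference of the two waits), so the deadline probability grows roughly as 1 - 0.46^k in the number of rounds k that fit before the deadline. Widening the delay bound as in BAD lowers both numbers at once: rounds resolve less often and each round takes longer.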
Analysis of a Biphase Mark Protocol with Uppaal and PVS
Cited by 13 (1 self)
The biphase mark protocol is a convention for representing both a string of bits and clock edges in a square wave. The protocol is frequently used for communication at the physical level of the ISO/OSI hierarchy, and is implemented on microcontrollers such as the Intel 82530 Serial Communications Controller. An important property of the protocol is that bit strings of arbitrary length can be transmitted reliably, despite differences in the clock rates of sender and receiver (drift), variations of the clock rates (jitter), and distortion of the signal after generation of an edge. In this article, we show how the protocol can be modelled naturally in terms of timed automata. We use the model checker Uppaal to derive the maximal tolerances on the clock rates, for different instances of the protocol, and to support the general parametric verification that we formalized using the proof assistant PVS. Based on the derived parameter constraints we propose instances of BMP that are correct (at least in our model) but have a faster bit rate than the instances that are commonly implemented in hardware.
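To make the parameter constraints in this abstract concrete, the following is an added simulation of BMP under clock drift, written for this listing; it is not the Uppaal or PVS model from the paper. It describes a BMP instance by three quantities assumed here (cell length, length of the mark subcell, and the receiver's sampling distance after an edge), uses constructed values (16, 8, 12) that are not taken from the paper, idealises edge detection, and ignores distortion after an edge, so it is more permissive than the paper's analysis. A hand-derived sufficient constraint on the clock ratio is checked against a drift sweep, which also shows why a sweep can only refute a tolerance while a parametric model checker can establish one.

```python
"""Simulating the biphase mark protocol (BMP) under clock drift.

Added example, not the Uppaal/PVS model of the paper. Time is measured in
sender clock ticks (one tick = 1.0). The receiver's tick lasts `ratio` sender
ticks, so ratio != 1.0 is drift. Edge detection is idealised (an edge is seen
at the first receiver tick at or after it) and distortion after an edge is
not modelled. All parameter values below are constructed.
"""
from bisect import bisect_right
from fractions import Fraction

IDLE_LEVEL = 0


def bmp_encode(bits, cell, mark):
    """Encode `bits` as a list of (time, new_level) transitions.

    Every cell of `cell` ticks starts with a transition (the clock edge). A 1
    bit adds a second transition `mark` ticks into the cell; a 0 bit has none.
    """
    edges = []
    level = IDLE_LEVEL
    t = 0
    for b in bits:
        level ^= 1                              # cell boundary: always a transition
        edges.append((t, level))
        if b:                                   # end of the mark subcell: flip for a 1
            level ^= 1
            edges.append((t + mark, level))
        t += cell
    return edges


def bmp_decode(edges, n_bits, cell, sample, ratio, phase=0.0):
    """Receiver: scan for an edge, wait `sample` receiver ticks, sample, repeat.

    `phase` in [0, ratio) is the offset of the receiver's clock; the receiver
    starts one tick before time 0, while the line is still idle. Returns the
    recovered bits; lost synchronisation shows up as wrong or missing bits.
    """
    times = [e[0] for e in edges]
    levels = [e[1] for e in edges]

    def level(t):
        i = bisect_right(times, t)
        return IDLE_LEVEL if i == 0 else levels[i - 1]

    end = n_bits * cell
    t = phase - ratio
    prev = level(t)
    out = []
    while len(out) < n_bits and t < end + cell:
        t += ratio
        cur = level(t)
        if cur == prev:
            continue                            # still waiting for the clock edge
        # Edge seen. A sampled level that differs from the level just after the
        # edge means a mid-cell flip, i.e. a 1 bit.
        t += sample * ratio
        sampled = level(t)
        out.append(1 if sampled != cur else 0)
        prev = sampled
    return out


def drift_bounds(cell, mark, sample):
    """Hand-derived sufficient condition for correct decoding in this model.

    Detection latency is in [0, ratio), so the sample lands between sample*ratio
    and (sample+1)*ratio after the cell boundary. It must fall after the mark
    subcell and before the next boundary:
        mark < sample*ratio   and   (sample+1)*ratio <= cell,
    and ratio < mark, so one scanning tick cannot step over a whole mark subcell
    and hide the boundary edge. Returns (low, high); ratios strictly inside
    decode correctly for every phase.
    """
    return Fraction(mark, sample), min(Fraction(cell, sample + 1), Fraction(mark))


def simulated_tolerance(bits, cell, mark, sample, step=0.0025, phases=16):
    """Largest symmetric drift e (on a grid of `step`) for which both 1-e and
    1+e decode `bits` correctly at every tested receiver phase.

    A finite sweep can only refute a tolerance, so this is an upper estimate
    of the true tolerance, not a proof of it.
    """
    edges = bmp_encode(bits, cell, mark)
    n = len(bits)

    def ok(ratio):
        return all(bmp_decode(edges, n, cell, sample, ratio, k * ratio / phases) == bits
                   for k in range(phases))

    e = 0.0
    while ok(1 - e - step) and ok(1 + e + step):
        e += step
    return round(e, 6)


BITS = [1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1]     # constructed test frame

if __name__ == "__main__":
    low, high = drift_bounds(16, 8, 12)
    print("analytic ratio range:", float(low), float(high))
    print("simulated symmetric tolerance:", simulated_tolerance(BITS, 16, 8, 12))
    edges = bmp_encode(BITS, 16, 8)
    print("ratio 1.2 decodes:", bmp_decode(edges, len(BITS), 16, 12, 1.2) == BITS)
    print("ratio 1.3 decodes:", bmp_decode(edges, len(BITS), 16, 12, 1.3) == BITS)
```

For the constructed instance (cell 16, mark 8, sample 12) the derivation gives admissible ratios in (2/3, 16/13), so the binding side is a receiver running about 23% fast; the sweep stops at or slightly beyond that value because its phase grid does not necessarily hit the worst-case detection latency. That gap between "no counterexample found" and "no counterexample exists" is exactly what the parametric analysis in the paper removes.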
Fun with FireWire: a comparative study of formal verification methods applied to the IEEE 1394 Root Contention Protocol
Cited by 6 (0 self)
The IEEE 1394 Root Contention Protocol is an industrial leader election algorithm for two processes in which probability, real-time and parameters play an important role. This protocol has been analysed in various case studies, using a variety of verification and analysis methods. In this paper, we survey and compare several of these case studies.
Automatic parametric verification of a root contention protocol based on abstract state machines and first order timed logic
Springer-Verlag Heidelberg
Cited by 1 (0 self)
The paper presents a verification of the IEEE Root Contention Protocol as an illustration of a new and innovative approach for the verification of real-time distributed systems. Systems are modeled with basic Gurevich abstract state machines (ASMs), and requirements are expressed in a first order timed logic (FOTL). FOTL is undecidable, however the protocol we study is in a decidable class of practical interest. Advantages of this framework are twofold: on the one hand, a great expressive power which permits in particular an easy treatment of parameters, on the other hand the modeling task is simplified by an adequate choice of tools.
Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction
We present machine-assisted timing-parameter synthesis of the biphase mark protocol (BMP) [1] using event order abstraction (EOA) [2]. By using EOA, we separate the task of synthesizing parameter constraints that guarantee key safety properties of BMP into two parts: 1. Safety property verification of the protocol by a conventional untimed model-checker under the condition that “bad” event orders do not occur; and 2. Derivation of timing parameter constraints that are sufficient to exclude bad event orders in the protocol, using our tool METEORS. Though the user has to provide information about bad event orders, the rest of the synthesis process is automated. With the case study presented in this paper, we provide the community with two new pieces of information about BMP. First, the synthesis process using EOA produces, as a by-product, a list of all “bad scenarios” of BMP that would happen when parameters are tuned incorrectly. Second, the METEORS tool provides information about which parameter constraint in the finally derived conjunction of constraints is actually sufficient to exclude each of these bad scenarios.
An Inverse Method for Parametric . . .
2009
We consider in this paper systems modeled by timed automata. The timing bounds involved in the action guards and location invariants of our timed automata are not constants, but parameters. Those parametric timed automata allow the modelling of various kinds of timed systems, e.g. communication protocols or asynchronous circuits. We will also assume that we are given an initial tuple π0 of values for the parameters, which corresponds to values for which the system is known to behave properly. Our goal is to compute a constraint K0 on the parameters, satisfied by π0, guaranteeing that, under any parameter valuation satisfying K0, the system behaves in the same manner: for any two parameter valuations satisfying K0, the behaviors of the timed automata are (time-abstract) equivalent, i.e., the traces of execution viewed as alternating sequences of actions and locations are identical. We present an algorithm InverseMethod that terminates in the case of acyclic models, and discuss how to extend it in the cyclic case. We also explain how to combine our method with classical synthesis methods which are based on the avoidance of a given set of bad states. A prototype implementation has been done, and various experiments are described.

