Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus, unsuitable for analysis of real-time systems whose correctness depends on relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of real-time systems. Its definition provides a simple way to annotate state-transition graphs with timing constraints using finitely many real-valued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata, and their role in specification and verification of real-time systems.

Software designers draw Message Sequence Charts for early modeling of the individual behaviors they expect from the concurrent system under design. Can they be sure that precisely the behaviors they have described are realizable by some implementation of the components of the concurrent system? If so, can we automatically synthesize concurrent state machines realizing the given MSCs? If, on the other hand, other unspecified and possibly unwanted scenarios are # A preliminary version of this paper appears in Proceedings of 22nd International Conference on Software Engineering, pages 304--313, 2000. A journal version will appear in IEEE Transactions in Software Engineering, but due to space limitations in the journal, this is the fuller version.

HyTech is a tool for the automated analysis of embedded systems. This document, designed for the rst-time user of HyTech, guides the reader through the underlying system model, and through the input language for describing and analyzing systems. The guide gives installation instructions, several examples of usage, some hints for gaining maximal computational e ciency from the tool, and the complete grammar for the input language. This guide describes version 1.04 of HyTech. The latest update occurred in October 1996 1. HyTech is available through the World-Wide Web at

This paper addresses the design of reactive real-time embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the specification, validation, and synthesis problems. We review the variety of approaches to these problems that have been taken.

We introduce event-recording automata. An event-recording automaton is a timed automaton that contains, for every event a, a clock that records the time of the last occurrence of a. The class of event-recording automata is, on one hand, expressive enough to model (finite) timed transition systems and, on the other hand, determinizable and closed under all boolean operations. As a result, the language inclusion problem is decidable for event-recording automata. We present a translation from timed transition systems to event-recording automata, which leads to an algorithm for checking if two timed transition systems have the same set of timed behaviors. We also consider event-predicting automata, which contain clocks that predict the time of the next occurrence of an event. The class of event-clock automata, which contain both event-recording and event-predicting clocks, is a suitable specification language for real-time properties. We provide an algorithm for checking if a timed automa...

In this paper we discuss the practical difficulty of analyzing the behavior of timed automata and report some results obtained using an experimental bdd-based extension of kronos. We have treated examples originating from timing analysis of asynchronous boolean networks and CMOS circuits with delay uncertainties and the results outperform those obtained by previous implementations of timed automata verification tools.

. We describe how to model and verify real-time systems using the formal verification tool Cospan. The verifier supports automatatheoretic verification of coordinating processes with timing constraints. We discuss different heuristics, and our experiences with the tool for certain benchmark problems appearing in the verification literature. 1 Introduction Model checking is a method of automatically verifying concurrent systems in which a finite-state model of a system is compared with a correctness requirement. This method has been shown to be very effective in detecting errors in high-level designs, and has been implemented in various tools. We consider the tool Cospan that is based on the theory of !-automata (!-automata are finite automata accepting infinite sequences, see [Tho90] for a survey, and [VW86, Kur94] for applications to verification). The system to be verified is modeled as a collection of coordinating processes described in the language S/R [Kur94]. The semantics of su...

Concurrent real-time software is increasingly used in safety-critical embedded systems. Assuring the quality of such software requires the rigor of formal methods. In order to analyze a program formally, we must first construct a mathematical model of its behavior. In this paper, we consider the problem of constructing such models for concurrent real-time software. In particular, we provide a method for building mathematical models of real-time Ada tasking programs that are accurate enough to verify interesting timing properties, and yet abstract enough to yield a tractable analysis on nontrivial programs. Our approach differs from schedulability analysis in that we do not assume that the software has a highly restricted structure (e.g., a set of periodic tasks). Also, unlike most abstract models of real-time systems, we account for essential properties of real implementations, such as resource constraints and run-time overhead. Keywords--- timing analysis, real-time systems, program ...

We present an algorithm called Tar ("Thread-modular Abstraction Refinement") for model checking safety properties of concurrent software. The Tar algorithm uses thread-modular assume-guarantee reasoning to overcome the exponential complexity in the control state of multithreaded programs. Thread modularity means that Tar explores the state space of one thread at a time, making assumptions about how the environment can interfere. The Tar algorithm uses counterexampleguided predicate-abstraction refinement to overcome the usually infinite complexity in the data state of C programs. A successive approximation scheme automatically infers the necessary precision on data variables as well as suitable environment assumptions. The scheme is novel in that transition relations are approximated from above, while at the same time environment assumptions are approximated from below. In our software verification tool Blast we have implemented a fully automatic race checker for multithreaded C programs which is based on the Tar algorithm. This tool has verified a wide variety of commonly used locking idioms, including locking schemes that are not amenable to existing dynamic and static race checkers such as Eraser or Warlock.

Predicate abstraction has emerged to be a powerful technique for extracting finite-state models from infinite-state systems, and has been recently shown to enhance the effectiveness of the reachability computation techniques for hybrid systems. Given a hybrid system with linear dynamics and a set of linear predicates, the verifier performs an on-the-fly search of the finite discrete quotient whose states correspond to the truth assignments to the input predicates. The success of this approach crucially depends on the choice of the predicates used for abstraction. In this paper, we focus on identifying these predicates automatically by analyzing spurious counter-examples generated by the search in the abstract state-space. We present the basic techniques for discovering new predicates that will rule out closely related spurious counter-examples, optimizations of these techniques, implementation of these in the verification tool, and case studies demonstrating the promise of the approach.