Results 1-10 of 38
A theory of timed automata, 1999
Cited by 1975 (31 self)
Model checking is emerging as a practical tool for automated debugging of complex reactive systems such as embedded controllers and network protocols (see [23] for a survey). Traditional techniques for model checking do not admit an explicit modeling of time, and are thus unsuitable for analysis of real-time systems whose correctness depends on relative magnitudes of different delays. Consequently, timed automata [7] were introduced as a formal notation to model the behavior of real-time systems. Its definition provides a simple way to annotate state-transition graphs with timing constraints using finitely many real-valued clock variables. Automated analysis of timed automata relies on the construction of a finite quotient of the infinite space of clock valuations. Over the years, the formalism has been extensively studied, leading to many results establishing connections to circuits and logic, and much progress has been made in developing verification algorithms, heuristics, and tools. This paper provides a survey of the theory of timed automata, and their role in specification and verification of real-time systems.
Inference of Message Sequence Charts
Software Concepts and Tools, 2003
Cited by 181 (11 self)
Software designers draw Message Sequence Charts for early modeling of the individual behaviors they expect from the concurrent system under design. Can they be sure that precisely the behaviors they have described are realizable by some implementation of the components of the concurrent system? If so, can we automatically synthesize concurrent state machines realizing the given MSCs? If, on the other hand, other unspecified and possibly unwanted scenarios are
A preliminary version of this paper appears in Proceedings of the 22nd International Conference on Software Engineering, pages 304-313, 2000. A journal version will appear in IEEE Transactions on Software Engineering, but due to space limitations in the journal, this is the fuller version.
A user guide to HYTECH, 1995
Cited by 144 (3 self)
HyTech is a tool for the automated analysis of embedded systems. This document, designed for the first-time user of HyTech, guides the reader through the underlying system model, and through the input language for describing and analyzing systems. The guide gives installation instructions, several examples of usage, some hints for gaining maximal computational efficiency from the tool, and the complete grammar for the input language. This guide describes version 1.04 of HyTech. The latest update occurred in October 1996. HyTech is available through the World-Wide Web at
Design of Embedded Systems: Formal Models, Validation, and Synthesis
Proceedings of the IEEE, 1999
Cited by 106 (9 self)
This paper addresses the design of reactive real-time embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the specification, validation, and synthesis problems. We review the variety of approaches to these problems that have been taken.
Event-Clock Automata: A Determinizable Class of Timed Automata
Theoretical Computer Science, 1999
Cited by 91 (3 self)
We introduce event-recording automata. An event-recording automaton is a timed automaton that contains, for every event a, a clock that records the time of the last occurrence of a. The class of event-recording automata is, on one hand, expressive enough to model (finite) timed transition systems and, on the other hand, determinizable and closed under all Boolean operations. As a result, the language inclusion problem is decidable for event-recording automata. We present a translation from timed transition systems to event-recording automata, which leads to an algorithm for checking if two timed transition systems have the same set of timed behaviors. We also consider event-predicting automata, which contain clocks that predict the time of the next occurrence of an event. The class of event-clock automata, which contain both event-recording and event-predicting clocks, is a suitable specification language for real-time properties. We provide an algorithm for checking if a timed automa...
Some progress in the symbolic verification of timed automata
In Proc. of the 8th Conference on Computer-Aided Verification, 1997
Cited by 49 (4 self)
In this paper we discuss the practical difficulty of analyzing the behavior of timed automata and report some results obtained using an experimental BDD-based extension of Kronos. We have treated examples originating from timing analysis of asynchronous Boolean networks and CMOS circuits with delay uncertainties, and the results outperform those obtained by previous implementations of timed automata verification tools.
Timing Analysis in COSPAN
In Hybrid Systems III, 1996
Cited by 41 (7 self)
We describe how to model and verify real-time systems using the formal verification tool Cospan. The verifier supports automata-theoretic verification of coordinating processes with timing constraints. We discuss different heuristics, and our experiences with the tool for certain benchmark problems appearing in the verification literature.
1 Introduction
Model checking is a method of automatically verifying concurrent systems in which a finite-state model of a system is compared with a correctness requirement. This method has been shown to be very effective in detecting errors in high-level designs, and has been implemented in various tools. We consider the tool Cospan that is based on the theory of ω-automata (ω-automata are finite automata accepting infinite sequences; see [Tho90] for a survey, and [VW86, Kur94] for applications to verification). The system to be verified is modeled as a collection of coordinating processes described in the language S/R [Kur94]. The semantics of su...
Thread-modular Abstraction Refinement
In: CAV, 2003
Cited by 41 (4 self)
We present an algorithm called Tar ("Thread-modular Abstraction Refinement") for model checking safety properties of concurrent software. The Tar algorithm uses thread-modular assume-guarantee reasoning to overcome the exponential complexity in the control state of multithreaded programs. Thread modularity means that Tar explores the state space of one thread at a time, making assumptions about how the environment can interfere. The Tar algorithm uses counterexample-guided predicate-abstraction refinement to overcome the usually infinite complexity in the data state of C programs. A successive approximation scheme automatically infers the necessary precision on data variables as well as suitable environment assumptions. The scheme is novel in that transition relations are approximated from above, while at the same time environment assumptions are approximated from below. In our software verification tool Blast we have implemented a fully automatic race checker for multithreaded C programs which is based on the Tar algorithm. This tool has verified a wide variety of commonly used locking idioms, including locking schemes that are not amenable to existing dynamic and static race checkers such as Eraser or Warlock.
Timing Analysis of Ada Tasking Programs
IEEE Transactions on Software Engineering, 1996
Cited by 36 (4 self)
Concurrent real-time software is increasingly used in safety-critical embedded systems. Assuring the quality of such software requires the rigor of formal methods. In order to analyze a program formally, we must first construct a mathematical model of its behavior. In this paper, we consider the problem of constructing such models for concurrent real-time software. In particular, we provide a method for building mathematical models of real-time Ada tasking programs that are accurate enough to verify interesting timing properties, and yet abstract enough to yield a tractable analysis on nontrivial programs. Our approach differs from schedulability analysis in that we do not assume that the software has a highly restricted structure (e.g., a set of periodic tasks). Also, unlike most abstract models of real-time systems, we account for essential properties of real implementations, such as resource constraints and run-time overhead.
Keywords: timing analysis, real-time systems, program ...
The software model checker BLAST: Applications to software engineering
International Journal on Software Tools for Technology Transfer, 2006
Cited by 34 (5 self)
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use BLAST to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs.