We consider the language inclusion problem for timed automata: given two timed automata A and B, are all the timed traces accepted by B also accepted by A? While this problem is known to be undecidable, we show here that it becomes decidable if A is restricted to having at most one clock. This is somewhat surprising, since it is well-known that there exist timed automata with a single clock that cannot be complemented. The crux of our proof consists in reducing the language inclusion problem to a reachability question on an infinite graph; we then construct a suitable well-quasi-order on the nodes of this graph, which ensures the termination of our search algorithm. We also show that the language inclusion problem is decidable if the only constant appearing among the clock constraints of A is zero. Moreover, these two cases are essentially the only decidable instances of language inclusion, in terms of restricting the various resources of timed automata. 1.

We discuss the modeling and verification of real-time systems using the SAL model checker. A new modeling framework based on event calendars enables dense timed systems to be described without relying on continuously varying clocks. We present verification techniques that rely on induction and abstraction, and show how these techniques are e#ciently supported by the SAL symbolic model-checking tools. The modeling and verification method is applied to the fault-tolerant real-time startup protocol used in the Timed Triggered Architecture.

We introduce the distributed gradient clock synchronization problem. As in traditional distributed clock synchronization, we consider a network of nodes equipped with hardware clocks with bounded drift. Nodes compute logical clock values based on their hardware clocks and message exchanges, and the goal is to synchronize the nodes ’ logical clocks as closely as possible, while satisfying certain validity conditions. The new feature of gradient clock synchronization (GCS for short) is to require that the skew between any two nodes ’ logical clocks be bounded by a nondecreasing function of the uncertainty in message delay (call this the distance) between the two nodes. That is, we require nearby nodes to be closely synchronized, and allow faraway nodes to be more loosely synchronized. We contrast GCS with traditional clock synchronization, and discuss several practical motivations for GCS, mostly arising in sensor and ad hoc networks. Our main result is that the worst case clock skew between two nodes at distance d from each other is log D log log D), where D is the diameter1 of the network. Ω(d + This means that clock synchronization is not a local property, in the sense that the clock skew between two nodes depends not only on the distance between the nodes, but also on the size of the network. Our lower bound implies, for example, that the TDMA protocol with a fixed slot granularity will fail as the network grows, even if the maximum degree of each node stays constant. Categories and Subject Descriptors: F.2.0 [Theory of Computation]: analysis of algorithms and problem complexity— general

Abstract. Time synchronization is a fundamental service in many wireless applications. While the synchronization problem is well-studied in traditional wired networks, physical constraints of the wireless medium impose a unique set of challenges. We present a novel time synchronization algorithm which is highly energy efficient and failure/recoverytolerant. Our algorithm allows nodes to synchronize to sources of real time such as GPS when such signals are available, but continues to synchronize nodes to each other, even in the absence of GPS. In addition, the algorithm satisfies a relaxed gradient property, in which the degree of synchronization between nodes varies as a linear function of their distance. Thus, nearby nodes are highly synchronized, which is desirable in many wireless applications. 1

TIOA is a simple formal language for modeling distributed systems with timing as collections of interacting state machines, called timed input/output automata. The TIOA Toolkit supports a range of validation methods, including simulation and machine-checked proofs. This user guide and reference manual includes a tutorial on the use of timed input/output automata and the TIOA language to model timed systems. It also includes a complete definition of the TIOA language.

Abstract not found

Abstract not found

Abstract. Atomicity (or linearizability) is a commonly used consistency criterion for distributed services and objects. Although atomic object implementations are abundant, proving that algorithms achieve atomicity has turned out to be a challenging problem. In this paper, we initiate the study of systematic ways of verifying distributed implementations of atomic objects, beginning with read/write objects (registers). Our general approach is to replace the existing operational reasoning about events and partial orders with assertional reasoning about invariants and simulation relations. To this end, we define an abstract state machine that captures the atomicity property and prove correctness of the object implementations by establishing a simulation mapping between the implementation and the specification automata. We demonstrate the generality of our specification by showing that it is implemented by three different read/write register constructions: the message-passing register emulation of Attiya, Bar-Noy and Dolev, its optimized version based on real time, and the shared memory register construction of Vitanyi and Awerbuch. In addition, we show that a simplified version of our specification is implemented by a general atomic object construction based on the Lamport’s replicated state machine algorithm. 1

Abstract—In recent years, crisis response has become cyberphysical in nature because of the increased use of computing technologies by the responders. As such, crisis preparedness requires objective evaluation of crisis response in addition to the traditional drills. This paper develops a generic Crisis Response Evaluation Tool (CRET) for off-line objective crisis response evaluation to improve preparedness. The evaluation is performed through model-based engineering, which allows specification and automated analysis of crisis response behavior. An established state-based stochastic model is used to describe the behavior of crisis response processes. The effectiveness of a planned action is measured in terms of the action’s qualifiedness (also called the Q-value)—which depends on the probability of any additional crises and the conformance to a temporal window-of-opportunity Architecture Description Language (AADL) to specify the stochastic crisis response behavior model. Using this specification, CRET objectively analyzes the planned actions ’ Q-values under different circumstances; thus enabling an objective evaluation for crisis preparedness.

A key challenge in the design and analysis of real-time systems is the integration of functional and non-functional properties into a single specification. In this paper, we present an integrated toolset based on the TASM language. The toolset is used to specify and analyze reactive embedded real-time systems. The toolset implements the features of the Timed Abstract State Machine (TASM) language, a novel specification language. The non-functional properties that can be expressed in the language include timing behavior and resource consumption. The toolset enables the creation of executable specifications with well-defined execution semantics, abstraction mechanisms, and composition semantics. The toolset includes facilities for editing, analyzing, and simulating TASM specifications. The features of the toolset are demonstrated using an Electronic Throttle Controller (ETC) from a major automotive vendor. The TASM toolset is used to analyze the mode switching logic of the ETC. The ETC is used to calculate fuel injection and air intake to optimize fuel consumption. The TASM toolset is used to analyze the resource consumption resulting from the mode switching logic, and to verify the completeness and consistency of the specification. 1