## L'analyse Formelle Des Systemes Temporises En Pratique (1998)

### BibTeX

```bibtex
@MISC{De98l'analyseformelle,
  author = {Docteur De and L'universite Joseph Fourier and En Informatique and Patrick Cousot Examinateur and Joseph Sifakis and Directeur De These and Jacques Voiron President and Samuel Beckett Watt and Stavros Tripakis and Stavros Tripakis},
  title = {L'analyse Formelle Des Systemes Temporises En Pratique},
  year = {1998}
}
```

### Abstract

In this thesis we propose a complete formal framework for the analysis of timed systems, with the emphasis on the practicality of the approach. We describe timed systems in the formal model of timed automata: finite-discrete-state automata equipped with clocks in a dense-time domain. Properties of such systems are expressed in the linear-time formalism of timed Büchi automata (timed automata with acceptance conditions), or in one of the branching-time logics CTL, TCTL or ETCTL. These formalisms cover a large spectrum of properties on the order of events and the timing constraints on the delays between events. We also examine other interesting properties such as deadlock and timelock freedom or reachability. We consider two types of analysis. Verification: given a system and a property, check whether the system satisfies the property. Controller synthesis: given a system and a property, find a restriction of the system which satisfies the property. These problems have been proven decidable in previous works, however with a high (exponential) complexity, basically due to the fact that the state space is extremely large (state explosion) and has to be entirely generated and explored. To respond to the challenge of making the approach tractable, we propose methods which are efficient in practice, despite the high worst-case theoretical complexity. Our approach is based on two key elements. First, on abstractions which reduce the concrete state space to a much smaller abstract state space, while preserving all properties of interest. Second, on efficient techniques to compute and explore the abstract state space. We define two sets of abstractions and study the properties they preserve. Time-abstracting bisimulations are equivalences which hide the quantitative aspect of time: we know that some time passes, but not how much. The stronger of these bisimulations preserves all properties of interest.
Time-abstracting simulations are abstractions derived by a forward reachability analysis on the system. These abstractions preserve only linear properties. The analysis methods differ depending on the underlying abstraction(s) used. In the case of bisimulations, the approach consists of two steps: first, generate the time-abstracting quotient of the state space, then apply classical (untimed) analysis techniques to the quotient to prove properties of the concrete system. In the case of simulations, the generation of the abstract state space and the analysis are performed at the same time. This technique is called on-the-fly and can often provide fast answers without having to generate the entire (abstract) state space. We develop on-the-fly verification techniques for TBA and ETCTL.

### Citations

3054 | Graph-Based Algorithms for Boolean Function Manipulation - Bryant - 1986 |

2388 | Maintaining Knowledge about Temporal Intervals - Allen - 1983 |
Citation Context: ...[Figure 12.37: The restricted CTA for the greeting card example.] Madeus is inspired from the logic of intervals [All83], with the addition of interruption and waiting operators. The specification of multimedia documents has been previously considered in [SDdSS94], using a complicated model of time Petri nets with many diffe...

642 | Model checking and abstraction - Clarke, Grumberg, et al. - 1994 |

632 | The algorithmic analysis of hybrid systems - Alur, Courcoubetis, et al. |

609 | Symbolic model checking: 10^20 states and beyond - Burch, Clarke, et al. - 1992 |

425 | Automata for modeling real-time systems - Alur, Dill - 1990 |
Citation Context: ...that the composite system satisfies the same condition, which implies the one of lemma 3.6. Relation to the literature: TA were first introduced in [Dil89, Lew90, AD90]. Our TA model differs from the one of [AD90] in that it uses invariants and permits a bounded number of discrete transitions to happen in zero time. Our model is also different from the one of [HNSY94] in that it requires an infinite number of di...

380 | The synchronous approach to reactive and real-time systems - Berry, Benveniste - 1991 |
Citation Context: ...heduling. Other approaches: Many other formal approaches have been used for the analysis of timed systems, differing in both the models and the analysis techniques. Synchronous languages such as Esterel [BB91b] and Lustre [CPHP87] are particularly suited for systems such as synchronous circuits, which are deterministic and work according to a global clock. An extensive bibliography exists on time Petri nets...

258 | LUSTRE: A declarative language for programming synchronous systems - Caspi, Pilaud, et al. - 1987 |
Citation Context: ...roaches: Many other formal approaches have been used for the analysis of timed systems, differing in both the models and the analysis techniques. Synchronous languages such as Esterel [BB91b] and Lustre [CPHP87] are particularly suited for systems such as synchronous circuits, which are deterministic and work according to a global clock. An extensive bibliography exists on time Petri nets (for instance, [Ram...

252 | Abstract interpretation of reactive systems - Dams, Gerth, et al. - 1997 |

210 | An old-fashioned recipe for real time - Abadi, Lamport - 1994 |
Citation Context: ...ges) of the basic formal model. The details can be found in appendix A. 12.1 Fischer's Mutual-Exclusion Protocol: This is a well-known example in the literature of real-time verification, introduced in [AL91]. The protocol is a good benchmark for testing the capacity of tools, since it is parameterized by the number of processes involved and can be easily expanded to generate models of very large size. It...

207 | Process Algebra - Baeten, Weijland - 1991 |

190 | Logics and Models of Real Time: A Survey - Alur, Henzinger - 1992 |
Citation Context: ...ere discrete transitions are taken infinitely often (i.e. runs). ETCTL∃ is introduced in [BLY96]. A large number of other timed logics exist in the literature. For a survey, the reader is referred to [AH92]. Regarding the debate between linear and branching time [Lam80, Lam83, EL85, EH86], it seems to be slightly out-of-date, although there is still no consensus as to which view is better. For the reaso...

142 | On a decision method in restricted second-order arithmetics - Büchi - 1962 |
Citation Context: ...h is strictly more expressive than both TBA and TCTL. 4.1 A linear-time formalism: Timed Büchi Automata. Timed Büchi automata have been introduced in [Alu91] as a real-time extension of Büchi automata [Buc62]. Syntax and semantics. A timed Büchi automaton (TBA) is a tuple $B = (A, F)$, where $A = (X, Q, q_0, E, \mathit{invar})$ is a TA and $F \subseteq Q$ is a set of repeating discrete states. The notions of states, transitions and runs of...

121 | Kronos: A model-checking tool for real-time systems - Bozga, Daws, et al. - 1998 |

86 | Model checking in dense real time - Alur, Courcoubetis, et al. - 1993 |
Citation Context: ..."projected" in two runs and 0 such that satisfies 0. Then: Lemma 4.2: A satisfies B iff the language of AB is non-empty. 4.2 The branching-time logic TCTL. Timed Computation Tree Logic has been introduced in [ACD93] as a real-time extension of the branching-time logic CTL [EC81]. Syntax and semantics. Let I denote the set of all intervals of $\mathbb{R}$ of the form $[c, c']$, $[c, c')$, $(c, c']$, $(c, c')$, $(c, \infty)$ and $[c, \infty)$...

79 | Minimization of Timed Transition Systems - Alur, Courcoubetis, et al. - 1992 |

74 | Asynchronous Circuits - Brzozowski, Seger - 1995 |

67 | Modeling urgency in timed systems - Bornot, Sifakis, et al. - 1998 |
Citation Context: ...for modeling multimedia documents. In particular: To capture the hierarchical nature and parallel execution of documents in a convenient way, we have modeled them as Petri nets with deadlines (PND) [BST98]. PND serve only as an intermediate description language, since they can be directly translated to TA. The details of the translation can be found in appendix A.3. In this section, PND are only presen...

58 | An implementation of three algorithms for timing verification based on automata emptiness - Alur, Courcoubetis, et al. - 1992 |

57 | A reservation principle with applications to the ATM traffic control - Boyer, Tranchier - 1992 |

55 | The SHIFT programming language and run-time system for dynamic networks of hybrid automata - Deshpande, Gollu, et al. - 1996 |
Citation Context: ...vel timed languages are currently used as a front-end to TA which are then used for the analysis. For example, Kronos has been interfaced to Aorta [BHKR95], Grafcet [MLP96], ET-Lotos [Her98] and Shift [AGS96]. In order to achieve better usability for domain-specific applications, restrictions of the model and optimization of the algorithms can be envisaged. In this direction, kronos-open may be a useful st...

54 | Partial order reductions for timed systems - Bengtsson, Jonsson, et al. - 1998 |

54 | Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints - Cousot, Cousot - 1977 |
Citation Context: ...also hold for TCTL, modulo the construction described in section 6.2.2. Relation to the literature: The abstract interpretation framework for program analysis using abstractions has been introduced in [CC77], and has been used extensively for model checking in the untimed context (see, for instance, [CGL94, LGS+95, DGG97]). This framework is quite powerful, however, when used for model-checking of infin...

42 | Timing Analysis in COSPAN - Alur, Kurshan - 1995 |

41 | On discretization of delays in timed automata and digital circuits - Asarin, Maler, et al. - 1998 |
Citation Context: ...ge Stari. Using the detailed model they could not verify more than 3 stages. The same model as the one presented here, but interpreted in discrete time, is treated in [BMS99]. Based on the results of [AMP98] the discrete-time model is shown to be a conservative approximation of the dense-time one and a discrete-time version of Kronos based on BDDs is used to verify the circuit for up to 18 stages. This l...

38 | Approximate reachability analysis of timed automata - Balarin - 1996 |

37 | Verifying networks of timed processes - Abdulla, Jonsson - 1998 |
Citation Context: ...ive and is being continually enriched by new results. Recent works study how partial-order reduction techniques [Val90, GW91, Pel94] can be applied to the verification of timed systems [BJLY98, BM98]. [AJ98] exploit the symmetry of systems of a particular type, to verify them for a parameterized number of processes. Research is also being conducted for new representation techniques for dense state spaces...

28 | Integrating real time into Spin: A prototype implementation - Bošnački, Dams - 1998 |
Citation Context: ...d, since it admits powerful untimed verification techniques such as efficient symbolic representation [ABK+97, BMPY97] using binary decision diagrams (BDDs) [Bry86, CBM89, BCD+90], or partial orders [BD98]. This conception is true but only to some extent. First, the discrete-state techniques are not always given for free: discretizing the dense-time model or directly modeling in discrete time can resul...

28 | Minimal state graph generation - Bouajjani, Fernandez, et al. - 1992 |

16 | Model checking for extended timed temporal logics - Bouajjani, Lakhnech, et al. - 1996 |
Citation Context: ...y, CTL, the untimed subclass of TCTL containing all formulae with trivial subscript interval $[0, \infty)$. 4.3 A mixture of branching and linear time: the logic ETCTL∃. The logic ETCTL∃ (extended TCTL∃) [BLY96] is a real-time version of the automata-based logic ECTL introduced in [HT87]. ETCTL∃ is more expressive than both TCTL and TBA (see next section). Intuitively, ETCTL∃ can be seen as an extension of...

15 | On-the-fly symbolic model checking for real-time systems - Bouajjani, Tripakis, et al. - 1997 |
Citation Context: ...to reachability. To our knowledge, simulation graphs have not been previously used for deadlock or timelock detection, nor for checking emptiness. ETCTL∃ model checking has been first presented in [BTY97], along with experimental results on the FDDI protocol [Jai94] comparing the fix-point TCTL model-checking algorithm of Kronos with the on-the-fly algorithm. The formula verified was of the form ∀◇p ("ine...

14 | Modeling and verification of time dependent systems using time Petri nets - Berthomieu, Diaz - 1991 |

13 | Relating time progress and deadlines in hybrid systems - Bornot, Sifakis - 1997 |

11 | Timing assumptions and verification of finite-state concurrent systems - Dill - 1989 |
Citation Context: ...) (resp. (c', )) is defined to be the bound (c, ) (resp. (c', )). Let round() denote the rounding operator on bounds. DBMs and representation of convex polyhedra: A difference bound matrix (DBM) [Dil89] of dimension $n$ is an $(n+1) \times (n+1)$ square matrix $M$, the elements of which are bounds. For $0 \le i, j \le n$, we write $M(i, j)$ for the element of $M$ in row $i$ and column $j$. The idea behind the representation of a convex p...

10 | Memory-efficient algorithms for the verification of temporal properties - Courcoubetis, Vardi, et al. - 1992 |
Citation Context: ...s for elementary accepting cycles, depending on whether the acceptance conditions are trivial or not. In the first case, a simple DFS suffices. Otherwise, a maximal-SCC search or the doubly-nested DFS of [CVWY92] has to be used. Although the three algorithms have the same worst-case complexity (linear in the size of $G$), the DFS algorithms are preferable, since they can be implemented with a lower memory cost a...

9 | Verification of synchronous sequential machines based on symbolic execution - Coudert, Berthet, et al. - 1989 |

8 | Uppaal: a Tool Suite for Automatic Verification of Real-Time Systems - Bengtsson, Larsen, et al. - 1995 |

7 | Techniques for Automatic Verification of Real-time Systems - Alur - 1991 |
Citation Context: ...sive power, there have been a number of different discrete-time models proposed for timed systems, as well as a number of works comparing them with dense time. Two discrete-time models are considered in [Alu91]. In the first, events are bound to occur along with the clock "ticks", whereas in the second, events can occur anywhere in the real line, but the only quantitative information is how many ticks have pa...

7 | SMI: An Open Toolbox for Symbolic Protocol Verification - Bozga - 1997 |
Citation Context: ...and synth-kro, we have used the parser and DBM library of Kronos, developed by S. Yovine, A. Olivero and C. Daws. For the implementation of kronos-open, we have used the parser of smi, developed by M. Bozga [Boz97]. The implementation of synth-kro has been completed by K. Altisen. In the following sections, we present kronos, minim, synth-kro and kronos-open. 11.1 The model checker kronos: The functionalities of...

6 | Data structures for the verification of timed automata - Asarin, Bozga, et al. - 1997 |

6 | Membership questions for timed and hybrid automata - Alur, Kurshan, et al. - 1998 |
Citation Context: ...Moreover, the symbolic reachability of [LPY95] does not contain the c-closure operation. This makes the extraction of runs simpler, but without c-closure termination is not generally ensured. Recently, [AKV98] have developed an algorithm which, given a sequence of edges, produces a corresponding run, if one exists. This algorithm has complexity $O(l n^2)$ as ours, and can also be used to extract a finite concre...

6 | Verification of an audio protocol with bus collision using Uppaal - Bengtsson, Griffioen, et al. - 1996 |

5 | Génération automatique d'ordonnancements pour systèmes temporisés. Mémoire de - Altisen - 1998 |
Citation Context: ...not aware of any definition of (semantic or syntactic) parallel composition in the presence of controllability either. A first version of the definition of strategies has been joint work with K. Altisen [Alt98]. Part III Implementation and Tools. Chapter 10 Symbolic representation: The most important part in the implementation of the algorithms presented in the previous chapters is the representation of s...

4 | Timing verification by successive approximation - Alur, Itai, et al. - 1995 |
Citation Context: ...[Hal93, WTD94, WT95, Bal96]. Clock activity has been introduced in [DY96]. These techniques have been formalized in the framework of abstractions in [DT98]. A related approach can be found in [SV96]. [AIKY92] present a technique based on over-approximations: the method consists in attempting to prove the property on an abstract system where some clocks are ignored; if this attempt fails, then clocks are r...

4 | Méthodes d'analyse de systèmes temporisés : de la théorie à la pratique - Daws - 1998 |
Citation Context: ...projection. Most of the rest of the DBM operations described in this chapter, as well as the DBM-list polyhedra implementation, have been implemented by S. Yovine [Yov93], A. Olivero [Oli94] and C. Daws [Daw98]. The technique for direct quantifier elimination has been implemented by K. Altisen [Alt98]. Regarding optimizations, in the current implementation of Kronos, auxiliary information is s...

2 | Deductive verification of real-time systems using STeP - Bjorner, Manna, et al. - 1997 |

2 | Verification with real-time COSPAN - Courcoubetis, Dill, et al. - 1992 |
Citation Context: ...Parallel to the theoretical work, a number of dense-time verification tools have been developed in the past few years. Kronos has been the first one [Yov93, Oli94, DOY94], followed by real-time Cospan [CDCT92], Uppaal [BLL+95], RtSpin [TC96] and Timed-Cospan [AK83, AK96]. These tools are more or less based on the same TA model, however, they differ in their property-specification languages. All the tools p...

1 | Modelling elapsed time in protocol specification - Aggarwal, Kurshan - 1983 |

1 | Validation, verification and implementation of timed protocols using AORTA - Bradley, Henderson, et al. - 1995 |
Citation Context: ...re a relatively low-level model. A number of higher-level timed languages are currently used as a front-end to TA which are then used for the analysis. For example, Kronos has been interfaced to Aorta [BHKR95], Grafcet [MLP96], ET-Lotos [Her98] and Shift [AGS96]. In order to achieve better usability for domain-specific applications, restrictions of the model and optimization of the algorithms can be envisag...

1 | Verification of timed systems using partially ordered sets - Belluomini, Myers - 1998 |