Table Of ContentFormal Verification of Timed Systems:
A Survey and Perspective
FARN WANG
Invited Paper
An overview of the current state of the art of formal verifica- • Withthereadinessofconcretetheoreticalframeworks
tion of real-time systems is presented. We discuss commonly ac- fortheverificationofreal-timesystems[5],[11],[113],
cepted models, specification languages, verification frameworks,
[127]–[129],[133],[197],bothprogrammersandthe-
state-spacerepresentation schemes,state-spaceconstructionpro-
oreticians are eager to see how the theory adapts to
cedures, reduction techniques, pioneering tools, and finally some
newrelatedissues.Wealsomakeafewcommentsaccordingtoour real-worldprojects.
experiencewithverificationtooldesignandimplementation. • Withtheincreasingscopeandcomplexityofembedded
systems and resulting state-space explosion, it is be-
Keywords—Embedded systems, formal methods, formal verifi-
cation, models, real-time systems, specification, temporal logics, cominglessandlesslikelythatwecanrunasufficient
theory,tools. numberofsimulationtracestogainbothenoughcov-
erageofthestatespacesandenoughconfidenceinthe
systemswithaprojectschedule.Further,evenifitwere
I. INTRODUCTION
feasibletohaveextensivecoverageofthe system,the
Real-time systems differ from untimed systems in that potentialofasingleuntestedsequenceofeventsthatno
theirbehavioralcorrectnessreliesnotonlyontheresultsof one thought of to cause system failure is also of con-
their computations, but also on the clock times when the cern.
results are produced. Formal verification means to rigor- In the last two decades, many achievements in the formal
ously explore the correctness of system designs expressed
verification of real-time systems have been reported, from
as mathematical models, most likely with the assistance of
various solid theory foundations to complex implementa-
modern computers. From our viewpoint, there have been
tion techniques and formal verification of many real-world
the following three motivations for the heated research on projects [37], [189], [203], [206]. Still the intrinsic com-
the formal verification of real-time systems in the last two
plexity of various framework for real-time system verifica-
decades.
tionisforbiddinglyhigh.Theverificationproblemsoftimed
• Withthesuccessofformalverificationintheverylarge systems are usually exponentially more complex than their
scale integration (VLSI) industry [53], it is natural to untimed counterparts. For example, the model-checking
expect that similar success can be repeated in the problemofcomputationtreelogic(CTL)isinPTIME1[60],
formal verificationofreal-time systems.In particular, [61], while that of timed CTL (TCTL) is in PSPACE2 [5].
the achievement of binary decision diagram (BDD) Thus, in the foreseeable future, it will be difficult to use
technology[52]hasraisedthehopesandconfidenceof formal techniques alone for decisive answers to complex
theindustryfortheverificationofreal-timesystems. verificationtasks.
Butthisdoesnotmeanthatwearepessimisticaboutthefu-
tureofformalverification.Onthecontrary,withmostmajor
projects currently spending over 50% of their development
Manuscript received November 15, 2003; revised April 19, 2004. costsinverificationandintegration,therearetremendousop-
ThisworkwassupportedinpartbytheNationalScienceCouncil(NSC)
portunitiesforusingformalverificationtosizablyreducethe
of Taiwan, R.O.C., under Grants NSC 92-2213-E-002-103 and NSC
92-2213-E-002-104, and in part by the System Verification Technology
ProjectoftheIndustrialTechnologyResearchInstitute,Taiwan,R.O.C.
The author is with the Department of Electrical Engineering, 1PTIMEproblemscanbesolvedwithtimecomplexitypolynomialstothe
National Taiwan University, Taipei 106, Taiwan, R.O.C. (e-mail: inputsizesinbitcounts.
[email protected]). 2PSPACEproblemsmayincurmemoryconsumptionpolynomialstothe
DigitalObjectIdentifier10.1109/JPROC.2004.831197 inputsizesinbitcounts.
0018-9219/04$20.00©2004IEEE
PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004 1283
explosivegrowthofverificationandintegrationcostsandto Beforeyougoon,weremindyouthatthepapermayshow
enhancethequalityofsystemdesignsinindustry.Ontheone theauthor’sintentionalorunconsciousbiastowardeachap-
hand,forcomplexreal-timesystems,formalverificationwill proachinformalverification.Afterall,theamountofspace
likely be used to enhance the intelligence and performance neededtoexplainthedetailsofeachsubfieldisasubjective
ofsimulationandtesting.Forexample,coveragemetricscan decision.
bemorepreciselymappedtothefunctionstobeverified.On
the other hand, for targets with clean modularity and inter- II. MODELS
face,formalverificationcanbeusedtorigorouslycheckthe
Formal verification grows from formal or mathematical
components and the interfaces and gradually could be ac-
logics [41], in which we discuss the grammar (syntax) and
cepted as standard methods in the automation of industrial
meaning (semantics) of logic formulas. It is possible to as-
qualitycontrol.Actuallyitisclaimedthatthislatterapproach
sociatethesamegrammarwithdifferentstylesofmeaning.
has already had a dramatic effect on the SLAM project of
Themeaningofalogicformulaisdefinedasasetofmodels.
Microsoft,whichplanstoincorporatemodel-checkingcapa-
A model in mathematical logic is a domain of values and
bilityinitsWindowsdriverdevelopmentkit(DDK)[34].
somefunctionsonthedomain.Withoutsuchformaldefini-
In this paper, we give a review of these many achieve-
tions,rigorousandmechanicalverificationofreal-timesys-
ments so that readers can use the paper as an index to the
temswillbeimpossible.
literature.Weorganizethepaperaccordingtothevariousre-
Intuitively,intheforumofspecificationandverification,a
searchtopicsinformalverification,includingmodelsinSec-
modelisabehaviorofasystemdescription(orspecification).
tionII,descriptionandspecificationlanguagesinSectionIII,
Accordingtothevariousframeworksweuse,amodelfora
verificationframeworksinSectionIV,representationofstate
real-timesystemcanbeastateset,astatesequence,anevent
space in Section V, constructions of state-space representa-
sequence, a state tree, or an infinite domain with relations.
tionsinSectionVI,reductiontechniquesforrepresentations
Someotherpossibilitiescanalsobefoundin[80].
in Section VII, some tools in Section VIII, and some other
issues in Section IX, including symbolic simulation, para-
A. LinearTimeVersusBranchingTime
metric analysis, controller synthesis, probabilistic analysis,
andworstcaseexecutiontime(WCET)analysis. We can view a computation either as a linear sequence
Therearemanyframeworkstochoosefromtocompletea withonlyonefutureorasatreewithmanypossiblefutures.
verification task. Each framework has its unique advantage The former is calledlinear-time semantics [185],while the
and may incur an intrinsic challenge. We feel it is better to latteriscalledbranching-timesemantics[60],[61].
let the readers be informed of the challenges in the verifi- Linear-Time Temporal Logics: The research on auto-
cation frameworks of his/her choice. Thus we have cited maticverificationofcomputerprogramswasinitiatedwhen
manycomplexityresultsofvariousverificationproblemsin Pnueli proposed using linear-time propositional temporal
the paper. Complexity of a verification problem means the logic(LPTL)[185]tospecifyandcomputethebehaviorsof
order of growth of required resources to solve the problem computer systems. LPTL is a subclass of modal logic [41]
with respect to the input sizes in bit counts. The resources withpossible-worldsemanticsandmodaloperators: (for
can be CPU times, memory space, message counts, power allpossibleworlds)and (thereexistsapossibleworld).In
consumption,etc.Butinthispaper,wearemainlyconcerned LPTL, is interpreted as “from now on, at all states” (or
withCPUtimesandmemoryspace.Somejargonofthecom- henceforth,always),while isinterpretedas“fromnowon,
plexity classes includes PTIME, NP-complete,3 PSPACE, there exists a state” (or eventually). For example, we may
EXPTIME,4EXPSPACE,5nonelementarycomplexities,6and havethemodelofarailroadcrossingsystem.
undecidability.7 and are two atomic propositions, and we want to
HeitmeyerandMandriolihavealsowrittenahandbookon specifythatwheneveranapproachingtrainisdetected,from
formalverificationtechniquesforreal-timecomputing[106]. thatstateon,eventuallythegateisdown.InLPTL,thiscan
Regardingtechniquesforuntimedsystems,aclassicbookis beexpressedas
one by Clarke et al. [65]. A previous survey paper in this
regardisbyOstroff[179].
3NPproblemsmeansthatwe canguessasolutionintimecomplexity
Twoothercommonlyusedmodaloperatorsare (next)and
polynomialstotheinputsizes.NP-completeproblemsarethehardestonesin
NPandareingeneralconsidereduntamableproblemsincomputersciences. (until). means that is true in the next state.
4EXPTIMEproblemsconsumeCPUtimesexponentialtothesizesofin- meansthat istrueuntil istrue.
putsinbitcounts.
Indefininglogics,peopleusuallytrytouseminimalsyntax
5EXPSPACEisthesetofproblemsthatatmostconsumememoryca-
structures. Usually and can be defined as the short-
pacityexponentialtotheinputsizesinbitcounts.EXPSPACE-complete
problemsareharderthanEXPTIMEproblems. handsfortrue and ,respectively.Ontheotherhand,
.. Kampshowedthat cannotbemodeledwithmodalop-
.
6Nonelementarycomplexitiesarelike2 withtheheightsoftheexponent erators , ,and [131].
stacksatleastproportionaltotheinputsizesinbitcounts.
Inthelate1980s,peopleaddedtheconceptof“clocktime”
7Undecidableproblemsdonotguaranteetermination.Ingeneral,itisnot
toLPTL.Thatis,aglobalclockisassumedinthemodelsuch
possibletodesignalgorithms(proceduresthatguaranteetermination)for
undecidableproblems. thattheglobalclockdoesnothavetoincrementitsreading
1284 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004
ateverystate.Initially,Ostroff[178]discussedissuesinex-
pressiveness and complexity with quantification and linear
constraintsofclockreadingsinLPTL.Forexample,wemay
write
(1)
Here is the special variable for the reading of the global
Fig.1. TwobehaviorsthatCTLcandifferentiate.
clockatthecurrentstate.
Alur and Henzinger proposed timed propositional tem-
porallogic(TPTL)[15].TPTLhasaclock-readingfreezing ( , ).IntheliteratureofCTL,modaloperators , , , ,
modal operator and uses binary difference constraints be- ,and arewrittenas , , , , ,and ,respectively.
tween frozen clock readings. The intuition is that quantifi- Insemantics,anLPTLformuladefinesasetoflinearstate
cations on clock readings following are universal, while sequences,whileaCTLformuladefinesasetofcomputation
the ones following are existential. For example, we may trees.CTLandLPTLarenotcomparableinexpressiveness.
write For example, the LPTL formula says states happen
infinitelymanytimes.Also,thenonZenorequirement[113]
(2) in TPTL is . These properties are known to be
inexpressible in the timed extensions of CTL. On the other
which means that the gate will be down in 300 s from any
hand, CTL allows for the reasoning of properties between
stateinmode .Notethatthisformulaspecifies
possiblefuturebehaviors.Forexample,theCTLformula
somethingdifferentfrom(1).In(1),time isindependentof
thestatesquantifiedbythemodaloperator ,whilein(2),it
is not.
Alur and Henzinger also defined metric temporal logic
candifferentiatethetwobehaviorsinFig.1,whilenoLPTL
(MTL),whichallowsthespecificationoftimingdistancesbe-
formula can.
tweenstatesquantifiedbyadjacentmodaloperators[16].For
Emerson et al. proposed real-time CTL (RTCTL) [83],
example,wemaywrite
whichusesformulaslike tospecifytheexistence
of a state sequence along which becomes true within the
next states.Thistypeofpropertyissuitableforcycle-based
systems like VLSI, in which the discrete global clock ticks
to specify the same property as (2). A nice exploration of
ateverydiscretestatechange[83].
variousdiscrete-timeextensionsofLPTLis[16].
Harel et al.[104] discussed the expressivenessand com-
In 1992, Wang et al. extended TPTL to Asynchronous
plexity of the CTL extension with universally quantified
PTL(APTL)fordistributedsystemswithclockjitters[228].
clockvariablesandarbitrarylinearclockconstraints.
Specifically,theyredefinethesemanticsofclockdifferences
Themostusedbranching-timetemporallogicforreal-time
in distributed systems with a timing precedence relation.
systems is TCTL [5], which supports modal operators like
The idea is that instead of comparing the values of clock
, , , , ,and .Here isanat-
readings,wenowcomparethetemporalprecedenceofclock
uralnumberand isoneof , , , ,or .Forexample
readings.Forexample,wemaywrite ,
which means that we have two distributed clocks such that
at every state, if the reading of the two clocks are and ,
respectively, then every second tick of the first clock must
meansthatwheneverthemonitorisinmode ,
precedethenexttickofthesecondclock.Puttingitanother
alongallrunshenceforth,thegatewillbeclosedin300s.
way,foreverytickofclock2,clock1willtickatleasttwice.
Besideitsmodality,TCTLalsodiffersfromTPTLandthe
Branching-Time Temporal Logics: The intuition behind
likeinthatTCTLisdefinedwithdense-timeclockmodels.
linear-time logics is that there is only one future. With
Thus,thereisnomodaloperatorinvolving .
branching-time logics, the possibility of many futures is
IntegrationofLinearTimeandBranchingTime: Emerson
assumed, and modal operators , are provided to specify
andHalperndefinedaunifiedspecificationlanguage,called
therelationamongdifferentfutures.Pathquantifier means
,forbothLPTLandCTL[81].RememberthatinCTL,
“there exists a run from now on” and means that “for all
we require that linear-time modal operators must immedi-
runsfromnowon.”Forexample,inCTL[60],[61]
ately follow path quantifiers. If this restriction is lifted in
CTL,thenwegetCTL .RegardingLPTL,eachLPTLfor-
mulaspecifiesthesetoflinearsequencessatisfyingit.Thus,
meansthatwheneverthemonitorisinmode , intuitively,LPTLisasubclassofCTL becauseeveryLPTL
alongallrunshenceforth,thegatewilleventuallybeclosed. formulaimplicitlycarriesauniversalquantifieronallcom-
NotethatinCTLanditsextensions,linear-timemodaloper- putationsequences.Thatis,anLPTLformula characterizes
ators( , , , )mustimmediatelyfollowapathquantifier thesamesetofstatesequencesastheCTL formula .
WANG:FORMALVERIFICATIONOFTIMEDSYSTEMS:ASURVEYANDPERSPECTIVE 1285
It is also natural to extend CTL to TCTL . Möller dis- able gate can be used for the gate position of the present
cussedhowtomodelcheckasubclassofTCTL [167].Wang state. State-based real-time temporal logics are usually de-
carriedoutexperimentsusingmodel-checkingalgorithmson rivedfromtheiruntimedcounterparts[60],[61],[185].Ex-
thesubclassofTCTL whichcontainsfairnessassumptions amples include TCTL [5], RTCTL [83], TPTL, MTL [16],
[220]. andAPTL[228].
An event represents an instantaneous change of states
B. DiscreteTimeVersusDenseTime
and may trigger a series of responses in a system. For
In the definition of real-time system models, we can example,thedetectionofanapproachingtrainatarailroad
requirethatalltime readingsare integers and allclocksin- crossing is an event that will hopefully cause the gate to
crementtheirreadingsatthesametime.Thisisdiscrete-time close. Event-driven system descriptions are very natural in
semantics [15], [127]. The other choice is dense-time se- theworldofembeddedsystemengineering.Onepioneering
mantics [11], [78], which means that time readings can be work that incorporates timed events into the linear-time
rationalsorrealsandallclocksincrementtheirreadingsata modelisreal-timelogic(RTL)byJahanianandMok[127].
uniformrate. RTL is a linear-time event-driven logic with event occur-
Discrete-time models are suitable for synchronous sys- rence-timefunctions.Forexample,wemaywrite
tems where all concurrent processes share the same global
clock.ExamplelanguagesareTPTLandMTL[16].Dense-
timemodelsarebetterfordistributedsystemswithmultiple
whichmeansthatafterthe thtrain eventhas
clocks and timers, which can be tested, set, and reset inde-
occurred,the thgate eventmusthappenin300s.RTL
pendently.ExamplesincludeTCTL[5].
is a subclass of first-order integer arithmetic with monadic
Note that inour explanation of discrete-time models, we
functions. Yang et al. [233] have also designed a temporal
require that there is a single global clock. It may seem that
logic, synchronous real-time event logic (SREL), based on
such a requirement is inappropriate for distributed systems
event countings along state sequences in a discrete-time
withdigitalclocks.Infact,afterthesamplingordetectionof
domain.
aneventinanembeddedsystem,theoccurrencetimeofthe
Onethingtonoteisthatinsynchronouscycle-basedsys-
eventisstillstoredinadigitalformat.Thus,philosophically,
tems,e.g.,VLSIcircuits,peopleusuallytreatstateandevent
discrete-timesemanticswithdistributedclocksseemsaplau-
asthesamething,sincevariableschangevaluesonlyatthe
siblechoice.Butingeneral,iftheclocksaredistributedand
beginningofeachclockcycleandthenremainsteadyinthe
donotincrementtheirreadingsatthesametime,thenwestill
cycle. But for distributed real-time systems, this treatment
have to implicitly record the ticking order of the clocks so
may leadtoimprecise modeling,sincethere isnocommon
thattheclocksstillincrementtheirreadingsatthesamerate.
clockamongthemanydistributedsites.
Theinformationpiecesoftickingordersareoffactorialcom-
Italsohaslongbeenarguedthatneitherpurestate-based
plexity,whichisthesameasthatofregiongraphconstruction
nor pure event-based languages quite support the natural
fordense-timemodels[5],anddonotsaveanycomputation
expressiveness desirable for the specification of real-world
resources. Henzinger et al. discussed the relation between
systems [57], [122], [134], [137], [174]. Recently, Wang
systems with distributed digital clocks and those with dis-
has proposed an extension to TCTL for the specification
tributeddenseclocks[112].
and model checking of behaviors involving both states and
Clock-readingmodelscanalsoaffecttheverificationcom-
eventswithfairnessassumptions[220].Forexample,inthe
plexity.Forexample,thesatisfiabilityproblemofTPTLisin
railroad crossing system, we may want to say that when
EXPSPACE,whileitsdense-timeversionisundecidable.In-
the monitor signals the controller to the gate, then
tuitively,discrete-timemodelsmayleadtolowercomplexity
the gate must be in 300 s. This can be specified as
inverificationandanalysis,sincetherearemanyfewerstates. lower . Here means that whenever
But in practice, the impact on complexity is tricky. Specif-
eventsoftype happen, mustimmediatelybetrue.
ically, with the symbolic techniques for timed and hybrid
systems[18],[113],statespacesarerepresentedasBoolean
III. DESCRIPTIONANDSPECIFICATIONLANGUAGES
combinationsoflinearconstraintsofstatevariables.Anim-
A. TimedAutomata
portant operation is checking the emptiness of state-space
representations. However, the emptiness problem of linear ThemodeloftimedautomatawasfirstproposedbyAlur
constraintsisinPTIMEforreals(indense-timemodels)and andDill[11].Atimedautomatonisafinite-stateautomaton
NP-completeforintegers(indiscrete-timemodels). equipped with a finite set of clocks which can hold non-
negative real values. It is structured as a directed graph
C. StateBasedVersusEventDriven
whose nodes are modes (control locations) and whose arcs
Astateisasnapshotofasystematamomentintime.In aretransitions.Theexampleofamonitorprocessfortrains
the sense of control, it is everything that we need to know approachingarailroadcrossingisinFig.2.Themonitorisin
about the system at that moment in order to determine the modefarwhenalltrainsarefarfromthecrossing,orinmode
futureforallfutureinputsequences.Mathematically,itcon- approaching when a train will arrive at the crossing within
sistsoftherecordingofthevaluesofallvariablesandcon- 300s,orinmodecrossingwhenatrainisatthecrossing,or
trol locations. For instance, at a railroad crossing, the vari- inmodepassedwhentrainshavejustleftthecrossingwithin
1286 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004
Fig.2. Themodelofgate–monitor.
the last 100 s. The ovals represent modes, while the arcs
representtransitions.Themodesarelabeledinsidetheovals
withinvarianceconditionswhichareBooleanconjunctions.
All states in a mode must satisfy the corresponding invari-
ance condition. At any moment, the timed automaton can
reside in only one mode. The transitions are labeled with
Fig.3. Themodelofgate–monitor–controller.
triggering conditions and a set of clocks to be reset during
the transitions. A timed automaton can make a transition
undercertainconditions,symbolicmanipulationtechniques
only if it satisfies the corresponding triggering condition.
for timed automata have performed well enough to verify
The invariance conditions and triggering conditions are
manyindustrialsystems[113].
Boolean combinations of clock (difference) inequalities. In
a timed automaton’s operation, one of the transitions can
B. CommunicatingTimedAutomata
be triggered when the corresponding triggering condition
is satisfied. Upon being triggered, the automaton instanta- Complexstatetransitionsmayrequirecooperationamong
neously transits from one mode to another and resets some processestoconstruct.Forexample,intherailroadcrossing
clocks to zero. In between transitions, all clocks increase example,atthetimewhenanapproachingtrainisdetected,
theirreadingsatauniformrate. the monitor sends a “signal” to the gate controller to move
Astateofatimedautomatonisarecordingofitspresent thegatedown.Conceptuallywecandecomposethesystem
mode and the readings of all clocks. With discrete-time intotwoprocesses:thetrainmonitorandthegatecontroller.
models,allclockswillhaveintegerreadingsandincrement The sending and receiving of the signal can best naturally
theirreadingsat thesameinstant.Withdense-timemodels, be modeled bythe interaction betweenthe monitor and the
clock readings are reals (or rationals). A computation of controller.Therearealsotwoprocesstransitionsinvolvedin
a timed automaton can be defined as an infinite sequence thebehavior,i.e.,thedetectionoftheapproachingtrainand
of time-state pairs such that the time components form a thestartingofthegate’smovingdown.
nondecreasinganddivergentrealnumbersequence. Thefirstlanguagedevicedesignedto“glue”processtran-
A timed automaton is a nondeterministic machine and sitions into a (global) transition is the channel concept for
does not have to make transitions as long as the invariance binary synchronizationinHoare’s Communicating Sequen-
condition is satisfied. One usual way to force transitions is tialProcesses(CSP)[115].Suchadevicecangreatlyhelpto
byusinganinvariancecondition.Forexample,inFig.2,in improvethemodularityofmodeldescriptions.Forexample,
the “approaching” mode, we require that to force in the embedded control system for a railroad crossing, we
thetransitionoutofthemodein300timeunits. mayhaveachannelcalled forthecommunicationof
Inpractice,areal-timesystemisusuallydescribedasaset the command to move the gate down. The language device
of process timed automata, each representing the behavior representsthesending(oroutput)eventthroughthe
ofanautonomousprocess.Suchadecompositionisnatural channel, while represents the receiving (or input)
in the description and construction of concurrent and dis- event through the same channel. Two process transitions
tributed systems. By decomposing a timed automaton to a labeled, respectively, with the sending event and receiving
setofprocessautomata,engineerscangreatlysimplifytheir event through the same channel must happen at the same
tasks in the modeling of complex, concurrent behaviors. instant to make a legitimate global transition. The inter-
The timed automaton can be constructed as the product active synchronization between a train monitor and a gate
automaton of the process timed automata. The mode set of controller can be modeled with the communicating timed
the product automaton is now the Cartesian product of the automaton in Fig. 3. When the monitor detects that a train
mode sets of the process timed automata. The invariance is approaching the railroad crossing, it sends out a signal
condition is defined by the conjunction of the invariance through channel to the controller to move the gate
conditionsofthemodesoftheprocesstimedautomata.The down. A process transition with an input event that cannot
behavior of the product timed automaton is an interleaving find a peer process transition with matching output event
oftransitionsoftheprocesstimedautomata. simplycannotbeexecuted.
What makes timed automata interesting is that their CSP-stylesynchronizationchannelswereincorporatedin
model-checking problem is in PSPACE [5]. Moreover, communicating real-time state machines (CRSM) [198] in
WANG:FORMALVERIFICATIONOFTIMEDSYSTEMS:ASURVEYANDPERSPECTIVE 1287
1992. Such devices are now supported in real-time system To know when to stop inferencing in case the specifica-
model-checkers like I/O automata [90], [133], [157], UP- tion formula is actually not a theorem, we need to prove a
PAAL[39],[183],SGM[120],[222],[223],andtheregion- small model theorem to establish the maximum number of
encodingdiagram(RED)[213],[216],[217],[219]. inferencestepsfortheproofofthespecificationformula.The
A similar synchronization device is used inHyTech [18] complexityoftheverificationproceduredependsonthecom-
andKronos[75],[237]withnodistinctionbetweensenders plexityofthesmallmodels.
and receivers.Each process is declaredwith the setof syn- Propositional temporal logics, linear time and branching
chronizerstorespondto.Thenwhenasynchronizerhappens, time,havebeendiscussedinSectionII-A.Theadvantageof
all processes declared to respond to it will have to make a suchframeworksisthattheyusuallycomewithsmallmodel
processtransition.Suchadeviceishandyinmodelingbroad- theoremsandalgorithmstocheckwhetheraformulaisathe-
casting,multicasting,andothermultipartysynchronizations. orem or not. The disadvantage is that they are usually not
For example, to model the bus collision behavior in carrier expressiveenoughtomodelcomplexbehaviorswith,forin-
sense multiple access with collision detection (CSMA/CD) stance,queues,stacks,counters,range-unboundedvariables,
protocol[175],thebusprocessmayexecuteatransitionla- polynomialconstraints,etc.
beledwiththeeventCollision_Detected,whichwill First-order and higher order logics have also been used
forceeverysenderprocesstorespondtoatransitionwiththe [127], [197] for specification and verification. The advan-
sameevent.ItisalsopossibletocombinebasicCSP-stylebi- tageisthatsuchlogicsareveryexpressiveformodelingcom-
narysynchronizationstoconstructsuchcomplexmultiparty plexbehaviors.Thedisadvantageisthatingeneral,itisnot
synchronizations.Forexample,inRED[219],tomodelthe possibletodesignalgorithmstocheckwhetheraformulais
bus collisioneventinCSMAwith senders,thebus a theorem or not.8 First-order logics seem a good compro-
needs to execute a transition with !Collision_De- mise between expressiveness and computability, since they
tected labels, and, thus, forces each of the senders to are complete ingeneral.Thatis,we stillhavesemidecision
respectively respond with a transition with one ?Colli- proceduresthatareguaranteedtoconstructproofsifthespec-
sion_Detectedlabel. ificationformulasareindeedtheorems.
On the other hand, higher order logics [96], [181] are in
C. HybridAutomata
generalincomplete.Interestedreadersarereferedto[176]for
Hybridautomata[18],[108]areusedtomodelembedded atutorialonIsabelle/HOL.MattoliniandNesipresentedtem-
systemswithcontinuousvariables,whosevaluesmayincre- poral-interval logic with compositional operators (TILCO)
ment/decrementatvariousrates.Arbitrarylinearconstraints [161]withformalproofsupportfromIsabelle/HOL.
are allowed for invariance conditions and triggering condi-
tions.Timedautomata[11]area specialsubclassofhybrid E. TimedProcessAlgebras
automata in which all continuous variables increment their TimedCSPwasfirstdesignedbyReedandRoscoe[188]
values at a uniform rate and only upper-bound and lower- andlatermodifiedbyDaviesandSchneider[74].Itsupports
boundinequalitiesofclocksareallowed.Ahybridautomaton thefollowingthreegrammarruleswithtimingconstraints:
shares the same structure as timed automata, except that in
eachmode,theincrementrateofeachcontinuousvariableis
Wait
independentlyspecified.
Ingeneral,hybridautomataarenotsubjecttoalgorithmic
“Wait ”meanstowaitfor timeunits.
verification,buttherearesubclasseswhichare[109].
modelsthetimeoutincommunication.Itbehaves
as until,attime ,whennosynchronizationhashappened
D. Logics
yet,thecontrolistransferedto .
Logic formulas can also be used to describe system
behavior. In such frameworks, the system descriptions (in- models the interrupt in embedded systems. It
cluding the models for systems and environments) and the behavesas untilattime ,regardlessofsynchronizations,
specifications are all put down in the same language. In whencontrolistransferedto .
its operation, a logic theory is defined by a set of axioms The timevalue domainintimed CSPis dense. A variety
and inference rules. Every formula that can be constructed ofsemanticshasbeendefined.Thesimplestoneassociatesa
throughrepetitiveapplicationsoftheinferencerulesiscalled programwithasetoftimedtraces.Schneiderwroteabook
atheorem.Twokeyissuesaresoundnessandcompleteness. in this regard [194]. In the book, manual proofs are illus-
Soundness means that the theorems in the theory are con- tratedandarefinementrelationfromuntimedCSPprograms
sistent, i.e., do not contradict one another. Completeness totimedCSPprogramsispresented.Withtheintroductionof
means that every theorem can be provedin a finite number theeventtock,whichadvancestimebyoneunit,Schneider
ofstepsofinferenceruleapplications.Whenwe uselogics alsoshowedhowtotranslatetimedCSPprogramstountimed
forverification,weusuallyputdownthesystemdescription CSPprogramswithtockevents.
asaxiomsandinferencerulesandthespecificationformulas Baetenetal.havedonesubstantialworkinextendingthe
asatheorem.Aproofplanmayalsoinvolveseverallemmas process algebra known as the algebra of communicating
andcorollariesasintermediatestepstotheestablishmentof
8Inthejargonofcomputerscience,thedecisionproblemsofsuchlogics
thegoaltheorem. aresaidtobeundecidableorincomputable.
1288 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004
processes (ACP) to the real-time domain [30]–[32]. The axioms which must be satisfied in each action to maintain
time models can be dense or discrete. Both absolute time thenaturalconceptsoftimestamps.
and relative times can be specified. Time-stamped actions AdbullaandNylendefinedtimedPetrinets[3],inwhich
can be used to combine actions with the passage of time. each token is associated with a clock which can be reset at
Theintegrationoperator allowscompositionovera thetimeoftransition.Thisresemblestheclockresetopera-
continuum of alternatives. The initial abstraction operator tionsoftimedautomata.Thereisalsonoobligationtofirean
definesamappingfromaparametricinitialsetting enabledtransitionbeforetheLftexpires.
of real variable to a set of processes, whose behaviors Serugendo et al. extended Merlin and Faber’s time Petri
dependonthevalueof . net to real-time synchronized Petri nets with synchroniza-
Work on the calculus of communicating systems (CCS) tionsbetweenasetofobjects,modeledwithreal-timePetri
withtimingcanbefoundin[59],[170],and[234]. nets [195].
Another timed extension of process algebra is PACSR Girault and Valk editted a handbook on formal methods
[152],[184],whichsupportsresource-awarenessandproba- based on Petri nets [94]. Cerone and Maggiolo-Schettini
bilityreasoninginembeddedsystemdesign. wrote a survey paper on various approaches to extending
LOTOS is an ISO standard specification language based Petri netstospecification andverificationoftimed systems
on process algebra [43], [123]. Its real-time extension is [56].
called Enhanced Timed-LOTOS (ET-LOTOS) [124], [150],
[151]. G. GraphicalLanguages
Statecharts [103] were introduced to help users describe
F. TimedPetriNets behavioral hierarchies of untimed concurrent systems in a
graphicalstyle.Systemoperationscanbehierarchicallyde-
Petri nets [87], [130] are convenient for modeling con-
composedtoparalleland serialmodes.Suchbehavioralhi-
current systems. In a Petri net, we have places, which may
erarchy has inspired various compositional frameworks for
hold tokens, and transitions, which may consume some to-
verification and analysis, e.g., assume–guarantee reasoning
kensfromtheplacesandproducesomeothertokensinother
[1],[17],[99],[162],[205],andstaterefinementverification
places.A state ofa Petrinet is called amarking, which as-
[9], [232].
signs a number of tokens to each place. Since each place
Modecharts[128]werethefirsttimedextensionofstate-
canholdanunboundednumberoftokens,Petrinetsareinfi-
charts.Their semantics was definedwith RTL[127] indis-
nite-statesystems.OnespecialthingaboutPetrinetsisthat
cretetime-domain.Timingintervalsanddiscreteeventscan
they lack the capability to test the nonexistence of tokens.
beusedastriggeringconditionsfortransitions.
Specifically, a transition may happen if all its input places
Statechartssupportmanypowerfulprimitives,likeexcep-
have tokens. But no action can be taken when there is no
tions, group transitions, and history. As a result, their se-
tokeninsomeinputplace.Theoretically,Petrinetsareequiv-
manticsiscomplex.Hierarchicreactivemodule(HRM)isa
alent to counter machines without zero-test capability [97]
model description language for timed systems with restric-
andvectoradditionsystems(VAS)[118],[132].
tions on transitions to simplify the semantics [14]. Syntac-
SeveralclassesoftimedextensionsofPetrinetshavebeen tically, transitions in HRM can only connect to entry/exit
proposed [3], [42], [47], [93], [163], [187]. For example, pointsofstructuralmodules.Transitionsareforbiddenfrom
MerlinandFaberdefinedtimePetrinets,inwhicheachtran- jumpingdirectlytoinnermodules.
sition is associated with a clock that records the time lapse Timed unified modelinglanguage (UML) is the real-time
sinceitwaslastenabled[163].Clockreadingscanbenatural extensionofUML[72],whichisinturnavariationofstate-
numbersindiscrete-timemodelsordensenumbersincontin- charts.TranslationschemesfromtimedUMLtovariousver-
uous-time models. State may change due to transitions and ificationtoollanguageshavebeenstudiedandimplemented
timepassage.Eachtransitionalsohastwoattributes:earliest [73],[88],[136],[146],[172].
firingtime(Eft)andlatestfiringtime(Lft).Anenabledtran-
sition can only fire when its clock reading is no less than
IV. VERIFICATIONFRAMEWORK
its Eft, and if continuously enabled, it must be fired before
Therearethefollowingfourmajorapproachestocompu-
itsLft.Thus,timemaynotincrementbeyondtheminimum
tationallyverifyingtimedsystems.
deadlines set by the Lft of all enabled transitions. This se-
manticsthat“someenabledtransitionmustfire”isdifferent
A. SatisfiabilityChecking
from the nondeterministic semantics of timed automata, in
whichacontinuouslyenabledtransitiondoesnothavetobe Inthisframework,wewriteboththesystembehaviorde-
firedbeforetheLft. scription andspecification aslogicformulasandtryto
Ghezzietal.proposedanotherPetrinetextension,called prove that is a theorem (i.e., tautology) of the un-
Time Environment/Relation (ER) nets, for timed systems derlyingaxioms.Inreality,weusuallycheckif isa
[93]. Each token, instead of each transition, is associated contradiction,orequivalently isunsatisfiable.Inthe
with a time stamp. Transitions can be triggered only when implementation,wecanusethetableaumethodtoconstruct
the earliest time and latest time requirements are met with an untimed Kripke structure and check if is satis-
respecttothetokentimestamps.Theyalsopresentedthree fiedattheinitialnodesinthestructure.Atableauisasmall
WANG:FORMALVERIFICATIONOFTIMEDSYSTEMS:ASURVEYANDPERSPECTIVE 1289
modelthatcanbeusedtochecktheexistenceofamodelfor flag,sincenomatterwhenwefreeze to ,thetruthvalue
.Conceptuallyitisadirectedgraph suchthat of isalreadydeterminedatthemomentwhen
isthesetofpossibleworlds(orstates)and isthesetof isgenerated.
transitionsfromworldtoworld. The small modeltheorem of TPTL says thatif there is a
Inthefollowing,weillustratethetableauconstructionfor modelfor ,thenthereissuchamodel:
TPTLsatisfiabilitychecking[15].Assumethatwearegiven
• whose nodes are in the powerset of and
aTPTLformula suchthatnegationsonlyappearinfrontof
satisfythenodeconsistencycondition;and
atomicconstraintslike and .Thisispossible
• whose transitions satisfy the transition consistency
because of deMorgan’s law and ,
condition;and
,and .
• thatcontainsacyclesuchthat
GivenaTPTLformula , isasetofTPTLfor-
— thecycleisreachablefromaninitialstatenode;and
mulasconstructedwiththefollowinginductionrules.
— if islabeledinsomenodeinthecycle,thereis
• andtrue . anothernodelabeledwith inthecycle;and
• If or , — if islabeledinsomenodeinthecycle,there
then and . isanothernodelabeledwith inthecycle.
• If , then , ,
The satisfiability problem of linear-time temporal logics
.
TPTL [15], TETL, MTL [16], and APTL [228] are EX-
• If , then ,
PSPACE-complete.
.
Itisalsopossibletousetemporallogicswithdense-time
• If , then ,
semantics to do satisfiability checking. However, the satis-
.
fiability problems of TPTL with dense-time semantics and
• If ,then .
TCTLareallundecidable[5],[16]
• If , then
where is the symbol for current time
and is identical to except that every B. ModelChecking
occurrence isreplacedby .
The framework of model checking [60], [61] means that
• If where ,
thesystemdescriptionsaregivenasautomata,thespecifica-
and ,then
tionformulasaregivenastemporallogicformulas,and we
.Thecasefor issymmetric.
wanttocheckifallmodelsofagivensystemdescriptionsat-
Here,forconvenience,weassumeonlyinequalitieslike isfy a given specification formula. One popular framework
,where and areclockvariablesand and in this category is the TCTL model-checking problem [5]
are used. inwhichthesystemdescriptionsaretimedautomata,while
Anode in for isasubsetof thatsatisfies the specifications are TCTL formulas. The TCTL model-
thefollowingnodeconsistencyconditions. checkingproblemisPSPACE-complete.Notethattheframe-
• true . workin[5]onlypermitsatomicconstraintslike with
• If ,thetruthvalueof isin . . For about one decade, people have
• If ,then . straightforwardly extended the framework with constraints
• If ,then or . like [113]. Recently, Bouyer [46] showed that
• If ,then and . themodel-checkingalgorithmsin[5],[113]isnotcorrectfor
• If ,theneither orboth and suchanextension.
. Animportantsubclassinthemodel-checkingframework
• If ,thenboth and . is safety checking, i.e., the model checking of formulas
• If ,theneither or . like where is a propositional formula for the safety
• If ,then . propertyofasystem.Inimplementation,thesafetyanalysis
problem is usually translated to the negation of the reach-
If ,thenthefollowingtransitionconsistencycon-
ability problem, i.e., whether is true or not. Most of
ditionsmustalsobemaintainedin ,i.e.,exactlyoneofthe
the implementations in model checking have focused on
followingtwoistrue.
the efficiency enhancement of safety checking. The major
1) Forall ,then . reason for this may be that fully model checking complex
2) Forall ,then ,where isidentical timedsystemsisindeedtoodifficult.
to exceptthateveryconstraintlike with
It is also possible to model check linear-time temporal
, isrespectivelyreplacedwith . logics like TPTL [15] or MTL [16]. In this framework, we
(Thecasefor issymmetric.)
wanttoverifythateverycomputationofthetimedautomata
Case 1 models the passage of zero time units, while case 2 isalsoastatesequenceofthelinear-timeproperty.
modelsthepassageofonetimeunit.Alsonotethatwhena Modelcheckinghasalsobeenappliedtoframeworksother
constraintlike isgenerated,wewillnolonger thanautomata.FDRisacommercialmodel-checkerforCSP
askforthedecrementsfrom .Thus, servesasa but does not quite support real-time system modeling [89].
1290 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004
Theideaistocheckwhether,byhidingsomeinternalvari- • foreveryinitialstate of ,thereisaninitialstate
ables, a behavior description in CSP can be identified as a of suchthat .
refinementofanotherspecificationinCSP. Timed simulation has been used extensively for systems
Thereisalsomodel-checkingresearchforPetrinets.One modeled with various extensions of I/O automata [44],
common approach is to put in restrictions to reduce Petri [105], [141], [154]–[156], [160]. Since I/O automata [133]
nets to finite-state systems, which are then subject to algo- have first-in-first-out (FIFO) queues and their verification
rithmic model checking. In general, the reachability (of a problemisingeneralundecidable,alotoftheworkwascar-
specificationmarking)problemofPetrinetsisdecidablebut ried out using theorem provers (see Section IV-D). Tas¸Iran
without known elementary complexity. Another commonly etal.showedthatthesimulationcheckingproblemfortimed
acceptedframeworkforverificationwithPetrinetsiscalled automataisEXPTIME[209].
thecoverabilityproblem,inwhichwearegivenaspecifica- The third alternative is timed bisimulation, which is also
tionmarking andwanttoseeifthereisareachablemarking a relation between states of two (timed) automata at an ab-
suchthat isnolessthan placebyplace. straction level. For convenience, given a relation , we let
. Given two model descriptions
and , a relation is a timed bisimulation between and
C. Simulation
iff isatimedsimulationfrom to and isatimed
It is also possible to use state-transition systems (au- simulationfrom to .Cˇera¯nsshowedthattimedbisimu-
tomata) for both system behavior descriptions and specifi- lationcheckingisdecidable[55].Lasotashowedthattimed
cations.Thisframeworkcanbeusefulwhenaspecification bisimulationcheckingisalsodecidablefortimedbasicpar-
is too complex to put down in temporal logics. After all, a allel processes (BPPs)9 [145]. Bisimulation-based verifica-
pictureisworthathousandwords.Givenabehaviormodel tionoftimedautomatacanbefoundin[71],[153].Workon
description andaspecification ,intuitively,wewantto discrete-timemodelscanbefoundin[147]–[149].
check whether simulates , i.e., every behavior of is
also a behavior of with respect to the input and output D. TheoremProving
events(i.e.,observableevents)andthetimesatwhichthose Thisapproachstemsfromveryearlyresearchinartificial
events occur. However, we need to define behavior more intelligence [58]. In this framework, verification engineers
clearly. manually designa verificationplan (proof sketch) and then
Inlineartime,abehaviorisan(infiniteorfinite)sequence use theorem provers to mechanically check the correctness
of events and the occurrence times of those events. Such a ofthereasoningstepsintheplan.Sincemanyofthetheorem
sequencetogetherwiththeeventoccurrencetimesiscalled provers accept undecidable classes of logic formulas, the
a timed trace. The framework of trace inclusion verifies approach usually does not guarantee the termination of
whether implements ,i.e.,thetimedtracesof arealso individual mechanical verification tasks. If a user feels that
timedtracesof .Thisframeworkmaynothavethepower a prover cannot finish a task, he/she may have to either
todiscerncertainbehaviors.Forexample,inFig.1,although intervene with expertise (formalized as axioms or proof
the two systems have the same set of traces, the choices at strategies) or change the verification plan. Fulfillment of
statesarenotthesame.Inaddition,AlurandDillshowed a verification plan depends heavily on the users’ profound
that the inclusion problem of timed traces is undecidable knowledgeoftheunderlyinglogicsandproficiencyinusing
[12]. the tools.
An alternative framework is simulation [158], [159], Variousalgorithmsweredevelopedtochecksubclassesof
[209],which,informalverificationliterature,doesnotmean first-orderlogics.Shostak[202]andNelsonandOppen[173]
that we build a mathematical model in the programming presentedalgorithmstodecideunquantifiedcombinationsof
language C, execute the model with an inference engine, somefragmentsoffirst-orderlogics.Shostakalsopresented
and then observe the trace [66], [224]. Instead, simulation algorithms(congruenceclosure)todecideequalitywithun-
is a relation between states of two model descriptions at interpreted functions [200] and methods, like loop residue
an abstraction level (regarding the same set of observable [201]andSUP-INF[199],todecidelineararithmetic.Oppen
inputs and outputs). Given a behavior model description presentedalgorithmsforcheckingPresburgerarithmeticfor-
andaspecification ,intuitively,wewanttocheckifthere mulas10[177].Techniquesfrompropositionalcalculus[52],
is a simulation relation from to (i.e., simulates ). [98]canalsobeemployedtocheckpropositionalfragments
Forconvenience,wewrite iffin ,wecantransit offirst-orderorhigh-orderlogics.
from to byfirstlettingtimeprogressby (anonnegative There is also an extensivelibrary of term rewriting tech-
real)andthenexecutingatransitionlabeledwithevent .A niquesforfirst-orderandhigherorderlogics[77],[135].Re-
relation betweenthestatesetsof and isasimulation searchhasshownthatcontrolledheuristicsonterm-rewriting
iffforevery : rulesareimportant.
• and are the same, predicate by predicate, at the 9BPPsaresystemsconstructedwithrulesP ::=pjP kP j1.P ,where
abstractionlevel; pisanatomicprocessand1.P istheprocessofthepassageofonetime
unitfollowedbyprocessP .
• if forsome ,then forsome
10Presburgerarithmeticisthetheoryoflinearconstraintslikec x +...+
of suchthat ;and c x (cid:24)d,Booleanoperators,andquantificationonvariablesx ;...;x .
WANG:FORMALVERIFICATIONOFTIMEDSYSTEMS:ASURVEYANDPERSPECTIVE 1291
Shankar designed an operator (read “since” ) in a A DBM can represent a convex state space in the time
state-based model in the well-documented theorem prover space. Efficient operations like intersection and normaliza-
Prototype Verification System (PVS) [197]. The operator tion to all-pair shortest-path form, can be performed. But a
measures the time that has elapsed since last held. It is DBMcannotrepresentaconcavestatespace.
implemented with three axioms in PVS. The first specifies Annichini et al. [21] have extended DBM with parame-
the initial value of each . The second and third respec- ters for the semialgorithmic analysis of counter and clock
tivelydefinewhen shouldremainthesameandwhenit systems.
should increment in an action. Users can also define their
own axioms in PVS for convenience. Work along this line B. BDD-LikeDataStructures
canbefoundin[24],[25],[117],and[193]. BDD[52]isaminimumcanonicalformforpropositional
logic and has become an indispensible technology in hard-
wareverification.Topologically,aBDDisanacyclicdirected
V. REPRESENTATIONSOFSTATESPACES graphwithasinglesourceandtwosinks(forFALSEandTRUE,
respectively).Itcanrepresentbothdisjunctionsandconjunc-
Many verification frameworks rely on the analysis of
tions.Eachnodeislabeledwithadecisionatom,andtheout-
reachable state spaces. The efficient manipulation of rep-
goingarcsare labeledwiththe valuesofthecorresponding
resentations of reachable state spaces is fundamental to
decisionatom.ItisminimumbecauseBDDhastheleastrep-
efficient verification of real-time systems. One important
resentation size for any state space with respect to a given
work in this regard is [5], in which Alur et al. presented
variable ordering. It is canonical because there is exactly
a finite representation, called the region graph, for the
oneBDDforanygivenstatespace.Thiscanonicalityfeature
dense-time state space of timed automata, and then proved
alsoimpliesthatequalitycheckingbetweenstatespacesand
the PSPACE-completeness of the TCTL model-checking
emptinesscheckingofastatespacecanbedoneefficiently.
problem.Aregiongraphisadirectedgraphwhosenodesare
ThefirstpapertodiscusshowtouseBDDtoencodezones
calledregionsandwhosearcsrepresenteithertimeprogress
(actually for asynchronous systems with clock jitters) was
or discrete transitions between regions. A region is a state
by Wang et al. in 1993 [227]. They discussed how to use
subspace with three characteristics. The first is the control
BDD with decision atoms like to model
locationofthestates,thesecondistheintegerpartsofclock
check timed automata. Here, and are timing constants
readingsinthestatesuptothebiggesttimingconstantsused
withmagnitudenogreaterthanthebiggestconstantusedin
inthe automataand the TCTLformula,and the thirdis the
the behavior model and specification. Each decision atom
orderingamongthefractionalpartsofclockreadingsinthe
canassumeaBooleantruthvalue.Theapproachmaysuffer
states.
from bad performance, since the size of the decision atom
Region graphs are important in establishing complexity.
domain isalready proportional to the timing constantsand,
Forpracticalverification,symbolicdatastructurescanusu-
thus, exponential to the input size. However, they did not
ally yield more compact representations. In the following
reportimplementationorexperiments.In1996,Balarinim-
sections,wediscusssomeworkinthisregard.
plemented the same scheme and reportedexperiments with
approximation techniques [33]. In 1999, Møller et al. used
A. Difference-BoundedMatrices the same idea to devise a data structure called a difference
decisiondiagram(DDD)anddiscussedmanymanipulation
SinceDillproposedtousethedifference-boundedmatrix
techniques[168],[169].
(DBM) to record the time space of real-time systems [78],
Thenumericaldecisiondiagram(NDD)[26]usesbinary
the DBM has been adopted by two major model checkers:
encodingforclockreadings,anditsperformanceisverysen-
Kronos [75], [237] and UPPAAL [39] and has become the
sitivetotiming-constantmagnitude.
mostpopulardatastructureforsuchapurpose.
The clock-difference diagram (CDD) [36] uses decision
ADBMisatwo-dimensionalarray.EachentryinaDBM
atomslike andlabelsarcswithdisjointintervals.Forex-
recordsthedifferencebetweentwoclocks’readingsofastate
ample,anodelabel togetherwithanarclabel(3,5]con-
inthespacecharacterizedbytheDBM.Zeroisalsotreated
stitutetheconstraint .CDDswereonlyused
asa specialclock.Conceptually,givenaset ofclocks,a
inUPPAAL[36] asrecordingdevices ofzonesconstructed
DBM isamappingfrom toasetofelements
withDBMs.Nomodel-checkingandreachabilityalgorithms
like suchthat:
wereimplementedwithCDDsin[36].
• iseither or ;
RED[213],[214]encodestheorderingoffractionalparts
• where is the
of clock readings in the variable ordering and has achieved
biggesttimingconstantusedinthereal-timesystemsor
veryhighspaceefficiencyforsymmetricsystemswithlarge
inthespecificationand meansanyconstantgreater
numbers of clocks and small timing constants. RED is a
than ;and
canonicalrepresentationoftimedautomatastatesubspaces.
•
Butforlargetimingconstants,REDsperformancedegrades
Foreachtwo , , meansthat rapidly.
.AtimespacecharacterizablebyaDBMiscalled Then in 2001, Wang proposed the clock-restriction di-
a zone. agram (CRD) [216]–[218], which has a structure similar
1292 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004
