{VeSTA} : a Tool to Verify the Correct Integration of a Component in a Composite Timed System by Julliand, Jacques et al.
VeSTA : a Tool to Verify the Correct Integration of a
Component in a Composite Timed System
Jacques Julliand, Hassan Mountassir, Emilie Oudot
To cite this version:
Jacques Julliand, Hassan Mountassir, Emilie Oudot. VeSTA : a Tool to Verify the Correct Integration of a Component in a Composite Timed System. ICFEM’07, the 9th Int. Conf. on Formal Engineering Methods, 2007, United States. pp.116–135, 2007. <hal-00563421>
HAL Id: hal-00563421
https://hal.archives-ouvertes.fr/hal-00563421
Submitted on 4 Feb 2011
VeSTA: a Tool to Verify the Correct Integration of a Component in a Composite Timed System*
Jacques Julliand, Hassan Mountassir, and Emilie Oudot
LIFC - Laboratoire d’Informatique de l’Université de Franche-Comté
16, route de Gray, 25030 Besançon Cedex, France
Ph:+33 (0)3 81 66 66 51, Fax:+33 (0)3 81 66 64 50
{julliand,mountass,oudot}@lifc.univ-fcomte.fr
Abstract. Vesta is a push-button tool for checking the correct integration of a component in an environment, for component-based timed systems. By correct integration, we mean that the local properties of the component are preserved when this component is merged into an environment. This correctness is checked by means of a so-called divergence-sensitive and stability-respecting timed τ-simulation, ensuring the preservation of all linear timed properties expressed in the logical formalism Mitl (Metric Interval Temporal Logic), as well as strong non-zenoness and deadlock-freedom. The development of the tool was guided by the architecture of the Open-Kronos tool. This allows, as an additional feature, an easy connection of the models considered in Vesta to the Open-Caesar verification platform, and to the Open-Kronos tool.
Key-words. τ-simulation, integration of components, timed systems, preservation of linear-time properties.
1 Motivations
Model-checking is an attractive automatic verification method to ensure the correctness of models of systems. However, it is well-known that this method has difficulty handling large-sized models, in particular when treating models involving timing constraints. Component-based modeling is a method often used to model timed systems. First, it consists in decomposing the system into a set of sub-systems, called components. Next, each component is modeled and the interactions between them are specified. The complete model is obtained by putting together all these components with respect to their interactions. With such a modeling, two kinds of properties can be checked to ensure the correctness of the model: global properties concerning the behavior of the complete model, and local properties concerning the behavior of one or some components. For both kinds of properties, verification by model-checking is usually performed on the complete model, and thus can become difficult if the size of the model is too large.
* This work has been partially funded by the ANR-06-SETI-017 TACOS project (Trustworthy Assembling of Components: from requirements to specification). Vesta is available at the following url: http://lifc.univ-fcomte.fr/~oudot/VeSTA.
We propose to use an alternative method for the verification of local properties of the components: integration of components. Integration of components is an incremental development method. It consists, for a local property L of a component C, in checking L only on C. Model-checking is here applicable due to the generally small size of the components. Obviously, L has to be preserved when C is integrated in an environment E. When using the classic parallel composition operator ‖ between components, the preservation of local safety properties of C on C‖E is ensured for free. This is not the case for local liveness properties.
Simulation relations are a way to ensure preservation of properties. They have already been used in the untimed case for this purpose. For instance, [1] defines the refinement of transition systems as a kind of τ-simulation, which ensures the preservation of Ltl properties. In the timed case, a time-abstracting simulation is defined in [2], but does not preserve timed properties. Timed simulation is defined in [3], but does not consider the possible internal activity of the systems (internal activity is a main barrier to the preservation of liveness properties). A timed ready simulation is defined in [4], but does not allow preserving liveness properties. To our knowledge, there is no simulation relation for timed systems which handles internal activity of the systems and also preserves liveness properties. Therefore, we defined in [5] a divergence-sensitive and stability-respecting (DS) timed τ-simulation for timed components expressed as timed automata [6] and proved that it can ensure the preservation of all linear timed properties which can be expressed in the logical formalism Mitl [7], thus in particular linear liveness and bounded liveness properties. Strong non-zenoness and deadlock-freedom are also preserved by the relation. That is, if C simulates C‖E with respect to this relation, all linear local timed properties of C are preserved on C‖E.
The tool Vesta (Verification of Simulations for Timed Automata) was developed to automate the verification of the DS timed τ-simulation. More precisely, Vesta considers component-based timed systems, developed incrementally by integration of components, where each component is modeled as a timed automaton. It allows checking that local properties of a component (or group of components) of the system are preserved during its integration with other components of this system. The architecture of the tool was inspired by the one of the Open-Kronos tool [8]. Thus, like Open-Kronos, Vesta benefits from libraries which provide an efficient symbolic representation for networks of timed automata. This choice also allows connecting the models considered in Vesta to Open-Kronos, and also to the verification platform Open-Caesar [9].
The structure of the paper is the following. In section 2, we recall some background on timed systems, i.e., on the formalisms which are used in Vesta for the modeling of timed systems and their properties. This section also introduces the divergence-sensitive and stability-respecting timed τ-simulation, and its preservation abilities. Section 3 presents the tool Vesta: its architecture, the algorithms which are implemented and its graphical user interface. In section 4, we illustrate the interest of Vesta by using it to verify incrementally properties of a case study concerning a production cell. Section 5 presents some additional features of the tool. Finally, section 6 contains the conclusion and exhibits some future developments for Vesta.
2 Incremental verification of timed systems
We present here the preliminary notions that we consider concerning component-based timed systems. First, we introduce timed automata, which we use to model timed components, and the composition operator we use to assemble these components. Then, we present the simulation relation we defined for timed automata and recall previous results concerning the properties that it preserves during incremental development, and in particular, during integration of components.
2.1 Modeling timed systems
Since their introduction in [6], timed automata are amongst the most studied
models for timed systems. They are finite automata with real-valued variables
called clocks, to model time elapsing.
Clock valuations and clock constraints. Let X be a set of clocks. A clock valuation over X is a mapping v : X → R+, associating to each clock in X a value in R+. We note 0 the valuation assigning the value 0 to each clock in X. Given a clock valuation v and t ∈ R+, v + t is the valuation obtained by adding t to the value of each clock in v. Given Y ⊆ X, the dimension-restricting projection of v on Y, written v↾Y, is the valuation over Y only containing the values in v of clocks in Y. The reset in v of the clocks in Y, written [Y := 0]v, is the valuation in which all clocks in Y are reset to zero, while the value of other clocks remains unchanged.
A clock constraint over X is a set of clock valuations over X. The set Cdf(X) of diagonal-free clock constraints¹ over X is defined by the following grammar:
g ::= x ∼ c | g ∧ g | true
where x ∈ X, c ∈ N and ∼ ∈ {<, ≤, =, ≥, >}. Diagonal-free clock constraints do not allow comparison between clocks such as x − y ∼ c. Note that a clock constraint defines a convex X-polyhedron. We note zero the X-polyhedron defined by $\bigwedge_{x \in X} v(x) = 0$. The dimension-restricting projection and reset operation can be directly extended to clock constraints. The backward diagonal projection of the X-polyhedron ζ defines an X-polyhedron ↙ζ such that v′ ∈ ↙ζ if ∃t ∈ R+ · v′ + t ∈ ζ. The forward diagonal projection of ζ defines an X-polyhedron ↗ζ such that v′ ∈ ↗ζ if ∃t ∈ R+ · v′ − t ∈ ζ. Given c ∈ N, the extrapolation of ζ w.r.t. c, written Approx_c(ζ), is the smallest polyhedron ζ′ ⊇ ζ defined intuitively as follows: lower bounds of ζ greater than c are replaced by c, and upper bounds greater than c are ignored. All these operations preserve convexity.
¹ We restrict ourselves to this kind of clock constraints to ensure the correctness of the construction of the symbolic representation of TA [10].
Timed Automata. Let Props be a set of atomic propositions. A timed automaton (TA) over Props is a tuple A = ⟨Q, q0, Σ, X, T, Invar, L⟩ where Q is a finite set of locations, q0 ∈ Q is the initial location, Σ is a finite alphabet of names of actions, X is a finite set of clocks, T ⊆ Q × Cdf(X) × Σ × 2^X × Q is a finite set of edges, Invar is a function mapping to each location a clock constraint called its invariant and L is a labelling function mapping to each location a set of atomic propositions over Props. Each edge is a tuple e = (q, g, a, r, q′) where q and q′ are the source and target locations, g is a clock constraint defining the guard of the edge, a is the label of the edge and r is the set of clocks to be reset by the edge. We use the notation label(e) to denote the label a of the edge e. Examples of TA can be found in section 4.
Semantics. The semantics of a TA A is an infinite graph G(A) in which states are pairs (q, v), where q is a location of A and v a clock valuation over the clocks of A, such that v ∈ Invar(q). The transitions of this graph can be either discrete or time transitions. Consider a state (q, v). Given an edge e = (q, g, a, r, q′) of A, $(q, v) \xrightarrow{e} (q', v')$ (where v′ = [r := 0]v) is a discrete transition in G(A) if v ∈ g and v′ ∈ Invar(q′). We call (q′, v′) a discrete successor of (q, v). Time transitions have the form $(q, v) \xrightarrow{t} (q, v + t)$ where t ∈ R+ and v + t ∈ Invar(q). We say that (q, v + t) is a time successor of (q, v).
Symbolic representation. Due to the dense nature of time, the semantic graph of a TA has an infinite number of states. To perform algorithmic analysis for TA, a finite representation of this state space is needed. The symbolic representation currently used is based on the notion of zones, and leads to a symbolic graph called simulation graph. A zone (q, ζ) is a set of (semantic) states of a TA, such that they have the same discrete part q and the set of their valuations forms a convex polyhedron ζ. Given a zone z = (q, ζ), we note disc(z) the discrete part q of z, and poly(z) its polyhedron ζ. The transitions of a simulation graph are labelled by discrete actions (intuitively time elapses inside zones, and thus there are no transitions labelled by time delays). The following operations allow computing the transitions of a simulation graph: time-succ(z) and time-pred(z) represent respectively the set of time successors and predecessors of some state in z, while disc-succ(e, z) and disc-pred(e, z) represent respectively the set of discrete successors and predecessors of some state in z, by taking transition e. The operation post(e, z, c)² computes the successor zone of z by taking transition e, with respect to a constant c ∈ N (in general, this constant is the greatest constant appearing in the constraints of the TA), while the operation pre(e, z) computes the predecessor zone of z by transition e.
$$
\begin{aligned}
\text{time-succ}(z) &\stackrel{def}{=} \{\, s' \mid \exists s \in z,\ t \in \mathbb{R}^+ \cdot s \xrightarrow{t} s' \,\} \\
\text{time-pred}(z) &\stackrel{def}{=} \{\, s \mid \exists s' \in z,\ t \in \mathbb{R}^+ \cdot s \xrightarrow{t} s' \,\} \\
\text{disc-succ}(e, z) &\stackrel{def}{=} \{\, s' \mid \exists s \in z \cdot s \xrightarrow{e} s' \,\} \\
\text{disc-pred}(e, z) &\stackrel{def}{=} \{\, s \mid \exists s' \in z \cdot s \xrightarrow{e} s' \,\} \\
\text{post}(e, z, c) &\stackrel{def}{=} \text{Approx}_c(\text{time-succ}(\text{disc-succ}(e, z))) \\
\text{pre}(e, z) &\stackrel{def}{=} \text{disc-pred}(e, \text{time-pred}(z))
\end{aligned}
$$
² The operation post is used to compute the simulation graph. The use of the operator Approx_c in its definition ensures the termination of the construction of the simulation graph. More details can be found in [8].
Consider a TA A = ⟨Q, q0, Σ, X, T, Invar, L⟩ and c ∈ N a constant greater than or equal to the greatest constant appearing in a constraint of A. The simulation graph of A with respect to c, written SG(A, c), is a tuple ⟨Z, z0, Σ, E⟩ where Z is the finite set of states of the graph (i.e., a set of zones) and z0 = (q0, ↗zero ∩ Invar(q0)) is the initial zone. The set E ⊆ Z × T × Z of transitions is defined as follows: given a zone z and an edge e ∈ T, if z′ = post(e, z, c) ≠ ∅, then z′ is a zone of the graph and $z \xrightarrow{e} z'$ is a transition of the graph.
Classic parallel composition operator for TA. We consider timed systems modeled in a compositional framework. Each component is modeled as a TA, and components are put together with some parallel composition operator. We consider here the classic parallel composition operator for TA. This operator, written ‖, operates between TA with disjoint sets of clocks. It is defined as a synchronized product where synchronizations are done on actions with identical labels. Other actions interleave and time elapses synchronously between all the components. Formally, let us consider two TA Ai = ⟨Qi, q0i, Σi, Xi, Ti, Invari, Li⟩ for i = 1, 2, such that X1 ∩ X2 = ∅. The parallel composition of A1 and A2, written A1‖A2, creates a new TA whose set of clocks is X1 ∪ X2 and whose labels are Σ1 ∪ Σ2. The set Q of locations consists of pairs (q1, q2) where q1 ∈ Q1 and q2 ∈ Q2. The initial location is the pair (q01, q02). The invariant of a location (q1, q2) is Invar(q1) ∧ Invar(q2), and its label is L(q1) ∪ L(q2). The set T of edges is defined by the following rules:
Interleaving:
$$
\frac{(q_1, q_2) \in Q \quad (q_1, g_1, a, r_1, q_1') \in T_1 \quad a \notin \Sigma_2}{((q_1, q_2), g_1, a, r_1, (q_1', q_2)) \in T}
\qquad
\frac{(q_1, q_2) \in Q \quad (q_2, g_2, a, r_2, q_2') \in T_2 \quad a \notin \Sigma_1}{((q_1, q_2), g_2, a, r_2, (q_1, q_2')) \in T}
$$
Synchronization:
$$
\frac{(q_1, q_2) \in Q \quad (q_1, g_1, a, r_1, q_1') \in T_1 \quad (q_2, g_2, a, r_2, q_2') \in T_2}{((q_1, q_2), g_1 \wedge g_2, a, r_1 \cup r_2, (q_1', q_2')) \in T}
$$
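As an added example (not code from the paper or from Vesta), the following Python builds A1‖A2 for two small constructed components by applying the interleaving and synchronization rules above; the component names, locations, clocks and guards are invented for the illustration, and guards are kept as tuples of atomic constraints read as conjunctions.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Edge:
    src: object
    guard: tuple        # conjunction of atoms ("x", "<=", 3); () means true
    label: str
    reset: frozenset    # clocks reset by the edge
    dst: object


@dataclass
class TA:
    locations: frozenset
    init: object
    alphabet: frozenset
    clocks: frozenset
    edges: tuple
    invar: dict         # location -> conjunction of atoms
    labels: dict        # location -> frozenset of atomic propositions


def compose(a1, a2):
    """A1 || A2: synchronized product on identical labels, interleaving of the
    other actions.  Time elapsing is implicit (invariants are conjoined)."""
    if a1.clocks & a2.clocks:
        raise ValueError("|| is only defined for TA with disjoint clock sets")
    locs = frozenset(product(a1.locations, a2.locations))
    edges = []
    for (q1, q2) in sorted(locs):
        # Interleaving: an edge of A1 whose label is not in Sigma2 moves A1 alone
        for e in a1.edges:
            if e.src == q1 and e.label not in a2.alphabet:
                edges.append(Edge((q1, q2), e.guard, e.label, e.reset, (e.dst, q2)))
        # ... and symmetrically for A2
        for e in a2.edges:
            if e.src == q2 and e.label not in a1.alphabet:
                edges.append(Edge((q1, q2), e.guard, e.label, e.reset, (q1, e.dst)))
        # Synchronization: one edge per pair of edges with the same label;
        # guards are conjoined and reset sets united
        for e1 in a1.edges:
            if e1.src != q1:
                continue
            for e2 in a2.edges:
                if e2.src == q2 and e2.label == e1.label:
                    edges.append(Edge((q1, q2), e1.guard + e2.guard, e1.label,
                                      e1.reset | e2.reset, (e1.dst, e2.dst)))
    return TA(locs, (a1.init, a2.init), a1.alphabet | a2.alphabet,
              a1.clocks | a2.clocks, tuple(edges),
              {q: a1.invar[q[0]] + a2.invar[q[1]] for q in locs},
              {q: a1.labels[q[0]] | a2.labels[q[1]] for q in locs})


def outgoing_labels(ta, loc):
    """Labels of the edges leaving `loc`, i.e. the actions syntactically enabled there."""
    return sorted({e.label for e in ta.edges if e.src == loc})


def sender():
    """Constructed component C: prepare a piece (work), then hand it over (send)."""
    return TA(frozenset({"idle", "ready"}), "idle", frozenset({"work", "send"}),
              frozenset({"x"}),
              (Edge("idle", (("x", "<=", 2),), "work", frozenset({"x"}), "ready"),
               Edge("ready", (("x", ">=", 1),), "send", frozenset(), "idle")),
              {"idle": (("x", "<=", 2),), "ready": ()},
              {"idle": frozenset({"Idle"}), "ready": frozenset({"Ready"})})


def receiver():
    """Constructed environment E: accept a piece (send, shared with C), then ack it."""
    return TA(frozenset({"free", "busy"}), "free", frozenset({"send", "ack"}),
              frozenset({"y"}),
              (Edge("free", (("y", "<=", 5),), "send", frozenset({"y"}), "busy"),
               Edge("busy", (("y", ">=", 3),), "ack", frozenset(), "free")),
              {"free": (), "busy": (("y", "<=", 4),)},
              {"free": frozenset(), "busy": frozenset({"Busy"})})


if __name__ == "__main__":
    comp = compose(sender(), receiver())
    for e in comp.edges:
        print(e.src, "--", e.label, e.guard, "reset", set(e.reset), "-->", e.dst)
    # In (ready, busy) the send of C is blocked until E acks: E constrains C,
    # which is why local liveness of C is not preserved for free.
    print("enabled in (ready, busy):", outgoing_labels(comp, ("ready", "busy")))
```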
2.2 Simulation relations to preserve properties
Recall that we are interested in developing incrementally component-based timed systems, by integration of components. The major issue when using such a method is to ensure preservation of already checked local properties of a component, when integrating it in an environment. We defined in [5] a divergence-sensitive and stability-respecting (DS) timed τ-simulation, which ensures the preservation of linear timed properties, in particular safety, liveness and bounded-liveness ones.
Consider a component C to be integrated in an environment E, using the parallel composition operator ‖, where each component is modeled as a timed automaton. This integration leads to a composite automaton C‖E, which contains new clocks and new actions compared to C. New clocks are the clocks of E, and new actions are internal actions of E which do not synchronize with an action of C. In C‖E, we consider such actions as being non-observable and rename them by τ. The DS timed τ-simulation is defined between the traces of C‖E and C and is characterized by (i) if C‖E can make an action of C after some amount of time, then C could also make this action after the same amount of time (clauses 1 and 2 of Definition 1), (ii) internal actions of the environment E (called τ) stutter (clause 3 of Definition 1). Note that this definition actually corresponds to the classic notion of τ-simulation, which we extend to handle time. We also add two criteria to the definition of this simulation, namely divergence-sensitivity and stability-respect. Divergence-sensitivity ensures that internal actions τ of E will not take control forever, and stability-respect guarantees that the integration of C in E will not create new deadlocks.
In order to avoid too many definitions, we remain concise in the presentation of the simulation and focus here directly on its symbolic formal definition, which is the one implemented in the tool Vesta. More details, as well as the definition at the semantic level, can be found in [5]. However, the following technical points used in Definition 1 must be clarified. The predicate free, used in the clause stability-respect, was defined in [8]. Informally, given a location q of a timed automaton, free(q) is the set of all valuations (of states with q as discrete part) from which a discrete transition can be taken after some time elapsed. The formal definition is:
$$\mathit{free}(q) = \bigcup_{e = (q, g, a, r, q') \in T} \swarrow\!\big(g \cap [r := 0]\mathit{Invar}(q')\big).$$
The predicate src_val, used in the clause strict simulation, is defined formally as follows: src_val(z, e, z′) = poly(pre(e, z′) ∩ z). It represents the valuations of the subset of states in z which lead to states in the zone z′ by taking transition e and letting time elapse.
Definition 1 (Symbolic DS timed τ-simulation). Let SG1 = ⟨Z1, z01, Σ1, E1⟩ and SG2 = ⟨Z2, z02, Σ1 ∪ {τ}, E2⟩ be two simulation graphs, obtained respectively from two TA A1 and A2. The symbolic DS timed τ-simulation Z_ds is the greatest binary relation included in Z2 × Z1, such that z2 Z_ds z1 if:
1. Strict simulation:
$$z_2 \xrightarrow{e_2} z_2' \;\wedge\; \mathit{label}(e_2) \in \Sigma_1 \;\Rightarrow\; \exists z_1' \cdot \big( z_1 \xrightarrow{e_1} z_1' \;\wedge\; \mathit{label}(e_1) = \mathit{label}(e_2) \;\wedge\; \mathit{src\_val}(z_2, e_2, z_2')\restriction_{X_1} \subseteq \mathit{src\_val}(z_1, e_1, z_1') \;\wedge\; z_2' \,\mathcal{Z}_{ds}\, z_1' \big).$$
2. Equality of delays and of common clocks valuations: $\mathit{poly}(z_2)\restriction_{X_1} \subseteq \mathit{poly}(z_1)$.
3. τ-transitions stuttering: $z_2 \xrightarrow{e_2} z_2' \;\wedge\; \mathit{label}(e_2) = \tau \;\Rightarrow\; z_2' \,\mathcal{Z}_{ds}\, z_1$.
4. Stability respect: $(\mathit{poly}(z_2) \setminus \mathit{free}(\mathit{disc}(z_2)))\restriction_{X_1} \subseteq \mathit{poly}(z_1) \setminus \mathit{free}(\mathit{disc}(z_1))$.
5. Divergence sensitivity: SG2 does not contain any non-zeno τ-cycles. A non-zeno τ-cycle is a cycle which only contains transitions labelled by τ and in which the total time elapsed goes to infinity (i.e., time diverges).
We extend this relation to simulation graphs. Consider two simulation graphs SG1 and SG2, whose initial zones are respectively z01 and z02. We say that SG1 simulates SG2 with respect to Z_ds, written SG2 Z_ds SG1, if z02 Z_ds z01.
Preservation abilities. The DS timed τ-simulation preserves all properties which can be expressed with the logic Mitl (Metric Interval Temporal Logic) [7], as well as strong non-zenoness and deadlock-freedom. Formal proofs can be found in [5]. Mitl is a linear timed logic, which can be viewed as the timed extension of the linear (untimed) logic Ltl [11] and in which temporal operators are constrained by a time interval. Strong non-zenoness is a specific essential property of timed systems. A TA is said to be strongly non-zeno if time can diverge along each path of its semantic graph. Note that the timed τ-simulation, without divergence-sensitivity and stability-respect criteria, preserves all safety properties.
Composability. Composability is an essential property for integration of components. Indeed, it expresses that a component automatically simulates its integration with other ones. Formally, given components C and E, it means that C simulates its integration with E, i.e., the composition C‖E. Thus, composability can ensure the preservation of local properties of C for free (the properties preserved depend on the notion of simulation which is considered).
The composability property is guaranteed with the timed τ-simulation (without divergence-sensitivity and stability-respect), when integration is achieved with the classic parallel composition operator. This implies that safety properties are preserved for free during this integration process. However, this is not the case when considering the divergence-sensitivity and stability-respect criteria: composability does not automatically hold. To ensure this property, the DS timed τ-simulation has to be checked algorithmically. Therefore, we implemented this verification in a tool named Vesta.
3 The tool Vesta
Vesta considers component-based timed models consisting of a set of components (modeled as timed automata) which interact using the classic parallel composition operator ‖. Therefore, it provides graphical and textual editors to capture these elements. Then, Vesta can automatically generate composite systems, made up by parallel composition of chosen components with respect to the given interactions.
The main feature of Vesta is to check if local properties of a component are preserved when it is merged into an environment, by checking if this component simulates the composite system obtained by this merging. The simulation can be checked either in a “general way”, i.e., to ensure preservation of all the local properties of a component, or “partially”, i.e., for some specific given properties. This partial verification is presented in detail in section 5.1. In both cases, if the simulation is not checked successfully, the tool reports the error found as well as a graphical diagnostic consisting of the trace of the composite system which is not simulated by any trace of the component, and the trace of the component it had to correspond to.
3.1 Architecture of Vesta
Vesta was developed using both the C and Java languages. Java is used for the graphical user interface, which is described in the next section, and C for the core of the tool, which is described below. The architecture of Vesta is shown in Fig. 1. The models considered consist of three kinds of elements: the set of components (saved in .aut files) and possibly their local properties (prop) in the case of partial verification, the types of the variables used in the components and the interactions between components (sync). From this modeling, Vesta can automatically generate composite systems by using the classic parallel composition operator between the components (.exp files). Compositions can also have local properties.
To get an efficient representation of this model, Vesta is based on SMI³ (Symbolic Model Interface). SMI is a powerful library providing an efficient representation for finite-state models, by building an equivalent symbolic representation using decision diagrams. Note that our choice was guided by the functioning of the Open-Kronos tool [8], which is already based on SMI.
Fig. 1. Structure of Vesta (figure: the component-based timed model, made of .aut components with their prop files plus the types and sync elements, from which composite systems (.exp files with prop) are created; the translator module produces a .c file which is compiled and linked with the OPEN−CAESAR and DBM libraries into simul (simul.a, profounder.a with the modified profounder), giving a Yes/No answer with a diagnostic and its graphical representation; the generated code can also be connected to Open/Caesar verification modules)
The core of the tool consists of two modules: translator and simul, taking as input two components, which can be composite systems (.exp files): one corresponding to a component C to be integrated in an environment E, and the other to the composite system C‖E obtained after having integrated C in E. translator creates a .c file which implements data structures and functions to generate a symbolic graph (the so-called simulation graph) for each input component. The way data structures and functions are created for C‖E allows it to be connected to the different modules of Open-Caesar. When this file is created, it is compiled and linked to the Open-Caesar and Dbm libraries (Dbm libraries allow manipulating the timing constraints of the model). Then, an executable simul is created and run to check the stability-respecting timed τ-simulation. The divergence-sensitivity part is checked thanks to an adaptation of an algorithm of the module Profounder [12] of Open-Kronos. This algorithm, as well as the one implemented in simul, is presented in the next section.
³ http://www-verimag.imag.fr/~async/SMI/index.shtml
3.2 Algorithms
The DS timed τ-simulation is checked in two phases. The divergence-sensitive part (i.e., clause 5 of Def. 1) is checked independently with an adaptation of an algorithm of the module Profounder, which is part of the Open-Kronos tool. Then, the stability-respecting timed τ-simulation is checked in the module simul (i.e., clauses 1 to 4 of Def. 1). Thus, Vesta uses two main algorithms to check the DS timed τ-simulation: one for divergence-sensitivity, and the other for the stability-respecting timed τ-simulation.
Adaptation of the module Profounder to check divergence-sensitivity. For this verification, we use the algorithm called full DFS (full Depth First Search) defined in [8, 12]. This algorithm was first designed to test the emptiness of a timed Büchi automaton, in the case of a persistent acceptance condition (i.e., from one point on, the automaton only visits accepting states). The algorithm thus consists in detecting non-zeno cycles in the automaton such that they only contain accepting states. For this, it visits all the paths of the simulation graph of the automaton, and puts them in a stack. The exploration of a path stops when reaching a state which is already in the stack (this means that an elementary cycle is found). It only remains to check that the cycle is non-zeno and only contains accepting states.
Algorithm 1 presents the adaptation of this algorithm to detect non-zeno τ-cycles, instead of non-zeno accepting cycles, in a simulation graph SG = ⟨Z, z0, Σ, E⟩, where the alphabet Σ contains the action τ. When a cycle is detected, we test if it is non-zeno and if all the transitions of the cycle are labelled by τ. The procedures Top, Push and Pop are classic operations on stacks, allowing to get the top of a stack, and to add and remove an element in the stack. The procedure Part(Stack, e) gets all the elements of the stack Stack added after the element e. The procedure Next(Stack, e) gets the element following e in Stack (i.e. the element added after e). The procedure non_zeno is defined as in [8] and performs a syntactic test to check if a path is non-zeno. This test consists in checking that, in the cycle, there exists a clock x which is reset at a point i of the cycle, and that x has a lower bound at a point j of the cycle. Intuitively, this ensures that at least one time unit elapses at each loop in the cycle.
Algorithm 1. A full DFS to check divergence-sensitivity

divergence_sensitivity(SG) {
    Stack := {z0}
    return non_zeno_τ_cycles()
}

non_zeno_τ_cycles() {
    z := Top(Stack)
    cycle := false
    while ∃ z −e→ z′ ∈ E and cycle = false
        if z′ ∉ Stack then
            Push(z′, Stack)
            cycle := non_zeno_τ_cycles()
            Pop(Stack)
        else
            if ∀z1 ∈ Part(Stack, z′), ∃ z1 −τ→ Next(Stack, z1) ∈ E
               and non_zeno(Part(Stack, z′)) then
                return true
    end while
    return cycle
}
Note that a classic DFS is generally not sufficient to detect non-zeno τ-cycles. Indeed, this search can miss cycles. For instance, consider a simulation graph with four states (and, to simplify, only τ-transitions), such that there is a zeno τ-cycle visiting the following states: 1 → 2 → 3 → 1, and a non-zeno one 1 → 4 → 2 → 3 → 1. A simple DFS would explore the path 1 → 2 → 3 → 1 and find this zeno cycle, which is not retained for divergence-sensitivity checking. Then, the search would explore the path 1 → 4 → 2, and stop since the state 2 has already been visited. Thus, the non-zeno cycle is missed. The full DFS would not have missed this cycle since it explores all cycles. However, the drawback of this algorithm is its worst-case complexity: exponential in the size of the simulation graph [12]. The problem exposed above with a simple DFS comes from zeno cycles. For strongly non-zeno simulation graphs (i.e., which do not contain any zeno path), a simple DFS (linear in the size of the graph) is sufficient.
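The full DFS of Algorithm 1 on the four-state graph above, as an added Python example that is not part of the paper or of Vesta: zones are plain strings, each edge carries the clocks it resets and the clocks its guard bounds from below (a constructed abstraction of the guards, enough for the syntactic non_zeno test), and a classic visited-set DFS is included to show the missed cycle and the strongly non-zeno case where it suffices.

```python
from dataclasses import dataclass

TAU = "tau"   # internal action of the environment, renamed τ in C||E


@dataclass(frozen=True)
class Edge:
    dst: str
    label: str
    resets: frozenset = frozenset()   # clocks reset by the edge
    lower: frozenset = frozenset()    # clocks with a lower bound x >= c (c >= 1) in the guard


def non_zeno(cycle):
    """Syntactic test of [8] as described in the text: some clock is reset at one
    point of the cycle and bounded from below at another, so every loop lets at
    least one time unit elapse."""
    reset = frozenset().union(*(e.resets for e in cycle))
    lower = frozenset().union(*(e.lower for e in cycle))
    return bool(reset & lower)


def is_nonzeno_tau_cycle(cycle):
    return all(e.label == TAU for e in cycle) and non_zeno(cycle)


def full_dfs(graph, z0):
    """Algorithm 1: a path stops only at a zone already on the current Stack (an
    elementary cycle); zones seen on other paths are re-explored, so every
    elementary cycle is examined.  Returns True iff a non-zeno τ-cycle exists."""
    zones, taken = [z0], []          # Stack of zones, and the edges taken between them

    def non_zeno_tau_cycles():
        z = zones[-1]
        for e in graph[z]:
            if e.dst not in zones:
                zones.append(e.dst)
                taken.append(e)
                if non_zeno_tau_cycles():
                    return True
                zones.pop()
                taken.pop()
            else:
                # edges along Part(Stack, z') plus the closing edge e form the cycle
                cycle = taken[zones.index(e.dst):] + [e]
                if is_nonzeno_tau_cycle(cycle):
                    return True
        return False

    return non_zeno_tau_cycles()


def simple_dfs(graph, z0):
    """Classic DFS with a global visited set, for comparison: a zone reached
    earlier on another path is never re-entered, which hides the second cycle."""
    zones, taken, visited = [z0], [], {z0}

    def search():
        z = zones[-1]
        for e in graph[z]:
            if e.dst in zones:
                cycle = taken[zones.index(e.dst):] + [e]
                if is_nonzeno_tau_cycle(cycle):
                    return True
            elif e.dst not in visited:
                visited.add(e.dst)
                zones.append(e.dst)
                taken.append(e)
                if search():
                    return True
                zones.pop()
                taken.pop()
        return False

    return search()


# Constructed graph from the text: a zeno τ-cycle 1→2→3→1 and a non-zeno one
# 1→4→2→3→1 (x is reset on 1→4 and bounded from below on 4→2).  Successors are
# listed in the order a DFS explores them: state 2 before state 4.
GRAPH = {
    "1": [Edge("2", TAU), Edge("4", TAU, resets=frozenset({"x"}))],
    "2": [Edge("3", TAU)],
    "3": [Edge("1", TAU)],
    "4": [Edge("2", TAU, lower=frozenset({"x"}))],
}

# Same shape, but the closing edge 3→1 is an observable action: no τ-cycle at all.
OBSERVABLE = {**GRAPH, "3": [Edge("1", "a")]}

# Strongly non-zeno variant: the inner cycle also resets and lower-bounds x, so
# the simple DFS already finds a non-zeno τ-cycle on its first path.
STRONG = {**GRAPH,
          "1": [Edge("2", TAU, resets=frozenset({"x"})), Edge("4", TAU, resets=frozenset({"x"}))],
          "3": [Edge("1", TAU, lower=frozenset({"x"}))]}

if __name__ == "__main__":
    print("full DFS finds a non-zeno tau-cycle:", full_dfs(GRAPH, "1"))
    print("simple DFS finds one:", simple_dfs(GRAPH, "1"))
```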
Checking the stability-respecting timed τ-simulation in the module simul. Algorithm 2 checks the symbolic stability-respecting timed τ-simulation between two simulation graphs SG1 = ⟨Z1, z01, Σ1, E1⟩, with set of clocks X1, and SG2 = ⟨Z2, z02, Σ1 ∪ {τ}, E2⟩. Formally, it checks that SG2 Z_ds SG1, without the divergence-sensitivity clause. This verification is in O((|Z1| + |E1|) × (|Z2| + |E2|)). The algorithm is split into four parts, the main one being verification_Zds. A procedure verif_Z_and_stability_respect performs a joint depth-first search of SG2 and SG1, and at each step of the search, it checks clauses 1 to 4 of Def. 1. A set Visited records the already visited pairs of zones in relation, and a stack Stack contains the currently checked pairs of zones. This stack also allows returning diagnostics when the verification fails.
Algorithm 2. Verification of the symbolic DS timed τ-simulation

verification_Zds(SG2, SG1) {
    if divergence_sensitivity(SG2) then
        return false
    else
        Stack := {(z02, z01)}
        Visited := ∅
        return verif_Z_and_stability_respect()
}

verif_Z_and_stability_respect() {
    simul_ok := true
    (z2, z1) := Top(Stack)
    if delays_equality(z2, z1) ∧ stab_respect(z2, z1) then
        while ∃ a transition z2 −e2→ z′2 in E2 and simul_ok = true
            if label(e2) ∈ Σ1 then
                if ∃ z1 −e1→ z′1 s.t. label(e1) = label(e2) ∧
                   strict_simulation(z1, e1, z′1, z2, e2, z′2) = true then
                    if (z′2, z′1) ∉ Visited and (z′2, z′1) ∉ Stack then
                        Push((z′2, z′1), Stack)
                        simul_ok := verif_Z_and_stability_respect()
                        Pop(Stack)
                else
                    return false
            else
                if (z′2, z1) ∉ Visited and (z′2, z1) ∉ Stack then
                    Push((z′2, z1), Stack)
                    simul_ok := verif_Z_and_stability_respect()
                    Pop(Stack)
        end while
    else
        return false
    if simul_ok = true then Visited := Visited ∪ {(z2, z1)}
    return simul_ok
}

strict_simulation(z1, e1, z′1, z2, e2, z′2) {
    return (src_val(z2, e2, z′2)↾X1 ⊆ src_val(z1, e1, z′1))
}

stab_respect(z2, z1) {
    return ((poly(z2) \ free(disc(z2)))↾X1 ⊆ poly(z1) \ free(disc(z1)))
}

delays_equality(z2, z1) {
    return (poly(z2)↾X1 ⊆ poly(z1))
}
3.3 Graphical User Interface
The GUI of Vesta is shown in Fig. 2. The tree on the left is an explorer to navigate between the elements of the model, the generated assembling of components, and the results of already checked preservations (i.e., simulations). The bottom-right part is a log window, displaying information such as syntax errors or summarized results of preservation checks. The top-right part is the main element of the GUI, with five tabs:
– the Types tab displays the types of the variables used in the model,
– the Interactions tab shows the interactions between the components,
– the Basic Components tab contains all the components of the model,
– the Composite Components tab contains the assembling of components,
– the Simulations tab contains results for each already checked preservation.
Fig. 2. Graphical User Interface of Vesta
The menubar and toolbar provide buttons to treat a new model. They allow creating new components, importing components from another model, choosing components to put together and automatically creating the assembling, and checking simulations. The interactions between components can be created graphically via the Interactions tab. Components (i.e. timed automata⁴) are described through a textual editor, with a simple language which consists in giving the invariant of each location, and the transitions of the component (name, source and target location, guard, reset and, possibly, update of some variables).
⁴ Actually, Vesta considers extended timed automata, which can be equipped with boolean, bounded-integer and enumerative-type variables. However, the use of these variables is restricted to a local use for the components (no shared variables).
4 Vesta in practice: incremental verification of a production cell
The tool Vesta allowed us to show the benefit of incremental development by integration of components, formalized by the DS timed τ-simulation, in comparison with a direct verification on the complete model of the system. We present in this section a case study concerning a production cell5. This case study was developed by FZI (the Research Center for Information Technologies, in Karlsruhe) as part of the Korso project. The goal was to study the impact of the use of formal methods when treating industrial applications. Thus, this case study was treated in about thirty different formalisms. We treated it with timed automata, as was done in [14].
Presentation of the case study. The production cell contains six devices, as shown in Fig. 3: a feed-belt equipped with a sensor, a deposit-belt, an elevating-rotary table, a two-arm robot and a press. It also contains one or several pieces to be treated. Our modeling of the cell follows the one of [14].
Fig. 3. The Production Cell Example (devices shown: feed-belt, sensor, table, robot with arm A and arm B, press, deposit-belt)
Description of the production cell. A simplified functioning of the cell is the following. Pieces arrive on the feed-belt. The sensor detects when a piece is introduced in the cell, and sends a message to the robot to inform it that the piece is going to be available. When the piece arrives at the end of the belt, it is transferred to the table, which goes up and turns until it is in an adequate position for the robot to take it. The robot turns 90° so that its arm A can pick the piece up, and then puts it in the press, which processes it. When the treatment is finished, the piece is taken by the arm B of the robot, which transports it to the deposit-belt where it is evacuated. The behavior of each device depends on timing constraints and is modeled by a timed automaton. In the sequel, we focus particularly on local properties concerning the robot, and on the assembling robot‖press. Fig. 4 and 5 show respectively the timed automata modeling the robot and the press.
5 The detailed results for this case study, as well as other experimentations, can be
found in [13].
Fig. 4. Timed Automaton of the robot (clock xR; boolean variables PA, PB, PP; locations include at table, wait table to press, turn 90, at press, wait piece in press, wait press ready, at wait, at dep belt; synchronization labels include table to robot, plate taken by robot, press get plate, robot to db)
Fig. 5. Timed Automaton of the press (clock xP; locations include plwait, process plate, move back; synchronization labels press get plate, plate taken by robot, press move back)
Some local properties. We identified seven main properties of the robot: two safety properties (called P1 and P2), two liveness (response) properties (P3 and P4) and three bounded liveness properties (P5, P6 and P7)6. We also identified a main liveness property (P8) ensuring the correct functioning of the robot and the press when they are put together. We express these properties in Mitl7.
6 Roughly, safety properties express that something bad will never happen, liveness properties that something expected will eventually happen, and bounded liveness properties that something expected will eventually happen within some bounded delay.
7 The detailed expressions of these properties can be found in [13].
Our objective is to compare direct verification and incremental verification by integration of components, for Mitl properties. The first method consists in assembling all the components, and then checking properties P1 to P8 on the complete model obtained. The second method consists in checking these properties locally, only on the components they concern, and then ensuring that they are preserved when these components are integrated in their environment. That is, properties P1 to P7 are checked on the robot component, and property P8 on the assembling robot‖press. Then, the preservation of P1 to P7 must be ensured when the robot component is integrated with the press component, and the preservation of P8 must be guaranteed when this assembling is integrated with all the other components of the system. In this way, each locally checked property holds on the complete model, since preservation is checked by means of the DS timed τ-simulation, which is a preorder and thus a transitive relation.
Experimental results for the production cell. First note that Vesta is not a model-checker. Thus, to check the properties locally and globally, we used the model-checker Kronos [15]. Kronos is a verification tool for timed systems which performs Tctl model-checking [16]. Tctl is a logical formalism that allows the expression of branching-time properties. Even if we do not consider branching-time properties, we can use it for this example since the Mitl properties we consider can also be expressed in Tctl8. It turns out that the local and global verification of all the properties, achieved with Kronos, succeeded.
Vesta makes it possible to ensure the preservation of locally established properties. Therefore, it is first used to check that the local properties of the robot are preserved when it is combined with the press, and then that the property of the assembling robot‖press is preserved when these components are integrated with the rest of the components of the cell and one piece. In both cases, the verification succeeded, and thus the preservation of the Mitl properties P1 to P8 is guaranteed (as well as the preservation of strong non-zenoness and deadlock-freedom).
Fig. 6 presents the results obtained on the example, by comparing incremental verification by integration of components to direct verification. We compared the time consumed to perform the direct verification on the whole model (column "Global Verification") and the time spent to achieve incremental verification, i.e., local verification plus preservation checking. It turns out that, even if the computation times are still acceptable, direct verification consumes much more time (almost 20 seconds) than incremental verification where preservation is checked with Vesta (less than one second).
Property                 Global Verification   Local Verification   Preservation checking
                         (Kronos)              (Kronos)             (Vesta)
P1 (safety)              0.01                  < 0.001
P2 (safety)              0.01                  < 0.001
P3 (liveness)            0.98                  < 0.001
P4 (liveness)            15.79                 0.04                 0.05 (P1 to P7, single check)
P5 (bounded liveness)    0.68                  < 0.001
P6 (bounded liveness)    0.48                  < 0.001
P7 (bounded liveness)    0.7                   < 0.001
P8 (liveness)            0.93                  0.02                 0.46
Total                    19.58                 0.06                 0.51
Fig. 6. Comparison of the local and global verification times (in seconds)
8 To our knowledge, there is no tool performing Mitl model-checking.
Diagnostics. In Section 3, we stated that Vesta is able to provide diagnostics when the verification of the DS timed τ-simulation (and thus of the preservation) fails. To show this functionality, we slightly modify the automaton of the press. We add a guard (for instance xP ≤ 40) to the transition plate taken by robot, which means that the press expects to be unloaded by the robot at most 40 time units after having received a piece. This modification prevents the preservation from being established when the robot is integrated with the press. Indeed, adding this guard introduces a deadlock in the assembling press‖robot which did not exist in the robot component alone. Thus, deadlock-freedom is obviously not preserved. Moreover, the Mitl properties P3 to P7 are not preserved either, since the non-introduction of deadlocks is precisely one of the conditions defining the DS timed τ-simulation (clause stability-respect), and thus one of the conditions ensuring the preservation of Mitl properties. Note that properties P1 and P2 are still preserved since they are safety properties and, therefore, their preservation needs neither stability-respect nor divergence-sensitivity.
The graphical diagnostic provided by Vesta helps to locate where the deadlock is introduced, by showing the trace of the assembling robot‖press in which the deadlock appears, together with the corresponding trace of the robot component that had to simulate it with respect to the DS timed τ-simulation. Fig. 7 shows how diagnostics are displayed in Vesta.
5 Additional features
The main functionality of Vesta is to check the DS timed τ-simulation, using exactly algorithms 1 and 2. In addition, Vesta offers an additional feature: a partial verification of the relation, which ensures the preservation of some specific, user-given Mitl properties. This kind of verification, as well as its motivations, are explained below.
5.1 Partial verification of the preservation
Let us go back to the second version of the production cell example, in which we modified the guard of the edge plate taken by robot in the automaton of the press. As we explained, the deadlock introduced in the assembling robot‖press prevents ensuring the preservation of all the properties which can be expressed for the robot, since the verification of the simulation fails. However, the specified local properties of the robot may still be preserved. For this reason, we improved Vesta by giving the user the possibility to specify the properties to preserve, and to check the preservation only for these properties (instead of a "global preservation"). This is what we call partial verification of the preservation. Thus, the objective of such a verification is to guarantee the preservation of the specified local properties of a component, rather than the preservation of all the properties which could potentially be specified. So far, this functionality is only available for response properties of the form (p ⇒ ♦q). The reasoning behind this kind of verification is the following. In most cases, the verification of the simulation fails due to the introduction of deadlocks (i.e., the clause stability-respect of the simulation does not hold). Consider now a component C, a local property L = (p ⇒ ♦q) of C and an environment E in which C must be integrated. A path π in C‖E in which a deadlock is introduced, compared to the path of C which simulates it, makes the verification of the preservation fail. However, if this path π does not concern L, then the preservation of L should still be guaranteed.
Fig. 7. Diagnostic provided by Vesta
Let us detail how this partial verification is achieved for a response property of the form (p ⇒ ♦q). To ensure the preservation of such a property, we must guarantee that, when p is encountered in a path π, this path is not cut (by the introduction of a deadlock) before q is reached. Thus, the partial verification consists in checking this non-introduction of deadlocks (i.e., the clause stability-respect) only for the states of π located between the state satisfying p and the one satisfying q. Fig. 8 illustrates the principle of this verification for this kind of property. A path is represented, and the states on which stability-respect must be checked are put in grey. Note that divergence-sensitivity must also be checked for these states, to ensure that the path is not cut by the introduction of an infinite sequence of non-observable actions. The verification of divergence-sensitivity consists in checking that these states are not part of a non-zeno cycle containing only non-observable actions.
Fig. 8. Partial verification for a property of the form (p ⇒ ♦q). The path shown is ¬p ¬p ¬p p ¬q ¬q q,¬p: no verification of stability-respect and divergence-sensitivity is performed on the leading ¬p states; both clauses are verified on the states from p up to q.
Thus, Vesta lets the user specify the local properties of C of the form (p ⇒ ♦q) which must be preserved, and verifies the simulation only as far as needed to guarantee the preservation of these properties. Note that, contrary to the classic verification, this partial verification does not guarantee the preservation of strong non-zenoness and deadlock-freedom.
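The following Python example is added here to make the principle of the partial verification concrete; it is not code from Vesta or from the paper. It works on an abstract path of the assembling C‖E: each state carries the atomic propositions it satisfies and two flags, assumed to have been computed by the simulation check, stating whether the clauses stability-respect and divergence-sensitivity hold at that state. The example computes the window of states that must be checked for a response property (p ⇒ ♦q), taking both the p state and the q state into the window (the conservative reading of Fig. 8) and keeping the window open to the end of the path when no q follows a p, then contrasts the classic verification (clauses required everywhere) with the partial one (clauses required only on the union of the windows of the user-given properties). The sample paths, including the deadlock placed after q in the spirit of the modified press example, are constructed for the example.

```python
"""Partial verification of the preservation of response properties (p => <>q).

Added example, not code from Vesta or the paper.  A path of the assembling
C||E is a list of states; each state carries the atomic propositions it
satisfies and two flags ASSUMED to come from the simulation check:
  stability_ok  - clause stability-respect holds at this state (no deadlock
                  introduced w.r.t. the state of C that simulates it),
  divergence_ok - clause divergence-sensitivity holds (the state is not on a
                  non-zeno cycle made only of non-observable actions).
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class State:
    name: str
    props: FrozenSet[str] = field(default_factory=frozenset)
    stability_ok: bool = True
    divergence_ok: bool = True


def states_to_check(path: List[State], p: str, q: str) -> List[int]:
    """Indices of the states on which both clauses must hold for (p => <>q):
    from a state satisfying p up to the next state satisfying q, both
    included (conservative reading of Fig. 8).  A p met while the window is
    open adds no new obligation; if no q follows a p, the window stays open
    to the end of the path, since the path could be cut anywhere after p."""
    indices: List[int] = []
    in_window = False
    for i, s in enumerate(path):
        if not in_window and p in s.props:
            in_window = True
        if in_window:
            indices.append(i)
            if q in s.props:
                in_window = False
    return indices


def _failing(path: List[State], indices: Iterable[int]) -> List[str]:
    """Names of the states among `indices` where one of the clauses fails."""
    return [path[i].name for i in indices
            if not (path[i].stability_ok and path[i].divergence_ok)]


def partial_preservation(path: List[State],
                         props: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Partial verification: the clauses are required only on the union of the
    windows of the given response properties (p, q).  Returns (ok, failures)."""
    to_check = set()
    for p, q in props:
        to_check.update(states_to_check(path, p, q))
    failing = _failing(path, sorted(to_check))
    return (not failing, failing)


def global_preservation(path: List[State]) -> Tuple[bool, List[str]]:
    """Classic verification: the clauses are required on every state, which is
    what also yields the preservation of deadlock-freedom and non-zenoness."""
    failing = _failing(path, range(len(path)))
    return (not failing, failing)


def _st(name: str, *props: str, stability_ok: bool = True,
        divergence_ok: bool = True) -> State:
    return State(name, frozenset(props), stability_ok, divergence_ok)


# Constructed path mirroring Fig. 8: not-p not-p not-p p not-q not-q q.
FIG8_PATH = [_st("s0"), _st("s1"), _st("s2"), _st("s3", "p"),
             _st("s4"), _st("s5"), _st("s6", "q")]

# Constructed variant in the spirit of the modified press: a deadlock is
# introduced after q has been reached, i.e. outside the window of p => <>q.
DEADLOCK_AFTER_Q = FIG8_PATH + [_st("s7", stability_ok=False)]

# Constructed variant where the deadlock cuts the path between p and q.
DEADLOCK_IN_WINDOW = (FIG8_PATH[:4] + [_st("s4", stability_ok=False)]
                      + FIG8_PATH[5:])

if __name__ == "__main__":
    print(states_to_check(FIG8_PATH, "p", "q"))                    # [3, 4, 5, 6]
    print(global_preservation(DEADLOCK_AFTER_Q))                    # (False, ['s7'])
    print(partial_preservation(DEADLOCK_AFTER_Q, [("p", "q")]))     # (True, [])
    print(partial_preservation(DEADLOCK_IN_WINDOW, [("p", "q")]))   # (False, ['s4'])
```

The deadlock after q makes the classic verification fail while the partial one succeeds, which is exactly the situation of Sect. 5.1: the global preservation (and with it deadlock-freedom) is lost, but the specified response property is still preserved. A second property whose window reaches the deadlocked state, for instance (q ⇒ ♦r) with no r on the path, brings the failure back.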
5.2 Connection to other platforms and tools
Another interesting point of Vesta is the following. Recall that the design of the tool was inspired by the Open-Kronos tool. In particular, the syntax used to describe the components, and the symbolic representation of these models, are identical to those of Open-Kronos. Thus, a direct consequence of this design choice is that models considered in Vesta can be connected to the Open-Kronos tool. Connection to the Open-Caesar verification platform is also possible as another direct consequence, since this connection was already available from Open-Kronos models.
The connection to Open-Kronos is particularly interesting. Indeed, the ability to connect Vesta models to Open-Kronos could make it possible to check Mitl properties directly on the models considered in Vesta. Recall that, for now, we use the tool Kronos to perform model-checking, since there exists no tool for Mitl model-checking. Thus, as Kronos is a Tctl model-checker, we are restricted to Mitl properties which can also be expressed in Tctl. Moreover, Vesta models must be translated into Kronos syntax. The Open-Kronos tool can perform reachability analysis, but can also test timed Büchi automata (TBA) emptiness. Mitl properties can be translated into TBA which recognize the same language. Thus, with a translator from Mitl to TBA (such translators do not exist yet) and an implementation of the composition of TA with TBA (see [8] for more details about this special composition), it would be possible to connect Vesta models of components directly to Open-Kronos, perform Mitl model-checking on these components, and then check with Vesta the preservation of these properties during the integration of these components.
6 Conclusion and further developments
In this paper, we presented the tool Vesta, which makes it possible (i) to model a component-based timed system incrementally, by integration of components, and (ii) to ensure the preservation of established local properties of the components on the complete model, instead of performing a direct verification of these properties on this complete model. Timed components are modeled as timed automata, and integration is achieved by means of the classic parallel composition operator for timed automata. Preservation is checked by means of a divergence-sensitive and stability-respecting timed τ-simulation. Precisely, a successful verification of this relation ensures the preservation of all linear timed properties expressed with the logic Mitl, of strong non-zenoness and of deadlock-freedom.
The first results obtained for incremental verification by integration of components, using Vesta for the preservation part, are encouraging. On the production cell case study of [14], it turns out that a direct verification consumes almost 20 seconds of computation time, while the incremental one based on preservation needs less than one second. Other experiments showed that Vesta can handle models of up to 400000 symbolic states. Beyond this number, we did not have enough memory for the verification of the preservation to run to completion (on a PC with 1Gb memory). Nevertheless, this number has to be put in perspective with respect to the number of clocks of the model, which is a direct cause of high memory consumption: the model from which we obtained this upper bound has 15 clocks. Thus, further improvements will be dedicated to handling this limitation, by implementing abstractions such as the active-clock reduction [17, 18], which allows clocks to be ignored in states where they are inactive.
Another further development concerns the partial verification of the DS timed τ-simulation. The objective of such a verification is to check preservation only for the local properties which are specified for the components, instead of ensuring the preservation of all properties which could potentially be expressed. So far, this partial verification is only available for response properties of the form (p ⇒ ♦q). It seems interesting to extend this kind of verification to other patterns of liveness and bounded-liveness properties. Moreover, this kind of verification could optimize computation times. Indeed, recall that partial verification consists, in particular, in checking the stability-respecting part of the simulation only on some specific states, instead of checking it systematically. As stability-respect is checked by means of high-cost operations, such as polyhedra complementation, it is essential to avoid checking this clause as much as possible. Thus, generalizing partial verification could lead to better performance in terms of computation times for checking preservation.
Additional Information. More information on Vesta can be found in its complete documentation and user guide at the following URL:
http://lifc.univ-fcomte.fr/publis/papers/pub/2006/RT2006-01.pdf.
Acknowledgments. We would like to thank Stavros Tripakis for having sent us the distribution of Open-Kronos, particularly the module Profounder and some (useful!) source files. Thanks also for the time spent answering questions.
References
1. Bellegarde, F., Julliand, J., Kouchnarenko, O.: Ready-simulation is not Ready to Express a Modular Refinement Relation. In: Proc. of FASE'00. Volume 1783 of LNCS., Berlin, Germany, Springer-Verlag (2000) 266–283
2. Henzinger, M., Henzinger, T., Kopke, P.: Computing simulations on finite and infinite graphs. In: Proc. of FOCS'95. (1995) 453–462
3. Tasiran, S., Alur, R., Kurshan, R., Brayton, R.: Verifying Abstractions of Timed Systems. In: Proc. of CONCUR'96. Volume 1119 of LNCS., Pisa, Italy, Springer-Verlag (1996) 546–562
4. Jensen, H., Larsen, K., Skou, A.: Scaling up Uppaal: Automatic verification of real-time systems using compositionnality and abstraction. In: Proc. of FTRTFT'00, London, UK, Springer-Verlag (2000) 19–30
5. Bellegarde, F., Julliand, J., Mountassir, H., Oudot, E.: On the contribution of a τ-simulation in the incremental modeling of timed systems. In: Proc. of FACS'05. Volume 160 of ENTCS., Macao, Macao, Elsevier (2005) 97–111
6. Alur, R., Dill, D.: A theory of timed automata. Theoretical Computer Science 126 (1994) 183–235
7. Alur, R., Feder, T., Henzinger, T.: The benefits of relaxing punctuality. Journal of the ACM 43 (1996) 116–146
8. Tripakis, S.: The analysis of timed systems in practice. PhD thesis, Université Joseph Fourier, Grenoble, France (1998)
9. Garavel, H.: OPEN/CAESAR: An Open Software Architecture for Verification, Simulation and Testing. In Steffen, B., ed.: Proc. of TACAS'98, Lisboa, Portugal (1998)
10. Bouyer, P.: Untameable Timed Automata! In: Proc. of STACS'03. Volume 2607 of LNCS., Berlin, Germany, Springer-Verlag (2003) 620–631
11. Pnueli, A.: The temporal logic of programs. In: Proceedings of the 18th IEEE Symposium on Foundations Of Computer Science. (1977) 46–77
12. Tripakis, S., Yovine, S., Bouajjani, A.: Checking Timed Büchi Automata Emptiness Efficiently. Formal Methods in System Design 26 (2005) 267–292
13. Bellegarde, F., Julliand, J., Mountassir, H., Oudot, E.: Experiments in the use of τ-simulations for the components-verification of real-time systems. In: Proc. of SAVCBS'06, Portland, Oregon, USA (2006) Also available on ACM Digital Library.
14. Burns, A.: How to verify a safe real-time system: The application of model-checking and timed automata to the production cell case study. Real-Time Systems Journal 24 (2003) 135–152
15. Yovine, S.: Kronos: A verification tool for real-time systems. Journal of Software Tools for Technology Transfer 1 (1997) 123–133
16. Alur, R., Courcoubetis, C., Dill, D.: Model-Checking in Dense Real-time. Information and Computation 104 (1993) 2–34
17. Daws, C., Yovine, S.: Reducing the number of clock variables in timed automata. In: Proc. of RTSS'96, IEEE Computer Society Press (1996)
18. Daws, C., Tripakis, S.: Model checking of real-time reachability properties using abstractions. In: Proc. of TACAS'98. Volume 1384 of LNCS., Lisbon, Portugal, Springer-Verlag (1998) 313–329
