In this paper, we consider symbolic model-checking for event-driven real-time systems. The concrete syntax of these systems is given in terms of a graphical programming language called Modechart [JMSS]. We propose a logic, Synchronous Real-Time Event Logic (SREL), for specifying the timing properties of these systems. We then present a symbolic model-checking algorithm which checks a modechart against an SREL formula, and discuss several implementation issues. In particular, we give an efficient solution to the problem of encoding timing and event counting functions based on Binary Decision Diagrams (BDDs). This solution has been incorporated into the SMV system v2.3 [M92] and has achieved one to two orders of magnitude of speedup and space saving when compared to the solution based on the integer operations provided by the SMV system.
Introduction
Real-time systems are different from traditional finite-state systems in that they often have to meet hard real-time constraints in addition to functional correctness requirements. Many efforts have been carried out in recent years to automate the verification of real-time systems. An early work in this area is by Jahanian, Mok, and Stuart. As a part of the SARTOR project [M85], they extended the language Statechart [H86] with constructs for specifying timing constraints. The semantics of the resulting language, Modechart, is given in RTL (Real Time Logic) [JM86], a first-order logic which is specialized for specifying timing properties of event-based real-time systems. In [JS88, SS90], they proposed and subsequently implemented an algorithm for verifying timing properties of real-time systems using computation graphs. In a more recent development, Alur, Courcoubetis, Dill, Henzinger and others have considered extending temporal logic by introducing a "freeze" operator [ACD90, HNS91]. In [ACD90], the authors successfully applied the model checking technique for finite state machines [CE81, CES86] to the verification of real-time systems based on the region graph approach. However, the application of model checking is limited by the state explosion problem, which is even more severe in the presence of timing predicates. For this reason, many researchers have focused on symbolic model checking methods [EC80, S82, CBM89, BCD90, CBG91]. Symbolic model checking has proven to be very successful for non-real-time systems because of the effectiveness of the BDD representation. In [HNS91], the authors considered extending symbolic model checking to real-time systems. The practicality of their method depends on the representation of state predicates and the computation of the next relation D.
As a continuing effort on the SARTOR project, we want to explore the possibility of incorporating this successful symbolic verification technique into the verification scheme based on Modechart and RTL.
Generally speaking, an event denotes an instantaneous change in system state, and many instances of an event may occur over time. An event-driven real-time system must respond to certain events with appropriate actions and within certain hard deadlines. In section 2, we propose a system model for synchronous event-driven real-time systems. In this model, the occurrences of events are observable only at integral (discrete) time boundaries. In other words, there is no temporal precedence among event instances that have the same time stamp. In section 3, we adopt a graphical programming language, Modechart [JM86], to provide a concrete syntax for these systems. For formal specification and verification, we propose a logic, Synchronous Real-Time Event Logic (SREL), in section 4. SREL can be viewed as a variation of Asynchronous Real-Time Event Logic (AREL) [WM92]. In section 5, we discuss several theoretical issues on model checking for Modechart and SREL. In section 6, we present a symbolic model checking algorithm which verifies a modechart against an SREL formula. In sections 7 and 8, we discuss several optimization strategies in the implementation of the model checking algorithm. In particular, since the representation of time ticks and event counting is critical in the implementation of a symbolic model checking algorithm for real-time systems, we propose an efficient BDD representation scheme for encoding such expressions in section 7. We have incorporated this scheme into the SMV system v2.3 [M92] from Carnegie-Mellon University and have been able to save one to two orders of magnitude in time and space compared to the integer implementation in the original system, as shown in section 9. We conclude our paper in section 10.
A System Model for Event-Driven Real-Time Systems
Example 1 (Railroad Crossing System) "The gate at a guarded railroad crossing is to be software controlled, and since the gate cannot control the train, a real-time solution is needed. There is an early warning signal at a distance from the crossing that gives notice to the gate controller that a train is approaching, and it is known that it takes the train at least 900 time units to reach the crossing from the signal. It is also known that the time required to lower the gate is between 20 and 50 time units. The controller itself can detect the departure of the train, and it requires between 20 and 100 time units to raise the gate. It is also known that trains are scheduled so that it takes at least 100 time units from the time a train leaves the crossing until the next train reaches the early warning signal." In most situations, the behavior of such a system can be characterized by the set of all possible sequences of event instances that happen in the system along the time line. For example, an execution of the railroad crossing system is shown in Figure 1.
In the figure, a name following (followed by) an arrow denotes a mode entry (exit) event. Two points in the figure are worth noticing. The first is that the instances of an event are distinguished by their different indices. Each instance is given a unique time stamp. By doing so, we are able to describe the correspondence relation between the instances of a stimulus event and the instances of a response event for most real-time applications. The second is that there is no temporal precedence among event instances with the same time stamp. In other words, they happen at exactly the same time. This choice of granularity is justified since the most basic RTL-style real-time specifications are constraints on the time differences among related event instances. We shall present some examples to illustrate these ideas later in section 4.
Now we formally define a system model to capture the behavior of a real-time system. The model is similar to the one in [ACD90] and adopts a discrete domain for time. Let $\mathbb{N}$ be the natural numbers, and $E$ a finite set of symbols called events. $\Theta = \{I : E \to \mathbb{N}\}$ and $\Pi = \{\Omega : E \to boolean\}$ are the sets of all functions from $E$ to $\mathbb{N}$ and from $E$ to $\{true, false\}$, respectively. A trace $\tau$ assigns to each time $t \in \mathbb{N}$ a pair $\tau(t) \in \Pi \times \Theta$, where $\tau_\Omega(t)$, $\tau_I(t)$ are the projections of $\tau(t)$ onto $\Pi$, $\Theta$, respectively. Intuitively, $\tau_\Omega(t)$ is the set of events happening at time $t$, and $\tau_I(t)$ records the number of instances of each event that have occurred up to time $t$. Given two traces $\tau, \tau'$, a set of traces $A$, and a time $t_0$, let $\tau^{t_0}$ denote the trace such that $(\tau^{t_0} \cdot \tau')(t) = \tau(t)$ for $0 \le t \le t_0 - 1$ and $(\tau^{t_0} \cdot \tau')(t) = \tau'(t - t_0)$ otherwise, and let $\tau^{t_0} \cdot A = \{\tau^{t_0} \cdot \tau' : \tau' \in A\}$.
Definition 2.2 (System Model) A system model for a synchronous event-driven real-time system over the discrete time domain is a structure $M = (E, f)$, where
1. $E$ is a finite set of events.
2. $f$ is a function from $\Pi \times \Theta$ to the set of all traces, such that for given $\Omega \in \Pi$, $I \in \Theta$, $f(\Omega, I)$ is the set of $(\Omega, I)$-traces satisfying the tree constraint:
The tree constraint in Definition 2.2 states that the behavior of the system only depends on the current configuration of the system.
Modechart
Modechart [JM86] is a graphical language extended from Statechart [H86] with constructs for specifying timing properties. Its visual hierarchical structure together with a small set of well-defined constructs makes it an attractive programming language for real-time systems. The restricted form of Modechart used in this paper treats a real-time system as a two-level structure, as in the example shown in Figure 2. In the example, the outermost box with name "railroad crossing" is the parallel mode representing the entire railroad crossing system. The second-level boxes with names "monitor" and "controller" are the serial modes representing the concurrent components in the system. The innermost boxes in each serial mode are the atomic modes representing the states of the serial mode. The arcs in each serial mode are transitions. A triggering condition, e.g. $\to BC$, on an arc means that once the condition holds while the serial mode is in the source atomic mode, the transition must be taken immediately. A timing condition of the form $(r, d)$ means that the transition should be taken no earlier than $r$ and no later than $d$ time units after the source mode is entered.
The restricted form of Modechart is formally defined as follows. The event set $E_G$ of $G$ consists of (1) an entry event $\to a$ and an exit event $a \to$ for each atomic mode $a$, and (2) a transition event $a \to a'$ for each edge $\langle a, a' \rangle$.
The semantics of the modechart is given formally in terms of a system model. To derive the system model for a modechart, we first take continuous snapshots of the states where transitions are occurring. An initialized run of $G$ is a sequence of states $s_0, s_1, \ldots$ at times $t_0, t_1, \ldots$ (with $\Omega_i$, $I_i$ the event and counter assignments of $s_i$) such that:
1. The initial state is $s_0 = \bigcup_k a_{k0}$, $a_{k0}$ being the initial atomic mode of each serial mode $k$, with $\Omega_0(\to a_{k0}) = true$, $I_0(\to a_{k0}) = 1$, and for every other event $e \in E_G$, $\Omega_0(e) = false$, $I_0(e) = 0$.
2. Time is increasing and divergent, i.e., $\forall i > 0$, $t_i \ge t_{i-1}$, and $\forall t \in \mathbb{N}$, $\exists i$ such that $t_i > t$.
3. All deadlines are met, i.e., for every atomic mode $a$, if $a$ is a component of a state $s_i$ and was last entered at state $s_j$ before (and including) $s_i$, then $(t_i - t_j) \le d$ for all $d$'s on the transitions from $a$.
4. $\forall i > 0$, state $s_i$ is reached from state $s_{i-1}$ by either a single transition or merely time passage. In the first case, if the transition $\langle a, a' \rangle$ is labeled with a triggering condition, then $a$ is a component of $s_{i-1}$ and the condition is satisfied by $\Omega_{i-1}$; otherwise, let $s_j$ be the state at which $a$ was last entered before (and including) $s_i$, then
By the definition, the sequence of state transitions happening at a time point preserves monotonicity, i.e., if $\Omega(e)$ is true in a state in the sequence, then it stays true in the subsequent states. Hence, once a triggering condition is true, it stays true unless time passes.
Besides the above property, we identify from most real-time applications some other properties a useful modechart should possess. Among them are normalization and synchronization. A modechart $G$ is normal iff for any initialized run of $G$, no event can happen more than once at any time point. The synchronization property is more complicated. The assumption is that events do not happen in an arbitrary pattern. It is often the case that the ratio between the number of instances of a response event and the number of instances of a stimulus event is properly balanced. Although the ratio varies from one system to another, it can usually be identified at an early design stage. In a missile system, for example, it is very natural to require that the number of missiles fired be close to but not exceeding the number of targets found. Formal specification examples will be given in section 4. From now on, unless otherwise stated, we assume that all modecharts are both normal and synchronized.
Now we derive the system model for a given modechart from the set of its initialized runs. Let us call a state in an initialized run stable iff the transition from the state is a time passage. The projection of an initialized run on $\Pi_G$ and $\Theta_G$ at stable states defines an initialized trace $\tau_0$ of the system as follows: $\forall t$, let $t'$ be the maximum time appearing in the initialized run satisfying $t' \le t$, and $s_i$ the stable state at $t'$; then
$$\tau(t) = (\Omega, I_i)$$
where $\Omega = \Omega_i$ if $t' = t$, and $\Omega(e) = false$ for every $e \in E_G$ otherwise. Hence,
where $f_G(\Omega, I)$ consists of all traces $\tau$ such that:
SREL: Syntax and Semantics
As stated in the previous sections, the properties of a real-time system to be specified and verified are the constraints on the real time differences among related event instances. Hence, the logic we propose should have constructs for identifying individual instances of events and associating instances with times. Let R be a finite set of integer variables called registers.
Definition 4.1 (SREL)
The syntax of SREL is inductively defined as follows:
In SREL, we separate the concern of identifying individual event instances from that of associating times with event instances by introducing two operators, $\Omega$ and $I$. Let $t_0$ be the current time. Informally speaking, $\Omega(e)$ means that an instance of event $e$ is happening at $t_0$, and $I(E)$ records the total number of instances of the events in $E$ that have occurred by time $t_0$. The introduction of terms enables us to group the same type of events together and to specify properties among different types of events which occur at different rates. We shall show how this kind of expression is used through an example later in this section. The freeze operator $(z := k_1 I(E_1)).\phi$ means that $\phi$ holds after $k_1 I(E_1)$ is assigned to register $z$. $AF_{\sim c}\,\phi_1$ means that along every trace $\phi_1$ will eventually hold at a time $t$ satisfying $t - t_0 \sim c$. $EF_{\sim c}\,\phi_1$ means that along some trace $\phi_1$ will hold at some time $t$ with the above property. We do not use the until operator in SREL since we are not concerned with properties spanning time intervals. Now we look at some specification examples.
Example 2 (A Missile System) A missile system consists of 3 firing units and 2 radar units. Event $fr_i$ denotes the event that a missile is fired by the $i$-th firing unit. Event $fn_j$ denotes the event that a target is located by the $j$-th radar unit.
The synchronization property: "the number of fired missiles is no more than the number of found targets and no less than the number of targets minus 2 at any time moment".
The timeliness property: "A missile must be fired within 6 time units once a target is found".
$AG((s := I(\{fn_1, fn_2\})).(\bigvee_j \Omega(fn_j) \Rightarrow$
The different ratio assertion: "the number of missiles fired by the first firing unit is always around 2 times as many as the number of missiles fired by the second firing unit".
holds. We can show the following theorem.
Theorem 4.1 (1) Given a synchronization property and a normal modechart, verifying whether the modechart preserves the property is in PSPACE; (2) the satisfiability problem for an s-fair SREL formula is EXPSPACE-complete.
Given a formula $\phi$, two terms $\pi_1$ and $\pi_2$ in
Model Checking A Modechart
In this section, we discuss the model checking problem. We use the following trivial example (Example 3) to illustrate how the model is built from a modechart. For simplicity, we assume that $\to B$ is the only event in the specification and no time bound is mentioned. Since the exact value of a timer or a counter is no longer interesting once it passes the largest constant referred to by the variable in $G$ and $\phi$ (including the derived constants in the s-fairness condition), a fixed value is used to represent all values beyond the largest constant (note that infinity is not considered a constant). Hence, each variable has a finite number of values.
Let S be the set of all introduced variables. The model checking algorithm involves three stages: (1) constructing a transition graph, (2) constructing a trace graph, (3) model-checking the trace graph.
In the first stage, the transition graph of modechart G is constructed as follows.
• A node in the transition graph is an assignment to the variables in $S$.
• An edge connects a source node to a destination node in the transition graph if the destination node can be reached from the source node by either a state transition or a time tick.
The node in the graph that corresponds to the initial state of the modechart is called the initial node of the transition graph. An edge is a tick edge if it represents a time tick. Otherwise, it is a state transition edge.
The transition graph for Example 3 is shown in Figure 3. The first and the second elements of a node correspond to modes S, T, respectively. The third and the fourth elements are timers for mode S and mode T.
In the second stage, the trace graph is constructed from the transition graph as follows.
• A node is in the trace graph if it is a node in the transition graph with an outgoing tick edge.
• An edge connects a source node to a destination node in the trace graph if there is a path from the source node to the destination node in the transition graph such that the first edge on the path is a tick edge and all the other edges on the path are state transition edges.
A node in the trace graph is an initial node if it can be reached from the initial node of the transition graph by only going through state transition edges in the transition graph. The trace graph for the trivial modechart is shown in Figure 4.
As the final stage, the model checking procedure for SREL applies a labeling procedure on the trace graph very similar to the labeling procedure for TCTL [ACD90] on the region graph. Readers are referred to that paper for the details. We conclude this section by stating the following theorems.
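The two construction stages described above, as an added Python example that is not the paper's code: a constructed toy modechart (an assumption, not the paper's Example 3) with atomic modes S and T and purely timed transitions is expanded into its transition graph of tick and state-transition edges, with the timer saturating above the largest constant as in Rule 4, and the trace graph is then derived by keeping the nodes that have an outgoing tick and following one tick plus the ST* closure. The single-timer node shape and the deadline check on ticks are simplifying assumptions.

```python
from collections import defaultdict

# Constructed toy modechart (an assumption, not the paper's Example 3): one serial mode
# with atomic modes S and T whose transitions carry only timing conditions (r, d).
EDGES = {("S", "T"): (1, 2), ("T", "S"): (1, 1)}   # (source, target) -> (r, d)
INITIAL = ("S", 0)                                  # start in S with its timer just reset

def tick(timer, bound):
    """Rule 4: every value above the largest constant is represented by one saturated value."""
    return timer if timer > bound else timer + 1

def build_transition_graph(edges, initial):
    """Stage 1: nodes are (mode, timer) assignments; edges are tagged 'tick' or 'st'."""
    bound = max(d for (_, d) in edges.values())
    graph = defaultdict(set)                         # node -> {(kind, successor)}
    todo, seen = [initial], {initial}
    while todo:
        mode, timer = node = todo.pop()
        deadline = min((d for (src, _), (_, d) in edges.items() if src == mode),
                       default=float("inf"))
        succs = []
        if timer + 1 <= deadline:                    # a tick may not miss a deadline (run condition 3)
            succs.append(("tick", (mode, tick(timer, bound))))
        for (src, dst), (r, d) in edges.items():
            if src == mode and r <= timer <= d:      # timing condition (r, d) holds now
                succs.append(("st", (dst, 0)))       # entering dst resets its timer
        for kind, succ in succs:
            graph[node].add((kind, succ))
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return graph

def st_closure(graph, start):
    """Nodes reachable from start through state-transition edges only (the ST* fixpoint)."""
    closure, todo = {start}, [start]
    while todo:
        for kind, succ in graph[todo.pop()]:
            if kind == "st" and succ not in closure:
                closure.add(succ)
                todo.append(succ)
    return closure

def build_trace_graph(graph, initial):
    """Stage 2: keep the stable nodes (those with an outgoing tick); an edge is one tick
    followed by any number of state transitions; initial nodes are those ST*-reachable
    from the initial node of the transition graph."""
    nodes = {n for n, out in graph.items() if any(k == "tick" for k, _ in out)}
    edges = set()
    for n in nodes:
        for kind, succ in graph[n]:
            if kind == "tick":
                edges |= {(n, m) for m in st_closure(graph, succ) if m in nodes}
    initials = {m for m in st_closure(graph, initial) if m in nodes}
    return nodes, edges, initials
```

On this toy modechart the transition graph has five nodes, of which only (S, 0), (S, 1) and (T, 0) survive into the trace graph because (S, 2) and (T, 1) must leave their mode before time can pass.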
$$SM(S_i, S_i') = \bigvee MT(S_i, S_i'), \qquad ST(S, S') = \bigvee_i SM_{s,s'}(S_i, S_i').$$
Rule 4 The predicate for a tick of a timer $t$ is
$$TICK(t, t') = ((t > b_t) \wedge (t' = t)) \vee ((t \le b_t) \wedge (t' = t + 1)),$$
where $b_t$ is the largest constant referred to by $t$.
Rule 5 The predicate for the time passage relation is
$$TP(S, S') = (\bigwedge TC(S_i)) \wedge (\bigwedge TICK(t, t')) \wedge (\bigwedge e' = false),$$
where $TICK(t, t')$ is a tick of timer $t$.
Combining Rule 3 and Rule 5, we finally get,
Rule 6 The predicate for the state transition of $G$ is
$$TR(S, S') = ST(S, S') \vee TP(S, S').$$
A complete symbolic representation for the railroad crossing system is given as follows. 
$$\mu ST^*(S, S').\Big(\big(\bigwedge_{s \in S} s = s'\big) \vee \big(ST^*(S, S'') \wedge ST(S'', S')\big)\Big)$$
We observe that a node is in the trace graph iff the
Stage 3: Symbolic Model Checking
The following algorithm computes the predicate representing the set of states in a given trace graph satisfying a given SREL formula. In the algorithm, $y$, $y'$ denote counters assigned to the corresponding event counting inequalities, and $t$ denotes the timer assigned to the AF (EF) operator.
Algorithm (symbolic model checking)
Input: a trace graph with legal condition $TC(S)$ and transition relation $TR(S, S')$, and an SREL formula $\phi(S)$.
Output: the boolean formula $\phi(S)$ denoting the set of states where $\phi$ is true.
end.
Finally, the formula is satisfied by the trace graph iff $\phi(S) \Leftarrow IC(S)$, where $IC(S)$ is the initial condition of the trace graph.
Our symbolic model-checking algorithm has the following characteristics. In contrast to the approach in [HNS91], in which time advancement is implicitly expressed by a next operator D, we represent time explicitly. Our approach is application independent. Although it inevitably introduces a fine granularity of time values, we overcome the problem by using a fast and efficient BDD construction scheme to encode time advancement and by using a variable reduction technique. These techniques will be discussed in the two subsequent sections. Another characteristic of our algorithm is that it works on trace graphs instead of transition graphs. A trace graph only encodes the stable states and time tick edges. Evidently, the size of the graph is smaller and the fixpoint converges faster. Since the transitive closure of the relation $ST(S, S')$ can be computed without referring to the whole relation $TR(S, S')$, and since each disjunct of the disjunction $ST(S, S')$ can be enumerated during the computation instead of the whole relation being used, time and space can be saved significantly. By contrast, converting an SREL formula to an equivalent RTCTL formula and verifying the formula on the transition graph often ends up manipulating a more complicated formula on a graph of a larger size.
A Fast and Efficient BDD Construction Scheme for Subrange Integers with Restricted Set of Operators
The SMV system v2.3 from Carnegie-Mellon University [M92] is a BDD-based symbolic model verifier. It takes a finite state machine (FSM) and a CTL formula, and uses a BDD-based symbolic model checking algorithm to determine whether the CTL formula is satisfied by the FSM (refer to [M92] for the details). The system already implements various operations on the subrange integer type. However, the implementation is very inefficient both in time and in space. The subrange integer type is treated almost no differently from an ordinary enumerated type. The definition of an enumerated variable consists of a sequence of bit variables together with a complete ordered binary tree which maps assignments to the sequence of bit variables to the values of the variable. Evidently, this mechanism causes an exponential blowup in time and space when a subrange integer variable is declared. A related inefficiency lies in converting inequalities into the corresponding BDDs. Given such an inequality, the system exhaustively enumerates all value combinations of the involved variables in order to find the combinations that make the inequality true. This is a very time-consuming process. Figure 5 and Figure 6 show two examples.
We observe that for our purposes, the timers and counters are actually subrange integer variables with a restricted set of operators. The definition of a restricted subrange variable also involves a sequence of bit variables. What is different is that we use the natural mapping from decimal values to binary values. There is no need to explicitly build a mapping from assignments to the sequence of bit variables to the decimal values of the variable. Declaring a restricted subrange variable only takes linear time and space. In the following, we present a fast and efficient BDD construction scheme for the inequalities over the restricted subrange type. Let
Proof: We consider the case where $\sim$ is $=$. The other cases can be proved similarly. Figure 7 shows how to build the BDDs for $eq(i, k)$ from the BDDs for $eq(i, k+1)$.
Since the predicate for $x = y + c$ is $eq(0, 1)$
where $adv(n + 1) = true$. Then we have
From the above lemma, we can show that,
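To make concrete the contrast this section draws between enumerating value combinations and building inequality BDDs structurally, here is an added Python example that is not the paper's or SMV's code: a minimal BDD manager builds the paper's first benchmark expression, z = (x + 1) modulo a power of two, once bit by bit through a ripple carry and once by exhaustive enumeration of all (x, z) pairs, and counts the recursive apply steps each needs. The interleaved variable order, the step counter and all function names are assumptions.

```python
INF = float("inf")   # pseudo-variable index of the terminal nodes 0 (false) and 1 (true)
class BDD:
    """Minimal reduced ordered BDD: a unique table plus a per-call memo for apply."""
    def __init__(self):
        self.nodes = [None, None]   # id -> (var, lo, hi); ids 0 and 1 are the terminals
        self.unique = {}            # (var, lo, hi) -> id, keeps the diagram canonical
        self.apply_steps = 0        # recursive apply steps not answered from the memo
    def mk(self, var, lo, hi):
        if lo == hi: return lo      # both branches equal: the test is redundant
        key = (var, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]
    def var(self, v): return self.mk(v, 0, 1)
    def apply(self, op, u, v): return self._apply(op, u, v, {})
    def _apply(self, op, u, v, memo):
        if (u, v) in memo: return memo[(u, v)]
        self.apply_steps += 1
        if u < 2 and v < 2:
            res = int(op(u, v))
        else:                       # split on the variable closest to the root
            vu = self.nodes[u][0] if u >= 2 else INF
            vv = self.nodes[v][0] if v >= 2 else INF
            top = min(vu, vv)
            ulo, uhi = self.nodes[u][1:] if vu == top else (u, u)
            vlo, vhi = self.nodes[v][1:] if vv == top else (v, v)
            res = self.mk(top, self._apply(op, ulo, vlo, memo),
                          self._apply(op, uhi, vhi, memo))
        memo[(u, v)] = res
        return res
    def AND(self, u, v): return self.apply(lambda a, b: a and b, u, v)
    def OR(self, u, v): return self.apply(lambda a, b: a or b, u, v)
    def XOR(self, u, v): return self.apply(lambda a, b: a != b, u, v)
    def NOT(self, u): return self.XOR(u, 1)

def increment_structured(bdd, n):
    """z = x + 1 (mod 2^n) built bit by bit with a ripple carry; no values are ever listed."""
    carry, pred = 1, 1                        # carry-in of 1 realises the "+1"
    for i in range(n):
        x, z = bdd.var(2 * i), bdd.var(2 * i + 1)   # assumed order: x bit i = 2i, z bit i = 2i+1
        s = bdd.XOR(x, carry)                 # sum bit i
        pred = bdd.AND(pred, bdd.NOT(bdd.XOR(z, s)))   # require z_i == s
        carry = bdd.AND(x, carry)
    return pred

def increment_enumerated(bdd, n):
    """Same predicate built as the text says SMV v2.3 does: test every (x, z) pair, OR the satisfying minterms."""
    pred = 0
    for xv in range(2 ** n):
        for zv in range(2 ** n):
            if zv != (xv + 1) % 2 ** n: continue
            minterm = 1
            for i in range(n):
                xb = bdd.var(2 * i) if xv >> i & 1 else bdd.NOT(bdd.var(2 * i))
                zb = bdd.var(2 * i + 1) if zv >> i & 1 else bdd.NOT(bdd.var(2 * i + 1))
                minterm = bdd.AND(minterm, bdd.AND(xb, zb))
            pred = bdd.OR(pred, minterm)
    return pred

def truth_set(bdd, root, n):
    """All (x, z) pairs on which the diagram evaluates to true."""
    out = set()
    for xv in range(2 ** n):
        for zv in range(2 ** n):
            node = root
            while node >= 2:
                var, lo, hi = bdd.nodes[node]
                node = hi if ((xv, zv)[var % 2] >> (var // 2)) & 1 else lo
            if node == 1: out.add((xv, zv))
    return out
def compare(n):
    """Build both ways on fresh managers; returns {name: (apply steps, truth set)}."""
    result = {}
    for name, build in (("structured", increment_structured), ("enumerated", increment_enumerated)):
        bdd = BDD()
        root = build(bdd, n)
        result[name] = (bdd.apply_steps, truth_set(bdd, root, n))
    return result
```

For n = 4 both constructions yield the same truth set, but the enumerated one performs far more apply steps, and the gap widens with n because the enumeration visits all 2^(2n) value pairs.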
Reducing Variables in Trace Graphs
Usually, the size of a trace graph can be significantly reduced by reducing the number of variables in the graph. Variables that do not appear in the SREL formula can be eliminated as long as the elimination does not collapse the nodes in the trace graph. We call such a variable an auxiliary variable. A simple reduction is to eliminate all auxiliary variables that are invariants. A variable is an invariant if it has the same value in all nodes. To test whether a variable $x$ is an invariant in the symbolic trace graph whose transition relation is $TR(S, S')$, we simply test whether the pro-
an invariant iff the implication holds.
Another more sophisticated reduction is to eliminate redundant auxiliary variables. Given a node V
ing two-level nested-loop procedure to find redundant variables. For each auxiliary variable $x$ in $S$, we examine the projection $(IC(S) \vee SUC(S))|_{(x,y)}$ for every other variable $y$ to test whether $x$ is redundant with respect to $y$. We then eliminate all redundant variables found. This procedure is both time and space efficient. It is worth doing since the symbolic verification procedure then works on a graph with fewer variables.
As an example, we show the trace graph for the trivial modechart after eliminating redundant variables in Figure 8 .
Experimental Results
We have incorporated the restricted subrange type and the BDD construction scheme into the SMV system v2.3 and tested our implementation on two examples. The first example is the construction of the expression z = (x + 1) mod 2'. The second example is the construction of the transition relation for the railroad crossing example described in a previous section. These two examples were tested on a SparcStation 1 with a 20 MHz clock and 16 MB of memory. The results are shown in the following tables.
A value listed in column trans. is the number of BDD nodes for the transition relation plus the number of those for the invariant (which is simply true in our testing examples). A value listed in column total is the
Conclusions
We propose in this paper a logic called SREL for the verification of synchronous event-driven real-time systems and give an efficient symbolic model checking algorithm for it. We show how to apply our techniques to a concrete specification language, Modechart, and give implementation results which show order-of-magnitude improvement over the SMV system v2.3.
Our improvements come from efficient encoding of time ticking and event counting functions in BDDs.
We are continuing work to gain more efficiency by exploiting the semantics of synchronous systems where transient states are not observable.
Much theoretical and practical work needs to be done. Currently, we are refining our symbolic model checker for SREL on top of the SMV system v2.3. We are also investigating more efficient algorithms for constructing symbolic trace graphs and performing verification. One approach is to only record in the trace graph the time instants when events occur. Subsequently, a more sophisticated symbolic model checking algorithm should be designed in order to utilize the further reduced graph. Another approach is to find variable redundancy in more sophisticated ways and to eliminate redundant variables in an earlier construction stage. Success in this area is likely to lead to a great reduction on the size of the trace graph.
