HyTech is a tool for the automated analysis of embedded systems. This document, designed for the rst-time user of HyTech, guides the reader through the underlying system model, and through the input language for describing and analyzing systems. The guide gives installation instructions, several examples of usage, some hints for gaining maximal computational e ciency from the tool, and the complete grammar for the input language.
Introduction
The control of physical systems with embedded hardware and software is a growing application area for computerized systems. Since many e m bedded controllers occur in safety-critical situations, it is important to have reliable design methodologies that ensure that the controllers operate correctly. HyTech aids in the design of embedded systems by not only checking systems requirements, but also performing parametric analysis. Given a parametric system description, HyTech returns the exact conditions on the parameters for which the system satis es its safety and timing requirements.
For completeness, we begin with a brief presentation of the underlying theoretical framework of linear hybrid automata ACHH93, A CH + 95], which w e use to describe system speci cations and requirement speci cations. These automata model the continuous activities of analog variables (such as temperature, time, and distance), as well as discrete events (such a s i n terrupts and output signals). Communication is modeled through event synchronization and shared variables. HyTech's input consists of two parts: a system description and analysis commands. The system-description language allows us to represent linear hybrid automata textually. The tool forms the parallel composition of a collection of automata, each describing a modular component o f a n e m bedded system. The analysis-command language allows us to write simple iterative programs for performing tasks such a s r e a c hability analysis and error-trace generation.
We illustrate the use of the tool on several examples taken from the literature, and provide hints for a veri cation engineer to gain the maximal possible e ciency from HyTech. Outline Section 2 reviews linear hybrid automata, their semantics, parallel composition, and associated analysis techniques. A brief history of HyTech appears in Section 3. Sections 4 and 5 describe the HyTech
This research w as supported in part by the O ce of Naval Research Y oung Investigator award N00014-95-1-0520, by t h e National Science Foundation CAREER award CCR-9501708, by the National Science Foundation grants CCR-9200794 and CCR-9504469, by t h e A i r F orce O ce of Scienti c Research contract F49620-93-1-0056, by the Advanced Research Projects Agency grant N A G2-892.
y An abbreviated version of this paper appeared in the Proceedings of the First Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), Lecture Notes in Computer Science 1019, Springer-Verlag, 1995, pp. 41{71. 1 The only changes from version 1.02 of February 1996 are bug xes, porting to Linux, DEC Ultrix, Digital Unix, and HP-UX in May 1996, and replacement of the closure di erence operator cldiff with the exact di erence operator diff in October 1996. Figure 2: Gate automaton input language, rst the system-description part, and then the analysis-command part. Section 6 illustrates the use of the tool on several examples. Section 7 is a short guide to designing speci cation requirements using HyTech's command language. Section 8 provides information on installing and running HyTech. Section 9 contains hints for the e cient use of HyTech. Appendix A contains complete input and output les. The grammar o f HyTech's input language appears in Appendix B.
Linear Hybrid Automata
We model systems as the parallel composition of a collection of linear hybrid automata ACHH93, ACH + 95]. Informally, a linear hybrid automaton consists of a nite set X of real-valued variables and a labeled multigraph. The vertices represent c o n trol modes, each with its own constraints on the slopes of variables in X. The edges represent discrete events and are labeled with guarded assignments to X. The state of the automaton changes either through the instantaneous action associated with an event or, while time elapses, through the continuous activity associated with a control mode. We also explicitly model urgent events, which m ust take place as soon as they are enabled (unless another instantaneous action disables them).
We use the linear hybrid automata that model a simple railroad crossing LS85, AHH93] as a running example. The system consists of three components: a train, a gate, and a controller. The train is initially some distance |at least 2000 feet |away from the track i n tersection with the gate fully raised. As the train approaches, it triggers a sensor | 1000 feet ahead of the intersection | signaling its upcoming entry to the controller. The controller then sends a lower command to the gate, after a delay o f u p t o seconds. When the gate receives a lower command, it lowers at a rate of 9 degrees per second. After the train has exited the intersection and is 100 feet away, it sends an exit signal to the controller. The controller then commands the gate to be raised. The role of the controller is to ensure that the gate is always closed whenever the train is in the intersection, and that the gate is not closed unnecessarily long. The linear hybrid automata for the train, the gate, and the controller appear in Figures 1, 2 and 3.
De nition
We give an informal description of linear hybrid automata, and refer the reader to AHH93, HHWT95a] for detailed de nitions. A linear hybrid automaton consists of the following components.
Variables The automaton uses a nite ordered set X = fx 1 x 2 . . . x n g of real-valued variables to model continuous activities. For example, the position of the train is determined by the value of the variable x, which represents the distance of the train from the intersection. The variable g models the angle of the gate. When g = 90, the gate is completely open when g = 0, it is completely closed. A valuation is a point ( a 1 a 2 . . . a n ) i n t h e n-dimensional real space R n , or equivalently, a function that maps each v ariable x i to its value a i . A linear expression over a set X of variables is a linear combination of variables in X with rational coe cients. A linear inequality is an inequality b e t ween linear expressions. A convex predicate is a nite conjunction of linear inequalities, e.g. x 1 3^3x 2 x 3 + 5 =2. A predicate is a nite disjunction of convex predicates, de ning a set of valuations.
Locations Control modes are modeled using a nite set of vertices called locations. F or example, the gate automaton has the locations open, raising, lowering, a n d closed. A state (v s) of the automaton A consists of a location v and a valuation s. W e use the term region to refer to a set of states. The valuations associated with a location v within a region W are the valuations s such t h a t ( v s) 2 W. Initial condition There is a designated initial location and an initial predicate 0 over X de ning the set of initial values of the variables. For example, the gate is initially in location open with the value of g equal to 90. In the graphical representation, a small incoming arrow i d e n ti es the initial location, and is labeled with the predicate 0 .
Invariant conditions Each location v is labeled with a convex predicate inv(v) o ver X, t h e invariant of v.
The automaton control may reside in location v only while its invariant is true, so the invariants can be used to enforce progress in the automaton. For example, in the gate automaton, inv(open) = ( g = 9 0 ) , inv(lowering) = ( g 0), inv(raising) = ( g 90), and inv(closed) = ( g = 0 ) . T h e i n variant at location lowering implies that the gate can only be lowered until it is fully closed, at which p o i n t c o n trol moves out to location closed. In the graphical representation, the invariant true is omitted.
We are primarily interested in states (v s) where the valuation s satis es the location's invariant inv(v). Such states are called admissible.
Transitions Discrete events are modeled using edges between locations, which are called transitions. F or example, the train automaton has three transitions one from location far to location near for entering the region immediately surrounding the intersection, one from near to past for going through the intersection, and one from past to far for exiting the region around the intersection. Each transition is labeled with an update set and a jump condition. The update set Y is a subset of X. The jump condition is a convex predicate over X Y 0 , where Y = fy 1 . . . y k g, a n d Y 0 = fy 0 1 . . . y 0 k g. The variable x i refers to its value before the transition, and the primed variable y 0 i refers to the value of y i after the transition. Only variables in Y are updated by the transition. In the train automaton, the transition between locations past and far is labeled with the guarded command x = 1 0 0 ! x := 2000 1). In the graphical representation, we omit the guard true. We de ne the binary transition-step relation, !, o ver admissible states such t h a t ( v s) ! (v 0 s 0 ) i the state (v 0 s 0 ) can be reached from the state (v s) b y taking a transition. We assume that for every urgent transition u, i f ( v s) u ! (v 0 s 0 ), then for all valuations s 0 satisfying inv(v) there exists a valuation s 0 0 such that (v s 0 ) u ! (v 0 s 0 0 ). A location v is urgent if there exists a valuation s and an urgent transition u, s u c h that u is enabled at (v s). No time is allowed to pass in such a location. Each transition is optionally given a synchronization label. The synchronization labels are used to de ne the parallel composition of hybrid automata. For example, in the gate automaton, the transition from open to lowering has the synchronization label lower, and this synchronizes (i.e. must be taken simultaneously) with the transition labeled lower in the controller automaton.
Rate conditions We denote the rate of change of the variable x 2 X by _ x, and we l e t _ X be the set f _ x 1 _ x 2 . . . _ x n g. Each control location v is labeled with a convex predicate act(v) o ver _ X, called the rate condition of v. F or a given location, the rate condition restricts the rates of change of the variables. In the gate automaton, the rate condition for locations open and closed is _ g = 0, for location raising, i t is _ g = 9 , a n d f o r lowering, i t i s _ g = ;9. There is a technical restriction on the rate conditions allowed.
All predicates that de ne closed and bounded sets over _ X are permitted, and all examples in this guide meet this condition 3 .
We de ne the time-step relation, !, s u c h that (v s) ! (v 0 s 0 ) i v = v 0 , and there exists a real 0 such t h a t > 0 implies v is not urgent, and there is a function f : 0 ] ! R n such t h a t (1) f(0) = s, ( 2 ) f( ) = s 0 , (3) for all t 2 0 ], f(t) satis es inv(v), and (4) for all time t 2 (0 ) (df 1 (t)=dt df 2 (t)=dt . . . d f n (t)=dt) satis es act(v), where f i (t) denotes the value of variable x i in the valuation f(t).
2 Given a valuation s, w e w r i t e s Y ] for the restriction of s to the variables in Y . 3 The precise condition for the rate condition to be allowed is that de nes a closed set, and the set of vectors f _ y j _ y does not satisfy and 9k 2 Rsuch t h a t 0 k 1 a n d _ x satisfying such that _ y = k _ xg is bounded. In theory, the condition we require is not essential: however, it guarantees that the computation of time-step successors is e cient.
Parallel composition
A h ybrid system typically consists of several components which operate concurrently and communicate with each other. Each component is described as a separate linear hybrid automaton. The component automata coordinate through shared variables, and synchronization labels on the transitions are used to model messagetype coordination. The linear hybrid automaton for the entire system is then obtained from the component automata using a product construction.
The control locations of the parallel composition of two automata A 1 and A 2 are pairs of locations, the rst from A 1 and the second from A 2 . The location (v 1 v 2 ) has the conjunction of v 1 and v 2 's invariants as its invariant, and the conjunction of their rate conditions as its rate condition. A location is initial i its components are initial in their respective automata. The initial convex predicate is the conjunction of the components' initial convex predicates. Transitions from the components are interleaved, unless they share the same synchronization label, in which case they are synchronized and executed simultaneously, if at all. In the train-gate controller example, the system is composed of the train, gate, and controller automata of Figures 1, 2 and 3 . The controller communicates with the train by synchronizing on approach and exit events. It issues commands to the gate on the synchronized events raise and lower. The train's transition from location near to far is unlabeled, so it does not synchronize with any of the other components. In particular, this means the controller does not know the precise time at which the train enters the intersection.
We require a technical condition that the composition be well-formed: whenever two components synchronize on a label, if one transition is urgent then the other must either be urgent, or have a jump condition expressible as a guarded command with its guard being either the predicate true or the predicate false.
Reachability and safety v eri cation
At a n y time instant, the state of a hybrid automaton speci es a location and the va l u e s o f a l l v ariables.
If the automaton has the location set V and n variables, the state space is de ned as V R n . W e de ne the binary successor relation ! A over states as ! !. F or a region W, w e de ne post(W ) t o b e t h e set of all successor states of W, i.e. all states reachable from a state in W via a single transition or time step. The region forward r eachable from W is de ned as the set of all states reachable from W after a nite numb e r o f s t e p s , i.e. the in nite union post (W) = S i 0 post i (W). Similarly, w e de ne pre(W ) t o b e t h e set of all predecessor states of W, a n d w e let the region backward r eachable from W be the in nite union pre (W) = S i 0 pre i (W). In practice, many problems to be analyzed can be posed in a natural way as reachability problems. Often, the system is composed with a special monitor process that \watches" the system and enters a violation state whenever the execution violates a given safety requirement. Indeed all timed safety requirements Hen92], including bounded-time response requirements, can be veri ed in this way. See Section 7. A state (v s) i s initial if v is the initial location, and s satis es the initial predicate. A system with initial states I is correct with respect to violation states Y i post (I) \ Y = , or equivalently i pre (Y ) \ I is empty.
HyTech computes the forward reachable region by nding the limit of the in nite sequence I, post(I), post 2 (I), . . . of regions. Analogously, the backward reachable region is found by iterating pre. These iteration schemes are semidecision procedures: there is no guarantee of termination. Nevertheless, we nd that in practice, HyTech's reachability procedures terminate on most examples we h a ve attempted. In addition, it has been shown that for a large class of systems HKPV95], a linear hybrid automaton can be automatically preprocessed into an equivalent automaton over which the iterations converge.
Parametric analysis
A major strength of HyTech is its ability to perform parametric analysis. Often a system is described using parameters, and the system designer is interested in knowing which v alues of the parameters are required for correctness. Since the system is incorrect for parameter values for which there exists a state in the region post (I) \ Y , w e m a y obtain necessary and su cient conditions for system correctness by performing reachability analysis followed by existential quanti cation CH78].
Our study of the train-gate controller demonstrates this technique. The controller decides when to issue lower commands to the gate based on the amount of time since the train last passed the sensor located 1000 feet ahead of the intersection. We consider the problem of determining exactly how long the controller can wait before issuing commands, while maintaining the requirement that the gate be closed whenever the train is within 10 feet of the intersection. The parameter corresponds to the latest possible moment the controller can wait. We then use HyTech to determine that the composed system includes violations whenever is greater than or equal to 49=5. Thus we conclude that the system is correct for values of the parameter strictly less than 49=5.
3 A Brief History of HyTech
Implementation
There have been three generations of HyTech. The very earliest prototype AHH93] w as written entirely in the symbolic computation tool Mathematica. Regions were represented as symbolic formulas. The evaluation of time-step successors used existential quanti cations that are easily encoded in this language. While Mathematica o ers powerful symbolic manipulation, and allows rapid development and experimentation with algorithms and heuristics, its operations over predicates turned out to be computationally inefcient. In particular, quanti er-elimination operations for computing time-step successors were expensive.
HyTech HH95b] The system-description language is a straightforward textual representation of linear hybrid automata. The user describes a system as the composition of a collection of components. Each c o m p o n e n t is given as a linear hybrid automaton. The system analyzed is taken as the product of all components given.
HyTech rst passes its input through the macro preprocessor m4, allowing clear de nition of constants in the system 5 . F or example, we m a y declare and use the constant raise rate in the gate automaton of for the parametric analysis of the train-gate-controller appears in Appendix A. Whitespace (blank spaces, tabs, new lines) between tokens is ignored. The syntax is described in more detail below. The grammar appears in Appendix B.
Comments The rest of an input line after two adjacent d a s h e s ( --) i s t a k en as a comment. Variables All variables in the system are declared at the top of the description, in a single declaration.
Variables may b e o f t h e f o l l o wing types: discrete, clock, stopwatch, parameter, analog. The type declarations allow more readable descriptions and enable simple static checking by the parser. A clock variable always has rate 1, and a discrete variable always has rate 0. The rate of a stopwatch m ust be either 0 or 1. Parameters have rate 0 in all locations, and may n e v er be assigned values. Analog variables have no syntactic restrictions. Variables of type discrete, clock and parameter are said to be xed r ate variables, since their rate intervals are xed by their type, namely 0, 1 and 0 respectively. Constraints on their rates are automatically added to the rate conditions for each location indeed, it is illegal for the user to constrain explicitly the rate of a xed rate variable. Note that rational coe cients must either (a) be an integer, (b) have a n i n teger as numerator and a nonzero integer as denominator, or (c) be omitted, in which case it is understood to be 1. For example, 1 / 2 x -2 4 / 5 y < z + 5 t -6 + y is a syntactically legal linear constraint.
Automaton components Each automaton is given a name which m a y be used later in the speci cation.
Its synchronization labels are declared. Its initial location and the initial condition on its variables must also be provided. For example, the header for the train automaton is as follows:
automaton train synclabs : app, --approach signal exit --signal that train is leaving initially far & x>=2000
Each automaton component includes a list of locations, described below, terminated by the keyword end.
Locations Each location is named and labeled with its invariant. Rate conditions may also be provided, where the term dx is used to denote _ x. The syntax dg in 10,20] is shorthand for dg >= 10, dg <= 20. F or example, loc far: while x>=100 wait fdx in -50,-40]g is the header for the location far with invariant x 100, and rate condition ;50 _ x ; 40. HyTech terminates whenever it detect illegal rate conditions. Invariants may be conjunctions of linear constraints, such a s x>=1/2 & y<=2/3+x, b u t m ust not be disjunctions 7 . Conjunctive rate conditions are separated by commas, as in wait fdx = dz, dy in
Each location is associated with a list of transitions originating from it.
Transitions Each transition lists a guard on enablement and the successor location. Both the synchronization label and the update information are optional. For example, the following are legal transitions.
6 Strict inequalities, previously unavailable i n HyTech, are now supported. 7 In order to model a disjunctive i n variant, split the location into several locations, one for each disjunct AHH93]. Again, notice that guards may be conjunctions of linear constraints, but not disjunctions (use multiple transitions). Also, the order of the synchronization information and the assignments is interchangeable, if they appear at all, but the guard must appear rst and the successor location last. It is assumed that the update set of the transition is precisely the set of variables for which the primed counterparts appear in the jump condition. The syntax x' = x' can be used to \assign" the variable x a nondeterministic value. The Asap guard on the last transition listed indicates it is an urgent transition which m ust take place as soon as possible. Recall that there is a syntactic restriction that non-trivial guards are not permitted on urgent transitions or any transitions in other components with the same synchronization label as an urgent transition.
Composition It is assumed that the system being described is the parallel composition of all listed components.
Input Language: Analysis Commands
The analysis section of the input consists of two parts: declaration of variables for regions, and a sequence of iterative command statements. Analysis commands provide a means of manipulating and outputting regions. Commands are built using objects of two basic types: region expressions for describing regions of interest, and boolean expressions used in the control of command statements. Regions may be stored in variables, provided the region variables are declared via a statement s u c h a s var init_reg, final_reg: region which declares two region variables called init reg and nal reg. HyTech provides a number of operations for manipulating regions, including computing the reachable set, successor operations, existential quanti cation, convex hull, and basic boolean operations. For example, the speci cation commands in Figure 5 are for analyzing the train-gate controller. Their overall e ect is to determine the critical bound on the parameter . First, the two regions nal reg and init reg are declared. The rst two statements assign values to these regions using direct constraints on the states. Notice that disjunctions may be used. The third statement outputs the constraint on the parameter under which the system is not correct. This printing command is given by the pre x print omit all locations, which t e l l s HyTech to output the region enclosed between the words hide and endhide, but only after hiding all information about locations. We c hoose to omit all location information since for any The negation of a region expression, written using the operator~, is a region expression (representing the complement of the its operand), as is the disjunction of region expressions (representing the union of its operands), written using the operator |, and the conjunction of region expressions (representing the intersection of its operands) is written with the operator &. The negation operator has highest precedence, followed by the & operator. An expression without parentheses is considered to be a disjunction of conjunctions. In addition, the boolean constants True and False have the expected meaning.
Di erence diff(hreg expi, hreg expi)
The set di erence expression evaluates to the region representing all states satisfying its rst argument but not its second argument. The region expression diff(r1,r2) is equivalent to the region expression is equivalent t o x<=4.
Region name A region expression may b e a n y declared region variable. There is no automatic check t h a t the region variable has been assigned a value. The value of the expression is the region most recently assigned to the variable.
Existential quanti cation hide hvar listi in hreg expi endhide
The hide expression evaluates to the region obtained by existentially quantifying a list of variables. Pre/Post pre(hreg expi), post(hreg expi)
The pre and post expressions evaluate to the regions obtained by applying pre and post respectively to their arguments.
Convex hull hull(hreg expi)
The expression hull(hreg expi) returns the region where each location v is associated with the convex hull of all valuations s for which ( v s) is in the region de ned by hreg expi. F or example,
assigns approx the region represented by loc1&0<=x&x<=1 | loc2&x=1.
Reachability reach forward from hreg expi endreach reach backward from hreg expi endreach There are two specialized expressions for returning the set of states reachable from any arbitrary region: one for forward reachability and one for backward reachability. F or example, the expression reach forward from init reg endreach appearing in the analysis commands in Figure 5 evaluates to the region reachable from init reg by iterating post. The backward reachability expression iterates pre until convergence.
Boolean expressions
Boolean expressions are built from region comparisons and region emptiness checks using boolean operators.
Boolean expressions are used in conditional statements and while loops. The symbol hbool expi denotes an arbitrary boolean expression.
Comparison between regions hreg expi h relopi h reg expi The relational operator hrelopi is one of the symbols <, <=, =, >=, and >, representing the binary set comparison operators (, , = , , a n d ) respectively. F or example, the following are legal boolean expressions.
Emptiness empty(hreg expi)
The unary predicate empty applied to a region expression evaluates to true i its argument c o n tains no states. For example, the following code could be used to determine whether the system satis es its safety requirement. Negation has highest priority and conjunctions bind more tightly than disjunctions.
Command statements
There are commands to perform common tasks such as error-trace generation and parametric analysis. Command statements are built from primitives for printing and assigning regions. Command statements may also occur within conditional statements and while statements. Each command is terminated by a semicolon.
Printing There are four basic commands for outputting information. All output appears on stdout. print hreg expi The basic print command outputs the states in the region de ned by its region expression argument. For example, the command print init reg (see Figure 5) indicating that the region given includes only locations in the product automaton for which the train component is in its far location, and that all valuations for which the value of x is greater than or equal to 1000 appear in some such location. The absence of a location name for the second and third component automata indicates that information for these components' locations has been existentially quanti ed. As shorthand, the keyword all may appear in place of a list of automata names, in which c a s e all location information is quanti ed, as in Figure 5 .
prints hstringi This command prints strings, enclosed in double quotes, directly to stdout. For example, the statement prints "Hi there" outputs the string \Hi there" followed by a carriage return.
printsize hreg namei This command prints information about the \size" of the region stored in the region variable given as an argument. Information output includes the number of product locations for which the associated predicate is nonempty and the total number of convex predicates used in representing the region. Error trace generation print trace to hreg expi using hreg namei HyTech provides a simple facility for generating error traces for faulty systems. One must rst use the built-in reachability utility (see Subsection 5.1), which causes HyTech to store internal information that can be used to generate traces. Second, the command to generate traces is issued, specifying both the target region of the traces, and the name of the region variable previously used to store the result of the reachability analysis. This is best illustrated by an example. Suppose we are using forward reachability analysis to see whether any state in the violation region nal reg is reachable from the initial region init reg. The following sequence of commands causes HyTech to generate an error trace, if one exists.
reached := reach forward from init_reg if empty(reached & final_reg) then prints "System verified" else prints "System contains violations" print trace to final_reg using reached endif
The trace output consists of regions, i.e. sets of states, not individual states. Each region will be accessible from the previous via a time step allowing the continuous variables to evolve, followed by a transition step. The trace generated is minimal in length, and includes the synchronization labels, if any, for transitions between regions along the trace. Regardless of whether forward or backward reachability is used, the trace is always printed in an absolute forward direction. Note: this command is rather fragile, and should be used with some care. The error trace generation command always assumes | without any automatic checks |that the region variable appearing after the keyword using (reached in the above example) has been assigned a reachable region using the built-in reach expression, and that no reach expression has since been evaluated.
Additional features
The following functions are also available in HyTech's command language. However, we advise you to use these features with care for two possible reasons they may be extremely ine cient, or their usage is error-prone with their semantics perhaps not as you intend.
Freeing memory free hreg namei
There is a command statement for freeing the memory used to store a region. For example, the statement free B1 frees the region stored in the variable B1. The user must ensure any v ariable freed is not accessed again until it has been reassigned a value. Note that it is not necessary to free variables before assigning them new values: this is done automatically. Also, intermediate regions created in evaluating expressions are also freed automatically.
Weak di erence operator weakdiff (hreg expi,hreg expi)
Region expressions can be formed using the weak di erence operator weakdiff. This operator o ers a fast method of gaining an overapproximation to the set di erence of two regions. Its semantics are not straightforward, and it may result in unexpected behavior. For each location, the operator computes the weak di erence of predicates associated with that location. The weak di erence of predicates 1 and 2 is de ned to be the disjunction of convex predicates occurring in 1 for which there does not exist an enclosing convex predicate occurring in 2 . HyTech represents predicates as a disjunction of conjunctions. However, our tool does not use a unique representation for a given predicate: to do so would require ine cient normalization. Therefore predicates can be stored in numerous forms. Thus the result of the weakdiff operator depends not so much on the valuations satisfying the predicate as on their internal representation. For example, let 1 be represented as x 3 _ x 6, 2 as x 2, and 3 as x 4 _ x 4. Let weakdi ( 1 2 ) denote the weak di erence of 1 and 2 . T h e n w e h a ve weakdi ( 1 2 ) = x 6 weakdi ( 1 3 ) = 1 weakdi ( 3 1 ) = false weakdi ( 3 2 ) = x 4 Despite its drawbacks, the operator is considerably faster to compute than cldiff and typically results in far fewer disjuncts.
Weak comparisons between regions hreg expi h weak opi h reg expi
Boolean expressions can be formed using weak comparison operators (weakle, weakge, a n d weakeq) between region expressions. The operator weakle (weakge) e v aluates to true i the weak di erence of its second ( rst) operand and its rst (second) operand is empty. The operator weakeq evaluates to true i the weak di erence of each operand with the other operand is empty.
Iteration iterate hreg namei from hreg expi using f h commandsi g Region expressions can be formed using the iteration expression which returns the xpoint obtained by repeatedly executing the body of a loop of commands until the value of the iteration variable (the hreg namei variable above) stabilizes. The precise termination condition is that the region stored in the iteration variable after the loop is weakly equivalent to the region stored in the variable before the loop. For example, the following expression may be used to compute the set of states reachable from the initial region init reg. reachable := iterate B1 from init_reg using {B1 := post(B1) } After executing this statement, the variable B1 also stores the set of reachable states. Beware: this construct has side e ects. All variables are global, so any v ariables altered within the loop of the iteration expression have their global values changed. This may o r m a y not be desirable, so use with extreme caution. As an example, consider the following more e cient means of computing the reachable states. reachable := init_reg B2 := iterate B2 from init_reg using { B2 := post(B2) B2 := weakdiff(B2 , reachable) reachable := reachable | B2 } This time we are iterating over B2, a v ariable which c o n tains the newly reachable states at each iteration. The iteration terminates when the set of new states is empty, with the side e ect that reachable contains the set of all reachable states.
Examples
Additional examples may be found in the directory examples of the software distribution. We discuss three of them here in more detail. then prints "Non-leaking duration requirement satisfied" else prints "Non-leaking duration requirement not satisfied" endif 
Gas burner
The \leaking gas burner" example has appeared in the early literature on formal methods applied to hybrid systems CHR91, A CHH93]. We s h o w h o w this simple system can be analyzed in HyTech. The gas burner is in one of two modes it is either leaking or not leaking. Leakages are detected and stopped within 1 second. Furthermore, once a leakage has been stopped, the burner is guaranteed not to leak again until at least 30 seconds later. The system is initially leaking.
The linear hybrid automaton of Figure 6 models the gas burner. The clock x records the time elapsed since last entering the current location, and is su cient for modeling the behavior of the system. However, in order to analyze the system, we need to add the auxiliary variables t and y. The stopwatch t measures the cumulative l e a k age time. It increases at rate 1 in the location leaking, and at rate 0 in location non leaking. The clock y measures the total elapsed time. Using these auxiliary variables, we p r o ve t h a t i f a t l e a s t 6 0 seconds have passed, then the burner has been leaking for less than one twentieth of the total elapsed time. The requirement holds unless there is a state, forward reachable from the initial states, in which y 60 and t y=20. We compute the region backward reachable from all states satisfying y 60^t y=20. Since this region does not include any initial states, the requirement is satis ed. In fact, forward reachability for this system does not terminate. In general, it is not easy to determine ahead of time whether forward or backward reachability analysis is preferable. 
Fischer's mutual exclusion protocol 6.2.1 Parametric analysis
We demonstrate parametric analysis through a drifting clock v ersion of the simple timing-based mutualexclusion protocol due to Fischer Lam87, AHH93]. The system consists of two processes, P 1 and P 2 , e a c h performing atomic read and write operations on a shared memory variable k. E a c h process P i , for i = 1 2, models the following algorithm:
repeat repeat await k = 0 k := i delay b until k = i Critical section k := 0 forever The instruction delay b delays a process for at least b time units as measured by its local clock. Process P i is allowed to enter its critical section i k = i. F urthermore, each process takes no more than a local time units to write a value into the variable k, i.e. the assignment k := i occurs within a time units after the await statement completes. To complicate matters, the two processes use drifting clocks. Process P 1 's clock is slow, and its rate may v ary between 0:8 and 1, while that of P 2 is fast with rate between 1 and 1:1.
The automata for the two processes appear in Figure 8 . Each process is modeled using the private clocks x and y, respectively. E a c h process has a critical section, represented by the location cs in each automaton. The invariants at location 2 ensure the upper time bound on the write access to k, while the guards on the transitions from location 3 to location cs model the lower time bound of the delay.
We perform parametric analysis to determine the values for a and b, i f a n y, for which m utual exclusion holds. The \unsafe" region is characterized by the region expression loc P1]=cs & loc P2]=cs. As for the train-gate controller example, we are interested in the values of the parameters for which there exists a reachable unsafe state. These values are output using the print omit all locations analysis command, in conjunction with existential quanti cation of the non-parameter variables: HyTech's computation takes 1.46 seconds using 1.1 MB of memory, producing the following output, which indicates that the system is correct whenever a < 8b=11.
11a >= 8b & a >= 0
The full input and output les appear in Appendix A.
Error-trace generation
We demonstrate the generation of error traces for a system that does not meet the parametric requirements for correctness. If we s e t a to 5, and b to 6, then mutual exclusion will not hold. Since we a r e i n terested in generating error traces, it is helpful to label transitions, even if they do not participate in any s y n c hronization.
In an error trace, the synchronization labels give a clear indication of which transitions are taken. The full input and output les are found in Appendix A.
Corbett's distributed controller
Corbett Cor94] describes a distributed robot control system, derived from GL92]. The goal of the system is to provide timely robot commands based on recent measurements of the environment. The system consists of four main components: two sensors, a scheduler, and a controller. Each sensor repeatedly constructs readings for sending to the controller. Sensor 1 takes between 0:5 a n d 1 :1 milliseconds of CPU time to take a r e a d i n g , while sensor 2 requires between 1:5 and 2:0 milliseconds. The two sensors share a single processor with the controller executing on its own dedicated processor. Our model deviates slightly from Corbett's where the sensors and the controller all share one processor. The scheduler ensures that sensor 2 has priority o ver sensor 1. If sensor 1 is interrupted by sensor 2, it is rescheduled as soon as sensor 2 completes, and continues constructing its reading as if uninterrupted. Once a reading is complete, it is sent to the controller, as soon as the controller is ready to receive it. After forwarding its reading to the controller, a sensor must delay for 6 milliseconds before starting a new reading. Sensor readings are considered stale and are remeasured if they are not sent to the controller soon enough after being completed. The role of the controller is to deliver appropriate commands to the robot based on both sensors' readings. Commands cannot be computed unless the two sensors' readings are received at most 10 milliseconds apart. Given two fresh readings, the controller requires from 3:6 t o 5 :6 milliseconds to calculate the robot command. Sensor readings are also acknowledged, and this takes between 0:9 a n d 1 :0 milliseconds.
One property o f i n terest to Corbett is whether the controller always generates a command signal within a certain time bound. We show here how HyTech can be used to determine the precise maximal delay between commands in our system. The system is modeled using the linear hybrid automata appearing in Figure 9 . Sensor 1 has four locations: idle, read, wait, a n d send. It uses the stopwatch v ariable y 1 to enforce its timing constraints. At the start of execution, it is in its idle location with y 1 = 6, indicating that it has delayed su ciently long to initiate a read request via a request 1 event. In location read, the sensor waits until a read 1 event occurs, indicating that the scheduler has provided it with su cient CPU time to construct a reading. The sensor remains in location wait for up to 4 milliseconds, modeled by the incoming reset y 1 := 0 and the location invariant y 1 4. During this time, it is ready to send its reading to the controller via a send 1 event. The transition labeled send 1 is an urgent transition that takes place as soon as the controller is ready to synchronize, i.e. receive, the reading. After sending the reading, sensor 1 waits in location send 1 for an acknowledgement, modeled by a n ack 1 event, from the controller. It then delays 6 milliseconds before initiating a new reading. However, if the controller and sensor cannot synchronize a send 1 event in time, sensor 1 takes a transition back to its read location and requests CPU time for a completely new reading. Sensor 2 is identical in structure.
The scheduler allocates each sensor CPU time on a shared processor. It synchronizes with the two sensors on the labels request 1 and request 2 , which correspond to the sensors' initiating a request for CPU time to The automaton uses two s t o p watch v ariables, x 1 and x 2 to model the CPU times that sensor 1 and sensor 2 have received since their last requests. For each x i , the rate of x i is 1 if sensor i is scheduled on the processor, and equals 0 otherwise. When su cient time has accumulated for a sensor, the corresponding read transition may occur. The scheduler has four locations, one for each c o m bination of pending requests: idle (no pending requests), sensor 1 (only sensor 1 has requested a reading), sensor 2 (only sensor 2 has a pending request), and sensor 2 &wait 1 (both sensors have pending requests). Priority for sensor 2 is achieved by giving sensor 2 the CPU when both sensors request it, i.e. in the location sensor 2 &wait 1 the variables' rates are given as _ x 2 = 1 and _ x 1 = 0 . The controller uses the clock v ariable z to control its behavior. Initially, i t i s w aiting in location idle for a send signal from either sensor. The signal is acknowledged and a waiting location is entered. In location wait 2 , u p t o 1 0 m i l l i seconds is allowed to pass. If a send 2 event does not occur in time, the invariant z 10 forces control to return to the idle location via an expire 1 event. If a second send event does occur in a timely fashion, it is duly acknowledged, and the invariant and outgoing guard for location compute model the time required to calculate the command to send to the robot. For our analysis, we i n troduce an additional clock c which is used to measure the time elapsed since the last signal was sent to the robot, or since execution began if there has been no signal sent y et. The clock has initial value 0 and is reset every time a signal occurs. HyTech determines the maximal delay b e t ween signals by computing the set of values of c occurring in any reachable state. This information is output via the following analysis command that hides all information other than the value of c. print omit all locations hide x1, x2, y1, y2, z in reach forward from init_reg endreach endhide
The complete input le appears in Appendix A.
Designing Requirement Speci cations
It is not always obvious how to specify requirements of systems. This section provides some hints to the veri cation engineer by outlining how t o c heck f o r m a n y common classes of requirements. All forms of speci cations below rely on the use of reachability analysis.
Simple safety
A safety requirement i n tuitively asserts that \nothing bad ever happens". Many speci cations are expressed naturally as safety requirements. A system is said to be correct i its reachable states all satisfy an invariant , de ning a set of safe states: the \bad thing" to happen is to reach a state that does not satisfy the invariant 8 . F or example, Fischer's mutual exclusion protocol should guarantee that processes P 1 and P 2 are never in their critical sections at the same time. Also, the train-gate controller is required to ensure that the gate is always down whenever the train is within 10 feet.
As discussed above (Subsection 2.3), safety requirements can be veri ed in HyTech using the region : . One method is to perform forward reachability analysis from the system's initial states, and then check whether the intersection with the violating states : is empty. Assuming the region init reg has been assigned the set of initial states, and viol has been set to the region : , the following HyTech input checks the safety requirement, and generates an error trace if any exists.
f_reachable := reach forward from init_reg endreach reached_viol := f_reachable & viol if empty(reached_viol) then prints "System verified" else prints "System not verified" prints "The violating states reached are" print reached_viol print trace to viol using f_reachable endif Alternatively, the analogous backward reachability analysis can be used. A simple possibility requirement asserts that \something good can always happen." If the notion of \some-thing good" can be expressed as a region expression , t h e n s u c h requirements maintain that all states forward reachable from the initial states are backward reachable from a state in . 9 For example, we m a y wish to prove that for Fischer's mutual exclusion protocol, there is always a possibility that process P 1 will enter its critical section sometime in the future. The following HyTech code checks this assertion.
b_reachable := reach backward from loc P1] = cs endreach f_reachable := reach forward from init_reg endreach if f_reachable <= b_reachable then prints "Requirement satisfied" else prints "Requirement not satisfied" endif
Simple real-time and duration requirements
Many simple real-time requirements can be speci ed by i n troducing clocks and stopwatches to measure delays between events, or the length of time a particular condition holds. In the gas burner example, we assert that as long as a minute or more has passed, the burner has been leaking no more than 5% of the time. In this case, we i n troduce a new variable for each time duration of interest. We n e e d t o k n o w the total elapsed time and the time spent in location leaking. These quantities are measured by the clock y and stopwatch t respectively. The duration requirement w e are interested in then becomes the safety requirement where the violating states are given by the predicate y 60^t y=20.
Additional requirements
By no means do all requirement speci cations fall into the categories discussed above. However, a simple technique can be used to reduce many requirements to safety requirements. The idea is to build a separate monitor automaton for the requirement being checked VW86]. The monitor typically contains special states which are only reachable by violating executions. The monitor must act strictly as an observer of the original system, without changing its behavior. Reachability analysis may then be performed on the parallel composition of the system and the monitor, with the system correct i no violating state in the monitor is reached. To illustrate the technique, we use the category of bounded-response requirements.
Bounded response
A bounded-response requirement asserts that if something (a trigger event, a say) happens, then a response, b say, occurs strictly within a certain time limit . 10 For example, one may assert that every approach o f the train is followed by a raise command within 10 seconds. To v erify these requirements, it is often easiest Figure 10 depicts a generic automaton for bounded-response requirements. Control is initially in the idle location. When a trigger event occurs in a non-violating location, control may pass to the wait location and the clock t is reset. Response events cause control to return to the idle location. The unlabeled transition from the wait location to viol is only enabled when t , i.e. time for the response event h a s passed by. This automaton will reach its violation location i it is possible for time units to pass after an a event without a b event occurring. Therefore, the violation location is not reachable i every a event i s followed by a b event occurring less than time units later. To assert that the response event m a y occur any time up to and including time units after the trigger event, we m a y use the same monitor automaton as above, but checking that the violation location is only ever reached with the value of t being .
Since bounded-response requirements occur frequently, w e demonstrate how strict bounded-response requirement s c a n b e v eri ed slightly more e ciently, i.e. the response event m ust occur before the response time|occurring when exactly time units have passed is not acceptable. The monitor in Figure 11 is slightly more deterministic than that of Figure 10 and will generally lead to a less complex reachable region. Note that the sel oops on the violation location have been omitted. Although this a ects the behavior of the system, it does so in a way that has no e ect on its correctness, assuming we use forward reachability once a violation has been detected, which additional states are reachable is irrelevant.
Minimal event separation
Monitor processes can be built to verify that events occur with some minimal separation time. For example, Figure 12 shows the automaton for verifying that no two instances of the event a occur within time units of each other. The HyTech directory contains the subdirectories src, bin, user guide, a n d examples, c o n taining the source code, executable le for the Sun4 architecture (SunOS compiled), a copy of this user guide, and examples, respectively. The main directory also contains the les README and license. Please sign a copy of the license and follow the instructions given on the form. Licensed users will be assured of being informed about new releases of the software. We w ould also appreciate hearing about your experiences with HyTech and the applications you analyze with it.
HyTech has been successfully compiled on a number of platforms, and the following additional executables are also available through the Web page. The .hy su x on the lename may be omitted. Output appears on stdout, so it is usually directed to a le via a command such a s hytech a.hy > a.log HyTech creates and removes temporary input les in /tmp. Options Available options are displayed by executing HyTech with no ags and no input le. Options are given in the form -h ag typeihni, and must occur before the lename on the command line. There are options for controlling the amount of output generated (-p0, -p1, a n d -p2, where the higher numbers indicate more verbose output), the format of the output (-f0 for conjunctions output along a single line, and -f1 for conjuncts listed one per line), whether to perform consistency checks on the input automata (-c0 for no checks, -c1 for checks), more information on the particular version of HyTech (-i), for performing simple reachability on the control space while forming the composition of automata (-r1 for performing reachability analysis, -r0 for none), and for performing more expensive computations in order to avoid the possibility of arithmetic over ow errors, (-o0 for no avoidance, -o2 for maximal e ort to avoid over ow, and -o1 for some avoidance attempted).
Examples Numerous sample input les and their output logs can be found in the subdirectory examples.
Examine these to familiarize yourself with the input description language. Some of them are discussed in the user guide and HHWT95a].
Bugs, comments, suggestions Please report any bugs or installation and maintenance problems to hytech@eecs.berkeley.edu. We do not have the resources to provide commercial-level support, but we c a n probably help you. We also welcome comments and suggestions, since the experience of HyTech's users will help to improve future versions of the software.
9 Hints for the E cient U s e o f HyTech This section describes hints on how to make the most of HyTech's computational power. If HyTech does not terminate on your input le, and you cannot gure out why, trying these heuristics may w ell help. Sometimes a slightly modi ed description will make a tremendous di erence. As a general principle, keep your model of the system as simple as possible at rst. Once HyTech has successfully analyzed the system, slowly add more detail to your model.
Keep the system description small. Generally, the smaller the better, i.e. try to minimize the number of components, locations, and variables. For example, try to model only a small number of the system's components rst. Share locations wherever possible, e.g. error locations can often be combined into one. Some locations may be eliminated if they are \intermediate" locations not involved in direct synchronization with other components, and time spent in these locations can be transferred to the immediately adjacent locations.
Encode discrete variables into locations. For a bounded discrete variable, it is generally more e cient to split each location into several locations, one for each v alue of the variable, than to declare the variable as a real-valued variable. However, the increased e ciency often carries the disadvantage of a less compact description.
Manually compose tightly coupled components. When taking the product of two automata, many product locations are irrelevant since they are unreachable. If two c o m p o n e n ts are tightly coupled with synchronized events, the reachable product automaton can be substantially smaller than the complete product. It may be bene cial to input the reachable product of such automata, instead of their components, since this version of HyTech constructs complete products only. Keep constants simple. Generally, t h e l o wer the lcm:gcd ratio of the constants in the system, the faster the reachability analysis. Indeed, lowering the ratio may be necessary for reachability to terminate. To a c hieve l o w lcm:gcd ratios, it is often possible to verify an abstracted system where lower bounds are rounded down to smaller constants, and upper bounds are rounded up AIKY92].
Model urgent e v ents explicitly. If an event is urgent, model this fact directly where possible by using the Asap guard. This is more e cient t h a n i n troducing an auxiliary clock. Exploit \don't care" information. In many locations of an automaton, not all variable values are relevant. However, reachability analysis will record the exact values of such \don't care" variables. Thus to simplify the reachable region, it is helpful to make these variables completely unknown wherever they are irrelevant. This can be achieved by explicitly assigning them into the interval (;1 1) o n all transitions into the appropriate locations, using the syntax x'=x' for the variable x. A tempting option is to set them to a particular xed value while control remains in a given location. However, this strategy is not as bene cial as assigning them into (;1 1), since there is a nontrivial relationship between them and any other variables as time passes.
Use strong invariants. Sometimes it is helpful to restrict reachability a n a l y s i s a s m uch as possible through the use of strong invariants. For instance, enforcing implicit invariants can be advantageous, particularly when performing backward reachability analysis. In the gas burner example, backward reachability is required, since forward reachability does not terminate. It would be easy (and natural) to model the system without using the invariants x 0, y 0, and t 0 for the clock and stopwatch variables. These invariants would play n o r o l e i n f o r w ard analysis. However, backward analysis is nonterminating without these invariants, whereas adding them causes termination in six iterations.
Use the reachability facility provided. It is optimized for its task and faster than writing your own while loops. It also enables error traces to be generated.
Try forward and backward analysis. It is often not easy to predict which direction will terminate faster.
Free memory. Free any regions that will not be used again. ------------------------------------------------------------- when True sync request_1 do {x1' = 0} goto sensor1 when True sync request_2 do {x2' = 0} goto sensor2 loc sensor1: while x1<=11/10 wait {dx1=1,dx2=0} when x1>=1/2 sync read_1 goto idle when True sync request_2 do {x2'=0} goto sensor2_wait1 loc sensor2: while x2<=2 wait {dx2=1,dx1=0} when x2>=3/2 sync read_2 goto idle when True sync request_1 do {x1'=0} goto sensor2_wait1 loc sensor2_wait1: while x2<=2 wait {dx2=1,dx1=0} when x2>=3/2 sync read_2 goto sensor1
end ----------------------------------------------------------------
automaton controller synclabs : send_1, expire_1, ack_1, send_2, expire_2, ack_2, signal initially rest & c=0 loc rest: while True wait {dz=0} when True sync send_1 do {z'=0} goto rec_1 when True sync send_2 do {z'=0} goto rec_2 loc rec_1: while z<=1 wait {dz=1} when z>=9/10 sync ack_1 goto wait_2 loc wait_2: while z<=10 wait {dz=1} when z>=10 sync expire_2 goto rest when True sync send_2 do {z'=0} goto rec_12 loc rec_12: while z<=1 wait {dz=1} when z>=9/10 sync ack_2 do {z'=0} goto compute loc rec_2: while z<=1 wait {dz=1} when z>=9/10 sync ack_2 goto wait_1 loc wait_1: while z<=10 wait {dz=1} when z>=10 sync expire_1 goto rest when True sync send_1 do {z'=0} goto rec_21 loc rec_21: while z<=1 wait {dz=1} when z>=9/10 sync ack_1 do {z'=0} goto compute loc compute: while z<=56/10 wait {dz=1} when z>=36/10 sync signal do {c'=0} goto rest In boolean expressions, the unary operator not has highest priority, followed by the in x binary operator and, then or. In region expressions, the operator~has highest priority, followed by &, and then |. Expressions are evaluated bottom-up from the left.
end ---------------------------------------------------------------

B.3 Reserved words
The following words are keywords and cannot be used as names for automata, synchronization labels, locations, or regions. Some of these are not described above, but are retained from earlier versions of the input language for backward compatibility.
all, analog, and, asap, automaton, backward, clock, diff, direction, discrete, do, eliminate non parameters, eliminate variables, eliminate all locations, eliminate locations, else, end, endhide, endif, endreach, endwhile, empty, forward, False, final, free, from, goto, hide, hull, if, in, inf, initially, integrator, iterate, stopwatch, loc, locations, non parameters, not, omit, or, parameter, post, pre, print, prints, printsize, reach, region, stopwatch, sync, synclabs, then, to, trace, True, using, var, vars, wait, weakdiff, weakeq, weakge, weakle, when, while
