ABSTRACT The efficient representation and manipulation of time information is key to any successful implementation of a verification tool. We extend the syntax and semantics of the high-level specification language Promela to include constructs and statements based on the model of timed Büchi automata [2]. We implement these extensions on top of the verification tool Spin.
2. information is available about the time delays encountered during the operation of system processes.
The first observation is crucial when trying to ensure that the system meets its requirements. The second one can be used to develop a more efficient system: knowing with certainty some facts about the delays in a system can lead to the conclusion that a number of behaviors are impossible, and can therefore be ignored during system design.
Traditional formalisms for temporal reasoning deal only with the qualitative aspect of time, that is, the order of certain system events (see footnote 1). However, real-time systems often demand a quantitative aspect of time, that is, taking into consideration the actual distance in time between certain system events (see footnote 2). Hence our motivation to extend Promela for real time. We consider time as dense, i.e., an unbounded (although finite) number of events can occur between two successive time moments. An untimed Promela program consists of a collection of components which interact asynchronously. Optionally, a special component (called the never-claim) can be specified, which interacts with the rest of the system synchronously and models the complement of the desired system behavior. In the absence of the never-claim, wrong behaviors are coded explicitly into the components in terms of non-progress conditions. In either case, the correctness of the system can be reduced to a language-emptiness problem.

Affiliation: Department of Computer Science, University of Crete, Heraklion, Greece, and Institute of Computer Science, FORTH. Partially supported by the ESPRIT BRA project REACT.

Footnote 1: An example of a qualitative time property is: "the green light is never switched on after the red one and before the orange one".
Our verification method consists of checking emptiness of timed Büchi automata (TBA) [6, 2], which are Büchi automata extended with a finite number of clocks. Based on a timed Promela specification, we construct the equivalent (modulo operational semantics) TBA, and then check whether the timed language of the latter is empty.
The work described in this document has been, first of all, to extend the syntax and semantics of untimed Promela with clocks and time information.
We call this extended language Real-Time-Promela (RT-Promela). Next, we have implemented the TBA verification procedure on top of Spin [9], obtaining RT-Spin, a tool for the verification of RT-Promela programs.
Care has been taken so that the TBA analysis is fully compatible with the existing search algorithms used in untimed Spin. Finally, one of our contributions has been the description of a formal semantics of both untimed and RT-Promela, based on untimed and timed transition systems, respectively.
The rest of this document is organized as follows. Section 2 is a short overview of timed languages and automata. In section 3 we review Promela, give its operational semantics in terms of transition systems, and define the verification problem in the untimed case. RT-Promela is presented in section 5 in the same manner: syntactic extensions, semantics in terms of timed transition systems, and verification reduced to language emptiness.
In the appendix, we also describe trace semantics for individual untimed and RT-Promela processes, and show how one can derive the semantics of the complete specification in a compositional way. Experimental results are presented in section 6.
Footnote 2: An example of a quantitative time property is: "the orange light will always be switched on at least 5 time units after the red one, followed in at most 0.5 time units by the green one".
Timed languages and timed Büchi automata
A Büchi automaton (BA) is a nondeterministic finite-state machine $A = (\Sigma, S, Tr, S_0, F)$. $\Sigma$ is the input alphabet, $S$ is the set of states, $S_0$ the set of initial states, and $F$ the set of accepting states. $Tr \subseteq S \times \Sigma \times S$ is the transition relation. If $(s, a, s') \in Tr$ then $A$ can move from $s$ to $s'$ upon reading $a$.
A trace or input word is an infinite sequence $\sigma = a_1 a_2 \ldots$, $a_i \in \Sigma$, while a run over $\sigma$ is an infinite sequence $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \ldots$, $s_0 \in S_0$, $(s_i, a_{i+1}, s_{i+1}) \in Tr$, $i = 0, 1, \ldots$. A run $r$ is said to be accepting iff there exists a state $f \in F$ such that $f$ appears infinitely often in $r$. The language $\mathcal{L}(A)$ of $A$ is the set of all traces $\sigma$ such that $A$ has an accepting run over $\sigma$.
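The emptiness test that the rest of the paper relies on (does $A$ have an accepting run, i.e., a reachable loop through a state of $F$?) is the nested depth-first search that Spin runs under its acceptance-cycle option. The following is an added example, not code from the paper or from Spin; the two Büchi automata at the bottom are constructed inputs, and the tuple layout `(Sigma, S, Tr, S0, F)` mirrors the definition above.

```python
from collections import defaultdict

def transition_graph(tr):
    """Index the relation Tr (a set of (s, a, s') triples) by source state."""
    succ = defaultdict(list)
    for s, a, t in tr:
        succ[s].append((a, t))
    return succ

def find_acceptance_cycle(ba):
    """Nested DFS: the outer search leaves states in post-order; when it leaves an
    accepting state f it starts an inner search for a path back to f.  Returns the
    accepting state that lies on such a loop, or None when L(A) is empty."""
    sigma, states, tr, init, accepting = ba
    succ = transition_graph(tr)
    outer_seen, inner_seen = set(), set()   # inner_seen is shared by all inner searches

    def inner(s, seed):
        inner_seen.add(s)
        for _, t in succ[s]:
            if t == seed:
                return True
            if t not in inner_seen and inner(t, seed):
                return True
        return False

    def outer(s):
        outer_seen.add(s)
        for _, t in succ[s]:
            if t not in outer_seen:
                found = outer(t)
                if found is not None:
                    return found
        if s in accepting and inner(s, s):
            return s
        return None

    for s0 in init:
        if s0 not in outer_seen:
            found = outer(s0)
            if found is not None:
                return found
    return None

# Constructed example 1: accepts every word with infinitely many b's (s1 is accepting
# and lies on a loop), so the language is non-empty.
LIVE = ({"a", "b"}, {"s0", "s1"},
        {("s0", "a", "s0"), ("s0", "b", "s1"), ("s1", "a", "s0"), ("s1", "b", "s1")},
        {"s0"}, {"s1"})

# Constructed example 2: the accepting state s1 is reachable but never revisited
# (the only loop is on the non-accepting s2), so the language is empty.
EMPTY = ({"a"}, {"s0", "s1", "s2"},
         {("s0", "a", "s1"), ("s1", "a", "s2"), ("s2", "a", "s2")},
         {"s0"}, {"s1"})

if __name__ == "__main__":
    print(find_acceptance_cycle(LIVE))    # s1
    print(find_acceptance_cycle(EMPTY))   # None
```

The inner search reuses one visited set across all accepting states; this is sound because the outer DFS starts inner searches in post-order, which is what keeps the whole check linear in the size of the automaton.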
A timed trace or word is a pair $(\sigma, \tau)$, where $\sigma$ is a trace and $\tau$ is a time sequence, i.e., an infinite sequence $\tau_1, \tau_2, \ldots$, $\tau_i \in \mathbb{R}^+$. We only consider strictly increasing, non-zeno time sequences, i.e., $\tau_i < \tau_{i+1}$ and $\forall t \in \mathbb{R}\ \exists i,\ \tau_i > t$. This ensures that time progresses, that is, does not converge to a bounded value. A timed language is a set of timed traces.
A TBA is a tuple $A = (\Sigma, S, Tr, S_0, F, C)$, where $\Sigma$, $S$, $S_0$ and $F$ are as in a BA, and $C$ is a finite set of clocks. A transition in $Tr$ has the form $(s, a, s', R, \mu)$, where $R \subseteq C$ are the clocks to be reset to zero, and $\mu$ is a clock constraint (or guard), that is, a boolean conjunction of atoms of the form $y < k$, $k < y$, $x - y < k$ and $k < x - y$ for two clocks $x, y \in C$ and an integer constant $k \in \mathbb{N}$.
Given a timed word $(\sigma, \tau)$, $A$ starts at a state $s_0 \in S_0$ at time 0. All the clocks of $A$ are active, initialized to zero, and increase at the same rate. At time $\tau_1$ the symbol $a_1$ is read and the automaton takes a transition $tr_1 = (s_0, a_1, s_1, R_1, \mu_1)$ only if the values of the clocks satisfy $\mu_1$. The transition is instantaneous, that is, no clock changes, except those belonging to $R_1$, which are reset to zero. At time $\tau_2$ a new input symbol is read, the next transition is chosen, and so on.
More formally, a run $(\bar{s}, \bar{v})$ of a TBA over a timed word $(\sigma, \tau)$ is an infinite sequence $(s_0, v_0) \xrightarrow{a_1, \tau_1} (s_1, v_1) \xrightarrow{a_2, \tau_2} \ldots$, $v_i \in \mathbb{R}^{|C|}$, such that $s_0 \in S_0$, $\forall x \in C,\ v_0(x) = 0$, and $\forall i = 1, 2, \ldots$

The syntax of the never-claim is just like that of any other process. However, at most one never claim can be present in the specification. Moreover, it should not participate in the execution of the system, but rather monitor it. By this we mean that every statement inside a claim is interpreted as a condition and should have no side effects (i.e., it must not send or receive messages, set global variables, execute run statements, etc.). Since the system and the claim operate synchronously, the latter can observe the system's behavior step by step and catch errors.
The Promela semantics
The operational semantics of an untimed Promela program $P$ will be specified in terms of a transition system (TS), i.e., a (possibly infinite) graph $T = (Q, \rightarrow)$, where $Q$ is the set of nodes and $\rightarrow \subseteq Q \times Q$ the set of edges. For simplicity, we consider a known number of processes $P_0, P_1, \ldots, P_m$ which are active right from the start. By convention, $P_0$ will be the never claim, if specified; otherwise $P_0 \stackrel{def}{=}$ { do :: skip od }.
The state of the system is completely described by the contents of chan- 
Verification in untimed Promela
The correctness criteria of P are implied by the various types of analysis performed using the tool Spin. Locations can be optionally labeled as end, 
Syntax
First of all, we add the type clock to the declarations of Promela variables. Clock variables can be scalar or arrays, and are declared globally (see footnote 7). Here is an example of a clock declaration:

    clock x, y, z[5];
Next, each statement is expanded with an optional time part, according to the following grammar rules (of which only the alternatives for the relational operator survive here):

    '<' | '>' | '<=' | '>=' | '=='

    B!mymesg; a = a + b; goto error;
The guard $\mu$ is interpreted as the conjunction of the inequalities it consists of, e.g., "when {x < 4, x >= 2}" stands for "when {x < 4 $\wedge$ x >= 2}". There is no way to express a disjunction within a single statement. Instead, one should use a nondeterministic branching statement, like:

    if
    :: when{x < 4} reset{x} stmnt_part
    :: when{x >= 2} reset{x} stmnt_part
    fi
The reason for the above restriction will be clear in section 5, where we discuss our verification methodology.
The RT-Promela Semantics
The semantics of an RT-Promela program $P$ is a timed TS (TTS) $(Q^T, \rightarrow^T)$.
States of $Q^T$ are of the form $(q, v)$ where $q$ is as in section 3.2 and $v$ is a clock valuation. A timed statement $(st, R, \mu)$ is enabled at $(q, v)$ if $st$ is enabled at $q$ and $v \in \mu$. The transition relation $\rightarrow^T$ contains two types of transitions:

Footnote 7: The reason for this is that the clock-space dimension cannot change at run time.
1. Action transitions, $((q, v), (q', v'))$ (defined as in section 3.2). Each such transition is associated with a pair (resp. triple) of timed statements $(st_0, R_0, \mu_0)$, $(st_i, R_i, \mu_i)$ (resp. and $(st_j, R_j, \mu_j)$) which are enabled at $(q, v)$ (this implies $v \in \mu_0 \wedge \mu_i \wedge \mu_j$). Let $R$ be $R_0 \cup R_i$ (resp. $R_0 \cup R_i \cup R_j$). Then $v' = v[R := 0]$.
2. Time transitions, $((q, v), (q, v + \delta))$, for $\delta \in \mathbb{R}^+$.
The initial state of $T$ is $(q_0, \mathbf{0})$, $\mathbf{0} = (0, \ldots, 0) \in \mathbb{R}^{|C|}$. The correctness criteria of an RT-Promela program are identical to those defined in section 3.2, except that instead of $T$ we consider $(Q^T, \rightarrow^T)$.
Verification using RT-Promela
Our aim is to reduce the verification of the correctness criteria of RT-Promela programs to verification of TBA emptiness, following the approach of [5]. For an RT-Promela program $P$, we define two TBA, one for each correctness criterion. Intuitively, $U$ will also have an extended state space, each state $(q, \alpha)$ containing, apart from the state $q$ of $A$, the set $\alpha$ of all possible clock valuations.
The TBA defined from a RT-Promela program
The latter is generally infinite, due to dense time. To represent such a set, the valuation space $\mathbb{R}^{|C|}$ is partitioned into a finite number of equivalence classes. Two members $v$ and $v'$ of a class $\alpha$ are equivalent in the sense that, if $v$ belongs to an accepting run $(s_0, v_0) \xrightarrow{a_1, \tau_1} (s_1, v_1) \xrightarrow{a_2, \tau_2} \ldots \xrightarrow{a_i, \tau_i} (s_i, v) \xrightarrow{a_{i+1}, \tau_{i+1}} (s_{i+1}, v_{i+1}) \ldots$, then it can be substituted by $v'$, which gives another accepting run $(s_0, v_0) \xrightarrow{a_1, \tau_1} (s_1, v_1) \xrightarrow{a_2, \tau_2} \ldots \xrightarrow{a_i, \tau_i} (s_i, v') \xrightarrow{a_{i+1}, \tau'_{i+1}} (s_{i+1}, v'_{i+1}) \ldots$, so that the untimed projections of the two runs are the same.
Checking emptiness efficiently
Checking whether the language is empty is reduced to a reachability analysis (depth-first search) seeking loops which pass through accepting states. A very popular representation of sets of clock valuations uses difference bound matrices (DBMs) [6].
DBMs are inexpensive as far as storage is concerned. Moreover, they are simple and require low-cost operations. Briefly, a DBM is a square matrix which describes a very simple system of linear inequalities, of the same form as time constraints, that is, $x\ op\ k$ or $x\ op\ y + k$, where $op \in \{<, >, \le, \ge, =\}$ and $k$ is a positive integer constant. Assuming the dimension of a matrix $D$ to be $n \times n$, the set of vectors $v \in \mathbb{R}^n$ which satisfy the corresponding inequalities will be denoted $v(D)$. This set is convex. The idea, then, is to represent a clock region $CR$ by a DBM $D$ such that $v(D) = CR$. At each step of the reachability analysis, a new DBM is computed by transforming the old one. For this we use a small number of low-cost operations, described briefly below; the reader can refer to appendix 1.3 for the precise definitions.

In general, more than one DBM can represent the same set of clock valuations, because the bounds in some of the inequalities are not "tight" enough. Nevertheless, it is possible to compute the canonical form of a DBM, which is its unique "minimal" representative. Using canonical forms reduces the test for equality of two matrices to a test for equality of their canonical forms. At the implementation level this becomes a test for pointer equality, since all DBMs are stored in a hash table. The remaining DBM operations are also simplified by the use of canonical forms.
During the series of transformations, it is possible that the resulting DBM does not "cover" exactly a clock region. Indeed, a clock region is a union of equivalence classes, which is not always convex, while the region represented by a matrix always is. In that case the matrix can be enlarged to include as many points of the region as possible, resulting in a canonical representation (see footnote 8). This process is called maximization:

$\forall D'.\ \big(\forall \alpha.\ \alpha \cap v(D) \neq \emptyset \Leftrightarrow \alpha \cap v(D') \neq \emptyset\big) \Rightarrow v(D') \subseteq v(\max(D)),$

where $\alpha$, as usual, denotes an equivalence class.
To prove the correctness of our approach, let us define another automaton, called the DBM automaton, denoted $A_{DBM}$. This plays the same role as $U$, following exactly the same runs as $A$ does, and keeping track of the possible clock positions at each step.
$D \xrightarrow{\delta} D^\delta \xrightarrow{\mu} D^\mu \xrightarrow{[R := 0]} D^R \xrightarrow{max} D^{max} = D'.$

In the above sequence, $\xrightarrow{\delta}$ represents the time-elapse transformation, that is, $\forall v \in v(D),\ \delta \ge 0,\ v + \delta \in v(D^\delta)$. $\xrightarrow{\mu}$ represents the intersection with the constraint $\mu$, that is, $\forall v \in v(D^\mu)$, $v$ satisfies $\mu$. $[R := 0]$ represents the clock resets, that is, $\forall v \in v(D^R),\ \forall x \in R,\ v(x) = 0$.
Finally, $max$ represents the maximization process. Intuitively, the whole series of transformations corresponds to the fact that, being in a state, the system first lets time pass (possibly zero time) and then executes a statement instantaneously, moving to another state. In order for the transition to be taken, the time constraints must be satisfied. At the same moment, a number (possibly zero) of clocks are reset to zero.

Footnote 8: It is not wrong to add these extra points, since each one of them is equivalent to at least one point in the matrix, and thus satisfies exactly the same properties regarding the evolution of the system in time.
Not all paths which are discovered during the reachability analysis are valid. Indeed, the presence of time gives meaning only to those infinite executions for which time progresses without bound (recall the non-zeno timed traces defined in section 2). A run of $A_{DBM}$, $r = (s_0, D_0) \xrightarrow{a_1} (s_1, D_1) \xrightarrow{a_2} \ldots$ over a trace $\sigma$, is progressive iff for each clock $x \in C$:
1. there are infinitely many $i$ such that $D_i$ satisfies $(x = 0) \vee (x > c_x)$, where $c_x$ is the maximum constant that appears in an inequality of the form $x\ op\ c_x$ in the specification;
2. there are infinitely many $j$ such that $D_j$ satisfies $x > 0$.
Examples
We have implemented the method described above on top of the tool Spin, developed for the validation of concurrent systems [8] by G. J. Holzmann. We have extended Spin to RT-Spin, which performs reachability analysis on the DBM automaton, using an RT-Promela program as input. We have tested our implementation on a number of examples; we now present three of them. The first models a simple system of three processes representing a train, a gate, and a controller. The second is a real-time mutual-exclusion protocol due to Fischer [15]. Both of these examples have been taken from [3]. The third concerns a general-purpose ATM switch [17, 12]. It has been taken from [14], where it was treated using the selection/resolution model [13] and the tool RT-Cospan [18].
The systems consist of a number of components, modeled as TBA. RT-Promela offers the possibility to use local and global variables, as well as channels. We take advantage of this, and end up with fewer components than those described in the original models. For example, we do not need a special automaton to model the global variable in the mutual-exclusion protocol.
The alphabet of each TBA is a set of events. Automata synchronize their actions through shared events: such an event can occur provided it is enabled in every automaton whose alphabet includes it. Whenever necessary, synchronization in RT-Promela is done using rendezvous.
Modeling the systems using RT-Promela
Train, Gate, Controller (TGC) :
This example deals with an automatic controller that opens and closes a gate at a railway track intersection (see figure 1). Whenever the train enters the intersection it sends an approach signal to the controller at least two minutes in advance. The controller also detects the train leaving the intersection, and this event occurs within five minutes after it started its approach. The gate responds to lower and raise commands by moving down and up respectively within certain time bounds. The controller sends a lower command to the gate exactly one minute after receiving an approach signal from the train. It commands the gate to raise within one minute of the train's exit from the intersection. The purpose of the verification is to ensure the following safety property (see footnote 9): whenever the gate goes down, it is moved back up within a certain upper time bound $K$. Notice that this implies that the gate will eventually come up again. Although this is not immediate from the above property, liveness conditions associated with each automaton ensure that in every infinite trace, process Gate passes infinitely often through state $q_0$, therefore executing infinitely often the transition $q_3 \rightarrow q_0$ which sets the gate up. Returning to the safety property, the automaton Monitor models precisely its negation, as was explained in section 2. The property is satisfied iff the integer constant $K$ is greater than 6.

Footnote 9: A safety property can be formulated as "never will...". For example, "never will processes 1 and 2 be found in their critical sections at the same time".

Fischer's mutual-exclusion protocol:

In this protocol, there exist $n$ processes $P_1, \ldots, P_n$, as shown in figure 2. A process $P_i$ is initially idle, but at any time may begin executing the protocol provided the value of a global variable $x$ is 0. $P_i$ then delays for up to $\Delta_B$ time units before assigning the value $i$ to $x$. It may enter its critical section within $\delta_C$ time units provided the value of $x$ is still $i$. Upon leaving its critical section, it reinitializes $x$ to zero. The global variable crit is used to keep count of the number of processes in the critical section. The auto-increment (auto-decrement) of this variable is done simultaneously with the test (the reset of $x$ to zero). This is modeled in RT-Promela using atomic sequences. We need to verify that no two processes are ever in their critical sections at the same time. The property is satisfied iff $\delta_C > \Delta_B$. A remark needs to be made concerning synchronization between more than two processes. In this case, two or more channels are necessary. The trick is to build a chain reaction of receive/send atomic moves in order to propagate the system event to all processes. The method is presented in appendix 1.2 through an example.
Verifying the round-trip delay of an ATM switch:
An ATM switch is a chip used as part of the Asynchronous Transfer Mode network protocol for Broadband Integrated Services Digital Networks (B-ISDN). It consists of four input and four output links, each of 400 Mbits/sec bandwidth. In ATM, information is transferred in cells of fixed length (53 bytes). These cells are routed using virtual circuits (VCs) (see footnote 10), which have different priorities. The flow-control mechanism uses a special packet called a token, which signals to the sender that the receiver is ready to accept a new high-priority cell. Each chip has a flow-control buffer storing the incoming tokens, as well as a cell buffer, used to store the incoming high-priority cells.
Footnote 10: There exist also virtual paths, which are collections of VCs, but these will be ignored, since the chip itself cannot distinguish them from VCs.

In our simplified example, we assume two adjacent chips, A and B (figure 3). We are interested in computing the round-trip delay. This is defined in [17, 12] as "the delay between the start of two consecutive transmissions of cells of the highest priority", since the chips deal with VCs of different priorities. We make two assumptions:
1. Chip A has always a high priority cell waiting to be transmitted to B.
2. A high priority cell which is sent from B to C is not flow-controlled by C, that is, chip C is always ready to receive it from B.
The first hypothesis allows us to ignore the cell buffer of chip A, while the second allows us to ignore the flow-control buffer of B. The timing assumptions of the system are the following:
1. each chip operates on a cycle of 54 clock ticks, that is, between any two packet transmissions there is a delay of exactly 54 ticks;
2. the delay between the selection of the next packet to be sent and its transmission is between 4 and 10 ticks;
3. the transmission of a token takes between 11 and 33 ticks ;
4. the transmission of a high priority cell takes exactly 3 ticks.

Based on the above assumptions, we prove that the round-trip delay is never greater than 108 clock ticks, while it cannot be less than 54 ticks. In other words, at most one low priority packet gets transmitted between any two successive transmissions of high priority cells. The specification in RT-Promela can be found in appendix 1.1.
Proving safety properties
We used three different methods to verify the properties of the systems above. In the case of TGC, the monitor process moves to an error state marked with an accept label, where it stays forever. We ran the validator with the "-a" option to search for acceptance cycles. Notice that in this simple case, maximization was not necessary. Performance results are presented in table 2.
The specification of Fischer's mutual-exclusion protocol includes a never claim monitoring the system and announcing an error if it finds that more than one process is in the critical section. We verified the correctness of the protocol for $\Delta_B = 1$, $\delta_C = 2$ with up to 4 processes, while in the case of 5 processes the validator did not terminate. On the other hand, the erroneous case ($\Delta_B = 2$, $\delta_C = 1$) is very little affected by the size of the problem, since the error is found and announced early on. We managed to run the wrong case for more than 23 processes. Performance results are shown in table 2 (see footnote 11). Finally, for the ATM switch, we make use of a clock RT which keeps count of the round-trip delay, and test the value of the clock each time a new high-priority cell is sent. If RT is between 54 and 108, it is reset to zero and the system continues normally. If the clock is strictly less than 54 or greater than 108, the error is announced. Performance results are shown in table 2.
Time is measured in seconds, and memory in megabytes.

We have presented the theory and practice of the extensions made to Promela to include real-time semantics. The extended language, RT-Promela, allows for a special kind of global variables, which represent the clocks of the system. The statements of the language can contain simple linear constraints which restrict the possible values of a clock, or the relative values of two clocks. This changes the executability semantics of a statement, which can be executed only if, in addition to the restrictions imposed by standard Promela, the constraints do not conflict with the current state of the clocks. The execution of a statement can affect a clock by resetting it to zero. The semantics of a specification in RT-Promela are given in terms of timed transition systems. The problem of verification is reduced to checking whether the set of all possible valid paths (that is, the language of the system) is empty.
This time model permits the specification of a large class of real-time systems. We illustrate its power by three examples which have already been considered in the literature, and thus allow for comparisons.
Putting clocks in an untimed specification usually increases the size of the [16, 11]. It would be interesting to see whether this reduction preserves time properties, and under which conditions. Apart from the above, older methods for on-the-fly minimization of the state space exist [4] and should also be tried out.
1 Appendix

In the case of synchronization of timed statements, the constraints and resets of all of them are grouped together, as if they were a single statement executed instantaneously.
Mutual exclusion in RT-
DBMs
We consider the class of convex polyhedra in $\mathbb{R}^{|C|}$ which can be defined by a set of integer constraints on clocks and clock differences. If we identify a new fictitious clock $x_0$ with the constant value 0, the above constraints can be represented as bounds on the difference between two clock values. For instance, $x < 5$ can be expressed as $x - x_0 < 5$, and $x > 5$ as $x_0 - x < -5$. Furthermore, we can introduce $\infty$ as a bounding value, to represent the absence of a bound on a difference (we write $x - y < \infty$), and $-\infty$ to express false (we write $x - y < -\infty$). Thus, we can restrict ourselves to upper bounds without loss of generality. More precisely, each inequality can be expressed as $x_i - x_j < k$ or $x_i - x_j \le k$, for some integer $k$, or $x_i - x_j < \infty$ or $x_i - x_j < -\infty$. A DBM is an $(n + 1) \times (n + 1)$ matrix $D$ whose elements (called bounds) are of the form $d_{ij} = (r, \#)$, $r \in \mathbb{R} \cup \{\infty\}$, $\# \in \{<, \le\}$. $D$ represents the polyhedron of $\mathbb{R}^n$ consisting of all points that satisfy the inequalities $x_i - x_j\ \#\ r$, where $d_{ij} = (r, \#)$.
Canonicalization
There are possibly many DBMs defining the same clock region, because some of the upper bounds need not be tight (see footnote 12). For example, $\{x_1 < 2,\ x_1 \ge 1,\ x_2 < 5\}$ can be represented by any matrix $D$ such that $d_{01} = (-1, \le)$, $d_{02} = (0, \le)$, $d_{10} = (2, <)$, $d_{20} = (5, <)$, and $d_{12} \in \{(2, <), (2, \le), (3, <), (3, \le), \ldots\}$, $d_{21} \in \{(4, <), (4, \le), (5, <), (5, \le), \ldots\}$.
Then, the idea is to represent $D$ in a canonical form, where all upper bounds are as "tight" as possible. We denote this canonical matrix $cf(D)$. Dill [6] showed that $cf(D)$ can be computed from $D$ by applying an all-pairs shortest-path algorithm. Moreover, canonicalization leads to easy tests for equality and emptiness of clock regions. A matrix $D$ represents an empty region if a negative-cost cycle (i.e., $(-\infty, <)$) appears during the computation of $cf(D)$.

Footnote 12: Bounds are ordered lexicographically ($<$ is taken to be strictly less than $\le$), that is: $(r, \#) < (r', \#')$ iff $(r < r') \vee (r = r' \wedge \# = {<} \wedge \#' = {\le})$.
Elapse of time
As time elapses, clock differences remain the same, since all clocks increase at the same rate.
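The DBM machinery used in the main text (canonical forms and the $D \rightarrow D^\delta \rightarrow D^\mu \rightarrow D^R \rightarrow D^{max}$ step of the DBM automaton) and in this appendix (the bound ordering of footnote 12, Dill's all-pairs shortest-path canonicalization, the negative-cycle emptiness test, and time elapse) fits in one small module. The code below is an added example, not RT-Spin's implementation: it encodes a bound as `(r, strict)`, runs Floyd-Warshall for `cf(D)`, and reproduces the appendix example $\{x_1 < 2, x_1 \ge 1, x_2 < 5\}$, whose tightest $d_{12}$ and $d_{21}$ come out as $(2, <)$ and $(4, <)$. Because the paper gives maximization only informally, `maximize` is assumed here to be the standard extrapolation with respect to a single largest constant `cmax`.

```python
import math
from itertools import product

# A bound is (r, strict): x_i - x_j < r when strict, x_i - x_j <= r otherwise.
INF = (math.inf, True)   # no constraint on x_i - x_j
ZERO = (0, False)        # x_i - x_j <= 0

def bound_key(b):
    # Footnote 12 ordering: for equal r, '<' is strictly smaller than '<='.
    r, strict = b
    return (r, 0 if strict else 1)

def bound_min(a, b):
    return a if bound_key(a) <= bound_key(b) else b

def bound_add(a, b):
    # Chaining x_i - x_k # r and x_k - x_j #' r' is strict if either bound is strict.
    return (a[0] + b[0], a[1] or b[1])

def unconstrained(n):
    """Clocks x1..xn with only the implicit x_j >= 0 (index 0 is the fictitious x0 = 0)."""
    d = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][i] = ZERO
        d[0][i] = ZERO
    return d

def initial(n):
    """The initial valuation 0 = (0, ..., 0): every clock equals x0."""
    return [[ZERO] * (n + 1) for _ in range(n + 1)]

def canonical(d):
    """cf(D): tighten every bound by all-pairs shortest paths (Floyd-Warshall)."""
    n = len(d)
    c = [row[:] for row in d]
    for k, i, j in product(range(n), repeat=3):
        c[i][j] = bound_min(c[i][j], bound_add(c[i][k], c[k][j]))
    return c

def is_empty(d):
    """A negative-cost cycle surfaces as a diagonal entry strictly below (0, <=)."""
    return any(bound_key(row[i]) < bound_key(ZERO) for i, row in enumerate(canonical(d)))

def same_region(d1, d2):
    """Equality of regions reduces to equality of canonical forms."""
    return canonical(d1) == canonical(d2)

def elapse(d):
    """D -> D^delta: drop the upper bounds x_i - x0; differences x_i - x_j are kept."""
    c = [row[:] for row in d]
    for i in range(1, len(c)):
        c[i][0] = INF
    return c

def constrain(d, i, j, r, strict):
    """D -> D^mu for one atom x_i - x_j < r (strict) or <= r.  Use j = 0 for x_i op r,
    and i = 0 with -r for r op x_j."""
    c = [row[:] for row in d]
    c[i][j] = bound_min(c[i][j], (r, strict))
    return canonical(c)

def reset(d, clocks):
    """D -> D^R, i.e. [R := 0]: each clock in R becomes equal to x0."""
    c = canonical(d)
    for x in clocks:
        for j in range(len(c)):
            if j != x:
                c[x][j] = c[0][j]
                c[j][x] = c[j][0]
        c[x][x] = ZERO
    return c

def maximize(d, cmax):
    """Assumed extrapolation: bounds above cmax are dropped and lower bounds beyond cmax
    are weakened to cmax, so the region only grows and finitely many matrices remain."""
    c = canonical(d)
    for i, j in product(range(len(c)), repeat=2):
        if bound_key(c[i][j]) > bound_key((cmax, False)):
            c[i][j] = INF
        elif bound_key(c[i][j]) < bound_key((-cmax, True)):
            c[i][j] = (-cmax, True)
    return canonical(c)

def successor(d, guard, resets, cmax):
    """One edge of the DBM automaton: let time pass, take the guard (a list of atoms
    (i, j, r, strict)), reset, maximize.  Returns None when the edge is disabled."""
    c = elapse(d)
    for i, j, r, strict in guard:
        c = constrain(c, i, j, r, strict)
    if is_empty(c):
        return None
    return maximize(reset(c, resets), cmax)

def appendix_region():
    """{x1 < 2, x1 >= 1, x2 < 5}: d01 = (-1, <=), d10 = (2, <), d20 = (5, <)."""
    d = unconstrained(2)
    d = constrain(d, 0, 1, -1, False)
    d = constrain(d, 1, 0, 2, True)
    return constrain(d, 2, 0, 5, True)

if __name__ == "__main__":
    cf = appendix_region()
    print("tightest d12, d21:", cf[1][2], cf[2][1])     # (2, True) (4, True)
    # Edge guarded by 1 <= x1 < 2 that resets x2, taken from the initial state.
    print(successor(initial(2), [(0, 1, -1, False), (1, 0, 2, True)], [2], 5))
```

The `successor` function is the whole of one reachability step: a state $(s, D)$ of $A_{DBM}$ moves to $(s', D')$ exactly when the returned matrix is not `None`, and `same_region` (or, after hashing canonical forms, pointer equality) decides whether $(s', D')$ was visited before.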
