New Results on Timed Specifications by Bourke, Timothy et al.
 
  
 
Aalborg Universitet
New Results on Timed Specifications
Bourke, Timothy; David, Alexandre; Larsen, Kim Guldstrand; Legay, Axel; Lime, Didier; Nyman, Ulrik; Wasowski, Andrzej
Published in: Recent Trends in Algebraic Development Techniques
DOI (link to publication from Publisher): 10.1007/978-3-642-28412-0_12
Publication date: 2012
Document Version: Accepted author manuscript, peer reviewed version
Citation for published version (APA):
Bourke, T., David, A., Larsen, K. G., Legay, A., Lime, D., Nyman, U., & Wasowski, A. (2012). New Results on Timed Specifications. In T. Mossakowski, & H-J. Kreowski (Eds.), Recent Trends in Algebraic Development Techniques: 20th International Workshop, WADT 2010, Etelsen, Germany, July 1-4, 2010, Revised Selected Papers (pp. 175-192). Springer. Lecture Notes in Computer Science Vol. 7137. https://doi.org/10.1007/978-3-642-28412-0_12
New Results on Timed Specifications⋆
Timothy Bourke (2), Alexandre David (1), Kim G. Larsen (1), Axel Legay (2), Didier Lime (3), Ulrik Nyman (1), Andrzej Wąsowski (4)
(1) Computer Science, Aalborg University, Denmark
(2) INRIA/IRISA, Rennes Cedex, France
(3) IRCCyN/Ecole Centrale de Nantes, France
(4) IT University of Copenhagen, Denmark
Abstract. Recently, we have proposed a new design theory for timed systems. This theory, building on Timed I/O Automata with game semantics, includes classical operators like satisfaction, consistency, logical composition and structural composition. This paper presents a new efficient algorithm for checking Büchi objectives of timed games. This new algorithm can be used to strengthen the infinite behavior of an interface, or to guarantee that the interface can indeed be implemented. We illustrate the framework with an infrared sensor case study.
1 Introduction and State of The Art
Several authors have proposed frameworks for reasoning about interfaces of independently developed components (e.g. [20, 13, 9, 12]). Most of these works have, however, devoted little attention to real time aspects. Recently, we proposed a new specification theory for Timed Systems (TS) [11]. Syntactically, our specifications are represented as Timed I/O Automata (TIOAs) [19], i.e., timed automata whose discrete transitions are labeled by Input and Output modalities. In contrast to most existing frameworks based on this model, we view TIOAs as games between two players: Input and Output, which allows for an optimistic treatment of operations on specifications [13].
Our theory is equipped with features typical of a compositional design framework: a satisfaction relation (to decide whether a TS is an implementation of a specification), a consistency check (whether the specification admits an implementation), and a refinement (to compare specifications in terms of inclusion of sets of implementations). Moreover, the model is also equipped with logical composition (to compute the intersection of sets of implementations), structural composition (to combine specifications) and its dual operator quotient. Our framework also supports incremental design [14]. To the best of our knowledge, our theory is the first specification theory for TS in which both logical and structural compositions can be computed within the same framework.
Refinement, Satisfaction, and Consistency problems can be reduced to solving timed-game problems. As an example, assume that inconsistent states are states that cannot be implemented in reality, since they violate important assumptions of the abstraction. Then deciding whether an interface is consistent is equivalent to checking for the existence of a strategy that avoids inconsistent states.
⋆ Work partially supported by VKR Centre of Excellence – MT-LAB and by an “Action de
Recherche Collaborative” ARC (TP)I
Fig. 1: Structure of ECDAR's specification theory (figure: specifications $A$ and models $X$ with $S = [[A]]_{sem}$ and $P = [[X]]_{sem}$; satisfaction $\models$ relates models to specifications, and $[[\cdot]]_{sem}$ relates timed I/O automata (finite) to timed I/O transition systems (infinite)).
Our theory is implemented in ECDAR [17], a tool that leverages the game engine UPPAAL-TIGA [4], as well as the model editor and the simulator of the UPPAAL model checker [5]. The purpose of this paper is to describe enrichments to our theory, and to report on the evaluation of the tool on a concrete case study. Our contributions are:
1. An on-the-fly algorithm for checking Büchi objectives of two-player timed games. The algorithm builds on an existing, efficient method for solving reachability objectives [8, 4], but it uses zones as a symbolic representation. We show how the method can be combined with a safety objective. This allows, for example, to guarantee that a player has a strategy to stay within a set of states without blocking the progress of time. Similar results were proposed by de Alfaro et al. [16] but for a restricted class of timed interfaces and without an implementation for the continuous case.
2. A realistic case study. Most existing interface theories have not been implemented and evaluated on concrete applications. We use ECDAR to show that our interface theory is indeed a feasible solution for the design of potentially complex timed systems. More precisely, we specify an infrared sensor for measuring short distances and for detecting obstructions. This extensive case study reveals both the advantages and disadvantages of our theory, which are summarized in this paper.
2 Background: Real Time Specifications as Games
We shall now introduce the basic semantic and syntactic objects of this paper. These originate directly in [11]. Our specification theory is, perhaps, a bit unusual, in the sense that specifications and models (implementations) are taken from the same class of objects, and that they both exist in two flavors: infinite and finite. Figure 1 summarizes this structure. We have two dimensions: vertical across the notion of satisfaction (division into models and specifications) and horizontal across finite abstraction (division between Timed I/O Transition Systems and Timed I/O Automata). This orthogonality is exploited to treat the intricacies of continuous time behaviour separately from those of the algorithms. Roughly speaking the infinite models have been used to develop the theory, while the finite models serve as a symbolic representation in the implementation.
In work on timed automata, the finite and infinite representations are often referred to as syntax and semantics respectively, whereas in both logics and specification theories these two terms are more often used for referring to specifications and models. Recognizing this confusion of dimensions, we avoid the two terms as much as possible in this paper, and use the concrete names of the objects instead.
Definition 1. A Timed I/O Transition System (TIOTS) is a tuple $S = (St^S, s_0, \Sigma^S, \to_S)$, where $St^S$ is an infinite set of states, $s_0 \in St^S$ is the initial state, $\Sigma^S = \Sigma^S_i \oplus \Sigma^S_o$ is a finite set of actions partitioned into inputs and outputs, and $\to_S : St^S \times (\Sigma^S \cup \mathbb{R}_{\ge 0}) \times St^S$ is a transition relation. We write $s \xrightarrow{a}_S s'$ instead of $(s, a, s') \in \to_S$ and use $i?$, $o!$ and $d$ to range over inputs, outputs and $\mathbb{R}_{\ge 0}$ respectively. Also for any TIOTS we require:
[time determinism] whenever $s \xrightarrow{d}_S s'$ and $s \xrightarrow{d}_S s''$ then $s' = s''$,
[time reflexivity] $s \xrightarrow{0}_S s$ for all $s \in St^S$, and,
[time additivity] for all $s, s'' \in St^S$ and all $d_1, d_2 \in \mathbb{R}_{\ge 0}$ we have $s \xrightarrow{d_1 + d_2}_S s''$ iff $s \xrightarrow{d_1}_S s'$ and $s' \xrightarrow{d_2}_S s''$ for some $s' \in St^S$.
TIOTSs are abstract representations of real time behaviour. We use Timed I/O Automata (TIOAs) to represent them symbolically using finite syntax.
Let $Clk$ be a finite set of clocks. A valuation over $Clk$ is a mapping $u \in [Clk \mapsto \mathbb{R}_{\ge 0}]$. Given $d \in \mathbb{R}_{\ge 0}$, we write $u + d$ to denote a valuation such that for any clock $r \in Clk$ we have $(u + d)(r) = x + d$ iff $u(r) = x$. We write $u[r \mapsto 0]_{r \in c}$ for a valuation which agrees with $u$ on all values for clocks not in $c$, and gives 0 for all clocks in $c \subseteq Clk$. Let $op$ be the set of relational operators: $op = \{<, \le, >, \ge\}$. A guard over $Clk$ is a finite conjunction of expressions of the form $x \prec n$, where $\prec \in op$ and $n \in \mathbb{N}$. We write $\mathcal{B}(Clk)$ for the set of guards over $Clk$ using operators in the set $op$ and $\mathcal{P}(X)$ for the powerset of a set $X$.
Definition 2. A Timed I/O Automaton (TIOA) is a tuple $A = (Loc, q_0, Clk, E, Act, Inv)$ where $Loc$ is a finite set of locations, $q_0 \in Loc$ is the initial location, $Clk$ is a finite set of clocks, $E \subseteq Loc \times Act \times \mathcal{B}(Clk) \times \mathcal{P}(Clk) \times Loc$ is a set of edges, $Act$ is the action set $Act = Act_i \oplus Act_o$, partitioned into inputs and outputs respectively, and $Inv : Loc \mapsto \mathcal{B}(Clk)$ is a set of location invariants.
If $(q, a, \varphi, c, q') \in E$ is an edge, then $q$ is the initial (source) location of the edge, $a$ is an action label, $\varphi$ is a constraint over clocks that must be satisfied when the edge is executed, $c$ is a set of clocks to be reset, and $q'$ is a target location. We will give examples of TIOAs in Sect. 4.
The expansion of the behaviour of a TIOA $A = (Loc, q_0, Clk, E, Act, Inv)$ is the following TIOTS $[[A]]_{sem} = (Loc \times (Clk \mapsto \mathbb{R}_{\ge 0}), (q_0, \mathbf{0}), Act, \to)$, where $\mathbf{0}$ is a constant function mapping all clocks to zero, and $\to$ is generated by the two rules:
– Each $(q, a, \varphi, c, q') \in E$ gives rise to $(q, u) \xrightarrow{a} (q', u')$ for each clock valuation $u \in [Clk \mapsto \mathbb{R}_{\ge 0}]$ such that $u \models \varphi$ and $u' = u[r \mapsto 0]_{r \in c}$ and $u' \models Inv(q')$.
– Each location $q \in Loc$ with a valuation $u \in [Clk \mapsto \mathbb{R}_{\ge 0}]$ gives rise to a transition $(q, u) \xrightarrow{d} (q, u + d)$ for each delay $d \in \mathbb{R}_{\ge 0}$ such that $u + d \models Inv(q)$.
Below, whenever we talk about the states and transitions of a TIOA, we mean the states and the transitions of the underlying TIOTS. In particular, and as stated above, the states of this TIOTS are pairs of locations and clock valuations.
The TIOTSs induced by TIOAs satisfy the axioms 1–3 of Definition 1. In order to guarantee determinism, the TIOA has to be deterministic: for each action–location pair only one transition can be enabled at the same time. This is a standard check. We assume that all TIOAs below are deterministic.
Implementations (models) are a subclass of specifications, which are amenable to implementation in a real system. We assume that implementations have fixed timing behaviour (outputs occur at predictable times) and systems can always advance either by producing an output or delaying.
Definition 3. An implementation $P = (St^P, p_0, \Sigma^P, \to_P)$ is a specification such that for each state $p \in St^P$ we have:
[output urgency] $\forall p', p'' \in St^P$, if $p \xrightarrow{o!}_P p'$ and $p \xrightarrow{d}_P p''$ then $d = 0$ (and consequently, due to time determinism, $p = p''$), and,
[independent progress] $(\forall d \ge 0.\ p \xrightarrow{d}_P)$ or $(\exists d \in \mathbb{R}_{\ge 0}.\ \exists o! \in \Sigma^P_o.\ p \xrightarrow{d}_P p' \text{ and } p' \xrightarrow{o!}_P)$.
The above definition introduces implementations as a subset of TIOTSs, which simultaneously induces a subset of the TIOA space corresponding to them (those that are implementations when expanded to an infinite TIOTS).
A run $\rho$ of a TIOTS $S$ from its state $s_1$ is a sequence $s_1 \xrightarrow{a_1} s_2 \xrightarrow{a_2} \cdots \xrightarrow{a_{n-1}} s_n$ such that for all $i \in [1..n]$, $s_i \xrightarrow{a_i} s_{i+1}$ is a transition of $S$. We write $Runs(s_1, S)$ for the set of runs of $S$ starting in $s_1$, and $Runs(S)$ for the set of runs starting from the initial state of $S$. We write $States(\rho)$ for the set of states of $S$ present in $\rho$ and, if $\rho$ is finite, $last(\rho)$ for the last state occurring in $\rho$.
TIOAs are interpreted as two-player real-time games between the output player (the component) and the input player (the environment). The input plays with actions in $\Sigma_i$ and the output plays with actions in $\Sigma_o$:
Definition 4. A strategy $f$ for the input (resp. output) player, $k \in \{i, o\}$, on the TIOA $A$ is a partial function from $Runs([[A]]_{sem})$ to $Act_i \cup \{delay\}$ (resp. $Act_o \cup \{delay\}$) such that for every finite run $\rho$, if $f(\rho) \in \Sigma_k$ then $last(\rho) \xrightarrow{f(\rho)} s'$ for some state $s'$, and if $f(\rho) = delay$, then $\exists d > 0.\ \exists s''$ such that $last(\rho) \xrightarrow{d} s''$.
For a given strategy, we consider behaviors resulting from the application of the strategy to the TIOA, with respect to all possible strategies of the opponent:
Definition 5 (Outcome [15]). Let $A$ be a TIOA, $f$ a strategy over $A$ for the input player, and $s$ a state of $[[A]]_{sem}$. The outcome $Outcome_i(s, f)$ of $f$ from $s$ is the subset of $Runs(s, [[A]]_{sem})$ defined inductively by:
– $s \in Outcome_i(s, f)$,
– if $\rho \in Outcome_i(s, f)$ then $\rho' = \rho \xrightarrow{e} s' \in Outcome_i(s, f)$ if $\rho' \in Runs(s, [[A]]_{sem})$ and one of the following three conditions hold:
  1. $e \in Act_o$,
  2. $e \in Act_i$ and $e = f(\rho)$,
  3. $e \in \mathbb{R}_{\ge 0}$ and $\forall\, 0 \le e' < e.\ \exists s''.\ last(\rho) \xrightarrow{e'}_{[[A]]_{sem}} s''$ and $f(\rho \xrightarrow{e'} s'') = delay$.
– $\rho \in Outcome_i(s, f)$ if $\rho$ is infinite and all its finite prefixes are in $Outcome_i(s, f)$.
Let $MaxOutcome_i(s, f)$ be the subset of maximal runs of $Outcome_i(s, f)$, that is $\rho \in MaxOutcome_i(s, f)$ iff $\rho \in Outcome_i(s, f)$ and either $\rho$ has an infinite number of discrete actions, or $\rho$ contains a finite number of discrete actions and either there exist no $e \in Act \cup \mathbb{R}_{\ge 0}$ and no state $s'$ such that $\rho \xrightarrow{e} s' \in Outcome_i(s, f)$, or the sum of the delays in $\rho$ is infinite.
For a given TIOA $A$, a winning condition $W$ for input is a subset of $Runs([[A]]_{sem})$. We say that $W$ does not depend on the progress of the opponent (here output) iff whenever $\rho \in W$ and $\rho = \rho' \xrightarrow{e} \rho''$, with $e \in Act_o$, then either there exist $e' \in Act_i$, $d \in \mathbb{R}_{\ge 0}$, a state $s$ and a run $\rho'''$ such that $\rho' \xrightarrow{d} s \xrightarrow{e'} \rho''' \in W$, or there exist $d \in \mathbb{R}_{\ge 0}$ and some state $s$ such that $\rho' \xrightarrow{d} s \in W$. This restriction means that input should always be able to ensure progress by itself and that the actions of the opponent should not be abused to advance the game, since we cannot assume that the opponent will ever make use of them. For a winning condition $W$, we write $Strip(W)$ to denote the subset of $W$ in which the runs not satisfying this condition are removed.
A pair $(A, W)$ is an input timed game. Given a winning condition $W$ for input, a strategy $f$ of input is winning from state $s$ if $MaxOutcome(s, f) \subseteq W$. A state $s$ is winning for input if there exists a winning strategy for input from $s$. The game $(A, W)$ is winning for input if the initial state of $A$ is winning for it. For an input timed game $(A, W)$, we write $W_i(A, W)$ for the set of winning states for input and $F_i(A, W, s)$ for all winning strategies for input from $s$. The winning conditions considered here are:
– Reachability objective: the input player must enforce a set $Goal$ of "good" states. The corresponding winning condition is defined as
$WR_i(Goal) = Strip\{\rho \in Runs([[A]]_{sem}) \mid States(\rho) \cap Goal \ne \emptyset\}$ (1)
– Safety objective: the player must avoid a set $Bad$ of "bad" states. The corresponding winning condition is defined as:
$WS_i(Bad) = \{\rho \in Runs([[A]]_{sem}) \mid States(\rho) \cap Bad = \emptyset\}$ (2)
– Büchi objective: the player must enforce visiting $Goal$, a set of "good" states, infinitely often. The corresponding winning condition is
$WB_i(Goal) = Strip\{\rho \in Runs([[A]]_{sem}) \mid |States(\rho) \cap Goal| = \infty\}$ (3)
We define the outcomes $Outcome_o(s, f)$ and $MaxOutcome_o(s, f)$ of a strategy of the output player, as well as output timed games and all the related notions, by swapping $Act_i$ and $Act_o$ in the above definitions.
We now discuss the refinement relation, which relates two real time specifications, by saying which one allows more behaviour:
Definition 6. A specification $S = (St^S, s_0, \Sigma, \to_S)$ refines a specification $T = (St^T, t_0, \Sigma, \to_T)$, written $S \le T$, iff there exists a binary relation $R \subseteq St^S \times St^T$ containing $(s_0, t_0)$ such that for each pair of states $(s, t) \in R$ we have:
1. if $t \xrightarrow{i?}_T t'$ for some $t' \in St^T$ then $s \xrightarrow{i?}_S s'$ and $(s', t') \in R$ for some $s' \in St^S$
2. if $s \xrightarrow{o!}_S s'$ for some $s' \in St^S$ then $t \xrightarrow{o!}_T t'$ and $(s', t') \in R$ for some $t' \in St^T$
3. if $s \xrightarrow{d}_S s'$ for $d \in \mathbb{R}_{\ge 0}$ then $t \xrightarrow{d}_T t'$ and $(s', t') \in R$ for some $t' \in St^T$
An automaton $A_1$ refines automaton $A_2$, written $A_1 \le A_2$, iff $[[A_1]]_{sem} \le [[A_2]]_{sem}$. If $A_1$ is an implementation then we also say that it satisfies $A_2$, written $A_1 \models A_2$.
Refinement between two automata may be checked by playing a safety game on the product of their two state spaces, avoiding the error states (where error states are pairs of states of $S$ and $T$ for which one of the above rules is violated). See details in [11, 13]. Since the product can be expressed as a TIOA itself, the refinement can be checked using the safety game as defined above.
Consider two TIOTSs $S = (St^S, s^S_0, \Sigma^S, \to_S)$ and $T = (St^T, s^T_0, \Sigma^T, \to_T)$. We say that they are composable iff their output alphabets are disjoint, $\Sigma^S_o \cap \Sigma^T_o = \emptyset$. The product of $S$ and $T$ is the specification $S \otimes T = (St^S \otimes St^T, (s^S_0, s^T_0), \Sigma^{S \otimes T}, \to_{S \otimes T})$, where the alphabet $\Sigma^{S \otimes T} = \Sigma^S \cup \Sigma^T$ is partitioned into inputs and outputs in the following way: $\Sigma^{S \otimes T}_i = (\Sigma^S_i \setminus \Sigma^T_o) \cup (\Sigma^T_i \setminus \Sigma^S_o)$ and $\Sigma^{S \otimes T}_o = \Sigma^S_o \cup \Sigma^T_o$. The transition relation is generated by the following rules:
[indep-l] if $s \xrightarrow{a}_S s'$ and $a \in \Sigma^S \setminus \Sigma^T$ then $(s, t) \xrightarrow{a}_{S \otimes T} (s', t)$
[indep-r] if $t \xrightarrow{a}_T t'$ and $a \in \Sigma^T \setminus \Sigma^S$ then $(s, t) \xrightarrow{a}_{S \otimes T} (s, t')$
[sync] if $s \xrightarrow{a}_S s'$, $t \xrightarrow{a}_T t'$ and $a \in \mathbb{R}_{\ge 0} \cup \Sigma^{S \otimes T}_i \cup (\Sigma^S_i \cap \Sigma^T_o) \cup (\Sigma^S_o \cap \Sigma^T_i)$ then $(s, t) \xrightarrow{a}_{S \otimes T} (s', t')$
Let $undesirable$ be a set of error states, where a safety property is violated (for example by starting the engine of an elevator when its door is open). Two specifications are useful with respect to each other if there exists an environment that can avoid undesirable states of their product. Existence of such an environment can be established by finding a winning strategy in the game $WS_i(undesirable)$ for the product automaton. The parallel composition of $S$ and $T$ is defined as $S \,|\, T = prune(S \otimes T)$, where the prune operation removes from $S \otimes T$ all states which are not winning for the input player in the game $(S \otimes T, WS_i(undesirable))$. Parallel composition is defined both for specifications and implementations, as both are TIOTSs. Also a similar construction can be given on their finite representation, TIOAs [11], which can be used in tools.
In [11] we give constructions for two other operators computed as winning strategies in timed games. For TIOAs (TIOTSs) $B$ and $C$ we define conjunction $B \wedge C$, which computes an automaton representing shared implementations of $B$ and $C$, and also quotient $B \setminus C$, which computes a specification describing implementations that when composed with $C$ give a specification refining $B$. Rather than define these operations explicitly we characterize their essential properties, and refer the reader to [11] for precise details of the constructions. Let $A$ be an implementation. Then:
$A \models B \wedge C$ iff $A \models B$ and $A \models C$ (4)
$A \models B \setminus C$ iff $C \,|\, A \le B$ (5)
3 Büchi Objectives
Symbolic On-The-Fly Timed Reachability (SOTFTR) [8] is an efficient algorithm for solving two-player reachability timed games used in UPPAAL-TIGA [4]. It operates on the simulation graph induced by a TIOA representing the game. It follows an established principle: begin with all reachable states and propagate the winning states backwards. Its major contribution was the use of zones rather than regions. Zones, which are unions of regions of Alur and Dill [3], are the most efficient representation of clock valuations known so far. In the following we recall SOTFTR, extend it to solve Büchi objectives, and provide a new algorithm to verify Büchi and safety objectives combined.
3.1 Solving Büchi Games with SOTFTR
For a TIOTS $S$ and a set of states $X$, write $Pred_a(X) = \{s \in St^S \mid \exists s' \in X.\ s \xrightarrow{a} s'\}$ for the set of all $a$-predecessors of states in $X$. We write $iPred(X)$ for the set of all input predecessors, and $oPred(X)$ for all the output predecessors of $X$, so $iPred(X) = \bigcup_{a \in \Sigma^S_i} Pred_a(X)$ and $oPred(X) = \bigcup_{a \in \Sigma^S_o} Pred_a(X)$. Also $post_{[0, d_0]}(s)$ is the set of all time successors of a state $s$ that can be reached by delays less than or equal to $d_0$: $post_{[0, d_0]}(s) = \{s' \in St^S \mid \exists d \in [0, d_0].\ s \xrightarrow{d}_S s'\}$. The safe timed predecessors of a set $X$ relative to an unsafe set $Y$ are the states from which a state in $X$ is reached after a delay while avoiding any of the states in $Y$ (writing $\overline{Y}$ for the complement of $Y$):
$cPred_t(X, Y) = \{s \in St^S \mid \exists d_0 \in \mathbb{R}_{\ge 0}.\ \exists s' \in X.\ s \xrightarrow{d_0}_S s' \text{ and } post^S_{[0, d_0]}(s) \subseteq \overline{Y}\}$
Let $A$ be a TIOA and $G$ a set of "good" states in $[[A]]_{sem}$ that have to be reached, that is the objective is $WR_i(G)$. Consider the following computation [21, 8]:
$H_0 \leftarrow \emptyset$
repeat $H_{k+1} \leftarrow H_k \cup \pi_i(H_k) \cup G$ for $k = 0, 1, \ldots$
until $H_{k+1} = H_k$
where $\pi_i(H) = cPred_t(iPred(H), oPred(States(Runs([[A]]_{sem})) \setminus H))$. The $\pi_i$ operator computes the predecessors of set $H$ that can enforce $H$ in one step, regardless of what the output player does. It computes the timed predecessors ($cPred_t$) of the discrete predecessors by input actions of $H$ ($iPred$), avoiding the discrete predecessors by output actions ($oPred$) of the states not in $H$. The fixpoint of $\pi_i$ is the set of states in which the input player can enforce reaching $G$ eventually [21, 8]. SOTFTR is a symbolic zone-based implementation of the above fixpoint. The main difficulties in implementation are handling unions of zones, checking inclusion, and handling the predecessor operators.
The winning states of the output player can be computed by replacing $\pi_i$ with $\pi_o(H) = cPred_t(oPred(H), iPred(States(Runs([[A]]_{sem})) \setminus H))$. Thus, in the remainder, we focus on solving the game for the input player only.
The following algorithm for solving Büchi timed games is an adaptation of the above procedure given in [21], adjusted for a TIOA $A$ and a Büchi objective. The set of "good" states, $Goal$, is to be enforced infinitely often:
$W_0 \leftarrow States(Runs([[A]]_{sem}))$
for $j = 0, 1, \ldots$ repeat
  $H_0 \leftarrow \emptyset$
  repeat $H_{k+1} \leftarrow H_k \cup \pi_i(H_k) \cup (Goal \cap \pi_i(W_j))$ for $k = 0, 1, \ldots$
  until $H_{k+1} = H_k$
  $W_{j+1} \leftarrow H_k$
until $W_{j+1} = W_j$
Observe that a Büchi objective is essentially a closure of a reachability objective: it corresponds to finding a subset of "good" $Goal$ states, which themselves can warrant controllable reachability to the good subset itself, and then solving for reachability of that good subset. In the above computation, the inner loop finds states that can enforce a $Goal$ state in at least one discrete step, and uses this information to determine which $Goal$ states are actually "good" (the intersection with $Goal$). The outer loop removes the $Goal$ states that are not "good" from the target set of the inner loop. In the fixpoint, we find both the subset of good $Goal$ states and the states that can warrant reaching them.
SOTFTR itself computes the inner loop of this algorithm when $G = Goal \cap \pi_i(W_j)$. This observation leads to the Symbolic Timed Büchi games (STB) algorithm:
$W_0 \leftarrow States(Runs([[A]]_{sem}))$
repeat $W_{j+1} \leftarrow SOTFTR(Goal \cap \pi_i(W_j))$ for $j = 0, 1, \ldots$
until $W_{j+1} = W_j$
Observe that STB uses exactly the same operations on zones as SOTFTR, which means that it can also be implemented in an efficient manner.
Theorem 1 ([8, 21]). For any input Büchi timed game $(A, WB_i(Goal))$, STB terminates and upon termination $W_j = W_i(A, WB_i(Goal))$.
The algorithm of [21] computes over infinite sets of states. Our algorithm is nothing more than a symbolic implementation of the original. By construction and because of [8], the above correspondence is obtained directly. Termination is shown in [21].
3.2 Combining Safety and Büchi objectives
We now strengthen the Büchi objective so that not only the $Goal$ states are visited infinitely often, but also the set of unsafe states $Bad$ is avoided ($Bad \cap Goal = \emptyset$):
$WBS(Goal, Bad) = Strip\{\rho \in Runs([[A]]_{sem}) \mid States(\rho) \cap Bad = \emptyset \text{ and } |States(\rho) \cap Goal| = \infty\}$ (6)
Solving such games is of clear interest. For example, one would like to ensure that the Inputs have a strategy to avoid $Bad$ while ensuring that time is elapsing [16], in order to eliminate the so called Zeno-behaviours. It turns out that, if $Bad$ can be expressed as a finite union of pairs of locations and finite unions of zones, then this objective can be reduced to the usual Büchi objective by applying the following transformation to the game: (i) add a fresh location $B \notin Goal$; (ii) add a fresh output action $err \notin Act_i$; (iii) for each pair $(q, \bigcup_{i=1..n} Z_i) \in Bad$ such that $q$ is a location of $A$ and $\bigcup_{i=1..n} Z_i$ is a finite union of zones, add $n$ edges $E_i$ ($i = 1..n$) labelled by $err$ from $q$ to $B$ such that for all $i$, the guard of $E_i$ is $Z_i$.
Since location $B$ has no outgoing edges and does not belong to $Goal$, entering $B$ means losing the Büchi game. Suppose we want a winning strategy for Input. Observe that the added edges belong to the opponent. By definition of outcomes, going through any state in $Bad$ means that one of these edges can now be taken by the Output player and, as $B \notin Goal$, the game is lost for the Input player. The following theorem expresses the correctness of our transformation.
Theorem 2. Let $(A, WBS_i(Goal, Bad))$ be an input timed game, and $A'$ be its modification obtained by the above construction. Then $F_i(A, WBS_i(Goal, Bad)) = F_i(A', WB_i(Goal))$.
Proof. By construction $F_i(A', WB_i(Goal)) \subseteq F_i(A, WBS_i(Goal, Bad))$. A winning strategy in $F_i(A', WB_i(Goal))$ will never satisfy a guard in $A$ that allows $Bad$ to be reached, because these guards lead to the newly-added absorbing location in $A'$.
The converse follows directly from the definitions of winning conditions. Assume a strategy in $F_i(A, WBS_i(Goal, Bad))$. Such a strategy is a winning strategy for $WB_i(Goal)$ by construction since $WB$ is a weaker condition than $WBS$. ⊓⊔
Fig. 2: Monitor for non-Zeno strategies (figure: TIOA $Z$ with locations Init and NonZeno, a guard $y == 1$ and a reset $y = 0$).
An Application: eliminating Zeno Strategies. Consider a TIOA $A$ and a set $Bad$ of bad states. Our objective is to find the set of states from which Input (symmetrically Output) has a strategy to avoid $Bad$ while letting time elapse — as opposed to, for example, taking infinitely many discrete transitions without any delay transitions.
In order to generate non-Zeno strategies consider the product $A \times Z$ of $A$ and the TIOA $Z$ of Fig. 2. Then solve the timed game $(A \times Z, WBS_i(Goal, Bad))$, where $Goal$ is the set of states of $A \times Z$ in which $Z$ is in location NonZeno. To fulfill this objective, Input needs to avoid $Bad$ and ensure that NonZeno is visited infinitely often: once in NonZeno, the only way to revisit it is to pass through Init. This loop requires that 1 time unit elapses, so repeated revisits of NonZeno ensure time progress.
Note that this does not prevent the opposing player from using a spoiling strategy producing Zeno runs to prevent fulfillment of the objective.
Remark 1. One problem with the above setup is the effect of adding self-loops. Our interface theory requires TIOAs to be input-enabled. This means that, in any state of the game, the Input player should always be able to react on any of the Input actions. This typically means that states have implicit loops on input actions when the designer does not specify any other transition for an input. Now, assume that Output wants to win the game and guarantee that time elapses. Input could always play such an input-loop and hence block time. This means that the potential addition of arbitrary inputs may corrupt the game. A solution to the above problem is to blame Input each time it plays [16]. Then, the Input loses the game if there is a point of time after which it is blamed forever. De Alfaro et al. were the first to use blames. We can also add a monitor for the blame situation. Another solution, in order to avoid adding an extra automaton, is to use a counter in ECDAR to bound the number of Inputs (Outputs) that can be played successively.
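As an added example, not code from the paper or from ECDAR, the nested fixpoint of Sect. 3.1 (SOTFTR inside STB) and the Bad-absorbing construction of Sect. 3.2 are carried out on a finite, untimed game graph: delays and zones are abstracted away, so $\pi_i$ reduces to the plain controllable predecessor, and the state names, action names and the graph itself are constructed for this example.

```python
"""Büchi / Büchi+safety game solver on a finite, untimed game graph.

Constructed example (not ECDAR or UPPAAL-TIGA code): zones and delays are
abstracted away, so pi_i(H) is the plain controllable predecessor (input has
an edge into H and no output edge leaves H).  The nested fixpoint mirrors STB:
    W_{j+1} = SOTFTR(Goal ∩ pi_i(W_j)),  SOTFTR: H_{k+1} = H_k ∪ pi_i(H_k) ∪ G
"""
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source state, action, target state)


class Game:
    def __init__(self, states: Iterable[str], inputs: Iterable[str],
                 outputs: Iterable[str], edges: Iterable[Edge]) -> None:
        self.states, self.inputs, self.outputs = set(states), set(inputs), set(outputs)
        self.edges: List[Edge] = list(edges)

    def pred(self, actions: Set[str], X: Set[str]) -> Set[str]:
        """Union of Pred_a(X) over a in `actions`: sources of edges into X."""
        return {s for (s, a, t) in self.edges if a in actions and t in X}

    def ipred(self, X: Set[str]) -> Set[str]:
        return self.pred(self.inputs, X)

    def opred(self, X: Set[str]) -> Set[str]:
        return self.pred(self.outputs, X)

    def pi_i(self, H: Set[str]) -> Set[str]:
        """Untimed pi_i(H): states where input can force a step into H while
        no output edge can leave H (output may pre-empt input at any state)."""
        return self.ipred(H) - self.opred(self.states - H)

    def sotftr(self, G: Set[str]) -> Dict[str, int]:
        """Reachability fixpoint for WR_i(G).  Returns the winning states mapped
        to the iteration k at which they entered H_k (their rank)."""
        rank: Dict[str, int] = {}
        H: Set[str] = set()
        k = 0
        while True:
            k += 1
            H_next = H | self.pi_i(H) | G
            for s in H_next - H:
                rank[s] = k
            if H_next == H:
                return rank
            H = H_next

    def stb(self, goal: Set[str]) -> Set[str]:
        """STB: shrink W until only the Goal states that can force re-entry into
        W (the 'good' ones) and the states that can force reaching them remain."""
        W = set(self.states)
        while True:
            W_next = set(self.sotftr(goal & self.pi_i(W)))
            if W_next == W:
                return W
            W = W_next

    def absorb_bad(self, bad: Set[str], sink: str = "B", err: str = "err") -> "Game":
        """Sect. 3.2 construction: fresh location B (never in Goal, no outgoing
        edges) and a fresh output `err` from every Bad state into B."""
        assert sink not in self.states and err not in (self.inputs | self.outputs)
        new_edges = self.edges + [(b, err, sink) for b in sorted(bad)]
        return Game(self.states | {sink}, self.inputs, self.outputs | {err}, new_edges)

    def buchi_safety_winning(self, goal: Set[str], bad: Set[str]) -> Set[str]:
        """W_i(A, WBS_i(Goal, Bad)) via Theorem 2: the plain Büchi game on A'.
        B itself can never be winning, so nothing has to be removed afterwards."""
        assert not (goal & bad), "the reduction assumes Bad ∩ Goal = ∅"
        return self.absorb_bad(bad).stb(goal)

    def input_strategy(self, goal: Set[str]) -> Dict[str, Edge]:
        """Memoryless winning strategy for input: from a good Goal state step
        back into W, elsewhere step to a strictly smaller SOTFTR rank."""
        W = self.stb(goal)
        good = goal & self.pi_i(W)
        rank = self.sotftr(good)          # rank keys are exactly W at the fixpoint
        strategy: Dict[str, Edge] = {}
        for s in sorted(W):
            for (src, a, t) in self.edges:
                if src != s or a not in self.inputs:
                    continue
                if t in W and (s in good or rank[t] < rank[s]):
                    strategy[s] = (src, a, t)
                    break
        return strategy


# Constructed game graph: input action "i", output action "o".
# s1 <-> s2 is an input-controlled cycle through Goal state s2; from s2 output
# may divert to s3, from where input returns.  s4 can reach Goal state s5 once,
# but output then forces the dead end s6, so s4 and s5 are not Büchi-winning.
SAMPLE = Game(
    states={"s0", "s1", "s2", "s3", "s4", "s5", "s6"},
    inputs={"i"}, outputs={"o"},
    edges=[("s0", "i", "s1"), ("s1", "i", "s2"), ("s2", "i", "s1"),
           ("s2", "o", "s3"), ("s3", "i", "s2"),
           ("s4", "i", "s5"), ("s4", "o", "s0"), ("s5", "o", "s6")],
)
GOAL = {"s2", "s5"}
```

With `Bad = {"s6"}` the safety part is already implied by the Büchi part and `buchi_safety_winning` returns the same four states as `stb`; with `Bad = {"s3"}` the output's diversion from s2 becomes fatal and no state is winning.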
4 Case Study
The ideas just presented have been implemented in the tool ECDAR [10], which supports graphical modeling of TIOAs, computing composition operators (including quotienting), and reachability analysis. For this paper, we have extended ECDAR with support for Büchi and Büchi with safety objectives. We apply it to the analysis of a simple but realistic example: a sensor component and the software required to interface with it.⁵ The case study serves both to elucidate some of the technical definitions and to demonstrate their practicability.
Fig. 3: The driver/sensor system. (a) Logical interface; (b) Timing diagram, modified slightly from [22].
Fig. 4: TIOA model of the timing diagram: $T$ (figure: locations t0–t11; actions vinL!, vinH!, voutL!, voutH!, sample!, powerOff!; clocks x and y; variables b, w and changed; constants minspace, minmark and maxtrans; invariants x <= 2, x <= 15 and x <= 700).
4.1 Timing diagram model
The Sharp GP2D02 infrared sensor is a small component for measuring short distances and for detecting obstructions. Such sensors are incorporated into larger embedded systems through two communication wires which carry a protocol of rising and falling voltage levels. The four main components of a sensor subsystem are shown in Fig. 3a: an instance of the sensor, a driver component of a larger system, a vin wire controlled by the driver and read by the sensor, and a vout wire controlled by the sensor and read by the driver. The communication protocol between driver and sensor is described by the timing diagram of Fig. 3b.
The timing diagram describes the permissible interactions between a driver and a sensor. It represents a (partial) ordering of events and the timing constraints between them. With careful interpretation, against a background of engineering practice, the timing diagram can be modeled as the TIOA shown in Fig. 4 and henceforth called $T$. Note that constants are multiples of 0.1ms, so that the smallest constant in the timing diagram (0.2ms) can be represented by an integer constant (2) in the model. This model is the result of several choices and its fidelity can only be justified by informal argument [6, Chapter 4].
⁵ See http://www.tbrk.org/papers/wadt10.tar.gz for the implementation in ECDAR.
We will now step through the timing diagram and the TIOA model in parallel, describing the meaning of the former and justifying the details of the latter.
The interaction of driver and sensor is essentially quite simple: the driver requests a range reading, then after a brief delay the sensor signals that a reading has been made, the driver triggers the sensor to transmit the reading bit by bit, and, finally, the process is either repeated or the sensor is powered off. This interaction takes place entirely over the two communication wires.
The signal controlled by the driver is shown in the top half of the timing diagram. Its most obvious features are the falling and rising transitions; these have been modeled in the TIOA as outputs called, respectively, vinL! and vinH!. The driver may also perform two other actions which are not entirely evident from the timing diagram. It may sample the vout signal to read a bit transmitted by the sensor, which we represent by an output called sample!, and it may stop using the sensor, which we represent by an output called powerOff!. The signal controlled by the sensor is shown in the bottom half of the timing diagram. The rising and falling transitions on this signal are modeled as outputs called, respectively, voutL! and voutH!. In fact, all of the actions in the model are outputs because the timing diagram describes a closed system. The model is thus trivially input-enabled and there is no need for self-looping input transitions on each state. Furthermore, the model can be simulated in isolation since all channels in ECDAR must be broadcast channels (i.e. outputs are non-blocking).
The driver requests a range reading with vinL!, i.e. by lowering the voltage level of vin. The sensor responds with voutL!; it then performs the necessary measurements before signaling completion with voutH!. The timing diagram guarantees that the sensor will complete a reading and respond before 70ms or more have passed, after which the driver may perform a vinH!. This sequence can be seen in the model in the transitions linking states T0–T4. We model the timing constraint by resetting a clock x when the initial vinL! occurs, and adding the location invariant x ≤ 700 to states T1 and T2. By rights this invariant should be strict, i.e. x < 700, but this is not currently permitted in ECDAR. For strict compliance with the timing diagram we should also add the guard x > 700 to the vinH! transition between T3 and T4; in practice, however, there are implementations that do not wait the full 700ms but rather respond to voutH!. Both possible behaviors will be examined more closely in the next subsection.
After a reading has been made, the driver transfers the eight bits of the result from the sensor, from the most (MSB) to the least (LSB) significant bit. For each bit, the sensor sets the level of vout according to the value being transmitted, hence the ‘crossed blocks’ in Fig. 4. The timing diagram could be more precise about the details, but in our interpretation the driver triggers the next bit value with a vinL!, the sensor responds within a bounded time, and then the driver may sample! the value and reset vin with a vinH!, in any order, before the next bit is requested. The triggering vinL! appears in the model from T4 for the first bit and from T8 for subsequent bits. The first action must occur in 0.2ms or less, hence the invariant on T4. The associated transition resets two clocks: x, for enforcing the 1ms or more constraint across cycles, and y, for conditions on response times within each cycle. It also sets three variables: b, for counting the number of bits transmitted, w, for monitoring the level of vout, and changed, for limiting oscillations on vout. We use the w variable to ensure the strict alternation of voutL! and voutH!; an alternative approach is shown later. Two other constants appear around the loop T5–T8: maxtrans is a limit on the time it takes for vout to change after a triggering vinL!, and minspace is the minimum width of pulses on vin. We set both constants to zero for this case study.
Finally, after transmitting eight bits, the driver and sensor return their respective wires to a high level, and, after 1.5ms or more, either another reading is requested, or the sensor is powered off. The timing constraint is expressed as an invariant on T9, i.e. a guarantee on the behavior of the sensor, and guards on the transitions from T10, i.e. a constraint on the behavior of the driver. The invariant is right-closed and the guards are left-open for the same reasons given above for the 700ms constraint. Importantly, they do not overlap, so that time alone can be used to enforce the ordering between sensor and driver actions.
ECDAR is used to verify that the model is a valid (deterministic) specification, and also that it is consistent, i.e. that it has at least one valid implementation. We can also show two basic properties of the timing diagram model. The first, that vinL! and vinH! alternate strictly, is expressed using the automaton V_in, shown in Fig. 5b, and verified by the refinement T ≤ V_in. The second, that voutL! and voutH! alternate strictly, is shown similarly using V_out, shown in Fig. 5c, and the refinement T ≤ V_out. In fact, both properties can also be shown, using composition, by the single refinement T ≤ (V_in | V_out).
4.2 Separate driver and sensor models
While the single automaton model of the previous section is a suitable formalization of the timing diagram, there are at least two motivations for creating separate but interacting models for the roles of driver and sensor. First, this separation emphasizes the distinct behaviors of each and clarifies their points of synchronization; each of the two wires is, in effect, modeled separately. Second, each of the models may be used in isolation. This possibility is exploited in an appendix of the full version of this paper where a separate driver model serves as the specification for a model of an implementation in assembly language.
The components of the models are shown in Fig. 5. We discuss the driver models first, then the sensor, before relating them all to the timing diagram model.
The driver model. As previously mentioned, there are two ways for a driver to behave after it has requested a range reading: it can wait for a rising transition on the vout wire, or it can just wait 700ms regardless. We model each possibility separately; both models are shown in Fig. 5a. The model that responds to the sensor event is called D_ev; it comprises all locations except the one labeled dd1, which should be ignored together with all of its incoming and outgoing transitions. The model that always delays is called D_de; it comprises all locations except those labeled de1 and de2, whose connected transitions are also excluded. The models cannot be combined without introducing non-determinism.

[Fig. 5: Sensor and driver models. (a) Driver models D_ev and D_de, with locations d0–d9 plus de1, de2 and dd1; (b) driver property V_in, two locations low and high joined by vinL! and vinH!; (c) auxiliary sensor model V_out, two locations low and high joined by voutL! and voutH!; (d) main sensor model S, locations s0–s5.]
Aside from these initial differences the two models behave identically and their structures resemble that of the timing diagram model except that events on vout from the sensor are now modeled as the input actions voutL? and voutH?, and a counterpart for the state T9 is not required. We explicitly model input-enabledness by adding self-loops, which, although not mandatory, since actions occur on broadcast channels, are necessary in ECDAR for verifying refinement. Note that both driver variants require little interaction with the sensor, relying instead on timing assumptions to ensure synchronization. In fact, only D_ev reacts to sensor events directly, through the voutH? transition between D_ev1 and D_ev2, though both models do sample the level of vout.
Refinement can be used to show a basic property of both driver models, that vinL! and vinH! alternate. This property is expressed as the automaton V_in, shown in Fig. 5b, and we use ECDAR to show D_ev ≤ V_in and D_de ≤ V_in.
We would also like to claim that D_de refines D_ev, i.e. that D_de ≤ D_ev, since D_ev can always wait after receiving voutH?, but ECDAR rejects this claim since D_de does not guarantee that voutH? will precede its initial vinH!. In fact, this type of refinement can only be shown in a conditional form where assumptions on the environment are made explicit. We revisit this idea after presenting a model for the sensor that embodies sufficient assumptions.
The sensor model. The sensor model S is shown in Fig. 5d. Events on the vin wire are now modeled as the inputs vinL? and vinH?, with additional self-loops on certain states, and the outputs sample! and powerOff! are not needed. The initial segment, S0–S3, mimics the corresponding part of the timing diagram model, but the clocking loop is reduced to a single location S4 with five self-looping transitions and one outgoing transition.
In location S4, the effect of the inputs, vinL? and vinH?, depends on the time elapsed since the last request for a bit, as measured by the clock x, and the number of bits remaining to transmit, as tracked by the counter b. The input vinL?, which requests the next bit, is ignored if it occurs (again) within the period given to the sensor to set the level of vout, and also when all bits have been transmitted, i.e. when b = 0. The input vinH? is ignored until all bits have been transmitted, at which time, provided maxtrans units have elapsed since the last vinL?, it triggers an exit from S4. The outputs voutL! and voutH! may only occur within maxtrans units of the last vinL?, and, furthermore, at most one output may occur within any cycle, that is between any two successive and ‘legal’ vinL?s. The former constraint is expressed in the clause x ≤ maxtrans, and the latter using the variable changed.
Instead of a changed variable, an earlier model [6, Figure 4.16] has two states with three transitions from the first (changed = tt) to the second (changed = ff): one labeled with voutL!, another with voutH!, and the last unlabeled. This last τ-transition marks the possibility that the sensor decides not to change the voltage level, which occurs when two consecutive bits of a range reading are identical. Besides being more explicit, the two-state version is also more liberal since it is ready to accept vinH? and vinL? as soon as the value of vout has been set. Even with maxtrans = 0 there is a difference since in the current model there is always a non-zero delay after a triggering vinL! before subsequent vinL! or vinH! actions can influence the sensor. In any case, τ-steps are not permitted in TIOA and replacing them with an explicit output only makes modeling awkward, and, moreover, it is unnecessary since the driver models always wait and never respond immediately to vinL! or vinH! whose occurrence is a sufficient but not necessary indication of a stable value on vout.
The sensor model as it stands allows arbitrary interleaving of voutL! and voutH!. This is in contrast to the timing diagram model of Fig. 3b, where a variable, w, tracks the level of vout, or effectively which of voutL! or voutH! occurred most recently, and is used to constrain output events. The required alternating behavior is recovered using the conjunction operator and the TIOA V_out, depicted in Fig. 5c, giving the complete sensor specification: (S ∧ V_out). Here, the conjunction operator obviates the need to update and query a state variable on multiple transitions. A specific constraint is expressed in a localized and obvious form and the rest of the model can be constructed under the assumption that it will hold. In ECDAR, the two automata, S and V_out, execute in parallel and must synchronize on voutL! and voutH!, neither of which may occur otherwise. Unlike for the timing diagram and the driver models, there is no need to separately verify the alternation of outputs—it is guaranteed by construction.

Table 1: Counterexample for D_de ≤ D_ev

  D_de.vinL!          Attacker plays outputs on left of ≤
  D_ev.vinL!          Defender's response on right of ≤
  D_de waits 701ms    Attacker may delay on left of ≤
  D_ev waits 701ms    Defender's response on right of ≤
  D_de.vinH!          Attacker plays outputs on left of ≤
  no response         Defender loses!
Relations between the models. Now that we have a few different models, we turn our attention to their interrelationships. It turns out that one of the driver models is more general than the other under certain assumptions. After verifying that fact, we turn our attention to validating the composition of the driver and sensor models against the timing diagram model. We also consider how the quotient operator might be applied.
The two driver models differ only in their initial interaction with the sensor: after requesting a range reading, D_de always waits 700ms, whereas D_ev may respond as soon as the sensor raises vout. One could thus suppose that D_ev is more general than D_de, since it can also refuse to act before 700ms has passed even after receiving a voutH!. But, as described earlier, a first, naive attempt to show the refinement D_de ≤ D_ev fails! The counter-example strategy can be simulated in ECDAR, giving the results shown in Table 1. There is no guarantee that the inputs needed by D_ev will be provided. We must make these assumptions on the environment explicit by instead stating the relation as

    (D_de | (S ∧ V_out)) ≤ (D_ev | (S ∧ V_out)),

which is readily validated by ECDAR.⁶ The verification fails if D_de and D_ev are swapped: D_ev can perform a vinH! when x ≤ 700 while D_de cannot.
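The refinement game of Table 1, replayed as an added example in Python (not the paper's ECDAR models): both drivers are reduced to the request phase with a single clock x, the location names and the 700 ms constant follow the paper, and the exact edges, the implicit input self-loops and the absence of location invariants are assumptions of this example.

```python
# Added illustration (not the paper's ECDAR models): D_de and D_ev cut down
# to the request phase with one clock x. Location names and the 700 ms
# constant follow the paper; the exact edges are assumptions of this example.

class TA:
    """Deterministic timed I/O automaton over one clock x.

    edges: (src, action, dst, guard, reset) with guard a predicate on x.
    An input ('?') with no edge in a location is absorbed by an implicit
    self-loop, mirroring the input-enabling self-loops the paper adds.
    """

    def __init__(self, name, edges):
        self.name = name
        self.edges = edges

    def step(self, loc, x, action):
        """Return (loc', x') after `action`, or None if it is not enabled."""
        for src, act, dst, guard, reset in self.edges:
            if src == loc and act == action and guard(x):
                return dst, (0.0 if reset else x)
        if action.endswith("?"):  # implicit input self-loop
            return loc, x
        return None


def ALWAYS(x):
    return True


# D_de: always waits the full 700 ms after the request before raising vin.
D_DE = TA("Dde", [
    ("d0", "vinL!", "dd1", ALWAYS, True),
    ("dd1", "vinH!", "d3", lambda x: x > 700, False),
])

# D_ev: raises vin as soon as the sensor has signalled voutH?.
D_EV = TA("Dev", [
    ("d0", "vinL!", "de1", ALWAYS, True),
    ("de1", "voutH?", "de2", ALWAYS, False),
    ("de2", "vinH!", "d3", ALWAYS, False),
])


def play(left, right, moves, start="d0"):
    """Replay `moves` against the refinement left <= right.

    ('out', a) and ('delay', d) are attacker moves on the left; ('in', a)
    is an input challenge from the right that the left must accept. With
    no location invariants every delay is allowed and only advances x.
    The last row reads 'Defender loses' if the defender cannot match.
    """
    ll, lx, rl, rx = start, 0.0, start, 0.0
    rows = []
    for kind, arg in moves:
        if kind == "delay":
            lx, rx = lx + arg, rx + arg
            rows.append((f"{left.name} waits {arg}", f"{right.name} waits {arg}"))
            continue
        l_next, r_next = left.step(ll, lx, arg), right.step(rl, rx, arg)
        attacker, defender = (left, right) if kind == "out" else (right, left)
        a_next, d_next = (l_next, r_next) if kind == "out" else (r_next, l_next)
        if a_next is None:
            raise ValueError(f"{attacker.name} cannot play {arg}")
        if d_next is None:
            rows.append((f"{attacker.name}.{arg}", "Defender loses"))
            return rows
        (ll, lx), (rl, rx) = l_next, r_next
        rows.append((f"{attacker.name}.{arg}", f"{defender.name}.{arg}"))
    return rows


# The attacker's moves from Table 1: request, wait 701 ms, raise vin.
TABLE_1 = [("out", "vinL!"), ("delay", 701), ("out", "vinH!")]

# With D_ev on the left and the sensor's voutH? supplied as an input
# challenge, it is D_de that cannot answer: its vinH! needs x > 700.
SWAPPED = [("out", "vinL!"), ("in", "voutH?"), ("out", "vinH!")]

if __name__ == "__main__":
    for row in play(D_DE, D_EV, TABLE_1) + play(D_EV, D_DE, SWAPPED):
        print("%-18s %s" % row)
```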
The compositions of the driver and sensor models have been proposed as alternatives to the timing diagram model. We state this, for the more general driver model, as two properties: (D_ev | (S ∧ V_out)) ≤ T, and T ≤ (D_ev | (S ∧ V_out)), both of which are verified almost instantaneously by ECDAR. For the similar properties with D_de instead of D_ev, only the version with T on the right of the refinement holds, as would be expected.
Even ignoring the conjunction operator, the possibility of verifying a refinement with a composition on the right-hand side is interesting, because it is not possible in any existing tools for checking timed automata refinement. For instance, current implementations [7] of the usual construction for checking timed trace inclusion [18, 23] require that the refined specification is an explicit automaton. The capability to address compositions is one advantage of incorporating the refinement verification into the model-checker itself.

⁶ In the current version of ECDAR, S and V_out must be explicitly duplicated.
There are limited opportunities to apply the quotient operator in this case study,
perhaps because there are only a small number of models and the operators are not
nested in especially complicated ways. There are, though, two types of properties that
may be attempted.
The first type of property uses the quotient on the right-hand side of a refinement instead of composition on the left-hand side. For instance, we can verify D_ev ≤ (T \ (S ∧ V_out)) in ECDAR. The right hand side expresses the idea of the timing diagram modulo certain assumptions on the environment. Currently the tool requires the explicit definition of universal and inconsistent states when using the quotient operator, and simulations are not possible. These issues will be addressed in future versions.
Second, we could try the quotient on the left-hand side of a refinement. For instance, to propose the property (T \ D_ev) ≤ (S ∧ V_out) as a means of finding out whether the sensor model is maximal with respect to the timing diagram and driver model. This cannot work in general, however, since as soon as D_ev cannot do an output from a state, like vinH! from the initial state for example, the quotient will have a transition to the universal state from which any output or delay can be chosen, at any time, to challenge the other side of the refinement.
Büchi objectives. Some aspects of specifying liveness are addressed by the algorithms presented earlier, and supported in ECDAR. It is possible, for example, to determine whether a given combination of a TIOA and a liveness constraint, expressed as a Büchi objective, are consistent; i.e. whether refinement is possible. But other important aspects are not yet addressed satisfactorily. Most notably, the interaction of Büchi constraints and refinement is limited.
Büchi objectives offer a way to further constrain specifications. For example, consider adding an additional requirement to the timing diagram model T: if an initial range reading is requested, the system must eventually be powered off. We will interpret this to mean that two behaviors are allowed: 1. resting forever in T0, or, 2. terminating in T11. Our first attempt is to simply try to solve a Büchi objective for the current model: (T, WB({T0, T11})). But this is not correct, and ECDAR reports that the model is inconsistent. While the model starts in T0, and T11 is always reachable, the Büchi objective is only satisfied if either of T0 or T11 is reentered infinitely often. Self-looping output transitions must be added to T0 and T11 to allow ‘resting’ in these states. If we do this—choosing an arbitrary output that will not occur in any other models—and call the modified version T′, ECDAR confirms that (T′, WB({T′0, T′11})) is consistent.
The modified model is easily adapted to allow a system that never stops taking range readings: (T′, WB({T′0, T′10, T′11})). This model is obviously consistent since increasing the set of states in the Büchi objective cannot reduce the set of possible implementations. More information can be gained by verifying the consistency of (T′, WB({T′10})), which confirms that the model allows unbounded repetitions of the protocol. Compliance with the Büchi objective is achieved by pruning away the transition labelled powerOff!, so this verification does not show that the unadorned model T′ does not allow termination, only that the model can choose to cycle continuously. Verifying the consistency of a model with a Büchi objective can be useful as a sanity check.
While Büchi objectives in ECDAR are quite useful for checking consistency properties, they work less well in combination with refinement. For instance, in ECDAR we can show (T′, WB({T′0})) ≤ (T′, WB({T′10})).
This is indeed correct, since any implementation of the left-hand side is also an
implementation of the right-hand side, but it could be considered misleading, since
the left-hand side specifies a system that never starts a range reading, while the right-
hand side could be interpreted as specifying a system that never stops performing range
readings whereas, in fact, it is a system where it is possible, but not strictly necessary,
to keep performing range readings. The source of this mismatch is that the current
refinement is based on partial observations rather than complete ones, which is adequate
for safety but not for liveness.
The pruning of output transitions that can result from the combination of a TIOA and a Büchi objective gives models where a constraint that is supposedly on infinite behaviors also constrains finite behaviors, which, while not necessarily bad, is perhaps not completely reasonable [1]. The methodological implications for our theory are not yet clear, but we note here that this situation can be detected using refinement verification in ECDAR. The machine closure [2] of a TIOA A and a Büchi objective B can be checked by the refinement A ≤ (A, B), which will fail if a reachable output transition in A is not present in (A, B).
5 Summary and Future Work
We have shown that ECDAR and the underlying theory are powerful enough to handle a small—in terms of the scale of systems developed by industry—but realistic case study. The input/output semantics of TIOA works well for open systems, and the game-based refinement semantics, i.e. the idea of challenging with inputs from the right-hand side and outputs or delays from the left-hand side, quickly comes to seem natural. Including refinement testing in the model checker itself is much more convenient than having to pass models through an external tool, and the concomitant feature of allowing composed models on either side of the relation is a powerful one. Finally, the conjunction operator is a very convenient modeling feature.
Still, several elements could be improved. While Büchi objectives are currently not without use, a different notion and implementation of refinement is needed to support more sophisticated applications. The quotient operator is supported by ECDAR, but its effect is not easily visualized or simulated. More work is needed to determine how it can be usefully applied to system development and verification; the sensor case study is too limited in this regard. ECDAR takes advantage of the mature UPPAAL user interface, but strategies, goals, and the effect of pruning are inherently more complicated and harder to understand than are simple traces; more work is needed to understand how best to compute and communicate this information. Furthermore, the new operators and analyses available in ECDAR make it natural to work with multiple pairings of system declarations and properties, but this is not yet well supported by the user interface.
References
1. M. Abadi, B. Alpern, K. R. Apt, N. Francez, S. Katz, L. Lamport, and F. B. Schneider. Preserving liveness: Comments on “Safety and liveness from a methodological point of view”. Information Processing Letters, 40(3):141–142, 1991.
2. M. Abadi and L. Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2):253–284, 1991.
3. R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
4. G. Behrmann, A. Cougnard, A. David, E. Fleury, K. G. Larsen, and D. Lime. UPPAAL-Tiga: Time for playing games! In CAV, volume 4590 of LNCS. Springer, 2007.
5. G. Behrmann, A. David, and K. G. Larsen. A tutorial on Uppaal. In M. Bernardo and F. Corradini, editors, SFM, volume 3185 of LNCS, pages 200–236. Springer, 2004.
6. T. Bourke. Modelling and Programming Embedded Controllers with Timed Automata and Synchronous Languages. PhD thesis, University of New South Wales, Sydney, 2009.
7. T. Bourke and A. Sowmya. Automatically transforming and relating Uppaal models of embedded systems. In EMSOFT, pages 59–68, 2008.
8. F. Cassez, A. David, E. Fleury, K. G. Larsen, and D. Lime. Efficient on-the-fly algorithms for the analysis of timed games. In CONCUR, 2005.
9. A. Chakrabarti, L. de Alfaro, T. A. Henzinger, and M. I. A. Stoelinga. Resource interfaces. In R. Alur and I. Lee, editors, EMSOFT, LNCS. Springer, 2003.
10. A. David, K. Larsen, A. Legay, U. Nyman, and A. Wąsowski. ECDAR: An environment for compositional design and analysis of real time systems. In ATVA, 2010. Accepted.
11. A. David, K. Larsen, A. Legay, U. Nyman, and A. Wąsowski. Timed I/O automata: a complete specification theory for real-time systems. In HSCC’10, pages 91–100. ACM, 2010.
12. L. de Alfaro, L. D. da Silva, M. Faella, A. Legay, P. Roy, and M. Sorea. Sociable interfaces. In FroCos, volume 3717 of LNCS, pages 81–105. Springer, 2005.
13. L. de Alfaro and T. A. Henzinger. Interface automata. In FSE, pages 109–120, Vienna, Austria, Sept. 2001. ACM Press.
14. L. de Alfaro and T. A. Henzinger. Interface-based design. In Marktoberdorf Summer School. Kluwer Academic Publishers, 2004.
15. L. de Alfaro, T. A. Henzinger, and R. Majumdar. Symbolic algorithms for infinite-state games. In CONCUR, volume 2154 of LNCS, pages 536–550. Springer, 2001.
16. L. de Alfaro, T. A. Henzinger, and M. I. A. Stoelinga. Timed interfaces. In EMSOFT, volume 2491 of LNCS, pages 108–122. Springer, 2002.
17. http://www.cs.aau.dk/~adavid/ecdar/.
18. H. E. Jensen, K. G. Larsen, and A. Skou. Scaling up Uppaal: Automatic verification of real-time systems using compositionality and abstraction. In FTRTFT00, pages 19–30, 2000.
19. D. K. Kaynar, N. A. Lynch, R. Segala, and F. W. Vaandrager. Timed I/O Automata: A mathematical framework for modeling and analyzing real-time systems. In RTSS, pages 166–177. IEEE Computer Society, 2003.
20. K. G. Larsen. Modal specifications. In J. Sifakis, editor, Automatic Verification Methods for Finite State Systems, volume 407 of LNCS, pages 232–246. Springer, 1989.
21. O. Maler, A. Pnueli, and J. Sifakis. On the synthesis of discrete controllers for timed systems (an extended abstract). In STACS, pages 229–242, 1995.
22. Sharp Corp. GP2D02: Compact, high sensitive distance measuring sensor, 1997.
23. M. I. Stoelinga. Alea Jacta est: Verification of probabilistic, real-time and parametric systems. PhD thesis, Katholieke Universiteit Nijmegen, 2002.
