Dynamic Linear Hybrid Automata and Their Applications to Formal Verification of Dynamic Reconfigurable Embedded Systems by 柳瀬 龍 & Yanase Ryo
Abstract for Dissertation
Graduate School of Natural Science and Technology
Division of Electrical Engineering and Computer Science
Kanazawa University
Networking systems and embedded systems are able to change their configuration, components and modules at run-time. Such a system is called a dynamically reconfigurable system. For guaranteeing the safety of such a system, model checking is one of the effective methods. This paper presents the dynamic linear hybrid automaton (DLHA) as a specification language for designing dynamically reconfigurable systems. As a practical experiment, we describe an embedded cooperative system consisting of a CPU and a DRP by DLHAs and verify several properties of the system with a model checker that performs reachability analysis using monitor automata.
1 Introduction
Dynamically reconfigurable systems are being used in a number of areas [1, 2, 3]. The major methods of checking system safety are simulation and testing; however, they often cannot ensure safety precisely, since they do not check all states. In such cases, model checking is a more effective method. In this paper, we propose the Dynamic Linear Hybrid Automaton (DLHA) specification language for describing dynamically reconfigurable systems and provide a reachability analysis algorithm for verifying system safety.
1.1 Features of dynamically reconfigurable systems consisting of CPU and DRP
The target of our research is an embedded system in which a CPU and dynamically reconfigurable hardware, e.g., a DRP or D-FPGA [4], operate cooperatively. The dynamically reconfigurable processor (DRP) is a coarse-grained programmable processor developed by NEC [3]; it achieves both power conservation and miniaturization. The DRP is used to accelerate the computations of a general-purpose CPU through cooperative operation, and it has the following features:
- Dynamic creation/destruction of functions: when a process occurs, the DRP constitutes a private circuit for processing it. The circuit configuration is released after the process finishes.
- Hybrid property: the operating frequency changes whenever a context switch occurs.
- Parallel execution: the DRP executes several processes on the same board at the same time.
- Queue for communication: the DRP asynchronously receives processing requests from the CPU.
For the experiments, we specified a dynamically reconfigurable embedded system consisting of a CPU and a DRP, and verified some of its important features. This is the first time that specification and verification of dynamic changes have been tried in a practical case.
1.2 Related Work
1.2.1 Specification
We developed a new specification language (DLHA) based on the linear hybrid automaton [5], extended with both creation/destruction events and unbounded FIFO queues. DLHA differs from existing research in the following points:
- V. Varshavsky and others proposed the GALA (Globally Asynchronous - Locally Arbitrary) modeling approach including timed guards [6]. This approach cannot describe hybrid systems, since it is a specification language based on discrete systems. Thus, GALA cannot represent changes in operating frequency.
- S. Minami and others have specified a dynamically reconfigurable system using linear hybrid automata and have verified it by using the model checker HYTECH [7]. Since linear hybrid automata cannot describe changes to the configuration or asynchronous communication through unbounded FIFO queues, the system had to be specified as a static system.
- P. C. Attie and N. A. Lynch specified systems whose components are dynamically created/destroyed by using I/O automata [8]. I/O automata cannot describe changes in variables, for example, changes in clocks and operating frequency.
- H. Yamada and others proposed hierarchical linear hybrid automata for specifying dynamically reconfigurable systems [9]. They introduced concepts such as class, object, etc., into the specification language. However, as the scale of the system to be specified increases, the representation and the method of analysis in the verification stage tend to become complex.
- B. Boigelot and P. Godefroid specified a communication protocol in terms of finite-state machines and unbounded FIFO buffers (queues), and verified it [10]. Since a finite-state machine also cannot describe changes in variables, it is unsuitable in our case.
- A. Bouajjani and others proposed a reachability analysis for pushdown automata and a symbolic reachability analysis for FIFO-channel systems [11, 12]. However, since their analyses do not provide for continuous changes in variables, their languages cannot be used for designing hybrid systems.
1.2.2 Verification Method
The originality of our work on the verification method is twofold:
- Our method targets systems that dynamically change their configurations, which is something that existing work, such as HYTECH, has studied. We extend the syntax and semantics of linear hybrid automata with special actions called creation actions and destruction actions. We define a state in which an automaton does not exist, and transitions for creation and destruction.
- Our method is a comprehensive symbolic verification covering hybrid properties, FIFO queues and creation/destruction of tasks.
2 Dynamic Linear Hybrid Automaton
2.1 Syntax
A dynamic linear hybrid automaton (DLHA) is an extended linear hybrid automaton, represented as an 8-tuple (L, V, Inv, Flow, Act, T, t0, Td), where
- L is a finite set of nodes called locations.
- V is a finite set of variables.
- Inv : L → (V) is a function that assigns an invariant to each location, where (V) is the set of all constraints over V.
- Flow : L → F(V) is a function that assigns a flow condition to each location, where F(V) is the set of all flow conditions over V.
- Act = Act_in ∪ Act_out ∪ Act is a finite set of actions.
  - Act_in is a finite set of input actions, each of the form a?. An input action m? denotes receiving the message m.
  - Act_out is a finite set of output actions, each of the form a!. An output action m! denotes broadcasting the message m to every DLHA.
  - The third component of Act is a finite set of internal actions that denote other events.
  Moreover, we formalize the following special actions:
  - A creation action has the form Crt_A′? or Crt_A′! and denotes a message for the creation of the DLHA A′. Crt_A′? is an input action, representing that A′ has been created. Crt_A′! ∈ Act_out is an output action, representing a request to create A′.
  - A destruction action has the form Dst_A′? or Dst_A′! and denotes a message for the destruction of the DLHA A′. Dst_A′? ∈ Act_in is an input action indicating that A′ has been destroyed.
  - An enqueue action has the form q!m and denotes enqueueing the message m into the queue q. This action is an internal one, that is, q!m belongs to the set of internal actions.
  - A dequeue action has the form q?m and denotes dequeueing the message m from the head of the queue q.
- T ⊆ L × (V) × Act × 2^UPD(V) × L is a finite set of edges called transitions. Here, the constraint taken from (V) is called the guard condition, and the element of 2^UPD(V) is called the set of update expressions. Each update expression has the form x := c or x := x + c, where x ∈ V and c ∈ Q.
- t0 ∈ L × (Act_in ∪ Act) × 2^UPD(V) is the initial transition.
- Td ⊆ L × (V) × Act_out is a finite set of destruction-transitions.
2.2 Operational Semantics
A state of a DLHA (L, V, Inv, Flow, A, T, t0, Td) is defined as ⊥ | (l, ), i.e., it is either ⊥ or a pair of a location l ∈ L and an assignment V → R called the evaluation of variables; ⊥ denotes an undefined value (the DLHA does not exist).
The semantics M of the DLHA is defined as (, ⇒, 0), where the first component is the set of states, ⇒ is the set of time transitions and discrete transitions, and 0 is the initial state.
2.2.1 Time transition
For an arbitrary delay in R≥0,
- ⊥ ⇒ ⊥,
- (l, ) ⇒ (l, ′) if ′ =  + ·Flow(l) ∈ Inv(l),
where ′ =  + ·Flow(l) denotes the evaluation such that ∀x ∈ V. ′(x) = (x) + ·ẋ_Flow(l)(x), and ′ ∈ Inv(l) denotes that ′(x) satisfies the constraint Inv(l) for every x ∈ V.
2.2.2 Discrete transition
For an evaluation and a set of update expressions  ∈ 2^UPD(V), [] denotes the evaluation updated by that set.
- For any transition (l, , a, , l′) ∈ T, (l, ) ⇒^a (l′, []) if the guard holds in  and [] ∈ Inv(l′).
- (Creation of a DLHA) For the initial transition t0 = (l0, a0, 0), ⊥ ⇒^a0 (l0, ~0[0]), where ~0 is the evaluation such that ∀x ∈ V. ~0(x) = 0.
- (Destruction of a DLHA) For any destruction-transition (l, , a) ∈ Td, (l, ) ⇒^a ⊥ if the guard holds in .
For the initial transition (l0, a0, 0), the initial state 0 is defined as
0 = (
To describe asynchronous communication among the DLHAs of a dynamically reconfigurable system, we use a queue (an unbounded FIFO buffer) as the model of a communication channel. We assume that the system performs lossless transmission, so the queue can be unbounded.
A dynamically reconfigurable system S = (A, Q) consists of a finite set A = {A1, …, A|A|} of DLHAs and a finite set Q = {q1, …, q|Q|} of queues. A state s of the dynamically reconfigurable system is a tuple ⟨~, ~w_Q⟩, where ~ is the vector of the states of the DLHAs and ~w_Q is the vector of the contents of the queues.
3.0.1 Time Transition
For an arbitrary delay in R≥0, the time transition is defined as
⟨~, ~w_Q⟩ → ⟨~′, ~w_Q⟩ ⟺ ∀i. i ⇒ ′i.
3.0.2 Discrete Transition
Let ~, ~′, ~w_Q and ~w′_Q be ~ = (1, …, |A|), ~′ = (′1, …, ′|A|), ~w_Q = (w1, …, w|Q|) and ~w′_Q = (w′1, …, w′|Q|), where i and ′i denote the i-th DLHA states.
- For any output action a!, ⟨~, ~w_Q⟩ →^a ⟨~′, ~w_Q⟩
  iff ∃i. i ⇒^{a!} ′i ∧ ∀j ≠ i. (j ⇒^{a?} ′j) ∨ ((¬∃′j. j ⇒^{a?} ′j) ∧ j = ′j).
  An output action is broadcast to all DLHAs, and a DLHA receiving the action moves by synchronization if its guard condition holds in the current state; otherwise it stays where it is.
- For an internal action a,
  - in the case a = qk!w, ⟨~, ~w_Q⟩ →^{qk!w} ⟨~′, ~w′_Q⟩
    iff ∃i. i ⇒^{qk!w} ′i ∧ ∀j ≠ i. j = ′j ∧ w′k = wk·w ∧ ∀l ≠ k. wl = w′l;
  - in the case a = qk?w, ⟨~, ~w_Q⟩ →^{qk?w} ⟨~′, ~w′_Q⟩
    iff ∃i. i ⇒^{qk?w} ′i ∧ ∀j ≠ i. j = ′j ∧ wk = w·w′k ∧ ∀l ≠ k. wl = w′l;
  - otherwise, ⟨~, ~w_Q⟩ →^a ⟨~′, ~w_Q⟩
    iff ∃i. i ⇒^a ′i ∧ ∀j ≠ i. j = ′j.
A run (or path) of the system S is a finite (or infinite) sequence of states
s0 →^{a0} s1 →^{a1} ⋯ →^{a_{i−1}} si →^{a_i} ⋯
where →^{a_i} between si and si+1 is defined as follows (a time transition followed by the discrete transition a_i):
si →^{a_i} si+1 ⟺ ∃s′i. si → s′i ∧ s′i →^{a_i} si+1.
The initial state s0 is the tuple ⟨(01, …, 0|A|), (w01, …, w0|Q|)⟩, where each 0i is the initial state of the DLHA Ai and each w0j is empty; that is, ∀j. w0j = ε.
4 Reachability Analysis
4.1 Reachability Problem
We define reachability and the reachability problem for a dynamically reconfigurable system as follows:
Definition 1 (Reachability) For a dynamically reconfigurable system S = (A, Q) and a location lt, S reaches lt if there exists a path s0 →^{a0} ⋯ →^{a_{t−1}} st such that st has a DLHA-state which contains the location lt.
Definition 2 (Reachability Problem) Given a dynamically reconfigurable system S = (A, Q) and a location lt, output "yes" if S can reach lt, and "no" otherwise.
4.2 Algorithm of Reachability Analysis
Fig. 1 shows the algorithm of the reachability analysis. Our method introduces convex polyhedra for the reachability analysis in accordance with [17]. In this algorithm, we define a state s in the reachability analysis as (L, , ~w_Q), where L is a finite set of locations, the second component is a convex polyhedron, and ~w_Q is a vector of the contents of the queues. Fig. 1 is an overview of the reachability analysis; the algorithm is the method of [13] extended with a set Q of queues. The analysis is performed as follows:
1. Compute the initial state s0 of the system S (lines 1–3).
2. Initialize the traversed set Visit and the untraversed set Wait of states to ∅ and {s0}, respectively (line 4).
3. While Wait is not empty, repeat the following process (lines 5–16):
   (a) Take a state (L, , ~w_Q) from Wait and remove it from Wait (lines 6–7).
   (b) If the set L of locations contains the target location, return "yes" and terminate (lines 8–10).
   (c) If the state has not been traversed yet ((L, , ~w_Q) ∉ Visit) (line 11),
      i. add the state to Visit (line 12),
      ii. compute the set Spost of successors with the subroutine Succ (line 13), and
      iii. add all members of Spost to Wait (line 14).
The subroutine Succ computes the successors of a state. The successors of a state s together with a transition that has an output action are computed by the following procedure:
1. Initialize Spost to ∅.
2. Compute the convex polyhedron reached by the time transition.
3. For each Ai in the system S, compute the set Ts_i of transitions outgoing from the state via the input action al?.
4. Compute the set of all combinations of the Ts_i.
5. For each combination T = (t1, …, tn) in that set, compute the successor s′ = (L′_T, ′_T, ~w_Q) and set Spost := Spost ∪ {s′}.
The correctness of this algorithm follows from Lemma 1 and Lemma 2.
Lemma 1 If this algorithm terminates and returns "lt is not reachable", the system S satisfies the safety property.
Lemma 2 If this algorithm terminates and returns "lt is reachable", the system S does not satisfy the safety property.
By definition, all linear hybrid automata are DLHAs. Our system dynamically changes its structure by sending and receiving messages. However, the messages statically determine the structure, so the system is a linear hybrid automaton with a set of queues, and the analysis is essentially equivalent to the reachability analysis of a linear hybrid automaton. Therefore, the reachability problem of dynamically reconfigurable systems is undecidable, and this algorithm might not terminate [13].
Moreover, in some cases a system runs into an abnormal state in which the length of a queue grows without bound, and the verification procedure does not terminate.
Input: a system S and a target location lt
Output: "yes" or "no"
1: L0 ← {l0i | t0i = (l0i, a0i, 0i), a0i ≠ Crt_Ai?}
2: 0 ← ⋃{0i | t0i = (l0i, a0i, 0i), a0i ≠ Crt_Ai?}
3: s0 ← (L0, ~0[0], (ε, …, ε)) /* Compute the initial state */
4: Visit ← ∅; Wait ← {s0} /* Initialize */
5: while Wait ≠ ∅ do
6:   (L, , ~w_Q) ← s ∈ Wait
7:   Wait ← Wait \ {(L, , ~w_Q)}
8:   if lt ∈ L then
9:     return "yes"
10:  end if
11:  if (L, , ~w_Q) ∉ Visit then
12:    Visit ← Visit ∪ {(L, , ~w_Q)}
13:    Spost ← Succ((L, , ~w_Q), S) /* Compute the set of post-states */
Figure 1: Reachability Analysis
5 Practical Experiment
5.1 Model Checker
We implemented a model checker for dynamically reconfigurable systems consisting of DLHAs in Java (about 1,600 lines of code), using the external libraries LAS, PPL, and QDD [10, 14, 15, 16]. For verification, we input the DLHAs of the system, a monitor automaton, and the error location to the model checker, and it outputs "yes (reachable)" or "no (unreachable)". The monitor automaton has a special location (we call it the error location) and checks the system without changing the system's behavior [17]. The monitor automaton must be specified so that it reaches the error location if the system does not satisfy the property.
For the specification of the input model, we extended the syntax and semantics of DLHA as follows:
- A transition between locations can carry the label asap (meaning 'as soon as possible'). For a transition labeled asap, no time transition occurs just before the discrete transition.
- Each DLHA can have constraints and update expressions over the variables of another DLHA in the same system. That is, the variables of each DLHA can be used in the invariants, guard conditions, update expressions and flow conditions of all DLHAs.
5.2 Specification of Dynamically Reconfigurable Embedded System
5.2.1 A cooperative system including CPU and DRP
We have specified a dynamically reconfigurable embedded system consisting of a CPU and a DRP, based on the model described in our previous research [7]. A DRP has computation resources called tiles (or processing elements), and it dynamically sets up the context of a process if there are enough free tiles. In addition, a DRP can change the operating frequency in accordance with the running processes. In this paper, we assume that the number of tiles and the operating frequency for each process have been set in advance and that the operating frequency of the DRP is always the minimum frequency of the running co-tasks.
Fig. 2 shows an overview of the system. This system processes jobs submitted from the external environment through the cooperative operation of the CPU and DRP. The CPU Dispatcher creates a task when it receives a call message for the task from the external environment. When a task on the CPU uses the DRP, the CPU Dispatcher sends a message to the DRP Dispatcher. The DRP Dispatcher receives the message asynchronously and creates a co-task (meaning 'cooperative task') in a first-come, first-served manner if there are enough free tiles. Here, we assume that this system has two tasks and two co-tasks that have the pa-
Figure 3: Components of the system
The system, whose components are illustrated in Fig. 3, consists of 11 DLHAs and 1 queue. The external environment consists of EnvA and EnvB, which periodically create TaskA and TaskB: EnvA creates TaskA every 70 milliseconds, and EnvB creates TaskB every 200 milliseconds. The Scheduler performs scheduling in accordance with the priorities and the actions for creation and destruction of DLHAs.
TaskA and TaskB send a message to the Sender if they need a co-task. The Sender enqueues the message to create a co-task into q when it receives a message from a task.
The DRP Dispatcher dequeues a message and creates cotask_a0, cotask_a1, or cotask_b0 if there are enough free tiles. The Frequency Manager is a module that manages the operating frequency of the DRP. When the DLHA of a co-task is created, the Frequency Manager moves to the location that sets the frequency to the minimum value.
Table 1: Parameters of tasks
Task | Period | Deadline | Priority | Process
A    | 70 ms  | 70 ms    | high     | 20 ms, co-task a0, 10 ms, co-task b0
B    | 200 ms | 200 ms   | low      | co-task a1, 97 ms
Table 2: Parameters of co-tasks
co-task | Processing time | Deadline | Tiles | Rate of frequency
a0, a1  | 10 ms           | 15 ms    | 2     | 1
b0      | 5 ms            | 10 ms    | 6     | 1/2
5.2.2 Other cases
We took the parameters of the model in subsection 5.2.1 and conducted experiments with the following modifications of it.
- Modified tasks: we modified the parameters of the tasks on the CPU as shown in Table 3. Here, the parameters of the co-tasks are the same as those in Table 2.
- Modified co-tasks: we modified the parameters of the co-tasks on the DRP as shown in Table 4. The parameters of the tasks are the same as those in Table 1.
Table 3: Modified parameters of tasks
Task | Period | Deadline | Priority | Process
A    | 90 ms  | 80 ms    | high     | 20 ms, co-task b0, 20 ms, co-task a0
B    | 200 ms | 150 ms   | low      | co-task a1, 70 ms
Table 4: Modified parameters of co-tasks
co-task | Processing time | Deadline | Tiles | Rate of frequency
a0, a1  | 5 ms            | 10 ms    | 4     | 1
b0      | 10 ms           | 20 ms    | 5     | 1/3
5.3 Verication Experiment
We verified that the embedded systems described in subsection 5.2 satisfy the following properties by using monitor automata. The verification experiment was performed on a machine with an Intel(R) Core(TM) i7-3770 (3.40 GHz) CPU and 16 GB RAM running Gentoo Linux (3.10.25-gentoo).
The verified properties are:
- Schedulability: schedulability is the property that each task of the system finishes before its deadline. Let E_A be the total processing time and D_A the deadline of task A; the remaining processing time is E_A − e_A, and the remaining time until the deadline is D_A − r_A. Therefore, the monitor automaton moves to the error location if task A has been created and satisfies the condition E_A − e_A > D_A − r_A (Fig. 4).
- Creation of co-tasks: in the embedded system, each co-task must be created before the remaining time of the task calling it reaches its deadline. When the message create_a0 is received from task A, the monitor automaton starts counting time for co-task a0. If the waiting time exceeds the deadline of task A before it receives the message Crt_cotask_a0, the monitor moves to the error location.
- Destruction of co-tasks: each co-task must be destroyed before the waiting time reaches its deadline. For co-task a0, when the message Crt_cotask_a0 is received from the DRP Dispatcher, the monitor automaton checks for the message Dst_cotask_a0.
- Frequency management: when a co-task is created or destroyed, the DRP changes the operating frequency according to the co-tasks being processed. Since this system requires the frequency to always be at the minimum value, the monitor checks whether the Frequency Manager moves to the correct location when it receives a message for creating a co-task. For example, when co-task a0 and co-task b0 are running on the DRP, the Frequency Manager must be at location L_Freq_b.
- Tile management: when the DRP receives a message for creating a co-task and the number of free tiles is enough to process it, the dispatcher creates the co-task and then updates the number of used tiles. The monitor automaton checks whether the number of tiles in the DRP Dispatcher is always between 0 and the maximum number, 8 in this case.
Figure 4: Monitor automaton checking schedulability
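As an added illustration of the Fig. 1 worklist loop (Visit/Wait, Succ with broadcast, enqueue and dequeue actions, creation from and destruction to ⊥) and of the Tile Management monitor check above, the following Python is example code written for this page, not the authors' Java model checker. The Sender, DRP Dispatcher, co-task DLHAs, Monitor, the shared variable `tiles` and the `check_tiles` switch are all constructed here; continuous time and convex polyhedra are left out, so only the discrete skeleton of the algorithm is shown.

```python
from collections import deque

# Constructed toy system: Sender enqueues co-task requests into queue q, the
# Dispatcher dequeues them, broadcasts Crt_m! and receives Dst_m?, and a Monitor
# moves to "error" when the tile count leaves [0, MAX_TILES].
MAX_TILES = 8
TILE_COST = {"a0": 2, "b0": 6}          # tiles per co-task, as in Table 2
INIT = {"Sender": "idle", "Dispatcher": "wait", "Monitor": "ok",
        "Cotask_a0": None, "Cotask_b0": None}   # None = undefined state (not created)

def upd(**changes):
    """Update expressions x := f(v); returns a fresh valuation."""
    return lambda v: {**v, **{x: f(v) for x, f in changes.items()}}

def build_system(check_tiles):
    """Transitions as (automaton, src, guard, action, update, dst) tuples."""
    ok = lambda v: True
    ts = [("Sender", "idle", ok, ("enq", "q", "a0"), upd(), "s1"),
          ("Sender", "s1", ok, ("enq", "q", "b0"), upd(), "s2"),
          ("Sender", "s2", ok, ("enq", "q", "b0"), upd(), "done")]
    for m, c in TILE_COST.items():
        # free-tile guard of the dispatcher; dropped when check_tiles is False
        fits = (lambda v, c=c: v["tiles"] + c <= MAX_TILES) if check_tiles else ok
        ts += [("Dispatcher", "wait", ok, ("deq", "q", m), upd(), "got_" + m),
               ("Dispatcher", "got_" + m, fits, ("out", "Crt_" + m),
                upd(tiles=lambda v, c=c: v["tiles"] + c), "wait"),
               ("Cotask_" + m, None, ok, ("in", "Crt_" + m), upd(), "run"),   # creation
               ("Cotask_" + m, "run", ok, ("out", "Dst_" + m), upd(), None)]  # destruction
        for src in ("wait", "got_a0", "got_b0"):   # tiles are returned on Dst_m?
            ts.append(("Dispatcher", src, ok, ("in", "Dst_" + m),
                       upd(tiles=lambda v, c=c: v["tiles"] - c), src))
    ts.append(("Monitor", "ok", lambda v: not 0 <= v["tiles"] <= MAX_TILES,
               ("tau",), upd(), "error"))
    return ts

def freeze(locs, v, queues):
    """Hashable state (L, valuation, queue contents) for the Visit set."""
    return tuple(tuple(sorted(d.items())) for d in (locs, v, queues))

def succ(state, ts):
    """Subroutine Succ: successors by enqueue, dequeue, internal and output actions."""
    locs, v, queues = (dict(x) for x in state)
    out = []
    for a, src, guard, act, update, dst in ts:
        if locs[a] != src or not guard(v) or act[0] == "in":
            continue                      # input actions fire only in synchrony below
        nl, nv, nq = dict(locs), update(v), dict(queues)
        nl[a] = dst
        if act[0] == "enq":
            nq[act[1]] = queues[act[1]] + (act[2],)
        elif act[0] == "deq":
            if not queues[act[1]] or queues[act[1]][0] != act[2]:
                continue                  # message m is not at the head of q
            nq[act[1]] = queues[act[1]][1:]
        elif act[0] == "out":             # broadcast m!: every other DLHA with an
            moved = {a}                   # enabled m? transition moves as well
            for b, s2, g2, a2, u2, d2 in ts:
                if b not in moved and a2 == ("in", act[1]) and locs[b] == s2 and g2(v):
                    nl[b], nv, moved = d2, u2(nv), moved | {b}
        out.append(freeze(nl, nv, nq))
    return out

def reachable(ts, init, v0, queues0, target):
    """Worklist loop of Fig. 1 with traversed set Visit and untraversed set Wait."""
    visit, wait = set(), deque([freeze(init, v0, queues0)])
    while wait:
        s = wait.popleft()
        if target in dict(s[0]).values():
            return True                   # "yes": some DLHA is at the target location
        if s not in visit:
            visit.add(s)
            wait.extend(succ(s, ts))
    return False                          # "no": Wait exhausted without reaching target

def tile_management_violated(check_tiles):
    """True iff the Monitor's error location is reachable."""
    return reachable(build_system(check_tiles), INIT, {"tiles": 0}, {"q": ()}, "error")

if __name__ == "__main__":
    print("guarded dispatcher:", tile_management_violated(True))     # False
    print("unguarded dispatcher:", tile_management_violated(False))  # True
```

With the guard, no interleaving of requests, creations and destructions takes `tiles` outside 0..8, so the search exhausts Wait and answers "no"; without it, the third request overcommits the tiles and the error location is found.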
The experimental results shown in Table 5 indicate that the modified-tasks cases and the modified-co-tasks cases were verified with fewer computation resources (memory and time) than the original model. This reduction is likely due to the following reasons:
- Regarding the schedulability of the modified-tasks model, the processing time is shorter than that of the original model because the verification terminates as soon as a counterexample is found.
- In the modified-co-tasks cases, the most obvious explanation is that the state space is smaller than that of the original model, since the number of branches in the search tree (i.e., nondeterministic transitions in this system) is reduced by changing the start timings of the tasks and co-tasks through the parameters.
- In the cases other than those of the modified tasks, the state space is considered to be smaller than that of the original model because this system is designed to stop processing when a task exceeds its deadline.
6 Conclusion and future work
In this paper, we proposed the dynamic linear hybrid automaton (DLHA) as a specification language for dynamically reconfigurable systems. We also devised an algorithm for reachability analysis and developed a model checker for verifying such systems. Our future research will focus on more effective verification methods, for example, model checking with CEGAR (counterexample-guided abstraction refinement) and bounded model checking based on SMT (satisfiability modulo theories) [18, 19].
References
[1] P. Garcia, K. Compton, M. Schulte, E. Blem and W. Fu. An Overview of Reconfigurable Hardware in Embedded Systems. EURASIP J. Embedded Syst., 2006(1):1–19, 2002.
[2] J. W. Lockwood, J. Moscola, M. Kulig, D. Reddick and T. Brooks. Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware. In Military and Aerospace Programmable Logic Device (MAPLD), E10, 2003.
[3] M. Motomura, T. Fujii, K. Furuta, K. Anjo, Y. Yabe, K. Togawa, J. Yamada, Y. Izawa and R. Sasaki. New Generation Microprocessor Architecture (2): Dynamically Reconfigurable Processor (DRP). IPSJ Magazine, 46(11):1259–1265, 2005.
[4] H. Amano, Y. Adachi, S. Tsutsumi and K. Ishikawa. A context dependent clock control mechanism for dynamically reconfigurable processors. Technical Report of IEICE, 104(589):13–16, 2005.
[5] R. Alur, C. Courcoubetis, T. A. Henzinger and P. Ho. Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. Lecture Notes in Computer Science, 736:209–229, 1993.
[6] V. Varshavsky and V. Marakhovsky. GALA (Globally Asynchronous – Locally Arbitrary) Design. Lecture Notes in Computer Science, 2549:61–107, 2002.
[7] S. Minami, S. Takinai, S. Sekoguchi, Y. Nakai and S. Yamane. Modeling, Specification and Model checking of dynamically reconfigurable processors. Computer Software, 28(1):190–216, 2011.
[8] P. C. Attie and N. A. Lynch. Dynamic input/output automata, a formal model for dynamic systems. Proceedings of the twentieth annual ACM symposium on Principles of distributed computing (PODC '01), 2154:314–316, 2001.
[9] H. Yamada, Y. Nakai and S. Yamane. Proposal of Specification Language and Verification Experiment for Dynamically Reconfigurable System. Journal of Information Processing Society of Japan, Programming, 6(3):1–19, 2013.
[10] B. Boigelot and P. Godefroid. Symbolic Verification of Communication Protocols with Infinite State Spaces using QDDs. Form. Methods Syst. Des., 14(3):237–255, 1999.
Table 5: Experimental results
Model             | Property               | Satisfiability | Memory [MB] | Time [sec] | States
Original          | Schedulability         | yes            | 168         | 180        | 1220
Original          | Creation of co-tasks   | yes            | 92          | 315        | 1220
Original          | Destruction of co-tasks| yes            | 154         | 233        | 1220
Original          | Frequency Management   | yes            | 173         | 265        | 1220
Original          | Tile Management        | yes            | 167         | 234        | 1220
Modified tasks    | Schedulability         | no             | 105         | 10.2       | 91
Modified tasks    | Creation of co-tasks   | yes            | 117         | 145        | 771
Modified tasks    | Destruction of co-tasks| yes            | 82          | 151        | 771
Modified tasks    | Frequency Management   | yes            | 197         | 115        | 771
Modified tasks    | Tile Management        | yes            | 135         | 107        | 771
Modified co-tasks | Schedulability         | yes            | 83          | 141        | 768
Modified co-tasks | Creation of co-tasks   | yes            | 85          | 183        | 768
Modified co-tasks | Destruction of co-tasks| yes            | 86          | 191        | 768
Modified co-tasks | Frequency Management   | yes            | 104         | 141        | 768
Modified co-tasks | Tile Management        | yes            | 119         | 134        | 768
[11] A. Bouajjani, J. Esparza and O. Maler. Reachability Analysis of Pushdown Automata: Application to Model Checking. Lecture Notes in Computer Science, 1243:135–150, 1997.
[12] A. Bouajjani and P. Habermehl. Symbolic reachability analysis of FIFO-channel systems with nonregular sets of configurations. Lecture Notes in Computer Science, 1256:560–570, 1997.
[13] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P. Ho, X. Nicollin, A. Olivero, J. Sifakis and S. Yovine. The algorithmic analysis of hybrid systems. Theoretical Computer Science, 138:3–34, 1995.
[14] Y. Ono and S. Yamane. Computation of quantifier elimination of linear inequalities of first order predicate logic. IEICE Technical Report. COMP, Computation, 111(20):55–59, 2011.
[15] R. Bagnara, P. M. Hill and E. Zaffanella. The Parma Polyhedra Library: Toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Sci. Comput. Program., 72(1–2):3–21, 2008.
[16] B. Boigelot, P. Godefroid, B. Willems and P. Wolper. The Power of QDDs (Extended Abstract). SAS, 172–186, 1997.
[17] T. A. Henzinger, P. Ho and H. Wong-Toi. HyTech: A Model Checker for Hybrid Systems. Software Tools for Technology Transfer, 1:460–463, 1997.
[18] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu and H. Veith. Counterexample-Guided Abstraction Refinement. Proceedings of the 12th International Conference on Computer Aided Verification, 1855:154–169, 2000.
[19] R. Nieuwenhuis, A. Oliveras and C. Tinelli. Abstract DPLL and abstract DPLL modulo theories. In LPAR '04, LNAI 3452, 36–50, 2005.