GENERAL INSTRUCTIONS FOR COMPLETING SF 298

The Report Documentation Page (RDP) is used in announcing and cataloging reports. It is important that this information be consistent with the rest of the report, particularly the cover and title page. Instructions for filling in each block of the form follow. It is important to stay within the lines to meet optical scanning requirements.

As modern control systems become more complex, bugs in human designs become increasingly hard to detect by traditional methods such as simulation and prototype testing. The introduction of timing information into specifications makes analyzing processes even more subtle. Thus there is great need for formal methods for proving the correctness of real-time systems. A related topic of research is how to automatically generate provably correct real-time processes, thus bypassing the need for debugging and iterative design. The goals of this project are to develop computationally feasible automatic methods for the formal verification and synthesis of hard real-time systems.

In previous years, we have investigated algorithms based on generalizations of finite-state minimization for verification and the use of approximations of various kinds. We have also explored formalisms for supervisory synthesis under real-time constraints. In this, the final year of the project, we have focused our efforts on making approximation methods work for more realistic system designs. We have also invested considerable effort in generalizing our approximation techniques in the hope that they can be used in other domains.

Our current algorithm works by successive approximation. It proceeds in a sequence of forward and backward passes. In each pass, it maintains both an overapproximation and an underapproximation of the reachable state space. If no "bad states" appear in the overapproximation, or if a bad state appears in the underapproximation, the verifier can halt immediately with the correct result. Otherwise, it reverses direction and refines the approximations to increase accuracy. Ultimately, the verifier will always halt with the correct result (unless it runs out of memory or the user runs out of patience).

There are several novel ideas in the approximation scheme. The verifier uses a hybrid symbolic representation of the state space, consisting of sets of linear inequalities of the form x - y < c, where c is an integer, to represent timing, and a binary decision diagram representing sets of control states (but not representing the timing). This year, we have cleaned up and improved the efficiency of the implementation of our verifier significantly. We added "invariants" to states, which allow us to express upper bounds as well as lower bounds on delays. Also, we have added "urgent" actions, which happen as soon as they are enabled. We are now consistently able to handle all of the examples we set out to do, including the difficult Ethernet example of Weinberg and Zuck (from the Concur 92 conference). In addition, we have an algorithm for handling "skewed clock automata," which allow timers that
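The following is an added illustration of the over-/under-approximation scheme sketched above; it is not the project's verifier and does not reproduce its symbolic (inequality plus BDD) representation or its alternating forward and backward passes. It works on a small, explicit, untimed transition system: the abstraction is a partition of the concrete states into blocks, "may" transitions between blocks give an overapproximation of the reachable blocks, "must" transitions give an underapproximation, and when neither suffices for a verdict one block is split and the pass is repeated. The two toy systems, the state names and the function names are all constructed for this example.

```python
"""Safety checking by over- and under-approximation with refinement.

Illustrative example, not the report's verifier.  Abstraction = partition of
concrete states into blocks.
  may(B, B')  : some state of B has a successor in B'   -> overapproximation
  must(B, B') : every state of B has a successor in B'  -> underapproximation
A block on a must-path from a block holding an initial state certainly
contains a concrete reachable state; every reachable state lies in a block
on some may-path.  Hence: no bad block may-reachable  => safe;
a must-reachable block entirely inside Bad              => unsafe.
"""


def block_of(partition, s):
    """Index of the block that contains concrete state s."""
    for i, b in enumerate(partition):
        if s in b:
            return i
    raise KeyError(s)


def abstract_transitions(partition, trans):
    """Compute the may- and must-transition relations between block indices."""
    may, must = set(), set()
    for i, src in enumerate(partition):
        for j, dst in enumerate(partition):
            hits = [any(t in dst for t in trans.get(s, ())) for s in src]
            if any(hits):
                may.add((i, j))
            if all(hits):
                must.add((i, j))
    return may, must


def reach(start, rel):
    """Blocks reachable from `start` along the relation `rel`."""
    seen, work = set(start), list(start)
    while work:
        i = work.pop()
        for a, b in rel:
            if a == i and b not in seen:
                seen.add(b)
                work.append(b)
    return seen


def split(partition, i, part):
    """Replace block i by `part` and its complement, both non-empty."""
    rest = partition[i] - part
    assert part and rest, "refinement must make progress"
    return partition[:i] + [part, rest] + partition[i + 1:]


def refine(partition, trans, may, must, under, over, bad):
    """Split one block whose coarseness prevents a verdict."""
    # (1) A may-reachable block mixing bad and good states: separate them.
    for i in sorted(over):
        b = partition[i]
        if b & bad and not b <= bad:
            return split(partition, i, b & bad)
    # (2) Otherwise a bad block is may- but not must-reachable, so some
    #     may-but-not-must edge leaves the underapproximation.  Split its
    #     source by "has a successor in the target block".
    for i, j in sorted(may - must):
        if i in under and j not in under:
            with_succ = frozenset(
                s for s in partition[i]
                if any(t in partition[j] for t in trans.get(s, ())))
            return split(partition, i, with_succ)
    raise AssertionError("unreachable: a refinement always exists here")


def verify(states, init, trans, bad):
    """Return ('safe' | 'unsafe', number of passes)."""
    bad = frozenset(bad)
    partition = [frozenset(states)]           # coarsest possible abstraction
    passes = 0
    while True:                               # terminates: partition is finite
        passes += 1
        may, must = abstract_transitions(partition, trans)
        init_blocks = {block_of(partition, s) for s in init}
        over = reach(init_blocks, may)        # superset of the reachable blocks
        under = reach(init_blocks, must)      # each block holds a reachable state
        if not any(partition[i] & bad for i in over):
            return "safe", passes
        if any(partition[i] <= bad for i in under):
            return "unsafe", passes
        partition = refine(partition, trans, may, must, under, over, bad)


def concrete_reachable(init, trans):
    """Brute-force reachable set, used only to cross-check the verdicts."""
    seen, work = set(init), list(init)
    while work:
        s = work.pop()
        for t in trans.get(s, ()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


# Constructed toy systems (hypothetical, not from the report).
# SAFE: two disjoint cycles; bad state 5 is in the cycle that does not contain
# the initial state 0, which the coarsest abstraction cannot see.
SAFE_TRANS = {0: {1}, 1: {2}, 2: {0}, 3: {4}, 4: {5}, 5: {3}}
# UNSAFE: a branch at state 1 leads into the bad state 3.
UNSAFE_TRANS = {0: {1}, 1: {2, 3}, 2: {2}, 3: {3}}


def demo():
    """Verify both toy systems and cross-check against brute force."""
    results = {}
    for name, trans, bad in (("safe", SAFE_TRANS, {5}), ("unsafe", UNSAFE_TRANS, {3})):
        states = set(trans) | {t for ts in trans.values() for t in ts}
        verdict, passes = verify(states, {0}, trans, bad)
        assert (verdict == "unsafe") == bool(concrete_reachable({0}, trans) & bad)
        results[name] = (verdict, passes)
    return results


if __name__ == "__main__":
    for name, (verdict, passes) in demo().items():
        print(f"{name:7s}: {verdict} after {passes} passes")
```

Both refinement rules are chosen so that a split is always non-trivial, which is what guarantees termination on a finite system: rule (1) fires while some may-reachable block straddles the bad set, and once every bad block is pure, the first block on a may-path that is not must-reachable must be entered by a may-but-not-must edge, whose source rule (2) splits. The real verifier gains over this toy in two ways the abstract describes: it alternates forward and backward passes instead of always refining forward, and it keeps the state sets symbolic (difference constraints for clocks, a BDD for control) rather than as explicit blocks.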
