Introduction
Temporal logic model checking is a technique for determining the correctness of finite-state systems. A large number of problems in computer science can be modeled using finite-state representations. Real-time systems can often be represented in such a way. Because they are used in many critical applications, being able to depend on them is vital. Model checking [5, 6] can assist in demonstrating the correctness of such systems. The use of this technique can help increase the efficiency of their validation and help generate systems with higher reliability. This work explains how model checking can be applied to the verification of real-time systems.
In model checking, specifications are expressed as formulas of a propositional temporal logic. The system to be verified is modeled as a state-transition graph, and the graph is searched to determine if it satisfies the property. A symbolic model checking algorithm is one in which the transition relation is represented implicitly by boolean formulas, and states are not explicitly enumerated. The SMV symbolic model checking algorithm [1, 10] is the basis of our approach. It is extended to handle real-time properties. The original model checking algorithm represents properties as formulas in the temporal logic CTL (Computation Tree Logic). This logic allows us to state properties such as "event p will happen sometime in the future", but not "event p will happen in at most x units of time". In real-time systems, properties of the latter type appear frequently, because we must bound the execution time in order to make the system predictable. We augment CTL so that it is possible to express real-time properties using the bounded until operator [9], and show how to check formulas involving operators of this type using BDD-based symbolic model checking techniques.
Another extension to the algorithm comes from the fact that all transitions in an SMV model take exactly one step to occur. However, in realistic models this is not always true. A symbolic model checking algorithm is presented for bounded CTL formulas using timed transition graphs (TTGs), in which a transition may take more than one step, as models.
Temporal logic model checking is described in section 2. Section 3 discusses binary decision diagrams, which form the basis for the symbolic algorithms described in this work. The logic used in the model checker is presented in section 4, and in section 5 the symbolic model checking algorithm is explained. The extension that allows real-time properties to be expressed is described in section 6. In section 7 timed transition graphs are presented, and a symbolic model checking algorithm for TTG models is given. An example of how these techniques work, the priority inversion problem, is presented in section 8. The paper ends in section 9 with a discussion of the results.
Temporal Logic Model Checking
Extensive simulation is currently the most widely used verification technique. However, simulation does not exhaust all possible behaviors of a computing system. Exhaustive simulation is too expensive, and non-exhaustive simulation can miss important events, especially if the number of states in the system being verified is large. Other approaches to verification include theorem provers, term rewriting systems and proof checkers. These techniques, however, are usually very time consuming, and require user intervention to a large degree. Such characteristics limit the size of the systems they can verify in practice.
Temporal logic model checking [5, 6] is an alternative approach that has achieved significant results recently. Efficient algorithms are able to verify properties of extremely large systems. In this technique, specifications are written as formulas in a propositional temporal logic and computer systems are represented by state-transition graphs. Verification is accomplished by an efficient breadth-first search procedure that views the transition system as a model for the logic, and determines if the specifications are satisfied by that model.
There are several advantages to this approach. An important one is that the procedure is completely automatic. The model checker accepts a model description and specifications written as temporal logic formulas, and determines whether the formulas are true or not for that model. Another advantage is that, if the formula is not true, the model checker will provide a counterexample. The counterexample is an execution trace that shows why the formula is not true. This is an extremely useful feature because it can help locate the source of the error and speed up the debugging process. Another advantage is the ability to verify partially specified systems. Useful information about the correctness of the system can be gathered before all the details have been determined. This allows the verification of a system to proceed concurrently with its design. Consequently verification can provide valuable hints that will help designers eliminate errors earlier and define better systems. Properties to be verified are described as formulas in a propositional temporal logic. The system for which the properties should hold is given as a state-transition graph. It defines a model for the temporal logic, since the semantics of the logic are given in terms of state-transition graphs. The model checker traverses this graph and verifies whether the given system satisfies the formula. Checking that a single model satisfies a formula is much simpler than proving that a formula is valid for all possible models. Because of this fact, model checkers can be implemented more efficiently than theorem provers. Clarke and Emerson [5] developed the first algorithm.
This algorithm used adjacency lists to represent the transition graph and had a complexity that was polynomial in the size of the model and in the length of the formula. This and other equivalent systems were able to handle graphs with up to 10^5 states.
Around 1987, however, the concept of symbolic model checking was introduced [1, 10]. In the new approach the transition relation is represented implicitly by boolean formulas, and implemented by ordered binary decision diagrams [1]. This usually results in a much smaller representation for the transition relation, allowing the size of the models being verified to increase to more than 10^20 states. The symbolic model checking approach will be explained in more detail later.
Binary Decision Diagrams
Ordered binary decision diagrams (BDDs) are an efficient way to represent boolean formulas. BDDs often provide a much more concise representation than traditional representations like conjunctive normal form or disjunctive normal form. They can also be manipulated very efficiently [1]. Another advantage offered by BDDs is that they provide a canonical representation for boolean formulas. This property means that two boolean formulas are logically equivalent if and only if they have isomorphic representations. It greatly simplifies the execution of operations that are performed frequently, like checking the equivalence of two formulas or deciding whether a given formula is satisfiable. Because of these characteristics, BDDs have found application in the implementation of many CAD tools.
Boolean formulas can be represented by binary decision trees. The nodes in the decision tree correspond to the variables of the formula. The two descendants of a node are labelled with true and false. The value of the formula for a given assignment of values to the variables can be found by traversing the tree from root to leaf: at each node the descendant labelled with the value of that variable is chosen. Each leaf corresponds to a particular assignment to the variables, and contains the truth value of the formula for that assignment. This representation is not particularly compact, because it may store the same information repeatedly in different places. BDDs are derived from binary decision trees, but their structure is a directed acyclic graph instead of a tree. Redundant information in the structure is avoided by eliminating common subtrees. As in decision trees, nodes are visited in sequence, from root to leaf. However, BDDs impose a total ordering in which the variables occur in this sequence. For example, the BDD in figure 1 represents a formula f over the variables a, b, c and d.
Given an assignment for the variables in f we can decide if this assignment satisfies the formula by traversing the BDD from root to leaf. At each node we follow the path that corresponds to the value assigned to the variable in the node. The leaf indicates if the formula is satisfied or not for that particular assignment. Notice that redundancy is eliminated in two ways. Common subtrees are not replicated, as can be seen from the paths when a is false and when b is false. Also, when all the leaves of a subtree lead to the same value, the subtree is eliminated, and a leaf of that value is inserted in its place. Notice in the figure that when a and b are both true a subtree containing the variables c and d is eliminated because all of its leaves would have the value 1.
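The reduced, ordered representation described above, as an added example that is not code from the original paper: a minimal ROBDD package in Python with a unique table (hash-consing) so that equivalent formulas end up as the same node, Bryant's apply operation for ∧, ∨ and ¬, and the root-to-leaf evaluation the text describes. The formula (a ∧ b) ∨ (c ∧ d) and the two variable orders compared below are this example's own choices (figure 1 is not reproduced here); the node counts show how much the order matters.

```python
import itertools
import operator

# Added example: a minimal reduced ordered BDD (ROBDD) package. Terminal nodes are
# the ints 0 (false) and 1 (true); internal nodes are ints >= 2 indexing a table of
# (variable, low_child, high_child) triples. Hash-consing in mk() plus the
# "no redundant test" rule make the representation canonical for a fixed order.
class BDD:
    FALSE, TRUE = 0, 1

    def __init__(self, var_order):
        self.order = {v: i for i, v in enumerate(var_order)}  # total variable order
        self.nodes = [None, None]   # slots for the two terminals
        self.unique = {}            # (var, low, high) -> node id
        self.cache = {}             # (op, u, v) -> node id, memoises apply()

    def mk(self, var, low, high):
        if low == high:             # both branches agree: the test is redundant
            return low
        key = (var, low, high)
        if key not in self.unique:  # share structurally identical subgraphs
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, name):
        return self.mk(name, self.FALSE, self.TRUE)

    def _level(self, u):
        # terminals sit below every variable in the order
        return float("inf") if u in (0, 1) else self.order[self.nodes[u][0]]

    def apply(self, op, u, v):
        """Shannon-expand on the topmost variable of u and v (Bryant's apply)."""
        if u in (0, 1) and v in (0, 1):
            return int(op(bool(u), bool(v)))
        key = (op, u, v)
        if key in self.cache:
            return self.cache[key]
        lu, lv = self._level(u), self._level(v)
        top = min(lu, lv)
        name = self.nodes[u][0] if lu == top else self.nodes[v][0]
        u0, u1 = self.nodes[u][1:] if lu == top else (u, u)
        v0, v1 = self.nodes[v][1:] if lv == top else (v, v)
        r = self.mk(name, self.apply(op, u0, v0), self.apply(op, u1, v1))
        self.cache[key] = r
        return r

    def AND(self, u, v): return self.apply(operator.and_, u, v)
    def OR(self, u, v):  return self.apply(operator.or_, u, v)
    def NOT(self, u):    return self.apply(operator.xor, u, self.TRUE)

    def evaluate(self, u, assignment):
        """Root-to-leaf walk: at each node follow the branch for that variable's value."""
        while u not in (0, 1):
            var, low, high = self.nodes[u]
            u = high if assignment[var] else low
        return bool(u)

    def size(self, u):
        """Number of internal nodes reachable from u (leaves not counted)."""
        seen, stack = set(), [u]
        while stack:
            n = stack.pop()
            if n in (0, 1) or n in seen:
                continue
            seen.add(n)
            stack.extend(self.nodes[n][1:])
        return len(seen)


def build(var_order):
    """Build (a & b) | (c & d) twice, in different syntactic forms, under one order."""
    bdd = BDD(var_order)
    a, b, c, d = (bdd.var(x) for x in "abcd")
    f = bdd.OR(bdd.AND(a, b), bdd.AND(c, d))
    # De Morgan rewrite of the same function: ~(~(a & b) & ~(c & d))
    g = bdd.NOT(bdd.AND(bdd.NOT(bdd.AND(a, b)), bdd.NOT(bdd.AND(c, d))))
    return bdd, f, g


def truth_table_matches(bdd, f):
    """Exhaustive check of the BDD against the formula it is supposed to encode."""
    for bits in itertools.product([False, True], repeat=4):
        env = dict(zip("abcd", bits))
        if bdd.evaluate(f, env) != ((env["a"] and env["b"]) or (env["c"] and env["d"])):
            return False
    return True


if __name__ == "__main__":
    bdd, f, g = build(["a", "b", "c", "d"])
    print("same node for both forms:", f == g, " internal nodes:", bdd.size(f))
    bdd2, f2, _ = build(["a", "c", "b", "d"])
    print("internal nodes under order a,c,b,d:", bdd2.size(f2))
```

Equivalence of f and its De Morgan form g is a comparison of two integers, which is exactly what the canonical form buys; satisfiability is just `f != bdd.FALSE`. Under the order a, b, c, d the function needs four internal nodes (the subtree for c and d is shared between the a = 0 branch and the a = 1, b = 0 branch, and the a = 1, b = 1 branch collapses to the leaf 1), while the order a, c, b, d needs six.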
Computation Tree Logic
Computation tree logic, CTL, is the logic used by SMV to express properties that will be verified. Computation trees are derived from state-transition graphs. The graph structure is unwound into an infinite tree rooted at the initial state, as seen in figure 2. Paths in this tree represent all possible computations of the program being modelled. Formulas in CTL refer to the computation tree derived from the model. CTL is classified as a branching time logic, because it has operators that describe the branching structure of this tree.
Formulas in CTL are built from atomic propositions, where each proposition corresponds to a variable in the model, the boolean connectives ¬ and ∧, and temporal operators. Each temporal operator consists of two parts: a path quantifier followed by a temporal operator. Path quantifiers indicate that the property should be true of all paths from a given state (A), or of some path from a given state (E). The temporal operators describe how events should be ordered along a path:
* X p (p holds in the next state) means that p is true in the next state of the path.
* F p (p holds sometime in the future) means that p is true in some state of the path.
* G p (p holds globally) means that p is true in every state of the path.
* p U q (p holds until q holds) is satisfied by a path if q is true in some state of the path, and p holds in all preceding states.
Formally, the syntax for CTL can be defined by:
* Every atomic proposition p is a CTL formula.
* If f and g are CTL formulas, then so are ¬f, f ∧ g, EX f, EG f and E[f U g].
The semantics of CTL formulas are defined with respect to a labelled state-transition graph, which is a 5-tuple M = (P, S, L, N, S0), where P is a set of atomic propositions, S is a finite set of states, L is a function labeling each state with the set of atomic propositions that are true in it, N ⊆ S × S is the transition relation and S0 ⊆ S is the set of initial states. The remaining operators are defined as abbreviations of those in the syntax, for example AX f ≡ ¬EX ¬f.
Some examples of CTL formulas are given below to illustrate the expressiveness of the logic.
* AG(req → AF
Symbolic Model Checking
Early model checkers enumerated states explicitly, and the size of the systems that could be verified was severely limited. Symbolic model checking represents states and transitions using boolean formulas. This usually results in a much smaller representation, because it can automatically eliminate redundancy in the graph. Implementing these boolean formulas as BDDs leads to very efficient algorithms for model checking that are able to verify much larger systems than previous ones. This section will explain the symbolic model checking approach.
Representing the Model
A model of the system in our algorithm is a labeled state-transition graph M, and assertions about the system are expressed as CTL formulas. The key to the efficiency of the algorithm is to use BDDs to represent the labeled state-transition graph and to verify whether the formula is true or not. The following method will be used to represent the transition relation as a BDD.
Assume that system behavior is determined by the boolean variables V = {v_0, ..., v_{n-1}}, so that each state is an assignment of values to V. S is the set of states, and F is a function from sets of states to sets of states.
As described in [7], if the predicate transformer F is monotonic, its least and greatest fixpoints exist and can be computed by iterating F, starting from the empty set and from S respectively.
"* If ; is EGf. tlie algorithint is defined in a similar wa. It searc'hes for lihe great est fixpoint EGf iisttead, and uses the following fonuwila:
EG./" = .'A EX EG./"
"* All other (TIL operators are written in t,'rls of the, onles p)resen'ted. 6 
Real-Time Logics
The logic CTL can be used to specify many properties of finite-state systems. However, there is an important class of properties that cannot be adequately handled using this logic.
This class consists of the properties that involve quantitative constraints, that is, the class of properties which place bounds on response time. In CTL it is possible to express the property that some event will happen in the future, but not that some event will happen at most x time units in the future. In this section we will discuss one way of augmenting CTL to permit representation of such properties.
In order to represent bounded properties, we add time intervals to the existing temporal operators, as described in [9]. The basic temporal operator that we use in our real-time logic is the bounded until operator, which has the form f U[a,b] g. A path satisfies f U[a,b] g if there is some i with a ≤ i ≤ b such that g holds in the i-th state of the path and f holds in every state j with j < i.
As an example of the use of the bounded until, consider the property "It is always true that p may be followed by q within 3 time units". This property can be expressed as AG(p → EF[0,3] q). The bounded F operator is derived from the bounded until just as in the unbounded case, i.e. EF[a,b] f ≡ E[true U[a,b] f].
In order to implement this operator, we will use a fixpoint computation that is similar to the one implemented in CTL. It is easy to see that the formula E[f U[a,b] g] can be expressed in the following form: if a > 0 and b > 0, E[f U[a,b] g] = f ∧ EX E[f U[a−1,b−1] g].
Timed Transition Graphs
The extensions presented above allow the verification of a number of real-time systems. Formally, a timed transition graph is a 5-tuple T = (P, S, L, R, S0), where P is a set of propositional variables, S is a set of states, L is a function labeling each state with the set of propositional variables that are true in that state, S0 is a set of initial states, and R is the set of transitions, each carrying the bounds on the time it takes to occur.
Each iteration finds states that have a transition to an element of the set computed by the previous iteration and updates the current set. The fixpoint of this iteration process is the set of states that satisfy φ. For example, to find the set of states that satisfy E[f U[a,b] g] we use the method outlined below.
We compute the bounded until for an interval as an extension of the bounded until for a single bound. The defining equation combines g(s) with f and with the transitions of the graph that can be taken within the bound; equations that compute the set of states that satisfy other operators are similarly defined, and will not be presented here for brevity.
The TTG approach does not suffer from the same problems as the path expansion technique, but it does add to the complexity of the fixpoint calculation. The existential quantification algorithm must be applied to the variables that represent the time of a transition. This is an expensive operation, and can also cause state explosion problems. However, the TTG algorithm is more efficient than unrolling states. The number of boolean variables added to the model to represent the time range is proportional to log n, where n is the largest upper bound of all transitions. The existential quantification is applied to these variables. Also, this approach is independent of the number of long transitions and does not introduce additional overhead for stuttering transitions.
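An added example, not the paper's code, covering both the bounded until of the previous section and the timed transition graphs of this one. Part 1 implements E[f U[a,b] g] on a unit-step graph by the recurrence given above; the a = 0 cases it uses, E[f U[0,b] g] = g ∨ (f ∧ EX E[f U[0,b−1] g]) and E[f U[0,0] g] = g, are the standard ones from [9] and are not shown on this page. Part 2 takes a TTG whose transitions carry a delay range [lo, hi]. The semantics assumed here is this example's own: after entering a state the system stays there for a nondeterministic d ∈ [lo, hi] time units and then moves to the target, with propositions read from the state it occupies. The bounded until is computed directly by quantifying over d, the explicit-set analogue of quantifying out the time variables, and cross-checked against the unrolling into unit steps that the text calls less efficient. The TTG and its labels are constructed for the example.

```python
from functools import lru_cache

# Added example (not the paper's code). Part 1: E[F U[a,b] G] on a unit-step graph by
# the recurrence from [9]. Part 2: a timed transition graph whose transitions carry a
# delay range [lo, hi]; the bounded until is computed directly by quantifying over the
# delay, and cross-checked against unrolling the TTG into unit steps.
# Assumed TTG semantics: after entering s the system stays in s for d time units, with
# d chosen nondeterministically from [lo, hi] of the transition it takes, then moves to
# the target; propositions are evaluated in the state the system occupies.

def ex(trans, Z):
    """EX Z over a successor map state -> set(successors)."""
    return {s for s, succ in trans.items() if succ & Z}

def bounded_until(trans, F, G, a, b):
    """E[F U[a,b] G] on a unit-step graph, 0 <= a <= b.
    a > 0: F ∧ EX E[F U[a-1,b-1] G]
    a = 0: G ∨ (F ∧ EX E[F U[0,b-1] G]),  and E[F U[0,0] G] = G."""
    assert 0 <= a <= b
    if b == 0:
        return set(G)
    inner = bounded_until(trans, F, G, max(a - 1, 0), b - 1)
    step = F & ex(trans, inner)
    return (step | G) if a == 0 else step

def unroll(ttg):
    """Unit-step graph over (state, elapsed) pairs: (s,k) -> (s,k+1) while the system
    may still wait in s, and (s,k) -> (t,0) when a delay of k+1 is allowed on s -> t."""
    trans = {}
    for s, outs in ttg.items():
        hi_max = max(hi for lo, hi, t in outs)
        for k in range(hi_max):
            succ = {(s, k + 1)} if k + 1 < hi_max else set()
            succ |= {(t, 0) for lo, hi, t in outs if lo <= k + 1 <= hi}
            trans[(s, k)] = succ
    return trans

def via_unrolling(ttg, F, G, a, b):
    """Reference result: bounded until on the unrolled graph, projected to entry states."""
    trans = unroll(ttg)
    F2 = {x for x in trans if x[0] in F}
    G2 = {x for x in trans if x[0] in G}
    return {s for (s, k) in bounded_until(trans, F2, G2, a, b) if k == 0}

def ttg_bounded_until(ttg, F, G, a, b):
    """E[F U[a,b] G] on the TTG without unrolling: the delay d of the first transition
    is quantified existentially and the bounds are shifted by d."""
    @lru_cache(maxsize=None)
    def holds(s, a, b):
        if a == 0 and s in G:
            return True                      # G reached at time 0
        if s not in F:
            return False                     # F must hold while we wait in s
        for lo, hi, t in ttg[s]:
            assert lo >= 1, "delays are at least one time unit"
            if a > 0 and s in G and hi >= a + 1:
                return True                  # still in s at time a, and G holds there
            for d in range(lo, min(hi, b) + 1):
                if holds(t, max(a - d, 0), b - d):
                    return True              # leave for t at time d <= b
        return False
    return {s for s in ttg if holds(s, a, b)}

# Constructed TTG: p --[1,1]--> q, p --[2,3]--> r, q --[1,2]--> r, r --[1,1]--> p.
TTG = {"p": [(1, 1, "q"), (2, 3, "r")], "q": [(1, 2, "r")], "r": [(1, 1, "p")]}
WAITING, SERVED = {"p", "q"}, {"r"}

if __name__ == "__main__":
    for a, b in [(0, 1), (0, 2), (2, 2), (3, 3)]:
        direct = sorted(ttg_bounded_until(TTG, WAITING, SERVED, a, b))
        unrolled = sorted(via_unrolling(TTG, WAITING, SERVED, a, b))
        print(f"E[waiting U[{a},{b}] served]: direct={direct} unrolled={unrolled}")
```

The unrolled graph grows with the largest upper bound of any transition (here it has six states for three TTG states), whereas the direct computation only ever recurses on the original states and shrinks the bound by the delay taken; that is the difference the text refers to when it contrasts the TTG algorithm with unrolling.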
Examples
As an example of how these techniques can be applied to real-time systems, we model the priority inversion problem, and a solution to this problem, priority inheritance. Our model shows how priority inversion affects the predictability of real-time systems, and how inheritance solves the problem. A description of the problem and the solution is given first.
Priorities are essential in real-time systems. The correct ordering of task execution is a fundamental problem that must be solved if the system is to be predictable. Many scheduling policies have been developed to define what constitutes a correct ordering and to enforce this ordering during the execution of the system. If a scheduling policy requires that higher priority tasks execute before lower priority tasks, it is possible for a low priority process to be executing while a higher priority one is blocked. This situation is called priority inversion. Unbounded priority inversions occur when high priority processes are blocked indefinitely by low priority processes. When this happens, the system may become unpredictable. The correct ordering of task execution will be compromised, and the system may fail to satisfy its specification.
In order to present the problem in a more concrete framework, we will introduce a hypothetical air-traffic control system. We will concentrate our analysis on two of the processes in the system. The first, called sensor, reads airplane position data from radars, sets alarms on catastrophic conditions (conditions that cannot wait for a detailed analysis), and puts the data into shared memory. The other process is the reporter, which reads the data collected by the sensor and updates the traffic controller screens. The sensor is a high priority process, because it processes urgent events and must not be blocked by other processes. The reporter, on the other hand, is a low priority process. Since it does not process urgent events, it may be delayed by other, more important tasks.
The sensor and the reporter processes share data. To access this data appropriately, synchronization is necessary. In our system, the synchronization is implemented by a mutex variable which guarantees mutual exclusion among the processes accessing the data. The mutex variable is locked every time shared data is accessed. However, this may result in priority inversion. Suppose the reporter is inside the critical section, and the sensor tries to insert new data into the buffer area. The sensor cannot access the data and blocks, waiting for the reporter to unlock the mutex. Now a high priority process is waiting for a low priority process, and priority inversion occurs. Figure 4 shows this situation.
This priority inversion scenario is bounded. The reporter will delay the sensor only while it is inside the critical section. After the reporter releases the lock, the sensor will start executing, and the priority inversion will disappear. We can calculate the maximum duration of the priority inversion as the time to execute the largest critical section, and incorporate it in our calculations for the execution times. The system will still be predictable, although there may be a small loss of accuracy in execution time predictions. Consequently, if the system is well designed and the critical sections are small, bounded priority inversions can be tolerated.
The property that the sensor is never blocked indefinitely is false without the priority inheritance mechanism. The property becomes true when priority inheritance is activated. Moreover, we can verify that there is an upper limit on the time the sensor waits for the critical section with a bounded-until formula of the kind introduced above.
Conclusions
In this work we have shown how temporal logic model checking can be applied to real-time systems. Transitions in a timed transition graph take a nondeterministic time to occur within given bounds. This allows the representation of more realistic models. A symbolic model checking algorithm was given to verify properties of TTG models.
As an example of the usefulness of bounded operators, we discussed the priority inversion problem in real-time systems. We formalized a solution for a particular instance of this problem and verified that it was correct using temporal logic model checking techniques.
This example demonstrates that non-trivial properties of real-time systems can be proven using symbolic model checking techniques.
