The BDD-based symbolic model checking algorithm given in [4, 10] is extended to handle real-time properties using the bounded until operator [9]. We believe that this algorithm, which is based on discrete time, is able to handle many real-time properties that arise in practical problems. One example of such a property is priority inversion. This is a serious problem that can make real-time systems unpredictable in subtle ways. Our work discusses this problem and presents one possible solution. The solution is formalized and verified using the modified algorithm. We also propose another extension to the model checking algorithm. Timed transition graphs (TTGs) are transition graphs in which events may take non-unit time to occur. The time it takes for a transition in a TTG to happen is determined by a time interval. This allows the construction of smaller and more realistic models. A symbolic model checking algorithm is given for formulas using the bounded until operator in TTG models.
1 Introduction
Temporal logic model checking is a technique for determining the correctness of finite-state systems. A large number of problems in computer science can be modeled using finite-state representations. Real-time systems can often be represented in such a way. Because they are used in many critical applications, being able to depend on them is vital. Model checking [5, 6] can assist in demonstrating the correctness of such systems. The use of this technique can help increase the efficiency of their validation and help generate systems with higher reliability. This work explains how model checking can be applied to the verification of real-time systems.
In model checking, specifications are expressed as formulas of a propositional temporal logic. The system to be verified is modeled as a state-transition graph, and the graph is searched to determine if it satisfies the property. A symbolic model checking algorithm is one in which the transition relation is represented implicitly by boolean formulas, and states are not explicitly enumerated. The SMV symbolic model checking algorithm [4, 10] is the basis of our approach. It is extended to handle real-time properties. The original model checking algorithm represents properties as formulas in the temporal logic CTL (Computation Tree Logic). This logic allows us to state properties such as "event p will happen sometime in the future", but not "event p will happen in at most x units of time". In real-time systems properties of the latter type appear frequently, because we must bound the execution time in order to make the system predictable. We augment CTL so that it is possible to express real-time properties using the bounded until operator [9], and show how to check formulas involving operators of this type using BDD-based symbolic model checking techniques.
Another extension to the algorithm comes from the fact that all transitions in an SMV model take exactly one step to occur. However, in realistic models this is not always true. Various transitions frequently have different lengths in practice. It is also possible that one transition can take different amounts of time to occur in different executions. Modeling this behavior in SMV can be achieved by expanding a non-unit transition into a sequence of transitions through several intermediate states. The states introduced by this technique may significantly increase the size of the model. We propose an extension called Timed Transition Graphs (TTG) to handle this situation. A timed transition graph is a transition graph that has time intervals associated with transitions. The time intervals specify a lower and an upper bound on the time it takes for a transition to occur. A transition can take a nondeterministic number of steps to occur, within the bounds specified by the TTG. Longer transitions that are also nondeterministic (within specified bounds) allow the modeling of realistic systems without the burden of adding extra states to the model. A symbolic model checking algorithm is presented for bounded CTL formulas using TTGs as models.
As an example of how these techniques can be used, we model the priority inversion [8, 11] problem using the extended verifier. Most real-time systems rely on priorities to maintain predictability. The fact that higher priority tasks must be executed before lower priority tasks is essential for the correctness of such systems. However, low priority processes can block high priority processes indefinitely, because of indirect priority constraints. This situation is called priority inversion. This behavior makes the system unpredictable. It is described in this paper. Several solutions exist to this problem, and one of those, priority inheritance, is presented and formally verified.
Temporal logic model checking is described in section 2. Section 3 discusses binary decision diagrams, which form the basis for the symbolic algorithms described in this work. The logic used in the model checker is presented in section 4, and in section 5 the symbolic model checking algorithm is explained. The extension that allows real-time properties to be expressed is described in section 6. In section 7 timed transition graphs are presented, and a symbolic model checking algorithm for TTG models is given. An example of how these techniques work, the priority inversion problem, is presented in section 8. The paper ends in section 9 with a discussion of the results.
2 Temporal Logic Model Checking
Extensive simulation is currently the most widely used verification technique. However, simulation does not exhaust all possible behaviors of a computing system. Exhaustive simulation is too expensive, and non-exhaustive simulation can miss important events, especially if the number of states in the system being verified is large. Other approaches for verification include theorem provers, term rewriting systems and proof checkers. These techniques, however, are usually very time consuming, and require user intervention to a large degree. Such characteristics limit the size of the systems they can verify in practice.
Temporal logic model checking [5, 6] is an alternative approach that has achieved significant results recently. Efficient algorithms are able to verify properties of extremely large systems. In this technique, specifications are written as formulas in a propositional temporal logic and computer systems are represented by state-transition graphs. Verification is accomplished by an efficient breadth-first search procedure that views the transition system as a model for the logic, and determines if the specifications are satisfied by that model.
There are several advantages to this approach. An important one is that the procedure is completely automatic. The model checker accepts a model description and specifications written as temporal logic formulas, and determines if the formulas are true or not for that model. Another advantage is that, if the formula is not true, the model checker will provide a counterexample. The counterexample is an execution trace that shows why the formula is not true. This is an extremely useful feature because it can help locate the source of the error and speed up the debugging process. Another advantage is the ability to verify partially specified systems. Useful information about the correctness of the system can be gathered before all the details have been determined. This allows the verification of a system to proceed concurrently with its design. Consequently verification can provide valuable hints that will help designers eliminate errors earlier and define better systems.
Properties to be verified are described as formulas in a propositional temporal logic. The system for which the properties should hold is given as a state transition graph. It defines a model for the temporal logic since the semantics of the logic are given in terms of state transition graphs. The model checker traverses this graph and verifies if the model satisfies the formula. Checking that a single model satisfies a formula is much simpler than proving that a formula is valid for all possible models. Because of this fact model checkers can be implemented more efficiently than theorem provers. Clarke and Emerson [5] developed the first algorithm. This algorithm used adjacency lists to represent the transition graph and had a complexity that was polynomial in the size of the model and in the length of the formula. This and other equivalent systems were able to handle graphs with up to 10^5 states. Around 1987, however, the concept of symbolic model checking was introduced [4, 10]. In the new approach the transition relation is represented implicitly by boolean formulas, and implemented by ordered binary decision diagrams [1]. This usually results in a much smaller representation for the transition relation, allowing the size of the models being verified to increase to more than 10^20 states. The symbolic model checking approach will be explained in more detail later.
3 Binary Decision Diagrams
Ordered binary decision diagrams (BDDs) are an efficient way to represent boolean formulas. BDDs often provide a much more concise representation than traditional representations like conjunctive normal form or disjunctive normal form. They can also be manipulated very efficiently [1]. Another advantage offered by BDDs is that they provide a canonical representation for boolean formulas. This property means that two boolean formulas are logically equivalent if and only if they have isomorphic representations. It greatly simplifies the execution of operations that are performed frequently, like checking equivalence of two formulas or deciding if a given formula is satisfiable or not. Because of these characteristics, BDDs have found application in the implementation of many CAD tools.
Boolean formulas can be represented by binary decision trees. The nodes in the decision tree correspond to the variables of the formula. Descendants of a node are labelled with true or false. The value of the formula for a given assignment of values to the variables can be found by traversing the tree from root to leaf. At each node the descendant labelled with the value of that variable is chosen. Each leaf corresponds to a particular assignment to the variables, and contains the truth value of the formula for that assignment.
This representation is not particularly compact, because it may store the same information repeatedly in different places. BDDs are derived from binary decision trees, but their structure is a directed acyclic graph instead of a tree. Redundant information in the structure is avoided by eliminating common subtrees. As in decision trees, nodes are visited in sequence, from root to leaf. However, BDDs impose a total ordering in which the variables occur in this sequence. For example, the BDD in figure 1 represents the formula f = (a ∧ b) ∨ (c ∧ d) using the ordering a < b < c < d for the variables.
Given an assignment for the variables in f we can decide if this assignment satisfies the formula by traversing the BDD from root to leaf. At each node we follow the path that corresponds to the value assigned to the variable in the node. The leaf indicates if the formula is satisfied or not for that particular assignment. Notice that redundancy is eliminated in two ways. Common subtrees are not replicated, as can be seen from the paths when a is false and when b is false. Also, when all the leaves of a subtree lead to the same value, the subtree is eliminated, and a leaf of that value is inserted in its place.
very frequently in the model checker, and more efficient algorithms are used in the actual system. Describing these algorithms is out of the scope of this paper, but they can be found in [2].
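As an added illustration, not the BDD package of [1, 2] used by the model checker, the following Python code builds a reduced ordered BDD by Shannon expansion along a fixed variable order, sharing isomorphic subgraphs through a unique table and dropping nodes whose two children coincide. Run on the formula f = (a ∧ b) ∨ (c ∧ d) of figure 1 it produces four internal nodes and returns the identical node for a logically equivalent rewriting of f (the canonicity property); it also goes beyond the text by showing that the order a < c < b < d yields a larger graph for the same f.

```python
"""Reduced ordered BDD (ROBDD) construction by Shannon expansion.

Added illustration, not the BDD package of [1, 2]: a unique table shares
isomorphic subgraphs, and a node whose two children coincide is dropped,
so logically equivalent formulas map to the identical node (canonicity).
Terminals are the Python booleans True and False; an internal node is the
tuple ("node", variable, low_child, high_child).
"""


class BDD:
    def __init__(self, order):
        self.order = order    # total variable ordering, e.g. ["a", "b", "c", "d"]
        self.unique = {}      # (var, low, high) -> node: one copy per subgraph

    def mk(self, var, low, high):
        """Return the node for ITE(var, high, low), applying both reduction rules."""
        if low == high:                      # redundant test: both branches agree
            return low
        key = (var, low, high)
        if key not in self.unique:           # isomorphic subgraphs are shared
            self.unique[key] = ("node", var, low, high)
        return self.unique[key]

    def build(self, formula, assignment=None, level=0):
        """Shannon-expand `formula` (a predicate over {var: bool}) along self.order."""
        assignment = assignment or {}
        if level == len(self.order):
            return bool(formula(assignment))           # leaf: truth value
        var = self.order[level]
        low = self.build(formula, {**assignment, var: False}, level + 1)
        high = self.build(formula, {**assignment, var: True}, level + 1)
        return self.mk(var, low, high)


def evaluate(node, assignment):
    """Walk from the root to a leaf, following the assigned value at each node."""
    while not isinstance(node, bool):
        _, var, low, high = node
        node = high if assignment[var] else low
    return node


def node_count(node):
    """Number of internal nodes reachable from `node` (leaves excluded)."""
    seen = set()

    def walk(n):
        if isinstance(n, bool) or n in seen:
            return
        seen.add(n)
        walk(n[2])
        walk(n[3])

    walk(node)
    return len(seen)


# Figure 1 formula and an equivalent rewriting of it (De Morgan).
def f(v):
    return (v["a"] and v["b"]) or (v["c"] and v["d"])


def f_rewritten(v):
    return not ((not v["a"] or not v["b"]) and (not v["c"] or not v["d"]))


if __name__ == "__main__":
    bdd = BDD(["a", "b", "c", "d"])
    root, root2 = bdd.build(f), bdd.build(f_rewritten)
    print("canonical:", root is root2, "nodes:", node_count(root))          # True 4
    print("a<c<b<d nodes:", node_count(BDD(["a", "c", "b", "d"]).build(f)))  # 6
```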
4 Computation Tree Logic
Computation tree logic, CTL, is the logic used by SMV to express properties that will be verified. Computation trees are derived from state transition graphs. The graph structure is unwound into an infinite tree rooted at the initial state, as seen in figure 2. Paths in this tree represent all possible computations of the program being modelled. Formulas in CTL refer to the computation tree derived from the model. CTL is classified as a branching time logic, because it has operators that describe the branching structure of this tree. G φ (φ holds globally) is true for a path if φ is satisfied by all states in the path. X φ (φ holds in the next state) means that φ is true in the next state of the path. φ U ψ (φ holds until ψ holds) is satisfied by a path if ψ is true in some state in the path, and φ holds in all preceding states.
Formally, the syntax for CTL can be defined by:
Every atomic proposition p is a CTL formula.
If f and g are CTL formulas, then so are ¬f, f ∧ g, EX f, EG f and E[f U g].
The semantics of CTL formulas are defined with respect to a labeled state-transition graph, which is a 5-tuple M = (P, S, L, N, S_0), where P is a set of atomic propositions, S is a finite set of states, L is a function labeling each state with a set of atomic propositions, N ⊆ S × S is a transition relation, and S_0 is the set of initial states. A path is an infinite sequence of states s_0 s_1
5 Symbolic Model Checking
Early model checking algorithms represented the transition graph through adjacency lists. All existing states were explicitly enumerated. Since the model checking problem has an exponential behavior in the worst case, this frequently caused state explosion problems. The size of systems that could be verified was severely limited. Symbolic model checking represents states and transitions using boolean formulas. This usually generates smaller representations, because it can automatically eliminate redundancy in the graph. Implementing these boolean formulas as BDDs leads to very efficient algorithms for model checking that are able to verify much larger systems than previous ones. This section will explain the symbolic model checking approach.
Representing the Model
A model of the system in our algorithm is a labeled state-transition graph M, and assertions about the system are expressed as CTL formulas. The key to the efficiency of the algorithm is to use BDDs to represent the labeled state-transition graph and to verify if the formula is true or not. The following method will be used to represent the transition relation as a BDD.
Assume that system behavior is determined by the boolean variables V = {v_0, ..., v_{n-1}}. Let
Fixpoint characterization
Consider a labeled transition graph M with set of states S. We can denote a lattice of predicates over S by Pred(S), where each predicate is identified with the set of states in S that make it true, and use set inclusion as the ordering. A functional F that maps Pred(S) to Pred(S) is called a predicate transformer. Informally, a predicate in Pred(S) is a set of states, and F is a function from sets of states to sets of states. We can identify each CTL formula f with the predicate {s | M, s |= f} in Pred(S) (this is the set of states that satisfy f). Then
6 Real-Time Logics
The logic CTL can be used to specify many properties of finite state systems. However, there is an important class of properties that cannot be adequately handled using this logic. This class consists of the properties that involve quantitative constraints, that is, the class of properties which place bounds on response time. In CTL it is possible to express the property that some event will happen in the future, but not that some event will happen at most x time units in the future. In this section we will discuss one way of augmenting CTL to permit representation of such properties. In order to represent bounded properties, we add time intervals to the existing temporal operators, as described in [9]. The basic temporal operator that we use in our real-time logic is the bounded until operator, which has the form U_[a,b], where [a,b] defines the time interval in which our property must be true. We say that f U_[a,b] g is true of some path if g holds in some future state s on the path, f is true in all states between the beginning of the path and s, and the distance from the first state of the path to s is within the interval [a,b]. The bounded EG operator can be defined similarly. Other temporal operators are defined in terms of these.
More formally, we extend our CTL semantics to include the bounded until by adding the following clauses to the formal semantics given in section 4:
Consider the first of these cases. We compute the sets of states where f is true for a steps. During this computation, a fixpoint may be reached before a iterations have passed. When this happens, we can skip to the second case. By using this optimization, the number of required iterations may be reduced when the time interval is large but a fixpoint is reached quickly. The same optimization can also be applied in the second case. If a fixpoint is reached before b − a iterations, with b and a being respectively the upper and lower bounds of the operator, we can immediately proceed to the third case.
7 Timed Transition Graphs
The extensions presented above allow the verification of a number of real-time systems. However, transition graphs have another important limitation for modeling time bounded computing systems. All transitions happen in one step. In actual systems events take different amounts of time to occur. Moreover, the time it takes for some event to take place may change in different executions. We call this behavior bounded stuttering. A transition can stutter if the time it takes to occur is not fixed, but is instead determined by a time interval.
A transition that takes more than one step and stutters can also be modeled in a transition graph. The longer path can be expanded into a series of one step transitions. Extra states and transitions have to be added to the transition graph. This makes the verification process more complex. The number of states added to the system is proportional to the size of the transitions being expanded. Extra transitions between states have to be added to introduce bounded stuttering. If there are many non-unit transitions, or if the individual transitions are long, this can cause state explosion problems.
We introduce the idea of Timed Transition Graphs, TTG, to help alleviate this problem. TTGs remove the unit transition limitation from transition graphs. With each transition in a TTG is associated a time range of the form [a,b], where a, b ∈ N. A transition labelled with [a,b] will happen in x steps, where a ≤ x ≤ b. This extension allows transitions with length longer than one and also introduces bounded stuttering. A transition takes x steps, but x is chosen nondeterministically, within the bounds defined by a and b.
Formally, a timed transition graph is a 5-tuple M = (P, S, L, R, S_0), where P is a set of propositional variables, S is a set of states, L is a function labeling each state with the set of propositional variables that are true in that state, S_0 is a set of initial states and R ⊆ S × N × N × S is a transition relation. Informally, R(s_0, l, u, s_1) indicates that the transition between states s_0 and s_1 can take from l to u steps to occur.
The SMV model checking algorithm can be extended to verify properties of TTG models. Procedures for handling unbounded properties and boolean connectives can be used without modification. To verify bounded properties we must first extend the representation of the transition relation to include the bounds for each transition. The algorithm uses a relation R' derived from R to represent the transition relation. R'(s_0, t, s_1) is true iff there exist l and u such that R(s_0, l, u, s_1) is a transition of the model and l ≤ t ≤ u. The algorithm encodes variables and states as vectors of boolean variables. The time variable t is also encoded as a vector of boolean variables. In the discussion below, though, we do not distinguish between the value of a state or t and its encoding. The formula g⟨s⟩ ∧ t = 0 is true if state s satisfies g and the time bound allows the path to have length 0. The formula (E[f U_{t_1} g])⟨s'⟩ ∧ R'(s, t_2, s') is true if s has a transition to a state s' and s' satisfies E[f U_{t_1} g]. To verify if s satisfies the bounded property we must check whether the length of the path from s' added to the length of the path from s to s' is within the bounds. t = (t_1 + t_2) verifies that this requirement is satisfied by s' and some t_1, t_2 that satisfy the transitions on the graph. Equations that compute the set of states that satisfy other operators are similarly defined, and will not be presented here for brevity.
The TTG approach does not suffer from the same problems as the path expansion technique, but it does add to the complexity of the fixpoint calculation. The existential quantification algorithm must be applied to the variables that represent the time of a transition. This is an expensive operation, and can also cause state explosion problems. However, the TTG algorithm is more efficient than unrolling states. The number of boolean variables added to the model to represent the time range is proportional to log u, where u is the largest upper bound of all transitions. The existential quantification is applied to these variables. Also, this approach is independent of the number of long transitions and does not introduce another overhead for stuttering transitions.
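The bounded until recurrence of sections 6 and 7 can be worked through explicitly on a small TTG. The following Python code is an added example, not the paper's BDD implementation: states and relations are finite sets, the TTG and its labelling are constructed, and a unit transition graph is the special case where every interval is [1, 1]. It derives R'(s0, t, s1) from R, computes the pairs (s, t) satisfying E[f U_t g] as a least fixpoint bounded by b, and then quantifies over t to obtain E[f U_[a,b] g].

```python
"""Explicit-state sketch of the bounded until operator over a TTG.

Added illustration, not the paper's BDD-based implementation: the
relations are finite Python sets instead of BDDs, but the derived relation
R'(s0, t, s1) and the recurrence for E[f U_t g] follow the text. A unit
transition graph is the special case where every interval is [1, 1].
"""

# Constructed TTG: each tuple (s0, l, u, s1) says the transition from s0 to
# s1 takes x steps with l <= x <= u (non-unit length, bounded stuttering).
TTG = {
    ("idle", 1, 1, "req"),
    ("req", 2, 4, "busy"),
    ("req", 1, 1, "fail"),
    ("busy", 1, 3, "done"),
    ("done", 1, 1, "idle"),
    ("fail", 1, 1, "fail"),
}
# Constructed labelling L: propositions true in each state.
LABELS = {"idle": set(), "req": {"waiting"}, "busy": {"waiting"},
          "done": {"done"}, "fail": set()}
STATES = set(LABELS)


def derive_r_prime(ttg):
    """R'(s0, t, s1) holds iff some (s0, l, u, s1) in R has l <= t <= u."""
    return {(s0, t, s1) for (s0, l, u, s1) in ttg for t in range(l, u + 1)}


def eu_timed(f, g, r_prime, states, bound):
    """Least fixpoint of the pairs (s, t), t <= bound, with s |= E[f U_t g]:
    either g<s> and t = 0, or f<s> and some successor s' with R'(s, t2, s')
    and s' |= E[f U_t1 g] where t = t1 + t2 (the recurrence of section 7)."""
    sat = {(s, 0) for s in states if g(s)}
    while True:
        new = {(s, t1 + t2)
               for (s, t2, succ) in r_prime
               for (s1, t1) in sat
               if succ == s1 and f(s) and t1 + t2 <= bound}
        if new <= sat:          # no new (state, time) pair: fixpoint reached
            return sat
        sat |= new


def eu_bounded(f, g, ttg, states, a, b):
    """States satisfying E[f U_[a,b] g]: some path reaches a g-state after
    exactly t steps, a <= t <= b, with f holding in all earlier states.
    The set comprehension is the existential quantification over t."""
    pairs = eu_timed(f, g, derive_r_prime(ttg), states, b)
    return {s for (s, t) in pairs if a <= t <= b}


def has(label):
    """Atomic proposition `label` as a predicate on states."""
    return lambda s: label in LABELS[s]


if __name__ == "__main__":
    for a, b in [(0, 2), (4, 5), (0, 10), (8, 10)]:
        result = eu_bounded(has("waiting"), has("done"), TTG, STATES, a, b)
        print(f"E[waiting U_[{a},{b}] done] =", sorted(result))
```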
8 Examples
As an example of how these techniques can be applied to real-time systems, we model the priority inversion problem and a solution to this problem, priority inheritance. Our model shows how priority inversion affects the predictability of real-time systems, and how inheritance solves the problem. A description of the problem and the solution is first given.
Priorities are essential in real-time systems. The correct ordering of task execution is a fundamental problem that must be solved if the system is to be predictable. Many scheduling policies have been developed to define what constitutes a correct ordering and to enforce this ordering during the execution of the system. If a scheduling policy requires that higher priority tasks execute before lower priority tasks, it is possible for a low priority process to be executing while a higher priority one is blocked. This situation is called priority inversion. Unbounded priority inversions occur when high priority processes are blocked indefinitely by low priority processes. When this happens, the system may become unpredictable. The correct ordering of task execution will be compromised, and the system may fail to satisfy its specification.
In order to present the problem in a more concrete framework, we introduce a hypothetical air-traffic control system. We concentrate our analysis on two of the processes in the system. The first, called sensor, reads airplane position data from radars, sets alarms on catastrophic conditions (conditions that cannot wait for a detailed analysis), and puts the data into shared memory. The other process is the reporter, which reads the data collected by the sensor and updates the traffic controller screens. The sensor is a high priority process, because it processes urgent events, and must not be blocked by other processes. The reporter, on the other hand, is a low priority process. Since it doesn't process urgent events, it may be delayed by other more important tasks.
The sensor and the reporter processes share data. To access this data appropriately, synchronization is necessary. In our system, the synchronization is implemented by a mutex variable which guarantees mutual exclusion among the processes accessing the data. The mutex variable is locked every time shared data is accessed. However, this may result in priority inversion. Suppose the reporter is inside the critical section, and the sensor tries to insert new data into the buffer area. The sensor can't access the data and blocks, waiting for the reporter to unlock the mutex. Now a high priority process is waiting for a low priority process, and priority inversion occurs. Figure 4 shows this situation.
This priority inversion scenario is bounded. The reporter will delay the sensor only while it is inside the critical section. After the reporter releases the lock, the sensor will start executing, and the priority inversion will disappear. We can calculate the maximum duration of the priority inversion as the time to execute the largest critical section, and incorporate it in our calculations for the execution times. The system will still be predictable, although there may be a little loss in accuracy in execution time predictions. Consequently, if the system is well designed, and the critical sections are small, bounded priority inversions can
In certain cases, it is possible to have unbounded priority inversions that cannot be solved by this simple method. Suppose a third process, called the analyzer, is added to the system. This process reads data generated by other components of the air-traffic controller and processes it. The analyzer is less important than the sensor and has a lower priority. But it is more important than the reporter, since urgent conditions may arise as the result of the analysis and handling them is more important than updating the screen. Consider now the same scenario as above, with the reporter inside the critical section, and the sensor waiting on the mutex. At this point, the analyzer starts executing. It will block the reporter, since it has higher priority. However, the sensor is waiting for the reporter (and therefore also for the analyzer). Since the analyzer doesn't know the relation between the reporter and the sensor, it may execute for an unbounded amount of time and delay the sensor indefinitely. If a catastrophic event occurs, it will go unnoticed, because the sensor is blocked. As a result, the behavior of the system becomes unpredictable. Figure 5 shows this situation.
Priority inheritance protocols are one way of preventing unbounded priority inversions. A typical protocol might work in the following manner. As soon as a high priority process is blocked by a low priority one, the low priority process is temporarily given the priority of the blocked process. While inside the critical section the sensor is trying to access, the reporter will execute at high priority. When the reporter exits the critical section, it will be restored to its original priority. In this way, the analyzer will not be able to interrupt the reporter, when the sensor is waiting. We will show that this protocol avoids the unbounded priority inversion problem (except possibly for deadlocks in accessing synchronization variables). This allows the designer of the system to predict the maximum priority inversion time, as in the bounded case.
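The sensor/analyzer/reporter scenario in discrete time, as an added example that is not the paper's SMV model: a constructed task set under a fixed-priority preemptive scheduler with one mutex, run with and without the basic priority inheritance protocol. Task priorities, release times and execution lengths are assumptions chosen to reproduce figures 4 and 5; the sensor's start latency grows with the analyzer's workload without inheritance and stays bounded by the reporter's critical section with it.

```python
"""Discrete-time sketch of the sensor/analyzer/reporter scenario.

Added illustration, not the paper's SMV model: a fixed-priority preemptive
scheduler over one mutex, run with and without the basic priority
inheritance protocol. Time is measured in scheduler ticks.
"""


def task_set(analyzer_work):
    """Constructed task set: name -> (base priority, release tick, script).
    Script steps: ("lock",) and ("unlock",) are instantaneous, ("run", n)
    consumes n ticks of processor time. A higher number is a higher priority."""
    return {
        "sensor":   (3, 2, [("lock",), ("run", 1), ("unlock",), ("run", 1)]),
        "analyzer": (2, 3, [("run", analyzer_work)]),
        "reporter": (1, 0, [("run", 1), ("lock",), ("run", 4), ("unlock",), ("run", 1)]),
    }


class Task:
    def __init__(self, name, prio, release, script):
        self.name, self.prio, self.release = name, prio, release
        self.script = [list(step) for step in script]   # mutable work counters
        self.first_run = None                            # tick of first execution

    def done(self):
        return not self.script

    def wants_lock(self):
        return bool(self.script) and self.script[0][0] == "lock"


def simulate(inheritance, analyzer_work=10, horizon=500):
    """Run the scheduler; return each task's start latency (first run - release)."""
    tasks = [Task(n, *spec) for n, spec in task_set(analyzer_work).items()]
    holder = None   # name of the task currently holding the mutex
    for now in range(horizon):
        ready = [t for t in tasks if t.release <= now and not t.done()]
        if not ready:
            break
        # A task is blocked if it needs the mutex and another task holds it.
        blocked = [t for t in ready if t.wants_lock() and holder not in (None, t.name)]
        runnable = [t for t in ready if t not in blocked]
        if not runnable:
            continue

        def effective(t):
            # Basic priority inheritance: while it blocks higher priority
            # tasks, the mutex holder runs at the highest of their priorities.
            if inheritance and t.name == holder and blocked:
                return max([t.prio] + [w.prio for w in blocked])
            return t.prio

        cur = max(runnable, key=effective)
        if cur.first_run is None:
            cur.first_run = now
        if cur.script[0][0] == "lock":              # enter the critical section
            cur.script.pop(0)
            holder = cur.name
        step = cur.script[0]                        # one tick of computation
        step[1] -= 1
        if step[1] == 0:
            cur.script.pop(0)
        if cur.script and cur.script[0][0] == "unlock":   # leave the critical section
            cur.script.pop(0)
            holder = None
    return {t.name: t.first_run - t.release for t in tasks}


if __name__ == "__main__":
    for work in (10, 30):
        print(f"analyzer work {work}: no inheritance", simulate(False, work),
              "inheritance", simulate(True, work))
```

Without inheritance the sensor's latency is the analyzer's whole workload plus the remaining critical section (figure 5); with inheritance it is bounded by the reporter's critical section regardless of that workload (the bounded case of figure 4).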
Priority inversion occurred in this example because the analyzer preempted the reporter. Another cause of priority inversion is queueing. Communication protocols may experience priority inversion for this reason. For example, packets to be sent to the network may have priorities. Low priority packets may be enqueued ahead of high priority ones in some protocol queue. In a prioritized network a high priority packet may have to wait for a low priority one to be sent. If medium priority packets start arriving in another processor's queue, they may monopolize the network, preventing high priority packets from being sent. Again, we have unbounded priority inversion. This type of priority inversion could also happen in our system, if the different components were distributed over a network. For example, sensor packets could be queued after some low priority packets in a queue, while analyzer packets were being transmitted.
The inheritance mechanism that we have described to avoid unbounded inversions is called the basic priority inheritance protocol. There are other priority inheritance protocols. Some protocols are designed to avoid deadlocks caused when critical sections are accessed in the wrong order. Other protocols are designed to handle chained bounded priority inversions.
A chained inversion occurs when a high priority process wants to lock n mutexes that are already locked by low priority processes. In this case, the high priority process has to wait for all low priority processes to finish their critical sections. While this wait is bounded, it may be too expensive to wait for the duration of all critical sections. One possible solution to this problem is to assign priorities to critical sections, based on the priorities of the processes that may access them. A process is allowed to access a critical section only if its priority is higher than the priority of all critical sections currently being accessed. A more complete study of these various algorithms and their characteristics can be found in [8, 11].
Our implementation of the basic priority inheritance protocol is discussed in the full version of the paper. The three processes are implemented as described. We want to determine if the sensor can starve:
AG(sensor.state = trying → AF sensor.state = critical)
This property is false without the priority inheritance mechanism. The property becomes true when priority inheritance is activated. Moreover, we can verify that there is an upper limit on the time until the sensor enters the critical section with the following formula:
AG(sensor.state = trying → AF_[0,32] sensor.state = critical)
9 Conclusions
In this work we have shown how temporal logic model checking can be used to verify properties of real-time systems. We extended an existing symbolic model checker to handle properties that are bounded in time. The bounded until operator was implemented to allow the expression of such properties.
Timed transition graphs were proposed to extend even further the expressiveness of the tool. In a TTG, transitions have time bounds, and a transition can take a nondeterministic time to occur within these bounds. This allows the representation of more realistic models. A symbolic model checking algorithm was given to verify properties in TTG models.
As an example of the usefulness of bounded operators, we discussed the priority inversion problem in real time systems. We formalized a solution for a particular instance of this
