BRICS Report Series RS-96-57
ISSN 0909-0878 December 1996
Copyright c© 1996, BRICS, Department of Computer Science
University of Aarhus. All rights reserved.
Reproduction of all or part of this work
is permitted for educational or research use
on condition that this copyright notice is
included in any copy.
See back inner page for a list of recent publications in the BRICS
Report Series. Copies may be obtained by contacting:
BRICS
Department of Computer Science
University of Aarhus
Ny Munkegade, building 540
DK - 8000 Aarhus C
Denmark
Telephone: +45 8942 3360
Telefax: +45 8942 3255
Internet: BRICS@brics.dk
BRICS publications are in general accessible through World Wide
Web and anonymous FTP:
http://www.brics.dk/
ftp://ftp.brics.dk/
This document is in subdirectory RS/96/57/
Diagnostic Model-Checking for Real-Time Systems*
Kim G. Larsen (1), Paul Pettersson (2), Wang Yi (2)**
(1) BRICS***, Aalborg University, DENMARK. E-mail: kgl@iesd.auc.dk
(2) Department of Computer Systems, Box 325, Uppsala University, S751 05, Uppsala, Sweden. E-mail: {paupet,yi}@docs.uu.se
Abstract. Uppaal is a new tool suite for automatic verification of networks of timed automata. In this paper we describe the diagnostic model-checking feature of Uppaal and illustrate its usefulness through the debugging of (a version of) the Philips Audio-Control Protocol. Together with the graphical interface of Uppaal, this diagnostic feature allows a number of errors to be more easily detected and corrected.
1 Introduction
Uppaal is a new tool for automatic verification of safety and bounded liveness prop-
erties of real-time systems modeled as networks of timed automata [10]. The current
version of Uppaal deals with the traditionally encountered state-explosion problem by
combining on-the-fly verification with a symbolic technique based on constraint-solving.
Uppaal contains a suite of tools and features including:
– a graphical interface allowing networks of timed automata to be defined by drawing,
– an automatic compilation of the graphical definition into a textual format used by
the model-checker, thus supporting the important principle “what you see is what
you verify” (WYSIWYV),
– compilation of certain types of hybrid automata into ordinary timed automata
(again supporting WYSIWYV), and
– in case verification of a particular real-time system fails (which happens more often
than not), a diagnostic trace is automatically reported by Uppaal in order to
facilitate debugging. Here the principle supported could be called “What You Don’t
Verify You Are Explained”(WYDVYAE).
This paper concentrates on describing the diagnostic model-checking feature of
Uppaal, and on demonstrating its usefulness through the debugging of an early version
of the Philips Audio-Control Protocol [6].
The paper is organized as follows: In the next section we give a short review of the notions of timed automata and networks; in section 3 the logic for safety and bounded liveness properties is presented. Section 4 describes the diagnostic model-checking procedure; in section 5 we show how these results have been applied in a case study where the Philips Audio-Control Protocol was analyzed.
* This work has been supported by the European Communities (under CONCUR2 and REACT), NUTEK (Swedish Board for Technical Development) and TFR (Swedish Technical Research Council).
** This author would also like to thank the Chinese NSF and the Hong Kong Wang's Foundation for supporting a visit to the Institute of Software, Chinese Academy of Sciences, in 1995.
*** Basic Research in Computer Science, Centre of the Danish National Research Foundation.
2 Real-Time Systems
We shall use timed transition systems as a basic semantical model for real-time systems.
The type of systems we are studying will be a particular class of timed transition
systems that are syntactically described by networks of timed automata [12, 8].
2.1 Timed Transition Systems
A timed transition system is a labeled transition system with two types of labels: atomic
actions and delay actions (i.e. positive reals), representing discrete and continuous
changes of real-time systems.
Let Act be a finite set of actions and P be a set of atomic propositions. We use
R to stand for the set of non-negative real numbers, ∆ for the set of delay actions
{ε(d) | d ∈ R}, and L for the union Act ∪∆.
Definition 1. A timed transition system over $Act$ and $P$ is a tuple $\mathcal{S} = \langle S, s_0, \longrightarrow, V \rangle$, where $S$ is a set of states, $s_0$ is the initial state, $\longrightarrow \subseteq S \times L \times S$ is a transition relation, and $V : S \to 2^P$ is a proposition assignment function. □
We will need for $\longrightarrow$ to satisfy the following well known properties:
– (Time Determinism) $s \xrightarrow{\varepsilon(d)} s_1$ and $s \xrightarrow{\varepsilon(d)} s_2$ $\Rightarrow$ $s_1 = s_2$.
– (Time Continuity) $s \xrightarrow{\varepsilon(d+e)} s'$ $\Leftrightarrow$ $\exists s''.\ s \xrightarrow{\varepsilon(d)} s'' \xrightarrow{\varepsilon(e)} s'$.
Whenever defined, we will use the notation $s^d$ for the state satisfying $s \xrightarrow{\varepsilon(d)} s^d$. Note that the state $s^d$ is unique due to time determinism.
In order to study compositionality problems we introduce a parallel composition
between timed transition systems. Following [7] we use synchronization functions that
generalize a large range of existing notions of parallel compositions. A synchronization
function f is a partial function (Act ∪ {0}) × (Act ∪ {0}) ↪→ Act, where 0 denotes
a distinguished no-action symbol4. Now, let Si = 〈Si, si,0,−→i, Vi〉, i = 1, 2, be two
timed transition systems and let f be a synchronization function. Then the parallel
composition S1 |f S2 is the timed transition system 〈S, s0,−→, V 〉, where s1 |f s2 ∈ S
whenever s1 ∈ S1 and s2 ∈ S2, s0 = s1,0 |f s2,0, −→ is inductively defined as follows:
– $s_1 |_f s_2 \xrightarrow{c} s_1' |_f s_2'$ if $s_1 \xrightarrow{a}_1 s_1'$, $s_2 \xrightarrow{b}_2 s_2'$ and $f(a,b) = c$,
– $s_1 |_f s_2 \xrightarrow{\varepsilon(d)} s_1' |_f s_2'$ if $s_1 \xrightarrow{\varepsilon(d)}_1 s_1'$ and $s_2 \xrightarrow{\varepsilon(d)}_2 s_2'$,
and finally, the proposition assignment function $V$ is defined by $V(s_1 |_f s_2) = V_1(s_1) \cup V_2(s_2)$.
4 We extend the transition relation of a timed transition system such that $s \xrightarrow{0} s'$ iff $s = s'$.
We now introduce the notion of a trace. A trace $\sigma$ of a timed transition system is a sequence of alternating delay and action transitions of the form
$$\sigma = s_0 \xrightarrow{\varepsilon(d_0)} s_0' \xrightarrow{a_1} s_1 \xrightarrow{\varepsilon(d_1)} s_1' \xrightarrow{a_2} s_2 \xrightarrow{\varepsilon(d_2)} \cdots \xrightarrow{a_n} s_n \xrightarrow{\varepsilon(d_n)} s_n'$$
where $d_i \in R$. A position $\pi$ of a trace $\sigma$ is a pair $\pi = (i,d)$ where $i \in 0 \ldots n$ and $0 \le d \le d_i$. We use $\Delta(\sigma,\pi)$ to stand for the accumulated delay of the trace $\sigma$ before the position $\pi$, i.e. $\Delta(\sigma,\pi) = \sum_{j < i} d_j + d$, and $\sigma(\pi)$ for the suffix of $\sigma$ starting at position $\pi$, i.e.
$$\sigma(\pi) = s_i^{d} \xrightarrow{\varepsilon(d_i - d)} s_i' \xrightarrow{a_{i+1}} s_{i+1} \xrightarrow{\varepsilon(d_{i+1})} \cdots \xrightarrow{a_n} s_n \xrightarrow{\varepsilon(d_n)} s_n'$$
Whenever $s \xrightarrow{l} s_0$ ($l \in L$) we shall denote by $s \xrightarrow{l} \sigma$ the trace obtained by extending $\sigma$ (footnote 5). We order positions lexicographically, denoted $\pi < \pi'$. Finally, we write $V(\sigma)$ for the set $V(s_0)$.
2.2 Networks of Timed Automata
A timed automaton [1] is a standard finite-state automaton extended with a finite
collection of real-valued clocks. The clocks are assumed to proceed at the same rate
and their values may be tested (compared with natural numbers) and reset (assigned
to 0).
Definition (Clock Constraints). Let $C$ be a set of real-valued clocks. We use $B(C)$ to stand for the set of formulas ranged over by $g$, generated by the following syntax: $g ::= c \mid g \wedge g$, where $c$ is an atomic constraint of the form $x \sim n$ or $x - y \sim n$ for $x, y \in C$, $\sim \in \{\le, \ge, =, <, >\}$ and $n$ a natural number. We shall call $B(C)$ clock constraints or clock constraint systems over $C$. □
We shall use tt to stand for a constraint like x ≥ 0 which is always true, and ff for
a constraint x < 0 which is always false as clocks can only have non-negative values.
Definition 2. A timed automaton $A$ over actions $Act$, atomic propositions $P$ and clocks $C$ is a tuple $\langle N, l_0, E, I, V \rangle$, where $N$ is a finite set of nodes (control-nodes), $l_0$ is the initial node, and $E \subseteq N \times B(C) \times Act \times 2^C \times N$ corresponds to the set of edges. In the case $\langle l, g, a, r, l' \rangle \in E$ we shall write $l \xrightarrow{g,a,r} l'$. $I : N \to B(C)$ is a function which for each node assigns an invariant condition, and $V : N \to 2^P$ is a proposition assignment function which for each node gives a set of atomic propositions true in the node. □
A state of an automaton $A$ is a pair $(l,u)$ where $l$ is a node of $A$ and $u$ a clock assignment for $C$, mapping each clock in $C$ to a value in $R$. The initial state of $A$ is $(l_0,u_0)$ where $u_0$ is the initial clock assignment mapping all clocks in $C$ to 0. The semantics of $A$ is given by the timed transition system $S_A = \langle S, s_0, \longrightarrow, V \rangle$, where $S$ is the set of states of $A$, $s_0$ is the initial state $(l_0,u_0)$, and $\longrightarrow$ is the transition relation defined as follows:
– $(l,u) \xrightarrow{a} (l',u')$ if there exist $r, g$ such that $l \xrightarrow{g,a,r} l'$, $g$ is satisfied by $u$ and $u' = r(u)$ (footnote 6),
– $(l,u) \xrightarrow{\varepsilon(d)} (l',u')$ if $l = l'$, $u' = u + d$ (footnote 7) and $I(l')$ is satisfied by $u'$,
and $V$ is extended to $S$ simply by $V(l,u) = V(l)$. We denote by $Tr(A)$ all traces of $S_A$ starting from the initial state $(l_0,u_0)$.
5 In order to keep the extended trace alternating we might have to apply the time continuity property to avoid two neighboring delay-transitions, and we might have to insert a 0-delay transition in order to avoid neighboring action-transitions.
Parallel composition may now be extended to timed automata in the obvious way: for two timed automata $A$ and $B$ and a synchronization function $f$, the parallel composition $A |_f B$ denotes the timed transition system $S_A |_f S_B$.
3 A Logic for Safety and Bounded Liveness Properties
It has been pointed out [4, 12] that the practical goal of verification of real-time systems is to verify simple safety properties such as deadlock-freeness and mutual exclusion. Our previous work [12, 10] shows that such properties can be verified on-the-fly by simple reachability analysis, which avoids constructing the whole reachable state-space of systems.
We consider a timed modal logic to specify safety and bounded liveness properties
(sometimes called bounded response time properties). The logic may be seen as a
fragment of the timed µ-calculus presented in [5], and also studied in [9]8.
Definition 3. (Syntax) Assume $K$ is a finite set of clocks. Then formulas over $K$ are defined by the following abstract syntax:
$$\varphi ::= a \mid \varphi_1 \wedge \varphi_2 \mid a \vee \varphi \mid Inv(\varphi) \mid \varphi\ Until_r\ a$$
where $r \subseteq K$ and $a ::= c \mid p$, where $c$ is an atomic clock constraint over $K$ and $p \in P$. □
Intuitively, for $Inv(\varphi)$ to be satisfied all reachable states must satisfy $\varphi$. $\varphi\ Until_r\ a$ is a weak until-property expressing that $\varphi$ must either hold invariantly or until $a$. The use of the clock set $r$ allows bounded liveness properties to be expressed, e.g. $(x < 5)\ Until_{\{x\}}\ a$ insists that $a$ must hold within 5 time units. We interpret a formula $\varphi$ with respect to a trace $\sigma$ relative to a time assignment $v$ over the formula clocks $K$. We use $\sigma \models_v \varphi$ to mean that $\sigma$ satisfies $\varphi$ under $v$. The interpretation is defined on the structure of $\varphi$ in Table 1. Naturally, if all the traces of an automaton satisfy a formula, we say that the automaton satisfies the formula.
Definition 4. Let $Tr(\varphi) = \{\sigma \mid \sigma \models_{v_0} \varphi\}$ where $v_0$ is the initial time assignment. For a timed automaton $A$ and a formula $\varphi$ we write $A \models \varphi$ when $Tr(A) \subseteq Tr(\varphi)$. If there exists a trace $\sigma$ s.t. $\sigma \in Tr(A) \setminus Tr(\varphi)$, we write $A \not\models \varphi$ and in this case $\sigma$ is called a diagnostic trace of $A$ w.r.t. $\varphi$. □
6 r(u) is the assignment s.t. r(u)(x) = 0 if x ∈ r and r(u)(x) = u(x) otherwise.
7 (u+ d) is the assignment s.t. (u+ d)(x) = u(x) + d.
8 The connectives of our logic are expressible as derived operators w.r.t. those of [9].
$\sigma \models_v c$ iff $c(v)$
$\sigma \models_v p$ iff $p \in V(\sigma)$
$\sigma \models_v \varphi_1 \wedge \varphi_2$ iff $\sigma \models_v \varphi_1$ and $\sigma \models_v \varphi_2$
$\sigma \models_v a \vee \varphi$ iff $\sigma \models_v a$ or $\sigma \models_v \varphi$
$\sigma \models_v Inv(\varphi)$ iff $\forall \pi : \sigma(\pi) \models_{v + \Delta(\sigma,\pi)} \varphi$
$\sigma \models_v \varphi\ Until_r\ a$ iff $\forall \pi : \sigma(\pi) \models_{r(v) + \Delta(\sigma,\pi)} \varphi$, or $\exists \pi : \big( \sigma(\pi) \models_{r(v) + \Delta(\sigma,\pi)} a \wedge \forall \pi' < \pi : \sigma(\pi') \models_{r(v) + \Delta(\sigma,\pi')} \varphi \big)$
Table 1. Definition of satisfiability.
4 Diagnostic Model-Checking
Given a network of timed automata $A$ and a formula $\varphi$ in the logic specifying a property, the so-called model-checking problem is to check if the formula is satisfied by the system. We will take the opposite point of view and check for $A \not\models \varphi$ instead of $A \models \varphi$. From a proof of $A \not\models \varphi$ we will then be able to synthesize a diagnostic trace which may prove useful in subsequent debugging. However, if we fail to prove $A \not\models \varphi$ we can assert that $A \models \varphi$.
4.1 Operations on Clock Constraints
To develop the diagnostic model-checking algorithm, we need a few operations to ma-
nipulate clock constraints. Given a clock constraint D, we shall call the set of clock
assignments satisfying D, the solution set of D.
Definition 5. Let $A$ and $A'$ be the solution sets of clock constraints $D, D' \in B(C \cup K)$. We define
$A{\uparrow} = \{ w + d \mid w \in A \text{ and } d \in R \}$
$\{x\}A = \{ \{x\}w \mid w \in A \}$
$A \wedge A' = \{ w \mid w \in A \text{ and } w \in A' \}$
$A{\downarrow}C = \{ w{\downarrow}C \mid w \in A \}$
where $w{\downarrow}C$ denotes the restriction of $w$ to the clock set $C$. □
First, note that A ∧A′ is simply the intersection of the two sets. Intuitively, A↑ is
the set of time assignments that may be reached from A by some delay. We extend
the projection operator {x}A to sets of clocks. Let r = {x1...xn} be a set of clocks.
We define r(A) recursively by {}(A) = A and {x1...xn}(A) = {x1}({x2...xn}A). The
following Proposition establishes that the class of clock constraints B(C ∪K) is closed
under the four operations defined above.
Proposition 6. Let $D, D' \in B(C \cup K)$ with solution sets $A$ and $A'$, and $x \in C \cup K$. Then there exist $D_1, D_2, D_3, D_4 \in B(C \cup K)$ with solution sets $A{\uparrow}$, $\{x\}A$, $A \wedge A'$ and $A{\downarrow}C$ respectively. □
In fact, the resulting constraints $D_i$ can be effectively constructed from $D$ and $D'$ [11, 10]. In order to save notation, from now on we shall simply use $D{\uparrow}$, $\{x\}D$, $D \wedge D'$ and $D{\downarrow}C$ to denote the clock constraints which are guaranteed to exist due to the above proposition. We will use $D{\uparrow}l$ to denote $(D \wedge I(l)){\uparrow} \wedge I(l)$, where $I(l)$ is the invariant condition of node $l$.
We will also need a few predicates over clock constraints for the diagnostic model-
checking procedure. We write D ⊆ D′ to mean that the solution set of D is included
in the solution set of D′, D = ∅ to mean that the solution set of D is empty and u ∈ D
to denote that the time assignment u belongs to the solution set of D9.
4.2 Model-Checking with Diagnostic Synthesis
Note that the definition of $A \not\models \varphi$ means that there exists a trace $\sigma$ of $A$ s.t. $\sigma \notin Tr(\varphi)$. Intuitively, $\sigma$ is a possible execution of $A$ that does not meet the requirement $\varphi$, and therefore it may be used as diagnostic information for subsequent debugging. In order to effectively construct diagnostic traces, we define a relation $\nvdash$ of the following type: $\sigma \nvdash [l,D] : \varphi$, where $\sigma$ is a trace of automaton $A$ over the automata clocks $C$, $l$ is a node of $A$, $D$ is a constraint system over $C \cup K$ and $\varphi$ is a formula over $K$. Now $\nvdash$ is the smallest relation satisfying the rules of Table 2.
We use the third invariant rule to exemplify the intuitive explanation of the inference rules. The assertion $(l,u) \xrightarrow{a} (l',u') \longrightarrow \cdots \nvdash [l,D] : Inv(\varphi)$ can be justified if any of the symbolic states reachable using an edge $l \xrightarrow{g,a,r} l'$ from the symbolic state $[l,D]$ does not satisfy the invariant property $Inv(\varphi)$. The clock assignments in this resulting symbolic state are restricted to the (non-empty) constraint system $r(g \wedge D)$. The premise of the rule assumes the existence of a diagnostic trace for $[l', r(g \wedge D)] : Inv(\varphi)$, and the side-condition of the rule provides information as to how one may extend this trace (obviously with an $a$-transition) in order to obtain a diagnostic trace for $[l,D] : Inv(\varphi)$.
The rules in Table 2 are sound and complete in the following sense:
Theorem 7. Let $A$ be a timed automaton with initial node $l_0$. Then
1. Whenever $\sigma \nvdash [l_0, D_0] : \varphi$ then $\sigma \in Tr(A)$ and $\sigma \notin Tr(\varphi)$.
2. Whenever $A \not\models \varphi$ then $\sigma \nvdash [l_0, D_0] : \varphi$ for some $\sigma \in Tr(A)$. □
4.3 Obtaining an Algorithm
Given a symbolic state $[l,D]$ of the automaton $A$ and a property $\varphi$, it is decidable whether there exists a diagnostic trace $\sigma$ such that $\sigma \nvdash [l,D] : \varphi$. We obtain an algorithm by using the rules in Table 2 in two phases. In Phase 1 a goal directed search, starting in the symbolic state $[l,D]$ and searching for a violating symbolic state, is performed using the inference rules in Table 2. We have the following two termination criteria for the symbolic state $[l_n, D_n]$ and the property $\varphi_n$:
– (Success) the $c$ or $p$ axiom can be applied,
– (Fail) for some earlier $i$, $l_n = l_i$, $D_n \subseteq D_i$ and $\varphi_n = \varphi_i$.
9 We will also write u ∈ D to mean the operation of computing a time assignment u given a
constraint system D.
$c$: $\dfrac{}{(l,u) \nvdash [l,D] : c}$ \quad $w \in D \wedge \neg c,\ u = w{\downarrow}C$

$p$: $\dfrac{}{(l,u) \nvdash [l,D] : p}$ \quad $w \in D,\ u = w{\downarrow}C,\ p \notin V(l)$

$\varphi_1 \wedge \varphi_2$: $\dfrac{\sigma \nvdash [l,D] : \varphi_i}{\sigma \nvdash [l,D] : \varphi_1 \wedge \varphi_2}$ \quad $i = 1$ or $i = 2$

$a \vee \varphi$: $\dfrac{\sigma \nvdash [l, D \wedge \neg c] : \varphi}{\sigma \nvdash [l,D] : c \vee \varphi}$ \qquad $\dfrac{\sigma \nvdash [l,D] : \varphi}{\sigma \nvdash [l,D] : p \vee \varphi}$ \quad $p \notin V(\sigma)$

$Inv(\varphi)$: $\dfrac{\sigma \nvdash [l,D] : \varphi}{\sigma \nvdash [l,D] : Inv(\varphi)}$
$\dfrac{(l,u') \longrightarrow \cdots \nvdash [l, D{\uparrow}l] : Inv(\varphi)}{(l,u) \xrightarrow{\varepsilon(d)} (l,u') \longrightarrow \cdots \nvdash [l,D] : Inv(\varphi)}$ \quad $u \in D{\downarrow}C,\ u' = u + d$
$\dfrac{(l',u') \longrightarrow \cdots \nvdash [l', r(g \wedge D)] : Inv(\varphi)}{(l,u) \xrightarrow{a} (l',u') \longrightarrow \cdots \nvdash [l,D] : Inv(\varphi)}$ \quad $l \xrightarrow{g,a,r} l',\ u' = r(u),\ u \in (g \wedge D){\downarrow}C$

$\varphi\ Until_r\ a$: $\dfrac{\sigma \nvdash [l, r(D)] : \varphi\ Until_\emptyset\ a}{\sigma \nvdash [l,D] : \varphi\ Until_r\ a}$

$\varphi\ Until_\emptyset\ c$: $\dfrac{\sigma \nvdash [l, D \wedge \neg c] : \varphi}{\sigma \nvdash [l,D] : \varphi\ Until_\emptyset\ c}$
$\dfrac{(l,u') \longrightarrow \cdots \nvdash [l, (D \wedge \neg c){\uparrow}l] : \varphi\ Until_\emptyset\ c}{(l,u) \xrightarrow{\varepsilon(d)} (l,u') \longrightarrow \cdots \nvdash [l,D] : \varphi\ Until_\emptyset\ c}$ \quad $u \in (D \wedge \neg c){\downarrow}C,\ u' = u + d$
$\dfrac{(l',u') \longrightarrow \cdots \nvdash [l', r(g \wedge D \wedge \neg c)] : \varphi\ Until_\emptyset\ c}{(l,u) \xrightarrow{a} (l',u') \longrightarrow \cdots \nvdash [l,D] : \varphi\ Until_\emptyset\ c}$ \quad $l \xrightarrow{g,a,r} l',\ u' = r(u),\ u \in (D \wedge g \wedge \neg c){\downarrow}C$

$\varphi\ Until_\emptyset\ p$: $\dfrac{\sigma \nvdash [l,D] : \varphi}{\sigma \nvdash [l,D] : \varphi\ Until_\emptyset\ p}$ \quad $p \notin V(l)$
$\dfrac{(l,u') \longrightarrow \cdots \nvdash [l, D{\uparrow}l] : \varphi\ Until_\emptyset\ p}{(l,u) \xrightarrow{\varepsilon(d)} (l,u') \longrightarrow \cdots \nvdash [l,D] : \varphi\ Until_\emptyset\ p}$ \quad $p \notin V(l),\ u \in D{\downarrow}C,\ u' = u + d$
$\dfrac{(l',u') \longrightarrow \cdots \nvdash [l', r(g \wedge D)] : \varphi\ Until_\emptyset\ p}{(l,u) \xrightarrow{a} (l',u') \longrightarrow \cdots \nvdash [l,D] : \varphi\ Until_\emptyset\ p}$ \quad $p \notin V(l),\ l \xrightarrow{g,a,r} l',\ u' = r(u),\ u \in (D \wedge g){\downarrow}C$

Table 2. Inference rules for $\nvdash$ (premise above the line, conclusion below it, side conditions at the right).
The search will be terminated on the Fail criterion if all the possibilities of backtracking have been exhausted. It can then be asserted that the automaton $A$ in any state complying with $[l,D]$ satisfies $\varphi$. However, if Phase 1 terminates on the Success criterion it follows that $\sigma \nvdash [l,D] : \varphi$. The rules in Table 2 provide a way to synthesize the diagnostic trace of the conclusion from a diagnostic trace of the premise, constituting Phase 2. If the search in Phase 1 is performed using a breadth-first strategy, the resulting trace will be a shortest diagnostic trace.
The implementation of both phases relies on efficient implementation of the opera-
tions and predicates on clock constraint systems discussed in Section 4.1. In fact, they
[Figure 1, an Autograph drawing of the four automata, does not survive extraction; only its node labels (start, head_is_0, head_is_1, endeven_00, stop; rise_0, rise_1, translow, translow_0, translow_1, translow_1a, transhigh, transhigh_0, transhigh_1, tranhigh_0a; up_0, up_1, last_is_0, last_is_1, next_is_01, error; ack) and the global declarations below are legible.]
    // 9505 - Paul Petersson and Johan Bengtsson
    clock  x rate [19,21],
           y rate [19,21];
    int    c, k, m, leng;
    chan   input_0, input_1,
           head_0, head_1, head_e,
           output_0, output_1, output_neq_0, output_neq_1,
           up;
    system Input, Sender, Receiver, Output_Ack;
Fig. 1. Philips's Audio-Control Protocol — Final Version.
5 Applications
The techniques presented in previous sections have been implemented in the verification
tool Uppaal. The tool has been used in a case study, where Philips Audio-Control
Protocol was verified. We demonstrate the usefulness of the diagnostic model-checking
feature of Uppaal by debugging an early description of the protocol. For detailed
information about the tool Uppaal, see [2] in this volume.
5.1 Philips Audio-Control Protocol
This protocol by Philips was first verified by Bosscher et al [3] and recently using
verification tools [6]. The protocol is used for exchanging control information in tiny
local area networks between components in modern audio equipment. Bit streams are
encoded using the well-known Manchester encoding that relies on timing delay between
signals. The protocol uses bit slots of four time units, a 1 bit is encoded by raising the
voltage from low to high in the middle of the bit slot. A 0 bit is encoded in the
opposite way. The goal of the protocol is to guarantee reliable communication with a
tolerance of ±5% on all the timing. The communication is further complicated since
the voltage changing from high to low can not be reliably detected. The decoding has to
be done using only the changing from low to high. A linear hybrid automaton network
description of the protocol is shown in Figure 1.
To perform experiments on the protocol we used an early draft version of a description by Wong-Toi and Ho [6] (footnote 10). In their work they automatically verify the audio-control protocol using the tool HyTech (The Cornell Hybrid Technology Tool is a symbolic model checker for linear hybrid systems). By reusing their description we avoid the difficult and time-consuming work of modelling the protocol. The protocol is modeled as a parallel composition of four processes described below. Several integer variables are used for recording information: leng for recording the number of bits generated by the input automaton but not yet acknowledged as being received; c for representing the binary encoding of these bits; k for recording the parity of the number of bits generated; and m for recording the parity of the number of bits received. The four parallel processes are:
– Input. The Input automaton nondeterministically generates valid bit sequences for the Sender automaton. Valid bit sequences are restricted to either odd length or ending in two 0 bits. The values of the integer variables k, c and leng are also updated appropriately. The Input automaton is also used by the Sender automaton to decide the next input bit.
– Sender. This automaton encodes the bit sequences by reading the value of the next bit from the Input automaton and determines the time delay for the next high voltage, modeled as an up!-action.
– Receiver. The Receiver automaton decodes the bit stream by measuring the time delay between two subsequent up?-actions received from the Sender. The decoded bits are then acknowledged by synchronizing on the output_1 or output_0 port with the output-acknowledgment automaton. The Receiver also records the parity of the received number of bits by updating m.
– Output_Ack. The output-acknowledgment automaton checks the current number of unacknowledged bits (leng) together with their binary encoding (c) and acknowledges the bits decoded by the receiver. It also updates the values of the variables leng and c.
The way the protocol has been modeled enables correctness of the received bits to be verified by reachability analysis. By introducing the edge $stop \xrightarrow{leng \ge 1} error$ in the receiver automaton, the received bit stream is guaranteed to be identical to the sent bit stream precisely when the system satisfies the property $Inv(\neg at(error))$.
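The encoding and decoding described in this section, as an added example that is not code from the paper or from the HyTech/Uppaal model: the line is observed only through rising edges, so a receiver can only measure gaps of 4, 6 or 8 time units between them and must remember the last decoded bit to tell "00" after a 1 from a single 1 after a 0. The gap table, the convention that every message starts with a 1 bit (so the receiver knows the slot phase), the rule that an even number of received bits ending in 1 means a trailing 0 was lost (the bit-count parity that m records in the model), and the tolerance window used by classify() are derived here from the description and are assumptions of the example.

```python
# Added example, not code from the paper or from the HyTech/Uppaal model: the
# Manchester encoding of Section 5.1 observed through rising edges only, and a
# receiver that rebuilds the bits from the gaps between those edges.  The gap
# table, the leading-1 convention, the parity-based end rule and the tolerance
# window are derived from the text's description and are assumptions.
from itertools import product

SLOT = 4                                   # one bit slot is four time units


def valid(bits):
    """The Input automaton's restriction: odd length or ending in two 0 bits;
    a leading 1 bit is assumed so that the receiver can fix the slot phase."""
    return bits.startswith("1") and (len(bits) % 2 == 1 or bits.endswith("00"))


def rising_edges(bits):
    """Times at which the line goes low -> high.  A 1 bit is low in its first
    half and high in its second half; a 0 bit is the other way round."""
    times, level = [], 0                   # the line is low before the message
    for i, b in enumerate(bits):
        first, second = (0, 1) if b == "1" else (1, 0)
        if first == 1 and level == 0:      # 0 bit following a low second half
            times.append(i * SLOT)
        if second == 1 and first == 0:     # 1 bit: always rises in mid-slot
            times.append(i * SLOT + SLOT // 2)
        level = second
    return times


def classify(gap, tol=0.05):
    """Map a measured gap to 4, 6 or 8 time units.  With sender and receiver
    clocks each off by up to tol, a gap may be stretched by about 2*tol; anything
    farther from its nominal value is treated as a line error (assumption)."""
    nominal = min((4, 6, 8), key=lambda n: abs(gap - n))
    if abs(gap - nominal) > 2 * tol * nominal:
        raise ValueError("gap %g outside tolerance" % gap)
    return nominal


GAP_AFTER_1 = {4: "1", 6: "00", 8: "01"}  # a 0 right after a 1 produces no edge
GAP_AFTER_0 = {4: "0", 6: "1"}            # a gap of 8 cannot follow a 0


def decode(times):
    """Rebuild the message from rising-edge times only."""
    bits = "1"                             # every message starts with a 1 (assumed)
    for gap in (b - a for a, b in zip(times, times[1:])):
        table = GAP_AFTER_1 if bits[-1] == "1" else GAP_AFTER_0
        bits += table[classify(gap)]
    if len(bits) % 2 == 0 and bits[-1] == "1":
        bits += "0"                        # a final "10" leaves no edge: only the bit
    return bits                            # count parity (m in the model) reveals the 0


def roundtrip_ok(max_len=7):
    """Every valid message of up to max_len bits survives encode -> decode, also
    when the receiver's clock runs 3% fast (edge times scaled by 1.03)."""
    for n in range(1, max_len + 1):
        for tail in product("01", repeat=n - 1):
            msg = "1" + "".join(tail)
            if not valid(msg):
                continue
            edges = rising_edges(msg)
            if decode(edges) != msg or decode([t * 1.03 for t in edges]) != msg:
                return False
    return True
```

roundtrip_ok() checks every valid message of up to seven bits, with and without a 3% drift on the receiver side. The restriction to valid sequences is what makes the end rule safe: the invalid message "11" is decoded as "110", because a message that ends in 1 after an even number of bits cannot have been sent, so the receiver must conclude that a final 0 produced no edge.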
First Version. The first version was an adjusted version of the description in [6]. The adjustments were necessary due to differences between HyTech and Uppaal. This step comprised: transforming the invariant conditions of the original description into enabling conditions of the model in Uppaal; introducing complementary synchronization actions; adding the edge $stop \xrightarrow{leng \ge 1} error$ in the receiver automaton; and modeling the modulo-2 counters m and k as integer variables. Modulo-2 addition ⊕ was modeled as a conditional value assignment on integers (e.g. m==0, m:=1 or m==1, m:=0) (footnote 11). This first version was also free from some obvious typing errors found in the original description of the system.
10 Available, at that time, from the Web server at Cornell University (http://www.cs.cornell.edu/).
11 Alternatively, modulo-2 addition ⊕ can be modeled using the integer assignment m:=-m+1.
((start, start, start, ack), (0, 0), (0, 0, 0, 0))
  --0--> ((head_is_1, start, start, ack), (0, 0), (1, 0, 0, 1))
  --input_1--> ((head_is_0, rise_1, start, ack), (0, 0), (2, 1, 0, 2))
  --up--> ((head_is_0, transhigh, up_1, ack), (0, 0), (2, 1, 1, 2))
  --head_0--> ((head_is_0, tranhigh_0a, up_1, ack), (0, 0), (2, 1, 1, 2))
  --output_1--> ((head_is_0, tranhigh_0a, last_is_1, ack), (0, 0), (0, 1, 1, 1))
  --ε(76)--> ((head_is_0, tranhigh_0a, last_is_1, ack), (76, 76), (0, 1, 1, 1))
  --input_0--> ((head_is_1, translow, last_is_1, ack), (0, 76), (1, 0, 1, 2))
  --head_1--> ((head_is_1, translow_1a, last_is_1, ack), (0, 76), (1, 0, 1, 2))
  --ε(76)--> ((head_is_1, translow_1a, last_is_1, ack), (76, 152), (1, 0, 1, 2))
  --0--> ((head_is_1, rise_1, last_is_1, ack), (0, 152), (1, 0, 1, 2))
  --up--> ((head_is_1, transhigh, up_0, ack), (0, 0), (1, 0, 0, 2))
  --output_neq_0--> ((head_is_1, transhigh, error, ack), (0, 0), (1, 0, 0, 2))
Fig. 2. Diagnostic Trace from the First Version of the Protocol.
We then attempted to verify the protocol, but it was found erroneous (footnote 12). Using the diagnostic trace shown in Figure 2 (footnotes 13, 14), automatically synthesized by Uppaal, the system was further improved. The trace indicates errors in several ways. First recall that the existence of a trace implies that the correctness property is not satisfied. This particular trace is wrong since a head_1-action is followed by a subsequent up-action without an intervening input_1-action. Also, from the diagnostic trace in Figure 2, it was revealed that the action labels output_neq_1? and output_neq_0? were swapped in the Output_Ack automaton. This must be the case since c = 1 and leng = 2 implies that the next output should be 0, while output_neq_0? is signaled to acknowledge that the next output can not be 0.
Improved Version no. 1. In the first improved version, the missing actions input_1? on the edges translow_1 → rise_1 and translow_1a → rise_1 in the Sender automaton were added. Furthermore, the action labels output_neq_0? and output_neq_1? were swapped in the Output_Ack automaton.
Once again, we attempted to verify the system; the system was found erroneous. From the diagnostic trace shown in Figure 3, a timing error was discovered. In the control-state (endeven_00, transhigh_0, up_1, ack) the Receiver automaton has decoded a 1 bit, but this is not the bit sent by the sender. The disagreement is monitored by the Output_Ack automaton, which makes the system violate the correctness property by offering an output_neq_1?-action. The reason for this error was found on the edges last_is_1 → next_is_01 and last_is_1 → up_0, where the enabling conditions on clock y were swapped.
12 Uppaal, installed on a SparcStation 10, performs the attempted verification and reports a diagnostic trace in 2.2 seconds.
13 The states are shown in this trace as triples, where the first component is the control-node, the second component is the clock assignment for the clocks x and y, and the third component is the value assignment for the auxiliary variables c, k, m and leng.
14 This is a trace of the transformed version of the description, where the non-zero linear hybrid automata have been compiled into timed automata.
((start, start, start, ack), (0, 0), (0, 0, 0, 0))
  --0--> ((head_is_1, start, start, ack), (0, 0), (1, 0, 0, 1))
  --input_1--> ((head_is_0, rise_1, start, ack), (0, 0), (2, 1, 0, 2))
  --up--> ((head_is_0, transhigh, up_1, ack), (0, 0), (2, 1, 1, 2))
  --head_0--> ((head_is_0, tranhigh_0a, up_1, ack), (0, 0), (2, 1, 1, 2))
  --output_1--> ((head_is_0, tranhigh_0a, last_is_1, ack), (0, 0), (0, 1, 1, 1))
  --ε(76)--> ((head_is_0, tranhigh_0a, last_is_1, ack), (76, 76), (0, 1, 1, 1))
  --input_0--> ((endeven_00, translow, last_is_1, ack), (0, 76), (0, 1, 1, 2))
  --head_0--> ((endeven_00, translow_0, last_is_1, ack), (0, 76), (0, 1, 1, 2))
  --ε(38)--> ((endeven_00, translow_0, last_is_1, ack), (38, 114), (0, 1, 1, 2))
  --head_0--> ((endeven_00, rise_0, last_is_1, ack), (0, 114), (0, 1, 1, 2))
  --up--> ((endeven_00, transhigh_0, next_is_01, ack), (0, 0), (0, 1, 1, 2))
  --output_0--> ((endeven_00, transhigh_0, up_1, ack), (0, 0), (0, 1, 1, 1))
  --output_neq_1--> ((endeven_00, transhigh_0, error, ack), (0, 0), (0, 1, 1, 1))
Fig. 3. Diagnostic Trace from the First Improved Version of the Protocol.
Improved Version no. 2. An even further improved version was made by swapping the enabling conditions on clock y between the edges last_is_1 → next_is_01 and last_is_1 → up_0 in the receiver automaton.
Once again a diagnostic trace was produced. The error was found by inspection of the action sequence. In the control-node (head_is_0, tranhigh_0a, last_is_1, ack) three output_1-actions and one output_0-action have been performed, but the value of m indicates an odd parity of the accumulated output bit stream. We concluded that some update operation of m was wrong or missing.
Final Version. When the modulo-2 addition on the variable m was removed from the edges last_is_1 → next_is_01 and last_is_0 → next_is_01 in the receiver automaton we got the final version of the protocol (Figure 1). By adjusting the rates of the sender's and the receiver's clocks (i.e. x and y) it can be confirmed that the correctness property is not satisfied if the tolerance is equal to ±1/17.
6 Conclusion and Future Work
In this paper we have presented a diagnostic model-checking procedure for real-time systems, capable not only of deciding whether a property is satisfied by a model, but also of providing a violating trace whenever the property is not satisfied. Such a trace may be considered as diagnostic information about the error, useful during the subsequent debugging of the model. This principle could be called WYDVYAE.
The presented techniques have been implemented in the new verification tool Uppaal. Besides a diagnostic model-checker for networks of timed automata, the Uppaal tool kit has a graphical interface (Autograph), allowing system descriptions to be defined by drawing and thereby allowing the user to see what is verified, i.e. WYSIWYV. In this way, a number of errors can be avoided. In a case study where Uppaal was used to verify (a version of) the Philips Audio-Control Protocol, both the graphical interface and the automatically generated diagnostic traces proved useful for detecting and correcting several errors in the description of the protocol.
A diagnostic trace generated by the current version of Uppaal is sometimes unnecessarily long. Thus, future work includes implementing synthesis of a shortest diagnostic trace. Another future extension will follow the principle of WYSIWYV. Whenever needed, clock assignments of a diagnostic trace will be transformed back into values in accordance with the original description. This is sometimes needed since Uppaal is able to compile descriptions of certain types of hybrid systems into timed automata.
Acknowledgment
The Uppaal tool has been implemented in large parts by Johan Bengtsson and Fredrik
Larsson. The authors would like to thank them for their excellent work and also for
several discussions concerning the verification of the Audio Control Protocol.
References
1. R. Alur and D. Dill. Automata for Modelling Real-Time Systems. Theoretical Computer
Science, 126(2):183–236, April 1994.
2. Johan Bengtsson, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi.
Uppaal— a Tool Suite for Automatic Verification of Real–Time Systems. In Proc. of the
4th DIMACS Workshop on Verification and Control of Hybrid Systems, Lecture Notes in
Computer Science, October 1995.
3. D. Bosscher, I. Polak, and F. Vaandrager. Verification of an Audio-Control Protocol. In
Proc. of FTRTFT’94, volume 863 of Lecture Notes in Computer Science, 1993.
4. Nicolas Halbwachs. Delay Analysis in Synchronous Programs. Lecture Notes in Computer
Science, 697, 1993. In Proc. of CAV’93.
5. T. A. Henzinger, Z. Nicollin, J. Sifakis, and S. Yovine. Symbolic Model Checking for
Real-Time Systems. In Logic in Computer Science, 1992.
6. Pei-Hsin Ho and Howard Wong-Toi. Automated Analysis of an Audio Control Protocol.
In Proc. of CAV’95, volume 939 of Lecture Notes in Computer Science. Springer Verlag,
1995.
7. H. Hüttel and K. G. Larsen. The use of static constructs in a modal process logic. Lecture
Notes in Computer Science, Springer Verlag, 363, 1989.
8. F. Laroussinie and K.G. Larsen. Compositional Model Checking of Real Time Systems.
In Proc. of CONCUR’95, Lecture Notes in Computer Science. Springer Verlag, 1995.
9. F. Laroussinie and K.G. Larsen. From Timed Automata to Logic — and Back. In Proc. of MFCS'95, Lecture Notes in Computer Science, 1995. Also BRICS report series RS-95-2.
10. K.G. Larsen, P. Pettersson, and W. Yi. Compositional and Symbolic Model-Checking of
Real-Time Systems. To appear in Proc. of the 16th IEEE Real-Time Systems Symposium,
December 1995.
11. Mihalis Yannakakis and David Lee. An efficient algorithm for minimizing real–time tran-
sition systems. In Proceedings of CAV’93, volume 697 of Lecture Notes in Computer
Science, pages 210–224, 1993.
12. Wang Yi, Paul Pettersson, and Mats Daniels. Automatic Verification of Real-Time Communicating Systems By Constraint-Solving. In Proc. of the 7th International Conference on Formal Description Techniques, 1994.
Recent Publications in the BRICS Report Series
RS-96-57 Kim G. Larsen, Paul Pettersson, and Wang Yi.Diagnostic
Model-Checking for Real-Time Systems. December 1996.
12 pp. Appears in Alur, Henzinger and Sontag, editors,
DIMACS Workshop on Verification and Control of Hybrid
Systems, HYBRID ’96 Proceedings, LNCS 1066, 1996,
pages 575–586.