Formal verification of timed systems: a survey and perspective PDF

23 Pages·2004·0.593 MB·English
by  Wang F.
Formal Verification of Timed Systems: A Survey and Perspective FARN WANG Invited Paper An overview of the current state of the art of formal verifica- • Withthereadinessofconcretetheoreticalframeworks tion of real-time systems is presented. We discuss commonly ac- fortheverificationofreal-timesystems[5],[11],[113], cepted models, specification languages, verification frameworks, [127]–[129],[133],[197],bothprogrammersandthe- state-spacerepresentation schemes,state-spaceconstructionpro- oreticians are eager to see how the theory adapts to cedures, reduction techniques, pioneering tools, and finally some newrelatedissues.Wealsomakeafewcommentsaccordingtoour real-worldprojects. experiencewithverificationtooldesignandimplementation. • Withtheincreasingscopeandcomplexityofembedded systems and resulting state-space explosion, it is be- Keywords—Embedded systems, formal methods, formal verifi- cation, models, real-time systems, specification, temporal logics, cominglessandlesslikelythatwecanrunasufficient theory,tools. numberofsimulationtracestogainbothenoughcov- erageofthestatespacesandenoughconfidenceinthe systemswithaprojectschedule.Further,evenifitwere I. INTRODUCTION feasibletohaveextensivecoverageofthe system,the Real-time systems differ from untimed systems in that potentialofasingleuntestedsequenceofeventsthatno theirbehavioralcorrectnessreliesnotonlyontheresultsof one thought of to cause system failure is also of con- their computations, but also on the clock times when the cern. results are produced. Formal verification means to rigor- In the last two decades, many achievements in the formal ously explore the correctness of system designs expressed verification of real-time systems have been reported, from as mathematical models, most likely with the assistance of various solid theory foundations to complex implementa- modern computers. 
From our viewpoint, there have been tion techniques and formal verification of many real-world the following three motivations for the heated research on projects [37], [189], [203], [206]. Still the intrinsic com- the formal verification of real-time systems in the last two plexity of various framework for real-time system verifica- decades. tionisforbiddinglyhigh.Theverificationproblemsoftimed • Withthesuccessofformalverificationintheverylarge systems are usually exponentially more complex than their scale integration (VLSI) industry [53], it is natural to untimed counterparts. For example, the model-checking expect that similar success can be repeated in the problemofcomputationtreelogic(CTL)isinPTIME1[60], formal verificationofreal-time systems.In particular, [61], while that of timed CTL (TCTL) is in PSPACE2 [5]. the achievement of binary decision diagram (BDD) Thus, in the foreseeable future, it will be difficult to use technology[52]hasraisedthehopesandconfidenceof formal techniques alone for decisive answers to complex theindustryfortheverificationofreal-timesystems. verificationtasks. Butthisdoesnotmeanthatwearepessimisticaboutthefu- tureofformalverification.Onthecontrary,withmostmajor projects currently spending over 50% of their development Manuscript received November 15, 2003; revised April 19, 2004. costsinverificationandintegration,therearetremendousop- ThisworkwassupportedinpartbytheNationalScienceCouncil(NSC) portunitiesforusingformalverificationtosizablyreducethe of Taiwan, R.O.C., under Grants NSC 92-2213-E-002-103 and NSC 92-2213-E-002-104, and in part by the System Verification Technology ProjectoftheIndustrialTechnologyResearchInstitute,Taiwan,R.O.C. The author is with the Department of Electrical Engineering, 1PTIMEproblemscanbesolvedwithtimecomplexitypolynomialstothe National Taiwan University, Taipei 106, Taiwan, R.O.C. (e-mail: inputsizesinbitcounts. [email protected]). 
2PSPACEproblemsmayincurmemoryconsumptionpolynomialstothe DigitalObjectIdentifier10.1109/JPROC.2004.831197 inputsizesinbitcounts. 0018-9219/04$20.00©2004IEEE PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004 1283 explosivegrowthofverificationandintegrationcostsandto Beforeyougoon,weremindyouthatthepapermayshow enhancethequalityofsystemdesignsinindustry.Ontheone theauthor’sintentionalorunconsciousbiastowardeachap- hand,forcomplexreal-timesystems,formalverificationwill proachinformalverification.Afterall,theamountofspace likely be used to enhance the intelligence and performance neededtoexplainthedetailsofeachsubfieldisasubjective ofsimulationandtesting.Forexample,coveragemetricscan decision. bemorepreciselymappedtothefunctionstobeverified.On the other hand, for targets with clean modularity and inter- II. MODELS face,formalverificationcanbeusedtorigorouslycheckthe Formal verification grows from formal or mathematical components and the interfaces and gradually could be ac- logics [41], in which we discuss the grammar (syntax) and cepted as standard methods in the automation of industrial meaning (semantics) of logic formulas. It is possible to as- qualitycontrol.Actuallyitisclaimedthatthislatterapproach sociatethesamegrammarwithdifferentstylesofmeaning. has already had a dramatic effect on the SLAM project of Themeaningofalogicformulaisdefinedasasetofmodels. Microsoft,whichplanstoincorporatemodel-checkingcapa- A model in mathematical logic is a domain of values and bilityinitsWindowsdriverdevelopmentkit(DDK)[34]. somefunctionsonthedomain.Withoutsuchformaldefini- In this paper, we give a review of these many achieve- tions,rigorousandmechanicalverificationofreal-timesys- ments so that readers can use the paper as an index to the temswillbeimpossible. literature.Weorganizethepaperaccordingtothevariousre- Intuitively,intheforumofspecificationandverification,a searchtopicsinformalverification,includingmodelsinSec- modelisabehaviorofasystemdescription(orspecification). 
tionII,descriptionandspecificationlanguagesinSectionIII, Accordingtothevariousframeworksweuse,amodelfora verificationframeworksinSectionIV,representationofstate real-timesystemcanbeastateset,astatesequence,anevent space in Section V, constructions of state-space representa- sequence, a state tree, or an infinite domain with relations. tionsinSectionVI,reductiontechniquesforrepresentations Someotherpossibilitiescanalsobefoundin[80]. in Section VII, some tools in Section VIII, and some other issues in Section IX, including symbolic simulation, para- A. LinearTimeVersusBranchingTime metric analysis, controller synthesis, probabilistic analysis, andworstcaseexecutiontime(WCET)analysis. We can view a computation either as a linear sequence Therearemanyframeworkstochoosefromtocompletea withonlyonefutureorasatreewithmanypossiblefutures. verification task. Each framework has its unique advantage The former is calledlinear-time semantics [185],while the and may incur an intrinsic challenge. We feel it is better to latteriscalledbranching-timesemantics[60],[61]. let the readers be informed of the challenges in the verifi- Linear-Time Temporal Logics: The research on auto- cation frameworks of his/her choice. Thus we have cited maticverificationofcomputerprogramswasinitiatedwhen manycomplexityresultsofvariousverificationproblemsin Pnueli proposed using linear-time propositional temporal the paper. Complexity of a verification problem means the logic(LPTL)[185]tospecifyandcomputethebehaviorsof order of growth of required resources to solve the problem computer systems. LPTL is a subclass of modal logic [41] with respect to the input sizes in bit counts. 
The resources withpossible-worldsemanticsandmodaloperators: (for can be CPU times, memory space, message counts, power allpossibleworlds)and (thereexistsapossibleworld).In consumption,etc.Butinthispaper,wearemainlyconcerned LPTL, is interpreted as “from now on, at all states” (or withCPUtimesandmemoryspace.Somejargonofthecom- henceforth,always),while isinterpretedas“fromnowon, plexity classes includes PTIME, NP-complete,3 PSPACE, there exists a state” (or eventually). For example, we may EXPTIME,4EXPSPACE,5nonelementarycomplexities,6and havethemodelofarailroadcrossingsystem. undecidability.7 and are two atomic propositions, and we want to HeitmeyerandMandriolihavealsowrittenahandbookon specifythatwheneveranapproachingtrainisdetected,from formalverificationtechniquesforreal-timecomputing[106]. thatstateon,eventuallythegateisdown.InLPTL,thiscan Regardingtechniquesforuntimedsystems,aclassicbookis beexpressedas one by Clarke et al. [65]. A previous survey paper in this regardisbyOstroff[179]. 3NPproblemsmeansthatwe canguessasolutionintimecomplexity Twoothercommonlyusedmodaloperatorsare (next)and polynomialstotheinputsizes.NP-completeproblemsarethehardestonesin NPandareingeneralconsidereduntamableproblemsincomputersciences. (until). means that is true in the next state. 4EXPTIMEproblemsconsumeCPUtimesexponentialtothesizesofin- meansthat istrueuntil istrue. putsinbitcounts. Indefininglogics,peopleusuallytrytouseminimalsyntax 5EXPSPACEisthesetofproblemsthatatmostconsumememoryca- structures. Usually and can be defined as the short- pacityexponentialtotheinputsizesinbitcounts.EXPSPACE-complete problemsareharderthanEXPTIMEproblems. handsfortrue and ,respectively.Ontheotherhand, .. Kampshowedthat cannotbemodeledwithmodalop- . 6Nonelementarycomplexitiesarelike2 withtheheightsoftheexponent erators , ,and [131]. stacksatleastproportionaltotheinputsizesinbitcounts. 
Inthelate1980s,peopleaddedtheconceptof“clocktime” 7Undecidableproblemsdonotguaranteetermination.Ingeneral,itisnot toLPTL.Thatis,aglobalclockisassumedinthemodelsuch possibletodesignalgorithms(proceduresthatguaranteetermination)for undecidableproblems. thattheglobalclockdoesnothavetoincrementitsreading 1284 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004 ateverystate.Initially,Ostroff[178]discussedissuesinex- pressiveness and complexity with quantification and linear constraintsofclockreadingsinLPTL.Forexample,wemay write (1) Here is the special variable for the reading of the global Fig.1. TwobehaviorsthatCTLcandifferentiate. clockatthecurrentstate. Alur and Henzinger proposed timed propositional tem- porallogic(TPTL)[15].TPTLhasaclock-readingfreezing ( , ).IntheliteratureofCTL,modaloperators , , , , modal operator and uses binary difference constraints be- ,and arewrittenas , , , , ,and ,respectively. tween frozen clock readings. The intuition is that quantifi- Insemantics,anLPTLformuladefinesasetoflinearstate cations on clock readings following are universal, while sequences,whileaCTLformuladefinesasetofcomputation the ones following are existential. For example, we may trees.CTLandLPTLarenotcomparableinexpressiveness. write For example, the LPTL formula says states happen infinitelymanytimes.Also,thenonZenorequirement[113] (2) in TPTL is . These properties are known to be inexpressible in the timed extensions of CTL. On the other which means that the gate will be down in 300 s from any hand, CTL allows for the reasoning of properties between stateinmode .Notethatthisformulaspecifies possiblefuturebehaviors.Forexample,theCTLformula somethingdifferentfrom(1).In(1),time isindependentof thestatesquantifiedbythemodaloperator ,whilein(2),it is not. Alur and Henzinger also defined metric temporal logic candifferentiatethetwobehaviorsinFig.1,whilenoLPTL (MTL),whichallowsthespecificationoftimingdistancesbe- formula can. 
tweenstatesquantifiedbyadjacentmodaloperators[16].For Emerson et al. proposed real-time CTL (RTCTL) [83], example,wemaywrite whichusesformulaslike tospecifytheexistence of a state sequence along which becomes true within the next states.Thistypeofpropertyissuitableforcycle-based systems like VLSI, in which the discrete global clock ticks to specify the same property as (2). A nice exploration of ateverydiscretestatechange[83]. variousdiscrete-timeextensionsofLPTLis[16]. Harel et al.[104] discussed the expressivenessand com- In 1992, Wang et al. extended TPTL to Asynchronous plexity of the CTL extension with universally quantified PTL(APTL)fordistributedsystemswithclockjitters[228]. clockvariablesandarbitrarylinearclockconstraints. Specifically,theyredefinethesemanticsofclockdifferences Themostusedbranching-timetemporallogicforreal-time in distributed systems with a timing precedence relation. systems is TCTL [5], which supports modal operators like The idea is that instead of comparing the values of clock , , , , ,and .Here isanat- readings,wenowcomparethetemporalprecedenceofclock uralnumberand isoneof , , , ,or .Forexample readings.Forexample,wemaywrite , which means that we have two distributed clocks such that at every state, if the reading of the two clocks are and , respectively, then every second tick of the first clock must meansthatwheneverthemonitorisinmode , precedethenexttickofthesecondclock.Puttingitanother alongallrunshenceforth,thegatewillbeclosedin300s. way,foreverytickofclock2,clock1willtickatleasttwice. Besideitsmodality,TCTLalsodiffersfromTPTLandthe Branching-Time Temporal Logics: The intuition behind likeinthatTCTLisdefinedwithdense-timeclockmodels. linear-time logics is that there is only one future. With Thus,thereisnomodaloperatorinvolving . 
branching-time logics, the possibility of many futures is IntegrationofLinearTimeandBranchingTime: Emerson assumed, and modal operators , are provided to specify andHalperndefinedaunifiedspecificationlanguage,called therelationamongdifferentfutures.Pathquantifier means ,forbothLPTLandCTL[81].RememberthatinCTL, “there exists a run from now on” and means that “for all we require that linear-time modal operators must immedi- runsfromnowon.”Forexample,inCTL[60],[61] ately follow path quantifiers. If this restriction is lifted in CTL,thenwegetCTL .RegardingLPTL,eachLPTLfor- mulaspecifiesthesetoflinearsequencessatisfyingit.Thus, meansthatwheneverthemonitorisinmode , intuitively,LPTLisasubclassofCTL becauseeveryLPTL alongallrunshenceforth,thegatewilleventuallybeclosed. formulaimplicitlycarriesauniversalquantifieronallcom- NotethatinCTLanditsextensions,linear-timemodaloper- putationsequences.Thatis,anLPTLformula characterizes ators( , , , )mustimmediatelyfollowapathquantifier thesamesetofstatesequencesastheCTL formula . WANG:FORMALVERIFICATIONOFTIMEDSYSTEMS:ASURVEYANDPERSPECTIVE 1285 It is also natural to extend CTL to TCTL . Möller dis- able gate can be used for the gate position of the present cussedhowtomodelcheckasubclassofTCTL [167].Wang state. State-based real-time temporal logics are usually de- carriedoutexperimentsusingmodel-checkingalgorithmson rivedfromtheiruntimedcounterparts[60],[61],[185].Ex- thesubclassofTCTL whichcontainsfairnessassumptions amples include TCTL [5], RTCTL [83], TPTL, MTL [16], [220]. andAPTL[228]. An event represents an instantaneous change of states B. DiscreteTimeVersusDenseTime and may trigger a series of responses in a system. For In the definition of real-time system models, we can example,thedetectionofanapproachingtrainatarailroad requirethatalltime readingsare integers and allclocksin- crossing is an event that will hopefully cause the gate to crementtheirreadingsatthesametime.Thisisdiscrete-time close. 
Event-driven system descriptions are very natural in semantics [15], [127]. The other choice is dense-time se- theworldofembeddedsystemengineering.Onepioneering mantics [11], [78], which means that time readings can be work that incorporates timed events into the linear-time rationalsorrealsandallclocksincrementtheirreadingsata modelisreal-timelogic(RTL)byJahanianandMok[127]. uniformrate. RTL is a linear-time event-driven logic with event occur- Discrete-time models are suitable for synchronous sys- rence-timefunctions.Forexample,wemaywrite tems where all concurrent processes share the same global clock.ExamplelanguagesareTPTLandMTL[16].Dense- timemodelsarebetterfordistributedsystemswithmultiple whichmeansthatafterthe thtrain eventhas clocks and timers, which can be tested, set, and reset inde- occurred,the thgate eventmusthappenin300s.RTL pendently.ExamplesincludeTCTL[5]. is a subclass of first-order integer arithmetic with monadic Note that inour explanation of discrete-time models, we functions. Yang et al. [233] have also designed a temporal require that there is a single global clock. It may seem that logic, synchronous real-time event logic (SREL), based on such a requirement is inappropriate for distributed systems event countings along state sequences in a discrete-time withdigitalclocks.Infact,afterthesamplingordetectionof domain. aneventinanembeddedsystem,theoccurrencetimeofthe Onethingtonoteisthatinsynchronouscycle-basedsys- eventisstillstoredinadigitalformat.Thus,philosophically, tems,e.g.,VLSIcircuits,peopleusuallytreatstateandevent discrete-timesemanticswithdistributedclocksseemsaplau- asthesamething,sincevariableschangevaluesonlyatthe siblechoice.Butingeneral,iftheclocksaredistributedand beginningofeachclockcycleandthenremainsteadyinthe donotincrementtheirreadingsatthesametime,thenwestill cycle. 
But for distributed real-time systems, this treatment have to implicitly record the ticking order of the clocks so may leadtoimprecise modeling,sincethere isnocommon thattheclocksstillincrementtheirreadingsatthesamerate. clockamongthemanydistributedsites. Theinformationpiecesoftickingordersareoffactorialcom- Italsohaslongbeenarguedthatneitherpurestate-based plexity,whichisthesameasthatofregiongraphconstruction nor pure event-based languages quite support the natural fordense-timemodels[5],anddonotsaveanycomputation expressiveness desirable for the specification of real-world resources. Henzinger et al. discussed the relation between systems [57], [122], [134], [137], [174]. Recently, Wang systems with distributed digital clocks and those with dis- has proposed an extension to TCTL for the specification tributeddenseclocks[112]. and model checking of behaviors involving both states and Clock-readingmodelscanalsoaffecttheverificationcom- eventswithfairnessassumptions[220].Forexample,inthe plexity.Forexample,thesatisfiabilityproblemofTPTLisin railroad crossing system, we may want to say that when EXPSPACE,whileitsdense-timeversionisundecidable.In- the monitor signals the controller to the gate, then tuitively,discrete-timemodelsmayleadtolowercomplexity the gate must be in 300 s. This can be specified as inverificationandanalysis,sincetherearemanyfewerstates. lower . Here means that whenever But in practice, the impact on complexity is tricky. Specif- eventsoftype happen, mustimmediatelybetrue. ically, with the symbolic techniques for timed and hybrid systems[18],[113],statespacesarerepresentedasBoolean III. DESCRIPTIONANDSPECIFICATIONLANGUAGES combinationsoflinearconstraintsofstatevariables.Anim- A. TimedAutomata portant operation is checking the emptiness of state-space representations. 
However, the emptiness problem of linear ThemodeloftimedautomatawasfirstproposedbyAlur constraintsisinPTIMEforreals(indense-timemodels)and andDill[11].Atimedautomatonisafinite-stateautomaton NP-completeforintegers(indiscrete-timemodels). equipped with a finite set of clocks which can hold non- negative real values. It is structured as a directed graph C. StateBasedVersusEventDriven whose nodes are modes (control locations) and whose arcs Astateisasnapshotofasystematamomentintime.In aretransitions.Theexampleofamonitorprocessfortrains the sense of control, it is everything that we need to know approachingarailroadcrossingisinFig.2.Themonitorisin about the system at that moment in order to determine the modefarwhenalltrainsarefarfromthecrossing,orinmode futureforallfutureinputsequences.Mathematically,itcon- approaching when a train will arrive at the crossing within sistsoftherecordingofthevaluesofallvariablesandcon- 300s,orinmodecrossingwhenatrainisatthecrossing,or trol locations. For instance, at a railroad crossing, the vari- inmodepassedwhentrainshavejustleftthecrossingwithin 1286 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004 Fig.2. Themodelofgate–monitor. the last 100 s. The ovals represent modes, while the arcs representtransitions.Themodesarelabeledinsidetheovals withinvarianceconditionswhichareBooleanconjunctions. All states in a mode must satisfy the corresponding invari- ance condition. At any moment, the timed automaton can reside in only one mode. The transitions are labeled with Fig.3. Themodelofgate–monitor–controller. triggering conditions and a set of clocks to be reset during the transitions. A timed automaton can make a transition undercertainconditions,symbolicmanipulationtechniques only if it satisfies the corresponding triggering condition. for timed automata have performed well enough to verify The invariance conditions and triggering conditions are manyindustrialsystems[113]. Boolean combinations of clock (difference) inequalities. 
In a timed automaton’s operation, one of the transitions can B. CommunicatingTimedAutomata be triggered when the corresponding triggering condition is satisfied. Upon being triggered, the automaton instanta- Complexstatetransitionsmayrequirecooperationamong neously transits from one mode to another and resets some processestoconstruct.Forexample,intherailroadcrossing clocks to zero. In between transitions, all clocks increase example,atthetimewhenanapproachingtrainisdetected, theirreadingsatauniformrate. the monitor sends a “signal” to the gate controller to move Astateofatimedautomatonisarecordingofitspresent thegatedown.Conceptuallywecandecomposethesystem mode and the readings of all clocks. With discrete-time intotwoprocesses:thetrainmonitorandthegatecontroller. models,allclockswillhaveintegerreadingsandincrement The sending and receiving of the signal can best naturally theirreadingsat thesameinstant.Withdense-timemodels, be modeled bythe interaction betweenthe monitor and the clock readings are reals (or rationals). A computation of controller.Therearealsotwoprocesstransitionsinvolvedin a timed automaton can be defined as an infinite sequence thebehavior,i.e.,thedetectionoftheapproachingtrainand of time-state pairs such that the time components form a thestartingofthegate’smovingdown. nondecreasinganddivergentrealnumbersequence. Thefirstlanguagedevicedesignedto“glue”processtran- A timed automaton is a nondeterministic machine and sitions into a (global) transition is the channel concept for does not have to make transitions as long as the invariance binary synchronizationinHoare’s Communicating Sequen- condition is satisfied. 
One usual way to force transitions is tialProcesses(CSP)[115].Suchadevicecangreatlyhelpto byusinganinvariancecondition.Forexample,inFig.2,in improvethemodularityofmodeldescriptions.Forexample, the “approaching” mode, we require that to force in the embedded control system for a railroad crossing, we thetransitionoutofthemodein300timeunits. mayhaveachannelcalled forthecommunicationof Inpractice,areal-timesystemisusuallydescribedasaset the command to move the gate down. The language device of process timed automata, each representing the behavior representsthesending(oroutput)eventthroughthe ofanautonomousprocess.Suchadecompositionisnatural channel, while represents the receiving (or input) in the description and construction of concurrent and dis- event through the same channel. Two process transitions tributed systems. By decomposing a timed automaton to a labeled, respectively, with the sending event and receiving setofprocessautomata,engineerscangreatlysimplifytheir event through the same channel must happen at the same tasks in the modeling of complex, concurrent behaviors. instant to make a legitimate global transition. The inter- The timed automaton can be constructed as the product active synchronization between a train monitor and a gate automaton of the process timed automata. The mode set of controller can be modeled with the communicating timed the product automaton is now the Cartesian product of the automaton in Fig. 3. When the monitor detects that a train mode sets of the process timed automata. The invariance is approaching the railroad crossing, it sends out a signal condition is defined by the conjunction of the invariance through channel to the controller to move the gate conditionsofthemodesoftheprocesstimedautomata.The down. A process transition with an input event that cannot behavior of the product timed automaton is an interleaving find a peer process transition with matching output event oftransitionsoftheprocesstimedautomata. 
simplycannotbeexecuted. What makes timed automata interesting is that their CSP-stylesynchronizationchannelswereincorporatedin model-checking problem is in PSPACE [5]. Moreover, communicating real-time state machines (CRSM) [198] in WANG:FORMALVERIFICATIONOFTIMEDSYSTEMS:ASURVEYANDPERSPECTIVE 1287 1992. Such devices are now supported in real-time system To know when to stop inferencing in case the specifica- model-checkers like I/O automata [90], [133], [157], UP- tion formula is actually not a theorem, we need to prove a PAAL[39],[183],SGM[120],[222],[223],andtheregion- small model theorem to establish the maximum number of encodingdiagram(RED)[213],[216],[217],[219]. inferencestepsfortheproofofthespecificationformula.The A similar synchronization device is used inHyTech [18] complexityoftheverificationproceduredependsonthecom- andKronos[75],[237]withnodistinctionbetweensenders plexityofthesmallmodels. and receivers.Each process is declaredwith the setof syn- Propositional temporal logics, linear time and branching chronizerstorespondto.Thenwhenasynchronizerhappens, time,havebeendiscussedinSectionII-A.Theadvantageof all processes declared to respond to it will have to make a suchframeworksisthattheyusuallycomewithsmallmodel processtransition.Suchadeviceishandyinmodelingbroad- theoremsandalgorithmstocheckwhetheraformulaisathe- casting,multicasting,andothermultipartysynchronizations. orem or not. The disadvantage is that they are usually not For example, to model the bus collision behavior in carrier expressiveenoughtomodelcomplexbehaviorswith,forin- sense multiple access with collision detection (CSMA/CD) stance,queues,stacks,counters,range-unboundedvariables, protocol[175],thebusprocessmayexecuteatransitionla- polynomialconstraints,etc. beledwiththeeventCollision_Detected,whichwill First-order and higher order logics have also been used forceeverysenderprocesstorespondtoatransitionwiththe [127], [197] for specification and verification. 
The advan- sameevent.ItisalsopossibletocombinebasicCSP-stylebi- tageisthatsuchlogicsareveryexpressiveformodelingcom- narysynchronizationstoconstructsuchcomplexmultiparty plexbehaviors.Thedisadvantageisthatingeneral,itisnot synchronizations.Forexample,inRED[219],tomodelthe possibletodesignalgorithmstocheckwhetheraformulais bus collisioneventinCSMAwith senders,thebus a theorem or not.8 First-order logics seem a good compro- needs to execute a transition with !Collision_De- mise between expressiveness and computability, since they tected labels, and, thus, forces each of the senders to are complete ingeneral.Thatis,we stillhavesemidecision respectively respond with a transition with one ?Colli- proceduresthatareguaranteedtoconstructproofsifthespec- sion_Detectedlabel. ificationformulasareindeedtheorems. On the other hand, higher order logics [96], [181] are in C. HybridAutomata generalincomplete.Interestedreadersarereferedto[176]for Hybridautomata[18],[108]areusedtomodelembedded atutorialonIsabelle/HOL.MattoliniandNesipresentedtem- systemswithcontinuousvariables,whosevaluesmayincre- poral-interval logic with compositional operators (TILCO) ment/decrementatvariousrates.Arbitrarylinearconstraints [161]withformalproofsupportfromIsabelle/HOL. are allowed for invariance conditions and triggering condi- tions.Timedautomata[11]area specialsubclassofhybrid E. TimedProcessAlgebras automata in which all continuous variables increment their TimedCSPwasfirstdesignedbyReedandRoscoe[188] values at a uniform rate and only upper-bound and lower- andlatermodifiedbyDaviesandSchneider[74].Itsupports boundinequalitiesofclocksareallowed.Ahybridautomaton thefollowingthreegrammarruleswithtimingconstraints: shares the same structure as timed automata, except that in eachmode,theincrementrateofeachcontinuousvariableis Wait independentlyspecified. Ingeneral,hybridautomataarenotsubjecttoalgorithmic “Wait ”meanstowaitfor timeunits. verification,buttherearesubclasseswhichare[109]. 
modelsthetimeoutincommunication.Itbehaves as until,attime ,whennosynchronizationhashappened D. Logics yet,thecontrolistransferedto . Logic formulas can also be used to describe system behavior. In such frameworks, the system descriptions (in- models the interrupt in embedded systems. It cluding the models for systems and environments) and the behavesas untilattime ,regardlessofsynchronizations, specifications are all put down in the same language. In whencontrolistransferedto . its operation, a logic theory is defined by a set of axioms The timevalue domainintimed CSPis dense. A variety and inference rules. Every formula that can be constructed ofsemanticshasbeendefined.Thesimplestoneassociatesa throughrepetitiveapplicationsoftheinferencerulesiscalled programwithasetoftimedtraces.Schneiderwroteabook atheorem.Twokeyissuesaresoundnessandcompleteness. in this regard [194]. In the book, manual proofs are illus- Soundness means that the theorems in the theory are con- tratedandarefinementrelationfromuntimedCSPprograms sistent, i.e., do not contradict one another. Completeness totimedCSPprogramsispresented.Withtheintroductionof means that every theorem can be provedin a finite number theeventtock,whichadvancestimebyoneunit,Schneider ofstepsofinferenceruleapplications.Whenwe uselogics alsoshowedhowtotranslatetimedCSPprogramstountimed forverification,weusuallyputdownthesystemdescription CSPprogramswithtockevents. asaxiomsandinferencerulesandthespecificationformulas Baetenetal.havedonesubstantialworkinextendingthe asatheorem.Aproofplanmayalsoinvolveseverallemmas process algebra known as the algebra of communicating andcorollariesasintermediatestepstotheestablishmentof 8Inthejargonofcomputerscience,thedecisionproblemsofsuchlogics thegoaltheorem. aresaidtobeundecidableorincomputable. 1288 PROCEEDINGSOFTHEIEEE,VOL.92,NO.8,AUGUST2004 processes (ACP) to the real-time domain [30]–[32]. 
The time models can be dense or discrete. Both absolute time and relative times can be specified. Time-stamped actions can be used to combine actions with the passage of time. The integration operator   allows composition over a continuum of alternatives. The initial abstraction operator   defines a mapping from a parametric initial setting of real variable   to a set of processes, whose behaviors depend on the value of  .

Work on the calculus of communicating systems (CCS) with timing can be found in [59], [170], and [234].

Another timed extension of process algebra is PACSR [152], [184], which supports resource-awareness and probability reasoning in embedded system design.

LOTOS is an ISO standard specification language based on process algebra [43], [123]. Its real-time extension is called Enhanced Timed-LOTOS (ET-LOTOS) [124], [150], [151].

F. Timed Petri Nets

Petri nets [87], [130] are convenient for modeling concurrent systems. In a Petri net, we have places, which may hold tokens, and transitions, which may consume some tokens from the places and produce some other tokens in other places. A state of a Petri net is called a marking, which assigns a number of tokens to each place. Since each place can hold an unbounded number of tokens, Petri nets are infinite-state systems. One special thing about Petri nets is that they lack the capability to test the nonexistence of tokens. Specifically, a transition may happen if all its input places have tokens. But no action can be taken when there is no token in some input place. Theoretically, Petri nets are equivalent to counter machines without zero-test capability [97] and vector addition systems (VAS) [118], [132].

Several classes of timed extensions of Petri nets have been proposed [3], [42], [47], [93], [163], [187]. For example, Merlin and Faber defined time Petri nets, in which each transition is associated with a clock that records the time lapse since it was last enabled [163]. Clock readings can be natural numbers in discrete-time models or dense numbers in continuous-time models. State may change due to transitions and time passage. Each transition also has two attributes: earliest firing time (Eft) and latest firing time (Lft). An enabled transition can only fire when its clock reading is no less than its Eft, and if continuously enabled, it must be fired before its Lft. Thus, time may not increment beyond the minimum deadlines set by the Lft of all enabled transitions. This semantics that "some enabled transition must fire" is different from the nondeterministic semantics of timed automata, in which a continuously enabled transition does not have to be fired before the Lft.

Ghezzi et al. proposed another Petri net extension, called Time Environment/Relation (ER) nets, for timed systems [93]. Each token, instead of each transition, is associated with a time stamp. Transitions can be triggered only when the earliest time and latest time requirements are met with respect to the token time stamps. They also presented three axioms which must be satisfied in each action to maintain the natural concepts of time stamps.

Abdulla and Nylén defined timed Petri nets [3], in which each token is associated with a clock which can be reset at the time of transition. This resembles the clock reset operations of timed automata. There is also no obligation to fire an enabled transition before the Lft expires.

Serugendo et al. extended Merlin and Faber's time Petri net to real-time synchronized Petri nets with synchronizations between a set of objects, modeled with real-time Petri nets [195].

Girault and Valk edited a handbook on formal methods based on Petri nets [94]. Cerone and Maggiolo-Schettini wrote a survey paper on various approaches to extending Petri nets to specification and verification of timed systems [56].

G. Graphical Languages

Statecharts [103] were introduced to help users describe behavioral hierarchies of untimed concurrent systems in a graphical style. System operations can be hierarchically decomposed to parallel and serial modes. Such behavioral hierarchy has inspired various compositional frameworks for verification and analysis, e.g., assume–guarantee reasoning [1], [17], [99], [162], [205], and state refinement verification [9], [232].

Modecharts [128] were the first timed extension of statecharts. Their semantics was defined with RTL [127] in discrete time-domain. Timing intervals and discrete events can be used as triggering conditions for transitions.

Statecharts support many powerful primitives, like exceptions, group transitions, and history. As a result, their semantics is complex. Hierarchic reactive module (HRM) is a model description language for timed systems with restrictions on transitions to simplify the semantics [14]. Syntactically, transitions in HRM can only connect to entry/exit points of structural modules. Transitions are forbidden from jumping directly to inner modules.

Timed unified modeling language (UML) is the real-time extension of UML [72], which is in turn a variation of statecharts. Translation schemes from timed UML to various verification tool languages have been studied and implemented [73], [88], [136], [146], [172].

IV. VERIFICATION FRAMEWORK

There are the following four major approaches to computationally verifying timed systems.

A. Satisfiability Checking

In this framework, we write both the system behavior description   and specification   as logic formulas and try to prove that   is a theorem (i.e., tautology) of the underlying axioms. In reality, we usually check if   is a contradiction, or equivalently   is unsatisfiable. In the implementation, we can use the tableau method to construct an untimed Kripke structure and check if   is satisfied at the initial nodes in the structure. A tableau is a small model that can be used to check the existence of a model for  . Conceptually it is a directed graph   such that   is the set of possible worlds (or states) and   is the set of transitions from world to world.

In the following, we illustrate the tableau construction for TPTL satisfiability checking [15]. Assume that we are given a TPTL formula   such that negations only appear in front of atomic constraints like   and  . This is possible because of de Morgan's law and  ,  , and  .

Given a TPTL formula  ,   is a set of TPTL formulas constructed with the following induction rules.
•   and true  .
• If   or  , then   and  .
• If  , then  ,  ,  .
• If  , then  ,  .
• If  , then  ,  .
• If  , then  .
• If  , then   where   is the symbol for current time and   is identical to   except that every occurrence   is replaced by  .
• If   where  , and  , then  . The case for   is symmetric.

Here, for convenience, we assume only inequalities like  , where   and   are clock variables and   and   are used.

A node in   for   is a subset of   that satisfies the following node consistency conditions.
• true  .
• If  , the truth value of   is in  .
• If  , then  .
• If  , then   or  .
• If  , then   and  .
• If  , then either   or both   and  .
• If  , then both   and  .
• If  , then either   or  .
• If  , then  .

If  , then the following transition consistency conditions must also be maintained in  , i.e., exactly one of the following two is true.
1) For all  , then  .
2) For all  , then  , where   is identical to   except that every constraint like   with  , is respectively replaced with  . (The case for   is symmetric.)

Case 1 models the passage of zero time units, while case 2 models the passage of one time unit. Also note that when a constraint like   is generated, we will no longer ask for the decrements from  . Thus,   serves as a flag, since no matter when we freeze   to  , the truth value of   is already determined at the moment when   is generated.

The small model theorem of TPTL says that if there is a model for  , then there is such a model:
• whose nodes are in the powerset of   and satisfy the node consistency condition; and
• whose transitions satisfy the transition consistency condition; and
• that contains a cycle such that
— the cycle is reachable from an initial state node; and
— if   is labeled in some node in the cycle, there is another node labeled with   in the cycle; and
— if   is labeled in some node in the cycle, there is another node labeled with   in the cycle.

The satisfiability problems of the linear-time temporal logics TPTL [15], TETL, MTL [16], and APTL [228] are EXPSPACE-complete.

It is also possible to use temporal logics with dense-time semantics to do satisfiability checking. However, the satisfiability problems of TPTL with dense-time semantics and TCTL are all undecidable [5], [16].

B. Model Checking

The framework of model checking [60], [61] means that the system descriptions are given as automata, the specification formulas are given as temporal logic formulas, and we want to check if all models of a given system description satisfy a given specification formula. One popular framework in this category is the TCTL model-checking problem [5], in which the system descriptions are timed automata, while the specifications are TCTL formulas. The TCTL model-checking problem is PSPACE-complete. Note that the framework in [5] only permits atomic constraints like   with  . For about one decade, people have straightforwardly extended the framework with constraints like   [113]. Recently, Bouyer [46] showed that the model-checking algorithms in [5], [113] are not correct for such an extension.

An important subclass in the model-checking framework is safety checking, i.e., the model checking of formulas like   where   is a propositional formula for the safety property of a system. In implementation, the safety analysis problem is usually translated to the negation of the reachability problem, i.e., whether   is true or not. Most of the implementations in model checking have focused on the efficiency enhancement of safety checking. The major reason for this may be that fully model checking complex timed systems is indeed too difficult.

It is also possible to model check linear-time temporal logics like TPTL [15] or MTL [16]. In this framework, we want to verify that every computation of the timed automata is also a state sequence of the linear-time property.

Model checking has also been applied to frameworks other than automata. FDR is a commercial model-checker for CSP but does not quite support real-time system modeling [89]. The idea is to check whether, by hiding some internal variables, a behavior description in CSP can be identified as a refinement of another specification in CSP.

There is also model-checking research for Petri nets. One common approach is to put in restrictions to reduce Petri nets to finite-state systems, which are then subject to algorithmic model checking. In general, the reachability (of a specification marking) problem of Petri nets is decidable but without known elementary complexity. Another commonly accepted framework for verification with Petri nets is called the coverability problem, in which we are given a specification marking   and want to see if there is a reachable marking   such that   is no less than   place by place.

C. Simulation

It is also possible to use state-transition systems (automata) for both system behavior descriptions and specifications. This framework can be useful when a specification is too complex to put down in temporal logics. After all, a picture is worth a thousand words. Given a behavior model description   and a specification  , intuitively, we want to check whether   simulates  , i.e., every behavior of   is also a behavior of   with respect to the input and output events (i.e., observable events) and the times at which those events occur. However, we need to define behavior more clearly.

In linear time, a behavior is an (infinite or finite) sequence of events and the occurrence times of those events. Such a sequence together with the event occurrence times is called a timed trace. The framework of trace inclusion verifies whether   implements  , i.e., the timed traces of   are also timed traces of  . This framework may not have the power to discern certain behaviors. For example, in Fig. 1, although the two systems have the same set of traces, the choices at states are not the same. In addition, Alur and Dill showed that the inclusion problem of timed traces is undecidable [12].

An alternative framework is simulation [158], [159], [209], which, in formal verification literature, does not mean that we build a mathematical model in the programming language C, execute the model with an inference engine, and then observe the trace [66], [224]. Instead, simulation is a relation between states of two model descriptions at an abstraction level (regarding the same set of observable inputs and outputs). Given a behavior model description   and a specification  , intuitively, we want to check if there is a simulation relation from   to   (i.e.,   simulates  ). For convenience, we write   iff in  , we can transit from   to   by first letting time progress by   (a nonnegative real) and then executing a transition labeled with event  . A relation   between the state sets of   and   is a simulation iff for every  :
•   and   are the same, predicate by predicate, at the abstraction level;
• if   for some  , then   for some   of   such that  ; and
• for every initial state   of  , there is an initial state   of   such that  .

Timed simulation has been used extensively for systems modeled with various extensions of I/O automata [44], [105], [141], [154]–[156], [160]. Since I/O automata [133] have first-in-first-out (FIFO) queues and their verification problem is in general undecidable, a lot of the work was carried out using theorem provers (see Section IV-D). Taşiran et al. showed that the simulation checking problem for timed automata is EXPTIME [209].

The third alternative is timed bisimulation, which is also a relation between states of two (timed) automata at an abstraction level. For convenience, given a relation  , we let  . Given two model descriptions   and  , a relation   is a timed bisimulation between   and   iff   is a timed simulation from   to   and   is a timed simulation from   to  . Čerāns showed that timed bisimulation checking is decidable [55]. Lasota showed that timed bisimulation checking is also decidable for timed basic parallel processes (BPPs)⁹ [145]. Bisimulation-based verification of timed automata can be found in [71], [153]. Work on discrete-time models can be found in [147]–[149].

D. Theorem Proving

This approach stems from very early research in artificial intelligence [58]. In this framework, verification engineers manually design a verification plan (proof sketch) and then use theorem provers to mechanically check the correctness of the reasoning steps in the plan. Since many of the theorem provers accept undecidable classes of logic formulas, the approach usually does not guarantee the termination of individual mechanical verification tasks. If a user feels that a prover cannot finish a task, he/she may have to either intervene with expertise (formalized as axioms or proof strategies) or change the verification plan. Fulfillment of a verification plan depends heavily on the users' profound knowledge of the underlying logics and proficiency in using the tools.

Various algorithms were developed to check subclasses of first-order logics. Shostak [202] and Nelson and Oppen [173] presented algorithms to decide unquantified combinations of some fragments of first-order logics. Shostak also presented algorithms (congruence closure) to decide equality with uninterpreted functions [200] and methods, like loop residue [201] and SUP-INF [199], to decide linear arithmetic. Oppen presented algorithms for checking Presburger arithmetic formulas¹⁰ [177]. Techniques from propositional calculus [52], [98] can also be employed to check propositional fragments of first-order or higher-order logics.

There is also an extensive library of term rewriting techniques for first-order and higher-order logics [77], [135]. Research has shown that controlled heuristics on term-rewriting rules are important.

⁹ BPPs are systems constructed with rules P ::= p | P ‖ P | 1.P, where p is an atomic process and 1.P is the process of the passage of one time unit followed by process P.

¹⁰ Presburger arithmetic is the theory of linear constraints like c₁x₁ + ... + cₙxₙ ~ d, Boolean operators, and quantification on variables x₁, ..., xₙ.

Shankar designed an operator   (read "since") in a state-based model in the well-documented theorem prover Prototype Verification System (PVS) [197]. The operator   measures the time that has elapsed since   last held. It is implemented with three axioms in PVS. The first specifies the initial value of each  . The second and third respectively define when   should remain the same and when it should increment in an action. Users can also define their own axioms in PVS for convenience. Work along this line can be found in [24], [25], [117], and [193].

V. REPRESENTATIONS OF STATE SPACES

Many verification frameworks rely on the analysis of reachable state spaces. The efficient manipulation of representations of reachable state spaces is fundamental to efficient verification of real-time systems. One important work in this regard is [5], in which Alur et al. presented a finite representation, called the region graph, for the dense-time state space of timed automata, and then proved the PSPACE-completeness of the TCTL model-checking problem. A region graph is a directed graph whose nodes are called regions and whose arcs represent either time progress or discrete transitions between regions. A region is a state subspace with three characteristics. The first is the control location of the states, the second is the integer parts of clock readings in the states up to the biggest timing constants used in the automata and the TCTL formula, and the third is the ordering among the fractional parts of clock readings in the states.

Region graphs are important in establishing complexity. For practical verification, symbolic data structures can usually yield more compact representations. In the following sections, we discuss some work in this regard.

A. Difference-Bounded Matrices

Since Dill proposed to use the difference-bounded matrix (DBM) to record the time space of real-time systems [78], the DBM has been adopted by two major model checkers, Kronos [75], [237] and UPPAAL [39], and has become the most popular data structure for such a purpose.

A DBM is a two-dimensional array. Each entry in a DBM records the difference between two clocks' readings of a state in the space characterized by the DBM. Zero is also treated as a special clock. Conceptually, given a set   of clocks, a DBM   is a mapping from   to a set of elements like   such that:
•   is either   or  ;
•   where   is the biggest timing constant used in the real-time systems or in the specification and   means any constant greater than  ; and
•  

For each two  ,  ,   means that  . A time space characterizable by a DBM is called a zone.

A DBM can represent a convex state space in the time space. Efficient operations, like intersection and normalization to all-pair shortest-path form, can be performed. But a DBM cannot represent a concave state space.

Annichini et al. [21] have extended DBM with parameters for the semialgorithmic analysis of counter and clock systems.

B. BDD-Like Data Structures

BDD [52] is a minimum canonical form for propositional logic and has become an indispensable technology in hardware verification. Topologically, a BDD is an acyclic directed graph with a single source and two sinks (for FALSE and TRUE, respectively). It can represent both disjunctions and conjunctions. Each node is labeled with a decision atom, and the outgoing arcs are labeled with the values of the corresponding decision atom. It is minimum because BDD has the least representation size for any state space with respect to a given variable ordering. It is canonical because there is exactly one BDD for any given state space. This canonicality feature also implies that equality checking between state spaces and emptiness checking of a state space can be done efficiently.

The first paper to discuss how to use BDD to encode zones (actually for asynchronous systems with clock jitters) was by Wang et al. in 1993 [227]. They discussed how to use BDD with decision atoms like   to model check timed automata. Here,   and   are timing constants with magnitude no greater than the biggest constant used in the behavior model and specification. Each decision atom can assume a Boolean truth value. The approach may suffer from bad performance, since the size of the decision atom domain is already proportional to the timing constants and, thus, exponential to the input size. However, they did not report implementation or experiments. In 1996, Balarin implemented the same scheme and reported experiments with approximation techniques [33]. In 1999, Møller et al. used the same idea to devise a data structure called a difference decision diagram (DDD) and discussed many manipulation techniques [168], [169].

The numerical decision diagram (NDD) [26] uses binary encoding for clock readings, and its performance is very sensitive to timing-constant magnitude.

The clock-difference diagram (CDD) [36] uses decision atoms like   and labels arcs with disjoint intervals. For example, a node label   together with an arc label (3,5] constitute the constraint  . CDDs were only used in UPPAAL [36] as recording devices of zones constructed with DBMs. No model-checking and reachability algorithms were implemented with CDDs in [36].

RED [213], [214] encodes the ordering of fractional parts of clock readings in the variable ordering and has achieved very high space efficiency for symmetric systems with large numbers of clocks and small timing constants. RED is a canonical representation of timed automata state subspaces. But for large timing constants, RED's performance degrades rapidly.

Then in 2001, Wang proposed the clock-restriction diagram (CRD) [216]–[218], which has a structure similar
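The time Petri net semantics of Section III-F (one clock per enabled transition, an [Eft, Lft] window, and the urgency rule that time may not pass the smallest Lft among enabled transitions) as an added, executable illustration. This is Python written for this page, not code from the survey or from any Petri net tool; the net, its firing windows, and the clock policy on firing (a transition that stays enabled keeps its clock, while the fired and newly enabled transitions restart at zero) are this example's own assumptions.

```python
"""Merlin-Faber time Petri net: clocks, [Eft, Lft] windows, and urgency.

Constructed demo net (not from the paper): place p0 holds one token and
two transitions compete for it: a: p0 -> p1 in [2, 4], b: p0 -> p2 in [1, 3].
"""
from dataclasses import dataclass
from typing import Dict, List

INF = float("inf")


@dataclass(frozen=True)
class Transition:
    name: str
    pre: Dict[str, int]   # tokens consumed from each input place
    post: Dict[str, int]  # tokens produced in each output place
    eft: float            # earliest firing time
    lft: float            # latest firing time (INF means no deadline)


@dataclass
class State:
    marking: Dict[str, int]   # tokens per place
    clocks: Dict[str, float]  # per enabled transition: time since it was last enabled


def is_enabled(marking: Dict[str, int], t: Transition) -> bool:
    # Enabledness only asks that every input place holds enough tokens;
    # nothing can test that a place is empty (no zero test).
    return all(marking.get(p, 0) >= n for p, n in t.pre.items())


def initial_state(net: List[Transition], marking: Dict[str, int]) -> State:
    return State(dict(marking), {t.name: 0.0 for t in net if is_enabled(marking, t)})


def max_delay(net: List[Transition], s: State) -> float:
    """Largest time advance allowed: no enabled transition may pass its Lft."""
    return min((t.lft - s.clocks[t.name] for t in net if t.name in s.clocks), default=INF)


def elapse(net: List[Transition], s: State, d: float) -> State:
    if d < 0 or d > max_delay(net, s):
        raise ValueError("delay would pass the Lft of an enabled transition")
    return State(dict(s.marking), {n: c + d for n, c in s.clocks.items()})


def fireable(net: List[Transition], s: State, t: Transition) -> bool:
    return t.name in s.clocks and t.eft <= s.clocks[t.name] <= t.lft


def fire(net: List[Transition], s: State, t: Transition) -> State:
    if not fireable(net, s, t):
        raise ValueError(f"{t.name} is not fireable now")
    m = dict(s.marking)
    for p, n in t.pre.items():
        m[p] -= n
    for p, n in t.post.items():
        m[p] = m.get(p, 0) + n
    # Clock policy assumed here: a transition that stays enabled keeps its
    # clock; the fired transition and newly enabled ones restart from zero.
    clocks = {}
    for u in net:
        if is_enabled(m, u):
            keep = u.name in s.clocks and u.name != t.name
            clocks[u.name] = s.clocks[u.name] if keep else 0.0
    return State(m, clocks)


def demo_net() -> List[Transition]:
    a = Transition("a", {"p0": 1}, {"p1": 1}, eft=2, lft=4)
    b = Transition("b", {"p0": 1}, {"p2": 1}, eft=1, lft=3)
    return [a, b]


def run_demo():
    net = demo_net()
    a, b = net
    s0 = initial_state(net, {"p0": 1})
    bound = max_delay(net, s0)      # 3: b's Lft is the tightest deadline
    s1 = elapse(net, s0, 1.0)       # at time 1 only b is fireable (a's Eft is 2)
    early = (fireable(net, s1, a), fireable(net, s1, b))
    s2 = elapse(net, s1, 2.0)       # at time 3 both are fireable; more delay is refused
    try:
        elapse(net, s2, 0.5)
        refused = False
    except ValueError:
        refused = True
    s3 = fire(net, s2, b)           # b wins; a loses its token and its clock
    return bound, early, refused, s3.marking, s3.clocks


if __name__ == "__main__":
    print(run_demo())
```

The refused 0.5 delay is exactly the "some enabled transition must fire" urgency the text contrasts with timed automata: a timed automaton would let time pass and simply lose the enabled edge, whereas here `elapse` rejects any delay that would carry an enabled transition beyond its Lft.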

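The simulation and bisimulation relations of Section IV-C, and the remark that trace inclusion cannot tell apart the two systems of Fig. 1, as an added example. The code is Python written for this page, not from the survey; the two finite timed transition systems below are constructed in the spirit of Fig. 1 (one decides between b and c after the a-step, the other at the a-step), and the relations are computed as greatest fixpoints by iterative refinement, which is this example's own choice of algorithm.

```python
"""Timed simulation and bisimulation on finite timed transition systems.

Constructed example (not the paper's Fig. 1): two systems with identical
timed traces, where only one simulates the other.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Step = Tuple[float, str, str]  # (delay, event, target state)


class TTS:
    """States carry observable predicates; edges carry (delay, event)."""

    def __init__(self, init: Set[str], labels: Dict[str, FrozenSet[str]],
                 edges: Dict[str, List[Step]]):
        self.init = set(init)
        self.labels = labels
        self.edges = edges
        self.states = set(labels)

    def steps(self, s: str) -> List[Step]:
        return self.edges.get(s, [])


def matched(t: float, e: str, s2: str, other_steps: List[Step], R) -> bool:
    """Some (t, e) step of the partner lands in a state still related to s2."""
    return any(t == t2 and e == e2 and (s2, q2) in R for t2, e2, q2 in other_steps)


def largest_simulation(impl: TTS, spec: TTS) -> Set[Tuple[str, str]]:
    """Greatest R such that (s, q) in R implies equal labels and every
    s -(t,e)-> s' is matched by a q -(t,e)-> q' with (s', q') in R."""
    R = {(s, q) for s in impl.states for q in spec.states
         if impl.labels[s] == spec.labels[q]}
    changed = True
    while changed:
        changed = False
        for s, q in list(R):
            if not all(matched(t, e, s2, spec.steps(q), R) for t, e, s2 in impl.steps(s)):
                R.discard((s, q))
                changed = True
    return R


def simulates(spec: TTS, impl: TTS) -> bool:
    """spec simulates impl: each initial state of impl is related to an initial state of spec."""
    R = largest_simulation(impl, spec)
    return all(any((s, q) in R for q in spec.init) for s in impl.init)


def bisimilar(A: TTS, B: TTS) -> bool:
    """Greatest R that is a simulation A->B and whose inverse is a simulation B->A."""
    R = {(s, q) for s in A.states for q in B.states if A.labels[s] == B.labels[q]}
    Rinv = {(q, s) for s, q in R}
    changed = True
    while changed:
        changed = False
        for s, q in list(R):
            fwd = all(matched(t, e, s2, B.steps(q), R) for t, e, s2 in A.steps(s))
            bwd = all(matched(t, e, q2, A.steps(s), Rinv) for t, e, q2 in B.steps(q))
            if not (fwd and bwd):
                R.discard((s, q))
                Rinv.discard((q, s))
                changed = True
    return (all(any((s, q) in R for q in B.init) for s in A.init)
            and all(any((s, q) in R for s in A.init) for q in B.init))


def timed_traces(sys: TTS, depth: int) -> Set[Tuple[Tuple[float, str], ...]]:
    """All finite timed traces of at most `depth` steps (prefix-closed)."""
    out = set()
    frontier = [(s, ()) for s in sys.init]
    while frontier:
        s, tr = frontier.pop()
        out.add(tr)
        if len(tr) < depth:
            for t, e, s2 in sys.steps(s):
                frontier.append((s2, tr + ((t, e),)))
    return out


def fig1_like() -> Tuple[TTS, TTS]:
    no = frozenset()  # no observable predicates: branching alone is under test
    A = TTS({"s0"}, {k: no for k in ["s0", "s1", "s2", "s3"]},
            {"s0": [(1.0, "a", "s1")], "s1": [(0.0, "b", "s2"), (0.0, "c", "s3")]})
    B = TTS({"q0"}, {k: no for k in ["q0", "q1", "q1'", "q2", "q3"]},
            {"q0": [(1.0, "a", "q1"), (1.0, "a", "q1'")],
             "q1": [(0.0, "b", "q2")], "q1'": [(0.0, "c", "q3")]})
    return A, B
```

With `A, B = fig1_like()`, `timed_traces` agree for every depth, so trace inclusion holds both ways, yet `simulates(A, B)` is true while `simulates(B, A)` is false: after the a-step, B's state `q1` can no longer offer `c`, so no state of B can simulate A's `s1`. Consequently the two systems are not bisimilar either.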

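The difference-bounded matrix of Section V-A as an added, runnable example, including the two operations the text names (intersection and normalization to all-pair shortest-path form) and the convexity caveat. This is Python written for this page, not Kronos or UPPAAL code; the bound encoding as a pair (constant, strict) and the `hull` operation used to exhibit a non-representable union are this example's own choices.

```python
"""Difference-bounded matrix (DBM) over clocks x_1..x_n plus the zero clock x_0.

Entry m[i][j] = (c, strict) encodes x_i - x_j < c (strict) or x_i - x_j <= c.
Encoding and zones below are constructed for this page, not tool code.
"""
from typing import List, Sequence, Tuple

INF = float("inf")
Bound = Tuple[float, bool]


def bound_lt(a: Bound, b: Bound) -> bool:
    """a is strictly tighter than b; (3, <) is tighter than (3, <=)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def bound_add(a: Bound, b: Bound) -> Bound:
    """Bound on x_i - x_j obtained through x_k: the sum of the two bounds."""
    if a[0] == INF or b[0] == INF:
        return (INF, True)
    return (a[0] + b[0], a[1] or b[1])


class DBM:
    def __init__(self, n_clocks: int):
        self.n = n_clocks + 1
        self.m: List[List[Bound]] = [[(INF, True)] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.m[i][i] = (0, False)        # x_i - x_i <= 0
            if i > 0:
                self.m[0][i] = (0, False)    # x_0 - x_i <= 0: clocks are nonnegative

    def constrain(self, i: int, j: int, c: float, strict: bool = False) -> "DBM":
        """Conjoin x_i - x_j < c (strict) or <= c; index 0 is the zero clock."""
        b = (c, strict)
        if bound_lt(b, self.m[i][j]):
            self.m[i][j] = b
        return self

    def canonicalize(self) -> "DBM":
        """All-pairs shortest paths (Floyd-Warshall): make every entry tightest."""
        for k in range(self.n):
            for i in range(self.n):
                for j in range(self.n):
                    via = bound_add(self.m[i][k], self.m[k][j])
                    if bound_lt(via, self.m[i][j]):
                        self.m[i][j] = via
        return self

    def is_empty(self) -> bool:
        """A negative cycle shows up as a diagonal entry tighter than (0, <=)."""
        self.canonicalize()
        return any(bound_lt(self.m[i][i], (0, False)) for i in range(self.n))

    def contains(self, valuation: Sequence[float]) -> bool:
        vals = [0.0] + list(valuation)
        for i in range(self.n):
            for j in range(self.n):
                c, strict = self.m[i][j]
                d = vals[i] - vals[j]
                if (d >= c) if strict else (d > c):
                    return False
        return True

    def intersect(self, other: "DBM") -> "DBM":
        """Zones are convex, so the entrywise tighter bound is exactly the intersection."""
        out = DBM(self.n - 1)
        for i in range(self.n):
            for j in range(self.n):
                a, b = self.m[i][j], other.m[i][j]
                out.m[i][j] = a if bound_lt(a, b) else b
        return out

    def hull(self, other: "DBM") -> "DBM":
        """Entrywise weaker bound: the smallest zone covering both, not their union."""
        out = DBM(self.n - 1)
        for i in range(self.n):
            for j in range(self.n):
                a, b = self.m[i][j], other.m[i][j]
                out.m[i][j] = b if bound_lt(a, b) else a
        return out


def demo():
    x, y = 1, 2
    a = DBM(2).constrain(x, 0, 2).constrain(y, 0, 2).constrain(x, y, 0).canonicalize()   # 0<=x<=2, 0<=y<=2, x<=y
    b = DBM(2).constrain(0, x, -3).constrain(x, 0, 4).constrain(y, 0, 1).canonicalize()  # 3<=x<=4, 0<=y<=1
    z = DBM(2).constrain(x, 0, 3).constrain(y, x, 1).canonicalize()                      # derives y<=4
    return {
        "a_has_(1,1.5)": a.contains((1.0, 1.5)),
        "a_has_(1.5,1)": a.contains((1.5, 1.0)),
        "a_and_b_empty": a.intersect(b).is_empty(),
        "hull_has_(3,2)": a.hull(b).contains((3.0, 2.0)),
        "a_has_(3,2)": a.contains((3.0, 2.0)),
        "b_has_(3,2)": b.contains((3.0, 2.0)),
        "y_upper_bound": z.m[y][0],
    }


if __name__ == "__main__":
    print(demo())
```

Two points from the text are visible in `demo()`: canonicalization derives the implied bound y <= 4 from x <= 3 and y - x <= 1, and the zones `a` and `b` are disjoint, so the tightest DBM covering both (`hull`) contains the point (3, 2) that lies in neither. That is the concavity limitation of Section V-A, and the reason the decision-diagram structures of Section V-B (CDD, RED, CRD) keep sets of zones rather than one matrix.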