13 Discrete Timed Automata

Network:
  V_S : {T ∈ ℕ}
  Θ_S : T = 0

DTA Π:
  V_L : t1, t2, t3, t4 ∈ ℕ
        SourceState ∈ {0, 1}, Place1State, Place2State, SinkState ∈ {1, 2}
  Θ_L : t1 = 0 ∧ t2 = 0 ∧ t3 = 0 ∧ t4 = 0 ∧ SourceState = 0 ∧ Place1State = 1 ∧ Place2State = 1 ∧ SinkState = 1
  TL  = {sourceOut, sinkIn, play}
  A :
    tick
      eff:      T' = T + 1
    sourceOut
      prec:     SourceState = 0 ∧ T = 0 ∧ Place1State = 1
      deadline: SourceState = 0 ∧ T = 0 ∧ Place1State = 1
      eff:      SourceState' = 1 ∧ t4' = T ∧ Place1State' = 2
    sourceOut
      prec:     SourceState = 0 ∧ T = 0 ∧ Place2State = 1
      deadline: SourceState = 0 ∧ T = 0 ∧ Place2State = 1
      eff:      SourceState' = 1 ∧ t3' = T ∧ Place2State' = 2
    sourceOut
      prec:     SourceState = 1 ∧ T = t1 + 50 ∧ Place1State = 1
      deadline: SourceState = 1 ∧ T = t1 + 50 ∧ Place1State = 1
      eff:      t1' = T ∧ t4' = T ∧ Place1State' = 2
    sourceOut
      prec:     SourceState = 1 ∧ T = t1 + 50 ∧ Place2State = 1
      deadline: SourceState = 1 ∧ T = t1 + 50 ∧ Place2State = 1
      eff:      t1' = T ∧ t3' = T ∧ Place2State' = 2
    sinkIn
      prec:     Place1State = 2 ∧ T > t4 + 80 ∧ SinkState = 1
      deadline: Place1State = 2 ∧ T ≥ t4 + 90 ∧ SinkState = 1
      eff:      Place1State' = 1 ∧ t2' = T ∧ SinkState' = 2
    sinkIn
      prec:     Place2State = 2 ∧ T > t3 + 80 ∧ SinkState = 1
      deadline: Place2State = 2 ∧ T ≥ t3 + 90 ∧ SinkState = 1
      eff:      Place2State' = 1 ∧ t2' = T ∧ SinkState' = 2
    play
      prec:     SinkState = 2 ∧ T = t2 + 5
      deadline: SinkState = 2 ∧ T = t2 + 5
      eff:      SinkState' = 1

Fig. 13.3. DTA Product Automaton for the Multimedia Stream

13.4 Verifying Safety Properties over DTAs

(Section 13.2.1). In particular, deadlines in the product automaton can be expressed as (semantically equivalent) preconditions for the tick action; because the product automaton does not contain half actions, time progress conditions can be independently obtained from every deadline. Let $\mathcal{A} = (A_1, \ldots, A_n, V_S, \Theta_S)$ be a network of DTAs, and $\Pi = (V_L, \Theta_L, TL, A, V_S, \Theta_S)$ the corresponding product automaton. Let $\rho_{tick}$ be defined as follows,

$$\rho_{tick} \;\triangleq\; (T' = T + 1) \;\wedge\; \bigwedge_{(a,p,d,e) \in A} \neg d$$

Then, Π is semantically equivalent to the FTS $F_\Pi = (V, \Theta, \mathcal{T})$, where

$$V \triangleq V_L \cup V_S, \qquad \Theta \triangleq \Theta_L \wedge \Theta_S, \qquad \mathcal{T} \triangleq \{\rho_{tick}\} \cup \{\rho_\tau \triangleq p \wedge e \;\mid\; \tau = (a, p, d, e) \in A,\ a \neq tick\}$$

Consider again the multimedia stream example, and the product automaton Π depicted by Figure 13.3. Figure 13.4 shows the equivalent FTS $F_\Pi$ (superscripts have been used to distinguish the transition formulae that correspond to actions with the same label). Given $F_\Pi$, then, invariance proofs can be used to confirm that synchronisation between Source and either Place1 or Place2 is always possible, i.e. that packets can be put in the Channel whenever the Source is ready to send them. This safety property⁶ can be expressed by the LTL formula $\Box\phi$, where

$$\phi \;\triangleq\; \neg\big((T = 0 \vee T = t1 + 50) \wedge Place1State = 2 \wedge Place2State = 2\big)$$

As discussed in Section 13.2.1, the verification of $\Box\phi$ is achieved by applying the deductive rule

$$\frac{\text{P1. } \varphi \rightarrow \phi \qquad \text{P2. } \Theta \rightarrow \varphi \qquad \text{P3. } \forall \tau \in \mathcal{T}.\ \rho_\tau \wedge \varphi \rightarrow \varphi'}{\Box\phi}$$

In particular, Figure 13.5 offers a list of assertions, which can be used as auxiliary invariants in the verification of $\Box\phi$. The predicate mult50(n) can be expressed in WS1S and holds whenever n is a multiple of 50.

⁶ Section 11.3.2 discusses the verification of an equivalent (branching-time) reachability property, for a TA specification of the multimedia stream.

V : { T, t1, t2, t3, t4 ∈ ℕ; SourceState ∈ {0, 1}; Place1State, Place2State, SinkState ∈ {1, 2} }
Θ : T = 0 ∧ t1 = 0 ∧ t2 = 0 ∧ t3 = 0 ∧ t4 = 0 ∧ SourceState = 0 ∧ Place1State = 1 ∧ Place2State = 1 ∧ SinkState = 1
𝒯 : {
  ρ_tick :        ¬(SourceState = 0 ∧ T = 0 ∧ Place1State = 1) ∧
                  ¬(SourceState = 0 ∧ T = 0 ∧ Place2State = 1) ∧
                  ¬(SourceState = 1 ∧ T = t1 + 50 ∧ Place1State = 1) ∧
                  ¬(SourceState = 1 ∧ T = t1 + 50 ∧ Place2State = 1) ∧
                  ¬(Place1State = 2 ∧ T ≥ t4 + 90 ∧ SinkState = 1) ∧
                  ¬(Place2State = 2 ∧ T ≥ t3 + 90 ∧ SinkState = 1) ∧
                  ¬(SinkState = 2 ∧ T = t2 + 5) ∧
                  T' = T + 1
  ρ¹_sourceOut :  SourceState = 0 ∧ T = 0 ∧ Place1State = 1 ∧ SourceState' = 1 ∧ t4' = T ∧ Place1State' = 2
  ρ²_sourceOut :  SourceState = 0 ∧ T = 0 ∧ Place2State = 1 ∧ SourceState' = 1 ∧ t3' = T ∧ Place2State' = 2
  ρ³_sourceOut :  SourceState = 1 ∧ T = t1 + 50 ∧ Place1State = 1 ∧ t1' = T ∧ t4' = T ∧ Place1State' = 2
  ρ⁴_sourceOut :  SourceState = 1 ∧ T = t1 + 50 ∧ Place2State = 1 ∧ t1' = T ∧ t3' = T ∧ Place2State' = 2
  ρ¹_sinkIn :     Place1State = 2 ∧ T > t4 + 80 ∧ SinkState = 1 ∧ Place1State' = 1 ∧ t2' = T ∧ SinkState' = 2
  ρ²_sinkIn :     Place2State = 2 ∧ T > t3 + 80 ∧ SinkState = 1 ∧ Place2State' = 1 ∧ t2' = T ∧ SinkState' = 2
  ρ_play :        SinkState = 2 ∧ T = t2 + 5 ∧ SinkState' = 1
}

Fig. 13.4. FTS F_Π for the Multimedia Stream

Notice that all formulae occurring in the deductive rule, that is ϕ, ϕ', φ, Θ, the transition formulae ρ_τ, and the premises themselves, would be instantiated with WS1S formulae and, as such, they are expressible in MONA. Therefore, MONA can be used to check whether a particular premise is valid. In the case where the premise is not valid, MONA will return a given valuation (i.e. a state) as a counterexample, and user interaction will be needed to assess whether such a valuation is reachable in the system. As we have mentioned in Section 13.2.1, if we are in the presence of a reachable state then ✷φ can be immediately guaranteed not to hold.
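To make the two kinds of check discussed here concrete, the following is an added Python example; it is neither code from the book nor part of MONA. It encodes the FTS F_Π of Figure 13.4 as an explicit transition system, with the tick precondition built, as in the definition of ρ_tick, from the negated deadlines of Figure 13.3. It then (a) explores every state reachable within a time horizon and evaluates φ together with the nine auxiliary invariants of Figure 13.5 on each of them, and (b) runs a finite-domain version of the premise check ρ_tick ∧ ϕ ⇒ φ' that Figure 13.6 hands to MONA: with ϕ = φ alone it returns a counterexample of exactly the kind the text describes (a state satisfying φ from which a tick leads to both places full at T = t1 + 50), and with ϕ strengthened by invariants (1), (2) and (4) the search comes back empty. The shortened field names (Source, Place1, Place2, Sink), the horizon of 300 and the clock bound of 60 are choices made for this example, and the bounded brute-force search only stands in for MONA's decision procedure over all naturals; the restriction of the search to candidates with T = t1 + 49 and the fixing of Source, Sink and t2 are explained in the code and are sound only for assumptions that do not mention those variables.

```python
# Added example, not code from the book or from MONA: the FTS F_Pi of Fig. 13.4
# as an explicit transition system, with a bounded reachability check of phi and
# the invariants of Fig. 13.5, plus a finite-domain version of the premise check
# rho_tick /\ varphi => phi' that Fig. 13.6 hands to MONA.
from collections import deque, namedtuple
from itertools import product

# V = V_L u V_S; Source in {0,1}, Place1/Place2/Sink in {1,2} (names shortened).
State = namedtuple("State", "T t1 t2 t3 t4 Source Place1 Place2 Sink")
INIT = State(0, 0, 0, 0, 0, 0, 1, 1, 1)  # Theta = Theta_L /\ Theta_S

# Deadlines of Fig. 13.3: tick is enabled exactly when none of them holds.
DEADLINES = (
    lambda s: s.Source == 0 and s.T == 0 and s.Place1 == 1,
    lambda s: s.Source == 0 and s.T == 0 and s.Place2 == 1,
    lambda s: s.Source == 1 and s.T == s.t1 + 50 and s.Place1 == 1,
    lambda s: s.Source == 1 and s.T == s.t1 + 50 and s.Place2 == 1,
    lambda s: s.Place1 == 2 and s.T >= s.t4 + 90 and s.Sink == 1,
    lambda s: s.Place2 == 2 and s.T >= s.t3 + 90 and s.Sink == 1,
    lambda s: s.Sink == 2 and s.T == s.t2 + 5,
)

def tick_enabled(s):
    return not any(d(s) for d in DEADLINES)

def tick(s):  # effect of rho_tick: T' = T + 1
    return s._replace(T=s.T + 1)

# Discrete transitions rho_tau = p /\ e; variables not mentioned in e are unchanged.
TRANSITIONS = {
    "sourceOut1": (lambda s: s.Source == 0 and s.T == 0 and s.Place1 == 1,
                   lambda s: s._replace(Source=1, t4=s.T, Place1=2)),
    "sourceOut2": (lambda s: s.Source == 0 and s.T == 0 and s.Place2 == 1,
                   lambda s: s._replace(Source=1, t3=s.T, Place2=2)),
    "sourceOut3": (lambda s: s.Source == 1 and s.T == s.t1 + 50 and s.Place1 == 1,
                   lambda s: s._replace(t1=s.T, t4=s.T, Place1=2)),
    "sourceOut4": (lambda s: s.Source == 1 and s.T == s.t1 + 50 and s.Place2 == 1,
                   lambda s: s._replace(t1=s.T, t3=s.T, Place2=2)),
    "sinkIn1": (lambda s: s.Place1 == 2 and s.T > s.t4 + 80 and s.Sink == 1,
                lambda s: s._replace(Place1=1, t2=s.T, Sink=2)),
    "sinkIn2": (lambda s: s.Place2 == 2 and s.T > s.t3 + 80 and s.Sink == 1,
                lambda s: s._replace(Place2=1, t2=s.T, Sink=2)),
    "play": (lambda s: s.Sink == 2 and s.T == s.t2 + 5,
             lambda s: s._replace(Sink=1)),
}

def successors(s):
    if tick_enabled(s):
        yield "tick", tick(s)
    for name, (prec, eff) in TRANSITIONS.items():
        if prec(s):
            yield name, eff(s)

def phi(s):
    """Safety property: the Source is never blocked when it is ready to send."""
    return not ((s.T == 0 or s.T == s.t1 + 50) and s.Place1 == 2 and s.Place2 == 2)

# Auxiliary invariants (1)-(9) of Fig. 13.5; A => B is written as (not A or B).
AUX = {
    1: lambda s: not (s.Place1 == 2 and s.Place2 == 2) or s.t3 >= s.t4 + 50 or s.t4 >= s.t3 + 50,
    2: lambda s: s.t1 >= s.t3 and s.t1 >= s.t4,
    3: lambda s: s.Source != 0 or (s.T == 0 and s.Place1 == 1 and s.Place2 == 1),
    4: lambda s: (s.T <= s.t4 + 90 or s.Place1 == 1) and (s.T <= s.t3 + 90 or s.Place2 == 1),
    5: lambda s: s.T >= max(s.t1, s.t2, s.t3, s.t4),
    6: lambda s: s.t1 % 50 == 0 and s.t3 % 50 == 0 and s.t4 % 50 == 0,  # mult50
    7: lambda s: (not (s.t2 == s.T and s.T > 0)
                  or (s.Place1 == 1 and s.t4 + 80 < s.T <= s.t4 + 90)
                  or (s.Place2 == 1 and s.t3 + 80 < s.T <= s.t3 + 90)),
    8: lambda s: s.Sink != 2 or s.T <= s.t2 + 5,
    9: lambda s: s.T <= s.t1 + 50,
}

def explore(horizon):
    """BFS over states with T <= horizon; returns (reachable set, violations)."""
    seen, queue, violations = {INIT}, deque([INIT]), []
    while queue:
        s = queue.popleft()
        violations += [("phi", s)] if not phi(s) else []
        violations += [(k, s) for k, inv in AUX.items() if not inv(s)]
        for _, nxt in successors(s):
            if nxt.T <= horizon and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, violations

def tick_counterexample(assume, bound):
    """Finite-domain stand-in for the MONA check of Fig. 13.6: find a state that
    satisfies `assume` and from which an enabled tick violates phi. As T' >= 1, phi'
    can only fail when T' = t1+50 with both places full, so only such candidates are
    generated; Source, Sink and t2 are fixed to values that never block tick (sound
    while `assume` ignores them). Returns the first hit with clocks <= bound or None."""
    for t1, t3, t4 in product(range(bound + 1), repeat=3):
        T = t1 + 49
        s = State(T, t1, T, t3, t4, 1, 2, 2, 2)
        if assume(s) and tick_enabled(s) and not phi(tick(s)):
            return s
    return None

def strengthened(s):  # phi conjoined with invariants (1), (2) and (4)
    return phi(s) and AUX[1](s) and AUX[2](s) and AUX[4](s)
```

With these definitions, `explore(300)` returns an empty violation list, so φ and all nine invariants hold on every state reachable up to T = 300; `tick_counterexample(phi, 60)` returns `State(T=49, t1=0, t2=49, t3=0, t4=0, Source=1, Place1=2, Place2=2, Sink=2)`, a valuation that satisfies φ, is not in the reachable set, and violates invariant (1), which is the situation in which the text says ϕ must be strengthened; `tick_counterexample(strengthened, 60)` returns `None`, because invariants (1) and (2) force T = t1 + 49 to exceed the smaller of t4 + 90 and t3 + 90, at which point invariant (4) contradicts both places being full.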
(1) Place1State = 2 ∧ Place2State = 2 ⇒ (t3 ≥ t4 + 50 ∨ t4 ≥ t3 + 50)
(2) t1 ≥ t3 ∧ t1 ≥ t4
(3) SourceState = 0 ⇒ T = 0 ∧ Place1State = 1 ∧ Place2State = 1
(4) (T > t4 + 90 ⇒ Place1State = 1) ∧ (T > t3 + 90 ⇒ Place2State = 1)
(5) T ≥ t1 ∧ T ≥ t2 ∧ T ≥ t3 ∧ T ≥ t4
(6) mult50(t1) ∧ mult50(t3) ∧ mult50(t4)
(7) t2 = T ∧ T > 0 ⇒ ((Place1State = 1 ∧ T ≤ t4 + 90 ∧ T > t4 + 80) ∨ (Place2State = 1 ∧ T ≤ t3 + 90 ∧ T > t3 + 80))
(8) SinkState = 2 ⇒ T ≤ t2 + 5
(9) T ≤ t1 + 50

Fig. 13.5. Example Auxiliary Invariants

If, on the other hand, the MONA counterexample denotes an unreachable state, then verification might proceed by strengthening ϕ with other auxiliary invariants, and checking all rule premises again. Figure 13.6 shows, as an example, the MONA specification that checks whether the invariant φ is preserved by the time action, i.e. to check the validity of the WS1S formula (part of rule premise P3), $\rho_{tick} \wedge \phi \Rightarrow \phi'$.

  % Variables
  var1 T, T', t1, t3, t4, t2,
       SourceState where SourceState in {0,1},
       Place1State where Place1State in {1,2},
       Place2State where Place2State in {1,2},
       SinkState where SinkState in {1,2};

  % ρ_tick ∧ φ ⇒ φ' as a MONA formula
  % for φ ≜ ¬((T = 0 ∨ T = t1 + 50) ∧ Place1State = 2 ∧ Place2State = 2)
  ~(SourceState=0 & T=0 & Place1State=1) &
  ~(SourceState=0 & T=0 & Place2State=1) &
  ~(SourceState=1 & T=t1+50 & Place1State=1) &
  ~(SourceState=1 & T=t1+50 & Place2State=1) &
  ~(Place1State=2 & T>=t4+90 & SinkState=1) &
  ~(Place2State=2 & T>=t3+90 & SinkState=1) &
  ~(SinkState=2 & T=t2+5) &
  T' = T+1 &
  (~((T=0 | T=t1+50) & Place1State=2 & Place2State=2))
  => (~((T'=0 | T'=t1+50) & Place1State=2 & Place2State=2));

Fig. 13.6. MONA Specification to Verify ρ_tick ∧ φ ⇒ φ'

Other quality of service properties can also be verified for the multimedia stream, such as throughput (i.e. the number of packets delivered to the Sink in a given period of time), and latency (i.e. the end-to-end delay between the time a packet is sent by the Source, and the time it is played by the Sink). As shown in [85], a few modifications to the original DTA specification allow these properties to be expressed as invariants, and be verified by MONA.

13.5 Discussion: Comparing DTAs and TIOAs with Urgency

A detailed comparison between DTAs and other similar notations (e.g. clock transition systems [135]) escapes the format of this book (the reader is referred, instead, to [85]). Nevertheless, this section highlights some differences and common points between DTAs and timed I/O automata with urgency (TIOAUs, for short) [82].

Both notations, DTAs and TIOAUs, are influenced (among other frameworks) by timed I/O automata [110] and TAD (Section 12.3.1). As a result of this, a number of similarities can be observed. In both notations, DTA and TIOAU, automata are composed of variables, which define the state-space, and actions, which model instantaneous state changes (i.e. discrete events). Actions are characterised by a label, a precondition, an effect and a deadline. The set of actions is partitioned into internal (or completed) and external (input or output) actions. Automata can be composed to describe complex systems, and interaction among components is realised via message passing (matching external actions). Also, DTA and TIOAU specifications are time-reactive (although zeno-timelocks can occur in both models). But here the similarities end, and the models differ in a number of ways.

Synchronisation and Parallel Composition. DTAs adopt CCS-like binary synchronisation, and only allow one level of parallel components. Effectively, a network of DTAs results in a product automaton where synchronisation is resolved, and all actions are completed. Thus, the product automaton cannot participate in further synchronisations, and so parallel composition cannot be applied incrementally. Notice that this is consistent with the communicating automata models described in this book: finite- and infinite-state communicating automata (Chapter 8), and timed automata (Chapter 11). On the other hand, TIOAUs are closer to process calculi such as CSP or LOTOS. TIOAUs adopt multiway synchronisation, and parallel composition can be incrementally applied to build larger systems (as discussed in Section 2.3.6.4, this suits a constraint-oriented style of specification). In TIOAU, parallel composition can be thought of as yielding a new automaton, where synchronisation between matching output and input actions results in a new output action (and not a completed action, as in DTAs). Also, and unlike DTAs, TIOAUs are input enabled; i.e. input actions are enabled in any state. This is consistent with the intention of TIOAUs to model open systems, in which input actions are assumed to be under the control of the environment (hence, it can be argued that input actions should not be constrained by the system). These different approaches to specification have been discussed in Section 8.2.6.2, in the context of communicating automata and process calculi. In general, the same conclusions apply here, and thus we can argue that the expressiveness of TIOAUs facilitates the specification of complex systems, whereas the verification of DTA specifications is easier to automatise.

Time. Discrete time in DTAs is represented by a time-passage action, whereas in TIOAUs continuous time is represented by trajectories (which describe how variables, i.e. the state, change over time). It is argued [110] that trajectories are more convenient than time-passage actions, as they lead to simpler mathematical proofs.
On the other hand, a time-passage action, such as the tick action in DTAs, seems to be a more natural choice if invariance proofs are to be applied (because both discrete events and the passage of time are represented by the same kind of actions, mapping DTAs to FTSs is straightforward).

Expressiveness of the Specification Language. Representing complex specifications with TIOAUs can be considerably easier than doing so with DTAs. For example, TIOAUs support continuous time domains, parameterised actions, more general data types and a powerful assertion language (for writing preconditions and effects). On the other hand, the expressiveness of DTAs is limited to allow MONA to be used as a verification tool, whereas proofs for TIOAUs specifications are usually developed by hand.

References

1. M. Abadi and L. Lamport. An old-fashioned recipe for real time. ACM Transactions on Programming Languages and Systems, 16(5):1543–1571, September 1994.
2. S. Abramsky. Observation equivalence as a testing equivalence. Theoretical Computer Science, 53:225–241, 1987.
3. L. Aceto, P. Bouyer, A. Burgueño, and K. Larsen. The power of reachability testing for timed automata. Theoretical Computer Science, 1-3(300):411–475, 2003.
4. L. Aceto and D. Murphy. On the ill-timed but well-caused. In CONCUR'93: Concurrency Theory, Lecture Notes in Computer Science, No. 715. Springer-Verlag, 1993.
5. A. Aho and J. Ullman. Foundations of Computer Science. Computer Science Press, 1992.
6. R. Alur, C. Courcoubetis, and D. Dill. Model-checking in dense real-time. Information and Computation, 104(1):2–34, May 1993.
7. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
8. J.C.M. Baeten, J.A. Bergstra, and J.W. Klop. On the consistency of Koomen's fair abstraction rule. Theoretical Computer Science, 51:129–176, 1987.
9. F. Balarin. Approximate reachability analysis of timed automata. In IEEE Real-Time Systems Symposium, pages 52–61, 1996.
10. D. Basin and S. Friedrich. Combining WS1S and HOL. In D.M. Gabbay and M. de Rijke, editors, Frontiers of Combining Systems 2, volume 7 of Studies in Logic and Computation, pages 39–56. Research Studies Press/Wiley, Baldock, Herts, UK, February 2000.
11. G. Behrmann, P. Bouyer, K.G. Larsen, and R. Pelanek. Lower and upper bounds in zone based abstractions of timed automata. In Proceedings of TACAS'04, LNCS 2988, pages 312–326. Springer, 2004.
12. J. Bengtsson. Efficient symbolic state exploration of timed systems: Theory and implementation. Technical Report 2001-009, Department of Information Technology, Uppsala University, 2001.
13. J. Bengtsson and W. Yi. Timed automata: Semantics, algorithms and tools. In W. Reisig and G. Rozenberg, editors, Lecture Notes on Concurrency and Petri Nets, LNCS 3098. Springer, 2004.
14. B. Berard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, and P. Schnoebelen. Systems and Software Verification. Springer, 2001.
15. J.A. Bergstra and J.W. Klop. Algebra for communicating processes with abstraction. Journal of Theoretical Computer Science, 37:77–121, 1985.
16. G. Behrmann, A. David, and K. Larsen. A tutorial on uppaal. In M. Bernardo and F. Corradini, editors, Formal Methods for the Design of Real-Time Systems. International School on Formal Methods for the Design of Computer, Communication and Software Systems, SFM-RT 2004. Revised Lectures, LNCS 3185, pages 200–236. Springer, 2004.
17. C. Bernardeschi, J. Dustzadeh, A. Fantechi, E. Najm, A. Nimour, and F. Olsen. Transformations and consistent semantics for ODP viewpoints. In H. Bowman and J. Derrick, editors, FMOODS'97, 2nd IFIP Conference on Formal Methods for Open Object Based Distributed Systems. Chapman & Hall, July 1997.
18. M. Bernardo and R. Gorrieri. A tutorial on empa: A theory of concurrent processes with nondeterminism, priorities, probabilities and time. Theoretical Computer Science, 202:1–54, 1998.
19. N.S. Bjørner. Integrating Decision Procedures for Temporal Verification. PhD thesis, Computer Science Department, Stanford University, November 1998.
20. N.S. Bjørner, A. Browne, and Z. Manna. Automatic generation of invariants and intermediate assertions. Theoretical Computer Science, 173(1):49–87, February 1997.
21. G.S. Blair, L. Blair, H. Bowman, and A. Chetwynd. Formal Specification of Distributed Multimedia Systems. UCL Press, 1998.
22. E. Boiten, H. Bowman, J. Derrick, and M. Steen. Viewpoint consistency in Z and LOTOS: A case study. In J. Fitzgerald, C.B. Jones, and P. Lucas, editors, FME'97: Industrial Applications and Strengthened Foundations of Formal Methods, LNCS 1313, pages 644–664. Springer-Verlag, September 1997.
23. E. Boiten, J. Derrick, H. Bowman, and M. Steen. Consistency and refinement for partial specification in Z. In M.C. Gaudel and J. Woodcock, editors, FME'96: Industrial Benefit of Formal Methods, Third International Symposium of Formal Methods Europe, LNCS 1051, pages 287–306. Springer-Verlag, March 1996.
24. T. Bolognesi and E. Brinksma. Introduction to the ISO specification language LOTOS. Computer Networks and ISDN Systems, 14(1):25–29, 1988.
25. T. Bolognesi and F. Lucidi. LOTOS-like process algebras with urgent or timed interactions. In FORTE'91. North-Holland, 1991.
26. T. Bolognesi, F. Lucidi, and S. Trigila. Converging towards a timed LOTOS standard. Computer Standards & Interfaces, 16:87–118, 1994.
27. G. Booch. Object-oriented Analysis and Design. Benjamin/Cummings, 1994.
28. M. Boreale, P. Inverardi, and M. Nesi. Complete sets of axioms for finite basic LOTOS behavioural equivalences. Information Processing Letters, 43:155–160, 1992.
29. S. Bornot and J. Sifakis. On the composition of hybrid systems. In Hybrid Systems: Computation and Control, LNCS 1386, pages 49–63. Springer, 1998.
30. S. Bornot, J. Sifakis, and S. Tripakis. Modeling urgency in timed systems. In Compositionality: The Significant Difference, International Symposium, COMPOS'97, Bad Malente, Germany, September 8-12, 1997. Revised Lectures, LNCS 1536, pages 103–129. Springer, 1998.
31. G. Boudol and I. Castellani. Flow models of distributed computations: Three equivalent semantics for CCS. Information and Computation, 114:247–314, 1994.
32. H. Bowman. A true concurrency approach to time extended LOTOS (revised version). Technical Report 17-96, Computing Laboratory, University of Kent at Canterbury, 1996.
33. H. Bowman. A LOTOS based tutorial on formal methods for object-oriented distributed systems. New Generation Computing, 16:343–372, 1998.
34. H. Bowman. Modelling timeouts without timelocks. In ARTS'99, Formal Methods for Real-Time and Probabilistic Systems, 5th International AMAST Workshop, LNCS 1601, pages 335–353. Springer-Verlag, 1999.
35. H. Bowman. Time and action lock freedom properties for timed automata. In M. Kim, B. Chin, S. Kang, and D. Lee, editors, FORTE 2001, Formal Techniques for Networked and Distributed Systems, pages 119–134, Cheju Island, Korea, 2001. Kluwer Academic.
36. H. Bowman, L. Blair, G.S. Blair, and A. Chetwynd. Time versus abstraction in formal description. In R.L. Tenney, P.D. Amer, and M.U. Uyar, editors, Formal Description Techniques VI, FORTE'93, pages 467–482, Boston, October 1993. North-Holland.
37. H. Bowman, E.A. Boiten, J. Derrick, and M. Steen. Viewpoint consistency in ODP, a general interpretation. In E. Najm and J. Stefani, editors, First IFIP International Workshop on Formal Methods for Open Object-based Distributed Systems, pages 189–204, Paris, March 1996. Chapman & Hall.
38. H. Bowman, C. Briscoe-Smith, J. Derrick, and B. Strulo. On behavioural subtyping in LOTOS. In H. Bowman and J. Derrick, editors, FMOODS'97, Second IFIP International Conference on Formal Methods for Open Object-based Distributed Systems. Chapman & Hall, 1997.
39. H. Bowman and J. Derrick. Extending LOTOS with time; a true concurrency perspective. In M. Bertran and T. Rus, editors, Proceedings 4th AMAST Workshop on Real-Time Systems, Concurrent and Distributed Software, LNCS 1231. Springer-Verlag, 1997.
40. H. Bowman and J. Derrick. A junction between state based and behavioural specification. In Formal Methods for Open Object-based Distributed Systems, pages 213–239. Kluwer, February 1999.
41. H. Bowman and J. Derrick, editors. Formal Methods for Distributed Processing, A Survey of Object-Oriented Techniques. Cambridge University Press, 2001.
42. H. Bowman, J. Derrick, P. Linington, and M. Steen. Cross viewpoint consistency in open distributed processing. IEE Software Engineering Journal, 11(1):44–57, January 1996.
43. H. Bowman, G. Faconti, and M. Massink. Specification and verification of media constraints using uppaal. In 5th Eurographics Workshop on the Design, Specification and Verification of Interactive Systems, DSV-IS 98, Eurographics Series. Springer-Verlag, August 1998.
44. H. Bowman and R. Gomez. How to stop time stopping. Submitted for publication, 2005.
45. H. Bowman, R. Gomez, and L. Su. A tool for the syntactic detection of zeno-timelocks in timed automata. In Proceedings of the 6th AMAST Workshop on Real-Time Systems, Stirling, July 2004.
46. H. Bowman and J. Katoen. A true concurrency semantics for ET-LOTOS. Technical Report 12/97, University of Erlangen, 1997.
47. H. Bowman and J. Katoen. A true concurrency semantics for ET-LOTOS. In CSD'98 International Conference on Application of Concurrency to System Design. IEEE Computer Society, 1998.
48. H. Bowman, M.W.A. Steen, E.A. Boiten, and J. Derrick. A formal framework for viewpoint consistency. Formal Methods in System Design, 21:111–166, 2002.
49. M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos: A model-checking tool for real-time systems. In Proceedings of the 10th International Conference on Computer Aided Verification, pages 546–550. Springer-Verlag, 1998.
50. E. Brinksma. A theory for the derivation of tests. In S. Aggarwal and K. Sabnani, editors, Protocol Specification, Testing and Verification, VIII, pages 63–74, Atlantic City, USA, June 1988. North-Holland.
51. E. Brinksma, J. Katoen, R. Langerak, and D. Latella. Performance analysis and true concurrency semantics. In Theories and Experiences for Real-time System Development (ARTS'93), pages 309–337. World Scientific, 1994.
52. E. Brinksma and G. Scollo. Formal notions of implementation and conformance in LOTOS. Technical Report INF-86-13, Dept of Informatics, Twente University of Technology, 1986.
53. E. Brinksma, G. Scollo, and C. Steenbergen. Process specification, their implementation and their tests. In B. Sarikaya and G.V. Bochmann, editors, Protocol Specification, Testing and Verification, VI, pages 349–360, Montreal, Canada, June 1986. North-Holland.
54. R.E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.
55. J.R. Büchi. On a decision method in restricted second-order arithmetic. Zeitschrift für Mathematische Logik und Grundlagen der Mathematik, 6:66–92, 1960.
56. CCITT Z.100. Specification and Description Language SDL, 1988.
57. E. Clarke and E. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In D. Kozen, editor, Logic of Programs, Workshop, Yorktown Heights, New York, May 1981, LNCS 131, pages 52–71. Springer-Verlag, 1982.
58. E.M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. The MIT Press, 1999.
59. J. Courtiat and R.C. de Oliveira. RT-LOTOS and its application to multimedia protocol specification and validation. In International Conference on Multimedia Networking, pages 30–47. IEEE Computing Press, 1995.
60. E. Cusack and G.H.B. Rafsanjani. ZEST. In S. Stepney, R. Barden, and D. Cooper, editors, Object Orientation in Z, Workshops in Computing, pages 113–126. Springer-Verlag, 1992.
61. E. Cusack, S. Rudkin, and C. Smith. An object oriented interpretation of LOTOS. In Proceedings 2nd International Conference on Formal Description Techniques (FORTE'89). North-Holland, December 1989.
62. A. David, G. Behrmann, K. Larsen, and W. Yi. A tool architecture for the next generation of uppaal. In UNU/IIST 10th Anniversary Colloquium. Formal Methods at the Cross Roads: From Panacea to Foundational Support, LNCS 2757. Springer, 2003.
63. A. David, G. Behrmann, K. Larsen, and W. Yi. Unification & sharing in timed automata verification. In SPIN Workshop 03, volume 2648 of LNCS, pages 225–229, 2003.
[...]
[...] Theory of Processes. MIT Press, 1988.
90. M. Hennessy and R. Milner. Algebraic laws for non-determinism and concurrency. Journal of the ACM, 32(1):137–161, 1985.
91. T. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. Information and Computation, 111(2):193–244, 1994.
92. T.A. Henzinger and Pei-Hsin. HyTech: The Cornell HYbrid TECHnology tool. In Proceedings of TACAS, Workshop [...]
[...]
[...] On specifying real-time systems in a causality-based setting. In B. Jonsson and J. Parrow, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 1135, pages 385–405. Springer-Verlag, 1996.
110. D. Kaynar, N. Lynch, R. Segala, and F. Vaandrager. Timed I/O automata: a mathematical framework for modelling and analyzing real-time systems. In Proceedings 24th IEEE International Real-Time Systems Symposium (RTSS03), pages 166–177. IEEE Computer Society, 2003.
111. N. Klarlund and A. Møller. MONA Version 1.4 User Manual. BRICS, University of Aarhus, Denmark, January 2001.
112. D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27:333–354, 1983.
113. L. Lamport. Hybrid systems in TLA+. In Hybrid Systems, LNCS 736, pages 77–102. Springer-Verlag, 1993.
114. R. Langerak. Transformations and Semantics [...]
[...]
[...] structure and state-space reduction for model checking real time systems. Real-Time Systems, 25(2):255–275, September 2003.
118. K. Larsen and A. Skou. Bisimulation through probabilistic testing. In 6th ACM Symposium on Principles of Programming Languages, 1989.
119. K.G. Larsen, B. Steffen, and C. Weise. A constraint oriented proof methodology based on modal transition systems. Technical Report RS-94-47, University [...]
[...]
[...] Timing-based systems. Information and Computation, 128(1):1–25, July 1996.
135. Z. Manna, Y. Kesten, and A. Pnueli. Verifying clocked transition systems. In Hybrid Systems III, LNCS 1066, pages 13–40. Springer-Verlag, 1996.
136. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, 1992.
137. Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer-Verlag, 1995.
138. R. Mateescu and M. Sighireanu. Efficient on-the-fly model-checking for regular alternation-free mu-calculus. In I. Schieferdecker, S. Gnesi, and A. Rennoch, editors, FMICS'2000, 5th International Workshop on Formal Methods for Industrial Critical Systems, GMD Report 91, pages 65–89, 2000.
139. A. Mazurkiewicz. Basic notions of trace theory. In Linear Time, Branching [...]
[...]
[...] Tuttle. Time-constrained automata. In CONCUR: 2nd International Conference on Concurrency Theory, LNCS. Springer-Verlag, 1991.
143. C. Miguel, A. Fernandez, and L. Vidaller. Extending LOTOS towards performance evaluation. In M. Diaz and R. Groz, editors, Formal Description Techniques, V, Lannion, France, October 1992. North-Holland.
144. G.J. Milne. CIRCAL and the representation of communication concurrency [...]
[...]
[...] specify time constraint among non-adjacent actions using 1st-order logic. In FORTE'93. North-Holland, 1993.
153. R. De Nicola and M. Hennessy. Testing equivalences for processes. Journal of Theoretical Computer Science, 34:83–133, 1984.
154. X. Nicollin and J. Sifakis. An overview and synthesis on timed process algebra. In Real-time Theory in Practice, LNCS 600, pages 549–572. Springer-Verlag, June 1991.
155. M. Nielsen, [...]
[...]
[...] & Verification. North-Holland, 1993.
169. W. Reisig. Petri Nets, An Introduction. Springer-Verlag, 1982.
170. A. Rensink. Posets for configurations! In CONCUR'92, LNCS 30. Springer-Verlag, 1992.
171. A.W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall, 1997.
172. G.A. Rose. Object-Z. In S. Stepney, R. Barden, and D. Cooper, editors, Object Orientation in Z, Workshops in Computing, pages 59–78. Springer-Verlag, 1992.
[...]
[...] 270–284. Springer-Verlag, 1998.
175. S. Schneider. Timewise refinement for communicating processes. Science of Computer Programming, 28:43–90, 1997.
176. S. Schneider. Concurrent and Real-time Systems, the CSP Approach. Wiley, 2000.
177. S. Schneider, J. Davies, D.M. Jackson, G.M. Reed, J.N. Reed, and A.W. Roscoe. Timed CSP: Theory and practice. In Real-Time: Theory in Practice, LNCS 600, pages 640–675. Springer-Verlag, [...]