Case study on distributed and fault tolerant system modeling based on timed automata
Journal of Systems and Software
A Compositional Translation of Timed Automata with Deadlines to Uppaal Timed Automata
FORMATS '09 Proceedings of the 7th International Conference on Formal Modeling and Analysis of Timed Systems
Efficient detection of Zeno runs in timed automata
FORMATS'07 Proceedings of the 5th international conference on Formal modeling and analysis of timed systems
Coarse abstractions make zeno behaviours difficult to detect
CONCUR'11 Proceedings of the 22nd international conference on Concurrency theory
Efficient emptiness check for timed Büchi automata
Formal Methods in System Design
FORMATS'12 Proceedings of the 10th international conference on Formal Modeling and Analysis of Timed Systems
Modeling and verifying hierarchical real-time systems using stateful timed CSP
ACM Transactions on Software Engineering and Methodology (TOSEM)
ACM Computing Surveys (CSUR)
Hi-index | 0.01 |
Zeno-timelocks constitute a challenge for the formal verification of timed automata: they are difficult to detect, and the verification of most properties (e.g., safety) is only correct for timelock-free models. Some time ago, Tripakis proposed a syntactic check on the structure of timed automata: if a certain condition (called strong non-zenoness’ SNZ) is met by all the loops in a given automaton, then zeno-timelocks are guaranteed not to occur. Checking for SNZ is efficient, and compositional (if all components in a network of automata are strongly non-zeno, then the network is free from zeno-timelocks). Strong non-zenoness, however, is sufficient-only: There exist non-zeno specifications which are not strongly non-zeno. A TCTL formula is known that represents a sufficient-and-necessary condition for non-zenoness; unfortunately, this formula requires a demanding model-checking algorithm, and not all model-checkers are able to express it. In addition, this algorithm provides only limited diagnostic information. Here we propose a number of alternative solutions. First, we show that the compositional application of SNZ can be weakened: some networks can be guaranteed to be free from Zeno-timelocks, even if not every component is strongly non-zeno. Secondly, we present new syntactic, sufficient-only conditions that complement SNZ. Finally, we describe a sufficient-and-necessary condition that only requires a simple form of reachability analysis. Furthermore, our conditions identify the cause of zeno-timelocks directly on the model, in the form of unsafe loops. We also comment on a tool that we have developed, which implements the syntactic checks on Uppaal models. The tool is also able to derive, from those unsafe loops in a given automaton (in general, an Uppaal model representing a product automaton of a given network), the reachability formulas that characterise the occurrence of zeno-timelocks. A modified version of the carrier sense multiple access with collision detection protocol is used as a case-study.