Timed Automata From Theory to Implementation

Size: px

Start display at page:

Download "Timed Automata From Theory to Implementation"

Arabella Bryant
5 years ago
Views:

1 Timed Automata From Theory to Implementation Patricia Bouyer LSV CNRS & ENS de Cachan France Chennai january 2003 Timed Automata From Theory to Implementation p.1

2 Roadmap Timed automata, decidability issues Some extensions of the model Implementation of timed automata Chennai january 2003 Timed Automata From Theory to Implementation p.2

3 Timed automata, decidability issues presentation of the model decidability of the model the region automaton construction Chennai january 2003 Timed Automata From Theory to Implementation p.3

4 Timed automata x, y: clocks [Alur & Dill s] guard action reset p y < 4, a, x := 0 x = 5, b q c, y := 0 Chennai january 2003 Timed Automata From Theory to Implementation p.4

5 Timed automata x, y: clocks [Alur & Dill s] guard action reset p y < 4, a, x := 0 x = 5, b q c, y := 0 a c b p q q p value of x value of y timed word (a, 3.2)(c, 5.1)(b, 8.2)... Chennai january 2003 Timed Automata From Theory to Implementation p.4

6 Emptiness checking Emptiness problem: is the language accepted by a timed automaton empty? reachability properties basic liveness properties (final states) (Büchi (or other) conditions) Chennai january 2003 Timed Automata From Theory to Implementation p.5

7 Emptiness checking Emptiness problem: is the language accepted by a timed automaton empty? reachability properties basic liveness properties (final states) (Büchi (or other) conditions) Theorem: The emptiness problem for timed automata is decidable. It is PSPACE-complete. [Alur & Dill 1990 s] Chennai january 2003 Timed Automata From Theory to Implementation p.5

8 The region abstraction y 2 Equivalence of finite index x Chennai january 2003 Timed Automata From Theory to Implementation p.6

9 The region abstraction y 2 Equivalence of finite index x compatibility between regions and constraints Chennai january 2003 Timed Automata From Theory to Implementation p.6

10 The region abstraction y 2 Equivalence of finite index x compatibility between regions and constraints compatibility between regions and time elapsing Chennai january 2003 Timed Automata From Theory to Implementation p.6

11 The region abstraction y 2 Equivalence of finite index x compatibility between regions and constraints compatibility between regions and time elapsing Chennai january 2003 Timed Automata From Theory to Implementation p.6

12 The region abstraction y 2 Equivalence of finite index x compatibility between regions and constraints compatibility between regions and time elapsing a bisimulation property Chennai january 2003 Timed Automata From Theory to Implementation p.6

13 The region abstraction y 2 1 Equivalence of finite index region defined by I x =]1; 2[, I y =]0; 1[ {x} < {y} x compatibility between regions and constraints compatibility between regions and time elapsing a bisimulation property Chennai january 2003 Timed Automata From Theory to Implementation p.6

14 The region automaton timed automaton region partition q g,a,c:=0 q is transformed into: (q, R) a (q, R ) if there exists R Succ t (R) s.t. R g [C 0]R R L(reg. aut.) = UNTIME(L(timed aut.)) where UNTIME((a 1, t 1 )(a 2, t 2 )... ) = a 1 a 2... Chennai january 2003 Timed Automata From Theory to Implementation p.7

15 An example [AD 90 s] y x Chennai january 2003 Timed Automata From Theory to Implementation p.8

16 Partial conclusion a timed model interesting for verification purposes Numerous works have been (and are) devoted to: the theoretical comprehension of timed automata extensions of the model (to ease the modelling) expressiveness analyzability algorithmic problems and implementation Chennai january 2003 Timed Automata From Theory to Implementation p.9

17 Some extensions of the model adding constraints of the form x y c adding silent actions adding constraints of the form x + y c adding new operations on clocks Chennai january 2003 Timed Automata From Theory to Implementation p.10

18 Adding diagonal constraints x y c and x c Decidability: yes, using the region abstraction y x Expressiveness: no additional expressive power Chennai january 2003 Timed Automata From Theory to Implementation p.11

19 Adding diagonal constraints (cont.) c is positive copy where x y c x := 0 y := 0 x c x := 0 x y c y := 0 x := 0 x > c y := 0 y := 0 proof in [Bérard,Diekert,Gastin,Petit 1998] copy where x y > c Chennai january 2003 Timed Automata From Theory to Implementation p.12

20 Adding diagonal constraints (cont.) Open question: is this construction optimal? In the sense that timed automata with diagonal constraints are explonentially more concise than diagonal-free timed automata. Chennai january 2003 Timed Automata From Theory to Implementation p.12

21 Adding silent actions g, ε, C := 0 [Bérard,Diekert,Gastin,Petit 1998] Decidability: yes (actions has no influence on the previous construction) Expressiveness: strictly more expressive! x = 1 a x := x 1 0 < x < 1, b x = 1, ε, x := 0 a a b b a Chennai january 2003 Timed Automata From Theory to Implementation p.13

22 Adding constraints of the form x + y c x + y c and x c [Bérard,Dufourd 2000] Decidability: - for two clocks, decidable using the abstraction y x - for four clocks (or more), undecidable! Expressiveness: more expressive! (even using two clocks) x + y = 1, a, x := 0 {(a n, t 1... t n ) n 1 and t i = i } Chennai january 2003 Timed Automata From Theory to Implementation p.14

23 The two-counter machine Definition. A two-counter machine is a finite set of instructions over two counters (x and y): Incrementation: (p): x := x + 1; goto (q) Decrementation: (p): if x > 0 then x := x 1; goto (q) else goto (r) Theorem. [Minsky 67] The emptiness problem for two counter machines is undecidable. Chennai january 2003 Timed Automata From Theory to Implementation p.15

24 Undecidability proof c is unchanged c is incremented c c c c c c c c cc d d dd d d d d d d time d is decremented simulation of decrement of d increment of c We will use 4 clocks: u, tic clock (each time unit) x 0, x 1, x 2 : reference clocks for the two counters x i reference for c the last time x i has been reset is the last time action c has been performed [Bérard,Dufourd 2000] Chennai january 2003 Timed Automata From Theory to Implementation p.16

25 Undecidability proof (cont.) Increment of counter c: x 0 2, u + x 2 = 1, c, x 2 := 0 x 2 := 0 u = 1,, u := 0 x 0 > 2, c, x 2 := 0 u + x 2 = 1 ref for c is x 0 ref for c is x 2 Decrement of counter c: x 0 < 2, u + x 2 = 1, c, x 2 := 0 x 2 := 0 u = 1,, u := 0 x 0 = 2, c, x 2 := 0 u + x 2 = 1 u = 1, x 0 = 2,, u := 0, x 2 := 0 Chennai january 2003 Timed Automata From Theory to Implementation p.17

26 Adding constraints of the form x + y c Two clocks: decidable! using the abstraction y x Four clocks (or more): undecidable! Chennai january 2003 Timed Automata From Theory to Implementation p.18

27 Adding constraints of the form x + y c Two clocks: decidable! using the abstraction y 2 1 Three clocks: open question x Four clocks (or more): undecidable! Chennai january 2003 Timed Automata From Theory to Implementation p.18

28 Adding new operations on clocks Several types of updates: x := y + c, x :< c, x :> c, etc... Chennai january 2003 Timed Automata From Theory to Implementation p.19

29 Adding new operations on clocks Several types of updates: x := y + c, x :< c, x :> c, etc... The general model is undecidable. (simulation of a two-counter machine) Chennai january 2003 Timed Automata From Theory to Implementation p.19

30 Adding new operations on clocks Several types of updates: x := y + c, x :< c, x :> c, etc... The general model is undecidable. (simulation of a two-counter machine) Only decrementation also leads to undecidability Incrementation of counter x z = 0 z = 1, z := 0 z = 0, y := y 1 Decrementation of counter x z = 0 x 1 z = 0, x := x 1 x = 0 Chennai january 2003 Timed Automata From Theory to Implementation p.19

31 Decidability y := 0 y := 1 x y < image by y := 1 the bisimulation property is not met The classical region automaton construction is not correct. Chennai january 2003 Timed Automata From Theory to Implementation p.20

32 Decidability (cont.) A Diophantine linear inequations system is there a solution? if yes, belongs to a decidable class Examples: constraint x c constraint x y c c max x c max x,y update x : y + c max x max y +c and for each clock z, max x,z max y,z + c, max z,x max z,y c update x :< c c max x and for each clock z, max z c + max z,x The constants (max x ) and (max x,y ) define a set of regions. Chennai january 2003 Timed Automata From Theory to Implementation p.21

33 Decidability (cont.) y := 0 y := 1 x y < 1 max y 0 max x 0 + max x,y max y 1 max x 1 + max x,y max x,y 1 = max x = 2 max y = 1 max x,y = 1 max y,x = 1 y 1 The bisimulation property is met x Chennai january 2003 Timed Automata From Theory to Implementation p.22

34 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

35 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

36 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

37 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

38 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

39 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 Chennai january 2003 Timed Automata From Theory to Implementation p.23

40 What s wrong when undecidable? Decrementation x := x 1 max x max x 1 etc... Chennai january 2003 Timed Automata From Theory to Implementation p.23

41 Decidability (cont.) x := c, x := y x := x + 1 x := y + c x := x 1 x :< c x :> c x : y + c y + c <: x :< y + d y + c <: x :< z + d Diagonal-free constraints PSPACE-complete Undecidable PSPACE-complete Undecidable General constraints PSPACE-complete Undecidable PSPACE-complete Undecidable [Bouyer,Dufourd,Fleury,Petit 2000] Chennai january 2003 Timed Automata From Theory to Implementation p.24

42 Implementation of Timed Automata analysis algorithms the DBM data structure a bug in the forward analysis Chennai january 2003 Timed Automata From Theory to Implementation p.25

43 Notice The region automaton is not used for implementation: suffers from a combinatorics explosion (the number of regions is exponential in the number of clocks) no really adapted data structure Chennai january 2003 Timed Automata From Theory to Implementation p.26

44 Notice The region automaton is not used for implementation: suffers from a combinatorics explosion (the number of regions is exponential in the number of clocks) no really adapted data structure Algorithms for minimizing the region automaton have been proposed... [Alur & Co 1992] [Tripakis,Yovine 2001] Chennai january 2003 Timed Automata From Theory to Implementation p.26

45 Notice The region automaton is not used for implementation: suffers from a combinatorics explosion (the number of regions is exponential in the number of clocks) no really adapted data structure Algorithms for minimizing the region automaton have been proposed... [Alur & Co 1992] [Tripakis,Yovine 2001]...but on-the-fly technics are preferred. Chennai january 2003 Timed Automata From Theory to Implementation p.26

46 Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

47 Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

48 Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F backward analysis algorithm: compute the predecessors of final configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

49 Reachability analysis forward analysis algorithm: compute the successors of initial configurations I F backward analysis algorithm: compute the predecessors of final configurations I F Chennai january 2003 Timed Automata From Theory to Implementation p.27

50 Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Chennai january 2003 Timed Automata From Theory to Implementation p.28

51 Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z Chennai january 2003 Timed Automata From Theory to Implementation p.28

52 Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) Chennai january 2003 Timed Automata From Theory to Implementation p.28

53 Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) Chennai january 2003 Timed Automata From Theory to Implementation p.28

54 Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) [C 0] 1 (Z (C = 0)) g Chennai january 2003 Timed Automata From Theory to Implementation p.28

55 Note on the backward analysis of TA g, a, C := 0 l l [C 0] 1 (Z (C = 0)) g Z Z [C 0] 1 (Z (C = 0)) [C 0] 1 (Z (C = 0)) g The exact backward computation terminates and is correct! Chennai january 2003 Timed Automata From Theory to Implementation p.28

56 Note on the backward analysis of TA (cont.) If A is a timed automaton, we construct its corresponding set of regions. Because of the bisimulation property, we get that: Every set of valuations which is computed along the backward computation is a finite union of regions Chennai january 2003 Timed Automata From Theory to Implementation p.29

57 Note on the backward analysis of TA (cont.) If A is a timed automaton, we construct its corresponding set of regions. Because of the bisimulation property, we get that: Every set of valuations which is computed along the backward computation is a finite union of regions But, the backward computation is not so nice, when also dealing with integer variables... i := j.k + l.m Chennai january 2003 Timed Automata From Theory to Implementation p.29

58 Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) A zone is a set of valuations defined by a clock constraint ϕ ::= x c x y c ϕ ϕ Chennai january 2003 Timed Automata From Theory to Implementation p.30

59 Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Chennai january 2003 Timed Automata From Theory to Implementation p.30

60 Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Chennai january 2003 Timed Automata From Theory to Implementation p.30

61 Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Z g Chennai january 2003 Timed Automata From Theory to Implementation p.30

62 Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Z g [y 0]( Z g) Chennai january 2003 Timed Automata From Theory to Implementation p.30

63 Forward analysis of TA g, a, C := 0 l l zones Z [C 0]( Z g) Z Z Z g [y 0]( Z g) a termination problem Chennai january 2003 Timed Automata From Theory to Implementation p.30

64 Non Termination of the Forward Analysis y := 0, x := 0 x 1 y = 1, y := 0 y x an infinite number of steps... Chennai january 2003 Timed Automata From Theory to Implementation p.31

65 Solutions to this problem (f.ex. in [Larsen,Pettersson,Yi 1997] or in [Daws,Tripakis 1998]) inclusion checking: if Z Z and Z still handled, then we don t need to handle Z correct w.r.t. reachability... Chennai january 2003 Timed Automata From Theory to Implementation p.32

66 Solutions to this problem (f.ex. in [Larsen,Pettersson,Yi 1997] or in [Daws,Tripakis 1998]) inclusion checking: if Z Z and Z still handled, then we don t need to handle Z correct w.r.t. reachability activity: eliminate redundant clocks [Daws,Yovine 1996] correct w.r.t. reachability q g,a,c:=0 q = Act(q) = clocks(g) (Act(q ) \ C)... Chennai january 2003 Timed Automata From Theory to Implementation p.32

67 Solutions to this problem (cont.) convex-hull approximation: if Z and Z are computed then we overapproximate using Z Z. semi-correct w.r.t. reachability Chennai january 2003 Timed Automata From Theory to Implementation p.33

68 Solutions to this problem (cont.) convex-hull approximation: if Z and Z are computed then we overapproximate using Z Z. semi-correct w.r.t. reachability extrapolation, a widening operator on zones Chennai january 2003 Timed Automata From Theory to Implementation p.33

69 The DBM data structure DBM (Difference Bounded Matrice) data structure [Dill89] (x 1 3) (x 2 5) (x 1 x 2 4) x 0 x 1 x 2 x 0 x 1 x Chennai january 2003 Timed Automata From Theory to Implementation p.34

70 The DBM data structure DBM (Difference Bounded Matrice) data structure [Dill89] (x 1 3) (x 2 5) (x 1 x 2 4) x 0 x 1 x 2 x 0 x 1 x Existence of a normal form Chennai january 2003 Timed Automata From Theory to Implementation p.34

71 The DBM data structure DBM (Difference Bounded Matrice) data structure [Dill89] (x 1 3) (x 2 5) (x 1 x 2 4) x 0 x 1 x 2 x 0 x 1 x Existence of a normal form All previous operations on zones can be computed using DBMs Chennai january 2003 Timed Automata From Theory to Implementation p.34

72 The extrapolation operator Fix an integer k ( represents an integer between k and +k) > k + < k k intuitively, erase non-relevant constraints ensures termination Chennai january 2003 Timed Automata From Theory to Implementation p.35

73 The extrapolation operator Fix an integer k ( represents an integer between k and +k) > k + < k k intuitively, erase non-relevant constraints 2 2 ensures termination Chennai january 2003 Timed Automata From Theory to Implementation p.35

74 The extrapolation operator Fix an integer k ( represents an integer between k and +k) > k + < k k intuitively, erase non-relevant constraints 2 2 ensures termination Chennai january 2003 Timed Automata From Theory to Implementation p.35

75 Challenge Propose a good constant for the extrapolation: keep the correctness of the forward computation Solution by the past: maximal constant appearing in the automaton Several correctness proofs can be found Implemented in tools like UPPAAL, KRONOS, RT-SPIN... Successfully used on real-life examples Chennai january 2003 Timed Automata From Theory to Implementation p.36

76 Challenge Propose a good constant for the extrapolation: keep the correctness of the forward computation Solution by the past: maximal constant appearing in the automaton Several correctness proofs can be found Implemented in tools like UPPAAL, KRONOS, RT-SPIN... Successfully used on real-life examples However... Chennai january 2003 Timed Automata From Theory to Implementation p.36

77 A problematic automaton x 3 3 x 2 = 3 x 1 = 2, x 1 := 0 x 1, x 3 := 0 x 2 := 0 x 1 = 2 x 1 := 0 x 2 = 2, x 2 := 0 x 2 x 1 > 2 x 1 = 3 x 2 = 2 The loop Error x 4 x 3 < 2 x 1 := 0 x 2 := 0 Chennai january 2003 Timed Automata From Theory to Implementation p.37

78 A problematic automaton x 3 3 x 2 = 3 x 1 = 2, x 1 := 0 x 1, x 3 := 0 x 2 := 0 x 1 = 2 x 1 := 0 x 2 = 2, x 2 := 0 x 2 x 1 > 2 x 1 = 3 x 2 = 2 The loop Error x 4 x 3 < 2 x 1 := 0 x 2 := 0 v(x 1 ) = 0 v(x 2 ) = d v(x 3 ) = 2α + 5 v(x 4 ) = 2α d Chennai january 2003 Timed Automata From Theory to Implementation p.37

79 A problematic automaton x 3 3 x 2 = 3 x 1 = 2, x 1 := 0 x 1, x 3 := 0 x 2 := 0 x 1 = 2 x 1 := 0 x 2 = 2, x 2 := 0 x 2 x 1 > 2 x 1 = 3 x 2 = 2 The loop Error x 4 x 3 < 2 x 1 := 0 x 2 := 0 v(x 1 ) = 0 v(x 2 ) = d v(x 3 ) = 2α + 5 v(x 4 ) = 2α d [1; 3] [2α + 5] x 2 x 1 x 3 x 4 [2α + 5] [1; 3] Chennai january 2003 Timed Automata From Theory to Implementation p.37

80 The problematic zone [1; 3] [2α + 5] x 2 x 1 x 3 x 4 [2α + 5] [1; 3] implies x 1 x 2 = x 3 x 4. [2α + 2; 2α + 4] [2α + 6; 2α + 8] Chennai january 2003 Timed Automata From Theory to Implementation p.38

81 The problematic zone [1; 3] [2α + 5] x 2 x 1 x 3 x 4 [2α + 5] [1; 3] implies x 1 x 2 = x 3 x 4. [2α + 2; 2α + 4] [2α + 6; 2α + 8] If α is sufficiently large, after extrapolation: [1; 3] x 2 x 1 x 3 x 4 [1; 3] does not imply x 1 x 2 = x 3 x 4. > k Chennai january 2003 Timed Automata From Theory to Implementation p.38

82 General abstractions Criteria for a good abstraction operator Abs: [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

83 General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone [Effectiveness] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

84 General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite [Effectiveness] [Termination] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

85 General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite completeness of the abstraction Z Abs(Z) [Effectiveness] [Termination] [Completeness] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

86 General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite completeness of the abstraction Z Abs(Z) soundness of the abstraction the computation of (Abs Post) is correct w.r.t. reachability [Effectiveness] [Termination] [Completeness] [Soundness] [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

87 General abstractions Criteria for a good abstraction operator Abs: easy computation Abs(Z) is a zone if Z is a zone finiteness of the abstraction {Abs(Z) Z zone} is finite completeness of the abstraction Z Abs(Z) soundness of the abstraction the computation of (Abs Post) is correct w.r.t. reachability [Effectiveness] [Termination] [Completeness] [Soundness] For the previous automaton, no abstraction operator can satisfy all these criteria! [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.39

88 Why that? Assume there is a nice operator Abs. The set {M DBM representing a zone Abs(Z)} is finite. k the max. constant defining one of the previous DBMs We get that, for every zone Z, Z Extra k (Z) Abs(Z) Chennai january 2003 Timed Automata From Theory to Implementation p.40

89 Problem! Open questions: - which conditions can be made weaker? - find a clever termination criterium? - use an other data structure than zones/dbms? Chennai january 2003 Timed Automata From Theory to Implementation p.41

90 What can we cling to? Diagonal-free: only guards x c (no guard x y c) Theorem: the classical algorithm is correct for diagonal-free timed automata. [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.42

91 What can we cling to? Diagonal-free: only guards x c (no guard x y c) Theorem: the classical algorithm is correct for diagonal-free timed automata. General: both guards x c and x y c Proposition: the classical algorithm is correct for timed automata that use less than 3 clocks. (the constant used is bigger than the maximal constant...) [Bouyer03] Chennai january 2003 Timed Automata From Theory to Implementation p.42

92 Conclusion & Further Work Decidability is quite well understood. A rather big problem with the forward analysis of timed automata needs to be solved. a very unsatisfactory solution for dealing with diagonal constraints. maybe the zones are not the optimal objects that we can deal with. To be continued... Some other current challenges: adding C macros to timed automata reducing the memory consumption via new data structures Chennai january 2003 Timed Automata From Theory to Implementation p.43

93 Bibliography [ACD+92] Alur, Courcoubetis, Dill, Halbwachs, Wong-Toi. Minimization of Timed Transition Systems. CONCUR 92 (LNCS 630). [AD90] Alur, Dill. Automata for Modeling Real-Time Systems. ICALP 90 (LNCS 443). [AD94] Alur, Dill. A Theory of Timed Automata. TCS 126(2), [AL02] Aceto, Laroussinie. Is your Model-Checker on Time? On the Complexity of Model-Checking for Timed Modal Logics. To appear in JLAP [BD00] Bérard, Dufourd. Timed Automata and Additive Clock Constraints. IPL 75(1 2), [BDFP00a] Bouyer, Dufourd, Fleury, Petit. Are Timed Automata Updatable? CAV 00 (LNCS 1855). [BDFP00b] [BDGP98] [BF99] Bouyer, Dufourd, Fleury, Petit. Expressiveness of Updatable Timed Automata. MFCS 00 (LNCS 1893). Bérard, Diekert, Gastin, Petit. Characterization of the Expressive Power of Silent Transitions in Timed Automata. Fundamenta Informaticae 36(2 3), Bérard, Fribourg. Automatic Verification of a Parametric Real-Time Program: the ABR Conformance Protocol. CAV 99 (LNCS 1633). Chennai january 2003 Timed Automata From Theory to Implementation p.44

94 Bibliography (cont.) [Bouyer03] [Dill89] [DT98] [DY96] [LPY97] Bouyer. Untameable Timed Automata! To appear in STACS 03. Dill. Timing Assumptions and Verification of Finite-State Concurrent Systems. Aut. Verif. Methods for Fin. State Sys. (LNCS 1989). Daws, Tripakis. Model-Checking of Real-Time Reachability Properties using Abstractions. TACAS 98 (LNCS 1384). Daws, Yovine. Reducing the Number of Clock Variables of Timed Automata. RTSS 96. Larsen, Pettersson, Yi. UPPAAL in a Nutshell. Software Tools for Technology Transfer 1(1 2), [Minsky67] Minsky. Computation: Finite and Infinite Machines [TY01] Tripakis, Yovine. Analysis of Timed Systems using Time-Abstracting Bisimulations. FMSD 18(1), Hytech: Kronos: Uppaal: tah/hytech/ Chennai january 2003 Timed Automata From Theory to Implementation p.45

Timed Automata: Semantics, Algorithms and Tools

Timed Automata: Semantics, Algorithms and Tools Johan Bengtsson and Wang Yi Uppsala University Email: {johanb,yi}@it.uu.se Abstract. This chapter is to provide a tutorial and pointers to results and related