Alfredo Olivero

The tool KRONOS

Both approaches presented in this paper considerably improve Kronos performance and functionalities.

Kronos: A model-checking tool for real-time systems

KRONOS is a software tool aiming at assisting designers of real-time systems to develop projects meeting the specified requirements. One major objective of KRONOS is to provide a verification engine to be integrated into design environments for real-time systems in a wide range of application areas. Real-time communication protocols, timed asynchronous circuits and hybrid systems are some examples of application domains where KRONOS has already been used. KRONOS has been also used in analysing real-time systems modeled in several other process description formalisms, such as ATP, AORTA, ET-LOTOS, and T-ARGOS. On the other direction, the tool itself provides an interface to untimed formalisms such as labeled-transition systems (LTS) which has been used to exploit untimed verification techniques.

Kronos: A Model-Checking Tool for Real-Time Systems

KRONOS [9, 11,8, 21, 17, 4, 3, 10] is a software tool aiming at assisting designers of real-time systems to develop projects meeting the specified requirements. One major objective of KRONOS is to provide a verification engine to be integrated into design environments for real-time systems in a wide range of application areas. Real-time communication protocols [9, 11], timed asynchronous circuits [17,4], and hybrid systems [19,11] are some examples of application domains where KRONOS has already been used. KRONOS has been also used in analyzing real-time systems modeled in several other process description formalisms, such as ATP [18], AORTA [5], ET-LOTOS [9], and T-ARGOS [16]. On the other direction, the tool itself provides an interface to untimed formalisms such as labeled-transition systems (LTS) which has been used to exploit untimed verification techniques [21].

Verifying ET-LOTOS programmes with KRONOS

ET-LOTOS is a timed extension of LOTOS proposed for modeling real-time systems. KRONOS is a tool that checks whether an automaton extended with clocks (called timed automaton) satisfies a real-time requirement expressed as a formula of the logic TCTL. This paper shows that real-time systems described in a reasonable subset of ET-LOTOS can be verified with KRONOS by compiling them into timed automata. We illustrate the practical interest of our approach with a case study: the Tick-Tock protocol.

Visual timed event scenarios

Formal description of real-time requirements is a difficult and error prone task. Conceptual and tool support for this activity plays a central role in the agenda of technology transference from the formal verification engineering community to the real-time systems development practice. In this article we present VTS, a visual language to define complex event-based requirements such as freshness, bounded response, event correlation, etc. The underlying formalism is based on partial orders and supports real-time constraints. The problem of checking whether a timed automaton model of a system satisfies these sort of scenarios is shown to be decidable. Moreover, we have also developed a tool that translates visually specified scenarios into observer timed automata. The resulting automata can be composed with a model under analysis in order to check satisfaction of the stated scenarios. We show the benefits of applying these ideas to some case studies.

A scenario-matching approach to the description and model checking of real-time properties

A major obstacle in the technology transfer agenda of behavioral analysis and design methods is the need for logics or automata to express properties for control-intensive systems. Interaction-modeling notations may offer a replacement or a complement, with a practitioner-appealing and lightweight flavor, due partly to the sub specification of intended behavior by means of scenarios. We propose a novel approach consisting of engineering a new formal notation of this sort based on a simple compact declarative semantics: VTS (visual timed event scenarios). Scenarios represent event patterns, graphically depicting conditions over traces. They predicate general system events and provide features to describe complex properties not expressible with MSC-like notations. The underlying formalism supports partial orders and real-time constraints. The problem of checking whether a timed-automaton model has a matching trace is proven decidable. On top of this kernel, we introduce a notation to state properties over all system traces: conditional scenarios, allowing engineers to describe uniquely rich connections between antecedent and consequent portions of the scenario. An undecidability result is presented for the general case of the model-checking problem over dense-time domains, to later identify a decidable-yet practically relevant-subclass, where verification is solvable by generating antiscenarios expressed in the VTS-kernel notation.

Verifying Quantitative Real-Time Properties of Synchronous Programs

We propose to apply the verification techniques available for Timed Graphs [ACD90], and particularly the symbolic model-checking algorithm of [HNSY92], to the Argos [Mar92] synchronous language. We extend the language with a single delay construct that allows to express watchdogs and timeouts, at any level in the parallel or hierarchic structure of a program. We define the semantics of this extended language in terms of Timed Graphs, and show that it is a “convenient” extension of the pure Argos synchronous semantics. Indeed, for discrete time, the two semantics coincide. The Timed Graph semantics can be viewed as a continuous time semantics for Argos. We extend the Argos compiler and connect it to the KRONOS tool which implements the abovementioned model-checking algorithm.

Improving the Verification of Timed Systems Using Influence Information

The parallel composition with observers is a well-known approach to check or test properties over formal models of concurrent and real-time systems. We present a newtec hnique to reduce the size of the resulting model. Our approach has been developed for a formalism based on Timed Automata. Firstly, it discovers relevant components and clocks at each location of the observer using influence information. Secondly, it outcomes an abstraction which is equivalent to the original model up to branching-time structure and can be treated by verification tools such as Kronos [12] or OpenKronos [23]. Our experiments suggest that the approach may lead to significant time and space savings during verification phase due to state space reduction and the existence of shorter counterexamples in the optimized model.

Issues in distributed timed model checking: Building Zeus

In this work we present Zeus, a distributed timed model checker that evolves from the TCTL model checker Kronos [13] and that currently can handle backwards computation of reachability properties [2] over timed automata [3].Zeus was developed following a software architecture-centric approach. Its conceptual architecture was conceived to be sufficiently modular to house several features such as a priori graph partitioning, synchronous and asynchronous computation, communication piggybacking, delayed messaging, and dead-time utilization.Surprisingly enough, early experiments pinpointed the difficulties of getting speedups using asynchronous versions and showed interesting results on the synchronous counterpart, although being intuitively less attractive.

ObsSlice: A Timed Automata Slicer Based on Observers

OBSSLICE is an optimization tool suited for the verification of timed automata using virtual observers. It discovers the set of modelling elements that can be safely ignored at each location of the observer by synthesizing behavioral dependence information among components. OBSSLICE is fed with a network of timed automata and generates a transformed network which is equivalent to the one provided up to branching-time observation. Preliminary results have proven that eliminating irrelevant activity mitigates state space explosion and has a positive -and sometimes dramatic- impact on the performance of verification tools in terms of time, size and counterexample length.