Nicolas Halbwachs

The Algorithmic Analysis of Hybrid Systems

We present a general framework for the formal specification and algorithmic analysis of hybrid systems. A hybrid system consists of a discrete program with an analog environment. We model hybrid systems as finite automata equipped with variables that evolve continuously with time according to dynamical laws. For verification purposes, we restrict ourselves to linear hybrid systems, where all variables follow piecewise-linear trajectories. We provide decidability and undecidability results for classes of linear hybrid systems, and we show that standard program-analysis techniques can be adapted to linear hybrid systems. In particular, we consider symbolic model-checking and minimization procedures that are based on the reachability analysis of an infinite state space. The procedures iteratively compute state sets that are definable as unions of convex polyhedra in multidimensional real space. We also present approximation techniques for dealing with systems for which the iterative procedures do not converge.

Verification of Real-Time Systems using Linear Relation Analysis

Linear Relation Analysis [11] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous programs and linear hybrid systems.

Programming and verifying real-time systems by means of the synchronous data-flow language LUSTRE

The benefits of using a synchronous data-flow language for programming critical real-time systems are investigated. These benefits concern ergonomy (since the dataflow approach meets traditional description tools used in this domain) and ability to support formal design and verification methods. It is shown, using a simple example, how the language LUSTRE and its associated verification tool LESAR, can be used to design a program, to specify its critical properties, and to verify these properties. As the language LUSTRE and its uses have already been discussed in several papers, emphasis is put on program verification. >

Synchronous Observers and the Verification of Reactive Systems

Synchronous programming [20, 14] is a useful approach to design reactive systems. A synchronous program is supposed to instantly and deterministically react to events coming from its environment. The advantages of this approach have been pointed out elsewhere [20]. Synchronous languages are simple and clean, they have been given simple and precise formal semantics, they allow especially elegant programming style. They conciliate concurrency (at least at the description level) with determinism. They can be compiled into a very efficient sequential code, by means of a specific compiling technique: The control structure of the object code is a finite automaton which is synthesized by an exhaustive simulation of a finite abstraction of the program.

Verification of linear hybrid systems by means of convex approximations

We present a new application of the abstract interpretation by means of convex polyhedra, to a class of hybrid systems, i.e., systems involving both discrete and continuous variables. The result is an efficient automatic tool for approximate, but conservative, verification of reachability properties of these systems.

Minimization of Timed Transition Systems

15 For a formula = 93 c , the algorithm is the same; the initial partition now distinguishes between the cases ~ x0] = 0 and 0 < ~ x0] c and 0 < ~ x0] 6 6 c. The analysis for = 83 c is similar; the initial partition now needs to account for the progressiveness assumption also (as in the case of 83). Automatic veriication of nite-state concurrent systems using temporal-logic speciications. 14 certain sets of regions. In particular, these constraints require that for every clock i, the constraint ~ xi] = 0 or ~ xi] > c i holds at innnitely many regions along the path (here, c i is the largest constant in a constraint involving x in the enabling conditions of G). We can use this fact to handle progressiveness in our reduced region graphs.

Delay Analysis in Synchronous Programs

Linear relation analysis [CH78, Hal79] has been proposed a long time ago as an abstract interpretation which permits to discover linear relations invariantly satisfied by the variables of a program. Here, we propose to apply this general method to variables used to count delays in synchronous programs. The “regular” behavior of these counters makes the results of the analysis especially precise. These results can be applied to code optimization and to the verification of real-time properties of programs.

Minimal Model Generation

This paper adresses the problem of generating a minimal state graph from a program, without building first the whole state graph. The minimality is considered here with respect to bisimulation. A generation algorithm is presented and illustrated.

Automatic testing of reactive systems

The paper addresses the problem of automatizing the production of test sequences for reactive systems. We particularly focus on two points: (1) generating relevant inputs, with respect to some knowledge about the environment in which the system is intended to run; (2) checking the correctness of the test results, according to the expected behavior of the system. We propose to use synchronous observers to express both the relevance and the correctness of the test sequences. In particular, the relevance observer is used to randomly choose inputs satisfying temporal assumptions about the environment. These assumptions may involve both Boolean and linear numerical constraints. A prototype tool called LURETTE has been developed and experimented with, which works on observers written in the LUSTRE programming language.

An implementation of three algorithms for timing verification based on automata emptiness

Three algorithms for checking the emptiness of a timed transition system have been implemented. The first algorithm performs a straightforward reachability analysis on sets of states of the system, rather than on individual states. This corresponds to stepping symbolically through the system many states at a time. The other two algorithms are minimization algorithms. These simultaneously perform reachability analysis and minimization from an implicit system description. The paradigm for verification is to test for the emptiness of the set of all timed system executions that violate a requirements specification. Preliminary results over two simple examples indicate that memory usage is a more limiting factor than time.<<ETX>>