Advertisement

Extending nuXmv with Timed Transition Systems and Timed Temporal Properties

  • Alessandro Cimatti
  • Alberto Griggio
  • Enrico Magnago
  • Marco RoveriEmail author
  • Stefano Tonetta
Open Access
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11561)

Abstract

nuXmv is a well-known symbolic model checker, which implements various state-of-the-art algorithms for the analysis of finite- and infinite-state transition systems and temporal logics. In this paper, we present a new version that supports timed systems and logics over continuous super-dense semantics. The system specification was extended with clocks to constrain the timed evolution. The support for temporal properties has been expanded to include \(\textsc {MTL}_{0,\infty }\) formulas with parametric intervals. The analysis is performed via a reduction to verification problems in the discrete-time case. The internal representation of traces has been extended to go beyond the lasso-shaped form, to take into account the possible divergence of clocks. We evaluated the new features by comparing nuXmv with other verification tools for timed automata and \(\textsc {MTL}_{0,\infty }\), considering different benchmarks from the literature. The results show that nuXmv is competitive with and in many cases performs better than state-of-the-art tools, especially on validity problems for \(\textsc {MTL}_{0,\infty }\).

1 Introduction

nuXmv [1] is a symbolic model checker for the analysis of synchronous finite- and infinite-state transition systems. For the finite-state case, nuXmv features strong verification engines based on state-of-the-art SAT-based algorithms. For the infinite-state case, nuXmv features SMT-based verification techniques, implemented through a tight integration with the MathSAT5 solver [2]. nuXmv has taken part to recent editions of the hardware model checking competition, where it has shown to be very competitive with the state-of-the-art. nuXmv also compares well with other model checkers for infinite-state systems. Moreover, it has been successfully used in several application domains both in research and industrial settings. It is currently the core verification engine for many other tools (also industrial ones) for requirements analysis, contract based design, model checking of hybrid systems, safety assessment, and software model checking.

In this paper, we put emphasis on the novel extensions to nuXmv to support timed synchronous transition systems, which extend symbolically-represented infinite-state transition systems with clocks. The main novelties of this new version are the following. The nuXmv input language was extended to enable the description of symbolic synchronous timed transition systems with super-dense time semantics (where signals can have a sequence of values at any real time t). The support for temporal properties has been expanded to include \(\textsc {MTL}_{0,\infty }\) formulas with parametric intervals [3, 4]. Therefore, nuXmv now supports model checking of invariant, \(\textsc {LTL}\) and \(\textsc {MTL}_{0,\infty }\) properties over (symbolic) timed transition systems, as well as validity/satisfiability checking of \(\textsc {LTL}\) and \(\textsc {MTL}_{0,\infty }\) formulas. This is done via a correct and complete reduction to verification problems in the discrete-time case (thus allowing for the use of mature and efficient verification engines). In order to represent and find infinite traces where clocks may diverge, we extended the representation for lasso-shape traces (over discrete semantics) and we modified the bounded model checking algorithm to properly encode timed traces. We remark that, nuXmv is more expressive than timed automata, since the native management of time is added on top of an infinite state transition system. This makes it straightforward to encode stopwatches and comparison between clocks. We carried out an experimental evaluation comparing nuXmv with other state-of-the-art verification tools for timed automata, considering different benchmarks taken from competitor tools distributions.
Fig. 1.

The high level architecture of nuXmv.

2 Software Architecture

The high level architecture of nuXmv is depicted in Fig. 1. For symbolic transition systems nuXmv behaves like the previous version of the system [1], thus allowing for full backward compatibility (apart from some new reserved keywords). It provides the user with all the basic model checking algorithms for finite domains both using BDDs (using CUDD [5]) and SAT (e.g. MiniSAT [6]). It supports various SMT-based model checking algorithms (implemented through a tight integration with the MathSAT5 solver [2]) for the analysis of finite and infinite state systems (e.g. IC3 [7, 8, 9], k-liveness [10], liveness to safety [11]). We refer the reader to [1] for a thorough discussion of these consolidated functionalities for the discrete-time setting.
Fig. 2.

A simple Timed-nuXmv program.

To support the specification and model checking of invariant, \(\textsc {LTL}\) and \(\textsc {MTL}_{0,\infty }\) properties for timed transitions systems, and for the validity checking of properties over dense time semantics, nuXmv has been extended w.r.t. [1] as discussed here after.

  • We extended the parser to allow the user to choose the time semantics to use for the read model. Depending on the time model some parse constructs and checks are enabled and/or disabled. For instance, variables of type clock and \(\textsc {MTL}_{0,\infty }\) properties are only allowed if the dense time semantics has been specified. By default the system uses the discrete time semantics of the original nuXmv. Notice also that, depending on the specified semantics, the commands available to the user change to allow only the analyses supported for the chosen semantics.

  • We extended the parser to support the specification of symbolic timed automata (definition of clock variables, specification of urgent transitions and state invariants, etc.). Moreover, we extended the parser to allow for the specification of \(\textsc {MTL}_{0,\infty }\) properties, and we extended the \(\textsc {LTL}\) bounded operators not only to contain constants, but also complex expressions over clock variables. See Fig. 2 for a simple example showing some of the new language constructs.

  • We extended the symbol table to support the specification of clock variables, and we extended the type checker to properly handle the new defined variables, expression types and language constructs.

  • We added new modules for the encoding of the symbolic timed automata into equivalent transition systems to verify with the existing algorithms of nuXmv.

  • We extended the traces for nuXmv to support timed traces (lasso-shaped traces where some clock variables may diverge).

  • We modified the encoding for the loops in the bounded model checking algorithms to take into account that traces may contain diverging variables to allow for the verification and validation of \(\textsc {LTL}\) and \(\textsc {MTL}_{0,\infty }\) properties.

For portability, nuXmv has been developed mainly in standard C with some new parts in standard C++. It compiles and executes on Linux, MS Windows, and MacOS.

3 Language Extensions

Timed Transition Systems. Discrete-time transition systems are described in nuXmv by a set V of variables, an initial condition I(V), a transition condition \(T(V,V')\) and an invariant condition Z(V). Variables are introduced with the keyword VAR and can have type Boolean, scalar, integer, real or array. The initial and the invariant conditions are introduced with the keyword INIT and INVAR and are expressions over the variables in V. The transition condition is introduced with TRANS and is an expression over variables in V and \(V'\), where for each variable v in V, \(V'\) contains the “next” version denoted in the language by \(\texttt {\small next}(v)\). Expressions may use standard symbols in the theory associated to the variable types and user-defined rigid functions that are declared with the keyword \(\texttt {\small FUN}\).

The input language of nuXmv has been extended to allow the specification of timed transition systems (TTS), which are enabled by the annotation @TIME_DOMAIN continuous at the beginning of a model description.

Besides the standard types, in the timed case, state variables can be declared of type clock. All variables of type different from clock are discrete variables.

The language provides a built-in clock variable, accessible through the reserved keyword time. It represents the amount of time elapsed from the initial state until now. time is initialized to 0 and its value does not change in discrete transitions. While all other clock variables can be used in any expression in the model definition, time can be used only in comparison with constants.

Initial, transition, and invariant conditions are specified in nuXmv with the keywords INIT, TRANS, and INVAR, as in the discrete case. In particular, TRANS allows to specify “arbitrary” clock resets. Like all other nuXmv state variables, if a clock is not constrained during a discrete transition, its next value is chosen non-deterministically.

Clock variables can be used in INVAR only in the form \(\varphi \rightarrow \phi \), where \(\varphi \) is a formula built using only the discrete variables and \(\phi \) is convex over the clock variables. This closely maps the concept of location invariant described for timed automata: all locations satisfying \(\varphi \) have invariant \(\phi \).

An additional constraint, not allowed in the discrete-time case, is introduced with the keyword URGENT followed by a predicate over the discrete variables, which allows to specify a set of locations in which time cannot elapse.

Comparison with Timed Automata. Timed automata can be represented by TTSs by simply introducing a variable representing the locations of the automaton. Note that, in TTS, it is possible to express any kind of constraint over clock variables in discrete transitions, while in timed automata it is only possible to reset them to 0 in transitions or compare them to constants in guards. Moreover, the discrete variables of a timed automaton always have finite domain, while in TTSs, also the discrete variables might have an infinite domain. This additional expressiveness allows to describe more complex behaviors (e.g. it is straightforward to encode stopwatches and comparison between clocks) losing the decidability of the model checking problem.

Specifications. nuXmv ’s support for \(\textsc {LTL}\) has been extended to allow for the use of \(\textsc {MTL}_{0,\infty }\) operators [12] and other operators such as event-freezing functions [13] and dense version of \(\textsc {LTL}\) X and Y operators. \(\textsc {MTL}_{0,\infty }\) bounded operators extend the \(\textsc {LTL}\) ones of nuXmv to allow for bounds either of the form [c,\(\infty \)), where c is a constant greater or equal to 0, e.g. F[0,+oo) \(\varphi \), or generic expressions over parametric/frozen variables: e.g. F [0, 3+v] \(\varphi \) where v is a frozen variable.

In timed setting, next and previous operators come in two possible versions. The standard \(\textsc {LTL}\) operators X and Y require to hold, respectively after and before, a discrete transition. Dually, X~ and Y~ have been introduced to allow to predicate about the evolution over time of the system. They are always FALSE in discrete steps and hold in time elapses if the argument holds in the open interval immediately after/before (resp.) the current step. The disjunction Open image in new window allows to check if the argument \(\varphi \) holds after the current state without distinction between time or discrete evolution.

The event-freezing operators at next and at last, written @F~ and @O~, are binary operators allowed in \(\textsc {LTL}\) specifications. The left-hand side is a term, while the right-hand side is a temporal formula. They return the value of the term respectively at the next and at the last point in time in which the formula is true. If the formula will [has] never happen [happened] the operator evaluates to a default value.

time_until and time_since are two additional unary operators that can be used in \(\textsc {LTL}\) specifications of timed models. Their argument must be a Boolean predicate over current and next variables. \(\texttt {\small time\_until}(\varphi )\) evaluates to the amount of time elapse required to reach the next state in which \(\varphi \) holds, while \(\texttt {\small time\_since}(\varphi )\) evaluates to the amount of time elapsed from the last state in which \(\varphi \) held. As for the @F~ and @O~ operators if no such state exists they are assigned to a default value.

4 Extending Traces

Timed Traces. The semantics of nuXmv has been extended to take into account the timing aspects in case of super-dense time. While in the discrete time case, the execution trace is given by a sequence of states connected by discrete transitions (i.e., satisfying the transition condition), in the super-dense time case the execution trace is such that every pair of consecutive states is a discrete or a timed transition. As in the discrete case, discrete transitions are pair of states satisfying the transition condition. As in timed automata, in a timed transition time elapses for a certain amount (referred to as delta_time), clocks increase of the same amount, while discrete variables do not change.

Lasso-Shaped Traces with Diverging Variables. Traditionally, the only infinite paths supported by nuXmv have been those in lasso shape, i.e. those traces which can be represented by a finite prefix \(s_0,s_1,\dots , s_l\) (called the stem) followed by a finite suffix \(s_{l+1}, \ldots , s_{k} \equiv s_l\) (called the loop), which can be repeated infinitely many times. While this representation is sufficient for finite-state systems (because in a finite-state setting if a system does not satisfy an \(\textsc {LTL}\) property, then a lasso-shaped counter-example trace is guaranteed to exist), this is an important limitation in an infinite-state context, in which lasso-shaped counter-examples are not guaranteed to exist. (As a simple example, consider a system \(M := \langle \{x\}, (x = 0), (x' = x+1)\rangle \) in which \(x \in {\mathbb {Z}}\). Then \(M\not \models \mathbf{G}\mathbf{F}(x = 0)\), but clearly M has no lasso-shaped trace). In fact, this is especially relevant for timed transition systems, which, by the presence of the always-diverging variable \(time\), admit no lasso-shaped trace.

In order to overcome this limitation, we introduce new kinds of infinite traces, which we call lasso-shape traces with diverging variables (to allow also for representing traces with variables whose value might be diverging). We modified the bounded model checking algorithms to leverage on this new representation to then extend the capabilities to find witnesses for a given property. This representation significantly extends the capabilities of nuXmv to find witnesses for violated \(\textsc {LTL}\) and \(\textsc {MTL}\) properties on timed transition systems (see experimental evaluation).

Definition 1

Let \(\pi := s_0, s_1, \ldots , s_l, \ldots \) be an infinite trace of a system M over variables V. We say that \(\pi \) is a lasso-shaped trace with diverging variables iff there exist indexes \(0\le l\le k\), a partitioning of V into sets X and Y (\(V = X \uplus Y\)) and an expression \(f_y(V)\) over V for every variable \(y\in Y\) such that, for every \(i>k\),
$$\begin{aligned} s_{i}(v) := \left\{ \begin{array}{ll} s_{l+((i-l)\text {~mod~} (k-l))}(v) &{} \text {if~} v \in X \text { (like in lasso-shaped traces);}\\ f_v(s_{i-1}) &{} \text {if~} v \in Y \text { (as function of previous state).} \end{array} \right. \end{aligned}$$

Intuitively, the idea of lasso-shaped traces with diverging variables is to provide a finite representation for infinite traces that is more general then simple lasso-shaped ones, and which allows to capture more interesting behaviors of timed transition systems.

Example 1

Consider the system \(M := \langle \{y, b\}, \lnot b \wedge y = 0, (b' = \lnot b) \wedge (b \rightarrow y' = y+1) \wedge (\lnot b \rightarrow y' = y)\rangle \). Then one lasso-shaped trace for M is given by: \(\pi := s_0, s_1, s_2\), where \(s_0 := \{ b \mapsto \bot , y \mapsto 0 \}\), \(s_1 := \{ b \mapsto \top , y \mapsto 0 \}\), and \(s_2 := \{ b \mapsto \bot , y \mapsto 1 \}\); the trace is lasso-shaped with diverging variables considering \(Y := \{ y \}\); the loop-back at index 0, and \(f_y(b, y) := b ~?~ y+1 ~:~ y\).

Extended BMC for Traces with Divergent Clocks. The definition above requires the existence of the functions \(f_y\) for computing the updates of diverging variables. In case y is a clock variable, we can define a region \(\llbracket \phi _y\rrbracket \) in which y can diverge (i.e., \(f_y=y+\delta \), where \(\delta \) is the delta time variable).

In order to capture lasso-shaped traces with diverging variables, we can modify the BMC encoding as follows. Let \(\bigvee _{l=0}^k(\bigwedge _{v \in X\uplus Y}(v^l = v^k) \wedge {}_l\llbracket \varphi \rrbracket _k^0)\) be the formula representing the BMC encoding of [14] at depth k with all possible loop-backs \(0 \le l \le k\) for a given formula \(\varphi \). The encoding is extended as follows:
$$\begin{aligned} \bigvee _{l=0}^k\left( \left( \bigwedge _{x\in X} (x^l = x^k) \wedge \bigwedge _{y \in Y} (y^l = y^k ~ \vee ~ \bigwedge _{i=l}^k\llbracket \phi _y\rrbracket _i)\right) \wedge {}_l\llbracket \varphi \rrbracket _k^0\right) . \end{aligned}$$
The correctness of the encoding relies on a safe choice of the set Y, falling back to the incomplete lasso-shaped case when some syntactic restrictions on the expressions containing clocks are not met (see appendix for more details).

5 Related Work

There are many tools that allow for the specification and verification of infinite state symbolic synchronous transition systems. Given the focus of this paper, here we restrict our attention to tools supporting timed systems and/or \(\textsc {MTL}\) properties.

Uppaal [15], the reference tool for timed systems verification, supports only bounded variable types and therefore finite asynchronous TTS. Properties are limited to a subset of the branching-time logic TCTL [16, 17]. LTSmin [18] and Divine [19] are two model checkers that support the Uppaal specification language and properties specified in \(\textsc {LTL}\). RTD-Finder [20] handles only safety properties for real-time component-based systems specified in RT-BIP. The verification is based on a compositional computation of an invariant over-approximating the set of reachable states of the system and leverages on counterexample-based invariant refinement algorithm. The ZOT Bounded Model/Satisfiability Checker [21] supports different logic languages through a multi-layered approach based on \(\textsc {LTL}\) with past operators. Similarly to nuXmv, ZOT supports dense-time \(\textsc {MTL}\). It leverages only on SMT-based Bounded Model Checking, and is therefore unable to prove that properties hold. Atmoc [22] implements an extension of IC3 [7] and K-induction [23] to deal with symbolic timed transition systems. It supports both invariant and \(\textsc {MTL}_{0,\infty }\) properties, although for the latter it only supports bounded model checking. CTAV [24] reduces the model checking problem for an \(\textsc {MTL}_{0,\infty }\) property \(\varphi \) to a symbolic language emptiness check of a timed Büchi automata for \(\varphi \).

Differently from all the above tools nuXmv is able to prove \(\textsc {MTL}_{0,\infty } \) properties on timed transition systems with infinite domain variables.
Fig. 3.

Runtime for the Fisher mutual exclusion problem; x-axis: number of processes, y-axis: time (s). \(\textsc {LTL}\)-1 and \(\textsc {MTL}\)-1 properties are the bounded version of resp. \(\textsc {LTL}\)-0 and \(\textsc {MTL}\)-0.

6 Experimental Evaluation

We compared nuXmv with Atmoc [22], CTAV [24], ZOT [21], Divine [19], LTSmin [18], and Uppaal [25].

For the evaluation we considered (i) scalable benchmarks taken from competitor tools distributions and from the literature; (ii) handcrafted benchmarks to stress various language features. In particular, we considered different versions of the Fisher mutual exclusion protocol (correct and buggy) with different properties, different versions of the emergency diesel generator problem (previously studied with Atmoc [22]). Finally we considered also the validity checks of some \(\textsc {MTL}\) properties also taken from [22]. We run all the experiments on a PC equipped with a 3.7 GHz Xeon quad core CPU and 16 Gb of RAM, using a time/memory limit of 1000 s/10 Gb for each test. We refer the reader to [26] to retrieve all the data to reproduce this experimental evaluation.
Fig. 4.

Result for the runtime (s) for the emergency diesel generator family of problems: nuXmv (x) vs Atmoc (y).

The results of the evaluation are reported in Fig. 3 for the Fisher family of experiments, and in Fig. 4 for the emergency diesel generator family of problems (CTAV does not appear in the plot of MTL-0 because it wrongly reports a counterexample although MTL-0 is the bounded version of LTL-0). While the results for the validity check of pure \(\textsc {MTL}\) properties are reported in Fig. 5. In the plots nuXmv refers to runtime for the IC3 with implicit abstraction in lockstep with BMC with the modified loop condition algorithm, and nuXmv-bmc refers to runtime for BMC alone with the modified loop condition algorithm. The results show that nuXmv is competitive with and in many cases performs better than other state-of-the-art tools, especially on validity problems for \(\textsc {MTL}_{0,\infty }\).
Fig. 5.

Runtime (s) for the validity checks of \(\textsc {MTL}\) properties.

7 Conclusions

We presented the new version of nuXmv, a state-of-the art symbolic model checker for finite and infinite-state transition systems, that we extended to allow for the specification of synchronous timed transition systems and of \(\textsc {MTL}_{0,\infty }\) properties. To support the new features, we extended the nuXmv language, we allowed for the specification \(\textsc {MTL}_{0,\infty }\) formulas with parametric intervals, we adapted the model checking algorithms to find for lasso-shaped traces (over discrete semantics) where clocks may diverge. We evaluated the new features comparing nuXmv with other verification tools for timed automata, considering different benchmarks. The results show that nuXmv is competitive with and in many cases performs better than state-of-the-art tools, especially on validity problems for \(\textsc {MTL}_{0,\infty }\).

References

  1. 1.
    Cavada, R., et al.: The nuXmv symbolic model checker. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 334–342. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08867-9_22CrossRefGoogle Scholar
  2. 2.
    Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT Solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 93–107. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36742-7_7CrossRefzbMATHGoogle Scholar
  3. 3.
    Koymans, R.: Specifying real-time properties with metric temporal logic. Real-Time Syst. 2(4), 255–299 (1990)CrossRefGoogle Scholar
  4. 4.
    Ouaknine, J., Worrell, J.: On the decidability of metric temporal logic. In: Proceedings of the 20th Annual IEEE Symposium on Logic in Computer Science. LICS 2005, pp. 188–197. IEEE (2005)Google Scholar
  5. 5.
    Somenzi, F.: CUDD: Colorado University Decision Diagram package – release 2.4.1Google Scholar
  6. 6.
    Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-24605-3_37CrossRefGoogle Scholar
  7. 7.
    Bradley, A.R.: SAT-based model checking without unrolling. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 70–87. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-18275-4_7CrossRefGoogle Scholar
  8. 8.
    Hassan, Z., Bradley, A.R., Somenzi, F.: Better generalization in IC3. In: FMCAD, pp. 157–164. IEEE (2013)Google Scholar
  9. 9.
    Vizel, Y., Grumberg, O., Shoham, S.: Lazy abstraction and sat-based reachability in hardware model checking. In: Cabodi, G., Singh, S. (eds.) FMCAD, pp. 173–181. IEEE (2012)Google Scholar
  10. 10.
    Claessen, K., Sörensson, N.: A liveness checking algorithm that counts. In: Cabodi, G., Singh, S. (eds.) FMCAD, pp. 52–59. IEEE (2012)Google Scholar
  11. 11.
    Schuppan, V., Biere, A.: Liveness checking as safety checking for infinite state spaces. Electr. Notes Theor. Comput. Sci. 149(1), 79–96 (2006)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Alur, R., Feder, T., Henzinger, T.A.: The benefits of relaxing punctuality. J. ACM 43(1), 116–146 (1996)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Tonetta, S.: Linear-time Temporal Logic with Event Freezing Functions. In: GandALF, pp. 195–209 (2017)Google Scholar
  14. 14.
    Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Bounded model checking. Adv. Comput. 58, 117–148 (2003)CrossRefGoogle Scholar
  15. 15.
    Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-30080-9_7CrossRefGoogle Scholar
  16. 16.
    Bouyer, P.: Model-checking timed temporal logics. In: Areces, C., Demri, S. (eds.) Proceedings of the 4th Workshop on Methods for Modalities (M4M–5). Electronic Notes in Theoretical Computer Science, vol. 1, pp. 323–341. Elsevier Science Publishers, Cachan, March 2009Google Scholar
  17. 17.
    Bouyer, P., Laroussinie, F., Markey, N., Ouaknine, J., Worrell, J.: Timed temporal logics. In: Aceto, L., Bacci, G., Bacci, G., Ingólfsdóttir, A., Legay, A., Mardare, R. (eds.) Models, Algorithms, Logics and Tools. LNCS, vol. 10460, pp. 211–230. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63121-9_11CrossRefGoogle Scholar
  18. 18.
    Kant, G., Laarman, A., Meijer, J., van de Pol, J., Blom, S., van Dijk, T.: LTSmin: high-performance language-independent model checking. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 692–707. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46681-0_61CrossRefGoogle Scholar
  19. 19.
    Baranová, Z., et al.: Model checking of C and C++ with DIVINE 4. In: D’Souza, D., Narayan Kumar, K. (eds.) ATVA 2017. LNCS, vol. 10482, pp. 201–207. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-68167-2_14CrossRefGoogle Scholar
  20. 20.
    Ben-Rayana, S., Bozga, M., Bensalem, S., Combaz, J.: RTD-finder: a tool for compositional verification of real-time component-based systems. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 394–406. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49674-9_23CrossRefGoogle Scholar
  21. 21.
    Pradella, M.: A user’s guide to zot. CoRR abs/0912.5014 (2009)Google Scholar
  22. 22.
    Kindermann, R., Junttila, T.A., Niemelä, I.: Smt-based induction methods for timed systems. CoRR abs/1204.5639 (2012)Google Scholar
  23. 23.
    Sheeran, M., Singh, S., Stålmarck, G.: Checking safety properties using induction and a SAT-solver. In: Hunt, W.A., Johnson, S.D. (eds.) FMCAD 2000. LNCS, vol. 1954, pp. 127–144. Springer, Heidelberg (2000).  https://doi.org/10.1007/3-540-40922-X_8CrossRefGoogle Scholar
  24. 24.
    Li, G.: Checking timed büchi automata emptiness using LU-abstractions. In: Ouaknine, J., Vaandrager, F.W. (eds.) FORMATS 2009. LNCS, vol. 5813, pp. 228–242. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-04368-0_18CrossRefGoogle Scholar
  25. 25.
    Larsen, K.G., Lorber, F., Nielsen, B.: 20 years of UPPAAL enabled industrial model-based validation and beyond. In: Margaria, T., Steffen, B. (eds.) ISoLA 2018. LNCS, vol. 11247, pp. 212–229. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03427-6_18CrossRefGoogle Scholar
  26. 26.
    Cimatti, A., Griggio, A., Magnago, E., Roveri, M., Tonetta, S.: Extending nuXmv with timed transition systems and timed temporal properties (extended version) (2019). Extended version with data to reproduce experiments https://nuxmv.fbk.eu/papers/cav2019

Copyright information

© The Author(s) 2019

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Alessandro Cimatti
    • 1
  • Alberto Griggio
    • 1
  • Enrico Magnago
    • 1
  • Marco Roveri
    • 1
    Email author
  • Stefano Tonetta
    • 1
  1. 1.Fondazione Bruno KesslerTrentoItaly

Personalised recommendations