We revisit the problem of real-time verification with dense time dynamics using timeout and calendar based models, originally proposed by Dutertre and Sorea, and simplify it to a finite state verification problem. To overcome the complexity of verifying real-time systems with dense time dynamics, Dutertre and Sorea proposed timeout and calendar based transition systems to model the behavior of real-time systems and verified safety properties using k-induction in association with bounded model checking. In this work, we introduce a specification formalism for these models in terms of Timed Transition Diagrams and capture their behavior in terms of the semantics of Timed Transition Systems. Further, we discuss a technique which reduces the problem of verifying qualitative temporal properties on the infinite state space of (a large fragment of) these timeout and calendar based transition systems to that on clockless finite state models, through a two-step process comprising digitization and canonical finitary reduction. This technique enables us to verify safety invariants for real-time systems using finite state model checking, avoiding the complexity of infinite state (bounded) model checking, and to scale up models without applying techniques from induction based proof methodology. Moreover, we can verify liveness properties for real-time systems, which is not possible using induction with infinite state model checkers. We present the examples of Fischer's Protocol, the Train-Gate Controller, and the TTA start-up algorithm to illustrate how such an approach can be efficiently used for verifying safety, liveness, and timeliness properties specified in LTL using finite state model checkers like SAL-smc and Spin.
We also demonstrate how advanced modeling concepts like inter-process scheduling, priorities, interrupts, and urgent and committed locations can be specified as extensions of the proposed specification formalism, which can then be subjected to the proposed two-step reduction technique for verification purposes.
Introduction
Real-time systems are an important class of mission critical systems, which have been well studied for their design, implementation, performance and verification. Modeling and verification of real-time systems in the dense time domain is an important problem area that has evoked a lot of research interest in the recent past. Because the state space of real-time systems with continuous dynamics is uncountable, modeling and verifying them is rather difficult, in particular using explicit state model checkers. Many formalisms have been used to model and verify real-time systems. Notable among them are different kinds of timed transition models [Alu99, HMP92b], timed process algebras [BeJ91, DaS95, NiS94], and real-time logics [AlH91, BMN00].
In [DuS04a], Dutertre and Sorea considered verification of a train-gate controller modeled as a timed automaton. Though they could specify the timed automaton model as a state transition system in the infinite state model checker SAL [MOR04], it did not produce the desired results. In particular, the clock variables occurring in timed automata would be updated in arbitrarily small increments, leading to infinite trajectories during which the discrete state remained idle. This made proofs of safety properties by k-induction quite hard, and sometimes impossible. The fact that the traditional semantics of timed automata allows several time steps to occur in succession is an obstacle to proving properties by k-induction.
To address this problem the same authors proposed timeout and calendar based transition models [DuS04a, DuS04b], originally from discrete event simulation, to represent the behavior of time-triggered systems with dense time dynamics. These models are amenable to general-purpose verification environments like SAL, in which state machines and their compositions can be specified. In this modeling approach, each process in the system has a timeout that holds the time when the next discrete transition of the process will happen, and there is a global data structure, called the calendar, which stores future events (message deliveries) and the time points at which these events are scheduled to occur. During the time progress transition, time is advanced to the minimum of the timeouts of the processes or to the least time point at which a message will be delivered in the future, whichever is less. Further, Dutertre and Sorea used this calendar based model along with timeouts for individual processes to model the TTA startup protocol in SAL [DuS04b]. Using bounded model checking, they proved a safety property by k-induction. However, such proofs using k-induction do not usually scale up well; a safety property often cannot be proved at induction depth 1. Sometimes safety properties are not inductive at all and need the support of auxiliary lemmas. In [DuS04b], a safety property for the TTA startup algorithm with only 2 nodes has been proved using 3 additional lemmas. A verification diagram based abstraction method proposed in [Rus00] has been used to prove the same safety (invariant) property for scaled up models (up to 10 nodes). However, liveness properties still remain beyond the scope of this approach.
While only safety properties can be verified on these models with dense time, discrete time modeling of the same can help verify liveness and timeliness properties, and also help scale up proofs for safety properties. It turns out that verifying a real-time system in the dense domain is equivalent to verifying it in the discrete domain if both the behavior of the system captured by the model and the properties considered are digitizable [HMP92a]. It can be shown that if the timeout updates are not restricted to (0, 1)-intervals, then, similar to the timed transition systems of [HMP92a] (refer to theorem 2 therein), transition systems for timeout and calendar based models also give rise to digitizable behaviors (computations). Also, verification of qualitative properties like safety and liveness in the discrete time domain is equivalent to verifying these properties in the dense time domain (refer to proposition 1 in [HMP92a]).
Techniques like bounded model checking [MRS03, DuS04a] can be useful for detecting bugs during the verification process even in the discrete domain: one systematically searches for counterexamples of length bounded by some integer k, and the bound k is increased until a bug is found or some pre-computed completeness threshold is reached. Unfortunately, computing completeness thresholds is usually very expensive, and these thresholds may be too large for the bounded search space to be explored effectively. Additionally, such completeness thresholds may not exist at all for many infinite-state systems. A finite state model of the system allows its state space to be explored much more easily. Examples of finite state model checkers are Spin [Hol93] and the SAL-smc solvers [DuS04a]. Spin has been used to build a finite state model of the TTA startup algorithm using a clockless calendar based model [SMR07]. In terms of scalability, finite state verification of TTA in Spin is almost comparable to the verification of TTA based on the verification diagram oriented abstraction method [DuS04b]. Moreover, liveness properties can be verified in this framework.
In this work, we aim to carry out finite state modeling and verification on timeout and calendar models without continuously varying clocks. As the models proposed earlier have drawbacks from the point of view of design considerations, like the absence of formally defined syntactic models and associated semantics, we deviate slightly from them. We consider the specification framework of timed transition diagrams and extend it to formalize timeout and calendar based models as timeout and calendar based transition diagrams, and their behavior in terms of the semantics of transition systems. The benefits that we derive from this formalization are manifold. Our framework of timeout transition diagrams inherits most of the properties of the classical timed transition systems introduced in [HMP92b]. Most of the techniques, like digitization, that can be applied to those timed transition systems are applicable to our formalization as well. It can also be used to model time-triggered systems and reason about them. Finally, we use this formal modeling framework to reduce the continuous time verification problem to discrete time finite state verification, albeit under some restrictions. Towards that, we use a two-step technique comprising digitization and finitary reduction (a schematic diagram of this technique is shown in Figure 1). We show that the computations of timeout and calendar models are digitizable provided the timeout increments are not restricted to the (0, 1)-interval. As LTL properties are qualitative and hence digitizable, verification of LTL properties on timeout and calendar models in dense time is equivalent to that in discrete time. The next step is to reduce this problem to an equivalent finite state verification problem. We could not directly extract finite state models from dense time models, since the latter are inherently infinite (and dense) and hence cannot be rendered finite even by bounding the variables.
Also note that such a model cannot be directly subjected to finite state verification, since for timeout and calendar based models global time and timeouts always increase. Nonetheless, we propose a finitary reduction technique which effectively reduces the infinite state timeout and calendar based transition systems with discrete dynamics to a finite state transition system. We achieve this by using a clockless modeling technique which strips the model of the global clock, keeps track of the relative updates of timeouts, and restricts the values of variables and timeout updates to bounded domains. We demonstrate by examples how such a modeling approach can be efficiently used for verifying safety, liveness, and timeliness properties using the finite state model checkers SAL-smc and Spin. We also highlight the scalability of such models for verification purposes by comparing their performance under dense time and finite state modeling. A preliminary version of this paper appeared in [SMR07].
The remainder of the paper is organized as follows. In the next section, we briefly discuss the timeout and calendar based modeling as presented in [DuS04a, DuS04b] . In Section 3, we present the formalization of these models in terms of timeout transition diagrams and their behavior in terms of the semantics of transition systems. We discuss the technique of digitization in Section 5 and present our first step of reduction of dense-time verification problem to integral time verification problem. In Section 6, we describe the finitary reduction technique and subsequently, formalize it in terms of clockless modeling. We present experimental results in Section 7. A few extensions of our framework are described in Section 8 followed by concluding remarks in Section 9.
Related Work
There have been earlier attempts to model and verify time-triggered systems using extensions of finite state model checkers, e.g., Spin. Spin [Hol93] is a tool for automatically model checking distributed systems, but it does not allow an explicit representation of time. There have mainly been two attempts at extending Spin with time. The real-time extension of Spin (RT-Spin [TrC96]) is one such attempt, which makes use of timed Büchi automata [AlD94] with real-valued clocks as a modeling framework. However, this formalism is incompatible with the partial order reduction supported by Spin. The other is the work on DT-Spin [BoD98a, BoD98b], which allows one to quantify the (discrete) time elapsed between events by specifying the time slice in which they occur. DT-Spin is compatible with the partial order reduction and has been used to verify industrial protocols like the AFDX Frame management protocol [SaR06a] and TTCAN [SaR06b]. Nonetheless, systems with asynchronous communication with bounded delays between components cannot be modeled directly using the kind of asynchronous channels that Spin provides, since there is no explicit provision to capture message transmission delays. A possible way is to model each channel as a separate process with the delay as a state variable. In [BoD98a], the channels in the example of the PAR protocol have been implemented in this way. But for systems with a relatively large number of components and a high degree of connectivity among them, modeling channels in this way is difficult, and hence state space explosion becomes an unavoidable problem.
The concept of clockless modeling was introduced in [Pik05]. There, Pike builds on the work of [DuS04a] and proposes a new formalism called Synchronizing Timeout Automata (STA) to reduce the induction depth k required for k-induction. He introduces a clockless semantics for STA so that the resulting transition system does not involve a clock. STA in effect describe the overall system architecture in terms of the timeout transition system introduced in [DuS04a]. A closer analysis of the SAL model for the example of the Train-Gate Controller presented in [Pik05] reveals that the considered model is not deadlock free. This is because the model fails to specify the timeout update rules precisely for the transitions leading to a waiting state. When a process is waiting for an external signal, its timeout should be set to a value greater than the current value of the timeouts of the senders of the expected signal. Such modeling errors could be eliminated with a suitable modeling framework such as the one proposed in this paper. To our knowledge, the first attempt to convert TA to untimed TA is taken up in [AlD94]. Building upon this, in [ChH04] the authors discuss how a special kind of model for specifications written in Duration Calculus (DC) [CHR91] can be generated, in which DC formulas correspond to regular expressions over a set of special symbols. The models for DC formulas contain discrete states and digitizations of continuous states, thereby enabling reasoning about both discrete and continuous time in a single framework. Applying discretization to the continuous component of real-time systems, these models can be further translated into Promela models for verification experiments using SPIN.
Timeout and Calendar-based Real-Time Models
In this section we briefly discuss timed automata [AlD94] and the timeout and calendar-based models introduced earlier in [DuS04b].
Timed Automata
Timed automata (TA) were introduced by Alur et al. in [AlD94] as a clock based model for specifying real-time system designs. TA are widely used for modeling and verification of real-time systems. Many tools are available for analyzing timed automata, e.g., UPPAAL [BDL04], Kronos [Bozga], and Rabbit [BLN03]. For further details on TA, the reader is referred to [AlD94].
Timeout Transition Model
Dutertre and Sorea [DuS04a, DuS04b] used timeout based modeling to formally verify real-time systems using k-induction in the SAL model checker. A Timeout Transition Model (TTM), which is a model of the combined system behavior, contains a finite set of timeouts and a global clock variable t. Timeouts define the time points at which discrete transitions will be enabled in the future. The clock variable t keeps track of the current time. In practice a typical real-time system may contain a number of processes. Every process is associated with one timeout, which records the future point of time at which the next discrete transition of the process is scheduled to occur. Transitions in this model are classified into two types: time progress transitions and discrete transitions. In a time progress transition, t (time) advances to the minimum valued timeout(s). A discrete transition occurs when t is equal to the minimum valued timeout(s). If more than one process has its timeout equal to the minimum value, one of them is randomly chosen and the corresponding discrete transition occurs, updating the value of the timeout for the selected process. The timeout based modeling approach is suited to systems where the processes communicate via shared variables or by rendezvous.
Calendar Transition Model
Interprocess communication delays during message transfers cannot be modeled using timeout based modeling, because delays are beyond the control of individual processes. The addition of an event calendar, a globally shared data structure, is proposed as a convenient way to model such delays [DuS04b]. This model is called the Calendar Transition Model (CTM). A calendar is a set of bounded size of the form C = {⟨e_1, t_1⟩, . . . , ⟨e_r, t_r⟩}, where each event e_i is associated with the time point t_i at which it is scheduled to occur. There is a fundamental difference between a clock and a calendar: while the former measures the time elapsed since its last reset, the latter stores the expected delivery delays of all undelivered messages. Asynchronous communication with bounded delay can be easily modeled by using the calendar as a global data structure. When a message is transmitted by a process, it is added to the calendar as an event e_i to occur at time t_i, where t_i denotes the expected delivery time of the message. On receiving the message, the event is removed from the calendar. Thus at any state, the calendar C can be seen as the set of messages that have been sent but are yet to be received, with their corresponding expected delivery delays.
Limitation of Existing Formalisms
Timed automata are one of the most frequently used formalisms for specifying real-time system designs. However, for systems with asynchronous communication with bounded delays between components, TA do not offer any efficient means of specification. Two possible choices have been considered in the literature. The first is to use state variables for encoding the behavior of asynchronous channels, however without any explicit provision to capture message transmission delays. The second is to model each channel as a separate TA with the delay as a state variable. However, with a relatively large number of components and a high degree of connectivity among them, modeling channels in this way is difficult, and state space explosion becomes an unavoidable problem. UPPAAL [BDL04], which can model TA, has the same problem when it is used to model asynchronous communications with bounded delays: every channel has to be modeled as a separate TA capturing the message transmission delays.
On the other hand, although TTM and CTM are expressive enough to capture a range of behaviors associated with time-triggered systems, including asynchronous communication delays, they have two specific design limitations:
• These models are not well suited for actual system design purposes, since they describe the behavior of the combined system without (explicitly) specifying the design of the modular components.
• The absence of formally defined syntactic design models corresponding to these transition systems demands that additional correctness measures be put in place: for verification purposes, actual design models need to be (manually) interpreted and translated into these transition systems as per the underlying system dynamics, and on discovering an error during verification, such errors need to be comprehended by a designer and subsequently translated back into the design for remedial action.
In view of such limitations in the existing specification formalisms, we next define, and elaborate using examples, a new timeout based formalism which can effectively overcome these barriers.
Formalization of Timeout and Calendar based Models
In [HMP92b] an abstract model of timed transition system was proposed which could represent a wide variety of behaviors of the timed execution of concurrent processes. In this section we adapt and extend the Timed Transition System (TTS) described therein to represent timeout and calendar based models. Further we describe their associated semantics in terms of state transition systems.
Timeout based Timed Transition Model
Syntax
A Timeout based Model (ToM) is represented as
Each process P i is a sequential non-deterministic process having τ i as its local timeout and X i as a set of local timing variables. Local timing variables are used for determining the relative delay between events. A shared variable {t} represents the global clock. The operator "||" denotes parallel composition. The formula θ, called the data pre-condition of P , restricts the initial values of variables in
where the set of all timeouts is T = {τ 1 , τ 2 , . . . , τ n }, and
is the set of other state variables. The variables in G are globally shared among all the processes while L i contains variables local to process P i . Let f Var be the set of computable functions on Var . Each process P i is represented using a timeout transition diagram (TTD), which is a finite directed graph with a set of nodes Loc i = {l , where update i specifies the way timeout τ i is to be updated on taking a transition on the edge when the guard ρ evaluates to true. γ ⊆ X i specifies the local timing variables which capture value of the clock t while taking transition on the edge. This value may be used during future transitions while estimating relative delay w.r.t. this transition. f ∈ f
Var manipulates the state variables in G ∪ L i . update i is defined using the rule:
where l + z ≺ k 1 ≺ m + z for ≺, ≺ ∈ {<, ≤} and k 2 l + z for ∈ {>, ≥}; z, z := t|w and l, m ∈ N are non negative integer constants specifying the lower and upper limits for a timeout increment interval 1 , and w ∈ X i is a local timing variable. The variable z makes such an interval relative to the occurrence of specific events. M is the set of all the integer constants that are used to define the upper limit of different timeouts for different processes in the system. max(M) returns the maximum of all the integers in M.
Constraints on k 1 , k 2 specify how the new value of the timeout τ i is to be determined from the current value of the clock t and/or w, which would have captured the value of t in some earlier transition. Setting a timeout to ∞ captures the requirement of indefinite waiting for an external signal/event. Selecting the timeout value using max(M) captures the situation where the next discrete transition of a process may happen at any time in the future; for example, the process may be in a sleeping mode and can wake up at any future point of time.
Synchronous Communication Edges:
Rendezvous communication between a pair of processes (P s , P r ) is represented by having an edge pair (e s , e r ) s.t. e s ∈ P s and e r ∈ P r and e s : l where ch is the channel name, m ∈ L i is the message sent, and m ∈ L r the message received, and g, h ∈ f Var are the computable functions.
Semantics
With a given ToM
we associate the following transition system S P = (V, Σ, Σ 0 , Γ), referred to as timeout based clocked transition system (TCTS) where,
. . , π n }. Each control variable π i ranges over the set Loc i ∪ {⊥}. The value of π i indicates the location of the control for the process P i and it is ⊥ (undefined) before the start of the process.
2. Σ is the set of states. Every state σ ∈ Σ is an interpretation of V, that is, it assigns values to clock variable t, every timeout variable in T , timing variables in X , state variables in Var , and control variables π 1 , . . . , π n , in their respective domains. For x ∈ V, let σ(x) denote its value in state σ.
3. Σ 0 ⊆ Σ is the set of initial states such that for every σ 0 ∈ Σ 0 , θ is true in σ 0 and σ 0 (π i ) =⊥ for each process P i .
4. Γ = Γ e ∪ Γ + ∪ Γ 0 ∪ Γ syn comm is the set of transitions. Every transition ν ∈ Γ is a binary relation on Σ defined further as follows:
Entry Transitions: Γ e , the set of entry transitions contains an entry transition ν i e for every process P i . In particular, ∀σ 0 ∈ Σ 0 ,
Time Progress Transition: The first kind of edges ν + ∈ Γ + are those where the global clock is increased to the minimum of all timeouts. In particular,
Discrete Transition: and is labeled by the instruction ρ ⇒ τ i := update i , γ, f , then
Synchronous Communication: For a pair of processes P s , P r having synchronous communication edges (e s , e r ) as defined before, ν sr syn comm ∈ Γ syn comm exists such that:
This semantic model defines the set of possible computations of the ToM P as a (possibly infinite) set of state sequences ξ : σ 0 → σ 1 → . . ., which starts with some initial state σ 0 in Σ 0 and follows with consecutive edges in Γ, i.e., ∀i.
be the set of all these computations of a ToM P as defined by its TCTS S P .
Calendar Based Timed Transition Model
Syntax
Next we capture the bounded message transfer delay associated with asynchronous communication. Towards that, the ToM is extended with a calendar data structure. A calendar is a linear list of bounded size, where each element of the list contains the following information: message, sender id, receiver id, and expected delivery time. Assuming C to denote the calendar array, a globally shared object, we set
Sending a message in a TTD of process P i is represented using the following edge:
where Ω ⊆ R × Λ, R ⊆ {1, 2, . . . n} is the index set for the processes and Λ is the set of expected message delays. send(. . .) specifies that a message m is to be sent to each of the processes P r with expected delivery time of λ r where (r, λ r ) ∈ Ω. On taking a transition on this edge an entry { m, i, r, λ r } is added to C for each (r, λ r ) ∈ Ω.
Receiving of the corresponding message is represented in the TTD for each of the processes P r , ∀ r ∈ R using the following edge:
, where receive(. . .) specifies that a message m sent by process P i is to be received by the process P r . On taking a transition on this edge, the entry {m, i, r, λ r } is deleted from C.
Semantics
Given a calendar C, we assume that the set of delays for all undelivered messages at any state σ can be found using the function ∆ :
Time Progress Transition: The first kind of edges ν + are those where the global clock is increased to the minimum of all the timeouts and message delays. In particular,
We additionally define new transitions corresponding to send() and receive() to capture asynchronous communication:
Send Transition: If there is an edge in process P i , which connects source location l i j to target location l i k and is labeled by the instruction ρ ⇒ send(m, i, Ω), τ i := update i , γ, f , then we have the corresponding edge ν i send ∈ Γ asyn comm , which adds |Ω| cells to the calendar array C:
Receive Transition: If there is an edge in process P r , which connects source location l r j to target location l r k and is labeled by the instruction T rue ⇒ receive(m, i, r), τ r := update r , γ, g , then we have the corresponding edge ν r receive ∈ Γ asyn comm , which deletes the entry {m, i, r, λ r } from the calendar array C when the clock t reaches λ r :
Similar to the case of TCTS, this semantic model also defines the set of possible computations of the calendar based ToM as a (possibly infinite) set of state sequences starting with some initial state in Σ 0 and following consecutive edges in Γ. Let [ |S P | ] be the set of all these computations of a calendar based ToM P as defined by its CCTS S P .
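As an added illustration (Python, not code from the paper or its authors) of the calendar based semantics defined above, the following constructed two-process model lets P1 send a "ping" to P2 at each of its timeouts with a bounded delivery delay, while P2 has no timeout of its own (timeout ∞, the indefinite-wait convention) and only takes receive transitions. The run function applies the time progress, send and receive transitions in the order the semantics allows them and records one computation; the process structure, the message name, and the period and delay values are assumptions of this example.

```python
import math

INF = math.inf  # a timeout of infinity models a process waiting indefinitely for an external event


def next_time(t, timeouts, calendar):
    """Target of the time progress transition: the minimum over all process timeouts
    and over the expected delivery times of all undelivered messages in the calendar."""
    candidates = list(timeouts.values()) + [entry["deliver_at"] for entry in calendar]
    nxt = min(candidates)
    if nxt == INF:
        raise RuntimeError("every process waits indefinitely and the calendar is empty")
    if nxt < t:
        raise RuntimeError("a timeout or delivery time lies in the past")
    return nxt


def run_ping(period=4, delay=3, rounds=2):
    """One computation of a constructed two-process calendar model (an assumption of this
    example, not a system from the paper): P1 sends 'ping' to P2 at each of its timeouts
    with delivery delay `delay`, `rounds` times in total; P2 has no timeout of its own and
    only takes receive transitions. Returns a list of (clock, kind, detail) tuples."""
    t = 0
    timeouts = {1: 0, 2: INF}  # tau_1 expires at once; P2 waits for messages indefinitely
    calendar = []  # undelivered messages: {message, sender, receiver, deliver_at}
    trace = []
    sent = 0
    while True:
        # receive transition: a calendar entry whose delivery time equals the clock
        due = [e for e in calendar if e["deliver_at"] == t]
        if due:
            entry = due[0]
            calendar.remove(entry)
            trace.append((t, "receive",
                          f"P{entry['receiver']} gets {entry['message']} from P{entry['sender']}"))
            continue
        # send transition of P1 on its timeout: one calendar entry per receiver (here only P2)
        if timeouts[1] == t and sent < rounds:
            calendar.append({"message": "ping", "sender": 1, "receiver": 2, "deliver_at": t + delay})
            sent += 1
            # after the last round P1 waits indefinitely, otherwise it re-arms its timeout
            timeouts[1] = t + period if sent < rounds else INF
            trace.append((t, "send", f"P1 sends ping, tau_1 := {timeouts[1]}"))
            continue
        if not calendar and all(v == INF for v in timeouts.values()):
            break  # nothing left to schedule: the computation ends
        # no discrete transition is enabled: time progress to the next scheduled instant
        t = next_time(t, timeouts, calendar)
        trace.append((t, "progress", "clock advances"))
    return trace


if __name__ == "__main__":
    for clock, kind, detail in run_ping():
        print(f"t={clock}: {kind:8} {detail}")
```

With period 4 and delay 3 the clock advances to 3 (the delivery) before it advances to 4 (P1's next timeout), exactly the "whichever is less" rule; with period 2 and delay 3 two messages are simultaneously undelivered, and the calendar holds both until their delivery times are reached.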
Models for Time:
So far we have left unspecified the underlying model of time for the clock, timeouts, etc. that appear in the definitions of TCTS and CCTS. There are two natural choices for time: the set of non-negative integers N (discrete time) or the set of non-negative reals R (dense time). Given the model of time as TIME, let [ |S P | ] TIME be the set of all the computations of a ToM (or calendar based ToM) P as defined by its TCTS (or CCTS) S P .
When the underlying model of time is R, we need to add the following non-zenoness condition to ensure effective time progress in the model: there must not be infinitely many time progress (or timeout increment) transitions within a finite interval. Formally,
nonzenoness:
∀ξ :
Parametric Processes
We consider the case of a finite family of processes specified in a parametric way. A completely parametric process family would be specified as
] where N ≥ 1 is some finite positive integer and θ = θ 1 ∧ . . . ∧ θ N such that θ i (1 ≤ i ≤ N ) initializes the variables for the i th copy of the process. Process P (i) could be a TTD or a calendar based TTD. The semantic interpretation of such a parametrically specified process family is given by first flattening the specification as
Figure 2: TTD for the i th process in Fischer's Protocol
and then applying the semantics presented before as per the case of P (i) being a TTD or a calendar based TTD. Such parametric specification can be generalized to a homogeneous set of process families as
where N 1 , . . . N l are some finite positive integers and
initializes the variables for the i th process family. The term homogeneous arises because processes in all the process families should uniformly be either TTDs or calendar based TTDs. We do not consider the case of a heterogeneous set of process families, where processes across different process families might be different. Similar to the case of a single parametric process family, the generalized process family can be interpreted by flattening the process specification.
Examples
The following two examples illustrate the expressiveness and effectiveness of the proposed timeout and calendar based modeling framework.
Fischer's Mutual Exclusion Protocol
Fischer's protocol is a well studied protocol for ensuring mutual exclusion among real-time concurrent processes. Let there be n processes P 1 , . . . , P n trying to access shared resources in a real-time fashion, to be discussed later. A process P i is initially idle (Sleeping state) but, at any time, may begin executing the protocol provided the value of a global variable lock is 0, and then moves to the Wait state. There it can wait up to a maximum of d 1 time units before assigning the value i to lock and moving to the Trying state. It may enter the Critical section after a delay of at least d 2 time units provided the value of lock is still i. Otherwise it has to move back to the Sleeping state. Upon leaving the Critical section, it re-initializes lock to 0. Another global variable, in critical, is used to keep count of the number of processes in the critical section; it is incremented before a process enters the Critical section and decremented when the process leaves it. Mutual exclusion is ensured if d 1 < d 2 . The timeout-based TTD of the i th process P i executing Fischer's protocol is shown in Figure 2 .
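To make the timeout transition model and the clockless finitary reduction concrete, here is an added example (Python, not code from the paper or its authors) that encodes Fischer's protocol as described above as a timeout transition system in discrete time, stores only the relative timeouts τ i − t instead of the global clock, and exhaustively explores the resulting finite state space to check the invariant in critical ≤ 1. The location names, the bound wake_max on how long a sleeping process re-arms its timeout (playing the role of max(M)), the bound cs_max on the critical section, and the choice of exactly d 2 for the Trying timeout are constructed assumptions of this example.

```python
from collections import deque

# Locations of the Fischer TTD (the names are constructed for this example)
SLEEPING, WAIT, TRYING, CRITICAL = "Sleeping", "Wait", "Trying", "Critical"


def successors(state, n, d1, d2, wake_max, cs_max):
    """Clockless successor relation of the timeout transition system.

    state = (locs, rel, lock, in_critical), where rel[i] = tau_i - t is the time
    remaining until process i's timeout expires.  The global clock t is not stored;
    because every timeout increment is bounded, the rel values stay within
    [0, max(d1, d2, wake_max, cs_max)], so the reachable state space is finite.
    """
    locs, rel, lock, in_crit = state
    out = []
    delta = min(rel)
    if delta > 0:
        # time progress transition: t advances to the minimum timeout, which in
        # clockless form means every remaining time decreases by that minimum
        out.append((locs, tuple(r - delta for r in rel), lock, in_crit))
        return out
    # discrete transitions: every process whose timeout has expired (rel == 0)
    # may take an edge; the choice between such processes is nondeterministic
    for i in range(n):
        if rel[i] != 0:
            continue

        def step(new_loc, new_rel, new_lock=lock, new_crit=in_crit, i=i):
            new_locs = locs[:i] + (new_loc,) + locs[i + 1:]
            new_rels = rel[:i] + (new_rel,) + rel[i + 1:]
            out.append((new_locs, new_rels, new_lock, new_crit))

        loc = locs[i]
        if loc == SLEEPING:
            for k in range(1, wake_max + 1):      # stay asleep, re-arm the timeout (max(M) bound)
                step(SLEEPING, k)
            if lock == 0:                         # may start the protocol only while lock == 0
                for k in range(0, d1 + 1):        # will assign lock within d1 time units
                    step(WAIT, k)
        elif loc == WAIT:
            step(TRYING, d2, new_lock=i + 1)      # lock := i, then wait (here exactly) d2
        elif loc == TRYING:
            if lock == i + 1:                     # lock still ours: enter the critical section
                for k in range(1, cs_max + 1):
                    step(CRITICAL, k, new_crit=in_crit + 1)
            else:                                 # lost the race: back to Sleeping
                for k in range(1, wake_max + 1):
                    step(SLEEPING, k)
        elif loc == CRITICAL:                     # leave: release the lock, decrement the counter
            for k in range(1, wake_max + 1):
                step(SLEEPING, k, new_lock=0, new_crit=in_crit - 1)
    return out


def check_mutual_exclusion(n, d1, d2, wake_max=2, cs_max=1):
    """Explicit-state reachability check of the invariant in_critical <= 1.

    Returns (holds, number_of_reachable_states, counterexample_trace); the trace is
    empty when the invariant holds and otherwise runs from the initial state to the
    first violating state found by breadth-first search."""
    init = ((SLEEPING,) * n, (0,) * n, 0, 0)
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if s[3] > 1:                               # two processes in Critical at once
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return False, len(parent), trace[::-1]
        for nxt in successors(s, n, d1, d2, wake_max, cs_max):
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return True, len(parent), []


if __name__ == "__main__":
    for n, d1, d2 in [(2, 1, 2), (3, 1, 2), (2, 1, 1), (2, 2, 1)]:
        holds, size, trace = check_mutual_exclusion(n, d1, d2)
        verdict = "holds" if holds else f"FAILS (counterexample of {len(trace)} states)"
        print(f"n={n} d1={d1} d2={d2}: mutual exclusion {verdict}, {size} reachable states")
```

With d 1 < d 2 the search terminates without finding a state with two processes in Critical; with d 1 ≥ d 2 it returns a counterexample in which two processes interleave their lock assignment and their check at the same clock value, which is exactly the ordering the timeout semantics leaves nondeterministic when several timeouts expire together.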
TTA Startup Algorithm
The TTA startup algorithm can be formalized using the calendar based model described above. This algorithm executes on a logical bus meant for safety-critical applications in both the automotive and aerospace industries. In normal operation, N processors or nodes share a TTA bus using a TDMA schedule. The goal of the startup algorithm is to bring the system from the power-up state, in which the processors are not synchronized, to the normal operation mode in which all processors are synchronized and follow the same TDMA schedule.
Figure 3: calendar based TTD of the i th node (edge labels include True ⇒ ⟨receive(i_frame, j, i), …⟩ and True ⇒ ⟨receive(cs_frame, j, i), …⟩)
When a node is powered-on, it performs some internal initialization, and transits to the Listen state. In this state it listens for the unique duration τ listen i to determine if there is a synchronous set of nodes communicating on the medium. The nodes which are in the Active state are already synchronized, and periodically transmit i-frames that carry the TDMA cycle structure. If a node in the Listen state receives such an i-frame, it adjusts its state to the frame contents and is thus synchronized with the set of already synchronous nodes. If the above does not happen, there are two possibilities. Each node listens for a cold-start message (cs-frame) from another node indicating the beginning of the cold-start sequence; cs-frames are similar to i-frames but carry a protocol state suggested by the sending node. When a node completes the reception of a cs-frame, it enters the Coldstart state and resets its local clock to δ cs (that is the transmission duration of the cs-frame). Thus, all nodes that received the cs-frame have synchronized local clocks (within system tolerances, including the propagation delay). Each node that receives neither an i-frame nor a cs-frame during the Listen phase enters the Coldstart state on its listen timeout, resets its local clock to 0 and broadcasts a cs-frame. Thus, after the transmission of the cs-frame (δ cs later), the local clock of the sending node is also synchronized to the local clocks of the set of receiving nodes.
Each node in the Coldstart state waits for the reception of another cs-frame or i-frame until its local clock reaches the value of its individual cold-start timeout. If it receives such a frame, it synchronizes on its contents and enters the Active state; if not, it resets its local clock and again broadcasts a cs-frame. No further collision can occur at this point, because the cold-start timeouts are strictly ordered, so no two nodes that caused a collision can collide again. The listen timeout of any node is greater than the cold-start timeout of any node. No node which has entered the Listen state after the collision can move to the Coldstart state before the collision is resolved. For further details of the startup protocol, we refer the reader to [StP02].
The calendar based TTD of the $i$-th node is depicted in Figure 3. In the TTA startup algorithm, all communication is asynchronous and hence message delivery delays, which are finite and specified by the designer, have to be taken into account for correct operation of the protocol. The timeouts $\tau_i^{listen}$ and $\tau_i^{cs}$ represent how much time a node spends in the Listen state and the Coldstart state respectively, if no external signal is received. The timeout $\tau^{round}$ denotes the time a node spends in the Active state before sending its next message. $R_i = \{1, \dots, N\} \setminus \{i\}$ represents the set of nodes, other than the sender $i$, that are required to receive the message in the network. We use $\lambda_i$'s to denote the message delivery time for the corresponding send events. In TTA, message delivery times for all the receivers are considered to be the same, and that is why we have considered a single variable $\lambda_i$ to represent that delay.
Verification Results for Digitization
In the literature the verification problem for real-time systems assumes two descriptions of real-time behavior, an implementation $I$ and a specification $S$, and poses the question whether $I$ implements (satisfies) $S$. The implementation language $L_I$ describes systems and their behavior over time, while the specification language $L_S$ describes the timing requirements of the system. The verification obligation involves presenting algorithms and/or proof rules that facilitate a formal argument that a particular implementation meets the requirements of a particular specification under particular semantic assumptions about computation and time. Assuming $C$ and $T$ to be mathematical models of computation and time respectively, the real-time verification problem parameterized by $(C, T, L_I, L_S)$ states: does the implementation of the system $I$, given as an expression of $L_I$, meet the specification $\phi$, given as an expression of $L_S$, with respect to the semantic assumption $(C, T)$, written as
In particular, we consider two important instances of the real-time verification problem: one with an integral model of time and one with a dense model of time. In the following, we assume TTS as the implementation language and linear time temporal logic (LTL) as the specification formalism.
Timed Sequences
We adopt the discrete trace model (using the terminology from [HMP92a, Bos99]) as the mathematical model of computation. In the discrete trace model one captures the behavior of a system as an infinite sequence of snapshots of the global system state at certain times. We assume our time domain $TIME$ has a total ordering $\le$ defined on it. We define an observation to be a pair $(\sigma_i, T_i)$, where $\sigma_i$ is a state and $T_i \in TIME$. A timed state sequence $\eta = (\sigma, T)$ is an infinite sequence $\eta:$
Further, the infinite sequence $T$ of time stamps $T_i$ in $\eta$ satisfies (i) monotonicity: $T_i \le T_{i+1}$ for all $i \ge 0$, and (ii) progress: time progresses, i.e., for all $T \in TIME$, $T_i \ge T$ for some $i \ge 0$. From now on, we work with dense-time models when $TIME = \mathbb{R}$ and integral-time models when $TIME = \mathbb{N}$. A timed state sequence under the dense-time model will be referred to as precisely timed, and under the integral-time model as digitally timed.
Let us denote the set of all timed state sequences over the $TIME$ domain as $TSS_{TIME}$. A real-time property is a subset of $TSS_{TIME}$. Every real-time system $S$ defines a real-time property, denoted $[\![S]\!]$, which is the set of all timed state sequences of $S$. Also, every real-time specification $\phi$ defines a real-time property $[\![\phi]\!]$, the set of timed state sequences that satisfy $\phi$. Now let us formulate the real-time verification problem. We say a real-time system $S$ satisfies the specification $\phi$, written as
Consider a dense-time property $\Pi_{\mathbb{R}} \subseteq TSS_{\mathbb{R}}$, a set of timed state sequences over $\mathbb{R}$. Its clock-independent semantics $N(\Pi_{\mathbb{R}})$ is the subset of digitally timed state sequences in $\Pi_{\mathbb{R}}$, i.e., $N(\Pi_{\mathbb{R}}) = \Pi_{\mathbb{R}} \cap TSS_{\mathbb{N}}$. In [HMP92a], it is shown that clock-independent semantics is not adequate for reasoning about dense time. As a remedy, another approximate semantics was introduced, called digitization.
² Note that any $\xi \in [\![S_P]\!]$ (previously defined) essentially defines a timed state sequence. This is because the states in $\xi$ carry an implicit representation of the time stamps as $\sigma_0(t), \sigma_1(t), \dots$, which are otherwise explicitly present in the definition of $\eta$ as $T_0, T_1, \dots$
The following definitions will be useful for our subsequent discussion. For any timed state sequence $\eta = (\sigma, T)$, we introduce its untime operation $\eta^-$ as its state component $\sigma$. Also, $\eta^i = (\sigma^i, T^i)$, for $i \ge 0$, denotes the timed state sequence that results from $\eta$ by deleting the first $i$ observations (note that $\eta^0 = \eta$).
Digitization
Given We state some concepts from [HMP92a]. Let $\Pi$ be a dense-time property. $\Pi$ is closed under digitization iff for all $\eta \in TSS_{\mathbb{R}}$, $\eta \in \Pi$ implies $[\eta] \subseteq \Pi$. $\Pi$ is closed under inverse digitization iff $[\eta] \subseteq \Pi$ implies $\eta \in \Pi$, for all $\eta \in TSS_{\mathbb{R}}$. Finally, $\Pi$ is digitizable iff it is closed under both digitization and inverse digitization, i.e., $\eta \in \Pi$ iff $[\eta] \subseteq \Pi$ for all $\eta \in TSS_{\mathbb{R}}$. We state the following important result (see [HMP92a]).
Fact 5.1 Assume a real-time system $S$ whose dense-time semantics $[\![S]\!]_{\mathbb{R}}$ is closed under digitization, and a specification $\phi$ whose dense-time semantics $[\![\phi]\!]_{\mathbb{R}}$ is closed under inverse digitization. Then in order to prove $S \models_{\mathbb{R}} \phi$ it suffices to check whether $S \models_{\mathbb{N}} \phi$.
A dense-time property $\Pi$ is said to be qualitative if $\eta \in \Pi$ implies $\eta' \in \Pi$ for all precisely timed sequences $\eta$ and $\eta'$ with identical state components (i.e., $\eta$
Fact 5.2 [HMP92a] Every qualitative property is digitizable.
Digitization of Timeout and Calendar based Transition Systems
Recall that a TCTS is $S = (V, \Sigma, \Sigma_0, \Gamma)$ (we drop the subscript $P$ because we assume the ToM $P$ is implicit), where $V$ is a set of variables, $\Sigma$ a set of states, $\Sigma_0 \subseteq \Sigma$ a set of initial states and $\Gamma$ a set of transitions.
We would like to show that the computations of this transition system are digitizable. Our approach follows [Bos99]. A run of $S$ over a timed state sequence $\eta: (\sigma_0, T_0) \to (\sigma_1, T_1) \to \cdots$ is a sequence of pairs of $S$ of the
$\to \cdots$ where $\sigma_i$ denotes the state and $\nu_i$ the mapping of the variables in $U$ in state $\sigma_i$, and further it satisfies the following conditions:
2. (consecution:) for $i \ge 1$ there is an edge $(\sigma_{i-1}, \sigma_i) \in \Gamma = (\Gamma_e \cup \Gamma_+ \cup \Gamma_0 \cup \Gamma_{syn\,comm})$ such that the following hold:
3. (time progress:) for any real number $T$ there exists an $i \ge 0$ such that $T_i > T$.
We say that $\eta \in TSS_{TIME}$ is time-consistent (for $S$) if $S$ has a run over it. In the sequel we consider only time-consistent behaviors $\eta \in [\![S]\!]_{TIME}$ of $S$, i.e., $\eta \in [\![S]\!]_{TIME}$ iff there is a run over $\eta$. If $TIME = \mathbb{N}$ then we get the integral behavior of the TCTS. Now it is obvious that the time at state $j \ge 1$ in a given run is given by $\nu_j(t) = T_j$. We define -digitization of the mapping $\nu_j$ for any variable $x \in U \subseteq V$ as $\nu_j(x) = [\nu(x)]$.
Given a computation
$\to \cdots$, where $\nu_j$ for $j \ge 1$ are defined above, and $\nu_0(t) = [T_0]$. The result above gives a precise characterization of digitization for a TCTS. Timeout increments in $(0, 1)$ result in a TCTS that is not closed under digitization and therefore cannot be model checked for all LTL properties under discrete time dynamics.
A similar argument can be used to show that the dense computations of a (digitizable) calendar based clocked transition system (CCTS) are also closed under digitization.
Linear Temporal Logic
Let us briefly describe propositional linear temporal logic [Pnu77], more popularly known as LTL. The vocabulary of LTL consists of a set $P$ of atomic propositions. The formulas of LTL are built using boolean connectives, the next operator and the until operator $U$ as follows:
The other temporal operators can be introduced as abbreviations, e.g., $F\phi = True\ U\ \phi$, $G\phi = \neg F \neg \phi$.
The formulas of LTL can be interpreted over timed state sequences whose states are from $\Sigma$, such that each state in $\Sigma$ gives rise to an interpretation of the propositions in $P$. Let $\eta = (\sigma, T)$ be a timed state sequence with $\sigma_i \in \Sigma$ for $i \ge 0$. The satisfaction relation $\eta \models \phi$ is defined inductively as follows:
, where $T_i \ge T_0 + \alpha$, and $\forall j.\ 0 \le j < i.\ \eta^j \models \phi_1$.
For an LTL formula $\phi$, let the set $[\![\phi]\!]_{TIME} \subseteq TSS_{TIME}$ contain all timed state sequences $\eta$ over the time domain $TIME$ such that $\eta \models \phi$. Thus, $[\![\phi]\!]_{\mathbb{R}}$ is the analog dense-time property for the formula $\phi$. Note that for any specification $\phi$ expressed in LTL, $[\![\phi]\!]_{\mathbb{R}}$ is closed under inverse digitization. To see this, consider two timed sequences $\eta$ and $\eta'$ with identical state components. Suppose $\eta \models \phi$, i.e., $\eta \in [\![\phi]\!]_{\mathbb{R}}$. The proof is by induction on the structure of $\phi$. At the induction step, we only consider the case $\phi = \phi_1 U \phi_2$. Now $\eta \models \phi_1 U \phi_2$ iff for some $i \ge 0$, $\alpha \in \mathbb{N}$, $\eta^i \models \phi_2$, where $T_i \ge T_0 + \alpha$, and $\eta^j \models \phi_1$ for all $0 \le j < i$. By the induction hypothesis, we have $\eta'^{\,i} \models \phi_2$ and $\eta'^{\,j} \models \phi_1$. Since $T'_i \ge T'_0$, there exists some $\alpha' \in \mathbb{N}$ such that $T'_i \ge T'_0 + \alpha'$. Therefore $\eta' \models \phi$ and hence $\eta' \in [\![\phi]\!]_{\mathbb{R}}$.
An Integral Verification Problem
We conclude this section with the following important observation. Given a TCTS or CCTS $S$, corresponding to a timeout-based or a calendar-based model, and a specification formula $\phi$ in LTL, we may check $S \models_{\mathbb{R}} \phi$ by verifying whether $S \models_{\mathbb{N}} \phi$. In the next section we further simplify this problem.
Clockless Modeling
A finite state model-checker like Spin [Hol93] uses finite state automata to model the behavior of concurrent processes in distributed systems. The combined execution of a system of asynchronous processes is described as a product of automata each of which models an individual process. The product automaton is finite if the number of processes, message channels, number of messages in a channel, and the range of values for various variables are finite in the automaton for each individual process.
Though timeout and calendar based models can efficiently capture dense time semantics without using a continuously varying clock, it is difficult to use these models for finite state model checking, even though we have seen that in most cases the verification problem reduces to an integral one thanks to digitization. The difficulty arises from the fact that the value of the global clock $t$ and the values of the timeout variables in $T$ diverge and thus are not bounded by a finite domain. Unlike TA, there is no provision for resetting the global clock or the timeouts in these models, as a result of which timeout and calendar based models cannot be directly used for finite state model checking.
We propose a finitary reduction technique, which is formalized in terms of clockless modeling and semantics in the next section. This technique effectively reduces timeout and calendar based transition systems with discrete dynamics to finite state systems, which, in turn, can be expressed and model checked by finite state model checkers. The assumption of discrete time as the underlying model is particularly relevant to the cases where digitization leaves us with an integral verification problem.
From the semantics of timeout based systems it is clear that, to implement the time progress transition, a special process is required to increase the global clock to the minimum of the timeouts when each of the timeout values is strictly greater than the current value of the clock. A process $P_i$ waits until its timeout equals the global clock, and when it does, $P_i$ takes the discrete transition and updates its own timeout according to the specified update rule. We model this special process, which is responsible for the time progress transition, in such a way that it does not explicitly use the clock variable and prevents the timeout variables from growing without bound. We call this process time progress.
The process time progress works as follows. When the global clock is less than all the timeouts, no discrete transition is possible in the system. In such a situation, time progress finds the minimum of all the timeouts in $T$ and scales down all the timeouts in $T$ by this amount. In this way at least one of the timeouts becomes zero. The guards of the processes are defined in such a way that a process waits until its timeout becomes zero. When that happens, the process updates its timeout and does its other necessary work.
If the update function always increments a timeout by a finite value, then the value of the timeout is guaranteed to always lie in a finite domain. But in some cases a timeout may take any value in the future. In those cases, the value of the timeout is taken as the largest possible value defined by the system. This approach can also be extended to calendar based models.
The discussion above is formalized in terms of "clockless" modeling as below:
Timeout based Models: Clockless Modeling
Clockless Syntax
In order to capture the effect of the finite state reduction in a timeout model, we restrict the set $U$ and redefine $update_i$ as follows:
$update_i^-$ is given by the following rule:
where $l - z \prec k_1 \prec' m - z'$ for $\prec, \prec' \in \{<, \le\}$ and $k_2 \succ l - z'$ for $\succ \in \{>, \ge\}$; $z, z' := w \mid 0$ and $l, m \in \mathbb{N}$ are non-negative integer constants. For any $z \in U$ let $\sigma_i^-(z)$ stand for the value of the variable $z$ in the (clockless) state $\sigma_i^-$. Note that $update_i^-$ differs from the update function $update_i$ of the clocked transition system in that it updates the timeouts within a bounded domain.
Clockless Semantics
For clockless modeling of timeout based models we associate a transition system S 
Time Progress Transition:
The edges $\nu_+$ are redefined such that all the timeouts are decremented by the minimum of the current timeout values. In particular,
Observe that $update_i^-$ is a slight modification of $update_i$. If update
Synchronous Communication: For a pair of processes $P_s$, $P_r$ having edges $(e_s, e_r)$:
Calendar based Models: Clockless Modeling
Clockless Syntax
Similar to the ToM, calendar based models can also be defined in a clockless manner. However, we restrict the set $U$ to
where $update_i^-$ is defined using the same rule as in the case of the clockless ToM.
Clockless Semantics
Similar to the clockless ToM, we can define a transition system for clockless calendar based models. Here we need to modify the Time Progress, Timeout Increment, Send, and Receive transitions as defined earlier for the CCTS. The Synchronous Communication transition is the same as the one for the timeout based model with clockless semantics.
Time Progress Transition:
The first kind of edges $\nu_+$ are redefined so that all the timeout and calendar delay entries are decremented by the minimum of all the timeouts and the message delays in the calendar.
In particular, 
If there is an edge in process $P_i$ which connects source location $l$
Receive Transition: If there is an edge in process $P_r$ which connects source location $l_j^r$ to target location $l_k^r$ and is labeled by the instruction $True \Rightarrow receive(m, i, r), \gamma, f$, then we have a corresponding edge $\nu_{receive}^r$ which deletes the cell containing $\{m, i, r, \lambda_r\}$ from the calendar array $C$:
LTL formulas for Clockless Models
A remark about the LTL formulas to be verified against clockless models is in order. These formulas will not involve the global timing variable $t$. The LTL formulas will be built using finitely many atomic propositions (constraints), which may be defined in terms of state variables for which the set of possible valuations needs to be finite.
Assuming that typical arithmetic constraints are defined in terms of variables in $U$ (as defined before for clockless timeout and calendar models), let us now define a point-wise or event based semantics for LTL formulas based on its classical semantics [CGP99]. A model for an LTL formula consists of a sequence of states of the form $\sigma_0, \sigma_1, \cdots$, such that each state $\sigma_i$ gives a boolean interpretation (true, false) to the propositions, and a non-negative integer valued interpretation to the timeout variables in $T$, the timing variables in $X$, and the state variables in $Var$, all of which are bounded above by some positive integer constant. In a state $\sigma_i$, let $\sigma_i(v)$ denote the value of $v \in U$. Considering as an example the arithmetic constraint $t_j - t_k \ge c$, where $t_j, t_k \in T \cup X$ and $c$ is an integer constant, the satisfaction relation $\models$ can be defined as
In terms of these LTL formulas, using the clockless ToM one can essentially verify all those qualitative properties of the associated real-time system which are otherwise prohibitively difficult to verify using the clocked ToM models and timed temporal logics. This is because clockless models preserve the qualitative behavior of the clocked models, and LTL can effectively specify these properties. As the valuations of the variables in the clockless models are bounded, the clockless models effectively give rise to finite state behaviors. Indeed, we can also estimate the approximate size of the clockless TCTS, which has a direct bearing on the time complexity of its LTL model checking. Assume a clockless ToM with $n$ parallel processes with $k$ local timing variables. Let the valuations of timeouts and timing variables be bounded above by $M = \max(\mathcal{M})$. Also let the sizes of the clockless TTDs of these processes be bounded by $D$. In terms of these, the size of the clockless TTS is bounded by $F = O(\max\{M^{n+k} D^n, |\Gamma^-|\})$, using asymptotic notation. This, in turn, implies that the complexity of model checking such a clockless TTS for an LTL formula $\phi$ is $O(F \cdot 2^{|\phi|})$ [VaW86].
Clockless Models (Bi-)Simulate Clock Models
In this section we show that clockless models (bi-)simulate clock models with respect to LTL formulas. Let us consider a ToM $P$ and its TCTS $S_P = (V, \Sigma, \Sigma_0, \Gamma)$ and also the clockless ToM $P^-$ and the corresponding timeout based clockless transition system $S$
; both of them model the same system. Given a computation $\xi: \sigma_0 \to \sigma_1 \to \cdots$ over $S_P$, let us generate a clockless computation as a sequence of states $\sigma$
• Timeout increment transition: if $(\sigma_{i-1}, \sigma_i) \in \Gamma_e$ (which is labeled by the instruction $\rho \Rightarrow \tau_i := update$
where $update_i^-$ is defined in $P^-$.
• Synchronous communication:
. forms a clockless computation over $S_P^-$. We can associate a mapping $Tr: \Sigma \times \Sigma \to \Sigma^-$ parameterized by an entry transition as follows. Fix two states,
We say that computations $\xi: \sigma_0 \sigma_1 \dots$ in $S_P$ and $\xi^-: \sigma$ , where $\gamma = (\sigma_0, \sigma_1)$. Let $\sigma \in \Sigma$ and $\sigma^- \in \Sigma^-$ be two states and let there be a computation in $S_P$ which starts in $\sigma$. Then it is easy to see that there exists a corresponding computation in $S_P^-$ beginning with $\sigma^-$ [CGP99]. We consider LTL formulas consisting of propositions and variables appearing in the clockless transition system $S_P^-$. Assume $\sigma \in \Sigma$ and $\sigma^- \in \Sigma^-$ are two states such that $Tr_\gamma(\sigma, \sigma') = \sigma^-$ for some $\sigma' \in \Sigma$ and some entry transition $\gamma$. Then for any LTL formula $\phi$, $\sigma^- \models \phi$ implies $\sigma \models \phi$ (using the semantics of LTL formulas as discussed in Section 6.3). This can be proved by induction on the structure of $\phi$. Finally, $S_P^- \models \phi$ implies $S_P \models \phi$. In this sense, we can say $S_P^-$ simulates $S_P$ [CGP99]. Thus it is enough to verify properties on the clockless transition system $S_P^-$ instead of on $S_P$. Similar results can be established for the calendar-based clocked transition system (CCTS) as well. In fact, a reverse mapping can be defined too. To see this, let us assume $\xi^- = \sigma_0^-, \sigma_1^- \dots$ to be a clockless computation over $S^-$. Now generate a sequence of states $\sigma_0, \sigma_1 \dots$ as follows.
• $\sigma_0(t) = \min\{\sigma$
Clearly, $\xi: \sigma_0 \to \sigma_1 \to \cdots$ is a computation over $S$. Associate a mapping $Tr: \Sigma^- \to \Sigma$ with this such that $Tr: \sigma$
• for every state $s_1 \in \Sigma$: $(s, s_1) \in \Gamma$ there exists $s$
. Hence $B$ is a bisimulation relation between $S$ and $S^-$. Finally, we can see that for this bisimulation relation $B$, for every initial state $s_0 \in \Sigma$ in $S$ there is an initial state $s$
. Hence $S$ and $S^-$ are bisimulation equivalent [CGP99]. Since bisimulation equivalent structures preserve LTL formulas [CGP99], we shall be dealing with clockless timeout based models for our verification purposes.
Experimental Evaluation
In this section we illustrate finite state verification of real-time systems through clockless modeling on the three real-time protocols introduced earlier: Fischer's Mutual Exclusion Protocol, TGC, and the TTA startup protocol. We perform finite state model checking of these protocols with the Spin and SAL-smc model checkers. For applying our technique we assume that the timeout increments of these protocols are more than one time unit. We carried out our experiments on a machine with a 2.26GHz Intel Core 2 Duo processor, 3 MB shared level 2 cache and 2GB 1066MHz DDR3 SDRAM, running Mac OS X Version 10.5.7. For experimentation with Spin, we use the XSpin graphical interface. To verify a property prop for a SAL specification model.sal we use the following SAL command:
sal-smc -v 3 model prop -enable-dynamic-reorder
Here enable-dynamic-reorder is a flag used with SAL-smc that enables dynamic reordering of BDD variables.
Fischer's Mutual Exclusion Protocol
A clockless model of Fischer's mutual exclusion protocol is depicted in Figure 4. We consider the following safety property for Fischer's protocol: "no more than one processor can be in the critical region at any time". This property is frequently referred to as the mutual exclusion property. It can be represented in LTL as:
(in critical ≤ 1)
To verify the safety property for Fischer's mutual exclusion protocol in Spin we used both exhaustive verification and the bitstate hashing technique available in Spin, in both cases keeping the option of partial order reduction turned on. With exhaustive verification, we could verify models containing only up to 4 nodes. Bitstate hashing enabled us to verify the same property for models with up to 6 nodes. Table 1 shows the computational resources and time required to prove the safety property for Fischer's mutual exclusion protocol using the bitstate hashing technique.
[Figure 4: clockless model of Fischer's mutual exclusion protocol; locations Sleeping, Trying, Waiting, Critical]
We perform clockless modeling of Fischer's protocol in the SAL language. Table 2 presents the number of states visited and the time required to prove the mutual exclusion property. We have been able to verify the mutual exclusion property for Fischer's protocol with 16 processors in around 3 hours (except the model for 14 nodes, which took around 6 hours). We tried to verify the protocol for 17 and 18 nodes, and in both cases the verification ran for more than 7 hours. We did not go for a higher number of nodes. Fischer's protocol has been verified under dense time for the same mutual exclusion property in [DuS04a]. A direct attempt to prove the property by k-induction with induction depth up to 15 fails even for 2 processors. However, using a sequence of lemmas it was possible to prove the property by induction at depth 1 for up to 13 processors for the same SAL specification (Table 3.1 of [DuS04a]). The property was also proved by induction with a sequence of lemmas for a different SAL specification for a maximum of 53 processors (Table 3.5 of [DuS04a]).
To compare the performance and scalability of our verification approach with UPPAAL, we verified the model of Fischer's mutual exclusion protocol that ships with the UPPAAL distribution. The UPPAAL model is based on the framework of timed automata. The mutual exclusion property could be verified successfully for up to 12 nodes. For 13 nodes, the verification process did not terminate even after 7 hours. In verification with UPPAAL, the TA is reduced to a zone automaton, which is a finite representation of an infinite state system. Although both our clockless verification scheme and UPPAAL's zone automata based verification rest on abstracting an infinite system to a finite one, this experimental result shows that our technique, using the SAL-smc model checker, is more scalable than UPPAAL.
where $t\_state$ denotes the different states of the Train, and equals $t_2$ when it comes into the crossing, and $g\_state$ denotes the different states of the Gate, and equals $g_2$ when the Gate is down. A timeliness property, in general, ensures that the time between two states is bounded by a particular value. We can find many timeliness properties in this example. We select an important one: "the time between the transmission of the approach signal by the Train and when the Gate is down should not be more than 20 time units". To verify this property we use two auxiliary flags, $flag_1$ and $flag_2$, in our model. When the first event occurs, $flag_1$ is set to true. When the second event happens, $flag_2$ is set to true and $flag_1$ is reset to false.
A global variable $time\_diff$, initially set to 0, captures the time between the instants when the two flags are set. During every discrete transition between the two discrete transitions of interest, the minimum timeout value is added to $time\_diff$. The timeliness property is then specified as follows: "the value of $time\_diff$ never goes above 20". This is expressed in LTL as $(time\_diff \le 20)$.
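As an added example, not from the paper or its SAL/Spin models, the following Python script runs a small clocked timeout based model and its clockless reduction in lockstep: it implements the time progress process described under Clockless Modeling, checks at every step that the mapping $Tr$ (clockless timeouts = clocked timeouts minus the clock) relates the two states as argued in the (bi-)simulation section, and carries the $time\_diff$ bookkeeping described above for the timeliness property. It assumes a constructed model with three processes that each own one integer timeout and no other state, with increments drawn from $\{L, \dots, M\}$, $L \ge 1$; the flag names and the choice of which process firings count as the two events of interest are this example's own.

```python
import random

# Constructed bounds (not from the paper): every timeout increment k is drawn
# from {L, ..., M}; L >= 1 keeps increments at or above one time unit.
L, M = 1, 3


class ClockedToM:
    """Timeout based model with an explicit global clock t (integral time)."""

    def __init__(self, timeouts):
        self.t = 0
        self.tau = list(timeouts)        # absolute timeout values, tau_i >= t

    def enabled(self):
        # process i may take its timeout transition iff tau_i == t
        return [i for i, x in enumerate(self.tau) if x == self.t]

    def time_progress(self):
        # allowed only when every timeout lies strictly in the future;
        # the clock jumps to the earliest timeout
        assert all(x > self.t for x in self.tau)
        self.t = min(self.tau)

    def fire(self, i, inc):
        assert self.tau[i] == self.t and L <= inc <= M
        self.tau[i] = self.t + inc       # update_i: tau_i := t + k


class ClocklessToM:
    """The same model after the finitary reduction: no clock, relative timeouts."""

    def __init__(self, timeouts):
        self.tau = list(timeouts)        # time remaining until each timeout

    def enabled(self):
        return [i for i, x in enumerate(self.tau) if x == 0]

    def time_progress(self):
        # the 'time progress' process: scale every timeout down by the minimum
        assert all(x > 0 for x in self.tau)
        d = min(self.tau)
        self.tau = [x - d for x in self.tau]
        return d                         # amount of time that elapsed

    def fire(self, i, inc):
        assert self.tau[i] == 0 and L <= inc <= M
        self.tau[i] = inc                # update_i^-: tau_i := k, within [L, M]


def tr(s):
    """Mapping Tr from a clocked state to its clockless counterpart."""
    return [x - s.t for x in s.tau]


def lockstep(initial, steps, seed=0):
    """Drive both systems with identical non-deterministic choices.

    Process 0 firing plays the role of the first event of interest (flag_1),
    process 1 firing the second (flag_2).  Returns the clockless trace, the
    final clock value and, for every flag_1 ... flag_2 window, the pair
    (time_diff accumulated clocklessly, elapsed time on the real clock).
    """
    rng = random.Random(seed)
    c, cl = ClockedToM(initial), ClocklessToM(initial)
    trace, windows = [], []
    flag1, time_diff, t_at_flag1 = False, 0, 0
    for _ in range(steps):
        # Tr relates the two states, and they enable the same processes
        assert tr(c) == cl.tau and c.enabled() == cl.enabled()
        en = c.enabled()
        if not en:
            c.time_progress()
            d = cl.time_progress()
            if flag1:
                time_diff += d           # add the minimum timeout value
        else:
            i, inc = rng.choice(en), rng.randint(L, M)
            c.fire(i, inc)
            cl.fire(i, inc)
            if i == 0 and not flag1:     # first event: set flag_1
                flag1, time_diff, t_at_flag1 = True, 0, c.t
            elif i == 1 and flag1:       # second event: set flag_2, reset flag_1
                windows.append((time_diff, c.t - t_at_flag1))
                flag1 = False
        trace.append(tuple(cl.tau))
    return trace, c.t, windows


if __name__ == "__main__":
    trace, t, windows = lockstep([0, 2, 3], 300, seed=1)
    print("distinct clockless states:", len(set(trace)), "final clock:", t)
    print("time_diff equals real elapsed time in every window:",
          all(a == b for a, b in windows))
```

The clocked model's clock keeps growing while the clockless trace stays inside $\{0, \dots, M\}^3$, and the clocklessly accumulated $time\_diff$ equals the clock difference between the two events in every window.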
In Table 3, we show the computational resources and time required to prove the safety and the timeliness properties for TGC with the Spin model checker. Both properties have been proved by exhaustive verification keeping the option of partial order reduction turned on.
We verify the safety and timeliness properties for TGC by SAL-smc, and the result is shown in Table 4 .
It may be noted that the dense time verification of the safety property for TGC took 46.15 seconds [DuS04a]. This was proved by k-induction at depth 14 using SAL-inf-bmc.
TTA Startup Algorithm
Figure 6 depicts the clockless model for the TTA startup algorithm as discussed in Section 4.2. We consider the following safety property: "whenever any two nodes are in their active state, the nodes agree on the slot time". For two nodes participating in the startup process, the corresponding LTL property is given below: th node. $state\_active$ characterizes the synchronized state of a node. The safety property ensures that when the nodes are in the active state they are indeed synchronized. But it does not address the question of whether all the nodes will eventually be synchronized. To ensure that this happens, we specify the following liveness property: "eventually all the nodes will be in the active state and continue to be so". This liveness property for two nodes can be specified in LTL as follows:
To verify the safety and the liveness properties for TTA startup in Spin, we use both exhaustive verification and bitstate hashing with partial order reduction enabled. With exhaustive verification, the safety property can be verified for TTA models containing up to 5 nodes, and the liveness property up to 4 nodes. Bitstate hashing enables us to verify both properties for models with up to 9 nodes. For 10 nodes, the verification does not terminate even in 4 hours. Table 5 shows the computational resources and time required to prove the safety and liveness properties for the TTA startup protocol using the bitstate hashing technique.
In Table 6 we give the number of states and the time required to prove the safety and liveness properties for the TTA startup protocol using SAL-smc. We have been able to verify both properties for up to 8 nodes in around 1 hour. Let us contrast our verification effort with the dense time modeling and verification of the same protocol reported in [DuS04a, DuS04b]. Using bounded model checking, the same safety property was proved for only 2 nodes by k-induction at depth 8, and that using 3 auxiliary lemmas (the proof failed for 3 nodes). However, the invariant could be strengthened by constructing an abstraction of the transition system using a verification diagram based approach [Rus00], after which the property was verified for up to 10 nodes.
Extension of Timeout and Calendar based Models
In this section we extend our model to incorporate other modeling concepts like inter-process scheduling, priorities and interrupts, and urgent and committed locations. These extensions will be illustrated using the ToM as the base model; however, they can easily be adapted for calendar based models as well. Also note that the digitization result presented in Section 5.3, and the finitary reduction and associated clockless modeling proposed in Section 6, are applicable to these extended models as well, because the additional components defined in these (extended) models are independent of the variables present in the base model and therefore do not affect the underlying semantics of the base model.
Modeling Inter-Process Scheduling
So far, we have considered models capturing true parallelism with non-determinism. However, in some cases the ability of a system to meet real-time constraints crucially depends on the number of processors that are available and also on the process scheduling algorithm. Thus, we need to distinguish between the models of multiprocessing and multiprogramming. We show how the ToM can be extended to include a fixed number of programs that are executed by time sharing on a single processor. Subsequently we use our framework to model priorities and interrupts for a general distributed multiprogramming system. These are motivated by the framework of multiprogramming systems introduced in [HMP92b]. A Multiprogramming Timeout based Model (MToM) $P$ has the form
where each process $P_{i1} \dots P_{il_i}$, $1 \le i \le m$, is a sequential non-deterministic process as we have seen before. By $P_\alpha ||| P_\beta$ we mean that processes $P_\alpha$ and $P_\beta$ share a single processor and are executed one transition at a time according to some scheduling policy. Thus there are $m$ groups of processes in the above MToM such that all the processes in a group share the same processor, e.g., the processes $P_{11} \dots P_{1l_1}$ would execute on the first processor. Processes in different groups running on different processors execute concurrently as in the case of the ToM defined in Section 3.1.1. The special case of synchronous communication needs care because both processes need to be simultaneously active: if processes $P_{ij}$ and $P_{i'j'}$ have a synchronous communication, these processes must be executing on different processors, that is, $i \ne i'$. For example, $[(P_{11}|||P_{12}|||P_{13}) \,||\, (P_{21}|||P_{22})]$ is the model of a system with five processes running on two processors. The first three processes share the first processor and the next two the second processor. A synchronous communication can take place between two processes only when they belong to different groups.
A timed transition system $S_P = (V, \Sigma, \Sigma_0, \Gamma)$ can be associated with an MToM as well. The key difference now is that $V$ contains additional processor control variables $\mu_1, \dots, \mu_m$, such that $\mu_i$ ranges over $\{1, \dots, l_i, \bot\}$, i.e., $V = U \cup \{\mu_1, \pi_{11}, \dots, \pi_{1l_1}\} \cup \{\mu_2, \pi_{21}, \dots, \pi_{2l_2}\} \cup \dots \cup \{\mu_m, \pi_{m1}, \dots, \pi_{ml_m}\}$. The processor control variables assume the value $\bot$ before the processor starts executing the processes in a group. Thereafter, the control of the process $P_{i\mu_i}$ resides at the location $\pi_{\mu_i}$ executing on the $i$-th processor. In other terms, only the process $P_{i\mu_i}$ is active on the $i$-th processor, while all other processes $P_{ij}$, $j \ne \mu_i$, are suspended. When the execution of the process $P_{i\mu_i}$ is suspended as per the scheduling policy, it can in future only resume at the last suspended location $\pi_{i\mu_i}$.
For simplicity, we next consider the case of a single processor, that is $m = 1$, and drop the subscript 1 in the notation, e.g., $\mu$ stands for $\mu_1$ and $\pi_j$ for $\pi_{1j}$. Let us now discuss some of the transitions that additionally occur in this framework. For example, $\Gamma$ contains a set of scheduling transitions, $\Gamma_{sch}$.
A scheduling policy determines the set of scheduling transitions. We consider only scheduling policies with a single entry transition, which is enabled on all states. The entry transition is assumed to be enabled on the initial states and activates non-deterministically one of the competing processes. A very popular and simple scheduling policy is greedy scheduling, according to which the process currently in control of the processor remains active until all its transitions are disabled, at which point an arbitrary (other) process with an enabled transition takes over. More flexible scheduling strategies can be implemented by incorporating an explicit scheduling instruction $resume(s)$, where $s \subset \{1, \ldots, n\}$ determines a subset of processes. The scheduling operation $resume(s)$ suspends the currently active process $P_i$ and activates, non-deterministically, one of the processes $P_j$ with $j \in s$. A scheduling edge in the process $P_i$ is represented as:
where $[l, m]$, $l < m$, specifies an (optional) delay: the scheduling operation may take between $l$ and $m$ time units. Such an edge introduces an additional transition in $\Gamma$, grouped in $\Gamma_{sch}$ as follows:
where $\delta$ is a randomly selected constant such that $l \le \delta \le m$. Further, a $suspend(i, j)$ operation, which suspends a process $P_i$ and activates process $P_j$, can also be defined as $resume(\{1 \le j \le m \mid i \neq j\})$; that is, the instruction $suspend(i, j)$ delegates control from the currently active process $P_i$ to the process $P_j$. In practice, processes $P_i$ and $P_j$ could have some operational relationship with each other, e.g., $P_i$ is the parent process, which spawns $P_j$ as its child process, goes into a waiting state and activates $P_j$. On termination, $P_j$ may hand control back to $P_i$ using the operation $resume(\{i\})$.
Modeling Priorities and Interrupts
We next discuss how interrupts can be handled by introducing static priorities with global preemption semantics. Priorities are represented by non-negative integers assigned to every transition, with a lower value interpreted as a higher priority. During execution, a transition with the highest priority at any time point is selected, and the current process is suspended if the ready process holding the highest-priority transition is not the current process. A Multiprogramming Timeout based Model (MToM) $P$ with priority is one in which a priority is associated with every transition in the timed transition system for $P$. Using priorities it is possible to design a simple, static scheduling strategy without explicitly constructing a scheduler.
As an example, in a ToM, an extended timeout edge $e : (l$ where an additional parameter $p_e \in \mathbb{N}$ is the priority associated with the transition $e$. All other edges, e.g., synchronous and asynchronous communication, are extended similarly. Accordingly, we extend the semantics as well. For the prioritized timeout edges, a transition with the highest priority is allowed by adding it to $\Gamma_0$ in the following way.
Prioritized Timeout Increment Transition: Collect all extended timeout edges $e$ whose transitions are enabled in the current state $\sigma$, that is, $\rho_e$ holds in $\sigma$. Let $En_\sigma$ be the set of these enabled edges. Now select those timeout edges $e_h \in En_\sigma$ that have the highest priority, i.e., $\forall e \in En_\sigma .\, p_h \le p_e$. Add the transition $\nu_h \equiv (\sigma, \sigma')$ to $\Gamma_0$ such that:

1. $\rho_h$ holds in $\sigma$
2. $\sigma'(t) = \sigma(t)$
3. If $\sigma(\tau_i) = \sigma(t)$ then $\sigma'(\tau_i) = update_i > \sigma(\tau_i)$, else $\sigma'(\tau_i) = \sigma(\tau_i)$
4. $\forall y \in \gamma : \sigma'(y) = \sigma(t)$ and $\forall x \in X \setminus \gamma : \sigma'(x) = \sigma(x)$
5. $\forall v \in G \cup L_i : \sigma'(v) = f(\sigma(v))$ and $\forall v \in Var \setminus (G \cup L_i) : \sigma'(v) = \sigma(v)$
6. $\sigma(\pi_i) = l$

All remaining transitions can be extended similarly. Under such extended syntax and semantics, an interrupt can be modeled as an edge having a higher priority than all other enabled transitions: $e_{int} : (l_{ij}, True \Rightarrow \tau_i := update_i, f, p_{int}, l_{ik})$, where $update_i$ specifies the delay in interrupt processing and $f$ specifies the steps in interrupt processing. Note that $p_{int}$ is such that $\forall \sigma \in \Sigma .\, \forall e \in En_\sigma .\, p_{int} \le p_e$.
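To make the selection rule concrete, the following Python block (an added example, not code from the paper) implements the prioritized timeout increment transition over a dictionary-valued state: it computes $En_\sigma$, keeps only the edges of minimal priority value, and applies steps 2 to 6 to produce $\sigma'$. It assumes $update_i$ is given as a positive delay added to the current time (which keeps $\sigma'(\tau_i) > \sigma(\tau_i)$), reads step 6 as moving $\pi_i$ to the edge's target location, and uses a constructed two-process example in which `P_2` owns an interrupt edge `isr` with $p_{int} = 0$; the edge names, locations and variables `count` and `irq` are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# State keys: "t" (current time), "tau_i" (timeout of P_i), "pi_i" (location of P_i),
# plus the variables in G ∪ L_i and any calendar clocks.
State = Dict[str, object]


@dataclass(frozen=True)
class PrioEdge:
    name: str
    proc: int                           # the process P_i that owns the edge
    src: str
    dst: str
    guard: Callable[[State], bool]      # rho_e
    update: int                         # update_i, taken as a positive delay: tau_i := t + update
    f: Callable[[State], State]         # data update on G ∪ L_i, returns an updated copy
    priority: int                       # p_e: lower value means higher priority
    reset: Tuple[str, ...] = ()         # clocks in gamma that record the current time


def enabled_edges(edges: List[PrioEdge], s: State) -> List[PrioEdge]:
    """En_sigma: edges leaving the current location of their process whose guard holds."""
    return [e for e in edges if s[f"pi_{e.proc}"] == e.src and e.guard(s)]


def highest_priority(en: List[PrioEdge]) -> List[PrioEdge]:
    """The edges e_h with p_h <= p_e for every e in En_sigma; ties remain nondeterministic."""
    if not en:
        return []
    p_min = min(e.priority for e in en)
    return [e for e in en if e.priority == p_min]


def fire(e: PrioEdge, s: State) -> State:
    """Apply steps 2 to 6 of the prioritized timeout increment transition to sigma."""
    t = e.f(s)                          # step 5: f updates the variables in G ∪ L_i
    t["t"] = s["t"]                     # step 2: time itself does not advance
    tau = f"tau_{e.proc}"
    if s[tau] == s["t"]:                # step 3: an expired timeout is pushed strictly ahead
        t[tau] = s["t"] + e.update
    for y in e.reset:                   # step 4: clocks in gamma record the current time
        t[y] = s["t"]
    t[f"pi_{e.proc}"] = e.dst           # step 6: control of P_i moves to the target location
    return t


def prioritized_successors(edges: List[PrioEdge], s: State) -> List[Tuple[str, State]]:
    """Only the highest-priority enabled edges give rise to transitions in Gamma_0."""
    return [(e.name, fire(e, s)) for e in highest_priority(enabled_edges(edges, s))]


def interrupt_dominates(p_int: int, edges: List[PrioEdge]) -> bool:
    """Side condition on an interrupt edge: p_int <= p_e for every edge of the model."""
    return all(p_int <= e.priority for e in edges)


# Constructed example (not from the paper): P_1 counts on its timeout with priority 2;
# P_2 owns an interrupt edge with p_int = 0 that is enabled once the global irq flag is set.
EDGES: List[PrioEdge] = [
    PrioEdge("step", 1, "run", "run", lambda s: True, 3,
             lambda s: {**s, "count": s["count"] + 1}, priority=2),
    PrioEdge("isr", 2, "idle", "handle", lambda s: s["irq"] == 1, 1,
             lambda s: {**s, "irq": 0}, priority=0),
]


def initial_state(irq: int) -> State:
    """Both timeouts have just expired at time 5; irq selects whether the interrupt is pending."""
    return {"t": 5, "tau_1": 5, "tau_2": 5, "pi_1": "run", "pi_2": "idle",
            "count": 0, "irq": irq}


def chosen(irq: int) -> List[str]:
    """Names of the edges the prioritized semantics allows from the initial state."""
    return [name for name, _ in prioritized_successors(EDGES, initial_state(irq))]


def after_step() -> State:
    """State reached by firing 'step' when tau_1 has just expired (no interrupt pending)."""
    return fire(EDGES[0], initial_state(irq=0))


if __name__ == "__main__":
    print("irq=0 ->", chosen(0), "| irq=1 ->", chosen(1))
    print("interrupt priority dominates:", interrupt_dominates(0, EDGES))
```

With `irq` clear, only `step` is enabled and it fires, pushing `tau_1` from 5 to 8; with `irq` set, `step` is still enabled but is dropped by `highest_priority`, so the interrupt edge preempts `P_1` exactly as the global preemption semantics prescribes.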
Modeling Urgent Location and Committed Location
In UPPAAL there are three different types of locations: normal locations, urgent locations and committed locations [BDL04]. In a normal location time can progress, but in urgent and committed locations time is not allowed to proceed. Moreover, there is a subtle difference between urgent and committed locations. Urgent locations can be interleaved with normal locations, but a committed location has to be followed by its immediate successor. The requirement of considering a location to be urgent or committed arises out of the nature of the application being modeled in UPPAAL. For example, committed locations are used to model atomic behaviors in multi-way synchronizations and atomic broadcasting in real-time systems [BGK02].
In timeout and calendar based models, we model an urgent or a committed location in the following way. For all incoming edges to the urgent or committed location in process $P_i$, $update_i$ is set to the current time $t$; in the case of clockless modeling, $update_i$ is set to 0.
If a process in a system has a committed location, we introduce a boolean variable $committed\_flag$ in the set of global variables $G$. For all incoming edges to a committed location, $committed\_flag$ is set to 1 (as part of $f$), and incoming edges to a non-committed location are not allowed to set the flag to 1. The guard $\rho$ of a transition following a committed location is always $True$, and $committed\_flag$ is reset during this transition. For all transitions except those following committed locations, the existing guard $\rho$ is replaced by $\rho \wedge (committed\_flag \neq 1)$. This prevents any other process from taking a discrete transition while a process is in a committed location.
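The guard and flag rewriting just described is mechanical, so it can be applied to a process description automatically. The following Python block is an added example, not code from the paper: `commit_transform` performs the rewrite for a given set of committed locations, and a breadth-first exploration then shows that, after the transform, no other process moves while `P_1` sits in its committed location, whereas the untransformed model admits that interleaving. Time is abstracted away (the clockless case, where the urgency part of the encoding needs no extra variable), and the process names, locations and edge names are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set, Tuple

# State keys: "pi_i" (location of P_i), "committed_flag", and any other globals in G.
State = Dict[str, object]


@dataclass(frozen=True)
class Edge:
    name: str
    proc: int
    src: str
    dst: str
    guard: Callable[[State], bool]      # rho
    action: Callable[[State], State]    # f, returns an updated copy of the state


def commit_transform(edges: List[Edge], committed: Set[str]) -> List[Edge]:
    """Rewrite guards and actions so that a committed location is left atomically."""
    out: List[Edge] = []
    for e in edges:
        if e.src in committed:
            # The transition following a committed location is always enabled.
            guard = lambda s: True
        else:
            # Every other transition additionally requires that nobody is committed.
            guard = lambda s, g=e.guard: g(s) and s["committed_flag"] != 1
        if e.dst in committed:
            flag = 1      # incoming edge to a committed location raises the flag
        elif e.src in committed:
            flag = 0      # the edge following a committed location resets it
        else:
            flag = None   # ordinary edges are not allowed to set the flag

        def action(s: State, a=e.action, flag=flag) -> State:
            t = a(s)
            if flag is not None:
                t["committed_flag"] = flag
            return t

        out.append(replace(e, guard=guard, action=action))
    return out


def enabled(edges: List[Edge], s: State) -> List[Edge]:
    """Edges leaving the current location of their process whose guard holds in s."""
    return [e for e in edges if s[f"pi_{e.proc}"] == e.src and e.guard(s)]


def reachable_transitions(edges: List[Edge], init: State) -> Set[Tuple[frozenset, str]]:
    """All (state, edge name) pairs taken during a breadth-first exploration from init."""
    seen = {frozenset(init.items())}
    frontier = [init]
    taken: Set[Tuple[frozenset, str]] = set()
    while frontier:
        nxt = []
        for s in frontier:
            for e in enabled(edges, s):
                taken.add((frozenset(s.items()), e.name))
                t = e.action(s)
                t[f"pi_{e.proc}"] = e.dst
                key = frozenset(t.items())
                if key not in seen:
                    seen.add(key)
                    nxt.append(t)
        frontier = nxt
    return taken


# Constructed example (not from the paper): P_1 passes through location "b", which we
# declare committed; P_2 has an independent step that could otherwise interleave.
RAW: List[Edge] = [
    Edge("a->b", 1, "a", "b", lambda s: True, lambda s: dict(s)),
    Edge("b->c", 1, "b", "c", lambda s: True, lambda s: dict(s)),
    Edge("x->y", 2, "x", "y", lambda s: True, lambda s: dict(s)),
]
INIT: State = {"pi_1": "a", "pi_2": "x", "committed_flag": 0}


def moves_while_committed(edges: List[Edge]) -> Set[str]:
    """Names of edges taken from any reachable state in which P_1 sits at location 'b'."""
    return {name for s, name in reachable_transitions(edges, INIT) if dict(s)["pi_1"] == "b"}


if __name__ == "__main__":
    print("without transform:", sorted(moves_while_committed(RAW)))
    print("with transform:   ", sorted(moves_while_committed(commit_transform(RAW, {"b"}))))
```

Because the flag lives in $G$, the rewritten guards refer only to variables already in the clockless model, so the transformed process set is still a plain finite state model that SAL or Spin can explore; the exploration above is a miniature of that check.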
Conclusion and Further Work
In this work we have considered the well-known problem of real-time verification with dense time dynamics using timeout and calendar based models and proposed a technique to simplify it to a finite state verification problem. Towards this, we defined a specification formalism for these models as timeout transition diagrams with associated transition system semantics. Next, we proposed a two-step reduction technique for rendering these models amenable to finite state verification under discrete dynamics. Our experimental results bring out the advantages gained by this technique over infinite state modeling and verification. Experiments on Fischer's protocol and the TTA startup protocol highlight that the verification technique scales reasonably well. Further, liveness properties can be verified in this framework, which is beyond the capability of infinite state verification. Though in [DuS04a] it has been reported that verification of Fischer's protocol can be scaled up to 53 nodes, that verification process involved finding auxiliary lemmas manually, which is a non-trivial process. Our finite state verification, on the other hand, although it could not be scaled to this extent, is simple and straightforward: the verification effort involves only modeling the protocols faithfully. SAL offers a number of tools for finite state verification, for example SAL-sim, SAL-path-finder and SAL-deadlock-checker, which help considerably in the verification process. Such tool support is not yet available for infinite state verification. Moreover, one can use any finite state verification engine of choice with our framework.
We limited our attention to the qualitative temporal properties that correspond exclusively to LTL formulas. However, the proposed reduction technique is amenable to any specification logic which is closed under inverse digitization, including the branching time temporal logics CTL and CTL*. The effectiveness of the proposed finitary reduction technique can be further scaled up by integrating it with additional abstraction techniques to verify parametric systems with an arbitrary but finite number of identical processes. Saïdi and Lesens [LeS97] presented an algorithm for automatically constructing abstractions for such systems to verify safety properties. The $(0, 1, \infty)$ counter abstraction method proposed in [PXZ02] deals with the verification of liveness properties by abstracting a parameterized system of unbounded size into a finite-state system. The proposed formalism can be further optimized by treating timeouts as variables shared among processes, so that timeout update rules could specify new timeout values based upon those of other processes in the system. This optimization would increase the level of synchronization between component processes and would hopefully scale up the models.
In the larger perspective, it can be said that for most timeout and calendar based models (i.e., those in which timeout updates are not restricted to the $(0, 1)$-interval) verification of LTL properties under dense time dynamics reduces to finite state modeling and verification of the same properties. In industrial designs this could offer a significant advantage, as it is easier for practitioners to use finite state model checkers to model and verify timed systems.
Decidability and complexity theoretic aspects of reachability analysis on these models are an important research direction for further investigation. A comparison of the expressiveness of ToM (or calendar based ToM) with other known formal models of real-time systems, including Timed Automata [Alu99], Timed Petri Nets [Jia98], and Timed Process Algebras [BeJ91], would shed light on the comparative strength of these models for practical purposes. For example, such comparisons could reveal other properties desirable of a modeling framework, including compositionality and robustness against clock drifts, and may demonstrate the difficulty of expressing timeout models in these formalisms as compared to ToM.
