BRICS Report Series RS-96-59
ISSN 0909-0878 December 1996
Copyright c© 1996, BRICS, Department of Computer Science
University of Aarhus. All rights reserved.
Reproduction of all or part of this work
is permitted for educational or research use
on condition that this copyright notice is
included in any copy.
See back inner page for a list of recent publications in the BRICS
Report Series. Copies may be obtained by contacting:
BRICS
Department of Computer Science
University of Aarhus
Ny Munkegade, building 540
DK - 8000 Aarhus C
Denmark
Telephone: +45 8942 3360
Telefax: +45 8942 3255
Internet: BRICS@brics.dk
BRICS publications are in general accessible through World Wide
Web and anonymous FTP:
http://www.brics.dk/
ftp://ftp.brics.dk/
This document in subdirectory RS/96/59/
Compositional and Symbolic
Model-Checking of Real-Time Systems∗
Kim G. Larsen† Paul Pettersson‡ Wang Yi‡
Uppsala University
Abstract
Efficient automatic model-checking algorithms for
real-time systems have been obtained in recent years
based on the state-region graph technique of Alur,
Courcoubetis and Dill. However, these algorithms are
faced with two potential types of explosion arising from
parallel composition: explosion in the space of control
nodes, and explosion in the region space over clock-
variables.
In this paper we attack these explosion problems by
developing and combining compositional and symbolic
model-checking techniques. The presented techniques
provide the foundation for a new automatic verifica-
tion tool Uppaal. Experimental results indicate that
Uppaal performs time- and space-wise favorably com-
pared with other real-time verification tools.
1 Introduction
Within the last decade model-checking has turned
out to be a useful technique for verifying temporal prop-
erties of finite-state systems. Efficient model-checking
algorithms for finite-state systems have been obtained
with respect to a number of logics. However, the major
problem in applying model-checking even to moderate-
size systems is the potential combinatorial explosion
of the state space arising from parallel composition.
In order to avoid this problem, algorithms have been sought that avoid exhaustive state space exploration, either by symbolic representation of the state space using Binary Decision Diagrams [1], by application of partial order methods [2, 3] which suppress unnecessary interleavings of transitions, or by application of abstractions and symmetries [4, 5, 6].
∗The work has been supported by the European Communities under CONCUR2, BRA 7166, NUTEK (Swedish Board for Technical Development) and TFR (the Swedish Technical Research Council).
†On leave from BRICS and the Department of Mathematics and Computer Science, Aalborg University, Fredrik Bajers Vej 7–E, DK–9220 Aalborg, Denmark. E-mail: kgl@iesd.auc.dk.
‡Department of Computer Systems, Box 325, Uppsala University, S751 05, Uppsala, Sweden. E-mail: {paupet,yi}@docs.uu.se.
In the last few years, model-checking has been ex-
tended to real-time systems, with time considered to
be a dense linear order. A timed extension of fi-
nite automata through addition of a finite set of real-
valued clock-variables has been put forward [7] (so
called timed automata), and the corresponding model-
checking problem has been proven decidable for a num-
ber of timed logics including timed extensions of CTL
(TCTL) [8] and timed µ-calculus (Tµ) [9]. A state of
a timed automaton is of the form (l, u), where l is a
control-node and u is a clock-assignment holding the
current values of the clock-variables. The crucial ob-
servation made by Alur, Courcoubetis and Dill and the
foundation for decidability of model-checking is that
the (infinite) set of clock-assignments may effectively
be partitioned into finitely many regions in such a way
that clock-assignments within the same region induce
states satisfying the same logical properties.
Model-checking of real-time systems based on the re-
gion technique suffers two potential types of explosion
arising from parallel composition: Explosion in the re-
gion space, and Explosion in the space of control-nodes.
We attack these problems by development and combi-
nation of two new verification techniques:
1. A symbolic technique reducing the verification
problem to that of solving simple constraint sys-
tems (on clock-variables), and
2. A compositional quotient construction, which al-
lows components of a real-time system to be grad-
ually moved from the system description into the
specification. The intermediate specifications are
kept small using minimization heuristics.
The property-independent nature of regions leads to
an extremely fine (and large) partitioning of the set of
clock-assignments. Our symbolic technique allows the
partitioning to take account of the particular property
to be verified and will thus in practice be considerably
coarser (and smaller).
For the explosion on control-nodes, recent work by
Andersen [10] on (untimed) finite-state systems gives
experimental evidence that the quotient technique im-
proves results obtained using Binary Decision Diagrams
[1]. Our aim in this paper is to make this new success-
ful compositional model-checking technique applicable
to real-time systems. For example, consider the following typical model-checking problem
(A1 | ... | An) |= ϕ
where the Ai’s are timed automata. We want to ver-
ify that the parallel composition of these satisfies the
formula ϕ without having to construct the complete
control-node space of (A1 | . . . |An). We will avoid this
complete construction by removing the components Ai
one by one while simultaneously transforming the formula accordingly. Thus, when removing the component An we will transform the formula ϕ into the quotient formula ϕ/An such that
(A1 | ... | An) |= ϕ iff (A1 | ... | An−1) |= ϕ/An (1)
Now clearly, if the quotient is not much larger than the original formula we have succeeded in simplifying the problem. Repeated application of quotienting yields
(A1 | ... | An) |= ϕ iff 1 |= ϕ/An/An−1/.../A1 (2)
where 1 is the unit with respect to parallel composition.
However, these ideas alone are clearly not enough as the
explosion may now occur in the size of the final formula
instead. The crucial and experimentally “verified” ob-
servation by Andersen was that each quotienting should
be followed by a minimization of the formula based on a
small collection of efficiently implementable strategies.
In our setting, Andersen’s collection is extended to in-
clude strategies for propagating and simplifying timing
constraints.
Our new symbolic and compositional verification
technique is developed for a real-time logic designed
specifically for expressing safety and bounded liveness
properties. Comparatively less expressive than TCTL and Tµ, the logic is still sufficiently expressive for practical purposes, and it allows a number of operators of other logics to be derived. Most importantly, the somewhat restrictive expressive power of our logic allows for efficient model-checking, as demonstrated by our experimental results, which include a comparison with other existing automatic verification tools for real-time systems (HyTech, Kronos and Epsilon).
For the logics TCTL and Tµ, [9] offers a sym-
bolic verification technique. However, due to the high
expressive power of these logics the partitioning em-
ployed in [9] is significantly finer (and larger) and
implementation-wise more complicated than the sym-
bolic technique we present in this paper. Our symbolic
method is based on the constraint solving technique
presented in [11], where the technique was developed
for simple reachability problems.
An initial effort in applying the compositional quo-
tienting technique to real-time systems has been given
in [12]. This work also contains experimental evidence
of the potential benefits of the quotient technique in a
real-time setting. However, being based directly on the
(very fine) notion of regions, [12] suffers from a poten-
tial explosion in the region-space.
The outline of this paper is as follows: In the next
section we give a short presentation of the notions of
timed automata and networks; in section 3, the safety
logic is presented and its expressive power is illustrated.
Section 4 describes the symbolic verification technique
based on constraint solving and section 5 describes the
compositional quotienting technique. Both techniques
are illustrated by an example. In section 6, we report on
our experimental results, which indicate that Uppaal
performs time- and space-wise favorably compared with
other real-time verification tools.
2 Real-Time Systems
We shall use timed transition systems as a basic se-
mantic model for real-time systems. The type of sys-
tems we are studying will be a particular class of timed
transition systems that are syntactically described by
networks of timed automata [11, 12].
2.1 Timed Transition Systems
A timed transition system is a labelled transition
system with two types of labels: atomic actions and
delay actions (i.e. positive reals), representing discrete
and continuous changes of real-time systems.
Let Act be a finite set of actions ranged over by a, b
etc, and P be a set of atomic propositions ranged over
by p, q etc. We use R to stand for the set of non-
negative real numbers, ∆ for the set of delay actions
{ε(d) | d ∈ R}, and L for the union Act ∪∆.
Definition 1 A timed transition system over Act and P is a tuple S = ⟨S, s0, −→, V⟩, where S is a set of states, s0 is the initial state, −→ ⊆ S × L × S is a transition relation, and V : S → 2^P is a proposition assignment function. □
Note that the above definition is standard for labelled
transition systems except that we introduced a proposi-
tion assignment function V , which for each state s ∈ S
assigns a set of atomic propositions V (s) that hold in
s.
In order to study compositionality problems we introduce a parallel composition between timed transition systems. Following [13] we suggest a composition parameterized with a synchronization function generalizing a large range of existing notions of parallel composition. A synchronization function f is a partial function (Act ∪ {0}) × (Act ∪ {0}) ↪→ Act, where 0 denotes a distinguished no-action symbol¹. Now, let Si = ⟨Si, si,0, −→i, Vi⟩, i = 1, 2, be two timed transition systems and let f be a synchronization function. Then the parallel composition S1 |f S2 is the timed transition system ⟨S, s0, −→, V⟩, where s1 |f s2 ∈ S whenever s1 ∈ S1 and s2 ∈ S2, s0 = s1,0 |f s2,0, and −→ is inductively defined as follows:
• s1 |f s2 −c→ s′1 |f s′2 if s1 −a→1 s′1, s2 −b→2 s′2 and f(a, b) = c
• s1 |f s2 −ε(d)→ s′1 |f s′2 if s1 −ε(d)→1 s′1 and s2 −ε(d)→2 s′2
and finally, the proposition assignment function V is defined by V(s1 |f s2) = V1(s1) ∪ V2(s2).
Note also that the set of states and the transition
relation of a timed transition system may be infinite.
We shall use networks of timed automata as a finite
syntactical representation to describe timed transition
systems.
2.2 Networks of Timed Automata
A timed automaton [7] is a standard finite-state automaton extended with a finite collection of real-valued clocks². Conceptually, the clocks may be considered as the system clocks of a concurrent system. They are assumed to proceed at the same rate and measure the amount of time that has elapsed since they were reset. The clock values may be tested (compared with natural numbers) and reset (assigned to 0).
Definition 2 (Clock Constraints) Let C be a set of real-valued clocks ranged over by x, y etc. We use B(C) to stand for the set of formulas ranged over by g, generated by the following syntax: g ::= c | g ∧ g, where c is an atomic constraint of the form x ∼ n or x − y ∼ n for x, y ∈ C, ∼ ∈ {≤, ≥, =, <, >} and n a natural number. We shall call B(C) clock constraints or clock constraint systems over C. □
We shall use tt to stand for a constraint like x ≥ 0 which is always true, and ff for a constraint like x < 0 which is always false, as clocks can only have non-negative values.
¹We extend the transition relation of a timed transition system such that s −0→ s′ iff s = s′.
²Timed transition systems may alternatively be described using timed process calculi.
Definition 3 A timed automaton A over actions Act, atomic propositions P and clocks C is a tuple ⟨N, l0, E, I, V⟩. N is a finite set of nodes (control-nodes), l0 is the initial node, and E ⊆ N × B(C) × Act × 2^C × N corresponds to the set of edges. In case ⟨l, g, a, r, l′⟩ ∈ E we shall write l −g,a,r→ l′, which represents an edge from the node l to the node l′ with clock constraint g (also called the enabling condition of the edge), action a to be performed and the set of clocks r to be reset. I : N → B(C) is a function which for each node assigns a clock constraint (also called the invariant condition of the node), and finally, V : N → 2^P is a proposition assignment function which for each node gives the set of atomic propositions true in the node. □
Note that for each node l, there is an invariant con-
dition I(l) which is a clock constraint. Intuitively, this
constraint must be satisfied by the system clocks when-
ever the system is operating in that particular control-
node.
Informally, the system starts at node l0 with all its clocks initialized to 0. The values of the clocks increase synchronously with time at node l as long as they satisfy the invariant condition I(l). At any time, the automaton can change node by following an edge l −g,a,r→ l′ provided the current values of the clocks satisfy the enabling condition g. With this transition the clocks in r are reset to 0.
Example 1 Consider the automata Am, Bn and Cm,n
in Figure 1 where m,n,m′, n′ are natural numbers. We
use m,n,m′, n′ as parameters. The automaton Cm,n
has four nodes, l0, l1, l2 and l3, two clocks x and y,
and three edges. The edge between l1 and l2 has b as
action, {x, y} as reset set and the enabling condition
for the edge is x ≥ m. The invariant conditions for
nodes l1 and l2 are x ≤ m′ and y ≤ n′ respectively. 2
[Figure 1: Three timed automata Am, Bn and Cm,n]
Now we introduce the notion of a clock assignment. Formally, a clock assignment u for C is a function from C to R. We denote by R^C the set of clock assignments for C. For u ∈ R^C and d ∈ R, u + d denotes the clock assignment which maps each clock x in C to the value u(x) + d. For C′ ⊆ C, [C′ ↦ 0]u denotes the assignment for C which maps each clock in C′ to the value 0 and agrees with u over C \ C′. Whenever u ∈ R^C, v ∈ R^K and C and K are disjoint, we use uv to denote the clock assignment over C ∪ K such that (uv)(x) = u(x) if x ∈ C and (uv)(x) = v(x) if x ∈ K. Given a clock constraint g ∈ B(C) and a clock assignment u ∈ R^C, g(u) is a boolean value describing whether g is satisfied by u or not. When g(u) is true, we shall say that u is a solution of g.
A state of an automaton A is a pair (l, u) where l is a node of A and u a clock assignment for C. The initial state of A is (l0, u0) where u0 is the initial clock assignment mapping all clocks in C to 0.
The semantics of A is given by the timed transition system SA = ⟨S, σ0, −→, V⟩, where S is the set of states of A, σ0 is the initial state (l0, u0), and −→ is the transition relation defined as follows:
• (l, u) −a→ (l′, u′) if there exist r, g such that l −g,a,r→ l′, g(u) and u′ = [r ↦ 0]u
• (l, u) −ε(d)→ (l, u′) if u′ = u + d and u′ satisfies the invariant I(l)
and V is extended to S simply by V(l, u) = V(l).
Example 2 Reconsider the automaton Cm,n of Figure 1. Assume that d ≥ 0, m ≤ e ≤ m′ and n ≤ f ≤ n′. We have the following typical transition sequence (clock assignments written as pairs (x, y)):
(l0, (0, 0)) −ε(d)→ (l0, (d, d)) −a→ (l1, (0, d)) −ε(e)→ (l1, (e, d + e)) −b→ (l2, (0, 0)) −ε(f)→ (l2, (f, f)) −c→ (l3, (f, 0))
Note that we need to assume that m ≤ e ≤ m′ and n ≤ f ≤ n′ because of the enabling conditions of the edges and the invariant conditions on l1 and l2. □
Parallel composition may now be extended to timed automata in the obvious way: for two timed automata A and B and a synchronization function f, the parallel composition A |f B denotes the timed transition system SA |f SB. Note that the timed transition system SA |f SB can also be represented finitely as a timed automaton. In fact, one may effectively construct the product automaton A ⊗f B such that its timed transition system S(A ⊗f B) is bisimilar to SA |f SB. The nodes of A ⊗f B are simply the product of A's and B's nodes, the invariant conditions on the nodes of A ⊗f B are the conjunctions of the conditions on the respective A and B nodes, the set of clocks is the (disjoint) union of A's and B's clocks, and the edges are based on synchronizable A and B edges with enabling conditions conjoined and reset sets unioned.
Example 3 Let f be the synchronization function defined by f(a, 0) = a, f(b, b) = b and f(0, c) = c. Then the automaton Cm,n in Figure 1 is isomorphic to the part of Am ⊗f Bn which is reachable from (h0, k0). □
3 A Logic for Safety and Bounded Liveness Properties
It has been pointed out [14, 11] that the practical goal of verification of real-time systems is to verify simple safety properties such as deadlock-freeness and mutual exclusion. Our previous work [11] shows that such properties can be verified on-the-fly by simple reachability analysis which avoids construction of the whole reachable state-space of systems.
3.1 Syntax and Semantics
We shall present a timed modal logic to specify safety
properties. In fact, the logic can also be used to specify
bounded liveness properties such as “whenever p be-
comes true, q will be true within a given time bound”.
The logic may be seen as a fragment of the timed µ-
calculus presented in [9], and also studied in [15].
Definition 4 Let K be a finite set of clocks. We shall call K formula clocks. Let Id be a set of identifiers. The set Ls of formulas over K, Id, Act, and P is generated by the abstract syntax with ϕ and ψ ranging over Ls:
ϕ ::= cp | cp ∨ ϕ | ϕ ∧ ψ | ∀ϕ | [a]ϕ | z in ϕ | Z
where cp may be an atomic clock constraint c of the form x ∼ n or x − y ∼ n for x, y ∈ K and natural number n, or an atomic proposition p ∈ P; a ∈ Act is an action, z ∈ K a formula clock and Z ∈ Id an identifier. □
As before, we shall use tt to stand for a formula like
x ≥ 0 which is always true, and ff for a formula x < 0
which is always false for a formula clock x ∈ K.
Note that the logic is essentially the fragment of the
timed modal logic presented in [15] by eliminating ex-
istential quantification over delay transitions, general
disjunction over formulas, and existential quantification
over a-transitions.
We do allow a simple form of disjunction, in that a
clock constraint or an atomic proposition may be dis-
juncted with an arbitrary formula. We disallow gen-
eral disjunction in the logic to achieve efficient compo-
sitional and symbolic model-checking algorithms. How-
ever, the logic is expressive enough to specify safety and
bounded liveness properties. We shall see, that the sim-
ple form of disjunction allows us to specify bounded
liveness properties such as “p will be true within n”.
The meaning of the identifiers is specified by a dec-
laration D assigning a formula of Ls to each identifier.
When D is understood we write Z def= ϕ for D(Z) = ϕ.
Given a timed transition system S = 〈S, s0,−→, V 〉
described by a network of timed automata, we inter-
pret the Ls formulas over an extended state 〈s, u〉 where
s ∈ S is a state of S, and u is a clock assignment for
K. A formula of the form x ∼ n or x − y ∼ n is satisfied by an extended state ⟨s, u⟩ if the values of x, y in u satisfy the required relationship. Informally, an extended state ⟨s, u⟩ satisfies ∀ϕ if all future states reachable from ⟨s, u⟩ by delays satisfy property ϕ; ∀ denotes universal quantification over delay transitions. Similarly, a state ⟨s, u⟩ satisfies [a]ϕ if all states reachable from ⟨s, u⟩ by an a-transition (performed by s) satisfy property ϕ; [a] denotes universal quantification over a-transitions. The formula (x in ϕ) initializes the formula clock x to 0; i.e. an extended state satisfies the formula in case the modified state with x reset to 0 satisfies ϕ. Finally, an extended state satisfies an identifier Z if it satisfies the corresponding declaration (or definition) D(Z).
Let D be a declaration. Formally, the satisfaction re-
lation |=D between extended states and formulas is de-
fined as the largest relation satisfying the implications
of Table 1. Any relation satisfying the implications in
Table 1 is called a satisfiability relation. It follows from
standard fixpoint theory [16] that |=D is the union of
all satisfiability relations. For simplicity, we shall omit
the index D and write |= instead of |=D whenever it is
understood from the context.
⟨s, u⟩ |= c ⇒ c(u)
⟨s, u⟩ |= p ⇒ p ∈ V(s)
⟨s, u⟩ |= cp ∨ ϕ ⇒ ⟨s, u⟩ |= cp or ⟨s, u⟩ |= ϕ
⟨s, u⟩ |= ϕ ∧ ψ ⇒ ⟨s, u⟩ |= ϕ and ⟨s, u⟩ |= ψ
⟨s, u⟩ |= ∀ϕ ⇒ ∀d, s′ : s −ε(d)→ s′ ⇒ ⟨s′, u + d⟩ |= ϕ
⟨s, u⟩ |= [a]ϕ ⇒ ∀s′ : s −a→ s′ ⇒ ⟨s′, u⟩ |= ϕ
⟨s, u⟩ |= x in ϕ ⇒ ⟨s, u′⟩ |= ϕ where u′ = [{x} ↦ 0]u
⟨s, u⟩ |= Z ⇒ ⟨s, u⟩ |= D(Z)
Table 1: Definition of satisfiability.
We say that S satisfies a formula ϕ and write S |= ϕ
when 〈s0, v0〉 |= ϕ where s0 is the initial state of S and
v0 is the assignment with v0(x) = 0 for all x. Similarly,
we say that a timed automaton A satisfies ϕ in case
SA |= ϕ. We write A |= ϕ in this case.
Example 4 Consider the following declaration F of the identifiers Xi and Zi, for i a natural number:
Xi def= [a](z in Zi)
Zi def= at(l3) ∨ (z < i ∧ [a]Zi ∧ [b]Zi ∧ [c]Zi ∧ ∀Zi)
Assume that at(l3) is an atomic proposition meaning that the system is operating in control-node l3. Then Xi expresses the property that after an a-transition, the system must reach node l3 within i time units. Now, reconsider the automata Am, Bn and Cm,n of Figure 1. It may be argued that Cm,n |= Xm′+n′ and (consequently) that Am |f Bn |= Xm′+n′. □
3.2 Derived Operators
The property Zi described in Example 4 is an attempt to specify bounded liveness properties: namely that a certain proposition must be satisfied within a given time bound. We shall use the more informative notation at(l3) BEFORE i to denote Zi. In the following, we shall present several such intuitive operators that are definable in our logic.
For simplicity, we shall assume that the set of actions
Act is a finite set {a1...am}, and use [Act]ϕ to denote
the formula [a1]ϕ∧ ...∧ [am]ϕ. Now, let ϕ be a general
formula, cp be an atomic clock constraint or an atomic
proposition and n be a natural number. A collection of
derived operators is given in Table 2.
INV(ϕ) ≡ X where X def= ϕ ∧ ∀X ∧ [Act]X
ϕ UNTIL cp ≡ X where X def= cp ∨ (ϕ ∧ ∀X ∧ [Act]X)
ϕ UNTIL<n cp ≡ z in ((ϕ ∧ z < n) UNTIL cp)
cp BEFORE n ≡ tt UNTIL<n cp
Table 2: Derived Operators
The intuitive meanings of these operators are as follows. INV(ϕ) is satisfied by a timed automaton if the automaton enjoys the property ϕ now, all states reachable by delay again satisfy INV(ϕ) (i.e. X), and after any action transition the reachable states again satisfy INV(ϕ) (i.e. X): namely, ϕ is an invariant property of the automaton. ϕ UNTIL cp is satisfied by a timed automaton if the automaton enjoys the property cp now, or otherwise satisfies ϕ and all states reachable by action transitions and delay transitions again satisfy ϕ UNTIL cp. This simply means that ϕ must hold at least until cp becomes true. The bounded version of the UNTIL-construct, ϕ UNTIL<n cp, is similar to ϕ UNTIL cp except that cp must become true within n time units. A simpler version of this operator is cp BEFORE n, meaning that property cp must become true within n time units.
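A worked expansion of the derived operators, added here as an illustration (it is not part of the paper's own text, but every step uses only the definitions of Table 2). Unfolding cp BEFORE n through UNTIL<n and UNTIL shows that the bounded-liveness operator needs nothing beyond the restricted disjunction cp ∨ ϕ of Definition 4:

$$
\begin{aligned}
cp\ \mathrm{BEFORE}\ n &\equiv tt\ \mathrm{UNTIL}_{<n}\ cp \\
&\equiv z\ \mathrm{in}\ \big((tt \wedge z < n)\ \mathrm{UNTIL}\ cp\big) \\
&\equiv z\ \mathrm{in}\ X \quad\text{where}\quad X \stackrel{def}{=} cp \vee \big(tt \wedge z < n \wedge \forall X \wedge [Act]X\big) \\
&\equiv z\ \mathrm{in}\ X \quad\text{where}\quad X \stackrel{def}{=} cp \vee \big(z < n \wedge \forall X \wedge [Act]X\big).
\end{aligned}
$$

For Act = {a, b, c} the abbreviation [Act]X unfolds to [a]X ∧ [b]X ∧ [c]X, so X has exactly the shape of the identifier Zi of Example 4 with cp = at(l3) and n = i. The disjunction is admissible because its left disjunct is the atomic cp, and the right disjunct is a conjunction of an atomic clock constraint, a delay modality and action modalities, hence an Ls formula. The greatest-fixpoint reading of the declaration is what makes the bound bite: once z ≥ n the right disjunct is false, so an extended state can only satisfy X by satisfying cp.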
4 Symbolic Model-Checking
We have presented a model to describe real-time sys-
tems, i.e. networks of timed automata, and a logic to
specify properties of such systems. The next question
is how to check whether a given formula in the logic
is satisfied by a given network of automata. This is
the so-called model-checking problem. As the systems
we are studying are in general infinite-state due to the
real-valued clocks, we need efficient methods to rep-
resent the state-space symbolically. The region-graph
technique by Alur, Courcoubetis and Dill allows the
state space of a real time system to be partitioned into
finitely many regions in such a way that states within
the same region satisfy the same properties. It follows
that model-checking is decidable as the region parti-
tioning enables standard finite-state algorithmic model-
checking techniques to be applied. However, as the no-
tion of region is property-independent and the number
of such regions depends on the constants used in the
clock constraints of an automaton, this leads to an ex-
tremely fine (and large) partitioning.
Recall that a semantical state of a network of timed automata is a pair (l, u) where l is a control-node and u ∈ R^C is a clock assignment. The model-checking problem is in general to check whether an extended state of the form ⟨(l, u), v⟩ satisfies a given formula ϕ, that is,
⟨(l, u), v⟩ |= ϕ
Note that u is a clock assignment for the automata clocks and v is a clock assignment for the formula clocks. Now, the problem is that we have too many (in fact, infinitely many) such assignments to check in order to conclude ⟨(l, u), v⟩ |= ϕ.
In this section, we shall use clock constraints B(C ∪ K) for automata clocks C and formula clocks K, as defined in section 2, to symbolically represent clock assignments. We shall use D to range over B(C ∪ K). Instead of checking ⟨(l, u), v⟩ |= ϕ for each u and v, we develop an algorithm to simultaneously check
[l, D] |= ϕ
which means that for each u and v such that uv is a solution to the constraint system D, we have ⟨(l, u), v⟩ |= ϕ.
Thus the space R^(C∪K) is partitioned in terms of clock constraints. As for a given network and a given formula we have only finitely many such constraints to check, the problem becomes decidable, and in fact, as the partitioning takes account of the particular property, the number of partitions is in practice considerably smaller compared with the region technique.
4.1 Operations on Clock Constraints
To develop the model-checking algorithm, we need a
few operations to manipulate clock constraints. Given
a clock constraint D, we shall call the set of clock as-
signments satisfying D, the solution set of D.
Definition 5 Let A and A′ be the solution sets of clock constraints D, D′ ∈ B(C ∪ K). We define
A↑ = {w + d | w ∈ A and d ∈ R}
A↓ = {w | ∃d ∈ R : w + d ∈ A}
{x}A = {[{x} ↦ 0]w | w ∈ A}
A ∧ A′ = {w | w ∈ A and w ∈ A′}
□
First, note that A ∧ A′ is simply the intersection of the two sets. Consider the set A for the case of two clocks, shown in (a) of Figure 2. The three operations A↑, A↓ and {x}A are illustrated in (b), (c) and (d) respectively of Figure 2. Intuitively, A↓ is the largest set of clock assignments that will eventually reach A after some delay; whereas A↑ is the dual of A↓: namely the largest set of clock assignments that can be reached by some delay from A. Finally, {y}A is the projection of A down to the x-axis (and, as shown in (d), {x}A the projection onto the y-axis). We extend the projection operator to sets of clocks. Let r = {x1 ... xn} be a set of clocks. We define r(A) recursively by {}(A) = A and {x1 ... xn}(A) = {x1}({x2 ... xn}A).
The following Proposition establishes that the class
of clock constraints B(C ∪K) is closed under the four
operations defined above.
Proposition 1 Let D,D′ ∈ B(C ∪ K) with solution
sets A and A′, and x ∈ C ∪ K. Then there exist
D1, D2, D3, D4 ∈ B(C ∪K) with solution sets A↑, A↓,
{x}A and A ∧A′ respectively. 2
In fact, the resulting constraints Di can be effectively constructed from D and D′, as shown in section 4.3. In order to save notation, from now on we shall simply use D↑, D↓, {x}D and D ∧ D′ to denote the clock constraints which are guaranteed to exist due to the above proposition. We will also need a few predicates over clock constraints for the model-checking procedure. We write D ⊆ D′ to mean that the solution set of D is included in the solution set of D′, and D = ∅ to mean that the solution set of D is empty.
4.2 Model-Checking by Constraint Solving
Given a network of timed automata A over clocks C, we shall interpret formulas over clocks K with respect to symbolic states of the form [l, D] where l is a control-node of A and D is a clock constraint of B(C ∪ K). Let D be a declaration. The symbolic satisfaction relation ⊢D between symbolic states and formulas is defined as the largest relation satisfying the implications in Table 3. We call a relation satisfying the implications in Table 3 a symbolic satisfiability relation. Again, it follows from standard fixpoint theory [16] that ⊢D is the union of all symbolic satisfiability relations. For simplicity, we shall omit the index D and write ⊢ instead of ⊢D whenever it is understood from the context.
The following Theorem shows that the symbolic interpretation of Ls in Table 3 expresses the sufficient and necessary conditions for a timed automaton to satisfy a formula ϕ³.
³Note that Theorem 2 cannot be extended to a logic with general disjunction (or existential quantifications): the obvious requirement that [l, D] ⊢ ϕ1 ∨ ϕ2 should imply either [l, D] ⊢ ϕ1 or [l, D] ⊢ ϕ2 will fail to satisfy the Theorem.
D = ∅ ⇒ [l, D] ⊢ ϕ
[l, D] ⊢ c ⇒ D ⊆ c
[l, D] ⊢ p ⇒ p ∈ V(l)
[l, D] ⊢ c ∨ ϕ ⇒ [l, D ∧ ¬c] ⊢ ϕ
[l, D] ⊢ p ∨ ϕ ⇒ [l, D] ⊢ p or [l, D] ⊢ ϕ
[l, D] ⊢ ϕ1 ∧ ϕ2 ⇒ [l, D] ⊢ ϕ1 and [l, D] ⊢ ϕ2
[l, D] ⊢ [a]ϕ ⇒ [l′, r(D ∧ g)] ⊢ ϕ whenever l −g,a,r→ l′
[l, D] ⊢ ∀ϕ ⇒ [l, D] ⊢ ϕ and [l, (D ∧ I(l))↑ ∧ I(l)] ⊢ ϕ
[l, D] ⊢ x in ϕ ⇒ [l, {x}D] ⊢ ϕ
[l, D] ⊢ Z ⇒ [l, D] ⊢ D(Z)
Table 3: Definition of symbolic satisfiability.
Theorem 2 Let A be a timed automaton over clock set C and ϕ a formula over K. Then the following holds:
A |= ϕ if and only if [l0, D0] ⊢ ϕ
where l0 is the initial node of A and D0 is the linear constraint system {x = 0 | x ∈ C ∪ K}.
Proof: It is proved by co-induction (on ⊢) that [l, D] ⊢ ϕ holds precisely when ⟨(l, u), v⟩ |= ϕ for all uv in D. □
Given a symbolic satisfaction problem [l, D] ⊢ ϕ we may determine its validity by using the implications of Table 3 as rewrite rules. Due to the maximal fixed point property of ⊢, rewriting may be terminated successfully in case cycles are encountered. As the rewrite graph of any given problem [l, D] ⊢ ϕ can be shown to be finite, this yields a decision procedure for model checking.
The operations and predicates on clock constraint
systems discussed in Section 4.1 can be efficiently
implemented by representing constraint systems as
weighted directed graphs. The basic idea is to use a
shortest-path algorithm to close a constraint system un-
der entailment so that operations and predicates can be
easily computed [17].
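The operations of Definition 5 and the predicates D = ∅ and D ⊆ D′ on the weighted-graph representation just described, with the delay and action rules of Table 3 built on top of them. This is an added example written for this page, not code from the paper or from Uppaal: a zone is stored as a difference bound matrix over the clocks plus a reference clock, Floyd-Warshall is the shortest-path closure that makes every bound the tightest one entailed, and the walk along Example 2's path uses edges read off Examples 1 and 2 (l0 −tt,a,{x}→ l1 and l1 −x≥m,b,{x,y}→ l2, invariant x ≤ m′ on l1) together with the constants m = 2 and m′ = 4; those edges and constants are assumptions, since Figure 1 is not reproduced here.

```python
"""DBM zones for the symbolic rules of Table 3 (added example; not the paper's or Uppaal's code)."""
import math
from itertools import product

# A bound is (constant, strict): (c, False) means "<= c", (c, True) means "< c".
INF = (math.inf, True)
ZERO = (0, False)

def bound_lt(a, b):
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def bound_add(a, b):
    return (a[0] + b[0], a[1] or b[1])

class DBM:
    """m[i][j] bounds x_i - x_j; index 0 is the reference clock that is always 0."""
    def __init__(self, nclocks):
        self.n = nclocks + 1
        self.m = [[INF] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.m[i][i] = ZERO
            self.m[0][i] = ZERO        # 0 - x_i <= 0: clocks are non-negative
    def copy(self):
        d = DBM(self.n - 1)
        d.m = [row[:] for row in self.m]
        return d
    def close(self):
        """Floyd-Warshall: every entry becomes the tightest bound entailed by the others."""
        for k, i, j in product(range(self.n), repeat=3):
            via = bound_add(self.m[i][k], self.m[k][j])
            if bound_lt(via, self.m[i][j]):
                self.m[i][j] = via
        return self
    def is_empty(self):                # D = ∅: a negative cycle shows up on the diagonal
        return bound_lt(self.close().m[0][0], ZERO)
    def includes(self, other):         # D' ⊆ D: every bound of D' is at least as tight
        if other.is_empty():
            return True
        self.close()
        return not any(bound_lt(self.m[i][j], other.m[i][j])
                       for i in range(self.n) for j in range(self.n))
    def conj(self, *atoms):
        """D ∧ g for atoms (i, j, op, n) meaning x_i - x_j op n; use j = 0 for x_i op n."""
        for i, j, op, n in atoms:
            if op in ("<=", "<", "=="):
                self._tighten(i, j, (n, op == "<"))
            if op in (">=", ">", "=="):
                self._tighten(j, i, (-n, op == ">"))
        return self.close()
    def _tighten(self, i, j, b):
        if bound_lt(b, self.m[i][j]):
            self.m[i][j] = b
    def up(self):                      # A↑: drop the upper bounds, i.e. let time pass
        for i in range(1, self.n):
            self.m[i][0] = INF
        return self.close()
    def down(self):                    # A↓: drop the lower bounds, i.e. run time backwards
        for i in range(1, self.n):
            self.m[0][i] = ZERO
        return self.close()
    def reset(self, clocks):           # r(A): each clock in r becomes 0
        for x in clocks:
            for j in range(self.n):
                self.m[x][j] = self.m[0][j]
                self.m[j][x] = self.m[j][0]
        return self.close()

def entails(D, *atoms):
    """Row [l,D] ⊢ c of Table 3: D ⊆ c, checked against the zone of c alone."""
    return DBM(D.n - 1).conj(*atoms).includes(D)

def delay_rule(D, *inv):
    """Row [l,D] ⊢ ∀ϕ: ϕ must hold at [l, (D ∧ I(l))↑ ∧ I(l)]."""
    return D.copy().conj(*inv).up().conj(*inv)

def action_rule(D, guard, resets):
    """Row [l,D] ⊢ [a]ϕ: ϕ must hold at [l', r(D ∧ g)] for each edge l --g,a,r--> l'."""
    return D.copy().conj(*guard).reset(resets)

X, Y = 1, 2          # the two clocks of C_{m,n}
M, M1 = 2, 4         # assumed values of the parameters m and m'

def point(x, y):
    """The zone {x = ., y = .}; D0 of Theorem 2 is point(0, 0)."""
    return DBM(2).conj((X, 0, "==", x), (Y, 0, "==", y))

def symbolic_run():
    """Zones along Example 2's path l0 -a-> l1 -b-> l2 with the edges assumed above."""
    z_l0 = delay_rule(point(0, 0))                        # I(l0) = tt, so {x = y}
    z_l1 = action_rule(z_l0, (), [X])                     # a resets x: {x = 0, y >= 0}
    z_l1 = delay_rule(z_l1, (X, 0, "<=", M1))             # {0 <= x <= m', y >= x}
    z_l2 = action_rule(z_l1, [(X, 0, ">=", M)], [X, Y])   # b needs x >= m, resets both
    blocked = z_l1.copy().conj((X, 0, ">=", M1 + 1))      # a guard the invariant forbids
    return z_l0, z_l1, z_l2, blocked

if __name__ == "__main__":
    z_l0, z_l1, z_l2, blocked = symbolic_run()
    print(z_l1.includes(point(3, 7)), entails(z_l1, (Y, X, ">=", 0)), blocked.is_empty())
```

The checks worth keeping as assertions are that the zone reached at l1 contains (x, y) = (3, 7) but not (3, 2), that it entails y − x ≥ 0 but not y ≤ m′ (the row [l, D] ⊢ c of Table 3 is exactly this inclusion test), that the guard x ≥ m′ + 1 leaves an empty zone, so the [a]-row holds vacuously by the first row of Table 3, and that the zone reached at l2 is D0 again, which is why the symbolic rewriting of Theorem 2 revisits symbolic states and can stop on cycles.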
5 Compositional Model-Checking
The symbolic model-checking presented in the pre-
vious section provides an efficient way to deal with the
potential explosion caused by the addition of clocks.
However, a potential explosion in the node-space due to parallel composition still remains.
[Figure 2: Operations on solution sets; panels (a) A, (b) A↑, (c) A↓, (d) {x}A, drawn in the (x, y) plane]
In this section we attack this problem by development of a quotient construction, which allows components to be gradually moved from the parallel system into the specification, thus avoiding explicit construction of the global
node space. The intermediate specifications are kept
small using minimization heuristics. Recent experi-
mental work by Andersen [10] demonstrates that for
(untimed) finite-state systems the quotient technique
improves results obtained using Binary Decision Dia-
grams. Also, an initial experimental investigation of
the quotient technique to real-time systems in [12] has
indicated that these promising results will carry over
to the setting of real-time systems. In this section we shall provide a new (and, compared with [12], simpler) quotient construction and show how to integrate it with the symbolic technique of the previous section.
5.1 Quotient Construction
Given a formula ϕ, and two timed automata A and B
The bi-implication indicates that we are moving parts of the parallel system into the formula. Clearly, if the quotient is not much larger than the original formula, we have simplified the task of model-checking, as the (symbolic) semantics of A is significantly smaller than that of A |f B. More precisely, whenever ϕ is a formula over K, B is a timed automaton over C and l is a node of B, we define the quotient formula ϕ /f l over C ∪ K in Table 4 on the structure of ϕ⁴,⁵.
Table 4: Quotient Construction (only fragments of the table survive: the proposition rule “tt ; p ∈ V(l)” and the side condition “l −g,c,r→ l′ ∧ f(b,c) = a” of the rule for [a]ϕ)
⁴For g = c1 ∧ ... ∧ cn a clock constraint we write g ⇒ ϕ as an abbreviation for the formula ¬c1 ∨ ... ∨ ¬cn ∨ ϕ. This is an Ls-formula as atomic constraints are closed under negation.
⁵In the rule for [a]ϕ, we assume that all nodes l of a timed
The quotient formula ϕ /f l expresses the sufficient and necessary requirement to a timed automaton A in order that the parallel composition A |f B with B at node l satisfies ϕ. In most cases quotienting simply distributes with respect to the formula construction. The quotient construction for ∀ϕ reflects that A |f B can only delay provided I(l) is satisfied. The quotient construction for [a]ϕ must quantify over all actions of A which can possibly lead to an a-transition of A |f B: according to the semantics of parallel composition, b is such an action provided B (at node l) can perform a synchronizable action c (according to some edge l −g,c,r→ l′) such that f(b, c) = a. The guard as well as the reset set of the involved B-edge l −g,c,r→ l′ is reflected in the quotient formula.
Note that the quotient construction for identifiers introduces new identifiers of the form Xl. These new identifiers are defined by quotienting the definition of X with respect to the node l, and the resulting equations are collected in the (quotient) declaration DB.
In particular, the quotient formula ϕ /f l0 expresses the sufficient and necessary requirement to a timed automaton A in order that the parallel composition A |f B satisfies ϕ. This is stated in the following Theorem 3:
Theorem 3 Let A and B be two timed automata and let l0 be the initial node of B. Then A |f B satisfies ϕ if and only if A satisfies ϕ /f l0 (with respect to the quotient declaration DB).
Example 5 Reconsider the network and synchronization function from Examples 1, 2 and 3. We want to establish that the network Am |f Bn satisfies the following property Y:
Y def= [a](z in X)
X def= (z ≥ i) ∨ ([c]ff ∧ [a]X ∧ [b]X ∧ ∀X)
The property Y expresses that the accumulated time between an initial a-action and a following c-action must be at least i. We want to show that Cm,n satisfies this property provided the sum of the delays m and n is at least the required delay i. That is, we must show [l0, D0] ⊢ [a](z in X) provided n + m ≥ i.
From Theorem 3 it follows that the sufficient and necessary requirement to Am in order that Am |f Bn satisfies Y is that Am satisfies Y /f k0. Using the quotient construction we obtain:
= (z ≥ i) ∨ ( …
It is obvious that repeated quotienting leads to an
explosion in the formula. The crucial observation made
by Andersen in the (untimed) finite-state case is that
simple and effective transformations of the formulas in
practice may lead to significant reductions.
∅ ⇒ ϕ ≡ tt
D ⇒ c ≡ tt ; if D ⊆ c
D ⇒ ([a]ϕ) ≡ [a](D ⇒ ϕ)
D ⇒ (ϕ1 ∧ ϕ2) ≡ (D ⇒ ϕ1) ∧ (D ⇒ ϕ2)
D ⇒ (x in ϕ) ≡ x in ({x}D ⇒ ϕ)
D ⇒ (p ∨ ϕ) ≡ p ∨ (D ⇒ ϕ)
D ⇒ (c ∨ ϕ) ≡ (D ∧ ¬c) ⇒ ϕ
D ⇒ (∀ϕ) ≡ ∀(D↑ ⇒ ϕ) ; if D↓ ⊆ D
D ⇒ X ≡ D ⇒ D(X)
Table 5: Constraint Propagation
In the presence of real-time we need, in addition to the minimization strategies of Andersen, heuristics for propagating and eliminating constraints on clocks in formulas and declarations. Below we describe the transformations considered:
When quotienting with respect to the initial node l0, not all identifiers in DB may be reachable. In Uppaal an “on-the-fly” technique ensures that only the reachable part of DB is generated.
Boolean Simplification: Formulas may be simplified using the following simple boolean equations and their duals: ff ∧ ϕ ≡ ff, tt ∧ ϕ ≡ ϕ, 〈a〉ff ≡ ff, ∃ff ≡ ff, x in ff ≡ ff, 〈a〉ϕ ∧ [a]ff ≡ ff.
Constraint Propagation: Constraints on formula
clocks may be propagated using various distribution
laws (see Table 5). In some cases, propagation will lead
to trivial clock constraints, which may be simplified to
either tt or ff and hence made applicable to Boolean
Simplification.
Constant Propagation: Identifiers with identifier-
free definitions (i.e. constants such as tt or ff) may be
removed while substituting their definitions in the dec-
laration of all other identifiers.
Trivial Equation Elimination: Equations of the form X def= [a]X are easily seen to have X = tt as solution and may thus be removed. More generally, let S be the largest set of identifiers such that whenever X ∈ S and X def= ϕ then ϕ[tt/S]⁶ can be simplified to tt. Then all identifiers of S can be removed provided the value tt is propagated to all uses of identifiers from S (as under Constant Propagation). The maximal set S may be efficiently computed using standard fixed point computation algorithms.
⁶ϕ[tt/S] is the formula obtained by substituting all occurrences of identifiers from S in ϕ with the formula tt.
Equivalence Reduction: If two identifiers X and Y are semantically equivalent (i.e. are satisfied by the same timed transition systems) we may collapse them into a single identifier and thus obtain reduction. However, semantical equivalence is computationally very hard⁷. To obtain a cost effective strategy we approximate semantical equivalence of identifiers as follows: Let R be an equivalence relation on identifiers. R may be extended homomorphically to formulas in the obvious manner: i.e. (ϕ1 ∧ ϕ2) R (ϑ1 ∧ ϑ2) if ϕ1 R ϑ1 and ϕ2 R ϑ2, (x in ϕ) R (x in ϑ) and [a]ϕ R [a]ϑ if ϕ R ϑ, and so on. Now let ≅ be the maximal equivalence relation on identifiers such that whenever X ≅ Y, X def= ϕ and Y def= ϑ then ϕ ≅ ϑ. Then ≅ provides the desired cost effective approximation: whenever X ≅ Y then X and Y are indeed semantically equivalent. Moreover, ≅ may be efficiently computed using standard fixed point computation algorithms.
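The transformations listed above (Boolean Simplification, Constant Propagation, Trivial Equation Elimination and Equivalence Reduction) operate on the declaration alone, and the two fixed point computations mentioned are short to write down. The following is an added example, not code from the paper or from Uppaal: formulas are encoded as nested Python tuples, simplify implements the boolean equations of Boolean Simplification, trivially_true computes the largest set S of Trivial Equation Elimination by iterating downwards from the full set of identifiers, and equivalence_classes computes ≅ by partition refinement from the coarsest partition. Clock constraints are kept as opaque atoms, so the Constraint Propagation rules of Table 5 are not covered here; the tuple encoding and the function names are choices of this example.

```python
"""Minimisation heuristics on declarations of the safety logic (added example, not Uppaal code).

A declaration is a dict identifier -> formula.  Formulas are nested tuples:
  ("tt",) ("ff",)                constants
  ("c", text)                    atomic clock constraint, kept opaque here
  ("and", p, q) ("or", p, q)     conjunction / disjunction
  ("box", a, p) ("dia", a, p)    [a]p and <a>p
  ("all", p) ("ex", p)           ∀p and ∃p (delay quantifiers)
  ("in", x, p)                   x in p (reset of formula clock x)
  ("id", X)                      identifier
"""
TT, FF = ("tt",), ("ff",)


def simplify(f):
    """Boolean Simplification: ff∧ϕ ≡ ff, tt∧ϕ ≡ ϕ, <a>ff ≡ ff, ∃ff ≡ ff, x in ff ≡ ff,
    <a>ϕ ∧ [a]ff ≡ ff, and the duals tt∨ϕ ≡ tt, ff∨ϕ ≡ ϕ, [a]tt ≡ tt, ∀tt ≡ tt, x in tt ≡ tt."""
    tag = f[0]
    if tag in ("tt", "ff", "c", "id"):
        return f
    if tag in ("and", "or"):
        p, q = simplify(f[1]), simplify(f[2])
        unit, zero = (TT, FF) if tag == "and" else (FF, TT)
        if p == zero or q == zero:
            return zero
        if p == unit:
            return q
        if q == unit:
            return p
        if tag == "and":
            for u, v in ((p, q), (q, p)):
                if u[0] == "dia" and v == ("box", u[1], FF):   # <a>ϕ ∧ [a]ff ≡ ff
                    return FF
        return (tag, p, q)
    if tag in ("box", "dia"):
        p = simplify(f[2])
        if (tag, p) in (("box", TT), ("dia", FF)):
            return p
        return (tag, f[1], p)
    if tag in ("all", "ex"):
        p = simplify(f[1])
        if (tag, p) in (("all", TT), ("ex", FF)):
            return p
        return (tag, p)
    if tag == "in":
        p = simplify(f[2])
        return p if p in (TT, FF) else ("in", f[1], p)
    raise ValueError(f"unknown formula tag {tag!r}")


def subst(f, mapping):
    """Replace each identifier X in f by mapping[X]; identifiers not in mapping are left alone."""
    if f[0] == "id":
        return mapping.get(f[1], f)
    return (f[0],) + tuple(subst(x, mapping) if isinstance(x, tuple) else x for x in f[1:])


def trivially_true(decl):
    """Trivial Equation Elimination: the largest S such that for every X ∈ S with X def= ϕ,
    ϕ[tt/S] simplifies to tt.  Greatest fixed point, iterated down from all identifiers."""
    S = set(decl)
    while True:
        tt_for_S = {X: TT for X in S}
        kept = {X for X in S if simplify(subst(decl[X], tt_for_S)) == TT}
        if kept == S:
            return S
        S = kept


def eliminate_trivial(decl):
    """Remove the identifiers in S and propagate tt to their uses (Constant Propagation)."""
    S = trivially_true(decl)
    tt_for_S = {X: TT for X in S}
    return {X: simplify(subst(phi, tt_for_S)) for X, phi in decl.items() if X not in S}


def equivalence_classes(decl):
    """Equivalence Reduction: the maximal ≅ with X ≅ Y, X def= ϕ, Y def= ϑ  ⇒  ϕ ≅ ϑ (homomorphically).
    Partition refinement from the coarsest partition: identifiers stay together while their
    definitions coincide once every identifier is replaced by its current class number."""
    cls = {X: 0 for X in decl}
    while True:
        keys = {X: subst(decl[X], {Y: ("id", cls[Y]) for Y in decl}) for X in decl}
        ids = {}
        new = {X: ids.setdefault(keys[X], len(ids)) for X in decl}
        if len(ids) == len(set(cls.values())):   # no class was split: fixed point reached
            classes = {}
            for X, c in new.items():
                classes.setdefault(c, []).append(X)
            return sorted(sorted(members) for members in classes.values())
        cls = new


def reduce_equivalent(decl):
    """Collapse each ≅-class onto its alphabetically first member and substitute it everywhere."""
    rep = {X: members[0] for members in equivalence_classes(decl) for X in members}
    rep_map = {Y: ("id", rep[Y]) for Y in decl}
    return {X: subst(phi, rep_map) for X, phi in decl.items() if rep[X] == X}
```

Because refinement starts from the one-class partition and only ever splits classes, the partition sequence is monotone and the first step that leaves the class count unchanged is the fixed point, so the result is the maximal relation ≅ described above; soundness is the paper's claim that X ≅ Y implies semantic equivalence, not something this code checks.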
In the following examples we apply the above transformation strategies to the quotient formula obtained in Example 5. In particular, the strategies will find the quotient formula to be trivially true in certain cases.
Example 6 By Theorem 3, the quotient formula Y /f k0 is the sufficient and necessary requirement to Am in order that Am |f Bn satisfies Y. From the definition of satisfiability for timed automata we see that:
…
This provides an initial basis for constraint propagation, with D0 = (y = 0 ∧ z = 0). This makes the implication
(z ≥ i) ∨ ( …
⁷For the full logic Tµ the equivalence problem is undecidable.
(D0 ⇒ X0) ≡ [b]( … )
( …↑ ⇒ X0) ≡ [b]( … )
(D1 ⇒ X1) ≡ ( … )
(D0 ⇒ X1) ≡ ( … )
(D0↑ ⇒ X1) ≡ ((D0↑ ∧ z < i ∧ y ≥ n) ⇒ [c]ff) ∧ ∀((D0↑ ∧ z < i)↑ ⇒ X1)
(D1↑ ⇒ X1) ≡ ((D1↑ ∧ z < i ∧ y ≥ n) ⇒ [c]ff) ∧ ∀((D1↑ ∧ z < i)↑ ⇒ X1)
Table 6: Equations after Constraint Propagation
Continuing constraint propagation yields the equations in Table 6, where D1 = (y = 0 ∧ z < i). □
Example 7 (Example 6 Continued) Now consider the case when n ≥ i, that is, the delay n of the component Bn is at least the delay i required as a minimum by the property Y. Thus the component Bn ensures on its own the satisfiability of Y; i.e. for any choice of A the system A |f Bn will satisfy Y. In this particular case (i.e. n ≥ i) it is easy to see that (Dj↑ ∧ z < i ∧ y ≥ n) = ff for j = 0, 1, as Dj↑ ensures z ≥ y. Also for j = 0, 1, (Dj ∧ y ≥ n) = ff as Dj ⇒ y = 0 and we assume n > 0. Finally, it is easily seen that (Dj↑ ∧ z < i)↑ = Dj↑ for j = 0, 1.
Inserting these observations, which all may be efficiently computed, in the equations of Table 6 we get equations which after application of Boolean Simplification and Trivial Equation Elimination all simplify to tt.
Thus, in the case n ≥ i, our minimization heuristics will yield tt as the property required of A in order that A |f Bn satisfies Y. □
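The observations of Example 7 are cheap precisely because of the representation described at the end of Section 4.1: a constraint system is a weighted directed graph on the clocks plus the constant clock 0, closed under entailment by an all-pairs shortest-path computation [17], after which emptiness, inclusion, reset and delay are entry-wise operations. The following is an added example, not code from the paper or from Uppaal: a small difference bound matrix in Python in which close is Floyd-Warshall, and conjoin, up (D↑), reset ({x}D), subset (D ⊆ D′) and is_empty are the operations the rules of Table 5 rely on. The function example7_checks evaluates the three facts of Example 7 for given i and n; the encoding of a bound as a (constant, strict) pair, the clock names y and z, and the method names are choices of this example.

```python
"""Clock constraint systems as weighted directed graphs (difference bound matrices).

Added example, not code from the paper or from Uppaal.  Vertex 0 is the constant
clock 0; entry m[i][j] = (c, strict) records x_i - x_j < c (strict) or
x_i - x_j <= c.  Closing the graph under entailment is an all-pairs shortest-path
problem (Floyd-Warshall); once closed, every entry is the tightest bound implied
by the system, so emptiness, inclusion, reset and delay are entry-wise operations.
"""
import math
from itertools import product

INF = (math.inf, True)   # no bound on x_i - x_j
ZERO = (0, False)        # x_i - x_j <= 0


def bound_lt(a, b):
    """a is strictly tighter than b; (3, <) is tighter than (3, <=)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def bound_add(a, b):
    """Weight of a two-edge path: constants add, strictness is inherited."""
    if math.isinf(a[0]) or math.isinf(b[0]):
        return INF
    return (a[0] + b[0], a[1] or b[1])


class DBM:
    def __init__(self, clocks):
        self.clocks = ["0"] + list(clocks)
        n = len(self.clocks)
        self.m = [[INF] * n for _ in range(n)]
        for i in range(n):           # x_i - x_i <= 0 and 0 - x_i <= 0 (clocks are non-negative)
            self.m[i][i] = ZERO
            self.m[0][i] = ZERO

    def copy(self):
        d = DBM(self.clocks[1:])
        d.m = [row[:] for row in self.m]
        return d

    def close(self):
        """Floyd-Warshall: m[i][j] becomes the shortest i -> j path, the tightest implied bound."""
        n = len(self.clocks)
        for k, i, j in product(range(n), repeat=3):
            via = bound_add(self.m[i][k], self.m[k][j])
            if bound_lt(via, self.m[i][j]):
                self.m[i][j] = via
        return self

    def is_empty(self):
        """A negative cycle (m[i][i] tighter than <= 0) means no clock valuation satisfies D."""
        self.close()
        return any(bound_lt(self.m[i][i], ZERO) for i in range(len(self.clocks)))

    def _tighten(self, i, j, b):
        if bound_lt(b, self.m[i][j]):
            self.m[i][j] = b

    def conjoin(self, x, op, c, y="0"):
        """D ∧ (x - y op c) with op in {<, <=, >, >=, ==}; y defaults to the constant clock 0."""
        i, j = self.clocks.index(x), self.clocks.index(y)
        if op in ("<", "<="):
            self._tighten(i, j, (c, op == "<"))
        elif op in (">", ">="):                # x - y > c  <=>  y - x < -c
            self._tighten(j, i, (-c, op == ">"))
        elif op == "==":
            self._tighten(i, j, (c, False))
            self._tighten(j, i, (-c, False))
        else:
            raise ValueError(op)
        return self.close()

    def up(self):
        """D↑ (delay): drop every upper bound x_i - 0 < c, keep all clock differences."""
        self.close()
        for i in range(1, len(self.clocks)):
            self.m[i][0] = INF
        return self.close()

    def reset(self, x):
        """{x}D: x := 0, so x - y inherits the bounds of 0 - y and y - x those of y - 0."""
        self.close()
        i = self.clocks.index(x)
        for j in range(len(self.clocks)):
            if j != i:
                self.m[i][j] = self.m[0][j]
                self.m[j][i] = self.m[j][0]
        self.m[i][i] = ZERO
        return self

    def subset(self, other):
        """D ⊆ D': on closed forms, no bound of D' is tighter than the corresponding bound of D."""
        if self.is_empty():
            return True
        self.close()
        other.close()
        n = len(self.clocks)
        return all(not bound_lt(other.m[i][j], self.m[i][j]) for i in range(n) for j in range(n))

    def equals(self, other):
        return self.subset(other) and other.subset(self)


def example7_checks(i, n):
    """The three facts used in Example 7 for property bound i and component delay n.
    All three hold exactly when n >= i (and n > 0), which lets the equations of Table 6 collapse to tt."""
    D0 = DBM(["y", "z"]).conjoin("y", "==", 0).conjoin("z", "==", 0)   # D0 = (y = 0 ∧ z = 0)
    D1 = DBM(["y", "z"]).conjoin("y", "==", 0).conjoin("z", "<", i)    # D1 = (y = 0 ∧ z < i)
    out = {}
    for name, D in (("D0", D0), ("D1", D1)):
        Dup = D.copy().up()
        # (Dj↑ ∧ z < i ∧ y ≥ n) = ff: Dj↑ entails z ≥ y, so y ≥ n ≥ i contradicts z < i
        out[name + "up_guard_empty"] = Dup.copy().conjoin("z", "<", i).conjoin("y", ">=", n).is_empty()
        # (Dj ∧ y ≥ n) = ff: Dj forces y = 0 while n > 0
        out[name + "_guard_empty"] = D.copy().conjoin("y", ">=", n).is_empty()
        # (Dj↑ ∧ z < i)↑ = Dj↑: the second delay removes the upper bound on z again
        out[name + "up_stable"] = Dup.copy().conjoin("z", "<", i).up().equals(Dup)
    return out
```

With n < i the first check fails for both D0 and D1, which is exactly the situation in which the quotient formula does not collapse and a real requirement on Am remains; the other two facts do not depend on the relation between n and i.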
6 Experimental Results
The techniques presented in previous sections have been implemented in our verification tool Uppaal in C++. We have tested Uppaal on various examples. We have also performed experiments with three existing real-time verification tools: HyTech (Cornell), Kronos (Grenoble), and Epsilon (Aalborg). Though the compositional model-checking technique is still under implementation, our experimental results show that Uppaal is not only faster than the other tools but also able to handle larger systems.
⁸Note that (z < i ∧ D0) = D0.
In particular, we have used the so-called Fischer’s
mutual exclusion protocol [17, 18, 19] in our experi-
ments on the tools. The reason for choosing this ex-
ample is that it is well-known and well-studied by re-
searchers in the context of real-time verification. More
importantly, the size of the example can be easily scaled
up by simply increasing the number of processes in the
protocol, thus increasing the number of control-nodes
— causing state-space explosion — and the number of
clocks — causing region-space explosion.
6.1 Performance Evaluation
Using the current version of our tool Uppaal, in-
stalled on a SparcStation 10 running SunOS 4.1.2 with
64MB of primary memory and 64MB of swap mem-
ory, we have verified the mutual exclusion property of
Fischer’s protocol for the cases⁹ n = 2, …, 8. The
time-performance of this experiment can be found in
Figure 3. Execution times have been measured in sec-
onds with the standard UNIX program time. We have
also attempted to verify Fischer’s protocol using three
other existing real-time verification tools: HyTech [20]
(version 0.6 and version 1.0), Kronos 1.1c [21] and Ep-
silon 3.0 [22] using the same machine as for the Up-
paal experiment. As illustrated in Figure 3 the ex-
periment showed that Uppaal is faster than all these
tools and able to deal with larger systems; all the other
tools failed¹⁰ to verify Fischer’s protocol for more than
5 processes.
The four tools can be divided into two categories: HyTech and Kronos both produce the product of the automata network before the verification is carried out, whereas Epsilon and Uppaal verify properties on-the-fly without ever explicitly producing the product automaton (recently another on-the-fly verification technique for timed automata has been studied in [23]). A potential advantage of the first strategy is the reusability of the product automaton. The obvious advantage of the second strategy is that only the necessary part of the product automaton needs to be examined, saving not only time but also (more importantly) space. For HyTech and Kronos we have measured both the total time as well as the part spent on the actual verification, i.e. not measuring the time for producing the product automaton.
⁹In fact we have verified the case of 9 processes, but on a different machine.
¹⁰Failure occurred either because the verification ran out of
Figure 3: Execution Times.
7 Conclusion and Future Work
In developing automatic verification algorithms for
real-time systems, we need to deal with two potential
types of explosion arising from parallel composition:
explosion in the space of control nodes, and explosion
in the region space over clock-variables. To attack these
explosion problems, we have developed and combined
compositional and symbolic model-checking techniques.
These techniques have been implemented in a new au-
tomatic verification tool Uppaal. Experimental results
show that Uppaal is not only faster than other real-
time verification tools but also able to handle larger
systems.
We should point out that the safety logic we designed in this paper enables the presented techniques to be implemented in a very efficient way. Though the logic is less expressive than the full version of the timed µ-calculus Tµ, it is expressive enough to specify safety properties as well as bounded liveness properties. As future work, we shall study the practical applicability of this logic and Uppaal by further examples. Our experience shows that the practical limits of Uppaal are caused by the space-complexity rather than the time-complexity of the model-checking algorithms. Thus, future work includes development of more space-efficient methods for representation and manipulation of clock constraints. For a verification tool to be of practical use in a design process it is of the utmost importance that the tool offers some sort of diagnostic information in case of errors. Based on the synthesis technique presented in [24] we intend to extend Uppaal with the ability to generate diagnostic information. Finally, more sophisticated minimization heuristics are sought to yield further improvement of our compositional technique.
Acknowledgment
The Uppaal tool has been implemented in large
parts by Johan Bengtsson and Fredrik Larsson. The
authors would like to thank them for their excellent
work. The first author would also like to thank Francois
Laroussinie for several interesting discussions on the
subject of compositional model-checking. The last two
authors want to thank the Steering Committee mem-
bers of NUTEK, Bengt Asker and Ulf Olsson, for useful
feedback on practical issues.
References
[1] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic Model Checking: 10²⁰ States and Beyond. Logic in Computer Science, 1990.
[2] P. Godefroid and P. Wolper. A Partial Approach to Model Checking. Logic in Computer Science, 1991.
[3] A. Valmari. A Stubborn Attack on State Explosion. Theoretical Computer Science, 3, 1990.
[4] E. M. Clarke, T. Filkorn, and S. Jha. Exploiting Symmetry in Temporal Logic Model Checking. Lecture Notes in Computer Science, 697, 1993. In Proceedings of CAV’93.
[5] E. M. Clarke, O. Grumberg, and D. E. Long. Model Checking and Abstraction. Principles of Programming Languages, 1992.
[6] E. A. Emerson and C. S. Jutla. Symmetry and Model Checking. Lecture Notes in Computer Science, 697, 1993. In Proceedings of CAV’93.
[7] R. Alur and D. Dill. Automata for Modelling Real-Time Systems. Theoretical Computer Science, 126(2):183–236, April 1994.
[8] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for Real-Time Systems. In Proceedings of Logic in Computer Science, pages 414–425. IEEE Computer Society Press, 1990.
[9] T. A. Henzinger, Z. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. In Logic in Computer Science, 1992.
[10] H. R. Andersen. Partial Model Checking. In Proc. of LICS’95, 1995.
[11] Wang Yi, Paul Pettersson, and Mats Daniels. Automatic Verification of Real-Time Systems By Constraint-Solving. In the Proceedings of the 7th International Conference on Formal Description Techniques, 1994.
[12] F. Laroussinie and K. G. Larsen. Compositional Model Checking of Real Time Systems. Lecture Notes in Computer Science, 1995. Proc. of CONCUR’95.
[13] H. Hüttel and K. G. Larsen. The use of static constructs in a modal process logic. Lecture Notes in Computer Science, Springer Verlag, 363, 1989.
[14] Nicolas Halbwachs. Delay Analysis in Synchronous Programs. Lecture Notes in Computer Science, 697, 1993. In Proceedings of CAV’93.
[15] F. Laroussinie and K. G. Larsen. From Timed Automata to Logic — and Back. Lecture Notes in Computer Science, 1995. Proc. of MFCS’95.
[16] A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Math., 5, 1955.
[17] Kim G. Larsen, Paul Pettersson, and Wang Yi. Model-checking for real-time systems. In Proc. of Fundamentals of Computation Theory, 1995.
[18] Martin Abadi and Leslie Lamport. An Old-Fashioned Recipe for Real Time. Lecture Notes in Computer Science, 600, 1993.
[19] N. Shankar. Verification of Real-Time Systems Using PVS. Lecture Notes in Computer Science, 697, 1993. In Proceedings of CAV’93.
[20] Thomas A. Henzinger and Pei-Hsin Ho. HyTech: The Cornell HYbrid TECHnology Tool. Proc. of TACAS, Workshop on Tools and Algorithms for the Construction and Analysis of Systems, 1995. BRICS report series NS-95-2.
[21] C. Daws, A. Olivero, and S. Yovine. Verifying ET-LOTOS programs with KRONOS. In Proceedings of 7th International Conference on Formal Description Techniques, 1994.
[22] K. Cerans, J. C. Godskesen, and K. G. Larsen. Timed modal specifications — theory and tools. Lecture Notes in Computer Science, 697, 1993. In Proceedings of CAV’93.
[23] Oleg V. Sokolsky and Scott A. Smolka. Local model checking for real-time systems. In Proc. of CAV’95, volume 939, pages 211–224. Springer Verlag, 1995.
[24] J. C. Godskesen and K. G. Larsen. Synthesizing Distinguishing Formulae for Real Time Systems — Extended Abstract. Lecture Notes in Computer Science, 1995. Proc. of MFCS’95.
Recent Publications in the BRICS Report Series
RS-96-59 Kim G. Larsen, Paul Pettersson, and Wang Yi. Compositional and Symbolic Model-Checking of Real-Time Systems. December 1996. 12 pp. Appears in 16th IEEE Real-Time Systems Symposium, RTSS ’95 Proceedings, 1995.
RS-96-58 Johan Bengtsson, Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi. Uppaal — a Tool Suite for Automatic Verification of Real-Time Systems. December 1996. 12 pp. Appears in Alur, Henzinger and Sontag, editors, DIMACS Workshop on Verification and Control of Hybrid Systems, HYBRID ’96 Proceedings, LNCS 1066, 1996, pages 232–243.
RS-96-57 Kim G. Larsen, Paul Pettersson, and Wang Yi. Diagnostic Model-Checking for Real-Time Systems. December 1996. 12 pp. Appears in Alur, Henzinger and Sontag, editors, DIMACS Workshop on Verification and Control of Hybrid Systems, HYBRID ’96 Proceedings, LNCS 1066, 1996, pages 575–586.
RS-96-56 Zine-El-Abidine Benaissa, Pierre Lescanne, and Kristoffer H. Rose. Modeling Sharing and Recursion for Weak Reduction Strategies using Explicit Substitution. December 1996. 35 pp. Appears in Kuchen and Swierstra, editors, 8th International Symposium on Programming Languages, Implementations, Logics, and Programs, PLILP ’96 Proceedings, LNCS 1140, 1996, pages 393–407.
RS-96-55 Kåre J. Kristoffersen, François Laroussinie, Kim G. Larsen, Paul Pettersson, and Wang Yi. A Compositional Proof of a Real-Time Mutual Exclusion Protocol. December 1996. 14 pp. To appear in Dauchet and Bidoit, editors, Theory and Practice of Software Development. 7th International Joint Conference CAAP/FASE, TAPSOFT ’97 Proceedings, LNCS, 1997.
RS-96-54 Igor Walukiewicz. Pushdown Processes: Games and Model Checking. December 1996. 31 pp. Appears in Alur and Henzinger, editors, 8th International Conference on Computer-Aided Verification, CAV ’96 Proceedings, LNCS 1102, 1996, pages 62–74.