This paper presents an automatic method for calculating the path condition for programs with real time constraints. We model concurrent systems using timed transition systems and translate them into extended timed automata. Then an acyclic extended timed automaton is constructed and the path condition is calculated backwards over it. This method can be used for the semiautomatic verification of a unit of code in isolation, i.e., without providing the exact values of parameters with which it is called. It can also be used for test case generation for real-time systems. Such a symbolic model checking algorithm was implemented previous in the PET system [10] for untimed systems. Our method can also be used for the automatic generation of test cases for unit testing. The current generalization of the calculation of path condition for the timed case turns out to be quite tricky, since not only the selected path contributes to the path condition, but also the timing constraints of alternative choices in the code.
Introduction
Software testing often involves the use of informal intuition and reasoning. Although there are several tools and techniques for mechanizing the testing process, many of the tools focus on bookkeeping and the administration of testing results. Formal methods such as automatic verification (model checking) and deductive verification are more systematic and comprehensive, but they involve some inherent complexity and decidability difficulties. The testing process, on the other hand, benefits from the ability to exploit human experience and intuition in order to accelerate the validation.
Although adding human intuition to the validation process suggests a manual technique, it is possible to employ some mathematical ideas and provide tools to support it. Such tools can help in translating the informal ideas and intuition into formal specification, assist in searching the code, support the process of inspecting it and help analyzing the results. A tester, who is typically also an experienced programmer, may have a vague idea where problems in the code may occur. For example, it may involve executing a particular loop twice, followed by another segment of code. This, along with some data satisfying some particular conditions exchanged with another process, may cause a certain overflow to occur. The following techniques may help the tester to confirm or refute such a suspicion:
• A search of the code, guided by some formal description (e.g., a temporal formula) of the suspicious case. Such a search, based on model checking [5] techniques, should suggest some sequences of instructions that meet the description of program locations mentioned in the suspicious case.
• The generation of a condition for a generated suspicious sequence. Such a condition describes the allowed values for the program variables at the beginning of the sequence. Starting the execution with values satisfying this condition allows one to recreate the execution.
In the current work, we concentrate on the automatic generation of test cases for concurrent real-time systems. In order to test a particular behavior of the system we generate path conditions for (concurrent real-time) execution paths. Instantiating such path conditions allows us to test the desired path. We do not assume finite state systems. Hence our modeled systems may reference unbounded variables in tests and assignments (when we ignore the particular word length in a given machine). Such a precondition characterizes all the states from which we can execute the path. However, there may be other possible executed paths, due to nondeterministic choice, which can be eliminated by adding further synchronization. The path condition calculation can be used in a model checking search, hunting for a path satisfying a given temporal property. This is done for the untimed case in [10] and was imple-mented in the PET system. It allows us to verify a procedure or collection of procedures in isolation, without providing initial values. Using the weakest precondition calculation, the verification is performed symbolically, or "for all parameters at once". The temporal property is translated into an automaton and contributes to the calculation of the path condition (i.e., it is a condition for executing a path while satisfying the temporal property).
For the real-time case, we need to generalize the calculation of a path condition, taking into account only the essential conditions to follow a particular path in the execution. For example, if the path is abcd, we may constrain only a to precede b, for being on the same process, c to precede d, again, for being on the other process, and b to precede d, for referring to the same variable. We start with a given path (in the flow chart, or interleaved from different flow charts for concurrent processes) merely from practical consideration; it is very simple to specify an interleaved execution sequence. However, we look at the essential partial order, which is consistent with the real-time constraints, rather than at the total order. We cannot assume that transitions must follow each other, unless this order stems from some sequentiality constraints (such as transitions belonging to the same process or using the same variable) or from timing constraints. Thus, with the above restrictions, acbd is equivalent to abcd and represents the same (partial order) execution.
For untimed systems, there is no difference between the condition for the partial order execution and the condition for executing any of the sequences (linearizations) consistent with it. Because of commutativity between concurrently executed transitions, we obtain the same path condition either way. However, when taking the time constraints into account, the actual time and order between occurrences of transitions does affect the path condition (which now includes time information).
After the introduction of the untimed path condition in [6] , weakest precondition for timed system was studied in [4, 12, 16] . The paper [4] extended the guarded-command language in [6] to involve time. But it only investigated sequential programs with time constraints. The paper [16] gave a definition of the weakest precondition for concurrent programs with time constraints, based on discrete time, rather than dense time. The weakest precondition in [12] is defined for timed guarded-command programs or, alternatively, timed safety automata.
We model concurrent systems using timed transition systems. Our model is quite detailed in the sense that it separates the decision to take a transition (the enabling condition) from performing the transformation associated with it. We allow separate timing constraints (lower and upper bounds) for both parts. Thus, we do not find the model proposed in [11] , which assigns a lower and upper time constraints for a transition that includes both enabling transi- tion and a transformation, detailed enough; this is because alternative choices (which were not taken) in the code may compete with each other, and their time constraints may affect each other in quite an intricate way. Although we do not suggest that our model provides the only way for describing a particular real-time system, it is detailed enough to demonstrate how to automatically generate test cases for realistic concurrent real-time systems.
In our solution, we translate the timed transition system into a collection of extended timed automata, which is then synchronized with constraints stemming from the given execution sequence. We then obtain a directed acyclic graph of executed transitions. We apply to it a weakest precondition construction, enriched with time analysis based on time zone analysis (using difference bound matrices). The framework of the solution is displayed in Figure 1 .
Modeling Concurrent Timed Systems
As mentioned in the introduction, we describe concurrent real-time systems using timed transition systems (TTSes). We provide semantics for the latter model in terms of extended timed automata (ETAs). This is done by defining a modular translation, where each process in the TTS model is translated into an ETA. Thus the entire TTS model is translated into a network of synchronizing ETAs. This section defines the two models and the translation.
Timed Transition Systems
We consider a timed transition system over a finite set of processes P 1 . . . P n . Each process consists of a finite number of transitions. Although the processes are not mentioned explicitly in the transitions, each process P i has its own location counter loc i . The transitions involve checking and updating control variables i.e., location counters, and program variables 2 (over the integers). An enabling condition is an assertion over the variables. It is possible that a transition is jointly performed by two processes, e.g., a synchronous communication transition. We leave out the details for various modes of concurrency, and use as an example a model that has only shared variables.
A transition t includes (1) an enabling condition c, (2) an assertion over the current process P j location, of the form loc j =l, (3) a transformation f of the variables, and (4) a new valuel ′ for the location of process P j . For example, a test (e.g., while loop or if condition) from a control valuel of process P j to a control valuel ′ , can be executed when (loc j =l ) ∧ c, and result in the transformation f being performed on the variables, and loc j =l ′ .
We equip each transition with two pairs of time constraints
l is a lower bound on the time a transition needs to be continuously enabled until it is selected. u is an upper bound on the time the transition can be continuously enabled without being selected. L is a lower bound on the time it takes to perform the transformation of a transition, after it was selected. U is the upper bound on the time it takes to perform the transformation of a transition, after it was selected.
Writing (changing the value of) a variable can be done in the transformation part of the transition while reading (accessing its value) can be done in either the condition or transformation. We allow shared variables, but make some restrictions on reading and writing by transitions of different processes. In particular, we assume that in our models at most one variable v can be written by two transitions a and b in different processes. Moreover, if both write to v, then v is not read in either of their conditions (to achieve this, transitions may need to be broken into several parts).
Every process can be illustrated as a directed graph G. A location is represented by a node and a transition is represented by an edge. Figure 2 shows Fig. 3 . The description of an assignment node 
Capturing programs as TTS processes
A program is essentially a flow chart. A flow chart can be captured as a TTS process, sometimes in different ways. For instance, an assignment node can be described as a transition with an enabling condition true and a transformation that is an assignment (see Figure 3) . A branch node with predicate pred can be described as shown in Figure 4 . It uses two transitions with null transformation. pred and ¬pred are the enabling conditions of the two transitions respectively, depending on whether the corresponding edge of the diamond is labeled yes or no. Another way of capturing the branch node is shown in Figure 5 .
Extended Timed Automata
An extended timed automaton is a tuple V, X, Cl, B, F, S, S 0 , Σ, E where
• V is a set of variables.
• X is a finite set of assertions over the set of variables V .
• Cl is a finite set of clocks.
• B is a set of Boolean combinations of assertions over clocks of the form x #ĉ, where x is a clock, # is a relation from {<, >, ≥, ≤, =} andĉ is a constant (not necessarily a value, as our timed automaton can be parameterized).
• F is a set of transformations for the variables. Each component of F can be represented e.g., as a multiple assignment to some of the variables in V .
• S is a finite set of states 3 . A state s ∈ S is labeled with an assertion s X from X and an assertion s B on B that need to hold invariantly when we are at the state.
• S 0 ⊆ S are the initial states.
• Σ is a finite set of labels.
• E the set of edges over S × 2
Cl × Σ × X × B × F × S. The first component of an edge e ∈ E is the source state. The second component e
Cl is the set of clocks that reset to 0 upon firing this edge. A label e Σ from Σ allows synchronizing edges from different automata, when defining the product. We allow multiple labels on edges, as a terse way of denoting multiple edges. An edge e also includes an assertion e X over the variables, an assertion e B over the clocks that has to hold for the edge to fire, a transformation e The above definition extends timed automata [1] by allowing conditions over variables to be associated with the edges and states, and transformations on the variables on the edges (similar to the difference between finite state machines and extended finite state machines).
Semantics
The semantics of extended timed automata is defined as a set of executions. An execution is a (finite or infinite) sequence of triples of the form s i , V i , T i , where
1. s i is a state from S, 2. V i is an assignment for the variables V over some given domain(s), such that V i |= s X i and 3 We use the term "state" for extended timed automata to distinguish from "location" for timed transition systems.
3. T i is an assignment of (real) time values to the clocks in Cl such that
In addition, for each adjacent pair s i , V i , T i s i+1 , V i+1 , T i+1 one of the following holds:
An edge is fired. There is an edge e from source s i to target s i+1 , where T i |= e B , V i |= e X , T i+1 agrees with T i except for the clocks in e Cl , which are set to zero, and V i+1 = e F (V i ), where e F (V i ) represents performing the transformation over V i . Passage of time. T i+1 = T i + δ, i.e., each clock in Cl is incremented by some real value δ. Then V i+1 = V i and s i+1 = s i .
An infinite execution must have an infinite progress of time. An initialized execution must start with s ∈ S 0 and with all clocks set to zero. However for generation of test cases we deal here with finite consecutive segments of executions, which do not have to be initialized.
The product of ETA
Let us consider two ETAs,
Assume the clock sets Cl 1 and Cl 2 are disjoint. Then the product, denoted 1 ∈ B 1 and s 2 ∈ S 2 with s X 2 2 ∈ X 2 and s
2 . The set E of edges are defined as follows. For every edge e 1 = s 1 , e 
2 , e
• edges only in ETA 1 or ETA 2 : if e
Cl 1 1 , e
1 , e
Translating Timed Transition Systems into Extended Timed Automata
We describe the construction of a set of extended timed automata from a timed transition system. We should emphasize that this construction defines the semantics of a timed transition system as the corresponding set of extended timed automata.
We first show how to construct states and edges for one particular location. An ETA is generated after all locations in a TTS process are translated. Any location in a process is said to be the neighborhood of the transitions that must start at that location. The enabledness of each transition depends on the location counter, as well as an enabling condition over the variables. Location counters are translated in an implicit way, such that each different location is translated into a different set of states. For a neighborhood with n transitions t 1 , . . . , t n , let c 1 , . . . , c n be the enabling conditions of n transitions respectively. A Boolean combination of these conditions has the form of
where C i is c i or ¬c i . Each transition t j in the neighborhood has its own local clock x j . Different transitions may have the same local clocks, if they do not participate in the same process or the same neighborhood.
1. We construct 2 n enabledness states, one for each Boolean combination of enabling condition truth values. For any enabledness states s i and s k , there is an internal edge starting at s i and pointing to s k . Let C i and C k be the combinations for s i and s k , respectively. The edge from s i to s k is associated with C k as the assertion over the variables. For any condition C j which appears negative (¬c j ) in C i and positive (c j ) in C k , the clock x j is reset (x j := 0) upon the edge, for measuring the amount of time that the corresponding transition is enabled. We do not reset x j in other cases. We add a self loop to each state in order to generate the product of automata. The self loop is labeled with the same combination as the state has, but it does not reset any clocks. 2. We construct a target state per each transition in the neighborhood to represent its target location. 3. We also have an additional intermediate state per each transition in the neighborhood, from which the transformation associated with the selected transition is performed. For any enabledness state s with the combination C in which the condition corresponding to the transition t j is c j , let s ′ j be the intermediate state for t j and do the following: 3a. We have the conjunct x j < u j as part of s X , the assertion over the clock of t j , disallowing t j to be enabled in s more than its upper limit u j . 3b. We add a decision edge with the assertion x j ≥ l j from s, allowing the selection of t j only after t j has been enabled at least l j time continuously since it became enabled. On the decision edge, we also reset the clock x j to measure now the time it takes to execute the transformation. 3c. We put the assertion x j < U j into s ′ j , not allowing the transformation
. A neighborhood of two TTS transitions to be delayed more than U j time. 3d. We add a transformation edge from s ′ j to the target state of t j with the enabling condition x j ≥ L j and the transformation of t j .
The connection of translations of locations to generate an ETA is done by merging target states with enabledness states that are translated from the same location. Since target states may correspond, by our transformation, to multiple enabled states of a new location, each edge pointing to the target state is replicated to have a copy pointing to every enabledness state. Moreover, each duplicated edge uses the corresponding combination of conditions of its target state as its enabling condition, and needs to reset clocks that appear in the invariant assertion of its target state. Figure 6 illustrates a neighborhood with two transitions and Figure 7 provides the ETA construction for this neighborhood. The states s 1 , s 2 , s 3 and s 4 are enabledness states, corresponding to the subset of enabling conditions of t 1 and t 2 that hold in the current locationl. The states s 5 and s 6 are intermediate states. The edges to s 5 correspond to t 1 being selected, and the edges to s 6 correspond to t 2 being selected. The edges into s 5 also reset the local clock x 1 that times the duration of the transformation f 1 of t 1 , while the edges into s 6 zero the clock x 2 that times the duration of f 2 . The state s 5 (s 6 , respectively) allows us to wait no longer than U 1 (U 2 , resp.) before we perform t 1 (t 2 ). The states s 7 and s 8 are target states. The edge from s 5 (s 6 ) to s 7 (s 8 ) allows delay of no less than L 1 (L 2 ) before completing t 1 (t 2 ). Note that s 7 (as well as s 8 ) actually represents one of a set of enabledness states, in the pattern of s 1 to s 4 , for the locationl ′ (l ′′ , resp), according to the enabledness of transitions in it. Figure 8 shows two consecutive transitions and Figure 9 provides the ETA construction for these transitions. For simplicity, the self loops are omitted. 
Fig. 7. The ETA for the neighborhood of two TTS transitionŝ In order to compute the path condition, the first step of our method involves generating an acyclic ETA (which we will call a DAG, or directed acyclic graph). Then the path condition is computed by propagating constraints backwards in this DAG. The DAG is generated using the set of ETAs corresponding to the TTS in question and the TTS path (i.e., program transition sequence) provided by the user.
The partial order of a TTS path
Given a selected sequence σ of occurrences of transitions, we calculate the essential partial order, i.e., a transitive, reflexive and asymmetric order between the execution of the transitions, as described below. This essential partial order is represented as a formula over a finite set of actions Act = A c ∪ A f , where the actions A c represent the selections of transitions, i.e., waiting for their enabledness, and the actions A f represent the transformations. Thus, a transition a is split into two components, a c ∈ A c and a f ∈ A f . For two transitions a with a c and a f and b with b c and b f , and a occurs earlier in σ than b does, the ordering relation ≺ over {a c , a f , b c , b f } is defined as follows. 
By applying the above definition to every pair of transitions in the sequence, we obtain a partial order ≺⊂ Act × Act. The transitive relations in the partial order can be removed to form the essential partial order whose transitive closure is the partial order. For example, if actions α, β, γ ∈ Act and (α ≺ β) ∧ (β ≺ γ) ∧ (α ≺ γ), α ≺ γ can be removed since it can be deduced from (α ≺ β) ∧ (β ≺ γ). This simplification is done by applying Floyd-Warshall algorithm [8, 17] . From here on, we use the term "partial order" for "essential partial order".
The partial order can be illustrated as a directed graph, where a node represents an action and an edge represents a ≺ relation. For example, we assume that transitions a and b belong to different processes. Let a c and a f be the enabling condition and the transformation of a respectively, and b c and b f the enabling condition and the transformation of b respectively. Moreover, a and b have a shared variable v that is read by the enabledness condition of transition a and updated by the transformation of transition b. The corresponding partial order requires then a c ≺ a f , b c ≺ b f and a c ≺ b f . The partial order is shown in Figure 10 . 
Now, the transformation of transitions in one process may change the enabledness of other transitions that read these values in other processes. Thus, we must synchronize such potential change of enabledness with these transformations as follows. Let a be a transition of some process P i that changes some variable v. Then a f appears as a label on all the edges between enabledness states of other processes that have a condition which reads the value of v (obviously, v is not a program counter, as a cannot change the value of program counters other than that of its own process, P i ). For the graph in figure 7 , the edges between nodes s 1 , s 2 , s 3 and s 4 , including self loops, are labeled with d f for each transition d that is not included in the same process, and has a transformation that can change a variable appearing in the conditions c 1 or c 2 . (These labels do not appear in figure 9 .)
Recall that edges between enabledness nodes can be labeled by several actions.
Formally, that means that such an edge is copied into several copies that are identical except for the label. Moreover, each edge of the ETA generated needs to be labeled by at least some action in order to be executable.
Let ≺ be a finite partial order among occurrences St of Act . Note that an action from Act can occur multiple times. An occurrence is then a pair from Act × N , where N are the natural numbers. We generate an automaton Lin ≺ with edges labeled with actions of Act. The automaton Lin ≺ accepts all the linearizations of ≺. Hence, it also necessary accepts the original sequence from which we generated ≺. Fig. 11 . A partial order automaton
The algorithm for generating Lin ≺ is as follows. The sets of states of Lin ≺ are subsets S ⊆ St, the set of occurrences of ≺, such that for each such subset S, it holds that if α ≺ β and β ∈ S then also α ∈ S. They are the history closed subsets of St. A transition of the automaton Line ≺ is of the form S α −→ S ∪ {α}, where α is an occurrence of an action. The empty set is the initial state and the set St is the accepting state. Figure 11 shows the automaton for the partial order in Figure 10 .
The product of ETAs for several processes with an automaton Lin ≺ is the standard one. That is, we start with a common initial state of all ETAs, which will be in some enabledness state of their initial label. The automaton Lin ≺ will be in a state corresponding to the empty set of actions taken so far. Then we progress by taking an action µ from Act in all automata that is labeled by µ.
Calculating Untimed Path Conditions
A path of a program is a consecutive sequence of nodes in the flow chart. The projection of an execution sequence on the program counter values is a path through the nodes labeled with these program counter values in the corresponding flow chart. (Not every node has to have an explicit program counter value labeling it, but our implementation automatically provides such a value when translating code to a flow chart.) Thus, in general, a path may correspond to multiple executions. A path condition is a first order predicate that expresses the condition to execute the path, starting from a given node. In deterministic code, when we start to execute the code from the first node in the path in a state that satisfies the path condition, we are guaranteed to follow that path. In case of nondeterminism, this is the condition on assignments at the beginning of the path that can execute the path (if favorable nondeterministic choices are made). Or stated differently, one can avoid executing the path when starting at its beginning exactly with assignments not satisfying the path condition.
We first translate the flow chart nodes into (untimed) transitions. The translation is the same as the way described in Figure 3 and 4 except that we do not consider time here. We obtain a graph with nodes representing locations and edges representing transitions. When we translate the path at the left of Figure 12 , we obtain the graph on the right of that figure (for simplicity, we do not use the program counter in the translation). To avoid confusion, we use the term "node" for the flow chart nodes in this section, while use "point" for the nodes in the translated graph.
An accumulated path condition represents the condition to move from the current point in the calculation to the end of the path. The path condition is the accumulated path condition at the first point of the path. The current point moves at each step in the calculation of the path condition backwards, over one node to the previous point. We start with the condition true, at the end of the path (i.e., after the last node). Going backwards from a given point over an edge marked with a transition with condition c and transformation f and into another point, we perform the following transformations to the accumulated path condition ϕ to obtain a new path condition ϕ R :
• We "relativize" the ϕ with respect to the assignment representing the transformation; if the assignment is of the form v := expr, where v is a variable and expr is an expression, we substitute expr for each free occurrence of v in the path condition. This is denoted by ϕ[expr/v], and is generalized to multiple assignment
• Conjunct the condition c. We simplify the new accumulated path condition obtained using various first order logic equivalences.
Thus, ϕ R is defined as follows:
Calculating the path condition for the example in Figure 12 backwards, we start at the end of the path, i.e., point D, with an accumulated path condition true. Moving backwards through the assignment v1 := v1 * 2 to point C, we substitute every occurrence of v1 with v1 * 2. However, there are no such occurrences in true, so the accumulated path condition remains true.
Conjoining true with the transition condition true maintains true. Progressing backwards to point B, we now conjoin the accumulated path condition with ¬v > v1, obtaining (after simplification, which gets rid of the conjunct true) ¬(v > v1). This is now the condition to execute the path from B to D. Passing further back to point A, we have to relativize the accumulated path condition ¬(v > v1) with respect to the assignment v := v + 1, which means replacing the occurrence of v with v + 1, obtaining ¬(v + 1 > v1). Again, conjoining that with true does not change the accumulated path condition. The accumulated path condition at point A is the path condition for the path in Figure 12 .
Path condition for a DAG
Without timing constraints, the condition to perform at least one path in the DAG can be calculated as follows: 4. Suppose an initial state of the DAG is reached during the backward calculation. By the product of automata, such a node can consist of several components from different ETAs. For each such a component that is an enabledness node, there is some combination of conditions associated with it (this condition appears on any incoming edge for such component; refer to Section 2.3 for details). These combinations, one per each such component node, must be conjuncted with the accumulated precondition. For non initial states this is not needed, as these combinations are processed during the backward calculation. 5. Finally, all initial preconditions of initial states are disjuncted together to form the initial precondition of the DAG.
Adding Time Constraints
We describe now how to add the time constraints for the DAG condition. Time constraints are a set of relations among local clocks. We also use a global clock to count system execution time from its initial state to its last state which, unlike local clocks, is not reset during the execution. Time constraints can be obtained from reachability analysis of clock zones. Difference-Bound Matrix (DBM) [7] is a data structure for representing clock zones.
The data structure
A DBM is a (m + 2) × (m + 2) matrix where m is the number of local clocks of all processes. Each element D i,j of a DBM D is an upper bound of the difference of two clocks x i and x j , i.e., x i − x j ≤ D i,j . We use x 1 to represent the global clock and x 2 , · · · , x m+1 to represent local clocks. The clock x 0 is a special clock whose value is always 0. Therefore, D i,0 (i > 0), the upper bound of x i − x 0 , is the upper bound of clock x i ; D 0,j (j > 0), the lower bound of x 0 − x j , is the negative form of the lower bound of clock x j . To distinguish non-strict inequality ≤ with strict inequality <, each element D i,j has the form of (r, F ) where r ∈ R ∪ {∞} and F ∈ {≤, <} with an exception that F cannot be ≤ when r is ∞. Addition + is defined over F, F ′ ∈ {≤, <} as follows:
Now we define addition + and comparison < for two elements (r 1 , F 1 ) and (r 2 , F 2 ).
The minimum of (r 1 , F 1 ) and (r 2 , F 2 ) is defined below:
. An unsatisfiable DBM D represents an empty clock zone.
Calculating time constraints following an edge τ backwards from its target state s to its source state s ′ has been explained in [18] . Let I(s ′ ) τ be the assertion on clocks in state invariant of s ′ , and ψ τ be the assertion on clocks on the edge τ . The DBM D represents the time constraints at s. Assertions I(s ′ ) τ and ψ τ are represented by DBMs too. The time constraints D ′ at s ′ is defined as follows:
The operators appearing in formula (2) c 2 ) . Therefore, when we calculate time constraints from after resetting back to before resetting, we substitute
. Therefore, for a clock x i that is not reset, update its upper and lower bounds as follows:
2. On the other hand, for a clock x k that is reset, its value before resetting can be any non-negative real number. Thus its lower bound is 0 and upper bound is ∞, i.e., D
3. For a clock x i that is not reset and a clock x k that is reset, update
(Note that this step must be done after the upper bound of x i is updated.) 4. For two clocks x i and x j that are not reset,
Note that intermediate DBMs in the calculation of formula (2) need to be changed to canonical form after each operation. This is done using FloydWarshall algorithm to find the all-pairs shortest paths.
Reset operation in backward DBM calculation needs special treatment, which is not explained in [18] . Consider the example in Figure 13 . We start computation at state s 3 with the following DBM D (for the sake of simplicity, we neglect the global clock here.).
The clock x 1 is encoded in the second row and x 2 in third. After backward calculation to s 2 , we obtain a new DBM D ′ .
The DBM calculated backwards at s 1 appears below.
That the last DBM is satisfiable means that the path from s 1 to s 3 is possible, while in fact, it is not. This situation implies that backward reset operation loses some useful information which can tell whether the path is possible or not. The element D ′ 2,1 represents x 2 −x 1 < −2, which means that x 1 goes longer than x 2 . However, the fact that x 1 and x 2 are reset at same time requires that their readings are also the same after being reset. This contradiction reveals that this path is impossible. Therefore, we add extra operation before reset Fig. 13 . An example operation: If more than one clock is reset at the same time, check whether an upper bound of the differences among them is smaller than 0. If the answer is yes, the DBM cannot be satisfiable.
The algorithm
We can now calculate the condition for that DAG from the leaf states backwards. The condition would use the usual weakest precondition for variables, and a similar update for time variables that involve local clocks and time parameters. When a state has several successors, we disjoin the conditions obtained on the different edges. The backward calculation of the precondition for a DAG is described as follows: 
In D 0 , the upper bound and the lower bound of the global clock are both d. This is because when we start at a leaf state to calculate time constraints backwards, we do not know the exact value of the global clock when the system enters the leaf state, and therefore assume its value is d. We need not assume a value for any local clock. Thus their values ranges
Pick up a state z that is marked new such that all its successors Y = {y 1 , . . . , y k } are marked old. 3b. For each y i ∈ Y there is an assertion over variables ϕ i and over clocks D i already attached. We obtain ϕ R i from ϕ i according to the formula (1) and D R i from D i according to the formula (2). 3c. Attach
to the state z. Mark z as old. 4. As in the untimed case, as the construction propagates backwards, we need to consider each initial state of the DAG. For each such node, the combination of conditions associated with its components that are enabledness states of ETAs are conjuncted with its accumulated precondition. 5. All initial preconditions of initial states are disjuncted together to form the initial precondition of the DAG.
Note that we must record in each step the status of each shared variable in order not to evaluate a condition which contains a non-accessible shared variable. The precondition calculated by the algorithm is a set of conditions, each of which contains a Boolean expression on variables and a DBM. We allow some time bounds to be parameters. In this case, the Boolean expression may contain a subexpression on the parameters.
An Example
We give an example to show the whole process of how to obtain a DAG from a timed transition system and a given partial order, and then the precondition of the partial order. A system consists of two concurrent programs. The variable v is a shared variable and variables f 1 and f 2 are local variables.
The semantics of wait statement is described as follows: It has three parameters. The first one is the condition it waits for to become true. The second is the time limit and the third is a variable. A timer is started when the statement is executed. If the time limit is reached before the condition becomes true, a timeout is triggered and the variable is set to 1. If the condition becomes true before timeout, the variable is set to 0 and the timer is canceled. It is not appropriate to detect whether the wait statement timeouts or not by testing the condition because the condition may not be accessed after the wait statement. That the time limit is -1 means the process can wait for the [10, 15] for those writing a shared variable. The bounds for evaluating the nontautological enabling condition of a transition which does not access any shared variable are [8, 10] . The bounds for an enabling condition are [10, 15] if the transition accesses a shared variable. Assigning a value to a variable has bounds [8, 10] . The addition operation has bounds [10, 20] The product extended timed automaton is shown in Figure 18 . Only states and edges are displayed. Every state in the product automaton contains one state from Program 1 and one from Program 2. The name of the latter is shown above the name of the former. The product automaton has two initial states because Program 1 has two initial states and Program 2 has one. Note that a product does not contain self-loops.
For a given sequence "q1 1→q1 4, q1 4→q1 2, q1 2→q1 5, q2 1→q2 2" of transitions in Figure 16 , the calculated partial order is shown in Figure 19 . The left part of the figure is the partial order composed of flow chart nodes in order to give users some intuition about the partial order relation. To generate the DAG, it is decomposed into the one on the right part of the figure, which is composed of ETA edges. The node "q1 1 => q1 1 q1 4-tran" represents the edge from state "q1 1" to state "q1 1 q1 4-tran" in Program 1. Other nodes have similar meaning. The wait statement in Program 1 behaves as no timeout occurs since testing the condition f 1 = 0 succeeds (and thus f 2 is set to 0). In this partial order, the wait statement gains the access first and the assignment acquires the shared variable after the wait statement releases it. Therefore, there is an edge in the partial order starting at the wait statement and pointing to the assignment, representing the wait statement must be executed earlier than the assignment. However, only the enabling condition en of the transition in the wait statement references the shared variable, while the transformation does not. That is, the wait statement reads the shared variable. Thus, the assignment v := v + 1 can be started after the evaluation of en finishes, which is illustrated as the edge from the node "q1 1 => q1 1 q1 4-tran" to the one "q2 1 => q2 1 q2 2-tran".
The DAG is shown in Figure 20 . There is only one initial state in this DAG. For other partial orders, there could be multiple initial states. A path from an initial state to a leaf state represents a linearization of the partial order. The precondition of the given partial order is
The DBMs are omitted from the precondition since they are mainly used for reachability analysis. Not only is there a condition over v in the precondition, but also a condition over l. The condition l ≥ 10 means that when we use a value to replace l in Program 1, no linearization of the partial order can be executed if the value is smaller than 10. This example shows that our methodology can be used to calculated the bounds for time parameters, in addition for preconditions over variables. This characteristic is very useful when constructing test cases for real-time systems.
Implementation
We have implemented the path condition calculation as the real-time extension to the PET system [10] , according to the construction described in this paper. The figures in the previous section are based on output generated by PET.
When we translate a timed transition system into extended timed automata, a location can be translated into 2 n states if it has a neighborhood with transitions. In practice, however, the number of states is limited by program structures. For example, the if statement has two branches: one satisfies the condition and the other satisfies the negation of the condition. After the branches are translated into transitions, there are less than four combinations of enabling conditions, since the two enabling conditions cannot be both satisfied. Combinations that are equivalent to false can be removed, together with the edges attached to them. The wait statement in the previous section only generates two combinations because one enabling condition is true.
Calculating a precondition for a partial order runs very fast if all time bounds in the system are constants. However, when we calculate time constraints symbolically in order to handle symbolic parameters appearing on time bounds in timed systems (as was shown in the example), the initial constraints on time parameters, such as l 1 ≤ u 1 and L 1 ≤ U 1 may remain unresolved in their parametrized form in the resulted precondition.
There are two DBM operations that need to be considered carefully during symbolic calculation. One is canonicalization. The other is to check whether a DBM is satisfiable. These two operations have higher complexity than other operations. Canonicalization can be computed by Floyd-Warshall algorithm, which has O(n 3 ) complexity. Checking satisfiability can be computed by BellmanFord algorithm [2, 9, 15] . Bellman-Ford algorithm checks a single source vertex to all other vertices and runs in O(nm), which is actually O(n 2 ) due to m equal to n − 1 in DBM. Bellman-Ford algorithm has to be applied to every source vertex so that checking satisfiability also runs in O(n 3 ). Therefore, both of them generate O(n 3 ) symbolic comparisons. Since each comparison may generate three new assumptions, the worst case complexity of computing one DBM is O(3 n 3 ). Although a worst case never occurs in practice, we still experience a very long execution time. Similar result was obtained on handling parametric DBM in forward reachability analysis in [13] .
There are several ways to accelerate the calculation in term of symbolic parameters. An intuitive way is to use parallel computer to do the calculation. Since the operations on one DBM does not communicate with operations on other DBMs, the current sequential algorithm can be modified to a parallel or distributed algorithm without theoretical difficulty. A second way is to apply partial order reduction to the current algorithm. Partial order reduction on model checking timed automata has been studied in [3, 14] . But their results need modification before being applied. Furthermore, both ways can be combined together.
Discussion
We described here a method for calculating the path condition for a timed system. The condition is calculated automatically, then simplified using various heuristics. Of course we do not assume that the time constraints are given. The actual time for lower and upper bounds on transitions is given symbolically. Then we can make various assumptions about these values, e.g., the relative magnitude of various time constants. Given that we need to guarantee some particular execution and not the other, we may obtain the time constraints as path conditions, including e.g., some equations, whose solutions provide the appropriate required time constants.
In addition to the basic TTS model with shared variables and corresponding translation to ETA described in Section 2, the TTS can be extended to handle shared communication. In this case, we need to label the different components, in the different processes, by the same label. The synchronization is done on both the condition edge (as the edge s 2 → s 5 in Figure 7 ) and on the transformation edge (as the edge s 5 → s 7 in Figure 7 ).
We believe that the constructed theory is helpful in the automatic generation of test cases. The test case construction can also be used to synthesize real time system time. Another way to use this theory is to extend it to encapsulate temporal specification. This allows verifying a unit of code in isolation. Instead of verifying each state in separation, one may verify the code according to the program execution paths. This was done for the untimed case in [10] , and we are working on extending this framework for the timed case. Such a verification method allows us to handle infinite state systems (although the problem is inherently undecidable, and hence we are not guaranteed to terminate), and parametric systems e.g., we may verify a procedure with respect to arbitrary allowed input. This is done symbolically, rather than state by state.
