A Tool for the Syntactic Detection of Zeno-timelocks in Timed Automata  by Bowman, Howard et al.
A Tool for the Syntactic Detection of
Zeno-timelocks in Timed Automata
Howard Bowman1 , Rodolfo Gomez2 ,3 and Li Su4
Computing Laboratory
University of Kent,
Canterbury, United Kingdom
Abstract
Timed automata are a very successful notation for specifying and verifying real-time systems, but
timelocks can freely arise. These are counter-intuitive situations in which a speciﬁer’s description
of a component automaton can inadvertently prevent time from passing beyond a certain point,
possibly making the entire system stop. In particular, a zeno-timelock represents a situation where
inﬁnite computation is performed in a ﬁnite period of time. Zeno-timelocks are very hard to
detect for real-time model checkers, e.g. UPPAAL and Kronos. We have developed a tool which
can take an UPPAAL model as input and return a number of loops which can potentially cause
zeno-timelocks. This tool implements an algorithm which reﬁnes a static veriﬁcation approach
introduced by Tripakis. We illustrate the use of this tool on a real-life case-study, the CSMA/CD
protocol.
Keywords: Timed Automata, Zeno-timelocks, UPPAAL.
1 Introduction
Timed automata are one of the success stories of formal methods. This is
largely because they have proved to be amenable to automatic veriﬁcation
using symbolic model checking. Perhaps the most prominent incarnation of
such symbolic model checking is the UPPAAL tool [7], which has been used
1 Email: H.Bowman@kent.ac.uk
2 Supported by the ORS Award Scheme.
3 Email: rsg2@kent.ac.uk
4 Email: ls68@kent.ac.uk
Electronic Notes in Theoretical Computer Science 139 (2005) 25–47
1571-0661 © 2005 Elsevier B.V. Open access under CC BY-NC-ND license.
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.09.006
to verify a number of non-trivial real-time systems (visit www.uppaal.com
for examples and documentation). Despite these successful applications of
timed automata model checking, there are some diﬃculties with the approach.
Perhaps the most important is that timelocks can freely arise and furthermore,
it can be very diﬃcult to determine that a non-trivial system is free from such
timelocks.
Informally speaking a system can timelock if a state can be reached where
no possible subsequent run allows time to diverge, i.e. pass by an inﬁnite
amount. It is important to note that timelocks can arise for a number of
reasons and that diﬀerent classes of timelock need to be handled in diﬀerent
ways. In particular, we can distinguish between the following two classes of
timelock.
Time-actionlocks are states in which neither time or action transitions can
be performed, which typically arise when there is a conﬂict between the ur-
gency and the synchronisation properties of the system, i.e. when a location
invariant ensures that a component automaton must perform a half-action
at a time at which no other component automaton is oﬀering a matching
half-action. Thus, the synchronisation must happen (due to the urgency con-
straint) at a point at which it is not enabled.
Zeno-timelocks are situations in which time is unable to pass beyond a
certain point, but actions continue to be performed. Thus, the system is
continuing to evolve but none of these evolutions will enable time to diverge.
The hallmark of such paradoxical runs is that an inﬁnite number of actions
are performed in a ﬁnite period of time.
It is also important to realise that timelocks are quite diﬀerent from action-
locks, which are the analogue of deadlocks in untimed speciﬁcations. Critically,
actionlocks allow time to pass; the automaton may not be able to perform any
further “useful” computation, but it can still pass time, which means that it
does not prevent other component automata from passing time. The fact that
local actionlocks do not propagate globally is the reason why actionlocks are
much more palatable than timelocks. Global propagation in the timelock situ-
ation arises because global time passing is dependent upon local time passing.
As illustrated by the fact that a collection of timed automata can only pass
time by t time units if all component automata can pass time by t time units.
Thus, eﬀectively, automata synchronise on the passage of time.
In previous papers we have considered the timelock problem, classiﬁed dif-
ferent types of timelocks and highlighted solutions corresponding to the needs
of these diﬀerent classes [3,2,4]. Our main interest here though is with zeno-
timelocks; we present a analytical method to ensure absence of zeno-timelocks
which builds upon the notion of strong non-zenoness introduced by Tripakis
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4726
[9]. We show how Tripakis’ results can be extended, broadening the class of
timed automata speciﬁcations which can be guaranteed to be free from zeno-
timelocks. In particular, the relationship between strong non-zenoness and
synchronising components is analysed in more detail. Moreover, we present
a tool that we have developed which implements this syntactic veriﬁcation
on UPPAAL-like timed automata speciﬁcations. Also, new syntactic prop-
erties, in the spirit of strong non-zenoness, are presented which also ensure
zeno-timelock freedom. This suﬃcient-only approach can only guarantee that
zeno-timelocks do not occur, but it presents two important advantages: a)
it works at a syntactic level, and thus it is more eﬃcient than reachability
analysis, and b) it identiﬁes all potential sources of zeno-timelocks directly on
the timed automata models. Therefore, even if the method fails to recognise
that a model is free from zeno-timelocks, it helps the user in narrowing the
analysis to speciﬁc parts of the model.
To the best of our knowledge, no other tool implements syntactic checks
for zeno-timelock freedom. For example, UPPAAL does not support any form
of zeno-timelock checking. Some other tools do better, e.g. Kronos [10], but
they suﬀer from other problems. For example, Kronos is not as usable a
tool as UPPAAL. UPPAAL presents a well-developed GUI, a rich modelling
language, a graphical simulator, and a fast veriﬁer, among other features.
Kronos can verify the TCTL formula ∀∃=1true , whose satisfaction repre-
sents a suﬃcient and necessary condition to ensure timelock freedom, but its
veriﬁcation is based on reachability analysis. Thus, it could be that for some
speciﬁcations, checking timelock freedom in Kronos would be the most expen-
sive requirement to check and the need to check it could prevent a complete
veriﬁcation.
We begin by deﬁning timed automata and their syntax (see Section 2).
Then we present a summary of our classiﬁcation of deadlocks, and particu-
larly timelocks (see Section 3). Following this we highlight the theory behind
our zeno-timelock checking approach (see Section 4). Then the main body
of the paper describes our tool and presents a case study of zeno-timelock
checking via the veriﬁcation of a CSMA/CD protocol (Section 5). Finally,
Section 6 presents concluding remarks, and an appendix is provided which
includes proofs of the theorems presented in the paper. An extended version
of this paper appears in [5].
2 Timed Automata Notation
Basic Sets
CA is a set of completed (or internal) actions. HA= { a?, a! | a ∈ CA } is a
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 27
set of half (or uncompleted) actions. These give a simple CCS style [6] point-
to-point communication similar, for example, to the synchronisation primitives
found in UPPAAL [7]. Thus, two actions, a? and a! can synchronise and
generate a completed action a. A = HA ∪ CA is the set of all actions. R+
denotes the positive reals without zero and R+0 = R+ ∪ {0}. C is the set of
all clock variables, which take values in R+0. CC is a set of clock constraints
of the form x ∼ n, x− y ∼ n or φ1 ∧ φ2, where n ∈ N, x, y ∈ C, φ1, φ2 ∈ CC
and ∼ ∈ {<,>,=,≤,≥}. Also if C ⊆ C we write CCC for the set of clock
constraints generated from clocks in C. V = C → R+0 is the space of possible
clock valuations and VC = C → R+0 is the space of clock valuations for clocks
in C. L is the set of all possible automata locations.
Timed Automata
An arbitrary element of A, the set of all timed automata, has the form
(L, l0, T, I, C), where the elements are as follows. L ⊆ L is a ﬁnite set of
locations; l0 ∈ L is a designated start location. C is the set of clocks of the
timed automaton. T ⊆ L × A × CCC × P(C ) × L is a transition relation
(where P(S) denotes the powerset of S). A typical element of T would be,
(l1, a, g, r, l2), where l1, l2 ∈ L are automaton locations; a ∈ A labels the
transition; g ∈ CCC is a guard; and r ∈ P(C ) is a reset set. (l1, a, g, r, l2) ∈ T
is typically written, l1
a,g,r−−−→ l2, stating that the automaton can evolve from
location l1 to l2 if the (clock) guard g holds and in the process action a will
be performed and all the clocks in r will be set to zero. I : L → CCC is
a function which associates an invariant with every location. Informally, the
automaton can remain on a given location only as long as the invariant is true.
Thus, invariants are used to model urgency: (enabled) outgoing transitions
must be taken immediately when the corresponding location invariant is false.
We will be precise about the interpretation of invariants when we discuss the
semantics of TAs shortly, however, it is important to understand the diﬀerence
between the role of guards and invariants. In this respect we can distinguish
between may and must timing. Guards express may behaviour, i.e. they state
that a transition is possible or in other words may be taken. However, guards
cannot “force” transitions to be taken. In contrast, invariants deﬁne must
behaviour. This must aspect corresponds to urgency , since an alternative
expression is that when an invariant expires, outgoing transitions must be
taken straightaway.
Semantics
Timed automata are semantically interpreted over transition systems which
are triples, (S, s0,⇒), where S ⊆ L×V is a set of states; s0 ∈ S is a start state;
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4728
and⇒⊆ S×Lab×S is a transition relation, where Lab = A∪R+. Thus, tran-
sitions can be of one of two types: discrete transitions, e.g. (s1, a, s2), where
a ∈ A and time transitions, e.g. (s1, d , s2), where d ∈ R+ and the passage of d
time units is denoted. Transitions are written: s1
a
=⇒ s2 respectively s1
d
=⇒ s2.
For a clock valuation v ∈ VC and a delay d, v+d is the clock valuation such
that (v+d)(c) = v(c)+d for all c ∈ C. For a reset set r, we use r(v) to denote
the clock valuation v′ such that v′(c) = 0 whenever c ∈ r and v′(c) = v(c)
otherwise. v0 is the clock valuation that assigns all clocks to the value zero.
The semantics of a timed automaton A = (L, l0, T, I, C) is a transition
system, (S, s0,⇒), where S = { s
′ ∈ L × VC | ∃s ∈ S, y ∈ Lab . s
y
=⇒ s′ } ∪
{ [l0, v0] } is the set of reachable states, s0 = [l0, v0] and ⇒ is deﬁned by two
inference rules (I(l0)(v0) is required to hold):
l a,g,r−−−→ l′ g(v) I(l′)(r(v))
[l, v]
a
=⇒ [l′, r(v)]
∀d′ ≤ d . I(l)(v + d′)
[l, v]
d
=⇒ [l, v + d]
The ﬁrst rule gives an interpretation to invariants such that locations cannot
be entered if the corresponding invariant is false. This interpretation, usually
known as the strong-invariant interpretation, is the one adopted by UPPAAL
and also assumed by our non-urgency properties presented in Section 4.
Parallel Composition
We assume our system is described as a network of timed automata. These
are modelled by a vector of automata 5 denoted, |A = |〈A[1], ..., A[n]〉 where
A[i] is a timed automaton. In addition, we let u, u′, etc, range over the set
U of vectors of locations, which are written, 〈u[1], ..., u[n]〉. We use a substi-
tution notation as follows: 〈u[1], ..., u[j], ..., u[n]〉[u[j]′/u[j]] = 〈u[1], ..., u[j −
1], u[j]′, u[j+1], ..., u[n]〉 and we write [u[j]′/u[j]] as [j′/j] and u[i′1/i1]...[i
′
m/im]
as u[i′1/i1, ..., i
′
m/im].
If ∀i(1 ≤ i ≤ n) . A[i] = (Li, li,0, Ti, Ii, Ci) then the product automaton,
which characterises the behaviour of |〈A[1], ..., A[n]〉 is given by, (L, l0, T, I, C)
where L = { |u | u ∈ L1× ...×Ln }, l0 = |〈l1,0, ..., ln,0〉, T is as deﬁned by the
following two inference rules, I(|〈u[1], ..., u[n]〉) = I1(u[1]) ∧ ... ∧ In(u[n]) and
C = C1 ∪ ... ∪ Cn.
u[i] x?,gi,ri−−−−−→u[i]′ u[j]
x!,gj,rj−−−−−→ u[j]′
|u
x,gi ∧ gj ,ri∪rj−−−−−−−−−→|u[i′/i, j′/j]
u[i] x,g,r−−−→u[i]′ x ∈ CA
|u x,g,r−−−→|u[i′/i]
5 Although our notation is slightly diﬀerent, our networks can be related, say, to the process
networks used in UPPAAL.
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 29
where 1 ≤ i = j ≤ |u|. Note, we write x ≤ k = r ≤ y in place of x ≤ k ≤
y ∧ x ≤ r ≤ y ∧ k = r.
3 Classiﬁcation of Deadlocks
In a very broad sense, deadlocks are states where the system is unable to
progress further. We would expect the system to be able to run forever hence
deadlocks can be seen as error situations. In untimed systems, deadlocks are
states where the system will never be able to perform an action. However, in
timed automata, the range of transitions has been broadened to time passing
and discrete transitions (actions). Consequently, in this setting the ways of
violating the requirements of progress can vary. So deadlocks in timed au-
tomata can be of diﬀerent types. We will highlight these diﬀerent types and
in addition, as an assessment of the state of the art we will also consider the
means that UPPAAL provides for checking for such locks.
Before giving the formal deﬁnitions of various types of deadlocks, we brieﬂy
review the terminology we will use, this is largely inherited from [3,9]. Given
s = [l, v], we will write s+d instead of [l, v+d]. Also, we will write s
x
=⇒ to de-
note ∃ s′. s
x
=⇒ s′. A run of A ∈ TA starting from state s0 is a ﬁnite or inﬁnite
sequence: ρ = s0
d0==⇒ s0 + d0
a1==⇒ s1 . . . sn−1
dn−1
===⇒ sn−1 + dn−1
an==⇒ sn
dn==⇒ . . .,
where ∀ 0 ≤ i ≤ n. si ∈ S, ai ∈ A; ∀ 0 ≤ i ≤ n− 1. di ∈ R+0; dn ∈ R+0 ∪ {∞}
(sn
∞
==⇒ denotes ∀ t ∈ R+0. sn
t
=⇒ ). Notice that inﬁnite runs contain an inﬁ-
nite number of discrete transitions (i.e. actions). Let Tr(A) denote the set of
all runs of A, and deﬁne the function delay(ρ), ρ ∈ Tr(A) as the sum of all
delays di in ρ. If delay(ρ) =∞ we say that the ρ is a divergent run.
Generally speaking, actionlocks are states where no discrete transition can
be performed, while timelocks are states where time cannot pass beyond a
certain point. Formally, given A ∈ TA, a state s = [l, v] is an actionlock if
∀ d ∈ R+0. [l, v + d] ∈ S ⇒  a ∈ A. [l, v + d]
a
=⇒ . Thus, however long the
system idles in location l no action can be performed. However, a state s
is a timelock if there is no divergent run ρ ∈ Tr(A) starting at s. A timed
automaton A is actionlock-free (timelock-free) if none of its reachable states is
an actionlock (timelock). Actionlocks and timelocks can be further reﬁned as
pure-actionlocks, time-actionlocks or zeno-timelocks (or pure timelocks), which
are explained next.
Deﬁnition 3.1 (Pure-actionlock) Pure-actionlocks are states of a system
where it cannot perform any discrete transitions, but can still pass time ar-
bitrarily. Given A ∈ TA, a state s = [l, v] is a pure-actionlock if ∀ d ∈
R+0. [l, v + d] ∈ S ∧  a ∈ A. [l, v + d]
a
=⇒ .
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4730
Fig. 1a shows an example of a timed automaton with a pure actionlock: no
action is enabled once the automaton reaches location S0, however time is not
prevented from passing.
Deﬁnition 3.2 (Time-actionlock) Time-actionlocks are states where nei-
ther discrete nor time transitions can be performed. Given A ∈ TA, a state s
is a time-actionlock if  a ∈ A, d ∈ R+. s
a
=⇒ ∨ s
d
=⇒ .
An example of a time-actionlock is shown in Fig. 1b. The upper automaton
must perform an action a! before more than 5 time units have passed, while
the bottom one can only perform an a? after 5 units have passed. The system,
then, enters in a time-actionlock immediately after 5 time units have elapsed.
Deﬁnition 3.3 (Zeno-timelock) Given A ∈ TA, a zeno run is an inﬁnite
run ρ ∈ Tr(A) s.t. delay(ρ) = ∞. A state s is a zeno-timelock if a) there is at
least one inﬁnite run starting at s, b) all inﬁnite runs starting at s are zeno,
and c) there is no run ρ′ ∈ Tr(A) starting at s s.t. delay(ρ′) = ∞ 6 .
When a system enters a zeno-timelock, transitions can still be performed
(which can be either discrete or time transitions) but time cannot pass beyond
a certain point. This models a situation where the system performs an inﬁnite
number of transitions in a ﬁnite period of time. Fig. 1c shows a zeno-timelock,
where transition a must be performed an inﬁnite number of times before more
than 5 time units have passed.
S0
P0
S1
P1
a!
x>5 a?
x<=5
a) b) c)
S0
x<=10
S1
a
S0
x<=5
a
b
c
Fig. 1. Classiﬁcation of deadlocks
Discussion
One reason for presenting our classiﬁcation is that we believe that diﬀer-
ent types of deadlocks bring diﬀerent types of problems and, hence, should
be treated diﬀerently. Firstly, although pure-actionlocks may be undesirable
within the context of a particular speciﬁcation, they are not of themselves
counter-intuitive situations. It is wholely reasonable that a component or a
system might reach a state from which it cannot perform any actions, as long as
6 According to our deﬁnition of run, ρ′ is not necessarily inﬁnite.
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 31
such an actionlock does not stop time. Thus, although analytical tools which
detect pure-actionlocks certainly have value, we do not believe there is any fun-
damental reason why actionlocks should be prevented (by construction) at the
level of the speciﬁcation notation. In contrast, we are strongly of the opinion
that time-actionlocks are counter-intuitive. In particular, and as previously
discussed, a local “error” in one component has a global eﬀect on the entire
system, even if the remainder of the system has no actions in common with
the timelocked component. Because of these particularly counter-intuitive as-
pects, we believe that time-actionlocks should be prevented by construction,
i.e. the timed automata model should be reinterpreted in such a way that
time-actionlocks just cannot arise. Bowman [3] presents such a method for
Timed Automata with Deadlines [1]. Finally, to come to zeno-timelocks. Our
position here is that analytical methods should be provided to check on a
speciﬁcation by speciﬁcation basis whether zeno-timelocks occur. Our rea-
sons for advocating this approach are largely pragmatic, since it is not clear
how the timed automata model could be changed in order to constructively
prevent such situations. In particular, any mechanism that ensured at the
level of the semantics that a minimum time (say ) was passed on every cycle,
would impose rigid constraints on the speciﬁers ability to describe systems
abstractly 7 . Section 4 considers just such an analytical method for detecting
zeno-timelocks.
4 Zeno-timelocks
We now present an analytical method to ensure absence of zeno-timelocks
which builds upon the notion of strong non-zenoness introduced by Tripakis
[9]. We show how Tripakis’ results can be extended to guarantee zeno-timelock
freedom for systems which may not be strongly non-zeno. In particular, the
relationship between strong non-zenoness and synchronising components is
analysed in more detail. Also, new syntactic properties, in the spirit of strong
non-zenoness, are presented which also ensure zeno-timelock freedom.
The strong non-zenoness property, which we recall below, represents a suf-
ﬁcient but not necessary condition to ensure zeno-timelock freedom; systems
which are strongly non-zeno are guaranteed to be free from zeno-timelocks,
but there exists some systems which are free from zeno-timelocks but are not
strongly non-zeno.
Deﬁnition 4.1 (Strong non-zenoness) Given A ∈ TA, a structural loop in
A is a sequence of locations and edges in A, l0
a1,g1,r1
−−−−→ l1
a2,g2,r2
−−−−→ . . .
an,gn,rn
−−−−−→ ln,
7 Note that early versions of timed CSP did employ exactly such an approach.
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4732
s.t. l0 = ln. A is strongly non-zeno if for every such loop there exists a clock
c ∈ C,  ∈ R+ and 0 ≤ i, j ≤ n s.t. (1) c ∈ ri and (2) c is bounded from
below in step j, i.e. gj ⇒ c > . Every loop which satisﬁes these properties
is also called strongly non-zeno. Strong non-zenoness guarantees absence of
zeno-timelocks, and it is preserved by parallel composition. Lemma 4.2 below
formalises these results [9].
Lemma 4.2 If A ∈ TA is strongly non-zeno then Tr(A) does not contain
zeno-timelocks. Moreover, if A[1], . . . , A[n] ∈ TA are strongly non-zeno then
|A is also strongly non-zeno.
Lemma 4.2 suggests a static veriﬁcation method; a system is free from
zeno-timelocks if all its components are strongly non-zeno or in other words,
if every loop in every component is strongly non-zeno. This result is justiﬁed
by the structure of the product automaton, where every loop is the result
of either two loops with matching half actions in two diﬀerent component
automata (we refer to them as synchronising loops), or a loop with no half
actions in a component automaton (called complete loops). Since a) every
component loop is strongly non-zeno, b) strong non-zenoness depends only
on the existence of a clock which is bounded from below in a given guard in
the loop, and also reset at some point in the loop, and c) these conditions
are preserved in the edges of resulting loops in the product automaton, then
every loop in the product automaton is strongly non-zeno. But notice that a
strongly non-zeno loop in a component is, in fact, “preserved” in every loop
in the product which results from the synchronisation of this loop with any
other loop in a diﬀerent component, whether this is also strongly non-zeno
or not. Therefore, synchronisation between a strongly non-zeno loop and any
other loop must also be considered “safe”. This may have a considerable
impact from the user’s side: a system will no longer be considered unsafe
just because there is a loop in one of its components which is not strongly
non-zeno (this happens if we analyse the system according to Lemma 4.2).
Instead, we can pair all synchronising loops in the collection of components,
and for each pair, ask just for one loop to be strongly non-zeno. It is also
required that all loops which do not contain half-actions are strongly non-
zeno, because these loops are preserved in the product automaton, but the
beneﬁts of this approach are still evident. We have found, then, that the
requirements imposed by Lemma 4.2 to ensure absence of zeno-timelocks can
be “weakened” to consider just a subset of all structural loops appearing in the
component automata. This result is formalised by Lemma 4.3 below (proof is
given in the appendix).
Lemma 4.3 Let HL be the set of all pairs of synchronising loops in
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 33
A[1], . . . , A[n], and, respectively, CL the set of all complete loops. If (at least)
one loop in every pair of HL is strongly non-zeno and all loops in CL are
strongly non-zeno then |A is also strongly non-zeno and thus free from zeno-
timelocks.
We now present two other properties, location non-urgency and reset non-
urgency which also work at the level of the timed automata syntax, and rep-
resent suﬃcient-only conditions. However, they can guarantee that a system
is free from zeno-timelocks even when it may not be strongly non-zeno; in this
way the scope of syntactic detection of zeno-timelock free systems is further
broadened. The intuition is the same as that which underlies strong non-
zenoness: we have to show for any state s that if there exist some inﬁnite
runs starting at s, then at least one of them must diverge (therefore s is not
a zeno-timelock). Now by deﬁnition, inﬁnite runs must necessarily traverse
some loop an inﬁnite number of times (otherwise the run could not contain
an inﬁnite number of discrete transitions). Therefore, we just need to ensure
that time can pass by at least  ∈ R+ time units on every iteration of any
loop (where  is considered a constant value). Because these conditions focus
on invariants, they cover some kinds of safe loops which are not strongly non-
zeno. In the following deﬁnitions, we use Clocks(I(l)) ⊆ C to denote the set
of clocks appearing in the invariant expression I(l) (where l is a location).
Deﬁnition 4.4 (Location non-urgency) A ∈ TA is called location non-
urgent if in every structural loop there is a location where either the invariant
is True or every clock appearing in the invariant has no upper bound. For
example, True and x > 1 (where x ∈ C) can be two such invariants. Formally,
let l0
a1,g1,r1
−−−−→ l1
a2,g2,r2
−−−−→ . . .
an,gn,rn
−−−−−→ ln, s.t. l0 = ln be a structural loop in A. A
is called location non-urgent if for every such structural loop there exists 0 ≤
i ≤ n s.t. ∃ d ∈ R+. ∀ c ∈ Clocks(I(li)), v ∈ VC . (v(c) > d ⇒ I(li)(v)) (notice
that this formula vacuously holds for True invariants, since Clocks(True) = ∅).
These loops are also called location non-urgent.
Deﬁnition 4.5 (Reset non-urgency) A ∈ TA is called reset non-urgent if
in every structural loop there is a location where at least one clock in the
invariant has a non-zero lower bound, and this clock is reset in the loop.
Formally, let l0
a1,g1,r1
−−−−→ l1
a2,g2,r2
−−−−→ . . .
an,gn,rn
−−−−−→ ln s.t. l0 = ln, be a structural
loop in A. A is called reset non-urgent if for every such structural loop there
exists 0 ≤ i ≤ n s.t. ∃ d ∈ R+, c ∈ Clocks(I(li)), v ∈ VC . (v(c) = d ∧ I(li)(v) ∧
(∀ v′ ∈ VC . v′(c) < d ⇒ ¬I(li)(v′)) ∧ ∃ j(0 ≤ j ≤ n). c ∈ rj). These loops
are also called reset non-urgent.
The following lemma states the relation between location non-urgency, reset
non-urgency and zeno-timelock freedom (proof is given in the appendix).
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4734
Lemma 4.6 If A ∈ TA is either location non-urgent or reset non-urgent,
then it is also free from zeno-timelocks.
Location non-urgency is not compositional, i.e. the product of location
non-urgent automata is not guaranteed to be free from zeno-timelocks; but we
believe this property would be of use when applied to the product automaton.
Its beneﬁts are even more evident when we consider that its application to the
product automaton may be less “expensive” than a semantic-based check [9].
On the other hand reset non-urgency is compositional, but it has not been
applicable to the speciﬁcations we have been working with. Nevertheless, it
remains an interesting alternative given the fact that (at least in principle)
invariants with lower-bounds (e.g. 1 < x ≤ 2) might occur when modelling
real-time constraints.
5 Zeno-timelocks: Practice
This section presents a brief description of our zeno-timelock checker, and
illustrates its application on a concrete example: the widely used Ethernet
protocol CSMA/CD (Carrier Sense Multiple Access with Collision Detection).
We will show how a seemingly reasonable timed automata speciﬁcation of the
CSMA/CD (which is inspired by a previous Kronos speciﬁcation of the same
problem [10]) suﬀers from timelocks. In particular, the example will show how
a zeno-timelock occurs which also, and perhaps more dangerously, hides the
occurrence of a time-actionlock.
It is important to mention that one can verify that a given UPPAAL speci-
ﬁcation is free from actionlocks by checking satisﬁability of A[]not deadlock
(deadlock is a UPPAAL predeﬁned formula). However, this check cannot
distinguish between pure-actionlocks and time-actionlocks. Detection of time-
locks, and in particular of zeno-timelocks, is hard in UPPAAL. Zeno-timelocks
can only be detected with the help of a test automaton. Fig. 2a shows a test
automaton in UPPAAL; this is included in the original system as a new au-
tonomous component, it does not synchronise with any other component, and
t is a clock local to the automaton. The original system would be free from
timelocks if a state where t==1 can be reached from every state where t==0,
i.e. if the system can always pass time by 1 unit (clocks in UPPAAL can be
compared only with integer constants). The formula (t==0)-->(t==1) can be
written in UPPAAL to verify that the system is free from timelocks. However,
this approach provides a suﬃcient but not necessary condition: if the formula
is satisﬁed the system is guaranteed to be timelock-free, but the formula may
be unsatisﬁable in some timelock-free systems. The formula (t==0)-->(t==1)
is actually implementing A[]((t==0)=>A<>(t==1)), which is satisﬁable only
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 35
t<=1 t==1t:=0 t<=1
t==1
t:=0 true
a) b)
Fig. 2. Test automaton (a) and a timelock-free system (b)
if for every (t==0)-state, a (t==1)-state is reachable in every possible run
from the (t==0)-state. But this condition is too strong; a system with a zeno
run but that is free from timelocks will falsify A[]((t==0)=>A<>(t==1)) as
the zeno run is a path where a (t==1)-state is unreachable. Fig. 2b shows such
a system. In fact, a system is timelock-free if there exists at least one run start-
ing at every (t==0)-state where a (t==1)-state is reachable. It turns out that
this condition can be expressed by the formula A[]((t==0)=>E<>(t==1)), but
unfortunately such a formula cannot be written in UPPAAL. Also, reachabil-
ity analysis may suﬀer from state-explosion, and should a zeno-timelock occur
in the system, the trace which witnesses the failure of (t==0)-->(t==1) may
not be meaningful enough to discover the cause of the timelock.
We claim that in many situations our tool will more conveniently assist the
user to ﬁnd zeno-timelocks. Like the test automaton, our tool implements a
strategy which is suﬃcient to detect that a system is free from zeno-timelocks,
but does not necessarily imply that a system contains zeno-timelocks. Un-
like the test-automaton strategy, however, the analysis here is syntactic (and
therefore it may be considerably less demanding than reachability), and it also
identiﬁes potential causes of zeno-timelocks directly on the automata struc-
ture. This section will then show how our tool complements UPPAAL in the
veriﬁcation of the protocol.
5.1 A zeno-timelock checker
The tool receives a timed automata speciﬁcation (as an XML ﬁle) as input
and returns a list of loops which can potentially cause zeno-timelocks. The
tool is intended to be integrated with UPPAAL; the user can take advantage
of UPPAAL’s graphical interface and its rich modelling language to specify
the system. This speciﬁcation is stored by UPPAAL as an XML ﬁle which can
be input to the zeno-timelock checker. Basically, a cycle-detection algorithm
is performed on this speciﬁcation to discover all structural loops. A second
stage determines which loops are strongly non-zeno. Then, loops are matched
according to their half-actions; this stage returns a list of matching pairs and
a second list of loops which do not contain half-actions. Finally, Lemma 4.3
is applied to both lists to return unsafe pairs/single loops: a pair is unsafe if
neither loop is strongly non-zeno, similarly a non-synchronising loop is unsafe
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4736
if it is not strongly non-zeno.
5.2 The CSMA/CD protocol
The CSMA/CD (Carrier Sense Multiple Access with Collision Detection) pro-
tocol is widely used on Ethernet networks, where the protocol controls the
transmission of data between stations sharing a common medium. The fol-
lowing description is mainly taken from [8].
A station wishing to transmit a frame ﬁrst listens to the medium to deter-
mine if another transmission is in progress. If the medium is idle, the station
begins to transmit. Otherwise the station continues to listen until the medium
is idle, then it begins to transmit immediately. It may happen that two or
more stations begin to transmit at about the same time. If this happens, there
will be a collision and the data from both transmissions will be garbled and
not received successfully. If such a collision is detected during transmission,
the station transmits a brief jamming signal (to ensure that all stations know
that there has been a collision) and then it ceases transmission. After trans-
mitting the jamming signal, the station waits a random amount of time and
then attempts to retransmit the frame.
Collisions can only occur when more than one station begins transmitting
within a short time (the period of the propagation delay). If a station attempts
to transmit a frame and there are no collisions during the time it takes for the
leading edge of the packet to propagate to the farthest station, then there will
be no collision for this frame because all other stations are now aware of the
transmission (i.e. the medium will be found busy). Secondly, the time needed
to detect a collision is no greater than twice the propagation delay.
Fig. 3(a-c) show part of a possible CSMA/CD speciﬁcation in UPPAAL.
Only two stations have been considered in this speciﬁcation, Station1 (Fig. 3a)
and Station2 (similar to Fig. 3a modulo renaming). The main role of Station1
is to model the transmission of frames and retransmission in case collision has
been detected. Medium (Fig. 3c) will model the state of the medium, i.e.
whether collisions have been detected and the broadcast of the jamming sig-
nal should any collision occur. Both Station1 and Medium have temporal
constraints derived from either the end-to-end propagation delay (26 μs.) or
the frame-transmission time (782 μs.) 8 . We have also included the automaton
UpperLayer1 (Fig. 3b) to model a client layer which uses the protocol service
in the station (UpperLayer2 is similar). It simply provides frames to the pro-
tocol layer, acknowledges ongoing transmission and successful termination.
Automaton Station1 starts in state Idle, waiting for UpperLayer1 to
8 Constants respect the IEEE 802.3 standard (Ethernet CSMA/CD)
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 37
Idle
Send U Retry
U Transmittingx1<=782
fin1!
send1? cd1?
x1<26begin1!
x1:=0
busy1!
end1!
x1==782
begin1!
x1:=0
Idle Transmitting
send1!
fin1?
begin1? y:=0
begin2? y:=0
end1? y:=0
end2? y:=0
Active
Idle
Collision
y<=26
Next2
y<=26
Next1
y<=26
cd1!
cd1!
cd2!
cd2! begin2?
y<26
y:=0
begin1?
y<26
y:=0
busy2? y>=26
busy1? y>=26trans1!
trans1?
Transmitting
x1<=782
trans1!
Transmitting
trans1?
Retry
Transmitting
x1<=782
cd1?
x1<26begin1!
x1:=0
begin1? y:=0
begin2? y:=0
end1? y:=0
end2? y:=0
ActiveIdle
Collision
y<=26
Next2
y<=26
Next1
y<=26
cd1!
cd1!
cd2!
cd2! begin2?
y<26
y:=0
begin1?
y<26
y:=0
Retry
||
||
||
begin2!
x2:=0
cd1?
x2<26
Transmitting
x2<=782
Station1
UpperLayer1
Medium
Station1
UpperLayer1
Station1
Station2
Medium
a)
b) c)
d) e)
Fig. 3. CSMA/CD in UPPAAL (a,b,c) and unsafe loops (d,e)
send a new frame (send1?). If this happens Station1 moves to Send, which
is an urgent state: the station may ﬁnd that either the medium is idle, and
so the transmission of the new frame can start immediately (begin1!), or
that the medium is busy and so the station has to wait (busy1!). Urgent
states must be left immediately after they are entered; immediate interleaving
of actions is permitted but outgoing transitions will be taken with no delay.
State Transmitting denotes that a transmission has started. Transmission
of a complete frame takes 782 μs, which is modelled both by the invariant
x1<=782 and the guard x1==782 on transition end1!. Immediately after end-
ing a transmission, a signal fin1! is sent to the upper layer to indicate
that transmission is completed. While transmission is taking place a signal
trans1! might be sent to the upper layer to indicate this fact. A collision
with another station may occur in Transmitting, in which case the jamming
signal cd1? will be detected. The related guard x1<26 denotes that no colli-
sion can occur after 26 μs. have passed since a station begun sending a frame.
State Retry denotes that a collision indeed occurred and that the station is
waiting to attempt a retransmission (begin1!). The station will remain in
Retry if a retransmission attempt ﬁnds a busy medium; transition begin1?
is not enabled in such a situation (x1>=26).
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4738
The Medium starts in Idle, waiting for stations to begin their transmis-
sions (begin1?/begin2?); then it moves to Active and clock y is reset. State
Active denotes that a station is currently using the medium. In Active,
y denotes the time elapsed since the station begun its transmission. Tran-
sitions busy1?/busy2? denote that stations can already acknowledge that
the medium is in use and thus, that no new transmission is yet possible.
The guard y>=26 in these transitions denote that, in the worst case, a sec-
ond station cannot acknowledge that the medium is busy before 26 μs. (the
propagation delay) have passed since the ﬁrst station begun its transmission.
State Collision denotes that a collision has happened, and that the jam-
ming signal is about to reach the stations. The Medium moves from Active
to Collision through begin1?/begin2? happening at y<26, i.e. a second
station has started transmitting a frame before it could acknowledge that the
medium was already in use. In Collision, y denotes the time elapsed since
a collision occurred; notice that y is reset when the second transmission be-
gins while Medium is in Active (to simplify matters, we have assumed that
a collision occurs as soon as this second transmission begins). The group of
transitions cd1!-Next2-cd2! and cd2!-Next1-cd1! model the jamming sig-
nal reaching Station1 and Station2, in any order. Moreover, the invariants
y<26 in Collision, Next1/Next2 indicate that the jamming signal will reach
the stations not later than 26 μs. after the collision.
5.3 Veriﬁcation
We will see how the inclusion of automaton UpperLayer1 (UpperLayer2) dis-
guises a time-actionlock which is already present in the protocol speciﬁcation,
making it undetectable to UPPAAL. In fact, this hidden time-actionlock re-
sults in a zeno-timelock which our tool will help to identify.
We begun our veriﬁcation by checking actionlock-freedom; UPPAAL ﬁnds
that A[]not deadlock is satisﬁable in our CSMA/CD speciﬁcation. We then
use our zeno-checker which discovers that a number of synchronising pairs of
loops are unsafe and could thus potentially cause zeno-timelocks. These un-
safe loops correspond to the interaction between Station1 and UpperLayer1
(Fig. 3d), respectively between Station2 and UpperLayer2 (not shown), and
between Station1, Station2 and Medium (Fig. 3e).
Fig. 3e shows a number of loops which could potentially cause zeno-
timelocks. We describe these loops below; we use <s1,m,s2> to denote a
state in the product automaton where s1, m and s2 are respectively states in
Station1, Medium and Station2. R, I, T, A, C, N1 and N2 respectively denote
states Retry, Idle, Transmitting, Active, Collision, Next1 and Next2.
Complete actions begin1, begin2, cd1 and cd2 result from synchronisation
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 39
between the corresponding half-actions.
(i) <R,I,R>, begin1, <T,A,R>, begin2, <T,C,T>, cd1, <R,N2,T>, cd2, <R,I,R>
(ii) <R,I,R>, begin2, <R,A,T>, begin1, <T,C,T>, cd1, <R,N2,T>, cd2, <R,I,R>
(iii) <R,I,R>, begin1, <T,A,R>, begin2, <T,C,T>, cd2, <T,N1,R>, cd1, <R,I,R>
(iv) <R,I,R>, begin2, <R,A,T>, begin1, <T,C,T>, cd2, <T,N1,R>, cd2, <R,I,R>
These loops correspond to situations in which stations continue to retransmit
their frames too soon, therefore colliding again after every attempt. They are
considered unsafe because there are no structural conditions ensuring that time
will pass in every iteration; i.e. they are not strongly non-zeno (notice in Fig. 3e
that clocks are reset but there are no guards with non-zero lower-bounds). In
other words, these loops allow zeno runs corresponding to retransmissions
following collisions with no delay. However the composite state <R,I,R>,
whose invariant is True (because invariants in Retry and Idle are True), is
included in every loop. Therefore every loop satisﬁes the location non-urgency
property presented in Section 4, and thus they do not cause zeno-timelocks
(see Lemma 4.6). Intuitively, there will always exist some inﬁnite execution
of every loop which can pass time in state <R,I,R>.
Now we will focus our attention on the unsafe loop in Station1 (Fig. 3d);
a zeno-timelock would occur in state Transmitting (Fig. 3a) if trans1! is
the only enabled transition at x1==782. If this is the case then the invariant
in Transmitting will make this transition urgent, and so it will be inﬁnitely
taken without time passing at all. Should such a zeno-timelock occur in this
speciﬁcation, an actionlock should occur in a speciﬁcation where transition
trans1! is removed. As a rationale for this conclusion one has to consider
that for a zeno-timelock to involve trans1!, this has to be the only transition
enabled by Station1 at x1==782. Therefore UPPAAL should be able to detect
a “hidden” actionlock if trans1! is removed from the speciﬁcation. This does
indeed turn out to be the case, speciﬁcally if trans1! is removed, UPPAAL
detects an actionlock in the resulting system. This is caused by an error in the
guard of transition cd1? in Station1, x1<26 (note: [10] highlighted the same
error). This guard expresses the fact that if there is a collision, this cannot
occur after 26 μs. have passed since Station1 started transmitting a frame.
But 26 μs. happens to be too small an upper bound for collision detection, as
the following scenario illustrates. This scenario is set with Station1 starting
the transmission, a similar scenario can be described for Station2.
(i) Station1 starts transmitting a frame, therefore Station1 moves to state
Transmitting and Medium moves to Active.
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4740
(ii) Station2 starts transmitting a frame just before 26 μs have passed since
Station1 started transmitting. This means that Station2, because of
the propagation delay, has not yet been able to detect that the medium
is in use. In terms of the protocol speciﬁcation, notice that in Medium,
transition begin2! can be taken in state Active as long as y<26. At
this point, Station1 remains in Transmitting, Station2 has changed
to Transmitting and Medium has changed to Collision. Also, it is im-
portant to see that the value of clock x1 is just about to become 26, and
that both x2 and y have been reset.
(iii) Based on the previous observations, and given the invariant y<26 in state
Collision, notice that it is possible for x1 to progress to 26<x1<52. But
then the transition cd1! in Collision will not be able to synchronise
with cd1? in Station1, as the latter is constrained to x1<26. Should this
happen, transition cd2! can still be taken to Next1, but here again cd1!
cannot be taken. It is evident, then, that no action will be enabled in the
system while Medium remains in Next1. Furthermore, the invariant y<26
in Next1 will also prevent time from diverging, raising a time-actionlock
when the value of y reaches 26.
This time-actionlock shows that the guard x1<26 in transition cd1? in Station1
(and respectively in Station2) should be modiﬁed to account for a big-
ger delay, i.e. it should be x1<52. This is saying that after a transmission
has started the jamming signal could be detected up to 52 μs. later, that
is, twice the propagation delay (see [8] for a detailed explanation). Also,
notice that the timelock in this speciﬁcation resulted in a zeno-timelock in
the original speciﬁcation (i.e. before trans1! was removed). When Medium
is in state Collision and y=26, and Station1 and Station2 are in state
Transmitting, transition trans1! (trans2!) will be inﬁnitely taken while
time is prevented from passing (since synchronisation is always possible with
UpperLayer1/UpperLayer2).
Now, if we correct the speciﬁcation with the proper delay (x1<52 in cd1?),
we can verify that it is free from actionlocks (and thus from time-actionlocks)
using UPPAAL’s A[]not deadlock formula. Since now the time-actionlock
in question no longer arises, the loop trans1! in the original speciﬁcation
(Fig. 3a) will not cause a zeno-timelock. Time will not be prevented from
passing in Next1/Next2 (Fig. 3c), so the system is allowed to evolve normally
and after a collision the stations will move from Transmitting to Retry, i.e.
trans1! in Transmitting will no longer be enabled.
To clarify then we have taken a speciﬁcation of the CSMA/CD and at-
tempted to show it is free from zeno-timelocks. We have applied the only
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 41
check available in UPPAAL that can throw light on zeno-timelock freedom:
checking A[]not deadlock. This formula was found to be true, i.e. the sys-
tem was safe (from an UPPAAL perspective). However we then applied our
zeno-timelock checker, which identiﬁed a number of potentially unsafe loops
(in the sense that they could possibly yield zeno-timelocks). Furthermore, one
of these was indeed found to cause a zeno-timelock (note, since an action is
always oﬀered, A[]not deadlock cannot detect such a zeno-timelock). We
thus removed the oﬀending loop from the system and found that the zeno-
timelock was indeed “covering” a time-actionlock, which could of course, be
detected by UPPAAL once the zeno-loop was removed. The system was cor-
rected to remove this time-actionlock and by so doing we justiﬁed that the
original oﬀending loop was no longer causing a zeno-timelock.
6 Conclusions
We have identiﬁed diﬀerent types of timelocks which may arise in Timed Au-
tomata, and provided formal deﬁnitions for each one of them. One of the main
contributions of this paper is a new procedure to check whether a system is
free from zeno-timelocks. We have reﬁned the syntactic check based on strong
non-zenoness, suggested in [9], by carefully analysing the relationship between
strong non-zenoness and synchronisation. This allows for the recognition of a
wider class of safe (i.e. zeno-timelock free) systems. We have also presented
a tool which we have developed which implements this check on timed au-
tomata, and in particular UPPAAL speciﬁcations. Moreover, this tool can be
used to complement the veriﬁcation capabilities oﬀered by UPPAAL.
We have illustrated the use of our tool on a real-life case-study, the
CSMA/CD protocol. We have speciﬁed this protocol in UPPAAL and in-
troduced both communication with an upper layer and an incorrect bound for
one of the automaton transitions. This was intended to show how hard the de-
tection of some modelling errors can be. The ﬂaw in our speciﬁcation resulted
in a zeno-timelock, which UPPAAL cannot properly detect. The detection of
timelocks with the help of a test automaton depends upon a reachability for-
mula which expresses suﬃcient but not necessary conditions, and reachability
analysis may be computationally expensive. Our tool also helped to identify
the zeno-timelock in our case-study, showing which structural loops were po-
tentially unsafe (extending ideas devised by Tripakis). The tool is also based
upon suﬃcient but not necessary conditions, however the analysis is syntactic
and therefore less demanding than reachability, and it can directly point to
sources of zeno-timelocks. Therefore, even if some zeno-timelock free systems
are not guaranteed to be so by the suﬃcient-only conditions, the method pre-
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4742
sented in this paper is still useful for narrowing the analysis to speciﬁc parts
of the model. We are currently trying to develop suﬃcient and necessary
conditions for the detection of zeno-timelocks at the level of the product au-
tomaton. Also, we are considering new ways of exploiting the relationship
between strong non-zenoness and synchronisation which may further extend
the veriﬁcation scope of our suﬃcient-only method.
References
[1] Bornot, S. and J. Sifakis, On the composition of hybrid systems, in: Hybrid Systems:
Computation and Control, LNCS 1386, 1998, pp. 49–63.
[2] Bowman, H., Modelling timeouts without timelocks, in: ARTS’99, Formal Methods for Real-
Time and Probabilistic Systems, 5th International AMAST Workshop, LNCS 1601 (1999), pp.
335–353.
[3] Bowman, H., Time and action lock freedom properties for timed automata, in: S. K. M. Kim,
B. Chin and D. Lee, editors, FORTE 2001, Formal Techniques for Networked and Distributed
Systems (2001), pp. 119–134.
[4] Bowman, H., G. Faconti, J.-P. Katoen, D. Latella and M. Massink, Automatic veriﬁcation
of a lip synchronisation algorithm using UPPAAL, Formal Aspects of Computing 10 (1998),
pp. 550–575.
[5] Bowman, H., R. Gomez and L. Su, How to stop time stopping (preliminary version), Technical
Report 9-04, Computing Laboratory, University of Kent, UK (2004).
[6] Milner, R., “Communication and Concurrency,” Prentice-Hall, 1989.
[7] Pettersson, P. and K. G. Larsen, UPPAAL2K: Small Tutorial, Bulletin of the European
Association for Theoretical Computer Science 70 (2000), pp. 40–44.
[8] Stallings, W., “Data & Computer Communications,” Prentice Hall, 2000, 6th. edition.
[9] Tripakis, S., Verifying progress in timed systems, in: ARTS’99, Formal Methods for Real-Time
and Probabilistic Systems, 5th International AMAST Workshop, LNCS 1601 (1999).
[10] Yovine, S., Kronos: A veriﬁcation tool for real-time systems, Springer International Journal of
Software Tools for Technology Transfer (1997).
A Proofs
The following notation (where A ∈ TA refers to a single automaton, and
A[1], . . . , A[n] ∈ TA refers to a network of automata) will be used throughout
this section 9 :
• Loops(A) is the set of all structural loops in A.
• An edge e = (a, g, r) is the edge-labelling of l1
a,g,r
−−→ l2 ∈ T .
9 Elements which have been previously introduced in the paper are recalled here just for
the sake of completeness.
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 43
• Edges(A), Edges(lp) denote, respectively, the set of edges in A and in loop
lp.
• Loc(lp) is the set of locations in loop lp.
• A half loop is a loop which contains at least one edge labelled with a half
action, i.e. lp ∈ Loops(A) s.t. ∃ (a, g, r) ∈ Edges(lp). a ∈ HA. A complete
loop is a loop which is not a half loop.
• Two synchronising loops lp1, lp2, denoted sync(lp1, lp2), are half loops in dif-
ferent component automata with matching half actions, i.e.
∃A[i], A[j] (i = j), lp1 ∈ Loops(Ai), lp2 ∈ Loops(A2), e1 ∈ Edges(lp1), e2 ∈
Edges(lp2). e1 = (a?, g1, r1) ∧ e2 = (a!, g2, r2).
• A composite edge is any e = (a, g1∧g2, r1∪r2) = e1||e2, where e1 = (a?, g1, r1)
and e2 = (a!, g2, r2).
• A composite loop, denoted comp(lp), is s.t. ∃A[i], A[j], ei ∈ Edges(A[i]), ej ∈
Edges(A[j]). ei||ej ∈ Edges(lp).
• Given two loops lp1, lp2 we say that lp1 is included in lp2, denoted lp1 ⊆ lp2,
if Loc(lp1) ⊆ Loc(lp2) and ∀e ∈ Edges(lp1).(e ∈ Edges(lp2) ∨ ∃A[i], ei ∈
Edges(A[i]). e||ei ∈ Edges(lp2))
• HL is the set of all pairs of synchronising loops in A[1], . . . , A[n], i.e. HL =
{(lpi, lpj) | ∃A[i], A[j], (i = j). lpi ∈ Loops(A[i]) ∧ lpj ∈ Loops(A[j]) ∧
sync(lpi, lpj)} .
• CL is the set of all complete loops in A[1], . . . , A[n], i.e. CL = {lp | ∃A[i]. lp ∈
Loops(A[i]) ∧ ∀(a, g, r) ∈ Edges(lp). a ∈ CA}.
Lemma A.1 Every composite loop contains at least two synchronising loops.
Formally, ∀lp ∈ Loops(|A). comp(lp) ⇒
∃lpi ∈ Loops(A[i]), lpj ∈ Loops(A[j]). sync(lpi, lpj) ∧ lpi ⊆ lp ∧ lpj ⊆ lp
Proof. Automata theory gives us the necessary clues,
1 Given l1, l2 as two locations in |A, any path l1
∗
→ l2 in |A must include a
path l1[i]
∗
→ l2[i] from every A[i].
2 Moreover, if there is a composite edge e = ei||ej in l
∗
→ l′, ei must be an
edge in l1[i]
∗
→ l2[i] and ej an edge in l1[j]
∗
→ l2[j].
Therefore, since every loop is by deﬁnition a path, the lemma easily follows.
Lemma A.2 Clock reset and “lower-boundeness” are preserved in composite
edges. Formally, let e1 = (a1, g1, r1), e2 = (a2, g2, r2), e3 = (a3, g3, r3) denote
three edges, c ∈ C a given clock and  ∈ R+ a given constant. If e3 = e1||e2
then
1 c ∈ r1 ∪ r2 ⇒ c ∈ r3
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4744
2 (g1 ⇒ c > ) ∨ (g2 ⇒ c > ) ⇒ (g3 ⇒ c > )
Proof. Follows from the deﬁnition of edge composition. 
Lemma A.3 Loop inclusion preserves strong non-zenoness. Formally, let
lp1, lp2 be two loops s.t. lp1 ⊆ lp2. If lp1 is strongly non-zeno then lp2 is also
strongly non-zeno.
Proof.
1 lp1 ⊆ lp2 (hyp.).
2 lp1 is strongly non-zeno (hyp.).
3 ∃ei, ej ∈ Edges(lp1), c ∈ C,  ∈ R+, a, a′ ∈ A. ei = (a, gi, ri) ∧ ej =
(b, gj, rj) ∧ c ∈ ri ∧ gj ⇒ c >  (by 2 and def. of strong non-zenoness).
4 ei ∈ Edges(lp2) ∨ ∃A[k], ek ∈ Edges(A[k]), e ∈ Edges(lp2). e = ek||ei (by
1, 3 and def. of edge composition).
5 ej ∈ Edges(lp2) ∨ ∃A[k], ek ∈ Edges(A[k]), e ∈ Edges(lp2). e = ek||ej
(by 1, 3 and def. of edge composition).
6 ∃ei, ej ∈ Edges(lp2), c ∈ C,  ∈ R+, a, a′ ∈ A. ei = (a, gi, ri) ∧ ej =
(a′, gj, rj) ∧ c ∈ ri ∧ gj ⇒ c >  (by 3, 4 and Lemma A.2)
7 lp2 is strongly non-zeno (by 6 and def. of strong non-zenoness).

Lemma A.4 If at least one loop in every element of HL is strongly non-zeno,
then all composite loops in |A are strongly non-zeno.
Proof.
1 lp ∈ Loops(|A), comp(lp) (hyp.).
2 ∃A[i] = A[j], lpi ∈ Loops(A[i]), lpj ∈ Loops(A[j]). sync(lpi, lpj) ∧ lpi ⊆
lp ∧ lpj ⊆ lp (by Lemma A.1).
3 (lpi, lpj) ∈ HL (by 2 and def. of HL).
4 Suppose lpi strongly non-zeno (hyp.).
5 lp is strongly non-zeno (by 2 and Lemma A.3).

Lemma 4.3 If (at least) one loop in every pair of HL is strongly non-zeno
and all loops in CL are strongly non-zeno then the product automaton |A is
also strongly non-zeno and thus free from zeno-timelocks.
Proof.
1 Consider any loop lp ∈ Loops(|A).
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 45
2 lp is s.t. either comp(lp) or there exists a complete loop lpi ∈ CL s.t.
lpi ⊆ lp (by automata theory).
3 We know that at least one loop in every element of HL is strongly non-
zeno, and that all loops in CL are strongly non-zeno (hyp.).
4 If comp(lp) then lp is strongly non-zeno (by hyp. and Lemma A.4).
5 If lpi ⊆ lp, lpi ∈ CL then lp is strongly non-zeno since lpi is strongly
non-zeno (by hyp. and Lemma A.3).
6 Therefore all loops in |A are strongly non-zeno, and so |A is free from
zeno-timelocks (by Lemma 4.2).

Lemma 4.6 If A ∈ TA is either location non-urgent or reset non-urgent, then
it is also free from zeno-timelocks.
Proof.
1 Consider A ∈ TA as either location non-urgent or reset non-urgent (hyp.).
2 Consider a given state s, and ρ an inﬁnite run starting at s (hyp.).
3 ρ must visit a given loop lp in A an inﬁnite number of times (by def. of
inﬁnite run).
4 If A is location non-urgent there must be a location l in the loop lp where
either I(l) : True or all clocks in the invariant are unbounded (by def. of
location non-urgency).
5 Any execution of A which reaches l can wait indeﬁnitely in l (by 4). Note
that because we are assuming strong invariants, invariant expressions
such as I(l) : x > c (where x ∈ Clocks(I(l)) and c ∈ R+0) do not
force any execution to leave location l immediately. Moreover, l is only
reachable if at least c time units have passed since the last time x was
reset.
6 The location l is reachable in ρ, i.e. ρ = s
∗
=⇒ [l, v]
∗
=⇒ , where v ∈ VC (by
3).
7 There exists a time-unbounded run ρ′ starting at s, i.e. ρ′ = s
∗
=⇒ [l, v]
∞
==⇒ .
Therefore, if A is location non-urgent then s cannot be a zeno-timelock
(by 5, 6 and def. of zeno-timelock).
8 If A is reset non-urgent there must be a location l in the loop lp where
at least a clock in the invariant has a non-zero lower-bound, say d ∈ R+,
and it is reset in a given transition i of lp (by def. of reset non-urgency).
9 Any execution of A which takes transition i and then reaches location l
must have elapsed at least d time units between these two events (by 8
H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–4746
and assuming strong invariants).
10 ρ takes transition i and visits location l an inﬁnite number of times (by
3 and 8).
11 ρ accumulates an inﬁnite number of d time units, so delay(ρ) = ∞.
Therefore, if A is reset non-urgent then s cannot bet a zeno-timelock (by
9, 10 and def. of zeno-timelock).
12 A is free from zeno-timelocks (by 7 and 11).

H. Bowman et al. / Electronic Notes in Theoretical Computer Science 139 (2005) 25–47 47
