Schedulability analysis by exhaustive state space construction: translating CCSL to transition-based Generalized Buchi Automata by Yin, Ling et al.
Schedulability analysis by exhaustive state space
construction: translating CCSL to transition-based
Generalized Buchi Automata
Ling Yin, Julien Deantoni, Fre´de´ric Mallet, Robert De Simone
To cite this version:
Ling Yin, Julien Deantoni, Fre´de´ric Mallet, Robert De Simone. Schedulability analysis by
exhaustive state space construction: translating CCSL to transition-based Generalized Buchi
Automata. [Research Report] RR-8102, 2012, pp.22. <hal-00743874>
HAL Id: hal-00743874
https://hal.inria.fr/hal-00743874
Submitted on 21 Oct 2012
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
IS
S
N
0
2
4
9
-6
3
9
9
IS
R
N
IN
R
IA
/R
R
--
8
1
0
2
--
F
R
+
E
N
G
RESEARCH
REPORT
N° 8102
October 2012
Project-Teams Aoste
Schedulability analysis by
exhaustive state space
construction:
translating CCSL to
transition-based
Generalized Bu¨chi
Automata
Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone

RESEARCH CENTRE
SOPHIA ANTIPOLIS – MÉDITERRANÉE
2004 route des Lucioles - BP 93
06902 Sophia Antipolis Cedex
Schedulability analysis by exhaustive state
space construction:
translating CCSL to transition-based
Generalized Bu¨chi Automata
Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
Project-Teams Aoste
Research Report n° 8102 — October 2012 — 22 pages
Abstract: In previous work we defined a language (CCSL) made to express real-time temporal
scheduling constraints. It uses the notion of partially independent logical clocks (or time threads),
of which seemingly physical discrete time is a special case, hence the name Clock Constraint Spec-
ification Language. Constraints can represent (asynchronous) causality and precedence relations,
or (synchronous) simultaneity ones. A solution to a set of such constraints is called a schedule,
as it brings back all the clocks down to a single, totally ordered discrete time (and thus allows
to timing events a schedule slot). In the current paper we study the formal semantics of CCSL,
by translation into specific automata recognizing infinite sequences of clock steps. We consider
the appropriate acceptance criteria for omega-languages (transition-based generalized Bu¨chi), and
motivate this choice. We also study how the automata can be minimized, by removing useless
states (which is more than the usual check for emptiness of the whole language in classical model-
checking approaches). We feel our work builds a definite link between the scheduling and the
formal semantic model-checking communities.
Key-words: CCSL; Scheduling; Automata
Schedulability analysis by exhaustive state space
construction:
translating CCSL to transition-based Generalized Bu¨chi
Automata
Résumé : In previous work we defined a language (CCSL) made to express real-time temporal
scheduling constraints. It uses the notion of partially independent logical clocks (or time threads),
of which seemingly physical discrete time is a special case, hence the name Clock Constraint Spec-
ification Language. Constraints can represent (asynchronous) causality and precedence relations,
or (synchronous) simultaneity ones. A solution to a set of such constraints is called a schedule,
as it brings back all the clocks down to a single, totally ordered discrete time (and thus allows
to timing events a schedule slot). In the current paper we study the formal semantics of CCSL,
by translation into specific automata recognizing infinite sequences of clock steps. We consider
the appropriate acceptance criteria for omega-languages (transition-based generalized Bu¨chi),
and motivate this choice. We also study how the automata can be minimized, by removing use-
less states (which is more than the usual check for emptiness of the whole language in classical
model-checking approaches). We feel our work builds a definite link between the scheduling and
the formal semantic model-checking communities.
Mots-clés : CCSL; Scheduling; Automata
Schedulability analysis by exhaustive state space construction 3
1 Introduction
Previously we defined a formalism to express time relations between various events and operations
of a given (discrete) system, named the Clock Constraint Specification Language [1]. ccsl is
meant to capture some essential time and timing notions as found in various theories of timed
concurrent processes, both from the synchronous and asynchronous sides. In this paper, we
explore the use of ccsl for scheduling requirements modeling and schedulability analysis.
Historically, ccsl is based on a notion of “discrete clocks", which deserves (at least) a bit
of explanation to avoid confusion. In our case a clock is not a physical device that provides
regular physical time intervals (as a watch). It is instead an abstract measure unit, possibly
user defined, by which durations and dates may be set or measured, as long as a sequence of
occurrences (“ticks") on that clock can be observed or produced. In that sense a logical clock
could also be named “logical time base", and largely corresponds in fact to just an abstract event
(considered as a sequence of event occurrences), simply stressing more its temporal relevance
and role in the design. Besides, logical clocks need not in any case be related to regular physical
realities, but they can, and often do. To provide a simple example, a modern processor execution
cycle, in these days of low-power and thermal budgets, is often quite irregular (it can even be
paused on hold at times) with respect to physical time; nevertheless it is still a useful logical
time unit when accounting for software complexity. Numerous other examples can be made up
in the case of embedded systems, where contextual environment may produce meaningful events
that punctuates the system behavior.
Based on clocks, ccsl introduces formal constructs, called clock constraints, both to define
new clocks as functions of existing ones and also to specify relations between existing clocks
as well. A significant list of primitive ccsl clock constraints will be presented in the paper,
accounting for the language expressiveness and scheduling model description.
The logical clocks and clock constraints give ccsl the power to express most of the tasks/events
models in (both real-time and non real-time) scheduling theories. A set of clocks and constraints
among them can model the scheduling requirements (including functional requirements, platform
features, resource limitations, extra timing requirements and etc), and will form a ccsl specifi-
cation of the system. Solving the specification constraints amounts to computing a schedule of
the system.
Under ccsl context, a schedule is a possibly infinite sequence of steps; for each step (index),
several clocks (or maybe one) are assigned to tick simultaneously at that step. Then a schedule
can be regarded as an infinite words on powerset of clocks. The general scheduling issues, like
finding valid schedules or finding if a system under specific scheduling requirements is schedulable,
can be related to formal language and automata theory on infinite words. Modeling scheduling
concerns in ccsl allows the use of model checking technique and formal analysis to solve issues
taken from the scheduling theory.
We do schedulability analysis by translating a ccsl specification into a transition-based
Generalized Bu¨chi automata. Proper acceptance criteria is defined to recognize valid schedules.
Instead of finding an individual optimal schedule under a specific consideration, the automata
representation represents all schedules that satisfy the requirements, and can be used as a basis
for further analysis. The schedulability of a specification is equivalent to checking the emptiness
of recognizable language of a corresponding automata. We also provide an algorithm to construct
a trim canonical version for a given transition-based generalized automata. The trim automata
can be used to guide later on scheduling.
The paper is constructed as follows: We introduce ccsl informally in section 2. Then we
discuss its relation with existing scheduling practices and theories and the scheduling issues we
want to deal with in section 3. In section 4 we show the translation from ccsl to transition-based
RR n° 8102
4 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
Generalized Bu¨chi automata. Automata based solutions to the scheduling issues are provided in
section 5. Then we conclude this paper, discuss related work and our future plans in section 6.
2 An introduction to ccsl
Tick and clock ordering relations
As already mentioned, clock ticks amount to event occurrences. Two event occurrences e
and e′ may temporally be: simultaneous/coincident, denoted as e ≡ e′, meaning that the two
occurrences will occur in the same time step; or one may precede the other, denoted as e ≺ e′,
introducing a temporal ordering between them. We also note e#e′ for not (e ≡ e′), and e ¹ e′
for (e ≺ e′ or e ≡ e′). Note that causality intentions in design will in general allow relation ¹,
when instantaneous/combinatorial causality is also legible.
At the clock level (again, a clock being a sequence of ticks/instants), we find that two natural
ordering relations extend the former. First, based on synchronous notions, a subClock relation
can be defined: we note c ⊏ c′ iff ∀i, j : ci ¹ cj ∃k, l : (ci ≡ c
′
k)∧ (cj ≡ c
′
l)∧ (c
′
k ¹ c
′
l), ci being the
ith tick of clock c; this definition means that every tick of c has to be made on a tick of c′, but
not always the other way around, so there are potentially more ticking instants in c′. Moreover,
this relation is order preserving. Second, based on asynchronous notions, faster than relation
can be defined: we note c ≺ c′ iff ∀i, ci ≺ c
′
i; similarly, c ¹ c
′ iff ∀i, ci ¹ c
′
i (strictly vs weakly
faster).
The subClock relation will in practice be used to define new clocks from existing ones, with a
subsampling mechanism. Often, the latter will be a regular pattern, so that periodic subsystems,
or even periodically patterned one, will fall into this design style. Also, when original specifi-
cations are themselves not synchronously patterned, the results of scheduling methods are often
computed of that nature, so that subclock relations with regular patterns will also be a mean
to describe (full or partial solutions to) the system ordering; having a way to deal with partial
solutions inside the syntax of the specification itself is useful, as it allows solving approaches by
incremental time refinements.
The faster than relations can a priori lead to unbounded drifts between clocks (to ensure
that the second clock does not tick too soon, we need to monitor how many ticks the first one
has performed “in advance”, just so it does not drop below 0, and this requires an integer in
simulation). In frequent cases the specification will provide an interval between the clocks to
bound drifts.
So far we have implicitly assumed that clocks were infinite sequences of ticks. Often, for
technical reasons, one has to assume they can also be finite. So we will let |c| denote the length
of c, with the convention that |c| = ∞ when the clock is infinite. The previous definitions of
clock ordering have to be adjusted so that they only apply where ticks are actually defined. This
introduces no real change for the subClock relation, but it should be noted that, in the case of
the faster than relation, c′i may occur without a prior ci, if i > |c|. This defeats the notion of
causality between c and c′ being encoded as a time ordering relation. To avoid such problem,
when later constructs represent causality as such a time ordering, they will always rely on the
fact that clock lengths will carefully match. Later, in dynamic operational semantic definitions,
we shall use the predicate Term(c) to mean that the proper termination of clock c, that is it has
ticked up to its limit (whose value is generally dynamically reached).
2.1 Primitive ccsl clock functions
We now provide a set of primitive functions to build new clocks out of others. They are mostly
of synchronous nature (subClock constructed).
Inria
Schedulability analysis by exhaustive state space construction 5
The main function, filteredBy, will use an explicit mask to decide on each new tick (of the
superclock) whether it should be preserved or discarded in the subclock definition. Such a mask
consists of a binary word (with “1" meaning keep and “0" discard) of length at least equal to
the length of the superclock. In practice, for syntactic reasons, the mask will have to be an
ultimately periodic pattern, consisting of some initialization prefix part, and a steady/repeated
part.
Simpler forms can be extracted using suitable masks, like delay_n, with n a constant number of
ticks from the superclock; it simply discards the n first ticks of its input clock. Similarly await_n
only ticks once, on the original nth tick of its input clock, or until_n, which selects only the
first n ticks of its input clock.
The upto operator takes two input clock arguments, and ticks with the first clock as long as the
second one has not started.
The concat sequential composition also takes two input clocks. It will tick with the first until
it has reached its length limit, then starts ticking as the second (when the first is terminated).
Of course in practice this will require that checking for the first clock lifespan (or its length) is
feasible, at least at run time. In simulation it can also mean that the property can be enforced
by the simulation policy, but then it has to be checked that it is valid in the future.
Union (and intersect) functions work directly at the level of steps, and create new clocks that
tick when at least one (or both) input clocks do.
The sampledOn function is a mix of synchronous and asynchronous spirit. It takes two input
clocks and ticks synchronously with the second, but only in case the first input clock ticked since
the previous tick of the second. So, its role is essentially to record whether there was a tick of
the first clock since “last time”.
Inf (and sup) functions also take two clocks as input, and create new clocks that is faster (or
slower) than both of the input clocks. The ith tick of the new defined clock is coincident with
the earlier (or later) of the ith tick of input clocks.
2.2 Primitive ccsl clock relations
Clock relations are provided to specify relations between two existing clocks. Both synchronous
and asynchronous aspects are considered.
The fundamental synchronous relation is the subClock discussed above, restricting that the sub-
clock cannot tick if its superclock does not. It is one direction specified, and can be extended
into two directions, that is the equality relation stating the equality between the two clocks,
one ticks iff the other one ticks.
The exclusion relation is the opposite of equality. Two clocks are exclusive means that they
never tick at the same step.
The basic asynchronous relations are the two versions of faster than discussed in last subsec-
tion, the strictPre ≺ and causes ¹. For the strict one, the second clock cannot tick when the
index difference is 0. While for the weak one, when their index different is 0, the second clock
can tick if the first one ticks. They both limit the drift between the two clocks in the range of
[0,∞].
BoundedDiff_i_j bounds an integer interval [i,j] to the drift of the two involved clocks, denoted
as i ≤ left − right ≤ j. It can be viewed as an extension of faster than, not restricting which
clock is faster, but stating their index difference cannot exceed the range.
The relation alternate indicates the alternate occurrences of instants of the two clocks, starting
from the left one.
Considering clock termination: the filteredBy operator preserves termination, and may
create a finite clock from an infinite one (if the mask is of finite length); The delay_n, await_n
RR n° 8102
6 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
and upto operators create finite clocks (unless the second clock of upto never starts); concat
will be of real use only if its first clock argument terminates; finite union clock requires the two
clock arguments to be finite, while intersect may produce a finite clock even both arguments
are infinite; sampledOn is finite if one of its argument is; by convention inf provides infinite
clocks as soon as one of their arguments is infinite, while sup provides finite one as soon as one
argument is finite. A subclock of a finite clock is finite (while subclock of an infinite clock may
be finite too); a clock in bounded drift of a finite one is finite (a clock with a finite faster than
clock is finite as well).
3 The issue: schedulability analysis through formal trans-
lation to a proper operational semantic domain
We want to play the connection between the scheduling theory and the automata theory through
ccsl, modeling the issues taken from scheduling theory by ccsl, and solving them by translating
a ccsl specification into a proper automata with acceptance criteria recognizing specific infinite
words. First we discuss the relation between ccsl and existing scheduling theories. Then we
present the scheduling issues in ccsl context and provide the overview of our automata based
solutions to the issues.
3.1 Relations between ccsl and existing scheduling theories
Real-time scheduling theories rely on task models that supposedly abstract real applications.
Originally they were rather simple (e.g., independent periodic tasks only for Rate Monotonic
Analysis). Always more sophisticated models now appear in the literature. They are all based
on numerous distinct parameters, providing numerical constraint values for timing aspects (dis-
patch time, period, deadline, jitter drift,...). Tasks are considered as iterations of jobs (or jobs as
instances of tasks). In our view, the successive timing values for characteristic feature of succes-
sive jobs can be seen each as a logical clock, and the time constraint relations between such clocks
are usually expressed as simple equalities and bounded inequalities that fall well into the range
of ccsl constructs descriptive power. As an example, the notion of sporadicity which states
that tasks are invoked at random but with a minimum inter-invocation interval, can be handled
by ccsl, as for instance, c = (p filteredBy (001)ω) sampledOn d, 0 ≤ d − c ≤ 1 and d ≺ (p
wait_1), states at least three ticks of p between two ticks of d; the fact that p ticks are regular
in physical time is ignored in ccsl modeling. Note that logical clock in ccsl can also be used
to represent realities of different nature, more ad-hoc to the application, with added intuitive
expressiveness. For instance, the exclusive access to a critical resource is modeled by exclusion
between corresponding clocks, the size limit of a buffer (3 as an example) can be expressed by
a special case of boundedDiff relation, making 0 as the left bound and buffer size as the right
bound between write and read clocks, 0 ≤ write − read ≤ 3. With such formal specification,
ccsl is not able to say anything about the way to find efficient resulting schedule(s) for specific
class of problems modeled that way (for instance, Earliest Deadline First plans to schedule first
the job with least time remaining, this remaining time being dynamically computed due to past
activities). Further comparisons of ccsl and usual real-time scheduling models would be out of
the scope of the current paper. But it should still be mentioned that models closer to ccsl, as
for instance AADL and AutoSar-related EAST-ADL models, are also now making their way to
mainstream scheduling concerns.
Classical (non real-time) scheduling, on its side, provides generally models where the initial
constraints are less on timing and more on dependencies (as for program instruction scheduling
Inria
Schedulability analysis by exhaustive state space construction 7





	ABCD
 EF

E


C
C
E


C
C
CFİ Cİ 
F







C



C
FEF
EF
EF







C


C



C
C



EF
E
E
E
E
E







Figure 1: Execution of specification in Example 1
and software pipelining) or on exclusive resource allocation. But resulting schedules are almost
always of modulo periodic nature, here again matching the ccsl expressiveness.
3.2 Automata based solution to ccsl scheduling issue
A ccsl specification formally describes expected requirements and represents a set of valid
schedules, i.e. a set of valid sequences of steps; where for each steps (index), clocks are said to
tick or not. Solving the specification constraints consists in assigning clock ticks to steps, and
consequently to provide one schedule of the system.
The purpose of scheduling is to assign resources and time slots to tasks so that all tasks are
accomplished under some constraints (e.g., fair share of resources or time, using as little time slots
as possible, etc). In this sense, a valid schedule should be a sequence of steps where every clock
ticks as far as it meant to (infinitely often or up to its proper termination). Specifications may
become unschedulable because of contradictory constraints, or more subtly because it becomes
unfeasible to pack a number of ticks in a given time interval to get a valid schedule.
We provide a typical example below, which will reveal a number of concerns involved in ccsl
schedulability.
Example 1. For three clocks a, b and c, where b is a subclock of a, c is a wait 3, b is strictly
faster than c and their index difference is bounded in [0,2]:
b subClock a, c = a wait 3, b ≺ c, 0 ≤ b− c ≤ 2
The automata like representation in Figure 1 is informally used here to give readers an intuitive
view of the issue. Formal semantics is given later. The global behaviors of a specification
(on the right in Figure 1) have to respect to all its constraints (on the left in Figure 1). One
major problem is that during the construction of the schedules, some choices can lead to invalid
schedules. For instance, what is expected from our example is: At least one tick of b should occur
before the third tick of a, then c ticks together with the third tick of a and then terminates.
Clock b terminates when the index difference between b and c reaches 2, and a ticks infinitely.
However, none of the constraints forbids a to tick two times without one b. In state < s, t2, r0 >
it becomes unfeasible to fire any clock with respect to the conjunction of constraints: every clocks
get halted (cannot tick anymore though it is not proper terminated). The run < s, t0, r0 >
{a}
−−→<
s, t1, r0 >
{a}
−−→< s, t2, r0 > consequently cannot produce a valid schedule.
To decide the schedulability of a specification and to recognize valid schedules from spec-
ification runs, we provide a state-based operational semantics for ccsl, ccAutomata. Such
ccAutomata will represent all possible runs of a specification, and thus all valid schedules of its
clock ticks. Recognizing valid schedules from runs can be achieved by defining acceptance criteria
RR n° 8102
8 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
for infinite words on ccAutomata. The schedulability issue, which demands that one such valid
schedule exists, will thus amounts to the emptiness checking problem.
4 Formal translation of CCSL into (Generalized Transition
Bu¨chi) ccAutomata
We will provide the formal translation of CCSL clock constraints into appropriate state-based
models using operational semantics. We will first describe how the “stateful" features of operators
expand into states, providing the general skeletons for the expanded models; then we will consider
the acceptance criteria issue, so that exactly valid schedules are recognized. In the next section
we will show how the resulting models can be used to solve the schedulability issues.
Acceptance criteria for languages of infinite words have been amply studied in the past. This
gave rise to recognition patterns such as Bu¨chi (repeated states), certainly the most famous,
but also Muller, Rabin, and Street types of acceptance criteria. The Bu¨chi acceptance criterion
also supports variants, such as transition Bu¨chi (rather than state Bu¨chi), or Generalized Bu¨chi
criteria (in which several sets of repeated states are provided and must be satisfied collectively).
We shall show how CCSL naturally leads to transition Bu¨chi automata translation for in-
dividual constraints, and why state Bu¨chi is less natural; we shall also see how the generalized
version is needed when specification are composed of several distinct clocks (and there will be one
recognition set per clock). It is known from the literature that both variants can be expanded at
some cost into plain (state) Bu¨chi automata, but we will consider how direct analysis may prove
to be more efficient.
For homogeneity reasons we shall also see how termination states and finite clocks can be
unified with infinite ones (by noticing infinitely the termination). We will also have to rely on
stuttering transitions so that the construction of a global automaton from the various constraints
(and their individual automaton form) can be considered as a synchronous product, even though
some may idle in it. These can be seen as “classical tricks" in the model-checking community,
but they are to be applied on models and theories meant to the (distinct) scheduling theory
community.
4.1 State-based operational semantics of CCSL—ccAutomata
Definition 3. A ccAutomata is a tuple A = (S,Clocks, Terms, I, T ) where
• S is a nonempty set of states, and I ⊆ S is the set of initial states.
• Clocks is a finite nonempty set of clock names, which can be regarded as sorts of the
automata.
• Terms is a set of clock termination predicates Terms = {Term(c)|c ∈ Clocks}.
• T ⊆ S× 2Clocks × 2Terms ×S defines the transition relation, each transition is labeled by
a subset of Clocks that tick simultaneously in that step, and a subset of Terms indicating
the proper terminations of corresponding clocks.
A transition (s, C, Tm, s
′
) ∈ T is also denoted as s
C,Tm
−−−−→T s
′
or simply s
C,Tm
−−−−→ s
′
if clear
from context. A ccAutomata is deterministic iff ∀s ∈ S, (s
C,Tm
−−−−→ s1 ∧ s
C,Tm
−−−−→ s2) ⇒ (s1 = s2).
A path of A is a sequence of transitions, either finite or infinite, ρ = s0
C0,Tm0
−−−−−→ s1
C1,Tm1
−−−−−→
· · ·
Ck−1,Tmk−1
−−−−−−−−−→ sk · · · . A run is a path from an initial state, and its ticking trace is the series of
ticking labels: C0;C1; · · ·Ck; · · · .
Inria
Schedulability analysis by exhaustive state space construction 9
¥

 ¥


­


­


(a)
∮
(c) =
∮
(c1) = Inf
¥

 ¥
↓
↓
↓
(b)
∮
(c) = Fin,
∮
(c1) =
Inf
¥

 ¥

 ­


­


↓ ↓
↓↓
	¤AB↓
(c)
∮
(c) =
∮
(c1) = Fin
Figure 2: c = c1 filteredBy u(v)
ω
4.1.1 ccAutomata encodings of CCSL clock constraints
One can easily build a ccAutomata for a clock constraint according to its semantics. If a clock
terminates in one transition, then it is terminated in any future transition, i.e., if s
C,Tm
−−−−→
s
′
, T erm(c) ∈ Tm, then ∀t, s
′ C
′
,Tm
′
−−−−−→ t, T erm(c) ∈ Tm
′
. Every state has a stutter transition
s
∅,Tm
−−−−→ s since no constraint is violated or changed if no clock ticks.
Function
∮
: Clocks → {Fin, Inf, Free} is provided to user to specify that a clock is supposed
to be finite (
∮
(c) = Fin), infinite (
∮
(c) = Inf), or either (
∮
(c) = Free). It needs to be in
consistent with the constraint semantics, for instance, for c = c1 await_3,
∮
(c) must be Fin.
The
∮
function can be used to simplify the ccAutomata encoding (for scheduling concerns). If
we know a clock is specified to be infinite, the the transitions labeled by its termination can be
removed since termination of that clock is not expected (transitions labeled by that will not lead
to valid schedules). We will show how the
∮
is used to simplify the encoding: for each primitive
clock constraint, we first show its ccAutomata encoding for the most natural case (usually the
case that
∮
(c1) =
∮
(c2) = Inf), then add corresponding termination transitions and states for
finite specified clocks. These transitions and states are colored for clear view, where “red” means
“un-conclusive”, some clocks have terminated while others haven’t, and “green” means “terminal”
that every clock has terminated.
For simplicity, termination predicts are denoted by ↓ clockname, and stutter transitions are
ignored in the figures.
• filteredBy, delay_n,await_n,until_n
Constraint c = c1 filteredBy w builds a sub clock c of clock c1 according to the binary
word w. Usually w is written as u(v)ω, where u is the transient part and v the periodic
part with length m, v is the periodic part with n bits, the power ω means v is repeated an
unbounded number of times. When the bit of w is 1, the instant of c1 is selected, otherwise
discarded.
∮
(c1) = Fin ⇒
∮
(c) = Fin.
The most natural case is
∮
(c) =
∮
(c1) = Inf shown in Figure 2(a), where δic = {c} if
ui = 1, otherwise δic = ∅, similarly µic = {c} when vi = 1, µic = ∅ when vi = 0, and γ = 1
if the next bit of w is 0.
If c is specified to be finite (
∮
(c) = Fin,
∮
(c1) = Inf), then v must be 0. Corresponding
transitions and states are added, c1 alone ticks infinitely after the termination of c, as
Figure 2(b) shows.
If c1 is also specified to be finite (
∮
(c) =
∮
(c1) = Fin), transitions labeled with Term(c1)
are added. As Figure 2(c) shows, if c1 terminates, c terminates directly. While c1 can still
tick until the bit of w is 1 after the termination of c.
RR n° 8102
10 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
 ↓

↓
 ↓


↓

↓
(a)
∮
(c1) =
∮
(c2) = Inf
 ↓
↓↓
↓↓

↓
 ↓


↓

↓
(b)
∮
(c1) = Fin,
∮
(c2) = Inf
 ↓

↓
 ↓


↓

↓
↓
↓↓
(c)
∮
(c1) = Inf,
∮
(c2) = Fin
 ↓
↓↓
↓↓

↓ ↓↓
↓
 ↓


↓

↓
↓ ↓↓
↓

↓↓
↓

↓
↓

↓ ↓↓
(d)
∮
(c1) =
∮
(c2) = Fin
Figure 3: ccAutomata encodings of c = c1 upto c2
Constraints delay_n,await_n,until_n can be regarded as special cases of filteredBy,
using 0n(1)ω, 0n1(0)ω and 1n(0)ω as masks respectively.
• upto
c = c1 upto c2 creates a finite clock unless c2 never starts and c1 is infinite. Clock c
terminates properly when c2 starts.
• concat
Constraint c = c1 concat c2 relies on dynamic terminations, c behaves like c1 until its
termination and then behaves c2. Usually c1 should be finite, otherwise c is just equal to
c1.
• union,intersection
Constraint c = c1 union c2 creates a new clock c which ticks whenever c1 or c2 ticks. c
is finite if and only if both c1 and c2 is finite. If only c1 (resp. c2) terminates, c can still
tick together with c2 (resp. c1) until the termination of c2 (resp. c1). On the opposite,
c = c1 intersection c2 creates c which ticks iff both of c1 and c2 tick. If one of c1 or c2
terminates, c terminates, and the other clock can tick till its termination; if c terminates,
c1 and c2 can tick infinitely in the future but not together.
• sampledOn
There are two versions of the sampling, either strict (c = c1 strictSamp c2), or non-strict
(c = c1 nstrictSamp c2). In both versions, clock c1 is considered as a trigger and c2 is a
time base, they do not affect each other, and clock c ticks in coincidence with the tick of
c2 immediately following a tick of the trigger c1. Their difference can be clearly described
by the following expressions:
Inria
Schedulability analysis by exhaustive state space construction 11

↓
↓



(a)
∮
(c1) = Fin,
∮
(c2) =
Inf




(b)
∮
(c1) =∮
(c2) = Inf

↓
↓



(c)
∮
(c1) = Inf,
∮
(c2) = Fin
↓ ↓↓

↓

↓
↓
↓



↓
 ↓
↓

↓

↓
↓
(d)
∮
(c1) =
∮
(c2) = Fin
Figure 4: ccAutomata encodings of c = c1 concat c2





(a)
∮
(c1) =∮
(c2) = Inf
↓
↓




(b)
∮
(c1) = Fin,
∮
(c2) =
Inf
↓
↓




(c)
∮
(c1) = Inf,
∮
(c2) =
Fin
↓
↓
↓
↓↓↓
↓
↓↓
↓↓






(d)
∮
(c1) =
∮
(c2) = Fin
Figure 5: ccAutomata encodings of c = c1 union c2




(a)
∮
(c1) =∮
(c2) = Inf
↓↓


↓


↓






↓
↓
↓
↓
↓

(b)
∮
(c1) = Fin,
∮
(c2) =
Inf
↓↓


↓


↓






↓
↓
↓
↓
↓

(c)
∮
(c1) = Inf,
∮
(c2) =
Fin
↓
↓
↓
↓

↓↓↓
↓↓
↓↓↓
↓↓
↓ 




↓

↓

↓

↓ 

↓

↓
↓

↓

↓



↓

(d)
∮
(c1) =
∮
(c2) = Fin
Figure 6: ccAutomata encodings of c = c1 intersect c2
RR n° 8102
12 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone














(a) c = c1 nstrictSamp c2


























(b) c = c1 strictSamp c2
Figure 7: ccAutomata encoding of sampledOn(
∮
(c1) =
∮
(c2) = Inf)


↓

↓




↓↓
↓↓

↓







↓

↓↓
(a) c = c1 nstrictSamp c2



↓























↓

↓





↓





↓







↓


↓↓
↓↓
↓↓
↓

↓

(b) c = c1 strictSamp c2
Figure 8: ccAutomata encoding of sampledOn(
∮
(c1) = Fin,
∮
(c2) = Inf)
strict: ∀i,∃j, k, c2[j − 1] ¹ c1[i] ≺ c2[j], c[k] ≡ c2[j]
weak: ∀i,∃j, k, c2[j − 1] ≺ c1[i] ¹ c2[j], c[k] ≡ c2[j]
Please check the difference reflected in ccAutomata encodings: Figure 4.1.1 for
∮
(c1) =∮
(c2) = Inf case; Figure 4.1.1 for
∮
(c1) = Fin,
∮
(c2) = Inf case; Figure 4.1.1 for
∮
(c1) =
Inf,
∮
(c2) = Fin case; and Figure 4.1.1 for
∮
(c1) =
∮
(c2) = Fin case.
• inf, sup
Constraint c = c1 sup c2 defines a new clock c which is slower than both c1 and c2. The
kth tick of c is coincident with the later of the ith tick of c1 and c2. The index difference δ
between c1 and c2 is recorded to determine if c should tick together with which clock, δ = i
at si. When δ = 0, if c1 (resp. c2) terminates, then c terminates; if c terminates, then
either only c1 ticks or only c2 ticks in the future. When δ 6= 0, the slower one c2 (resp. c1)
terminates iff c terminates; if c1 (resp. c2) terminates, then c can be alive till δ becomes 0,
c2 (resp. c1) can still tick after the terminations of c and c1 (resp. c2). Constraint c = c1
inf c2 is the dual of c = c1 sup c2. The k
th tick of c is coincident with the faster of the ith
tick of c1 and c2. When δ = 0, if c terminates, then both c1 and c2 terminates; if c1 (resp.
c2) terminates, then c2 (resp. c1) and c ticks together till their terminations. When δ > 0
(resp. δ 6= 0): if the slower one terminates then c and the faster one tick together in the
future up to their terminations; if c terminates, then the faster one terminates immediately,
the slower one can tick till δ becomes 0; if the faster one terminates, the slower one ticks
alone till δ becomes 0, then ticks together with c before terminate.
Inria
Schedulability analysis by exhaustive state space construction 13


↓




↓


↓

↓↓
↓




↓

↓

↓








↓↓



↓
↓

↓

↓↓




↓
↓
(a) c = c1 nstrictSamp c2



↓↓
↓



















↓



↓


↓


↓



↓









↓

↓

↓
 ↓



↓

↓




↓

↓↓
↓↓
(b) c = c1 strictSamp c2
Figure 9: ccAutomata encoding of sampledOn(
∮
(c1) = Inf,
∮
(c2) = Fin)
↓↓↓
↓

↓

↓




↓
↓

↓


↓




↓

↓

↓




↓

↓

↓
↓↓






↓

↓↓








↓↓




↓


↓

↓
↓↓
↓

↓


↓

↓


(a) c = c1 nstrictSamp c2



↓↓↓
↓



















↓


↓




↓

↓


↓





↓


↓


↓



↓





↓

 




↓


↓↓
↓


↓

↓
↓





↓


↓

↓

↓








↓




↓

↓↓
↓↓
(b) c = c1 strictSamp c2
Figure 10: ccAutomata encoding of sampledOn(
∮
(c1) =
∮
(c2) = Fin)
RR n° 8102
1
4
L
in
g
Y
in
,
J
u
li
en
D
eA
n
to
n
i,
F
re´
d
e´
ri
c
M
a
ll
et
,
R
o
be
rt
d
e
S
im
o
n
e
















	 

	


	




A

A



(a
)
∮ (
c
1
)
=
∮ (
c
1
)
=
I
n
f
 















	





	

	




A

A



↓B↓

↓B↓
 ↓ ↓B↓
↓
B↓
↓ ↓


↓

↓
↓



↓
B↓

↓

B↓


↓

B↓

↓

↓
(b
)
∮ (
c
1
)
=
I
n
f
,
∮ (
c
1
)
=
F
in
 















	





	

	




A

A







↓B↓ 


↓


B
↓

 ↓
↓B↓
↓ ↓




↓

B↓

 ↓





↓


↓
↓
B↓
↓

B↓


↓

B↓


↓
 ↓
 (
c)
∮ (
c
1
)
=
F
in
,
∮ (
c
1
)
=
I
n
f
 















	





	

	




A

A



↓B↓

↓B↓



↓


B
↓




↓


B
↓

 ↓ ↓B↓
↓B↓

↓

B
↓

B
↓

↓
B↓
↓

↓



↓

B↓

 ↓





↓


↓
↓
B↓
↓
↓


↓

↓
↓



↓
B↓

(d
)
∮ (
c
1
)
=
∮ (
c
1
)
=
F
in
F
ig
u
re
1
1
:
cc
A
u
to
m
a
ta
en
co
d
in
g
o
f
c
=
c 1
s
u
p
c 2
In
ri
a
S
ch
ed
u
la
bi
li
ty
a
n
a
ly
si
s
by
ex
h
a
u
st
iv
e
st
a
te
sp
a
ce
co
n
st
ru
ct
io
n
1
5






























	

	






(a
)
∮ (
c
1
)
=
∮ (
c
1
)
=
I
n
f
 





























	

	





AA


↓


↓

↓
↓

↓

↓

↓




↓






↓

 
↓

↓

↓


(b
)
∮ (
c
1
)
=
I
n
f
,
∮ (
c
1
)
=
F
in
 















	





	

	




A

A







↓B↓ 


↓


B
↓

 ↓
↓B↓
↓ ↓




↓

B↓

 ↓





↓


↓
↓
B↓
↓

B↓


↓

B↓


↓
 ↓
 (
c)
∮ (
c
1
)
=
F
in
,
∮ (
c
1
)
=
I
n
f
 





























	

	





↓
↓

AA
↓





↓




↓

A
↓

A
↓

↓

↓↓
↓A↓
↓
↓↓
↓↓
↓
↓



↓






↓
↓


↓


↓

↓
↓A↓



↓






↓
↓


↓


↓

↓
↓A↓
(d
)
∮ (
c
1
)
=
∮ (
c
1
)
=
F
in
F
ig
u
re
1
2
:
cc
A
u
to
m
a
ta
en
co
d
in
g
o
f
c
=
c 1
i
n
f
c 2
R
R
n
°
8
1
0
2
16 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
↓ ↓


↓
↓

↓ ↓

(a) c = c1 subClock c2
↓ ↓

(b) c = c1 equality c2

↓

↓
↓

↓
↓

↓
↓ ↓
(c) c = c1 exclusion c2
Figure 13: ccAutomata encodings of subClock, equality,exclusion







































	
A










 B
C
(a)
∮
(c1) =
∮
(c2) = Inf









































	A
B
	C






↓

 ↓






↓





↓



 ↓D↓
↓




↓


↓

↓





↓






↓


↓


↓






↓







D
↓ 


↓


↓
↓


D↓



(b)
∮
(c1) =
∮
(c2) = Fin
Figure 14: ccAutomata encoding of BoundedDiff
• subClock, equality,exclusion
c1 subClock c2, c1 is a subclock of c2, so either both of them tick, or only c2 tick, or none
of them tick. If c2 terminates, c1 also terminates. While after the termination of c1, c2
can still tick till its termination. If a clock is specified to be infinite, the ccAutomata is
obtained by just removing the transitions labeled by its termination.
c1 equality c2 means c1 subClock c2 and c2 subClock c1, as Figure 13(b) shows.
c1 exclusion c2 specifies that they cannot tick together. Their terminations do not affect
each other.
• BoundedDiff, strictPre, causes
If m ≤ c1 − c2 ≤ n (i, j ∈ N), then
∮
(c1) =
∮
(c2). Similar to sup and inf, the index
difference δ = i at state si. The ccAutomata encoding for Inf case is shown in Figure 14(a).
For Fin case, at si, if c2 (resp. c1) terminates, c1 (resp. c2) can at most n− i times before
termination.
Constraint causes is a special case of BoundedDiff that m = 0, n = ∞. strictPre is the
same as causes except that at s0 the slower clock cannot tick.
• alternate
c1 alternate c2 indicates the alternate occurrences of instants of c1 and c2. It implies
Inria
Schedulability analysis by exhaustive state space construction 17
↓


↓ ↓
↓
 



↓


↓



↓



Figure 15: c1 alternate c2
0 ≤ c1 − c2 ≤ 1. Its ccAutomata encoding for Fin case is shown in Figure ??. The Inf
case is easy gotten by removing transitions labeled by terminations.
4.1.2 ccAutomata semantics of CCSL specifications—composition of individual
ccAutomatas
A specification is a conjunction of constraints so its resulting behavior have to respect all its
constraints. Transitions from two ccAutomatas can be composed only if there is no conflict;
conflict here means that a common involved clock ticks in one transition while does not in the
other, or it terminates in one transition while stays alive in the other.
Definition 2. Given a set of ccAutomatas, Ai = {Si, Clocksi, T ermsi, Ii, Ti}, where i ∈ ζ =
{1, ..., n}, their composition is a proper synchronized product, ||{Ai}i∈ζ = {S,Clocks, Terms, I, T},
where
S = S1 × · · · × Sn; I = I1 × · · · × In;
Clocks = Clocks1 ∪ · · · ∪ Clocksn;Terms = Terms1 ∪ · · · ∪ Termsn;
∀i, j ∈ ζ(i 6= j), si
Ci,Tmi
−−−−−→Ti s
′
i, sj
Cj ,Tmj
−−−−−→Tj s
′
j ,∀c ∈ Clocksi ∩ Clocksj ,
c ∈ Ci ⇔ c ∈ Cj , T erm(c) ∈ Tmi ⇔ Term(c) ∈ Tmj
(s1, ..., sn)
C1∪···∪Cn,Tmi∪···∪Tmn
−−−−−−−−−−−−−−−−−→T (s
′
1
, ..., s
′
n)
4.2 Acceptance criteria for valid schedules
A valid schedule is the ticking trace of a run, in which every clock ticks as far as it meant to.
That is to say, every infinite specified clock ticks infinitely often and every finite specified clock
ticks up to its proper termination.Thanks to the stutter transitions and the preservation of clock
terminations, a clock ticks up to its proper termination can be noticed by the infinite visit of
its termination predict. A run ends in a state sf where every clock is terminated properly can
always be extended to infinite by sf
∅,Terms
−−−−−−→ sf . Then acceptance criteria for infinite words can
be used to recognize valid schedules.
We say path ρ passes infinitely often through a state (or transition in transition-based style)
if there are infinitely many occurrences of it in ρ. The set of states (or transitions) which occur
infinitely often in ρ is denoted by Inf(ρ).
RR n° 8102
18 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone

 





Figure 16: Expand state s1 in Figure 13(a) into s11 and s12
Acceptance criteria in Bu¨chi recognizing pattern is a set of repeated states, i.e., a state-based
Bu¨chi ccAutomata (denoted as state BA for short) is a tuple (A, F ), where A is a ccAutomata,
F ⊆ S is a finite set of accepting states. A run of A is accepted if Inf(ρ) ∪ F 6= ∅. For instance,
for the ccAutomata of c1 subClock c2 with
∮
(c1) =
∮
(c2) = Inf (Figure 13(a)), the acceptance
criteria would be F = {s1}. The fairness between the two clocks cannot be guaranteed. A
run with infinite ticks of c2 but no tick of c1 would be accepted, while it can not produce
a valid schedule. To solve this problem, we can either expand s1 into two sates (s11, s12 in
Figure 16) and make only s12 accepting, or use transition-based Bu¨chi automata (tBA) instead,
F = {s1
{c1,c2},∅
−−−−−−→ s1}. Forcing state-based accepting sets would in fact amount to reiterating
locally the general expansion from tBA to BA. But counting on transitions comes more natural.
When composing local tBAs obtained from individual constraints into a global one to repre-
sent schedules from the whole specification, we want to avoid infinite runs where some clocks are
forbidden forever while non terminated. The problem is that such runs are actually accepted by
the naive acceptance criterion. For this type of problems, literature has come up in the past with
the notion of Generalized BA, in which a collection of acceptance conditions would be provided,
each needing to be checked independently. In our case we shall associate such a condition to
every specified finite or infinite clock.
Definition 1. A transition-based Generalized Bu¨chi ccAutomata (tGBA) is a tuple (A,
∮
, F )
where A is a ccAutomata,
∮
is the finiteness specifying function, F is a finite set of elements called
acceptance conditions, F = {c|c ∈ Clocks,
∮
(c) = Inf} ∪ {Term(c)|c ∈ Clocks,
∮
(c) = Fin}.
A run ρ is accepted if transitions are labeled by each acceptance condition infinitely often.
Let Inftick(ρ) = {c|s
C,Tm
−−−−→ s
′
∈ Inf(ρ), c ∈ C} and Infterm(ρ) = {Term(c)|s
C,Tm
−−−−→ s
′
∈
Inf(ρ), T erm(c) ∈ Tm}, ρ is accepted if ∀f ∈ F, f ∈ Inftick)(ρ)∨f ∈ Infterm(ρ). This means
that in an accepted run, every infinite clock ticks infinitely often, and every finite clock terminates
properly (guaranteed by the infinitely often visited termination). Under these conditions we avoid
runs where clocks are forbidden to tick while they should (we avoid local deadlock of clocks) and
consequently the ticking trace of an accepted run would be a valid schedule.
For Example 1, its accepting criteria would be F = {a, Term(b), T erm(c)}, since both b and
c are supposed to be finite while a should be infinite. Runs where at least one tick of b occurs
before the third tick of a would be recognized as accepted runs, while runs that lead to state
(s, t2, r0) would be ruled out.
Note that in practice, the number of clocks considered in defining accepting conditions could
be minimized, as some of them can imply others. For instance, if c = c1 sampledOn c2, one only
needs to find schedules in which c ticks infinitely often, as that implies c1 and c2 do too. Please
check the detail rules for minimizing accepting conditions in Table 1.
Inria
Schedulability analysis by exhaustive state space construction 19
Table 1: Acceptance condition minimizing rules
Constraint Implication
c = c1 filteredBy w, c = c1 delay_n
∮
(c1) = Fin ⇒
∮
(c) = Fin,
∮
(c) = Inf ⇒
∮
(c1) = Inf
c = c1 await_n / until_n
∮
(c1) = Fin ⇒
∮
(c) = Fin
c = c1 upto c2
∮
(c) = Inf ⇒
∮
(c1) = Inf
c = c1 concat/union/inf c2
∮
(c1) = Inf ∨
∮
(c2) = Inf ⇔
∮
(c) = Inf ,
∮
(c1) =
∮
(c2) = Fin ⇔
∮
(c) = Fin
c = c1 intersect/sampledOn c2
∮
(c1) = Fin ∨
∮
(c2) = Fin ⇒
∮
(c) = Fin,
∮
(c) = Inf ⇒
∮
(c1) =
∮
(c2) = Inf
c = c1 sup c2
∮
(c1) = Fin ∨
∮
(c2) = Fin ⇔
∮
(c) = Fin,
∮
(c) = Inf ⇔
∮
(c1) =
∮
(c2) = Inf
c subClock c1
∮
(c) = Inf ⇒
∮
(c1) = Inf
c equality/alternate/boundedDiff_i_j c1
∮
(c) =
∮
(c1) = Inf
c1 strictPre/causes c2
∮
(c2) = Inf ⇒
∮
(c1) = Inf ,
∮
(c1) = Fin ⇒
∮
(c2) = Fin
5 Schedulability checked on automata translation
Once the tGBA built, schedulability analysis is equivalent to finding the existence of accepted
infinite words. This (non)emptiness check has also been identified in model-checking context
(where automata are generated from temporal logical formulaes). It is straightforward to check
the emptiness on plain (state) Bu¨chi automata (existence of a loop or SCC (Strongly Connected
Component) including an accepting state, of course amongst the reachable states). But it is a bit
more subtle to be checked on extended tGBAs directly, and we will consider this in the current
section.
In addition to checking for emptiness, we will even attempt to compute the actual subset
of states from which a valid infinite word may be continued. This will then allow to trim the
structure and make the automata canonical so that it accepts the same language and no useless
(undesired) state remains. This is helpful if one considers an approach where the resulting
automata will be used later to guide an actual run-time simulation (similar as in controller
synthesis aims). Hopefully, most related model-checking techniques actually do compute such
sets of states and decide later language emptiness (or not) by checking whether the initial state
was preserved as one of the useful states. The previous definition of transition-based Generalized
Bu¨chi Automata can be read as: a state is useful if it can be the root of a path which goes
infinitely often through an accepting transition for every accepting state (in our case it is a path
where each infinite specified clock ticks infinitely often, and proper termination of every finite
specified clock is visited infinitely often), otherwise it is useless. We derive an algorithm from
this. It is important to note here that a state may already be useless (in the sense that it leads to
no valid infinite behavior) while it takes several steps in any way before bad states where clocks
get halted.
For technical reasons, we require the finiteness of state space so that the fixpoints converge
(and if not finite-state, the intuitive explanations have to be adapted because an infinite path does
not mean a loop or SCC anymore). If a specification contains a constraint that may cause infinite
state space (strictPre, causes, sup and inf), there must a be boundedDiff restricting finite
drifts1. And we want the algorithm to be easily applicable on symbolic state set representations,
such as BDDs. The operations used in the algorithm (union, intersection, complementation,
Enable, Pre), can easily be manipulated on symbolic representation of state sets. For a given
specified (infinite or finite) clock c, EnableV (c) computes the set of states that immediately
perform a transition where c ticks (if
∮
(c) = Inf) or terminates (if
∮
(c) = Fin). PreV (Z)
1Actually this restriction is overstrict, because of the interactions among constraints, the state space of a spec-
ification may be finite even if it has unbounded constraints. However, since the semantics is built constructively,
it is not easy to check the finiteness from the syntactic constructors directly. So right now, we restrict to bounded
ccsl [2] instead of finiteness checking
RR n° 8102
20 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
computes the set of predecessors of states in Z. Subscript V is the scope where computations
are carried.
EnableV (c) =


{s ∈ V |∃s
′
∈ V, s
C,Tm
−−−−→ s
′
, c ∈ C},
∮
(c) = Inf ,
{s ∈ V |∃s
′
∈ V, s
C,Tm
−−−−→ s
′
, T erm(c) ∈ Tm},
∮
(c) = Fin
PreV (Z) = {s
′
∈ V |∃s ∈ Z, s
′ C,Tm
−−−−→ s}.
Our algorithm (Algorithm 1) consists of three steps:
The first step computes the set of potentially useful states, PU . A state is potentially useful if
in its future, every infinite clock can tick and every finite clock can properly terminate (may sev-
eral times, infinitely, or immediately). For each specified clock, we compute independently the set
of states that may reach a transition where it ticks (infinite specified) or terminates (finite speci-
fied) in a finite but unbounded number of steps, which is a straightforward backward (smallest) fix-
point of functional f(X) = EnableS(c) ∪ PreS(X). PU is then the intersection of all those result
sets. PU is closed by co-reachability (if a state is in it, all states that may reach it also are). So
if PU does not contain an initial state then we are done, the ccsl specification is not schedulable.
algorithm Trimming1
Input: tgba = ((S, Clocks, Terms, I, T ),
∮
, F )
Output: set of states U
begin2
set of states PU,OU,U,Ufront,Uprev;3
if S=∅ then return;4
PU :=markState(tgba,S);5
OU :=markState(tgba,PU);6
U :=OU; Ufront := OU;7
while U6= Uprev do8
Uprev:=U;9
Ufront:=PreS(Ufront);10
U:=U ∩ Ufront;11
end12
if U=∅ then tgba is not schedulable13
end14
algorithm markState15
Input: tgba = ((S, Clocks, Terms, I, T ),
∮
, F ), scope state set SS ⊆ S
Output: set of states intersect
begin16
set of states cLabeled,cLabeledfront;17
intersect := S;18
for every specified clock c ∈ Clocks do19
cLabeled :=EnableSS(c); cLabeledfront :=EnableSS(c);20
while cLabeledfront6= ∅ do21
cLabeledfront:=PreSS(cLabeledfront)\cLabeled;22
cLabeled:=cLabeled ∪ cLabeledfront;23
end24
intersect := intersect ∩ cLabeled;25
end26
end27
Algorithm 1: The Trimming algorithm
Obviously a state that is not potentially useful is useless (from it there are clocks that get halted). But a
PU state may not turn out to be actually useful: consider the case of a loop (or more generally a SCC)
inside which two distinct clocks never tick, but from which there may be two actual transitions (leaving
the SCC at different points), each of them allowing one of the two clocks to tick (and never the other
Inria
Schedulability analysis by exhaustive state space construction 21
anymore). Then seemingly all states inside the SCC were labeled by both (here, all) clocks, while in fact
the tickings cannot occur in the same path. (Case for finite clocks on proper terminations is similar.)
Our solution to this is to apply the same algorithm as before, but this time restricting to PU as the set
of reachable states (as thus regarding accepting transitions only if both their target and source states
are in it). The set OU of once-useful states contains states that remain potentially useful. OU is also
co-reachability closed.
The last step is to check the emptiness and get the set of useful states, U . We check if there is at
least one loop (or SCC) inside U , by computing a greatest fixpoint on function f(X) = OU ∩ PreS(X).
It computes the set of states from which there is an unbounded path inside U , containing SCCs plus
extra states that may lead to them (the emptiness problem is therefore preserved between SCCs and
this slight extension). U is the set of states preserved by this step. Since the state space is finite, the
algorithm eventually ends.
Proposition 5.1 A state is in U iff there is an infinite path from it in which each infinite clock ticks
infinitely often and the termination of each finite clock is visited infinitely often (or in general terms
where an accepting transition is performed infinitely often for each acceptance condition of the tGBA).
Proof (sketch): The ⇐ direction is easy: if there is such an infinite path, then the states found in it are
all in OU by definition, and fold itself into a SCC in the end, so that all states remain in U .
For the ⇒ part: if s is in U , then it is in OU . From s, for a given infinite (resp. finite) specified
clock c, (or equivalently, an accepting condition in generalized Buchi mode), there has to be a transition
labeled as “c ticks" (resp. “c terminates”), with source and destination states (t, u) in OU . Now these
states can also be chosen in U , otherwise the last state s′ in the path from s would not remain labeled
by at least one of the clock during the second step, a contradiction. Now we can reiterate this process
from state u and any clock since U ultimately ends in (one or several) SCC, and progressively build an
accepting infinite path. This concludes the proof. ¤
6 Conclusion and future work
In this paper we use a translation from logical time constraint language to automata expansion to study
schedulability. This work bears some similarity with previous attempts by Alur and Weiss [3, 4], which
define schedules as infinite words expressed in regular expressions and then construct corresponding
Bu¨chi automatas, and have counterparts in more classical real-time and timed automata in[5, 6, 7, 8].
Comparing to them, we use ccsl as the bridge to connect scheduling and automata theories. This allows
to take full of advantages of ccsl in modeling, such as the flexibility provided by logical time, multi-form
time bases, unified expressing of both functional requirements and extra performance constraints. And
we can construct automata naturally from ccsl specifications, avoiding the high costing of translation
from regular expressions to automata.
We propose an algorithm for emptiness-checking and canonical trimming of translated automata,
tGBA. As far as we know, it is a new way of handling generalized acceptance conditions, comparing to the
existing two classes of emptiness-check algorithms: nested depth-first searches (NDFSs) based [9, 10, 11],
and strongly connected components (SCCs) computation based [12, 13, 14]. And we believe it has
relevance larger than our specific problem, being extended for general model-checking for transition or
state GBAs.
In the future we want to inspect how finer relations between logical clocks can be used to detect
unschedulability at construction time, in states even prior the full model is built. And we also want
to make use of “latency-insensitive” property embedded in the interactions among constraints, which is
distinct valid schedules depart from one another by shifting the exact timing placement they each assign
to otherwise independent clock ticks.
RR n° 8102
22 Ling Yin, Julien DeAntoni, Fre´de´ric Mallet, Robert de Simone
References
[1] Charles André. Syntax and semantics of the clock constraint specification language (ccsl). Research
Report RR-6925, INRIA, 2009.
[2] Régis Gascon, Frédéric Mallet, and Julien Deantoni. Logical time and temporal logics: comparing
UML MARTE/CCSL and PSL. In 18th International Symposium on Temporal Representation and
Reasoning (TIME’11), pages 141–148, Lubeck, Germany, September 2011.
[3] Rajeev Alur and Gera Weiss. Regular specifications of resource requirements for embedded control
software. In Proceedings of the 2008 IEEE Real-Time and Embedded Technology and Applications
Symposium, RTAS ’08, pages 159–168, Washington DC, USA, 2008. IEEE Computer Society.
[4] Rajeev Alur and Gera Weiss. Rtcomposer:a framework for real-time components with scheduling
interfaces. In Proceedings of the 8th ACM international conference on Embedded software, EMSOFT
’08, pages 159–168, New York, NY, USA, 2008. ACM.
[5] Yasmina Abdeddaim and Damien Masson. Real-time scheduling of energy harvesting embedded
systems with timed automata. In Embedded and Real-Time Computing Systems and Applications
(RTCSA), IEEE 18th International Conference on, pages 31 –40, 2012.
[6] Gerd Behrmann, Kim G. Larsen, and Jacob I. Rasmussen. Optimal scheduling using priced timed
automata. SIGMETRICS Perform. Eval. Rev., 32(4):34–40, 2005.
[7] Elena Fersman, Leonid Mokrushin, Paul Pettersson, and Wang Yi. Schedulability analysis of fixed-
priority systems using timed automata. Theoretical Computer Science, 354(2):301 – 317, 2006.
[8] Elena Fersman, Pavel Krcal, Paul Pettersson, and Wang Yi. Task automata: Schedulability, decid-
ability and undecidability. Information and Computation, 205(8):1149 – 1172, 2007.
[9] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memory efficient algorithms for the
verification of temporal properties. In Computer-Aided Verification, volume 531 of Lecture Notes
in Computer Science, pages 233–242. Springer Berlin / Heidelberg, 1991.
[10] H. Tauriainen. Nested emptiness search for generalized buchi automata. Fundam. Inf., 70(1):127–
154, 2005.
[11] Heikki Tauriainen. On translating linear temporal logic into alternating and nondeterministic au-
tomata. Research Report A83, Helsinki University of Technology, Laboratory for Theoretical Com-
puter Science, Espoo, Finland, December 2003.
[12] Jaco Geldenhuys and Antti Valmari. More efficient on-the-fly ltl verification with tarjan’s algorithm.
Theor. Comput. Sci., 345(1):60–82, November 2005.
[13] Hammer Moritz, Alexander Knapp, and Stephan Merz. Truly on-the-fly ltl model checking. In
Tools and Algorithms for the Construction and Analysis of Systems, volume 3440 of Lecture Notes
in Computer Science, pages 191–205. Springer Berlin/Heidelberg, 2005.
[14] Jean-Michel Couvreur, Alexandre Duret-Lutz, and Denis Poitrenaud. On-the-fly emptiness checks
for generalized bu¨chi automata. In Model Checking Software, volume 3639 of Lecture Notes in
Computer Science, pages 903–903. Springer Berlin / Heidelberg, 2005.
Inria
RESEARCH CENTRE
SOPHIA ANTIPOLIS – MÉDITERRANÉE
2004 route des Lucioles - BP 93
06902 Sophia Antipolis Cedex
Publisher
Inria
Domaine de Voluceau - Rocquencourt
BP 105 - 78153 Le Chesnay Cedex
inria.fr
ISSN 0249-6399
