Abstract. To overcome the complexity of verification of real-time systems with dense time dynamics, Dutertre and Sorea proposed timeout and calendar based transition systems to model real-time systems and verify safety properties using k-induction. In this work, we propose a canonical finitary reduction technique, which reduces the infinite state space of timeout and calendar based transition systems to a finite state space. The technique is formalized in terms of clockless finite state timeout and calendar based models represented as predicate transition diagrams. Using the proposed reduction, we can verify these systems using finite state model checkers and thus avoid the complexity of induction based proof methodology. We present the examples of the Train-Gate Controller and the TTA startup algorithm to demonstrate how such an approach can be efficiently used for verifying safety, liveness, and timeliness properties using the finite state model checker Spin.
Introduction
Modeling and verification of timeout based real-time systems with continuous dynamics is an important and hard problem that has attracted considerable research interest, with industrial focus, for many years. The problem of faithfully modeling and consequently formally verifying such timeout based real-time systems is rather difficult because the state space of these systems is essentially infinite, owing to the diverging valuations required by the timing and timeout variables. Because of this infiniteness of the state space, none of the known formal verification techniques can be applied to completely verify some of the interesting properties, e.g., liveness properties, timing deadlocks etc. Infinite state model checkers like SAL (Symbolic Analysis Laboratory) [10] have been used with limited success for verifying safety properties, but the verification process employed by these tools demands significant additional manual effort in defining supporting lemmas and abstractions for scaling up the model.
Spin [9] is a tool for automatically verifying finite state distributed systems. There are broadly two approaches to extending Spin with time [4, 5, 16]. The real-time extension of Spin (RT-Spin [16]) provides timed automata (TA) [1] with real-valued clocks as a modeling framework, but it is incompatible with the partial order reduction implementation of Spin. The other is DT-Spin [4, 5], which allows one to quantify the (discrete) time elapsed between events by specifying the time slice in which they occur. DT-Spin is compatible with the partial order reduction of Spin and has been used to verify industrial protocols, e.g., the AFDX frame management protocol [13] and TTCAN [14]. Nonetheless, systems with asynchronous communication with bounded delays between components cannot be modeled directly using the asynchronous channels that Spin provides, since there is no explicit provision to capture message transmission delays. One possibility is to model each channel as a separate process with the delay as a state variable; in [4], the channels in the PAR protocol example are implemented in this way. But for systems with a relatively large number of components and dense connectivity among them, modeling channels in this way is cumbersome and state space explosion becomes unavoidable. UPPAAL [2], which can model TA, has the same limitation when modeling asynchronous communication with bounded delays: every channel has to be modeled as a separate TA capturing the message transmission delays.
Dutertre and Sorea [6] proposed timeout based modeling of time triggered systems with dense time dynamics; such timeout based models have traditionally been used as a model of execution in discrete event system simulations. They presented a modeling approach where the expected delivery delays for all undelivered messages are stored in a global data structure called a calendar [6, 7]. Formally, a calendar is a set of bounded size of the form C = {⟨e_1, t_1⟩, ..., ⟨e_r, t_r⟩}, where each event e_i is associated with the time point t_i at which it is scheduled to occur. The calendar based model, along with the timeouts for the individual processes, has been used to model the TTA startup protocol [7]. Using the infinite bounded model checker of SAL [10], they proved the safety property by k-induction. Unfortunately, not all safety properties are inductive in nature and may therefore require the support of auxiliary lemmas: in [7], the proof of the safety property for the TTA startup with just 2 nodes itself required 3 additional lemmas. A verification diagram based abstraction method proposed in [12] was used to prove the invariant property for models with up to 10 nodes. However, liveness properties still remain beyond the scope of this approach. Pike [11] builds on the work of [6] and proposes a new formalism called Synchronizing Timeout Automata (STA) to reduce the induction depth k required for k-induction. STA are defined using shared timeouts such that the resulting transition system does not involve a clock.
Since in timeout and calendar based models the global time and the timeouts always increase, such models cannot be directly used for finite state verification. To that end, we propose a finitary reduction technique which effectively reduces the infinite state timeout and calendar based transition systems with discrete dynamics to finite state transition systems. This technique enables us to model a real-time system without considering a clock explicitly. We formalize the timeout and calendar based models as predicate transition diagrams and their behavior in terms of timeout and calendar based transition systems. Such a formal modeling framework provides the background to effectively reason about the correctness of the various possible hypotheses for efficiently verifying these models, beyond limited experiments. We demonstrate by examples how such a modeling approach can be efficiently used for verifying safety, liveness, and timeliness properties using the finite state model checker Spin.
The remainder of the paper is organized as follows. In Section 2, we describe the finitary reduction technique, and in Section 3 we formalize it in terms of clockless modeling. In Section 4 we discuss models of time and executability conditions for the dense time model. Section 5 presents the experimental results, followed by concluding discussion in Section 6.
Finitary Reduction
With reference to the timeout and calendar based modeling presented in [6, 7], notice that although these models can efficiently capture dense time semantics without using a continuously varying clock, it is difficult to use them for finite state model checking. The difficulty arises because the valuations of the global clock t and of the timeout variables in T diverge and thus are not bounded by a finite domain. Unlike in TA, one cannot reset the global clock or the individual timeouts in these models, because straightforward attempts at such resetting result only in incorrect behaviors. One possible solution is to bound the values of the global clock and the timeouts by appropriately large constants derived from the system specification. But such an upper bound is quite difficult to estimate for practical industrial applications, and with such an approach liveness properties cannot be verified.
We propose a finitary reduction technique, which is formalized in terms of clockless modeling and semantics in the next section. This technique effectively reduces the timeout and calendar based transition systems with discrete dynamics into finite state systems, which, in turn, can be expressed and model checked by finite state model checkers.
Informally, the technique can be described as follows. To implement the time progress transition, a special process is required to increase the global clock to the minimum of the timeouts when each of the timeout values is strictly greater than the current value of the clock. The other processes wait until their timeouts equal the global clock; when that happens, they take their discrete transitions and update their timeouts to values in the future. We propose to model the special process responsible for the time progress transition in such a way that it does not explicitly use the clock variable and prevents the timeout variables from growing without bound. We call this process time progress. When no discrete transition is possible in the system, because the discrete transitions of all the processes are scheduled in the future, time progress finds the minimum of all the timeouts in T and scales down all these timeouts by that minimum. In this way at least one of the timeouts becomes zero. A process is allowed to take a discrete transition when its timeout becomes zero; when it does so, the process updates its timeout and performs its other necessary work.
If the timeouts are always incremented by finite values, then the value of each timeout is guaranteed to stay within a finite domain. But there are cases where a timeout increment cannot be bounded by a finite value. For example, a process may have to wait for an external signal before its next discrete transition. In this case the next discrete transition of the process does not depend on its own timeout, so the timeout of the process is set to a relatively large value so that it does not affect the next discrete transitions of the other processes. In another situation, it may be desired that the next discrete transition of a process can happen at any time in the future; for example, the process may be in a sleeping mode and can wake up at any future point of time. In that case all we need is to limit the value of the timeout without omitting any of the possible interleavings of the process steps. To do that we limit the timeout value to [0, M + 1], where M is the maximum of all the integer constants used to define the upper limits of the different timeouts of the different processes in the system.
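As an added illustration (this is not code from the paper), the following Python sketch implements the time-progress process just described: a process may take a discrete transition only while its timeout is 0, time progress subtracts the minimum timeout from every finite timeout, and ∞ stands for an indefinite wait for an external signal. The sensor/logger/watchdog system is a constructed example; because every increment is bounded, the explicit-state exploration terminates with 16 states and no timeout ever exceeds the largest increment, 5.

```python
from collections import deque

INF = float("inf")  # the timeout value ∞: an indefinite wait for an external signal


def time_progress(timeouts):
    """Clockless time-progress transition.
    Enabled only when no timeout is 0, i.e. every discrete transition lies in
    the future.  Subtracts alpha = min of the finite timeouts from every finite
    timeout so that at least one becomes 0; ∞ - alpha stays ∞.
    Returns (new_timeouts, alpha), or None when the transition is not enabled.
    """
    finite = [t for t in timeouts if t != INF]
    if not finite or min(finite) == 0:
        return None
    alpha = min(finite)
    return tuple(INF if t == INF else t - alpha for t in timeouts), alpha


def discrete_successors(procs, locs, touts):
    """All discrete transitions enabled in the state (locs, touts).
    Process i may follow an edge (loc -> loc2, {k, ...}) only while its timeout
    is 0; it then picks an increment k from the edge, the clockless form of the
    update tau_i := t + k.
    """
    succs = []
    for i, name in enumerate(procs):
        if touts[i] != 0:
            continue
        for loc2, increments in procs[name][locs[i]]:
            for k in increments:
                succs.append((locs[:i] + (loc2,) + locs[i + 1:],
                              touts[:i] + (k,) + touts[i + 1:]))
    return succs


def reachable(procs, init_locs, init_touts):
    """Explicit-state BFS over (locations, timeouts) pairs.
    Terminates because every finite timeout stays inside [0, M], where M is
    the largest increment on any edge: increments are bounded and time
    progress only ever decreases timeouts.
    """
    start = (tuple(init_locs), tuple(init_touts))
    seen, queue = {start}, deque([start])
    while queue:
        locs, touts = queue.popleft()
        succs = discrete_successors(procs, locs, touts)
        if not succs:                       # nothing is due now: let time pass
            progressed = time_progress(touts)
            if progressed is not None:
                succs.append((locs, progressed[0]))
        for state in succs:
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return seen


def max_timeout(states):
    """Largest finite timeout occurring in any explored state."""
    return max(t for _, touts in states for t in touts if t != INF)


# Constructed example (not from the paper): a sensor that samples every 3 time
# units, a logger that flushes every 5, and a watchdog that waits indefinitely
# for an external reset signal.  Edge lists map location -> [(next, {k, ...})].
PROCS = {
    "sensor": {"s0": [("s0", {3})]},
    "logger": {"l0": [("l0", {5})]},
    "watchdog": {"w0": []},  # no timed edge: it moves only on the external signal
}
INIT_LOCS = ("s0", "l0", "w0")
INIT_TOUTS = (3, 5, INF)

if __name__ == "__main__":
    states = reachable(PROCS, INIT_LOCS, INIT_TOUTS)
    print(len(states), "reachable states, largest timeout", max_timeout(states))
```

The 16 states are the 15 relative phases of the two periods plus the split of the simultaneous (0, 0) state into its two interleavings; without the reduction the same two processes would generate an unbounded sequence of absolute timeout values.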
The suggested technique gives rise to a canonical representation of the clock and timeout valuations in any state, in the sense that for the timeout and calendar based models considered here no further reduction is possible without actually losing the relative timing delay information. This is because the technique effectively reduces the timeout valuations to a canonical partial ordering structure while simultaneously keeping the information on the actual timeout increments intact. The approach extends seamlessly to the calendar based models as well.
It should be added that the finitary reduction considered in this work is effective only under discrete dynamics: with dense modeling such a reduction, though it reduces an infinite region (e.g., ℝ^n) to a finitely bounded region (e.g., [0, 1]^n), would still leave infinitely many points, resulting in infinitely many permissible paths.
The above discussion is formalized in terms of "clockless" modeling and the associated semantics in the next section.
Timeout and Calendar based Clockless Models
In this section we provide a formalization of timeout and calendar based clockless models as predicate transition diagrams and associated semantics in terms of state transition systems.
Timeout based Models: Clockless Modeling
Syntax The Timeout based Model (ToM) [6] can be represented as
where each process P_i is a sequential nondeterministic process having τ_i as its local timeout and X_i as a set of local timing variables used for determining the relative delay between events. "||" is the parallel composition operator. Formula θ restricts the initial values of variables in
where the set of all timeouts is T = {τ_1, τ_2, ..., τ_n}, and
is the set of other state variables assuming values from finite domains. Variables in G are globally shared among all the processes, while L_i contains the variables local to process P_i. f_Var is the set of computable functions on Var.
Each process P i is represented using a predicate transition diagram, which is a finite directed graph with nodes Loc i = {l 
where update_i specifies how timeout τ_i is to be updated on taking a transition along the edge when the guard ρ evaluates to True. η ⊆ X_i specifies the local timing variables that capture the relative increment in the value of timeout τ_i when the transition is taken. f ∈ f_Var manipulates the state variables in G ∪ L_i. update_i is defined using the rule:
l − z, ∈ {>, ≥}; z, z := w|0 and l, m ∈ N 0 are non-negative integer constants. M is the set of all the integer constants that are used to define the upper limit of different timeouts for different processes in the system. max(M) returns the maximum of all the integers in M.
Constraints on k_1, k_2 specify how the new value of timeout τ_i should be determined based upon the value of some local timing variable w, which would have captured the increments in the value of timeout τ_i in some earlier transitions. Setting a timeout to ∞ captures the requirement of indefinite waiting for an external signal/event. Setting the timeout value using max(M) captures the situation where the next discrete transition of a process may happen at any time in the future; for example, the process may be in a sleeping mode and can wake up at any future point of time.
Synchronous Communication Edges:
A rendezvous communication between a pair of processes (P_s, P_r) is represented by an edge pair (e_s, e_r) s.t. e_s ∈ P_s and e_r ∈ P_r: e_s : l where ch is the channel name, m ∈ L_s is the message sent, and m ∈ L_r receives the message; g, h ∈ f_Var.
Semantics With a given ToM
we associate the following transition system S_P = (V, Σ, Σ_0, Γ), which will be referred to as a timeout based clockless transition system:
The value of π_i indicates the location of control for the process P_i, and ⊥ denotes the state before the start of the process.
2. Σ is the set of states. Every state σ ∈ Σ is an interpretation of V such that, for x ∈ V, σ(x) is its value in state σ.
3. Σ_0 ⊆ Σ is the set of initial states such that for every σ_0 ∈ Σ_0, θ is true in σ_0 and σ_0(π_i) = ⊥ for each process P_i.
4. Γ = Γ_e ∪ Γ_+ ∪ Γ_0 ∪ Γ_{syn comm} is the set of transitions. Every transition ν ∈ Γ is a binary relation on Σ, defined further as follows:
Entry Transitions: Γ_e is the set of entry transitions and contains an entry transition ν^i_e for every process P_i. In particular, ∀σ_0 ∈ Σ_0,
Time Progress Transition: The first kind of edges ν_+ ∈ Γ_+ are those in which all the timeouts are decremented by the minimum of the current timeout values. In particular,
is an edge in the predicate transition diagram for process P_i, then there is a corresponding edge
This semantic model defines the set of possible computations of the timeout system P as a set of state sequences (possibly infinite) starting with some initial state in Σ 0 and following edges in Γ .
Example: Train-Gate Controller
We illustrate the timeout based model formalized above using the example of the Train-Gate Controller (TGC), adapted from [1]. The TGC example demonstrates synchronous communication between system components, since the communication between Train and Controller, and between Controller and Gate, is assumed to be synchronous.
TGC is an automatic controller that controls the opening and closing of a Gate at a railroad crossing. The system is composed of three components: Train, Gate, and Controller. Before entering the railroad crossing the Train sends the signal approach. The Controller, on receiving this signal, is supposed to send the signal lower to the Gate within 10 time units, and the Gate has to be down within another 10 time units. The Train can enter the crossing at any time after 20 time units since it sent the approach signal. While exiting the crossing the Train sends the exit signal to the Controller. The requirement is that after sending the approach signal the Train must send the exit signal within 50 time units. The Controller sends the raise signal to the Gate within 10 time units after it receives the exit signal. The Gate is required to be up within another there is no message transmission delay. Figure 1 shows the clockless timeout based model of TGC. The timing requirements are captured by suitably defining the update functions on the edges. For example, consider the edge (t_0, t_1) for the Train, labeled with (τ_t = 0) ⇒ ch!approach, (τ_t := k | 20 ≤ k ≤ 50), x. Here (τ_t = 0) indicates that the system starts when the Train sends the approach signal over the shared channel ch and nondeterministically sets its timeout τ_t to some value k in [20, 50], indicating that after sending the approach signal it can enter the crossing any time after 20 time units. The upper limit of 50 is used to indicate that the Train cannot enter later than 50 time units, because the Train is required to have exited the crossing on or before 50 time units.
Having spent k units of time in state t_1, the Train takes a transition on the next timeout to state t_2 and resets its timeout to some value k' in [0, 50 − k], which indicates that the Train must exit (and send the exit signal to the Controller) from state t_2 before it has spent a total of more than 50 units of time in states t_1 and t_2, that is, 0 ≤ k + k' ≤ 50. Similarly, on taking the transition on the edge from g_1 to g_2 for the Gate, τ_g := ∞ denotes that the Gate will be waiting in state g_2 for the signal raise to be received on channel ch_1 from the Controller.
Calendar Based Models: Clockless Modeling
Syntax To capture (lossless) asynchronous communication with bounded message transfer delay, the timeout based model is extended with a calendar data structure. A calendar is a linear array of bounded size, where each cell contains the following information: {message, sender id, receiver id, expected delivery time}. Let C denote the calendar array, a globally shared object. We have
Sending a message is represented in the predicate transition diagram of process P i using the following edge:
, where send(..) specifies that a message m is to be sent to each of the processes P_r, where r ∈ R ⊆ {1, 2, ..., n}, with an expected delivery time of λ_r ∈ Λ for each P_r. On taking a transition on this edge, an entry {m, i, r, λ_r} is added to C for each r ∈ R.
Corresponding receiving of the message is represented in the predicate transition diagram of each of the processes P_r (∀ r ∈ R) using the following edge: , where receive(..) specifies that a message m sent by process P_i is to be received by the process P_r. When the 'time' elapsed in terms of timeout increments reaches the expected delivery time λ_r specified by the sender process in the calendar C for the entry e = {m, i, r, λ_r}, a transition is taken on this edge and the entry e is deleted from C.

Semantics Given a calendar C, we assume that the set of delays for all undelivered messages at any state σ can be extracted using a function ∆ :

Time Progress Transition: The edges ν_+ are redefined so that all the timeout and calendar delay entries are decremented by the minimum of all the timeouts and the message delays in the calendar. Let α = min{σ(T) ∪ ∆(σ(C))},
We additionally define new transitions Γ_{asyn comm} corresponding to send() and receive() to capture asynchronous communication:
is an edge in process P_i, then we have a corresponding edge ν^i_send which adds |R| cells to the calendar array C:
Receive Transition: If (l^r_j, True ⇒ receive(m, i, r), τ_r := update_r, η, g, l^r_k) is an edge in the graph of process P_r, then we have a corresponding edge ν^r_receive ∈ Γ_{asyn comm}, which deletes the entry {m, i, r, λ_r} from the calendar array C when λ_r is 0:

The above formalization of the calendar based model can be illustrated using the TTA startup algorithm. TTA startup executes on a logical bus meant for safety-critical applications in both the automotive and aerospace industries. In normal operation, N computers or nodes share a TTA bus using a TDMA schedule. The goal of the startup algorithm is to bring the system from the power-up state, in which all processors are unsynchronized, to the normal operation mode, in which all processors are synchronized and follow the same TDMA schedule. For a detailed understanding of the startup protocol, we refer the reader to [15]. Figure 2 depicts the calendar based clockless predicate transition diagram of the i-th node. In the TTA startup algorithm, all communications are asynchronous, and the message delivery delays, which are finite and specified by the designer, have to be taken into account for correct operation of the protocol. τ^listen_i and τ^cs_i represent how much time a node spends in the Listen state and the Coldstart state respectively, if no external signal is received. τ_round denotes the time a node spends in the Active state before sending its next message. R = {1, ..., N} \ {i} represents that all the nodes except the sender i are required to receive the message in the network. The λ_i's denote the message delivery times for the corresponding send events. In the TTA, the message delivery times for all the receivers are considered to be the same, and that is why we have used a single variable λ_i to represent that delay.
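To make the calendar based semantics concrete, here is an added Python example (not from the paper): a constructed two-node ping/pong exchange in which the send transition adds entries with a delivery delay to the calendar, the receive transition fires once an entry's delay has been scaled down to 0, and time progress subtracts α = min{σ(T) ∪ ∆(σ(C))} from the timeouts and the calendar delays alike. The process names, edges and delays are assumptions chosen for illustration.

```python
INF = float("inf")  # timeout ∞: the process waits only for a message

# Constructed two-node ping/pong model (not from the paper).  Each edge is
# (trigger, next_loc, new_timeout, sends): trigger "timeout" fires when the
# process's own timeout is 0; trigger ("recv", msg) fires when a calendar
# entry carrying msg to this process has delivery delay 0 (receive
# transition).  'sends' lists (msg, receivers, delay) entries added to the
# calendar when the edge is taken (send transition).
PROCS = {
    "A": {"a0": [("timeout", "a1", 6, [("ping", ["B"], 2)])],  # send, retry in 6
          "a1": [("timeout", "a0", 0, []),                     # no pong yet: resend
                 (("recv", "pong"), "a2", INF, [])],
          "a2": []},
    "B": {"b0": [(("recv", "ping"), "b1", 1, [])],             # 1 unit to answer
          "b1": [("timeout", "b2", INF, [("pong", ["A"], 2)])],
          "b2": []},
}
NAMES = list(PROCS)
# A state is (locations, timeouts, calendar); a calendar entry is
# (message, sender, receiver, remaining delivery delay).
START = (("a0", "b0"), (0, INF), frozenset())


def time_progress(touts, cal):
    """alpha = min{T ∪ Δ(C)} over the finite values; subtract it from every
    timeout and every calendar delay.  None when some value is already 0."""
    pending = [t for t in touts if t != INF] + [e[3] for e in cal]
    if not pending or min(pending) == 0:
        return None
    alpha = min(pending)
    new_touts = tuple(INF if t == INF else t - alpha for t in touts)
    new_cal = frozenset((m, s, r, d - alpha) for m, s, r, d in cal)
    return alpha, new_touts, new_cal


def successors(state):
    """Labelled successors: discrete/send/receive edges, else time progress."""
    locs, touts, cal = state
    succs = []
    for i, p in enumerate(NAMES):
        for trigger, nxt, new_t, sends in PROCS[p][locs[i]]:
            if trigger == "timeout":
                hits = [None] if touts[i] == 0 else []
            else:  # one successor per deliverable calendar entry
                hits = [e for e in cal
                        if e[0] == trigger[1] and e[2] == p and e[3] == 0]
            for entry in hits:
                new_cal = cal - {entry} if entry else cal
                for msg, receivers, delay in sends:
                    new_cal = new_cal | {(msg, p, r, delay) for r in receivers}
                label = f"{p}: {locs[i]} -> {nxt}"
                if entry:
                    label += f" (recv {entry[0]})"
                succs.append((label, (locs[:i] + (nxt,) + locs[i + 1:],
                                      touts[:i] + (new_t,) + touts[i + 1:],
                                      new_cal)))
    if not succs:
        progressed = time_progress(touts, cal)
        if progressed:
            alpha, new_touts, new_cal = progressed
            succs.append((f"time +{alpha}", (locs, new_touts, new_cal)))
    return succs


def run(state=START):
    """Follow the successor (unique in this model) until nothing is enabled;
    return the transition labels taken and the final state."""
    labels = []
    while True:
        succs = successors(state)
        if not succs:
            return labels, state
        if len(succs) > 1:
            raise RuntimeError("nondeterministic choice: " + str([lab for lab, _ in succs]))
        label, state = succs[0]
        labels.append(label)


if __name__ == "__main__":
    for step in run()[0]:
        print(step)
```

The pong arrives after 2 + 1 + 2 = 5 units, so A's retry timeout of 6 never reaches 0; raising the ping delay to 3 makes the retry and the receive coincide, which is exactly the kind of interleaving an explicit-state exploration would then have to enumerate.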
Another point to note is that clockless semantics reduces the infinite state transition system to a finite state transition system only when a discrete domain is chosen for the clock and timeout variables. This is because for the dense domain, clockless semantics can only limit the unbounded set ℝ+ to a bounded interval. Nonetheless, verification of a real-time system in a dense domain is equivalent to verifying the system in the discrete domain if the behavior of the system captured by the model and the properties considered are digitizable [8]. It can be shown that if we restrict the update function to weakly constrained intervals (e.g.,
and k_2 ≥ l), then, similar to the timed transition system of [8] (see Theorem 2), transition systems for timeout and calendar based models also give rise to digitizable behaviors (computations). Also, for qualitative properties like safety and liveness properties, their verification in the discrete domain is equivalent to verifying them in the dense domain (see Proposition 1 in [8]).
Experimental Results
In this section, we report experimental results of the verification of TGC and the TTA startup algorithm using the model checker Spin. We carried out our experiments on an Intel(R) P4 machine with a 2.60 GHz processor and 1 GB RAM, running Windows 2000.
Train-Gate Controller
For the TGC example as discussed before, we consider safety and timeliness properties for verification.
The safety property considered is: "When the Train crosses the line, the Gate should be down". The property can be expressed in LTL as follows:
where t_state denotes the state of the Train and is t_2 when the Train is in the crossing, and g_state denotes the state of the Gate and is g_2 when the Gate is down.
The timeliness property considered states that the time between two states in an execution will be bounded by a particular value. We can find many timeliness properties in this example; we mention one of them here: "The time between the transmission of the approach signal by the Train and the moment when the Gate is down should not be more than 20 time units". To verify this property we use two auxiliary flags, flag_1 and flag_2, in our model. When the first event occurs, flag_1 is set to true. When the second event happens, flag_2 is set to true and flag_1 is reset to false. Also, the proctype time progress is modeled as follows: a global variable time_diff (initially set to 0) captures the time difference between the instants when these two flags are set. During every discrete transition between the two discrete transitions of interest, the minimum timeout value is added to time_diff. The property is specified as:
(time_diff ≤ 20)

Table 1 illustrates the computational resources and time required to prove the safety and the timeliness property for TGC. Both properties have been proved by exhaustive verification, keeping the option of partial order reduction turned on.
TTA Startup Algorithm
For the TTA startup algorithm, we consider the following safety property: "Whenever two nodes are in their active states, the nodes agree on the slot time".

The safety property ensures that when the nodes are in the active state, they are indeed synchronized. But it does not answer the question whether all the nodes will eventually be synchronized. To ensure that all the nodes will eventually be synchronized, this has to be specified as a liveness property: "Eventually all the nodes will be in the active state and remain so". This liveness property for two nodes can be specified in LTL as follows:

To verify the safety and the liveness property for the TTA startup, we used clockless modeling together with the options of exhaustive verification and the bitstate hashing technique offered by Spin, in both cases keeping the option of partial order reduction turned on. By exhaustive verification, the safety property can be verified for TTA models with up to 5 nodes and the liveness property for up to 4 nodes. Bitstate hashing enables us to verify both properties for models with up to 9 nodes. For 10 nodes, the verification does not terminate even in 4 hours. Table 2 describes the computational resources and time required to prove the safety and liveness properties for the TTA startup protocol using the bitstate hashing technique.
Experiments with dense time modeling with the clockless reduction using SAL were also carried out on the TGC model presented in [6]. The safety property was verified at depth 14, as in [6]. Nonetheless, applying the clockless reduction to the SAL models does not scale up the existing results further, primarily because, even though the clockless reduction reduces the unbounded set ℝ+ to a bounded interval, such an interval still contains uncountably many points, giving rise to infinitely many possible execution paths of finite length.
