Parking Can Get You There Faster
Model Augmentation to Speed up Real-Time Model Checking 2
M. Oliver Möller 1
BRICS, University of Aarhus
Ny Munkegade, building 540
DK - 8000 Århus C, Denmark 3
Electronic Notes in Theoretical Computer Science 65 No. 6 (2002), 16 pages
URL: http://www.elsevier.nl/locate/entcs/volume65.html
Abstract
We present an approximation technique that can render real-time model checking of
safety and universal path properties more efficient. It is beneficial when loops lead
to repetition of control situations. Basically we augment a timed automata model
with carefully selected extra transitions. This increases the size of the state-space,
but potentially decreases the number of symbolic states to be explored by orders of
magnitude.
We give a formal definition of a timed automata formalism, enriched with basic
data types, hand-shake synchronization, urgency, and committed locations. We
prove by means of a trace semantics that if a safety property can be established in
the augmented model, it also holds for the original model.
We extend our technique to a richer set of properties that can be decided via a
set of traces (universal path properties). In order for universal path properties to
carry over to the original model, the semantics of the timed automata formalism is
formulated relative to the applied augmentation.
Our technique is particularly useful in systems where a scheduler dictates repetition
of control over elapsing time. As a typical example we mention translations of
LEGO RCX™ programs to Uppaal models, where the Round-Robin scheduler
is a static entity. We allow scheduler and associated tasks to "park" until some
timing or environmental conditions are met.
We apply our technique to a bricks sorter model for a safety property and report
run-time data.
1 Email: omoeller@brics.dk
2 A more detailed version of this paper is available as part of the author’s thesis, see
http://www.brics.dk/~omoeller/papers.html.
3 Basic Research in Computer Science, funded by the Danish National Research Foundation.
©2002 Published by Elsevier Science B. V.
Open access under CC BY-NC-ND license.
1 Introduction
Failures of safety-critical systems are highly dangerous to human lives, and at
a minimum incredibly costly. Errors in mass products are hard to correct once
the first 100·000 units have been shipped.
This entails a strong need to validate the correctness of a system, or
better: to establish that a given design or implementation meets its specification.
Formal methods can be seen as a collection of systematic techniques to
achieve this. As opposed to simulation or testing, formal verification amounts
to proving that a formal model of a system satisfies a set of properties, often
expressed by means of a temporal logic. In the model checking approach
(e.g. [6]) a system is seen as a structure interpreting a formula and potentially
satisfying it (in short: Sys |= ϕ). Establishing or refuting Sys |= ϕ is then
performed fully automatically by specialized model checking algorithms.
Commonly a discrete control graph is used to represent the states of a
system, while transitions between states reflect evolution over time. In hybrid
models [3] this evolution entails a continuous change of variables according
to a mathematical description, usually a differential equation. Even for low
degrees of freedom the model checking problem is then undecidable.
Real-time models can be seen as a special version of hybrid models, where
the continuous parts are clocks that increase their values over time with
a constant slope. As long as all clocks run at the same speed (slope 1
over time), the model checking problem remains decidable [2]. A popular and
well-studied formalism for this are timed automata [4]. General decidability
results for fixed formalisms (both in the language of the model and the logic)
were followed by a number of model checking tools, like HyTech [9] for hybrid
models, or Kronos [13] and Uppaal [11] for real-time models. Since the state
space of the underlying models is fundamentally uncountable, the tools have
to resort to symbolic techniques, where the continuous part is captured by a
finite quotient.
For real-time systems, the timed computation tree logic (TCTL, see [2]) is
of particular interest, since it can express a large number of naturally occur-
ring speciﬁcation properties like safety and timed response. Especially timed
reachability is the subject of intensive research, since it is powerful enough to
capture many routine checks and can be veriﬁed more eﬃciently than general
TCTL.
The State-Space Explosion in Real-Time Systems
Model checking techniques suffer from a phenomenon called the state explosion
problem. In dense real-time, this is understood as the excessive number of
symbolic states. 4 A number of optimization techniques were developed that
aim to enhance the scope of algorithmic treatment. Examples of such optimizations
are reducing the number of clocks wherever possible [8] or reducing
memory consumption [12]. Industrial sized examples still present a serious
challenge, since expanding their state space often exceeds the memory of the
machine or the patience of the user.
4 In dense time there exists an intermediate clock evaluation between any two subsequent
clock evaluations, thus the state space is infinite. For certain syntactic restrictions, however,
the number of sets of clock evaluations that can be treated uniformly is always finite [2].
A promising approach is to alter a model checking problem Sys |= ϕ into
a simpler one over an enriched system, that is conservative in the sense that validity
of the latter implies validity of the former. We construct the enriched system by adding
carefully selected parts to the model. This increases the size of the reachable
state-space, but can reduce the number of symbolic states that have to be
explored. This (seeming) paradox can best be explained for timed systems
that contain small loops in the control structure. If the same control situation
occurs repeatedly, the (potentially numerous) corresponding symbolic states
may be incomparable, since time has shifted by a delay. Now if a large number
of loops with small delays is bypassed by one added step with a large delay,
this yields a large set of clock evaluations. If the smaller sets are contained in
this (added) larger set, the corresponding steps vanish from the list of symbolic
states to be explored.
We use the model checking engine of Uppaal [11] for our experiments,
and consequently keep to the Uppaal timed automata model for the description
of our technique. However, our technique is general enough to be applied
to other timed automata dialects. As a class of problems that is likely to
benefit from our technique, we mention Uppaal models of control programs
running on LEGO RCX™ micro-controllers. There exist automatic translations
of LEGO RCX™ programs to Uppaal models [10]; our technique
can make direct use of the program as a hint on where to apply augmentations.
Plan.
The paper is organized as follows. Section 2 introduces the Uppaal timed
automata model with formal syntax and semantics. Section 3 defines our
model augmentation technique and proves it sound for safety properties. In
Section 4 we extend our technique to universal path properties. In Section 5 we
apply model augmentation to a bricks sorter. We conclude with a summary.
2 Uppaal Timed Automata
We give formal syntax of the timed automata model as used in Uppaal [11,5].
Basically this means networks of timed automata with discrete data and hand-
shake synchronization. The formal semantics is deﬁned by associating models
with sets of traces.
Uppaal is a tool for modeling, simulation and veriﬁcation of real-time
systems, developed jointly by BRICS at Aalborg University and the Depart-
ment of Computer Systems at Uppsala University. Typical application areas
include real-time controllers and communication protocols, in particular those
where timing aspects are critical. More information and documentation can
be found on the home page. 5
2.1 Formal Syntax of Uppaal Timed Automata
We deﬁne the formal syntax of Uppaal models as a parallel composition of
processes, where in each process control locations are connected by transitions
and equipped with various labels.
As a preliminary, we assume disjoint sets of variables (Vars), clocks (Cl),
and synchronization channels (Ch). Variables denote either integers or bound-
ed arrays of integers. Expressions are constructed over variables, clocks, and
integer constants. Assignments are of the form v := expr, and either variable
assignments or clock resets. In the ﬁrst case, v is an integer variable (or
a position in an array) and expr is an arithmetic expression over variables
and constants. In the second case, v is a clock and expr is required to be the
constant 0. A guard is a conjunction of Boolean expressions over variables and
clock constraints of the form x∼const or x-y∼const, where x,y are clocks, ∼ ∈
{<, <=, ==, >=, >}, and const is an integer constant. An invariant is of the form
x∼const, where x is a clock, ∼ ∈ {<, <=}, and const is an integer constant.
A synchronization is of the form s! or s?, where s is a synchronization channel.
We understand synchronization to be hand-shake, i.e., one transition equipped
with s! and one equipped with s? can be taken simultaneously.
For simplicity, we assume a set of labels—Labels—that ranges over syn-
tactically correct invariants, assignments, guards, and synchronizations. As a
well-formedness condition, labels of the described syntax are constrained to
occur only in the appropriate places, contain only declared variables, clocks,
and synchronization channels, and arrays are used in a syntactically correct
way.
Locations can optionally be declared urgent or committed . In both cases
the location has to be left before time elapses. Leaving committed locations
has precedence over taking other transitions. If synchronization channels are
declared urgent, transitions synchronizing on these channels have precedence
over time delay.
Def. 1 (Uppaal process)
An Uppaal process A is a tuple 〈L, T, Type, l0〉, where
• L is a set of locations,
• T is a set of transitions $l \xrightarrow{g,s,a} l'$, where l, l′ ∈ L, g is a guard, s is a
synchronization label (optional), and a is a list of assignments (possibly
empty); we call l the source and l′ the target of the transition,
• Type : L → {o, u, c} is the type function for locations (ordinary, urgent, or
committed),
• l0 ∈ L is the initial location.
5 http://www.uppaal.com
We use the following access functions to refer to invariants, guards, synchro-
nizations, and assignments.
• Inv : L→ Labels maps to the invariant of a location (possibly true),
• Guard : T → Labels maps to the guard of a transition (possibly true),
• Sync : T → Labels ∪ {∅} maps to the synchronization label of a transition
(if any), and
• Assign : T → Labels∗ maps to the assignments associated with a transition
(possibly the empty list).
Def. 2 (Uppaal model)
An Uppaal model is a tuple 〈A, Vars, Cl, Ch, Type〉, where
• A is a vector of processes A1, . . . , An;
we use the index i to refer to Ai-specific parts Li, Ti, Typei, and $l_i^0$,
• Vars is a set of variables, corresponding to bounded integers and arrays,
• Cl is a set of clocks, Cl ∩ Vars = ∅,
• Ch is a set of synchronization channels, Ch ∩ Vars = ∅ and Ch ∩ Cl = ∅,
• Type is a polymorphic type function extending the Typei, i.e., Type maps
· locations to {o, u, c} (ordinary, urgent, or committed, according to Typei),
· channels to {o, u} (ordinary or urgent),
· variables to {int, array}.
We use o, u, c, int, and array as predicates, i.e., for a synchronization
channel s the expression u(s) evaluates to true, if and only if Type(s) = u.
Def. 3 (configuration) A configuration of an Uppaal model 〈A, Vars, Cl,
Ch, Type〉 is a triple (l, e, ν), where l is the control vector, e is the environment
for discrete variables, and ν is the clock evaluation, i.e.:
• l = (l1, . . . , ln), where li ∈ Li is a location of process Ai,
• e : Vars → (Z)∗ maps every variable v either to a value (if int(v)) or to a
tuple of values (in case of array(v)).
• ν : Cl → R≥0 maps every clock to a non-negative real number. For d > 0,
the notation (ν + d) : Cl → R≥0 describes the function "ν shifted by d" in
the following sense: ∀x ∈ Cl. (ν + d)(x) = ν(x) + d.
For simplicity we allow only one initial configuration, denoted
$((l_1^0, \ldots, l_n^0),\; [\mathit{Vars} \to (0)^*],\; [\mathit{Cl} \to 0])$,
where all processes are in their initial location, all
variables and all array positions evaluate to 0, and all clocks are 0.
A local property is a Boolean expression ϕ over Vars, Cl, and terms Ai.li.
In any conﬁguration of a model ϕ is either true or false. We use the notation
e, ν |= ϕ to state that a local property ϕ holds true under the evaluations e, ν
for the contained variables and clocks. Analogously we write (l, e, ν) |= ϕ in
the case that ϕ contains expressions of the form Ai.li. Ai.li is true if and only
if process Ai is in location li, i.e., l = (. . . , li, . . .).
2.2 Trace Semantics of Uppaal Timed Automata
We associate an Uppaal model M with a (typically uncountable) set T(M)
of traces that are either infinite or maximally extended (deadlocked). The
model M then satisfies the safety property ψ, if no trace in T(M) leads
to a configuration that violates ψ. A universal path property is true in M,
if all traces conform to this property.
We start by formulating simple action, synchronized action, and delay
steps. To modify the control vector l, we use the notation $l[l_i'/l_i]$ to indicate
that at position i, $l_i$ is replaced by $l_i'$, and the other positions do not change.
We readily use assignments a as transformers on the function e (and ν) and
write a(e) (and a(ν)) for the resulting evaluations. The assignments in a are
applied in the order of occurrence.
Def. 4 (simple action step) For a configuration (l, e, ν), a simple action
step is enabled, if there is a transition $l_i \xrightarrow{g,a} l_i' \in T_i$, $l_i$ in l, such that
(i) e, ν |= g, and
(ii) a(e), a(ν) |= Inv($l_i'$), and
(iii) if ∃lc in l with c(lc), then c(li).
We abbreviate this with $(l, e, \nu) \overset{a}{\Longrightarrow} (l[l_i'/l_i],\; a(e),\; a(\nu))$.
Def. 5 (synchronized action step) For a configuration (l, e, ν), a synchronized
action step is enabled if and only if for a channel s there exist two
transitions $l_i \xrightarrow{g_i,\, s!,\, a_i} l_i' \in T_i$ and $l_j \xrightarrow{g_j,\, s?,\, a_j} l_j' \in T_j$, $l_i, l_j$ in l, i ≠ j, such that
(i) e, ν |= gi ∧ gj, and
(ii) aj(ai(e)), aj(ai(ν)) |= Inv(l′i) ∧ Inv(l′j), and
(iii) if ∃lc in l with c(lc), then c(li) ∨ c(lj).
We abbreviate this with $(l, e, \nu) \overset{s!?}{\Longrightarrow} (l[l_i'/l_i][l_j'/l_j],\; a_j(a_i(e)),\; a_j(a_i(\nu)))$.
Def. 6 (delay step) For a configuration (l, e, ν), a delay step with delay d
is enabled, if and only if all of the following holds.
(i) $e, (\nu + d) \models \bigwedge_i \mathit{Inv}(l_i)$,
(ii) ∀li in l. ¬c(li),
(iii) no action step leaving an urgent location is enabled, i.e., if u(li) for some
li in l, then $\neg\big((l, e, \nu) \overset{a}{\Longrightarrow} (l', e', \nu')\big) \wedge \neg\big((l, e, \nu) \overset{s!?}{\Longrightarrow} (l', e', \nu')\big)$, and
(iv) no synchronized action on an urgent channel is enabled, i.e.,
$(l, e, \nu) \overset{s!?}{\Longrightarrow} (l', e', \nu')$ implies ¬u(s).
We abbreviate this with $(l, e, \nu) \overset{d}{\Longrightarrow} (l, e, (\nu + d))$.
Def. 7 (timed trace)
A trace of an Uppaal model 〈A, Vars, Cl, Ch, Type〉 is a finite or infinite
sequence of configurations $\{(l, e, \nu)\}^K = ((l, e, \nu)_0, (l, e, \nu)_1, \ldots)$ with K steps,
K ∈ N ∪ {∞}, such that
(i) $(l, e, \nu)_0 = ((l_1^0, \ldots, l_n^0),\; [\mathit{Vars} \to (0)^*],\; [\mathit{Cl} \to 0])$,
(ii) for every k < K, the two subsequent configurations k and k + 1 are
connected via a simple action step, a synchronized action step, or a
delay step, i.e., $(l, e, \nu)_k \overset{a}{\Longrightarrow} (l, e, \nu)_{k+1}$ or
$(l, e, \nu)_k \overset{s!?}{\Longrightarrow} (l, e, \nu)_{k+1}$ or
$(l, e, \nu)_k \overset{d}{\Longrightarrow} (l, e, \nu)_{k+1}$, and
(iii) traces are infinite or maximally extended, i.e.,
if K < ∞, then for $(l, e, \nu)_K$ no action step or delay step is enabled.
Def. 8 (trace semantics) Let M be an Uppaal timed automata model. Then
the trace semantics of M, written T(M), is the set of traces that can be
constructed according to Definition 7.
We are now ready to formally deﬁne timed reachability and timed safety.
Def. 9 (timed reachability/safety) We define timed reachability as a binary
relation between an Uppaal timed automata model M and reachability
predicates E<> ϕ, where ϕ is a local property for M.
M |= E<> ϕ if and only if $\exists \{(l, e, \nu)\}^K \in T(M).\; \exists k \le K.\; (l, e, \nu)_k \models \varphi$.
Timed safety, denoted by M |= A[] ϕ, is then dual to timed reachability:
M |= A[] ϕ if and only if ¬(M |= E<> ¬ϕ).
3 Model Augmentation
We introduce model augmentation as a technique to enrich the behavior of a
given model. This is shown to be conservative with respect to timed safety
properties in one direction. Model augmentation entails an increase in the
size of the reachable state space. Nevertheless, the number of symbolic states
to explore can be smaller, because larger portions can be covered in one step.
We illustrate this phenomenon by a simple delay-loop example.
We deﬁne the transformation of an original Uppaal model formally as
follows.
Def. 10 (model augmentation) Let M = 〈A, Vars, Cl, Ch, Type〉 be an
Uppaal model, and let $A = \langle l_i \xrightarrow{g,a} l',\; L_A,\; T_A,\; \mathit{Type}_A \rangle$, where
• li ∈ Li for some process Ai that is part of A, where we require o(li);
we call li the augmentation point of A,
• g a guard,
• a a list of assignments,
• l′ ∈ LA, LA a set of fresh locations, LA ∩ (⋃ Li) = ∅,
• TA a set of transitions, such that all sources are in LA and all targets are
in LA ∪ ⋃ Li, and
• TypeA : LA → {o, u, c} the type function for the fresh locations.
Then AugA(M) is the Uppaal model 〈A′, Vars, Cl, Ch, Type′〉 that enriches
M in the following sense:
(i) A′ = A1, . . . , Ai−1, A′i, Ai+1, . . . , An, with
$A_i' = \langle L_i \uplus L_A,\; T_i \uplus T_A \uplus \{l_i \xrightarrow{g,a} l'\},\; \mathit{Type}_i \uplus \mathit{Type}_A,\; l_i^0 \rangle$, 6
(ii) Type′ extends Type by mapping locations lA ∈ LA to TypeA(lA).
We call A the model augmentation and AugA(M) the augmented model.

Table 1
Forward reachability analysis of E<> P.QUICK (Example 11) for the original model M and the augmented model AugA(M), for increasing LARGE.

LARGE          M: #states    time[sec]   memory[KB]    AugA(M): #states   time[sec]   memory[KB]
10                      8         0.01          376                    9        0.01          448
100                    35         0.01          440                    9        0.01          376
1000                  305         0.04          424                    9        0.01          440
10·000              3·005         1.51        1·704                    9        0.01          440
100·000            30·005       175.21        5·440                    9        0.02          416
1·000·000         300·005    22·449.94       42·792                    9        0.02          400
Example 11 (delay loop) Consider a model M with a single process P
(Figure 1). P performs a number of delay loops of duration 10, and leaves the
loop when a total delay LARGE has been reached. When the property E<> P.QUICK
is verified in forward state space exploration, a large number of these delay
loops are explored before it is established that the location QUICK indeed
cannot be reached. Figure 1 shows the augmented model AugA(M) on the
right, where
$A = \langle T \xrightarrow{x <= LARGE} \mathit{AUGMENT},\; \{\mathit{AUGMENT}[\mathrm{Inv}: x <= LARGE]\},\; \{\mathit{AUGMENT} \to S\} \rangle$.
The augmented process can be understood to "park" in location AUGMENT
until time has progressed enough to pass the guard x > LARGE.
[Figure 1: two automata. Locations: S, T (invariant y <= 0), QUICK; the location invariants shown are y <= 0 and y <= 10. The augmented version adds the location AUGMENT with invariant x <= LARGE. Edge labels appearing in the figure: y == 10, y := 0, x <= LARGE, x > LARGE, x < 10; the augmented version has the additional edge T → AUGMENT with guard x <= LARGE and an edge AUGMENT → S.]
Fig. 1. The original process P (left), and P with model augmentation A (right).
Table 1 shows data for forward reachability analysis with Uppaal. 7 The
number of explored states in the original model with process P (left) increases
linearly in the parameter LARGE, whereas this number stays constant when
AugA(P) (right) is used.
6 The symbol ⊎ denotes disjoint union.
7 All run-time measurements were performed with the command-line version of Uppaal,
verifyta 3.1.58, executing on an UltraSPARC-II 300 MHz under Solaris.
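To see the effect reported in Table 1 in running code, the following added example (not code from the paper or from Uppaal) performs breadth-first symbolic forward reachability with zones stored as difference bound matrices (DBMs) and drops every new symbolic state that is included in a zone already stored for the same location. The process P is reconstructed from Figure 1 under assumptions the paper does not spell out: S carries the invariant y <= 10 and T the invariant y <= 0, the loop is S --(y == 10, y := 0)--> T and T --(x <= LARGE)--> S, T leaves to a location DONE on x > LARGE and to QUICK on x < 10, and the return transition AUGMENT → S resets y. The absolute state counts therefore differ from Table 1, but the trend is the same: the count grows linearly in LARGE for the original model and stays constant for the augmented one, while QUICK is unreachable in both.

```python
"""Symbolic reachability for the delay loop of Example 11 (added example, not the
paper's or Uppaal's code). Zones are difference bound matrices over the reference
clock 0 and clocks x, y. Assumption: P is reconstructed from Figure 1 and the
return transition AUGMENT -> S resets y."""
from collections import deque

INF = (float("inf"), True)  # bound = (value, strict); strict means "<"
ZERO = (0, False)
CLOCK = {"x": 1, "y": 2}    # DBM index 0 is the reference clock

# bound arithmetic: sum of two bounds, "a tighter than b", and the tighter of two
def badd(a, b):
    return (a[0] + b[0], a[1] or b[1])
def blt(a, b):
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])
def bmin(a, b):
    return a if blt(a, b) else b

class Zone:
    def __init__(self, n=3, m=None):
        self.n, self.m = n, (m if m is not None else [[ZERO] * n for _ in range(n)])

    def copy(self):
        return Zone(self.n, [row[:] for row in self.m])

    def close(self):  # Floyd-Warshall canonical form
        m = self.m
        for k in range(self.n):
            for i in range(self.n):
                for j in range(self.n):
                    m[i][j] = bmin(m[i][j], badd(m[i][k], m[k][j]))
        return self

    def is_empty(self):  # a negative cycle shows up on the diagonal after close()
        return any(blt(self.m[i][i], ZERO) for i in range(self.n))

    def up(self):  # let time elapse: drop every upper bound on a clock
        for i in range(1, self.n):
            self.m[i][0] = INF
        return self

    def reset(self, c):  # clock c := 0
        for j in range(self.n):
            if j != c:
                self.m[c][j], self.m[j][c] = self.m[0][j], self.m[j][0]
        self.m[c][c] = ZERO
        return self

    def constrain(self, c, op, v):  # intersect with "c op v", op in < <= == >= >
        if op in ("<", "<=", "=="):
            self.m[c][0] = bmin(self.m[c][0], (v, op == "<"))
        if op in (">", ">=", "=="):
            self.m[0][c] = bmin(self.m[0][c], (-v, op == ">"))
        return self

    def includes(self, other):  # other is a subset of self (both canonical)
        return all(not blt(a, b) for ra, rb in zip(self.m, other.m) for a, b in zip(ra, rb))

def original_model(large):  # P: one lap S -> T per 10 time units until x exceeds LARGE
    inv = {"S": [("y", "<=", 10)], "T": [("y", "<=", 0)], "QUICK": [], "DONE": []}
    trans = [("S", [("y", "==", 10)], ["y"], "T"),
             ("T", [("x", "<=", large)], [], "S"),
             ("T", [("x", ">", large)], [], "DONE"),
             ("T", [("x", "<", 10)], [], "QUICK")]
    return inv, trans

def augmented_model(large):  # Aug_A(P): T may park in AUGMENT (inv x <= LARGE), then return to S
    inv, trans = original_model(large)
    inv = dict(inv, AUGMENT=[("x", "<=", large)])
    trans = trans + [("T", [("x", "<=", large)], [], "AUGMENT"),
                     ("AUGMENT", [], ["y"], "S")]  # assumed: y is reset on the way back
    return inv, trans

def constrain_all(zone, constraints):
    for c, op, v in constraints:
        zone.constrain(CLOCK[c], op, v)
    return zone.close()

def explore(model, init="S", target="QUICK"):
    """Breadth-first symbolic exploration; returns (#stored symbolic states, target reached)."""
    inv, trans = model
    z0 = constrain_all(Zone().up(), inv[init])
    stored = {init: [z0]}  # passed and waiting zones, per location
    waiting, reached = deque([(init, z0)]), False
    while waiting:
        loc, z = waiting.popleft()
        reached = reached or loc == target
        for src, guard, resets, dst in trans:
            if src != loc:
                continue
            z2 = constrain_all(z.copy(), guard)
            if z2.is_empty():
                continue
            for r in resets:
                z2.reset(CLOCK[r])
            z2 = constrain_all(z2, inv[dst])       # target invariant holds on entry ...
            if z2.is_empty():
                continue
            z2 = constrain_all(z2.up(), inv[dst])  # ... and while time passes in dst
            if any(old.includes(z2) for old in stored.get(dst, [])):
                continue  # subsumed by a stored zone: nothing new to explore
            stored.setdefault(dst, []).append(z2)
            waiting.append((dst, z2))
    return sum(len(v) for v in stored.values()), reached

if __name__ == "__main__":  # prints (#states, QUICK reachable) for both models per LARGE
    print([(n, explore(original_model(n)), explore(augmented_model(n))) for n in (100, 1000, 10000)])
```

The constant count comes from the inclusion check: after one pass through AUGMENT the zone stored for S covers x − y anywhere in [10, LARGE], so every later concrete lap (x − y = 20, 30, …) is subsumed and never expanded. Without the augmentation each lap shifts the zone by 10, none of the shifted zones includes another, and the explorer visits all of them before concluding that QUICK is unreachable.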
3.1 Soundness of Model Augmentation
Our technique is sound for proving that some local property holds invariantly.
Theorem 12 (soundness) Let M = 〈A, Vars, Cl, Ch, Type〉 be an Uppaal
model and ϕ be a local property. Then for any model augmentation
$A = \langle l_A \xrightarrow{g,a} l_A',\; L_A,\; T_A,\; \mathit{Type}_A \rangle$ with lA ∈ Li for some i, the following holds.
M |= E<> ϕ ⇒ AugA(M) |= E<> ϕ
Proof. We show that every configuration reached along a trace of M is also
reached along a trace of AugA(M), i.e., T(M) ⊆ T(AugA(M)) up to prefixes (a trace
of M that ends in a deadlock may be continued in AugA(M) by the added transition,
which does not affect reachability). For this it suffices to show that for any
configuration s = (l, e, ν) that is reached in M, every enabled step is
also enabled in the corresponding configuration sA = (l, e, ν) in AugA(M).
Assume a simple or synchronized action step is enabled in s. For every
transition of M there is an equivalent transition in AugA(M). By Definition
10, o(lA), thus ¬c(lA) and the transition $l_A \xrightarrow{g,a} l_A'$ has no precedence over
other action steps. Since l, e, and ν of s and sA are identical, the same simple
or synchronized action step is then enabled in sA.
Assume a delay step of duration d is enabled in s. Then conditions (i) to
(iv) from Definition 6 are met. For sA, conditions (i) and (ii) then also
hold true, since l, e, and ν are identical for s and sA. Condition (iii) is met,
since no action step leaving an urgent location is enabled in s; o(lA) entails
¬u(lA), thus $l_A \xrightarrow{g,a} l_A'$ does not introduce an additional one for sA.
As for condition (iv), $l_A \xrightarrow{g,a} l_A'$ does not carry a synchronization by definition.
Thus no synchronization on an urgent channel can be enabled in sA
unless it was also enabled in s, which is not the case.
Thus a delay step of duration d is also enabled in configuration sA, completing
the proof. □
Corollary 13 (conservative for safety) Let M be an Uppaal model and
ϕ a local property. For any model augmentation A:
AugA(M) |= A[] ϕ ⇒ M |= A[] ϕ
3.2 Suitable Augmentations
Though not formally required, model augmentations have to return to the
original control structure. Otherwise they never yield an improvement.
Model augmentation adds both to the state space and to the level of non-determinism.
In general this is a bad thing. The modification is only beneficial
if the additional loop cuts out long and tedious repetitions of control
sequences that are only distinguishable by the passage of time, i.e., repetitions
modulo a certain clock shift must exist. It is necessary to apply augmentation
in all processes of the model before this phenomenon can be exploited.
It is crucial that the newly introduced loop is taken early in the state space
exploration. In forward reachability analysis this can be achieved by using
a breadth-first search order. Then one augmented loop is explored before
the concrete control returns to the augmentation point. A more rigorous
possibility is to modify the model checking algorithm in such a way that the
transitions starting model augmentations are explored first.
The challenges for successful model augmentation are
(i) to find promising augmentation points,
(ii) to identify suitable delays, and
(iii) to construct conditions that should trigger a return to the original control
structure.
In Section 5 we exemplify this on a medium sized example with two parallel
tasks, where a Round-Robin scheduler dictates repetitions over time.
4 Model Augmentation for Universal Path Properties
Universal path properties are the fragment of TCTL where a property can be
refuted by a single counter-example trace. We extend our model augmentation
technique to be conservative with respect to this richer set of properties. In
order to preserve deadlocks, we modify the transition relation relative to the
model augmentation.
Universal path properties ζ are of the form
ζ ::= A[]ζ | A<>ζ | ζ ∨ ζ | ζ ∧ ζ | ϕ
where ϕ is a local property. In particular the definition of unbounded response,
A[](ϕ ⇒ A<>ψ), is equivalent to A[](¬ϕ ∨ A<>ψ) and thus is a universal path
formula.
The operator A<> expresses inevitability: at some point in the future, some
property will necessarily hold. A<> ζ is violated if there exists either an infinite
trace not containing a configuration where ζ holds, or some finite trace that
reaches a deadlock without passing through a state where ζ holds.
A trace σ = (s0, s1, . . .) ∈ T(M) satisfies a universal path formula ζ at
position i according to the following rules:
(σ, i) |= A[]ζ ⇐⇒ ∀j ≥ i. (σ, j) |= ζ
(σ, i) |= A<>ζ ⇐⇒ ∃j ≥ i. (σ, j) |= ζ
(σ, i) |= ζ1 ∨ ζ2 ⇐⇒ (σ, i) |= ζ1 or (σ, i) |= ζ2
(σ, i) |= ζ1 ∧ ζ2 ⇐⇒ (σ, i) |= ζ1 and (σ, i) |= ζ2
(σ, i) |= ϕ ⇐⇒ si |= ϕ
A model M satisfies a formula ζ, if for all traces σ = (s0, s1, . . .) ∈ T(M),
(σ, 0) |= ζ. 8
Applying model augmentation with universal path properties raises a technical
problem. It could be the case that the new transition at the augmentation
point allows escaping from a deadlock situation, where no further action
transitions are possible. In this situation, A<> properties could hold in the augmented
model, though they do not for the original system.
The solution is conceptually simple: we require that in the augmentation
point the added transition can only be taken if another action transition can
be taken as well. We formalize this as follows.
Def. 14 (augmented path semantics) Let M be an Uppaal timed automata
model and $A = \langle l_i \xrightarrow{g,a} l',\; L_A,\; T_A,\; \mathit{Type}_A \rangle$ a model augmentation of M.
We define the set of weak traces of AugA(M) as the subset of the set of traces
according to Definition 7 that is generated from T(AugA(M)) by the following
side condition:
in a configuration (l, e, ν) with li in l, the action transition $l_i \xrightarrow{g,a} l'$ is only
enabled if another action transition is enabled.
All traces violating this condition are removed from T(AugA(M)) to yield
T_A(AugA(M)). We write AugA(M) |=A ζ if and only if for all traces σ =
(s0, s1, . . .) ∈ T_A(AugA(M)), (σ, 0) |= ζ.
Proposition 15 (conservative over universal path properties)
Let M be an Uppaal timed automaton model and ζ a universal path property.
For any model augmentation A:
AugA(M) |=A ζ ⇒ M |= ζ
Example 16 For the Uppaal model M with the single process P in Figure 1:
AugA(M) |=A A[](¬P.T ∨ A<> P.S), and thus M |= A[](¬P.T ∨ A<> P.S).
Note that whenever transition T → AUGMENT is enabled, then due to the
invariant y ≤ 0 in T, one of the original transitions in M is enabled as
well. Thus the side condition is always fulfilled for T → AUGMENT, and
T(AugA(M)) = T_A(AugA(M)).
5 Faster Verification of a Bricks Sorter
We demonstrate how to apply our model augmentation technique to a special
class of examples, namely Uppaal models of task-based LEGO RCX™
programs, which can be automatically translated to Uppaal models. We use
the bricks sorter example from [10] as a case study.
The bricks sorter model is augmented in the places where control loops in
the structure were detected. For safety properties this yields a speed-up in
terms of model checking time.
8 Since our semantics of a model contains traces where time converges, A<> properties hold
true only under the time progress assumption: a global reference clock must eventually
exceed any time bound, compare [1, 2].
5.1 The Bricks Sorter Model
The bricks sorter (Figure 2) is a machine consisting of a conveyor belt, a
light sensor, and a kick-off arm. Red and black bricks are transported on the
conveyor belt past the sensor, which is sensitive enough to distinguish the
two colors. Some time later, the kick-off arm can push a brick off the belt.
A controller coordinates sensor and kick-off arm and tries to make sure that
every black brick is pushed off, while every red brick is allowed to pass.
In a physical implementation, this system was built in LEGO, with an
RCX™ Mindstorms micro-controller as the control unit. This controller
executes up to ten tasks that are organized by a deterministic scheduler in
Round-Robin fashion. Two tasks, main and kick-off, are used in the RCX™
program; they are translated to three Uppaal processes [10]. Three processes
model the environment, and one process Hurry_Dummy was added that
permanently offers synchronization on the urgent channel Hurry. This composes the
Uppaal model Sorter. We want to establish a safety property stating that
the second brick is kicked off, regardless of when precisely it enters the belt.
Formally we model check Sorter |= A[]¬ black_brick2.PASSED.
[Figure 2: schematic of the conveyor belt with the sensor and the kick-off arm, and the list of processes of Sorter. RCX model: Scheduler, RCX0_main task, RCX0_kick_off task. Environment: black_brick, black_brick2, kick_off_arm, Hurry_Dummy.]
Fig. 2. Schematic description of the bricks sorter.
5.2 Augmentation of the Bricks Sorter Model
In general, finding augmentation points requires insight into the model (Section 3.2).
Some classes of examples, however, exhibit a fairly regular structure where
this technique can be applied more systematically. We mention here LEGO
RCX™ micro-controllers, where NQC programs can be automatically translated
to Uppaal models for analysis. We use the translation of NQC programs
to Uppaal models from [10]. Original tasks are translated to Uppaal processes,
and WAIT-UNTIL statements correspond to augmentation points. Additionally,
the Scheduler has to be modified to allow a parking state.
One problem with model checking the Uppaal model Sorter is that at
some points in time the processes perform a busy loop. More precisely, when
the sensor waits to get sight of a brick or the kick-off arm waits for a brick
to be in the right position, all processes return to the same control situation
(after some delay) very often.
We try to avoid this busy loop by an appropriate augmentation of the
model. This can be understood as allowing processes to park in some situa-
tions, until an enabling timing condition holds true.
Starting with the Uppaal model Sorter we deﬁne a sequence of model
augmentations. The processes Scheduler, RCX0_main, and RCX0_kick_off
are augmented. The augmentation points are chosen according to the nature
of the particular process.
[Figure 3 (i), original Scheduler: locations RCX0_start (invariant RCX0_timer < 1), RCX0_inSched (invariant RCX0_timer <= CS), and RCX0_inTask. Edge labels in the figure:
RCX0_start → RCX0_inSched: RCX0_active[0]:=1, RCX0_currentTask:=0, RCX0_timer:=0
RCX0_inSched → RCX0_inSched (skip an inactive task): RCX0_active[RCX0_currentTask]==0, RCX0_timer==CS; RCX0_timer:=0, RCX0_currentTask:=RCX0_currentTask+1
RCX0_inSched → RCX0_inTask (release an active task): RCX0_active[RCX0_currentTask]==1, RCX0_timer==CS; RCX0_Go!; RCX0_timer:=0
RCX0_inTask → RCX0_inSched (task hands back control): RCX0_Go?; RCX0_timer:=0, RCX0_currentTask:=RCX0_currentTask+1
Figure 3 (ii), augmented Scheduler: the same, plus the locations Parking and Driving (urgent). Edge labels in the figure: RCX0_active[0]==0, RCX0_active[1]==0 (entering Parking); RCX0_active[0]==1, Hurry? and RCX0_active[1]==1, Hurry? (leaving Parking); RCX0_timer:=0.]
Fig. 3. The Round-Robin Scheduler repeatedly toggles through the list of tasks.
*** Task 0 = main
...
031 InType 2, Switch
034 InMode 2, Boolean
037 OutDir A, Fwd
039 OutMode A, On
041 OutPwr A, 1
045 OutDir B, Fwd
047 OutMode B, On
049 OutPwr B, 6
053 Display 1
057 StartTask 1
059 Test Input(0) <= var[4], 70
067 Jump 59
070 ...
[Figure 4, right: the Uppaal process for the fragment above. Locations RCX0_main_51_S0, RCX0_main_51_S1, RCX0_main_51_S3 (invariant RCX0_timer <= 143), RCX0_main_59_S0, RCX0_main_59_S1 (invariant RCX0_timer <= 20), and the augmentation locations Augment_1 and Augment_2. Edge labels in the figure: RCX0_Go?, RCX0_timer:=0; RCX0_currentTask==0; RCX0_IN_1<=42; RCX0_IN_1>42; RCX0_timer==143, RCX0_Go!; RCX0_timer==20, RCX0_Go!; RCX0_active[0]:=0; RCX0_active[0]:=1; Hurry?. The test-and-jump loop at instructions 059/067 is the wait condition at which the augmentation is applied.]
Fig. 4. Part of a LEGO RCX™ task and the corresponding Uppaal process.
Scheduler.
Figure 3 (i) displays the Uppaal process Scheduler. It uses the array
RCX0_active and the integer variable RCX0_currentTask to keep track of
the next task to release. It does so by taking the transition to RCX0_inTask,
if possible, and otherwise idles via the self loop at RCX0_inSched.
If the respective task is active, execution of this task is released (RCX0_inTask).
The task executes an instruction and then hands back control to
the scheduler by synchronizing on channel RCX0_Go. If the respective task is
inactive, it is skipped (self-loop to the right).
Table 2. Sorter versus Aug∗A(Sorter).

                  #explored states   average number   #deadlocks   time [sec]   memory [KB]
                                     of successors
Sorter            151·10^3           1.28             0            86.84        1,840
Aug∗A(Sorter)     22,966             2.09             20           21.15        2,512
Hereafter, the scheduler moves on to the next task. The variable
RCX0_currentTask wraps around to 0 when the number of existing processes
is exceeded.
The augmented scheduler (ii) is shown on the right. If all tasks are inactive,
the location Parking can be reached. If one of the tasks becomes active again,
this location has to be left immediately. This is achieved via synchronization
on the urgent channel Hurry and by declaring the location Driving urgent.
Tasks.
In the processes RCX0_main and RCX0_kick_off the conditional tests cause
loops in the control structure. Model augmentations are applied in eight
places. Six of them are busy-waits for a condition to become true, like the
one shown in Figure 4. The remaining two allow an optional time delay
whenever progress depends on timing conditions being met.
Together with the augmented scheduler this amounts to nine model augmentations,
which add 16 locations and 34 transitions in total. We refer to the obtained
model as Aug∗A(Sorter).
The comparison of Sorter and Aug∗A(Sorter) is given in Table 2. All runs
use the optimization options -sWabA -S 2 (active clock reduction, breadth-
first search, convex hull approximation, minimal space). On Aug∗A(Sorter),
forward state space exploration runs four times faster but consumes slightly
more memory. This is a consequence of the applied convex-hull optimization: in
Sorter the convex hull is constructed over the many encountered zones, each
one shifted by a small delay, i.e., at most one zone is stored for each discrete
part. Aug∗A(Sorter) additionally needs to store symbolic states for the new
control locations.
Aug∗A(Sorter) exhibits a considerably higher average number of successors,
which can be understood as additional non-determinism. Also, Aug∗A(Sorter)
yields additional deadlock states, apparently due to unfortunate timing clashes.
In general this is undesirable, since it then remains unclear whether the original
model is deadlock-free. In this class of examples, however, the original model is
deadlock-free by construction, and thus the deadlocks are necessarily spurious.
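The soundness direction the preceding paragraphs rely on, and the caveat that goes with it, can be made concrete with a small explicit-state toy of the Parking augmentation of Figure 3 and the busy-wait augmentation of Figure 4. The following is an added example and not the paper's Uppaal model: it replaces dense time by one integer clock, fixes two tasks, and assumes values for the time slice CS, a task execution time EXEC and an environment bit standing in for the RCX0_IN_1 test. It therefore shows trace inclusion (every reachable state of the original is reachable in the augmentation, so an invariant established on the augmented model carries over) and a spurious violation (an invariant that holds in the original but not in the augmentation), but not the zone-level savings of Table 2, which are a symbolic effect.

```python
"""Discrete-time toy of the 'Parking' augmentation (Fig. 3) and the
busy-wait augmentation (Fig. 4).  Added example, not the paper's Uppaal
model; CS, EXEC and the two-task workload are assumptions."""
from collections import deque

CS = 2        # scheduler time slice, the paper's constant CS (value assumed)
EXEC = 3      # ticks a released task runs before RCX0_Go! (assumed)
NTASKS = 2

# State: (loc, t, cur, active, inp, pc0)
#   loc     scheduler location: sched | task | parking | driving
#   t       integer clock shared by scheduler and running task (RCX0_timer)
#   cur     RCX0_currentTask
#   active  tuple of RCX0_active flags
#   inp     environment bit task 0 busy-waits on (RCX0_IN_1 test, 1 = met)
#   pc0     task 0 control point: 'wait' (polling) or 'done'
INIT = ("sched", 0, 0, (1, 1), 0, "wait")


def successors(s, augmented):
    loc, t, cur, active, inp, pc0 = s
    nxt = []
    # The environment may flip the input at any moment.  In the augmented
    # model a flip to 1 re-activates a parked task 0 at once (urgent Hurry).
    if augmented and inp == 0 and pc0 == "wait" and active[0] == 0:
        nxt.append((loc, t, cur, (1, active[1]), 1, pc0))
    else:
        nxt.append((loc, t, cur, active, 1 - inp, pc0))
    # Delay one tick while the location invariant allows it.  Parking has no
    # invariant but its clock value is irrelevant (Driving resets it), and
    # Driving is urgent, so neither gets a delay edge.
    inv = {"sched": CS, "task": EXEC}.get(loc)
    if inv is not None and t < inv:
        nxt.append((loc, t + 1, cur, active, inp, pc0))
    if loc == "sched" and t == CS:
        if active[cur]:                                   # RCX0_Go!: release it
            nxt.append(("task", 0, cur, active, inp, pc0))
        else:                                             # skip inactive task
            nxt.append(("sched", 0, (cur + 1) % NTASKS, active, inp, pc0))
    if loc == "task" and t == EXEC:                       # one instruction, RCX0_Go?
        nc = (cur + 1) % NTASKS
        if cur == 1:                                      # task 1 runs once and ends
            nxt.append(("sched", 0, nc, (active[0], 0), inp, pc0))
        elif inp == 1:                                    # wait condition met
            nxt.append(("sched", 0, nc, (0, active[1]), inp, "done"))
        else:
            nxt.append(("sched", 0, nc, active, inp, pc0))  # keep polling (original)
            if augmented:                                 # ... or park (Augment_1)
                nxt.append(("sched", 0, nc, (0, active[1]), inp, pc0))
    if augmented and loc == "sched" and active == (0, 0):  # all idle: Parking
        nxt.append(("parking", 0, cur, active, inp, pc0))
    if loc == "parking" and any(active):                   # Hurry?: leave at once
        nxt.append(("driving", 0, cur, active, inp, pc0))
    if loc == "driving":                                   # urgent location
        nxt.append(("sched", 0, cur, active, inp, pc0))
    return nxt


def reachable(augmented):
    seen, todo = {INIT}, deque([INIT])
    while todo:
        for n in successors(todo.popleft(), augmented):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def holds(prop, states):
    """Invariant check: prop must hold in every reachable state."""
    return all(prop(s) for s in states)


def release_only_active(s):          # the scheduler never releases an inactive task
    loc, _, cur, active, _, _ = s
    return loc != "task" or active[cur] == 1


def waiter_stays_active(s):          # true in the original, broken by parking
    _, _, _, active, _, pc0 = s
    return pc0 != "wait" or active[0] == 1


def demo():
    orig, aug = reachable(False), reachable(True)
    return {
        "orig_states": len(orig),
        "aug_states": len(aug),
        # every state of the original is a state of the augmentation ...
        "trace_inclusion": orig <= aug,
        # ... so an invariant established on aug carries over to orig
        "safe_in_aug": holds(release_only_active, aug),
        "safe_in_orig": holds(release_only_active, orig),
        # but a violation in aug may be spurious: this one holds in orig only
        "spurious_violation": holds(waiter_stays_active, orig)
                              and not holds(waiter_stays_active, aug),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:20} {val}")
```

The augmentation never removes an edge (the original "keep polling" successor is kept beside the new "park" successor), which is exactly what makes the inclusion hold; a counterexample or deadlock reported on the augmented model must still be replayed on the original before it is believed.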
Note that Aug∗A(Sorter) is also good for proving other safety properties. If
they hold in Aug∗A(Sorter), the whole state space is expanded symbolically in
one run; thus the run-time data would be identical (modulo small run-time
differences in evaluating the invariant ϕ for one symbolic configuration).
In the model checking run we make use of the convex-hull approximation
technique. This approximation increases the number of reachable states but is
conservative with respect to safety properties in one direction: a safety
property that holds in the over-approximated state space also holds in the
exact one, whereas a violation found there may be spurious. Without this option,
the large number of created symbolic states in this example exceeded the
available 1 GB of memory, both for Sorter and for Aug∗A(Sorter).
6 Summary
Model augmentation is a specialized approximation technique that is safe for
various timed automata dialects. Note that we refrain from pruning
processes, i.e., existing behavior of the system is never prohibited. This allows
for a general soundness proof of our technique and makes combination with
other approximation techniques possible.
In our application to LEGO RCX(TM) programs, the savings are not drastic.
Nevertheless, the run-time improvements in the brick-sorter example demonstrate
that the technique has potential. The time savings were roughly 75%,
but slightly more memory was consumed by the augmented model. More
experiments are needed to determine whether this is specific to this example.
The augmentation points of the tasks can be derived either from the control
structure of the Uppaal model or directly from the LEGO RCX(TM) program.
There exists a translation from these programs to corresponding Uppaal
models [10]. It is possible to modify this translation to directly compute an
augmented version of the Uppaal models, providing full automation of this
optimization technique for this class of applications.
Our technique is related to the convex hull over-approximation in [7]. However,
it has a finer granularity in the choice of the approximation and can even be
combined with convex hull. Unlike convex hull, our technique prescribes a way
to modify a model checking algorithm such that universal path properties carry
over from the augmented model to the original one.
Acknowledgments. We thank Kim G. Larsen for many helpful comments.
References
[1] Martin Abadi and Leslie Lamport. An Old-Fashioned Recipe for Real Time.
In Proc. of REX Workshop “Real-Time: Theory in Practice”, number 600 in
Lecture Notes in Computer Science, pages 1–27, 1992.
[2] Rajeev Alur, Costas Courcoubetis, and David Dill. Model Checking in Dense
Real Time. Information and Computation, 104:2–34, 1993.
[3] Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A. Henzinger,
Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph Sifakis, and Sergio Yovine.
The Algorithmic Analysis of Hybrid Systems. Theoretical Computer Science,
138(1):3–34, 6 February 1995.
[4] Rajeev Alur and David Dill. A Theory of Timed Automata. Theoretical
Computer Science, 126(2):183–236, 1994.
[5] Tobias Amnell, Gerd Behrmann, Johan Bengtsson, Pedro R. D'Argenio,
Alexandre David, Ansgar Fehnker, Thomas Hune, Bertrand Jeannet, Kim G.
Larsen, M. Oliver Möller, Paul Pettersson, Carsten Weise, and Wang Yi.
Uppaal - Now, Next, and Future. In F. Cassez, C. Jard, B. Rozoy, and
M. Ryan, editors, Modelling and Verification of Parallel Processes, number 2067
in Lecture Notes in Computer Science Tutorial, pages 100–125. Springer–Verlag,
2001.
[6] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking.
The MIT Press, Cambridge, Massachusetts, 1999.
[7] Conrado Daws and Stavros Tripakis. Model checking of real-time reachability
properties using abstractions. In Bernard Steﬀen, editor, Proc. of the 4th
Workshop on Tools and Algorithms for the Construction and Analysis of
Systems, number 1384 in Lecture Notes in Computer Science, pages 313–329.
Springer–Verlag, 1998.
[8] Conrado Daws and Sergio Yovine. Reducing the number of clock variables of
timed automata. In Proc. of the 17th IEEE Real-Time Systems Symposium,
pages 73–81. IEEE Computer Society Press, 1996.
[9] Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. HyTech: A Model
Checker for Hybrid Systems. In Orna Grumberg, editor, Proc. of the 9th
Int. Conf. on Computer Aided Verification, number 1254 in Lecture Notes in
Computer Science, pages 460–463. Springer–Verlag, 1997.
[10] Torsten K. Iversen, Kåre J. Kristoffersen, Kim G. Larsen, Morten Laursen,
Rune G. Madsen, Steffen K. Mortensen, Paul Pettersson, and Chris B.
Thomasen. Model-Checking Real-Time Control Programs — Verifying LEGO
Mindstorms Systems Using Uppaal. In Proc. of 12th Euromicro Conference on
Real-Time Systems, pages 147–155. IEEE Computer Society Press, June 2000.
[11] Kim G. Larsen, Paul Pettersson, and Wang Yi. Uppaal in a Nutshell. Int.
Journal on Software Tools for Technology Transfer, 1(1–2):134–152, October
1997.
[12] Kim G. Larsen, Carsten Weise, Wang Yi, and Justin Pearson. Clock Diﬀerence
Diagrams. Nordic Journal of Computing, 6(3):271–298, 1999.
[13] Sergio Yovine. Kronos: A Veriﬁcation Tool for Real-Time Systems. Springer
International Journal of Software Tools for Technology Transfer, 1(1/2):123–
133, October 1997.
