Improved Symbolic Model Checking of Real-Time Systems by NGUYEN TRUONG KHANH
IMPROVED SYMBOLIC MODEL CHECKING
OF REAL-TIME SYSTEMS
TRUONG KHANH NGUYEN
NATIONAL UNIVERSITY OF SINGAPORE
2014




A THESIS SUBMITTED FOR THE DEGREE
OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
NATIONAL UNIVERSITY OF SINGAPORE
2014
DECLARATION
I hereby declare that this thesis is my original work and it has been written by me
in its entirety. I have duly acknowledged all the sources of information which have
been used in the thesis.




First and foremost, I want to thank my supervisor, Dr. Dong Jin Song, for his
guidance, advice and encouragement throughout my Ph.D journey. Without his
constant support, this Ph.D would not have been achievable.
I am deeply grateful to Dr. Sun Jun, who acts like a co-supervisor. He has been
helpful in guiding me during my Ph.D. Every discussion with him is very fruitful in
helping my understanding of model checking. I am also grateful to Dr. Liu Yang for
his support in various ways.
I am grateful to Dr. P. S. Thiagarajan, Dr. Joxan Jaffar, and Dr. Khoo Siau Cheng for their valuable suggestions and comments on my research works. I also thank Dr. Shang-Wei Lin and Dr. Henri Hansen for their research collaborations.
I also thank my former university supervisor, Dr. Quan Thanh Tho. He is a
great supervisor who guided me during the first days of learning model checking.
I am indebted to all my friends who have supported me over the last few years:
Ta Quang Trung, Vu Thi Thuy Trang, Tran An, Le Quang Loc, Le Ton Chanh,
Le Duy Khanh, Nguyen Duong Thien Hoang, Nguyen Hieu, Luong Ba Linh, and
Nguyen Le Truc.
I also want to say a heartfelt thank you to my Mum and Dad for always believing
in me and encouraging me to pursue my Ph.D. Finally, I thank my wife, who has
been by my side throughout this Ph.D. Thank you for everything especially for your





List of Tables x
List of Figures xi
1 Introduction 1
1.1 Real-time Model Checking . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Objectives and Contributions of the Thesis . . . . . . . . . . . . . . . 5
1.4 Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Background 8
2.1 Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Zone and Symbolic Semantics . . . . . . . . . . . . . . . . . . . . . . 13
2.3 BDD and Model Encoding . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.1 Binary Decision Diagram . . . . . . . . . . . . . . . . . . . . . 16
2.3.2 Finite-State Machine . . . . . . . . . . . . . . . . . . . . . . . 18
2.3.3 Finite-State Machine Encoding . . . . . . . . . . . . . . . . . 20
2.3.4 Compositional Encoding Functions . . . . . . . . . . . . . . . 26
2.4 Symbolic Model Checking Algorithms . . . . . . . . . . . . . . . . . . 29
2.4.1 Reachability Analysis Algorithm . . . . . . . . . . . . . . . . . 30
2.4.2 LTL Model Checking Algorithm . . . . . . . . . . . . . . . . . 33
2.5 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3 Timed System Encoding 37
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2 System Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3 Timed Finite-state Machine Encoding . . . . . . . . . . . . . . . . . . 44
3.3.1 Keeping Ticks Simple . . . . . . . . . . . . . . . . . . . . . . . 45
3.3.2 Generating TFSMs without Clock Variables . . . . . . . . . . 47
3.4 Closed Timed Automata Encoding . . . . . . . . . . . . . . . . . . . 50
3.5 Stateful Timed CSP Encoding . . . . . . . . . . . . . . . . . . . . . . 54
3.5.1 Stateful Timed CSP . . . . . . . . . . . . . . . . . . . . . . . 54
3.5.2 Generating TFSM From Stateful Timed CSP Process . . . . . 59
3.5.3 Compositional Encoding Functions . . . . . . . . . . . . . . . 63
3.6 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4 Reachability Analysis with Simulation 67
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.2 Reachability Analysis Algorithm . . . . . . . . . . . . . . . . . . . . . 70
4.3 Reachability Analysis with Simulation . . . . . . . . . . . . . . . . . 72
4.3.1 Simulation Relation in TFSMs . . . . . . . . . . . . . . . . . . 72
4.3.2 Reachability Analysis Algorithm with Simulation . . . . . . . 73
4.4 Implementation and Evaluation . . . . . . . . . . . . . . . . . . . . . 80
4.5 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5 Emptiness Checking with Simulation 84
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
5.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.2.1 Timed Büchi Automata . . . . . . . . . . . . . . . . . . . . . 88
5.2.2 Zone Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.2.3 Discrete Semantics . . . . . . . . . . . . . . . . . . . . . . . . 90
5.3 Emptiness Checking with Simulation . . . . . . . . . . . . . . . . . . 91
5.3.1 Emptiness Checking Algorithm . . . . . . . . . . . . . . . . . 92
5.3.2 Emptiness Checking Algorithm with Simulation . . . . . . . . 93
5.4 Emptiness Checking of Timed Büchi Automaton . . . . . . . . . . . . 99
5.5 Implementation and Evaluation . . . . . . . . . . . . . . . . . . . . . 100
5.6 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6 Conclusion and Future Work 104
6.1 Thesis Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
6.2.1 IC3 without SAT Solvers . . . . . . . . . . . . . . . . . . . . . 106
6.2.2 Inclusion Checking . . . . . . . . . . . . . . . . . . . . . . . . 106
6.2.3 Model Checking for Parametric Timed Automata . . . . . . . 107
6.2.4 Model Checking for Hybrid Systems . . . . . . . . . . . . . . . 107
Bibliography 108
A Compositional Encoding Functions for FSMs 117
B Stateful Timed CSP Symbolic Firing Rules 122
C Compositional Encoding Functions for TFSMs 126
Summary
It is important to verify the correctness of real-time systems before launching them.
Although there exist many studies on real-time model checking, it is worth noting
that current techniques still encounter the state space explosion problem. The aim
of this thesis is to study the symbolic model checking problems of real-time systems
and to explore techniques to mitigate the state space explosion problem.
In the literature, the model checking technique based on binary decision diagrams (BDDs) has been shown to be successful in handling the state space explosion. However, applying BDD-based model checking requires knowledge of BDDs and is difficult for hierarchical systems. Moreover, the performance of BDD-based model checking for real-time systems depends heavily on the techniques used to encode the model into BDDs and on the magnitude of the maximal clock constants. In the first part of this thesis, we present our encoding techniques for real-time systems. We propose to use only tick transitions to explicitly represent the timing requirements. This representation helps to reduce the problem of large maximal clock constants. Furthermore, our encoding techniques include a set of compositional encoding functions which compute the encoding of a system from the encodings of its subsystems. Thus, the encodings of hierarchical systems can be obtained more easily by using our compositional encoding functions. Overall, our encoding techniques are general and have been applied to encode the closed timed automata and Stateful Timed CSP modeling languages.
With regard to model checking algorithms, the interesting problems are reachability analysis and emptiness checking. In the second part of the thesis, we aim to improve the current state-of-the-art algorithms by using the Lower Upper (LU) simulation relation. We prove that the simulation relation preserves not only reachability but also emptiness. We also show that symbolically computing the set of reachable states can be enhanced by applying the simulation relation. Specifically, the number of iterations needed to reach the fixpoint is reduced. The experimental results show that our approach significantly improves performance. Then, based on the automata-theoretic result that model checking of linear temporal logic (LTL) properties can be done by checking the emptiness of timed Büchi automata, we extend our framework to support LTL properties.
In summary, the results of this thesis include two improved algorithms for reachability analysis and emptiness checking. In addition, a BDD framework is developed to support BDD-based model checking. Specifically, this framework eases the application and the extension of BDD-based model checking. We note that the application of this framework is not restricted to real-time verification. Other domains such as sensor networks and probabilistic models are further examples that can benefit from our framework.
List of Tables
3.1 Comparison of the two different encoding approaches . . . . . . . . . 47
4.1 Comparison between Algorithm 5 and Algorithm 6 in Fischer protocol
with 4 processes and b = 10 . . . . . . . . . . . . . . . . . . . . . . . 79
4.2 Comparison between Algorithm 5 and Algorithm 6 in Fischer protocol
with a = 5 and b = 10 . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.3 Experimental results in the reachability verification with large clock
constants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.4 Experimental results in the reachability verification with large number
of processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.1 Experimental results on large maximal clock constants . . . . . . . . 102
5.2 Experimental results on large number of processes . . . . . . . . . . . 102
List of Figures
2.1 Binary decision tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2 BDD transformation from BDT in Figure 2.1 (a) with duplicate y-
nodes; (b) after removing duplicated y-nodes; and (c) after removing
redundant x-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.3 BDD encoding of θ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.4 FSM of a microwave oven . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1 TFSM with clock variables . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2 TFSM without clock variables . . . . . . . . . . . . . . . . . . . . . . 45
3.3 Stateful Timed CSP process constructs . . . . . . . . . . . . . . . . . 55
3.4 TFSM of process P(pid) . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.5 Sample symbolic firing rules of Stateful Timed CSP . . . . . . . . . . 61




Real-time systems are now becoming pervasive and are playing a vital role in our world. Examples of real-time systems range from biological systems and business software to safety-critical systems such as air traffic controllers, medical systems, and nuclear plant controllers. The correctness of these systems depends not only on the logical correctness but also on the timing of the output. Since any failure of a real-time system can cause catastrophic consequences, stability and reliability become crucial features to be guaranteed. Model checking is a formal method to verify the correctness of real-time systems. In this chapter, we give an overview of real-time model checking and discuss the research gaps. Then, we present the objectives of this thesis.
1.1 Real-time Model Checking
Real-time systems are systems whose correctness depends not only on the sequence but also on the timing of the events. For example, when a car accident happens, the airbag must inflate rapidly within a certain timing constraint. Any failure or lateness of the airbag inflation can cause loss of human life. Moreover, the later a bug is found, the more it costs. Therefore, it is crucial to verify the correctness of real-time systems before launching them.
There are various methods to verify the correctness of real-time systems. While testing and simulation can show the presence of bugs, they do not guarantee the absence of bugs. In contrast, formal methods based on mathematics can guarantee the absence of bugs. Model checking is an automatic formal technique to verify the correctness of systems. A model checking framework includes three components: a modeling specification language to describe the system, a property specification language to describe the properties, and a reasoning engine to verify the system with respect to the properties [73]. These three components will be discussed in detail in the next section.
1.2 Literature Review
Many modeling languages have been proposed to model real-time systems. Among these modeling languages, timed automata proposed by Alur and Dill [4] are the most popular. Timed automata are an extension of finite-state automata equipped with clocks to represent timing constraints. Timed safety automata [50] are a variant of timed automata with state invariants to limit how long the timed automaton may stay at a certain state. However, both timed automata and timed safety automata lack support for hierarchical systems. They only support parallel composition, and the model is often a network of timed automata running in parallel. Thus, it is not simple to model more complex hierarchical systems by using those modeling languages. Another modeling language is TCOZ [72], an integration of Timed CSP [90] and Object-Z [43]. Inheriting the strengths of Timed CSP and Object-Z, TCOZ provides a unified notation for modeling both the state and process aspects of complex real-time systems. However, there is a lack of model checkers to automatically verify TCOZ, and theorem proving is the best technique to reason about TCOZ so far. A translation from TCOZ to timed automata is proposed in [39] to make use of the available model checkers for timed automata. Similarly, Sun et al. [95] proposed Stateful Timed CSP, an extension of Timed CSP, to model hierarchical real-time systems. Stateful Timed CSP extends Timed CSP with timed process constructs to capture timing constraint patterns, for instance, delay, deadline, timeout, or timed interrupt.
Temporal logic [84], with temporal operators like eventually or always, is often used to represent the desired properties. Two notable kinds are safety and liveness properties. Safety properties specify that something bad never happens. An example of a safety property is that two processes are never in their critical sections at the same time. Safety properties are usually verified by checking whether the set of reachable states contains bad states which do not satisfy the safety condition. In contrast, liveness properties specify that something good eventually happens; for example, if a process requests to enter the critical section, eventually this request is granted. The most popular temporal logics used in model checking are linear temporal logic (LTL) [84] and computation tree logic (CTL) [34]. In LTL, the properties are expressed over a single computation path. In contrast, in CTL, the properties are expressed over a tree of all possible computation paths. Temporal logic specifies the order of events in the computation paths; however, it does not express timing constraints on these paths. Timed CTL (TCTL) [2] is an extension of CTL with time-bounded temporal operators. It can express qualitative properties like CTL as well as quantitative properties with timing constraints. For example, a property in TCTL can be that if a process requests to enter the critical section, it will be in the critical section within 5 seconds.
After specifying the model of the system and the property to verify, a model checking algorithm is called to verify whether the model satisfies the property. Since the real-time model contains clocks whose values are real numbers, the number of states in the model can be infinite. In [4], a set of clock valuations is stored in a region, and the state space of timed automata is abstracted to a finite representation, called the region graph. While the region graph is useful in establishing some theories, it is not implemented in practice because the number of states in the region graph grows exponentially in the number of clocks as well as in the maximal clock constants appearing in the timed automata. Since then, many approaches have been proposed to represent the state space of timed automata efficiently. Dill proposed to use the Difference Bounded Matrix (DBM) to store a convex set of clock valuations [37]. The DBM has become the most popular representation for clock valuations and has been adopted by many model checkers such as Uppaal [68] and Kronos [28]. Unfortunately, the zone graph built from DBMs can be infinite. To remedy this problem, many abstraction techniques were proposed, including closure abstraction [27] and LU abstraction [16]. While closure abstraction relies on the bisimulation relation, LU abstraction relies on the simulation relation and is the coarsest abstraction with respect to LU bounds [54]. Moreover, those abstraction techniques were shown to be correct for reachability analysis. With regard to the language emptiness problem, under those abstraction techniques, algorithms that find strongly connected components are still correct if the timed automaton is strongly non-Zeno [99, 69]. Thus, earlier approaches to the language emptiness problem required the strongly non-Zeno transformation [99]. Recently, Herbreteau et al. proposed guessing zone graphs to solve the language emptiness problem without the strongly non-Zeno transformation [53, 51].
Since BDD-based model checking techniques have had many successes in concurrent model checking [33, 85], BDDs [31, 11, 21] and many BDD-like data structures [76, 17, 100] have been adopted for real-time model checking. It was shown that BDDs are more efficient than DBMs in many examples [17, 76, 21, 100]. However, the performance of the BDD-based approach is highly sensitive to large maximal clock constants [23, 101], and most of the experiments on the BDD-based approach are conducted with small maximal clock constants.
We have presented a general literature review of real-time model checking. In the following, we discuss specifically the research gaps and the objectives of this thesis.
1.3 Objectives and Contributions of the Thesis
Research gaps for real-time model checking are summarized below:
• BDD-based model checking is a successful technique; however, most BDD-based model checking tools require users to have some BDD background. In addition, their modeling language is often simple with a flat structure and lacks language features for modeling hierarchical systems.
• Timed automata are the most popular language to model real-time systems, but they lack support for hierarchical systems. In contrast, Stateful Timed CSP supports modeling of hierarchical real-time systems by providing many timed process constructs. So far, probably due to the expressiveness of the Stateful Timed CSP language, there is no BDD-based model checking approach to verify Stateful Timed CSP.
• Although there are many studies on adopting the BDD data structure to real-time model checking through digitization, the performance often degrades with a large magnitude of maximal clock constants.
The main objectives of this thesis are to study the above research gaps and to develop techniques to overcome those gaps. The specific contributions of this thesis include:
• We developed a BDD framework for symbolic model checking. It allows ordinary users (with little or no BDD background) to quickly encode and compose system components to model and verify hierarchical systems. Moreover, the framework includes a set of symbolic model checking algorithms supporting reachability analysis, LTL, etc., and a number of interface classes through which users can invoke or even modify the BDD encoding or the model checking algorithms.
• We proposed a hierarchical approach to encode Stateful Timed CSP. Primitive Stateful Timed CSP processes are encoded first, and those encodings are then combined by compositional encoding functions according to the Stateful Timed CSP process constructs. In addition, we also support both reachability and LTL model checking under the non-Zeno condition. The BDD-based approach in this thesis is more efficient than the zone-based approach [95] in many examples.
• We improved BDD-based reachability analysis and emptiness checking algorithms for real-time systems. The improvement includes a new encoding technique for real-time models and two improved reachability analysis and emptiness checking algorithms using the LU simulation relation. As a result, our approach can verify larger models with maximal clock constants up to the thousands. By using an intermediate representation, our approach is general and does not depend on the modeling language.
The rest of this thesis is organized as follows. Chapter 2 is devoted to an introduction to real-time model checking, where we introduce timed automata, define the semantics of timed automata, and demonstrate how the DBM and BDD data structures can be used for model checking. Chapter 3 presents our encoding techniques for real-time models and demonstrates their application to the encoding of the closed timed automata and Stateful Timed CSP modeling languages. Chapter 4 and Chapter 5 present our improved reachability analysis and emptiness checking algorithms using the simulation relation, respectively. Chapter 6 concludes the thesis.
1.4 Publications
The work on the BDD framework development was presented at ASE 2011: 26th IEEE/ACM International Conference on Automated Software Engineering (Nov 2011) [78]. The work in Chapter 3 and Chapter 4 was presented at FM 2012: 18th International Symposium on Formal Methods (Aug 2012) [80]. The work on BDD-based model checking for Stateful Timed CSP in Chapter 3 was presented at ICFEM 2012: 14th International Conference on Formal Engineering Methods (Nov 2012) [79]. In addition, our BDD framework was used to develop CELL, a compositional model checking framework. This work was published at ATVA 2013: 11th International Symposium on Automated Technology for Verification and Analysis (Oct 2013) [59]. Finally, I also contributed to the work on partial order reduction for timed automata. This work was presented at CAV 2014: 26th International




In this chapter, we introduce timed automata, the most popular modeling language
of real-time systems. Then, we define the semantics of this language and demonstrate
how DBM and BDD data structures can be used for model checking.
2.1 Timed Automata
We denote the finite alphabet by Σ. Let R≥0 be the set of non-negative real numbers. Let X be the set of non-negative real variables called clocks. The set Φ(X) contains all clock constraints δ defined inductively by the grammar δ := x ∼ c | x − y ∼ c | δ ∧ δ, where x, y ∈ X, ∼ ∈ {<, ≤, =, ≥, >}, and c ∈ N. Given a set of clocks X, a clock valuation v : X → R≥0 is a function which assigns a non-negative real value to each clock in X. A clock valuation v satisfies a clock constraint δ, written as v |= δ, if and only if δ evaluates to true using the clock values given by v. We denote by 0 the clock valuation that assigns every clock the value 0. Given a clock valuation v and d ∈ R≥0, the clock valuation v′ = v + d is defined as v′(x) = v(x) + d for all clocks x in X. For R ⊆ X, let [R ↦ 0]v denote the clock valuation v′ such that v′(x) = v(x) for all x ∈ X \ R and v′(x) = 0 for all x ∈ R.
Definition 2.1. A timed automaton is a tuple A = (Σ, X, L, l0, T, I) where
• Σ is the finite alphabet.
• X is the set of clock variables.
• L is the set of locations.
• l0 ∈ L is the initial location.
• T ⊆ L × Φ(X) × Σ × 2^X × L is the set of transitions (l, g, e, R, l′), where l and l′ are the source and destination locations of this transition respectively, g ∈ Φ(X) is a guard, e ∈ Σ is an event name, and R ⊆ X is the set of clocks to reset.
• I : L → Φ(X) assigns invariants to locations.
The (continuous) semantics of a timed automaton A = (Σ, X, L, l0, T, I) is a transition system CS(A) = (S, s0, →) where S = L × R≥0^X is the set of states, s0 = (l0, 0) is the initial state, and → is the labeled transition relation satisfying the following conditions:
• Delay transition: (l, v) −d→ (l, v + d) if v + d′ |= I(l) for all 0 ≤ d′ ≤ d.
• Action transition: (l, v) −t→ (l′, v′) with t = (g, e, R) if there exists (l, g, e, R, l′) ∈ T such that v |= g, v′ = [R ↦ 0]v, and v′ |= I(l′).
We write (l, v) −d→ −t→ (l′, v′) if there exists (l1, v1) such that (l, v) −d→ (l1, v1) and (l1, v1) −t→ (l′, v′). A run of a timed automaton is a sequence (l0, v0) −d0→ −t0→ (l1, v1) −d1→ −t1→ (l2, v2) ···. A state (ln, vn) is reachable from (l0, v0) if there is a run starting from (l0, v0) and ending at (ln, vn). The duration of the run is defined as the total delay over this run, ∑_{i≥0} d_i. An infinite run is called non-Zeno if it satisfies the non-Zeno condition, i.e., its duration is unbounded. Otherwise, it is called Zeno.
Given a timed automaton A = (Σ, X, L, l0, T, I) and a location l ∈ L, reachability analysis is the problem of deciding whether there exists a state (l, v) reachable from the initial state (l0, 0). Let Acc ⊆ L be the Büchi condition, i.e., the set of accepting locations. An accepting run of A is a run which visits a state whose location is in Acc infinitely often. The language of A over Acc, L(A), is defined as the set of accepting non-Zeno runs. The emptiness problem is to determine whether L(A) is empty.
In the above semantics, the clock values are continuous and events are observed at real time points. In the following, we introduce the discrete semantics of timed automata, which is based on the assumption that events are observed at integer time points only. In the discrete semantics, we assume that clock constraints are defined by δ := x ∼ c | x − y ∼ c | δ ∧ δ, where x, y ∈ X, ∼ ∈ {≤, =, ≥}, and c ∈ N. Timed automata whose constraints are generated by this grammar are called closed timed automata.
Given any clock x ∈ X, M(x) denotes the maximal constant to which x is compared in a clock constraint. Given a clock valuation v, v ⊕ d is the clock valuation with (v ⊕ d)(x) = min(v(x) + d, M(x) + 1). Intuitively, for each clock x, once the clock value is greater than its maximal constant M(x), its exact value is no longer important; only the fact that v(x) > M(x) matters.
The discrete semantics of a timed automaton A = (Σ, X, L, l0, T, I) is a transition system DS(A) = (S, s0, →) where S = L × N^X is the set of states, s0 = (l0, 0) is the initial state, and → is the labeled transition relation satisfying the following conditions:
• Tick transition: (l, v) −tick→ (l, v ⊕ 1) if v |= I(l) and v ⊕ 1 |= I(l).
• Action transition: (l, v) −t→ (l′, v′) with t = (g, e, R) if there exists (l, g, e, R, l′) ∈ T such that v |= g, v′ = [R ↦ 0]v, and v′ |= I(l′).
The discrete semantics is potentially inaccurate but makes model checking easier. It was shown that for a property closed under inverse digitization, the discrete semantics preserves satisfiability for closed timed automata [12, 49, 83]. Untimed properties are vacuously closed under inverse digitization, and thus the discrete semantics can be used to verify untimed properties.
It is worth noting that the two semantics of timed automata introduced earlier are based on the instant observability of events. There are other semantics of timed automata based on the non-instant observability of events [63, 105]. Specifically, events remain observable for some ε time units after having been released.
Since our model checking algorithms use simulation, we now introduce the bisimulation and simulation relations over timed automata.
Definition 2.2. Given a timed automaton A, a (location-based) bisimulation relation over states of CS(A) is a symmetric binary relation R ⊆ S × S such that for all ((l1, v1), (l2, v2)) ∈ R, it holds that:
• l1 = l2
• if (l1, v1) −d→ (l1, v1 + d) then there exists d′ such that (l2, v2) −d′→ (l2, v2 + d′) and ((l1, v1 + d), (l2, v2 + d′)) ∈ R.

States (l1, v1) and (l2, v2) are bisimulation equivalent, denoted as (l1, v1) ∼ (l2, v2), if there exists a bisimulation relation R with ((l1, v1), (l2, v2)) ∈ R. We now introduce a location-based bisimulation based on maximal clock constants. Intuitively, when the clock value is greater than its maximal constant, its exact value is no longer important; only the fact that it is greater than the maximal constant matters. Given two clock valuations v and v′, we write v ∼ v′ if and only if for all clocks x ∈ X, either v(x) = v′(x) or (v(x) > M(x) and v′(x) > M(x)).
Lemma 2.3. ([16]) The relation R = {((l, v), (l, v′)) | v ∼ v′} is a bisimulation relation.
Definition 2.4. Given a timed automaton A, a (location-based) simulation relation over states of CS(A) is a binary relation R ⊆ S × S such that for all ((l1, v1), (l2, v2)) ∈ R, it holds that:
• l1 = l2
• if (l1, v1) −d→ (l1, v1 + d) then there exists d′ such that (l2, v2) −d′→ (l2, v2 + d′) and ((l1, v1 + d), (l2, v2 + d′)) ∈ R.

State (l1, v1) is simulated by state (l2, v2) (or state (l2, v2) simulates state (l1, v1)), denoted as (l1, v1) ≼ (l2, v2), if there exists a simulation relation R with ((l1, v1), (l2, v2)) ∈ R.
For timed automata, it is known that there exists a simulation relation called the LU simulation, which can be obtained for free. Given a clock x, the maximal lower bound L(x) (respectively the maximal upper bound U(x)) is the maximal constant k such that there exists a constraint x > k or x ≥ k (respectively x < k or x ≤ k) in the timed automaton. If no such constant k exists, we set L(x) (respectively U(x)) to −∞. Then, given two clock valuations v and v′, we write v ≼ v′ if for all clocks x ∈ X, either v′(x) = v(x) or L(x) < v′(x) < v(x) or U(x) < v(x) < v′(x).
Lemma 2.5. ([16]) The relation R = {((l, v), (l, v′)) | v ≼ v′} is a simulation relation.
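The discrete semantics above (tick transitions with the saturating ⊕, action transitions of a closed timed automaton) and the LU preorder v ≼ v′ of Lemma 2.5, as an added Python example that is not the thesis's own code: it explores DS(A) of a constructed mutual-exclusion-style automaton and, optionally, drops a newly found state when an already found state at the same location simulates it. Assumed here: atomic constraints are of the form x ∼ c only (no diagonals), a clock that is never compared gets M(x) = 0, x = c counts toward both L(x) and U(x), and all names (ClosedTA, explore, SAMPLE, ...) are this example's own.

```python
from collections import deque
from math import inf

# Added example (not from the thesis): a closed timed automaton under the
# discrete semantics DS(A) of Section 2.1, plus the LU preorder of Lemma 2.5.
# An atomic constraint is (clock, op, c) with op in {"<=", "==", ">="} (the
# closed grammar); a constraint list is a conjunction. Diagonal constraints
# x - y ~ c are left out to keep the example short.

class ClosedTA:
    def __init__(self, clocks, init, transitions, invariants):
        self.clocks = list(clocks)
        self.init = init
        self.transitions = transitions      # (l, guard, event, resets, l')
        self.invariants = invariants        # location -> constraint list
        # M(x): maximal constant x is compared with; a never-compared clock gets
        # M(x) = 0 (an assumption, the page leaves that case open).
        self.M = {x: 0 for x in self.clocks}
        # L(x) / U(x): maximal lower / upper bound, -inf when absent (the page's
        # convention); x == c is read as x <= c and x >= c, so it feeds both.
        self.L = {x: -inf for x in self.clocks}
        self.U = {x: -inf for x in self.clocks}
        for g in [t[1] for t in transitions] + list(invariants.values()):
            for (x, op, c) in g:
                self.M[x] = max(self.M[x], c)
                if op in (">=", "=="):
                    self.L[x] = max(self.L[x], c)
                if op in ("<=", "=="):
                    self.U[x] = max(self.U[x], c)

OPS = {"<=": lambda a, c: a <= c, "==": lambda a, c: a == c, ">=": lambda a, c: a >= c}

def satisfies(v, constraint):
    """v |= delta for a conjunction of closed atomic constraints."""
    return all(OPS[op](v[x], c) for (x, op, c) in constraint)

def tick(ta, v):
    """v (+) 1: every clock advances by one and saturates at M(x) + 1."""
    return {x: min(v[x] + 1, ta.M[x] + 1) for x in ta.clocks}

def successors(ta, l, v):
    """Tick and action successors of the state (l, v) in DS(A)."""
    inv = ta.invariants.get(l, [])
    out = []
    v1 = tick(ta, v)
    if satisfies(v, inv) and satisfies(v1, inv):        # tick transition
        out.append(("tick", l, v1))
    for (src, g, e, resets, dst) in ta.transitions:    # action transitions
        if src == l and satisfies(v, g):
            v2 = {x: (0 if x in resets else v[x]) for x in ta.clocks}
            if satisfies(v2, ta.invariants.get(dst, [])):
                out.append((e, dst, v2))
    return out

def simulated_by(ta, v, w):
    """v <= w in the LU preorder (v is simulated by w): for every clock x,
    w(x) = v(x), or L(x) < w(x) < v(x), or U(x) < v(x) < w(x)."""
    return all(w[x] == v[x] or ta.L[x] < w[x] < v[x] or ta.U[x] < v[x] < w[x]
               for x in ta.clocks)

def explore(ta, use_simulation=False):
    """Breadth-first exploration of DS(A). With use_simulation, a newly found
    (l, v) is dropped when an already found (l, w) simulates it: a simulating
    state reaches every location the dropped one does (the thesis builds its
    Chapter 4 algorithm on this), so location reachability is unchanged."""
    key = lambda l, v: (l,) + tuple(v[x] for x in ta.clocks)
    v0 = {x: 0 for x in ta.clocks}
    found = {key(ta.init, v0): (ta.init, v0)}
    queue = deque([(ta.init, v0)])
    while queue:
        l, v = queue.popleft()
        for (_, l2, v2) in successors(ta, l, v):
            if key(l2, v2) in found:
                continue
            if use_simulation and any(simulated_by(ta, v2, w)
                                      for (l3, w) in found.values() if l3 == l2):
                continue
            found[key(l2, v2)] = (l2, v2)
            queue.append((l2, v2))
    return found

def location_reachable(ta, target, use_simulation=False):
    """Reachability analysis: is some state (target, v) reachable from (l0, 0)?"""
    return any(l == target for (l, _) in explore(ta, use_simulation).values())

# Constructed sample: a process requests after 2 ticks and must enter its
# critical section within 3 ticks of the request (invariant on "wait"); "err"
# is enterable only late, which that invariant rules out. Clock y is never
# compared, so it saturates at 1 and never blocks simulation.
SAMPLE = ClosedTA(
    clocks=["x", "y"], init="idle",
    transitions=[
        ("idle", [("x", ">=", 2)], "req",   ["x"], "wait"),
        ("wait", [("x", "<=", 3)], "enter", [],    "cs"),
        ("wait", [("x", ">=", 4)], "late",  [],    "err"),
        ("cs",   [],               "leave", ["x"], "idle"),
    ],
    invariants={"wait": [("x", "<=", 3)]},
)
```

On SAMPLE, plain exploration finds 17 states and the simulation-pruned one 16 (the state reached by `leave`, (idle, x = 0, y = 1), is simulated by the initial state because y is unconstrained), and both report "err" unreachable.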
The reachability and emptiness problems are decidable [4]. The proof is based on region graphs, where a region is a set of clock valuations that are bisimilar to each other. However, the number of states in region graphs can be exponential in the size of the original timed automaton. Therefore, in practice, other specialized data structures such as DBMs and BDDs are used to represent the clock valuations. In the next section, we introduce DBMs and BDDs and how those data structures can be used for model checking real-time systems.
2.2 Zone and Symbolic Semantics
A region is a set of clock valuations that are bisimilar to each other. However, region graphs can grow exponentially. A coarser representation of clock valuations is based on zones. A zone is a set of clock constraints which induces a convex set of clock valuations satisfying those constraints. An example of a zone is (x1 − x2 > 2) ∧ (x2 ≤ 10). Zones can be stored in memory and manipulated efficiently by using DBMs [18, 37]. Given a zone Z and a set of clocks R ⊆ X, we define Z↑ = {v + d | v ∈ Z, d ∈ R≥0} and [R ↦ 0]Z = {[R ↦ 0]v | v ∈ Z}.
A zone can be represented efficiently by using DBMs. A DBM is a two-dimension
array where each element records the difference between two clocks. Given a zone
over the set of n clocks x1 · · · xn , it can be represented as an (n + 1)-square matrix
D of pairs (∼, c) with ∼∈ {<,≤} and c ∈ Z∪{+∞}. For each pair of clocks xi and
xj , D [i , j ] = (∼, c) encodes the constraint xi − xj ∼ c with the convention that x0
is a special clock whose value is always 0 and if c = +∞, there is no constraint on
xi − xj .





0 (≤, 0) (<,∞) (<,∞)
x1 (<,∞) (≤, 0) (<,∞)
x2 (≤, 10) (<,−2) (≤, 0)

Given a zone Z, we denote by [Z] the DBM representing Z. [Z] can be built in
time O(|X|²). There are efficient algorithms to build [[R ↦ 0]Z] and
[Z↑] and to manipulate DBMs [19].
The symbolic semantics [50, 19] of a timed automaton A = (Σ, X, L, l0, T, I) is a
transition system (zone graph) ZG(A) = (S, s0, →) where S = L × 2^(ℝ≥0^X) is the set of
states, s0 = (l0, {0}↑) is the initial state, and (l, Z) —t→ (l′, Z′), where Z and Z′ are
zones, if for all clock valuations v′ ∈ Z′ there exist v ∈ Z and d ∈ ℝ≥0 such that
(l, v) —d,t→ (l′, v′). Specifically, Z′ can be computed as Z′ = ([R ↦ 0](Z↑ ∧ I(l) ∧
g)) ∧ I(l′) where g is the guard condition and R is the set of clocks reset by the
transition t.
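The following Python code is an added illustration of the operations just defined; it is not part of the thesis's implementation nor of any DBM library. A DBM entry is a pair (c, strict), the canonical form is computed by the Floyd-Warshall shortest-path closure, and the block provides emptiness and inclusion tests, Z↑, [R ↦ 0]Z and the successor computation Z′ = ([R ↦ 0](Z↑ ∧ I(l) ∧ g)) ∧ I(l′). The zone (x1 − x2 > 2) ∧ (x2 ≤ 10) from above is the sample zone; the invariant I(l) = (x1 ≤ 8), the guard g = (x2 ≥ 3), the reset R = {x1} and the target invariant I(l′) = (x2 ≤ 10) are assumed for the example transition.

```python
"""Difference Bound Matrices (DBMs) for clock zones.

Added example; not the thesis's implementation and not a DBM library.  A bound
is a pair (c, strict): x_i - x_j < c if strict else x_i - x_j <= c, and c = INF
means "no bound".  Clock 0 is the reference clock whose value is always 0.
"""
import math

INF = math.inf
NO_BOUND = (INF, True)
ZERO = (0.0, False)


def add_bounds(a, b):
    """(x-y ~ c1) and (y-z ~ c2) give x-z ~ c1+c2, strict if either is strict."""
    if a[0] == INF or b[0] == INF:
        return NO_BOUND
    return (a[0] + b[0], a[1] or b[1])


def tighter(a, b):
    """Is bound a strictly tighter than bound b?  (<, c) is tighter than (<=, c)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


class DBM:
    def __init__(self, n_clocks):
        self.n = n_clocks + 1                       # clock 0 plus the real clocks
        self.m = [[NO_BOUND] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.m[i][i] = ZERO
            self.m[0][i] = ZERO                     # 0 - x_i <= 0: clocks are non-negative

    def copy(self):
        d = DBM(self.n - 1)
        d.m = [row[:] for row in self.m]
        return d

    def constrain(self, i, j, bound):
        """Conjoin x_i - x_j ~ c (j = 0 gives x_i ~ c, i = 0 gives -x_j ~ c)."""
        if tighter(bound, self.m[i][j]):
            self.m[i][j] = bound
        return self

    def canonicalize(self):
        """Floyd-Warshall closure: each entry becomes the tightest bound implied by
        the others, i.e. the unique canonical DBM of the zone (O(|X|^3))."""
        for k in range(self.n):
            for i in range(self.n):
                for j in range(self.n):
                    via = add_bounds(self.m[i][k], self.m[k][j])
                    if tighter(via, self.m[i][j]):
                        self.m[i][j] = via
        return self

    def bound(self, i, j):
        return self.canonicalize().m[i][j]

    def is_empty(self):
        """After closure a zone is empty iff some diagonal entry is tighter than (<=, 0)."""
        self.canonicalize()
        return any(tighter(self.m[i][i], ZERO) for i in range(self.n))

    def up(self):
        """Z^: let time elapse, i.e. drop every upper bound x_i - 0 ~ c."""
        self.canonicalize()
        for i in range(1, self.n):
            self.m[i][0] = NO_BOUND
        return self

    def reset(self, clocks):
        """[R := 0]Z: a reset clock equals clock 0 and so inherits clock 0's bounds."""
        self.canonicalize()
        for i in clocks:
            for j in range(self.n):
                self.m[i][j] = self.m[0][j]
                self.m[j][i] = self.m[j][0]
        return self

    def includes(self, other):
        """Z ⊇ Z' iff no entry of Z is tighter than the same entry of canonical Z'."""
        self.canonicalize()
        other.canonicalize()
        return not any(tighter(self.m[i][j], other.m[i][j])
                       for i in range(self.n) for j in range(self.n))


def successor(Z, inv_l, guard, resets, inv_lp):
    """Z' = ([R := 0](Z^ ∧ I(l) ∧ g)) ∧ I(l'); constraints are (i, j, bound) triples."""
    Zp = Z.copy().up()
    for c in inv_l + guard:
        Zp.constrain(*c)
    Zp.reset(resets)
    for c in inv_lp:
        Zp.constrain(*c)
    return Zp.canonicalize()


def example_zone():
    """The zone (x1 - x2 > 2) ∧ (x2 <= 10) of this section; x1 has index 1, x2 index 2."""
    return DBM(2).constrain(2, 1, (-2, True)).constrain(2, 0, (10, False)).canonicalize()


def example_successor():
    """Assumed transition: I(l) = (x1 <= 8), g = (x2 >= 3), R = {x1}, I(l') = (x2 <= 10)."""
    return successor(example_zone(), inv_l=[(1, 0, (8, False))], guard=[(0, 2, (-3, False))],
                     resets=[1], inv_lp=[(2, 0, (10, False))])


if __name__ == "__main__":
    Z, Zp = example_zone(), example_successor()
    print("lower bound of x1 derived by closure:", Z.bound(0, 1))   # (-2, True): x1 > 2
    print("successor: x1 bounds", Zp.bound(1, 0), Zp.bound(0, 1),
          "x2 bounds", Zp.bound(0, 2), Zp.bound(2, 0))             # x1 = 0, 3 <= x2 < 6
```

The closure derives x1 > 2 from x1 − x2 > 2 and x2 ≥ 0 although no such entry was written, which is why DBMs are brought to canonical form before inclusion tests; the successor of the sample transition is x1 = 0 ∧ 3 ≤ x2 < 6, which the original zone does not include.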
The induced zone graph may be infinite [36]. To obtain a finite zone graph, finite,
sound and complete abstractions α : 2^(ℝ≥0^X) → 2^(ℝ≥0^X) such that Z ⊆ α(Z) and
α(α(Z)) = α(Z) were proposed, including the closure abstraction [27] and the LU abstraction
[16]. The abstract zone graph contains the transition (l, Z) —t→α (l′, α(Z′)) if
there is a transition (l, Z) —t→ (l′, Z′) in the original zone graph.
The closure abstraction is based on the bisimulation relation defined in Lemma 2.3.
It is defined as αM(Z) = {v | ∃v′ ∈ Z, v ∼ v′}. However, in general, given a zone Z,
αM(Z) can be non-convex and then cannot be represented by a single DBM. Thus, in
practice, the maximal extrapolation ExtraM(Z) [36, 16] is used, which returns a convex
subset of αM(Z).
The LU abstraction depends on the simulation relation defined in Lemma 2.5.
It is defined as αLU(Z) = {v | ∃v′ ∈ Z, v ≼ v′}. The LU abstraction is coarser
than the closure abstraction: Z ⊆ αM(Z) ⊆ αLU(Z). However, like αM(Z), given a
zone Z, αLU(Z) can be non-convex and then cannot be represented by a single DBM.
One remedy is the LU extrapolation ExtraLU(Z), which returns a
convex subset of αLU(Z) [16]. Another remedy, proposed by Herbreteau et al. [54], is
to store αLU(Z) implicitly through Z. The authors then propose an algorithm to
check on the fly whether Z1 ⊆ αLU(Z2), given Z1 and Z2, without computing
αLU(Z2). The complexity of this algorithm is only O(|X|²).
ExtraM and ExtraLU are sound and complete, and the resulting zone graphs pre-
serve finite paths [27, 16] and infinite paths [69, 98]. Therefore, zone graphs can
be used to verify reachability. For emptiness checking under the non-Zeno
condition, it is highly non-trivial to determine whether a run in a zone graph can be
instantiated by a non-Zeno run of the timed automaton [97]. Tripakis et al. [99] proposed
a strongly non-Zeno transformation which requires an additional clock. Unfortu-
nately, this transformation can cause an exponential blowup. Recently, Herbreteau
et al. [51] proposed guessing zone graphs, which are of polynomial size.
In this section, we have briefly presented how DBMs are used for model
checking based on the symbolic semantics. In the following, we introduce BDDs and
the encoding and verification techniques built on them.
2.3 BDD and Model Encoding
The application of BDDs in real-time model checking is based on the discrete se-
mantics defined in Section 2.1. Under this semantics, clock values are assumed to be
integer and in a finite domain. Specifically, given any clock x ∈ X , the value of x
is in the range [0, M(x) + 1]. Consequently, BDDs can be used to model and verify
Figure 2.1: Binary decision tree
how a finite-state machine can be encoded.
2.3.1 Binary Decision Diagram
To start our discussion of BDDs, we first study the Binary Decision Trees (BDTs).
A binary decision tree is a rooted directed tree with two kinds of nodes, terminal
nodes and variable nodes. Each variable node u is labeled by a variable var(u) and
has two successors: low(u) corresponds to the case where var(u) is assigned 0 (false)
and high(u) corresponds to the case where var(u) is assigned 1 (true). Each terminal
node v is labeled by 0 or 1. For example, Figure 2.1 shows the binary decision tree
of the formula f (x , y , z ) = (¬z ∧ y) ∨ (z ∧ ¬x ∧ y) ∨ (z ∧ x ∧ ¬y).
The binary decision tree is an alternative to the truth table for representing boolean
formulas. It is essentially of the same size as the truth table; however, this representation
usually contains a lot of redundancy. For example, in Figure 2.1,
there are four subtrees with roots labeled by y, but only two of them are distinct.
Intuitively, we can obtain a more compact representation of boolean formulas by
merging isomorphic subtrees. This results in a directed acyclic graph called a binary
decision diagram. Definition 2.6 gives the definition of a binary decision diagram.
Definition 2.6 ([7]). A binary decision diagram (BDD) is a rooted, directed, acyclic
graph with:
• One or two terminal nodes out-degree zero labeled 0 or 1
• A set of variable nodes u of out-degree two. The two outgoing edges are given
by two functions low(u) and high(u). A variable var(u) is associated with each
variable node.
A BDD is ordered (OBDD) if on all paths through the graph, the variables respect
a given linear ordering x1 < x2 < · · · < xn . An OBDD is reduced (ROBDD) if:
• Unique: no two distinct variable nodes u and v have the same variable name
and the same low- and high-successors, i.e.,
(var(u) = var(v) ∧ low(u) = low(v) ∧ high(u) = high(v)) ⇒ u = v.
To remove such duplicated nodes, we eliminate one of them, say u, and redirect
all its incoming edges to the other one, v.
• Non-redundant: no variable node u has identical low- and high-successors, i.e.,
low(u) ≠ high(u).
If both outgoing edges of u point to the same node m, then we eliminate
the node u and redirect all its incoming edges to m.
Figure 2.2 shows the process of transforming the BDT in Figure 2.1 into a
ROBDD. First, Figure 2.2(a) represents the BDT with only two terminal nodes. In
Figure 2.2(a), from the left, the first three variable nodes labeled y are the same.
Thus, we remove two of them and keep only one node. Then, all edges to the removed
nodes are redirected to the remaining node, and we obtain Figure 2.2(b). Similarly,
in this figure, the left variable node labeled x is redundant because its low and high
edges point to the same node. Therefore, we remove this node labeled x and redirect all its
incoming edges to its low successor. Finally, we obtain the ROBDD in Figure 2.2(c), which
represents the same boolean formula as Figure 2.1 but is more compact.
ROBDDs (hereafter BDDs for short) have many useful properties for model
Figure 2.2: BDD transformation from the BDT in Figure 2.1: (a) with duplicate y-nodes; (b) after removing duplicated y-nodes; and (c) after removing the redundant x-node
Consequently, a large set of states or transitions of the model can be represented in a single
compact BDD. Moreover, BDDs are canonical, which means that, for a fixed variable
ordering, there is exactly one BDD representing a given boolean function. Lastly, there are
efficient algorithms for performing logical operations on BDDs. Those operations are provided
by many BDD packages. In our work, we use the CUDD package [92] to manipulate BDDs and
develop algorithms for encoding and model checking using BDDs. In the follow-
ing, we introduce the finite-state machine, our data structure to model concurrent
systems.
2.3.2 Finite-State Machine
We use finite-state machines (FSMs) to describe the behavior of concurrent systems.
A system model may contain many FSMs that share the same global variables.
Each FSM has finitely many local control states and finite-domain local variables.
A transition is an edge from one local control state to another, labeled
with a guard condition (over global and local variables), an optional event,
and a transaction. An event can be either a channel input/output or a compound
name constituted by local variables as well as global variables.
Definition 2.7. A FSM is a tuple M = (GV , initg ,LV , initl , S , init ,Act ,Ch,T )
where
• GV is a set of finite-domain shared variables.
• initg is the initial valuation of GV .
• LV is a set of finite-domain local variables such that GV ∩ LV = ∅.
• initl is the initial valuation of LV .
• S is a finite set of control states.
• init ∈ S is the initial state.
• Act is the alphabet which contains action names.
• Ch is a set of synchronous channels¹.
• T is a labeled transition relation. A transition label is of the form [guard ]e{prog}
where guard is an optional guard condition constituted by variables in GV and
LV ; the event name e is either an action name or a synchronous channel
input/output; and prog is an optional transaction, i.e., a sequential program
which updates global or local variables.
We denote by Event = Act ∪ Ch the set of event names, the union of action names
and channel names. A transaction, which may contain program constructs like if-
then-else or while-do², is executed atomically. A non-atomic operation thus has to be
broken into multiple transitions. Moreover, a transaction is assumed to take no
time to execute.
FSMs support many system features. For instance, FSMs may communicate with
each other through shared variables GV, multi-party event synchronization (common
events in parallel composition are synchronized), or pair-wise channel communica-
tion.
¹ Asynchronous channels can be mimicked using shared variables and are supported in our implementation.
² The while-loop always takes a finite number of iterations for any initial valuation.
Given a FSM M = (GV, initg, LV, initl, S, init, Act, Ch, T) and two states q, r ∈
S, we denote by q —t→ r, or simply q → r, the fact that there exists a transition labeled
t = [guard]e{prog} from state q to state r. Then, the set of predecessors of a state
r is defined as pre(r) = {q ∈ S | q → r}, and the set of successors of a state r is
defined as succ(r) = {q ∈ S | r → q}.
The semantics of M is a transition system S(M) = (C, initc, →) such that C con-
tains finitely many configurations of the form (σg, σl, s) where σg is the valuation of
GV, σl is the valuation of LV, and s ∈ S is a control state; initc = (initg, initl, init)
and → is defined as follows: for any (σg, σl, s), if (s, [guard]e{prog}, s′) ∈ T, then
(σg, σl, s) —t→ (σ′g, σ′l, s′) where t = [guard]e{prog} if the following holds: guard is true
given σg and σl; e is not a synchronous channel input/output; and prog updates σg
and σl to σ′g and σ′l respectively. Notice that synchronous channel inputs/outputs
cannot occur on their own. Rather, the synchronous channel input of one FSM is
synchronized with a synchronous channel output of another FSM executing concur-
rently. Moreover, two or more FSMs must synchronize their transitions with common
event names.
2.3.3 Finite-State Machine Encoding
Since all variables in FSMs are discrete, we explain how discrete variables and tran-
sitions in FSMs are encoded. Note that we only show how to encode variables and
transitions by representing them as boolean formulas. We assume that the BDD
package handles how to represent boolean formulas as BDDs.
Discrete Variable Encoding
Given any discrete variable x whose type is X, encoding x is to enumerate the elements
of X in binary and to represent them as boolean functions. Therefore, to encode x,
we need at least n boolean variables x0, · · · , xn−1 where n = ⌈log₂ |X|⌉ and |X| is the
number of elements in X. Then, each element in X is mapped to a bit vector of
length n by an injective encoding function fX : X → {0, 1}^n. Note that this mapping
is fixed throughout the BDD encoding. From now on, given any s ∈ X, we use s
and fX(s) interchangeably.
For example, encoding a variable x ranging over a set of four elements X =
{a, b, c, d} requires a bit vector of two boolean variables x0 and x1, denoted as (x0, x1).
The encoding function fX could be defined as fX(a) = (0, 0), fX(b) = (0, 1), fX(c) =
(1, 0), and fX(d) = (1, 1). Then, for example, the expression θ = (x = a ∨ x =
b ∨ x = d) can be represented as the logic formula over the boolean variables x0 and
x1 fθ = ((x0, x1) = fX(a) ∨ (x0, x1) = fX(b) ∨ (x0, x1) = fX(d)). Thus, the BDD
encoding of the formula θ is the BDD representing the formula fθ shown in Figure 2.3.
For simplicity, we use the same label x to denote the bit vector (x0, · · · , xn−1). Then,
the logic formula can be written more briefly as fθ = (x = fX(a) ∨ x = fX(b) ∨ x =
fX(d)). By applying logical operations over BDDs such as not, and, or, etc., we can
encode complex expressions. Using this technique, the set of states S and the set of
event names Event of a FSM are encoded similarly. The bit vectors encoding the
set of states and the set of event names are denoted by state = (state0, · · · , statem−1)
and event = (event0, · · · , eventn−1) respectively. Moreover, we can also encode all
the data types in the FSM whose domains are finite, e.g., boolean, integer, array of
Figure 2.3: BDD encoding of θ
Transition Relation Encoding
The transition relation represents the status of the FSM before and after transi-
tions. Thus, to encode the transition relation, for each variable x , we need two
copies of boolean variables, (x0, · · · , xn−1) to encode x before the transition and
(x ′0, · · · , x ′n−1) to encode x after the transition. Let x ′ (prime copy) denote the bit
vector (x ′0, · · · , x ′n−1). Then, given any formula f , we denote Swap(f ) the formula
obtained by swapping each variable x with x ′ and vice versa.
Given any transition labeled by [guard ]e{prog} from state s0 to state s1, variables
updated in prog are encoded by using prime copies. The encoding of that transition
is the BDD representing the formula state = fS (s0) ∧ guard ∧ event ′ = fEvent(e) ∧
prog ∧ state ′ = fS (s1).
The encoding of the transaction prog is more involved. Basically, under our
current setting, a transaction is a sequential program which can contain assignment,
if-then-else or while-do commands. Note that to handle arithmetic operations effi-
ciently, we use the Algebraic Decision Diagram (ADD) library [14] provided in the CUDD
package.
• If the command is the assignment x := f where x is a variable and f is an
expression, we assume that f does not contain the variable x. Otherwise, we
replace that assignment with the two assignments temp = f; x = temp where
temp is a temporary variable. When encoding f, if a variable a has been updated
previously, the copy a′ is used instead of a. For example, consider encoding b = a in
the transaction a = 1; b = 2; b = a. The condition before b = a
is a′ = 1 ∧ b′ = 2. Since a was updated earlier, the encoding of b = a is
b′ = a′. Moreover, the value of b′ in the condition is no longer valid, and the
final encoding of the transaction is a′ = 1 ∧ b′ = a′.
• If the command is if (b) then s1 else s2 where b is a boolean expression and
s1 and s2 are two sequential programs, the encoding of that command is
(b ∧ s1) ∨ (¬b ∧ s2).
• If the command is while(b) s1, the encoding of that command is obtained by
the program below, which unrolls the loop until no further iteration is possible
(the loop always terminates, see footnote 2):
result = false; init = true;
while (init ≠ false) do
  temp = init ∧ s1
  result = result ∨ (temp ∧ ¬b′)
  init = Swap(init ∧ b′)
end while
return result
Example 2.8. In this example, we present how to encode a FSM based on the
techniques of encoding discrete variables and transition relations. Figure 2.4 shows
the microwave oven model as a FSM [35]. The model contains four global boolean
variables: Start, Close, Heat, and Error which are initialized as false. Each transition
has the event name (which is expressed in the first line of the transition label) and the
program to capture how the system changes from the source state to the destination
state (which is the second line of the transition label). For example, in the transition
from state 0 to state 1, the event name is start oven. After this event happens, the
variables Start and Error become true, but other variables which are not updated
Figure 2.4: FSM of a microwave oven
To encode this FSM, we need a variable state to encode the states and another
variable event to encode the event names. There are 7 states so 3 boolean variables
are used to encode the states. The encoding of those states are as follows: (0, 0, 0)
for state 0, (0, 0, 1) for state 1, . . . , and (1, 1, 0) for state 6. Similarly, 8 event names
{start oven, open door, close door, reset, warm up, start cooking, cooking, done} are
encoded as follows: (0, 0, 0) for start oven, (0, 0, 1) for open door, . . . , and (1, 1, 1) for
done. The encoding of a transition includes 4 parts: the source and the destination
states, the event name, the guard condition, and the transaction. For instance, the
formula for the transition from state 0 to state 1 is given as (state = fS (state 0)) ∧
(event ′ = fEvent(start oven)) ∧ (Start ′ = 1 ∧ Error ′ = 1 ∧ Close ′ = Close ∧ Heat ′ =
Heat) ∧ (state ′ = fS (state 1)). Informally, this formula says that the source state is
state 0, the destination state is state 1, the event name is start oven and after the
transition, Start and Error become true, but other variables including Close and
Heat are not changed. Finally, the transition relation encoding of the model is the
disjunction of the encodings of all the transitions in the model. □
A BDD encoding of a FSM is a tuple B = (V⃗, v⃗, Init, Trans, Out, In) where
V⃗ is a set of boolean variables encoding global variables and event names³; v⃗ is
a set of boolean variables encoding local variables and local control states; Init is
a formula over V⃗ and v⃗ encoding the initial valuation of the variables; Trans is
a set of encoded transitions; and Out (In) is a set of encoded transitions labeled
with synchronous channel output (input). Note that transitions in Out and In are
matched with corresponding transitions in In and Out from the environment or
equivalently other system components.
Given a FSM M = (GV, initg, LV, initl, S, init, Act, Ch, T), its encoding is a
tuple B = (V⃗, v⃗, Init, Trans, Out, In) such that:
• V⃗ = V1 ∪ event where V1 and event = {event0, · · · , eventn−1} are the sets of
boolean variables encoding the global variables GV and the set of event names
Event respectively.
• v⃗ = v1 ∪ state where v1 and state = {state0, · · · , statem−1} are the sets of
boolean variables encoding the local variables LV and the set of states S respec-
tively.
• Init = initg ∧ initl ∧ (state = init)
• Trans = ∨(state = s0 ∧ guard ∧ event′ = e ∧ prog′ ∧ state′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard]e{prog} where e is
not a channel input/output.
• Out = ∨(state = s0 ∧ guard ∧ event′ = e ∧ prog′ ∧ state′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard]e{prog} where e
is a synchronous channel output.
• In = ∨(state = s0 ∧ guard ∧ event′ = e ∧ prog′ ∧ state′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard]e{prog} where e
is a synchronous channel input.
³ Note that V⃗ is fixed before encoding the system components.
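The following Python code is an added example of the encoding of Example 2.8 and of the tuple B defined above; it is not the thesis's implementation, which builds BDDs with CUDD. It constructs the injective encoding functions fS, fEvent and fX with ⌈log₂|X|⌉ bits each and, for every transition, enumerates the satisfying assignments of state = fS(s0) ∧ guard ∧ event′ = fEvent(e) ∧ prog ∧ state′ = fS(s1) over bit vectors, with the frame condition x′ = x for every variable that prog does not write. The model is a constructed three-state door controller with a boolean and a four-valued variable, not the microwave oven of Figure 2.4; its Out and In sets are empty because it has no channel events.

```python
"""Boolean encoding of an FSM's transition relation (Section 2.3.3).

Added example; not the thesis's CUDD-based implementation.  Instead of building
BDDs, it enumerates the satisfying assignments of each transition's formula
    state = f_S(s0) ∧ guard ∧ event' = f_Event(e) ∧ prog ∧ state' = f_S(s1)
over bit vectors, which makes the injective encoding functions and the frame
condition (a variable not written by prog keeps its value, x' = x) visible.
"""
from itertools import product
from math import ceil, log2


def encoder(domain):
    """Injective f_X : X -> {0,1}^n with n = ceil(log2 |X|) bits (at least one)."""
    n = max(1, ceil(log2(len(domain))))
    return n, {v: tuple((k >> (n - 1 - b)) & 1 for b in range(n)) for k, v in enumerate(domain)}


# Constructed model (not the microwave oven of Figure 2.4): a door controller
# with a boolean variable Closed and a four-valued counter Attempts.
STATES = ["idle", "open", "locked"]
EVENTS = ["open_door", "close_door", "lock", "unlock", "tick"]
VARS = {"Closed": [False, True], "Attempts": [0, 1, 2, 3]}
INIT = ("idle", {"Closed": True, "Attempts": 0})
# (source, guard, event, prog, target); prog gives each written variable's new
# value as a function of the unprimed valuation, so it is one atomic transaction.
TRANSITIONS = [
    ("idle",   lambda v: True,              "open_door",  {"Closed": lambda v: False},               "open"),
    ("open",   lambda v: True,              "close_door", {"Closed": lambda v: True},                "idle"),
    ("idle",   lambda v: v["Closed"],       "lock",       {"Attempts": lambda v: 0},                 "locked"),
    ("locked", lambda v: v["Attempts"] < 3, "tick",       {"Attempts": lambda v: v["Attempts"] + 1}, "locked"),
    ("locked", lambda v: True,              "unlock",     {},                                        "idle"),
]


def encode(states, events, var_domains, transitions, init):
    """Return (Trans, Init, n_event).  Trans is the set of (pre, post) bit vectors
    with pre = state|vars and post = event'|state'|vars'; Init is the encoded
    initial configuration; n_event is the width of the event' field."""
    _, f_S = encoder(states)
    n_event, f_E = encoder(events)
    f_V = {x: encoder(dom)[1] for x, dom in var_domains.items()}
    names = list(var_domains)

    def config_bits(state, val):
        bits = list(f_S[state])
        for x in names:
            bits += f_V[x][val[x]]
        return tuple(bits)

    trans = set()
    for s0, guard, e, prog, s1 in transitions:
        for values in product(*(var_domains[x] for x in names)):
            val = dict(zip(names, values))
            if not guard(val):                          # guard is over the unprimed copy
                continue
            new = {x: prog[x](val) if x in prog else val[x] for x in names}   # frame: x' = x
            trans.add((config_bits(s0, val), f_E[e] + config_bits(s1, new)))
    return trans, config_bits(init[0], init[1]), n_event


def reachable(trans, init_bits, n_event):
    """Forward fixpoint over the encoded relation (the event' field is dropped
    from post to obtain the successor configuration)."""
    reached = frontier = {init_bits}
    while frontier:
        frontier = {post[n_event:] for pre, post in trans if pre in frontier} - reached
        reached = reached | frontier
    return reached


if __name__ == "__main__":
    trans, init_bits, n_event = encode(STATES, EVENTS, VARS, TRANSITIONS, INIT)
    print(len(trans), "encoded transitions;",
          len(reachable(trans, init_bits, n_event)), "reachable configurations")
```

The set Trans is exactly the set of satisfying assignments of the disjunction over all five transitions; the guard of lock cuts its contribution to the valuations with Closed = true, and every pair for open_door carries the Attempts bits unchanged from pre to post, which is the frame condition Close′ = Close ∧ Heat′ = Heat of Example 2.8 in this model.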
The BDD size is very sensitive to the variable ordering. There exist functions
whose BDD sizes vary from linear to exponential for different variable orderings. For
example, given the boolean formula (x1 ∨ x1′) ∧ (x2 ∨ x2′) ∧ · · · ∧ (xn ∨ xn′), if we
choose the ordering x1 < x1′ < x2 < x2′ < · · · < xn < xn′, the size of the BDD is 2n + 2.
However, if we choose the ordering x1 < x2 < · · · < xn < x1′ < x2′ < · · · < xn′, the size
of the BDD is 2^(n+1). Intuitively, the value of the formula can sometimes be decided
from the values of x1 and x1′ alone: if both x1 and x1′ are false, the formula
evaluates to false. Thus, we should order x1 and x1′ next to each other.
It is beneficial to find the optimal ordering for a formula. Unfortunately, this
problem is NP-complete [96]. In practice, heuristics are often used. In our work, we
collect such known heuristics from the literature to produce a fairly good ordering [44,
13, 21, 87].
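To make the two reduction rules of Definition 2.6 and the ordering sensitivity just described concrete, the following Python code is an added example; it is neither the thesis's code nor CUDD. It is a small ROBDD package whose node constructor applies the non-redundancy and uniqueness rules on the fly, with an if-then-else operator from which the logical operations are derived. It rebuilds the formula of Figure 2.1 under the ordering z < x < y used there, checks canonicity by building the same function from a different formula, and counts the nodes of (x1 ∨ x1′) ∧ · · · ∧ (xn ∨ xn′) under the two orderings above.

```python
"""A minimal reduced ordered BDD (ROBDD) package built on a unique table.

Added example; not the thesis's code and not CUDD.  A node is an integer id,
0 and 1 are the terminals, and every other node is (rank, low, high) where
rank is the variable's position in the ordering.  The constructor `mk`
enforces both reduction rules of Definition 2.6, so every BDD it returns is
reduced and canonical for the chosen ordering.
"""


class BDD:
    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}
        self.nodes = [None, None]          # id -> (rank, low, high); 0 and 1 are terminals
        self.unique = {}                   # (rank, low, high) -> id

    def mk(self, rank, low, high):
        """Non-redundant: low == high collapses to the child.
        Unique: an existing node with the same label and children is reused."""
        if low == high:
            return low
        key = (rank, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, name):
        return self.mk(self.rank[name], 0, 1)

    def top(self, u):
        """Rank of the root variable of u; terminals rank below every variable."""
        return self.nodes[u][0] if u > 1 else len(self.rank)

    def ite(self, f, g, h):
        """if f then g else h, by Shannon expansion on the smallest-ranked variable."""
        memo = {}

        def go(f, g, h):
            if f == 1:
                return g
            if f == 0:
                return h
            if g == h:
                return g
            if (g, h) == (1, 0):
                return f
            key = (f, g, h)
            if key not in memo:
                r = min(self.top(f), self.top(g), self.top(h))
                # cofactor of u with the variable of rank r set to b (0 or 1)
                co = lambda u, b: self.nodes[u][1 + b] if u > 1 and self.nodes[u][0] == r else u
                memo[key] = self.mk(r, go(co(f, 0), co(g, 0), co(h, 0)),
                                       go(co(f, 1), co(g, 1), co(h, 1)))
            return memo[key]
        return go(f, g, h)

    def not_(self, f):
        return self.ite(f, 0, 1)

    def and_(self, f, g):
        return self.ite(f, g, 0)

    def or_(self, f, g):
        return self.ite(f, 1, g)

    def xor(self, f, g):
        return self.ite(f, self.not_(g), g)

    def size(self, u):
        """Number of distinct nodes reachable from u, terminals included."""
        seen, stack = set(), [u]
        while stack:
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                if v > 1:
                    stack.extend(self.nodes[v][1:])
        return len(seen)


def figure_2_1(order=("z", "x", "y")):
    """f(x, y, z) = (¬z ∧ y) ∨ (z ∧ ¬x ∧ y) ∨ (z ∧ x ∧ ¬y), rooted at z as in Figure 2.1."""
    b = BDD(order)
    x, y, z = b.var("x"), b.var("y"), b.var("z")
    f = b.or_(b.or_(b.and_(b.not_(z), y), b.and_(b.and_(z, b.not_(x)), y)),
              b.and_(b.and_(z, x), b.not_(y)))
    return b, f


def same_function_same_node():
    """Canonicity: a different formula for the same function yields the same node id."""
    b, f = figure_2_1()
    x, y, z = b.var("x"), b.var("y"), b.var("z")
    g = b.or_(b.and_(z, b.xor(x, y)), b.and_(b.not_(z), y))
    return f == g


def interleaved_vs_separated(n):
    """BDD sizes of (x1 ∨ x1') ∧ ... ∧ (xn ∨ xn') under x1 < x1' < x2 < x2' < ...
    and under x1 < ... < xn < x1' < ... < xn'."""
    orders = ([v for i in range(1, n + 1) for v in (f"x{i}", f"x{i}'")],
              [f"x{i}" for i in range(1, n + 1)] + [f"x{i}'" for i in range(1, n + 1)])
    sizes = []
    for order in orders:
        b, f = BDD(order), 1
        for i in range(1, n + 1):
            f = b.and_(f, b.or_(b.var(f"x{i}"), b.var(f"x{i}'")))
        sizes.append(b.size(f))
    return tuple(sizes)


if __name__ == "__main__":
    b, f = figure_2_1()
    print("Figure 2.1 formula:", b.size(f), "nodes")        # 4 variable nodes + 2 terminals
    print("n = 4:", interleaved_vs_separated(4))            # (10, 32) = (2n + 2, 2^(n+1))
```

For the formula of Figure 2.1 the package yields the four variable nodes z, x, y and ¬y of Figure 2.2(c) plus the two terminals; for n = 4 the interleaved ordering gives 2n + 2 = 10 nodes and the separated ordering 2^(n+1) = 32, terminals included.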
2.3.4 Compositional Encoding Functions
Complex systems are composed of smaller components. In this section, given a
system composed of several components through some operator, we present how to
obtain the encoding of that system from the encodings of its components. Please
refer to Appendix A for a complete list of other compositional operators. Given
two components P0 and P1, we denote the encoding of the component Pi by Bi =
(V⃗, v⃗i, Initi, Transi, Outi, Ini) where i ∈ {0, 1}. We assume that v⃗0 and v⃗1 are
disjoint (otherwise variable renaming is necessary). Note that V⃗ is always shared.
In the following, we illustrate how to obtain the encoding of a compositional system
P through some sample compositional operators.
Interleaving Composition Let P be the interleaving composition of two components
P0 and P1. In other words, P includes two components P0 and P1 running in parallel
and synchronizing through channel communication. Then, the encoding of P is
B = (V⃗, v⃗, Init, Trans, Out, In) such that:
• v⃗ = v⃗0 ∪ v⃗1
• Init = Init0 ∧ Init1
• Trans = ∨i∈{0,1}((Transi ∧ (v⃗1−i = v⃗1−i′)) ∨ (Ini ∧ Out1−i)). The transition
relation contains two kinds of transitions: local transitions of each Pi, during which the
local variables of the other component are unchanged, and synchronous channel
communications in which P0 and P1 move together.
• Out = ∨i∈{0,1}(Outi ∧ (v⃗1−i = v⃗1−i′))
• In = ∨i∈{0,1}(Ini ∧ (v⃗1−i = v⃗1−i′)). Although channel inputs/outputs of P
cannot occur by themselves, we still compute Out and In in case P is later
combined with other components through interleaving composition.
Choice Composition Let P be the choice composition of P0 and P1. Then, P can
behave like either P0 or P1. The encoding of P is B = (V⃗, v⃗, Init, Trans, Out, In)
such that:
• v⃗ = v⃗0 ∪ v⃗1 ∪ {choice} where choice is a fresh boolean variable, and choice = i
means Pi is selected.
• Init = Init0 ∧ Init1. The variable choice is not initialized, and thus P0 and P1
can be selected nondeterministically.
• Trans = ∨i∈{0,1}((choice = i) ∧ Transi ∧ (choice′ = i))
• Out = ∨i∈{0,1}((choice = i) ∧ Outi ∧ (choice′ = i))
• In = ∨i∈{0,1}((choice = i) ∧ Ini ∧ (choice′ = i))
Other choices like external choice, internal choice, or conditional choice in the litera-
ture [56] can be supported similarly.
Sequential Composition Let P be the sequential composition of P0 and P1. At the
beginning, P behaves like P0 until P0 terminates. Then, it behaves like P1. The
encoding of P is B = (V⃗, v⃗, Init, Trans, Out, In) such that:
• v⃗ = v⃗0 ∪ v⃗1 ∪ {terminated} where terminated is a fresh boolean variable recording
whether P0 has terminated.
• Init = Init0 ∧ (¬terminated)
• Let X denote the special event of program termination (like executing a
return statement in Java or the event generated by the process Skip in CSP).
Trans = (¬terminated ∧ Trans0 ∧ ((event′ = X ∧ terminated′ ∧ Init1′) ∨
(event′ ≠ X ∧ ¬terminated′))) ∨ (terminated ∧ Trans1 ∧ terminated′). Note
that Init1′ is obtained from Init1 by replacing each variable x with its primed
copy x′. When P0 terminates, P1 is initialized on the termination event.
• Out = (¬terminated ∧ Out0 ∧ ¬terminated′) ∨ (terminated ∧ Out1 ∧
terminated′)
• In = (¬terminated ∧ In0 ∧ ¬terminated′) ∨ (terminated ∧ In1 ∧ terminated′)
Interrupt Composition Let P be the interrupt composition of P0 and P1. At the
beginning, P behaves like P0. However, P1 can interrupt at any time and take
control. After the interruption, P behaves like P1. The encoding of P is
B = (V⃗, v⃗, Init, Trans, Out, In) such that:
• v⃗ = v⃗0 ∪ v⃗1 ∪ {interrupted} where interrupted is a fresh boolean variable
recording whether P1 has interrupted P0
• Init = Init0 ∧ Init1 ∧ ¬interrupted
• Trans = (¬interrupted ∧ Trans0 ∧ ¬interrupted′ ∧ (v⃗1 = v⃗1′)) ∨ (Trans1 ∧
interrupted′)
• Out = (¬interrupted ∧ Out0 ∧ ¬interrupted′ ∧ (v⃗1 = v⃗1′)) ∨ (Out1 ∧
interrupted′)
• In = (¬interrupted ∧ In0 ∧ ¬interrupted′ ∧ (v⃗1 = v⃗1′)) ∨ (In1 ∧ interrupted′)
The process P1 can interrupt P0 at any time because there is no guard condition on
the transitions of P1. Moreover, when P1 interrupts P0, interrupted is set to true,
and all transitions and channel inputs/outputs of P0 are disabled.
We have presented how compositional encoding functions are implemented. The
encoding of hierarchical systems can be obtained by applying those compositional
encoding functions with regard to the structure of the systems. Finally, the encodings
of models and properties are ready for symbolic model checking algorithms. In the
next section, we present our symbolic model checking algorithms for reachability
analysis and LTL properties.
2.4 Symbolic Model Checking Algorithms
In this section, we present BDD-based reachability analysis and LTL model checking
algorithms. We assume that the encodings of the model and properties are available.
Algorithm 1 Forward Fixpoint Algorithm
1: function Reach(Q, Trans)
2:   Sp = ∅; S = Q
3:   while (Sp ≠ S) do
4:     Sp = S
5:     S = S ∨ succ(S, Trans)
6:   end while
7:   return S
2.4.1 Reachability Analysis Algorithm
We introduce the list data structure to represent a linear list of states. Let λ be the
empty list. Given two lists L1 = (s1, · · · , sm) and L2 = (q1, · · · , qn), we denote by
L1 + L2 = (s1, · · · , sm, q1, · · · , qn) the concatenation of the two lists. In addition,
last(L1) is defined as the last element of L1, which is sm, and L1⁻¹ is the list obtained
by reversing the order of the elements in L1. Finally, we denote by choose(Q) the
random choice of one of the states in Q.
Given a set of source states source, a set of destination states dest , and a transi-
tion relation Trans , the reachability problem is to verify whether there exists a state
in dest reachable from a state in source by the transition relation Trans . In case
dest is reachable from source, a path from source to dest is desirable. In standard
algorithms, reachability analysis is done by computing the forward fixpoint or the
backward fixpoint. If the forward fixpoint (respectively the backward fixpoint) con-
tains a state in dest (respectively source), dest is reachable from source. Algorithm 1
presents the forward fixpoint algorithm which computes the set of reachable states
from Q given the transition relation Trans . To check whether dest is reachable from
source, during the while-loop of Reach(source,Trans), we can check whether the in-
tersection of S and dest is not empty to have an early termination. The algorithm
to compute backward fixpoint can be implemented similarly.
The problem of forward or backward fixpoint algorithms is the large size of the
BDDs for intermediate results. As shown in [26], the sizes of the BDDs at the beginning
and at the end of the fixpoint computation are much smaller than the sizes of the intermedi-
ate BDDs. Ravi et al. proposed guided search with hints to speed up the compu-
tation [86]. Basically, based on hints, at each iteration a simplified version of the
transition relation is used instead of the whole transition relation. With the simpli-
fied version, the intermediate BDDs are smaller and the computation is faster.
This approach was also extended to CTL verification [26] and
LTL verification [25]. Another approach is to mix forward and backward traversals.
Sahoo et al. suggested not fixing either direction but letting the algorithm
decide dynamically which direction to traverse [89]. Their algorithm also considers
whether to store the intermediate results in a single BDD or to partition them into many BDDs.
Our implementation of the reachability analysis algorithm can switch between
forward and backward traversals dynamically. The BDD sizes of the intermediate results
of each direction are recorded. In each iteration, the program calculates the growth
rate of the BDD sizes in each direction and selects the direction that results in smaller
BDDs⁴. Algorithm 2 presents the function PATH(source, dest, Trans, path) which
returns whether a state in dest is reachable from a state in source. If that is the
case, the shortest path from a state in source to a state in dest is stored in path. For
simplicity, we do not include the code which allows the switch between forward and
backward traversals; in this algorithm, forward and backward traversals are done
alternately.
Next, we explain the variables declared in the function PATH. Variables forward
and backward are two lists that keep the transitions of each iteration, used to build the
counterexample later. Variables reachToDest and reachFromSource store the set of
states that can reach dest and the set of states reachable from source respectively.
Finally, variables currentBackward and currentForward store the new states found in
⁴ The BDD sizes of reachToDest and reachFromSource in Algorithm 2 are used to decide which
direction to search in each iteration.
Algorithm 2 Reachability Analysis Algorithm
1: function PATH(source, dest, Trans, path)
2:   if (source ∧ dest ≠ ∅) then return true
3:   forward, backward
4:   reachToDest, reachFromSource
5:   currentBackward, currentForward, s, common
6:
7:   currentBackward = dest; currentForward = source
8:   while (true) do
9:     backward = backward + (Trans ∧ currentBackward′)
10:    currentBackward = pred(currentBackward, Trans)
11:    if (reachToDest = reachToDest ∨ currentBackward) then return false
12:    if (currentBackward ∧ currentForward ≠ ∅) then break
13:    reachToDest = reachToDest ∨ currentBackward
14:
15:    forward = forward + (currentForward ∧ Trans)
16:    currentForward = succ(currentForward, Trans)
17:    if (reachFromSource = reachFromSource ∨ currentForward) then return false
18:    if (currentBackward ∧ currentForward ≠ ∅) then break
19:    reachFromSource = reachFromSource ∨ currentForward
20:  end while
21:
22:  common = currentBackward ∧ currentForward
23:  for all (backwardTransition in backward⁻¹) do
24:    forward = forward + (common ∧ backwardTransition)
25:    common = succ(common, backwardTransition)
26:  end for
27:
28:  s = source
29:  for all (forwardTransition in forward) do
30:    s = choose(succ(s, forwardTransition))
backward and forward respectively.
The function starts by checking the trivial case that dest is already reachable
from source (line 2). The while-loop searches in both directions, backward (lines 9-
13) and forward (lines 15-19). In the backward direction, first, the backward transitions
of the current iteration are added to the list backward (line 9), and currentBackward
is updated to the set of its predecessors (line 10). Then, if the backward fixpoint is
reached (line 11), we conclude that dest is unreachable from source. Otherwise, if the
intersection of currentBackward and currentForward is not empty, we conclude that
dest is reachable from source (line 12). Then, we generate the counterexample from
line 22 to line 32. Similarly, in the forward direction, forward transitions are added to
the list forward (line 15), and currentForward is updated to the set of its successors
(line 16). Then, if the forward fixpoint is reached (line 17), we return false. Moreover,
if the intersection of currentBackward and currentForward is not empty, dest is
reachable from source (line 18), and we leave the while-loop to generate the
counterexample.
2.4.2 LTL Model Checking Algorithm
In the following, we present a symbolic model checking algorithm proposed in [61]
for LTL properties based on the automata-based approach. By automata
theory, given the model M and the LTL property ϕ, M satisfies ϕ if and only if
the product Büchi automaton of M and of the negation ¬ϕ of the property is empty.
The LTL model checking algorithm consists of two parts: checking the Büchi automaton
for emptiness and constructing a counterexample if one exists.
Checking for Emptiness
A Büchi automaton is empty if and only if it has no infinite run that visits an accepting
state infinitely often. Algorithm 3 presents the function IsEmpty. It takes the initial
states Init, the transition relation Trans and the accepting states Acc of a Büchi automaton
as inputs (all represented symbolically) and checks whether the automaton is empty. If the
Büchi automaton is not empty, the set of states of all accepting strongly connected components
(SCCs), i.e., SCCs that contain an accepting state, is returned. At the beginning, new is
computed as the set of all reachable states. The outer while-loop terminates
when the value of new coincides on two successive iterations (line 5). Inside this
while-loop, at line 7, new is restricted to the states reachable from accepting states in new.
Then, in the inner loop, lines 8 to 10, we successively
Algorithm 3 Algorithm IsEmpty
1: function IsEmpty(Init ,Trans,Acc)
2: new , old
3: old = ∅
4: new = Reach(Init)
5: while (new ≠ old) do
6: old = new
7: new = Reach(new ∧ Acc)
8: while (new ≠ new ∧ succ(new)) do





remove from new all states which do not have a predecessor in new. This loop
is iterated until every state in new has a predecessor in new. Finally, new
contains all accepting SCCs of the automaton (together with the states reachable from
them; Algorithm 4 extracts a single accepting SCC from this set). The correctness of the
function IsEmpty is proved in [61].
Constructing a Counterexample
The function IsEmpty lets us decide whether a Büchi automaton is empty. However,
if the product Büchi automaton of M and ¬ϕ is not empty, a counterexample is
helpful for understanding and locating the bug because of which M does not satisfy
ϕ. Algorithm 4 presents an algorithm which checks whether a Büchi automaton is
empty and returns a counterexample if one exists.
Although a counterexample σ is infinite, it always has a lasso form
σ = (s0, ..., sm), (q0, ..., qn), (q0, ..., qn), ... = prefix · (period)^ω with prefix =
(s0, ..., sm) and period = (q0, ..., qn). The inputs of the algorithm are the
initial states Init, the transition relation Trans and the accepting states Acc of the Büchi
automaton. Its output is the two lists prefix and period that represent
the counterexample.
The algorithm starts by checking whether the automaton is empty. If it is, the
algorithm returns a pair of empty lists (line 7). Otherwise, final stores the set of
states returned by the function IsEmpty. Next, we restrict
Algorithm 4 Algorithm Witness
1: function Witness(Init ,Trans,Acc)
2: s,final
3: R
4: prefix , period
5: final = IsEmpty(Init ,Trans,Acc)
6: if (final = ∅) then
7: return [λ, λ]
8: end if
9: R = final ∧ Trans
10: s = choose(final)
11: while (Reach(s,R′) \ Reach(s,R) ≠ ∅) do
12: s = choose(Reach(s,R′) \ Reach(s,R))
13: end while
14: final = Reach(s,R′) ∧ Reach(s,R)
15: R = (final ∧ R ∧ final ′)
16: PATH (Init ,final ,Trans, prefix )
17: period = last(prefix )
18: if (last(prefix ) ∧ Acc = ∅) then
19: PATH (last(period),final ∧ Acc,R, period)
20: end if
21: PATH (last(period), last(prefix ),R, period)
22: return [prefix , period ]
23: end function
the transition relation R to transitions departing from states in final (line 9). Then we
search for an initial SCC within final, i.e., an SCC that is not reachable from any other
SCC of final. The search starts at an arbitrary state s within final. In the loop at lines
11-13, we look for a state s satisfying Reach(s, R′) ⊆ Reach(s, R), where R′ is the reverse
of R, so that Reach(s, R′) is the set of states of final from which s is reachable. This is
done by successively replacing s with a state s ∈ Reach(s, R′) \ Reach(s, R) as long as
Reach(s, R′) ⊈ Reach(s, R). The loop terminates when s lies in an initial SCC. Termination
is guaranteed because each such replacement moves s from one SCC to a preceding SCC in
the canonical decomposition of final.
Line 14 computes the SCC containing s (the intersection of the states reachable from s and
the states from which s is reachable) and assigns it to the variable final. Line 15 restricts
the transition relation R to the transitions connecting states within final. The
counterexample is then constructed: the prefix is a path from an initial state to a state q
within final (line 16), and the period is a cycle from q back to itself within the SCC final
(lines 17-21). Line 19 guarantees that the cycle passes through an accepting state.
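Algorithms 3 and 4 over explicit state sets, as an added example that is not the thesis's code: the symbolic BDD operations are replaced by Python set operations over an explicit transition relation, so Reach and succ are ordinary graph closures and the fixpoint structure of both algorithms can be read off and run on a small constructed automaton. The function PATH is not shown on this page, so a breadth-first `path` stands in for it, and choose(·) is made deterministic by picking the smallest state; the automaton in `TRANS` is constructed for the example.

```python
"""Büchi emptiness (Algorithm 3) and lasso extraction (Algorithm 4) over explicit sets.

Added example, not the thesis's code: the symbolic operations on BDDs are replaced
by Python set operations over an explicit transition relation, so Reach and succ are
ordinary graph closures.  PATH is not shown on the page; the breadth-first `path`
below is our stand-in, and choose(·) picks the smallest state to stay deterministic.
"""
from collections import deque


def post(states, trans):
    """succ(states): all direct successors under the transition relation."""
    return {t for s, t in trans if s in states}


def reach(states, trans):
    """Reach(states): reflexive-transitive forward closure (the start states included)."""
    seen, frontier = set(states), set(states)
    while frontier:
        frontier = post(frontier, trans) - seen
        seen |= frontier
    return seen


def is_empty(init, trans, acc):
    """Algorithm 3: the returned set is empty iff the automaton accepts no word."""
    old, new = None, reach(init, trans)
    while new != old:
        old = new
        new = reach(new & acc, trans)              # states reachable from accepting ones
        while new != new & post(new, trans):       # drop states with no predecessor in new
            new &= post(new, trans)
    return new


def path(sources, targets, trans):
    """Stand-in for PATH: a shortest path from a source to a target (may be a single state)."""
    parent = {s: None for s in sources}
    queue = deque(sorted(sources))
    while queue:
        s = queue.popleft()
        if s in targets:
            out = []
            while s is not None:
                out.append(s)
                s = parent[s]
            return out[::-1]
        for t in sorted(post({s}, trans)):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def witness(init, trans, acc):
    """Algorithm 4: ([], []) if empty, else (prefix, period) with prefix[-1] == period[0] == period[-1]."""
    final = is_empty(init, trans, acc)
    if not final:
        return [], []
    R = {(s, t) for s, t in trans if s in final}          # line 9: transitions leaving final
    Rrev = {(t, s) for s, t in R}                           # R': the reversed relation
    s = min(final)                                          # line 10: choose(final)
    while reach({s}, Rrev) - reach({s}, R):                 # lines 11-13: move to an initial SCC
        s = min(reach({s}, Rrev) - reach({s}, R))
    final = reach({s}, Rrev) & reach({s}, R)                # line 14: the SCC containing s
    R = {(a, b) for a, b in R if b in final}                # line 15: stay inside that SCC
    prefix = path(init, final, trans)                        # line 16: initial state to q in final
    q = prefix[-1]
    period = [q] if q in acc else path({q}, final & acc, R)  # lines 17-20: visit an accepting state
    period += path(post({period[-1]}, R), {q}, R)            # line 21: close the cycle (>= 1 step)
    return prefix, period


def is_accepting_lasso(prefix, period, init, trans, acc):
    """Sanity check: prefix · period^ω is a run from init that visits acc infinitely often."""
    run = prefix + period[1:]
    return (bool(prefix) and prefix[0] in init and len(period) >= 2
            and period[0] == prefix[-1] == period[-1]
            and all((a, b) in trans for a, b in zip(run, run[1:]))
            and any(s in acc for s in period))


# Constructed product automaton: state 0 is initial; 5 <-> 6 and 1 <-> 2 are cycles,
# 3 <-> 4 is a cycle without an accepting state, and 7 is an accepting dead end.
INIT = {0}
TRANS = {(0, 5), (5, 6), (6, 5), (5, 1), (1, 2), (2, 1), (1, 3), (3, 4), (4, 3), (0, 7)}
ACC = {2, 5, 7}

if __name__ == "__main__":
    print("fair states:", sorted(is_empty(INIT, TRANS, ACC)))
    print("counterexample:", witness(INIT, TRANS, ACC))
    print("empty without 2 and 5:", witness(INIT, TRANS, {7}))
```

On the constructed automaton, IsEmpty keeps states 1 to 6 (the accepting dead end 7 has no predecessor in the set and is pruned by the inner loop, and the non-accepting cycle 3, 4 survives only because it is reachable from 2), so Algorithm 4 still has work to do: starting from the smallest fair state 1, the walk at lines 11-13 moves up to the initial SCC {5, 6}, and the witness is the lasso 0, 5 followed by the cycle 5, 6, 5.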
Based on these encoding and verification techniques, we build a framework so that
they can be easily applied to encode and verify different modeling languages [78].
We have applied the framework to three application domains: LTS, for modeling
hierarchical systems by composing labelled transition systems; CSP, for modeling
concurrent systems using communicating sequential processes; and NesC, for modeling
sensor networks written in the NesC language.
2.5 Chapter Summary
In this chapter, we have introduced timed automata and model checking techniques
including the zone-based approach, which is based on the symbolic semantics, and the
BDD-based approach, which is based on the discrete semantics. We have also reviewed
abstraction techniques over DBMs and introduced our encoding and verification techniques
for concurrent systems. In the next chapter, we continue by presenting our work on the




Model checking timed systems through digitization is relatively easy compared to
the zone-based approach. However, the applicability of digitization is limited mainly
for two reasons: it is only sound for closed timed systems, and clock ticks cause
state space explosion. The former restriction is mild because many practical systems
are closed and therefore amenable to digitization. It has been shown that BDD-based
techniques can tackle the latter problem to some extent. In this chapter, we present our
extension of the BDD framework to support real-time systems. We also propose a different
BDD encoding of tick transitions that results in a smaller encoding.
3.1 Introduction
Model checking real-time systems has been studied extensively. One popular ap-
proach is zone abstraction [20, 37]. The scalability and effectiveness of the zone-
based approach have been demonstrated by successful industrial applications, e.g., the
verification of an audio/video protocol with about 2800 lines of assembler code using
Uppaal [47]. Meanwhile, it is known that for a large class of timed verification
problems, correctness can be established using an integral model of time instead of
a dense model of time [49]. For instance, Lamport argued that model checking
of real-time systems can be really simple if digitization is adopted [66]. Based on
the discrete semantics defined in Section 2.1, digitization translates a real-time
verification problem into a discrete one by using clock ticks to represent the elapsing
of time. The advantage of digitization is that the techniques developed for classic
automata verification can be applied without the complexity of zone operations.
Furthermore, the experimental results in [22] show that BDD-based model checking of
digitized systems is more robust than the zone-based approach as the number of
processes increases.
One disadvantage of digitization is that the number of reachable states of the
digitized system grows with the number of clock ticks, which is determined by the
maximal clock constants. Experimental results in [66] show that Uppaal has a clear
advantage over TLC [106] and Spin [57] in verifying digitized systems once the maximal
clock constants are bigger than 10. The same experiments show that the symbolic model
checker [74] is robust as the maximal clock constants increase. The question is then:
can BDD-based symbolic model checkers scale better with large maximal clock constants?
In [23], a theoretical analysis shows that the size of BDDs is very sensitive to the
maximal clock constants. As a result, the maximal clock constants are kept very small
in the experiments there, i.e., 2 for Fischer's protocol [36] and 4 for the CSMA/CD
protocol [81].
In this work, we revisit the problem of verifying real-time systems through digiti-
zation and make the following new technical contributions.
Firstly, we study the compositional encoding of digitized timed systems. The
motivation is that complex timed systems are often composed of many components
at multiple levels of hierarchy. We propose to use timed finite-state machines (TFSMs)
to model timed system components, which are designed to capture different
ways of communication among system components. Next, we define a rich set of
compositional encoding functions based on TFSMs. The usefulness of this library is
evidenced by its application to build model checkers for two different timed modeling
languages, namely closed timed automata and Stateful Timed CSP [94].
Secondly, we demonstrate that by keeping clock ticks simple, i.e., by avoiding clock
variables altogether, we obtain a smaller BDD encoding of the transition relation,
which scales better than existing approaches. Specifically, in our approach, clock
variables are removed from the model and replaced with tick transitions, each of which
represents the elapsing of one time unit. By generating an equivalent model without clock
variables, many unreachable states are omitted from the encoding. As a result, the
encoding is smaller and uses fewer boolean variables.
Thirdly, based on the LU simulation defined in Lemma 2.5, we improve the
BDD-based reachability analysis and emptiness checking algorithms. By making use
of the simulation relation, the improved algorithms converge to the fixpoint faster;
specifically, the number of iterations of the fixpoint computation can be reduced
significantly. As a result, we are able to verify systems with maximal clock constants
in the order of thousands and with a larger number of processes.
Related Work Zone-based model checking of timed systems has been imple-
mented in tools like Kronos [28] and Uppaal [68], where clock valuations are repre-
sented as DBMs. However, DBMs can represent only convex zones. Moreover, since
locations are enumerated explicitly, these tools can suffer from state space explosion.
To overcome this problem, several symbolic data structures have been introduced to
represent the state space. BDDs were first proposed to encode zones of asynchronous
systems by Wang et al. [102]. Using a similar idea, Møller et al. introduced the Difference
Decision Diagram (DDD) together with manipulation techniques [76]. A DDD is a data
structure for representing boolean formulas over inequalities of the form x − y ∼ d
where the variables are integer or real. The Clock Difference Diagram (CDD) [17] is a
BDD-like data structure for the effective representation and manipulation of non-convex
clock valuations. In this data structure, nodes are labeled by clock differences like
x − y and edges are labeled by disjoint intervals. The Clock Restriction Diagram (CRD),
used in the tool RED [100], is a variant of CDD with a very similar structure.
The main difference is that in a CRD, edges are labeled by upper bounds on clock
differences instead of the disjoint intervals of a CDD.
This work follows the line of research on using digital clocks for modeling and
verifying timed systems. In [49], the usefulness and limitations of digital clocks
have been formally established, which forms the theoretical background of this work.
Based on the discretization of time, Asarin et al. introduced the Numerical Decision
Diagram (NDD) [11], a BDD-based data structure for representing locations and clock
valuations. However, its performance is very sensitive to the magnitude of the maximal
clock constants. In contrast to the approach in [66], where integer clock variables are
used, we use tick transitions only and avoid clock variables in order to obtain a smaller
BDD encoding of tick transitions. In terms of improving modularity, Lamport's method
is slightly improved by [103]. Our work continues the line of work by Beyer et al.
[23, 22] to cope with large maximal clock constants and large numbers of processes.
It is remotely related to the work on symbolic model checking of timed systems [77].
In this chapter, we present the extension of our BDD framework to the encoding of
real-time systems. We also show applications of our encoding techniques to closed
timed automata and Stateful Timed CSP. Improved algorithms for reachability anal-
ysis and emptiness checking are presented in Chapters 4 and 5. The rest of this
chapter is organized as follows. Section 3.2 introduces timed finite-state machines
(TFSMs), our formal model for representing real-time systems. Section 3.3
demonstrates our encoding techniques for TFSMs. Section 3.4 presents the appli-
cation of our encoding techniques to closed timed automata. Section 3.5 presents
another application of our encoding techniques, the encoding of Stateful Timed CSP.
Section 3.6 concludes this chapter.
3.2 System Modeling
A timed system may be built bottom-up by gradually composing subcomponents.
In this work, we propose to model subcomponents using timed finite-state machines,
which are designed to capture a variety of system features.
Definition 3.1. A timed finite-state machine (TFSM) is a tuple
M = (GV , initg ,LV , initl , S , init ,Act ,Ch,T ) where:
• GV is a set of finite-domain shared variables.
• initg is the initial valuation of GV .
• LV is a set of finite-domain local variables such that GV ∩ LV = ∅. LV may
include clock to represent timing constraints.
• initl is the initial valuation of LV .
• S is a finite set of control states.
• init ∈ S is the initial state.
• Act is the alphabet which contains action names.
• Ch is a set of synchronous channels.¹
• T is a labeled transition relation. A transition label is of the form [guard]e{prog}
where guard is an optional guard condition over the variables in GV and LV; the
event name e is either an action name, a synchronous channel input/output, or the
special tick event (which denotes the passage of one time unit); and prog is an
optional transaction, i.e., a sequential program which updates global and local
variables.
¹ Asynchronous channels can be mimicked using shared variables and are supported in our
implementations.
A TFSM extends an FSM with clock variables and with transitions labeled tick to
represent timing constraints. Tick transitions denote the passage of one time unit.
Clock variables record the passage of time and may be reset to zero when an action
transition is taken. Note that we assume that the execution of a transaction takes no
time. Complex programs which may take time to execute in a real-time system are
abstracted at the modeling step, and only the timing constraints of those programs
are represented.
The semantics of M is a transition system S(M) = (C, initc, →) such that C con-
tains finitely many configurations of the form (σg, σl, s), where σg is a valuation of
GV, σl is a valuation of LV and s ∈ S is a control state; initc = (initg, initl, init);
and → is defined as follows. For any (σg, σl, s), if (s, [guard]e{prog}, s′) ∈ T, then
(σg, σl, s) --t--> (σ′g, σ′l, s′) with t = [guard]e{prog} if the following holds: guard is
true given σg and σl; e is not a synchronous channel input/output; and prog updates




l respectively. For optimization, in states where the values of the clocks are not
important, the clock updates in the tick transition can be dropped.
Notice that a synchronous channel input or output cannot occur on its own.
Rather, a synchronous channel input of one TFSM is synchronized with a syn-
chronous channel output of another TFSM executing concurrently. Moreover, two
or more TFSMs must synchronize their transitions on common event names. We
remark that timing constraints are captured explicitly by allowing or disallowing





Figure 3.1: TFSM with clock variables. (Only the transition labels survive the extraction
of the figure; the control states are init, A, B and CS as described in Example 3.2.
Recovered labels: [id = 0] start{clk := 0} from init to A; set{id := pid; clk := 0} from
A to B; [id ≠ pid & clk ≥ b] reset{clk := 0} from B to init; [id = pid & clk ≥ b]
enter{counter++} from B to CS; exit from CS to init.)
Example 3.2. Figure 3.1 shows a TFSM which models a process in Fischer's mutual
exclusion protocol. GV contains two variables, id and counter. Variable id denotes
the identifier of the latest process attempting to access the critical section. It is
initialized to 0, which means that no process is attempting. Variable counter counts
the number of processes currently in the critical section. By design, counter
should always be less than 2. The local variable pid is a unique process identifier,
a natural number constant. In addition, clk ∈ LV is a clock variable which
tracks the elapsing of time. Initially, each process waits until id = 0 and then
performs the event start. At state A, it can set id to its pid (indicating that it is trying
to get into the critical section). The event set must occur within a time units, as the
tick transition at A is guarded by clk < a. At state B, the TFSM waits for at least b
time units and then checks whether id is still equal to its pid. If so, it enters the
critical section; otherwise, it restarts from the beginning via the reset event. Since
the exact value of the clock variable clk is not important at state init and at state
CS, we do not need to increase the value of clk after each tick transition at those
states. □
3.3 Timed Finite-state Machine Encoding
Encoding TFSM is similar to encoding FSM. Please refer to Section 2.3.2 for the
details of how to encode discrete variables and transitions. In the following, we
present the data structure to store the encoding of TFSMs.
The encoding of a TFSM is a tuple B = ($\vec{V}$, $\vec{v}$, Init, Trans, Out, In, Tick). $\vec{V}$
is the set of boolean variables encoding the global variables and the event names (action
names and channel names); it is computed for the whole system before encoding. $\vec{v}$ is
the set of boolean variables encoding the local variables and the local control states.
Init is a formula over $\vec{V}$ and $\vec{v}$ which encodes the initial valuation of the variables,
including the initial control state. Trans is the encoding of the transitions excluding
tick transitions. Out (respectively In) is the encoding of the transitions labeled with a
synchronous channel output (respectively input). Note that transitions in Out and
In cannot occur by themselves but must be paired with the corresponding In and Out
transitions of other TFSMs; Out and In are kept separate from the rest of the transitions
so that they can be synchronized later. Lastly, Tick is the encoding of all the tick
transitions, which must be synchronized among all concurrent TFSMs.
Let B = ($\vec{V}$, $\vec{v}$, Init, Trans, Out, In, Tick) be the encoding of a TFSM M =
(GV, initg, LV, initl, S, init, Act, Ch, T) where
• $\vec{V}$ = V1 ∪ event, where V1 and event = {event0, ..., event_{n−1}} are the sets of
boolean variables encoding the global variables GV and the set of event names
Event = Act ∪ Ch respectively.
• $\vec{v}$ = v1 ∪ state, where v1 and state = {state0, ..., state_{m−1}} are the sets of
boolean variables encoding the local variables LV and the set of states S respec-
tively.
• Init = initg ∧ initl ∧ (state = init)
Figure 3.2: TFSM without clock variables. (Only the state names survive the extraction
of the figure: init, A0, A1, A2, A3, B0, B1, B2, B3, B4 and CS; its transitions are
listed in the encoding of Example 3.3.)
• Trans = ∨(state = s0 ∧ guard ∧ event ′ = e ∧ prog ′ ∧ state ′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard ]e{prog} and e is
neither a tick event nor a synchronous channel input/output.
• Out = ∨(state = s0 ∧ guard ∧ event ′ = e ∧ prog ′ ∧ state ′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard ]e{prog} and e is a
synchronous channel output.
• In = ∨(state = s0 ∧ guard ∧ event ′ = e ∧ prog ′ ∧ state ′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard ]e{prog} and e is a
synchronous channel input.
• Tick = ∨(state = s0 ∧ guard ∧ event ′ = tick ∧ prog ′ ∧ state ′ = s1) for all
transitions from any state s0 to state s1 labeled with [guard ]tick{prog}.
3.3.1 Keeping Ticks Simple
In order to handle systems with large maximal clock constants, it is important that
we keep the encoding of tick transitions small. There are different ways of capturing
timing constraints. For instance, in Figure 3.1, the timing constraints at states A
and B are captured by using clock variable clk , i.e., by increasing clk with the tick
transitions and guarding system transitions with conditions on clk . Using clock
variables to model timed systems with timing constraints and then directly encoding
those variables is a classical technique. In this work, we propose to model timed
systems using tick transitions only, without clock variables. For instance, assume
that a is 3 and b is 4 in Example 3.2. Figure 3.2 models the same TFSM without
clock variables. At state A, at most three tick transitions may occur before the
event set occurs, which captures that set must occur within three time units.
We argue that clock variables should be avoided altogether whenever possible, for
the following reasons. Without clock variables, both the tick transitions and the other
transitions become simpler, since there is no need to introduce a variable clk, to
increment clk in transactions, or to guard transitions with conditions on clk. Moreover,
by generating the model with explicit tick transitions, we reduce the state space. For
example, in Figure 3.1 the total number of states (i.e., the product of the control
states and the clock values) is 24, whereas in Figure 3.2 it is only 11. Thus, the
encoding of the TFSM in Figure 3.2 requires two boolean variables fewer than the
encoding of the TFSM in Figure 3.1. The reduction comes from the 'domain knowledge'
built into the explicit model: some of the 24 states are in fact unreachable (e.g., state
(A, clk = 4)) or bisimilar to each other (e.g., states (init, clk = 0) and (init, clk = 1)).
If tick transitions are used instead of clock variables, the number of tick transitions
in one TFSM is larger, namely linear in the product of all maximal clock constants of
the TFSM. If Tick were stored as a disjunctively partitioned transition function as in
[32], the number of BDDs encoding tick transitions would grow exponentially: given a
system of n TFSMs running in parallel, each with m tick transitions, Tick of the
resulting composition would contain m^n BDDs, and the number of BDD-based pre-image
and post-image operations would grow exponentially too. Thus, we store Tick as a single
BDD encoding all the tick transitions of a TFSM. This reduces the time spent on BDD
computations by performing one complex operation instead of m^n simpler ones. Lastly,
we compare the two different
Table 3.1: Comparison of the two different encoding approaches

#proc                                 4      5      6      7      8
time (seconds)   without clock vars   0.24   0.81   2      6      12
                 with clock vars      0.62   2      10     28     58
memory (MB)      without clock vars   23     29     44     63     86
                 with clock vars      25     35     60     151    202
approaches of encoding timing constraints (i.e., with or without clock variables) and
show that avoiding clock variables leads to a smaller BDD (as suggested by the
memory consumption) and consequently to faster verification (as suggested by the
verification time). Table 3.1 summarizes the experimental results of checking mutual
exclusion on Fischer's protocol with the models in Figure 3.1 and Figure 3.2. Therefore,
in the following, we always avoid clock variables whenever possible.
3.3.2 Generating TFSMs without Clock Variables
In the previous section, we showed that modeling timed systems using TFSMs
without clock variables is more efficient than with clock variables. However, most
timed modeling languages include clocks in the model explicitly. Therefore, a function
that generates a TFSM without clock variables from a TFSM with clock variables is
required. In this section, we explain how this function can be implemented.
Given the TFSM with clock variables M = (GV, initg, LV, initl, S, init, Act, Ch, T),
the TFSM without clock variables M′ = (GV′, init′g, LV′, init′l, S′, init′, Act′, Ch′, T′)
is obtained as follows:
• GV′ = GV
• init′g = initg
• LV′ = LV \ X where X is the set of clock variables in M.
• init′l(x) = initl(x) for all x ∈ LV′
• S′ = {(s, v) | s ∈ S ∧ ∀x ∈ X, v(x) ≤ M(x) + 1} where M(x) is the maximal
constant that clock x is compared with in M.
• init′ = (init, 0)
• Act′ = Act
• Ch′ = Ch
• For each transition s --[g]e{p}--> s′ in T:
– if e = tick: (s, v) --[g′]e{p′}--> (s′, v ⊕ 1) if v satisfies the clock constraints
in g, where v ⊕ 1 increases every clock by one (capped at M(x) + 1, so that the
result stays in S′).
– if e ≠ tick: (s, v) --[g′]e{p′}--> (s′, v′) if v satisfies the clock constraints in g
and v′ = [r ↦ 0]v, where r is the set of clocks reset by this transition.
where g′ only contains the non-clock constraints of g, and p′ only contains the updates
to non-clock variables in p.
Basically, we fold the control state and the clock valuation into a single state. By
combining the original states with the clock valuations, the clock variables, together
with the clock guards and clock resets, are removed from the TFSM, and tick transitions
alone capture the timing constraints of the model; each tick transition represents the
elapsing of one time unit. After obtaining the TFSM without clock variables, optimizations
are carried out to reduce the number of states. First, unreachable states are removed,
for example the states (A, v) with v(clk) > a in Figure 3.1. The second optimization is
to identify states s ∈ S where the exact value of the clocks is not required, for example
the initial state in Figure 3.1. All states (s, v) in S′, for any clock valuation v at such
a state s, can then be merged into a single state; formally, these states are bisimilar to
each other. This is how we convert a TFSM into a new TFSM without clock variables.
For any state (s, v) of the new TFSM, we denote its location by location((s, v)) = s
and its clock valuation by clockValuation((s, v)) = v.
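The transformation and the two optimizations above, as an added example that is not the thesis's own code: the TFSM with clocks of Figure 3.1 is transcribed by hand with a = 3 and b = 4 (the constants assumed for Figure 3.2), including ordinary tick self-loops at init and CS so that the bisimulation step, rather than a manual annotation, discovers that clk does not matter there. Data guards and programs are carried along as opaque label strings, since the transformation leaves g′ and p′ untouched; the saturation of clocks at M(x) + 1, the breadth-first pruning of unreachable states and the partition-refinement quotient are our implementation choices.

```python
"""Generating a TFSM without clock variables (Section 3.3.2), applied to Fischer's process.

Added example, not code from the thesis or its tool.  Every clock valuation is a tuple
of integers in the order of CLOCKS, capped at M(x) + 1 so that S' is finite.
"""
from collections import deque

# Comparison operators allowed in clock constraints x ~ k.
OPS = {"<": lambda a, k: a < k, "<=": lambda a, k: a <= k, "=": lambda a, k: a == k,
       ">": lambda a, k: a > k, ">=": lambda a, k: a >= k}


def declock(init, clocks, max_const, transitions):
    """Build the reachable part of M' = (S', T') from a TFSM M with clocks.

    transitions: (src, clock_guard, label, resets, dst) with clock_guard a list of
    (clock, op, k) and label the non-clock part "[g']e{p'}" ("tick" for tick edges).
    Returns (init', {(location, valuation): {(label, (location, valuation))}}).
    """
    cap = tuple(max_const[x] + 1 for x in clocks)

    def tick(v):                      # v ⊕ 1: every clock advances, saturating at M(x) + 1
        return tuple(min(a + 1, c) for a, c in zip(v, cap))

    def reset(v, r):                  # [r ↦ 0]v
        return tuple(0 if x in r else a for x, a in zip(clocks, v))

    def holds(v, guard):              # v satisfies the clock constraints of g
        return all(OPS[op](v[clocks.index(x)], k) for x, op, k in guard)

    start = (init, tuple(0 for _ in clocks))          # init' = (init, 0)
    edges, todo = {start: set()}, deque([start])
    while todo:                                        # BFS: unreachable (s, v) never appear
        loc, v = todo.popleft()
        for src, guard, label, resets, dst in transitions:
            if src != loc or not holds(v, guard):
                continue
            nxt = (dst, tick(v) if label == "tick" else reset(v, resets))
            if nxt not in edges:
                edges[nxt] = set()
                todo.append(nxt)
            edges[(loc, v)].add((label, nxt))
    return start, edges


def minimize(edges):
    """Bisimulation quotient by partition refinement, starting from one block per location.

    Two states stay together while they offer the same labels into the same blocks;
    this merges all (s, v) at a location s whose exact clock value is irrelevant.
    Returns {state: block id}.
    """
    block = {s: s[0] for s in edges}
    while True:
        sig = {s: (block[s], frozenset((lab, block[t]) for lab, t in edges[s])) for s in edges}
        ids = {g: i for i, g in enumerate(sorted(set(sig.values()), key=repr))}
        new = {s: ids[sig[s]] for s in edges}
        if len(set(new.values())) == len(set(block.values())):   # no block was split
            return new
        block = new


def quotient(edges, block):
    """Collapse each block into a single state of the clock-free TFSM."""
    states, trans = {}, set()
    for s, outs in edges.items():
        states.setdefault(block[s], set()).add(s)
        trans.update((block[s], lab, block[t]) for lab, t in outs)
    return states, trans


A, B = 3, 4                                   # constants assumed for Figure 3.2
CLOCKS, MAX_CONST = ["clk"], {"clk": max(A, B)}
FISCHER = [  # (src, clock guard, "[g']e{p'}", clocks reset, dst), transcribed from Figure 3.1
    ("init", [], "tick", set(), "init"),
    ("init", [], "[id = 0] start", {"clk"}, "A"),
    ("A", [("clk", "<", A)], "tick", set(), "A"),        # set must occur within a time units
    ("A", [], "set {id := pid}", {"clk"}, "B"),
    ("B", [], "tick", set(), "B"),
    ("B", [("clk", ">=", B)], "[id != pid] reset", {"clk"}, "init"),
    ("B", [("clk", ">=", B)], "[id = pid] enter {counter++}", set(), "CS"),
    ("CS", [], "tick", set(), "CS"),
    ("CS", [], "exit", set(), "init"),
]


def fischer_without_clocks():
    """Returns (number of reachable (s, v) states, quotient states, quotient transitions)."""
    _, edges = declock("init", CLOCKS, MAX_CONST, FISCHER)
    states, trans = quotient(edges, minimize(edges))
    return len(edges), states, trans


if __name__ == "__main__":
    n, states, trans = fischer_without_clocks()
    print(f"{n} reachable (location, clk) states collapse to {len(states)} states")
    for members in sorted(states.values(), key=min):
        print(sorted(members))
```

With clk ranging over 0 to 5, the bre adth-first construction never creates (A, 4) or (A, 5), because the tick at A is disabled once clk reaches 3; the six init states and the two reachable CS states each collapse into one block, (B, 4) and (B, 5) are merged since both only offer tick into the same block plus reset and enter, and the quotient has the 11 states and 18 transitions listed for Figure 3.2 in Example 3.3.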
Thus, in our approach, given a TFSM with clock variables, we convert it into a TFSM
without clock variables by the transformation presented above and then encode the
resulting TFSM. In the following, we demonstrate how to encode the TFSM without
clock variables in Figure 3.2.
Example 3.3. The BDD encoding B = ($\vec{V}$, $\vec{v}$, Init, Trans, Out, In, Tick) of the
TFSM in Figure 3.2 is as follows:
• $\vec{V}$ = {id0, id1} ∪ {counter0, counter1} ∪ {event0, event1, event2}, assuming that
there are 3 processes running in parallel in this protocol.
• $\vec{v}$ = {state0, state1, state2, state3}. Note that the process parameter pid in the
definition of P(pid) is a constant and is replaced with its value before encoding.
In the encoding functions for Trans and Tick, we keep pid to show how all
processes P(pid) of Fischer's protocol are encoded.
• Init = (id = 0) ∧ (counter = 0) ∧ (state = init)
• Trans = (state = init ∧ id = 0 ∧ event ′ = start ∧ state ′ = A0)
∨ (state = A0 ∧ event ′ = set ∧ id ′ = pid ∧ state ′ = B0)
∨ (state = A1 ∧ event ′ = set ∧ id ′ = pid ∧ state ′ = B0)
∨ (state = A2 ∧ event ′ = set ∧ id ′ = pid ∧ state ′ = B0)
∨ (state = A3 ∧ event ′ = set ∧ id ′ = pid ∧ state ′ = B0)
∨ (state = B4 ∧ id ≠ pid ∧ event ′ = reset ∧ state ′ = init)
∨ (state = B4 ∧ id = pid ∧ event ′ = enter ∧ counter ′ = counter + 1 ∧ state ′ = CS )
∨ (state = CS ∧ event ′ = exit ∧ id ′ = 0 ∧ counter ′ = counter − 1 ∧ state ′ = init)
• Out = In = false
• Tick = (state = init ∧ event ′ = tick ∧ state ′ = init)
∨ (state = A0 ∧ event ′ = tick ∧ state ′ = A1)
∨ (state = A1 ∧ event ′ = tick ∧ state ′ = A2)
∨ (state = A2 ∧ event ′ = tick ∧ state ′ = A3)
∨ (state = B0 ∧ event ′ = tick ∧ state ′ = B1)
∨ (state = B1 ∧ event ′ = tick ∧ state ′ = B2)
∨ (state = B2 ∧ event ′ = tick ∧ state ′ = B3)
∨ (state = B3 ∧ event ′ = tick ∧ state ′ = B4)
∨ (state = B4 ∧ event ′ = tick ∧ state ′ = B4)
∨ (state = CS ∧ event ′ = tick ∧ state ′ = CS ) □
Introducing the intermediate structure TFSM allows us to support different real-
time modeling languages. Given a model of a real-time system in some modeling
language, we generate the corresponding TFSMs according to the semantics of that
language. After encoding those TFSMs, we compose the encodings using the
compositional encoding functions to obtain the encoding of the whole model.
Then, real-time model checking of reachability and LTL properties based on
Algorithm 2 and Algorithm 3 is readily available. In the following, we show how closed
timed automata and Stateful Timed CSP can be encoded in our framework.
3.4 Closed Timed Automata Encoding
In the timed automata setting, a model of a real-time system is a network of timed
automata running in parallel. TFSMs and timed automata have similar semantics.
Thus, to encode a network of timed automata, we first translate each timed automaton
into a corresponding TFSM and encode that TFSM. After obtaining the encodings of all
the TFSMs, we compose them to obtain the encoding of the whole system. According
to [55], it is more efficient to first encode the TFSMs separately and only then combine
their encodings into a global encoding: if the regularity of the high-level description is
reflected in the low-level BDD encoding, the number of shared nodes increases, which
decreases the size of the BDD encodings.
Given a timed automaton A = (Σ,X ,L, l0,TA, IA), A can be transformed to the
corresponding TFSM M = (GV , initg ,LV , initl , S , init ,Act ,Ch,TM ) with the state
invariants IM where:
• GV = ∅
• initg = true
• LV = X
• initl = 0
• S = L
• init = l0
• Act = Σ ∪ {tick}
• Ch = ∅
• TM = TA ∪ {(s, tick{increaseClocks}, s) | s ∈ S} where increaseClocks is the set
of commands x := x ⊕ 1 for all x ∈ X, which increase the clock variables after a
tick transition.
• IM : S → Φ(X ) assigns invariants to states
Note that we keep the state invariants IM for the generation of the TFSM without
clock variables as defined in Section 3.3.2. The generation procedure can easily be
adapted to handle the state invariants IM.
In the following, we define the parallel and interleave compositional encoding func-
tions, which compute the encoding of a system from the encodings of its compo-
nents. We fix two TFSMs M_i = (GV, initg, LV_i, init^i_l, S_i, init_i, Act_i, Ch_i, T_i) with
i ∈ {0, 1}, and let B_i = ($\vec{V}$, $\vec{v}_i$, Init_i, Trans_i, Out_i, In_i, Tick_i) be the encoding
of M_i. Notice that $\vec{v}_0$ and $\vec{v}_1$ are disjoint, whereas $\vec{V}$ is always shared.
Parallel Composition Let M be the parallel composition of M_0 and M_1 over the set of
common action names Acts = Act_0 ∩ Act_1. Note that common actions must be syn-
chronized between M_0 and M_1. Then M = (GV, initg, LV, initl, S, init, Act, Ch, T)
such that LV = LV_0 ∪ LV_1; initl = init^0_l ∧ init^1_l; S = S_0 × S_1; init = (init_0, init_1);
Act = Act_0 ∪ Act_1; Ch = Ch_0 ∪ Ch_1; and T is the transition relation such that for
any (s_0, [g_0]e_0{prog_0}, s′_0) ∈ T_0 and (s_1, [g_1]e_1{prog_1}, s′_1) ∈ T_1,
• if e_0 ∉ Acts, ((s_0, s_1), [g_0]e_0{prog_0}, (s′_0, s_1)) ∈ T
• if e_1 ∉ Acts, ((s_0, s_1), [g_1]e_1{prog_1}, (s_0, s′_1)) ∈ T
• if e_0 = e_1 ∈ Acts, ((s_0, s_1), [g_0 ∧ g_1]e_0{prog_0; prog_1}, (s′_0, s′_1)) ∈ T. In order to
prevent data races, we assume that prog_0 and prog_1 do not conflict, i.e., they do not
update the same variable to different values.
• if e_0 = ch!v is a channel output with the value v and e_1 = ch?x is a matching
channel input, ((s_0, s_1), [g_0 ∧ g_1]ch.v{prog_0; prog_1}, (s′_0, s′_1)) ∈ T
• if e_1 = ch!v is a channel output with the value v and e_0 = ch?x is a matching
channel input, ((s_0, s_1), [g_0 ∧ g_1]ch.v{prog_1; prog_0}, (s′_0, s′_1)) ∈ T
Notice that a channel input/output of M_i is matched with a channel out-
put/input of M_{1−i} to form a transition in T. Similarly, an event in Acts must be
synchronized by both processes. If Acts = ∅, then M_0 and M_1 communicate only
through shared variables or channels, which is often referred to as interleaving. For
instance, Fischer's protocol is the interleaving of multiple copies of the TFSM in Figure 3.1.
The encoding of M is B = ($\vec{V}$, $\vec{v}$, Init, Trans, Out, In, Tick) where
• $\vec{v}$ = $\vec{v}_0$ ∪ $\vec{v}_1$
• Init = Init_0 ∧ Init_1
• Trans = (∨_{i ∈ {0,1}} ((Trans_i ∧ ¬Acts ∧ ($\vec{v}_{1−i}$ = $\vec{v}'_{1−i}$)) ∨ (In_i ∧ Out_{1−i}))) ∨ (Trans_0 ∧
Trans_1 ∧ Acts), where Acts abbreviates the constraint that the event variables encode
a common action (event′ ∈ Acts), and $\vec{v}_{1−i}$ = $\vec{v}'_{1−i}$ keeps the local variables and
control state of the other component unchanged.
• Out = ∨_{i ∈ {0,1}} (Out_i ∧ ($\vec{v}_{1−i}$ = $\vec{v}'_{1−i}$))
• In = ∨_{i ∈ {0,1}} (In_i ∧ ($\vec{v}_{1−i}$ = $\vec{v}'_{1−i}$))
• Tick = Tick_0 ∧ Tick_1
Interleave Composition Let M be the interleave composition of M0 and M1. Then,
M = (GV, initg, LV, initl, S, init, Act, Ch, T) such that LV = LV0 ∪ LV1; initl = init0l ∧ init1l; S = S0 × S1; init = (init0, init1); Act = Act0 ∪ Act1; Ch = Ch0 ∪ Ch1; and T is the transition relation such that for any (s0, [g0]e0{prog0}, s′0) ∈ T0; (s1, [g1]e1{prog1}, s′1) ∈ T1,
• if e0 ∈ Act ∧ e0 ≠ tick, ((s0, s1), [g0]e0{prog0}, (s′0, s1)) ∈ T
• if e1 ∈ Act ∧ e1 ≠ tick, ((s0, s1), [g1]e1{prog1}, (s0, s′1)) ∈ T
• if e0 = ch!v is a channel output with the value v , and e1 = ch?x is a matching
channel input, ((s0, s1), [g0 ∧ g1]ch.v{prog0; prog1}, (s ′0, s ′1)) ∈ T
• if e1 = ch!v is a channel output with the value v , and e0 = ch?x is a matching
channel input, ((s0, s1), [g0 ∧ g1]ch.v{prog1; prog0}, (s ′0, s ′1)) ∈ T
• ((s0, s1), [g0 ∧ g1]e0{prog0; prog1}, (s ′0, s ′1)) ∈ T if e0 = e1 = tick
The encoding of M is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ where
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1$
• $Init = Init_0 \wedge Init_1$
• $Trans = \bigvee_{i \in \{0,1\}} \big( (Trans_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}\,')) \vee (In_i \wedge Out_{1-i}) \big)$
• $Out = \bigvee_{i \in \{0,1\}} (Out_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}\,'))$
• $In = \bigvee_{i \in \{0,1\}} (In_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}\,'))$
• $Tick = Tick_0 \wedge Tick_1$
3.5 Stateful Timed CSP Encoding
We continue to demonstrate another application of our encoding techniques on State-
ful Timed CSP. Stateful Timed CSP has been recently proposed to model and ver-
ify hierarchical real-time systems [95, 70]. It is an expressive modeling language
which combines data structures, operations, complicated control flows modeled us-
ing composition operators adopted from Timed CSP, and real-time requirements
like deadline and within. It has been shown that Stateful Timed CSP is equivalent
to closed timed automata with silent transitions [94]. Thus, BDD can be used to
verify this language. Due to the rich language features, BDD-based encoding and
verification are non-trivial.
3.5.1 Stateful Timed CSP
In this section, we briefly introduce the syntax and the semantics of Stateful Timed
CSP processes. The readers are referred to [94] for a complete list of syntax and
semantics. Let the labels e and c be the names of an event and a channel respectively.
We use tick to denote the passage of one time unit and τ to denote an internal event
which is never synchronized with other processes.
P = Stop | Skip – primitives
| e → P – event prefixing
| e  P – urgent event prefixing
| e{program} → P – data operation prefixing
| If (b){P}Else{Q} – conditional choice
| P | Q – general choice
| P \ X – hiding
| P ; Q – sequential composition
| P ‖ Q – parallel composition
| c?{program} → P | c!{program} → P – Channel Input/Output
| Q – process referencing
| Wait [t ] – delay*
| P timeout [t ] Q – timeout*
| P interrupt [t ] Q – timed interrupt*
| P within[t ] – timed responsiveness*
| P deadline[t ] – deadline*
Figure 3.3: Stateful Timed CSP process constructs
A Stateful Timed CSP model is a tuple (Var, σ0, P0) where Var is a set of finite-domain global variables, σ0 is the initial valuation of Var (which maps each variable to exactly one value), and P0 is a Stateful Timed CSP process. A process is a block of computations, which can be defined in Backus-Naur form as in Figure 3.3.
Process Stop cannot make any progress and must still be in the same state after any time period has elapsed. Process Skip is ready to terminate and becomes Stop afterward. However, time may elapse before this termination. The process event prefixing e → P is ready to engage the event e and behaves as P afterward. Similar to Skip, a delay on this event may occur. Urgent event prefixing e  P, on the contrary, requires event e to occur as soon as it is enabled. Process data operation prefixing e{program} → P performs the program together with the event e. Note that program can range from simple assignments to complicated sequential structures such as if and while, and it is executed atomically with the event. Process conditional choice, defined as If (b){P}Else{Q}, behaves as P or Q based on the evaluation of
the expression b. Process unconditional choice P | Q offers an unconditional choice between P and Q [2]. Sequential composition P ; Q behaves as P until P terminates
and then behaves as Q immediately. Process P \ X hides occurrences of events in
X from the environment. In other words, any event in X engaged by P becomes the
invisible event τ . The parallel composition of two processes P and Q is written as
P ‖ Q where P and Q may communicate via event synchronization (following CSP
rules [56]) or shared variables. Notice that if P and Q do not communicate through
event synchronization, then it is written as P‖|Q , which reads as ‘P interleave Q’. In
addition to multi-party synchronization based on event names, Stateful Timed CSP
also provides pairwise synchronization via channel communications. Transitions la-
beled with a synchronous channel input/output of a process cannot be taken on their
own but must be matched by transitions labeled with the corresponding channel out-
put/input of another process running in parallel. A process may be given a name,
written as P =̂ Q , and then referenced through its name. Recursion is allowed by
process referencing.
In addition to two traditional timed process constructs Delay (Wait) and Time-
out (timeout) from Timed CSP, Stateful Timed CSP introduces three new process
constructs Time Interrupt (interrupt), Timed Responsiveness (within), and Deadline
(deadline). This extension allows us to capture common real-time system behavior
patterns easily (all timed process constructs are marked with * in Figure 3.3) [40].
Let t ∈ N be a natural number constant. Process Wait [t ] idles for exactly t time
units before terminating. Process P timeout [t ] Q imposes a constraint on the pro-
cess P to engage the first visible event within t time units. Otherwise, after t time
units, process Q takes the execution control. In process P interrupt [t ] Q , if P ter-
minates before t time units, P interrupt [t ] Q behaves exactly as P . Otherwise,
P interrupt [t ] Q behaves as P until t time units, and then Q takes over. P may
engage in multiple visible events before it is interrupted. Process P within[t] requires process P to engage a visible event within t time units. In process P deadline[t], P must terminate within t time units, possibly after engaging in multiple visible events. Notice that a timed process construct is always associated with a natural number constant t which is referred to as its parameter.
[2] For simplicity, we omit external and internal choices [56] in the discussion.
Example 3.4. We use Fischer’s mutual exclusion protocol [65] to illustrate system
modeling using Stateful Timed CSP. The protocol is designed to guarantee mutually
exclusive accesses to critical sections among competing processes P(pid) where pid ∈
[1..n] is the unique identifier of that process. Each process P(pid) executes the






until (id = pid);
critical section;
id := 0;
Note that await (cond) is an abbreviation for while (¬ cond) do skip, and delay
corresponds to an explicit delay statement. The role of the delay statement is that
while the process delays itself, other processes after passing the await statement
must finish the assignment id := pid . The correctness of the protocol depends on
the assumptions about the time taken to read and write to the shared variable id and
the delay length. The mutual exclusion is guaranteed if the upper bound a on the
time taken at the assignment id := pid is less than the lower bound b on the delay
length. Since other reading and writing statements to the shared variable id are
not important, we do not impose any timing constraint on them. The protocol can
be modeled as a Stateful Timed CSP model (Var , σ0,Fischer) where Var = {id},
σ0(id) = 0, and process Fischer is defined as: P(1)‖| · · · ‖|P(n) where
P(pid) =̂ if (id = 0){
(set{id := pid} → Skip) deadline[a];
Wait [b];






Critical(pid) =̂ enter → exit{id := 0} → P(pid);
Each process P(pid) has a unique identifier described as pid . As we can see in the
definition of process P(pid), timing constraints on each operation can be translated
directly by using a set of timed process constructs. For example, (set{id := pid} →
Skip) deadline[a] imposes a constraint on the event set , i.e., it must occur within a
time units. The delay statement, which delays for at least b time units, can be expressed as Wait[b]. Note that after waiting exactly b time units in Wait[b], the process P(pid) behaves as the process If (id = pid){· · · }. Since we do not put any constraint on this process, it can idle as long as it wants. Therefore, the process P(pid) can delay in total at least b time units before entering the critical section. □
There are two approaches to verify Stateful Timed CSP. One is based on the
zone abstraction, which has been proposed in [94]. The other is through digitization,
since it has been proved that Stateful Timed CSP is equivalent to some variant of
closed timed automata [94]. On one hand, while the zone abstraction works well
in many examples, its complexity is exponential in the number of clocks and its
performance, in practice, can be strongly related to the ratio of constants appearing in
the clock constraints. For instance, in the Leader Algorithm (which has very small maximal clock constants), Uppaal's execution time is strongly dependent on the ratio
MsgDelay/Period [66]. Specifically, for ratios greater than 0.6, Uppaal easily runs out
of memory. On the other hand, although digitization suffers from large maximal clock
constants, it is not affected by the ratio of the constants. Furthermore, some problems
Figure 3.4: TFSM of process P(pid) (states init, A0, A1, A2, A3, B0, B1, B2, B3, B4 and CS)
like the non-Zenoness checking problem are much easier with digitization. We thus
propose an approach complementary to the zone abstraction approach in [94], using
BDD and digitization to verify Stateful Timed CSP.
In the next section, we show how we systematically encode Stateful Timed CSP
processes in BDD. There are two ways. One is to generate a TFSM for each Stateful
Timed CSP process and encode the TFSM in the standard way. The other is to
define a set of BDD compositional encoding functions according to the process con-
struct semantics. Based on compositional encoding functions, Stateful Timed CSP
processes are encoded into BDDs directly without the TFSM construction. Both
ways of encoding have their own advantages and therefore are used in different cases.
We remark that Stateful Timed CSP is expressive enough so that a process ex-
pression generated by the operational semantics may be unbounded. For example,
the process P0 = e → (P0‖|Pnew) forks a new process Pnew every time e occurs.
Thus, P0 may contain infinitely many copies of Pnew . In this work, we assume that
a process always has a bounded length, following [88, 82].
3.5.2 Generating TFSM From Stateful Timed CSP Process
According to the operational semantics of Stateful Timed CSP, Stateful Timed CSP
processes are interpreted as TFSMs. For example, we can manually generate the
TFSM as Figure 3.4 from the process P(pid) of Fischer’s protocol in the Example 3.4
with a = 3 and b = 4. In the following, we show how to systematically generate
the corresponding TFSM from a Stateful Timed CSP process. This approach relies on symbolic firing rules, which differ from the concrete firing rules in [95] in that variable valuations are irrelevant. Specifically, the symbolic firing rules are used to generate the whole control flow of a certain process. In other words, the valuation of variables and the effect of transactions are ignored at this step, but they will be considered when transitions are encoded in BDD. For instance, the symbolic firing rule of the process Data Operation Prefixing Q = b{x := x + 1} → R is interpreted as follows: when the system is at the process Q, if the transition labeled with b{x := x + 1} is taken, the system will behave as R. In contrast, the concrete firing rule is interpreted as follows: when the system is at the process Q and x = 0, if the transition labeled with b{x := x + 1} is taken, the system will behave as R and x = 1. The concrete firing rules, therefore, are used to generate the whole state space explicitly on the fly. In this work, we propose to use symbolic firing rules to generate the corresponding TFSM from a Stateful Timed CSP process systematically. A symbolic firing rule is written in the following form:
$$\frac{\text{antecedents} \qquad [\ \text{side condition}\ ]}{\text{conclusion}}$$
The conclusion can be deduced if all the antecedents and the side condition are
true. In the case where antecedents or the side condition are missing, they are
considered as vacuously true. A number of conclusions which can be drawn from the
same set of antecedents and the side condition can be grouped below the line one
after the other.
The TFSM generation procedure basically works as follows. Each process P is mapped to a state in the TFSM called state 'P', and this state is also the initial state of the TFSM of process P. There is a transition labeled with t = [guard]evt{prog} from state P to state P′ when the relation $P \xrightarrow{t} P'$ can be deduced from the symbolic firing rule of P. The symbolic firing rules are applied until there is no new state or new transition generated. In the following, we present sample symbolic firing rules of the Event Prefixing, Delay, and Timed Responsiveness process constructs. For a complete list of symbolic firing rules, please refer to Appendix B.
$$(e \to P) \xrightarrow{e} P \qquad\qquad (e \to P) \xrightarrow{tick} (e \to P)$$
$$\frac{[\ t \ge 1\ ]}{Wait[t] \xrightarrow{tick} Wait[t-1]} \qquad\qquad Wait[0] \xrightarrow{\tau} Skip$$
$$\frac{P_0 \xrightarrow{e} P_0' \quad [\ e \neq \tau\ ]}{P_0\ within[t] \xrightarrow{e} P_0'} \qquad \frac{P_0 \xrightarrow{\tau} P_0'}{P_0\ within[t] \xrightarrow{\tau} P_0'\ within[t]} \qquad \frac{P_0 \xrightarrow{tick} P_0' \quad [\ t \ge 1\ ]}{P_0\ within[t] \xrightarrow{tick} P_0'\ within[t-1]}$$
Figure 3.5: Sample symbolic firing rules of Stateful Timed CSP
• According to the symbolic firing rules of the process e → P , there is a transition
labeled with the event e from the state e → P to the state P . In addition,
there is a transition labeled with the event tick looping at the state e → P . For
the events marked as urgent, this looping transition labeled with the event tick
is not available. It forces the process to engage the event without any delay.
• In the symbolic firing rules of process Wait [t ], tick transitions are used to track
the passage of one time unit. Specifically, there is a transition labeled with tick
from the state Wait[t] to state Wait[t − 1]. After delaying itself, it will behave as Skip by the τ transition from state Wait[0] to state Skip.
• The last three rules are the symbolic firing rules of process P0 within[t ]. These
rules are self-explanatory. Tick transitions are used to track the passage of
time. Unless a visible event is engaged, the timed responsiveness condition is
not resolved.
Example 3.5. Process P(pid) of Fischer’s protocol in the Example 3.4 is used
again to demonstrate how symbolic firing rules are applied to generate the TFSM as
Figure 3.4. We assume the state for P(pid) is the state init , and we then explain the
TFSM generation procedure starting at process Critical(pid) whose corresponding
state is the state B4. According to the firing rules of process Event Prefixing in
Figure 3.5, in the TFSM of the process P(pid), there is a transition labeled with
[id = pid ]enter from the state Critical(pid) (state B4 in the figure) to state exit{id :=
pid} → P(pid) (state CS in the figure) and a transition labeled with tick looping at
the state of process Critical(pid) (state B4 in the figure). Then, by applying those
firing rules again for the process exit{id := pid} → P(pid), there is a transition
labeled with exit{id := pid} from the state exit{id := pid} → P(pid) (state CS
in the figure) back to the state P(pid) (state init in the figure) and a transition
labeled with tick looping at the state exit{id := pid} → P(pid) (state CS in the
figure). The TFSM generation procedure ends because there is no new state or new
transition created. □
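The generation procedure just walked through, as an added Python example that is not part of the thesis or its tool: processes are nested tuples, `fire` implements the symbolic firing rules of Figure 3.5 together with the Stop, Skip, urgent prefixing and process-referencing behaviour described in Section 3.5.1, and `generate_tfsm` applies them until no new state or transition appears. It assumes the termination event of Skip is named `term` and that Stop and Skip carry tick self-loops, as the text describes.

```python
"""Added example: TFSM generation from a Stateful Timed CSP process with
symbolic firing rules.  Guards and programs are ignored, exactly as the
symbolic rules do; only the control flow is produced."""

TICK, TAU, TERM = "tick", "tau", "term"   # TERM: termination event of Skip (assumed name)

STOP = ("Stop",)
SKIP = ("Skip",)


def prefix(e, p):
    """Event prefixing e -> p."""
    return ("prefix", e, p)


def urgent(e, p):
    """Urgent event prefixing: e must occur as soon as it is enabled."""
    return ("urgent", e, p)


def wait(t):
    return ("Wait", t)


def within(p, t):
    return ("within", p, t)


def ref(name):
    """Reference to a named process; recursion goes through here."""
    return ("ref", name)


def fire(p, defs):
    """Symbolic firing rules: the set of (label, successor) pairs of p.
    defs maps process names to their definitions (P =^ Q)."""
    kind = p[0]
    if kind == "Stop":                      # Stop only lets time pass
        return {(TICK, STOP)}
    if kind == "Skip":                      # may terminate now or idle first
        return {(TERM, STOP), (TICK, SKIP)}
    if kind == "prefix":                    # (e -> P) --e--> P, tick self-loop
        _, e, q = p
        return {(e, q), (TICK, p)}
    if kind == "urgent":                    # no tick self-loop: e is forced
        _, e, q = p
        return {(e, q)}
    if kind == "Wait":                      # Wait[t] --tick--> Wait[t-1] (t >= 1), Wait[0] --tau--> Skip
        t = p[1]
        return {(TICK, wait(t - 1))} if t >= 1 else {(TAU, SKIP)}
    if kind == "within":                    # the three rules of P0 within[t]
        _, q, t = p
        result = set()
        for label, q2 in fire(q, defs):
            if label == TICK:
                if t >= 1:                  # t = 0: no tick, a visible event is forced
                    result.add((TICK, within(q2, t - 1)))
            elif label == TAU:              # tau does not resolve the constraint
                result.add((TAU, within(q2, t)))
            else:                           # visible event: constraint resolved
                result.add((label, q2))
        return result
    if kind == "ref":                       # state 'P' stands for its definition
        body = defs[p[1]]
        return {(label, p if q == body else q) for label, q in fire(body, defs)}
    raise ValueError(f"unknown process construct: {p[0]}")


def generate_tfsm(p0, defs=None):
    """Worklist closure: apply the firing rules until no new state or
    transition is produced.  Returns (states, transitions) with p0 as
    the initial state; transitions are (source, label, target)."""
    defs = defs or {}
    states, transitions, work = {p0}, set(), [p0]
    while work:
        p = work.pop()
        for label, q in fire(p, defs):
            transitions.add((p, label, q))
            if q not in states:
                states.add(q)
                work.append(q)
    return states, transitions


if __name__ == "__main__":
    # (a -> Stop) within[2]: the tick self-loop of the prefix is cut off at t = 0
    states, trans = generate_tfsm(within(prefix("a", STOP), 2))
    for s, label, d in sorted(trans, key=str):
        print(s, "--", label, "->", d)
```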
After generating the TFSM from a Stateful Timed CSP process, the encoding of
the TFSM is obtained as presented in Section 3.3. In the following, we present how
to encode Stateful Timed CSP processes with compositional encoding functions.
3.5.3 Compositional Encoding Functions
By using the approach presented in the last section, in theory, we can translate any
Stateful Timed CSP process to a TFSM and encode it. However, we do not apply
that approach to generate the TFSM of parallel processes because the numbers of
states and transitions grow exponentially with the number of subprocesses running in
parallel. Moreover, it becomes completely redundant when guards and transactions
of the transitions in a certain subprocess are encoded to BDD many times. For
example, if we apply the TFSM generation procedure to the process P1‖|P2, suppose
the state of that TFSM is of the form (s1, s2) where s1 and s2 are states in the TFSMs
of P1 and P2 respectively. For any transition t from state s1 to s′1 in the TFSM of P1, there is a corresponding transition t from state (s1, s2) to state (s′1, s2) in the TFSM of P1‖|P2. Obviously, the guard and the transaction of the transition t will be encoded m times where m is the number of states in the TFSM of P2. This overhead makes the encoding of parallel processes with TFSMs inefficient. Therefore, we provide compositional encoding functions to encode parallel processes without translating them to TFSMs. As a result, compositional encoding functions for all compositional operators must be provided because after using the compositional encoding functions, the TFSMs are no longer available.
In the following, we demonstrate how to define the compositional encoding func-
tions through several examples. Note that the interleave and parallel encoding func-
tions are the same as the ones presented in Section 3.4 and are not presented here.
We fix two tuples $B_i = (\vec{V}, \vec{v}_i, Init_i, Trans_i, Out_i, In_i, Tick_i)$, i ∈ {0, 1}, which are the encodings of processes Pi. $\vec{v}_0$ and $\vec{v}_1$ are disjoint, and $\vec{V}$ is always shared. The symbolic firing rules of the process constructs Event Prefix and Timed Responsiveness in Figure 3.5 can be consulted to follow the compositional encoding. For a complete list of compositional encoding functions, please refer to Appendix C.
Event Prefix Let P be the event prefix composition P = e → P0. P is ready to engage the event e, and afterward P behaves as P0. Then, the encoding of P is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where happened is a fresh boolean variable recording whether the event e has happened
• $Init = \neg happened$
• $Trans = (\neg happened \wedge event' = e \wedge happened' \wedge Init_0') \vee (happened \wedge Trans_0 \wedge happened')$
• $In = happened \wedge In_0 \wedge happened'$
• $Out = happened \wedge Out_0 \wedge happened'$
• $Tick = (\neg happened \wedge event' = tick \wedge \neg happened') \vee (happened \wedge Tick_0 \wedge happened')$
Timed Responsiveness Let P be the within composition of P0, P = P0 within[t]. Then, P0 is required to engage a visible event within t time units. The encoding of P is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{clk\}$ where −1 ≤ clk ≤ t records the number of time units elapsed so far, and clk = −1 indicates that a visible action has happened
• $Init = Init_0 \wedge clk = 0$
• $Trans = Trans_0 \wedge [(event \neq \tau \wedge clk' = -1) \vee (event = \tau \wedge clk' = clk)]$
• $In = In_0 \wedge clk' = -1$
• $Out = Out_0 \wedge clk' = -1$
• $Tick = Tick_0 \wedge [(clk \ge 0 \wedge clk < t \wedge clk' = clk + 1) \vee (clk = -1 \wedge clk' = -1)]$
As we can observe, unlike the encoding of TFSMs, compositional encoding functions introduce many auxiliary variables to control the flow, for example the clk variable in Timed Responsiveness, which records the number of elapsed time units. Therefore, our strategy for encoding a Stateful Timed CSP process is to find its maximum
primitive components which can be translated to TFSMs and then encode these
TFSMs. Identifying the maximum primitive components is straightforward because
maximum primitive components are the maximum components whose semantics does
not require synchronization between two or more subcomponents. Finally, BDD en-
codings of maximum primitive components are gradually composed to achieve the
final BDD encoding of the given process. For instance, in Example 3.4, the identified
maximum primitive components are n processes P(i) where i ∈ {1, · · · , n}. Next,
TFSMs translated from these components are encoded. The resulting encodings are then composed using the interleave compositional encoding function to generate the BDD encoding of the model of Fischer's protocol.
A limitation of compositional encoding functions is that they cannot be applied to recursive processes, e.g., P = a → P. Compositional encoding functions build the encoding of a process from the known encodings of its subprocesses. Therefore, applying compositional encoding functions to a process whose definition contains a reference to itself is not possible: it would create an infinite sequence of recursive calls of the compositional encoding function.
We have presented how to encode a Stateful Timed CSP model by generating TFSMs from primitive components and composing the encodings of primitive components through the compositional encoding functions. After obtaining the encoding of the Stateful Timed CSP processes, the verification algorithms in Chapter 2 can be adopted to verify Stateful Timed CSP processes.
3.6 Chapter Summary
In this chapter, we have presented our encoding techniques for real-time systems. We proposed a different way of encoding timed systems which only uses tick transitions without clock variables. Moreover, a set of compositional encoding functions for real-time systems is implemented. Since our encoding techniques are independent of the modeling languages, in general, they can be applied to different modeling languages, such as closed timed automata and Stateful Timed CSP as shown in Sections 3.4 and 3.5. Note that although the verification algorithms in Chapter 2 can be used to verify real-time models under digitization, their performance is not good and depends heavily on the magnitude of the maximal clock constants. Specific optimization techniques are thus required. In the next two chapters, we present our improved




Reachability Analysis with Simulation
While digitization simplifies BDD-based model checking for real-time systems, special
optimization techniques are required to improve the performance. The performance
of BDDs is highly sensitive to the maximal clock constants. This chapter presents
our improved reachability analysis algorithm with LU simulation. The improved
algorithm is proved to be efficient and can have early termination. Experimental
results show that the algorithm is able to handle large clock constants, and the
performance of BDDs is enhanced significantly.
4.1 Introduction
Timed automata are an extension of finite automata with clock variables which
represent timing constraints. Since they were proposed by Alur et al. [4], timed automata have become the most popular language to model real-time systems. An interesting
problem of timed automata is the reachability analysis which is shown to be decidable
through the construction of region graphs [4]. However, since the size of region graphs
grows exponentially, verification based on region graphs is impractical. A coarser
representation, DBM, was proposed to represent a set of clock valuations satisfying a set of clock constraints. The resulting zone graphs are much coarser than region graphs. The main problem of zone graphs is that a DBM cannot represent non-convex zones. In addition, by storing locations and clock valuations separately, zone graphs easily run into the state space explosion problem on models with a large number of processes.
The BDD-based approach is a successful technique to overcome the state space
explosion. BDD [21] and many BDD-like data structures such as CDD [17] and
CRD [100] are used to represent states and the transition relation. There are several
advantages of BDD compared to DBM. First, BDD provides a canonical and compact
representation of states and the transition relation where both locations and clock
valuations are stored together in BDD. Second, BDD can represent non-convex zones.
As a result, BDD-based model checking is more efficient than zone-based model
checking in many examples [29, 12, 21, 100, 23]. However, the main problem of
BDD-based model checking is the large maximal clock constants, and most of the
experiments of the BDD-based approach are conducted with small maximal clock
constants.
In this work, we continue the research of Beyer et al. [21, 23] on improving
BDD-based reachability analysis. Specifically, in the symbolic reachability analy-
sis algorithm, we propose to combine with the simulation relation to improve the
performance. We show that by using the simulation relation, computing the set
of reachable states from initial states can be enhanced by reducing the number of
iterations required to reach the fixpoint. Experimental results confirm that the per-
formance is improved significantly. In particular, we show that in some cases, large
maximal clock constants do not degrade the performance of our verification algorithm
due to the use of LU simulation. It is worth noting that LU simulation depends on
two kinds of clock bounds, the maximal lower bound and the maximal upper bound.
There are cases where the fact that the clock value is greater than one of the clock
bounds is sufficient. Whether the clock value is greater than the other clock bound
does not matter, even though this clock bound might be very large. This is how we
can alleviate the problem of large maximal clock constants.
Related Work In the effort to improve the reachability analysis of timed automata, this work is related to studies on abstraction techniques to reduce the
number of states in zone graphs, such as [27, 16, 54]. The idea is to abstract a DBM
with a larger DBM but still guarantee the correctness. Those abstraction techniques
are sound and complete. They thus can be used to verify the reachability. Among the
proposed abstraction techniques, LU abstraction [16] is proved to be the coarsest ab-
straction given LU bounds [54]. Moreover, the performance of those abstractions can
be enhanced by computing the maximal lower and upper bounds for each location.
It was shown that location-based zone abstraction is sound and complete [15].
The idea of this work is inspired by [104] which uses simulation to improve the
language inclusion checking. In this work, we make use of LU simulation in timed
automata discovered by Behrmann et al. [16]. While the works in [16, 54] apply LU
simulation to zones, in our work, we apply LU simulation to BDDs to obtain the
fixpoint faster.
This work continues the research on using BDD and BDD-like data structures to
improve the reachability analysis of timed automata [29, 12, 21, 100, 23]. We inherit
the encoding techniques presented in Chapter 3 and focus on the algorithm. Our
work is also related to the recent work of Morbé [77] which introduces the parallelized
interleaving behavior to reduce the number of steps in the verification.
The remainder of this chapter is organized as follows. Section 4.2 presents the
reachability analysis algorithm based on Beyer’s work [21]. Section 4.3 introduces
our improved reachability analysis algorithm by using LU simulation. Experimental
results and further discussions are given in Section 4.4. Section 4.5 concludes this
Algorithm 5 Reachability Analysis
1: function IsReach(Init, Tick, Trans, g)
2:     Qp = ∅
3:     Q = Init
4:     Q = Reach(Q, Trans)
5:     while (Qp ≠ Q) do
6:         Qp = Q
7:         Q = Q ∪ Reach(succ(Q, Tick), Trans)

15: function Reach(Q, R)
16:     Qp = ∅
17:     while (Qp ≠ Q) do
18:         Qp = Q

4.2 Reachability Analysis Algorithm
This section describes the reachability analysis algorithm without simulation. Given
a TFSM M = (GV , initg ,LV , initl , S , init ,Act ,Ch,T ) and a set of states g , the
reachability problem is to determine whether the initial state can reach a state in g .
Note that the reachability problem of TFSMs can be translated to the reachability
problem of LTSs. Then, given a set of states g , the reachability analysis is performed
by computing the set of reachable states and checking whether this set contains some
state belonging to g. The issue of efficiently computing reachable states in timed systems with BDDs is considered by Beyer in [21]. There are two important observations. First, separating action transitions and tick transitions is more efficient than using the union of these transitions as a monolithic transition relation. Second, to compute the fixpoint, applying action transitions before tick transitions yields smaller encodings of intermediate reachable states.
Algorithm 5 shows the reachability analysis algorithm based on Beyer's observations [21]. Let $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ be the encoding of the TFSM
M . The function IsReach takes Init , Tick , Trans , and g as input. It checks whether
a state in g is reachable from an initial state in Init by transitions in Tick or Trans .
Moreover, given a set of states Q and a transition relation R, the utility function
Reach(Q ,R) computes the set of states reachable from Q by transitions in R.
In the following, we briefly prove that Algorithm 5 is correct [21]. Given a, b ∈ N with a ≤ b, we denote by Reach(a, b) the set of states reachable by transitions in Trans and Tick between time unit a and time unit b. Then, the set of reachable
states at time unit a is denoted by Reach(a, a). In the function IsReach, two variables
Q and Qp are declared where Q is initialized with Reach(0, 0) (line 4), and Qp is an
auxiliary variable used to store the current value of Q before the while-loop (lines 5
to 11). By induction, Q stores the set of states Reach(0, i) after the i th iteration
of the while-loop. The algorithm returns true if the intersection of Q and g is
not empty. Moreover, if the fixpoint is reached, Reach(0, i) = Reach(0, i − 1), the
algorithm returns false.
While it is efficient to compute the reachable states as in Algorithm 5, this algorithm still has the problem of large maximal clock constants. Models with large maximal clock constants require a large number of iterations to obtain the fixpoint, i.e., to reach the i-th iteration where Reach(0, i) = Reach(0, i − 1). In the next section, we present
our improved algorithm by using the simulation relation. We prove that the number
of iterations can be reduced, and experimental results given in Section 4.4 confirm
that our improved algorithm is much more efficient.
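The interleave composition of Section 3.4 and Algorithm 5 together, as an added Python example that is not from the thesis: a TFSM is reduced to its control structure (guards and programs are dropped), `interleave` builds the product following the rules for tick, plain actions and matching channel output/input, and `is_reach` runs the Trans/Tick-separated fixpoint of Algorithm 5 while counting the tick rounds. The two-process sender/receiver model and the label syntax `ch!v` / `ch?x` are constructed for this example.

```python
"""Added example: interleave composition of two TFSMs followed by the
reachability analysis of Algorithm 5 (action relation Trans and time
relation Tick kept apart).  Only the control structure of a TFSM is
kept: a TFSM is (initial_state, {(source, label, target)})."""

TICK = "tick"


def parse(label):
    """Classify a label: ('out', ch, v) for 'ch!v', ('in', ch, x) for
    'ch?x', otherwise ('act', name, None).  Constructed label syntax."""
    if "!" in label:
        ch, v = label.split("!", 1)
        return "out", ch, v
    if "?" in label:
        ch, x = label.split("?", 1)
        return "in", ch, x
    return "act", label, None


def states_of(m):
    init, trans = m
    return {init} | {s for s, _, _ in trans} | {d for _, _, d in trans}


def interleave(m0, m1):
    """Interleave rules: a non-tick action moves one component alone,
    tick moves both components together, and a channel output ch!v of
    one side is matched with a channel input ch?x of the other into a
    single ch.v transition.  Returns (init, Trans, Tick)."""
    (i0, t0), (i1, t1) = m0, m1
    s0s, s1s = states_of(m0), states_of(m1)
    trans, tick = set(), set()
    for s0, e0, d0 in t0:
        if e0 != TICK and parse(e0)[0] == "act":
            trans |= {((s0, s1), e0, (d0, s1)) for s1 in s1s}
    for s1, e1, d1 in t1:
        if e1 != TICK and parse(e1)[0] == "act":
            trans |= {((s0, s1), e1, (s0, d1)) for s0 in s0s}
    for s0, e0, d0 in t0:
        for s1, e1, d1 in t1:
            if e0 == TICK and e1 == TICK:
                tick.add(((s0, s1), TICK, (d0, d1)))
                continue
            k0, ch0, p0 = parse(e0)
            k1, ch1, p1 = parse(e1)
            if ch0 == ch1 and {k0, k1} == {"out", "in"}:
                value = p0 if k0 == "out" else p1
                trans.add(((s0, s1), f"{ch0}.{value}", (d0, d1)))
    return (i0, i1), trans, tick


def succ(Q, R):
    """Post-image of the state set Q under the relation R."""
    return {d for s, _, d in R if s in Q}


def reach(Q, R):
    """Reach(Q, R) of Algorithm 5: close Q under R up to the fixpoint."""
    Qp = None
    while Qp != Q:
        Qp = Q
        Q = Q | succ(Q, R)
    return Q


def is_reach(init, tick, trans, g):
    """IsReach of Algorithm 5.  Returns (found, i): after i rounds Q holds
    Reach(0, i); the loop stops early when Q meets g, otherwise when the
    fixpoint Reach(0, i) = Reach(0, i - 1) is hit."""
    Q = reach({init}, trans)            # Reach(0, 0)
    if Q & g:
        return True, 0
    Qp, i = set(), 0
    while Qp != Q:
        Qp = Q
        Q = Q | reach(succ(Q, tick), trans)
        i += 1
        if Q & g:
            return True, i
    return False, i


# Constructed model: the sender emits c!1 after one time unit, the
# receiver waits for c?x and then performs action b.
SENDER = ("s0", {("s0", TICK, "s1"), ("s1", "c!1", "s2"), ("s2", TICK, "s2")})
RECEIVER = ("u0", {("u0", TICK, "u0"), ("u0", "c?x", "u1"),
                   ("u1", "b", "u2"), ("u2", TICK, "u2")})


if __name__ == "__main__":
    init, trans, tick = interleave(SENDER, RECEIVER)
    print(is_reach(init, tick, trans, {("s2", "u2")}))   # (True, 1)
    print(is_reach(init, tick, trans, {("s0", "u2")}))   # (False, 2)
```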
4.3 Reachability Analysis with Simulation
As discussed in Chapter 3, our new encoding allows us to obtain a smaller encoding.
Nonetheless, larger clock bounds lead to a larger number of tick transitions which
slows down the model checking algorithm. In this section, we further improve the
reachability analysis algorithm by using the simulation relation defined in Lemma 2.5.
4.3.1 Simulation Relation in TFSMs
Definition 4.1. Let M = (GV, initg, LV, initl, S, init, Act, Ch, T) be a TFSM. A simulation for M is a binary relation R ⊆ S × S such that for all (s1, s2) ∈ R, if $s_1 \xrightarrow{t} s_1'$, then there exists $s_2' \in S$ such that $s_2 \xrightarrow{t} s_2'$ and $(s_1', s_2') \in R$.
Given a TFSM, state s1 is simulated by state s2 (or state s2 simulates state s1), denoted by s1 ≼ s2, if there exists a simulation R for that TFSM with (s1, s2) ∈ R.
As explained in Chapter 3, where we show how to generate a TFSM without clock variables from a TFSM with clock variables, a state in the resulting TFSM is a composition of the state in the original TFSM and the clock valuation. Based on the simulation relation defined in Lemma 2.5, we have the corresponding simulation relation in the resulting TFSM. Specifically, R = {(s1, s2) | location(s1) = location(s2) ∧ clockValuation(s1) ≼ clockValuation(s2)} is a simulation relation in the resulting TFSM without clock variables. Thus, in the following, given a TFSM, we denote by ≼ the simulation relation on the TFSM obtained as in Lemma 2.5. We continue by defining the simulation relation over the semantics of TFSMs.
Definition 4.2. Let L = (C, initc, →) be the semantics model of the TFSM M = (GV, initg, LV, initl, S, init, Act, Ch, T). A simulation for L is a binary relation R ⊆ C × C such that for all ((σg1, σl1, s1), (σg2, σl2, s2)) ∈ R, if (σg1, σl1, s1) −t→ (σ′g1, σ′l1, s′1), then there exists (σ′g2, σ′l2, s′2) such that (σg2, σl2, s2) −t→ (σ′g2, σ′l2, s′2) and ((σ′g1, σ′l1, s′1), (σ′g2, σ′l2, s′2)) ∈ R.
Given an LTS, the configuration (σg1, σl1, s1) is simulated by the configuration (σg2, σl2, s2) (or the configuration (σg2, σl2, s2) simulates the configuration (σg1, σl1, s1)), denoted (σg1, σl1, s1) ≼ (σg2, σl2, s2), if there exists a simulation R for that LTS with ((σg1, σl1, s1), (σg2, σl2, s2)) ∈ R.
Lemma 4.3. Given a TFSM M = (GV, initg, LV, initl, S, init, Act, Ch, T), let L = (C, initc, →) be the LTS semantics of M. If s1 and s2 are two states in S and s1 ≼ s2, then (σg, σl, s1) ≼ (σg, σl, s2) for any global valuation σg and local valuation σl.
Proof: We show that the relation R = {((σg, σl, s1), (σg, σl, s2)) | s1 ≼ s2} is a simulation relation for L. Assume ((σg, σl, s1), (σg, σl, s2)) ∈ R. For any transition (σg, σl, s1) −t→ (σ′g, σ′l, s′1), there exists a transition (s1, [guard]a{prog}, s′1) ∈ T where t = [guard]a{prog}. Thus, guard is satisfied by σg and σl, and prog updates σg and σl to σ′g and σ′l respectively. Since s1 ≼ s2, there also exists a transition (s2, [guard]a{prog}, s′2) ∈ T with s′1 ≼ s′2, and hence (σg, σl, s2) −t→ (σ′g, σ′l, s′2). Moreover, since s′1 ≼ s′2, it holds that ((σ′g, σ′l, s′1), (σ′g, σ′l, s′2)) ∈ R. Therefore, R is a simulation relation for L. □
Finally, based on Lemma 4.3, given SimM, the BDD encoding of the simulation relation on the TFSM M, the BDD encoding of the simulation relation on the LTS L can be obtained as SimL = SimM ∧ (V⃗ = V⃗′) ∧ (v⃗ = v⃗′). Then, the encoding of the simulation relation of a parallel/interleave composition is the conjunction of the encodings of the simulation relations of all subcomponents.
4.3.2 Reachability Analysis Algorithm with Simulation
In this section, we describe our improved reachability analysis algorithm with simulation. Given the LTS L, a simulation relation ≼ over the states of L and a set of states g, our algorithm determines whether the initial state can reach a state in g. The reachability analysis is performed as in Algorithm 5, by computing the set of reachable states and checking whether this set contains some state in g.
We assume that the simulation on L is compatible with the set g, which means that for any (s1, s2) ∈ ≼, s1 ∈ g ⇔ s2 ∈ g. In our reachability verification for timed automata, the LU simulation relation satisfies this condition because the reachability verification is over locations. Given the simulation relation ≼ and a set of states Q, we denote the abstraction of Q by Abs(Q) = {s1 | ∃ s2 ∈ Q . s1 ≼ s2}(1). Since the simulation relation is reflexive and transitive, it follows that Q ⊆ Abs(Q) and Abs(Abs(Q)) = Abs(Q). Next, given an LTS and its simulation relation, we define its abstract LTS.
Definition 4.4. Given the LTS L = (C, initc, →) and the simulation relation ≼, the abstract LTS of L is L′ = (C′, init′c, ⇒) such that:
• C′ = C
• init′c = Abs(initc)
• Given any states s′1, s′2 ∈ L′, there is a transition s′1 ⇒ s′2 in L′ if there exists a transition s′1 → s2 in L and s′2 ≼ s2.
For any transition s′1 → s2 in L, we allow other states simulated by s2 to be successor states of s′1 in L′. Thus, given a set of states Q ⊆ C, succ(Q, ⇒) = Abs(succ(Q, →)). In the following, we prove that the abstract LTS preserves reachability.
Lemma 4.5. Given q′1 ≼ q1, if there exists a path of length n, q′1 ⇒ q′2 ⇒ ··· ⇒ q′n in L′, then there exists a path of length n, q1 → q2 → ··· → qn in L such that q′i ≼ qi for all 1 ≤ i ≤ n.
Proof: We prove by induction on n.
• n = 1: This is trivially true because q′1 ≼ q1.
• Suppose that for any path of length n = k, q′1 ⇒ q′2 ⇒ ··· ⇒ q′k in L′, there exists a path of length k, q1 → q2 → ··· → qk in L such that q′i ≼ qi for all 1 ≤ i ≤ k. We prove that this is still true for n = k + 1. Given any path of length k + 1, q′1 ⇒ q′2 ⇒ ··· ⇒ q′k ⇒ q′k+1, in L′, by the induction hypothesis there exists q1 → q2 → ··· → qk in L such that q′i ≼ qi for all 1 ≤ i ≤ k. By the definition of L′, q′k ⇒ q′k+1 implies q′k → r′ in L with q′k+1 ≼ r′. Moreover, since q′k ≼ qk, there exists a transition qk → r in L such that r′ ≼ r. Thus, q′k+1 ≼ r by transitivity. Therefore, we can select qk+1 = r, and the lemma is proved. □
(1) The term abstraction is used as in zone abstraction, which enlarges the DBM.
Theorem 4.6. Given the LTS L, the abstract LTS L′, and a set of states g, g is reachable in L if and only if g is reachable in L′.
Proof: If g is reachable in L, there exists a finite path q1 → q2 → ··· → qn in L such that q1 ∈ initc and qn ∈ g. By the definition of L′, this path also exists in L′ and q1 ∈ init′c. Thus, g is reachable in L′.
If g is reachable in L′, there exists a finite path q′1 ⇒ q′2 ⇒ ··· ⇒ q′n in L′ such that q′1 ∈ init′c and q′n ∈ g. Since init′c = Abs(initc), there exists q1 ∈ initc with q′1 ≼ q1, and according to Lemma 4.5 there exists a finite path q1 → q2 → ··· → qn in L such that q′i ≼ qi for all 1 ≤ i ≤ n. As the simulation is compatible with g, qn ∈ g. Therefore, g is also reachable in L. □
By Theorem 4.6, we can use the abstract LTS L′ as the input for Algorithm 5. However, explicitly computing the transition relation of L′ is not efficient. Instead, we apply Abs to the result of any call succ(Q) on the fly in Algorithm 5, because succ(Q, ⇒) = Abs(succ(Q, →)).
Algorithm 6 presents our improved reachability analysis algorithm by using the simulation relation. We rename the two functions as IsReachabs and Reachabs respectively.

Algorithm 6 Reachability Analysis with Simulation
1: function IsReachabs(Init, Tick, Trans, g)
2:   Qp = ∅
3:   Q = Abs(Init)
4:   Q = Reachabs(Q, Trans)
5:   while (Qp ≠ Q) do
6:     Qp = Q
7:     Q = Q ∪ Reachabs(Abs(succ(Q, Tick)), Trans)
8:     if (Q ∩ g ≠ ∅) then
9:       return true
10:    end if
11:  end while
12:  return false
13: end function
14:
15: function Reachabs(Q, R)
16:   Qp = ∅
17:   while (Qp ≠ Q) do
18:     Qp = Q
19:     Q = Q ∪ Abs(succ(Q, R))
20:   end while
21:   return Q
22: end function

The difference between Algorithm 6 and Algorithm 5 is that in the function IsReachabs, at the beginning, we set Q = Abs(Init) at line 3, and throughout the algorithm we call the functions Reachabs(Q, R) and Abs(succ(Q, R)) instead of Reach(Q, R) and succ(Q, R) respectively. In other words, we always apply the abstraction function Abs to the results of the succ function. Next, we prove that Algorithm 6 is sound and complete.
Theorem 4.7. Algorithm 6 is sound and complete.
Proof: As discussed above regarding the difference between Algorithm 6 and Algorithm 5, given an LTS L, while IsReach(Init, Tick, Trans, g) checks the reachability of g on L, IsReachabs(Init, Tick, Trans, g) actually checks the reachability of g on L′. Thus, the correctness of Algorithm 6 follows from Theorem 4.6. □
Since the reachability analysis requires many fixpoint computations, the rationale of Algorithm 6 is to converge faster to the fixpoint. In the following, we prove that Reachabs(Abs(Q)) requires the same or a smaller number of iterations to reach the fixpoint than Reach(Q). In our proof, to distinguish it from Algorithm 5, we use Q′ to denote the value of the variable Q in Algorithm 6.
Corollary 4.8. If Q1 ⊆ Q2, then Abs(Q1) ⊆ Abs(Q2).
Proof: Given any state s′ ∈ Abs(Q1), there exists s ∈ Q1 such that s′ ≼ s. Since Q1 ⊆ Q2, it follows that s ∈ Q2. Thus, s′ ∈ Abs(Q2). □
Corollary 4.9. Abs(Q1 ∩ Q2) ⊆ Abs(Q1) ∩ Abs(Q2).
Proof: According to Corollary 4.8, Abs(Q1 ∩ Q2) ⊆ Abs(Q1) and Abs(Q1 ∩ Q2) ⊆ Abs(Q2). Thus, Abs(Q1 ∩ Q2) ⊆ Abs(Q1) ∩ Abs(Q2). □
Corollary 4.10. Abs(Q1 ∪ Q2) = Abs(Q1) ∪ Abs(Q2).
Proof: According to Corollary 4.8, Abs(Q1) ⊆ Abs(Q1 ∪ Q2) and Abs(Q2) ⊆ Abs(Q1 ∪ Q2). Thus, Abs(Q1) ∪ Abs(Q2) ⊆ Abs(Q1 ∪ Q2). Then, we prove that Abs(Q1 ∪ Q2) ⊆ Abs(Q1) ∪ Abs(Q2). Given any s′ ∈ Abs(Q1 ∪ Q2), there exists s ∈ Q1 ∪ Q2 such that s′ ≼ s. If s ∈ Q1, then s′ ∈ Abs(Q1). Otherwise, if s ∈ Q2, then s′ ∈ Abs(Q2). Therefore, s′ ∈ Abs(Q1) ∪ Abs(Q2). □
Corollary 4.11. Abs(succ(Q)) = Abs(succ(Abs(Q))).
Proof: Since Q ⊆ Abs(Q), succ(Q) ⊆ succ(Abs(Q)). It follows that Abs(succ(Q)) ⊆ Abs(succ(Abs(Q))). We prove Abs(succ(Abs(Q))) ⊆ Abs(succ(Q)). Given any s ∈ Abs(succ(Abs(Q))), there exist s1 ∈ Q, s2, and s3 such that s2 ≼ s1, s2 → s3, and s ≼ s3. Since s2 ≼ s1, there exists s′3 such that s1 → s′3 and s3 ≼ s′3. Thus, s ≼ s′3 by transitivity. We have s1 ∈ Q, s1 → s′3, and s ≼ s′3; therefore, s ∈ Abs(succ(Q)). □
Lemma 4.12. Assume Q′ = Abs(Q). If Reach(Q, R) reaches the fixpoint after n iterations, then Reachabs(Q′, R) has also reached the fixpoint after n iterations. Moreover, the results of those functions satisfy Reachabs(Q′, R) = Abs(Reach(Q, R)).
Proof: Let Qi (respectively Q′i) be the value of Q in the function Reach (respectively Reachabs) after the i-th iteration of the while-loop. We prove by induction that Q′i = Abs(Qi) for all i ≥ 0.
• i = 0: Q′0 = Q′ = Abs(Q) = Abs(Q0).
• Suppose Q′k = Abs(Qk); we prove that Q′k+1 = Abs(Qk+1). We have Q′k+1 = Q′k ∪ Abs(succ(Q′k)) = Abs(Qk) ∪ Abs(succ(Abs(Qk))) = Abs(Qk) ∪ Abs(succ(Qk)) = Abs(Qk ∪ succ(Qk)) = Abs(Qk+1), using Corollaries 4.11 and 4.10.
Since Q′i = Abs(Qi), when the function Reach converges, i.e., Qi = Qi+1, Reachabs also converges, i.e., Q′i = Q′i+1. Moreover, the results of those functions satisfy Reachabs(Q′, R) = Abs(Reach(Q, R)). □
Lemma 4.13. Assume Q′ = Abs(Q). Then Q′ ∪ Reachabs(Abs(succ(Q′, Tick)), Trans) = Abs(Q ∪ Reach(succ(Q, Tick), Trans)).
Proof: By Corollary 4.11, Abs(succ(Q′, Tick)) = Abs(succ(Abs(Q), Tick)) = Abs(succ(Q, Tick)). Thus, by Lemma 4.12, we obtain Reachabs(Abs(succ(Q′, Tick)), Trans) = Abs(Reach(succ(Q, Tick), Trans)). Therefore, Q′ ∪ Reachabs(Abs(succ(Q′, Tick)), Trans) = Abs(Q) ∪ Abs(Reach(succ(Q, Tick), Trans)) = Abs(Q ∪ Reach(succ(Q, Tick), Trans)) by Corollary 4.10. □
Theorem 4.14. Algorithm 6 requires the same or a smaller number of iterations than Algorithm 5.
Proof: According to Lemmas 4.12 and 4.13, throughout Algorithms 5 and 6, Q′ = Abs(Q) holds. Thus, if Algorithm 5 terminates when Q ∩ g ≠ ∅, Algorithm 6 also terminates because Q′ ∩ g ≠ ∅. Otherwise, if Q = Qp holds in Algorithm 5, Q′ = Q′p also holds in Algorithm 6. □
Table 4.1: Comparison between Algorithm 5 and Algorithm 6 in Fischer protocol with 4 processes and b = 10

                                  a =    1    3    5    7    9
#succ(Q, Tick)    Algorithm 5          21   21   21   21   21
                  Algorithm 6          13   15   17   19   21
#succ(Q, Trans)   Algorithm 5          59   77   95  113  131
                  Algorithm 6          37   43   49   55   61

Table 4.2: Comparison between Algorithm 5 and Algorithm 6 in Fischer protocol with a = 5 and b = 10

                              #proc =    4    8   12   16   20
#succ(Q, Tick)    Algorithm 5          21   21   21   21   21
                  Algorithm 6          17   17   17   17   17
#succ(Q, Trans)   Algorithm 5          95  151  207  263  319
                  Algorithm 6          49   69   89  109  129
We demonstrate through experiments the speed-up obtained by applying simulation in the reachability analysis. Table 4.1 and Table 4.2 compare the computation effort in the reachability analysis of the Fischer protocol between Algorithm 5 and Algorithm 6. Note that in this Fischer model, clk is a clock whose LU bounds are b and a respectively. We count the number of function calls succ(Q, Tick) and the number of function calls succ(Q, Trans) during the verification.
In Table 4.1, we fix the number of processes as 4 and b = 10 and increase a, while in Table 4.2, we fix a = 5 and b = 10 and increase the number of processes. From Figure 3.1 and Figure 3.2, we can see that state (A, clk = i) simulates state (A, clk = j) where 0 ≤ i ≤ j ≤ a. In addition, state (B, clk = m) simulates state (B, clk = n) where b < m ≤ n. According to Table 4.1 and Table 4.2, in Algorithm 5, the number of function calls succ(Q, Tick) depends only on the maximal clock constant, which is b = 10. In contrast, in Algorithm 6, the number of function calls succ(Q, Tick) depends on two clock constants, the maximal lower bound b and the maximal upper bound a. Therefore, in Table 4.1, where b is fixed and a is changed from 1 to 9, the number of calls succ(Q, Tick) of Algorithm 5 is unchanged, whereas in Algorithm 6 the number of function calls succ(Q, Tick) increases from 13 to 21. Moreover, simulation also helps to reduce the number of calls succ(Q, Trans) in the discrete fixpoint calculation Reachabs(Q, R).
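The following Python program is an added illustration, not code from the thesis or from PAT: it runs Algorithm 5 and Algorithm 6 with explicit state sets (standing in for the BDDs) on a constructed one-process cycle A → B → C whose guards follow the Fischer pattern above (clk ≤ a in A, clk > b in B), uses the location-dependent LU relation just described as ≼, checks that this relation really is a simulation in the sense of Definition 4.1, and counts the succ calls of both algorithms. The model, its bounds and all function names are assumptions of the example.

```python
"""Added example (not from the thesis): Algorithm 5 vs Algorithm 6 on a small
digitized timed automaton with location-dependent LU bounds; explicit sets
stand in for the BDDs that PAT uses."""
from itertools import product


# Constructed model, modelled on the Fischer discussion: one process cycling
#   A --[clk <= a] go--> B --[clk > b] done--> C --back--> A,
# where every action resets clk. Digitized clock values saturate at
# M = max(a, b) + 1, which stands for "greater than every clock constant".
def build_model(a, b):
    M = max(a, b) + 1
    states = {(l, c) for l in ("A", "B", "C") for c in range(M + 1)}
    tick = {(s, "tick", (s[0], min(s[1] + 1, M))) for s in states}
    trans = set()
    for (l, c) in states:
        if l == "A" and c <= a:
            trans.add(((l, c), "go", ("B", 0)))
        if l == "B" and c > b:
            trans.add(((l, c), "done", ("C", 0)))
        if l == "C":
            trans.add(((l, c), "back", ("A", 0)))
    # (L, U) bounds of clk per location; -1 encodes "no bound of that kind".
    lu = {"A": (-1, a), "B": (b, -1), "C": (-1, -1)}
    return states, tick, trans, lu


class Checker:
    def __init__(self, a, b):
        self.states, self.tick, self.trans, self.lu = build_model(a, b)
        self.calls = {"Tick": 0, "Trans": 0}  # number of succ(Q, Tick/Trans) calls

    def succ(self, Q, R, name):
        self.calls[name] += 1
        return {dst for (src, _lab, dst) in R if src in Q}

    def simulated_by(self, s1, s2):
        """s1 <= s2 (s2 simulates s1): same location and the LU condition on clk."""
        (l1, v1), (l2, v2) = s1, s2
        if l1 != l2:
            return False
        L, U = self.lu[l1]
        return v1 == v2 or (v2 < v1 and v2 > L) or (v2 > v1 and v1 > U)

    def is_simulation(self):
        """Check Definition 4.1 for <= over Tick ∪ Trans (labels must match)."""
        rel = self.tick | self.trans
        for s1, s2 in product(self.states, repeat=2):
            if not self.simulated_by(s1, s2):
                continue
            for (src, lab, dst1) in rel:
                if src != s1:
                    continue
                if not any(src2 == s2 and lab2 == lab and self.simulated_by(dst1, dst2)
                           for (src2, lab2, dst2) in rel):
                    return False
        return True

    def abs(self, Q):
        """Abs(Q) = {s1 | exists s2 in Q such that s1 <= s2}."""
        return {s1 for s1 in self.states if any(self.simulated_by(s1, s2) for s2 in Q)}

    def reach(self, Q, R, name, use_abs):
        """Reach (Algorithm 5) or Reach_abs (Algorithm 6); returns (fixpoint, iterations)."""
        Qp, it = set(), 0
        while Qp != Q:
            Qp = Q
            step = self.succ(Q, R, name)
            Q = Q | (self.abs(step) if use_abs else step)
            it += 1
        return Q, it

    def is_reach(self, init, g, use_abs):
        """IsReach (Algorithm 5) or IsReach_abs (Algorithm 6); returns (verdict, call counts)."""
        self.calls = {"Tick": 0, "Trans": 0}
        Q = self.abs(init) if use_abs else set(init)
        Q, _ = self.reach(Q, self.trans, "Trans", use_abs)
        Qp = set()
        while Qp != Q:
            Qp = Q
            step = self.succ(Q, self.tick, "Tick")
            if use_abs:
                step = self.abs(step)
            Q = Q | self.reach(step, self.trans, "Trans", use_abs)[0]
            if Q & g:
                return True, dict(self.calls)
        return False, dict(self.calls)


if __name__ == "__main__":
    chk = Checker(a=2, b=3)
    init, goal = {("A", 0)}, {s for s in chk.states if s[0] == "C"}
    print("LU relation is a simulation:", chk.is_simulation())
    print("Algorithm 5:", chk.is_reach(init, goal, use_abs=False))
    print("Algorithm 6:", chk.is_reach(init, goal, use_abs=True))
```

With a = 2 and b = 3 both algorithms report that location C is reachable after 4 tick steps, but Algorithm 6 needs 8 calls of succ(Q, Trans) against 11 for Algorithm 5, mirroring the reduction reported in Tables 4.1 and 4.2.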
We have demonstrated both by theory and by experiment that using the LU
simulation relation in the reachability analysis can reduce the number of iterations
in the fixpoint computation and thus reduce the verification time. In the following, we
present more experimental results comparing our approach with Rabbit and Uppaal.
4.4 Implementation and Evaluation
Our approach has been implemented as a BDD library for the reachability analysis of timed automata in the PAT framework [93, 41, 42]. It is based on the CUDD package [92]. To demonstrate the efficiency of our approach, we conduct two experiments and measure the number of succ function calls, the verification time (in seconds), and the memory usage of BDDs (in MBs) over four benchmark systems: Fischer mutual exclusion protocol [36], Lynch-Shavit protocol [71], CSMA/CD protocol [81], and Critical Region [77]. Table 4.3 and Table 4.4 show the results of our experiments. We run PAT in two settings, with and without simulation, which are referred to as PAT-Sim and PAT-NonSim respectively. Then, we compare the results to two state-of-the-art model checkers, the DBM-based model checker Uppaal version 4.0 and the BDD-based model checker Rabbit version 2.1. Although RED [100] and the BDD-based version of Kronos [28] are related to our work as real-time verification tools using BDD (BDD-like) data structures, Rabbit was shown to outperform them [22]. Therefore, only Rabbit is used in our experiments. All of the experiments are performed on a PC with an Intel Core i7-2600 CPU at 3.4GHz and 4GB RAM with a time limit of 2 CPU hours. An entry ‘oot’ in the table means that the time limit is reached, and an entry ‘oom’ means that the program runs out of memory.

Table 4.3: Experimental results in the reachability verification with large clock constants

                    PAT-Sim                  PAT-NonSim               Rabbit
          MCC   #succ   Time  Memory   #succ   Time  Memory    Time
Fischer   256     796     14      73   2,838  1,033    1089      58
Fischer   512   1,564    112     252       -      -     oom   1,076
Fischer  1024   3,100    867     931       -      -       -     oom
Lynch      64     481     12      66   1,347    217     498     256
Lynch     128     929    104     287   2,627  2,163    1562     oot
Lynch     256   1,825    859    1003       -      -     oom     oom
CSMA/CD   808   4,369      6      34  17,794  1,563     577     208
CSMA/CD  1616   8,721     36      59       -    oot       -   1,494
CSMA/CD  3232  17,425    228     181       -      -       -     oot
Critical   80   1,290     61     149   2,039    176     168     124
Critical  160   2,530    298     372   4,039    807     330   1,210
Critical  320   5,010  1,914    1083   8,039  4,697     974     oot
Since our approach is digitization-based, naturally, the first question is how well the library scales with the number of clock ticks. In the first experiment, for each benchmark, we exponentially increase the maximal clock constants while keeping the number of processes at 4. Since Uppaal’s performance does not depend on the maximal clock constants, it is not used in our first experiment. Table 4.3 summarizes the experimental results of PAT-Sim, PAT-NonSim, and Rabbit. The column MCC gives the maximal clock constant value of the corresponding model. According to Table 4.3, PAT-Sim outperforms both PAT-NonSim and Rabbit. Compared to PAT-NonSim, PAT-Sim takes a smaller number of succ function calls. Specifically, by using simulation, the number of succ function calls is reduced by a factor of two to four. As a result, PAT-Sim is faster than PAT-NonSim and can handle larger maximal clock constants.

Table 4.4: Experimental results in the reachability verification with large number of processes

                     PAT-Sim                  PAT-NonSim              Rabbit   Uppaal
          #Proc   #succ   Time  Memory   #succ   Time  Memory    Time     Time
Fischer       8     308     52     482       -    oot       -   7,258      0.7
Fischer      16     356    366    1442       -      -       -     oom      oom
Fischer      32     452  3,351    1651       -      -       -       -        -
Lynch         8     169      8      72     696  6,203    1690   2,494      1.1
Lynch        16     217    104     290       -      -     oom     oom      oom
Lynch        32     313  2,971    1201       -      -       -       -        -
CSMA/CD      16   7,377     62      85       -    oot       -   5,638      oom
CSMA/CD      32  14,289    453     187       -      -       -     oot        -
CSMA/CD      64  26,801  3,912     477       -      -       -       -        -
Critical      6   1,507    486     382   2,296    965     492     929      479
Critical      7   1,926  1,668     804   2,915  2,552     951   3,558      oot
Critical      8   2,397  6,150    1248       -    oot       -  13,268        -
In the second experiment, we compare PAT, Rabbit, and Uppaal using the same benchmark systems. However, in this experiment, we set the maximal clock constant values reasonably large to have a fair comparison with Uppaal. In particular, we set the maximal clock constants to 64 in the Fischer protocol, 16 in the Lynch-Shavit protocol, 404 in the CSMA/CD protocol, and 50 in Critical. Then, we increase the number of processes in each benchmark system to find out which tool can verify the most processes. Table 4.4 shows the experimental results. By using simulation, the number of succ function calls is reduced. Thus, PAT-Sim is faster and can handle a larger number of processes compared to PAT-NonSim. For example, in the Lynch model with 8 processes, PAT-Sim requires 169 succ function calls and takes 8 seconds, while PAT-NonSim requires 696 succ function calls and takes 6,203 seconds. The verification time is thus reduced significantly. According to Table 4.4, PAT-Sim also outperforms Rabbit and Uppaal. Both Rabbit and Uppaal easily run out of memory with a large number of processes. On the contrary, PAT-Sim can verify




In this chapter, we revisited the reachability analysis of timed automata using BDDs. The technical contributions of this work are two-fold. Firstly, we make use of the simulation relation in our reachability analysis algorithm. As a result, the verification can be improved significantly. Secondly, our approach has been implemented in our BDD framework for model checking timed systems. The framework is shown to be reasonably robust with a large number of tick transitions and efficient in verifying benchmark systems. In the next chapter, we continue to present our work on improving the emptiness checking algorithm of timed automata.
Chapter 5
Emptiness Checking with Simulation
The verification of LTL properties for timed automata can be solved as the emptiness problem for timed automata with a Büchi condition. With the assumption of digital clocks, BDD-based model checking techniques can be applied. The problem is that the number of tick transitions increases rapidly with the increase of maximal clock constants. On the other hand, model checking under the non-Zenoness assumption is easier with explicit tick transitions; in particular, it is known that handling the non-Zenoness assumption based on zone abstraction is highly non-trivial. In this work, we improve the BDD-based emptiness checking algorithm with the non-Zenoness assumption by LU simulation. We show that using LU simulation can improve the performance significantly. Specifically, LU simulation allows us to get rid of large maximal clock constants and to converge faster to the fixpoint.
5.1 Introduction
Timed Büchi automata (TBA) [4] extend Büchi automata with real-valued clocks. That is, transitions of a TBA may be guarded with a clock constraint and may reset a set of clocks. Compared to the emptiness checking of Büchi automata, the emptiness checking of TBA is more complicated. The language of a TBA is defined as the set of runs which are not only accepting but also non-Zeno. A run is called Zeno if infinitely many actions happen in finite time. Zeno runs are unrealistic and therefore should be excluded during the system verification. The emptiness checking problem of TBA is to decide whether there exists an infinite accepting run which is also non-Zeno. The problem has been shown to be decidable [4] based on the construction of region graphs from the given TBA.
Alternatively, the semantics of timed automata can be defined with the assump-
tion of integer clock values. Verification results based on this discrete semantics are
consistent with the results based on the dense-time semantics for a large class of
timed automata, in particular, closed TBA whose clock constraints are closed [49].
Through digitization, a TBA can be transformed into a finite transition system.
Therefore, symbolic model checking techniques such as BDD-based ones can be used
to verify the emptiness of closed TBA based on the discrete semantics. The advantage
of using BDDs is that it can potentially handle models with a large number of pro-
cesses. Moreover, by explicitly representing time elapse with tick transitions, check-
ing whether a run is non-Zeno becomes straightforward, i.e., by checking whether the
run contains infinitely many tick transitions. On the contrary, it is highly non-trivial
to determine whether a run in a zone graph can instantiate a non-Zeno run in the
timed automaton [97].
Symbolic model checking algorithms to find accepting runs such as [61] can be adopted to verify the emptiness of TBA. The problem of model checking timed systems based on digitization is that the number of tick transitions increases rapidly with the increase of maximal clock constants, and therefore the model may contain a large number of tick transitions. Thus, the BDD performance is often degraded with large maximal clock constants [23]. However, the results in [23] should not be taken to mean that BDD-based model checking for TBA is infeasible.
In this work, we propose to improve the symbolic emptiness checking algorithm with the assumption of non-Zenoness for TBA by using LU simulation [16], as we improved the reachability analysis algorithm in Chapter 4. We show that it is sound to apply the simulation relation to the emptiness checking problem. Moreover, we prove that several fixpoint computations in the emptiness checking algorithm benefit from the simulation relation. Specifically, those fixpoint computations can require a smaller number of iterations to reach the fixpoint. Overall, our improved emptiness checking algorithm is expected to require a smaller number of iterations and to be more efficient. Experimental results confirm that the performance is improved significantly by using the LU simulation relation. In particular, we show that in some cases, large maximal clock constants do not degrade the performance of our model checking algorithm due to the use of LU simulation. It is worth noting that LU simulation depends on two kinds of clock bounds, the maximal lower bound and the maximal upper bound. There are cases where it is sufficient to know that the clock value is greater than one of the two bounds; whether it is also greater than the other bound does not matter, even though that other bound might be very large. This is how we can alleviate the problem of large maximal clock constants.
The technical contributions of the work are two-fold. First, we present an algorithm which improves the emptiness checking of TBA using the simulation relation. In particular, we prove that it is sound to combine simulation with symbolic emptiness checking. We show that, in general, it is not guaranteed that our algorithm requires the same or a smaller number of iterations to terminate. However, several fixpoint computations in our algorithm, especially the fixpoint that computes the set of reachable states, take the same or a smaller number of iterations. This observation is important because, in our experience, the algorithm without simulation often runs out of time or memory before finding the set of reachable states. Moreover, we show that in the algorithm with simulation, the intermediate result is always a superset of the intermediate result in the algorithm without simulation. Thus, the algorithm with simulation is expected to converge faster to the fixpoint. Second, we integrate the proposed algorithm into the PAT model checker and apply it to multiple benchmark systems. Experimental results show that the improved algorithm is much faster and can handle larger models.
Related Work. This work is related to the research on applying the simulation relation (e.g., [38, 104]) as well as on emptiness checking of TBA. The emptiness checking problem of TBA was first defined and analyzed in [4]. It is shown to be decidable based on region graphs, and the complexity is PSPACE-complete. However, the approach of the region graph construction is not efficient because the number of states in region graphs grows exponentially with both the number of clocks and the maximal clock constants. The zone-based approach was proposed as an alternative to the region graph construction. In [97], the authors discovered that it is non-trivial to check whether a run in a zone graph can induce a non-Zeno run in the original TBA. The proposed remedy is to transform a TBA to an equivalent strongly non-Zeno TBA so that algorithms for emptiness checking of Büchi automata can be used to solve the emptiness problem of TBA. In [99], Tripakis et al. defined a subclass of TBA with persistent acceptance conditions, i.e., every outgoing transition of an accepting state targets an accepting state. That is, once a TBA enters accepting states, it never exits. Then, the authors distinguished four cases and proposed algorithms for each case, depending on whether the automaton is strongly non-Zeno and/or whether it has persistent acceptance conditions. In [98], Tripakis questioned whether coarser extrapolation techniques, specifically inclusion abstraction [36] and LU extrapolation [16], can also be used to check TBA emptiness. In [69], Li showed that LU extrapolation indeed preserves the emptiness of TBA. However, LU extrapolation is also proved to make the emptiness checking of TBA NP-complete [52]. In [64], Laarman et al. showed that inclusion abstraction only preserves the emptiness of TBA in one direction. The above works rely on the strongly non-Zeno transformation, which requires an additional clock and may result in a zone graph with exponentially more states [53, 51]. The remedy based on the construction of guessing zone graphs requires no additional clock [53, 51].
While previous work is based on zone abstraction, our work is based on digitization and uses BDDs to encode the digitized system. This work is also related to [11, 17, 76, 21, 100], which use BDDs and other BDD-like data structures to overcome the state space explosion. However, the performance of the BDD approach in previous works is often degraded with large maximal clock constants [23, 101].
The chapter is organized as follows. Section 5.2 introduces TBA and the empti-
ness problem of TBA. In Section 5.3, we first present the classical symbolic emptiness
checking algorithm for a transition system. Then, we show how to improve that sym-
bolic emptiness checking algorithm with the simulation relation. Section 5.4 demon-
strates how we extend those algorithms to support emptiness checking for TBA.
Section 5.5 shows the experimental results. Section 5.6 concludes this chapter.
5.2 Preliminaries
5.2.1 Timed Büchi Automata
Definition 5.1. A timed Büchi automaton (TBA) is a tuple A = (Σ, X, L, l0, T, Acc) where Σ is a finite alphabet, X is the set of clocks, L is the set of locations, l0 ∈ L is the initial location, Acc ⊆ L is a set of accepting locations, and T ⊆ L × Φ(X) × Σ × 2^X × L is the set of transitions (l, g, e, R, l′) where l and l′ are the source and destination locations of this transition respectively, g ∈ Φ(X) is a guard, e ∈ Σ is an event name, and R ⊆ X is a set of clocks to be reset to 0.
The semantics of A, denoted as C(A), is a transition system C(A) = (S, s0, →) where S = L × (ℝ≥0)^X is the set of states; s0 = {(l0, 0)} is the set of initial states; and → is the labeled transition relation satisfying the following condition: (l, v) −d,t→ (l′, v′) with t = (g, e, R) if there exists (l, g, e, R, l′) ∈ T such that v + d ⊨ g and v′ = [R ↦ 0](v + d).
A run of A is an infinite sequence (l0, v0) −d0,t0→ (l1, v1) −d1,t1→ ··· where v0 = 0. The duration of the run is defined as the total delay over the run, Σi di. A run is Zeno if its duration is bounded; otherwise, it is non-Zeno. A state (l, v) in C(A) is accepting if l is an accepting location. A run is accepting if and only if it visits an accepting state infinitely often. We assume that the TBA is deadlock free, which means that given any finite sequence (l0, v0) −d0,t0→ ··· −dn−1,tn−1→ (ln, vn), there exists a state (ln+1, vn+1) such that (ln, vn) −dn,tn→ (ln+1, vn+1). The language of A, denoted by L(A), is the set of non-Zeno accepting runs in C(A). Emptiness checking is thus to search for a non-Zeno accepting run. The problem is known to be PSPACE-complete [4].
5.2.2 Zone Abstraction
The proof that the emptiness of TBA is PSPACE-complete is based on the region graph construction [4]. However, the number of states in region graphs can grow exponentially with the number of clocks and maximal clock constants. Thus, the region graph is not used in practice. A coarser representation of clock valuations is based on zones.
The symbolic semantics of a TBA A = (Σ, X, L, l0, T, Acc) is a transition system (zone graph) ZG(A) = (S, s0, →) where S = L × 2^((ℝ≥0)^X) is the set of states, s0 = {(l0, 0↑)} is the set of initial states, and (l, Z) −t→ (l′, Z′), where Z and Z′ are two zones, if for all clock valuations v′ ∈ Z′ there exist v ∈ Z and d ∈ ℝ≥0 such that (l, v) −d,t→ (l′, v′). However, the induced zone graph can be infinite [36].
To obtain a finite zone graph, finite sound and complete abstractions α : 2^((ℝ≥0)^X) → 2^((ℝ≥0)^X) such that Z ⊆ α(Z) and α(α(Z)) = α(Z) were proposed, including Extra+M and Extra+LU [16]. Then, the abstract zone graph contains the transition (l, Z) −t→α (l′, α(Z′)) if there is a transition (l, Z) −t→ (l′, Z′) in the original zone graph. Although there exists a run in the timed automaton if and only if there exists a run in the abstract zone graph, it is infeasible to determine whether that run in the timed automaton is non-Zeno.
There are two solutions for this problem. The first solution is to transform the zone graph to a strongly non-Zeno zone graph whose accepting runs are non-Zeno. Based on this transformation, Extra+M and Extra+LU can be used to verify the emptiness of TBA [99, 69]. However, this transformation requires adding one clock and can cause an exponential blowup [53]. Another solution is the construction of guessing zone graphs [53, 51], which guarantees a polynomial size.
Although many extrapolation techniques have been proposed, state space explosion remains the main challenge. While clock valuations are stored symbolically as DBMs, locations are stored explicitly, which causes state space explosion with a large number of processes. In contrast, in the BDD-based approach, both locations and clock valuations are represented as BDDs, which can potentially lead to a more compact representation.
5.2.3 Discrete Semantics
The discrete semantics of a timed Büchi automaton A = (Σ, X, L, l0, T, Acc) is a finite transition system DS(A) = (S, s0, →) where S = L × ℕ^X is the set of states, s0 = {(l0, 0)} is the set of initial states, and → is the labeled transition relation satisfying the following conditions:
• Tick transition: (l, v) −tick→ (l, v ⊕ 1)
• Action transition: (l, v) −t→ (l′, v′) with t = (g, e, R) if there exists (l, g, e, R, l′) ∈ T such that v ⊨ g and v′ = [R ↦ 0]v.
It was shown that the discrete semantics preserves untimed properties of closed timed automata [12, 49]. As a result, the closed TBA A is not empty if and only if there exists an infinite run in DS(A) which visits an accepting state infinitely often and contains an infinite number of both tick transitions and action transitions. The requirement of an infinite number of tick transitions makes the run non-Zeno. In addition, the requirement of an infinite number of action transitions guarantees that the run makes progress. Thus, BDDs can be used to encode and verify the emptiness of closed TBA. The symbolic emptiness checking algorithm searching for accepting runs proposed by Kesten et al. [61] can be adopted to check the emptiness of closed TBA (hereafter TBA for short). Specifically, given a transition system and a set of justice requirements J, where each requirement Ji ∈ J is a set of states, Kesten’s algorithm checks whether there exists a run visiting a state in the set Ji infinitely often for all Ji ∈ J. Then, the requirement that the run in DS(A) visits an accepting state infinitely often and contains an infinite number of both tick transitions and action transitions can be represented as a set of justice requirements J.
5.3 Emptiness Checking with Simulation
In this section, we present the algorithm of Kesten [61] which checks whether, given a
transition system, there exists a run satisfying a set of justice requirements J. Then,
we introduce our improved algorithm based on the simulation relation. In Section 5.4,
we show how we apply the algorithm of Kesten and our improved algorithm to the
emptiness checking of TBA.
Algorithm 7 Algorithm IsEmpty
1: function IsEmpty(Init, Trans, J)
2: old = ∅
3:
4: new = Reach(Init, Trans)
5: while (new ≠ old) do
6: old = new
7: for all Ji ∈ J do
8: new = Reach(new ∩ Ji, Trans)
9: end for
10: while (new ≠ new ∩ succ(new)) do
11: new = new ∩ succ(new)
12: end while
13: end while
14: return (new = ∅)
15: end function
5.3.1 Emptiness Checking Algorithm
Given a transition system and a set of justice requirements J , an accepting run is
an infinite run which visits a Ji -state (a state in Ji) infinitely often for all Ji ∈ J .
Algorithm 7 [61] presents the symbolic algorithm which checks whether there exists
an accepting run. Specifically, function IsEmpty takes the set of the initial states Init ,
the transition relation Trans , and a set of justice requirements J as input. Function
IsEmpty checks whether the transition system contains an accepting run. Given a set
of states Q , the utility function Reach(Q ,Trans) returns the set of states reachable
from a state in Q by the transition relation Trans . Function Reach(Q ,Trans) is
introduced in Section 4.2. We denote by succ(Q ,Trans) (or simply succ(Q) if the
transition relation Trans is clear from the context) the set of successor states of Q .
In Algorithm 7, function IsEmpty searches for accepting strongly connected
components (SCCs), i.e., SCCs which contain a Ji-state for every justice requirement Ji ∈ J.
The algorithm computes the set of all accepting SCCs. If this set is empty, there
is no accepting run in the given transition system. At line 4, new is assigned
the set of all states reachable from the initial states. Then, the while-loop (from
line 5 to line 13) repeatedly refines the set of states new until a fixpoint is reached,
i.e., new = old at line 5. Inside this while-loop, we first back up the current value of
new in old (line 6). Then, from line 7 to line 9, we refine new to the set
of states reachable from a Ji-state in new, for every Ji ∈ J in turn. Next, in the inner while-loop from
line 10 to line 12, we again refine new by successively removing from new the states
which do not have a successor in new (line 11). This loop iterates until every state
in new has a successor in new. At the end, new contains all accepting
SCCs of the transition system.
5.3.2 Emptiness Checking Algorithm with Simulation
In this section, we present our improvement of Algorithm 7 based on the simulation
relation. Before introducing the algorithm, we define the simulation relation on
transition systems. Simulation relations are preorders on the state space. Intuitively,
a state s2 simulates a state s1 if s2 can mimic all behaviors of s1.
Definition 5.2. Given a transition system C = (S, s0, →) with a set of justice
requirements J, a simulation relation for C is a binary relation R ⊆ S × S such that
for any (s1, s2) ∈ R, it holds that:
• If s1 → s′1, there exists s′2 such that s2 → s′2 and (s′1, s′2) ∈ R.
• For any Ji ∈ J, s1 ∈ Ji if and only if s2 ∈ Ji.
A state s1 is simulated by a state s2 (i.e., s2 simulates s1), denoted s1 ≼ s2, if
there exists a simulation relation R such that (s1, s2) ∈ R. The simulation
relation ≼ is reflexive and transitive. Note that, by the second condition of Definition 5.2,
our simulation relation is compatible with the set of justice requirements J: if s1 ≼ s2,
then s1 is a Ji-state if and only if s2 is a Ji-state.
Given the simulation relation ≼ and a set of states Q, we denote the abstraction
of Q by Abs(Q) = {s1 | ∃ s2 ∈ Q . s1 ≼ s2}. Since the simulation relation is reflexive and
transitive, it follows that Q ⊆ Abs(Q) and Abs(Abs(Q)) = Abs(Q). Next, we define
the abstract transition system based on the simulation relation.
Definition 5.3. Given the transition system C = (S, s0, →) with a set of justice
requirements J and the simulation relation ≼, the abstract transition system of C is
C′ = (S′, s′0, ⇒) with a set of justice requirements J′ such that:
• S′ = S
• s′0 = Abs(s0)
• Given any states s′1, s′2 ∈ S′, there is a transition s′1 ⇒ s′2 in C′ if there is a
transition s′1 → s2 in C and s′2 ≼ s2.
• J′ = J
Intuitively, whenever we have a transition s′1 → s2 in C, we allow every other state
simulated by s2 to be a successor state of s′1 in C′. Thus, given a set of states Q ⊆
S, succ(Q, ⇒) = Abs(succ(Q, →)). In the following, we prove that the abstract
transition system contains an accepting run if and only if the original transition
system contains an accepting run.
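The largest simulation relation of Definition 5.2 and the abstraction Abs of Definition 5.3 can be computed on an explicit finite transition system as follows. This is an added example, not code from the thesis or from PAT: the transition system C and its single justice requirement are constructed for illustration, and states are plain Python sets rather than BDDs. State d has every move of state a plus one more, so d simulates a but a does not simulate d.

```python
"""Largest simulation relation (Definition 5.2) and the abstraction Abs /
abstract successors (Definition 5.3) on a small explicit transition system.
Added example, not code from the thesis; the system C below is constructed."""

# Constructed transition system C: successor sets per state, and one justice
# requirement J1 = {"c"}.  State d has every move of a plus an extra one,
# so d simulates a but not the other way round.
TRANS = {
    "a": {"b"},
    "b": {"c"},
    "c": {"c"},
    "d": {"e", "c"},
    "e": {"c"},
}
JUSTICE = [{"c"}]


def largest_simulation(trans, justice):
    """Greatest simulation relation compatible with the justice requirements.

    Start from all pairs (s1, s2) that agree on membership in every J_i and
    repeatedly drop a pair when some move s1 -> t1 cannot be matched by a move
    s2 -> t2 with (t1, t2) still in the relation.  The result is the largest
    relation satisfying Definition 5.2, i.e. (s1, s2) in rel  <=>  s1 ≼ s2."""
    rel = {(s1, s2) for s1 in trans for s2 in trans
           if all((s1 in j) == (s2 in j) for j in justice)}
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(rel):
            for t1 in trans[s1]:
                if not any((t1, t2) in rel for t2 in trans[s2]):
                    rel.discard((s1, s2))
                    changed = True
                    break
    return rel


def abs_of(q, rel):
    """Abs(Q) = {s1 | exists s2 in Q . s1 ≼ s2}: everything simulated by Q."""
    return {s1 for s1, s2 in rel if s2 in q}


def succ(q, trans):
    """succ(Q, ->): successor states of Q in the original system C."""
    return {t for s in q for t in trans[s]}


def abstract_succ(q, trans, rel):
    """succ(Q, =>) of the abstract system C', computed as Abs(succ(Q, ->))
    instead of building the transition relation of C' explicitly."""
    return abs_of(succ(q, trans), rel)


if __name__ == "__main__":
    rel = largest_simulation(TRANS, JUSTICE)
    print(sorted(p for p in rel if p[0] != p[1]))  # non-trivial pairs
    print(abs_of({"d"}, rel), abstract_succ({"d"}, TRANS, rel))
```

On this system the non-trivial pairs are a ≼ d, b ≼ d, b ≼ e, e ≼ b and e ≼ d, so Abs({d}) = {a, b, d, e}; applying Abs twice gives the same set, as the text states, and Abs({d}) is a strict superset of {d} because ≼ is reflexive.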
Lemma 5.4. Given q′1 ≼ q1, if there exists a path of length n, q′1 ⇒ q′2 ⇒ ··· ⇒ q′n,
in C′, there exists a path of length n, q1 → q2 → ··· → qn, in C such that q′i ≼ qi for all
1 ≤ i ≤ n.
Proof: We prove by induction on n.
• n = 1: This holds trivially because q′1 ≼ q1.
• Suppose that for any path of length n = k, q′1 ⇒ q′2 ⇒ ··· ⇒ q′k in C′, there exists
a path of length k, q1 → q2 → ··· → qk in C such that q′i ≼ qi for all 1 ≤ i ≤ k.
We prove that this still holds for n = k + 1. Given any path of length k + 1,
q′1 ⇒ q′2 ⇒ ··· ⇒ q′k ⇒ q′k+1, in C′, by the induction hypothesis there exists
q1 → q2 → ··· → qk in C such that q′i ≼ qi for all 1 ≤ i ≤ k. By definition of
C′, q′k ⇒ q′k+1 implies that there exists r′ such that q′k → r′ and q′k+1 ≼ r′.
Moreover, since q′k ≼ qk in C, there exists a transition qk → r in C such that
r′ ≼ r. By transitivity, q′k+1 ≼ r. Therefore, we can select qk+1 = r, and the lemma is
proved. □
Lemma 5.5. Given q′1 ≼ q1, if there exists a cycle q′1 ⇒ ··· ⇒ q′1 in C′ which
contains a Ji-state for all Ji ∈ J, there exists a cycle q1 → ··· → q1 in C which
contains a Ji-state for all Ji ∈ J.
Proof: We prove by induction that for all n ≥ 2, there exist q1, ···, qn in C such
that for all 1 ≤ i < n, qi → ··· → qi+1, and q′1 ≼ qi for all 1 ≤ i ≤ n.
• n = 2: Since q′1 ≼ q1 and there exists q′1 ⇒ ··· ⇒ q′1 in C′, by applying
Lemma 5.4, there exists q1 → ··· → q2 in C where q′1 ≼ q2.
• Assume that for n = k there exist q1, ···, qk such that for all 1 ≤ i < k, qi → ··· →
qi+1, and q′1 ≼ qi for all 1 ≤ i ≤ k. Since q′1 ≼ qk and q′1 ⇒ ··· ⇒ q′1 in C′,
by applying Lemma 5.4, there exists a path qk → ··· → r such that q′1 ≼ r.
Thus, we can select qk+1 = r, and there exist q1, ···, qk+1 such that for all
1 ≤ i < k + 1, qi → ··· → qi+1, and q′1 ≼ qi for all 1 ≤ i ≤ k + 1.
By induction, there are infinitely many states q1, q2, ··· such that qi → ··· → qi+1 in
C. Since the number of states in C is finite, there exists qj = q1 for some j > 1.
Therefore, there exists a cycle q1 → ··· → q1 in C. Moreover, since the simulation
relation is compatible with the set of justice requirements J, the fact that the cycle
q′1 ⇒ ··· ⇒ q′1 in C′ contains a Ji-state for all Ji ∈ J implies that for all 1 ≤ i < j,
the path qi → ··· → qi+1 also contains a Ji-state for all Ji ∈ J. Thus, the cycle
q1 → ··· → q1 also contains a Ji-state for all Ji ∈ J. Therefore, there exists an
accepting cycle q1 → ··· → q1 in C. □
Lemma 5.6. If there exists an accepting run in C′, there exists an accepting run in
C.
Proof: Since the number of states in C′ is finite, the accepting run in C′ has a lasso
form q′0 ⇒ ··· ⇒ q′m ⇒ (r′0 ⇒ ··· ⇒ r′n)^ω where q′0 ∈ s′0. By applying Lemma 5.4 to
the path q′0 ⇒ ··· ⇒ q′m ⇒ r′0, there exists a path q0 → ··· → qm → r0 in C where
q0 ∈ s0. Then, by applying Lemma 5.5 to the cycle r′0 ⇒ ··· ⇒ r′n ⇒ r′0, there exists
a cycle r0 → ··· → rk → r0 in C. Moreover, this cycle also contains a Ji-state for all
Ji ∈ J. Thus, there exists an accepting run q0 → ··· → qm → (r0 → ··· → rk)^ω in
C. □
Theorem 5.7. Given a transition system C, a set of justice requirements J, and a
simulation relation ≼ over the states of C, C has an accepting run if and only if C′,
defined as in Definition 5.3, has an accepting run.
Proof: C′ is an abstraction of C: since ≼ is reflexive, every transition s′1 → s2 of C is
also a transition s′1 ⇒ s2 of C′, and s0 ⊆ s′0. Therefore, if there exists
an accepting run in C, this run also exists in C′. In the other direction, if there
exists an accepting run in C′, by Lemma 5.6, there exists an accepting run in C.
Thus, the theorem is proved. □
Following Theorem 5.7, we can use the abstract transition system C′ as the
input for Algorithm 7. However, explicitly computing the transition relation of C′ is
computationally expensive. Instead, we apply Abs to the result of every call succ(Q)
on the fly in Algorithm 7, using the fact that succ(Q, ⇒) = Abs(succ(Q, →)).
Algorithm 8 presents our improved emptiness checking algorithm for timed automata
using the simulation relation. We rename the function IsEmptyabs. The
Algorithm 8 Algorithm IsEmptyabs
1: function IsEmptyabs(Init, Trans, J)
2: old = ∅
3: Init = Abs(Init)
4: new = Reachabs(Init, Trans)
5: while (new ≠ old) do
6: old = new
7: for all Ji ∈ J do
8: new = Reachabs(new ∩ Ji, Trans)
9: end for
10: while (new ≠ new ∩ Abs(succ(new))) do
11: new = new ∩ Abs(succ(new))
12: end while
13: end while
14: return (new = ∅)
15: end function
difference between Algorithm 8 and Algorithm 7 is that in the function IsEmptyabs,
at the beginning, we set Init = Abs(Init) at line 3, and throughout the algorithm,
we call the functions Reachabs(Q, Trans) and Abs(succ(Q)) instead of Reach(Q, Trans)
and succ(Q) respectively. Note that the function Reachabs(Q, Trans) is introduced
in Section 4.3. In other words, we always apply the abstraction function Abs to the
results of the succ function. We prove that Algorithm 8 is sound and complete.
Theorem 5.8. Algorithm 8 is sound and complete.
Proof: As discussed above, given
a transition system C with a set of initial states Init, the transition relation Trans,
and a set of justice requirements J, while IsEmpty(Init, Trans, J) checks the
emptiness of C, IsEmptyabs(Init, Trans, J) actually checks the emptiness of the
abstract transition system C′ of C defined as in Definition 5.3. Thus, the correctness
of Algorithm 8 follows from Theorem 5.7. □
Since emptiness checking requires many fixpoint computations, the rationale of
Algorithm 8 is to converge faster to the fixpoint. As we proved in Chapter 4, the
call Reachabs(Abs(Q), Trans) requires at most as many iterations as the
call Reach(Q, Trans). Moreover, Reachabs(Abs(Q), Trans) = Abs(Reach(Q, Trans)).
In the following, we show that Abs is preserved not only by the reachability function
but also by the intersection with justice requirements (line 8 in Algorithms 7 and 8). In our
proof, to distinguish from Algorithm 7, we use Q′ and new′ to denote the values of
the variables Q and new in Algorithm 8 respectively.
Lemma 5.9. If new′ = Abs(new), then Reachabs(new′ ∩ Ji) = Abs(Reach(new ∩ Ji))
for any justice requirement Ji ∈ J.
Proof: Since Ji = Abs(Ji), we prove that new′ ∩ Ji = Abs(new ∩ Ji) and then
apply Lemma 4.12. We have Abs(new ∩ Ji) ⊆ Abs(new) ∩ Abs(Ji) = new′ ∩ Ji. Then,
we prove new′ ∩ Ji ⊆ Abs(new ∩ Ji). Given any s′ ∈ new′ ∩ Ji, there exists s ∈ new
such that s′ ≼ s. Moreover, s′ ∈ Ji implies s ∈ Ji. So s ∈ new ∩ Ji. Therefore,
s′ ∈ Abs(new ∩ Ji). □
Thus, at most the same number of iterations is required to reach the fixpoint
at line 8 in Algorithm 8. However, the invariant new′ = Abs(new) is no longer valid
at line 11 of Algorithms 7 and 8.
Lemma 5.10. If new′ = Abs(new), then Abs(new ∩ Abs(succ(new))) ⊆ new′ ∩ Abs(succ(new′)).
Proof: We have Abs(new ∩ Abs(succ(new))) ⊆ Abs(new) ∩ Abs(Abs(succ(new))) =
new′ ∩ Abs(succ(new)) = new′ ∩ Abs(succ(new′)). □
The invariant new′ = Abs(new) is valid throughout the computation of all reachable states
from the initial states at line 4 and through lines 7-9 in the first iteration of the while-loop. In the rest
of Algorithms 7 and 8, we have new ⊆ Abs(new) ⊆ new′. Since new′ is a superset
of new, it is possible that the fixpoint is also reached with a smaller number of iterations.
5.4 Emptiness Checking of Timed Büchi Automaton
Based on the discrete semantics of TBA, Algorithm 7 can be adopted to verify the
emptiness of TBA. Specifically, given a TBA A, BDDs are used to encode the transition
system DS(A) as in [80, 21]. Then, we obtain the BDD encodings of the initial
state and the transition relation of DS(A). The requirement that the run must visit
an accepting state infinitely often and contain an infinite number of tick transitions
and action transitions is represented as the justice requirements J = {F, J0, J1}. F is
the set of accepting states in DS(A). J0 (respectively J1) is the set of states which
are the destination states of an action transition (respectively a tick transition). A
boolean variable isTick can be introduced during the encoding of the TBA. For each
transition, isTick is updated to false if the transition is an action transition; otherwise,
isTick is updated to true. Then, J0 is the set of states where isTick is false,
and J1 is the set of states where isTick is true. After having the BDD encodings of
the initial state, the transition relation, and the justice requirements, Algorithm 7 can
be implemented using the corresponding BDD operations, and the TBA is empty
if and only if the BDD returned by the algorithm is equal to the BDD of false.
Algorithm 8 can also be adopted to verify the emptiness of TBA if we have the
encoding of the simulation relation of the given TBA. We remark that although in
general identifying a simulation relation is computationally expensive [1, 67], we
can obtain LU simulation relations for TBA without exploring the state space, as
shown in Lemma 2.3.
The benefit of using LU simulation is that it allows us to handle large maximal clock
constants. Given a clock x, assume L(x) < U(x) and U(x) is much larger than
L(x). Then the clock valuation v′ with v′(x) = L(x) + 1 simulates every clock
valuation v with v′(x) < v(x). Thus, with the function Abs as defined above, once we find
the state with clock valuation v′, we do not need to follow many tick transitions to
Figure 5.1: Example of LU Simulation (locations l0 and l1, with the transition from l0 to l1 guarded by [1 ≤ x ≤ 10^6])
find states with clock valuation v(x) > v′(x); those states are obtained directly by
the Abs function. This avoids many calls of the succ function.
Figure 5.1 shows a TBA with two locations l0, l1 and one clock x where
L(x) = 1 and M(x) = U(x) = 10^6. For simplicity, given a state (l, v) where l
is the location and v is the clock valuation with v(x) = i, we write (l, i) to
denote that state. Then, it needs 10^6 + 1 iterations to find all of the reachable
states Reach({(l0, 0)}). However, using LU simulation, it needs only 4 iterations
to find all of the reachable states Reachabs(Abs({(l0, 0)})): Q′0 = {(l0, 0)}, Q′1 =
{(l0, 0), (l0, 1)}, Q′2 = {(l1, 1)} ∪ {(l0, i) | 0 ≤ i ≤ 10^6 + 1}, Q′3 = Reachabs(Abs({(l0, 0)})).
From Q′1, we find the state (l0, 2) where v(x) > L(x), and this state simulates
all states (l0, i) where i > 2. Similarly, from Q′2, we find the state (l1, 2), and this
state also simulates all states (l1, i) where i > 2. This example illustrates how we can
benefit from LU simulation to handle models with large maximal clock constants.
Note that the LU bounds can be defined per location to further enhance the
efficiency of LU simulation [15].
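The following added example (not code from the thesis or from the PAT implementation) runs Algorithm 7 and Algorithm 8 on the discrete semantics of Section 5.2.3 for the TBA of Figure 5.1, and on a constructed variant with an extra edge from l1 back to l0 that resets x, using the justice requirements F, J0 and J1 of this section. It assumes that l1 is the accepting location, replaces BDDs by explicit Python sets, and makes U(x) a parameter so that the run finishes quickly (the thesis uses 10^6). Under these assumptions Reach_abs still converges in 4 iterations whatever U(x) is, while Reach needs more than U(x).

```python
"""Emptiness checking of a closed timed Buechi automaton under its discrete
semantics, with Algorithm 7 and Algorithm 8 run on explicit state sets.
Added example, not code from the thesis or from PAT: Python sets stand in
for BDDs, U(x) is a parameter and the accepting location is assumed to be l1."""

L_X = 1  # L(x): the largest lower-bound constant on x (1 <= x in Figure 5.1)


def fig51_edges(u_x):
    """Edges (src, lo, hi, dst, reset) with guard lo <= x <= hi; Figure 5.1 has
    the single edge l0 -> l1 guarded by 1 <= x <= U(x)."""
    return [("l0", 1, u_x, "l1", False)]


def loop_edges(u_x):
    """Constructed variant: an extra edge l1 -> l0 resetting x, so that a run
    with infinitely many actions and ticks through l1 exists."""
    return fig51_edges(u_x) + [("l1", 1, u_x, "l0", True)]


def make_tba(edges, u_x):
    """Discrete semantics: states (location, x, isTick).  Returns the initial
    state, the succ function and the clock ceiling M(x)+1 = U(x)+1."""
    cap = u_x + 1

    def succ(states):
        out = set()
        for loc, x, _ in states:
            out.add((loc, min(x + 1, cap), True))  # tick: x (+) 1, isTick = true
            for src, lo, hi, dst, reset in edges:  # action: guard, reset, isTick = false
                if src == loc and lo <= x <= hi:
                    out.add((dst, 0 if reset else x, False))
        return out

    return ("l0", 0, False), succ, cap


def abs_lu(states, cap):
    """Abs(Q) for LU simulation: a state with x > L(x) simulates every state
    with the same location and isTick flag and a larger x.  (The other LU case,
    U(x) < i < x, cannot occur here because x never exceeds U(x)+1.)"""
    out = set(states)
    for loc, x, t in states:
        if x > L_X:
            out.update((loc, i, t) for i in range(x + 1, cap + 1))
    return out


def reach(init, succ, abs_fn=lambda q: q):
    """Reach (identity abs_fn) / Reach_abs: least fixpoint of Q = Q u Abs(succ(Q)).
    Returns the reachable set and the number of succ calls made."""
    q = abs_fn(set(init))
    calls = 0
    while True:
        nxt = q | abs_fn(succ(q))
        calls += 1
        if nxt == q:
            return q, calls
        q = nxt


def is_empty(init, succ, justice, abs_fn=lambda q: q):
    """Algorithm 7 (identity abs_fn) or Algorithm 8 (abs_fn = Abs).
    justice: predicates J_i on states.  Returns (empty?, succ calls)."""
    new, calls = reach(init, succ, abs_fn)
    old = set()
    while new != old:
        old = new
        for j in justice:  # line 8: states reachable from a J_i-state in new
            new, n = reach({s for s in new if j(s)}, succ, abs_fn)
            calls += n
        while True:  # lines 10-12: drop states without a successor in new
            pruned = new & abs_fn(succ(new))
            calls += 1
            if pruned == new:
                break
            new = pruned
    return not new, calls


def check(edges, u_x, abstract):
    """Emptiness of the TBA with the justice requirements J = {F, J0, J1}."""
    init, succ, cap = make_tba(edges, u_x)
    justice = [
        lambda s: s[0] == "l1",  # F: accepting location (assumed to be l1)
        lambda s: not s[2],      # J0: target of an action transition
        lambda s: s[2],          # J1: target of a tick transition
    ]
    abs_fn = (lambda q: abs_lu(q, cap)) if abstract else (lambda q: q)
    return is_empty({init}, succ, justice, abs_fn)


if __name__ == "__main__":
    for name, edges in (("Figure 5.1", fig51_edges(300)), ("with loop", loop_edges(300))):
        for abstract in (False, True):
            print(name, "Abs" if abstract else "plain", check(edges, 300, abstract))
```

Both algorithms agree on every instance, as Theorem 5.7 requires: the TBA of Figure 5.1 is empty because its single action transition can be taken only once, and the looping variant is not. The pruning loop of lines 10-12 still removes one state per iteration here for both algorithms, which illustrates the remark after Lemma 5.10 that the invariant new′ = Abs(new) gives no guarantee for that part of the computation.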
5.5 Implementation and Evaluation
We have extended Algorithms 7 and 8 to verify timed automata against LTL properties
with the requirement of non-Zenoness in the PAT model checker [93]. Specifically,
given a timed automaton M and an LTL property ϕ, checking whether M satisfies ϕ
is equivalent to the emptiness checking of the TBA obtained by composing M with the
negation of ϕ. The CUDD package [92] is used in our implementation. Our encoding
techniques follow those in [80, 21]. We evaluate the efficiency of our approach in
two experiments, using a set of four benchmark systems: the CSMA/CD protocol,
the Fischer mutual exclusion protocol, the Lynch-Shavit mutual exclusion protocol, and
TwoStates [29]. The experiments are conducted on a
PC with an Intel Core i7-2600 CPU at 3.4GHz and 4GB RAM, with a time limit of 2
CPU hours. In order to show the efficiency of our improved algorithm, all properties
are valid, so that the whole state space is explored. We measure the number
of succ function calls, the verification time (in seconds), and the memory usage (in MB).
An entry 'oot' in the tables means that the time limit was reached, and an entry 'oom'
means that the program ran out of memory. The column #succ in the tables is the
number of succ function calls.
In the first experiment, to demonstrate the efficiency of our approach in
handling large maximal clock constants, we fix the number of processes at 4 and
increase the maximal clock constants. Table 5.1 presents the results. The column
MCC gives the maximal clock constant of the corresponding model. The column
PAT-NonSim shows the results of the Algorithm 7 implementation, and the column PAT-Sim
shows the results of the Algorithm 8 implementation. According to the results,
by using the LU simulation relation, the number of succ function calls is reduced
significantly. The TwoStates benchmark is a good example of how the simulation relation
removes the effect of large maximal clock constants: the number of succ function
calls of PAT-Sim is unchanged, while the number of succ function calls of PAT-NonSim
grows linearly with the maximal clock constant. As a result, PAT-Sim outperforms PAT-NonSim
on all the models. PAT-Sim is not only faster but also uses less memory
than PAT-NonSim. Thus, it can handle models with maximal clock constants up to
thousands.
In the second experiment, to demonstrate the efficiency of our approach in
handling a large number of processes, we fix the maximal clock constant at 808
for CSMA/CD and at 100 for the other benchmarks. Then, we increase the number of
processes. In this experiment, we compare our approach with the CTAV tool [69].
Table 5.1: Experimental results on large maximal clock constants
Model      MCC   PAT-Sim                    PAT-NonSim
                 #succ   Time   Memory      #succ   Time   Memory
CSMA/CD    404   4,334   5      36          14,169  493    876
CSMA/CD    808   8,608   18     75          28,257  2,857  1,489
CSMA/CD    1616  16,688  35     82          -       -      oom
Fischer    200   979     2      28          2,812   417    1,101
Fischer    400   1,779   3      29          5,412   3,847  1,600
Fischer    800   3,379   8      34          -       oot    -
Lynch      200   6,937   25     53          19,682  2,404  1,434
Lynch      400   13,137  45     62          -       oot    -
Lynch      800   25,537  90     63          -       -      -
TwoStates  400   234     0.33   25          4,896   3      25
TwoStates  800   234     1      28          9,696   8      30
TwoStates  1600  234     4      31          19,296  21     35
Table 5.2: Experimental results on large number of processes
Model      #Proc  PAT-Sim                   PAT-NonSim                 CTAV
                  #succ   Time   Memory     #succ   Time    Memory     Time
CSMA/CD    12     22,184  283    1,041      -       oot     -          562
CSMA/CD    16     28,972  511    756        -       -       -          oom
CSMA/CD    20     35,760  839    1,063      -       -       -          -
Fischer    8      608     5      39         1,974   10,275  1,689      4
Fischer    12     672     46     208        -       -       oom        oom
Fischer    16     736     310    965        -       -       -          -
Lynch      4      3,591   1      25         10,003  243     329        1
Lynch      8      9,839   42     65         -       -       oom        5
Lynch      12     19,551  585    326        -       -       -          oom
TwoStates  3      964     0.79   25         1,580   1       25         oot
TwoStates  4      1,176   9      90         1,888   29      140        -
TwoStates  5      1,389   72     359        2,198   222     362        -
Both CTAV and our approach make use of the LU simulation relation. While CTAV
uses the LU simulation relation over DBMs as LU extrapolation, we use the LU
simulation relation over BDDs. CTAV was shown to outperform Profounder [99] in [69]. Uppaal
is not used in this experiment because it does not support LTL model checking with
the non-Zenoness requirement. Table 5.2 presents the experimental results. According to
the results, the PAT-Sim approach outperforms the PAT-NonSim approach and CTAV on all
the models. Specifically, it is faster and can handle more processes than PAT-NonSim
and CTAV. For example, in the CSMA/CD model with 16 processes, PAT-Sim completes the
verification within 511 seconds and 756 MB, while PAT-NonSim runs out of time and
CTAV runs out of memory.
In summary, according to the results of the two experiments, by using LU simulation,
our approach can handle models with large maximal clock constants
and a large number of processes.
5.6 Chapter Summary
This chapter considers the emptiness problem of TBA. We propose to use the simulation
relation to improve the symbolic emptiness checking algorithm for transition
systems. Based on this, we apply LU simulation to the emptiness checking of TBA.
This allows us to handle models with larger maximal clock constants and a larger number
of processes. Finally, experimental results confirm that our improved algorithm
is faster and can handle larger models.
Chapter 6
Conclusion and Future Work
This thesis studies BDD-based model checking techniques for real-time systems.
Specifically, it investigates the problems of the BDD encoding and the state space
explosion in the reachability analysis and the emptiness checking. In this final chap-
ter, we summarize the contributions of this thesis and discuss directions for future
work.
6.1 Thesis Summary
The main objective of this thesis is to investigate the problems of BDD-based model
checking for real-time systems. The result of this thesis is a BDD framework for real-
time model checking which includes many encoding techniques and efficient model
checking algorithms.
In Chapter 1, an introduction and a literature review of real-time model checking
are presented. Then, the research gaps of real-time model checking are listed. In summary,
the first gap is how to encode hierarchical real-time systems efficiently. The
second gap is the state space explosion in the reachability analysis and the emptiness
checking of models with large clock constants. These research gaps are investigated
and addressed in the subsequent chapters.
In Chapter 2, preliminaries on real-time model checking are provided. First, we
present timed automata. The zone-based model checking approach is then explained.
Next, we introduce the BDD data structure and the encoding techniques for hierarchical
concurrent systems. The encoding techniques include the FSM encoding and the
compositional encoding functions. Finally, we present the BDD-based algorithms for
reachability analysis and emptiness checking.
In Chapter 3, we study the encoding techniques for hierarchical real-time sys-
tems. Primitive components are encoded as TFSMs. The encodings of primitive
components are then composed by compositional encoding functions gradually to
obtain the encoding of the system. We propose to remove clock variables and to
use only tick transitions to represent clock constraints in order to obtain smaller
encodings. After having the encodings of the models, in the next two chapters, we
improve the algorithms of the reachability analysis and emptiness checking by using
the LU simulation relation.
In Chapter 4, we study the reachability analysis problem and propose to use
the LU simulation relation. We prove that the simulation relation preserves
reachability. Moreover, even on models with large clock constants, the reachability
analysis algorithm with the simulation relation requires a smaller number of iterations
and terminates earlier. The experimental results show that our improved algorithm
with the simulation relation significantly outperforms the algorithm without the
simulation relation.
In Chapter 5, we continue with the emptiness checking problem and propose
to use the LU simulation relation to improve its performance in the same way, because
emptiness checking also requires computing the set of reachable states. We
prove that the simulation relation also preserves emptiness. However, in contrast
to reachability checking, the emptiness checking algorithm might require more
iterations. Specifically, we show that the first operations of the emptiness
checking certainly require a smaller number of iterations, while this is not guaranteed
for the rest. The experimental results on benchmark systems show that the emptiness
checking algorithm with the simulation relation requires a smaller number of iterations
and that the performance is improved significantly. We then extend the emptiness
checking algorithm to support LTL model checking.
This concludes the summary of the thesis. In the following, we discuss directions for future
work.
6.2 Future Work
6.2.1 IC3 without SAT Solvers
With the advance of SAT solvers, SAT-based model checking techniques, including
bounded model checking [24], k-induction [91], and interpolation [75], were proposed.
Recently, a new approach, namely IC3 [30], was introduced by Bradley. IC3 gradually
refines the property without unrolling the transition relation. Thus, BDDs can be
used as the SAT solver inside the IC3 algorithm. Since BDDs are canonical, once the
encodings are available, a SAT query is answered in O(1) time by checking whether the
BDD is the constant false. Moreover, Kindermann et al. showed that IC3 can
be applied to verify safety properties of real-time systems [62]. However, their
implementation is based on the region abstraction. We could combine IC3
with BDDs under the zone abstraction, which could lead to better performance.
6.2.2 Inclusion Checking
In this thesis, we investigated the reachability and emptiness problems. Basically,
those problems check whether the behavior of a timed automaton contains an error
behavior or is included in the behavior defined by an LTL formula. Another problem
we want to investigate is inclusion checking, which checks whether the behavior
of a timed automaton is included in the behavior of another timed automaton. The
inclusion checking problem was shown to be undecidable [4], and many subclasses of
timed automata for which inclusion checking is decidable have been discovered, such as
deterministic timed automata [4], digitization [49], robust timed automata [45], and
event clock automata [5].
6.2.3 Model Checking for Parametric Timed Automata
Parametric Timed Automata (PTA) were first introduced by Alur et al. [6]. While
in timed automata clock values are compared to constants, in parametric timed
automata clock values are compared to parameters, i.e., unknown constants. Unfortunately,
the emptiness problem of PTA is undecidable. Hune et al. [58] proposed
a subclass of PTA, called lower bound/upper bound (L/U) automata, for which the
emptiness problem is decidable. Moreover, several synthesis algorithms have been developed to
handle parameterized clock constraints [60, 10, 9, 8]. The LU simulation
relation could possibly benefit model checking for PTA as well. Thus, a future work might be to develop a
synthesis algorithm for the reachability analysis of PTA.
6.2.4 Model Checking for Hybrid Systems
A hybrid system [48, 3] is a dynamic system with both discrete and continuous components.
An example of a hybrid system is an automobile engine whose fuel injection
(continuous) is regulated by a microprocessor (discrete) [48]. Hybrid automata can be
viewed as a generalization of timed automata. A possible direction of future research
is thus to extend our work to the verification of hybrid systems. Note that model checking for
hybrid automata is much more complex than model checking for timed automata.
For example, the reachability problem is undecidable even for very restricted classes
of hybrid automata [48].
Bibliography
[1] P. A. Abdulla, A. Bouajjani, L. Holík, L. Kaati, and T. Vojnar. Computing
Simulations over Tree Automata. In TACAS, pages 93–108, 2008.
[2] R. Alur. Techniques for Automatic Verification of Real-time Systems. PhD
thesis, Stanford University, 1992.
[3] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho,
X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. The Algorithmic Analy-
sis of Hybrid Systems. Theor. Comput. Sci., 138(1):3–34, 1995.
[4] R. Alur and D. L. Dill. A Theory of Timed Automata. Theoretical Computer
Science, 126(2):183–235, 1994.
[5] R. Alur, L. Fix, and T. A. Henzinger. A Determinizable Class of Timed Au-
tomata. In CAV, pages 1–13, 1994.
[6] R. Alur, T. A. Henzinger, and M. Y. Vardi. Parametric Real-Time Reasoning.
In STOC, pages 592–601, 1993.
[7] H. R. Andersen. An Introduction to Binary Decision Diagrams. Lecture Notes
for Efficient Algorithms and Programs, Fall 1999.
[8] É. André, T. Chatain, L. Fribourg, and E. Encrenaz. An Inverse Method for
Parametric Timed Automata. Int. J. Found. Comput. Sci., 20(5):819–836,
2009.
[9] É. André, Y. Liu, J. Sun, and J. S. Dong. Parameter Synthesis for Hierarchical
Concurrent Real-Time Systems. In ICECCS, pages 253–262, 2012.
[10] É. André, Y. Liu, J. Sun, J. S. Dong, and S.-W. Lin. PSyHCoS: Parameter
Synthesis for Hierarchical Concurrent Real-Time Systems. In CAV, pages 984–
989, 2013.
[11] E. Asarin, M. Bozga, A. Kerbrat, O. Maler, A. Pnueli, and A. Rasse. Data-
Structures for the Verification of Timed Automata. In HART, pages 346–360,
1997.
[12] E. Asarin, O. Maler, and A. Pnueli. On Discretization of Delays in Timed
Automata and Digital Circuits. In CONCUR, pages 470–484, 1998.
[13] A. Aziz, S. Tasiran, and R. K. Brayton. BDD Variable Ordering for Interacting
Finite State Machines. In DAC, pages 283–288, 1994.
[14] R. I. Bahar, E. A. Frohm, C. M. Gaona, G. D. Hachtel, E. Macii, A. Pardo,
and F. Somenzi. Algebraic Decision Diagrams And Their Applications. In
ICCAD, pages 188–191, 1993.
[15] G. Behrmann, P. Bouyer, E. Fleury, and K. G. Larsen. Static Guard Analysis
in Timed Automata Verification. In TACAS, pages 254–277, 2003.
[16] G. Behrmann, P. Bouyer, K. G. Larsen, and R. Pelánek. Lower and Upper
Bounds in Zone Based Abstractions of Timed Automata. In TACAS, pages
312–326, 2004.
[17] G. Behrmann, K. G. Larsen, J. Pearson, C. Weise, and W. Yi. Efficient Timed
Reachability Analysis Using Clock Difference Diagrams. In CAV, pages 341–
353, 1999.
[18] R. Bellman. The Theory of Dynamic Programming. Princeton University Press,
1957.
[19] J. Bengtsson and W. Yi. Timed Automata: Semantics, Algorithms and Tools.
In Lectures on Concurrency and Petri Nets, pages 87–124, 2003.
[20] B. Berthomieu and M. Menasche. An Enumerative Approach for Analyzing
Time Petri Nets. In IFIP Congress, pages 41–46, 1983.
[21] D. Beyer. Improvements in BDD-Based Reachability Analysis of Timed Au-
tomata. In FME, pages 318–343, 2001.
[22] D. Beyer, C. Lewerentz, and A. Noack. Rabbit: A Tool for BDD-Based Veri-
fication of Real-Time Systems. In CAV, pages 122–125, 2003.
[23] D. Beyer and A. Noack. Can Decision Diagrams Overcome State Space Explo-
sion in Real-Time Verification? In FORTE, pages 193–208, 2003.
[24] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu. Symbolic Model Checking
without BDDs. In TACAS, pages 193–207, 1999.
[25] R. Bloem, K. Ravi, and F. Somenzi. Efficient Decision Procedures for Model
Checking of Linear Time Logic Properties. In CAV, pages 222–235, 1999.
[26] R. Bloem, K. Ravi, and F. Somenzi. Symbolic Guided Search for CTL Model
Checking. In DAC, pages 29–34, 2000.
[27] P. Bouyer. Forward Analysis of Updatable Timed Automata. Formal Methods
in System Design, 24(3):281–320, 2004.
[28] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos:
A Model-Checking Tool for Real-Time Systems. In CAV, pages 546–550, 1998.
[29] M. Bozga, O. Maler, A. Pnueli, and S. Yovine. Some Progress in the Symbolic
Verification of Timed Automata. In CAV, pages 179–190, 1997.
[30] A. R. Bradley. SAT-Based Model Checking without Unrolling. In VMCAI,
pages 70–87, 2011.
[31] R. E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation.
IEEE Transactions on Computers, 35(8):677–691, 1986.
[32] J. R. Burch, E. M. Clarke, and D. E. Long. Symbolic Model Checking with
Partitioned Transition Relations. In VLSI, pages 49–58, 1991.
[33] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Sym-
bolic Model Checking: 10^20 States and Beyond. Information and Computation,
98(2):142–170, 1992.
[34] E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronization
Skeletons Using Branching-Time Temporal Logic. In Logic of Programs, Work-
shop, pages 52–71, 1982.
[35] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press,
2000.
[36] C. Daws and S. Tripakis. Model Checking of Real-Time Reachability Properties
Using Abstractions. In TACAS, pages 313–329, 1998.
[37] D. L. Dill. Timing Assumptions and Verification of Finite-State Concurrent
Systems. In Automatic Verification Methods for Finite State Systems, pages
197–212, 1989.
[38] D. L. Dill, A. J. Hu, and H. Wong-Toi. Checking for Language Inclusion Using
Simulation Preorders. In CAV, pages 255–265, 1991.
[39] J. S. Dong, P. Hao, S. Qin, J. Sun, and W. Yi. Timed Patterns: TCOZ to
Timed Automata. In ICFEM, pages 483–498, 2004.
[40] J. S. Dong, P. Hao, S. C. Qin, J. Sun, and W. Yi. Timed Automata Patterns.
IEEE Transactions on Software Engineering, 34(6):844–859, 2008.
[41] J. S. Dong, J. Sun, and Y. Liu. Build Your Own Model Checker in One Month.
In ICSE, pages 1481–1483, 2013.
[42] J. S. Dong, J. Sun, Y. Liu, and Y. Li. Event Analytics. In ICTAC, pages
17–24, 2014.
[43] R. Duke, G. Rose, and G. Smith. Object-Z: a Specification Language Advo-
cated for the Description of Standards. Computer Standards and Interfaces,
17:511–533, 1995.
[44] H. Fujii, G. Ootomo, and C. Hori. Interleaving Based Variable Ordering Meth-
ods for Ordered Binary Decision Diagrams. In ICCAD, pages 38–41, 1993.
[45] V. Gupta, T. A. Henzinger, and R. Jagadeesan. Robust Timed Automata. In
HART, pages 331–345, 1997.
[46] H. Hansen, S.-W. Lin, Y. Liu, T. K. Nguyen, and J. Sun. Diamonds Are a Girl’s
Best Friend: Partial Order Reduction for Timed Automata with Abstractions.
In CAV, pages 391–406, 2014.
[47] K. Havelund, A. Skou, K. G. Larsen, and K. Lund. Formal Modeling and
Analysis of an Audio/video Protocol: an Industrial Case Study using UPPAAL.
In RTSS, pages 2–13, 1997.
[48] T. A. Henzinger. The Theory of Hybrid Automata. In LICS, pages 278–292,
1996.
[49] T. A. Henzinger, Z. Manna, and A. Pnueli. What Good Are Digital Clocks?
In ICALP, pages 545–558, 1992.
[50] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic Model Check-
ing for Real-Time Systems. Information and Computation, 111(2):193–244,
1994.
[51] F. Herbreteau and B. Srivathsan. Efficient On-the-Fly Emptiness Check for
Timed Büchi Automata. In ATVA, pages 218–232, 2010.
[52] F. Herbreteau and B. Srivathsan. Coarse Abstractions Make Zeno Behaviours
Difficult to Detect. In CONCUR, pages 92–107, 2011.
[53] F. Herbreteau, B. Srivathsan, and I. Walukiewicz. Efficient Emptiness Check
for Timed Büchi Automata. In CAV, pages 148–161, 2010.
[54] F. Herbreteau, B. Srivathsan, and I. Walukiewicz. Better Abstractions for
Timed Automata. In LICS, pages 375–384, 2012.
[55] H. Hermanns, J. Meyer-Kayser, and M. Siegle. Multi Terminal Binary Decision
Diagrams to Represent and Analyse Continuous Time Markov Chains. In
NSMC, pages 188–207, 1999.
[56] C. A. R. Hoare. Communicating Sequential Processes. International Series in
Computer Science. Prentice-Hall, 1985.
[57] G. J. Holzmann. The SPIN Model Checker: Primer and Reference Manual.
Addison Wesley, 2003.
[58] T. Hune, J. Romijn, M. Stoelinga, and F. W. Vaandrager. Linear Parametric
Model Checking of Timed Automata. In TACAS, pages 189–203, 2001.
[59] K. Ji, Y. Liu, S.-W. Lin, J. Sun, J. S. Dong, and T. K. Nguyen. CELL: A
Compositional Verification Framework. In ATVA, pages 474–477, 2013.
[60] A. Jovanovic, D. Lime, and O. H. Roux. Integer Parameter Synthesis for Timed
Automata. In TACAS, pages 401–415, 2013.
[61] Y. Kesten, A. Pnueli, and L. Raviv. Algorithmic Verification of Linear Tem-
poral Logic Specifications. In ICALP, pages 1–16, 1998.
[62] R. Kindermann, T. A. Junttila, and I. Niemelä. SMT-Based Induction Methods
for Timed Systems. In FORMATS, pages 171–187, 2012.
[63] P. Krčál, L. Mokrushin, P. S. Thiagarajan, and W. Yi. Timed vs. Time-
Triggered Automata. In CONCUR, pages 340–354, 2004.
[64] A. Laarman, M. C. Olesen, A. E. Dalsgaard, K. G. Larsen, and J. van de
Pol. Multi-core Emptiness Checking of Timed Büchi Automata Using Inclusion
Abstraction. In CAV, pages 968–983, 2013.
[65] L. Lamport. A Fast Mutual Exclusion Algorithm. ACM Transactions on
Computer Systems, 5(1):1–11, 1987.
[66] L. Lamport. Real-Time Model Checking Is Really Simple. In CHARME, pages
162–175, 2005.
[67] F. Laroussinie and P. Schnoebelen. The State Explosion Problem from Trace
to Bisimulation Equivalence. In FoSSaCS, pages 192–207, 2000.
[68] K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a Nutshell. STTT,
1(1-2):134–152, 1997.
[69] G. Li. Checking Timed Büchi Automata Emptiness Using LU-Abstractions.
In FORMATS, pages 228–242, 2009.
[70] Y. Liu, J. Sun, and J. S. Dong. Analyzing Hierarchical Complex Real-time
Systems. In SIGSOFT FSE, pages 365–366, 2010.
[71] N. A. Lynch and N. Shavit. Timing-Based Mutual Exclusion. In RTSS, pages
2–11, 1992.
[72] B. P. Mahony and J. S. Dong. Timed Communicating Object Z. IEEE Trans-
actions on Software Engineering, 26(2):150–177, 2000.
[73] Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems - Safety.
Springer, 1995.
[74] K. L. McMillan. Symbolic Model Checking. Kluwer, 1993.
[75] K. L. McMillan. Interpolation and SAT-Based Model Checking. In CAV, pages
1–13, 2003.
[76] J. B. Møller, J. Lichtenberg, H. R. Andersen, and H. Hulgaard. Difference
Decision Diagrams. In CSL, pages 111–125, 1999.
[77] G. Morbé, F. Pigorsch, and C. Scholl. Fully Symbolic Model Checking for
Timed Automata. In CAV, pages 616–632, 2011.
[78] T. K. Nguyen, J. Sun, Y. Liu, and J. S. Dong. A Model Checking Framework
for Hierarchical Systems. In ASE, pages 633–636, 2011.
[79] T. K. Nguyen, J. Sun, Y. Liu, and J. S. Dong. Symbolic Model-Checking of
Stateful Timed CSP Using BDD and Digitization. In ICFEM, pages 398–413,
2012.
[80] T. K. Nguyen, J. Sun, Y. Liu, J. S. Dong, and Y. Liu. Improved BDD-based
Discrete Analysis of Timed Systems. In FM, pages 326–340, 2012.
[81] X. Nicollin, J. Sifakis, and S. Yovine. Compiling Real-Time Specifications into
Extended Automata. IEEE Trans. Software Eng., 18(9):794–804, 1992.
[82] J. Ouaknine and J. Worrell. Timed CSP = Closed Timed Safety Automata.
Electronic Notes in Theoretical Computer Science, 68(2):142–159, 2002.
[83] J. Ouaknine and J. Worrell. Revisiting Digitization, Robustness, and Decid-
ability for Timed Automata. In LICS, pages 198–207, 2003.
[84] A. Pnueli. The Temporal Logic of Programs. In FOCS, pages 46–57, 1977.
[85] K. Ravi and F. Somenzi. High-density reachability analysis. In ICCAD, pages
154–158, 1995.
[86] K. Ravi and F. Somenzi. Hints to accelerate Symbolic Traversal. In CHARME,
pages 250–264, 1999.
[87] M. Rice and S. Kulhari. A Survey of Static Variable Ordering Heuristics for
Efficient BDD/MDD Construction. Technical report, University of California,
Riverside, 2008.
[88] A. W. Roscoe, P. H. B. Gardiner, M. Goldsmith, J. R. Hulance, D. M. Jackson,
and J. B. Scattergood. Hierarchical Compression for Model-Checking CSP or
How to Check $10^{20}$ Dining Philosophers for Deadlock. In TACAS, pages 133–
152, 1995.
[89] D. Sahoo, J. Jain, S. K. Iyer, D. L. Dill, and E. A. Emerson. Predictive
Reachability Using a Sample-Based Approach. In CHARME, pages 388–392,
2005.
[90] S. Schneider. Concurrent and Real-Time Systems: The CSP Approach. Wiley,
2000.
[91] M. Sheeran, S. Singh, and G. Stålmarck. Checking Safety Properties Using
Induction and a SAT-Solver. In FMCAD, pages 108–125, 2000.
[92] F. Somenzi. CUDD: CU Decision Diagram Package. http://vlsi.colorado.edu/~fabio/CUDD/.
[93] J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards Flexible Verification
under Fairness. In CAV, pages 709–714, 2009.
[94] J. Sun, Y. Liu, J. S. Dong, L. Shi, and E. André. Modeling and Verifying
Hierarchical Real-time Systems using Stateful Timed CSP. ACM Transactions
on Software Engineering and Methodology, 22(1), 2012.
[95] J. Sun, Y. Liu, J. S. Dong, and X. Zhang. Verifying Stateful Timed CSP Using
Implicit Clocks and Zone Abstraction. In ICFEM, pages 581–600, 2009.
[96] S. Tani, K. Hamaguchi, and S. Yajima. The Complexity of the Optimal Vari-
able Ordering Problems of Shared Binary Decision Diagrams. In ISAAC, pages
389–398, 1993.
[97] S. Tripakis. Verifying Progress in Timed Systems. In ARTS, pages 299–314,
1999.
[98] S. Tripakis. Checking Timed Büchi Automata Emptiness on Simulation
Graphs. ACM Transactions on Computational Logic, 10(3):1–19, 2009.
[99] S. Tripakis, S. Yovine, and A. Bouajjani. Checking Timed Büchi Automata
Emptiness Efficiently. FMSD, 26(3):267–292, 2005.
[100] F. Wang. Symbolic Verification of Complex Real-Time Systems with Clock-
Restriction Diagram. In FORTE, pages 235–250, 2001.
[101] F. Wang. Formal Verification of Timed Systems: a Survey and Perspective.
Proceedings of the IEEE, 92(8):1283–1305, 2004.
[102] F. Wang, A. K. Mok, and E. A. Emerson. Symbolic Model Checking for
Distributed Real-Time Systems. In FME, pages 632–651, 1993.
[103] H. Wang and W. MacCaull. Verifying Real-Time Systems using Explicit-time
Description Methods. In QFM, pages 67–78, 2009.
[104] M. D. Wulf, L. Doyen, T. A. Henzinger, and J.-F. Raskin. Antichains: A New
Algorithm for Checking Universality of Finite Automata. In CAV, pages 17–30,
2006.
[105] M. D. Wulf, L. Doyen, and J.-F. Raskin. Almost ASAP Semantics: From
Timed Models to Timed Implementations. In HSCC, pages 296–310, 2004.
[106] Y. Yu, P. Manolios, and L. Lamport. Model Checking TLA+ Specifications.
In CHARME, pages 54–66, 1999.
Appendix A
Compositional Encoding Functions for FSMs
In this chapter, we show how compositional encoding functions for FSMs are implemented. Given two components $P_0$ and $P_1$, we denote the encoding of the component $P_i$ by $B_i = (\vec{V}, \vec{v}_i, Init_i, Trans_i, Out_i, In_i)$ where $i \in \{0, 1\}$. We assume that $\vec{v}_0$ and $\vec{v}_1$ are disjoint (otherwise variable renaming is necessary). Note that $\vec{V}$ is always shared.
Parallel Composition Let $P$ be the parallel composition of $P_0$ and $P_1$ over a set of common action names $Acts = Act_0 \cap Act_1$. Note that common actions must be synchronized between $P_0$ and $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ where
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1$
• $Init = Init_0 \wedge Init_1$
• $Trans = \bigvee_{i \in \{0,1\}} \big( (Trans_i \wedge \neg Acts \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}')) \vee (In_i \wedge Out_{1-i}) \big) \vee (Trans_0 \wedge Trans_1 \wedge Acts)$
• $Out = \bigvee_{i \in \{0,1\}} (Out_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$
• $In = \bigvee_{i \in \{0,1\}} (In_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$
Interleaving Composition Let $P$ be the interleaving composition of two components $P_0$ and $P_1$. In other words, $P$ includes two components $P_0$ and $P_1$ running in parallel and synchronizing through channel communication. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1$
• $Init = Init_0 \wedge Init_1$
• $Trans = \bigvee_{i \in \{0,1\}} \big( (Trans_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}')) \vee (In_i \wedge Out_{1-i}) \big)$. The transition relation contains two kinds of transitions: local transitions of each $P_i$, and synchronous channel communications between $P_0$ and $P_1$.
• $Out = \bigvee_{i \in \{0,1\}} (Out_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$
• $In = \bigvee_{i \in \{0,1\}} (In_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$. Although the channel inputs/outputs of $P$ cannot occur by themselves, we still compute $Out$ and $In$ in case $P$ is later combined with other components through interleaving composition.
Event Prefix Let $P$ be the event prefix composition $P = e \to P_0$. $P$ is ready to engage in the event $e$, and afterwards $P$ behaves as $P_0$. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where $happened$ is a fresh boolean variable recording whether the event $e$ has happened
• $Init = \neg happened$
• $Trans = (\neg happened \wedge event' = e \wedge happened' \wedge Init_0') \vee (happened \wedge Trans_0 \wedge happened')$
• $In = happened \wedge In_0 \wedge happened'$
• $Out = happened \wedge Out_0 \wedge happened'$
Channel Output Let $P$ be the channel output composition $P = c! \to P_0$. $P$ is ready to engage in the channel output $c!$, and afterwards $P$ behaves as $P_0$. However, the channel output $c!$ cannot occur by itself but must be synchronized with the corresponding channel input $c?$ of another process running in parallel with $P$. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where $happened$ is a fresh boolean variable recording whether the channel output $c!$ has happened
• $Init = \neg happened$
• $Trans = (happened \wedge Trans_0 \wedge happened')$
• $In = happened \wedge In_0 \wedge happened'$
• $Out = (\neg happened \wedge event' = c \wedge happened' \wedge Init_0') \vee (happened \wedge Out_0 \wedge happened')$
Channel Input Let $P$ be the channel input composition $P = c? \to P_0$. $P$ is ready to engage in the channel input $c?$, and afterwards $P$ behaves as $P_0$. However, the channel input $c?$ cannot occur by itself but must be synchronized with the corresponding channel output $c!$ of another process running in parallel with $P$. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where $happened$ is a fresh boolean variable recording whether the channel input $c?$ has happened
• $Init = \neg happened$
• $Trans = (happened \wedge Trans_0 \wedge happened')$
• $In = (\neg happened \wedge event' = c \wedge happened' \wedge Init_0') \vee (happened \wedge In_0 \wedge happened')$
• $Out = happened \wedge Out_0 \wedge happened'$
Choice Composition Let $P$ be the choice composition of $P_0$ and $P_1$. Then, $P$ can behave like either $P_0$ or $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{choice\}$ where $choice$ is a fresh boolean variable; $choice = i$ means $P_i$ is selected.
• $Init = Init_0 \wedge Init_1$. The variable $choice$ is not initialized, and thus either $P_0$ or $P_1$ can be selected.
• $Trans = \bigvee_{i \in \{0,1\}} ((choice = i) \wedge Trans_i \wedge (choice' = i))$
• $Out = \bigvee_{i \in \{0,1\}} ((choice = i) \wedge Out_i \wedge (choice' = i))$
• $In = \bigvee_{i \in \{0,1\}} ((choice = i) \wedge In_i \wedge (choice' = i))$
Other choices, like the external choice, internal choice or conditional choice of the literature [56], can be supported similarly.
Sequential Composition Let $P$ be the sequential composition of $P_0$ and $P_1$. At the beginning, $P$ behaves like $P_0$ until $P_0$ terminates. Then, it behaves like $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{terminated\}$ where $terminated$ is a fresh boolean variable recording whether $P_0$ has terminated.
• $Init = Init_0 \wedge \neg terminated$
• Let $\checkmark$ denote the special event of program termination (like executing a return statement in Java, or the event generated by the process $Skip$ in CSP). $Trans = (\neg terminated \wedge Trans_0 \wedge ((event' = \checkmark \wedge terminated' \wedge Init_1') \vee (event' \neq \checkmark \wedge \neg terminated'))) \vee (terminated \wedge Trans_1 \wedge terminated')$. Note that $Init_1'$ is obtained from $Init_1$ by replacing each variable $x$ with its primed copy $x'$. So, when $P_0$ terminates, $P_1$ is initialized on the termination event.
• $Out = (\neg terminated \wedge Out_0 \wedge \neg terminated') \vee (terminated \wedge Out_1 \wedge terminated')$
• $In = (\neg terminated \wedge In_0 \wedge \neg terminated') \vee (terminated \wedge In_1 \wedge terminated')$
Interrupt Composition Let $P$ be the interrupt composition of $P_0$ and $P_1$. At the beginning, $P$ behaves like $P_0$. However, $P_1$ can interrupt at any time and take control. After the interruption, $P$ behaves like $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{interrupted\}$ where $interrupted$ is a fresh boolean variable recording whether $P_1$ has interrupted $P_0$
• $Init = Init_0 \wedge Init_1 \wedge \neg interrupted$
• $Trans = (\neg interrupted \wedge Trans_0 \wedge \neg interrupted' \wedge (\vec{v}_1 = \vec{v}_1')) \vee (Trans_1 \wedge interrupted')$
• $Out = (\neg interrupted \wedge Out_0 \wedge \neg interrupted' \wedge (\vec{v}_1 = \vec{v}_1')) \vee (Out_1 \wedge interrupted')$
• $In = (\neg interrupted \wedge In_0 \wedge \neg interrupted' \wedge (\vec{v}_1 = \vec{v}_1')) \vee (In_1 \wedge interrupted')$
The process $P_1$ can interrupt $P_0$ at any time because there is no guard condition on the transitions of $P_1$. Moreover, when $P_1$ interrupts $P_0$, $interrupted$ is set to true, and all transitions and channel inputs/outputs of $P_0$ are disabled.
Appendix B
Stateful Timed CSP Symbolic Firing Rules
Stop $STOP$ cannot engage in any event.
$STOP \xrightarrow{tick} STOP$
Skip $SKIP$ can engage in the termination event and then becomes $STOP$.
$SKIP \xrightarrow{\checkmark} STOP \qquad SKIP \xrightarrow{tick} SKIP$
Parallel If $P_1$ and $P_2$ run in parallel on the common events $A$, the common events $A$, together with the termination event and $tick$, must be synchronized. Moreover, the channel inputs/outputs of each process are also synchronized.
$\dfrac{P_1 \xrightarrow{\mu} P_1' \quad [\mu \notin A^{\checkmark}]}{P_1 \parallel P_2 \xrightarrow{\mu} P_1' \parallel P_2}$
$P_2 \xrightarrow{e} P_2' \quad [e \in A^{\checkmark}]$
$P_1 \parallel P_2 \xrightarrow{c.} P_1' \parallel P_2'$
$P_1 \parallel P_2 \xrightarrow{tick} P_1' \parallel P_2'$
Interleaving If $P_1$ and $P_2$ run interleaved, they synchronize on the termination event and the $tick$ event. Moreover, the channel inputs/outputs of each process must be synchronized.
$\dfrac{P_1 \xrightarrow{\mu} P_1' \quad [\mu \neq \checkmark]}{P_1 \mathrel{|||} P_2 \xrightarrow{\mu} P_1' \mathrel{|||} P_2}$
$P_1 \mathrel{|||} P_2 \xrightarrow{e.} P_1' \mathrel{|||} P_2'$
$P_1 \mathrel{|||} P_2 \xrightarrow{tick} P_1' \mathrel{|||} P_2'$
Event Prefix The event prefix composition $e \to P$ is initially enabled to engage only in the event $e$, and after performing $e$ it behaves as $P$.
$\dfrac{P_1 \xrightarrow{tick} P_1' \wedge P_2 \xrightarrow{tick} P_2'}{P_1 \mathrel{[]} P_2 \xrightarrow{tick} P_1' \mathrel{[]} P_2'}$
Conditional Choice
$\dfrac{b \wedge P_1 \xrightarrow{e} P_1'}{\mathbf{if}\ (b)\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 \xrightarrow{e} P_1'} \qquad \dfrac{\neg b \wedge P_2 \xrightarrow{e} P_2'}{\mathbf{if}\ (b)\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 \xrightarrow{e} P_2'}$
$\mathbf{if}\ (b)\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2$
$\dfrac{P_1 \xrightarrow{\mu} P_1' \quad [\mu \neq \checkmark]}{P_1 ; P_2}$
$\xrightarrow{tick} P_1' ; P_2$
Interrupt
$\dfrac{P_1 \xrightarrow{\mu} P_1' \quad [\mu \neq \checkmark]}{P_1\ \mathit{interrupt}\ P_2}$
$\xrightarrow{tick} P_1'\ \mathit{interrupt}\ P_2'$
Wait
$\dfrac{[t \geq 1]}{Wait[t]}$
$P_1\ \mathit{timeout}[t]\ P_2 \xrightarrow{\tau} P_1'\ \mathit{timeout}[t]\ P_2$
$\dfrac{P_1 \xrightarrow{tick} P_1' \quad [1 \leq t]}{P_1\ \mathit{timeout}[t]\ P_2}$
$\dfrac{P_1 \xrightarrow{\mu} P_1' \quad [\mu \neq \checkmark]}{P_1\ \mathit{interrupt}[t]\ P_2}$
$\dfrac{P_1 \xrightarrow{tick} P_1' \quad [1 \leq t]}{P_1\ \mathit{interrupt}[t]\ P_2}$
$\dfrac{P_1 \xrightarrow{\mu} P_1' \quad [\mu \neq \checkmark]}{P_1\ \mathit{deadline}[t]}$
$\dfrac{P_1 \xrightarrow{tick} P_1' \quad [1 \leq t]}{P_1\ \mathit{deadline}[t]}$
$\xrightarrow{\tau} P_1'\ \mathit{within}[t]$
$\dfrac{P_1 \xrightarrow{tick} P_1' \quad [1 \leq t]}{P_1\ \mathit{within}[t] \xrightarrow{tick} P_1'\ \mathit{within}[t-1]}$
Appendix C
Compositional Encoding Functions for TFSMs
In this chapter, we show how compositional encoding functions for TFSMs are implemented. Given two components $P_0$ and $P_1$, we denote the encoding of the component $P_i$ by $B_i = (\vec{V}, \vec{v}_i, Init_i, Trans_i, Out_i, In_i, Tick_i)$ where $i \in \{0, 1\}$. We assume that $\vec{v}_0$ and $\vec{v}_1$ are disjoint (otherwise variable renaming is necessary). Note that $\vec{V}$ is always shared.
Stop The encoding of $STOP$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ where
• $\vec{v} = \emptyset$
• $Init = true$
• $Trans = In = Out = false$
• $Tick = (event' = tick)$
Skip The encoding of $SKIP$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ where
• $\vec{v} = \{isTerminated\}$ where $isTerminated$ is a fresh boolean variable recording whether $SKIP$ has terminated.
• $Init = \neg isTerminated$
• $Trans = (\neg isTerminated \wedge event' = \checkmark \wedge isTerminated')$
• $In = Out = false$
• $Tick = (event' = tick \wedge isTerminated' = isTerminated)$
Parallel Composition Let $P$ be the parallel composition of $P_0$ and $P_1$ over a set of common action names $Acts = Act_0 \cap Act_1$. Note that common actions must be synchronized between $P_0$ and $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ where
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1$
• $Init = Init_0 \wedge Init_1$
• $Trans = \bigvee_{i \in \{0,1\}} \big( (Trans_i \wedge \neg Acts \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}')) \vee (In_i \wedge Out_{1-i}) \big) \vee (Trans_0 \wedge Trans_1 \wedge Acts)$
• $Out = \bigvee_{i \in \{0,1\}} (Out_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$
• $In = \bigvee_{i \in \{0,1\}} (In_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$
• $Tick = Tick_0 \wedge Tick_1$
Interleaving Composition Let $P$ be the interleaving composition of two components $P_0$ and $P_1$. In other words, $P$ includes two components $P_0$ and $P_1$ running in parallel and synchronizing through channel communication. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1$
• $Init = Init_0 \wedge Init_1$
• $Trans = \bigvee_{i \in \{0,1\}} \big( (Trans_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}')) \vee (In_i \wedge Out_{1-i}) \big)$. The transition relation contains two kinds of transitions: local transitions of each $P_i$, and synchronous channel communications between $P_0$ and $P_1$.
• $Out = \bigvee_{i \in \{0,1\}} (Out_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$
• $In = \bigvee_{i \in \{0,1\}} (In_i \wedge (\vec{v}_{1-i} = \vec{v}_{1-i}'))$. Although the channel inputs/outputs of $P$ cannot occur by themselves, we still compute $Out$ and $In$ in case $P$ is later combined with other components through interleaving composition.
• $Tick = Tick_0 \wedge Tick_1$
Event Prefix Let $P$ be the event prefix composition $P = e \to P_0$. $P$ is ready to engage in the event $e$, and afterwards $P$ behaves as $P_0$. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where $happened$ is a fresh boolean variable recording whether the event $e$ has happened
• $Init = \neg happened$
• $Trans = (\neg happened \wedge event' = e \wedge happened' \wedge Init_0') \vee (happened \wedge Trans_0 \wedge happened')$
• $In = happened \wedge In_0 \wedge happened'$
• $Out = happened \wedge Out_0 \wedge happened'$
• $Tick = (\neg happened \wedge event' = tick \wedge \neg happened') \vee (happened \wedge Tick_0 \wedge happened')$
Channel Output Let $P$ be the channel output composition $P = c! \to P_0$. $P$ is ready to engage in the channel output $c!$, and afterwards $P$ behaves as $P_0$. However, the channel output $c!$ cannot occur by itself but must be synchronized with the corresponding channel input $c?$ of another process running in parallel with $P$. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where $happened$ is a fresh boolean variable recording whether the channel output $c!$ has happened
• $Init = \neg happened$
• $Trans = (happened \wedge Trans_0 \wedge happened')$
• $In = happened \wedge In_0 \wedge happened'$
• $Out = (\neg happened \wedge event' = c \wedge happened' \wedge Init_0') \vee (happened \wedge Out_0 \wedge happened')$
• $Tick = (\neg happened \wedge event' = tick \wedge \neg happened') \vee (happened \wedge Tick_0 \wedge happened')$
Channel Input Let $P$ be the channel input composition $P = c? \to P_0$. $P$ is ready to engage in the channel input $c?$, and afterwards $P$ behaves as $P_0$. However, the channel input $c?$ cannot occur by itself but must be synchronized with the corresponding channel output $c!$ of another process running in parallel with $P$. Then, the encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{happened\}$ where $happened$ is a fresh boolean variable recording whether the channel input $c?$ has happened
• $Init = \neg happened$
• $Trans = (happened \wedge Trans_0 \wedge happened')$
• $In = (\neg happened \wedge event' = c \wedge happened' \wedge Init_0') \vee (happened \wedge In_0 \wedge happened')$
• $Out = happened \wedge Out_0 \wedge happened'$
• $Tick = (\neg happened \wedge event' = tick \wedge \neg happened') \vee (happened \wedge Tick_0 \wedge happened')$
Choice Composition Let $P$ be the choice composition of $P_0$ and $P_1$. Then, $P$ can behave like either $P_0$ or $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{choice\}$ where $choice \in \{-1, 0, 1\}$ is a new variable: $choice = -1$ means the choice is not yet resolved, $choice = 0$ means $P_0$ is selected, and $choice = 1$ means $P_1$ is selected
• $Init = Init_0 \wedge Init_1 \wedge choice = -1$
• $Trans = \bigvee_{i \in \{0,1\}} ((choice = -1 \vee choice = i) \wedge Trans_i \wedge choice' = i)$
• $In = \bigvee_{i \in \{0,1\}} ((choice = -1 \vee choice = i) \wedge In_i \wedge choice' = i)$
• $Out = \bigvee_{i \in \{0,1\}} ((choice = -1 \vee choice = i) \wedge Out_i \wedge choice' = i)$
• $Tick = (choice = -1 \wedge Tick_0 \wedge Tick_1 \wedge choice' = -1) \vee \bigvee_{i \in \{0,1\}} (choice = i \wedge Tick_i \wedge choice' = i)$
Conditional Choice Composition Let $P$ be the conditional choice composition of $P_0$ and $P_1$, $P = \mathbf{if}\ (b)\ P_0\ \mathbf{else}\ P_1$. Then, $P$ becomes $P_0$ if $b$ is true and becomes $P_1$ if $b$ is false. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{choice\}$ where $choice \in \{-1, 0, 1\}$ is a new variable: $choice = -1$ means the choice is not yet resolved, $choice = 0$ means $P_0$ is selected, and $choice = 1$ means $P_1$ is selected
• $Init = Init_0 \wedge Init_1 \wedge choice = -1$
• $Trans = (((choice = -1 \wedge b) \vee choice = 0) \wedge Trans_0 \wedge choice' = 0) \vee (((choice = -1 \wedge \neg b) \vee choice = 1) \wedge Trans_1 \wedge choice' = 1)$
• $In = (((choice = -1 \wedge b) \vee choice = 0) \wedge In_0 \wedge choice' = 0) \vee (((choice = -1 \wedge \neg b) \vee choice = 1) \wedge In_1 \wedge choice' = 1)$
• $Out = (((choice = -1 \wedge b) \vee choice = 0) \wedge Out_0 \wedge choice' = 0) \vee (((choice = -1 \wedge \neg b) \vee choice = 1) \wedge Out_1 \wedge choice' = 1)$
• $Tick = (choice = -1 \wedge event' = tick \wedge choice' = -1) \vee \bigvee_{i \in \{0,1\}} (choice = i \wedge Tick_i \wedge choice' = i)$
Sequential Composition Let $P$ be the sequential composition of $P_0$ and $P_1$. At the beginning, $P$ behaves like $P_0$ until $P_0$ terminates. Then, it behaves like $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{terminated\}$ where $terminated$ is a fresh boolean variable recording whether $P_0$ has terminated.
• $Init = Init_0 \wedge \neg terminated$
• Let $\checkmark$ denote the special event of program termination (like executing a return statement in Java, or the event generated by the process $Skip$ in CSP). $Trans = (\neg terminated \wedge Trans_0 \wedge ((event' = \checkmark \wedge terminated' \wedge Init_1') \vee (event' \neq \checkmark \wedge \neg terminated'))) \vee (terminated \wedge Trans_1 \wedge terminated')$. Note that $Init_1'$ is obtained from $Init_1$ by replacing each variable $x$ with its primed copy $x'$. So, when $P_0$ terminates, $P_1$ is initialized on the termination event.
• $Out = (\neg terminated \wedge Out_0 \wedge \neg terminated') \vee (terminated \wedge Out_1 \wedge terminated')$
• $In = (\neg terminated \wedge In_0 \wedge \neg terminated') \vee (terminated \wedge In_1 \wedge terminated')$
• $Tick = (\neg terminated \wedge Tick_0 \wedge notTerminateEnable \wedge \neg terminated') \vee (terminated \wedge Tick_1 \wedge terminated')$ where $notTerminateEnable$ is the set of states of $P_0$ in which the termination event is not enabled.
Interrupt Composition Let $P$ be the interrupt composition of $P_0$ and $P_1$. At the beginning, $P$ behaves like $P_0$. However, $P_1$ can interrupt at any time and take control. After the interruption, $P$ behaves like $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{control\}$ where $-1 \leq control \leq 1$ is a fresh variable recording which process has control: $control = -1$ means that the interrupt is not yet resolved, while $control = 0$ (respectively $control = 1$) means that the interrupt is resolved in favor of $P_0$ (respectively $P_1$).
• $Init = Init_0 \wedge Init_1 \wedge control = -1$
• $Trans = (control = -1 \wedge Trans_0 \wedge ((event' = \checkmark \wedge control' = 0) \vee (event' \neq \checkmark \wedge control' = -1 \wedge (\vec{v}_1 = \vec{v}_1')))) \vee (control = 0 \wedge Trans_0 \wedge control' = 0) \vee (control = -1 \wedge Trans_1 \wedge ((event' = \tau \wedge control' = -1 \wedge (\vec{v}_0 = \vec{v}_0')) \vee (event' \neq \tau \wedge control' = 1))) \vee (control = 1 \wedge Trans_1 \wedge control' = 1)$
• $In = (control = -1 \wedge In_0 \wedge control' = -1 \wedge (\vec{v}_1 = \vec{v}_1')) \vee (control = 0 \wedge In_0 \wedge control' = 0) \vee (control = -1 \wedge In_1 \wedge control' = 1) \vee (control = 1 \wedge In_1 \wedge control' = 1)$
• $Out = (control = -1 \wedge Out_0 \wedge control' = -1 \wedge (\vec{v}_1 = \vec{v}_1')) \vee (control = 0 \wedge Out_0 \wedge control' = 0) \vee (control = -1 \wedge Out_1 \wedge control' = 1) \vee (control = 1 \wedge Out_1 \wedge control' = 1)$
• $Tick = (control = -1 \wedge Tick_0 \wedge Tick_1 \wedge control' = -1) \vee (control = 0 \wedge Tick_0 \wedge control' = 0) \vee (control = 1 \wedge Tick_1 \wedge control' = 1)$
Delay $P = Wait[t]$ delays for exactly $t$ time units and then terminates. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \{c\}$ where $-2 \leq c \leq t$ is a variable measuring the time left: $c = -1$ means that $t$ time units have elapsed and the $\tau$ transition has happened, and $c = -2$ means that after the termination event it becomes $STOP$.
• $Init = (c = t)$
• $Trans = (c = 0 \wedge event' = \tau \wedge c' = -1) \vee (c = -1 \wedge event' = \checkmark \wedge c' = -2)$
• $Out = false$
• $In = false$
• $Tick = (c \geq 1 \wedge event' = tick \wedge c' = c - 1) \vee (c < 0 \wedge event' = tick \wedge c' = c)$
Timeout Let $P$ be the timeout composition of $P_0$ and $P_1$, $P = P_0\ \mathit{timeout}[t]\ P_1$. Initially, the control belongs to $P_0$. If $P_0$ performs any visible action, the timeout is resolved in favor of $P_0$, and $P_1$ is discarded. However, if $P_0$ does not engage in any visible action within $t$ time units, the control is passed to $P_1$, and $P_0$ is discarded. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{clk\}$ where $-1 \leq clk \leq t + 1$ records the number of time units elapsed so far: $clk = -1$ indicates that a visible event of $P_0$ has been engaged, and $clk = t + 1$ indicates that $t$ time units have elapsed and $P_1$ has taken control
• $Init = Init_0 \wedge clk = 0$
• $Trans = (clk \leq t \wedge Trans_0 \wedge [(event' = \tau \wedge clk' = clk) \vee (event' \neq \tau \wedge clk' = -1)]) \vee (clk = t \wedge event' = \tau \wedge clk' = t + 1 \wedge Init_1') \vee (clk = t + 1 \wedge Trans_1 \wedge clk' = t + 1)$
• $In = (clk \leq t \wedge In_0 \wedge clk' = -1) \vee (clk = t + 1 \wedge In_1 \wedge clk' = t + 1)$
• $Out = (clk \leq t \wedge Out_0 \wedge clk' = -1) \vee (clk = t + 1 \wedge Out_1 \wedge clk' = t + 1)$
• $Tick = (Tick_0 \wedge [(0 \leq clk < t \wedge clk' = clk + 1) \vee (clk = -1 \wedge clk' = -1)]) \vee (clk = t + 1 \wedge Tick_1 \wedge clk' = t + 1)$
Timed Interrupt Let $P$ be the timed interrupt composition of $P_0$ and $P_1$, $P = P_0\ \mathit{interrupt}[t]\ P_1$. $P$ behaves as $P_0$ until $t$ time units elapse and then switches to $P_1$. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \vec{v}_1 \cup \{clk\}$ where $-1 \leq clk \leq t + 1$ records the number of time units elapsed so far
• $Init = Init_0 \wedge clk = 0$
• $Trans = (clk \leq t \wedge Trans_0 \wedge [(event' = \checkmark \wedge clk' = -1) \vee (event' \neq \checkmark \wedge clk' = clk)]) \vee (clk = t \wedge event' = \tau \wedge clk' = t + 1 \wedge Init_1') \vee (clk = t + 1 \wedge Trans_1 \wedge clk' = t + 1)$
• $In = (clk \leq t \wedge In_0 \wedge clk' = clk) \vee (clk = t + 1 \wedge In_1 \wedge clk' = t + 1)$
• $Out = (clk \leq t \wedge Out_0 \wedge clk' = clk) \vee (clk = t + 1 \wedge Out_1 \wedge clk' = t + 1)$
• $Tick = (Tick_0 \wedge [(0 \leq clk < t \wedge clk' = clk + 1) \vee (clk = -1 \wedge clk' = -1)]) \vee (clk = t + 1 \wedge Tick_1 \wedge clk' = t + 1)$
Deadline Let $P$ be the deadline composition of $P_0$ on $t$ time units, $P = P_0\ \mathit{deadline}[t]$. Then, $P_0$ is required to terminate within $t$ time units. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{clk\}$ where $-1 \leq clk \leq t$ records the number of time units elapsed so far, and $clk = -1$ once the deadline is resolved
• $Init = Init_0 \wedge clk = 0$
• $Trans = (clk \leq t \wedge Trans_0 \wedge [(event' \neq \checkmark \wedge clk' = clk) \vee (event' = \checkmark \wedge clk' = -1)])$
• $In = (clk \leq t \wedge In_0 \wedge clk' = clk)$
• $Out = (clk \leq t \wedge Out_0 \wedge clk' = clk)$
• $Tick = ([(0 \leq clk < t \wedge clk' = clk + 1) \vee (clk = -1 \wedge clk' = -1)] \wedge Tick_0)$
Timed Responsiveness Let $P$ be the within composition of $P_0$, $P = P_0\ \mathit{within}[t]$. Then, $P_0$ is required to perform a visible event within $t$ time units. The encoding of $P$ is $B = (\vec{V}, \vec{v}, Init, Trans, Out, In, Tick)$ such that:
• $\vec{v} = \vec{v}_0 \cup \{clk\}$ where $-1 \leq clk \leq t$ records the number of time units elapsed so far, and $clk = -1$ indicates that a visible action has happened
• $Init = Init_0 \wedge clk = 0$
• $Trans = (Trans_0 \wedge [(event' \neq \tau \wedge clk' = -1) \vee (event' = \tau \wedge clk' = clk)])$
• $In = (In_0 \wedge clk' = -1)$
• $Out = (Out_0 \wedge clk' = -1)$
• $Tick = (Tick_0 \wedge [(0 \leq clk < t \wedge clk' = clk + 1) \vee (clk = -1 \wedge clk' = -1)])$
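As an added, executable reading of the encoding functions of Appendix A and Appendix C (example code written for this page, not code from the thesis or from the PAT model checker), each component below is a Python object holding the domains of its local variables $\vec{v}$ and the predicates $Init$, $Trans$, $Out$, $In$ and $Tick$ as callables over valuations, standing in for BDDs. Event Prefix, Channel Output/Input, Parallel/Interleaving Composition and the Delay $Wait[t]$ follow the definitions above literally, and a bounded trace enumeration makes the synchronization on common actions, the pairing of $In_i$ with $Out_{1-i}$ and the urgent $\tau$ of $Wait[t]$ (no $tick$ at $c = 0$) visible on small constructed processes. The process and event names, and the constant names TAU, TICK and TERM for $\tau$, $tick$ and $\checkmark$, are assumptions of the example.

```python
import itertools

# Constructed event names: silent step tau, clock tick and the termination event
# (the checkmark of the appendices).  Nothing here is code from the thesis or from PAT.
TAU, TICK, TERM = "tau", "tick", "term"
_ids = itertools.count()

def fresh(base):
    """Fresh local variable name, so the v0 and v1 of composed components stay disjoint."""
    return f"{base}{next(_ids)}"

class Enc:
    """B = (v, Init, Trans, Out, In, Tick): v as variable domains, the rest as predicates
    init(s), trans/out/inp(s, e, s2) with e the value of event', and tick(s, s2)."""
    def __init__(self, domains, init, trans, out, inp, tick, events):
        self.domains, self.init, self.trans = domains, init, trans
        self.out, self.inp, self.tick, self.events = out, inp, tick, set(events)

    def valuations(self):                     # every assignment of the local variables
        names = list(self.domains)
        for vals in itertools.product(*(self.domains[n] for n in names)):
            yield dict(zip(names, vals))

def part(s, enc):                             # restrict a valuation to enc's own v_i
    return {x: s[x] for x in enc.domains}

def same(s, s2, enc):                         # v_i = v_i': enc's variables unchanged
    return part(s, enc) == part(s2, enc)

NEVER = lambda s, e, s2: False
STOP = Enc({}, lambda s: True, NEVER, NEVER, NEVER, lambda s, s2: True, ())

def _prefix(kind, ev, P0):
    """Event Prefix ('ev'), Channel Output ('out') and Channel Input ('in') share one
    shape: a fresh boolean 'happened'; only the relation named by kind may perform ev first."""
    h = fresh("happened")
    first = lambda s, e, s2: not s[h] and e == ev and s2[h] and P0.init(part(s2, P0))
    after = lambda rel: (lambda s, e, s2: s[h] and s2[h] and rel(part(s, P0), e, part(s2, P0)))
    pick = lambda k, rel: ((lambda s, e, s2: first(s, e, s2) or after(rel)(s, e, s2))
                           if kind == k else after(rel))
    tick = lambda s, s2: ((not s[h] and not s2[h])
                          or (s[h] and s2[h] and P0.tick(part(s, P0), part(s2, P0))))
    return Enc(dict(P0.domains, **{h: (False, True)}), lambda s: not s[h],
               pick("ev", P0.trans), pick("out", P0.out), pick("in", P0.inp), tick,
               P0.events | {ev})

prefix = lambda ev, P0: _prefix("ev", ev, P0)   # ev -> P0
output = lambda c, P0: _prefix("out", c, P0)    # c! -> P0
inp = lambda c, P0: _prefix("in", c, P0)        # c? -> P0

def par(P0, P1, acts=frozenset()):
    """Parallel Composition over the common actions acts; with acts empty this is exactly
    the appendix's Interleaving Composition (local steps plus matched In_i and Out_{1-i})."""
    Ps = (P0, P1)
    at = lambda i, rel, s, e, s2: rel(Ps[i])(part(s, Ps[i]), e, part(s2, Ps[i]))
    def trans(s, e, s2):
        local = any(e not in acts and at(i, lambda P: P.trans, s, e, s2)
                    and same(s, s2, Ps[1 - i]) for i in (0, 1))
        comm = any(at(i, lambda P: P.inp, s, e, s2) and at(1 - i, lambda P: P.out, s, e, s2)
                   for i in (0, 1))
        sync = e in acts and all(at(i, lambda P: P.trans, s, e, s2) for i in (0, 1))
        return local or comm or sync
    side = lambda rel: (lambda s, e, s2: any(at(i, rel, s, e, s2) and same(s, s2, Ps[1 - i])
                                              for i in (0, 1)))
    return Enc(dict(P0.domains, **P1.domains),
               lambda s: P0.init(part(s, P0)) and P1.init(part(s, P1)), trans,
               side(lambda P: P.out), side(lambda P: P.inp),
               lambda s, s2: all(P.tick(part(s, P), part(s2, P)) for P in Ps),
               P0.events | P1.events)

def wait(t):
    """Delay Wait[t]: c counts ticks down; at c = 0 the tau step is urgent (no tick is
    possible), c = -1 after tau and c = -2 after the termination event."""
    c = fresh("c")
    trans = lambda s, e, s2: ((s[c] == 0 and e == TAU and s2[c] == -1)
                              or (s[c] == -1 and e == TERM and s2[c] == -2))
    tick = lambda s, s2: (s[c] >= 1 and s2[c] == s[c] - 1) or (s[c] < 0 and s2[c] == s[c])
    return Enc({c: tuple(range(-2, t + 1))}, lambda s: s[c] == t, trans, NEVER, NEVER, tick,
               {TAU, TERM})

def traces(enc, n):
    """All event sequences of length <= n (ticks included) from the initial valuations."""
    found, frontier = set(), {(frozenset(s.items()), ()) for s in enc.valuations() if enc.init(s)}
    while frontier:
        nxt = set()
        for key, tr in frontier:
            found.add(tr)
            s = dict(key)
            for s2 in (enc.valuations() if len(tr) < n else ()):
                k2 = frozenset(s2.items())
                nxt |= {(k2, tr +(e,)) for e in enc.events if enc.trans(s, e, s2)}
                if enc.tick(s, s2):
                    nxt.add((k2, tr + (TICK,)))
        frontier = nxt
    return found

def demo():
    """Constructed processes: synchronised parallel, channel communication and Wait[1]."""
    sync = par(prefix("a", prefix("b", STOP)), prefix("b", prefix("c", STOP)), {"b"})
    untimed = {t for t in traces(sync, 3) if TICK not in t}
    chan = par(output("ch", prefix("x", STOP)), inp("ch", prefix("y", STOP)))
    comm = {t for t in traces(chan, 3) if TICK not in t}
    return untimed, comm, traces(wait(1), 3)
```

Because an event prefix's $Init$ constrains only $happened$ and leaves the variables of the not-yet-active $P_0$ free, the explicit enumeration starts from every valuation of those variables; the trace sets are unaffected, which is also what lets the symbolic encoding leave them unconstrained. The three sets returned by `demo()` show $b$ occurring only after $a$ and jointly with both sides, the channel event `ch` occurring only as a matched $In_i \wedge Out_{1-i}$ pair, and $Wait[1]$ admitting `(tick, tau, term)` but never two consecutive ticks.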
