Abstract. Model checking timed systems through digitization is relatively easy compared to zone-based approaches. The applicability of digitization, however, is limited mainly for two reasons: it is only sound for closed timed systems, and clock ticks cause state space explosion. The former is mild, as many practical systems are amenable to digitization. It has been shown that BDD-based techniques can tackle the latter to some extent. In this work, we significantly improve the existing approaches by keeping the ticks simple in the BDD encoding. Taking advantage of the 'simple' nature of clock ticks, we fine-tune the encoding of ticks and are able to verify systems with many ticks. Furthermore, we develop a BDD library which supports not only encoding and verifying timed state machines (through digitization) but also composing timed components using a rich set of composition functions. The usefulness and scalability of the library are demonstrated by supporting two languages, i.e., closed timed automata and Stateful Timed CSP.
Introduction
Model checking of real-time systems has been studied extensively. One popular approach is zone abstraction [1, 2]. The scalability and effectiveness of the zone-based approach have been proved with successful industrial applications, e.g., [3]. Meanwhile, it is known that for a large class of timed verification problems, correctness can be established using an integral model of time (digital clocks) as opposed to a dense model of time [4]. For instance, Lamport argued that model checking of real-time systems can be really simple if digitization is adopted [5]. Digitization translates a real-time verification problem into a discrete one by using clock ticks to represent elapsed time. The advantage is that the techniques developed for classic automata verification can be applied without the added complexity of zone operations. One particularly interesting example is model checking under the assumption of non-Zenoness. A timed execution is Zeno if infinitely many discrete steps are taken within finite time. Zeno executions are not physically realizable and must be ruled out during system verification. It is, however, nontrivial to check whether an execution is Zeno or not based on zone graphs [6, 7]. Under digitization, by contrast, time advances only through tick transitions, so an execution is non-Zeno if and only if it contains infinitely many clock ticks. Thus a finite-state digitized system is non-Zeno if, on every one of its control cycles, time advances by at least one time unit; in other words, every cycle contains at least one clock tick transition, which can be determined efficiently with cycle-detection algorithms. Further, the experiments in [8] showed that BDD-based model checking of digitized systems is more robust as the number of processes grows, compared with zone-based approaches.
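As an added illustration (not code from the paper or its BDD library), the following Python digitizes a small closed timed automaton explicitly and then runs the non-Zenoness check described above: once the system is digitized, it has a Zeno execution exactly when some reachable cycle consists only of non-tick transitions, which a depth-first search restricted to tick-free edges detects. The example automaton, its constants and the capping of clock values at the largest constant plus one are assumptions made for this example.

```python
from collections import deque

# Constructed example (not from the paper or its library): explicit-state
# digitization of a closed timed automaton, followed by the non-Zenoness check
# "every reachable cycle must contain a tick transition".
#
# guard     = (clock, "<=" | ">=", constant)        -- closed constraints only
# edge      = (src_location, [guards], [clocks to reset], dst_location)
# invariant = location -> [guards]; a location may only be entered / stayed in
#             while its invariant holds
# state     = (location, tuple of integer clock values)


class ClosedTimedAutomaton:
    def __init__(self, clocks, init, edges, invariants):
        self.clocks = list(clocks)
        self.init = init
        self.edges = edges
        self.invariants = invariants
        consts = [c for _, guards, _, _ in edges for _, _, c in guards]
        consts += [c for inv in invariants.values() for _, _, c in inv]
        # A clock value above the largest constant is indistinguishable by any
        # closed guard, so values are capped at max+1 to keep the state space finite.
        self.cap = max(consts, default=0) + 1

    def _holds(self, guards, val):
        for clock, op, c in guards:
            v = val[self.clocks.index(clock)]
            if op == "<=" and v > c:
                return False
            if op == ">=" and v < c:
                return False
        return True

    def successors(self, state):
        loc, val = state
        out = []
        # Tick: every clock advances one unit, allowed only while the invariant holds.
        ticked = tuple(min(v + 1, self.cap) for v in val)
        if self._holds(self.invariants.get(loc, []), ticked):
            out.append(("tick", (loc, ticked)))
        # Discrete edges: guard must hold now, target invariant must hold after resets.
        for src, guards, resets, dst in self.edges:
            if src == loc and self._holds(guards, val):
                new = tuple(0 if c in resets else v for c, v in zip(self.clocks, val))
                if self._holds(self.invariants.get(dst, []), new):
                    out.append(("discrete", (dst, new)))
        return out

    def digitize(self):
        """BFS over reachable states; returns (initial state, state -> [(label, succ)])."""
        init = (self.init, tuple(0 for _ in self.clocks))
        graph, queue = {}, deque([init])
        while queue:
            s = queue.popleft()
            if s in graph:
                continue
            graph[s] = self.successors(s)
            queue.extend(t for _, t in graph[s] if t not in graph)
        return init, graph


def find_zeno_cycle(graph):
    """Return a cycle (list of states, first == last) built from non-tick edges
    only, or None. White/grey/black DFS: a back edge to a grey state closes a
    tick-free cycle, i.e. an execution with infinitely many steps and no time."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {s: WHITE for s in graph}

    def tick_free(s):
        return iter([t for lbl, t in graph[s] if lbl != "tick"])

    for root in graph:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack, path = [(root, tick_free(root))], [root]
        while stack:
            node, it = stack[-1]
            nxt = next(it, None)
            if nxt is None:
                colour[node] = BLACK
                stack.pop()
                path.pop()
            elif colour[nxt] == GREY:
                return path[path.index(nxt):] + [nxt]
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, tick_free(nxt)))
                path.append(nxt)
    return None


def is_non_zeno(automaton):
    _, graph = automaton.digitize()
    return find_zeno_cycle(graph) is None


# Constructed sender: waits at least 1 unit in "idle" (invariant forces it out
# by 3) and at least 2 units in "busy". Every control cycle needs a tick.
SENDER = ClosedTimedAutomaton(
    clocks=["x"], init="idle",
    edges=[("idle", [("x", ">=", 1)], ["x"], "busy"),
           ("busy", [("x", ">=", 2)], ["x"], "idle")],
    invariants={"idle": [("x", "<=", 3)]})

# Same sender plus an always-enabled self-loop in "busy": it can be taken
# forever without a tick, so the digitized system contains a Zeno cycle.
SENDER_WITH_LOOP = ClosedTimedAutomaton(
    clocks=["x"], init="idle",
    edges=SENDER.edges + [("busy", [], [], "busy")],
    invariants=SENDER.invariants)

if __name__ == "__main__":
    print("sender non-Zeno:", is_non_zeno(SENDER))
    print("looping sender Zeno cycle:", find_zeno_cycle(SENDER_WITH_LOOP.digitize()[1]))
```

The check is linear in the size of the digitized graph, which is what makes non-Zenoness cheap here; the cost has simply moved into the number of reachable (location, valuation) states, which grows with the clock cap, i.e. with the time upper-bound that the rest of the paper is concerned with.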
The disadvantage of digitization is that the number of reachable states of the digitized system grows with the number of clock ticks, which is determined by the upper-bound of the timing constraints. The experiments in [5] showed that UPPAAL has a clear advantage over TLC and Spin in verifying digitized systems once the time upper-bound exceeds 10. The same experiments showed that the symbolic model checker SMV is more robust as the time upper-bound grows. The question is then: can a BDD-based symbolic model checker scale better with large time upper-bounds? A theoretical analysis in [9] showed that the size of the BDD is very sensitive to time upper-bounds; consequently, the time upper-bounds were kept very small in their experiments, i.e., no more than 16.
In this work, we revisit the problem in order to develop efficient model checking techniques for timed systems. Our investigation shows that if we keep clock ticks simple, by avoiding clock variables altogether, we obtain a small BDD encoding of all ticks in a system which scales significantly better than existing approaches. We are able to verify systems with time upper-bounds in the order of thousands. Furthermore, to make this technique available to different timed modeling languages, we build a BDD library for encoding and composing digitized timed systems. The motivation is that complex timed systems are often composed of many components at multiple levels of hierarchy. We propose timed finite-state machines (TFSMs) to model timed system components; TFSMs are designed to capture useful system features such as the different ways in which system components communicate. We then define a rich set of system composition functions over TFSMs. The library further complements previous approaches (e.g., UPPAAL, Rabbit [8]) by supporting linear temporal logic (LTL), LTL with weak/strong fairness, non-Zenoness, etc. The usefulness of the library is evidenced by showing that it can readily be used to build model checkers for two different timed modeling languages, namely closed timed automata and Stateful Timed CSP [10].
We evaluate the efficiency of the library using benchmark systems with different settings. In the first experiment, systems are modeled and verified with increasing time upper-bounds. The objective is to show that, by taking advantage of the characteristics of clock ticks, our library remains robust for larger numbers of clock ticks than Rabbit. In the second experiment, the systems are verified with an increasing number of processes, to show that our model checker scales better than model checkers such as UPPAAL. Lastly, we show that our model checker verifies LTL properties, with and without non-Zenoness, efficiently.
The rest of the paper is organized as follows. Section 2 presents the design of the library. Section 3 presents the work on supporting two languages. Section 4 evaluates the performance of the library. Section 5 concludes the work.
