Timed Automata Benchmark Description by Fontana, Peter & Cleaveland, Rance
Timed Automata Benchmark Description∗
Peter Fontana and Rance Cleaveland
May 28, 2020
Abstract
This report contains the descriptions of the timed automata (models) and the prop-
erties (specifications) that are used as the “benchmark examples in Data structure
choices for on-the-fly model checking of real-time systems” and “The power of proofs:
New algorithms for timed automata model checking.” The four models from those
sources are: CSMA, FISCHER, LEADER, and GRC. Additionally we include in this re-
port two additional models: FDDI and PATHOS. These six models are often used to
benchmark timed automata model checker speed throughout timed automata model
checking papers.
Contents
1 Overview of Protocols 3
2 PES Modeling framework 4
2.1 Equation Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Invariant Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 Transition Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 CSMA/CD 9
3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Timed Automata Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Specifications Checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Model in PES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4 FISCHER’s MUX 17
4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.2 Timed Automata Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3 Specifications Checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.4 Model in PES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
∗Research supported by NSF grants CCF-0820072 and CCF-0926194.
ar
X
iv
:2
00
5.
13
15
1v
1 
 [c
s.F
L]
  2
7 M
ay
 20
20
5 GRC 23
5.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.2 Timed Automata Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.3 Specifications Checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.4 Model in PES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
6 LEADER Election 32
6.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.2 Timed Automata Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
6.3 Specifications Checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
6.4 Model in PES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
References 39
2
1 Overview of Protocols
This report describes some of the benchmarks used in [7, 8]. to assess the performance
of different timed-automaton model-checking algorithms. Our intention is to document
both the models and formulas used in some detail so that other researchers can use them
for their own purposes.
In general, the examples are used in [20], which were based on the examples used in
[17] and the RED (http://cc.ee.ntu.edu.tw/~farn/red/red.5.0.linux.tar.
gz) and updated RED code (http://sourceforge.net/projects/redlib/ . How-
ever, various sources were consulted (sources cited for each benchmark). When modeling
differences existed, we mostly followed [17] but we sometimes changed the event names
(though not the transitions allowed) to adapt the models to meet the baseline notion of
timed automata in Fontana and Cleaveland [9].
The following benchmarks are described:
CSMA/CD Carrier Sense, Multiple Access with Collision Detection. This involves n processes
who wish to send a message on 1 bus, where the bus can only handle one message
at a time.
FISCHER Fischer’s Mutual Exclusion. This involves n processes that wish to access a crit-
ical section. They access a critical section by first assigning their id to a global vari-
able, which serves as a lock.
GRC Generalized Railroad Crossing. This describes n trains (“processes”) who wish to cross
train tracks that is gated. Each process is on a different train track, but shares a
gate for all tracks. There is a gate and a controller that synchronize the raising and
lowering of the gate with the crossing of the trains.
LEADER Leader Election Protocol. This involves n processes that wish to elect a leader
among themselves. They choose a leader by requesting fellow processes (in an asyn-
chronous manner) to be their parent until only on process has no parent.
For each model we model-checked one valid safety specification (as), one invalid safety
specification (bs), one valid liveness specification (al), and one invalid liveness specifica-
tion (bl). Each of these cases involves only one temporal operator: φ1 involves conjunc-
tions and disjunctions of atomic propositions and clock constraints. In addition we tested
4 additional specifications on each property (M1, M2, M3, and M4). Out of these specifi-
cations, at least one (usually M4) is a property with no known equivalent TCTL formula.
The specifications checked are listed below. The specifications that are not supported by
UPPAAL are in italics and are marked with a ∗.
For the specifications, they will be documented in the following way:
• AS Example: Valid Safety Specification: This describes a safety specification that is
expressed via a safety property that the system does satisfy. These specs are the A
examples taken from [20].
3
• BS Example: Invalid Safety Specification This describes a safety specification that
the system does not satisfy. These specs are the B examples taken from [20].
• AL Example: Valid Liveness Specification: This describes a liveness specification
that is expressed via a safety property that the system does satisfy.
• BL Example: Invalid Liveness Specification This describes a liveness specification
that the system does not satisfy. These specs are the B examples taken from [20].
• M1 Example: This provides an additional formula that the model may or may not
satisfy. This formula may or may not be expressible in TCTL.
• M2 Example: This provides an additional formula that the model may or may not
satisfy. This formula may or may not be expressible in TCTL.
• M3 Example: This provides an additional formula that the model may or may not
satisfy. This formula may or may not be expressible in TCTL.
• M4 Example: This provides an additional formula that the model may or may not
satisfy. This formula may or may not be expressible in TCTL.
The A Example, B Example and C Example specifications are the ones used in our
benchmark suite when testing the model checkers on safety properties. Unless otherwise
specified, when modeling the systems the default parameter values are used for all pa-
rameters.
Remark 1. When either constructing an implementation safety specification, when the system is
symmetric for all processes the representation of the specification can be written to only inquire
about a few processes, since if it is true for those then it must be true for all processes. All spec-
ifications for the models are written in full because the additional formula results in a changed
performance.
When specifying the specifications, the TCTL and the Lrelν,µ formulas are specified when
possible using variables i, j, k to simplify the notation of process conjunctions. For the
Tool formulas, the formulas are specified in full but using the fewest number of processes
that can be generalized. The number of processes used is two processes unless specified
otherwise.
2 PES Modeling framework
Here we discuss the structure of a PES (Predicate Equation Systems) model. A Predicate
Equation system is a way of combining both a model and a formula together into a
system of equations, where the set of states satisfying the equation are the set of states in
the model that satisfy the formula. In this report, we encode both a timed automaton and
a timed-automaton formula (as a modal equation system) into a PES.
4
Modal Equation Systems (MES) express a modal-logic formula as an equation. Timed
MES (TMES), exist. One version of Timed MES are in: [14]. The version of Timed MES we
used are described in Fontana and Cleaveland [8], Fontana [10].
Here are the different components of a PES Model:
• Comments (//). Any line starting with “//” are ignored by the parser and can be
used to provide descriptive text.
• Constants (# define). Any line starting with “# define” indicates a name of a con-
stant that can be used throughout the example.
• Clocks (xi, yj). The variables after the word “CLOCKS:” are the variable names used
to indicate all of the timed automata clocks in the model. Clock names begin with
an “x” or a “y” (lowercase) and are (optionally but usually) followed with a number.
Unless specified otherwise, all clocks are initialized to 0.
• State Variables or Atomic Propositions (pi, qj). The variables after “CONTROL:”
are the variable names used for all of the atomic propositions or the state variables.
The proposition variables take on non-negative integer variables, and by default
are initialized to 0. Atomic propositions start with a “p” or a “q” (lowercase) and
are (optionally but usually) followed by a number. Optionally, in parentheses, one
can specify the number of intended values for each proposition, such as p1(2). The
parentheses are ignored by the parser.
• Predicate Variables (Xi). The variables after the word “PREDICATE:” are the pred-
icate or equation variables used in the mu-calculus formula. Each predicate variable
starts with an “X” (uppercase) and is (optionally but usually) followed with a num-
ber.
• Initial Equation Variable (START:). The predicate variable listed after “START:” is
the initial equation variable.
• Logical Formula (EQUATIONS:). The formula after “EQUATIONS:” and within the
braces is an alternation-free Lrelν,µ formula. There are also a few implementation short-
cuts used in the PES Formula syntax. Additionally, substitutions of state variables
are allowed in addition to clock resets.
• Location Invariants (INVARIANT:). The “INVARIANT” Block lists all of the invari-
ants. Each invariant is described by a subset of atomic propositions, then followed
by a “->” and then followed by a clock constraint. There is one specification per
line. For time to advance, all of the invariants must be true. However, this is often
shortcut by vacuity: if the automaton is currently not in a state where the premise
of the implication is true, the invariant is vacuously true.
• Automata Edges (TRANSITIONS:). The “TRANSITIONS:” section lists all of the
transitions of the timed automaton. Each edge of the timed automata is a transition.
5
1 #define CPD 2
2 CLOCKS: {x1,x2,x3,x4}
3 CONTROL: {p1,p2,p3,p4, p}
4 PREDICATE: {X}
5 START: X
6 EQUATIONS: {
7 1: nu X = ((p1 == 0 && p2 == 0 && p3==0)
8 ||(p1 == 0 && p2 == 0 && p4==0)
9 ||(p1 == 0 && p3 == 0 && p4==0)
10 ||(p2 == 0 && p3 == 0 && p4==0)
11 ) && \forall time(\AllAct(X))
12 }
13 INVARIANT:
14 p1 == 0 && p==0 -> x1 <= CPD
15 p2 == 0 && p==0 -> x2 <= CPD
16 p3 == 0 && p==0 -> x3 <= CPD
17 p4 == 0 && p==0 -> x4 <= CPD
18 TRANSITIONS:
19 (p2 == 0 && p1 == 0, x2 <= CPD && x1 <= CPD)->(p2 = 1){x2,
x1};
20 (p3 == 0 && p1 == 0, x3 <= CPD && x1 <= CPD)->(p3 = 1){x3,
x1};
21 (p3 == 0 && p2 == 0, x3 <= CPD && x2 <= CPD)->(p3 = 2){x3,
x2};
22 (p4 == 0 && p1 == 0, x4 <= CPD && x1 <= CPD)->(p4 = 1){x4,
x1};
23 (p4 == 0 && p2 == 0, x4 <= CPD && x2 <= CPD)->(p4 = 2){x4,
x2};
24 (p4 == 0 && p3 == 0, x4 <= CPD && x3 <= CPD)->(p4 = 3){x4,
x3};
25 (p==0 && p1==0 && p2!=0 && p3!=0 && p4!=0)->(p=1){x1, x2, x3
, x4};
Figure 1: Full PES Example used to illustrate the different components of a PES.
Each transition starts with the guard in parentheses, and then has an “->” to separate
the guard from the transition to the new state. After the “->”, the destination state
is specified in parentheses, the clocks to be reset are specified in braces, and each
transition ends with a semicolon.
We illustrate this with an example. Figure 1 is the PES for the LEADER benchmark
with 4 processes, using the formula for category “bs”.
Remark 2 (Transitions are syntactic sugar). The PES framework is general enough that timed
automata edges can either be specified within the PES formula (using substitutions and resets in
addition to atomic propositions) or by using the TRANSITIONS directly. See Example 1.
6
Performance can be greatly enhanced by using the “TRANSITIONS” feature to separate the
model from the specification, but there is no requirement to do so.
Example 1 (Encoding a PES in multiple ways). Consider timed automaton TA6, given in
Figure 2, with one clock x, and consider the following timed modal equation system MES with one
equation (and hence one block):
X ν= 〈a〉(X) (1)
s1
x < 2
s2
x < 2
a, x := 0
a
x > 1
s1 s2
a, x := 0
a
Figure 2: Timed automaton TA6.
Note that this automaton has zeno runs; we use it to provide a simple example on an untimed
formula.
We encode this model into our tool using TRANSITIONS as follows:
1 CLOCKS: {x1}
2 CONTROL: {p1}
3 INITIALLY: x1 == 0
4 PREDICATE: {X}
5 START: X
6 EQUATIONS: {
7 1: nu X =\ExistAct(X)
8 }
9 TRANSITIONS:
10 (p1 == 0)->(p1=1){x1};
11 (p1 == 1)->(p1=0);
Alternatively, we can use the original Predicate Equation System (PES) form by encoding the
transitions as proposition assignments with resets. In this case, we have two equivalent alternative
versions
1 CLOCKS: {x1}
2 CONTROL: {p1}
3 INITIALLY: x1 == 0
4 PREDICATE: {X}
5 START: X
7
6 EQUATIONS: {
7 1: nu X =((p1==0)->X[p1=1]{x1}) && ((p1==1)->X[p1=0])
8 }
or
1 CLOCKS: {x1}
2 CONTROL: {p1}
3 INITIALLY: x1 == 0
4 PREDICATE: {X1, X2}
5 START: X1
6 EQUATIONS: {
7 1: nu X1 = X2{x1})
8 1: nu X2 = X1
9 }
Notice that we have two choices: represent location variables with new predicate variables, or
to use new control variables. This equivalence gives the intuition behind the correctness of blocking
and computing fixpoints simultaneously when their parities are the same (Bekic’s Theorem, see
[5]). The “1:” is the equation block number, indicating that both equations are in the same block.
The Model checker would then ask the question: does the initial state (s1, {x = 0}) satisfy X?
(One can show that this timed automaton does satisfy the formula; the formal details are outside
the scope of this document.)
Some more implementation details specific to the PES are described in the following
subsections.
2.1 Equation Syntax
Equations support the Lrelν,µ syntax. Additionally, to aid in the efficiency of model checking,
there are two formulas that are hard-coded shorthands for Lrelν,µ subformulae. These are
UnableWaitIn f and AbleWaitIn f . They are:
UnableWaitIn f := ∃(z.(∀(z ≤ 1))) (2)
AbleWaitIn f := ∀(z.(∃(z > 1))) (3)
These two subformulas are very important in expressing liveness (AF) properties and
their duals. See [10] (Lemma 4.7.2) for more information. Although these formula utilize
freeze quantification, the implementation of these can be implemented without subfor-
mulas and instead just checking if one can diverge in a state by examining the invariants.
2.2 Invariant Syntax
Invariants are always constructed as a set of conditions, with one line per condition. Each
condition starts with a partial conjunction of state variable constraints, then has a “->” and
8
then has a conjunction of clock constraints. The invariant is interpreted as the conjunction
of conditions.
2.3 Transition Syntax
Transitions encode the variables checked for the start state, then the guard of clock con-
straints after a comma “,” symbol, then a “->”, then the change of state variables to mark
the destination state, and then in “{” “}” the set of clocks that are reset to 0 on the transi-
tion. Each transition is separated by a semicolon “;”.
Consider this example transition:
(p5==2 && p==5, x5 > CB)->(p5=3, p=5);
It adds a transition for all states with p5 = 2 and p = 5 and insists that clock x5 must
have value at least the constant CB (Defined above with a “#define CB 19”). When this
transition executes, it changes the state value of p5 from 2 to 3 and maintains the value of
p at 5. It does not reset any clocks.
3 CSMA/CD
The Carrier Sense, Multiple Access with Collision Detection (CSMA/CD) example descrip-
tion is also taken from [19], which also provided figures that these figures are based on.
Additionally, [15] was consulted when generating these notes.
3.1 Overview
There are multiple processes (n) who are sharing 1 Ethernet bus. The processes will wish
to send messages, but the bus can only send one message at a time. At various times pro-
cesses will try to transmit a message. If the process detects that the bus is busy (thus, the
other process has transmitted for at least σ, the worst-case propagation delay, units), then
the process will wait a random amount of time before it will retry without interrupting
the currently transmitting process. If multiple processes are transmitting, which would
happen if they try to transmit simultaneously or in intervals before it can detect that the
other processes are transmitting, a collision will occur, and all current messages are lost
and must be sent again. At this point the bus detects the collision and stops transmitting.
Thus, even though only one process can send a message at a time, it is possible for more
than one process to be in a transmit state (in these cases the bus will be in the collision
state). All processes then detect the collision and the bus goes from the collision state to
the idle state. With the collision detected, all transmitting processes retry, idle processes
either remain idle or retry and processes programmed to retry reset their waiting cycle
before they retry. Parameters:
9
CSMACD Figures [1/2] 
0: waiti 1: transi 
xi < ? 
2: retryi 
xi < 2? 
cd, xi := 0 
endi, xi = ?, xi := 0 
begini, xi := 0 
cd, xi < 2?, 
xi := 0 
begini, xi < 2?, xi := 0 
cd, xi < ?, xi := 0 
busyi,  xi := 0 
cd, xi := 0 
busyi, x:= 0 
Figure 3: Timed Automaton for process i in the CSMA/CD Example.
• σ: The worst case propagation delay. The default value is 26µs. This is the worst case
time for a packet to be detected. Thus, a process may not detect if another process is
sending if that process has been sending for less than σ units.
• λ: The time to send a complete message (including the propagation delay). The
default value is 808µs.
Remark 3. This model assumes that at no time do two processes begin to transmit simultaneously.
A collision thus only occurs when one process is transmitting, and another tries to transmit without
detecting it.
3.2 Timed Automata Modeling
These are the actions which the processes and the bus are “synchronized” on. the i sub-
script represents process i:
• begini: Process (Sender) i starts sending a message.
• busyi: Process i senses that the bus is busy.
• endi: Process i ends the transmission of the message.
• cd: All processes detect a collision on a bus.
All currently transmitting processes go to the retry state, those retrying retry again
and each idle process either remains idle or decides to retry sending.
The Timed Automaton Figure for a single process (the ith process) is in Figure 3
The states of Process i are as follows:
10
CSMA/CD Figures [2/2] 
0: idle 1: active 
2: coll 
y < ? 
begini, y := 0 
endi, y := 0 
begini, y < ?, y := 0 
cd, y < ?, y := 0 
busyi, y > ? 
Figure 4: Timed Automaton for the Bus in the CSMA/CD Example.
0. waiti: Process i is waiting for a message.
1. transi: Process i is sending a message.
2. retryi: Process i is waiting to retry (usually after detecting a collision).
The Timed Automaton Figure for the bus is in Figure 4
The States of the Bus are:
0. idle: The bus is currently idle and waiting for a message from a process.
1. active: The bus is currently transmitting a message from some process.
2. collision: There is a collision on the bus.
For the notation of the Bus Automata, there is an transition with symbol i for each
process i. Thus, the edge idle
begini−→ active[y := 0] represents a different edge for each
process. If there are 2 processes, then the bus would have 2 such edges,
begin1−→ active[y := 0]
and
begin2−→ active[y := 0]. Each collision detection involves a pair of precesses. Thus it
involves an event cdij there is an edge per pair/trio of cd’s).
Each process has a clock xi, and the bus has its own clock y. Initially, we have y =
0, xi = 0 (all i) and each process i is in the initial state 0 : waiti, and the bus is initially in
0 : idle.
3.3 Specifications Checked
The specifications checked on the CSMA protocol are:
AS∗: At most one process is in a transmission state for less than 52 (2σ) units. (Valid)
11
TCTL Formula:
AG
∧
i 6=j
(pi 6= 1 ∨ pj 6= 1) ∨ (x1 ≤ 52 ∧ x2 ≤ 52)
 (4)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 #define CB 52
2 PREDICATE: {X}
3 START: X
4 EQUATIONS: {
5 1: nu X = \forall time((p1 != 1 || p2 != 1 || ((x1 < CB) && (
x2 < CB))) && \AllAct(X))
6 }
BS: At any time, a third process can retry while two are already in transmission status.
(Invalid)
TCTL Formula:
AG
 ∧
i 6=j 6=k∧ i 6=k
(
(pi = 1 ∧ pj = 1) → pk = 2)
) (5)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = (((p1==1 && p2==1)->(p3==2)) && ((p1==1 && p3==1)
->(p2==2)) && ((p2==1 && p3==1)->(p1==2)))
5 && \forall time(\AllAct(X))
6 }
AL: It is inevitable that all processes are waiting. (Valid)
TCTL Formula:
AF
[∧
i
(
pi = 0 ∧ xi ≥ 52
)]
(6)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
12
convenience).
Tool MES Specification:
1 #define CB 52
2 PREDICATE: {X}
3 START: X
4 EQUATIONS: {
5 1: mu X = \forall time\rel[((p1 == 0 && x1 >= CB) || (p2 == 0
&& x2 >= CB))](((p1 == 0 && x1 >= CB) || (p2 == 0 && x2 >= CB)
) || \AllAct(X)) && (UnableWaitInf || \exists time(((p1 == 0
&& x1 >= CB) || (p2 == 0 && x2 >= CB))))
6 }
BL: It is inevitable that some process needs to retry transmitting a message. (Invalid)
TCTL Formula:
AF
[∨
i
(
pi = 2
)]
(7)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 2) || (p2 == 2))](((p1 ==
2) || (p2 == 2)) || \AllAct(X)) && (UnableWaitInf || \exists
time(((p1 == 2) || (p2 == 2))))
5 }
M1: It is always the case that if the first process needs to retry that it will inevitably
transmit. (Invalid)
TCTL Formula:
AG [p1 6= 2 → AF [p1 = 1]] (8)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X,X2}
2 START: X
3 EQUATIONS: {
13
4 1: nu X = \forall time( ({p1 != 2} || X2) && \AllAct(X))
5 2: mu X2 = \forall time\rel[(p1 == 1)]((p1 == 1) || \AllAct(X2
)) && (UnableWaitInf || \exists time((p1 == 1)))
6 }
M2: It is always the case that if a bus experiences a collision that it will inevitably become
idle. (Valid)
TCTL Formula:
AG [p 6= 2 → AF [p = 0]] (9)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X,X2}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ({p != 2} || X2) && \AllAct(X))
5 2: mu X2 = \forall time\rel[(p == 0)]((p == 0) || \AllAct(X2))
&& (UnableWaitInf || \exists time((p == 0)))
6 }
M3∗: The bus is always idle until a process is active. (Invalid)
TCTL Formula:
A
[
[p = 0]U
[∨
i
(
pi = 1
)]]
(10)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 1) || (p2 == 1))]( ((p ==
0) || ((p1 == 1) || (p2 == 1))) && (((p1 == 1) || (p2 == 1))
|| \AllAct(X))) && ( UnableWaitInf || \exists time\rel[(p ==
0)](((p1 == 1) || (p2 == 1))))}
M4∗: For all paths with an infinite number of actions, the bus is always idle until a process is
active (Valid)
14
TCTL Formula:
There is no known TCTL formula
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = ((p1 == 1) || (p2 == 1)) || ((p == 0) && \forall
time(\AllAct(X)))
5 }
3.4 Model in PES
Below is the CSMA/CD Model for 2 processes specified in PES Code. The equation is the
formula, and for this model the formula is the “as” formula.
1 #define CA 26
2 #define CB 52
3 #define CLAMBDA 808
4 CLOCKS: {x1,x2,y}
5 CONTROL: {p1,p2,p}
6 PREDICATE: {X}
7 START: X
8 EQUATIONS: {
9 1: nu X = \forall time((p1 != 1 || p2 != 1 || ((x1 < CB) && (
x2 < CB))) && \AllAct(X))
10 }
11 INVARIANT:
12 p1 == 1 -> x1 <= CLAMBDA
13 p1 == 2 -> x1 < CB
14 p2 == 1 -> x2 <= CLAMBDA
15 p2 == 2 -> x2 < CB
16 p == 2 -> y < CA
17 TRANSITIONS:
18 (p==0 && p1==0)->(p=1,p1=1){y,x1};
19 (p==0 && p1==2, x1 < CB)->(p=1,p1=1){y,x1};
20 (p==0 && p2==0)->(p=1,p2=1){y,x2};
21 (p==0 && p2==2, x2 < CB)->(p=1,p2=1){y,x2};
22 (p==1 && p1==1, x1 == CLAMBDA)->(p=0,p1=0){y,x1};
15
23 (p==1 && p2==1, x2 == CLAMBDA)->(p=0,p2=0){y,x2};
24 (p==1 && p1==0, y >= CA)->(p=1,p1=2){x1};
25 (p==1 && p1==2, y >= CA)->(p=1,p1=2){x1};
26 (p==1 && p2==0, y >= CA)->(p=1,p2=2){x2};
27 (p==1 && p2==2, y >= CA)->(p=1,p2=2){x2};
28 (p==1 && p1==0, y < CA)->(p=2,p1=1){y,x1};
29 (p==1 && p1==2, y < CA && x1 < CB)->(p=2,p1=1){y,x1};
30 (p==1 && p2==0, y < CA)->(p=2,p2=1){y,x2};
31 (p==1 && p2==2, y < CA && x2 < CB)->(p=2,p2=1){y,x2};
32 (p == 2 && p1==0 && p2==0, y < CA)->(p=0,p1=0,p2=0){y};
33 (p == 2 && p1==0 && p2==0, y < CA)->(p=0,p1=0,p2=2){y,x2};
34 (p == 2 && p1==0 && p2==1, y < CA && x2 < CA)->(p=0,p1=0,p2
=2){y,x2};
35 (p == 2 && p1==0 && p2==2, y < CA && x2 < CB)->(p=0,p1=0,p2
=2){y,x2};
36 (p == 2 && p1==0 && p2==0, y < CA)->(p=0,p1=2,p2=0){y,x1};
37 (p == 2 && p1==0 && p2==0, y < CA)->(p=0,p1=2,p2=2){y,x1,x2
};
38 (p == 2 && p1==0 && p2==1, y < CA && x2 < CA)->(p=0,p1=2,p2
=2){y,x1,x2};
39 (p == 2 && p1==0 && p2==2, y < CA && x2 < CB)->(p=0,p1=2,p2
=2){y,x1,x2};
40 (p == 2 && p1==1 && p2==0, y < CA && x1 < CA)->(p=0,p1=2,p2
=0){y,x1};
41 (p == 2 && p1==1 && p2==0, y < CA && x1 < CA)->(p=0,p1=2,p2
=2){y,x1,x2};
42 (p == 2 && p1==1 && p2==1, y < CA && x1 < CA && x2 < CA)->(p
=0,p1=2,p2=2){y,x1,x2};
43 (p == 2 && p1==1 && p2==2, y < CA && x1 < CA && x2 < CB)->(p
=0,p1=2,p2=2){y,x1,x2};
44 (p == 2 && p1==2 && p2==0, y < CA && x1 < CB)->(p=0,p1=2,p2
=0){y,x1};
45 (p == 2 && p1==2 && p2==0, y < CA && x1 < CB)->(p=0,p1=2,p2
=2){y,x1,x2};
46 (p == 2 && p1==2 && p2==1, y < CA && x1 < CB && x2 < CA)->(p
=0,p1=2,p2=2){y,x1,x2};
47 (p == 2 && p1==2 && p2==2, y < CA && x1 < CB && x2 < CB)->(p
=0,p1=2,p2=2){y,x1,x2};
16
4 FISCHER’s MUX
The Fischer’s Mutual Exclusion (MUX) example description is also taken from [3], [4], [1]
and [6], which also provided figures that these figures are based on.
4.1 Overview
The FISCHER MUX Protocol involves n processes vying for access to a critical section. The
Critical Section is modeled as a state machine representing the process that currently has
access to the critical section or if the critical section is available. Each process asks for the
critical section and then waits until it gets it, re-requesting for access if it is not granted
it for a period of time. The critical section represents a global variable of which process
currently has access to the critical section (like a lock). Each process assigns the variable
to itself when requesting to enter the critical section and sets it to 0 when they have left
the critical section. The value of the variable keeps track of whose turn it is to access the
critical section (process in state 3). Note that a process can assign the variable to itself and
not yet be in the critical section.
Parameters:
• ∆ (CA): This is the time the process must delay before it assigns the global variable
to itself, thus vying for the critical section. The default value is 10.
• δ (CB): This gives the amount of time a process must wait before entering the critical
section after claiming access to it. The default value is 19.
4.2 Timed Automata Modeling
These are the actions which the processes and the global section are “synchronized” on.
• tryi Here process i will try to access the critical section
• setXi Here the process sets the global variable to value i.
• setX0i Here process i sets the global variable to 0 (section empty).
• enteri Here process i enters the critical section.
The Timed Automaton Figure for a single process is in Figure 5.
The states of Process i are as follows:
0. idle: The process is idle.
1. req: The process is ready to enter the critical section and will ask to do so
2. wait: The process is waiting to enter the critical section
3. crit: The process is in the critical section.
17
FISCHER (MUX) Figures [1/2] 
0: idle 
3: crit 
1: req 
xi < Δ 
2: wait 
tryi, xi := 0 
setXi, xi < Δ 
xi := 0 
retryi setX0i 
enteri, xi > ? 
Figure 5: Timed Automaton for a Process in the MUX Example.
Remark 4. Here we follow [17] and [3] and include the edge given from state 2 to state 0 to prevent
starvation. This edge is omitted in many sources, including [4], [1] and [6]. Some of those sources,
instead have an edge (2, tryi, xi > δ, {xi := 0}, 1). That edge from state 2 to state 1 is given
to prevent starvation, so that every process will be able to access the critical section eventually.
Some models (including [1]) omit this edge as well. Also some models omit the invariant on state
1, which prevents a timelock.
The Timed Automaton Figure for the Critical Section is in Figure 6
There are n + 1 states of the Critical Section. They are:
1. State 0. The Critical Section is empty.
2. States 1 through n. The Critical Section is being used by processor i (processor 1 is
the first processor).
Notice that the more processes there are, the more states the automata has. Here, the
token is passed around in a cyclic manner, where
Each process has a clock xi, while the global (critical) section has no clock. Initially,
each clock is 0 xi = 0 (for all i), each process is initially in state 0 : idle and the critical
section is initially in state 0 (empty).
4.3 Specifications Checked
The specifications checked on the FISCHER protocol are:
AS: At any time, at most one process is in the critical section. (Valid)
18
FISCHER (MUX) Figures [2/2] 
0: 1: 
n: 
… 
tryi, retryi 
… 
setX0n 
setX01 
setX1 
setX1 
setXn 
setXn 
setXn, enterXn, 
retryi (i ? n) 
setX1, enterX1, 
retryi (i ? 1) 
Figure 6: Timed Automaton for the Critical Section in the MUX Example.
TCTL Formula:
AG
∧
i 6=j
(pi 6= 3 ∨ pj 6= 3)
 (11)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = (p1 != 3 || p2 != 3) && \forall time(\AllAct(X))
5 }
BS: At any moment, at most four processes in their waiting state at the same time. (Valid
for four processes, Invalid for five or more processes)
TCTL Formula:
AG [p1 6= 5)] (12)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
19
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = (p1 != 5)&& \forall time(\AllAct(X))
5 }
AL: It is inevitable that all processes are idle. (Valid)
TCTL Formula:
AF
∧
i 6=j
(pi = 0 ∨ pj = 0
 (13)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 0) && (p2 == 0))](((p1 ==
0) && (p2 == 0)) || \AllAct(X)) && (UnableWaitInf || \exists
time(((p1 == 0) && (p2 == 0))))
5 }
BL: It is inevitable that some process accesses the critical section. (Invalid)
TCTL Formula:
AF
[∨
i
(pi = 2)
]
(14)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 2) || (p2 == 2))](((p1 ==
2) || (p2 == 2)) || \AllAct(X)) && (UnableWaitInf || \exists
time(((p1 == 2) || (p2 == 2))))
5 }
M1: It is always the case that if the first process is not idle, it will eventually access the
critical section. (Invalid)
20
TCTL Formula:
AG [p1 6= 0 → AF [p1 = 3]] (15)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X,X2}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ({p1 == 0} || X2) && \AllAct(X))
5 2: mu X2 = \forall time\rel[(p1 == 3)]((p1 == 3) || \AllAct(X2
)) && (UnableWaitInf || \exists time((p1 == 3)))
6 }
M2: It is always the case that if the third process is not idle, it will eventually access
the critical section. (Invalid)
TCTL Formula:
AG [p3 6= 0 → AF [p3 = 3]] (16)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X,X2}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ({p3 == 0} || X2) && \AllAct(X))
5 2: mu X2 = \forall time\rel[(p3 == 3)]((p3 == 3) || \AllAct(X2
)) && (UnableWaitInf || \exists time((p3 == 3)))
6 }
M3∗: It is possible for the first process to enter the critical section without waiting. (Invalid)
TCTL Formula:
No Known TCTL Formula. (17)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
21
3 EQUATIONS: {
4 1: mu X = \exists time( (p1 == 3 && x1 <= 0) || \ExistAct(X))
5 }
M4∗: After at most five action transitions, some process will enter the critical section. (Invalid)
TCTL Formula:
No Known TCTL Formula. (18)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ((p1 == 3) || (p2 == 3)) || \AllAct(\
forall time( ((p1 == 3) || (p2 == 3)) || \AllAct(\forall time(
((p1 == 3) || (p2 == 3)) || \AllAct(\forall time( ((p1 == 3)
|| (p2 == 3)) || \AllAct(\forall time( ((p1 == 3) || (p2 == 3)
) || \AllAct(((p1 == 3) || (p2 == 3)))) )) )) )) ))
5 }
4.4 Model in PES
Below is the FISCHER Model for 2 processes specified in PES Code. The equation is the
formula, and for this model the formula is the “as” formula.
1 #define CA 10
2 #define CB 19
3 CLOCKS: {x1,x2}
4 CONTROL: {p1,p2,p}
5 PREDICATE: {X}
6 START: X
7 EQUATIONS: {
8 1: nu X = (p1 != 3 || p2 != 3) && \forall time(\AllAct(X))
9 }
10 INVARIANT:
11 p1 == 1 -> x1 < CA
12 p2 == 1 -> x2 < CA
13 TRANSITIONS:
14 (p1==0 && p==0)->(p1=1, p=0){x1};
15 (p1==1, x1 < CA)->(p1=2, p=1){x1};
22
16 (p1==2 && p==1, x1 > CB)->(p1=3, p=1);
17 (p1==2 && p!=1)->(p1=0);
18 (p1==3)->(p1=0, p=0);
19 (p2==0 && p==0)->(p2=1, p=0){x2};
20 (p2==1, x2 < CA)->(p2=2, p=2){x2};
21 (p2==2 && p==2, x2 > CB)->(p2=3, p=2);
22 (p2==2 && p!=2)->(p2=0);
23 (p2==3)->(p2=0, p=0);
5 GRC
The Generalized Railroad Crossing (GRC)example description is also taken from [2, 11, 12,
18, 22] and [1], which [1] also provided figures that influenced these figures. are based
on. Unlike the other examples, this was not taken from [21]. These figures are based off of
various models and specifications, but is slightly different than all of them.
5.1 Overview
The GRC (Generalized Railroad Crossing Protocol involves n trains (processess) who are
each on a separate track that may want to cross through a region of interest. This region
is supervised by a gate that must be down when a train is crossing through and should
be up when no train is in the region, and a controller that issues the gate instructions.
The problem formulation is described well by [12], quoted here:
The system to be developed operates a gate at a railroad crossing. The
railroad crossing I lies in a region of interest R, i.e., I ⊆ R. A set of trains travel
through R on multiple tracks in both directions. A sensor system determines
when each train enters and exits region R. To describe the system formally, we
define a gate function g(t) ∈ [0, 90], where g(t) = 0 means the gate is down
and g(t) = 90 means the gate is up. We also define a set {λi} of occupancy
intervals, where each occupancy interval is a time interval during which one or
more trains are in I. The ith occupancy interval is represented as λi = [τi, νi],
where τi is the time of the ith entry of a train into the crossing when no other
train is in the crossing and νi is the first time since τi that no train is in the
crossing (i.e., the train that entered at τi has exited as have any trains that
entered the crossing after τi).
Given two constants ξ1 and ξ2, ξ1 > 0, ξ2 > 0, the problem is to develop a
system to operate the crossing gate that satisfies the following two properties:
Safety Property t ∈ ∪iλi ⇒ g(t) = 0 (The gate is down during all occupancy
intervals)
23
Utility Property t 6∈ ∪i[τi − ξ1, νi + ξ2]⇒ g(t) = 90 (The gate is up as often as
possible)
For our modeling, it involves n trains that wish to cross. When each train is approach-
ing the track, it sends a signal to the controller to lower the gate (if the gate is not already
down). When it leaves, it sends a signal to the controller that it leaves. The controller has a
counter of the current number of trains that are approaching or in, so it knows when the
first train enters and when the last one leaves. A train is the “last train” if no other train is
either near or in (requires a gate lower or down). After some delay, the controller can send
a signal to raise or lower the gate. The gate takes some time to raise or lower the gate. If
the gate is currently being raised when there is a signal to lower, it will switch directions,
and is modeled to take the full amount of time to raise/lower the gate regardless of when
it was switched midway.
Remark 5. Farn Wang in [18] used a linear hybrid automata to model the gate. One condition we
relax is if a signal to lower the gate is received by the gate while it is raising the gate (or vice versa),
the gate takes the full amount of time to lower the gate as if it was already raised. This is weaker
than in [18] where the gate can start lowering from its current position and thus finish sooner.
Parameters:
• CD (Controller Delay). This parameter specifies the time that it takes for the controller
to send a signal to the gate to raise/lower upon receiving a signal from a train. (It
is assumed that once the controller sends a signal, that the gate instantaneously
receives it and responds, so this delay incorporates those delays). The default value
is 1.
• GLT (Gate Lowering Time) This is the time it takes to lower a gate from the up position
to the down position. The default value is 2.
• GRT (Gate Raising Time) This is the time it takes to raise a gate from the down
position to the up position. The default value is 2, (the same as GRT).
• TP (Train Pending). This is the amount of time in advance a train sends a signal to
the controller that it is approaching the track. The default value is 4.
• TDU (Train Duration Upper). This is an upper bound of time that the train is in the
tracks. The default value is 15.
• TDL (Train Duration Lower). This is a lower bound of time that the train is in the
tracks. The default value is 1.
5.2 Timed Automata Modeling
These figures (as well as the symbols and state names) were created by us but based off
of [1].
24
GRC Figures - Train [3/3] 
0: far 1: near 
xi < TP 
2: in 
xi < TDU in, xi = TP, 
xi := 0 
approach, xi := 0 
exit, xi > TDL 
Figure 7: Timed Automaton for a Process (train) in the GRC Example.
These are the actions which the processes and the global section are “synchronized”
on.
• approach: This is the signal the train gives to the controller when it is approaching
the region.
• exit: This is the signal the train gives to the controller when it leaves the region.
• lower: This is the signal to begin lowering the gate.
• raise: This is the signal to begin raising the gate.
• in: This is the signal the train gives when it just enters the region.
• down: This is the signal the gate gives when it has finished lowering the gate (the
gate is now down).
• up: This is the signal the gate gives when it has finished raising the gate (the gate
is now up).
The Timed Automaton Figure for a single process (train) is in Figure 7. The process’s
state is the parallel composition of the trains, gate and controller.
The states of Process (Train) i are as follows:
0. far: The train is far away.
1. near: The train is approaching and will enter soon.
2. in: The train is currently in the region.
Now the figure of the gate is in Figure 8 and the controller is in Figure 9.
The states of the gate are:
0. up: The gate is currently up.
1. lower: The gate is currently being lowered.
2. down: The gate is currently down.
3. raise: The gate is currently being raised.
25
GRC Figures - Gate [1/3] 
0: up 
3: raise 
y < GRT 
1: lower 
y < GLT 
2: down 
lower, y := 0 
down, y = GLT  
up, y = GRT  
raise, y := 0 
lower 
raise 
lower, y := 0 
raise, y:= 0 
Figure 8: Timed Automaton for the gate in the GRC Example.
GRC Figures - Controller [2/3] 
0:up 
n+1:down1 2n+1:raise 
z < CD 
exit,  
z := 0 
raise 
1:lower1 
z < CD 
approach 
lower  
approach, z := 0  
approach, z := 0 
exit, z := 0 
n+2:down2 
2:lower2 
z < CD 
2n:downn 
n:lowern 
z < CD 
lower  lower  
… 
exit … 
… 
… 
approach 
exit 
Figure 9: Timed Automaton for the controller in the GRC Example.
26
The states of the controller are:
1. State 0:up. The controller has already sent the “raise” signal to the gate.
2. States 1–n:loweri. The controller needs to send a “lower” signal and there are i
trains either approaching or in.
3. States (n+1)–2n:downi. The controller has sent the “lower” signal and there are i
trains either approaching or in.
4. State (2n+1):raise. The last train has left and the controller needs to send the “raise”
signal.
Each process (train) has one clocks xi, the gate has clock y and the controller has clock
z. Initially, each clock is 0. Thus, xi = 0 (for all i) and y = 0, z = 0. Furthermore, each
process (train) is initially in state 0 : f ar, the gate is initially in 0 : up and the controller is
initially in 0 : up.
Remark 6. Some of these edges are unreachable, given that the safety property holds (which it
does, since we check it as our A Example. These edges include the loweri
exit−→ loweri−1 when
i > 1 for the controller, as well as the lower raise−→ raise edge for the gate, since the gate is always
down when train is in. Thus, the controller will be in the down state since the gate will be down
before a train exits.
5.3 Specifications Checked
When modifying the specifications for GRC, p1 . . . pt are the t trains, pt+1 is the gate (pg)
and pt+2 (notated pc) is the controller. In TCTL formulae, Iterations over i are iterations
over all trains pi but do not iterate over the gate or the controller. In the Tool MES Speci-
fications, there are t = 2 trains. This means that in those formulae p3 is the gate and p4 is
the controller
The specifications checked on the GRC protocol are:
AS: It is always the case that if at least one train (process) is in the track region, the gate
is always down. (Valid)
TCTL Formula:
AG
[∨
i
(pi = 2) → pg = 2
]
(19)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
27
3 EQUATIONS: {
4 1: nu X = ((p1 != 2) || (p3 == 2)) && \forall time(\AllAct(X))
5 }
BS: It is always the case that if the gate is raising then the controller (when one train is
approaching or in) will not want to lower the gate. (Invalid)
TCTL Formula:
AG
[
pg = 3 → pc 6= 1
]
(20)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = ((p3 != 3) || (p4 != 1)) && \forall time(\AllAct(X))
5 }
AL: It is inevitable that the gate is up. (Valid)
TCTL Formula:
AF
[
pg = 0
]
(21)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[(p3==0)]((p3==0) || \AllAct(X)) &&
(UnableWaitInf || \exists time((p3==0)))
5 }
BL: It is inevitable that the train is near the gate. (Invalid)
TCTL Formula:
AF
[∨
i
(pi = 1)
]
(22)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
28
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 1) || (p2 == 1))](((p1 ==
1) || (p2 == 1)) || \AllAct(X)) && (UnableWaitInf || \exists
time(((p1 == 1) || (p2 == 1))))
5 }
M1: It is always the case that if the gate is down, then it will inevitably come up (Invalid).
TCTL Formula:
AG
[
pg = 2 → AF
[
pg = 0
]]
(23)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X, X2}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ({p3 != 2} || X2) && \AllAct(X))
5 2: mu X2 = \forall time\rel[(p3 == 0)]((p3 == 0) || \AllAct(X2
)) && (UnableWaitInf || \exists time((p3 == 0)))
6 }
M2∗: It is always the case that if the gate is down, then it will inevitably come up after 30 seconds
(Invalid).
TCTL Formula:
No known TCTL Formula. (24)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X, X2}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ({p3 != 2} || X2[z]) && \AllAct(X))
5 2: mu X2 = \forall time\rel[(p3 == 0 && z <= CWAIT)]((p3 == 0
&& z <= CWAIT) || \AllAct(X2)) && (UnableWaitInf || \exists
time((p3 == 0 && z <= CWAIT)))
6 }
29
M3: It is always the case that at most one train is in the region at one time (Invalid).
TCTL Formula:
AG
∧
i 6=j
(pi 6= 2 ∨ pj 6= 2)
 (25)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( ({p1 != 2} || p2 != 2) && \AllAct(X))
5 }
M4∗: For all paths with an infinite number of actions, the gate is up until a train approaches
(Valid).
TCTL Formula:
No known TCTL formula. (26)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = ((p1 == 1) || (p2 == 1)) || ((p3 == 0) && \forall
time(\AllAct(X)))
5 }
M4ap∗: For all paths, the gate is up until a train approaches (Invalid).
TCTL Formula:
No known TCTL formula. (27)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
30
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 1) || (p2 == 1))]( ((p3 ==
0) || ((p1 == 1) || (p2 == 1))) && (((p1 == 1) || (p2 == 1))
|| \AllAct(X))) && ( UnableWaitInf || \exists time\rel[(p3 ==
0)](((p1 == 1) || (p2 == 1))))}
5.4 Model in PES
Below is the GRC Model for 2 processes specified in PES Code. The equation is the for-
mula, and for this model the formula is the “as” formula.
1 #define CCD 1
2 #define CGLT 2
3 #define CGRT 2
4 #define CTP 4
5 #define CTDL 1
6 #define CTDU 15
7 CLOCKS: {x1,x2,x3,x4}
8 // p1-p2 are the trains.
9 // p3 is the gate.
10 // p4 is the controller.
11 CONTROL: {p1,p2,p3,p4}
12 INITIALLY: x1 == 0 && x2 == 0 && x3 == 0 && x4 == 0
13 PREDICATE: {X}
14 START: X
15 EQUATIONS: {
16 1: nu X = ((p1 != 2) || (p3 == 2)) && \forall time(\AllAct(X))
17 }
18 INVARIANT:
19 p1 == 1 -> x1 <= CTP
20 p1 == 2 -> x1 <= CTDU
21 p2 == 1 -> x2 <= CTP
22 p2 == 2 -> x2 <= CTDU
23 p3 == 1 -> x3 <= CGLT
24 p3 == 3 -> x3 <= CGRT
25 p4 == 1 -> x4 <= CCD
26 p4 == 2 -> x4 <= CCD
27 p4 == 5 -> x4 <= CCD
28 TRANSITIONS:
29 (p1 == 0 && p4 == 0)->(p1=1, p4=1){x1,x4};
30 (p1 == 0 && p4 == 5)->(p1=1, p4=1){x1,x4};
31 (p1 == 0 && p4 == 1)->(p1=1, p4=2){x1};
31
32 (p1 == 0 && p4 == 3)->(p1=1, p4=4){x1};
33 (p2 == 0 && p4 == 0)->(p2=1, p4=1){x2,x4};
34 (p2 == 0 && p4 == 5)->(p2=1, p4=1){x2,x4};
35 (p2 == 0 && p4 == 1)->(p2=1, p4=2){x2};
36 (p2 == 0 && p4 == 3)->(p2=1, p4=4){x2};
37 (p1 == 1, x1 == CTP)->(p1=2){x1};
38 (p2 == 1, x2 == CTP)->(p2=2){x2};
39 (p1 == 2 && p4 == 1, x1 >= CTDL)->(p1=0, p4=5){x4};
40 (p1 == 2 && p4 == 3, x1 >= CTDL)->(p1=0, p4=5){x4};
41 (p1 == 2 && p4 == 2, x1 >= CTDL)->(p1=0, p4=1);
42 (p1 == 2 && p4 == 4, x1 >= CTDL)->(p1=0, p4=3);
43 (p2 == 2 && p4 == 1, x2 >= CTDL)->(p2=0, p4=5){x4};
44 (p2 == 2 && p4 == 3, x2 >= CTDL)->(p2=0, p4=5){x4};
45 (p2 == 2 && p4 == 2, x2 >= CTDL)->(p2=0, p4=1);
46 (p2 == 2 && p4 == 4, x2 >= CTDL)->(p2=0, p4=3);
47 (p3 == 2 && p4 == 5)->(p3=3, p4=0){x3};
48 (p3 == 1 && p4 == 5)->(p3=3, p4=0){x3};
49 (p3 == 0 && p4 == 1)->(p3=1, p4=3){x3};
50 (p3 == 3 && p4 == 1)->(p3=1, p4=3){x3};
51 (p3 == 0 && p4 == 2)->(p3=1, p4=4){x3};
52 (p3 == 3 && p4 == 2)->(p3=1, p4=4){x3};
53 (p3 == 3, x3 == CGRT)->(p3=0);
54 (p3 == 1, x3 == CGLT)->(p3=2);
6 LEADER Election
Additional information about the protocol was obtained by [13, 16].
6.1 Overview
The LEADER Protocol involves n processes that are electing a leader amongst themselves.
They do this by asking a fellow process to be their “parent". The process that is being asked
to be their parent either accepts the request or denies it. After the request, the request-
responding pair is resolved my making the smaller id process the parent of the other. Each
process can have at most one parent but can have any number of child processes. Each
request is executed instantaneously. When the election protocol is “finished”, the “root"
process is the leader.
Parameters:
• CPD (PERIOD). This is the length of time a request-respond cycle can take for a
process requesting a parent and then being accepted or denied. The default value is
2.
32
LEADER Figures [1/1] 
0: 
xi < CPD 
n: 1: 
reqi1 (i > 1), req1i (i > 1), 
xi < CPD, xi := 0 
j: … … 
reqij, (j > i), reqji (j > i), xi := 0, xi < CPD 
reqin (i > n), reqni (i > n), 
xi < CPD, xi := 0 
reqij (i > j), reqji (i > j), 
xi < CPD, xi := 0 
Figure 10: Timed Automaton for a Process in the LEADER Example.
6.2 Timed Automata Modeling
These are the actions which the processes are “synchronized” on.
• reqij, here process i asks j to be its parent. Note that the request always resolves
where i becomes j’s parent if i < j and if i > j, j becomes i’s parent. We do not allow
i = j.
The Timed Automaton Figure for a single process is in Figure 10.
The states of Process i are as follows:
0. 0: The process has no parent.
i. i: The process has process i as its parent. Here i ranges from 1–n.
Given the instantaneous resolution of requests, there is no need to store a global vari-
able. The local variable of the process’s parent is stored with the state.
Remark 7. The LEADER election process model here follows the model in [17]. This model sim-
plifies things from the models in [13, 16]:
• It assumes the network topology is the complete graph of processes.
• Then the labeling of numbers is a “symmetry”: although any process can request a parent,
requests are always resolved where the smaller process id becomes the parent of the other,
regardless of who made the initial request.
• The non-determinism is implemented in a manner that there are no cyclic conflicts. All the
resolved outcomes are still available.
33
Each process has one clock xi. Initially, each clock is 0 (xi = 0 for all i) and each process
is initially in state 0 (has no parent).
Remark 8 (Timelock). This model has a timelock (with the state when a leader is elected). To
ensure that the timed automaton is timelock-free, an additional final state where time can diverge
is added. This state can be transitioned to when a leader is elected.
6.3 Specifications Checked
In the specifications, the processes are p1 . . . pl for the l processes. In addition, there is a
variable p that is initially 0 but becomes 1 when the leader election process is finished.
The specifications checked on the LEADER protocol are:
AS: At any time, each process either has no parent or has a parent with a smaller process
id (and thus the first process has no parent at all times). (Valid)
TCTL Formula:
AG
[∧
i
(pi < i)
]
(28)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = ((p1 < 1)
5 &&(p2 < 2)
6 ) && \forall time(\AllAct(X))
7 }
BS: At any moment, at least three processes do not have parents. (Invalid)
TCTL Formula:
AG
 ∧
i 6=j 6=k
(pi = 0 ∧ pj = 0 ∧ pk = 0)
 (29)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 START: X
2 EQUATIONS: {
3 1: nu X = ((p1 == 0 && p2 == 0 && p3==0)
34
4 ) && \forall time(\AllAct(X))
5 }
AL: It is inevitable that the first process is elected the leader. (Valid)
TCTL Formula:
AF
p1 = 0 ∧ ∧
i 6=1
(pi 6= 0)
 (30)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[((p1 == 0) && (p2 != 0))](((p1 ==
0) && (p2 != 0)) || \AllAct(X)) && (UnableWaitInf || \exists
time(((p1 == 0) && (p2 != 0))))
5 }
BL: It is inevitable that the third processes’ parent is the second process. (Invalid)
TCTL Formula:
AF [p3 = 1] (31)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[( p3 == 1)](( p3 == 1) || \AllAct(X
)) && (UnableWaitInf || \exists time(( p3 == 1)))
5 }
M1∗: For all paths, a the second process cannot have a child until it has a parent. (Invalid)
TCTL Formula:
No known TCTL formula. (32)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
35
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: mu X = \forall time\rel[(p2 != 0)]( (((p1 != 2) && (p2 !=
2)) || (p2 != 0)) && ((p2 != 0) || \AllAct(X))) && (
UnableWaitInf || \exists time\rel[((p1 != 2) && (p2 != 2))]((
p2 != 0)))}
M2: It is always the case that if the third process is assigned a parent (chosen to not be
leader), then it will not be the leader. (Valid)
TCTL Formula:
AG [p3 6= 0 → AG [p3 6= 0]] (33)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X,X2}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time((({p3 == 0} || X2)) && \AllAct(X))2: nu
X2 = \forall time(((p3 != 0)) && \AllAct(X2))}
M3∗: It is possible that it takes longer than 3 time units to elect a leader. (Valid)
TCTL Formula:
EG>3 [p = 0] (34)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X, X2}
2 START: X
3 EQUATIONS: {
4 1: mu X = X2[z]2: mu X2 = \exists time(((p == 0 && z>=3)) || \
ExistAct(X2))}
5 INVARIANT:
6 p1 == 0 && p==0 -> x1 <= CPD
7 p2 == 0 && p==0 -> x2 <= CPD
8 TRANSITIONS:
36
9 (p2 == 0 && p1 == 0, x2 <= CPD && x1 <= CPD)->(p2 = 1){x2,
x1};
10 (p==0 && p1==0 && p2!=0)->(p=1){x1, x2};
M4∗: For all paths, in at most three votes, a leader is elected. (Valid for four or fewer processes,
invalid for five or more processes.)
TCTL Formula:
No known TCTL formula. (35)
The Lrelν,µ is included in the Tool MES Specification (with abbreviations for notational
convenience).
Tool MES Specification:
1 PREDICATE: {X}
2 START: X
3 EQUATIONS: {
4 1: nu X = \forall time( (p == 1) || \AllAct(\forall time( (p
== 1) || \AllAct(\forall time( (p == 1) || \AllAct(\forall
time( (p == 1) || \AllAct(\forall time( (p == 1))) )) )) )) )
5 }
Remark 9. The more typical A Example specification is that at all times, at least one process
has no parent. This is a corollary of the A Example specification that we check. While this is a
reasonable specification to check, we check a stronger one since this specification is not invalidated
by common bugs on the more simpler LEADER model that we took. Of course, errors can always
be introduced to invalidate this specification, but this weaker specification is
With these specifications, the process can by symmetric, but in this specification, it
is assumed that the lower numbered process becomes the leader. This results in shorter
specifications.
6.4 Model in PES
Below is the LEADER Model for 2 processes specified in PES Code. The equation is the
formula, and for this model the formula is the “as” formula.
1 #define CPD 2
2 CLOCKS: {x1,x2}
3 CONTROL: {p1,p2, p}
4 PREDICATE: {X}
5 START: X
6 EQUATIONS: {
7 1: nu X = ((p1 < 1)
37
8 &&(p2 < 2)
9 ) && \forall time(\AllAct(X))
10 }
11 INVARIANT:
12 p1 == 0 && p==0 -> x1 <= CPD
13 p2 == 0 && p==0 -> x2 <= CPD
14 TRANSITIONS:
15 (p2 == 0 && p1 == 0, x2 <= CPD && x1 <= CPD)->(p2 = 1){x2,
x1};
16 (p==0 && p1==0 && p2!=0)->(p=1){x1, x2};
38
References
[1] Rajeev Alur, Costas Courcoubetis, David Dill, Nicolas Halbwachs, and Howard
Wong-Toi. An implementation of three algorithms for timing verification based on
automata emptiness. In Proceedings of the Real-Time Systems Symposium (RTSS ’92),
pages 157–166, Phoenix, AZ, USA, December 1992. IEEE Computer Society. doi:
http://dx.doi.org/10.1109/REAL.1992.242667.
[2] M. Archer and C. Heitmeyer. Mechanical verification of timed automata: a case
study. In Real-Time Technology and Applications Symposium, 1996. Proceedings., 1996
IEEE, pages 192 –203, June 1996. doi: 10.1109/RTTAS.1996.509536.
[3] F. Balarin. Approximate reachability analysis of timed automata. In Proceedings of
the 17th IEEE Real-Time Systems Symposium, RTSS ’96, pages 52–61, Washington, DC,
USA, 1996. IEEE Computer Society. ISBN 0-8186-7689-2. URL http://portal.
acm.org/citation.cfm?id=827268.828972.
[4] Gerd Behrmann, Alexandre David, and Kim G. Larsen. A tutorial on Uppaal. In
Marco Bernardo and Flavio Corradini, editors, Formal Methods for the Design of Real-
Time Systems, International School on Formal Methods for the Design of Computer, Commu-
nication and Software Systems (SFM-RT ’04), volume 3185 of Lecture Notes in Computer
Science, pages 200–236, Bertinoro, Italy, September 2004. Springer Berlin Heidelberg.
ISBN 978-3-540-23068-7. doi: http://dx.doi.org/10.1007/b110123.
[5] Hans Bekic´. Definable operations in general algebras, and the theory of automata
and flowcharts. In C. B. Jones, editor, Programming Languages and Their Definition: H.
Bekicˇ (1936–1982), Lecture Notes in Computer Science, pages 30–55. Springer, Berlin,
Heidelberg, 1984. ISBN 978-3-540-38933-0. doi: 10.1007/BFb0048939. URL https:
//doi.org/10.1007/BFb0048939.
[6] Conrado Daws, Alfredo Olivero, Stavros Tripakis, and Sergio Yovine. The tool KRO-
NOS. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag, editors, Hybrid
Systems III, volume 1066 of Lecture Notes in Computer Science, pages 208–219. Springer
Berlin Heidelberg, 1996. doi: http://dx.doi.org/10.1007/BFb0020947.
[7] Peter Fontana and Rance Cleaveland. Data structure choices for on-the-fly model
checking of real-time systems. In Malay Ganai and Armin Biere, editors, Pro-
ceedings of the First International Workshop on Design and Implementation of Formal
Tools and Systems (DIFTS ’11), volume 832 of CEUR Workshop Proceedings, pages
13–21, Austin, TX, USA, November 2011. URL http://ceur-ws.org/Vol-832/
Difts11Proceedings.pdf#page=17.
[8] Peter Fontana and Rance Cleaveland. The power of proofs: New algorithms for timed
automata model checking. In Axel Legay and Marius Bozga, editors, Formal Model-
ing and Analysis of Timed Systems, pages 115–129, Cham, 2014. Springer International
Publishing. ISBN 978-3-319-10512-3.
39
[9] Peter Fontana and Rance Cleaveland. A menagerie of timed automata. ACM Comput-
ing Surveys, 46(3):40:1–40:56, January 2014. doi: http://dx.doi.org/10.1145/2518102.
[10] Peter Christopher Fontana. Towards a Unified Theory of Timed Automata. Ph.D. Disser-
tation, University of Maryland, College Park, 2014. URL http://drum.lib.umd.
edu/handle/1903/15232.
[11] Constance Heitmeyer and Nancy Lynch. The generalized railroad crossing: a case
study in formal verification of real-time systems. In Proceedings of the Real-Time
Systems Symposium (RTSS ’94), pages 120–131. IEEE, December 1994. doi: http:
//dx.doi.org/10.1109/REAL.1994.342724.
[12] Constance L. Heitmeyer, Bruce G. Labaw, and Ralph D. Jeffords. A benchmark for
comparing different approaches for specifying and verifying real-time systems. Tech-
nical Report ADA462244, Naval Research Laboratory, 1993. URL http://handle.
dtic.mil/100.2/ADA462244.
[13] Judi Romijn. A Timed Verification of the IEEE 1394 Leader Election Protocol. Formal
Methods in System Design, 19:165–194, 2001. ISSN 0925-9856. URL http://dx.doi.
org/10.1023/A:1011284000753. 10.1023/A:1011284000753.
[14] Oleg V. Sokolsky and Scott A. Smolka. Local model checking for real-time sys-
tems. In Pierre Wolper, editor, Proceedings of the 7th International Conference on Com-
puter Aided Verification (CAV ’95), volume 939 of Lecture Notes in Computer Science,
pages 211–224. Springer Berlin Heidelberg, July 1995. doi: http://dx.doi.org/10.
1007/3-540-60045-0_52.
[15] Andrew S. Tanenbaum. Computer Networks. Prentice Hall, fourth edition, 2002.
[16] Alberto Verdejo, Isabel Pita, and Narciso Martí-Oliet. The Leader Elec-
tion Protocol of IEEE 1394 in Maude. Electronic Notes in Theoretical Com-
puter Science, 36:383 – 404, 2000. ISSN 1571-0661. doi: DOI:10.1016/
S1571-0661(05)80133-1. URL http://www.sciencedirect.com/science/
article/B75H1-4G7MXPH-S/2/9ac69af4a141ad3fb4c8df067ef1a6a0. The
3rd International Workshop on Rewriting Logic and its Applications.
[17] Farn Wang. Efficient verification of timed automata with BDD-like data-structures.
In Lenore D. Zuck, Paul C. Attie, Agostino Cortesi, and Supratik Mukhopadhyay,
editors, Proceedings of the 4th International Conference on Verification, Model Checking,
and Abstract Interpretation (VMCAI ’03), volume 2575 of Lecture Notes in Computer
Science, pages 189–205. Springer Berlin Heidelberg, 2003. ISBN 3-540-00348-7. doi:
http://dx.doi.org/10.1007/3-540-36384-X_17.
[18] Farn Wang. Symbolic Parametric Safety Analysis of Linear Hybrid Systems with
BDD-Like Data-Structures. Computer Aided Verification, pages 379–382, 2004. URL
http://www.springerlink.com/content/xj7hqmgew0m5peje.
40
[19] Sergio Yovine. KRONOS: a verification tool for real-time systems. International Journal
on Software Tools for Technology Transfer, 1(1–2):123–133, 12 1997. doi: http://dx.doi.
org/10.1007/s100090050009.
[20] Dezhuang Zhang. Model Checking for Data-Based Concurrent Systems. PhD
thesis, State University of New York at Stony Brook, December 2005.
URL http://proquest.umi.com/pqdweb?did=1092095351&sid=1&Fmt=6&
clientId=41143&RQT=309&VName=PQD.
[21] Dezhuang Zhang and Rance Cleaveland. Fast generic model-checking for data-based
systems. In Farn Wang, editor, Proceedings of the International Conference on the Formal
Techniques for Networked and Distributed Systems (FORTE ’05), volume 3731 of Lecture
Notes in Computer Science, pages 83–97. Springer Berlin Heidelberg, 2005. ISBN 978-
3-540-29189-3. doi: http://dx.doi.org/10.1007/11562436_8.
[22] Dezhuang Zhang and Rance Cleaveland. Fast on-the-fly parametric real-time model
checking. In Proceedings of the 26th IEEE International Real-Time Systems Symposium
(RTSS ’05), pages 157–166. IEEE Computer Society, 2005. ISBN 0-7695-2490-7. doi:
http://dx.doi.org/10.1109/RTSS.2005.22.
41
