Predicate Diagrams for the Verification of Real-Time Systems
Eun-Young Kang (1), Stephan Merz
MOSEL project, LORIA, Nancy, France
{Eun-Young.Kang,Stephan.Merz}@loria.fr
Abstract
We propose a format of predicate diagrams for the verification of real-time systems. We consider systems that are defined as extended timed graphs, a format that combines timed automata and constructs for modeling data, possibly over infinite domains. Predicate diagrams are succinct and intuitive representations of Boolean abstractions. They also represent an interface between deductive tools used to establish the correctness of an abstraction, and model checking tools that can verify behavioral properties of finite-state models. The contribution of this paper is to extend the format of predicate diagrams to timed systems. We also establish a set of verification conditions that are sufficient to prove that a given predicate diagram is a correct abstraction of an extended timed graph. The formalism is supported by a toolkit, and we demonstrate its use on Fischer's real-time mutual-exclusion protocol.
Keywords: Real-time systems, verification, abstraction, XTG, predicate diagrams, theorem proving, model checking
1 Introduction
Model checking has become a routine technique for the verification of hardware systems and communication protocols, which can essentially be modeled as finite-state systems. Seminal work by Alur and Dill, Henzinger and others [2,12] has shown that model checking techniques can also be developed for real-time systems, and implementations of such tools have made significant progress and can handle sizable systems [4,22]. Model checking is attractive because it is fully automatic, but also because it provides counter-examples when the property of interest does not hold of the system.

(1) Supported by NWO, Faculty of EEMCS, The Technical University of Delft, The Netherlands.

Electronic Notes in Theoretical Computer Science 145 (2006) 151–165
1571-0661 © 2005 Elsevier B.V.
www.elsevier.com/locate/entcs
doi:10.1016/j.entcs.2005.10.010
Open access under CC BY-NC-ND license.
However, real-time model checking is applicable only under certain restrictions; most notably, it requires the system to be represented as a timed automaton whose discrete state space (disregarding the real-valued clocks) is finite. This restriction is in general not satisfied for software systems, and ad-hoc approximations are therefore used in model checking. On the other hand, deductive techniques can in principle be used to verify infinite-state systems, based on suitable sets of axioms and inference rules. Although they can be supported by theorem provers and interactive proof assistants, their use requires considerable expertise and tedious user interaction.
Algorithmic and deductive verification techniques are therefore complementary, and combinations of the two approaches should give rise to powerful verification environments. For example, a theorem prover can be used to verify that a finite-state model is a correct abstraction of a given system, and properties of that finite-state abstraction can then be established using model checking. In order to make these ideas more concrete, we need to identify a suitable format that serves as an interface between deductive and algorithmic techniques and gives rise to feasible verification conditions.
Predicate abstraction [11,21] has emerged as a fruitful basis for software verification. It underlies tools such as slam [6] and blast [13], which moreover contain algorithms for abstraction refinement when the model checker reports a counter-example for the abstracted model that cannot be reproduced over the original model.
In previous work [8,9], we have proposed a format for presenting predicate abstractions, called predicate diagrams, with an emphasis on proving liveness properties of discrete systems. In this paper we propose a variant PDT of predicate diagrams, intended for the verification of real-time systems. We also show how to relate PDTs to real-time systems described as extended timed-automata graphs (XTGs), a representation developed at TU Delft [16,3]. Basically, a PDT shows a finite-state abstraction of an XTG, and the correctness of the abstraction can be established by proving a number of verification conditions expressed in first-order logic. On the other hand, model checking is used to establish correctness properties (expressed in temporal logic) over the PDT.
This paper is structured as follows. Section 2 presents XTGs as models of real-time systems. Section 3 introduces PDTs, defines the notion of conformance to relate XTGs and PDTs, and establishes a set of sufficient proof obligations to verify conformance. To illustrate the approach, we present a verification of Fischer's mutual-exclusion protocol in Section 4. Section 5 discusses future work and concludes the paper.
2 Extended Timed Automata Graphs
We model real-time systems as XTGs (extended timed automata graphs) [3], a notation that combines the familiar framework of timed automata [1], synchronous value passing between parallel processes, and a language for modeling data. The semantics of XTGs is defined in terms of timed (Kripke) structures, also known as timed transition systems.
Definition 2.1 A timed structure is a tuple $\langle S, S_0, T\rangle$ where
• $S$ is a set of states,
• $S_0 \subseteq S$ is the subset of initial states, and
• $T \subseteq S \times (\mathbb{R}_{\ge 0} \cup \{\mu\}) \times S$ is a transition relation.
A run of a timed structure is a (finite or infinite) sequence
$$\pi = s_0 \xrightarrow{\lambda_0} s_1 \xrightarrow{\lambda_1} s_2 \ldots$$
where $s_0 \in S_0$ is an initial state and $\langle s_i, \lambda_i, s_{i+1}\rangle \in T$ is a transition for all $i$.
Timed structures distinguish two kinds of transitions: time-passing transitions are labeled by a non-negative real number that represents the amount of time that has elapsed during this transition. Discrete transitions model state changes and have a special label $\mu$.
Our definition of XTGs is parameterized by an underlying language for modeling data. In this paper, we do not need to fix a precise signature, but assume the following generic syntactic framework:
Definition 2.2 A data language provides the following syntactic domains:
• $V$: a finite set of variables,
• $V_c \subseteq V$: a subset of clock variables,
• $\mathit{Expr}$: value expressions (over the set $V$ of variables), and
• $\mathit{Bexpr} \subseteq \mathit{Expr}$: the subset of Boolean expressions.
Similarly, we do not fix a precise semantics, but simply require the existence of a suitable semantic domain and evaluation function.
Definition 2.3 We assume a universe $\mathit{Val}$ of values that includes the set $\mathbb{R}_{\ge 0}$ of non-negative real numbers and the Boolean values $tt$ and $ff$. A valuation is a mapping $\rho : V \to \mathit{Val}$ from variables to values such that $\rho(c) \in \mathbb{R}_{\ge 0}$ for all $c \in V_c$. For a valuation $\rho$ and $\delta \in \mathbb{R}_{\ge 0}$ we write $\rho[+\delta]$ to denote the environment that increases each clock in $V_c$ by $\delta$:
$$\rho[+\delta](v) = \begin{cases} \rho(v) + \delta & \text{if } v \in V_c \\ \rho(v) & \text{otherwise} \end{cases}$$
We assume given an evaluation function
$$[\![\,\cdot\,]\!] : \mathit{Expr} \to (V \to \mathit{Val}) \to \mathit{Val}$$
that associates a value $[\![e]\!]_\rho$ with any expression $e \in \mathit{Expr}$ and valuation $\rho$. We require that $[\![e]\!]_\rho \in \{tt, ff\}$ for all $e \in \mathit{Bexpr}$.
An XTG consists of a fixed, finite number of processes. The control part of any process is described as a finite state machine. The full state space is given by a set of variables (which can be local to the process or shared between processes), communication channels, and clocks. As in timed automata, clocks are continuous variables that all increase at a fixed, uniform rate. Clock values can be tested in transition guards, and clocks can be reset during transitions. Moreover, locations of a process are associated with invariants. These are particularly useful to ensure upper bounds on clocks, limiting the amount of time that a location can remain active. Finally, transitions of an XTG process can be marked as urgent, implying that they should be taken as soon as they are enabled.
Processes of an XTG execute asynchronously in parallel. They communicate by means of shared variables or by synchronous value passing in the spirit of value-passing CCS [17]. A definition of the core syntax and semantics of XTGs was given by Spelberg [19]. In the present paper we restrict ourselves to shared variables and for simplicity do not consider value passing.
Definition 2.4 An XTG process is a tuple $\langle \mathit{Init}, L, l_0, I, E, U\rangle$ where
• $\mathit{Init} \in \mathit{Bexpr}$ indicates the initial condition for (the data part of) the process,
• $L$ is a finite set of locations,
• $l_0 \in L$ is the initial location,
• $I : L \to \mathit{Bexpr}$ assigns an invariant to each location,
• $E \subseteq L \times \mathit{Bexpr} \times 2^{V \times \mathit{Expr}} \times L$ is a set of edges, represented as tuples $\langle l, g, u, l'\rangle$ where
  · $l \in L$ is the source location,
  · $g \in \mathit{Bexpr}$ is a Boolean expression, the guard,
  · $u \subseteq V \times \mathit{Expr}$ is an update, i.e. a set of assignments, and
  · $l' \in L$ is the destination location.
  Note that an assignment is defined as a pair $\langle v, e\rangle$ where $v$ is a variable and $e$ is an expression whose value is to be assigned to the variable.
• $U \subseteq E$ identifies the subset of urgent edges.
An XTG is a finite set of XTG processes.

Fig. 1. Example XTG and PDT.
(a) XTG, text form (reassembled from the extracted figure):

    system example
      state integer x:=0, go:=0
      process P p1;
      graph P
        state clock c:=0
        init l_0
        locations
          l_0 inv(c<=3) { when go=0 and c=3 do x:=x+1 goto l_1 }
          l_1           { when c>=5 asap goto l_2 }
          l_2           { when true do c:=0 and x:=0 goto l_0 }
      end

(b) XTG, graphical form: locations l_0 (invariant c<=3), l_1 and l_2; initially c:=0, x:=0, go:=0; an edge l_0 → l_1 with guard [c=3 ∧ go=0] and update x:=x+1, an urgent edge l_1 → l_2 with guard [c>=5], and an edge l_2 → l_0 with updates c:=0, x:=0.
(c) A PDT for this XTG: nodes n_0 = 〈l_0, {x=0, c≤3, go=0}〉, n_1 = 〈l_1, {x=1, 3≤c<5, go=0}〉, n_t = 〈l_1, {x=1, c=5, go=0}〉 and n_2 = 〈l_2, {x=1, c≥5, go=0}〉, with solid (discrete) edges n_0 → n_1, n_t → n_2, n_2 → n_0 following the three XTG edges and a dashed (time-passing) edge n_1 → n_t.
Figure 1 shows a sample XTG consisting of a single process, both in its
textual (Fig. 1.a) and graphical (Fig. 1.b) representations. The XTG process
consists of three locations l0, l1, and l2. The edge from l1 to l2 is urgent, as
indicated by the keyword asap in Fig. 1.a and by the black dot at the source
of the transition in Fig. 1.b.
With any XTG we associate a timed structure whose states are given by the active locations of the XTG and the valuations of the underlying variables.
Definition 2.5 Assume given an XTG $X$ with processes $P_1, \ldots, P_n$. The timed structure $\mathcal{T} = \langle S, S_0, T\rangle$ generated by $X$ is the smallest structure such that
• $S_0$ consists of all tuples $\langle l_{1,0}, \ldots, l_{n,0}, \rho\rangle$ where $l_{i,0}$ is the initial location of process $P_i$ and $[\![\mathit{Init}_i]\!]_\rho = tt$ for the initial conditions $\mathit{Init}_i$ of all processes $P_i$.
• For any state $s = \langle l_1, \ldots, l_n, \rho\rangle \in S$, any $i \in \{1, \ldots, n\}$, and any edge $\langle l_i, g, u, l_i'\rangle \in E_i$ of process $P_i$ such that $[\![g]\!]_\rho = tt$, $T$ contains a transition $\langle s, \mu, s'\rangle \in T$ where $s' = \langle l_1', \ldots, l_n', \rho'\rangle$ and $l_j' = l_j$ for $j \neq i$, and where
$$\rho'(v) = \begin{cases} [\![e]\!]_\rho & \text{if } \langle v, e\rangle \in u \\ \rho(v) & \text{otherwise} \end{cases}$$
provided that $[\![I(l_j')]\!]_{\rho'} = tt$ for all $j \in \{1, \ldots, n\}$.
• For a state $s = \langle l_1, \ldots, l_n, \rho\rangle \in S$ and $\delta \in \mathbb{R}_{\ge 0}$, $T$ contains a transition $\langle s, \delta, s'\rangle \in T$ where $s' = \langle l_1, \ldots, l_n, \rho[+\delta]\rangle$ provided that for all $0 \le \varepsilon \le \delta$, the location invariants evaluate to true, i.e. $[\![I(l_i)]\!]_{\rho[+\varepsilon]} = tt$, and that for all $0 \le \varepsilon < \delta$, the guards of any urgent edge $\langle l_i, g, u, l_i'\rangle$ leaving an active location $l_i$ of state $s$ evaluate to false, i.e. $[\![g]\!]_{\rho[+\varepsilon]} = ff$.
Discrete transitions correspond to edges of one of the XTG processes. They require the guard of the edge to evaluate to true in the source state. The destination state is obtained by activating the target location of the edge and by applying the updates associated with the edge. Time-passing transitions uniformly update all clock variables; time is not allowed to elapse beyond any value that activates some urgent edge of an XTG process. In either case, the invariants of all active locations have to be maintained.
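The two transition rules of Definition 2.5 are mechanical enough to execute, and doing so makes the urgency and invariant side conditions concrete. The following Python code is an added example, not code from the paper or from the XTG tools: it interprets the single-process XTG of Fig. 1 as a timed structure, using exact rationals for clock values. Representing clock constraints as conjunctions of atoms (clock, comparison, constant) and assuming that data guards do not mention clocks are choices of this example; the locations, guards, updates and invariant are those of Fig. 1.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple

# Added example (not from the paper or the XTG/dixit tools): the timed-structure
# semantics of Definition 2.5 for the single-process XTG of Fig. 1.
# A clock constraint is a conjunction of atoms (clock, op, bound); data guards are
# Python predicates over the valuation and are assumed not to mention clocks.

Valuation = Dict[str, Fraction]
Atom = Tuple[str, str, int]                 # e.g. ("c", "<=", 3)
CLOCKS = {"c"}                              # V_c of Definition 2.2


def state(loc: str, c, x, go=0) -> Tuple[str, Valuation]:
    """Convenience constructor for a state <loc, rho> with exact clock values."""
    return loc, {"c": Fraction(c), "x": Fraction(x), "go": Fraction(go)}


def atom_holds(atom: Atom, rho: Valuation) -> bool:
    c, op, k = atom
    v = rho[c]
    return {"<": v < k, "<=": v <= k, "==": v == k, ">=": v >= k, ">": v > k}[op]


def advance(rho: Valuation, delta: Fraction) -> Valuation:
    """rho[+delta] of Definition 2.3: clocks grow by delta, data variables are unchanged."""
    return {v: val + delta if v in CLOCKS else val for v, val in rho.items()}


def window(atoms: List[Atom], rho: Valuation):
    """Set of delays eps >= 0 at which all atoms hold in rho[+eps], as an interval
    (lo, lo_strict, hi, hi_strict) with hi None for unbounded, or None if empty.
    Clocks grow linearly, so each atom bounds eps from one side only."""
    lo, lo_strict, hi, hi_strict = Fraction(0), False, None, False
    for c, op, k in atoms:
        t = Fraction(k) - rho[c]            # delay at which clock c reaches the bound
        if op in (">", ">=", "==") and (t > lo or (t == lo and op == ">")):
            lo, lo_strict = t, op == ">"
        if op in ("<", "<=", "==") and (hi is None or t < hi or (t == hi and op == "<")):
            hi, hi_strict = t, op == "<"
    if hi is not None and (hi < lo or (hi == lo and (lo_strict or hi_strict))):
        return None
    return lo, lo_strict, hi, hi_strict


def in_window(w, eps: Fraction) -> bool:
    if w is None:
        return False
    lo, lo_strict, hi, hi_strict = w
    if eps < lo or (eps == lo and lo_strict):
        return False
    return hi is None or eps < hi or (eps == hi and not hi_strict)


@dataclass(frozen=True)
class Edge:
    src: str
    clock_guard: List[Atom]
    data_guard: Callable[[Valuation], bool]
    update: Dict[str, Callable[[Valuation], Fraction]]   # the set u of Definition 2.4
    dst: str
    urgent: bool = False


# The process of Fig. 1: locations l_0 (invariant c<=3), l_1, l_2.
INVARIANT: Dict[str, List[Atom]] = {"l_0": [("c", "<=", 3)], "l_1": [], "l_2": []}
EDGES = [
    Edge("l_0", [("c", "==", 3)], lambda r: r["go"] == 0, {"x": lambda r: r["x"] + 1}, "l_1"),
    Edge("l_1", [("c", ">=", 5)], lambda r: True, {}, "l_2", urgent=True),
    Edge("l_2", [], lambda r: True, {"c": lambda r: Fraction(0), "x": lambda r: Fraction(0)}, "l_0"),
]


def discrete_successors(loc: str, rho: Valuation) -> List[Tuple[str, Valuation]]:
    """All <s, mu, s'> transitions from s = <loc, rho>: guard true in rho, updates applied
    simultaneously (right-hand sides read the old valuation), target invariant true in rho'."""
    out = []
    for e in EDGES:
        if e.src != loc or not e.data_guard(rho) or not all(atom_holds(a, rho) for a in e.clock_guard):
            continue
        rho2 = dict(rho)
        rho2.update({v: expr(rho) for v, expr in e.update.items()})
        if all(atom_holds(a, rho2) for a in INVARIANT[e.dst]):
            out.append((e.dst, rho2))
    return out


def can_delay(loc: str, rho: Valuation, delta) -> bool:
    """Is <s, delta, <loc, rho[+delta]>> a transition? The invariant must hold for all
    0 <= eps <= delta and no urgent guard may hold for any 0 <= eps < delta."""
    delta = Fraction(delta)
    inv = window(INVARIANT[loc], rho)
    if delta < 0 or not (in_window(inv, Fraction(0)) and in_window(inv, delta)):
        return False                        # the window is convex: checking both endpoints suffices
    for e in EDGES:
        if e.src == loc and e.urgent and e.data_guard(rho):
            w = window(e.clock_guard, rho)
            if w is not None and w[0] < delta:
                return False                # the urgent edge would become enabled before delta
    return True


def max_delay(loc: str, rho: Valuation) -> Optional[Fraction]:
    """Supremum of admissible delays from <loc, rho> (None = unbounded); it is attained
    unless the bounding invariant atom is strict."""
    inv = window(INVARIANT[loc], rho)
    bound = None if inv is None else inv[2]
    for e in EDGES:
        if e.src == loc and e.urgent and e.data_guard(rho):
            w = window(e.clock_guard, rho)
            if w is not None and (bound is None or w[0] < bound):
                bound = w[0]
    return bound


def delay(loc: str, rho: Valuation, delta) -> Tuple[str, Valuation]:
    if not can_delay(loc, rho, delta):
        raise ValueError(f"no time-passing transition by {delta} from {loc}")
    return loc, advance(rho, Fraction(delta))


def example_run() -> List[Tuple[str, Valuation]]:
    """One run of the timed structure: wait 3, fire l_0 -> l_1, wait the maximum (2),
    take the urgent edge to l_2, return to l_0."""
    s = state("l_0", 0, 0)
    run = [s]
    for step in (lambda s: delay(*s, 3), lambda s: discrete_successors(*s)[0],
                 lambda s: delay(*s, max_delay(*s)), lambda s: discrete_successors(*s)[0],
                 lambda s: discrete_successors(*s)[0]):
        s = step(s)
        run.append(s)
    return run
```

From l_1 with c = 3 the admissible delays are exactly [0, 2]: can_delay accepts 2 and rejects 2.5, because the urgent edge's guard c ≥ 5 becomes true at ε = 2 and Definition 2.5 requires urgent guards to be false on the half-open interval [0, δ). From l_0 the bound comes from the invariant instead, and from l_2 there is none.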
3 Predicate Diagrams for Timed Systems
Due to their rich data model, standard real-time model checking techniques do not apply to XTGs. We now introduce the PDT notation that we use to represent predicate abstractions of XTGs. The verification problem then reduces to (a) establishing the correctness of the abstraction and (b) verifying the desired property over the abstract model. Because our abstractions give rise to finite-state models, the second subproblem is amenable to model checking. Subproblem (a) can be addressed using theorem proving, and we identify a set of sufficient, non-temporal verification conditions in Section 3.2.
3.1 The PDT Notation
Predicate abstraction has been found to be a powerful tool for software verification, and we transfer this idea to the domain of real-time systems. The basic assumption underlying predicate abstraction is that for the verification of a given property, the state space of an XTG can be partitioned into finitely many equivalence classes. For example, the precise amount of time elapsed in a transition does not really matter as long as the clock values are within certain bounds, and similarly, the precise values of the data can be abstracted with the help of predicates that indicate characteristic properties.
The formal definition of PDTs is given with respect to a set $\mathcal{L}$ that represents locations (or, more precisely, location tuples) of the underlying XTG, as well as with respect to a set $\mathcal{P}$ of predicates (i.e., Boolean expressions) of interest. We write $\overline{\mathcal{P}}$ to denote the set containing the predicates in $\mathcal{P}$ and their negations.
Definition 3.1 Assume given finite sets $\mathcal{L}$ and $\mathcal{P}$. A PDT (over $\mathcal{L}$ and $\mathcal{P}$) is given by a tuple $\langle N, N_0, R_\mu, R_\tau\rangle$ as follows:
• $N \subseteq \mathcal{L} \times 2^{\overline{\mathcal{P}}}$ is a finite set of nodes of the PDT; each node is a pair $\langle l, P\rangle$ for $l \in \mathcal{L}$ and $P \subseteq \overline{\mathcal{P}}$,
• $N_0 \subseteq N$ is the set of initial nodes,
• $R_\mu, R_\tau \subseteq N \times N$ are two relations that represent discrete and time-passing transitions of the PDT. We require that $R_\tau$ be reflexive. We usually write $n \to_\mu n'$ and $n \to_\tau n'$ for $(n, n') \in R_\mu$ and $(n, n') \in R_\tau$.
A run of a PDT is a (finite or infinite) sequence
$$\sigma = n_0 \xrightarrow{\mathit{lab}_0} n_1 \xrightarrow{\mathit{lab}_1} n_2 \ldots$$
where $n_0 \in N_0$, $\mathit{lab}_i \in \{\mu, \tau\}$, and $n_i \to_{\mathit{lab}_i} n_{i+1}$ for all $i$.
Thus, a PDT is a labelled transition system with two transition relations. A PDT node represents a set of XTG states by indicating the active locations and certain predicates satisfied by these states. The transition relations correspond to discrete transitions and time-passing transitions of the XTG. When drawing a PDT, as in Fig. 1.c, we use solid arrows for edges in $R_\mu$ and dashed arrows for edges in $R_\tau$. Every node has a $\tau$-loop associated with it, which we do not show explicitly.
3.2 Conformance: Relating XTGs and PDTs
We now formally define what it means for a PDT to conform to an XTG, i.e. when the PDT is a correct abstraction of the XTG. We also establish a set of verification conditions that guarantee conformance. Our purpose in defining conformance is to ensure that any property verified over the PDT also holds for the XTG. Because we are interested in verifying linear-time properties, and such properties hold of a system if they are satisfied by each system run, we should verify that each run of an XTG can be mapped to a run of the PDT. The following definition makes this intuition precise.
Definition 3.2 Given an XTG $X$, a PDT $\Delta$, and a run $\pi = \langle l_0, \rho_0\rangle \xrightarrow{\lambda_0} \langle l_1, \rho_1\rangle \ldots$ of $X$, we say that a run $\sigma = n_0 \xrightarrow{\mathit{lab}_0} n_1 \ldots$ of $\Delta$ is a trace of $\pi$ iff
• $\pi$ and $\sigma$ are of equal length (in particular, either both finite or both infinite),
• $n_i = \langle l_i, P\rangle$ for some $P \subseteq \overline{\mathcal{P}}$ such that $[\![p]\!]_{\rho_i} = tt$ for all $p \in P$ and all $i$, i.e. the states of $\pi$ and the nodes of $\sigma$ activate the same locations and all predicates of $n_i$ are satisfied in the corresponding state of $\pi$, and
• $\mathit{lab}_i = \mu$ if $\lambda_i = \mu$, and $\mathit{lab}_i = \tau$ if $\lambda_i \in \mathbb{R}_{\ge 0}$, i.e. the two runs agree on which transitions are discrete and which are time-passing.
We say that $\Delta$ conforms to $X$ if every run of $X$ has a trace in $\Delta$.
The definition of conformance requires inspecting all runs of an XTG. For practical purposes, we are interested in establishing a reasonably small set of first-order verification conditions that are sufficient to ensure conformance. The following theorem gives such conditions. Intuitively, we verify that some initial PDT node corresponds to any state satisfying the initial condition of the XTG. Inductively, given any XTG state $s$ corresponding to some PDT node and any transition from $s$ to some successor XTG state $s'$, that transition can be mapped to a transition of the PDT. In formulating the verification conditions, we introduce two copies $V'$ and $V''$ of the set of variables $V$ whose elements are decorated with single and double primes ($v'$ and $v''$ for each $v \in V$). When $P$ is a set of predicates, we sometimes also denote by $P$ the conjunction of the predicates in $P$, and we write $P'$ or $P''$ to denote the formula obtained by replacing each variable $v \in V$ by its copy $v'$ or $v''$.
Theorem 3.3 Assume that $X$ is an XTG that consists of $m$ processes $P_i = \langle \mathit{Init}_i, L_i, l_{0,i}, I_i, E_i, U_i\rangle$, and that $\Delta = \langle N, N_0, R_\mu, R_\tau\rangle$ is a PDT over $L_1 \times \cdots \times L_m$ and a set $\mathcal{P}$ of predicates. If all of the following conditions hold then $\Delta$ conforms to $X$:
(i)
$$\bigwedge_{j=1}^{m} \big(\mathit{Init}_j \wedge I(l_{0,j})\big) \;\Rightarrow\; \bigvee_{\langle l_{0,1}, \ldots, l_{0,m}, P\rangle \in N_0} P$$
In words, the conjunction of the initial conditions of $X$ and the invariants of the initial locations must imply the predicates of one of the initial nodes of $\Delta$ marked with the initial locations.
(ii) For any node $n = \langle l_1, \ldots, l_m, P\rangle$ of $\Delta$ and any edge $\langle l_i, g, u, l_i'\rangle$ of XTG process $P_i$, let $V_u$ denote the set of variables $v$ that are updated by $u$ (i.e. such that $\langle v, e\rangle \in u$ for some $e$), and let $N'$ denote the set of all nodes $n' = \langle l_1', \ldots, l_m', Q\rangle$ where $l_j' = l_j$ for $j \neq i$ such that $n \to_\mu n'$.
$$P \wedge g \wedge \bigwedge_{j=1}^{m} \big(I(l_j) \wedge I'(l_j')\big) \wedge \bigwedge_{\langle v, e\rangle \in u} v' = e \wedge \bigwedge_{v \in V \setminus V_u} v' = v \;\Rightarrow\; \bigvee_{\langle l_1', \ldots, l_m', Q\rangle \in N'} Q'$$
In words, the predicate label of node $n$, the guard of the edge, and the invariants of all active locations before and after the transition of $X$ should imply the predicate label of some node in $N'$.
(iii) For any node $n = \langle l_1, \ldots, l_m, P\rangle$ of $\Delta$, let $N''$ denote the set of all nodes $n'' = \langle l_1, \ldots, l_m, Q\rangle$ that agree with $n$ on the location components such that $n \to_\tau n''$.
$$\begin{array}{l}
P \wedge \delta \in \mathbb{R}_{\ge 0} \wedge \bigwedge_{c \in V_c} c' = c + \delta \wedge \bigwedge_{v \in V \setminus V_c} v' = v \wedge \bigwedge_{j=1}^{m} \big(I(l_j) \wedge I'(l_j)\big) \\[4pt]
\wedge\; \forall \varepsilon \le \delta :\; \bigwedge_{c \in V_c} c'' = c + \varepsilon \wedge \bigwedge_{v \in V \setminus V_c} v'' = v \;\Rightarrow\; \bigwedge_{j=1}^{m} I''(l_j) \\[4pt]
\wedge\; \forall \varepsilon < \delta :\; \bigwedge_{c \in V_c} c'' = c + \varepsilon \wedge \bigwedge_{v \in V \setminus V_c} v'' = v \;\Rightarrow\; \bigwedge_{j=1}^{m} \bigwedge_{\langle l_j, g, u, l_j'\rangle \in U_j} \neg g'' \\[4pt]
\Rightarrow\; \bigvee_{\langle l_1, \ldots, l_m, Q\rangle \in N''} Q'
\end{array}$$
In words, assuming the predicate label of $n$ and the invariants of all active locations before and after a time-passing transition by amount $\delta$ that does not activate any urgent transition of $X$, the PDT must contain some node $n''$ that is reachable from $n$ by a $\tau$-transition and whose predicate label is guaranteed to hold.
Proof (sketch). Given a run $\pi = \langle l_0, \rho_0\rangle \xrightarrow{\lambda_0} \langle l_1, \rho_1\rangle \ldots$ of $X$, we can inductively construct a trace $\sigma$ of $\pi$ in PDT $\Delta$ as follows: because $\rho_0$ must satisfy the initial conditions of all processes as well as the invariants of the initial locations, condition (i) ensures that there exists some initial node of $\Delta$ that is associated with the tuple of initial locations of $X$ and whose predicate label is true in $\rho_0$. Inductively, assume that a node $n = \langle l, P\rangle$ corresponding to the XTG configuration $s_i = \langle l_i, \rho_i\rangle$ has already been identified. If the transition in $\pi$ from $s_i$ is a discrete transition, it is due to some edge of some process $P_j$ (cf. Def. 2.5), and therefore the guard of that edge must be true in $\rho_i$ and its updates will be performed during the transition to state $\langle l_{i+1}, \rho_{i+1}\rangle$. Moreover, the location invariants must be true in the states before and after the transition. According to condition (ii) we can therefore find a node $n'$ associated with $l_{i+1}$ such that $n \to_\mu n'$ and that the predicate label of $n'$ holds in $\rho_{i+1}$. Similarly, a time-passing transition from configuration $s_i$ can be matched according to condition (iii). □
For example, Theorem 3.3 can be used to show that the PDT in Fig. 1.c conforms to the XTG of Fig. 1.b. For the initial condition, we obtain the proof obligation
$$c = 0 \wedge x = 0 \wedge go = 0 \wedge c \le 3 \;\Rightarrow\; c \le 3 \wedge x = 0 \wedge go = 0$$
As an example for the verification conditions of type (ii), we consider the XTG transition from $l_0$ to $l_1$, which has to be matched with the transitions leaving node $n_0$ of the PDT:
$$x = 0 \wedge c \le 3 \wedge go = 0 \wedge c = 3 \wedge go = 0 \wedge x' = x + 1 \wedge go' = go \wedge c' = c \;\Rightarrow\; x' = 1 \wedge 3 \le c' \wedge c' < 5 \wedge go' = 0$$
Finally, we consider the possible time-passing transitions leaving location $l_1$, focussing on the PDT node $n_1$:
$$\begin{array}{l}
x = 1 \wedge 3 \le c \wedge c < 5 \wedge go = 0 \wedge \delta \in \mathbb{R}_{\ge 0} \wedge c' = c + \delta \wedge x' = x \wedge go' = go \\[4pt]
\wedge\;\forall \varepsilon < \delta :\; c'' = c + \varepsilon \wedge x'' = x \wedge go'' = go \;\Rightarrow\; \neg(c'' \ge 5) \\[4pt]
\Rightarrow\; (x' = 1 \wedge 3 \le c' \wedge c' < 5 \wedge go' = 0) \vee (x' = 1 \wedge c' = 5 \wedge go' = 0)
\end{array}$$
Observe in particular that time cannot advance beyond a clock value of 5 because the transition from $l_1$ to $l_2$ is marked as urgent.
3.3 Verification
We now turn to establishing behavioral properties of an XTG from a conformant PDT. We assume that the properties of interest are expressed in linear-time temporal logic LTL, and that they are built from the predicates in $\mathcal{P}$. We can thus simply consider the predicates that appear as labels of the PDT as uninterpreted atomic propositions. We add atomic predicates of the form $\mathit{at}\,l$ to identify the control locations of XTG processes.
Any PDT $\Delta$ is a finite-state transition system and can be encoded in the modeling language of conventional finite-state model checkers, following the approach described in [8]. For our experiments, we use the dixit tool [10]. We claim that any property $\varphi$ that model checking establishes over some PDT $\Delta$ also holds of the XTG $X$ provided that $\Delta$ conforms to $X$. Indeed, let $\pi$ be any run of $X$. By the definition of conformance, we can find a trace $\sigma$ of $\pi$ in $\Delta$. Since $\varphi$ is assumed to hold of $\Delta$, it follows that $\sigma$ satisfies $\varphi$, and given that only predicates in $\mathcal{P}$ appear in $\varphi$, a straightforward induction on LTL formulas shows that $\varphi$ must also hold of $\pi$.
Fig. 2. An XTG for Fischer's protocol (process 1). Locations $l_{0,1}$, $l_{1,1}$, $l_{2,1}$, $l_{3,1}$, local clock $c_1$, shared variable $k$. Edge labels as read off the figure: $l_{0,1} \to l_{1,1}$ with guard $[k = 0]$ and reset $c_1 := 0$; invariant $c_1 \le 1$ at $l_{1,1}$; $l_{1,1} \to l_{2,1}$ with updates $c_1 := 0$, $k := 1$; $l_{2,1} \to l_{3,1}$ with guard $[k = 1 \wedge c_1 \ge 2]$; $l_{2,1} \to l_{0,1}$ with guard $[k \neq 1]$; $l_{3,1} \to l_{0,1}$ with updates $c_1 := 0$, $k := 0$.
On the other hand, counter-examples produced by the model checker need not correspond to actual system runs because some detail may have been lost in the abstraction. Nevertheless, these counter-examples can be helpful to refine the abstraction.
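What the model checker sees, and why the induction argument above goes through, is easiest to follow on the PDT of Fig. 1.c. The following Python code is an added example, not code from the paper or from the dixit toolkit. It checks invariance properties over the PDT with the predicates treated as uninterpreted atomic propositions and returns the abstract counter-example path when a property fails; it also constructs the trace of a concrete run as in Definition 3.2, which is the concrete-side half of the argument. Node names and predicate labels are those of Fig. 1.c; the discrete edges n_t → n_2 and n_2 → n_0 are assumed to mirror the XTG edges l_1 → l_2 and l_2 → l_0, and the sample run is constructed for this example.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Added example (not code from the paper or from dixit): the PDT of Fig. 1.c as a
# finite-state model. check_invariant treats the predicates as uninterpreted atomic
# propositions (Section 3.3); trace_of interprets them to build the trace of a concrete
# run (Definition 3.2). Edges n_0 ->mu n_1 and n_1 ->tau n_t are those exercised by the
# paper's proof obligations; n_t ->mu n_2 and n_2 ->mu n_0 are assumed to mirror the
# XTG edges l_1 -> l_2 and l_2 -> l_0.

Node = str
Valuation = Dict[str, object]

PDT_NODES: Dict[Node, Tuple[str, FrozenSet[str]]] = {
    "n_0": ("l_0", frozenset({"x=0", "c<=3", "go=0"})),
    "n_1": ("l_1", frozenset({"x=1", "3<=c<5", "go=0"})),
    "n_t": ("l_1", frozenset({"x=1", "c=5", "go=0"})),
    "n_2": ("l_2", frozenset({"x=1", "c>=5", "go=0"})),
}
INITIAL: Set[Node] = {"n_0"}
R_MU: Set[Tuple[Node, Node]] = {("n_0", "n_1"), ("n_t", "n_2"), ("n_2", "n_0")}
R_TAU: Set[Tuple[Node, Node]] = {("n_1", "n_t")}   # plus the implicit tau self-loops

# Interpretation of the predicates; used only on the concrete side (trace construction),
# never by the model checker.
PREDICATES: Dict[str, Callable[[Valuation], bool]] = {
    "x=0": lambda r: r["x"] == 0,
    "x=1": lambda r: r["x"] == 1,
    "go=0": lambda r: r["go"] == 0,
    "c<=3": lambda r: r["c"] <= 3,
    "3<=c<5": lambda r: 3 <= r["c"] < 5,
    "c=5": lambda r: r["c"] == 5,
    "c>=5": lambda r: r["c"] >= 5,
}


def successors(n: Node, kind: str) -> Set[Node]:
    """Nodes reachable from n by one edge of the given kind ('mu' or 'tau')."""
    rel = R_MU if kind == "mu" else R_TAU | {(n, n)}
    return {m for a, m in rel if a == n}


def atoms(n: Node) -> Set[str]:
    """Atomic propositions true at a node: its predicate label plus 'at l' for its location."""
    loc, preds = PDT_NODES[n]
    return set(preds) | {"at " + loc}


def check_invariant(phi: Callable[[Set[str]], bool]) -> Optional[List[Node]]:
    """Model-check 'always phi' over all runs of the PDT by breadth-first search.
    Returns None if phi holds at every reachable node, otherwise a shortest path from an
    initial node to a violating node: the abstract counter-example."""
    parent: Dict[Node, Optional[Node]] = {n: None for n in INITIAL}
    queue = deque(INITIAL)
    while queue:
        n = queue.popleft()
        if not phi(atoms(n)):
            path, m = [], n
            while m is not None:
                path.append(m)
                m = parent[m]
            return path[::-1]
        for m in sorted(successors(n, "mu") | successors(n, "tau")):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return None


def candidates(loc: str, rho: Valuation) -> Set[Node]:
    """PDT nodes a concrete state <loc, rho> may be matched to (Definition 3.2, 2nd clause)."""
    return {n for n, (l, preds) in PDT_NODES.items()
            if l == loc and all(PREDICATES[p](rho) for p in preds)}


def trace_of(states, labels) -> Optional[List[Node]]:
    """Trace of a finite run in the PDT. states[i] = (loc, rho); labels[i] is 'mu' for a
    discrete step or a delay (a number) for a time-passing step. All PDT nodes compatible
    with the prefix read so far are kept, so an early choice never blocks a later match."""
    frontier = {n: [n] for n in candidates(*states[0]) & INITIAL}
    for (loc, rho), lab in zip(states[1:], labels):
        kind = "mu" if lab == "mu" else "tau"
        nxt: Dict[Node, List[Node]] = {}
        for n, path in frontier.items():
            for m in successors(n, kind) & candidates(loc, rho):
                nxt.setdefault(m, path + [m])
        frontier = nxt
        if not frontier:
            return None                     # the run has no trace: Delta does not conform
    return next(iter(frontier.values()), None)


def fig1_run():
    """A constructed run of the XTG of Fig. 1 (wait 3, step to l_1, wait 2, urgent step, loop)."""
    def st(loc, c, x, go=0):
        return loc, {"c": c, "x": x, "go": go}
    states = [st("l_0", 0, 0), st("l_0", 3, 0), st("l_1", 3, 1),
              st("l_1", 5, 1), st("l_2", 5, 1), st("l_0", 0, 0)]
    labels = [3, "mu", 2, "mu", "mu"]
    return states, labels
```

check_invariant(lambda a: "at l_2" not in a) returns the path n_0, n_1, n_t, n_2, and trace_of(*fig1_run()) maps the constructed run onto exactly that path, so this particular counter-example is real. The caveat in the paragraph above still applies in general: a path through the PDT need not be concretizable, whereas a genuine XTG run for which trace_of returns None is direct evidence that the diagram does not conform.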
4 An example: Fischer's protocol
We illustrate the use of PDTs on Fischer's well-known real-time protocol for ensuring mutual exclusion between two processes [5,15]. Figure 2 shows the structure of process 1 (the other process is symmetrical): $k$ is a shared variable accessed by both processes, whereas $c_1$ is a local clock of the process.
Intuitively, the protocol behaves as follows: in the first phase each process tries to register its process identification in the shared variable $k$. In the second phase each process tests whether its identity is still registered in $k$ after a predefined lapse of time and then enters the critical section. The purpose of the protocol is to ensure that there is never more than one process in the critical section, expressed by the LTL formula $\Box\neg(\mathit{at}\,l_{3,1} \wedge \mathit{at}\,l_{3,2})$.
Figure 3 gives a PDT for Fischer's protocol, which can be shown to conform to the XTG by discharging the conditions of Theorem 3.3. As an example, we consider the possible transitions of process 1 from the node marked (*) in the PDT of Fig. 3 with corresponding control locations $l_{2,1}$ and $l_{3,2}$. For the XTG transition from $l_{2,1}$ to $l_{0,1}$, we find that the right neighbor node in the PDT activates the corresponding locations, and we obtain the proof obligation
$$k = 2 \wedge k \neq 1 \wedge k' = k \wedge c_1' = c_1 \wedge c_2' = c_2 \;\Rightarrow\; k' = 2$$
which obviously holds. The other possible transition of process 1 in the XTG corresponds to a move to the critical section (location $l_{3,1}$). Because no matching node is reachable in the predicate diagram, the proof obligation becomes
$$k = 2 \wedge k = 1 \wedge c_1 \ge 2 \wedge k' = k \wedge c_1' = c_1 \wedge c_2' = c_2 \;\Rightarrow\; \mathit{false}$$
which holds because the left-hand side is contradictory. Effectively, we demonstrate that process 1 cannot enter when process 2 is already inside its critical section. The remaining proof obligations are similar. (Observe that the PDT of Fig. 3 contains no time-passing edges other than the self-loops, which we do not show explicitly according to our convention.)

Fig. 3. A PDT for Fischer's protocol (cf. Fig. 2). The nodes of the diagram, as read off the figure (location pair; predicate label):
  〈$l_{0,1}, l_{0,2}$; $k = 0$〉
  〈$l_{1,1}, l_{0,2}$; $k = 0$, $c_1 \le 1$〉
  〈$l_{1,1}, l_{1,2}$; $k = 0$, $c_1 \le 1$, $c_2 \le 1$〉
  〈$l_{0,1}, l_{1,2}$; $k = 0$, $c_2 \le 1$〉
  〈$l_{2,1}, l_{1,2}$; $k = 1$, $c_2 \le 1$, $c_1 \le c_2$〉
  〈$l_{1,1}, l_{2,2}$; $k = 2$, $c_1 \le 1$, $c_2 \le c_1$〉
  〈$l_{2,1}, l_{0,2}$; $k = 1$〉
  〈$l_{0,1}, l_{2,2}$; $k = 2$〉
  〈$l_{2,1}, l_{2,2}$; $k = 1$〉
  〈$l_{2,1}, l_{2,2}$; $k = 2$〉
  〈$l_{3,1}, l_{2,2}$; $k = 1$〉
  〈$l_{2,1}, l_{3,2}$; $k = 2$〉 (marked (*))
  〈$l_{0,1}, l_{3,2}$; $k = 2$〉
  〈$l_{0,1}, l_{2,2}$; $k = 0$〉
  〈$l_{2,1}, l_{0,2}$; $k = 0$〉
  〈$l_{1,1}, l_{2,2}$; $k = 0$, $c_1 \le 1$〉
  〈$l_{2,1}, l_{1,2}$; $k = 0$, $c_2 \le 1$〉
  〈$l_{3,1}, l_{0,2}$; $k = 1$〉
All edges of the diagram are discrete (solid) edges; the only time-passing edges are the implicit self-loops.

Because no node of the PDT corresponds to both processes being in their critical sections, we conclude that Fischer's protocol ensures mutual exclusion. The verification is supported by the dixit toolkit [10]. Centered around a graphical editor for drawing a predicate diagram, proof obligations for proving conformance can be generated, LTL properties can be verified by model checking, and counter-examples can be visualized. For our example, dixit reports that the diagram satisfies mutual exclusion. While dixit generates the proof obligations for establishing conformance, it does not yet contain a theorem proving component.
5 Discussion and Future Work
In this paper, we have proposed the format of predicate diagrams for timed systems (PDT) as a notation to represent Boolean abstractions of real-time systems. This format is a variant of predicate diagrams for discrete systems [8,9], in particular by distinguishing discrete and time-passing transitions. We have also established a set of proof obligations for proving conformance between an XTG model of a timed system and a PDT.
In this sense, PDTs constitute an interface between verification techniques based on deduction and model checking. Basically, the idea is that only a finite set of equivalence classes of system configurations need be distinguished for the proof of a given LTL property. Predicates are interpreted during the conformance proof, whereas they are considered as atomic propositions during model checking. The format of predicate diagrams is supported by the dixit toolkit, and we have demonstrated its use via Fischer's mutual-exclusion protocol for two processes.
It is well known that Fischer's two-process protocol can be verified by real-time model checking, and it can be argued that PDTs here simply recast standard representations used for symbolic model checking in a format based on predicates. However, these same techniques extend to systems with unbounded or even infinite state spaces (apart from the infinity due to real time) where model checking alone is no longer sufficient. For example, an $n$-process version of Fischer's protocol could be represented as a relatively straightforward generalization of the two-process PDT shown in Fig. 3.
We consider this work as a first step towards the application of Boolean abstractions in the verification of real-time systems. One of the current limitations lies in the fact that we abstract from the precise amount of time that may elapse in a time-passing transition. Thus, we cannot easily verify quantitative properties, such as upper bounds on global response times, although properties that mention individual clocks can be verified. We intend to study two possible solutions to this problem, either by using a timed temporal logic (TLTL) or by introducing auxiliary clocks during verification, as suggested by Henzinger et al. [12] and by Tripakis [20]. This would in particular allow us to take advantage of model checking tools for real-time systems such as Uppaal [7] or PMC [18].
Besides, we aim at reducing the number of verification conditions that users have to discharge with the help of a theorem prover in order to establish conformance. In fact, we consider the proof obligations of Theorem 3.3 mainly as a litmus test to establish the conditions that a PDT should satisfy, and we observe that most of them are quite trivial for typical examples. It will be interesting to restrict attention to specific classes of systems that give rise to decidable proof obligations.
We also intend to study techniques of abstract interpretation for the construction of PDTs, given an XTG and a set of predicates of interest. Preliminary work on combining tools for abstract interpretation and state space exploration has been reported in [14], but more experience will be necessary in order to identify adequate abstractions for real-time systems. Although a PDT obtained by abstract interpretation is unlikely to already satisfy the desired correctness properties, it can then be refined, either by user intervention or by algorithmic abstraction refinement guided by counter-examples. This would significantly raise the degree of automation possible in the verification of complex real-time systems.
References
[1] R. Alur and D. Dill. Automata for modeling real-time systems. In Proceedings of the 17th International Colloquium on Automata, Languages and Programming, volume 443 of Lecture Notes in Computer Science, pages 322–335. Springer-Verlag, 1990.
[2] R. Alur and D. Dill. The theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
[3] M. Ammerlaan, R. Lutje Spelberg, and W.J. Toetenel. XTG – an engineering approach to modelling and analysis of real-time systems. In Proceedings of the 10th Euromicro Workshop on Real-Time Systems, pages 88–97. IEEE Press, 1998.
[4] T. Amnell et al. Uppaal: Now, next, and future. In F. Cassez et al., editors, Modeling and Verification of Parallel Processes, volume 2067 of Lecture Notes in Computer Science, pages 99–124. Springer-Verlag, Berlin, 2001.
[5] E. Asarin, M. Bozga, A. Kerbrat, O. Maler, A. Pnueli, and A. Rasse. Data-structures for the verification of timed automata. In Proceedings of the 1st International Workshop on Hybrid and Real-Time Systems, volume 1201 of Lecture Notes in Computer Science, pages 346–360. Springer-Verlag, 1997.
[6] T. Ball and S.K. Rajamani. The SLAM project: Debugging system software via static analysis. In Principles of Programming Languages (POPL 2002), pages 1–3, 2002.
[7] J. Bengtsson, K. Larsen, F. Larsson, P. Pettersson, and Wang Yi. UPPAAL – a tool suite for automatic verification of real-time systems. In Hybrid Systems III, volume 1066 of Lecture Notes in Computer Science, pages 232–243. Springer-Verlag, 1995.
[8] D. Cansell, D. Méry, and S. Merz. Predicate diagrams for the verification of reactive systems. In Proceedings of the 2nd International Conference on Integrated Formal Methods, volume 1945 of Lecture Notes in Computer Science. Springer-Verlag, 2000.
[9] D. Cansell, D. Méry, and S. Merz. Diagram refinements for the design of reactive systems. Journal of Universal Computer Science, 7(2):159–174, 2001.
[10] L. Fejoz, D. Méry, and S. Merz. Dixit: a graphical toolkit for predicate abstractions. In R. Bharadwaj and S. Mukhopadhyay, editors, Intl. Workshop Automatic Verification of Infinite-State Systems (AVIS 2005), pages 39–48. LFCS, Univ. of Edinburgh, 2005. See also http://www.loria.fr/equipes/mosel/dixit.
[11] S. Graf and H. Saïdi. Construction of abstract state graphs with PVS. In Proceedings of the 9th International Conference on Computer Aided Verification, CAV'97, volume 1254 of Lecture Notes in Computer Science, pages 72–83. Springer-Verlag, 1997.
[12] T.A. Henzinger and O. Kupferman. From quantity to quality. In Proceedings of the 1st International Workshop on Hybrid and Real-Time Systems, volume 1201 of Lecture Notes in Computer Science. Springer-Verlag, 1997.
[13] T.A. Henzinger, R. Jhala, R. Majumdar, and K. McMillan. Abstractions from proofs. In 31st Annual Symposium on Principles of Programming Languages (POPL 2004). ACM Press, 2004.
[14] E.-Y. Kang. Parametric analysis of real-time embedded systems with abstract approximation interpretation. In 26th International Conference on Software Engineering, 2004.
[15] K.J. Kristoffersen, F. Laroussinie, K.G. Larsen, P. Pettersson, and W. Yi. A compositional proof of a real-time mutual exclusion protocol. Technical report, BRICS, Aalborg University, Denmark, 1996.
[16] R.F. Lutje Spelberg, W.J. Toetenel, and M. Ammerlaan. Partition refinement in real-time model checking. In Proceedings of the 5th International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 1486 of Lecture Notes in Computer Science, pages 143–157. Springer-Verlag, 1998.
[17] R. Milner. Communication and Concurrency. Prentice Hall International, 1989.
[18] R.F. Lutje Spelberg and W.J. Toetenel. Parametric real-time model checking using splitting trees. Nordic Journal of Computing, 8:88–120, 2001.
[19] R. Lutje Spelberg. Model Checking Real-Time Systems Based on Partition Refinement. PhD thesis, Delft University, 2004.
[20] S. Tripakis. The Formal Analysis of Timed Systems in Practice. PhD thesis, Université Joseph Fourier, Grenoble, 1998.
[21] Y. Kesten and A. Pnueli. Modularization and abstraction: The keys to practical formal verification. In Proceedings of the 23rd International Symposium on Mathematical Foundations of Computer Science, volume 1450 of Lecture Notes in Computer Science, pages 54–71. Springer-Verlag, 1998.
[22] S. Yovine. Kronos: A verification tool for real-time systems. Springer International Journal of Software Tools for Technology Transfer, 1997.