Modelling and Analysis of Real-Time Coordination Patterns by Kemper, S. (Stephanie)
Modelling and Analysis of
Real-Time Coordination Patterns
Stephanie Kemper

Modelling and Analysis of
Real-Time Coordination Patterns
Proefschrift
ter verkrijging van
de graad van Doctor aan de Universiteit Leiden
op gezag van Rector Magnificus prof. mr. P.F. van der Heijden,
volgens besluit van het College voor Promoties
te verdedigen op dinsdag 20 december 2011
klokke 11:15 uur
door
Stephanie Kemper
geboren te Bremerhaven, Duitsland, in 1979
Promotiecommissie
Promotoren: Prof. Dr. F.S. de Boer Universiteit Leiden
Prof. Dr. F. Arbab Universiteit Leiden
Overige Leden: Prof. C. Baier Technische Universita¨t Dresden
Dr. E.P. de Vink Technische Universiteit Eindhoven
Prof. Dr. J.N. Kok Universiteit Leiden
Prof. Dr. J.J.M.M Rutten Radboud Universiteit Nijmegen
Dr. M. Bonsangue Universiteit Leiden
Dr. A. Silva Radboud Universiteit Nijmegen
The work in this thesis has been carried out at the Centrum Wiskunde & Infor-
matica (CWI), and under the auspices of the research school IPA (Institute for
Programming research and Algorithmics). The research was partially funded by the
Netherlands Organisation for Scientific Research (NWO) under the BRICKS project
(Basic Research in Informatics for Creating the Knowledge Society).
Copyright ©2011 by Stephanie Kemper
Cover design by Nils Kemper.
Printed and published by Boxpress BV ||Proefschriftmaken.nl
ISBN: 978-90-8891-360-0
IPA Dissertation Series 2011-24
Contents
Contents i
1 Introduction 1
1.1 Contents and Structure of this Thesis . . . . . . . . . . . . . . . . . . 2
1.2 Origin of Material and Main Contributions . . . . . . . . . . . . . . . 4
2 System Models 7
2.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.1 Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.2 Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.1 Syntax of Timed Automata . . . . . . . . . . . . . . . . . . . 12
2.2.2 Semantics of Timed Automata . . . . . . . . . . . . . . . . . . 13
2.2.3 Systems of Timed Automata . . . . . . . . . . . . . . . . . . . 15
2.2.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3 Timed Constraint Automata . . . . . . . . . . . . . . . . . . . . . . . 18
2.3.1 Syntax of Timed Constraint Automata . . . . . . . . . . . . . 19
2.3.2 Semantics of Timed Constraint Automata . . . . . . . . . . . 22
2.3.3 Systems of Timed Constraint Automata . . . . . . . . . . . . 24
2.3.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4 Timed Network Automata . . . . . . . . . . . . . . . . . . . . . . . . 28
2.4.1 Syntax of Timed Network Automata . . . . . . . . . . . . . . 29
2.4.2 Semantics of Timed Network Automata . . . . . . . . . . . . . 32
2.4.3 Systems of Timed Network Automata . . . . . . . . . . . . . . 33
2.4.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3 SAT-based Verification 43
3.1 Formula Representation . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.1.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.1.2 Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.1.3 Timed Constraint Automata . . . . . . . . . . . . . . . . . . . 49
i
ii CONTENTS
3.1.4 Timed Network Automata . . . . . . . . . . . . . . . . . . . . 53
3.2 Bounded Model Checking . . . . . . . . . . . . . . . . . . . . . . . . 57
3.2.1 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.2.2 Unfolding for BMC . . . . . . . . . . . . . . . . . . . . . . . . 58
3.2.3 BMC of Properties . . . . . . . . . . . . . . . . . . . . . . . . 59
3.2.4 Completeness of BMC . . . . . . . . . . . . . . . . . . . . . . 59
3.2.5 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.3.1 Occurrence of Actions on Transitions of TA . . . . . . . . . . 61
3.3.2 Choice of Variable Types . . . . . . . . . . . . . . . . . . . . . 61
3.3.3 Temporal Difference Encoding of Clocks . . . . . . . . . . . . 62
3.3.4 Linear Boolean Encoding of Finite Sets . . . . . . . . . . . . . 63
3.3.5 Encoding of Transitions . . . . . . . . . . . . . . . . . . . . . 64
3.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4 Abstraction Refinement 67
4.1 Abstraction by Merging Omission . . . . . . . . . . . . . . . . . . . . 68
4.2 Concretisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.3 Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.3.1 Craig Interpolants . . . . . . . . . . . . . . . . . . . . . . . . 75
4.3.2 Expressiveness of Interpolants . . . . . . . . . . . . . . . . . . 77
4.3.3 Sequential Formula Order for ϕ(S) . . . . . . . . . . . . . . . 79
4.4 Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.4.1 Ruling Out a Counterexample Trace . . . . . . . . . . . . . . 81
4.4.2 Refining a Previously Abstracted Parameter . . . . . . . . . . 82
4.4.3 Refinement Heuristics . . . . . . . . . . . . . . . . . . . . . . 83
4.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
5 Tool Development and Application to Case Studies 87
5.1 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.1.1 The Extensible Automata framework in ECT . . . . . . . . . 88
5.1.2 The Timed Constraint Automaton Plugin . . . . . . . . . . . 91
5.1.3 From TCA to Formulas . . . . . . . . . . . . . . . . . . . . . . 92
5.1.4 Abstraction Refinement . . . . . . . . . . . . . . . . . . . . . 95
5.2 Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2.1 Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.2.2 Formula Generation . . . . . . . . . . . . . . . . . . . . . . . 100
5.2.3 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.3 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.3.1 Alternating Bit Protocol . . . . . . . . . . . . . . . . . . . . . 104
5.3.2 Lip-Synchronisation Protocol . . . . . . . . . . . . . . . . . . 108
5.3.3 Advantages of using TCA . . . . . . . . . . . . . . . . . . . . 120
6 Conclusions 123
6.1 Future Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
A Proofs 127
CONTENTS iii
A.1 Correctness of Representation . . . . . . . . . . . . . . . . . . . . . . 127
A.2 Correctness of Abstraction . . . . . . . . . . . . . . . . . . . . . . . . 136
Abstract 149
Samenvatting 151
Curriculum Vitae 153
Index 155
Bibliography 159

Chapter 1
Introduction
Embedded software systems are nowadays found everywhere: in smartphones, in
cars and aeroplanes, even in coffee machines. Naturally, with an increased number
of software systems comes an increased number of observable system failures. While
for some systems, a system failure is not dangerous at all but merely annoying—for
example, if no coffee can be prepared—failure of other systems has safety critical or
even life threatening consequences—for example, an airbag failure or an aeroplane
crash. For this reason, it is important to verify that the system works correctly and
safely before it is being put into operation.
Verification of such systems is a difficult task by itself already, but two features
of present-day software systems complicate this task even more. First, due to the
increasing size of software systems, they are developed in a modular, component-
based way, such that the final system can be distributed over several (logical and/or
physical) locations. Second, to be able to truthfully express real-life situations, and
to specify lower and upper safety bounds on the occurrence of events—to ensure
that things happen at the right moment—systems involve handling of real-time. We
now look at these two aspects in a little more detail.
Component-based software engineering and system design amounts to construct-
ing large systems by composing individual components. That is, (typically at begin-
ning of the design phase) the behaviour of the system to be developed is split into
logical units, each encapsulating a certain behaviour or aspect of the system. These
units can then be developed in parallel and independently of each other. In the
end, the final system is obtained by composing these individual components. Nat-
urally, the correctness and safety of concurrent systems developed in this way not
only depends on the correctness and safety of the individual components, but also
(even more) on correct inter-component communication actions: even if the compo-
nents are correct—that means, they correctly implement the intended behaviour of
the respective logical unit—the final system cannot work as intended if the compo-
nents exchange inappropriate information or communicate with the wrong partner.
For example, consider an aeroplane controller that intends to request the status of
1
2 CHAPTER 1. INTRODUCTION
the fuel level sensor, but instead communicates with the cabin pressure sensor. In
case the cabin pressure is fine, but the fuel level is low, this wrong connection of
communication partners can have lethal consequences.
Another problem arises from the fact that when designing a new system, not
all components are/need to be developed from scratch. Instead, component-based
software engineering allows for reusing components from other systems, and for
simple or recurring tasks, even off-the-shelf components exist. Unfortunately, such
reused components are often only available as black boxes. As a consequence, to
correctly interlink the components, component connectors are required that provide
exogenous coordination, i.e., coordination from without [Arb98]. As such, these
component connectors require true concurrency in time, which combines synchrony
and asynchrony, to express complex coordination patterns.
The major advantages of the component-based approach are the possibility to
develop the system parts in parallel and deal with larger systems (scalability), and
the increased flexibility to exchange or modify components of the system, without
having to modify or even inform/touch the other components (modularity). The
major challenge for the verification of component-based systems is to adapt and
scale the verification techniques to large and distributed systems.
To guarantee correct behaviour of the system, in addition to the above, the
communication between components not only needs to happen correctly with respect
to exchanged information and involved components, but equally important needs to
happen at the right time. For example, a warning message indicating a low fuel level
is useless if it is displayed only after the fuel tank is completely empty. Yet, “at the
right time” does typically not mean “as fast as possible”, but involves both upper
and lower time bounds. For example, an airbag must not deploy immediately, but
with the correct delay (a couple of milliseconds), to properly slow down the forward
movement of the occupant at the right moment.
To develop component-based real-time systems which are correct—that means,
behave as expected—and safe—that means, nothing bad can ever happen—essential-
ly two things are needed. First, a formal model to describe the system components.
This formal model should be powerful enough to faithfully describe all aspects of
the system, and yet simple enough to allow being used in industrial practice by
non-experts in formal methods . Second, formal methods are needed to analyse the
system model before it is being put into operation, and to verify that it satisfies
certain requirements.
In this thesis, we aim at solving the problem described above. To this end, we
present formal models to specify real-time coordination patterns, and define formal
methods to analyse and verify these formal models, as well as formalisms to further
increase the manageable system size. We present our tool implementation featuring
a graphical editor, that supports users in the development and design process.
1.1 Contents and Structure of this Thesis
The contents of this thesis are structured as follows.
1.1. CONTENTS AND STRUCTURE OF THIS THESIS 3
Chapter 2 (System Models) We start with the formal models. In this Chapter,
we define a series of three automata-based system models. We start with the (among
the three) simplest model of Timed Automata [AD94, Alu99], followed by Timed
Constraint Automata [ABdBR07, Kem11] and Timed Network Automata [Kem10].
The formal models are presented based on increasing modelling power with respect to
communication. For each model, we discuss advantages and disadvantages, including
for example what kind of constraints on (inter-component) communication can be
imposed with the respective model, and what kind of constraints cannot be imposed.
Moreover, for each of the formal models, we define a formal semantics, and present
the product construction needed to compose larger systems.
Chapter 3 (SAT-based Verification) In this Chapter, we show how to use for-
mal methods to analyse and verify properties of the system models from Chapter 2.
We start by defining a translation into propositional logic with linear arithmetic
for each of the system models. This formula representation allows to apply well-
established model checkers to examine the systems and verify certain properties.
In particular, we show how to apply the technique of Bounded Model Checking
[CBRZ01, BCC+03] to our representation, show how to express certain common-
type properties, and we discuss correctness and completeness issues for Bounded
Model Checking. In the end of Chapter 3, we provide an in-depth discussion about
other possible translations, what influence these (would) have on the efficiency of
verification, and in this way motivate and justify our design decisions.
Chapter 4 (Abstraction Refinement) In this Chapter, we adapt the principles
of Abstraction Refinement [CGJ+03, HJMM04], such that they can be used in com-
bination with the formal methods presented in Chapter 3. These techniques allow
to increase the size of systems to be analysed, by removing system parts which are
considered irrelevant for the current examination or property under test. In par-
ticular, we consider a variant of Counterexample Guided Abstraction Refinement
[CGJ+03], where information from so-called spurious counterexamples (counterex-
amples to the property under test that only exist in the reduced system) is used to
identify the reason why verification has failed. Such information is extracted from
spurious counterexamples with the help of Craig interpolants [Cra57]. We briefly
refresh the principles of Craig interpolants, show what kind of information can be
obtained from these, how to modify the input to maximise the information, and in
the end of the Chapter present techniques to prevent the spurious counterexample
from happening again.
Chapter 5 (Tool Development and Application to Case Studies) The the-
oretical results obtained in this thesis have been implemented and integrated into an
existing tool suit for component-based systems. Chapter 5 is devoted to tool devel-
opment. We start by presenting the details of our implementation in the context of
the existing tool suite. We then show how to actually use the tool, by giving a little
workflow example, which can also be seen as a “getting started” tutorial. Finally,
we show the applicability and performance of our approach and tool on two small
case studies.
4 CHAPTER 1. INTRODUCTION
Chapter 6 (Conclusions) In this Chapter, we wrap up the results, and discuss
some directions for future research.
Appendix In the Appendix, we give correctness results for the formula represen-
tation presented in Chapter 3, and the abstraction function presented in Chapter 4.
1.2 Origin of Material and Main Contributions
Some parts of the research presented in this thesis have been published previously,
or have been included here for completeness. Other parts contain new, original
research which has not been presented elsewhere. We now give an overview for each
of the Chapters, and sum up the main contributions.
Chapter 2 (System Models)
Timed Automata have first been introduced in [AD94, Alu99]. Since they come in
many different variants (most of them with only subtle differences), in Section 2.2
we have outlined the exact nature of Timed Automata that we use in this thesis,
without changing the formal model itself.
In Section 2.3, we extend the formal model of Timed Constraint Automata from
[ABdBR07] (which has also been used in [Kem11]) with location memory. Loca-
tion memory for (Untimed) Constraint Automata [ABRS04] has been defined in
[PSHA09], but this is the first work on defining a formal syntax (including a prod-
uct construction) and semantics for the combination of Constraint Automata with
time and data. The new Timed Constraint Automaton model is an extension of the
model in [ABdBR07] and therefore extends the set of coordination patterns that can
be expressed, in that coordination patterns can not only reason about data values
received in the current step, but also about data values received in previous steps.
Timed Constraint Automata can—to a certain extend—be seen as an extension of
Timed Automata [AD94, Alu99] with data.
In Section 2.4, we extend the formal model of Timed Network Automata, as
presented in [Kem10], with memory cells and concrete data values, and define a
formal syntax and semantics. In particular, we define a product construction that
uses data variables to preserve information about data values contained in memory
cells. Timed Network Automata were inspired by the three-colouring idea for Reo
networks [CCA07], but lift the idea of considering environmental constraints to the
automaton level. Since the extended Timed Network Automata defined in this thesis
features the same concepts for data handling as Timed Constraint Automata (that
is, ports and memory cells), they can be seen as an extension of Timed Constraint
Automata with environmental constraints.
Summarising, this Chapter contains the following main contributions:
Contribution 1: memory cell extension of Timed Constraint Automata, with cor-
responding product construction and formal semantics
Contribution 2: definition of Timed Network Automata, with formal syntax, se-
mantics and product construction
1.2. ORIGIN OF MATERIAL AND MAIN CONTRIBUTIONS 5
extension of the basic Timed Network Automaton model with memory cells
and data-awareness, with corresponding formal syntax, semantics and product
construction
Chapter 3 (SAT-based Verification)
The formula representation of Timed Automata presented in Section 3.1.2 has been
published in [KP07]. Subsequent to the extensions of Timed Constraint Automata
in Section 2.3 and Timed Network Automata in Section 2.4, in Sections 3.1.3 and
3.1.4 we extend the formula representations (in propositional logic with linear arith-
metic) of Timed Constraint Automata (presented in [Kem11]) and Timed Network
Automata (presented in [Kem10]) accordingly. After that, we discuss completeness
issues of Bounded Model Checking in Section 3.2, which have only been briefly
sketched in [Kem11], and extend the correctness proof to the extended representa-
tion (note that the actual proofs are contained in the appendix). Finally, we give
an in-depth discussion about the quality of the representation with respect to speed
of verification, which has not been published before.
Summarising, this Chapter contains the following main contributions:
Contribution 1: application of SAT-based verification in the process of compo-
nent-based software engineering and to formal models of component-based
software
Contribution 2: adaptation of the formula representation of Timed Constraint
Automata and Timed Network Automata to the extended models of Chapter 2
Contribution 3: in-depth discussion of the quality of representation, including ad-
vantages and disadvantages of different translation options
Chapter 4 (Abstraction Refinement)
The abstraction function we present in Section 4.1 is essentially equivalent to the
abstraction function presented in [Kem11], but we show that it works uniformly
for both Timed Automata and Timed Constraint Automata, and that correctness
is preserved for both formal models (again, the actual proof is contained in the
appendix).
We restate the principles of Craig interpolation [Cra57] for the sake of com-
pleteness. After that, we provide a detailed discussion about the expressiveness of
interpolants, the possibilities to influence expressiveness, and refinement options and
heuristics, all of which has only been briefly and vaguely sketched in [KP07, Kem11].
Summarising, this Chapter contains the following main contributions:
Contribution 1: application of abstraction refinement in the process of compo-
nent-based software engineering and to formal models of component-based
software
Contribution 2: generalisation of the abstraction function and correctness results
6 CHAPTER 1. INTRODUCTION
Contribution 3: in-depth discussion of interpolation and refinement, to provide a
deep understanding of the underlying mechanisms
Chapter 5 (Tool Development and Application to Case
Studies)
We present the implementation that, in the context of this thesis, has been developed
as part of the Extensible Coordination Tools [ECT],1 a tool suit for component-based
systems. In Section 5.1, we present the details of the implementation in a comprehen-
sible way, which makes it easy to understand the overall structure and functioning,
and provides the basis for future extensions of the tool. Section 5.2 demonstrates
the applicability of the approach, by giving a workflow example/“getting started”
tutorial. We finish with two little case studies.
Apart from Section 5.1.1 (which provides the overall context for the description
of our implementation) and Section 5.3.1 (which has been published as part of
[Kem11]), all results presented in this Chapter describe original work that has not
been published before.
This Chapter contains the following main contribution:
Contribution: extensive tool-support for modelling and analysis of real-time coor-
dination patterns implemented with Timed Constraint Automata
1See http://reo.project.cwi.nl/
Chapter 2
System Models
When designing real-time systems, one—if not the—major design decision is the
choice of time domain. In [AD94], the authors phrased this problem as finding the
answer to the question “What is the nature of time?”.
Reasoning on a discrete time scale allows time values in the domain of natural
numbers N, that means events can happen at equidistant points in time, or multiples
thereof. Reasoning on a continuous (or dense) time scale allows time values in the
domain of real numbers R≥0, that means events can happen at any positive (to
express that time “starts at 0” and does not “run backwards”) real-valued point
in time. While discrete time is very close to physical hardware implementation of
real-time systems (for example, a discrete time step can be taken with every trailing
edge), continuous time is a more realistic approach, in that events do not always
happen at integer-valued times, even if the base value for “one time unit” is small.
To use a discrete time scale, the occurrence times of events would either have to
be restricted to integer values, or be approximated with the “closest” integer value.
The former is unrealistic, the latter comprises a serious information loss with respect
to sequential order and (a)synchrony of events. Therefore, in this thesis, we choose
continuous time as the time domain Time of real-time systems, that means,
Time = R≥0.
In the remainder of this chapter, we introduce the state-based system models that
we use to model real-time systems. We begin by introducing some general notions
of real-time systems in Section 2.1. In subsequent Sections, we introduce Timed
Automata (TA, Section 2.2), Timed Constraint Automata (TCA, Section 2.3), and
Timed Network Automata (TNA, Section 2.4). We conclude each Section with a
discussion about the advantages and disadvantages of the respective system model.
We conclude the Chapter in Section 2.5 with a clear identification of the parts that
represent original work in this thesis, and parts that are based on previous results.
7
8 CHAPTER 2. SYSTEM MODELS
2.1 Preliminaries
In this section, we introduce some general notions and concepts for modelling real-
time systems.
Notation 2.1.1 (Operator Precedence). To reduce the number of parenthesis,
we establish the following precedence rules. Among logical operators, ¬ has a higher
precedence than {∧,∨}, which have a higher precedence than {→,↔}. Among
arithmetical operators, - (unary minus) has a higher precedence than {+,−} (binary
minus), which have a higher precedence than {<,≤,=,≥, >}.
For operators with the same precedence, we may still have to add parenthesis,
for example, we need to make clear whether a∧b∨c means (a∧b)∨c or a∧(b∨c). We
do not need to define precedence rules between arithmetical and logical operators
though, since it is clear from the context which variables or constants the operators
bind to. For example, for integer variables x1, x2, x3, x4, it is clear that x1=x2∧x3≥x4
means (x1=x2)∧(x3≥x4).
2.1.1 Time
As explained above, we work with a dense time domain Time=R≥0. To measure the
passage of time, each model of a real-time systems is equipped with a finite set of
real-valued clocks X . All clocks evolve with the same slope 1 (they all “run with
the same speed”), i.e., after d time units have passed, the value of each clock has
advanced by d. Components of the system may be associated with clock constraints,
which restrict the behaviour of the system. The syntax of clock constraints is defined
as follows
Definition 2.1.2 (Clock Constraint). Let X be a finite set of real-valued vari-
ables, called clocks. Clock constraints cc∈CC(X ) over X are defined as follows:
cc ::= true | x∼c | x−y∼c | cc1 ∧ cc2,
with x, y∈X , c∈Z, and ∼ ∈{<,≤,=,≥, >}
We write X|cc⊆X to denote the set of clocks that occur in a clock constraint cc.
Remark 2.1.3 (Time Domain in Clock Constraints). Though clocks are real-
valued, we need to restrict the domain of constants in clock constraints, in order
to obtain/preserve decidability results (cf. [AD94]). For example, with real-valued
constants, reachability would become undecidable.
To preserve decidability results, it would be enough to restrict the domain to
Q (rational numbers) though. Yet, for simplicity, we further restrict it to integer
numbers. This does not reduce expressiveness (with respect to rational numbers):
if clock constraints involve rational constants, we can multiply all constants by the
least common multiple of their denominators to obtain clock constraints with integer
constants only.
2.1. PRELIMINARIES 9
The validity (“semantics”) of clock constraints is evaluated under a certain val-
uation of the clock variables.
Definition 2.1.4 (Clock Valuation). Let X be a finite set of clocks, X⊆X , x∈X
and t∈Time. A clock valuation ν∈V(X ) over X is a mapping ν:X→Time, assigning
to each clock x∈X an element from the time domain Time, its current value. The
restriction ν|X of ν from X to X is a valuation that agrees with ν on clocks x∈X,
and is undefined otherwise, that means ν|X(x)=ν(x) iff x∈X, and ν|X(x)=undefined
otherwise.
We may write V if X is clear from the context.
We use |= for the standard satisfaction relation on clock constraints. For example,
ν|=(x∼c) iff ν(x)∼c, ∼∈{<,≤,=,≥, >}.
To model the semantics of real-time systems, we need the following operations
on valuations.
Definition 2.1.5 (Timeshift, Update). Let X be a finite set of clocks, x, y∈X ,
t∈Time and ν∈V(X ).
The timeshift operation ν+t (or simply timeshift) increases (with respect to ν)
the values of all clocks simultaneously by the same amount of time t, that means,
(ν+t)(x)=ν(x)+t for all x∈X .
An update map λ∈Λ(X ) over X [AM04] is a mapping λ:X→(X∪N). The update
operation ν[λ] (or simply update) modifies the values of clocks under valuation ν, by
either setting them to the value of another clock or to a natural number, according
to the update map λ (λ is the identity for clocks not meant to be modified). That
is, ν[λ](x)=ν(y) iff λ(x)=y,1 and ν[λ](x)=n iff λ(x)=n∈N.
We do not allow negation on clock constraints (cf. [Alu99, AM04]), which results
in clock constraints being convex.
Remark 2.1.6 (Convexity of Clock Constraints). Clock constraints defined ac-
cording to Definition 2.1.2 are convex under timeshift and update (Definition 2.1.5),
for any clock valuation ν∈V(X ) (Definition 2.1.4).
Intuitively, convexity of clock constraints means that if the value of a clock
satisfies the same clock constraint under two different valuations, then it also satisfies
the clock constraint for all valuations “in between”. Formally: for a clock constraint
cc and two valuations ν and ν ′ over clock x∈X |cc, such that ν(x)<ν ′(x), if ν|=cc
and ν ′|=cc, then ν ′′|=cc for all ν ′′ with ν(x)<ν ′′(x)<ν ′(x).
Convexity of clock constraints is an important property used for efficient repre-
sentation (and verification) of real-time systems in Chapter 3.
Note that we do not impose any semantic constraints on clock constraints. For
example, they may “overlap” on a clock, like (x≤4)∧(x≥3). Yet, due to convexity,
this simply reduces the number of satisfying valuations.
1In case of an update λ(x)=y, λ(y)=n, the equation ν[λ](x)=ν(y) ensures that x is assigned
the value of y before y is updated.
10 CHAPTER 2. SYSTEM MODELS
2.1.2 Data
Communication in real-time systems may involve exchange of data values. We as-
sume a global (possibly infinite but) countable data domain Data, with a special
element ⊥∈Data representing “no data”, which we use in Chapter 3 to explicitly
represent absence of data. Real-time systems use a finite set of ports P , through
which they exchange data values with the environment. Further, they can make
use of a finite set of data variables D. The intended idea is that ports are used to
exchange data values with the environment, while data variables are used to store
and exchange data values within the real-time system.
To restrict the admissible data values to be exchanged, components of real-time
systems may be associated with data constraints. These restrict the behaviour of
the system, by reasoning about the data values exchanged through ports, or stored
in data variables. The syntax of data constraints is defined as follows.
Definition 2.1.7 (Data Constraint). Let P be a finite, nonempty set of ports,
D a finite, nonempty set of data variables, Data a data domain. Data constraints
dc∈DC(P∪D) over P and D are defined as
dc ::= true | d=d′ | dc1∧dc2 | ¬dc, with d,d′∈P∪D∪Data
If there exists a total order 6 on Data\⊥, we also allow data constraints of the form
dc ::= d6d′, with d,d′∈P∪D∪Data\⊥
If on top of 6 there exists an operation + (addition) on Data\⊥,2 we also allow data
constraints of the form
dc ::= D∼D′, with ∼ ∈{=,6}, and
D ::= d | D1+D2 | (D1−D2), with d,d′∈P∪D∪Data\⊥
We write D|dc⊆D to denote the set of data variables that occur in a data con-
straint dc. Equivalently, P|dc⊆P denotes the set of ports that occur in dc, and
Data|dc⊆Data denotes the set of data values that occur in dc.
We may write DC(P ,D) instead of DC(P∪D), and we use DC(P) as a shorthand
for DC(P , ∅), equivalently we use DC(D) as a shorthand for DC(∅,D).
Other data constraints, like for example p∈A (for some set A⊆Data), dc1∨dc2,
or dc1→dc2, are defined as abbreviations (“syntactic sugar”) in the standard way.
The validity (“semantics”) of data constraints is evaluated under a certain data
assignment. Data assignments describe the data values which are pending at ports,
or stored in data variables.
2Formally, + is required to be an operation such that (Data\⊥,+) is an abelian group, i.e.
a group which satisfies the abelian group axioms (1) closure, (2) associativity, (3) existence of
identity element, (4) existence of inverse element, and (5) commutativity. As usual, the operation
“−” (negation) is a shorthand for addition of the inverse.
2.2. TIMED AUTOMATA 11
Definition 2.1.8 (Data Assignment). Let P and D be as in Definition 2.1.7, and
Data a data domain. A data assignment δ∈DA(P∪D) over P and D is a mapping
δ:(P∪D)→Data, assigning to each port p∈P the data value which is currently pend-
ing at p, and to each data variable d∈D the data value which is currently contained
in d.
If δ(p)=⊥ (“no dataflow through p”), p is called inactive. Otherwise, p is called
active. If δ(d)=⊥, d is called empty.
The restriction δ|A of δ from (P∪D) to any subset A⊆P∪D is a data assignment
that agrees with δ on elements a∈A, and is undefined otherwise.
We may write DA(P ,D) instead of DA(P∪D), and we use DA(P) as a shorthand
for DA(P , ∅), equivalently we use DA(D) as a shorthand for DA(∅,D).
Definition 2.1.7 allows for trivial data constraints involving only data constants
(i.e., elements from Data), for example d1=d2, with d1, d2∈Data. Since the validity
of such data constraints does not depend on a specific data assignment δ, they can
be evaluated statically (to either true or false
def
=¬true). Therefore, we assume
that every data constraint involves at least one port or one data variable. We use |=
for the standard satisfaction relation of data assignments on data constraints. For
example, δ|=(p=q) iff δ(p)=δ(q), and δ|=(p6q) iff δ(p)6δ(q).
Remark 2.1.9 (Use of ⊥ in Data Constraints). Notice that we only allow the
special value ⊥ in simple data constraints of the form (d=d′). The idea is that a
data constraint (p=⊥), with p∈P , represents a “check” whether port p is inactive.
Equivalently, a data constraint (d=⊥), with d∈D, represents a check whether data
variable d is empty.
We do not allow ⊥ to be used in combination with 6, since it is not clear how to
define the result of such a comparison. One possible solution would be to define ⊥ as
supremum or infimum of Data; yet, the constraints involving ⊥ could be simplified
to true or false in this case. Apart from that, many countably infinite sets have
neither a supremum nor an infimum (take for example Z), and actually we do not
consider a comparisons of the form (d6⊥), with d∈Data, useful at all.
A similar argumentation holds for the use of ⊥ in combination with +.
2.2 Timed Automata
In this section, we present the first and most basic system model for modelling
real-time systems: Timed Automata.
Timed Automata (TA) were introduced in the seminal paper of Alur and Dill
in 1994 [AD94], and have been studied intensively since. TA are finite automata,
extended with real-valued clock variables, that can measure the passing of time.
Their behaviour consists of a sequence of events (or actions) happening over time.
Conceptually, this is represented by an infinite sequence of events, which is paired
with an infinite sequence of time instants, with the intended meaning that a specific
events takes place at the specific time.
12 CHAPTER 2. SYSTEM MODELS
To model this behaviour, TA comprise two kinds of events: visible (external)
and invisible (internal) events. The former are used for synchronisation with other
automata, while the latter are used for internal activities of a single automaton,
independent from others.
The underlying idea is that transitions (location changes) are instantaneous, time
may only elapse while the automaton remains in one of its locations. The firing of
transitions, and the dwell time in locations, are restricted by constraints on the
clocks—called clock guards and clock invariants, respectively—which the current
clock values have to satisfy. That means, a TA is only allowed to fire a transition
if the associated clock guard is satisfied, and is only allowed to stay in a location
as long as the associated clock invariant is satisfied. In addition, transitions may
update the values of (a subset of the) clocks to a natural number or to the value of
another clock [AM04].
In the literature, many slightly different variants of TA can be found. Our defi-
nitions are essentially based on [AD94]. Please refer to Section 2.2.4 for a discussion
of other variants.
2.2.1 Syntax of Timed Automata
Each transition of a TA is labelled with a distinct event, which captures “what
is being performed” when the transition is fired. In this work, we distinguish be-
tween two types of events: visible (external) and invisible (internal) actions, cf.
[BK08, KP07, AM04]. The former are used to synchronise with other automata
when considering systems of TA, while the latter are used for internal steps of a
single automaton, independent from other automata. Since internal actions can be
regarded as “being of no further interest” [BK08], they are commonly denoted by
the single distinguished action symbol τ . We denote the set of visible events of a
TA by Σv, and the set of all events (visible and invisible) by Σ, i.e., Σ=Σv∪˙τ . For
a discussion of other possibilities to define the set of admissible events, please refer
to Section 2.2.3.
Recalling Definitions 2.1.2, 2.1.4 and 2.1.5, we define the syntax of TA as follows.
Definition 2.2.1 (Timed Automaton). A TA is a tuple A=(S, s0,Σ,X , I, E),
with S a finite set of locations, s0∈S the initial location, Σ a finite set of visible
events, X a finite set of real-valued clocks, I:S→CC(X ) a function assigning a clock
constraint (location invariant) to every location, and E⊆(S×Σ×CC(X )×Λ(X )×S)
the finite set of transitions.
The idea of transitions of TA is as follows: an element e=(s, a, cc, λ, s′)∈E de-
scribes a transition from the source location s to the target location s′ on occurrence
(“execution”) of action a. The firing of the transition is restricted by the (clock)
guard cc, and updates clocks according to the update map λ. For every such tran-
sition, we require cc to be satisfiable. If a∈Σv, we call e an external (or visible)
transition, otherwise (i.e., if a=τ), e is called internal (or invisible).
2.2. TIMED AUTOMATA 13
Example 2.2.2 (Timed Automaton). Two examples for TA are given in Figures
2.1 and 2.2. The TA in Figure 2.1 models an “intelligent light switch”: it consists
of three locations off , light and bright , representing the corresponding states of the
light, and a clock x. In the initial location (marked by the incoming arrow), the
light is off. If the switch is pressed (modelled by action press), the light turns on
(location light), and the clock x is reset to measure the temporal difference to the
next press action. If the switch is pressed again before the value of x reaches 3
(modelled by the guard x≤3), the light becomes bright, otherwise (i.e., if the value
of x is greater than 3, modelled by the guard x>3), it switches off again.
The automaton in Figure 2.2 shows a “user” of the light switch. The automaton
consists of a single location and a clock y. The location has an invariant y≤4, which
forces the automaton to leave the location after having delayed there for at most 4
time units. Together with the guard y≥2 and the update y:=0 on the transition,
this models a user which executes the press action every 2 to 4 time units.
off light bright
press
x:=0
press
x≤3
press , x>3
press
Figure 2.1: Intelligent Light Controller
user
y≤4 press
y≥2, y:=0
Figure 2.2: User pressing
the Light Switch
In the graphical representation of TA, we use assignment rather than functional
notation for the updates, and we omit guards and invariants equal to true as well
as identity updates of the form λ(x)=x.
Notation 2.2.3 (TA). If not stated otherwise, we shall assume the constituents of
a TA A to be denoted as A=(S, s0,Σ,X , I, E), and of a TA Ai to be denoted as
Ai=(Si, s0,i,Σi,Xi, Ii, Ei), for i∈N.
By CC(X )|A, we denote the set of clock constraints (over clock set X ) that occur
in a TA A (invariants or guards).
2.2.2 Semantics of Timed Automata
As mentioned above, the idea of TA is that transitions are instantaneous, time only
elapses while the automaton remains in one of its locations. The semantics of a TA
A is defined as the set of runs of the associated labelled transition system (LTS) SA,
cf. for example [BK08].
Definition 2.2.4 (Associated Labelled Transition System). Let A be a TA.
The associated LTS SA is a tuple SA=(Q, q0,→), with Q⊆(S×V(X )) the set of
configurations, such that ν|=I(s) for every (s, ν)∈Q, q0=〈s0,0〉 the initial configura-
tion, with 0(x)=0 for all x∈X , and the transition relation → ⊆(Q×(Time∪Σ)×Q)
is given in (2.1) and (2.2).
14 CHAPTER 2. SYSTEM MODELS
(s, a, cc, λ, s′)∈E,
ν|=cc, ν[λ]|=I(s′)
〈s, ν〉 a−→〈s′, ν[λ]〉 (2.1)
s∈S, t∈Time, t>0,
∀t′, t≥t′≥0 : ν+t′|=I(s)
〈s, ν〉 t−→〈s, ν+t〉 (2.2)
A run of SA (starting in configuration q) is an infinite sequence of transitions
q0
a0−→q1 a1−→ . . ., with ai∈(Σ∪Time) for all i>0. A run is called initial if it starts in the
initial configuration q0, it is called loop-free if all configurations are different.
Rule (2.1) describes an action transition (with action a) of SA, based on a
transition e∈E of A. The valuation ν of the source configuration 〈s, ν〉 needs to
satisfy (“enable”) the clock guard cc, and the updated valuation ν[λ] after the
execution of the transition needs to satisfy the invariant of location s′ (otherwise,
the automaton could not enter location s′). On execution of the transition, the
values of the clocks of A are updated according to the update map λ. Rule (2.2)
describes a delay transition (in location s) of SA: the invariant I(s) of the location
needs to be satisfied at all times (for all t′), and the clock values of all clocks increase
by the same amount of time t.
Definition 2.2.5 (Semantics of Timed Automata). Let A be a TA, SA the
associated LTS as defined in Definition 2.2.4. The trace semantics of A is given by
the set RunA of initial runs of SA. With RunA,k, we denote the set of finite prefixes
of elements of RunA of (at most) length k.
Note that we do not require clock guards of outgoing transitions of a location to
be complete, i.e., cover every possible valuation. This may lead to so-called timelocks
[Tri99]: consider a location with invariant x≤3 and a single outgoing transition with
clock guard x≤2. The location cannot be left once ν(x)>2, and as soon as ν(x)=3,
from a theoretical point of view, time is not allowed to progress anymore, since the
automaton is neither allowed stay in the location nor allowed to leave it. However,
using the above definitions, such behaviour is excluded from the semantics.
Example 2.2.6 (Run of a Timed Automaton). In (2.3), we show a run of the
intelligent light switch from Figure 2.1 of length 10.
〈off , x=0〉 2−→〈off , x=2〉 press−−→〈light , x=0〉 2.5−→〈light , x=2.5〉 press−−→
〈bright , x=2.5〉 1−→〈bright , x=3.5〉 press−−→〈off , x=3.5〉 press−−→
〈light , x=0〉 6−→〈light , x=6〉 3−→〈light , x=9〉 press−−→〈off , x=9〉 (2.3)
Convexity of clock constraints (cf. Remark 2.1.6) gives rise to the following
property for sequences of delay transitions, cf. [Alu99].
Remark 2.2.7 (Time-Additivity). For two consecutive delay transitions in a run,
time-additivity holds. That means, for a TA A and associated LTS SA=(Q, q0,→),
with configurations q1, q2, q3∈Q, and t1, t2∈Time, if q1 t1−→q2∈ → and q2 t2−→q3∈ →, then
also q1
t1+t2−−−→q3∈ →.
2.2. TIMED AUTOMATA 15
2.2.3 Systems of Timed Automata
In this section, we present a product construction for TA which is compositional,
and therefore allows to build complex and/or distributed systems by first designing
the individual components separately, and then combining them with the product
operation.
The intended idea of a system of TA is that the automata work in parallel, while
synchronising via transitions labelled with the same event. In this work, we assume
TA to perform joint broadcast synchronisation on visible events (cf. [Alu99]). That
means, if some visible event a occurs, every automaton Ai in the system, with a∈Σi
(“knowing about a”) must execute a transition labelled with a, while an automaton
Ai with a6∈Σi performs a zero-delay step (“nothing”). If, instead, event τ occurs,
automata may decide to either execute a transition labelled with τ or do a zero-
delay step. Delay steps with delay t>0 have to be executed synchronously by all
automata. The product automaton for two TA A1 and A2 is defined as follows.
Definition 2.2.8 (Product of TA). Let A1, A2 be TA, with X1∩X2=S1∩S2=∅ (can
be achieved by renaming the constituents in one of the TA). The product of A1 and
A2 is a new TA A1./A2=(S, s0,Σ,X , I, E), with S=S1×S2, s0=(s0,1, s0,2), Σ=Σ1∪Σ2,
X=X1∪X2, I:S1×S2→CC(X ) such that for s=(s1, s2)∈S, I(s)=I(s1)∧I(s2), and E
is defined in (2.4) and (2.5), and the symmetric rule of the latter.
(s1, a, cc1, λ1, s
′
1)∈E1,
(s2, a, cc2, λ2, s
′
2)∈E2,
((s1, s2), a, cc1∧cc2, λ1◦λ2, (s′1, s′2))
(2.4)
(s1, a, cc1, λ1, s
′
1)∈E1,
(a6∈Σ2) or (a=τ), s2∈S2
((s1, s2), a, cc1, λ1, (s′1, s2))
(2.5)
Rule (2.4) describes synchronisation, that means the automata execute a tran-
sition labelled with the same event (note that this can be a visible event as well as
the internal action τ) in parallel. The resulting transition in the product involves a
location change in both underlying TA, the transition is guarded by the combined
guard cc1∧cc2, and clocks are updated according to the combined update maps
λ1◦λ2. Note that since X1∩X2=∅, we have λ1◦λ2=λ2◦λ1, see also Proposition 2.2.9.
Rule (2.5) describes the execution of a local transition (visible or invisible) in one of
the TA, while the other automaton remains in its current location.
Proposition 2.2.9 (Product of TA). The product of TA is commutative and
associative, up to isomorphy of location names.
Proof.
1. Commutativity follows from the commutativity of ∧ on clock constraints, and
the commutativity of ◦ (function composition) on update maps over disjoint
clock sets.
2. Associativity follows from the associativity of ∧ on clock constraints, and the
associativity of ◦ on update maps over disjoint clock sets.
16 CHAPTER 2. SYSTEM MODELS
Example 2.2.10 (Product of TA). An example for the product construction can
be found in Figure 2.3. The automaton shows the product TA for the intelligent
light switch and user, as presented in Example 2.2.2.
off , user
y≤4
light , user
y≤4
bright , user
y≤4
press , y≥2,
x:=0, y:=0
press , x≤3,
y≥2, y:=0
press , x>3,y≥2, y:=0
press , y≥2, y:=0
Figure 2.3: Product of Light Switch and User
The semantics of a system of two TA A1 and A2 (with X1∩X2=∅ and S1∩S2=∅,
as required in Definition 2.2.8) is defined as the semantics (Definition 2.2.5) of the
corresponding product automaton A1./A2 (Definition 2.2.8), i.e., the set of runs of
the associated LTS SA1./A2 (Definition 2.2.4). In (2.6), we show a run of the product
automaton from Figure 2.3 of length 9.
〈(off , user), x=0y=0 〉 2−→〈(off , user), x=2y=2 〉 press−−→〈(light , user), x=0y=0 〉 2.5−→
〈(light , user), x=2.5y=2.5 〉 press−−→〈(bright , user), x=2.5y=0 〉 1−→
〈(bright , user), x=3.5y=1 〉 press−−→〈(off , user), x=3.5y=0 〉 press−−→〈(light , user), x=0y=0 〉 4−→
〈(light , user), x=4y=4 〉 press−−→〈(off , user), x=4y=0 〉 (2.6)
Remark 2.2.11 (Size of the Product). The product automaton is exponential
in the size of the underlying TA in the worst case. Therefore, for model check-
ing/verification, we provide a technique to avoid the explicit construction of the
exponential cross product in Section 3.1.2.
2.2.4 Discussion
TA were introduced a long time ago, and are by now well-studied. As a result,
TA have been extended and adapted in many ways and for many purposes, like for
example Timed Automata with Deadlines [BS00, GS05], Task Automata [FKPY07],
or Probabilistic Timed Automata [Bea03, KNSS02]. Yet, even for the “basic” ver-
sion of TA, slightly different variants of how to define them can be found in the
literature, each of which has advantages and disadvantages. We now discuss the
major distinctions, and motivate our design decisions.
2.2.4.1 Internal Actions
The original work [AD94, Alu99] did not consider internal actions, but only consid-
ered visible actions in the set of admissible events. As a consequence, every transition
of a TA could synchronise with a transition in another TA, if a transition labelled
2.2. TIMED AUTOMATA 17
with the same event was enabled. In this work, in addition to visible events, we also
allow for invisible internal actions. We consider this more realistic: typically, the
behaviour of a real-time system not only depends on the environment (modelled by
synchronisation via visible actions), but also on internal state changes, which cannot
be influenced by other TA in any way. Consider for example a deadline expiration,
after which the behaviour of the system changes.
It has been shown in [AM04] that internal actions add to the expressive power of
TA, i.e., a TA with internal actions is more expressive than a TA without internal
actions. As an example, consider the TA in Figure 2.4. The automaton consists of
a single location s , a clock x, and can synchronise with other automata via action
a. The automaton requires all actions to occur at integer times, and no two actions
occur at the same time: both transitions become enabled exactly one time unit after
the system started, modelled by the guard x=1. At this time, the invariant x≤1
forces the automaton to leave location s , by performing either of the transitions. If
no synchronisation via action a (left transition) is possible, the automaton executes
the internal action τ (right transition). Both transitions reset clock x to zero, such
that the automaton can reenter location s after the execution of the transition.
s
x≤1a,x=1,x:=0 τ ,x=1,x:=0
Figure 2.4: Use of Invisible Transitions
This behaviour cannot be modelled with a TA which does not allow for τ -
transitions (cf. [AM04]): if the largest constant occurring in guards and invariants
was c,3 the TA could not distinguish between occurrences of action a which happen
at times c+1 and c+1.1 (after the start of the computation).
2.2.4.2 Synchronisation
Within systems of TA, we assume joint broadcast synchronisation (cf. Section 2.2.3),
that means, on occurrence of a visible event a, all TA “knowing about” a have to
synchronise on this event. In particular, there is no restriction on how many au-
tomata can participate in a single synchronisation, the number is determined only
by the fact whether a is contained in the event set of an automaton. Another pos-
sibility of defining synchronisation (which is closer to the approach taken in process
algebras) is to assume the synchronisation to be binary : under this assumption, ex-
actly two automata synchronise, i.e., execute a transition labelled with some event
a in parallel. If more than two automata are ready to synchronise on a, the choice
which pair—i.e., which two automata—executes the synchronisation transitions is
made nondeterministically.
The expressiveness of these two ways of modelling synchronisation is the same.
We have chosen for joint broadcast synchronisation, since we consider this closer
3Such largest constant always exists, since both the set of locations as well as the set of
transitions of TA are finite, cf. Definition 2.2.1
18 CHAPTER 2. SYSTEM MODELS
to the nature of component-based systems. The ideas of modelling each approach
with the respective other can roughly be sketched as follows: using TA with joint
broadcast synchronisation to model binary synchronisation is straightforward, by
using each action in exactly two automata only. Using TA with binary synchroni-
sation to model joint broadcast synchronisation uses the fact that transitions are
instantaneous, therefore, multiple transitions (all labelled with the same action) can
take place at the same time instant.
2.2.4.3 Input- and Output Actions
A special case of binary synchronisation is the distinction between input and out-
put actions. While we consider two types of actions (visible/external and invisi-
ble/internal), some authors prefer to further divide the set of visible actions into
input and output actions, cf. for example [BDL04]. Usually, input and output
actions are used to distinguish between actions that are controlled by the TA, and
actions that are controlled by the environment. Since we do not make this distinction
here, we regard two types of actions (external and internal) to be sufficient.
2.2.4.4 Clock Constraints and Updates
In the original work presented in [AD94, Alu99], so-called diagonal clock constraints
of the form x−y∼c (i.e., involving clock differences, cf. Definition 2.1.2) were not
allowed. However, it has been shown by Alur and Madhusudan [AM04] that adding
these constraints does not add to the expressive power of TA. Therefore, we allow
diagonal clock constraints, since they may be used for more concise modelling.
Moreover, [AD94, Alu99] only allowed transitions to reset a (sub)set of clocks to
zero. It has been shown in [AM04] that this restriction can be relaxed in favour of
more general update maps, without adding to the expressiveness. We follow their
approach and use the update maps presented in [AM04], cf. Definition 2.1.5.
In contrast to [AD94], but following [Alu99], we do not allow negation in clock
constraints, cf. Definition 2.1.2. This is done to obtain convex clock constraints
(cf. Remark 2.1.6), which are used for efficient representation in Chapter 3. Yet,
non-convex clock constraints can be simulated by splitting locations (for non-convex
invariants) and transitions (for non-convex guards).
These considerations on clock constraints and update maps directly carry over
to TCA (Section 2.3) and TNA (Section 2.4).
2.3 Timed Constraint Automata
In this section, we define the second system model for modelling real-time systems:
Timed Constraint Automata (TCA). TCA [ABdBR07, Kem11] arise from combin-
ing the concepts of constraint automata [ABRS04] (CA) and timed automata (TA,
Section 2.2). CA were originally defined as a semantical model for the channel-based
coordination language Reo [Arb04], and consequently, TCA were intended to serve
as a semantical model of a timed variant of Reo. Yet, TCA offer a powerful co-
ordination mechanism for channel-based coordination languages in general. They
2.3. TIMED CONSTRAINT AUTOMATA 19
are specially tailored for implementing coordinating connectors in networks where
timed components communicate by exchanging data through multiple channels. The
behaviour of the network is given by synchronisation between channel ends (ports).
For this, TCA allow for two types of transitions: internal (invisible) location
changes caused by some timing constraints, and external (visible) transitions repre-
senting data flow at some of the ports. Transitions in TCA are labelled with sets
of actions (ports). The underlying general idea is that all actions which happen at
the same time (i.e., atomically) collapse into a single transition. As a consequence,
a positive amount of time elapses before every visible transitions.
The major conceptual difference to TA and other action-based coordination mod-
els, like e.g. finite state machines, or timed I/O automata [KLSV03a, KLSV03b],
is thus the “non-instantaneous” handling of transitions. While in TA, every tran-
sition can be fired immediately (provided that the guard is satisfied), TCA require
a positive delay before every visible transition. Moreover, TA permit only a single
action per transition, such that synchrony—and concurrent execution in the parallel
composition—of different actions is reduced to arbitrary interleavings plus nonde-
terminism. This is unintuitive, since it imposes a sequential order on actions which
conceptually happen at the same time. Moreover, from a technical point of view,
the presence of all possible interleavings amplifies the state explosion problem. TCA
permit true concurrency, as they directly model truly atomic synchronous commu-
nication through different ports.
2.3.1 Syntax of Timed Constraint Automata
The syntactic concepts for handling real-time (i.e., clocks, guards, invariants), as
defined in the previous section, directly carry over from TA to TCA. For handling
data values, each TCA is equipped with a finite set of ports, through which it ex-
changes data values with other TCA. Transition of TCA are labelled with a subset
of these ports, with the intended meaning that data flows through these ports (the
ports are active) when the transition is fired. Transitions can be labelled with a
data constraint (cf. Definition 2.1.7), restricting the admissible data values flowing
through the active ports. In addition, the coordination pattern implemented by a
TCA may depend on data values which have been exchanged before (i.e., through
ports that were active in previous steps). To keep track of this, we extend the basic
definition of TCA, presented in [Kem11], with location memory, cf. also [PSHA09]:
each TCA is equipped with a finite set of data variables, which can be used by loca-
tions to store data values, cf. Section 2.1.2. We call these data variables associated
to locations memory cells.4
The underlying idea is that memory cells enable the current location to store
data values. The same memory cell can be used by both source and target location
of the same transition, in this case, its contents carry over unchanged, unless they
are updated by the transition. The contents of memory cells which are used by the
source locations but not by the target location are discarded, i.e., unused memory
4In the remainder of this Section, we may use the terms memory cell and data variable inter-
changeably.
20 CHAPTER 2. SYSTEM MODELS
cells are empty by definition. Consequently, data constraints on transitions may
only refer to memory cells used by the source or target location.
Recalling Definitions 2.1.2, 2.1.4, 2.1.5, 2.1.7 and 2.1.8, TCA are defined as fol-
lows.
Definition 2.3.1 (Timed Constraint Automaton). A TCA over data domain
Data is a tuple T=(S, s0,P ,X , I,D,#, E), with S a finite set of locations, s0∈S the
initial location, P a finite set of ports, X a finite set of clocks, I:S→CC(X ) a function
assigning a clock constraint (location invariant) to every location, D a finite set of
data variables, called memory cells, #:S→2D a function assigning to each location
the set of memory cells it may use, and E⊆(S×2P×DC(P ,D)×CC(X )×Λ(X )×S)
the finite set of transitions.
For every element e=(s, P, dc, cc, λ, s′)∈E, we require that the data guard dc
only reasons about active ports, and only about memory cells of the source location
s and the target location s′, i.e., dc∈DC(P,#(s)∪#(s′)). We require both dc and cc
(clock guard) to be satisfiable. If P=∅, transition e is called invisible, otherwise, it
is called visible.
The idea of invisible transitions is that they do not represent observable data flow:
the port set P is empty, so no ports are active. The data constraint dc of an invisible
transition may thus only reason about memory cells, i.e., dc∈DC(∅,#(s)∪#(s′)).
In this way, invisible transitions only serve for internal synchronisation purposes, for
example by changing to another location, or updating clocks. Visible transitions,
on the other hand, correspond to observable behaviour: on location change from s
to s′, data flows through all ports in the port set P . After the TCA has delayed
in location s for a positive amount of time,5 during which the invariant I(s) of s
needs to be satisfied, it executes the transition and moves to location s′, provided
that the data values pending at the active ports (in P ) and contained in memory
cells of the source location s satisfy the data guard dc, and the clock values satisfy
the clock guard cc and the invariant I(s′) of the target location s′. The firing of the
transition, i.e., the location change from s to s′, is considered to be instantaneous.
On execution of the transition, all clocks are updated according to the update map λ.
These informally described timing constraints will be made explicit in the definition
of semantics (Definition 2.3.6).
Remark 2.3.2 (Use of Memory Cells). We do not impose any restrictions on
the set of memory cells used by locations. In particular, the same memory cell m
may be used by both source and target location of a transition. This may lead to
an ambiguous data constraint dc in case dc reasons about m. Yet, such behaviour
is necessary for example when it comes to product definition (cf. Definition 2.3.9).
To avoid ambiguities, we indicate in the data constraint to which location a memory
cell m belongs, i.e., whether the occurrence of m refers to its value before or after the
execution of the transition. We add to m the prefix “s.” if it refers to the value used
5As explained in the beginning of the section, the general idea of TCA is that all data flow
actions which happen at the same time atomically collapse to a single transition, therefor, every
such transition is preceded by a positive time delay.
2.3. TIMED CONSTRAINT AUTOMATA 21
by the source location, and the prefix “t.” if it refers to the value used by the target
location. For example, instead of (m=d1)∧(m=d2) (which would obviously evaluate
to false), we write (s.m=d1)∧(t.m=d2). Any data assignment δ will consider s.m
and t.m to be different elements.
Our definition allows to leave the value of a memory cell m used by the target
location unspecified, i.e., neither does the source location use m, nor does m occur
in the data constraint. In this case, we assume m to take a random value.
While unused memory cells are empty be definition (cf. the intuition at the be-
ginning of this section, and also Definition 2.3.5), we may explicitly require memory
cells used by the current location to be empty as well, using data constraints of the
form (m=⊥) (cf. Definition 2.1.7).
Example 2.3.3 (Timed Constraint Automaton). An example for a TCA is
given in Figure 2.5. It models a FIFO buffer with capacity 1 and expiration: the
buffer consists of two locations empty and full , uses clock x to measure the time
until the data expires, and two ports p and q for exchanging data values. The full
location has an associated memory cell m, which is denoted [m] in the graphical
representation. In the initial location, the buffer is empty. On receiving a data
value through port p, the TCA moves to location full , updates (resets) clock x to
0, and stores the data value in the location memory of full , indicated by the data
guard p=t .m. Since we do not impose any further data constraints, this means that
any value can be received through p. If data flow through port q is possible before
3 time units have elapsed (clock guard x<3), the TCA sends the data item from the
memory cell through port q, and moves to back to the initial location. If data flow
through q is not possible, at time 3, the invariant of location full forces the TCA to
leave that location, and execute the invisible transition back to the initial location.
No data is transmitted, which models “loosing” the stored data item.
empty
full
x≤3
[m]
{p}, p=t.m, x:=0
{q}, q=s.m, x<3
x=3
Figure 2.5: 1-bounded FIFO Buffer with Expiration
Notation 2.3.4 (TCA). If not stated otherwise, we shall assume the constituents
of a TCA T to be denoted as T=(S, s0,P ,X , I,D,#, E), and of a TCA Ti to be
denoted as Ti=(Si, s0,i,Pi,Xi, Ii,Di,#i, Ei), for i∈N. We lift # to reason about sets
of locations, and we may omit curly braces: #(s, s′) def= #(s)∪#(s′).
By CC(X )|T, we denote the set of clock constraints (over clock set X ) that occur
in a TCA T (invariants or guards). Equivalently, by DC(P ,D)|T, we denote the set
of data constraints over port set P and memory cells D that occur in a TCA T.
22 CHAPTER 2. SYSTEM MODELS
As for TA, in the graphical notation of TCA, we use assignment rather than
functional notation for updates, and we omit guards and invariants equal to true,
as well as identity updates. We denote a set of memory cells {m1, . . . ,mn} associated
to a location as a bracketed list [m1, . . . ,mn].
2.3.2 Semantics of Timed Constraint Automata
TCA model true concurrency, by allowing sets of ports on each transition. As a
consequence, a positive amount of time has to elapse before every visible transition
(while invisible transitions may be instantaneous). The underlying idea is that all
actions which happen at the same time are truly atomic and thus collapse to a single
transition. The semantics of a TCA T is defined as the set of runs of the associated
labelled transition system (LTS) ST.
Definition 2.3.5 (Associated LTS). Let T be a TCA. The associated LTS ST is
a tuple ST=(Q, q0,→), with Q⊆(S×DA(D)×V(X )) the set of configurations, where
for every (s, δ, ν)∈Q, δ∈DA(D), with δ(m)=⊥ if m6∈#(s), and ν|=I(s). The initial
configuration is q0=〈s0,0,0〉, with 0(x)=0 for all x∈X and 0(m)=⊥ for all m∈#(s0).
The transition relation→ ⊆(Q×2P×DA(P ,D)×Time×Q) is given in (2.7) and (2.8).
(s, P, dc, cc, λ, s′)∈E
t>0, t≥t′≥0 : ν+t′|=I(s), ν+t|=cc, (ν+t)[λ]|=I(s′)
δ¯∈DA(P ,D) : δ¯|=dc
δ¯(s.m)=
{
δ(m), if m∈#(s)
⊥, otherwise
δ¯(t.m)=δ(m) if m∈#(s),m∈#(s′), t.m6∈D|dc
δ¯(m)=⊥ if m∈D\#(s, s′),
δ¯(p)=⊥ iff p∈P\P,
δ′(m)=δ¯(t.m) for all m∈#(s′)
〈s, δ, ν〉 P,δ¯,t−−→〈s′, δ′, ν+t[λ]〉
(2.7)
(s, ∅, dc, cc, λ, s′)∈E
ν|=cc, ν[λ]|=I(s′)
δ¯∈DA(P ,D) : δ¯|=dc
δ¯(s.m)=
{
δ(m), if m∈#(s)
⊥, otherwise
δ¯(t.m)=δ(m) if m∈#(s),m∈#(s′), t.m6∈D|dc
δ¯(m)=⊥ if m∈D\#(s, s′),
δ¯(p)=⊥ iff p∈P ,
δ′(m)=δ¯(t.m) for all m∈#(s′)
〈s, δ, ν〉 ∅,δ¯,0−−→〈s′, δ′, ν[λ]〉
(2.8)
2.3. TIMED CONSTRAINT AUTOMATA 23
A run of ST (starting in configuration q) is a sequence of transitions q
P,δ,t−−→q1 P ′,δ′,t′−−−→ . . .
which is either time divergent (i.e. infinite, and t+t′+ . . .=∞) or finite and ends
in a terminal configuration 〈s, δ, ν〉 (i.e. without outgoing transitions, allowing for
infinite passage of time: ∀t>0:ν+t|=I(s)). A run is called initial if it starts in the
initial configuration q0, it is called loop-free if all configurations are different.
Rule (2.7) captures the constraints described after Definition 2.3.1, for both
visible and invisible transitions: before the transition can be fired, a positive amount
of time (t>0) has to elapse, during which the invariant I(s) needs to be satisfied
at all times.6 At time t, the transition is fired, and updates all clocks according to
the update map λ, provided that the clock guard cc is satisfied before the resetting
of clocks, and the invariant of the target location is satisfied (after the time delay
and) after the resetting of clocks (all second row). The data values have to satisfy
the data guard (third row), the values of memory cells before the execution of the
transition remain unchanged if used by the source location s, otherwise, they are
empty (fourth row). The values of memory cells which are used in both source and
target location carry over to s′ if they are not modified in the data constraint (fifth
row). Note that if a memory cell is not used in the target location, its value t.m
after the execution of the transition is unspecified, cf. also Remark 2.3.2. All other
memory cells are empty (sixth row), data is only pending at active ports (seventh
row), and the data assignment on the transition determines the data values of the
memory cells of the target location (eighth row).
Rule (2.8) captures the fact that invisible transitions may be instantaneous; it
can be seen as a simplification of (2.7) for P=∅ and t=0. Note that data may not
be pending at any port (seventh row), yet data constraints of invisible transitions
may still reason about memory cells of the involved locations, for example to copy
values from one memory cell to another, or to model data loss.
As mentioned in Remark 2.3.2, memory cells which are used by the target loca-
tion, but are neither used by the source location nor occur in the data constraint,
can take a random value. As can be seen from the fifth rows in (2.7) and (2.8),
we do not impose any constraints on the values (t.m) of these memory cells, which
indeed allows δ¯ to assign a random (up to the fact that δ¯|=dc has to hold) value to
them.
Definition 2.3.6 (Semantics of Timed Constraint Automata). Let T be a
TCA, ST the associated LTS as defined in Definition 2.3.5. The trace semantics of
T is given by the set RunT of initial runs of ST. With RunT,k, we denote the set of
finite prefixes of elements of RunT of (at most) length k.
Note that as for TA, we do not require clock guards to be complete, nor do we
require this for data guards, cf. Page 14.
Example 2.3.7 (Run of a Timed Constraint Automaton). In (2.9), we show
a run of the 1-bounded FIFO buffer from Figure 2.5 of length 4.
6Due to convexity, these constraints can be relaxed in the representation, since it is enough to
check the invariant at the beginning and at the end of the time delay.
24 CHAPTER 2. SYSTEM MODELS
〈empty ,⊥, x=0〉 {p},
p=2
t.m=2
,4
−−−−−−−→〈full ,m=2, x=0〉
{q}, q=2
s.m=2
,2.5
−−−−−−−−→
〈empty ,⊥, x=2.5〉 {p},
p=5
t.m=5
,10
−−−−−−−→〈full ,m=5, x=0〉 ∅,⊥,3−−→
〈empty ,⊥, x=3〉 (2.9)
Here, we omit data assignments on transitions which evaluate to ⊥, and we abuse
the single symbol ⊥ to denote the data assignment assigning ⊥ to all elements.
Remark 2.3.8 (Maximal Progress). The semantics of TCA, as defined above,
requires maximal progress with respect to active ports : on execution of a (visible)
transition, data is pending on all active ports, and on none of the non-active ports,
ensured by the constraints δ¯(p)=⊥ iff p∈P\P in (2.7) and δ¯(p)=⊥ iff p∈P in (2.8).
For example, if data is pending at ports p and q, and two transitions with port
sets {p} and {p, q}, respectively, are ready to fire, then only the latter transition is
enabled.
2.3.3 Systems of Timed Constraint Automata
In this section, we present a compositional product construction for TCA, which
allows to easily build complex connectors by composing simpler ones. We also
present a hiding operation on ports, which allows to hide ports on which two (or
more) TCA synchronise from the environment. The idea is that the ports become
“internal” to the new (composed) connector.
The idea of TCA synchronisation is as follows: within a system of TCA, two
automata synchronise (communicate, exchange data values) if the port sets of the
involved transitions coincide on common ports. Invisible transitions, and local visible
transitions (i.e., transitions involving ports known to only one automaton) can be
executed independently of other automata. This gives rise to the following definition.
Definition 2.3.9 (Product of TCA). Let T1, T2 be TCA over Data1 and Data2, re-
spectively, with X1∩X2=∅, D1∩D2=∅, and S1∩S2=∅ (can be achieved by renaming
the constituents in one of the TCA). The product of T1 and T2 is a new TCA
T1./T2=(S, s0,P ,X , I,D,#, E) over data domain Data1∪Data2, with S=S1×S2,
s0=(s0,1,s0,2), P=P1∪P2, X=X1∪X2, I:S→CC(X1,X2), with I(s)=I1(s1)∧I2(s2) for
s=(s1, s2)∈S, D=D1∪D2, #:S→2D, with #((s1, s2))=#1(s1)∪#2(s2), and E is de-
fined in (2.10) and (2.11), and the symmetric rule of the latter.
(s1, P1, dc1, cc1, λ1, s
′
1)∈E1
(s2, P2, dc2, cc2, λ2, s
′
2)∈E2
P1∩P2 = P2∩P1, P1 6=∅, P2 6=∅, dc1∧dc2 6=false
((s1, s2), P1∪P2, dc1∧dc2, cc1∧cc2, λ1◦λ2, (s′1, s′2))∈E
(2.10)
(s1, P1, dc1, cc1, λ1, s
′
1)∈E1, P1∩P2 = ∅, s2∈S2
((s1, s2), P1, dc1, cc1, λ1, (s′1, s2))∈E
, (2.11)
2.3. TIMED CONSTRAINT AUTOMATA 25
Rule (2.10) captures the synchronisation of visible transitions: the nonempty
port sets have to coincide on common ports, i.e. data flows through the same set
of shared ports on both transitions. The case where P1∩P2=P2∩P1=∅ (i.e., the set
of shared ports is empty) represents a system step where each automaton performs
a local visible transition (concurrent execution of independent actions). Rule (2.11)
describes the execution of a local transition (visible or invisible) in one automaton,
while the other automaton remains in its current location (is idle). The semantics of
TCA, in particular the fifth and sixth row of (2.7), ensures that the values stored in
memory cells of the idle automaton correctly carry over to the next location. Note
that in case such a local transition is preceded by a time delay, the idle automaton
actually performs a delay transition.
Example 2.3.10 (Product of TCA). An example for the product construction
can be found in Figure 2.7: it shows the product TCA of two instances of the 1-
bounded FIFO buffer (cf. Example 2.3.3), as show in Figures 2.5 and 2.6 (the two
instances are identical except for renaming). The resulting TCA models a FIFO
buffer with capacity 2, where each of the buffer cells has its own expiration timer
(clocks x and x′, respectively). The buffer accepts data through port p, and releases
it through port r. The synchronisation on port q models the step where the data
from the first buffer cell is transferred to the second buffer cell.
For readability, we have abbreviated the location names in Figure 2.7 with e, e′,
f and f ′, for empty , empty ′, full and full ′, respectively.
empty ′
full ′
x′≤3
[m ′]
{q}, q=t.m′, x′:=0
{r}, r=s.m′, x′<3
x=3
Figure 2.6: 1-bounded FIFO Buffer with Expiration, Second Instance
Proposition 2.3.11 (Product of TCA). The product of TCA is commutative and
associative, up to isomorphy of location names.
Proof.
1. Commutativity follows from the commutativity of ∪ on port sets, the commu-
tativity of ◦ on update maps over disjoint clock sets, and the commutativity
of ∧ on data and clock constraints.
2. Associativity follows from the associativity of ∪ on port sets, the associativ-
ity of ◦ on update maps over disjoint clock sets, the associativity of ∧ on
data and clock constraints, and the fact that for Pi⊆Pi, i=1, 2, 3, if we have
P2∩P3=P3∩P2, P1∩(P2∪P3)=P1∩(P2∪P3) and P1∩P2=P2∩P1, then holds
P3∩(P1∪P2)=P3∩(P1∪P2).
26 CHAPTER 2. SYSTEM MODELS
e,e ′
f ,e ′,
x≤3,
[m]
e,f ′,
x′≤3,
[m ′]
f ,f ′,
x≤3∧x′≤3,
[m,m ′]
{p}, p=t.m
x:=0
x=3
{q},
q=s.m∧
q=t.m′,
x<3,
x′:=0
{r}, r=
s.m ′, x ′<
3
x ′=
3
{p}
, p
=t
.m
, x
:=
0
x=
3
{r}, r=s.m′
x′<3
x′=3
Figure 2.7: Product of two 1-bounded FIFO Buffers
It may be required to hide some ports of a TCA from the environment. For
example, in the product construction, the common ports (on which the TCA syn-
chronise) could be considered to become “internal” ports, and thus not be visible
from the outside anymore. Consider for example port q in Example 2.3.10. The
hiding operation removes all information about a set of ports O⊆P from a TCA.
To ensure correct timed behaviour of transitions with port sets P⊆O—namely that
such transitions may only be taken after a positive amount of time—we need to
introduce an additional clock.
Definition 2.3.12 (Hiding in TCA). Let T be a TCA, x 6∈X a fresh clock, and
O⊆P . The hiding of O in T yields a new TCA T\O=(S, s0,P\O,X∪x, I,D,#, E ′),
where E ′ is given in (2.12) and (2.13).
(s, P, dc, cc, λ, s′)∈E, ((P=∅)∨(P\O 6=∅))
(s, P\O, dc\O, cc, λx, s′)∈E
(2.12)
(s, P, dc, cc, λ, s′)∈E, ∅6=P⊆O
(s, ∅, true, cc∧(x>0), λx, s′)∈E ′ (2.13)
Here, dc\O denotes the data constraint which is derived from dc by replacing
all literals dc′, with dc′=(D∼D′) or dc ′=¬(D∼D′), by true iff p∈P|dc′ (cf. Defini-
tion 2.1.7), for all p∈O. The update map λx updates the new clock x to zero, and
agrees with λ on other clocks: λx(x
′)=λ(x′) if x′∈X , and λx(x)=0 otherwise.
2.3. TIMED CONSTRAINT AUTOMATA 27
The basic idea is to obtain transitions of T\O from transitions of T by reducing
the port set (and data constraints) to ports not contained in O (2.12). If the resulting
transition in T\O is invisible, while the underlying transition in T is visible (2.13),
the new clock x is used to ensure correct timed behaviour: since x is updated to zero
on all transitions, the additional constraint (x>0) ensures the elapse of a positive
amount of time before the (now invisible) transition can be taken.
The semantics of a system of two TCA T1 and T2 (with disjoint sets of clocks, lo-
cations and memory cells, as required in Definition 2.3.9) is defined as the semantics
(Definition 2.3.6) of the corresponding product automaton T1./T2 (Definition 2.3.9),
i.e., the set of runs of the associated LTS ST (Definition 2.3.5). In (2.14), we show
a run of the product automaton from Figure 2.7 of length 5.
〈(e, e ′),⊥, x=0x′=0 〉
{p}, p=3
t.m=3
,4
−−−−−−−→〈(f , e ′),m=3, x=0x′=4 〉
{q},
q=3
s.m=3
t.m′=3
,2.5
−−−−−−−−→
〈(e, f ′),m′=3, x=2.5x′=0 〉
{p},
p=5
t.m=5
s.m′=3
t.m′=3
,0.5
−−−−−−−−→
〈(f , f ′), m=5m′=3 , x=0x′=0.5 〉
∅, s.m=5
t.m=5
,2.5−−−−−−→
〈(f ,e ′),m=5, x=2.5x′=3 〉 ∅,⊥,0.5−−−→〈(e,e ′),⊥, x=3x′=3.5 〉 (2.14)
This run correspond to an execution of the buffer as follows: first, after a delay
of 4, it receives data element 3 through port p, and stores it in memory cell m of
target location (f ,e ′). Next, it transfers the data item to memory cell m′ of (e,f ′)
through port q, then receives data item 5 through port p and stores it in the memory
cell m of target location (f ,f ′). The buffer is now completely full. In location (f ,f ′),
the buffer delays for 2.5, which—together with previous delays—increases the value
of clock x′ to 3, such that the buffer takes the invisible transition to location (f ,e ′),
loosing data item 3. After delaying for another 0.5, the value of clock x reaches the
threshold 3 as well, the second data item is lost as well, and the buffer returns to
the initial location (e,e ′).
Remark 2.3.13 (Size of the Product). The result of the product construction
for TCA, as presented in Definition 2.3.9, is exponential in the worst case. For model
checking/verification, we present a linear technique to avoid the explicit construction
of the product automaton in Section 3.1.3.
2.3.4 Discussion
TCA arise from combining the real-time concepts of TA, as presented in Section 2.2,
with the coordination concepts of constraint automata (CA) [ABRS04]. We further
extend the basic definition from [ABdBR07, Kem11] with location memory, which
allows to reason about and base the coordination pattern on data values which have
been exchanged prior to the current step.
In this way, TCA are specially tailored for implementing coordinating connec-
tors in networks where timed components communicate by exchanging data values
through multiple channels. The behaviour of the network is given by synchronisation
28 CHAPTER 2. SYSTEM MODELS
between channel ends (ports). While the functionality of channels is often limited
to synchrony and (FIFO) buffering, TCA allow connectors with arbitrary behaviour.
These connectors provide exogenous coordination, by imposing a certain communi-
cation pattern—for example reordering or delays—on associated components. TCA
are compositional, which allows to easily build complex connectors out of simpler
ones.
One of the major advantages of TCA (which is also one of the major distinc-
tions to TA) is the fact that they provide true concurrency. Most action-based
(coordination) models, like e.g. finite state machines, timed I/O automata, but also
TA, permit only a single action per transition. As a consequence, synchrony, and
concurrent execution of actions in the parallel composition, is reduced to arbitrary
interleavings plus nondeterminism. Especially for timed systems involving exchange
of data values—aside from being unintuitive—this does not correctly capture the
nature of distributed systems, since it imposes a sequential order on actions which
conceptually happen at the same time. Furthermore, the sequential order might
influence the availability of data items, depending on the execution order of tran-
sitions. What is more, from a technical point of view, the presence of all possible
interleavings amplifies the state explosion problem. In contrast, TCA allow sets of
actions on each transition, which permits true concurrency, as this directly models
(truly atomic) synchronous communication through different ports.
Under true concurrency, all actions which happen at the same time (atomically)
collapse into a single transition. As a consequence, a positive amount of time has
to elapse before every visible transition (i.e., transitions involving visible data flow).
This allows for a more “concise” semantics compared to TA: transitions in the
associated LTS SA of a TA A correspond to either the execution of a transition of
A, or to a system delay,7 cf. Definition 2.2.4. In contrast, every transition in the
associated LTS ST of a TCA T corresponds to the execution of a transition in T,
possibly preceded by a time delay, cf. Definition 2.3.5. Thus, on average, runs of
ST are shorter than runs of SA while containing the same number of visible events,
i.e., providing the same “information content”.
2.4 Timed Network Automata
In this section, we define the third system model: Timed Network Automata (TNA).
TNA [Kem10] can be seen as an extension of TCA with environmental constraints
(see for example [CCA07, Cos10]). Such constraints are imposed on the TNA by
the surrounding network (hence the name), and capture information about whether
the environment is ready to communicate. Thus, presence and absence of dataflow
in the connector (which is modelled by the TNA) no longer depend on the internal
state of the automaton only, but also take into account whether the environment is
ready to communicate. Thereby, the behaviour of the environment is represented
through constraints on the transitions of the TNA, i.e., there is no need to specify
the environment explicitly. In this way, TNA provide a modular framework for
compositional construction of a real-time generalisation of dataflow networks.
7Remember that subsequent delays can be combined into a single transition, cf. Remark 2.2.7)
2.4. TIMED NETWORK AUTOMATA 29
The underlying idea of TNA is that absence of dataflow needs a reason. For
example, a simple empty buffer (without any constraints on the input) should always
be ready to accept data, communication can only be delayed if the reason comes
from the outside the connector (if the environment does not provide a data item,
i.e., is not ready to communicate). To capture where the reason for delaying the
communication comes from, TNA distinguish between input ports and output ports.
2.4.1 Syntax of Timed Network Automata
The (externally visible) behaviour of a TNA is given by the possible dataflow through
its (externally visible) ports, which not only depends on the TNA itself, but also on
the environment it occurs in. In particular, there needs to be a reason for the absence
of dataflow, from either the TNA or the environment; if both are ready to commu-
nicate, dataflow cannot be delayed. Consequently, we define the environmental
constraints over the ports of a TNA. Essentially following the three-colouring idea
presented in [CCA07], we define three different states of ports—called colours8—
which not only capture presence and absence of dataflow, but in case of no dataflow
also describe where the reason for delaying the communication comes from.
Definition 2.4.1 (Colours, Colourings). Let P be a finite set of ports, Q⊆P ,
and p∈P . A colouring c∈C(P) over P is a mapping c:P→Clr , assigning to each
port p∈P a colour from the set of colours Clr={ , ! , ? }. We denote the
colouring of a port p (i.e., the colour assigned to that port) by p: , p: ! and
p: ? , respectively. Port p is called active (under colouring c) iff c(p)= , and
inactive (under colouring c) otherwise.
The restriction c|Q of colouring c from P to Q is a colouring that agrees with
c on ports in Q, and is undefined otherwise, i.e., c|Q:Q→Clr , c|Q(p)=c(p), p∈Q.
We may write colourings in either orientation (i.e., p: or :p ), and we may
omit the port name p if it is clear from the context. Further, we may write C if P
is clear from the context.
The intended idea of the colourings of a port p is to denote dataflow through p
(p: ) and delay on p, with the underlying TNA to which the port belongs either
providing (p: ! ) or getting (p: ? ) a reason for the delay on its port p. Intuitively,
p: ? means that the TNA cannot actively delay dataflow through p, instead, delay
requires a reason from the outside. On the other hand, p: ! denotes that the TNA
itself delays the communication, for example because no data is available to be
transmitted.
A TNA consists of the externally visible ports, plus the internal behaviour. We
specify this internal behaviour by means of finite automata, which are equipped
with real-valued clocks. As for TA (cf. Section 2.2), we assume location changes
to be instantaneous, time may only elapse while the automaton remains in one of
8We here adopt the term colour and related notions, as introduced in [CCA07], to avoid
confusion with other uses of the word state.
30 CHAPTER 2. SYSTEM MODELS
its locations.9 The delays may depend on environmental constraints. Therefore, we
specify the admissible delays as explicit transitions of the automaton modelling the
internal behaviour of the TNA.
Similar to TCA, TNA are equipped with a finite set of data variables Data.
These can be used by locations, to store data values for use in subsequent steps.
In addition, data constraints on transitions may reason about data variables which
are not used by source or target location of the transition (this was not allowed
for TCA, cf. Definition 2.3.1). This feature is primarily used for conciseness of the
definition of TNA composition, but also to retain information when hiding ports
from the environment (cf. Definitions 2.4.13 and 2.4.14).
Recalling Definitions 2.1.2, 2.1.4, 2.1.5, 2.1.7 and 2.1.8, we define TNA as follows.
Definition 2.4.2 (Timed Network Automaton). A TNA N over data domain
Data is a tuple N=(S, s0,P ,X , I,D,#, E), with S a finite set of locations, s0∈S
the initial location, P=Pr∪˙Pw a finite set of ports, with Pr and Pw disjoint sets
of read respectively write ports, X a finite set of real-valued clocks, I:S→CC(X )
a function assigning a clock constraint (location invariant) to every location, D a
finite set of data variables, #:S→2D a function assigning to each location the set
of data variables it may use, and E⊆(S×C(P)×DC(P ,D)×CC(X )×Λ(X )×S) the
finite transition relation. The set P of ports is also called the external interface of
N.
An element e=(s, c, dc, cc, λ, s′)∈E describes a transition from source location s
to target location s′, with dataflow/delay according to colouring c, enabled under
data guard dc and clock guard cc, and updating all clocks according to the update
map λ. For every such transition, we require that dc only reasons about active
ports, i.e., dc∈DC(Q,D), with Q={p∈P | c(p)= }. We require both dc and cc
to be satisfiable. Transition e is called delay iff s′=s, λ=id (identity mapping), and
c(p) 6= for all p∈P , and communication otherwise. Two TNA are called disjoint if
the respective constituents (i.e., locations, ports, clocks, data variables) are disjoint.
A communication (s, c, dc, cc, λ, s′) describes the conditions for a location change
from s to s′, while a delay (s, c, dc, cc, id , s) describes the conditions under which N
may delay in location s—namely, as long as guard cc is satisfied, and a reason for
delay exists which satisfies colouring c. Note that the data constraint dc on delays
may not involve ports (since no dataflow is allowed), but only data variables (the
duration of the delay or whether the delay is possible at all may still depend on the
contents of the memory cells).
Remark 2.4.3 (Use of Data Variables). As for TCA, we not impose any re-
strictions on the set of data variables used by locations, cf. Remark 2.3.2. This
may lead to the same ambiguities as described in the Remark, if for a transition
(s, c, dc, cc, λ, s′), both locations use the same data variable d, and d occurs in dc.
We use the same conventions as introduced for TCA (cf. Remark 2.3.2 again):
9Yet, it is straightforward to model duration of data flow in a TCA like style, for example by
adding a fresh clock and appropriate clock guards >0 on transitions, which forces the automaton
to delay in every location.
2.4. TIMED NETWORK AUTOMATA 31
we prefix the occurrence of a data variable d in dc by “s.” if it belongs to the
source location, and by “t.” if it belongs to the target location. That means,
instead of (d=d1)∧(d=d2) (which would obviously evaluate to false), we write
(s.d=d1)∧(t.d=d2), and any data assignment δ will consider s.d and t.d to be dif-
ferent elements. A data variable without prefix is used in the data constraint only
and does not correspond to a memory cell of source or target location.
As for TCA before, unconstrained memory cells of the target location can take
random values, and we may explicitly require data variables to be empty.
Example 2.4.4. An example for a TNA can be found in Figure 2.8. We model again
the 1-bounded FIFO buffer with expiration from Example 2.3.3, but now in addition
take into account environmental constraints. To model dataflow and environmental
constraints, the TNA has a read port r, through which it receives the data item,
a write port w, through which it releases the data item to the environment again,
and uses a data variable m, to model the memory cell in location full . We denote
communications by solid lines, and delays by dashed lines.
empty
full
x≤3
[m]
r: , ! :w, r=t.m, x:=0
r: ! , :w,w=s.m, x<3
r: ! , ! :w, x=3r: ? ,
! :w
r: ! ,
? :w,
x≤3
Figure 2.8: 1-bounded FIFO Buffer with Expiration and Environmental Constraints
The general idea of the TNA in Figure 2.8 is identical to the TCA presented
in Figure 2.5. The three communications correspond almost directly to the three
transitions in the TCA. On each communication, the inactive port always provides
(and never requires) a reason to delay. On the upper communication (from empty
to full), for example, this is due to the fact that the buffer is empty, so no data can
flow out of it (through w), so the TNA itself provides a reason to delay on write
port w. The reason can be read as “no data available”. The explanation for the
lower transition is similar. On the middle transition, both ports provide a reason
to delay: port r cannot be active, since the buffer is full and no (more) data can
be accepted through r. The fact that port w is inactive models the loss of the data
item: once the deadline of 3 time units is reached, the data item is lost and cannot
be sent through w anymore.
To handle environmental constraints, we add two delays, one for each location.
The delay in location empty models the fact that no data item can be written to the
environment (since there is no data, i.e., the buffer is empty), therefore, w provides
a reason to delay. Since the TNA itself is ready to accept data through r, the read
port requires a reason for delay. Stated differently: if the buffer is empty, it is
always ready to accept data. The explanation for the delay in full is symmetrical,
the additional clock constraint x≤3 is used to enforce the expiration threshold of 3
time units.
32 CHAPTER 2. SYSTEM MODELS
Notation 2.4.5 (TNA). If not state otherwise, we shall assume the constituents
of a TNA N to be denoted as N=(S, s0,P ,X , I,D,#, E), with port set P=Pr∪Pw,
and of a TNA Ni to be denoted as Ni=(Si, s0,i,Pi,Xi, Ii,D,#i, Ei), with port set
Pi=Pri ∪Pwi , for i∈N. We lift # to reason about sets of locations, and we may omit
curly braces: #(s, s′)=#(s)∪#(s′).
By CC(X )|N, we denote the set of clock constraints (over clock set X ) that occur
in a TNA N (invariants or guards). Equivalently, by DC(P ,D)|N, we denote the set
of data constraints over port set P and data variables D that occur in a TNA N.
In the graphical representation of TNA, we use (as before) assignment rather
than functional notation for updates, and we omit guards equal to true as well as
identity updates. We denote a set of memory cells {m1, . . . ,mn} associated to a
location as a bracketed list [m1, . . . ,mn].
2.4.2 Semantics of Timed Network Automata
The semantics of a TNA is given by the set of runs of the associated LTS SN.
Definition 2.4.6 (Associated LTS). Let N be a TNA. The associated LTS SN is
a tuple SN=(Q, q0,→), with Q⊆(S×DA(D)×V(X )) the set of configurations, such
that for every (s, δ, ν)∈Q, δ∈DA(D), with δ(m)=⊥ if m 6∈#(s), and ν|=I(s). The
initial configuration is q0=〈s0,0,0〉, with 0(x)=0 for all x∈X and 0(m)=⊥ for all
m∈#(s0), and the transition relation→ ⊆(Q×C×(DA(P ,D)∪Time)×Q) is given by
(s, c, dc, cc, λ, s′)∈E,
ν|=cc, ν[λ]|=I(s′)
δ¯∈DA(P ,D) : δ¯|=dc
δ¯(s.m)=
{
δ(m), if m∈#(s)
⊥, otherwise
δ¯(t.m)=δ(m) if m∈#(s),m∈#(s′), t.m6∈D|dc
δ¯(d)=⊥ if d∈D\(D|dc∪#(s, s′))
δ¯(p)=⊥ iff c(p) 6=
δ′(m)=δ¯(t.m) for all m∈#(s′)
〈s, δ, ν〉 c,δ¯−→〈s′, δ′, ν[λ]〉
(2.15)
(s, c, dc, cc, id , s)∈E,
t>0, t≥t′≥0 : ν+t′|=cc, ν+t′|=I(s),
δ|=dc
〈s, δ, ν〉 c,t−→〈s, δ, ν+t〉
(2.16)
A run of SN (starting in configuration q0) is a sequence of transitions q0
γ0−→q1 γ1−→ . . .,
with γi∈(C×DA(P ,D))∪(C×Time). A run is called initial if it starts in the initial
configuration q0, it is called loop-free if all configurations are different.
2.4. TIMED NETWORK AUTOMATA 33
Transitions of SN directly correspond to the two types of transitions of TNA, cf.
Definition 2.4.2: an action transition (2.15) describes the firing of an instantaneous
communication in N, with dataflow according to colouring c. The clock guard cc
is satisfied before the execution of the transition, and the invariant of the target
location is satisfied after the execution, i.e., after updating the clocks (second row).
The data assignment satisfies the data guard dc (third row). As for TCA (cf. (2.7)),
the values of memory cells before the execution of the transition remain unchanged
if used by the source location s, otherwise, they are empty (fourth row). The values
of memory cells which are used in both source and target location carry over to s′
if they are not modified in the data constraint, if a memory cell is not used in the
target location, its value after the execution of the transition is unspecified (fifth
row). Data variables which are not used in source or target location, nor in the
data constraint, are empty (sixth row), and data may only be pending at active
ports (sixth row). Data variables used by the target location s′ obtain their values
according to the data assignment on the transition. A delayed action transition
(2.16) describes the firing of a delay of N: if a reason for delay exists that satisfies
colouring c, the TNA can delay for a positive amount of time t, during which the
invariant I(s) and the clock guard cc need to be satisfied at all points (second row),10
and the data guard dc has to be satisfied. Since by definition, all ports are inactive
(i.e., have a colouring 6= ) during the execution of a delay, the data values stored in
data variables do not change (new data values can only be received through active
ports), i.e., the data assignment δ is identical in both configurations, it can only
reason about memory cells that are used by s.
Definition 2.4.7 (Semantics of Timed Network Automata). Let N be a TNA,
SN the associated LTS. The trace semantics of N is given by the set RunN of initial
runs (also called executions) of SN. With RunN,k, we denote the set of finite prefixes
of elements of RunN of (at most) length k.
Example 2.4.8 (Execution of a Timed Network Automaton). In (2.17), we
show an execution of the TNA from Example 2.4.4 of length 8. Again (cf. Exam-
ple 2.3.7), we omit data assignments on transitions which evaluate to ⊥, and we
abuse the single symbol ⊥ to denote the empty data assignment, which assigns ⊥ to
all elements. In order not to clutter up the illustration, we further omit port names;
the colourings correspond to port r on top, and port w below.
2.4.3 Systems of Timed Network Automata
In this section, we present a compositional product construction for TNA, which
allows to build complex TNA out or simpler ones. The basic idea of the composition
operator is to join sets of (read and write) ports, which conceptually yields invisible
internal ports. Note that internal ports are theoretical constructs, in that they do
not actually appear in the composed TNA. The notion of internal ports is used for
explanatory purposes, and to reason about the validity of the composition.
10Due to convexity, it is actually enough to check the clock constraints at the beginning and at
the end of the time delay only. We will use this fact in the representation, cf. Section 3.1.4.
34 CHAPTER 2. SYSTEM MODELS
〈empty ,⊥, x=0〉
?
!
,4
−−−−→〈empty ,⊥, x=4〉 !
, r=2
t.m=2−−−−−−−→〈full ,m=2, x=0〉
!
?
,2.5
−−−−→
〈full ,m=2, x=2.5〉
! , w=2
s.m=2−−−−−−−→〈empty ,⊥, x=2.5〉
?
!
,10
−−−−→
〈empty ,⊥, x=10〉 !
, r=5
t.m=5−−−−−−−→〈full ,m=5, x=0〉
!
?
,3
−−−−→
〈full ,m=5, x=3〉
!
!
, w=⊥
s.m=5−−−−−−−→〈empty ,⊥, x=3〉 (2.17)
The intended behaviour of internal ports is to act as self-contained, stateless
“pumping stations” [BSAR06], merging data from write ports, and replicating data
to read ports. If data flows through an internal port, then it flows through exactly one
underlying write port and through all underlying read ports. Absence of dataflow
is subject to environmental constraints on the involved ports: if there is a reason for
delay ( ! ) on at least one read port (i.e., the TNA contributing the port provides
a reason to delay on that port) or on all write ports, data cannot flow. Stated
differently, a valid colouring of an internal port must not involve the colour ?
only. We do not restrict composition to one-to-one relations (as is done in [Arb04,
CCA07, CPLA09], for example). On the contrary, we do not impose any restrictions
on the number, type (read/write) or origin (same or different TNA) of ports to be
merged; the only condition is that a port cannot be merged more than once. Though
the composition of colourings would be slightly simpler in a one-to-one approach, our
many-to-many composition provides a direct and more intuitive way of specifying
compositions, for example for mergers, replicators or multi-synchronisations.
We now formalise these ideas.
Definition 2.4.9 (Merge Set, Validity of Colouring). Let P be a set of ports,
Q⊆P a subset, Qr⊆Pr and Qw⊆Pw the sets of read respectively write ports in Q,
and c∈C(P) a colouring. If ports in Q are intended to be joined (merged), we call
Q a merge set (over P), the resulting internal port is denoted as p≺Q.
Colouring c is valid over merge set Q (or valid over p≺Q ), if it satisfies the
following conditions for all ports w,w′, r∈Q:
1. If ∃w∈Qw:c(w)= , then ∀r∈Qr:c(r)= , and
∀w′∈Qw, w′ 6=w:c(w′)6=
2. If ∃r∈Qr:c(r)= , then ∃w∈Qw:c(w)=
3. If @w∈Q:c(w)= , then ((∀w′∈Qw:c(w′)= ! ) or (∃r∈Qr:c(r)= ! ))
Colouring c is valid over a set Q′ of disjoint merge sets Q′={Q1, . . . ,Qn}, n≥1, if
it is valid over each Qi.
Only valid colourings correctly reflect/model the aforementioned behaviour of
internal ports: conditions 1 and 2 in Definition 2.4.9 describe simultaneous dataflow
2.4. TIMED NETWORK AUTOMATA 35
through exactly one write port and all read ports of p≺Q. Condition 3 describes the
propagation of environmental constraints (delays): no dataflow is possible only if
either all write ports or at least one read port in Q provide a reason to delay.
Example 2.4.10 (Validity of Colourings). To illustrate validity of colourings
over internal ports, consider a merge set which contains two write ports w,w′, and
two read ports r, r′. The internal port resulting from this merge set is conceptually
depicted on the left side of the illustration below (note that the ports do not need to
come from different TNA, as suggested in the picture). Some of the valid colourings
of the internal port are given in the middle (the layout of colourings reflects the
layout of the ports on the left), there are 17 valid colourings in total.
w r
w′r′
!
!
? !
? ?
! ?
! ?
? ?
? !
? ?
! ?
The colouring in the lower right, for example, can be read as follows: if read port
r′ provides a reason to delay ( ! ), while the other ports can only delay if they get
a reason ( ? ), then the reason from r′ is enough to delay dataflow through the
internal port.
The colouring on the right side of the illustration is an example for an invalid
colouring. It corresponds to a situation where there is no actual reason for delay:
neither of the read ports can delay the communication, both read ports require a
reason for delay. Write port w′ provides a reason for delay, but write port w requires
a reason, that means, w is actually ready to communicate. Thus, data could flow
through ports w, r and r′, since they are all ready to communicate, so this “no flow”
colouring is not valid.
The flip rule, introduced in [CCA07], is used to reduce the size of composed
TNA, by identifying redundant (with respect to compositionality) colourings.
Remark 2.4.11 (Flip Rule). Let P be a set of ports, p∈P , and c1, c2∈C(P). If c1
and c2 are identical except for c1(p)= ! and c2(p)= ? , then c2 is redundant and
can be removed: the set of colourings with which c2 can compose over p is a strict
subset of the set of colourings with which c1 can compose over p.
Example 2.4.12 (Flip Rule). To illustrate the flip rule, consider the following
simple example.
w w
w w
r
r
r
r
! !
! ?
? !
? ?
36 CHAPTER 2. SYSTEM MODELS
A write port w with colouring w: ! can compose with a read port r under both
possible “no flow” colourings of r (left side). But the colouring w: ? can compose
with the colouring ! :r only (right side), the colouring in the lower right is not
valid, since it corresponds to a situation where both ports delay, without actually
having a reason to delay (cf. also Example 2.4.10). Therefore, the colouring w: ?
is redundant and can be removed.
As explained above, internal ports are theoretical constructs, and do not actu-
ally appear in the composed TNA. In particular, the ports in the merge set are
removed from the composed TNA. Consequently, we would have to remove the data
constraints on these ports as well, since data constraints may only reason about
(active) ports. If we want to ensure that data values are transmitted correctly over
internal ports, we need to preserve the information from data constraints on ports
in the merge set; simply removing such data constraints would not correctly reflect
the intended behaviour.
To illustrate this, consider the following example: a TNA N1 has a data value
stored in a memory cell m, then writes it to the environment through a write port
w. The corresponding transition contains a data constraint of the form s.m=w, to
ensure the value that is written through w is indeed that value that was contained
in m. A second TNA N2 reads a data value from the environment into a memory
cell m′, the corresponding transition contains a data constraint of the form r=t.m′.
Ports w are r are to be merged, i.e., there exists a merge set Q={w, r}. This scenario
is conceptually depicted as
[m] [m ′]
s.m=w r=t.m′
w r
The expected result of merging ports w and r is to create a permanent link, with
the expected behaviour that the data value that arrives in m′ is always identical to
the one that was contained in m. Yet, if we simply remove the two data constraints,
we cannot guarantee this behaviour, since the correlation between m and m′ is
completely lost. So instead, we would like to obtain a data constraint (that is
equivalent to) s.m=t.m′. For this, we define reduced (with respect to a merge set)
data constraints.
Definition 2.4.13 (Reduced Data Constraint). Let P be a set of ports, Q⊆P
a merge set over P , Q′={Q1, . . . ,Qn}, n≥1, a set of disjoint merge sets over P ,
dc∈DC(P) a data constraint, d, d1, . . . , dn∈D distinct data variables not occurring
in dc, i.e., d, d1, . . . , dn 6∈D|dc. The reduced data constraint dc|Q of dc (with respect to
Q) is obtained by replacing every occurrence of a port q∈Q in dc by data variable d.
The reduced data constraint dc|Q′ of dc (with respect to Q′) is obtained by replacing
every occurrence of port qi∈Qi by data variable di.
The reduced data constraint dc|Q removes the occurrence of all ports in the merge
set Q, while preserving the information on admissible data values. By replacing all
occurrences of ports q∈Q by the same data variable d, we ensure that the transmitted
2.4. TIMED NETWORK AUTOMATA 37
data value is the same on all ports contained in the merge set. Note that the
constraints about whether dataflow is possible at all are already covered by valid
colourings (see Definition 2.4.9).
We now have all the necessary concepts for defining the composition of TNA.
The basic idea of TNA composition is along the same lines as the standard cross
product in other automata models: the sets of read and write ports are joined, the
ports in the merge sets are removed from the TNA, and the colourings of the involved
transitions are composed. The composition of colourings (over disjoint port sets)
is defined by standard function composition: for two colourings c1∈P1 and c2∈P2,
with P1∩P2=∅, the composition c1∪c2 is a new colouring c=c1∪c2∈C(P1∪P2), with
c(p)=c1(p) iff p∈P1, and c(p)=c2(p) iff p∈P2, for all ports p∈P1∪P2.
Definition 2.4.14 (TNA Composition). Let N={N1, . . . ,Nk}, k≥1, be a set
of disjoint TNA, Q={Q1, . . . ,Qn}, n≥1, be a set of disjoint merge sets over
⋃Pi,
i=1, . . . , k. The composition of the Ni over Q , denoted N1./Q . . . ./QNk (or simply
N ./Q), is a new TNA N ./Q=(S, s0,P ,X , I,D,#, E), with S=
∏
Si (Cartesian prod-
uct), s0=(s0,1, . . . , s0,k), P=
⋃Pi\⋃Qi, X=⋃Xi, I((s1, . . . , sk))=∧Ii(si), D=⋃Di,
#:S→2D, with #((s1, . . . , sk))=
⋃
#(si), and E is defined in (2.18).
(s1, c1, dc1, cc1, λ1, s
′
1)∈E1, . . . , (sk, ck, dck, cck, λk, s′k)∈Ek,
c=(c1∪ . . .∪ck)|P valid over Q
dc=(dc1∧ . . .∧dck)|Q
cc=cc1∧ . . .∧cck, λ=λ1◦ . . . ◦λk
((s1, . . . , sk), c, dc, cc, λ, (s′1, . . . , s
′
k))∈E
(2.18)
We call the Ni the underlying TNA of N ./Q.
A transition in the composed TNA results from composing k transitions (called
underlying transitions) from the underlying TNA. If all underlying transitions are
delays, the resulting transition in N ./Q is a delay as well. If at least one of the un-
derlying transitions is a communication, the transition in N ./Q is a communication
as well. In the latter case, the associated TNA of underlying delays (i.e., TNA which
contribute a delay to the composed transition) perform zero-delay steps. As for
TCA (cf. Definition 2.3.9 and explanations thereafter), we have that the semantics
of TNA (in particular the fourth and fifth row of (2.15)) ensures that data values
stored in data variables used by locations correctly carry over to the next location.
Example 2.4.15 (TNA Composition). Consider two instances of the TNA from
Example 2.4.4. The second instance is identical to the TNA in Figure 2.8, except that
we add a prime to all names (locations, ports, data variables, clocks). We compose
the two TNA over the merge set Q={w, r′}, the result is shown in Figure 2.9. As has
been done in Figure 2.7, we abbreviate location names for readability. The resulting
TNA models an expiring FIFO buffer with capacity 2, where each buffer cell has its
own expiration timer.
The explanation of the behaviour of the TNA is essentially equivalent to the ex-
planation in Example 2.3.10. A significant difference is the fact that it is not possible
38 CHAPTER 2. SYSTEM MODELS
e,e ′
f ,f ′
x≤3∧x′≤3
[m,m′]
f ,e ′
x≤3
[m]
e,f ′
x′≤3
[m′]
r:
,
!
:w
′ , r
=
t.m
, x
:=
0
r:
!
,
!
:w
′ , x
=
3
r:
!
,
!
:w
′ ,
d
=
s.
m
∧d
=
t.
m
′ ,
x
<
3,
x
′ :=
0
r:
,
!
:w
′ ,
r=
t.
m
,
x
′ =
3,
x
:=
0
r:
,
:w
′ ,
r=
t.
m
∧w
′ =
s.
m
′ ,
x
′ <
3,
x
:=
0
r:
?
,
!
:w ′, x ′=
3
r:
?
,
:w ′, w ′=
s.m ′, x ′<
3 r:
,
?
:w
′ , r
=
t.m
, x
′ ≤3
, x
:=
0
r:
!
,
?
:w
′ , x
=
3,
x
′ ≤3
r:
!
,
!
:w ′, x≤
3∧x ′=
3
r:
!
,
:w ′, w ′=
s.m ′, x≤
3∧x ′<
3
r: ! , :w′, w′=s.m′, x=3∧x′<3
r: ! , ! :w′, x=3∧x′=3
r: ? ,
! :w′
r: ? , ? :w′, x′≤3
r: ! ,
? :w′,
x≤3∧x′≤3
Figure 2.9: TNA Composition: Example
to delay in location (f ,e ′) (while this was possible in the TCA in Example 2.3.10).
After entering this location, the only possible transitions are the communications
to locations (e,e ′) and (e,f ′). The first transition is taken if x=3, i.e., the timer of
the first buffer cell has expired. The second transition corresponds to an “internal”
transition, where the data item is transmitted from the first to the second buffer
cell. This transition shows that the composed TNA is indeed a FIFO buffer: data
items may not remain in the first buffer cell if the second buffer cell is empty, but
are pushed towards the “end” as far as possible.
Also note that on the transition from (e,f ′) to (f ,f ′), the value of m′ is uncon-
strained. Since the underlying transition in the second (primed) TNA is a delay, the
semantics ensures that the value carries over to (f ,f ′) unchanged.
2.4. TIMED NETWORK AUTOMATA 39
Proposition 2.4.16 (TNA Composition). The composition of TNA over disjoint
merge sets is commutative and—after applying the flip rule to remove redundant
colourings—associative, up to isomorphy of location names.
Proof.
1. Commutativity follows from the commutativity of ∪ on port sets, clock sets
and data variable sets, the commutativity of ∧ on clock and data constraints,
the commutativity of ∪ on colourings over disjoint ports sets, and the commu-
tativity of ◦ on update maps over disjoint clock sets.
2. Associativity follows from the associativity of ∪ on port sets, clock sets and
data variable sets, the associativity of ∧ on clock and data constraints, the
associativity of ∪ on colourings over disjoint port sets, the associativity of
◦ on update maps over disjoint clock sets, and the fact that for disjoint Pi,
i=1, 2, 3,, and disjoint Qj, j=1, 2, 3, with Qj⊆
⋃Pi, we have
(((P1∪P2) \ (Q1∪Q2))∪P3)\Q3=(((P2∪P3) \ (Q2∪Q3))∪P1)\Q1
The semantics of a composed TNA N ./Q (Definition 2.4.14) is defined in the
same way as for simple TNA (Definition 2.4.7), i.e., by executions of the associated
LTS (Definition 2.4.6).
In (2.19), we show a run of the composed TNA from Figure 2.9 of length 7.
Again, we omit data assignments on transitions which evaluate to ⊥, and we abuse
the single symbol ⊥ to denote the empty data assignment. Further, we omit port
names, the colourings correspond to port r on top and port w′ below.
〈(e,e ′),⊥, x=0x′=0 〉
?
!
,4
−−−−→〈(e,e ′),⊥, x=4x′=4 〉 !
, r=3
t.m=3−−−−−−−→〈(f ,e ′),m=3, x=0x′=4 〉
!
!
,
t.m=3
s.m′=3
d=3−−−−−−−−→〈(e,f ′),m′=3, x=0x′=0 〉
?
?
,0.5
−−−−→〈(e,f ′),m′=3, x=0.5x′=0.5 〉
?
,
r=5
t.m=5
s.m′=3
t.m′=3−−−−−−−−→〈(f ,f ′), m=5m′=3 , x=0x′=0.5 〉
!
?
,2.5
−−−−→〈(f ,f ′), m=5m′=3 , x=2.5x′=3 〉
!
!
, s.m=5
t.m=5−−−−−−−→〈(f ,e ′),m=5, x=2.5x′=3 〉
!
!
,
t.m=5
s.m′=5
d=5−−−−−−−−→〈(e,f ),m′=5, x=2.5x′=0 〉
?
?
,3
−−−−→〈(e,f ),m′=5, x=5.5x′=3 〉
?
!
,⊥
−−−−→〈(e,e ′),⊥, x=5.5x′=3 〉 (2.19)
The run describes almost the same behaviour as the TCA run presented in (2.14).
In particular, the time values on transitions, that means the lengths of delays, are
identical wherever possible. Yet, as mentioned in Example 2.4.15, the significant
difference is that it is not possible to delay in location (f ,e ′): whenever the TNA
enters that location, it (in this example) immediately transfers the data item from
the first to the second buffer cell, thereby moving to location (e,f ′).
40 CHAPTER 2. SYSTEM MODELS
Remark 2.4.17 (Size of the Composition). The size of a TNA, i.e., the number
of locations and transitions, can be exponential (in the number of locations and tran-
sitions of the underlying TNA) in the worst case. For model checking/verification,
we present a linear technique to avoid the explicit construction of the composed
TNA in Section 3.1.4.
2.4.4 Discussion
In this Section, we have described a powerful framework for compositional construc-
tion of and coordination in real-time dataflow networks, which takes into account
environmental constraints from outside the network. The approach is suitable to
model both the “algorithmic” behaviour of components and connectors (for example
the internal implementation of the coordination pattern), and the inter-component
coordination behaviour. In this way, whole networks can easily be described with
our formalism.
The development of TNA in [Kem10] was—amongst others—motivated by the
fact that in TCA, it is not possible to enforce a transition to be taken as soon as
dataflow through some port is possible. For example, consider again the FIFO buffer
in Figure 2.5: the TCA is not required to take the transition from location empty
to full as soon as data is available through p, instead, it can delay for an arbitrary
amount of time. In contrast, in the corresponding TNA in Figure 2.8, when data is
available through r , the TNA can no longer delay in location empty . Yet, we could
still permit to delay for an arbitrary amount of time in Figure 2.8, by changing the
colouring r: ? to r: ! on the delay in location empty .
In this thesis, we have further extended the basic definition of TNA from [Kem10]
in two ways, by introducing data guards and data variables (together with a domain
Data of admissible data values). Data guards on transitions allow to model coordi-
nation patterns which depend on concrete data values, rather than only on presence
and absence of dataflow (which was the case in [Kem10]). The benefits of introducing
data variables are twofold: as for TCA, using data variables in locations (“location
memory”) allows the coordination pattern to reason about data values which were
exchanged prior to the current step. Secondly, in the composition of TNA, using
data variables and data guards allows us to preserve the information about the data
values which are exchanged through internal ports (cf. Definitions 2.4.13 and 2.4.14,
and explanations before that).
With TNA, we have defined a powerful yet simple framework for defining and
describing the behaviour of connectors and whole networks. Our liberal notion
allows to encode many common (coordination) models, like for example TA and
TCA, in our framework.11 On the other hand, the state-based approach makes our
framework easy to understand (and thus, use), and facilitates the introduction of
new, user-defined coordination patterns.
11The basic idea for TCA is to restrict the use of data variables to locations, and to use the
no-flow colour ! only. For TA, the basic idea is to not allow data variables or data guards at
all, and permit only one port per transition. We skip the technical details.
2.5. CONCLUSION 41
2.5 Conclusion
In this Chapter, we have presented general concepts for handling time and data in
real-time systems, and we have presented three formal models for specification of
real-time systems and real-time coordination patterns.
The formal model of Timed Automata, presented in Section 2.2, has first been
introduced in [AD94] (and later in [Alu99]), and—as has been outlined in Sec-
tion 2.2.4—has been studied, modified and extended intensively since that time.
The Definitions and results in Section 2.2 have not been developed by us, but are
entirely based on previous work on this field, which we have made clear by providing
pointers to corresponding fundamental literature all throughout the Section. The
nonetheless in-depth character of Section 2.2 is owed to the facts that there exist so
many variants of TA (with sometimes only minor differences) that it is impossible
to use the notion of the Timed Automaton without further explanations, and that
the time-related notions (guards, invariants, update maps) directly carry over to
TCA and TNA. Section 2.2 thus serves the purpose to make clear which notions and
concepts of TA we use in this thesis, and to establish the concepts for handling of
real-time. Moreover, it serves as the formal basis for the formula representation and
SAT-based verification of TA introduced in the next Chapter.
We have presented the second formal model, Timed Constraint Automata, in
Section 2.3. The first formal definition of syntax and semantics of TCA can be found
in [ABdBR04] (and its extended version [ABdBR07]), though the authors do not
handle memory cells. In [PSHA09], memory cells are added to constraint automata,
resulting in the formal model of CASM (Constraint Automata with Memory Cells),
but as the name suggests, CASM do not include time. While the underlying idea
of handling data and memory cells in CASM is similar to the approach presented
here, the semantics of CASM is not defined formally, which leaves a number of open
questions. For example, it is unclear whether a memory cell used by the target
location of a CASM transition has to be initialised in the data guard of ingoing
transitions, or what happens in case it is not initialised (is the value undefined,
empty, random). From [PSHA09], we have adopted the notion of prefixing memory
cells with “s.” and “t.” on transitions (cf. Remark 2.3.2), but to the best of our
knowledge, this is the first work on combining TCA with memory cells, and defining
a formal semantics.
Finally, in Section 2.4, we have presented our third and most powerful (with
respect to expressiveness of the three models) formal model: Timed Network Au-
tomata. As explained in Section 2.4.4, we have originally developed TNA as an
enhancement of TCA, to be able to specify constraints under which it is admissible
to delay (further). In this work, we have improved the TNA model from [Kem10], by
adding data guards and data values, with the advantages discussed in Section 2.4.4.

Chapter 3
SAT-based Verification
Model checking [CGP99, BK08] is the problem of automatically verifying (prov-
ing or disproving) whether a system conforms to its specification, given as a set of
properties/constraints. Model checking usually consists of enumerating all reachable
configurations of the system, and then checking whether the properties hold in these.
Yet, the infinite state-space of real-time systems leads to severe limitations in scal-
ability, even in very well-established model checkers like Uppaal [upp]. Especially
for the verification of safety properties of real-time systems [CBRZ01, BCC+03],
Bounded Model Checking (BMC, [BCCZ99]) has turned out to be amongst the
most promising approaches. Safety properties declare what should not happen—or
equivalently, what should always happen—and are typically expressed as reachabil-
ity properties. Safety properties can be disproved with a finite counterexample, i.e.,
a finite run, where the last configuration contains a contradiction to the property.
The principle of BMC for safety properties is to examine prefix fragments of the
transition system, and successively increase the exploration bound until it reaches
(a computable indicator of) the diameter of the system—in which case the system
has been proven safe—or an unsafe run has been discovered [ACKS02].
In this chapter, for each of the system models defined in the previous chapter
(i.e., TA, TCA, TNA), we present an encoding in propositional logic, plus linear
arithmetic on the rational numbers, which is tailored towards BMC. A satisfiability
check on the resulting formula (SAT solving) using SMT solvers1 like FOCI [FOC]
or MathSAT [mat], is then used to find possible runs of the system.
The main idea is that for any system model S, with S∈{A,T,N} (cf. Defini-
tions 2.2.1, 2.3.1 and 2.4.2), we define a formula ϕ(S). This formula encodes the
transition characteristics of S, that means, the possibilities to evolve to the next
step t+1, based on the configuration in the current step t. For BMC, we unfold
1Satisfiability Modulo Theory (SMT) problems combine propositional satisfiability with an
underlying theory, for example the theory of linear arithmetic over the real numbers. Atoms in an
SMT problem can consist of propositional variables or theory atoms, and are combined with the
Boolean connectives.
43
44 CHAPTER 3. SAT-BASED VERIFICATION
the formula ϕ(S) k times, i.e., we instantiate the “abstract” indices t and t+1 for
all steps 1 up to bound k, which yields a variant ϕ(S)k. Intuitively, a satisfying
interpretation of the formula ϕ(S)k corresponds to a run of the associated LTS SS,
i.e., to one possible behaviour for the first k steps. Consequently, the set of all pos-
sible valuations of ϕ(S)k corresponds to the complete possible behaviour of S for
the first k steps.
The rest of this Chapter is organised as follows: in Section 3.1, we define the
formula representation. As in the previous Chapter, we start with a general part
(Section 3.1.1), and then discuss in detail the formula representation of the different
system models and their products (Sections 3.1.2 to 3.1.4). In Section 3.2, we present
the unfolding for BMC, and discuss some issues related to BMC. We discuss other
possibilities for encoding, and motivate our design decisions in Section 3.3, and
conclude the Chapter in Section 3.4.
3.1 Formula Representation
The possible behaviour (i.e., which transition can be taken) of a real-time system S
depends on the current system configuration (location, clock valuation, data vari-
ables, events, ports, memory cells) and changes over time. This time-dependent
behaviour needs to be reflected by the formula ϕ(S)k. Therefore, we “parametrise”
the variables representing the constituents of S by the step t they are evaluated in.
This is called localisation: the localisation ψt of a formula ψ is obtained by adding
index t to all variable symbols occurring in ψ. Thus, if ψ is of vocabulary x, s, p,
then ψt is of vocabulary xt, st, pt.
In the next section, we present the representation for constituents common to
more than one real-time system: clocks, locations, events, ports, and data vari-
ables/memory cells. In Sections 3.1.2, 3.1.3 and 3.1.4, we introduce the specific
transition characteristics of TA, TCA and TNA, respectively.
3.1.1 Preliminaries
We now show how to represent constituents common to more than one real-time
system.
3.1.1.1 Clocks, Clock Constraints
Let X be the set of clocks in S. For the representation of clocks, we first introduce a
fresh clock z, called absolute time reference, which is not used in any clock constraint
and which is never updated, thus, the value of z increases constantly. This clock is
used to measure the absolute amount of time that has passed since the beginning
of computation: for any step t, the rational variable zt (called representation of z)
represents the value of z in step t, i.e., the absolute amount of time which has passed
from the beginning of computation up to step t. For every clock x∈X , the rational
variable xt (clock reference (of clock x)) is used to compute the value of clock x in step
t, which is given by the difference zt−xt. Thus, for clock constraints cc=x∼n and
3.1. FORMULA REPRESENTATION 45
cc′=x−y∼n (cf. Definition 2.1.2), the formulas cct=zt−xt∼n and cc′t=yt−xt∼n,2
(called representation of cc and cc ′, respectively) evaluate to true iff cc and cc′ hold
in step t. The representation of other clock constraints is straightforward, by using
conjunctions of the above constraints.
The underlying idea of clock references is that the variable xt will keep its value
as long as clock x is not updated in S. When clock x is updated, there are two
possibilities (cf. Definition 2.1.5): either x is updated to a natural number n∈N, or
x is updated to the value of another clock x′. In the former case, the value of xt is
set to zt−n, in the latter case, it is set to the value of x′t. In both cases, the dif-
ference zt−xt yields the correct value of x. This temporal difference representation
significantly improves the SAT solving performance, due to the decreased number
of arithmetic operations, see Section 3.3 for a more detailed discussion.
We illustrate the idea describe above in Figure 3.1. Above the line representing
the value of z, we denote the updates, as found on transitions of S. Below the time
line (x-axis), we denote the formulas which are used to set xt to the correct value.
time
value
z
xx′
n
x=0
x=n
x=x′
xt=zt xt=zt−n xt=x′t
Figure 3.1: Representation of Clock Values, Concept
By definition of the allowed updates for a clock x, the value of xt is always
smaller than the value of zt. The value of xt can become negative in case of an
update λ(x)=n, with n>zt (or, obviously, in case x is updated to the value of
another clock x′ where x′t is already negative).
3.1.1.2 Locations
Let S be the set of locations of S. We use a linear Boolean encoding for locations:
for every location s∈S, the Boolean variable st (called representation of s) represents
whether S is in location s in step t. Please refer to Section 3.3 for a discussion of
other possible encodings.
3.1.1.3 Data Values
To represent the (possibly infinite, countable) set of data values Data for TCA and
TNA, we use an injective mapping ∆:Data→Z, which maps each element di∈Data,
2Actually, the formula is ((zt−xt)−(zt−yt))∼n, but this simplifies to yt−xt∼n.
46 CHAPTER 3. SAT-BASED VERIFICATION
di 6=⊥, to an integer number ni (called representation of di). If a total order 6
exists on Data (cf. Definition 2.1.7), we require ∆ to preserve this total order, i.e.,
for all di, dj∈Data such that di 6=dj, if di 6 dj, then ∆(di)=ni<nj=∆(dj). For the
representation of ⊥ , we introduce an integer constant, denoted by n⊥, without
assigning a specific value to it; see Remark 3.1.5 for further explanations. For
explanatory purposes, we treat n⊥ similarly to ni, i.e., as if it was an element of Z.
3.1.1.4 Events, Ports, Data Variables
To represent the set of events Σ of a TA A, we use a linear Boolean encoding: for
every event a∈Σ, the Boolean variable αt (called representation of a ) represents
whether A executes a transition in step t that is labelled with a. Please refer to
Section 3.3 for a discussion on other possible encodings of events.
The basic idea for ports (in TCA or TNA) is the same as for events: for every port
p∈P , the Boolean variable pt (called port activity variable of p) represents whether
port p is active in step t. In addition, to encode which data value is transmitted
over an active port, for every port p∈P , we introduce an integer variable Dpt (called
port data variable), which represents the data value pending on p in step t. If p is
inactive in step t, Dpt evaluates n
⊥; see Remark 3.1.5 for further explanations.
For data variables, we use a similar set of variables, though with a slightly dif-
ferent meaning: for every data variable d∈D, we introduce a Boolean variable dt,
and an integer variable Ddt. The variable dt (called data fullness variable) is used to
indicate whether d is full in step t. As for ports, the variable Ddt (called data content
variable) represents which data value (according to mapping ∆) is contained in d in
step t, in case d is not empty, Ddt evaluates to n
⊥ if d is empty in step t.
Though the encoding using two variables per port/data variable might seem
unnecessary, we need this for efficient abstraction. Please refer to Section 4.1 for
more details.
3.1.1.5 Data Constraints
For a data constraint dc=(D'D′), ' ∈{=,6} (cf. Definition 2.1.7), the formula dct
(the representation of dc) evaluates to true iff dc holds in step t. The constraint dct
is defined by replacing ports and data values occurring in dc with their corresponding
representations; i.e., replace p∈P|dc by Dpt, and di∈Data|dc by ∆(di)=ni. For data
variables d∈D|dc, we need to take into account whether they are used by the source or
the target location of the transition to which dc belongs (i.e., whether they occur as
s.d or as t.d in dc, cf. Remarks 2.3.2 and 2.4.3), or only in dc itself. In the latter two
cases, we replace d∈D by Ddt, in the first case, we replace d by Ddt 1. This corresponds
to the fact that d can be used by the source location only before the execution of
the transition, i.e., at step t−1. The representation of other data constraints is
straightforward, using conjunctions and negations of the aforementioned.
3.1.2 Timed Automata
The representation of the transition relation of TA has to model both action and
delay transitions, cf. Section 2.2. It constrains the possible valuations of variables
3.1. FORMULA REPRESENTATION 47
representing the automaton configuration at subsequent step t+1 depending on
those at t. Recalling the representation of clocks, locations and events from the
previous section, the representation of TA is defined as follows.
Definition 3.1.1 (TA Representation). Let A be a TA, with initial location s¯,3
let e=(s, a, cc, λ, s′) be a transition in A. The formula representation of the transition
relation of A, denoted ϕ(A), is defined in (3.7) of Table 3.2.
ϕinit(A) = s¯0∧
∧
s∈S,s6=s¯
¬s0∧I(s¯)0∧
∧
a∈Σ
¬α0∧(z0=0)∧
∧
x∈X
(x0=0) (3.1)
ϕaction(e) = st∧αt 1∧cct∧(zt=zt 1)∧
∧
λ(x)=id
(xt 1=xt)∧∧
λ(x)=x′
(xt 1=x
′
t 1)∧
∧
λ(x)=n
(xt 1=zt 1−n)∧s′t 1∧I(s′)t 1
(3.2)
ϕdelay(s) = st∧
∧
a∈Σ
¬αt 1∧(zt≤zt 1)∧
∧
x∈X
(xt=xt 1)∧st 1∧I(s)t 1 (3.3)
ϕtrans(A) =
∨
e∈E
ϕaction(e)∨∨
s∈S
ϕdelay(s) (3.4)
ϕlocation(A) =
∨
s∈S
(st 1∧
∧
s′∈S,s′ 6=s
¬s′t 1) (3.5)
ϕmutex(A) =
∨
a∈Σ
(αt 1∧
∧
a′∈Σ,a′ 6=a
¬α′t 1)∨
∧
a∈Σ
(¬αt 1) (3.6)
ϕ(A) = ϕinit(A)∧ϕtrans(A)∧ϕlocation(A)∧ϕmutex(A) (3.7)
Table 3.2: Transition Relation Representation of TA
The idea of these formulas is as follows: the TA starts in its initial location
(3.1), the invariant of which has to hold (by I(s)t, we denote the localisation of the
invariant I(s) of some location s, cf. Section 3.1), no action is enabled, and all clocks
start with value 0. Before executing an action transition e=(s, a, cc, λ, s′)∈E of step
t+1 in (3.2), the automaton is in location s (at step t), and the transition guard
cct is satisfied. On occurrence of event αt 1, the transition fires. The value of the
absolute time reference does not change (action transitions are instantaneous), other
clocks are updated according to their value under update map λ (they either keep
their value, are set to zt−n if λ(x)=n, cf. Section 3.1.1.1, or get the value of another
clock reference x′t). After the execution (at step t+1), the automaton is in location
s′, the invariant of which has to hold. For a delay transition (3.3), the automaton
remains in location s, the value of the absolute time reference increases, all clock
references keep their value (there is no update, cf. (2.2)), no event a∈Σ must occur,
and the invariant has to hold after the time delay. Due to convexity, the invariant of
the target location in both action and delay transitions only needs to be checked at
the end of the transition/delay (that means at step t+1), as it inductively holds at
3To avoid confusion with localisation indices, we denote the initial location as s¯ rather than
s0, so its representation is s¯0 rather than the odd-locking (s0)0).
48 CHAPTER 3. SAT-BASED VERIFICATION
the beginning (3.1). The disjunction of these formulas expresses (nondeterministic)
transition choice (3.4). In any step, the current location and event are unique
(mutual exclusion of location (3.5) and event variables (3.6)), to prevent ϕ(A) from
following multiple transitions simultaneously.
Example 3.1.2 (TA Representation). Consider again the intelligent light switch
presented in Figure 2.1 (Example 2.2.2). Let A be the name of the automaton, let
e1, e2, e3, e4 refer to the transitions from off to light, light to off, light to bright, and
bright to off, respectively. The representation of A is shown in Table 3.3. We omit
constraints equal to true, like for example clock guards or empty conjunctions.
ϕinit(A) = off0∧¬light0∧¬bright0∧¬press0∧¬τ0∧(z0=0)∧(x0=0)
ϕaction(e1) = offt∧presst 1∧(zt=zt 1)∧(xt 1=zt 1)∧lightt 1
ϕaction(e2) = lightt∧presst 1∧(zt=zt 1)∧(zt−xt>3)∧(xt 1=xt)∧offt 1
ϕaction(e3) = lightt∧presst 1∧(zt=zt 1)∧(zt−xt≤3)∧(xt 1=xt)∧brightt 1
ϕaction(e4) = brightt∧presst 1∧(zt=zt 1)∧(xt 1=xt)∧offt 1
ϕdelay(off ) = offt∧¬presst 1∧¬τt 1∧(zt≤zt 1)∧(xt=xt 1)∧offt 1
ϕdelay(light) = lightt∧¬presst 1∧¬τt 1∧(zt≤zt 1)∧(xt=xt 1)∧lightt 1
ϕdelay(bright) = brightt∧¬presst 1∧¬τt 1∧(zt≤zt 1)∧(xt=xt 1)∧brightt 1
ϕtrans(A) = ϕaction(e1)∨ϕaction(e2)∨ϕaction(e3)∨ϕaction(e4)∨
ϕdelay(off )∨ϕdelay(bright)∨ϕdelay(light)
ϕlocation(A) = (offt 1∧¬lightt 1∧¬brightt 1)∨
(lightt 1∧¬offt 1∧¬brightt 1)∨
(brightt 1∧¬offt 1∧¬lightt 1)
ϕmutex(A) = (presst 1∧¬τt 1)∨(τt 1∧¬presst 1)∨(¬presst 1∧¬τt 1)
ϕ(A) = ϕinit(A)∧ϕtrans∧ϕlocation(A)∧ϕmutex(A)
Table 3.3: Transition Relation Representation of TA: Example
The product of TA, as defined in Definition 2.2.8, in the worst case is expo-
nential in the size of the underlying TA. We now present a representation of the
product which is linear in the size of the underlying TA. The basic idea is to re-
tain the representations of the individual automata, and define the product as their
juxtaposition.
Definition 3.1.3 (TA Product Representation). Let A1 and A2 be TA, with
X1∩X2=∅ and S1∩S2=∅, let ϕ(A1) and ϕ(A2) be the respective representations, as
defined in Definition 3.1.1, with (3.3) replaced by (3.3’). The formula representation
ϕ(A1./A2) of the product A1./A2 is defined in (3.9).
3.1. FORMULA REPRESENTATION 49
ϕdelay(s) = st∧
∧
a∈Σv
¬αt 1∧(zt≤zt 1)∧
∧
x∈X
(xt=xt 1)∧st 1∧I(s)t 1 (3.3’)
ϕmutex(A1./A2) =
∨
a∈Σ1\Σ2
(αt 1∧
∧
a′∈Σ2\Σ1
¬α′t 1)∨
∨
a∈Σ2\Σ1
(αt 1∧
∧
a′∈Σ1\Σ2
¬α′t 1) (3.8)
ϕ(A1./A2) = ϕ(A1)∧ϕ(A2)∧ϕmutex(A1./A2) (3.9)
The product representation (3.9) faithfully models the intended behaviour of the
product of TA, as defined in Definition 2.2.8: to ensure that the event occurring
in step t is unique within the system, we add the constraint on mutual exclusion
between events that are local to one of the TA (3.8), shared events are already dealt
with in (3.6).
3.1.3 Timed Constraint Automata
The main ideas of the representation of the transition relation of TCA are similar
to the representation of TA, as defined in the previous section. In particular, the
modelling of locations and clocks is identical. Yet, the representation needs to take
care of the special behaviour of TCA, namely, that every visible transition is pre-
ceded by a positive time delay, whereas invisible transitions may be instantaneous.
Conceptually, on execution of a transition, the delay is represented by evolving from
step t to step t+1, while the (instantaneous) location change takes place at t+1.
To correctly represent these delayed transitions (cf. (2.7)) in the associated
LTS ST (cf. Definition 2.3.5), we need a second type of clock constraints. Clock
constraints in (2.7) are evaluated under two different valuations: the invariant I(s′)
of the target location s′ is evaluated under (ν+t)[λ], that means after the time
delay (+t) and after the execution (λ) of the transition. In contrast, the invariant
I(s) of the source location s and the clock guard cc of the transition are evaluated
under (ν+t), that means after the passage of time, but before the execution of
the transition. To access the clock values at this particular point in time “in the
middle” of the execution step, we define the inter-step representation cct∆ of a
clock constraint cc . For cc = (x∼n), the inter-step representation is given by
cct∆ = zt 1−xt∼n. Note that for a clock constraint cc′ = (x−y∼n), the inter-step
representation is equivalent to the representation of cc′ as defined in Section 3.1.1.1,
since this representation does not contain the absolute time reference z anymore,
and delaying does not change the difference of x and y.
We are now ready to define the formula representation of TCA.
Definition 3.1.4 (TCA Representation). Let T be a TCA, with initial location s¯
(as before, we denote the initial location as s¯ rather than s0), let e=(s, P, dc, cc, λ, s
′)
and e′=(s, ∅, dc, cc, λ, s′) be a visible and invisible transition in T, respectively. The
formula representation of the transition relation of T, denoted ϕ(T),4 is defined
in (3.16) in Table 3.4.
4Without confusion, we use the same formula identifiers for all real-time systems. For example,
we use ϕinit to denote the initial constraints for TA (3.1), TCA (3.10), and (in the next section)
TNA (3.20).
50 CHAPTER 3. SAT-BASED VERIFICATION
ϕinit(T) = s¯0∧
∧
s∈S,s6=s¯
¬s0∧I(s¯)0∧
∧
p∈P
(¬p0∧(Dp0=n⊥))∧∧
d∈D
(¬d0∧(Dd0=n⊥))∧(z0=0)∧
∧
x∈X
(x0=0)
(3.10)
ϕvisible(e) = st∧I(s)t∆∧
∧
p∈P
pt 1∧
∧
p 6∈P
¬pt 1∧
∧
d 6∈#(s′)
¬dt 1∧dct 1∧
cct∆∧(zt<zt 1)∧
∧
λ(x)=id
(xt 1=xt)∧
∧
λ(x)=x′
(xt 1=x
′
t 1)∧∧
λ(x)=n
(xt 1=zt 1−n)∧s′t 1∧I(s′)t 1
(3.11)
ϕinvisible(e′) = st∧I(s)t∆∧
∧
p∈P
¬pt 1∧
∧
d 6∈#(s′)
¬dt 1∧dct 1∧cct∆∧
(zt≤zt 1)∧
∧
λ(x)=id
(xt 1=xt)∧
∧
λ(x)=x′
(xt 1=x
′
t 1)∧∧
λ(x)=n
(xt 1=zt 1−n)∧s′t 1∧I(s′)t 1
(3.12)
ϕtrans(T) =
∨
e∈E,P 6=∅
ϕvisible(e)∨ ∨
e′∈E,P=∅
ϕinvisible(e′) (3.13)
ϕlocation(T) =
∨
s∈S
(st 1∧
∧
s′∈S,s′ 6=s
¬s′t 1) (3.14)
ϕmutex(T) =
∧
p∈P
(¬pt 1 ∨¬(Dpt 1=n⊥))∧(pt 1 ∨(Dpt 1=n⊥))∧∧
d∈D
(¬dt 1 ∨¬(Ddt 1=n⊥))∧(dt 1 ∨(Ddt 1=n⊥))
(3.15)
ϕ(T) = ϕinit(T)∧ϕtrans(T)∧ϕlocation(T)∧ϕmutex(T) (3.16)
Table 3.4: Transition Relation Representation of TCA
The automaton starts in its initial location s¯ (3.10) in step 0, the invariant of
which has to be satisfied, data must not flow through any port, all memory cells are
empty, and all clocks are set to zero. Before executing a visible transition (3.11) in
step t, T is in location s. After the elapse of a positive amount of time (zt 1<zt),
after which the invariant I(s)t∆ of s and the clock guard cct∆ of the transition
hold, T switches to location s′, the invariant of which has to hold. All clocks are
updated according to their value under λ, data flows through all ports p contained
in the port set P , while the other ports are inactive, and the data constraint dct is
satisfied. Memory cells which are not used by the target location s′ are empty after
execution of the transition, i.e. they get the value ⊥. As for TA (cf. explanations
after Definition 3.1.1), convexity allows to check the invariant at the end of the time
delay only, as it inductively holds at the beginning (3.10). The execution of an
invisible transition (3.12) is similar, except that the amount of time elapsed may
be zero, and data must not flow through any port. The disjunction of all visible
and invisible transitions expresses nondeterministic transition choice (3.13). In any
step, the current location is unique (3.14), the special value “no data” may only be
pending at inactive ports, and may only be “contained” in a memory cell if that
3.1. FORMULA REPRESENTATION 51
memory cells is indicated to be empty (3.15).
Remark 3.1.5 (Representation of ⊥). As explained in Section 3.1.1, we leave the
value of n⊥ initially unspecified. During Bounded Model Checking (see Section 3.2
for details), if a satisfying assignment for ϕ(T) exists, the solver will find and assign
to ⊥ a integer value such that the constraints in Table 3.4 are satisfied.
The actual value which is assigned to ⊥ is not important. By construction,
the constraints in Table 3.4 ensure that the value is different from all ni used in
the constraints, i.e., from (the representation of) all data values pending at any
active port or contained in any memory cell. Since we allow ⊥ to be used in data
constraints only in combination with equality (but not with 6, cf. Definition 2.1.7),
this uniqueness ensures that a data constraint (Dpt=⊥) is satisfied iff port p is
inactive in step t, and a data constraint (Ddt=⊥) is satisfied iff memory cell d is
empty in step t.
For finite data domains, we can make the following improvement to ϕ(T).
Remark 3.1.6 (Finite Data Domain). For finite domains, i.e., with |Data\⊥|=k
for some k∈N, we require that ∆ maps the elements of Data to subsequent integer
numbers, with smallest element ∆(⊥)=−1, such that ∆(Data)={−1, 0, . . ., k−1}⊂Z.
Further, we add the constraint
∧
p∈P
(Dpt 1≤k−1)∧(Dpt 1≥−1)∧
∧
d∈D
(Ddt 1≤k−1)∧(Ddt 1≥−1)
to ϕmutex (3.15). This speeds up verification, since the number of possible valuations
for ports and memory cells is decreased.
Example 3.1.7 (TCA Representation). Consider again the 1-bounded FIFO
buffer presented in Figure 2.5. Let T be the name of the automaton, let e1, e2, e3
refer to the transitions from empty to full, full to empty (visible), and full to empty
(invisible), respectively. The representation of T is shown in Table 3.5. Again, we
omit constraints equal to true.
We now present a linear representation of products of TCA, which avoids the
worst case exponential blow-up of the product definition in Definition 2.3.9. As for
TA, the basic idea is to define the representation of the product as the conjunction
of the individual representations. We require variables representing common ports
to have the same name in both representations, such that constraints involving these
ports are automatically satisfied simultaneously in both representations.
To correctly model transitions described by (2.11) in Definition 2.3.9, we first
need to introduce explicit delay transitions: as explained after Definition 2.3.9, in
case the transition described by (2.11) is preceded by a time delay, the other automa-
ton actually performs a delay transition. The representation of a delay transition
ϕdelay(s) in location s is defined in (3.17).
52 CHAPTER 3. SAT-BASED VERIFICATION
ϕinit(T) = empty0∧¬full0∧¬p0∧(Dp0=n⊥)∧¬q0∧(Dq0=⊥)∧
¬m0∧(Dm0=n⊥)∧(z0=0)∧(x0=0)
ϕvisible(e1) = emptyt∧pt 1∧¬qt 1∧(Dpt 1=mt 1)∧(zt<zt 1)∧
(xt 1=zt 1)∧fullt 1∧(zt 1−xt 1≤3)
ϕvisible(e2) = fullt∧qt 1∧¬pt 1∧(Dmt 1=n⊥)∧(Dqt 1=mt)∧(zt 1−xt<3)∧
(zt<zt 1)∧(xt 1=xt)∧(zt 1−xt≤3)∧emptyt 1
ϕinvisible(e3) = fullt∧(zt 1−xt≤3)∧¬pt 1∧¬qt 1∧(Dmt 1=n⊥)∧(zt 1−xt=3)∧
(zt≤zt 1)∧(xt 1=xt)∧emptyt 1
ϕtrans(T) = ϕvisible(e1)∨ϕvisible(e2)∨ϕinvisible(e3)
ϕlocation(T) = (emptyt 1∧¬fullt 1)∨(fullt 1∧¬emptyt 1)
ϕmutex(T) = (¬pt 1 ∨¬(Dpt 1=n⊥))∧(pt 1 ∨(Dpt 1=n⊥))∧
(¬qt 1 ∨¬(Dqt 1=n⊥))∧(qt 1 ∨(Dqt 1=n⊥))∧
(¬mt 1 ∨¬(Dmt 1=n⊥))∧(mt 1 ∨(Dmt 1=n⊥))
ϕ(T) = ϕinit(T)∧ϕtrans(T)∧ϕlocation(T)∧ϕmutex(T)
Table 3.5: Transition Relation Representation of TCA: Example
ϕdelay(s) = st∧
∧
p∈P
¬pt 1∧
∧
d∈D
(Ddt 1=Ddt)∧
∧
x∈X
(xt 1=xt)∧(zt≤zt 1)∧
I(s)t∆∧st 1∧I(s)t 1
(3.17)
Note that these delay transitions are in accordance with Definition 2.3.1, since they
correspond to the representation of invisible transitions (cf. (3.12)) of the form
(s, ∅,∧d∈D(s.d=t.d), true, id, s). Therefore, in particular, (3.17) permits zero-delays.
Definition 3.1.8 (TCA Product Representation). Let T1, T2 be TCA, with
X1∩X2=∅ and S1∩S2=∅, let ϕ(T1) and ϕ(T2) be the respective representations, as
defined in Definition 3.1.4, with (3.13) replaced by (3.13’) for i=1, 2. The formula
representation ϕ(T1./T2) of the product T1./T2 is defined in (3.18).
ϕtrans(Ti) =
∨
e∈Ei,P 6=∅
ϕvisible(e)∨ ∨
e′∈Ei,P=∅
ϕinvisible(e′)∨ ∨
s∈Si
ϕdelay(s) (3.13’)
ϕ(T1./T2) = ϕ(T1)∧ϕ(T2)∧
∧
s∈S1
ϕdelay(s)∧ ∧
s∈S2
ϕdelay(s) (3.18)
The product representation (3.18) faithfully models the intended behaviour, as
defined in Definition 2.3.9, but is still linear in the size of the underlying TCA. Note
that the existence of such a linear product is not immediately clear, but in fact is a
result of our design decision of explicitly mentioning all ports—active and inactive—
on each transition (cf. (3.11), (3.12) and (3.17)). This decision—though seeming
3.1. FORMULA REPRESENTATION 53
unnecessary at first glance—together with the assumption that common ports have
the same name in both TCA, ensures that transitions in different TCA may only be
executed in parallel (i.e., synchronise) if they fulfil the conditions described in Defi-
nition 2.3.9. In this way, we do not need to list all possible synchronisations (which
are allowed by (2.10) and (2.11)) explicitly, and in this way avoid the exponential
blow-up.
The hiding operation (cf. Definition 2.3.12) removes all information about a set
of ports O from a TCA T. Hiding a set of ports O in the formula representation
ϕ(T) amounts to existential quantification over the corresponding variables, i.e.,
port activity and data variables of the ports in O. For a TCA T, with formula
representation ϕ(T), and a port set O⊆P , the formula representation ϕ(T\O) of
automaton T\O corresponds to
∃ Oϕ(T), (3.19)
with O=
⋃
p∈O{pt, Dpt}
In Definition 2.3.12, an additional clock is introduced to ensure correct timed be-
haviour of invisible transitions in T\O which originate from visible transitions in T.
Here, we do not need to introduce an additional clock: the formula representation of
a visible transition explicitly requires a positive amount of time to elapse ((zt 1<zt),
cf. (3.11)). Since O does not contain clock variables, this constraint remains un-
changed even in case the transition becomes invisible, and therefore, correct timed
behaviour, as required by Definition 2.3.12, is guaranteed.
3.1.4 Timed Network Automata
The representation of TNA follows the same ideas as the representations of TA and
TCA. For clocks, clock constraints, locations, memory cells (data variables) and data
constraints, we use the concepts introduced in Section 3.1.1. Yet, for ports of TNA,
we need to extend the encoding with an additional variable, to be able to identify—in
case of no dataflow—where the reason to delay comes from (cf. Section 2.4.1).
As defined in Section 3.1.1.4, for every port p∈P , we have a Boolean variable
pt (port activity variable), with the intended meaning that pt evaluates to true iff
data flows through port p in step t, and an integer variable Dpt (port data variable),
which represents the data value pending at p in step t. In addition, the Boolean
variable cpt (called port colour variable) denotes where the reason for delay comes
from in case pt evaluates to false. For a given colouring c, the representation of p
under c in step t, denoted 〈pc〉t, is given by ¬pt∧¬cpt iff c(p)= ? , by ¬pt∧cpt iff
c(p)= ! , and by pt∧(cpt∨¬cpt) iff c(p)= . In the latter case, the representation
simplifies to t.
The representation of a TNA N is now given as follows.
Definition 3.1.9 (TNA Representation). Let N be a TNA, with initial location s¯
(as before, we denote the initial location as s¯ rather than s0), f=(s, c, dc, cc, λ, s
′)∈E
a communication, and d=(s, c, dc, cc, id, s)∈E a delay. The formula representation
of the transition relation of N, denoted ϕ(N), is defined in (3.26) in Table 3.6.
54 CHAPTER 3. SAT-BASED VERIFICATION
ϕinit(N) = s¯0∧
∧
s∈S,s6=s¯
¬s0∧I(s¯)0∧
∧
p∈P
(¬p0∧(Dp0=n⊥)∧cp0)∧∧
d∈D
(¬d0∧(Dd0=n⊥))∧(z0=0)∧
∧
x∈X
(x0=0)
(3.20)
ϕcommu(f) = st∧
∧
p∈P
〈pc〉t 1∧
∧
d6∈#(s′)
¬dt 1∧dct 1∧cct∧(zt 1=zt)∧∧
λ(x)=id
(xt 1=xt)∧
∧
λ(x)=x′
(xt 1=x
′
t 1)∧∧
λ(x)=n
(xt 1=zt 1−n)∧s′t 1∧I(s′)t 1
(3.21)
ϕdelay(d) = st∧
∧
p∈P
〈pc〉t 1∧
∧
d∈D
(Ddt 1=Ddt)∧dct 1∧cct∧(zt 1≥zt)∧∧
x∈X
(xt 1=xt)∧cct 1∧st 1∧I(s)t 1
(3.22)
ϕtrans(N) =
∨
f comm.
ϕcommu(f)∨ ∨
d delay
ϕdelay(d) (3.23)
ϕlocation(N) =
∨
s∈S
(st 1∧
∧
s′∈S,s′ 6=s
¬s′t 1) (3.24)
ϕmutex(N) =
∧
p∈P
(¬pt 1∨¬(Dpt 1=n⊥))∧(pt 1∨(Dpt 1=n⊥))∧∧
d∈D
(¬dt 1∨¬(Ddt 1=n⊥))∧(dt 1∨(Ddt 1=n⊥))
(3.25)
ϕ(N) = ϕinit(N)∧ϕtrans(N)∧ϕlocation(N)∧ϕmutex(N) (3.26)
Table 3.6: Transition Relation Representation of TNA
The TNA starts in its initial location, the invariant of which holds, all ports are
inactive, all memory cells are empty, and all clocks are set to zero (3.20).5 The
representation of a communication (3.21) ensures that the TNA is in location s
before firing, and the clock guard cc holds. On execution of the transition, data
flows according to colouring c, the data values satisfy the data guard dc, all clocks
are updated according to their value under λ, while the value of the absolute time
reference z does not change, and memory cells not used by the target location loose
their contents. After firing, the TNA is in location s′, the invariant of which holds.
The representation of a delay (3.22) is similar, except that the value of the absolute
time reference increases, while all other clocks keep their value, and all memory cells
keep their values as well. In addition, clock guard cc still needs to be satisfied after
the time delay. Again, convexity of clock constraints allows us to check the invariant
at the end of the time delay only, as it inductively holds at the beginning (3.20). The
disjunction of these formulas expresses (nondeterministic) transition choice (3.23).
In any step, the current location is unique (3.24), the special value “no data” may
only be pending at inactive ports, and may only be “contained” in a memory cell if
5Note that it is not necessary to specify initial values for the port colour variables cp0, since
the constraint ¬p0 is sufficient to express inactivity of port p. Yet, adding a valuation reduces the
number of unspecified variables, and in this way speeds up verification.
3.1. FORMULA REPRESENTATION 55
that memory cells is indicated to be empty (3.25).
The results of Remark 3.1.5 (representation of ⊥) and Remark 3.1.6 (represen-
tation of finite data domains) directly carry over from TCA to TNA.
Example 3.1.10 (TNA Representation). Consider again the 1-bounded FIFO
buffer presented in Figure 2.8. Let N be the name of the TNA, let f1, f2, f3 refer
to the communications from empty to full , full to empty (with clock guard x<3),
and from full to empty (with clock guard x=3), respectively, and let d1, d2 refer
to the delays in empty and full , respectively. The representation of N is shown in
Table 3.7. We omit constraints equal to true.
ϕinit(N) = empty0∧¬full0∧¬r0∧(Dr0=n⊥)∧cr0∧¬w0∧(Dw0=n⊥)∧cw0∧
(¬m0∧(Dm0=n⊥))∧(z0=0)∧(x0=0)
ϕcommu(f1) = emptyt∧rt 1∧(¬wt 1∧cwt 1)∧(Drt 1=Dmt 1)∧(zt 1=zt)∧
(xt 1=zt 1)∧fullt 1∧(zt 1−xt 1≤3)
ϕcommu(f2) = fullt∧(¬rt 1∧crt 1)∧wt 1∧¬mt 1∧(Dwt 1=Dmt)∧
(zt−xt<3)∧(zt 1=zt)∧(xt 1=xt)∧emptyt 1
ϕcommu(f3) = fullt∧(¬rt 1∧crt 1)∧(¬wt 1∧cwt 1)∧¬mt 1∧(zt−xt=3)∧
(zt 1=zt)∧(xt 1=xt)∧emptyt 1
ϕdelay(d1) = emptyt∧(¬rt 1∧¬crt 1)∧(¬wt 1∧cwt 1)∧(Dmt 1=Dmt)∧
(zt 1≥zt)∧(xt 1=xt)∧emptyt 1
ϕdelay(d2) = fullt∧(¬rt 1∧crt 1)∧(¬wt 1∧¬cwt 1)∧(Dmt 1=Dmt)∧(zt−xt≤3)∧
(zt 1≥zt)∧(xt 1=xt)∧(zt 1−xt 1≤3)∧fullt 1∧(zt 1−xt 1≤3)
ϕtrans(N) = ϕcommu(f1)∨ϕcommu(f2)∨ϕcommu(f3)∨ϕdelay(d1)∨ϕdelay(d2)
ϕlocation(N) = (emptyt 1∧¬fullt 1)∨(fullt 1∧¬emptyt 1)
ϕmutex(N) = (¬rt 1∨¬(Drt 1=n⊥))∧(rt 1∨(Drt 1=n⊥))∧
(¬wt 1∨¬(Dwt 1=n⊥))∧(wt 1∨(Dwt 1=n⊥))∧
(¬mt 1∨¬(Dmt 1=n⊥))∧(mt 1∨(Dmt 1=n⊥))∧
ϕ(N) = ϕinit(N)∧ϕtrans(N)∧ϕlocation(N)∧ϕmutex(N)
Table 3.7: Transition Relation Representation of TNA: Example
Though the flip rule (Remark 2.4.11) reduces the size of TNA, the size of a
composed TNA is still exponential in the worst case. We now present a linear size
representation of the composition of TNA. The basic idea is similar to the product
definition of TA and TCA (cf. Definitions 3.1.3 and 3.1.8): we do not explicitly
compute the composition, but instead retain the representations of the single TNA,
and define the representation of the composition via conjunction. Unfortunately,6
6Actually, we do not consider this a disadvantage, since we gain a composition that is linear.
56 CHAPTER 3. SAT-BASED VERIFICATION
this does not allow us to explicitly remove the ports contained in a merge set from the
representation, and replace them by the same data variable (cf. Definition 2.4.13).
Instead, we need to add additional constraints to ensure that (1) the representation
of the composition correctly models the dataflow behaviour of the resulting internal
port (cf. Definition 2.4.9), and that (2) all ports in the merge set agree on the same
data value (cf. Definition 2.4.13 and preceding explanations).
Definition 3.1.11 (Internal Port Representation). Let Q be a merge set,
Qr⊆Q and Qw⊆Q the subsets of read respectively write ports in Q. For p∈Q,
let pt, Dpt and cpt be the port activity, port data and port colour variable, respec-
tively, let d be a fresh data variable (i.e., not yet used elsewhere), with data fullness
variable dt and data content variable Ddt. The representation ϕ
int port(Q) of internal
port p≺Q is given in (3.27).
ϕvalid col1(Q) = ∨
w∈Qw
wt 1→
( ∧
r∈Qr
rt 1∧
∧
w,w′∈Qw,w 6=w′
¬(wt 1∧w′t 1)
)
ϕvalid col2(Q) = ∨
r∈Qr
rt 1→
∨
w∈Qw
wt 1
ϕvalid col3(Q) = ∧
p∈Q
¬pt 1→
( ∧
w∈Qw
cwt 1∨
∨
r∈Qr
crt 1
)
ϕdata flow(Q) = ∧
p∈Q
¬pt 1∨(Dpt 1=Ddt 1)
ϕint port(Q) = ϕvalid col1(Q)∧ϕvalid col2(Q)∧ϕvalid col3(Q)∧ϕdata flow(Q) (3.27)
The first three constraints directly correspond to the three conditions in Defi-
nition 2.4.9. For example, ϕvalid col3(Q) describes the constraints in condition 3 in
Definition 2.4.9: if there is no flow at all (
∧
p∈Q¬pt), then either all write ports
provide a reason for delay (
∧
w∈Qwcwt), or at least one read port provides a rea-
son for delay (
∨
r∈Qrcrt). These three constraints thus capture whether data flows
through p≺Q. The fourth constraint ϕdata flow(Q)—the conjuncts should be read as
pt→(Dpt=Ddt)—expresses the fact that all active ports in the merge set (if pt holds,
p is active, cf. the beginning of Section 3.1.4) agree on the same data value, we use
the data variable d as a placeholder for any possible data value. This constraint
thus captures which data flows through p≺Q.
Using this, the representation of TNA composition is defined as follows.
Definition 3.1.12 (TNA Composition Representation). Let N be a set of
disjoint TNA, Q a set of disjoint merge sets over ports of TNA in N . The formula
representation ϕ(N ./Q) of the composed TNA N ./Q is defined as
ϕ(N ./Q) =
∧
N∈N
ϕ(N)∧ ∧
Q′∈Q
ϕint portQ′ (3.28)
To accommodate the fact that a port cannot be merged more than once (cf.
beginning of Section 2.4.3), which now can be translated to “cannot be contained
in more than one merge set”, we hide the ports in a merge set, using existential
quantification: the reduction of ϕ(N ./Q) to the external interface (i.e., the set of
3.2. BOUNDED MODEL CHECKING 57
ports, cf. Definition 2.4.2) is defined as
∃ ⋃
Q′∈Q
Q′(ϕ(N ./Q))
In this way, ports that are contained in any merge set in Q cannot be merged
again when composing N ./Q with another TNA.
3.2 Bounded Model Checking
In this section, we briefly recall the concepts of Bounded Model Checking (BMC),
and show how they can be applied to the representations of real-time systems defined
in Section 3.1.
Bounded Model Checking (BMC) [BCC+03, BCCZ99, CBRZ01] has evolved from
Symbolic Model Checking (SMC) [McM93], and can be seen as a subcategory of
it. SMC techniques represent the system symbolically, and typically rely on binary
decision diagrams (BDDs) [Bry86]. These BDD representations can handle hundreds
of variables, but often blow up in space. In addition, the efficiency highly depends
on the variable ordering in the BDD, yet, the problem of finding an efficient order
is NP-hard, that means, there exists no efficient way of determining an efficient
ordering a priori.
BMC was introduced “in an attempt to replace BDDs with SAT in SMC” [Bie09].
The key idea is to represent the system and the property to be checked symbolically
(using propositional formulas), examine prefix fragments of the transition system for
whether the property holds, and successively increase the exploration bound until it
reaches (a computable indicator of) the diameter of the system—in which case the
results are guaranteed to be complete, and the property holds—or an unsafe run
violating the property has been discovered.
Although BMC is complete in theory once the diameter of the system is reached,
it is often impractical to increase the exploration bound that far (see Section 3.2.4
for a more detailed discussion). Therefore, BMC techniques focus on falsification of
(temporal) properties. Such properties can be disproved with a finite counterexam-
ple, i.e., a finite run, where at least one of the configurations contains a contradiction
to the property. Reachability properties are well-suited to express safety properties
of the form “a certain behaviour should not happen”, where the erroneous behaviour
is defined by the possibility to reach a certain error location.
We first introduce some notations in Section 3.2.1, and then formalise these
notions in Sections 3.2.2 and 3.2.3.
3.2.1 Notations
In the remainder of this section, we useS to refer to any of the system models defined
in Chapter 2: S∈{A,T,N}, cf. Definitions 2.2.1, 2.3.1 and 2.4.2. We use ϕ(S) to
refer to the corresponding formula representation of S: ϕ(S)∈{ϕ(A), ϕ(T), ϕ(N)},
for both simple (Definitions 3.1.1, 3.1.4 and 3.1.9) and composed (Definitions 3.1.3,
3.1.8 and 3.1.12) systems.
58 CHAPTER 3. SAT-BASED VERIFICATION
For a formula ϕ(S), we use Vars(ϕ(S)) to denote the set of variables of ϕ(S),
we write Vars(ϕ(S))|B, Vars(ϕ(S))|N and Vars(ϕ(S))|Q to denote the subsets
of Vars(ϕ(S)) of propositional, integer and rational variables, respectively. We
use Atoms(ϕ(S)) to denote the set of propositional atoms of ϕ(S), and write
Conts(ϕ(S)) (“contents”) as an abbreviation for Atoms(ϕ(S))∪Vars(ϕ(S)).
An interpretation σ of (the variables in) ϕ(S) is a mapping σ:Vars(ϕ(S)) →
(B∪N∪Q), assigning to each variable v∈Vars(ϕ(S)) a value from the appropriate
range (i.e., σ(v)∈B iff v∈Vars(ϕ(S))|B, σ(v)∈N iff v∈Vars(ϕ(S))|N, and σ(v)∈Q
iff v∈Vars(ϕ(S))|Q).
Interpretation σ is called model of ϕ(S), denoted σ|=ϕ(S), if it satisfies ϕ(S),
i.e., ϕ(S) evaluates to true under valuation σ. ϕ(S) is called satisfiable if at least
one model of ϕ(S) exists. We denote the set of all models of ϕ(S) by V(ϕ(S)). If
ϕ(S) evaluates to true under all valuations, then ϕ(S) is called tautology, denoted
|=ϕ(S).
We lift the above notations in the straightforward way from ϕ(S) to all types of
formulas.
3.2.2 Unfolding for BMC
The formula representation ϕ(S) of a real-time system S, as defined in the Sec-
tion 3.1, describes the transition characteristics of S in terms of “abstract” steps
t and t+1. In order to describe the reachability problem of BMC for k steps, the
formula representation ϕ(S) is unfolded, i.e., instantiated for all steps 1 up to bound
k. The resulting formula ϕ(S)k is called k-unfolding.
Definition 3.2.1 (k-unfolding). Let S be a real-time system, with formula rep-
resentation ϕ(S), let k∈N, k≥1 (called unfolding depth). The k-unfolding ϕ(S)k of
ϕ(S) is defined as
ϕ(S)k = ϕ
init(S)∧ ∧
0≤j≤k−1
(ϕtrans(S)j/t∧ϕlocation(S)j/t∧ϕmutex(S)j/t), (3.29)
where ψj/t denotes a variant of formula ψ with index t replaced by j.
Intuitively, a model σ of ϕ(S)k corresponds to a run of SS of length k, i.e., to
one possible behaviour of S for the first k steps. Consequently, the set V(ϕ(S)k) of
all models of ϕ(S)k describes all possible behaviours of S for the first k steps.
Notation 3.2.2 (Unfolding). For j∈N, j≥0, we write ϕtrans(S)(j) to denote the
transition constraints from step j to step j+1, that is, ϕtrans(S)(j)=ϕ
trans(S)j/t.
Equivalently, we write ϕlocation(S)(j) respectively ϕ
mutex(S)(j) to denote the mu-
tual exclusion constraints on locations respectively events or ports in step j, that
is, ϕlocation(S)(j)=ϕ
location(S)(j−1)/t, and ϕmutex(S)(j)=ϕmutex(S)(j−1)/t. Intuitively,
for a formula ψ(j), j denotes the (smallest) index which appears on variables in ψ.
3.2. BOUNDED MODEL CHECKING 59
3.2.3 BMC of Properties
BMC is best suited for checking safety properties of the form “a certain behaviour
should not happen”, expressed through reachability of error locations. If an error
location s is (not) reachable within k steps, s is called (not) k-step reachable. The
safety property φ saying s is not k-step reachable is expressed by the formula
φ =
∧
0≤i≤k
¬si, (3.30)
where s is the representation of s. To express that s is not reachable after exactly
k-steps (for example because we already know that s is not (k−1)-step reachable)
we simply choose φ = ¬sk.
Checking whether a system S is safe with respect to s amounts to conjoining the
k-unfolding (3.29) with the negated property ¬φ (as explained above, BMC focusses
on falsification of properties):
ϕ(S)k∧
∨
0≤i≤k
si. (3.31)
In this way, a model of (3.31) corresponds to a run of S that contains error location
s, that means to a system behaviour violating the property φ. In this case, S is
unsafe with respect to s, that means, the property φ does not hold in the system
S. If no such model exists, i.e., the formula (3.31) is unsatisfiable, S is safe with
respect to s within bound k, but nothing can be said about safety within bounds
>k.
Lifting (3.30) to reason about configurations or even execution sequences is
straightforward. For example, the property “if the location in the current step
is s, then the location in the next step will be s′” can be represented as
(s0∧s′1)∨(s1∧s′2)∨ . . . (sk 1∧s′k). (3.32)
Other properties can be represented using the encoding in [ACKS02], where the
authors have defined a translation from LTL to propositional formulas for BMC.
For example, (3.32) corresponds to the LTL property s→© s′. We skip the details
of the encoding, as they are beyond the scope of this thesis. In general, the only
restriction we impose on formulas φ used as properties is that they may only reason
about variables contained in ϕ(S)k, i.e., we require Vars(φ)⊆Vars(ϕ(S)k).
3.2.4 Completeness of BMC
BMC is used to inspect runs of a certain length k. If an error location is reachable
within k steps, a counterexample to the safety property has been found. Otherwise,
the exploration bound is increased, and the reachability check is repeated. The
question remains whether there exists a completeness threshold, i.e., some bound k′,
for which we can safely conclude that the error location is not reachable, even when
further increasing the exploration bound.
60 CHAPTER 3. SAT-BASED VERIFICATION
A first candidate is the diameter of the associated LTS SS, reduced to runs
which start in the initial configuration q0.
7 This is indeed a completeness threshold:
as soon as the exploration bound k is equal to the diameter, the results of BMC
are complete, since BMC considers all runs of length k, and thus every reachable
configuration will be reached by at least one of the runs. Unfortunately, no efficient
algorithms exist to compute the diameter of a timed system.
Another candidate is the recurrence diameter of the associated LTS SS, cf. also
[BCCZ99]: the recurrence diameter of SS is the length of the longest loop-free run
(cf. Definitions 2.2.4, 2.3.5 and 2.4.6). This is a completeness threshold as well: by
definition, any run with length greater than the recurrence diameter must contain
a loop, and thus cannot contain new configurations which have not been visited
before. Unfortunately, the recurrence diameter can be considerably larger than the
real diameter. Consider for example a fully connected graph with n nodes: while
the diameter is 1 (every node is reachable from every other node), the recurrence
diameter is n−1 (longest loop-free path). Yet, the recurrence diameter is more
practical than the (real) diameter, since the fact that a run is loop-free can easily
be expressed in our framework.
Definition 3.2.3 (Representation of Loop-Free Runs). Let S be a real-time
system, with set of locations S, set of clocks X , and set of data variables D (only for
TCA and TNA). Let ϕ(S)k be the k-unfolding, and σ∈V(ϕ(S)k) a model of ϕ(S)k.
The model σ corresponds to a loop-free run if it satisfies the loop-free condition
ϕlp freek (S), i.e. (in addition to σ|=ϕ(S)k) σ|=ϕlp freek (S), where ϕlp freek (S) is defined
as
ϕlp freek (S) =
∧
0≤i<j≤k
( ∨
s∈S
¬(si=sj)∨
∨
x∈X
¬(xi=xj)∨
∨
d∈D
¬(Ddi=Ddj)
)
(3.33)
If S is a TA, we omit the last disjunct.
For a run to be loop-free, all configurations need to be different. Configurations
consist of (cf. Definitions 2.2.4, 2.3.5 and 2.4.6) the current location, the valuation
of the clocks, and (only for TCA and TNA) the valuation of the data variables.
Condition (3.33) expresses that for any two configurations (in steps i and j), at
least one of these constituents is different.
We can use the loop-free condition in two ways: testing whether a model cor-
responds to a loop-free run, and calculating the recurrence diameter. The former
is done by checking whether σ|=ϕlp freek (S) for a model σ∈V(ϕ(S)k). To actually
calculate the recurrence diameter, we inductively check (i.e., for increasing values of
k) whether the formula ϕ(S)k∧ϕlp freek (S) is satisfiable.8 The recurrence diameter
is the smallest k such that ϕ(S)k+1∧ϕlp freek+1 (S) is not satisfiable anymore.
7The diameter of a system—a well-known concept from graph theory—is a natural number,
which corresponds to the longest shortest path between any two states. Here, the diameter is the
longest shortest run from the initial configuration q0 to any other configuration of SS.
8Assuming that the subformula ϕ(S)k, when checked in isolation, is satisfiable for all values of
k, i.e., we can always find a run of length k.
3.3. DISCUSSION 61
3.2.5 Correctness
Theorem 3.2.4 (Correctness). The formula representation ϕ(S) of a real-time
system S is correct, that means ϕ(S) exhibits the same behaviour as S.
The proof of Theorem 3.2.4 can be found in the Appendix, in Section A.1.
3.3 Discussion
In this section, for some of the constituents of real-time systems, we discuss other
possible encodings, and motivate our design decisions.
3.3.1 Occurrence of Actions on Transitions of TA
The transition relation representation of TA models transitions from step t to step
t+1 (cf. (3.2) and (3.3)), with the action α occurring at step t+1. The choice of
whether to model the occurrence of α at step t or t+1 is to a certain extend arbitrary,
since conceptually, the event occurs while taking the transition (that means, in
between steps t and t+1). We believe both ways are intuitive by some means or
other.
We decided to model the occurrence at step t+1 since this is in accordance with
the activity of ports in TCA and TNA, which also occurs at steps t+1. This results
in a uniform handling of all “transition labels”, whether they are actions in TA or
ports in TCA respectively TNA. We benefit from this point in the concretisation of
abstract counterexamples, cf. Section 4.3.3.
3.3.2 Choice of Variable Types
When designing the formula representation for a real-time system, different aspects
and requirements influence the design decisions, the two major ones being univer-
sality and efficiency. Universality in this context means that the resulting formulas
should be platform independent and general enough such that they can be integrated
seamlessly (or with only minor adaptations) into most (standard) frameworks. Ef-
ficiency is understood with respect to speed of verification.
To meet the first requirement, we have reduced the variable types used in the rep-
resentation to rational, integer and Boolean variables. Rational variables are needed
to represent real-time. Though clocks are real-valued (cf. Section 2.1.1), a rational
encoding is sufficient here, since linear arithmetic using only integer constants (as
is used in clock constraints, cf. Definition 2.1.2) is equisatisfiable for rational and
real numbers. Integer variables are used for data variables and data values. We
could have actually used rational variables for these as well, but this would have re-
quired additional constraints to restrict the admissible valuations of such variables,
for example, to preserve the total order, cf. Definition 2.1.7. Boolean variables are
used to represent the remaining constituents. Moreover, we reduce the number of
arithmetic operations to addition, subtraction, equality and comparison.
62 CHAPTER 3. SAT-BASED VERIFICATION
To meet the second requirement, we use Boolean variables whenever possible.
Propositional satisfiability (SAT solving) has been extensively studied in recent years
(see for example [PBG05] for an overview); as a result, existing techniques are by
now well-optimised and efficient, cf. for example [GN07, MMZ+01]. SAT solvers
internally work with formulas in conjunctive normal form (CNF).9 We design our
formulas in CNF whenever possible, to avoid unnecessary transformations in the
SAT solver. Moreover, most of the CNF clauses are binary (two literals) or even
unit (one literal) clauses. With respect to speed of verification, this is very efficient:
the 2-SAT problem (i.e., with binary clauses only) is polynomial, and formulas with
n unit clauses can be solved in O(n). Formulas (3.5), (3.6), (3.14) and (3.24) could
be expressed in CNF with binary clauses as well. Yet, they are not, but are rather
tailored for abstraction already: after abstraction, the formulas in CNF would loose
the information of mutual exclusion, and result in a too coarse (or even wrong)
abstraction. Due to the disjunctive nature of transition choices, (3.4), (3.13) and
(3.23) are not in CNF, but they could easily be transformed to short CNF (see
e.g. [Ha¨h93]) when introducing new symbols.
3.3.3 Temporal Difference Encoding of Clocks
For the representation of clock values, we use an approach similar to the one pre-
sented in [ACKS02]. We introduce a fresh clock z (the absolute time reference), to
measure the absolute amount of time that has passed since the beginning of com-
putation, cf. Section 3.1.1.1. The representation of the value of clock x in step t
is given by the difference zt−xt of the representation variables of z and x, this dif-
ference is also used in the representation of clock constraints. An update of clock x
according to some update map λ is represented by setting xt=zt−n iff λ(x)=n, and
by setting xt=x
′
t iff λ(x)=x
′ for some clock x′. If λ(x)=id , the value of xt carries
over to the next step: xt=xt 1.
This design decision might seem unintuitive at first glance. Yet, the major
advantage of the approach becomes clear when considering the representation of
delays. In our approach, on execution of a delay from step t to step t+1, all clock
variables keep their values, only the value of the absolute time reference changes:∧
x∈X
(xt=xt 1)∧(zt∼zt 1), with ∼ ∈{≤, <} (*)
(cf. (3.3), (3.11), (3.12), (3.17) and (3.22)). In an encoding which does not use
the absolute time reference, on the other hand, all clock variables of step t+1 are
different from those in step t. Furthermore, the representation needs take care of
the fact that all clock variables change by the same amount. The encoding of clock
variables in a delay step might look like∧
x∈X
(xt 1−xt=dt), with dt a rational variable. (**)
Here, dt is a variable representing the amount of time for which the system delays.
9A formula is in conjunctive normal form, if it is a conjunction of clauses, where a clause is a
disjunction of literals, and a literal is a propositional atom or its negation.
3.3. DISCUSSION 63
With respect to speed of verification, (*) is more efficient than (**): in the former
case, the values of all but one (namely zt 1) clock variable in step t+1 are prede-
termined by the values in step t. Thus, the satisfiability of the (clock constraint)
formulas of step t+1 depends on one variable only. All conflict clauses which the
solver learns while trying to find a model of the formula reason about zt 1, which
quickly restricts the number of possible valuations of zt 1, and in this way leads to
fewer backtracking steps. In the latter case, the satisfiability is subject to a number
of free variables. Since all variables of step t+1 depend on the values of a different
variable of step tt, each learnt conflict clause can only restrict the possible valuations
of a single variable, which potentially leads to more backtracking steps.
A second advantage of the encoding using the absolute time reference is the fact
that properties of the form “something happens after x time units” can be specified
more easily, by using the difference zj−zi, for some 0≤i<j≤k, i, j∈N.
3.3.4 Linear Boolean Encoding of Finite Sets
After having chosen to represent the set of locations of a real-time system S using
Boolean variables (cf. Section 3.1.1), there are still two options: using a linear
Boolean encoding or a logarithmic Boolean encoding.
Let S={s0, . . . , sn−1} be the set of locations. In the linear encoding which we
use in Section 3.1.1, we introduce one Boolean variable s for each location s, with
the intended meaning that the localisation st is true iff S is in location s in step
t. Since S can only be in one location at the same time, this encoding requires an
additional mutual exclusion constraint, to ensure exactly one of the variables is true
in every step (cf. (3.5), (3.14) and (3.24)).10 This mutual exclusion constraint is
quadratic in the number of locations.
For a logarithmic encoding, we would introduce a vector [s] of j=dlog2(n)e
Boolean variables, encoding a j-digit Boolean value. The intended meaning is that
the localisation [s]t of [s] encodes the value i, denoted by [s
i]t, iff the system S is in
location si in step t. No additional mutual exclusion constraint is needed. Depend-
ing on the representation of transitions (see below), we might however need an addi-
tional constraint to disallow superfluous valuations of [s], since in case 2dlog2(n)e>n,
the number of possible valuations of [s] exceeds the actual number of locations.11
While the logarithmic encoding is slightly more efficient, due to the decreased
number of variables, we have nevertheless chosen for Boolean encoding. One rea-
son is that the differences in speed of verification are small, the real bottleneck is
generated by rational clock variables. Moreover, abstraction of locations would be
more involved when using a logarithmic encoding, and there is no straightforward
way anymore of defining an abstraction function purely based on the syntactic cat-
egories of variables (cf. Definition 4.1.5).
10Observe that these mutual exclusion constraints could easily be expressed in CNF. Yet, they
are not, but are already tailored for abstraction, cf. Chapter 4. After abstraction, an equiva-
lent formula in CNF would loose the information of mutual exclusion, and result in a too coarse
abstraction.
11For example, for six locations, i.e., |S|=6, [s] consists of dlog2(6)e=3 Boolean variables, with
which we could represent 23=8>6 locations.
64 CHAPTER 3. SAT-BASED VERIFICATION
This argumentation holds in the same way for the set of events of TA, since every
transition in a TA is labelled with a distinct event. In TCA and TNA, however, a
set of ports can be active on each transition, so no mutual exclusion constraint is
needed.
3.3.5 Encoding of Transitions
For the encoding of transitions, there are a number possibilities of how to define the
logical structure of the representation. For explanatory purposes, let e∈E denote
a transition from location s to location s′. Let st and s′t 1 be the representations
of source location s (in step t) and target location s′ (in step t+1), let ϕt denote
the remaining constraints of step t (“preconditions of e”, e.g., the representation
I(s)t of the invariant of s), and let ϕt 1 denote the remaining constraints of step
t+1 (“postconditions of e”). Constraints involving variables of both t and t+1 are
also contained in ϕt 1. The exact structure of ϕt and ϕt 1 is irrelevant here, as we
only use them to explain the conceptual idea of transition representation.
The two main conceptual alternatives one can think of for encoding the transition
relation are ∧
e∈E
(st∧ϕt → s′t 1∧ϕt 1) (or, equivalently, using ←) and (3.34)∨
e∈E
(st∧ϕt ∧ s′t 1∧ϕt 1) (3.35)
Though (3.34) might seem more intuitive (it can be read as “if the preconditions
are fulfilled, move to the next location”), and is in a way closer to CNF (after
rewriting →, note that (3.35) is actually in DNF), our encoding is based (3.35),
cf. Section 3.1. The reason is that (3.34) cannot handle nondeterminism. To
illustrate this, consider the real-time system part in Figure 3.8. If (x ≤ 2), both
clock guards are satisfied, i.e., both transitions are enabled, and the next location is
chosen nondeterministically. The representation (omitting irrelevant constraints) of
s
s′
s′′
x ≤ 2, x := 0
x ≤ 3, y := 0
Figure 3.8: Representation of Transitions, Motivation
the two transitions in Figure 3.8, based on the two alternatives presented above, is
given in (3.36) respectively (3.37).12
12Note that (3.37) does not entirely correspond to the representations defined in Section 3.1,
but is used for illustration purposes only.
3.4. CONCLUSION 65
(st∧(zt−xt≤2)→ s′t∧(xt 1=zt 1)∧(yt 1=yt)∧(zt 1=zt))∧
(st∧(zt−xt≤3)→ s′′t∧(yt 1=zt 1)∧(xt 1=xt)∧(zt 1=zt))
(3.36)
(st∧(zt−xt≤2)∧ s′t∧(xt 1=zt 1)∧(yt 1=yt)∧(zt 1=zt))∨
(st∧(zt−xt≤3)∧ s′′t∧(yt 1=zt 1)∧(xt 1=xt)∧(zt 1=zt))
(3.37)
The obvious problem in (3.36) is the fact that there exists no satisfying valuation
in case x≤2: the left hand side of both implications is satisfied, but due to the mutual
exclusion constraint in locations,13 only one of the right hand sides can be satisfied;
thus, no satisfying valuation exists.
A second problem with a representation according to (3.34) is the fact that logical
implication allows the right hand side to be true, while the left hand side is false.
For the transition relation, this means that it would be possible to find a satisfying
valuation for the next step, even if there is no satisfying valuation for the current
step.
3.4 Conclusion
In this Chapter, we have established the formal basis for extensive model checking
and verification of the real-time systems presented in Chapter 2.
In Section 3.1, we have presented an encoding in propositional logic with linear
rational arithmetic for each of the system models defined in Chapter 2. The repre-
sentation of TA, as defined in Section 3.1.2, has essentially been presented in [KP07].
The representation of TCA, as defined in Section 3.1.3, is an extension of the work
presented in [Kem11] (which in turn in based on [Kem09]). Since in Chapter 2,
we have extended the formal model of TCA from [ABdBR07] (which was also used
in [Kem11]) with memory cells, consequently this extension had to be included in
the representation as well. Equivalently, we have extended the TNA model from
[Kem10] with data values and memory cells in Section 2.4, and have extended the
representation of TNA in Section 3.1.4 accordingly. For both TCA and TNA, we
have sketched the difficulties that arise from memory cells being used in source and
target location of the same transition in Section 3.1.1.5.
We have shown how to apply Bounded Model Checking to the representation
of real-time systems in Section 3.2. The notion of unfolding (Section 3.2.2) and
the concepts for representation of properties (Section 3.2.3) have been presented in
previous work, and have been restated here for clarity and consistency. We have
provided a discussion on completeness of BMC in Section 3.2.4, and a proof of
correctness in Section 3.2.5. The latter in particular takes into account the new
representation features regarding memory cells, data variables and data values.
Finally, in Section 3.3, we have provided an extensive discussion on other pos-
sibilities to represent real-time systems (using different encodings or variable types,
for example), and we have motivated our design decisions.
13This problem would occur in the very same way for logarithmic encoding, since the current
location is unique at any time.

Chapter 4
Abstraction Refinement
Abstraction refinement [CGJ+03, HJMM04] is a promising direction of research to
overcome the challenges of the state explosion problem and infinite state model
checking, while preserving correctness of verification results. The general abstrac-
tion refinement paradigm [CGJ+03] consists of three steps: (1) generate the initial
abstraction, (2) model check the abstract system, and, if required, (3) refine the
abstraction, and repeat.
The general idea of abstraction is to reduce the system complexity, by removing
information which is considered irrelevant for the verification of a particular property,
and therefore can be safely removed from the system. The obvious problem is
how to determine which information is relevant: if the abstraction is too fine—
i.e., removes too little information—verification still suffers from the state explosion
problem. If, on the other hand, the abstraction is too coarse—i.e., removes too much
information—verification suffers from too much information loss,1 and the results
are likely to be wrong. Consequently, abstraction techniques are distinguished based
on how they deal with the information loss [CGJ+03].
Over-approximation techniques (also called conservative techniques), for example
predicate abstraction [GS97], enrich the system behaviour by releasing constraints,
such that correctness of the abstract system implies correctness of the concrete
system. Over-approximation techniques admit false negatives (also called spuri-
ous counterexamples), i.e., a system behaviour which violates the property in the
abstract system, but is not reproducible on the original (concrete) system. Under-
approximation techniques, on the other hand, constrain the system behaviour by
removing irrelevant parts, such that a property violation in the abstract system im-
plies a property violation in the concrete system. Under-approximation techniques
admit false positives, i.e., a system behaviour which satisfies the property in the
abstract system, but violates it in the concrete system. In this work, we deal with
1By definition, abstraction always means information loss. Yet, with respect to the property
to be verified, some information is irrelevant, and can be safely removed.
67
68 CHAPTER 4. ABSTRACTION REFINEMENT
over-approximation techniques. For a more detailed description of abstraction tech-
niques, see for example [CGP99, CGJ+03].
In the context of abstraction, the general idea of refinement can be described
as “undo part of the abstraction”. If a counterexample to the property under test
has been detected in the abstract system (using over-approximation techniques, for
under-approximation, the reasoning is different), it needs to be checked whether the
counterexample comprises a violation of the property, or whether it is spurious. In
the former case, the counterexample to the property is reproducible in the original
system, which means the property does not hold in the original system. In the latter
case, the counterexample is not reproducible in the original system, which means the
spurious counterexample is due to wrong (too coarse) abstraction, and the abstract
system needs to be refined. The refinement ideally takes into account the reason
why the counterexample has been feasible in the abstract system, in order to prevent
this erroneous behaviour in further verification steps.
The remainder of this Chapter is organised as follows: in Section 4.1, we de-
scribe our uniform abstraction methodology abstraction by merging omission. The
methodology is flexible to operate on different system types, since it is defined based
on syntactical categories of variables, and takes the constituents of the system under
consideration that are to be abstracted as parameters. In Section 4.2, we explain
how to translate a counterexample (to the property under test) obtained from the
abstract system back into the concrete system. Section 4.3 gives a brief overview
of Craig interpolation [Cra57], discusses the expressiveness of the generated inter-
polants, and how they can be used to derive information about the cause of a spurious
counterexample. In the end, we show how to syntactically reorder the input problem
(without changing the semantics) to increase the expressiveness of the interpolants.
In Section 4.4, we show how to refine the abstraction in case it has turned out to be
too coarse, and discuss heuristics on the application of different refinement options.
We conclude the Chapter in Section 4.5.
4.1 Abstraction by Merging Omission
In this section, we present a simple and fast, but nevertheless powerful, uniform ab-
straction technique specifically tailored to work on logical formulas: abstraction by
merging omission (MO) [KP07, Kem11]. By removing constraints which are consid-
ered irrelevant to a particular (safety) property, MO yields an over-approximation.
The basic idea of MO is to reduce the system complexity of a real-time system
S, S∈{A,T} (i.e., S is a TA or a TCA, for discussion of abstraction of TNA,
please refer to Section 6.1), by decreasing the number of symbols in the formula
representation ϕ(S), while retaining as much information as possible about the
transition characteristics (the abstract formula is weaker than ϕ(S), though). MO
is defined for formulas in negation normal form (NNF),2 to which ϕ(S) can be easily
2A formula is defined to be in NNF if negation only appears in front of literals, and {¬,∨,∧} are
the only allowed Boolean connectives. In propositional logic, every formula can be transformed into
an equivalent formula in NNF, by (1) replacing implications and equivalences by their definitions
(i.e., using only {¬,∨,∧}), (2) using De Morgan’s laws to push negation inside, and (3) eliminating
double negations.
4.1. ABSTRACTION BY MERGING OMISSION 69
transformed. MO uniformly works on the different syntactical categories contained
in ϕ(S): it merges Boolean variables, by mapping them to the same image according
to a map of merging γ, and it removes rational variables and arithmetic constraints
according to a set of omission O.
The intended idea of the set of omission O is to contain constraints and param-
eters whose removal from ϕ(S) enriches the behaviour of the represented system
S, i.e., whose removal enlarges the set of valuations satisfying the formula repre-
sentation ϕ(S) of S. For example, removing a clock constraint from a transition
enriches the behaviour, in that the transition is enabled more often. Note that this
is only true for convex clock constraints, because with logical conjunction ∧ as the
only logical connective (cf. Definition 2.1.2), removing any of the conjuncts removes
a subconstraint, and thus enlarges the set of satisfying valuations.
The intended idea of the map of merging γ is to contain mappings for variables
whose mergence in ϕ(S) enriches the behaviour of S. For example, merging two
locations enriches the behaviour, in that the combined location allows for additional
runs containing in- and outgoing transitions of different underlying locations.
We allow merging for propositional variables only, and omission for rational vari-
ables and arithmetic constraints. We first introduce some notation.
Notation 4.1.1 (Variable Sets (cf. Section 3.1.1)). For any real-time system
S, let S and X be the sets of variables representing locations and clocks, respectively.
For a TA A, let Σ be the set of variables representing events. For a TCA T, let PA,
PDA, DF and DCO be the sets of variables representing port activity variables, port
data variables, data fullness variables and data content variables, respectively. All
variable sets are understood to be without indices.
We lift the notations from Section 2.1 in the straightforward way to reason about
representation variables rather than constituents of real-time systems. In particular:
• by CC(X) and X|cc, we denote the set of clock constraints over clock variables
in X, and the set of clock variables that occur in a clock constraint cc∈CC(X),
respectively (cf. Definition 2.1.2)
• by DC(PDA,DCO), PDA|dc and DCO|dc, we denote the set of data constraints over
port data variables in PDA and data content variables in DCO, the set of port data
variables that occur in a data constraint dc∈DC(PDA,DCO), and the set of data
content variables that occur in a data constraint dc∈DC(PDA,DCO), respectively
(cf. Definition 2.1.7)
• by CC(X)|S, we denote the set of clock constraints over clock variables in X that
occur in the formula representation of a real-time system S; by DC(PDA,DCO)|S,
we denote the set of data constraints over port data variables in PDA and data
content variables in DCO that occur in the formula representation of S (cf.
Notations 2.2.3 and 2.3.4).
The exact nature of the map of merging γ and the set of omission O (i.e., to
which system parts are γ and O applicable) depends on the the underlying system
S. We now define these for TA and TCA separately.
70 CHAPTER 4. ABSTRACTION REFINEMENT
Definition 4.1.2 (Map of Merging, Set of Omission for TA). Let A be a TA,
with formula representation ϕ(A), and variable sets as introduced in Notation 4.1.1,
let PA=(S∪Σ).
The map of merging γA of A is a total map γA:PA→(PA∪P′A), with P′A some fresh
set of propositional variables, and γA(p)=γA(p
′) only if (p, p′∈S) or (p, p′∈Σ). The set
of omission OA of A is OA⊆X∪CC(X), where CC(X) only contains atomic formulas
(i.e., which do not contain the logical operator ∧, cf. Definition 2.1.2).
The map of merging γA merges locations or actions, it is the identity for ele-
ments not intended to be merged. The additional constraint “only if (p, p′∈S) or
(p, p′∈Σ)” ensures that γ only maps variables to the same image if they are of the
same conceptual type (a location cannot be not merged with an action). The set
of omission OA allows to remove clocks or single clock constraints. In the former
case, the intended idea is to completely remove x from ϕ(A) (i.e., every occurrence
of x). For this reason, all clock constraints cc reasoning about x, that means with
x∈X|cc, need to be removed as well (even if cc itself is not contained in OA). The
abstraction function (Definition 4.1.5) automatically takes care of this.
Definition 4.1.3 (Map of Merging, Set of Omission for TCA). Let T be a
TCA, with formula representation ϕ(T), and variable sets as introduced in Nota-
tion 4.1.1, let PT=(S∪PA∪DF).
The map of merging γT of T is a total map γT:PT→(PT∪P′T), with P′T some fresh
set of propositional variables, and γT(p)=γT(p
′) only if (p, p′∈S), or (p, p′∈PA), or
(p, p′∈DF). The set of omission OT of T is OT⊆X∪CC(X)∪DC(PDA,DCO), where CC(X)
and DC(PDA,DCO) do not contain compound formulas (i.e., do not contain logical
operators ∧ and ¬, cf. Definitions 2.1.2 and 2.1.7). In addition, if for some data
constraint dc∈DC(PDA,DCO)|T, there exists Dp∈PDA|dc with γ(p) 6=id , or Dd∈DCO|dc with
γ(d) 6=id (where p and Dp are port activity and port data variable of the same port
p, and d and Dd are data fullness and data content variable of the same data variable
d, cf. Section 3.1.1.4), we require dc∈OT.
The map of merging γT allows to merge locations, ports (actually port activity
variables) or memory cells (actually data fullness variables), again it is the identity
for elements not intended to be merged, and can only merge variables of the same
conceptual type. The set of omission OT allows to remove clocks and single clock
constraints as before, and in addition allows to remove single data constraints. As for
TA, the abstraction function (Definition 4.1.5) automatically takes care of removing
all clock constraints cc with x∈X|cc for a clock x∈OT, even if cc6∈OT.
For ports intended to be merged, i.e., with γ(p)6=id , the automatic removal of
data constraints by the abstraction function does not work in the same way as
it does for clocks. The reason is that for a clock x and a clock constraint cc,
a simple syntactic check x∈X|cc is sufficient to determine whether cc needs to be
removed or not (see above). For ports, on the other hand, the set PT contains port
activity variables, while data constraints contain port data variables. Therefore, we
need to explicitly add all data constraints to OT that reason about ports intended
to be merged. This is done by the last condition in Definition 4.1.3. The same
4.1. ABSTRACTION BY MERGING OMISSION 71
argumentation holds for data fullness and data content variables.
Note that it is indeed necessary to completely remove data constraints that rea-
son about ports and memory cells intended to be merged. The naive approach
of replacing port data respectively data content variables in a data constraint by
their image under γT does not work, and may result in unsatisfiable data con-
straints. As an example, suppose a transition with port set {p, q} and data con-
straint ((p=1)∧(q=2)), and suppose γT(p)=γT(q)=r. Straightforward syntactic re-
placement of port data variables would yield a transition with port set {r} and
data constraint ((r=1)∧(r=2)). While the original (unabstracted) data constraint
is satisfiable, the abstract data constraint is not; such abstraction would not yield
an over-approximation.
Notation 4.1.4 (Abstraction). Since MO works uniformly on the different syn-
tactical categories, in the sequel, we omit indices A respectively T, and write γ, O,
P and P′ only.
We use the term domain of the abstraction, denoted by •α,3 to refer to the set
of parameters intended to be abstracted. That is, the domain of the abstraction
consists of all elements in O, and of those elements in P where γ is not the identity,
that means which are mapped to an element in P′. Formally, •α = O∪γ−1(P′). Note
that •α contains both (single) variables and (arithmetic) constraints.
We can now define the abstraction function.
Definition 4.1.5 (Abstraction by Merging Omission). Let S be a real-time
system, with ϕ(S) in NNF, and γ, O, P and P′ defined in Definitions 4.1.2 respec-
tively 4.1.3.
The abstraction of ϕ(S) (by merging omission) with respect to O and γ, denoted
as αO,γ(ϕ(S)), is defined in (4.4). We may write α(ϕ(S)) if O and γ are clear form
the context.
MO uniformly captures abstraction on all syntactic categories contained in ϕ(S):
variables and constraints (cf. Section 3.2.1 for the definition of Conts(·)) not meant
to be abstracted (i.e., which are not contained in the domain of the abstraction
•α) are kept unchanged (4.1a). The map γ is applied to all positive propositional
variables (4.1b). For negative propositional variables p (i.e., which occur as ¬p in
ϕ(S)) meant to be abstracted, we distinguish two cases: if there exists a positive
propositional variable p′ in the same conjunction as p,4 and with the same image
under γ (i.e., p and p′ are to be merged), we replace p with its positive image
under γ (4.1c). The idea is that positive propositional variables are used to describe
the “behaviour”—source and target of a transition, for example—while negative
propositional variables are used to ensure consistency—mutual location exclusion,
3This notation anticipates Definition 4.1.5, where we use the symbol α to denote the abstraction
function.
4In the same conjunction means enclosed by the same pair of parenthesis (note that some
parenthesis can be omitted though, cf. Notation 2.1.1). For example, in (p∧p′∧p′′)∨p′′′, p, p′ and
p′′ are in the same conjunction, but p′′′ is not.
72 CHAPTER 4. ABSTRACTION REFINEMENT
α′(L) =

L Conts(L)∩ •α=∅ (4.1a)
γ(L) Conts(L)∩ •α 6=∅, L=p∈P (4.1b)
γ(L) Conts(L)∩ •α 6=∅, L=¬p, p∈P,
∃p′∈P in the same conjunction as p : γ(p)=γ(p′)
(4.1c)
¬γ(L) Conts(L)∩ •α 6=∅, L=¬p, p∈P,
¬∃p′∈P in the same conjunction as p : γ(p)=γ(p′),
∃¬p′′, p′′∈P, in the same conjunction as p : γ(p)=γ(p′′)
(4.1d)
true otherwise (4.1e)
α′(F ∧G) = α′(F )∧α′(G) (4.2a)
α′(F ∨G) = α′(F )∨α′(G) (4.2b)
γα(P) =
∧
p∈γ(P)\P
(
((
∧
p′∈γ-1(p)
¬p′)∨ p)∧( ∨
p′∈γ-1(p)
p′ ∨¬p)) (4.3)
α(ϕ(S)) = α′(ϕ(S))∧ γα (4.4)
Here, F and G are formulas in NNF, and L is a literal.
Figure 4.1: Abstraction by merging omission
for example. Therefore, if such p′ exists, we can dismiss the literal ¬p, since p and
p′ are mapped to the same image under γ, and we do not need the consistency
constraint (for consistency between p and p′) anymore. Note that replacing ¬p by
true is possible as well, but this would yield a much coarser abstraction. If no such
p′ exists, but instead there exists a negative propositional variable p′′ with the same
image under γ (4.1d), then we replace p and p′′ by their negative image under γ.
Again, replacing ¬p and ¬p′ by true is possible but would yield a much coarser
abstraction. In all other cases, α′ maps the literal to true (4.1e). In particular, this
last case handles arithmetic constraints (both positive and negative) meant to be
abstracted. Remember that arithmetic constraints not meant to be abstracted are
handled in (4.1a) already.
In this way, α′ performs a quick variant of existential abstraction [CGJ+03],
while exploiting the syntactic categories and structural relationships of elemens in
our formula representation.
In order to guarantee that MO yields an over-approximation, we need to keep
track of the relation between symbols in P and their abstract counterparts in P′. For
this reason, we add the constraint γα (4.3) to the abstract formula (note that (4.3)
is in NNF, and is equivalent to
∧
p∈γ(P)\P
(
(
∨
p′∈γ-1(p) p
′)↔ p)).
As mentioned above after Definitions 4.1.2 and 4.1.3, the abstraction function
automatically removes clock constraints cc over clocks x∈•α (i.e., with x∈X|cc), even
if cc6∈•α. The reason is that the only applicable rule in (4.1) for literal cc is (4.1e).
Rule (4.1a) is not applicable, since the intersection Conts(cc)∩•α is not empty,
and all other rules only handle propositional variables. Therefore, constraint cc is
4.1. ABSTRACTION BY MERGING OMISSION 73
replaced by true by (4.1e).
In contrast, for ports intended to be abstracted (and equivalently for mem-
ory cells), the situation is different: a data constraint dc over port p contains the
port data variable Dp∈PDA (cf. Section 3.1.1), while the domain of the abstraction
•α contains the port activity variable p∈PA. As a consequence, the intersection
Conts(dc)∩•α in (4.1a) would be empty. To correctly abstract from the data con-
straint, we explicitly add dc to •α (cf. Definition 4.1.3), such that the intersection
is not empty anymore.
Notation 4.1.6 (Abstraction). Without confusion, in the sequel we use the sym-
bol α only, and omit the symbol α′. For example, for a literal L, we write α(L)
instead of α′(L).
We get the following results.
Lemma 4.1.7 (Abstraction by Weakening). Abstraction by merging omission,
as defined in Definition 4.1.5, yields an over-approximation, that means α(F ) is
weaker than F in the sense that the implication F→α(F ) is valid (true in all models).
Proof. The proof can be found in Section A.2 in the Appendix, on Page 138.
Theorem 4.1.8 (Correctness of Abstraction). Abstraction by merging omis-
sion, as defined in Definition 4.1.5, yields a correct over-approximation on sets of
runs.
Proof. The proof can be found in Section A.2 in the Appendix, on Page 146.
So far, we have assumed the variables to be without indices. Lifting α to the
presence of localisations is straightforward: γ and O are understood oblivious to in-
dices in the NNF of ϕ(S), such that indices directly carry over to ϕ(S)k unchanged.
Defining different abstractions for different steps is possible using the same definition
of α, but we consider it to be less useful. Note that α is homomorphic with respect
to {∧,∨}, which proves the equality of α(ϕ(S)k) and α(ϕ(S))k (except for speed of
computing the abstraction, where α(ϕ(S))k is superior).
Example 4.1.9 (Abstraction). Consider again the formula representation ϕ(A)
of the intelligent light switch, as shown in Table 3.3 in Example 3.1.2. According
to Definition 4.1.2, we have P=(S∪Σ)={off, light, bright, press, τ}. For merg-
ing locations light and bright into one location on, we define O=∅, P′={on},
γ(light)=γ(bright)=on, and γ(p)=id for p∈P\{light, bright}.
The abstraction by merging omission of ϕ(A) with respect to γ and O, α(ϕ(A)),
is shown in Table 4.2.
Note that we have simplified the formulas, by removing redundant parts. For
example, after applying the abstraction function α, the first entry in Table 4.2
74 CHAPTER 4. ABSTRACTION REFINEMENT
α(ϕinit(A)) = off0∧¬on0∧¬press0∧¬τ0∧(z0=0)∧(x0=0)
α(ϕaction(e1)) = offt∧presst 1∧(zt=zt 1)∧(xt 1=zt 1)∧ont 1
α(ϕaction(e2)) = ont∧presst 1∧(zt=zt 1)∧(zt−xt>3)∧(xt 1=xt)∧offt 1
α(ϕaction(e3)) = ont∧presst 1∧(zt=zt 1)∧(zt−xt≤3)∧(xt 1=xt)∧ont 1
α(ϕaction(e4)) = ont∧presst 1∧(zt=zt 1)∧(xt 1=xt)∧offt 1
α(ϕdelay(off )) = offt∧¬presst 1∧¬τt 1∧(zt≤zt 1)∧(xt=xt 1)∧offt 1
α(ϕdelay(light)) = ont∧¬presst 1∧¬τt 1∧(zt≤zt 1)∧(xt=xt 1)∧ont 1
= α(ϕdelay(bright))
α(ϕtrans(A)) = α(ϕaction(e1))∨α(ϕaction(e2))∨α(ϕaction(e3))∨α(ϕaction(e4))∨
α(ϕdelay(off ))∨α(ϕdelay(light))
α(ϕlocation(A)) = (offt 1∧¬ont 1)∨(ont 1∧¬offt 1)
α(ϕmutex(A)) = (presst 1∧¬τt 1)∨(τt 1∧¬presst 1)∨(¬presst 1∧¬τt 1)
γα(P) = ((¬lightt∧¬brightt)∨ont)∧(lightt∨brightt∨¬ont)
α(ϕ(A)) = α(ϕinit(A))∧α(ϕtrans)∧α(ϕlocation(A))∧α(ϕmutex(A))∧γα(P)
Table 4.2: Abstraction by Merging Omission: Example
contains conjunct ¬on0 twice, resulting from applying γ to ¬bright0 and ¬light0
in the original formula (cf. Table 3.3).
4.2 Concretisation
In the previous Section, we have defined abstraction by merging omission on the
formula representation ϕ(S) of a real-time system S. We have explained how to
obtain the abstract formula α(ϕ(S)) from ϕ(S), by removing parameters that are
considered irrelevant for the verification of a particular safety property.
The general problem with abstraction is that typically, it is not clear up front
what is the set of relevant parameters that need to be kept in order to preserve
correctness of verification results. It can therefore happen that one or more param-
eters from this set of relevant parameters are removed by the abstraction. If this
happens, we get false negatives : a false negative is a “proof” that the property is
violated in the abstract system, while in the original (concrete) system it is not (cf.
the explanations at the beginning of this Chapter).
Thus, if a counterexample to the property under test has been found in the
abstract system, we need to check whether this counterexample is real (i.e., corre-
sponds to a true violation of the property, also in the original system) or spurious
(i.e., is due to wrong abstraction, and the abstraction needs to be refined). To
this end, the abstract counterexample is translated back into the original system,
to determine whether it is reproducible there. This is called concretisation. In our
context, concretisation works as follows.
4.3. INTERPOLATION 75
First recall that to check whether a property expressed by formula φ holds in the
abstract system α(ϕ(S)), we check the conjunction α(ϕ(S))k∧¬φ for satisfiability
(cf. Section 3.2.3). If the formula is satisfiable, this indicates that the property does
not hold in the abstract system, and every model σ of α(ϕ(S))k∧¬φ corresponds to
a run of the abstract system which violates the property.
Next, observe that every model σ of α(ϕ(S))k∧¬φ is a total assignment to the
variables in Vars(α(ϕ(S))k∧¬φ), but only a partial assignment to the variables in
Vars(ϕ(S)k∧¬φ), that means some variables in ϕ(S)k are left unconstrained by σ.
This reflects the fact that one run in the abstract system can correspond to a set of
runs in the original system.
Concretisation now consists in trying to extend the model σ of α(ϕ(S))k∧¬φ to
a model of ϕ(S)k∧¬φ, that agrees with σ on variables in Vars(α(ϕ(S))k∧¬φ). This
is done by interpreting σ as a conjunction of variable assignments:
ρσ =
∧
v∈Vars(α(ϕ(S))k∧¬φ)
σ(v)=v
(v=v), (4.5)
and trying to find a model for the conjunction ϕ(S)k∧¬φ∧ρσ. We call ρσ the witness
run (for φ). As the witness run is highly restrictive (it singles out only one abstract
path), the abstract counterexample guides the search through the concrete system
with a very narrow focus and is highly efficient. If such a model for ϕ(S)k∧¬φ∧ρσ
exists, that means, if the witness run is concretisable, we have found a run in the
original system that violates the property. If no such model exists, i.e, ϕ(S)k∧¬φ∧ρσ
is unsatisfiable, the counterexample is spurious, and the abstraction needs to be
refined.
Remark 4.2.1 (Concretisation). Since σ|=(α(ϕ(S))k∧¬φ) (i.e., σ is a model of
α(ϕ(S))k∧¬φ), in particular σ|=¬φ. By construction of ρσ, we have |=ρσ→¬φ.
For every valuation σ′, we thus have σ′|=ϕ(S)k∧¬φ∧ρσ iff σ′|=ϕ(S)k∧ρσ. For this
reason, we can safely remove the conjunct ¬φ from the formula ϕ(S)k∧¬φ∧ρσ during
concretisation, and check the satisfiability of ϕ(S)k∧ρσ only, without affecting the
results. We will use this fact for interpolation.
In the next Section, we describe how to use Craig interpolants to derive infor-
mation about which parameters need to be refined.
4.3 Interpolation
In this section, we introduce Craig interpolants (Section 4.3.1), and discuss their
expressive power in the context of SAT-based verification (Section 4.3.2). We do not
show how to derive/compute interpolants, since powerful tools exist for this task.
The interested reader is referred to [McM03, McM05b], for example.
4.3.1 Craig Interpolants
Craig interpolants have been defined in [Cra57]. They are defined for pairs of incon-
sistent formulas (i.e., formulas which are unsatisfiable together), and provide a way
76 CHAPTER 4. ABSTRACTION REFINEMENT
of capturing the reason of inconsistency.
Definition 4.3.1 (Craig Interpolant). Let (F1, F2) be a pair of inconsistent for-
mulas, i.e., with |= ¬(F1∧F2). A Craig interpolant for F1 and F2 (or simply inter-
polant) is a formula G such that
|= F1 → G, (4.6)
|= G→ ¬F2, 5 and (4.7)
Vars(G) ⊆ Vars(F1)∩Vars(F2). (4.8)
Here, Vars(ϕ) denotes the set of variables in a formula ϕ. F1 is called prefix of
G, and F2 is called suffix of G.
For a pair of inconsistent formulas, an interpolant always exists [Cra57], and can
be derived from a resolution proof of inconsistency of F1 and F2 in time linear in the
size of the proof [Pud97, McM03, McM05b]. Originally [Cra57], interpolants were
defined for purely propositional formulas, but it has been shown that they can be
derived in the same way for formulas with linear (in)equalities over rational numbers,
see [McM04] for details. Interpolants are not unique: for a pair of inconsistent
formulas, typically many formulas exist which fulfil the conditions in Definition 4.3.1.
Furthermore, resolution proofs are not unique either, that means the same pair
of formulas can have different resolution proofs of inconsistency, depending on for
example to which subformulas the resolution rule is applied first.
An interpolant G for an inconsistent pair of formulas (F1, F2) captures the reason
of inconsistency as follows: G is always an over-approximation of the prefix F1 (4.6),
that means every model of F1 is also a model of G. In this way, G captures the facts
that can be derived from the prefix, that means the maximal set of facts that holds
for every valuation of the prefix. Moreover, G is also an under-approximation of the
negated suffix ¬F2 (4.7), that means every model of G is also a model of ¬F2. In
this way, G captures facts that are inconsistent with F2, that means the minimal
set of facts that can never be extended to a satisfying valuation of the suffix. Since
the interpolant contains only common symbols of prefix and suffix (4.8), it captures
the cause of inconsistency, in that the constraints expressed by the interpolant are
sufficient to show the inconsistency of prefix and suffix.
Interpolants are defined for pairs of formulas. If we have a single unsatisfiable
formula F that is a conjunction of two subformulas, i.e., F=F1∧F2, we can split F
around this top-level conjunction, and derive an interpolant for the resulting pair
(F1, F2). If F is a conjunction of more than two subformulas, i.e., F=F1∧ . . .∧Fn,
for n>2, we can interpret F as a sequence of formulas F1, . . . , Fn, and derive an
interpolant for every possible nonempty bisection (i.e., both subsequences contain at
least one formula each) of the sequence. This corresponds to deriving an interpolant
for every possible split around a top-level conjunction of F . In this way, we get a
sequence of n−1 interpolants G1, . . . , Gn−1, such that Gi is an interpolant for the
pair (F1∧ . . .∧Fi, Fi+1∧ . . .∧Fn), i∈{1, . . . , n−1}. In [McM05a], the author showed
5The notion |= ¬(G∧F2) is also commonly found in the literature, but in this context, we
consider our (equivalent) notion |= G→ ¬F2 more comprehensible.
4.3. INTERPOLATION 77
that if the sequence of interpolants G1, . . . , Gn−1 is derived from the same refutation
proof for the inconsistency of F1, . . . , Fn, then
|= (Gi∧Fi+1)→ Gi+1 (4.9)
holds for every i∈{1, . . . , n−1}.
There exist a number of tools that support interpolant generation for SMT for-
mulas, like for example CSIsat [BZM08, csi], FOCI [FOC] or MathSAT [mat]. The
former only supports interpolant generation for a pair of formulas. The latter two
support the approach just described: when called on a sequence of n inconsistent
formulas, they generate a sequence of n−1 interpolants with the property (4.9).
4.3.2 Expressiveness of Interpolants
In this section, we discuss what kind of information about the cause of unsatisfiability
can be derived from interpolants, and we show how the sequential order of formulas
can influence the generated interpolants.
For a pair of inconsistent formulas (F1, F2), we can derive a single interpolant G.
Without further taking into account the concrete structure of prefix F1 and suffix
F2, we can derive the following information about the inconsistency of F1 and F2
from G:
• G=true: we do not get any information about the prefix, since F1 → true
(4.6) holds for every F1. We know that the suffix by itself is inconsistent, since
true→ ¬F2 (4.7) only evaluates to true if F2 evaluates to false
• G=false: we know that the prefix by itself is inconsistent, since F1 → false
(4.6) only evaluates to true if F1 evaluates to false. We do not get any
information about the suffix, since false→ F2 (4.7) holds for every F2.
• G=F for some formula F , F 6=true, F 6=false: we do not get any information
about prefix or suffix alone, but we know that the conjunction is unsatisfiable.
As explained above, the constraints expressed by F are sufficient to prove the
inconsistency of F1 and F2.
Obviously, changing the sequential order of F1 and F2— that means deriving
an interpolant G′ for the pair (F2, F1)—does not yield additional information about
the cause of unsatisfiability. In particular, observe that if G is an interpolant for
(F1, F2), then it follows directly from Definition 4.3.1 that ¬G is an interpolant for
(F2, F1). However, when deriving a sequence of n−1 interpolants from a sequence of
n formulas, the sequential order of the formulas has a considerable influence on the
generated interpolants, and thus on their expressiveness, as the following example
shows.
Example 4.3.2 (Sequential Formula Order and Expressiveness of Inter-
polants). Consider two sequential orders for a set of inconsistent formulas:
(a↔b), (a↔c), (b↔e), (e↔f), (c↔d), (a↔¬b), and (4.10)
(c↔d), (a↔c), (a↔b), (a↔¬b), (b↔e), (e↔f). (4.11)
78 CHAPTER 4. ABSTRACTION REFINEMENT
The inconsistency is solely caused by the two formulas (a↔b) and (a↔¬b). If we
apply the SMT solverMathSAT to each of the two sequences, we get the interpolant
sequences shown in Table 4.3 (for (4.10) on the left, for (4.11) on the right).6
formulas interpolants formulas interpolants
(a↔b) (c↔d)
(a↔b) true
(a↔c) (a↔c)
(a↔b)∧(a↔c) true
(b↔e) (a↔b)
(a↔b)∧(a↔c)∧(b↔e) (a↔b)
(e↔f) (a↔¬b)
(a↔b) false
(c↔d) (b↔e)
(a↔b) false
(a↔¬b) (e↔f)
Table 4.3: Interpolant sequences for different formula orders
Notice that the interpolants derived for sequence (4.11) (on the right side of
Table 4.3) are much simpler than the interpolants derived for (4.10). In particular,
there is only one interpolant 6∈{true, false} on the right side. This is due to the
fact that the formulas in the sequence (4.11) are arranged in such a way that the
number of common variables of prefix and suffix is minimised. As a result, the
cause of unsatisfiability becomes clear immediately from the interpolants derived for
(4.11): the third interpolant (a↔b) (the only interpolant 6∈{true, false}) precisely
describes the constraints that cause the inconsistency.
The interpolants derived for sequence (4.10) (on the left side of Table 4.3), on the
other hand, are more complex,7 because the number of common variables of prefix
and suffix is larger. As a result, the cause of unsatisfiability is not immediately clear
(though the repeated occurrence of interpolant (a↔b) gives an indication already,
but this is in general not the case for larger formula sequences and larger numbers
of common variables).
The example has shown that reducing the number of common variables of prefix
and suffix helps to obtain more expressive interpolants: in the best case, a number
of interpolants simplify to true or false, which allows to reduce the sequence of for-
mulas to an inconsistent subsequence. Moreover, less common variables of prefix and
suffix—and thus less variables that can be contained in the interpolant—yield less
complex invariants, which in turn capture the reason of inconsistency more precisely.
To illustrate this last statement, consider the third interpolant (a↔b)∧(a↔c)∧(b↔e)
6Read the Table as follows: for each interpolant, the prefix of the interpolant consists of
all formulas above it, and the suffix consists of all formulas below it. For example, for the
second interpolant on the left, (a↔b)∧(a↔c), the prefix is (a↔b)∧(a↔c), and the suffix is
(b↔e)∧(e↔f)∧(c↔d)∧(a↔¬b).
7More complex in the sense that they involve more variables, and have more satisfying inter-
pretations.
4.3. INTERPOLATION 79
derived for (4.10) (left side of Table 4.3), and the third interpolant (a↔b) derived for
(4.11) (right side of Table 4.3). While the latter precisely describes the constraints
causing the inconsistency of (4.11) (as explained above), the former contains the
superfluous conjuncts (a↔c) and (b↔e).
Note that the argumentation for interpolants true and false about the unsat-
isfiability of prefix and suffix directly carries over from pairs of formulas. That is,
the suffix of an interpolant true (which is now a set of formulas) is inconsistent by
itself, and so is the prefix of an interpolant false. For example, for the second inter-
polant true on the right side of Table 4.3, the suffix (a↔b)∧(a↔¬b)∧(b↔e)∧(e↔f)
is inconsistent by itself. We will come back to this fact in the next section.
4.3.3 Sequential Formula Order for ϕ(S)
We now present a sequential formula order for the subformulas of ϕ(S) that takes
into account the considerations from the previous Section.
Remember that we need to refine the abstraction if the witness run ρσ represents
a spurious counterexample, that means if the conjunction α(ϕ(S))k∧¬φ (of abstract
system and property) is satisfiable, but the conjunction ϕ(S)k∧ρσ (of original system
and witness run) is not, cf. Section 4.2 and in particular Remark 4.2.1. To find the
parameters that were wrongly abstracted, we derive a sequence of interpolants for
ϕ(S)k∧ρσ, and from these determine the ill-abstracted parameters. To increase the
expressiveness of the interpolants, we take into account the results from the previous
section, by syntactically reordering the subformulas of ϕ(S)k∧ρσ (without changing
the semantics), such that the number of common variables is minimised. Intuitively,
the resulting sequence results from “interleaving” elements from ϕ(S)k and ρσ, based
on their unfolding depth. In detail, we construct the sequence as follows.
First, we split ϕ(S)k around top-level conjunctions, based on the partition in
(3.29), and reconjunct elements where all variables have the same unfolding depth,
resulting in the following set
{ϕinit(S), ϕtrans(S)(0), ϕlocation(S)(1)∧ϕmutex(S)(1), . . .
. . . , ϕtrans(S)(k−1), ϕlocation(S)(k)∧ϕmutex(S)(k)}
(4.12)
Next, we do the same for the witness run: we split ρσ around the conjunctions
(cf. (4.5)), and reconjunct elements (variable assignments) with the same unfolding
depth, which yields the set
{ ∧
v0∈Vars(ρσ)
σ(v0)=v
(v0=v), . . . ,
∧
vk∈Vars(ρσ)
σ(vk)=v
(vk=v)} (4.13)
Finally, we join the two sets, conjunct elements with the same unfolding depth,
and stratify (i.e., sort by unfolding depth) the formulas. The result is the following
80 CHAPTER 4. ABSTRACTION REFINEMENT
sequence of formulas
ϕinit(S)∧ ∧
v0∈Vars(ρσ)
σ(v0)=v
(v0=v),
ϕtrans(S)(0),
ϕlocation(S)(1)∧ϕmutex(S)(1)∧
∧
v1∈Vars(ρσ)
σ(v1)=v
(v1=v),
ϕtrans(S)(1), . . . ,
ϕtrans(S)(k−1),
ϕlocation(S)(k)∧ϕmutex(S)(k)∧
∧
vk∈Vars(ρσ)
σ(vk)=v
(vk=v)
(4.14)
In the sequel, without confusion we may use ϕ(S)k∧ρσ to refer to the “reordered”
variant (4.14). For example, by “the sequence of interpolants derived for ϕ(S)k∧ρσ”
(in Section 4.4, for example), we actually mean to the sequence of interpolants
derived for (4.14).
Reordering the subformulas of ϕ(S)k∧ρσ in this way has two major advantages.
The first advantage is that we have minimised the number of common as much as
possible: elements of the sequence alternately contain variables of one respectively
two unfolding depths,8 and due to the stratification, every two subsequent elements
of the sequence share variables of exactly one unfolding depth. In this way, every
interpolant derived for any bisection of the sequence into prefix and suffix can con-
tain variables of (at most, cf. interpolants true and false) one unfolding depth.
Minimising the number of common variables has the advantages illustrated in the
previous Section.
The second advantage is that prefixes and suffixes of any interpolant directly
correspond to prefixes and suffixes of the witness run: for any interpolant Gi, with
1≤i≤2k,9 a model of the prefix of Gi directly corresponds to a prefix of length
b i
2
c of the run through S represented by the witness run ρσ. Again, this is due
to the fact that we stratified the formulas in (4.14). If Gi=false, we can thus
conclude that the prefix of length b i
2
c of the witness run, which is represented by
those elements of (4.13) with unfolding depth smaller or equal to b i−1
2
c, is not
concretisable. Equivalently, if Gi=true, we can conclude that the suffix of length
d2k−i
2
e of the witness run, which is represented by those elements of (4.13) with
unfolding depth greater or equal to d i
2
e, is not concretisable.
Remark 4.3.3. To illustrate the bounds in the above explanations (for example,
to illustrate that the prefix of interpolant Gi indeed corresponds to a prefix of the
witness run of length b i
2
c), consider the following example. For unfolding depth
8In (4.14), odd-numbered elements contain variables of one unfolding depth. For example,
the first element ϕinit(S)∧∧v0∈Vars(ρσ),σ(v0)=v(v0=v) contains variables of unfolding depth 0 only.
Even-numbered elements contain variables of two unfolding depths. For example, the second
element ϕtrans(S)(0) contains variables of unfolding depths 0 and 1.
9Observe that for unfolding depth k, the sequence (4.14) has 2k+1 elements, which allows to
derive a sequence G1, . . . , G2k of 2k interpolants.
4.4. REFINEMENT 81
3, the sequence (4.14) has 2∗3+1 = 7 elements, for which we can derive 2∗3 = 6
interpolants G1, . . . , G6:
ϕinit(S)∧∧v0∈Vars(ρσ),σ(v0)=v(v0=v)
G1
ϕtrans(S)(0)
G2
ϕlocation(S)(1)∧ϕmutex(S)(1)∧
∧
v1∈Vars(ρσ),σ(v1)=v(v1=v)
G3
ϕtrans(S)(1)
G4
ϕlocation(S)(2)∧ϕmutex(S)(2)∧
∧
v2∈Vars(ρσ),σ(v2)=v(v2=v)
G5
ϕtrans(S)(2)
G6
ϕlocation(S)(3)∧ϕmutex(S)(3)∧
∧
v3∈Vars(ρσ),σ(v3)=v(v3=v)
Consider the case i=3: the prefix of interpolant G3 consists of three formulas,
which correspond to a run of length b3
2
c = 1, and this run is represented by the
variable valuations (i.e., the elements of (4.13)) with unfolding depths smaller or
equal to b3−1
2
c = 1. The suffix of G3 consists of four formulas, which correspond
to a run of length d6−3
2
e = 2, and this run is represented by the variable valuations
with unfolding depths greater or equal to d3
2
e = 2.
4.4 Refinement
If a counterexample to the property under test has been detected in the abstract
system, and this counterexample has turned out to be spurious in the concretisation
step, the abstraction is too coarse and needs to be refined.
Most refinement approaches are based on information obtained from the spurious
counterexample; the most well-known technique is called counterexample-guided ab-
straction refinement (CEGAR) [CGJ+03]. In CEGAR, one spurious abstract coun-
terexample (corresponding to a set of runs in the concrete system, cf. Section 4.2)
is ruled out within every refinement step, that means the abstraction is modified in
such a way that the spurious counterexample is not feasible anymore.
We propose a variant of CEGAR, by defining two possibilities of refining the
abstraction, both based on information obtained from the spurious counterexample.
4.4.1 Ruling Out a Counterexample Trace
The first refinement option is to rule out the spurious counterexample just found.
The spurious counterexample is given by the set of valuations that constitute the
witness run ρσ, cf. (4.5). To ensure that the behaviour expressed by the witness
run is not feasible anymore in future verification steps, we could simply add ¬ρσ as
an additional conjunct to the representation of the abstract system α(ϕ(S))k, and,
82 CHAPTER 4. ABSTRACTION REFINEMENT
instead of checking α(ϕ(S))k∧¬φ (cf. Section 4.2), model check α(ϕ(S))k∧¬ρσ∧¬φ
in the next verification step. This is essentially equivalent to basic CEGAR.
Yet, we can do better, by taking into account information obtained from the
interpolants. Let G1, . . . , Gn be the sequence of interpolants derived for ϕ(S)k∧ρσ,
let Gf , 1≤f≤n, be the first interpolant in the sequence which is equal to false, and
let Gt, 1≤t≤n, be the last interpolant in the sequence which is equal to true (note
that Gt and Gf do not necessarily exist).
If Gf exists, we know (cf. Definition 4.3.1 and Section 4.3.3) that the prefix of
Gf is unconcretisable. Let i be the unfolding depth of variables contained in the in-
terpolant Gf−1, which is the interpolant directly preceding Gf (remember that every
interpolant contains variables of at most one unfolding depth). We reduce the wit-
ness run ρσ of length k to a subset ρσ≤i of length i containing only variable valuations
of variables with unfolding depth i or smaller, and model check α(ϕ(S))k∧¬ρσ≤i∧¬φ
in the next verification step. In this way, in a single refinement step, we not only
rule out one abstract counterexample, as is done in basic CEGAR, but we rule out
a set of abstract counterexamples at once.
If Gt exists, we can use this interpolant in a similar way: let j be the unfolding
depth of variables contained in the interpolant Gt+1, which is the interpolant directly
following Gt. We reduce the witness run ρσ of length k to a subset ρσ≥j+1 of length
k−j+1 containing only variable valuations of variables with unfolding depth j+1 or
larger, and model check α(ϕ(S))k∧¬ρσ≥j+1∧¬φ in the next verification step.
If neither Gf nor Gt exists, or if Gt=Gf−1 (the latter typically only happens with
small toy examples), this refinement step is not applicable. If both Gf and Gt ex-
ists, and Gt 6=Gf−1, we choose the interpolant that leads to a shorter counterexample
fragment being ruled out, that is, we choose Gf if i<k−j+1 (with i, j as above),
and Gt otherwise. The underlying idea is that a shorter witness run fragment cor-
responds to a larger set of witness runs of the full length k, and thus a larger set of
counterexamples is ruled out at once.
4.4.2 Refining a Previously Abstracted Parameter
The second refinement option is to reduce the domain of the abstraction •α, by
removing a parameter from it (that means, either remove a parameter from O,
or remove a mapping from γ). In this way, the parameter is put back into the
abstract system, such that it is considered again in future verification steps. More
concretely, the current abstraction αO,γ is transformed into a new abstraction α˜O˜,γ˜
with •α˜O˜,γ˜⊂•αO,γ, where either O˜⊂O, or γ˜−1(P′)⊂γ−1(P′). The new abstraction
α˜O˜,γ˜ is computed as follows.
To refine a parameter e∈O (a clock, a clock constraint or a data constraint),
the parameter is simply removed from O, that means O˜=O\e. However, it is only
possible to refine a clock constraint cc over a clock x∈X|cc if x itself is not abstracted,
that means x6∈•α, since otherwise, the new abstraction α˜O˜,γ˜ would produce a system
that contains a clock constraint over an undefined clock. Equivalently, it is only
possible to refine a data constraint dc over over a port p with Dp∈PDA|dc, or over a
memory cell m with Dm∈DCO|dc if p and m themselves are not abstracted, that means
m6∈•α, and p6∈•α.
4.4. REFINEMENT 83
If, instead, a parameter e∈γ−1(P′) (a location, an event, a port or a memory cell)
is to be refined, the mapping {e7→e′}, with e′∈P′, is removed from γ and replaced
by the identity mapping. If e was merged with one other parameter ~e only, that
means there exists exactly one ~e∈P with γ(~e)=γ(e)=e′, then the mapping for ~e
is removed as well: γ˜=γ ⊕ {e7→e, ~e 7→~e}, where ⊕ denotes function overriding.10
Otherwise, that means if |γ−1(γ(e))| > 2, no further changes need to be made to γ:
γ˜=γ ⊕ {e7→e}.
To solve the question which parameters from •α are to be considered for re-
finement, that means to identify the ill-abstracted parameters, we consider the set
Conts(Gf )∩•α def= •α|Gf−1 , with Gf−1 as before, of elements which are potentially
responsible for the spurious counterexample. Alternatively, we can consider the set
•α|Gt+1 , with Gt+1 as before. After choosing one of the parameters from any of the
sets, we refine it according to the procedure explained above. In the next verifica-
tion step, the property is checked on the abstract system computed with the new
abstraction function α˜O˜,γ˜, that means model checking is applied to α˜O˜,γ˜(ϕ(S))k∧¬φ.
Note that we could actually take any interpolant for this refinement option, that
means consider any set •α|Gi , with 1≤i≤n, since by definition, every interpolant
captures the reason of inconsistency of its prefix and suffix (cf. Definition 4.3.1 and
Section 4.3.2). However, since Conts(Gf ) = Conts(Gt) = ∅, choosing either Gf or
Gt is not reasonable. Choosing any interpolant Gf ′ , with f
′>f (that means, which
occurs in the sequence G1, . . . , Gn at some point after Gf ), is not reasonable either:
the prefix of Gf is inconsistent by itself, that means the cause of unsatisfiability is
entirely contained in this prefix. An interpolant Gf ′ , whose prefix contains the prefix
of Gf , can therefore not provide more information about the cause of unsatisfiability.
A similar argumentation holds for interpolants Gt′ , with t
′<t, which occur in the
sequence G1, . . . , Gn at some point before Gt. Note that in SMT solver tools like
[csi, FOC, mat], such interpolants Gf ′ and Gt′ are simplified to false respectively
true, even if the solver derived an interpolant 6=false respectively 6=true for the
particular bisection.
Let F1, . . . , Fn+1 be the sequence of formulas in α(ϕ(S))k∧¬φ for which the in-
terpolants G1, . . . , Gn are derived. The reason why we choose Gf−1 to determine
candidates for refinement is the following: we know that the prefix of Gf (the set
of formulas F1, . . . , Ff ) is unsatisfiable, but the prefix of Gf−1 (the set of formulas
F1, . . . , Ff−1) is not. Thus, the addition of “suffix” Ff to the prefix F1, . . . , Ff−1
causes the whole sequence F1, . . . , Ff to be unsatisfiable, and interpolant Gf de-
scribes the cause of this unsatisfiability (cf. also (4.9)). The argumentation for
choosing Gt+1 is similar.
4.4.3 Refinement Heuristics
For conciseness of explanation, we refer to the refinement option presented in Sec-
tion 4.4.1 as the first (refinement) option, and to the refinement option presented in
10The mapping for ~e could actually remain in γ, since a single mapping {~e 7→e′}, with
|γ−1(γ(~e))| = 1, corresponds to pure syntactic replacement of ~e by e′, and therefore does not
change the satisfiability of the result. Yet, ~e is a parameter in the original system ϕ(S), while e′
is not, therefore, we prefer to remove e′.
84 CHAPTER 4. ABSTRACTION REFINEMENT
Section 4.4.2 as the second (refinement) option.
The problem with the second refinement option is which parameter to choose
from •α|Gf−1 (respectively from •α|Gt+1) for refinement: since interpolants are not
unique, typically not all parameters in the set are responsible for the present spurious
counterexample, and some of the parameters might not be ill-abstracted at all. As
an example, consider again the interpolants in the left column of Table 4.3: the
second and the third interpolant contain parameters b and c, respectively b, c and
e, which are completely irrelevant to the cause of inconsistency of the formulas in
(4.10). Additionally, it is in general not clear under which conditions to apply either
the first or the second refinement option. Thus, the remaining difficulty is to define
heuristics describing the application of the two refinement options. Finding adequate
heuristics is a problem common to almost all refinement approaches, cf. for example
[CGJ+03, CCK+02].
While the first refinement option is quick and easy to apply, in that the ap-
plication is straightforward once a counterexample has been found, it cannot yield
results as long as essential parameters are inadequately abstracted. Application of
the second option is not so straightforward and in addition involves more computa-
tional effort (recomputing the abstraction), but this option is indispensable to add
ill-abstracted parameters back into the system. However, if the second option is ap-
plied too frequently, the abstract system quickly collapses to the original system. It
is thus necessary to define heuristics that strike a suitable balance between options
one and two.
The best solution to solving this problem is to leave the decision (which option
and—for option two—which parameter to choose) to the human experts. The rea-
soning is that system developers who have designed and improved the system in a
number of iterations in the development process have a deep insight into the func-
tioning of the system, and, when presented with a counterexample and/or a set of
potentially responsible parameters, these experts will be able to deduce information
about the quality/applicability of the different refinement options.
To support the developers in reaching a decision, and as a first step towards
automatic abstraction refinement, we propose the following heuristic, which in par-
ticular uses both refinement options one and two. We first rule a fixed number of
counterexamples (for example k
2
), using option one, and in every iteration record the
set •α|Gf−1 (respectively •α|Gt+1) of parameters that are potentially responsible. Let•α|Gif−1 denote the set obtained in the i-th iteration. After this, we inspect the multi-
set •α|G1f−1∪•α|G2f−1∪ . . .∪•α|Gnf−1 , and determine the parameter(s) with the highest
multiplicity. If there exists a single such parameter, we refine it with refinement
option two. Otherwise, if there are two or more parameters with the same (highest)
multiplicity, we can either randomly choose a parameter among these, or continue
applying option one until one parameter in the multiset has a higher multiplicity
than the others.
The idea of this heuristic is as follows: as explained above, applying refinement
option one is quick and easy, moreover, it will never result in an abstraction that is
too fine (in contrast, when refining a parameter with option two that is irrelevant to
the property, the abstraction becomes unnecessarily fine). We can therefore apply
option one a number of times, without loosing efficiency. By taking into account
4.5. CONCLUSION 85
the set of potentially responsible parameters •α|Gf−1 obtained from (many) different
iterations, we increase the probability of choosing a parameter that is indeed ill-
abstracted, since ill-abstracted parameters will occur more frequently.
4.5 Conclusion
In this Chapter, we have presented a general framework for abstraction and re-
finement of TA and TCA that are represented in propositional logic with linear
arithmetic.
In Section 4.1, we have defined our uniform abstraction function. It is essentially
equivalent to the abstraction function presented in [Kem11] (which in turn is an
improved variant of the abstraction functions presented in [KP07, Kem09]). The
major difference between the abstraction function presented here and the one in
[KP07, Kem09] is the fact that we do not in general map negative propositional
variables to true. Such an abstraction function would effectively remove the mutual
exclusion constraint for locations (cf. (3.5), (3.14) and (3.24)) and TA events (3.6),
as well as part of the consistency constraint on data values in TCA and TNA ((3.15)
and (3.25)). Instead, we take into account the special characteristics of our formula
representation, and the syntactic context of the propositional variable (4.1c), (4.1d),
and in this way retain more information. See Section A.2 for further details.
In addition, while the abstraction functions presented in previous work were
tailored to one system type each, we have shown in Section 4.1 that the abstraction
function presented here uniformly handles both TA and TCA. We have provided
correctness results, which in particular take into account the new representation
features of memory cells and data values. In Section 4.2, we have restated in more
detail the concept of concretisation, which has been briefly sketched in previous work
[KP07, Kem11].
Section 4.3 deals with Craig interpolation. After a brief introduction to Craig
interpolants, presented mainly for completeness, we have provided an extensive dis-
cussion on expressiveness of interpolants, and the type of information that can be
derived from (a sequence of) interpolants. We use these results in Section 4.3.3 to
reorder the formulas in the representation of TA and TCA such that the information
derived from interpolants is maximised.
Finally, in Section 4.4, we have discussed two refinement options in detail. While
these options were sketched in previous work already ([KP07, Kem11]), we here
provide a detailed discussion of how and when to apply each of the options, and
discuss advantages and disadvantages. Section 4.4.3 discusses refinement heuristics
based on the two refinement options. Apart from automatic abstraction refinement,
these heuristics can also be used to support user decisions on which refinement option
to choose.

Chapter 5
Tool Development and Application
to Case Studies
In the previous Chapters, we have presented the theoretical foundations of a frame-
work for modelling and analysing distributed real-time systems. While it is of course
very important to have a well-grounded and correct theoretical basis to start from,
any formalism can only be used in practice if it comes along with adequate tool sup-
port. Such tool support can in turn be used to show the usability and applicability
of a formalism. In particular, graphical editors offer intuitive and easy access to a
new formalism, even for the unexperienced user. In this Chapter, we present our
work on tool development, which has been done in the context of this thesis.
The rest of this chapter is organised as follows: in Section 5.1, we present the
details of the tool implementation. We start by giving a brief introduction to the
Extensible Coordination Tools (ECT) in Section 5.1.1, a tool suite that is being
developed in the Foundations of Software Engineering group1 (SEN3) at CWI. In
the remainder of Section 5.1, We then present the support for modelling and analysis
of TCA that we have integrated into ECT . In Section 5.2, we use a small example to
explain the most important features of our tool, and show the typical workflow when
using it. Finally, in Section 5.3, we introduce two case studies, present experimental
results when using our tool to model check them, and discuss the advantages of
using our formalism and tool over using other formalisms.
Except for Sections 5.1.1 (which is presented to provide a deep insight into the
functioning of our implementation in the overall context of ECT) and 5.3.1 (which
has been presented in [Kem11]), this Chapter describes original work, which has not
been presented elsewhere.
1http://www.cwi.nl/research-groups/Foundations-of-software-engineering
87
88 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
5.1 Implementation
We have implemented our work on TCA and integrated it as part of the Extensi-
ble Coordination Tools (ECT, [ECT]), building on the Extensible Automata (EA)
framework. In the next section (Section 5.1.1), we give a high-level overview of
ECT, and briefly introduce the architecture of the EA framework. In Section 5.1.2,
we present the implementation of the TCA editor plugin. Finally, Section 5.1.3 ex-
plains the implementation of the formula generation from TCA. If not explicitly
mentioned, all implementation is done in Java [GJSB05].
5.1.1 The Extensible Automata framework in ECT
ECT is an integrated graphical development environment available for the Eclipse
[Ecl] platform. It consists of a set of plugins that support modelling and analysis of
component-based systems. The core of ECT has been developed and implemented in
the context of the PhD thesis of Christian Krause [Kra11]. ECT provides extensive
support for systems which are specified in the channel-based coordination language
Reo [Arb04], including a graphical modelling environment (editor), conversion to
and from other models (for example to quantitative intentional automata (QIA) and
(in turn) markov chains [AMM+09], to CA [ABRS04], to mCRL2 [KKdV10, Kra11],
from BPMN, UML sequence diagrams and BPEL [CKA10]), java code generation,
and animation. In addition, ECT comprises plugins to directly edit most of the
aforementioned models, amongst other for CA, QIA and mCRL2 (for BPMN, an
Eclipse plugin outside ECT already exists [BPM]). Please refer to [Kra11, ECT] for
a complete and detailed description of ECT.
Our implementation of the TCA plugin uses the Extensible Automata (EA)
framework in ECT. The framework was developed and implemented with the in-
tention to “provide a unified framework for deriving automata-based models for
Reo” [Kra11], but allows to extend existing and define new automata-based models
in general (i.e., detached from Reo). In the remainder of this Section, we give a
brief overview of the EA framework; again, we refer to [Kra11] for a complete and
detailed description.
The meta model of the framework comprises the packages cwi.ea.automata (cf.
Figure 5.1) and cwi.ea.extensions (cf. Figure 5.2).2 Conceptually, there are two
different types of elements in the EA framework: extensible elements and extensions
(extending elements). The interfaces IExtensible in cwi.ea.automata and IExtension
in cwi.ea.extensions mirror this structure. Every IExtensible owns a number of IEx-
tensions.
Package cwi.ea.automata contains classes for the basic extensible elements that
make up every automata-based model: Automaton, State,3 and Transition. These ex-
tend the abstract base class ExtensibleElement (in package cwi.ea.extensions), which
implements interface IExtensible.
2Figures 5.1 and 5.2 are essentially taken from [Kra11]. Equivalent diagrams can also be found
as part of the source code of the ECT tools, publicly available at http://reo.project.cwi.nl/.
3Our notion of location (cf. Chapter 2) equates to the notion of state in the EA framework.
5.1. IMPLEMENTATION 89
ExtensibleElement
(in cwi.ea.extensions)
State
Automaton
#usedExtensionIds:String
Transition
automaton
1
states0..*
automaton
1
transitions 0..*
source
1
outgoing
0..*
incoming
0..*
target
1
Figure 5.1: Package cwi.ea.automata
interface
IExtensible
interface
IExtension
∼id:EString
ExtensibleElement ExtensionElement
IntegerExtension
#value:int
StringExtension
#value:String
StringListExtension
#values:EList<String>
BooleanExtension
#value:boolean
owner
1 0..*
extensions
Figure 5.2: Package cwi.ea.extensions
90 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
Extensions are key/value pairs, where the key is a unique ID of type String, and
the value contains the content information of the extension. There are four prede-
fined extension value types in cwi.ea.extensions : StringExtension, StringListExtension,
BooleanExtension and IntegerExtension. These extend the abstract base class Exten-
sionElement, which implements IExtension. New custom types can be easily defined
by extending ExtensionElement or one of its subclasses.
To make clear the difference between plugin and extension: a plugin is an encap-
sulation of behaviour, providing support for a certain feature. For example, the TCA
plugin provides support for modelling and analysing TCA in various ways. A plugin
typically comprises several extensions. Every extension implements one aspect of
the feature, for example, modelling TCA transitions by adding real-time aspects to
transitions. Every extension is enabled for (i.e., applicable to) exactly one of the
extensible elements Automaton, State or Transition.
Every extension has a provider class (extension provider), cf. Figure 5.3. An
extension provider has to implement the interface IExtensionProvider , and one of the
interfaces ITextualExtensionProvider (for textual extensions, i.e. labels) or ICustomEx-
tensionProvider (for other types of extensions), all contained in package cwi.ea. The
provider class defines how to handle the extension in the editor, it contains methods
amongst others for parsing, editing and validating (syntax and semantic checks) the
extension, or for providing a default extension. For conciseness of explanation, in
the sequel, we refer to extensions by the name of their provider class, while omitting
the suffix Provider.
interface
ITextualExtensionProvider
+editExtension(IExtension extension):String
+parseExtension(String value, IExtensible owner):IExtension
interface
IExtensionProvider
+validateExtension(IExtension x):IValidationResult
+createDefaultExtension(IExtensible owner):IExtension
interface
ICustomExtensionProvider
Figure 5.3: Package cwi.ea
An EA automaton can in principle use any combination of the extensions de-
fined in plugins within the EA framework (see [Kra11] for a complete overview of
supported extensions). In the manifest file plugin.xml that accompanies every plu-
5.1. IMPLEMENTATION 91
gin definition in Eclipse, it is possible to define dependencies and mutual exclusion
constraints among extensions (either among extensions of the particular plugin, or
among extensions of the particular plugin and other plugins). Moreover, in the
plugin.xml files of EA plugins, it is possible to define an automaton type, that has
a predefined set of extensions enabled on creation.
5.1.2 The Timed Constraint Automaton Plugin
We have added support for TCA to the EA framework. Since TCA are an ex-
tension of CA, we were able to use the existing extensions for initial locations
(StartStateExtension), port names on automaton level (AutomatonPortNames), ac-
tive ports (TransitionPortNames), and location memory (StateMemoryExtension). To
support the particular features of TCA, we implemented a number of new exten-
sions. All of the new extensions implement interface ITextualExtensionProvider (cf.
Figure 5.3), and are simple enough such that we were able to use the predefined ex-
tension value type StringExtension (cf. Figure 5.2). All extensions are contained in
package cwi.ea.extensions.clocks . The following overview shows the new extensions,
their format as seen in the editor, and their most important features. The default
value is generated when calling createDefaultExtension() , the syntactic checks are
performed when calling validateExtension (both from IExtensionProvider).
AutomatonClocks (all clocks defined for a TCA): comma separated list of clock
names. Enabled for Automaton.4 Default value ”” (empty string, i.e., no
clocks).
StateInvariant (location invariants): clock constraint formula according to Def-
inition 2.1.2. Enabled for State. Default value true. Syntactic check that
formula is well-formed, and that every clock used in the formula is defined in
AutomatonClocks.
TransitionGuard (clock guards on transitions): clock constraint formula according
to Definition 2.1.2. Enabled for Transition. Default value true. Syntactic
check that formula is well-formed, and that every clock used in the formula is
defined in AutomatonClocks.
TransitionUpdate (clock updates on transitions): comma separated list of clock
assignments according to Definition 2.1.5.5 Enabled for Transition. Default
value ”” (i.e., all clocks keep their value). Syntactic check that no clock is
assigned more than once, and that every clock used in an assignment is defined
in AutomatonClocks.
TCADataConstraints (data guards on transitions): data constraint formula ac-
cording to Definition 2.1.7. Enabled for Transition. Default value true. Syn-
tactic check that every port used in the data constraint is defined in Transi-
4See above, every extension is enabled for exactly one of Automaton, State, Transition.
5More concretely, write x=n for an update λ(x)=n, and x=y for an update λ(x)=y. Clocks
not mentioned are assumed to keep their value.
92 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
tionPortNames, and every memory cell used in the data constraint is defined
in StateMemoryExtension of either source or target location of the transition.
Despite the fact that a data constraint extension for CA already existed (Con-
straintExtension), we had to provide the new extension TCADataConstraints for data
guards in TCA. The reason is that both types of data constraints provide distinct
features, which are not supported by the other data constraint type. For example,
CA data constraints allow to reason about functions on the data values, which is
not supported in TCA. On the other hand, CA data constraints require that every
memory cell used by the target location of the transition is initialised in the data
constraint, while for TCA, we do not impose this restriction (cf. Remark 2.3.2).
In the plugin.xml file, we defined a number of constraints on (in)admissible and
required combinations of extensions, as shown in Table 5.4. We also defined a new
automaton type Timed Constraint Automaton. When a new automaton of this type
is created in the editor, it has the aforementioned extensions (except of course for
ConstraintExtension) enabled.
Extension Requires Extension Mutually exclusive with
TransitionGuard AutomatonClocks,
TransitionUpdate
TransitionUpdate AutomatonClocks,
TransitionGuard
StateInvariant AutomatonClocks
TCADataConstraints ConstraintExtension (CA
data constraints)
Table 5.4: Dependencies between extensions in the TCA plugin
The syntactic checks described above are executed in methods parseExtension ,
editExtension and validateExtension (cf. Figure 5.3). For these checks, the new
extensions use the helper classes TCAClocksParser and TCADataParser, contained
in package cwi.ea.extensions.clocks.parsers . These parsers are generated from the
grammar files TCAClocks.g and TCAData.g using the parser generator ANTLR
[ANT].
5.1.3 From TCA to Formulas
We have implemented the translation of TCA to propositional formulas with linear
arithmetic, as presented in Section 3.1.3, in ECT. In this section, we describe the
implementation of our TCA formula generation.
ECT provides support for code generation (into an arbitrary target language)
in package cwi.codegen, cf. Figure 5.5. A new code generator is defined by imple-
menting the interface ICodeGenerator (or extending one of its abstract subclasses).
Interface IGenModel encapsulates the data needed for code generation, that means,
the properties (content information) of the underlying model that influence the
generated code. It offers methods to manipulate these properties. Properties are
5.1. IMPLEMENTATION 93
interface
ICodeGenerator
+generateCode(IGenModel genModel)
+initGenModel(IGenModel genModel)
+validateGenModel(IGenModel genModel):IStatus
interface
IGenModel
PROJECT LOCATION:String
PROJECT NAME:String
+getProperty(String key):String
+setProperty(String key,String value)
AbstractCodeGenerator
JavaCodeGenerator
GenericGenModel
content 1
Figure 5.5: Package cwi.codegen
key/value pairs of type String, new properties can be easily defined by calling set-
Property(key,value) on an (until then) undefined key. IGenModel defines the two
properties PROJECT LOCATION and PROJECT Name which every code genera-
tor should support.
The sources for the TCA formula generation extension are located in package
cwi.ea.extensions.clocks.codegen, cf. Figure 5.6. Interface SMTFormulaTemplate can
be seen as the main class of the extension. It defines a generic template for in-
termediate representation of TCA, and serves as a superclass for template classes
that generate formulas for different back-ends. Currently, there exists only one class
that implements SMTFormulaTemplate in package cwi.ea.extensions.clocks.codegen,
MathSATFormulaTemplate. This class is used to generate input files for the Math-
SAT [mat] tool.6
For each of the constituents ϕX of the formula representation (3.16) (cf. Table 3.4
on Page 50), SMTFormulaTemplate defines a method signature buildX to generate
the corresponding formula: buildInit() for ϕinit (3.10), buildTrans() for ϕtrans (3.13),
buildLocation() for ϕlocation (3.14), and buildMutex() for ϕmutex (3.15). The boolean
parameter unfold in the latter three is used to determine whether to generate the
step-abstract variant of the formula, that means with indices t and t+1, or the
unfolded variant (cf. Section 3.2.2). In the former case, the return value should be a
singleton list, in the latter case, the list should contain one entry for every unfolding
depth, sorted in ascending order. The boolean parameter product in buildTrans()
determines whether to generate delay transitions for products of TCA, cf. (3.17).
Subclasses of SMTFormulaTemplate will have to implement these methods such that
they generate formulas in the appropriate input format for the intended back-end
solver, while following the constraints explained above.
6For MathSAT version 4.2.17.
94 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
SMTFormulaGenerator
+generateCode(IGenModel genModel)
+initGenModel(IGenModel genModel)
+validateGenModel(IGenModel genModel):IStatus
AbstractCodeGenerator
(in cwi.codegen)
interface
SMTFormulaTemplate
+buildInit():String
+buildTrans(boolean unfold,boolean product):EList<String>
+buildLocation(boolean unfold):EList<String>
+buildMutex(boolean unfold):EList<String>
+toString():String
+toProductString(EList<SMTFormulaTemplate> templates):String
MathSATFormulaTemplate
−Automaton automaton
−int unfoldingDepth
−int upperBound
−String reachableStateName
+MathSATFormulaTemplate(Automaton auto,String state, int depth, int upB)
content 1..*
Figure 5.6: Package cwi.ea.extensions.clocks.codegen
The formula representation (in String format) for a single SMTFormulaTemplate
object is obtained by calling method toString() . Method toProductString() is used
to generate the product representation for a list of templates. Subclasses of SMT-
FormulaTemplate will typically implement these methods such that they call the
buildX methods (passing the runtime value of unfold to the latter three), add addi-
tional information for the intended back-end solver as needed, and possibly sort the
formulas in a specific way (cf. Section 4.2). Any implementation of the toProduct-
String() method should be robust enough to produce the same result, independently
of whether the object on which it is called (this) is contained in the list or not.
The constructor of MathSATFormulaTemplate is used to initialise the private
fields with the appropriate values. It can be used for both finite and infinite data
domains: for finite data domains, a lower bound of 0 is assumed by default. If the
fourth parameter, upB (“upper bound”), is 0 as well, the data domain is assumed to
be infinite. Otherwise, upB is required to have a value ≥1, which then determines
the upper bound of the data domain (cf. also Remark 3.1.6 on finite data domains).
5.1. IMPLEMENTATION 95
Parameter state can be used to specify the name of a location to be checked for k-step
reachability, cf. Section 3.2.3; it is stored in field reachableStateName. The imple-
mentation of toString() respectively toProductString() generates the corresponding
formulas. If parameter state is the empty string, no such property is generated.
Invocation of the formula generation from the editor (cf. Section 5.2.2) creates an
instance of class SMTFormulaGenerator, which is a subclass of AbstractCodeGenerator
from cwi.codegen, cf. Figure 5.6. SMTFormulaGenerator implements the methods
from ICodeGenerator (cf. Figure 5.5) as follows. Method initGenModel() initialises
the properties of the genModel required for formula generation: unfolding depth,
data domain, location of the resulting output file, the set of automata to translate
to formulas (this is a subset of all automata contained in the currently open file),
and the target language (currently, only MathSAT format is supported). These
settings are determined from user input to the formula generation wizard pages, cf.
Figures 5.13, 5.14 and 5.15.
Method validateGenModel() checks that the genModel initialised in this way satis-
fies a number of additional (with respect to the constraints described in Section 5.1.2)
syntactic and semantic requirements. This is needed for the resulting formulas to
be well-defined: formula generation can be invoked for any EA automaton, but the
results are well-defined only for TCA. The constraints include for example unique-
ness of names, appropriate choice of finite data domain with respect to data values
used in data constraints, or appropriate choice of enabled extensions (according to
Section 5.1.2).
Method generateCode() starts the actual formula generation. It creates an SMT-
FormulaTemplate instance for each TCA selected for formula generation. The target
language property determines the runtime type of these objects, that means which
subclass of SMTFormulaTemplate to use. Actual parameters of the constructor of the
appropriate runtime class are determined from the properties of the genModel. gen-
erateCode() then calls either toString() or toProductString(), depending on whether
one or more TCA were selected for formula generation, and writes the resulting string
to a file, using the corresponding property of genModel to determine the location.
5.1.4 Abstraction Refinement
Abstraction and refinement of TCA is not directly part of the ECT, in that it is
not implemented as a plugin or extension within the graphical ECT interface. In-
stead, it is implemented as a standalone program, which performs abstraction and
refinement on a file obtained from the ECT plugin (as explained in the preceding
Section 5.1.3), and calls the preferred (corresponding) SMT solver for the verification
part. The reason is that many SMT solvers already offer a graphical user interface
(MathSAT does not, though). If needed, abstraction and refinement can be in-
tegrated into ECT on a command line basis, similar to the integration of mCRL2
(cf. [Kra11]), but we consider this less useful. The sources are found in package
cwi.ea.extensions.clocks.absref , cf. Figure 5.7.
The interface TCAAbstractor serves as a base class for all implementations of
abstraction functions working on TCA, independent of a specific target language.
It defines method signatures that need to be supported by all such abstractors.
96 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
interface
TCAAbstractor
+getMergings():Set<Set<String>>
+getOmissions():Set<String>
+addMerging(Set<String> params):boolean
+addOmission(String param):boolean
+performAbstraction()
+getResult():TCAFile
MathSATTCAAbstractor
−MathSATTCAFile file
−Set<Set<String>> mergings
−Set<String> omissions
−MathSATTCAFile result
+MathSATTCAAbstractor(String file)
+MathSATTCAAbstractor(String file,
Set<String> omit,Set<Set<String>> merge)
TCAFile
#Set<String> clockNames
#Set<String> portNames
#Set<String> memcellNames
#Set<String> stateNames
#int unfDepth
+addClockName(String name)
+addPortName(String name)
+addMemcellName(String name)
+addStateName(String name)
+setDepth(int d)
+getClockNames():Set<String>
+getPortNames():Set<String>
+getMemcellNames():Set<String>
+getStateNames():Set<String>
+getDepth():int
+toString():String
MathSATTCAFile
+MathSATTCAFile(String file)
content
1
content
1
Figure 5.7: Package cwi.ea.extensions.clocks.absref
5.2. WORKFLOW 97
Implementing class MathSATTCAAbstractor is tailored to work on files containing
formulas in MathSAT format. In particular, MathSATTCAAbstractor implements
the performAbstraction() method, by essentially implementing abstraction function
α presented in Figure 4.1 in Section 4.1.
The abstract container class TCAFile encapsulates the intermediate represen-
tation of TCA in the process of abstraction, independent of a specific target lan-
guage. It is used for both intermediate and final results.7 Though TCAFile is ab-
stract, it provides implementations for all methods except toString() , since this
is the only method that depends on the target language, all other operations are
performed on the internal/intermediate representation. Class MathSATTCAFile ex-
tends TCAFile, by implementing toString() such that the resulting String is in proper
MathSAT format. Parser class MathSATFormatParser (not shown in Figure 5.7)
is used by MathSATTCAAbstractor to parse a text file in MathSAT format and
generate a MathSATTCAFile object from it. The text file can be obtained either
from ECT, as explained in Section 5.1.3), or be generated by the toString() method
of MathSATTCAFile itself. Class MathSATFormatParser is generated from grammar
file MathSATFormat.g using the parser generator ANTLR [ANT].
Finally, class TCAMain uses the aforementioned classes to provide a little (com-
mand-line based) application to perform interactive abstraction refinement. Es-
sentially, the application implements the three steps of the abstraction refinement
paradigm (cf. the beginning of Chapter 4), looping through steps two and three.
Figure 5.8 shows a conceptual overview of the application, where grey boxes indicate
calls to external tools. The implementation is completely interactive, that means
the user has to choose the initial abstraction (the application shows the list of ab-
stractable parameters, though) as well as a refinement option and parameter to be
refined (the application shows a list of potentially responsible parameters as well as
the current counterexample, though). The type of the input file, and thus the SMT
solver to be called, are determined from the input file ending. At the moment, only
MathSAT is supported (file ending .msat or .mathsat), but it is easy to extend
TCAMain to support other file types and solvers.
Notice that the abstraction refinement loop in Figure 5.8 has two exit points:
either the conjunction of property and abstract system is unsatisfiable, in this case,
the property holds for k steps (cf. Section 3.2.3); or the conjunction of original
system, property and witness run is satisfiable, in this case, a counterexample to the
property has been found.
5.2 Workflow
In this Section, we describe the typical workflow when working with the TCA plugin,
using the FIFO buffers with expiration from Examples 2.3.3 and 2.3.10. The Section
7It would have been possible to extend interface SMTFormulaTemplate from package
cwi.ea.extensions.clocks.codegen (cf. Figure 5.6) in such a way that it can be used for interme-
diate results of abstraction as well. Yet, this would have prevented us from providing method
implementations in abstract class TCAFile. Moreover, we prefer to keep the approach modular and
flexible, by maintaining two intermediate formats (SMTFormulaTemplate for code generation, and
TCAFile for abstraction).
98 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
solve abstract concretise solve original
refineabstract
property satisfied for k steps property not satisfied
unsatisfiable satisfiable
Figure 5.8: Implementation of Abstraction Refinement Loop, Conceptual Overview
can also be seen as a little “Getting started” tutorial to the TCA plugin. We assume
that ECT and in particular the EA framework is installed already.8 For instructions
how to install the plugins, please refer to the ECT website http://reo.project.
cwi.nl.
5.2.1 Editing
The first step is to draw the TCA. From the Eclipse workbench, create a new General
Project (File  New  Project  General  Project) with name Workflow. In the
project, create a new EA automaton file (File  New  Other , scroll down to the
Reo wizard and choose Automaton), and name it Workflow.ea. From the palette
that appears on the right, choose Automaton and left-click on the empty canvas
to create a new EA automaton. A menu appears that allows to choose one of the
predefined automaton types. If none of the types is chosen, the new automaton has
no extensions enabled. Choose Timed Constraint Automaton and give it the name
Buffer. A rectangle, indicating the drawing area for the new automaton, appears
on the canvas, cf. Figure 5.9.
The upper part of the drawing area contains general information: the name of
the automaton, and information from extensions which are applicable on automa-
ton level. The two symbols below the name indicate that extensions Automaton-
PortNames ( ) and AutomatonClocks ( ) are already enabled for this TCA (these
extensions were enabled automatically when automaton type Timed Constraint Au-
tomaton was chosen). The StateMemoryExtension is not enabled by default. To en-
able it, right-click on the automaton, choose Extensions from the context menu, and
check State Memory . Since StateMemoryExtension is not applicable to Automaton,
there is no visible change. Add two ports p and q and a clock x to the automaton:
click on the respectively label until a text field shows up, then enter the text
p,q respectively x.
Next, we add locations. From the palette on the right, choose State, and click
inside the (lower part of the) rectangle to add a location. Give it the name empty.
The ingoing arrow indicates that StartStateExtension is enabled for this automaton
8All descriptions and images in this section are based on version 3.2.0 of ECT, and version
3.2.9 of the EA framework.
5.2. WORKFLOW 99
Figure 5.9: Workbench Overview
(again, this extension was enabled automatically when automaton type Timed Con-
straint Automaton was chosen), by default, the first location that is created is set to
be the initial location. The initial location can be changed from the context menu
of locations. Add a second location with the name full. The symbols next to the
locations show that StateMemoryExtension ( ) and StateInvariant ( ) are enabled.
Add a memory cell m to full, and set the invariant of full to x<=3.
To add a transition from empty to full, choose Transition from the palette, click
on empty, and drag the other end of the transition to full. For every (enabled)
extension which is applicable to Transition, the new transition has a corresponding
label. The four labels are for TransitionGuard, for TransitionUpdate, for
TCADataConstraint, and for TransitionPortNames. Set the labels pursuant to Fig-
ure 2.5, add two transitions from full to empty, and set the labels accordingly. Note
that memory cell references (s.m and t.m) in the data guards have to be prefixed
with an additional $ in the editor. This is due to liberal naming conventions in ECT
which allow dots . to appear in names. The final TCA should look similar to the
one shown in Figure 5.10 (in order not to clutter up the picture, we have removed
empty transition labels).
Repeat the above steps, and create a second instance of the buffer in the same
file Workflow.ea. Name it Buffer2, with locations empty2 and full2, memory cell
m2 (in full2), clock x2 and ports q and r (cf. Figure 2.6). Make sure to use q on
the transition from empty2 to full2. The resulting TCA should look similar to the
one shown in Figure 5.11.
Throughout the editing process, every modification is checked for syntactic cor-
rectness, according to the syntactic requirements explained in Section 5.1.2. If a
syntactic error is detected, the label of the extension (for example or ) in which
the error occurred is replaced by the error marker . A tooltip appears on mouseover
which gives information about the error, and in this way helps to resolve it. As an
example, while composing the Buffer automaton, we could try to use port p on a
100 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
Figure 5.10: First Buffer Figure 5.11: Second Buffer
transition before declaring it on automaton level. Figure 5.12 shows the resulting
error marker and tooltip. To resolve the error, we need to do two things: first, add
Figure 5.12: Indication of Errors
p on automaton level (i.e., in the field with label field just below the name). After
that, the error marker remains active, because the editor only checks the extension
that has just been edited (AutomatonPortNames in this case). Therefore, we need to
edit the TransitionPortNames extension again (simply click on the error marker until
the text field appears, and confirm). The TransitionPortNames extension is checked
again, and since p is now declared on automaton level, the error marker disappears.
5.2.2 Formula Generation
Formula generation is invoked from the context menu of automata: right-click on
one of the automata, and choose Generate code  SMT Formula Generator to open
the code generation wizard.
The first page of the wizard allows to specify the name and directory of the
resulting file, the unfolding depth, the range of data values, and the target language
(Figure 5.13). Since currently only the MathSAT solver back-end is supported, the
only admissible entry in the target language field is msat, which naturally is also
the default. Enter Workflow as Project name, 2FIFO.msat as Output file name, and
click Next> at the bottom of the wizard page.
The second page (Figure 5.14) allows to choose the (combination of) automata
to generate code for (the resulting formulas contain delay transitions, cf. Defini-
5.2. WORKFLOW 101
tion 3.1.8, iff more than one automaton is selected). Select both TCA and click
Next>.
Finally, the third wizard page (Figure 5.15) allows to select up to one loca-
tion for each automaton that was selected on the previous (second) wizard page,
to check for k-step reachability. Unfold the lists of locations, select locations full
and full2, and click Finish. Note that if locations are selected for a (non-empty)
subset of automata only, then k-step reachability is checked for all possible combi-
nations of the selected locations with any location from the other automata. For
example, if we would select location full only, i.e., not select a location for Buffer2,
reachability would be checked for any of the product locations (full,empty2) and
(full,full2).
Figure 5.13: Code Generation Wiz-
ard, First Page
Figure 5.14: Code Generation Wiz-
ard, Second Page
Figure 5.15: Code Generation Wiz-
ard, Third Page
After clicking Finish, the resulting file 2FIFO.msat can be found in the Project
Explorer view to the left of the canvas, it is located in the src subdirectory in the
102 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
Workflow project, cf. Figure 5.16.
Figure 5.16: Workbench, Project Explorer View
5.2.3 Verification
We now have two options to continue. The first option is to directly call Math-
SAT on the generated file 2FIFO.msat. In general, MathSAT is invoked by calling
mathsat [options] input file from the command line. In our context, the min-
imal set of options includes:9
-solve: tells the solver to solve the formula (other options include for example
transformation to CNF)
-input=msat: specifies the input format (other options are smt or dimacs)
-logic=QF LRA: specifies the logic to be used (Quantifier Free Linear Real Arith-
metic)
Other useful options include for example
-print model: prints one satisfying valuation (model), if it exists
-allsat: prints all satisfying valuations, if they exist (only recommended for small
problems)
-outfile=FILE: redirects the output from stdout to file FILE
9For a complete and detailed overview and explanation of the available options, please refer to
[mat]
5.2. WORKFLOW 103
The output of a call to MathSAT always starts with some statistical infor-
mation about the input problem and the involved theory solvers. The essential
information can be found at the very end of the output: the last line of the output
of the call mathsat -solve -input=msat -logic=QF LRA 2FIFO.msat says sat,
which means the set of input formulas is satisfiable, and thus the “error state”
(full,full2) is reachable.
The second option is to call the abstraction refinement application (cf. Sec-
tion 5.1.4) on the generated file 2FIFO.msat: java TCAMain 2FIFO.msat. As ex-
plained in Section 5.1.4, the application first asks the user to create the initial
abstraction. For ports, for example, the application outputs
Choose ports to abstract/merge (type numbers of ports
to be merged, separated by blanks, type ’X’ to end):
1: r
2: p
3: q
and for clocks, it outputs
Choose clocks to abstract/remove (type numbers,
separated by blanks):
Set of clocks is
1: x
2: x2
Type 1 (and confirm) to remove clock x. After this initial abstraction is determined,
the application internally calls MathSAT on the abstract system. Since the “error
state” (full,full2) was already reachable in the original system, it is of course
reachable in the abstract system as well. The next output of the application is
Spurious counterexample found, abstraction needs to be refined.
Choose refinement option (type number):
1: rule out counterexample trace
2: refine a parameter
Type 2, this gives the output
Choose parameter to refine (type number):
1: x
Now type 1 to refine clock x. The application refines the abstraction, and calls
MathSAT again on the resulting system (which is the original system already).
The next (final) output is
Property does not hold.
and the application terminates.
104 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
5.3 Case Studies
As stated in Chapter 2, TCA are specially tailored to implement coordinating connec-
tors in networks where timed components communicate by exchanging data through
multiple channels. In this way, TCA impose a certain communication pattern on
associated components, that means, they force the components to behave (commu-
nicate) in a certain way. An obvious application area is therefore to use TCA for
modelling time- and data-aware communication protocols.
In this section, we describe two such protocols, present experimental results we
got from modelling and analysing the protocols with our TCA plugin for ECT, and
discuss the benefits of using TCA as underlying formalism for these case studies and
in general.
5.3.1 Alternating Bit Protocol
In this section, we present the alternating bit protocol (ABP). The ABP is a network
protocol, which ensures successful transmission of data elements between a sender
and a receiver over unreliable channels. It is one of the standard benchmarks in the
context of component based systems and process algebra, and has been discussed in
detail for example in [Mil89, Fok00, LM87].
Essentially following the description in [Mil89], we design the protocol from four
subcomponents: the Sender, the Receiver, and two unreliable channels Channel1 and
Channel2 connecting the former two. Each of these components is modelled with a
separate TCA. We assume that the channels may loose, but not corrupt or duplicate,
data at random. Yet, it is very easy to change this behaviour, simply by exchanging
the TCA that model the channels. For an overview of how to model timed channels
with different behaviour, see for example [ABdBR07]. A conceptual overview of
the components is shown in Figure 5.17. Arrows indicate the intended direction of
dataflow, labels indicate the ports through which the components communicate.
Sender Receiver
Channel1
Channel2
A C
DB
I O
ABP
Figure 5.17: ABP Connector, Conceptual Overview
The protocol works as follows: after accepting input (from the environment)
through port I , the Sender starts a timer, and sends the message to the Receiver via
Channel1, i.e., it sends the message to Channel1 through port A, and Channel1 in
turn sends the message to the Receiver via port C . The Sender attaches a control
bit b to the message, and expects the Receiver to send back the corresponding
control bit b through Channel2 as acknowledgement. After having received the
5.3. CASE STUDIES 105
acknowledgement, the Sender is ready to accept another input from the environment,
which it sends to the Receiver with attached control bit ¬b (this is where the name
alternating stems from). If the timer of the Sender expires before it receives the
acknowledgement bit b, or if it receives acknowledgement bit ¬b (which it ignores),
it assumes an error has occurred, resets the timer and resends the message with
bit b.
The Receiver works complementary: it receives a message, together with a con-
trol bit b, from the Sender through Channel1. After delivering the message to the
environment through port O , the Receiver sets a timer, and sends bit b as acknowl-
edgement to the Sender through Channel2. Next, it expects a message tagged with
bit ¬b. If the timer expires, or the next message is tagged with b again (which the
Receiver ignores), the Receiver assumes an error has occurred, resets the timer and
resends the acknowledgement bit b.
We assume an arbitrary but fixed, finite set of messages Msg. The data do-
main is Data=Msg∪Msg×{0, 1}∪{0, 1}. The three subsets of Data correspond to
messages sent from the environment to the Sender, and from the Receiver to the
environment (Msg), messages tagged with control bits sent from the Sender to the
Receiver (Msg×{0, 1}), and acknowledgement bits sent from the Receiver to the
Sender ({0, 1}).
The TCA for the Sender, the Receiver and the two channels are shown in Fig-
ures 5.18, 5.19 and 5.20. Since ports can only transmit a single data item, we
model ports A (between Sender and Channel1) and C (between Channel1 and Re-
ceiver) using two ports A1,A2 and C1,C2, respectively. This is because for a pair
(m, b)∈(Msg×{0, 1}), we need to be able to reason about the constituents m and b
separately. For both Sender and Receiver, we assume a timeout of 2 for resending
the message and acknowledgement, respectively. For example, after the Sender has
sent a message and has moved to location wait0, it waits for acknowledgement bit 0
before moving to location idle1. If this bit does not arrive before clock x has reached
value 2, the Sender moves back to location send0, where it waits at most one more
time unit before it resends the message.
The TCA modelling the entire protocol component—we call it TABP—is obtained
by composing the TCA of the four subcomponents (cf. Definition 2.3.9), that means
TABP = (Sender ./ Receiver ./ Channel1 ./ Channel2)
5.3.1.1 Verification
While the internal behaviour of the ABP ensures reliable transmission of messages
over unreliable channels, from the outside, it behaves as a perfect buffer of capacity
one (cf. [Mil89]). That is, it accepts and delivers messages from and to the network
(through ports I and O , respectively) alternately, and the order of data elements is
not changed.
The alternation is described by the LTL formula
((I →©(¬IUO))∧(O →©(¬OUI))),
106 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
idle0
send0
x≤1
[in]
wait0
x≤2
[in]
idle1
send1
x≤1
[in]
wait1
x≤2
[in]
{I}, (I=t .in),
x:=0
{A1, A2},
(A1=s.in)∧(A2=0),
x:=0
(t .in=s.in), x=2, x:=0
{B}, B=1
{B}, B=0
{I}, (I=t .in),
x:=0
{A1, A2},
(A1=s.in)∧(A2=1),
x:=0{B}, B=0
(t .in=s.in), x=2, x:=0
{B}, B=1
Figure 5.18: ABP, Sender
recv0
y≤2
out0
[out ]
ack0
y≤1
recv1
y≤2
out1
[out ]
ack1
y≤1
{C1, C2}, (C2=1)
{C1, C2},
(C1=t .out)∧(C2=0),
y:=0
{O},
(O=s.out)
{D}, D=0, y:=0
{C1, C2}, (C2=0)
y=2, y:=0{C1, C2},
(C1=t .out)∧(C2=1),
y:=0
{O},
(O=s.out)
{D}, D=1, y:=0
y=2, y:=0
Figure 5.19: ABP, Receiver
5.3. CASE STUDIES 107
c1 c2
{A1, A2, C1, C2},
(A1=C1)∧(A2=C2) {A1, A2}
{B,D},
B=D {D}
Figure 5.20: ABP, Channel1 (left), Channel2 (right)
which expresses that between any two communications through port I, there is a
communication through port O, and vice versa. We call this property Buffer.
To check for the correct order of data elements, we identify a set of error lo-
cations. First recall that locations in TABP comprise one location for each of the
four subcomponents, for example, the initial location of TABP is (idle0, revc0, c1, c2).
The error locations are
{(waiti, outi, c1, c2) | in 6=out, i=0, 1}∪{(sendi, outi, c1, c2) | in 6=out, i=0, 1}
Each of these locations corresponds to a configuration where the Sender subcom-
ponent has received a data item through port I and stored it in memory cell [in],
but the Receiver subcomponent has stored a different data item in memory cell out
which it is about to send to the environment through port O . Note that the formu-
lation of this property relies on the first property of alternating dataflow through I
and O . We call the property expressing that none of the error states is reachable
Error.
We have modelled the TCA of the ABP with the ECT plugin. For performance
comparison, and to show that our approach scales very well on reachability prop-
erties, we compare three unfolding depths k∈{20, 50, 100}. We have generated the
corresponding formula representation from within the editor, as described in Sec-
tion 5.2.2. To show the performance improvements gained from abstraction, we have
identified a tailored abstraction function for each of the properties. First observe
that timing information can be considered irrelevant for both properties. Moreover,
observe that Buffer does not rely on exact data values, but only reasons about
activity on ports. For Error, we define an abstraction function α1 that removes all
timing information from the system: O1={x, y}, and γ1=id. For Buffer, we define
an even coarser abstraction function α2, which in addition removes all information
about the exact data values: O2={x, y, (I=t.in), (A1=s.in), (t.in=s.in), (C1=t.out),
(O=s.out)}, and γ2=id.
Table 5.21 shows our experimental results for the different unfolding depths,
properties and abstractions. Note that since Buffer describes correct alternation
of data flow through ports I and O, we need to check the negation of Buffer. Ab-
straction function α2 removes all information about concrete data values, therefore,
the error states are trivially reachable under this abstraction, and we cannot expect
Error to hold. We have marked the corresponding entries with a slanted font and
the additional entry (S) (for “satisfiable”). All other properties are satisfied, which
means that the result of verification is “unsatisfiable”.
The results in Table 5.21 clearly show that our approach is tailored to reachability
properties, and that on these, it scales very well for large unfolding depths. While
108 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
k=20 k=50 k=100
¬Buffer Error ¬Buffer Error ¬Buffer Error
ϕ(TABP)k
1.050s
20.79MB
1.013s
18.85MB
52.50s
61.59MB
13.12s
39.19MB
1690s
508.53MB
80.98s
111.62MB
α1(ϕ(TABP))k
1.704s
20.93MB
0.799s
19.44MB
519.9s
215.02MB
7.082s
32.76MB
segm.
fault
32.92s
57.09MB
α2(ϕ(TABP))k
1.430s
19.23MB
0.175s (S)
15.99MB
458.7s
232.60MB
0.880s (S)
21.215MB
segm.
fault
3.984s (S)
29.11MB
All experiments have been carried out with MathSAT, version 4.2.17, on an
Intel Core2 Duo CPU E4500, with 2.20GHz and 2.5GB RAM
Table 5.21: Experimental Results for the ABP
for k=20, the two properties take around the same time and memory consumption,
checking Error is factor 4 faster, with factor 1.5 less memory, than Buffer for k=50,
and almost factor 20 faster, with factor 4 less memory, for k=100. Comparing the
same property on different unfolding depths, time and memory consumption increase
by factors 50 and 3 (k=20 to k=50), and factors 30 and 8 (k=50 to k=100) for
Buffer, while these factors are limited to 13 and 2 (k=20 to k=50) and 6 and 3
(k=50 to k=100) for Error.
As a second result, Table 5.21 shows the improved performance for Error on the
abstract system, resulting in a speed-up of factor 1.2 for k=20, factor 1.8 for k=50,
and almost factor 2.5 for k=100. Memory consumption is almost the same for k=20
and k=50, but reduces to half for k=100. Note that verification is very fast in case
the reachability property Error does not hold (i.e., where the input is satisfiable).
In contrast to this, performance of Buffer on the abstract system decreases, even
leading to a segmentation fault for k=100. Though this might seem surprising at
first glance, the reason is obvious: since Buffer reasons about all possible runs, and
the abstract system permits more runs than the concrete system, checking Buffer
on the abstract system is more expensive. What can be seen though is a slightly
improved performance when comparing the two abstractions.
5.3.2 Lip-Synchronisation Protocol
In this section, we describe a Lip-synchronisation protocol (LSP). The LSP was first
described in the synchronous language Esterel [SHH92]. Later, specifications were
presented amongst others using timed LOTOS [Reg93], LOTOS/QTL [BBBC94,
BBBC97], timed CSP [ABSS96], timed automata [BFK+98, KLP10], and the Du-
ration Calculus [MLWZ01].
The problem of lip-synchronisation is the following: a presentation device (for
example a media player) receives input from two media sources: a Sound Stream
and a Video Stream, and should display the two streams synchronously. Yet, small
5.3. CASE STUDIES 109
delays are not human-perceivable, therefore, synchrony needs not be perfect, but
certain deviations of the actual presentation times from the optimal presentation
times are acceptable. The LSP is used to ensure this degree of synchrony. For this,
it has to take into account three major points:
Firstly, the frequencies of the two streams may be different, i.e., there is no
(at least not necessarily) one-to-one correspondence between frames of the two
streams.10
Secondly, the streams may experience a phenomenon called jitter. In an ideal
scenario, frames are received from the streams with a constant frequency. Yet,
the actual arrival times of frames may deviate from these optimal arrival times, for
example due to transmission delays. These deviations from the optimal presentation
time on the same stream are called jitter. Intuitively, the user perceives jitter in case
the sound (equivalently video) presentation does not run “smoothly”, for example
because some parts are skipped or presented too fast.
From [BFK+98], we adopt the notions of anchored and non-anchored jitter:
anchored jitter describes deviations that only depend on the current frame. That
means, each frame arrives within a certain interval around its own optimal arrival
time. Non-anchored jitter, on the other hand, describes deviations that depend on
the previous frame. That means, each frame arrives within a certain interval after
the previous frame.
The last point the LSP has to consider is that the two streams can “drift apart”:
each frame has an optimal position on the respective other stream. The term skew
describes deviations from this optimal position on the other stream. Intuitively, the
user perceives skew in case the sound and video presentation “do not agree”, that
means if a sound (for example the sound of breaking pottery) is audible significantly
before or after the corresponding action (for example a falling mug) is visible.
Summing up, the LSP has to ensure that the two streams are interleaved in
the right way, and that the presentation of frames does not violate the acceptable
bounds on jitter and skew.
Notation 5.3.1 (Arrival Times of Frames). In the sequel, we use topti to refer to
the optimal arrival time of the i-th frame (sound or video), and tacti to refer to the
actual arrival time of the i-th frame.
In line with previous specifications ([SHH92, Reg93, BFK+98]), we design the
protocol as follows. A sound frame should be displayed every 30 milliseconds (ms), no
jitter is allowed on the Sound Stream, i.e., tacti =t
opt
i , and t
act
i =(t
act
i−1+30) for all frames.
A video frame should ideally be displayed every 40ms, but we allow non-anchored
jitter of ±5ms: (tacti −5)≤(tacti−1+40)≤(tacti +5). That means, to ensure that a human
perceives the media presentation as synchronous, it is sufficient to display each video
frame within the interval [35ms,45ms] after the previous frame. The video presen-
tation may precede the sound presentation by 15ms (skew), and may lag behind by
150ms. The fact that jitter is not allowed on the Sound Stream actually allows us to
10As pointed out in [BFK+98], if there was a one-to-one correspondence, the obvious solution
to achieve synchrony would be to multiplex the streams for transmission, and demultiplex them at
the presentation device.
110 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
interpret skew as anchored jitter on the Video Stream: (tacti −15)≤topti ≤(tacti +150).
We restrict the models of the streams to the arrival times of frames received from
the streams. Similarly, we do not model the presentation device, but assume that
frames are presented when the corresponding signal (from the LSP) occurs. Further,
we assume that the presentation of a video frame can be delayed for an arbitrary
amount of time if the frame arrives too early.
We model the protocol with five TCA: Sound Manager, Video Manager, Skew
Observer, Jitter Observer, and Initialiser. The design of the TCA is inspired by
the timed automata in [BFK+98]. Yet, due to the extended modelling power of
TCA, we obtain a more concise model (cf. also Section 5.3.3), in particular for the
Skew Observer, which we model using a single counter (rather than using multiple
clocks in [BFK+98]). A conceptual overview of the protocol components is shown in
Figure 5.22. We omit the Initialiser, since its only purpose is to start the protocol
components in the right order. The presentation device is added to Figure 5.22 for
illustration only, it is not part of the protocol. As for the ABP (Figure 5.17), arrows
indicate the intended direction of communication, labels indicate the ports through
which the TCA communicate.
Presentation DeviceSound Stream Video Stream
Sound Manager Video Manager
Jitter ObserverSkew Observer
SR SP VRVP
VPSk VPJ
LSP
Figure 5.22: LSP: Conceptual Overview
Since the TCA of the LSP (and their interaction) are more complex than the TCA
of the ABP, we now describe each TCA in detail. In the end, the TCA modelling the
protocol component—we call that TCA TLSP—is obtained by composing the TCA
of the five subcomponents (cf. Definition 2.3.9), that means
TLSP = (Initialiser ./ SoundManager ./ VideoManager (5.1)
./ SkewObserver ./ JitterObserver) (5.2)
5.3.2.1 Sound Manager
The conditions on presentation of sound are very strict: a sound frame should be
presented every 30ms, and no jitter is allowed on the Sound Stream. The task of
5.3. CASE STUDIES 111
s0 s1 sE
{IS}, (xS :=0)
{SR,SP}, (xS=30), (xS :=0)
{SR}, (xS>30)
Figure 5.23: LSP, Sound Manager
the Sound Manager (Figure 5.23) is to ensure this behaviour. It uses a clock xS
to measure the time distance between two subsequent sound frames. After being
initialised by the Initialiser (cf. Section 5.3.2.5) through port IS on presentation of
the first sound frame, the Sound Manager starts its cyclic behaviour, waiting for a
sound frame to be ready (signalled through port SR) every 30ms, and sending to
the presentation device the order to present the sound frame (through port SP) at
the same moment. If the signal that a sound frame is ready arrives late, the Sound
Manager moves to its error location sE .
For explanatory purposes, in the sequel we use the terms “presentation of a sound
frame” and “communication through port SP” interchangeably.
5.3.2.2 Video Manager
vm0 aVR
aVP
vmE
{IV }
{VP ,VR,Sk , J}, (Sk=OK )∧(J=OK )
{VR,Sk , J},
(Sk=wait)∨
(J=wait))
{VP ,Sk , J},
(Sk=OK )∧(J=OK )
{J}, (J=error)
{Sk}, (Sk=error)
{VR,Sk}, (Sk=error)
{VR, J}, (J=error)
Figure 5.24: LSP, Video Manager
The Video Manager (Figure 5.24) ensures that the timing of video presentation
conforms to the bounds described above. Yet, the Video Manager does not control
the timing itself, but for this consults the two “helper” components Jitter Observer
(cf. Section 5.3.2.3) and Skew Observer (cf. Section 5.3.2.4). In particular, the Video
Manager does not use any clocks. The Video Manager is initialised by the Initialiser
(cf. Section 5.3.2.5) through port IV when the first video frame is presented. In
112 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
location aVR, it awaits a signal VR from the Video Stream, indicating that the
next video frame is ready. When receiving this signal, the Video Manager checks
the timing conditions with the Skew Observer through port Sk , and with the Jitter
Observer through port J . If both return OK (loop in aVR), the next video frame
can be presented immediately, which is signalled to the presentation device through
port VP . If either of the observers returns wait , video presentation is too early and
needs to be delayed. In this case, the Video Manager moves to location aVP , and
waits until both observers return OK . If at any point, either of the observers returns
error , the Video Manager moves to its error location vmE .
For explanatory purposes, in the sequel we use the terms “presentation of a video
frame” and “communication through port VP” interchangeably.
5.3.2.3 Jitter Observer
j0 j1 jE
{IJ}, (xJ :=0)
{VP , J}, (J=OK ), (xJ≥35)∧(xJ≤45), (xJ :=0)
{J}, (J=OK ), (xJ≥35)∧(xJ≤45){J}, (J=wait), (xJ<35)
{J}, (J=error),
(xJ>45)
Figure 5.25: LSP, Jitter Observer
The Jitter Observer (Figure 5.25) checks that non-anchored jitter on video pre-
sentation remains within the acceptable bounds, that means, that every video frame
is presented within an interval of [35ms,45ms] after the previous frame. It uses
clock xJ to measure the time distance between two subsequent frames. When the
Jitter Observer is initialised by the Initialiser (cf. Section 5.3.2.5) through port IJ
on presentation of the first video frame, it resets its clock to zero, and moves to
location j1 . The Video Manager can now request the current status of jitter—i.e,
whether presenting a video frame at the current point in time would conform to the
bounds—by communicating with the Jitter Observer through port J . Depending
on the value of xJ , the Jitter Observer returns either wait (lower left loop in j1 ),
OK (lower right loop and upper loop in j1 ) or error (transition from j1 to jE ).
If the Video Manager communicates through both ports J and VP , it request the
status of jitter and simultaneously sends the order to present a video frame, which
is only possible if presentation is acceptable. In this case, the Jitter Observer resets
its clock xJ to start the timer for the next frame.
Note that by construction, the Jitter Observer can only enter its error location
jE if the Video Manager enters its error location vmE at the same time.
5.3. CASE STUDIES 113
sk0
sk1
xSk≤40
[cnt ]
skE
{ISk}, (t .cnt=0),
xSk :=0
{Sk},
(s.cnt≤-4)∧(Sk=error)
(xSk>30)
(t .cnt=s.cnt−1),
(xSk=40), (xSk :=0)
{Sk},
(s.cnt=0)∧
(t .cnt=s.cnt)∧
(Sk=wait),
(xSk<25)
{VP ,Sk},
(t .cnt=s.cnt)∧
(Sk=OK )
(xSk=40),
(xSk :=0)
{VP ,Sk},
(s.cnt=0)∧
(t .cnt=s.cnt+1)∧
(Sk=OK ),
(xSk≥25)
{VP ,Sk},
(s.cnt≤-4)∧
(t .cnt=s.cnt+1)∧
(Sk=OK ),
(xSk≤30)
{VP ,Sk},
(-3≤s.cnt≤-1)∧
(t .cnt=s.cnt+1)∧
(Sk=OK )
Figure 5.26: LSP, Skew Observer
5.3.2.4 Skew Observer
The task of the Skew Observer (Figure 5.26) is to measure the skew (i.e., non-
anchored jitter, see above) on video presentation. For this, the Skew Observer uses
a clock xSk and a memory cell cnt . Clock xSk is used to determine the optimal
presentation time topti for video frames. The counter cnt is used to calculate—
together with xSk—the exact amount of skew at any given point in time. The Skew
Observer is initialised by the Initialiser (cf. Section 5.3.2.5) through port ISk on
presentation of the first sound frame. When this communication occurs, the Skew
Observer resets xSk to zero, sets cnt to zero, and moves to location sk1 .
The general idea of cnt can be roughly described as keeping track of the “over-
flow” of video frame presentations in case the presentation lags behind by more
than one period (of 40ms). In detail, this works as follows: every 40ms (measured
by xSk), that means every time a video frame should be presented, the value of cnt
is decreased by one (upper left loop in location sk1 ), and every time a video frame
is presented, it is increased by one (lower three loops in location sk1 ). In this way,
a negative value of cnt indicates that tacti >t
opt
i for the last (i-th) video frame, i.e.,
video lags behind its ideal position; equivalently, a positive value of cnt indicates
that tacti <t
opt
i for the last (i-th) video frame, i.e., video is ahead of its ideal position.
The exact values of clock xSk and memory cell cnt are used to determine how much
the presentation is ahead of/behind its ideal position. To explain how this works,
we look at the following three situations: on presentation of a video frame, cnt is
(1) incremented to 1, (2) incremented to zero, and (3) incremented to a value <0.
When cnt is incremented to 1 on presentation of the i-th video frame at time
tacti , video is ahead of its ideal position (since cnt>0). This ideal position is at time
114 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
topti , which is the next point in time when xSk reaches 40.
11 The amount of time by
which video is ahead of its ideal position at time tacti is thus given by the difference
between the current value of xSk and 40. Therefore, if a video frame is about to be
presented when cnt=0 (i.e., cnt would be set to 1) and xSk<25, the presentation
of the video frame would be more than 15ms (40−25) early, and thus needs to be
delayed (upper right loop in location sk1 ). As soon as xSk≥25, the presentation
time is within the acceptable bounds, and the video frame can be presented (lower
left loop in location sk1 ). An example for this is depicted in Figure 5.27, showing
a situation where each video frame is presented as early as possible: if the fourth
video frame would be presented after 140ms, it would be 20ms too early, so the
presentation needs to be delayed for at least 5ms.
tacti
cnt
topti
skew
40 80 120 160
35 70 105 140
1 1 1 1
0 0 0
5 10 15 20
Figure 5.27: Video Presentation ahead: Example
When cnt is incremented to zero on presentation of the i-th video frame at time
tacti , video lags behind its ideal position (since cnt was -1 just before, see above),
and the amount by which it lags behind is given by the difference (tacti −topti ), which
is equal to the value of xSk at time t
act
i .
12
Finally, when cnt is incremented to a value <0 on presentation of the i-th video
frame at time tacti , video lags behind its ideal position by more than one period (i.e,
more than 40ms). Figure 5.28 shows an illustration of this: if each video frame is
presented as late as possible, after 405ms, cnt is incremented to -1, and video is 45ms
(more than one period) late by that time. In general, if cnt is incremented to -k,
video lags behind its ideal position by k∗40+xSk . As an example, consider Figure 5.28
again: at time 405, the last time xSk was reset was at time 400, that means 5ms
before, and video presentation lags behind by k∗40 + xSk=45ms. The lower loop
in location sk1 thus represents the last possible time where it is still acceptable to
present a video frame: on execution of the transition, cnt is incremented to -3, that
means video lags behind by -3∗40 + xSk, and since the clock guard only permits
values xSk≤30, video lags behind by at most 150ms. In case cnt would be set to -3,
and xSk>30 on presentation of a video frame, an out-of-synchronisation error has
occurred (transition from location sk1 to skE ).
The remaining loops in location sk1 represent the case where video lags behind,
but within the acceptable bounds (lower right loop), and the case where a video
11Note that this is indeed topti (and not t
opt
j , with j< i), since otherwise cnt would have been
set to a value >1.
12Note that the last time xSk was reset was indeed t
opt
i (and not t
opt
j , with j>i), since otherwise
cnt would have been set to a value <0.
5.3. CASE STUDIES 115
frame is presented at an optimal presentation time (upper middle loop), that means
tacti =t
opt
j . Note that apart from i=j, i<j is possible as well in case video presentation
lags behind, but i>j is not possible due to the bound of 15ms acceptable for video
presentation being ahead (cf. Figure 5.27 again).
tacti
cnt
topti
skew
200 240 280 320 360 400
180 225 270 315 360 405
0 0 0 0 -1
-1 -1 -1 -1 -2
-1
20 25 30 35 40 45
. . .
. . .
. . .
. . .
Figure 5.28: Video Presentation behind: Example
Note that by construction, the Skew Observer can only enter its error location
skE if the Video Manager enters its error location vmE at the same time.
5.3.2.5 Initialiser
i0
sf1 sf2
vf1 vf2
sviE
{fSR, fSP , IS , ISk}, (xi :=0)
{fVR, fVP , IV , IJ},
(xi≤150)
{fVR, fVP , IV , IJ}, (xi :=0)
{fSR, fSP , IS , ISk},
(xi≤15)
{fSR, fVR, fSP , fVP , IS , IV , ISk , IJ}
(xi>150)
(xi>15)
Figure 5.29: LSP, Initialiser
The task of the Initialiser (Figure 5.29) is to start the other protocol components
in the right order on occurrence of the first frame(s), and to check for initial out-of-
synchronisation errors. From its initial location i0 , there are three options: either a
sound frame is ready first (signalled through port fSR), in this case, the Initialiser
sends to the presentation device the order to present the first sound frame (port
116 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
fSP), starts the Sound Manager (port IS ) and the Skew Observer (port ISk) and
a timer xi , and moves to location sf1 . If the first video frame is ready (signalled
through fVR) before the timer reaches 150 (maximum allowed time for video lagging
behind), it sends to the presentation device the order to present the first video frame
(port fVP), and starts the Video Manager (IV ) and the Jitter Observer (port IJ ).
If xi reaches 150 and no video frame is ready (initial out-of-synchronisation error),
the Initialiser moves to its error location iE . In case a video frame arrives first, the
behaviour is (mostly) symmetric: the Initialiser moves to location vf1 , starts the
Video Manager and the Jitter Observer, and waits for the first sound frame to be
ready. The timeout in this case is 15, which is the maximum amount of time by
which the video presentation may precede the sound presentation. The third option
from the initial location is the case where both frames (video and sound) arrive at
the same time. In this case, all communication (presentation of frames, initialisation
of other components) takes place at the same time, and no further check for initial
out-of-synchronisation errors is required.
5.3.2.6 Verification
We consider the behaviour of the LSP in different environments, i.e., with different
streams. As explained above, the LSP is designed in such a way that no jitter is
allowed on the Sound Stream. Consequently, every Sound Stream that allows jitter
would immediately cause an out-of-synchronisation error. We therefore only consider
a model of an ideal Sound Stream, as shown in Figure 5.30. Every 30ms, the Sound
Stream emits a signal that a sound frame is ready, through port fSR for the first
sound frame, and through port SR for all subsequent frames. The extra port for the
first sound frame is introduced to ease proper initialisation of the protocol (cf. the
Initialiser in Section 5.3.2.5).
For the Video Stream, we consider two different variants, cf. [BFK+98]. Fig-
ure 5.31 shows a Video Stream with non-anchored jitter of 5ms, i.e., every video
frame is ready at least 35ms and at most 45ms after the previous frame. As a sec-
ond variant, Figure 5.32 shows a Video Stream with anchored jitter of 5ms, i.e.,
every video frame is send not earlier than 5ms before its ideal presentation time,
and not later than 5ms after its ideal presentation time. As for the Sound Stream,
the signal indicating that the first video frame is ready is sent through port fVR, for
all subsequent frames, it is sent through port VR. The TCA modelling the entire
system (including the environment) is obtained by composing the TCA TLSP (cf.
Page 110) with the TCA of the Sound Stream (Figure 5.30) and the TCA of the
Video Stream with Anchored Jitter (5.32) or Non-Anchored Jitter (Figure 5.31).
For brevity of explanation, we may identify the system by the type of jitter of the
included Video Stream, for example, we may refer to the fact that “a property holds
in the system including the Video Stream with Anchored Jitter” by simply saying
“the property holds in the system with anchored jitter” or “the property holds under
anchored jitter”.
To identify out-of-synchronisation errors, we check for reachability of the error
locations sE in the Sound Manager, jE in the Jitter Observer, and skE in the
Skew Observer component. Note that instead of the latter two, we could also check
5.3. CASE STUDIES 117
ss0
ss1
xSS≤30
{fSR}, (xSS :=0)
{SR},
(xSS=30),
(xSS :=0)
Figure 5.30: LSP, Sound Stream
vs0
vs1
xVS≤45
{fVR}, (xVS :=0)
{VR},
(35≤xVS≤45),
(xVS :=0)
Figure 5.31: LSP, Video Stream, Non-Anchored Jitter
vs0
vs1
xVS≤40
vs2
xVS≤10
fVR, (xVS :=5)
(xVS=40), (xVS :=0)
{VR}
{VR}, (xVS=40), (xVS :=0)
Figure 5.32: LSP, Video Stream, Anchored Jitter
whether the error location vmE in the Video Manager component is reachable, since
vmE is only reachable if either jE or skE is reachable at the same time, cf. Sections
5.3.2.3 and 5.3.2.4. However, the results would be less meaningful in that case, since
we would not be able to identify the exact reason of the error.
For the verification, we further assume that the streams start at the same time,
that means the first frames on the two streams are ready at the same time. This
is implemented by restricting the runs of the system to those where the Initialiser
takes the transition from its initial location i0 to location sv (cf. Section 5.3.2.5).
Without this assumption, there can be an arbitrary delay between the first frames
on the two streams, and initial out-of-synchronisation errors are trivially possible.
We have modelled the TCA of the LSP with the ECT plugin. As for the ABP
(cf. Section 5.3.1.1), we compare three unfolding depths k∈{20, 50, 100}. Table 5.33
shows the experimental results for the different unfolding depths, error locations
and Video Streams (anchored or non-anchored jitter).13 Again, slanted entries (to-
gether with the entry (S)) indicate that the input problem is satisfiable. The LSP is
modelled in a very concise way already, therefore, we do not provide an abstraction
function. In particular, there exists no obvious abstraction function (and probably
there exists no non-empty abstraction function at all) that would preserve the results
13Note that for k=100, we have added information to the input problem that was obtained
from the case k=50, namely that locations sE and skE are not reachable within 50 steps, and that
location jE is not reachable within 50 steps under non-anchored jitter. Without this assumption,
verification would take much longer for k=100, for example more than 10 hours to detect that
location skE is not reachable under anchored jitter.
118 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
in Table 5.33.
k=20 k=50 k=100
anc. non-anc. anc. non-anc. anc. non-anc.
sE
1.145s
22.02MB
0.584s
21.14MB
13.46s
36.77MB
4.171s
32.79MB
43.15s
69.79MB
20.99s
67.22MB
jE 1.225s (S)
21.91MB
1.153s
21.67MB
3.881s (S)
32.98MB
2.075s
31.31MB
92.27s (S)
79.06MB
73.75s
79.90MB
skE
5.250s
22.66MB
4.401s
22.56MB
9.795s
35.22MB
7.769s
33.26MB
1155s
142.44MB
781.5s (S)
140.05MB
All experiments have been carried out with MathSAT, version 4.2.17,
on an Intel Core2 Duo CPU E4500, with 2.20GHz and 2.5GB RAM
Table 5.33: Experimental Results for the LSP
The first row in Table 5.33 shows that the error location sE in the Sound Manager
is unreachable under all unfolding depths and for both types of jitter, that means
sound frames can never arrive late. This is the expected result, since we have
assumed an ideal Sound Stream in Figure 5.30, which does not experience any jitter.
Out-of-synchronisation errors on the Video Stream (jitter) can occur under an-
chored jitter only, as shown in the second row of Table 5.33. The reason is that under
anchored jitter, the maximal distance of two subsequent video frames is 50ms, which
is 5ms more than what is allowed by the protocol. The error can occur in case a
video frame arrives as early as possible (namely 5ms before its ideal presentation
time), and the following video frame arrives as late as possible (namely 5ms after
its ideal presentation time). Under non-anchored jitter however, this error is not
possible.
In contrast, out-of-synchronisation error between the two streams (skew) can
occur under non-anchored jitter only. The reason is that only in this case, the pre-
sentation of the video frames can “drift off”, that means deviations from the optimal
presentation time can sum up, while under anchored jitter, this is not possible. Re-
member that we allow the video presentation to lag behind by at most 150ms (cf.
the beginning of Section 5.3.2). Assuming all video frames arrive as late as possible,
i.e., after 45ms, the first time this error can occur is when the protocol has run for
1395ms: after 1350ms, video presentation lags behind by exactly 150ms, and on
arrival of the next video frame 45ms later, the limit of 150ms is exceeded. Due to
the periodic nature of the Sound Stream and the Video Stream, the protocol needs
more than 80 steps to reach this point, which is why the error occurs under unfolding
depth 100 only.
As for performance, we make the following observations: comparing the verifica-
tion times for reachability of different locations, but with the same unfolding depth
and Video Streams, it can be seen that checking the reachability of sE is mostly
faster than checking the reachability of jE , which in turn is faster than checking
5.3. CASE STUDIES 119
the reachability of skE . The reason lies in the complexity of the TCA, and the for-
mula representation generated for them. The transition relation representation (cf.
(3.13)) of the Sound Manager contains three elements for source location s1 (two el-
ements of type (3.11) corresponding to the two visible transitions in location s1 , and
one element of type (3.17) for the delay in location s1 ). For the Jitter Observer, the
transition relation representation contains five elements for source location j1 (four
elements of type (3.11), and one element of type (3.17)), and for the Skew Observer,
the transition relation representation contains eight elements for source location sk1
(six elements of type (3.11), one element of type (3.12), and one element of type
(3.17)). In particular, the Skew Observer has an invisible transition, which can be
executed independently of other TCA (subject to the clock guard being satisfied).
Intuitively, this means that the transition relation representation of the Skew Ob-
server is “more nondeterministic” than the transition relation representation of the
Jitter Observer, which in turn is more nondeterministic than the transition relation
representation of the Sound Manager. Thus, when searching for a system run ending
in the respective error location, the MathSAT solver needs to try more options for
the Jitter Observer than for the Sound Manager, and in turn more options for the
Skew Observer than for the Jitter Observer.
A second observation is the fact that in case the property is satisfied for a certain
unfolding depth (i.e., the error location is unreachable) for both types of Video
Streams, verification of the system with anchored jitter still takes up to factor 3
longer than verification of the system with non-anchored jitter, though the number
of possible executions of a given length in both systems is the same. Again, the
reason lies in the complexity of the TCA and the formula representation of the
transition relation. For the Video Stream with Non-Anchored Jitter, the transition
relation representation contains two elements for source location vs1 , while for the
Video Stream with Anchored Jitter, it contains three element for source location
vs1 , and two more for source location vs2 .
In contrast to the ABP, where reachable error locations where found comparably
fast even for k=100 (less than four seconds, cf. Table 5.21), it takes MathSAT
more than 13 minutes to detect that location skE is reachable for k=100 (under
non-anchored jitter). Equivalently, it takes MathSAT about one and a half minutes
to detect that location jE is reachable for k=100 (under anchored jitter), which is
comparably long given the fact that reachability of location jE is detected in a bit
more than a second for k=20. The reason is that the LSP is considerably more
complex than the ABP. Moreover, even though jE is reachable very quickly (in
actually less than ten steps), MathSAT still needs to find a valid execution for the
remaining steps when checking the system with k=100.
This last point shows the benefits of starting the verification process with compa-
rably small unfolding depths, and successively increasing the bound (cf. Section 3.2).
In case the error location is k-step reachable already for small values of k, there is
no need to consider larger unfolding depths, since this might take disproportionately
longer (in Table 5.33, we have added the results for location jE under anchored jitter
for k=50 and k=100 to illustrate exactly this point). If, instead, the error location
is not k-step reachable for small values of k, this information can be used to reduce
verification times in subsequent checks for k′-step reachability (for k′>k).
120 CHAPTER 5. TOOL DEVELOPMENT AND CASE STUDIES
5.3.3 Advantages of using TCA
The case studies presented above have highlighted the advantages of using TCA in
the development process. In general, TCA have—just like other automata-based
models—a rather shallow learning curve, compared to other formal models like for
example process algebra. This is thanks to the intuitive graphic approach, and the
state-transition notion in the drawings that closely corresponds to mental models of
such systems. This allows for an easy entry into the subject even for unexperienced
users, who can quickly design simple models with TCA. One of the main advantages
of TCA over other automata-based models is that they allow for true concurrency,
while combining the notions of time and data. Thus, once the designer gets ac-
customed to the formalism, TCA offer a powerful formalism to design concurrent
distributed systems.
Comparing our TCA-based models of the ABP and the LSP to models of the
protocols found in the literature further illustrates the modelling power of TCA. The
model of the ABP presented in [Mil89] is based on the calculus of communicating
system (CCS) [Mil82]. The model does not use concrete data values, but only works
with the alternating bits. Moreover, the timing for resending of messages is modelled
with a timer that only sends a timeout at “some point” after being activated, but the
model does not use concrete time values. Our approach allows for concrete time and
data values, and therefore provides a more faithful model of the ABP. The process-
algebraic model of the ABP presented in [Fok00] handles different data values, but
does not include time at all. Instead, components are assumed to emit messages
and acknowledgements with bit b periodically until they receive the next message or
acknowledgement with bit ¬b. Our TCA model provides a more flexible approach,
and can be adapted to different environments (where channels have different delays,
for example), in that it allows to specify different delays for the resending of the
different messages and acknowledgements.
The model of the LSP presented in [BFK+98] is based on TA, and therefore
enjoys the general advantages of automata-based models described above. However,
we observe a number of advantages when using TCA instead of TA to model the LSP.
Remember that TA do not allow for true concurrency, that means only a single event
can be executed in every step. As a consequence, the model in [BFK+98] needs a
large number of so-called committed locations14 (large compared to the total number
of locations) to model the synchronous execution of a set of actions. This becomes
particularly evident when considering the initialising component (called “Sync”) in
[BFK+98]: it is less powerful than the Initialiser presented here (cf. Section 5.3.2.5),
in that it does not check for initial out-of-synchronisation errors, yet the “Sync”
component needs 11 locations to ensure certain actions happen at the same time,
while the Initialiser needs only seven. Even more, the model in [BFK+98] needs two
additional helper components “Video Manager” and “Sound Manager” (not to be
confused with our Sound Manager and Video Manager), whose only purpose is to
ensure that certain (sequences of) events in different automata are executed at the
14The notion of committed location is taken from Uppaal [upp], which is the solver used for
protocol verification in [BFK+98]. A committed location in a TA must be left immediately after
it has been entered, without delay or interleaving of other (instantaneous) actions.
5.3. CASE STUDIES 121
same time. In contrast, with TCA, we simply put all events that are to be executed
at the same time on a single transition.
To detect a negative delay on the Video Stream (that means, video lagging
behind), [BFK+98] uses a helper component “Sound Clock”. This component models
a “backward running” clock, by decreasing a variable by one every time the value of
its clock has increased by one. As a consequence, the maximal delay of the system
between two subsequent steps is 1, which results in very long execution traces. In our
model, we use a memory cell to keep track of the negative delay. This considerable
increases the “step length” of the system, since we only need to update the memory
cell on optimal presentation times of video frames (i.e, every 40 time units), and on
actual presentation of a video frame (cf. Figure 5.26 and Section 5.3.2.4).

Chapter 6
Conclusions
Component connectors that implement real-time coordination patterns are an es-
sential ingredient of component-based software engineering. They are needed to
connect, coordinate and orchestrate the distributed components of large real-time
systems, and in this way guarantee correct and safe behaviour of the entire system.
Adaptation (and extension) of such systems to different needs is facilitated by the
encapsulated modular nature of the component connectors, which allows to replace
a coordination pattern by another, unnoticed by the other parts of the system. In
this thesis, we have established a formal framework for exhaustive modelling and
analysis of real-time coordination patterns, with a focus on the formal model of
Timed Constraint Automata (TCA) with Data.
In Chapter 2, we have started with the formal definition of the system models,
intended to be used to model the real-time coordination patterns. Each of the mod-
els is suited to model certain classes of real-time coordination patterns, depending
on whether the pattern takes into account data, true concurrency of actions or envi-
ronmental constraints. We present the models with increasing complexity and mod-
elling power based on these features: Timed Automata (TA) [AD94, Alu99] are well-
known (and well-studied), but lack the ability to handle data and true concurrency.
As a consequence, we have extended the formal model of TCA [ABdBR07, Kem11]
(handling true concurrency) with memory cells to handle data. To incorporate en-
vironmental constraints (for example, whether the environment in which a system
operates is ready to communicate), we have finally introduced the formal model of
Timed Network Automata (TNA) with memory cells and data (which allow for true
concurrency as well) as an extension of the model presented in [Kem10]. The intu-
itive visual representation of each of the models (corresponding to a certain extend
to mental models of such systems) allows to quickly and easily sketch and develop
systems with the formalism.
In Chapter 3, we define a representation in propositional logic with linear ratio-
nal arithmetic for each of the system models from Chapter 2. We try to keep the
representation as general as possible, by using only those variable types and oper-
123
124 CHAPTER 6. CONCLUSIONS
ations that are compulsory to faithfully represent the underlying formal model. In
this way, the representation can serve as an intermediate format and can be trans-
lated into the input language of many common SMT-solvers, which in turn can be
used to analyse the underlying system. We have discussed how to apply the tech-
nique of Bounded Model Checking to the formula representation, and have presented
correctness and completeness results.
A major challenge in component-based software engineering is the fact that the
systems to be analysed are getting bigger and more complex, while correctness and
safety still need to be guaranteed. In Chapter 4, we have presented an approach
to (partially) solve this problem: we have defined an abstraction function that can
be used to reduce the size of the system representation. The abstraction function
works on the formula representation from Chapter 3, and removes parts that are
considered irrelevant to the verification of a particular property. We have shown
how to undo part of the abstraction in case it has turned out to be too coarse, based
on information obtained from so-called spurious counterexamples (counterexamples
to the property under test that only exist in the abstract system). We have provided
correctness results proving the abstract system to be an over-approximation of the
original system.
Theoretical results can only be beneficial if they can be used and applied in prac-
tice. In Chapter 5, we have presented in detail the available tool support for the
theoretical framework developed in the preceding Chapters (as of now, the imple-
mentation only supports the formal model of TCA). Our implementation of the TCA
plugin is part of the Extensible Coordination Tools [ECT], an integrated graphical
development environment for the Eclipse [Ecl] platform that supports modelling and
analysis of component-based systems. We have provided detailed information about
the implementation structure of both our plugin and the ECT in general, and we
have sketched the typical workflow when using the tool. In this way, Chapter 5 can
be seen as a “getting started” tutorial for users, and at the same time as a reference
manual for developers. In the end of the Chapter, we have presented two case studies
(including experimental results), to show how TCA can be used to model protocol
coordination in a concise and understandable way, and we have discussed the ben-
efits of using TCA, for the case studies in particular and for real-time coordination
patterns in general.
6.1 Future Directions
In parts of this thesis, some questions have remained unaddressed. For other parts,
we see obvious directions for future research and extensions of the work. We now
give an overview of the most important points.
In Section 5.3.3, we have discussed the disadvantages of TA when it comes to
concurrent execution of actions, and the advantages of TCA regarding this aspect.
However, there are situations where a notion similar to committed locations in TA
(remember that a committed location in a TA must be left immediately, without
delay or interleaving of other actions, cf. Footnote 14 on Page 120) could be benefi-
cial also for TCA: suppose a committed location in a TA, with n ingoing transitions
6.1. FUTURE DIRECTIONS 125
and m outgoing transitions, all with disjoint transition labels. To model the same
behaviour with a TCA, we would need n∗m transitions (while the TA only has n+m
transitions and one location). We consider it interesting to investigate how a no-
tion similar to committed locations can be defined for TCA, and whether there is a
noticeable improvement on performance when it comes to verification.
The model checker Vereofy (http://www.vereofy.de) provides tools for model
checking (untimed) Constraint Automata (CA). As input, it accepts amongst others
CARML (Constraint Automata Reactive Module Language [BBKK09]), which is a
textual description language for CA. Extending CARML with the notion of time
would yield a textual description language for TCA, which for example could be
used as an exchange format for TCA specifications between different tools.
Untimed CA where originally defined as a semantical model for the channel-based
coordination languageReo. Consequently, TCA were defined to serve as a semantical
model for timed Reo, yet TCA and timed Reo have by now to a certain degree
evolved independently of each other. In particular, timed Reo is still restricted to
the definitions presented in [ABdBR07]: timed behaviour is incorporated in Reo
through special timer channels. These accept any (data) type of input, delay for a
certain amount of time, and then emit a special “timeout” signal. In addition, some
timer channels can be stopped and/or restarted. It is obvious to see that TCA are
more powerful. However, now that syntax and semantics for TCA with data have
been defined formally, it should be straightforwardly possible to establish the link
between TCA and timed Reo. This of course includes extending the implementation
as well: in ECT, timer channels for Reo are already supported, and a translation
from Reo to CA already exists. Similar to this translation, a translation from timed
Reo to TCA can be implemented once the formal basis for this has been established.
The time that is needed for verification may be a bottleneck for very large sys-
tems. For this reason, we consider it worth to investigate how other SAT and SMT
solvers perform on our formula generation. A drawback however is the fact that at
the moment, there exist only very few SMT solvers that can generate interpolants
for unsatisfiable SMT problems. For this reason, it might be worth to decouple
interpolant generation from SMT solving. A tailored (re)implementation of inter-
polant generation would allow to optimise the generation algorithm such that it
always generates the strongest interpolant (the notion of the strongest interpolant
is well-defined, and the strongest interpolant can be computed iteratively, cf. for
example [EKS06]). Another approach to decrease verification times is to investigate
how the formula order of the input problem influences the performance of different
SMT solvers (for example, whether variable valuations of the witness run occur at
the beginning or at the end of the input sequence, or are distributed throughout the
sequence).
We expect the largest potential for future research in the field of abstraction
refinement. A straightforward extension of the work presented in this thesis is
to extend the abstraction function to TNA. Assuming that ports in TNA can be
merged just like ports in TCA, questions that need to be solved before an abstraction
function for TNA can be defined include (1) how to define the colouring of merged
ports, and (2) whether read and write ports can be merged, or (if this should not
be possible) how to avoid this. From a more practical point of view, for most parts
126 CHAPTER 6. CONCLUSIONS
of the formula representation we expect the abstraction function for TNA to work
in the same way as it does for TCA. The only exception to this are port colour
variables: the explanations after Definition 4.1.5 (positive propositional variables
are used to describe the behaviour, negative propositional variables are used to
ensure consistency) do not apply to port colour variables, which means they cannot
be handled in the same, uniform way (only based on syntactical categories) as other
variables. A possibility to solve this is to impose additional constraints on the set of
omission and map of merging for TNA, in a similar way as has been done for data
constraints involving merged ports in TCA (cf. Definition 4.1.3).
Apart from extending the abstraction function to other system types (like TNA),
it is also possible to extend it with other concepts of abstraction. By concept, we
mean the way how information is removed from the system. The abstraction function
currently features two concepts: merging and omission. Examples of other concepts
include weakening, and (variants of) abstract interpretation. By weakening, we
mean to replace a constraint by a weaker variant instead of completely removing it.
For example, replace a constraint x<5 by x<10 (note that convexity is required for
this to work for compound constraints). We expect this concept to be applicable
to clock constraints. In abstract interpretation (cf. for example [CC77, CC92]), a
large (possibly infinite) set of concrete values is restricted to a smaller, finite set
of abstract values, using a suitable abstraction function. For example, the set Z of
integer numbers could be abstracted to the set {-1, 0, 1}, by mapping all negative
integers to -1, all positive integers to 1, and 0 to 0. Abstract interpretation resembles
our idea of abstraction by merging, and we expect it to be applicable to the domain
of data values of TCA and TNA.
Finally, a question that has not been addressed in this thesis is how to determine
the initial abstraction automatically, and how to automate the refinement step. We
rely on human experts to provide the initial abstraction and decide which parameter
to refine. As an intermediate step towards automatic abstraction refinement, the
initial abstraction could be determined automatically based on the property to be
verified. A related approach can be found in [CGKS02, CCK+02], where the initial
abstraction leaves the parameters contained in the property in the system, and
removes all other parameters. In [MA03], the initial abstraction is obtained from a
proof of unsatisfiability (in the original system, for some small unfolding depth). We
believe these approaches can be adapted to the work presented in this thesis, but it
should be one of the major goals for future research to aim towards a framework for
fully automatic abstraction refinement.
Appendix A
Proofs
A.1 Correctness of Representation
In this Section, we prove that the formula representation ϕ(S) of a real-time system
S, as presented in Definitions 3.1.1, 3.1.4 and 3.1.9 in Chapter 3, is correct, that
means that ϕ(S) exhibits the same behaviour as S. For this, every model of ϕ(S)k
has to correspond to a run of length k, and vice versa. To prove this, we show that
the diagram in Figure A.1 commutes.
S ϕ(S)k
RunS,k models of ϕ(S)k
ϕ
run model↓rσ
↓σr
Figure A.1: Correctness of Representation
The commutative property expresses that models of ϕ(S)k have a bijective cor-
respondence to runs of the original system S, denoted by the maps ↓rσ and ↓σr :
the run ↓σr (↓rσ (r)) of the model ↓rσ (r) belonging to a run r again is r, and the
model ↓rσ(↓σr(σ)) of a run ↓σr(σ) belonging to a model σ again is σ.
Remark A.1.1 (Notation). In the sequel, we use the notation of representation
variables introduced in Section 3.1.1, and we use the symbol ∼ to refer to any
arithmetic comparison (cf. Definitions 2.1.2 and 2.1.7).
As before, we use SS to refer to the associated LTS of a system S, with
S∈{A,T,N}, and we use RunS,k to refer to the set of all runs of SS up to length k.
127
128 APPENDIX A. PROOFS
Further, we use the symbols ϕ(S)k, σ and V(ϕ(S)k) to refer to the k-unfolding of
S, a model of ϕ(S)k, and the set of all models of ϕ(S)k, respectively.
We first show that the formula representation is sound, i.e., that every model
σ∈V(ϕ(S)k) yields a run r∈RunS,k.
Definition A.1.2 (Derived Run). For σ∈V(ϕ(S)k), the derived run rσ is
rσ=〈l0, ν0〉 a1−→〈l1, ν1〉 a2−→ . . . ak−→〈lk, νk〉, if S = A,
rσ=〈l0, δ0, ν0〉 P1,δ¯1,t1−−−−→〈l1, δ1, ν1〉 P2,δ¯2,t2−−−−→ . . . Pk,δ¯k,tk−−−−→〈lk, δk, νk〉, if S = T,
rσ=〈l0, δ0, ν0〉 c1,γ1−−→〈l1, δ1, ν1〉 c2,γ2−−→ . . . ck,γk−−−→〈lk, δkνk〉, if S = N,
(i)
where we have for all 0≤k0≤k, 1≤k1≤k
lk0 = s, iff σ(sk0)=tt, (ii)
νk0(x) = σ(zk0)−σ(xk0) (iii)
ak1 =
{
a, iff σ(αk1)=tt,
t, with t=σ(zk1)−σ(zk1−1), otherwise
(iv)
Pk1 =
⋃
σ(pk1 )=tt
p, (v)
δk0(d) =
{
∆−1(ni), iff σ(Ddk0)=n
i 6=n⊥
⊥, otherwise , d∈D (vi)
δ¯k1(q) =

δ(m)k1−1, iff q=s.m,m∈D
δ(m)k1 , iff q=t.m or q=m,m∈D
∆−1(ni), iff q=p, p∈P , σ(Dpk1)=ni 6=n⊥
⊥, otherwise
(vii)
tk1 = σ(zk1)−σ(zk1−1) (viii)
ck1(p) =

iff σ(pk1)=tt,
? iff σ(pk1)=ff and σ(cpk1)=ff
! iff σ(pk1)=ff and σ(cpk1)=tt
(ix)
γk1 =
{
δ¯k1 , iff σ(zk1)=σ(zk1−1)
tk1 , otherwise
(x)
The derived run for a products, that means for σ∈V(ϕ(S1./S2)k) is defined in the
same way, except for replacing li in (i) by (li,1, li,2), and rewriting (ii) to
lk0,i = s, iff σ(sk0) = tt for s∈Si, i=1, 2, (ii’)
Remark A.1.3 (Derived Run). Note that in (ii), for each k0, there exists exactly
one location s such that σ(sk0)=tt, cf. (3.5), (3.14) and (3.24). Similarly, in (iv),
there exists at most one event a such that σ(αk1)=tt, cf. (3.6).
Since ∆ is injective (cf. Section 3.1.1.3), there exists a di∈Data with ∆(di)=ni,
such that ∆−1(ni) is well-defined in (vii), (vi) and (x).
A.1. CORRECTNESS OF REPRESENTATION 129
Lemma A.1.4 (Soundness). For σ∈V(ϕ(S)k), the derived run rσ is a run of SS
of length k, i.e., rσ∈RunS,k.
Proof. Induction on k.
IA σ|=ϕ(S)0: σ(s¯0)(3.1),(3.10),(3.20)= tt for the initial location s¯, thus l0(ii)=s¯. For all
clocks x, ν0(x)
(iii)
=σ(z0)−σ(x0)(3.1),(3.10),(3.20)= 0, therefore in particular ν0|=I(s¯), and
thus rσ=〈s¯,0〉∈RunS,0 for S=A.
For S6=A, in addition we have σ(Dd0)(3.10),(3.20)= n⊥ for d∈D, and σ(Dp0)(3.10),(3.20)= n⊥
for p∈P , thus rσ=〈s¯,0,0〉∈RunS,0 for S∈{T,N}.
IH σ|=ϕ(S)k: rσ∈RunS,k for some k≥0.
IS σ|=ϕ(S)k+1: we consider the different systems separately
S = A: rσ=〈l0, ν0〉 a1−→ . . . ak−→〈lk, νk〉 ak+1−−→〈lk+1, νk+1〉, and either for some e∈E
σ|=ϕaction(e)k+1/t, or σ|=ϕdelay(s)k+1/t for some s∈S (cf. (3.7) and (3.29)).
Case σ|=ϕaction(e)k+1/t (∗): let e=(s, a, cc, λ, s′) (cf. (3.2)), then
• lk
IH
=s, lk+1
(ii)
=s′
• ak+1
(iv)
= a
• νk+1=νk[λ]: for all clocks x, we have
λ(x)=id: νk+1(x)
(iii)
=σ(zk+1)−σ(xk+1)(∗)=σ(zk)−σ(xk)(iii),IH= νk(x)
λ(x)=x′: νk+1(x)
(iii)
=σ(zk+1)−σ(xk+1)(∗)=σ(zk+1)−σ(x′k+1)(iii)=νk+1(x′)
λ(x)=n: νk+1(x)
(iii)
=σ(zk+1)−σ(xk+1)(∗)=σ(zk+1)−(σ(zk+1)−n)=n
• νk|=cc: for cc=x∼n,1 we have cck=(zk−xk)∼n. Because of (∗), we
have σ|=cck, that means (σ(zk)−σ(xk))∼n holds, and since νk(x)IH,(iii)=
(σ(zk)−σ(xk)) for all clocks x, we have νk|=cc. The argumentation
for νk+1|=I(s′) is similar
Thus, 〈s, νk〉 a−→〈s′, νk[λ]〉 is gained from e using (2.1)
Case σ|=ϕdelay(s)k+1/t (∗∗): let s∈S (cf. (3.3)), then
• lk
IH
=s, lk+1
(ii)
=s
• ak+1=t, with t
(iv)
= σ(zk+1)−σ(zk)
• νk+1=νk+t: for all clocks x, we have
νk+1(x)
(iv)
=σ(zk+1)−σ(xk+1)(∗∗)= σ(zk+1)−σ(xk)=σ(zk+1)−σ(xk)+
σ(zk)−σ(zk)=(σ(zk)−σ(xk))+(σ(zk+1)−σ(zk))(iii),(iv),IH= νk(x)+t
• νk+1|=I(s) as above, νk+t′|=I(s) for all t′≤t because of convexity (cf.
Remark 2.1.6)
Thus, 〈s, νk〉 t−→〈s, νk+t〉 is gained from s using (2.2).
Together, we get rσ∈RunS,k+1 for S=A.
1Here and in the remainder of the proof, we only show the basic cases for simple clock con-
straints (without clock differences) and simple data constraints (without addition/subtraction),
but the results directly carry over to constraints involving arithmetic operations, and to Boolean
combinations of these.
130 APPENDIX A. PROOFS
S = T: rσ=〈l0, δ0,ν0〉 P1,δ¯1,t1−−−−→ . . . Pk,δ¯k,tk−−−−→〈lk, δk, νk〉 Pk+1,δ¯k+1,tk+1−−−−−−−−→〈lk+1, δk+1,νk+1〉,
and either σ|=ϕvisible(e)k+1/t or σ|=ϕinvisible(e)k+1/t for some e∈E (cf.
(3.16) and (3.29)).
Case σ|=ϕvisible(e)k+1/t (†): let e=(s, P, dc, cc, λ, s′) (cf. (3.11)), then
• lk
IH
=s, lk+1
(ii)
=s′, tk+1
(viii)
= σ(zk+1)−σ(zk)
• νk+1=νk+tk+1[λ]: for all clocks x, we have
λ(x)=id: νk+1(x)
(iii)
=σ(zk+1)−σ(xk+1)(†)=σ(zk+1)−σ(xk)=
σ(zk+1)−σ(xk)+σ(zk)−σ(zk)=
(σ(zk)−σ(xk))+(σ(zk+1)−σ(zk)(iii),(viii),IH= νk(x)+tk+1
λ(x)=x′: νk+1(x)
(iii)
=σ(zk+1)−σ(xk+1) †=σ(zk+1)−σ(x′k+1)=
σ(zk+1)−σ(x′k+1)+σ(zk)−σ(zk)=
(σ(zk)−σ(x′k+1))+(σ(zk+1)−σ(zk))(iii),(viii),IH= νk+1(x′)+tk+1
λ(x)=n: νk+1(x)
(iii)
=σ(zk+1)−σ(xk+1)(†)=σ(zk+1)−(σ(zk+1)−n)=n
• νk+tk+1|=cc: for cc=x∼n, we have cck=(zk−xk)∼n. Because of
(†), we have σ|=cck, that means (σ(zk)−σ(xk))∼n holds, and since
νk(x)+tk+1
IH,(iii),(viii)
= σ(zk)−σ(xk)+σ(zk+1)−σ(zk)=σ(zk+1)−σ(xk) for
all clocks x, we have νk+tk+1|=cc.
• Pk+1
(v)
=
⋃
σ(pk 1)=tt
p
(†)
=P
• δ¯k+1|=dc: let dc=(D'D′), ' ∈{=,6} (cf. Section 3.1.1.5). For the
constituents of dc, we have
for p∈P|dc: δ¯k+1(p)(vii)= ∆−1(ni)def .∆= di if σ(Dpk+1)=di
for s.m∈D|dc: δ¯k+1(s.m)(vii)= ∆−1(ni)def .∆= di if σ(Dmk)=di
for t.m∈D|dc: δ¯k+1(t.m)(vii)= ∆−1(ni)def .∆= di if σ(Dmk+1)=di
for m∈D|dc: δ¯k+1(m)(vii)= ∆−1(ni)def .∆= di if σ(Dmk+1)=di
Because of (†), we have σ|=dck+1, thus for all possible instantiations
of D and D′ with Dpk+1, Dmk, Dmk+1 or elements of Data (cf. Sec-
tion 3.1.1.5), we have δ¯k+1|=dc
• δk+1(m)=⊥ if m 6∈#(s′): because of (†), in particular σ|=(Dmt 1=n⊥)
(cf. (3.11)), and thus δk+1(m)
(vi)
=⊥ for all m 6∈#(s′)
Thus, 〈s,δk,νk〉 P,δ¯k+1,tk+1−−−−−−→〈s′,δk+1,νk+tk+1[λ]〉 is gained from e using (3.11).
Case σ|=ϕinvisible(e)k+1/t (‡): let e=(s, ∅, dc, cc, λ, s′) (cf. (3.12)), then
• lk
IH
=s, lk+1
(ii)
=s′, tk+1
(viii)
= σ(zk+1)−σ(zk),
• νk+1=νk+tk+1[λ], νk+tk+1|=cc, δk+1(m)=⊥ if m6∈#(s′), and δ¯k+1|=dc
as before
• Pk+1
(v)
=
⋃
σ(pk+1)=tt
p
(‡)
=∅
• δk+1(p)
(vii)
=⊥ for all p∈P , because σ(pk+1)(‡)=ff, and σ(Dpk+1)(‡)=n⊥ for
all p∈P
Thus, 〈s, δk, νk〉 ∅,δ¯k+1,tk+1−−−−−−→〈s′, δk+1, νk+tk+1[λ]〉 is gained from e using (3.11)
in case tk+1>0, and using (3.12) in case tk+1=0.
A.1. CORRECTNESS OF REPRESENTATION 131
Together, we get rσ∈RunS,k+1 for S=T.
S = N: rσ = 〈l0, δ0, ν0〉 c1,γ1−−→ . . . ck,γk−−−→〈lk, δk, νk〉 ck+1,γk+1−−−−−→〈lk+1, δk+1, νk+1〉, and
either σ|=ϕcommu(e)k+1/t or σ|=ϕdelay(e)k+1/t for some e∈E (cf. (3.26)
and (3.29))
Case σ|=ϕcommu(e)k+1/t (?): let e=(s, c, dc, cc, λ, s′) (cf. (3.21)), then
• lk
IH
=s, lk+1
(ii)
=s′
• νk+1=νk[λ], νk|=cc, νk+1|=I(s′): equivalent to the respective cases for
S=A above
• δk+1(m)=⊥ if m6∈#(s′): equivalent to the respective case for S=T
above
• γk+1
(x),(?)
= δ¯k+1
• δ¯k+1|=dc: equivalent to the respective case for S=T above
• δ¯k+1(p)=⊥ iff ck+1(p)6= : because of (?), in particular σ|=〈pc〉k+1
for all p∈P . If σ|=¬pk+1, then either c(p)(ix)= ! or c(p)(ix)= ? , and
σ(Dpk+1)
(3.25),(?)
= n⊥
Thus, 〈s, δk, νk〉 ck+1,δ¯k+1−−−−−→〈s, δk+1, νk[λ]〉 is gained from e using (2.15).
Case σ|=ϕdelay(e)k+1/t (??): let e=(s, c, dc, cc, id, s) (cf. (3.22)), then
• lk
IH
=s, lk+1
(ii)
=s′
• γk+1
(x),(??)
= tk+1
• νk+1=νk+tk+1: equivalent to the respective case for S=A above
• νk|=cc, νk+1|=I(s): equivalent to the respective cases for S=A above,
νk+t
′|=cc and νk+t′|=I(s) for all t′≤tk+1 because of convexity (cf.
Remark 2.1.6)
• δk|=dc: equivalent to the respective case above, with δk instead of
δ¯k+1
Thus, 〈s, δk, νk〉 ck+1,tk+1−−−−−→〈s, δk, νk+tk+1〉 is gained from e using (2.16).
Together, we get rσ∈RunS,k+1 for S=N.
Finally, we get rσ∈RunS,k+1 for all systems S∈{A,T,N}, and we define the map
↓σr :V(ϕ(S)k)→RunS,k such that for every interpretation σ∈V(ϕ(S)k), we have that
↓σr(σ)=rσ∈RunS,k is the derived run.
Proposition A.1.5 (Derived Run, Product). For σ∈V(ϕ(S1./S2)k), the de-
rived run rσ is a run of ST1./T2 of length k, i.e., rσ∈RunS1./S2,k.
Proof (Idea). The proof is along the same lines as the proof of Lemma A.1.4. In
IS, we first show that for i=1, 2, reducing a transition of the product S1./S2 (of the
form 〈(lk,1, lk,2), νk〉 ak−→〈(lk+1,1, lk+1,2νk+1〉 for S=A, for example) to the constituents
of Si yields a transition ei in Si. We then argue that all possible combinations of
e1 and e2 correspond to a valid execution in the product automaton (cf. Definitions
2.2.8, 2.3.9 and 2.4.14). In end, we get rσ∈RunS1./S2,k.
132 APPENDIX A. PROOFS
We now show that the formula representation is complete, i.e, for every run
r∈RunS,k, we can find a model σ∈V(ϕ(S)k).
Definition A.1.6 (Derived Interpretation). For r∈RunS,k, the derived inter-
pretation σr over (the variables in) ϕ(S)k is (we use the notation of (i))
σr(sk0) = tt, iff s=lk0 (xi)
σr(zk0) =

0, if k0=0
σr(zk0−1)+t, if S=A and ak0=t
σr(zk0−1)+tk0 , if (S=T) or (S=N and γk0=tk0)
σr(zk0−1), otherwise
(xii)
σr(xk0) = σr(zk0)−νk0(x) (xiii)
σr(αk0) =

ff, if k0=0
tt, iff ak0=a
ff, otherwise
(xiv)
σr(pk0) =

ff, if k0=0
tt, if (p∈Pk0 and S=T) or (ck0(p)= and S=N)
ff, otherwise
(xv)
σr(Dpk0) =

n⊥, if k0=0
∆(δ¯k0(p)), if (p∈Pk0 and S=T) or (ck0(p)= and S=N)
n⊥, otherwise
(xvi)
σr(Ddk0) =

n⊥, if k0=0
∆(δk0(d)), if d∈#(lk0)
∆(δ¯k0(d)), otherwise
(xvii)
σr(dk0) =
{
ff, if σr(Ddk0)=n
⊥
tt, otherwise
(xviii)
σr(cpk0) =

tt, if (k0=0) or (ck0(p)= ! )
ff, if ck0(p)= ?
unspecified, otherwise
(xix)
for all 0≤k0≤k. The derived interpretation for a run of the product, that means for
r∈RunS1./S2,k, is defined in the same way, except for rewriting (xi) to
σr(sk0) = tt, iff s=lk0,i for s∈Si, i=1, 2 (xi’)
Lemma A.1.7 (Completeness). For r∈RunS,k, the derived interpretation σr is a
model of the k-unfolding of S, that means σr|=ϕ(S)k.
Proof. Induction on k.
IA r=〈l0, ν0〉 respectively r=〈l0, δ0, ν0〉 (cf. (i) again). We have σr(s¯0)(xi)=tt for the
initial location s¯=l0, and σr(s0)
(xi)
=ff otherwise. For clocks, we have σr(z0)
(xii)
= 0,
A.1. CORRECTNESS OF REPRESENTATION 133
and σr(x0)
(xiii)
= σr(z0)−ν0(x)=0 for all other clocks x. For I(s¯)=x∼c,2 we have
I(s¯)0=z0−x0∼n. Because ν0|=I(s¯) (cf. Definitions 2.2.4, 2.3.5 and 2.4.6), in
particular 0=ν0(x)∼n, therefore σr(x0)∼n holds, and thus σr|=I(s¯)0.
We have σr(p0)
(xv)
= ff, σr(Dp0)
(xvi)
= n⊥, and σr(cp0)
(xix)
= tt for all ports p, and for all
data variables d we have σr(Dd0)
(xvii)
= n⊥ and σr(d0)
(xviii)
= ff.
Thus, σr|=ϕinit(S) (cf. (3.1), (3.10) and (3.20)), and therefore σr|=ϕ(S)0.
IH r∈RunS,k: σr|=ϕ(S)k, for some k≥0.
IS r∈RunS,k+1: we again consider the different systems separately
S = A: r=〈l0, ν0〉 a1−→ . . . ak−→〈lk, νk〉 ak+1−−→〈lk+1, νk+1〉∈RunA,k+1, and either the
last step 〈lk, νk〉 ak+1−−→〈lk+1, νk+1〉 is an action transition (2.1) resulting from
execution of a transition e=(s, a, cc, λ, s′), or it is a delay transition (2.2)
in location s.
In case of an action transition, we have lk=s, lk+1=s
′, ak+1=a for some
a∈Σ, and νk+1=νk. Then
• σr(sk+1)
(xi)
=tt for s=lk+1, and ff otherwise
• σr(zk+1)
(xii)
= σr(zk)
• σr(xk+1)
(xiii)
= σr(zk+1)−νk+1(x)=

λ(x)=id,(xii)
= σr(zk)−νk(x)=σr(xk)
λ(x)=x′
= σr(zk+1)−νk+1(x′)(xiii)= σr(x′k+1)
λ(x)=n
= σr(zk+1)−n
• σr(αk+1)
(xiv)
= tt for a=ak+1, and ff otherwise
• For cc=x∼n, we have cck=(zk−xk)∼n. Because νk|=(x∼n) (Defini-
tion 2.2.4), we have σr(zk)−σr(xk)(xiii),(IH)∼ n, thus σr|=cck. The argu-
mentation for σr|=I(s′)k+1 is similar.
From the above, we get σr|=ϕaction(e)k+1/t (3.2) (so σr|=ϕtrans(A)k+1/t
(3.4)), σr|=ϕlocation(A)k+1/t (3.5), and σr|=ϕmutex(A)k+1/t (3.6).
In case of a delay transition, we have lk=s=lk+1, ak+1=t for some t∈Time,
and νk+1=νk+t. Then
• σr(sk+1)
(xi)
=tt for s=lk+1, and ff otherwise
• σr(zk+1)
(xii)
= σr(zk)+t
• σr(xk+1)
(xiii)
= σr(zk+1)−νk+1(x)(xii)= σr(zk)+t−(νk(x)+t)=
σr(zk)−νk(x)(xiii)= σr(xk)
• σr(αk+1)
(xiv)
= ff for all a∈Σ
• σr|=I(s)k+1: similar to the argumentation for σr|=cck above
From the above, we get σr|=ϕdelay(e)k+1/t (3.3) (so σr|=ϕtrans(A)k+1/t
(3.4)), σr|=ϕlocation(A)k+1/t (3.5), and σr|=ϕmutex(A)k+1/t (3.6).
Together, we get σr|=ϕ(S)k+1 for S=A
2Here and in the remainder of the proof, again we only show the basic cases for simple clock
constraints (without clock differences) and simple data constraints (without addition/subtraction).
134 APPENDIX A. PROOFS
S = T: r=〈l0, δ0, ν0〉 P1,δ¯1,t1−−−−→ . . . Pk,δ¯k,tk−−−−→〈lk, δk, νk〉 Pk+1,δ¯k+1,tk+1−−−−−−−−→〈lk+1, δk+1, νk+1〉
∈RunT,k+1, and the last step 〈lk, δk, νk〉 Pk+1,δ¯k+1,tk+1−−−−−−−−→〈lk+1, δk+1, νk+1〉 re-
sults from following either a visible transition (2.7) or an invisible transi-
tion transition (2.7), (2.8).
In case of a visible transition e=(s, P, dc, cc, λ, s′), we have lk=s, lk+1=s′,
Pk+1=P , and νk+1=νk+tk+1, with tk+1>0. Then
• σr(sk+1), σr(xk+1): equivalent to the respective cases for S=A above
• σr(zk+1)
(xii)
= σr(zk)+tk+1
• σr(pk+1)
(xv)
= tt for p∈P , ff otherwise
• σr(Dpk+1)
(xvi)
= ∆(δ¯k+1) for p∈P , n⊥ otherwise
• σr(Ddk+1)
(xvii)
= ∆(δk+1(d)) if d∈#(s′), ∆(δ¯k+1(d)) otherwise
• σr(dk+1)
(xviii)
= ff if σr(Ddk+1)=n
⊥, tt otherwise
• For I(s)=(x∼n), we have I(s)k+1∆=(zk+1−xk)∼n. Since νk+t|=I(s)
for all 0≤t≤tk+1 (Definition 2.3.5), in particular νk(x)+tk+1|=(x∼n);
so σr(zk+1)−σr(xk)IH,(xiii)= (σr(zk)+tk+1)−(σr(zk)−νk(x))=νk(x)+tk+1,
which means that σr(zk+1)−σr(xk)∼n holds. Therefore σr|=I(s)k+1∆.
The argumentation for σr|=cck+1∆ is similar, and the argumentation
for σr|=I(s′)k 1 is equivalent to the respective case for S=A above
• For dc=(D'D′), '∈{=,6} (cf. Definition 2.1.7 and Section 3.1.1.5),
we have dck+1=(D'D′), where D and D′ are either port data variables
Dpk+1 or data content variables Ddk, Ddk+1 (cf. Section 3.1.1.5). Be-
cause δ¯k+1|=dc (Definition 2.3.5), in particular δ¯(D) and δ¯(D′) such
that δ¯(D)'δ¯(D′) holds. Therefore, σr(D)'σr(D′) holds as well ((xvi),
(xvii)),3 and thus σr|=dck+1.
The case where D∈Data and/or D′∈Data, that means where D or D′
are data element representations ni, is a simplification of the above.
From the above, we get σr|=ϕvisible(e)k+1/t (3.11) (so σr|=ϕtrans(T)k+1/t
(3.16), σr|=ϕlocation(T)k+1/t (3.14), and σr|=ϕmutex(T)k+1/t (3.15).
In case of an invisible transition e=(s,∅,dc,cc,λ,s′), we have lk=s, lk+1=s′,
Pk+1=∅, and νk+1=νk+tk+1, with tk+1≥0. Then
• σr(sk+1), σr(zk+1), σr(xk+1) as above
• σr(pk+1)
(xv)
= ff for all p∈P
• σr(Ddk+1), σr(dk+1), σr|=I(s)k+1∆, σr|=cck+1∆, σr|=I(s′)k 1 σr|=dck+1:
as above
From the above, we get σr|=ϕinvisible(e)k+1/t (3.12) (so σr|=ϕtrans(T)k+1/t
(3.16), σr|=ϕlocation(T)k+1/t (3.14), and σr|=ϕmutex(T)k+1/t (3.15).
Together, we get σr|=ϕ(S)k+1 for S=T
S = N: r=〈l0, δ0, ν0〉 c1,γ1−−→ . . . ck,γk−−−→〈lk, δk, νk〉 ck+1,γk+1−−−−−→〈lk+1, δk+1, νk+1〉, where
r∈RunN,k+1, and either the last step 〈lk, δk, νk〉 ck+1,γk+1−−−−−→〈lk+1, δk+1, νk+1〉
3Note that (Definition 2.3.5) δ(d) and δ¯(d) coincide in case d∈#(s) for any location s.
A.1. CORRECTNESS OF REPRESENTATION 135
is an action transition (2.15) resulting from executing a communication,
or it is a delayed action transition (2.16) resulting from executing a delay.
In case of a communication e=(s, c, dc, cc, λ, s′), we have lk=s, lk+1=s′,
and γk+1=δ¯k+1. Then
• σr(sk+1), σr(xk+1), σr(zk+1), σr(dk+1): equivalent to the respective
cases for S=T above
• σr(pk+1)
(xv)
= tt if ck+1(p)= , ff otherwise
• σr(cpk+1)
(xix)
= tt if ck+1(p)= ! , σr(cpk+1)=ff if ck+1(p)= ? , unspec-
ified otherwise
• σr(Dpk+1)
(xvi)
= ∆(δ¯k+1(p)) if ck+1(p)= , n
⊥ otherwise
• σr(Ddk+1), σr(dk+1), σr|=cck, σr|=dck+1, σr|=I(s′)k+1: equivalent to
the respective cases for S=T above
From the above, we get σr|=ϕcommu(e)k+1/t (3.21) (so σr|=ϕtrans(N)k+1/t
(3.26)), σr|=ϕlocation(N)k+1/t (3.24), and σr|=ϕmutex(N)k+1 (3.25).
The case of a delay e=(s, c, dc, cc, id, s) is essentially equivalent to the
case of a communication, and needs not be considered separately. For
a delay, we get σr|=ϕdelay(e)k+1/t (3.22) (so σr|=ϕtrans(N)k+1/t (3.26)),
σr|=ϕlocation(N)k+1/t (3.24), and σr|=ϕmutex(N)k+1 (3.25).
Together, we get σr|=ϕ(S)k+1 for S=N
Finally, we get σr|=ϕ(S)k+1 for all systems S∈{A,T,N}, and we define the map
↓rσ:RunS,k→V(ϕ(S)k) such that for every run r∈RunS,k, ↓rσ(r)=σr∈V(ϕ(S)k) is the
derived interpretation.
Proposition A.1.8 (Derived Interpretation, Product). For r∈RunS1./S2,k, the
derived interpretation σr is a model of ϕ(S1./S2)k, i.e. σ∈V(ϕ(S1./S2)k).
Proof (Idea). The proof is along the same lines as the proof of Lemma A.1.7: in
IS, we show that for i=1, 2, the derived interpretation σr for a run r∈RunS1./S2,k+1,
reduced to the variables of ϕ(Si)k, is a model of ϕ(Si)k.
Using the above, the proof of Theorem 3.2.4 (found on Page 61) is straightfor-
ward:
Proof of Theorem 3.2.4. This follows directly from Lemma A.1.4 and Lemma
A.1.7.
Theorem A.1.9 (Soundness, Completeness). The formula representation ϕ(S)
of a real-time system S, as defined in Definitions 3.1.1, 3.1.4 and 3.1.9, is correct,
that means ϕ(S) exhibits the same behaviour as S.
Proof. This follows directly from Lemma A.1.4 and Lemma A.1.7.
136 APPENDIX A. PROOFS
A.2 Correctness of Abstraction
In this Section, we prove that the abstraction function α, as presented in Section 4.1,
yields a correct over-approximation. To yield an over-approximation, every finite run
of the concrete system S (represented by a model of ϕ(S)k, see Theorem A.1.9) has
to be reproducible in the abstract case.4 This is captured in Lemma 4.1.7. Here,
we prove an even stronger correctness result, which in particular emphasises the
structural relationships between concrete and abstract formula. We show that the
diagram in Figure A.2 commutes, which allows us to conclude the existence of a
homomorphism hR between concrete and abstract set of runs.
RunS,k V(ϕ(S)k) V(ϕ(S˜)k) RunS˜,k
S ϕ(S)k ϕ(S˜)k S˜
i ii iii
ϕ α ϕ
run model model run↓rσ
↓σr
⊆
↓σr
↓rσhR
Figure A.2: Strong Correctness of Abstraction
The idea of the proof is as follows: since α works locally, it retains the formula
structure of ϕ(S) if S=A (cf. (3.7)), and it retains the formula structure of ϕ(S)
up to data constraints if S=T (cf. (3.16)).5 Therefore, there exists some system S˜
of the same representation ϕ(S˜)k = α(ϕ(S)k) (up to logical equivalence and data
constraints). With this, subdiagrams (i) and (iii) in Figure A.2 commute according
to Theorem A.1.9. Moreover, subdiagram (ii) in Figure A.2 commutes according
to Lemma 4.1.7 (since every model of ϕ(S˜)k is a model of α(ϕ(S)k)), such that the
whole diagram commutes.
Notation A.2.1 (Notation of Systems). If not stated otherwise, we shall assume
the constituents of a TA A to be denoted as A=(S, s0,Σ,X , I, E), and of a TCA T as
T=(S, s0,P ,X , I,D,#, E). We use the general notion S, with S∈{A,T}, whenever
possible, and if applicable, we may refer to common constituents (i.e., S, s0, X , I,
E) without explicitly mentioning A or T. For a system with identifier S˜, we add
the symbol ˜ to all constituents, equivalently, for a system with identifier Si, we
add index i to all constituents.
We use the notation of representation variables introduced in Section 3.1.1.
4Note that unlike in Section A.1, where we had S∈{A,T,N}, here we only have S∈{A,T}, cf.
Section 4.1.
5To guarantee that α yields an over-approximation, we may retain only those data constraints
that reason about ports not merged by γ, cf. Definition 4.1.3 and the explanations thereafter.
Therefore, we cannot expect that the formula structure of data constraints is preserved.
A.2. CORRECTNESS OF ABSTRACTION 137
Definition A.2.2 (Homomorphism of Runs). Let A, A˜ be TA, T, T˜ be TCA,
both with X⊇X˜ and |S|≥|S˜|. Let |Σ|≥|Σ˜|, |P|≥|P˜|, and |D|≥|D˜|. Let SA, ST,
SA˜ and ST˜ be the associated transition systems, and let RunA, RunT, RunA˜ and
RunT˜ be the sets of runs. Let γS:S→S˜, γΣ:Σ→Σ˜, γP :P→P˜ and γD:D→D˜ be total,
surjective mappings.
A function hR:RunA→RunA˜ is called a homomorphism of runs (between RunA
and RunA˜) iff for each run
r=〈l0, ν0〉 a1−→〈l1, ν1〉 a2−→〈l2, ν2〉∈RunA,
there exists a run h(r)=r˜,
r˜=〈l˜0, ν˜0〉 a˜1−→〈l˜1, ν˜1〉 a˜2−→〈l˜2, ν˜2〉 . . .∈RunA˜,
with γS(li)=l˜i, ν˜i=νi|X˜ , and γΣ(γi)=γ˜i for all i≥0.
A function hR:RunT→RunT˜ is called a homomorphism of runs (between RunT
and RunT˜) iff for each run
r=〈l0, δ0, ν0〉 P1,δ¯1,t1−−−−→〈l1, δ1, ν1〉 P2,δ¯2,t2−−−−→〈l2, δ2, ν2〉∈RunT,
there exists a run h(r)=r˜,
r˜=〈l˜0, δ˜0, ν˜0〉 P˜1,˜¯δ1,t˜1−−−−→〈l˜1, δ˜1, ν˜1〉 P˜2,˜¯δ2,t˜2−−−−→〈l˜2, δ˜2, ν˜2〉∈RunT˜,
with γS(li)=l˜i, ν˜i=νi|X˜ , γP (Pi)=P˜i, ˜¯δi(p˜)=n only if δi(p)=n for some p∈γ−1P (p˜),
δ˜i(d˜)=n only if δi(d)=n for some d∈γ−1D (d˜), and ˜¯δi(d˜)=n only if δ¯i(d)=n for some
d∈γ−1D (d˜), for all i≥0.
For the sets of finite runs RunA,k, RunT,k, RunA˜,k and RunT˜,k, hR is defined
analogously.
Intuitively speaking, an abstraction is correct if the semantics of the abstract
system is not reduced with respect to the semantics of the concrete system. That
means, every behaviour that is possible in the concrete system has to be possible
in the abstract system as well. Since we have defined the semantics of a real-time
system S via sets of runs (Definitions 2.2.4 and 2.3.5), an abstraction of S is correct
if for all systems S and S˜, such that S˜ is obtained from S by abstraction, there
exists a homomorphism of runs hR:RunS→RunS˜, as defined in definition A.2.2. To
prove the existence of hR, we show that Figure A.2 is a commuting diagram.
The general proof idea is shown in Figure A.3: let S be a real-time system, with
k-unfolding ϕ(S)k. The abstraction function α preserves the structure of ϕ(S)k,
that means the abstraction α(ϕ(S)k) of ϕ(S)k is the k-unfolding ϕ(S˜)k of some
system S˜. Though the abstraction function α is defined on formulas rather than on
systems, the system S˜ can be “derived” from the formula representation α(ϕ(S)k)
(Proposition A.2.7). For r∈RunS,k and r˜∈RunS˜,k, such that hR(r)=r˜, there exists
an interpretation σ∈V(ϕ(S˜)k), such that r˜ is the derived run rσ of σ.
In other words, the commutative property can be summarised as follows: the
possible behaviour of the abstract system S˜, given by the set of runs RunS˜,k, is
138 APPENDIX A. PROOFS
RunS,k V(ϕ(S)k) V(ϕ(S˜)k) RunS˜,k
S ϕ(S)k ϕ(S˜)k S˜
ϕ α ϕ
run model model run↓rσ
↓σr
⊆ ↓
σ
r
↓rσhR
Figure A.3: Abstraction by Omission: Basic proof idea
obtained from the possible behaviour of the original system RunS,k and the homo-
morphism of runs hR (lower path in Figure A.3). RunS˜,k is also obtained from the
k-unfolding ϕ(S)k of S, the abstraction function α, the set of models of α(ϕ(S)k),
and the set of derived runs for these interpretations (upper path in Figure A.3).
We can already state that
Proposition A.2.3 (Commuting Subdiagrams). The subdiagrams (i) and (iii)
in Figure A.2 are a commuting diagram each.
Proof. This follows directly from Theorem A.1.9.
The subdiagram (iii) in Figure A.2 is a commuting diagram when considered
separately. Yet, with respect to the overall context of Figure A.2, the fact that MO
is not defined on systems S but on formulas has to be taken into account. However,
Proposition A.2.7 below will show the existence of such an abstract system S˜.
We first show that the abstract formula α(ϕ(S)) is weaker than the concrete
formula ϕ(S) (cf. Lemma 4.1.7 on Page 73).
Proof of Lemma 4.1.7. Let L be a literal. The proof is done inductively on the
structure of the formula F :
IA: We need to consider the different cases in (4.1)
• If F=L, Conts(L)∩•α=∅, then α(F )(4.1a)= L. (L→ L) holds trivially.
• If F=L, Conts(L)∩•α 6=∅, L=p∈P, then α(F )(4.1b)= γ(p). By definition of γ,
γ(p)=q for some q∈P′. By definition of γα (4.3), (p→ q) holds.
• For all other literals L, α(L)(4.1e)= true. (L→ true) holds trivially.
• If F=¬p∧p′, with p, p′∈P and γ(p)=γ(p′)=q (basic case of (4.1c)), then
α(F )
(4.1c),(4.2a)
= α(¬p)∧α(p′)(4.1c),(4.1b)= q∧q=q. By definition of γα, ((¬p∧p′)→
q) holds.
• If F=¬p∧¬p′′, with p, p′′∈P and γ(p)=γ(p′′)=q (basic case of (4.1d)),
then α(F )
(4.1d),(4.2a)
= α(¬p)∧α(¬p′′)(4.1d),(4.1b)= ¬q∧¬q = ¬q. By definition of
γα, ((¬p∧¬p′′)→ ¬q) holds.
IH: For formulas F1 and F2, (F1 → α(F1)) and (F2 → α(F2)) holds.
A.2. CORRECTNESS OF ABSTRACTION 139
IS: • If F=F1∧F2, then α(F )(4.2a)= α(F1)∧α(F2). ((F1∧F2) → (α(F1)∧α(F2)))
holds by IH and propositional logic.
• If F=F1∨F2, then α(F )(4.2b)= α(F1)∨α(F2). ((F1∨F2) → (α(F1)∨α(F2)))
holds by IH and propositional logic.
• If F=F1∧γα, then α(F )(4.4)= α(F1)∧ γα. ((F1∧γα)→ (α(F1)∧γα)) holds by
IH and propositional logic.
We want to show that MO preserves the formula representation. Since MO is
defined for formulas in NNF (cf. Definition 4.1.5), we first show that transformation
to NNF preserves the formula representation.
Remark A.2.4 (NNF preserves the Formula Representation). Let S be a
real-time system, with formula representation ϕ(S) and k-unfolding ϕ(S)k. The
transformation to NNF of ϕ(S) and ϕ(S)k preserves the formula structure, that
means, NNF (ϕ(S)) is a formula of the form (3.7) respectively (3.16), and similarly,
NNF (ϕ(S)k) is a formula of the form (3.29).
Proof. For S=A, the formulas ϕ(A) and ϕ(A)k are in NNF already, so nothing
needs to be shown.
For S=T, the only parts of ϕ(T) and ϕ(T)k which are not yet in NNF are the
representations of data constraints. It is easy to see that for a data constraint
dc∈DC(P ,D), with representation dc∈DC(PDA,D), the transformation NNF (dc) to
NNF is a well-formed data constraint according to Definition 2.1.7, too, that means
NNF (dc)∈DC(PDA,D).
Next, we show that MO preserves the structure of data and clock constraints.
Lemma A.2.5 (MO preserves Data and Clock Constraints). Let P be a set
of ports, D a set of data variables, and X a set of clocks. Let dc∈DC(P ,D) be a data
constraint (cf. Definition 2.1.7), cc∈CC(X ) a clock constraint (cf. Definition 2.1.2).
Let dc∈DC(PDA,DCO) be the representation of dc, and cc∈CC(X) the representations
of cc (cf. Section 3.1.1). The abstraction function α preserves the structure of data
and clock constraints, that means α(dc) and α(cc) are also valid representations of
data and clock constraints.
Proof. By definition, α changes only literals. Since dc and cc do not contain
propositional variables, neither of (4.1b), (4.1c) or (4.1d) is applicable. Therefore,
α preserves the logical structure,6 and literals are either kept unchanged (4.1a) or
mapped to true (4.1e). Thus, α(dc)∈DC(PDA,DCO), and α(cc)∈CC(X).
6The logical structure of a formula is the order of its literals and the logical operators ∧, ∨
and ¬. For example, for a formula F = (p∨¬q)∧¬(r∧¬(x = 5)), with p, q, r ∈ P being atomic
propositions and x ∈ V being a variable, the logical structure is F = (l1 ∨ l2)∧¬(l3 ∧ l4) (for literals
li). Note that an occurrence of ¬ is part of the logical structure only if it is not part of a literal.
140 APPENDIX A. PROOFS
Remark A.2.6 (Lifting of MO). For argumentation purposes, we lift α in the
straightforward way to reason about constituents of systems rather than formulas.
For example, for a clock x with representation x, we may write x∈O instead of x∈O.
Similarly, we lift α to reason about sets rather than single variables. For example,
for the set of locations S and the set of clocks X , we may write α(S) and α(X ) to
denote the set of locations respectively clocks in the abstract system, that means
α(S)={s′ | s∈S, γ(s)=s′}, and α(X )={x | x 6∈O}=X\O. By α(λ), we denote the
update map λ, reduced to the clocks of the abstract system. That is, α(λ)=λ|α(X ).
We are now ready to show that MO preserves the formula representation of TA,
and preserves the formula representation of TCA up to data constraints.
Proposition A.2.7 (MO preserves the Formula Representation). Let A =
(S, s0,Σ,X , I, E) be a TA, T=(S, s0,P ,X , I,D,#, E) a TCA, with formula repre-
sentations ϕ(A), ϕ(T), and k-unfoldings ϕ(A)k, ϕ(T)k in NNF (cf. Remark A.2.4).
Let α be an abstraction function, with γ and O as in Definition 4.1.5.
The abstraction by merging omission preserves the formula representation and
k-unfolding of A, and it preserves the formula representation and k-unfolding of T up
to data constraints. That means, there exists a TA A˜, with formula representation
ϕ(A˜) and k-unfolding ϕ(A˜)k, such that
ϕ(A˜) = α(ϕ(S)), and
ϕ(A˜)k = α(ϕ(A)k),
(xx)
and there exists a TCA T, with formula representation ϕ(T˜) and k-unfolding ϕ(T˜)k,
such that
ϕ(T˜)\dc = α(ϕ(T))\dc, and
ϕ(T˜)k\dc = α(ϕ(T )k)\dc,
(xxi)
where \dc is a function that replaces all literals of the form (D'D′) or ¬(D'D′), with
' ∈{=,6}, and D, D′ either port data variables Dpt, data content variables Ddt, or
data element representations ni (cf. Definition 2.1.7 and Section 3.1.1.5), and t∈N,
in a formula by true.
Proof of (xx). (for the proof of (xxi), please refer to Page 143).
Let A′=(S ′, s′0,Σ
′,X ′, I ′, E ′) be a TA, with S ′=α(S), s′0=α(s0), Σ′=α(Σ), X ′=α(X ),
I ′(s)=α(I(s)) for all s∈S ′, and E ′={(α(s), α(a), α(cc), α(λ), α(s′)) | (s, a, cc, λ, s′) ∈
E}. Let ϕ(A′) and ϕ(A′)k be the formula representation and k-unfolding of A′.
Observe that we have
S ′=α(S)={s|s∈S, α(s)=id}∪{s′|s∈S, α(s)=s′}, and (*)
Σ′=α(Σ)={a|a∈Σ, α(a)=id}∪{a′|a∈Σ, α(a)=a′} (**)
We first show that ϕ(A′)=α(ϕ(A)). By Definitions 3.1.1 and 4.1.5, we have
α(ϕ(A)) = α(ϕinit(A)∧ϕtrans(A)∧ϕlocation(A)∧ϕmutex(A))
= α(ϕinit(A))∧α(ϕtrans(A))∧α(ϕlocation(A))∧α(ϕmutex(A))
ϕ(A′) = ϕinit(A′)∧ϕtrans(A′)∧ϕlocation(A′)∧ϕmutex(A′)
A.2. CORRECTNESS OF ABSTRACTION 141
Consider the corresponding parts in α(ϕ(A)) and ϕ(A′) separately
1. Initial constraints ϕinit:
α(ϕinit(A)) = α
(
s¯0 ∧
∧
s∈S,s6=s¯
¬s0 ∧ I(s¯)0 ∧
∧
a∈Σ
(¬α0)∧(z0=0)∧
∧
x∈X
(x0=0)
)
= α(s¯0)∧
∧
s∈S,s6=s¯
α(¬s0)∧α(I(s¯)0)∧
∧
a∈Σ
α((¬α0))∧
α((z0=0))∧
∧
x∈X
α((x0=0))
= α(s¯0)∧
∧
s∈S,s6=s¯,
α(s)=id
¬s0 ∧
∧
s∈S,s6=s¯,
α(s)=s′ 6=α(s¯)
¬s′0 ∧α(I(s¯)0)∧
∧
a∈Σ,
α(a)=id
(¬a0)∧
∧
a∈Σ,
α(a)=a′
(¬α′0)∧(z0=0)∧
∧
x∈X\O
(x0=0)
ϕinit(A′) = s¯′0 ∧
∧
s∈S′,s 6=s¯′
¬s0 ∧ I(s¯′)0 ∧
∧
a∈Σ′
(¬α0)∧(z0=0)∧
∧
x∈X ′
(x0=0)
By definition of A′, we have α(s¯0)=s¯′0, and α(I(s¯)0)=I(s¯
′)0. Because of (*),
(**), and the fact that X ′=X\O, we finally get
α(ϕinit(A)) = ϕinit(A′)
2. Transition relation ϕtrans:
α(ϕtrans(A)) = α(
∨
e∈E
ϕaction(e)∨ ∨
s∈S
ϕdelay(s))
=
∨
e∈E
α(ϕaction(e))∨ ∨
s∈S
α(ϕdelay(s))
ϕtrans(A′) =
∨
e∈E′
α(ϕaction(e))∨ ∨
s∈S′
α(ϕdelay(s))
Consider an action transition e=(s, a, cc, λ, s′)∈E:
α(ϕaction(e)) = α(st ∧αt 1 ∧ cct ∧(zt=zt 1)∧
∧
λ(x)=id
(xt 1=xt)∧∧
λ(x)=x′
(xt 1=x
′
t 1)∧
∧
λ(x)=n
(xt 1=zt 1−n)∧ s′t 1 ∧ I(s′)t 1)
= α(st)∧α(αt)∧α(cct)∧α(zt=zt 1)∧
∧
λ(x)=id
α(xt 1=xt)∧∧
λ(x)=x′
α(xt 1=x
′
t 1)∧
∧
λ(x)=n
α(xt 1=zt 1−n)∧α(s′t 1)∧ I(s′)t 1
= α(st)∧α(αt 1)∧α(cct)∧(zt=zt 1)∧
∧
λ(x)=id,
x∈X\O
(xt 1=xt)∧
∧
λ(x)=x′,
x,x′∈X\O
(xt 1=x
′
t 1)∧
∧
λ(x)=n,
x∈X\O
(xt 1=zt 1−n)∧α(s′t 1)∧ I(s′)t 1
and its counterpart e′=(α(s), α(a), α(cc), α(λ), α(s′))∈E ′:
142 APPENDIX A. PROOFS
ϕaction(e′) = α(st)∧α(αt 1)∧α(cct)∧(zt=zt 1)∧
∧
α(λ)(x)=id
(xt 1=xt)∧∧
α(λ)(x)=x′
(xt 1=x
′
t 1)∧
∧
α(λ)(x)=n
(xt 1=zt 1−n)∧α(s′t 1)∧α(I(s′)t)
Because X ′=X\O, we have
α(ϕaction(e)) = ϕaction(e′)
For a delay transition in s, we have
α(ϕdelay(s)) = α(st∧
∧
a∈Σ
¬αt 1∧(zt≤zt 1)∧
∧
x∈X
(xt=xt 1)∧st 1∧I(s)t 1)
= α(st)∧
∧
a∈Σ
α(¬αt 1)∧α(zt≤zt 1)∧
∧
x∈X
α(xt=xt 1)∧α(st 1)∧α(I(s)t 1)
= α(st)∧
∧
a∈Σ,
α(a)=id
¬αt 1∧
∧
a∈Σ,
α(a)=a′
(¬α′t 1)∧(zt≤zt 1)∧
∧
x∈X ,
x∈X\O
(xt=xt 1)∧α(st 1)∧α(I(s)t 1)
and for the corresponding delay transition in s′, we have
ϕdelay(s′) = α(st)∧
∧
a∈Σ′
¬αt 1∧(zt≤zt 1)∧
∧
x∈X ′
(xt=xt 1)∧α(st 1)∧α(I(s)t 1)
Because of (**), we have
α(ϕdelay(s)) = ϕdelay(s′)
Since there is a one-to-one relation between transitions in E and E ′, and by
definition of ∨, we finally have
α(ϕtrans(A)) = ϕtrans(A′)
3. Mutual exclusion of locations ϕlocation:
α(ϕlocation(A)) = α(
∨
s∈S
(st 1∧
∧
s′∈S,s′ 6=s
¬s′t 1))
=
∨
s∈S
(α(st 1)∧
∧
s′∈S,s′ 6=s
α(¬s′t 1))
=
∨
s∈S
α(s)=id
(st ∧
∧
s′∈S,s′ 6=s
α(s′)=id
¬s′t ∧
∧
s′∈S,s′ 6=s
α(s′)=s¯ 6=s
¬s¯t)∨
∨
s∈S
α(s)=sˆ
(s^t ∧
∧
s′∈S,s′ 6=s
α(s′)=id
¬s′t ∧
∧
s′∈S,s′ 6=s
α(s′)=s¯ 6=s
¬s¯t)
ϕlocation(A′)) =
∨
s∈S′
(st 1∧
∧
s′∈S′,s′ 6=s
¬s′t 1)
A.2. CORRECTNESS OF ABSTRACTION 143
Because of (*), we have
α(ϕlocation(A)) = ϕlocation(A′))
4. Mutual exclusion of events ϕmutex:
α(ϕmutex(A)) = α(
∨
a∈Σ
(αt 1∧
∧
a′∈Σ,a′ 6=a
¬α′t 1)∨
∧
a∈Σ
(¬αt 1))
=
∨
a∈Σ
(α(αt 1)∧
∧
a′∈Σ,a′ 6=a
α(¬α′t 1))∨
∧
a∈Σ
α(¬αt 1)
=
∨
a∈Σ
α(a)=id
(αt ∧
∧
a′∈Σ,a′ 6=a
α(a′)=id
¬α′t ∧
∧
a′∈Σ,a′ 6=a
α(a′)=a¯6=a
¬α¯t)∨
∨
a∈Σ
α(a)=aˆ
(α^t ∧
∧
a′∈Σ,a′ 6=a
α(a′)=id
¬α′t ∧
∧
a′∈Σ,a′ 6=a
α(a′)=a¯6=a
¬α¯t)∨
∧
a∈Σ,
α(a)=id
(¬a)∧ ∧
a∈Σ,
α(a)=a¯
(¬α¯t 1)
ϕmutex(A′)) =
∨
a∈Σ′
(αt 1∧
∧
a′∈Σ′,a′ 6=a
¬α′t 1)∨
∧
a∈Σ′
(¬αt 1)
Because of (**), we have
α(ϕmutex(A)) = ϕmutex(A′)),
From the four cases above, we get
α(ϕ(A)) = ϕ(A′)
The argumentation for
α(ϕ(A)k)=ϕ(A
′)k
is similar.
Thus, the TA A′ satisfies the conditions (xx), and we have shown that MO
preserves the formula representation and k-unfolding of TA.
Proof of (xxi). Let T′ = (S ′, s′0,P ,X ′, I ′,D′,#′, E ′) be a TCA, with S ′=α(S),
s′0=α(s0),P ′=α(P),X ′=α(X ), I ′(s)=α(I(s)) for all s∈S ′, D′=α(D), #′(s)=α(#(s))
for all s∈S ′, and E ′={(α(s), α(P ), α(dc), α(cc), α(λ), α(s′))|(s, P, dc, cc, λ, s′)∈E}.
Let ϕ(T′) and ϕ(T′)k be the formula representation and k-unfolding of T′. Observe
that we have
S ′=α(S)={s|s∈S, α(s)=id}∪{s′|s∈S, α(s)=s′}, (†)
Σ′=α(Σ)={a|a∈Σ, α(a)=id}∪{a′|a∈Σ, α(a)=a′}, and (‡)
D′=α(D)={d|d∈D, α(d)=id}∪{d′|d∈D, α(d)=d′} (††)
144 APPENDIX A. PROOFS
We first show that ϕ(T′)\dc=α(ϕ(T))\dc. By definition of \dc, and Definitions
3.1.4 and 4.1.5, we have
α(ϕ(T))\dc = α(ϕinit(T)∧ϕtrans(T)∧ϕlocation(T)∧ϕmutex(T))\dc
= α(ϕinit(T))\dc ∧α(ϕtrans(T))\dc ∧
α(ϕlocation(T))\dc ∧α(ϕmutex(T))\dc
ϕ(T′)\dc = ϕinit(T′)\dc ∧ϕtrans(T′)\dc ∧ϕlocation(T′)\dc ∧ϕmutex(T′)\dc
Consider the corresponding parts in α(ϕ(T))\dc and ϕ(T′)\dc separately
1. Initial constraints ϕinit:
α(ϕinit(T))\dc = α
(
s¯0 ∧
∧
s∈S,s6=s¯
¬s0 ∧ I(s¯)0 ∧
∧
p∈P
(¬p0 ∧(Dp0=n⊥))∧∧
d∈D
(¬d0 ∧(Dd0=n⊥))∧(z0=0)∧
∧
x∈X
(x0=0)
)\dc
= α(s¯0)\dc ∧
∧
s∈S,s6=s¯
α(¬s0)\dc ∧α(I(s¯)0)\dc ∧
∧
p∈P
α(¬p0)\dc ∧∧
p∈P
α((Dp0=n
⊥))\dc ∧
∧
d∈D
α(¬d0)\dc ∧
∧
d∈D
α((Dd0=n
⊥))\dc ∧
α((z0=0))\dc ∧
∧
x∈X
α((x0=0))\dc
= α(s¯0)∧
∧
s∈S,s6=s¯,
α(s)=id
¬s0 ∧
∧
s∈S,s6=s¯,
α(s)=s′ 6=α(s¯)
¬s′0 ∧α(I(s¯)0)∧
∧
p∈P,
α(p)=id
(¬p0)∧
∧
p∈P,
α(p)=p′
(¬p′0)∧
∧
d∈D,
α(d)=id
(¬d0)∧
∧
d∈D,
α(d)=d′
(¬d′0)∧
(z0=0)∧
∧
x∈X\O
(x0=0)
ϕinit(T′)\dc = s¯′0\dc ∧
∧
s∈S′,s 6=s¯′
¬s0\dc ∧ I(s¯′)0\dc ∧
∧
p∈P ′
(¬p0 ∧(Dp0=n⊥))\dc ∧∧
d∈D′
(¬d0 ∧(Dd0=n⊥))\dc ∧(z0=0)\dc ∧
∧
x∈X ′
(x0=0)\dc
= s¯′0 ∧
∧
s∈S′,s 6=s¯′
¬s0 ∧ I(s¯′)0 ∧
∧
p∈P ′
(¬p0)∧∧
d∈D′
(¬d0)∧(z0=0)∧
∧
x∈X ′
(x0=0)
By definition of T′, we have α(s¯0) = s¯′0, and α(I(s¯)0) = I(s¯
′)0. Because of
(†), (‡) and (††), and the fact that X ′=X\O, we finally get
α(ϕinit(T))\dc = ϕinit(T′)\dc
2. Transition relation ϕtrans:
α(ϕtrans(T))\dc = α(
∨
e∈E,e visible
ϕvisible(e)∨ ∨
e∈E,e invisible
ϕinvisible(e))\dc
=
∨
e∈E,e visible
α(ϕvisible(e))\dc ∨
∨
e∈E,e invisible
α(ϕinvisible(e))\dc
A.2. CORRECTNESS OF ABSTRACTION 145
ϕtrans(T′)\dc =
∨
e∈E′,e visible
ϕvisible(e)\dc ∨
∨
e∈E′,e invisible
ϕinvisible(e)\dc
Consider a visible transition e=(s, P, dc, cc, λ, s′) ∈ E:
α(ϕvisible(e))\dc = α(st∧I(s)t∆∧
∧
p∈P
pt 1∧
∧
p 6∈P
¬pt 1∧
∧
d6∈#(s′)
¬dt 1∧dct 1∧
cct∆∧(zt<zt 1)∧
∧
λ(x)=id
(xt 1=xt)∧
∧
λ(x)=x′
(xt 1=x
′
t 1)∧∧
λ(x)=n
(xt 1=zt 1−n)∧s′t 1∧I(s′)t 1)\dc
= α(st)∧α(I(s)t∆)∧
∧
p∈P,
α(p)=id
pt 1 ∧
∧
p∈P,
α(p)=p′
p′t 1 ∧
∧
p 6∈P,
α(p)=id
¬pt 1 ∧
∧
p 6∈P,
α(p)=p′ 6∈α(P )
¬p′t 1 ∧
∧
d6∈#(s′),
α(d)=id
(¬dt 1)∧
∧
d6∈#(s′),
α(d)=d′
(¬d′t 1)∧
α(cct∆)∧(zt<zt 1)∧
∧
λ(x)=id,
x∈X\O
(xt 1=xt)∧
∧
λ(x)=x′,
x,x′∈X\O
(xt 1=x
′
t 1)∧
∧
λ(x)=n,
x∈X\O
(xt 1=zt 1−n)∧α(s′t 1)∧ I(s′)t 1
and its counterpart e′=(α(s), α(P ), α(dc), α(cc), α(λ), α(s′))∈E ′:
ϕvisible(e′)\dc = α(st)\dc∧α(I(s)t∆)\dc∧
∧
p∈α(P )
pt 1\dc∧
∧
p 6∈α(P )
(¬pt 1)\dc∧∧
d 6∈#(α(s′))
(¬dt 1)\dc∧α(dct 1)\dc∧α(cct∆)\dc∧α(zt<zt 1)\dc∧∧
α(λ)(x)=id
(xt 1=xt)\dc∧
∧
α(λ)(x)=x′
(xt 1=x
′
t 1)\dc∧∧
α(λ)(x)=n
(xt 1=zt 1−n)\dc∧α(s′t 1)\dc∧α(I(s′)t 1)\dc
= α(st)∧α(I(s)t∆)∧
∧
p∈α(P )
pt 1∧
∧
p6∈α(P )
(¬pt 1)∧∧
d 6∈#(α(s′))
(¬dt 1)∧α(cct∆)∧(zt<zt 1)∧∧
α(λ)(x)=id
(xt 1=xt)∧
∧
α(λ)(x)=x′
(xt 1=x
′
t 1)∧∧
α(λ)(x)=n
(xt 1=zt 1−n)∧α(s′t 1)∧α(I(s′)t 1)
Because of (‡) and (††), and the fact that X ′=X\O, we have
α(ϕvisible(e))\dc = ϕvisible(e′)\dc
146 APPENDIX A. PROOFS
Equivalently, we can show for an invisible transition e=(s, ∅, true, cc, λ, s′) and
its counterpart e′=(α(s), ∅, true, α(cc), α(λ), α(s′)) that
α(ϕinvisible(e)\dc = ϕinvisible(e′)\dc
Since there is a one-to-one relation between transitions in E and E ′, and by
definition of ∨, we finally have
α(ϕtrans(T))\dc = ϕtrans(T′)\dc
3. Mutual exclusion of locations ϕlocation: because \dc does not change ϕmutex(T′)
or α(ϕmutex(T)), equivalently to the case for TA above, we have
α(ϕlocation(T))\dc = ϕlocation(T′)\dc
4. Data consistency constraints ϕmutex: trivially,
α(ϕmutex(T)))\dc = true = ϕmutex(T′)\dc
From the four cases above, we get
α(ϕ(T))\dc = ϕ(T′)\dc
With a similar argumentation, we get
α(ϕ(T)k)\dc=ϕ(T′)k\dc
Thus, the TCA T′ satisfies the conditions (xxi), and we have shown that MO
preserves the formula representation and k-unfolding of TCA, up to data constraints.
Proposition A.2.8 (Commuting Subdiagram). The subdiagram (ii) of Fig-
ure A.2 is a partially commuting diagram.7
Proof. This follows directly from Proposition A.2.7.
We now have all the results to give the proof of Theorem 4.1.8.
Proof of Theorem 4.1.8. For the abstraction by omission to be correct, every
finite run in the original system S has to be reproducible in the abstract system S˜.
We show this by defining a homomorphism hR between original and abstract sets of
runs RunS,k and RunS˜,k, such that Figure A.2 commutes.
7Here, “partially commuting” means that every model σ∈V(ϕ(T)k) is also a model of V(ϕ(T˜)k),
but not necessarily vice versa.
A.2. CORRECTNESS OF ABSTRACTION 147
Let S be a real-time system, with formula representation ϕ(T) and k-unfolding
ϕ(S)k, let V(ϕ(S)k) be the set of models of ϕ(S)k, let RunS,k be the set of finite
runs of length k of S.
Let α be an abstraction function, with γ and O as in Definition 4.1.5, let S˜ be
the abstract system that results from applying α to the formula representation ϕ(S)
and the k-unfolding ϕ(S)k, that means ϕ(S˜)=α(ϕ(S)) and ϕ(S˜)k=α(ϕ(S)k), cf.
Proposition A.2.7, let V(ϕ(S˜)k) be the set of models of ϕ(S˜)k, and RunS˜,k the set of
finite runs of length k of S˜. Let ξ:V(ϕ(S)k)→V(ϕ(S˜)k) be a mapping assigning to
each interpretation σ∈V(ϕ(S)k) the interpretation σ˜∈V(ϕ(S˜)k), which is obtained
from restricting σ to the variables in ϕ(S˜)k.
8
We define a homomorphism hR (cf. Definition A.2.2) as
hR:RunS,k→RunS˜,k
hR(r) =↓σr(ξ(↓rσ(r)))
(cf. Lemmas A.1.4 and A.1.7). That means, a run rσ˜ ∈RunS˜,k is obtained from
a run r∈RunS,k by mapping r to the derived interpretation ↓rσ (r)=σr∈V(ϕ(S)k)
(Definition A.1.6), reducing it to the interpretation ξ(↓rσ(r))=σ˜∈V(ϕ(S˜)k) over the
variables in ϕ(S˜)k, and mapping it to the derived run ↓σr (ξ(↓rσ (r)))=rσ˜ ∈RunS˜,k
(Definition A.1.2).
We define γS:S→S˜, with γS(s)=s˜ iff γ(s)=s˜,9, γΣ:Σ→Σ˜, with γΣ(a)=a˜ iff γ(a)=a˜,
γP :p→p˜, with γP (p)=p˜ iff γ(p)=p˜, and γD:d→d˜, with γD(d)=d˜ iff γ(d)=d˜. With this,
hR is a homomorphism as defined in Definition A.2.2. Together with the results
of Proposition A.2.3, Proposition A.2.7, and Proposition A.2.8, Figure A.2 is a
commuting diagram, that means every run of the original system S is reproducible
in the abstract system S˜, and therefore the abstraction by omission is correct.
8σ˜ is well-defined, as by definition of α: Vars(α(ϕ(S)k))⊆Vars(ϕ(T)k), cf. Proposition A.2.7.
9Remember that we lifted α to constituents of TCA, cf. Remark A.2.6.

Abstract
The increasing size of present-day embedded software systems makes verification of
these systems an increasingly difficult task. Even more, not only the size of systems
increases, but to faithfully model and analyse real-life applications, an increasing
number of features and formalisms need to be developed and supported. The two
most important features demanded from embedded software systems are that they
need to involve handling of dense real-time, and that they can be developed in a
modular, component-based way. The last point amounts to specifying the system by
a set of components (implementing the behaviour), together with a set of component
connectors (implementing the coordination patterns for inter-component communi-
cation protocols).
To ensure that the behaviour of the final system is correct (that means, behaves
as expected) and safe (that means, nothing bad can ever happen), it needs to be
verified before it is being put into operation. To this end, two things are needed:
first, formal models that are powerful enough to faithfully describe all aspects of the
system, and in particular support handling of dense real-time as well as constructs to
combine components and connectors. Second, formal methods to analyse the formal
model of the system and verify that it satisfies certain properties, in particular
including correctness of the coordination pattern.
In this thesis, we propose both formal models and formal methods to model and
analyse component-based real-time systems and their coordination patterns. We
present three formal models of real-time systems: Timed Automata, Timed Con-
straint Automata, and Timed Network Automata, which have different modelling
power with respect to communication, communication primitives, and expressible
constraints on the communication. We then present a translation for each of these
formal models into a representation in propositional logic with linear arithmetic,
which allows to use well-established SAT and SMT solver tools to analyse real-time
properties of the underlying system. We give a correctness proof for the represen-
tation, which shows that results established for the representation carry over to the
respective formal model.
We then present an abstraction technique that works on the representation, and
reduces the size of the system by removing parts that are considered irrelevant
to the verification of a particular property. This allows to further increase the
manageable system size. We prove the abstract system to be an over-approximation
149
150 ABSTRACT
of the original system, such that infeasibility of some erroneous behaviour (up to a
certain execution bound) in the abstract system entails infeasibility of the erroneous
behaviour (up to a certain execution bound) in the original system. Finally, we
prove the applicability and usability of our framework with a tool implementation,
that supports the design and analysis process of component-based real-time systems.
Samenvatting
De toenemende omvang van huidige ingebedde software systemen maakt de ver-
ificatie van deze systemen een steeds moeilijker opgave. Sterker nog, niet alleen
de omvang van de systemen neemt toe, maar om toepassingen uit de praktijk zo
waarheidsgetrouw mogelijk te modelleren en te analyseren moeten ook een toene-
mend aantal nieuwe mechanismen en formalismen ontworpen en ondersteund wor-
den. De twee belangrijkste functies van ingebedde software systemen zijn dat ze in
real-time moeten kunnen reageren op invoer uit de omgeving, en dat ze in een mod-
ulair, op componenten gebaseerde manier ontwikkeld kunnen worden. Het laatste
komt neer op het specificeren van het systeem door middel van afzonderlijke compo-
nenten (elk waarvan een bepaald aspect van het gedrag implementeert), samen met
zogeheten connectoren die de coo¨rdinatiepatronen voor de communicatie tussen de
componenten implementeren.
Om ervoor te zorgen dat het gedrag van het uiteindelijke systeem correct is
(dat betekent, zich gedraagt zoals verwacht) en veilig (dat betekent, dat er geen
fouten optreden), moet het systeem gecontroleerd worden voordat het in werking
kan worden gesteld. Hiervoor zijn twee dingen nodig: ten eerste, formele modellen
die expressief genoeg zijn om alle aspecten van het systeem zo waarheidsgetrouw
mogelijk te beschrijven, en die in het bijzonder zowel real-time mechanismen bevat-
ten als constructies om componenten en connectoren te combineren. Ten tweede,
formele methoden om het formele model van het systeem te analyseren en te con-
troleren of deze voldoet aan bepaalde eigenschappen, zoals met name juistheid van
de coo¨rdinatiepatronen.
In dit proefschrift introduceren wij verschillende technieken met verschillende
uitdrukkingsmogelijkheden voor het modelleren en analyseren van de coo¨rdinatiepa-
tronen van op componenten gebaseerde real-time systemen. We presenteren de vol-
gende drie operationele modellen van real-time systemen: Timed Automata, Timed
Constraint Automata, en Timed Network Automata. Vervolgens geven we een ver-
taling voor elk van deze formele modellen naar een representatie in propositielogica
met lineaire wiskunde, die het mogelijk maakt om beproefde op logica gebaseerde
technieken, zogeheten SAT en SMT solvers, te gebruiken voor de analyse van de
real-time eigenschappen van de betreffende operationele modellen. We geven een
bewijs van juistheid voor de logische representatie, waaruit blijkt dat de resultaten
verkregen door middel van deze technieken eveneens gelden voor de verschillende
151
152 SAMENVATTING
operationele modellen.
Vervolgens presenteren wij een techniek voor verdere abstractie van de logische
representatie die ons in staat stelt de omvang en complexiteit van deze te vermin-
deren, door het verwijderen van die onderdelen die worden beschouwd als niet rele-
vant voor de verificatie van een bepaalde eigenschap. We bewijzen dat deze techniek
inderdaad leidt tot een over-abstractie die ons in staat stelt te concluderen dat een
fout die in het abstracte systeem niet kan optreden ook in het oorspronkelijke system
niet kan optreden. Tenslotte betogen we de toepasbaarheid en bruikbaarheid van
onze theorie met een implementatie die het ontwerp en de analyse van op compo-
nenten gebaseerde real-time systemen ondersteunt.
Curriculum Vitae
1979 Born on 20 July in Bremerhaven, Germany
1992-1999 High School (Gymnasium), Nordenham, Germany
1999-2006 Diplom (equivalent to master’s degree) in Computer Science, Carl-von-
Ossietzky Universita¨t, Oldenburg, Germany
Major in Theoretical Computer Science
Thesis title: SAT-based Verification for Abstraction Refinement
2006-2011 PhD student at Centrum Wiskunde & Informatica (CWI), Amsterdam,
The Netherlands, supervised by Prof. Dr. Frank S. de Boer
2011- Scientific Staff Member, Carl-von-Ossietzky Universita¨t Oldenburg, Germany
153

Index
V(·) (set of all models), 58
ν (valuation), 9
ν|X (restriction to clock set), 9
tact (actual arrival time), 109
topt (optimal arrival time), 109
Time (time domain), 7
•α (domain of the abstraction), 71
Atoms(·) (set of atoms), 57
A (timed automaton), 12
N (timed network automaton), 30
T (timed constraint automaton), 20
Conts(·) (set of atoms and variables),
57
⊕ (function overriding), 82
n⊥ (representation of ⊥), 45
⊥ (no data), 10
•α|. (candidate set for refinement), 83
dc|Q (reduced data constraint), 36
D|dc (data variables used in dc), 10
P|dc (ports used in dc), 10
Vars(·) (set of variables), 57
\dc (removal of data constraint liter-
als), 140
ABP, see alternating bit protocol
abstraction, 67
by merging omission, 68
domain, 71
abstraction by merging omission, 68
abstraction refinement, 67, 68
action transition, 33
active port, 10
alternating bit protocol, 104
anchored jitter, 109
associated labelled transition system,
13
BDD, see binary decision diagram
binary decision diagram, 57
BMC, see bounded model checking
bounded model checking, 3, 43, 57
completeness, 59
CASM, see constraint automata with
state memory
CEGAR, see counterexample-guided ab-
straction refinement
clause, 61
clock, 8
timeshift, 9
update, 9
valuation, 9
clock constraint, 8
convex, 9, 69
diagonal, 18
inter-step, 49
CNF (conjunctive normal form), 61
colouring, 29
colours, 29
completeness of bounded model check-
ing, 59
completeness threshold, 59
concretisation, 74
configuration
timed automaton, 13
timed constraint automaton, 22
timed network automaton, 32
155
156 INDEX
conjunctive normal form, 61
conservative approximation, 67
constraint automata with state mem-
ory, 41
convexity, 9, 69
counterexample
concretisation, 74
spurious, 3
counterexample guided abstraction re-
finement, 81
craig interpolant, see interpolant
data assignment, 10
restriction, 10
data constraint, 10
reduced, 36
data content variable, 46
data domain, 10
data fullness variable, 46
delayed action transition, 33
derived interpretation, 132
derived run, 128
diagonal clock constraint, 18
diameter, 59
domain of the abstraction, 71
EA, see extensible automata framework
Eclipse, 88
ECT (Extensible Coordination Tools),
88
environmental constraints, 28
extensible automata framework, 88
extension (in ECT), 90
false negative, 67
false positive, 67
flip rule, 35
formula representation, 44
n⊥, 45
clock constraints, 44, 62
clocks, 44, 62
data constraints, 46
data values, 45
data variables, 46
events/ports, 46
internal port, 56
localisation, 44
locations, 45, 63
soundness, 129
timed automaton, 47
timed automaton product, 48
timed constraint automaton, 49
timed constraint automaton prod-
uct, 52
timed network automaton, 53
timed network automaton compo-
sition, 56
hiding
on timed constraint automata, 26
inactive port, 10
inconsistent formulas, 75
inter-step clock constraint, 49
internal port, 33
interpolant, 76
prefix, 76
suffix, 76
interpretation, 57
jitter, 109
anchored, 109
non-anchored, 109
joint broadcast synchronisation, 15
k-step reachability, 59
k-unfolding, 58
labelled transition system, 13
lip-synchronisation protocol, 108
literal, 61
localisation, 44
loop-free run, 60
LSP, see lip-synchronisation protocol
LTS, see labelled transition system
memory cell, 19
MO, see abstraction by merging omis-
sion
model, 58
model checking, 43
modularity, 2
negation normal form (NNF), 68
NNF, see negation normal form
non-anchored jitter, 109
INDEX 157
operator precedence, 8
over-approximation, 67
plugin (in ECT), 90
port, 10
active, 10
in TCA, 19
in TNA, 29
inactive, 10
internal, 33
port activity variable, 46, 53
port colour variable, 53
port data variable, 46, 53
predicate abstraction, 67
prefix (interpolant), 76
QIA, see quantitative intentional au-
tomata
quantitative intentional automata, 88
reachability, 59
recurrence diameter, 60
reduced data constraint, 36
refinement, 68, 81
Reo, 125
conversion from, 88
conversion to, 88
run
loop-free, 13, 22, 32, 60
timed automaton, 13
timed constraint automaton, 22
timed network automaton, 32
witness, 75
SAT solving, 43, 61
satisfiability modulo theory, 43
satisfiable, 58
scalability, 2
skew, 109
SMC, see symbolic model checking
SMT, see satisfiability modulo theory
spurious counterexample, 3, 67, 74
suffix (interpolant), 76
symbolic model checking, 57
synchronisation
binary, 17
joint broadcast, 15
timed automaton, 15
TA, see timed automaton
TCA, see timed constraint automaton
time, 7
continuous, 7
discrete, 7
time domain, 7
timed automaton, 2, 11, 12
configuration, 13
external transition, 12
internal transition, 12
run, 13
synchronisation, 15
trace semantics, 14
timed constraint automaton, 2, 18, 20
configuration, 22
formula representation, 49
hiding, 26
invisible transition, 20
run, 22
trace semantics, 23
visible transition, 20
timed network automaton, 2, 29
action transition, 33
configuration, 32
delayed action transition, 33
run, 32
timeshift, 9
TNA, see timed network automaton,
30
trace semantics
timed automaton, 14
timed constraint automaton, 23
under-approximation, 67
unfolding depth, 58
update, 9
update map, 9
valuation, 9
restriction, 9
witness run, 75

Bibliography
[ABdBR04] Farhad Arbab, Christel Baier, Frank S. de Boer, and J.J.M.M. Rutten.
Models and temporal logics for timed component connectors. In SEFM,
pages 198–207. IEEE Computer Society, 2004. 41
[ABdBR07] Farhad Arbab, Christel Baier, Frank S. de Boer, and J.J.M.M. Rutten.
Models and temporal logical specifications for timed component con-
nectors. Software and System Modeling, 6(1):59–82, 2007. 3, 4, 18, 27,
41, 65, 104, 123, 125
[ABRS04] Farhad Arbab, Christel Baier, J.J.M.M. Rutten, and M. Sirjani. Mod-
eling component connectors in Reo by constraint automata (extended
abstract). Electr. Notes Theor. Comput. Sci., 97:25–46, 2004. 4, 18, 27,
88
[ABSS96] Ahmet F. Ates, Murat Bilgic, Senro Saito, and Behc¸et Sarikaya. Using
timed csp for specification verification and simulation of multimedia
synchronization. IEEE Journal on Selected Areas in Communications,
14(1):126–137, 1996. 108
[ACKS02] G. Audemard, A. Cimatti, A. Kornilowicz, and R. Sebastiani. Bounded
model checking for timed systems. In D. Peled and M.Y. Vardi, editors,
FORTE, volume 2529 of LNCS, pages 243–259. Springer, November
2002. 43, 59, 62
[AD94] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical
Computer Science, 126(2):183–235, 1994. 3, 4, 7, 8, 11, 12, 16, 18, 41,
123
[Alu99] Rajeev Alur. Timed automata. In N. Halbwachs and D. Peled, editors,
CAV, volume 1633 of LNCS, pages 8–22. Springer, 1999. 3, 4, 9, 14, 15,
16, 18, 41, 123
[AM04] Rajeev Alur and P. Madhusudan. Decision problems for timed au-
tomata: A survey. In Bernardo and Corradini [BC04], pages 1–24. 9,
12, 17, 18
159
160 BIBLIOGRAPHY
[AMM+09] Farhad Arbab, Sun Meng, Young-Joo Moon, Marta Z. Kwiatkowska,
and Hongyang Qu. Reo2mc: a tool chain for performance analysis of
coordination models. In Hans van Vliet and Vale´rie Issarny, editors,
ESEC/SIGSOFT FSE, pages 287–288. ACM, 2009. 88
[ANT] Antlr parser generator. release 3.3.
http://www.antlr.org. 92, 97
[Arb98] Farhad Arbab. What do you mean, coordination? In Bulletin of the
Dutch Association for Theoretical Computer Science (NVTI, pages 11–
22, 1998. 2
[Arb04] Farhad Arbab. Reo: a channel-based coordination model for component
composition. Mathematical. Structures in Comp. Sci., 14(3):329–366,
2004. 18, 34, 88
[BBBC94] Howard Bowman, Lynne Blair, Gordon S. Blair, and Amanda G.
Chetwynd. A formal description technique supporting expression of
quality of service and media synchronisation. In David Hutchison,
Andre´ A. S. Danthine, Helmut Leopold, and Geoff Coulson, editors,
COST 237 Workshop, volume 882 of Lecture Notes in Computer Sci-
ence, pages 145–167. Springer, 1994. 108
[BBBC97] G.S. Blair, L. Blair, H. Bowman, and A. Chetwynd. Formal Specifi-
cation of Distributed Multimedia Systems. University College London
Press, September 1997. 108
[BBKK09] Christel Baier, Tobias Blechmann, Joachim Klein, and Sascha
Klu¨ppelholz. A uniform framework for modeling and verifying com-
ponents and connectors. In J. Field and V.T. Vasconcelos, editors, CO-
ORDINATION, volume 5521 of LNCS, pages 247–267. Springer, 2009.
125
[BC04] Marco Bernardo and Flavio Corradini, editors. Formal Methods for the
Design of Real-Time Systems, International School on Formal Methods
for the Design of Computer, Communication and Software Systems,
SFM-RT 2004, Bertinoro, Italy, September 13-18, 2004, Revised Lec-
tures, volume 3185 of Lecture Notes in Computer Science. Springer,
2004. 159, 161
[BCC+03] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, Ofer Strichman,
and Yunshan Zhu. Bounded model checking. Advances in Computers,
58:118–149, 2003. 3, 43, 57
[BCCZ99] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, and Yunshan
Zhu. Symbolic Model Checking without BDDs. In R. Cleaveland, editor,
TACAS, volume 1579 of LNCS, pages 193–207, London, UK, 1999.
Springer. 43, 57, 60
BIBLIOGRAPHY 161
[BDL04] Gerd Behrmann, Alexandre David, and Kim Guldstrand Larsen. A
tutorial on uppaal. In Bernardo and Corradini [BC04], pages 200–236.
18
[Bea03] Danie`le Beauquier. On probabilistic timed automata. Theor. Comput.
Sci., 292(1):65–84, 2003. 16
[BFK+98] Howard Bowman, Giorgio P. Faconti, Joost-Pieter Katoen, Diego
Latella, and Mieke Massink. Automatic verification of a lip-
synchronisation protocol using uppaal. Formal Asp. Comput., 10(5-
6):550–575, 1998. 108, 109, 110, 116, 120, 121
[Bie09] Armin Biere. Bounded model checking. In Armin Biere, Marijn Heule,
Hans van Maaren, and Toby Walsh, editors, Handbook of Satisfiability,
volume 185 of Frontiers in Artificial Intelligence and Applications, pages
457–481. IOS Press, 2009. 57
[BK08] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking.
The MIT Press, 2008. 12, 13, 43
[BPM] BPMN Eclipse plugin. http://www.eclipse.org/bpmn/. 88
[Bry86] Randal E. Bryant. Graph-based algorithms for boolean function ma-
nipulation. IEEE Trans. Computers, 35(8):677–691, 1986. 57
[BS00] Se´bastien Bornot and Joseph Sifakis. An algebraic framework for ur-
gency. Inf. Comput., 163(1):172–202, 2000. 16
[BSAR06] Christel Baier, M. Sirjani, Farhad Arbab, and J.J.M.M. Rutten. Mod-
eling component connectors in Reo by constraint automata. Science of
Computer Programming, 61(2):75–113, 2006. 34
[BZM08] Dirk Beyer, Damien Zufferey, and Rupak Majumdar. Csisat: Interpola-
tion for la+euf. In Aarti Gupta and Sharad Malik, editors, CAV, volume
5123 of Lecture Notes in Computer Science, pages 304–308. Springer,
2008. 77
[CBRZ01] E.M. Clarke, A. Biere, R. Raimi, and Y. Zhu. Bounded model checking
using satisfiability solving. Formal Methods in System Design, 19(1):7–
34, 2001. 3, 43, 57
[CC77] Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified
lattice model for static analysis of programs by construction or approx-
imation of fixpoints. In POPL, pages 238–252, 1977. 126
[CC92] Patrick Cousot and Radhia Cousot. Abstract interpretation frame-
works. J. Log. Comput., 2(4):511–547, 1992. 126
[CCA07] Dave Clarke, David Costa, and Farhad Arbab. Connector colouring
I: Synchronisation and context dependency. Sci. Comput. Program.,
66(3):205–225, 2007. 4, 28, 29, 34, 35
162 BIBLIOGRAPHY
[CCK+02] Pankaj Chauhan, Edmund M. Clarke, James H. Kukula, Samir Sapra,
Helmut Veith, and Dong Wang. Automated Abstraction Refinement for
Model Checking Large State Spaces Using SAT Based Conflict Analysis.
In Mark Aagaard and John W. O’Leary, editors, FMCAD, volume 2517
of Lecture Notes in Computer Science, pages 33–51. Springer, 2002. 84,
126
[CGJ+03] E.M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith.
Counterexample-guided abstraction refinement for symbolic model
checking. Journal of the ACM, 50(5):752–794, 2003. 3, 67, 68, 72,
81, 84
[CGKS02] Edmund M. Clarke, Anubhav Gupta, James H. Kukula, and Ofer
Strichman. SAT Based Abstraction-Refinement Using ILP and Machine
Learning Techniques. In Ed Brinksma and Kim Guldstrand Larsen, ed-
itors, CAV, volume 2404 of Lecture Notes in Computer Science, pages
265–279. Springer, 2002. 126
[CGP99] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model check-
ing. MIT Press, Cambridge, MA, USA, 1999. 43, 68
[CKA10] Behnaz Changizi, Natallia Kokash, and Farhad Arbab. A unified toolset
for business process model formalization. Tool Paper, 2010. 7th In-
ternational Workshop on Formal Engineering approaches to Software
Components and Architectures (FESCA). 88
[Cos10] David Costa. Formal Models for Component Connectors. PhD thesis,
Vrije Universiteit Amsterdam, 2010. 28
[CPLA09] Dave Clarke, Jose´ Proenc¸a, Alexander Lazovik, and Farhad Arbab.
Deconstructing reo. Electr. Notes Theor. Comput. Sci., 229(2):43–58,
2009. 34
[Cra57] William Craig. Three uses of the Herbrand-Gentzen theorem in relating
model theory and proof theory. Journal of Symbolic Logic, 22(3):269–
285, 1957. 3, 5, 68, 75, 76
[csi] CSIsat: A Tool for LA+EUF Interpolation.
http://www.sosy-lab.org/~dbeyer/CSIsat/. 77, 83
[Ecl] Eclipse platform. http://www.eclipse.org. 88, 124
[ECT] Extensible Coordination Tools. http://reo.project.cwi.nl/. 6, 88,
124
[EKS06] Javier Esparza, Stefan Kiefer, and Stefan Schwoon. Abstraction re-
finement with craig interpolation and symbolic pushdown systems. In
Holger Hermanns and Jens Palsberg, editors, TACAS, volume 3920 of
Lecture Notes in Computer Science, pages 489–503. Springer, 2006. 125
BIBLIOGRAPHY 163
[FKPY07] Elena Fersman, Pavel Krca´l, Paul Pettersson, and Wang Yi. Task au-
tomata: Schedulability, decidability and undecidability. Inf. Comput.,
205(8):1149–1172, 2007. 16
[FOC] FOCI: an interpolating prover.
http://www.kenmcmil.com/foci.html. 43, 77, 83
[Fok00] Wan Fokkink. Introduction to Process Algebra. Springer-Verlag New
York, Inc., Secaucus, NJ, USA, 2000. 104, 120
[GJSB05] James Gosling, Bill Joy, Guy L. Steele, and Gilad Bracha. The
Java Language Specification. The Java Series. Addison-Wesley, Mas-
sachusetts, third edition, 2005. 88
[GN07] Eugene Goldberg and Yakov Novikov. BerkMin: A fast and robust
sat-solver. Discrete Applied Mathematics, 155(12):1549–1561, 2007. 62
[GS97] Susanne Graf and Hassen Sa¨ıdi. Construction of abstract state graphs
with pvs. In Orna Grumberg, editor, CAV, volume 1254 of Lecture
Notes in Computer Science, pages 72–83. Springer, 1997. 67
[GS05] Gregor Go¨ßler and Joseph Sifakis. Composition for component-based
modeling. Sci. Comput. Program., 55(1-3):161–183, 2005. 16
[Ha¨h93] R. Ha¨hnle. Short CNF in finitely-valued logics. In H.J. Komorowski and
Z.W. Ras, editors, ISMIS, volume 689 of LNCS, pages 49–58. Springer,
1993. 62
[HJMM04] T.A. Henzinger, R. Jhala, R. Majumdar, and Kenneth L. McMillan.
Abstractions from proofs. In N.D. Jones and X. Leroy, editors, POPL,
pages 232–244. ACM, 2004. 3, 67
[Kem09] Stephanie Kemper. SAT-based verification for timed component con-
nectors. Electr. Notes Theor. Comput. Sci., 255:103–118, 2009. 65, 85,
163
[Kem10] Stephanie Kemper. Compositional construction of real-time dataflow
networks. In Dave Clarke and Gul A. Agha, editors, COORDINA-
TION, volume 6116 of Lecture Notes in Computer Science, pages 92–
106. Springer, 2010. 3, 4, 5, 28, 40, 41, 65, 123
[Kem11] Stephanie Kemper. SAT-based Verification for Timed Component Con-
nectors. Science of Computer Programming, 2011. This is an extended
version [Kem09]. 3, 4, 5, 6, 18, 19, 27, 65, 68, 85, 87, 123
[KKdV10] Natallia Kokash, Christian Krause, and Erik P. de Vink. Data-aware
design and verification of service compositions with reo and mcrl2.
In Sung Y. Shin, Sascha Ossowski, Michael Schumacher, Mathew J.
Palakal, and Chih-Cheng Hung, editors, SAC, pages 2406–2413. ACM,
2010. 88
164 BIBLIOGRAPHY
[KLP10] Piotr Kordy, Rom Langerak, and Jan Willem Polderman. Re-
verification of a lip synchronization protocol using robust reachability.
CoRR, abs/1003.0431, 2010. 108
[KLSV03a] Dilsun Kirli Kaynar, Nancy A. Lynch, Roberto Segala, and Frits W.
Vaandrager. The theory of timed I/O automata. Technical Report
MIT-LCS-TR-917, MIT Laboratory for Computer Science, 2003. 19
[KLSV03b] Dilsun Kirli Kaynar, Nancy A. Lynch, Roberto Segala, and Frits W.
Vaandrager. Timed I/O automata: A mathematical framework for
modeling and analyzing real-time systems. In RTSS, pages 166–177.
IEEE Computer Society, 2003. 19
[KNSS02] Marta Z. Kwiatkowska, Gethin Norman, Roberto Segala, and Jeremy
Sproston. Automatic verification of real-time systems with discrete
probability distributions. Theor. Comput. Sci., 282(1):101–150, 2002.
16
[KP07] Stephanie Kemper and A. Platzer. SAT-based abstraction refinement
for real-time systems. Electr. Notes Theor. Comput. Sci., 182:107–122,
2007. 5, 12, 65, 68, 85
[Kra11] Christian Krause. Reconfigurable Component Connectors. PhD thesis,
Leiden Institute of Advanced Computer Science (LIACS), 2011. 88, 90,
95
[LM87] Kim Guldstrand Larsen and Robin Milner. Verifying a protocol using
relativized bisimulation. In Thomas Ottmann, editor, ICALP, volume
267 of Lecture Notes in Computer Science, pages 126–135. Springer,
1987. 104
[MA03] Kenneth L. McMillan and Nina Amla. Automatic abstraction with-
out counterexamples. In Hubert Garavel and John Hatcliff, editors,
TACAS, volume 2619 of Lecture Notes in Computer Science, pages 2–
17. Springer, 2003. 126
[mat] The MathSAT 4 SMT solver. http://mathsat4.disi.unitn.it. 43,
77, 83, 93, 102
[McM93] Kenneth L. McMillan. Symbolic Model Checking. PhD thesis, Carnegie
Mellon University, Pittsburgh, USA, Norwell, MA, USA, 1993. 57
[McM03] Kenneth L. McMillan. Interpolation and SAT-based model checking.
In Warren A. Hunt and Fabio Somenzi, editors, CAV, volume 2725 of
LNCS, pages 1–13. Springer, 2003. 75, 76
[McM04] Kenneth L. McMillan. An interpolating theorem prover. In K. Jensen
and A. Podelski, editors, TACAS, volume 2988 of LNCS, pages 16–30.
Springer, 2004. 76
BIBLIOGRAPHY 165
[McM05a] Kenneth L. McMillan. Applications of craig interpolants in model
checking. In Nicolas Halbwachs and Lenore D. Zuck, editors, TACAS,
volume 3440 of Lecture Notes in Computer Science, pages 1–12.
Springer, 2005. 76
[McM05b] Kenneth L. McMillan. An interpolating theorem prover. Theor. Com-
put. Sci., 345(1):101–121, 2005. 75, 76
[Mil82] Robin Milner. A Calculus of Communicating Systems. Springer-Verlag,
1982. 120
[Mil89] R. Milner. Communication and concurrency. Prentice-Hall, Inc., Upper
Saddle River, NJ, USA, 1989. 104, 105, 120
[MLWZ01] Huadong Ma, Liang Li, Jianzhong Wang, and Naijun Zhan. Automatic
synthesis of the dc specifications of lip synchronisation protocol. In
APSEC, pages 371–. IEEE Computer Society, 2001. 108
[MMZ+01] M.W. Moskewicz, C.F. Madigan, Y. Zhao, L. Zhang, and S. Malik.
Chaff: Engineering an efficient SAT solver. In DAC, pages 530–535.
ACM, 2001. 62
[PBG05] Mukul R. Prasad, Armin Biere, and Aarti Gupta. A survey of recent
advances in SAT-based formal verification. STTT, 7(2):156–173, 2005.
62
[PSHA09] Bahman Pourvatan, Marjan Sirjani, Hossein Hojjat, and Farhad Arbab.
Automated analysis of Reo circuits using symbolic execution. Electr.
Notes Theor. Comput. Sci., 255:137–158, 2009. 4, 19, 41
[Pud97] Pavel Pudla´k. Lower bounds for resolution and cutting plane proofs
and monotone computations. Journal of Symbolic Logic, 62(3):981–998,
1997. 76
[Reg93] Tim Regan. Multimedia in temporal LOTOS: A lip-synchronization al-
gorithm. In Andre´ A. S. Danthine, Guy Leduc, and Pierre Wolper, edi-
tors, PSTV, volume C-16 of IFIP Transactions, pages 127–142. North-
Holland, 1993. 108, 109
[SHH92] Jean-Bernard Stefani, Laurent Hazard, and Franc¸ois Horn. Com-
putational model for distributed multimedia applications based on
a synchronous programming language. Computer Communications,
15(2):114–128, 1992. 108, 109
[Tri99] Stavros Tripakis. Verifying progress in timed systems. In Joost-Pieter
Katoen, editor, ARTS, volume 1601 of Lecture Notes in Computer Sci-
ence, pages 299–314. Springer, 1999. 14
[upp] Uppaal: modeling, simulation and verification of real-time system.
http://www.uppaal.com/. 43, 120
Titles in the IPA Dissertation Series since 2005
E. A´braha´m. An Assertional Proof
System for Multithreaded Java -Theory
and Tool Support- . Faculty of
Mathematics and Natural Sciences,
UL. 2005-01
R. Ruimerman. Modeling and Re-
modeling in Bone Tissue. Faculty of
Biomedical Engineering, TU/e. 2005-02
C.N. Chong. Experiments in Rights
Control - Expression and Enforce-
ment. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2005-03
H. Gao. Design and Verification of
Lock-free Parallel Algorithms. Faculty
of Mathematics and Computing Sci-
ences, RUG. 2005-04
H.M.A. van Beek. Specification and
Analysis of Internet Applications. Fac-
ulty of Mathematics and Computer Sci-
ence, TU/e. 2005-05
M.T. Ionita. Scenario-Based Sys-
tem Architecting - A Systematic Ap-
proach to Developing Future-Proof Sys-
tem Architectures. Faculty of Math-
ematics and Computing Sciences,
TU/e. 2005-06
G. Lenzini. Integration of Analy-
sis Techniques in Security and Fault-
Tolerance. Faculty of Electrical Engi-
neering, Mathematics & Computer Sci-
ence, UT. 2005-07
I. Kurtev. Adaptability of Model
Transformations. Faculty of Electrical
Engineering, Mathematics & Computer
Science, UT. 2005-08
T. Wolle. Computational Aspects of
Treewidth - Lower Bounds and Net-
work Reliability. Faculty of Science,
UU. 2005-09
O. Tveretina. Decision Procedures
for Equality Logic with Uninterpreted
Functions. Faculty of Mathematics and
Computer Science, TU/e. 2005-10
A.M.L. Liekens. Evolution of Fi-
nite Populations in Dynamic Environ-
ments. Faculty of Biomedical Engineer-
ing, TU/e. 2005-11
J. Eggermont. Data Mining us-
ing Genetic Programming: Classifica-
tion and Symbolic Regression. Faculty
of Mathematics and Natural Sciences,
UL. 2005-12
B.J. Heeren. Top Quality Type Er-
ror Messages. Faculty of Science,
UU. 2005-13
G.F. Frehse. Compositional Verifi-
cation of Hybrid Systems using Simu-
lation Relations. Faculty of Science,
Mathematics and Computer Science,
RU. 2005-14
M.R. Mousavi. Structuring Struc-
tural Operational Semantics. Faculty
of Mathematics and Computer Science,
TU/e. 2005-15
A. Sokolova. Coalgebraic Analysis
of Probabilistic Systems. Faculty of
Mathematics and Computer Science,
TU/e. 2005-16
T. Gelsema. Effective Models for the
Structure of pi-Calculus Processes with
Replication. Faculty of Mathematics
and Natural Sciences, UL. 2005-17
P. Zoeteweij. Composing Constraint
Solvers. Faculty of Natural Sciences,
Mathematics, and Computer Science,
UvA. 2005-18
J.J. Vinju. Analysis and Transfor-
mation of Source Code by Parsing and
Rewriting. Faculty of Natural Sciences,
Mathematics, and Computer Science,
UvA. 2005-19
M.Valero Espada. Modal Abstrac-
tion and Replication of Processes with
Data. Faculty of Sciences, Division
of Mathematics and Computer Science,
VUA. 2005-20
A. Dijkstra. Stepping through Haskell.
Faculty of Science, UU. 2005-21
Y.W. Law. Key management and link-
layer security of wireless sensor net-
works: energy-efficient attack and de-
fense. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2005-22
E. Dolstra. The Purely Functional
Software Deployment Model. Faculty of
Science, UU. 2006-01
R.J. Corin. Analysis Models for Se-
curity Protocols. Faculty of Electrical
Engineering, Mathematics & Computer
Science, UT. 2006-02
P.R.A. Verbaan. The Computational
Complexity of Evolving Systems. Fac-
ulty of Science, UU. 2006-03
K.L. Man and R.R.H. Schiffel-
ers. Formal Specification and Anal-
ysis of Hybrid Systems. Faculty of
Mathematics and Computer Science
and Faculty of Mechanical Engineering,
TU/e. 2006-04
M. Kyas. Verifying OCL Specifi-
cations of UML Models: Tool Sup-
port and Compositionality. Faculty
of Mathematics and Natural Sciences,
UL. 2006-05
M. Hendriks. Model Checking Timed
Automata - Techniques and Applica-
tions. Faculty of Science, Mathematics
and Computer Science, RU. 2006-06
J. Ketema. Bo¨hm-Like Trees for
Rewriting. Faculty of Sciences,
VUA. 2006-07
C.-B. Breunesse. On JML: topics
in tool-assisted verification of JML pro-
grams. Faculty of Science, Mathematics
and Computer Science, RU. 2006-08
B. Markvoort. Towards Hybrid
Molecular Simulations. Faculty of
Biomedical Engineering, TU/e. 2006-09
S.G.R. Nijssen. Mining Structured
Data. Faculty of Mathematics and Nat-
ural Sciences, UL. 2006-10
G. Russello. Separation and Adap-
tation of Concerns in a Shared Data
Space. Faculty of Mathematics and
Computer Science, TU/e. 2006-11
L. Cheung. Reconciling Nondetermin-
istic and Probabilistic Choices. Faculty
of Science, Mathematics and Computer
Science, RU. 2006-12
B. Badban. Verification techniques for
Extensions of Equality Logic. Faculty of
Sciences, Division of Mathematics and
Computer Science, VUA. 2006-13
A.J. Mooij. Constructive formal
methods and protocol standardization.
Faculty of Mathematics and Computer
Science, TU/e. 2006-14
T. Krilavicius. Hybrid Techniques for
Hybrid Systems. Faculty of Electrical
Engineering, Mathematics & Computer
Science, UT. 2006-15
M.E. Warnier. Language Based Secu-
rity for Java and JML. Faculty of Sci-
ence, Mathematics and Computer Sci-
ence, RU. 2006-16
V. Sundramoorthy. At Home In Ser-
vice Discovery. Faculty of Electrical
Engineering, Mathematics & Computer
Science, UT. 2006-17
B. Gebremichael. Expressivity of
Timed Automata Models. Faculty of
Science, Mathematics and Computer
Science, RU. 2006-18
L.C.M. van Gool. Formalising
Interface Specifications. Faculty of
Mathematics and Computer Science,
TU/e. 2006-19
C.J.F. Cremers. Scyther - Semantics
and Verification of Security Protocols.
Faculty of Mathematics and Computer
Science, TU/e. 2006-20
J.V. Guillen Scholten. Mobile Chan-
nels for Exogenous Coordination of Dis-
tributed Systems: Semantics, Imple-
mentation and Composition. Faculty
of Mathematics and Natural Sciences,
UL. 2006-21
H.A. de Jong. Flexible Heterogeneous
Software Systems. Faculty of Natural
Sciences, Mathematics, and Computer
Science, UvA. 2007-01
N.K. Kavaldjiev. A run-time recon-
figurable Network-on-Chip for stream-
ing DSP applications. Faculty of
Electrical Engineering, Mathematics &
Computer Science, UT. 2007-02
M. van Veelen. Considerations
on Modeling for Early Detection of
Abnormalities in Locally Autonomous
Distributed Systems. Faculty of
Mathematics and Computing Sciences,
RUG. 2007-03
T.D. Vu. Semantics and Applications
of Process and Program Algebra. Fac-
ulty of Natural Sciences, Mathematics,
and Computer Science, UvA. 2007-04
L. Branda´n Briones. Theories for
Model-based Testing: Real-time and
Coverage. Faculty of Electrical Engi-
neering, Mathematics & Computer Sci-
ence, UT. 2007-05
I. Loeb. Natural Deduction: Shar-
ing by Presentation. Faculty of Sci-
ence, Mathematics and Computer Sci-
ence, RU. 2007-06
M.W.A. Streppel. Multifunctional
Geometric Data Structures. Faculty
of Mathematics and Computer Science,
TU/e. 2007-07
N. Trcˇka. Silent Steps in Transition
Systems and Markov Chains. Faculty
of Mathematics and Computer Science,
TU/e. 2007-08
R. Brinkman. Searching in encrypted
data. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2007-09
A. van Weelden. Putting types
to good use. Faculty of Science,
Mathematics and Computer Science,
RU. 2007-10
J.A.R. Noppen. Imperfect Infor-
mation in Software Development Pro-
cesses. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2007-11
R. Boumen. Integration and Test
plans for Complex Manufacturing Sys-
tems. Faculty of Mechanical Engineer-
ing, TU/e. 2007-12
A.J. Wijs. What to do Next?:
Analysing and Optimising System Be-
haviour in Time. Faculty of Sciences,
Division of Mathematics and Computer
Science, VUA. 2007-13
C.F.J. Lange. Assessing and Improv-
ing the Quality of Modeling: A Series of
Empirical Studies about the UML. Fac-
ulty of Mathematics and Computer Sci-
ence, TU/e. 2007-14
T. van der Storm. Component-
based Configuration, Integration and
Delivery. Faculty of Natural Sci-
ences, Mathematics, and Computer Sci-
ence,UvA. 2007-15
B.S. Graaf. Model-Driven Evolu-
tion of Software Architectures. Faculty
of Electrical Engineering, Mathematics,
and Computer Science, TUD. 2007-16
A.H.J. Mathijssen. Logical Calculi
for Reasoning with Binding. Faculty
of Mathematics and Computer Science,
TU/e. 2007-17
D. Jarnikov. QoS framework for
Video Streaming in Home Networks.
Faculty of Mathematics and Computer
Science, TU/e. 2007-18
M. A. Abam. New Data Structures
and Algorithms for Mobile Data. Fac-
ulty of Mathematics and Computer Sci-
ence, TU/e. 2007-19
W. Pieters. La Volonte´ Machi-
nale: Understanding the Electronic Vot-
ing Controversy. Faculty of Science,
Mathematics and Computer Science,
RU. 2008-01
A.L. de Groot. Practical Automa-
ton Proofs in PVS. Faculty of Science,
Mathematics and Computer Science,
RU. 2008-02
M. Bruntink. Renovation of Id-
iomatic Crosscutting Concerns in Em-
bedded Systems. Faculty of Electrical
Engineering, Mathematics, and Com-
puter Science, TUD. 2008-03
A.M. Marin. An Integrated System
to Manage Crosscutting Concerns in
Source Code. Faculty of Electrical En-
gineering, Mathematics, and Computer
Science, TUD. 2008-04
N.C.W.M. Braspenning. Model-
based Integration and Testing of
High-tech Multi-disciplinary Systems.
Faculty of Mechanical Engineering,
TU/e. 2008-05
M. Bravenboer. Exercises in Free
Syntax: Syntax Definition, Parsing,
and Assimilation of Language Conglom-
erates. Faculty of Science, UU. 2008-06
M. Torabi Dashti. Keeping Fair-
ness Alive: Design and Formal Verifica-
tion of Optimistic Fair Exchange Pro-
tocols. Faculty of Sciences, Division
of Mathematics and Computer Science,
VUA. 2008-07
I.S.M. de Jong. Integration and Test
Strategies for Complex Manufacturing
Machines. Faculty of Mechanical En-
gineering, TU/e. 2008-08
I. Hasuo. Tracing Anonymity with
Coalgebras. Faculty of Science,
Mathematics and Computer Science,
RU. 2008-09
L.G.W.A. Cleophas. Tree Algo-
rithms: Two Taxonomies and a Toolkit.
Faculty of Mathematics and Computer
Science, TU/e. 2008-10
I.S. Zapreev. Model Checking Markov
Chains: Techniques and Tools. Faculty
of Electrical Engineering, Mathematics
& Computer Science, UT. 2008-11
M. Farshi. A Theoretical and Exper-
imental Study of Geometric Networks.
Faculty of Mathematics and Computer
Science, TU/e. 2008-12
G. Gulesir. Evolvable Behavior Speci-
fications Using Context-Sensitive Wild-
cards. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2008-13
F.D. Garcia. Formal and Computa-
tional Cryptography: Protocols, Hashes
and Commitments. Faculty of Sci-
ence, Mathematics and Computer Sci-
ence, RU. 2008-14
P. E. A. Du¨rr. Resource-based Veri-
fication for Robust Composition of As-
pects. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2008-15
E.M. Bortnik. Formal Methods in
Support of SMC Design. Faculty of Me-
chanical Engineering, TU/e. 2008-16
R.H. Mak. Design and Perfor-
mance Analysis of Data-Independent
Stream Processing Systems. Faculty
of Mathematics and Computer Science,
TU/e. 2008-17
M. van der Horst. Scalable Block
Processing Algorithms. Faculty of
Mathematics and Computer Science,
TU/e. 2008-18
C.M. Gray. Algorithms for Fat Ob-
jects: Decompositions and Applications.
Faculty of Mathematics and Computer
Science, TU/e. 2008-19
J.R. Calame´. Testing Reactive Sys-
tems with Data - Enumerative Meth-
ods and Constraint Solving. Faculty of
Electrical Engineering, Mathematics &
Computer Science, UT. 2008-20
E. Mumford. Drawing Graphs for
Cartographic Applications. Faculty of
Mathematics and Computer Science,
TU/e. 2008-21
E.H. de Graaf. Mining Semi-
structured Data, Theoretical and Ex-
perimental Aspects of Pattern Evalua-
tion. Faculty of Mathematics and Nat-
ural Sciences, UL. 2008-22
R. Brijder. Models of Natural Compu-
tation: Gene Assembly and Membrane
Systems. Faculty of Mathematics and
Natural Sciences, UL. 2008-23
A. Koprowski. Termination of
Rewriting and Its Certification. Faculty
of Mathematics and Computer Science,
TU/e. 2008-24
U. Khadim. Process Algebras for Hy-
brid Systems: Comparison and Devel-
opment. Faculty of Mathematics and
Computer Science, TU/e. 2008-25
J. Markovski. Real and Stochas-
tic Time in Process Algebras for Per-
formance Evaluation. Faculty of
Mathematics and Computer Science,
TU/e. 2008-26
H. Kastenberg. Graph-Based Soft-
ware Specification and Verification.
Faculty of Electrical Engineering,
Mathematics & Computer Science,
UT. 2008-27
I.R. Buhan. Cryptographic Keys
from Noisy Data Theory and Applica-
tions. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2008-28
R.S. Marin-Perianu. Wireless Sen-
sor Networks in Motion: Clustering Al-
gorithms for Service Discovery and Pro-
visioning. Faculty of Electrical Engi-
neering, Mathematics & Computer Sci-
ence, UT. 2008-29
M.H.G. Verhoef. Modeling and Vali-
dating Distributed Embedded Real-Time
Control Systems. Faculty of Science,
Mathematics and Computer Science,
RU. 2009-01
M. de Mol. Reasoning about Func-
tional Programs: Sparkle, a proof as-
sistant for Clean. Faculty of Science,
Mathematics and Computer Science,
RU. 2009-02
M. Lormans. Managing Requirements
Evolution. Faculty of Electrical Engi-
neering, Mathematics, and Computer
Science, TUD. 2009-03
M.P.W.J. van Osch. Automated
Model-based Testing of Hybrid Systems.
Faculty of Mathematics and Computer
Science, TU/e. 2009-04
H. Sozer. Architecting Fault-Tolerant
Software Systems. Faculty of Electrical
Engineering, Mathematics & Computer
Science, UT. 2009-05
M.J. van Weerdenburg. Effi-
cient Rewriting Techniques. Faculty
of Mathematics and Computer Science,
TU/e. 2009-06
H.H. Hansen. Coalgebraic Modelling:
Applications in Automata Theory and
Modal Logic. Faculty of Sciences, Divi-
sion of Mathematics and Computer Sci-
ence, VUA. 2009-07
A. Mesbah. Analysis and Testing
of Ajax-based Single-page Web Applica-
tions. Faculty of Electrical Engineer-
ing, Mathematics, and Computer Sci-
ence, TUD. 2009-08
A.L. Rodriguez Yakushev. Towards
Getting Generic Programming Ready
for Prime Time. Faculty of Science,
UU. 2009-9
K.R. Olmos Joffre´. Strategies for
Context Sensitive Program Transforma-
tion. Faculty of Science, UU. 2009-10
J.A.G.M. van den Berg. Reason-
ing about Java programs in PVS using
JML. Faculty of Science, Mathematics
and Computer Science, RU. 2009-11
M.G. Khatib. MEMS-Based Stor-
age Devices. Integration in Energy-
Constrained Mobile Systems. Faculty of
Electrical Engineering, Mathematics &
Computer Science, UT. 2009-12
S.G.M. Cornelissen. Evaluating Dy-
namic Analysis Techniques for Program
Comprehension. Faculty of Electrical
Engineering, Mathematics, and Com-
puter Science, TUD. 2009-13
D. Bolzoni. Revisiting Anomaly-
based Network Intrusion Detection Sys-
tems. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2009-14
H.L. Jonker. Security Matters: Pri-
vacy in Voting and Fairness in Digital
Exchange. Faculty of Mathematics and
Computer Science, TU/e. 2009-15
M.R. Czenko. TuLiP - Reshaping
Trust Management. Faculty of Electri-
cal Engineering, Mathematics & Com-
puter Science, UT. 2009-16
T. Chen. Clocks, Dice and Pro-
cesses. Faculty of Sciences, Division
of Mathematics and Computer Science,
VUA. 2009-17
C. Kaliszyk. Correctness and Avail-
ability: Building Computer Algebra on
top of Proof Assistants and making
Proof Assistants available over the Web.
Faculty of Science, Mathematics and
Computer Science, RU. 2009-18
R.S.S. O’Connor. Incompleteness &
Completeness: Formalizing Logic and
Analysis in Type Theory. Faculty of Sci-
ence, Mathematics and Computer Sci-
ence, RU. 2009-19
B. Ploeger. Improved Verification
Methods for Concurrent Systems. Fac-
ulty of Mathematics and Computer Sci-
ence, TU/e. 2009-20
T. Han. Diagnosis, Synthesis
and Analysis of Probabilistic Mod-
els. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2009-21
R. Li. Mixed-Integer Evolution Strate-
gies for Parameter Optimization and
Their Applications to Medical Image
Analysis. Faculty of Mathematics and
Natural Sciences, UL. 2009-22
J.H.P. Kwisthout. The Computa-
tional Complexity of Probabilistic Net-
works. Faculty of Science, UU. 2009-23
T.K. Cocx. Algorithmic Tools for
Data-Oriented Law Enforcement. Fac-
ulty of Mathematics and Natural Sci-
ences, UL. 2009-24
A.I. Baars. Embedded Compilers. Fac-
ulty of Science, UU. 2009-25
M.A.C. Dekker. Flexible Access Con-
trol for Dynamic Collaborative Environ-
ments. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2009-26
J.F.J. Laros. Metrics and Visualisa-
tion for Crime Analysis and Genomics.
Faculty of Mathematics and Natural
Sciences, UL. 2009-27
C.J. Boogerd. Focusing Automatic
Code Inspections. Faculty of Electrical
Engineering, Mathematics, and Com-
puter Science, TUD. 2010-01
M.R. Neuha¨ußer. Model Checking
Nondeterministic and Randomly Timed
Systems. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2010-02
J. Endrullis. Termination and Pro-
ductivity. Faculty of Sciences, Division
of Mathematics and Computer Science,
VUA. 2010-03
T. Staijen. Graph-Based Specification
and Verification for Aspect-Oriented
Languages. Faculty of Electrical Engi-
neering, Mathematics & Computer Sci-
ence, UT. 2010-04
Y. Wang. Epistemic Modelling and
Protocol Dynamics. Faculty of Science,
UvA. 2010-05
J.K. Berendsen. Abstraction, Prices
and Probability in Model Checking
Timed Automata. Faculty of Science,
Mathematics and Computer Science,
RU. 2010-06
A. Nugroho. The Effects of UML
Modeling on the Quality of Software.
Faculty of Mathematics and Natural
Sciences, UL. 2010-07
A. Silva. Kleene Coalgebra. Faculty
of Science, Mathematics and Computer
Science, RU. 2010-08
J.S. de Bruin. Service-Oriented Dis-
covery of Knowledge - Foundations, Im-
plementations and Applications. Fac-
ulty of Mathematics and Natural Sci-
ences, UL. 2010-09
D. Costa. Formal Models for Compo-
nent Connectors. Faculty of Sciences,
Division of Mathematics and Computer
Science, VUA. 2010-10
M.M. Jaghoori. Time at Your Ser-
vice: Schedulability Analysis of Real-
Time and Distributed Services. Faculty
of Mathematics and Natural Sciences,
UL. 2010-11
R. Bakhshi. Gossiping Models: For-
mal Analysis of Epidemic Protocols.
Faculty of Sciences, Department of
Computer Science, VUA. 2011-01
B.J. Arnoldus. An Illumination of
the Template Enigma: Software Code
Generation with Templates. Faculty
of Mathematics and Computer Science,
TU/e. 2011-02
E. Zambon. Towards Optimal IT
Availability Planning: Methods and
Tools. Faculty of Electrical Engineer-
ing, Mathematics & Computer Science,
UT. 2011-03
L. Astefanoaei. An Executable The-
ory of Multi-Agent Systems Refinement.
Faculty of Mathematics and Natural
Sciences, UL. 2011-04
J. Proenc¸a. Synchronous coordina-
tion of distributed components. Faculty
of Mathematics and Natural Sciences,
UL. 2011-05
A. Moralı. IT Architecture-Based
Confidentiality Risk Assessment in Net-
works of Organizations. Faculty of
Electrical Engineering, Mathematics &
Computer Science, UT. 2011-06
M. van der Bijl. On changing mod-
els in Model-Based Testing. Faculty of
Electrical Engineering, Mathematics &
Computer Science, UT. 2011-07
C. Krause. Reconfigurable Component
Connectors. Faculty of Mathematics
and Natural Sciences, UL. 2011-08
M.E. Andre´s. Quantitative Analysis
of Information Leakage in Probabilistic
and Nondeterministic Systems. Faculty
of Science, Mathematics and Computer
Science, RU. 2011-09
M. Atif. Formal Modeling and Verifi-
cation of Distributed Failure Detectors.
Faculty of Mathematics and Computer
Science, TU/e. 2011-10
P.J.A. van Tilburg. From Com-
putability to Executability – A process-
theoretic view on automata theory. Fac-
ulty of Mathematics and Computer Sci-
ence, TU/e. 2011-11
Z. Protic. Configuration manage-
ment for models: Generic methods
for model comparison and model co-
evolution. Faculty of Mathematics and
Computer Science, TU/e. 2011-12
S. Georgievska. Probability and Hid-
ing in Concurrent Processes. Faculty
of Mathematics and Computer Science,
TU/e. 2011-13
S. Malakuti. Event Composition
Model: Achieving Naturalness in Run-
time Enforcement. Faculty of Electrical
Engineering, Mathematics & Computer
Science, UT. 2011-14
M. Raffelsieper. Cell Libraries and
Verification. Faculty of Mathematics
and Computer Science, TU/e. 2011-15
C.P. Tsirogiannis. Analysis of Flow
and Visibility on Triangulated Terrains.
Faculty of Mathematics and Computer
Science, TU/e. 2011-16
Y.-J. Moon. Stochastic Models for
Quality of Service of Component Con-
nectors. Faculty of Mathematics and
Natural Sciences, UL. 2011-17
R. Middelkoop. Capturing and Ex-
ploiting Abstract Views of States in OO
Verification. Faculty of Mathematics
and Computer Science, TU/e. 2011-18
M.F. van Amstel. Assessing and Im-
proving the Quality of Model Transfor-
mations. Faculty of Mathematics and
Computer Science, TU/e. 2011-19
A.N. Tamalet. Towards Correct Pro-
grams in Practice. Faculty of Sci-
ence, Mathematics and Computer Sci-
ence, RU. 2011-20
H.J.S. Basten. Ambiguity Detection
for Programming Language Grammars.
Faculty of Science, UvA. 2011-21
M. Izadi. Model Checking of Compo-
nent Connectors. Faculty of Mathemat-
ics and Natural Sciences, UL. 2011-22
L.C.L. Kats. Building Blocks for Lan-
guage Workbenches. Faculty of Elec-
trical Engineering, Mathematics, and
Computer Science, TUD. 2011-23
S. Kemper. Modelling and Analysis of
Real-Time Coordination Patterns. Fac-
ulty of Mathematics and Natural Sci-
ences, UL. 2011-24
