Abstract. The context of this study is timed temporal logics for timed automata. In this paper, we propose an extension of the classical logic TCTL with a new Until modality, called "Until almost everywhere". In the extended logic, it is possible, for instance, to express that a property is true at all positions of all runs, except on a negligible set of positions. Such properties are very convenient, for example in the framework of boolean program verification, where transitions result from changing variable values. We investigate the expressive power of this modality and in particular, we prove that it cannot be expressed with classical TCTL modalities. However, we show that model-checking the extended logic remains PSPACE-complete as for TCTL.
Introduction
Verification of timed temporal logic properties. Temporal logic provides a fundamental framework for formally specifying systems and reasoning about them. Furthermore, model-checking techniques lead to the automatic verification that a finite-state model of a system satisfies some temporal logic specification. Since the introduction of timed automata [AD90, AD94] and timed logics like MITL, $L_\nu$ or TCTL [AH92, LLW95, AFH96], model-checking has been extended to real-time models [HNSY94], and analysis tools have been developed [DOTY96, HHWT95, LPY97] and successfully applied to numerous case studies. Among these case studies, some examples concern the verification of programs which handle boolean or integer variables. The usual way to build a (possibly timed) model of the program consists in defining the discrete control states as tuples of variable values. The transitions are thus equipped with updates for the variables (and possibly time constraints). In such a model, a variable may change its value exactly upon leaving a control state and reaching another one, which gives an ambiguous semantics: a variable can have several different values at a given time. This may lead to detecting errors in the system which are only due to the modeling phase. Such problems occur in the area of industrial automation, for the verification of Programmable Logic Controllers. In this case, programs are written in one of the languages described by the IEC-61131-3 specification [IEC93].
Example. Consider the SFC (Sequential Function Chart, one of the languages of the IEC standard) in Figure 1 below. It describes the control program of a device, designed to start some machine when two buttons (L and R for left and right button respectively) are pushed within 0.5 seconds. If only one button is pushed (then L+R is true) and the 0.5 seconds delay is reached (time-out Et has occurred), then the whole process must be started again. After the machine has started, it stops as soon as one button is released, and it can start again only after both buttons have been released (L.R is true). This device can be modeled with three timed automata (Figure 2 ), which communicate through the boolean variables L and R. The two automata for the buttons simply give arbitrary values in {0, 1} to L and R, while the automaton for the control program is a straightforward translation of the SFC, with the only addition of an initialization step. The latter automaton handles a clock to measure the time interval of length 0.5. Note that some transitions must be urgent: for instance, the transition into state running, which sets the output variable s to 1, must be taken as soon as both buttons are pushed (if t < 0.5). Consider now the following property: it is always true that the machine has started only if both buttons have been pushed, i.e. if s=1 then L=1 and R=1. This property does not hold because the automaton is still in state running when one of the buttons has been released, even if the transition into the next state will occur instantaneously afterward. What we should require instead is that this property be true almost everywhere, meaning that it could be false only on intervals with null duration.
A similar problem can occur when a sequence of transitions must be executed in an atomic way. To this purpose, a convenient feature was introduced in Uppaal: when a location of a timed automaton is labeled as committed, no time delay is permitted in this location and a new action transition has to be performed to leave this location. This mechanism is used in particular to obtain n-ary synchronization when only binary synchronization is possible. For example, the sequence $s_1 \xrightarrow{a_1} s_2 \xrightarrow{a_2} s_3$ executes atomically if location $s_2$ is committed. Like above, a given property may be true before $s_1$ and after $s_3$ but false in the intermediate location $s_2$, where the control stays for a null duration. Again in this case, a property true "almost everywhere" would be sufficient.
Some solutions. A basic method to solve the particular example of the "two buttons machine" described above would be to synchronize the update transitions of the L and R variables with the control transitions. This would amount to removing the variables from the model, introducing synchronizing channels instead. However, the resulting models would not faithfully represent the control program of the device, which receives the values of L and R through intermediate variables updated by sensors. Since the control program may later be translated into some other language of the standard (like Ladder Diagram), the model should remain as close as possible to the original specification.
A simple way of dealing with the general case consists in defining restricted semantics for timed automata, requiring that at most one configuration be associated with a given time. This holds for instance when only strictly increasing time sequences are permitted. However, when practical issues are considered, it is often useful to assume that several actions are executed in an atomic way (as described above for synchronization), which leads to simpler models. Restricting the expressive power of a model is generally not a good idea. When such atomicity hypotheses are made, it is then possible to modify the property to be checked, requiring it to be true only in specified states where no ambiguity can occur. Such methods were used for instance in the verification with HyTech of the ABR protocol [BFKM03] . But this is an ad-hoc construction, where all the details of the system must be carefully investigated. Finally, one could think of introducing an observer automaton. For example, to test if some atomic proposition a is true almost everywhere, such an automaton would move to an error state if it has stayed in ¬a for a non null duration. However, it is well known that this method does not apply to full TCTL, but is restricted to a fragment expressing safety properties [ABBL03] .
Contribution. In this paper, we propose a solution that does not depend on the model, which can thus remain as it was originally designed (often in a long and difficult process) for a given system. This solution consists in extending the syntax of the TCTL logic with an almost everywhere until modality $U^a$. We obtain for instance formulae like $AG^a\varphi$, meaning that property $\varphi$ is true almost everywhere. Section 2 recalls the main features of the timed automata model and gives definitions for the syntax and semantics of our extended logic. In Section 3, we investigate the expressive power of this extension, comparing it with TCTL. In particular, we prove that the modality $U^a$ cannot be expressed with TCTL operators and conversely that $U^a$ cannot express TCTL modalities. Finally, in the last section, we show that model-checking the extended logic $TCTL_{ext}$ is decidable by a labeling procedure, with the same complexity as TCTL.
2 Timed Automata and $TCTL_{ext}$

Let $\mathbb{N}$ and $\mathbb{R}_{\ge 0}$ denote respectively the sets of natural and non-negative real numbers. Let $X$ be a set of real-valued clocks. The set of valuations is the set $\mathbb{R}^X_{\ge 0}$ of mappings from $X$ to $\mathbb{R}_{\ge 0}$. We write $C(X)$ for the set of boolean expressions over atomic formulae of the form $x \sim k$ with $x \in X$, $k \in \mathbb{N}$, and $\sim\ \in \{<, \le, =, \ge, >\}$. Constraints of $C(X)$ are interpreted over clock valuations. For every $v \in \mathbb{R}^X_{\ge 0}$ and $d \in \mathbb{R}_{\ge 0}$, we use $v + d$ to denote the time assignment which maps each clock $x \in X$ to the value $v(x) + d$. For a subset $r$ of $X$, we write $v[r \leftarrow 0]$ for the valuation which maps each clock in $r$ to the value 0 and agrees with $v$ over $X \setminus r$. Let $AP$ be a set of atomic propositions.
Timed Automata
Definition 1. A timed automaton (TA) is a tuple $A = \langle X, Q_A, q_{init}, \to_A, Inv_A, l_A \rangle$ where $X$ is a finite set of clocks, $Q_A$ is a finite set of locations or control states and $q_{init} \in Q_A$ is the initial location. The set $\to_A \subseteq Q_A \times C(X) \times 2^X \times Q_A$ is a finite set of action transitions: for $(q, g, r, q') \in \to_A$, $g$ is the enabling condition and $r$ is the set of clocks to be reset with the transition (we write $q \xrightarrow{g,r}_A q'$). $Inv_A : Q_A \to C(X)$ assigns an invariant to each control state. Finally $l_A : Q_A \to 2^{AP}$ labels every location with a subset of $AP$.
A configuration of a TA $A$ is a pair $(q, v)$, where $q \in Q_A$ is the current location and $v \in \mathbb{R}^X_{\ge 0}$ is the current clock valuation. The initial state of $A$ is $(q_{init}, v_0)$ with $v_0(x) = 0$ for any $x$ in $X$. There are two kinds of transition. From $(q, v)$, it is possible to perform the action transition $q \xrightarrow{g,r}_A q'$ if $v \models g$ and $v[r \leftarrow 0] \models Inv_A(q')$, and then the new configuration is $(q', v[r \leftarrow 0])$. It is also possible to let time elapse, and reach $(q, v + t)$ for some $t \in \mathbb{R}_{\ge 0}$ whenever the invariant is satisfied along the delay. Formally the semantics of a TA $A$ is given by a Timed Transition System (TTS) $T_A = (S, s_{init}, \to_{T_A}, l)$ where:
A run of $A$ is an infinite path $s_0 \to_{T_A} s_1 \to_{T_A} s_2 \ldots$ in $T_A$ such that (1) time diverges and (2) there are infinitely many action transitions. Note that a run can always be described as an alternating infinite sequence $s_0 \xrightarrow{t_0} \xrightarrow{a} s_1 \xrightarrow{t_1} \xrightarrow{a} \cdots$ for some $t_i \in \mathbb{R}_{\ge 0}$. Such a run $\rho$ goes through any configuration $s$ reachable from some $s_i$ by a delay transition of duration $t \in [0, t_i]$. We write $Exec(s)$ for the set of all runs starting from $s$. A configuration can occur several times along some run $\rho$. A particular occurrence $p$ of a configuration is called a position, and we write $p \in \rho$. For such a $p$, the corresponding configuration is denoted by $s_p$. The standard notions of prefix, suffix and subrun apply for paths in a TTS: given a position $p \in \rho$, $\rho^{\le p}$ is the prefix leading to $p$ and $\rho^{\ge p}$ is the suffix issued from $p$. Finally a subrun $\sigma$ from $p$ to $p'$ is denoted by $p \xrightarrow{\sigma} p'$. Given two positions $p$ and $p'$, we say that $p$ strictly precedes $p'$ along $\rho$ (written $p <_\rho p'$) iff there exists a finite subrun $\sigma$ of $\rho$ s.t. $p \xrightarrow{\sigma} p'$ and $\sigma$ contains at least one non-null delay transition or one action transition (i.e. $\sigma$ is not reduced to $\xrightarrow{0}$). Note that the set of positions along $\rho$ is totally ordered by $<_\rho$, independently of the representation of the run. Given a position $p \in \rho$, the prefix $\rho^{\le p}$ has a duration, $Time(\rho^{\le p})$, defined as the sum of all delays along $\rho^{\le p}$. Since time diverges along an execution, we have: for any $t \in \mathbb{R}_{\ge 0}$, there exists $p \in \rho$ such that $Time(\rho^{\le p}) > t$. For a subset $P \subseteq \rho$ of positions in $\rho$, we define a natural measure $\bar\mu(P) = \mu\{Time(\rho^{\le p}) \mid p \in P\}$, where $\mu$ is the Lebesgue measure on the set of real numbers.
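As an added worked example (not code from the paper or from any tool it cites), the following Python script represents a run prefix as the alternating sequence of stays and action transitions just defined and computes the measure $\bar\mu$ of the positions at which a property fails, which is the quantity the "almost everywhere" reading of the introduction relies on. It then checks the two-buttons property ($s=1 \Rightarrow L=1 \wedge R=1$) both pointwise and almost everywhere, and checks an untimed almost-everywhere until ($\varphi$ fails only on a null-measure set before a positive-measure subrun satisfying $\psi$). The run prefixes, the proposition names `L`, `R`, `s`, `a` and the helper names are constructed for the example; every position of a stay carries the labelling of its location, which is the assumption that lets $\bar\mu$ be computed as a sum of delays.

```python
"""Positions, delays and the measure mu-bar along a run prefix of a timed automaton.

A run is the alternating sequence  s_0 --t_0--> --a--> s_1 --t_1--> --a--> ...
Each Step below is one "stay in a location, then fire an action" segment: the
location, the atomic propositions l_A(q) labelling it, and the delay t_i spent
there.  The positions visited during that stay occupy an interval of length t_i
on the time axis, so mu-bar of a set of stays is the sum of their delays, and a
zero-delay stay (an urgent or committed location) is a null-measure set.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, FrozenSet, List, Sequence

Props = FrozenSet[str]
Pred = Callable[[Props], bool]          # a state formula evaluated on the labelling


@dataclass(frozen=True)
class Step:
    location: str
    props: Props        # propositions true at every position of this stay (assumption)
    delay: Fraction     # t_i: time elapsed before the next action transition


def measure(run: Sequence[Step], pred: Pred) -> Fraction:
    """mu-bar of the set of positions of `run` whose configuration satisfies `pred`."""
    return sum((s.delay for s in run if pred(s.props)), Fraction(0))


def holds_everywhere(run: Sequence[Step], phi: Pred) -> bool:
    """Classical AG phi on one run: phi at every position, zero-delay stays included."""
    return all(phi(s.props) for s in run)


def holds_almost_everywhere(run: Sequence[Step], phi: Pred) -> bool:
    """AG^a phi on one run: the positions violating phi form a null-measure set."""
    return measure(run, lambda p: not phi(p)) == 0


def until_almost_everywhere(run: Sequence[Step], phi: Pred, psi: Pred) -> bool:
    """phi U^a psi on one run, time subscript dropped: some subrun of positive
    measure satisfies psi, and the positions before it at which phi fails have
    null measure.  The first positive-measure psi-stay is the best candidate,
    since the set of earlier positions only grows for later ones."""
    for i, s in enumerate(run):
        if psi(s.props) and s.delay > 0:
            return measure(run[:i], lambda p: not phi(p)) == 0
    return False


def lab(*names: str) -> Props:
    return frozenset(names)


# Constructed run prefix of the two-buttons controller (not a trace from any tool):
# L, R, s in the labelling mean L=1, R=1, s=1.
TWO_BUTTONS_RUN: List[Step] = [
    Step("init",    lab(),              Fraction(1)),       # no button pushed
    Step("wait",    lab("L"),           Fraction(3, 10)),   # left pushed, clock started
    Step("running", lab("L", "R", "s"), Fraction(2)),       # right pushed within 0.5: started
    Step("running", lab("L", "s"),      Fraction(0)),       # R released; urgent exit, no delay
    Step("stopped", lab("L"),           Fraction(1)),
]

# Same scenario, but the controller lingers 0.1 time units in `running` after the release.
SLOW_RELEASE_RUN: List[Step] = (
    TWO_BUTTONS_RUN[:3] + [Step("running", lab("L", "s"), Fraction(1, 10))] + TWO_BUTTONS_RUN[4:]
)

# Committed location s_2 between s_1 and s_3: proposition a fails only during the null stay.
COMMITTED_RUN: List[Step] = [
    Step("s1", lab("a"), Fraction(1)),
    Step("s2", lab(),    Fraction(0)),
    Step("s3", lab("a"), Fraction(1)),
]


def started_implies_both_pushed(p: Props) -> bool:
    """The property of the introduction: s=1 implies L=1 and R=1."""
    return "s" not in p or {"L", "R"} <= p


if __name__ == "__main__":
    print(holds_everywhere(TWO_BUTTONS_RUN, started_implies_both_pushed))           # False
    print(holds_almost_everywhere(TWO_BUTTONS_RUN, started_implies_both_pushed))    # True
    print(measure(SLOW_RELEASE_RUN, lambda p: not started_implies_both_pushed(p)))  # 1/10
```

The pointwise check rejects the first run because of the zero-delay stay in `running` after the release, exactly the modeling artifact described in the introduction, while the almost-everywhere check accepts it; it correctly rejects the second run, where the violation lasts 0.1 time units and therefore has positive measure.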
Definition of TCTL
We extend the syntax of TCTL to express that a formula holds almost everywhere: TCTL 
where $P_i \in AP$, $\sim$ belongs to the set $\{<, >, \le, \ge, =\}$ and $c \in \mathbb{N}$.
Standard abbreviations include $\top$, $\bot$, $\varphi \vee \psi$, $\varphi \Rightarrow \psi$, ... as well as:
The following clauses define when a state $s$ of some TTS $T = \langle S, s_{init}, \to, l \rangle$ satisfies a $TCTL_{ext}$ formula $\varphi$, written $s \models \varphi$, by induction over the structure of $\varphi$ (the semantics of boolean operators is omitted).
Note that in the case of the almost-everywhere modality $U^a$, we ask that $\varphi$ holds almost everywhere before $\psi$ occurs. Moreover, we require that $\psi$ holds not only at a single position (which has measure 0), as in the usual framework, but on a whole interval around the position satisfying the time constraint. For example, $AG^a_{\ge 0}\varphi$ specifies that along every run, the set of positions at which $\varphi$ does not hold has measure 0, i.e. $\varphi$ holds almost everywhere along all paths. It was precisely this kind of property we wanted to be able to express. Note that the positions where some formula $\varphi$ does not hold are not restricted to discrete transitions, contrary to some intuition. Indeed, consider the automaton below, with two atomic propositions $a$ and $b$, and the formula $\varphi = E\, a U_{=1} b$. Let $\rho$ be a run starting in $(q_0, 0)$. Clearly, the only position where $\varphi$ is satisfied is $(q_0, 1)$, which does not correspond to a discrete transition. In this case, we have
The standard TCTL logic is the fragment of $TCTL_{ext}$

3 Expressiveness of the $U^a$ Modality
In this section we show that the modality U a cannot be expressed with TCTL operators and conversely that U a cannot express TCTL modalities. Formally we say that two formulae ϕ and ψ are equivalent for a class of models C whenever their truth value is the same for any element of C, this is denoted
First we show that $U^a$ cannot be expressed with the standard $U$ modality. The proof is based on classical techniques used in untimed temporal logics (see for example [Eme91, EH86]). However, adapting them to the timed framework results in more involved constructions. Let $\Psi$ be the $TCTL^a$ formula $E(a U^a_{>0} b)$. We will prove that there is no TCTL formula equivalent to $\Psi$. Consider the timed automata $M_i$ and $N_i$ with $i \ge 1$ in Figure 3. Clearly we have $M_i, (q_i, 0) \models \Psi$ while $N_i, (q'_i, 0) \not\models \Psi$. The next lemma states that $M_i$ and $N_i$ satisfy the same TCTL formulae whose size is less than $i$. We first introduce some notations. Given two configurations $s$ and $s'$, we write $s \equiv^k_{TCTL} s'$ iff for any $\varphi \in TCTL$ with $|\varphi| \le k$, we have $s \models \varphi \Leftrightarrow s' \models \varphi$. We write $s \equiv_{TCTL} s'$ iff $s \equiv^k_{TCTL} s'$ for any $k \ge 1$. Automata $M_i$ and $N_i$ contain only one clock, so any configuration is defined as a pair $(\ell, t)$ where $\ell$ is a location and $t \in \mathbb{R}_{\ge 0}$ is the value of $x$. Moreover the automata have only one cycle, on $r_0$: for any configuration of the form $(q_j, t)$, $(q'_j, t)$, $(r_j, t)$ or $(r'_j, t)$ with $j \ge 1$, there is at most one such position along a run $\rho$. The expressiveness result will be a consequence of the following Lemma:
Lemma 4. Given the automata described in Figure 3, $\forall k \ge 1$, $\forall i \ge k$ and $\forall t \in \mathbb{R}_{\ge 0}$, we have:
The run $\rho$ is characterized by the time $\delta_0$ elapsed in $q_i$, the time $\delta_1$ elapsed in $r_i$ and a suffix $\rho_1$ in $N_{i-1}$ or $M_{i-1}$. Then $\rho$ has the following structure: Note that the suffix $\rho_1$ is in
$\to$. The same can be done for a run issued from $(r_i, t)$, but in this case there is only the delay transition labeled by $\delta_1$. Note that $\rho$ and $f_{M_i}(\rho)$ share the same suffix $\rho_1$. Given a run $\rho$ in $M_i$ from $(q_i, t)$ or $(r_i, t)$, one can also define a corresponding run $f_{N_i}(\rho)$ in $N_i$ whenever the delay $\delta_1$ spent in $r_i$ is strictly positive.
Proof (of Lemma 4).
The proof is done by induction over $k$, the size of formulae. First note that, given the guards and the resets on transitions of $M_i$ and $N_i$, we clearly have for every $j \ge 0$ and locations $\ell \in \{q_j, r_j, q'_j, r'_j\}$
For formulae of size $k = 1$, the equivalences of the lemma hold because $q_i$ and $q'_i$ (resp. $r_i$ and $r'_i$) are labeled by the same atomic propositions.
We assume now that $k > 1$ and that the equivalences of the lemma hold for formulae of size $< k$. The case of boolean combinations is obvious, so we now concentrate on formulae $A(\varphi_1 U_{\sim c} \varphi_2)$ and $E(\varphi_1 U_{\sim c} \varphi_2)$. From equivalences (1) and (2) and from the induction hypothesis, if $\rho$ is a run in
Note that there exist some runs $\rho$ in $M_i$ for which there is no corresponding $f_{N_i}(\rho)$ (when there is no delay in location $r_i$).
We thus deduce immediately that
To get all equivalences of Lemma 4, we need some extra work for several implications.
- Assume that $(q_i, t) \models E(\varphi_1 U_{\sim c} \varphi_2)$ and take a run $\rho$ from state $(q_i, t)$ satisfying $\varphi_1 U_{\sim c} \varphi_2$ with no corresponding run $f_{N_i}(\rho)$ (the delay in location $r_i$ is thus 0). We denote by $(\ell, v)$ the position along $\rho$ which satisfies $\varphi_2$ while all previous positions satisfy $\varphi_1$. If that position is before $(q_{i-1}, 0)$, then taking a run which starts with the primed version of the prefix of $\rho$ ending in $(\ell, v)$, by induction hypothesis, we get a run which satisfies $\varphi_1 U_{\sim c} \varphi_2$. Otherwise we need to change delays in $\rho$ (to get a run $\rho'$) as follows: on $\rho$ there is no delay in location $r_i$; we add one small delay in this state, small enough that the run is unchanged after state $r_{i-1}$ (the accumulated delays in states $r_i$ and $q_{i-1}$ in $\rho'$ correspond to the delay in $q_{i-1}$ on run $\rho$, see the figure below) and such that if $\ell = q_{i-1}$ (in which case $v > 0$ by assumption), then the corresponding position on $\rho'$ is some $(q_{i-1}, v')$ with $v' > 0$.
The run $\rho'$ then satisfies $\varphi_1 U_{\sim c} \varphi_2$: the position which corresponds to $(\ell, v)$ on $\rho'$ also satisfies $\varphi_2$, and all previous positions satisfy $\varphi_1$ (using equivalences (1) and (2)). We thus get that $f_{N_i}(\rho')$ also satisfies $\varphi_1 U_{\sim c} \varphi_2$. Thus, $(q'_i, t) \models E(\varphi_1 U_{\sim c} \varphi_2)$. A similar construction can be done to prove that
where $\prec$ is either $<$ or $\le$ and $c > 0$, we consider a location $\ell \in \{q_i, r_i, q'_i, r'_i\}$. The following then holds:
• for $t > 0$, $(\ell, t) \models A(\varphi_1 U_{\prec c} \varphi_2)$ iff $(\ell, t) \models \varphi_2$, as we can take a run waiting at least $c$ time units in location $\ell$, and for some delay $d \prec c$, $(\ell, t + d)$ will have to satisfy $\varphi_2$ (which entails by (2) that $(\ell, t)$ must satisfy $\varphi_2$);
• similarly $(\ell, 0) \models A(\varphi_1 U_{\prec c} \varphi_2)$ iff $(\ell, 0) \models \varphi_2$ or ($(\ell, 0) \models \varphi_1$ and $(\ell, t) \models \varphi_2$ for every $t > 0$).
Using the induction hypothesis (on formulae $\varphi_1$ and $\varphi_2$), we get that $(\ell', t) \models A(\varphi_1 U_{\prec c} \varphi_2)$ implies $(\ell, t) \models A(\varphi_1 U_{\prec c} \varphi_2)$ if $\ell \in \{q_i, r_i\}$.
- We consider formula $A(\varphi_1 U_{=c} \varphi_2)$ with $c > 0$. Any state reachable from some $(\ell, t)$ can be reached in exactly $c$ units of time and in strictly less than $c$ units of time (because there are no real constraints on delays in states). This formula is then equivalent to $\varphi_1 \wedge \varphi_2$ over states $(\ell, t)$ with $\ell \in \{q_i, r_i, q'_i, r'_i\}$ and $t > 0$, and $(\ell, 0) \models A(\varphi_1 U_{=c} \varphi_2)$ iff $(\ell, 0) \models \varphi_1$ and all states reachable from $(\ell, 0)$ satisfy $\varphi_1 \wedge \varphi_2$ ($\ell$ is in $\{q_i, r_i, q'_i, r'_i\}$). Using the induction hypothesis, we get that $(\ell', t) \models A(\varphi_1 U_{=c} \varphi_2)$ implies $(\ell, t) \models A(\varphi_1 U_{=c} \varphi_2)$ for $\ell \in \{q_i, r_i\}$.
- We assume that $(q'_i, t) \models A(\varphi_1 U_{\ge c} \varphi_2)$ and we want to prove that $(q_i, t) \models$
is not defined (the delay in state $r_i$ is 0). We will construct a run in $N_i$ from state $(q'_i, t)$ "equivalent" to $\rho$, and distinguish two cases, depending on the delay $\delta$ in location $q_i$. We first consider the case where $\delta < c$.
In $\rho$, the delay in $q_i$ is $< c$ whereas the delay in $r_i$ is null. We first construct a run $\rho'$ with a positive delay in $r_i$ (however smaller than the initial delay of $\rho$ in state $q_{i-1}$) such that the accumulated delay in $q_i$ and $r_i$ is still $< c$ (see the figure above). From $\rho'$ we construct the run $f_{N_i}(\rho')$ in $N_i$. Using the induction hypothesis, at all positions the two runs $\rho'$ and $f_{N_i}(\rho')$ agree on properties $\varphi_1$ and $\varphi_2$. As $(q'_i, t) \models A(\varphi_1 U_{\ge c} \varphi_2)$, this implies that $f_{N_i}(\rho') \models \varphi_1 U_{\ge c} \varphi_2$, and thus that $\rho' \models \varphi_1 U_{\ge c} \varphi_2$. In particular, $\varphi_1$ has to hold in states $(r_i, t)$ for every $t \ge 0$. Moreover, property $\varphi_2$ holds at some position along $\rho'$, and $\varphi_2$ will also hold at the same position on $\rho$. We thus get that $\rho$ also satisfies property $\varphi_1 U_{\ge c} \varphi_2$. We now assume that $\delta \ge c$. From $\rho$, which does not delay in state $r_i$, we construct a run $\rho'$ which waits a small amount of time (as in the previous case), and then consider the corresponding run $f_{N_i}(\rho')$ in $N_i$. By assumption, this run satisfies $\varphi_1 U_{\ge c} \varphi_2$. Then several cases can happen: (i) the property $\varphi_2$ holds in some $(q'_i, t+d)$ with $d \ge c$, in which case $\varphi_2$ also holds in $(q_i, t+d)$ by induction hypothesis, and $\varphi_1$ holds in all $(q_i, t+d')$ for $d' < d$ (also by induction hypothesis), which implies that $\rho \models \varphi_1 U_{\ge c} \varphi_2$; (ii) the property holds in some $(r'_i, d)$ for some $d \ge 0$, which implies that $\varphi_2$ also holds in $(r_i, d)$ by i.h. and thus that $(r_i, 0) \models \varphi_2$ using (1), thus $\rho \models \varphi_1 U_{\ge c} \varphi_2$; (iii) the property $\varphi_2$ holds for some other state $(\ell, d)$, which will also be true on run $\rho$, thus in that case also $\rho \models \varphi_1 U_{\ge c} \varphi_2$. In both cases ($\delta < c$ and $\delta \ge c$) we can conclude that $(q_i, t) \models A(\varphi_1 U_{\ge c} \varphi_2)$. Similar constructions can be done to prove that $(r'_i, t) \models A(\varphi_1 U_{\ge c} \varphi_2)$ implies $(r_i, t) \models A(\varphi_1 U_{\ge c} \varphi_2)$.
- Formula $A(\varphi_1 U_{>c} \varphi_2)$ is handled almost in the same way as $A(\varphi_1 U_{\ge c} \varphi_2)$. Like before, we consider a run $\rho$ in $M_i$ which has no corresponding run $f_{N_i}(\rho)$. If $\delta$ is the delay in location $q_i$, we now have to distinguish three cases (instead of two): the cases where $\delta < c$ or $\delta > c$ can be handled exactly as previously. The only different case is when $\delta = c$. As previously we first construct a run $\rho'$ which waits some positive delay in location $r_i$, and then consider the run $f_{N_i}(\rho')$, which has to satisfy $\varphi_1 U_{>c} \varphi_2$; using the induction hypothesis we get that $\rho' \models \varphi_1 U_{>c} \varphi_2$, from which we get that $\rho \models \varphi_1 U_{>c} \varphi_2$ (using equivalences (1) and (2)). In that case, the delay in location $q_i$ is shortened, and the accumulated delay in $q_i$ and $r_i$ (in run $\rho'$) is precisely $c$, as seen in the figure below.
- It is easy to see that formula $A(\varphi_1 U_{=0} \varphi_2)$ is equivalent to $\varphi_2$ over states of
This concludes the proof of Lemma 4.
Now we have the following result:
Theorem 5. $TCTL_{ext}$ is strictly more expressive than TCTL.

Proof. This is a consequence of Lemma 4: assume that there exists a TCTL formula $\Phi$ equivalent to formula $E(aU$

Proof. Let $A$ be the automaton described in Figure 4. It can be easily proven that $(q_0, t)$ and $(q'_0, t)$ agree on the same $TCTL^a$ formulae. Indeed the only difference is that the state $(r_0, 0)$ belongs to any run from $q_0$. But this state has to be left immediately, so this position has null measure along any run and cannot affect the truth value of $TCTL^a$ formulae.
Region equivalence
Given $A$ and some clock $x \in X$, we use $c_x \in \mathbb{N}$ to denote the maximal constant that $x$ is compared with in the guards and invariants of $A$. Let $\cong$ be the following equivalence [AD90] over clock valuations $v, v' \in \mathbb{R}^X_{\ge 0}$:
for any $x \in X$, and (2) for any $x, y \in X$ s.t. $v(x) \le c_x$ and $v(y) \le c_y$, we have:
Proof (sketch). The proof follows the same steps as the corresponding one for TCTL. First, given a run $\rho \in Exec(q, v)$, we can build a run $\rho' \in Exec(q, v')$ where the same action transitions are taken at "almost" the same times and where the regions visited for a strictly positive duration are the same. Let $\rho \in Exec(q, v)$ be the run $(q_0, v_0)$
The set of positions $\{p' \mid p' <_\rho p \wedge s_{p'} \not\models \varphi\}$ corresponds to a set of regions along $\rho$ where no time elapses. In $\rho'$ the same regions are visited and no delay transition occurs there. Then this set will also have null measure. Thus $(q, v') \models E\varphi U^a_{\sim c}\psi$. The same argument can be used for $A\varphi U^a_{\sim c}\psi$ because any run from $(q, v)$ has a corresponding run from $(q, v')$ and vice versa.
Region graph
Given some region $\gamma \in \mathbb{R}^X_{\ge 0}/\!\cong$, the successor region of $\gamma$, when it exists, is the region $Succ(\gamma)$ distinct from $\gamma$ s.t. for any $v \in \gamma$, there exists some $t \in \mathbb{R}_{>0}$ s.t. $v + t \in Succ(\gamma)$ and $v + t' \in \gamma \cup Succ(\gamma)$ for any $0 \le t' < t$. We will write $\gamma(x) \sim c$ when any
Model-checking $TCTL_{ext}$ reduces to a model-checking problem for a CTL-like logic over a finite graph, called the region graph. Let $X^*$ be the set of clocks $X \cup \{x_\Phi\}$. The new clock $x_\Phi$ is used to handle the subscripts $\sim c$ in $U$ modalities; the value $c_{x_\Phi}$ is the maximal constant occurring in a subscript. For any subscript $\sim c$ in $\Phi$ we add new atomic propositions $p_{<c}$, $p_{>c}$ and $p_{=c}$, that hold for regions $\gamma$ s.t. $\gamma(x_\Phi) \sim c$. Let $p_b$ be another proposition that holds for boundary regions: $\gamma \models p_b$ iff there is some clock $x \in X^*$ with $frac(x) = 0$ in $\gamma$. Let $AP^+ = AP \cup \{p_b, p_{<c}, \ldots\}$ be the extended set of atomic propositions. We can now recall the region graph of [ACD93]: for a TA $A = \langle X, Q_A, q_{init}, \to_A, Inv_A, l_A \rangle$ and a $TCTL_{ext}$ formula $\Phi$, the region graph $R_{A,\Phi}$ is the finite fair graph $(V, \to, l, F)$ with:
- The set of transitions $\to\ =\ \to_t \cup \to_a$ contains two kinds of transitions:
- $l : V \to 2^{AP^+}$ labels the vertices with the atomic propositions they satisfy: $l(q, \gamma)$ contains $l_A(q)$ and the propositions for $\gamma$.
- $F$ is a set of fairness constraints: $F = \{F_x \mid x \in X^*\}$ with $F_x = \{(q, \gamma) \mid \gamma(x) = 0 \vee \gamma(x) > c_x\}$. A fair path in $R_{A,\Phi}$ has to visit infinitely often a state in $F_x$ for any $x \in X^*$.
We now define $R^+_{A,\Phi}$, an extension of $R_{A,\Phi}$ where we consider the transitive closure of $\to_a$: $R^+_{A,\Phi} = (V, \to, l, F)$ where $V$, $l$ and $F$ are defined as for $R_{A,\Phi}$, and
corresponds to a sequence of action transitions in $A$ which can be performed with no delay in between. Note that all the intermediary states along such a sequence are visited, but the set of their positions is of measure 0 w.r.t. $\bar\mu$. We call these states transient states; more formally, a state along a run $\rho$ is non-transient iff its region is non-boundary and the previous or the next transition on $\rho$ is a delay transition (a strictly positive delay has to elapse in the state along $\rho$). We will use this extended region graph when looking for the existence of a run satisfying $\varphi U$
Finally we also assume that for any state $(q, \gamma)$ of $R_{A,\Phi}$, there is a fair path rooted at $(q, \gamma)$.
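The region construction above (the equivalence $\cong$ of [AD90], the successor region $Succ(\gamma)$ and the boundary predicate $p_b$) is concrete enough to implement; the following Python script is an added example written for this page, not code from the paper or from any verification tool. It computes a canonical key for the region of a valuation (integer part and "fractional part is zero" flag of each clock below its maximal constant, "beyond $c_x$" otherwise, plus the ordering of the non-zero fractional parts), decides $\cong$ by comparing keys, checks that equivalent valuations satisfy the same atomic constraints $x \sim k$ with $k \le c_x$, decides $p_b$, and follows the chain of delay transitions $\to_t$ from one region to the next. Two assumptions are made explicit in the code: $p_b$ is evaluated only over clocks that have not passed their maximal constant (time can elapse freely once all clocks are beyond theirs), and valuations use exact rationals so that fractional parts compare exactly. The clock names, maximal constants and sample valuations are constructed for the example.

```python
"""Region equivalence of clock valuations, the successor region and boundary regions.

For a clock x with maximal constant c_x, only floor(v(x)) and whether frac(v(x)) = 0
matter while v(x) <= c_x, and nothing matters once v(x) > c_x; between clocks, only the
ordering of the non-zero fractional parts matters.  A region is a class of this
equivalence; `region_key` computes a canonical name of the class.
"""
from fractions import Fraction
from math import floor
from operator import eq, ge, gt, le, lt
from typing import Dict, List, Optional, Tuple, Union

Valuation = Dict[str, Fraction]
RegionKey = Tuple[Tuple[Tuple[str, Optional[int], bool], ...], Tuple[Tuple[str, ...], ...]]

EXAMPLE_CMAX: Dict[str, int] = {"x": 2, "y": 1}   # constructed maximal constants c_x, c_y


def val(**clocks: Union[str, int]) -> Valuation:
    """Build an exact valuation; pass decimals as strings, e.g. val(x="0.3", y="1")."""
    return {x: Fraction(c) for x, c in clocks.items()}


def _bounded(v: Valuation, cmax: Dict[str, int]) -> Valuation:
    """Clocks that have not yet passed their maximal constant."""
    return {x: c for x, c in v.items() if c <= cmax[x]}


def region_key(v: Valuation, cmax: Dict[str, int]) -> RegionKey:
    """Canonical name of the region of v: equal keys <=> equivalent valuations."""
    ints: List[Tuple[str, Optional[int], bool]] = []
    fracs: Dict[str, Fraction] = {}
    for x in sorted(v):
        if v[x] > cmax[x]:
            ints.append((x, None, False))            # beyond c_x: only "x > c_x" is kept
        else:
            i = floor(v[x])
            f = v[x] - i
            ints.append((x, i, f == 0))
            if f > 0:
                fracs[x] = f
    # group the clocks with a non-zero fractional part by increasing value of that part
    groups: List[Tuple[Fraction, List[str]]] = []
    for x, f in sorted(fracs.items(), key=lambda kv: (kv[1], kv[0])):
        if groups and groups[-1][0] == f:
            groups[-1][1].append(x)
        else:
            groups.append((f, [x]))
    return (tuple(ints), tuple(tuple(g) for _, g in groups))


def equivalent(v: Valuation, w: Valuation, cmax: Dict[str, int]) -> bool:
    return region_key(v, cmax) == region_key(w, cmax)


def agree_on_constraints(v: Valuation, w: Valuation, cmax: Dict[str, int]) -> bool:
    """Equivalent valuations satisfy the same atomic constraints x ~ k with k <= c_x."""
    return all(op(v[x], k) == op(w[x], k)
               for x in v for k in range(cmax[x] + 1) for op in (lt, le, eq, ge, gt))


def is_boundary(v: Valuation, cmax: Dict[str, int]) -> bool:
    """p_b (assumption: over clocks still below their constant): some such clock has a
    null fractional part, so time cannot elapse in this region without leaving it."""
    return any(c - floor(c) == 0 for c in _bounded(v, cmax).values())


def successor_valuation(v: Valuation, cmax: Dict[str, int]) -> Optional[Valuation]:
    """A valuation of Succ(region(v)): the first region entered when time elapses,
    or None when every clock is beyond its constant and no successor exists."""
    bounded = _bounded(v, cmax)
    if not bounded:
        return None
    positive = [f for f in (c - floor(c) for c in bounded.values()) if f > 0]
    if is_boundary(v, cmax):
        # any delay shorter than the time for the largest fraction to reach 1 leaves
        # the boundary region (fractions 0 become positive, order is preserved)
        t = (1 - max(positive)) / 2 if positive else Fraction(1, 2)
    else:
        t = 1 - max(positive)    # wait exactly until the largest fraction reaches 1
    return {x: c + t for x, c in v.items()}


def successor_region(v: Valuation, cmax: Dict[str, int]) -> Optional[RegionKey]:
    w = successor_valuation(v, cmax)
    return None if w is None else region_key(w, cmax)


def time_successors(v: Valuation, cmax: Dict[str, int]) -> List[RegionKey]:
    """The chain of regions reached from v by delay transitions only (the ->_t edges)."""
    keys = [region_key(v, cmax)]
    nxt = successor_valuation(v, cmax)
    while nxt is not None:
        keys.append(region_key(nxt, cmax))
        nxt = successor_valuation(nxt, cmax)
    return keys


if __name__ == "__main__":
    for key in time_successors(val(x="0.3", y="0.8"), EXAMPLE_CMAX):
        print(key)
```

From $(x, y) = (0.3, 0.8)$ with $c_x = 2$, $c_y = 1$ the chain alternates between open regions, where the non-boundary condition lets a positive delay elapse, and boundary regions where some clock has a null fractional part and a delay transition leaves immediately; once both clocks are beyond their constants the region has no successor, which is why the fairness set $F_x$ above admits $\gamma(x) > c_x$.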
Equivalences for $A\varphi U^a_{\sim c}\psi$ formulae
Before explaining the labeling algorithm, we establish some equivalences for $A\,\_\,U^a_{\sim c}\,\_$ formulae, which make the labeling procedures easier to describe. These equivalences hold for any state of a TTS generated by a TA.
⇒ Assume $s \models A\varphi U^a\psi$. Let $\rho \in Exec(s)$; we have $\rho \models \varphi U^a\psi$. Then there exists some subrun $\sigma$ of $\rho$ s.t. $\bar\mu(\sigma) > 0$, $\sigma \models \psi$, and there exists some position $p \in \sigma$ s.t. $\bar\mu(\{p' \mid p' <_\rho p \wedge s_{p'} \not\models \varphi\}) = 0$. This clearly implies $\rho \models F^a\psi$ and $s \models AF^a\psi$. Now assume $\rho \models (\neg\psi) U^a (\neg\psi \wedge \neg\varphi)$. Then there exists a subrun $\sigma'$ preceding $\sigma$ (because $\sigma \models \psi$) s.t. $\bar\mu(\sigma') > 0$ and $\sigma' \models \neg\psi \wedge \neg\varphi$. But this contradicts $\bar\mu(\{p' \mid p' <_\rho p \wedge s_{p'} \not\models \varphi\}) = 0$. Then we have $\rho \models \neg(\neg\psi U$
⇐ We have $\rho \models F^a\psi$, and then there exists some subrun $\sigma$ of $\rho$ s.t. $\bar\mu(\sigma) > 0$ and $\sigma \models \psi$. We also have $\rho \not\models (\neg\psi) U^a (\neg\psi \wedge \neg\varphi)$. This means that any subrun $\sigma'$ with $\bar\mu(\sigma') > 0$ satisfies either $\sigma' \not\models \neg\varphi \wedge \neg\psi$ (i.e. $\exists p \in \sigma'$ s.t. $p \models \varphi \vee \psi$), or for any $p \in \sigma'$ we have $\bar\mu(\{p' <_\rho p \mid s_{p'} \models \psi\}) > 0$. Now assume that the subrun $\sigma$ satisfying $\psi$ is the first one along $\rho$ (this can be done because executions of TAs satisfy the finite variability property). Consider the subrun $\sigma''$ of $\rho$ leading to $\sigma$. Then we clearly have, for any $p \in \sigma''$, $\bar\mu(\{p' <_\rho p \mid s_{p'} \models \psi\}) = 0$ due to the choice of $\sigma$. Then the fact that any subrun before $\sigma$ has to contain a position satisfying $\varphi \vee \psi$ entails that the set of positions satisfying $\neg\varphi$ has null measure. This entails $s \models A\varphi U^a\psi$.
Labeling algorithm.
We finally propose a labeling procedure to label every state of $R_{A,\Phi}$ with the $\Phi$-subformulae it satisfies. The procedures for TCTL are well known [ACD93]. For example, a state $(q, \gamma)$ is labeled with the formula $E\varphi U_{\sim c}\psi$ iff there exists a path $\pi$ in $R_{A,\Phi}$ from the state $(q, \gamma[x_\Phi \leftarrow 0])$ leading to a state $(q', \gamma')$ verifying $\psi$ and $p_{\sim c}$ (as the clock $x_\Phi$ is never reset along $\pi$, this means that the time elapsed from $(q, \gamma)$ verifies $\sim c$). Moreover the states between $(q, \gamma)$ and $(q', \gamma')$ have to satisfy $\varphi$. Finally the state $(q', \gamma')$ has to verify $\varphi$ if $\gamma'$ is not a boundary region and the last transition along $\pi$ is a delay transition (footnote 4). Then the verification of $E\varphi U_{\sim c}\psi$ over $(q, \gamma)$ reduces to verifying the following CTL formula over $(q, \gamma[$
4 A predicate that holds for a state $(q, \gamma)$ along a path $\pi$ iff the state $(q, \gamma)$ has just been reached via an action transition in $\pi$.
Consider now the $U^a$ modality and a path $\pi$ with $\pi(n) = (q_n, \gamma_n)$ satisfying $\sim c$ (there exists a corresponding run in the TA having duration $\sim c$). Moreover we have $(q_n, \gamma_n) \models \psi$. Any state along the path has to verify $\varphi$ unless it is a transient state. And there is a non-empty interval containing $\pi(n)$ along which $\psi$ holds. A non-empty interval means a sequence of regions containing at least one non-boundary region $\gamma$ with a delay transition $\to_t$ arriving in $\gamma$ or rooted at $\gamma$. This region is $\gamma_n$, or may be located either just before the position satisfying $p_{\sim c}$, or just after (in this case the existence of a non-boundary region verifying $\psi$ is sufficient). We then obtain the following CTL-like formula:
Quantifying over the transitions of $R^+_{A,\Phi}$ allows us to abstract away the transient states (they may not satisfy $\varphi$); moreover one does not require $\varphi$ for boundary regions since time cannot elapse in these states. The right-hand side of the formula distinguishes the two following cases:
- $\Psi_1$ states that there is a non-empty interval verifying $\psi$ and $\varphi$, starting from some non-boundary region (i.e. where time elapses) and leading to the position satisfying $p_{\sim c}$.
- $\Psi_2$ states that there is a non-empty interval verifying $\psi$, starting from the position satisfying $p_{\sim c}$ and leading to some non-boundary region (where time may elapse).
Note that for $\Psi_1$ and $\Psi_2$, we use the $E$ quantifier (over transitions of $R_{A,\Phi}$) because we want $\psi$ to hold for every encountered state.
Labeling procedure for $\Psi$
• $\Psi \stackrel{def}{=} AF^a\psi$: a state satisfies $\Psi$ iff every execution contains a non-empty subrun $\sigma$ with $\bar\mu(\sigma) > 0$ s.t. $\sigma \models \psi$. A state $(q, \gamma)$ in $R_{A,\Phi}$ has to be labeled by $\Psi$ whenever each execution $\pi$ contains a non-transient state $(q', \gamma')$ satisfying $\psi$. Recall that a state along $\pi$ is non-transient iff its region is non-boundary and the previous or the next transition is a delay transition (a strictly positive delay has to elapse in the state along $\pi$). One can consider the CTL
Quantifying over every execution in $R^+_{A,\Phi}$ allows us to ensure that every execution where non-boundary transient states are removed satisfies the property. Then we label $(q, \gamma)$ with $\Psi$ iff $(q, \gamma)$ satisfies $\xi$.
• $\Psi \stackrel{def}{=} AF^a_{<c}\psi$: compared to the previous case, we just require that the property $\psi$ holds before $c$ time units. Another possibility could be to express the dual of $AF^a_{<c}$. The formula $EG^a_{<c}\varphi$ states that there exists an execution $\rho$ such that any subrun $\sigma$ s.t. $\bar\mu(\sigma) > 0$ and containing a position $p$ located at duration $< c$ contains some position satisfying $\varphi$. Over the region graph, it means that there exists a path where any non-transient state satisfies $\varphi$ unless it is located after $c$. This can be expressed by the CTL formula
NB: the next operator ($EX$) allows us to ensure that the position for which the right-hand side of the until has to hold is the last position at duration $= c$ along a run.
• $\Psi \stackrel{def}{=} AF^a_{=c}\psi$: we also consider the dual operator $EG^a_{=c}$. A state satisfies $EG^a_{=c}\varphi$ whenever there exists a run $\pi$ such that any non-empty subrun containing a position located at duration $c$ contains a position satisfying $\varphi$. We then have to verify that the first position located at duration $c$ or its predecessor (via a delay transition) satisfies $\varphi$, and that the last position located at duration $c$ or its successor (via a delay transition) satisfies $\varphi$. This is expressed by the following CTL formula, where the four cases are distinguished:
5 This formula is actually equivalent to the dual of $A^+F(p_{<c} \wedge \psi \wedge \neg p_b)$ thanks to the properties of the region graph.
• we label a state $(q, \gamma)$ by $\Psi$ iff the state $(q, \gamma[x_\Phi \leftarrow 0])$ satisfies the formula $A\, p_{=0}\, U\, (p_{>0} \wedge A\varphi U^a\psi)$.
The algorithm described above runs in time polynomial in the size of the region graph and the size of the formula. As the size of the region graph is exponential in the sizes of the TA and the formula, this gives an EXPTIME algorithm. However, we have the following result, stating that the problem is not harder than TCTL model-checking:
Theorem 8. Given a TA A and a TCTL ext formula Φ, deciding whether Φ holds for A is a PSPACE-complete problem.
The proof is similar to the one for TCTL: the PSPACE-hardness comes from TCTL, and the PSPACE-membership can be obtained by using an on-the-fly algorithm over the region graph.
Conclusion
In this work, we studied the extension $TCTL_{ext}$ of the classical logic TCTL, obtained by introducing a new modality $U^a_{\sim c}$. The superscript $a$ means "almost everywhere" and expresses the fact that a property must be true except on a negligible set of positions. We proved that this modality cannot be expressed by the classical ones, and conversely. We also proposed a model-checking procedure for $TCTL_{ext}$, with the same complexity as for TCTL, where the classical constructions must be adapted to take into account the set of negligible positions on a run. Further work could consist in extending this new modality to the verification of "permanent" properties, i.e. properties that hold on a sufficiently large interval, the length of which could be a parameter.
