Automatic generation of path conditions for concurrent timed systems  by Bensalem, Saddek et al.
Theoretical Computer Science 404 (2008) 275–292
Automatic generation of path conditions for concurrent timed systems†
Saddek Bensalem a, Doron Peled b,∗, Hongyang Qu c, Stavros Tripakis a
a Verimag, 2 Avenue de Vignate, 38610 Gieres, France
b Department of Computer Science, Bar-Ilan University, Ramat Gan 52900, Israel
c Department of Computing, Imperial College London, London SW7 2RH, UK
Abstract
This paper presents an automatic method for calculating the path condition for programs
with real time constraints. We model concurrent systems using timed transition systems
and translate them into extended timed automata. Then an acyclic extended timed
automaton is constructed and the path condition is calculated backwards over it. This
method can be used for semiautomatic verification of a unit of code in isolation, i.e., without
providing the exact values of parameters with which it is called. It can also be used for
test case generation for real-time systems. Such a symbolic model checking algorithm was
implemented previously in the PET system [E. Gunter, D. Peled, Unit checking: Symbolic
model checking for a unit of code, Verification: Theory and Practice 2003, Essays Dedicated
to Zohar Manna on the Occasion of his 64th Birthday, Lecture Notes in Computer Science,
vol. 2772, Springer, 548–567] for untimed systems. Our method can also be used for
the automatic generation of test cases for unit testing. The current generalization of the
calculation of path condition for the timed case turns out to be quite tricky, since not
only the selected path contributes to the path condition, but also timing constraints of
alternative choices in the code.
© 2008 Elsevier B.V. All rights reserved.
1. Introduction
Software testing often involves the use of informal intuition and reasoning. Although there are several tools and
techniques for mechanizing the testing process, many of the tools focus on bookkeeping and administration of test results.
Formal methods such as automatic verification (model checking) and deductive verification are more systematic and
comprehensive, but they involve some inherent complexity and decidability difficulties. The testing process, on the other
hand, benefits from the ability to exploit human experience and intuition in order to accelerate the validation.
Although adding human intuition to the validation process suggests a manual technique, it is possible to employ some
mathematical ideas and provide tools to support it. Such tools can help in translating informal ideas and intuition into
a formal specification, assist in searching the code, support the process of inspecting it and help analyzing the results. A
tester, who is typically also an experienced programmer, may have a vague idea where problems in the code may occur. For
example, it may involve executing a particular loop twice, followed by another segment of code. This, along with some data
satisfying some particular conditions exchanged with another process, may cause a certain overflow to occur. The following
techniques may help the tester to confirm or refute such a suspicion:
† A preliminary version appeared in the proceedings of the Fifth International Conference on Integrated Formal Methods, 29 Nov–2 Dec 2005.
∗ Corresponding author. E-mail address: doron.peled@gmail.com (D. Peled).
doi:10.1016/j.tcs.2008.03.012
276 S. Bensalem et al. / Theoretical Computer Science 404 (2008) 275–292
• A search of the code, guided by some formal description (e.g., a temporal formula) of the suspicious case. Such a search,
based on model checking [5] techniques, should suggest some sequences of instructions that meet the description of
program locations mentioned in the suspicious case.
• The generation of a condition for a generated suspicious sequence. Such a condition describes the allowed values for the
program variables at the beginning of the sequence. Starting the execution with values satisfying this condition allows
one to recreate the execution.
In the current work, we concentrate on the automatic generation of test cases for concurrent real-time systems. In
order to test a particular behavior of the system, we generate path conditions for (concurrent real-time) execution paths.
Instantiating such path conditions allows us to test the desired path. We do not assume finite state systems. Hence our
modeled systems may reference unbounded variables in tests and assignments (when we ignore the particular word
length in a given machine). Such a precondition characterizes all the states from which we can execute the path. However,
there may be other possible executed paths, due to nondeterministic choice, which can be eliminated by adding further
synchronization. The path condition calculation can be used in a model checking search, hunting for a path satisfying a
given temporal property. This is done for the untimed case in [10] and was implemented in the PET system. It allows us to
verify a procedure or collection of procedures in isolation, without providing initial values. Using the weakest precondition
calculation, verification is performed symbolically, or “for all parameters at once”. The temporal property is translated into
an automaton and contributes to calculation of the path condition (i.e., it is a condition for executing a path while satisfying
the temporal property).
For the real-time case, we need to generalize the calculation of a path condition, taking into account only the essential
conditions to follow a particular path in the execution. For example, if the path is abcd, we may constrain only a to precede
b, for being on the same process, c to precede d, again, for being on the other process, and b to precede d, for referring to
the same variable. We start with a given path (in the flow chart, or interleaved from different flow charts for concurrent
processes) merely from a practical consideration; it is very simple to specify an interleaved execution sequence. However,
we look at the essential partial order, which is consistent with real-time constraints, rather than at the total order. We
cannot assume that transitions must follow each other, unless this order stems from some sequentiality constraints (such
as transitions belonging to the same process or using the same variable) or from timing constraints. Thus, with the above
restrictions, acbd is equivalent to abcd and represents the same (partial order) execution.
For untimed systems, there is no difference between the condition for partial order execution and the condition for
executing any of the sequences (linearizations) consistent with it. Because of commutativity between concurrently executed
transitions, we obtain the same path condition either way. However, when taking time constraints into account, the actual
time and order between occurrences of transitions does affect the path condition (which now includes time information).
After introduction of the untimed path condition in [6], the weakest precondition for a timed system was studied in [4,
12,16]. The paper [4] extended the guarded-command language in [6] to involve time. But it only investigated sequential
programs with time constraints. The paper [16] gave a definition of the weakest precondition for concurrent programs with
time constraints, based on discrete time, rather than dense time. The weakest precondition in [12] is defined for timed
guarded-command programs or, alternatively, timed safety automata.
We model concurrent systems using timed transition systems. Our model is quite detailed in the sense that it separates
the decision to take a transition (the enabling condition) from performing the transformation associated with it. We allow
separate timing constraints (lower and upper bounds) for both parts. Thus, we do not find the model proposed in [11], which
assigns lower and upper time constraints to a transition that includes both enabling transition and a transformation,
detailed enough; this is because alternative choices (which were not taken) in the code may compete with each other, and
their time constraints may affect each other in quite an intricate way. Although we do not suggest that our model provides
the only way for describing a particular real-time system, it is detailed enough to demonstrate how to automatically generate
test cases for realistic concurrent real-time systems.
In our solution, we translate the timed transition system into a collection of extended timed automata, which is then
synchronized with constraints stemming from the given execution sequence. We then obtain a directed acyclic graph of
executed transitions. We apply to it a weakest precondition construction, enriched with time analysis based on time zone
analysis (using difference bound matrices). The framework of the solution is displayed in Fig. 1.
2. Modeling concurrent timed systems
As mentioned in the introduction, we describe concurrent real-time systems using timed transition systems (TTSes). We
provide semantics for the latter model in terms of extended timed automata (ETAs). This is done by defining a modular
translation, where each process in the TTS model is translated into an ETA. Thus the entire TTS model is translated into a
network of synchronizing ETAs. This section defines the two models and the translation.
2.1. Timed transition systems
We consider a timed transition system over a finite set of processes P1 . . . Pn. Each process consists of a finite number
of transitions. Although the processes are not mentioned explicitly in the transitions, each process Pi has its own location
Fig. 1. The framework of the solution.
Fig. 2. A transition.
counter loc_i. The transitions involve checking and updating control variables, i.e., location counters, and program variables¹
(over the integers). An enabling condition is an assertion over the variables. It is possible that a transition is jointly performed
by two processes, e.g., a synchronous communication transition. We leave out the details for various modes of concurrency,
and use as an example a model that has only shared variables.
A transition t includes (1) an enabling condition c, (2) an assertion over the current process Pj location, of the form loc_j = l̂,
(3) a transformation f of the variables, and (4) a new value l̂′ for the location of process Pj. For example, a test (e.g., a while
loop or if condition) from a control value l̂ of process Pj to a control value l̂′ can be executed when (loc_j = l̂) ∧ c, and results
in the transformation f being performed on the variables, and loc_j = l̂′.
We equip each transition with two pairs of time constraints [l, u], [L,U] such that:
l is a lower bound on the time a transition needs to be continuously enabled until it is selected.
u is an upper bound on the time the transition can be continuously enabled without being selected.
L is a lower bound on the time it takes to perform the transformation of a transition, after it was selected.
U is the upper bound on the time it takes to perform the transformation of a transition, after it was selected.
Writing (changing the value of) a variable can be done in the transformation part of the transition, while reading (accessing
its value) can be done in either the condition or transformation. We allow shared variables, but make some restrictions on
reading and writing by transitions of different processes. In particular, we assume that in our models at most one variable
v can be written by two transitions a and b in different processes. Moreover, if both write to v, then v is not read in either of
their conditions (to achieve this, transitions may need to be broken into several parts).
Every process can be illustrated as a directed graph G. A location is represented by a node and a transition is represented
by an edge. Fig. 2 shows the graphic representation of a transition.
2.1.1. Capturing programs as TTS processes
A program is essentially a flow chart. A flow chart can be captured as a TTS process, sometimes in different ways. For
instance, an assignment node can be described as a transition with an enabling condition true and a transformation that is
an assignment (see Fig. 3). A branch node with predicate pred can be described as shown in Fig. 4. It uses two transitions
with a null transformation. pred and ¬pred are the enabling conditions of the two transitions respectively, depending on
whether the corresponding edge of the diamond is labeled yes or no. Another way of capturing the branch node is shown in
Fig. 5.
¹ We shall use the term “variable” for program variables.
Fig. 3. The description of an assignment node.
Fig. 4. A possible description of a branch node.
Fig. 5. Another possible description of a branch node.
2.2. Extended timed automata
An extended timed automaton is a tuple ⟨V, X, Cl, B, F, S, S0, Σ, E⟩ where
• V is a set of variables.
• X is a finite set of assertions over the set of variables V .
• Cl is a finite set of clocks.
• B is a set of Boolean combinations of assertions over clocks of the form x # ĉ, where x is a clock, # is a relation from
{<, >, ≥, ≤, =} and ĉ is a constant (not necessarily a value, as our timed automaton can be parameterized).
• F is a set of transformations for the variables. Each component of F can be represented e.g., as a multiple assignment to
some of the variables in V .
• S is a finite set of states.² A state s ∈ S is labeled with an assertion s^X from X and an assertion s^B on B that need to hold
invariantly when we are at the state.
• S0 ⊆ S are the initial states.
• Σ is a finite set of labels.
• E is the set of edges over S × 2^Cl × Σ × X × B × F × S. The first component of an edge e ∈ E is the source state. The second
component e^Cl is the set of clocks that are reset to 0 upon firing this edge. A label e^Σ from Σ allows synchronizing edges from
different automata, when defining the product. We allow multiple labels on edges, as a terse way of denoting multiple
edges. An edge e also includes an assertion e^X over the variables, an assertion e^B over the clocks that has to hold for the
edge to fire, a transformation e^F over the variables and a target state.
The above definition extends timed automata [1] by allowing conditions over variables to be associated with edges and
states, and transformations on variables on the edges (similar to the difference between finite state machines and extended
finite state machines).
² We use the term “state” for extended timed automata to distinguish from “location” for timed transition systems.
2.2.1. Semantics
The semantics of extended timed automata is defined as a set of executions. An execution is a (finite or infinite) sequence
of triples of the form 〈si, Vi, Ti〉, where
1. si is a state from S,
2. $V_i$ is an assignment for the variables $V$ over some given domain(s), such that $V_i \models s_i^X$ and
3. $T_i$ is an assignment of (real) time values to the clocks in $Cl$ such that $T_i \models s_i^B$.
In addition, for each adjacent pair 〈si, Vi, Ti〉 〈si+1, Vi+1, Ti+1〉 one of the following holds:
An edge is fired. There is an edge $e$ from source $s_i$ to target $s_{i+1}$, where $T_i \models e^B$, $V_i \models e^X$, $T_{i+1}$ agrees with $T_i$ except for
the clocks in $e^{Cl}$, which are set to zero, and $V_{i+1} = e^F(V_i)$, where $e^F(V_i)$ represents performing the transformation
over $V_i$.
Passage of time. Ti+1 = Ti + δ, i.e., each clock in Cl is incremented by some real value δ. Then Vi+1 = Vi and si+1 = si.
An infinite execution must have an infinite progress of time. An initialized execution must start with s ∈ S0 and with all
clocks set to zero. However for the generation of test cases we deal here with finite consecutive segments of executions,
which do not have to be initialized.
2.2.2. The product of ETA
Let us consider two ETAs, $ETA_1 = \langle V_1, X_1, Cl_1, B_1, F_1, S_1, S_{0,1}, \Sigma_1, E_1 \rangle$ and $ETA_2 = \langle V_2, X_2, Cl_2, B_2, F_2, S_2, S_{0,2}, \Sigma_2, E_2 \rangle$. Assume
the clock sets $Cl_1$ and $Cl_2$ are disjoint.
Then the product, denoted $ETA_1 \parallel ETA_2$, is the ETA $\langle V, X, Cl, B, F, S, S_0, \Sigma, E \rangle$, where $V = V_1 \cup V_2$, $X = X_1 \cup X_2$, $Cl = Cl_1 \cup Cl_2$, $B = B_1 \cup B_2$, $F = F_1 \cup F_2$, $S = S_1 \times S_2$, $S_0 = S_{0,1} \times S_{0,2}$, and $\Sigma = \Sigma_1 \cup \Sigma_2$. For a compound state $s = (s_1, s_2)$ where $s_1 \in S_1$
with $s_1^{X_1} \in X_1$ and $s_1^{B_1} \in B_1$, and $s_2 \in S_2$ with $s_2^{X_2} \in X_2$ and $s_2^{B_2} \in B_2$, we set $s^{X_1 \cup X_2} = s_1^{X_1} \wedge s_2^{X_2}$ and $s^{B_1 \cup B_2} = s_1^{B_1} \wedge s_2^{B_2}$. The set $E$ of edges is
defined as follows. For every edge $e_1 = \langle s_1, e_1^{Cl_1}, e_1^{\Sigma_1}, e_1^{X_1}, e_1^{B_1}, e_1^{F_1}, s_1' \rangle$ in $E_1$ and $e_2 = \langle s_2, e_2^{Cl_2}, e_2^{\Sigma_2}, e_2^{X_2}, e_2^{B_2}, e_2^{F_2}, s_2' \rangle$ in $E_2$,
• joint edges: if $e_1^{\Sigma_1} \cap e_2^{\Sigma_2} \neq \emptyset$, $E$ contains
$\langle (s_1, s_2), e_1^{Cl_1} \cup e_2^{Cl_2}, e_1^{\Sigma_1} \cup e_2^{\Sigma_2}, e_1^{X_1} \wedge e_2^{X_2}, e_1^{B_1} \wedge e_2^{B_2}, e_1^{F_1} \cup e_2^{F_2}, (s_1', s_2') \rangle$.
• edges only in $ETA_1$ or $ETA_2$: if $e_1^{\Sigma_1} \cap e_2^{\Sigma_2} = \emptyset$, $E$ contains
$\langle (s_1, s''), e_1^{Cl_1}, e_1^{\Sigma_1}, e_1^{X_1}, e_1^{B_1}, e_1^{F_1}, (s_1', s'') \rangle$ for every state $s'' \in S_2$ and
$\langle (s', s_2), e_2^{Cl_2}, e_2^{\Sigma_2}, e_2^{X_2}, e_2^{B_2}, e_2^{F_2}, (s', s_2') \rangle$ for every state $s' \in S_1$.
2.3. Translating timed transition systems into extended timed automata
We describe the construction of a set of extended timed automata from a timed transition system.We should emphasize
that this construction defines the semantics of a timed transition system as the corresponding set of extended timed
automata.
We first show how to construct states and edges for one particular location. An ETA is generated after all locations in
a TTS process are translated. Any location in a process is said to be the neighborhood of the transitions that must start at
that location. The enabledness of each transition depends on the location counter, as well as an enabling condition over
the variables. Location counters are translated in an implicit way, such that each different location is translated into a
different set of states. For a neighborhood with n transitions t1, . . . , tn, let c1, . . . , cn be the enabling conditions of the n transitions,
respectively. A Boolean combination of these conditions has the form of
C1 ∧ · · · ∧ Cn,
where Ci is ci or¬ci. Each transition tj in the neighborhood has its own local clock xj. Different transitions may have the same
local clocks, if they do not participate in the same process or the same neighborhood.
1. We construct 2n enabledness states, one for each Boolean combination of enabling condition truth values. For any
enabledness states si and sk, there is an internal edge starting at si and pointing to sk. Let Ci and Ck be the combinations
for si and sk, respectively. The edge from si to sk is associated with Ck as the assertion over variables. For any condition
Cj which appears negative (¬cj) in Ci and positive (cj) in Ck, the clock xj is reset (xj := 0) upon the edge, for measuring
the amount of time that the corresponding transition is enabled. We do not reset xj in other cases. We add a self loop to
each state in order to generate the product of automata. The self loop is labeled with the same combination as the state
has, but it does not reset any clocks.
2. We construct a target state per each transition in the neighborhood to represent its target location.
3. We also have an additional intermediate state per each transition in the neighborhood, from which the transformation
associated with the selected transition is performed. For any enabledness state s with the combination C in which the
condition corresponding to the transition tj is cj, let s′j be the intermediate state for tj and do the following:
3a. We have the conjunct xj < uj as part of sX , the assertion over the clock of tj, disallowing tj to be enabled in s more
than its upper limit uj.
Fig. 6. A neighborhood of two TTS transitions.
Fig. 7. The ETA for the neighborhood of two TTS transitions.
3b. We add a decision edge with the assertion xj ≥ lj from s, allowing the selection of tj only after tj has been enabled at
least lj time continuously since it became enabled. On the decision edge, we also reset the clock xj to measure now
the time it takes to execute the transformation.
3c. We put the assertion xj < Uj into s′j , not allowing the transformation to be delayed more than Uj time.
3d. We add a transformation edge from s′j to the target state of tj with the enabling condition xj ≥ Lj and the
transformation of tj.
The connection of translations of locations to generate an ETA is done by merging target states with enabledness states
that are translated from the same location. Since target states may correspond, by our transformation, to multiple enabled
states of a new location, each edge pointing to the target state is replicated to have a copy pointing to every enabledness
state. Moreover, each duplicated edge uses the corresponding combination of conditions of its target state as its enabling
condition, and needs to reset clocks that appear in the invariant assertion of its target state.
Fig. 6 illustrates a neighborhood with two transitions and Fig. 7 provides the ETA construction for this neighborhood.
The states s1, s2, s3 and s4 are enabledness states, corresponding to the subset of enabling conditions of t1 and t2 that hold
in the current location l̂. The states s5 and s6 are intermediate states. The edges to s5 correspond to t1 being selected, and
the edges to s6 correspond to t2 being selected. The edges into s5 also reset the local clock x1 that times the duration of the
transformation f1 of t1, while the edges into s6 zero the clock x2 that times the duration of f2. The state s5 (s6, respectively)
Fig. 8. Two sequential TTS transitions.
Fig. 9. The ETA for the two sequential TTS transitions.
allows us to wait no longer than U1 (U2, resp.) before we perform t1 (t2). The states s7 and s8 are target states. The edge from s5
(s6) to s7 (s8) allows a delay of no less than L1 (L2) before completing t1 (t2). Note that s7 (as well as s8) actually represents one
of a set of enabledness states, in the pattern of s1 to s4, for the location l̂′ (l̂′′, resp.), according to the enabledness of transitions
in it.
Fig. 8 shows two consecutive transitions and Fig. 9 provides the ETA construction for these transitions. For simplicity, the
self loops are omitted. Location l̂ is translated into states s0 and s1, location l̂′ into s′0 and s′1, and location l̂′′ into s′′. States r
and r′ are intermediate states.
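The neighborhood construction of steps 1 to 3d can be carried out mechanically. The following is an added example (not code from the paper or its PET implementation) that generates the ETA fragment for one location: the 2^n enabledness states with their x_j < u_j invariants, the internal edges with the clock resets of step 1, the intermediate states with x_j < U_j, the decision edges with x_j ≥ l_j and the transformation edges with x_j ≥ L_j. The transition records, the state names (`s10` for the combination c1 ∧ ¬c2, `s't1` for the intermediate state of t1) and the dictionary layout of the output are assumptions of this illustration; the two transitions mirror the neighborhood of Fig. 6 with constructed time bounds.

```python
from itertools import product

# Constructed example: a neighborhood of two TTS transitions with time bounds
# [l, u] (continuous enabledness) and [L, U] (transformation), as in Fig. 6.
# Field names, state names and the output layout are assumptions of this illustration.
TRANSITIONS = [
    {"name": "t1", "cond": "c1", "l": 1, "u": 3, "L": 1, "U": 2, "target": "l'"},
    {"name": "t2", "cond": "c2", "l": 2, "u": 5, "L": 0, "U": 4, "target": "l''"},
]


def translate_neighborhood(transitions):
    """Build the ETA fragment of Section 2.3 for one location.

    Returns (states, edges): states maps a state name to its list of clock
    invariants (e.g. 'x1 < 3'); edges is a list of dicts with source, target,
    resets, var_assert, clock_assert and transform.
    """
    n = len(transitions)
    states, edges = {}, []
    combos = list(product([False, True], repeat=n))   # all C_1 ∧ ... ∧ C_n

    def combo_assert(combo):
        return " and ".join((t["cond"] if b else "not " + t["cond"])
                            for t, b in zip(transitions, combo))

    def ename(combo):                                 # s10 = c1 ∧ ¬c2, etc.
        return "s" + "".join("1" if b else "0" for b in combo)

    # Step 1 / 3a: one enabledness state per combination; while t_j is enabled
    # there, its local clock x_j may not exceed the upper bound u_j.
    for combo in combos:
        states[ename(combo)] = [f"x{j + 1} < {t['u']}"
                                for j, (t, b) in enumerate(zip(transitions, combo)) if b]
    # Step 1: internal edges between all pairs (ci == ck gives the self loop).
    # x_j is reset exactly when c_j is false in C_i and true in C_k.
    for ci in combos:
        for ck in combos:
            resets = [f"x{j + 1}" for j in range(n) if not ci[j] and ck[j]]
            edges.append({"source": ename(ci), "target": ename(ck), "resets": resets,
                          "var_assert": combo_assert(ck), "clock_assert": "true",
                          "transform": None})

    for j, t in enumerate(transitions):
        inter, target, x = f"s'{t['name']}", f"s_{t['target']}", f"x{j + 1}"
        states[inter] = [f"{x} < {t['U']}"]           # step 3c: wait at most U_j
        states.setdefault(target, [])                 # step 2: target state
        for combo in combos:
            if not combo[j]:
                continue                              # t_j not enabled here
            # Step 3b: decision edge after at least l_j time enabled; x_j restarts
            # to time the transformation.
            edges.append({"source": ename(combo), "target": inter, "resets": [x],
                          "var_assert": "true", "clock_assert": f"{x} >= {t['l']}",
                          "transform": None})
        # Step 3d: transformation edge after at least L_j time, performing f_j.
        edges.append({"source": inter, "target": target, "resets": [],
                      "var_assert": "true", "clock_assert": f"{x} >= {t['L']}",
                      "transform": f"f_{t['name']}"})
    return states, edges


def edges_between(edges, source, target):
    return [e for e in edges if e["source"] == source and e["target"] == target]


if __name__ == "__main__":
    states, edges = translate_neighborhood(TRANSITIONS)
    print(len(states), "states,", len(edges), "edges")
    print("s10 -> s11 resets", edges_between(edges, "s10", "s11")[0]["resets"])
```

For the two-transition neighborhood this yields the eight states of Fig. 7 (four enabledness, two intermediate, two target) and, for instance, the edge from c1 ∧ ¬c2 to c1 ∧ c2 resets only x2, because that is the moment t2 becomes enabled.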
3. Calculating path conditions
In order to compute the path condition, the first step of our method involves generating an acyclic ETA (which we will
call a DAG, or directed acyclic graph). Then the path condition is computed by propagating constraints backwards in this DAG.
The DAG is generated using the set of ETAs corresponding to the TTS in question and the TTS path (i.e., program transition
sequence) provided by the user.
3.1. The partial order of a TTS path
Given a selected sequence σ of occurrences of transitions, we calculate the essential partial order, i.e., a transitive,
reflexive and asymmetric order between the execution of the transitions, as described below. This essential partial order
is represented as a formula over a finite set of actions Act = Ac ∪ Af , where the actions Ac represent the selections of
transitions, i.e., waiting for their enabledness, and the actions Af represent transformations. Thus, a transition a is split into
two components, ac ∈ Ac and af ∈ Af. For two transitions a with ac and af and b with bc and bf, where a occurs earlier in σ than
b does, the ordering relation ≺ over {ac, af , bc, bf } is defined as follows.
1. ac ≺ af and bc ≺ bf .
2. If a and b belong to the same process, then af ≺ bc.
3. If bf writes to v and ac (af , respectively) reads (or writes to) v, then ac ≺ bf (af ≺ bf , respectively).
4. If af writes to v and bc (bf , respectively) reads v, then af ≺ bc (af ≺ bf , respectively).
By applying the above definition to every pair of transitions in the sequence, we obtain a partial order ≺ ⊂ Act × Act. The
transitive relations in the partial order can be removed to form the essential partial order whose transitive closure is the
partial order. For example, if actions α,β, γ ∈ Act and (α ≺ β) ∧ (β ≺ γ) ∧ (α ≺ γ), α ≺ γ can be removed since it can be
deduced from (α ≺ β) ∧ (β ≺ γ). This simplification is done by applying the Floyd–Warshall algorithm [8,17]. From here
on, we use the term “partial order” for “essential partial order”.
The partial order can be illustrated as a directed graph, where a node represents an action and an edge represents a ≺
relation. For example, we assume that transitions a and b belong to different processes. Let ac and af be the enabling condition
and the transformation of a respectively, and bc and bf the enabling condition and the transformation of b respectively.
Moreover, a and b have a shared variable v that is read by the enabledness condition of transition a and updated by the
transformation of transition b. The corresponding partial order requires then ac ≺ af , bc ≺ bf and ac ≺ bf . The partial order is
shown in Fig. 10.
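The ordering rules 1 to 4 and the transitive reduction are small enough to implement directly. The following added example (not code from the paper) takes a sequence σ of transition names, builds the occurrence set Act × N, applies the four rules to every earlier/later pair, and then removes the transitively implied pairs with a Floyd–Warshall closure. The transition records (which variables each condition reads and each transformation reads or writes) and the `(name, k)` encoding of an occurrence are assumptions of this illustration; transitions a and b reproduce the example of Fig. 10, while p and q are a constructed same-process pair on which the reduction actually removes a pair.

```python
# Constructed transitions: the variables read by the enabling condition and
# read/written by the transformation. Field names are assumptions of this example.
TRANSITIONS = {
    "a": {"proc": "P1", "cond_reads": {"v"}, "f_reads": set(), "f_writes": set()},
    "b": {"proc": "P2", "cond_reads": set(), "f_reads": set(), "f_writes": {"v"}},
    "p": {"proc": "P1", "cond_reads": {"v"}, "f_reads": set(), "f_writes": set()},
    "q": {"proc": "P1", "cond_reads": set(), "f_reads": set(), "f_writes": {"v"}},
}


def act(name, k, part):
    """Action of the k-th occurrence of a transition: part is 'c' or 'f'."""
    return ((name, k), part)


def pair_order(a, b, ta, tb):
    """Rules 1-4 of Section 3.1 for occurrence a earlier than occurrence b in sigma."""
    ac, af, bc, bf = (a, "c"), (a, "f"), (b, "c"), (b, "f")
    rel = {(ac, af), (bc, bf)}                                  # rule 1
    if ta["proc"] == tb["proc"]:
        rel.add((af, bc))                                       # rule 2
    if tb["f_writes"] & ta["cond_reads"]:                       # rule 3: ac reads v
        rel.add((ac, bf))
    if tb["f_writes"] & (ta["f_reads"] | ta["f_writes"]):       # rule 3: af reads/writes v
        rel.add((af, bf))
    if ta["f_writes"] & tb["cond_reads"]:                       # rule 4: bc reads v
        rel.add((af, bc))
    if ta["f_writes"] & tb["f_reads"]:                          # rule 4: bf reads v
        rel.add((af, bf))
    return rel


def partial_order(sigma, transitions):
    """The relation ≺ over occurrences of Act obtained from the sequence sigma."""
    seen, occs = {}, []
    for name in sigma:
        seen[name] = seen.get(name, 0) + 1
        occs.append((name, seen[name]))                         # (transition, k)
    rel = {((o, "c"), (o, "f")) for o in occs}                  # rule 1 for singletons
    for i, a in enumerate(occs):
        for b in occs[i + 1:]:
            rel |= pair_order(a, b, transitions[a[0]], transitions[b[0]])
    return rel


def transitive_reduction(rel):
    """Essential partial order: Floyd-Warshall closure, then drop every pair
    that is implied by a chain through a third action. Correct because ≺ is acyclic."""
    nodes = {x for pair in rel for x in pair}
    reach = set(rel)
    for k in nodes:
        for i in nodes:
            for j in nodes:
                if (i, k) in reach and (k, j) in reach:
                    reach.add((i, j))
    return {(x, y) for (x, y) in reach
            if not any((x, z) in reach and (z, y) in reach
                       for z in nodes if z not in (x, y))}


if __name__ == "__main__":
    for pair in sorted(transitive_reduction(partial_order(["a", "b"], TRANSITIONS))):
        print(pair)
```

For σ = ab the essential order is exactly ac ≺ af, bc ≺ bf and ac ≺ bf (Fig. 10); for σ = pq in one process, rule 2 gives pf ≺ qc and rule 3 gives pc ≺ qf, and the reduction drops pc ≺ qf because it follows from pc ≺ pf ≺ qc ≺ qf.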
Fig. 10. A partial order.
Fig. 11. A partial order automaton.
3.2. Generation of an acyclic ETA from a partial order
After we generate the set of the ETAs for different processes, we label each transition in the ETAs with respect to Act.
First, we label the edges from enabledness to intermediate states with corresponding actions from Ac and the edges from
intermediate to target states with actions from Af . For example, in Fig. 7, the edges s2 → s5 and s3 → s5 can be labeled with
ac, the edges s3 → s6 and s4 → s6 can be labeled with bc. The edge s5 → s7 can be marked by af and s6 → s8 by bf .
Now, the transformation of transitions in one process may change the enabledness of other transitions that read these
values in other processes. Thus, we must synchronize such potential change of enabledness with these transformations
as follows. Let a be a transition of some process Pi that changes some variable v. Then af appears as a label on all the edges
between enabledness states of other processes that have a condition which reads the value of v (obviously, v is not a program
counter, as a cannot change the value of program counters other than that of its own process, Pi). For the graph in Fig. 7, the
edges between nodes s1, s2, s3 and s4, including self loops, are labeled with df for each transition d that is not included in the
same process, and has a transformation that can change a variable appearing in the conditions c1 or c2. (These labels do not
appear in Fig. 9.)
Recall that edges between enabledness nodes can be labeled by several actions. Formally, that means that such an edge
is copied into several copies that are identical except for the label. Moreover, each edge of the ETA generated needs to be
labeled by at least some action in order to be executable.
Let ≺ be a finite partial order among occurrences St of Act. Note that an action from Act can occur multiple times. An
occurrence is then a pair from Act × N , where N are the natural numbers. We generate an automaton Lin≺ with edges
labeled with actions of Act. The automaton Lin≺ accepts all linearizations of≺. Hence, it also necessarily accepts the original
sequence from which we generated ≺.
The algorithm for generating Lin≺ is as follows. The states of Lin≺ are subsets S ⊆ St, the set of occurrences of ≺,
such that for each such subset S, it holds that if α ≺ β and β ∈ S then also α ∈ S. They are the history closed subsets of St. A
transition of the automaton Lin≺ is of the form $S \xrightarrow{\alpha} S \cup \{\alpha\}$, where α is an occurrence of an action. The empty set is the
initial state and the set St is the accepting state. Fig. 11 shows the automaton for the partial order in Fig. 10.
The product of ETAs for several processes with an automaton Lin≺ is the standard one. That is, we start with a common
initial state of all ETAs, which will be in some enabledness state of their initial label. The automaton Lin≺ will be in a state
corresponding to the empty set of actions taken so far. Then we progress by taking an action µ from Act in all automata that
are labeled by µ.
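The Lin≺ construction can be checked on the partial order of Fig. 10. The following added example (not code from the paper) enumerates the history closed subsets of St, builds the edges S --α--> S ∪ {α}, and walks the automaton from the empty set to St to list every accepted word, i.e. every linearization of ≺. The occurrences are named by plain strings and the order is given as an explicit set of pairs; both are constructed inputs of this illustration.

```python
# Constructed input: the four occurrences and the partial order of Fig. 10.
OCCURRENCES = ["ac", "af", "bc", "bf"]
ORDER = {("ac", "af"), ("bc", "bf"), ("ac", "bf")}


def history_closed_subsets(occurrences, order):
    """All S ⊆ St such that alpha ≺ beta and beta ∈ S imply alpha ∈ S."""
    occs = list(occurrences)
    states = []
    for mask in range(1 << len(occs)):                  # every subset of St
        s = frozenset(o for i, o in enumerate(occs) if mask >> i & 1)
        if all(a in s for (a, b) in order if b in s):
            states.append(s)
    return states


def lin_automaton(occurrences, order):
    """Lin≺: states are history closed subsets; an edge S --o--> S ∪ {o} exists
    whenever the target is history closed, i.e. every predecessor of o is in S.
    Returns (states, edges, initial, accepting)."""
    states = history_closed_subsets(occurrences, order)
    state_set = set(states)
    edges = []
    for s in states:
        for o in occurrences:
            target = frozenset(s | {o})
            if o not in s and target in state_set:
                edges.append((s, o, target))
    return states, edges, frozenset(), frozenset(occurrences)


def linearizations(occurrences, order):
    """Words accepted by Lin≺, i.e. all linearizations of ≺ (Section 3.2)."""
    states, edges, init, final = lin_automaton(occurrences, order)
    succ = {}
    for s, o, t in edges:
        succ.setdefault(s, []).append((o, t))
    words = []

    def walk(s, word):
        if s == final:
            words.append(tuple(word))
            return
        for o, t in succ.get(s, []):
            walk(t, word + [o])

    walk(init, [])
    return words


def accepts(word, occurrences, order):
    """Run Lin≺ on a word: True iff it is a linearization of ≺."""
    _, edges, state, final = lin_automaton(occurrences, order)
    step = {(s, o): t for s, o, t in edges}
    for o in word:
        if (state, o) not in step:
            return False
        state = step[(state, o)]
    return state == final


if __name__ == "__main__":
    for w in linearizations(OCCURRENCES, ORDER):
        print(" ".join(w))
```

The automaton for Fig. 10 has eight states and ten edges; it accepts the original sequence ac af bc bf together with the four other linearizations, and rejects bc bf ac af because bf needs ac in its history.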
Fig. 12. A flow chart path (left) and its transitions (right).
3.3. Calculating untimed path conditions
A path of a program is a consecutive sequence of nodes in the flow chart. The projection of an execution sequence on
the program counter values is a path through the nodes labeled with these program counter values in the corresponding
flow chart. (Not every node has to have an explicit program counter value labeling it, but our implementation automatically
provides such a value when translating code to a flow chart.) Thus, in general, a path may correspond to multiple executions.
A path condition is a first order predicate that expresses the condition to execute the path, starting from a given node. In
deterministic code, when we start to execute the code from the first node in the path in a state that satisfies the path
condition, we are guaranteed to follow that path. In case of nondeterminism, this is the condition on assignments at the
beginning of the path that can execute the path (if favorable nondeterministic choices are made). Or stated differently, one
can avoid executing the path when starting at its beginning exactly with assignments not satisfying the path condition.
We first translate the flow chart nodes into (untimed) transitions. The translation is the same as the way described in
Figs. 3 and 4 except that we do not consider time here. We obtain a graph with nodes representing locations and edges
representing transitions. When we translate the path at the left of Fig. 12, we obtain the graph on the right of that figure
(for simplicity, we do not use the program counter in the translation). To avoid confusion, we use the term “node” for flow
chart nodes in this section, while use “point” for nodes in the translated graph.
An accumulated path condition represents the condition to move from the current point in the calculation to the end of the
path. The path condition is the accumulated path condition at the first point of the path. The current point moves at each step
in the calculation of the path condition backwards, over one node to the previous point. We start with the condition true,
at the end of the path (i.e., after the last node). Going backwards from a given point over an edge marked with a transition
with condition c and transformation f and into another point, we perform the following transformations to the accumulated
path condition ϕ to obtain a new path condition ϕR:
• We “relativize” the ϕ with respect to the assignment representing the transformation; if the assignment is of the form
v := expr, where v is a variable and expr is an expression, we substitute expr for each free occurrence of v in the path
condition. This is denoted by ϕ[expr/v], and is generalized to multiple assignment³ as ϕ[expr1/v1, . . . , exprm/vm].
• Conjunct the condition c. We simplify the new accumulated path condition obtained using various first order logic
equivalences.
Thus, ϕR is defined as follows:
$\varphi_R = \varphi[expr_1/v_1, \ldots, expr_m/v_m] \wedge c.$  (1)
Calculating the path condition for the example in Fig. 12 backwards, we start at the end of the path, i.e., point D, with the accumulated path condition true. Moving backwards through the assignment v1 := v1 ∗ 2 to point C, we substitute every occurrence of v1 with v1 ∗ 2. However, there are no such occurrences in true, so the accumulated path condition remains true. Conjoining true with the transition condition true maintains true. Progressing backwards to point B, we now conjoin the accumulated path condition with ¬(v > v1), obtaining (after simplification, which gets rid of the conjunct true) ¬(v > v1). This is now the condition to execute the path from B to D. Passing further back to point A, we have to relativize the accumulated path condition ¬(v > v1) with respect to the assignment v := v + 1, which means replacing the occurrence of v with v + 1, obtaining ¬(v + 1 > v1). Again, conjoining that with true does not change the accumulated path condition. The accumulated path condition at point A is the path condition for the path in Fig. 12.
³ Calculating first the expressions expr1 to exprm, then assigning the calculated values to variables v1 to vm, respectively.
3.4. Path condition for a DAG
Without timing constraints, the condition to perform at least one path in the DAG can be calculated as follows:
1. Mark all the states of the DAG as new.
2. Attach the assertion true to each leaf state (a state without successors), and mark these states as old.
3. While there are states marked new do
3a. Pick a state z that is marked new such that all its successors Y = {y1, . . . , yk} are marked old.
3b. For each state yi, calculate ϕRi from the assertion ϕi already attached to the state yi ∈ Y and the transition c → (v1, . . . , vm) := (expr1, . . . , exprm) on the edge between z and yi, according to formula (1).
3c. Attach ϕR1 ∨ . . . ∨ ϕRk to state z. Mark z as old.
4. Suppose an initial state of the DAG is reached during the backward calculation. By the product of automata, such a node can consist of several components from different ETAs. For each such component that is an enabledness node, there is some combination of conditions associated with it (this condition appears on any incoming edge of such a component; refer to Section 2.3 for details). These combinations, one per such component node, must be conjoined with the accumulated precondition. For non-initial states this is not needed, as these combinations are processed during the backward calculation.
5. Finally, all initial preconditions of initial states are disjoined together to form the initial precondition of the DAG.
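As an added example (not the paper's own code, nor PET's), the following Python implements formula (1) and the backward calculation of Sections 3.3 and 3.4 over expression trees, run on the path of Fig. 12 and on a constructed two-branch DAG; steps 4 and 5 (enabledness conditions of initial-state components) are not modelled.

```python
def subst(phi, assignment):
    """phi[expr1/v1, ..., exprm/vm]: replace each free occurrence of an assigned
    variable by its expression, all at once (simultaneous, as in footnote 3)."""
    if isinstance(phi, str):                      # a variable
        return assignment.get(phi, phi)
    if isinstance(phi, tuple):                    # (operator, operand, ...)
        return (phi[0],) + tuple(subst(a, assignment) for a in phi[1:])
    return phi                                    # constants and True


def conjoin(phi, c):
    """phi ∧ c, dropping the conjunct true as in the worked example."""
    if c is True:
        return phi
    return c if phi is True else ("and", phi, c)


def back_edge(phi, cond, assignment):
    """Formula (1): phiR = phi[expr1/v1, ..., exprm/vm] ∧ c."""
    return conjoin(subst(phi, assignment), cond)


def path_condition(edges):
    """Section 3.3: start with true after the last node and walk backwards."""
    phi = True
    for cond, assignment in reversed(edges):
        phi = back_edge(phi, cond, assignment)
    return phi


def dag_condition(succ, edges):
    """Section 3.4, steps 1-3: leaves get true; a state gets the disjunction of
    phiR over its successors once all of them carry an assertion."""
    phi = {}

    def visit(z):
        if z not in phi:
            if not succ.get(z):                   # leaf state
                phi[z] = True
            else:
                parts = [back_edge(visit(y), *edges[(z, y)]) for y in succ[z]]
                phi[z] = parts[0] if len(parts) == 1 else ("or", *parts)
        return phi[z]

    for z in succ:
        visit(z)
    return phi


def fig12_path():
    """The path of Fig. 12 as (condition, assignment) edges A->B, B->C, C->D."""
    return [(True, {"v": ("+", "v", 1)}),
            (("not", (">", "v", "v1")), {}),
            (True, {"v1": ("*", "v1", 2)})]


def branching_dag():
    """Constructed extension of Fig. 12 (not on the page): after A->B the
    other branch of the test, v > v1, also leads to the end of the path."""
    succ = {"A": ["B"], "B": ["C", "C2"], "C": ["D"], "C2": ["D"], "D": []}
    edges = {("A", "B"): (True, {"v": ("+", "v", 1)}),
             ("B", "C"): (("not", (">", "v", "v1")), {}),
             ("B", "C2"): ((">", "v", "v1"), {}),
             ("C", "D"): (True, {"v1": ("*", "v1", 2)}),
             ("C2", "D"): (True, {})}
    return succ, edges
```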
3.5. Adding time constraints
We now describe how to add the time constraints to the DAG conditions. Time constraints are a set of relations among local clocks. We also use a global clock to count the system execution time from its initial state to its last state; unlike local clocks, it is not reset during execution. Time constraints can be obtained from reachability analysis of clock zones. The difference-bound matrix (DBM) [7] is a data structure for representing clock zones.
3.5.1. The data structure
A DBM is an (m + 2) × (m + 2) matrix where m is the number of local clocks of all processes. Each element Di,j of a DBM D is an upper bound on the difference of two clocks xi and xj, i.e., xi − xj ≤ Di,j. We use x1 to represent the global clock and x2, · · · , xm+1 to represent local clocks. The clock x0 is a special clock whose value is always 0. Therefore, Di,0 (i > 0), the upper bound of xi − x0, is the upper bound of clock xi; D0,j (j > 0), the upper bound of x0 − xj, is the negation of the lower bound of clock xj. To distinguish the non-strict inequality ≤ from the strict inequality <, each element Di,j has the form (r, F) where r ∈ R ∪ {∞} and F ∈ {≤, <}, with the exception that F cannot be ≤ when r is ∞. Addition + is defined over F, F′ ∈ {≤, <} as follows:
$$F + F' = \begin{cases} F & \text{if } F = F' \\ < & \text{if } F \neq F' \end{cases}$$
Now we define addition + and comparison < for two elements (r1, F1) and (r2, F2).
(r1, F1) + (r2, F2) = (r1 + r2, F1 + F2).
(r1, F1) < (r2, F2) iff r1 < r2 or (r1 = r2) ∧ (F1 = <) ∧ (F2 = ≤).
The minimum of (r1, F1) and (r2, F2) is defined below:
$$\min((r_1, F_1), (r_2, F_2)) = \begin{cases} (r_1, F_1) & \text{if } (r_1, F_1) < (r_2, F_2) \\ (r_2, F_2) & \text{otherwise.} \end{cases}$$
A DBM D is canonical iff for any 0 ≤ i, j, k ≤ (m + 2), Di,k ≤ Di,j + Dj,k. A DBM D is satisfiable iff there is no sequence of indices 0 ≤ i1, . . . , ik ≤ (m + 2) such that Di1,i2 + Di2,i3 + · · · + Dik,i1 < (0, ≤). An unsatisfiable DBM D represents an empty clock zone.
Calculating time constraints following an edge τ backwards from its target state s to its source state s′ has been explained in [18]. Let I(s′)τ be the assertion on clocks in the state invariant of s′, and ψτ be the assertion on clocks on the edge τ. The DBM D represents the time constraints at s. The assertions I(s′)τ and ψτ are represented by DBMs too. The time constraint D′ at s′ is defined as follows:
D′ = ((([λ := 0]D) ∧ I(s′)τ ∧ ψτ) ⇓) ∧ I(s′)τ. (2)
The operators appearing in formula (2) are calculated as follows:
“∧” is the conjunction of two clock zones. Let D1 and D2 be two DBMs. Calculating D′ = D1 ∧ D2 means setting each element D′i,j of D′ to the minimum of the element D1i,j of D1 and the element D2i,j of D2, i.e., D′i,j = min(D1i,j, D2i,j).
“⇓” is the time predecessor. Calculating D′ = D ⇓ is to set the lower bound of each clock to 0, i.e.,
$$D'_{i,j} = \begin{cases} (0, \le) & \text{if } i = 0 \\ D_{i,j} & \text{if } i \neq 0 \end{cases}$$
“[λ := 0]D” is the reset predecessor. Calculating D′ = [λ := 0]D is done as follows:
1. Resetting a clock x to 0 can be seen as substituting x by x0. Let x′ be a clock that is not reset. Before resetting, we have constraints x′ − x0 ≤ c1 and x′ − x ≤ c2. After resetting, we obtain constraints x′ − x0 ≤ c1 and x′ − x0 ≤ c2 by replacing x with x0. These constraints are then conjoined into x′ − x0 ≤ min(c1, c2). Therefore, when we calculate time constraints from after resetting back to before resetting, we substitute x′ − x0 by min(x′ − x0, x′ − x) and x0 − x′ by min(x0 − x′, x − x′). Hence, for a clock xi that is not reset, update its upper and lower bounds as follows:
1a. D′i,0 = min{Di,k | xk ∈ λ ∪ {x0}}.
1b. D′0,i = min{Dk,i | xk ∈ λ ∪ {x0}}.
2. On the other hand, for a clock xk that is reset, its value before resetting can be any non-negative real number. Thus its lower bound is 0 and its upper bound is ∞, i.e., D′0,k = (0, ≤) and D′k,0 = (∞, <). Furthermore, for any other clock xj (j ≠ k ∧ j > 0), D′k,j = (∞, <).
3. For a clock xi that is not reset and a clock xk that is reset, update xi − xk as D′i,k = D′i,0. (Note that this step must be done after the upper bound of xi is updated.)
4. For two clocks xi and xj that are not reset, D′i,j = Di,j.
Note that intermediate DBMs in the calculation of formula (2) need to be changed to canonical form after each operation.
This is done using the Floyd–Warshall algorithm to find the all-pairs shortest paths.
The reset operation in the backward DBM calculation needs special treatment, which is not explained in [18]. Consider the example in Fig. 13. We start the computation at state s3 with the following DBM D (for the sake of simplicity, we neglect the global clock here):
$$D = \begin{pmatrix} (0,\le) & (0,\le) & (0,\le) \\ (\infty,<) & (0,\le) & (\infty,<) \\ (\infty,<) & (\infty,<) & (0,\le) \end{pmatrix}.$$
The clock x1 is encoded in the second row and x2 in the third. After backward calculation to s2, we obtain a new DBM D′:
$$D' = \begin{pmatrix} (0,\le) & (-2,<) & (0,\le) \\ (20,<) & (0,\le) & (20,<) \\ (8,<) & (-2,<) & (0,\le) \end{pmatrix}.$$
The DBM calculated backwards at s1 appears below:
$$\begin{pmatrix} (0,\le) & (0,\le) & (0,\le) \\ (\infty,<) & (0,\le) & (\infty,<) \\ (\infty,<) & (\infty,<) & (0,\le) \end{pmatrix}.$$
That the last DBM is satisfiable means that the path from s1 to s3 is possible, while in fact it is not. This situation implies that the backward reset operation loses some useful information which can tell whether the path is possible or not. The element D′2,1 represents x2 − x1 < −2, which means that x1 has been running longer than x2. However, the fact that x1 and x2 are reset at the same time requires that their readings are also the same after being reset. This contradiction reveals that this path is impossible. Therefore, we add an extra operation before the reset operation: if more than one clock is reset at the same time, check whether an upper bound on the differences among them is smaller than 0. If the answer is yes, the DBM cannot be satisfiable.
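As an added illustration (not code from the paper or from PET), the Python below implements the (r, F) bounds, canonicalization by Floyd–Warshall, the satisfiability test, the ∧, ⇓ and [λ := 0] operators of formula (2), and the extra simultaneous-reset check, run on the DBM the page gives at s2; the reset set {x1, x2} on the edge into s2 is assumed from the text, since Fig. 13 itself is not reproduced here.

```python
import math
from functools import reduce
from itertools import product

INF = (math.inf, "<")   # (∞, <): no bound at all
ZERO = (0, "<=")        # (0, ≤)


def badd(b1, b2):
    """(r1,F1) + (r2,F2) = (r1+r2, F1+F2), where F+F' is F if F = F' else '<'."""
    (r1, f1), (r2, f2) = b1, b2
    return (r1 + r2, "<=" if f1 == f2 == "<=" else "<")


def bless(b1, b2):
    """(r1,F1) < (r2,F2) iff r1 < r2, or r1 = r2 with F1 = '<' and F2 = '≤'."""
    (r1, f1), (r2, f2) = b1, b2
    return r1 < r2 or (r1 == r2 and f1 == "<" and f2 == "<=")


def bmin(b1, b2):
    return b1 if bless(b1, b2) else b2


def canonical(D):
    """Floyd–Warshall closure so that D[i][k] <= D[i][j] + D[j][k] for all i, j, k."""
    n, D = len(D), [row[:] for row in D]
    for k, i, j in product(range(n), repeat=3):
        D[i][j] = bmin(D[i][j], badd(D[i][k], D[k][j]))
    return D


def satisfiable(D):
    """A cycle summing to less than (0,≤) means an empty zone; after closure
    such a cycle shows up as a diagonal entry below (0,≤)."""
    return all(not bless(row[i], ZERO) for i, row in enumerate(canonical(D)))


def conj(D1, D2):
    """Zone intersection: element-wise minimum of the two DBMs."""
    return canonical([[bmin(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(D1, D2)])


def time_pred(D):
    """D⇓, the time predecessor: every clock's lower bound is dropped to 0."""
    return canonical([[ZERO] * len(D) if i == 0 else row[:] for i, row in enumerate(D)])


def reset_pred(D, resets, check=True):
    """[λ:=0]D, the reset predecessor, following steps 1-4 of Section 3.5.1.
    With check=True the paper's extra test runs first: two clocks reset at the
    same time may not have their difference bounded below 0, so such a zone
    is reported as empty by returning None."""
    n, resets = len(D), set(resets)
    if check and any(k != k2 and bless(D[k][k2], ZERO)
                     for k, k2 in product(resets, repeat=2)):
        return None
    kept = [i for i in range(1, n) if i not in resets]
    R = [[ZERO if i == j else INF for j in range(n)] for i in range(n)]
    for i in kept:                         # step 1: bounds of clocks not reset
        R[i][0] = reduce(bmin, (D[i][k] for k in resets | {0}))
        R[0][i] = reduce(bmin, (D[k][i] for k in resets | {0}))
    for k in resets:                       # step 2: a reset clock was unconstrained
        R[0][k], R[k][0] = ZERO, INF
        for j in range(1, n):
            if j != k:
                R[k][j] = INF
    for i in kept:                         # steps 3 and 4: differences between clocks
        for j in range(1, n):
            R[i][j] = R[i][0] if j in resets else D[i][j]
    return canonical(R)


def edge_pred(D, resets, inv, guard):
    """Formula (2): D' = ((([λ:=0]D) ∧ I(s')τ ∧ ψτ)⇓) ∧ I(s')τ, or None if empty."""
    R = reset_pred(D, resets)
    return None if R is None else conj(time_pred(conj(conj(R, inv), guard)), inv)


def fig13_dbm_at_s2():
    """The DBM D' reached at s2 in Section 3.5.1 (row/column 1 is x1, 2 is x2;
    the global clock is left out, as on the page)."""
    return [[ZERO,      (-2, "<"), ZERO],
            [(20, "<"), ZERO,      (20, "<")],
            [(8, "<"),  (-2, "<"), ZERO]]
```

With the check switched off, reset_pred returns the unconstrained (and satisfiable) DBM shown for s1 above; with it on, the zone is correctly reported empty.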
3.5.2. The algorithm
We can now calculate the condition for that DAG from the leaf states backwards. The condition would use the usual
weakest precondition for variables, and a similar update for time variables that involve local clocks and time parameters.
When a state has several successors, we disjoin the conditions obtained on different edges. The backward calculation of the
precondition for a DAG is described as follows:
1. Mark all the states as new.
2. Attach the assertion on variables ϕ = true and the assertion on clocks represented by the DBM D0 to each leaf state, denoted by ϕ ∧ D0. The DBM D0 is defined below.
$$D_0 = \begin{pmatrix} (0,\le) & (-d,\le) & (0,\le) & \cdots & (0,\le) \\ (d,\le) & (0,\le) & (d,\le) & \cdots & (d,\le) \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ (\infty,<) & (\infty,<) & (\infty,<) & \cdots & (0,\le) \end{pmatrix} \qquad (3)$$
Fig. 13. An example.
Fig. 14. An example.
In D0, the upper bound and the lower bound of the global clock are both d. This is because when we start at a leaf state to calculate time constraints backwards, we do not know the exact value of the global clock when the system enters the leaf state, and therefore assume its value is d. We need not assume a value for any local clock. Thus their values range from 0 to ∞. Their exact value ranges can be computed during the backward calculation. Mark these states as old.
3. While there are states marked new do
3a. Pick a state z that is marked new such that all its successors Y = {y1, . . . , yk} are marked old.
3b. For each yi ∈ Y there is an assertion over variables ϕi and over clocks Di already attached. We obtain ϕRi from ϕi according to formula (1) and DRi from Di according to formula (2).
3c. Attach
$$\bigvee_{y_i \in Y} (\varphi^R_i \wedge D^R_i) \qquad (4)$$
to the state z. Mark z as old.
4. As in the untimed case, as the construction propagates backwards, we need to consider each initial state of the DAG. For each such node, the combination of conditions associated with its components that are enabledness states of ETAs is conjoined with its accumulated precondition.
5. All initial preconditions of initial states are disjoined together to form the initial precondition of the DAG.
Note that we must record in each step the status of each shared variable in order not to evaluate a condition which contains a non-accessible shared variable. The precondition calculated by the algorithm is a set of conditions, each of which contains a Boolean expression on variables and a DBM. We allow some time bounds to be parameters. In this case, the Boolean expression may contain a subexpression on the parameters.
4. An example
We give an example to show the whole process of how to obtain a DAG from a timed transition system and a given partial order, and then the precondition of the partial order. A system consists of two concurrent programs. The variable v is a shared variable and variables f1 and f2 are local variables. The code is given in Fig. 14.
The semantics of the wait statement is as follows: it has three parameters. The first one is the condition it waits for to become true. The second is the time limit and the third is a variable. A timer is started when the statement is executed. If the time limit is reached before the condition becomes true, a timeout is triggered and the variable is set to 1. If the condition becomes true before the timeout, the variable is set to 0 and the timer is canceled. It is not appropriate to detect whether the wait statement timed out by testing the condition, because the condition may not be accessible after the wait statement. A time limit of -1 means the process can wait for the condition forever without timeout. In this example, l is a parameter which is the time limit of a timer.⁴ (Note that l can be substituted by a constant as well.)
⁴ Here we use l to emphasize that the parameter will be translated to time bounds in the TTS.
Fig. 15. The flow charts.
Fig. 16. The transition system.
If the condition v > 0 is not detected before the time limit is reached, a timeout is triggered. The value range of l is computed automatically during the precondition calculation and given by a predicate in the precondition. The ranges for variables are given in the precondition as well.
Flow charts for the programs are shown in Fig. 15. Program 1 is modeled by the left part of the figure and Program 2
by the right part. There are 4 flow chart nodes in Program 1: the wait statement, the condition of the if statement, the
statement when the condition is satisfied and the one when it is not satisfied. Program 2 contains only one flow chart node,
which sets v to 1.
The timed transition system is shown in Fig. 16. Program 1 appears on the left and Program 2 appears on the right. Assignments are translated according to Fig. 3 and the branch structure according to Fig. 4. The wait statement has two neighbor transitions, one for testing the condition v > 0 and the other for the timeout. The nodes drawn as ellipses are initial locations. The bounds for enabling conditions and transformations are shown beside them respectively.
Time bounds are chosen as follows: the bound for condition true in timeout transition is [l, l + 1] and the bound for
condition true is [0, 1] for other transitions that do not reference a shared variable or [10, 15] for those writing a shared
variable. The bounds for evaluating the nontautological enabling condition of a transition which does not access any shared
variable are [8, 10]. The bounds for an enabling condition are [10, 15] if the transition accesses a shared variable. Assigning
Fig. 17. The extended time automata.
a value to a variable has bounds [8, 10]. The addition operation has bounds [10, 20] and the No_op has bounds [1, 2]. The transformation v := v + 1 has bounds [26, 40] because it has one addition and accesses the variable twice.
The extended timed automata are shown in Fig. 17. Program 1 is on the left and Program 2 is on the right, as before. Initial states are displayed as ellipses. Program 1 has two initial states, one representing the condition v > 0 and the other representing the condition ¬(v > 0). Program 2 has one initial condition, true, since it has only one neighbor transition. Each location in the timed transition system is translated into a set of states which are named by the location name with a different suffix, such as “−0” and “−1”. The states whose names end in “-tran” are intermediate states. In order to give a succinct demonstration, only the states’ names are shown in the figure. Other information, such as assertions for states and edges, can be deduced from the timed transition system according to the translation rules in Section 2.3. For the same reason, self loops are omitted in the figure as well.
The product extended timed automaton is shown in Fig. 18. Only states and edges are displayed. Every state in the product
automaton contains one state from Program 1 and one from Program 2. The name of the latter is shown above the name of
the former. The product automaton has two initial states because Program 1 has two initial states and Program 2 has one.
Note that a product does not contain self-loops.
For a given sequence “q1_1→q1_4, q1_4→q1_2, q1_2→q1_5, q2_1→q2_2” of transitions in Fig. 16, the calculated partial order is shown in Fig. 19. The left part of the figure is the partial order composed of flow chart nodes, to give users some intuition about the partial order relation. To generate the DAG, it is decomposed into the one on the right part of the figure, which is composed of ETA edges. The node “q1_1=> q1_1_q1_4-tran” represents the edge from state “q1_1” to state “q1_1_q1_4-tran” in Program 1. Other nodes have a similar meaning. The wait statement in Program 1 behaves as if no timeout occurs, since testing the condition f1 = 0 succeeds (and thus f2 is set to 0). Therefore, the wait statement in Program 1 and the assignment in Program 2 compete with each other for access to the shared variable v. In this partial order, the wait statement gains access first and the assignment acquires the shared variable after the wait statement releases it. Therefore, there is an edge in the partial order starting at the wait statement and pointing to the assignment, representing that the wait statement must be executed earlier than the assignment. However, only the enabling condition en of the transition in the wait statement references the shared variable, while the transformation does not. That is, the wait statement reads the
Fig. 18. The product.
shared variable. Thus, the assignment v := v + 1 can be started after the evaluation of en finishes, which is illustrated by the edge from the node “q1_1=> q1_1_q1_4-tran” to the node “q2_1=> q2_1_q2_2-tran”.
The DAG is shown in Fig. 20. There is only one initial state in this DAG. For other partial orders, there could be multiple initial states. A path from an initial state to a leaf state represents a linearization of the partial order. The precondition of the given partial order is
(v ≥ 1) ∧ (l ≥ 10).
The DBMs are omitted from the precondition since they are mainly used for reachability analysis. Not only is there a condition over v in the precondition, but also a condition over l. The condition l ≥ 10 means that when we use a value to replace l in Program 1, no linearization of the partial order can be executed if the value is smaller than 10. This example shows that our methodology can be used to calculate bounds for time parameters, in addition to preconditions over variables. This characteristic is very useful when constructing test cases for real-time systems.
5. Implementation
We have implemented the path condition calculation as the real-time extension to the PET system [10], according to the
construction described in this paper. The figures in the previous section are based on output generated by PET.
When we translate a timed transition system into extended timed automata, a location can be translated into 2n states if it has a neighborhood with n transitions. In practice, however, the number of states is limited by the program structure. For example, the if statement has two branches: one satisfies the condition and the other satisfies the negation of the condition. After the branches are translated into transitions, there are fewer than four combinations of enabling conditions, since the two
Fig. 19. The partial order.
enabling conditions cannot be both satisfied. Combinations that are equivalent to false can be removed, together with the
edges attached to them. The wait statement in the previous section only generates two combinations because one enabling
condition is true.
Calculating a precondition for a partial order runs very fast if all time bounds in the system are constants. However, when we calculate time constraints symbolically in order to handle symbolic parameters appearing in time bounds of timed systems (as was shown in the example), the initial constraints on time parameters, such as l1 ≤ u1 and L1 ≤ U1, may remain unresolved in their parametrized form in the resulting precondition.
There are two DBM operations that need to be considered carefully during symbolic calculation. One is canonicalization. The other is checking whether a DBM is satisfiable. These two operations have a higher complexity than the other operations. Canonicalization can be computed by the Floyd–Warshall algorithm, which has O(n3) complexity. Satisfiability can be checked by the Bellman–Ford algorithm [2,9,15]. The Bellman–Ford algorithm checks a single source vertex against all other vertices and runs in O(nm), which is O(n2) here since m = n − 1 in a DBM. The Bellman–Ford algorithm has to be applied to every source vertex, so that checking satisfiability also runs in O(n3). Therefore, both of them generate O(n3) symbolic comparisons. Since each comparison may generate three new assumptions, the worst case complexity of computing one DBM is O(3n3). Although the worst case never occurs in practice, we still experience a very long execution time. A similar result was obtained on handling parametric DBMs in forward reachability analysis in [13].
There are several ways to accelerate the calculation in terms of symbolic parameters. An intuitive way is to use a parallel computer to do the calculation. Since the operations on one DBM do not communicate with operations on other DBMs, the current sequential algorithm can be modified into a parallel or distributed algorithm without theoretical difficulty. A second way is to apply partial order reduction to the current algorithm. Partial order reduction for model checking timed automata has been studied in [3,14], but their results need modification before being applied. Furthermore, both ways can be combined.
6. Discussion
We described here a method for calculating the path condition for a timed system. The condition is calculated
automatically, then simplified using various heuristics. Of course we do not assume that time constraints are given. The
actual time for lower and upper bounds on transitions is given symbolically. Then we can make various assumptions
about these values, e.g., the relative magnitude of various time constants. Given that we need to guarantee some particular
execution and not the other, we may obtain time constraints as path conditions, including e.g., some equations, whose
solutions provide the appropriate required time constants.
In addition to the basic TTS model with shared variables and corresponding translation to ETA described in Section 2,
the TTS can be extended to handle shared communication. In this case, we need to label different components, in different
Fig. 20. The DAG.
processes, by the same label. Synchronization is done on both the condition edge (as the edge s2 → s5 in Fig. 7) and on the
transformation edge (as the edge s5 → s7 in Fig. 7).
We believe that the constructed theory is helpful in the automatic generation of test cases. Test case construction can also be used to synthesize the timing of real time systems. Another way to use this theory is to extend it to encapsulate temporal specifications. This allows verifying a unit of code in isolation. Instead of verifying each state separately, one may verify the code according to program execution paths. This was done for the untimed case in [10], and we are working on extending this framework to the timed case. Such a verification method allows us to handle infinite state systems (although the problem is inherently undecidable, and hence we are not guaranteed to terminate), and parametric systems, e.g., we may verify a procedure with respect to an arbitrary allowed input. This is done symbolically, rather than state by state.
Acknowledgement
Second author’s research was partially supported by Subcontract UTA03-031 to The University of Warwick under
University of Texas at Austin’s prime National Science Foundation Grant #CCR-0205483.
References
[1] R. Alur, D.L. Dill, A theory of timed automata, Theoretical Computer Science 126 (1994) 183–235.
[2] R. Bellman, On a routing problem, Quarterly of Applied Mathematics 16 (1) (1958) 87–90.
[3] J. Bengtsson, B. Jonsson, J. Lilius, W. Yi, Partial order reductions for timed systems, in: The 9th International Conference on Concurrency Theory, in: Lecture Notes in Computer Science, vol. 1466, Springer, 1998, pp. 485–500.
[4] N. Budhiraja, K. Marzullo, F.B. Schneider, Derivation of sequential, real-time process-control programs, Foundations of Real-Time Computing: Formal Specifications and Methods (1991) 39–54.
[5] E.M. Clarke, O. Grumberg, D. Peled, Model Checking, MIT Press, 2000.
[6] E.W. Dijkstra, Guarded commands, nondeterminacy and formal derivation of programs, Communications of the ACM 18 (1975) 453–457.
[7] D.L. Dill, Timing assumptions and verification of finite-state concurrent systems, in: Automatic Verification Methods for Finite State Systems, in: Lecture Notes in Computer Science, vol. 407, Springer, 1989, pp. 197–212.
[8] R.W. Floyd, Algorithm 97: shortest path, Communications of the ACM 5 (6) (1962) 345.
[9] L.R. Ford, Jr, D.R. Fulkerson, Flows in Networks, Princeton University Press, 1962.
[10] E. Gunter, D. Peled, Unit checking: Symbolic model checking for a unit of code, in: Verification: Theory and Practice 2003, Essays Dedicated to Zohar Manna on the Occasion of his 64th Birthday, in: Lecture Notes in Computer Science, vol. 2772, Springer, pp. 548–567.
[11] T.A. Henzinger, Z. Manna, A. Pnueli, Temporal proof methodologies for timed transition systems, Information and Computation 112 (1994) 273–337.
[12] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems, Information and Computation 111 (1994) 193–244.
[13] T.S. Hune, J. Romijn, M. Stoelinga, F.W. Vaandrager, Linear parametric model checking of timed automata, Journal of Logic and Algebraic Programming 52-53 (2002) 183–220.
[14] M. Minea, Partial order reduction for model checking of timed automata, in: The 10th International Conference on Concurrency Theory, in: Lecture Notes in Computer Science, vol. 1664, Springer, 2002, pp. 431–446.
[15] E.F. Moore, The shortest path through a maze, in: The International Symposium on the Theory of Switching, Harvard University Press, 1959, pp. 285–292.
[16] D.J. Scholefield, H.S.M. Zedan, Weakest precondition semantics for time and concurrency, Information Processing Letters 43 (1992) 301–308.
[17] S. Warshall, A theorem on boolean matrices, Journal of the ACM 9 (1) (1962) 11–12.
[18] S. Yovine, Model checking timed automata, in: Lectures on Embedded Systems, in: Lecture Notes in Computer Science, vol. 1494, Springer, 1998, pp. 114–152.
