Efficient Detection of Zeno Runs in Timed Automata by Gomez, Rodolfo & Bowman, Howard
Efficient Detection of Zeno Runs
in Timed Automata⋆
Rodolfo Go´mez and Howard Bowman
University of Kent, Computing Laboratory,
CT2 7NF, Canterbury, Kent, United Kingdom.
{R.S.Gomez, H.Bowman}@kent.ac.uk
Abstract. Zeno runs, where infinitely many actions occur in finite time,
may inadvertently arise in timed automata specifications. Zeno runs may
compromise the reliability of formal verification, and few model-checkers
provide the means to deal with them: this usually takes the form of live-
ness checks, which are computationally expensive. As an alternative, we
describe here an efficient static analysis to assert absence of Zeno runs on
Uppaal networks; this is based on Tripakis’s strong non-Zenoness prop-
erty, and identifies all loops in the automata graphs where Zeno runs may
possibly occur. If such unsafe loops are found, we show how to derive
an abstract network that over-approximates the loop behaviour. Then,
liveness checks may assert absence of Zeno runs in the original network,
by exploring the reduced state space of the abstract network. Experi-
ments show that this combined approach may be much more efficient
than running liveness checks on the original network.
Key words: Zeno Runs, Timed Automata, Model-checking, Uppaal.
1 Introduction
Timed automata [1] are often used to specify timed systems, as they provide
a graphic notation that is easy to use, and can be automatically verified [2–4].
However, specifications may exhibit so-called Zeno runs, which are executions
where actions occur infinitely often in a finite period of time. Knowing whether
Zeno runs occur increases our confidence on the specification at hand. Zeno runs
are unintended (real processes cannot execute infinitely fast); in general, the
verification of correctness properties cannot be trusted in specifications where
Zeno runs may occur. For example, liveness properties are usually meaningless
unless time-divergence is assumed. In addition, Zeno runs may conceal deadlocks
and thus compromise safety properties. In most timed automata models, the
semantics of urgency allow states (so-called timelocks) where time-divergent runs
⋆ This research has been supported by the UK Engineering and Physical Sciences
Research Council under grant EP/D067197/1. This paper appeared in Proceedings of
the 5th. International Conference FORMATS 2007 (Formal Modelling and Analysis
of Timed Systems), LNCS 4763, pp. 195–210, Salzburg, Austria, October 2007, J.-F.
Raskin and P.S.Thiagarajan (eds.), Springer.
are no longer possible. Typically, as progress depends on delays, a timelock
will have a global effect and make part of the state space unreachable. Hence,
systems may be deemed safe, but unfound erroneous states may arise lately in
implementations. A common class of timelocks involve (action) deadlocks (e.g.,
due to mismatched blocking synchronisation). Usually, such timelocks may be
found by checking deadlock-freedom; however, if a Zeno run is possible when the
timelock occurs (e.g., due to some time-unconstrained loop), no deadlock will
occur and the timelock will remain unnoticed.
Certain classes of timelocks can be avoided in a number of formal notations,
including timed automata. For instance, in process algebras with asap [5], only
internal actions can be made urgent, preventing timelocks that arise due to
mismatched synchronisation. The same is achieved in Timed I/O Automata
[6], Discrete Timed Automata [7], and Timed Automata with Deadlines [8, 9],
where construction ensures that either actions or delays are always possible.
However, Zeno runs cannot be prevented by construction, as a suitable semantics
would be too restrictive for the specifier. In Kronos [2] and Red [4], timelock-
freedom can be verified as a liveness property. Kronos, Red and Profounder [10]
verify properties only over time-divergent runs, i.e. algorithms must identify and
discard Zeno runs in the process. Instead, more efficient algorithms may be used
whenever absence of Zeno runs can be guaranteed in advance. Uppaal [3] does
not distinguish time-divergent from Zeno runs during verification, but a liveness
property can be verified to ensure that all runs are time-divergent. However,
liveness checks can be very time-consuming (for instance, on-the-fly verification
does not help, as the whole state space must be explored to confirm that Zeno
runs cannot occur).
In [11, 12], we refined Tripakis’s strong non-Zenoness property [13] in a num-
ber of ways, which permitted an efficient check for absence of Zeno runs in simple
timed automata models. Here we offer a more precise analysis of synchronisa-
tion and its effects on Zeno runs, and take into account Uppaal features such
as non-zero clock updates, broadcast synchronisation and parametric templates.
This results in a tool that is precise enough to assert absence of Zeno runs for
a larger class of specifications than previously possible. When absence of Zeno
runs cannot be inferred from the syntax of clock constraints and synchronisation,
the analysis is inconclusive but returns all loops where Zeno runs may possibly
occur. To benefit from this diagnosis, and avoid running liveness checks on the
whole state space of the original network, we show how to obtain an abstract net-
work that reduces the set of relevant behaviours to (an over-approximation of)
those of unsafe loops. Then, by exploring the abstract network, liveness checks
may assert absence of Zeno runs in the original network more efficiently. Exper-
iments show that our analysis based on strong non-Zenoness, possibly followed
by a liveness check on the abstract network, may be much more efficient than
running liveness checks on the original network.
This paper is organised as follows. Section 2 introduces the timed automata
model, and discusses timelocks and Zeno runs. Section 3 presents the static
analysis based on strong non-Zenoness. Section 4 defines abstract networks. In
Section 5 we present our tool and experimental results. We conclude the paper
in Section 6, with suggestions for further research.
2 Timed Automata
Many extensions of Alur and Dill’s model [1] have been proposed in the literature,
and implemented in model-checkers. Uppaal’s specification language, which we
focus on in this paper, provides many features which facilitate the description
of complex networks. Here we offer a brief account of the model (we refer to [3],
and Uppaal’s help files, for a more detailed presentation).
Uppaal automata are finite state machines (locations and edges), augmented
with global (shared) clock and data variables, and synchronisation primitives.
Concurrent systems are represented by networks of communicating automata.
Concurrency is modeled by interleaving, and communication is achieved by syn-
chronisation on channels and shared variables. Clocks range in the non-negative
reals, and advance synchronously at the same rate (but may be updated inde-
pendently). Edges denote instantaneous actions, and delays are possible only
in locations. Clock and data variables can be used to constrain the execution
of automata. Locations may be annotated with invariants, which constrain the
allowed delays. Edges may be annotated with guards (enabling conditions), syn-
chronisation labels (to distinguish observable from internal actions), and variable
updates. Binary channels are blocking: matching input and output actions may
only occur in pairs (a?/a!). More elaborate specifications can be obtained with
the following features.
Variables. Available types include clocks, channels, bounded integers and
Booleans, and arrays and record types can be defined over these types. Common
arithmetic operators (and user-defined C-like functions) may be used in expres-
sions. Clock constraints are (in)equalities between clocks (and clock differences)
and integer expressions. Clocks can be assigned non-negative integer expressions.
Urgent and Committed locations. Urgent and committed locations disallow
delays, forcing the immediate execution of enabled actions as soon as they are
entered. In addition, committed locations restrict interleaving: only components
that are currently in committed locations may execute enabled actions.
Urgent and Broadcast Channels. Synchronisation on urgent channels is
binary, blocking, and must occur as soon as matching actions are enabled. Syn-
chronisation on broadcast channels matches one output action with multiple
input actions, and is non-blocking on the output side: input actions block until
the output action is enabled, but the output action may be executed even if no
input actions are enabled.
Templates and Selections. Parametric templates and selections provide a
concise specification of similar components. A template provides an automaton
and a number of parameters (bounded data variables), which can be read in the
automaton’s expressions (e.g., guards). Parameters are instantiated, generating
multiple processes with the same control structure (the template’s automaton).
A selection denotes non-deterministic bindings between an identifier and values
in a given range. Selections annotate edges, which may use the identifiers in
guards, synchronisation labels and updates. Every binding results in a different
(instantiated) edge between the same two locations.
By way of example, Fig. 1 shows an Uppaal network to control access to
a bridge for a number of trains (this model is a demo included with Uppaal’s
distributions; a similar model is explained in [3]). Incoming trains are represented
by a Train template (left), access to the bridge is controlled by a Gate template
(right). The Train template declares a local clock x, and an integer parameter id
of type id t= [0..N − 1], where N (a global constant) is the maximum number
of incoming trains the gate controller may handle. For a simple example of the
use of constraints and synchronisation, consider the edge Cross → Safe. The
invariant x<=5, and guard x>=3, constrain the action to occur when x ∈ [3, 5]
(with the action being urgent when x = 5). Channel leave is binary, hence
Cross → Safe and Occ → Free must occur simultaneously. To simulate and
verify this network, Uppaal instantiates id to create N different Train processes,
controlled by a single Gate process. This is modeled with arrays of channels
(leave, appr, stop and go) and multi-transitions in Gate: the selection e:id t
makes e (a train identifier) range in [0..N − 1], providing a matching action
for every Train process. The variables e, len (and an array list, not shown
in the figure), and the functions front(), enqueue(), dequeue(), and tail(),
manipulate a queue of approaching trains, some of which may be stopped (stop!)
and later restarted (go!) to avoid collisions (e.g., the committed location, marked
with C, ensures that the last approaching train is immediately stopped if a new




































Fig. 1. An Uppaal network for a Train-Gate controller
2.1 Syntax and Semantics
We define a timed automata model which considers the main constructs of Up-
paal’s specification language. For the sake of simplicity, we omit an explicit
formalisation of array and record types, functions, templates and selections.
Timed Automaton. Let C be a set of clocks, which range on the non-negative
reals (R+0), and D be a set of data variables, which range in bounded domains
(e.g., Booleans and bounded integers). Let V = C ∪ D, and Const(V) be the
set of constraints (boolean expressions) on V . Clock constraints are terms of
the form x ∼ e or x − y ∼ e, where x, y ∈ C, ∼ ∈ {<,>,=,≤,≥} and e is
an integer expression. We assume the usual set of arithmetic, Boolean and rela-
tional operators over data variables. Guards are conjunctions of clock constraints
and boolean expressions not containing clocks. Invariants follow the syntax of
guards but disallow lower bounds in clock constraints. Let G(V) ⊆ Const(V)
and I(V) ⊆ Const(V) denote the sets of guards and invariants on V , resp. Up-
dates are (comma-separated) sequences of assignments of the form var := e,
where var ∈ V and e is an expression. If var is a clock, then e must be a
non-negative integer expression. Let U(V) denote the set of updates on V . Syn-
chronisation is defined over a set Ch of channels, some of which may denote
urgent or broadcast channels. Let UCh ⊆ Ch and BCh ⊆ Ch denote all urgent
and broadcast channels in Ch. Following restrictions in Uppaal, we require that
edges labeled with urgent channels are not guarded with clock constraints. For
any a ∈ Ch, observable actions may be labeled either with a? (input, or receiving
actions) or a! (output, or emitting actions). Internal actions are labeled with ǫ.
Let Act = {a?, a! | a ∈ Ch} ∪ {ǫ} denote the set of all synchronisation labels.
A timed automaton is a tuple A = (L, l0,Lab, E, I,V). L is the set of locations,
some of which may be tagged either as urgent or committed. Let ULocs ⊆ L,
CLocs ⊆ L, and NULocs = L \ (ULocs ∪ CLocs) denote the subsets of urgent,
committed and non-urgent locations in L (ULocs ∩ CLocs = ∅). l0 ∈ L is the
initial location, Lab ⊆ Act is the set of synchronisation labels, E ⊆ L × Lab ×
G(V) × U(V) × L is the set of edges, I : NULocs → I(V) maps non-urgent
locations to invariants, and V is a set of variables. Edges (l, a, g, u, l′) ∈ E are
also denoted l a,g,u−−−−→ l′, where a is the label, g is the guard and u is the update.
Semantics of a Network. A valuation maps clocks to non-negative reals, and
data variables to corresponding domains. Let V(V) denote all possible valuations
over V , and let |= denote constraint satisfiability over valuations. For any v ∈
V(V), and δ ∈ R+, v + δ ∈ V(V) is defined s.t. ∀x ∈ C. (v + δ)(x) = v(x) + δ
and ∀ d ∈ D. (v + δ)(d) = v(d). Let u ∈ U(V) denote the sequence var 1 :=
e1, . . . , varm := em, and v1 ∈ V(V). We define vi+1 ∈ V(V), 1 ≤ i ≤ m s.t.
vi+1(var i) = [[e]](vi) and vi+1(var) = vi(var) for any var ∈ V \ {var i} ([[e]]v
denotes the value of expression e in v). Then, we define u(v1) = vm+1.
A network is a collection of automata |A = |〈A1, ... , An〉, where
Ai = (Li, li,0,Labi, Ei, Ii,Vi). The set of global (i.e., shared) variables of the
network is given by
⋃
1≤i6=j≤n(Vi ∩ Vj); all other variables are considered local
to components. A location vector is denoted l¯ = 〈l1, . . . , ln〉, where li ∈ Li.
We use l¯[l′i/li] to denote that li in l¯ is replaced by l
′
i. For any set of indices J ,
we use l¯[(l′j/lj)j∈J ] to denote the replacement of lj by l
′
j in l¯, for each j ∈ J .
For J = {j0, . . . , jm} and j0 < j1 < . . . < jm, we use uJ to denote the se-
quential execution of updates uj0 , . . . , ujm . Let V =
⋃n





i=1 CLocs i, where CLocsi ⊆ Li is the set of committed locations of
Ai. We use CLocs(l¯) to denote the committed locations in l¯.
The semantics of |A are given by a timed transition system (S, s0, {ǫ}∪R+, T ),
where S ⊆ L × V(V) is the set of reachable states (denoted s = 〈l¯, v〉); s0 =
〈l¯0, v0〉 is the initial state (l¯0 = 〈l1,0, . . . , ln,0〉, ∀ var ∈ V . v0(var ) = 0); and
T ⊆ S × {ǫ} ∪ R+ × S is the transition relation. Action transitions are denoted
s
ǫ
=⇒ s′; delay transitions are denoted s
δ
=⇒ s′ (δ ∈ R+). We will use s
ǫ
=⇒ to
denote any action transition from s. Transitions are computed:




ǫ,gi,ui−−−−−→ l′i ∈ Ti s.t. v |= gi, ui(v) |= I(l¯[l
′
i/li]), and li ∈ CLocsi or
CLocs(l¯) = ∅.








b?,gj ,uj−−−−−−→ l′j ∈ Tj (j 6= i) s.t. v |= gj , and li ∈ CLocsi or CLocs(l¯) = ∅.






a!,gi,ui−−−−−−→ l′i ∈ Ti and lj
a?,gj ,uj−−−−−−→ l′j ∈ Tj (j 6= i) s.t. a /∈ BCh ,
v |= gi ∧ gj , uj(ui(v)) |= I(l¯[l′i/li, l
′
j/lj]), and {li, lj} ∩ CLocs(l¯) 6= ∅ or
CLocs(l¯) = ∅.






b!,gi,ui−−−−−→ l′i ∈ Ti s.t. b ∈ BCh , J ⊆ [1..n] \ {i} is the maximal set of
indices s.t. for any j ∈ J there is a lj







j/lj)j∈J ), and ({li} ∪ {lj | j ∈ J}) ∩ CLocs(l¯) 6= ∅ or
CLocs(l¯) = ∅.
5. (from delays) 〈l¯, v〉
δ
=⇒〈l¯, v + δ〉,
for any δ ∈ R+ s.t. (v+δ) |= I(l¯), CLocs(l¯)∪ULocs(l¯) = ∅, and no transition
〈l¯, v + δ′〉
ǫ
=⇒ (δ′ < δ) can be computed from synchronisation over urgent
channels (either by rules 2,3 or 4).
Runs, Zeno Runs and Timelocks. A run is a path in the timed transition




==⇒ . . ., where si ∈ S, γi ∈ {ǫ} ∪ R+, s.t. ρ ends in
some state sn ∈ S (if ρ is finite). A run ρ is time-divergent if the sum of all
delays occurring in ρ is infinite. A Zeno run performs infinitely many actions in
finite time. A timelock is a state where time-divergent runs are not possible. Ab-
sence of Zeno runs does not guarantee timelock-freedom, or vice versa. However,
both absence of Zeno runs and deadlocks suffice to guarantee timelock-freedom
(detailed presentations of timelocks and Zeno runs can be found in [9, 11, 12]).
Figure 2 illustrates the occurrence of timelocks and Zeno runs. Assume that
all loops belong to different components, and that all clock values are initially
zero. Consider the network Net1. If L1 → L2 does not occur early enough, the
loop at L3 will not have the chance to synchronise. Eventually, the invariant y<=1
will prevent further delays and the entire network will block: a time-actionlock
has occurred. A Zeno-timelock, where the only possible infinite runs are Zeno
runs, occurs if the loop in L3 synchronises with L2→ L1: Eventually, the network
will reach a state where the invariant z<=3 prevents further delays, but a Zeno
run is induced by synchronisation between the loops in L3 and L4 (z is never
reset). Note that, in any case, the loop in T cannot iterate more than three times.
In contrast, in Net2, the loop in L1 exhibits Zeno runs but delays are always
possible in other runs; the loop in T may always iterate (once per time unit).
However, Zeno runs make Net2 unfair to T: if the loop in L1 would not be able
to iterate arbitrarily fast, fairness would be guaranteed by the invariant t<=1.
T
t<=1


















Fig. 2. Timelocks, Zeno runs, and test automata
Verifying Time-Divergence in Uppaal. In Uppaal, both absence of time-
locks and Zeno runs can be characterised by a liveness formula, defined over an
extended network augmented with a test automaton [14]. Figure 2 illustrates the
approach, where the loop in T represents the test automaton. Uppaal leads-to
operator [3], -->, can be used to define the formula λU , t==0 --> t==1, which
is satisfiable when any (t==0)-state is eventually followed by a (t==1)-state in
every run. Equivalently, λU is satisfiable if all runs in the original network are
time-divergent. For instance, λU is not satisfiable in Net1 in Fig. 2 (and, perhaps
against our intuition, neither is it satisfiable in Net2).
Test automata, and corresponding λU properties, give us a simple, robust way
to verify time-divergence. However, this approach has a number of disadvantages.
Liveness verification is computationally expensive in general (it requires a form
of nested reachability analysis), and in the case of λU , it is likely to suffer from
state-explosion (absence of Zeno runs cannot be confirmed unless the whole state
space has been explored, i.e., on-the-fly verification will not give any benefits).
Unfortunately, Uppaal also disallows symmetry reduction [15] for leads-to for-
mulas. A further limitation of λU is that, in networks with timelocks, it will fail
to hold even if Zeno runs do not occur. This may be problematic whenever time-
locks are intentionally introduced. For instance, “sink” committed locations were
used to enforce global termination in the protocol of [16], which is nonetheless
free from Zeno runs (see our notes on the lipsync case study, in Sect. 5).
3 Strong Non-Zenoness
Strong non-Zenoness [13] is a static property of loops (defined as cycles in the
automaton’s graph), which suffices to guarantee absence of Zeno runs. A loop
is strongly non-Zeno (SNZ) if, from the syntax of guards and updates, a clock
can be inferred to be bounded from below (x ≥ n, n ≥ 1) and reset (x := 0)
in the loop. A network is free from Zeno runs if all loops are SNZ [13] (strong
non-Zenoness guarantees cumulative n-delays between loop iterations).
In [11, 12], we obtained weaker conditions to guarantee absence of Zeno runs
in a network: (a) it suffices to consider loops that correspond to elementary
cycles (i.e., cycles with exactly one repeating location), and (b) Zeno runs cannot
occur if all NSNZ loops have at least one observable action, which cannot be
matched against any other NSNZ loop (blocking synchronisation with any SNZ
loop guarantees time-divergence). Our analysis in [11, 12] was able to assert
absence of Zeno runs for a larger class of specifications (w.r.t. [13]), but it assumes
a simple timed automata model. In what follows, we show that the analysis is not
sound when Uppaal extensions such as non-zero clock assignments and broadcast
channels are considered, and that synchronisation can be better exploited to
improve precision. On the other hand, the analysis is insensitive to urgent and
committed locations and urgent channels (urgent actions cannot make a SNZ
loop iterate faster than its witness clock permits), and it presents advantages
when parameters and selections are ignored. These issues are taking into account
to define a more comprehensive analysis on Uppaal networks (Sect. 3.1).
Non-zero Clock Assignments. If a clock x is assigned a non-zero value in a
loop, then Zeno runs may occur even if x is a witness for strong non-Zenoness.
For instance, in Fig. 3, a Zeno run may occur in lp1 if x=4 occurs immediately
after x=0. On the other hand, x is a SNZ witness for lp2: x=4 has no effect
on x>3 because x=0 occurs after it. Similarly, x is a witness for lp3: time must
necessarily pass to enable x>3 after x=1 has occurred. In general, we must ensure
that no conflicting updates may occur between an update and a lower bound,








Fig. 3. Non-zero clock updates
Broadcast Channels. Due to non-blocking semantics, a NSNZ loop that emits
on a broadcast channel may complete its iterations even if the receivers are not
enabled. Thus, in general, synchronisation between NSNZ and SNZ loops may
not be free from Zeno runs. For instance, in Fig. 4 (where b is a broadcast
channel and a is binary channel), Zeno runs may occur between lp1 and lp2.
Zeno runs cannot occur between lp3 and lp4 (input actions are always blocking),





















Fig. 4. Broadcast channels
Synchronisation of Multiple Loops.Whenever two NSNZ loops have at least
a pair of matching observable actions, the analysis in [12] is unable to guarantee
absence of Zeno runs. However, the occurrence of Zeno runs may nonetheless
be prevented if the NSNZ loops need a SNZ loop to complete their iterations.
This suggests that a more precise analysis can be obtained, which finds groups
of NSNZ loops that may not need to match with SNZ loops to complete their
iterations (and thus, to exhibit Zeno runs).
Templates and Selections. In many cases, the analysis of strong non-Zenoness
will benefit from parametric templates and selections: SNZ witnesses may be
computed directly from the template’s structure, regardless of the actual pa-
rameter values and selection bindings. Consider again the network of Fig. 1. All
loops in Train are SNZ due to guards and updates on x, i.e., parameters and
selection bindings can be ignored. Loops in Gate are NSNZ, but they may syn-
chronise only with loops in Train, on binary channels. Thus, the network is free
from Zeno runs. Furthermore, strong non-Zenoness was guaranteed regardless
of actual parameter values, which allows us to infer that the network is safe for
any number of trains. In contrast, λU may only assert absence of Zeno runs for
a fixed number of trains (with limitations in scalability).
3.1 Strong non-Zenoness for Uppaal Networks
Let A be a timed automaton (Sect. 2.1). A loop is an elementary cycle in A;
i.e., a sequence 〈l0
a1,g1,r1
−−−−−→ l1 · · · ln−1
an,gn,rn
−−−−−−→ ln〉, where l0 = ln and li 6= lj for
all 0 ≤ i 6= j < n. An observable loop is one that contains observable actions
(otherwise, it is an internal loop). We say that a run covers a loop when it visits
all its edges infinitely often. For any clock constraint φ and guard g, φ ∈ g
denotes that φ can be inferred from g. For any clock x, m ∈ N, and update
u, x := m ∈ u denotes that the value of x is m after all assignments in u are
sequentially executed. Let e be an edge in lp with guard g, a clock x occurring in
g, and n ∈ N, n > 0. We use x⊒n ∈ g to denote either x ⊒ n ∈ g (⊒∈ {=, >,≥}),
or x − y ⊒ n ∈ g (⊒∈ {>,≥}); we use x≥n if x − y = n ∈ g. We say that x⊒n
(⊒∈ {=, >,≥}) is the lower bound for x in g if x⊒n ∈ g and there is no n′ > n
s.t. x⊒n′ ∈ g. A refined strong non-Zenoness property can be defined as follows.
Definition 1. (SNZ loop) A loop lp is strongly non-Zeno (SNZ) if there is a
clock x and two edges e1, e2 in lp, where u is the update in e1 and g is the guard
in e2, x := m ∈ u, x⊒n is the lower bound for x in g, m < n, and there is no
x := m′, m′ ≥ n, in any update in the loop in the path from e1 to e2. We refer
to x as a (SNZ) witness of lp.
Definition 2. (Safe loop) A loop lp is safe if (a) lp is a SNZ loop, and (b) lp
has a local witness, or every loop that may update any witness of lp is a SNZ
loop with a local witness.
Proposition 1. If lp is a safe loop, any run that covers lp is time-divergent.
Proof. By definition, a SNZ witness clock x guarantees time-divergence for any
run that covers lp, unless x is externally updated infinitely often, and with delay
δ < 1 between updates. Such conflicting updates cannot happen if lp is safe. ⊓⊔
Definition 3. (Synchronisation Group) Let ULsync be the set of all unsafe
observable loops in a network |A. A synchronisation group (or sync group, for
short) is a maximal, non-empty set S ⊆ ULsync, s.t. for any lp ∈ S, and any
observable action in lp that synchronises on a binary channel or emits on a
broadcast channel, there is a matching action in some lp′ ∈ S.
For example, for the network shown in Fig. 5, the analysis returns only the
group {lp3, lp4}: the loops lp2 and lp3 cannot synchronise together (not with-











Fig. 5. Synchronisation Groups
Proposition 2. If a Zeno run occurs which covers an observable loop lp, then
there is at least one sync group S s.t. lp ∈ S.
Proof. Any Zeno run contains a suffix ρ that only visits edges of a set UL of
unsafe loops, infinitely often [12]. Let lp ∈ UL be an observable loop. There is
some UL′ ⊆ UL, lp ∈ UL′, composed entirely by observable loops that synchro-
nise together (otherwise, ρ could not cover lp). Necessarily, for any observable
action with synchronisation label lb in any loop in UL′, there is a loop in UL′
with a matching action (if lb = a? or lb = a!, where a is a binary channel, or
lb = b?, where b is a broadcast channel). By definition, every loop in UL′ must
be part of a sync group. ⊓⊔
Note that, synchronisations that are subject to Zeno runs will be identified by
sync groups (i.e., the analysis is conservative), but a sync group may represent
synchronisations that are not possible at run-time (e.g., due to the ordering of
observable actions in a loop or unreachable valuations).
Proposition 3. If all internal loops in a network are safe, and no sync groups
can be formed, the network is free from Zeno runs.
Proof. Follows from Props. 1 and 2. ⊓⊔
Implementation Notes. Templates are largely regarded as component au-
tomata, in the sense of Sec. 2.1. Lower bounds and clock assignments are in-
ferred from the syntax of guards and updates, whenever constant values can be
directly computed (in general, witnesses may not be extracted where variables,
parameters, functions or selection identifiers occur). For any array of channels, a
say, we assume that a[ei]! and a[ej]? match, unless ei and ej can be resolved
to different constant values. Sync groups may include unsafe loops in parametric
templates, whose observable actions match other actions in the loop or other
loops in the template (albeit rare in practice, this is permitted in Uppaal).
4 Helping Liveness Checks
In some networks, data constraints prevent Zeno runs from occurring, even
though unsafe loops may be found. Moreover, any Zeno run has a suffix that
visits edges of unsafe loops only, and does so infinitely often [12]. Therefore, live-
ness checks could in principle assert absence of Zeno runs by exploring solely the
behaviour of unsafe loops. In particular, our aim is to reduce the state space that
Uppaal needs to explore to verify the λU property (Sect. 2). Given a network |A,
and a set of unsafe loops UL found by static analysis (Sect. 3), an abstract net-
work α(|A,UL) can be obtained that contains just the loops in UL. In addition,
α(|A,UL) provides the necessary valuations that allow the loops in UL to behave
as they do in |A, such that, if a liveness check ensures the absence of Zeno runs in
α(|A,UL), then this also holds for |A. Our aim is to offer an static abstraction,
hence, the valuations that can be reached in |A at the loops’ entry locations
may have to be over-approximated. A consequence of this over-approximation is
that liveness checks will be sufficient-only: Zeno runs may be found in α(|A,UL)
which do not occur in |A. Hence, the precision of the abstraction depends on
how accurately we can approximate the relevant valuations at entry locations.
For example, Fig. 6(left) shows a template for processes running the Fischer’s
mutex protocol. Declarations are as follows: x is a local clock, pid and k are
integer parameters (pid, k > 0), and id is a global integer variable. The only
unsafe loop (a NSNZ loop) is 〈req→ wait→ req〉, and it is free from Zeno runs.
This loop may complete iterations only after id = 0, but this may not occur
arbitrarily fast (the update occurs only in the SNZ loops of competing processes).
The abstract network (Fig. 6, right) needs to consider only the NSNZ loop, and
provides initial valuations so the loop may behave as in the original network. The
liveness check may now work on a reduced state space, where the loop cannot
complete a single iteration (thus, the abstract network is free from Zeno runs,
and so is the original network). Section 5 shows that the abstract network allows
























Fig. 6. A process template in Fischer’s protocol: original (left) and abstract (right)
4.1 Abstract Network
Let |A = 〈A1, . . . , An〉 be a network, s.t. UL 6= ∅ is the set of unsafe loops
in |A. Let UL1, . . . ,ULm be a partition of UL w.r.t. network components, i.e.
UL =
⋃m
j=1 ULj and all loops in ULj (1 ≤ j ≤ m) belong to the same component
Ai (1 ≤ i ≤ n) (we define |A(ULj) = Ai). For any loop lp ∈ UL, L(lp) is the
set of locations, E(lp) is the set of edges, Lab(lp) is the set of labels, and V(lp)
is the set of variables occurring in lp. Let Entry(lp) be the set of locations of lp
that are either a component’s initial location, or have at least one ingoing edge
that is not part of any lp′ ∈ UL. From every ULj , we will define a component of
the abstract network that includes all loops in ULj , and provides the necessary
valuations so that loops in ULj may be entered and behave as they do in |A.
A variable is read in lp if it occurs in a guard, invariant or rhs-expression of
an assignment in lp. A variables is set in lp if it occurs in the lhs-expression of
an assignment in lp. A variable is used in lp if it occurs in a guard or invariant in
lp, or it occurs in the rhs-expression of an assignment in lp, whose lhs-expression
involves a variable that is used in lp′ ∈ UL. Let R(lp, l) ⊆ V(lp) be the set of
variables that are used in lp, and are read before they are set (or just read) in
any edge of lp, in the path starting at l ∈ Entry(lp). R(lp, l) denotes a group
of variables which may cause Zeno runs, if lp is entered at l; for such variables,
the valuations that are reachable in |A should also be reachable in the abstract
network. On the other hand, whenever lp is entered at l, the values of variables
that are not in R(lp, l) are irrelevant to the occurrence of Zeno runs, and the
abstract network may simply provide default initial values.




Clocks(lp), where |Clocks(ULj)| = k. Let NewL(ULj) =
{loc0, . . . , lock} be a set of new (non-urgent) locations. We define a set of edges,
ResE (ULj) = {(loci, ǫ, true, x := 0, loci+1) | 0 ≤ i < k, x ∈ Clocks(ULj)}
which allows loops in UL to be entered with valuations where two or more clocks
differ (otherwise, all clocks will have the same value when loops are entered,
possibly missing valuations that are reachable in |A and are the cause for Zeno
runs). We also assume that a set of edges InitE(lp) can be defined, which connect
lock with every l ∈ Entry(lp). For every variable in R(lp, l), edges in EntryE (lp)
must provide an over-approximation of the valuations that are reachable at l
in |A. We do not prescribe here the guards and updates that will define such
edges: approximations should be informed by the syntax of the network at hand,
both to obtain a static abstraction and to provide accurate valuations (as much
as possible). For instance, in Uppaal, selections may be used to assign a range
of values to data variables (ranges may represent, in the worst case, the entire
domain), and extrapolation will implicitly generate reachable clock valuations
(Uppaal compute the possible delays at each location vector, during verification).
From ULj with |A(ULj) = (L, l0,Lab, E, I,V), we derive a component of the
abstract network, α(ULj) = (L
′, loc0,Lab
′, E′, I ′,V ′), where








– E′ = ResE (ULj) ∪
⋃
lp∈ULj
(E(lp) ∪ EntryE (lp))
– I ′ = I/L′ ∪ {(l, true) | l ∈ NewL(ULj)} (I/L′ denotes I restricted to L′)




Finally, the abstract network is given by α(|A,UL) = 〈α(UL1), . . . , α(ULm)〉.
Proposition 4. |A is free from Zeno runs if α(|A,UL) is free from Zeno runs.
Proof. For any lp ∈ UL, l ∈ Entry(lp), and var ∈ R(lp, l), every valuation
that is reachable in |A at l is also reachable in α(|A,UL). These valuations are
over-approximated either by edges in ResE (ULj) or EntryE (lp), or generated
by clock extrapolation. On the other hand, if lp is entered at l, then the values
of any var ∈ V \ R(lp, l) may not be related in α(|A,UL) and |A; however, the
iterations of any lp ∈ UL will not depend on such initial values. Consider now
a Zeno run ρ in |A s.t. (a) ρ only visits edges of a set of loops UL′ ⊆ UL, and
does so infinitely often; and (b) any variable that does not occur in UL′ has a
constant value along ρ (we can prove that if a Zeno run occurs in |A, then ρ
is a suffix of that run [12]). Let ρ′ be the Zeno run that is the projection of ρ
onto UL. Let s = 〈l¯, v〉 be any state of ρ′. Necessarily, for any variable var in
UL, either (a) v(var ) is the value at some entry location l of some lp ∈ UL, or
v(var ) can be derived from a valuation reachable at l by visiting a sequence of
edges in UL′, or (b) the value of var is irrelevant to iterations of loops in UL′.
By construction of the abstract network, we can infer the occurrence of a Zeno
run in α(|A,UL), which is similar to ρ′ except possibly for the value of any var
that never prevents iterations or enforces δ ≥ 1 delays. ⊓⊔
Implementation Notes. In certain cases, it may be necessary to convert urgent
or committed locations to non-urgent locations, to avoid spurious timelocks in
the abstract network. This over-approximates the valuations reachable at the
location in question and, therefore, does not compromise the conservative nature
of our abstraction.
5 Experimental Results
Our ZenoChecker tool (ZC) implements the analysis of Sect. 3.1 over Uppaal
networks. ZC runs a cycle detection algorithm [17], checks strong non-Zenoness,
and identifies sync groups. All unsafe internal loops, and observable loops in any
sync group, are grouped by template and returned as an Uppaal network. The
network is free from Zeno runs if no such loops are found.
Table 1 compares the analysis performed by ZC, with verification of λU in
Uppaal (Sect. 2). Very efficient tests were obtained either from ZC alone, or
from λU verified on abstract networks (when ZC found unsafe loops). For gbox,
train-gate-q and fischer, the returned unsafe loops readily revealed that
Zeno runs could not occur (we have included the abstraction just for compari-
son purposes). Uppaal found a timelock in lipsync, hence it could not inform
on the occurrence of Zeno runs. It turns out that the timelock is intentional in
lipsync [16], and ZC was able to confirm that the network is free from Zeno
runs. In the abstract networks obtained for train-gate-q, fischer, yahalom
[18] and zeroconf [19], committed and urgent locations were made non-urgent,
and a number of unsafe loops were removed before λU was verified (it was ev-
ident that the removed loops could not contribute to the occurrence of Zeno
runs). A timelock was found in yahalom, and yahalomABS was used to refine
the analysis and show that Zeno runs could also occur. Zeno runs were found
both yahalomABS and zeroconfABS; as the abstractions are conservative, this
required close examination of the networks to ensure that the Zeno runs were
not spurious.
6 Conclusions
We discussed an efficient analysis of Zeno runs on timed automata (based on
Tripakis’ strong non-Zenoness property), tailored to Uppaal’s rich specification
language. This is implemented in a tool, which accepts Uppaal networks and finds
all possible loops where Zeno runs may occur. The analysis is static and thus
conservative; if no unsafe loops are found the network is free from Zeno runs,
but this may be the case even if unsafe loops are found. A good tradeoff be-
tween precision and efficiency is achieved thanks to a refined definition of strong
non-Zenoness, and a comprehensive examination of synchronisation scenarios. In
general, whenever the static analysis is inconclusive, absence of Zeno runs must
Table 1. Checking absence of Zeno runs. Performance figures are rounded up, and were
obtained with memtime (www.uppaal.com), running on 2 Pentium 3, 1.4GHz processors,
1GB RAM, Debian Linux 2.6.8. Uppaal’s verifyta executed with default options. ZC:
our tool; λU : liveness check in Uppaal; ⊥: aborted (out of time); - = not applicable;
?: inconclusive (N = number of NSNZ loops found by ZC); X: free from Zeno runs; P:
parameter value; *ABS: abstract network. For fddi and csmacd-u, all instances were
modeled by different, non-parametric templates (e.g., csmacd-u32 denotes the csma/cd
protocol with 32 competing stations).
Network Time (sec) RSS (MB) VSize (MB) Result
ZC λU ZC λU ZC λU ZC λU
gbox 1 11644 16 25 256 68 ? (7) sat
gboxABS - 1 - 1 - 2 - sat
lipsync 1 1 16 3 256 53 X not sat(?)
train-gate(P=8) 1 1496 16 715 256 762 X sat
bocdp 890 ⊥ 21 ⊥ 260 ⊥ X sat
fddi(32/4) 2 ⊥ 18 ⊥ 255 ⊥ X sat
csmacd 1 5204 15 16 255 60 X sat
watersystem 1 1897 16 41 256 82 X sat
train-gate-q(P=8) 1 2361 15 949 256 1335 ? (1) sat
train-gate-qABS(P=8) - 1 - 1 - 1 - sat
fischer(P=6) 1 ⊥ 14 ⊥ 256 ⊥ ? (1) sat
fischerABS(P=6) - 3665 - 17 - 63 - sat
csmacd-u32 1 1 18 54 256 5 ? (97) not sat
bmp 1 1 15 1 256 1 ? (4) not sat
yahalom 1 1 15 1 255 2 ? (13) not sat(?)
yahalomABS - 1 - 1 - 2 - not sat
zeroconf 1 1676 16 274 256 315 ? (15) not sat
zeroconfABS - 1 - 1 - 1 - not sat(?)
be verified through liveness properties. This verification, however, can hardly
avoid state-explosion. We improved this case with an abstraction that reduces
the original network to (an approximation of) the behaviours of unsafe loops. In
this way, a liveness check may be spared much of the state space where Zeno runs
cannot occur. Positive experimental evidence was obtained, which showed that
the combined approach of static analysis and abstraction may be much more effi-
cient than direct liveness verification, and yet precise enough to assert absence of
Zeno runs. As future work, our tool could be extended to infer absence of Zeno
runs from expressions where parameters and data variables occur, given that
data domains are bounded in Uppaal. In addition, as the analysis is insensitive
to urgent behaviour, it could be adapted easily to deal with Timed Automata
with Deadlines [8, 9] (where absence of Zeno runs imply timelock-freedom).
Acknowledgments:We are grateful to the researchers who made the bench-
mark models available, and to the reviewers for their insightful comments.
References
1. Alur, R., Dill, D.: A theory of timed automata. Theoretical Computer Science
126 (1994) 183–235
2. Yovine, S.: Kronos: A verification tool for real-time systems. International Journal
of Software Tools for Technology Transfer 1(1-2) (1997) 123–133
3. Berhmann, G., David, A., Larsen, K.: A tutorial on uppaal. In: Formal Methods
for the Design of Real-Time Systems (SFM-RT 2004). LNCS 3185, Springer (2004)
200–236
4. Wang, F.: Model-checking distributed real-time systems with states, events, and
multiple fairness assumptions. In: Proceedings of AMAST 2004. Volume 3116 of
LNCS., Springer (2004) 553–568
5. Regan, T.: Multimedia in temporal LOTOS: A lip synchronisation algorithm. In:
PSTV XIII, 13th Protocol Spec., Testing & Verification, North-Holland (1993)
6. Gebremichael, B., Vaandrager, F.: Specifying Urgency in Timed I/O Automata.
In: Proceedings of SEFM 2005, IEEE Computer Society (2005) 64–73
7. Gomez, R., Bowman, H.: Discrete timed automata and MONA: Description, spec-
ification and verification of a multimedia stream. In: Proceedings of FORTE 2003.
LNCS 2767, Springer (2003) 177–192
8. Bornot, S., Sifakis, J., Tripakis, S.: Modeling urgency in timed systems. In: Compo-
sitionality: The Significant Difference (COMPOS’97). LNCS 1536, Springer (1998)
103–129
9. Bowman, H.: Time and action lock freedom properties for timed automata. In:
Proceedings of FORTE 2001, Kluwer Academic (2001) 119–134
10. Tripakis, S., Yovine, S., Bouajjani, A.: Checking Timed Bu¨chi Automata emptiness
efficiently. Formal Methods in System Design 26(3) (2005) 267–292
11. Gomez, R.: Verification of Real-Time Systems: Improving Tool Support. PhD
thesis, Computing Laboratory, University of Kent (October 2006)
12. Bowman, H., Gomez, R.: How to stop time stopping. Formal Aspects of Computing
18(4) (December 2006) 459–493
13. Tripakis, S.: Verifying progress in timed systems. In: ARTS’99, Formal Methods
for Real-Time and Probabilistic Systems, 5th International AMAST Workshop.
LNCS 1601, Springer-Verlag (1999)
14. Aceto, L., Bouyer, P., Burguen˜o, A., Larsen, K.: The power of reachability testing
for timed automata. Theoretical Computer Science 1-3(300) (2003) 411–475
15. Hendriks, M., Behrmann, G., Larsen, K., Niebert, P., Vaandrager, F.: Adding
symmetry reduction to uppaal. In Larsen, K., Niebert, P., eds.: Proceedings of
FORMATS 2003. LNCS 2791, Springer-Verlag (2004) 46–59
16. Bowman, H., Faconti, G., Katoen, J.P., Latella, D., Massink, M.: Automatic ver-
ification of a lip synchronisation protocol using uppaal. Formal Aspects of Com-
puting 10(5-6) (August 1998) 550–575
17. Szwarcfiter, J., Lauer, P.: A search strategy for the elementary cycles of a directed
graph. BIT 16 (1976) 192–204
18. Corin, R., Etalle, S., Hartel, P.H., Mader, A.: Timed model checking of security
protocols. In: Proceedings of FMSE ’04, ACM Press (2004) 23–32
19. Gebremichael, B., Vaandrager, F., Zhang, M.: Analysis of the zeroconf protocol
using Uppaal. In: Proceedings of EMSOFT ’06, ACM Press (2006) 242–251
