Abstractions and static analysis for verifying reactive systems by Yustinova, N. (Nataliya)
Centrum voor Wiskunde en Informatica 
The work reported in this thesis has been carried out at the CWI ( Centrum 
voor Wiskunde en Informatica) within the SVC (Systems Validation Centre) 
project funded by Telematics Institute and the KTVFM project funded by the 
Dutch Ministry of Defence. 
Nataliya Yustinova 
Abstractions and Static Analysis for Verifying Reactive Systems / 
by Nataliya Yustinova. - Amsterdam: CWI, 2004. 
Proefschrift. - ISBN 906196 525 X 
Subject headings: formal methods / software verification / model checking / 
static analysis / abstraction / reactive systems 
Copyright ©2004 by Nataliya Yustinova, Amsterdam, The Netherlands.
All rights are reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the author.
VRIJE UNIVERSITEIT
Abstractions and Static Analysis for Verifying Reactive Systems
ACADEMIC DISSERTATION
to obtain the degree of doctor at the Vrije Universiteit Amsterdam, by authority of the rector magnificus prof.dr. T. Sminia, to be defended in public before the doctorate committee of the Faculty of Sciences on Thursday 4 November 2004 at 10.45 in the auditorium of the university, De Boelelaan 1105, by Nataliya Yustinova, born in Yaroslavl, Russia.
promotor: prof.dr. W.J. Fokkink
copromotor: dr. N. Sidorova
Acknowledgments 
The work presented in this thesis was started in the last year I was employed as a teaching assistant at the Chair of Information and Communication Services, Rostock University, Germany. A major part of this work was done during the three years I was working at the SEN2 (Specification and Analysis of Embedded Systems) group of the Department of Software Engineering, CWI (Centrum voor Wiskunde en Informatica), within the SVC (Systems Validation Centre) project funded by Telematics Institute and the KTVFM project funded by the Dutch Ministry of Defence.
There are many people who helped me to finish this thesis and whom I would like to thank. I am grateful to my promotor Wan Fokkink for his confidence in my ability to succeed, for his advice, constructive criticism and support at important moments. He carefully read all parts of this work and provided feedback that helped me to look at the results of my work from a broader perspective and to make significant progress in presenting the results.
I deeply appreciate the help of my co-promotor Natalia Sidorova who guided me in my everyday research life. She encouraged and supported me by sharing her scientific interests with me and by patiently explaining complicated details to me. I am grateful for the time she spent reading and commenting on this thesis. I have learned a lot from her about planning research, writing scientific articles and giving presentations. Her optimism and good sense of humour kept me going in moments of uncertainty and helped me to finish this work.
My sincere thanks to my other co-authors Martin Steffen, Dragan Bosnacki and Stefan Blom. I really enjoyed working with Martin. He never stopped asking critical questions until he was satisfied with the quality of the achieved results. I appreciate the time that Dragan spent helping me to get into subtle implementation details of Spin and DTSpin, and reading this work as a member of the reading committee. His comments helped me to improve the readability of this thesis. The competent support of Stefan facilitated my work with the µCRL toolset and verification framework. Thanks for our discussions and scientific quarrels.
I am grateful to Walter Vogler, Jaco van de Pol and Jan Willem Klop for 
their consent to be members of the reading committee. Their comments and 
remarks contributed to the quality of this thesis. I also thank Kees van Hee 
and Jan Bergstra who agreed to be members of the promotion committee. 
Leon Wolters and Michail Petreczky spent uncounted hours in proof-reading 
this thesis. 
I also owe my success to my former "bosses" Valery Sokolov and Clemens 
Cap who persuaded me to go on with my scientific career. 
In Rostock, I really enjoyed the journeys to Rügen and playing squash with my colleagues Stephan Preuss, Mykhailo Lyubich, Nico Maibaum and Igor Sedov. Enormous thanks to my flatmates and friends Nadege Spella, Nina Kitzig, Helge Haufe, Katrin Zansinger, Karsten Kaika, Anja Gellert and Donald Reebs with whom I spent a lot of nice evenings.
In Amsterdam, I very much enjoyed the company of Simona Orzan and Daniel Benden who showed me the nightlife of this wonderful town. Thanks to Vincent van Oostrom for scientific hints. I am grateful to Paul Klint for his true interest in the progress of my work. Thanks to Joost Visser, Alban Ponse and Engelbert Rubbers who helped me with learning Dutch.
The most heartfelt thanks I want to express to my parents who encouraged my intellectual curiosity and gave me the opportunity to make my own choices and mistakes. I always trusted in their help and support.
Table of Contents
Acknowledgments ... v
1 Introduction ... 1
1.1 Towards Reliable Reactive Systems ... 2
1.2 Formal Methods ... 4
1.3 Research Questions ... 7
1.4 Road Map ... 9
1.5 Origins of Chapters ... 10
2 Preliminaries ... 13
2.1 Partially Ordered Sets and Lattices ... 14
2.2 Transition Systems and Behavioural Equivalences ... 15
2.3 Temporal and Modal Logic ... 18
2.4 Model Checking and Automata Theory ... 24
2.5 Verification by Abstraction ... 28
3 Timer Transformation to Verify SDL Specifications ... 31
3.1 Introduction ... 32
3.2 SDL ... 33
3.2.1 Syntax Overview ... 34
3.2.2 SDL Semantics ... 37
3.3 Timer Transformation ... 45
3.4 Model Equivalence ... 49
3.5 Conclusion ... 68
4 Using Fairness to Make Abstractions Work ... 69
4.1 Introduction ... 70
4.2 Timer Abstraction ... 73
4.3 Fair Timer Abstraction ... 79
4.4 Incorporating t-Fairness into the Verification Algorithm ... 82
4.5 T-fairness in DTSpin ... 86
4.6 Experimental Results ... 87
4.7 Conclusion ... 91
5 Closing and Flow Analysis for Model Checking Reactive Systems ... 93
5.1 Introduction ... 94
5.2 Semantics ... 96
5.3 Marking Chaotically-influenced Variables ... 105
5.3.1 Data-Flow Analysis ... 105
5.4 Program Transformation ... 110
5.4.1 Preservation Result ... 114
5.5 Implementation ... 129
5.5.1 Extending the Vires Toolset ... 129
5.5.2 Implementation of the Program Transformation ... 130
5.5.3 Experiments ... 134
5.5.4 Case Study: a Wireless ATM Medium-access Protocol ... 139
5.6 Conclusion ... 145
6 Timed Verification with µCRL ... 147
6.1 Introduction ... 148
6.2 µCRL: Basic Notions ... 149
6.3 Semantics of Time ... 152
6.4 Specifying Timed Systems in µCRL ... 154
6.5 Experiments ... 158
6.6 Timed Verification ... 163
6.6.1 Regular LTL ... 163
6.6.2 Regular LTL with Time ... 164
6.6.3 tick-encoding of Regular LTL with Time ... 166
6.7 Conclusion ... 170
7 Conclusion ... 171
Bibliography ... 176
Summary ... 187
Samenvatting ... 189
1 Introduction
1.1 Towards Reliable Reactive Systems 
In the last decades, the application domain of reactive systems has drastically increased. Nowadays, reactive systems are used in various areas, from avionics and automotive systems to telecommunication and manufacturing systems. Reactive systems are the systems whose role is to maintain an ongoing interaction with their environment, rather than produce a final value on termination. A typical reactive system exhibits the following distinctive characteristics [125, 84]:
- It continuously interacts with its environment, using inputs and outputs.
- The inputs and outputs are often asynchronous, meaning they may arrive and change values at any point of time.
- Its operation and reaction to inputs often reflects strict time requirements.
- It has many possible operational scenarios, depending on the current mode of operation and on the current values of its data as well as its past behavior.
- Often, it is not expected to terminate.
- In general, it consists of many interacting processes that operate in parallel.
Typical examples of reactive systems are on-line interactive systems, such as flight reservation systems; traffic control systems; systems controlling mechanical and electronic devices in a train or a plane; systems controlling ongoing processes in a nuclear reactor.
Behaviour of reactive systems is usually very complex. It cannot be described in an unambiguous, clear and concise way by giving a verbal description. Verbal descriptions tend to be lengthy, incomplete and usually not well-structured. They contain phrases that can be misinterpreted and implemented in many different ways. Therefore, the need for formal description techniques was realized a long time ago.
In the second half of the 1970s, ISO (International Organization for Standardization) started to work on formal description techniques (FDTs) that allow one to specify reactive systems. After eight years of work, the outcome was standards for Estelle (Extended Finite State Machine Language), LOTOS (Language of Temporal Ordering Specification) and SDL (Specification and Description Language) [161]. The last one is the subject of particular attention in this thesis.
Nowadays SDL is a modern, high-level specification language suitable for the description of complex event-driven real-time communicating systems. SDL provides concepts for the specification of behaviour covering asynchronous communication and parallelism. It also allows one to express qualitative and quantitative time requirements for reactive systems. SDL concepts used for describing system behaviour and communication were integrated into those of UML (e.g. SDL process diagrams correspond to UML state diagrams; SDL communication links correspond to UML associations [141]).
In the telecommunication field, SDL is the language of choice for the development of a broad range of software and hardware. Examples are 3G products, cellular phones, switches, WAP stacks, Bluetooth devices, GPRS systems, DECT phones, radio systems, network management platforms and network services systems. Other examples are telecommunication standards like UMTS, GSM, ISDN, V5.2, INAP, etc. SDL is also used in factory automation systems, aerospace and automotive applications, and other safety-critical systems, e.g. kidney-dialysis devices and train-control systems. SDL is used by standardization organizations, universities and companies all over the world (e.g. Alcatel, Ericsson, Fujitsu, Hewlett-Packard, Lucent Technologies, Motorola, Nokia, Nortel, Siemens, BT, Deutsche Telekom and NTT) [157]. In this thesis, we chose an approach to the specification of reactive systems inspired by SDL.
There is a wide range of reactive systems where errors can have catastrophic 
consequences leading to loss of lives, serious environmental damage, failure of 
an important mission, or major economic loss. Here are just two examples of 
such errors. 
Huge losses of monetary and intellectual investment were caused by a rocket 
boost failure in Ariane 5 in June, 1996 ([99]). Ariane 5, an expendable launch 
system, was designed by the European Space Agency (ESA) and manufactured, 
operated and marketed by Arianespace as part of the Ariane program. Ariane 
5 software reused old code from Ariane 4 that was not respecified and retested 
in the new environment. Ariane 5 being more powerful than Ariane 4 caused 
an unanticipated floating-point exception that would never have occurred on 
Ariane 4. The exception was not caught. Direct cost of this failure was estimated 
at 0.5 billion EUR, indirect cost at 2 billion EUR. 
Another example is a failure that caused a power shutdown of cruiser USS 
Yorktown in November 1998 ([99]). A crew member of the guided-missile cruiser 
USS Yorktown mistakenly entered zero for a data value, which resulted in a 
division by zero. The division by zero caused an arithmetic exception, which 
propagated through the system, crashed all LAN consoles and remote terminal 
units, and led to a power shutdown for about three hours. 
The failure in Ariane 5 software and the power shutdown of the cruiser USS Yorktown are just two of many failures of reactive systems with serious consequences. Therefore, the production of reliable reactive systems became a fundamental concern to computer scientists. Different techniques like static analysis, testing, and various formal methods were developed by academic and industrial communities to ensure the quality and reliability of reactive systems.
Static analysis [131] is a broad term covering a wide range of analysis techniques evaluating programs without executing them. Traditionally, static analysis was aimed at the optimization of programs. Typical applications include detecting redundant computations, e.g. loop invariants, and detecting superfluous computations that lead to results that are not used or results that are known already at compile-time. Static analysis is also applied for type checking, performance analysis and partial evaluation. Moreover, there are approaches integrating static analysis with formal methods. For example, static analysis is often used prior to model checking (cf. Section 1.2) to slice programs into smaller parts or to identify independent fragments of a program that can be executed in parallel.
Testing [172, 33] is still one of the most popular techniques used in industry to ensure the reliability of systems. In testing approaches, the system is simulated with certain inputs called stimuli, and the reaction of the system to the stimuli is compared with the one defined by the requirement specification. Exhaustive testing covering all possible system scenarios is practically impossible; hence testing allows one to gain confidence about the correctness of the system by looking at some of them, but it cannot guarantee the absence of errors. This thesis does not deal with testing.
Formal methods allow one to determine system correctness by formal proofs that cover all possible scenarios of the system. They not only help to find errors that are missed by testing but can also prove that the system meets its requirements. The usage of formal methods in early phases of system development makes possible early detection of errors, which greatly reduces the costs of their correction.
1.2 Formal Methods
The term formal methods covers different approaches to specification and verifi-
cation based on mathematical formalisms. Formal methods are aimed at estab-
lishing system correctness with mathematical precision. Every formal approach 
to system verification usually involves a mathematical model of a system, a for-
mal language to specify properties of the system, and a method to check whether 
the model satisfies the specification. 
Labelled transition systems (LTSs) are a common basis for modelling the 
behaviour of reactive systems. LOTOS, Estelle and SDL share LTSs as the 
formal basis of their operational semantics. Therefore, we have chosen LTSs as 
mathematical model for reactive systems. 
Various logics have been proposed to specify properties of systems, e.g. computation tree logic (CTL [62]), linear temporal logic (LTL [137]) and µ-calculus [112]. In this thesis, we use LTL and some subsets of µ-calculus to express properties of reactive systems.
Verifying (or checking) whether a model of a system satisfies certain prop-
erties may be partially or completely automated. Two well-established formal 
approaches to computer-aided verification are theorem proving and model check-
ing. 
Theorem Proving. In theorem proving, a system and its properties are expressed in terms of some mathematical logic. This logic is defined by a formal system that provides a set of axioms and a set of inference rules. Theorem proving consists in finding a proof of a property from the axioms of the system. Steps in the proof appeal to the axioms, rules, and, possibly, to derived definitions and intermediate lemmas. There are tools supporting machine-assisted theorem proving, e.g. PVS [134]. Theorem provers are increasingly being used today in the mechanical verification of safety-critical properties of hardware and software designs [43, 149].
Theorem proving can deal directly with infinite state spaces. It relies on 
techniques like structural induction to construct proofs over possibly infinite 
domains. Interactive theorem provers, by definition, require a lot of interaction 
with a human, so the theorem proving process is slow and very expensive [43]. 
In the process of finding the proof, however, the user often gains better insight 
into the system or the property being proved. Theorem proving is out of the 
scope of this thesis. 
Model Checking. Model checking is considered as the method of choice 
in the verification of reactive systems and is increasingly accepted in industry 
for its push-button appeal. The term model checking designates a collection 
of formal techniques for the automatic analysis of reactive systems. Subtle 
errors in the design of reactive systems that often elude conventional verification 
techniques like testing can be and have been found in this way. Since model 
checking has been proved cost-effective and integrates well with conventional 
design methods, model checking has been accepted as a standard procedure to 
assure the quality of reactive systems [42, 43]. 
The input to a model checker is usually a finite-state description of the system to be analyzed and a number of properties that are expected to hold for the system, often expressed as formulas of some temporal logic. In contrast to theorem proving, model checking is completely automatic and relatively fast, often producing an answer in a matter of seconds. The model checker reports either that the property holds or that it is violated. In the latter case, it provides a counterexample, a run of the system that violates the property. Such a run can provide valuable feedback and points to design errors. Model checking can be used to check partial specifications, and thus it can provide useful information about a system's correctness even if the system has not been completely specified.
There are two approaches to model checking: symbolic as in NuSMV [37] 
and COSPAN [83], and explicit state (or enumerative) as in Spin [93] and 
CADP [65]. In the symbolic approach, a finite-state system is encoded using a set 
of binary variables, just as ordinary data types of programming languages are 
represented in binary form on a computer. The transition relation is expressed 
as a propositional formula in terms of two sets of variables, one set encoding 
the old state and the other encoding the new one. Propositional formulas are 
then represented as binary decision diagrams (BDDs [32]). The model checking 
algorithm is based on computing fixpoints of predicate transformers that are 
obtained from the transition relation [124]. 
Although the symbolic approach can lead to spectacular results, it is not a 
panacea. Effectiveness of symbolic model checking depends on finding a "good" 
variable ordering for the representation of a BDD. However, finding a "good" 
variable ordering is very difficult [127]. 
State space enumeration methods consider each reachable state of a model (a 
finite-state system) to determine whether the model satisfies a given property. 
The main obstacle in model checking of industrial reactive systems is the 
state explosion problem. The size of the model often grows exponentially with 
the number of system components working in parallel. The research questions 
considered in this thesis mainly deal with the development of techniques to 
cope with the state explosion problem in enumerative model checking. 
A number of techniques have been developed to mitigate the state explosion problem: abstraction [122, 41, 50], compositional verification [148], partial-order reduction [74, 163, 95], and on-the-fly techniques [93].
Abstraction. The size of systems that can be analyzed by model checking 
directly remains rather limited. It is still far from the size of real reactive 
systems, which are often not only large but infinite. Therefore, model checking 
must be performed on abstract models. 
Abstraction methodologies are concerned with the following question [48]: Given a concrete system and a property to be checked, how to get a suitable abstract system of finite (smaller) size? To answer this question, an abstraction framework must provide three things: a method for obtaining abstract models, a method for relating abstract and concrete models, and a logic stating properties so that properties satisfied on the abstract system can be related to properties of the concrete system. In general, when we say that a system T^α is an abstraction of a system T, we mean that the observable behaviour of T is contained in the observable behaviour of T^α.
Methods for obtaining abstract models range from slicing and variable hid-
ing to more general algorithmic approaches like program transformation based 
on Abstract Interpretation [46]. The relationship between abstract and concrete 
models is usually defined in terms of bisimulation, homomorphism, Galois con-
nection or simulation (cf. Chapter 2). Given a property of some logic, two types 
of preservation are considered: weak preservation, when every property that is 
true on the abstract model is also true on the concrete one, and strong preserva-
tion, when the same properties hold on the abstract and concrete models [121]. 
Compositional Verification. State explosion can be alleviated by decom-
posing a system into components and considering the components of the system 
one at a time. As in the case of abstraction, compositional verification requires 
additional input from the user who must specify appropriate properties of in-
dividual components. The components do not necessarily function properly in 
an arbitrary environment. Their behaviour relies on the properties of the rest 
of the system. Thus, corresponding assumptions have to be introduced in the 
statement of components' properties [122]. 
Partial-Order Reduction is aimed at reducing the size of a system by 
exploiting the commutativity of concurrently executed actions that result in 
the same state when executed in different orders. The effectiveness of partial-
order reduction methods in general depends on the structure of the system: 
they are useless for tightly synchronized systems, while they may dramatically 
reduce the number of states and transitions explored during model checking of 
loosely coupled, asynchronous systems [42]. 
On-the-fly techniques allow the memory demands of model checkers to be minimized by constructing only those parts of systems that are necessary to verify or refute a given property [93].
Verification of Timed Systems
Quantitative time aspects are often important for correct functionality of reactive systems. Various formalisms such as timed transition systems [89], timed automata [1] and logics [3] have been proposed to model them. When modelling time, two time domains, discrete and dense, are usually differentiated. In the case of a dense time domain, time is modelled by real numbers and time progression has a continuous nature. In the case of a discrete time domain, time is modelled by non-negative integers and time progresses by discrete steps.
Dense time often allows a more adequate representation of reality than discrete time, but it also leads to verification algorithms with higher complexity. UPPAAL [119] is a leading toolset produced in the academic community for the verification of timed systems with dense time. Various verification options like bit-hashing, inactive clock reduction, compact memory management, counterexample generation, etc. are provided for the verification [15]. Designed for the analysis of timed aspects of reactive systems, UPPAAL is not aimed at the verification of the data aspects.
In [88], Henzinger, Manna and Pnueli showed that discrete time suffices for 
a large and important class of systems and properties, including all systems 
that can be modelled as timed transition systems, and such properties as time-
bounded invariance and time-bounded response. In [29], the authors state that 
discrete-time automata can be analyzed using any representation scheme used 
for dense time, and additionally can benefit from enumerative and symbolic 
techniques, which are not naturally applicable to the systems with dense time. 
In this thesis, we limit our attention to reactive systems with discrete time. DTSpin [24, 55], a discrete time extension of the Spin model checker, was used for the majority of experiments mentioned in this thesis.
1.3 Research Questions 
In this section, we formulate the research questions that are considered in this thesis. All research questions are related to the state explosion problem, which can be caused by various factors like interpretation of time, data aspects, asynchronous communication, etc.
Modelling time aspects
Reactive systems are usually timed systems that must respond within certain time limits. Interpretation of time and time constraints in a specification language is very much affected by the intended mode of its use. In implementation-orientated languages, time is modelled as an infinitely growing variable of integer or real type. One infinitely growing variable immediately leads to an infinite system.
Timers are usually employed to express time constraints imposed on a reactive system. They can be used for several purposes: to control the release of a limited resource, to control answers from unreliable resources, to issue actions on a regular basis, etc. Timers are modelled as alarm clocks that either send a signal or throw an exception at the right moment of time. Timers are set to moments in time when they should expire. Since reactive systems are usually not supposed to terminate, settings of timers are unbounded. This interpretation, natural for implementation purposes, is, however, not the best choice for verification.
Taking SDL as an instance of the class of implementation-oriented lan-
guages, our objective is to provide an interpretation of time and timers that 
alleviates the state explosion problem and to show that systems with this in-
terpretation can safely be used for verification. 
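As an added illustration of why the interpretation of timers decides whether a model is finite (this is constructed example code, not code from the thesis), the toy process below alternates between two modes with one timer. Under the implementation-style reading, the timer holds an absolute expiry moment and the clock is an ever-growing variable, so explicit-state exploration never exhausts the state space; under a countdown reading only the distance to expiry is kept, the state space is finite, and a simple check confirms that the countdown model commutes with the step function of the absolute model on every explored state. The process, the setting D and the function names are all assumptions made for this example.

```python
"""Explicit-state exploration of a small discrete-time process under two timer
interpretations. Constructed illustration (not code from the thesis): the
process alternates between 'idle' and 'busy', each phase lasting D ticks of a
timer; time advances by one tick only when no timeout is pending."""
from collections import deque

D = 3  # constructed timer setting (ticks per phase)


def step_absolute(state):
    """Implementation-style semantics: state = (mode, expiry, now).
    The timer is set to an absolute moment; 'now' grows without bound."""
    mode, expiry, now = state
    if expiry == now:                      # timeout: switch mode, re-set timer
        nxt = 'busy' if mode == 'idle' else 'idle'
        return [(nxt, now + D, now)]
    return [(mode, expiry, now + 1)]       # otherwise the clock ticks


def step_countdown(state):
    """Verification-oriented semantics: state = (mode, remaining).
    Only the distance to expiry is kept, so no component grows unboundedly."""
    mode, remaining = state
    if remaining == 0:                     # timeout: switch mode, re-set timer
        nxt = 'busy' if mode == 'idle' else 'idle'
        return [(nxt, D)]
    return [(mode, remaining - 1)]         # clock tick


def explore(initial, step, max_states):
    """Breadth-first reachability. Returns (reachable states, exhausted), where
    exhausted is False if the state bound was hit before the frontier emptied."""
    seen = {initial}
    frontier = deque([initial])
    while frontier:
        if len(seen) > max_states:
            return seen, False
        s = frontier.popleft()
        for t in step(s):
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen, True


def to_countdown(state):
    """Map an absolute-time state to its countdown counterpart."""
    mode, expiry, now = state
    return (mode, expiry - now)


def transformation_is_homomorphism(abs_states):
    """Check on every explored absolute state that mapping then stepping gives
    the same successors as stepping then mapping; this is the condition that
    lets results obtained on the countdown model be transferred back."""
    for s in abs_states:
        via_abstract = set(step_countdown(to_countdown(s)))
        via_concrete = {to_countdown(t) for t in step_absolute(s)}
        if via_abstract != via_concrete:
            return False
    return True


if __name__ == '__main__':
    abs_states, done = explore(('idle', D, 0), step_absolute, 500)
    print('absolute time: %d states, exhausted=%s' % (len(abs_states), done))
    cd_states, done = explore(('idle', D), step_countdown, 500)
    print('countdown: %d states, exhausted=%s' % (len(cd_states), done))
    print('step-preserving:', transformation_is_homomorphism(abs_states))
```

The countdown model has exactly 2·(D+1) reachable states, while the absolute-time model hits any state bound you give it.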
Abstracting timers 
Correctness of reactive systems often depends on right timer settings. Model checkers can only verify a single finite-state system at a time. Direct model checking whether a system works for all settings of a timer larger than or equal to some k would require one iteration for each setting larger than some k, i.e., we would need infinitely many iterations. In some cases, it would be more convenient to reason automatically about a family of similar systems. The verification problem in this case can be formulated as follows: given a family of systems whose timer settings satisfy condition "larger than or equal to some k" and a property, check whether the property holds for each system in the family. This problem is undecidable for model checking [7]. In some cases, an abstraction that treats settings of a timer as a system parameter can be used to solve this problem.
Abstractions, however, introduce infinite traces that do not correspond to any behaviour of the real system, and these spurious traces can lead to false negatives. Our objective is to show how to exclude such nuisance behaviour in the case of a timer abstraction, and how to do that in the most efficient way.
Closing open systems 
Most model checkers cannot handle open systems. Therefore, the next step 
following the decomposition of a system into components is closing components 
with an environment. 
Closing open systems is commonly done by adding an environment that is 
an abstraction of the real environment. The simplest safe abstraction of the 
environment thus behaves chaotically. When done manually, this closing, as 
simple as it is, is tiresome and error-prone for large systems, for instance due 
to the sheer amount of signals. 
For model checking, the approach to closing should be well-considered, to 
counter the state explosion problem. This is especially true in the context of 
model checking reactive systems where components communicate asynchro-
nously. Sending arbitrary message streams to unbounded input queues will 
immediately lead to an infinite system, unless some assumptions restricting 
the environment behaviour are incorporated in the closing process. Even so, 
external chaos results in a combinatorial explosion caused by all combinations 
of messages in the input queues. 
Another problem addressed by closing is that the data carried with the 
messages coming from the environment is usually drawn from some infinite 
data domain. Special care must be taken to ensure that chaos also shows more 
behaviour with regards to timing issues such as timeouts and time progress. 
Our objective is to provide an automatic approach to closing asynchronous 
open timed systems. 
Reuse of untimed verification methods for timed verification 
Many formalisms have been proposed for timed verification. Most of them are 
designed for the analysis of timed aspects of reactive systems, while data aspects 
are usually not taken into account. On the other side, there exist powerful 
formalisms that are able to handle both data and behaviour aspects of reactive 
systems but are originally not aimed at the verification of time issues. Our 
challenge is to show how to reuse untimed formalisms with good support for 
data types and behaviours for the verification of reactive systems with discrete 
time. 
1.4 Road Map 
Chapter 2 reviews some mathematical notions and some notions from computer 
science that will be used in the rest of the thesis. 
Chapter 3 presents a transformation of SDL timers aimed at reducing the 
infinite domain of timer values to a finite one. We justify the proposed trans-
formation by proofs that allow us to transfer both negative and positive results 
of verification from the transformed model to the original one. We show that 
the transformed model and the original one are related by path equivalence 
up to stuttering. This guarantees that any LTL-X-formula satisfied by the 
transformed model is satisfied by the original one, and that a counterexample 
trace found in the transformed system can also be found in the original one. 
In Chapter 4, we propose a timer abstraction and argue its correctness. 
The abstraction introduces infinite traces that have no corresponding traces 
at the concrete level. We show how to exclude them by imposing a strong 
fairness constraint on the abstract model. By employing the fact that the timer 
abstraction introduces a self-loop, we render the strong fairness constraint into 
a weak fairness constraint and embed it into the verification algorithm. 
In Chapter 5, we propose an automatic transformation yielding a closed sys-
tem. By embedding the outside chaos into the system, we avoid the state-space 
penalty in the input queues mentioned above. To capture the chaotic timing 
behaviour of the environment, we introduce a non-standard three-valued timer 
abstraction. The transformation is based on data-flow analysis that detects 
instances of chaotic variables and timers. The approach is implemented in a 
tool that automatically closes DTPROMELA translations of SDL-specifications. 
To corroborate the usefulness of our approach, we compare the state space of 
a system closed by embedding chaos with the state space of the same system 
closed with chaos as external environment process on a case study for a wireless 
ATM medium-access protocol. 
In Chapter 6, we propose a manner of introducing discrete time into the 
µCRL language without extending the language. The specification language 
µCRL [78] (micro Common Representation Language) is a process algebraic 
language that was especially developed to take account of data in the study 
of communicating processes. The µCRL toolset [19] together with the CADP 
toolset [65] provides support for enumerative model checking. The semantics of 
discrete time we use makes it possible to reduce the time progress problem to 
the diagnostics of "no action is enabled" situations. The synchronous nature 
of µCRL facilitates this task. We show some experimental verification results 
obtained on a timed communication protocol. 
Each of these chapters contains an introduction giving an elaborated motivation and an overview of related work.
Chapter 7 discusses how our research questions are answered in this thesis. 
1.5 Origins of Chapters 
Chapter 3, "Timer Transformation to Verify SDL Specifications", was co-authored with Natalia Sidorova. It was published earlier as:
N. Ioustinova and N. Sidorova. Transformation of SDL specifications - a step towards the verification. In D. Bjorner, M. Broy, and A. Zamulin, editors, Post-proceedings of Andrei Ershov Fourth International Conference Perspectives of System Informatics (PSI 01), volume 2244 of Lecture Notes in Computer Science, pages 64-78. Springer, 2001.
Chapter 4, "Using Fairness to Make Abstractions Work", was co-authored with Dragan Bosnacki and Natalia Sidorova. It was published earlier as:
D. Bosnacki, N. Ioustinova, and N. Sidorova. Using fairness to make abstractions work. In S. Graf and L. Mounier, editors, Proc. of the 11th Int. Spin Workshop on Model Checking of Software, volume 2989 of Lecture Notes in Computer Science, pages 198-215. Springer, 2004.
Chapter 5, "Closing and Flow Analysis for Model Checking Reactive Systems", was co-authored with Natalia Sidorova and Martin Steffen. It was published earlier as:
N. Ioustinova, N. Sidorova, and M. Steffen. Abstraction and flow analysis for model checking open asynchronous systems. In P. Strooper and P. Muenchaisri, editors, Proc. of the 9th Asia Pacific Software Engineering Conference (APSEC 2002), pages 227-235. IEEE Computer Society, 2002.
N. Ioustinova, N. Sidorova, and M. Steffen. Closing open SDL-systems for model checking with DTSpin. In L. H. Eriksson and P. A. Lindsay, editors, FME 2002: Formal Methods - Getting IT Right, Proc. of International Symposium of Formal Methods Europe, FME 2002, volume 2391 of Lecture Notes in Computer Science, pages 531-548. Springer, 2002.
N. Ioustinova, N. Sidorova, and M. Steffen. Synchronous closing and flow abstraction for model checking timed systems. In Proc. of the Second International Symposium on Formal Methods for Components and Objects (FMCO '03), volume (to appear) of Lecture Notes in Computer Science. Springer, 2004.
Chapter 6, "Timed Verification with µCRL", was co-authored with Stefan Blom and Natalia Sidorova. It was published earlier as:
S. Blom, N. Ioustinova, and N. Sidorova. Timed verification with µCRL. In M. Broy and A. Zamulin, editors, Proc. of the 5th Int. Conf. Perspectives of System Informatics, volume 2890 of Lecture Notes in Computer Science, pages 178-192. Springer, 2003.

2 Preliminaries 
This chapter reviews some mathematical notions and some notions from computer science that will be used in the rest of the thesis.
2.1 Partially Ordered Sets and Lattices 
The notions of a partially ordered set, a complete lattice and fixed points play a 
crucial role in static analysis. Here we review basic definitions and some results 
about partial orders, lattices, least and greatest fixed points [53]. 
Definition 2.1. [PARTIAL ORDER]
Let $S$ be a set. An order (or partial order) on $S$ is a binary relation $\sqsubseteq$ on $S$ such that for all $s, s_1, s_2, s_3 \in S$,
- $s \sqsubseteq s$,
- $s_1 \sqsubseteq s_2 \wedge s_2 \sqsubseteq s_1 \Rightarrow s_1 = s_2$,
- $s_1 \sqsubseteq s_2 \wedge s_2 \sqsubseteq s_3 \Rightarrow s_1 \sqsubseteq s_3$.
These conditions are referred to as reflexivity, antisymmetry and transitivity, respectively. A set $S$ equipped with an order relation $\sqsubseteq$ is called an ordered set (or partially ordered set), denoted $(S, \sqsubseteq)$. Further we use the shorthand poset.
Many important posets are expressed in terms of the existence of certain upper and lower bounds of subsets of $S$. The most important classes of posets defined in this way are lattices and complete lattices. $s \in S$ is the least element of $S$ if $s \sqsubseteq s'$ for all $s' \in S$. The greatest element of $S$ is defined dually. A subset $S'$ of $S$ has $s \in S$ as an upper bound if for all $s' \in S'$: $s' \sqsubseteq s$. A subset $S'$ of $S$ has $s \in S$ as a lower bound if for all $s' \in S'$: $s \sqsubseteq s'$. A least upper bound $s$ of $S'$ is an upper bound of $S'$ such that $s \sqsubseteq s''$ for all upper bounds $s''$ of $S'$. A greatest lower bound $s$ of $S'$ is a lower bound of $S'$ such that $s'' \sqsubseteq s$ for all lower bounds $s''$ of $S'$.
Definition 2.2. [COMPLETE LATTICE]
A complete lattice is a poset $S$ such that all its subsets have a least upper bound and a greatest lower bound.
Further, the least upper bound and the greatest lower bound of $S$, when they exist, are denoted as $\mathrm{lub}(S)$ and $\mathrm{glb}(S)$, respectively.
Definition 2.3. [FIXPOINT]
Let $S$ be a poset and $f: S \to S$ be a function. We say $s \in S$ is a fixpoint of $f$ if $f(s) = s$. The set of all fixpoints of $f$ is denoted $\mathrm{fix}(f)$. The least element of $\mathrm{fix}(f)$, when it exists, is called the least fixpoint of $f$. Similarly we define the greatest fixpoint of $f$.
Let $(S, \sqsubseteq)$ be a complete lattice and $f: S \to S$ be a function. We say that $f$ is monotonic if $f(s) \sqsubseteq f(s')$ whenever $s \sqsubseteq s'$.
Theorem 2.1. [KNASTER/TARSKI]
Let $(S, \sqsubseteq)$ be a complete lattice and $f: S \to S$ be a monotonic function. Then $f$ has a greatest fixpoint $\mathrm{gfp}(f)$ and a least fixpoint $\mathrm{lfp}(f)$.
Definition 2.4. [GALOIS CONNECTION]
Let $(S, \sqsubseteq)$ and $(A, \preceq)$ be posets. A pair of mappings $\alpha: S \to A$, $\gamma: A \to S$ is a Galois connection $(\alpha, \gamma)$ from $S$ to $A$ iff for all $s \in S$ and $a \in A$, $\alpha(s) \preceq a \Leftrightarrow s \sqsubseteq \gamma(a)$.
2.2 Transition Systems and Behavioural Equivalences 
Definition 2.5. [TRANSITION SYSTEM]
A transition system $T$ is a tuple $(S, R)$ where $S$ is a set of states and $R \subseteq S \times S$ is a transition relation.
A transition system can have various attributes. Often a subset $S_0 \subseteq S$ is designated to represent the initial states. A transition system may come with an interpretation function $I: P \to 2^S$ that specifies the interpretation of atomic propositions from $P$ over the states (see Section 2.3). Alternatively, the valuation of literals in states may be given by a labelling function $\mathcal{L}: S \to 2^P$ specifying the propositions that hold in a state. A transition system with initial states and an interpretation function $\mathcal{L}$ is also called a Kripke structure [113] (see Section 2.3). Not only states but also transitions of the system can be labelled.
Definition 2.6. [LTS]
A labelled transition system (LTS) $T$ is a tuple $(S, Lab, \to, s_0)$ where
- $S$ is a set of states or locations;
- $Lab$ is a set of labels;
- $\to \subseteq S \times Lab \times S$ is a labelled transition relation;
- $s_0 \in S$ is an initial state.
Further we write $s \xrightarrow{\lambda} s'$ for a triple $(s, \lambda, s') \in \to$. A triple $(s, \lambda, s')$ is also referred to as a $\lambda$-step of $T$.
Definition 2.7. [TRACE]
Let $T = (S, Lab, \to, s_0)$ be an LTS. A trace $\zeta$ of $T$ is a pair of mappings $\zeta_\gamma: N \to S$ and $\zeta_\lambda: N \setminus \{0\} \to Lab$, where either $N = \{0, 1, 2, \ldots, n\}$ or $N = \mathbb{N}$, and $(\zeta_\gamma(i), \zeta_\lambda(i+1), \zeta_\gamma(i+1)) \in \to$ for all $i, (i+1) \in N$. If $N = \mathbb{N}$, trace $\zeta$ is called an infinite trace; otherwise, it is called a finite trace. The length of $\zeta$ is defined as $|N \setminus \{0\}|$ and referred to as $|\zeta|$.
We use $\zeta^{(m)}$ to denote the prefix of $\zeta$ ending at $\zeta_\gamma(m)$. We also use $\zeta_{(m)}$ to denote the suffix of $\zeta$ starting at $\zeta_\gamma(m)$. Of course $\zeta^{(m)}$ is defined iff $\zeta$ has a length of at least $m$. $\zeta_{(m)}$ is defined only in case $\zeta$ has a length of at least $m + 1$.
Definition 2.8. [PARTITIONING]
Let $\zeta = (\zeta_\gamma, \zeta_\lambda)$ be a trace of an LTS $T$. Let $N$ be the domain of $\zeta_\gamma$. Let $I$ be a connected subset of $N$, i.e., it is either $I = \{z \mid k \le z \le m\}$, where $k < m$, or $I = \{z \mid z \ge k\}$. A pair $\zeta^I = (\zeta^I_\gamma, \zeta^I_\lambda)$ of mappings $\zeta^I_\gamma: I \to S$ and $\zeta^I_\lambda: I \setminus \{k\} \to Lab$ is called a part of trace $\zeta$ iff the following conditions are satisfied:
- for all $i \in I$: $\zeta^I_\gamma(i) = \zeta_\gamma(i)$;
- for all $j \in I \setminus \{k\}$: $\zeta^I_\lambda(j) = \zeta_\lambda(j)$.
Let $\zeta^{I_1}$ and $\zeta^{I_2}$ be two parts of $\zeta$. $\zeta^{I_1 \cup I_2}$ is called the concatenation of $\zeta^{I_1}$ and $\zeta^{I_2}$ iff $I_1 = \{k, \ldots, m\}$ and $\min_{i \in I_2} i = m$.
A partitioning of trace $\zeta$ is a finite or infinite sequence $\zeta^{I_1} \zeta^{I_2} \ldots$ of parts of $\zeta$ such that the concatenation of the parts coincides with $\zeta$.
Definition 2.9. [REACHABLE STATE]
Let $T = (S, Lab, \to, s_0)$ be an LTS. A state $s \in S$ is reachable from the initial state of the system if there is a trace $\zeta$ of $T$ such that $\zeta_\gamma(0) = s_0$ and $\zeta_\gamma(i) = s$ for some $i \ge 0$.
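As an added illustration (not from the thesis) of Theorem 2.1 and Definition 2.9 together: on the finite powerset lattice $(2^S, \subseteq)$ the least fixpoint of a monotonic function is reached by iterating from the least element, and the set of states reachable from $s_0$ is exactly $\mathrm{lfp}(X \mapsto \{s_0\} \cup post(X))$; dually, $\mathrm{gfp}(X \mapsto pre(X))$, iterated down from $S$, is the set of states from which an infinite trace exists. The function names and the sample LTS are constructed for this example.

```python
from typing import Callable, FrozenSet, Hashable, Iterable, Tuple

State = Hashable
Step = Tuple[State, str, State]          # (s, label, s'), a lambda-step as in Def. 2.6
Lattice = FrozenSet[State]               # an element of the powerset lattice (2^S, subset-of)


def lfp(f: Callable[[Lattice], Lattice], bottom: Lattice) -> Lattice:
    """Least fixpoint of a monotonic f on a finite powerset lattice (Theorem 2.1):
    iterate bottom, f(bottom), f(f(bottom)), ... until the ascending chain stabilises."""
    cur = bottom
    while True:
        nxt = f(cur)
        if not cur <= nxt:
            # The chain from bottom can only break if f is not monotonic.
            raise ValueError("f is not monotonic on the chain from bottom")
        if nxt == cur:
            return cur
        cur = nxt


def gfp(f: Callable[[Lattice], Lattice], top: Lattice) -> Lattice:
    """Greatest fixpoint of a monotonic f: descend from the greatest element."""
    cur = top
    while True:
        nxt = f(cur)
        if not nxt <= cur:
            raise ValueError("f is not monotonic on the chain from top")
        if nxt == cur:
            return cur
        cur = nxt


def post(steps: Iterable[Step], X: Lattice) -> Lattice:
    """Successors of X: targets of steps leaving a state in X."""
    return frozenset(t for (s, _, t) in steps if s in X)


def pre(steps: Iterable[Step], X: Lattice) -> Lattice:
    """Predecessors of X: sources of steps entering a state in X."""
    return frozenset(s for (s, _, t) in steps if t in X)


def reachable(steps: Iterable[Step], s0: State) -> Lattice:
    """Def. 2.9 as a least fixpoint: the smallest set containing s0 and closed under post."""
    steps = list(steps)
    return lfp(lambda X: frozenset({s0}) | post(steps, X), frozenset())


def nonblocking(states: Iterable[State], steps: Iterable[Step]) -> Lattice:
    """States from which an infinite trace exists: the greatest X with X <= pre(X).
    A deadlocked state has no successor and drops out in the first iteration."""
    steps = list(steps)
    return gfp(lambda X: pre(steps, X), frozenset(states))


# Constructed sample LTS: a -x-> b -y-> c -z-> b, b -w-> d (d is a deadlock),
# e -v-> a (e is not reachable from the initial state a).
SAMPLE_STATES = frozenset("abcde")
SAMPLE_STEPS = [("a", "x", "b"), ("b", "y", "c"), ("c", "z", "b"),
                ("b", "w", "d"), ("e", "v", "a")]

if __name__ == "__main__":
    print("reachable from a:", sorted(reachable(SAMPLE_STEPS, "a")))              # a b c d
    print("infinite trace from:", sorted(nonblocking(SAMPLE_STATES, SAMPLE_STEPS)))  # a b c e
```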
A wide range of behavioural equivalences and relations has been developed to distinguish two systems. Often the notion of equivalence between two systems is based upon the idea that we only distinguish between system $T_1$ and system $T_2$ if the distinction can be detected by an external system interacting with each of them. [71] provides an overview and comparison of existing behavioural equivalences. Further we review the notions of trace equivalence, simulation, bisimulation and isomorphism for LTSs. Trace equivalence requires that systems can execute the same traces but does not require that systems have the same branching structure. Bisimulation and isomorphism make it possible to distinguish systems that have different branching structures. Let $T_1 = (S_1, Lab_1, \to_1, s^1_0)$ and $T_2 = (S_2, Lab_2, \to_2, s^2_0)$ be two LTSs.
Definition 2.10. [STRONG EQUIVALENCE OF TRACES]
Let $\zeta$ and $\rho$ be traces of LTSs $T_1$ and $T_2$ respectively. We say that $\zeta \equiv_{tr} \rho$ iff $|\zeta| = |\rho|$ and $\zeta_\lambda(i+1) = \rho_\lambda(i+1)$ for all $i$ with $0 \le i < |\zeta|$.
Definition 2.11. [STRONG TRACE INCLUSION]
We say that the set of traces generated by LTS $T_2$ includes the set of traces generated by LTS $T_1$, written as $T_1 \sqsubseteq_{tr} T_2$, iff for every trace $\zeta$ of $T_1$ there exists a trace $\rho$ in $T_2$ such that $\zeta \equiv_{tr} \rho$.
Definition 2.12. [STRONG TRACE EQUIVALENCE]
Two LTSs $T_1$ and $T_2$ are trace equivalent, written as $T_1 \equiv_{tr} T_2$, iff both $T_1 \sqsubseteq_{tr} T_2$ and $T_2 \sqsubseteq_{tr} T_1$.
Definition 2.13. [STRONG SIMULATION]
A relation $R \subseteq S_1 \times S_2$ is a strong simulation relation between LTS $T_1$ and LTS $T_2$ iff $s^1_0 R s^2_0$, and $pRq$ together with $p \xrightarrow{\lambda}_1 p'$ implies $q \xrightarrow{\lambda}_2 q'$ and $p'Rq'$, for some $q' \in S_2$.
We write $T_1 \preceq T_2$ if there exists a strong simulation relation $R$ between $T_1$ and $T_2$.
Definition 2.14. [STRONG BISIMULATION]
A relation $R \subseteq S_1 \times S_2$ is a strong bisimulation relation between LTS $T_1$ and LTS $T_2$ iff both $R$ and $R^{-1}$ are strong simulations.
We write $T_1 \leftrightarrow T_2$ if there exists a strong bisimulation relation $R$ between $T_1$ and $T_2$.
It is straightforward to check that $\leftrightarrow$ is an equivalence relation, i.e., $\leftrightarrow$ is reflexive, symmetric and transitive.
Definition 2.15. [ISOMORPHISM]
Two LTSs $T_1$ and $T_2$ are isomorphic iff there is a bijection $g: S_1 \to S_2$ such that $\forall s, s' \in S_1$, $s \xrightarrow{\lambda}_1 s'$ iff $g(s) \xrightarrow{\lambda}_2 g(s')$.
Isomorphism implies strong bisimulation; strong bisimulation implies strong 
trace equivalence; strong simulation implies strong trace inclusion. 
[72] provides an overview of existing process equivalences and relations in 
context of process algebras with silent moves. There, only a set of external 
actions of a system is visible to an observer and the internal structure of the 
system is hidden. Which activities of the system are hidden is a matter of choice 
that depends on the level of detail at which one wants to analyse the system. 
The hidden activities of the system are denoted as $\tau$.
Weak trace equivalence relates two systems that can perform exactly the 
same sequence of observable actions. 
Definition 2.16. [WEAK EQUIVALENCE OF TRACES]
Let $\zeta$ and $\rho$ be traces of LTSs $T_1$ and $T_2$ respectively. We say that $\zeta \equiv_{wtr} \rho$ iff $\zeta$ and $\rho$ can be partitioned as $\zeta^1 \zeta^2 \ldots$ and $\rho^1 \rho^2 \ldots$ respectively, so that the following conditions are satisfied:
- every $\zeta^k$, $\rho^k$ has at most one step labelled with $\lambda \neq \tau$;
- $\zeta^k$ contains a step labelled by $\lambda \neq \tau$ iff $\rho^k$ contains a step labelled by $\lambda \neq \tau$.
Definition 2.17. [WEAK TRACE INCLUSION]
We say that the set of traces generated by LTS $T_2$ weakly includes the set of traces generated by LTS $T_1$, written as $T_1 \sqsubseteq_{wtr} T_2$, iff for every trace $\zeta$ of $T_1$ there exists a trace $\rho$ in $T_2$ such that $\zeta \equiv_{wtr} \rho$.
Definition 2.18. [WEAK TRACE EQUIVALENCE]
Two LTSs $T_1$ and $T_2$ are weakly trace equivalent, written as $T_1 \equiv_{wtr} T_2$, iff both $T_1 \sqsubseteq_{wtr} T_2$ and $T_2 \sqsubseteq_{wtr} T_1$.
Intuitively, a $\tau$-step is not truly silent if it results in a change of "potential" of the system. For example, consider the LTS on Fig. 1. After execution of the $\tau$-step the system loses the option to execute step $a$. Therefore, the $\tau$-step of the system is not truly silent. The intuition of a truly silent $\tau$-step is formalized in the notions of branching simulation and branching bisimulation [70].
Definition 2.19. [BRANCHING SIMULATION]
A relation $R \subseteq S_1 \times S_2$ is a branching simulation relation between LTSs $T_1$ and $T_2$ iff $s^1_0 R s^2_0$ and $pRq$ together with $p \xrightarrow{\lambda}_1 p'$ implies that one of the following conditions holds:
1. $q \xrightarrow{\tau}_2 q'_1 \xrightarrow{\tau}_2 \ldots \xrightarrow{\tau}_2 q'_n \xrightarrow{\lambda}_2 q'$, for some $n \ge 0$ and $q', q'_1, \ldots, q'_n \in S_2$ such that $pRq'_i$ for all $i = 1..n$ and $p'Rq'$;
2. $\lambda = \tau$ and $p'Rq$.
[Fig. 1. Not truly silent $\tau$ (figure not reproduced; transition labels $a$, $\tau$, $b$)]
We write $T_1 \sqsubseteq_{br} T_2$ if there exists a branching simulation relation $R$ between $T_1$ and $T_2$.
Definition 2.20. [BRANCHING BISIMULATION]
A relation $R \subseteq S_1 \times S_2$ is a branching bisimulation relation between LTSs $T_1$ and $T_2$ iff both $R$ and $R^{-1}$ are branching simulations.
We write $T_1 \leftrightarrow_{br} T_2$ if there exists a branching bisimulation relation $R$ between $T_1$ and $T_2$.
In [13], it was shown that branching bisimulation is indeed an equivalence 
relation. 
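The following added example (not code from the thesis) computes the largest strong bisimulation (Def. 2.14) and the largest branching bisimulation (Def. 2.20) between two finite LTSs as a greatest fixpoint: start from $S_1 \times S_2$ and discard pairs that violate the step condition of Def. 2.13 or Def. 2.19 until nothing changes; the systems are related iff the pair of initial states survives. The sample LTSs are constructed: P and Q have the same traces but differ in branching structure, U contains the $\tau$ of Fig. 1 while V offers the choice directly, and W reaches that choice through a truly silent $\tau$.

```python
from typing import Callable, FrozenSet, Hashable, Iterable, List, Set, Tuple

State = Hashable
TAU = "tau"                      # the silent action
Pair = Tuple[State, State]


class LTS:
    """A finite LTS (S, Lab, ->, s0) as in Def. 2.6, given by its steps and initial state."""

    def __init__(self, steps: Iterable[Tuple[State, str, State]], s0: State):
        self.steps = list(steps)
        self.s0 = s0
        self.states: FrozenSet[State] = frozenset(
            {s0} | {x for (p, _, q) in self.steps for x in (p, q)})

    def out(self, s: State) -> List[Tuple[str, State]]:
        """Outgoing (label, target) pairs of s."""
        return [(lab, t) for (p, lab, t) in self.steps if p == s]


def strong_match(R: Set[Pair], p, lab, p2, q, other: LTS) -> bool:
    """Def. 2.13: p -lab-> p' must be answered by q -lab-> q' with (p', q') in R."""
    return any(l == lab and (p2, q2) in R for (l, q2) in other.out(q))


def branching_match(R: Set[Pair], p, lab, p2, q, other: LTS) -> bool:
    """Def. 2.19: either lab = tau and (p', q) in R, or q -tau->* q_n -lab-> q'
    with every intermediate q_i related to p and (p', q') in R."""
    if lab == TAU and (p2, q) in R:
        return True
    seen, todo = {q}, [q]
    while todo:                                   # explore tau-paths from q
        qi = todo.pop()
        for (l, qj) in other.out(qi):
            if l == lab and (p2, qj) in R:
                return True
            if l == TAU and (p, qj) in R and qj not in seen:
                seen.add(qj)
                todo.append(qj)
    return False


def largest_bisimulation(t1: LTS, t2: LTS, match: Callable) -> Set[Pair]:
    """Greatest fixpoint: drop pairs until R and R^-1 both satisfy the simulation condition.
    Pairs are only ever removed when they fail against a superset of the final relation,
    so the result is the largest bisimulation between all states of t1 and t2."""
    R = {(p, q) for p in t1.states for q in t2.states}
    changed = True
    while changed:
        changed = False
        Rinv = {(q, p) for (p, q) in R}
        for (p, q) in list(R):
            ok = all(match(R, p, lab, p2, q, t2) for (lab, p2) in t1.out(p)) and \
                 all(match(Rinv, q, lab, q2, p, t1) for (lab, q2) in t2.out(q))
            if not ok:
                R.discard((p, q))
                changed = True
    return R


def strong_bisimilar(t1: LTS, t2: LTS) -> bool:
    return (t1.s0, t2.s0) in largest_bisimulation(t1, t2, strong_match)


def branching_bisimilar(t1: LTS, t2: LTS) -> bool:
    return (t1.s0, t2.s0) in largest_bisimulation(t1, t2, branching_match)


# Constructed samples. P = a.(b + c) and Q = a.b + a.c have the traces {a, ab, ac}
# in common but a different branching structure.
P = LTS([("p0", "a", "p1"), ("p1", "b", "p2"), ("p1", "c", "p3")], "p0")
Q = LTS([("q0", "a", "q1"), ("q0", "a", "q2"), ("q1", "b", "q3"), ("q2", "c", "q4")], "q0")
# U: after its tau the a-step is lost (Fig. 1); V offers a and b directly;
# W offers a and b after a tau that changes no potential.
U = LTS([("u0", "a", "u1"), ("u0", TAU, "u2"), ("u2", "b", "u3")], "u0")
V = LTS([("v0", "a", "v1"), ("v0", "b", "v2")], "v0")
W = LTS([("w0", TAU, "w1"), ("w1", "a", "w2"), ("w1", "b", "w3")], "w0")

if __name__ == "__main__":
    print("P <-> Q:", strong_bisimilar(P, Q))          # False
    print("U <->br V:", branching_bisimilar(U, V))      # False
    print("W <->br V:", branching_bisimilar(W, V))      # True
```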
2.3 Temporal and Modal Logic 
Various logics have been developed to specify properties of systems and programs, e.g., computation tree logic (CTL*) [62], linear temporal logic (LTL) [137] and the $\mu$-calculus [112]. They make it possible to express universal and existential properties that hold for all or some traces of a system respectively. Various safety ("nothing bad will ever happen") and liveness ("something good must eventually happen") properties can be expressed as well.
Definition 2.21. [CTL*]
Given a set of atomic propositions $P$, the logic CTL* consists of state formulas $\varphi$ and path formulas $\psi$ defined by the following grammar:
$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid A\,\psi \mid E\,\psi$, where $p \in P$
$\psi ::= \varphi \mid \neg\psi \mid \psi \vee \psi \mid \psi \wedge \psi \mid X\,\psi \mid F\,\psi \mid G\,\psi \mid \psi\,U\,\psi \mid \psi\,R\,\psi$
In definition 2.21 , A and E are path quantifiers meaning "for all paths" 
and "for some paths" respectively; F , G , X , U , R are temporal operators 
expressing properties of a single path . Formally, the CTL* semantics is defined 
by Def. 2.24. The "eventually" operator F specifies that a property holds at 
some state of the path . The "always" operator G requires that a property holds 
at every state of the path. The "next" operator X expresses that a property 
holds in the second state of the path. The "unless" operator U holds if there 
is a state on the path where the second property holds and the first property 
holds at every state preceding this state. The "release" operator R is used to 
specify that the second property holds in all states along a path up to and 
including the first state that satisfies the first property. The first property is 
not required to be eventually satisfied. 
Linear Temporal Logic, LTL, is a subset of CTL* that consists of formu-
las having the form A 'lj; where 'ljJ is a path formula in which the only state 
subformulas permitted are atomic propositions. 
Definition 2.22. [LTL]
Given a set of atomic propositions $P$, the logic LTL consists of path formulas of the form defined by the following grammar:
$\psi ::= p \mid \neg\psi \mid \psi \vee \psi \mid \psi \wedge \psi \mid F\,\psi \mid G\,\psi \mid X\,\psi \mid \psi\,U\,\psi \mid \psi\,R\,\psi$
where $p \in P$.
In the LTL context, $\Box$ is often used instead of $G$ to denote the "always" operator and $\Diamond$ is used instead of $F$ to denote the "eventually" operator.
CTL* formulas are interpreted over Kripke structures. 
Definition 2.23. [KRIPKE STRUCTURE]
A Kripke structure $K$ is a tuple $(T, S_0, \mathcal{L})$, where $T$ is a transition system $(S, R)$, $S_0$ is a set of initial states, $\mathcal{L}: S \to 2^P$ is an interpretation function and $P$ is a set of atomic propositions.
A sequence in the Kripke structure $K = (S, R, S_0, \mathcal{L})$ is $\pi = s_0 s_1 s_2 \ldots$ such that $(s_i, s_{i+1}) \in R$ holds for all $i \ge 0$. A path in the Kripke structure $K = (S, R, S_0, \mathcal{L})$ is an infinite sequence. We use $\pi_{(i)}$ to denote the suffix of $\pi$ starting at state $s_i$; $\pi^{(i)}$ is used to denote the prefix of $\pi$ starting at $s_0$ and ending at $s_i$. In case a state $s$ has no outgoing transitions, we say that there is a deadlock in this state. Both paths and finite sequences $\pi = s_0 s_1 \ldots s_k$ ending at a state $s_k$ that has a deadlock are called computations of $K$. The length of $\pi$ (denoted $|\pi|$) is the number of states on it. The satisfaction of a formula is defined inductively.
Definition 2.24. [CTL* SEMANTICS] [42]
Let $K = (S, R, S_0, \mathcal{L})$ be a Kripke structure over $P$. Let $p \in P$, $\phi, \phi_1, \phi_2$ be state formulas and $\psi, \psi_1, \psi_2$ be path formulas, $s \in S$ and $\pi$ be a path in $K$. The relation $\models$ is defined inductively as follows:
- $K, s \models p$ iff $p \in \mathcal{L}(s)$;
- $K, s \models \neg\phi$ iff $K, s \not\models \phi$;
- $K, s \models \phi_1 \vee \phi_2$ iff $K, s \models \phi_1$ or $K, s \models \phi_2$;
- $K, s \models \phi_1 \wedge \phi_2$ iff $K, s \models \phi_1$ and $K, s \models \phi_2$;
- $K, s \models E\,\psi$ iff there exists a path $\pi$ starting in $s$ such that $K, \pi \models \psi$;
- $K, s \models A\,\psi$ iff for every path $\pi$ starting in $s$, $K, \pi \models \psi$;
- $K, \pi \models \phi$ iff $\pi$ starts in $s$ and $K, s \models \phi$;
- $K, \pi \models \neg\psi$ iff $K, \pi \not\models \psi$;
- $K, \pi \models \psi_1 \vee \psi_2$ iff $K, \pi \models \psi_1$ or $K, \pi \models \psi_2$;
- $K, \pi \models \psi_1 \wedge \psi_2$ iff $K, \pi \models \psi_1$ and $K, \pi \models \psi_2$;
- $K, \pi \models X\,\psi$ iff $K, \pi_{(1)} \models \psi$;
- $K, \pi \models F\,\psi$ iff there exists a $k \ge 0$ such that $K, \pi_{(k)} \models \psi$;
- $K, \pi \models G\,\psi$ iff for all $i \ge 0$, $K, \pi_{(i)} \models \psi$;
- $K, \pi \models \psi_1\,U\,\psi_2$ iff there exists a $k \ge 0$ such that $K, \pi_{(k)} \models \psi_2$ and for all $0 \le j < k$, $K, \pi_{(j)} \models \psi_1$;
- $K, \pi \models \psi_1\,R\,\psi_2$ iff for all $k \ge 0$, $\forall i < k\; K, \pi_{(i)} \not\models \psi_1$ implies $K, \pi_{(k)} \models \psi_2$.
There are several approaches to the interpretation of CTL* path formulas. Although in the original definition of CTL* in [62] both finite and infinite computations are taken into consideration, the definitions of CTL* in [63] and in [60] revise the original definition by quantifying over paths only. A similar definition is given in [41]. In [61, 39], the transition relation of a Kripke structure is required to be total (i.e., every state must have an outgoing transition so that all computations are infinite).
In case only paths are taken into consideration, no properties about finite computations of the system can be expressed. If a Kripke structure contains a deadlock, this will not be caught by checking some CTL* formula.
This deficiency is often repaired by assuring that all computations of the system are infinite before checking any other properties. In [47], a Kripke structure is extended by adding an extra state $s$ and a transition leading to $s$ from every state having no outgoing transitions (including $s$ itself). A new atomic proposition $is\_in\_s$, which is true only in $s$, is added to the set of atomic propositions. The check for deadlocks can be performed by checking $AG\,\neg is\_in\_s$ over the system transformed as described above. If this check succeeds, this implies that the original system is deadlock free. Once the system has been checked to be free from deadlocks, the extra transitions and state $s$ can be removed again.
A similar approach is taken in [129]. There, the transition relation of a Kripke structure does not have to be total. The authors propose a livelock extension for Kripke structures that is obtained by applying the following transformation: for each state that has no outgoing transitions or occurs in a cycle of states with the same labels, a new outgoing transition is added. The transition leads to a new state $s$ that is labelled by a new proposition that occurs in no other labels on states.
Further in this thesis, we deal with transition systems (LTSs) where the transition relation is total due to the fact that a system is timed and time can progress even if the system cannot do anything useful.
Next-free logic 
Reactive systems are usually developed by a number of successive steps. At each 
step, the system is described in more detail and closer to the implementation 
level. Refinement allows the replacement of a higher level system specification 
by a lower, more detailed one. Refinement often changes the granularity of 
actions, i.e., high-level actions are mapped to multiple low-level actions, and 
therefore, high-level actions lose their atomicity. 
The next operator X is closely related to the notion of a next state that can 
be reached by one step of the system. The X operator can be useful to express 
system properties, but it should be used with caution. The intuitive meaning of 
the X operator is not associated with the granularity of actions that the system 
can perform. In case the X operator is employed to express properties of the 
system, a change of the granularity can lead to a situation where properties 
satisfied by a higher level model become false for a lower level one. 
The necessity of the X operator was already questioned in [117]. The main 
objection against the X operator was that it allows the designer to express 
irrelevant properties of the model. Using the X operator one can write a spec-
ification of a queue that includes a requirement: "removing an element from 
the queue should take exactly 17 steps". This property is not meaningful if one 
gives a high-level specification of a queue. It is a property of an implementa-
tion of the "remove" operation, but not a property of the "remove" operation 
itself. Therefore, Lamport proposed to drop the X operator from temporal log-
ics. Further we refer to next-free CTL* and to next-free LTL as CTL*-X and 
LTL-X respectively. 
The work of Lamport is related to developments in the field of process 
equivalences, namely to the research on comparative concurrency semantics [71] 
in the context of process algebras with silent moves [72]. In [73], it is argued that 
branching bisimulation equivalence is the coarsest equivalence that respects 
the branching structure of a process with silent moves. In [129], De Nicola 
and Vaandrager showed that CTL*-X induces on LTSs the same identification 
as branching bisimulation. According to [73], considering CTL* would induce 
an equivalence that is too fine for processes with silent moves. In [47], Dams 
considers the development from strong bisimulation to branching bisimulation 
as the parallel of the shift of attention from CTL* to CTL*-X in specification 
logics. 
Formulas of temporal logic are usually interpreted over Kripke structures; LTSs are mainly used for modelling purposes. In [129], De Nicola and Vaandrager introduced a new kind of structure that can be naturally projected on both LTSs and Kripke structures. The structure is called doubly labelled transition systems.
Definition 2.25. [DOUBLY LABELLED TRANSITION SYSTEMS] [129]
A doubly labelled transition system (L2TS) is a structure $\mathcal{D} = (S, Lab, \to, s_0, \mathcal{L})$, where $(S, Lab, \to, s_0)$ is an LTS and $\mathcal{L}: S \to 2^P$ is a labelling function that associates a set of atomic propositions to each state. With $LTS(\mathcal{D})$ we denote the substructure $(S, Lab, \to, s_0)$ and $KS(\mathcal{D})$ denotes the substructure $(S, R, s_0, \mathcal{L})$ such that $\forall s, s' \in S$, $(s, s') \in R$ iff $s \xrightarrow{\lambda} s' \in \to$ for some $\lambda \in Lab$.
Equivalences defined on LTSs or Kripke structures can be naturally lifted to L2TSs by ignoring state or transition labels respectively. The notions of a path and a computation in an L2TS are defined analogously to the notions of a path and a computation in a Kripke structure. The notion of a trace in an L2TS is defined analogously to the notion of a trace in an LTS. For an L2TS $\mathcal{D}$ and a formula $\varphi$ of LTL, we write $\mathcal{D} \models \varphi$ iff $KS(\mathcal{D}) \models \varphi$. Further we give a definition of path equivalence up to stuttering and an overview of results from [135, 136] relating path equivalence up to stuttering with LTL-X.
Definition 2.26. [STUTTERING-FREE PROJECTION] [135, 136]
Let $\pi = s_0 s_1 s_2 \ldots$ be a sequence in an L2TS $\mathcal{D} = (S, \to, S_0, \mathcal{L})$. The stuttering-free projection $Pr(\pi)$ of $\pi$ is defined coinductively as follows:
- $Pr(s_0 s_1 s_2 \ldots) = s_0$ if $\forall i > 0$ (or $\forall 0 < i \le |\pi|$), $\mathcal{L}(s_i) = \mathcal{L}(s_0)$;
- $Pr(s_0 \ldots s_k s_{k+1} \ldots) = Pr(s_0 \ldots s_k)\,Pr(s_{k+1} \ldots)$ if $\mathcal{L}(s_k) \neq \mathcal{L}(s_{k+1})$.
Definition 2.27. [EQUIVALENCE UP TO STUTTERING] [135, 136]
Let $\pi$ and $\rho$ be paths in L2TSs $\mathcal{D}_1 = (S_1, \to_1, s^1_0, \mathcal{L}_1)$ and $\mathcal{D}_2 = (S_2, \to_2, s^2_0, \mathcal{L}_2)$ respectively, where the range of the labelling functions $\mathcal{L}_1$ and $\mathcal{L}_2$ is $2^P$. We say that $\pi$ and $\rho$ are equivalent up to stuttering, written as $\pi \equiv_{st} \rho$, iff $\mathcal{L}_1(Pr(\pi)(i)) = \mathcal{L}_2(Pr(\rho)(i))$ for all $i \ge 0$ (or $\forall 0 < i \le |Pr(\pi)|$ and $|Pr(\rho)| = |Pr(\pi)|$), i.e., the interpretations of the stuttering-free projections of $\pi$ and $\rho$ are the same.
Definition 2.28. [PATH EQUIVALENCE UP TO STUTTERING] [135, 136]
Let $\mathcal{D}_1 = (S_1, \to_1, s^1_0, \mathcal{L}_1)$ and $\mathcal{D}_2 = (S_2, \to_2, s^2_0, \mathcal{L}_2)$ be two L2TSs where the range of the labelling functions $\mathcal{L}_1$ and $\mathcal{L}_2$ is $2^P$.
We write $\mathcal{D}_1 \sqsubseteq_{st} \mathcal{D}_2$ iff for each path $\pi$ in $\mathcal{D}_1$ there is a path $\rho$ in $\mathcal{D}_2$ such that $\pi \equiv_{st} \rho$.
$\mathcal{D}_1$ and $\mathcal{D}_2$ are path equivalent up to stuttering, written as $\mathcal{D}_1 \equiv_{st} \mathcal{D}_2$, iff $\mathcal{D}_1 \sqsubseteq_{st} \mathcal{D}_2$ and $\mathcal{D}_2 \sqsubseteq_{st} \mathcal{D}_1$.
Theorem 2.2. [135]
Let $\mathcal{D}_1$ and $\mathcal{D}_2$ be two L2TSs, where the range of the labelling functions $\mathcal{L}_1$ and $\mathcal{L}_2$ is $2^P$.
Let $\mathcal{D}_1 \sqsubseteq_{st} \mathcal{D}_2$. Then $\mathcal{D}_1 \models \varphi$ if $\mathcal{D}_2 \models \varphi$ for any LTL-X formula $\varphi$ over $P$.
Let $\mathcal{D}_1 \equiv_{st} \mathcal{D}_2$. Then $\mathcal{D}_1 \models \varphi$ iff $\mathcal{D}_2 \models \varphi$ for any LTL-X formula $\varphi$ over $P$.
Modal µ-calculus 
Definition 2.29. [MODAL $\mu$-CALCULUS, $L_\mu$] [112, 51]
Let $Var$ be a set of propositional variables. Let $P$ be the set of atomic propositions. Moreover, let $p \in P$, $x \in Var$, $\varphi \in L_\mu$. The logic $L_\mu$ is the set of formulas that is defined by the following grammar:
$\varphi ::= p \mid \neg p \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \Box\varphi \mid \Diamond\varphi \mid \mu x.\varphi \mid \nu x.\varphi$
Formula $\Box\varphi$ expresses that $\varphi$ is true for every immediate successor, while $\Diamond\varphi$ expresses that there is at least one successor for which $\varphi$ is true. $\mu x.\varphi$ and $\nu x.\varphi$ are the least and greatest fixpoint operators respectively. Their meaning is the smallest (respectively, greatest) set $x$ of states in which $\varphi$ holds.
Here we consider only formulas in positive normal form, where all negations occurring in the formula are applied to atomic propositions and no variable is quantified twice [112]. The universal and existential fragments $\Box L_\mu$ and $\Diamond L_\mu$ are subsets of $L_\mu$ in which the only allowed next-state operators are $\Box$ and $\Diamond$ respectively. $L^+_\mu$ denotes the positive fragment of $L_\mu$, where the use of negation is forbidden even on the atomic propositions.
Lµ formulas are interpreted over a transition system (see Def. 2.5) with an 
interpretation function associated to the transition system. Intuitively, I(p) is 
the set of states where p holds. A function II · II interprets an Lµ formula over 
a given transition system with an interpretation function. 
Definition 2.30. [$L_\mu$ SEMANTICS] [51]
Let $T = (S, R)$ be a transition system and $I: P \to 2^S$ be an interpretation
function. The function $\|\cdot\|: (L_\mu \times (Var \to 2^S)) \to 2^S$ is defined as follows. Let
$p \in P$, $x \in Var$, $\varphi, \varphi_1, \varphi_2 \in L_\mu$ and $e: Var \to 2^S$ (where $\overline{X}$ denotes the complement $S \setminus X$).
$\|p\|_e = I(p)$
$\|\neg p\|_e = \overline{I(p)}$
$\|x\|_e = e(x)$
$\|\varphi_1 \vee \varphi_2\|_e = \|\varphi_1\|_e \cup \|\varphi_2\|_e$
$\|\varphi_1 \wedge \varphi_2\|_e = \|\varphi_1\|_e \cap \|\varphi_2\|_e$
$\|\Box\varphi\|_e = \{s \in S \mid \forall s' \in S.\ sRs' \Rightarrow s' \in \|\varphi\|_e\}$
$\|\Diamond\varphi\|_e = \{s \in S \mid \exists s' \in S.\ sRs' \wedge s' \in \|\varphi\|_e\}$
$\|\mu x.\varphi\|_e = \bigcap\{S' \subseteq S \mid \|\varphi\|_{e[x \mapsto S']} \subseteq S'\}$
$\|\nu x.\varphi\|_e = \bigcup\{S' \subseteq S \mid S' \subseteq \|\varphi\|_{e[x \mapsto S']}\}$
$e[x \mapsto S']$ is the same as $e$ except that $x$ is mapped to $S'$. We write $s \models \varphi$ for
$s \in \|\varphi\|$. For a set of states $S'$, the notation $S' \models \varphi$ abbreviates $\forall s \in S'.\ s \models \varphi$.
When there may be confusion between different systems and interpretation
functions we write $T, (I), s \models \varphi$ to denote that $s \models \varphi$ in $T$ with interpretation
function $I$.
The existential and universal fragments of the µ-calculus subsume the existential and universal fragments of CTL* [87].
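The semantics of Def. 2.30 can be executed directly on a finite transition system, which is how a model checker evaluates µ-calculus formulas. The following is an added example, not code from the thesis: it encodes formulas in positive normal form as nested tuples following the grammar of Def. 2.29, computes the fixpoints by Kleene iteration (valid here because the functional is monotone and $S$ is finite), and evaluates four familiar CTL-style formulas on a constructed four-state system in which the atomic proposition $p$ holds only in state s3. The system, the interpretation and the formula names are assumptions of the example.

```python
# Added example (not from the thesis): a direct implementation of the L_mu
# semantics of Def. 2.30 on a small, constructed transition system.
# Formulas are tuples in positive normal form, one constructor per clause of
# the grammar in Def. 2.29:
#   ("p", name)  ("np", name)  ("var", x)  ("or", f, g)  ("and", f, g)
#   ("box", f)   ("dia", f)    ("mu", x, f)  ("nu", x, f)
from typing import Dict, FrozenSet, Optional, Set, Tuple

State = str
Formula = tuple
TS = Tuple[Set[State], Set[Tuple[State, State]]]   # (S, R)


def successors(R: Set[Tuple[State, State]], s: State) -> Set[State]:
    """{s' | s R s'}."""
    return {t for (u, t) in R if u == s}


def evaluate(phi: Formula, ts: TS, I: Dict[str, Set[State]],
             env: Optional[Dict[str, FrozenSet[State]]] = None) -> FrozenSet[State]:
    """Return ||phi||_env, the set of states of ts satisfying phi (Def. 2.30)."""
    S, R = ts
    env = {} if env is None else env
    kind = phi[0]
    if kind == "p":
        return frozenset(I[phi[1]])
    if kind == "np":                         # negation is only applied to atoms
        return frozenset(S - I[phi[1]])
    if kind == "var":
        return env[phi[1]]
    if kind == "or":
        return evaluate(phi[1], ts, I, env) | evaluate(phi[2], ts, I, env)
    if kind == "and":
        return evaluate(phi[1], ts, I, env) & evaluate(phi[2], ts, I, env)
    if kind == "box":                        # every successor satisfies phi
        inner = evaluate(phi[1], ts, I, env)
        return frozenset(s for s in S if successors(R, s) <= inner)
    if kind == "dia":                        # some successor satisfies phi
        inner = evaluate(phi[1], ts, I, env)
        return frozenset(s for s in S if successors(R, s) & inner)
    if kind in ("mu", "nu"):
        # The functional X |-> ||phi||_{env[x -> X]} is monotone for formulas in
        # positive normal form, so on a finite S the least fixpoint (the
        # intersection in Def. 2.30) is reached by iterating from the empty
        # set, and the greatest fixpoint (the union) by iterating from S.
        x, body = phi[1], phi[2]
        current = frozenset() if kind == "mu" else frozenset(S)
        while True:
            nxt = evaluate(body, ts, I, {**env, x: current})
            if nxt == current:
                return current
            current = nxt
    raise ValueError(f"unknown formula constructor {kind!r}")


# Constructed transition system: s0 -> s1 -> s2 -> s0, s2 -> s3, s3 -> s3,
# with the single atomic proposition p holding in s3 only.
EXAMPLE_TS: TS = ({"s0", "s1", "s2", "s3"},
                  {("s0", "s1"), ("s1", "s2"), ("s2", "s0"), ("s2", "s3"), ("s3", "s3")})
EXAMPLE_I = {"p": {"s3"}}

P = ("p", "p")
EF_P = ("mu", "x", ("or", P, ("dia", ("var", "x"))))         # p is reachable
AF_P = ("mu", "x", ("or", P, ("box", ("var", "x"))))         # p is unavoidable
EG_P = ("nu", "x", ("and", P, ("dia", ("var", "x"))))        # some path stays in p
AG_EF_P = ("nu", "y", ("and", EF_P, ("box", ("var", "y"))))  # p stays reachable


def example_results() -> Dict[str, FrozenSet[State]]:
    """Evaluate the four formulas above on the constructed system."""
    return {name: evaluate(f, EXAMPLE_TS, EXAMPLE_I)
            for name, f in [("EF p", EF_P), ("AF p", AF_P),
                            ("EG p", EG_P), ("AG EF p", AG_EF_P)]}


if __name__ == "__main__":
    for name, states in example_results().items():
        print(f"{name:8s} = {sorted(states)}")
```

On the constructed system $p$ is reachable from every state but unavoidable only in s3, so the least and greatest fixpoints give visibly different answers; the nested formula shows an environment entry for the outer variable being threaded through the evaluation of the inner fixpoint.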
2.4 Model Checking and Automata Theory
Model checking [38, 120, 165, 35, 42] is a formal technique for verifying finite-
state systems with respect to their specification. The properties of a system 
are expressed as formulas in some temporal logic [137, 60] . A model checker 
either confirms that the system satisfies the properties or reports that they 
are violated. In case a property gets violated, the model checker produces a 
counter-example that is a system run that violates the property. 
Model checking comes in two fashions: symbolic model checking as e.g. in 
NuSMV [37] and COSPAN [83], where Ordered Binary Decision Diagrams [32] 
are used to represent states of the system symbolically, and explicit state model 
checking as in Spin [93] and CADP [65], where the states of the system are ex-
plicitly enumerated. Here we give an overview of the explicit-state automata-
based approach to model checking [165, 93]. In this approach, both the system 
and the negation of a property are turned into a finite automaton on infinite
words [158]. The verification consists in checking whether the language recog-
nized by the synchronous product of the above automata is empty. 
Further we focus on finite automata over infinite words. The simplest automata over infinite words are Büchi automata [34].
Definition 2.31. [BÜCHI AUTOMATON] [127]
A Büchi automaton $B = (Q, I, \delta, F)$ over an alphabet $\Sigma$ is given by a finite
set $Q$ of states, a non-empty set $I \subseteq Q$ of initial states, a transition relation
$\delta \subseteq Q \times \Sigma \times Q$ and a set $F \subseteq Q$ of accepting states.
A run of $B$ over an $\omega$-word $w = a_0 a_1 \ldots \in \Sigma^\omega$ is an infinite sequence
$\rho = q_0 q_1 q_2 \ldots$ such that $q_0 \in I$ and $(q_i, a_i, q_{i+1}) \in \delta$ holds for all $i \in \mathbb{N}$. The run
$\rho$ is accepting iff there exists some $q \in F$ such that $q_i = q$ holds for infinitely
many $i \in \mathbb{N}$.
The language $L(B) \subseteq \Sigma^\omega$ is the set of $\omega$-words for which there exists some
accepting run $\rho$ of $B$. A language $L \subseteq \Sigma^\omega$ is called $\omega$-regular iff $L = L(B)$ for
some Büchi automaton $B$.
Finite automata can be used to model concurrent and interactive systems. A
Kripke structure directly corresponds to a finite automaton over infinite words
where all states are accepting. Specifically, a Kripke structure $K = (S, R, s_0, L)$
where $L: S \to 2^P$ can be seen as an automaton $A = (S, S_0, \delta, S)$ over $2^P$, where
$(s, a, s') \in \delta$ for $s, s' \in S$ iff $(s, s') \in R$ and $a = L(s)$ [168]. (Note that in the
general case there is a set of initial states, but for model checking we only
require a single initial state.) The specification can be transformed into an
automaton $B$ over the same alphabet. The system $A$ satisfies the specification
$B$ when $L(A) \subseteq L(B)$. That can be rewritten as $L(A) \cap \overline{L(B)} = \emptyset$, i.e., there
is no behaviour of $A$ that is disallowed by $B$. If the intersection is not empty,
any behaviour in it corresponds to a counter-example.
Büchi automata are closed under intersection and complement [34]. This
means that there exists an automaton that accepts exactly the intersection of
the languages of two automata and an automaton that recognizes exactly the
complement of the language of a given automaton. In some implementations
such as Spin [93], the automaton for the complement of the specification is
used instead of the automaton for the specification. In this case, not the good
behaviour is specified, but the bad behaviour.
We show how to construct an automaton that recognises the intersection of
two languages accepted by a pair of Büchi automata. Since all the states of the
automaton for the modelled system are accepting, we give the definition of the
product for the case when all the states of one of the automata are accepting.
Definition 2.32. [SYNCHRONOUS PRODUCT] [42]
Let $B_1 = (Q_1, \delta_1, Q_1^0, Q_1)$ and $B_2 = (Q_2, \delta_2, Q_2^0, F_2)$ be Büch automata
over $\Sigma$. The synchronous product of $B_1$ and $B_2$ is the automaton $B$ over $\Sigma$
given by $(Q_1 \times Q_2, \delta, Q_1^0 \times Q_2^0, Q_1 \times F_2)$ such that $((q_1, q_2), a, (q_1', q_2')) \in \delta$ iff
$(q_1, a, q_1') \in \delta_1$ and $(q_2, a, q_2') \in \delta_2$.
It is straightforward to show that the synchronous product of automata $B_1$ and
$B_2$ accepts $L(B_1) \cap L(B_2)$.
Let $\rho$ be an accepting run of a Büchi automaton $B = (Q, I, \delta, F)$ over an
alphabet $\Sigma$. Then $\rho$ contains infinitely many accepting states from $F$. Since $Q$
is a finite set, there is some suffix $\rho'$ of $\rho$ such that every state of $Q$ that is met
along the suffix appears infinitely many times. Each state on $\rho'$ is reachable
from any other state on $\rho'$, i.e., the states in $\rho'$ form a cycle. This component
is reachable from some initial state. It contains an accepting state of the automaton and generates an accepting run of it. Checking non-emptiness of $L(B)$
is equivalent to finding a strongly connected component that is reachable from
an initial state and contains an accepting state. In other words, the language
$L(B)$ is non-empty if and only if there is a reachable accepting state that is on
a cycle [42].
The automaton for the specification can have as many as $2^{O(n)}$ states where
$n$ is the number of subformulas in the specification [165]. The size of the product
automaton, which determines the overall complexity of the method, is proportional to $N \cdot 2^{O(n)}$, where $N$ is the number of reachable states of the modelled system. On-the-fly model checking allows a property violation to be detected
by constructing and visiting only the part of the search space that contains a
counter-example.
The nested depth first search (ndfs) algorithm (Fig. 2) is used for finding
cycles with accepting states (accepting cycles) "on-the-fly" [96, 45, 127]. Given
a property $\varphi$ and a Kripke structure $K$, the model checking problem is reformulated as follows: Does there exist a run of $K$ that does not satisfy $\varphi$?
We ask whether the language of the automaton defined by the product of the
automaton for $K$ and the automaton for $\neg\varphi$ is empty or not.
ndfs is an "on-the-fly" algorithm because the exploration of reachable states
is interleaved with the search for acceptance cycles. The algorithm keeps the
stack of all states whose successors need to be explored and the set of states
that have already been visited. Starting from an initial state, the procedure
ndfs generates reachable states until an accepting state is met. The search
Procedure 2.3 (emptiness) [127]
  \\ initialization
  stack = emptystack(); visited = emptyset(); seed = nil;
  for each q0 ∈ Q0 {
    push q0 onto stack;
    enter (q0, false) into visited;
    ndfs(false)
  }

Procedure 2.4 (ndfs(boolean search_cycle))
  q = top(stack);
  for each q' ∈ successors(q) {
    if (search_cycle ∧ (q' == seed))
      report acceptance cycle and exit;
    if ((q', search_cycle) ∉ visited) {
      push q' onto stack;
      enter (q', search_cycle) into visited;
      ndfs(search_cycle);
      if (¬search_cycle ∧ (q' is accepting)) {
        seed := q'; ndfs(true);
      }
      pop(stack);
    }
  }

Fig. 2. Nested depth-first search algorithm
then switches to the cycle search mode (indicated by the boolean variable
search_cycle) and tries to find a path that leads back to the accepting state.
The algorithm reports an acceptance cycle if one exists, although it does not
guarantee to find all cycles, because the exploration stops as soon as an error
has been found [127].
Lemma 2.1. [CORRECTNESS OF ndfs ALGORITHM] [45]
The ndfs algorithm returns a counterexample for the emptiness of the automaton $B$ exactly when the language $L(B)$ is not empty.
If an acceptance cycle is found, the sequence of system states in the stack
represents a path of $K$ that violates property $\varphi$. The algorithm needs to store
only the path from the current state back to the initial state and the set of
visited states. If no acceptance cycle is found, all reachable states have to be
visited.
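The whole recipe of this section, reading a Kripke structure as an automaton with all states accepting, forming the synchronous product of Def. 2.32 with the automaton for $\neg\varphi$, and running the nested depth-first search of Fig. 2 until an accepting cycle closes, fits in a short program. The following is an added example, not code from the thesis or from Spin. The property automaton carries guards on the label set rather than single letters of $2^P$, as Spin's never claims do; the automaton for "eventually always not $p$" (the negation of "infinitely often $p$"), the two constructed systems and all state names are assumptions of the example. One detail beyond Fig. 2: an accepting initial state is also used as a seed, since the figure seeds a cycle search only from successors.

```python
# Added example (not from the thesis): the automata-theoretic recipe of
# Sec. 2.4 in executable form. A Kripke structure is read as the Büchi
# automaton A of page 24 (all states accepting, letter L(s) on every edge
# leaving s), the synchronous product of Def. 2.32 is built on the fly with a
# property automaton B for the negated property, and the nested depth-first
# search of Fig. 2 looks for a reachable accepting cycle in the product.
# The property automaton's transitions carry guards on the label set instead
# of single letters of 2^P, as Spin's never claims do.
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Kripke = Tuple[Set[str], Set[Tuple[str, str]], str, Dict[str, FrozenSet[str]]]
Guard = Callable[[FrozenSet[str]], bool]
Buchi = Tuple[Set[str], List[Tuple[str, Guard, str]], Set[str], Set[str]]


def product(kripke: Kripke, buchi: Buchi):
    """Def. 2.32 for the case where every state of A (the system) is accepting:
    returns (successors, initial states, accepting test) of A x B."""
    S, R, s0, L = kripke
    Q, delta, Q0, F = buchi

    def successors(pair):
        s, q = pair
        return [(s2, q2) for (s1, s2) in sorted(R) if s1 == s
                for (q1, guard, q2) in delta if q1 == q and guard(L[s])]

    return successors, [(s0, q) for q in sorted(Q0)], (lambda pair: pair[1] in F)


def nested_dfs(successors, initial, accepting) -> Optional[Tuple[list, list]]:
    """Procedures 2.3 and 2.4: returns (prefix, cycle) of an accepting lasso,
    or None when the language is empty."""
    visited: Set[Tuple[object, bool]] = set()
    stack: list = []
    seed = [None]

    def ndfs(search_cycle: bool) -> bool:
        q = stack[-1]
        for q2 in successors(q):
            if search_cycle and q2 == seed[0]:
                return True                       # closed a cycle through seed
            if (q2, search_cycle) not in visited:
                stack.append(q2)
                visited.add((q2, search_cycle))
                if ndfs(search_cycle):
                    return True
                if not search_cycle and accepting(q2):
                    seed[0] = q2                  # second search: does q2 reach itself?
                    if ndfs(True):
                        return True
                stack.pop()
        return False

    for q0 in initial:
        stack.append(q0)
        visited.add((q0, False))
        found = ndfs(False)
        if not found and accepting(q0):           # Fig. 2 seeds only from successors
            seed[0] = q0
            found = ndfs(True)
        if found:
            i = stack.index(seed[0])
            return stack[:i], stack[i:]           # the stack is the counter-example
        stack.pop()
    return None


def find_counterexample(kripke: Kripke, buchi: Buchi):
    """Model check: a lasso of Kripke states violating the property, or None."""
    lasso = nested_dfs(*product(kripke, buchi))
    if lasso is None:
        return None
    prefix, cycle = lasso
    return [s for s, _ in prefix], [s for s, _ in cycle]


# Constructed Büchi automaton for the negation of "infinitely often p",
# i.e. for "eventually always not p": q0 loops on anything, q1 (accepting)
# is entered and kept as long as p does not hold.
NOT_GF_P: Buchi = ({"q0", "q1"},
                   [("q0", lambda lab: True, "q0"),
                    ("q0", lambda lab: "p" not in lab, "q1"),
                    ("q1", lambda lab: "p" not in lab, "q1")],
                   {"q0"}, {"q1"})

# Constructed systems: p holds in s1 only. In K_BAD the state s3 can be
# reached and loops on itself forever, so p stops occurring.
LABELS = {"s0": frozenset(), "s1": frozenset({"p"}), "s2": frozenset(), "s3": frozenset()}
K_BAD: Kripke = ({"s0", "s1", "s2", "s3"},
                 {("s0", "s1"), ("s1", "s2"), ("s2", "s0"), ("s2", "s3"), ("s3", "s3")},
                 "s0", LABELS)
K_GOOD: Kripke = ({"s0", "s1", "s2", "s3"},
                  {("s0", "s1"), ("s1", "s2"), ("s2", "s0"), ("s2", "s3"), ("s3", "s0")},
                  "s0", LABELS)

if __name__ == "__main__":
    print("K_BAD :", find_counterexample(K_BAD, NOT_GF_P))
    print("K_GOOD:", find_counterexample(K_GOOD, NOT_GF_P))
```

For K_BAD the search reports the lasso s0 s1 s2 s3 followed by the cycle s3, exactly the run along which $p$ never occurs again; for K_GOOD every cycle passes through s1, the product has no reachable accepting cycle, and the search exhausts the state space and returns nothing.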
Spin and DTSpin 
For the majority of experiments mentioned in this thesis, we used DTSpin [24, 
55], a discrete time extension of the Spin model checker. 
Spin [93] is a state-of-the-art, enumerative model-checker with an expressive input-language PROMELA. In an extensive list of industrial applications,
Spin and PROMELA have proven to be useful for the verification of industrial
systems. Spin can be used not only as a simulator for rapid prototyping that
supports random, guided and interactive simulation, but also as a powerful state
space analyzer for proving user-specified correctness properties of the system.
As standard Spin does not deal with timing aspects of protocols, DTSpin, a
discrete time extension of Spin, has been developed [24, 55], that can be used
for verification of properties depending on timing parameters. The extension is
compatible with the standard untimed version of the Spin validator, except for
the timeout statement, which has different semantics and its usage is no longer
allowed (nor necessary) in discrete-time models.
Fairness 
The behavior of a reactive system depends not only on the properties of the individual components running in parallel, but also on the interactions among those
components. These interactions depend on external factors such as the relative
speed of processors or the particular scheduler implementation whose details
can be complex or even unknown. By introducing appropriate fairness assumptions stating that every sufficiently enabled component eventually proceeds, we
can abstract away from these details without ignoring them completely.
Most of the common notions of fairness share the same general form: Every
entity that is enabled sufficiently often will eventually make progress. Depending on the interpretations of "entity" and "sufficiently often" we get different
notions of fairness. In the context of communicating processes, there are many
different kinds of entities to consider, each choice leading to a different notion
of fairness. In particular, Francez [68] and Kuiper and de Roever [114] have
identified a hierarchy of fairness notions for CSP that includes the following
forms of fairness: process fairness, channel fairness, guard fairness, and communication fairness. Each of these fairness notions has weak and strong varieties,
which differ in the interpretation of "sufficiently often": weak forms of fairness
concern continuously enabled entities, whereas strong forms of fairness
concern infinitely often (but not necessarily continuously) enabled entities.
Process fairness is one of the most common notions of fairness, due to its applicability in the context of communicating processes. Weak (process) fairness
(also known as justice [110]) states that every continuously enabled process will
eventually make progress. Intuitively, weak fairness ensures that the scheduler
will never forget the process forever. It is straightforward to implement weak
fairness as a scheduling policy, using a simple round-robin scheduling queue. An
alternative to weak fairness, strong (process) fairness (also known as compassion [110]), states that every infinitely often enabled process makes progress infinitely
often.
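The difference between "continuously enabled" and "infinitely often enabled" becomes concrete on the lasso-shaped runs (finite prefix plus a repeated cycle) in which a model checker reports counter-examples. The following is an added example, not code from the thesis: it takes such a run with, per step, the set of enabled processes and the process that moved, and decides for each process whether the run is weakly and strongly fair to it. The run and the process names are constructed.

```python
# Added example (not from the thesis): deciding weak and strong process
# fairness for a lasso-shaped run, the finite prefix plus repeated cycle in
# which a model checker reports an infinite run. Each step records which
# processes were enabled in the state the step leaves and which process the
# scheduler let move. All data below is constructed.
from typing import Dict, List, Set, Tuple

Step = Tuple[Set[str], str]    # (enabled processes, process that made the step)


def fairness(prefix: List[Step], cycle: List[Step]) -> Dict[str, Dict[str, bool]]:
    """For every process name, report whether the run is weakly and strongly
    fair to it. Because the cycle repeats forever, "continuously enabled from
    some point on" means enabled at every step of the cycle, and "enabled
    infinitely often" means enabled at some step of the cycle; the prefix
    only contributes process names."""
    if not cycle:
        raise ValueError("a lasso needs a non-empty cycle")
    for enabled, mover in prefix + cycle:
        if mover not in enabled:
            raise ValueError(f"{mover} moved while not enabled")
    procs = set()
    for enabled, mover in prefix + cycle:
        procs |= enabled | {mover}
    verdict = {}
    for p in sorted(procs):
        progresses = any(mover == p for _, mover in cycle)
        continuously = all(p in enabled for enabled, _ in cycle)
        infinitely_often = any(p in enabled for enabled, _ in cycle)
        verdict[p] = {
            # justice: continuously enabled  ==> makes progress
            "weak": progresses or not continuously,
            # compassion: infinitely often enabled ==> makes progress
            "strong": progresses or not infinitely_often,
        }
    return verdict


# Constructed run of four processes A, B, C, D: D moves once in the prefix and
# is then disabled for good; in the cycle the scheduler always picks A while
# B stays enabled throughout and C is enabled in two of the three steps.
PREFIX: List[Step] = [({"A", "D"}, "D")]
CYCLE: List[Step] = [({"A", "B", "C"}, "A"), ({"A", "B"}, "A"), ({"A", "B", "C"}, "A")]


def example_verdict() -> Dict[str, Dict[str, bool]]:
    return fairness(PREFIX, CYCLE)


if __name__ == "__main__":
    for proc, v in example_verdict().items():
        print(proc, "weakly fair:", v["weak"], "strongly fair:", v["strong"])
```

On the constructed run the scheduler starves B, which is enabled at every step of the cycle, so the run is neither weakly nor strongly fair to B; C is enabled only intermittently, so the run is weakly fair to C but not strongly fair; a run that is rejected under a strong-fairness assumption may therefore still be a valid counter-example under weak fairness.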
2.5 Verification by Abstraction 
Model checking can be applied to programs that have a relatively small finite 
state space. State space explosion remains a stumbling block of model check-
ing. Various techniques were developed to solve this problem. One of them is 
verification by abstraction. Abstraction means replacing a semantical model by 
an abstract, in general simpler (finite) one. In addition to the requirement that 
an abstract (verification) model should have a smaller state space than the con-
crete (implementation) one, the abstraction needs to be safe, which means that 
every property checked to be true on the abstract model , holds for the concrete 
one as well. A safe abstract system is, intuitively, a system whose behaviour 
contains at least the behaviour of the concrete system [47]. This allows the 
transfer of positive verification results from the abstract model to the concrete 
one. 
Let $M$ be a system whose semantics is given by a transition system $T =
(S, R)$, and let $\alpha T = (\alpha S, \alpha R)$. A description relation $\rho \subseteq S \times \alpha S$ gives for the
states from $T$ their "descriptions" in $\alpha T$.
Definition 2.33. [PRE-IMAGE AND POST-IMAGE FUNCTIONS] [121]
Given a relation $\rho \subseteq S \times \alpha S$ we define $pre[\rho]: 2^{\alpha S} \to 2^S$ and $post[\rho]: 2^S \to 2^{\alpha S}$
by:
$pre[\rho](X) = \{s \in S \mid \exists s_\alpha \in X.\ (s, s_\alpha) \in \rho\}$
$post[\rho](Y) = \{s_\alpha \in \alpha S \mid \exists s \in Y.\ (s, s_\alpha) \in \rho\}$
The duals $\widetilde{pre}[\rho]: 2^{\alpha S} \to 2^S$ and $\widetilde{post}[\rho]: 2^S \to 2^{\alpha S}$ are defined by
$\widetilde{pre}[\rho](X) = \overline{pre[\rho](\overline{X})}$ and $\widetilde{post}[\rho](Y) = \overline{post[\rho](\overline{Y})}$.
Given a description relation $\rho$, the functions $\alpha = post[\rho]$ and $\gamma = \widetilde{pre}[\rho]$,
called abstraction and concretization respectively, form a Galois connection (see
Def. 2.4) from $2^S$ to $2^{\alpha S}$.
Lemma 2.2. [GALOIS CONNECTION GENERATED BY A RELATION] [121]
If $\rho \subseteq S \times \alpha S$, then $(post[\rho], \widetilde{pre}[\rho])$ is a Galois connection from $2^S$ to $2^{\alpha S}$ and
$(pre[\rho], \widetilde{post}[\rho])$ is a Galois connection from $2^{\alpha S}$ to $2^S$.
Further we review the definition of simulation parameterized by a Galois
connection and the definition of simulation parameterized by a description relation $\rho$. Lemma 2.3 and Lemma 2.4 from [121] show that these two notions
of simulation coincide. Let $T = (S, R)$ and $\alpha T = (\alpha S, \alpha R)$ be two transition
systems.
Definition 2.34. [SIMULATION PARAMETERIZED BY CONNECTION] [121]
Let $(\alpha, \gamma)$ be a Galois connection from $2^S$ to $2^{\alpha S}$. Define $T \sqsubseteq_{(\alpha,\gamma)} \alpha T$ iff
$\alpha \circ pre[R] \circ \gamma \subseteq pre[\alpha R]$.
Definition 2.35. [SIMULATION PARAMETERIZED BY DESCRIPTION] [121]
Let $\rho$ be a description relation, $\rho \subseteq S \times \alpha S$. Define $T \sqsubseteq_\rho \alpha T$ iff
$R^{-1}\rho \subseteq \rho\,\alpha R^{-1}$.
Lemma 2.3. [FROM $\sqsubseteq_{(\alpha,\gamma)}$ TO $\sqsubseteq_\rho$] [121]
For any description relation $\rho \subseteq S \times \alpha S$, there exists a Galois connection $(\alpha, \gamma)$
from $2^S$ to $2^{\alpha S}$ such that $T \sqsubseteq_\rho \alpha T$ iff $T \sqsubseteq_{(\alpha,\gamma)} \alpha T$.
Lemma 2.4. [FROM $\sqsubseteq_\rho$ TO $\sqsubseteq_{(\alpha,\gamma)}$] [121]
For any Galois connection $(\alpha, \gamma)$ from $2^S$ to $2^{\alpha S}$, there exists a description
relation $\rho \subseteq S \times \alpha S$ such that $T \sqsubseteq_{(\alpha,\gamma)} \alpha T$ iff $T \sqsubseteq_\rho \alpha T$.
Definition 2.36. [ABSTRACTION]
We say that $\alpha T$ is an abstraction of $T$ iff there exists a description relation
$\rho \subseteq S \times \alpha S$ such that $T \sqsubseteq_\rho \alpha T$.
The notion of consistency defined below shows when an abstraction function
$\alpha: 2^S \to 2^{\alpha S}$ preserves the meaning of the atomic propositions defined by an
interpretation function $I$ (see Sec. 2.3) on $2^S$. The abstraction function $\alpha$ is
consistent with $I: P \to 2^S$, where $P$ is a set of atomic propositions, if for all
atomic propositions $p$ the abstractions of $I(p)$ and $\overline{I(p)}$ by $\alpha$ are disjoint, i.e.,
the abstractions of the interpretations of $p$ and $\neg p$ are not contradictory. In case $(\alpha, \gamma)$
is a Galois connection, consistency of $\alpha$ with $I$ expresses the fact that $\gamma \circ \alpha$
strongly preserves the interpretation of all atomic propositions (see Lemma 2.5).
Definition 2.37. [CONSISTENT ABSTRACTION FUNCTION] [121]
Let $I: P \to 2^S$ be an interpretation function. $\alpha: 2^S \to 2^{\alpha S}$ is consistent with
$I$ if $\forall p \in P.\ \alpha(I(p)) \cap \alpha(\overline{I(p)}) = \emptyset$.
Lemma 2.5. [CHARACTERIZATION OF CONSISTENCY] [121]
If $(\alpha, \gamma)$ is a Galois connection from $2^S$ to $2^{\alpha S}$, then $\alpha$ is consistent with $I$ iff
$\forall p \in P.\ \gamma(\alpha(I(p))) = I(p)$.
We give here an overview of the preservation results for the $\Box L_\mu^+$ and $\Box L_\mu$
fragments of the modal µ-calculus from [121]. The preservation results allow the use
of the following verification method: Given a concrete system $T$ and some Galois
connection $(\alpha, \gamma)$, compute an abstract system $\alpha T$ such that $T \sqsubseteq_{(\alpha,\gamma)} \alpha T$. In
order to verify a property expressed as a formula $\varphi$ of $\Box L_\mu$, verify the property
on $\alpha T$. If $\varphi$ holds on $\alpha T$, it also holds on $T$.
Theorem 2.5. [PRESERVATION OF $\Box L_\mu^+$ AND $\Box L_\mu$] [121]
Let $T \sqsubseteq_{(\alpha,\gamma)} \alpha T$. Let $I: P \to 2^S$ and $\alpha I: P \to 2^{\alpha S}$ be two interpretation functions. Then $\gamma$ preserves the formulas of $\Box L_\mu^+$ from $\alpha T$ to $T$ and, if $\gamma$ is consistent
with $\alpha I$, then $\gamma$ preserves the formulas of $\Box L_\mu$ from $\alpha T$ to $T$.
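The definitions of this section are all finite relational computations, so they can be checked mechanically on a small instance. The following is an added example, not code from the thesis or from [121]: for a constructed four-state cycle abstracted to its parity by a description relation $\rho$, it builds $(\alpha, \gamma) = (post[\rho], \widetilde{pre}[\rho])$ and verifies Lemma 2.2 exhaustively over all subsets, checks the simulation condition of Def. 2.35, compares Def. 2.37 with its characterization in Lemma 2.5 on a consistent and on an inconsistent proposition, and finally exercises the verification method of Theorem 2.5 on one invariant. The way $\alpha R$ is computed from $\rho$ (existential abstraction: an abstract edge whenever some described concrete edge exists), the choice of the abstract side's interpretation as $\alpha(I(p))$, and the example system are assumptions of the example.

```python
# Added example (not from the thesis): the relational constructions of
# Sec. 2.5 on a constructed concrete system T = (S, R) and its abstraction
# alpha T = (alpha S, alpha R) induced by a description relation rho.
# Checked here: the Galois connection of Lemma 2.2, the simulation of
# Def. 2.35, consistency (Def. 2.37) against its characterisation (Lemma 2.5),
# and the preservation direction of Theorem 2.5 for one invariant. Computing
# alpha R existentially from rho is an assumption of this example.
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, Set, Tuple

Rel = Set[Tuple[object, object]]


def pre(rel: Rel, X: Iterable) -> FrozenSet:
    """pre[rho](X) = {s | exists s_alpha in X with (s, s_alpha) in rho}."""
    X = set(X)
    return frozenset(s for (s, sa) in rel if sa in X)


def post(rel: Rel, Y: Iterable) -> FrozenSet:
    """post[rho](Y) = {s_alpha | exists s in Y with (s, s_alpha) in rho}."""
    Y = set(Y)
    return frozenset(sa for (s, sa) in rel if s in Y)


def galois_pair(rho: Rel, S: Set, aS: Set) -> Tuple[Callable, Callable]:
    """(alpha, gamma) = (post[rho], ~pre[rho]); ~pre[rho](Y) is the complement
    of pre[rho] applied to the complement of Y (Def. 2.33)."""
    alpha = lambda X: post(rho, X)
    gamma = lambda Y: frozenset(S) - pre(rho, set(aS) - set(Y))
    return alpha, gamma


def subsets(universe: Set):
    items = sorted(universe)
    for k in range(len(items) + 1):
        for combo in combinations(items, k):
            yield frozenset(combo)


def is_galois_connection(alpha, gamma, S: Set, aS: Set) -> bool:
    """Checked exhaustively: alpha(X) <= Y  iff  X <= gamma(Y)."""
    return all((alpha(X) <= Y) == (X <= gamma(Y))
               for X in subsets(S) for Y in subsets(aS))


def abstract_transitions(R: Rel, rho: Rel) -> Rel:
    """Existential abstraction: s_a -> s_a' whenever some described s -> s'."""
    return {(sa, sa2) for (s, s2) in R for (t, sa) in rho if t == s
            for (t2, sa2) in rho if t2 == s2}


def simulates(R: Rel, aR: Rel, rho: Rel) -> bool:
    """Def. 2.35, R^{-1} rho <= rho alphaR^{-1}: whenever s -> s' and s is
    described by s_a, some alpha R-successor of s_a describes s'."""
    return all(any((sa, sa2) in aR and (s2, sa2) in rho for (_, sa2) in rho)
               for (s, s2) in R for (t, sa) in rho if t == s)


def consistent(alpha, S: Set, I_p: Set) -> bool:
    """Def. 2.37 for one proposition: alpha(I(p)) and alpha(complement) are disjoint."""
    return not (alpha(I_p) & alpha(set(S) - set(I_p)))


def gamma_alpha_exact(alpha, gamma, I_p: Set) -> bool:
    """Lemma 2.5: gamma(alpha(I(p))) == I(p)."""
    return gamma(alpha(I_p)) == frozenset(I_p)


def always_holds(R: Rel, init: Iterable, local: Callable[[object], bool]) -> bool:
    """nu x. local /\ box x: every state reachable from init satisfies local."""
    seen, todo = set(init), list(init)
    while todo:
        s = todo.pop()
        for (u, v) in R:
            if u == s and v not in seen:
                seen.add(v)
                todo.append(v)
    return all(local(s) for s in seen)


# Constructed concrete system: a 4-cycle 0 -> 1 -> 2 -> 3 -> 0, abstracted to
# its parity by rho; p holds on the odd states, q on {0, 1}.
S = {0, 1, 2, 3}
R: Rel = {(0, 1), (1, 2), (2, 3), (3, 0)}
AS = {"even", "odd"}
RHO: Rel = {(0, "even"), (1, "odd"), (2, "even"), (3, "odd")}
AR = abstract_transitions(R, RHO)
ALPHA, GAMMA = galois_pair(RHO, S, AS)
I_P, I_Q = {1, 3}, {0, 1}


def alternates(rel: Rel, holds: Set) -> Callable[[object], bool]:
    """Local part of the box-L_mu invariant "p now and no successor has p, or
    not p now and every successor has p"; it uses the negation of p, so
    Theorem 2.5 needs consistency to transfer it."""
    def local(s):
        succ = {v for (u, v) in rel if u == s}
        return (s in holds and not (succ & holds)) or (s not in holds and succ <= holds)
    return local


def preservation_demo() -> Tuple[bool, bool]:
    """(holds on alpha T, holds on T) for "always alternates"; the abstract
    interpretation of p is taken as alpha(I(p))."""
    abstract = always_holds(AR, post(RHO, {0}), alternates(AR, ALPHA(I_P)))
    concrete = always_holds(R, {0}, alternates(R, I_P))
    return abstract, concrete
```

The proposition $p$ (parity) is respected by $\rho$, so $\alpha$ is consistent with it and $\gamma \circ \alpha$ gives $I(p)$ back exactly; the proposition $q$ cuts across the abstract states, both halves of Def. 2.37 land on the same abstract state, and Lemma 2.5 fails for it in the same way. Only for the consistent proposition does a check on $\alpha T$ say anything about $T$.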
3
Timer Transformation to Verify SDL Specifications
Industrial-size specifications/models, whose state spaces are often infinite, can in general not be model checked in a direct way. Program transformation is a way to build a finite-state verification model that can be submitted to a model checker. This chapter presents a transformation of SDL timers aimed at reducing the infinite domain of timer values to a finite one while preserving system behaviours.
The chapter is based on [101].
3.1 Introduction 
The development of a specification language and its semantical concept are 
greatly affected by the intended mode of its use, its application domain. Often, 
the final objective is to provide an executable specification/implementation. 
In that case, the specification language and its semantics should provide a 
framework for constructing faithful and detailed descriptions of systems. No 
wonder that specifications written in these implementation-oriented languages 
are harder to verify than the ones written in the languages developed as in-
put languages for model checkers. In this chapter, we concentrate on some 
aspects of modelling time in implementation-oriented languages, taking SDL 
(Specification and Description Language) [133] as an instance of this class of 
languages. 
SDL is used for the specification of real-time systems like telecommunication 
software as well as aircraft and train control, medical and packaging systems, 
all of which must respond within certain time limits. Time-supervision is em-
ployed to control response time from unreliable resources and release of shared 
or limited resources. It can also be used to establish activit ies that must be re-
peated on a regular basis. Behaviour of a system specified in SDL is scheduled 
with the help of timers declared in the specification. The model of SDL timers 
was induced by manners of implementation of timers in real systems. An SDL 
timer can be activated by setting it to a value (NOW + $\delta$) where the expression NOW provides access to the current system time and $\delta$ is a delay after
which this timer expires, i.e., the timer expires when the system time (system
clock) reaches the point (NOW + $\delta$). Such an implementation of timers immediately means that the state space of SDL specifications is infinite just because
timer variables take an infinite number of values due to the value of NOW, which
grows during the system run. An inverse timer model is normally employed in
verification-oriented languages: a timer indicates the delay left until its expiration, i.e., a timer is set to a value $\delta$ instead of (NOW + $\delta$), and this value is
decreased at every tick of the system clock. When the timer value reaches zero,
the timer expires. This model of timers guarantees that every timer variable
takes only a finite (and relatively small) number of values.
Another SDL peculiarity that adds to the complexity of verification is the 
manner in which timers expire. SDL is based on the Communicating Extended 
State Machines; communication is organized via message passing. For the uni-
formity of communication, timers are considered as a special kind of signals and
a process learns about a timer expiration by dint of a signal with the name of 
the expired timer, inserted in the input port of the process. The timeout mes-
sage can be added in the input port at any point of the time slice, in which the 
timer is ready to expire. From the verification point of view it would be better 
if a timer expiration had been diagnosed by a simple check of the timer value. 
Treating timeouts as messages, one gets all possible combinations of timeouts 
with messages exchanged by the processes, which increases the state space of 
the system. 
Though formal verification of SDL specifications is an area of rather active 
investigations [25, 94, 91 , 147, 160], for a long time the time-concerned difficul-
ties were being got around by means of abstracting out time and timers. Due to 
engineering rather than formal approaches to constructing abstractions, some 
proposed abstractions turned out to be unsafe (see [25] for details). 
In [25], a toolset and a methodology for the verification of time-dependent 
properties of SDL-specifications are described. The SDL-specifications are first 
translated into DTPROMELA, the input language of the DTSpin (Discrete Time 
Spin) model checker [24], and then verified against LTL formulas. Some infor-
mal arguments in favour of correctness of the DTPROMELA translation to the 
original specification are given, but no formal proof that the results of the 
verification of the transformed system are transferable to the original one is 
provided. 
In this chapter, we propose a transformation that substitutes the traditional 
SDL timers by timer variables. In the transformed model, the timers are inverse 
and timeouts are not put into the input queue, but modelled directly by guards. 
The underlying idea is similar to the one in [25], but we provide a formal proof 
of path equivalence up to stuttering, which substantiates that the transformed 
system can be safely used for verification. The semantics of transformed systems 
will be further used in Chapter 5 to present an approach to automatically closing
SDL specifications.
The chapter is organized as follows . In Section 3.2, we give an overview 
of syntax and define the semantics of the subset of SDL we concentrate on. 
The transformation substituting timeouts-as-messages by timeouts-by-guards 
is given in Section 3.3. This section also gives the semantics of transformed 
systems. The proof that the results of the verification of the transformed system 
are transferable to the original one is provided in Section 3.4. We conclude this 
chapter with Section 3.5. 
3.2 SDL 
The development of SDL started in 1972 when a study group within the 
telecommunications union ITU-T ( CCITT at this time) representing several 
countries and large telecommunication companies began research on a speci-
fication language for the telecommunication industry. SDL is standardized by 
ITU-T as standard Z.100. The first version of the language issued in 1976 was 
followed by new versions every fourth year since. The formal semantics of SDL, 
defined in 1988 and further updated for subsequent versions of the SDL lan-
guage in 1992 and 1996, is based on the combination of the VDM meta language 
Meta-IV with a CSP-like communication mechanism. It provides a formaliza-
tion of the static [143] and dynamic semantics [145] of SDL. The semantics 
is documented by more than 500 pages of Meta-IV descriptions and hardly 
manageable because of its size. The latest version of SDL called SDL-2000 was 
approved as an international standard in 1999 [142, 144, 146] . 
Besides the official semantics developed within ITU-T there are other approaches to the formalization of the semantics of SDL. In [30, 90, 92], semantics
of various subsets of SDL are defined based on stream processing functions of
FOCUS [31]. SDL processes are modelled as discrete streams of signals. This
stream based semantics neither supports the concept of states and transitions
nor provides an adequate treatment of time aspects of SDL. It restricts the
fundamental notion of system time, which makes it unsuitable for our purposes.
The transformation proposed in this chapter deals mainly with time aspects, 
so the stream based semantics is not suitable for proving the correctness of the 
transformation. 
In [66], SDL Time Nets (an extended Petri Net model) are proposed as a 
basis for the formal verification of communication protocols specified in SDL. A 
process algebra semantics of a restricted version of SDL is defined in [16]. The 
authors admit that the extension of discrete time process algebra with relative 
timing, used to describe the meaning of language constructs of SDL, is fairly 
large and rather intricate. A compiler-oriented semantics of SDL-2000 [64] is 
defined by an SDL semantics group. The key issues of this approach that uses 
abstract state machines as a formal basis are maintenance and executability of 
an SDL specification. 
Further in this section, we provide an example of an SDL process, give an 
overview of the syntax, define the set of specifications we work with, and define 
their semantics. The transformation that we propose is related to behavioural 
aspects of SDL systems, rather than to structural ones. Therefore, we concentrate on a subset of SDL that is used for the specification of behaviour, without
considering the structuring concepts used for describing large systems. We also do
not deal with abstract data types, but assume a specification to be well-typed 
and a few data types together with their interpretations to be predefined. 
3.2.1 Syntax Overview 
Systems described by SDL consist of many processes that run simultaneously 
and communicate with each other by exchanging signals via channels. An SDL 
system is specified by a system diagram that consists of a system text area, 
where channels and signals are defined, and a process interaction area. Further, 
we refer to the set of channel names defined in a system text area as $Chan$. The
set $Chan$ is partitioned into $Chan_i$ and $Chan_o$ of input and output channels,
and we write $c_i, c_o, \ldots$ to denote membership of a channel in one of these
classes. The set of signal names defined by the signal declarations is denoted
as $Sig$. A process interaction area is formed by one or more process diagrams.
A process diagram is formed by a process heading, a process text area and
a process graph area enclosed by a frame symbol (see Fig. 3). A process text
area contains declarations of process variables and timers. For variables, we
assume data types Integer, Boolean, Time and Duration together with
their natural interpretations $\mathbb{Z}$, $Bool$, $\mathbb{Z}$ and $\mathbb{Z}$ to be predefined.
[Fig. 3 is a process diagram, annotated with its symbol kinds (process heading, process diagram, text area, start state, input, state, decision, transition, output, task). It shows the heading "process RCM"; a text area declaring "TIMER T"; a start state leading to state idle; the input ACQUIRE_AP; the task SET(NOW+k, T); state busy; the input of timeout T; a decision with branches 'success' and 'failure'; the outputs ACQUIRE_AP_OK and ACQUIRE_AP_KO; and transitions back to idle.]
Fig. 3. An SDL process
A process graph area contains a graph defining process behaviour in terms of
states and transitions with a start state as its root. Transitions are decorated by
input, output, task and decision symbols. The process diagram in Fig. 3 defines
process RCM. The process stays in state idle until it gets the ACQUIRE_AP
signal as input. After this input, the process sets timer T and waits in state
busy until timer T expires. Upon expiration of the timer, the process makes
a non-deterministic decision between sending either the ACQUIRE_AP_OK or
the ACQUIRE_AP_KO signal and returns to the idle state.
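The two timer models contrasted in Section 3.1 can be compared on exactly this process. The following is an added example, not code from the thesis: it models process RCM twice, once with SDL-style timers (an absolute expiry NOW + k and a timeout signal T placed in the input queue) and once with inverse timers (a remaining delay tested by a guard), bounds the exploration of the first model by a time horizon to show its state count growing with that horizon while the second model has a fixed number of states, and checks through a projection from absolute to inverse states that every step of the first model is matched, possibly by a stutter, in the second. The delay k = 3, the omission of the OK/KO branch (both lead to idle), and the rule that the environment offers ACQUIRE_AP only while the process is idle with an empty queue are assumptions of the example.

```python
# Added example (not from the thesis): the two timer models of Sec. 3.1
# applied to process RCM of Fig. 3. The absolute model keeps NOW and the
# expiry time and delivers the timeout as a signal in the input queue; the
# inverse model keeps the remaining delay and tests expiry by a guard.
# Modelling choices (k = 3, environment offering ACQUIRE_AP only when the
# process is idle with an empty queue) are assumptions of this example.
from typing import Callable, List, Set, Tuple

K = 3                      # the delay k of SET(NOW + k, T)
IDLE, BUSY = "idle", "busy"


def absolute_successors(state: Tuple) -> List[Tuple]:
    """State = (location, now, expiry or None, input queue)."""
    loc, now, expiry, queue = state
    out = []
    if loc == IDLE and not queue:                    # environment sends ACQUIRE_AP
        out.append((loc, now, expiry, ("ACQ",)))
    if queue and queue[0] == "ACQ" and loc == IDLE:  # input ACQUIRE_AP; SET(NOW + k, T)
        out.append((BUSY, now, now + K, queue[1:]))
    if expiry is not None and now >= expiry:         # T expires: timeout signal queued
        out.append((loc, now, None, queue + ("T",)))
    if queue and queue[0] == "T" and loc == BUSY:    # input T, output OK/KO, go idle
        out.append((IDLE, now, None, queue[1:]))
    if expiry is None or now < expiry:               # clock tick; NOW grows unboundedly
        out.append((loc, now + 1, expiry, queue))
    return out


def inverse_successors(state: Tuple) -> List[Tuple]:
    """State = (location, remaining delay or None, input queue)."""
    loc, remaining, queue = state
    out = []
    if loc == IDLE and not queue:
        out.append((loc, remaining, ("ACQ",)))
    if queue and queue[0] == "ACQ" and loc == IDLE:
        out.append((BUSY, K, queue[1:]))             # timer variable set to k
    if loc == BUSY and remaining == 0:               # expiry tested by a guard, no signal
        out.append((IDLE, None, queue))
    if remaining is None:
        out.append((loc, None, queue))               # tick without an active timer
    elif remaining > 0:
        out.append((loc, remaining - 1, queue))      # tick decrements the timer
    return out


def reachable(successors: Callable, init: Tuple, keep: Callable[[Tuple], bool]) -> Set[Tuple]:
    """Reachability restricted to states accepted by keep."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for t in successors(s):
            if keep(t) and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def project(state: Tuple) -> Tuple:
    """Map an absolute-timer state to its inverse-timer counterpart: the
    remaining delay is expiry - NOW, or 0 while the timeout signal is pending."""
    loc, now, expiry, queue = state
    if expiry is not None:
        remaining = expiry - now
    else:
        remaining = 0 if "T" in queue else None
    return (loc, remaining, tuple(sig for sig in queue if sig != "T"))


def absolute_state_count(horizon: int) -> int:
    return len(reachable(absolute_successors, (IDLE, 0, None, ()), lambda s: s[1] <= horizon))


def inverse_state_count() -> int:
    return len(reachable(inverse_successors, (IDLE, None, ()), lambda s: True))


def steps_are_matched(horizon: int) -> bool:
    """Every absolute step a -> a' with NOW <= horizon is either a stutter
    under project or an inverse step project(a) -> project(a')."""
    states = reachable(absolute_successors, (IDLE, 0, None, ()), lambda s: s[1] <= horizon)
    return all(project(a2) == project(a) or project(a2) in inverse_successors(project(a))
               for a in states for a2 in absolute_successors(a))


if __name__ == "__main__":
    for h in (5, 10, 20):
        print(f"absolute timers, NOW <= {h:2d}: {absolute_state_count(h)} states")
    print("inverse timers:", inverse_state_count(), "states")
    print("steps matched:", steps_are_matched(20))
```

The inverse model of RCM has six reachable states however long the system runs, whereas the absolute model gains new states with every tick because NOW is part of the state; the projection check is the one-process, one-instance shape of the stuttering argument that Section 3.4 makes for the transformation in general.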
Formally, we define a specification of a process $P$ by a tuple $(pid, In, Out,
Var, Timer, Loc, Act, Edg, l_0)$, where $pid$ is a unique process identity, $In$ is
a finite set of input channel names of the process, $Out$ is a finite set of output
channel names, $Var$ denotes a finite set of variables, $Timer$ denotes a finite set
of timers, and $Loc$ denotes a finite set of locations or control states; $Act$ is the
finite set of actions; the set $Edg \subseteq Loc \times Act \times Loc$ denotes the set of edges.
For an edge $(l, a, \hat{l}) \in Edg$ of $P$, we write more suggestively $l \to_a \hat{l}$.
The set $Loc$ consists of states declared by the process diagram and intermediate control states between statements decorating arrows of transitions. In
the set $Loc$, we distinguish the subset $Loc_i$ of input locations, i.e. the locations
where input actions are allowed. Note that only input actions are allowed in
these locations. The initial location $l_0$ does not necessarily belong to $Loc_i$.
The set $Edg$ defines possible changes of locations by performing actions from
the set $Act$. As untimed actions, we distinguish (1) input of a signal $s$ containing
a value to be assigned to a local variable, (2) sending over a channel $c$ a signal $s$
together with a value described by an expression, and (3) assignments. In SDL,
each transition starts with an input action, hence we assume the inputs to be
unguarded, while output and assignment are guarded by a boolean expression
$g$, its guard. The three classes of actions are written as $?s(x)$, $g \triangleright c!s(e)$, and
$g \triangleright x := e$, respectively, and we use $a, a', \ldots$ when leaving the class of actions
unspecified. We use $env$ to denote the environment, the world outside the system.
We define the set of internal signals $Sig_{int}$ as the set of all signals sent by the
processes within the system. The set of signals exchanged with the environment is
denoted as $Sig_{ext}$. Note that it can be the case that the same signal can come
both from the environment and from a process of the system.
Time aspects of a system behaviour are specified by actions dealing with
timers. A timer is a stopwatch, defined by a local declaration of a process.
Each process has the finite set $Timer$ of timers with typical elements $t, t_1, \ldots$.
A timer can be either set to a value, i.e., activated until the system time reaches
a certain point, or deactivated by a reset action. Actions setting and resetting
a timer $t$ are denoted as $g \triangleright SET(e, t)$ and $g \triangleright RESET(t)$, respectively. There is
a timeout signal associated with each timer $t$. Further, we assume $\mathcal{T}$ to be the
set of timeout signals defined by the specification.
Definition 3.1. [PROCESS SPECIFICATION]
A process specification $Spec_P$ is a tuple $(pid, In, Out, Var, Timer, Loc, Act,
Edg, l_0)$, where $pid$ is a unique process identity, $In$ is a finite set of input
channel names, $Out$ is a finite set of output channel names, $Var$ is a finite set
of variables, $Timer$ is a finite set of timers, $Loc$ is a finite set of locations with
an initial location $l_0$, $Act$ is a finite set of actions, and $Edg \subseteq Loc \times Act \times Loc$
is a finite set of edges.
We assume the sets of variables and timers, sets of locations and sets of
input channels of processes $P_i$ in a specification to be disjoint. A mapping
from variables to values is called a valuation; we denote the set of valuations
by $Val = \{\phi \mid \phi: Var \to D\}$. We write $D$ when leaving the data domain
unspecified, and we silently assume all expressions to be well-typed.
Definition 3.2. [SYSTEM SPECIFICATION]
A system specification $Spec$ is given by a finite set of channels $Chan$, a finite
set of signals $Sig$ and a finite set of process specifications $\{Spec_{P_1}, \ldots, Spec_{P_n}\}$
such that the following conditions hold for all $j, k = 1..n$:
\[ In_j \cap In_k = \emptyset \text{ if } j \neq k; \]
\[ Var_j \cap Var_k = \emptyset \text{ and } Timer_j \cap Timer_k = \emptyset \text{ if } j \neq k; \]
\[ Loc_j \cap Loc_k = \emptyset \text{ if } j \neq k; \]
\[ \bigcup_{j=1}^{n} In_j \subseteq Chan_i \text{ and } \bigcup_{j=1}^{n} Out_j \subseteq Chan_o. \]
3.2 SDL 37 
Note that $Spec$ specifies an open system. The channel names used by the
environment are not necessarily in $\bigcup_{j=1}^{n} In_j$. Further, we refer to the channels
and processes specified by a system specification as entities.
3.2.2 SDL Semantics 
Here, we define a small-step structural operational semantics [131] of a speci-
fication in terms of configurations and a transition relation expressing how a
configuration is changed by one step of computation. First, we consider the lo-
cal semantics of separate entities, i.e., a process and a channel. The semantics of
a process (channel) is an LTS, which is defined with the help of the rules of Ta-
ble 1 and Table 2 mapping an edge from $Edg$ to a transition. Rule EXPIRATION
of Table 1 and rules IN, OUT of Table 2 have no edges in their premises. Then
we give a definition of n-ary composition that allows us to put n processes into
communication with each other.
Local semantics 
The behaviour of a single process is given by sequences of transitions $\sigma_0 \xrightarrow{\lambda_1}
\sigma_1 \xrightarrow{\lambda_2} \ldots$ starting from the initial state.
A process state, denoted as $\sigma$, consists of the current process location, a
valuation of process variables, a valuation of timers and an input queue of the
process. The process starts from the initial location with the default valuation
of variables, all timers being deactivated and an empty input queue. The set of
process states $\Sigma$ is a subset of the Cartesian product $Loc \times Val \times TVal \times Q$, where
$Val$ denotes the valuations of process variables, $TVal$ denotes the valuations of
timers and $Q$ denotes the possible contents of the input queue.
An input queue receives and holds signals (both timeout and nontimeout)
until they are consumed by the process. We write $\varepsilon$ for the empty queue;
$s(pid, v) :: q$ denotes a queue with message $s(pid, v)$ (consisting of a signal $s$, an
identity of a sender $pid$ and a value $v$) at the head of the queue, i.e., $s(pid, v)$ is
the message to be input next; likewise the queue $q :: s(pid, v)$ contains $s(pid, v)$
as the most recently entered message. We use $M$ to denote the set of messages that can be sent
in the system, $M = Sig \times Id \times D$. The set of input queue contents is defined
as $Q = Seq(M \cup T)$, where $Seq(X)$ denotes the set of all finite sequences over $X$.
Definition 3.3. [PROCESS STATE]
A state $\sigma$ of a process $P$ is a tuple $(l, \phi, \theta, q)$, where $l$ is a location, $\phi$ is a
valuation of process variables, $\theta$ is a valuation of timers and $q$ is an input
queue of the process. $\Sigma$ denotes the set of process states.
The step semantics is given as a labelled transition relation between states.
The labels differentiate between internal $\tau$-steps, tick-steps, which represent
time progress, and communication steps (either input $c_i?s(pid, v)$ or output
$c_o!s(pid, v)$), which are labelled by a quadruple of a channel name, a signal,
an identity of a sender and a value being transmitted, so $Lab_P = \{\tau, tick,
c_i?s(pid, v), c_o!s(pid, v) \mid s \in Sig, v \in D, pid \in Id\}$.
Depending on the location, the valuation of process variables, the valuation of timers,
the possible next actions, and the content of the input queue, the possible
successor states are given by the rules of Table 1. In the table, the notation
$\phi[x \mapsto v]$ stands for the valuation equalling $\phi$ for all $y \in Var \setminus \{x\}$ and mapping
variable $x$ to the value $v$.
An input of a signal, $l \xrightarrow{?s(x)} \hat{l} \in Edg$, is enabled if the signal at the head
of the queue matches the signal $s$ expected by the process. Input $?s(x)$ results in
removing the signal $s(v)$ from the head of the queue and updating the valuation
$\phi$ of process variables to $\phi[x \mapsto v]$ (rule INPUT).
Discard is a specific feature of SDL92: if the signal at the head of the
queue does not match any input defined as possible for the current input lo-
cation, then the signal is removed from the queue, and the location, the val-
uation of process variables and the valuation of timers remain the same (rule
DISCARD).
Receiving and sending are communication steps of a process. Denoted by a
label $c_i?s(pid, v)$, receiving a signal $s$ with a value $v$ via a channel $c$ leads to
adding the message $s(pid, v)$ to the input queue and does not influence process
variables, timers and the current location (rule RECEIVE).
Output is guarded, so sending a message involves evaluating the guard and
the expression to be sent according to the current valuation of variables. It
leads to a change of location of the process that sends the message. The mes-
sage is sent along the channel with name $c$ and the output step is labelled by
$c_o!s(pid, v)$ (rule OUTPUT).
An assignment $l \xrightarrow{g \triangleright x := e} \hat{l} \in Edg$ is enabled if the guard $g$ evaluates
to true. It results in a change of the current location and an update of the
valuation to $\phi[x \mapsto v]$, where $[e]_\phi = v$ (rule ASSIGN).
Modelling time in SDL 
In SDL, the concept of timers is employed to specify timing conditions im-
posed on a system. Two predefined data types, Time and Duration, are used
to specify values related to time. A Time value indicates some point in time,
whereas a Duration value denotes a time delay. A process can access the cur-
rent system time by means of the NOW expression. A valuation $[\mathrm{NOW}]$ maps this
expression to a value of the predefined type Time representing the current system
time. SDL is intended to specify distributed systems with asynchronous com-
munication, so no assumption on the temporal ordering of events in different
processes can be based on reading NOW.
Each timer is related to a process; a timer is either active (set to a value)
or inactive (reset). Two operations are defined on timers: SET and RESET (rules
SET and RESET). A timer can be activated by setting it to a value $on(v)$, where
$v$ is the time when the timer should expire. The value $v$ is given by an expression
$(\mathrm{NOW} + e)$. A RESET action sets the timer to $off$. So the set $TVal$ of valuations of
timers is defined as follows: $TVal = \{\theta \mid \theta : Timer \to \{off, on(v) \mid v \in Time\}\}$.

\[
\frac{l \xrightarrow{?s(x)} \hat{l} \in Edg \quad s \notin T}
{(l, \phi, \theta, s(pid, v) :: q) \xrightarrow{\tau} (\hat{l}, \phi[x \mapsto v], \theta, q)} \ \textsc{Input}
\]
\[
\frac{s' \notin \{s \mid l \xrightarrow{?s(x)} \hat{l} \in Edg\} \quad l \in Loc_i \quad s' \notin T}
{(l, \phi, \theta, s'(pid, v) :: q) \xrightarrow{\tau} (l, \phi, \theta, q)} \ \textsc{Discard}
\]
\[
\frac{v \in D \quad c \in In}
{(l, \phi, \theta, q) \xrightarrow{c_i?s(pid, v)} (l, \phi, \theta, q :: s(pid, v))} \ \textsc{Receive}
\]
\[
\frac{l \xrightarrow{g \triangleright c!(s, e)} \hat{l} \in Edg \quad [g]_\phi = true \quad [e]_\phi = v}
{(l, \phi, \theta, q) \xrightarrow{c_o!s(pid, v)} (\hat{l}, \phi, \theta, q)} \ \textsc{Output}
\]
\[
\frac{l \xrightarrow{g \triangleright x := e} \hat{l} \in Edg \quad [g]_\phi = true \quad [e]_\phi = v}
{(l, \phi, \theta, q) \xrightarrow{\tau} (\hat{l}, \phi[x \mapsto v], \theta, q)} \ \textsc{Assign}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{SET}(e, t)} \hat{l} \in Edg \quad [g]_\phi = true \quad [e]_\phi = v}
{(l, \phi, \theta, q) \xrightarrow{\tau} (\hat{l}, \phi, \theta[t \mapsto on(v)], \pi_t(q))} \ \textsc{Set}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{RESET}(t)} \hat{l} \in Edg \quad [g]_\phi = true}
{(l, \phi, \theta, q) \xrightarrow{\tau} (\hat{l}, \phi, \theta[t \mapsto off], \pi_t(q))} \ \textsc{Reset}
\]
\[
\frac{v \leq now \quad [t]_\theta = on(v)}
{(l, \phi, \theta, q) \xrightarrow{\tau} (l, \phi, \theta[t \mapsto off], q :: t)} \ \textsc{Expiration}
\]
\[
\frac{l \xrightarrow{?t} \hat{l} \in Edg \quad t \in T}
{(l, \phi, \theta, t :: q) \xrightarrow{\tau} (\hat{l}, \phi, \theta, q)} \ \textsc{TInput}
\]
\[
\frac{t' \notin \{t \mid l \xrightarrow{?t} \hat{l} \in Edg\} \quad l \in Loc_i \quad t' \in T}
{(l, \phi, \theta, t' :: q) \xrightarrow{\tau} (l, \phi, \theta, q)} \ \textsc{TDiscard}
\]
\[
\frac{blocked(\sigma)}
{now \xrightarrow{tick} now + 1} \ \textsc{Tick}_P
\]
Table 1. Step semantics of process specification $Spec_P$
If a SET or RESET operation is performed on an expired timer after adding
the timer signal to the process queue but before the signal is consumed from
the queue, the timer signal is removed from the queue. We write $\pi_t(q)$ for the
queue obtained from $q$ by projecting out the timeout signal $t$.
There are a pseudo-signal and an implicit transition, called a timeout tran-
sition, associated with each timer. A timer expires when the system time $now$
reaches the value to which the timer was set, i.e., the timeout transition of a
timer set to $on(v)$ becomes enabled and may occur when $now$ is larger than or
equal to $v$. Execution of the timeout transition, captured by the EXPIRATION
rule, adds the corresponding pseudo-signal to the process input queue and re-
sets the timer to $off$. The TINPUT rule captures consumption of a timeout
signal from the input queue. The rule TDISCARD is similar to DISCARD.
Rule TICK$_P$ allows time progression by the action $tick$, which increases the value
of the system time $now$ by 1 and does not change the state of the process. Time
can progress only when the process is blocked, i.e., it cannot do anything ex-
cept receive signals from the outside world. Due to the discarding feature,
this implies that the input queue of the process must be empty. This situation
is determined by a predicate $blocked$ that is true if the process is in a state
$(l, \phi, \theta, \varepsilon)$ with $l \in Loc_i$. None of the other steps can change the system time.
Definition 3.4. [PROCESS P]
A process $P$ is an LTS $(\Sigma \times Time, Lab_P, \to, (\sigma_0, 0), In, Out)$ where $\sigma_0 =
(l_0, \phi_0, \theta_0, \varepsilon)$ is the initial state, $0$ is the initial system time, $In$ is a set of input
channel names, $Out$ is a set of output channel names and $\to \subseteq (\Sigma \times Time) \times
Lab \times (\Sigma \times Time)$ is a labelled transition relation derived by applying the rules
in Table 1 to some process specification $Spec_P$.
We say that a process specification is well-formed iff at least one guard
evaluates to true in each non-input state. At the level of the SDL source language, this
assumption corresponds to the natural requirement that each conditional con-
struct must cover all cases, for instance by having at least a default branch.
The system should not block because of a non-covered alternative in a decision
construct [133]. In the sequel, we assume that we work only with well-formed
process specifications.
Channels 
In SDL's asynchronous communication model, a process receives messages via
channels into a single input port associated with the process. Input ports as
well as asynchronous channels are modelled as queues. A channel is represented
explicitly by a separate entity consisting of the channel name together with
a queue modelling the channel. To allow a uniform presentation of parallel
composition below, we use the symbol $\sigma$ not only for a typical element of process
states, but also for states $(c, q)$ of channels. Note that timeout signals may appear
only in the input queue of a process, but not in a queue modelling a channel.
Only nontimeout signals are transferred via channels, so the set of possible
channel states of channel $c$ is defined as $\Sigma = \{(c, q) \mid q \in Seq(M)\}$.
Definition 3.5. [CHANNEL STATE]
A state $\sigma$ of a channel $c$ is a pair $(c, q)$, where $c$ is the name of the channel and
$q$ is a FIFO queue.
We require for the input and the output names of a channel that $In_c = \{c_o\}$
and $Out_c = \{c_i\}$. The step semantics of a channel $c$ is given by a labelled tran-
sition relation $\to \subseteq \Sigma \times Lab_c \times \Sigma$ defined by the operational rules IN and OUT of
Table 2. Rule IN enables a step $c_o?s(pid, v)$ that adds a message $s(pid, v)$ to the
channel queue, whereas rule OUT makes it possible to take a step $c_i!s(pid, v)$
that removes the message $s(pid, v)$ from the channel queue in order to deliver
it to a destination process or to the environment. The set of labels $Lab_c$ is defined
as $\{c_i!s(pid, v), c_o?s(pid, v) \mid s \in Sig, pid \in Id, v \in D\}$, so the labels marking
the communication steps of channels differ from those labelling communication
steps of processes.
A channel process may also tick if it cannot do anything else except re-
ceive messages. This is possible in case the queue modelling the channel is
empty. Otherwise, the channel can still deliver a message to some destination
process or to the environment. So $blocked$ is true only in the state $(c, \varepsilon)$.
Definition 3.6. [CHANNEL c]
A channel process $c$ is an LTS $S = (\Sigma \times Time, Lab_c, \to, (\sigma_0, 0), In_c, Out_c)$,
where $\sigma_0 = (c, \varepsilon)$ is the initial state, $0$ is the initial system time, and the transition
relation $\to \subseteq (\Sigma \times Time) \times Lab_c \times (\Sigma \times Time)$ is defined by the rules in
Table 2.
\[
\frac{}
{(c, s(pid, v) :: q) \xrightarrow{c_i!s(pid, v)} (c, q)} \ \textsc{Out}
\]
\[
\frac{blocked(c, q)}
{now \xrightarrow{tick} now + 1} \ \textsc{Tick}_Q
\]
\[
\frac{}
{(c, q) \xrightarrow{c_o?s(pid, v)} (c, q :: s(pid, v))} \ \textsc{In}
\]
Table 2. Step semantics for channel $c$

Time in SDL
We use the interpretation of time progression supported by the commercial
SDL design tools [166, 156]. It regards transitions as instantaneous, i.e., taking
zero time. Time is allowed to pass when SDL processes are in an idle state
and waiting for further signals to arrive, i.e., the input ports are empty. Time
proceeds until an active timer expires or a process receives a signal from the
environment, i.e., time progress has the least priority. We refer to a time period
between two tick-steps as a time slice. When the system time becomes equal
to a timer value, the timeout transition becomes enabled and can be executed
at any point of the time slice. A time slice starts with firing some enabled
timeout transition or an input from the environment. This action unblocks the
system. In case several timeout transitions become enabled at the same time,
one of them is taken non-deterministically to unblock the system, and the rest
are taken later at any point of the time slice since they have the same priority
as normal transitions. In case no timeout transition is enabled and there
are no inputs from the environment, the system is still blocked and time can
progress further.
We say that a system is blocked if it can only wait for signals to arrive
from the outside world. We use the predicate $blocked$ to determine whether
the system is in this state. The system time is allowed to pass if all entities of
the system are blocked. This interpretation conforms to the interpretation of
time given by the dynamic semantics of SDL [145, 146]. The dynamic semantics
states that global system time is represented by a function $clock$ whose value
increases monotonically and does not increase as long as a signal is in transit on
a channel. Moreover, it also fits the interpretation of time given in Section
11.12.1 of the SDL standard Z.100 [140, 142].
In SDL, real numbers are used for Time and Duration. So, whenever a
timer is set, its expiration is given by a real number. Every tick increases the system
time by a certain amount, so the system time proceeds in a discrete man-
ner. Therefore, we may use a discrete approach to the interpretation of Time
values, i.e., $\mathbb{N}$ and $\mathbb{Z}$ are used as the interpretations of Time and Duration,
respectively. We assume a global system time represented by a system variable
$now$ that has a value of the type Time. A tick-step, which increases the value
of this variable, is enabled only if the system is blocked.
Though complicated, such a time semantics is suitable for implementation
purposes [133]. It is natural to model a timer as a unit advancing from the
current moment of time, obtained by evaluating the NOW expression, to the
time point specified by the expression $(\mathrm{NOW} + \delta)$, where $\delta$ is the time left until the
expiration of the timer. The expression NOW always evaluates to the system time,
i.e., $[\mathrm{NOW}] = now$.
n-ary parallel composition 
A global semantics of an SDL specification is given by an n-ary parallel com-
position of processes and channels defined by the specification. 
The semantics of the parallel composition of n processes is given by the rules of
Table 3. We call a vector of states of n system entities (processes and channels)
a configuration and write $\gamma, \gamma_1, \ldots \in \Gamma$ for typical elements. We call a sequence
of configurations $\gamma_0 \xrightarrow{\lambda_1} \gamma_1 \xrightarrow{\lambda_2} \ldots$ starting from the initial configuration a
run.

\[
\frac{(\sigma_j, now) \xrightarrow{\alpha_j} (\hat{\sigma}_j, now) \quad (\sigma_k, now) \xrightarrow{\alpha_k} (\hat{\sigma}_k, now) \quad comm(\alpha_j, \alpha_k)}
{(\ldots, \sigma_j, \ldots, \sigma_k, \ldots, now) \xrightarrow{\tau} (\ldots, \hat{\sigma}_j, \ldots, \hat{\sigma}_k, \ldots, now)} \ \textsc{Comm}
\]
\[
\frac{(\sigma_i, now) \xrightarrow{c_o?s(env, v)} (\hat{\sigma}_i, now)}
{(\ldots, \sigma_i, \ldots, now) \xrightarrow{c_o?s(env, v)} (\ldots, \hat{\sigma}_i, \ldots, now)} \ \textsc{Interleave}_{in}
\]
\[
\frac{c \in In_{env} \quad (\sigma_i, now) \xrightarrow{c_i!s(pid, v)} (\hat{\sigma}_i, now)}
{(\ldots, \sigma_i, \ldots, now) \xrightarrow{c_i!s(pid, v)} (\ldots, \hat{\sigma}_i, \ldots, now)} \ \textsc{Interleave}_{out}
\]
\[
\frac{(\sigma_i, now) \xrightarrow{\tau} (\hat{\sigma}_i, now)}
{(\ldots, \sigma_i, \ldots, now) \xrightarrow{\tau} (\ldots, \hat{\sigma}_i, \ldots, now)} \ \textsc{Interleave}_\tau
\]
\[
\frac{(\sigma_1, now) \xrightarrow{tick} (\sigma_1, now + 1) \quad \ldots \quad (\sigma_n, now) \xrightarrow{tick} (\sigma_n, now + 1)}
{(\sigma_1, \ldots, \sigma_n, now) \xrightarrow{tick} (\sigma_1, \ldots, \sigma_n, now + 1)} \ \textsc{Tick}
\]
Table 3. n-ary parallel composition
Communication between two system entities is performed by exchanging
a common signal and a value over a channel name ($c_o$ or $c_i$). According to
the syntactic restriction on the use of input and output channel names, only
synchronization of communication steps between a process and a channel queue may
happen. Sending a message over the channel consists in synchronizing an
output step of the process with an input step that adds the message to the
channel queue, i.e., a $c_o!s(pid, v)$-step of the process is synchronized
with a $c_o?s(pid, v)$-step of the channel $c$. Receiving a message consists in syn-
chronizing an output step that removes the first element from the channel
queue with a receiving step that adds the message to the input queue of the
process, i.e., a $c_i!s(pid, v)$-step of the channel is synchronized with a
$c_i?s(pid, v)$-step of the destination process. The predicate $comm$, which is true
when two communication steps should be synchronized, is defined as follows:
Definition 3.7.
For two labels $\alpha_1$ and $\alpha_2$, the predicate $comm$ is true iff one of the following
conditions is satisfied for $j, k \in \{1, 2\}$, $j \neq k$:
(i) $\alpha_j = c_o!s(pid, v)$, $\alpha_k = c_o?s(pid, v)$
(ii) $\alpha_j = c_i!s(pid, v)$, $\alpha_k = c_i?s(pid, v)$
Otherwise the predicate is false.
The initial configuration of an n-ary parallel composition is a vector of the
initial states of the n system entities (processes and channels), i.e., $\gamma_0 =
(\sigma_0^1, \ldots, \sigma_0^n)$. As defined by the rule COMM, two matching steps are glued together
and relabelled to a $\tau$-step by the synchronization. Inputs from and outputs to
the environment are interleaved by the rules INTERLEAVE$_{in}$ and INTERLEAVE$_{out}$,
respectively. As far as $\tau$-steps are concerned, each system entity can act on its
own according to the rule INTERLEAVE$_\tau$.
The rule TICK states that time progresses if the system is blocked. A time
progression step $tick$ increases the system variable $now$ modelling the system time.
The expression NOW always evaluates to the system time, i.e., $[\mathrm{NOW}] = now$.
Definition 3.8. [PARALLEL COMPOSITION]
The n-ary parallel composition of n system entities $S_k = (\Sigma_k, Lab_k, \to_k, In_k,
Out_k, \sigma_0^k)$ is an LTS $S = (\Gamma, Lab, \to, In, Out, \gamma_0)$, where
$\Gamma = \Sigma_1 \times \ldots \times \Sigma_n \times Time$ is a set of states with an initial state $\gamma_0 =
(\sigma_0^1, \ldots, \sigma_0^n, 0)$ and projections $f_k : \Gamma \to \Sigma_k$, $k \in \{1, \ldots, n\}$;
$Lab = \bigcup_{k=1}^{n} Lab_k$ is a finite set of labels;
$In = \bigcup_{k=1}^{n} In_k$ is a finite set of input channel names;
$Out = \bigcup_{k=1}^{n} Out_k$ is a finite set of output channel names;
$\to \subseteq (\Gamma \times Time) \times Lab \times (\Gamma \times Time)$ is a labelled transition relation given
by the rules of Table 3.
The following lemma expresses that the $blocked$ predicate is compositional
in the sense that the parallel composition of processes is blocked iff each process
is blocked and there are no messages in transit on channels and no messages in
input queues.
Lemma 3.1.
For a configuration $\gamma$, $blocked(\gamma)$ iff $blocked(\sigma)$ for all states $\sigma$ that are a part
of $\gamma$.
Proof. If $\gamma$ is not blocked, it can perform an output step or a $\tau$-step. The
output step must originate either from a process, which is then not blocked, or from a
channel, which then contains a signal in transit.
The $\tau$-step is either caused by a single process or by a synchronizing action
of a process and a channel; in both cases at least one entity is not blocked.
For the reverse direction, a $\tau$-step of a single process, which is thus not blocked,
entails that $\gamma$ is not blocked.
An output step of a single process or a channel causes $\gamma$ either to do the
same output step or, in case of internal communication, to do a $\tau$-step. In both
cases, $\gamma$ is not blocked. $\square$
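The composition of Table 3 and the predicate $comm$ of Definition 3.7, as an added example that is not part of the thesis: a constructed system in which process S sends signal s over channel c and process R consumes it. Time, variables and timers are left out (so only COMM, INTERLEAVE$_\tau$ and INTERLEAVE$_{out}$ are modelled), and the names S, R, c, the locations and the edges are all constructed here.

```python
"""Added example (not from the thesis): the composition of Table 3 run on one
constructed system. Process S sends signal s over channel c, the channel
forwards it, process R consumes it. Variables, timers and time are omitted,
so only COMM, INTERLEAVE_tau and INTERLEAVE_out are modelled; a label is a
tuple (port, direction, signal, pid, value) with port c_o or c_i as in the text."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Proc:
    pid: str
    loc: str
    q: tuple            # input queue of messages (signal, sender pid, value)
    inputs: frozenset   # In: names of the channels this process reads from
    edges: tuple        # (loc, ("?", s, x) or ("!", c, s, v), loc')

@dataclass(frozen=True)
class Chan:
    name: str
    q: tuple            # FIFO queue of messages in transit

INPUT_LOCS = {"wait"}   # Loc_i: input locations of the constructed processes
ENV_IN = frozenset()    # In_env: channels the environment reads (none here)

def comm(a, b):
    """Definition 3.7: labels synchronise iff they share port and payload and one is '!', the other '?'."""
    return a[0] == b[0] and a[2:] == b[2:] and {a[1], b[1]} == {"!", "?"}

def offered(ent):
    """Active steps of one entity as (label or 'tau', successor):
    OUT for a channel; OUTPUT, INPUT and DISCARD for a process."""
    if isinstance(ent, Chan):
        return [((ent.name + "_i", "!") + ent.q[0], replace(ent, q=ent.q[1:]))] if ent.q else []
    steps = []
    for src, act, dst in ent.edges:
        if src != ent.loc:
            continue
        if act[0] == "!":                                   # OUTPUT on port c_o
            steps.append(((act[1] + "_o", "!", act[2], ent.pid, act[3]), replace(ent, loc=dst)))
        elif act[0] == "?" and ent.q and ent.q[0][0] == act[1]:   # INPUT consumes a matching head
            steps.append(("tau", replace(ent, loc=dst, q=ent.q[1:])))
    expected = {a[1] for s, a, _ in ent.edges if s == ent.loc and a[0] == "?"}
    if ent.q and ent.loc in INPUT_LOCS and ent.q[0][0] not in expected:
        steps.append(("tau", replace(ent, q=ent.q[1:])))    # DISCARD of an unexpected signal
    return steps

def accept(ent, label):
    """Passive step matching a '?' label: IN for a channel on c_o, RECEIVE for a process on c_i."""
    port, direction, s, pid, v = label
    if direction != "?":
        return None
    if isinstance(ent, Chan) and port == ent.name + "_o":
        return replace(ent, q=ent.q + ((s, pid, v),))
    if isinstance(ent, Proc) and port.endswith("_i") and port[:-2] in ent.inputs:
        return replace(ent, q=ent.q + ((s, pid, v),))
    return None

def compose_steps(config):
    """Table 3 without tick: COMM glues a '!' step with its '?' partner into a tau step,
    INTERLEAVE_tau passes internal steps through, INTERLEAVE_out exposes outputs to the environment."""
    succ = []
    for j, ent in enumerate(config):
        for lab, new in offered(ent):
            if lab == "tau":
                succ.append(("tau", config[:j] + (new,) + config[j + 1:]))
                continue
            partner = (lab[0], "?") + lab[2:]
            for k, other in enumerate(config):
                acc = accept(other, partner) if k != j else None
                if acc is not None and comm(lab, partner):
                    cfg = list(config)
                    cfg[j], cfg[k] = new, acc
                    succ.append(("tau", tuple(cfg)))
            if lab[0][:-2] in ENV_IN:
                succ.append((lab, config[:j] + (new,) + config[j + 1:]))
    return succ

def blocked(ent):
    """blocked: a process in an input location with an empty queue, or an empty channel."""
    return not ent.q and (isinstance(ent, Chan) or ent.loc in INPUT_LOCS)

INITIAL = (   # constructed initial configuration (S, c, R)
    Proc("S", "go", (), frozenset(), (("go", ("!", "c", "s", 7), "wait"), ("wait", ("?", "ack", "y"), "go"))),
    Chan("c", ()),
    Proc("R", "wait", (), frozenset({"c"}), (("wait", ("?", "s", "x"), "wait"),)),
)

def run(config):
    """Take the first enabled step until none is left; return the labels seen and the configurations visited."""
    labels, visited = [], [config]
    while True:
        steps = compose_steps(config)
        if not steps:
            return labels, visited
        lab, config = steps[0]
        labels.append(lab)
        visited.append(config)
```

The run ends in a configuration where every entity is blocked, and along the way the composition can step exactly when some entity is not blocked, which is the content of Lemma 3.1 for this instance.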
3.3 Timer Transformation 
A state of an SDL process is given by its current location, the valuations of
timers and variables, and the content of the input queue. There are several
reasons why the way timers are modelled in SDL is not quite suitable for model
checking purposes. Since NOW gives access to the current system time, executing
$\mathrm{SET}(\mathrm{NOW} + e, t)$ with different (infinitely growing) values of NOW yields different
process configurations. Moreover, a timeout transition can add a timer signal
at any point of the time slice. This blows up the state space due to the number
of possible interleavings of events. Furthermore, keeping a timeout
signal in a process queue adds to the length of the state vector. In this section,
we solve this problem by a transformation replacing the SDL concept of timers
with a new one.
The transformation of process specifications is given by the rules of Table 4.
A new syntax is introduced for setting and resetting timer variables. Note
that the transformation rules are developed under the assumption that the
NOW operator appears in the original system specification in the scope of SET
operations only, and all the SET operations are of the form $\mathrm{SET}(\mathrm{NOW} + \delta, t)$. In
the sequel, we consider only systems of this type.
To avoid the state explosion due to the interpretation of timers and the
overhead caused by the management of timeout signals, we substitute the SDL
concept of timeouts as a special kind of signals by a concept of timeouts as
guards. A declaration of a timer $t$ is transformed to the declaration of a timer
variable $t$. We use $off$ to represent inactive timers. The value of a timer variable
representing an active timer shows the delay left until timer expiration.
\[
\frac{l \xrightarrow{?t} \hat{l} \in Edg \quad t \in T}
{l \xrightarrow{g_t \triangleright \mathrm{reset}\ t} \hat{l} \in Edg'} \ \textsc{TInput to Timeout}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{SET}(\mathrm{NOW} + e, t)} \hat{l} \in Edg}
{l \xrightarrow{[g \wedge (e \geq 0)] \triangleright \mathrm{set}\ t := e} \hat{l} \in Edg'} \ \textsc{Set to Set1}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{SET}(\mathrm{NOW} + e, t)} \hat{l} \in Edg}
{l \xrightarrow{[g \wedge (e < 0)] \triangleright \mathrm{set}\ t := 0} \hat{l} \in Edg'} \ \textsc{Set to Set2}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{RESET}(t)} \hat{l} \in Edg}
{l \xrightarrow{g \triangleright \mathrm{reset}\ t} \hat{l} \in Edg'} \ \textsc{Reset to Reset}
\]
Table 4. Transformation rules
We use the integer domain $\mathbb{Z}$ as a natural interpretation of Duration, since
the delay specified by an expression $e$ in a setting action $\mathrm{SET}(\mathrm{NOW} + e, t)$ may
take positive and negative values. Setting a timer to a time value less than the
current system time results in an immediate expiration of the timer and adding a
timeout signal to the input queue of the process. In this case, immediate means
that the expiration must take place within the current time slice. Therefore, an
action $g \triangleright \mathrm{SET}(\mathrm{NOW} + e, t)$ on timers is substituted by the choice between setting
the timer variable $t$ to the value of the expression $e$ and setting $t$ to zero. The first
action is allowed if the expression has a nonnegative value (rule SET TO SET1
of Table 4). Otherwise, the second action is enabled and the timer variable is
set to zero (rule SET TO SET2 of Table 4). The $\mathrm{RESET}(t)$ action is transformed
into an assignment of the $off$ value to the timer variable $t$, denoted by $\mathrm{reset}\ t$
(rule RESET TO RESET of Table 4).
In the original system, a timer whose value is less than or equal to the
current system time may expire. The transformed system should show
the same behaviour. Since we take the value of a transformed timer to be
the delay left until its expiration, only timers whose values are equal to $0$ may
expire. Therefore, we replace each input of a timeout signal $t$ by a reset of the
timer variable $t$ that is guarded by the timeout guard $g_t$, namely $(t = on(0))$. Resetting
guarantees deactivation of the timer (rule TINPUT TO TIMEOUT of Table 4).
The set of actions of the transformed process coincides with the set of actions of
the original one, except for SET and RESET actions on timers, which are substituted
by $\mathrm{set}$ and $\mathrm{reset}$ actions on timer variables.
Applying the rules of Table 4 to a process specification $Spec_P$, we get the
process specification $Spec_{P'}$. Given $Spec_P = (pid, In, Out, Var, Timer, Loc,
Act, Edg, l_0)$, we get $Spec_{P'} = (pid, In, Out, Var', Loc, Act', Edg', l_0)$, where
$Var' = Var \cup \{t \mid t \in Timer\}$. Settings, timeouts and resettings of timers are
substituted by settings, timeouts and resettings of timer variables according to
the rules of Table 4. The other actions and edges are left unmodified. Further,
we refer to the set of timer variables as $TVar$.
Table 5 gives the local step semantics of the transformed process speci-
fication. Further, we refer to an LTS derived from some transformed process
specification $Spec_{P'}$ by the rules of Table 5 as a transformed process $P'$. A state
of a transformed process is given by a location, a valuation of process and timer
variables and a process input queue. A valuation of process and timer variables
is denoted as $\eta$. Since timeout signals are not put into an input queue anymore,
we do not distinguish between timeout and non-timeout signals in rule INPUT.
Setting a timer and resetting a timer do not influence the input queue of a
process (rules SET and RESET). The set $\Sigma'$ of process states is defined by the
Cartesian product $Loc \times Val \times Seq(M)$.
Definition 3.9. [STATE OF THE TRANSFORMED PROCESS]
A state $\sigma'$ of a process $P'$ is a triple $(l, \eta, q)$, where $l$ is a location, $\eta$ is a
valuation of variables and $q$ is the content of the input queue of the process. $\Sigma'$
denotes the set of states of a transformed process.
\[
\frac{l \xrightarrow{?s(x)} \hat{l} \in Edg'}
{(l, \eta, s(pid, v) :: q) \xrightarrow{\tau} (\hat{l}, \eta[x \mapsto v], q)} \ \textsc{Input}
\]
\[
\frac{l \in Loc_i \quad s' \notin \{s \mid l \xrightarrow{?s(x)} \hat{l} \in Edg'\}}
{(l, \eta, s'(pid, v) :: q) \xrightarrow{\tau} (l, \eta, q)} \ \textsc{Discard}
\]
\[
\frac{v \in D \quad c \in In_P}
{(l, \eta, q) \xrightarrow{c_i?s(pid, v)} (l, \eta, q :: s(pid, v))} \ \textsc{Receive}
\]
\[
\frac{l \xrightarrow{g \triangleright c!(s, e)} \hat{l} \in Edg' \quad [g]_\eta = true \quad [e]_\eta = v}
{(l, \eta, q) \xrightarrow{c_o!s(pid, v)} (\hat{l}, \eta, q)} \ \textsc{Output}
\]
\[
\frac{l \xrightarrow{g \triangleright x := e} \hat{l} \in Edg' \quad [g]_\eta = true \quad [e]_\eta = v}
{(l, \eta, q) \xrightarrow{\tau} (\hat{l}, \eta[x \mapsto v], q)} \ \textsc{Assign}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{set}\ t := e} \hat{l} \in Edg' \quad [g]_\eta = true \quad [e]_\eta = v}
{(l, \eta, q) \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto on(v)], q)} \ \textsc{Set}
\]
\[
\frac{l \xrightarrow{g \triangleright \mathrm{reset}\ t} \hat{l} \in Edg' \quad [g]_\eta = true}
{(l, \eta, q) \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto off], q)} \ \textsc{Reset}
\]
\[
\frac{l \xrightarrow{g_t \triangleright \mathrm{reset}\ t} \hat{l} \in Edg' \quad [t]_\eta = on(0)}
{(l, \eta, q) \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto off], q)} \ \textsc{Timeout}
\]
\[
\frac{t' \notin \{t \mid l \xrightarrow{g_t \triangleright \mathrm{reset}\ t} \hat{l} \in Edg'\} \quad [t']_\eta = on(0) \quad l \in Loc_i}
{(l, \eta, q) \xrightarrow{\tau} (l, \eta[t' \mapsto off], q)} \ \textsc{TDiscard}
\]
\[
\frac{blocked(\sigma)}
{(l, \eta, q) \xrightarrow{tick} (l, \eta_{dec}, q)} \ \textsc{Tick}_P
\]
Table 5. Step semantics of transformed process specification $Spec_{P'}$
\[
\frac{}
{(c, \varepsilon) \xrightarrow{tick} (c, \varepsilon)} \ \textsc{Tick}_C
\]
\[
\frac{\sigma_j \xrightarrow{\alpha_j} \hat{\sigma}_j \quad \sigma_k \xrightarrow{\alpha_k} \hat{\sigma}_k \quad j \neq k \quad comm(\alpha_j, \alpha_k)}
{(\ldots, \sigma_j, \ldots, \sigma_k, \ldots) \xrightarrow{\tau} (\ldots, \hat{\sigma}_j, \ldots, \hat{\sigma}_k, \ldots)} \ \textsc{Comm}
\]
\[
\frac{\sigma_i \xrightarrow{c_o?s(env, v)} \hat{\sigma}_i}
{(\ldots, \sigma_i, \ldots) \xrightarrow{c_o?s(env, v)} (\ldots, \hat{\sigma}_i, \ldots)} \ \textsc{Interleave}_{in}
\]
\[
\frac{c \in In_{env} \quad \sigma_i \xrightarrow{c_i!s(pid, v)} \hat{\sigma}_i}
{(\ldots, \sigma_i, \ldots) \xrightarrow{c_i!s(pid, v)} (\ldots, \hat{\sigma}_i, \ldots)} \ \textsc{Interleave}_{out}
\]
\[
\frac{\sigma_i \xrightarrow{\tau} \hat{\sigma}_i}
{(\ldots, \sigma_i, \ldots) \xrightarrow{\tau} (\ldots, \hat{\sigma}_i, \ldots)} \ \textsc{Interleave}_\tau
\]
\[
\frac{\sigma_1 \xrightarrow{tick} \hat{\sigma}_1 \quad \ldots \quad \sigma_n \xrightarrow{tick} \hat{\sigma}_n}
{(\sigma_1, \ldots, \sigma_n) \xrightarrow{tick} (\hat{\sigma}_1, \ldots, \hat{\sigma}_n)} \ \textsc{Tick}
\]
Table 6. tick-step of a channel and n-ary parallel composition
Definition 3.10. [TRANSFORMED PROCESS]
A transformed process $P'$ is an LTS $(\Sigma', Lab', \to', In, Out, \sigma_0)$ where $\sigma_0 =
(l_0, \eta_0, \varepsilon)$ is the initial state and $\to' \subseteq \Sigma' \times Lab' \times \Sigma'$ is a labelled transition
relation derived by applying the rules in Table 5 to some transformed process
specification $Spec_{P'}$.
Note that the system time is not present in the transformed system explicitly:
one infinitely growing variable would be enough to cause state explosion.
Instead of increasing the system time, the tick transition (rule TICK$_P$ of Table
5) decreases the values of timer variables. Like the TICK transition of the
original system, this transition can take place only if the system is blocked,
and "blocked" has exactly the same meaning as before. The $dec$ operation
decreases all the positive values of timer variables by one and leaves the other
variables unchanged. The valuation obtained by applying the $dec$ operation is
denoted $\eta_{dec}$.
Table 6 defines the n-ary parallel composition of channels and transformed pro-
cesses. Here, we need to define a tick-step not only for processes but also for
channels. (Note that the IN and OUT rules for channels in the transformed system
coincide with the same rules in Table 2.) A tick-step of a channel does not
change the state of the channel and becomes enabled only if the channel is
blocked, i.e., it has no message to deliver and it may receive only messages from
the environment (rule TICK$_C$ of Table 6). The definition of n-ary parallel com-
position for transformed systems coincides with the one for original systems
except for the TICK rule. According to the TICK rule of Table 6, all components of
the transformed system are synchronized on their tick-steps, which decrease the values
of active timer variables.
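The timer rules of Table 1, the transformation of Table 4 and the transformed timer rules of Table 5, as an added example that is not part of the thesis: one constructed process ($l_0 \xrightarrow{\mathrm{SET}(\mathrm{NOW}+2, t)} l_1 \xrightarrow{?t} l_0$, a single timer $t$) is explored under both semantics to show that the original reachable state space grows with $now$ while the transformed one stays finite. Assumed here: tick is enabled exactly when the process is blocked, as the TICK$_P$ rules state, and the timer correspondence used to relate the two state spaces (an active timer maps to the delay left, an expired or queued timeout maps to $on(0)$) is the one sketched in the prose, not a definition quoted from the thesis.

```python
"""Added example (not from the thesis): the timer rules of Table 1 beside the
transformation of Table 4 and the transformed rules of Table 5, run on one
constructed process (l0 --SET(NOW+2, t)--> l1 --?t--> l0, one timer t), to show
that the original reachable state space grows with now while the transformed
one is finite. Assumed here: tick is enabled exactly when the process is blocked
(input location, empty queue), as rules TICK_P state, with no extra priority."""
from collections import deque

OFF = "off"                   # value of an inactive timer (variable)
EDGES = (("l0", ("SET", 2, "t"), "l1"), ("l1", ("TINPUT", "t"), "l0"))
INPUT_LOCS = {"l1"}           # Loc_i of the constructed process

def on(v):
    return ("on", v)

def original_steps(state):
    """Successors of (loc, theta(t), queue, now) under Table 1 (timer rules only)."""
    loc, theta, q, now = state
    succ = []
    for src, act, dst in EDGES:
        if src != loc:
            continue
        if act[0] == "SET":                       # SET: theta[t -> on(now+e)], timeout purged from q
            succ.append((dst, on(now + act[1]), tuple(x for x in q if x != act[2]), now))
        elif act[0] == "TINPUT" and q and q[0] == act[1]:   # TINPUT consumes the timeout at the head
            succ.append((dst, theta, q[1:], now))
    if theta != OFF and theta[1] <= now:          # EXPIRATION: pseudo-signal t joins the queue
        succ.append((loc, OFF, q + ("t",), now))
    if not q and loc in INPUT_LOCS:               # blocked(sigma) => TICK_P: now + 1
        succ.append((loc, theta, q, now + 1))
    return succ

def transform(edges):
    """Table 4: SET(NOW+e, t) becomes the guarded pair set t := e (e >= 0) / set t := 0 (e < 0),
    ?t becomes a reset guarded by t = on(0), RESET(t) becomes reset t."""
    out = []
    for src, act, dst in edges:
        if act[0] == "SET":
            e, t = act[1], act[2]
            out.append((src, ("set", t, e, e >= 0), dst))     # SET TO SET1, guard e >= 0
            out.append((src, ("set", t, 0, e < 0), dst))      # SET TO SET2, guard e < 0
        elif act[0] == "TINPUT":
            out.append((src, ("timeout", act[1]), dst))       # TINPUT TO TIMEOUT
        elif act[0] == "RESET":
            out.append((src, ("reset", act[1]), dst))         # RESET TO RESET
        else:
            out.append((src, act, dst))
    return out

def transformed_steps(state, edges):
    """Successors of (loc, eta(t), queue) under Table 5 (timer rules only)."""
    loc, eta, q = state
    succ = []
    for src, act, dst in edges:
        if src != loc:
            continue
        if act[0] == "set" and act[3]:              # guard already evaluated for the constant e
            succ.append((dst, on(act[2]), q))
        elif act[0] in ("reset", "timeout") and (act[0] == "reset" or eta == on(0)):
            succ.append((dst, OFF, q))              # RESET, or TIMEOUT guarded by t = on(0)
    if not q and loc in INPUT_LOCS:                 # blocked => TICK_P with dec: positive values drop by one
        dec = on(eta[1] - 1) if eta != OFF and eta[1] > 0 else eta
        succ.append((loc, dec, q))
    return succ

def reachable(init, step):
    """Plain breadth-first exploration of the states reachable from init."""
    seen, todo = {init}, deque([init])
    while todo:
        for nxt in step(todo.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def relate(orig_state):
    """Timer part of the correspondence assumed here: an expired or queued timeout maps to
    on(0), an active timer to the delay left, off to off; the queue holds only timeouts."""
    loc, theta, q, now = orig_state
    if "t" in q or (theta != OFF and theta[1] <= now):
        return (loc, on(0), ())
    return (loc, OFF if theta == OFF else on(theta[1] - now), ())

def compare(bound):
    """Sizes of both reachable sets (original explored up to now <= bound) and whether every
    original state has its related transformed state among the transformed reachable ones."""
    orig = reachable(("l0", OFF, (), 0), lambda s: [n for n in original_steps(s) if n[3] <= bound])
    trans = reachable(("l0", OFF, ()), lambda s: transformed_steps(s, transform(EDGES)))
    return len(orig), len(trans), {relate(s) for s in orig} <= trans
```

Raising the bound on $now$ keeps adding original states, whereas the transformed process has exactly four reachable states ($l_0$ with $t = off$, and $l_1$ with $t$ at $on(2)$, $on(1)$ and $on(0)$), and every original state is related to one of them.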
3.4 Model Equivalence 
The goal of the transformation described in Section 3.3 is to overcome the state
explosion caused by the traditional interpretation of timers and time in SDL.
In this section, we show that the results of the verification of the trans-
formed system are transferable to the original one. Namely, we show that there
is a branching simulation relation (see Def. 2.19) relating the original system
to its transformation. The branching simulation relation guarantees that the
transformed system contains at least the behaviour of the original system. We
also show that there is a weak trace inclusion relation (see Def. 2.17) relating
the transformed system to the original one. We also show that the origi-
nal system and the transformed one are path equivalent up to stuttering (see
Def. 2.28).
The transformed system does not give a straightforward reflection of the
original system behaviour. While actions that are not related to timers are left
unchanged, sendings of timeout signals are projected out, and consumptions
of timeout signals from the process queue are mimicked by the corresponding
TIMEOUT steps, whose enabling conditions are guaranteed to be true in this case.
Such a projection is not harmful from the verification point of view, because it is
not the presence or absence of a timeout signal but its consumption and
the choice of the following actions that matter. The same holds for process
queues: by saying that the content of some queue in the transformed system is
the same as the content of the corresponding queue in the original system, we
mean that the projections of the queues on $Sig$ coincide (note that $Sig$ contains
only nontimeout signals). The main requirement imposed on configurations
is that the valuations of variables should be equal. Since the sets of process
variables are disjoint, we may use $[x]_\gamma$ to denote the value of variable $x$ in
configuration $\gamma$. Further, we define a relation $\sim$ on configurations.
Definition 3.11. [RELATION $\approx$]
We write $\gamma \approx \gamma'$ iff $[x]_\gamma = [x]_{\gamma'}$ for all process variables $x$.
Since a configuration is defined as a parallel composition of one or more local states of processes and channels, the definition of $\approx$ carries over to local states analogously.
The transformation ought to preserve the timing aspects of the behaviour of the original system. In order to guarantee this, the timers of the original system should be related to the timer variables of the transformed one in such a way that whenever a timeout is possible in the original system, it is also enabled in the transformed one. This means that if a timer expires in the original system, the timer variable representing that timer should carry the value zero. Further, we define a relation $\approx^*$ that relates the timing and input/output aspects of system configurations. The relation connects a configuration of the original system with a configuration of the transformed one such that:
- the process variables have the same values;
- both systems have the same input possibilities wrt. non-timeout signals;
- timeouts enabled in the original system are also enabled in the transformed one;
- the transformed system can perform the same communication steps as the original one, i.e., the queues representing channels of the transformed system have the same contents as the corresponding queues of the original system.
Definition 3.12. [RELATION $\approx^*$ ON STATES]
Let $Spec_P$ be a process specification and $Spec_{P'}$ be the process specification obtained from $Spec_P$ by applying the rules from Table 4. Let $P$ and $P'$ be processes derived from $Spec_P$ and $Spec_{P'}$ by applying the rules of Table 1 and Table 5, respectively. Let $\sigma = (l, \phi, \theta, q)$ and $\sigma' = (l, \eta, q')$ be states of $P$ and $P'$, respectively. Let $now$ be the system time related to process $P$. We write $(\sigma, now) \approx^* \sigma'$ iff the following conditions are satisfied:
1. $\sigma \approx \sigma'$;
2. $q' = \pi_T(q)$, where $\pi_T(q)$ is obtained from $q$ by projecting out the timeout signals from $T$;
3.4 Model Equivalence 51 
3. for all $t \in TVar$, $t \in Timer$: if $[t]_\theta = on(v)$ and $[t]_\eta = on(w)$, then $w + now = \max\{now, v\}$;
4. for all $t \in TVar$, $t \in Timer$: if $[t]_\theta = off$ and the timeout signal $t$ is not in $q$, then $[t]_\eta = off$;
5. for all $t \in TVar$, $t \in Timer$: if $[t]_\theta = off$ and the timeout signal $t$ is in $q$, then $[t]_\eta = on(0)$.
Let $now$ be the system time related to channel $c$. For channel states $(c, q)$ and $(c, q')$, we write $((c, q), now) \approx^* (c, q')$ iff $q = q'$.
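The following is an added, executable reading of Def. 3.12 (example code, not part of the thesis): it checks the five conditions of $\approx^*$ between a state of $P$ and a state of $P'$, and includes a tick step of $P'$ (timer variables counting down) to show that condition 3 survives the advance of $now$ and that a timer variable reaches zero exactly when the timer of $P$ may expire. The state encoding, the timer representation and all names and values are assumptions made for the example.

```python
# Added example (not from the thesis): an executable reading of Def. 3.12.
# A timer value is "off" or ("on", v); a timeout signal in a queue is
# represented by the name of its timer; queues are tuples, head first.
# All names and values below are constructed for illustration.
from dataclasses import dataclass

OFF = "off"


@dataclass
class OrigState:
    """State (l, phi, theta, q) of the original process P."""
    loc: str
    phi: dict     # valuation of process variables
    theta: dict   # valuation of the timers t in Timer
    q: tuple      # input queue, may contain timeout signals


@dataclass
class TransState:
    """State (l, eta, q') of the transformed process P'."""
    loc: str
    eta: dict     # valuation of process variables and timer variables TVar
    q: tuple      # input queue; never contains timeout signals


def project_timeouts(q, timers):
    """pi_T(q): the queue q with the timeout signals of T projected out."""
    return tuple(s for s in q if s not in timers)


def related(sigma, now, sigma2, timers):
    """Decide (sigma, now) ≈* sigma2 according to Def. 3.12.

    Returns (True, "ok") or (False, <first violated condition>).
    """
    if sigma.loc != sigma2.loc:      # both states are written with the same l
        return False, "location"
    # Condition 1 (Def. 3.11): all process variables have the same values.
    for x, v in sigma.phi.items():
        if sigma2.eta.get(x) != v:
            return False, f"condition 1 ({x})"
    # Condition 2: q' is q without its timeout signals.
    if sigma2.q != project_timeouts(sigma.q, timers):
        return False, "condition 2"
    for t in timers:
        tv, tv2 = sigma.theta[t], sigma2.eta[t]
        if tv != OFF:
            # Condition 3 constrains the case where both sides are active:
            # on(v) in P and on(w) in P' require w + now = max{now, v}.
            if tv2 != OFF and tv2[1] + now != max(now, tv[1]):
                return False, f"condition 3 ({t})"
        elif t not in sigma.q:
            # Condition 4: timer off, no timeout signal queued -> variable off.
            if tv2 != OFF:
                return False, f"condition 4 ({t})"
        elif tv2 != ("on", 0):
            # Condition 5: timer off, timeout signal queued -> variable on(0).
            return False, f"condition 5 ({t})"
    return True, "ok"


def tick(sigma2, timers):
    """Tick step of P': decrease every active timer variable by one.

    A tick is only taken in a blocked configuration, so no timer variable
    may be zero (a zero would enable a TIMEOUT step instead).
    """
    eta = dict(sigma2.eta)
    for t in timers:
        if eta[t] != OFF:
            if eta[t][1] == 0:
                raise ValueError(f"timeout of {t} is enabled; not blocked")
            eta[t] = ("on", eta[t][1] - 1)
    return TransState(sigma2.loc, eta, sigma2.q)


def expire(sigma, t):
    """EXPIRATION step of P: timer t goes off and timeout signal t is queued."""
    return OrigState(sigma.loc, sigma.phi, {**sigma.theta, t: OFF},
                     sigma.q + (t,))


if __name__ == "__main__":
    timers = {"t"}
    now = 5
    # constructed: SET(NOW + 2, t) taken at now = 5, so the timer expires at 7
    s = OrigState("l1", {"x": 3}, {"t": ("on", 7)}, ("a",))
    s2 = TransState("l1", {"x": 3, "t": ("on", 2)}, ("a",))   # set t := 2
    while True:
        print(now, s2.eta["t"], related(s, now, s2, timers))
        if s2.eta["t"] == ("on", 0):
            break
        s2, now = tick(s2, timers), now + 1
    # at now = 7 the timer of P may expire; the variable of P' is already zero
    print(now, related(expire(s, "t"), now, s2, timers))
```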
Now consider a specification $Spec$ that consists of $n$ components (channels and processes) and the specification $Spec'$ obtained from $Spec$ by applying the transformation rules of Table 4. It is straightforward that the specification $Spec'$ specifies $n$ components as well. Let $S$ be the LTS derived from $Spec$ by applying the rules from Tables 1, 2, 3, and $S'$ be the LTS derived from $Spec'$ by applying the rules from Tables 5, 6. Suppose $\gamma = (\sigma_1, \ldots, \sigma_i, \ldots, \sigma_n)$ is a configuration of $S$ consisting of $n$ entities (processes and channels), and let $\gamma' = (\sigma'_1, \ldots, \sigma'_i, \ldots, \sigma'_n)$ be a configuration of $S'$. Moreover, $\sigma_i$ denotes a state of $P_i$ and $\sigma'_i$ a state of $P'_i$.
Definition 3.13. [RELATION $\approx^*$ ON CONFIGURATIONS]
We write $(\gamma, now) \approx^* \gamma'$ for a configuration $\gamma$ of LTS $S$, the system time $now$ related to $S$ and a configuration $\gamma'$ of $S'$ iff $(\sigma_i, now) \approx^* \sigma'_i$ for all $i \in \{1, \ldots, n\}$.
Lemma 3.2.
Let $\gamma$ and $\gamma'$ be configurations of $S$ and $S'$ respectively, $(\gamma, now) \approx^* \gamma'$ and $e$ be a non-timed expression. Then $[e]_\gamma = v$ iff $[e]_{\gamma'} = v$.
Proof. The process variables have the same values both in $\gamma$ and $\gamma'$ by Def. 3.11, and hence the non-timed expression $e$ has the same value $v$ both in $\gamma$ and in $\gamma'$. $\square$
Lemma 3.3.
Let $\gamma$ and $\gamma'$ be configurations of $S$ and $S'$ respectively, $now$ be the system time of $S$ and $(\gamma, now) \approx^* \gamma'$. Then $blocked(\gamma)$ iff $blocked(\gamma')$.
Proof.
$blocked(\gamma) \Rightarrow blocked(\gamma')$
If $S$ is blocked in configuration $\gamma$, then (i) all queues (modelling both channels and input ports) are empty, as otherwise communication or input steps might take place (rules DISCARD, INPUT, TDISCARD, TINPUT and RECEIVE of Table 1 and rules OUT and IN of Table 2); (ii) the guards of guarded steps are false, as otherwise a guarded step would be possible (rules NONEINPUT, OUTPUT, ASSIGN, SET, RESET of Table 1); (iii) there are no active timers ready to expire in $S$, as otherwise an expiration step would be enabled (rule EXPIRATION of Table 1).
According to Def. 3.12, the queues in $\gamma'$ are the projections of the corresponding queues in $\gamma$ with the timeout signals removed. Since all queues in $\gamma$ are empty, the queues in $\gamma'$ are empty as well and no input or communication step is possible in $S'$.
There is no timer in $\gamma$ that satisfies condition 5 of Def. 3.12, and so there is no timer variable in $\gamma'$ having the value zero, as otherwise $(\gamma, now)$ and $\gamma'$ would not be related by $\approx^*$. Therefore, no timeout step is possible in $S'$.
According to Lemma 3.2, untimed guards that are false in $\gamma$ are also false in $\gamma'$. Since all guards in $S$ evaluate to false, there is no guarded step enabled in the configuration $\gamma'$ of $S'$.
Communication, input, discard, timeout and guarded steps are disabled in $\gamma'$, so the only steps that may happen are inputs from the environment and time progression. Therefore, $blocked(\gamma')$ is true.
$blocked(\gamma') \Rightarrow blocked(\gamma)$
If the transformed system is blocked, then (i) all queues of $S'$ are empty, as otherwise an internal communication step or an input would be enabled (rules DISCARD, INPUT, RECEIVE of Table 5 and rules OUT and IN of Table 2); (ii) none of the timer variables of $S'$ has the value zero, as otherwise a timeout or a discard of a timeout would be enabled (rules TIMEOUT and TDISCARD of Table 5); (iii) none of the non-timeout conditions imposed on guarded steps in $S'$ evaluates to true, as otherwise one of the guarded steps would be enabled (rules OUTPUT, ASSIGN, SET, RESET of Table 5).
Since all queues in $\gamma'$ are empty and none of the timer variables has the value zero, all queues are also empty in $\gamma$, according to conditions 2 and 5 of Def. 3.12. All non-timeout guards that are false in $\gamma'$ are also false in $\gamma$ by Lemma 3.2. So all guarded steps of $\gamma$ are disabled.
Since all queues are empty and none of the guarded steps is enabled in $\gamma$, the only steps that may happen are inputs from the environment and time progression, i.e., $blocked(\gamma)$ is true. $\square$
To show that the transformed system exhibits at least the behaviour of the original one, we demonstrate that the relation $\approx^*$ on their configurations is a branching simulation relation (Def. 2.19). To prove that $\approx^*$ is a branching simulation relation on the configurations of $S$ and $S'$, we first check this relation on the rules of Table 1 and Table 5 for a process $P$ of the system $S$ and its counterpart $P'$ in the system $S'$. Then, we proceed similarly by case analysis on the rules of Table 2. Finally, we check the relation on the rules for $n$-ary parallel composition of Table 3.
Lemma 3.4.
Let $Spec_P$ be a process specification and $Spec_{P'}$ be the process specification obtained from $Spec_P$ by applying the rules from Table 4. Let $P$ and $P'$ be processes derived from $Spec_P$ and $Spec_{P'}$ by applying the rules of Table 1 and Table 5, respectively. Then there exists a relation $R \subseteq (\Sigma \times Time) \times \Sigma'$ such that $(\sigma, now) R \sigma'$ implies $(\sigma, now) \approx^* \sigma'$ and $R$ is a branching simulation.
Proof. Let $\sigma_0$ be the initial configuration of the process $P$, $\sigma'_0$ be the initial configuration of the process $P'$ and $now$ be the system time of $P$. The transformation rules defined in Table 4 do not change the initial locations of system entities. Application of the transformation rules does not modify the default valuation of process variables. Initially, the timers are deactivated and the input queue is empty in $P$; thus the queue is empty and the timer variables are off for $P'$. The condition of Def. 3.11 and the conditions of Def. 3.12 are satisfied and $(\sigma_0, now) \approx^* \sigma'_0$ holds for the initial states.
Now assume that $(\sigma, now) \approx^* \sigma'$ holds for some $\sigma$, $\sigma'$ and $now$. To show that $P \leq_{br} P'$ we proceed with a case analysis on the rules of Table 1.
Case: INPUT
Let the transition $(l, \phi, \theta, s(pid, v) :: q) \xrightarrow{\tau} (\hat{l}, \phi[x \mapsto v], \theta, q)$ be enabled in $P$. Let $((l, \phi, \theta, s(pid, v) :: q), now) \approx^* \sigma'$. According to rule INPUT of Table 1, there exists an edge $l \xrightarrow{?s(x)} \hat{l} \in Edg$. By the transformation rules of Table 4, there is an edge $l \xrightarrow{?s(x)} \hat{l} \in Edg'$.
Since $(\sigma, now) \approx^* \sigma'$, the input queue of $P'$ is the projection of $s(pid, v) :: q$ with the timeout signals removed, $s(pid, v)$ is the head element of the queue and the transition $(l, \eta, s(pid, v) :: q') \xrightarrow{\tau} (\hat{l}, \eta[x \mapsto v], q')$ is enabled in $P'$ (rule INPUT of Table 5). The input of $P$ can be mimicked by the input of $P'$. The valuation of variable $x$ is changed to $v$ in both systems. Timers, timer variables and the system time are not influenced in this case. $q'$ is the projection of $q$ on $Sig$. So the conditions of Def. 3.12 are satisfied and $((\hat{l}, \phi[x \mapsto v], \theta, q), now) \approx^* (\hat{l}, \eta[x \mapsto v], q')$ holds. Input steps are labelled by $\tau$ in both systems, so condition 1 of Def. 2.19 is satisfied.
Case: DISCARD
Let the transition $(l, \phi, \theta, s(pid, v) :: q) \xrightarrow{\tau} (l, \phi, \theta, q)$ be enabled in $P$. We also assume that $((l, \phi, \theta, s(pid, v) :: q), now) \approx^* \sigma'$.
Rule DISCARD of Table 1 shows that signal $s$ is not expected by process $P$ in location $l$. According to the transformation rules of Table 4, $l \xrightarrow{?s(x)} \hat{l} \notin Edg'$. So the discard in $P$ can be mimicked by a discard in $P'$ (rule DISCARD of Table 5). Further, this case is analogous to the case INPUT and $(\sigma, now) \approx^* \sigma'$ holds for the resulting states. Moreover, condition 1 of Def. 2.19 is satisfied.
Case: RECEIVE
A receiving step $(l, \phi, \theta, q) \xrightarrow{c_i?s(pid, v)} (l, \phi, \theta, q :: s(pid, v))$ of $P$ (rule RECEIVE of Table 1) can always be mimicked by the receiving step $(l, \eta, q') \xrightarrow{c_i?s(pid, v)} (l, \eta, q' :: s(pid, v))$ of $P'$ (rule RECEIVE of Table 5). Both the step of the original system and the mimicking step of the transformed system add $s(pid, v)$ to the input queue. So $q' :: s(pid, v)$ is the projection of $q :: s(pid, v)$ with the timeout signals removed. Nothing else is changed by the steps. Therefore, $((l, \phi, \theta, q :: s(pid, v)), now) \approx^* (l, \eta, q' :: s(pid, v))$ holds for the resulting states. Both steps are labelled by $c_i?s(pid, v)$, so condition 1 of Def. 2.19 holds.
Case: OUTPUT
Let $((l, \phi, \theta, q), now) \approx^* (l, \eta, q')$. Let $(l, \phi, \theta, q) \xrightarrow{c_o!s(pid, v)} (\hat{l}, \phi, \theta, q)$ be a step of $P$. By rule OUTPUT of Table 1, we get $l \xrightarrow{g \triangleright c!(s, e)} \hat{l} \in Edg$. According to the transformation rules of Table 4, $l \xrightarrow{g \triangleright c!(s, e)} \hat{l} \in Edg'$.
The guard $g$, which evaluates to true in $\sigma$, also evaluates to true in $\sigma'$ by Lemma 3.2. According to rule OUTPUT of Table 5, this edge is mapped to the step $(l, \eta, q') \xrightarrow{c_o!s(pid, v)} (\hat{l}, \eta, q')$ of $P'$. Both the step of the original system and the mimicking step of the transformed one change only the location of the process. Therefore, $((\hat{l}, \phi, \theta, q), now) \approx^* (\hat{l}, \eta, q')$ for the resulting states. Moreover, both steps are labelled by $c_o!s(pid, v)$, so condition 1 of Def. 2.19 is satisfied.
Case: ASSIGN
Let $(l, \phi, \theta, q) \xrightarrow{\tau} (\hat{l}, \phi[x \mapsto v], \theta, q)$ in $P$ and $((l, \phi, \theta, q), now) \approx^* (l, \eta, q')$. By rule ASSIGN, $l \xrightarrow{g \triangleright x := e} \hat{l} \in Edg$. If this edge is present in $Spec_P$, then it is also available in $Spec_{P'}$ by the transformation rules of Table 4.
The guard $g$, which evaluates to true in $\sigma$, also evaluates to true in $\sigma'$ by Lemma 3.2. An expression $e$ having the value $v$ in $\sigma$ has the same value in $\sigma'$. So the assignment is mapped to the step $(l, \eta, q') \xrightarrow{\tau} (\hat{l}, \eta[x \mapsto v], q')$ of $P'$ (rule ASSIGN of Table 5).
The value of the variable $x$ is changed to $v$ both in the original system and in the transformed one. Neither timers, nor queues, nor the system time are influenced by these steps. Therefore, $((\hat{l}, \phi[x \mapsto v], \theta, q), now) \approx^* (\hat{l}, \eta[x \mapsto v], q')$ holds for the resulting states. Both steps are labelled by $\tau$, so condition 1 of Def. 2.19 is satisfied.
Case: SET
Let $(l, \phi, \theta, q) \xrightarrow{\tau} (\hat{l}, \phi, \theta[t \mapsto on(v)], \pi_t(q))$ in $P$ and $((l, \phi, \theta, q), now) \approx^* (l, \eta, q')$. By rule SET of Table 1, we get $l \xrightarrow{g \triangleright SET(exp, t)} \hat{l} \in Edg$, where $exp$ is an expression of the form $(NOW + e)$.
According to the rules SET TO SET1 and SET TO SET2 of Table 4, there are two edges in $Spec_{P'}$ corresponding to this edge:
(i) $l \xrightarrow{[g \wedge (e \geq 0)] \triangleright set\ t := e} \hat{l} \in Edg'$ and
(ii) $l \xrightarrow{[g \wedge (e < 0)] \triangleright set\ t := 0} \hat{l} \in Edg'$.
The guard $g$, which evaluates to true in $\sigma$, also evaluates to true in $\sigma'$ by Lemma 3.2. The expression $e$ has the same value $w$ both in $\sigma$ and in $\sigma'$. If $w \geq 0$ then the step $(l, \eta, q') \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto on(w)], q')$ is enabled in $P'$. Otherwise, the step $(l, \eta, q') \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto on(0)], q')$ is enabled in $P'$ (rule SET of Table 5). In both cases, condition 3 of Def. 3.12 is satisfied for timer $t$ of $P$ and timer variable $t$ of $P'$. Moreover, $q'$ is the projection of $\pi_t(q)$ with the timeout signals removed, so condition 2 of Def. 3.12 holds. So $((\hat{l}, \phi, \theta[t \mapsto on(v)], \pi_t(q)), now) \approx^* (\hat{l}, \eta[t \mapsto on(w)], q')$ and $((\hat{l}, \phi, \theta[t \mapsto on(v)], \pi_t(q)), now) \approx^* (\hat{l}, \eta[t \mapsto on(0)], q')$ hold, respectively. In both cases the step of the original system and the mimicking step are labelled by $\tau$. Hence, condition 1 of Def. 2.19 is satisfied.
Case: RESET
Assume $((l, \phi, \theta, q), now) \approx^* \sigma'$ and $(l, \phi, \theta, q) \xrightarrow{\tau} (\hat{l}, \phi, \theta[t \mapsto off], \pi_t(q))$ of $P$. By rule RESET of Table 1, $l \xrightarrow{g \triangleright RESET(t)} \hat{l} \in Edg$. According to the rule RESET TO RESET, $l \xrightarrow{g \triangleright reset\ t} \hat{l} \in Edg'$.
The guard $g$, which evaluates to true in $\sigma$, also evaluates to true in $\sigma'$ by Lemma 3.2. So the reset edge is mapped to the step $(l, \eta, q') \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto off], q')$ that resets timer $t$ in $P'$ (rule RESET of Table 5), and the resetting step of $P$ can be mimicked by the resetting step of $P'$.
Both the step of the original system and the mimicking step of the transformed one change the value of the timer $t$ (the timer variable $t$, respectively) to $off$, i.e., condition 4 of Def. 3.12 is satisfied. Moreover, $q'$ is the projection of $\pi_t(q)$ with the timeout signals removed, which means that condition 2 of Def. 3.12 holds. So $((\hat{l}, \phi, \theta[t \mapsto off], \pi_t(q)), now) \approx^* (\hat{l}, \eta[t \mapsto off], q')$. Both steps are labelled by $\tau$, hence condition 1 of Def. 2.19 is satisfied.
Case: EXPIRATION
Let $(l, \phi, \theta, q) \xrightarrow{\tau} (l, \phi, \theta[t \mapsto off], q :: t)$ in $P$ and $((l, \phi, \theta, q), now) \approx^* \sigma'$. By rule EXPIRATION of Table 1, this step may take place only if $now = v$ and $[t]_\sigma = on(v)$. Since we also have $(\sigma, now) \approx^* \sigma'$, $((l, \phi, \theta[t \mapsto off], q :: t), now) \approx^* \sigma'$ holds (see conditions 3 and 5 of Def. 3.12). Expiration is a $\tau$-step, so we have case 2 of Def. 2.19.
Case: TINPUT
Let $(l, \phi, \theta, t :: q) \xrightarrow{\tau} (\hat{l}, \phi, \theta, q)$ in $P$ and $((l, \phi, \theta, t :: q), now) \approx^* (l, \eta, q')$. By rule TINPUT of Table 1, $l \xrightarrow{?t} \hat{l} \in Edg$. According to the transformation rule TINPUT TO TIMEOUT of Table 4, $l \xrightarrow{g_t \triangleright reset\ t} \hat{l} \in Edg'$.
Since $(\sigma, now) \approx^* \sigma'$, the timer variable $t$ has the value zero in $\sigma'$ by condition 5 of Def. 3.12. So $(l, \eta, q') \xrightarrow{\tau} (\hat{l}, \eta[t \mapsto off], q')$ is enabled in $P'$ and inputting the timeout signal in $P$ can be mimicked by the timeout in $P'$.
Both the step of the original system and the mimicking step of the transformed one set the timer $t$ (the timer variable $t$, respectively) to $off$, so condition 4 of Def. 3.12 is satisfied. The input queue $q'$ is the projection of $q$ with the timeout signals removed, hence condition 2 of Def. 3.12 holds. Therefore, $((\hat{l}, \phi, \theta, q), now) \approx^* (\hat{l}, \eta[t \mapsto off], q')$. The input step and the timeout step are labelled by $\tau$, thus condition 1 of Def. 2.19 is satisfied.
Case: TDISCARD
Let $(l, \phi, \theta, t :: q) \xrightarrow{\tau} (l, \phi, \theta, q)$ in $P$, $l \in Loc$ and $((l, \phi, \theta, t :: q), now) \approx^* (l, \eta, q')$. By rule TDISCARD of Table 1, the timeout signal $t$ is not expected in location $l$ of the process $P$.
Since $(\sigma, now) \approx^* \sigma'$, the timer variable $t$ has the value zero in $\sigma'$ by condition 5 of Def. 3.12. By TDISCARD of Table 5, $(l, \eta, q') \xrightarrow{\tau} (l, \eta[t \mapsto off], q')$ is enabled in $P'$ and discarding the timeout signal in $P$ can be mimicked by the timeout discard in $P'$. Further, this case coincides with the TINPUT case above. Therefore, $((l, \phi, \theta, q), now) \approx^* (l, \eta[t \mapsto off], q')$. The discard step and the timeout discard step are labelled by $\tau$, so condition 1 of Def. 2.19 is satisfied.
We have shown that there exists a relation $R \subseteq \approx^*$ on the states of $P$ and $P'$ and that this relation is a branching simulation. $\square$
Checking the rules of Table 1, we have demonstrated that there is an $R \subseteq \approx^*$ that is a branching simulation relation on the states of $P$ and $P'$. Using the rules of $n$-ary parallel composition (Table 3), we show the same for $S$ and $S'$.
Theorem 3.1. [BRANCHING SIMULATION]
Let $Spec$ be a specification and $Spec'$ be the result of the transformation of $Spec$ wrt. the rules of Table 4. Let $S$ be the LTS derived from $Spec$ by applying the rules of Tables 1, 2, 3 to $Spec$, and $S'$ be the LTS obtained from $Spec'$ by applying the rules of Tables 5, 2, 6. Then there exists a relation $R \subseteq (\Gamma \times Time) \times \Gamma'$ such that $(\gamma, now) R \gamma'$ implies $(\gamma, now) \approx^* \gamma'$ and $R$ is a branching simulation.
Proof. By Lemma 3.4, for all $i \in \{1, \ldots, n\}$ there exists $\approx^*_i \subseteq (\Sigma_i \times Time) \times \Sigma'_i$ such that $(\sigma_{i0}, now) \approx^*_i \sigma'_{i0}$, where $\sigma_{i0}$ and $\sigma'_{i0}$ are the initial states of $P_i$ and $P'_i$, respectively. Let $S$ be the LTS built by applying the $n$-ary parallel composition (Table 3) to $P_1, \ldots, P_n$. Let $S'$ be the LTS built by applying the $n$-ary parallel composition (Table 6) to $P'_1, \ldots, P'_n$. Now, given $\approx^*_i$ for all $i \in \{1, \ldots, n\}$, the relation $\approx^* \subseteq (\Sigma_1 \times \ldots \times \Sigma_n \times Time) \times (\Sigma'_1 \times \ldots \times \Sigma'_n)$ is defined by Def. 3.13. It remains to be shown that $\approx^*$ is a branching simulation relation. First, we show that a channel process of the transformed system can simulate a channel process of the original one. Then, we check the relation on the rules for parallel composition (Table 3).
Case: IN, OUT
The transformation does not change the semantics of channels except for adding the TICK$_c$ rule. Suppose that $c_i!s(pid, v)$ is enabled in state $\sigma = (c, s(pid, v) :: q)$ of channel process $P_c$, and moreover, $(\sigma, now) \approx^* \sigma'$, where $\sigma'$ is the state of the channel process $P'_c$ of the transformed system. According to Def. 3.12, the queue modelling channel $c$ in system $S'$ has the same content. Moreover, $\sigma' = (c, s(pid, v) :: q)$. So the $c_i!s(pid, v)$-step of $P_c$ can be mimicked by the $c_i!s(pid, v)$-step of $P'_c$. In both cases, message $(s, v)$ is removed from the queue modelling the channel, so $(\hat{\sigma}, now) \approx^* \hat{\sigma}'$ and condition 1 of Def. 2.19 is satisfied. The OUT case is analogous to the IN case.
Case: TICK
In this case, we have $(\sigma_1, \ldots, \sigma_n, now) \xrightarrow{tick} (\sigma_1, \ldots, \sigma_n, now + 1)$. By rule TICK of Table 3, we obtain $blocked(\sigma_1, \ldots, \sigma_n)$. According to Lemma 3.3, $blocked(\sigma'_1, \ldots, \sigma'_n)$ is true as well. So the tick-step of the original system can be mimicked by some tick-step of the transformed system (see rule TICK$_p$ of Table 5, rules TICK$_c$ and TICK of Table 6).
In $S$, the tick-step increases the system time $now$; the mimicking step of $S'$ decreases all active timer variables. Suppose that timer $t$ evaluates to $on(v)$ in $S$. Note that $v > now$, as otherwise timer $t$ could expire and $S$ would not be blocked. According to Def. 3.12, timer variable $t$ then evaluates to $on(w)$, where $now + w = \max(now, v)$ and $w > 0$. After the tick-steps, condition 3 of Def. 3.12 still holds because $(w - 1) + (now + 1) = \max(now, v)$. Therefore, $(\gamma, now + 1) \approx^* \hat{\gamma}'$, where $\hat{\gamma}'$ is $\gamma'$ with all active timer variables decreased by 1, is valid and condition 1 of Def. 2.19 is satisfied.
Case: COMM
Assume that $(\ldots, \sigma_i, \ldots, \sigma_j, \ldots) \xrightarrow{\tau} (\ldots, \hat{\sigma}_i, \ldots, \hat{\sigma}_j, \ldots)$. By rule COMM of Table 3 we get $\sigma_i \xrightarrow{\alpha_i} \hat{\sigma}_i$, $\sigma_j \xrightarrow{\alpha_j} \hat{\sigma}_j$, $i \neq j$ and $comm(\alpha_i, \alpha_j)$ is true. By Lemma 3.4, $\sigma_i \xrightarrow{\alpha_i} \hat{\sigma}_i$ and $\sigma_j \xrightarrow{\alpha_j} \hat{\sigma}_j$ can be mimicked by steps with the same labels in $P'_i$ and $P'_j$. So we have $\sigma'_i \xrightarrow{\alpha_i} \hat{\sigma}'_i$, $\sigma'_j \xrightarrow{\alpha_j} \hat{\sigma}'_j$, $i \neq j$ and $comm(\alpha_i, \alpha_j)$ is true. By rule COMM, which is valid both for the original systems and for the transformed ones, we obtain the following $\tau$-step: $(\ldots, \sigma'_i, \ldots, \sigma'_j, \ldots) \xrightarrow{\tau} (\ldots, \hat{\sigma}'_i, \ldots, \hat{\sigma}'_j, \ldots)$. So the communication of $P_i$ with $P_j$ can be mimicked by the communication of $P'_i$ with $P'_j$.
By Lemma 3.4, $(\hat{\sigma}_i, now) \approx^*_i \hat{\sigma}'_i$ and $(\hat{\sigma}_j, now) \approx^*_j \hat{\sigma}'_j$. So we obtain $((\ldots, \hat{\sigma}_i, \ldots, \hat{\sigma}_j, \ldots), now) \approx^* (\ldots, \hat{\sigma}'_i, \ldots, \hat{\sigma}'_j, \ldots)$. Moreover, condition 1 of Def. 2.19 is satisfied.
Case: INTERLEAVE$_{in}$
Here we have $(\ldots, \sigma_i, \ldots) \xrightarrow{c_o?s(pid, v)} (\ldots, \hat{\sigma}_i, \ldots)$. By rule INTERLEAVE$_{in}$ of Table 3, $\sigma_i \xrightarrow{c_o?s(pid, v)} \hat{\sigma}_i$ and $s \in Sig_{ext}$. According to the case IN, OUT above, the $c_o?s(pid, v)$-step of $P_i$ can be mimicked by a $c_o?s(pid, v)$-step of $P'_i$. So we have $\sigma'_i \xrightarrow{c_o?s(pid, v)} \hat{\sigma}'_i$ and $s \in Sig_{ext}$. Using rule INTERLEAVE$_{in}$ of Table 3, we get $(\ldots, \sigma'_i, \ldots) \xrightarrow{c_o?s(pid, v)} (\ldots, \hat{\sigma}'_i, \ldots)$. According to the case IN, OUT above, $(\hat{\sigma}_i, now) \approx^*_i \hat{\sigma}'_i$, so $((\ldots, \hat{\sigma}_i, \ldots), now) \approx^* (\ldots, \hat{\sigma}'_i, \ldots)$ and condition 1 of Def. 2.19 is satisfied.
Case: INTERLEAVE$_{out}$
This case is analogous to the INTERLEAVE$_{in}$ case.
Case: INTERLEAVE$_\tau$
Assume we have $(\ldots, \sigma_i, \ldots) \xrightarrow{\tau} (\ldots, \hat{\sigma}_i, \ldots)$ in $S$. By rule INTERLEAVE$_\tau$ of Table 3, $\sigma_i \xrightarrow{\tau} \hat{\sigma}_i$ for some $P_i$ in $S$. If the $\tau$-step corresponds to one of the cases (DISCARD, INPUT, NONEINPUT, ASSIGN, EXPIRATION, SET, RESET) considered in Lemma 3.4, it can also be mimicked by a $\tau$-step of $P'_i$. So we may conclude that there is a mimicking step $(\ldots, \sigma'_i, \ldots) \xrightarrow{\tau} (\ldots, \hat{\sigma}'_i, \ldots)$ in $S'$ and that $((\ldots, \hat{\sigma}_i, \ldots), now) \approx^* (\ldots, \hat{\sigma}'_i, \ldots)$. Moreover, condition 1 of Def. 2.19 is satisfied.
We have shown that $(\gamma_0, 0) \approx^* \gamma'_0$ holds for the initial configurations of $S$ and $S'$. Assuming that the relation holds for some $(\gamma, now) \approx^* \gamma'$, we have also demonstrated that every step that is possible in $S$ can be mimicked by a step of $S'$ such that the conditions of Def. 2.19 are satisfied, so $S \leq_{br} S'$. $\square$
Ideally, we would like $(\approx^*)^{-1}$ to be a branching simulation relation as well, and thereby establish a branching bisimulation between $S$ and $S'$. However, this is not the case: an attempt to establish a simulation in the reverse direction fails when considering the TIMEOUT case in the transformed system. In principle, TIMEOUT should be mimicked by taking EXPIRATION and TINPUT. But the EXPIRATION step in the original system cannot be taken earlier than the decision about TIMEOUT in the transformed system. On the other hand, when TIMEOUT is taken, it could already be too late to take the EXPIRATION step, since the process queue of the original system can be non-empty, which would mean that the timeout signal could not be immediately consumed from the process queue. However, $S' \sqsubseteq_{wtr} S$ holds (Def. 2.17).
Below we also show that the original system and the transformed system are path equivalent up to stuttering (Def. 2.28). To link the "equivalent" traces of the original and transformed systems, we introduce a relation requiring that each step of a trace $\chi$ of the transformed system can be mimicked either by the same step of a trace $\zeta$ of the original system or by the same step of $\zeta$ preceded by one or more expiration steps, which do not change the valuation of process variables.
Definition 3.14.
Let $\zeta$ and $\chi$ be traces of $S$ and $S'$ respectively. We write $\zeta \equiv_U \chi$ iff there exists a relation $U \subseteq \mathbb{N} \times \mathbb{N}$ such that:
1. $(i, j) \in U$ implies $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$;
2. $\zeta$ and $\chi$ can be partitioned as $\zeta^{I_1} \zeta^{I_2} \ldots$ and $\chi^{J_1} \chi^{J_2} \ldots$, respectively, so that for all $k > 0$, $I_k = \{m, \ldots, m + n\}$, $J_k = \{j, j + 1\}$ and the following conditions are satisfied:
(a) $(m, j)$ and $(m + n, j + 1)$ are in $U$, and $\zeta_\lambda(m + n) = \chi_\lambda(j + 1)$;
(b) for all $m < i < m + n$: $(i, j) \in U$ and $\zeta_\lambda(i) = \tau$.
We write $S' \sqsubseteq_U S$ iff for every trace $\chi$ of $S'$ there exists a trace $\zeta$ in $S$ such that $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$.
Lemma 3.5.
Let $\zeta$ and $\chi$ be traces of $S$ and $S'$ respectively. Let $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$. Then $\zeta \equiv_{wtr} \chi$.
Proof. Follows directly from Def. 3.14 and Def. 2.16. $\square$
Let $\pi_\zeta$ and $\pi_\chi$ be the paths corresponding to traces $\zeta$ and $\chi$ respectively, i.e., $\pi_\zeta = \zeta_\gamma(0)\zeta_\gamma(1) \ldots$ and $\pi_\chi = \chi_\gamma(0)\chi_\gamma(1) \ldots$
Lemma 3.6.
Let $\zeta$ and $\chi$ be traces of $S$ and $S'$ respectively. Let $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$. Let $\mathcal{L}$, $\mathcal{L}'$ be interpretation functions with the range $2^{\mathcal{P}}$, where $\mathcal{P}$ is the set of atomic propositions mentioning only process variables. Then $\pi_\zeta \equiv_{st} \pi_\chi$.
Proof. The transformation defined by the rules of Table 4 does not influence process variables. So $Spec$ and the $Spec'$ obtained by applying the transformation to $Spec$ have the same set of process variables.
Since $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$, $\mathcal{L}(\zeta_\gamma(i)) = \mathcal{L}'(\chi_\gamma(j))$ for all $(i, j) \in U$ by condition 1 of Def. 3.14 and condition 1 of Def. 3.12. By condition 2 of Def. 3.14, each step of trace $\chi$ of the transformed system is mimicked either by the same step of trace $\zeta$ of the original system or by the same step of $\zeta$ preceded by one or more $\tau$-steps, which do not change the valuation of process variables. Hence, it is straightforward to show that $\mathcal{L}(Pr(\pi_\zeta)(k)) = \mathcal{L}'(Pr(\pi_\chi)(k))$ for all $k \geq 0$ (cf. Def. 2.27). $\square$
[Figure not reproduced: three rows of states indexed 1 to 7, annotated with the timer values $t = 0$, $t = on(now)$ and $t = off$, joined by steps labelled tick, c?a and c?b; dashed lines connect related states.]
Fig. 4. Treatment of timeout
Further, we show that for each trace $\chi$ of $S'$ there is a trace $\zeta$ of $S$ such that $\zeta \equiv_U \chi$. As we already mentioned, we do not take an expiration step in $S$ until we meet a timeout in $S'$, so $S$ cannot mimic each step of $S'$ directly. However, we demonstrate that each time slice (all the steps between two tick-steps) of $S'$ can be mimicked by a time slice of $S$. First, we consider a special treatment for the TIMEOUT case. We take a trace $\chi$ of length $n + 1$ of $S'$ which has a timeout as the $(n + 1)$th step, assume a trace $\zeta$ of $S$ that is equivalent to $\chi^{(n)}$, and show how to transform $\zeta$ into a trace $\rho$ of $S$ such that $\rho \equiv_U \chi$. Since timeout and expiration are local steps, it suffices to consider the special treatment for timeout only for processes $P$ and $P'$ given by process specifications $Spec_P$ and $Spec_{P'}$, respectively.
Fig. 4 illustrates the special treatment of TIMEOUT. There we consider a suffix of some trace $\chi$ of $P'$ starting with a tick-step. The tick-step is followed by the receive steps $c?a$ and $c?b$, a $\tau$-step that inputs signal $a$ from the input queue and a timeout $\tau$-step for timer variable $t$. $\zeta$ is some trace of $P$ that is equivalent to the prefix of $\chi$ up to the timeout step, and the relation is $U = \{(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)\}$ (shown by the dashed lines in Fig. 4).
At the state $\zeta_\gamma(5)$, the input queue of $P$ contains signal $b$ only, so we cannot mimic the timeout step of $\chi$. We transform trace $\zeta$ into trace $\rho$ by inserting an expiration step for timer $t$ before the step receiving signal $b$. By the definition of $U$, timer $t$ may expire at state $\rho_\gamma(3)$, and thus we can mimic the timeout step of $\chi$ at state $\rho_\gamma(6)$. Since timer $t$ may expire at any point of the time slice, the trace $\rho$ obtained as the result of the above transformation is still a valid trace of $P$. The step $\chi_\lambda(4) = c?b$ is mimicked by the steps $\rho_\lambda(4) = \tau$ and $\rho_\lambda(5) = c?b$, and $U$ is modified to $\{(1, 1), (2, 2), (3, 3), (4, 3), (5, 4), (6, 5), (7, 6)\}$.
Lemma 3.7.
Let $\chi$ be a trace of $P'$ of length $n + 1$ and the last step of $\chi$ be a timeout of timer variable $t$. Let $\zeta$ be a trace of $P$ of length $m$ such that $\zeta \equiv_U \chi^{(n)}$. Then $\zeta$ can be transformed into a trace $\rho$ of $P$ such that $\rho \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$.
Proof. The $(n + 1)$th step of $\chi$ is the timeout of timer variable $t$. Since in $P$ we cannot take the expiration of $t$ before the timeout is taken in $P'$, there is no timeout signal $t$ at the head of the queue of $P$ in the state $\zeta_\gamma(m)$ for some $m > 0$. Further, we consider two cases.
Case: The queue of $P$ is empty at $\zeta_\gamma(m)$.
Since $(\zeta_\gamma(m), now) \approx^* \chi_\gamma(n)$, we can take an expiration step for timer $t$ at $\zeta_\gamma(m)$. After the expiration step, the step consuming the timeout signal is enabled in $P$ due to rule TINPUT TO TIMEOUT of Table 4. So we can modify $U$ and $\zeta$ as follows.
1. $\rho$ is $\zeta$ extended by the expiration step and the step inputting timeout signal $t$, i.e., $\rho_\gamma(i) = \zeta_\gamma(i)$ and $\rho_\lambda(j) = \zeta_\lambda(j)$ for all $i = 0..m$, $j = 1..m$. Initially, $U'$ is defined as $U$.
2. We add the expiration step, i.e., assuming $\zeta_\gamma(m) = (l, \phi, \theta, \epsilon)$, $\rho_\gamma(m + 1) = (l, \phi, \theta[t \mapsto off], t)$, $\rho_\lambda(m + 1) = \tau$, and we add the pair $(m + 1, n)$ to $U'$, i.e., $U' = U' \cup \{(m + 1, n)\}$. In this case, $(\rho_\gamma(m + 1), now) \approx^* \chi_\gamma(n)$.
3. Next, we add the input step, which consumes timeout signal $t$. Assuming $\chi_\gamma(n + 1) = (\hat{l}, \eta[t \mapsto off], \epsilon)$, we define $\rho_\gamma(m + 2) = (\hat{l}, \phi, \theta, \epsilon)$ and $\rho_\lambda(m + 2) = \tau$, and we add the pair $(m + 2, n + 1)$ to $U'$, i.e., $U' = U' \cup \{(m + 2, n + 1)\}$. In this case, $(\rho_\gamma(m + 2), now) \approx^* \chi_\gamma(n + 1)$.
Since $\zeta \equiv_U \chi^{(n)}$, $\zeta$ can be partitioned as $\zeta^{I_1} \ldots \zeta^{I_v}$ and $\chi^{(n)}$ can be partitioned as $\chi^{(n)J_1} \ldots \chi^{(n)J_v}$ (see condition 2 of Def. 3.14). Since $U$ is left unmodified for the prefix of $\rho$ that coincides with $\zeta$, $\rho$ and $\chi$ can be partitioned as $\rho^{I_1} \ldots \rho^{I_v} \rho^{I_{v+1}}$ and $\chi^{J_1} \ldots \chi^{J_v} \chi^{J_{v+1}}$, where $\rho^{I_i} = \zeta^{I_i}$ and $\chi^{J_i} = \chi^{(n)J_i}$ for all $1 \leq i \leq v$. The last step of $\chi$ forms the part $\chi^{J_{v+1}}$. The expiration step together with the input step consuming the timeout signal form the part $\rho^{I_{v+1}}$. All the conditions of Def. 3.14 are satisfied and $\rho \equiv_U \chi$.
Case: The queue of $P$ is not empty at $\zeta_\gamma(m)$.
Here, we should find the receiving step for the element $msg$ staying at the head of the queue at $\zeta_\gamma(m)$, insert the expiration step before the step receiving $msg$, modify relation $U$ with respect to this insertion, and extend $\zeta$ by the step mimicking the timeout. Since the expiration can be taken at any point of the time slice, the trace that we get as the result of this insertion is a trace of $P$. For the sake of readability of the proof we assume that all the messages in the queue are different. In order to include the expiration step, we modify $U$ and $\zeta$ as follows.
- Let $\zeta_\gamma(m) = (l, \phi, \theta, msg :: q)$. Going from $m$ down to 1, we find the first $k$ along the trace $\zeta$ such that $\zeta_\lambda(k)$ is labelled by $c_i?msg$ (or is an expiration step in case $msg$ is a timeout signal).
- We keep the $k$-prefix of $\zeta$ and the corresponding subset of $U$. Initially, $U' = \{(i, j) \mid (i, j) \in U, 0 \leq i < k\}$, $\forall i = 0..k - 1: \rho_\gamma(i) = \zeta_\gamma(i)$, $\forall i = 1..k - 1: \rho_\lambda(i) = \zeta_\lambda(i)$.
- We add the expiration step in front of the step receiving $msg$. Let $\rho_\gamma(k - 1) = (l, \phi, \theta, q)$. Since $\zeta \equiv_U \chi^{(n)}$, there is $(k, w) \in U$ such that $\zeta_\lambda(k)$, $\chi_\lambda(w)$ belong to the parts $\zeta^{I_w}$, $\chi^{(n)J_w}$ respectively. We define $\rho_\gamma(k) = (l, \phi, \theta[t \mapsto off], q :: t)$, $\rho_\lambda(k) = \tau$, and we add the pair $(k, w)$ to $U'$, i.e., $U' = U' \cup \{(k, w)\}$. Moreover, $(\rho_\gamma(k), now) \approx^* \chi_\gamma(w)$.
- The suffix of $\zeta$ starting with the step receiving $msg$ is shifted due to the inclusion of the expiration step. The shift is done as follows: $\forall i = k..m$: $\rho_\gamma(i + 1) = (l, \phi, \theta, \hat{q})$ where $\zeta_\gamma(i) = (l, \phi, \theta, \tilde{q})$, $\tilde{q} = q_1 :: msg :: q_2$ and $\hat{q} = q_1 :: t :: msg :: q_2$ (i.e., the queue is modified wrt. the inclusion), and $\rho_\lambda(i + 1) = \zeta_\lambda(i)$.
Relation $U'$ is modified by the inclusion as follows: $\forall (i, j) \in U$ s.t. $k \leq i \leq m$: we add the pair $(i + 1, j)$ to $U'$, i.e., $U' = U' \cup \{(i + 1, j)\}$. Since condition 2 of Def. 3.12 is still satisfied, $(\rho_\gamma(i + 1), now) \approx^* \chi_\gamma(j)$.
- Let $\chi_\gamma(n + 1) = (\hat{l}, \eta[t \mapsto off], q)$. Finally, we add the input of the timeout signal $t$. Then $\rho_\gamma(m + 2) = (\hat{l}, \phi, \theta, q')$, and $\rho_\lambda(m + 2) = \tau$, and we add the pair $(m + 2, n + 1)$ to $U'$, i.e., $U' = U' \cup \{(m + 2, n + 1)\}$. Moreover, $(\rho_\gamma(m + 2), now) \approx^* \chi_\gamma(n + 1)$.
Since ( =u x(n), ( can be partitioned as ( 11 ... (1v and x(n) can be par-
titioned x(n)J' ... x(n)Jv. p(k - l) coincides with (Ck- l), so we can partition 
p(k - l) so that p1' = (1' and XJ' = x(n)J' for all 1 ::::; i < w, where ( 1w is a part 
containing the kth-step of(. 
The partition Iw of ( ends with the kth-step. We add the expiration step in 
front of the kth-step. The partition ( 1w is modified by the inclusion, so that the 
part p1w, which corresponds to the expiration step followed by the kth-step , 
still satisfies the conditions of Def. 3.14. 
Further, the suffix of p starting in state p,, (k + 1) can be partitioned in the 
same way as the corresponding suffix of (starting in ( ,, (k). The parts p11 differ 
from the parts ( 1J only by the presence of the timeout signal in the input queue. 
The condit ions of Def. 3. 14 are satisfied by p11 and x(n) J J for all w + 1 ::::; j ::::; v. 
The input step consuming the timeout signal forms part p1v+1 of the original 
system. The corresponding timeout step in x forms part xJv+ 1 • The conditions 
of Def. 3.14 are satisfied , sop =u X· 
Concluding, we have shown how to construct p such that p =u x for some 
U s;; N x N and p is a trace of P. D 
Lemma 3.8.
Let $Spec_P$ be a process specification and $Spec_{P'}$ be the result of the transformation of $Spec_P$ wrt. the rules of Table 4. Let P and P' be the processes derived
from $Spec_P$ and $Spec_{P'}$ by applying the rules of Table 1 and Table 5, respectively. Then for each trace $\chi$ of P' there exists a trace $\zeta$ of P such that $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$.
Proof. Here we demonstrate that for each trace $\chi$ of P' there exists a trace $\zeta$ of P such that $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$.
In Lemma 3.4, we have already demonstrated that $(\gamma_0, 0) \approx^* \gamma_0'$ is valid for the initial states of P and P', so $U = \{(0,0)\}$ and $\zeta_\gamma(0) = \gamma_0$ initially. Further, trace $\zeta$ and relation U are constructed by induction on the length of the trace $\chi$. Each step of P' is mimicked by a step of P, and the configurations reached by the step of the transformed system and the mimicking step of the original one are related by $\approx^*$. Assume that $(i,j) \in U$. By Def. 3.14, $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$. Now we proceed with a case analysis on the rules of Table 5.
Case: INPUT
In this case we have a step $(l, \eta, s(pid,v) :: q') \to_\tau (\hat l, \eta[x \mapsto v], q')$ of P', and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$, where $\chi_\gamma(j) = (l, \eta, s(pid,v) :: q')$, $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\hat l, \eta[x \mapsto v], q')$.
Rule INPUT of Table 5 gives an edge $l \to_{?s(x)} \hat l \in Edg'$. Since the transformation leaves this edge untouched, there is an edge $l \to_{?s(x)} \hat l \in Edg$.
Since $(\zeta_\gamma(i), now) \approx^* (l, \eta, s(pid,v) :: q')$, $\zeta_\gamma(i) = (l, \varphi, \theta, s(pid,v) :: q)$ and the input is enabled in $\zeta_\gamma(i)$. So the input step of P' is mimicked by the following step: $(l, \varphi, \theta, s(pid,v) :: q) \to_\tau (\hat l, \varphi[x \mapsto v], \theta, q)$ (rule INPUT of Table 1).
We define $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = (\hat l, \varphi[x \mapsto v], \theta, q)$ and we add the pair $(i+1, j+1)$ to U, i.e., $U = U \cup \{(i+1, j+1)\}$. Both the step of the transformed system and the mimicking step of the original one form parts satisfying condition 2 of Def. 3.14. Since both the step of the transformed system and the mimicking step of the original one remove s(pid,v) from the input queue and modify the value of x to v, $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$. The other conditions of Def. 3.14 are satisfied as well.
Case: DISCARD
We have $(l, \eta, s(pid,v) :: q') \to_\tau (l, \eta, q')$ of P' and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, s(pid,v) :: q')$, $\chi_\lambda(j+1) = \tau$, and $\chi_\gamma(j+1) = (l, \eta, q')$.
By rule DISCARD of Table 5, we derive that signal s is not expected by process P' in location l. The transformation rules of Table 4 leave the set of non-timeout signals expected at location l untouched. Therefore, a signal which is not expected in location l of the transformed system is also not expected in location l of the original system. Since $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$, two cases are possible: (i) signal s is at the head of the input queue of P in $\zeta_\gamma(i)$, i.e., $\zeta_\gamma(i) = (l, \varphi, \theta, s(pid,v) :: q)$; (ii) there are one or more timeout signals in front of s at the head of the queue of P in $\zeta_\gamma(i)$, i.e., $\zeta_\gamma(i) = (l, \varphi, \theta, t_1 :: \ldots :: t_n :: s(pid,v) :: q)$.
In the first case, the discard step of P' can be mimicked by the discard step of P (rule DISCARD of Table 1). We define $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = (l, \varphi, \theta, q)$ and we add the pair $(i+1, j+1)$ to U. Both the step of the transformed system and the mimicking step of the original one remove s(pid,v) from the
input queue, so $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$. The conditions of Def. 3.14 are satisfied.
Since we do not take an expiration step for timer t in P until the timeout of t is met in P', there is no need to consider the second case.
Case: OUTPUT
Here we have $(l, \eta, q') \to_{c_o!s(pid,v)} (\hat l, \eta, q')$ in P' and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, q')$, $\chi_\lambda(j+1) = c_o!s(pid,v)$ and $\chi_\gamma(j+1) = (\hat l, \eta, q')$.
By rule OUTPUT of Table 5, we get $l \to_{g \triangleright c!(s,e)} \hat l \in Edg'$. The transformation rules of Table 4 leave output edges unmodified, so $l \to_{g \triangleright c!(s,e)} \hat l \in Edg$. Since guard g evaluates to true in $\chi_\gamma(j)$, it also evaluates to true in $\zeta_\gamma(i)$. Expression e has the same value in $\chi_\gamma(j)$ and in $\zeta_\gamma(i)$ (see Lemma 3.2). So the output step of P' can be mimicked by the output step of P (rule OUTPUT of Table 1).
We define $\zeta_\lambda(i+1) = c_o!s(pid,v)$, $\zeta_\gamma(i+1) = (\hat l, \varphi, \theta, q)$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied. Both the step of the transformed system and the mimicking step of the original one change the location only, thus $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied.
Case: RECEIVE
We have $(l, \eta, q') \to_{c_i?s(pid,v)} (l, \eta, q' :: s(pid,v))$ for some $v \in D$, where c is an input channel of P' (rule RECEIVE of Table 5) and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, q')$, $\chi_\lambda(j+1) = c_i?s(pid,v)$, and $\chi_\gamma(j+1) = (l, \eta, q' :: s(pid,v))$.
The transformation rules of Table 4 do not change the structure of the system, i.e., P' and P have the same set of input channels. By rule RECEIVE of Table 1, the receive step of P' can be mimicked by the receive step $(l, \varphi, \theta, q) \to_{c_i?s(pid,v)} (l, \varphi, \theta, q :: s(pid,v))$ enabled in $\zeta_\gamma(i)$ of P.
We define $\zeta_\lambda(i+1) = c_i?s(pid,v)$, $\zeta_\gamma(i+1) = (l, \varphi, \theta, q :: s(pid,v))$ and add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied. Both the step of the transformed system and the mimicking step add s(pid,v) to the input queue, thus $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied.
Case: ASSIGN
We have $(l, \eta, q') \to_\tau (\hat l, \eta[x \mapsto v], q')$ and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, q')$, $\chi_\lambda(j+1) = \tau$, and $\chi_\gamma(j+1) = (\hat l, \eta[x \mapsto v], q')$.
By rule ASSIGN of Table 5, $l \to_{g \triangleright x := e} \hat l \in Edg'$. The transformation rules of Table 4 leave assignment edges unmodified, so $l \to_{g \triangleright x := e} \hat l \in Edg$. According to Lemma 3.2, guard g and expression e have in $\zeta_\gamma(i)$ the same value as in $\chi_\gamma(j)$. Therefore, the assignment in P' can be mimicked by the assignment step $(l, \varphi, \theta, q) \to_\tau (\hat l, \varphi[x \mapsto v], \theta, q)$ of P.
Here $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = (\hat l, \varphi[x \mapsto v], \theta, q)$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied. The value of variable x is changed to v both by the step of the transformed system and by the mimicking step, thus $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied as well.
Case: SET
Assume $(l, \eta, q') \to_\tau (\hat l, \eta[t \mapsto on(v)], q')$ and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, q')$, $\chi_\lambda(j+1) = \tau$, and $\chi_\gamma(j+1) = (\hat l, \eta[t \mapsto on(v)], q')$.
By rule SET of Table 5, $l \to_{g' \triangleright set\ t := e} \hat l \in Edg'$. According to rules SET TO SET1 and SET TO SET2 of Table 4, $l \to_{g \triangleright SET(NOW + e,\ t)} \hat l \in Edg$. Two cases are possible: (i) $g'$ is a condition of the form $[g \wedge (e \ge 0)]$ for some g in P, and (ii) $g'$ is a guard of the form $[g \wedge (e < 0)]$.
In both cases, g evaluates to true in $\zeta_\gamma(i)$ iff $g'$ is true in $\chi_\gamma(j)$ by Lemma 3.2, and the setting of timer variable t in P' can be mimicked by setting timer t in P, i.e., by the step $(l, \varphi, \theta, q) \to_\tau (\hat l, \varphi, \theta[t \mapsto on(w)], q)$ where $w = \llbracket NOW + e \rrbracket_{\zeta_\gamma(i)}$ (rule SET of Table 1).
Here $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = (\hat l, \varphi, \theta[t \mapsto on(w)], q)$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied.
If $e \ge 0$ is true, then guard $[g \wedge (e \ge 0)]$ is true in $\chi_\gamma(j)$, and $w = now + v$, i.e., condition 3 of Def. 3.12 is satisfied. Otherwise, guard $[g \wedge (e < 0)]$ is true in $\chi_\gamma(j)$ and e has the value zero, so condition 3 of Def. 3.12 is satisfied as well. Hence, $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied.
Case: RESET
Here we have $(l, \eta, q') \to_\tau (\hat l, \eta[t \mapsto \mathit{off}], q')$, $l \notin Loc_t$ and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, q')$, $\chi_\lambda(j+1) = \tau$, and $\chi_\gamma(j+1) = (\hat l, \eta[t \mapsto \mathit{off}], q')$.
By rule RESET of Table 5, $l \to_{g \triangleright reset\ t} \hat l \in Edg'$ for some $l \notin Loc_t$. By transformation rule RESET TO RESET of Table 4, $l \to_{g \triangleright RESET(t)} \hat l \in Edg$.
Since $l \notin Loc_t$, guard g is not a timeout guard. By Lemma 3.2, guard g evaluates to true both in $\chi_\gamma(j)$ and in $\zeta_\gamma(i)$, so the reset step of P' can be mimicked by the reset step $(l, \varphi, \theta, q) \to_\tau (\hat l, \varphi, \theta[t \mapsto \mathit{off}], \pi_t(q))$ of P (rule RESET of Table 1).
Here $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = (\hat l, \varphi, \theta[t \mapsto \mathit{off}], \pi_t(q))$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied.
Both the reset step of P' and the reset step of P change the value of timer variable (resp. timer) t to off, and the reset step of P removes all timeout signals of t from the input queue, thus condition 4 of Def. 3.12 is satisfied. Therefore, $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied.
Case: TICK_P
Here we have $(l, \eta, q') \to_{tick} (l, \eta[t \mapsto dec(t)], q')$ and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (l, \eta, q')$, $\chi_\lambda(j+1) = tick$, and $\chi_\gamma(j+1) = (l, \eta[t \mapsto dec(t)], q')$.
The premise of rule TICK_P of Table 5 says that $blocked(\chi_\gamma(j))$ is true. By Lemma 3.3, $blocked(\zeta_\gamma(i))$ also holds. So the tick-step of P' can be mimicked by the tick-step of P, that is $now \to_{tick} now + 1$ (rule TICK of Table 3).
In this case, $\zeta_\lambda(i+1) = tick$, $\zeta_\gamma(i+1) = \zeta_\gamma(i)$, $\zeta_{now}(i+1) = \zeta_{now}(i) + 1$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied.
The tick-step of P' decreases the values of timer variables and the tick-step of P increases the system time, i.e. $(w - 1) + (now + 1) = v$ where w is the positive value of the timer variable and v is the value of the corresponding timer, thus
condition 3 of Def. 3.12 is satisfied. Moreover, $(\zeta_\gamma(i+1), now + 1) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied.
Case: TIMEOUT, TDISCARD
See Lemma 3.7.
We have shown that for each trace $\chi$ of P' there exists a trace $\zeta$ of P such that $\zeta \equiv_U \chi$. Each construction step preserves the relation $\approx^*$ on the resulting states. $\square$
Lemma 3.9.
Let Spec be a specification and Spec' be the result of transforming Spec according to the rules of Table 4. Let S be the LTS derived from Spec by applying the rules of Tables 1, 2, 3 to Spec, and S' be the LTS obtained from Spec' by applying the rules of Table 5, rules IN and OUT of Table 2, and the rules of Table 6. Then for each trace $\chi$ of S' there exists a trace $\zeta$ of S such that $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$.
Proof. By Lemma 3.8, we have already shown that $P' \sqsubseteq_U P$ for single processes. For systems consisting of n components, it is straightforward to prove that $P'_i \sqsubseteq_U P_i$ for all $i \in \{1, \ldots, n\}$ implies $S' \sqsubseteq_U S$, proceeding similarly by case analysis on the rules of Table 6 and by using Lemma 3.3.
$(i,j) \in U$ implies $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$. Trace $\zeta$ of S and relation U are constructed by induction on the length of trace $\chi$ of S'. The initial configurations $\gamma_0$ and $\gamma_0'$ of S and S' respectively are related by $\approx^*$, so U is initially $\{(0,0)\}$ and $\zeta_\gamma(0) = \gamma_0$. Assume that $(i,j) \in U$: $\zeta$ is a trace of length i of S and is equivalent to $\chi(j)$ of S'. Further we proceed by a case analysis on the rules of Table 6.
Case: IN, OUT
The transformation does not influence the in- and out-behaviour of channels, and $(i,j) \in U$ implies $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$, i.e., channel c has in $\zeta_\gamma(i)$ the same contents as in $\chi_\gamma(j)$. So a $c_o?s(pid,v)$-step of channel c in S' can always be mimicked by the same step of channel c in S. Moreover, the configurations reached by the mimicking step of the original system and the step of the transformed one are related by $\approx^*$. The same is valid for $c_i!s(pid,v)$-steps.
Case: COMM
We have $\chi_\gamma(j) \to_\tau \chi_\gamma(j+1)$ and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (\chi_\gamma(j)_1, \ldots, \chi_\gamma(j)_n)$, $\zeta_\gamma(i) = (\zeta_\gamma(i)_1, \ldots, \zeta_\gamma(i)_n)$, $\chi_\gamma(j+1) = (\chi_\gamma(j+1)_1, \ldots, \chi_\gamma(j+1)_n)$. By the premises of rule COMM, this implies that there are some $k, m \in \{1, \ldots, n\}$ such that $\chi_\gamma(j)_m \to_{a_m} \chi_\gamma(j+1)_m$, $\chi_\gamma(j)_k \to_{a_k} \chi_\gamma(j+1)_k$ and predicate $comm(a_m, a_k)$ is true.
Due to Lemma 3.8 and the case (IN, OUT) considered above, the steps labelled by $a_m$ and $a_k$ can be mimicked by steps with the same labels in $P_m$ and $P_k$. So we have $\zeta_\gamma(i)_m \to_{a_m} \zeta_\gamma(i+1)_m$ and $\zeta_\gamma(i)_k \to_{a_k} \zeta_\gamma(i+1)_k$. Moreover, $(\zeta_\gamma(i+1)_m, now) \approx^* \chi_\gamma(j+1)_m$, $(\zeta_\gamma(i+1)_k, now) \approx^* \chi_\gamma(j+1)_k$ and $comm(a_m, a_k)$ holds. By rule COMM, which is valid both for the original system and for the transformed one, we derive for these k, m the transition $(\zeta_\gamma(i)_1, \ldots, \zeta_\gamma(i)_n) \to_\tau (\zeta_\gamma(i+1)_1, \ldots, \zeta_\gamma(i+1)_n)$. So the communication of $P'_m$ with $P'_k$ can be mimicked by the communication of $P_m$ with $P_k$.
In this case, $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = (\zeta_\gamma(i+1)_1, \ldots, \zeta_\gamma(i+1)_n)$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied.
Since $(\zeta_\gamma(i+1)_m, now) \approx^* \chi_\gamma(j+1)_m$ and $(\zeta_\gamma(i+1)_k, now) \approx^* \chi_\gamma(j+1)_k$, and all other components are unchanged by the step, $(\zeta_\gamma(i+1)_l, now) \approx^* \chi_\gamma(j+1)_l$ for all $l \in \{1, \ldots, n\}$. Hence $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, and condition 1 of Def. 3.14 is satisfied.
Case: TICK
Here we have $\chi_\gamma(j) \to_{tick} \chi_\gamma(j+1)$ decreasing the values of the non-zero timer variables of S', and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$.
By rule TICK of Table 6, predicate blocked is true in $\chi_\gamma(j)$. According to Lemma 3.3, blocked is also true in $\zeta_\gamma(i)$. So the tick-step of S' can be mimicked by the tick-step of S.
In this case, $\zeta_\lambda(i+1)$ is defined as tick, $\zeta_\gamma(i+1) = \zeta_\gamma(i)$, $\zeta_{now}(i+1) = \zeta_{now}(i) + 1$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied.
The tick-step of S' decreases the values of the non-zero timer variables and the tick-step of S increases the system time, i.e., $(w - 1) + (now + 1) = v$ where w is the value of a non-zero timer variable and v is the value of the corresponding timer. Condition 3 of Def. 3.12 is satisfied, hence $(\zeta_\gamma(i+1), now + 1) \approx^* \chi_\gamma(j+1)$. Moreover, condition 1 of Def. 3.14 is satisfied.
Case: INTERLEAVE_in
Here we have $(\chi_\gamma(j)_1, \ldots, \chi_\gamma(j)_n) \to_{c!s(pid,v)} (\chi_\gamma(j+1)_1, \ldots, \chi_\gamma(j+1)_n)$, and $(\zeta_\gamma(i), now) \approx^* \chi_\gamma(j)$ where $\chi_\gamma(j) = (\chi_\gamma(j)_1, \ldots, \chi_\gamma(j)_n)$, $\zeta_\gamma(i) = (\zeta_\gamma(i)_1, \ldots, \zeta_\gamma(i)_n)$, and $\chi_\gamma(j+1) = (\chi_\gamma(j+1)_1, \ldots, \chi_\gamma(j+1)_n)$. By the premises of rule INTERLEAVE_in, $\chi_\gamma(j)_k \to_{c?s(pid,v)} \chi_\gamma(j+1)_k$ for some $k \in \{1, \ldots, n\}$ and $s \in Sig_{ext}$.
The set of external signals for S coincides with the set of external signals for S', thus there is a step $\zeta_\gamma(i)_k \to_{c?s(pid,v)} \zeta_\gamma(i+1)_k$. By rule INTERLEAVE_in, $\zeta_\lambda(i+1) = c!s(pid,v)$, $\zeta_\gamma(i+1) = (\ldots, \zeta_\gamma(i+1)_k, \ldots)$ and we add the pair $(i+1, j+1)$ to U. Condition 2 of Def. 3.14 is satisfied.
Since $(\zeta_\gamma(i)_m, now) \approx^* \chi_\gamma(j)_m$ for all $m \in \{1, \ldots, n\}$, $(\zeta_\gamma(i+1), now) \approx^* \chi_\gamma(j+1)$, i.e., condition 1 of Def. 3.14 is satisfied.
Case: INTERLEAVE_out
The proof of this case is analogous to the proof of the INTERLEAVE_in case.
Case: INTERLEAVE_τ
Assume that $\chi_\lambda(j+1)$ is a $\tau$-step and that $\chi_\gamma(j) = (\chi_\gamma(j)_1, \ldots, \chi_\gamma(j)_n)$. Let $\chi_\gamma(j)_k \to_\tau \chi_\gamma(j+1)_k$ for some $k \in \{1, \ldots, n\}$. The $\tau$-step corresponds to one of the cases DISCARD, NONEINPUT, ASSIGN, EXPIRATION, SET, RESET of Table 5 or to the case COMM considered above. As we already showed, it can be simulated by a $\tau$-step of $P_k$ in all these cases.
The configurations reached by the $\tau$-step in S' and by the mimicking $\tau$-step of S are related by $\approx^*$ in all cases. Therefore, we add the pair $(i+1, j+1)$ to U
and define $\zeta_\lambda(i+1) = \tau$, $\zeta_\gamma(i+1) = r$ where r is the configuration reached in S by the mimicking $\tau$-step.
By the construction mechanism described above, we have shown that for each trace $\chi$ of S' there is a trace $\zeta$ of S such that $\zeta \equiv_U \chi$ for some $U \subseteq \mathbb{N} \times \mathbb{N}$. $\square$
Lemma 3.10. [WEAK TRACE EQUIVALENCE]
Let Spec be a specification and Spec' be the result of transforming Spec according to the rules of Table 4. Let S be the LTS derived from Spec by applying the rules of Tables 1, 2, 3 to Spec, and S' be the LTS obtained from Spec' by applying the rules of Table 5, rules IN and OUT of Table 2, and the rules of Table 6. Then $S \equiv_{wtr} S'$.
Proof. Case: $S \le_{wtr} S'$. Follows from Theorem 3.1.
Case: $S' \le_{wtr} S$. Follows from Lemma 3.9 and Lemma 3.5. $\square$
Lemma 3.11.
Let Spec be a specification and Spec' be the result of transforming Spec according to the rules of Table 4. Let S be the LTS derived from Spec by applying the rules of Tables 1, 2, 3 to Spec, and S' be the LTS obtained from Spec' by applying the rules of Table 5, rules IN and OUT of Table 2, and the rules of Table 6. Let $\mathcal{L}$ and $\mathcal{L}'$ be interpretation functions for the set of atomic propositions P mentioning only process variables. Then $(S, \mathcal{L}) \equiv_{st} (S', \mathcal{L}')$.
Proof. Both $(S, \mathcal{L})$ and $(S', \mathcal{L}')$ are doubly labelled LTSs (Def. 2.25). Here we assume that neither system S nor system S' contains deadlocks, because even if the system cannot proceed, time can progress. So all the traces of S and S' are infinite.
Case: $(S, \mathcal{L}) \le_{st} (S', \mathcal{L}')$. Follows from Def. 3.12 and Theorem 3.1.
Case: $(S', \mathcal{L}') \le_{st} (S, \mathcal{L})$. The expiration steps present in S and absent in S' do not change the valuation of process variables. By Lemma 3.9 and Lemma 3.6, it is straightforward to show that $(S', \mathcal{L}') \le_{st} (S, \mathcal{L})$ wrt. formulas mentioning process variables only.
$(S, \mathcal{L}) \le_{st} (S', \mathcal{L}')$ and $(S', \mathcal{L}') \le_{st} (S, \mathcal{L})$ imply $(S, \mathcal{L}) \equiv_{st} (S', \mathcal{L}')$. $\square$
Theorem 3.2.
For all formulas $\varphi$ from $LTL_{-X}$ mentioning only process variables, $S \models \varphi$ iff $S' \models \varphi$.
Proof. Straightforward from Lemma 3.11 and Theorem 2.2. $\square$
3.5 Conclusion
The transformation proposed in this chapter alleviates the state explosion caused by the traditional SDL interpretation of time and timers. In the transformed model, timeouts are not placed into input queues but modelled by timeout guards, so there are fewer possible combinations of messages in the input queues. Treating timers as variables is simpler than treating them as signals. There is no global time in the transformed system, thus the factor leading to an infinite state space is eliminated.
The transformation preserves both negative and positive results of verification. A branching simulation relation R (cf. Theorem 3.1) guarantees that any $LTL_{-X}$ formula satisfied by the transformed model is satisfied by the original one. Path equivalence up to stuttering (cf. Lemma 3.11) allows us to find a trace of the original system equivalent to a counterexample trace found in the transformed system. The proof of path equivalence up to stuttering also connects the presented subset of SDL with DTPROMELA, which can be considered as an implementation of the "timers as variables" idea. The semantics of the transformed model will also be used in Chapter 5 to present an approach to automatic closing of SDL specifications.
4 Using Fairness to Make Abstractions Work
The state explosion remains a stumbling block of model checking. Abstraction techniques help to solve this problem by replacing one model by an abstract, smaller one. Here we propose a timer abstraction and argue its correctness.
Abstractions often introduce infinite traces that have no corresponding traces at the concrete level and can lead to the failure of the verification. We show how one can exclude them by imposing a strong fairness constraint on the abstract model. By employing the fact that the timer abstraction introduces a self-loop, we render the strong fairness constraint into a weak fairness constraint and embed it into the verification algorithm.
The chapter is based on [26].
4.1 Introduction 
Currently, most model checkers provide facilities to (automatically) reduce 
a state space, like partial-order reduction techniques. These techniques deal 
mainly with the control flow of a model. However, data (values stored and 
transmitted in a system) , whose domain is often infinite or very large, are not 
handled by them; it is a task of a user to present data in a verification model 
in a finite form of reasonable size. 
Abstraction techniques are widely used to make the verification of com-
plex/parameterised / infinite systems feasible. Abstraction intuitively means re-
placing a semantical model by an abstract, in general simpler one. Depending 
on the property to be verified, the actual values of dat a may sometimes be ig-
nored or replaced by some abstract values. In an abstract model, the operations 
on data are mimicked by new ones on the abstract data. The main requirement 
for an abstraction is that the abstract system behaviour should correctly re-
flect the behaviour of the original system with respect to a verification task 
in the sense that (1) an abstraction should capture all essential points in the 
system behaviour, i. e. , be not "too abstract", and (2) an abstraction should 
be safe, which means that every property checked to be true on the abstract 
model, holds for the concrete one as well. This allows the transfer of positive 
verification results from the abstract model to the concrete one. 
The concept of safe abstraction is well-developed within the Abstract Interpretation framework [46, 47, 51]. The relation between the concrete model and its safe abstraction is formalized there as a requirement on the relation between the data operations of the concrete system and their abstract counterparts. Every value of the concrete state space is mapped by the abstraction function $\alpha$ into an abstract value that "describes" the concrete value. As an example consider the abstraction of integers into their signs, in which e.g. $-3$ is mapped by $\alpha$ into neg. For every operation (function) f on the concrete level, an abstraction $f^\alpha$ needs to be defined which "mimics" f. In general, the abstraction can be nondeterministic. For example, addition ($+$) over the integers is abstracted into an operation ($+^\alpha$) such that $pos +^\alpha neg$ may yield pos or neg nondeterministically. This is formally captured by letting $f^\alpha$ be a function into the powerset over the domain of abstract values.
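As an added illustration, not part of the thesis, the following Python script derives the best abstract operation $f^\alpha$ from a concrete operation f and an abstraction function $\alpha$ by enumerating a constructed sample of the concrete domain, and then checks the soundness requirement $\alpha(f(x,y)) \in f^\alpha(\alpha(x), \alpha(y))$ for every sampled pair. It uses the sign abstraction with the three abstract values neg, zero and pos; the text mentions only pos and neg as results of $pos +^\alpha neg$, and with zero in the domain the enumeration shows that a sound $+^\alpha$ must admit zero there too. A deliberately optimistic variant that insists on pos is included so that the check has something to reject. All names are this example's own.

```python
"""Added example (not from the thesis): deriving f^alpha from f and alpha, and
checking the Abstract Interpretation soundness requirement on a sample."""
from itertools import product


def alpha_sign(n):
    """Abstraction function alpha: an integer is described by its sign."""
    return "neg" if n < 0 else "zero" if n == 0 else "pos"


def add(x, y):
    return x + y


def mul(x, y):
    return x * y


def best_abstract_op(op, alpha, samples):
    """Derive f^alpha from f: for every pair of abstract values collect the
    abstract results of all sampled concrete pairs they describe.
    Returns a map (a, b) -> set of abstract values; a set with more than one
    element is exactly the nondeterminism the text describes."""
    table = {}
    for x, y in product(samples, repeat=2):
        table.setdefault((alpha(x), alpha(y)), set()).add(alpha(op(x, y)))
    return table


def is_sound(op, alpha, f_alpha, samples):
    """Soundness: alpha(f(x, y)) must be among f^alpha(alpha(x), alpha(y))
    for every sampled concrete pair (x, y)."""
    return all(alpha(op(x, y)) in f_alpha.get((alpha(x), alpha(y)), set())
               for x, y in product(samples, repeat=2))


# Constructed sample of the concrete domain (assumption of this example).
SAMPLES = range(-20, 21)

ADD_ALPHA = best_abstract_op(add, alpha_sign, SAMPLES)   # sound +^alpha
MUL_ALPHA = best_abstract_op(mul, alpha_sign, SAMPLES)   # sound *^alpha

# A "too abstract in the wrong direction" variant: it claims pos + neg is
# always pos, which 3 + (-3) = 0 already refutes.
UNSOUND_ADD = dict(ADD_ALPHA)
UNSOUND_ADD[("pos", "neg")] = {"pos"}

if __name__ == "__main__":
    for key in sorted(ADD_ALPHA):
        print("%s +^a %s = %s" % (key[0], key[1], sorted(ADD_ALPHA[key])))
    print("+^a sound:", is_sound(add, alpha_sign, ADD_ALPHA, SAMPLES))
    print("optimistic +^a sound:", is_sound(add, alpha_sign, UNSOUND_ADD, SAMPLES))
```

Running it prints the nine entries of the derived $+^\alpha$; multiplication, by contrast, is deterministic on signs, which the derived table confirms.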
Working within the Abstract Interpretation framework guarantees the preservation (in the direction from the abstract to the concrete model) of the truth of formulas of temporal logics without existential quantification over paths, e.g. $\forall L_\mu$ (cf. Theorem 2.5). Counterexamples can be spurious. In case a counterexample is found, the abstraction should be refined and the refined model is then model-checked. Such a sequence of refinements can happen to be infinite; in this case one needs different techniques to prove or disprove the property.
The systems we consider are specified as parallel compositions of communi-
cating processes. A process consists of a number of locations, variables and tran-
sitions connecting the locations and changing the valuations of variables. Pro-
cesses can communicate by rendezvous/ buffered message passing and through 
Fig. 5. Abstracted timer (tick transitions over the abstract values $k^+$, $k-1$, ..., 0, with a self-loop $k^+ \to_{tick} k^+$)
shared memory. There are explicit timing constraints in the specification im-
posed by timer operations. 
We assume that the properties are given in the universal fragment of the $\mu$-calculus, $\forall L_\mu$, consisting of formulas in positive normal form, where the negations are applied only to atomic propositions. Since every $L_\mu$ formula has an equivalent in positive normal form (see [112]), this is not a significant loss of generality. The verification methodology we propose works for any formula of the universal fragment without negation $\forall L_\mu^+$ and, under certain conditions that occur relatively often in practice (for instance, if the formula does not refer to abstracted variables), for the whole $\forall L_\mu$.
In this chapter, we consider a simple abstraction for (discrete) timers similar to the one from [49]. This abstraction is often used to prove that a property holds for all instantiations of timer settings that are greater than or equal to some value k. It leaves all values below k unchanged and maps all other values to the abstract value $k^+$. Being a deterministic operation on the concrete model, the time progress operation tick becomes nondeterministic on the abstract one (see Fig. 5). That introduces infinite traces with $k^+ \to_{tick} k^+$ being chosen whenever tick is enabled. As a result the timer never expires, which in general does not correspond to any trace of the concrete model. For instance, properties of the form $\Box(\varphi \to \Diamond\psi)$ get disproved on the abstract model whenever they depend on the fact that the timer in question eventually expires after being set. Refining the model by taking a greater value $k_{new}$, we still keep the loop at $k_{new}^+$. So refinement gives no solution to this problem.
To exclude the infinite loop $k^+ \to_{tick} k^+$ that causes spurious counterexamples, we impose a strong fairness condition $\Phi^\alpha$ on the abstract model, which we call t-fairness: "For any trace where $k^+ \to_{tick} (k-1)$ is enabled infinitely often, $k^+ \to_{tick} (k-1)$ is taken infinitely often or t is set to a new value infinitely often". We show that the concrete property $\Phi$ that corresponds to the t-fairness condition $\Phi^\alpha$ trivially holds on the concrete model. Therefore, in order to prove a formula $\varphi$ on the concrete system, we check the validity of the formula $\Phi^\alpha \to \varphi^\alpha$ on the abstract one, where $\varphi^\alpha$ is the corresponding abstract version of $\varphi$. If $\Phi^\alpha \to \varphi^\alpha$ holds, we conclude that $\varphi$ holds on the concrete system.
By exploiting some specifics of the class of systems we are working with, 
we show that the strong fairness criterion can be reformulated into a weak 
fairness criterion. When one deals with explicit model checking, this is often 
a significant advantage, because algorithmically it could be easier to deal with 
the latter. 
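The abstraction, the spurious self-loop and the t-fairness filter described in the preceding paragraphs, as an added example that is not part of the thesis or of DTSpin: one abstract timer with a constructed threshold K = 3; a tiny process that, by assumption, sets the timer only when it is off and always to a value at least K (so the abstract target of a set step is $k^+$); an enumeration of the simple cycles of the abstract model, which are the loops an explicit-state checker would report as lassos; and both the strong form of t-fairness quoted above and its weak form, evaluated on each cycle. The self-loop $k^+ \to_{tick} k^+$ is the only loop that violates "a set timer eventually expires", and it is the only one both forms of t-fairness reject, which is the observation behind the strong-to-weak reformulation. Names, the threshold and the process are this example's own assumptions.

```python
"""Added example (not from the thesis): the k+ timer abstraction, the spurious
tick self-loop it introduces, and t-fairness as a filter on lassos."""

K = 3            # abstraction threshold (assumption of this example)
TOP = "k+"       # abstract value standing for every concrete value >= K
OFF = "off"


def alpha(v):
    """Abstraction of one concrete timer value: OFF, or an int >= 0."""
    if v == OFF:
        return OFF
    return TOP if v >= K else v


def concrete_tick(v):
    """Deterministic concrete tick: an active timer with value > 0 counts down."""
    return v - 1 if v != OFF and v > 0 else v


def abstract_tick(a):
    """Smallest sound abstraction of tick. On k+ it is nondeterministic:
    v - 1 may still be >= K (stay at k+) or may be exactly K - 1."""
    if a == OFF or a == 0:
        return {a}
    if a == TOP:
        return {TOP, K - 1}
    return {a - 1}


def tick_is_sound(max_value=50):
    """alpha(tick(v)) is always among the abstract successors of alpha(v)."""
    return all(alpha(concrete_tick(v)) in abstract_tick(alpha(v))
               for v in [OFF] + list(range(max_value + 1)))


def abstract_lts():
    """Abstract model of the assumed timer process: state -> {(label, successor)}.
    set is enabled only when the timer is off; a pending timeout (value 0)
    is consumed by expire before time may tick again."""
    rel = {s: set() for s in [OFF, TOP] + list(range(K))}
    rel[OFF] |= {("set", TOP), ("tick", OFF)}
    for s in [TOP] + list(range(1, K)):
        rel[s] |= {("tick", s2) for s2 in abstract_tick(s)}
    rel[0].add(("expire", OFF))
    return rel


def simple_cycles(rel):
    """All simple cycles, each as a list of (state, label, successor) edges;
    every cycle is reported once, from its earliest state in dict order."""
    order = {s: i for i, s in enumerate(rel)}
    cycles = []

    def dfs(start, node, path, seen):
        for lbl, nxt in sorted(rel[node], key=str):
            if nxt == start:
                cycles.append(path + [(node, lbl, nxt)])
            elif order[nxt] > order[start] and nxt not in seen:
                dfs(start, nxt, path + [(node, lbl, nxt)], seen | {nxt})

    for start in rel:
        dfs(start, start, [], {start})
    return cycles


def violates_expiry(cycle):
    """Counterexample candidate for 'a set timer eventually expires': the loop
    visits an active timer state but never takes an expire step."""
    active = any(s != OFF for s, _, _ in cycle)
    return active and not any(lbl == "expire" for _, lbl, _ in cycle)


def t_fair_strong(cycle):
    """t-fairness as stated: if k+ -tick-> K-1 is enabled infinitely often
    (at some state of the loop), it or a set step is taken infinitely often."""
    enabled = any(s == TOP for s, _, _ in cycle)
    taken = any(s == TOP and lbl == "tick" and nxt == K - 1 for s, lbl, nxt in cycle)
    reset = any(lbl == "set" for _, lbl, _ in cycle)
    return (not enabled) or taken or reset


def t_fair_weak(cycle):
    """Weak variant: only continuous enabledness (the loop never leaves k+)
    obliges the checker to take the step or a set."""
    always_enabled = all(s == TOP for s, _, _ in cycle)
    taken = any(s == TOP and lbl == "tick" and nxt == K - 1 for s, lbl, nxt in cycle)
    reset = any(lbl == "set" for _, lbl, _ in cycle)
    return (not always_enabled) or taken or reset


def analyse(rel=None):
    """Split the violating loops into spurious (t-unfair) and genuine ones, and
    record whether strong and weak t-fairness agree on every loop."""
    rel = abstract_lts() if rel is None else rel
    cycles = simple_cycles(rel)
    spurious = [c for c in cycles if violates_expiry(c) and not t_fair_strong(c)]
    genuine = [c for c in cycles if violates_expiry(c) and t_fair_strong(c)]
    agree = all(t_fair_strong(c) == t_fair_weak(c) for c in cycles)
    return {"cycles": len(cycles), "spurious": spurious,
            "genuine": genuine, "strong_equals_weak": agree}


if __name__ == "__main__":
    print(analyse())
```

The model has three simple cycles: the idle tick loop at off, the full set/tick/expire round trip, and the $k^+$ self-loop. Only the last violates the property, and it is unfair under both readings because the decrementing tick is enabled at every state of that loop; any loop that leaves $k^+$ leaves it by that very tick or by a set, which is why the two readings coincide here.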
Moreover, when one stays in the realm of explicit-state model checking, it is much more efficient to build the t-fairness check into the model checking algorithm than to express it as a formula. In this case, one can check the validity of $\varphi$ on the abstract model, assuming a built-in t-fairness check. The t-fairness check algorithm we propose here is inspired by Choueka's flag algorithm [36], and it is a version of the algorithm for weak process fairness which is implemented in Spin.
We implemented our algorithm in DTSpin [24] (a discrete-time version of 
the Spin model checker [93]) and tested the prototype implementation on some 
examples from the literature with encouraging results. 
Related work. Counter abstractions similar to the timer abstraction we use 
are quite standard and they can be traced to [123]. Such abstractions are often 
applied to abstract (discrete) timers for the verification of safety properties (see 
e.g. [49]). We study here the verification of liveness properties, which gives rise 
to the use of fairness requirements on the abstract model. 
There are several papers that deal with the problem of eliminating spuri-
ous execution sequences caused by abstraction. Closest to our approach is the 
theory of linear abstraction from [108] (also described in [109]). The general 
method of data abstraction presented there can also suffer from the problem of 
spurious execution sequences. To eliminate those, it is suggested to augment the 
system under consideration by an auxiliary monitoring module (executed syn-
chronously with the system) and then to abstract the system obtained by such 
a composition. In one of the examples, [108] features a three-valued counter abstraction ($\{0, 1, 2^+\}$, using our notation). Thus, one could apply the idea of 
a monitoring process to eliminate extra sequences introduced by self-loops to 
abstract states. However, this would lead to a solution based on strong fairness 
on the transition level. The monitor labels the "critical" transitions with -1 or 
+ 1. The (strong) fairness criterion requires that if a -1 transition is executed 
infinitely often then also a + 1 transition is executed infinitely often. This en-
sures leaving the artificial self-loops in the abstract state space introduced by 
the abstraction. 
As it was already emphasized, we show that in the context of timer abstrac-
tion, such a straightforward strong fairness can be transformed into a weak 
one, which is a significant advantage in the context of explicit model checking. 
In [138] the authors present a three-valued counter abstraction in the con-
text of the verification of parameterized systems, i. e. , networks of N identical 
concurrent processes, where N is an arbitrary finite number. The counters count 
the number of processes at a particular control (program) location. The solu-
tion to the problem of spurious execution sequences in this case also boils down 
to strong fairness. To this end two new variables from and to are introduced. 
The unwanted self-looping sequences are eliminated by the natural requirement 
that for each process location l if the processes enter l infinitely many times, 
then they must also leave it infinitely many times. 
The problem of parameterized networks of processes is also treated in [14], 
with a solution for the spurious sequences which resembles both of the above 
given approaches. The role of the monitors from [108] is played by "rank-
ing functions", similar to the ones used to ensure termination of sequential 
programs. The ranking functions count how many processes have executed a 
particular transition in the concrete system. By abstracting a ranking function 
value, similarly to [138], one obtains a separation of the "critical" transitions 
into "negative" and "positive" ones. The "marking algorithm" which solves 
the problem of spurious sequences is based on strong fairness. The efficiency 
remarks in favor of our solution in the context of explicit model checking would 
also apply to [14] and [138] . 
αSpin [69] is an extension of Spin with abstraction. The abstraction framework of αSpin is based on the Abstract Interpretation theory and in that regard it is similar to our approach. However, to the best of our knowledge, there is no work that deals with spurious executions in the context of αSpin.
Another approach to use abstractions in combination with Spin can be found 
in [93]. 
The chapter is organized as follows: In Section 4.2 we describe the timer 
abstraction and prove that it is safe. In Section 4.3 we introduce the notion of 
t-fairness. In Section 4.4 we present the verification algorithm. In Section 4.5 we 
describe our implementation of t-fairness in DTSpin. In Section 4.6 we discuss 
some experimental results. Finally, we give some conclusions in Section 4.7. 
4.2 Timer Abstraction 
Abstraction of Temporal Formulas 
Given a system specification $M$ whose semantics is given by transition system 
$T = (S, R)$, a system property is usually formulated as a formula $\varphi$ of temporal 
logic and the main question of model checking is formulated as $T \models \varphi$. Given 
a description relation $\rho \subseteq S \times \alpha S$ that gives for concrete states in $S$ their 
"descriptions" in $\alpha S$, we can derive a transition system $\alpha T = (\alpha S, \alpha R)$ such 
that it is an abstraction of $T$ (Def. 2.36). Data abstraction can influence system 
variables mentioned in the temporal formula. Further, we consider how an 
abstract temporal formula $\varphi^\alpha$ can be built from a concrete formula $\varphi$ so that 
$\alpha T \models \varphi^\alpha$ implies $T \models \varphi$. 
First we define how to construct abstract versions of atomic propositions. 
Let $P$ be the set of atomic propositions of $\varphi$. Since $\alpha T$ is an abstraction of 
$T$, there exists a Galois connection $(\alpha, \gamma)$ from $2^S$ to $2^{\alpha S}$ (see Def. 2.36 and 
Lemma 2.3). We define $p^\alpha$ to be the proposition that corresponds to the subset 
$\alpha(I(p)) \setminus \alpha(\overline{I(p)})$ of the abstract state space $\alpha S$, obtained under the Galois 
connection $(\alpha, \gamma)$, where $\overline{I(p)} = S \setminus I(p)$ is the interpretation of $\neg p$. 
We say that $p^\alpha$ is the contracting abstraction of $p$ under $\alpha$. 
The notion of contracting abstraction is similar to the one given in [107]. 
Fig. 6. Contracting abstraction 
Definition 4.1. [CONTRACTING ABSTRACTION] 
Let $p$ be a proposition from $P$, $(\alpha, \gamma)$ be a Galois connection, and $I: P \to 2^S$ 
and $\alpha I: \alpha P \to 2^{\alpha S}$ be two interpretation functions for transition systems $T = 
(S, R)$ and $\alpha T = (\alpha S, \alpha R)$ respectively. $p^\alpha$ is the contracting abstraction of $p$ 
under $\alpha$ iff $\alpha I(p^\alpha) = \alpha(I(p)) \setminus \alpha(\overline{I(p)})$. 
The contracting abstraction of a formula $\varphi$ is $\varphi^\alpha$ that is obtained by replacing 
each atomic proposition $p$ in $\varphi$ with its contracting abstraction $p^\alpha$. 
Fig. 6 gives an example of a contracting abstraction. There concrete states 
$\{-2, -1, 0\}$ are mapped to abstract state $\{neg\}$, and concrete states $\{0, 1, 2\}$ are 
mapped to $\{pos\}$. We want to build a contracting abstraction for the atomic 
proposition $(x \geq 0)$. It is satisfied on concrete states $\{0, 1, 2\}$ and not satis-
fied on concrete states $\{-2, -1\}$, i.e. $I(p) = \{0, 1, 2\}$ and $\overline{I(p)} = \{-2, -1\}$. 
By abstracting $\{0, 1, 2\}$, we get $\{neg, pos\}$. We remove $neg$, because it can 
be mapped back to $-2$ or $-1$, where the concrete proposition is not satis-
fied, i.e. $\alpha I(p^\alpha) = \{pos\}$. The contracting abstraction of the concrete propo-
sition $(x \geq 0)$ is the proposition corresponding to the set of abstract states 
$\alpha I(p^\alpha) = \{pos\}$. Note that for all $s \in S$ and $s^\alpha \in \alpha S$ such that $s^\alpha \in \alpha(\{s\})$, $s \models p$ 
if $s^\alpha \models p^\alpha$ when $p^\alpha$ is contracting. The contracting abstraction $p^\alpha$ of $(x \geq 0)$ is 
not satisfied in abstract state $neg$. However, abstract state $neg$ can be mapped 
back to concrete state $0$, where the concrete proposition $(x \geq 0)$ is satisfied. So 
$s^\alpha \not\models p^\alpha$ does not imply $s \not\models p$. 
To be able to transfer not only positive results but also negative results 
from the abstract system to the original one, we define the notion of consistent 
abstraction. Abstraction function $\alpha$ is called consistent with interpretation $I$ 
(Def. 2.37), if the images by $\alpha$ of the interpretations of $p$ and $\neg p$ are disjoint. 
Definition 4.2. [CONSISTENT ABSTRACTION] 
Let $\alpha$ be consistent with interpretation $I$ and $p^\alpha$ be the contracting abstraction 
of $p$ under $\alpha$. We call the proposition $p^\alpha$ the consistent abstraction of $p$ under 
$\alpha$. 
The consistent abstraction of a formula $\varphi$ is $\varphi^\alpha$ that is obtained by replacing 
each atomic proposition $p$ in $\varphi$ with its consistent abstraction $p^\alpha$. 
Fig. 7. Consistent abstraction 
Fig. 7 gives an example of a consistent abstraction. Concrete states $\{-2, -1\}$ 
are abstracted to $\{neg\}$, concrete states $\{1, 2\}$ are mapped to $\{pos\}$, and 
$\{0\}$ is mapped to $\{zero\}$. We want to build a consistent abstraction of an 
atomic proposition $(x \geq 0)$. The concrete proposition is satisfied on $\{0, 1, 2\}$ 
and not satisfied on $\{-2, -1\}$. By abstracting concrete states $\{0, 1, 2\}$, we get 
$\{zero, pos\}$. The contracting abstraction of the proposition is the proposition 
corresponding to the set of abstract states $\alpha I(p^\alpha) = \{zero, pos\}$. The consis-
tent abstraction $p^\alpha$ is not satisfied on $neg$. Abstract state $neg$ is concretized 
to $\{-2, -1\}$, where $\neg p$ is satisfied. Note that for all $s \in S$ and $s^\alpha \in \alpha S$ such that 
$s^\alpha \in \alpha(\{s\})$, $s \models p$ iff $s^\alpha \models p^\alpha$, when $p^\alpha$ is consistent. 
Lemma 4.1. 
Let $(\alpha, \gamma')$ be a Galois connection and $\alpha$ be surjective and consistent with $I$. 
Then $\gamma$ is consistent with $\alpha I$ defined as in Def. 4.1. 
Proof. First, we have to show that if $\alpha$ is consistent with $I: P \to 2^S$, then 
$\forall p \in P$, $\gamma(\alpha(I(p))) = I(p)$. 
By the definition of $\gamma$, $\gamma(\alpha(I(p))) = \overline{\gamma'(\overline{\alpha(I(p))})}$. Since $\alpha$ is consistent and 
surjective, $\overline{\gamma'(\overline{\alpha(I(p))})} = \overline{\gamma'(\alpha(\overline{I(p)}))}$. By Lemma 2.5, $\overline{\gamma'(\alpha(\overline{I(p)}))} = \overline{\overline{I(p)}} = I(p)$. 
Further, we have to show that if $\alpha$ is consistent with $I: P \to 2^S$, then $\gamma$ 
is consistent with $\alpha I: \alpha P \to 2^{\alpha S}$. According to Def. 4.1, $\alpha I(p^\alpha) = \alpha(I(p)) \setminus 
\alpha(\overline{I(p)})$. $\gamma$ is consistent with $\alpha I$ iff 
$$\gamma(\alpha I(p^\alpha)) \cap \gamma(\alpha I(\neg p^\alpha)) = \emptyset.$$ 
By the definition of $\alpha I$, we can rewrite the left part of this equality as 
$$\gamma[\alpha(I(p)) \setminus \alpha(\overline{I(p)})] \cap \gamma[\alpha(\overline{I(p)}) \setminus \alpha(I(p))].$$ 
Since $\alpha$ is consistent with $I$, $\alpha(I(p)) \cap \alpha(\overline{I(p)}) = \emptyset$, and hence, $\alpha(I(p)) \setminus 
\alpha(\overline{I(p)}) = \alpha(I(p))$ and $\alpha(\overline{I(p)}) \setminus \alpha(I(p)) = \alpha(\overline{I(p)})$. Therefore, we rewrite the expression further to 
$$\gamma[\alpha(I(p))] \cap \gamma[\alpha(\overline{I(p)})].$$ 
Now we only have to show that $\overline{\alpha(I(p))} = \alpha(\overline{I(p)})$. Since $\alpha$ is consistent, 
$\alpha(I(p)) \cap \alpha(\overline{I(p)}) = \emptyset$. Since $\alpha$ is surjective, $\alpha(I(p)) \cup \alpha(\overline{I(p)}) = \alpha S$. Therefore, 
$\overline{\alpha(I(p))} = \alpha(\overline{I(p)})$. By Lemma 2.5, we have 
$$\gamma(\alpha(I(p))) \cap \gamma(\alpha(\overline{I(p)})) = I(p) \cap \overline{I(p)} = \emptyset.$$ 
$\square$ 
Theorem 4.1. 
Let $T = (S, R)$ and $\alpha T = (\alpha S, \alpha R)$ be two transition systems with interpre-
tation functions $I$, $\alpha I$ defined as in Def. 4.1. Let $T \sqsubseteq_{(\alpha, \gamma)} \alpha T$. Given a $\Box L_t$ 
(respectively $\Box L_\mu$) formula $\varphi$, let $\varphi^\alpha$ be a contracting (respectively consistent 
with $I$) abstraction of $\varphi$. Then $\alpha T \models \varphi^\alpha$ implies $T \models \varphi$. 
Proof. By Lemma 4.1, the consistency of $\alpha$ with $I$ implies the consistency of 
$\gamma$ with $\alpha I$. The theorem is a corollary of Theorem 2.5. $\square$ 
Often it is more convenient to apply abstractions directly on system speci-
fication $M$ than on its transition system $T$. Such an abstraction on the level of 
$M$ is well-developed within the Abstract Interpretation framework [46, 47, 51]. 
The requirement that Abstract Interpretation imposes on the relation between 
the concrete model $T$ and its safe abstraction $T^\alpha$ can be formalized as a re-
quirement on the relation between the data and the operations of the concrete 
system and their abstract counterparts as follows: Each value of the concrete 
domain $\Sigma$ is mapped by a description function $\rho_d$ to a value from the abstract 
domain $\alpha\Sigma$. The abstract value "describes" the concrete value. We assume an 
ordering $\preceq$ on the abstract domain $\alpha\Sigma$ according to the "precision" of abstract 
values: given a concrete value $x$ and its abstract description $x^\alpha = \rho_d(x)$, we say 
that any $y^\alpha \in \alpha\Sigma$ such that $x^\alpha \preceq y^\alpha$ is a less precise description of $x$. 
For every operation (function) $f$ on the concrete data domain, an abstract 
function $f^\alpha$ is defined, which "mimics" $f$. (For simplicity, we assume $f$ to be a 
unary operation.) In general, the abstraction can be nondeterministic. This is 
formally captured by letting $f^\alpha$ be a function into the powerset over the domain 
of abstract values. The requirement of mimicking is then formally phrased with 
the following safety statement: 
$$\forall x \in \Sigma \ \exists y \in f^\alpha(\rho_d(x)) : \rho_d(f(x)) \preceq y. \qquad (1)$$ 
Definition 4.3. [SAFE ABSTRACTION] 
Let $M^\alpha$ be obtained by replacing each constant $c$ and function $f$ of $M$ with 
their abstract versions. We say that $M^\alpha$ is a safe abstraction of $M$ iff the 
safety statement is satisfied for all the abstract versions of the functions. 
A state $s$ can be seen as a valuation vector $(v_0, v_1, \ldots, v_{n-1})$ and, thus, 
$S = \Sigma_0 \times \ldots \times \Sigma_{n-1}$, with $\Sigma_0, \ldots, \Sigma_{n-1}$ being the corresponding data domains. 
We relate $S$ and $\alpha S$ via the description relation, which in our case is the function 
$\rho_S: S \to \alpha S$ defined as $\rho_S(s) = (\rho_{d_0}(v_0), \ldots, \rho_{d_{n-1}}(v_{n-1}))$, where $\rho_{d_0}, \ldots, \rho_{d_{n-1}}$ 
are description functions for the corresponding variables and the set of abstract 
states $\alpha S = \alpha\Sigma_0 \times \ldots \times \alpha\Sigma_{n-1}$. We assume a trivial (identity) mapping as 
description function for unabstracted variables. 
Fig. 8. Two approaches to abstraction 
Figure 8 illustrates two approaches to abstraction. In the first case, transi-
tion system $T = (S, R)$ giving the semantics of specification $M$ is abstracted 
to transition system $\alpha T = (\alpha S, \alpha R)$ by a description relation on the states of 
$T$ and $\alpha T$. In the second case, $M^\alpha$ is obtained by replacing each constant $c$ 
and function $f$ of $M$ by their abstract versions. Let $M^\alpha$ be a safe abstrac-
tion of $M$, and the semantics of $M^\alpha$ be given by $T^\alpha = (S^\alpha, R^\alpha)$. Obviously 
$S^\alpha = \alpha\Sigma_0 \times \ldots \times \alpha\Sigma_{n-1} = \alpha S$. Moreover, for "usual" modelling languages, 
like PROMELA, $R^\alpha \supseteq \alpha R$, which follows from Lemma 4.4.1.1 of [47]. This 
trivially implies $\alpha T \sqsubseteq_{id} T^\alpha$, where $id$ is the identity function. Given a $\Box L_t$ 
(respectively $\Box L_\mu$) formula $\varphi$, we can find $\varphi^\alpha$ that is a contracting (respec-
tively consistent with $I$) abstraction of $\varphi$. By Theorem 4.1, we obtain that 
$$T^\alpha, \alpha I \models \varphi^\alpha \Rightarrow \alpha T, \alpha I \models \varphi^\alpha \Rightarrow T, I \models \varphi.$$ 
Timer Abstraction 
The timer abstraction proposed here is similar to abstractions given in [49] and 
in [25]. The abstraction from [25] is based on a natural idea of allowing timers to 
expire at an arbitrary moment after they are set. This means that the timer can 
expire immediately after setting. A typical problem arising when one starts to 
apply this abstraction in practice is the introduction of zero-time cycles (cycles 
without time progression) which are not present in the concrete model. A usual 
pattern for SDL specifications is that a timer schedules some periodical activity; 
after a timeout signal is consumed by a process, some actions are taken, the 
timer is set again, and the process returns to the same control state where 
it was before consumption of the timer signal. Since the abstraction allows a 
timer to expire at any arbitrary moment after its setting (also immediately 
after it has been set), undesirable cyclic behaviour can be introduced. The 
"timeout input - timer setting - timer expiration" chain of transitions can be 
executed infinitely many times and all the other behavioural branches may be 
ignored forever. Therefore, the properties which hold for the concrete model 
and which are expected to hold independently of the timer settings, fail to 
hold for the abstract model, since "independently" means in this case that the 
property holds for the concrete model whatever positive delay is assigned to a 
timer. Another problem arises in case a timer serves as a guard to prevent from 
taking a transition too early. By abstracting time, this timer guard is broken. 
We propose an abstraction for timers that keeps this guard delaying the 
timer expiration. Moreover , we prove that the abstraction is safe. The concept 
of timers was defined in Section 3.3. The system semantics we use here is similar 
to one defined in Section 3.3. The only difference is that we do not require tick 
to have the least priority and leave the semantics of time partially open here, 
since our approach does not depend on it. 
For a timer $t$, the concrete domain of timer values $\Sigma_t = \mathbb{N} \cup \{-1\}$, where 
$-1$ represents a deactivated timer, is replaced with the abstract domain $\alpha\Sigma_t = 
\{-1, 0, \ldots, k_t - 1, k_t^+\}$, where the value $k_t$ is a positive value defined by the 
user, assuming that the property we want to verify still holds even if we do 
not distinguish between the values of the timer greater than or equal to $k_t$. 
We overload the notation by using $c$ ($-1 \leq c < k_t$) as an abstract value 
representing the single concrete value $c$, while $c^+$ describes the set of concrete 
values $\{c, c+1, c+2, \ldots\}$. We do not consider the $0^+$ abstraction here. 
The description function $\rho_t$ is defined as $\rho_t(c) = c$ if $c < k_t$ and $\rho_t(c) = k_t^+$ 
otherwise. Abstract operations on timers are defined in an intuitive way: setting 
a timer to value $x$ becomes setting it to value $\rho_t(x)$; the timeout guard $g_t^\alpha$ is 
true iff $[t] = 0$; and $tick^\alpha$ is a nondeterministic operation that changes the 
value of a timer from $a$ to $b$ according to the following rules: (1) if $a = -1$ then 
$b = -1$, (2) if $0 \leq a < k_t$ then $b = a - 1$ (where "$-$" works on abstract values 
as on integers), (3) if $a = x^+$ then $b \in \{x^+, x - 1\}$. 
Varying $k_t$, we can change the refinement degree of the abstraction. Taking 
$k_t$ equal to $0$, we get the most abstract version of it, which is the abstraction 
from [25] where not just timers but time is abstracted. Taking $k_t$ equal to the 
lower boundary of the timer delays in the system, we get the most refined 
abstraction that can be obtained with this abstraction schema. 
Lemma 4.2. 
System $M^\alpha$ built from system $M$ according to the rules given above is a safe 
abstraction of $M$. 
Proof. Let $M^\alpha$ be obtained by replacing each constant $c$ and function $f$ of 
$M$ with their abstract versions, and $T^\alpha = (S^\alpha, R^\alpha)$ be the transition system 
that corresponds to $M^\alpha$. Now we check whether the safety statement holds for 
all functions on timers. For the timer abstraction, we reformulate the safety 
statement as: $\forall x \in \Sigma_t \ \exists y \in f^\alpha(\rho_d(x)) : \rho_d(f(x)) = y$. 
Abstract setting of a timer obviously satisfies this safety statement. Since the 
zero value of a timer is always mapped by the description function to zero, $g_t^\alpha$ 
also satisfies the statement. 
For $tick^\alpha$ we consider three cases: Let $x$ be the value of the timer $t$ and 
(i) $x < k_t$, (ii) $x = k_t$ or (iii) $x > k_t$. 
In the first case, $tick$ decreases the value of the timer to $(x - 1)$. Since $x < k_t$, 
$(x - 1)$ is mapped to $(x - 1)$ by $\rho_d$. If we apply $tick^\alpha$ to the value of the abstract 
timer, it becomes $(x - 1)$ as well, hence the safety statement is satisfied. 
In the second case, $tick$ decreases the value of the timer to $(x - 1)$. Since 
$x = k_t$, $(x - 1)$ is mapped to $(x - 1)$ by $\rho_d$. Abstract function $tick^\alpha$ chooses 
nondeterministically one of the values from $\{k_t^+, (x - 1)\}$. The safety statement 
is satisfied. 
In the last case, $\rho_d(x - 1) = k_t^+$. If we apply $tick^\alpha$ to the value of the abstract 
timer, $tick^\alpha$ chooses nondeterministically one of the values from $\{k_t^+, (k_t - 1)\}$. 
Therefore, the safety statement is satisfied as well. $\square$ 
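As an added illustration (not code from the thesis or DTSpin), the abstract timer domain and operations defined above in Python, together with an exhaustive check of the safety statement used in the proof of Lemma 4.2 over a finite range of concrete values; the optional `keep_plus_loop=False` variant, which drops the $k_t^+ \to k_t^+$ choice of rule (3), is an assumption of this example and shows that the self-loop cannot be removed without breaking safety.

```python
# Added example (not code from the thesis): the timer abstraction of Section 4.2
# in Python, plus an exhaustive check of the safety statement used in the proof
# of Lemma 4.2:  forall x in Sigma_t  exists y in f^alpha(rho_t(x)) : rho_t(f(x)) = y.
# Representation: concrete values are ints (-1 = deactivated); the abstract value
# k_t^+ is the constant PLUS; all other abstract values are the ints -1 .. k_t-1.

DEACTIVATED = -1
PLUS = "k+"          # k_t^+ : the set of concrete values {k_t, k_t+1, ...}

def rho(c, k):
    """Description function rho_t: c if c < k_t, k_t^+ otherwise."""
    return c if c < k else PLUS

def abstract_domain(k):
    """alpha Sigma_t = {-1, 0, ..., k_t - 1, k_t^+}."""
    return [DEACTIVATED] + list(range(k)) + [PLUS]

# --- concrete timer operations (timer semantics as summarised in the chapter) ---
def tick(c):
    return DEACTIVATED if c == DEACTIVATED else c - 1

def set_timer(c, x):
    return x

def timeout_guard(c):
    return c == 0

# --- abstract operations; each returns the SET of possible abstract results ---
def tick_abs(a, k, keep_plus_loop=True):
    if a == DEACTIVATED:
        return {DEACTIVATED}                 # rule (1): -1 stays -1
    if a == PLUS:                            # rule (3): k_t^+ -> k_t^+ or k_t - 1
        return {PLUS, k - 1} if keep_plus_loop else {k - 1}
    return {a - 1}                           # rule (2): 0 <= a < k_t, decrement

def set_abs(a, x, k):
    return {rho(x, k)}                       # set(t, x) becomes set(t, rho_t(x))

def guard_abs(a):
    return a == 0                            # g_t^alpha is true iff [t] = 0

def safety_holds(k, keep_plus_loop=True, upper=None):
    """Check the (timer) safety statement for set, tick and the timeout guard.
    Concrete values above k_t + 1 all behave alike, so a finite range suffices;
    `upper` (assumed default k_t + 3) bounds the concrete values examined."""
    hi = upper if upper is not None else k + 3
    concrete = range(DEACTIVATED, hi + 1)
    for x in concrete:
        a = rho(x, k)
        if rho(tick(x), k) not in tick_abs(a, k, keep_plus_loop):
            return False                     # the abstract tick cannot mimic tick(x)
        for v in range(0, hi + 1):
            if rho(set_timer(x, v), k) not in set_abs(a, v, k):
                return False
        if guard_abs(a) != timeout_guard(x):
            return False
    return True

def abstract_values_after_ticks(x, k, n):
    """All abstract timer values reachable from set(t, x) after n abstract ticks;
    shows the nondeterminism that the t-fairness condition of Section 4.3 tames."""
    values = {rho(x, k)}
    for _ in range(n):
        values = {b for a in values for b in tick_abs(a, k)}
    return values
```

With `keep_plus_loop=False` the check fails for a concrete value $x > k_t$ (case (iii) of the proof), because $\rho_t(x - 1) = k_t^+$ is no longer among the abstract results.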
4.3 Fair Timer Abstraction 
From now on we assume that systems under consideration have neither dead-
locks nor infinite zero-time cycles (infinite traces with a finite number of $tick$'s). 
Note that if a system contains a zero-time cycle, there is an infinite trace of the 
system where time never progresses. Such a trace is absolutely unrealistic for 
a real system. If $M^\alpha$ is a safe abstraction of $M$, the absence of zero-time cy-
cles can be checked on the abstract model by verifying the property $\Box\Diamond tick^\alpha$, 
which is a consistent abstraction of $\Box\Diamond tick$. ($tick$ is a formula that encodes 
an occurrence of a tick-step in the original system. $tick^\alpha$ is the consistent ab-
straction of $tick$.) The absence of deadlocks follows straightforwardly from the 
fact that time can progress even when no other action is possible in the system, 
and thus the tick action is still possible. 
An abstracted system contains more behaviour than the original one. There-
fore, positive verification results can be transferred from the abstract to the 
concrete system, while counterexamples can be spurious. Abstraction refine-
ment is a common technique used in case spurious counterexamples are found 
(see e.g. [40]), though just a change of the granularity level does not always 
help: the sequence of refinements can turn out to be infinite. 
Suppose we use the timer abstraction described in the previous section to 
prove that some property holds for all timer settings greater than or equal to 
some $k_t$. Due to the nondeterminism introduced with the abstract version of 
$tick$, it becomes possible that the timer once set will never expire. This means 
that the states that are always reachable in the concrete system are not reached 
in the abstract system if the $k_t^+ \to_{tick} k_t^+$ step is always chosen. Such a trace 
gives a spurious counterexample: In the concrete system the timer expires after 
a finite number of time slices. The only possible refinement is taking the same 
abstraction with a greater value of $k_t$. But the same trace where the timer 
never expires is still possible, so a counterexample would be produced again. 
Therefore, we need a different technique to cope with this problem. 
Imposing a strong fairness condition that requires that for any trace where 
the transition $k_t^+ \to_{tick} (k_t - 1)$ is infinitely often enabled it is infinitely often 
taken, gives incorrect results: One can easily build a (concrete) model where 
a timer $t$ is infinitely often set to a new value (before it expires), so it can 
be seen every time as a new variable in the one-assignment framework. This 
observation leads us to the following definition of t-fairness: 
Definition 4.4. 
Given an LTS $T$ of a system with a set of abstract timers $TVar^\alpha$. We say that a 
trace of $T$ is t-fair iff for any $t \in TVar^\alpha$ the following holds: $k_t^+ \to_{tick} (k_t - 1)$ is 
infinitely often enabled implies that $k_t^+ \to_{tick} (k_t - 1)$ is infinitely often executed 
or $set(t, x)$, $x \in \alpha\Sigma_t$, is infinitely often executed. 
This definition has a strong fairn ess pattern. Interestingly, due to the fact 
that the loop introduced on a timer with the abstraction is a self-loop , this 
requirement can be reformulated as a condition with a weak fairness pattern: 
Lemma 4.3. 
A trace $\xi$ of $T$ is t-fair iff for any $t \in TVar^\alpha$ the following holds: if there 
exists an infinite suffix $\sigma$ of $\xi$ such that $[t]_{s_i} = k_t^+$ for every state $s_i$ of $\sigma$, then 
$set(t, k_t^+)$ is infinitely often executed along the trace. 
Proof. Let $p$, $q$, and $r$ denote the following propositions (from Def. 4.4): 
"$k_t^+ \to_{tick} (k_t - 1)$ is enabled", "$k_t^+ \to_{tick} (k_t - 1)$ is executed", and "$set(t, x)$, 
$x \in \alpha\Sigma_t$, is executed", respectively. Then the t-fairness condition from Def. 4.4 
can be expressed as the following LTL formula: 
$$\Box\Diamond p \to (\Box\Diamond q \vee \Box\Diamond r). \qquad (2)$$ 
We can split the proposition $r$ into a disjunction of two propositions $r_1$ 
and $r_2$: "$set(t, x)$, where $x \neq k_t^+$, is executed" and "$set(t, k_t^+)$ is executed", 
respectively. After straightforward transformations, (2) becomes 
$$(\Box\Diamond p \wedge \Diamond\Box(\neg q \wedge \neg r_1)) \to \Box\Diamond r_2. \qquad (3)$$ 
We will show that $\Box\Diamond p \wedge \Diamond\Box(\neg q \wedge \neg r_1)$ (*) is semantically equivalent to 
$\Diamond\Box p'$, where $p'$ denotes the proposition "the value of $t$ is $k_t^+$". 
The conjunct $\Box\Diamond p$ says that $k_t^+ \to_{tick} (k_t - 1)$ is infinitely often enabled. 
Since we assume the absence of zero-time cycles, by the timer abstraction defi-
nition, this implies the proposition "timer $t$ has value $k_t^+$ infinitely often". The 
conjunct $\Diamond\Box(\neg q \wedge \neg r_1)$ says that after some point in the execution sequence 
neither $k_t^+ \to_{tick} (k_t - 1)$ nor $set(t, x)$, with $x \neq k_t^+$, are executed. As these 
transitions are the only ones that can change the value of $t$ from $k_t^+$ to a value 
different from $k_t^+$, we can conclude that from some point on the value of $t$ will 
remain $k_t^+$ forever. 
For the other direction, we first observe that if $t$ has value $k_t^+$ from some 
point on, then $k_t^+ \to_{tick} (k_t - 1)$ is enabled infinitely many times. (Again, we use 
the absence of zero-time cycles, i.e., a tick transition is executed infinitely often 
along any execution sequence.) Also, the other conjunct of (*) follows immedi-
ately: As $k_t^+ \to_{tick} (k_t - 1)$ and $set(t, x)$, where $x \neq k_t^+$, are the only statements 
which can change the value of the abstract timer $t$ to a value different from $k_t^+$, 
they also cannot be executed after some point on. 
Thus, we can replace (*) with the equivalent proposition $\Diamond\Box p'$ and rewrite 
(3) as $\Diamond\Box p' \to \Box\Diamond r_2$, which is the (weak t-fairness) condition of Lemma 4.3. 
$\square$ 
Thus we can express the t-fairness criterion by the following LTL formula 
$\Phi^\alpha = \bigwedge_{t \in TVar^\alpha} (\Diamond\Box p \to \Box\Diamond q)$, where $p$ and $q$ are propositions corresponding to 
the terms "$[t]_{s_i} = k_t^+$" and "$set(t, k_t^+)$" from Lemma 4.3, respectively. Though 
this property is formulated on states and transitions, it can be easily encoded 
as a property defined on the states of the system. (To express the fact that 
some transition $q$ is taken infinitely often, one can e.g. extend the model by 
introducing a boolean variable $b_q$ that is negated every time the transition is 
taken and replace $\Box\Diamond q$ with $\Box\Diamond b_q \wedge \Box\Diamond \neg b_q$.) One can see the analogy be-
tween $\Phi^\alpha$ and the definition of weak fairness for processes, where a timer set 
to $k_t^+$ corresponds to an enabled process and an execution of the set operation 
corresponds to an execution of an action by the process. 
Further, one can show that the t-fairness criterion $\Phi^\alpha$ is a consistent (al-
so contracting) abstraction of the LTL formula $\Phi = \bigwedge_{t \in TVar} (\Diamond\Box p' \to \Box\Diamond q')$, 
where $p'$, $q'$ are defined as "$[t]_{s_i} \geq k_t$" and "$set(t, x)$, where $x \geq k_t$", respec-
tively. This can be done by a simple check that $p$ and $q$ are consistent abstrac-
tions of $p'$ and $q'$, respectively. Indeed, let $s^\alpha \in \alpha(\{s\})$. Timer $t$ has the value 
$k_t^+$ in the abstract state $s^\alpha$ iff $t$ has a value greater than or equal to $k_t$ in $s$. 
Similarly, $t$ is set to some $x$ which is greater than or equal to $k_t$ by a transition 
which has $s$ as the target state iff it is set by a transition in the abstract state 
which ends up in the state $s^\alpha$ with $[t]_{s^\alpha} = k_t^+$. 
Suppose we want to verify that $T \models \varphi$ for some $\Box L_t$ (resp. $\Box L_\mu$) formula 
$\varphi$ and a concrete system $T$ without infinite zero-time traces. The "concrete" 
version of the abstract t-fairness condition, $\Phi$, holds on any trace of $T$: If from 
some point on the value of timer $t$ remains greater than or equal to $k_t$, then 
the timer must be infinitely often set to some value greater than $k_t$. Otherwise, 
since $tick$ happens infinitely often, the value of $t$ will eventually become less 
than $k_t$. Thus, $T \models \varphi$ iff $T \models (\Phi \to \varphi)$. 
By Theorem 4.1 we know that instead of verifying $T \models (\Phi \to \varphi)$ on the 
concrete system, we can verify its contracting (resp. consistent) abstraction 
$(\Phi \to \varphi)^\alpha$ on the abstract system. By definition of contracting (consistent) 
abstraction, the last formula is equivalent to $\Phi^\alpha \to \varphi^\alpha$. In case $\varphi$ does not 
refer to variables (timers) that are abstracted, the abstraction $\alpha$ is trivially a 
consistent abstraction for all atomic propositions in $\varphi$ and we have $\varphi^\alpha = \varphi$. If $\varphi$ 
does mention abstracted timers, one has to derive the contracting abstraction 
$\varphi^\alpha$ of $\varphi$. 
Finally, by Theorem 4.1, $T^\alpha \models (\Phi^\alpha \to \varphi^\alpha)$ implies $T \models (\Phi \to \varphi)$ and thus 
also $T \models \varphi$. 
So, by imposing the t-fairness condition on the abstract model, we eliminate 
spurious counterexamples caused by unfair nondeterministic choices made by 
abstract functions. 
4.4 Incorporating t-Fairness into the Verification Algorithm 
To express the formula $\Phi^\alpha$ as an LTL formula defined on the states of the 
system, one needs to introduce additional variables (see Section 4.3). There-
fore, it is computationally expensive to verify the formula $\Phi^\alpha \to \varphi^\alpha$ and it is 
more convenient to incorporate the t-fairness requirement into the verification 
algorithm that verifies $\varphi^\alpha$ by considering t-fair traces only. In this section we 
describe how to embed the t-fairness check into a model-checking algorithm for 
LTL. 
Since there is a strong analogy between t-fairness and weak process fairness, 
one can easily adapt any algorithm for model checking under weak process fair-
ness. The algorithm we propose here is inspired by the weak process fairness 
algorithm used in Spin [93, 22], which is a combination of the Nested Depth 
First Search (ndfs) algorithm (see Algorithm 2.3) and Choueka's flag algo-
rithm [36]. In the automata-theoretic approach (see Section 2.4), the negation 
of the formula is translated into a Büchi automaton and satisfaction of the LTL 
formula is proven by detecting acceptance cycles in the synchronous product of 
the Büchi automaton for the negation and a Büchi automaton representing the 
system. A Büchi automaton can also be seen as an LTS with a predefined set 
of accepting states, so the satisfaction of an LTL formula can also be proven by 
detecting acceptance cycles in an extended LTS that is the synchronous product 
of an L2TS representing the system and the Büchi automaton for the formula 
(see [95]). Further we assume that we work directly with an extended LTS 
that is defined as follows: 
Definition 4.5. [EXTENDED LTS [95]] 
Let $V = (P, Lab, \to, p_0, \mathcal{L})$ be an L2TS and $B = (Q, \delta, q_0, F)$ be a Büchi au-
tomaton over the alphabet $2^P$. 
The extended LTS $E$ is given by a tuple $(P \times Q, Lab, \to', (p_0, q_0), P \times F)$ 
where the labelled transition relation $\to' \subseteq (P \times Q) \times Lab \times (P \times Q)$ is defined as 
follows: $((p, q), a, (p', q')) \in \to'$ iff $(p, a, p') \in \to$ and $(q, \mathcal{L}(p), q') \in \delta$. 
Given an extended LTS $E = (S, Lab, \to, s_{init}, F)$, which is the synchronous 
product of the L2TS of a given abstract system with the Büchi automaton that 
represents the negation of a property to be verified, our goal is to construct 
an extension of $E$ that contains an acceptance cycle iff there exists a t-fair 
acceptance cycle in $E$. (We say that a cycle $s_0 \xrightarrow{a_0} \ldots \xrightarrow{a_{n-1}} s_n \xrightarrow{a_n} s_0$ is t-fair iff 
$\forall t \in TVar^\alpha$ there exists $i$ ($0 \leq i \leq n$) such that $[t]_{s_i} \neq k_t^+$ or $a_i = set(t, k_t^+)$.) 
Therefore, we will define this extension in such a way that any acceptance cycle 
would be t-fair by construction. 
Let the abstract system have $N$ abstract timers. Then we construct the 
extended LTS $E' = (S', Lab', \to', s'_{init}, F')$ in the following way: The set of 
states of the extended system is a set of pairs $(s, c)$, where $s \in S$ and $0 \leq c \leq N$. 
We call $(s, c)$ a c-replica of $s$. (Note that not every replica $(s, c)$ of a reachable 
state $s$ of $E$ will be reachable in $E'$.) 0-replicas are the basic replicas of the 
states, while replicas $1, \ldots, N$ allow to track the behaviour of abstract timers 
$t_1, \ldots, t_N$, respectively. The accepting states and the initial state of $E'$ are 
0-replicas of the accepting states and the initial state of $E$, respectively. All 
transitions from accepting states of $E'$ lead to 1-replicas only. Transitions from 
a c-replica $(s, c)$, related to timer $t_c$, lead either to c-replicas, or, when they 
guarantee t-fair behaviour wrt. timer $t_c$, to the $((c + 1) \bmod (N + 1))$-replica. 
Since all the acceptance states of $E'$ are 0-replicas, any acceptance cycle contains 
for every abstract timer at least one transition that either sets timer $t$ to $k_t^+$ 
or results in a value of $t$ different from $k_t^+$. So every acceptance cycle of $E'$ is 
t-fair. 
The verification algorithm starts the construction of $E'$ from the initial state 
$(s_{init}, 0)$ and proceeds by adding the 0-replicas in accordance with the tran-
sition function $\to$ until an accepting state is met. If an accepting state $s$ is 
encountered, the algorithm adds a dummy $\tau$-step that connects the 0-replica of 
$s$ with the 1-replica of the same state. A move from a c-replica with $1 \leq c \leq N$ 
to the $((c + 1) \bmod (N + 1))$-replica happens when a state is encountered in 
which $t_c$ has a value different from $k_t^+$ or a step setting timer $t_c$ is taken, i.e. 
when the t-fairness condition for $t_c$ is fulfilled. (A move from a 0-replica to a 
1-replica is possible only by $\tau$-steps connecting the replicas of the same accept-
ing state.) For the rest, the algorithm adds transitions following the transition 
function $\to$. 
Theorem 4.2. 
Given an extended LTS $E = (S, Lab, \to, s_{init}, F)$ and abstract timers $t_1, \ldots, 
t_N$, a t-fair extension of $E$ is an extended LTS $E' = (S', Lab', \to', s'_{init}, F')$ 
that satisfies the following conditions: 
1. $Lab' = Lab \cup \{\tau\}$; 
2. $s'_{init} = (s_{init}, 0)$; 
3. $(s, 0) \xrightarrow{a}{}' (s', 0)$ if $(s, 0) \in S'$ and $s \xrightarrow{a} s'$ and $s \notin F$; 
4. $(s, 0) \xrightarrow{\tau}{}' (s, 1)$ if $(s, 0) \in S'$ and $s \in F$; 
5. $(s, c) \xrightarrow{a}{}' (s', c')$ if $(s, c) \in S'$ and $c > 0$ and $s \xrightarrow{a} s'$, with $c' = ((c + 1) 
\bmod (N + 1))$ if ($[t_c]_s \neq k_t^+$ or $a = set(t_c, k_t^+)$), and $c' = c$ otherwise; 
6. $F' = \{(s, 0) \mid s \in F\}$. 
Then the following statements hold: 
1. $(S, Lab, \to, s_{init})$ and $(S', Lab', \to', s'_{init})$ are branching bisimilar. 
2. $E$ contains a reachable t-fair acceptance cycle iff $E'$ contains a reachable 
acceptance cycle. 
Proof. 1. Consider relation $Q \subseteq S \times S'$ where $(s, s') \in Q$ iff $s' = (s, c)$ for some 
$0 \leq c \leq N$. It is straightforward to check by case analysis that $Q$ is a branching 
bisimulation (Def. 2.20). 
2. First we show that all acceptance cycles of the extended state space are t-fair 
by construction. An acceptance cycle contains at least one accepting state; this 
state is a 0-replica and has outgoing transitions to 1-replicas only. As transitions 
from a c-replica lead either to c-replicas, or to $((c + 1) \bmod (N + 1))$-replicas 
($0 \leq c \leq N$), for any $c$, the cycle includes a c-replica. Every move from a 
c-replica to its neighbour satisfies the t-fairness condition for timer $t_c$, so for 
every abstract timer there is a transition in the cycle satisfying the t-fairness 
condition and thus the cycle is t-fair. 
Due to the branching bisimulation result, any acceptance cycle of $E'$ (which 
is always t-fair) has a corresponding t-fair acceptance cycle in $E$. 
In the opposite direction: Assume that there is a trace $s_{init} \xrightarrow{a_0} s_1 \xrightarrow{a_1} \ldots$ of 
$E$ that contains a t-fair acceptance cycle. Then there are $s_i$, $s_j$ such that $s_i = s_j$ 
with $j > i$. The path $\pi$ from $s_i$ to $s_j$ contains at most $m = (j - i)$ distinct 
states. Trace $\sigma = s_{init} \xrightarrow{a_0} \ldots s_i \cdots s_i \cdots s_i$ going through the cycle $N + 1$ times 
is also a trace of $E$. Due to the branching bisimulation result, there is a trace 
$\sigma'$ in $E'$ that mimics $\sigma$. The suffix $\theta$ of $\sigma'$ that mimics passing through the 
cycle $N + 1$ times contains at least $m(N + 1)$ transitions, so it visits at least 
$m(N + 1) + 1$ states. The states of $\theta$ are replicas of the states of $\pi$, therefore 
at most $m(N + 1)$ of them are distinct. Thus, there is at least one state that is 
present in $\theta$ twice, and $\theta$ is a cycle. 
Now we shall show that $\theta$ is an acceptance cycle. We denote the suffix of 
$\sigma$ corresponding to $\theta$ as $\xi$, and pick an arbitrary state $s$ of $\xi$. Then $\theta$ contains 
some state $(s, c)$, $0 \leq c \leq N$. Assume that $c > 0$ (for else we are done). Since $\xi$ 
is a t-fair cycle, there are some states $q_1, q_2$ reachable from $s$ such that $q_1 \xrightarrow{a}_E q_2$ 
and ($[t_c]_{q_1} \neq k_t^+$ or $a = set(t_c, k_t^+)$). Hence, there exists a transition from the 
c-replica of $q_1$ to the $((c + 1) \bmod (N + 1))$-replica of $q_2$ in $\theta$. Proceeding in the same way, 
we will obtain transitions leading to some $((c + 2) \bmod (N + 1))$-replica, etc., and 
eventually we arrive at a 0-replica. Thus, we conclude that $\theta$ contains at least 
one 0-replica of some state. In $E'$, transitions from 0-replicas of non-accepting 
states lead to 0-replicas. Since $\xi$ contains an accepting state and $\theta$ is a cycle, $\theta$ 
contains an accepting state as well and thus it is an acceptance cycle of $E'$. $\square$ 
We call the extension $E'$ a t-fair extension of $E$. An algorithm that generates 
the extended state space is given in Fig. 9. The algorithm is based on the depth 
first search (dfs) algorithm ([45]). It is straightforward to prove the following 
claim: 
Lemma 4.4. 
Given an extended LTS $E$, let $E'$ be an extended LTS produced from $E$ by 
applying Procedure 4.3. Then $E'$ is a t-fair extension of $E$. 
To detect acceptance cycles, dfs is extended with a cycle-check procedure 
(Fig. 10). Whenever Procedure 4.4 detects an accepting state, it starts P roce-
4.4 Incorporating t-Fairness into the Verification Algorithm 85 
P rocedure 4.3 (dfs(s, c)) 
add (s, c) to S' 
if c = 0 and s E F 
then if (s, 1) rj S' then dfs(s, 1); 
else 
for all s ~ s' do 
if c > 0 and (a= set(tc, kt) or [tc]s # kt ) 
then c' = (c+ 1) mod N 
else c' = c; 
if(s',c') rjS' then dfs(s' , c'); 
od; 
add a pair to the state space 
0-replica and state s is accepting 
T-step from 0-replica to I-replica 
for all transitions enabled in s 
t-faimess condition 
the next replica number 
the same replica number 
recursive call 
F ig. 9 . Generating t-fair extension of S 
<lure 4.5, which is again a dfs , that reports an accepting state if the seed state 
is matched within the cycle-check. Here we omit a detailed description of the 
ndfs algorithm and refer the interested reader to [45]. 
The correctness of the algorithm is given by the following claim: 
Theorem 4.6. 
Given an extended LTS E, Procedure 4.4 called with (s_init, 0) reports an accep-
tance cycle iff there exists a reachable t-fair acceptance cycle in E. 
Proof. Follows from the correctness of the ndfs algorithm from Lemma 2.1 by 
observing that the algorithm is actually ndfs from [45] applied on the extended 
state space E'. □ 
The last result completes the series of claims that guarantee soundness of 
the verification approach proposed in this chapter. If no acceptance cycle is 
detected then the verified property holds for t-fair traces of the abstract system 
and therefore also for the concrete system. 
Time complexity of the ndfs algorithm in Fig. 10 is O(N · |E|), where N is 
the number of timers, while |E| is the size (states and transitions) of the abstract 
system state space. Memory space needed to save E' is virtually the same as 
the one for E. Instead of keeping each of the N replicas (s, i), (1 ≤ i ≤ N) one 
can save only the "useful" part s plus additional 2(N + 1) bits, as is done 
for process fairness in Spin ([93, 23]). The first N + 1 bits correspond to the 
replicas in the main depth first search of the ndfs algorithm, while the second 
group of (N + 1) bits corresponds to the nested dfs. If bit i of the first group 
is set then this means that the state (s , i) has been visited by the algorithm. 
Similarly for the second group. As the description of s is usually much greater 
than 2(N + 1) bits, the bookkeeping overhead is negligible [23]. 
Procedure 4.4 (ndfs1(s, c)) 
  add (s, c, 0) to S'                                     -- add a pair to the state space 
  if c = 0 and s ∈ F                                      -- 0-replica, and state s is accepting 
  then if (s, 1, 0) ∉ S' then ndfs1(s, 1);                -- τ-step from 0-replica to 1-replica 
  else 
    for all s →^a s' do                                   -- for all transitions enabled in s 
      if c > 0 and (a = set(t_c, k_t) or [t_c]_s ≠ k_t)   -- t-fairness condition 
      then c' = (c + 1) mod N                             -- the next replica number 
      else c' = c;                                        -- the same replica number 
      if (s', c', 0) ∉ S' then ndfs1(s', c');             -- recursive call 
    od; 
  if c = 0 and s ∈ F then seed := (s, 0, 1); ndfs2(s, 0); -- set the seed and start ndfs2 

Procedure 4.5 (ndfs2(s, c)) 
  add (s, c, 1) to S'                                     -- add a pair to the state space 
  if c = 0 and s ∈ F                                      -- 0-replica, and state s is accepting 
  then if (s, 1, 1) ∉ S' then ndfs2(s, 1);                -- τ-step from 0-replica to 1-replica 
  else 
    for all s →^a s' do                                   -- for all transitions enabled in s 
      if c > 0 and (a = set(t_c, k_t) or [t_c]_s ≠ k_t)   -- t-fairness condition 
      then c' = (c + 1) mod N                             -- the next replica number 
      else c' = c;                                        -- the same replica number 
      if seed = (s', c', 1) then REPORT CYCLE!            -- seed is matched, report the cycle 
      else if (s', c', 1) ∉ S' then ndfs2(s', c');        -- recursive call 
    od; 
Fig. 10. ndfs version of Procedure 4.3 
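Procedures 4.3 to 4.5 are compact enough to run end to end. The Python below is an added example (it is not code from the thesis, DTSpin or PAN2TFPAN): it builds a small constructed sender model with one abstract timer, implements the t-fair extension of Procedure 4.3 as a successor function over replicas (s, c), and runs the plain nested DFS of [45] on that extended state space, which is the reading of Procedures 4.4 and 4.5 that the proof of Theorem 4.6 gives. The spurious acceptance cycle in which the abstract timer stays at k⁺ forever is reported by plain ndfs but not by the t-fair run, while a cycle in which the timer is set infinitely often is still reported. The names (`build_lts`, `tfair_extension`, `acceptance_cycle`), the sender model itself and the choice to let the last replica wrap back to replica 0 (the page's "(c+1) mod N" with replicas 0..N) are assumptions of this example.

```python
"""t-fair nested depth-first search on a constructed LTS with an abstract timer.

Added example (not code from the thesis, DTSpin or PAN2TFPAN). States are
(location, timer values); the abstract value KT stands for "k_t or larger" (k+).
"""
from collections import defaultdict

KT = 2                  # abstraction bound k_t; the value KT plays the role of k+
TIMERS = ("t1",)        # abstract timers; replica c > 0 watches timer number c


def timer_value(state, name):
    """[t]_s: value of abstract timer `name` in state s = (location, timer tuple)."""
    return state[1][TIMERS.index(name)]


def build_lts(restart_loop):
    """Constructed sender model as (transitions, accepting).

    In location 'wait' the timer ticks down; at KT the abstract tick either keeps
    KT or steps to KT-1 (the nondeterministic choice of the abstract tick). At 0
    the sender times out into 'done'. All 'wait' states are accepting, as in a
    product with a never-claim for "the sender never times out". restart_loop
    adds a set(t1, KT) self-loop (a message that restarts the timer), which
    makes the loop at KT genuinely t-fair.
    """
    trans = defaultdict(list)          # state -> [(label, successor)]
    for v in range(KT + 1):
        s = ("wait", (v,))
        if v == KT:
            trans[s].append((("tick",), ("wait", (KT,))))      # stays at k+
            trans[s].append((("tick",), ("wait", (KT - 1,))))  # leaves k+
            if restart_loop:
                trans[s].append((("set", "t1", KT), ("wait", (KT,))))
        elif v > 0:
            trans[s].append((("tick",), ("wait", (v - 1,))))
        else:
            trans[s].append((("timeout",), ("done", (0,))))
    trans[("done", (0,))].append((("tau",), ("done", (0,))))
    accepting = {s for s in trans if s[0] == "wait"}
    return trans, accepting


def ndfs(init, succ, accepting):
    """Nested DFS of [45] over an abstract successor function.

    Returns an accepting state lying on a reachable cycle, or None."""
    visited1, visited2 = set(), set()
    seed = [None]

    def dfs2(s):                       # inner search: try to reach the seed again
        visited2.add(s)
        for s2 in succ(s):
            if s2 == seed[0]:
                return True
            if s2 not in visited2 and dfs2(s2):
                return True
        return False

    def dfs1(s):                       # outer search; accepting states seed in post-order
        visited1.add(s)
        for s2 in succ(s):
            if s2 not in visited1 and dfs1(s2):
                return True
        if accepting(s):
            seed[0] = s
            return dfs2(s)
        return False

    return seed[0] if dfs1(init) else None


def tfair_extension(trans, accepting, timers, kt):
    """Procedure 4.3 as a successor function over replicas (s, c), 0 <= c <= N.

    Replica 0 is the original system; an accepting 0-replica only has the tau-step
    to its 1-replica; replica c > 0 moves on to the next replica exactly when the
    transition is fair for timer c (timer c is not at k+, or it is set to k_t).
    Assumption: the last replica N wraps back to replica 0."""
    n = len(timers)

    def succ(sc):
        s, c = sc
        if c == 0 and s in accepting:
            return [(s, 1)]
        out = []
        for label, s2 in trans[s]:
            c2 = c
            if c > 0:
                name = timers[c - 1]
                is_set = label[0] == "set" and label[1] == name and label[2] == kt
                if is_set or timer_value(s, name) != kt:
                    c2 = 0 if c == n else c + 1
            out.append((s2, c2))
        return out

    def ext_accepting(sc):
        s, c = sc
        return c == 0 and s in accepting

    return succ, ext_accepting


def acceptance_cycle(restart_loop, tfair):
    """Accepting system state on a reported cycle, or None if no cycle is reported."""
    trans, accepting = build_lts(restart_loop)
    init = ("wait", (KT,))
    if not tfair:
        return ndfs(init, lambda s: [s2 for _, s2 in trans[s]], lambda s: s in accepting)
    succ, acc = tfair_extension(trans, accepting, TIMERS, KT)
    hit = ndfs((init, 0), succ, acc)
    return None if hit is None else hit[0]


if __name__ == "__main__":
    print("plain ndfs, stuck timer:  ", acceptance_cycle(False, False))   # spurious cycle
    print("t-fair ndfs, stuck timer: ", acceptance_cycle(False, True))    # None
    print("t-fair ndfs, restart loop:", acceptance_cycle(True, True))     # genuine cycle
```

The extension is built on the fly inside `succ`, so, as the text notes for E', nothing beyond the replica number is stored per state; the bit-vector encoding described above would replace the `(s, c)` tuples in the visited sets.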
4.5 T-fairness in DTSpin 
DTSpin [24] is a discrete-time extension of Spin [93] that has all verification 
features of Spin. It was successfully applied for debugging and verification of 
timed models of industrial size protocols (see e.g. [25, 103]). DTSpin is designed 
for the verification of systems where delays are significantly larger than the 
duration of the events within the system. Therefore , system transitions are 
assumed to be instantaneous. DTSpin employs the concept of timers to express 
time aspects of a system. In DTPROMELA, the input language of DTSpin, 
timers are modelled by variables of a predefined type timer. The data domain 
and the operations on timers are defined as in Section 4.2. 
Since the system transitions are assumed to be instantaneous, time progress 
has the least priority in the system and may take place only when the system 
is blocked. A special process Timer ticks all the act ive timers down in case the 
system is blocked. DTSpin employs PROM ELA 's statement timeout to check 
whether the system is blocked. To ensure that time progression has the least 
priority, the usage of timeout is reserved for the implementation of time progres-
sion and forbidden in DTPROMELA specifications. Note that by the definition 
of tick, all DTPROMELA models are deadlock-free. 
To implement the timer abstraction defined in Section 4.2, we extend DT-
PROMELA with a new data type timer^α for abstract timers and define the 
operations on them as macros. The abstract version of tick, tick^α, decreases 
values of active abstract timers if they are different from k⁺. If a timer has 
the k⁺ value, a nondeterministic choice is made between decreasing the value 
of the timer to (k_t − 1) and leaving it unmodified. Our fairness algorithm 
from Section 4.4 is implemented by means of a PAN2TFPAN Java program that 
transforms the pan verifier generated by Spin ([93, 154]) for the verification of 
a property without t-fairness into a new one that checks the property under t-
fairness. The transformation is automatic and does not require any interaction 
with the user. The prototype implementation PAN2TFPAN can be downloaded 
at www.cwi.nl/~ustin/tfair.html. 
The user thus applies the following verification scheme: (1) Choose timers 
of a concrete model that should be abstracted and define a k_t value for each of 
those timers. (2) Redefine the type of the chosen timers to timer^α and redefine 
the set operations according to the k_t values. (3) Check whether the abstract 
system is free from zero-time cycles, i.e. check whether tick happens infinitely 
often. This is done by checking the LTL formula □◇timeout. In DTSpin, time 
progresses if the statement timeout of PROMELA is true. Since this statement 
is forbidden to use in DTPROMELA specifications, □◇timeout expresses the 
absence of zero-time cycles. (4) Formulate the abstract version of the property 
to check and generate the pan verifier for this property. (5) Transform the pan 
verifier with PAN2TFPAN to the new pan verifier, which checks the property 
under the t-fairness condition. Positive verification results imply that the prop-
erty holds for the concrete system as well. If the property gets violated on the 
abstract system, a counterexample is generated , and the user checks whether 
the counterexample is spurious or not. 
4.6 Experimental Results 
In this section we describe some experimental results that show the efficiency of 
our approach. Our test cases are the positive acknowledgment retransmission 
protocol (PAR) [155] and Fischer's mutual exclusion protocol [118]. We compare 
the results obtained when we specify t-fairness as LTL formulas according to 
strong fairness and weak fairness patterns (we will refer to this as verifying with 
strong/weak fairness respectively) with the results obtained with our prototype 
implementation of the algorithm from Section 4.4 in DTSpin, which we refer 
to as built-in t-fairness. Our prime goal here is to compare the performance of 
the three methods rather than to verify the protocols. 
Fig. 11. PAR (diagram: ENV_SENDER, SENDER with timer T_SENDER, MSG_CHAN with timer T_MSG_CHAN, RECEIVER, ACK_CHAN with timer T_ACK_CHAN, ENV_RECEIVER) 
The strong fairness pattern for a timer t states that if the transition k⁺ →_tick 
(k_t − 1) is infinitely often enabled, then either this transition is infinitely often 
taken, or the timer is infinitely often set to a new value. To reformulate this 
property as a state property, we introduce two boolean variables for each ab-
stract timer. The first variable, x_t, is used to specify the fact that the timer is 
infinitely often set to a new value, and the second one, y_t, is employed to ex-
press enabledness of the k⁺ →_tick (k_t − 1) transition. The model of the system 
is extended so that y_t gets negated every time the tick-step is enabled while 
timer t is in the k⁺-state; x_t is negated every time t is set to a new value. 
To check whether transition k⁺ →_tick (k_t − 1) is taken infinitely often, we 
also should introduce a new variable. However, we can avoid this since transition 
k⁺ →_tick (k_t − 1) changes the value of timer t to a value different from k⁺. 
Instead of checking whether transition k⁺ →_tick (k_t − 1) is taken infinitely 
often, we check whether timer t takes values different from k⁺ infinitely often. 
So, the strong pattern of t-fairness is expressed by the LTL formula: 
$$\bigwedge_{t \in TVar} \big( (\Box\Diamond y_t \wedge \Box\Diamond \neg y_t) \rightarrow (\Box\Diamond (t \neq k_t) \vee (\Box\Diamond x_t \wedge \Box\Diamond \neg x_t)) \big)$$ 
The weak fairness pattern requires that if eventually the value of timer t 
stays k⁺, then timer t is infinitely often set to a new value. To specify this 
pattern as a state formula, we introduce a boolean variable x_t for each abstract 
timer and extend the model so that the variable is negated each time timer t 
is set. The formula for the weak fairness pattern looks then as follows: 
$$\bigwedge_{t \in TVar} \big( \Diamond\Box (t = k_t) \rightarrow (\Box\Diamond x_t \wedge \Box\Diamond \neg x_t) \big).$$ 
Experiments with PAR 
PAR [155] is a classical example of a communication protocol where time is-
sues are essential for the correct functionality of the protocol. PAR involves a 
sender, a receiver, a message channel and an acknowledgment channel (Fig. 11). 
The sender receives a frame from the upper layer, sends it to the receiver via 
the message channel and waits for a positive acknowledgment from the receiver 
via the acknowledgment channel. When the receiver delivers the message to 
the upper layer, it sends the acknowledgment to the sender. After the positive 
acknowledgment is received, the sender becomes ready to send the next mes-
sage. The channels delay the delivery of messages. Moreover, they can lose or 
corrupt messages. Therefore, the sender handles lost frames by timing out. If 
the sender times out, it re-sends the message. 
The following is an example of a possible erroneous scenario. The sender 
times out while the acknowledgment is still on the way. The sender sends a 
duplicate, then receives the acknowledgment and believes that this is the ac-
knowledgment for the duplicate. The sender sends the next frame, which gets 
lost. The sender, however, receives the acknowledgment for the duplicate, which 
it believes to be the acknowledgment for the last frame. Thus, the sender does 
not retransmit the lost message and the protocol fails. To avoid this erroneous 
behaviour, the timeout interval must be long enough to prevent a premature 
timeout, which means that the timeout interval should be larger than the sum 
of delays on the message channel, acknowledgment channel and receiver, i.e. 
T_SENDER > T_MSG_CHAN + T_ACK_CHAN. 
We specified PAR in DTPROMELA using concrete timers to represent delays 
on the channels and the sender timeout. Our goal was to check that if the 
channels do not lose messages continuously, no message reordering occurs and 
no message gets lost, for any timeout of the sender that is greater than the 
sum of the (given) delays on the channels. The system is open, i.e. both the 
sender and the receiver communicate with upper layers, hence we have closed 
the system by two environment processes: one provides frames for the sender, 
another receives frames delivered by the receiver. 
To prove the property for an arbitrary message sequence we used a well-
known canonical abstraction [75, 171]. The data domain is abstracted to {a, b, 
x} where a and b represent two data elements that we differentiate and x rep-
resents the rest. An environment for a sender that sends frames with any data 
chaotically is abstracted into the environment whose behaviour is illustrated 
by an automaton on Fig. 12. The environment for the receiver behaves anal-
ogously but it receives messages instead of sending them. Then we abstracted 
the sender's timer to check the property for all values greater than the sum of 
the channels' delays. 
Fig. 12. Environment 
Table 7. PAR 
pattern              states   transitions   memory (Mb)   time 
strong fairness      825761   5.10962e+06   52.286        0:21.00 
weak fairness        227569   1.49527e+06   15.320        0:05.98 
built-in t-fairness  100275   390012        6.693         0:01.56 
Without t-fairness, the property gets violated, since there exists a trace 
where the abstract timer of the sender never expires, staying in the loop 
k⁺ →_tick k⁺ (we obtained a t-unfair trace as counterexample). Under the 
t-fairness condition, we proved that the property holds. Table 7 contains infor-
mation on the time and memory consumption for the verification with DTSpin 
of the property formulated with the strong and weak fairness patterns and for 
the verifier with built-in t-fairness. 
Fischer's mutual exclusion protocol 
Our second test example is Fischer's mutual exclusion protocol. The protocol 
uses time constraints and a shared variable to ensure mutual exclusion in a 
system that consists of N processes running in parallel and competing for a 
critical section. We assume that each process has a unique id from 1 to N. The 
initial value of the shared variable x is 0. When a process observes that x is 0, 
it waits for at most δ_1 time units and then writes its id to x. After that, it waits 
for at least δ_2 time units, and if x still equals the process id, the process enters 
the critical section. The process stays in the critical section for some time and 
then leaves it. 
We have specified Fischer's mutual exclusion protocol in DTPROMELA using 
concrete timers to represent delays not larger than δ_1 and abstract timers to 
represent delays which are at least δ_2. As known, mutual exclusion is ensured 
provided that δ_1 < δ_2. We have checked the property that if there comes a 
request of access to the critical section, one of the processes will get it. Using 
timer abstraction, we checked that the property is satisfied for all delays δ_2 
greater than δ_1. The main goal of the experiment was to check whether the t-
fairness approach works well if we have more than one timer abstracted. 
Table 8 contains results for strong, weak and built-in t-fairness for the case 
of two, three and four processes. Note that the number of abstracted timers in 
this example is equal to the number of processes. In case of four abstract timers, 
the pan verifier for the property with t-fairness which was expressed as an LTL 
formula according to the strong fairness pattern was not able to generate the 
state space. The pan for the property with t-fairness expressed as an LTL for-
mula according to the weak fairness pattern has generated the state space much 
larger than the state space generated by the pan verifier for the same property 
with built-in t-fairness. The experiments were done on AMD Athlon(TM) XP 
2400+ with 1Gb of memory. In all experiments, the verification with built-in 
t-fairness took significantly less time and memory than the verification with 
strong and weak fairness patterns expressed as LTL formulas. The prototype 
implementation PAN2TFPAN and the models for PAR and Fischer's mutual ex-
clusion protocol are available at www.cwi.nl/~ustin/tfair.html. 
4.7 Conclusion 
In this chapter, we considered a timer abstraction that introduces a cyclic be-
haviour on abstract timers that is not present at the concrete level. This could 
lead to spurious counterexamples for liveness properties. We showed how one 
can eliminate those by imposing a strong fairness constraint on the traces of the 
abstract model. Using the fact that the loop on the abstract timer is a self-loop 
for this abstract timer (though there is possibly no self-loop on the correspond-
ing LTS), we transformed the strong fairness constraint into a constraint which 
has a weak fairness pattern, and embedded it into the verification algorithm. 
Our experiments with the prototype implementation of the algorithm were en-
couraging. We conjecture that the ideas in this chapter can also be used for 
other data abstractions that introduce self-loops on the abstracted data. 
Table 8. Fischer's mutual exclusion 
fairness num. of proc. states transitions memory(Mb) time 
strong 2 41384 171586 4.363 0:00.46 
weak 2 4705 13053 2.724 0:00.08 
built-in 2 1236 4181 1.573 0:00.01 
strong 3 3.28599e+06 2.01406e+07 190.539 1:01.79 
weak 3 115874 362068 8.561 0:01.22 
built-in 3 21592 110332 2.700 0:00.26 
strong 4 out of memory 
weak 4 2.60665e+06 9.2549e+06 151.729 0:38.34 
built-in 4 346903 2.45733e+06 20.927 0:05.69 
5 
Closing and Flow Analysis for Model Checking 
Reactive Systems 
Standard model checkers cannot handle open systems directly 
and closing is commonly done by adding an environment process, 
which in the simplest case behaves chaotically. However, for model 
checking, the way of closing should be well-considered to alle-
viate the state explosion problem. 
In this chapter we propose an automatic transformation yield-
ing a closed system. By embedding the outside chaos into the sys-
tem, we avoid the state-space penalty caused by asynchronous 
communication with the environment. To capture the chaotic tim-
ing behaviour of the environment, we introduce a non-standard 3-
valued timer abstraction. The transformation is based on data-flow 
analysis that detects instances of chaotic variables and timers. 
The chapter is based on [102-104]. 
5.1 Introduction 
Despite all algorithmic advances in model checking techniques and progress in 
raw computing power , the state explosion problem limits the applicability of 
model-checking [41, 139, 38] and thus partial-order reduction [74, 163], decom-
position and abstraction [122, 41, 50] are indispensable when confronted with 
checking large designs. Following a compositional approach and after singling 
out a subcomponent to check in isolation, the next step is often to close the 
subcomponent with an environment since most model checkers (e.g. Spin [93]) 
cannot handle open systems. 
Closing is commonly done by adding an environment process that, in order 
to be able to infer properties for the concrete system, must exhibit at least 
all the behaviour of the real environment. The simplest safe abstraction of the 
environment thus behaves chaotically, i.e. it sends and receives all possible mes-
sages in an arbitrary order. When done manually, this closing, as simple as it is, 
is tiresome and error-prone for large systems, already due to the sheer amount 
of signals. Moreover, for model checking, the way of closing should be well-
considered to counter the state explosion problem. This is especially true in 
the context of model checking SDL-specifications (Specification and Descrip-
tion Language) [140] with its asynchronous message-passing communication 
model. Sending arbitrary message streams to the unbounded input queues will 
immediately lead to an infinite state space, unless some assumptions restricting 
the environment behaviour are incorporated in the closing process. Even so, ex-
ternal chaos results in a combinatorial explosion caused by all combinations of 
messages in the input queues. This way of closing is even more wasteful, since 
most of the messages are dropped by the receiver due to the discard-feature of 
SDL-92. 
Another problem the closing must address is that the data carried with the 
messages coming from the environment are usually drawn from some infinite 
data domain. Since furthermore we are dealing with the discrete-time semantics 
[94, 25] of SDL, special care must be taken to ensure that the chaos also shows 
more behaviour wrt. timing issues such as timeouts and time progress. 
In [151] a program transformation based on static analysis which takes the 
most abstract, i.e., chaotic environment, and "embeds" it into the component 
was formalized. Embedding the external chaos eliminates the need to explore 
the combinatorial state space of the external queues. Part of the approach is 
the abstraction of environmental data, where, assuming a chaotic environment, 
a single abstract value is used. Interested in a fully-automatic approach, [151] 
stressed efficiency over precision of abstraction, and used a static data-flow 
analysis to mark all instances of variables potentially influenced from outside 
as chaotic, and to transform the program according to this reckoning. The 
transformation gets rid of all the data potentially influenced by the environ-
ment. A 3-valued timer abstraction is proposed to capture the chaotic timing 
behaviour. 
We improve on this abstraction and generalize the approach in the follow-
ing way. We combine may-analysis (that is reminiscent to the one presented 
in [103]) marking all the variables potentially influenced by chaotic environ-
ment with must-analysis that marks data definitely influenced from outside. 
The combination of may and must analysis allows to differentiate data defi-
nitely influenced from outside, and data definitely not influenced from outside, 
i.e., reliable data; then the rest forms a "don't know" intermediate value for 
instances at those process locations where both chaotic and non-chaotic values 
can occur, depending on the system run leading to this instance. 
We propose a transformation based on the results of the combined analysis. 
It gets rid of all the data that are definitely influenced by the environment 
and yields a closed system S♯ that treats the remaining data dynamically, 
which gives a more precise approximation and hence less false negatives in the 
verification. The transformation yields a closed system S♯ which shows more 
behaviour in terms of traces than the original one. For formulas of next-free 
LTL [137, 120], we thus get the desired property preservation: if S♯ ⊨ φ then 
S ⊨ φ. 
Typical practical applications we are interested in are protocol specifica-
tions in SDL [140] and PROMELA [93]. More concretely, the developed meth-
ods for closing open asynchronous systems are used to automate the model 
checking of translations of SDL-specifications into DTPROMELA , the input 
language of the discrete-time Spin model checker DTSpin. The approach is 
implemented as a tool which automatically closes DTPROMELA translations of 
SDL-specifications by embedding the timed chaotic environment into the sys-
tem. To corroborate the usefulness of our approach, we compare the state space 
of models closed by embedding chaos with the state space of the same models 
closed with chaos as external environment process on some simple models and 
on a case study from a wireless ATM medium-access protocol. 
Related work 
Closing open (sub)systems is common for software testing. In this field, a work 
close to ours in spirit and techniques is the one of [44]. It describes a dataflow 
algorithm to close program fragments given in the C-language with the most 
general environment and at the same time eliminating the external interface. 
The algorithm is incorporated into the VeriSoft tool. Similar to the work pre-
sented here, they assume an asynchronous communication model, but do not 
consider timed systems and their abstraction. Similarly, [58] consider partial 
(i.e., open) systems which are transformed into closed ones. To enhance the 
precision of the abstraction, their approach allows to close the system by an 
external environment more specific than the most general, chaotic one, where 
the closing environment can be built to conform to given assumptions, which 
they call filtering [59]. As in our work, they use LTL as temporal logic and 
Spin as model checker, but the environment is modelled separately and is not 
embedded into the system. 
A more fundamental approach to model checking open systems, also called 
reactive modules [4], is known as module checking [116, 115]. Instead of trans-
forming the system into a closed one, the underlying computational model is 
generalized to distinguish between transitions under control of the module and 
those driven by the environment. MOCHA [6] is a model checker for reactive 
modules, which uses alternating-time temporal logic [5] as specification lan-
guage. 
Slicing, a well-known program analysis technique, resembles the analysis de-
scribed in this paper, in that it is a data-flow analysis computing (in forward 
or backward direction) parts of the program that may depend on certain 
points of interest (cf. for a survey [159]). The analysis of Section 5.3 computes 
in a forward manner the cone of influence of all points of the system influ-
enced from the outside. The usefulness of slicing for model checking is explored 
in [128], where slicing is used to speed up model checking and simulation for 
programs in Promela, Spin's input language. However, the program transforma-
tion in [128] is not intended to preserve program properties in general. Likewise 
in the context of LTL model checking, [57] use slicing to cut away irrelevant 
program fragments but the transformation yields a safe, property-preserving 
abstraction and potentially a smaller state space. 
The chapter is organized as follows: Section 5.2 gives a semantics that is a 
simplification of the semantics given in Section 3.3 and argues the correctness 
of the simplification. Section 5.3 describes data-flow analysis. In Section 5.4, 
we describe our approach to closing and present some preservation results. Sec-
tion 5.5 describes an implementation of the approach, provides some examples 
motivating the necessity of embedding and presents a case study from a wireless 
ATM medium-access protocol. 
5.2 Semantics 
The transformation described in Section 3.3 substitutes the SDL concept of 
timeouts as a special kind of signals that are kept in input queues of the pro-
cesses by the concept of timeouts as guards. After the transformation, no time-
out signal is placed into the input queue of the process, so the input queue 
becomes just an extra buffer between a channel and a process. In this chap-
ter, we use the semantics that is a simplification of one in Section 3.3. Here, 
processes take messages directly from input channels without putting them first 
into an input queue. In this section, we show that the systems with input queues 
considered in Section 3.3 and the systems without input queues used in this 
chapter are path-equivalent up to stuttering (see Def. 2.28). 
The semantics of a process specification is the LTS defined by the rules 
of Table 9. The semantics coincides with the semantics given by the rules of 
Tables 5 and 6 except for rules RECEIVE, INPUT and DISCARD of Table 5 and 
the definition of a process state. Here, a state of a process is given by a location 
and a valuation of process and timer variables. A valuation is denoted as η. 
Definition 5.1. STATE OF A PROCESS 
A state σ of a process P is a pair (l, η), where l is a location and η is a valuation 
of variables. Σ denotes the set of states of the process. 
Definition 5.2. PROCESS P 
A process P is an LTS S = (Σ, Lab_P, →, σ_0, In, Out) where σ_0 = (l_0, η_0) is an 
initial state, In is a set of input channel names, Out is a set of output channel 
names and → ⊆ Σ × Lab × Σ is a labelled transition relation derived by applying 
the rules of Table 9 to some process specification Spec_P. 
Rules OUTPUT, ASSIGN, SET, RESET, TICK_p, TIMEOUT, TDISCARD of 
Table 9 coincide with the same rules of Table 5. Rules RECEIVE, INPUT and 
DISCARD of Table 5 are substituted by rules INPUT and DISCARD of Table 9. 
The semantics for channels and n-ary composition that allows to put n entities 
into communication is given by the rules IN and OUT of Table 2 and the rules 
of Table 6. 
Further, we consider a system specification Spec that consists of n compo-
nents (channels and processes), LTS S' obtained from Spec by applying the 
rules of Tables 5 and 6, and LTS S obtained from Spec by applying rules of 
Tables 9 and 6. Suppose γ = (σ_1, ..., σ_i, ..., σ_n) is a configuration of S con-
sisting of n entities (processes and channels), and let γ' = (σ'_1, ..., σ'_i, ..., σ'_n) 
be a configuration of S'. Moreover, σ_i denotes a state of the i-th entity in the 
original system and σ'_i denotes a state of this entity in the transformed system. 
In S', each process has an input queue, and in S there are no input queues. 
The following lemma expresses that the blocked predicate is compositional 
in the sense that the n-ary composition of entities (processes and channels) is 
blocked iff each entity is blocked (rule TICK of Table 6). 
Lemma 5.1. 
For a state γ = (σ_1, ..., σ_n) of a system S, blocked(γ) iff blocked(σ_i) for all σ_i. 
Proof. If γ is not blocked, it can perform a τ-step or an output-step. The 
output-step must originate from a process, which thus is not blocked. The τ-
step is either caused by a single process or by a synchronizing action of a sender 
and a receiver; in both cases at least one process is not blocked. 
For the reverse direction, a τ-step of a single process being thus not blocked, 
entails that γ is not blocked. An output-step of a single process causes γ either 
to do the same output-step or, in case of internal communication, to do a τ-
step. In both cases, γ is not blocked. □ 
Lemma 5.2. 
Let S be a system and γ ∈ Γ one of its states. 
1. If γ →_tick γ̃, then [t]_γ ≠ on(0), for all timers t. 
2. If γ →_tick γ̃, then for all channel states (c, q), q = ε. 
INPUT 
  l →_{c?s(x)} l' ∈ Edg 
  --------------------------------------------- 
  (l, η) →_{c?s(pid,v)} (l', η[x ↦ v]) 

DISCARD 
  l ∈ Loc_in,   s' ∉ {s | l →_{c?s(x)} l' ∈ Edg} 
  --------------------------------------------- 
  (l, η) →_{c?s'(pid,v)} (l, η) 

OUTPUT 
  l →_{g ▷ c!(s,e)} l' ∈ Edg,   [g]_η = true,   [e]_η = v 
  --------------------------------------------- 
  (l, η) →_{c!s(pid,v)} (l', η) 

ASSIGN 
  l →_{g ▷ x:=e} l' ∈ Edg,   [g]_η = true,   [e]_η = v 
  --------------------------------------------- 
  (l, η) →_τ (l', η[x ↦ v]) 

SET 
  l →_{g ▷ set t:=e} l' ∈ Edg,   [g]_η = true,   [e]_η = v 
  --------------------------------------------- 
  (l, η) →_τ (l', η[t ↦ on(v)]) 

RESET 
  l →_{g ▷ reset t} l' ∈ Edg,   [g]_η = true 
  --------------------------------------------- 
  (l, η) →_τ (l', η[t ↦ off]) 

TIMEOUT 
  l →_{g_t ▷ reset t} l' ∈ Edg,   [t]_η = on(0) 
  --------------------------------------------- 
  (l, η) →_τ (l', η[t ↦ off]) 

TDISCARD 
  l ∈ Loc_in,   t' ∉ {t | l →_{g_t ▷ reset t} l' ∈ Edg},   [t']_η = on(0) 
  --------------------------------------------- 
  (l, η) →_τ (l, η[t' ↦ off]) 

TICK_p 
  blocked(l, η) 
  --------------------------------------------- 
  (l, η) →_tick (l, η_dec) 

Table 9. Step semantics for process specification Spec_P 
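To make the rules of Table 9 concrete, the Python below is an added example (not the thesis's or DTSpin's code) that interprets them for a small constructed sender process: it enumerates the enabled steps of a process state, shows DISCARD consuming a signal that no edge at the current location waits for, TDISCARD dropping an expired timer that no edge waits for, TIMEOUT acting as a guard on an edge with no timeout signal queued anywhere, and TICK_p firing only when the process is blocked. The encoding choices are assumptions of this example: guards and expressions are Python callables over η, on(v) is stored as the integer v and off as `None`, Loc_in is listed explicitly, the contents of the input channels are passed in as a list of offers instead of being derived from the channel rules of Table 6, and the pid component of the labels is omitted.

```python
"""Step semantics of Table 9 (processes reading directly from channels) as an interpreter.

Added example, not the thesis's or DTSpin's code. Guards and expressions are Python
callables over the valuation eta; a timer is stored as an int v for on(v) and as OFF
for off; message labels carry channel, signal and value (the pid is left out).
"""
OFF = None

# Constructed sender: take a request, send it, arm timer t, wait for an ack or time out.
SPEC = {
    "timers": {"t"},
    "input_locs": {"idle", "wait"},        # Loc_in: locations that wait for input
    "edges": [
        ("idle",  "input",   ("in", "req", "x"), "send"),                     # l -c?s(x)-> l'
        ("send",  "output",  (lambda e: True, "out", "msg", lambda e: e["x"]), "armed"),
        ("armed", "set",     (lambda e: True, "t", lambda e: 2), "wait"),    # set t := 2
        ("wait",  "input",   ("in", "ack", "y"), "idle"),
        ("wait",  "timeout", "t", "send"),                                   # g_t > reset t
    ],
}


def process_steps(spec, state, offers):
    """All non-tick steps of (l, eta) under Table 9 as (label, next_state).

    offers lists the messages the input channels currently hold as (channel, signal,
    value); in the full composition the channel rules of Table 6 would supply them.
    """
    l, eta = state
    steps = []
    for src, kind, p, dst in spec["edges"]:
        if src != l:
            continue
        if kind == "input":                                   # INPUT
            c, s, x = p
            steps += [("%s?%s(%s)" % (c, s, v), (dst, {**eta, x: v}))
                      for ch, sg, v in offers if (ch, sg) == (c, s)]
        elif kind == "output":                                # OUTPUT
            g, c, s, e = p
            if g(eta):
                steps.append(("%s!%s(%s)" % (c, s, e(eta)), (dst, dict(eta))))
        elif kind == "assign":                                # ASSIGN
            g, x, e = p
            if g(eta):
                steps.append(("tau", (dst, {**eta, x: e(eta)})))
        elif kind == "set":                                   # SET: t := on(v)
            g, t, e = p
            if g(eta):
                steps.append(("tau", (dst, {**eta, t: e(eta)})))
        elif kind == "reset":                                 # RESET: t := off
            g, t = p
            if g(eta):
                steps.append(("tau", (dst, {**eta, t: OFF})))
        elif kind == "timeout":                               # TIMEOUT: [t]eta = on(0) is the guard
            if eta[p] == 0:
                steps.append(("tau", (dst, {**eta, p: OFF})))
    if l in spec["input_locs"]:
        awaited = {p[:2] for src, k, p, _ in spec["edges"] if src == l and k == "input"}
        steps += [("%s?%s(%s)" % (ch, sg, v), (l, dict(eta)))            # DISCARD
                  for ch, sg, v in offers if (ch, sg) not in awaited]
        watched = {p for src, k, p, _ in spec["edges"] if src == l and k == "timeout"}
        steps += [("tau", (l, {**eta, t: OFF}))                          # TDISCARD
                  for t in sorted(spec["timers"]) if eta[t] == 0 and t not in watched]
    return steps


def blocked(spec, state):
    """blocked(l, eta): no tau- or output-step is enabled (inputs need a channel offer)."""
    return not process_steps(spec, state, [])


def tick(spec, state):
    """TICK_p: time passes only for a blocked process; eta_dec counts active timers down."""
    if not blocked(spec, state):
        raise ValueError("tick is not enabled: the process is not blocked")
    l, eta = state
    return (l, {k: (v - 1 if k in spec["timers"] and v not in (OFF, 0) else v)
                for k, v in eta.items()})


def labels(spec, state, offers):
    """Sorted labels of the enabled steps, for compact inspection."""
    return sorted(lab for lab, _ in process_steps(spec, state, offers))


def demo():
    """Walk the constructed sender through the rules and collect what each one did."""
    out = {}
    idle = ("idle", {"x": 0, "y": 0, "t": OFF})
    # an ack that no edge in 'idle' waits for is DISCARDed; the req is taken by INPUT
    out["idle"] = labels(SPEC, idle, [("in", "ack", 1), ("in", "req", 7)])
    send = next(s for lab, s in process_steps(SPEC, idle, [("in", "req", 7)]) if "req" in lab)
    out["send"] = labels(SPEC, send, [])                    # OUTPUT of the stored value
    armed = process_steps(SPEC, send, [])[0][1]
    wait = process_steps(SPEC, armed, [])[0][1]             # SET arms t := on(2)
    out["armed_t"] = wait[1]["t"]
    out["wait_blocked"] = blocked(SPEC, wait)               # nothing to do: time may pass
    expired = tick(SPEC, tick(SPEC, wait))
    out["expired"] = (expired[1]["t"], blocked(SPEC, expired), labels(SPEC, expired, []))
    out["after_timeout"] = process_steps(SPEC, expired, [])[0][1][0]   # TIMEOUT edge to 'send'
    stale = ("idle", {"x": 0, "y": 0, "t": 0})              # expired timer, no edge waits for it
    out["stale"] = (labels(SPEC, stale, []), process_steps(SPEC, stale, [])[0][1][1]["t"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because `blocked` is computed with an empty offer list, a waiting process with a pending input is still reported as blocked on its own; Lemma 5.2(2) covers that case at the system level, since a non-empty channel prevents the tick.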
Proof. For part (1), if $[\![t]\!]_\gamma = on(0)$ for a timer $t$ in a process $P$, then a $\tau$-step is allowed due to either rule TIMEOUT or rule TDISCARD of Table 9. Hence, the system is not blocked and therefore cannot do a tick-step.
Part (2) follows from the fact that a channel can perform a tick-step only when it is empty (rule TICK$_C$ of Table 6). $\square$
We want to be sure that the absence of the input queues does not influence verification results, i.e. $S' \models \phi$ iff $S \models \phi$ for all formulas $\phi$ of LTL-X. Namely, we show that there is a branching simulation relation (see Def. 2.19) relating system $S'$ to system $S$. In the other direction, there is a weak trace inclusion relation (see Def. 2.17) between $S$ and $S'$. This implies that the system with input queues and the system without them are weakly trace equivalent (see Def. 2.18). We also show that they are path-equivalent up to stuttering (see Def. 2.28).
Let $P'$ be the LTS obtained by applying the rules of Table 5 to some process specification $Spec_P$, and let $P$ be the LTS obtained by applying the rules of Table 9 to $Spec_P$. The absence or presence of input queues influences only communication between a process and its input channels. Therefore, we first consider LTSs $E$ and $E'$ that are the compositions of $P$ and $P'$, respectively, with the LTSs of their input channels according to the rules of Table 6.
For $E'$ and $E$, we define a relation $Q \subseteq \Gamma' \times \Gamma$ on configurations of $E'$ and $E$ respectively. Here the typical element of $\Gamma'$ is a configuration $\gamma' = ((l,\eta,q),(c_1,q_1),\ldots,(c_n,q_n))$ and the typical element of $\Gamma$ is $\gamma = ((l,\eta),(c_1,\bar q_1),\ldots,(c_n,\bar q_n))$, where $c_1,\ldots,c_n$ are the input channel names of $P$ and $P'$, $q_i$ and $\bar q_i$ are the queues modelling the channels and $q$ is the input queue of process $P'$. We assume that all the messages kept in the input queue and in the queues modelling channels are different. The first requirement imposed on configurations is that the valuations of variables should be equal. The second one requires that the contents of the channel queues of $E$ should allow process $P$ to consume messages in the same order in which they can be consumed by $P'$ from its input queue. $\pi(q)_{Msg - Msg_{\bar q_i}}$ denotes the projection of $q$ on all the messages that are not an element of $\bar q_i$.
Definition 5.3. INPUT QUEUE APPROXIMATION RELATION
We call $Q \subseteq \Gamma' \times \Gamma$ an input queue approximation relation iff for all $\gamma' Q \gamma$: $\gamma' = ((l,\eta,q),(c_1,q_1),\ldots,(c_n,q_n))$ and $\gamma = ((l,\eta),(c_1,\bar q_1),\ldots,(c_n,\bar q_n))$, and the following conditions hold:
- for all $i = 1..n$, $\pi(q)_{Msg - Msg_{\bar q_i}} :: q_i = \bar q_i$;
- for all messages $msg$ in $q$, $msg$ is an element of $\bar q_i$ for some $i = 1..n$.
Further, we prove that there is a $Q$ that is an input queue approximation relation and a branching simulation on $E'$ and $E$ (Def. 2.19).
Lemma 5.3.
Let $Spec_P$ be a process specification and $P'$ be the LTS obtained by applying the rules of Table 5 to $Spec_P$. Let $P$ be the LTS obtained by applying the rules of Table 9 to the same process specification. Let $E$ be the composition of $P$ with the LTSs of its input channels, and let $E'$ be the composition of $P'$ with the LTSs of its input channels according to the rules of Table 6. Then there exists $Q \subseteq \Gamma' \times \Gamma$ that is an input queue approximation relation and a branching simulation between $E'$ and $E$.
Proof. Let $\gamma'_0$ be the initial configuration of $E'$ and $\gamma_0$ be the initial configuration of $E$. Since all queues (modelling channels and the input queue of $P'$) are initially empty, $\gamma'_0 Q \gamma_0$. Assume that $\gamma' Q \gamma$ holds for some states $\gamma'$ and $\gamma$ of $E'$ and $E$ respectively. To show that $E' \leq_{br} E$, we proceed with a case analysis on the rules in Table 5 and rule COMM of Table 6. Note that here we consider rule COMM only for the case of receiving a message by a process that involves the use of input queues.
Case: COMM
Assume that $\gamma' = ((l,\eta,q),\ldots,(c_i, msg :: q_i),\ldots)$ and that $E'$ makes step $((l,\eta,q),\ldots,(c_i, msg :: q_i),\ldots) \to_\tau ((l,\eta,q :: msg),\ldots,(c_i,q_i),\ldots)$. Since $\gamma' Q \gamma$, $\gamma = ((l,\eta),\ldots,(c_i, msg :: \bar q_i),\ldots)$.
After the $\tau$-step of $E'$, we reach $\tilde\gamma' = ((l,\eta,q :: msg),\ldots,(c_i,q_i),\ldots)$, and $\tilde\gamma' Q \gamma$ still holds. Condition 2 of Def. 2.19 is satisfied.
Case: INPUT
Assume that $\gamma' = ((l,\eta,s(pid,v) :: q),\ldots,(c_n,q_n))$ and that $E'$ makes step $((l,\eta,s(pid,v) :: q),\ldots,(c_n,q_n)) \to_\tau ((\hat l,\eta[x \mapsto v],q),\ldots,(c_n,q_n))$. By rule INPUT of Table 5, $l \xrightarrow{c_j?s(x)} \hat l \in Edg$. Since $\gamma' Q \gamma$, the mimicking step $((l,\eta),\ldots,(c_j, s(pid,v) :: \bar q_j),\ldots) \to_\tau ((\hat l,\eta[x \mapsto v]),\ldots,(c_j,\bar q_j),\ldots)$ is possible in $E$ by rule INPUT of Table 9 and rule COMM of Table 6. For $\tilde\gamma' = ((\hat l,\eta[x \mapsto v],q),\ldots,(c_n,q_n))$ and $\tilde\gamma = ((\hat l,\eta[x \mapsto v]),\ldots,(c_j,\bar q_j),\ldots)$, $\tilde\gamma' Q \tilde\gamma$. Moreover, condition 1 of Def. 2.19 is satisfied.
Case: DISCARD
Analogous to the case INPUT.
Rules OUTPUT, ASSIGN, SET, RESET, TICK$_P$, TIMEOUT, TDISCARD of Table 9 coincide with the rules of Table 5. The channels have the same semantics in both cases. It is straightforward to show that condition 1 of Def. 2.19 is satisfied for the OUTPUT, ASSIGN, SET, RESET, TICK$_P$, TIMEOUT and TDISCARD cases, and so $E' \leq_{br} E$. $\square$
Proposition 5.1. BRANCHING SIMULATION
Let $Spec$ be a system specification, $S'$ be the LTS obtained by applying the rules of Tables 5 and 6 to $Spec$, and $S$ be the LTS obtained by applying the rules of Tables 9 and 6 to $Spec$. Then there exists $Q \subseteq \Gamma' \times \Gamma$ that is an input queue approximation relation and a branching simulation between $S'$ and $S$.
Proof. For each channel, there is only one process reading from the channel (see Def. 3.2). Relation $Q$ as given in Def. 5.3 can be easily lifted to the definition of $Q$ on configurations of $S'$ and $S$. $S'$ and $S$ are the LTSs obtained using the same rules for $n$-ary composition that allow to put $n$ processes into communication.
[Figure: Fig. 13. Input queue]
By Lemma 5.3 and by a case analysis on the rules of Table 6, it is straightforward to show that $S' \leq_{br} S$. $\square$
Intuitively, we would like $Q^{-1}$ to be a branching simulation. An attempt to establish a simulation in the reverse direction fails. In Fig. 13, the configurations $((l,\eta,a :: b),(c_1,\varepsilon),(c_2,\varepsilon))$ and $((l,\eta),(c_1,a),(c_2,b))$ of systems $E'$ and $E$ are related by $Q$. In $E'$, first message $a$ can be consumed and then message $b$. $E$ still has a choice, i.e. the messages can be consumed in any order; hence, $Q$ is not a branching bisimulation (Def. 2.20). However, it is possible to show that for each trace of $S$ there exists a trace of $S'$ having the same stuttering-free projection (cf. Def. 2.26). Further, we show that $S'$ and $S$ are path equivalent up to stuttering (Def. 2.28).
[Figure: Fig. 14. Mimicking a reception $\tau$-step]
Definition 5.4.
Let $\zeta$ and $\chi$ be traces of $S$ and $S'$, respectively. We write $\zeta =_V \chi$ iff there exists $V \subseteq \mathbb{N} \times \mathbb{N}$ such that
1. $(i,j) \in V$ implies $\chi_\gamma(j) Q \zeta_\gamma(i)$.
2. $\zeta$ and $\chi$ can be partitioned as $\zeta^{I_1}\zeta^{I_2}\ldots$ and $\chi^{J_1}\chi^{J_2}\ldots$, respectively, so that for all $k > 0$, $I_k = \{i, i+1\}$, $J_k = \{j,\ldots,j+m\}$, $1 \leq m \leq 2$ and the following conditions are satisfied:
- $(i,j),(i+1,j+m) \in V$, $\zeta_\lambda(i+1) = \chi_\lambda(j+m)$, and all input queues are empty at $\chi_\gamma(j)$ and at $\chi_\gamma(j+m)$;
- $\chi_\lambda(j+1) = \tau$ and $(i,j+1) \in V$ if $m = 2$.
We write $S \leq_V S'$ iff for every trace $\zeta$ of $S$ there exists a trace $\chi$ in $S'$ such that $\zeta =_V \chi$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$.
Further, we show that for each trace $\zeta$ of $E$ there is a trace $\chi$ of $E'$ such that $\chi$ has the same stuttering-free projection as $\zeta$. Roughly speaking, each step of $\zeta$ is mimicked by the same step of $\chi$ except $\tau$-steps that take a message from a queue modelling an input channel and consume it. For the example in Fig. 14, assume that $\zeta^{(i)} =_V \chi^{(j)}$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$ and that the $(i+1)$th step of $\zeta$ is the $\tau$-step that takes message $s(pid,v)$ from the queue modelling channel $c$ and consumes the message. To be able to mimic such a step in $E'$, we postpone moving messages from queues modelling channels into the input queue of the process as long as possible.
Since $\zeta^{(i)} =_V \chi^{(j)}$, $\chi_\gamma(j) Q \zeta_\gamma(i)$ by condition 1 of Def. 5.4. Therefore, we take a $\tau$-step that removes signal $s(pid,v)$ from the queue modelling channel $c$ and adds it to the empty input queue of process $P'$ (cf. rule COMM of Table 6). For the configuration $\chi_\gamma(j+1)$ reached by the $\tau$-step, $\chi_\gamma(j+1) Q \zeta_\gamma(i)$ holds, and we add $(i,j+1)$ to $V$.
According to the rule INPUT of Table 5, we can make a $\tau$-step that consumes the message $s(pid,v)$ from the input queue of process $P'$ and leads to configuration $\chi_\gamma(j+2)$ such that $\chi_\gamma(j+2) Q \zeta_\gamma(i+1)$. We add $(i+1,j+2)$ to $V$, and thus we obtain $\zeta^{(i+1)} =_V \chi^{(j+2)}$ for the extended $V$.
Lemma 5.4.
Let $\zeta$ and $\chi$ be traces of $S$ and $S'$ respectively. Let $\zeta =_V \chi$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$. Then $\zeta =_{wtr} \chi$.
Proof. Traces $\chi$ and $\zeta$ that satisfy condition 2 of Def. 5.4 also satisfy the conditions of Def. 2.16. $\square$
Let $\pi_\zeta$ and $\pi_\chi$ be the paths corresponding to traces $\zeta$ and $\chi$ respectively, i.e. $\pi_\zeta = \zeta_\gamma(0)\zeta_\gamma(1)\ldots$ and $\pi_\chi = \chi_\gamma(0)\chi_\gamma(1)\ldots$.
Lemma 5.5.
Let $\zeta$ and $\chi$ be traces of $S$ and $S'$ respectively. Let $\zeta =_V \chi$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$. Let $\mathcal{L} : \Gamma \to 2^{\mathcal{P}}$ and $\mathcal{L}' : \Gamma' \to 2^{\mathcal{P}}$ be interpretation functions, $\mathcal{P}$ be the set of atomic propositions, and $\Gamma$ and $\Gamma'$ be the sets of configurations of $S$ and $S'$ respectively. Then $\pi_\zeta =_{st} \pi_\chi$.
Proof. Both $S$ and $S'$ are obtained from some specification $Spec$, so they have the same set of variables. Since $\zeta =_V \chi$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$, $\mathcal{L}(\zeta_\gamma(i)) = \mathcal{L}'(\chi_\gamma(j))$ for all $(i,j) \in V$ by condition 1 of Def. 5.4.
By condition 2 of Def. 3.14, each step of trace $\zeta$ is mimicked either by the same step of trace $\chi$ or by the same step of $\chi$ preceded by one $\tau$-step that does not change the valuation of variables. Further, it is straightforward to show that $\mathcal{L}(Pr(\pi_\zeta)(k)) = \mathcal{L}'(Pr(\pi_\chi)(k))$ for all $k \geq 0$ (cf. Def. 2.27). $\square$
Lemma 5.6.
Let $Spec_P$ be a process specification, $P'$ be the LTS obtained by applying the rules of Table 5 to $Spec_P$, and $P$ be the LTS obtained by applying the rules of Table 9 to $Spec_P$. Let $E$ be the composition of $P$ with the LTSs modelling its input channels and let $E'$ be the composition of $P'$ with the LTSs modelling its input channels according to the rules of Table 6. For each trace $\zeta$ of $E$ there is a trace $\chi$ of $E'$ such that $\zeta =_V \chi$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$.
Proof. In Lemma 5.3, we have already demonstrated that $\gamma'_0 Q \gamma_0$ is valid for the initial configurations of $E'$ and $E$; thus, $V = \{(0,0)\}$ and $\zeta_\gamma(0) = \gamma_0$ initially. Further, we construct a trace $\chi$ and a relation $V$ by induction on the length of the trace $\zeta$. Each step of $\zeta$ is mimicked by a step of $E'$, and the configurations reached by a step of $\zeta$ and the mimicking step are related by $Q$. Now we proceed with a case analysis on the rules of Table 9 and rule COMM of Table 6. Note that here we consider rule COMM only for the case when a process receives a message from a channel. Assume that $(i,j) \in V$ and that all input queues are empty in $\chi_\gamma(j)$. By Def. 5.4, traces $\zeta^{(i)}$ and $\chi^{(j)}$ can be partitioned as $\zeta^{(i)I_1}\zeta^{(i)I_2}\ldots$ and $\chi^{(j)J_1}\chi^{(j)J_2}\ldots$.
Case: COMM
Let the $(i+1)$th step of $\zeta$ be
$$((l,\eta),\ldots,(c_j, s(pid,v) :: \bar q_j),\ldots) \to_\tau ((\hat l,\eta[x \mapsto v]),\ldots,(c_j,\bar q_j),\ldots)$$
By rule COMM of Table 6 and rule INPUT of Table 9, $l \xrightarrow{c_j?s(x)} \hat l \in Edg$. By Def. 5.4, $(i,j) \in V$ implies that $\chi_\gamma(j) Q \zeta_\gamma(i)$ and the input queue of $P'$ is empty at $\chi_\gamma(j)$. To mimic the $\tau$-step of $\zeta$, we extend $\chi^{(j)}$ by two steps. By rule COMM of Table 6, we first add the $\tau$-step
$$((l,\eta,\varepsilon),\ldots,(c_j, s(pid,v) :: q_j),\ldots) \to_\tau ((l,\eta,s(pid,v)),\ldots,(c_j,q_j),\ldots)$$
that removes message $s(pid,v)$ from the head of the queue modelling channel $c_j$ and adds it to the input queue of process $P'$. We add $(i,j+1)$ to $V$ and define $\chi_\gamma(j+1) = ((l,\eta,s(pid,v)),\ldots,(c_j,q_j),\ldots)$, $\chi_\lambda(j+1) = \tau$. For this step, $\chi_\gamma(j+1) Q \zeta_\gamma(i)$.
By rule INPUT of Table 5, we add the $\tau$-step consuming $s(pid,v)$ from the input queue of $P'$. We add $(i+1,j+2)$ to $V$ and define $\chi_\gamma(j+2) = ((\hat l,\eta[x \mapsto v],\varepsilon),\ldots,(c_n,q_n))$, $\chi_\lambda(j+2) = \tau$. Moreover, $\chi_\gamma(j+2) Q \zeta_\gamma(i+1)$ and the input queue of $P'$ is empty at $\chi_\gamma(j+2)$.
The $(i+1)$th step of $\zeta^{(i+1)}$ forms partition $I_{i+1}$. The $(j+1)$th step together with the $(j+2)$th step forms partition $J_{i+1}$ of $\chi^{(j+2)}$. All conditions of Def. 5.4 are satisfied, and $\zeta^{(i+1)} =_V \chi^{(j+2)}$.
It is straightforward to show that we can mimic the $(i+1)$th step of $\zeta$ by the $(j+1)$th step of $E'$ so that $\zeta^{(i+1)} =_V \chi^{(j+1)}$ for the cases DISCARD, OUTPUT, ASSIGN, SET, RESET, TICK$_P$, TIMEOUT and TDISCARD of Table 9.
Here we showed that for each finite prefix $\zeta^{(i+1)}$ of trace $\zeta$ of $E$, we can construct a finite prefix $\chi^{(j+m)}$ of trace $\chi$ of $E'$ such that $\zeta^{(i+1)} =_V \chi^{(j+m)}$. It means that for each trace $\zeta$ of $E$ there is a trace $\chi$ of $E'$ such that $\zeta =_V \chi$ for some $V$. $\square$
Proposition 5.2.
Let $Spec$ be a system specification, $S'$ be the LTS obtained by applying the rules of Table 5, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$, and $S$ be the LTS obtained by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$. For each trace $\zeta$ of $S$ there is a trace $\chi$ of $S'$ such that $\zeta =_V \chi$ for some $V \subseteq \mathbb{N} \times \mathbb{N}$.
Proof. For each channel $c$ there is only one process that takes messages from the channel (see Def. 3.2). Relation $Q$ as given by Def. 5.3 can be easily lifted to a definition of $Q$ on configurations of $S'$ and $S$. $S$ and $S'$ are the LTSs obtained using the same rules of $n$-ary composition. By Lemma 5.6 and by a case analysis on the rules of Table 6, it is straightforward to show that for each trace $\zeta$ of $S$ there is a trace $\chi$ of $S'$ such that $\zeta =_V \chi$ for some $V$. $\square$
Proposition 5.3. WEAK TRACE EQUIVALENCE
Let $Spec$ be a system specification, $S'$ be the LTS obtained by applying the rules of Table 5, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$, and $S$ be the LTS obtained by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$. Then $S =_{wtr} S'$.
Proof. Case: $S' \leq_{wtr} S$. Follows from Proposition 5.1.
Case: $S \leq_{wtr} S'$. Follows from Proposition 5.2 and Lemma 5.4. $\square$
Proposition 5.4. PATH INCLUSION UP TO STUTTERING
Let $Spec$ be a system specification, $S'$ be the LTS obtained by applying the rules of Table 5, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$, and $S$ be the LTS obtained by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$. Further, let $\mathcal{L}$ and $\mathcal{L}'$ be interpretation functions for the set of atomic propositions $\mathcal{P}$. Then $(S,\mathcal{L}) =_{st} (S',\mathcal{L}')$.
Proof. Both $(S,\mathcal{L})$ and $(S',\mathcal{L}')$ are L2TSs (Def. 2.25). Here we assume that neither system $S$ nor system $S'$ contains deadlocks, because even if the system cannot proceed, time can progress. So all traces of $S$ and $S'$ are infinite.
Case: $(S',\mathcal{L}') \leq_{st} (S,\mathcal{L})$. Follows from Def. 5.3 and Proposition 5.1.
Case: $(S,\mathcal{L}) \leq_{st} (S',\mathcal{L}')$. Follows from Proposition 5.2 and Lemma 5.5.
$(S,\mathcal{L}) \leq_{st} (S',\mathcal{L}')$ and $(S',\mathcal{L}') \leq_{st} (S,\mathcal{L})$ imply $(S,\mathcal{L}) =_{st} (S',\mathcal{L}')$. $\square$
Theorem 5.1.
For all formulas $\varphi$ of LTL-X mentioning process variables and timer variables of $Spec$, $S \models \varphi$ iff $S' \models \varphi$.
Proof. Straightforward from Proposition 5.4 and Theorem 2.2. $\square$
5.3 Marking Chaotically-influenced Variables
Originating from an unknown or underspecified environment, signals from outside can carry any value, which often leads to an infinite state space. Assuming nothing about the data means one can conceptually abstract values from outside into one abstract "chaotic" value, which basically means to ignore these data and focus on the control structure. Data not coming from outside is left untouched, though chaotic data from the environment influence internal data of the system. In this section, we present a straightforward data-flow analysis marking variable and timer instances that may be influenced by the environment; namely, we establish for each process variable and timer variable in each location whether
1. the variable is guaranteed to be not influenced by the outside, or
2. the variable is guaranteed to be influenced by the outside, or
3. its status depends on the actual run.
The analysis is a combination of the ones from [151] and [103].
5.3.1 Data-Flow Analysis
The analysis works on a simple flow graph representation of the system; each process is represented by a single flow graph, whose nodes $n \in Node$ are associated with the process' actions and whose flow relation captures the intra-process data dependencies. Since the structure of the language we consider is rather simple, the flow graph can be easily obtained by standard techniques.
We use an abstract representation of the data values, where $\top$ is interpreted as a value chaotically influenced by the environment and $\bot$ stands for a non-chaotic value. We write $\eta^\alpha, \eta^\alpha_1, \ldots$ for abstract valuations, i.e., for typical elements from $Val^\alpha = Var \to \{\top,\bot\}$. The abstract values are ordered $\bot \leq \top$, and the order is lifted pointwise to valuations. With this ordering, the set of valuations forms a complete lattice, where we write $\eta_\bot$ for the least element, given as $\eta_\bot(x) = \bot$ for all $x \in Var$, and we denote the least upper bound of $\eta^\alpha_1,\ldots,\eta^\alpha_n$ by $\bigvee_{i=1}^n \eta^\alpha_i$ (or by $\eta^\alpha_1 \vee \eta^\alpha_2$ in the binary case). By slight abuse of notation, we will use the same symbol $\eta^\alpha$ for the valuation per node, i.e., for functions of type $Node \to Val^\alpha$.
Depending on whether we are interested in an answer to point (1) or point (2) from above, $\top$ is interpreted as a variable possibly influenced from outside or, dually for the second case, $\top$ stands for variables guaranteed to be influenced from outside. We present a may and a must analysis for the first and the second case respectively.
May Analysis
First we consider the may analysis that marks variables potentially influenced by data from outside. Each node $n$ of the flow graph has associated with it an abstract transfer function $f_n : Val^\alpha \to Val^\alpha$, describing the change of the abstract valuations depending on the kind of action at the node. The functions are given in Table 10. The equations are mostly straightforward; the only case deserving mention is the one for $c?s(x)$, whose equation captures the inter-process data-flow from a sending to a receiving action. If $s$ is an external signal then variable $x$ is potentially influenced from outside. A process within the system can also send a message parameterized by data influenced from outside. That is captured by $\bigvee\{[\![e]\!]_{\eta^\alpha} \mid n' = g \rhd c!s(e)\}$. It allows to mark a variable by $\top$ if at least one process sends signal $s$ with data influenced from outside. Sending a signal $c!s(e)$ does not change the valuation of variables, hence it does not influence the abstract valuation either.
Assignment $g \rhd x := e$ changes the valuation of $x$ depending on the valuation of expression $e$. The abstract valuation $[\![e]\!]_{\eta^\alpha}$ for an expression $e$ equals $\bot$ iff all variables in $e$ are evaluated to $\bot$; $[\![e]\!]_{\eta^\alpha}$ is $\top$ iff the abstract valuation of at least one of the variables in $e$ is $\top$. Setting a timer is similar to an assignment. Reset and timeout set a timer to the reliable value $off$. It is easy to see that the transfer functions are monotonic.
Upon the start of the analysis, the variables' values at each node are assumed to be defined; the initial valuation is the least one: $\eta^\alpha_{init}(n) = \eta_\bot$. This choice rests on the assumption that all local variables of each process are properly initialized. We are interested in the least solution to the data-flow problem given by the following constraint set:
$$\eta^\alpha_{post}(n) \geq f_n(\eta^\alpha_{pre}(n))$$
$$\eta^\alpha_{pre}(n) \geq \bigvee\{\eta^\alpha_{post}(n') \mid (n',n) \text{ in flow relation}\} \qquad (4)$$
For each node $n$ of the flow graph, the data-flow problem is specified by two inequations or constraints. The first one relates the abstract valuation $\eta^\alpha_{pre}$ before entering the node with the valuation $\eta^\alpha_{post}$ afterwards via the abstract
$$f(c?s(x))\,\eta^\alpha = \begin{cases} \eta^\alpha[x \mapsto \top] & s \in Sig_{ext} \\ \eta^\alpha[x \mapsto \bigvee\{[\![e]\!]_{\eta^\alpha} \mid n' = g \rhd c!s(e)\}] & s \notin Sig_{ext} \end{cases}$$
$$f(g \rhd c!s(e))\,\eta^\alpha = \eta^\alpha$$
$$f(g \rhd x := e)\,\eta^\alpha = \eta^\alpha[x \mapsto [\![e]\!]_{\eta^\alpha}]$$
$$f(g \rhd set\ t := e)\,\eta^\alpha = \eta^\alpha[t \mapsto on([\![e]\!]_{\eta^\alpha})]$$
$$f(g \rhd reset\ t)\,\eta^\alpha = \eta^\alpha[t \mapsto off]$$
$$f(g_t \rhd reset\ t)\,\eta^\alpha = \eta^\alpha[t \mapsto off]$$
Table 10. May analysis: transfer functions/abstract effect for process $P$
input: the flow graph of the program
output: $\eta^\alpha_{pre}$, $\eta^\alpha_{post}$;
$\eta^\alpha(n) = \eta^\alpha_{init}(n)$;
$WL = \{n \mid \alpha_n = c?s(x),\ s \in Sig_{ext}\}$;
repeat
  pick $n \in WL$;
  if $n = g \rhd c!s(e)$ then
    let $S' = \{n' \mid n' = c?s(x) \text{ and } [\![e]\!]_{\eta^\alpha(n)} \not\leq [\![x]\!]_{\eta^\alpha(n')}\}$
    in for all $n' \in S'$: $\eta^\alpha(n') := f_{n'}(\eta^\alpha(n'))$;
  let $S = \{n'' \in succ(n) \mid f_n(\eta^\alpha(n)) \not\leq \eta^\alpha(n'')\}$
  in for all $n'' \in S$: $\eta^\alpha(n'') := f_n(\eta^\alpha(n))$;
  $WL := WL \setminus \{n\} \cup S \cup S'$;
until $WL = \emptyset$;
$\eta^\alpha_{pre}(n) = \eta^\alpha(n)$;
$\eta^\alpha_{post}(n) = f_n(\eta^\alpha(n))$
Fig. 15. May analysis: worklist algorithm
effects of Table 10. The least fixpoint of the constraint set can be found iteratively in a fairly standard way by a worklist algorithm (see e.g., [111, 85, 131]), where the worklist steers the iterative loop until the least fixpoint is reached (cf. Figure 15).
The worklist data-structure $WL$ used in the algorithm is a set of elements, more specifically a set of nodes from the flow graph, where we denote by $succ(n)$ the set of successor nodes of $n$ in the flow graph in forward direction. It supports as operation to randomly pick one element from the set (without removing it), and we write $WL \setminus \{n\}$ for the worklist without the node $n$ and $\cup$ for set-union on the elements of the worklist. The algorithm starts with the least valuation on all nodes and an initial worklist containing the nodes with input from the environment. It enlarges the valuation within the given lattice step by step until it stabilizes, i.e., until the worklist is empty. If adding the abstract effect of one node to the current state enlarges the valuation, i.e., the set $S$ is non-empty, those successor nodes from $S$ are (re-)entered into the list of unfinished ones. The special case for output nodes $c!s(e)$ captures interprocess communication. Since the set of variables in the system is finite, and thus the lattice of abstract valuations, termination of the algorithm is immediate.
With the worklist as a set-like data-structure, the algorithm is free to work off the list in any order. In practice, more deterministic data-structures and traversal strategies are appropriate, for instance traversing the graph in a breadth-first manner (see [131] for a broader discussion of various traversal strategies).
After termination the algorithm yields two mappings $\eta^\alpha_{pre} : Node \to Val^\alpha$ and $\eta^\alpha_{post} : Node \to Val^\alpha$. On a location $l$, the result of the analysis is given by $\eta^\alpha(l) = \bigvee\{\eta^\alpha_{post}(\hat n) \mid \hat n = \hat l \to_a l\}$ (where $a$ is an action), also written as $\eta^\alpha_l$.
Lemma 5.7. CORRECTNESS (may)
The algorithm in Fig. 15 terminates. Upon termination, the algorithm gives back the least solution to the constraint set as given by the equations (4), where the transfer function is defined by Table 10.
Proof. The set of variables is finite and the lattice of abstract valuations is complete (Def. 2.2). Transfer functions are monotonic. Using Theorem 2.1, it is straightforward to show that the abstract valuation reached upon termination of the algorithm in Fig. 15 is the least solution to the constraint set as given by the equations (4). $\square$
Must Analysis
The must analysis is almost dual to the may analysis. The must analysis marks the variables that are guaranteed to be influenced by data from outside. The transfer function that describes the change of the abstract valuation depending on the action at the node is defined in Table 11. For inputs $c?s(x)$, the transfer function assigns $\bot$ to $x$ if the signal is sent to $P$ with reliable data only. This
$$f(c?s(x))\,\eta^\alpha = \begin{cases} \eta^\alpha[x \mapsto \top] & s \notin Sig_{int} \\ \eta^\alpha[x \mapsto \bigwedge\{[\![e]\!]_{\eta^\alpha} \mid n' = g \rhd c!s(e)\}] & s \in Sig_{int} \end{cases}$$
$$f(g \rhd c!s(e))\,\eta^\alpha = \eta^\alpha$$
$$f(g \rhd x := e)\,\eta^\alpha = \eta^\alpha[x \mapsto [\![e]\!]_{\eta^\alpha}]$$
$$f(g \rhd set\ t := e)\,\eta^\alpha = \eta^\alpha[t \mapsto on([\![e]\!]_{\eta^\alpha})]$$
$$f(g \rhd reset\ t)\,\eta^\alpha = \eta^\alpha[t \mapsto off]$$
$$f(g_t \rhd reset\ t)\,\eta^\alpha = \eta^\alpha[t \mapsto off]$$
Table 11. Must analysis: transfer functions/abstract effect for process $P$
input: the flow graph of the program
output: $\eta^\alpha_{pre}$, $\eta^\alpha_{post}$;
$\eta^\alpha(n) = \eta^\alpha_{init}(n)$;
$WL = \{n \mid \alpha_n = g \rhd x := e\}$;
repeat
  pick $n \in WL$;
  if $n = g \rhd c!s(e)$ then
    let $S' = \{n' \mid n' = c?s(x) \text{ and } [\![e]\!]_{\eta^\alpha(n)} \not\geq [\![x]\!]_{\eta^\alpha(n')}\}$
    in for all $n' \in S'$: $\eta^\alpha(n') := f_{n'}(\eta^\alpha(n'))$;
  let $S = \{n'' \in succ(n) \mid f_n(\eta^\alpha(n)) \not\geq \eta^\alpha(n'')\}$
  in for all $n'' \in S$: $\eta^\alpha(n'') := f_n(\eta^\alpha(n))$;
  $WL := WL \setminus \{n\} \cup S \cup S'$;
until $WL = \emptyset$;
$\eta^\alpha_{pre}(n) = \eta^\alpha(n)$;
$\eta^\alpha_{post}(n) = f_n(\eta^\alpha(n))$
Fig. 16. Must analysis: worklist algorithm
means the values after reception correspond to the greatest lower bound over all expressions which can occur in a matching send-action.
Similar to the may analysis, the data-flow problem is specified for each node $n$ of the flow graph by two inequations (5) (see Table 11). Analogously, the greatest fixpoint of the constraint set can be found iteratively by a worklist algorithm (cf. Figure 16). Upon the start of the analysis, at each node the variables' values are assumed to be defined, i.e., the initial valuation is the greatest one: $\eta^\alpha_{init}(n) = \eta_\top$.
$$\eta^\alpha_{post}(n) \leq f_n(\eta^\alpha_{pre}(n))$$
$$\eta^\alpha_{pre}(n) \leq \bigwedge\{\eta^\alpha_{post}(n') \mid (n',n) \text{ in flow relation}\} \qquad (5)$$
As in the case of the may analysis, termination of the algorithm follows from the finiteness of the set of variables. After termination the algorithm yields two mappings $\eta^\alpha_{pre}, \eta^\alpha_{post} : Node \to Val^\alpha$. On a location $l$, the result of the analysis is given by $\eta^\alpha(l) = \bigwedge\{\eta^\alpha_{post}(\hat n) \mid \hat n = \hat l \to_a l\}$, also written as $\eta^\alpha_l$.
Lemma 5.8. CORRECTNESS (must)
The algorithm in Fig. 16 terminates. Upon termination, the algorithm gives back the greatest solution to the constraint set as given by the equations (5), where the transfer function is defined by Table 11.
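The two worklist analyses carried through on a small system, as an added example that is not the thesis's code: the transfer functions of Tables 10 and 11 over a constructed two-process flow graph (nodes n1..n5 and m1..m3, signals req and fwd are all constructed), followed by the combination of both results into the three statuses of Sec. 5.3. It assumes that timer actions are left out, that the worklist is seeded with every node, and that a successor's valuation is updated with the join (may) or meet (must) rather than overwritten, so the iteration converges to the least solution of (4) and the greatest solution of (5) directly.

```python
"""Added example (not the thesis's code): may and must analysis of chaotically
influenced variables, Tables 10/11 and constraints (4)/(5), run over a small
constructed two-process flow graph.

Assumptions: timer actions are left out (Tables 10/11 treat set like an
assignment and reset/timeout like assigning the reliable value off); the
worklist is seeded with every node and a successor's valuation is updated with
the join (may) / meet (must) of the old and the propagated valuation, so the
iteration converges to the least solution of (4) / the greatest of (5).
"""
from collections import namedtuple

BOT, TOP = 0, 1  # ⊥ (never chaotic) <= ⊤ (chaotic)

# One flow-graph node: its process, action kind, channel and signal (inputs and
# outputs), the written variable x and the set of variables read by e.
Node = namedtuple("Node", "name proc kind chan sig x reads")

SIG_EXT = {"req"}  # constructed: `req` is the only signal from the environment

NODES = {n.name: n for n in [
    # P1: take a request from outside, compute on it, forward it to P2 twice,
    # once with the chaotic x and once with the constant y.
    Node("n1", "P1", "input",  "c1", "req", "x", frozenset()),        # c1?req(x)
    Node("n2", "P1", "assign", None, None,  "x", frozenset({"x"})),   # x := x + 1
    Node("n3", "P1", "output", "c2", "fwd", None, frozenset({"x"})),  # c2!fwd(x)
    Node("n4", "P1", "assign", None, None,  "y", frozenset()),        # y := 0
    Node("n5", "P1", "output", "c2", "fwd", None, frozenset({"y"})),  # c2!fwd(y)
    # P2: consume the forwarded signal and copy its parameter.
    Node("m1", "P2", "input",  "c2", "fwd", "z", frozenset()),        # c2?fwd(z)
    Node("m2", "P2", "assign", None, None,  "w", frozenset({"z"})),   # w := z
    Node("m3", "P2", "assign", None, None,  "v", frozenset()),        # v := 7
]}
PROC_VARS = {"P1": ("x", "y"), "P2": ("z", "w", "v")}
# Intra-process flow relation; both processes loop back to their first node.
FLOW = [("n1", "n2"), ("n2", "n3"), ("n3", "n4"), ("n4", "n5"), ("n5", "n1"),
        ("m1", "m2"), ("m2", "m3"), ("m3", "m1")]

def eval_abs(reads, eta):
    """Strict lifting [[e]]_eta: ⊤ iff some variable read by e is ⊤."""
    return max((eta[v] for v in reads), default=BOT)

def transfer(node, eta, pre, combine):
    """Abstract effect f_n of Table 10 (combine = join) / Table 11 (combine = meet)."""
    out = dict(eta)
    if node.kind == "input":
        if node.sig in SIG_EXT:
            out[node.x] = TOP  # external signal: x is chaotic
        else:
            # inter-process flow: ⋁ / ⋀ over every matching send c!s(e),
            # each e evaluated in the sender's own pre-valuation
            out[node.x] = combine(
                eval_abs(s.reads, pre[s.name]) for s in NODES.values()
                if s.kind == "output" and (s.chan, s.sig) == (node.chan, node.sig))
    elif node.kind == "assign":
        out[node.x] = eval_abs(node.reads, eta)
    # an output g ▷ c!s(e) does not change the valuation
    return out

def analyse(mode):
    """Worklist iteration (cf. Figs. 15/16); returns eta_pre per node."""
    if mode == "may":
        init, combine = BOT, (lambda vals: max(vals, default=BOT))
    else:
        init, combine = TOP, (lambda vals: min(vals, default=TOP))
    pre = {n.name: {v: init for v in PROC_VARS[n.proc]} for n in NODES.values()}
    succ = {name: [b for a, b in FLOW if a == name] for name in NODES}
    wl = set(NODES)
    while wl:
        n = NODES[wl.pop()]
        post = transfer(n, pre[n.name], pre, combine)
        for m in succ[n.name]:
            merged = {v: combine([pre[m][v], post[v]]) for v in pre[m]}
            if merged != pre[m]:
                pre[m] = merged
                wl.add(m)
        if n.kind == "output":
            # the receivers' transfer functions depend on this sender's
            # valuation, so re-examine them (the set S' of Figs. 15/16)
            wl.update(r.name for r in NODES.values() if r.kind == "input"
                      and (r.chan, r.sig) == (n.chan, n.sig))
    return pre

def classify(may_pre, must_pre):
    """Per (node, variable): 'BOT' never chaotic, 'TOP' always chaotic, '?' run-dependent."""
    status = {}
    for name, node in NODES.items():
        for v in PROC_VARS[node.proc]:
            if may_pre[name][v] == BOT:
                status[(name, v)] = "BOT"
            elif must_pre[name][v] == TOP:
                status[(name, v)] = "TOP"
            else:
                status[(name, v)] = "?"
    return status

if __name__ == "__main__":
    may, must = analyse("may"), analyse("must")
    for key, st in sorted(classify(may, must).items()):
        print(key, st)
```

At m2 the may analysis marks z with ⊤ (n3 forwards the chaotic x) while the must analysis yields ⊥ (n5 forwards the constant y), which is exactly the run-dependent third status.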
5.4 Program Transformation
For model checking, we cannot live with the infinity of data injected from outside by the chaotic environment. Therefore, we abstract this infinity into one single abstract value $\top$. For chaotically influenced timers, we should differentiate among deactivated timers, timers that are ready to expire immediately and timers that are active but not ready to expire in the current time slice. The timer abstraction introduced in Sec. 4.2 cannot be used for this purpose, because the $k^+$ abstraction is suitable only to represent an active timer that cannot expire immediately. Therefore, we will need a more refined abstraction. Since the abstract system is still open, we close it by embedding the chaotic environment into the system. Special care is taken to properly embed chaotic behaviour wrt. timed behaviour.
Based on the result of the analysis, we transform a given specification $Spec$ into a closed one denoted by $Spec^\natural$, where communication with the environment is embedded into the system and all the data exchanged with it is abstracted.
The intention is to use the information collected in the analysis about the influence of the environment to reduce the state space. Depending on whether one relies on the may analysis alone (which variable occurrences may be influenced from the outside) or takes into account the results of both analyses (additional information on which variable occurrences are definitely chaotic), the precision of the abstraction varies. Using only the may-information overapproximates the system (further) but in general leads to a smaller state space. The second option, on the other hand, gives a more precise abstraction and thus fewer false negatives.
Here we describe only the transformation based on a combination of the may and must analyses, since the alternative transformation using the results of the may analysis only is simpler. The transformation not only closes the system but also optimises it by removing unnecessary instances of variables or expressions which are guaranteed to be $\top$. The transformation is defined by the rules in Table 12.
Overloading the symbols $\top$ and $\bot$, we mean for the rest of the paper: the value $\top$ for a variable at a location refers to the result of the must analysis, i.e., the definite knowledge that the data is chaotic for all runs. Dually, $\bot$ stands for the definite knowledge of the may analysis, i.e., for data which is never influenced from outside. Additionally, we write $I$ in case neither analysis gives a definite answer. The set of variables whose value is $I$ in at least one location is denoted further as $Var_I$. The strict lifting of a valuation $\eta^\alpha$ to expressions is denoted by $[\![.]\!]_{\eta^\alpha}$.
We extend each data domain by the additional value $\top$, representing unknown, chaotic, data, i.e., we assume now domains such as $\mathbb{N}^\top = \mathbb{N} \cup \{\top\}$, $Bool^\top = Bool \cup \{\top\}$, $\ldots$, $D^\top = D \cup \{\top\}$, where we do not distinguish notationally the various types of chaotic values. These values $\top$ are considered as the largest values, i.e., we introduce $\leq$ as the smallest reflexive relation with $v \leq \top$ for all elements $v$ (separately for each domain). The strict lifting of a valuation $\eta^\natural$ ($\eta^\natural : Var \to D^\top$) to expressions is denoted by $[\![.]\!]_{\eta^\natural}$.
The transformation of untimed guards is straightforward: guards influenced by the environment are taken non-deterministically, i.e., a guard $g$ at a location $l$ is replaced by $true$ if $[\![g]\!]_{\eta^\alpha_l} = \top$. A guard $g$ whose value at a location $l$ is $I$ is treated dynamically on the extended data domain, i.e. it is replaced by $((g = true) \vee (g = \top))$. The guards whose value at a location is $\bot$ are left unmodified. Further, the transformed guards are denoted as $g^\natural$.
For assignments, we distinguish between the variables that carry the value $I$ in at least one location and the rest. Assignments of $\top$ to variables that take $I$ at no location are omitted (rule T-ASSIGN$^1$ of Table 12). Assignments of concrete values are left untouched and assignments to variables that are marked by $I$ in at least one location are performed on the extended data domain. If an assigned expression $e$ is guaranteed to be influenced from the outside, i.e., $[\![e]\!]_{\eta^\alpha_l} = \top$, we get rid of the expression and assign $\top$ directly (rule T-ASSIGN$^2$ of Table 12).
The interpretation of timer variables on the extended domain requires special attention. Chaos can influence timers only via the set-operation by setting it to a chaotic value in the on-state. Therefore, the domain of timer values contains the additional chaotic value $on(\top)$. Since we need the transformed system to show at least the behaviour of the original one, we must provide proper treatment of the rules involving $on(\top)$, i.e., the TIMEOUT-, the TDISCARD- and the TICK-rule of Table 9. As $on(\top)$ stands for any value of active timers, it must cover the cases where timeouts and timer discards are enabled (because
$$\text{T-NOTIMEOUT}:\ \frac{l \in Loc_i}{l \xrightarrow{t = on(\top) \rhd set\ t := \top^+} l \in Edg^\natural}$$
$$\text{T-SET}:\ \frac{l \xrightarrow{g \rhd set\ t := e} \hat l \in Edg \quad [\![e]\!]_{\eta^\alpha_l} = \top}{l \xrightarrow{g^\natural \rhd set\ t := \top} \hat l \in Edg^\natural}$$
$$\text{T-OUTPUT}_{ext}:\ \frac{c \in In_{env} \quad l \xrightarrow{g \rhd c!(s,e)} \hat l \in Edg}{l \xrightarrow{g^\natural \rhd skip} \hat l \in Edg^\natural}$$
$$\text{T-INPUT}^1_{ext}:\ \frac{l \xrightarrow{c?s(x)} \hat l \in Edg \quad s \in Sig_{ext} \quad x \in Var_I}{l \xrightarrow{g_{t_P} \rhd x := \top} \hat l \in Edg^\natural}$$
$$\text{T-INPUT}^2_{ext}:\ \frac{l \xrightarrow{c?s(x)} \hat l \in Edg \quad s \in Sig_{ext} \quad x \notin Var_I}{l \xrightarrow{g_{t_P} \rhd skip} \hat l \in Edg^\natural}$$
$$\text{T-NOINPUT}:\ \frac{l \in Loc_i}{l \xrightarrow{g_{t_P} \rhd set\ t_P := 1} l \in Edg^\natural}$$
$$\text{T-INPUT}_{int}:\ \frac{l \xrightarrow{c?s(x)} \hat l \in Edg \quad s \in Sig_{int} \quad x \notin Var_I \quad [\![x]\!]_{\eta^\alpha_l} = \top}{l \xrightarrow{c?s(\_)} \hat l \in Edg^\natural}$$
Table 12. Transformation
5.4 Program Transformation 113 
Fig. 17. Timer abstraction 
of the concrete value on(O)) as well as disabled (because of on(n) with n 2'. 1). 
The second one is necessary, since the enabledness of the tick steps depends on
the disabledness of timeouts and timer discards via the blocked-condition.
To distinguish the two cases, we introduce a refined abstract value on(⊤+)
for chaotic timers, representing all on-settings larger than or equal to 1 (see
Fig. 17). The order on the domain of timer values is given as the smallest
reflexive order relation such that on(0) ≤ on(⊤) and on(n) ≤ on(⊤+) ≤ on(⊤),
for all n ≥ 1. To treat the case where the abstract timer value on(⊤) denotes
absence of an immediate timeout, we add edges l →^{t = on(⊤)} ▷ set t := ⊤+ l ∈ Edg♯
which set the timer value back to ⊤+, representing a non-zero delay (rule
T-NOTIMEOUT of Table 12). Rule T-SET of Table 12 transforms setting a
timer to a value given by expression e into setting the timer to ⊤ if e is always
influenced by the environment. The decreasing operation needed in the TICKp-
rule of Table 9 is extended from the values on(ℕ) to on(⊤+) by
on(⊤+) − 1 = on(⊤). Note that the operation is left undefined on ⊤.
Timeout guards g_t are transformed into ((t = on(0)) ∨ (t = on(⊤))), denoted
further g_t♯.
Lemma 5.9.
Let S♯ be the LTS obtained by applying the rules of Table 9 and Table 6 to Spec♯.
Let (l, η♯) be a configuration of S♯. If (l, η♯) →tick, then ⟦t⟧η♯ ∉ {on(0), on(⊤)}
for all timers t.
Proof. If at least one timer has a value from {on(0), on(⊤)}, then either a timeout
(rule TIMEOUT of Table 9), or a discard of a timeout (rule TDISCARD of Table 9), or
setting the timer to on(⊤+) by rule T-NOTIMEOUT is enabled.
Since there is an enabled step, the system is not blocked and no tick-step is
possible. □
We have abstracted from data coming from outside, but so far the system
is still open. The rules T-INPUT¹ext, T-INPUT²ext, T-NOINPUT, T-INPUTint and
T-OUTPUText of Table 12 embed the chaotic environment's behaviour into the
system. Embedding concerns only communication statements. For communication
statements, we distinguish between signals going to or coming from the
environment and those exchanged within the system. Outputs to the outside
are skipped (rule T-OUTPUText). Outputs within the system are basically left
unmodified. If an expression e is guaranteed to be influenced from the outside,
i.e., ⟦e⟧η^σ_l = ⊤, we get rid of the expression and send ⊤ directly (rule
T-OUTPUTint of Table 12).
Inputs from the outside are treated similarly. However, we cannot just replace
an input from the environment by an unconditionally enabled assignment of
⊤ to the variable influenced by the input. It would render potential tick-steps
impossible by ignoring the situation in which the chaotic environment does not
send any message. The core of the problem is that with the timed semantics,
the chaotic environment does not just send streams of messages but "chaotically
timed" message streams, i.e. with ticks interspersed at arbitrary points.
We embed the chaotic nature of the environment by adding to each process
specification Spec_P a new timer variable t_P, used to guard the input from
outside. These timers behave in the same manner as the "chaotic" timers,
except that we do not allow the new t_P timers to become deactivated. The
expiration of timer t_P is expressed by the time guard (t_P = on(0)), denoted by
g_{t_P}. When guard g_{t_P} is true, a non-deterministic choice is made between the
assignment of the abstract value ⊤ to variable x (rule T-INPUT¹ext of Table 12)
and the setting of timer t_P that postpones inputs from the environment till the
next time slice (rule T-NOINPUT of Table 12). The transformation gets rid of
all expressions where at least one variable is guaranteed to be influenced from
the outside. Therefore, we skip the assignment of ⊤ to x if the variable x is
not an I variable (rule T-INPUT²ext of Table 12).
Since communication statements using the external signals and environment
input channels are replaced by skip in case of output and by assignment or skip
in case of input, the embedding yields a closed system specification which we
denote by Spec♯.
5.4.1 Preservation Result
Further, let Spec be a specification of the original system and Spec♯ be the
specification obtained as the result of the transformation of Spec according to
the rules of Table 12. Let S and S♯ be LTSs obtained by applying the rules
of Table 9 and Table 6 to Spec and Spec♯, respectively. Note that the rules of
Table 9 are lifted to data domains with ⊤ values. The relationship between the
original and the closed systems will be based on path inclusion up to stuttering
(Def. 2.28), i.e. S ⊨ φ if S♯ ⊨ φ for any next-free LTL formula φ mentioning
only variables never influenced by the environment. It will take the rest of this
section to establish this claim.
The set of variables Var♯ for S♯ equals the original Var, except that for
each process P of the system, a fresh timer variable t_P is added to its local
variables, i.e., Var♯ = Var ∪ {t_{P_1}, …, t_{P_n}}. Based on the data-flow analysis,
the transformation considers certain variable instances as chaotic and unreliable.
Hence, to compare the configurations of S and S♯, we have to take η^σ into
account. Variable instances that are not influenced by the environment should
have the same values in S and S♯. Variable instances whose value depends on
the system run should have the same value when they are reliable and ⊤ when
they are unreliable. By the transformation, we get rid of variable instances that
are guaranteed to be influenced from outside. In this case, we cannot relate a
value of the variable in S to its value in S♯. Therefore, we require ⟦x⟧η^σ = ⊤ for
such variable instances. Relative to a given analysis η^σ, we define the relation
≤ on valuations as follows.
Definition 5.5. RELATION ≤ ON VALUATIONS
Given η^σ, η ≤ η♯ iff the following conditions hold:
- for all process variables x ∈ Var: either ⟦x⟧η = ⟦x⟧η♯, or ⟦x⟧η♯ = ⊤, or
  ⟦x⟧η^σ = ⊤;
- for all timer variables t ∈ Var: ⟦t⟧η ≤ ⟦t⟧η♯.
Introducing the additional ⊤-value renders a system less deterministic. Before
proving the corresponding branching simulation lemmas, the next lemmas
state monotonicity of the semantics of expressions, monotonicity of updating a
valuation, and preservation of the ≤-relation by the count-down operation on
timers.
Lemma 5.10.
Let e be an arbitrary expression and η and η♯ two valuations Var → D and
Var → D_⊤. Then η ≤ η♯ implies ⟦e⟧η ≤ ⟦e⟧η♯.
Proof. Straightforward. □
Lemma 5.11.
If η ≤ η♯ and v ≤ v_⊤, then η[x ↦ v] ≤ η♯[x ↦ v_⊤].
Proof. Straightforward. □
Lemma 5.12.
Assume η ≤ η♯ with ⟦t⟧η ≠ on(0) and ⟦t⟧η♯ ∉ {on(0), on(⊤)} for all timers
t ∈ Var. Then η[t ↦ (t − 1)] ≤ η♯[t ↦ (t − 1)].
Proof. The ≤-relation on valuations is defined by pointwise lifting of the
corresponding relation on the values. The preservation result for single timer
variables follows directly from the definition of ≤ on the domain {off, on(n) |
n ∈ ℕ_⊤ ∪ {⊤+}} and the definition of the decreasing operation "−" on this
domain. □
Before relating traces of the original system to traces of the closed one,
we define order relations on configurations. To relate states from Loc × Val
with those from Loc♯ × Val♯, we define the relation ≤ on states as the smallest
relation such that (l, η) ≤ (l, η♯) if η ≤ η♯.
Definition 5.6. RELATION ≤ ON PROCESS STATES
Let Spec_P be a process specification, and Spec_P♯ be the process specification
obtained by transforming Spec_P according to the rules of Table 12. Let P and P♯
be LTSs built by applying the rules of Table 9 to Spec_P and Spec_P♯, respectively.
Let σ = (l, η) and σ♯ = (l, η♯) be states of P and P♯, respectively. We write
σ ≤ σ♯ iff η ≤ η♯.
Definition 5.7. RELATION ≤ ON MESSAGES
Messages from M = Sig × Id × D_⊤ are related by ≤ as follows:
s(pid, v) ≤ s(pid, v_⊤) if v ≤ v_⊤.
Comparing queues modelling channels, external messages are ignored. The
internal messages must coincide w.r.t. signals. The values parameterizing the
internal messages must be related by the ≤-relation, i.e. queues q and q♯ are
related by ≤ iff q♯ is q with all messages from the environment projected out.
Definition 5.8. RELATION ≤ ON QUEUES
We define ≤ on queues inductively as follows:
- ε ≤ ε,
- s(env, v)::q ≤ q♯ iff q ≤ q♯,
- s(pid, v)::q ≤ s(pid, v_⊤)::q♯ iff v ≤ v_⊤, q ≤ q♯ and pid ≠ env.
Since the transformation skips all the outputs to the environment, queues
modelling input channels of the environment are always empty in the closed
system. We could remove those queues from the closed system, as is done in
the implementation of our approach (see Sec. 5.5). For the sake of readability,
we keep them here.
Definition 5.9. RELATION ≤ ON CHANNEL STATES
Relation ≤ on channel states is defined as follows:
- (c, q) ≤ (c, q♯) if q ≤ q♯ and c ∉ In_env;
- (c, q) ≤ (c, ε) if c ∈ In_env.
The definitions of ≤ are extended to configurations in the obvious manner.
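The relations of Def. 5.7 (messages), Def. 5.8 (queues) and Def. 5.9 (channel states) carried out on constructed queues, as an added example that is not part of the thesis; the value order v ≤ v_⊤ (equal concrete values, or v_⊤ = ⊤) and all names (Msg, ENV, queue_leq, channel_leq) are this example's assumptions.

```python
# Added example, not from the thesis: Defs. 5.7-5.9 on constructed queues.
# A value is a concrete Python value or TOP; v <= v_TOP iff v == v_TOP or
# v_TOP == TOP (assumed order on D_TOP). Names are this example's own.
from dataclasses import dataclass
from typing import Any, FrozenSet, List

TOP = "TOP"   # the chaotic value of D_TOP
ENV = "env"   # identity of the environment


@dataclass(frozen=True)
class Msg:
    sig: str     # signal s
    pid: str     # sender identity
    val: Any     # parameter value v (or TOP in the closed system)


def value_leq(v: Any, v_top: Any) -> bool:
    """Order on D_TOP: equal concrete values, or anything below TOP."""
    return v == v_top or v_top == TOP


def msg_leq(m: Msg, m_top: Msg) -> bool:
    """Def. 5.7: s(pid, v) <= s(pid, v_TOP) if v <= v_TOP."""
    return m.sig == m_top.sig and m.pid == m_top.pid and value_leq(m.val, m_top.val)


def queue_leq(q: List[Msg], q_top: List[Msg]) -> bool:
    """Def. 5.8, by induction on q: messages from the environment in q are
    projected out, every other message needs a related counterpart in q_top."""
    if not q:
        return not q_top                       # eps <= eps only
    head, rest = q[0], q[1:]
    if head.pid == ENV:
        return queue_leq(rest, q_top)          # s(env, v)::q <= q# iff q <= q#
    # s(pid, v)::q <= s(pid, v_TOP)::q# iff v <= v_TOP, q <= q# and pid != env
    return bool(q_top) and msg_leq(head, q_top[0]) and queue_leq(rest, q_top[1:])


def channel_leq(c: str, q: List[Msg], q_top: List[Msg], in_env: FrozenSet[str]) -> bool:
    """Def. 5.9: input channels of the environment are empty in the closed
    system; every other channel is compared with queue_leq."""
    if c in in_env:
        return not q_top
    return queue_leq(q, q_top)


if __name__ == "__main__":
    # Constructed sample: two environment messages around one internal one.
    q = [Msg("req", ENV, 7), Msg("data", "p1", 3), Msg("ack", ENV, 0)]
    print(queue_leq(q, [Msg("data", "p1", TOP)]))   # True
```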
Definition 5.10. RELATION ≤ ON CONFIGURATIONS
Let Spec be a specification, and Spec♯ be the specification obtained by
transforming Spec according to the rules of Table 12. Let S and S♯ be LTSs built
by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules
of Table 6 to Spec and Spec♯, respectively. We write γ ≤ γ♯ for configurations
γ = (γ_1, …, γ_n) and γ♯ = (γ♯_1, …, γ♯_n) of S and S♯, respectively, iff γ_i ≤ γ♯_i for
all i = 1..n.
Lemma 5.13.
Let Spec be a specification, and Spec♯ be the specification obtained by
transforming Spec according to the rules of Table 12. Let η ≤ η♯ be two valuations.
1. Let g be a guard of an edge in Spec originating in location l and g♯ its
analogue in Spec♯. If ⟦g⟧η = true, then ⟦g♯⟧η♯ = true.
2. Let t be a timer in Spec. If ⟦t⟧η = on(0), then ⟦t⟧η♯ ∈ {on(0), on(⊤)}.
Proof. Follows directly from Def. 5.10 and the transformation of guards. □
Note that we are interested in the preservation of properties that can be
expressed by LTL-X formulas. Formulas of LTL-X are interpreted over Kripke
structures (see Sec. 2.3), thus the ≤-relation on configurations could be enough
to establish our claim about preservation. To keep the proofs of this section
more intuitive, we also define the observable effect and the ≤-relation on labels.
The observable effect renames to τ the labels concerning communication with
the environment.
Definition 5.11. OBSERVABLE EFFECT
The observable effect ⌜·⌝: Lab → Lab on labels of system S is given by the
following equations:
\[
\begin{aligned}
\ulcorner c?s(pid, v) \urcorner &= \begin{cases} \tau & \text{if } pid = env \text{ or } c \in In_{env} \\ c?s(pid, v) & \text{otherwise} \end{cases} \\
\ulcorner c!s(pid, v) \urcorner &= \begin{cases} \tau & \text{if } pid = env \text{ or } c \in In_{env} \\ c!s(pid, v) & \text{otherwise} \end{cases} \\
\ulcorner tick \urcorner &= tick
\end{aligned}
\]
The observable effect ⌜·⌝: Lab → Lab on labels of system S♯ is given by the
identity function.
Definition 5.12. RELATION ≤ ON LABELS
Relation ≤ on labels is the smallest relation ≤ ⊆ Lab × Lab such that
- τ ≤ τ,
- tick ≤ tick, and
- c?s(pid, v) ≤ c?s(pid, v_⊤) as well as c!s(pid, v) ≤ c!s(pid, v_⊤) iff v ≤ v_⊤.
Further, we show that for each trace ζ of S there is a trace χ of S♯ having the
same stuttering-free projection as ζ. It guarantees that we may transfer positive
verification results from the closed system to the original one for properties that
can be expressed by LTL-X formulas mentioning only variables not influenced
by the environment. First, we define a trace equivalence relating traces of S to
traces of S♯.
Definition 5.13.
Let ζ be a trace of S and χ be a trace of S♯. We write ζ ≡_R χ iff there is
R ⊆ ℕ × ℕ such that (0, 0) ∈ R and
(i, j) ∈ R implies that ζ_γ(i) ≤ χ_γ(j) and that one of the following conditions
holds:
1. ζ_λ(i + 1) ∈ {c_i!s(pid, v), c_o?s(env, v) | c_i ∈ In_env},
   ζ_γ(i + 1) ≤ χ_γ(j) and (i + 1, j) ∈ R;
2. ζ_λ(i + 1) ∉ {c_i!s(pid, v), c_o?s(env, v) | c_i ∈ In_env},
   ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝, ζ_γ(i + 1) ≤ χ_γ(j + 1) and (i + 1, j + 1) ∈ R;
3. ζ_λ(i + 1) = tick, χ_λ(j + m) = tick, ζ_γ(i + 1) ≤ χ_γ(j + m),
   (i + 1, j + m) ∈ R, and for all 1 ≤ k < m: χ_λ(j + k) = τ, ζ_γ(i) ≤ χ_γ(j + k)
   and (i, j + k) ∈ R.
We write S ≾_R S♯ iff for each trace ζ of S there is a trace χ of S♯ such
that ζ ≡_R χ for some R ⊆ ℕ × ℕ.
We illustrate conditions 1, 2 and 3 of Def. 5.13 by Fig. 18, 19 and 20 respectively.
For all three examples, we assume that ζ^(i) ≡_R χ^(j) for some R ⊆ ℕ × ℕ.
By Def. 5.13, (i, j) ∈ R, and thus ζ_γ(i) ≤ χ_γ(j).
Fig. 18. Skipping communication with the environment
In Fig. 18, we assume that the (i + 1)th step of ζ is the step c_o?s(env, v) receiving
message s(env, v) from the environment. Closing embeds the effects of consuming
messages from the environment into the system and skips external communication.
Condition 1 of Def. 5.13 reflects this. The c_o?s(env, v)-step does not change
the values of the variables, and so the configuration ζ_γ(i + 1) reached by the
step is in the ≤-relation with χ_γ(j). We add (i + 1, j) to R, and thus obtain
ζ^(i+1) ≡_R χ^(j) for the extended R.
Each step of S that is not a tick-step and not a communication with the
environment is mimicked by the same step of S♯, having an effect related by
the ≤-relation. In Fig. 19, we assume that the (i + 1)th step of ζ is a τ-step
consuming message s(pid, v) from the queue modelling channel c, and that
value v is influenced by the environment, i.e. it is abstracted to ⊤ in S♯.
Fig. 19. Mimicking τ-steps
Since ζ_γ(i) ≤ χ_γ(j), consuming message s(pid, v) in S can be mimicked by
consuming message s(pid, ⊤) in S♯. The (i + 1)th step of ζ leads to a change of
location and of the valuation of the variable x to v. The mimicking (j + 1)th step
of χ changes the location in the same way and modifies the valuation of x to ⊤,
and so ζ_γ(i + 1) ≤ χ_γ(j + 1). We add (i + 1, j + 1) to R, and thus get
ζ^(i+1) ≡_R χ^(j+1) for the extended R.
Fig. 20. Mimicking a tick-step
In Fig. 20, we assume that ζ^(i) ≡_R χ^(j) for some R ⊆ ℕ × ℕ, and that the
(i + 1)th step of ζ is a tick-step. We also assume that timer t is influenced by the
environment.
System S is blocked in ζ_γ(i); however, blocked(χ_γ(j)) is not necessarily true.
In the closed system, timer t can be in state on(⊤), and the special timer t_P added
by the transformation is on(0) in χ_γ(j). To be able to mimic the tick-step,
we should reach a configuration where S♯ is blocked as well. Timers having
value on(⊤) should be set to on(⊤+) (see rule T-NOTIMEOUT in Table 13).
Special timers t_P added by the transformation should be set to on(1) (see
rule T-NOINPUT in Table 13).
First we take a τ-step suspending a timeout of timer t, i.e. setting t to
on(⊤+). The configuration χ_γ(j + 1) reached by this step is in relation ≤ with
ζ_γ(i). We add (i, j + 1) to R.
In system S♯, we do not take the step setting the special process timers t_P to
on(1) until we have to mimic a tick-step of S. By a τ-step, we set timer t_P to on(1).
The configuration χ_γ(j + 2) reached by this step is in relation ≤ with ζ_γ(i).
We add (i, j + 2) to R.
Now system S♯ is blocked, and we may take a tick-step in S♯. The configuration
χ_γ(j + 3) reached by this step is in relation ≤ with ζ_γ(i + 1). We add
(i + 1, j + 3) to R, and thus obtain ζ^(i+1) ≡_R χ^(j+3) for some R ⊆ ℕ × ℕ.
Let π_ζ and π_χ be the paths corresponding to traces ζ and χ respectively, i.e.
π_ζ = ζ_γ(0) ζ_γ(1) … and π_χ = χ_γ(0) χ_γ(1) …. Next, we show that ζ ≡_R χ for
some R ⊆ ℕ × ℕ implies π_ζ ≡_st π_χ.
Lemma 5.14.
Let ζ and χ be traces of S and S♯ respectively. Let ζ ≡_R χ for some relation
R ⊆ ℕ × ℕ. Let ℒ: Γ → 2^P and ℒ♯: Γ♯ → 2^P be interpretation functions, P be
the set of atomic propositions that mention only variables never influenced by
the environment, and Γ and Γ♯ be the sets of configurations of S and S♯ respectively.
Then π_ζ ≡_st π_χ.
Proof. Since ζ ≡_R χ for some R ⊆ ℕ × ℕ, (0, 0) ∈ R by Def. 5.13. By Def. 5.13,
ℒ(Pr(π_ζ)(0)) = ℒ♯(Pr(π_χ)(0)).
Assume that ζ^(i) ≡_R χ^(j), and that the prefixes ζ^(i) and χ^(j) have the same
stuttering-free projection. That means |Pr(π_{ζ^(i)})| = |Pr(π_{χ^(j)})| and that for all
0 ≤ k ≤ |Pr(π_{ζ^(i)})|, ℒ(Pr(π_{ζ^(i)})(k)) = ℒ♯(Pr(π_{χ^(j)})(k)) (cf. Def. 2.27). Since
ζ ≡_R χ, ζ^(i+1) ≡_R χ^(j+m) for some m ≥ 0 (cf. Def. 5.13).
Further, we show that for each prefix ζ^(i+1) there is a prefix χ^(j+m) for
some m such that ζ^(i+1) ≡_R χ^(j+m), and ζ^(i+1) and χ^(j+m) have the same
stuttering-free projection. We proceed by a case analysis on conditions 1, 2
and 3 of Def. 5.13.
Case: condition 1
Assume that the (i + 1)th step of ζ is a communication with the environment,
i.e. ζ_λ(i + 1) ∈ {c_i!s(pid, v), c_o?s(env, v) | c_i ∈ In_env}. The (i + 1)th step of ζ
does not change the valuation of the variables not influenced by the environment.
It only adds (removes) messages to (from) queues modelling channels. Therefore,
we may conclude that |Pr(π_{ζ^(i+1)})| = |Pr(π_{χ^(j)})| and ℒ(Pr(π_{ζ^(i+1)})(k)) =
ℒ♯(Pr(π_{χ^(j)})(k)) for all 0 ≤ k ≤ |Pr(π_{ζ^(i+1)})| (cf. Def. 2.26 and Def. 2.27).
Case: condition 2
Assume that the (i + 1)th step of ζ is neither a communication with the
environment nor a tick-step, i.e. ζ_λ(i + 1) ∉ {tick, c_i!s(pid, v), c_o?s(env, v) |
c_i ∈ In_env}. By Def. 5.13, both ζ_γ(i) ≤ χ_γ(j) and ζ_γ(i + 1) ≤ χ_γ(j + 1).
Thus ℒ(ζ_γ(i)) = ℒ♯(χ_γ(j)) and ℒ(ζ_γ(i + 1)) = ℒ♯(χ_γ(j + 1)). Therefore,
|Pr(π_{ζ^(i+1)})| = |Pr(π_{χ^(j+1)})| and ℒ(Pr(π_{ζ^(i+1)})(k)) = ℒ♯(Pr(π_{χ^(j+1)})(k)) for
all 0 ≤ k ≤ |Pr(π_{ζ^(i+1)})| (cf. Def. 2.26 and Def. 2.27).
Case: condition 3
Assume that the (i + 1)th step of ζ is a tick-step. By Def. 5.13, for all 0 ≤ n < m,
ζ_γ(i) ≤ χ_γ(j + n) and ζ_γ(i + 1) ≤ χ_γ(j + m). Thus, for all 0 ≤ n < m, ℒ(ζ_γ(i)) =
ℒ♯(χ_γ(j + n)) and ℒ(ζ_γ(i + 1)) = ℒ♯(χ_γ(j + m)). Therefore, we may conclude
that |Pr(π_{ζ^(i+1)})| = |Pr(π_{χ^(j+m)})| and ℒ(Pr(π_{ζ^(i+1)})(k)) = ℒ♯(Pr(π_{χ^(j+m)})(k))
for all 0 ≤ k ≤ |Pr(π_{ζ^(i+1)})| (cf. Def. 2.27).
We demonstrated that for each prefix ζ^(i+1) there is a prefix χ^(j+m) for
some m such that ζ^(i+1) ≡_R χ^(j+m), and ζ^(i+1) and χ^(j+m) have the same
stuttering-free projection. ζ and χ are infinite, and thus we may conclude that
they have the same stuttering-free projections. □
Lemma 5.15.
Let Spec_P be a process specification, and Spec_P♯ be the process specification
obtained by transforming Spec_P according to the rules of Table 12. Let P and P♯
be LTSs built by applying the rules of Table 9 to Spec_P and Spec_P♯, respectively.
Let σ = (l, η) and σ♯ = (l, η♯) be configurations of P and P♯, respectively, such
that σ ≤ σ♯. If blocked(σ), then there exists σ♯ = σ♯_0 →_τ σ♯_1 →_τ … →_τ σ♯_n
for some configurations σ♯_i and some n ≥ 0 such that σ ≤ σ♯_i for all i, and
blocked(σ♯_n).
Proof. Let σ = (l, η) and blocked(σ). By Lemma 5.2, none of the timers in P
has the value on(0). Since σ ≤ σ♯, it can be the case that some timers of P♯
have value on(⊤) in σ♯ (cf. Def. 5.5). Moreover, timer t_P can have the value
on(0) in σ♯. It means that P♯ is not blocked in σ♯.
We consider only well-formed specifications, hence S can be blocked only
in input locations. Since l is an input location, nothing except an input step
or a τ-step mimicking an input from the environment or a timeout may take
place in σ♯. According to rule T-NOTIMEOUT of Table 12, there is an edge
l →^{t = on(⊤)} ▷ set t := ⊤+ l ∈ Edg♯ for each timer t in each location. By rule SET
of Table 9, we take a step (l, η♯) →_τ (l, η♯[t ↦ on(⊤+)]) for each timer t having
value on(⊤) in σ♯. The states σ♯_i reachable by these steps are still in relation
≤ with σ (cf. Def. 5.5).
After all timers that were in state on(⊤) are set to on(⊤+), we also need
to set t_P to on(1). According to the rule T-NOINPUT of Table 12, there is an
edge l →^{g_{t_P}} ▷ set t_P := 1 l ∈ Edg♯. By rule SET of Table 9, we set timer t_P to
on(1) by the τ-step (l, η♯) →_τ (l, η♯[t_P ↦ on(1)]). State σ♯_n of P♯ is still in relation
≤ with σ. All the timers of P♯ have either a nonzero value or value on(⊤+)
and there are no other enabled transitions, and so blocked(σ♯_n). □
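As an added example (not the thesis's own code), the timer domain of Fig. 17 with its order, count-down and transformed timeout guard g_t♯, together with the τ-steps of Lemma 5.15 that make the closed process blocked before it mimics a tick as in Fig. 20, checked against Lemma 5.12 on a constructed valuation; the names TOP, TOP_PLUS, T_P and the dictionary encoding of timer valuations are assumptions of the example.

```python
# Added example, not taken from the thesis: the abstract timer domain of
# Sec. 5.4 ({off, on(n)} extended with on(TOP) and on(TOP+)), the order of
# Fig. 17, the count-down of the TICK rule, the transformed timeout guard
# g_t#, and the tau-steps of Lemma 5.15. All names are this example's own.
from typing import Dict, Union

OFF = "off"
TOP = "TOP"        # on(TOP): chaotic, any active timer value
TOP_PLUS = "TOP+"  # on(TOP+): chaotic but >= 1, so no immediate timeout
T_P = "t_P"        # the process timer added by the transformation

# A timer value is OFF, TOP, TOP_PLUS, or a natural number n standing for on(n).
Timer = Union[str, int]
Valuation = Dict[str, Timer]


def leq(a: Timer, b: Timer) -> bool:
    """Smallest reflexive order with on(0) <= on(TOP) and
    on(n) <= on(TOP+) <= on(TOP) for all n >= 1."""
    if a == b:
        return True
    if b == TOP:
        return a != OFF                    # every on-value is below on(TOP)
    if b == TOP_PLUS:
        return isinstance(a, int) and a >= 1
    return False


def decrement(t: Timer) -> Timer:
    """Count-down of an active timer during a tick, extended by
    on(TOP+) - 1 = on(TOP); undefined on on(TOP), on(0) and off."""
    if isinstance(t, int):
        if t == 0:
            raise ValueError("a timer at on(0) must time out before a tick")
        return t - 1
    if t == TOP_PLUS:
        return TOP
    raise ValueError(f"count-down undefined on {t}")


def timeout_guard(t: Timer) -> bool:
    """Transformed timeout guard g_t#: (t = on(0)) or (t = on(TOP))."""
    return t == 0 or t == TOP


def blocked(eta: Valuation) -> bool:
    """Blocked: no timeout, timer discard, T-NOTIMEOUT or T-NOINPUT
    step is enabled, i.e. no timer satisfies g_t# (cf. Lemma 5.9)."""
    return not any(timeout_guard(v) for v in eta.values())


def valuation_leq(eta: Valuation, eta_sharp: Valuation) -> bool:
    """Pointwise lifting of leq to the timers of the original valuation;
    t_P exists only in the closed system and is not constrained."""
    return all(leq(v, eta_sharp[t]) for t, v in eta.items())


def reach_blocked(eta_sharp: Valuation) -> Valuation:
    """Lemma 5.15 construction: every timer at on(TOP) is set to on(TOP+)
    (rule T-NOTIMEOUT), then t_P is set from on(0) to on(1) (T-NOINPUT).
    Blocked afterwards, provided no concrete timer is at on(0)."""
    out = dict(eta_sharp)
    for t, v in out.items():
        if t != T_P and v == TOP:
            out[t] = TOP_PLUS                  # tau-step: set t := TOP+
    if out.get(T_P) == 0:
        out[T_P] = 1                           # tau-step: set t_P := 1
    if not blocked(out):
        raise ValueError("a concrete timer is at on(0); it must time out first")
    return out


def tick(eta: Valuation) -> Valuation:
    """The TICK rule: count down every active timer of a blocked valuation."""
    if not blocked(eta):
        raise ValueError("tick is enabled only in a blocked configuration")
    return {t: (v if v == OFF else decrement(v)) for t, v in eta.items()}


def mimic_tick(eta: Valuation, eta_sharp: Valuation) -> Valuation:
    """Mimic a tick of the original process as in Fig. 20: reach a blocked
    closed valuation, tick both sides, and check that leq survives the
    count-down (Lemma 5.12). Returns the closed valuation after the tick."""
    if not blocked(eta) or not valuation_leq(eta, eta_sharp):
        raise ValueError("premises of Lemma 5.15 violated")
    before = reach_blocked(eta_sharp)
    assert valuation_leq(eta, before)          # the tau-steps keep eta <= eta#
    after, after_sharp = tick(eta), tick(before)
    assert valuation_leq(after, after_sharp)   # Lemma 5.12
    return after_sharp


if __name__ == "__main__":
    # Constructed sample: timer t is at on(5) in P and chaotic in P#, and the
    # added t_P has expired, so P# is not blocked yet (the situation of Fig. 20).
    print(mimic_tick({"t": 5}, {"t": TOP, T_P: 0}))   # {'t': 'TOP', 't_P': 0}
```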
Lemma 5.16.
Let Spec_P be a process specification, and Spec_P♯ be the process specification
obtained by transforming Spec_P according to the rules of Table 12. Let P and P♯
be LTSs built by applying the rules of Table 9 to Spec_P and Spec_P♯, respectively.
Then for each trace ζ of P there is a trace χ of P♯ such that ζ ≡_R χ for some
R ⊆ ℕ × ℕ.
Proof. Here, we show that for any trace ζ of P, we can build a trace χ of
P♯ such that ζ ≡_R χ for some R ⊆ ℕ × ℕ. Initially, all variables have the
same initial values and all the timers are deactivated both in P and in P♯,
hence σ_0 ≤ σ♯_0 for the initial configurations σ_0 and σ♯_0 of P and P♯, respectively.
Therefore, R is initialized as {(0, 0)}. Further, we proceed by induction on the
length of ζ. Each step of P is mimicked by a step of P♯ so that the conditions of
Def. 5.13 are satisfied, and the configurations reached by the original step and the
mimicking step are related by ≤.
Assume that (i, j) ∈ R. Now we proceed with a case analysis on the rules
of Table 9.
Case: INPUT
Here we have to consider two cases: (i) process P receives a message from
another process within the system; (ii) process P receives a message from the
environment.
Subcase: s(pid, v), pid ≠ env
Let the (i + 1)th step of ζ be (l, η) →_{c_i?s(pid,v)} (l̂, η[x ↦ v]). Let ζ_γ(i) = (l, η),
ζ_λ(i + 1) = c_i?s(pid, v), and ζ_γ(i + 1) = (l̂, η[x ↦ v]). By rule INPUT of Table 9,
we have l →^{c?s(x)} l̂ ∈ Edg.
If x ∉ Var_I and ⟦x⟧η^σ_{l̂} = ⊤, we get l →^{c?s(_)} l̂ ∈ Edg♯ by rule T-INPUTint
of Table 12. By rule INPUT of Table 9, we obtain the following mimicking
step (l, η♯) →_{c_i?s(pid,v_⊤)} (l̂, η♯) and define χ_γ(j + 1) = (l̂, η♯) and χ_λ(j + 1) =
c_i?s(pid, v_⊤), where v ≤ v_⊤, and add (i + 1, j + 1) to R. ⟦x⟧η^σ_{l̂} = ⊤ and
ζ_γ(i) ≤ χ_γ(j), hence ζ_γ(i + 1) ≤ χ_γ(j + 1) and the conditions of Def. 5.13 are
satisfied.
Otherwise, the input edge is left unmodified and it is straightforward to
show that we can mimic the (i + 1)th step of ζ by the (j + 1)th step of χ, so
that the conditions of Def. 5.13 are satisfied.
Subcase: s(env, v)
Assume that the (i + 1)th step of ζ is (l, η) →_{c_i?s(env,v)} (l̂, η[x ↦ v]), i.e. ζ_γ(i) =
(l, η), ζ_λ(i + 1) = c_i?s(env, v), and ζ_γ(i + 1) = (l̂, η[x ↦ v]). By rule INPUT of
Table 9, we have l →^{c?s(x)} l̂ ∈ Edg.
If x ∈ Var_I, we get l →^{g_{t_P}} ▷ x := ⊤ l̂ ∈ Edg♯ by rule T-INPUT¹ext of Table 12.
By rule INPUT of Table 9, we obtain the mimicking step (l, η♯) →_τ (l̂, η♯[x ↦ ⊤]).
We define χ_λ(j + 1) = τ, χ_γ(j + 1) = (l̂, η♯[x ↦ ⊤]). Here ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝.
Since ζ_γ(i) ≤ χ_γ(j) and the mimicking step assigns ⊤ to x, ζ_γ(i + 1) ≤ χ_γ(j + 1).
We add (i + 1, j + 1) to R. The conditions of Def. 5.13 are satisfied.
If x ∉ Var_I, we get l →^{g_{t_P}} ▷ skip l̂ ∈ Edg♯ by rule T-INPUT²ext of Table 12.
Since skip changes the location only, we obtain the mimicking step (l, η♯) →_τ (l̂, η♯).
We define χ_λ(j + 1) = τ, χ_γ(j + 1) = (l̂, η♯), so ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝.
Moreover, ⟦x⟧η^σ_{l̂} = ⊤, because x ∉ Var_I and s ∈ Sig_ext (see the must-analysis
in Section 5.3). Therefore, ζ_γ(i + 1) ≤ χ_γ(j + 1). We also add (i + 1, j + 1) to
R. The conditions of Def. 5.13 are satisfied.
Case: DISCARD
Analogous to the case INPUT above.
Case: OUTPUT
Assume that the (i + 1)th step of ζ is (l, η) →_{c_o!s(pid,v)} (l̂, η), i.e. ζ_γ(i) = (l, η),
ζ_λ(i + 1) = c_o!s(pid, v), and ζ_γ(i + 1) = (l̂, η). By rule OUTPUT of Table 9, we
have l →^g ▷ c!(s, e) l̂ ∈ Edg. Here we have to consider two sub-cases: (i) process
P sends a message to some process within the system; (ii) process P sends a
message to the environment.
Subcase: c ∉ In_env
Process P sends a message to some process within the system.
If ⟦e⟧η^σ_l = ⊤ and s ∉ Sig_ext, we obtain l →^{g♯} ▷ c!(s, ⊤) l̂ ∈ Edg♯ by rule
T-OUTPUTint of Table 12. Since ζ_γ(i) ≤ χ_γ(j), ⟦g♯⟧η♯ = true by Lemma 5.13.
By rule OUTPUT of Table 9, we get (l, η♯) →_{c_o!s(pid,⊤)} (l̂, η♯), i.e. the output
in P is mimicked by the output in P♯. We define χ_λ(j + 1) = c_o!s(pid, ⊤) and
χ_γ(j + 1) = (l̂, η♯). Since v ≤ ⊤, ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝ holds for labels. Since
ζ_γ(i) ≤ χ_γ(j) and the output step of the original system and the mimicking
step of the closed one change only the location, ζ_γ(i + 1) ≤ χ_γ(j + 1). We add
the pair (i + 1, j + 1) to R. The conditions of Def. 5.13 are satisfied.
If ⟦e⟧η^σ_l ≠ ⊤, then only the guard of the output edge is transformed and
l →^{g♯} ▷ c!(s, e) l̂ ∈ Edg♯. Since ζ_γ(i) ≤ χ_γ(j), ⟦g♯⟧η♯ is true by Lemma 5.13 and
⟦e⟧η ≤ ⟦e⟧η♯ by Lemma 5.11. By rule OUTPUT of Table 9, we get the transition
(l, η♯) →_{c_o!s(pid,v_⊤)} (l̂, η♯), where v_⊤ = ⟦e⟧η♯. The output in P is mimicked by
the output in P♯. We define χ_λ(j + 1) = c_o!s(pid, v_⊤) and χ_γ(j + 1) = (l̂, η♯).
Since ⟦e⟧η ≤ ⟦e⟧η♯, ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝ holds for labels. Since the output
step of the original system and the mimicking step of the closed one change
only the location and ζ_γ(i) ≤ χ_γ(j), ζ_γ(i + 1) ≤ χ_γ(j + 1). We add the pair
(i + 1, j + 1) to R. The conditions of Def. 5.13 are satisfied.
Subcase: c ∈ In_env
In this case, process P sends a message to the environment.
The transformation changes all outputs to the environment to skip-actions.
By rule T-OUTPUText of Table 12, we obtain l →^{g♯} ▷ skip l̂ ∈ Edg♯. Since
ζ_γ(i) ≤ χ_γ(j), ⟦g♯⟧η♯ is true by Lemma 5.13. The output to the environment
in P is mimicked by (l, η♯) →_τ (l̂, η♯) in P♯. We define χ_λ(j + 1) = τ and
χ_γ(j + 1) = (l̂, η♯). ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝ holds for labels. Since ζ_γ(i) ≤ χ_γ(j)
and the output step of the original system and the mimicking step of the closed
one change only the location, ζ_γ(i + 1) ≤ χ_γ(j + 1). We add the pair (i + 1, j + 1)
to R. The conditions of Def. 5.13 are satisfied.
Case: ASSIGN
Assume that the (i + 1)th step of ζ is (l, η) →_τ (l̂, η[x ↦ v]), i.e. ζ_γ(i) = (l, η),
ζ_λ(i + 1) = τ, and ζ_γ(i + 1) = (l̂, η[x ↦ v]). By rule ASSIGN of Table 9, we get
l →^g ▷ x := e l̂ ∈ Edg. Here we should consider three cases: (i) expression e is
guaranteed to be influenced by the environment and the value of x is not used
until it gets a reliable value, i.e. x ∉ Var_I; (ii) expression e is guaranteed to be
influenced by the environment and variable x can be present in expressions or
guards that should be treated dynamically, i.e. x ∈ Var_I; (iii) otherwise.
Subcase: ⟦e⟧η^σ_l = ⊤ and x ∉ Var_I
By rule T-ASSIGN1 of Table 12, we obtain l →^{g♯} ▷ skip l̂ ∈ Edg♯. ⟦g♯⟧η♯ is
true by Lemma 5.13, because ζ_γ(i) ≤ χ_γ(j). Therefore the assignment in P
can be mimicked by (l, η♯) →_τ (l̂, η♯) in P♯. We define χ_λ(j + 1) = τ and
χ_γ(j + 1) = (l̂, η♯). ⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝ holds for labels. Since x ∉ Var_I,
⟦e⟧η^σ_l = ⊤ and ζ_γ(i) ≤ χ_γ(j), we get ζ_γ(i + 1) ≤ χ_γ(j + 1). We add the pair
(i + 1, j + 1) to R. The conditions of Def. 5.13 are satisfied.
Subcase: ⟦e⟧η^σ_l = ⊤ and x ∈ Var_I
By rule T-ASSIGN2 of Table 12, we obtain l →^{g♯} ▷ x := ⊤ l̂ ∈ Edg♯. Since
ζ_γ(i) ≤ χ_γ(j), ⟦g♯⟧η♯ is true by Lemma 5.13. By rule ASSIGN of Table 9, the
assignment in P can be mimicked by the assignment (l, η♯) →_τ (l̂, η♯[x ↦ ⊤])
in P♯. We define χ_λ(j + 1) = τ and χ_γ(j + 1) = (l̂, η♯[x ↦ ⊤]). Moreover,
⌜ζ_λ(i + 1)⌝ ≤ ⌜χ_λ(j + 1)⌝ holds for labels.
The assignment step of the original system changes the value of x to v and
the mimicking step of the closed system changes the value of x to ⊤. Since
ζ_γ(i) ≤ χ_γ(j) and v ≤ ⊤, ζ_γ(i + 1) ≤ χ_γ(j + 1). We add the pair (i + 1, j + 1)
to R. The conditions of Def. 5.13 are satisfied.
Subcase: ⟦e⟧η^σ_l ≠ ⊤
If ⟦e⟧η^σ_l ≠ ⊤, only the guard of the assignment is modified by the transformation,
i.e. l →^{g♯} ▷ x := e l̂ ∈ Edg♯. Since ζ_γ(i) ≤ χ_γ(j), ⟦g♯⟧η♯ is true by
Lemma 5.13. By Lemma 5.11, ⟦e⟧η ≤ ⟦e⟧η♯ and v_⊤ = ⟦e⟧η♯. By rule ASSIGN
of Table 9, the assignment in P can be mimicked by (l, η♯) →_τ (l̂, η♯[x ↦ v_⊤]) in
P♯. We define χ_λ(j + 1) = τ and χ_γ(j + 1) = (l̂, η♯[x ↦ v_⊤]). Since ζ_γ(i) ≤ χ_γ(j)
and ⟦e⟧η ≤ ⟦e⟧η♯, ζ_γ(i + 1) ≤ χ_γ(j + 1). We add the pair (i + 1, j + 1) to R.
The conditions of Def. 5.13 are satisfied.
Case: SET
Assume that the $(i+1)$th step of $\zeta$ is $(l, \eta) \to_\tau (\hat l, \eta[t \mapsto on(v)])$, i.e. $\zeta_\gamma(i) = (l, \eta)$, $\zeta_\lambda(i+1) = \tau$, and $\zeta_\gamma(i+1) = (\hat l, \eta[t \mapsto on(v)])$. By rule SET of Table 9, we have $l \xrightarrow{g \triangleright set\ t := e} \hat l \in Edg$. Here we consider two subcases: (i) expression $e$ is guaranteed to be influenced by chaos; and (ii) it is not influenced by the environment, or it depends on the system run.
Subcase: $[\![e]\!]_{\eta^\rho_l} = \top$
By rule T-SET of Table 12, $l \xrightarrow{g^\sharp \triangleright set\ t := \top} \hat l \in Edg^\sharp$. Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, $[\![g^\sharp]\!]_{\eta^\sharp}$ is true by Lemma 5.13. By rule SET of Table 9, setting timer $t$ in $P$ can be mimicked by setting timer $t$ in $P^\sharp$: $(l, \eta^\sharp) \to_\tau (\hat l, \eta^\sharp[t \mapsto on(\top)])$. We define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\hat l, \eta^\sharp[t \mapsto on(\top)])$. $\lceil \zeta_\lambda(i+1) \rceil \le \lceil \chi_\lambda(j+1) \rceil$ holds for the labels. Since $\zeta_\gamma(i) \le \chi_\gamma(j)$ and $on(v) \le on(\top)$, $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$. We add the pair $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Subcase: $[\![e]\!]_{\eta^\rho_l} \neq \top$
The edge of the original specification remains unchanged apart from its guard, which is transformed, i.e. $l \xrightarrow{g^\sharp \triangleright set\ t := e} \hat l \in Edg^\sharp$. Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, $[\![g^\sharp]\!]_{\eta^\sharp}$ is true by Lemma 5.13. By Lemma 5.11, $[\![e]\!]_\eta \le [\![e]\!]_{\eta^\sharp}$; let $v^\top = [\![e]\!]_{\eta^\sharp}$. By rule SET of Table 9, setting timer $t$ in $P$ can be mimicked by $(l, \eta^\sharp) \to_\tau (\hat l, \eta^\sharp[t \mapsto on(v^\top)])$, setting timer $t$ in $P^\sharp$. We define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\hat l, \eta^\sharp[t \mapsto on(v^\top)])$. $\lceil \zeta_\lambda(i+1) \rceil \le \lceil \chi_\lambda(j+1) \rceil$ holds for the labels, and $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$ because $\zeta_\gamma(i) \le \chi_\gamma(j)$ and $on(v) \le on(v^\top)$. We add the pair $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Case: RESET
The transformation does not modify reset edges. The proof that a reset of timer $t$ in $P$ can be mimicked by a reset of $t$ in $P^\sharp$ is straightforward.
Case: TIMEOUT
Assume that the $(i+1)$th step of $\zeta$ is the timeout step $(l, \eta) \to_\tau (\hat l, \eta[t \mapsto off])$, i.e. $\zeta_\gamma(i) = (l, \eta)$, $\zeta_\lambda(i+1) = \tau$, and $\zeta_\gamma(i+1) = (\hat l, \eta[t \mapsto off])$. By rule TIMEOUT of Table 9, we have $l \xrightarrow{g_t \triangleright reset\ t} \hat l \in Edg$.
The timeout guard $t = on(0)$ is modified by the transformation into the guard $(t = on(0)) \vee (t = on(\top))$. Since $\zeta_\gamma(i) \le \chi_\gamma(j)$ and $t = on(0)$ is true in $\zeta_\gamma(i)$, $(t = on(0)) \vee (t = on(\top))$ is true in $\chi_\gamma(j)$ by Lemma 5.13. By rule TIMEOUT of Table 9, the timeout in $P$ can be mimicked by the timeout $(l, \eta^\sharp) \to_\tau (\hat l, \eta^\sharp[t \mapsto off])$ in $P^\sharp$. We define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\hat l, \eta^\sharp[t \mapsto off])$. $\lceil \zeta_\lambda(i+1) \rceil \le \lceil \chi_\lambda(j+1) \rceil$ holds for the labels. Both the timeout $\tau$-step of the original system and the mimicking step of the closed one set the timer $t$ to off. Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$. We add the pair $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Case: TDISCARD
Analogous to the TIMEOUT case above.
Case: TICK$_P$
Assume that the $(i+1)$th step of $\zeta$ is the tick step $(l, \eta) \to_{tick} (l, \eta[t \mapsto (t-1)])$, i.e. $\zeta_\gamma(i) = (l, \eta)$, $\zeta_\lambda(i+1) = tick$, and $\zeta_\gamma(i+1) = (l, \eta[t \mapsto (t-1)])$. By rule TICK$_P$ of Table 9, we have $blocked(l, \eta)$.
We postpone setting timer $t_p$ to $on(1)$ in $P^\sharp$ until we meet a tick-step along $\zeta$; hence $P^\sharp$ is not necessarily blocked at $\chi_\gamma(j)$. By Lemma 5.15, we add a sequence $\chi_\gamma(j) \to_{\chi_\lambda(j+1)} \ldots \to_{\chi_\lambda(j+m)} \chi_\gamma(j+m)$ such that $\zeta_\gamma(i) \le \chi_\gamma(j+k)$ and $\chi_\lambda(j+k) = \tau$ for all $k = 1..m$. We also add $(i, j+k)$ to $R$ for all $k = 1..m$. At $\chi_\gamma(j+m)$, $P^\sharp$ is blocked, hence it can take the mimicking tick-step $\chi_\gamma(j+m) \to_{tick} \chi_\gamma(j+m)[t \mapsto (t-1)]$. We define $\chi_\lambda(j+m+1) = tick$ and $\chi_\gamma(j+m+1) = \chi_\gamma(j+m)[t \mapsto (t-1)]$. By Lemma 5.12, $\zeta_\gamma(i+1) \le \chi_\gamma(j+m+1)$. We add $(i+1, j+m+1)$ to $R$. The tick-step of $P$ is mimicked by the sequence of $\tau$-steps followed by the tick-step in $P^\sharp$. The conditions of Def. 5.13 are satisfied.
$\square$
Lemma 5.17.
Let $Spec$ be a specification, and $Spec^\sharp$ be the specification obtained by transforming $Spec$ according to the rules of Table 12. Let $S$ and $S^\sharp$ be LTSs built by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$ and $Spec^\sharp$, respectively. Let $\gamma$ and $\gamma^\sharp$ be configurations of $S$ and $S^\sharp$ such that $\gamma \le \gamma^\sharp$. If $blocked(\gamma)$, then $\gamma^\sharp = \gamma^\sharp_0 \to_\tau \gamma^\sharp_1 \to_\tau \ldots \to_\tau \gamma^\sharp_n$ for some configurations $\gamma^\sharp_i$ and some $n \ge 0$ such that $\gamma \le \gamma^\sharp_i$ for all $i$, and $blocked(\gamma^\sharp_n)$.
Proof. Straightforward from Lemma 5.15 and Def. 5.10. $\square$
Lemma 5.18.
Let $Spec$ be a specification, and $Spec^\sharp$ be the process specification obtained by transforming $Spec$ according to the rules of Table 12. Let $S$ and $S^\sharp$ be LTSs built by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$ and $Spec^\sharp$, respectively. Then for each trace $\zeta$ of $S$ there is a trace $\chi$ of $S^\sharp$ such that $\zeta =_R \chi$ for some $R \subseteq \mathbb{N} \times \mathbb{N}$.
Proof. Here we show that for any trace $\zeta$ of $S$ we can build a trace $\chi$ of $S^\sharp$ such that $\zeta =_R \chi$ for some $R$. Initially, all queues modelling channels in $S$ and in $S^\sharp$ are empty, all variables have the same initial values and all timers are deactivated; hence $\gamma_0 \le \gamma^\sharp_0$ for the initial configurations $\gamma_0$ and $\gamma^\sharp_0$ of $S$ and $S^\sharp$, respectively. $R$ is initialized as $\{(0, 0)\}$. Further, we proceed by induction on the length of $\zeta$. Each step of $S$ is mimicked by a step of $S^\sharp$ so that the conditions of Def. 5.13 are satisfied, and the configurations reached by the original step and the mimicking step are related by $\le$.
Assume that $(i, j) \in R$. Before we proceed with a case analysis on rules IN, OUT of Table 2 and the rules of Table 6, we consider channels of the open system and channels of the closed one. The queues modelling channels in the closed system $S^\sharp$ do not contain messages sent to or received from the environment.
Case: IN
Assume that a channel $c$ has state $(c, q)$ in $S$ and state $(c, q^\sharp)$ in $S^\sharp$, and that $(c, q) \le (c, q^\sharp)$. Let $c$ in $S$ take the step $(c, q) \to_{c_o?s(pid,v)} (c, q :: s(pid, v))$ (rule IN of Table 2), i.e. some process within the system sends a message $s(pid, v)$ via $c$ to another process. Channel $c$ in $S^\sharp$ can mimic the step $c_o?s(pid, v)$ by a step $(c, q^\sharp) \to_{c_o?s(pid,v^\top)} (c, q^\sharp :: s(pid, v^\top))$, where $v \le v^\top$. The channel state reached by the original step and the channel state reached by the mimicking step are in relation $\le$, i.e. $(c, q :: s(pid, v)) \le (c, q^\sharp :: s(pid, v^\top))$ (cf. Def. 5.8), and $\lceil c_o?s(pid, v) \rceil \le \lceil c_o?s(pid, v^\top) \rceil$, so condition 2 of Def. 5.13 is satisfied.
Assume that $c$ in $S$ makes a step $(c, q) \to_{c_o?s(pid,v)} (c, q :: s(pid, v))$, i.e. some process within the system sends a message $s(pid, v)$ via $c$ to the environment. In this case $q^\sharp = \epsilon$ (cf. Def. 5.9). Since $(c, q) \le (c, \epsilon)$ and $\lceil c_o?s(pid, v) \rceil = \tau$, $(c, q :: s(pid, v)) \le (c, \epsilon)$ and condition 1 of Def. 5.13 is satisfied.
Assume that $c$ in $S$ makes a step $(c, q) \to_{c_o?s(env,v)} (c, q :: s(env, v))$, i.e. the environment sends a message $s(env, v)$ to a process within the system. Since $(c, q) \le (c, q^\sharp)$ and $\lceil c_o?s(env, v) \rceil = \tau$, $(c, q :: s(env, v)) \le (c, q^\sharp)$ and condition 1 of Def. 5.13 is satisfied.
Case: OUT
Analogous to the IN case.
Case: COMM
Let $(\ldots, \sigma_k, \ldots, \sigma_l, \ldots) \to_\tau (\ldots, \hat\sigma_k, \ldots, \hat\sigma_l, \ldots)$ be the $(i+1)$th step of $\zeta$. This means that $\zeta_\gamma(i) = (\ldots, \sigma_k, \ldots, \sigma_l, \ldots)$, $\zeta_\lambda(i+1) = \tau$ and $\zeta_\gamma(i+1) = (\ldots, \hat\sigma_k, \ldots, \hat\sigma_l, \ldots)$. Further we consider four subcases: (i) receiving a message sent by a process of the system; (ii) receiving a message sent by the environment; (iii) sending a message to a process within the system; (iv) sending a message to the environment.
Subcase (i)
By rule COMM of Table 6, we have $\sigma_k \to_{c_i?s(pid,v)} \hat\sigma_k$ for some process $P_k$ and $\sigma_l \to_{c_i!s(pid,v)} \hat\sigma_l$ for some channel $c_l$.
Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, process $P^\sharp_k$ can take the mimicking input step $\sigma^\sharp_k \to_{c_i?s(pid,v^\top)} \hat\sigma^\sharp_k$ (see case INPUT of Lemma 5.16). Moreover, channel $c_l$ in $S^\sharp$ can mimic the $c_i!s(pid, v)$-step by $\sigma^\sharp_l \to_{c_i!s(pid,v^\top)} \hat\sigma^\sharp_l$. By rule COMM of Table 6, the $\tau$-step of $S$ can be mimicked by $(\ldots, \sigma^\sharp_k, \ldots, \sigma^\sharp_l, \ldots) \to_\tau (\ldots, \hat\sigma^\sharp_k, \ldots, \hat\sigma^\sharp_l, \ldots)$ in $S^\sharp$. In this case, we define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\ldots, \hat\sigma^\sharp_k, \ldots, \hat\sigma^\sharp_l, \ldots)$. According to Lemma 5.16, $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$. We add $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Subcase (ii)
By rule COMM of Table 6, we have $\sigma_k \to_{c_i?s(env,v)} \hat\sigma_k$ for some process $P_k$ and $\sigma_l \to_{c_i!s(env,v)} \hat\sigma_l$ for some channel $c_l$.
Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, process $P^\sharp_k$ can do a mimicking input $\sigma^\sharp_k \to_\tau \hat\sigma^\sharp_k$ (cf. case INPUT of Lemma 5.16); the queue of $c_l$ in $S^\sharp$ contains no environment messages (cf. Def. 5.9), so $c_l$ takes no step. By rule INTERLEAVE$_\tau$ of Table 6, the $\tau$-step of $S$ can be mimicked by $(\ldots, \sigma^\sharp_k, \ldots, \sigma^\sharp_l, \ldots) \to_\tau (\ldots, \hat\sigma^\sharp_k, \ldots, \sigma^\sharp_l, \ldots)$ in $S^\sharp$. In this case, we define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\ldots, \hat\sigma^\sharp_k, \ldots, \sigma^\sharp_l, \ldots)$. According to Lemma 5.16, $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$. We add $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Subcase (iii)
By rule COMM of Table 6, we have $\sigma_k \to_{c_o?s(pid,v)} \hat\sigma_k$ for some channel $c_k$ and $\sigma_l \to_{c_o!s(pid,v)} \hat\sigma_l$ for some process $P_l$. Moreover, the message is sent to another process within the system, i.e. $c \notin In_{env}$.
Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, process $P^\sharp_l$ can take $\sigma^\sharp_l \to_{c_o!s(pid,v^\top)} \hat\sigma^\sharp_l$ (cf. case OUTPUT of Lemma 5.16). Channel $c_k$ in $S^\sharp$ can mimic the $c_o?s(pid, v)$-step by $\sigma^\sharp_k \to_{c_o?s(pid,v^\top)} \hat\sigma^\sharp_k$. By rule COMM of Table 6, the $\tau$-step of $S$ can be mimicked by $(\ldots, \sigma^\sharp_k, \ldots, \sigma^\sharp_l, \ldots) \to_\tau (\ldots, \hat\sigma^\sharp_k, \ldots, \hat\sigma^\sharp_l, \ldots)$ in $S^\sharp$.
We define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\ldots, \hat\sigma^\sharp_k, \ldots, \hat\sigma^\sharp_l, \ldots)$. According to Lemma 5.16, $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$. We add $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Subcase (iv)
By rule COMM of Table 6, we have $\sigma_k \to_{c_o?s(pid,v)} \hat\sigma_k$ for some channel $c_k$ and $\sigma_l \to_{c_o!s(pid,v)} \hat\sigma_l$ for some process $P_l$. Moreover, the message is sent to the environment, i.e. $c \in In_{env}$.
Since $\zeta_\gamma(i) \le \chi_\gamma(j)$, process $P^\sharp_l$ can do a mimicking $\tau$-step $\sigma^\sharp_l \to_\tau \hat\sigma^\sharp_l$ (see case OUTPUT of Lemma 5.16). By rule INTERLEAVE$_\tau$ of Table 6, the $\tau$-step of $S$ can be mimicked by the transition $(\ldots, \sigma^\sharp_k, \ldots, \sigma^\sharp_l, \ldots) \to_\tau (\ldots, \sigma^\sharp_k, \ldots, \hat\sigma^\sharp_l, \ldots)$ in $S^\sharp$.
In this case, we define $\chi_\lambda(j+1) = \tau$ and $\chi_\gamma(j+1) = (\ldots, \sigma^\sharp_k, \ldots, \hat\sigma^\sharp_l, \ldots)$. According to Lemma 5.16, $\zeta_\gamma(i+1) \le \chi_\gamma(j+1)$. We add $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Case: INTERLEAVE$_{in}$
Assume that $(\ldots, \sigma_k, \ldots) \to_{c_o?s(env,v)} (\ldots, \hat\sigma_k, \ldots)$ is the $(i+1)$th step of $\zeta$, i.e. $\zeta_\gamma(i) = (\ldots, \sigma_k, \ldots)$, $\zeta_\lambda(i+1) = c_o?s(env, v)$ and $\zeta_\gamma(i+1) = (\ldots, \hat\sigma_k, \ldots)$. This case corresponds to condition 1 of Def. 5.13, i.e. there is no step in $S^\sharp$ mimicking the $(i+1)$th step of $\zeta$. But the configuration $\zeta_\gamma(i+1)$ reached by the step is in relation $\le$ with $\chi_\gamma(j)$, and $\lceil c_o?s(env, v) \rceil$ is $\tau$ (see case IN above). We add $(i+1, j)$ to $R$. The conditions of Def. 5.13 are satisfied.
Case: INTERLEAVE$_{out}$
Assume that $(\ldots, \sigma_k, \ldots) \to_{c_i!s(pid,v)} (\ldots, \hat\sigma_k, \ldots)$ is the $(i+1)$th step of $\zeta$, i.e. $\zeta_\gamma(i) = (\ldots, \sigma_k, \ldots)$, $\zeta_\lambda(i+1) = c_i!s(pid, v)$ and $\zeta_\gamma(i+1) = (\ldots, \hat\sigma_k, \ldots)$. Moreover, $c \in In_{env}$.
This case corresponds to condition 1 of Def. 5.13, i.e. there is no step in $S^\sharp$ mimicking the $(i+1)$th step of $\zeta$. But the configuration $\zeta_\gamma(i+1)$ reached by the step is in relation $\le$ with $\chi_\gamma(j)$, and $\lceil c_i!s(pid, v) \rceil$ is $\tau$ (see case OUT above). We add $(i+1, j)$ to $R$. The conditions of Def. 5.13 are satisfied.
Case: INTERLEAVE$_\tau$
Assume that $(\ldots, \sigma_k, \ldots) \to_\tau (\ldots, \hat\sigma_k, \ldots)$ is the $(i+1)$th step of $\zeta$, i.e. $\zeta_\gamma(i) = (\ldots, \sigma_k, \ldots)$, $\zeta_\lambda(i+1) = \tau$ and $\zeta_\gamma(i+1) = (\ldots, \hat\sigma_k, \ldots)$. Moreover, we assume that $\tau$ is not the result of synchronizing communication steps, i.e. it corresponds to the ASSIGN, SET, TIMEOUT, TDISCARD, or RESET case considered in Lemma 5.16.
By Lemma 5.16 and rule INTERLEAVE$_\tau$ of Table 6, the $\tau$-step of $S$ can be mimicked by the $\tau$-step $(\ldots, \sigma^\sharp_k, \ldots) \to_\tau (\ldots, \hat\sigma^\sharp_k, \ldots)$ of $S^\sharp$. We define $\chi_\gamma(j+1) = (\ldots, \hat\sigma^\sharp_k, \ldots)$, $\chi_\lambda(j+1) = \tau$ and add $(i+1, j+1)$ to $R$. The conditions of Def. 5.13 are satisfied.
Case: TICK
Assume that $(\sigma_1, \ldots, \sigma_n) \to_{tick} (\hat\sigma_1, \ldots, \hat\sigma_n)$ is the $(i+1)$th step of $\zeta$, i.e. $\zeta_\gamma(i) = (\sigma_1, \ldots, \sigma_n)$, $\zeta_\lambda(i+1) = tick$ and $\zeta_\gamma(i+1) = (\hat\sigma_1, \ldots, \hat\sigma_n)$. By rule TICK of Table 6, $blocked(\zeta_\gamma(i))$.
By Lemma 5.17, there is a sequence $\chi_\gamma(j) = \gamma^\sharp_0 \to_\tau \gamma^\sharp_1 \to_\tau \ldots \to_\tau \gamma^\sharp_m$ for some configurations $\gamma^\sharp_k$ of $S^\sharp$ and some $m \ge 0$ such that $\zeta_\gamma(i) \le \gamma^\sharp_k$ for all $k$, and $blocked(\gamma^\sharp_m)$. Therefore, we extend $\chi$ by the sequence $\chi_\gamma(j) \to_{\chi_\lambda(j+1)} \ldots \to_{\chi_\lambda(j+m)} \chi_\gamma(j+m)$ such that $\zeta_\gamma(i) \le \chi_\gamma(j+k)$ and $\chi_\lambda(j+k) = \tau$ for all $k = 1..m$. We add $(i, j+k)$ to $R$ for all $k = 1..m$. At $\chi_\gamma(j+m)$, $S^\sharp$ is blocked, hence it may take the step $\chi_\gamma(j+m) \to_{tick} \chi_\gamma(j+m)[t \mapsto (t-1)]$. We define $\chi_\lambda(j+m+1) = tick$ and $\chi_\gamma(j+m+1) = \chi_\gamma(j+m)[t \mapsto (t-1)]$, where the update applies to all timers $t \in Var$. According to Lemma 5.12, $\zeta_\gamma(i+1) \le \chi_\gamma(j+m+1)$. We add $(i+1, j+m+1)$ to $R$. The tick-step of $S$ is mimicked by the sequence of $\tau$-steps followed by the tick-step in $S^\sharp$. The conditions of Def. 5.13 are satisfied.
Here we showed that for each finite prefix $\zeta^{(i+1)}$ of a trace $\zeta$ of $S$ we can construct a finite prefix $\chi^{(j+m)}$ of a trace $\chi$ of $S^\sharp$ such that $\zeta^{(i+1)} =_R \chi^{(j+m)}$ for some $R$. This means that for each trace $\zeta$ of $S$ there is a trace $\chi$ of $S^\sharp$ such that $\zeta =_R \chi$ for some $R$, i.e. $S \preceq_R S^\sharp$. $\square$
Lemma 5.19. PATH INCLUSION UP TO STUTTERING
Let $Spec$ be a specification, and $Spec^\sharp$ be the specification obtained by transforming $Spec$ according to the rules of Table 12. Let $S$ and $S^\sharp$ be LTSs built by applying the rules of Table 9, rules IN and OUT of Table 2 and the rules of Table 6 to $Spec$ and $Spec^\sharp$, respectively. Let $\mathcal{L} : \Gamma \to 2^{\mathcal{P}}$ and $\mathcal{L}^\sharp : \Gamma^\sharp \to 2^{\mathcal{P}}$ be interpretation functions, $\mathcal{P}$ be the set of atomic propositions that mention only variables $x$ (process and timer variables) such that $\eta^\rho_l(x) = \bot$ for all $l \in Loc$, and $\Gamma$ and $\Gamma^\sharp$ be the sets of configurations of $S$ and $S^\sharp$, respectively. Then $(S, \mathcal{L}) \preceq_{st} (S^\sharp, \mathcal{L}^\sharp)$.
Proof. Follows directly from Lemma 5.18 and Lemma 5.14. $\square$
Theorem 5.2.
For all formulas $\varphi$ of next-free LTL mentioning only variables $x$ (process and timer variables) such that $\eta^\rho_l(x) = \bot$ for all $l \in Loc$: if $S^\sharp \models \varphi$ then $S \models \varphi$.
Proof. Straightforward from Lemma 5.19 and Theorem 2.2. $\square$
5.5 Implementation
5.5.1 Extending the Vires Toolset
The Vires toolset (see [167]) was introduced for the verification of industrial-size communication protocols. Its architecture is targeted towards the verification of SDL specifications, and it provides an automatic translation of SDL code into the input language of a discrete-time extension of the Spin model checker. Design, analysis, verification, and validation of SDL specifications is supported by ObjectGeode, one of the most advanced integrated SDL environments. ObjectGeode also provides code generation and testing of real-time and distributed applications.
[Fig. 21. Toolset components: ObjectGeode, Live, IF, pml2pml, Spin/DTSpin]
IF [28] bridges the gap between ObjectGeode and Spin/DTSpin (cf. Sec. 2.4). It contains a translator, SDL2IF, of SDL specifications into the intermediate representation IF. A static analyzer, Live [27], performs an optimization of the IF representation to reduce the state space of the model. IF specifications can be translated to DTPROMELA models with the help of the IF2PML translator [25] and verified by DTSpin.
We have developed the PML2PML translator, which takes care of the automatic closing of a subcomponent and implements the theory presented above. The tool post-processes the output of the translation of an SDL specification to PROMELA; the implementation covers the subset of SDL described abstractly in Section 5.2. The translator works fully automatically and does not require any user interaction, except that the user has to supply the list of external signals. The extension is implemented in Java and requires JDK 1.2 or later. The package can be downloaded from http://www.cwi.nl/~ustin/EH.html.
5.5.2 Implementation of the Program Transformation
To keep the implementation in Spin's input language PROMELA simple, the abstraction introduced in Sec. 5.3 is realized as a straightforward source code transformation. Instead of extending the data domains by one single additional abstract value for external data, each variable $x$ has a boolean flag $b_x$ associated with it to remember whether its current value comes from outside or not: the flag's value is false when $x$ contains data from outside, and true otherwise. For model checking, memory and time consumption are crucial, and the introduction of a boolean flag for each variable is not optimal in that regard. For instance, a system can contain variables never influenced by the environment, and these need no boolean flags.
Clearly, the flags are needed only for variables and timers that carry the value $I$ (or $on(I)$ for timers) in at least one location; for other variables the values found with the static analysis can be used. So let $Var_I$ be the set of variables and timers that carry the value $I$, respectively $on(I)$, at least once.

Table 13. Implementation of the transformation for untimed edges (premises, then the edge(s) added to $Edg^\sharp$; $g^\sharp$ is the transformed guard and $b(e)$ the reliability test defined below)
T-INPUT$^1_{ext}$: $l \xrightarrow{c?s(x)} \hat l \in Edg$, $s \in Sig_{ext}$, $x \in Var_I$ ⇒ $l \xrightarrow{g_{t_p} \triangleright set\ t_p := 0} \xrightarrow{(true) \triangleright b_x := false} \hat l \in Edg^\sharp$
T-INPUT$^2_{ext}$: $l \xrightarrow{c?s(x)} \hat l \in Edg$, $s \in Sig_{ext}$, $x \notin Var_I$ ⇒ $l \xrightarrow{g_{t_p} \triangleright set\ t_p := 0} \hat l \in Edg^\sharp$
T-NOINPUT: $l \in Loc$ ⇒ $l \xrightarrow{g_{t_p} \triangleright set\ t_p := 1} l \in Edg^\sharp$
T-INPUT$^1_{int}$: $l \xrightarrow{c?s(x)} \hat l \in Edg$, $s \in Sig_{int}$, $x \in Var_I$ ⇒ $l \xrightarrow{c?s(x, b_x)} \hat l \in Edg^\sharp$
T-INPUT$^2_{int}$: $l \xrightarrow{c?s(x)} \hat l \in Edg$, $s \in Sig_{int}$, $x \notin Var_I$ ⇒ $l \xrightarrow{c?s(x, \_)} \hat l \in Edg^\sharp$
T-OUTPUT$_{ext}$: $l \xrightarrow{g \triangleright c!(s, e)} \hat l \in Edg$, $s \in Sig_{ext}$ ⇒ $l \xrightarrow{g^\sharp \triangleright skip} \hat l \in Edg^\sharp$
T-OUTPUT$^1_{int}$: $l \xrightarrow{g \triangleright c!(s, e)} \hat l \in Edg$, $c \notin In_{env}$ ⇒ $l \xrightarrow{(g^\sharp \wedge b(e)) \triangleright c!(s, e, true)} \hat l \in Edg^\sharp$
T-OUTPUT$^2_{int}$: $l \xrightarrow{g \triangleright c!(s, e)} \hat l \in Edg$, $c \notin In_{env}$ ⇒ $l \xrightarrow{(g^\sharp \wedge \neg b(e)) \triangleright c!(s, \_, false)} \hat l \in Edg^\sharp$
T-ASSIGN$_{11}$: $l \xrightarrow{g \triangleright x := e} \hat l \in Edg$, $x \in Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge b(e)) \triangleright x := e} \xrightarrow{(true) \triangleright b_x := true} \hat l \in Edg^\sharp$
T-ASSIGN$_{12}$: $l \xrightarrow{g \triangleright x := e} \hat l \in Edg$, $x \in Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge \neg b(e)) \triangleright b_x := false} \hat l \in Edg^\sharp$
T-ASSIGN$_{21}$: $l \xrightarrow{g \triangleright x := e} \hat l \in Edg$, $x \notin Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge b(e)) \triangleright x := e} \hat l \in Edg^\sharp$
T-ASSIGN$_{22}$: $l \xrightarrow{g \triangleright x := e} \hat l \in Edg$, $x \notin Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge \neg b(e)) \triangleright skip} \hat l \in Edg^\sharp$
The rules of Table 13 define the transformation of untimed edges with respect to the results of the combined may/must analysis. Boolean flags are introduced only for variables that are in $Var_I$. Expressions are interpreted strictly with respect to chaotic data, and we write $b(e)$ for the test that is true iff all of the variables from $Var_I$ occurring in $e$ have their flags set to true and all of the variables not belonging to $Var_I$ are valuated to $\bot$ by the analysis, i.e.
$b(e) = (\bigwedge_{i=1}^{n} b_{x_i}) \wedge (\bigwedge_{j=1}^{m} (\eta^\rho_l(y_j) = \bot))$,
where $x_1, \ldots, x_n \in Var_I$ and $y_1, \ldots, y_m \notin Var_I$ are the variables occurring in $e$. The transformation of the guards is optimized so that guards which contain at least one variable marked $\top$ are transformed to true, and a guard all of whose variables are marked $\bot$ is left unchanged. As the abstract system must show at least all behaviour of the original system, actions with guards whose result depends on values coming from outside, i.e. guards $g$ with $b(g) = false$, must be enabled. Therefore we replace each remaining untimed guard $g$ by the transformed guard $g^\sharp$ given by the disjunction $\neg b(g) \vee (g \wedge b(g))$. To propagate the information through the system, the parameter lists of signals exchanged within the system, i.e. signals from $Sig_{int}$, are extended with the lists of the corresponding flags.
Inputs from the chaotic environment are always enabled. We must make sure, however, that inputs from the environment do not prevent time progress. Therefore, as in Sec. 5.4, we add a new timer variable $t_p$ for each process, used to guard inputs from outside and to assure time progress (cf. T-INPUT$^1_{ext}$, T-INPUT$^2_{ext}$). This timer is set to 0 until a T-NOINPUT step is taken non-deterministically, which sets the timer to 1, thereby postponing the possibility of taking the next input from the environment until time progresses. Flags of variables which received their values from environment signals are set to false to indicate that from this point on the value is not reliable any more (cf. T-INPUT$^1_{ext}$). For internal signals, we differentiate two cases: (i) the variable changed by the input has a flag; (ii) the variable has no flag. In the first case, the input is extended by the flag of the variable, which shows whether a chaotic or a non-chaotic value is transferred (rule T-INPUT$^1_{int}$). In the second case, this value does not matter (rule T-INPUT$^2_{int}$).
Outputs to the environment are just removed (cf. rule T-OUTPUT$_{ext}$). Internal outputs are extended as follows: in case the expression $e$ carries a non-chaotic value, this value is transferred together with the flag true, showing that it is a reliable value (rule T-OUTPUT$^1_{int}$). Otherwise, the same signal is sent parameterized with a default value and the flag false, indicating that a chaotic value is transferred (rule T-OUTPUT$^2_{int}$).
Assignments are treated similarly to outputs. Assignments of chaotic values are skipped (rules T-ASSIGN$_{12}$, T-ASSIGN$_{22}$); the flag of the left-hand variable is set to false in case the variable belongs to $Var_I$ (rule T-ASSIGN$_{12}$). Assignments of non-chaotic values are left unmodified (rules T-ASSIGN$_{11}$ and T-ASSIGN$_{21}$); in case the left-hand variable has a flag, the flag is set to true (rule T-ASSIGN$_{11}$).

Table 14. Implementation of the transformation for timed edges (premises, then the edge(s) added to $Edg^\sharp$)
T-SET$_{11}$: $l \xrightarrow{g \triangleright set\ t := e} \hat l \in Edg$, $t \in Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge b(e)) \triangleright set\ t := e} \xrightarrow{(true) \triangleright b_t := true} \hat l \in Edg^\sharp$
T-SET$_{12}$: $l \xrightarrow{g \triangleright set\ t := e} \hat l \in Edg$, $t \in Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge \neg b(e)) \triangleright set\ t := 0} \xrightarrow{(true) \triangleright b_t := false} \hat l \in Edg^\sharp$
T-SET$_{21}$: $l \xrightarrow{g \triangleright set\ t := e} \hat l \in Edg$, $t \notin Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge b(e)) \triangleright set\ t := e} \hat l \in Edg^\sharp$
T-SET$_{22}$: $l \xrightarrow{g \triangleright set\ t := e} \hat l \in Edg$, $t \notin Var_I$ ⇒ $l \xrightarrow{(g^\sharp \wedge \neg b(e)) \triangleright set\ t := 0} \hat l \in Edg^\sharp$
T-NOTIMEOUT: $l \in Loc$, $t \in Var_I$ ⇒ $l \xrightarrow{(g_t \wedge \neg b(t)) \triangleright set\ t := 1} l \in Edg^\sharp$
T-TIMEOUT$_1$: $l \xrightarrow{g_t \triangleright reset\ t} \hat l \in Edg$, $t \in Var_I$ ⇒ $l \xrightarrow{g_t \triangleright reset\ t} \xrightarrow{(true) \triangleright b_t := true} \hat l \in Edg^\sharp$
T-TIMEOUT$_2$: $l \xrightarrow{g_t \triangleright reset\ t} \hat l \in Edg$, $t \notin Var_I$ ⇒ $l \xrightarrow{g_t \triangleright reset\ t} \hat l \in Edg^\sharp$
T-RESET$_1$: $l \xrightarrow{g \triangleright reset\ t} \hat l \in Edg$, $t \in Var_I$ ⇒ $l \xrightarrow{g^\sharp \triangleright reset\ t} \xrightarrow{(true) \triangleright b_t := true} \hat l \in Edg^\sharp$
T-RESET$_2$: $l \xrightarrow{g \triangleright reset\ t} \hat l \in Edg$, $t \notin Var_I$ ⇒ $l \xrightarrow{g^\sharp \triangleright reset\ t} \hat l \in Edg^\sharp$
The transformation rules for timed edges are given in Table 14. Concerning timers, the set operation and its transformation are similar to an assignment (rules T-SET$_{11}$, T-SET$_{12}$, T-SET$_{21}$, T-SET$_{22}$). If the expression $e$ in set $t := e$ is non-chaotic, the setting is kept unmodified (rules T-SET$_{11}$, T-SET$_{21}$); if the timer has a flag, $t$'s flag $b_t$ gets the value true (rule T-SET$_{11}$). Otherwise, if the expression is chaotic (cf. rules T-SET$_{12}$, T-SET$_{22}$), we set the timer to 0, since in the abstraction a chaotic timer must be able to expire immediately; the flag of the timer is set to false (rule T-SET$_{12}$).
By resetting a timer, the timer variable gets the concrete value off, independent of its previous value. So the action stays unchanged, while the flag of the timer gets the value true if the timer belongs to $Var_I$ (cf. rules T-RESET$_1$, T-RESET$_2$). The same happens with a timeout of a non-chaotic timer (cf. rules T-TIMEOUT$_1$, T-TIMEOUT$_2$). According to these rules the same actions can be taken for a chaotic timer as well, i.e. it can expire immediately. The expiration of a chaotic timer can, however, be postponed according to rule T-NOTIMEOUT by non-deterministically setting the timer to 1 at an arbitrary moment in time.
5.5.3 Experiments
Before we present the results on a larger example, the control part of a medium-access protocol, we show the effect of the transformation on the state space using a few small artificial examples, and we also give small examples demonstrating the need for both may and must analyses.
Closing with Chaos
In this subsection we take some simple open systems modelled in DTPROMELA, close them with chaos as a separate process, and illustrate how the state space grows with the buffer length and with the number of signals involved in the communication with the environment.
First, we construct a DTPROMELA model of a process (see Fig. 22) that receives signals a, b, or c from the outside and reacts by sending back d, e, or f, respectively.
A closing environment will send the messages a, b, and c to the process, and conversely receive d, e, and f, in an arbitrary manner. As explained in Section 5.4, the environment must behave chaotically also with respect to timing behaviour. Therefore, in order to avoid zero-time cycles, the sending actions are guarded by a timeout, and an extra clause is added for the case that no more signals are to be sent in the current time slice. A specification of such an environment process is given in Fig. 23.

    proctype proc() {
    start: goto q;
    q:     atomic{ if
           :: envch?a -> proch!d; goto q;
           :: envch?b -> proch!e; goto q;
           :: envch?c -> proch!f; goto q;
           fi }
    }
Fig. 22. Process

    s: atomic{ if
       :: expire(t) -> set(t,1); goto s;   /* stop sending signals until the next time slice */
       :: expire(t) -> envch!a; set(t,0); goto s;
       :: proch?f -> goto s;
       fi }
Fig. 23. Environment
The queues in the verification model, however, have to be bounded. There are two options in Spin for handling full queues. The first one is to block (option "block" in Spin) a process attempting to send a message to a full queue until there is a free cell in the queue. With this option, our "naive" closing leads to a deadlock caused by an attempt of a process to send a message to the full queue of the environment while the environment is trying to send a message to the full process queue. The other option is to lose new messages in case the queue is full (option "lose" in Spin). In this case a large number of messages gets lost, and many properties cannot be verified using this option. Moreover, there is a large class of systems where messages should not get lost, as this would lead to unrealistic behaviour of the system. Still, even when this option is applicable, time and memory consumption grow tremendously fast with the buffer size, as shown in Table 15. We can avoid the deadlock that appears with option "block" if we limit the number of messages sent by the environment per time slice. For this purpose, we introduce an integer variable n set to the queue size and modify the options of the if statement in such a way that sends are enabled only if n is positive; n is counted down with every message sent and n is restored every time before a new time slice starts (cf. Fig. 24).

    opt.   buffer   states        trans.        lost messages   mem. (MB)   time (s)
    lose   3        3783          13201         5086            2.644       00.24
    lose   4        37956         128079        47173           3.976       01.97
    lose   5        357015        1.18841e+06   428165          18.936      20.49
    lose   6        3.27769e+06   1.08437e+07   3.86926e+06     170.487     4 min 04.74
Table 15. Different buffer sizes, unlimited number of signals per time slice

    :: (n > 0 && expire(t)) -> envch!a; n = n - 1; set(t,0); goto ea;
    :: expire(t) -> set(t,1); n = BUFFSIZE; goto ea;
Fig. 24. Environment with a limited number of messages per time slice

    opt.    buffer   states   trans.   mem. (MB)   time (s)
    block   3        328      770      2.542       00.06
    block   4        1280     3243     2.542       00.10
    block   5        4743     12601    2.747       00.24
    block   6        16954    46502    3.259       00.78
Table 16. Different buffer sizes (4 signals per time slice)

The verification results for the system closed in such a way are shown in Table 16. Again, though more slowly than in the previous example, the number of states, transitions, memory usage, and time required for the verification grow very fast with the queue length.
Next we fix the length of the queue at 4 and vary the number of different messages sent from the process to the environment and from the environment to the process. Table 17 shows the experimental results. Note that the growth of the state space of the system is now caused by the combinatorial explosion in the queues. (The maximal number of messages that can be sent per time slice is still equal to the length of the queue.)

    n-messages   states   trans.   mem. (MB)   time (s)
    4            3568     9041     2.644       00.22
    5            8108     20519    2.849       00.42
    6            16052    40569    3.156       00.75
    7            28792    72683    3.771       01.36
    8            47960    120953   4.590       02.45
    9            75428    190071   5.819       03.86
Table 17. Different numbers of message types

In the experiments for the same process with the embedded environment, the number of states is constant for all the cases considered and equal to 4. As one might have expected, closing a system by a separate environment process behaving chaotically leads to a state space explosion even for very simple small systems. Tailoring the environment process such that only "relevant" messages can be sent makes the environment process large and complicated, which can also cause growth of the state space or lead to errors caused by mistakes in the environment design.
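To make the effect behind Tables 15 to 17 reproducible without Spin, the following added Python example (written for this page; it is not part of the thesis or of the Vires toolset) explores the state space of a simplified, untimed version of the process of Fig. 22 closed in two ways: by a separate chaotic environment process with bounded queues under Spin's "block" semantics, without the per-slice limit of Fig. 24 and therefore without time at all, and by embedding the chaos into the process as the transformation of Sec. 5.5.2 does, with a two-valued timer tp standing in for the time-progress guard. The names reachable, separate_env, embedded_chaos and count are this example's own, and the counts it produces are for this toy model, not the Spin figures of the tables.

```python
"""Reachable-state counts: separate chaotic environment process versus embedded chaos.
Added example, not the thesis's DTPROMELA models; the model is untimed and simplified,
with bounded FIFO queues under Spin's "block" semantics (a send to a full queue is disabled)."""
from collections import deque
from typing import Callable, Dict, Hashable, Iterable, Tuple

INPUTS = ("a", "b", "c")
REPLY = {"a": "d", "b": "e", "c": "f"}    # proc answers a/b/c with d/e/f, as in Fig. 22


def reachable(init: Hashable, step: Callable[[Hashable], Iterable[Hashable]]) -> Tuple[int, int]:
    """Explicit-state breadth-first exploration; returns (#states, #transitions)."""
    seen, todo, trans = {init}, deque([init]), 0
    while todo:
        s = todo.popleft()
        for t in step(s):
            trans += 1
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return len(seen), trans


def separate_env(buf: int):
    """Naive closing: state = (envch, proch), the env->proc and proc->env queues of capacity buf.
    The environment is chaotic: it may send any input and consume any reply at any time."""
    def step(state):
        envch, proch = state
        if len(envch) < buf:
            for m in INPUTS:
                yield (envch + (m,), proch)                   # env sends a, b or c
        if proch:
            yield (envch, proch[1:])                          # env consumes a reply
        if envch and len(proch) < buf:                        # proc: take input, send reply (blocks if full)
            yield (envch[1:], proch + (REPLY[envch[0]],))
    return ((), ()), step


def embedded_chaos():
    """Chaos folded into proc (cf. T-INPUT_ext, T-NOINPUT, T-OUTPUT_ext): inputs become a
    tp-guarded choice, replies to the environment become skip. State = (location, tp)."""
    def step(state):
        loc, tp = state
        if tp == 0:
            for _ in INPUTS:
                yield (loc, 0)                                # some input arrives; the reply is skipped
            yield (loc, 1)                                    # NOINPUT: no further input this time slice
        else:
            yield (loc, 0)                                    # tick: tp expires again
    return ("q", 0), step


def count(buf_sizes=(3, 4, 5)) -> Dict[object, Tuple[int, int]]:
    rows = {buf: reachable(*separate_env(buf)) for buf in buf_sizes}
    rows["embedded"] = reachable(*embedded_chaos())
    return rows


if __name__ == "__main__":
    for key, (states, trans) in count().items():
        print(f"{key!s:>8}: {states:7d} states, {trans:8d} transitions")
```

For buffer size B the naive closing reaches every pair of queue contents of length at most B, i.e. ((3^(B+1) - 1)/2)^2 states (1600 for B = 3, 14641 for B = 4, 132496 for B = 5), whereas the embedded closing has two states whatever the buffer size, which is the contrast the text draws between Tables 15 to 17 and the embedded environment.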
Usage of may and must Analysis
Next we present a couple of illustrative examples showing the difference between the approach of [151, 103] and the one presented in this chapter. The examples are given in DTPROMELA. The may approach pessimistically removes all data potentially influenced by data from outside, and the transformation is based on a static may analysis. The approach based on the combined may/must analysis treats data from outside dynamically, thus achieving greater precision, but afterwards removes the parts which are guaranteed to be chaotic according to the combined analysis of Section 5.3.
The difference is visible at the locations where the abstract valuation of some variable can be either $\top$ or $\bot$ depending on the system run. In the may approach, the variable instance at this location is handled as chaotic independently of the run; now the value of the variable is treated dynamically. The simplest situation of this sort is when the variable gets its value from a signal that can be received both from the environment and from another process of the system with a reliable value.
As an illustration, we take two processes communicating with each other and with the environment. Fig. 25 shows part of the DTPROMELA code of the system specification. Process A can receive signal a(x) both from process B and from the environment. Moreover, B always sends this signal with a concrete value.
The DTPROMELA code of the chaotic environment, given as an external process, is shown in Fig. 26. The queues in DTSpin are bounded, so we use the variable n to limit the number of messages that process B and the environment can send to A during one time slice. Otherwise, the system would deadlock in the attempt of A to send a message to the full queue of the environment while the environment is trying to send a message to the full queue of the process.
Furthermore, the environment must behave chaotically also with respect to timing behaviour. Therefore, send actions of the environment are guarded by a timeout, which allows sends to be postponed until the next time slice.
    proctype A{
    pa:       atomic{ if :: chA?a,x -> goto decision; fi };
    decision: atomic{ if
              :: (x==0) -> chB!c;   goto pa;
              :: (x==1) -> chEnv!c; goto pa;
              fi }
    }
    proctype B{
    start:    atomic{ set(tB,5); goto wait_tB; }
    wait_tB:  atomic{ if
              :: (n > 0 && expire(tB)) -> chA!a(0); n = n - 1; set(tB,5); goto wait_tB;
              :: chB?c -> set(tB,1); goto wait_tB;
              fi }
    }
Fig. 25. Open System

    proctype Env{
    pe: atomic{ if
        :: expire(t) -> set(t,1); n = BUFFSIZE; goto pe;
        :: (n > 0 && expire(t)) -> chA!a,1; n = n - 1; set(t,0); goto pe;
        :: (n > 0 && expire(t)) -> chA!a,0; n = n - 1; set(t,0); goto pe;
        :: chEnv?c -> goto pe;
        fi }
    }
Fig. 26. Environment
Fig. 27 shows the result of the may approach and Fig. 28 shows the result 
obtained with the may+must approach. The may-analysis marks variable x in 
process A as T; therefore, the guards x==1 and x==0 are transformed to true. As 
a consequence, the property of the original system, that for every request a(0, 
true) sent by process B to process A, process B eventually gets an answer c from 
A, does not hold anymore: A can send the answer to the environment instead. 
According to the approach of this chapter, we do not take the pessimistic view 
but follow the information about the reliability of the value of x dynamically 
during the system run. Therefore, B always gets an answer from A for every 
request. Thus the false negative that is obtained during model checking in the 
first case does not appear when we model check the closed system in the second 
case. That justifies the need for the combination of may and must analysis. 
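The three closings compared above, reduced to the decision step of process A, as an added Python example (not code from the thesis or from the PML2PML tool). Queues and timers are dropped, and the request set is constructed from Figs. 25 and 26: B always sends a(0) with a reliable value, the environment sends a,0 or a,1 with a value the must analysis cannot trust.

```python
"""Added example, not the thesis's or PML2PML's code: the decision step of
process A from Figs. 25-28 under the three closings the text compares.
Constructed simplification: queues and timers are dropped; only "which
process does A answer when a request a(x) arrives" is kept."""

B, ENV = "B", "Env"

def decision_original(x, bx):
    """Open system of Fig. 25 closed with the explicit environment of Fig. 26:
    x is always a concrete value, so exactly one guard is enabled."""
    return {B} if x == 0 else {ENV}

def decision_may(x, bx):
    """May-only closing (Fig. 27): x is marked T because it may come from the
    environment, so both guards were rewritten to true and the choice between
    the answer to B and the answer to the environment is nondeterministic."""
    return {B, ENV}

def decision_may_must(x, bx):
    """May+must closing (Fig. 28): the reliability bit bx travels with x and
    each guard g becomes (g & bx) || !bx. Reliable values keep the exact
    choice; chaotic ones (bx false) fall back to nondeterminism."""
    targets = set()
    if (x == 0 and bx) or not bx:
        targets.add(B)
    if (x == 1 and bx) or not bx:
        targets.add(ENV)
    return targets

# Constructed request set: (sender, value of x, value reliable?).
# B sends a(0) (Fig. 25); the chaotic environment of Fig. 26 sends a,0 or a,1.
REQUESTS = [(B, 0, True), (ENV, 0, False), (ENV, 1, False)]

def every_b_request_answered(closing):
    """The property from the text: for every request sent by B, process B
    eventually gets the answer c from A. It fails as soon as some run lets A
    answer the environment instead."""
    return all(closing(x, bx) == {B}
               for sender, x, bx in REQUESTS if sender == B)

def is_safe_abstraction(closing):
    """A closing is a safe (over-approximating) abstraction when it never
    drops a behaviour of the original closed system."""
    return all(decision_original(x, bx) <= closing(x, bx)
               for _, x, bx in REQUESTS)

def summary():
    """{closing name: (safe abstraction?, property holds?)}; the may-only
    closing is safe but produces the false negative described in the text."""
    return {name: (is_safe_abstraction(f), every_b_request_answered(f))
            for name, f in [("original", decision_original),
                            ("may", decision_may),
                            ("may+must", decision_may_must)]}

if __name__ == "__main__":
    for name, (safe, holds) in summary().items():
        print(f"{name:9s} safe={safe} property holds={holds}")
```

Both abstract closings are safe; only the combined one keeps enough information about x to avoid the spurious counterexample.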
5.5.4 Case Study: a Wireless ATM Medium-access Protocol 
To validate the may approach, we applied the PML2PML-translator in a series 
of experiments to the industrial protocol Mascara [169]. 
Located between the ATM-layer and the physical medium, Mascara is a 
medium-access layer or, in the context of the ISDN reference model, a transmission 
convergence sub-layer for wireless ATM communication [9, 105] in local 
area networks. It has been developed within the WAND(1) project [169], a joint 
European initiative by various telecommunication companies to specify and 
implement a wireless access system for ATM-LANs. 
(1) Wireless ATM Network Demonstrator. 
140 Closing and Flow Analysis for Model Checking Reactive Systems 
proctype A{ 
pa: atomic{ 
    if 
    :: expire(tC) -> set(tC, 0); 
       goto decision; 
    :: chA?a,x -> goto decision; 
    :: expire(tC) -> set(tC, 1); goto pa; 
    fi; }; 
decision: atomic{ 
    if 
    :: chB!c; goto pa; 
    :: goto pa; 
    fi; } 
} 
proctype B{ 
    :: expire(tB) -> pAch!a(0); 
       set(tB,5); goto wait_tB; 
} 
Fig. 27. System transformed using only may-analysis 
proctype A{ 
pa: atomic{ 
    if 
    :: chA?a,x,bx -> goto decision; 
    :: expire(tC) -> set(tC, 1); goto pa; 
    :: expire(tC) -> 
       set(tC, 0); bx=false; goto decision; 
    fi; }; 
decision: atomic{ 
    if 
    :: ((x==0&bx) || (!bx)) -> pBch!c; 
       goto pa; 
    :: ((x==1&bx) || (!bx)) -> goto pa; 
    fi } 
} 
proctype B{ 
    :: expire(tB) -> chA!a(0, true); 
       set(tB,5); goto wait_tB; 
} 
Fig. 28. System transformed using the combination of may- and must-analysis 
Besides the standard transmission convergence sub-layer tasks such as cell 
delineation, transmission frame adaptation, header error control, cell-rate 
decoupling, etc., operating over radio-links, i.e., over a necessarily shared 
physical medium, adds to the complexity of the protocol. Mascara has to 
arbitrate medium access to the radio environment of a variable number of mobile 
ATM-stations,(2) provide enhanced error detection and correction mechanisms 
at various levels to counter the comparatively high bit-error rate of air-borne 
data-transmission. Last but not least, it has to cater for mobility features, 
allowing a mobile terminal to switch its association with an access point in a 
handover. 
From the perspective of verification, Mascara is a large protocol. Mascara's 
specification contains over 300 pages of (graphical) SDL. It is itself composed 
of various protocol layers and sub-entities (cf. Fig. 29). 
[Fig. 29 is a block diagram; the recoverable labels are: ATM Layer; MASCARA Layer (Layer Control Protocol, ICC, Message Encapsulation Unit); MASCARA Control; Control Segmentation & Reassembly; Wireless Data Link Control; MAC Data Pump; Physical Medium Dependent Layer.] 
Fig. 29. Top-level functional entities 
The layer control protocol together with the message encapsulation unit 
assists in various ways the information exchange between the Mascara layer and 
entities located within the upper layers. The segmentation and reassembly unit 
does exactly what its name implies: cutting peer-to-peer control messages (also 
called MPDUs) into ATM-cell size and putting them together upon reception. 
All three mentioned top-level entities are comparatively unsophisticated and 
straightforward, as they mainly perform data transformations. The WDLC-layer, 
operating already on cell-level, is reminiscent of conventional (non-ATM) 
data-link protocols and responsible, per virtual channel, for error- and flow-
controlled cell-transmission. The lowest level of Mascara is the data-pump 
including a real-time scheduler, which forms a large portion of the protocol's 
code-size. Despite its raw size, the functionality offered to the Mascara-layers 
above is rather simple: the data-pumps of two communicating stations act as 
duplex, lossy fifo-buffers. The other large part of Mascara, making up almost 
half of the SDL-code, is its control entity, on which we concentrate here. For 
a more thorough coverage of Mascara's structure and internals, consult the 
specification material provided by the Wand consortium [169] and [152]. 
(2) Hence the acronym "Mobile Access Scheme based on Contention and Reservation 
for ATM". 
As the name suggests, the Mascara control entity (MCL) is responsible for 
the protocol's control and signalling tasks. It offers its services to the ATM-layer 
above while using the services of the underlying segmentation and reassembly 
entity, the sliding-window entities (WDLC's), and in general the low-layer 
data-pump. 
Being responsible for signalling, MCL maintains and manages associations 
linking access points with mobile terminals, and connections, i.e., the basic data 
and signalling transfer channels, corresponding to ATM virtual channels. Mascara 
control falls into four sub-entities, each divided in various sub-processes 
themselves. The two important and complex ones are the dynamic control (DC) 
and the steady-state control (SSC). The division of work between the dynamic 
and the steady-state control is roughly as follows: SSC monitors in various 
ways current associations and the quality of the radio environment in order to 
ensure an optimal transmission quality, to keep informed about alternative access 
points, and to initiate in time change of associations, so-called handovers. 
The dynamic control's task, on the other hand, is to set up and tear down the 
associations and connections while managing the related administrative work 
like address management, resource allocation, etc. Of minor complexity are the 
radio control entity (RCL, with the radio control manager RCM as its most 
important process) and the generic Mascara control (GMC). 
Both are managed by MCL either in response to requests from the upper 
layer or by taking initiative of its own. 
MCL carries out the periodical monitoring of the current radio link quality, 
gathering the information about radio link qualities of its neighbouring APs to 
handover to in the case of deterioration of the current association link quality, 
and switching from one AP to another in the handover procedure. Its func-
tionality is implemented by a dynamic number of processes, using a variety of 
data-structures , and depending on various timed conditions. 
A crucial feature of Mascara is the support of mobility. An MT located 
inside the area cell of an AP is capable of communicating with it. Whenever an 
MT moves outside the area cell of its current AP, it has to perform a so-called 
handover (HO) to an AP whose area cell MT has moved into. A handover 
must be managed transparently with respect to the ATM layer, maintaining 
the agreed quality of service (QoS) for the current connections. So the protocol 
has to detect the need for a handover, select a candidate AP to switch to and 
redirect the traffic with minimal interruption. 
It is the Mascara control entity that is responsible for the handling of mo-
bility issues. That is why our verification efforts were focused on the Mascara 
control, particularly on the parts of MT Control managing the handover pro-
cedure that was specified within the Vires project [167]. 
One distinguishes two types of handovers in Mascara: backward handover 
and forward handover. The forward handover procedure starts when the con-
nection to the current AP is lost and MT urgently needs to find another AP. 
Backward handover takes place when MCL notices deterioration of the quality 
of the current association. Then it looks for the 'best' alternative AP to 
switch to. After the alternative AP has been found, MT tunes to its old AP. 
It keeps the association to the old AP until it gets the association to the new 
one. So MT is able to perform its normal activity in the period the upper layer 
accomplishes its part of the procedure of associating to the new AP. 
In [152], MCL was closed by embedding the chaotic environment manually. 
Not surprisingly, verifying properties of MCL closed with chaos yielded false 
negatives at first in many cases: the completely chaotic environment was too 
abstract. Therefore, the traces leading to these false negatives were analyzed, 
which resulted in a refined environment. The refinement was done by identifying 
the signals that could not be exchanged chaotically without violating the 
verification property, then constructing a specific environment process handling only 
these signals, and finally closing the still open system obtained in this way by 
embedding the residual chaos. The conditions imposed on sending the detached signals are 
in fact the conditions imposed on the behaviour of the rest of the protocol, 
which later formed the correctness properties for the other protocol entities. 
Thus, by constructing the environment process we only produce an abstraction 
of the real environment, keeping it as abstract as possible and leaving the 
whole model still open, which means that the environment prescribes the order 
of sendings and receivings for only a part of the signals. In this way, we can 
still benefit from embedding chaos into the process. 
Of course, closing the system manually is time-consuming and error-prone. 
With the implemented translator, it became possible to reproduce the same series 
of experiments quickly, without looking for typos and omissions introduced 
during the manual closing. Moreover, we performed the same experiments for 
MCL closed with the chaotic environment modelled as a process. In our experiments 
we used DTSpin, an extension of Spin 3.3.10, using the partial-order 
reduction and compression options. All the experiments were run on a Silicon 
Graphics Origin 2000 server on a single R10000/250MHz CPU with 8GB of 
main memory. Our aim was to compare the state space and resource consumption 
for the two closing approaches. 
Table 18 gives the results for the model checking of MCL with chaos as 
external process on the left and embedded on the right. The first column gives 
the buffer size for process queues. The other columns give the number of states, 
transitions, memory in megabytes and time consumption, respectively. 

          chaos as a process                             embedded chaos 
buf.size  states    trans.    mem.     time(s)   states   trans.    mem.    time(s) 
2         9.73e+05  3.64e+06  40.842   15:57     300062   1.06e+06  9.071   1:13 
3         5.24e+06  2.02e+07  398.933  22:28     396333   1.85e+06  11.939  1:37 
4         2.69e+07  1.05e+08  944.440  1:59:40   467555   2.30e+06  14.499  2:13 
Table 18. Model checking MCL with chaos as a process and embedded chaos 

As one can see, the state space as well as the time and the memory consumption are 
significantly larger for the model with the environment as a process, and they 
grow much faster with the buffer size than for the model with embedded chaos. 
The model with the embedded environment has a relatively stable state-space 
size and other verification characteristics. 
All variants of closing sketched here were model-checked with DTSpin. The 
results of the experiments confirm that closing the system based on the may 
analysis reduces time and memory consumption compared with the 
system closed by adding the environment as a process. 
5.6 Conclusion 
Model checking has gained popularity in industry and is becoming a constituent 
part of software engineering practice since it is, in principle, a push-button 
verification technology. The further dissemination of model checking, however, 
depends on whether it is possible to reduce the significant human involvement in 
applying techniques like abstraction; automation of these techniques is therefore 
crucial. 
Here, we apply data-flow analysis to transform an open system into a closed, 
safe abstraction, well-suited for model checking. The approach for automatic 
closing of open systems, based on data and control abstraction of the environment, 
takes the most general environment, i.e., the chaotic one. To avoid the 
detrimental effect of external queues on the state space, the closing environment 
is embedded into the system. The approach presented here goes beyond [151] 
in yielding a more refined abstraction. The price for the refinement is a possible 
(but not necessary) increase of the state space, though the state space of the 
model is still significantly smaller than the state space of the model closed with 
the environment built as an outside chaotic process. We partially remove the 
additional state space without losing precision by an a-priori static analysis, 
determining variable occurrences that are guaranteed not to be influenced from 
outside and those which are guaranteed to be chaotic. 
Our approach is implemented as a tool that automatically closes DTPROMELA 
translations of SDL-specifications by embedding the timed chaotic 
environment into the system. The prototype implements the transformation 
based on may analysis only. For future work, we will extend our tool for closing 
open components with the combined analysis. We also plan to extend the 
method to account for more complex data types, process creation and more precise 
transformation for guards and expressions influenced by the environment. 
Based on the results from [153], another direction for future work is to extend 
the PML2PML implementation to handle environments more refined than just 
chaos. 
6 Timed Verification with µCRL 
µCRL is a process algebraic language for specification and verification 
of distributed systems. µCRL allows one to describe data and 
behaviour aspects but it has no explicit reference to time. In this 
work, we propose an approach that allows us to reuse the untimed 
language and the related toolset for timed verification without 
extending the language and the toolset. We show some experimental 
verification results obtained on two timed communication 
protocols. 
The chapter is based on [20]. 
6.1 Introduction 
The specification language µCRL [78] (micro Common Representation Lan-
guage) is a process algebraic language that was especially developed to take 
account of data in the study of communicating processes. The µCRL toolset [19] 
together with the CADP toolset [65] provides support for enumerative model 
checking. One of the most important application areas for µCRL is the specifi-
cation and verification of communication protocols. Communication protocols 
are mostly timed systems. A common way to use time is the timeout. In some 
cases it is possible to abstract from duration and simulate timeouts with a 
non-deterministic choice. However, in other cases the lengths of the timeouts 
are essential to the correctness of the protocol. To deal with these cases one 
needs an explicit notion of time. 
In [76], a timed version of the µCRL language is proposed where time is 
incorporated in µCRL as an abstract data type satisfying a few conditions plus a 
construct to make an action happen at a specific time. The timed version of the 
language turned out to be useful as a formalism for the specification and analysis 
of hybrid systems [82]. However, it is not clear yet whether timed µCRL can 
be used to analyse systems larger than the examples considered in that paper. 
Moreover, most of the existing tools cannot be used for timed µCRL without 
modification. Most importantly, linearisation (translating a specification into 
the intermediate format) for timed µCRL is not implemented. 
The goal of the work we present in this chapter is to establish a framework in 
which timed verification may proceed using the existing untimed tools. µCRL 
is a powerful framework for data and behaviour aspects of reactive systems that 
could be reused for timed verification. To achieve the goal of timed verification 
with untimed tools, we must restrict ourselves to discrete relative time: the 
state spaces of systems with dense or absolute time are almost always infinite. 
Techniques, such as regions and zones, which allow finite representations of such 
infinite state spaces, are not implemented in the untimed tools. Timestamping 
actions with "absolute" time, as it is done in timed µCRL, leads to infinite 
state spaces in case of unbounded delays. Consider for example the process 
X=sum(t:Time, a@t) which uses time tags (the @ symbol must be read as "at 
time") and thus can do action a at any time. The LTS of X consists of two states 
and infinitely many transitions. For this reason, we have chosen a "relative" 
time solution. Namely, we introduce time through an action tick, which by 
convention expresses one unit of time elapsing. In this case we can specify the 
process that can do a at any time as Y=tick.Y+a. The LTS of process Y has 
two states and two transitions. The advantage of representing time progression 
as an action is that we stay within the syntax of µCRL. Moreover, the special 
use of tick is compatible with the semantics of µCRL, and hence the existing 
toolset can be used for analysis and verification. 
The proposed discrete time semantics is suitable to express time aspects 
and analyse time properties of a large class of systems. We argue the usefulness 
of our approach with verification experiments on µCRL specifications of the 
positive acknowledgment retransmission protocol (PAR) [155] and the bounded 
retransmission protocol (BRP) [100], whose behaviour depends on the timers' 
settings. 
To express timed properties of systems, we introduce an LTL-like timed 
temporal logic on actions and show how to encode its time constraints with the 
use of tick, which results in untimed temporal formulas. These formulas can 
then be translated to the µ-calculus and checked with the CADP toolset . 
The rest of the chapter is organized as follows. In Section 6.2, we sketch 
the syntax and semantics of µCRL. In Section 6.3 we present the discrete time 
semantics that we work with, and afterwards in Section 6.4 we explain how 
timed specifications can be developed within the untimed framework, following 
the proposed approach. In Section 6.5 we discuss some experimental results. In 
Section 6.6 we introduce a timed temporal logic. We conclude in Section 6.7 
with discussing the related works and directions for future work. 
6.2 µCRL: Basic Notions 
The specification language µCRL (micro Common Representation Language) 
is essentially an extension of the process algebra ACP [12] with abstract data 
types and recursive definitions. The µCRL toolset provides tool support for a 
subset of the µCRL language. In the remainder of this section, we will give an 
overview of both the language and its tool support. Details about the language 
can be found in [78]. Details about the tool support can be found in [19]. 
Data in µCRL is specified using equational abstract data types. Each data 
type is declared using a keyword sort. Each declared sort represents a non-
empty set of data elements. Elements of a data type are declared using keywords 
func and map. The keyword func is used to declare constructors that define 
the structure of the data type. The keyword map is used to declare function 
symbols that are not constructors. The keyword rew is used to define a set 
of equations that represent the properties of the data type. The equations 
following the keyword rew are oriented from left to right and used as rewrite 
rules by the tools, but may be used in both directions for reasoning. 
Every µCRL specification must include a specification of the sort Bool, 
which represents the booleans. An example is given in Fig. 30. The sort Bool 
declares two constructors: true and false. It also declares two functions: 
eq: Bool#Bool->Bool and and: Bool#Bool->Bool. 
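The rew section of Fig. 30 read as rewrite rules oriented from left to right, as an added Python example; this is not the thesis's or the µCRL toolset's code. Terms are nested tuples, the rules and the variable declaration var b:Bool are those of Fig. 30, and the constants x and y used in the usage note are constructed to show a term that no rule reduces.

```python
"""Added example, not the thesis's or µCRL toolset's code: innermost term
rewriting with the rules of Fig. 30. A term is a string (constant) or a
tuple (function, arg1, ..., argn); a pattern variable is any string in VARS."""

VARS = {"b"}            # var b:Bool (Fig. 30)

# rew section of Fig. 30, one (lhs, rhs) pair per equation, applied left to right
RULES = [
    (("eq", "b", "b"), "true"),
    (("eq", "true", "false"), "false"),
    (("eq", "false", "true"), "false"),
    (("and", "true", "b"), "b"),
    (("and", "false", "b"), "false"),
]

def match(pattern, term, env):
    """Syntactic matching of a rule's left-hand side against a term.
    A variable occurring twice, as b in eq(b,b), must bind the same term."""
    if isinstance(pattern, str):
        if pattern in VARS:
            return env.setdefault(pattern, term) == term
        return pattern == term
    if (not isinstance(term, tuple) or len(term) != len(pattern)
            or term[0] != pattern[0]):
        return False
    return all(match(p, t, env) for p, t in zip(pattern[1:], term[1:]))

def subst(rhs, env):
    """Instantiate the right-hand side with the bindings found by match."""
    if isinstance(rhs, str):
        return env.get(rhs, rhs)
    return (rhs[0],) + tuple(subst(a, env) for a in rhs[1:])

def normalise(term, rules=RULES):
    """Innermost rewriting: first normalise the arguments, then apply the
    first rule whose left-hand side matches, until no rule applies."""
    if isinstance(term, tuple):
        term = (term[0],) + tuple(normalise(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        env = {}
        if match(lhs, term, env):
            return normalise(subst(rhs, env), rules)
    return term                      # normal form: no rule applies

def show(term):
    """Print a term in µCRL's f(a,b) notation."""
    if isinstance(term, str):
        return term
    return f"{term[0]}({','.join(show(a) for a in term[1:])})"

if __name__ == "__main__":
    t = ("and", ("eq", "true", "false"), "true")
    print(show(t), "->", show(normalise(t)))
    # eq(x,y) with constructed constants x, y: no rule matches, so it stays
    print(show(normalise(("eq", "x", "y"))))
```

The rewriter only ever uses the equations from left to right, as the tools do; the reasoning direction mentioned in the text (using an equation from right to left) is not something a rewriter performs.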
The usual way of modelling a system in µCRL is to decompose the sys-
tem into components and then specify the components and their interactions 
separately. Components are usually recursively defined using atomic actions, 
sequential and alternative composition and conditionals. 
Actions are abstract representations of events in the real world. They are 
declared using keyword act and are considered to be atomic. A special constant 
δ (delta) is used to represent deadlocks, which do not display any behaviour. Sequential 
sort Bool 
func true,false: ->Bool 
map eq,and:Bool#Bool->Bool 
var b :Bool 
rew eq(b,b)=true 
eq(true,false)=false 
eq(false,true)=false 
and(true,b)=b 
and(false,b)=false 
Fig. 30. A µCRL specification of the sort Bool. 
act a 
    b,c:Bool 
proc X=a.X 
proc Y=sum(b':Bool,b(b').c(b').Y) 
proc Y'(b1:Bool,state:Bool)= 
    sum(b':Bool,b(b').Y'(b',false)<|eq(state,true)|>delta)+ 
    c(b1).Y'(b1,true)<|eq(state,false)|>delta 
init Y'(true,true) 
Fig. 31. Components in µCRL 
composition X.Y and alternative composition X+Y are two elementary operators 
that are used to construct processes. There are no priority operators in µCRL. 
The process X.Y first executes X; when X terminates, it continues with executing 
Y. The process X+Y behaves either as X or as Y. 
The parallel operator can be used to put processes in parallel. The behaviour 
of X||Y is an arbitrary interleaving of actions of processes X and Y, assuming 
that there is no communication between X and Y. 
It is also possible that X and Y communicate in X||Y. This can be described 
by declaring on which action names the processes may synchronize. This is 
done in a communication section, which is a section starting with the keyword 
comm. For example, the interaction between actions a, b and c, resulting in 
action d can be expressed as 
comm a|b=ab b|c=bc a|c=ac a|bc=d b|ac=d c|ab=d 
The comm section says which actions may synchronize, but it does not say 
that they have to synchronize. To enforce communication, the unary encapsulation 
operator encap_H(X) is introduced. A process encap_H(X) can execute 
all actions of X which are not in H. The encapsulation operator can be used to 
guarantee that certain actions can occur only in communication. 
Sometimes it is convenient to reuse a given specification with different action 
names. A renaming operator rename mapping action names to action names 
is used for this purpose. The process rename({a->b},X) behaves as X with 
action a renamed to b. To make actions invisible, a hiding operator hide_I(X) 
is used. This operator renames action names to τ. 
µCRL combines abstract data types with process algebra by allowing atomic 
actions parameterized by data terms. For example, send(frame(x,y)) stands 
for the action send parameterized by a data frame with two data parameters x 
and y. Data can influence the behaviour of a process via a conditional operator. 
For example, a process X<|B|>Y, where X and Y are processes, behaves as X if 
the boolean condition B is true and as Y otherwise. The summation operator 
sum(d:D,X(d)), defined for some process X(d) and data type D, behaves as 
X(t1)+X(t2)+..., i.e. as a possible choice between X(d) for any data term ti 
taken from D. 
The heart of a µCRL specification is the proc section, where the behaviour 
of the system is declared. This section consists of equations of the form 
X(x1:S1,...,xn:Sn)=t. Here X is the process name and the xi are variables expressing data 
parameters of type Si. Term t is a process expression built from actions and 
expressions of the form Y(d1,...,dn) (where Y is a process name and the di are data 
terms or variables) using the above mentioned operators. A process declaration 
can thus be recursive. The initial state of the specification is declared in a 
separate initial declaration section init. See below for an explanation of Y'. 
For example, in Fig. 31 we have specified processes X and Y. Process X simply 
repeats action a infinitely often. Process Y infinitely often chooses between 
T and F nondeterministically and performs b and c with the same choice as 
argument. 
Besides the parallel composition operator provided by µCRL, other types of 
parallel composition operators can be defined in terms of the basic operators. 
For example, the operator X|{tick}|Y lets the processes X and Y run interleaved 
except for the action tick, which must be performed synchronously by 
both X and Y. It can be encoded as follows: 
act tick tick' 
comm tick|tick=tick' 
X|{tick}|Y = rename({tick'->tick},encap({tick},X||Y)) 
In the process X||Y, tick actions from X and Y may be performed interleaved 
or at the same time, resulting in a tick'. In the process encap({tick}, 
X||Y), the interleaved execution is disallowed by means of encapsulation. Finally, 
the tick' is renamed to tick to get the desired result. Note that the 
interaction is not limited to two parties. The result of the interaction may itself 
interact. 
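The encoding of X|{tick}|Y above, carried out on explicit finite LTSs as an added Python example (not code of the thesis or of the µCRL toolset). The three steps are exactly the parallel composition with the comm rule tick|tick=tick', encapsulation of the lone tick, and the renaming of tick' back to tick; the two components X = a.tick.X and Y = tick.Y + b.δ are constructed for the illustration.

```python
"""Added example, not the thesis's or µCRL toolset's code: the operators
||, encap and rename applied to finite LTSs, so that X|{tick}|Y can be
computed and inspected. An LTS is a dict: state -> list of (action, next)."""
from collections import deque

def interleave(X, Y, comm):
    """X || Y: each side's actions interleave; in addition two actions a, b
    with comm[(a, b)] = c may fire together as the communication c."""
    P = {}
    for s, xs in X.items():
        for t, ys in Y.items():
            moves = [(a, (s2, t)) for a, s2 in xs] + [(b, (s, t2)) for b, t2 in ys]
            moves += [(comm[(a, b)], (s2, t2))
                      for a, s2 in xs for b, t2 in ys if (a, b) in comm]
            P[(s, t)] = moves
    return P

def encap(P, H):
    """encap_H: delete every transition whose label is in H."""
    return {s: [(a, n) for a, n in ms if a not in H] for s, ms in P.items()}

def rename(P, mapping):
    """rename({a->b}, P): relabel transitions according to mapping."""
    return {s: [(mapping.get(a, a), n) for a, n in ms] for s, ms in P.items()}

def reachable(P, init):
    """Restrict P to the states reachable from init (breadth-first)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for _, n in P[s]:
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return {s: sorted(P[s]) for s in seen}

def sync_tick(X, Y, x0, y0):
    """X|{tick}|Y = rename({tick'->tick}, encap({tick}, X||Y)), as in the text:
    ticks happen only jointly, every other action interleaves."""
    P = interleave(X, Y, {("tick", "tick"): "tick'"})
    P = rename(encap(P, {"tick"}), {"tick'": "tick"})
    return reachable(P, (x0, y0))

def transitions(P):
    return sum(len(ms) for ms in P.values())

# Constructed components: X = a.tick.X and Y = tick.Y + b.delta
X = {"x0": [("a", "x1")], "x1": [("tick", "x0")]}
Y = {"y0": [("tick", "y0"), ("b", "y1")], "y1": []}

if __name__ == "__main__":
    for state, moves in sync_tick(X, Y, "x0", "y0").items():
        print(state, moves)
```

In the plain product the state (x1, y0) has two lone tick transitions and one tick'; after encapsulation and renaming only the joint tick survives. Once Y has performed b it can no longer tick, so in (x1, y1) time cannot progress at all, which is the intended effect of forcing both components to agree on every tick.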
µCRL was successfully applied in the analysis of a wide range of protocols 
and distributed systems. Recently it was used to support the optimized redesign 
of the Transactions Capabilities Procedures in the SS No. 7 protocol stack for 
telephone exchanges [8], to detect a number of mistakes in an industrial protocol 
over the CAN bus for lifting trucks [77], and to analyse the coordination 
languages SPLICE [54, 97] and JavaSpaces [164], and to arrive at a formally 
verified prototype implementation of a multi-channel on-board data acquisition 
system for Lynx helicopters [67]. 
Tool support for µCRL is centered around the linear process format [18]. 
A linear specification consists of a single recursive process, which can choose 
between possibilities of the form "action followed by a recursive call", provided 
the guard holds: 
proc X(d1:D1,...,dn:Dn) = 
    sum(e11:D11, ... sum(e1n1:D1n1, a1(s1).X(t1) <|c1|> delta) ...) + 
    ... 
    sum(ek1:Dk1, ... sum(eknk:Dknk, ak(sk).X(tk) <|ck|> delta) ...) + ... 
init X(t0) 
The toolset allows the transformation of µCRL specifications into a linear 
form [162] (in Fig. 31, process Y' is a linear equivalent of process Y), the 
optimization of a specification in linear form, the simulation of a linear specification, 
and the generation of an LTS from a linear specification. The toolset 
allows the user to apply a reduction method [81, 21] based on τ-confluence [79]. 
The reduction method guarantees that the reduced LTS is branching bisimilar 
to the original one. 
LTSs generated by the µCRL toolset are used as input for the CADP toolset [65]. 
This provides support for enumerative model checking. Properties to be verified 
are usually expressed by formulas of the regular alternation-free µ-calculus. In the 
regular alternation-free µ-calculus [126], one is allowed to use expressions <r>φ 
and [r]φ where r is a so-called regular expression built from action formulas. 
Let T = (S, Lab, →, s0) be an LTS (cf. Def. 2.6). An action formula α is 
defined as follows: 
α ::= action | any | α1 ∨ α2 | ¬α 
where action ∈ Lab is an action formula satisfied by the corresponding label 
only. Any label from Lab satisfies any. A label satisfies ¬α iff it does not satisfy 
α, and a label satisfies α1 ∨ α2 iff it satisfies α1 or α2. A regular expression r 
is defined as follows: 
r ::= α | r1.r2 | r1 + r2 | r* 
Here α is an action formula, r1.r2 is concatenation, r1+r2 is the choice operator, 
and r* is the transitive-reflexive closure. For each regular expression r, we refer 
to the language it represents as L(r). Intuitively, <r>φ means that φ holds after 
some trace from L(r), and [r]φ means that φ holds after all traces from L(r). 
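An evaluator for the modalities <r>φ and [r]φ over a finite LTS, following the definitions of action formulas and regular expressions just given; this is an added Python example, not CADP's or the thesis's code. The five-state LTS it is run on (a sender that retransmits once on a tick and times out on a second one) is constructed, as are the two property formulas.

```python
"""Added example, not CADP's or the thesis's code: evaluation of <r>phi and
[r]phi from the regular alternation-free mu-calculus on a finite LTS.
Action formulas: a label name, "any", ("or", a1, a2) or ("not", a).
Regular expressions: an action formula, ("cat", r1, r2), ("alt", r1, r2)
or ("star", r).  State formulas: True, False, ("not", f), ("and", f, g),
("dia", r, f) for <r>f and ("box", r, f) for [r]f.
The LTS is a dict: state -> list of (label, next state)."""

def sat_action(alpha, label):
    """Does the transition label satisfy the action formula alpha?"""
    if alpha == "any":
        return True
    if isinstance(alpha, str):
        return label == alpha
    if alpha[0] == "or":
        return sat_action(alpha[1], label) or sat_action(alpha[2], label)
    if alpha[0] == "not":
        return not sat_action(alpha[1], label)
    raise ValueError(alpha)

def post(lts, states, r):
    """States reachable from `states` by some trace in L(r)."""
    if isinstance(r, str) or r[0] in ("or", "not"):      # a single action formula
        return {n for s in states for lab, n in lts[s] if sat_action(r, lab)}
    if r[0] == "cat":
        return post(lts, post(lts, states, r[1]), r[2])
    if r[0] == "alt":
        return post(lts, states, r[1]) | post(lts, states, r[2])
    if r[0] == "star":            # reflexive-transitive closure as a least fixpoint
        result = set(states)
        while True:
            new = post(lts, result, r[1]) - result
            if not new:
                return result
            result |= new
    raise ValueError(r)

def sat(lts, s, phi):
    """Does state s satisfy the state formula phi?"""
    if phi is True or phi is False:
        return phi
    if phi[0] == "not":
        return not sat(lts, s, phi[1])
    if phi[0] == "and":
        return sat(lts, s, phi[1]) and sat(lts, s, phi[2])
    reach = post(lts, {s}, phi[1])
    if phi[0] == "dia":           # <r>phi: phi after some trace in L(r)
        return any(sat(lts, t, phi[2]) for t in reach)
    if phi[0] == "box":           # [r]phi: phi after all traces in L(r)
        return all(sat(lts, t, phi[2]) for t in reach)
    raise ValueError(phi)

# Constructed LTS: send, wait for ack or a tick, retransmit, time out on a second tick
LTS = {
    "s0": [("send", "s1")],
    "s1": [("ack", "s0"), ("tick", "s2")],
    "s2": [("send", "s3")],
    "s3": [("ack", "s0"), ("tick", "s4")],
    "s4": [("timeout", "s0")],
}
ANY_STAR = ("star", "any")

def check_timeout_properties(lts=LTS):
    """Two constructed properties: [any*.timeout]false (no timeout ever, which
    fails here) and [any*.(not tick).timeout]false (a timeout is never directly
    preceded by a non-tick action, which holds)."""
    never_timeout = ("box", ("cat", ANY_STAR, "timeout"), False)
    only_after_tick = ("box", ("cat", ANY_STAR,
                               ("cat", ("not", "tick"), "timeout")), False)
    return sat(lts, "s0", never_timeout), sat(lts, "s0", only_after_tick)

if __name__ == "__main__":
    print(check_timeout_properties())
```

The star case computes post iteratively until no new state appears, which is the standard least-fixpoint evaluation; the nesting of sat and post keeps the alternation-free restriction, since every modality is evaluated on a set that is already fully computed.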
6.3 Semantics of Time 
In this section we discuss which time semantics is appropriate for our purpose. 
The first choice to be made is between dense and discrete time. It is normally 
assumed that real-time systems operate in "real", continuous time (though 
some physicists contest the statement that the changes of a system 
state may occur at any real-numbered time point). Due to the development of 
regions and zones techniques [2], the verification of real-time systems became 
possible. However, a less expensive, discrete time solution is for many systems 
as good as dense time in the modelling sense, and better than the dense one 
when verification is concerned; [88] showed that discrete time suffices for a large 
and important class of systems and properties, including all systems that can 
be modelled as timed LTSs and such properties as time-bounded invariance 
and time-bounded response. Another work that compares the use of dense and 
discrete time is [29]; the authors state that discrete time automata can be 
analyzed using any representation scheme used for dense time, and in addition 
can benefit from enumerative and symbolic techniques (such as BDDs) which 
are not naturally applicable to the dense time systems. Having in mind that we 
prefer not to step out of the current non-timed framework of µCRL, the choice 
for discrete time is obvious. 
Timers are usually used to express time constraints imposed on a reactive 
system. An expiration of a timer is a natural way to model an interrupt from 
hardware or a trigger for a software event. Both interrupt and software event 
must be handled, and they must be handled exactly once, i.e. when taking an 
event guarded by a timer condition, we assume that the timer which triggered 
this event became deactivated (otherwise, the system could handle one event 
several times). Time progresses by decreasing the values of all active timers by 
one time unit. We will refer to the time progress action as tick and to the 
period of time between two tick's as a time slice. 
We consider a class of systems where delays are significantly larger than 
the duration of normal events within the system. Therefore, we assume system 
transitions to be instantaneous. It has been argued in some works that models 
where any action takes some non-zero time allow more faithful descriptions. 
However, we believe that such an assumption destroys the abstractness of time, as 
specifications then depend on specific implementation choices. In [130], it was shown 
that the zero duration assumption for atomic actions is more general and leads 
to much simpler theories. Moreover, this assumption does not prevent us from 
modelling actions that take some time. Whenever it is necessary, we can put 
an explicit time delay before an atomic action or split it into start- and finish-
events. 
The assumption about instantaneity of actions leads us to the conclusion 
that time progress can never take place if there is still an untimed action 
enabled, or in other words, the time-progress transition has the least priority 
in the system and may take place only when the system is blocked: there is 
no transition enabled except for time progress and communication with the 
environment. It means that some actions are urgent, as a process may block 
the progress of time and enforce the execution of actions before some delay. 
sort Timer
func off : -> Timer
     on  : Nat -> Timer
map  pred    : Timer -> Timer
     expired : Timer -> Bool
     set     : Timer # Nat -> Timer
     reset   : Timer -> Timer
var  t : Timer
     n : Nat
rew  expired(off) = F
     expired(on(n)) = eq(0, n)
     pred(on(n)) = on(pred(n))
     pred(off) = off
     set(t, n) = on(n)
     reset(t) = off
Fig. 32. A µCRL specification of the sort Timer.
This property is usually called minimal delay, maximal progress or τ-urgency
[130]. In CCS-based process algebras it is strongly related to the communication
mechanism. Indeed, a communication in CCS yields a τ-action; thus, this
property makes it possible to ensure that two processes communicate as soon as
they are ready to do so. In the timed process algebras TPL [86], TCSP [150] and
TiCCS [170], action urgency is enforced for τ-actions only.
6.4 Specifying Timed Systems in µCRL 
In the µCRL framework, we can implement timers as data parameters for
processes. Fig. 32 shows the specification of the sort Timer. Terms on(n) stand
for active timers (n is of sort Nat of natural numbers), while deactivated timers
are represented by off terms. (Note that µCRL specifications containing the
sort Timer should also include the sort Nat providing an operation pred that
decreases a non-zero natural number by one and an operation eq for checking
the equality of two numbers.) The operations we allow on timers are (1) setting
a timer to a value given by a natural number that shows the time delay left
until the timer expiration; (2) resetting a timer (setting it to off). The timer
expiration condition given by the predicate expired is the check whether the
delay until the timer expires is zero. Normally, the action guarded by a timer
expiration resets the timer or sets it to a positive value.
Following the time semantics described in Sec. 6.3, we want to model time
progression by the tick action, which is a global action decreasing all active
timers of the system by one and enabled only when the system is blocked. To
achieve this, we enable the tick action in a component if that component is
blocked and if every timer in that component is off or non-zero. By combining
components with the |{tick}| operator as defined in Sec. 6.2, we get precisely
the desired behaviour.
A system is considered blocked if there are no urgent actions possible. As
µCRL has no priority mechanism, we capture urgency by following a
specification discipline.
First, we classify a number of actions as urgent. Actions that a component
can perform independently of the other components are internal. Enabled
internal actions are urgent: they take zero time and, hence, they may not be
postponed until later, and tick may not be proposed as an alternative to an
internal action.
The situation with communication is more complicated: When the two com-
municating parties are both ready to communicate, communication should take 
place in the current time slice. Thus, no tick action can be given as an alter-
native to a communication action. However, when only one of the parties is
willing to communicate, time progress should not be disabled, meaning that 
the process willing to communicate but not having this chance yet, should be 
able to take the tick action. 
We resolve the problem by introducing asymmetry into communication. 
Though µCRL has no notions of "sender" and "receiver", it is rather usual for 
a large class of systems to distinguish between the sending and the receiving 
party in a communication action. Moreover, it is logical to expect for a correct 
specification that send events take place in the same time slice in which they 
become enabled; otherwise communication cannot be seen as synchronous and 
a message exchanged between the sender and the receiver should be stored 
in a buffer. Reception, however, can be postponed until the next time slice. 
Consequently, we allow tick as an alternative to a receive action and not to a 
send action. 
The classification of actions results in the classification of component states: 
We require every state to be either a receive state, i.e. a state where only 
"receive" actions are enabled, or a non-receive state, i.e. a state where only 
"send" and internal actions can be taken. The check that a µCRL specification 
meets this requirement can be easily automated by introducing conventional 
names for input and output actions. To simplify matters further, we have used
patterns for specifying states of components as µCRL processes. 
$\mathit{proc}\ A(t_1 : Timer, \ldots, t_m : Timer, d_1 : D_1, \ldots, d_n : D_n) =$
$\quad tick \,.\, A(pred(t), d) \lhd \mathit{not}(\bigvee_{i=1}^{m} expired(t_i)) \rhd \delta\ +$
$\quad \sum_{l_1 \in D_{l_1}} \ldots \sum_{l_q \in D_{l_q}} in_1(s_1) \,.\, Y_1(t_1, x_1) \lhd c_1 \rhd \delta\ + \ldots$
Fig. 33. Pattern of a receive state.
$\mathit{proc}\ B(t_1 : Timer, \ldots, t_m : Timer, d_1 : D_1, \ldots, d_n : D_n) =$
Fig. 34. Pattern of a non-receive state.
In µCRL, we use process declarations to specify states of a component. All
µCRL processes which correspond to states in one component have the same
list of parameters. For a component with m timers and n other variables, the
first m parameters are timers and the next n are the other variables. The
patterns of receive and non-receive states are given in Fig. 33 and 34,
respectively. We use t to denote a vector of timer terms (data terms of the
type Timer) and x, y to denote vectors of untimed data terms. After a receive,
internal or send action, timers of the component can be set or reset, data
parameters can be modified and the state of the component may change. After a
tick action, all active timers of the component are decreased by operation
pred(t) and everything else remains unchanged. Receive and non-receive states
of the component have different transitions: In a receive state, we have timer
expiration events $a_1, \ldots, a_m$ for expired timers, tick if no timer is
expired, and receive actions $in_1, \ldots, in_k$. In non-receive states, we
only have send and internal actions $b_1, \ldots, b_l$.
When we build a system from components, we must not only make sure that
time progression is handled correctly, but also that all enabled communications
within the system are enforced. The first requirement means using |{tick}|,
the latter means encapsulation of send and receive actions. If we specify a
closed system that does not communicate with the outside world, all send and
receive actions should be encapsulated. If a system is open, i.e. it sends and
receives messages from the outside world, then only the sends and the receives
within the system should be encapsulated. Let H be the set of send and receive
actions that take place within the system. Then a system with N components
is described by the following µCRL init statement:
init encap(H, C1 |{tick}| C2 ... |{tick}| CN)
Fig. 35 contains the µCRL code of a simple watchdog. The watchdog's task 
is to watch a component working properly. The component is supposed to send 
a signal ok every m time units to inform the watchdog that it is functioning 
normally. The watchdog is ready to accept signals from the component at any 
time. In case it does not receive the signal ok within m time units, it will send 
out a warning signal alarm immediately. 
The watchdog is specified by two µCRL process declarations. Process A
waits either for a signal ok or for an expiration of timer t. If ok comes, the
timer is set to m again. Otherwise, an alarm signal is issued by process B and
the timer is set to m. The watchdog is an open system, i.e. it communicates
with the outside by receiving ok and sending alarm, so none of the send and
receive actions is encapsulated.
proc A(t : Timer, m : Nat) =
  expire . B(reset(t), m) <| expired(t) |> delta +
  tick . A(pred(t), m) <| not(expired(t)) |> delta +
  recv(ok) . A(set(t, m), m) <| true |> delta
proc B(t : Timer, m : Nat) =
  send(alarm) . A(set(t, m), m) <| true |> delta
init A(on(5), 5)
Fig. 35. A µCRL watchdog
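As an added example (not code from the thesis), the following Python model runs the timer sort of Fig. 32 and the watchdog of Fig. 35 under the urgency discipline described above: internal and send actions go first, a receive from the environment is taken in the slice in which it is offered, and tick is taken only when nothing else is enabled. The encoding of timers as Python values, the function names and the way the environment offers ok are assumptions of this example.

```python
"""Executable rendering of the timer discipline of Sec. 6.4 and the watchdog
of Fig. 35 (added example, not the thesis's own code)."""

# Sort Timer (Fig. 32): `off` is encoded as None, `on(n)` as the int n.
OFF = None


def on(n):
    return n


def expired(t):
    # expired(off) = F, expired(on(n)) = eq(0, n)
    return t is not None and t == 0


def pred(t):
    # pred(off) = off, pred(on(n)) = on(pred(n)); pred on Nat leaves 0 at 0
    return OFF if t is None else max(t - 1, 0)


def set_timer(t, n):   # set(t, n) = on(n)
    return on(n)


def reset(t):          # reset(t) = off
    return OFF


def enabled(state, t, m, ok_offered):
    """Summands of processes A and B of Fig. 35 enabled in the current state.
    Each entry is (action, next_state, next_timer, urgent).  `expire` is an
    internal action and `send(alarm)` a send, so both are urgent; tick and
    recv(ok) are not (tick may be an alternative to a receive)."""
    if state == "A":
        opts = []
        if expired(t):
            opts.append(("expire", "B", reset(t), True))
        else:                                   # tick guarded by not(expired(t))
            opts.append(("tick", "A", pred(t), False))
        if ok_offered:
            opts.append(("recv(ok)", "A", set_timer(t, m), False))
        return opts
    return [("send(alarm)", "A", set_timer(t, m), True)]   # state B


def run_watchdog(m, ok_slices, horizon):
    """Simulate `init A(on(m), m)` for `horizon` time slices.

    ok_slices: time slices in which the environment offers ok (constructed
    input).  Scheduling follows the specification discipline: urgent actions
    first, then the pending communication with the environment, and tick only
    when nothing else is enabled.  Returns the list of (slice, action) pairs."""
    if m == 0:
        raise ValueError("a watchdog with m = 0 never lets time progress")
    state, t = "A", on(m)
    trace = []
    for s in range(horizon):
        offered = s in ok_slices
        while True:
            opts = enabled(state, t, m, offered)
            urgent = [o for o in opts if o[3]]
            recvs = [o for o in opts if o[0] == "recv(ok)"]
            if urgent:
                act = urgent[0]
            elif recvs:
                act = recvs[0]
                offered = False          # the signal is handled exactly once
            else:
                act = [o for o in opts if o[0] == "tick"][0]
            trace.append((s, act[0]))
            state, t = act[1], act[2]
            if act[0] == "tick":
                break                    # tick closes the time slice
    return trace


def alarm_slices(m, ok_slices, horizon):
    """Time slices in which the watchdog raised an alarm."""
    return [s for s, a in run_watchdog(m, ok_slices, horizon) if a == "send(alarm)"]


if __name__ == "__main__":
    print(alarm_slices(5, set(), 12))        # silent component: alarms at 5 and 10
    print(alarm_slices(5, {3, 7, 11}, 14))   # ok every four slices: no alarm
```

Offering ok in the very slice in which the timer expires does not suppress the alarm: the urgent expire action is taken before the receive, which is exactly the priority the discipline prescribes.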
[SDL diagram of process WatchDog: state wait, input OK, SET T:=5]
Fig. 36. An SDL watchdog
The discrete time semantics that we have chosen is similar to SDL time
semantics (cf. Sec. 3.2). An analogous watchdog can also be specified in SDL.
In Fig. 36, an SDL specification of a watchdog process is given. It waits either
for a signal OK or for a timeout of timer T. If the signal comes in time, the
timer is set to 5 again. Otherwise, the signal ALARM is sent upon expiration of
the timer, the timer is set to 5, and the process comes back to the state wait.
Intuitively, a set of µCRL process declarations that represent one component
corresponds to an SDL process specification. Receive and send actions in a
µCRL specification correspond to input and output actions of SDL processes,
respectively.
6.5 Experiments 
We have tested our approach on two protocols: the positive acknowledgment 
retransmission protocol (PAR) [155] and the bounded retransmission protocol 
(BRP) [100, 49]. These are two classical examples of communication protocols 
where time issues are essential for the correct functionality of the protocol. 
The goal of the experiments was to show how our approach can be applied 
to the specification of time aspects of the protocols and to the verification of 
properties that depend on time issues. 
BRP 
BRP is a variation of the Alternating Bit Protocol [155] where only a bounded
number of retransmissions of packets is allowed and timeouts are used to detect
a packet loss or an abortion of transmission. BRP behaves like a buffer, i.e. it
reads data from one sender client and then delivers it at a receiver client.
The usual scenario includes a sender, a receiver, a message channel and 
an acknowledgment channel. The two channels are assumed to either lose a 
message or deliver it correctly. They also delay messages for time TD. Here we 
consider BRP together with its environment consisting of a sender client and 
a receiver client (see Fig. 37). The description of BRP and BRP's environment 
is adopted from [52]. 
The sender client gives a list $(d_1, \ldots, d_n)$ to the sender. Ideally, each element
$d_i$ should be delivered to the receiver client. When delivered, the element $d_i$ of
the list is accompanied by an indication: I_FST, I_INC, I_OK, I_NOK. Indication
I_FST is used if $d_i$ is the first element of the list and more elements will follow.
All intermediate elements of the list are accompanied by indication I_INC.
The last element of the list is delivered together with the I_OK indication. If
something goes wrong, the I_NOK ("not OK") indication is delivered without data.
The sender client is informed after the transmission of the whole list, or
when the transmission is aborted. The indication for the sender client is one of
the following values: I_OK, I_NOK, I_DK. After an I_OK or an I_NOK indication
the sender client can be sure that the receiver has got the same indication. An
I_DK indication may occur after the delivery of the last element. The information
about a successful delivery of the last element is transported over a lossy
channel. If the acknowledgment for the last element fails, there is no way to
know that the last element has been delivered correctly. After I_OK and I_DK,
the sender client is ready to transmit the next package.
[Diagram: S_CLIENT passes the list <d1, ..., dn> to SENDER (timers T1, SYNC) at S_out; SENDER and RECEIVER (timer TR) are connected by the message and acknowledgment channels; RECEIVER delivers to R_CLIENT at R_out]
Fig. 37. BRP
From the sender client, the sender receives a package $(d_1, \ldots, d_n)$ to transmit
([80]). It sends the elements of the list one by one over the message channel. For
each element of the list, the sender forms a frame consisting of two indication
elements, a bit and the list element. The first indication shows whether the
element is the first element of the list. The second one indicates whether the
element is the last element of the list. The bit is an alternating bit that is used
to guarantee that data do not get duplicated. The sender sends the frame via
the message channel. To detect the loss of frames and/or acknowledgments, the
sender sets timer T1 and waits for the acknowledgment from the receiver.
In the waiting state, the sender considers several possibilities. If the sender
receives an acknowledgment, the sender negates its alternating bit and proceeds
with sending the next frame. If the sender receives an acknowledgment for the
last element of the list, it sends I_OK to the sender client and is ready to start
with another list.
If the sender does not get the acknowledgment in time, it wakes up when
timer T1 expires. The number of retransmissions for each element of the list
is limited by MAX. If the number of retransmissions attempted has not reached
MAX, the sender resends the same frame. Otherwise, the sender sends an I_DK
or an I_NOK indication to the sender client, depending on whether the current
list element is the last element of the list or not, and waits until timer SYNC
expires. This timer ensures that the sender does not start the transmission of
another list before the receiver has properly reacted to the failure. Upon the
expiration of timer SYNC, the rest of the list is skipped and the sender becomes
ready to start with a new list.
The receiver receives frames from the message channel. Upon the recep-
tion of a frame, the receiver checks whether the frame came with the correct 
alternating bit. If the alternating bit coincides with the one expected by the 
receiver, it delivers the data element together with the proper indication to the 
receiver client and sends an acknowledgment over the acknowledgment channel. 
If the frame comes with a wrong alternating bit, the receiver discards the frame
and sends the acknowledgment. The receiver is able to detect situations when
the sender has given up, namely, the receiver sets timer TR after receiving a
frame and waits for the next frame. If the timer expires, the receiver delivers
indication I_NOK to the receiver client and becomes ready to receive a next list.
To ensure that no premature timeout is possible for the sender, the sender
sets timer T1 to a value longer than twice the delay on the channels
($T1 > 2 \cdot TD$) and waits for the acknowledgment. This is enough for the
message channel to deliver a frame and for the acknowledgment channel to
deliver an acknowledgment [52].
A premature timeout at the receiver would abort the connection when there
is still a possibility for some frame to arrive. To ensure that no premature
timeout is possible for the receiver, the receiver's timer TR should be set to a
value that satisfies the following condition [52]: $TR \geq 2 \cdot MAX \cdot T1 + 3 \cdot TD$.
In the case of a failure, the sender should not start transmitting a new list
until the receiver has reacted properly to the failure. Timer SYNC, which is used
for synchronisation in case of a failure, should be set to a value that satisfies
the following condition [52]: $SYNC \geq TR$.
We assume that the packets transmitted by BRP are lists of non-repeating
natural numbers. It means that the system is infinite. Therefore, we apply data
abstractions in order to arrive at a finite state verification model. The protocol
should ensure that if the sender is transmitting a list $l$, the sequence of elements
that the receiver client gets forms a prefix of $l$. It can be shown that this holds
if in a list of non-repeating naturals the following properties hold ([49]):
- for any two values $e_1$ and $e_2$ on positions $i$ and $j$ respectively in the list,
with $i < j$, either $e_2$ is not delivered to the receiver client, or $e_1$ is delivered
to the receiver client before $e_2$;
- for any two values $e_1$ and $e_2$, where $e_1$ is delivered before $e_2$ to the receiver
client, $e_1$ and $e_2$ occur on positions $i$ and $j$ resp. in the list with $i < j$.
This gives the following idea for a data abstraction: We distinguish two natural
numbers $p_1, p_2$, which are abstracted into $e_1, e_2$ respectively, while all the
other naturals are non-distinguishable and they are abstracted into an abstract
element nd.
An arbitrary nonempty list of non-repeating naturals is represented by an
abstract list of one of the forms: e1l, e2l, e1e2l, e2e1l, or nemp. nemp
represents non-empty lists that contain neither $e_1$ nor $e_2$, e1l represents lists
containing only $e_1$, e1e2l represents lists containing first $e_1$ and then $e_2$. An
empty list is represented by emp.
Given this data abstraction for lists, we can define an abstract operation on
abstract lists for each concrete operation on concrete lists. We are interested in
the operation that splits a list into two parts: the first element of the list and
the tail. The abstraction of the operation is illustrated by a directed graph in
Fig. 38. The nodes of the graph in Fig. 38 are labelled by abstract lists. An
arrow from node $n$ to node $n'$ is labelled by the first element of the list in $n$.
The destination node $n'$ is labelled by the tail of the list in $n$. This abstraction
is analogous to a well-known canonical abstraction proposed in [75].
[Figure not reproduced]
Fig. 38. Abstract split operation
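As an added example (not the thesis's own code), the following Python reconstructs the abstract split operation by enumerating concrete non-repeating lists over a small sample universe, abstracting head and tail of every split, and comparing the resulting edges with the graph the abstraction predicts. The sample values, the node names as Python strings and the function names are assumptions of this example.

```python
"""Data abstraction for BRP packets (Sec. 6.5): concrete packets are lists of
non-repeating naturals, two distinguished values p1, p2 are abstracted to e1,
e2, every other value to nd, and a whole list to one of emp, nemp, e1l, e2l,
e1e2l, e2e1l.  Added example, not code from the thesis."""
from itertools import permutations

NODES = ("emp", "nemp", "e1l", "e2l", "e1e2l", "e2e1l")


def alpha_elem(x, p1, p2):
    """Abstract a single natural: p1 -> e1, p2 -> e2, anything else -> nd."""
    return "e1" if x == p1 else "e2" if x == p2 else "nd"


def alpha_list(lst, p1, p2):
    """Abstract a non-repeating list by the order in which p1 and p2 occur."""
    if not lst:
        return "emp"
    marks = tuple(m for m in (alpha_elem(x, p1, p2) for x in lst) if m != "nd")
    return {(): "nemp", ("e1",): "e1l", ("e2",): "e2l",
            ("e1", "e2"): "e1e2l", ("e2", "e1"): "e2e1l"}[marks]


def split_graph(universe, p1, p2, max_len):
    """Edges of the abstract split operation, node -> {(head, tail node)}:
    every non-repeating list over `universe` of length <= max_len is split
    into head and tail, and both sides are abstracted."""
    edges = {n: set() for n in NODES}
    for n in range(1, max_len + 1):
        for lst in permutations(universe, n):
            node = alpha_list(lst, p1, p2)
            edges[node].add((alpha_elem(lst[0], p1, p2),
                             alpha_list(lst[1:], p1, p2)))
    return edges


# Expected shape of the graph, derived here from the abstraction itself (the
# figure is not reproduced on the page): an nd head leaves the node unchanged,
# taking e1 or e2 off the front removes that element from the abstract list.
EXPECTED_SPLIT = {
    "emp":   set(),
    "nemp":  {("nd", "emp"), ("nd", "nemp")},
    "e1l":   {("nd", "e1l"), ("e1", "emp"), ("e1", "nemp")},
    "e2l":   {("nd", "e2l"), ("e2", "emp"), ("e2", "nemp")},
    "e1e2l": {("nd", "e1e2l"), ("e1", "e2l")},
    "e2e1l": {("nd", "e2e1l"), ("e2", "e1l")},
}


def abstraction_is_exact(universe=(0, 1, 2, 3, 4), p1=1, p2=3, max_len=4):
    """True iff every concrete split is covered by an expected edge and every
    expected edge is realised by some concrete list over the sample universe
    (constructed sample values: p1 = 1, p2 = 3, the rest abstract to nd)."""
    return split_graph(universe, p1, p2, max_len) == EXPECTED_SPLIT
```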
We have specified BRP in µCRL using timers to represent delays on the
channels and timeouts at the receiver and the sender side, and list abstraction
to represent all possible lists. Since the system is open, we have closed the
system by the sender client process that provides abstract lists for the sender
and the receiver client process that receives frames and indications delivered
by the receiver.
Using the µCRL toolset we have generated the LTS for the µCRL specification
of the protocol. Then, with the CADP toolset, we have verified a number of
properties expressed by formulas of the regular alternation-free µ-calculus [126].
One of the properties is the absence of reordering in the delivery of elements.
For example, if the sender receives an abstract list e2e1l from the sender client,
it is never the case that element e1 is delivered to the receiver client before
element e2. That can be expressed by the following formula of the regular
alternation-free µ-calculus:
[T* . 'get_lst(e2e1l)' . (not('rdeliver(e2.*)' or 'get_lst(.*)'))* .
 'rdeliver(e1.*)' . (not('rdeliver(e2.*)' or 'get_lst(.*)'))* .
 'rdeliver(e2.*)'] F.
Here get_lst(e2e1l) means that the sender gets a list containing e2 before e1,
get_lst(.*) stands for getting a new list to transmit, and rdeliver(e1.*)
stands for a pair that consists of element e1 and some indication delivered to
the receiver client.
Another property is that the sender client and the receiver client should have
corresponding indications. For example, if the receiver client gets indication
I_OK, then the sender client should receive either I_OK or I_DK. This property
can be expressed as inevitable reachability (cf. [56]) of indication I_OK or I_DK
by the sender client after indication I_OK given to the receiver client:
[T* . 'get_lst(.*)' . (not('get_lst(.*)'))* . 'rdeliver(.*I_OK)']
  mu X . (['get_lst(.*)'] F and <T> T and
          [not('sdeliver(I_OK)' or 'sdeliver(I_DK)')] X)
Here, sdeliver(I_OK) stands for the delivery of the indication I_OK to the
sender client. Proving property
[(not('rdeliver(.*I_NOK)'))* . 'sdeliver(I_NOK)'] F,
we show that indication I_NOK for the sender client is always preceded (cf. [56])
by indication I_NOK for the receiver client.
These properties hold for the system with correct timeouts and do not hold
for the system with premature timeouts. The µCRL specification for BRP and
the properties are available at www.cwi.nl/~ustin/tmcrl.html.
PAR 
The usual scenario for PAR includes a sender, a receiver, a message channel 
and an acknowledgment channel. The channels delay the delivery of messages. 
Moreover, they can lose or corrupt messages. The sender receives a frame from
the upper layer, sends it to the receiver via the message channel, and waits for 
a positive acknowledgment from the receiver via the acknowledgment channel. 
When the receiver has delivered the message to the upper layer it sends an 
acknowledgment to the sender. After the positive acknowledgment is received, 
the sender becomes ready to send a next message. The receiver needs some 
time to deliver the received frame to an upper layer. The sender handles lost 
frames by timing out. If the sender times out, it re-sends the message. 
The following is an example of an erroneous scenario. The sender times
out while the acknowledgment is still on the way. The sender sends a duplicate,
then receives the acknowledgment and believes that this is the acknowledgment
for the duplicate. The sender sends the next frame, which gets lost. However,
the sender receives the acknowledgment for the duplicate, which it believes to
be the acknowledgment for the last frame. Thus the sender does not retransmit
the lost message and the protocol fails. To avoid this erroneous behaviour, the
timeout interval must be long enough to prevent a premature timeout, which
means that the timeout interval should be larger than the sum of delays on the
message channel, the acknowledgment channel and the receiver [155].
We have specified PAR in µCRL using timers to represent delays on the
channels and the receiver and the timeout for the sender. Since the system is
open, i.e. both the sender and the receiver communicate with upper layers, we
have closed the system by the environment process that provides frames for the
sender and receives frames delivered by the receiver. If the sender is ready to
send the next frame before the environment gets the previous frame delivered
by the receiver, the environment process issues an error action err. The err
action also occurs if the environment gets a wrong (not sent to the sender)
frame from the receiver.
Using the µCRL toolset we have generated the LTS for the µCRL specification
of the protocol. Then, with the CADP toolset, we have verified a number
of properties expressed by formulas of the regular alternation-free µ-calculus.
One of the properties is the absence of traces containing the error action err:
[T* . "err"] F,
which holds when the sender's timeout is large enough to avoid premature
timeouts.
Another property we have checked was inevitable reachability of an __out
action after an __in action, meaning that the frame sent by the sender to the
receiver will always be delivered by the receiver to the environment:
[T* . "__in"] mu X . (<T> T and [not("__out")] X).
This property holds neither for the system with correct timeout intervals nor
for the system with premature timeouts. This can be explained by the fact that
the message channel may continuously lose or corrupt a frame, so the frame
will never be delivered to the environment. Using a pattern for fair reachability
given in [126], we have specified the property stating fair reachability of an
__out action after an __in action:
[T* . "__in" . (not("__out"))*] <(not("__out"))* . "__out"> T.
This property holds for the system with correct timeout intervals and not for the
system with wrong ones. The µCRL specification for PAR and the properties
are available at www.cwi.nl/~ustin/tmcrl.html.
6.6 Timed Verification 
In the previous sections we showed how to specify a timed system in µCRL and 
how to verify properties dependent on the settings of timers. The considered 
properties are "qualitative", i.e. they concern only the order of events. In this 
section, we discuss how to verify "quantitative" timed properties, like "event 
a happens within 3 time units after event b". For this purpose, we introduce 
an LTL-like language that allows the direct use of timed constraints, and then 
show how to encode these timed constraints with the use of tick. 
6.6.1 Regular LTL 
First, we will give an untimed version of the action-based linear temporal logic.
It is a variation of tLTL of Kaivola [106] extended with regular expressions [126].
As interpretation model, we consider finite LTSs. Let $T = (S, Lab, \rightarrow, s_0)$ be
an LTS (cf. Def. 2.6). Action formulas and regular expressions are defined as
in Sec. 6.2.
The logic we consider here is action-based, so we are interested in paths of
the form $\alpha_1 \alpha_2 \ldots \in Lab^\omega$, but not in paths of the form $\pi = s_0 s_1 \ldots \in S^\omega$ (cf.
Sec. 2.3). We say that a sequence of labels $w = \alpha_1 \alpha_2 \ldots \in Lab^\omega$ is a path of LTS
$T$ iff there is a trace $\zeta$ of $T$ such that $\zeta_2(i) = \alpha_i$ for all $i \geq 1$ and $\zeta_1(0) = s_0$ (cf. Sec. 2.2).
Definition 6.1. [SEMANTICS OF REGULAR EXPRESSION]
For a path $w = \alpha_1 \alpha_2 \ldots \in Lab^\omega$, we define $w, i, k \models_R r$ for a sequence
$w, i, k = \alpha_i \ldots \alpha_k$ if $\alpha_i \ldots \alpha_k \in L(r)$, where $L(r)$ is the language defined by $r$.
Further we define regular LTL, where LTL modalities are parameterized by
regular expressions.
Definition 6.2. [SYNTAX OF REGULAR LTL]
$\phi ::= \top \mid \neg\phi \mid \phi_1 \vee \phi_2 \mid \phi_1\, U(r)\, \phi_2$
where $r$ stands for a regular expression.
We use $\bot$, $\wedge$ and $\Rightarrow$ as derived operators in the usual way, and define
$\langle r \rangle \phi = \top\, U(r)\, \phi$, $[r]\phi = \neg \langle r \rangle \neg\phi$.
First we give an intuition for the formulas of regular LTL and then we
provide a more formal semantics.
$\langle r \rangle \phi$ holds on a path $w$ if there exists a prefix $w, 1, i$ of $w$ that satisfies $r$
and $\phi$ holds on the suffix of $w$ starting at $\alpha_{i+1}$.
$[r]\phi$ holds on a path $w$ if for every $w, 1, i$ that satisfies $r$, $\phi$ holds on the suffix of
$w$ starting at $\alpha_{i+1}$.
$\psi\, U(r)\, \phi$ holds on a path $w$ if there exists an $i \geq 1$ on the path such
that the sequence $w, 1, i$ satisfies $r$, the path starting at $\alpha_{i+1}$ satisfies $\phi$, and
the path starting at any action before $\alpha_{i+1}$ satisfies $\psi$.
Definition 6.3. [SEMANTICS OF REGULAR LTL]
Let $w, i$ be the suffix of $w$ starting at $\alpha_i$. Then
- $w, i \models \top$;
- $w, i \models \neg\phi$ if $w, i \not\models \phi$;
- $w, i \models \psi \vee \phi$ if $w, i \models \psi$ or $w, i \models \phi$;
- $w, i \models \psi\, U(r)\, \phi$ if there exists some $k \geq i$ such that
  • $w, i, k \models_R r$, and
  • $w, k+1 \models \phi$, and
  • for all $j$: $i \leq j \leq k$, $w, j \models \psi$ holds.
We say that $w$ satisfies $\phi$, denoted as $w \models \phi$, if $w, 1 \models \phi$. Formula $\phi$ is
satisfied by an LTS $T$ if all paths of $T$ starting at the initial state satisfy the
formula.
6.6.2 Regular LTL with Time
Now we extend regular LTL with time constraints of the form $\geq c$, $\leq c$, $= c$,
where $c$ is a non-negative integer constant. Further, we refer to a time constraint
of this form as $tc$.
Definition 6.4. [SEMANTICS OF TIME CONSTRAINTS]
Let $d(w, i, k)$ denote the number of tick steps in a finite sequence $w, i, k$. Then:
- $w, i, k \models\ \leq c$ if $d(w, i, k) \leq c$;
- $w, i, k \models\ \geq c$ if $d(w, i, k) \geq c$;
- $w, i, k \models\ = c$ if $d(w, i, k) = c$.
Definition 6.5. [SYNTAX OF REGULAR LTL WITH TIME]
where $tc$ is a time constraint and $r$ stands for a regular expression that does
not mention the action tick.
We use $\bot$, $\wedge$ and $\Rightarrow$ as derived operators in the usual way, and define
$\langle r \rangle_{tc} \phi = \top\, U(r)_{tc}\, \phi$, $[r]_{tc} \phi = \neg \langle r \rangle_{tc} \neg\phi$.
The intuition about regular expressions is that they hold on traces regardless
of time progression. This means that a path with ticks satisfies a regular
expression if the path with the tick steps projected out satisfies the path
formula. We refer to a path $w$ with all tick steps projected out as $\pi(w)_{tick}$.
Definition 6.6. [tick-SEMANTICS OF REGULAR EXPRESSIONS]
We define
$w, i, k \models^{tick}_R r$ iff $\pi(w, i, k)_{tick} \models_R r$
The intuitive semantics of the formulas is similar to those of regular LTL.
$\langle r \rangle_{tc} \phi$ holds on a path $w$ if there exists a prefix $w, 1, i$ of $w$ that satisfies $r$ and
the time constraint $tc$, and $\phi$ holds on the suffix of $w$ starting at $\alpha_{i+1}$.
$[r]_{tc} \phi$ holds on a path $w$ if for every $w, 1, i$ that satisfies $r$ and time constraint $tc$,
$\phi$ holds on the suffix of $w$ starting at $\alpha_{i+1}$.
$\psi\, U(r)_{tc}\, \phi$ holds on a path if there exists an action on the path such that
the path up to that action matches both $r$ and $tc$, the suffix of the path starting
after this action satisfies $\phi$ and the path starting at any action before satisfies
$\psi$.
Definition 6.7. [SEMANTICS OF REGULAR LTL WITH TIME]
Let $w, i$ be the suffix of $w$ starting at $\alpha_i$. Then
- $w, i \models^{tick} \top$;
- $w, i \models^{tick} \neg\phi$ if $w, i \not\models^{tick} \phi$;
- $w, i \models^{tick} \psi \vee \phi$ if $w, i \models^{tick} \psi$ or $w, i \models^{tick} \phi$;
- $w, i \models^{tick} \psi\, U(r)_{tc}\, \phi$ if there exists some $k \geq i$ such that
  • $w, i, k \models^{tick}_R r$, and
  • $w, i, k \models tc$, and
  • $w, k+1 \models^{tick} \phi$, and
  • for all $j$: $i \leq j \leq k$, $w, j \models^{tick} \psi$ holds.
We say that $w$ satisfies $\phi$, denoted $w \models^{tick} \phi$, if $w, 1 \models^{tick} \phi$. Formula $\phi$ is
satisfied by an LTS $T$ if all paths of $T$ starting from the initial state satisfy the
formula.
Example 1: Each request is followed by an answer in at most 5 time units:
$[any^* . request]\, \langle any^* . answer \rangle_{\leq 5}\, \top$
Example 2: request is never followed by fail within 2 time units:
$[any^* . request]\, [any^* . fail]_{\leq 2}\, \bot$
6.6.3 tick-encoding of Regular LTL with Time
In this section we present a construction for translating a formula from regular
LTL with time into regular LTL with tick. The key to this translation is the
construction of a regular expression over an action domain with tick from a
regular expression over a domain without tick but with a time constraint. This
is done by translating both the regular expression and the time constraint into
deterministic finite automata, combining these automata into a single
automaton and translating this automaton back into a regular expression.
Regular expressions and deterministic finite automata have the same
expressive power and can be translated into each other [98]. Let $RE(A)$ be the
translation from a deterministic finite automaton $A$ to an equivalent regular
expression $r$ and let $A_r$ be the deterministic finite automaton obtained by the
transformation of a regular expression $r$ into a deterministic finite automaton.
Next, we will give the translation of time constraints into deterministic
finite automata. But first, we give the formal definition of deterministic finite
automata and languages recognized by finite automata.
Definition 6.8.
A deterministic finite automaton (DFA) $A$ is a tuple $(S, \Sigma, T, s_0, F)$, where
- $S$ is a set of states;
- $\Sigma$ is a set of labels;
- $T : S \times \Sigma \to S$ is a transition function;
- $s_0$ is an initial state;
- $F \subseteq S$ is a set of final states.
The set of strings recognized by $A$ is given by
$L(A) = \{\alpha_1 \ldots \alpha_n \mid \exists s_1, \ldots, s_n \in S,\ s_n \in F,\ \forall j = 0 .. n-1 : (s_j, \alpha_{j+1}, s_{j+1}) \in T\}$
Lemma 6.1.
For each time constraint $tc$ there is a deterministic finite automaton $A_{tc}$
recognizing it.
Proof. The deterministic finite automata recognizing time constraints can be
built as follows:
$A_{\leq c} = (\{0, 1, \ldots, c+1\}, \{tick\}, \{(c+1, tick, c+1), (i, tick, i+1) \mid i = 0 \ldots c\}, \{0\}, \{0, 1, \ldots, c\})$
$A_{= c} = (\{0, 1, \ldots, c+1\}, \{tick\}, \{(c+1, tick, c+1), (i, tick, i+1) \mid i = 0 \ldots c\}, \{0\}, \{c\})$
$A_{\geq c} = (\{0, 1, \ldots, c\}, \{tick\}, \{(i, tick, i+1), (c, tick, c) \mid i = 0 \ldots c-1\}, \{0\}, \{c\})$
□
We now have a deterministic finite automaton $A_r$ corresponding to the
regular expression and a deterministic finite automaton $A_{tc}$ corresponding to
the time constraint. All we need to do is to build the product automaton, which
will recognize all interleavings of strings recognized by these two automata. The
following definition gives such a construction:
Definition 6.9.
Given two deterministic finite automata $A_r = (S_1, \Sigma_1, T_1, I_1, F_1)$ and $A_{tc} =
(S_2, \{tick\}, T_2, I_2, F_2)$, we define $A = A_r \times A_{tc}$ as $(S, \Sigma, T, I, F)$, where
- $S = S_1 \times S_2$;
- $\Sigma = \Sigma_1 \cup \{tick\}$;
- $T : S \times \Sigma \to S$ such that
  • $T((s_1, s_2), a) = (s_1', s_2)$ iff $s_1, s_1' \in S_1$, $s_2 \in S_2$ and $T_1(s_1, a) = s_1'$,
  • $T((s_1, s_2), tick) = (s_1, s_2')$ iff $s_1 \in S_1$, $s_2, s_2' \in S_2$ and $T_2(s_2, tick) = s_2'$;
- $I = I_1 \times I_2$;
- $F = F_1 \times F_2$.
Lemma 6.2.
Let $A_r$ be a DFA obtained from a regular expression $r$ that does not mention $tick$, and $A_{tc}$ be the DFA obtained from a time constraint $tc$. Then $A_r \times A_{tc}$ is a deterministic finite automaton.
Proof. The alphabet of $A_r$ does not intersect with the one of $A_{tc}$. Both $A_r$ and $A_{tc}$ are deterministic, so for each $(s_1, s_2)$ in $S$ there is at most one outgoing arrow for each element of $\Sigma_1$ and at most one outgoing arrow labelled by $tick$. □
168 Timed Verification with µCRL
Lemma 6.3.
Let $w, i, k$ be some sequence, $r$ be a regular expression, $tc$ be a time constraint, $A_{tc}$ be a DFA recognizing $tc$ and $A_r$ be a DFA recognizing $r$. Then $w, i, k \models_R^{\backslash tick} r$ and $w, i, k \models tc$ iff $w, i, k \models_R r'$, where $r' = R(A_r \times A_{tc})$.
Proof. Straightforward. □
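The constructions of Lemma 6.1, Definition 6.9 and Lemma 6.3 can be exercised directly. The following Python script is an added example, not code from the thesis or the µCRL toolset: it builds the tick-counting DFAs $A_{\leq c}$, $A_{=c}$ and $A_{\geq c}$ exactly as in the proof of Lemma 6.1, takes the product of Definition 6.9 with a small hand-written DFA `A_R` for the constructed regular expression `send . retry* . ack` (the conversion of an arbitrary regular expression into a DFA is not reimplemented here), and checks Lemma 6.3 by comparing acceptance in the product against the tick-free projection plus a tick count. The action names and the automaton `A_R` are assumptions made for the example.

```python
from itertools import product

def dfa(states, alphabet, trans, initial, finals):
    """A DFA as a plain dict. trans maps (state, label) -> state and may be
    partial: a missing pair stands for a transition into an implicit sink."""
    return {"S": set(states), "Sigma": set(alphabet), "T": dict(trans),
            "s0": initial, "F": set(finals)}

def tc_automaton(op, c):
    """The automata of Lemma 6.1 for the constraints <= c, = c and >= c.
    States count ticks seen so far; c+1 (resp. c) is a saturating state."""
    if op in ("<=", "=="):
        states = range(c + 2)
        trans = {(i, "tick"): i + 1 for i in range(c + 1)}
        trans[(c + 1, "tick")] = c + 1
        finals = range(c + 1) if op == "<=" else {c}
    elif op == ">=":
        states = range(c + 1)
        trans = {(i, "tick"): i + 1 for i in range(c)}
        trans[(c, "tick")] = c
        finals = {c}
    else:
        raise ValueError("unknown time constraint " + op)
    return dfa(states, {"tick"}, trans, 0, finals)

def product_dfa(a_r, a_tc):
    """Definition 6.9: actions move the first component, tick the second."""
    assert "tick" not in a_r["Sigma"]          # hypothesis of Lemma 6.2
    states = set(product(a_r["S"], a_tc["S"]))
    trans = {}
    for (s1, s2) in states:
        for a in a_r["Sigma"]:
            if (s1, a) in a_r["T"]:
                trans[((s1, s2), a)] = (a_r["T"][(s1, a)], s2)
        if (s2, "tick") in a_tc["T"]:
            trans[((s1, s2), "tick")] = (s1, a_tc["T"][(s2, "tick")])
    return dfa(states, a_r["Sigma"] | {"tick"}, trans,
               (a_r["s0"], a_tc["s0"]), set(product(a_r["F"], a_tc["F"])))

def accepts(a, word):
    """Run the DFA on a list of labels; a missing transition rejects."""
    s = a["s0"]
    for x in word:
        if (s, x) not in a["T"]:
            return False
        s = a["T"][(s, x)]
    return s in a["F"]

# Constructed action DFA for r = send . retry* . ack (an assumption of the
# example, standing in for the DFA obtained from a regular expression).
A_R = dfa({0, 1, 2}, {"send", "retry", "ack"},
          {(0, "send"): 1, (1, "retry"): 1, (1, "ack"): 2}, 0, {2})

def satisfies(word, op, c):
    """Left-hand side of Lemma 6.3 read operationally: is the interleaved
    word in L(A_r x A_tc)?"""
    return accepts(product_dfa(A_R, tc_automaton(op, c)), word)

def satisfies_directly(word, op, c):
    """Right-hand side of Lemma 6.3: tick-free projection in L(A_r) and the
    number of ticks meets the constraint."""
    ticks = word.count("tick")
    untimed = [x for x in word if x != "tick"]
    meets_tc = {"<=": ticks <= c, "==": ticks == c, ">=": ticks >= c}[op]
    return accepts(A_R, untimed) and meets_tc

def lemma_6_3_holds(max_len=4, max_c=3):
    """Exhaustively compare both sides on all words up to max_len."""
    alphabet = sorted(A_R["Sigma"] | {"tick"})
    for n in range(max_len + 1):
        for word in product(alphabet, repeat=n):
            for op in ("<=", "==", ">="):
                for c in range(max_c + 1):
                    if satisfies(list(word), op, c) != satisfies_directly(list(word), op, c):
                        return False
    return True

if __name__ == "__main__":
    print(satisfies(["send", "tick", "tick", "ack"], "<=", 2))   # True
    print(satisfies(["send", "tick", "tick", "ack"], "<=", 1))   # False
    print(lemma_6_3_holds())                                    # True
```

`satisfies` and `satisfies_directly` agree on every word, which is the content of Lemma 6.3; the product is deterministic by construction because `tick` does not occur in the alphabet of `A_R`, as Lemma 6.2 requires.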
We can now define the translation of regular LTL with time to regular LTL with tick.
Definition 6.10.
The function $T$ translating a formula $\phi$ of regular LTL with time to a formula of regular LTL with tick is given by:
\[
\begin{aligned}
T(\top) &= \top \\
T(\neg\phi) &= \neg T(\phi) \\
T(\psi \vee \phi) &= T(\psi) \vee T(\phi) \\
T(\psi\, U(r)_{tc}\, \phi) &= T(\psi)\, U(r')\, T(\phi)
\end{aligned}
\]
where $r' = R(A_r \times A_{tc})$.
This translation preserves satisfaction:
Lemma 6.4.
For an LTS $\mathcal{T} = (S, Lab, \to, s_0)$ and a formula $\phi$ of regular LTL with time, we have
\[
\mathcal{T} \models_{tick} \phi \iff \mathcal{T} \models T(\phi).
\]
Proof. The proof is by induction on the structure of the formula. The induction hypothesis is given by the following:
\[
\mathcal{T} \models_{tick} \phi \iff \mathcal{T} \models T(\phi) \qquad (1)
\]
(1) can be reformulated as:
\[
w, i \models_{tick} \phi \text{ implies } w, i \models T(\phi) \qquad (2)
\]
and
\[
w, i \models T(\phi) \text{ implies } w, i \models_{tick} \phi \qquad (3)
\]
for every sequence $w, i$.
The base case is for $\phi$ being $\top$: $w, i \models_{tick} \top$ and $w, i \models \top$, and thus $w, i \models T(\top)$.
We proceed by considering the inductive step. Let $\psi$ and $\phi$ be two temporal formulas satisfying the induction hypothesis. We have to show that each of the formulas $\neg\phi$, $\psi \vee \phi$ and $\psi\, U(r)_{tc}\, \phi$ satisfies the hypothesis.
Case: $\neg\phi$
Assume that $w, i \models_{tick} \neg\phi$. By Def. 6.7, this implies $w, i \not\models_{tick} \phi$. By the contrapositive of (3), we can conclude that $w, i \not\models T(\phi)$, which by Def. 6.3 leads to $w, i \models \neg T(\phi)$. By Def. 6.10, this leads to $w, i \models T(\neg\phi)$.
Assume that $w, i \models T(\neg\phi)$. By Def. 6.10, $w, i \models \neg T(\phi)$. By Def. 6.3, this implies $w, i \not\models T(\phi)$. By the contrapositive of (2), we can conclude that $w, i \not\models_{tick} \phi$. By Def. 6.7, this leads to $w, i \models_{tick} \neg\phi$.
Case: $\psi \vee \phi$
Assume that $w, i \models_{tick} \psi \vee \phi$. By Def. 6.7, this implies $w, i \models_{tick} \psi$ or $w, i \models_{tick} \phi$. By (2), we can conclude that $w, i \models T(\psi)$ or $w, i \models T(\phi)$. By Def. 6.3, this leads to $w, i \models T(\psi) \vee T(\phi)$. By Def. 6.10, $T(\psi \vee \phi) = T(\psi) \vee T(\phi)$, so $w, i \models T(\psi \vee \phi)$.
Assume that $w, i \models T(\psi \vee \phi)$. By Def. 6.10, this implies $w, i \models T(\psi) \vee T(\phi)$. By Def. 6.3, $w, i \models T(\psi)$ or $w, i \models T(\phi)$. By (3), we obtain $w, i \models_{tick} \psi$ or $w, i \models_{tick} \phi$. By Def. 6.7, this leads to $w, i \models_{tick} \psi \vee \phi$.
Case: $\psi\, U(r)_{tc}\, \phi$
Assume that $w, i \models_{tick} \psi\, U(r)_{tc}\, \phi$. By Def. 6.7, this implies that there exists some $k \geq i$ such that
- $w, i, k \models_R^{\backslash tick} r$, and
- $w, i, k \models tc$, and
- $w, k+1 \models_{tick} \phi$, and
- for all $j : i \leq j \leq k$, $w, j \models_{tick} \psi$ holds.
By Lemma 6.3, $w, i, k \models_R^{\backslash tick} r$ and $w, i, k \models tc$ imply $w, i, k \models_R r'$. By (2), $w, k+1 \models_{tick} \phi$ leads to $w, k+1 \models T(\phi)$. Since $w, j \models_{tick} \psi$ holds for all $j : i \leq j \leq k$, $w, j \models T(\psi)$ holds by (2) for all $j : i \leq j \leq k$. By Def. 6.3, we can conclude that $w, i \models T(\psi)\, U(r')\, T(\phi)$, which leads to $w, i \models T(\psi\, U(r)_{tc}\, \phi)$ by Def. 6.10.
Assume that $w, i \models T(\psi\, U(r)_{tc}\, \phi)$. By Def. 6.10, this implies $w, i \models T(\psi)\, U(r')\, T(\phi)$. By Def. 6.3, this means that there exists some $k \geq i$ such that
- $w, i, k \models_R r'$, and
- $w, k+1 \models T(\phi)$, and
- for all $j : i \leq j \leq k$, $w, j \models T(\psi)$ holds.
By Lemma 6.3, $w, i, k \models_R r'$ implies $w, i, k \models_R^{\backslash tick} r$ and $w, i, k \models tc$. By (3), $w, k+1 \models T(\phi)$ leads to $w, k+1 \models_{tick} \phi$. Since $w, j \models T(\psi)$ holds for all $j : i \leq j \leq k$, $w, j \models_{tick} \psi$ holds by (3) for all $j : i \leq j \leq k$. By Def. 6.7, this leads to $w, i \models_{tick} \psi\, U(r)_{tc}\, \phi$.
From the considered cases, we conclude that $w, 1 \models_{tick} \phi \iff w, 1 \models T(\phi)$ for all paths $w$ of $\mathcal{T}$, i.e. $\mathcal{T} \models_{tick} \phi \iff \mathcal{T} \models T(\phi)$. □
6.7 Conclusion
In this chapter we proposed an approach to the specification and verification of timed systems within the untimed µCRL framework. The experimental results confirmed the usefulness of the approach.
Timed process algebras can be classified using three criteria. First, whether they use dense or discrete time. Second, whether they use absolute or relative time. Third, whether they use time progression constructs or time stamping of actions. For example, timed µCRL [76] uses absolute time and time stamping of actions, and leaves the choice between dense and discrete time open. Several versions of the process algebra ACP with time have been studied (e.g. [11, 10]). These algebras use an operator $\sigma$ to express time progression rather than an action. For example, the process $\sigma(P)$ in ACP with discrete relative time (ACP$_{drt}$ [10]) is intuitively the same as the process $tick.P$ in µCRL with the tick convention. For theoretical work the $\sigma$ operator is more convenient. For tool support the tick action is easier, because we do not need to implement the operator and can stay within the µCRL framework.
The use of the tick action results in a time semantics which is similar to the semantics used in other tools, such as DTSpin [24] and ObjectGeode [132]. However, the input languages of those tools are restricted to one particular message passing model, whereas in µCRL we are free to use whatever model we want. Moreover, Spin is restricted to LTL model checking, while in CADP, which serves as a back-end to µCRL, we can use the regular alternation-free µ-calculus.
It will be interesting to find out whether the framework presented in this chapter can be extended to provide tool support for timed µCRL. Another research topic is the development of time-specific optimization techniques, such as a tick-confluence based partial order method.
7 
Conclusion 
172 Conclusion 
In the introduction of this thesis, we posed several research questions. In this chapter, we show how we have answered these questions in this thesis.
Modelling time aspects
In Chapter 3, we considered the interpretation of time and timers supported by the commercial SDL design tools [166, 156] and the standard dynamic semantics of SDL [146]. In this interpretation, system time and the settings of timers are unbounded and timeouts are treated as messages, which leads to infinite systems in the context of enumerative model checking.
We proposed a transformation that substitutes traditional SDL timers by timer variables. Timers are set not to values expressing the moment of time at which the timer should expire, but to values expressing the delay left until the timer expires. This avoids unbounded timer settings, and thus eliminates the time-related factor leading to infinite systems. To reduce the size of systems further, timeouts are not placed into the input queues but modelled by timeout guards, so that there are fewer possible combinations of messages in the input queues.
We proved path equivalence up to stuttering between the original system and the transformed one, and thus showed that both positive and negative verification results can be safely transferred from the transformed system to the original one for all properties expressible by formulas of LTL-X. Each counterexample found in the transformed system can also be found in the original system, and all LTL-X formulas satisfied by the transformed system hold on the original one as well. This proof relates the implementation-oriented interpretation of time and timers in SDL to the verification-oriented interpretation of the same concepts in DTSpin, which can be considered an implementation of the "timers as variables" idea, and formally justifies the use of DTSpin for the verification of SDL specifications.
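As an added illustration of the "timers as variables" idea (example code written for this page, not the thesis's SDL transformation or DTSpin itself), the Python script below explores a constructed sender process with a single retransmission timer under both interpretations of time. Under the implementation-oriented interpretation the timer holds the absolute moment of expiry and a global clock advances on every tick, so the reachable state space is infinite; under the verification-oriented interpretation the timer holds the delay left, and the same process has exactly $D + 2$ reachable states for delay $D$. The process, its actions, the delay `D` and the urgency rule for timeouts (an expired timer must fire before time may progress, so `tick` is disabled while a timeout is enabled) are assumptions of the example.

```python
from collections import deque

# Constructed toy process (an assumption of the example):
#   idle  --send-->     wait   timer set with delay D
#   wait  --ack-->      idle   timer reset
#   wait  --timeout-->  wait   timer set again (retransmission)
#   tick: one time unit elapses; tick is disabled while a timeout is enabled
#         (timeouts are urgent), which is the only priority rule assumed here.

def step_absolute(state, D):
    """Successors under 'timer = absolute expiry moment' with a global clock.
    State: (location, now, expiry-or-None)."""
    loc, now, expiry = state
    succ = []
    if loc == "idle":
        succ.append(("wait", now, now + D))          # send: expire at now + D
    else:
        succ.append(("idle", now, None))             # ack: reset the timer
        if expiry <= now:
            succ.append(("wait", now, now + D))      # timeout: retransmit
    timeout_enabled = loc == "wait" and expiry <= now
    if not timeout_enabled:
        succ.append((loc, now + 1, expiry))          # tick: the clock never wraps
    return succ

def step_relative(state, D):
    """Successors under 'timer = delay left' (timers as variables).
    State: (location, left-or-None); a timeout guard is 'left == 0'."""
    loc, left = state
    succ = []
    if loc == "idle":
        succ.append(("wait", D))                     # send: D units left
    else:
        succ.append(("idle", None))                  # ack: timer inactive
        if left == 0:
            succ.append(("wait", D))                 # timeout guard fires
    timeout_enabled = loc == "wait" and left == 0
    if not timeout_enabled:
        succ.append((loc, None if left is None else left - 1))   # tick
    return succ

def reachable(initial, step, D, max_depth=None):
    """Breadth-first state space exploration. max_depth bounds the search,
    which is needed for the absolute model because its state space is infinite."""
    seen = {initial}
    frontier = deque([(initial, 0)])
    while frontier:
        state, depth = frontier.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for nxt in step(state, D):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return seen

def reachable_relative(D):
    """Finite: ('idle', None) plus ('wait', d) for d in 0..D, i.e. D + 2 states."""
    return reachable(("idle", None), step_relative, D)

def reachable_absolute(D, max_depth):
    """Grows without bound in max_depth because 'now' does."""
    return reachable(("idle", 0, None), step_absolute, D, max_depth)

if __name__ == "__main__":
    print(len(reachable_relative(3)))       # 5
    for depth in (4, 8, 16):
        print(depth, len(reachable_absolute(3, depth)))
```

The relative model is a finite-state system whose size depends only on the largest timer setting, which is what makes enumerative model checking of the transformed system possible; the absolute model keeps growing with the exploration depth, which is the infinite-system problem the transformation removes.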
Abstracting timers
The correct functionality of reactive systems often depends on time constraints that are modelled by timers. In practice, it can be important to know whether the system works correctly for all settings of a timer that satisfy some condition, which is a parameterized problem. Solving this problem by model checking is in general impossible. In a number of cases, we can apply abstractions to obtain a finite-state model for a parameterized system.
In Chapter 4, we considered time constraints of the form "settings of a timer are larger than or equal to some k". We proposed a timer abstraction that allows a family of finite-state systems satisfying such a constraint to be expressed by a single finite-state system. We showed that the abstract system can safely be used for verification purposes: any property that can be expressed by a formula of the universal fragment of the µ-calculus and is satisfied on the abstract system also holds on each system of the family.
The timer abstraction turned out to be useful for the verification of a wide range of properties, in particular safety properties. However, when checking some liveness properties with the timer abstraction, we encountered false negatives: DTSpin reported that the properties were violated and provided counterexample traces that are not present in any of the original systems. To get rid of these traces, we imposed a strong fairness constraint on the abstract system. However, imposing the strong fairness constraint caused a noticeable growth of the state space. Due to the fact that the timer abstraction introduces a self-loop, it was possible to reduce the strong fairness constraint to a weak fairness constraint. Further, we embedded the weak fairness constraint into the verification algorithm.
The experiments that we performed on PAR and BRP showed that reducing to the weak fairness constraint and further embedding weak fairness into the verification algorithm are much more efficient in the context of enumerative model checking than imposing the strong fairness constraint. We plan to extend the approach to handle not only timer abstractions but also more general data abstractions that introduce self-loops.
Closing open systems
Model checkers usually do not work with open systems. Therefore, the step that follows decomposing a system into components is closing the components with some environment. Closing, when done manually, is slow and error-prone. In Chapter 5, we provided an approach to the automatic closing of open asynchronous timed systems with the most general, chaotic, environment. The approach goes beyond [151] in providing a more refined abstraction, which gives fewer false negatives in the verification.
The approach involves static analysis, abstraction and program transformation. To close a system, we need to differentiate variable instances (variables at locations) that are definitely influenced by the environment, variable instances that are definitely not influenced by the environment, and variable instances whose values depend on the system run. For this purpose, we combine a may-analysis, marking variable instances potentially influenced by the environment, with a must-analysis, marking variable instances definitely influenced by the environment. Further, we abstract the infinity of data from the environment into a single abstract value. For timers, we use a more complex, three-valued, abstraction. By abstracting data coming from the environment, we eliminate one factor causing state explosion.
After the combined analysis and abstraction, we provide a program transformation that closes the system by embedding the behaviour of the environment into the system. The transformation is based on the results of the combined analysis. It removes all manipulations of data that are definitely influenced by the environment. The rest of the data is treated dynamically. Embedding excludes asynchronous communication between the system and its environment and thus eliminates another factor causing state explosion.
Embedding is done in such a way that the closed system shows more behaviour than the original one. This claim is justified by a proof showing that for every trace of the original system there is a trace in the closed system with the same stuttering-free projection. This gives us preservation of the properties expressed by formulas of LTL-X mentioning only variables not influenced by the environment, in the direction from the closed system to the original one. Therefore, the closed system may safely be used for verification.
We implemented the closing approach as a tool that automatically closes DTPROMELA translations of SDL specifications. The prototype implementation is based on may-analysis only, which gives a less refined abstraction than the one based on the combined analysis. In future, we plan to extend the implementation with the combined analysis. The approach itself will be extended to deal with process creation and complex data types.
Reuse of untimed verification methods for timed verification
The specification language µCRL [78] (micro Common Representation Language) is a process algebraic language that covers both the data aspects and the behavioural aspects of reactive systems. The µCRL toolset [19] provides support for state space generation, abstraction and optimization prior to enumerative model checking, which can be performed with the CADP toolset [65].
In Chapter 6, we provided a framework that allows the existing untimed language and toolset to be used for timed verification without introducing any syntactical or semantical changes into the language and without modifying the toolset.
We restricted ourselves to relative discrete time. Time progression is modelled as a tick action that represents the elapsing of one unit of time. A timed parallel composition operator is defined in terms of basic µCRL operators. Time progression has the least priority in the system. This property, called maximal progress, is usually expressed by introducing priority operators. We avoid the introduction of new operators by providing a special specification discipline that allows us to stay within µCRL syntax and semantics.
The proposed discrete-time semantics is suitable to express time aspects and to analyse time properties of a large class of reactive systems. We justified the usefulness of our approach by verification experiments on µCRL specifications of the positive acknowledgment retransmission protocol (PAR) [155] and the bounded retransmission protocol (BRP) [100], whose behaviour depends on the timers' settings.
To express not only qualitative but also quantitative timed properties of systems, we introduced an LTL-like action-based timed temporal logic and showed how to encode its time constraints with the use of tick, which results in untimed temporal formulas. These formulas can then be translated to the regular alternation-free µ-calculus and checked with the µCRL and CADP toolsets.
The LTL-like action-based timed temporal logic together with the specification discipline provide the framework for timed verification with the untimed µCRL and CADP toolsets. In future, we are interested in applying this framework to the verification of real industrial systems. Another direction for future work is the development of time-specific optimization techniques.
176 Bibliography 
References
1. R. Alur. Timed automata. In Proc. of CAV'99, volume 1633 of Lecture Notes in Computer Science, pages 8-22. Springer-Verlag, 1999.
2. R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, 1994.
3. R. Alur and T. A. Henzinger. Logics and models of real time: A survey. In Proc. of the Real-Time: Theory in Practice, REX Workshop, pages 74-106. Springer-Verlag, 1992.
4. R. Alur and T. A. Henzinger. Reactive modules. In Proc. of LICS'96, pages 207-218. IEEE Computer Society Press, July 1996.
5. R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. In Proc. of the IEEE Symposium on Foundations of Computer Science, Florida, Oct. 1997.
6. R. Alur, T. A. Henzinger, F. Y. C. Mang, S. Qadeer, S. K. Rajamani, and S. Tasiran. Mocha: Modularity in model checking. In A. J. Hu and M. Y. Vardi, editors, Proc. of CAV'98, volume 1427 of Lecture Notes in Computer Science, pages 521-525. Springer-Verlag, 1998.
7. K. Apt and D. Kozen. Limits for automatic verification of finite-state systems. Information Processing Letters, 22(6):307-309, 1986.
8. T. Arts and I. A. van Langevelde. Correct performance of transaction capabilities. In Proc. of 2nd Conference on Applications of Concurrency to System Design (ICACSD'2001), Newcastle upon Tyne, UK, pages 35-42. IEEE Computer Society Press, 2001.
9. The ATM Forum. http://www.atmforum.com, 2000.
10. J. C. M. Baeten and J. A. Bergstra. Discrete time process algebra. Formal Aspects of Computing, 8(2):188-208, 1996.
11. J. C. M. Baeten and C. A. Middelburg. Process algebra with timing: Real time and discrete time. In Bergstra et al. [17].
12. J. C. M. Baeten and W. P. Weijland. Process Algebra. Cambridge Tracts in Theoretical Computer Science, 18, 1990.
13. T. Basten. Branching bisimilarity is an equivalence indeed! Information Processing Letters, 58(3):141-147, 1996.
14. K. Baukus, Y. Lakhnech, and K. Stahl. Verification of parameterized protocols. Journal of Universal Computer Science, 7(2):141-158, 2001.
15. G. Behrmann, A. David, K. G. Larsen, O. Möller, P. Pettersson, and W. Yi. UPPAAL - present and future. In Proc. of 40th IEEE Conference on Decision and Control. IEEE Computer Society Press, 2001.
16. J. A. Bergstra, C. A. Middelburg, and Y. S. Usenko. Discrete time process algebra and the semantics of SDL. In J. A. Bergstra, A. Ponse, and S. A. Smolka, editors, Handbook of Process Algebra, pages 1209-1268. Elsevier Science BV, 2001.
17. J. A. Bergstra, A. Ponse, and S. A. Smolka, editors. Handbook of Process Algebra. Elsevier, 2001.
18. M. Bezem and J. F. Groote. Invariants in process algebra with data. In Proc. of Concurrency Theory (CONCUR'94), pages 401-416. Springer-Verlag, 1994.
19. S. C. C. Blom, W. J. Fokkink, J. F. Groote, I. A. van Langevelde, B. Lisser, and J. C. van de Pol. µCRL: a toolset for analysing algebraic specifications. In G. Berry, H. Comon, and A. Finkel, editors, Proc. of 13th Conference on Computer Aided Verification (CAV'01), Paris, France, volume 2102 of Lecture Notes in Computer Science, pages 250-254. Springer-Verlag, 2001.
20. S. C. C. Blom, N. Ioustinova, and N. Sidorova. Timed verification with µCRL. In M. Broy and A. Zamulin, editors, Proc. of the 5th Int. Conf. Perspectives of System Informatics, volume 2890 of Lecture Notes in Computer Science, pages 178-192. Springer, 2003.
21. S. C. C. Blom and J. C. van de Pol. State space reduction by proving confluence. In E. Brinksma and K. Larsen, editors, Computer Aided Verification: 14th Int. Conference, CAV 2002, Copenhagen, Denmark, July 2002, Proc., volume 2404 of Lecture Notes in Computer Science, pages 596-609. Springer-Verlag, 2002.
22. D. Bosnacki. Partial-order reduction in presence of rendez-vous communication with unless constructs and weak fairness. In D. Dams, R. Gerth, S. Leue, and M. Massink, editors, Theoretical and Practical Aspects of SPIN Model Checking, 5th and 6th Int. SPIN Workshops, volume 1680 of Lecture Notes in Computer Science. Springer-Verlag, 1999.
23. D. Bosnacki. Enhancing State Space Reduction Techniques for Model Checking. PhD dissertation, Eindhoven University of Technology, 2001.
24. D. Bosnacki and D. Dams. Integrating real time into Spin: A prototype implementation. In S. Budkowski, A. Cavalli, and E. Najm, editors, Proc. of Formal Description Techniques and Protocol Specification, Testing, and Verification (FORTE/PSTV'98). Kluwer Academic Publishers, 1998.
25. D. Bosnacki, D. Dams, L. Holenderski, and N. Sidorova. Verifying SDL in Spin. In S. Graf and M. Schwartzbach, editors, TACAS 2000, volume 1785 of Lecture Notes in Computer Science. Springer-Verlag, 2000.
26. D. Bosnacki, N. Ioustinova, and N. Sidorova. Using fairness to make abstractions work. In S. Graf and L. Mounier, editors, Proc. of the 11th Int. SPIN Workshop on Model Checking of Software, volume 2989 of Lecture Notes in Computer Science, pages 198-215. Springer, 2004.
27. M. Bozga, J. C. Fernandez, and L. Ghirvu. State space reduction based on Live. In A. Cortesi and G. Filé, editors, Proc. of SAS'99, volume 1694 of Lecture Notes in Computer Science. Springer-Verlag, 1999.
28. M. Bozga, J. C. Fernandez, L. Ghirvu, S. Graf, J. P. Krimm, and L. Mounier. IF: An intermediate representation and validation environment for timed asynchronous systems. In J. Wing, J. Woodcock, and J. Davies, editors, Proc. of Symposium on Formal Methods (FM'99), volume 1708 of Lecture Notes in Computer Science. Springer-Verlag, Sept. 1999.
29. M. Bozga, O. Maler, and S. Tripakis. Efficient verification of timed automata using dense and discrete time semantics. In T. Kropf and L. Pierre, editors, Proc. of CHARME'99, volume 1703 of Lecture Notes in Computer Science, pages 125-141. Springer, September 1999.
30. M. Broy. Towards a formal foundation of the Specification and Description Language SDL. Formal Aspects of Computing, 3:21-57, 1991.
31. M. Broy, F. Dederichs, C. Dendorfer, M. Fuchs, T. F. Gritzner, and R. Weber. The design of distributed systems - an introduction to FOCUS. Technical Report TUM-I9202-2, Institut für Informatik, Technische Universität München, 1993.
32. R. E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Trans. Comput., C-35(8):677-691, Aug. 1986.
33. BS 7925-2, Software Testing. Software Component Testing. BCS SIGIST, 1998.
34. J. R. Büchi. On a decision method in restricted second order arithmetic. In Proc. of the Int. Congress on Logic, Methodology and Philosophy of Science, pages 1-11. Stanford University Press, 1960.
35. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. In Proc. of the Fifth Annual IEEE Symposium on Logic in Computer Science, pages 1-33, Washington, D.C., 1990. IEEE Computer Society Press.
36. Y. Choueka. Theories of automata on ω-tapes: a simplified approach. Journal of Computer and System Sciences, 8:117-141, 1974.
37. A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: A new symbolic model checker. International Journal on Software Tools for Technology Transfer, 2(4):410-425, 2000.
38. E. M. Clarke and E. A. Emerson. Design and synthesis of synchronisation skeletons using branching time temporal logic specifications. In D. Kozen, editor, Proc. of the Workshop on Logic of Programs 1981, volume 131 of Lecture Notes in Computer Science, pages 52-71. Springer-Verlag, 1982.
39. E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, 1986.
40. E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In Int. Conference on Computer Aided Verification (CAV'00), volume 1855 of Lecture Notes in Computer Science. Springer, 2000.
41. E. M. Clarke, O. Grumberg, and D. Long. Model checking and abstraction. ACM Transactions on Programming Languages and Systems, 16(5):1512-1542, 1994. A preliminary version appeared in the Proceedings of POPL'92.
42. E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.
43. E. M. Clarke and J. M. Wing. Formal methods: State of the art and future directions. ACM Computing Surveys, Dec. 1996. Also available as Carnegie Mellon University technical report CMU-CS-96-178.
44. C. Colby, P. Godefroid, and L. J. Jagadeesan. Automatically closing open reactive programs. In Proc. of the 1998 ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM Press, 1998.
45. C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memory-efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1:275-288, 1992.
46. P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. of POPL'77. ACM, January 1977.
47. D. Dams. Abstract Interpretation and Partition Refinement for Model Checking. PhD dissertation, Eindhoven University of Technology, July 1996.
48. D. Dams. Abstraction in software model checking: Principles and practice (tutorial overview and bibliography). In Proc. of the 9th International SPIN Workshop on Model Checking of Software, pages 14-21. Springer-Verlag, 2002.
49. D. Dams and R. Gerth. The bounded retransmission protocol revisited. Electronic Notes in Theoretical Computer Science, 9, 1999.
50. D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems: Abstraction preserving ∀CTL*, ∃CTL*, and CTL*. In E.-R. Olderog, editor, Proc. of PROCOMET'94. IFIP, North-Holland, June 1994.
51. D. Dams, R. Gerth, and O. Grumberg. Abstract interpretation of reactive systems. ACM Transactions on Programming Languages and Systems (TOPLAS), 19(2), 1997.
52. P. R. D'Argenio, J. P. Katoen, T. C. Ruys, and J. Tretmans. The bounded retransmission protocol must be on time! In Proc. of the Third Int. Workshop on Tools and Algorithms for the Construction and Analysis of Systems, pages 416-431. Springer-Verlag, 1997.
53. B. A. Davey and H. A. Priestley. Introduction to Lattices and Order. Cambridge University Press, 1990.
54. P. F. G. Dechering and I. A. van Langevelde. The verification of coordination. In A. Porto and G. C. Roman, editors, Proc. of 4th Conference on Coordination Languages and Models (COORDINATION'2000), volume 1906 of Lecture Notes in Computer Science, pages 335-340. Springer-Verlag, 2000.
55. Discrete-time Spin. http://win.tue.nl/~dragan/DTSpin.html, 2000.
56. M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Patterns in property specifications for finite-state verification. In Proc. of the 21st International Conference on Software Engineering, pages 411-420. IEEE Computer Society Press, 1999.
57. M. B. Dwyer and J. Hatcliff. Slicing software for model construction. In Proc. of the ACM SIGPLAN Workshop on Partial Evaluation and Semantics-Based Program Manipulation (PEPM'99), Jan. 1999.
58. M. B. Dwyer and C. S. Pasareanu. Filter-based model checking of partial systems. In Proc. of the 6th ACM SIGSOFT Symposium on the Foundations of Software Engineering (SIGSOFT'98), pages 189-202, 1998.
59. M. B. Dwyer and D. Schmidt. Limiting state explosion with filter-based refinement. In Proc. of the 1st International Workshop on Verification, Abstract Interpretation, and Model Checking, Oct. 1997.
60. E. A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B: Formal Models and Semantics, pages 995-1072. Elsevier, 1990.
61. E. A. Emerson and E. M. Clarke. Using branching time temporal logic to synthesize synchronisation skeletons. Science of Computer Programming, 2:241-266, 1982.
62. E. A. Emerson and J. Y. Halpern. "Sometimes" and "not never" revisited: On branching versus linear time. Journal of the ACM, 33(1):151-178, 1986.
63. E. A. Emerson and C.-L. Lei. Modalities for model checking: Branching time strikes back. Science of Computer Programming, 8:275-306, 1987.
64. R. Eschbach, U. Glässer, R. Gotzhein, and A. Prinz. On the formal semantics of SDL-2000: a compilation approach based on an abstract SDL machine. In Y. Gurevich, editor, Proc. ASM 2000, volume 1912 of Lecture Notes in Computer Science, pages 242-265, 2000.
65. J. C. Fernandez, H. Garavel, A. Kerbrat, R. Mateescu, L. Mounier, and M. Sighireanu. CADP: A protocol validation and verification toolbox. In Proc. of the 8th Conference on Computer-Aided Verification (New Brunswick, New Jersey, USA), pages 437-440, 1996.
66. J. Fischer and E. Dimitrov. Verification of SDL protocol specifications using extended Petri nets. In Proc. of the Workshop on Petri Nets and Protocols of the 16th Intern. Conf. on Application and Theory of Petri Nets, pages 1-12, 1995.
67. W. J. Fokkink, N. Ioustinova, E. Kesseler, J. C. van de Pol, Y. Usenko, and Y. A. Yushtein. Refinement and verification applied to an in-flight data acquisition unit. In L. Brim, P. Jančar, M. Křetínský, and A. Kučera, editors, Proc. of 13th Conference on Concurrency Theory - CONCUR'02, Brno, volume 2421 of Lecture Notes in Computer Science, pages 1-23. Springer, 2002.
68. N. Francez. Fairness. Springer-Verlag New York, Inc., 1986.
69. M. M. Gallardo, J. Martínez, P. Merino, and E. Pimentel. aSPIN: Extending SPIN with abstraction. In Proc. of 9th Int. SPIN Workshop, Grenoble, France, 2002, volume 2318 of Lecture Notes in Computer Science, pages 254-258, 2002.
70. R. J. van Glabbeek and W. P. Weijland. Branching time and abstraction in bisimulation semantics. J. ACM, 43(3):555-600, 1996.
71. R. J. van Glabbeek. The linear time - branching time spectrum. In J. C. M. Baeten and J. W. Klop, editors, CONCUR'90. Theories of Concurrency: Unification and Extension, volume 458 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
72. R. J. van Glabbeek. The linear time - branching time spectrum II. In Proc. of CONCUR'93, volume 715 of Lecture Notes in Computer Science, pages 66-81, 1993.
73. R. J. van Glabbeek. What is branching time semantics and why to use it? In M. Nielsen, editor, Bulletin of the EATCS 53, pages 190-198, 1994.
74. P. Godefroid. Using partial orders to improve automatic verification methods. In E. M. Clarke and R. P. Kurshan, editors, Computer Aided Verification 1990, volume 531 of Lecture Notes in Computer Science, pages 176-185. Springer-Verlag, 1991.
75. S. Graf. Verification of a distributed cache memory by using abstractions. In Workshop on Computer-Aided Verification, CAV'94, Stanford, volume 818 of Lecture Notes in Computer Science. Springer-Verlag, 1994.
76. J. F. Groote. The syntax and semantics of timed µCRL. Technical Report SEN-R9709, CWI, Amsterdam, 1997.
77. J. F. Groote, J. Pang, and A. G. Wouters. A balancing act: Analyzing a distributed lift system. In S. Gnesi and U. Ultes-Nitsche, editors, Proc. of 6th Workshop on Formal Methods for Industrial Critical Systems (FMICS'2001), Paris, France, pages 1-12, 2001.
78. J. F. Groote and M. Reniers. Algebraic process verification. In Bergstra et al. [17], pages 1151-1208.
79. J. F. Groote and M. P. A. Sellink. Confluence for process verification. Theoretical Computer Science, 170:47-81, 1996.
80. J. F. Groote and J. C. van de Pol. A bounded retransmission protocol for large data packets. In M. Wirsing and M. Nivat, editors, Algebraic Methodology and Software Technology (AMAST'96), volume 1101 of Lecture Notes in Computer Science. Springer, 1996.
81. J. F. Groote and J. C. van de Pol. State space reduction using partial τ-confluence. In M. Nielsen and B. Rovan, editors, Proc. of MFCS 2000, volume 1893 of Lecture Notes in Computer Science, pages 383-393. Springer, 2000.
82. J. F. Groote and J. J. van Wamel. Analysis of three hybrid systems in timed µCRL. Science of Computer Programming, 39:215-247, 2001.
83. R. Hardin, Z. Har'El, and R. P. Kurshan. COSPAN. In R. Alur and T. A. Henzinger, editors, Proc. of the 1996 Workshop on Computer-Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 423-427, 1996.
84. D. Hare! and M. Politi. Modeling Reactive Sys tems with Statecharts, The 
STATEM ATE Approach. McGraw-Hill , 1998. 
85 . M. S. Hecht . Flow Analysis of Programs. North-Holland , 1977. 
86. M. Hennessy and T. Regan. A process algebra for timed systems. Information 
and Computation, 117:221- 239, 1995. 
87. T. A. Benzinger, 0 . Kupferman, and R. Majumdar. On the universal and exis-
tential fragments of the mu-calculus. In Proceedings of the Ninth International 
Conference on Tools and Algorithms for the Construction and Analysis of Sys-
tems (TACAS) , volume 2619 of Lecture Notes in Computer Science, pages 49- 64, 
2003. 
88. T . A. Benzinger , Z. Manna, and A. Pnueli . What good are digital clocks? In 
W. Kuich , editor, !GA LP, volume 623 of Lecture Notes in Computer Science, 
pages 545- 558. Springer, 1992. 
89. T. A. Benzinger , Z. Manna, and A. Pnueli. Temporal proof methodologies for 
timed transition systems. Inf. Comput., 112(2):273- 337, 1994. 
90. U. Hinkel. Formale, semantische Fundierung und eine darauf abgestutzte Veri-
fikationsmethode fii,r SDL. PhD thesis, Tech. Univ. Miinchen , 1998. 
91. U. Hinkel. Verifica t ion of SDL specifications on the basis of stream semantics. In 
Y. Lahav, A. Wolisz, J. Fischer, and E. Holz , editors, Proc. of the l st Workshop 
of the SDL Forum Society on SDL and MSC (SAM'98}, pages 241- 250, 1998. 
92. E. Holz and K. St0len. An attempt to embed a restricted version of SDL as a 
target language to FOCUS. In S. Leue and D. Hogrefe, editors , Proc. of Forte '94 , 
pages 324- 339. Chapmann & Hall , 1994. 
93. G. J. Holzmann. The SPIN Model Checker: Primer and Reference Manual. 
Addison Wesley, 2003. 
94. G . J. Holzmann a nd J. Patti. Validating SDL specifications: an experiment . In 
E. Brinksma, editor, International Workshop on Protocol Specification , Testing 
and Verification IX (Twente, The Netherlands} , pages 317- 326. North-Holland , 
1989. IFIP TC-6 Int . Workshop. 
95. G. J. Holzmann and D. Peled. An improvement in formal verification . In 
D. Hogrefe and S. Leue, editors, Formal Description Techniques Vll, Proc. of 
the 7th !F!P WG6.1 Int. Conference on Formal Description Techniques, Berne, 
Switzerland, 1994 , volume 6 of !F!P Conference Proceedings. Chapman & Hall , 
1995. 
96. G . J. Holzmann , D. Peled , and M. Yannakakis. On nested depth-first search. In 
Second SPIN Workshop , pages 23- 32. AMS, 1996. 
97. J . Hooman and J. C. v. d . Pol. Formal verification of replicat ion on a distributed 
data space architecture. In Proc. of 17th Symposium on Applied Computing 
{SAC'2002} -Coordination Models, Languages and Applications, pages 351- 358. 
ACM Press, 2002. 
98. J.E. Hopcroft , R. Motwani, and J. D. Ullman. Introduction to Automata Theory, 
Languages, and Computations. Addison-Wesley, 2001. 
99. T. Huckle. Kleine BUGs, groe GAUs: Softwarefehler und ihre Folgen. 
http://www5.in . tum .de/ huckle/bugs .html . 
100. Infrared remote control system RC6. Philips Consumer Electronics B.V. , April 
1997. 
101. N. Ioustinova and N. Sidorova. Transformation of SDL specifications- a step 
towards the verification. In D. Bjorner, M. Broy, and A. Zamulin, editors, 
Post-proceedings of Andrei Ershov Fourth International Conference Perspectives 
182 Bibliography 
of System Informatics (PSI 01), volume 2244 of Lecture Notes in Computer 
Science, pages 64-78. Springer, 2001. 
102. N. Ioustinova, N. Sidorova, and M. Steffen. Abstraction and flow analysis for 
model checking open asynchronous systems. In Proc. of the 9th Asia Pacific 
Software Engineering Conference (APSEC 2002), pages 227-235. IEEE Com-
puter Society, 2002. 
103. N. Ioustinova, N. Sidorova, and M. Steffen. Closing open SDL-systems for model 
checking with DTSpin. In L. H. Eriksson and P.A. Lindsay, editors , FME 2002: 
Formal Methods - Getting IT Right, Proc. of Int. Symposium of Formal Methods 
Europe, FME 2002, volume 2391 of Lecture Notes in Computer Science, pages 
531-548. Springer , 2002. 
104. N. Ioustinova, N. Sidorova, and M. Steffen. Synchronous closing and flow ab-
straction for model checking timed systems. In Proc. of the Second Int. Sympo-
sium on Formal Methods for Components and Objects (FMC0'03), volume (to 
appear) of Lecture Notes in Computer Science. Springer, 2004. 
105. Integrated services digital networks (ISDN). ITU-I, 2000. 
106. R. Kaivola. Using compositional preorders in the verification of sliding window 
protocol. In Proceedings of 9th International Conference on Computer Aided 
Verification (CAV'99), volume 1663 of Lecture Notes in Computer Science, pages 
184- 195, 1999. 
107. Y. Kesten and A . Pnueli. Modularization and abstraction: the keys to practical 
formal verification. In L. Brim, J . Gruska, and J. Zlatuska, editors, Proc. of the 
23rd Int . Symposium on Mathematical Foundations of Computer Science, pages 
54- 71 , 1998. 
108. Y. Kesten and A. Pnueli. Control and data abstraction: The cornerstones of 
practical formal verification. Int . Journal on Software Tools for Technology 
Transfer, 2(4):328- 342, 2000. 
109. Y. Kesten and A. Pnueli. Verificat ion by augmented finitary abstraction. Infor-
mation and Computation, 163(1):203-243, 2000. 
110. Y. Kesten, A. Pnueli , and L. Raviv. Algorithmic verification of linear temporal 
logic specifications. In Automata, Languages and Programming, volume 1443 of 
Lecture Notes in Computer Science, pages 1-16. Springer , 1998. 
111. G. Kildall. A unified approach to global program optimization. In Proc. of 
POPL '73, pages 194- 206. ACM, January 1973. 
112. D. Kozen. Results on the propositional µ-calculus. Journal of Theoretical Com-
puter Science, 27:333- 354, 1983. 
113. S. Kripke. A semantical analysis of modal logic i: normal modal propositional 
caculi. In Zeitschriftfuer Mathematische Logik und Grundlagen der Mathematik, 
volume 9, pages 67- 96, 1963. 
114. R. Kuiper and W . P. de Roever. Fairness assumptions for CSP in a temporal 
logic framework . In D . Bjorner , editor, Proc . of the IFIP Working Conference on 
Formal Description of Programming Concepts-II, pages 159- 170. North-Holland 
Publishing Company, 1983. 
115. 0. Kupferman and M. Y. Vardi . Module checking revisited . In 0. Grumberg , 
editor , CAV '97, Proc. of the 9th Int . Conference on Computer-Aided Verifica-
tion, Haifa. Israel, volume 1254 of Lecture Notes in Computer Science. Springer, 
June 1997. 
116. 0 . Kupferman , M. Y. Vardi , and P . Wolper. Module checking. In R. Alur, 
editor, Proc. of CAV '96, volume 1102 of Lecture Notes in Computer Science, 
pages 75- 86, 1996. 
Bibliography 183 
117. L. Lamport. What good is temporal logic? In R. E . A. Mason , editor , Informa-
tion Processing 83, pages 657- 668. E lsevier Science Publishers B.V., 1983. 
118. L. Lamport. A fast mutual exclusion algorithm. A CM Transactions in Computer 
Systems, 5(1):1- 11 , 1987. 
119. K. Larsen, P . Peterson, and W. Yi. UPPAAL in the nutshell. Software Tools 
for Technology Transfer, 1(1):134- 152, 1997. 
120. 0 . Lichtenstein and A. Pnueli . Checking that finite state concurrent programs 
satisfy their linear specification. In Twelfth Annual Symposium on Principles 
of Programming Languages {POPL) (New Orleans, LA), pages 97- 107. ACM, 
1985. 
121. C. Loiseaux, S. Graf, J. Sifakis , A. Bouajjani , and S. Bensalem. Property pre-
serving abstractions for the verification of concurrent systems. Formal Methods 
in System Design, 6(1):11- 44, 1995. 
122. D. Long. Model Checking, Abstraction and Compositional Verification. PhD 
thesis , Carnegie Mellon University, 1993. 
123. B. D. Lubachevsky. An approach to automating the verification of compact 
parallel coordination programs i. Acta Inf. , 21:125- 169, 1984. 
124. K. L. MacMillan. Symbolic model checking:an approach to the state space explo-
sion problem. PhD thesis, Carnegie Mellon University, 1992. 
125. Z. Manna and A. Pnueli . Temporal verification of reactive systems: safety. 
Springer-Verlag New York, Inc. , 1995. 
126. R. Mateescu and M. Sighireanu. Efficient on-the-fly model-checking for regular 
aletrnation-free mu-calculus. In Proceedings of the 5th International Workshop 
on Formal Methods for Industrial Critical Systems, FMICS '2000, 2000. 
127. S. Merz. Model checking: a tutorial overview. Springer-Verlag New York , Inc., 
2001. 
128. L. I. Millet and T. Teitelbaum. Slicing Promela and its application to model 
checking, simulation, and protocol underst anding. In E . Najm, A. Serhrouchni , 
and G. Holzmann , editors, Electronic Proc. of the Fourth Int. SPIN Workshop, 
Paris, France, Nov. 1998. 
129. R. D. Nicola and F. Vaandrager. Three logics for branching bisimulation. Journal 
of the ACM(JACM), 42(2):458- 487, 1996. 
130. X. Nicollin and J. Sifakis. An overview and synthesis on timed process algebras. 
In Proc. of the Real-Time: Theory in Practice, REX Workshop , pages 526- 548. 
Springer-Verlag, 1992. 
131. F. Nielson , H. R. Nielson, and C. Hankin. Principles of Program Analysis. 
Springer-Verlag, 1999. 
132. ObjectGeode 4.0. http: I lwvrw. csverilog. corn/products/ geode . htm, 2003. 
133. A. Olsen , 0. Frergemand, B. M121ller-Pedersen , R. Reed , and J. R. W . Smith. 
System Engineering Using SDL-92. Elsevier Science, 1997. 
134. S. Owre, J .M. Rushby,, and N. Shankar. PVS: A prototype verification system. 
In D. Kapur, editor, 1 lth International Conference on Automated Deduction 
{CA DE), volume 607 of Lecture Notes in Artificial Intelligence, pages 748- 752, 
Saratoga, NY, jun 1992. Springer-Verlag. 
135. D. Peled. Combining partia l order reductions with on-the-fly model-checking. In 
Proceedings of the 6th International Conference on Computer Aided Verification, 
pages 377- 390. Springer-Verlag, 1994. 
136. W. Penczek, M. Szreter , R. Gerth, and R. Kuiper. Improving partial order 
reductions for universal branching time properties. Fundamenta Informaticae, 
43(1-4) :245- 267, 2000. 
184 Bibliography 
137. A. Pnueli. The temporal logic of programs. In 18th Annual Symposium on 
Foundations of Computer Science, pages 46- 57, 1977. 
138. A. Pnueli , J . Xu , and L. Zuck. Liveness with (0, 1, oo)-counter abstraction. In 
E. Brinksma and K. G. Larsen , editors, Computer Aided Verification : 14th Int. 
Conference, CAV 2002, Copenhagen, Denmark, July 27-31, 2002. Proc., volume 
2404 of Lecture Notes in Computer Science, pages 107 - 122. Springer , 2002. 
139. J . P. Queille and J . Sifakis . Specification and verification of concurrent systems 
in CESAR. In M. Dezani-Ciancaglini and U. Montanari, editors , Proc. of the 5th 
Int. Symposium on Programming 1981, volume 137 of Lecture Notes in Computer 
Science, pages 337-351. Springer-Verlag, 1982. 
140. Specification and Description Language SDL. CCITT, 1993. 
141. SDL combined with UML. ITU-T, 1999. 
142. Specification and Description Language SDL. ITU-T, 1999. 
143. SDL formal definition: Stat ic Semantics. ITU-T, 1993. 
144. SDL formal definition: Static Semantics. ITU-T, 2000. 
145. SDL formal definition: Dynamic Semantics. ITU-T, 1993. 
146. SDL formal definition: Dynamic Semantics. ITU-T, 2000. 
147. F. Regensburger and A. Barnard . Formal verification of SDL systems at the 
Siemens mobile phone department. In B. Steffen, editor, Proc. of Tools and 
Algorithms for the Construction and Analysis of Systems {TACAS'98) , volume 
1384 of Lecture Notes in Computer Science, pages 439-455. Springer , 1998. 
148. W . P. d. Roever , H. Langmaack, and A. Pnueli , editors. Compositionality: Th e 
Significant Difference, Proceedings of the International Symposium COMPOS 
'97, Malente, Germany, September 7- 12, 1997, volume 1536 of Lecture Notes in 
Computer Science. Springer Verlag, 1998. 
149. J. Rushby. Theorem proving for verification. In F . Cassez, C. J ard , B. Rozoy, and 
M. D. Ryan , editors , Modelling and Verification of Parallel Processes: MOVEP 
2000, number 2067 in Lecture Notes in Computer Science, pages 39-57, Nantes , 
France, June 2000. springer Verlag. 
150. S. Schneider. Concurrent and R eal-Time Systems: The CSP Approach. Wiley, 
2000. 
151. N. Sidorova and M. Steffen. Embedding chaos. In P . Cousot, editor, Proc. of 
the Bth Static Analysis Symposium {SAS 'Ol) , volume 2126 of Lecture Notes in 
Computer Science, pages 319- 334. Springer-Verlag, 2001. 
152. N. Sidorova and M. Steffen. Verifying large SDL-specifications using model 
checking. In R. Reed and J. Reed , editors, Proc. of 10th Int. SDL-Forum, Copen-
hagen, Denmark, volume 2078 of Lecture Notes in Computer Science, pages 
399- 416. Springer, June 2001. 
153. N. Sidorova and M. Steffen . Synchronous closing of timed SDL systems for model 
checking. In A. Cortesi, editor , Proc . of the Third Int . Workshop on Verification, 
Model Checking, and Abstract Interpretation (VMCAI) 2002, volume 2294 of 
Lecture Notes in Computer Science, pages 79- 93. Springer-Verlag, 2002. 
154. Spin. http: I /www . spinroot. com. 
155. A. S. Tanenbaum. Computer Networks. Prentice Hall International, Inc., 1981. 
156. Telelogic Malmi:i AB. SDT 3. 1 User Guide, SDT 3.1 Reference Manual. Telel-
ogic, 1997. 
157. Telelogic TAU SDL Suite. http: //www.telelogic. com/ products /sdl/, 2003. 
158. W . Thomas. Automata on infinite words. In J. van Leeuwen, editor, Handbook 
of Theoretical Computer Science, pages 133- 191. Elsevier , 1990. 
Bibliography 185 
159. F. Tip. A survey of program slicing techniques. Journal of Programming Lan-
guages, 3(3):121- 189, 1995. 
160. H . Tuominen. Embedding a dialect of SDL in Promela . In Proc. of 6th Int . 
SPIN Workshop , volume 1680 of Lecture Notes in Computer Science. Springer, 
1999. 
161. K. J. Turner. Using Formal Description Techniques : An Introduction to Estelle, 
Lotos, and SDL. John Wiley & Sons, Inc., 1993. 
162. Y. S. Usenko. Linearization in µCRL. PhD thesis, Technische Unversiteit Eind-
hoven, 2002. 
163. A. Valmari. A stubborn attack on state explosion. Formal Methods in System 
Design, 1992. Earlier version in the proceeding of CAY '90 Lecture Notes in 
Computer Science 531, Springer-Verlag 1991 , pp. 156- 165 and in Computer-
Aided Verification '90, DIMACS Series in Discrete Mathematics and Theoretical 
Computer Science Vol. 3, AMS & ACM 1991 , pp. 25- 41. 
164. J. C. van de Pol and M. Valero Espada. Formal specification of JavaSpaces 
architecture using µCRL. In F. Arbab and C. L. Talcott, editors, Proc. of 5th 
Conference on Coordination Languages and Models (COORDINATION'2002), 
volume 2315 of Lecture Notes in Computer Science, pages 274- 290. Springer-
Verlag, 2002. 
165. M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Information 
and Computation, 115(1):1- 37, 15 1994. 
166. Verilog. ObjectGEODE SDL Simulator - Reference Manual, 1996. 
167. Verifying industial reactive systems (VIRES), Esprit long-term research project 
LTR-23498. http: //radon . ics. ele. tue. nl/-vires/ , 1998-2000. 
168. W. Visser and H. Barringer. P ract ical CTL * model checking: Should SPIN 
be extended? International Journal on Software Tools for Technology Transfer, 
2(4):350- 365, 2000. 
169. A wireless ATM network demonstrator (WAND), ACTS project AC085. 
http : //www . tik . ee . ethz . ch/-wand/, 1998. 
170. Y. Wang. Real-time behaviour of asynchronous agents. In J. C. M. Baeten 
and J . W . Klop , editors, Theories of concurrency: unification and exten-
sion(CONCUR '90 ) , volume 458 of Lecture Notes in Computer Science, 1990. 
171 . P. Wolper . Expressing interesting properties of programs in propositional tempo-
ral logic. In Proc. of 13th ACM Symp. on Principles of Programming Languages, 
pages 184- 192 , St. Petersburgh , J anuary 1986. 
172. ITU-T Recommendation X.291-ISO / IEC 9646-2, Information Technology- Open 
Systems Interconnection- Conformance T esting Methodology and Framework-
Part 2: Abstract Test Specifications. 

Summary 
In this thesis, we present a number of techniques that facilitate the verification 
of reactive systems. A well-established formal technique for the verification 
of reactive systems is model checking, which is recognized both by industry 
and by the academic community. Since model checking is based on state space 
exploration, the stumbling block limiting its applicability is 
the state explosion problem. The techniques presented in this work were developed 
to alleviate this problem; they combine abstraction, static analysis and program 
transformation. 
Reactive systems are often timed systems, and timers are used to express the 
timing constraints imposed on a system. The interpretations of time and time 
constraints in the specification languages used by industry are mainly implementation-
oriented and unsuitable for verification purposes. SDL is a vivid representative 
of this class of implementation-oriented languages: time is modelled by 
an infinitely growing variable and timeouts are treated as messages. 
We propose a transformation that replaces traditional SDL timers by 
timer variables. The transformation makes it possible to avoid unbounded time settings 
and to optimize the size of the system by modelling timeouts as timeout guards. 
We justify that, for verification purposes, timers as variables can be used instead 
of traditional timers. We prove that the original and the transformed systems are re-
lated by path equivalence up to stuttering, which guarantees the preservation of 
both positive and negative verification results for properties that are expressible 
by formulas of the temporal logic LTL-X. 
The concept of timers as variables can be used successfully for timed veri-
fication in untimed verification frameworks, that is, frameworks that do not take time into ac-
count. As an example, we take the µCRL framework, which provides a language 
for the specification of reactive systems and a toolset for the generation and 
optimisation of state spaces. This framework was developed specifically to take 
data into account. We propose a specification discipline that makes it possible to use the 
untimed toolset and the untimed specification language for timed verification 
without introducing new constructs into the language and without modifying 
the toolset. We also introduce an LTL-like action-based timed temporal logic. 
The formulas of this logic can be translated into the regular alternation-free 
µ-calculus and model checked with the CADP toolset. Thus we obtain a pow-
erful framework for timed verification that covers both the time and the data aspects 
of reactive systems. 
In a number of practical examples, properties of reactive systems are ex-
pected to hold for all settings of timers that satisfy a certain condition. A typical 
example of such a condition is "for all settings of a timer larger than or equal to 
some k". Checking whether a property holds for all systems whose timer settings 
satisfy this condition would require an infinite number of iterations, so 
solving this problem directly by model checking is impossible. We propose 
a timer abstraction that represents the infinite family of finite state 
systems satisfying this condition by a single finite state system. We also show 
that properties that can be expressed by formulas of the universal fragment of 
the µ-calculus are preserved in the direction from the abstract system to the 
original one. This timer abstraction proves useful for the verification of 
a wide range of properties. However, it can give rise to false negatives when 
liveness properties are verified. The problem can be resolved by imposing a 
strong fairness condition on the abstract system, but imposing this strong fairness 
condition leads to a substantial growth of the state space. For the timer ab-
straction, we prove that the strong fairness condition can be brought down to 
a weak fairness condition. We demonstrate that the weak fairness condition 
can be built into the model checking algorithm implemented in Spin. Using 
the built-in weak fairness is much more efficient than using the strong fairness 
condition. 
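The timers-as-variables discipline and the timer abstraction with its fairness issue, as an added Python illustration that is not the thesis's own code: it builds the state graph of one process whose timeout is a guard on a timer variable, the single abstract graph standing for all settings d >= k (assuming an abstract value INF that on a tick either stays INF or drops to k-1), checks that the abstraction is a simulation, and shows that a liveness check on the abstract graph produces a false negative unless the tick-down transition is treated under weak fairness.

```python
"""Timer abstraction for "all settings d >= k" and the liveness/fairness
issue it raises.  Added illustration, not the thesis's own code: the process
(set a timer, wait for it to expire, reset) and the shape of the abstraction
(one value INF for all timer values >= k, which on a tick either stays INF or
drops to k-1) are assumptions made for this example."""

INF = "INF"   # abstract timer value standing for "any value >= k"

def _add(graph, s, label, t):
    graph.setdefault(s, []).append((label, t))

def concrete_system(d):
    """State graph of the process with timer setting d; states are (loc, timer).
    Timers are variables: the timeout is the guard timer == 0, not a message."""
    g = {}
    _add(g, ("idle", 0), "set", ("waiting", d))
    for t in range(d, 0, -1):
        _add(g, ("waiting", t), "tick", ("waiting", t - 1))
    _add(g, ("waiting", 0), "timeout", ("expired", 0))
    _add(g, ("expired", 0), "reset", ("idle", 0))
    return g

def abstract_system(k):
    """One finite graph for the whole family {concrete_system(d) | d >= k}.
    A tick from INF is nondeterministic: tick_stay (the setting was larger)
    or tick_down (exactly k ticks remained, so the value becomes k-1)."""
    g = {}
    _add(g, ("idle", 0), "set", ("waiting", INF))
    _add(g, ("waiting", INF), "tick_stay", ("waiting", INF))
    _add(g, ("waiting", INF), "tick_down", ("waiting", k - 1))
    for t in range(k - 1, 0, -1):
        _add(g, ("waiting", t), "tick", ("waiting", t - 1))
    _add(g, ("waiting", 0), "timeout", ("expired", 0))
    _add(g, ("expired", 0), "reset", ("idle", 0))
    return g

def alpha(state, k):
    """Abstraction function: collapse every timer value >= k into INF."""
    loc, t = state
    return (loc, INF if t >= k else t)

def abstraction_is_sound(d, k):
    """alpha is a simulation: every step of concrete_system(d) is matched by a
    step of abstract_system(k) between the abstracted states.  This is what
    transfers universal (all-paths) properties from the abstract system to
    each member of the family; it fails for d < k, which the family excludes."""
    conc, abs_ = concrete_system(d), abstract_system(k)
    for s, succs in conc.items():
        targets = {t for _, t in abs_.get(alpha(s, k), [])}
        if any(alpha(s2, k) not in targets for _, s2 in succs):
            return False
    return True

def reach(graph, start, avoid=()):
    """States reachable from start in one or more steps, never entering a
    state whose location is in avoid."""
    seen, stack = set(), [start]
    while stack:
        for _, t in graph.get(stack.pop(), []):
            if t[0] not in avoid and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def liveness_counterexample(graph, init, goal, fair=()):
    """Look for a reachable cycle that avoids location goal: a refutation of
    'always eventually goal'.  Labels in fair are under weak fairness: a cycle
    counts only if it takes the label or some cycle state has it disabled.
    Returns the states of the offending cycle, or None."""
    for s in reach(graph, init) | {init}:
        if s[0] == goal:
            continue
        goal_free = reach(graph, s, avoid=(goal,))
        if s not in goal_free:
            continue                     # s lies on no goal-free cycle
        cycle = {t for t in goal_free if s in reach(graph, t, avoid=(goal,))}
        taken = {lab for u in cycle for lab, v in graph.get(u, []) if v in cycle}
        for lab in fair:
            enabled_everywhere = all(
                any(l == lab for l, _ in graph.get(u, [])) for u in cycle)
            if lab not in taken and enabled_everywhere:
                break                    # continuously enabled, never taken: unfair
        else:
            return sorted(cycle, key=str)
    return None

if __name__ == "__main__":
    abs3, init = abstract_system(3), ("idle", 0)
    print("simulation holds for d=5, k=3:", abstraction_is_sound(5, 3))
    print("no fairness   :", liveness_counterexample(abs3, init, "expired"))
    print("weak fairness :", liveness_counterexample(abs3, init, "expired", ("tick_down",)))
```

Without fairness the abstract graph reports the self-loop at ("waiting", INF) as a violation of "every timer setting is eventually followed by a timeout", which no concrete member of the family exhibits; with weak fairness on tick_down that cycle is discarded.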
Compositional verification is one of the approaches used to cope with state 
explosion. A system is decomposed into components that can be checked sepa-
rately. Since model checkers usually do not work with open systems, the com-
ponents should be closed prior to model checking. Manual closing is error-prone 
and time-consuming. We provide automatic closing of open systems with the 
most general, chaotic, environment. Closing involves static analysis, abstraction 
and program transformation. We propose a combination of may- and must-
analyses that marks variables at each location of a system specification as 
definitely influenced by the environment, as definitely not influenced by the 
environment, or as "don't know" variables whose values at a location depend 
on the run. The data coming from the environment are abstracted into a single 
abstract value. For timers, we use a more complex three-valued abstraction. 
A program transformation, which follows the combined may/must analysis, 
removes the manipulations on data that are definitely influenced by the envi-
ronment. The manipulations on data that are definitely not influenced by the 
environment are left unmodified. The manipulations on "don't know" data are 
treated dynamically in the transformed system. Abstracting from data coming 
from the environment eliminates one factor causing state explosion. Another 
factor leading to state explosion is asynchronous communication with the en-
vironment. The transformation removes it by embedding the environment into 
the system. We show that there is path inclusion up to stuttering between the 
closed and the original open system. This guarantees the transfer of positive 
verification results from the closed system to the original open one for all prop-
erties that can be expressed by LTL-X formulas mentioning only variables not 
influenced by the environment. 
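The combined may/must analysis and the transformation that follows it, as an added Python illustration that is not the thesis's implementation: the mini control-flow language, the lattice encoding (may-influenced sets joined by union, must-influenced sets joined by intersection) and the example program are assumptions made here.

```python
"""Combined may/must analysis marking, at each location, which variables are
definitely, definitely not, or maybe influenced by a chaotic environment,
followed by the transformation the analysis drives.  Added illustration, not
the thesis's tool: the mini language, lattice encoding and example program
are assumptions made for this example."""

# Constructed example program: node -> (statement, successor nodes).
# ("input", v) reads v from the environment; ("assign", v, uses) computes v
# from the variables in `uses`; ("branch",) and ("skip",) only route control.
PROGRAM = {
    0: (("input", "x"), [1]),
    1: (("assign", "y", ()), [2]),        # y := 0
    2: (("branch",), [3, 5]),
    3: (("assign", "y", ("x",)), [4]),    # y := x + 1   (environment-influenced)
    4: (("skip",), [6]),
    5: (("assign", "y", ("y",)), [6]),    # y := y + 2   (stays local)
    6: (("assign", "z", ("y",)), [7]),    # z := y       (join: depends on the path)
    7: (("assign", "z", ()), []),         # z := 1
}
ENTRY = 0

def variables(program):
    return {s[1] for s, _ in program.values() if s[0] in ("input", "assign")}

def transfer(stmt, may, must):
    """Out-state of one statement for in-state (may, must), both frozensets."""
    kind = stmt[0]
    if kind == "input":                   # value comes straight from the environment
        return may | {stmt[1]}, must | {stmt[1]}
    if kind == "assign":
        v, uses = stmt[1], set(stmt[2])
        may = may | {v} if uses & may else may - {v}
        must = must | {v} if uses & must else must - {v}
        return may, must
    return may, must                      # branch / skip: identity

def analyse(program, entry):
    """Forward fixpoint; returns node -> (may_in, must_in) before the node."""
    all_vars = frozenset(variables(program))
    preds = {n: [] for n in program}
    for n, (_, succs) in program.items():
        for s in succs:
            preds[s].append(n)
    may_in = {n: frozenset() for n in program}
    must_in = {n: all_vars for n in program}   # top of the intersection lattice
    must_in[entry] = frozenset()               # nothing is influenced on entry
    changed = True
    while changed:
        changed = False
        for n in program:
            if n == entry:
                continue
            outs = [transfer(program[p][0], may_in[p], must_in[p]) for p in preds[n]]
            may = frozenset().union(*(m for m, _ in outs))
            must = frozenset.intersection(*(u for _, u in outs)) if outs else all_vars
            if (may, must) != (may_in[n], must_in[n]):
                may_in[n], must_in[n] = may, must
                changed = True
    return {n: (may_in[n], must_in[n]) for n in program}

def classify(program, entry):
    """node -> {var: 'env' | 'clean' | 'unknown'} for the state before the node."""
    result = {}
    for n, (may, must) in analyse(program, entry).items():
        result[n] = {v: "env" if v in must else "clean" if v not in may else "unknown"
                     for v in sorted(variables(program))}
    return result

def transform(program, entry):
    """Rewrite each assignment by the status of its result after the statement:
    definitely environment-influenced -> replaced by the single abstract value
    TOP; definitely not influenced -> unchanged; 'don't know' -> kept and
    evaluated dynamically (an operand equal to TOP makes the result TOP)."""
    states = analyse(program, entry)
    out = {}
    for n, (stmt, _) in program.items():
        if stmt[0] != "assign":
            out[n] = stmt
            continue
        may, must = transfer(stmt, *states[n])
        v = stmt[1]
        if v in must:
            out[n] = ("assign", v, "TOP")
        elif v not in may:
            out[n] = stmt
        else:
            out[n] = ("assign_dyn",) + stmt[1:]
    return out

if __name__ == "__main__":
    for n, marks in classify(PROGRAM, ENTRY).items():
        print(n, marks, "->", transform(PROGRAM, ENTRY)[n])
```

At the join (node 6) y is "don't know", so z := y is kept for dynamic treatment, whereas y := x + 1 on the environment-influenced branch is replaced by the abstract value.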
All techniques presented in this thesis have been implemented. For each of 
the developed approaches, we have performed a number of experiments con-
firming their usefulness. 
Samenvatting (Dutch Summary) 
In this thesis we have presented a number of techniques that help with the 
verification of reactive systems. A well-established formal technique for 
verifying reactive systems is model checking, which is used by both industry and 
the academic world. Since model checking is based on exploring state spaces, 
the stumbling block for the applicability of model checking is the state space 
explosion problem. The techniques presented in this thesis were developed 
to alleviate this problem. They combine abstraction, static analysis and 
program transformation. 
Reactive systems are often also timed systems, and timers are used to 
express the timing constraints imposed on the system. Interpretations of time 
and timing constraints in the specification languages used in industry are 
mainly implementation-oriented and unsuitable for verification purposes. SDL 
is a clear representative of the class of implementation-oriented languages in 
which time is modelled by an infinitely growing variable and in which timeouts 
are treated as messages. 
We have proposed a transformation that replaces traditional SDL timers by 
timer variables. The transformation makes it possible to avoid unbounded time 
values and to optimise the size of the system by modelling timeouts as timeout 
conditions. We have justified that, for verification purposes, timers as variables 
can be used instead of traditional timers. We have proved that the original and 
the transformed systems are related by "path equivalence up to stuttering". 
This guarantees that both positive and negative verification results are preserved 
for properties that can be expressed by formulas in the temporal logic LTL-X. 
The concept of timers as variables can be exploited successfully for timed 
verification by using verification frameworks that do not take time into 
account. As an example we have taken the µCRL framework, which offers a 
language for the specification of reactive systems and tools for optimising 
state spaces. This framework was developed specifically to handle data. We 
have described a specification method that makes it possible to use the untimed 
toolset and the untimed specification language for timed verification, without 
introducing new constructs into the language and without modifying the toolset. 
We have also introduced an LTL-like temporal logic that is action-based and 
takes time into account. The formulas of this logic can be translated into the 
regular alternation-free µ-calculus and checked with the CADP toolset. Thus we 
have obtained a powerful framework that can handle both time and data in 
reactive systems. 
In a number of practical examples, the properties of reactive systems are 
expected to remain valid for all timer settings that satisfy a certain condition. 
A typical example of such a condition is "for all settings of a timer that are 
larger than or equal to some k". Checking whether a property remains valid for 
all systems whose timer settings satisfy this condition requires an infinite 
number of iterations, so it is impossible to solve this problem directly with 
model checking. We have given a timer abstraction that makes it possible to 
represent an infinite family of finite-state systems satisfying this condition 
by a single finite-state system. We have also shown that properties that can be 
expressed by formulas from the universal fragment of the µ-calculus are 
preserved in the direction from the abstract system to the original one. 
The timer abstraction has proved useful for the verification of a wide range 
of properties. It can, however, cause spurious error reports when liveness 
properties are verified. The problem can be solved by imposing a "strong 
fairness" condition on the abstract system. Imposing this "strong fairness" 
condition leads to a considerable growth of the state space. For the timer 
abstraction we have shown that the "strong fairness" condition can be reduced 
to a "weak fairness" condition. We have shown that the "weak fairness" 
condition can be built into the model checking algorithm implemented in Spin. 
Using the built-in "weak fairness" is much more efficient than using "strong 
fairness". 
Compositional verification is one of the approaches used to cope with state 
space explosion. A system is decomposed into components that can be checked 
separately from each other. Since model checkers usually do not work with open 
systems, the components have to be closed before model checking. Manual 
closing is error-prone and time-consuming. We have given an automatic closing 
of open systems with the most general, chaotic, environment. The closing 
comprises static analysis, abstraction and program transformation. We have 
proposed a combination of may- and must-analysis that marks the variables at 
every location of a system specification as definitely influenced by the 
environment, as definitely not influenced by the environment, or as "don't 
know" variables whose value at a location depends on the execution. The data 
coming from the environment are abstracted into a single abstract value. For 
timers we use a more complex, three-valued abstraction. 
A program transformation, which follows the combined may- and must-analysis, 
removes the operations on data that are definitely influenced by the 
environment. The operations on data that are definitely not influenced by the 
environment are left unchanged. The operations on "don't know" data are 
treated dynamically in the transformed system. Abstracting from data coming 
from the environment eliminates one factor that causes state space explosion. 
Another factor that leads to state space explosion is asynchronous communication 
with the environment. The transformation removes this by embedding the 
environment into the system. We have shown that path inclusion up to stuttering 
holds between the closed and the original open systems. This guarantees the 
transfer of positive verification results from closed to open systems for all 
properties that can be expressed in LTL-X formulas mentioning only variables 
that are not influenced by the environment. 
All techniques presented in this thesis have been implemented. For each of 
the developed approaches we have carried out a number of experiments that 
confirm their usefulness. 

