Abstract. Enormous progress has been achieved in the last decade in the verification of timed systems, making it possible to analyze significant real-world protocols. An open challenge is the identification of fully symbolic verification techniques, able to deal effectively with the finite state component as well as with the timing aspects. In this paper we propose a new, symbolic verification technique that extends the Bounded Model Checking (BMC) approach for the verification of timed systems. The approach is based on the following ingredients. First, a BMC problem for timed systems is reduced to the satisfiability of a math-formula, i.e., a boolean combination of propositional variables and linear mathematical relations over real variables (used to represent clocks). Then, an appropriate solver, called MATHSAT, is used to check the satisfiability of the math-formula. The solver is based on the integration of SAT techniques with some specialized decision procedures for linear mathematical constraints, and requires polynomial memory. Our methods allow for handling expressive properties in a fully-symbolic way. A preliminary experimental evaluation confirms the potential of the approach.
Introduction
The verification of timed systems is a very important and challenging problem. In the last decade it has attracted a lot of interest, and significant results have been achieved, making it possible to verify real protocols with limited computational resources (see e.g. [LPY95, DY95]). The verification of timed systems combines the challenge of finite-state variables with the problems related to time: a state can be seen as an assignment to propositional variables and to real variables, called clocks.
The verification of timed systems is traditionally based on the use of Difference Bound Matrices (DBMs) [Dil89], which compactly represent the region of clock assignments compatible with a specific assignment to the propositional variables. Despite their efficiency, such techniques are basically explicit-state: a complete assignment to the propositional variables is associated with a complete region, and the amount of required memory is the most limiting factor in the verification process. Recently proposed techniques, such as DDDs [MLAH01], CDDs [LWYP98], and RED [Wan00], provide symbolic representations for the search space. Also in this case, however, the memory requirements can be substantial, because these structures inherit the properties of Binary Decision Diagrams.
In this paper, we propose a new symbolic technique for the verification of timed systems. The approach is a generalization of Bounded Model Checking (BMC) [BCCZ99], which is gaining increasing interest for the verification of finite state systems [Sht00, CFG+01]. The approach consists in encoding the BMC problem for timed systems into the problem of deciding the satisfiability of math-formulas, i.e. boolean combinations of boolean variables and linear (in)equalities over real variables, representing clocks. The resulting problems are then tackled with MATHSAT, a solver combining an efficient procedure for propositional satisfiability (SAT) [DLL62] with mathematical constraint solvers of increasing deductive power.
The approach is rather general, since it allows specifications to be expressed in full LTL, including fairness properties. Furthermore, the approach is fully symbolic: it allows us to tackle the digital component of timed systems with symbolic technologies as in the untimed case, while the timed component is tackled by means of specialized mathematical constraint solvers. Finally, the math-formulas generated are polynomial in the size of the representation of the input system and the maximum path length k, and are solved by a solver requiring a polynomial amount of memory. Although preliminary, our experimental analysis confirms the potential of the proposed approach.
The paper is organized as follows. In Section 2 we give some background: we recall the basics on timed automata [Alu99], and we describe the MATHSAT problem [ABC+02]. In Section 3 we describe the idea of BMC for timed automata, and we show how to reduce the problem to the satisfiability of a math-formula. In Section 4 we discuss some optimizations to the encoding. In Section 5 we discuss some related approaches. In Section 6 we present some preliminary empirical results. In Section 7 we draw some conclusions, and outline the future directions.
Background

Model Checking Timed Automata
In this section we briefly recall timed automata [Alu99]. An atomic clock constraint is any expression of the form (x c), ∈ {≤, ≥, <, >}, x being a clock variable with values in R and c ∈ Z being a constant; a clock constraint is any conjunction of atomic clock constraints. (Notice that, as a consequence, every clock constraint is convex.)
is the set of initial locations, Σ_1 is a finite set of labels for the possible events, X_1 is a finite set of clock variables, I_1 is a map labeling every location s ∈ L_1 with a clock constraint on X_1, and E_1 is the set of switches. Every switch T = ⟨s_i, a, ϕ, λ, s_j⟩ is characterized by its source and target locations s_i, s_j ∈ L_1, an event a ∈ Σ_1, a clock constraint ϕ on X_1, and a set of clock reset conditions λ of the form (x = 0),
, and E is defined as follows:
The dynamics of the timed automaton A_1 is given by means of a transition system S_{A_1}. A state of S_{A_1} is a pair (s, ν) s.t. s ∈ L_1 and ν : X_1 → R^+ is a clock evaluation satisfying I(s). (s, ν) is an initial state iff s ∈ L^0_1 and ν(x) = 0 for all x ∈ X_1. S_{A_1} can evolve in two different ways. With time elapse, if δ ≥ 0, then (s, ν) −δ→ (s, ν + δ), ν + δ being the evaluation such that (ν + δ)(x) = ν(x) + δ for all x ∈ X_1, and ν + δ′ satisfies I(s) for all δ′ s.t. 0 ≤ δ′ ≤ δ. With switch, if ⟨s_i, a, ϕ, λ, s_j⟩ ∈ E_1 and ν satisfies ϕ,
being the evaluation assigning x = 0 for all x ∈ λ and agreeing with ν for the other clocks in X_1.
Let A = ⟨L, L_0, Σ, X, I, E⟩, and let Φ(X) and Λ(X) be the sets of all possible atomic clock constraints and clock reset conditions on X, respectively. Let Φ_A(X) be the set of all atomic clock constraints on X occurring in the automaton A. We regard as atomic propositions the locations s ∈ L (meaning "A is in location s"), the elements of Φ_A(X) and those of Λ(X). The timed automaton A induces a Kripke structure ⟨S, S_0, R, L⟩, with a finite set of states S, a set of initial states S_0 ⊂ S, a transition relation R ⊆ S × S and a labeling function
. R is such that, for every σ_i, σ_j ∈ S, R(σ_i, σ_j) holds if and only if either (i) one switch ⟨s_i, a, ϕ, λ, s_j⟩ in Σ is such that
We use Linear Temporal Logic (LTL) with its standard semantics [Eme90] to specify properties of timed automata. Basic propositions are atomic propositions, atomic clock constraints in Φ_A(X), and clock reset conditions in Λ(X); a propositional literal (i.e., a basic proposition or its negation) is an LTL formula; if h and g are LTL formulas, then h ∧ g, h ∨ g, h ↔ g, Xg, Gg, Fg, hUg and hRg are LTL formulas, X, G, F, U and R being the standard "next", "globally", "eventually", "until" and "releases" temporal operators respectively. In order to encompass the case of a property f including atomic clock constraints not in Φ_A(X), it is possible to extend the labeling function of the Kripke structure to
is the set of atomic clock constraints in f .
Satisfiability of math-formulae
We call math-formula a boolean combination of boolean variables and linear constraints over numerical variables. We call an interpretation a map I which assigns real and boolean values to real and boolean variables respectively and preserves constant values, arithmetical and boolean operators. For instance,
. We say that I satisfies a math-formula φ, written I |= φ, iff I(φ) evaluates to true. We call MATHSAT the problem of checking the satisfiability of a math-formula. We call a truth assignment for a math-formula φ a truth value assignment µ to (a subset of) the atoms of φ. We say that µ propositionally satisfies φ, written µ |=_p φ, iff it makes φ evaluate to true. We represent truth assignments as sets of literals, with the intended meaning that positive and negative literals represent atoms assigned to true and to false respectively. I satisfies µ iff it satisfies all its elements. For instance, the assignment {(x − y ≥ 4), ¬A_1} propositionally satisfies (x − y ≥ 4) ∧ (¬A_1 ∨ (x = y)), and it is satisfied by I s.t. I(x) = 6, I(y) = 1,
To solve the MATHSAT problem, we have implemented MATHSAT [ABC+02], a solver based on a variant of the DPLL SAT procedure [DLL62]. The basic schema of such a procedure is reported in Figure 1. MATHSAT takes as input a math-formula ϕ, expressed in CNF, and (by reference) an empty interpretation I, and returns a truth value asserting whether ϕ is satisfiable or not, I being respectively an interpretation satisfying ϕ or Null. MATHSAT invokes MATHDPLL passing as arguments ϕ and (by reference) an empty assignment µ and the interpretation I. MATHDPLL tries to find a truth assignment µ propositionally satisfying ϕ which is satisfiable from the mathematical viewpoint. Basically, MATHDPLL is a variant of DPLL, modified to work as an enumerator of truth assignments, whose satisfiability is recursively checked by MATHSOLVE. (The function assign(l, ϕ) assigns l to true in ϕ and propositionally simplifies the result.) The key difference w.r.t. standard DPLL is in the "base" step. Standard DPLL needs to find only one satisfying assignment µ, and thus simply returns True. MATHDPLL instead also needs to check the satisfiability of µ, and thus it invokes MATHSOLVE(µ). Then it returns True if a non-null interpretation satisfying µ is found, and returns False and backtracks otherwise. MATHSOLVE takes as input an assignment µ and returns either an interpretation I satisfying µ or Null if there is none. In our implementation, MATHSOLVE first performs all the substitutions allowed by the equalities in µ. Then, if only inequalities over two variables are left, a variant of
Bounded Model Checking for Timed Automata
Bounded Model Checking (BMC) is a recent approach to symbolic model checking [BCCZ99] . The starting point is an existential model checking problem M |= Ef , for an LTL formula f , and a Kripke structure M . The idea is to solve the problem by looking for a witness to the property that can be presented within a bound of k steps. Given k, the problem is reduced to the satisfiability of a propositional formula
If [[M, f]]_k is unsatisfiable, then nothing can be said about the existence of solutions for M |= Ef with a higher bound. Thus, the typical technique is to generate and solve [[M, f]]_k for increasing values of k, until either a counterexample is found, or a given time-out is reached. (Completeness can in principle be achieved when k reaches the diameter of the problem. Unfortunately, such a value is typically hard to compute, and very large.) Despite this limitation, BMC is being increasingly accepted as an effective and practical technique, in particular in the process of falsification, i.e. bug finding. The problem is tackled by refutation, looking for witnesses of bound k to the negation of the property being analyzed. The technique relies on the use of efficient SAT solvers (e.g. based on DPLL procedures) for checking the propositional satisfiability
, BMC avoids the blow-up in memory that can occur with model checking based on Binary Decision Diagrams, and is therefore able to tackle much larger circuits. Furthermore, SAT-based techniques appear to require less tuning to be effective, and are therefore more amenable to introduction in industrial settings. In this paper, we address the problem of BMC for M |= f in the case of timed systems, where M is a Kripke structure induced by a timed automaton, and f is an LTL formula. The encoding [[M, f]]_k is a math-formula, where real variables are used to represent the temporal part of the state space and its evolution. The encoding is a combination of a characterization of the paths of the automaton (described in Section 3.1) with a characterization of the paths that satisfy the specification (described in Section 3.2).
Fig. 3. Encoding Initial Conditions and Invariants for A_1
Encoding Paths and Loops of Timed Automata
In the following, we assume that A_1 and A_2, with
0 , Σ, X, I, E , are given. For explanatory purposes, we use the simple automaton depicted in Figure 2 .
Boolean Variables. In order to represent the status and the evolution of the system A_1, we introduce the following propositional variables. For locations, we introduce an array s of log_2(|L_1|) boolean variables. The intended meaning is that s_i holds if and only if the system is in the location
To represent each event a ∈ Σ_1, we introduce a boolean variable a, with the intended meaning that a holds if and only if the system executes a switch of event a. For each switch ⟨s_i, a, ϕ, λ, s_j⟩ ∈ E_1 we introduce a single boolean variable (e.g., T), with the intended meaning that T holds if and only if the system executes the corresponding switch. Finally, we introduce two boolean variables T_δ and T_null

Real Variables. The clocks in the automaton are represented by means of real variables in the encoding, as follows. We introduce a real variable z, called "absolute time reference", whose negated value represents the time elapsed from the beginning of the path being analyzed. Then, for each clock x in the automaton, we introduce an "offset" variable ox whose negated value is the absolute time when the clock was last reset. In general, the value of a clock x is obtained as ox − z. In the following, we write r′ for the value of the real variable r after a transition of the automaton. In this setting, when the automaton performs a delta transition, and time advances, we have that z′ < z. Otherwise, time does not elapse, and z′ = z. Every condition or operation over a clock x can be encoded by means of the difference between the absolute time z and ox. This trivially applies to state constraints and transition constraints of the form (x c), with ∈ {≤, ≥, <, >} and c ∈ Z a constant, which are reduced to (ox − z c). We encode the fact that a transition resets a clock by means of the constraint ox′ = z′. Similarly, we impose that clocks have non-negative values (ox − z ≥ 0) by means of the constraint ox ≥ z. In the example of Figure 2, the clock x in the automaton on the left is represented by the difference between ox and z on the right. When clear from context, in the following we write x for ox.
, as x can either be reset or keep its value. For the example automaton, we depict in Figure 2, on the right, the variables needed to encode a path of bound k = 4. The vertical squares represent the state vector at the different steps, where thick squares enclose values for real variables, while the rounded squares represent the propositional values of transitions (from top to bottom T_δ, T_12, T_21, T_null).
A set of implicitly conjoined constraints is needed to make sure that the assignments to the variables represent a legal path of the automaton. The initial conditions, holding over the first state vector, state that the system can only be in one of the initial locations (Figure 3, Eq. 1, left), and that the clocks are all zero (right). The invariants (Figure 3, Eq. 2) state that if the system is in a location s_i, then all the associated clock constraints must hold; they must be replicated for all state vectors.
The constraints in Figure 4 describe the effect of switches, delta and null transitions, and must be replicated from steps 0 to k − 1. At step i, the current and next state vectors are instantiated with the state vectors at steps i and i + 1, respectively. Equation 3 encodes switches ⟨s_i, a, ϕ, λ, s_j⟩ ∈ E_1. Intuitively, if ⟨s_i, a, ϕ, λ, s_j⟩ is being fired, then: (i) before the switch, the automaton is in location s_i, the event a occurs and the constraints ϕ are verified; (ii) after the switch, the automaton is in location s_j, all clocks in λ are reset, and the values of the other clocks are the same as before the transition; (iii) as no time elapse can occur when switching, the value of z is the same before and after the transition. The formula (4) encodes delta transitions: (i) the time elapse must be strictly greater than 0, (ii) in the next state the system must be in the same location as in the current state, (iii) the values of all clocks must be identical to those of the current state, and (iv) no event in Σ_1 can occur together with time elapsing. (The invariants
.) The formula (5) encodes the null transition, enforcing that (i) the time elapse must be equal to zero, (ii) in the next state the system must be in the same location as in the current state, (iii) the values of all clocks must be identical to those of the current state, and (iv) no event in Σ_1 can occur.
The remaining formulae (6-7) express the relation between the different transitions. Formula (6) states that at least one variable among the variables T in E_1, T_δ and T^1_null must hold, i.e. in system A_1 either a switch fires, time passes, or stuttering occurs. The formula (7) states mutual exclusion between events, that is, two different events in Σ_1 cannot occur at the same time. The formulas (7) also state the mutual exclusion between two switches in the (rare) case that they share the same event, source and target locations. In every other case, the mutual exclusion between two switches is a consequence of (3) and of the mutual exclusion of states and of events (7).
An infinite, cyclic behaviour can be encoded as a path of length k with a loop back at l, with 0 ≤ l < k. For the propositional part of the state vector, this can be expressed by imposing that each variable has the same value at l and k. For each clock x, we impose that (ox
. Notice that it is not possible to express this condition simply by means of the equality ox^(k) = ox^(l), since ox decreases monotonically. Given M and an integer k ≥ 0, we write [[M]]_k for (the math-formula representing) a path of bound k for the Kripke structure M, and _lL_k for the loopback condition from k to l.
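The MATHDPLL/MATHSOLVE loop of the background section and the ox − z clock encoding just described, as an added example that is not the paper's MATHSAT code: a miniature MATHDPLL in Python whose MATHSOLVE is the Bellman-Ford check for two-variable inequalities, run on the bounded-path encoding (initial conditions, invariants, delta and switch transitions) of a constructed two-location, one-clock automaton. The automaton, its guards and its invariant are assumptions of this example; the loopback condition on a clock relates four variables, so it falls outside the two-variable case handled here and is not encoded.

```python
# Atoms: ("b", name) is a boolean variable; ("d", x, y, c, strict) stands for
# x - y < c (strict) or x - y <= c. A literal is (atom, polarity); a CNF
# formula is a list of clauses, each a list of literals.
def neg(lit):
    return (lit[0], not lit[1])
def b(name):
    return (("b", name), True)
def le(x, y, c):
    return (("d", x, y, c, False), True)      # x - y <= c
def lt(x, y, c):
    return (("d", x, y, c, True), True)       # x - y < c
def eq(x, y):
    return [le(x, y, 0), le(y, x, 0)]         # x = y as two literals

def as_constraint(atom, polarity):
    """A negated x - y <= c is y - x < -c: still a difference constraint."""
    _, x, y, c, strict = atom
    return (x, y, c, strict) if polarity else (y, x, -c, not strict)

def mathsolve(constraints):
    """Bellman-Ford over the constraint graph (two-variable case of MATHSOLVE).
    Weights are pairs (c, e) meaning c + e*eps for an infinitesimal eps > 0, so a
    strict bound is (c, -1). Returns {var: (c, e)}, an interpretation satisfying
    the constraints, or None if a negative cycle makes them infeasible."""
    nodes = {v for (x, y, _, _) in constraints for v in (x, y)}
    dist = {v: (0, 0) for v in nodes}          # implicit source at distance 0
    edges = [(y, x, (c, -1 if s else 0)) for (x, y, c, s) in constraints]
    for _ in range(len(nodes) + 1):
        changed = False
        for y, x, (c, e) in edges:
            cand = (dist[y][0] + c, dist[y][1] + e)
            if cand < dist[x]:                  # lexicographic: eps is tiny
                dist[x], changed = cand, True
        if not changed:
            return dist
    return None                                 # still relaxing: negative cycle

def assign(lit, clauses):
    """assign(l, phi): drop clauses satisfied by l, remove not-l from the others."""
    return [[m for m in cl if m != neg(lit)] for cl in clauses if lit not in cl]

def mathdpll(clauses, mu=()):
    """Enumerate assignments mu propositionally satisfying the CNF and hand each
    to mathsolve; return (mu, interpretation), or None if no mu is satisfiable."""
    while True:
        if not clauses:                         # mu |=p phi: check the math part
            model = mathsolve([as_constraint(a, p) for a, p in mu if a[0] == "d"])
            return None if model is None else (mu, model)
        if any(not cl for cl in clauses):
            return None                         # empty clause: backtrack
        units = [cl[0] for cl in clauses if len(cl) == 1]
        if not units:
            break
        clauses, mu = assign(units[0], clauses), mu + (units[0],)
    atom = clauses[0][0][0]                     # branch on the first open atom
    for pol in (True, False):
        res = mathdpll(assign((atom, pol), clauses), mu + ((atom, pol),))
        if res is not None:
            return res
    return None

def bmc_encoding(k):
    """Paths of bound k of the constructed automaton: locations A (s false) and
    B (s true); one clock x whose value at step i is ox_i - z_i; switch T12:
    A -> B, guard x >= 2, resets x; switch T21: B -> A, guard x >= 1, no reset;
    location invariant x <= 3 in B."""
    cnf = [[neg(b("s0"))]] + [[c] for c in eq("ox0", "z0")]   # init: in A, x = 0
    for i in range(k + 1):
        s, ox, z = b(f"s{i}"), f"ox{i}", f"z{i}"
        cnf.append([le(z, ox, 0)])                            # x >= 0, i.e. z <= ox
        cnf.append([neg(s), le(ox, z, 3)])                    # invariant of B
    for i in range(k):
        z, z1, ox, ox1 = f"z{i}", f"z{i+1}", f"ox{i}", f"ox{i+1}"
        s, s1 = b(f"s{i}"), b(f"s{i+1}")
        td, t12, t21 = b(f"Td{i}"), b(f"T12_{i}"), b(f"T21_{i}")
        cnf.append([td, t12, t21])                            # some transition fires
        cnf += [[neg(td), neg(t12)], [neg(td), neg(t21)], [neg(t12), neg(t21)]]
        # delta transition: z' < z; location and clock offsets unchanged
        cnf += [[neg(td), lt(z1, z, 0)], [neg(td), neg(s), s1], [neg(td), s, neg(s1)]]
        cnf += [[neg(td), c] for c in eq(ox1, ox)]
        # switch T12: guard ox - z >= 2 is z - ox <= -2; reset is ox' = z'; z' = z
        cnf += [[neg(t12), neg(s)], [neg(t12), s1], [neg(t12), le(z, ox, -2)]]
        cnf += [[neg(t12), c] for c in eq(ox1, z1) + eq(z1, z)]
        # switch T21: guard x >= 1; clock kept; no time elapse
        cnf += [[neg(t21), s], [neg(t21), neg(s1)], [neg(t21), le(z, ox, -1)]]
        cnf += [[neg(t21), c] for c in eq(ox1, ox) + eq(z1, z)]
    return cnf

def reach_b(k):
    """BMC for EF B: a witness path of bound k ending in B, or None."""
    return mathdpll(bmc_encoding(k) + [[b(f"s{k}")]])

def back_in_a(k):
    """A path of bound k that visits B and is back in A at step k, or None."""
    return mathdpll(bmc_encoding(k) + [[b(f"s{j}") for j in range(1, k)], [neg(b(f"s{k}"))]])

if __name__ == "__main__":
    for k in range(1, 5):      # expected: B reachable from k = 2, back in A from k = 4
        print(k, reach_b(k) is not None, back_in_a(k) is not None)
```

The returned interpretation gives each z and ox as a pair (c, e), to be read as c + e·ε for a small ε, which is how the strict bound of a delta transition is satisfied.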
Product construction. The encoding for the product automaton A = A_1 || A_2 follows almost directly from the encodings of A_1 and A_2, by conjunction. (Notice that T_δ is common to all systems A_i.) The only addition is the following constraint:
needed to prevent two different events a_1 ∈ Σ_1 \ Σ_2 and a_2 ∈ Σ_2 \ Σ_1 from occurring at the same time. It is clear that our approach meets the requirement that the combinatorial explosion due to the product construction is not present when generating the encoding. Rather, it is deferred to search time, where it can be tackled by means of symbolic techniques.
Encoding LTL specifications of Timed Automata
The existential BMC problem M |=_k Ef, read "there exists an execution path of M of bound k satisfying the LTL property f", is equivalent to the satisfiability problem for the math-formula [[M, f]]_k, whose component encoding f (the bounded tableau) depends on the structure of the formula. (Without loss of generality we assume that f is in extended negative normal form.) The tableau encodes the necessary conditions for the existence of a path satisfying the formula. For instance, in the case of an eventuality formula Fg, it requires that g must hold in at least one of the steps within the bound. Notice that, in the case of a globally formula Gg, an infinite behaviour is required in order to be able to provide a witness. The encoding of LTL formulae is very similar to the encoding proposed in [BCCZ99], apart from two differences. First, in the specification, constraints over clocks are also possible as atomic propositions, so that [[M, f]]_k is a math-formula. Second, we define the loopback as an equivalence between the state vectors at l and k, while in [BCCZ99] a transition from step k to step l is required.
Improvements and extensions to the encodings
The encoding described in the previous section can be improved and extended in various ways, in order to best exploit the features of the solver. Here we consider some optimizations, and show how they can be implemented in our approach. (Care must be taken since some of them may change the semantics of "next state", and consequently the validity of some LTL properties, in particular those with "X" operators.)

Deterministic propagation of real values. We exploit the fact that the truth value of some mathematical constraints may derive deterministically from those of other mathematical constraints. By making such information explicit in the encoding, the SAT solver deterministically propagates the truth values without investigating the mathematical constraints, and may avoid branching on the truth value of mathematical constraints. This is done by adding the formulas reported in Figure 5 to the encoding. The formulas (9), (10) and (11) make explicit the facts that z′ ≤ z, x′ ≥ z′ and x′ ≤ x, as observed in Section 3.1, and the fact that equalities and strict inequalities are mutually incompatible. We may also propagate the positive and negative values of equalities; if so, for every x ∈ X_1 we add the formulas (12), (13), (14), (15), (16) and (17). Moreover, we may propagate the positive and negative values of atomic clock constraints when time does not elapse and clocks are not reset, by adding the formulas (18) and (19).

Exploiting parallelism. The formula (8) imposes a mutual exclusion constraint between the two switches T_1 and T_2, since they are labeled by different events. Consider however that T_1 and T_2 do not interfere with each other, since they belong to different automata. Therefore we may want to release such a constraint, by dropping the formula (8) from the encoding, thus allowing them to fire in parallel. This amounts to allowing the product system A (though not forcing it) to collapse both sequences
. This results in more compact formulas, and, more importantly, may significantly shorten the length of the minimum counterexample for a given formula, which is essential in the BMC approach. The resulting encoding of A_1 || A_2 is exactly the conjunction of the encodings of A_1 and A_2.

Forcing system activity and compacting time elapse. Assume that the system is given by the product of the automata A_0, ..., A_{N−1}. The encoding allows situations in which all the systems do nothing, that is, all systems A_i execute a transition T^i_null. (This corresponds to a time elapse with δ = 0.) To prevent the search engine from considering this situation, we add the formula:
Furthermore, we avoid two consecutive time-elapsing transitions by collapsing
To do this we add the constraint:

Adding global variables. Our encoding can be straightforwardly extended to handle global variables v on discrete domains. The intended meaning is that a switch T can be subject to a condition ψ(v) on the variables v, and can either assign to v a value n or maintain its value; T_δ maintains the value of v, and T_null imposes no constraint on v. These facts are encoded respectively as
v being a boolean representation of v preserving the mutual exclusion of its values.
(Here we assume that (20) is part of the encoding, to make sure that at least one transition states the value of the global variable.)

Exploiting symmetries. Assume that the system is the product of the automata A_0, ..., A_{N−1}. We say that the model checking problem is symmetric w.r.t. A_0, ..., A_{N−1} if, for every permutation σ = {k_0 → 0, ..., k_{N−1} → N − 1} of the automata indexes, the permutation of a solution is a solution for the permuted problem. A sufficient condition for symmetry is that the automata A_0, ..., A_{N−1} are identical and that both the initial conditions and the property to be verified are symmetric. If A_0, ..., A_{N−1} are symmetric, we can simplify the search by imposing that, at step i, one of the processes with index 0 ≤ j < i is forced to fire a transition. We substitute equation 20 with
. Notice that, while equation 20 is replicated "as is" for the different time steps, the equation above changes with the step i, so that the i-th instance constrains the transitions that can be fired at step i. It is easy to see that the new encoding does not lose any interesting models. It is also clear that a significant amount of search is avoided. The idea is that exponentially many symmetric executions are collapsed into one. In fact, using
Related Work
Our work proposes a new way to tackle the verification of timed systems. In this field, several approaches have been proposed. In [HNSY94], a symbolic approach for formally checking whether a system modeled as a product of timed automata meets its requirements is presented. A product is built from components which can communicate with each other through synchronization events. The associated tool, KRONOS, is able to perform both backward and forward exploration of the state space, with a symbolic representation combining DBMs ([Dil89]) and BDDs [BDM
) is a tool for the verification of real-time systems. It is appropriate for systems that can be modeled as a collection of non-deterministic processes with finite control structure and real-valued clocks, communicating through channels and/or shared discrete variables. The description language is a non-deterministic guarded command language with simple data types (e.g. bounded integers, arrays, reals). The model checker is able to check invariants, reachability and some liveness properties by exploring the state space of a system in a symbolic way. To represent the state space, UPPAAL can use Clock Difference Diagrams (CDDs) [LWYP98] or DBMs. Difference Decision Diagrams (DDDs) [MLAH01] are BDD-like data structures that handle boolean formulas over inequalities of the form x − y < c and x − y ≤ c, and can be used to represent and explore sets of states of a timed system. The associated tool can verify a real-time system modeled as a timed guarded command program in a fully symbolic way, by performing reachability analysis and model checking of TCTL formulas using standard fixed-point iteration algorithms. RED [Wan00] is a tool for the verification of real-time systems modeled as a set of concurrent processes expressed as timed automata equipped with a clock, discrete variables and pointers. RED is based on the efficient Region Encoding Diagram (RED), a data structure which can be used for fully symbolic model checking of TCTL over timed systems. RED is able to exploit symmetries between processes, and is currently one of the most efficient verification tools in the field. Our approach differs from the above techniques in several respects. On the one hand, it is limited to the bounded case. On the other hand, it allows for the analysis of specifications expressed in LTL, and is therefore able to express general forms of fairness.
Furthermore, our approach is based on (an extension of) propositional satisfiability techniques, which are increasingly accepted as an efficient and complementary alternative to the use of Decision Diagrams, because of their limited memory requirements. Finally, we use specialized solvers that are able to deal efficiently with different classes of mathematical constraints: equalities (by substitution), binary inequalities (by Bellman-Ford), and arbitrary inequalities (by Simplex). It is also worth mentioning that bounded model checking for timed systems has recently (and independently) been investigated by other groups [Sor02, PWZ02], the approach closest to ours being [NMA+02].
Some preliminary empirical results
In this section, we report some preliminary experimental results, where our approach is used to tackle a case study, and compared with the systems described in the previous section. The evaluation is carried out on Fischer's mutual exclusion protocol [Lam87]. N identical processes (described in Figure 6) try to gain access to a critical section CS. The synchronization relies on a global variable id, to which each process P_i writes its identifier i when entering the waiting state C. Other processes P_j can enter the waiting state C in the same way. If after a certain delay δ still id = i, then P_i can enter the critical section CS, from which it eventually exits, resetting id to 0; otherwise, as soon as id is reset, it can go back to B, from where it can subsequently retry. This protocol is interesting for many reasons: it is very simple to describe and understand, it contains several elements of interest (e.g. time advance, synchronization, mutual exclusion), it is scalable, so that we can increase its complexity at will by increasing N, and it is symmetric. Despite its simplicity, investigating non-obvious properties is non-trivial even with small N's.
To analyze our example, for increasing values of N and increasing values of the bound k = 1, 2, 3, ..., we encoded the given problems into math-formulas and we tackled the resulting math-formulas with our implementation of MATHSAT. The experiments were run under Linux RedHat 7.1 on a 4-processor PentiumIII 700MHz machine with more than 6.5GB RAM. The time limit was fixed to 1 hour (only one processor is allowed for each run), while the memory was limited to 1GB for each run. MATHSAT and all the math-formulas investigated here are available at http://www.science.unitn.it/˜rseba/Mathsat.html.
As a first example, we have considered the reachability problem "Is there a state in which all the processes are in the wait state C?", formalized as M |=_k EF ⋀_i P_i.C. For every N, the math-formulas are unsatisfiable for k ≤ N and satisfiable for k > N. In fact, the shortest solution path has length N + 1 (all processes pass from A to B, and then from B to C one at a time). We have compared MATHSAT (without and with the symmetry-exploiting encoding described in Section 4) with the DDD package, with UPPAAL (version 3. in Table 2. MATHSAT was run with the default splitting heuristic, i.e. the one of SATZ [LA97]. Times are expressed in seconds and sizes in megabytes. "-" denotes that the system reached the time or size limit. For MATHSAT, the reported times are the sums of the times needed to analyze the (unsatisfiable) instances with bound k = 1, ..., N and the (satisfiable) instance k = N + 1. Although the property is extremely simple, we see that the complexity of the problem blows up quickly with N. Without using the symmetry-exploiting encoding, MATHSAT is better than UPPAAL and KRONOS, slightly worse than RED, worse than DDD and much worse than RED with its symmetry-exploiting technique. With the symmetry-exploiting encoding, MATHSAT runs dramatically better than DDD, UPPAAL and KRONOS, which have no symmetry-exploiting technique, and even better than RED with its symmetry-exploiting technique. As far as memory consumption is concerned, we see that MATHSAT behaves much better than all the other systems.
As a second example, we have considered the following fairness property: "if the i-th process is infinitely often in B, then it infinitely often accesses the critical section CS". We look for a counterexample, i.e. we tackle the following problem: M |=_k E¬(GF P_i.B → GF P_i.CS). For every N, the math-formulas are unsatisfiable for k ≤ N + 4 and satisfiable for k > N + 4. In fact, the shortest solution path containing a loop has length N + 5: all processes pass from A to B, and then from B to C one at a time; time elapses by a quantity greater than δ; then the last process that arrived in C passes alone into CS and then into A; finally they all pass into B again.
To the best of our knowledge, there is no direct way to encode this problem in DDD, UPPAAL, KRONOS and RED. With MATHSAT, instead, we can encode it by forcing a loop from step k to each step l < k. (We report here only the "interesting" case where l = 1.) Notice that the property above is not symmetric, so that this time we cannot use the symmetry-exploiting encoding. The results are collected in Table 3. To emphasize the effects of different splitting heuristics, we ran MATHSAT not only with the SATZ heuristic (left), but also with BOEHM's (right). We notice that the SATZ heuristic gives better results with unsatisfiable instances, and worse results for satisfiable ones (last entries of each column).
The analysis is clearly preliminary in several respects. First, we are comparing a SAT-based bounded model checker with fixpoint-based unbounded model checkers, which were not specially conceived for a bounded search. However, as we are not aware of any other bounded model checker for timed systems currently available, this is not a matter of choice. Second, the analysis can be biased by the fact that we are considering only one case study. Notice however that the case study was not tuned toward SAT-based techniques. (It would indeed be quite easy to find a problem where the data structures for the representation of regions blow up, simply because they inherit the properties of BDDs.) On the contrary, we are tackling an asynchronous system, while so far SAT-based BMC methods have proved particularly effective for synchronous systems. It would be interesting to extend the comparison to synchronous applications such as real-time embedded controllers. It is also important to notice that we are comparing mature approaches, which have been optimized over the years, with a new encoding technique and solver. Having said this, the above results show that our approach is extremely promising. First, as far as CPU times are concerned, our approach is comparable with other well-established ones. Second, MATHSAT has much more limited memory requirements. Third, even a very simple exploitation of symmetries can significantly reduce the verification times (and we believe that there are several directions of improvement). Fourth, although bounded, our technique can be used to falsify properties that cannot be directly handled by the other approaches.
Conclusions and Future Work
In this paper, we have presented a new approach for symbolic model checking of timed systems. We have shown how to encode a BMC problem for timed systems into that of deciding the satisfiability of boolean combinations of boolean variables and atomic linear (in)equalities, which we can solve efficiently with the MATHSAT solver. The approach is fully symbolic, and is not limited to simple reachability, but allows for (Bounded) Model Checking of LTL formulas. Furthermore, the solver can be rather efficient in terms of run-times, even with its limited memory requirements. As with BMC in the propositional case, our new technique is intended to be complementary rather than an alternative to the current ones, in particular because of its ability to find (counter)examples, of its expressiveness and of its reduced memory requirements.
In the future, we plan to extend and improve our work along the following directions. First, we want to improve and test new kinds of encodings. In particular, we will investigate alternative representations of locations, events and transitions; we will look for new propagation axioms and invariants to prune search, in particular taking into account more powerful forms of symmetry reduction. Then, we will investigate the customization of MATHSAT for encoded timed automata, by defining splitting heuristics that take into account the different semantics of the variables [GMS98, Sht00] and new mechanisms for propagating and exploiting equalities between real values. Finally, we want to perform an extensive experimental evaluation, also on synchronous domains, to identify the bottlenecks and the strengths of the approach.
