Verifying stateful timed CSP using implicit clocks and zone abstraction by SUN, Jun et al.
12-2009 
Verifying stateful timed CSP using implicit clocks and zone abstraction
Jun SUN 
Singapore Management University, junsun@smu.edu.sg 
Yang LIU 
Jin Song DONG 
Xian ZHANG 
Citation: SUN, Jun; LIU, Yang; DONG, Jin Song; and ZHANG, Xian. Verifying stateful timed CSP using implicit clocks and zone abstraction. (2009). Proceedings of the 11th International Conference on Formal Engineering Methods, ICFEM 2009, Rio de Janeiro, Brazil, December 9-12. 581-600. Research Collection School Of Information Systems.
Available at: https://ink.library.smu.edu.sg/sis_research/5042
Verifying Stateful Timed CSP Using Implicit Clocks and
Zone Abstraction
Jun Sun, Yang Liu, Jin Song Dong, and Xian Zhang
School of Computing,
National University of Singapore
{sunj,liuyang,dongjs,zhangxi5}@comp.nus.edu.sg
Abstract. In this work, we study model checking of compositional real-time systems. A system is modeled using mutable data variables as well as a compositional timed process. Instead of explicitly manipulating clock variables, a number of compositional timed behavioral patterns are used to capture quantitative timing requirements, e.g. delay, timeout, deadline, timed interrupt, etc. A fully automated abstraction technique is developed to build an abstract finite state machine from the model. The idea is to dynamically create/delete clocks, and maintain/solve a constraint on the clocks. The abstract machine weakly bi-simulates the model and, therefore, LTL model checking or trace-refinement checking are sound and complete. We enhance our home-grown PAT model checker with the technique and show its usability via the verification of benchmark systems.
1 Introduction
Specification and verification of real-time systems are important research topics which have practical implications. During the last decade or so, a popular approach for specifying real-time systems is based on the notation Timed Automata [1,23]. Timed Automata are powerful in designing real-time models with explicit clock variables. Real-time constraints are captured by explicitly setting/resetting clock variables. A number of automatic verification tools for Timed Automata have proven to be successful (e.g. UPPAAL [20], KRONOS [4] and RED [36]).
Models based on Timed Automata often adopt a simple structure, e.g. a network of Timed Automata with no hierarchy [20]. The benefit is that efficient model checking is made feasible. Nonetheless, designing and verifying compositional real-time systems is becoming an increasingly difficult task due to the widespread applications and increasing complexity of such systems. High-level requirements for real-time systems are often stated in terms of deadline, timeout, and timed interrupt [18,11,22]. In industrial case studies of real-time system verification, system requirements are often structured into phases, which are then composed sequentially, in parallel and alternatively [14,19]. Unlike statecharts (with clocks) or timed process algebras, Timed Automata lack high-level compositional patterns for hierarchical design. As a result, users often need to manually cast those terms into a set of clock variables with carefully calculated clock constraints. The process is tedious and error-prone.
K. Breitman and A. Cavalcanti (Eds.): ICFEM 2009, LNCS 5885, pp. 581–600, 2009.
© Springer-Verlag Berlin Heidelberg 2009
Contributions. We investigate an alternative approach for modeling and verifying compositional real-time systems. In this work, a system is modeled using a compositional timed process as well as mutable data variables and data operations. A rich set of process constructs are supported, a number of which are adapted from Timed CSP [30]. Additional behavioral patterns which are useful in modeling and analyzing real-time systems are introduced. Examples are deadline (which constrains a process to terminate within some time units), timed interrupt, etc. Instead of explicitly manipulating clock variables (as in Timed Automata), the time-related process constructs are designed to build on implicit clocks. Further, we augment a system model with mutable variables and data structures (e.g. arrays, stacks, queues, or any user-created data types), synchronous/asynchronous channels, etc.
In order to offer efficient mechanical verification support, a fully automated abstraction technique is developed to build an abstract finite state machine from the model. The idea is to dynamically create clocks (only if necessary) to capture constraints introduced by the timed process constructs. A clock may be shared by many constructs in order to reduce the number of clocks. Further, the clocks are deleted as early as possible. During system exploration, a constraint on the active clocks is maintained and solved using techniques based on Difference Bound Matrices (DBM [7]). We show that the abstraction is finite state and is subject to model checking. Further, it weakly bi-simulates the concrete model and, therefore, we may perform sound and complete LTL-X (i.e. LTL without the next operator) model checking or refinement checking upon the abstraction. We enhance our home-grown PAT model checker [33] (available at http://pat.comp.nus.edu.sg) with the technique and show its usability via automated verification of benchmark systems. We compare PAT with UPPAAL to show that our technique offers complementary support for analysis of real-time systems.
Section Organization. The remainder of the paper is organized as follows. Section 2 presents the syntax and operational semantics of a subset of our modeling language. Section 3 presents the zone abstraction using dynamic clocks. Section 4 discusses the soundness of the abstraction and its implication on model checking. Section 5 discusses automation of the technique in the PAT model checker. Section 6 reviews related work and discusses future research directions.
2 Language Syntax and Operational Semantics
In this section, we introduce the compositional language to model real-time systems
and then define its operational semantics. Let Σ be the set of event names.
Definition 1 (LTS). A labeled transition system is a 3-tuple L = (S, init, →) where S is a set of system configurations, init : S is an initial system configuration and → : S × Σ × S is a labeled transition relation.
A run of an LTS is a finite or infinite sequence of alternating configurations/events, i.e. $\langle s_0, e_0, s_1, e_1, \cdots \rangle$ such that $s_0 = init$ and $s_i \overset{e_i}{\to} s_{i+1}$ for all $i$. An execution is a sequence of events $\langle e_0, e_1, \cdots \rangle$ such that there exists a run $\langle s_0, e_0, s_1, e_1, \cdots \rangle$. For simplicity, we write $c \overset{x}{\to}$ to mean that there exists $c'$ such that $c \overset{x}{\to} c'$.
2.1 Syntax
Definition 2 (Timed process). A timed process (hereafter process) is defined by the following grammar¹.
P = Stop | Skip – primitives
| e → P – event prefixing
| [b]P – state guard
| P | Q – general choice
| P ‖ Q – parallel composition
| P ; Q – sequential composition
| Wait [d ] – delay
| P timeout [d ] Q – timeout
| P interrupt [d ] Q – timed interrupt
| P deadline[d ] – deadline
| P =̂ Q – process definition
where P and Q range over processes, e ∈ Σ is an observable event, b is a Boolean
expression on global variables or process parameters and d is an integer constant.
Process Stop does nothing but idling. Process Skip terminates (possibly after some idling). Process e → P engages in event e first and then behaves as P. Notice that e may be an abstract event or a data operation, e.g. written in the form of e{x = 5; y = 3; } or an external C# program. The data operation may update data variables (and is assumed to be executed atomically). For simplicity, the resultant data valuation is written as e(V). A guarded process is written as [b]P. If b is true, then it behaves as P, else it idles until b becomes true. Process P | Q offers a choice between P and Q. Parallel composition of two processes is written as P ‖ Q, where P and Q may communicate via multi-party event synchronization or shared variables. Process P ; Q behaves as P until P terminates and then behaves as Q immediately.
A number of timed process constructs can be used to capture common real-time system behavior patterns. Without loss of generality, we assume d is an integer constant. Process Wait[d] idles for exactly d time units. In process P timeout[d] Q, the first observable event of P shall occur before d time units elapse (since the process starts). Otherwise, Q takes over control after exactly d time units elapse. Process P interrupt[d] Q behaves exactly as P (which may engage in multiple observable events) until d time units elapse, and then Q takes over control. Process P deadline[d] constrains P to terminate before d time units. We remark that additional process constructs (e.g. if-then-else, while, etc.) can be defined using the above. In this setting, clock variables are made implicit and hence they cannot be compared with each other directly, which potentially allows efficient clock manipulation and hence system verification.
Definition 3 (System model). A system model is a 3-tuple S = (Var , init ,P) where
Var is a set of global variables, init is the initial valuation of the variables and P is a
process.
¹ Hiding, external/internal choice, waituntil and more are skipped for simplicity. It should be clear that the discussion applies to those operators.
Example 1 (Fischer’s Algorithm). The following models Fischer’s mutual exclusion
algorithm.
var x = −1;
var ct = 0;
Proc(i) = [x = −1]Active(i)
Active(i) = (update.i{x = i} → Skip) deadline[δ];
            Wait [];
            if (x = i) {
                cs.i{ct = ct + 1} → exit.i{ct = ct − 1; x = −1} → Proc(i)
            } else {
                Proc(i)
            }
Protocol = Proc(0) ‖ Proc(1) ‖ Proc(2);
where δ and  are two integer constants with δ < ; x and ct are global variables. The
protocol is modeled as process Protocol , which is the parallel composition of three
processes. Each of the three processes attempts to enter the critical section when x is
-1, i.e. no other process is currently attempting. Once the process is active, it sets x to
its identity i within δ time units (captured by deadline[δ]). Then it idles for  time units
(captured by Wait []) and then checks whether x is still i . If so, it enters the critical
section and leaves later. Otherwise, it restarts from the beginning. 
2.2 Semantics
In order to define the operational semantics of a system model, we define the notion of a configuration to capture the global system state during system execution.
Definition 4 (System configuration). A system configuration is a pair c = (V, P) where V is a variable valuation function and P is a process.
A transition of the system is of the form $c \overset{x}{\to} c'$ where c and c′ are the system configurations before and after the transition respectively. We adopt the following naming convention for transition labels: t denotes a non-negative real number; τ denotes an invisible event;  is the event of process termination; e ∈ Σ ∪ {} is an observable event; x ∈ Σ ∪ {τ, }. For instance, $c \overset{t}{\to} c'$ denotes a transition of t time units elapsing. In the following, we present the firing rules which are associated with the timed process constructs, adopting the approach in [29].
\[
[de1]\;\; \frac{t \le d}{(V,\ Wait[d]) \overset{t}{\to} (V,\ Wait[d-t])}
\qquad
[de2]\;\; \frac{}{(V,\ Wait[0]) \overset{\tau}{\to} (V,\ Skip)}
\]
The above captures behaviors of process Wait [d ]. Rule de1 states that the process may
idle for any amount of time as long as it is less than or equal to d time units; Rule de2
states that the process terminates immediately after d becomes 0.
\[
[to1]\;\; \frac{(V,P) \overset{e}{\to} (V',P')}{(V,\ P\ \mathit{timeout}[d]\ Q) \overset{e}{\to} (V',P')}
\qquad
[to2]\;\; \frac{(V,P) \overset{\tau}{\to} (V',P')}{(V,\ P\ \mathit{timeout}[d]\ Q) \overset{\tau}{\to} (V',\ P'\ \mathit{timeout}[d]\ Q)}
\]
\[
[to3]\;\; \frac{(V,P) \overset{t}{\to} (V,P'),\; t \le d}{(V,\ P\ \mathit{timeout}[d]\ Q) \overset{t}{\to} (V,\ P'\ \mathit{timeout}[d-t]\ Q)}
\qquad
[to4]\;\; \frac{}{(V,\ P\ \mathit{timeout}[0]\ Q) \overset{\tau}{\to} (V,Q)}
\]
If an observable event e can be engaged by P, then P timeout[d] Q becomes P′ (rule to1). An invisible transition does not resolve the choice (rule to2). If P may idle for less than or equal to d time units, so may the composition (rule to3). When d becomes 0, Q takes over control by a silent transition (rule to4).
\[
[it1]\;\; \frac{(V,P) \overset{x}{\to} (V',P')}{(V,\ P\ \mathit{interrupt}[d]\ Q) \overset{x}{\to} (V',\ P'\ \mathit{interrupt}[d]\ Q)}
\qquad
[it2]\;\; \frac{(V,P) \overset{t}{\to} (V,P'),\; t \le d}{(V,\ P\ \mathit{interrupt}[d]\ Q) \overset{t}{\to} (V,\ P'\ \mathit{interrupt}[d-t]\ Q)}
\]
\[
[it3]\;\; \frac{}{(V,\ P\ \mathit{interrupt}[0]\ Q) \overset{\tau}{\to} (V',Q)}
\]
Rule it1 states that if P engages in event x, P interrupt[d] Q becomes P′ interrupt[d] Q. Rule it2 states that if P may idle for less than or equal to d time units, so may the composition. When d time units elapse, Q takes over by a τ-transition (rule it3).
\[
[dl1]\;\; \frac{(V,P) \overset{x}{\to} (V',P')}{(V,\ P\ \mathit{deadline}[d]) \overset{x}{\to} (V',\ P'\ \mathit{deadline}[d])}
\qquad
[dl2]\;\; \frac{(V,P) \overset{t}{\to} (V,P'),\; t \le d}{(V,\ P\ \mathit{deadline}[d]) \overset{t}{\to} (V,\ P'\ \mathit{deadline}[d-t])}
\]
Intuitively, P deadline[d ] behaves exactly as P except that it must terminate before
d time units. The rest of the rules are straightforward extensions of those introduced
in [29], which are presented in Appendix A.
Definition 5 (Concrete transition system). Let S = (Var, init, P) be a system model. The concrete transition system corresponding to S is an LTS LSc = (Cc, initc, →) where Cc is the set of reachable concrete system configurations, initc is the initial configuration (init, P) and → is the smallest transition relation closed under the firing rules.
3 Zone Abstraction
For the sake of model checking, we assume that all variables have finite domains and the process forbids unbounded non-tail recursion. Nonetheless, the number of concrete configurations (and hence the concrete transition system) is infinite because of the time transitions. In the following, we apply zone abstraction to build an abstract configuration system. Different from zone abstraction applied to Timed Automata [7,38], we dynamically create/delete a set of clocks to precisely encode the timing requirements. We show that the abstract transition system is finite state and subject to model checking.
3.1 Clock Activation and De-activation
A clock is a variable ranging from 0 to some bounded natural number. Given a configuration (V, P), a clock is necessary to measure time elapsing if, and only if, a timed process (e.g. Wait[d], P timeout[d] Q, P interrupt[d] Q, or P deadline[d]) has been enabled. If a timed process (say Wait[d]) is enabled, we associate a clock (say tm) with the process to record time elapsing (written as Wait[d]tm). The timing requirements can be captured using a constraint on the valuation of the clock. During system execution, multiple clocks may be used to capture quantitative timing constraints. A clock may become irrelevant as soon as the related process takes a transition. For instance, if P in P timeout[d]tm Q engages in an observable event, then the process transforms to P′ and clock tm becomes irrelevant. It is known that model checking of real-time systems is exponential in the number of clocks. Therefore, it is desirable to use clocks only when necessary and discharge them as early as possible.
Definition 6 (Abstract system configuration). An abstract system configuration is a
triple (V ,P ,D), where V is a variable valuation, P is a process and D is a zone.
A zone is the maximal set of clock valuations satisfying a set of primitive clock constraints. A primitive constraint on a clock is of the form tm ∼ d where tm is a timer, d is a constant and ∼ is ≥, =, or ≤. Because clocks are implicit, clock readings cannot be compared directly. A zone is not empty if, and only if, the constraint is not false.
Next, we show how to systematically activate and de-activate clocks using process Wait[d] and P timeout[d] Q as examples. Let t be a fresh clock. Given an abstract configuration, we define function A(P, t) to recursively determine whether a clock is necessary and associate the clock with the relevant process constructs. A clock is necessary if and only if one (or more) timed pattern has just been enabled. For instance,
\[
A(Wait[d]_{t'},\ t) = Wait[d]_{t'}
\qquad
A(Wait[d],\ t) = Wait[d]_{t}
\]
where Wait[d]t′ denotes that the timed pattern is associated with a clock t′, whereas Wait[d] denotes that it has not been associated with a clock. The intuition is that in the former case, A does nothing and t is not used (since it is not necessary to introduce another clock); in the latter case, A associates t with the timed pattern. The following shows how to apply A to process P timeout[d] Q.
\[
A(P\ \mathit{timeout}[d]_{t'}\ Q,\ t) = P\ \mathit{timeout}[d]_{t'}\ Q
\qquad
A(P\ \mathit{timeout}[d]\ Q,\ t) = A(P)\ \mathit{timeout}[d]_{t}\ A(Q)
\]
A(P | Q, t) = A(P, t) | A(Q, t)
A(P ‖ Q, t) = A(P, t) ‖ A(Q, t)
A(P ; Q, t) = A(P, t); Q
A(P, t) = A(Q, t) – if P =̂ Q
A(Wait[d], t) = A(Wait[d]t)
A(P timeout[d] Q, t) = A(P, t) timeout[d]t A(Q, t)
A(P interrupt[d] Q, t) = A(P, t) interrupt[d]t A(Q, t)
A(P deadline[d], t) = A(P, t) deadline[d]t
Fig. 1. Clock activation: A(P, t) is P except in the above cases
If a clock t′ has already been associated with P timeout[d] Q, then function A simply returns the abstract configuration. Otherwise, it is associated with t and further A is applied to the sub-processes P and Q recursively. The complete definition of function A is presented in Figure 1. In an abuse of notation, given an abstract configuration c = [V, P]D, we write A(c) to be [V, A(P)]D∧t=0 if t is used; otherwise A(c) is simply c.
A runtime clock may later be discarded when the time-related process has evolved such that the reading of the clock is no longer relevant. For instance, the clock associated with P timeout[d] Q can be discarded when P engages in an observable event. It should be clear that we can identify the set of active runtime clocks by a similar procedure. To minimize clocks, all inactive runtime clocks, and the associated timing constraints, shall be pruned from D. Notice that tG is never pruned. We assume a function D which performs clock de-activation in a sound and complete way.
3.2 Zone Abstraction
We define D↑ = {t + d | t ∈ D ∧ d ∈ R+}, i.e. the zone obtained by delaying an arbitrary amount of time. Notice that all clocks advance at the same pace. Next, we define function ι to compute the zone which can be reached by idling from a given abstract system configuration [38], presented in Figure 2. Given the current zone D, process P timeout[d]tm Q may keep idling as long as P may keep idling and the reading of clock tm is less than or equal to d (so that the timeout has not occurred). The rest are similarly defined.
In the following, we define the firing rules based on the abstract system configurations. The idea is to eliminate time transitions altogether and use the timing constraint to ensure that the time-related process constructs behave correctly. An abstract transition is of the form $(V,P,D) \overset{x}{\hookrightarrow} (V',P',D')$, where x ∈ Σ ∪ {, τ}.
\[
[ade]\;\; \frac{}{(V,\ Wait[d]_{tm},\ D) \overset{\tau}{\hookrightarrow} (V,\ Skip,\ D^{\uparrow} \wedge tm = d)}
\]
Process Wait[d] idles for exactly d time units and then engages in event τ and the process transforms to Skip. Intuitively, it should be clear that this is ‘equivalent’ to the concrete firing rules. We will define what equivalence means later in this section.
ι(V, Stop, D) = D↑
ι(V, Skip, D) = D↑
ι(V, e → P, D) = D↑
ι(V, [b]P, D) = D↑
ι(V, P | Q, D) = ι(V, P, D) ∧ ι(V, Q, D)
ι(V, P ‖ Q, D) = ι(V, P, D) ∧ ι(V, Q, D)
ι(V, P ; Q, D) = ι(V, P, D)
ι(V, Wait[d]tm, D) = D↑ ∧ tm ≤ d
ι(V, P timeout[d]tm Q, D) = ι(V, P, D) ∧ tm ≤ d
ι(V, P interrupt[d]tm Q, D) = ι(V, P, D) ∧ tm ≤ d
ι(V, P deadline[d]tm, D) = ι(V, P, D) ∧ tm ≤ d
ι(V, P, D) = ι(V, Q, D) – if P =̂ Q
Fig. 2. Idling calculation
\[
[ato1]\;\; \frac{(V,P,D) \overset{\tau}{\hookrightarrow} (V',P',D')}{(V,\ P\ \mathit{timeout}[d]_{tm}\ Q,\ D) \overset{\tau}{\hookrightarrow} (V',\ P'\ \mathit{timeout}[d]_{tm}\ Q,\ D' \wedge tm \le d)}
\]
\[
[ato2]\;\; \frac{(V,P,D) \overset{x}{\hookrightarrow} (V',P',D')}{(V,\ P\ \mathit{timeout}[d]_{tm}\ Q,\ D) \overset{x}{\hookrightarrow} (V',\ P',\ D' \wedge tm \le d)}
\qquad
[ato3]\;\; \frac{}{(V,\ P\ \mathit{timeout}[d]_{tm}\ Q,\ D) \overset{\tau}{\hookrightarrow} (V,\ Q,\ tm = d \wedge \iota(V,P,D))}
\]
Depending on when the first event of P takes place and whether it is observable, process P timeout[d] Q behaves differently in three ways. An observable transition of P must occur no later than d time units since the process is enabled (rules ato1 and ato2). If the first transition is observable, then the choice is resolved (rule ato2). If it is silent, then it transforms to P′ timeout[d] Q (rule ato1). If P may delay more than d time units (captured by the constraint ι(V, P, D)), then it times out after exactly d time units (rule ato3). The constraint tm = d ∧ ι(V, P, D) means that the delay is exactly d time units and P must be idling during the period.
\[
[ait1]\;\; \frac{(V,P,D) \overset{x}{\hookrightarrow} (V',P',D')}{(V,\ P\ \mathit{interrupt}[d]_{tm}\ Q,\ D) \overset{x}{\hookrightarrow} (V',\ P'\ \mathit{interrupt}[d]_{tm}\ Q,\ D' \wedge tm \le d)}
\qquad
[ait2]\;\; \frac{}{(V,\ P\ \mathit{interrupt}[d]_{tm}\ Q,\ D) \overset{\tau}{\hookrightarrow} (V,\ Q,\ tm = d \wedge \iota(V,P,D))}
\]
Process P interrupt [d ] Q behaves differently in two ways. Transitions of P must take
place no later than d time units since the process is enabled (rule ait1). If P may delay
more than d time units (captured by the constraint ι(V ,P ,D)), then it is interrupted
after exactly d time units (rule ait2).
Fig. 3. A simple example (figure not reproduced: the abstract transition system with states 1 to 4, whose observable transitions are labeled a and c)
\[
[adl]\;\; \frac{(V,P,D) \overset{x}{\hookrightarrow} (V',P',D'),\; x = }{(V,\ P\ \mathit{deadline}[d]_{tm},\ D) \overset{x}{\hookrightarrow} (V',\ P'\ \mathit{deadline}[d]_{tm},\ D' \wedge tm \le d)}
\]
Process P deadline[d] behaves exactly as P except that any transition must occur before d time units.
The rest of the firing rules are presented in Appendix B. A transition is valid if, and only if, it conforms to the firing rules and the resultant zone is not empty. Intuitively, this means that a transition must be allowed by the untimed system and at the same time satisfy the additional timing requirement.
Definition 7 (Abstract transition system). Let S = (Var, init, P) be a system model. The abstract transition system corresponding to S is an LTS LSa = (Ca, inita, ↪→) where Ca is the set of reachable valid abstract system configurations, inita is the initial configuration (init, P, true) and ↪→ is the smallest transition relation satisfying $\forall c, c' : C_a .\ c \overset{e}{\hookrightarrow} c' \Leftrightarrow A(c) \overset{e}{\hookrightarrow} D(c')$.
Example 2 (A simple example). Assume a model (∅, ∅,P) with no variable and P is
(a → Wait [5]; b → Stop) interrupt [3] c → Stop. The abstract transition system
is shown in Figure 3, where transition label τ is skipped for simplicity. Let 〈t1, t2〉 be
a sequence of clocks. The following illustrates how to construct the abstract transition
system. Let s0 be (∅,P , true).
– Step 1: apply A to s0 to get s1 = (∅, (a → Wait[5]; b → Stop) interrupt[3]t1 c → Stop, t1 = 0)
– Step 2: apply rule ait1 to s1 to get s2 = (∅, (Wait[5]; b → Stop) interrupt[3]t1 c → Stop, 0 ≤ t1 ≤ 3). Notice that (t1 = 0)↑ equals t1 ≥ 0.
– Step 3: apply D to s2. The result is exactly s2. We obtain the transition from state 1 to state 2.
– Step 4: apply rule ait2 to s1 to get s3 = (∅, (c → Stop), t1 ≥ 0 ∧ t1 = 3). Notice that ι(∅, a → Wait[5]; b → Stop, t1 = 0) is t1 ≥ 0.
– Step 5: apply D to s3 to get s4 = (∅, (c → Stop), true). We remark that because t1 becomes inactive, it is pruned from the constraint. This generates the transition from state 1 to state 3.
– Step 6: apply A to s2 to get s5 = (∅, (Wait[5]t2; b → Stop) interrupt[3]t1 c → Stop, 0 ≤ t1 ≤ 3 ∧ t2 = 0)
– Step 7: apply rule ait1 to s5 to get s6 = (∅, (Skip; b → Stop) interrupt[3]t1 c → Stop, 0 ≤ t1 ≤ 3 ∧ t2 = 5). Notice that the timing constraint is false given that all timers advance at the same pace. Refer to the next section on how this is discovered systematically.
– Step 8: apply rule ait2 to s5 to get s7 = (∅, c → Stop, t1 ≥ 0 ∧ t2 ≥ 0 ∧ t2 ≤ 5 ∧ t1 = 3)
– Step 9: apply D to s7 to get s4. Notice that both clocks are inactive and therefore pruned. This generates the transition from state 2 to state 3.
– Lastly, we generate the transition from state 3 to state 4. Notice that this transition involves no quantitative timing.
3.3 Zone Operations
In order to construct and verify the abstract transition system, we need efficient and
sound procedures to manipulate zones. For instance, we need to determine whether a
zone is empty or not. The procedure must be sound (so that a valid configuration is not
missed) and complete (so that invalid configurations are ruled out).
A zone D can be equivalently represented as a difference bound matrix (DBM). Let {t1, t2, ···, tn} be a set of n clocks. Let t0 be a dummy clock whose value is always 0. A DBM representing a constraint on the clocks contains n + 1 rows, each of which contains n + 1 elements. Let Dij represent entry (i, j) in the matrix. A DBM represents the constraint: ∀ i : 0..n. ∀ j : 0..n. ti − tj ≤ Dij. The most important property of DBM is that there is a relatively efficient procedure to compute a unique canonical form. Given a DBM in canonical form, checking whether the zone is empty or not is as easy as looking up an entry in the matrix. DBM has been well studied [7,2,3]. In the following, we briefly introduce the relevant DBM operations/properties. We skip the discussion on the rest of the zone operations (e.g. D↑, adding a constraint, etc.) as they resemble the discussion in [3].
Calculate canonical form. In theory, there are infinitely many different timing constraints which represent the same zone. For instance, 0 ≤ t1 ≤ 3 ∧ 0 ≤ t1 − t2 ≤ 3 is equivalent to 0 ≤ t1 ≤ 3 ∧ 0 ≤ t1 − t2 ≤ 3 ∧ t2 ≤ 1000. In order to systematically compare two zones, we compute their unique canonical forms. In other words, we compute the tightest bound on each clock difference. If the clocks are viewed as vertices in a weighted graph and the clock difference as the label on the edge connecting two clocks, the tightest clock difference is the shortest path between the respective vertices. The Floyd-Warshall algorithm [12] thus can be used to compute the canonical form. Given that this algorithm is cubic in the number of clocks, it is desirable to reduce the number of clocks. Besides, the algorithm should be invoked only when necessary and ideally (if possible) the result of performing an operation on a canonical DBM should be canonical.
Check satisfiability. In order to construct the abstract transition system, it is essential
to check whether a zone is empty. Given the DBM representing a zone, it is unsatisfiable
if, and only if, there is a clock which has a negative difference from itself, i.e. tk−tk < 0
for some k so that the constraint is false. If the DBM is in canonical form, then there
exists at least one D ii which is negative. Further, it can be shown that the DBM is false
if, and only if, D00 is negative. Therefore, we compute the canonical form whenever it
is necessary to check for satisfiability.
Add clocks. In our setting, clocks may be introduced during system exploration. We
remark that clocks are a constant set in Timed Automata. Assume the new clock is tk
and the given DBM is canonical. The following shows how the DBM is updated with
entries for tk . For all i , D ik = D i0 and Dki = D0i as the new clock always starts with
value 0. By a simple argument, it can be shown the resultant DBM is canonical.
        t0       t1    ···  ti    ···  t(k−1)    tk
t0      0        d01   ···  d0i   ···  d0(k−1)   0
t1      d10      *     ···  *     ···  *         d10
···     ···      ···   ···  ···   ···  ···       ···
ti      di0      *     ···  *     ···  *         di0
···     ···      ···   ···  ···   ···  ···       ···
t(k−1)  d(k−1)0  *     ···  *     ···  *         d(k−1)0
tk      0        d01   ···  d0i   ···  d0(k−1)   0
Prune clocks. Because entries in a canonical DBM represent the tightest bound on clock differences, pruning a clock is simply removing the relevant row and column in the table. It should be clear that the remaining DBM is canonical, i.e. the bounds cannot be tightened further with fewer constraints.
Notice that the number of reachable timing constraints in canonical form is finite as proved in [7]. As a result, the abstract system is finite state and therefore subject to model checking².
Example 3 (DBM manipulation example). The following illustrates how the DBM is transformed through system exploration in Example 2. Each matrix is labeled by the step of Example 2 that produces it; Step 4 starts from the DBM after Step 1, and Step 8 starts from the DBM after Step 6.

Initial:
      t0
  t0   0

Step 1 →
      t0  t1
  t0   0   0
  t1   0   0

Step 2 →
      t0  t1
  t0   0   0
  t1   3   0

Step 6 →
      t0  t1  t2
  t0   0   0   0
  t1   3   0   3
  t2   0   0   0

Step 7 →
      t0  t1  t2
  t0   0   0  -5
  t1   3   0   3
  t2   5   0   0
≡ (canonical form)
      t0  t1  t2
  t0  -2  -5  -7
  t1   1  -2  -4
  t2   1  -2  -4

Step 4 (from the DBM after Step 1) →
      t0  t1
  t0   0  -3
  t1   3   0

Step 5 →
      t0
  t0   0

Step 8 (from the DBM after Step 6) →
      t0  t1  t2
  t0   0  -3   0
  t1   3   0   3
  t2   ∞   0   0

Step 9 →
      t0
  t0   0

The DBM obtained after Step 7 is indeed false, i.e. after applying the Floyd-Warshall algorithm, D00 is −2.
² Assume that the variable domains are finite and the reachable process expressions are finite.
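The DBM operations of Section 3.3 and the transformations of Example 3, as an added Python example that is not code from the paper or from PAT: the class and its method names (up, le, ge, eq, add_clock, prune_clock, canonical, is_empty) are this example's own, and Step 8 is computed from the constraint stated for s7 in Example 2 (t2 ≤ 5), so its t2 upper bound is 5 rather than unbounded.

```python
"""DBM operations for the zone abstraction (added example, not the paper's code).

Implements canonical form via Floyd-Warshall, the emptiness check on D[0][0],
adding a fresh clock, pruning a clock, the delay operation D^ and the primitive
constraints tm <= d, tm >= d, tm = d, then replays the DBM steps of Example 3.
"""
INF = float("inf")  # no bound on a clock difference


class DBM:
    """Matrix m with m[i][j] bounding t_i - t_j; t_0 is the constant-zero clock."""

    def __init__(self, n_clocks: int = 0):
        # A fresh DBM constrains every clock to 0 (the zone t_i = 0 for all i).
        size = n_clocks + 1
        self.m = [[0] * size for _ in range(size)]

    @property
    def size(self) -> int:
        return len(self.m)

    def copy(self) -> "DBM":
        d = DBM()
        d.m = [row[:] for row in self.m]
        return d

    def up(self) -> "DBM":
        """D^: let arbitrary time elapse, i.e. drop every upper bound t_i <= c."""
        d = self.copy()
        for i in range(1, d.size):
            d.m[i][0] = INF
        return d

    def le(self, i: int, c: int) -> "DBM":
        """Conjoin t_i <= c, i.e. t_i - t_0 <= c."""
        d = self.copy()
        d.m[i][0] = min(d.m[i][0], c)
        return d

    def ge(self, i: int, c: int) -> "DBM":
        """Conjoin t_i >= c, i.e. t_0 - t_i <= -c."""
        d = self.copy()
        d.m[0][i] = min(d.m[0][i], -c)
        return d

    def eq(self, i: int, c: int) -> "DBM":
        """Conjoin t_i = c."""
        return self.le(i, c).ge(i, c)

    def add_clock(self) -> "DBM":
        """Add clock t_k starting at 0: D[i][k] = D[i][0] and D[k][i] = D[0][i]."""
        d = self.copy()
        k = d.size
        for i in range(k):
            d.m[i].append(d.m[i][0])
        d.m.append([d.m[0][i] for i in range(k)] + [0])
        return d

    def prune_clock(self, i: int) -> "DBM":
        """Discard an inactive clock by deleting its row and column."""
        d = self.copy()
        del d.m[i]
        for row in d.m:
            del row[i]
        return d

    def canonical(self) -> "DBM":
        """Tightest bounds: Floyd-Warshall shortest paths over clock differences."""
        d = self.copy()
        n = d.size
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    if d.m[i][k] + d.m[k][j] < d.m[i][j]:
                        d.m[i][j] = d.m[i][k] + d.m[k][j]
        return d

    def is_empty(self) -> bool:
        """A zone is empty iff D[0][0] is negative in canonical form."""
        return self.canonical().m[0][0] < 0


def example_3() -> dict:
    """Replay the DBM transformations of Example 3 (steps of Example 2)."""
    s = {}
    s[1] = DBM().add_clock()                  # A: activate t1 with t1 = 0
    s[2] = s[1].up().le(1, 3)                 # ait1: D^ and t1 <= 3
    s[4] = s[1].up().eq(1, 3)                 # ait2: iota(...) = D^, and t1 = 3
    s[5] = s[4].prune_clock(1)                # D: t1 inactive, pruned
    s[6] = s[2].add_clock()                   # A: activate t2 for Wait[5], t2 = 0
    s[7] = s[6].up().eq(2, 5).le(1, 3)        # ade inside ait1: t2 = 5 and t1 <= 3
    s[8] = s[6].up().le(2, 5).eq(1, 3)        # ait2: iota(Wait[5]_t2; ...), t1 = 3
    s[9] = s[8].prune_clock(2).prune_clock(1) # D: both clocks pruned
    return s
```

Calling example_3()[7].is_empty() reports the false zone of Step 7, and example_3()[7].canonical().m is the canonical matrix shown in Example 3 with D00 = −2.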
4 System Verification
In this section, we prove that our abstraction is sound and complete with respect to a
number of properties. The abstract transition system is shown to be equivalent to the
concrete transition system using a specialized bi-simulation relationship [21]. We then
show that two different system verification methods are sound.
In the concrete transition system, if a configuration (V ′,P ′) can be reached from
(V ,P) by idling only, we write (V ,P)  (V ′,P ′). By a simple argument, it can be
shown that if (V ,P)  (V ′,P ′), then V = V ′. We write (V ,P) x (V ′,P ′) if, and
only if, there exists (V ,P1), (V ′,P2) such that (V ,P)  (V ,P1) and (V ,P1) x→
(V ′,P2) and (V ′,P2)  (V ′,P ′).
Definition 8 (Time abstract bi-simulation). Let S = (Var , init ,P) be a model. Let
LSc = (Cc , initc ,→) and LSa = (Ca , inita , ↪→) be the concrete and abstract transition
systems. Lc and La are time abstract bi-similar (hereafter bi-similar) if, and only if,
there exists a binary relation R : Cc → Ca such that (initc , inita) ∈ R and ∀ x :
Σ ∪ {, τ}; c = (Vc ,Pc); a = (Va ,Pa ,Da) such that (c, a) ∈ R implies,
– Vc = Va ,
– if c x c′, then for some a′, a x↪→ a′ and (c′, a′) ∈ R.
– if a x↪→ a′, then for some c′, c x c′ and (c′, a′) ∈ R.
We say that c and a are bi-similar, written as c ∼ a, if, and only if, there exists R such
that the transition systems are bi-similar. Notice that Lc and La are bi-similar if, and
only if, initc ∼ inita .
Theorem 1. Let S = (Var, init, P) be a system model. LSc and LSa are time abstract bi-similar.
By definition, it suffices to construct a binary relation which satisfies the condition. We present the proof based on structural induction in Appendix C. Time abstract bi-simulation is strong enough to guarantee soundness on verification of a number of useful properties.
LTL-X Model Checking. In this setting, the properties are linear temporal logic formulae without the next operator (i.e. LTL-X), constituted by propositions on global variables. Notice that no clocks are allowed in the property. The philosophy is that a critical property may often be independent of the speed of the hardware on which the system is deployed, whereas the model of the implementation shall incorporate known hardware limitations.
Example 4. Given Example 1, the following are some critical properties.
$\Box(ct \le 1)$ – safety property
$\Box(x = i \Rightarrow \Diamond cs.i)$ – liveness property
where $\Box$ and $\Diamond$ read as ‘always’ and ‘eventually’. The first property states mutual
exclusion precisely, i.e. at all times there must not be 2 or more processes in the critical
section. The second states that if process $i$ is attempting to access the shared resource,
it must eventually do so.
In order to reflect model checking results on the abstract transition system back to the original
system, we need to establish that the abstract transition system is equivalent to the
concrete one with respect to LTL-X formulae. The idea is to show stutter equivalence
between traces of the abstract system and the concrete system. Given two traces $tr_1 =
\langle V_0, V_1, \cdots \rangle$ and $tr_2 = \langle V'_0, V'_1, \cdots \rangle$, $tr_1$ and $tr_2$ are stutter equivalent if, and only if,
$tr_1$ and $tr_2$ can be partitioned into blocks, so that the variable valuation in the $k$-th block
of $tr_1$ is the same as that in the $k$-th block of $tr_2$. Formally, $tr_1$ is stutter equivalent
to $tr_2$ if, and only if, there are two infinite sequences of integers $0 = i_0 < i_1 < \cdots$
and $0 = j_0 < j_1 < \cdots$ such that for every block $k \ge 0$,
$$V_{i_k} = V_{i_k+1} = \cdots = V_{i_{k+1}-1} = V'_{j_k} = V'_{j_k+1} = \cdots = V'_{j_{k+1}-1}.$$
It is known that $tr_1$ satisfies an LTL-X property if, and only if, $tr_2$ does.
Let $\phi$ be such a property. We write $L \models \phi$ to denote that the labeled transition system
$L$ satisfies $\phi$, i.e. every trace of $L$ satisfies $\phi$.
Lemma 1. Let $S = (Var, init, P)$ be a system model. For every trace of the concrete
transition system $L_c$, there is a stutter equivalent trace of the abstract transition system
$L_a$, and vice versa.
The above lemma can be proved by structural induction, or follows from Theorem 1.
Consequently, the following theorem can be proved straightforwardly.
Theorem 2. Let $S = (Var, init, P)$ be a system model. Let $\phi$ be an LTL-X formula
constituted by propositions on $Var$. $L^S_c \models \phi$ if, and only if, $L^S_a \models \phi$.
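The following Python is an added example (not from the paper): it partitions two hand-constructed finite traces of valuations into blocks as in the definition of stutter equivalence, checks that the abstract trace is stutter equivalent to the concrete one, and evaluates $\Box$, $\Diamond$ and the excluded next operator on both, showing that only the next operator tells them apart. The valuations, traces and predicate names are constructed; the finite traces stand in for prefixes of the infinite traces used in the definition.

```python
# Added example, not code from the paper. Traces are lists of valuations
# (plain dicts); both traces below are constructed by hand.

def block_starts(trace):
    """Indices i_0 = 0 < i_1 < ... at which a new block begins, a block being a
    maximal run of identical valuations."""
    return [k for k, v in enumerate(trace) if k == 0 or v != trace[k - 1]]

def blocks(trace):
    """One representative valuation per block, in order."""
    return [trace[i] for i in block_starts(trace)]

def stutter_equivalent(tr1, tr2):
    """Two finite traces are stutter equivalent iff their block sequences agree."""
    return blocks(tr1) == blocks(tr2)

# Operators on a finite trace prefix: always and eventually belong to LTL-X,
# next does not.
def always(p, trace):
    return all(p(v) for v in trace)

def eventually(p, trace):
    return any(p(v) for v in trace)

def next_(p, trace):
    return len(trace) > 1 and p(trace[1])

def mutex(v):
    return v["ct"] <= 1

def in_cs(v):
    return v["ct"] == 1

def attempting(v):
    return v["x"] == 0

# Constructed concrete run of one Fischer process that idles (repeating its
# valuation) before acting, and its abstract counterpart without idling.
CONCRETE = [
    {"x": -1, "ct": 0}, {"x": -1, "ct": 0}, {"x": -1, "ct": 0},  # idling at init
    {"x": 0, "ct": 0}, {"x": 0, "ct": 0},                        # after update.0, delaying
    {"x": 0, "ct": 1},                                           # in the critical section
    {"x": -1, "ct": 0},                                          # after exit.0
]
ABSTRACT = [{"x": -1, "ct": 0}, {"x": 0, "ct": 0}, {"x": 0, "ct": 1}, {"x": -1, "ct": 0}]

def both(op, p):
    """Evaluate an operator on the concrete and on the abstract trace."""
    return op(p, CONCRETE), op(p, ABSTRACT)

def demo():
    return {
        "stutter_equivalent": stutter_equivalent(CONCRETE, ABSTRACT),
        "always_mutex": both(always, mutex),          # agrees: LTL-X
        "eventually_in_cs": both(eventually, in_cs),  # agrees: LTL-X
        "next_attempting": both(next_, attempting),   # differs: needs next
    }

if __name__ == "__main__":
    print(demo())
```

The concrete trace spends two extra steps idling at the initial valuation, so "in the next state $x = 0$" is false for it and true for the abstract trace; every property that only constrains the order of valuation blocks, which is what LTL-X can express, evaluates identically on both.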
Refinement Checking. In this setting, we investigate an alternative verification scheme
for finite system executions: verify that the system satisfies the property
by showing a refinement relationship between the system and a model of the
property. A variety of refinement relationships have been studied, e.g. trace refinement,
stable failures refinement and failures/divergence refinement [16]. In order to check
refinement between two (timed) models, time abstraction must be applied to both models.
Example 5. Given the model presented in Example 1, a natural question is whether $\epsilon$
and $\delta$ are necessary, or whether their values make a difference. Equivalently, the former
asks whether $(init, uProtocol)$, where $init = \{x \mapsto -1, ct \mapsto 0\}$ and $uProtocol$ is
defined as follows, trace-refines the original $(init, Protocol)$.
uProc(i) = [x = −1] uActive(i)
uActive(i) = update.i{x = i} →
  if (x = i) {
    cs.i{ct = ct + 1} →
    exit.i{ct = ct − 1; x = −1} → uProc(i)
  } else {
    uProc(i)
  }
uProtocol = uProc(0) ‖ uProc(1) ‖ uProc(2);
By showing trace refinement in both directions, we may establish trace equivalence. Alternatively,
users may change the values of $\epsilon$ and $\delta$ and check for equivalence.
Let $L$ be an LTS. A finite sequence of observable events, e.g. $\langle x_0, x_1, \cdots, x_m \rangle$, is a trace
of $L$ if, and only if, there exists a finite execution $\langle c_0, e_0, c_1, e_1, \cdots, e_n, c_{n+1} \rangle$ such that
$\langle e_0, e_1, \cdots, e_n \rangle \setminus \{\tau\} = \langle x_0, x_1, \cdots, x_m \rangle$, where $tr \setminus X$ removes the events in $X$ from
the sequence $tr$. The set of all traces of $L$ is written as $traces(L)$.
Given a finite trace $tr$ and a configuration $c$ in $L$, we write $c/tr$ to denote the set
of system configurations that can be reached from $c$ via trace $tr$ or idling. Because of
nondeterminism, multiple configurations can be reached via the same trace. The refusals
of a configuration $c$ are the sets of observable events which $c$ may refuse:
$$refusals(c) = \{X : \mathbb{P}\Sigma \mid \forall e : X \cdot \neg\exists c' \cdot c \xrightarrow{e} c'\}$$
where $\mathbb{P}\Sigma$ is the power set of $\Sigma$. The failures of $L$ are defined as follows.
$$failures(L) = \{(tr, X) \mid tr \in traces(L) \wedge X \in refusals(init/tr)\}$$
If $(tr, X)$ is a failure of the model, this means that the model can engage in the sequence
of events recorded by $tr$ and then refuse to perform any event in $X$.
Definition 9. Let $S_i = (Var_i, init_i, P_i)$, where $i \in \{1, 2\}$, be two system models.
$S_1$ trace-refines $S_2$ if, and only if, $traces(L^{S_1}_c) \subseteq traces(L^{S_2}_c)$. $S_1$ refines $S_2$ in the
failures semantics if, and only if, $traces(L^{S_1}_c) \subseteq traces(L^{S_2}_c)$ and $failures(L^{S_1}_c) \subseteq
failures(L^{S_2}_c)$.
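The following Python is an added example (not code from the paper or from PAT): it computes $c/tr$, bounded traces and stable failures of small hand-built LTSs and decides the two refinements of Definition 9 in the order used there ($S_1$ refines $S_2$). Refusals are taken at stable configurations only (no $\tau$ enabled), which is the stable failures convention the surrounding text relies on when it assumes divergence-freedom. The two models, the alphabet and the length bound are constructed for the example: `DET` offers $b$ or $c$ after $a$, while `NONDET` picks one of them with an internal $\tau$; the two are trace equivalent but not failures equivalent, which is precisely what the refusals record.

```python
# Added example, not code from the paper or from PAT. An LTS is a dict mapping a
# configuration to a set of (event, successor) pairs; TAU is the internal event.
TAU = "tau"

def tau_closure(lts, states):
    """Configurations reachable from `states` by τ-steps only."""
    seen, stack = set(states), list(states)
    while stack:
        s = stack.pop()
        for lbl, t in lts.get(s, ()):
            if lbl == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def after(lts, init, trace):
    """init/tr: configurations reachable from init via the observable trace tr,
    with τ-steps allowed before, between and after the observable events."""
    current = tau_closure(lts, {init})
    for e in trace:
        current = tau_closure(lts, {t for s in current
                                    for lbl, t in lts.get(s, ()) if lbl == e})
    return current

def traces(lts, init, alphabet, max_len):
    """Observable traces of length at most max_len (the bound keeps the
    enumeration finite for cyclic systems)."""
    found, frontier = {()}, [()]
    while frontier:
        tr = frontier.pop()
        if len(tr) == max_len:
            continue
        for e in sorted(alphabet):
            ext = tr + (e,)
            if ext not in found and after(lts, init, ext):
                found.add(ext)
                frontier.append(ext)
    return found

def is_stable(lts, s):
    return all(lbl != TAU for lbl, _ in lts.get(s, ()))

def max_refusal(lts, s, alphabet):
    """Largest set refused at a stable configuration. Refusals are closed under
    subsets, so the maximal set is enough to decide membership of any X."""
    return frozenset(alphabet - {lbl for lbl, _ in lts.get(s, ())})

def failures(lts, init, alphabet, max_len):
    """Stable failures (tr, X): X is the maximal refusal of some stable
    configuration in init/tr (unstable ones, with a τ enabled, are skipped)."""
    return {(tr, max_refusal(lts, s, alphabet))
            for tr in traces(lts, init, alphabet, max_len)
            for s in after(lts, init, tr) if is_stable(lts, s)}

def trace_refines(s1, s2, alphabet, max_len=4):
    """S1 trace-refines S2: traces(S1) ⊆ traces(S2). Each Si is (lts, init)."""
    return traces(*s1, alphabet, max_len) <= traces(*s2, alphabet, max_len)

def failures_refines(s1, s2, alphabet, max_len=4):
    """S1 refines S2 in the stable failures semantics: trace refinement, and
    every failure (tr, X) of S1 is covered by a failure (tr, R) of S2, X ⊆ R."""
    if not trace_refines(s1, s2, alphabet, max_len):
        return False
    spec = failures(*s2, alphabet, max_len)
    return all(any(t == tr and X <= R for t, R in spec)
               for tr, X in failures(*s1, alphabet, max_len))

# Constructed models. DET offers b or c after a (external choice); NONDET picks
# one of them internally with a τ after a. Both have the same traces.
DET = {"t0": {("a", "t1")}, "t1": {("b", "t2"), ("c", "t3")},
       "t2": set(), "t3": set()}
NONDET = {"s0": {("a", "s1")}, "s1": {(TAU, "s2"), (TAU, "s3")},
          "s2": {("b", "s4")}, "s3": {("c", "s5")}, "s4": set(), "s5": set()}
SIGMA = {"a", "b", "c"}

def demo():
    det, nondet = (DET, "t0"), (NONDET, "s0")
    return {
        "trace_equivalent": trace_refines(det, nondet, SIGMA)
                            and trace_refines(nondet, det, SIGMA),
        "det_refines_nondet": failures_refines(det, nondet, SIGMA),
        "nondet_refines_det": failures_refines(nondet, det, SIGMA),
    }

if __name__ == "__main__":
    print(demo())
```

After the trace $\langle a \rangle$, `NONDET` may sit in a stable configuration that refuses $\{b\}$, a failure `DET` does not have, so `NONDET` does not refine `DET` in the failures semantics even though their trace sets coincide; the opposite refinement holds. Taking refusals only at stable configurations matters: the unstable configuration reached right after $a$ in `NONDET` has no visible event enabled and would otherwise wrongly appear to refuse everything.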
In the following, we argue that it is sound and complete to show stable failures refinement
(i.e. assuming both models are divergence-free) between the abstract transition
systems in order to show failures refinement between the concrete models.
Theorem 3. Let $S_i$, where $i \in \{1, 2\}$, be two models. $S_1$ refines $S_2$ in the stable failures
semantics iff $traces(L^{S_1}_a) \subseteq traces(L^{S_2}_a)$ and $failures(L^{S_1}_a) \subseteq failures(L^{S_2}_a)$.
By Theorem 1, it should be clear that our abstraction preserves failures. Intuitively,
this is because not only observable transitions but also $\tau$-transitions are preserved by
the abstraction. The theorem can then be proved straightforwardly. We remark that
failures refinement clearly subsumes trace refinement and, therefore, trace refinement too can be
established by checking only the abstract transition systems.
5 Implementation and Evaluation
PAT is a self-contained environment for system specification, simulation and verification.
It supports multiple modeling languages targeting concurrent/distributed systems. The
techniques presented in this paper have been implemented in PAT. PAT verifies LTL
properties using an on-the-fly automata-based approach [35] and refinement
relationships using an on-the-fly simulation checking approach [32]. In the following, we
present the experimental results on two benchmark models. The models and PAT are available
at http://pat.comp.nus.edu.sg.
Table 1 shows the experimental results on Fischer's mutual exclusion algorithm
and a railway control system [38]. The data was obtained on an Intel Core 2 Quad 9550
CPU at 2.83GHz with 2GB memory. In both examples, PAT performs reasonably well.
Table 1. Experiment results

Model            Size  Property                                     States/Transitions  PAT (s)
Fischer          4     $\Box(ct \le 1)$                             3452/8305           0.22
Fischer          5     $\Box(ct \le 1)$                             26496/73628         2.49
Fischer          6     $\Box(ct \le 1)$                             207856/654776       27.7
Fischer          7     $\Box(ct \le 1)$                             1620194/5725100     303
Fischer          4     $\Box(x = i \Rightarrow \Diamond cs.i)$      5835/16776          0.53
Fischer          5     $\Box(x = i \Rightarrow \Diamond cs.i)$      49907/169081        5.83
Fischer          6     $\Box(x = i \Rightarrow \Diamond cs.i)$      384763/1502480      70.5
Fischer          4     Protocol refines uProtocol                   7741/18616          5.22
Fischer          5     Protocol refines uProtocol                   72140/201292        126.3
Fischer          6     Protocol refines uProtocol                   705171/2237880      3146
Railway Control  4     deadlock-free                                853/1132            0.11
Railway Control  5     deadlock-free                                4551/6115           0.42
Railway Control  6     deadlock-free                                27787/37482         3.07
Railway Control  7     deadlock-free                                195259/263641       24.2
Railway Control  8     deadlock-free                                1563177/2111032     223.1
Railway Control  4     $\Box(appr.1 \rightarrow \Diamond leave.1)$  1504/1985           0.16
Railway Control  5     $\Box(appr.1 \rightarrow \Diamond leave.1)$  8137/10862          0.95
Railway Control  6     $\Box(appr.1 \rightarrow \Diamond leave.1)$  50458/67639         6.58
Railway Control  7     $\Box(appr.1 \rightarrow \Diamond leave.1)$  359335/482498       58.63
It handles $10^7$ states/transitions in a few hours, which is comparable to existing model
checkers [17,28]. Further, a simple experiment shows that the computational overhead
of calculating clocks/DBMs is around one third of the overall time.
Data on UPPAAL [20] or RED [36] verifying the same models has been omitted
from the table. Because UPPAAL and PAT are based on different modeling languages,
the results must be taken with a grain of salt. The state graph generated from a PAT
model may contain unnecessary $\tau$-transitions introduced by the compositional process
constructs, e.g. the $\tau$ in rule ato3. In hand-crafted UPPAAL models, however, the $\tau$-transitions
may be removed by carefully manipulating the clock guards and grouping
clock guards and events on the same transition. In such a setting, verification of the
UPPAAL model is faster (by a factor related to the number of such $\tau$-transitions). However,
our experiments show that if we manually construct a PAT model and a UPPAAL model
with the same state graph, then PAT and UPPAAL have similar performance.
6 Conclusion
This work is related to the specification and verification of real-time systems. Compositional
specification based on process algebras for real-time systems has been studied
extensively, e.g. the algebra of timed processes ATP [31,24], CCS + real time [37]
and Timed CSP [26,30]. Verification support has been developed for these specification
languages. For instance, a preliminary PVS encoding of Timed CSP was presented
in [5], which relies heavily on user interaction for the formal proof of real-time systems.
In [38], a constraint solving method was proposed to verify CCS + real time. Verification
support for ATP is reported in [25,6]. The modeling language
Timed Automata [1] gathered more attention later on, especially in terms of mechanical
verification. Several model checkers have been developed with Timed Automata (or
a simplified version named timed safety automata [15]) as the core of their input
languages [20,4,34]. The zone abstraction is closely related to the work presented in [38],
where a similar compositional abstraction method is discussed for CCS + real time.
The difference is that we use implicit clocks and make the specification fully compositional.
The soundness discussion of our abstraction is inspired by [21]. A remotely
related modeling language is statecharts [13] with clocks, which is also compositional.
This work follows the approach of Timed CSP and significantly extends the notation to
cover a wide range of application domains. We developed a self-contained toolkit, PAT,
to verify our models. To the best of our knowledge, there is little verification support
for Timed CSP, e.g. the theorem proving approach documented in [5], the translation
to UPPAAL models [8,9] and the approach based on constraint solving [10]. The PAT
model checker is the first dedicated verification tool for Timed CSP models
adopting advanced verification techniques for real-time systems. In addition, PAT
complements UPPAAL with the ability to check full LTL-X properties and refinement
relationships. PAT is remotely related to the Spin model checker (on automata-based LTL
model checking) [17] and the FDR refinement checker (on refinement checking) [28].
We remark that verification of CSP-based models has traditionally been based on
refinement checking [27], e.g. using the FDR checker [28]. One research direction we
are currently investigating is checking timed refinement relationships between two timed
models. The main challenge is that abstraction must be applied separately to the two timed
models and yet preserve timed trace/failures equivalence.
References
1. Alur, R., Dill, D.L.: A Theory of Timed Automata. Theoretical Computer Science 126, 183–
235 (1994)
2. Behrmann, G., Larsen, K.G., Pearson, J., Weise, C., Yi, W.: Efficient Timed Reachability
Analysis Using Clock Difference Diagrams. In: Halbwachs, N., Peled, D.A. (eds.) CAV
1999. LNCS, vol. 1633, pp. 341–353. Springer, Heidelberg (1999)
3. Bengtsson, J., Yi, W.: Timed Automata: Semantics, Algorithms and Tools. In: Desel, J.,
Reisig, W., Rozenberg, G. (eds.) Lectures on Concurrency and Petri Nets. LNCS, vol. 3098,
pp. 87–124. Springer, Heidelberg (2004)
4. Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S., Yovine, S.: Kronos: A Model-
Checking Tool for Real-Time Systems. In: Vardi, M.Y. (ed.) CAV 1998. LNCS, vol. 1427,
pp. 546–550. Springer, Heidelberg (1998)
5. Brooke, P.: A Timed Semantics for a Hierarchical Design Notation. PhD thesis, University
of York (1999)
6. Closse, E., Poize, M., Pulou, J., Sifakis, J., Venter, P., Weil, D., Yovine, S.: TAXYS: A
Tool for the Development and Verification of Real-Time Embedded Systems. In: Berry, G.,
Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 391–395. Springer, Heidel-
berg (2001)
7. Dill, D.L.: Timing Assumptions and Verification of Finite-State Concurrent Systems. In:
Sifakis, J. (ed.) CAV 1989. LNCS, vol. 407, pp. 197–212. Springer, Heidelberg (1990)
8. Dong, J.S., Hao, P., Qin, S.C., Sun, J., Yi, W.: Timed Patterns: TCOZ to Timed Automata.
In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 483–498.
Springer, Heidelberg (2004)
9. Dong, J.S., Hao, P., Qin, S.C., Sun, J., Yi, W.: Timed Automata Patterns. IEEE Trans. Soft-
ware Eng. 34(6), 844–859 (2008)
10. Dong, J.S., Hao, P., Sun, J., Zhang, X.: A Reasoning Method for Timed CSP Based on
Constraint Solving. In: Liu, Z., He, J. (eds.) ICFEM 2006. LNCS, vol. 4260, pp. 342–359.
Springer, Heidelberg (2006)
11. Dong, J.S., Mahony, B.P., Fulton, N.: Modeling Aircraft Mission Computer Task Rates.
In: Woodcock, J.C.P., Davies, J., Wing, J.M. (eds.) FM 1999. LNCS, vol. 1709, p. 1855.
Springer, Heidelberg (1999)
12. Floyd, R.W.: Algorithm 97: Shortest Path. Commun. ACM 5(6), 345 (1962)
13. Harel, D.: Some Thoughts on Statecharts, 13 Years Later. In: Grumberg, O. (ed.) CAV 1997.
LNCS, vol. 1254, pp. 226–231. Springer, Heidelberg (1997)
14. Havelund, K., Skou, A., Larsen, K.G., Lund, K.: Formal Modeling and Analysis of an Au-
dio/video Protocol: an Industrial Case Study using UPPAAL. In: RTSS 1997, pp. 2–13 (1997)
15. Henzinger, T.A., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic Model Checking for Real-
Time Systems. Information and Computation 111(2), 193–244 (1994)
16. Hoare, C.A.R.: Communicating Sequential Processes. International Series in Computer Sci-
ence. Prentice-Hall, Englewood Cliffs (1985)
17. Holzmann, G.J.: The SPIN Model Checker: Primer and Reference Manual. Addison Wesley,
Reading (2003)
18. Lai, L.M., Watson, P.: A Case Study in Timed CSP: The Railroad Crossing Problem. In:
Maler, O. (ed.) HART 1997. LNCS, vol. 1201, pp. 69–74. Springer, Heidelberg (1997)
19. Larsen, K.G., Mikucionis, M., Nielsen, B., Skou, A.: Testing Real-time Embedded Software
using UPPAAL-TRON: an Industrial Case Study. In: EMSOFT 2005, pp. 299–306 (2005)
20. Larsen, K.G., Pettersson, P., Wang, Y.: Uppaal in a Nutshell. International Journal on Soft-
ware Tools for Technology Transfer 1(1-2), 134–152 (1997)
21. Larsen, K.G., Yi, W.: Time-abstracted Bisimulation: Implicit Specifications and Decidability.
Information and Computation 134(2), 75–101 (1997)
22. Lindahl, M., Pettersson, P., Wang, Y.: Formal Design and Analysis of a Gearbox Controller.
STTT 2001 3(3), 353–368 (2001)
23. Lynch, N.A., Vaandrager, F.W.: Action Transducers and Timed Automata. Formal Aspects
of Computing 8(5), 499–538 (1996)
24. Nicollin, X., Sifakis, J.: The Algebra of Timed Processes, ATP: Theory and Application.
Information and Computation 114(1), 131–178 (1994)
25. Nicollin, X., Sifakis, J., Yovine, S.: Compiling Real-Time Specifications into Extended Au-
tomata. IEEE Trans. Software Eng. 18(9), 794–804 (1992)
26. Reed, G.M., Roscoe, A.W.: A Timed Model for Communicating Sequential Processes. In:
Kott, L. (ed.) ICALP 1986. LNCS, vol. 226, pp. 314–323. Springer, Heidelberg (1986)
27. Roscoe, A.W.: On the Expressive Power of CSP Refinement. Formal Asp. Comput. 17(2), 93–
112 (2005)
28. Roscoe, A.W., Gardiner, P.H.B., Goldsmith, M., Hulance, J.R., Jackson, D.M., Scattergood,
J.B.: Hierarchical Compression for Model-Checking CSP or How to Check $10^{20}$ Dining Philoso-
phers for Deadlock. In: TACAS 1995. LNCS, vol. 1019, pp. 133–152. Springer, Heidelberg
(1995)
29. Schneider, S.: An Operational Semantics for Timed CSP. Information and Computa-
tion 116(2), 193–213 (1995)
30. Schneider, S.: Concurrent and Real-time Systems. John Wiley and Sons, Chichester (2000)
31. Sifakis, J.: The Compositional Specification of Timed Systems - A Tutorial. In: Halbwachs,
N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 487–490. Springer, Heidelberg (1999)
32. Sun, J., Liu, Y., Dong, J.S.: Model Checking CSP Revisited: Introducing a Process Anal-
ysis Toolkit. In: Margaria, T., Steffen, B. (eds.) ISOLA 2008. CCIS, vol. 17, pp. 307–322.
Springer, Heidelberg (2008)
33. Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: Towards Flexible Verification under Fairness. In:
CAV 2009. LNCS, vol. 5643, Springer, Heidelberg (2009)
34. Tasiran, S., Alur, R., Kurshan, R.P., Brayton, R.K.: Verifying Abstractions of Timed Sys-
tems. In: Sassone, V., Montanari, U. (eds.) CONCUR 1996. LNCS, vol. 1119, pp. 546–562.
Springer, Heidelberg (1996)
35. Vardi, M.Y., Wolper, P.: An Automata-Theoretic Approach to Automatic Program Verifica-
tion (Preliminary Report). In: Proc. of the Symposium on Logic in Computer Science (LICS
1986), pp. 332–344. IEEE Computer Society, Los Alamitos (1986)
36. Wang, F., Wu, R., Huang, G.: Verifying Timed and Linear Hybrid Rule-Systems with RED.
In: SEKE 2005, pp. 448–454 (2005)
37. Yi, W.: CCS + Time = An Interleaving Model for Real Time Systems. In: Leach Albert,
J., Monien, B., Rodríguez-Artalejo, M. (eds.) ICALP 1991. LNCS, vol. 510, pp. 217–228.
Springer, Heidelberg (1991)
38. Yi, W., Pettersson, P., Daniels, M.: Automatic Verification of Real-time Communicating Sys-
tems by Constraint-Solving. In: FORTE 1994, pp. 243–258. Chapman & Hall, Boca Raton
(1994)
Appendix A: Concrete Operational Semantics
The following are the firing rules associated with process constructs other than those
discussed in Section 2. They extend those presented previously by Schneider
in [29]. $\alpha P \subseteq \Sigma \cup \{\checkmark\}$ is the alphabet of process $P$; $init(V,P)$ is the set of enabled
events, as defined in [29]. In an abuse of notation, we use $x$ to denote any event in
$\Sigma \cup \{\tau, \checkmark\}$ or a real number, and $t$ to denote a real number.
[st]  $(V, Stop) \xrightarrow{t} (V, Stop)$
[sk1]  $(V, Skip) \xrightarrow{\checkmark} (V, Stop)$
[sk2]  $(V, Skip) \xrightarrow{t} (V, Skip)$
[as1]  $(V, e \rightarrow P) \xrightarrow{t} (V, e \rightarrow P)$
[as2]  $(V, e \rightarrow P) \xrightarrow{e} (e(V), P)$
[gu1]  $(V, [b]P) \xrightarrow{t} (V, [b]P)$
[gu2]  $\dfrac{V \models b}{(V, [b]P) \xrightarrow{\tau} (V, P)}$
[ex1]  $\dfrac{(V,P) \xrightarrow{x} (V',P')}{(V, P \mid Q) \xrightarrow{x} (V', P')}$
[ex2]  $\dfrac{(V,Q) \xrightarrow{x} (V',Q')}{(V, P \mid Q) \xrightarrow{x} (V', Q')}$
[ex3]  $\dfrac{(V,P) \xrightarrow{t} (V,P'),\ (V,Q) \xrightarrow{t} (V,Q')}{(V, P \mid Q) \xrightarrow{t} (V, P' \mid Q')}$
[pa1]  $\dfrac{(V,P) \xrightarrow{x} (V',P'),\ x \notin \alpha Q}{(V, P \parallel Q) \xrightarrow{x} (V', P' \parallel Q)}$
[pa2]  $\dfrac{(V,Q) \xrightarrow{x} (V',Q'),\ x \notin \alpha P}{(V, P \parallel Q) \xrightarrow{x} (V', P \parallel Q')}$
[pa3]  $\dfrac{(V,P) \xrightarrow{x} (V,P'),\ (V,Q) \xrightarrow{x} (V,Q'),\ x \in (\alpha P \cap \alpha Q) \cup \mathbb{R}^+}{(V, P \parallel Q) \xrightarrow{x} (V, P' \parallel Q')}$
[pa4]  $\dfrac{(V,P) \xrightarrow{\checkmark} (V,P')}{(V, P;Q) \xrightarrow{\tau} (V, Q)}$
[se1]  $\dfrac{(V,P) \xrightarrow{t} (V',P'),\ \checkmark \notin init(V,P)}{(V, P;Q) \xrightarrow{t} (V', P';Q)}$
[se2]  $\dfrac{(V,P) \xrightarrow{x} (V',P'),\ \checkmark \notin init(V,P)}{(V, P;Q) \xrightarrow{x} (V', P';Q)}$
[def]  $\dfrac{(V,Q) \xrightarrow{x} (V',Q'),\ P \mathrel{\hat{=}} Q}{(V, P) \xrightarrow{x} (V', Q')}$
Appendix B: Abstract Operational Semantics
The following are the abstract firing rules associated with process constructs other than
those discussed in Section 2.
[aki]  $(V, Skip, D) \stackrel{\checkmark}{\hookrightarrow} (V, Stop, D^{\uparrow})$
[agu]  $\dfrac{V \models b}{(V, [b]P, D) \stackrel{\tau}{\hookrightarrow} (V, P, D^{\uparrow})}$
[aev]  $(V, e\{prg\} \rightarrow P, D) \stackrel{e}{\hookrightarrow} (prg(V), P, D^{\uparrow})$
[aex1]  $\dfrac{(V,P,D) \stackrel{x}{\hookrightarrow} (V',P',D')}{(V, P \mid Q, D) \stackrel{x}{\hookrightarrow} (V', P', D' \wedge \iota(V,Q,D))}$
[aex2]  $\dfrac{(V,Q,D) \stackrel{x}{\hookrightarrow} (V',Q',D')}{(V, P \mid Q, D) \stackrel{x}{\hookrightarrow} (V', Q', D' \wedge \iota(V,P,D))}$
[apa1]  $\dfrac{(V,P,D) \stackrel{e}{\hookrightarrow} (V',P',D'),\ e \notin \alpha Q}{(V, P \parallel Q, D) \stackrel{e}{\hookrightarrow} (V', P' \parallel Q, D' \wedge \iota(V,Q,D))}$
[apa2]  $\dfrac{(V,Q,D) \stackrel{e}{\hookrightarrow} (V',Q',D'),\ e \notin \alpha P}{(V, P \parallel Q, D) \stackrel{e}{\hookrightarrow} (V', P \parallel Q', D' \wedge \iota(V,P,D))}$
[apa3]  $\dfrac{(V,P,D) \stackrel{e}{\hookrightarrow} (V,P',D'),\ (V,Q,D) \stackrel{e}{\hookrightarrow} (V,Q',D''),\ e \in \alpha P \cap \alpha Q}{(V, P \parallel Q, D) \stackrel{e}{\hookrightarrow} (V, P' \parallel Q', D' \wedge D'')}$
[ase1]  $\dfrac{(V,P,D) \stackrel{x}{\hookrightarrow} (V',P',D'),\ x \neq \checkmark}{(V, P;Q, D) \stackrel{x}{\hookrightarrow} (V', P';Q, D' \wedge (\checkmark \in init(V,P) \vee D))}$
$\dfrac{(V,P,D) \stackrel{\checkmark}{\hookrightarrow} (V',P',D')}{(V, P;Q, D) \stackrel{\tau}{\hookrightarrow} (V, Q, D \wedge D')}$
$\dfrac{(V,P,D) \stackrel{x}{\hookrightarrow} (V',P',D'),\ Q \mathrel{\hat{=}} P}{(V, Q, D) \stackrel{x}{\hookrightarrow} (V', P', D')}$
Appendix C: Proof of Theorem 1
Let $S = (Var, i, P)$ be the model; $L_c$ and $L_a$ be the concrete and abstract transition
systems respectively. By definition, it suffices to construct a binary relation which
satisfies the condition. The theorem is proved by structural induction on all types of
process expressions. The following are the base cases.
– $Stop$: $R = \{(i, Stop) \mapsto (i, Stop, true)\}$. Trivially true.
– $Skip$: $R = \{(i, Skip) \mapsto (i, Skip, true),\ (i, Stop) \mapsto (i, Stop, true)\}$. Trivially
true.
– $Wait[d]$: $R = \{(i, Wait[d]) \mapsto (i, Wait[d], true),\ (i, Skip) \mapsto (i, Skip, true),\
(i, Stop) \mapsto (i, Stop, true)\}$. The transition $(i, Wait[d]) \stackrel{\tau}{\leadsto} (i, Skip)$ of $L_c$ corresponds
to the transition $(i, Wait[d], true) \stackrel{\tau}{\hookrightarrow} (i, Skip, true)$. Notice that the clock
introduced by function $\mathcal{A}$ would be pruned by $D$. The rest is trivial.
Next, we prove the induction step.
– $e \rightarrow P$: $(i, e \rightarrow P)$ and $(i, e \rightarrow P, true)$ are bi-similar since $(i, e \rightarrow P) \stackrel{e}{\leadsto}
(e(i), P)$ (by rules as1 and as2) and $(i, e \rightarrow P, true) \stackrel{e}{\hookrightarrow} (e(i), P, true)$ (by
rule aev), and $(e(i), P) \sim (e(i), P, true)$ (by hypothesis).
– $[b]P$: if $i \models b$, then $[b]P$ behaves exactly as $P$ (rule gu2 and rule agu), hence by
hypothesis, $(i, [b]P) \sim (i, [b]P, true)$. If $i \not\models b$, then $[b]P$ behaves exactly as $Stop$
(rule gu1 and no abstract firing rule), hence $(i, [b]P) \sim (i, [b]P, true)$.
– $P \mid Q$: $P \mid Q$ behaves either as $P$ or as $Q$; in both cases, by hypothesis $(i, P \mid Q) \sim
(i, P \mid Q, true)$.
– $P \parallel Q$: there is a one-to-one correspondence between the concrete firing rules (rules pa1,
pa2 and pa3) and the abstract firing rules (rules apa1, apa2 and apa3). It is clear
that by hypothesis $(i, P \parallel Q) \sim (i, P \parallel Q, true)$.
– $P ; Q$: similarly to the above.
– $P\ timeout[d]\ Q$: let the associated clock be $tm$. We show that each abstract transition
is possible if, and only if, there is a corresponding concrete transition $(i, P) \leadsto
(i', P')$. Rule ato1 is applicable if, and only if, $tm \le d$ and $(i, P, D)$ may perform
a $\tau$-transition. By hypothesis, $(i, P, D)$ may perform a $\tau$-transition if, and only if,
$(i, P)$ does. By rules to2, to3 and to4, a $\tau$ of $P$ may happen if, and only if, $tm \le d$.
Therefore, we conclude that rule ato1 is applicable if, and only if, there is a corresponding
concrete transition. Similarly, we argue that rules ato2 and ato3 are applicable
if, and only if, there is a corresponding concrete transition. This concludes that
$(i, P\ timeout[d]\ Q) \sim (i, P\ timeout[d]\ Q, true)$.
– $P\ interrupt[d]\ Q$: similarly to the above.
– $P\ deadline[d]$: similarly to the above.
– $P \mathrel{\hat{=}} Q$: by induction.