A Time Action Lock is a state of a Real-time system at which neither time can progress nor an action can occur. Time Action Locks are often seen as signs of errors in the model or inconsistencies in the specification. As a result, finding and resolving Time Action Locks is a major task for the designers of Real-time systems. Verification is one of the methods of discovering deadlocks. However, due to state explosion, the verification of deadlock freeness is computationally expensive. The aim of this paper is to present a computationally cheap testing method for Timed Automata models that points out any source of possible Time Action Locks to the designer. We have implemented the approach presented in the paper, which is based on the geometry of Timed Automata, via a Testing Tool called TALC (Time Action Lock Checker). TALC, which is used in conjunction with the model checker UPPAAL, tests the UPPAAL model and provides feedback to the designer. We illustrate our method by applying TALC to a model of a simple communication protocol.
Introduction
In general terms, a deadlock is a state at which a system is unable to progress any further. Various types of deadlock in Real-time systems are studied in the literature [16, 8, 7, 27, 28]. In particular, a Time Lock [27] is a state at which time is prevented from passing beyond a certain point, and a Time Action Lock [8] is a Time Lock state at which no action can occur. As a result, a Time Action Lock is a state at which neither time can progress nor an action can occur.
In this paper, we shall deal with Real-time systems that are modelled via Timed Automata [1]. Such systems can be verified with the help of model checkers such as UPPAAL [2, 6], which uses a variant of the Timed Automata model of [1]. UPPAAL has been successfully applied to the verification of Real-time systems [5, 15, 20, 9, 2].
The process of verification of a property ¤ starts by creating a UPPAAL Timed Automata model of the Real-time system. Before conducting the verification of the property ¤, we often check the model for the existence of deadlocks. This is to ensure the integrity of the design, as the existence of a deadlock is often interpreted as either an error in the model or a sign of inconsistencies in the specification. As a result, when a model checker informs us of the existence of a deadlock, we scrutinise the model to discover the cause of the deadlock. However, due to state explosion, the verification of deadlock freeness is computationally expensive. The aim of this paper is to present a method of testing Timed Automata models that points out any source of possible Time Action Locks to the designer. This helps to avoid verifying the model for deadlock-freeness, which is computationally expensive. Our approach can be implemented via a Testing Tool, which works in parallel with a model checker as depicted in Fig. 1. The designer creates a model of the system in the Model Checker. The Testing Tool checks the model for Time Action Locks and provides feedback to the designer. The feedback provided to the designer is either "the system is deadlock free" or "there is a possibility of deadlocks." In the case that the system is declared deadlock free by the Testing Tool, there is no need to use the Model Checker to ensure the system is deadlock free, and the designer can focus on the verification of ¤. If the Testing Tool declares that there is a possibility of deadlocks, the sources of the deadlock are pointed out, which can help the designer in scrutinising the model to find any possible flaw in the model or inconsistencies in the specification. The approach presented in this paper is based on the geometry of Timed Automata.
In a Timed Automaton, the progress of time is subject to a set of constraints, which form convex regions [27] in the
The paper is organised as follows. We shall start with a brief introduction to Timed Automata. Section 3 follows with a brief review of the background material on Presburger Arithmetic. Section 4 reviews definitions of various types of Time Lock. Section 5 sketches our geometric approach for detecting Time Action Locks. Results related to the implementation via Rational Presburger Sentences are discussed in Section 6. Section 7 explains the Testing Tool TALC and applies the method to the testing of a simple communication protocol for the existence of a Time Action Lock. The paper finishes with a conclusion section.
In the current version of UPPAAL, must be an integer. A set of reset statements is called a reset-set or reset if each variable is assigned at most once. 
denotes the set of all resets.
A Timed Automaton e is a 6-tuple
is a finite set of locations and gi 7 f is a designated location called the initial location. Assume that
assigns to the initial location an initial region. -and are finite sets of clock variables and actions, respectively. -
is the set of transition relation. 
is a function that assigns to each location an invariant. Intuitively, a Timed Automaton can stay in a location while its invariants are satisfied. The default invariant for a location is true (
D f
To model concurrency and synchronisation between Timed Automata, CCS [22] style parallel composition operators are introduced, which synchronise over half actions. We refer the interested reader to [2]
is the initial state and
where is the set of actions. For further information on networks of Timed Automata and UPPAAL see [6, 21].
Rational Presburger Sentences
Assume that ¦ denotes the set of all linear inequalities on integer variables and integer constants. A Presburger Sentence is a closed first-order logical statement on
¦ ©
The term closed means that there is no free variable in a Presburger Sentence. For example,
is a Presburger Sentence. Satisfiability of Presburger Sentences is decidable [19].
A Rational Presburger Sentence (RPS) is similar to the conventional Presburger Sentences, except that constants are rational numbers and variables range over rational (or real) numbers. As a result, the syntax of RPS is as follows:
, where is a rational-valued variable and
. Also
, respectively. The decision problem for RPS is decidable [13, 24]. Moreover, the computational time for deciding the satisfiability of RPS is less than that for Presburger Sentences. RPS and the original Presburger Sentences have been successfully applied to the verification of logical designs and network design protocols [10, 14, 3, 25, 4]. Tools [23, 24] are available for the verification of RPS and Presburger Sentences.
Deadlock in Timed Automata
Deadlocks, which have often been seen as error situations in concurrent and distributed systems, are classically interpreted as states at which the system will never be able to perform an action. In a Timed Automaton, a deadlock can also be created by preventing the passing of time beyond a certain point, i.e. the elapse of time causes a violation of at least one of the constraints of the system. This situation, which is referred to as a Timelock, is often created as a result of a fault in the specification of guards or invariants in the model. Finding and resolving Timelocks is a major problem for the analysis and design of time critical systems.
Various interpretations of deadlock are extensively studied in the literature [8, 7, 27, 16, 28]. There are two different forms of Timelock [8], Zeno Timelock and Time Action Lock. Zeno Timelock is the case in which an infinite number of actions are performed in a finite period of time. This paper is about Time Action Lock, which is defined as follows in [8].
Time-Action-Lock: A Time-Action-Lock (TAL) is a state at which time can only progress for a finite amount ¿ F F Â of time but no action can occur.
A special case of the above definition is the situation in which there is a reachable state at which neither time can progress nor an action can occur [8]. As a result, we can identify a valuation
where for each
there is a subset of 
is the least upper bound of # "
. Each nonempty bounded subset of has a supremum and the supremum of a nonempty unbounded subset of is 8 
"
The supremum of the empty set is defined as
denotes the corresponding region. Assume that`denotes the Topological Closure of` [11]. The reader who is not familiar with the notion of Topological Closure can use the following instead of the definition of the Topological Closure.
, where
is the area of . We shall prove that the above assumption results in a contradiction. Without any loss of generality, we can assume that 7
C
. This is because, there is a reachable state 
is a run of e starting at an initial state and ending in 'g l 6 )
. Suppose that there exists an action transition in the set , simply let . So let us assume that s 7
.f By the definition of Time-Action-Lock at the state 'g { 6 )
time can elapse only B F T Â units and no action can occur. As a result
. By equation (1) . This is a contradiction with
is a Time-Action-Lock as at state 'g l $ )
, time can pass r units to the new state 'g l ¾ r x u Û ) and then occurs. As a result, in both cases, assuming that e has a TAL, results in a contradiction.
§ ¥
Notice that the condition presented in the lemma is a necessary condition. In other words, if Equation (1) is satisfied, the Timed Automaton has no Time-Action-Lock. We argue that violation of Equation (1), which may result in a Time-Action-Lock, is a sign of bad design. Based on this idea, we have developed a tool that carries out a static analysis of the Timed Automata and points out to the designer any potential Time-Action-Lock. We shall explain our approach with the help of an example.
gets violated, nor an action can occur, since no guard of an outgoing transition is satisfied. We can argue that the case presented in the above example is a clear case of wrong specification. In other words, there is a clear inconsistency in the specification that must be corrected. The contrary position, as explained in [8], is that such "error situations in behavioural techniques should have a behavioural/operational intuition that is justifiable in term of real world behaviour." This paper does not address the above hotly debated views. Our aim is to present a computationally cheap method of discovering such situations and pointing them out to the designer.
Remark: The method presented in this paper deals only with a single Timed Automaton. As Bowman [8] points out, a Time Action Lock can also be created from unsuitable parallel composition. We are currently working on extending our method to cover networks of Timed Automata, i.e. parallel composition of Timed Automata. The current implementation of TALC checks a network of Timed Automata only by studying each individual Timed Automaton component.
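The kind of per-location check described above, as an added illustration that is not TALC's code and does not reproduce Equation (1): it lists representative valuations at which time cannot progress (a clock sits on its invariant bound) and no outgoing guard holds. The invariant form x_i <= upper[i], closed rectangular guards and all function names are assumptions; reachability is ignored, so every hit is only a potential Time-Action-Lock.

```python
from fractions import Fraction
from itertools import product

def samples(points):
    """Breakpoints plus midpoints between neighbours: one point per grid cell."""
    pts = sorted(set(points))
    mids = [(a + b) / 2 for a, b in zip(pts, pts[1:])]
    return sorted(pts + mids)

def in_box(v, box):
    """True if valuation v satisfies the closed rectangular guard `box`."""
    return all(lo <= x <= hi for x, (lo, hi) in zip(v, box))

def stuck_points(upper, guards):
    """Boundary valuations of one location where no outgoing guard is enabled.

    upper  : invariant x_i <= upper[i] over clocks x_i >= 0 (assumed form)
    guards : one closed box [(lo_i, hi_i), ...] per outgoing transition;
             use float("inf") for a missing upper bound
    Guard membership is constant on each grid cell cut out by the bounds,
    so testing one sample per cell covers every valuation exactly.
    """
    n = len(upper)
    axes = []
    for i in range(n):
        cuts = [Fraction(0), Fraction(upper[i])]
        for g in guards:
            cuts += [Fraction(c) for c in g[i] if 0 <= c <= upper[i]]
        axes.append(samples(cuts))
    found = []
    for v in product(*axes):
        # Time cannot elapse once any clock has reached its invariant bound.
        time_blocked = any(v[i] == upper[i] for i in range(n))
        if time_blocked and not any(in_box(v, g) for g in guards):
            found.append(v)
    return found

if __name__ == "__main__":
    inf = float("inf")
    # Constructed location: invariant x <= 5, single edge guarded by x >= 6.
    print(stuck_points([5], [[(6, inf)]]))           # x = 5 is reported
    # Same location with the guard corrected to 3 <= x <= 5.
    print(stuck_points([5], [[(3, 5)]]))             # nothing reported
    # Two clocks, invariant x <= 4 and y <= 4, guard 2 <= x <= 4.
    print(stuck_points([4, 4], [[(2, 4), (0, 4)]]))  # y = 4 with x < 2
```

An empty result means every boundary valuation of the location enables at least one outgoing transition, so the location cannot be the source of this kind of lock.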
Applying Rational Presburger Sentences to Detect TAL
In this section, we shall present a method of detecting potential Time-Action-Lock (TAL) using Theorem 1. Considering equation 1 of Theorem 1, the aim is to present a technique to verify statements of the form Fringe Proof. The convexity of the region is proved in [27] . The second part is by induction on the number of atomic formulas in`. 
Notation 2 Assume that`is a rectangular region of the form
It might seem that the above lemma, which provides an elegant way of computing the Fringe, is only applicable to rectangular regions. However, the following lemma shows that to calculate the Fringe, we only need to discard conditions of the form 1 U X 2 4
and focus on the rectangular regions. 
Lemma 3. If`is a non-empty region created from a constraint in`7
The following result, which is also depicted in Fig. 6, explains that to calculate the Fringe, we can use the AntiFringe.
Proof. The proof is straightforward and omitted.
The following lemma is the equivalent of Lemma 4 for AntiFringe. 
. Using a similar discussion to Lemma 2, we can prove that AntiFringe
. There are four types of atomic formulae in ') . Proof. Direct result of applying Lemma 2, 3, 4 and Lemma 6.
Equation (3) above is an RPS.
'` )
, '¡ ) l )
and`x
