Scaling BDD-based timed verification with simulation reduction by NGUYEN, Truong Khanh et al.
Singapore Management University, Institutional Knowledge: Research Collection School of Information Systems
11-2016 
Scaling BDD-based timed verification with simulation reduction 
Truong Khanh NGUYEN 
Tian Huat TAN 
Jun SUN 
Singapore Management University, junsun@smu.edu.sg 
Jiaying LI 
Yang LIU 
See next page for additional authors 
Citation 
NGUYEN, Truong Khanh; TAN, Tian Huat; SUN, Jun; LI, Jiaying; LIU, Yang; CHEN, Manman; and DONG, Jin 
Song. Scaling BDD-based timed verification with simulation reduction. (2016). Proceedings of the 2015 
International Symposium on Software Testing and Analysis, Baltimore, USA, July 13-17. 10009, 363-382. 
Research Collection School Of Information Systems. 
Available at: https://ink.library.smu.edu.sg/sis_research/4944 
Scaling BDD-based Timed Verification
with Simulation Reduction
Truong Khanh Nguyen1, Tian Huat Tan2, Jun Sun2, Jiaying Li2(B),
Yang Liu3, Manman Chen2, and Jin Song Dong4
1 Autodesk, San Rafael, USA
truong.khanh.nguyen@autodesk.com
2 Singapore University of Technology and Design, Singapore, Singapore
{tianhuat_tan,sunjun,manman_chen}@sutd.edu.sg,
jiaying_li@mymail.sutd.edu.sg
3 Nanyang Technological University, Singapore, Singapore
yangliu@ntu.edu.sg
4 National University of Singapore, Singapore, Singapore
dongjs@comp.nus.edu.sg
Abstract. Digitization is a technique that has been widely used in real-time model checking. With the assumption of digital clocks, symbolic model checking techniques (like those based on BDDs) can be applied to real-time systems. The problem with model checking real-time systems based on digitization is that the number of tick transitions increases rapidly with the increment of clock upper bounds. In this paper, we propose to improve BDD-based verification for real-time systems using simulation reduction. We show that simulation reduction allows us to verify timed automata with large clock upper bounds and to converge faster to the fixpoint. The presented approach is applied to reachability and LTL verification for real-time systems. Finally, we compare our approach with existing tools such as Rabbit, Uppaal, and CTAV and show that our approach outperforms them and achieves a significant speedup.
1 Introduction
Timed automata are an extension of finite automata with clock variables which represent timing constraints [3]. Interesting model checking problems of timed automata, like the verification of reachability and LTL properties, are shown to be decidable through the construction of region graphs [3]. However, since the size of region graphs grows exponentially with the number of clocks and the maximal clock constants, verification based on region graphs is impractical.
There are two lines of work that have been proposed to address this problem. The first line of work is based on Difference Bound Matrices (DBMs). DBMs were proposed to represent a set of clock valuations satisfying a set of convex
This work is supported by research project T2MOE1303.
© Springer International Publishing AG 2016
K. Ogata et al. (Eds.): ICFEM 2016, LNCS 10009, pp. 363–382, 2016.
DOI: 10.1007/978-3-319-47846-3_23
364 T.K. Nguyen et al.
clock constraints [20] with a zone graph. The resulting zone graph is often much smaller than the region graph, which often results in efficient verification of timed automata models [15]. There are several problems with DBMs. First, it is difficult to verify LTL properties under the non-Zeno assumption. A run is called Zeno if infinitely many actions happen in finite time. Zeno runs are unrealistic and therefore should be excluded during system verification. However, this process has been shown to be fairly non-trivial [44]. Second, DBMs cannot represent non-convex zones. Some verification/reduction techniques for timed automata may result in non-convex zones, and novel techniques need to be invented for handling such cases. For instance, with a particular abstraction technique called LU abstraction [7], the resulting zone can be non-convex. In such a case, a convex subset of LU abstraction, called Extra+LU extrapolation [7], needs to be used. Third, since locations and clock valuations are stored separately in zone graphs, state space explosion is often encountered with models having many processes.
The other line of work is based on digitization [30]. It replaces the continuous passage of time with a passage in discrete steps. The advantage of this approach is that it transforms the problem into model checking a discrete system, so that techniques such as BDD-based symbolic model checking [16] can be leveraged. There are several advantages of BDD-based verification compared to DBM-based verification. First, checking non-Zenoness with digitization and BDDs is almost trivial. Furthermore, it has been shown to outperform the zone-based approach in many existing works (e.g., [5,9,12,15,46]). Second, we can store both locations and clock valuations together symbolically, and BDDs are not limited to convex sets. However, the problem with digitization and the BDD-based approach is that it does not scale for large clock constants. Large clock constants significantly increase the number of tick transitions, which denote the passage of one time unit. As a result, a large number of iterations are often necessary to completely explore the state space.
In this work, we propose the use of LU simulation to address the aforementioned problem. In particular, we propose two algorithms, based on LU simulation, for model checking reachability and LTL properties respectively. A desirable property of LU simulation is that it can be obtained for free in timed automata. Our algorithms depend on two clock bounds: the maximal lower bound and the maximal upper bound (LU bounds) [7]. By leveraging these clock bounds, we can explore the set of all states reachable from the initial states in fewer iterations. Intuitively, this is achieved in two ways. First, during the verification, given a set of reachable states S encoded as a BDD, we actively enlarge it by adding states which can be simulated by those in S. Thus, we have more states and it is possible to find all the reachable states with fewer iterations. Second, according to the LU simulation relation, a state with clock value greater than the maximal lower bound simulates all states with larger clock values. Therefore, our method can perform well even if the maximal upper bound is very large.
In short, we make the following technical contributions in this work:
1. We have applied simulation reduction in a BDD-efficient way for both reachability and LTL properties. To the best of the authors' knowledge, we are the first to apply the LU simulation relation in BDD-based model checking of timed automata.
2. We have shown the soundness and completeness of our proposed algorithms. In addition, we further prove that for the algorithm verifying reachability properties, our approach always requires the same or fewer iterations than classic approaches.
3. We have compared our approaches for verifying reachability and LTL properties with state-of-the-art DBM-based and BDD-based model checkers, e.g., Uppaal [31] and Rabbit [10], on benchmark systems. The results show that our approach achieves a significant speedup and outperforms other tools.
Related Work. On the effort of improving reachability analysis of timed automata, this work is related to studies on abstraction techniques [7,13,27,35] to reduce the number of states in zone graphs. The idea is to enlarge a DBM without violating correctness. This work continues the research on using BDDs and BDD-like data structures to improve the verification of real-time systems [5,8,9,12,15,40,46,47].
This work is related to the research on simulation reduction (e.g., [21,22]) as well as research on the emptiness checking of Timed Büchi Automata (TBA). Note that LTL verification on timed automata can be converted to the emptiness checking of TBA. In [44], Tripakis discovered that it is non-trivial to check whether a run in a zone graph can induce a non-Zeno run in the original TBA. In [45], Tripakis questioned whether coarser extrapolation techniques, specifically inclusion abstraction [19] and LU extrapolation [7], can also be used to check TBA emptiness. In [29], Laarman et al. showed that inclusion abstraction only preserves the emptiness of TBA in one direction. In [32], Li showed that LU extrapolation indeed preserves the emptiness of TBA. One result of this work is an improved algorithm to solve the non-emptiness problem based on BDDs.
This work is closely related to [7,32] and to work on using the downward closure [22] based on the LU simulation relation as an abstraction. While [7,32] both apply the LU simulation relation to DBMs (Extra+LU extrapolation) for reachability analysis and emptiness checking respectively, we apply the LU simulation relation to BDDs for both reachability and emptiness. There are two advantages of our approach. First, given a convex set of clock valuations, Extra+LU is a subset of LU abstraction. Our approach based on LU abstraction can be more efficient than Extra+LU [22,27], because a BDD can represent a non-convex set of clock valuations. Second, to handle the non-Zeno condition, [32] relies on the strongly non-Zeno transformation, which requires an additional clock and may result in a zone graph with exponentially more states [25,26]. This work is orthogonal to our previous works on verification [17,43] and synthesis [33] of time requirements for service composition, and can be used to complement them.
Organization. The rest of the paper is organized as follows. Section 2 introduces timed automata and the LU simulation relation in timed automata. Section 3 presents our work on the reachability analysis. Then, Sect. 4 presents our work on the LTL verification. Next, Sect. 5 shows the experimental results. Section 6 discusses our work. Finally, Sect. 7 concludes our paper.
2 Preliminaries
2.1 Timed Automata
In this section we introduce timed automata, arguably one of the most popular modeling languages for real-time systems. We denote the finite alphabet by Σ. Let R≥0 be the set of non-negative real numbers. Let X be the set of non-negative real variables called clocks. The set Φ(X) contains all clock constraints δ defined inductively by the grammar δ := x ∼ c | x − y ∼ c | δ ∧ δ, where x, y ∈ X, ∼ ∈ {<, ≤, =, ≥, >}, and c ∈ N. Given a set of clocks X, a clock valuation v : X → R≥0 is a function which assigns a non-negative real value to each clock in X. We denote by R≥0^|X| the set of clock valuations over X. We write v |= δ if and only if δ evaluates to true under the clock valuation v. We denote by 0 the valuation that assigns each clock the value 0. Given a clock valuation v and d ∈ R≥0, the clock valuation v′ = v + d is defined as v′(x) = v(x) + d for all clocks x in X. For R ⊆ X, let [R ↦ 0]v denote the clock valuation v′ such that v′(x) = v(x) for all x ∈ X \ R and v′(x) = 0 for all x ∈ R.
Definition 1. A timed automaton is a tuple A = (Σ, X, L, l0, T, I) where
– Σ is the finite alphabet, X is the set of clock variables.
– L is the set of locations, l0 ∈ L is the initial location.
– T ⊆ L × Φ(X) × Σ × 2^X × L is the set of transitions (l, g, e, R, l′) where l and l′ are the source and destination locations of this transition respectively, g ∈ Φ(X) is a guard, e ∈ Σ is an event name, and R ⊆ X is a set of resetting clocks.
– I : L → Φ(X) assigns invariants to locations.
The (continuous) semantics of a timed automaton A = (Σ, X, L, l0, T, I) is a transition system CS(A) = (S, s0, →) where S = L × R≥0^|X| is the set of states, s0 = (l0, 0) is the initial state, and → is the smallest labeled transition relation satisfying the following:
– Delay transition: (l, v) −d→ (l, v + d) if ∀ 0 ≤ d′ ≤ d, v + d′ |= I(l)
– Action transition: (l, v) −t→ (l′, v′) with t = (g, e, R) if there exists (l, g, e, R, l′) ∈ T such that v |= g, v′ = [R ↦ 0]v, and v′ |= I(l′)
We write (l, v) −d→ −t→ (l′, v′) if there exists (l1, v1) such that (l, v) −d→ (l1, v1) and (l1, v1) −t→ (l′, v′). A run of A is a sequence (l0, v0) −d0→ −t0→ (l1, v1) −d1→ −t1→ · · · . A state (ln, vn) is reachable from (l0, v0) if there is a run starting from (l0, v0)
and ending at (ln, vn). The duration of the run is defined as the total delay over this run, Σ_{i≥0} d_i. A run is called Zeno if infinitely many actions happen in finite time. Given a timed automaton A = (Σ, X, L, l0, T, I) and a location l ∈ L, reachability analysis is to decide whether a given state (l, v) is reachable from the initial state (l0, 0). Next, we define the emptiness checking problem for timed automata. Let Acc ⊆ L be the set of accepting locations. An accepting run of A is a run which visits a state in Acc infinitely often. The language of A over Acc, L(A), is defined as the set of accepting non-Zeno runs. The emptiness problem is to determine whether L(A) is empty, i.e., whether there exists an infinite run which is non-Zeno and accepting. We remark that reachability analysis is often used to verify safety properties, whereas algorithms for the emptiness checking problem can often be extended to verify liveness properties like LTL formulae.
In the above semantics, clock values are continuous and events are observed at real time points. Thus, the number of states is infinite and BDDs cannot be applied to verify timed automata under this semantics. In the following, we introduce discrete semantics, which are based on the assumption that events are observed at integer time points only.
2.2 Discrete Semantics
In discrete semantics, we assume that clock constraints are always closed, i.e., defined by δc := x ∼c c | x − y ∼c c | δc ∧ δc where x, y ∈ X, ∼c ∈ {≤, =, ≥}, and c ∈ N. Timed automata with closed constraints are called closed timed automata [5,24].
Given any clock x ∈ X, we write M(x) to denote the maximal constant to which x is compared in any clock constraint of A. Given a clock valuation v, v ⊕ d denotes the clock valuation where (v ⊕ d)(x) = min(v(x) + d, M(x) + 1). Intuitively, for each clock x, once the clock value is greater than its maximal constant M(x), its exact value is no longer important; only the fact that v(x) > M(x) matters.
The discrete semantics of a closed timed automaton A = (Σ, X, L, l0, T, I) is a transition system DS(A) = (S, s0, →) where S = L × N^|X| is the set of states, s0 = (l0, 0) is the initial state, and → is the smallest labeled transition relation satisfying the following conditions:
– Tick transition: (l, v) −tick→ (l, v ⊕ 1) if v |= I(l) and v ⊕ 1 |= I(l)
– Action transition: (l, v) −t→ (l′, v′) with t = (g, e, R) if there exists (l, g, e, R, l′) ∈ T such that v |= g, v′ = [R ↦ 0]v, and v′ |= I(l′)
It was shown that the discrete semantics preserves untimed properties of closed timed automata [5,24]. Thus, DS(A) can be used in place of CS(A) in the verification of untimed properties like untimed reachability analysis and untimed LTL verification. It follows that BDDs can be used to encode and verify closed timed automata based on the discrete semantics. In this work, we adopt the approach presented in [9,37] to encode DS(A) in BDDs. Given a timed automaton A = (Σ, X, L, l0, T, I), we denote by Init, Tick, and Trans the BDD
encodings of the initial states, tick transitions, and action transitions of DS(A), respectively. Note that the encoding of the transition relation of DS(A) is the disjunction of Tick and Trans. The tick transitions and action transitions are encoded separately for efficiency. The details are discussed in Sect. 3.
2.3 Simulation Relation
Since our model checking algorithms use the simulation relation, we introduce
the simulation relation over timed automata in the following.
Definition 2. Given a timed automaton A, a (location-based) simulation relation over states of CS(A) is a binary relation R ⊆ S × S such that for all ((l1, v1), (l2, v2)) ∈ R,
– l1 = l2.
– if (l1, v1) −d→ (l1, v1 + d) then there exists d′ such that (l2, v2) −d′→ (l2, v2 + d′) and ((l1, v1 + d), (l2, v2 + d′)) ∈ R.
– if (l1, v1)








hold. A state (l1, v1) is simulated by a state (l2, v2), denoted as (l1, v1) ⊑ (l2, v2), if there exists a simulation relation R such that ((l1, v1), (l2, v2)) ∈ R. By definition, any state simulates itself. Given a set of states Q ⊆ S, we define the downward closure [22] as Down(Q) = {s1 ∈ S | ∃ s2 ∈ Q. s1 ⊑ s2}. Intuitively, the downward closure of Q is the set of states which can be simulated by some state in Q. Since the simulation relation is reflexive, it follows that Q ⊆ Down(Q).
For timed automata, there exists a simulation relation called the LU simulation relation [7]. Given a clock x, the maximal lower bound L(x) (respectively maximal upper bound U(x)) is the maximal constant k such that there exists a constraint x > k or x ≥ k (respectively x < k or x ≤ k) in the timed automaton. If no such constant k exists, we set L(x) to −∞. Then, given two clock valuations v and v′, we denote v ⊑ v′ if for all clocks x ∈ X, either v′(x) = v(x) or L(x) < v′(x) < v(x) or U(x) < v(x) < v′(x). It is shown in [7] that the relation R_CS = {((l, v), (l, v′)) | v ⊑ v′} is a simulation relation on CS(A). The following proposition shows that it is also a simulation relation on DS(A).
Proposition 1. The relation R = {((l, v), (l, v′)) | v, v′ ∈ N^|X| ∧ v ⊑ v′} is a simulation relation of DS(A).
The proof is the same as Lemma 3 in [7]. For simplicity, we also denote by ⊑ the BDD encoding of the simulation relation R defined in Proposition 1.
Algorithm 1: Reachability Analysis
1: function IsReach(Init, Tick, Trans, goal)
2: Qp = ∅
3: Q = Init
4: Q = Reach(Q, Trans)
5: while (Qp ≠ Q) do
6: Qp = Q
7: Q = Q ∪ Reach(succ(Q, Tick), Trans)








16: Qp = ∅
17: while (Qp ≠ Q) do
18: Qp = Q




Algorithm 2: Reachability Analysis with Simulation
1: function IsReach_sim(Init, Tick, Trans, goal)
2: Qp = ∅
3: Q = Down(Init)
4: Q = Reach_sim(Q, Trans)
5: while (Qp ≠ Q) do
6: Qp = Q
7: Q = Q ∪ Reach_sim(Down(succ(Q, Tick)), Trans)








16: Qp = ∅
17: while (Qp ≠ Q) do
18: Qp = Q




3 Reachability Analysis Algorithm
In this section, we present the reachability analysis algorithm without the simulation reduction and the one with the reduction.
3.1 Algorithm Without Simulation Reduction
Given a set of states goal, the reachability analysis is performed by computing the set of reachable states and checking whether it contains any state in goal. The problem of efficiently computing the set of reachable states in BDDs for timed systems has been investigated by Beyer in [9,11]. There are two important observations to avoid exploding BDDs. First, separating action and tick transitions is more efficient than unifying them as monolithic transitions. Second, for fixpoint computation, applying action transitions before tick transitions can achieve smaller encodings of intermediate reachable states.
Algorithm 1 shows the reachability analysis algorithm based on Beyer's observations, without simulation reduction. The function IsReach takes Init, Tick, Trans, and goal as input. It checks whether a state in goal is reachable from an initial state in Init by transitions in Tick or Trans. Moreover, given a set of states Q and a transition relation R, the function Reach(Q, R) computes the set of states reachable from Q by transitions in R. We denote the set of successor
[Fig. 1 (image not recoverable from extraction): (a) a timed automaton with locations l0, l1, l2 and a transition on event e with guard [1 ≤ x ≤ 10^6]; (b) its transition system under the discrete semantics, with states (l0, 0), (l0, 1), (l0, 2), ..., (l0, 10^6), (l0, 10^6 + 1) connected by tick transitions.]
Fig. 1. Timed automaton with large clock constant and the transition system based on discrete semantics
states of Q as succ(Q, R). Intuitively, Q stores the set of states reachable within i time units after the ith iteration (lines 5–11). The algorithm reaches the fixpoint if no new state is found in the next time unit.
While Algorithm 1 is relatively efficient in computing the reachable states, it still suffers from large maximal clock constants. Models with large maximal clock constants require a large number of iterations to obtain the fixpoint. Figure 1a presents a timed automaton with a large clock constant, i.e., with a maximal clock constant of 10^6. We remark that in practice, large clock constants are not uncommon because different time units are often used at the same time. Figure 1b is the transition system generated by the discrete semantics. States at location l2 are omitted in Fig. 1b for simplicity. We denote by (li, j) the state where the location is li and the clock valuation v is such that v(x) = j. Assume the property is whether location l2 is reachable. Then, Algorithm 1 requires 10^6 + 2 iterations to reach the fixpoint and conclude that l2 is unreachable: 10^6 + 1 iterations to find all the reachable states, and a last iteration which does not find any new state and concludes that the fixpoint is reached. However, with simulation reduction, our approach can verify whether l2 is reachable within 3 iterations.
In the next section, we present our improved algorithm using the simulation relation. We prove that the number of iterations can be reduced, and experimental results given in Sect. 5 confirm that our improved algorithm is much more efficient.
3.2 Algorithm with Simulation Reduction
In this section, we present our improved reachability analysis algorithm. Given a transition system L, a simulation relation ⊑ over states of L and a set of states goal, our algorithm determines whether any state in goal is reachable. The reachability analysis is performed similarly to Algorithm 1, by computing the set of reachable states and checking whether it contains any state in goal. We assume that the simulation on L is compatible with the set goal, i.e., for any (s1, s2) ∈ ⊑, s1 ∈ goal ⟹ s2 ∈ goal. In our reachability verification for timed automata, the LU simulation relation satisfies this condition because the
reachability verification is over locations. Effectively, with simulation reduction, we explore a reduced transition system defined as in Definition 3.
Definition 3. Given the transition system L = (C, init_c, →) and the simulation relation ⊑, we define the transition system L′ = (C′, init′_c, ⟹) such that:
– C′ = C, init′_c = Down(init_c).
– Given any states s′1, s′2 ∈ L′, there is a transition s′1 ⟹ s′2 in L′ if there exists a transition s′1 → s2 in L and s′2 ⊑ s2.
Note that the state space is unchanged. The initial states and transition functions are changed according to the simulation relation over the set of states C. Intuitively, for any transition s′1 → s2 in L, we allow other states simulated by s2 to be successor states of s′1 in L′. Thus, given a set of states Q ⊆ C, succ(Q, ⟹) = Down(succ(Q, →)). In the following, we establish that L′ preserves reachability.
Lemma 1. Given q′1 ⊑ q1, if there exists a path of length n, q′1 ⟹ q′2 ⟹ · · · ⟹ q′n in L′, there exists a path of the same length, q1 → q2 → · · · → qn in L such that q′i ⊑ qi for all 1 ≤ i ≤ n. □
Theorem 1. Given the transition systems L, L′, and a set of states goal, goal is reachable in L if and only if goal is reachable in L′. □
Based on the relationship between the transition systems L and L′ stated by Theorem 1, we can use L′ as the input for Algorithm 1. However, explicitly computing the transition relation of L′ is computationally expensive. Instead, we apply Down to the result of any call succ(Q) on the fly in Algorithm 1, because succ(Q, ⟹) = Down(succ(Q, →)). Algorithm 2 presents our improved reachability analysis algorithm with simulation reduction. We rename the two functions as IsReach_sim and Reach_sim respectively. The difference between Algorithms 2 and 1 is that in the function IsReach_sim, we first update Q = Down(Init) at line 3, and subsequently, we call Reach_sim(Q, R) and Down(succ(Q, R)) instead of Reach(Q, R) and succ(Q, R) respectively. It can be observed that we always apply Down to the results of the succ function.
Theorem 2. Algorithm 2 is sound and complete. □
Proof: As discussed above regarding the difference between Algorithms 2 and 1, given a transition system L, while the function IsReach(Init, Tick, Trans, g) checks the reachability of g on L, the function IsReach_sim(Init, Tick, Trans, g) actually checks the reachability of g on L′. Thus, the correctness of Algorithm 2 follows from Theorem 1 and the correctness of Algorithm 1.
Our algorithm is similar to the antichain algorithm of promising states [22]. Note that in [22], the algorithm uses the Min operator while our approach uses the Down operator. We use the Down operator because it is efficient to compute with BDDs. This algorithm is also similar to the one in [7], where LU simulation is used to improve zone-based verification of timed automata. However, the Down operator here is coarser than the extrapolation used in [7] (any extrapolation must result in convex zones).
Lemma 2. Assume Q′ = Down(Q). Then Q′ ∪ Reach_sim(Down(succ(Q′, Tick)), Trans) = Down(Q ∪ Reach(succ(Q, Tick), Trans)).
Lemma 3. Assume Q′ = Down(Q). After n iterations, if Reach(Q, R) has reached the fixpoint, then Reach_sim(Q′, R) has also reached the fixpoint. Moreover, the results of those functions satisfy Reach_sim(Q′, R) = Down(Reach(Q, R)).
Since the reachability analysis requires many fixpoint computations, the rationale of Algorithm 2 is to converge faster to the fixpoint. In the following, we prove that Reach_sim(Down(Q)) requires the same or a smaller number of iterations to reach the fixpoint than Reach(Q). In our proof, to distinguish from Algorithm 1, given any variable Q appearing in Algorithm 1, we use the primed version Q′ to denote that variable in Algorithm 2.
Theorem 3. Algorithm 2 requires fewer or the same number of iterations than Algorithm 1.
Proof: By Lemmas 3 and 2, in Algorithms 1 and 2, Q′ = Down(Q). So if Algorithm 1 terminates when Q ∩ goal ≠ ∅, Algorithm 2 also terminates because Q′ ∩ goal ≠ ∅. Otherwise, if Q = Qp holds in Algorithm 1, Q′ = Q′p also holds in Algorithm 2.
Example. In the following, we demonstrate how Algorithm 2 works using the example in Fig. 1. The reachability problem is to check whether l2 is reachable from the initial state at l0. According to the timed automaton, we have L(x) = 1 and U(x) = 10^6. Algorithm 2 only takes 3 iterations to verify that l2 is unreachable, specifically:
– Q′0 = {(l0, 0)}, Q′1 = {(l0, 0), (l0, 1), (l1, 1)}
– Q′2 = {(l0, i) | 0 ≤ i ≤ 10^6 + 1} ∪ {(l1, i) | 1 ≤ i ≤ 10^6 + 1}, Q′3 = Q′2
In the 2nd iteration, we first have (l0, 2), (l1, 2) ∈ Q′2. Since (l0, i) ⊑ (l0, 2) and (l1, i) ⊑ (l1, 2) for all i > 2, we add all states (l0, i), (l1, i) where i > 2 to Q′2 by the Down function. Thus, finally Q′2 = {(l0, i) | 0 ≤ i ≤ 10^6 + 1} ∪ {(l1, i) | 1 ≤ i ≤ 10^6 + 1}.
In this section, we have presented our improved algorithm for reachability verification using the LU simulation relation. We prove that our approach in Algorithm 2 always uses fewer or the same number of iterations compared with the classic algorithm in Algorithm 1. In the next section, we continue by presenting our improved emptiness checking algorithm with the simulation relation.
Algorithm 3: Algorithm IsEmpty
1: function IsEmpty(Init, Tr, J)
2: old = ∅
3:
4: new = Reach(Init, Tr)
5: while (new ≠ old) do
6: old = new
7: for all Ji ∈ J do
8: new = Reach(new ∩ Ji, Tr)
9: end for





15: return (new = ∅)
16: end function
Algorithm 4: Algorithm IsEmpty_sim
1: function IsEmpty_sim(Init, Tr, J)
2: old = ∅
3: Init = Down(Init)
4: new = Reach_sim(Init, Tr)
5: while (new ≠ old) do
6: old = new
7: for all Ji ∈ J do
8: new = Reach_sim(new ∩ Ji, Tr)
9: end for





15: return (new = ∅)
16: end function
4 Emptiness Checking Algorithm
Under digitization and automata theory, LTL verification can be done by emptiness checking. Thus, the emptiness checking algorithm of Kesten et al. [28] can be used. In this section, we first present the algorithm of Kesten et al. Then, we introduce our improved algorithm using the simulation relation.
4.1 Algorithm Without Simulation Reduction
Given a transition system and a set of Büchi conditions J where each Ji ∈ J is a set of states, an accepting run is an infinite run which visits a Ji-state (a state in Ji) infinitely often for all Ji ∈ J. The emptiness problem is to check whether such a run exists.
For simplicity, in this section, we merge Trans and Tick and assume that Tr is the encoding of the whole transition relation. Algorithm 3 [28] presents the symbolic emptiness checking algorithm. Specifically, function IsEmpty takes the set of initial states Init, the transition relation Tr, and a set of Büchi conditions J as input.
In Algorithm 3, function IsEmpty searches for an accepting strongly connected component (SCC) which contains a Ji-state for every Büchi condition Ji ∈ J. The algorithm computes the set of all reachable accepting SCCs. If this set is empty, there is no accepting run in the given transition system. At line 4, new is assigned the set of all states reachable from the initial states. Then, the while-loop (from line 5 to line 14) continuously refines the set of states new until a fixpoint is reached (i.e., new = old at line 5). Inside this while-loop, first, we back up the current value of new in old (line 6). Then, from line 7 to line 9, we continue to refine new as the set of states reachable from a Ji-state for all Ji ∈ J. Next, in the inner while-loop from line 11 to line 13, we again refine new by successively removing from new those states which do not have a predecessor in new
(line 12). This loop is iterated until new is closed under predecessor. Thus, new
is the set of all reachable SCCs. Because of the loop from line 7 to line 9, those
SCCs are accepting by contain a state in Ji for all Ji ∈ J . At the end, new
contains all reachable accepting SCCs in this transition system.
4.2 Algorithm with Simulation Reduction
In this section, we present our improved emptiness checking algorithm of timed
automata Algorithm 4, which improves Algorithm 3 by using the simulation
relation. We rename the function as IsEmptysim. The diﬀerence between Algo-
rithm 4 and Algorithm 3 is that in the function IsEmptysim, we update
Init = Down(Init) at line 3 at the beginning, and throughout the algorithm, we
call the functions Reachsim(Q,Tr) and Down(succ(Q)) instead of Reach(Q,Tr)
and succ(Q), respectively. Note that the function Reachsim (Q,Tr) is introduced
in Sect. 3. In other words, we always apply the function Down on the results of
the succ function. We prove that Algorithm 4 is sound and complete as we did
for Algorithm 3. First, we prove that L′ (deﬁned in Deﬁnition 3) also preserves
the emptiness.
Lemma 4. Given q′1  q1, if there exists a path with length n, q′1 =⇒ q′2 =⇒
· · · =⇒ q′n in L′, there exists a path with the same length n, q1 → q2 → · · · → qn
in L such that q′i  qi for all 1 ≤ i ≤ n.
Lemma 5. Given q′1  q1, if there exists a cycle q′1 =⇒ · · · =⇒ q′1 in L′
which contains a Ji-state for all Ji ∈ J , there exists a cycle q1 → · · · → q1 in L
which contains a Ji-state for all Ji ∈ J .
Lemma 6. If there exists an accepting run in L′, there exists an accepting run
in L.
Theorem 4. Given a transition system L, a set of Büchi conditions J, and a
simulation relation over states of L, L has an accepting run if and only if L′
has an accepting run.
Following Theorem 4, we can use the transition system L′ as the input for
Algorithm 3. However, explicitly computing the transition relation of L′ is not
efficient. Instead, we apply Down to the result of any call succ(Q) on the fly in
Algorithm 3, because succ(Q, =⇒) = Down(succ(Q, →)).
Theorem 5. Algorithm 4 is sound and complete.
Proof: As discussed above regarding the difference between Algorithm 4 and
Algorithm 3, given a transition system L with a set of initial states Init, the
transition relation Tr and a set of Büchi conditions J, while IsEmpty(Init, Tr, J)
checks the emptiness of L, IsEmpty_sim(Init, Tr, J) actually checks the emptiness
of the transition system L′. Thus, the correctness of Algorithm 4 follows from
Theorem 4. □
Algorithm 4 does not guarantee that it always takes fewer or the same number
of iterations as Algorithm 3. To distinguish between Algorithms 4 and 3, we use
new′ and new to denote the variable new in Algorithm 4 and Algorithm 3
respectively. The reason that Algorithm 4 might take more iterations is that
new′ = Down(new) is not an invariant during the algorithm. Assume that
new′ = Down(new) holds before line 12 is executed; then new′ = Down(new)
may not hold after this line is executed, as shown in Lemma 8 in [2]. Thus,
new′ = Down(new) is not an invariant. Nevertheless, in our evaluation in Sect. 5,
Algorithm 4 always outperforms Algorithm 3 and takes fewer succ function calls.
The reason is that during the computation of all reachable states from the
initial states at line 4 and the first run of the while-loop in lines 7–9,
Algorithm 4 can take far fewer succ function calls than Algorithm 3 as a result
of Theorem 3 and Lemma 7 in [7]. Moreover, the computation of all reachable
states (line 4) is the most expensive computation in these algorithms.
Algorithm 4 can be adapted to verify the emptiness of TBA straightforwardly.
The requirement that the run must visit an accepting location infinitely often
and contain an infinite number of tick transitions and action transitions is
represented as a set of Büchi conditions J = {Acc, J0, J1}, where Acc is the set
of accepting locations in DS(A) and J0 (respectively J1) is the set of states
which are the destination states of an action transition (respectively a tick
transition). A boolean variable isTick can be introduced during the encoding.
For each transition, this variable is updated to false if it is an action
transition; otherwise it is updated to true. Then J0 is the set of states where
isTick is false and J1 is the set of states where isTick is true.
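As an added illustration (not code from the paper or from PAT), the following Python sketch implements IsEmpty and IsEmpty_sim as described above over an explicit-state transition system, with frozensets standing in for BDDs, and runs them on a constructed digitised model that uses the isTick encoding of the Büchi conditions J = {Acc, J0, J1}. The model, its LU-style simulation relation `leq`, and the helper names (`TS`, `reach`, `is_empty`, `make_down`, `is_simulation`, `make_model`) are all assumptions made here; `is_simulation` is a sanity check that the supplied relation really is a simulation respecting every Ji, because an unsound Down operator would make the reduced check unsound.

```python
from itertools import product

class TS:
    """Explicit-state transition system; frozensets stand in for BDDs."""
    def __init__(self, init, step):
        self.init, self.step, self.succ_calls = frozenset(init), step, 0

    def succ(self, Q):                      # one symbolic succ application
        self.succ_calls += 1
        return frozenset(s for q in Q for s in self.step(q))

def reach(ts, Q, within=None, down=lambda Q: Q):
    """Reach (identity down) or Reach_sim (down = Down), restricted to `within`."""
    while True:
        post = down(ts.succ(Q))
        post = post if within is None else post & within
        if post <= Q:
            return Q
        Q |= post

def is_empty(ts, J, down=lambda Q: Q):
    """IsEmpty (Algorithm 3) with identity down, IsEmpty_sim (Algorithm 4) with Down."""
    new, old = reach(ts, down(ts.init), down=down), None       # line 4
    while new != old:                                          # lines 5-14
        old = new
        for Ji in J:                                           # lines 7-9
            new = reach(ts, new & Ji, within=new, down=down)
        while (kept := new & down(ts.succ(new))) != new:       # lines 11-13
            new = kept
    return not new                  # True iff no reachable cycle meets every Ji

def make_down(leq, universe):
    """Down(Q) = {q' in universe | q' <= q for some q in Q}, q simulating q'."""
    return lambda Q: frozenset(p for p in universe if any(leq(p, q) for q in Q))

def is_simulation(ts, leq, universe, J):
    """Check leq is a simulation (Lemma 4) that never leaves a Ji (Lemma 5)."""
    for qp, q in product(universe, repeat=2):
        if leq(qp, q):
            if any(qp in Ji and q not in Ji for Ji in J):
                return False
            sq = list(ts.step(q))
            if not all(any(leq(sp, s) for s in sq) for sp in ts.step(qp)):
                return False
    return True

# Constructed model: one clock digitised to 0..M (values above M saturate), locations
# A (x >= L leads to B) and B (x >= 1 leads back, B accepting); states (loc, x, is_tick).
M, L = 8, 3
UNIVERSE = list(product("AB", range(M + 1), (False, True)))

def make_model(zeno_b):
    def step(q):
        loc, x, _ = q
        if loc == "A":
            yield ("A", min(x + 1, M), True)         # tick
            if x >= L:
                yield ("B", 0, False)                # action, reset x
        elif zeno_b:
            yield ("B", x, False)                    # action self-loop only, no tick
        else:
            yield ("B", min(x + 1, M), True)         # tick
            if x >= 1:
                yield ("A", 0, False)                # action, reset x
    return TS([("A", 0, False)], step)

J = [frozenset(q for q in UNIVERSE if q[0] == "B"),    # Acc: accepting location
     frozenset(q for q in UNIVERSE if not q[2]),       # J0: after an action
     frozenset(q for q in UNIVERSE if q[2])]           # J1: after a tick

def leq(qp, q):   # LU-style, lower bounds only: x' <= x, or x already above L
    return qp[0] == q[0] and qp[2] == q[2] and (qp[1] <= q[1] or q[1] > L)

DOWN = make_down(leq, UNIVERSE)
```

On make_model(False), is_empty with and without DOWN both return False (an accepting non-Zeno run exists) and the Down variant needs fewer succ calls because a value above L pulls in all larger clock values at once; on make_model(True), where B only has an action self-loop, both report emptiness because no reachable cycle meets J1.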
We have presented our approach to the verification of reachability and LTL
properties by using the LU simulation relation. We evaluate it in the next
section.
5 Evaluation
We conducted experiments to evaluate our approach. Specifically, we attempted
to answer the following research questions:
RQ1: What is the improvement in the number of iterations and verification time
of our methods, compared to the existing state-of-the-art BDD-based and DBM-
based methods, in checking reachability and LTL properties?
RQ2: How scalable is our method in the size of maximal clock constants and the
number of processes?
Our approach has been implemented as a BDD library for the reachability
and LTL verification of timed automata in the PAT framework [42]. Our
implementation is based on the CUDD package [41], which provides functions to
manipulate BDDs. All of the experiments are performed on a PC with an Intel
Core i7-2600 CPU at 3.4 GHz and 4 GB RAM.
To answer the research questions, we have conducted four experiments, and
the results are shown in Tables 1-4. For all experiments, we measure the number
of succ function calls (#Succ), the verification time (in seconds) (Time), and
the memory usage of the CUDD library (in MB) (Memory) over three benchmark
systems from [1,15,36]: the CSMACD protocol, Fischer's protocol, and the
Lynch-Shavit protocol. We run PAT in two settings, i.e., with and without
simulation, which are referred to as PAT-Sim and PAT-NonSim. The algorithms for
PAT-Sim (PAT-NonSim resp.) on verifying reachability and LTL properties are
given in Algorithms 2 and 4 (Algorithms 1 and 3 resp.).

Table 1. Experimental results in the reachability verification with increasing clock constants
Model | MCC | PAT-Sim #Succ | PAT-Sim Time | PAT-Sim Memory | PAT-NonSim #Succ | PAT-NonSim Time | PAT-NonSim Memory | Rabbit Time
CSMACD | 808 | 4,369 | 6 | 34 | 17,794 | 1,563 | 577 | 208
CSMACD | 1,616 | 8,721 | 36 | 59 | - | oot | - | 1,494
CSMACD | 3,232 | 17,425 | 228 | 181 | - | - | - | oot
Fischer | 256 | 796 | 14 | 73 | 2,838 | 1,033 | 1,089 | 58
Fischer | 512 | 1,564 | 112 | 252 | - | - | oom | 1,076
Fischer | 1,024 | 3,100 | 867 | 931 | - | - | - | oom
Lynch | 64 | 481 | 12 | 66 | 1,347 | 217 | 498 | 256
Lynch | 128 | 929 | 104 | 287 | 2,627 | 2,163 | 1,562 | oot
Lynch | 256 | 1,825 | 859 | 1,003 | - | - | oom | oom

Table 2. Experimental results in the reachability verification with increasing number of processes
Model | #Proc | PAT-Sim #Succ | PAT-Sim Time | PAT-Sim Memory | PAT-NonSim #Succ | PAT-NonSim Time | PAT-NonSim Memory | Rabbit Time | Uppaal Time
CSMACD | 16 | 7,377 | 62 | 85 | - | oot | - | 5,638 | oom
CSMACD | 32 | 14,289 | 453 | 187 | - | - | - | oot | -
CSMACD | 64 | 26,801 | 3,912 | 477 | - | - | - | - | -
Fischer | 8 | 308 | 52 | 482 | - | oot | - | 7,258 | 0.7
Fischer | 16 | 356 | 366 | 1,442 | - | - | - | oom | oom
Fischer | 32 | 452 | 3,351 | 1,651 | - | - | - | - | -
Lynch | 8 | 169 | 8 | 72 | 696 | 6,203 | 1,690 | 2,494 | 1.1
Lynch | 16 | 217 | 104 | 290 | - | - | oom | oom | oom
Lynch | 32 | 313 | 2,971 | 1,201 | - | - | - | - | -
All experiments are conducted with a time limit of 2 CPU hours. An entry
‘oot’ in the table means that the time limit is reached, and an entry ‘oom’
means that the program runs out of memory. Given a benchmark system, when
a smaller model is running out of time or memory, we omit the evaluation of
larger models. An entry ‘-’ means the information is unavailable.
Table 3. Results in the LTL verification with increasing maximal clock constants
Model | MCC | PAT-Sim #Succ | PAT-Sim Time | PAT-Sim Memory | PAT-NonSim #Succ | PAT-NonSim Time | PAT-NonSim Memory
CSMACD | 404 | 4,334 | 5 | 36 | 14,169 | 493 | 876
CSMACD | 808 | 8,608 | 18 | 75 | 28,257 | 2,857 | 1,489
CSMACD | 1,616 | 16,688 | 35 | 82 | - | - | oom
Fischer | 200 | 979 | 2 | 28 | 2,812 | 417 | 1,101
Fischer | 400 | 1,779 | 3 | 29 | 5,412 | 3,847 | 1,600
Fischer | 800 | 3,379 | 8 | 34 | - | oot | -
Lynch | 200 | 6,937 | 25 | 53 | 19,682 | 2,404 | 1,434
Lynch | 400 | 13,137 | 45 | 62 | - | oot | -
Lynch | 800 | 25,537 | 90 | 63 | - | - | -

Table 4. Results in the LTL verification with increasing number of processes
Model | #Proc | PAT-Sim #Succ | PAT-Sim Time | PAT-Sim Memory | PAT-NonSim #Succ | PAT-NonSim Time | PAT-NonSim Memory | CTAV Time
CSMACD | 12 | 22,184 | 283 | 1,041 | - | oot | - | 562
CSMACD | 16 | 28,972 | 511 | 756 | - | - | - | oom
CSMACD | 20 | 35,760 | 839 | 1,063 | - | - | - | -
Fischer | 8 | 608 | 5 | 39 | 1,974 | 10,275 | 1,689 | 4
Fischer | 12 | 672 | 46 | 208 | - | - | oom | oom
Fischer | 16 | 736 | 310 | 965 | - | - | - | -
Lynch | 4 | 3,591 | 1 | 25 | 10,003 | 243 | 329 | 1
Lynch | 8 | 9,839 | 42 | 65 | - | - | oom | 5
Lynch | 12 | 19,551 | 585 | 326 | - | - | - | oom
We compare the results to three state-of-the-art model checkers, i.e., the
DBM-based model checkers Uppaal [31] and CTAV [32], as well as the BDD-based
model checker Rabbit [10]. Although RED [46] and the BDD-based version of
Kronos [14] are related to our work as real-time verification tools using BDD
(or BDD-like) data structures, Rabbit was shown to outperform them [10].
Therefore, only Rabbit is used in our experiments.
5.1 Evaluation for Reachability Properties
We evaluate our approach against Rabbit and Uppaal in the verification of
reachability properties. Since our approach is digitization-based, naturally,
the first question is how well the library scales with the number of clock
ticks. In the first experiment (cf. Table 1), we exponentially increase the
maximal clock constants while keeping the number of processes constant (we set
it to 4). Since Uppaal is a DBM-based model checker, its performance does not
depend on the maximal clock constants; therefore, it is not used in this
experiment. The column MCC gives the maximal clock constant values in the
corresponding models. Compared to PAT-NonSim, PAT-Sim takes fewer succ function
calls: the number of calls is reduced by a factor of 2 to 4 by using simulation.
Compared to Rabbit, PAT-Sim achieves a speedup of 2 to 21 times, and there are
five cases where Rabbit runs out of memory or time. As a result, PAT-Sim
outperforms both PAT-NonSim and Rabbit and can handle larger maximal clock
constants.
In the second experiment (cf. Table 2), we compare PAT, Rabbit, and Uppaal
using the same benchmark systems. The column #Proc represents the number of
processes. In this experiment, we set the maximal clock constants to 64 in
Fischer's protocol, 16 in the Lynch-Shavit protocol, and 404 in the CSMACD
protocol. Then, we increase the number of processes in each benchmark system to
find out which tool can verify the largest number of processes. By using
simulation, the number of succ function calls is reduced. Thus, PAT-Sim is
faster and can handle a larger number of processes than PAT-NonSim. For
example, in the Lynch model with 8 processes, PAT-Sim requires 169 succ function
calls and takes 8 s, while PAT-NonSim requires 696 succ function calls and
takes 6,203 s. The verification time is thus reduced significantly. According
to Table 2, PAT-Sim also outperforms Rabbit and Uppaal. Although Uppaal
achieves shorter evaluation times for smaller numbers of processes, both Rabbit
and Uppaal easily run out of memory or time when the number of processes
increases. On the contrary, PAT-Sim can still verify models when both other
tools are out of memory or time, for example, 64 processes in the CSMACD
benchmark.
5.2 Evaluation for LTL Properties
We evaluate our approach against CTAV in the verification of LTL properties
under the non-Zeno condition. Note that we do not compare with Uppaal since
Uppaal does not support the verification of LTL properties under the non-Zeno
condition. In the third experiment (cf. Table 3), to demonstrate the efficiency
of our approach in handling large maximal clock constants, we fix the number of
processes at 4 and increase the maximal clock constants. We do not compare with
CTAV here since it is a DBM-based model checker and its performance is not
affected by the maximal clock constants. According to the results, by using the
LU simulation relation, the number of succ function calls is reduced
significantly. For example, in the Lynch protocol with MCC = 200, the number of
succ calls is reduced from 19,682 to 6,937. As a result, the verification time
is improved significantly, from 2,404 s to 25 s.
PAT-Sim outperforms PAT-NonSim on all the models. It is faster and uses
less memory. Thus, it can handle models with maximal clock constants up to
thousands.
In the fourth experiment (cf. Table 4), to demonstrate the efficiency of our
approach in handling a large number of processes, we fix the maximal clock
constant at 808 for CSMACD and 100 for the other benchmarks. We then increase
the number of processes. In this experiment, we compare our approach with the
CTAV tool. The results indicate that the PAT-Sim approach outperforms
PAT-NonSim and CTAV on all the models. Specifically, it is faster and can handle
more processes than PAT-NonSim and CTAV. For example, in the CSMACD model with
16 processes, PAT-Sim can verify it within 511 s and 756 MB, while PAT-NonSim
runs out of time and CTAV runs out of memory.
With the results of the four experiments, we answer research questions RQ1
and RQ2. Our approach improves the performance significantly by reducing the
number of iterations. Furthermore, it can handle models with clock constants
larger than a thousand.
6 Discussion
Limitation. A limitation of our approach is that when the maximal lower and
upper bounds are the same, LU abstraction does not provide better performance.
This is because our method will take the same number of iterations to reach the
fixpoint, and there are overheads for calling the Down operator.
Complexity of the Down operator [7]. For checking reachability properties,
given the maximal distance from the initial state to a state in the explored
model as N, the complexity is O(N). For checking LTL properties, the time
complexity is linearly dependent upon the size of the symbolic (BDD)
representation in terms of the distances between states in the automaton graph,
the number and arrangement of the strongly connected components in the graph,
and the number of fairness conditions asserted [39]. Overall, the Down operator
can be computed efficiently. In addition, variable ordering can affect the
performance of BDDs. In our implementation, we make use of several well-known
heuristics [6,9,23,38] that can produce a fairly good ordering.
7 Conclusion
In this paper, we propose to use the simulation relation to improve BDD-based
model checking for real-time systems. Our approach is applied to verify
reachability and LTL properties. Experimental results confirm that our approach
achieves a significant speedup and outperforms Rabbit, Uppaal, and CTAV. As
future work, first, we plan to investigate the extensibility of our method to
other varieties of timed automata, such as parametric timed automata [4].
Second, we plan to investigate other reduction techniques, e.g., interpolation
[34] or IC3 [18], on top of our proposed techniques.
References
1. MCMT Benchmarks of Timed Automata. http://crema.di.unimi.it/~carioni/mcmt_ta.html
2. Technical Report of Scaling BDD-based Timed Verification with Simulation Reduction. http://tianhuat.github.io/tr_bddsr.pdf
3. Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126(2), 183–235 (1994)
4. Alur, R., Henzinger, T.A., Vardi, M.Y.: Parametric real-time reasoning. In: STOC, pp. 592–601 (1993)
5. Asarin, E., Maler, O., Pnueli, A.: On discretization of delays in timed automata and digital circuits. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 470–484. Springer, Heidelberg (1998)
6. Aziz, A., Tasiran, S., Brayton, R.K.: BDD variable ordering for interacting finite state machines. In: DAC, pp. 283–288 (1994)
7. Behrmann, G., Bouyer, P., Larsen, K.G., Pelánek, R.: Lower and upper bounds in zone based abstractions of timed automata. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 312–326. Springer, Heidelberg (2004)
8. Behrmann, G., Larsen, K.G., Pearson, J., Weise, C., Yi, W.: Efficient timed reachability analysis using clock difference diagrams. In: Halbwachs, N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 341–353. Springer, Heidelberg (1999)
9. Beyer, D.: Improvements in BDD-based reachability analysis of timed automata. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 318–343. Springer, Heidelberg (2001)
10. Beyer, D., Lewerentz, C., Noack, A.: Rabbit: a tool for BDD-based verification of real-time systems. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 122–125. Springer, Heidelberg (2003)
11. Beyer, D., Noack, A.: Efficient verification of timed automata using BDDs. In: FMICS, pp. 95–113 (2001)
12. Beyer, D., Noack, A.: Can decision diagrams overcome state space explosion in real-time verification? In: König, H., Heiner, M., Wolisz, A. (eds.) FORTE 2003. LNCS, vol. 2767, pp. 193–208. Springer, Heidelberg (2003)
13. Bouyer, P.: Forward analysis of updatable timed automata. Formal Methods Syst. Des. 24(3), 281–320 (2004)
14. Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S., Yovine, S.: Kronos: a model-checking tool for real-time systems. In: Vardi, M.Y. (ed.) CAV 1998. LNCS, vol. 1427, pp. 546–550. Springer, Heidelberg (1998)
15. Bozga, M., Maler, O., Pnueli, A., Yovine, S.: Some progress in the symbolic verification of timed automata. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 179–190. Springer, Heidelberg (1997)
16. Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L., Hwang, L.J.: Symbolic model checking: 10^20 states and beyond. Inf. Comput. 98(2), 142–170 (1992)
17. Chen, M., Tan, T.H., Sun, J., Liu, Y., Pang, J., Li, X.: Verification of functional and non-functional requirements of web service composition. In: Groves, L., Sun, J. (eds.) ICFEM 2013. LNCS, vol. 8144, pp. 313–328. Springer, Heidelberg (2013)
18. Cimatti, A., Griggio, A.: Software model checking via IC3. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 277–293. Springer, Heidelberg (2012)
19. Daws, C., Tripakis, S.: Model checking of real-time reachability properties using abstractions. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 313–329. Springer, Heidelberg (1998)
20. Dill, D.L.: Timing assumptions and verification of finite-state concurrent systems. In: Sifakis, J. (ed.) Automatic Verification Methods for Finite State Systems. LNCS, vol. 407, pp. 197–212. Springer, Heidelberg (1989)
21. Dill, D.L., Hu, A.J., Wong-Toi, H.: Checking for language inclusion using simulation preorders. In: Larsen, K.G., Skou, A. (eds.) CAV 1991. LNCS, vol. 575, pp. 255–265. Springer, Heidelberg (1991)
22. Doyen, L., Raskin, J.-F.: Antichain algorithms for finite automata. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 2–22. Springer, Heidelberg (2010)
23. Fujii, H., Ootomo, G., Hori, C.: Interleaving based variable ordering methods for ordered binary decision diagrams. In: ICCAD, pp. 38–41 (1993)
24. Henzinger, T.A., Manna, Z., Pnueli, A.: What good are digital clocks? In: Kuich, W. (ed.) ICALP 1992. LNCS, vol. 623, pp. 545–558. Springer, Heidelberg (1992)
25. Herbreteau, F., Srivathsan, B.: Efficient on-the-fly emptiness check for timed Büchi automata. In: Bouajjani, A., Chin, W.-N. (eds.) ATVA 2010. LNCS, vol. 6252, pp. 218–232. Springer, Heidelberg (2010)
26. Herbreteau, F., Srivathsan, B., Walukiewicz, I.: Efficient emptiness check for timed Büchi automata. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 148–161. Springer, Heidelberg (2010)
27. Herbreteau, F., Srivathsan, B., Walukiewicz, I.: Better abstractions for timed automata. In: LICS, pp. 375–384 (2012)
28. Kesten, Y., Pnueli, A., Raviv, L.: Algorithmic verification of linear temporal logic specifications. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 1–16. Springer, Heidelberg (1998)
29. Laarman, A., Olesen, M.C., Dalsgaard, A.E., Larsen, K.G., van de Pol, J.: Multi-core emptiness checking of timed Büchi automata using inclusion abstraction. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 968–983. Springer, Heidelberg (2013)
30. Lamport, L.: Real-time model checking is really simple. In: Borrione, D., Paul, W. (eds.) CHARME 2005. LNCS, vol. 3725, pp. 162–175. Springer, Heidelberg (2005)
31. Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a Nutshell. STTT 1(1–2), 134–152 (1997)
32. Li, G.: Checking timed Büchi automata emptiness using LU-abstractions. In: Ouaknine, J., Vaandrager, F.W. (eds.) FORMATS 2009. LNCS, vol. 5813, pp. 228–242. Springer, Heidelberg (2009)
33. Li, Y., Tan, T.H., Chechik, M.: Management of time requirements in component-based systems. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 399–415. Springer, Heidelberg (2014)
34. McMillan, K.L.: Interpolation and SAT-based model checking. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003)
35. Møller, J.B., Lichtenberg, J., Andersen, H.R., Hulgaard, H.: Difference decision diagrams. In: Flum, J., Rodríguez-Artalejo, M. (eds.) CSL 1999. LNCS, vol. 1683, pp. 111–125. Springer, Heidelberg (1999)
36. Morbé, G., Pigorsch, F., Scholl, C.: Fully symbolic model checking for timed automata. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 616–632. Springer, Heidelberg (2011)
37. Nguyen, T.K., Sun, J., Liu, Y., Dong, J.S., Liu, Y.: Improved BDD-based discrete analysis of timed systems. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012. LNCS, vol. 7436, pp. 326–340. Springer, Heidelberg (2012)
38. Rice, M., Kulhari, S.: A survey of static variable ordering heuristics for efficient BDD/MDD construction. Technical report, University of California, Riverside (2008)
39. Rozier, K.Y.: Linear temporal logic symbolic model checking. Comput. Sci. Rev. 5(2), 163–203 (2011)
40. Seshia, S.A., Bryant, R.E.: Unbounded, fully symbolic model checking of timed automata using Boolean methods. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 154–166. Springer, Heidelberg (2003)
41. Somenzi, F.: CUDD: CU Decision Diagram Package. http://vlsi.colorado.edu/~fabio/CUDD/
42. Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards flexible verification under fairness. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 709–714. Springer, Heidelberg (2009)
43. Tan, T.H., Liu, Y., Sun, J., Dong, J.S.: Verification of orchestration systems using compositional partial order reduction. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011. LNCS, vol. 6991, pp. 98–114. Springer, Heidelberg (2011)
44. Tripakis, S.: Verifying progress in timed systems. In: Katoen, J.-P. (ed.) AMAST-ARTS 1999, ARTS 1999, and AMAST-WS 1999. LNCS, vol. 1601, pp. 299–314. Springer, Heidelberg (1999)
45. Tripakis, S.: Checking timed Büchi automata emptiness on simulation graphs. ACM Trans. Comput. Logic 10(3), 1–19 (2009)
46. Wang, F.: Symbolic verification of complex real-time systems with clock-restriction diagram. In: Kim, M., Chin, B., Kang, S., Lee, D. (eds.) FORTE 2001, vol. 69, pp. 235–250. Springer, Heidelberg (2001)
47. Wang, F.: Efficient verification of timed automata with BDD-like data-structures. In: Zuck, L.D., Attie, P.C., Cortesi, A., Mukhopadhyay, S. (eds.) VMCAI 2003. LNCS, vol. 2575, pp. 189–205. Springer, Heidelberg (2003)
