Language inclusion checking of timed automata with non-Zenoness by WANG, Xinyu et al.
Citation 
WANG, Xinyu; SUN, Jun; WANG, Ting; and QIN, Shengchao. Language inclusion checking of timed 
automata with non-Zenoness. (2017). IEEE Transactions on Software Engineering. 43, (11), 995-1008. 
Research Collection School Of Information Systems. 
Available at: https://ink.library.smu.edu.sg/sis_research/4701 
Language Inclusion Checking of Timed Automata with Non-Zenoness
Xinyu Wang, Jun Sun, Ting Wang, and Shengchao Qin
Abstract—Given a timed automaton P modeling an implementation and a timed automaton S as a specification, the problem of
language inclusion checking is to decide whether the language of P is a subset of that of S. It is known to be undecidable. The problem
gets more complicated if non-Zenoness is taken into consideration. A run is Zeno if it permits infinitely many actions within finite time.
Otherwise it is non-Zeno. Zeno runs may be present in both P and S. It is necessary to check whether a run is Zeno or not so as to avoid
presenting Zeno runs as counterexamples of language inclusion checking. In this work, we propose a zone-based semi-algorithm for
language inclusion checking with non-Zenoness. It is further improved with simulation reduction based on LU-simulation. Though our
approach is not guaranteed to terminate, we show that it does in many cases through empirical study. Our approach has been
incorporated into the PAT model checker, and applied to multiple systems to show its usefulness.
Index Terms—Timed Automata, Language Inclusion, Non-Zenoness.
1 INTRODUCTION
Timed automata, introduced by Alur and Dill in [3], have emerged as one of the most popular models to specify and
analyze real-time systems. It has been shown that the reachability
problem for timed automata is decidable through the construction
of region graphs [3]. Efficient methods based on zone abstraction
for checking both safety and liveness properties have later been
developed [25], [34]. Zone abstraction, which constructs zone
graphs, is an effective technique for model checking timed au-
tomata and it has been employed by many tools including the
popular UPPAAL [25]. Verification tools for timed automata based
models have proven to be successful [10], [13], [25], [37].
Nonetheless, researchers have also identified several issues
associated with timed automata based system verification [3], [14].
One of them is that the language inclusion checking problem is
undecidable. In order to avoid this undecidability, a number of
determinizable subclasses of timed automata have been identified,
e.g., event-clock timed automata [4], [28], and integer resets
timed automata [31]. In addition, it has been shown [26] that the
problem of checking whether the language of a timed automaton
is a subset of that of a timed automaton with a single clock is
decidable. Another issue is related to the notion of Zeno runs.
An infinite run is non-Zeno if and only if it takes an unbounded
amount of time; otherwise it is Zeno. Zeno runs are infeasible
in reality and thus must be pruned during system analysis. That
is, it is necessary to check whether a run is Zeno or not so as
to avoid presenting Zeno runs as counterexamples. In particular,
liveness properties are usually meaningless unless non-Zenoness is assumed; and safety properties cannot be trusted since Zeno runs may conceal deadlocks, etc. Furthermore, the reason why non-Zenoness checking is particularly challenging is that zone graphs are too abstract to directly infer time progress and hence non-Zenoness. For instance, given an infinite path in the zone graph, it is infeasible to tell whether there are infinitely many transitions that bound some clock x from above, but only finitely many transitions that reset x, and thus the total time elapsed is bounded. A number of approaches have been proposed to solve the Zenoness checking problem in [22], [23], [34], [35]. The state-of-the-art approach is based on constructing guessing zone graphs, which enrich zone graphs with additional information for Zenoness checking [22], [23].

• Xinyu Wang is with the College of Computer Science, Zhejiang University, P.R. China. E-mail: wangxinyu@zju.edu.cn
• The corresponding author Ting Wang is with the College of Computer Science, Zhejiang University of Technology, P.R. China. E-mail: wangting@zjut.edu.cn
• Jun Sun is with ISTD, Singapore University of Technology and Design, Singapore. E-mail: sunjun@sutd.edu.sg
• Shengchao Qin is with Teesside University, UK. E-mail: S.Qin@tees.ac.uk
In this work, we investigate the language inclusion checking
problem of timed automata with non-Zenoness. That is, we define
the language of a timed (safety) automaton to be the set of finite
timed words obtained from runs which can be extended to an
infinite non-Zeno run. In other words, a finite timed word which can
only occur as part of Zeno infinite runs is itself considered Zeno
and is excluded from the language. We
develop a zone-based approach which, given a timed automaton
P modeling an implementation and a timed automaton S as a
specification, checks whether the language of P is a subset of that
of S. Language inclusion checking can often be converted to a
reachability problem on the product of P and the determinization
of S , where a state of the product is composed of a state of P
and a set of states from S . In our approach, we develop a semi-
algorithm which determinizes S and constructs the product on-the-
fly, where zones are used as a symbolic representation. Due to the
complication of Zeno runs, the states of the product are enriched
with additional labels so that only a part of a non-Zeno run in
P (which has no corresponding non-Zeno run in S) is output as
a counterexample. Furthermore, simulation reduction, based on
simulation relation between the product states obtained through
LU-simulation [6], is incorporated, which often contributes to the
termination of our semi-algorithm.
Our approach has been implemented in the PAT model
checker [32]. It can be applied to arbitrary timed automata,
though it may not always terminate. To show that our approach
can be useful in practice, we investigate when our approach
is terminating empirically. Firstly, we prove that, if S satisfies
a clock boundedness condition defined in [5], our approach is
guaranteed to terminate. Secondly, using a large set of randomly
generated timed automata, we show that our approach often
terminates. Lastly, we apply our approach to multiple benchmark
systems to investigate its scalability.
Related Work This work is related to the line of work on language
inclusion checking for timed automata. The work in [3] is the
first study on the problem. It shows that timed automata are not
closed under complement, which is an obstacle in automatically
comparing the languages of two timed automata. This conclu-
sion leads to work on identifying determinizable subclasses of
timed automata, with reduced expressiveness. Several subclasses
of timed automata have been identified, e.g., event-clock timed
automata [4], [28], timed automata with integer resets [31] and
strongly non-Zeno timed automata [5]. In addition, it has been
shown [26] that although timed automata with one clock are not
determinizable, the problem of checking whether the language of
a timed automaton is a subset of that of a timed automaton with a
single clock is decidable.
Our work is inspired by [5], in which the authors present an
approach for deciding when a timed automaton is determinizable.
The idea is to check whether the timed automaton satisfies a
clock boundedness condition. The authors show that the condition
is satisfied by event-clock timed automata, timed automata with
integer resets and strongly non-Zeno timed automata. Using region
construction, it is shown in [5] that an equivalent deterministic
timed automaton can be constructed if the given timed automaton
satisfies the clock boundedness condition. The work is closely
related to [2], in which the authors proposed a zone-based ap-
proach for determinizing timed automata with one clock. Our work
combines [2], [5] and extends them with simulation reduction so
as to provide an approach which could be useful for arbitrary
timed automata in practice.
In addition, a game-based approach for determinizing timed
automata has been proposed in [9], [24]. This approach produces
an equivalent deterministic timed automaton or a deterministic
over-approximation, which allows one to enlarge the set of timed
automata that can be automatically determinized compared to the
one in [5]. In comparison, our approach could determinize timed
automata which fail the boundedness condition in [5], and can
cover the examples shown in [9]. The work is remotely related
to work in [20]. In particular, it has been shown that under
digitization with the definition of weakly monotonic timed words,
whether the language of a closed timed automaton is included in
the language of an open timed automaton is decidable [20].
This work is closely related to our previous work in [38],
which proposes a semi-algorithm for language inclusion checking
of timed automata without non-Zenoness. We adopt the idea
of constructing an abstract product of the implementation and
specification in this work and extend it to investigate language
inclusion checking with non-Zenoness. Though some of the used
techniques are similar, we target two different problems. To the
best of our knowledge, the language inclusion checking problem
with non-Zenoness for timed automata has been rarely addressed.
In [27], the authors showed that the refinement checking problem
of safety MTL, a real-time extension of linear temporal logic, is
decidable. Their approach is to translate a safety MTL formula into
a single-clock timed automaton based on the non-Zeno semantics.
The refinement checking problem of safety MTL is then reduced
to the language inclusion checking problem between two single-
clock timed automata.
This work is related to the line of work on non-Zenoness
checking. In [34], it has been shown that every run in a timed
automaton is non-Zeno if for each structural loop of the timed
automaton (i.e., a loop in the timed automaton itself, not the
underlying transition system), there exists a clock c such that c
is reset during the loop and c is bounded from below in a guard
of a transition during the loop. A weaker condition is identified
in [12] (e.g., instead of checking all structural loops, only some
loops are checked). Given a network of timed automata, it implies
that every run is non-Zeno if the product automaton satisfies
the condition. Sufficient conditions which guarantee absence of
Zeno runs in a network without constructing the product have
been identified [12]. Effectively, the work in [12] weakens the
requirements imposed in [34].
The analysis in [12] is able to assert absence of Zeno runs
for a larger class of specifications, but it assumes a simple timed
automaton model. In [18], the authors show that the analysis
is not sound when UPPAAL extensions such as non-zero clock
assignments and broadcast channels are considered, and that
synchronisation can be better exploited to improve precision. Besides,
they extend the analysis to cases where urgent and committed
locations, urgent channels, parameters and selections are used in
the model.
However, preventing Zeno runs altogether by construction
would be too restrictive for users [18]. Rather, methods should
be provided to check whether a run is Zeno or not and discard
the Zeno runs in the process of verification. In [34], [35], the
authors showed that every timed automaton can be transformed
into a strongly non-Zeno one, for which, the emptiness problem
can be solved easily. The price to pay is an extra clock. It has
been shown that adding one clock may result in an exponentially
larger zone graph [23]. The proposed remedy is the guessing-zone
graph approach. In addition, this work is related to the work on
non-Zeno real-time game strategy [15], which however is not
based on zone abstraction.
Organization The remainder of the article is organized as
follows. Section 2 reviews the relevant background. Section 3
shows how to reduce the language inclusion checking problem to
a reachability problem in the concrete semantics. Section 4 then
shows how to reduce the language inclusion checking problem
to a reachability problem with zone abstraction. Section 5 then
presents details on how the language inclusion problem is solved.
Section 6 reports the experimental results. Section 7 concludes.
2 PRELIMINARY
In this section, we review some relevant background on labeled
transition systems (LTS), timed automata and define our problem.
2.1 Labeled Transition Systems
An LTS is a tuple $L = (S, Init, \Sigma, T)$, where $S$ is a set of states; $Init \subseteq S$ is a set of initial states; $\Sigma$ is an alphabet; and $T \subseteq S \times \Sigma \times S$ is a labeled transition relation. $L$ is deterministic if and only if $(s, e, s') \in T$ and $(s, e, s'') \in T$ imply $s' = s''$. A run of $L$ is a finite sequence of alternating states and events $\langle s_0, e_1, s_1, e_2, \cdots, e_n, s_n \rangle$ such that $(s_i, e_{i+1}, s_{i+1}) \in T$ for all $0 \le i \le n-1$. We say the run starts with $s_0$ and ends with $s_n$. A state $s'$ is reachable from $s$ if and only if there is a run starting with $s$ and ending with $s'$. A state is always reachable from itself. A run is rooted if it starts with a state in $Init$. A state is reachable if there is a rooted run which ends at the state. Given the above run, the sequence $tr = \langle e_1, e_2, \cdots, e_n \rangle$ is called a trace. We say that $s_n$ is reachable from $s_0$ via trace $tr$.

Let $F \subseteq S$ be a set of target states. Given two states $s_0$ and $s_1$ in $S$, we say that $s_0$ is simulated by $s_1$ with respect to $F$ if $s_0 \in F$ implies that $s_1 \in F$; and for any $e \in \Sigma$, $(s_0, e, s_0') \in T$ implies there exists $(s_1, e, s_1') \in T$ such that $s_0'$ is simulated by $s_1'$. In order to check whether a state in $F$ is reachable, if we know that $s_0$ is simulated by $s_1$ with respect to $F$ and $F$ is not reachable from $s_1$, then $F$ is also not reachable from $s_0$, and hence $s_0$ can be skipped during state space exploration if $s_1$ has been explored already. This is known as simulation reduction [16].
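As an added example (not code from the paper), the following Python program computes the largest simulation relation with respect to a target set $F$ on a small LTS by a greatest-fixpoint iteration over the definition above, and then uses it to prune a breadth-first reachability search exactly as simulation reduction prescribes: a state that is simulated by an already explored state is skipped. The LTS, its state names and events are constructed for illustration.

```python
"""Simulation reduction on a finite LTS (added example; the LTS below is constructed)."""
from collections import deque

# Constructed LTS: TRANS maps a state to its (event, successor) pairs.
STATES = {"a", "b", "c", "d", "e"}
TRANS = {
    "a": [("x", "b"), ("x", "c")],
    "b": [("y", "d"), ("w", "e")],
    "c": [("y", "d")],          # c can only do what b can do, so c is simulated by b
}


def largest_simulation(states, trans, targets):
    """Greatest fixpoint of the simulation definition with respect to `targets`.

    Returns the set of pairs (s0, s1) such that s0 is simulated by s1:
    s0 in targets implies s1 in targets, and every move of s0 is matched by s1
    with successors that are again in the relation.
    """
    rel = {(s0, s1) for s0 in states for s1 in states
           if s0 not in targets or s1 in targets}
    changed = True
    while changed:                       # drop pairs until no move is left unmatched
        changed = False
        for (s0, s1) in list(rel):
            matched = all(
                any(e1 == e0 and (t0, t1) in rel for (e1, t1) in trans.get(s1, ()))
                for (e0, t0) in trans.get(s0, ()))
            if not matched:
                rel.discard((s0, s1))
                changed = True
    return rel


def reachable(init, trans, targets, sim=None):
    """BFS from `init` for a state in `targets`.

    With `sim`, a state simulated by an already explored state is skipped:
    if a target were reachable from it, it would also be reachable from the
    simulating state, whose successors are explored anyway.
    Returns (found, number_of_states_explored).
    """
    explored = []
    queue = deque(init)
    seen = set(init)
    while queue:
        s = queue.popleft()
        if s in targets:
            return True, len(explored) + 1
        if sim is not None and any((s, t) in sim for t in explored):
            continue                     # pruned by simulation reduction
        explored.append(s)
        for (_, t) in trans.get(s, ()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return False, len(explored)


def demo():
    """Plain search versus simulation-reduced search for target e on the constructed LTS."""
    targets = {"e"}
    sim = largest_simulation(STATES, TRANS, targets)
    return reachable({"a"}, TRANS, targets), reachable({"a"}, TRANS, targets, sim)
```

Both searches return the same answer; the reduced one explores fewer states because c is skipped once b has been explored, and a state without outgoing transitions is simulated by every explored non-target state.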
2.2 Timed Automata
Timed automata were originally introduced as finite-state timed
Bu¨chi automata [3], i.e., finite automata equipped with real-
valued clock variables and Bu¨chi accepting condition. The Bu¨chi
accepting condition is used to enforce progress, i.e., a run is
accepting if and only if it visits some accepting state infinitely
often. Later, timed safety automata were introduced in [21] which
adopt an intuitive notion of progress. That is, instead of having
accepting states, each state in timed safety automata is associ-
ated with a local timing constraint called a state invariant. An
automaton can stay at a state as long as the valuation of the clocks
satisfies the state invariant. The expressiveness of timed safety
automata is strictly less than that of timed Bu¨chi automata [30].
In the following, we focus on timed safety automata as they are
supported by the popular tools like UPPAAL [25] and are often
used in practice. Hereafter, they are referred to as timed automata
following common practice.
Let $\mathbb{R}^+$ be the set of non-negative real numbers. Given a set of clocks $C$, we define $\Phi(C)$ as the set of clock constraints. Each clock constraint is inductively defined as follows: $\phi := true \mid x \sim n \mid \phi_1 \wedge \phi_2 \mid \neg \phi_1$ where $\sim \in \{=, \le, \ge, <, >\}$; $x$ is a clock in $C$ and $n$ is an integer constant$^1$. The set of downward constraints obtained with $\sim \in \{\le, <\}$ and without negation $\neg$ is denoted as $\Phi_{\le,<}(C)$. A clock valuation $v$ for a set of clocks $C$ is a function which assigns a real value to each clock. A clock valuation $v$ satisfies a clock constraint $\phi$, written as $v \in \phi$, if and only if $\phi$ evaluates to true using the clock values given by $v$. A clock constraint can be viewed as the set of clock valuations which satisfy the constraint. For $d \in \mathbb{R}^+$, let $v + d$ denote the clock valuation $v'$ such that $v'(c) = v(c) + d$ for all $c \in C$. For $X \subseteq C$, let the clock resetting notation $[X := 0]v$ denote the valuation $v'$ such that $v'(c) = v(c)$ for all $c \in C \setminus X$, and $v'(x) = 0$ for all $x \in X$. We write $C = 0$ for the clock valuation where each clock $c \in C$ reads 0.

Definition 1: A timed automaton is a tuple $(S, Init, \Sigma, C, L, T)$ where $S$ is a finite set of locations; $Init \subseteq S$ is a set of initial locations; $\Sigma$ is an alphabet; $C$ is a finite set of clocks; $L : S \to \Phi_{\le,<}(C)$ labels each location with an invariant; and $T \subseteq S \times \Sigma \times \Phi(C) \times 2^C \times S$ is a labeled transition relation.

1. We do not consider diagonal constraints in this work. Notice that due to the negation, a clock constraint may not be convex.

Intuitively, a transition $(s, e, \phi, X, s') \in T$ can be fired if $\phi$ is satisfied. After event $e$ occurs, clocks in $X$ are set to zero. An example timed automaton is shown at the top of Fig. 1.
Definition 2: Let $A = (S, Init, \Sigma, C, L, T)$ be a timed automaton. The concrete semantics of $A$ is an infinite-state LTS $C(A) = (S_c, Init_c, \mathbb{R}^+ \cup \Sigma, T_c)$ such that $S_c$ is a set of concrete states of $A$, each of which is a pair $(s, v)$ where $s \in S$ is a location and $v$ is a clock valuation; $Init_c = \{(s, C = 0) \mid s \in Init\}$ is the set of initial concrete states; and $T_c$ is the smallest transition relation satisfying the following conditions:
• $((s, v), t, (s, v + t)) \in T_c$ if $v + t \in L(s)$;
• or, $((s, v), e, (s', [X := 0]v)) \in T_c$ if there is a transition $(s, e, g, X, s') \in T$ such that $v \in g$ and $[X := 0]v \in L(s')$.

A timed automaton $A$ is deterministic if and only if $C(A)$ is deterministic. Otherwise, $A$ is non-deterministic. A (finite or infinite) run of $C(A)$ is of the form
$\pi = \langle (s_0, v_0), x_1, (s_1, v_1), x_2, \cdots, (s_i, v_i), x_{i+1}, \cdots \rangle$
where $((s_i, v_i), x_{i+1}, (s_{i+1}, v_{i+1})) \in T_c$ for all $i$. Note that each $x_i$ is either an event in $\Sigma$ or a number in $\mathbb{R}^+$. The duration of the run is the accumulated delay $\sum_{i : x_i \in \mathbb{R}^+} x_i$. An infinite run is non-Zeno if its duration is unbounded. A finite run is non-Zeno if and only if it is a prefix of some non-Zeno infinite run. That is, a finite run is Zeno if it cannot be extended to an infinite non-Zeno run. Given the above run $\pi$, we can obtain a timed word $\langle (D_1, e_1), (D_2, e_2), \cdots, (D_i, e_i), \cdots \rangle$ such that $e_1$ is the first event in the sequence $\langle x_1, x_2, \cdots \rangle$ and $D_1$ is the accumulated delay before $e_1$ occurs; $e_2$ is the second event in the sequence and $D_2$ is the accumulated delay before $e_2$ occurs; and so on. We define $\mathcal{L}(A, (s, v))$ to be the set of finite timed words obtained from the set of all non-Zeno finite runs starting with $(s, v)$. The language of $A$, written as $\mathcal{L}(A)$, is defined as $\{x \mid \exists s \in Init.\ x \in \mathcal{L}(A, (s, C = 0))\}$. Two timed automata are equivalent if they define the same language.

The language inclusion checking problem with non-Zenoness is the problem of checking whether $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$, given a timed automaton $P$ and a timed automaton $Q$. In the rest of the article, we fix two timed automata with the same alphabet, $P = (S_p, Init_p, \Sigma, C_p, L_p, T_p)$ and $Q = (S_q, Init_q, \Sigma, C_q, L_q, T_q)$, such that $S_p$, $S_q$, $C_p$ and $C_q$ are pairwise disjoint. We remark that in practice, $P$ and $Q$ are often composed of several timed automata executing in parallel, i.e., a network of timed automata. We skip the details on parallel composition of timed automata and remark that our approach applies to networks of timed automata.
2.3 Zone Abstraction
Given a timed automaton A, zone abstraction is a technique for
building an abstraction of C(A) called a zone graph. Zone abstrac-
tion has been employed by many tools including UPPAAL [25]. A
zone is the conjunction of multiple primitive constraints over a set
of clocks. Technically speaking, a zone is the maximal set of clock
valuations satisfying the constraint. A zone is empty if and only
if the constraint is unsatisfiable. In the following, we use zones
and clock constraints interchangeably as the latter is the syntactic
representation of the former.
The following zone operations are relevant in this work. Given a zone $\phi$, we use $\phi^\uparrow$ to denote the zone reached by delaying an arbitrary amount of time from zone $\phi$; we write $[X := 0]\phi$ to denote the zone obtained by resetting the clocks in $X$ to 0. Given a set of clocks $X$, let $\phi[X]$ denote the projection of $\phi$ on $X$.

Fig. 1. A sample zone graph. Top: a timed automaton $A$ with locations S1 and S2, a transition from S1 to S2 labelled e1 with guard $x \ge 1$, and a transition from S2 to S1 labelled e2 with guard $x \le 1$ and reset $\{x\}$. Bottom: its zone graph $ZG(A)$ with the two nodes $(S1, x \ge 0)$ and $(S2, x \ge 1)$, connected by e1 and e2.
Definition 3: Let $A = (S, Init, \Sigma, C, L, T)$ be a timed automaton. Its zone graph, denoted as $ZG(A)$, is an LTS $(S_z, Init_z, \Sigma, T_z)$ such that
• $S_z$ is a set of nodes, each of which is a pair $(s, \phi)$ such that $s \in S$ is a location and $\phi$ is a zone;
• $Init_z = \{(init, (\bigwedge_{c \in C} c = 0)^\uparrow \wedge L(init)) \mid init \in Init\}$ is the set of initial nodes;
• $T_z$ is the smallest labeled transition relation such that $((s_1, \phi_1), e, (s_2, \phi_2)) \in T_z$ if there exists a transition $(s_1, e, \phi, X, s_2) \in T$ such that $\phi_1 \wedge \phi \ne false$ and $[X := 0](\phi_1 \wedge \phi) \wedge L(s_2) \ne false$ and $\phi_2 = ([X := 0](\phi_1 \wedge \phi) \wedge L(s_2))^\uparrow \wedge L(s_2)$.
An example zone graph is shown at the bottom of Fig. 1. The
following establishes the relation between ZG(A) and C(A).
Proposition 1 [39]: Let $A = (S, Init, \Sigma, C, L, T)$ be a timed automaton and $ZG(A) = (S_z, Init_z, \Sigma, T_z)$ be its zone graph. $(s, v)$ is a reachable state of $C(A)$ if and only if there exists a reachable node $(s', \phi)$ of $ZG(A)$ such that $s = s'$ and $v \in \phi$. □
The above proposition can be proved by an induction, i.e., it is
true for any initial state of C(A) and it is preserved through
every transition in C(A). It implies that zone abstraction preserves
certain reachability properties (e.g., whether certain location is
reachable or not). Unfortunately, zone abstraction is too abstract so
that it is impossible to decide if a path in the zone graph ZG(A)
corresponds to a non-Zeno run of A [36]. The state-of-the-art
approach for solving this problem is to construct a guessing zone
graph, which enriches ZG(A) with additional information for
checking non-Zenoness [23]. We present the details of guessing
zone graphs when they are relevant in Section 5.1.
We remark that the number of zones in ZG(A) is in gen-
eral infinite. A number of normalization operators have been
defined [11], [29] to normalize the zones so that the number
of zones is finite. For instance, the idea of maximum ceiling nor-
malization [29] is to transform zones that may contain arbitrarily
large constants to a unique representation of a class of zones
whose constants are bounded by certain fixed constant, e.g., the
maximum clock ceiling in A. In the following, we assume that
zone normalization is not applied unless it is stated otherwise.
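The operations $\phi^\uparrow$, $[X := 0]\phi$, conjunction with a guard or invariant, and the emptiness test are in practice implemented on difference bound matrices (DBMs). The following Python program is an added example, not the paper's or PAT's implementation: it implements a minimal DBM with Floyd-Warshall canonicalization, builds the zone graph of Definition 3 by breadth-first exploration without normalization, and runs it on the automaton $A$ of Fig. 1, which is encoded here from the figure's labels. The dictionary encoding of the automaton and the tuple encoding of bounds are assumptions of this example.

```python
"""DBM-based zone graph construction (added example; automaton encoding is assumed)."""
from collections import deque

# A bound is (constant, strict): strict=True means '<', False means '<='.
INF = (float("inf"), True)
ZERO = (0, False)


def badd(a, b):
    """Sum of two bounds; a strict bound stays strict."""
    return INF if a == INF or b == INF else (a[0] + b[0], a[1] or b[1])


def bmin(a, b):
    """The tighter of two bounds: smaller constant, or strict before non-strict."""
    return a if a[0] < b[0] or (a[0] == b[0] and a[1]) else b


def canonical(m):
    """Floyd-Warshall closure of a DBM given as a list of rows. Returns the
    canonical DBM as a tuple of tuples, or None if the zone is empty."""
    n = len(m)
    m = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = bmin(m[i][j], badd(m[i][k], m[k][j]))
    for i in range(n):                   # negative, or strict zero, cycle: empty
        if m[i][i][0] < 0 or (m[i][i][0] == 0 and m[i][i][1]):
            return None
    return tuple(tuple(row) for row in m)


def zero_zone(nclocks):
    """Zone in which every clock reads 0 (row/column 0 is the reference clock)."""
    n = nclocks + 1
    return tuple(tuple(ZERO for _ in range(n)) for _ in range(n))


def up(z):
    """phi^up: drop every upper bound x_i - x_0 <= c."""
    m = [list(row) for row in z]
    for i in range(1, len(m)):
        m[i][0] = INF
    return canonical(m)


def reset(z, idxs):
    """[X := 0]phi on a canonical DBM: clock i becomes equal to the reference clock."""
    m = [list(row) for row in z]
    for i in idxs:
        for j in range(len(m)):
            if j != i:
                m[i][j] = m[0][j]
                m[j][i] = m[j][0]
    return canonical(m)


def conj(z, constraints, clk):
    """phi ^ (x op n) for each (x, op, n), op in <, <=, >, >=, == (no diagonals)."""
    m = [list(row) for row in z]
    for x, op, n in constraints:
        i = clk[x]
        if op in ("<", "<=", "=="):
            m[i][0] = bmin(m[i][0], (n, op == "<"))      # x - 0 <= n
        if op in (">", ">=", "=="):
            m[0][i] = bmin(m[0][i], (-n, op == ">"))     # 0 - x <= -n
    return canonical(m)


def clock_interval(z, i):
    """(lower, upper) bounds on clock i in canonical zone z."""
    lo = z[0][i]
    return ((-lo[0], lo[1]), z[i][0])


def zone_graph(ta):
    """Definition 3 by BFS. ta = {'init', 'clocks', 'inv': loc -> constraints,
    'trans': [(src, event, guard, resets, dst)]}. Returns (nodes, edges)."""
    clk = {c: i + 1 for i, c in enumerate(ta["clocks"])}

    def node(loc, z):                                   # (z)^up ^ L(loc)
        return (loc, conj(up(z), ta["inv"].get(loc, []), clk))

    init = [node(loc, zero_zone(len(clk))) for loc in ta["init"]]
    nodes, edges, queue = set(init), [], deque(init)
    while queue:
        loc, z = queue.popleft()
        for src, e, guard, resets, dst in ta["trans"]:
            if src != loc:
                continue
            z1 = conj(z, guard, clk)                    # phi1 ^ phi != false
            if z1 is None:
                continue
            z2 = conj(reset(z1, [clk[c] for c in resets]), ta["inv"].get(dst, []), clk)
            if z2 is None:                              # [X:=0](phi1 ^ phi) ^ L(s2) != false
                continue
            tgt = node(dst, z2)
            edges.append(((loc, z), e, tgt))
            if tgt not in nodes:
                nodes.add(tgt)
                queue.append(tgt)
    return nodes, edges


# The automaton A of Fig. 1, encoded from the figure's labels.
FIG1 = {"init": ["S1"], "clocks": ["x"], "inv": {},
        "trans": [("S1", "e1", [("x", ">=", 1)], [], "S2"),
                  ("S2", "e2", [("x", "<=", 1)], ["x"], "S1")]}
```

Running `zone_graph(FIG1)` yields exactly the two nodes of Fig. 1, $(S1, x \ge 0)$ and $(S2, x \ge 1)$; the e2 transition is enabled from $(S2, x \ge 1)$ only because $x \ge 1 \wedge x \le 1$ is the non-empty zone $x = 1$, and the reset followed by delay brings the exploration back to the initial node. Without normalization the node set is finite here only because no zone accumulates growing constants.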
3 CHECKING WITH CONCRETE SEMANTICS
In the following, we define an approach to solve the language
inclusion checking problem in the concrete semantics. Note that
it is only aimed to help understanding the approach in the next
section as obviously the concrete semantics is too big an LTS and
cannot be constructed explicitly.
The problem of checking whether $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ can be converted to a reachability problem on the product of $C(P)$ and the determinization of $C(Q)$. In the following, we formally define these two operations: determinization and computing the product.

Definition 4: Given an LTS $L = (S, Init, \Sigma, T)$, the determinization of $L$ is an LTS $det(L) = (S', \{Init\}, \Sigma, T')$ such that
• $S' = \mathcal{P}(S)$ is the set of all sets of states in $S$;
• $T'$ is the smallest relation such that $(X, e, Y) \in T'$ if $Y = \{y \in S \mid \exists x \in X.\ (x, e, y) \in T\}$.

By definition, $det(L)$ is deterministic. It is easy to show that $L$ and $det(L)$ have the same set of traces. We remark that $det(L)$ could have exponentially more states than $L$.

Definition 5: Given two LTSs $L_i = (S_i, Init_i, \Sigma_i, T_i)$ where $i \in \{1, 2\}$, the product of $L_1$ and $L_2$, denoted as $L_1 \otimes L_2$, is an LTS $(S, Init, \Sigma, T)$ such that $S = S_1 \times S_2$; $Init = Init_1 \times Init_2$; $\Sigma = \Sigma_1 \cup \Sigma_2$; and $T$ is the smallest transition relation such that
• $((s_1, s_2), e, (s_1', s_2)) \in T$ if $(s_1, e, s_1') \in T_1$ and $e \notin \Sigma_2$;
• $((s_1, s_2), e, (s_1, s_2')) \in T$ if $(s_2, e, s_2') \in T_2$ and $e \notin \Sigma_1$;
• $((s_1, s_2), e, (s_1', s_2')) \in T$ if $(s_1, e, s_1') \in T_1$ and $(s_2, e, s_2') \in T_2$.
Next, we show how to check language inclusion with non-Zenoness based on $C(P) \otimes det(C(Q))$. Note that a state in $C(P) \otimes det(C(Q))$ is of the form $(s, X)$ where $s$ is a state in $C(P)$ and $X$ is a set of states in $C(Q)$. Intuitively, $s$ and $X$ can be reached via the same timed word in $C(P)$ and $C(Q)$ respectively. Without the assumption of non-Zenoness, it is sufficient to check whether there is a reachable state $(s, X)$ in the product such that $X$ is the empty set (i.e., there is a timed word which is possible in $P$ but not in $Q$). With the assumption of non-Zenoness, we need to check whether there is a non-Zeno run from $s$ in $P$ and whether there is a non-Zeno run from some state in $X$ in $Q$. For simplicity, we say that $s$ is non-Zeno if and only if there is a non-Zeno run starting with $s$; and a set of states is non-Zeno if and only if it contains a non-Zeno state. Notice that by this definition, an empty set of states is Zeno.

Given a state $(s, X)$ in $C(P) \otimes det(C(Q))$, we need to distinguish three cases in order to check language inclusion with non-Zenoness.
• Case 1: $s$ is non-Zeno and $X$ is non-Zeno, i.e., there exists a non-Zeno run starting with $s$ in $P$ and a non-Zeno run starting with some state in $X$ in $Q$. In this case, language inclusion is not violated at this state.
• Case 2: $s$ is non-Zeno and $X$ is Zeno, i.e., there exists a non-Zeno run starting with $s$ in $P$ and there is no non-Zeno run starting with any state in $X$ in $Q$. Thus, the trace reaching $s$ is a trace of $C(P)$ but not a trace of $C(Q)$, and language inclusion may be violated.
• Case 3: $s$ is Zeno, i.e., there is no non-Zeno run starting with $s$ in $P$. Thus, the runs starting with $s$ are no longer relevant for language inclusion checking.

Theorem 1: $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ if and only if there is no reachable state $(s, X)$ in $C(P) \otimes det(C(Q))$ with an incoming edge labeled with an event $e \in \Sigma$ such that $s$ is non-Zeno and $X$ is Zeno.
Proof: By induction, we can show that: (1) for all $(s, X)$ in $C(P) \otimes det(C(Q))$, if $s$ is reachable from an initial state in $C(P)$ through trace $tr$, then $X$ is the set of all states reachable through $tr$ from any initial state in $C(Q)$; and (2) if $tr$ ends with an event $e \in \Sigma$, then $X$ is the set of all states reachable through a trace $tr'$ such that $tr$ and $tr'$ result in the same timed word. Next, we prove the theorem in both directions by contradiction.

(if) We first show that if $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ does not hold, there exists $(s, X)$ which satisfies the condition. By definition, if $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ does not hold, there is a timed word $tw$ in $\mathcal{L}(P)$ but not in $\mathcal{L}(Q)$. By definition, there must be a trace $tr$ of $C(P)$ from which we can obtain $tw$. Assume that after trace $tr$, we reach state $(s, X)$ in $C(P) \otimes det(C(Q))$. By definition, $s$ must be non-Zeno. By (2) above, $X$ contains all states reachable through a trace $tr'$ such that $tr$ and $tr'$ result in $tw$. By assumption, $tw$ is not in $\mathcal{L}(Q)$, therefore $X$ must be Zeno.

(only if) We show that if there is a reachable state $(s, X)$ satisfying the condition, $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ does not hold. By assumption, $(s, X)$ must be reachable via a trace $tr$ ending with an event $e \in \Sigma$. Since $s$ is non-Zeno, the timed word obtained from $tr$ is in $\mathcal{L}(P)$. Since $X$ is Zeno, the timed word obtained from $tr$ is not in $\mathcal{L}(Q)$ by (2). Thus $\mathcal{L}(P) \subseteq \mathcal{L}(Q)$ does not hold. □

In the following, we refer to a state $(s, X)$ in $C(P) \otimes det(C(Q))$ with an incoming edge labeled with an event $e \in \Sigma$ where $s$ is non-Zeno and $X$ is Zeno as a witness state, as it is a witness of the violation of language inclusion by the above theorem. The problem of language inclusion checking is thus reduced to the problem of checking whether a witness state is reachable.
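To make the reduction concrete, the following Python program is an added example (not the paper's algorithm, which works on the infinite-state concrete semantics and, in Section 4, on zones). It builds the product with the subset construction of Definitions 4 and 5 on the fly over small finite LTSs without delay transitions, so every edge carries an event and the witness condition of Theorem 1 reduces to "reached by at least one event"; it then applies the three cases above to every product state. Because Zenoness is not defined for untimed LTSs, the sets of Zeno states are passed in by the caller and stand in for the non-Zenoness check of Section 5. The LTSs $P$ and $Q$ below are constructed.

```python
"""Witness search in C(P) (x) det(C(Q)) over finite untimed LTSs (added example)."""
from collections import deque

# Constructed LTSs: {"init": set of initial states, "trans": state -> [(event, successor)]}
P = {"init": {"p0"},
     "trans": {"p0": [("a", "p1")], "p1": [("b", "p2"), ("c", "p3")]}}
Q = {"init": {"q0"},
     "trans": {"q0": [("a", "q1"), ("a", "q2")], "q2": [("b", "q3")]}}


def det_step(lts, X, e):
    """One transition of det(lts) (Definition 4): all e-successors of the set X."""
    return frozenset(y for x in X for (e2, y) in lts["trans"].get(x, ()) if e2 == e)


def find_witness(P, Q, zeno_p=frozenset(), zeno_q=frozenset()):
    """Breadth-first search of the product for a witness state (s, X): reached by
    an event, s non-Zeno, X Zeno (empty, or all of its states Zeno).
    zeno_p / zeno_q are the Zeno states of P and Q, supplied by the caller.
    Returns the event trace leading to the first witness found, or None."""
    non_zeno_p = lambda s: s not in zeno_p
    non_zeno_q = lambda q: q not in zeno_q
    init = [(s, frozenset(Q["init"])) for s in sorted(P["init"])]
    seen = set(init)
    queue = deque((node, ()) for node in init)
    while queue:
        (s, X), trace = queue.popleft()
        if not non_zeno_p(s):
            continue                      # Case 3: runs from a Zeno s are irrelevant
        if trace and not any(non_zeno_q(q) for q in X):
            return trace                  # Case 2: witness state
        for (e, t) in P["trans"].get(s, ()):           # Case 1: keep exploring
            node = (t, det_step(Q, X, e))
            if node not in seen:
                seen.add(node)
                queue.append((node, trace + (e,)))
    return None
```

With every state non-Zeno the trace a.c is a witness, since $Q$ has no c after a and the product reaches $(p3, \emptyset)$; marking p3 Zeno removes that witness (Case 3), while marking q3 Zeno makes $(p2, \{q3\})$ a witness even though $X$ is not empty, which is exactly the difference between inclusion with and without non-Zenoness.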
4 LANGUAGE INCLUSION CHECKING WITH ZONES
In this section, we present how to construct an abstraction of
C(P) ⌦ det(C(Q)) based on zone abstraction, based on which
we solve the language inclusion checking problem. As discussed
above, language inclusion checking requires constructing the
product of P and the determinization of Q. Determinizing timed
automata in general is undecidable [3]. In the following, we
describe an approach which can be applied to arbitrary timed
automata. Though it is not guaranteed to terminate, we show that
it is useful in the setting of language inclusion checking. The
approach is presented in two parts in the following: 1) unfolding
the original timed automaton into an infinite timed tree; and 2)
building the product of P and the determinization of the timed
tree generated from Q based on zones.
4.1 Removing State Invariant
In order to simplify the presentation in the remainder of the section, we first transform $P$ and $Q$ into a form without state invariants. The idea is to move the state invariants to transition guards. Given a timed automaton $A$ and any state $s$ with state invariant $L(s)$, we construct a timed automaton $A'$ as follows. Firstly, any outgoing transition $(s, e, \phi, X, s')$ from $s$ is changed to $(s, e, \phi \wedge L(s), X, s')$. Secondly, for any incoming transition $(s', e, \phi, X, s)$ of $s$, and for any clock constraint of the form $x \sim n$ where $\sim \in \{\le, <\}$ in $L(s)$, if $x \notin X$, conjunct $\phi$ with $x \sim n$. For instance, given the timed automaton in Fig. 2(a), we construct the one in Fig. 2(b). The state invariant $x \le 3$ of state s3 is added to the transition from s2 to s3 and to the transition from s3 to s1. By a simple induction, it can be shown that the set of finite timed words that can be obtained from $A'$ is the same as that of $A$.

Fig. 2. Timed automata examples. (a) A timed automaton with locations s1, s2 and s3, a transition from s1 to s2 with guard $x \ge 3$ and event $e$, transitions from s2 to s3 and from s3 to s1, and state invariant $x \le 3$ on s3. (b) The same automaton after the invariant of s3 has been moved onto the transitions into and out of s3.
Notice that because A0 has no state invariants (i.e., time can
always elapse unboundedly at any state), every run of A0 is non-
Zeno by definition. For instance, for the example shown in Fig. 2,
after the transformation, the timed automaton can idle at state s3
forever. As a result, this transformation does not preserve L(A),
i.e., all Zeno runs in A become non-Zeno in A0 and a timed word
which is obtained only from Zeno runs in A is in L(A0) but not
in L(A). This is not an issue as non-Zenoness is always checked
based on the original timed automata, as we show in Section 5. In
the remainder of the section, we assume that all timed automata
are without state invariants unless otherwise stated.
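The transformation of Section 4.1 as an added Python example (not the paper's implementation). It uses a dictionary encoding of timed automata that is assumed here, with guards and invariants as lists of (clock, op, n) triples, and applies both steps to a constructed encoding of Fig. 2(a); the events on the transitions from s2 to s3 and from s3 to s1 are not shown in the figure and are named here. A second constructed variant resets $x$ on the way into s3, to show the case in which the invariant is not copied onto an incoming transition.

```python
"""Moving state invariants onto transition guards (added example; encoding assumed)."""


def remove_invariants(ta):
    """Return a copy of ta without state invariants (Section 4.1).

    ta = {"init", "clocks", "inv": loc -> [(clock, op, n)],
          "trans": [(src, event, guard, resets, dst)]}
    Step 1: every outgoing transition of s gets L(s) conjoined to its guard.
    Step 2: every incoming transition of s gets each x ~ n of L(s) unless x is
            reset by that transition (a reset clock reads 0 on entry, so a
            downward constraint with n >= 0 holds without being checked).
    """
    inv = ta["inv"]
    new_trans = []
    for (src, e, guard, resets, dst) in ta["trans"]:
        g = list(guard)
        g += list(inv.get(src, []))                                              # step 1
        g += [(x, op, n) for (x, op, n) in inv.get(dst, []) if x not in resets]  # step 2
        new_trans.append((src, e, g, list(resets), dst))
    return {**ta, "inv": {}, "trans": new_trans}


def guard_of(ta, src, dst):
    """Guard of the (unique, in these examples) transition from src to dst."""
    return next(g for (s, _, g, _, d) in ta["trans"] if s == src and d == dst)


# Constructed encoding of Fig. 2(a); events f and g on the unlabelled transitions are assumed.
FIG2A = {
    "init": ["s1"], "clocks": ["x"],
    "inv": {"s3": [("x", "<=", 3)]},
    "trans": [("s1", "e", [("x", ">=", 3)], [], "s2"),
              ("s2", "f", [], [], "s3"),
              ("s3", "g", [], [], "s1")],
}

# Constructed variant: the transition into s3 resets x, so step 2 does not apply to it.
FIG2A_RESET = {**FIG2A,
               "trans": [("s1", "e", [("x", ">=", 3)], [], "s2"),
                         ("s2", "f", [], ["x"], "s3"),
                         ("s3", "g", [], [], "s1")]}
```

`remove_invariants(FIG2A)` produces the automaton of Fig. 2(b): the guard $x \le 3$ appears on both the transition into s3 and the transition out of it, and no location keeps an invariant.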
4.2 Unfolding
The idea of unfolding the original timed automaton into an infinite
timed tree is adopted from [5]. The reason for the unfolding is that
the infinite timed tree has the input-determinacy property, with
which we can determinize this tree during the construction of the
product.
In the following, we first show how to construct an unfolding
of Q which is equivalent to Q through an example. Given the
timed automaton Q in Fig. 3(a), Fig. 3(c) shows the infinite timed
tree after unfolding Q. A fresh clock is introduced at every level
and used to replace the original clocks, i.e., x and y are replaced
by clocks from a set $Z = \langle z_0, z_1, z_2, \cdots \rangle$. At level 0, we are
at state q0 and introduce a clock z0. Since clock x and clock y
start at the same time as z0, we can use z0 to replace x and y
in the transition guard from q0 at level 0 to the nodes at level 1.
Because at level 0, the reading of clock z0 is relevant to the future
system behavior (i.e., there is a transition guard whose truth value
depends on z0), we say that z0 is active at this node. In the tree,
we label every node with a pair (q, A) where q is a location and
A is a set of active clocks.
Two transitions from the level-0 node lead to the nodes of level
1, corresponding to the transitions from location q0 to locations q0
and q1 in Fig. 3(a). The clock constraint x < 5 is rewritten to
z0 < 5 using the active clock z0 from the source node. A fresh
clock z1 is introduced along the transitions. Notice that the node
with location q0 at level 1 is labelled with a set of two active
clocks. z1 is active at location q0 at level 1 since it can be used
to replace clock x which is reset along the transition, whereas z0
is active because it is used to replace clock y which is not reset
along the transition.
Fig. 3. Unfolding timed automata into infinite timed trees (panels: (a) a timed automaton Q; (b) a timed automaton Q'; (c) unfolding Q; (d) unfolding Q'; tree nodes are labelled with (location, active clocks) per level L0, L1, L2, L3 and edges with the rewritten guard, event and reset clock; figure not reproduced in text).
The set of active clocks of the node with
location q1 at level 1 is the singleton {z0} since neither of the clocks x
and y is reset along the transition. Here z1 is not active as its
reading is irrelevant to future transitions from q1. Following the
same construction, we build the tree level by level.
In the following, we define the unfolding of Q formally. Let
Z = ⟨z0, z1, z2, ...⟩ be an infinite sequence of fresh clocks. The
unfolding of Q is an infinite timed tree, which can be viewed as a
timed automaton Q∞ = (S∞, Init∞, Σ, Z, T∞) with infinitely
many locations. Furthermore, we assume that Q∞ is associated
with a function level such that level(n) is the level of node n in
the tree for all n ∈ S∞. A state n in S∞ is of the form (q, A)
where q ∈ Sq and A is a set of clocks in Z. Given any state n,
we define a function fn : Cq → Z which maps ordinary clocks in
Cq to active clocks in Z. In an abuse of notation, given a clock
constraint φ on Cq, we write fn(φ) to denote the clock constraint
obtained by replacing clocks in Cq with those in Z according to
fn. The initial states Init∞ and transition relation T∞ are the
minimum sets satisfying the following.
• For any q ∈ Initq, there is a level-0 node n = (q, {z0})
in Init∞ with level(n) = 0 and fn(c) = z0 for all c ∈ Cq.
• For each node n = (q, A) at level i and for each transition
(q, e, φ, X, q') ∈ Tq, we add a node n' = (q', A') at level
i+1 where A' is the minimum set satisfying the following
conditions: (1) if c ∈ Cq \ X, then fn'(c) = fn(c) and
fn'(c) is contained in A'; (2) if c ∈ X, fn'(c) = z_{i+1} and
z_{i+1} is contained in A'; (3) level(n') = i+1. Afterwards,
we add a transition (n, e, fn(φ), {z_{i+1}}, n') to T∞.
Note that transitions at the same level have the same set of
resetting clocks, which contains exactly one clock. Given a node
n = (q, A) in the tree, observe that not every clock x in A
is active. Hereafter, we assume that inactive clocks are always
removed. The infinite timed trees constructed this way may or
may not be finitely-branching. For instance, the tree in Fig. 3(c)
is finitely-branching, as there are at most 4 branches from one
level to the next. Furthermore, the number of clocks at each
level is bounded by 3. Another example is shown in Fig. 3(d),
which is obtained by unfolding the timed automaton shown in
Fig. 3(b). More and more branches are generated during the
level-by-level construction. As a result, the number of clocks
becomes unbounded. These observations are closely linked to the
termination of the language inclusion checking algorithm which is
introduced later.
4.3 Constructing the Abstract Product
Following the result in [5], it can be shown that the sets of finite
timed words obtained from Q and from Q∞ are equivalent. In
the following, we define a zone graph for the product of P and
the determinization of Q∞, referred to as the abstract product, based
on which we solve the language inclusion checking problem.
The abstract product is an LTS Z∞ = (S, Init, Σ, T). A state
in Z∞ is of the form (sp, Xq, δ) such that sp ∈ Sp; Xq is a set
of nodes in Q∞; and δ is a clock constraint over the clocks
in Cp and Q∞. Recall that a node of S∞ is of the form (sq, A)
where sq ∈ Sq and A is a set of active clocks. Given a set of
nodes Xq of S∞, we write Act(Xq) to denote the set of all active
clocks, i.e., {c | ∃(sq, A) ∈ Xq . c ∈ A}. δ constrains all clocks in
Act(Xq). We remark that a state in Z∞ encodes a set of states in
C(P) ⊗ det(C(Q)). The set of initial states Init is defined as
follows: {(sp, Init∞, (Cp ∪ Act(Init∞) = 0)↑) | sp ∈ Initp}.
Next, we define T by showing how to generate successors
of a given abstract configuration (sp, Xq, δ), which is illustrated
in Fig. 4. For every event e ∈ Σ, let T∞(e, Xq) be the set of
transitions in T∞ which start with a state in Xq and are labeled
with event e. Notice that the guard conditions of transitions in
T∞(e, Xq) may not be mutually exclusive. We define a set of
constraints Cons(e, Xq) such that each element in Cons(e, Xq)
is a constraint which conjoins, for each transition in T∞(e, Xq),
either the transition guard or its negation. Notice that elements
in Cons(e, Xq) are by definition mutually exclusive. Given
(sp, Xq, δ) and a transition (sp, e, gp, Xp, s'p) in P, for each
g ∈ Cons(e, Xq) we generate a successor (s'p, X'q, δ') such that
the following conditions are satisfied.
• For any state (sq, A) ∈ Xq and any transition
((sq, A), e, gq, Yq, (s'q, A')) ∈ T∞(e, Xq), (s'q, A') ∈
X'q if and only if δ ∧ gp ∧ g ∧ gq is not false.
• All states in Xq are at the same level and thus all transi-
tions in T∞(e, Xq) have the same resetting clock. Let y
be that clock and δ' = ([{y} ∪ Xp := 0](δ ∧ g ∧ gp))↑.
• The transition from (sp, Xq, δ) to (s'p, X'q, δ') is labeled
with e.
Fig. 4. Generating successors (from (sp, Xq = {..., (sq, A), ...}, δ), the transitions gq, e, Yq of T∞(e, Xq) and the transition gp, e, Xp of P are combined, for each g ∈ Cons(e, Xq), into an edge δ ∧ gp ∧ g, e, Xp ∪ {y} leading to the successor (sp', Xq', δ'); figure not reproduced in text).
We illustrate the above construction using the example in
Fig. 5, where Fig. 5(a) is P and Fig. 5(b) is the infinite
timed tree Q∞. The only initial state of the abstract product
is (p0, {(q0, {z0})}, 0 ≤ x = z0), as shown at the top of
Fig. 5(c). As shown in Fig. 5(b), there are two transitions from
node (q0, {z0}) labeled with event a, which are contained in
T∞(a, {(q0, {z0})}). One of the transitions has the guard z0 < 5
and the other one has the guard 'true'. The set Cons(a, Xq)
contains the following constraints: z0 < 5 and z0 ≥ 5. Taking
the transition from p0 to p0 in P, we generate two potential
successors, one for each of the constraints in Cons(a, Xq), as shown
in Fig. 5(c). Similarly, we can generate other states level by level. Note
that for readability, we additionally label the edges in Fig. 5(c)
with the corresponding guard condition and the resetting clocks.
The abstract product graph is always infinite-state as there are
infinitely many clocks. In the following, we show how to reduce
the number of states by reducing the number of clocks, which is
inspired by [5]. Intuitively, given any abstract state (sp, Xq, δ)
in Z∞, instead of always using a new clock in Z, we can
reuse a clock which is not currently active, or equivalently not
in Act(Xq). We denote the zone graph after renaming as Zr. It is
easy to show that Zr and Z∞ are equivalent [5].
The result of renaming Fig. 5(c) is shown in Fig. 6. For
instance, given the configuration on the left of level 3 in Fig. 5(c),
there are three active clocks z0, z2 and z3. We can reuse z1 and
systematically rename z3 to z1 since z1 is not active. Notice that
after renaming, the number of clocks may still be infinite, e.g., the
tree as shown in Fig. 3(d).
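As an added illustration of the level-by-level construction of Section 4.2 and of the clock reuse just described (example code written for this page, not part of the paper or of PAT), the following Python builds the unfolding of the two automata read off Fig. 3(a) and 3(b): Q has transitions q0 -x<5, a, {x}-> q0, q0 -a-> q1 and q1 -y<20, a, {x}-> q1, while Q' resets x on q0 -a-> q1 and not on q1 -y<20, a-> q1. A' is computed as in the two bullets of the definition (the image of every ordinary clock, without any further activeness pruning), and, as a simplification, clock reuse is applied per tree level, taking the smallest clock that is not active anywhere at that level instead of a clock outside Act(Xq) of one product state.

```python
"""Unfolding a timed automaton (no state invariants) into the infinite timed
tree of Section 4.2, level by level, with optional clock reuse (Section 4.3).
Example code written for this page; the automata are read off Fig. 3(a)/(b)."""
from collections import namedtuple

# Transitions are (src, event, guard, resets, dst); a guard is a tuple of
# atoms (clock, op, constant), e.g. (("x", "<", 5),) for x < 5.
TimedAutomaton = namedtuple("TimedAutomaton", "init clocks transitions")


def rewrite(guard, fn):
    """f_n(phi): replace every ordinary clock in phi by its tree clock."""
    return tuple((fn[c], op, k) for c, op, k in guard)


def unfold(Q, depth, rename=False):
    """Build levels 0..depth of Q's unfolding.

    levels[i] maps a node key (q, fn), fn being the map from Q's clocks to
    tree clocks stored as a frozenset of pairs, to the node's clock set A.
    edges lists (src (q, A), event, rewritten guard, reset set, dst (q', A')).
    With rename=True the clock reset at level i is the smallest z_j that is
    not active at level i (per-level simplification of the renaming of
    Section 4.3, which reuses a clock outside Act(Xq) of one product state).
    """
    level0 = {}
    for q in Q.init:  # level-0 nodes: every ordinary clock is replaced by z0
        fn = frozenset((c, "z0") for c in Q.clocks)
        level0[(q, fn)] = frozenset({"z0"})
    levels, edges = [level0], []
    for i in range(depth):
        active = set().union(*levels[i].values())
        if rename:
            j = 0
            while f"z{j}" in active:
                j += 1
            fresh = f"z{j}"
        else:
            fresh = f"z{i + 1}"
        nxt = {}
        for (q, fn_pairs), A in levels[i].items():
            fn = dict(fn_pairs)
            for src, e, guard, resets, dst in Q.transitions:
                if src != q:
                    continue
                # (1) clocks not reset keep their tree clock; (2) reset clocks
                # map to the fresh clock; A' is the set of all images.
                fn2 = {c: fresh if c in resets else fn[c] for c in Q.clocks}
                A2 = frozenset(fn2.values())
                nxt[(dst, frozenset(fn2.items()))] = A2
                edges.append(((q, A), e, rewrite(guard, fn),
                              frozenset({fresh}), (dst, A2)))
        levels.append(nxt)
    return levels, edges


def nodes_at(levels, i):
    """The (location, clock set) labels of the nodes at level i."""
    return {(q, A) for (q, _), A in levels[i].items()}


def clocks_used(levels):
    """All tree clocks appearing at any built level, in index order."""
    return sorted({z for lv in levels for A in lv.values() for z in A},
                  key=lambda z: int(z[1:]))


# Fig. 3(a): q0 -x<5,a,{x}-> q0, q0 -a-> q1, q1 -y<20,a,{x}-> q1
Q = TimedAutomaton(["q0"], ["x", "y"], [
    ("q0", "a", (("x", "<", 5),), {"x"}, "q0"),
    ("q0", "a", (), set(), "q1"),
    ("q1", "a", (("y", "<", 20),), {"x"}, "q1"),
])
# Fig. 3(b): as Q, but q0 -a-> q1 resets x and q1 -y<20,a-> q1 does not
Qp = TimedAutomaton(["q0"], ["x", "y"], [
    ("q0", "a", (("x", "<", 5),), {"x"}, "q0"),
    ("q0", "a", (), {"x"}, "q1"),
    ("q1", "a", (("y", "<", 20),), set(), "q1"),
])

if __name__ == "__main__":
    for name, aut in (("Q", Q), ("Q'", Qp)):
        lv, _ = unfold(aut, 4)
        print(name, "nodes per level:", [len(l) for l in lv],
              "clocks:", clocks_used(lv))
        lv, _ = unfold(aut, 8, rename=True)
        print(name, "after renaming, clocks:", clocks_used(lv))
```

For Q the number of nodes per level stays at 3 and renaming keeps the tree within z0..z3, whereas for Q' every level adds one node and one clock that never becomes inactive, which is the unbounded growth of Fig. 3(d).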
5 LANGUAGE INCLUSION WITH NON-ZENONESS
In the following, we first show how to check whether the set of
finite timed words of P is a subset of that of Q based on Zr and
then show how to solve the language inclusion checking problem
with non-Zenoness.
5.1 Checking Language Inclusion with Non-Zenoness
Given a state (sp, Xq, δ) in Zr, we need to check, for any
timed event that sp can perform, whether Xq can perform the same
timed event. Notice that one of the constraints in Cons(e, Xq)
conjoins the negations of all guards of transitions in T∞(e, Xq).
Let us denote this constraint as neg. Given neg, assume the
corresponding successor is (s'p, X'q, δ'). It is easy to see that
X'q must be empty. If δ' is not false, intuitively there exists a
time point at which P can perform e whereas Q cannot. This is
illustrated by the example shown in Fig. 6. Given the left-most
abstract configuration of level 4 in the figure (named pq), the
constraint neg in Cons(a, Xq) is z0 ≥ 20. Conjoined with the
guard condition x < 10 and the constraint in node pq, it is not
false and there is a successor generated for neg, the node pq'
on the left-bottom of the figure. Note that Xq at this node is
empty. As a result, the problem of checking whether the set of
timed words of P is a subset of that of Q is reduced to checking
whether Zr contains a state (sp, Xq, δ) where Xq is empty.
Language inclusion checking with non-Zenoness is more com-
plicated because even if Xq is not empty, it might be that there are
only Zeno runs from Xq in Q with the clock valuation satisfying
δ. Recall that a state (sp, Xq, δ) in Zr encodes a set of states
of C(P) ⊗ det(C(Q)) (modulo clock renaming). By Theorem 1,
in order to check language inclusion, given a state (sp, Xq, δ)
in Zr, we need to check if the states encoded as (sp, Xq, δ)
include a witness state. In the following, we design a function
witness(sp, Xq, δ, P, Q) which returns true if and only if the
states encoded as (sp, Xq, δ) include a witness state. For instance,
given the state at the right of level 1 in Fig. 6, function witness
would return true since the set of states of P is non-Zeno, whereas
the one of Q is Zeno because clock y is bounded from above
but never reset afterwards (z0 represents clocks x and y with
x = y). As a result, we can immediately conclude that the
language inclusion with non-Zenoness is violated.
In order to realize function witness(sp, Xq, δ, P, Q), we
need to solve the underlying problem, i.e., given any timed
automaton A and a set of states of C(A), how do we check
whether there is a non-Zeno run from one of the states in the
set. We solve the problem by constructing a guessing zone
graph [23] based on the original automaton A without removing
the state invariants.
Definition 6: Let A = (S, Init, Σ, C, L, T) be a timed automa-
ton and (s0, δ0) be an abstract state where s0 ∈ S and δ0 is a
clock constraint. The guessing zone graph with respect to (s0, δ0),
denoted as GZG(A, s0, δ0), is an LTS (Sg, Initg, Σ × Φ(C) ×
2^C, Tg) such that a state in Sg is of the form (s, δ, Y) where
(s, δ) is an abstract state and Y ⊆ C; Initg = {(s0, δ0, C)};
and Tg is the smallest transition relation satisfying the following
conditions.
• ((s1, δ1, Y), e, φ, X, (s2, δ2, Y ∪ X)) ∈ Tg if t =
(s1, e, φ, X, s2) is a transition in A and there is a
transition ((s1, δ1), e, (s2, δ2)) in ZG(A) and there are
clock valuations v ∈ δ1, v' ∈ δ2 and d ∈ ℝ⁺ such
that v + d ∈ ⋀_{x ∈ C \ Y} x > 0 and v + d ∈ φ and
[X := 0](v + d) = v'.
• ((s, δ, Y), τ, true, ∅, (s, δ, Y')) ∈ Tg where Y' = ∅ or
Y' = Y, and τ is a special invisible event.
Fig. 5. An example of product (panels: (a) timed automaton P, with the single transition p0 -x<10, a, {x}-> p0; (b) infinite timed tree Q∞; (c) synchronous product, levels L0 to L4, each node labelled with (p0, Xq) and its zone δ and each edge with guard, event and resetting clocks; figure not reproduced in text).
Fig. 6. From language inclusion checking to reachability analysis (the product of Fig. 5(c) after clock renaming, levels 0 to 4, with the nodes pq and pq' marked; figure not reproduced in text).
Compared to zone graphs, guessing zone graphs contain extra
states and transition labels which are designed for detecting
Zenoness. Intuitively, there are two reasons why a path in the
zone graph disallows time from elapsing unboundedly. Either the
path has infinitely many transitions that bound some clock x from
above, but only finitely many transitions that reset x and, thus,
the duration of any run following the path is bounded. Or, the
path contains transitions that reset x, always followed by
transitions that require x = 0, and thus time cannot elapse at
all. The transitions which require x = 0 are called zero-checks.
Guessing zone graphs are designed to handle these two cases
explicitly. In particular, the Y component of a node (s, δ, Y)
allows us to infer that the clocks not in Y are strictly positive.
A node of the form (s, δ, ∅) is called a clear node, from which
every reachable zero-check is preceded by the reset of the clock
that is checked, and hence nothing prevents time from elapsing in
this node. An infinite path of the guessing zone graph is non-Zeno
if all clocks bounded from above are reset infinitely often and the
path contains a clear node [23]. A path is blocked if there is a
clock that is bounded from above infinitely often and reset only
finitely often by the transitions on the path. Otherwise the path is
called unblocked.
Given the automaton A shown in Fig. 1, Fig. 7 shows
the zone graph ZG(A) along with the guessing zone graph
GZG(A, s1, x ≥ 0), where self-loop τ-transitions are removed
for readability. An unblocked path containing a clear node, i.e., a
non-Zeno path, can be found in this guessing zone graph.
Fig. 7. A guessing zone graph with self-loop τ-transitions removed (panels ZG(A) and GZG(A); figure not reproduced in text).
Fig. 8. A guessing zone graph with zero checks (panels B, ZG(B) and GZG(B); figure not reproduced in text).
Fig. 8 shows a timed automaton with zero-checks, together with the
corresponding zone graph and guessing zone graph (with self-loop
τ-transitions removed). Obviously, there are no non-Zeno runs in
automaton B. This is reflected in the guessing zone graph, where
the infinite path in the graph (containing the two states labeled
with (S2, x ≥ 0, {x}) and (S3, x ≥ 0, {x}) respectively) does not
contain a clear node.
Theorem 2: A node in GZG(A, s, δ) is non-Zeno if and
only if it can reach a strongly connected component (SCC) in
GZG(A, s, δ) which contains a clear node and in which a path that
visits every node and edge of the SCC is unblocked.
Proof: The proof follows the proof of Theorem 2 in [23].
Intuitively, if a node in GZG(A, s, δ) can reach such an SCC,
there must be an infinite run starting from the node such that
neither of the two reasons why a run could disallow time from
elapsing unboundedly applies. Thus, function witness(sp, Xq, δ, P, Q)
can be realized with the following steps. Firstly, we extract the
set of states of the implementation as (sp, δ[Cp]) and build
GZG(P, sp, δ[Cp]). Secondly, by analyzing GZG(P, sp, δ[Cp])
we answer whether (sp, δ[Cp]) is non-Zeno. Similarly, we answer
whether (sq, δ[A]) is non-Zeno for every (sq, A) ∈ Xq. If
(sp, δ[Cp]) is non-Zeno and all (sq, δ[A]) are Zeno, we return
true. The above method is computationally expensive as the worst
case complexity of constructing the guessing zone graph and
checking whether it contains one such SCC is |ZG| · (|C| + 1)²,
where |ZG| is the size of the zone graph and |C| is the number of
clocks. In practice, the algorithm can be improved by constructing
only a small part of the guessing zone graph [23].
Furthermore, we can improve the above approach for imple-
menting function witness by caching the states which have been
identified as Zeno or non-Zeno. To see how it works, let us first
implement a function nz(s, δ, A, NZSet, ZSet) which takes an
abstract state (s, δ) and the corresponding timed automaton A
as inputs and returns true if and only if (s, δ) is non-Zeno.
The implementation of the function is shown as Algorithm 1.
Algorithm 1: Function nz(s, δ, A, NZSet, ZSet)
Input: timed automaton A and an abstract state (s, δ)
Output: true if and only if (s, δ) is non-Zeno
1: if there exists (s, δ') in NZSet such that δ' ⊆ δ then
2: return true;
3: end if
4: if there exists (s, δ') in ZSet such that δ ⊆ δ' then
5: return false;
6: end if
7: construct GZG(A, s, δ);
8: for all (s', δ') in GZG(A, s, δ) do
9: if (s', δ') is non-Zeno by Theorem 2 then
10: add (s', δ') into NZSet;
11: else
12: add (s', δ') into ZSet;
13: end if
14: end for
15: return true iff (s, δ) is non-Zeno by Theorem 2;
We maintain two variables NZSet and ZSet which are sets
of abstract states which are known to be non-Zeno and Zeno
respectively. Given a new abstract state (s, δ), if there is a non-
Zeno state (s, δ') in NZSet such that δ' ⊆ δ, (s, δ) is non-Zeno.
Similarly, if there is a state (s, δ') in ZSet such that δ ⊆ δ',
(s, δ) is Zeno. Otherwise, we construct GZG(A, s, δ) and rely
on Theorem 2 to answer whether (s, δ) is non-Zeno or not, while
updating the two sets NZSet and ZSet accordingly. We further
remark that we only need to keep the maximal elements in NZSet
and ZSet. That is, any state (s, δ) in NZSet (or ZSet) can be
omitted if there exists a state (s, δ') such that δ' ⊆ δ (or δ ⊆ δ').
In other words, NZSet and ZSet are anti-chains [1], [40].
The detailed implementation of witness(sp, Xq,  ,P,Q)
is presented in Algorithm 2. It maintains four global variables:
NZSetp, ZSetp, NZSetq, ZSetq. In particular, NZSetp
(and ZSetp) is a set of abstract states which are known to be
non-Zeno (and Zeno) in P . Similarly, NZSetq (and ZSetq) is a
set of abstract states which are known to be non-Zeno (and Zeno)
in Q. The following establishes the correctness of Algorithm 2.
Lemma 1: witness(sp, Xq, δ, P, Q) returns true only if
(sp, Xq, δ) contains a witness state of C(P) ⊗ det(C(Q)).
Proof: Given a set of states (s, δ) of C(A), Algorithm 1 returns
true if and only if (s, δ) contains a non-Zeno state, by Theorem 2.
Recall that (sp, Xq, δ) encodes a set of states of the form (s, X)
of C(P) ⊗ det(C(Q)). Algorithm 2 returns true only at line 11.
Because of line 5, (sp, Xq, δ) must encode a state (s, X) such
that s is non-Zeno in C(P), by the correctness of Algorithm 1.
Because of lines 6 to 10, by the correctness of Algorithm 1, the states
in X must all be Zeno.
Furthermore, because of lines 1-3, either (s, X) has an
incoming transition labeled with an event in Σ (since all
transitions in Zr are labeled with events) or there is a state
(s', X') which does and (s, X) can be reached from (s', X') via
time delay only. In the latter case, X' must be Zeno (because of
lines 6 to 10) and by the definition of non-Zenoness, s' must be
non-Zeno. In either case, (sp, Xq, δ) contains a witness state and
thus, the lemma holds. □
Algorithm 2: Function witness(sp, Xq, δ, P, Q)
Input: P and Q and a state (sp, Xq, δ) of Zr
Output: true iff (sp, Xq, δ) contains a witness state
1: if (sp, Xq, δ) is the initial state of Zr then
2: return false;
3: end if
4: let NZSetp, ZSetp, NZSetq, ZSetq be empty sets;
5: if nz(sp, δ[Cp], P, NZSetp, ZSetp) is true then
6: for all (sq, A) ∈ Xq do
7: if nz(sq, δ[A], Q, NZSetq, ZSetq) is true then
8: return false;
9: end if
10: end for
11: return true;
12: end if
13: return false;
Lemma 2: If there is a state (sp, Xq, δ) in Zr containing a
witness state of C(P) ⊗ det(C(Q)), there is a reachable state
(s'p, X'q, δ') in Zr such that witness(s'p, X'q, δ', P, Q) returns
true.
Proof: If (sp, Xq, δ) contains a witness state (s, X) such
that s is non-Zeno and X is Zeno, the condition at line 1 of
witness(sp, Xq, δ, P, Q) must be false, since (s, X) must have
an incoming transition labeled with an event by definition. By
the correctness of Algorithm 1, the condition at line 5 must be
true. Next, we analyze two cases. If all other states contained in
(sp, Xq, δ) are witness states, witness(sp, Xq, δ, P, Q) returns
true at line 11. Otherwise, it returns false at line 8 because there
is a state (s', X') in (sp, Xq, δ) such that X' is not Zeno. In the
former case, the lemma holds. In the following, we show that in
the latter case, there must be a state (s'p, X'q, δ') reachable from
(sp, Xq, δ) such that witness(s'p, X'q, δ', P, Q) returns true.
Because X is Zeno and X' is not, there must be a state
(sq, vq) ∈ X which is Zeno and a state (sq, v'q) ∈ X' which
is not Zeno. Thus, there must be a non-Zeno run from (sq, v'q)
which is infeasible from (sq, vq). By induction, we can show
that there must be a transition which (sq, v'q) can fire after a
number of steps whereas (sq, vq) cannot. Let tr be the first
such transition. By the construction of Z∞, there must be at
least two states in Zr, one (say M) guarded by the transition
guard of tr and the other guarded by its negation (say N).
As a result, (sq, v'q) can only reach M whereas (sq, vq) can
only reach N. Furthermore, any concrete state in N reachable
from (sq, vq) must be Zeno (by definition). Since (sq, v'q) is
an arbitrary state in X', eventually (sp, Xq, δ) would reach a
state which contains only witness states. Thus, the lemma holds. □
Theorem 3: L(P) ⊆ L(Q) if and only if there is no state
(sp, Xq, δ) in Zr such that witness(sp, Xq, δ, P, Q) returns
true.
Proof: (if) If L(P) ⊆ L(Q) does not hold, by Theorem 1, there
is a witness state in C(P) ⊗ det(C(Q)). By Proposition 1, there
is a state in Zr which contains a witness state. By Lemma 2, there
is a state (sp, Xq, δ) in Zr such that witness(sp, Xq, δ, P, Q)
returns true.
(only if) If there is a reachable state (sp, Xq, δ) in Zr
such that witness(sp, Xq, δ, P, Q) returns true, by Lemma 1,
(sp, Xq, δ) contains a witness state. By Proposition 1, there is
a witness state in C(P) ⊗ det(C(Q)). By Theorem 1, L(P) ⊆
L(Q) does not hold. Thus, the theorem holds. □
5.2 Simulation Reduction
Let Fr be the set of states in Zr for which function witness
returns true. We have so far reduced the language inclusion
checking problem to the problem of checking whether a state in
Fr is reachable. Next, we improve the reachability analysis by
exploiting a simulation relation in Zr with respect to Fr.
In the following, we first show that the lower-upper bounds
(hereafter LU-bounds) simulation relation defined in [6] can be
extended to a simulation relation in Zr with respect to Fr. We
define two functions L and U. Given a state s in Zr and a
clock x ∈ Cp ∪ Z, we perform a depth-first search to collect
all transitions reachable from s without going through a transition
which resets x. Next, we set L(s, x) (resp. U(s, x)) to be the
maximal constant k such that there exists a constraint x > k or
x ≥ k (resp. x < k or x ≤ k) in a guard of those transitions. If
such a constant does not exist, we set L(s, x) (resp. U(s, x)) to
−∞. We remark that L(s, x) is always the same as U(s, x) for a
clock in Z because both guard conditions and their negations are
used in constructing Zr.
Next, we define a relation between two zones using the
LU-bounds and show that the relation constitutes a simulation
relation. Given two clock valuations v and v' at a state s and
the two functions L and U, we write v ⪯LU v' if for each
clock c, either v'(c) = v(c) or L(s, c) < v'(c) < v(c) or
U(s, c) < v(c) < v'(c). Given two zones δ1 and δ2, we write
δ1 ⪯LU δ2 to denote that for all v1 ∈ δ1, there is a v2 ∈ δ2 such
that v1 ⪯LU v2. The following shows that ⪯LU constitutes a
simulation relation.
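To make the functions L and U and the relation v ⪯LU v' concrete, here is an added Python example (written for this page, not the paper's or PAT's code) that computes the bounds by the depth-first search just described and checks the relation on a small automaton constructed for this purpose (locations l0, l1; clocks x, y). It assumes that the guard of the transition resetting x is itself still collected, since a guard is evaluated before the reset on the same transition takes effect.

```python
"""LU-bounds of Section 5.2 and the valuation relation v <=_LU v'.
Added example for this page, not the paper's implementation."""

NEG_INF = float("-inf")


def lu_bounds(transitions, s):
    """L(s, x) and U(s, x) for every clock x of the automaton.

    Depth-first search from s over transitions (src, event, guard, resets, dst):
    a transition that resets x contributes its own guard (assumption of this
    example: the guard is checked before the reset) but the search does not
    continue past it for x.  A bound that never occurs is -infinity.
    """
    clocks = {c for _, _, g, _, _ in transitions for c, _, _ in g}
    clocks |= {c for _, _, _, r, _ in transitions for c in r}
    L, U = {}, {}
    for x in clocks:
        lo, hi, seen, stack = NEG_INF, NEG_INF, set(), [s]
        while stack:
            loc = stack.pop()
            if loc in seen:
                continue
            seen.add(loc)
            for src, _, guard, resets, dst in transitions:
                if src != loc:
                    continue
                for c, op, k in guard:
                    if c == x and op in (">", ">="):    # x > k or x >= k
                        lo = max(lo, k)
                    elif c == x and op in ("<", "<="):  # x < k or x <= k
                        hi = max(hi, k)
                if x not in resets:                      # stop at resets of x
                    stack.append(dst)
        L[x], U[x] = lo, hi
    return L, U


def lu_simulated(v, v2, L, U):
    """v <=_LU v': for each clock c, v'(c) = v(c), or L(c) < v'(c) < v(c),
    or U(c) < v(c) < v'(c)."""
    return all(v2[c] == v[c] or L[c] < v2[c] < v[c] or U[c] < v[c] < v2[c]
               for c in v)


# Constructed automaton: l0 -x>2,a-> l1, l1 -y<7,b,{x}-> l0, l0 -x<9,c,{y}-> l1
EXAMPLE = [
    ("l0", "a", (("x", ">", 2),), set(), "l1"),
    ("l1", "b", (("y", "<", 7),), {"x"}, "l0"),
    ("l0", "c", (("x", "<", 9),), {"y"}, "l1"),
]

if __name__ == "__main__":
    for loc in ("l0", "l1"):
        L, U = lu_bounds(EXAMPLE, loc)
        print(loc, "L =", L, "U =", U)
    L1, U1 = lu_bounds(EXAMPLE, "l1")
    # At l1 the value of x is reset (by b) before any guard reads it again,
    # so L(l1, x) = U(l1, x) = -inf and valuations differing only in x are
    # LU-simulated; at l0 the same pair is not, since x > 2 and x < 9 matter.
    print(lu_simulated({"x": 1, "y": 3}, {"x": 100, "y": 3}, L1, U1))
```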
Lemma 3: Let (s, X, δi) where i ∈ {0, 1} be two states of Zr.
(s, X, δ1) simulates (s, X, δ0) w.r.t. Fr if δ0 ⪯LU δ1.
Proof: First we show that (s, X, δ0) ∈ Fr implies (s, X, δ1) ∈
Fr. (*) If (s, δ0[Cp]) is non-Zeno, (s, δ1[Cp]) is also non-Zeno
because δ0 ⪯LU δ1 implies δ0 ⊆ δ1. (**) By definition,
L(sx, c) is always the same as U(sx, c) for any clock c in A,
which can be seen as the classical maximal bounds discussed
in [8]. Following the result in [8], we conclude that for all
(sx, A) ∈ X, if δ0 ⪯LU δ1, (sx, δ0[A]) is non-Zeno if and only
if (sx, δ1[A]) is. Thus if witness(s, X, δ0, P, Q) returns true at
line 11, witness(s, X, δ1, P, Q) must return true by (*) and (**).
Next, we show that if (s, X, δ0) transitions to (s', X', δ'0)
through an event e, there must be a corresponding transition from
(s, X, δ1) to a state (s', X', δ'1) via e and δ'0 ⪯LU δ'1. By the
definition of Zr, if (s, X, δ0) transitions to (s', X', δ'0) through
an event e, there must be a transition (s, e, gp, Xp, s') in P and
δ'0 is ([Y ∪ Xp := 0](δ0 ∧ g ∧ gp))↑, where g ∈ Cons(e, X)
and Y is a certain set of clocks. By Lemma 3 of [6], we can
show that δ0 ∧ g ∧ gp is not false implies δ1 ∧ g ∧ gp is not
false (since δ0 ⪯LU δ1) and hence there must be a corresponding
transition from (s, X, δ1) to a state (s', X'', [Y ∪ Xp :=
0](δ1 ∧ g ∧ gp)). Next, following [6], we can show that
[Y ∪ Xp := 0](δ0 ∧ g ∧ gp) ⪯LU [Y ∪ Xp := 0](δ1 ∧ g ∧ gp).
Lastly, we show that X'' = X'. By definition, X'' is a set of
states of S∞ such that for any (s'', A'') ∈ X'', there exists a state
(s, A) ∈ X and a transition ((s, A), e, gs, Y, (s'', A'')) ∈ T∞
such that δ1 ∧ gp ∧ g ∧ gs is not false. X' is similarly defined.
Since δ0 ⪯LU δ1, δ1 ∧ gp ∧ g ∧ gs is not false if δ0 ∧ gp ∧ g ∧ gs is
not false. Thus, X' ⊆ X''. Next, we show that if δ0 ∧ gp ∧ g ∧ gs
is false, then δ1 ∧ gp ∧ g ∧ gs is false and hence every state not in
X' is not in X'' and thus X' = X''. Thus the lemma holds. □
With the above lemma, given an abstract state (s, X, δ) of Zr,
we can enlarge the time constraint δ so as to include all clock
valuations which are simulated by some valuations in δ without
changing the result of reachability analysis. In the following, we
write LU(δ) to denote the set {v | ∃v' ∈ δ . v ⪯LU v'}. Notice
that we may not be able to represent this set as a convex time
constraint and there are techniques to get around this problem [6].
We construct an LTS, denoted as ZLUr, which replaces each state
(s, X, δ) in Zr with (s, X, LU(δ)). We denote the successors of
a state pq in ZLUr as post(pq, ZLUr). By a simple argument, we
can show that there is a reachable witness state in Zr if and only
if there is a reachable witness state in ZLUr.
5.3 The Algorithm
Lastly, we present an on-the-fly algorithm for language
inclusion checking with non-Zenoness. Let ZLUr be the
tuple (S, Init, Σ, T) where Init is the set of states (initp, Inits,
LU((Cp = 0 ∧ z0 = 0)↑)). Algorithm 3 constructs ZLUr
on-the-fly while performing reachability analysis with simulation
reduction and non-Zenoness checking. It maintains two data
structures. One is a set working which stores states in S which
are yet to be explored. The other is a set done which contains
states which have already been explored. Initially, working is
set to be Init and done is empty. During the loop from line 3 to
line 14, each time a state is removed from working and added
to done. If the state is a witness state, we return false at line 7.
We generate successors of ps at line 9, and they are added into
working so that they are explored later. Lastly, we return true
at line 15 after exploring all states. The following theorem states
that the algorithm always produces correct results.
Theorem 4: Algorithm 3 returns true if and only if L(P) ⊆ L(S).
Proof: Given a state ps in ZLUr, we define the distance Dist(ps) ∈
ℕ ∪ {∞} as the length of the shortest trace for ps to reach a state in
Fr. If no witness state can be reached from ps, Dist(ps) = ∞.
Dist(ps) = 0 if and only if ps is a witness state. Next, we
lift the function to a set of states. Given a set Y of states of
ZLUr, if Y = ∅ then Dist(Y) = ∞, otherwise Dist(Y) =
min_{ps ∈ Y} Dist(ps). It can be proven that the loop in Algorithm 3
preserves the following two invariants.
• There exists a witness state ps in working ∪ done if and
only if ps is reachable from some state in Init.
• If there is a reachable witness state, Dist(done) >
Dist(working).
Algorithm 3 returns false only at line 7. In such a case,
a state in Fr is reachable from Init by the first invariant
and thus L(P) ⊆ L(S) does not hold. Algorithm 3 returns
true only when working is empty, which implies that
Dist(done) > Dist(working) is not true. By the second
invariant, L(P) ⊆ L(S) holds. Thus, the theorem holds. □
Algorithm 3: Language Inclusion Checking
1: let working := Init;
2: let done := ∅;
3: while working ≠ ∅ do
4: take ps = (sp, Xs, δ) out from working;
5: add ps into done;
6: if witness(sp, Xs, δ) returns true then
7: return false;
8: end if
9: for all (s'p, X's, δ') ∈ post(ps, ZLUr) do
10: if (s'p, X's, δ') ∉ done then
11: put (s'p, X's, δ') into working;
12: end if
13: end for
14: end while
15: return true;
Next, we establish a sufficient condition for the termination of the
algorithm.
Theorem 5: Let S be the set of states of ZLUr. If S is finite,
Algorithm 3 terminates. □
The above theorem implies that our algorithm always terminates
if the clock boundedness condition defined in [5] is satisfied. The
clock boundedness condition is satisfied if the number of clocks
in Zr is bounded. It has been shown in [5] that if the boundedness
condition is satisfied, Zr and hence ZLUr have a bounded number
of clocks and the set S is finite (assuming that maximum ceiling
zone normalization is applied).
6 EVALUATION
Our method has been implemented with 46K lines of C# code
and integrated into the PAT model checker [32]. In our implementation,
convex zones are encoded as difference bound matrices
(DBM) and zone operations are cast to operations on DBMs.
Interested readers are referred to [7], [8] for details on DBM
implementation. Note that in our setting, a zone may not be
convex, e.g., x > 2 ∨ y < 3 (due to negation used in constructing
Zr), and thus cannot be represented as a single DBM. Such non-
convex zones can be represented either as a difference bound logic
formula, as shown in [4], or as a set of DBMs. In this work,
the latter approach is adopted for efficiency. In the following,
we evaluate our approach in order to show the feasibility of
our algorithm. All experimental data are obtained using a PC with
an Intel(R) Core(TM) i7-2600 CPU at 3.40 GHz and 8.0 GB RAM.
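The DBM encoding and the set-of-DBMs representation of a non-convex zone, as an added example (not the PAT implementation, which is C# and not shown on this page). Clocks are indexed 1..n with index 0 as the reference clock that is always 0, and an entry M[i][j] = (c, strict) encodes x_i − x_j < c or x_i − x_j ≤ c; the canonical form is computed by Floyd–Warshall closure, and the running non-convex zone is the paper's x > 2 ∨ y < 3 kept as two DBMs.

```python
"""Convex zones as DBMs and a non-convex zone as a set of DBMs.

Added example, not the PAT implementation.  Clocks are indexed 1..n
with index 0 the reference clock that is always 0, so a DBM entry
M[i][j] = (c, strict) encodes x_i - x_j < c (strict) or x_i - x_j <= c.
"""
import math

INF = (math.inf, True)      # no constraint on x_i - x_j
ZERO = (0, False)           # x_i - x_j <= 0


def tighter(a, b):
    """True iff bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def add(a, b):
    """Compose two bounds along the path x_i - x_k, x_k - x_j."""
    return (a[0] + b[0], a[1] or b[1])


def dbm_universe(n):
    """The zone in which the n clocks are only required to be >= 0."""
    M = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        M[i][i] = ZERO
        M[0][i] = ZERO       # x_0 - x_i <= 0, i.e. x_i >= 0
    return M


def constrain(M, i, j, bound):
    """Intersect zone M with the constraint x_i - x_j (< | <=) c."""
    M = [row[:] for row in M]
    if tighter(bound, M[i][j]):
        M[i][j] = bound
    return M


def canonical(M):
    """Floyd-Warshall closure: every entry becomes the tightest implied bound."""
    n = len(M)
    M = [row[:] for row in M]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = add(M[i][k], M[k][j])
                if tighter(via, M[i][j]):
                    M[i][j] = via
    return M


def is_empty(M):
    """A DBM is empty iff its closure has a diagonal entry below 0 (a negative cycle)."""
    M = canonical(M)
    return any(tighter(M[i][i], ZERO) for i in range(len(M)))


def zone(n, constraints):
    """Convex zone over n clocks built from (i, j, bound) triples."""
    M = dbm_universe(n)
    for i, j, bound in constraints:
        M = constrain(M, i, j, bound)
    return canonical(M)


# The paper's non-convex zone x > 2 or y < 3 (clock 1 = x, clock 2 = y)
# as a set of two DBMs:  x > 2 is x_0 - x_1 < -2,  y < 3 is x_2 - x_0 < 3.
def example_zone():
    return [zone(2, [(0, 1, (-2, True))]),
            zone(2, [(2, 0, (3, True))])]


def intersect_union(zones, constraints):
    """Intersection distributes over the union: constrain every DBM and
    drop the members that became empty."""
    out = []
    for M in zones:
        for i, j, bound in constraints:
            M = constrain(M, i, j, bound)
        if not is_empty(M):
            out.append(canonical(M))
    return out


def check_complement():
    """(x > 2 or y < 3) and (x <= 2 and y >= 3) must be empty."""
    complement = [(1, 0, (2, False)),    # x - x_0 <= 2
                  (0, 2, (-3, False))]   # x_0 - y <= -3, i.e. y >= 3
    return len(intersect_union(example_zone(), complement)) == 0


def check_overlap():
    """(x > 2 or y < 3) and (x <= 1 and y <= 4): only the y < 3 disjunct survives."""
    box = [(1, 0, (1, False)), (2, 0, (4, False))]
    return len(intersect_union(example_zone(), box))


if __name__ == "__main__":
    print(check_complement(), check_overlap())
```

Intersecting the union with the negation of both disjuncts empties every member, which is how a set-of-DBMs representation answers the inclusion and emptiness questions the algorithm asks; keeping the members canonical after each step is what makes the diagonal test in `is_empty` sound.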
In the first empirical study, we model and verify benchmark
timed systems using our semi-algorithm and evaluate its performance.
The objective is to show our approach is reasonably
scalable (i.e., terminates within a reasonable amount of time) in
verifying these systems. The benchmark systems include Fischer's
mutual exclusion protocol (Fischer for short), Lynch-Shavit's
mutual exclusion protocol (Lynch), the railway control system (Railway),
and the CSMA/CD protocol (CSMA). The results are shown
in Table 1, where the symbol '-' means either the verification time
is more than 2 hours or an out-of-memory exception happens. The
systems are all built as networks of timed automata, and the
number of processes is shown in column 'System'. The verified
properties are requirements on the systems specified using timed
automata (following the timed patterns documented in [17], [19]).
Some of the properties contain one timed automaton with one
clock, while some are networks of timed automata with more
than one clock (i.e., one clock for each timed automaton). In the
table, column '|Cq|' is the number of clocks in the specification.
The systems in the same group, e.g., Lynch*4 and Lynch*5,
have the same specification. Column ‘Det’ shows whether the
specification is deterministic or not. The results of our semi-
algorithm are shown in column ‘Non-Zenoness with Reduction’,
which is compared with the algorithm without the assumption of
non-Zenoness (column ‘without Non-Zenoness’). In order to show
the efficiency of the simulation reduction, we also present the
results of the algorithm without simulation reduction, as shown
in column ‘Non-Zenoness without Reduction’. The number of
transitions includes the transitions when constructing the product,
and the transitions generated in Algorithm 2.
The results in Table 1 show that in all these cases, our semi-
algorithm terminates, which is partly due to the fact that the
properties people verify these systems against are often not very
complicated. Compared to language inclusion checking without
non-Zenoness, checking with non-Zenoness incurs quite some
computational overhead, mainly due to the construction (multiple
times) of the guessing zone graphs. Lastly, it is evident
that the simulation reduction is helpful in reducing the number of
explored transitions and consequently the checking time.
In the second empirical study, we investigate how often our
semi-algorithm terminates. We extend the approach on generating
non-deterministic finite automata in [33] to automatically generate
random timed automata, and then apply our semi-algorithm for
language inclusion checking with non-Zenoness. Without loss of
generality, a generated timed automaton always has one initial
state and the alphabet is {0, 1}. In addition, the following parameters
are used to control the random generation process: the
number of states |S|, the number of clocks |C|, a parameter Dt for
transition density and a clock ceiling. We generate k transitions
(and hence the transition density for the events in the alphabet is
Dt = k/(2|S|)) and distribute the transitions randomly among
all |S| states (the two events 0 and 1 are also distributed on the
transitions, where the number for event 0 is num = k/2 and the
one for event 1 is (k − num)). For instance, if |S| is set to 6 and
Dt is set to 1.1, we randomly generate 13 transitions (rounded off
to the nearest integer). For each transition, the clock constraint and
the reset clocks are generated randomly according to the clock
ceiling. We remark that if both implementation and specification
models are generated randomly, language inclusion almost always
fails. Thus, in order to have cases where language inclusion does
hold, we generate a separate group of implementation-specification
pairs by generating an implementation first, and then randomly
adding 20% transitions to obtain the specification.
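The random generation procedure just described, written out as an added example (it is not the authors' generator, which is not on this page). It follows the stated parameters (|S|, |C|, Dt, clock ceiling, alphabet {0, 1}, one initial state, k = Dt · 2|S| transitions, num = k/2 transitions on event 0, and a specification obtained by adding 20% transitions to the implementation); the guard shape (at most one comparison per clock, chosen with probability 1/2), integer division for k/2 when k is odd, and the seeded RNG are assumptions made here.

```python
"""Random timed-automaton generator following the parameters of the
second empirical study.  Added example, not the generator used by the
authors: the guard shape (one comparison per clock with probability
1/2), integer division for num = k/2 when k is odd, and the seeded RNG
are assumptions made here.
"""
import random


def transition_count(n_states, density):
    """k transitions give density Dt = k / (2|S|); invert and round."""
    return round(density * 2 * n_states)


def random_guard(n_clocks, ceiling, rng):
    """One comparison per clock with probability 1/2, constants <= ceiling."""
    guard = []
    for c in range(n_clocks):
        if rng.random() < 0.5:
            op = rng.choice(("<", "<=", ">", ">="))
            guard.append((f"x{c}", op, rng.randint(0, ceiling)))
    return tuple(guard)


def random_resets(n_clocks, rng):
    """Each clock is reset on the transition with probability 1/2."""
    return tuple(f"x{c}" for c in range(n_clocks) if rng.random() < 0.5)


def random_transition(n_states, n_clocks, ceiling, event, rng):
    """(source, event, guard, resets, target) with source/target drawn at random."""
    return (rng.randrange(n_states), event,
            random_guard(n_clocks, ceiling, rng),
            random_resets(n_clocks, rng),
            rng.randrange(n_states))


def generate(n_states, n_clocks, density, ceiling, rng):
    """Timed automaton over alphabet {0, 1} with the single initial state 0."""
    k = transition_count(n_states, density)
    num_zero = k // 2                      # event 0 gets num = k/2 transitions
    events = [0] * num_zero + [1] * (k - num_zero)
    rng.shuffle(events)                    # spread the two events over the transitions
    transitions = [random_transition(n_states, n_clocks, ceiling, ev, rng)
                   for ev in events]
    return {"states": n_states, "clocks": n_clocks, "init": 0,
            "ceiling": ceiling, "transitions": transitions}


def specification_from(impl, rng, extra=0.2):
    """Specification that keeps every implementation transition and adds
    20% more at random; every run of impl is then also a run of spec."""
    spec = dict(impl)
    spec["transitions"] = list(impl["transitions"])
    for _ in range(round(extra * len(impl["transitions"]))):
        spec["transitions"].append(random_transition(
            impl["states"], impl["clocks"], impl["ceiling"], rng.randrange(2), rng))
    return spec


def density(ta):
    """Recover Dt from a generated automaton."""
    return len(ta["transitions"]) / (2 * ta["states"])


def example_pair(seed=7):
    """The worked case from the text: |S| = 6, Dt = 1.1 gives 13 transitions."""
    rng = random.Random(seed)              # seeded so the pair is reproducible
    impl = generate(6, 2, 1.1, 5, rng)
    return impl, specification_from(impl, rng)


if __name__ == "__main__":
    impl, spec = example_pair()
    print(len(impl["transitions"]), len(spec["transitions"]), density(impl))
```

Because the specification keeps the implementation's locations, initial state and all of its transitions, inclusion holds for these pairs by construction, which is what makes them useful for measuring how often the semi-algorithm terminates on the positive side.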
The experimental results are shown in Table 2. Columns
|S| and |C| show the number of states and clocks. For each
combination of |S|, |C| and Dt, we compute three
numbers, namely a, b and c. a is the percentage of
specifications satisfying the clock boundedness condition (and
therefore being determinizable [5]). b is the percentage of cases in
which Algorithm 3 without non-Zenoness checking terminates. c
is the percentage of cases in which Algorithm 3 terminates. The
gap between a and c thus shows the effectiveness of our approach
on timed automata which may be non-determinizable. The gap
between b and c shows how often non-Zenoness checking helps
language inclusion checking to terminate. Additionally,
it evidences that non-Zenoness is prevalent in language inclusion
checking. We generate 500 random pairs to calculate each number.
It can be observed that in all cases c ≥ b > a. b is always
larger than a because even if the specification may not be
determinizable, since Algorithm 3 is on-the-fly, it may still terminate as
long as a violation of the language inclusion is identified. c is no
smaller than b because as soon as non-Zenoness checking helps
to identify a state containing a witness state, we do not have to
continue exploring from that state, which may contribute to
termination.
It can be observed that there is a correlation between transition
density Dt and the terminating percentage, i.e., the values of a, b and
c. For instance, when Dt ≤ 0.8, the terminating percentage is
quite high, which implies that our semi-algorithm often terminates.
In general, the lower the density is, the more likely it is that our
approach terminates. In order to have some indication on whether
our semi-algorithm would terminate when verifying systems against
common timed property patterns [17], [19] and the benchmark
systems, we calculate the transition density of the common timed
property patterns and the benchmark systems. We find that all the
models have transition densities less than or equal to 1.0 except
the absence pattern (refer to [17] for details on the pattern). Based
on the results presented in Table 2, we conclude that in practice,
our semi-algorithm has a relatively high probability (i.e., ≥ 0.6)
of terminating.
7 CONCLUSION
In summary, the contributions of this work are twofold. First, we
develop a zone-based approach for language inclusion checking
of timed automata with non-Zenoness, which is further combined
with simulation reduction for better performance. Furthermore,
we investigate when the semi-algorithm is terminating. Second,
we implement the semi-algorithm in the PAT framework and
apply it to benchmark systems. As far as the authors know, our
implementation is the first tool that supports language inclusion
checking for timed automata with non-Zenoness. As for future
work, we would like to investigate further optimization techniques
so that our approach is more scalable.
ACKNOWLEDGEMENT
This work was supported by National Natural Science Foundation
of China (61602412, 61572426, U1509214, 61373033), and the
research project from Singapore University of Technology and
Design (T2MOE1303).
REFERENCES
[1] P. A. Abdulla, Y.-F. Chen, L. Holík, R. Mayr, and T. Vojnar. When
Simulation Meets Antichains. In Proceedings of the 16th International
Conference on Tools and Algorithms for the Construction and Analysis
of Systems (TACAS '10), pages 158–174, 2010.
[2] P. A. Abdulla, J. Ouaknine, K. Quaas, and J. Worrell. Zone-Based
Universality Analysis for Single-Clock Timed Automata. In Proceedings
of International Symposium on Fundamentals of Software Engineering,
pages 98–112, 2007.
[3] R. Alur and D. L. Dill. A Theory of Timed Automata. Theory of
Computer Science, 126(2):183–235, 1994.
[4] R. Alur, L. Fix, and T. A. Henzinger. Event-clock Automata: A De-
terminizable Class of Timed Automata. Theoretical Computer Science,
211:253–273, 1999.
[5] C. Baier, N. Bertrand, P. Bouyer, and T. Brihaye. When Are Timed
Automata Determinizable? In Proceedings of the 36th International
Colloquium on Automata, Languages and Programming, pages 43–54,
2009.
TABLE 1
Experiments on Language Inclusion Checking with Non-Zenoness

System     |Cq|  Det  | without Non-Zenoness         | Non-Zenoness without Reduction | Non-Zenoness with Reduction
                      | states  transitions  time(s) | states  transitions  time(s)   | states  transitions  time(s)
Fischer*5   1    Yes  |    998      2263       0.1   |  1603      61646      29.9     |  1603      45178      14.9
Fischer*6   1    Yes  |   4410     10144       0.9   |  7065     289698     138.3     |  7065     217303      73.3
Fischer*7   1    Yes  |  20044     47060       6.3   | 31307    1378184     881.9     | 31307    1056986     457.4
Fischer*4   2    No   |   1820      3917       0.4   |  3938     122934      75.1     |  3938      85900      49.1
Fischer*5   2    No   |   8456     20142       2.5   | 21604     795771     589.8     | 21604     530577     450.4
Lynch*4     1    Yes  |    903      2150       0.1   |  2225     136945      54.2     |  2225     123135      30.8
Lynch*5     1    Yes  |   3852     11725       0.8   | 16193    1293511     519.1     | 16193    1157550     370.2
CSMA*5      1    Yes  |   2384      5645       0.7   |    32    5557631     473.4     |    32    3004445     233.3
Railway*6   1    Yes  |  26731     39589       4.2   | 22005    4818205    1273.7     | 22005    2671729     686.5

TABLE 2
Experiments on Language Inclusion Checking with Non-Zenoness for Random Timed Automata

|S| |C|   Dt = 0.6           Dt = 0.8           Dt = 1.0           Dt = 1.1           Dt = 1.3
          a     b     c      a     b     c      a     b     c      a     b     c      a     b     c
 4   1    0.97  0.99  0.99   0.76  0.95  0.96   0.65  0.89  0.89   0.48  0.70  0.70   0.11  0.22  0.27
 4   2    0.94  0.99  0.99   0.70  0.88  0.90   0.56  0.80  0.81   0.39  0.56  0.57   0.18  0.23  0.31
 4   3    0.96  0.99  0.99   0.73  0.86  0.87   0.57  0.74  0.75   0.41  0.55  0.62   0.10  0.17  0.27
 6   1    0.98  1.00  1.00   0.89  0.97  0.98   0.49  0.72  0.72   0.37  0.53  0.61   0.18  0.25  0.32
 6   2    0.98  0.99  0.99   0.88  0.96  0.97   0.43  0.61  0.66   0.30  0.43  0.54   0.11  0.17  0.33
 6   3    0.98  0.99  0.99   0.90  0.96  0.97   0.41  0.58  0.61   0.29  0.40  0.50   0.14  0.18  0.36
 8   1    0.99  1.00  1.00   0.75  0.91  0.91   0.40  0.55  0.63   0.25  0.38  0.49   0.06  0.07  0.25
 8   2    0.99  0.99  1.00   0.75  0.89  0.90   0.36  0.52  0.61   0.25  0.36  0.51   0.03  0.05  0.24
 8   3    0.99  1.00  1.00   0.73  0.89  0.88   0.35  0.49  0.60   0.20  0.31  0.52   0.03  0.05  0.15
[6] G. Behrmann, P. Bouyer, K. G. Larsen, and R. Pelánek. Lower and Upper
Bounds in Zone-based Abstractions of Timed Automata. International
Journal on Software Tools for Technology Transfer, 8(3):204–215, 2004.
[7] G. Behrmann, K. G. Larsen, J. Pearson, C. Weise, and W. Yi. Efficient
Timed Reachability Analysis Using Clock Difference Diagrams.
In Proceedings of the 11th International Conference on Computer Aided
Verification (CAV '99), pages 341–353, 1999.
[8] J. Bengtsson and Y. Wang. Timed Automata: Semantics, Algorithms and
Tools. In Lectures on Concurrency and Petri Nets, pages 87–124, 2004.
[9] N. Bertrand, A. Stainer, T. Jéron, and M. Krichen. A Game Approach to
Determinize Timed Automata. In Proceedings of the 14th International
Conference on Foundations of Software Science and Computational
Structures (FOSSACS '11), pages 245–259, 2011.
[10] D. Beyer, C. Lewerentz, and A. Noack. Rabbit: A Tool for BDD-based
Verification of Real-Time Systems. In CAV, pages 122–125. Springer,
2003.
[11] P. Bouyer. Forward Analysis of Updatable Timed Automata. Formal
Methods in System Design, 24(3):281–320, 2004.
[12] H. Bowman and R. Gómez. How to Stop Time Stopping. Formal Aspects
of Computing, 18(4):459–493, 2006.
[13] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine.
Kronos: A Model-Checking Tool for Real-Time Systems. In CAV,
volume 1427 of LNCS, pages 546–550. Springer, 1998.
[14] S. Cattani and M. Z. Kwiatkowska. A Refinement-based Process Algebra
for Timed Automata. Formal Aspects of Computing, 17(2):138–159,
2005.
[15] K. Chatterjee and V. S. Prabhu. Synthesis of Memory-efficient Real-time
Controllers for Safety Objectives. In HSCC, pages 221–230. ACM, 2011.
[16] D. L. Dill, A. J. Hu, and H. Wong-Toi. Checking for Language Inclusion
Using Simulation Preorders. In CAV, pages 255–265, 1991.
[17] M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Property Specification
Patterns for Finite-State Verification. In Proceedings of the 2nd Workshop
on Formal Methods in Software Practice (FMSP ’98), pages 7–15, 1998.
[18] R. Gómez and H. Bowman. Efficient Detection of Zeno Runs in
Timed Automata. In FORMATS, volume 4763 of LNCS, pages 195–210.
Springer, 2007.
[19] V. Gruhn and R. Laue. Patterns for Timed Property Specifications.
Electronic Notes in Theoretical Computer Science, 153(2):117–133,
2006.
[20] T. A. Henzinger, Z. Manna, and A. Pnueli. What Good are Digital
Clocks? In Proceedings of 19th International Colloquium on Automata,
Languages and Programming (ICALP ’92), pages 545–558, 1992.
[21] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic
Model Checking for Real-time Systems. Journal of Information and
Computation, 111(2):193–244, 1994.
[22] F. Herbreteau and B. Srivathsan. Efficient On-the-Fly Emptiness Check
for Timed Büchi Automata. In ATVA, pages 218–232, 2010.
[23] F. Herbreteau, B. Srivathsan, and I. Walukiewicz. Efficient Emptiness
Check for Timed Büchi Automata. Formal Methods in System Design,
40(2):122–146, 2012.
[24] M. Krichen and S. Tripakis. Conformance Testing for Real-Time
Systems. Formal Methods in System Design, 34(3):238–304, 2009.
[25] K. G. Larsen, P. Petterson, and Y. Wang. UPPAAL in a Nutshell. Journal
on Software Tools for Technology Transfer, 1(1-2):134–152, 1997.
[26] J. Ouaknine and J. Worrell. On The Language Inclusion Problem for
Timed Automata: Closing a Decidability Gap. In Proceedings of the
19th Annual IEEE Symposium on Logic in Computer Science, pages 54–63,
2004.
[27] J. Ouaknine and J. Worrell. Safety metric temporal logic is fully
decidable. In Proceedings of the 12th International Conference on
Tools and Algorithms for the Construction and Analysis of Systems,
TACAS’06, pages 411–425, 2006.
[28] J. Raskin and P. Schobbens. The Logic of Event Clocks - Decidability,
Complexity and Expressiveness. Journal of Automata, Languages, and
Combinatories, 4(3):247–286, 1999.
[29] T. G. Rokicki. Representing and Modeling Digital Circuits. PhD thesis,
Stanford Uni., 1993.
[30] A. W. Roscoe. On the Expressive Power of CSP Refinement. Formal
Aspects of Computing, 17(2):93–112, 2005.
[31] P. V. Suman, P. K. Pandya, S. N. Krishna, and L. Manasa. Timed
Automata with Integer Resets: Language Inclusion and Expressiveness.
In Proceedings of 6th International Conference on Formal Modeling and
Analysis of Timed Systems (FORMATS 08), pages 78–92, 2008.
[32] J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards Flexible Verification
under Fairness. In Proceedings of the 21st International Conference on
Computer Aided Verification (CAV '09), pages 709–714, 2009.
[33] D. Tabakov and M. Y. Vardi. Experimental evaluation of classical au-
tomata constructions. In Proceedings of the 12th international conference
on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR
’05), pages 396–411, 2005.
[34] S. Tripakis. Verifying Progress in Timed Systems. In Proceedings of the
5th International AMAST Workshop on Formal Methods for Real-Time
and Probabilistic Systems (ARTS '99), pages 299–314, 1999.
[35] S. Tripakis, S. Yovine, and A. Bouajjani. Checking Timed Büchi
Automata Emptiness Efficiently. FMSD, 26(3):267–292, 2005.
[36] S. Tripakis, S. Yovine, and A. Bouajjani. Checking Timed
Büchi Automata Emptiness Efficiently. Formal Methods in System Design,
26(3):267–292, 2005.
[37] F. Wang. Symbolic Verification of Complex Real-Time Systems with
Clock-Restriction Diagram. In Formal Techniques for Networked and
Distributed Systems, pages 235–250. Springer, 2002.
[38] T. Wang, J. Sun, Y. Liu, X. Wang, and S. Li. Are timed automata
bad for a specification language? language inclusion checking for timed
automata. In Tools and Algorithms for the Construction and Analysis
of Systems - 20th International Conference, TACAS 2014, Held as Part
of the European Joint Conferences on Theory and Practice of Software,
ETAPS 2014, Grenoble, France, April 5-13, 2014. Proceedings, pages
310–325, 2014.
[39] Y. Wang, P. Pettersson, and M. Daniels. Automatic Verification of Real-
Time Communicating Systems by Constraint Solving. In Proceedings
of the 7th International Conference on Formal Description Techniques,
pages 223–238, 1994.
[40] M. D. Wulf, L. Doyen, T. A. Henzinger, and J.-F. Raskin. Antichains:
A New Algorithm for Checking Universality of Finite Automata. In
Proceedings of the 18th International Conference on Computer Aided
Verification (CAV ’06), pages 17–30, 2006.
