Abstraction Refinement Algorithms for Timed Automata
AAbstraction Refinement Algorithmsfor Timed Automata (cid:63)
Victor Roussanaly, Ocan Sankur, Nicolas Markey
Univ Rennes, Inria, CNRS, IRISA – Rennes, France
Abstract.
We present abstraction-refinement algorithms for model check-ing safety properties of timed automata. The abstraction domain we con-sider abstracts away zones by restricting the set of clock constraints thatcan be used to define them, while the refinement procedure computes theset of constraints that must be taken into consideration in the abstractionso as to exclude a given spurious counterexample. We implement thisidea in two ways: an enumerative algorithm where a lazy abstractionapproach is adopted, meaning that possibly different abstract domainsare assigned to each exploration node; and a symbolic algorithm wherethe abstract transition system is encoded with Boolean formulas.
Model checking [26,10,12,4] is an automated technique for verifying that the setof behaviors of a computer system satisfies a given property. Model-checkingalgorithms explore finite-state automata (representing the system under study) inorder to decide if the property holds; if not, the algorithm returns an explanation.These algorithms have been extended to verify real-time systems modelled astimed automata [3,2], an extension of finite automata with clock variables tomeasure and constrain the amount of time elapsed between occurrences of transi-tions. The state-space exploration can be done by representing clock constraintsefficiently using convex polyhedra called zones [9,8]. Algorithms based on thisdata structure have been implemented in several tools such as Uppaal [7], andhave been applied in various industrial cases.The well-known issue in the applications of model checking is the state-spaceexplosion problem: the size of the state space grows exponentially in the sizeof the description of the system. There are several sources for this explosion:the system might be made of the composition of several subsystems (such as adistributed system), it might contain several discrete variables (such as in a pieceof software), or it might contain a number of real-valued clocks as in our case.Numerous attempts have been made to circumvent this problem. Abstractionis a generic approach that consists in simplifying the model under study, so asto make it easier to verify [13].
Existential abstraction may only add extrabehaviors, so that when a safety property holds in an abstracted model, it also (cid:63)
This work was funded by ANR project Ticktac (ANR-18-CE40-0015) and by ERCgrant EQualIS (StG-308087). a r X i v : . [ c s . F L ] M a y olds in the original model; if on the other hand a safety property fails to hold,the model-checking algorithms return a witness trace exhibiting the non-safebehaviour: this either invalidates the property on the original model, if thetrace exists in that model, or gives information about how to automaticallyrefine the abstraction. This approach, named CEGAR (counter-example guidedabstraction refinement) [11], was further developed and used, for instance, insoftware verification (BLAST [20], SLAM [5], ...).The CEGAR approach has been adapted to timed automata, e.g. in [14,18],but the abstractions considered there only consist in removing clocks and discretevariables, and adding them back during refinement. So for most well-designedmodels, one ends up adding all clocks and variables which renders the methoduseless. Two notable exceptions are [22], in which the zone extrapolation opera-tors are dynamically adapted during the exploration, and [28], in which zones arerefined when needed using interpolants. Both approaches define “exact” abstrac-tions in the sense that they make sure that all traces discovered in the abstractmodel are feasible in the concrete model at any time.In this work, we consider a more general setting and study predicate abstrac-tions on clock variables. Just like in software model checking, we define abstractstate spaces using these predicates, where the values of the clocks and theirrelations are approximately represented by these predicates. New predicates aregenerated if needed during the refinement step. We instantiate our approach bytwo algorithms. The first one is a zone-based enumerative algorithm inspired bythe lazy abstraction in software model checking [19], where we assign a possiblydifferent abstract domain to each node in the exploration. The second algorithmis based on binary decision diagrams (BDD): by exploiting the observation that asmall number of predicates was often sufficient to prove safety properties, we usean efficient BDD encoding of zones similar to one introduced in early work [27].Let us explain the abstract domains we consider. Assume there are two clockvariables x and y . The abstraction we consider consists in restricting the clockconstraints that can be used when defining zones. Assume that we only allow tocompare x with 2 or 3; that y can only be compared with 2, and x − y can only becompared with − y x y x (a) Abstraction of zone 1 ≤ x, y ≤ y x y x (b) Abstraction of zone y ≤ ∧ ≤ x − y ≤ Fig. 1: The abstract domain is defined by the clock constraints shown in thickred lines. In each example, the abstraction of the zone shown on the left (shadedarea) is the larger zone on the right. “concrete” zone, its abstraction is the smallest zone which is a superset and isdefinable under our restriction. For instance, the abstraction of 1 ≤ x, y ≤ ≤ x, y ≤ ∧ − ≤ x − y (cf. Fig. 1a). Related Works.
We give more detail on zone abstractions in timed automata.Most efforts in the literature have been concentrated in designing zone abstractionoperators that are exact in the sense that they preserve the reachability relationbetween the locations of a timed automaton; see [6]. The idea is to determinebounds on the constants to which a given clock can be compared to in a givenpart of the automaton, since the clock values do not matter outside these bounds.In [21,22], the authors give an algorithm where these bounds are dynamicallyadapted during the exploration, which allows one to obtain coarser abstractions.In [28], the exploration tree contains pairs of zones: a concrete zone as in theusual algorithm, and a coarser abstract zone. The algorithm explores all branchesusing the coarser zone and immediately refines the abstract zone whenever anedge which is disabled in the concrete zone is enabled. In [17], a CEGAR loopwas used to solve timed games by analyzing strategies computed for each abstractgame. The abstraction consisted in collapsing locations.Some works have adapted the abstraction-refinement paradigm to timedautomata. In [14], the authors apply “localization reduction” to timed automatawithin an abstraction-refinement loop: they abstract away clocks and discretevariables, and only introduce them as they are needed to rule out spuriouscounterexamples. A more general but similar approach was developed in [18].In [31], the authors adapt the trace abstraction refinement idea to timed automatawhere a finite automaton is maintained to rule out infeasible edge sequences.The CEGAR approach was also used recently in the LinAIG framework forverifying linear hybrid automata [1]. In this work, the backward reachability algo-rithm exploits don’t-cares to reduce the size of the Boolean circuits representingthe state space. The abstractions consist in enlarging the size of don’t-cares toreduce the number of linear predicates used in the representation.
Given a finite set of clocks C , we call valuations the elements of R C≥ . For a clockvaluation v , a subset R ⊆ C , and a non-negative real d , we denote with v [ R ← d ]the valuation w such that w ( x ) = v ( x ) for x ∈ C \ R and w ( x ) = d for x ∈ R , andwith v + d the valuation w (cid:48) such that w (cid:48) ( x ) = v ( x ) + d for all x ∈ C . We extendthese operations to sets of valuations in the obvious way. We write for thevaluation that assigns 0 to every clock. An atomic guard is a formula of theform x ≺ k or x − y ≺ k with x, y ∈ C , k ∈ N , and ≺ ∈ { <, ≤ , >, ≥} . A guard is a conjunction of atomic guards. A valuation v satisfies a guard g , denoted v | = g , if all atomic guards hold true when each x ∈ C is replaced with v ( x ).Let (cid:74) g (cid:75) = { v ∈ R C≥ | v | = g } denote the set of valuations satisfying g . We write Φ C for the set of guards built on C . timed automaton A is a tuple ( L , Inv , (cid:96) , C , E ), where L is a finite set oflocations, Inv : L → Φ C defines location invariants, C is a finite set of clocks, E ⊆ L × Φ C × C × L is a set of edges, and (cid:96) ∈ L is the initial location. An edge e = ( (cid:96), g, R, (cid:96) (cid:48) ) is also written as (cid:96) g,R −−→ (cid:96) (cid:48) . For any location (cid:96) , we let E ( (cid:96) ) denotethe set of edges leaving (cid:96) .A configuration of A is a pair q = ( (cid:96), v ) ∈ L× R C≥ such that v | = Inv ( (cid:96) ). A run of A is a sequence q e q e . . . q n where for all i ≥ q i = ( (cid:96) i , v i ) is a configuration,and either e i ∈ R > , in which case q i +1 = ( (cid:96) i , v i + e i ), or e i = ( (cid:96) i , g i , R i , (cid:96) i +1 ) ∈ E ,in which case v i | = g i and q i +1 = ( (cid:96) i +1 , v i [ R i ← path is a sequence of edgeswith matching endpoint locations. Several tools for timed automata implement algorithms based on zones , whichare particular polyhedra definable with clock constraints. Formally, a zone Z is asubset of R C≥ definable by a guard in Φ C .We recall a few basic operations defined on zones. First, the intersection Z ∩ Z (cid:48) of two zones Z and Z (cid:48) is clearly a zone. Given a zone Z , the set of time-successorsof Z , defined as Z ↑ = { v + t ∈ R C≥ | t ∈ R ≥ , v ∈ Z } , is easily seen to bea zone; similarly for time-predecessors Z ↓ = { v ∈ R C≥ | ∃ t ≥ . v + t ∈ Z } .Given R ⊆ C , we let Reset R ( Z ) be the zone { v [ R ← ∈ R C≥ | v ∈ Z } , and Free x ( Z ) = { v (cid:48) ∈ R C≥ | ∃ v ∈ Z, d ∈ R ≥ , v (cid:48) = v [ x ← d ] } .Zones can be represented as difference-bound matrices (DBM) [15,8]. Let C = C ∪ { } , where 0 is an extra symbol representing a special clock variable whosevalue is always 0. A DBM is a |C | × |C | -matrix taking values in ( Z × { <, ≤} ) ∪{ (+ ∞ , < ) } . Intuitively, cell ( x, y ) of a DBM M stores a pair ( d, ≺ ) representingan upper bound on the difference x − y . For any DBM M , we let (cid:74) M (cid:75) denotethe zone it defines.While several DBMs can represent the same zone, each zone admits a canonical representation, which is obtained by storing the tightest clock constraints definingthe zone. This canonical representation can be obtained by computing shortestpaths in a graph where the vertices are clocks and the edges weighted by clockconstraints, with natural addition and comparison of elements of ( Z × { <, ≤} ) ∪{ (+ ∞ , < ) } . This graph has a negative cycle if, and only if, the associated DBMrepresents the empty zone.All the operations on zones can be performed efficiently (in O ( |C | )) on theirassociated DBMs while maintaining reduced form. For instance, the intersection N = Z ∩ Z (cid:48) of two canonical DBMs Z and Z (cid:48) can be obtained by first com-puting the DBM M = min( Z, Z (cid:48) ) such that M ( x, y ) = min { Z ( x, y ) , Z (cid:48) ( x, y ) } for all ( x, y ) ∈ C , and then turning M into canonical form. We refer to [8]for full details. By a slight abuse of notation, we use the same notations forDBMs as for zones, writing e.g. M (cid:48) = M ↑ , where M and M (cid:48) are reduced DBMssuch that (cid:74) M (cid:48) (cid:75) = (cid:74) M (cid:75) ↑ . Given an edge e = ( (cid:96), g, R, (cid:96) (cid:48) ), and a zone Z , we define Post e ( Z ) = Inv ( (cid:96) (cid:48) ) ∩ ( g ∩ Reset R ( Z )) ↑ , and Pre e ( Z ) = ( g ∩ Free R ( Inv ( (cid:96) (cid:48) ) ∩ Z )) ↓ .or a path ρ = e e . . . e n , we define Post ρ and Pre ρ by iteratively applying Post e i and Pre e i respectively. For all clocks x and y in C , we consider a finite set D x,y ⊆ N ×{≤ , < } , and gatherthese in a table D = ( D x,y ) x,y ∈C . D is the abstract domain which restricts zonesto be defined only using constraints of the form x − y ≺ k with ( k, ≺ ) ∈ D x,y ,as seen earlier. Let us call D the concrete domain if D x,y = N × {≤ , < } forall x, y ∈ C . A zone Z is D -definable if there exists a DBM D such that Z = (cid:74) D (cid:75) and D ( x, y ) ∈ D x,y for all x, y ∈ C . Note that we do not require this witnessDBM D to be reduced; the reduction of such a DBM might introduce additionalvalues. We say that domain D (cid:48) is a refinement of D if for all x, y ∈ C , we have D x,y ⊆ D (cid:48) x,y .An abstract domain D induces an abstraction function α D : 2 R C≥ → R C≥ where α D ( Z ) is the smallest D -definable zone containing Z . For any reduced DBM D , α D ( (cid:74) D (cid:75) ) can be computed by setting D (cid:48) ( x, y ) = min { ( k, ≺ ) ∈ D x,y | D ( x, y ) ≤ ( k, ≺ ) } (with min ∅ = ( ∞ , < )).An interpolant for a pair of zones ( Z , Z ) with Z ∩ Z = ∅ is a zone Z with Z ⊆ Z and Z ∩ Z = ∅ [29]. We use interpolants to refine our abstractions;in order not to add too many new constraints when refining, our aim is to find minimal interpolants : define the density of a DBM D as d ( D ) = { ( x, y ) ∈ C | D ( x, y ) (cid:54) = ( ∞ , < ) } . Notice that while any pair of disjoint convex polyhedra canbe separated by hyperplanes, not all pairs of disjoint zones admit interpolants ofdensity 1; this is because not all (half-spaces delimited by) hyperplanes are zones. Lemma 1.
There exist pairs of zones accepting no simple interpolants.Proof.
Consider 3-dimensional zones A , defined as z = 0 ∧ x = y , and B , definedas y ≥ ∧ z ≤ ∧ y − x ≤ ∧ x − z ≤
1. Both zones and their canonical DBMsare represented on Fig. 2.We observe that they are disjoint: if a triple ( x, y, z ) were in both A and B ,then x = y and z = 0 (for being in B ); in A , y ≥
2, hence also x ≥
2, contradicting x − z ≤ I , with A ∩ I = ∅ and B ⊆ I .In the canonical DBM of I , only one non-diagonal element is not (+ ∞ , < );assume I ( x, y ) (cid:54) = (+ ∞ , < ). Then we must have A ( y, x ) + I ( x, y ) < (0 , ≤ ), and B ( x, y ) ≤ I ( x, y ). Then A ( x, y ) + B ( x, y ) < (0 , ≤ ). However, it can be observedthat in our example, A ( x, y ) + B ( y, x ) ≥ (0 , ≤ ) for all pairs ( x, y ). (cid:117)(cid:116) Still, we can bound the density of a minimal interpolant:
Lemma 2.
For any pair of disjoint, non-empty zones ( A, B ) , there exists aninterpolant of density less than or equal to |C | / . It is sometimes also required that the interpolant only involves clocks that havenon-trivial constraints in both Z and Z . We do not impose this requirement in ourdefinition, but it will hold true in the interpolants computed by our algorithm. zy A B A = (0 , ≤ ) (+ ∞ , < ) (+ ∞ , < ) (0 , ≤ )(+ ∞ , < ) (0 , ≤ ) (0 , ≤ ) (+ ∞ , < )(+ ∞ , < ) (0 , ≤ ) (0 , ≤ ) (+ ∞ , < )(0 , ≤ ) (+ ∞ , < ) (+ ∞ , < ) (0 , ≤ ) B = (0 , ≤ ) (3 , ≤ ) (4 , ≤ ) (2 , ≤ )( − , ≤ ) (0 , ≤ ) (1 , ≤ ) (1 , ≤ )( − , ≤ ) (1 , ≤ ) (0 , ≤ ) (0 , ≤ )(0 , ≤ ) (1 , ≤ ) (2 , ≤ ) (0 , ≤ ) Fig. 2: Two zones that cannot be separated by a simple interpolant
Proof.
Assume that A and B are given as canonical DBMs, which we also write A and B for the sake of readability. We prove the stronger result that A ∩ B = ∅ if, and only if, for some n ≤ |C | /
2, there exists a sequence of pairwise-distinctclocks ( x i ) ≤ i ≤ n − such that, writing x n = x , n − (cid:88) i =0 A ( x i , x i +1 ) + B ( x i +1 , x i +2 ) < (0 , ≤ ) . Before proving this result, we explain how we conclude the proof: the inequalityabove entails that n − (cid:92) i =0 A ( x i , x i +1 ) ∩ n − (cid:92) i =0 B ( x i +1 , x i +2 ) = ∅ where we abusively identify A ( x, y ) with the half-space it represents. It followsthat (cid:84) n − i =0 B ( x i +1 , x i +2 ) is an interpolant, whose density is less than or equalto |C | / C for the DBM min( A, B ).Then n − (cid:88) i =0 C ( x i , x i +1 ) = n − (cid:88) i =0 min { A ( x i , x i +1 ) , B ( x i , x i +1 ) }≤ n − (cid:88) i =0 A ( x i , x i +1 ) + B ( x i +1 , x i +2 ) < (0 , ≤ ) . This entails that the intersection is empty.Conversely, if the intersection is empty, then there is a sequence of clocks( x i ) ≤ i Input: canonical DBM A , B ; for ( x, y ) ∈ C do if A ( x, y ) ≤ B ( x, y ) then M ( x, y ) := A ( x, y ); else M ( x, y ) := ( ∞ , < ); N := canonical ( M ); for ( i = 1 ; i ≤ |C | / ; i + + ) do for ( x, y ) ∈ C do M i ( x, y ) := min { N i − ( x, y ) , min z ∈ SC B ( y ) N i − ( x, z ) + B ( z, y ) } ; for ( x, y ) ∈ C do N i ( x, y ) := min { M i ( x, y ) , min z ∈ SC A ( y ) M i ( x, z ) + A ( z, y ) } ; if ( x = y ) and N i ( x, x ) < (0 , ≤ ) then return ( true , i ); return false ; Consider one of the shortest such sequences. Since A and B are non-empty, thesum must involve at least one element of each DBM. Moreover, if it involves twoconsecutive elements of the same DBM (i.e., if A ( x i , x i +1 ) < B ( x i , x i +1 ) and A ( x i +1 , x i +2 ) < B ( x i +1 , x i +2 ) for some i ), then by canonicity of the DBMs of A and B , we can drop clock x i +1 from the sequence and get a shorter sequencesatisfying the same inequality, contradicting minimality of our sequence. The resultfollows. (cid:117)(cid:116) By adapting the algorithm of [29] for computing interpolants, we can computeminimal interpolants efficiently: Proposition 3. Computing a minimal interpolant can be performed in O ( |C| ) .Proof. Algorithm 1 describes our procedure. In order to prove its correctness,we begin with proving that the sequence of DBM it computes satisfies thefollowing property: Lemma 4. For any i ≥ such that N i has been computed by Algorithm 1, forany ( x, y ) ∈ C , it holds N i ( x, y ) = min π ∈ Paths ( x,y ) | π | B ≤ i W min( A,B ) ( π ) . roof. The proof proceeds by induction on i . For i = 0, pick a path π = ( x i ) ≤ i ≤ k from x + 0 to x k such that | π | B = 0. Then W min( A,B ) ( π ) = (cid:88) ≤ i Corollary 5. If A ∩ B (cid:54) = ∅ , then Algorithm 1 returns false ; otherwise, it returns ( true , k ) for the smallest k such that for all cyclic path π such that | π | B < k ,it holds w min( A,B ) ( π ) ≥ (0 , ≤ ) . This entails that k is the dimension of the minimal interpolant. The minimalinterpolant can be obtained by taking the B -elements of the negative cycle foundby the algorithm. (cid:117)(cid:116) Enumerative Algorithm The first type of algorithm we present is a zone-based enumerative algorithm basedon the clock-predicate abstractions. Let us first describe the overall algorithmin Algorithm 2, which is a typical abstraction-refinement loop. We then explainhow the abstract reachability and refinement procedures are instantiated. Algorithm 2: Enumerative algo-rithm checking the reachabilityof a target location (cid:96) T . Input: A = ( L , Inv , (cid:96) , C , E ), (cid:96) T Initialize D ; wait := { node ( (cid:96) , ↑ , D ) } ; passed := ∅ ; while do π := AbsReach ( A , wait , passed , (cid:96) T ); if π = ∅ then return Not reachable; else if trace π is feasible then return Reachable; else Refine ( π, wait , passed ); return Not reachable; Algorithm 3: AbsReach Input: ( L , Inv , l , C , E ), wait , passed , (cid:96) T while wait (cid:54) = ∅ do n := wait .pop (); if n.(cid:96) = (cid:96) T then return Trace from root to n ; if ∃ n (cid:48) ∈ passed such that n.(cid:96) = n (cid:48) .(cid:96) ∧ n.Z ⊆ n (cid:48) .Z then n. covered := n (cid:48) ; else n.Z := α ( n.Z, n ); passed .add ( n ); for e = ( (cid:96), g, R, (cid:96) (cid:48) ) ∈ E ( n.(cid:96) ) s.t. Z (cid:48) := Post e ( n.Z ) (cid:54) = ∅ do D (cid:48) := choose-dom ( n, e ); n (cid:48) := node ( (cid:96) (cid:48) , Z (cid:48) , D (cid:48) ); n (cid:48) . parent := n ; wait .add ( n (cid:48) ); return ∅ ; The initialization at line 1 chooses an abstract domain for the initial state,which can be either empty (thus the coarsest abstraction) or defined according tosome heuristics. The algorithm maintains the wait and passed lists that are usedin the forward exploration. As usual, the wait list can be implemented as a stack,a queue, or another priority list that determines the search order. The algorithmalso uses covering nodes. Indeed if there are two node n and n (cid:48) , with n ∈ passed , n (cid:48) ∈ wait , n.(cid:96) = n (cid:48) .(cid:96) , and n (cid:48) .z ⊆ n.Z , then we know that every location reachablefrom n (cid:48) is also reachable from n . Since we have already explored n and wegenerated its successors, there is no need to explore the successors of n (cid:48) . Thealgorithm explicitly creates an exploration tree: line 2 creates a node containinglocation (cid:96) , zone ↑ , and the abstract domain D as the root of our tree, andadds this to the wait list. More details on the tree are given in the next subsection.Procedure AbsReach then looks for a trace to the target location (cid:96) T . If such atrace exists, line 9 checks its feasibility. Here π is a sequence of node and edgesof A . The feasibility check is done by computing predecessors with zones startingfrom the final state, without using the abstraction function. If the last zonentersects our initial zone, this means that the trace is feasible. More details aregiven in Section 3.2. AbsReach We give a generic algorithm independently from the implementations of theabstraction functions and the refinement procedure.Algorithm 3 describes the reachability procedure under a given abstractdomain D . It is similar to the standard forward reachability algorithm using a wait -list and a passed -list. We explicitly create an exploration tree where the leavesare nodes in wait , covered nodes, or nodes that have no non-empty successors.Each node n contains the fields (cid:96), Z which are labels describing the currentlocation and zone; field covered points to a node covering the current node (it isundefined if the current node is not (known to be) covered); field parent pointsto the parent node in the tree (it is undefined for the root); and field D is theabstract domain associated with the node. Thus, the algorithm uses a possiblydifferent abstract domain for each node in the exploration tree.The difference of our algorithm w.r.t. the standard reachability can be seenat lines 8 and 11. At line 8, we apply the abstraction function to the zone takenfrom the wait -list before adding it to the passed -list. The abstraction function α is a function of a zone Z and a node n . This allows one to define variants withdifferent dependencies; for instance, α might depend on the abstract domain n. D at the current node, but it can also use other information available in n or onthe path ending in n . For now, it is best to think of α simply as Z (cid:55)→ α n. D ( Z ).At line 11, the function choose-dom chooses an abstract domain for the node n (cid:48) .In our implementation, the abstraction function always abstracts the givenzone w.r.t. the abstract domain n. D . For choose-dom , we considered three variants: – one using a global domain, the same for all nodes: this way, each refinementbenefits to all nodes, but this is often a drawback since in general differentparts of the automaton will better have different abstract domain; – one using a local domain for each node: this has the advantage of using thecoarsest possible abstraction, but it takes more memory and usually involvesmore refinements. – one using one domain per location of the automaton: this appears to be agood trade-off between the above two approaches. Remark 1. Note that we use the abstraction function when the node is insertedin the passed list. This is because we want the node to contain the smallest zonepossible when we test whether the node is covered. We only need to use theabstracted zone when we compute its successor and when we test whether thenode is covering. This allows us to store a unique zone.As a first step towards proving correctness of our algorithm, we consider thatthe following property is preserved by Algorithm AbsReach :For all nodes n in passed , for all edges e from n.(cid:96) , if Post e ( n.Z ) (cid:54) = ∅ ,then n has a child n (cid:48) such that Post e ( n.Z ) ⊆ n (cid:48) .Z . If n (cid:48) is in passed ,then we also have α n (cid:48) . D ( Post e ( n.Z )) ⊆ n (cid:48) .Z . (1) lgorithm 4: Refine Input: π , wait , passed ; n := last node of π ; Z := n.Z ; r := Refine-rec ( n, Z, wait , passed ); n cut := node to cut(according to heuristics); cut ( n cut ); if n cut .Z = ∅ then delete n cut else passed .remove ( n cut ); wait .add ( n cut ); n cut .Z := Concrete ( n cut ); return r ; Algorithm 5: Refine-rec Input: n, Z, wait , passed ; C := Concrete ( n ); if C ∩ Z = ∅ then Strengthen ( n, Z, C, wait ); return Not Feasible; else if n has no parent then return Feasible ; else e edge from n. parent to n ; Z (cid:48) := Pre e ( Z ) ∩ n. parent .Z ; if Refine-rec ( n. parent , Z (cid:48) , wait , passed ) = Feasible then return Feasible; else C := Concrete ( n ); Strengthen ( n, Z, C, wait ); return Not Feasible; Algorithm 6: Concrete Input: n ; if n has parent then e := edge from n. parent to n ; return Post e ( n. parent .Z ); else return initial zone; Algorithm 7: Strengthen Input: n, Z, C, wait ; if α n. D ( C ) ∩ Z (cid:54) = ∅ then I := interpolant ( C, Z ); n. D .add ( I ); n := α n. D ( C ); Add every uncovered nodes to wait ; The following is an easy observation about our algorithm: Lemma 6. Algorithm AbsReach preserves Property (1) . Note that although we use inclusion in Property (1), AbsReach would actuallypreserve equality of zones, but we will not always have equality before running AbsReach . This is because Refine might change the zones of some nodes withoutupdating the zones of all their descendants. Refine We now describe our refinement proecdure Refine . Let us now assume that AbsReach returns π = A σ −→ A σ −→ . . . σ k − −−−→ A k , and write D i for the domainassociated with each A i . We write C for the initial concrete zone, and for i < k , we define C i +1 = Post σ i ( A i ). We also note Z k = A k and for i < k , Z i = Pre σ i ( Z i +1 ) ∩ A i . Then π is not feasible if, and only if, Post σ ...σ k ( C ) = ∅ ,r equivalently Pre σ ...σ k ( A k ) ∩ C = ∅ . Since for all i < k , it holds C i ⊆ A i +1 ,we have that π is not feasible if, and only if, ∃ i ≤ k. C i ∩ Z i = ∅ . We illustratethis on Fig. 3. Z C A Z C A C A = Z Post PostPrePre Fig. 3: Spurious counter-example: Z ∩ C = ∅ Let us assume that π is not feasible. Let us denote by i the maximal indexsuch that C i ∩ Z i = ∅ . This index also has the property that for all j < i ,we have Z j = ∅ and Z i (cid:54) = ∅ . Once we have identified this trace as spurious bycomputing the Z j , we have two possibilities: – if Z i ∩ α D i ( C i ) (cid:54) = ∅ : this means that we can reach A k from α D i ( C i ) butnot from C i . In other words, our abstraction is too coarse and we must addsome values to D i so that Z i ∩ α D i ( C i ) = ∅ . Those values are found bycomputing the interpolant of Z i and C i – Otherwise it means that α D i ( C i ) cannot reach A k and the only reason thetrace exists is because either D i or A i − has been modified at some pointand A i was not modified accordingly.We can then update the values of C i for i > i and repeat the processuntil we reach an index j such that C j = ∅ . We then have modified thenodes n i , . . . , n j and knowing that n j .Z = ∅ , we can delete it and all of itsdescendants. Since some of the descendants of n i have not been modified, thismight cause some refinements of the first type in the future. In order to ensuretermination, we sometimes have to cut a subtree from a node in n i , . . . , n j − and reinsert it in the wait list to restart the exploration from there. We call thisaction cut , and we can use several heuristics to decide when to use it. In the restof this paper we will use the following heuristics: we perform cut on the firstnode of n i ...n j that is covered by some other node. Since this node is covered,we know that we will not restart the exploration from this node, or that thenode was covered by one of its descendant. If none of these nodes are covered,we delete n j and its descendants. Other heuristics are possible, for instanceapplying cut on n i . We found that the above heuristics was the most efficient inour experiments. Lemma 7. Pick a node n , and let Y = n.Z . Then after running Refine , eithernode n is deleted, or it holds n.Z ⊆ Y . In other words, the zone of a node canonly be reduced by Refine .roof. Refine may only add values to the domain of a node, so that the refined zoneis included in the previous one. If no values were added to the domain of a node,then its parent must have been modified. Since A ⊆ B ⇒ Post e ( A ) ⊆ Post e ( B ),the result follows by induction. (cid:117)(cid:116) It follows that Refine also preserves Property (1), so that: Lemma 8. Algorithm 2 satisfies Property (1) .Proof. We prove that procedure Refine preserves property (1). Combined withLemma 6, this entails the result. First notice that Refine may not add new nodes.Let n (cid:48) be a node, n its parent, and e the edge from n to n (cid:48) . Three cases mayarise: – n (cid:48) has been modified: then it must have been modified at line 4 or 15. At thispoint n is no longer modified, and Refine ensures that Concrete ( n ) ⊆ n (cid:48) .Z , and Concrete ( n ) = Post e ( n.Z ). If n (cid:48) is in passed , we also have α n (cid:48) . D ( Post e ( n.Z )) = n (cid:48) .Z ; – n (cid:48) has been deleted: in this case, if n is part of the subtree and it has eitherbeen deleted or moved to wait , and is not in passed anymore. Otherwise n isnot part of the subtree that has been cut and n (cid:48) is the root of this subtree,with n (cid:48) .Z = ∅ and since Concrete ( n ) ⊆ n (cid:48) .Z ; – n (cid:48) has not been modified, but n has: then using Lemma 7, we know that theinclusion Post e ( n.Z ) ⊆ n (cid:48) .Z (or α n (cid:48) . D ( Post e ( n.Z )) ⊆ n (cid:48) .Z ) is preserved by Refine . (cid:117)(cid:116) We can then prove that our algorithm correctly decides the reachabilityproblem and always terminates. Theorem 9. Algorithm 2 terminates and is correct.Proof. We first prove correctness, assuming termination. First let us notice thatif the wait set is empty, then for any reachable location l , there is a node n suchthat n.(cid:96) = l . This is because we over-approximate the zones as shown in Lemma 8,so we over-approximate the set of reachable states. Thus, if AbsReach ( A , wait , passed , (cid:96) T ) returns ∅ , then (cid:96) T is not reachable in A . In other words, if theenumerative algorithm returns ” Not reachable ” then (cid:96) T is indeed not reachable.On the other hand, if the algorithm returns ” Reachable ”, it means that thereis a feasible trace reaching (cid:96) T , and (cid:96) T is indeed reachable.We now prove termination. Since there are a finite number of possible locationsand we can limit the number of possible zones to a finite number using abstractionfunctions, we can deduce that AbsReach terminates.Let us assume that the enumerative algorithm does not terminate. Then itmeans that Refine is called infinitely many timed. Note that Refine is modifyinga node and a node can be modified a finite number of time.We can also note that a node can be destroyed only if one of its ancestorsis modified. As such, we can show that for every depth k , there is a point inhe algorithm where every node at depth k or less is fixed and will no longer bemodified.So we know that the algorithm does not terminate if, and only if, the depthof the resulting tree is unbounded. This means that there exists a path where wehave two distinct nodes n and n with n .(cid:96) = n .(cid:96) and n .Z = n .Z , since thenumber of location and possible zones is finite. Without loss of generality, wecan assume that n is an ancestor of n and n is the parent of another node.This is only possible if n is in passed , which means that n was in wait andwas not covered at some point. Since a zone can only be modified to be smaller,this means that n has been modified at some point. Otherwise n has alwaysbeen covered by n , which is not possible. Since n has been modified, and it iscovered (at least by n ), this means that cut has been called on n last time itszone has been modified. This means that n has no children and is not in passed ,contradicting our assumption. Hence the algorithm always terminates. (cid:117)(cid:116) We now present a symbolic algorithm that represents abstract states using Booleanformulas. Let B = { , } , and V be a set of variables. A Boolean formula f thatuses variables from set X ⊆ V will be written f ( X ) to make the dependencyexplicit; we sometimes write f ( X, Y ) in place of f ( X ∪ Y ). Such a formularepresents a set (cid:74) f (cid:75) = { v ∈ B V | v | = f } . We consider primed versions of allvariables; this will allow us to write formulas relating two valuations. For anysubset X ⊆ V , we define X (cid:48) = { p (cid:48) | p ∈ X } .A literal is either p or ¬ p for a variable p . Given a set X of variables, an X -minterm is the conjunction of literals where each variable of X appears exactlyonce. X -minterms can be seen as elements of B X .Given a vector of Boolean formulas Y = ( Y x ) x ∈ X , formula f [ Y /X ] is the substitution of X by Y in f , obtained by replacing each x ∈ X with the formula Y x .The positive cofactor of f ( X ) by x is ∃ x. ( x ∧ f ( X )), and its negative cofactoris ∃ x. ( ¬ x ∧ f ( X )).Let us define a generic operator post that computes successors of a set S ( X, Y )given a relation R ( X, X (cid:48) ) (here, Y designates any set of variables on which S might depend outside of X ): post R ( S ( X, Y )) = ( ∃ X.S ( X, Y ) ∧ R ( X, X (cid:48) ))[ X/X (cid:48) ].Similarly, we set pre R ( S ( X, Y )) = ( ∃ X (cid:48) .S ( X, Y )[ X (cid:48) /X ] ∧ R ( X, X (cid:48) )), whichcomputes the predecessors of S ( X, Y ) by the relation R [24]. Clock predicate abstraction. We fix a total order (cid:47) on C . In this section, abstractdomains are defined as D = ( D x,y ) x(cid:47)y ∈C , that is only for pairs x (cid:47) y . In fact,constraints of the form x − y ≤ k with x (cid:46) y are encoded using the negation of y − x < − k since ( x − y ≤ k ) ⇔ ¬ ( y − x < − k ). We thus define D x,y = −D y,x for all x (cid:46) y .For x, y ∈ C , let P x,y denote the set of clock predicates associated to D x,y : P D x,y = { P x − y ≺ k | ( k, ≺ ) ∈ D x,y } . et P D = ∪ x,y ∈C P x,y denote the set of all clock predicates associated with D (we may omit the superscript D when it is clear). For all ( x, y ) ∈ C and ( k, ≺ ) ∈ D x,y ,we denote by p x − y ≺ k the literal P x − y ≺ k if x (cid:47) y , and ¬ P y − x ≺ − − k otherwise(where ≤ − = < and < − = ≤ ). We also consider a set B of Boolean variablesused to encode locations. Overall, the state space is described using Booleanformulas on these two types of variables, so states are elements of B P∪B .Our Boolean encoding of clock constraints and semantic operations followthose of [27] for a concrete domain. We define these however for abstract domains,and show how all successor computation and refinement operations can beperformed.Let us define the clock semantics of predicate P x − y (cid:22) k as (cid:74) P x − y (cid:22) k (cid:75) C = { ν ∈ R C ≥ | ν ( x ) − ν ( y ) (cid:22) k } . Since the set C of clocks is fixed, we may omitthe subscript and just write (cid:74) P x − y (cid:22) k (cid:75) . We define the conjunction, disjunction,and negation as intersection, union, and complement, respectively. Given a P -minterm v ∈ B P , we define (cid:74) v (cid:75) D = (cid:84) p s.t. v ( p ) (cid:74) p (cid:75) D ∩ (cid:84) p s.t. ¬ v ( p ) (cid:74) p (cid:75) c D . Thus,negation of a predicate encodes its complement. For a Boolean formula F ( P ),we set (cid:74) F (cid:75) = (cid:83) v ∈ Minterms ( F ) (cid:74) v (cid:75) D . Intuitively, the minterms of P define smallestzones of R C≥ definable using P . A minterm v ∈ B B∪P defines a pair (cid:74) v (cid:75) D = ( l, Z )where l is encoded by v |B and Z = (cid:74) v |P (cid:75) D . A Boolean formula F on B ∪ P defines a set (cid:74) F (cid:75) D = ∪ v ∈ Minterms ( F ) (cid:74) v (cid:75) D of such pairs. A minterm v is satisfiable if (cid:74) v (cid:75) D (cid:54) = ∅ .An abstract domain D induces an abstraction function α D : 2 R C≥ → B P with α D ( Z ) = { v | v ∈ B P and (cid:74) v (cid:75) D ∩ Z (cid:54) = ∅} , from the set of zones to the setof subsets of Boolean valuations on P . We define the concretization function as (cid:74) · (cid:75) D : 2 B P → R C≥ . The pair ( α D , (cid:74) · (cid:75) D ) is a Galois connection, and (cid:74) α D ( Z ) (cid:75) D isthe most precise abstraction of Z in the domain induced by D . Notice that α D isnon-convex in general: for instance, if the clock predicates are x ≤ , y ≤ 2, thenthe set defined by the constraint x = y maps to ( p x ≤ ∧ p y ≤ ) ∨ ( ¬ p x ≤ ∧ ¬ p y ≤ ),which is not convex. We now define the reduction operation, which is similar to the reduction ofDBMs. The idea is to eliminate unsatisfiable minterms from a given Booleanformula. For example, we would like to make sure that in all minterms, if p x − y ≤ holds, then so does p x − y ≤ , when both are available predicates. Another issue isto eliminate minterms that are unsatisfiable due to triangle inequality. This issimilar to the shortest path computation used to turn DBMs in canonical form.Let a path in D be a sequence x , ( α , ≺ ) , x , ( α , ≺ ) , . . . , x k , ( α k , ≺ k ) , x k +1 where x , . . . , x k +1 ∈ C , and ( α i , ≺ i ) ∈ D x i ,x i +1 for 1 ≤ i ≤ k . Let us define Paths D k ( x − y ≺ α ) as the set of paths from x to y of length k and weightat most ( α, ≺ ), that is, paths x , ( α , ≺ ) , x , ( α , ≺ ) , . . . , x k , ( α k , ≺ k ) , x k +1 with x = x , x k +1 = y , and (cid:80) ki =1 ( α i , ≺ i ) ≤ ( α, ≺ ). We also denote Paths D≤ k ( x − y ≺ α ) = (cid:83) l ≤ k Paths D l ( x − y ≺ α ). For a path π = x , ( α , ≺ ) , . . . , x k +1 and minterm v ,let us write v | = π for the statement v | = ∧ ki =1 p x i − x i +1 ≺ α i . minterm v ∈ B P is k -reduced if for all ( x, y ) ∈ C and ( α, ≺ ) ∈ D x,y , forall π = x , ( α , ≺ ) , x , . . . , x k +1 ∈ Paths ≤ k ( x − y ≺ α ), whenever v | = π , we alsohave v | = p x − x k +1 ≺ α for all ( α, ≺ ) ∈ D x ,x k +1 with ( α, ≺ ) ≥ (cid:80) ki =1 ( α i , ≺ i ). Thus,in a k -reduced minterm, no contradictions can be obtained via paths of lengthless than or equal to k . Observe that |C | -reduction is equivalent to satisfiabilitysince the condition then includes all paths, and it is known that in the absence ofnegative cycles, a set of difference constraints is satisfiable. Furthermore, for theconcrete domain, k -reduction is equivalent to reduction for any k ≥ 2. A formulais said to be k -reduced if all its minterms are k -reduced. Example 1. Given predicates P = { p x − y ≤ , p y − z ≤ , p x − z ≤ } , the formula p x − y ≤ ∧ p y − z ≤ is not reduced since it contains the unsatisfiable minterm p x − y ≤ ∧ p y − z ≤ ∧¬ p x − z ≤ . However, the same formula is reduced if P = { p x − y ≤ , p y − z ≤ } .Consider now the predicate set P = { p x − y ≤ , p y − z ≤ , p z − w ≤ , p x − w ≤ } , andconsider the formula φ = p x − y ≤ ∧ p y − z ≤ ∧ p z − w ≤ which is 2-reduced. Noticethat the reduction of φ is p x − y ≤ ∧ p y − z ≤ ∧ p z − w ≤ ∧ p x − w ≤ since the lastpredicate is implied by the conjunction of others. However, φ is 2-reduced since nopath of length 2 allows to deduce p x − w ≤ . In the concrete domain, p x − y ≤ ∧ p y − z ≤ would imply p x − z ≤ , thus, p x − w ≤ could be derived too. It is indeed because ofthe abstract domain that 2-reduction might fail to capture all shortest paths.In this paper, we only consider 2-reduction since computing reductions isthe most expensive operation in our algorithms, and the formula below defining2-reduction already tends to grow in size. Let us define reduce D as follows (cid:94) ( x,y ) ∈C ( k, ≺ ) ∈D x,y (cid:34) p x − y ≺ k ← (cid:16) (cid:95) ( l , ≺ ) ∈D x,y ( l , ≺ ) ≤ ( k, ≺ ) p x − y ≺ l ∨ (cid:95) z ∈C , ( l , ≺ ) ∈D x,z , ( l , ≺ ) ∈D z,y ( l , ≺ )+( l , ≺ (cid:48) ) ≤ ( k, ≺ ) p x − z ≺ l ∧ p z − y ≺ l (cid:17)(cid:35) The formula intuitively applies shortest paths over paths of length 1 or 2. Lemma 10. For all formulas S ( P ) , we have (cid:74) S (cid:75) D = (cid:74) reduce D ( S ) (cid:75) D and allminterms of reduce D ( S ) are -reduced.Proof. It is easy to see that (cid:74) reduce k D ( S ) (cid:75) D ⊆ (cid:74) S (cid:75) D . In fact, any minterm of theformer is a minterm of S as well by definition.To see the converse, consider v ∈ Minterms ( S ). We show that (cid:74) v (cid:75) D ⊆ (cid:74) reduce k D ( S ) (cid:75) D . If (cid:74) v (cid:75) D = ∅ then the inclusion holds trivially. Otherwise, wemust have v ∈ Minterms ( reduce k D ( S )). In fact, we show that all minterms v (cid:54)∈ Minterms ( reduce k D ( S )) satisfy (cid:74) v (cid:75) = ∅ . Consider such a minterm v . There mustexist x, y ∈ C and ( k, ≺ k ) ∈ D x,y such that ¬ p x − y ≺ k but the right hand side ofthe implication holds. But this implies that (cid:74) v (cid:75) = ∅ .The fact that all miterms of reduce k D ( S ) are k -reduced follow by the definitionof the operator. (cid:117)(cid:116) Example 2. Note that reduce D ( S ) can still contain valuations that are unsatis-fiable. Consider P = { p x − y ≤ , p y − z ≤ , p x − z ≤ , p z − x ≤− } . Then the minterm u hat sets all predicates to true is still contained in reduce D ( S ) although (cid:74) u (cid:75) = ∅ since x − y ≤ ∧ y − z ≤ x − z ≤ z − x ≤ − 3. Here,adding the predicate p x − z ≤ or p x − z< would render the abstraction preciseenough to eliminate this valuation in reduce D ( S ).Let us see how an abstraction can be refined so that the reduced constrainteliminates a given unsatisfiable minterm. Lemma 11. Let v ∈ B P D be a minterm such that v | = reduce D and (cid:74) v (cid:75) = ∅ .One can compute in polynomial time a refinement D (cid:48) ⊃ D such that v (cid:54)| = reduce D (cid:48) .Proof. Consider a (non-canonial) DBM D that encodes v . Formally, for all ( x, y ) ∈C , D ( x, y ) = min { ( k, ≺ ) | p x − y ≺ k ∈ P x,y and v ( p x − y ≺ k ) = 1 } . The correspond-ing graph must have a negative cycle s s . . . s m with s m = s . To define D (cid:48) ,we add the following predicates to D : – s i − s i +1 ≤ D ( s i , s i +1 ) for all 1 ≤ j ≤ m − – s − s j ≤ D ( s , s ) + D ( s , s ) + . . . + D ( s j − , s j ) for 1 ≤ j ≤ m − s to s j . This allows to derive thenegative cycle using only paths of length 2.More precisely, v ∧ reduce D (cid:48) implies the following two predicates: s − s m ≤ (cid:80) m − j =1 D ( s j , s j +1 ), and s m − s ≤ D ( s m , s ) as implied by v . Since − D ( s m , s ) > (cid:80) m − j =1 D ( s j , s j +1 ) (due to the negative cycle), the first predicate entails that ¬ p s − s m ≤− D ( s m ,s ) , which contradicts the second one. Hence v (cid:54)| = reduce D (cid:48) . (cid:117)(cid:116) In this section, we explain how successor computation is realized in our en-coding. For a guard g , assume we have computed an abstraction α D ( g ) in thepresent abstract domain. For each transition σ = ( (cid:96) , g, R, (cid:96) ), let us define theformula T σ = (cid:96) ∧ α D ( g ). We show how each basic operation on zones can be com-puted in our BDD encoding. In our algorithm, all formulas A ( B , P ) representingsets of states are assumed to be reduced, that is, A ( B , P ) ⊆ reduce D ( A ( B , P )).The intersection operation is simply logical conjunction. Lemma 12. For all reduced formulas A ( P ) , B ( P ) , A ( P ) ∧ B ( P ) = α D ( (cid:74) A ( P ) (cid:75) D ∩ (cid:74) B ( P ) (cid:75) D ) .Proof. Consider v ∈ Minterms ( A ( P ) ∧ B ( P )). Then v ∈ Minterms ( A ( P )) ∩ Minterms ( B ( P )). So (cid:74) v (cid:75) ⊆ (cid:74) A ( P ) (cid:75) ∩ (cid:74) B ( P ) (cid:75) , and v = α D ( (cid:74) v (cid:75) ) ⊆ α D ( (cid:74) A ( P ) (cid:75) D ∩ (cid:74) B ( P ) (cid:75) D ).We will now show α D ( (cid:74) A ( P ) (cid:75) D ∩ (cid:74) B ( P ) (cid:75) D ) ⊆ A ( P ) ∧ B ( P ), which is equivalentto (cid:74) A ( P ) (cid:75) D ∩ (cid:74) B ( P ) (cid:75) D ⊆ (cid:74) A ( P ) ∧ B ( P ) (cid:75) . Consider any clock valuation ν in theLHS, and let v = α D ( ν ). Since ν ∈ (cid:74) A ( P ) (cid:75) D and ν ∈ (cid:74) B ( P ) (cid:75) D , we must have v ∈ A ( P ) ∧ B ( P ), so ν ∈ (cid:74) A ( P ) ∧ B ( P ) (cid:75) . (cid:117)(cid:116) x y x Fig. 4: Time successors: the successors of the gray zone on the left are the unionof all blue dashed zones on the right.For the time successors, we define S Up = (cid:94) x ∈C ( k, ≺ ) ∈D x, ( ¬ p x − ≺ k → ¬ p (cid:48) x − ≺ k ) (cid:94) x,y ∈C ,x (cid:54) =0( k, ≺ ) ∈D x,y ( p (cid:48) x − y ≺ k ↔ p x − y ≺ k ) . Note that this relation is not a function: for x ≤ , y = 0, if ¬ p x − y ≺ k , thennecessarily ¬ p (cid:48) x − y ≺ k ; but otherwise both truth values for p (cid:48) x − y ≺ k are allowed.In fact, the formula only says that all lower bounds on clocks and diagonalconstraints must be preserved. We let Up ( A ( B , P )) = reduce ( post S Up ( A ( B , P ))). Example 3. Figure 4 shows this operation applied to the gray zone on the left.The overapproximation is visible in this example. In fact, the blue dashed zonedefined by Z = 3 < x < ∧ ≤ y < ∧ x − y < Z by a time delay. Adding more diagonal constraints to theabstract domain, for instance, x − y ≤ Lemma 13. For any Boolean formula A ( B , P ) , α D ( (cid:74) A (cid:75) ↑ ) ⊆ Up ( A ) . Moreover,if D is the concrete domain and A is reduced, then this holds with equality.Proof. We show that α D ( (cid:74) A (cid:75) ↑ ) ⊆ Up ( A ), which is equivalent to (cid:74) A (cid:75) ↑ ⊆ (cid:74) Up ( A ) (cid:75) D .Let ν (cid:48) ∈ (cid:74) A (cid:75) ↑ , and let ν ∈ (cid:74) A (cid:75) such that ν (cid:48) = ν + d for some d ≥ 0. Wewrite u = α D ( ν ) ∈ Minterms ( A ), and v = α D ( ν (cid:48) ). We now show that ( u, v ) ∈ S Up .This suffices to prove the inclusion since v ∈ Minterms ( Up ( A )) implies that ν (cid:48) ∈ (cid:74) v (cid:75) D ⊆ (cid:74) Up ( A ) (cid:75) D . Observe that α D ( ν ) and α D ( ν (cid:48) ) satisfy the same diagonalpredicates of the form p x − y ≺ α with x, y (cid:54) = 0, since ν (cid:48) = ν + d . Moreover, anylower bound satisfied by u is also satified by v . Thus, ( u, v ) ∈ S Up .Assume now that A is reduced. We show that Up ( A ) ⊆ α D ( (cid:74) A (cid:75) ↑ ). Let v ∈ Minterms ( Up ( A )), and let ( u, v ) ∈ S Up with u ∈ Minterms ( A ). We claim that (cid:74) v (cid:75) ⊆ (cid:74) u (cid:75) ↑ . This suffices to prove the inclusion since { v } = α D ( (cid:74) v (cid:75) ) ⊆ α D ( (cid:74) u (cid:75) ↑ ) ⊆ α D ( (cid:74) A (cid:75) ↑ ). To prove the claim, it suffices to see (cid:74) u (cid:75) and (cid:74) v (cid:75) as DBMs. In fact, S Up precisely corresponds to the up operation on DBMs. In particular, u and v have the same diagonal constraints, and any lower bound of u is a lower boundof v . Because u is reduced, this implies that (cid:74) v (cid:75) ↑ ⊆ (cid:74) u (cid:75) . (cid:117)(cid:116) xample 4. Note that we do need that the domain is concrete to prove equality.In fact, assume the predicates are p = y − x ≤ p = x − y ≤ x ≤ , y ≤ , x ≤ , y ≤ 4. Then if u = x ≤ ∧ y ≤ ∧ p ∧ p and v = 1 ≤ x ≤ ∧ y ≤ ∧ p ∧ p .So v is larger than u ↑ .Second, to see that the Up operation can yield strict over-approximations,consider p x ≤ ∧ p y ≥ in a domain with no predicate on x − y . The operatorrelaxes all upper bounds, yielding p y ≥ which defines a set larger than theconcrete time-successors y ≥ ∧ x − y ≤ z ∈ C , S Reset z = (cid:94) (0 , ≤ ) ≤ ( k, ≺ ) ∈D z, p (cid:48) z − ≺ k ∧ (cid:94) x (cid:54) = z ( k, ≺ ) ∈D x,z (cid:16) (cid:95) ( l, ≺ (cid:48) ) ∈D x, ( l, ≺ (cid:48) ) ≤ ( k, ≺ ) p x − ≺ (cid:48) l (cid:17) ⇒ p (cid:48) x − z ≺ k ∧ (cid:94) y (cid:54) = z ( k, ≺ ) ∈D z,y (cid:16) (cid:95) ( l, ≺ (cid:48) ) ∈D ,y ( l, ≺ (cid:48) ) ≤ ( k, ≺ ) p − y ≺ (cid:48) l (cid:17) ⇒ p (cid:48) z − y ≺ k ∧ (cid:94) y (cid:54) = z (0 , ≤ ) ≤ ( k, ≺ ) ∈D z,y p (cid:48) z − y ≺ k ∧ (cid:94) x,y (cid:54) = z ( k, ≺ ) ∈D x,y p (cid:48) x − y ≺ k ⇔ p x − y ≺ k . Intuitively, the first conjunct ensures all non-negative upper bounds on the resetclock hold; the second conjunct ensures that a diagonal predicate x − z ≺ k with x (cid:54) = z is set to true if, and only if, an upper bound ( l, ≺ (cid:48) ) ≤ ( k, ≺ ) alreadyholds on x . Recall that in operations on DBMs, one sets such a diagonal componentto the tightest upper bound on x . The third conjunct is symmetric to the second,and the last one ensures diagonals not affected by reset are unchanged. Let usdefine Reset z ( A ) = reduce ( post S Reset z ( A )). Lemma 14. For any Boolean formula A ( B , P ) , and for any z ∈ C , we have α D ( Reset z ( (cid:74) A (cid:75) D )) ⊆ Reset z ( A ) . Moreover, if D is the concrete domain, and A is reduced, then the above holds with equality.Proof. Let r = { z } . We show the equivalent inclusion Reset r ( (cid:74) A (cid:75) D ) ⊆ (cid:74) Reset r ( A ) (cid:75) D .Let ν (cid:48) ∈ Reset r ( (cid:74) A (cid:75) ), and ν ∈ (cid:74) A (cid:75) such that ν (cid:48) = ν [ r ← u = α D ( ν ) ∈ A .Letting v = α D ( ν (cid:48) ), let us show that ( u, v ) ∈ S Reset r , which proves that v ∈ Reset r ( A ), thus ν (cid:48) ∈ (cid:74) v (cid:75) D ⊆ (cid:74) Reset r ( A ) (cid:75) D . x y x Fig. 5: Reset Operation: The abstract successor of the gray zone on the left isthe blue dashed zone on the right. – Consider x ∈ r . Since ν (cid:48) ( x ) = 0, we have that v | = p x − y ≺ k for all ( k, ≺ ) ∈ D x,y with ( k, ≺ ) ≥ (0 , ≤ ); so ( u, v ) satisfies the first conjunct. Fix ( k, ≺ ) ∈ D x,y . – Assume x (cid:54)∈ r, y ∈ r , so that ν (cid:48) ( x ) = ν ( x ) , ν (cid:48) ( y ) = 0. If there is ( l, ≺ (cid:48) ) ∈ D x, with ( l, ≺ (cid:48) ) ≤ ( k, ≺ ), this means ν ( x ) − ≺ (cid:48) l ≺ k so ν (cid:48) ( x ) − ν (cid:48) ( y ) ≺ k . Thusthe second conjunct is satisfied. – Assume x ∈ r, y (cid:54)∈ r so that ν (cid:48) ( x ) = 0 , ν (cid:48) ( y ) = ν ( y ). If there is ( l, ≺ (cid:48) ) ∈ D ,y with ( l, ≺ (cid:48) ) ≤ ( k, ≺ ), this means 0 − ν ( y ) ≺ (cid:48) l ≺ k so ν (cid:48) ( x ) − ν (cid:48) ( y ) ≺ k as well.Thus the third conjunct is satisfied. We also have trivially ν (cid:48) ( x ) − ν (cid:48) ( y ) ≺ k for all (0 , ≤ ) ≤ ( k, ≺ ), which entails the fourth conjunct. – Observe that ν and ν (cid:48) satisfy the same predicates of type p x − y ≺ α with x, y (cid:54)∈ r since these values are not affected by the reset; so the pair ( u, v ) satisfies thelast conjunct of S Reset r as well.Now, if the domain is concrete and A is reduced, then we have (cid:74) Reset r ( A ) (cid:75) D ⊆ Reset r ( (cid:74) A (cid:75) D ). In fact, the operation then corresponds precisely to the resetoperation in DBMs, see [8, Algorithm 10]. On DBMs, for a component ( x, y )with x ∈ r, y (cid:54)∈ r , the algorithm consists in setting this component to value (0 , y ).In our encoding, we thus set the predicate p (cid:48) x − y ≺ k to true whenever p − x ≺ (cid:48) l holdswith ( l, ≺ (cid:48) ) ≤ ( k, ≺ ). The argument is symmetric for ( x, y ) with x (cid:54)∈ r , y ∈ r . (cid:117)(cid:116) Algorithm 8 shows how to check the reachability of a target location given anabstract domain. The list layers contains, at position i , the set of states thatare reachable in i steps. The function ApplyEdges computes the disjunction ofimmediate successors by all edges. It consists in looping over all edges e =( l , g, R, l ), and gathering the following image by e : enc ( (cid:96) ) ∧ Reset r k ( Reset r k − ( . . . ( Reset r (((( ∃B .A ( B , P ) ∧ enc ( (cid:96) )) ∧ α D ( g ))))))) , where R = { r , . . . , r k } . We thus use a partitioned transition relation and do notcompute the monolithic transition relation.When the target location is found to be reachable, ExtractTrace ( layers ) returnsa trace reaching the target location. This is standard and can be done bycomputing backwards from the last element of layers , by finding which edge lgorithm 8: Algorithm SymReach that checks the reachability of a targetlocation l T in a given abstract domain D . Input: A = ( L , Inv , (cid:96) , C , E ), (cid:96) T , D ; next := enc ( l ) ∧ α D ( ∧ x ∈C x = 0); layers := []; reachable := false ; while ( ¬ reachable ∧ next ) (cid:54) = false do reachable := reachable ∨ next ; next := ApplyEdges ( Up ( next )) ∧ ¬ reachable ; layers .push ( next ); if ( next ∧ enc ( l T )) (cid:54) = false then return ExtractTrace ( layers ); return Not reachable; can be applied to reach the current state. Since both reset and time successoroperations are defined using relations, predecessors in our abstract system canbe easily computed using the operator pre R . As it is standard, we omit theprecise definition of this function (the reader can refer to the implementation)but assume that it returns a trace of the form A σ −→ A σ −→ . . . σ n − −−−→ A n , where the A i ( B , P ) are minterms and the σ i belong to the trace alphabet Σ = { up , r ∅ } ∪ { r ( x ) } x ∈C , with the following meaning: – if A i up −→ A i +1 then A i +1 = Up ( A i ); – if A i r ∅ −→ A i +1 then A i +1 = A i ; – if A i r ( x ) −−→ A i +1 then A i +1 = Reset x ( A i ).The feasibility of such a trace is easily checked using DBMs.The overall algorithm then follows a classical CEGAR scheme. We initialize D by adding the clock constraints that appear syntactically in A , which is oftena good heuristic. We run the reachability check of Algorithm 8. If no trace isfound, then the target location is not reachable. If a trace is found, then we checkfor feasibility. If it is feasible, then the counterexample is confirmed. Otherwise,the trace is spurious and we run the refinement procedure described in the nextsubsection, and repeat the analysis. Since we initialize D with all clock constraints appearing in guards, we can makethe following hypothesis. Assumption 1. All guards are represented exactly in the considered abstractions. ote that the algorithm can be easily extended to the general case; but thissimplifies the presentation.The abstract transition relation we use is not the most precise abstractionof the concrete transition relation. Therefore, it is possible to have abstracttransitions A a −→ A for some action a while no concrete transition existsbetween (cid:74) A (cid:75) and (cid:74) A (cid:75) . This requires care and is not a direct application of thestandard refinement technique from [11]. A second difficulty is due to incompletereduction of the predicates using reduce D . In fact, some reachable states in ourabstract model will be unsatisfiable. Let us explain how we refine the abstractionin each of these cases.Consider an algorithm interp that returns an interpolant of two given zones Z , Z .In what follows, by the refinement of D by interp ( Z , Z ), we mean the domain D (cid:48) obtained by adding ( k, ≺ ) to D x,y for all constraints x − y ≺ k of interp ( Z , Z ).Observe that α D (cid:48) ( Z ) ∩ α D (cid:48) ( Z ) = ∅ in this case.We define concrete successor and predecessor operations for the actions in Σ .For each a ∈ Σ , let Pre ca denote the concrete predecessor operation on zonesdefined straightforwardly, and similarly for Post ca .Consider domain D and the induced abstraction function α D . Assume thatwe are given a spurious trace π = A σ −→ A σ −→ . . . σ n − −−−→ A n . Let B . . . B n bethe sequence of concrete states visited along π in A , that is, B is the concreteinitial state, and for all 2 ≤ i ≤ n , let B i = Post cπ i − ( B i − ). This sequence canbe computed using DBMs.The trace is realizable if B n (cid:54) = ∅ , in which case the counterexample is confirmed.Otherwise it is spurious . We show how to refine the abstraction to eliminate aspurious trace π .Let i be the maximal index such that B i (cid:54) = ∅ . There are three possiblereasons explaining why B i +1 is empty:1. first, if the abstract successor A i +1 is unsatisfiable, that is, if it containscontradictory predicates; in this case, (cid:74) A i +1 (cid:75) = ∅ , and the abstraction isrefined by Lemma 11 to eliminate this case by strengthening reduce k D .2. if there are predecessors of A i +1 inside A i but none of them are in B i , i.e., Pre cπ i ( (cid:74) A i +1 (cid:75) ) ∩ (cid:74) A i (cid:75) (cid:54) = ∅ ; in this case, we refine the domain by separatingthese predecessors from the rest of A i using interp ( Pre cπ i ( (cid:74) A i +1 (cid:75) ) , B i − ),as in [11].3. otherwise, there are no predecessors of A i +1 inside A i : we refine the ab-straction according to the type of the transition from step i to i + 1:(a) if π i = up: refine D by interp ( (cid:74) A i (cid:75) ↑ , (cid:74) A i +1 (cid:75) ↓ ).(b) if π i = r ( x ): refine D by interp ( Free x ( (cid:74) A i (cid:75) ) , Free x ( (cid:74) A i +1 (cid:75) )).Note that the case π i = r ∅ is not possible since this induces the identity functionboth in the abstract and concrete systems.Given abstraction α D and spurious trace π , let refine ( α D , π ) denote the refinedabstraction α D (cid:48) obtained as described above. The following two lemmas justifythe two subcases of the third case above. They prove that the detected spurioustransition disappears after refinement. The reset and up operations depend on xA A y xA A (a) Refinement for the time successorsoperation. The interpolant that sepa-rates (cid:74) A (cid:75) ↑ from (cid:74) A (cid:75) ↓ contains the con-straint x = y + 2. When this is added tothe abstract domain, the set A (cid:48) (which is A in the new abstraction) is no longerreachable by the time successors opera-tion. y xA A y xA (cid:48) A (cid:48) (b) Refinement for the reset opera-tion. The interpolant that separates Free y ( A ) from Free y ( A ) contains theconstraint x < 2. When this is added tothe abstract domain, the set A (cid:48) (whichis A in the new abstraction) is nolonger reachable by the reset operation. the abstraction, so we make this dependence explicit below by using superscripts,as in Reset αx and Up α , in order to distinguish the operations before and after arefinement. Lemma 15. Consider ( A , A ) ∈ Up α with (cid:74) A (cid:75) ↑ ∩ (cid:74) A (cid:75) = ∅ . Then (cid:74) A (cid:75) ↑ ∩ (cid:74) A (cid:75) ↓ = ∅ . Moreover, if α (cid:48) is obtained by refinement of α by interp ( (cid:74) A (cid:75) ↑ , (cid:74) A (cid:75) ↓ ) ,then for all ( A (cid:48) , A (cid:48) ) ∈ Up α (cid:48) , (cid:74) A (cid:48) (cid:75) ⊆ (cid:74) A (cid:75) implies (cid:74) A (cid:48) (cid:75) ∩ (cid:74) A (cid:75) = ∅ .Proof. Assume there is v ∈ (cid:74) A (cid:75) ↑ ∩ (cid:74) A (cid:75) ↓ . There exists d , d ≥ v ∈ A such that v = v + d and v + d ∈ A , which means v + d + d ∈ A , thus (cid:74) A (cid:75) ↑ ∩ (cid:74) A (cid:75) (cid:54) = ∅ .Let Z = (cid:74) interp ( (cid:74) A (cid:75) ↑ , (cid:74) A (cid:75) ↓ ) (cid:75) . By definition, (cid:74) A (cid:75) ↑ ⊆ Z , and Z ∩ (cid:74) A (cid:75) ↓ = ∅ .We have Z ↑ = Z ; in fact, Z cannot have upper bounds since (cid:74) A (cid:75) ↑ does nothave any. It follows that Z ↑ ∩ (cid:74) A (cid:75) ↓ = ∅ .Now, consider ( A (cid:48) , A (cid:48) ) ∈ Up α (cid:48) with (cid:74) A (cid:48) (cid:75) ⊆ (cid:74) A (cid:75) . Let us show that (cid:74) A (cid:48) (cid:75) ⊆ Z .Notice that all constraints of Z must be satisfied by A (cid:48) due to the inclusion (cid:74) A (cid:48) (cid:75) ⊆ Z : there are no upper bounds in Z , all its lower bounds are satisfiedby A , thus also by A (cid:48) , and are preserved by definition by Up , and all diagonalconstraints of Z hold in A , thus also in A (cid:48) , and are preserved as well in A (cid:48) .This shows the required inclusion. It follows that (cid:74) A (cid:48) (cid:75) ∩ (cid:74) A (cid:75) = ∅ . (cid:117)(cid:116) Lemma 16. Consider x ∈ C , and ( A , A ) ∈ Reset αx such that (cid:74) A (cid:75) [ x ← ∩ (cid:74) A (cid:75) = ∅ . Then Free x ( (cid:74) A (cid:75) ) ∩ Free x ( (cid:74) A (cid:75) ) = ∅ . Moreover, if α (cid:48) is obtainedby refinement of α by interp ( Free x ( (cid:74) A (cid:75) ) , Free x ( (cid:74) A (cid:75) )) , then for all ( A (cid:48) , A (cid:48) ) ∈ Reset α (cid:48) x with (cid:74) A (cid:48) (cid:75) ⊆ (cid:74) A (cid:75) , we have (cid:74) A (cid:48) (cid:75) ∩ (cid:74) A (cid:75) = ∅ .Proof. Let v ∈ Free x ( (cid:74) A (cid:75) ) ∩ Free x ( (cid:74) A (cid:75) ). Then there exist v ∈ (cid:74) A (cid:75) , v ∈ (cid:74) A (cid:75) and v such that v = v [ x ← 0] = v [ x ← 0] = v [ x ← (cid:74) A (cid:75) is closed byresetting x , that is, (cid:74) A (cid:75) [ x := 0] ⊆ (cid:74) A (cid:75) . This follows from Lemma 14 appliedo A , by observing that A is unchanged by the reset operation. So v ∈ (cid:74) A (cid:75) .But then (cid:74) A (cid:75) [ x := 0] ∩ (cid:74) A (cid:75) (cid:54) = ∅ as witnessed by v [ x := 0] = v .Let Z = (cid:74) interp ( Free x ( (cid:74) A (cid:75) ) , Free x ( (cid:74) A (cid:75) )) (cid:75) . For all A (cid:48) satisfying (cid:74) A (cid:48) (cid:75) ⊆ (cid:74) A (cid:75) ,we have (cid:74) A (cid:48) (cid:75) [ x ← ⊆ (cid:74) A (cid:75) [ x ← ⊆ Free x ( (cid:74) A (cid:75) ) ⊆ Z . So Z ∩ A = ∅ meansthat (cid:74) A (cid:48) (cid:75) [ x ← ∩ A = ∅ . (cid:117)(cid:116) We implemented both algorithms. The symbolic version was implemented inOCaml using the CUDD library ; the explicit version was implemented in C++within an existing model checker using Uppaal DBM library. Both prototypestake as input networks of timed automata with invariants, discrete variables,urgent and committed locations. The presented algorithms are adapted to thesefeatures without difficulty.We evaluated our algorithms on three classes of benchmarks we believe aresignificant. We compare the performance of the algorithm with that of Uppaal [7]which is based on zones, as well as the BDD-based model checker engine ofPAT [25]. We were unable to compare with RED [30] which is not maintainedanymore and not open source, and with which we failed to obtain correct results.The tool used in [16] was not available either. We thus only provide a comparisonhere with two well-maintained tools.Two of our benchmarks are variants of schedulability-analysis problems wheretask execution times depend on the internal states of executed processes, so thatan analysis of the state space is necessary to obtain a precise answer. Monoprocess Scheduling Analysis. In this variant, a single process sequen-tially executes tasks on a single machine, and the execution time of each cycledepends on the state of the process. The goal is to determine a bound on themaximum execution time of a single cycle. This depends on the semantics of theprocess since the bound depends on the reachable states.More precisely, we built a set of benchmarks where the processes are definedby synchronous circuit models taken from the Synthesis Competition ( ). We assume that each latch of the circuit is associatedwith a resource, and changing the state of the resource takes some amount oftime. So a subset of the latches have clocks associated with them, which measurethe time elapsed since the latest value change (latest moment when the valuechanged from 0 to 1, or from 1 to 0). We provide two time positive bounds (cid:96) and (cid:96) for each latch, which determine the execution time as follows: if the valueof latch (cid:96) changes from 0 to 1 (resp. from 1 to 0), then the execution time of thepresent cycle cannot be less than (cid:96) (resp. (cid:96) ). The execution time of the step isthen the minimum that satisfies these constraints. Multi-process Stateful Scheduling Analysis. In this variant, three processesare scheduled on two machines with a round-robin policy. Processes schedule tasksone after the other without any delay. As in the previous benchmarks, a process http://vlsi.colorado.edu/~fabio/ xecuting a task (on any machine) corresponds to a step of the synchronous circuitmodel. Each task is described by a tuple ( C , C , D ) which defines the minimumand maximum execution times, and the relative deadline. When a task finishes,the next task arrives immediately. The values in the tuple depend on the state ofthe process. The goal is to check the absence of any deadline miss. Processes arealso instantiated with AIG circuits from . Asynchronous Computation. We consider an asynchronous network of “thresh-old gates”, defined as follows: each gate is characterized by a tuple ( n, θ, [ l, u ])where n is the number of inputs, 0 ≤ θ ≤ n is the threshold, and l ≤ u are lowerand upper bounds on activation time. Each gate has an output which is initiallyundefined. The gate becomes active during the time period [ l, u ]. During thistime, if all inputs are defined, and if at least θ of the inputs have value 1, thenit sets its output to 1. At the end of the time period, it becomes deactivatedand the output becomes undefined again, until the next period, which starts l time units after the deactivation. The goal is to check whether the given gatecan output 1 within a given time bound T .Fig. 7: Comparison of our enumerative and symbolic algorithms (resp. Abs-enumerative and Abs-symbolic) with Uppaal and PAT. Each figure is a cactusplot for the set of benchmarks: a point (X,Y) means X benchmarks were solvedwithin time bound Y. Results. Figure 7 displays the results of our experiments. All algorithms weregiven 8GB of memory and a timeout of 30 minutes, and the experiments were runn laptop with an Intel [email protected] processor running Linux. The symbolic algo-rithm performs best among all on the monoprocess and multiprocess schedulingbenchmarks. Uppaal is the second best, but does not solve as many benchmarksas our algorithm. Our enumerative algorithm quickly fails on these benchmarks,often running out of memory. On asynchronous computation benchmarks, ourenumerative algorithm performs remarkably well, beating all other algorithms.We ran our tools on the CSMA/CD benchmarks (with 3 to 12 processes); Uppaalperforms the best but our enumerative algorithm is slightly behind. The symbolicalgorithm does not scale, while PAT fails to terminate in all cases.The tool used for the symbolic algorithm is open source and can be found at https://github.com/osankur/symrob along with all the benchmarks. There are several ways to improve the algorithm. Since the choice of interpolantsdetermines the abstraction function and the number of refinements, we assumedthat taking the minimal interpolant should be preferable as it should keep theabstractions as coarse as possible. But it might be better to predict whichinterpolant is the most adapted for the rest of the computation in order to limitfuture refinements. The number of refinement also depends on the search order,and although it has already been studied in [23], it could be interesting to studyit in this case. Generally speaking, it is worth noting that we currently cannotpredict which (variant of) our algorithms is better suited for which model.Several extensions of our algorithms could be developed, e.g. combining ouralgorithms with other methods based on finer abstractions as in [22], integratingpredicate abstraction on discrete variables, or developing SAT-based versions ofour algorithms. References 1. E. Althaus, B. Beber, W. Damm, S. Disch, W. Hagemann, A. Rakow, C. Scholl,U. Waldmann, and B. Wirtz. Verification of linear hybrid systems with largediscrete state spaces using counterexample-guided abstraction refinement. Scienceof Computer Programming , 148:123–160, Nov. 2017.2. R. Alur, C. Courcoubetis, and D. L. Dill. Model-checking in dense real-time. Information and Computation , 104(1):2–34, May 1993.3. R. Alur and D. L. Dill. Automata for modeling real-time systems. In M. Paterson,editor, Proceedings of the 17th International Colloquium on Automata, Languagesand Programming (ICALP’90) , volume 443 of Lecture Notes in Computer Science ,pages 322–335. Springer-Verlag, July 1990.4. Ch. Baier and J.-P. Katoen. Principles of Model-Checking . MIT Press, May 2008.5. T. Ball and S. Rajamani. The SLAM toolkit. In G. Berry, H. Comon, andA. Finkel, editors, Proceedings of the 13th International Conference on ComputerAided Verification (CAV’01) , volume 2102 of Lecture Notes in Computer Science ,pages 260–264. Springer-Verlag, July 2001.. G. Behrmann, P. Bouyer, K. G. Larsen, and R. Pel´anek. Lower and upper bounds inzone based abstractions of timed automata. In K. Jensen and A. Podelski, editors, Proceedings of the 10th International Conference on Tools and Algorithms forConstruction and Analysis of Systems (TACAS’04) , volume 2988 of Lecture Notesin Computer Science , pages 312–326, Barcelona, Spain, Mar. 2004. Springer-Verlag.7. G. Behrmann, A. David, K. G. Larsen, J. H˚akansson, P. Pettersson, W. Yi, andM. Hendriks. Uppaal 4.0. In Proceedings of the 3rd International Conference onQuantitative Evaluation of Systems (QEST’06) , pages 125–126. IEEE Comp. Soc.Press, Sept. 2006.8. J. Bengtsson and W. Yi. Timed automata: Semantics, algorithms and tools. InJ. Desel, W. Reisig, and G. Rozenberg, editors, Lectures on Concurrency andPetri Nets , volume 2098 of Lecture Notes in Computer Science , pages 87–124.Springer-Verlag, 2004.9. B. Berthomieu and M. Menasche. An enumerative approach for analyzing time Petrinets. In R. E. A. Mason, editor, Information Processing 83 – Proceedings of the9th IFIP World Computer Congress (WCC’83) , pages 41–46. North-Holland/IFIP,Sept. 1983.10. E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletonsusing branching-time temporal logic. In D. C. Kozen, editor, Proceedings of the3rd Workshop on Logics of Programs (LOP’81) , volume 131 of Lecture Notes inComputer Science , pages 52–71. Springer-Verlag, 1982.11. E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guidedabstraction refinement for symbolic model checking. Journal of the ACM , 50(5):752–794, Sept. 2003.12. E. M. Clarke, O. Grumberg, and D. A. Peled. Model checking . MIT Press, 2000.13. P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model forstatic analysis of programs by construction or approximation of fixpoints. In Conference Record of the 4th ACM Symposium on Principles of ProgrammingLanguages (POPL’77) , pages 238–252. ACM Press, Jan. 1977.14. H. Dierks, S. Kupferschmid, and K. G. Larsen. Automatic abstraction refinementfor timed automata. In J.-F. Raskin and P. S. Thiagarajan, editors, Proceedingsof the 5th International Conferences on Formal Modelling and Analysis of TimedSystems (FORMATS’07) , volume 4763 of Lecture Notes in Computer Science , pages114–129. Springer-Verlag, Oct. 2007.15. D. L. Dill. Timing assumptions and verification of finite-state concurrent systems.In J. Sifakis, editor, Proceedings of the International Workshop on AutomaticVerification Methods for Finite State Systems (AVMFSS’89) , volume 407 of LectureNotes in Computer Science , pages 197–212. Springer, 1990.16. R. Ehlers, D. Fass, M. Gerke, and H.-J. Peter. Fully symbolic timed model checkingusing constraint matrix diagrams. In Proceedings of the 31st IEEE Symposium onReal-Time Systems (RTSS’10) , pages 360–371. IEEE Comp. Soc. Press, Nov. 2010.17. R. Ehlers, R. Mattm¨uller, and H.-J. Peter. Combining symbolic representations forsolving timed games. In K. Chatterjee and T. A. Henzinger, editors, Proceedingsof the 8th International Conferences on Formal Modelling and Analysis of TimedSystems (FORMATS’10) , volume 6246 of Lecture Notes in Computer Science , pages107–212. Springer-Verlag, Sept. 2010.18. F. He, H. Zhu, W. N. N. Hung, X. Song, and M. Gu. Compositional abstractionrefinement for timed systems. In J. Liu, D. A. Peled, B.-Y. Wang, and F. Wang,editors, Proceedings of the 4th International Symposium on Theoretical Aspects ofSoftware Engineering (TASE’10) , pages 168–176. IEEE Comp. Soc. Press, Aug.2010.9. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In Conference Record of the 29th ACM SIGPLAN-SIGACT Symposium on Principlesof Programming Languages (POPL’02) , volume 37(1) of ACM SIGPLAN Notices ,pages 58–70. ACM Press, Jan. 2002.20. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Software verification withBLAST. In T. Ball and S. Rajamani, editors, Proceedings of the 10th InternationalSPIN Workshop (SPIN’03) , volume 2648 of Lecture Notes in Computer Science ,pages 235–239. Springer-Verlag, Apr. 2003.21. F. Herbreteau, D. Kini, B. Srivathsan, and I. Walukiewicz. Using non-convexapproximations for efficient analysis of timed automata. In S. Chakraborty andA. Kumar, editors, Proceedings of the 31st Conference on Foundations of SoftwareTechnology and Theoretical Computer Science (FSTTCS’11) , volume 13 of Leib-niz International Proceedings in Informatics , pages 78–89. Leibniz-Zentrum f¨urInformatik, Dec. 2011.22. F. Herbreteau, B. Srivathsan, and I. Walukiewicz. Lazy abstractions for timedautomata. In N. Sharygina and H. Veith, editors, Proceedings of the 25th Inter-national Conference on Computer Aided Verification (CAV’13) , volume 8044 of Lecture Notes in Computer Science , pages 990–1005. Springer-Verlag, July 2013.23. F. Herbreteau and T.-T. Tran. Improving search order for reachability testing intimed automata. In S. Sankaranarayanan and E. Vicario, editors, Proceedings ofthe 13th International Conferences on Formal Modelling and Analysis of TimedSystems (FORMATS’15) , volume 9268 of Lecture Notes in Computer Science , pages124–139. Springer-Verlag, Sept. 2015.24. K. L. McMillan. Symbolic Model Checking — An Approach to the State ExplosionProblem . PhD thesis, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA,1993.25. T. K. Nguyen, J. Sun, Y. Liu, J. S. Dong, and Y. Liu. Improved BDD-based discreteanalysis of timed systems. In D. Giannakopoulou and D. M´ery, editors, Proceedingsof the 18th International Symposium on Formal Methods (FM’12) , volume 7436 of Lecture Notes in Computer Science , pages 326–340. Springer-Verlag, Aug. 2012.26. A. Pnueli. The temporal logic of programs. In Proceedings of the 18th AnnualSymposium on Foundations of Computer Science (FOCS’77) , pages 46–57. IEEEComp. Soc. Press, Oct.-Nov. 1977.27. S. A. Seshia and R. E. Bryant. Unbounded, fully symbolic model checking of timedautomata using boolean methods. In W. A. Hunt, Jr and F. Somenzi, editors, Proceedings of the 15th International Conference on Computer Aided Verification(CAV’03) , volume 2725 of Lecture Notes in Computer Science , pages 154–166.Springer-Verlag, July 2003.28. T. T´oth and I. Majzik. Lazy reachability checking for timed automata usinginterpolants. In A. Abate and G. Geeraerts, editors, Proceedings of the 15thInternational Conferences on Formal Modelling and Analysis of Timed Systems(FORMATS’17) , volume 10419 of Lecture Notes in Computer Science , pages 264–280.Springer-Verlag, Sept. 2017.29. T. T´oth and I. Majzik. Lazy reachability checking for timed automata usinginterpolants. In A. Abate and G. Geeraerts, editors, Proceedings of the 15thInternational Conferences on Formal Modelling and Analysis of Timed Systems(FORMATS’17) , volume 10419 of Lecture Notes in Computer Science , pages 264–280.Springer-Verlag, Sept. 2017.30. F. Wang. Symbolic verification of complex real-time systems with clock-restrictiondiagram. In M. Kim, B. Chin, S. Kang, and D. Lee, editors, Proceedings of the 21stFIP TC6/WG6.1 International Conference on Formal Techniques for Networkedand Distributed Systems (FORTE’01) , volume 197 of IFIP Conference Proceedings ,pages 235–250. Chapman & Hall, Aug. 2001.31. W. Wang and L. Jiao. Trace abstraction refinement for timed automata. In F. Cassezand J.-F. Raskin, editors, Proceedings of the 12th International Symposium onAutomated Technology for Verification and Analysis (ATVA’14) , volume 8837 of Lecture Notes in Computer Science , pages 396–410. Springer-Verlag, Nov. 2014. Details on Benchmarks Monoprocess-scheduling benchmarks we considered are listed below. In each case,the .aag file is the circuit defining the process (the models with identical filenames is available at ). Only a subset of the latchesare “clocked”, that have time constraints. This can be seen in the file name:for instance, in amba3b5y.aag 4L 200.xml , only the first four latches are clocked.The number of clocks is then five (an additional one is used to test the elapsedglobal time). The last number is the time bound to be tested. The complete listof benchmarks are given in Table 1. amba3b5y.aag 10L 300.xmlamba3b5y.aag 4L 200.xmlamba3b5y.aag 4L 290.xmlamba3b5y.aag 4L 300.xmlamba3b5y.aag 5L 290.xmlamba3b5y.aag 5L 300.xmlamba3b5y.aag 6L 290.xmlamba3b5y.aag 6L 300.xmlamba3b5y.aag 7L 290.xmlamba3b5y.aag 7L 300.xmlamba3b5y.aag 8L 300.xmlamba3b5y.aag 9L 300.xmlamba4c7y.aag 10L 300.xmlamba4c7y.aag 4L 200.xmlamba4c7y.aag 4L 300.xmlamba4c7y.aag 5L 200.xmlamba4c7y.aag 5L 300.xmlamba4c7y.aag 6L 300.xmlamba4c7y.aag 7L 300.xmlamba4c7y.aag 8L 300.xmlamba4c7y.aag 9L 300.xmlbs16y.aag 4L 100.xmlbs16y.aag 4L 150.xmlbs16y.aag 4L 200.xmlcnt5y.aag 4L 200.xmlcnt5y.aag 4L 300.xmlfactory assembly 3x3 1 1errors.aag 10L 500.xmlfactory assembly 3x3 1 1errors.aag 4L 200.xmlfactory assembly 3x3 1 1errors.aag 4L 300.xmlfactory assembly 3x3 1 1errors.aag 5L 300.xmlfactory assembly 3x3 1 1errors.aag 6L 300.xmlactory assembly 3x3 1 1errors.aag 6L 400.xmlfactory assembly 3x3 1 1errors.aag 6L 500.xmlfactory assembly 3x3 1 1errors.aag 7L 500.xmlfactory assembly 3x3 1 1errors.aag 8L 500.xmlfactory assembly 3x3 1 1errors.aag 9L 500.xmlgenbuf2b3unrealy.aag 10L 400.xmlgenbuf2b3unrealy.aag 4L 300.xmlgenbuf2b3unrealy.aag 5L 250.xmlgenbuf2b3unrealy.aag 5L 300.xmlgenbuf2b3unrealy.aag 6L 300.xmlgenbuf2b3unrealy.aag 7L 300.xmlgenbuf2b3unrealy.aag 7L 400.xmlgenbuf2b3unrealy.aag 8L 400.xmlgenbuf2b3unrealy.aag 9L 400.xmlgenbuf5f5n.aag 10L 300.xmlgenbuf5f5n.aag 5L 290.xmlgenbuf5f5n.aag 5L 300.xmlgenbuf5f5n.aag 6L 290.xmlgenbuf5f5n.aag 6L 300.xmlgenbuf5f5n.aag 7L 290.xmlgenbuf5f5n.aag 7L 300.xmlgenbuf5f5n.aag 8L 300.xmlgenbuf5f5n.aag 9L 300.xmlmoving obstacle 8x8 1glitches.aag 10L 300.xmlmoving obstacle 8x8 1glitches.aag 4L 150.xmlmoving obstacle 8x8 1glitches.aag 4L 300.xmlmoving obstacle 8x8 1glitches.aag 5L 150.xmlmoving obstacle 8x8 1glitches.aag 5L 300.xmlmoving obstacle 8x8 1glitches.aag 6L 150.xmlmoving obstacle 8x8 1glitches.aag 6L 300.xmlmoving obstacle 8x8 1glitches.aag 7L 150.xmlmoving obstacle 8x8 1glitches.aag 7L 300.xmlmoving obstacle 8x8 1glitches.aag 8L 300.xmlmoving obstacle 8x8 1glitches.aag 9L 300.xml Table 1: Monoprocess benchmarksFor the multiprocess-scheduling benchmarks, we generated instances using thedata shown in Table 2. All models have three clocks, one per process. The firstthree entries show the circuits (from ) used to definehe processes that are being executed. The last number is the number of thescenario, which determines the execution times of arriving tasks according to thevalue of a selected latch: – in scenario 0, the two tuples ( C , C , D ) of execution time interval and relativedeadlines are: (500 , , , (400 , , – in scenario 1: (500 , , , (400 , , – in scenario 2: (1000 , , , (20000 , , Process1 Process2 Process3 Scenario0 amba3b5y.aag add2y.aag add2y.aag amba3b5y.aag add2y.aag add2y.aag amba3b5y.aag add2y.aag add2y.aag cnt4y.aag cnt3y.aag cnt3y.aag cnt4y.aag cnt3y.aag cnt3y.aag cnt4y.aag cnt3y.aag cnt3y.aag cnt4y.aag cnt4y.aag cnt3y.aag cnt4y.aag cnt4y.aag cnt3y.aag cnt4y.aag cnt4y.aag cnt3y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt4y.aag cnt5y.aag cnt4y.aag cnt3y.aag amba3b5y.aag cnt3y.aag cnt3y.aag cnt5y.aag cnt3y.aag cnt3y.aag cnt5y.aag cnt3y.aag cnt3y.aag cnt5y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag cnt3y.aag amba3b5y.aag add2y.aag add2y.aag amba3b5y.aag add2y.aag add2y.aag amba3b5y.aag add2y.aag cnt3y.aag amba3b5y.aag add2y.aag cnt3y.aag bs8y.aag add2y.aag add2y.aag bs8y.aag add2y.aag add2y.aag bs8y.aag add2y.aag add2y.aag bs8y.aag bs8y.aag add2y.aag bs8y.aag bs8y.aag add2y.aag bs8y.aag bs8y.aag add2y.aag bs8y.aag bs8y.aag bs8y.aag Process1 Process2 Process3 Scenario31 bs8y.aag bs8y.aag bs8y.aag bs8y.aag bs8y.aag bs8y.aag mv4y.aag mv4y.aag add2y.aag mv4y.aag mv4y.aag add2y.aag mv4y.aag mv4y.aag add2y.aag mv4y.aag mv4y.aag mv4y.aag stay2y.aag stay2y.aag mv4y.aag stay4y.aag add2y.aag add2y.aag stay4y.aag cnt4y.aag add2y.aag stay4y.aag stay2y.aag mv4y.aag stay4y.aag stay2y.aag stay2y.aag File name Number of gates Number of inputs Time bound a0 a1 a2 a3 a4 a5 16 8 50 a6 16 8 150 a7 19 14 150 a8 19 14 300 a9 20 14 300 a10 20 14 300 b0 b1 10 4 1000 b2 b3 16 8 1000 b4 40 35 1000 b5 20 14 1000 b6 20 15 1000 b7 b8 10 3 1000 b9 19 14 1000 ile name Number of gates Number of inputs Time bound b10b10