Configurable verification of timed automata with discrete variables

Tóth, Tamás; Majzik, István

doi:10.1007/s00236-020-00393-4

Configurable verification of timed automata with discrete variables

Original Article
Open access
Published: 15 December 2020

Volume 59, pages 1–35, (2022)
Cite this article

Download PDF

You have full access to this open access article

Acta Informatica Aims and scope Submit manuscript

Configurable verification of timed automata with discrete variables

Download PDF

2406 Accesses
1 Citation
Explore all metrics

Abstract

Algorithms and protocols with time dependent behavior are often specified formally using timed automata. For practical real-time systems, besides real-valued clock variables, these specifications typically contain discrete data variables with nontrivial data flow. In this paper, we propose a configurable lazy abstraction framework for the location reachability problem of timed automata that potentially contain discrete variables. Moreover, based on our previous work, we uniformly formalize in our framework several abstraction refinement strategies for both clock and discrete variables that can be freely combined, resulting in many distinct algorithm configurations. Besides the proposed refinement strategies, the configurability of the framework allows the integration of existing efficient lazy abstraction algorithms for clock variables based on ${\textit{LU}}$-bounds. We demonstrate the applicability of the framework and the proposed refinement strategies by an empirical evaluation on a wide range of timed automata models, including ones that contain discrete variables or diagonal constraints.

Lazy Reachability Checking for Timed Automata with Discrete Variables

Trace Abstraction Refinement for Timed Automata

A Unified Model for Real-Time Systems: Symbolic Techniques and Implementation

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

Timed automata [1] is a widely used formalism for the modeling and verification of algorithms and protocols with time-dependent behavior. In timed automata models, erroneous or unsafe behavior (that is to be avoided during operation) is often modeled by error locations. The location reachability problem deals with the question whether a given error location is reachable from an initial state along the transitions of the automaton, or network of automata.

As timed automata contain real-valued clock variables, to ensure better performance and termination, model checkers for timed automata apply abstraction over clock variables. The standard solution involves performing a forward exploration in the zone abstract domain [15], combined with extrapolation [4] parametrized by bounds appearing in guards in the model, extracted by static analysis [3]. Other zone-based methods propagate bounds lazily for all transitions [20] or along an infeasible path [22], and perform efficient inclusion checking with respect to a non-convex abstraction induced by the bounds [21]. Alternatively, some methods perform lazy abstraction directly over the zone abstract domain [30, 33]. However, in the context of timed automata, methods rarely address the problem of abstraction for discrete data variables that often appear in specifications for practical real-time systems, or do so by applying a fully SMT (satisfiability modulo theories) [2] based approach, relying on the efficiency of underlying decision procedures for the abstraction of both continuous and discrete variables.

In our work, we address the location reachability problem of timed automata with discrete variables. Overall, we propose a formal algorithmic framework that enables the uniform formalization of several abstract domains and refinement strategies for both clock and discrete variables. The main elements are a generic algorithm for lazy reachability checking and an abstract reachability tree as its central data structure. Second, we present the formalization and integration of several novel strategies in this framework, especially based on our work on lazy interpolation over zones [30], and on the application of interpolation to lazily control the visibility of discrete variables in timed automata models [31]. The main advantage of the framework is that, based on the notion of the direct product abstract domain, it allows the seamless combination of various lazy abstraction methods, resulting in many distinct algorithm configurations that together admit efficient verification of a wide range of timed automata models. This algorithmic framework allowed a straightforward implementation of these strategies in our open source model checking framework Theta [29], this way enabling the practical evaluation of the proposed algorithm configurations. The configurability of this framework also allowed the integration of existing efficient lazy abstraction algorithms for clock variables based on $ LU $-bounds [22], thus admitting the combination and comparison of our methods with the state-of-the-art.

We evaluated the algorithm configurations that our framework currently supports on a wide range of timed automata models, including ones that contain discrete variables or diagonal constraints. Our results show that our framework offers algorithm configurations that are competitive in terms of performance with the state-of-the-art.

1.1 Comparison to related work

Lazy abstraction [19], a form of counterexample-guided abstraction refinement [14], is an approach widely used for reachability checking, and in particular for model checking software. It consists of building an abstract reachability tree on-the fly, representing an abstraction of the system, and refining a part of the tree in case a spurious counterexample is found. For timed automata, a lazy abstraction approach based on non-convex $ LU $-abstraction [4] and on-the-fly propagation of bounds has been proposed [22]. A significant difference of this algorithm compared to usual lazy abstraction algorithms is that it builds an abstract reachability tree that preserves exact reachability information (a so-called adaptive simulation graph or ASG). As a consequence it is able to apply refinement as soon as the abstraction admits a transition that is disabled in the concrete system. Similar abstraction techniques based on building an ASG include difference bound constraint abstraction [33], the zone interpolation-based technique of [30], and the lazy abstraction method for timed automata with discrete variables proposed in [31]. In our work, we build on the same approach, but with abstracting over the specifics of any given abstract domain, thus admitting configurability of the abstraction refinement strategy.

Symbolic handling of integer variables for timed automata is often supported by unbounded fully symbolic SMT-based approaches. Symbolic backward search techniques like [12, 27] are based on the computation and satisfiability checking of pre-images. In [23], reachability checking for timed automata is addressed by solving Horn clauses. In the ic3-based [11] technique of [25], the problem of discrete variables is not addressed directly, but the possibility of generalization over discrete variables is (to some extent) inherent in the technique. In [24], also based on ic3, generalization of counterexamples to induction is addressed for both discrete and clock variables by zone-based pre-image computation. The abstraction methods proposed in our work are completely theory agnostic, and do not rely on an SMT-solver.

In [16], an abstraction refinement algorithm is proposed for timed automata that handles clock and discrete variables in a uniform way. There, given a set of visible variables, an abstracted timed automaton is derived from the original by removing all assignments to abstracted variables, and by replacing all constraints by the strongest constraint that is implied and that does not contain abstracted variables. In case the model checker finds an abstract counterexample, a linear test automaton is constructed for the path, which is then composed with the original system to check whether the counterexample is spurious. If the final location of the test automaton is unreachable, a set of relevant variables is extracted from the disabled transition that will be included in the next iteration of the abstraction refinement loop. In our work, we use a similar approach, but instead of building abstractions globally on the system level and then calling to a model checker for both model checking and counterexample analysis, we use a more integrated, lazy abstraction method, where the abstraction is built on-the-fly, and refinement is performed locally in the state space where more precision is necessary.

Interpolation for variable assignments was first described in [7]. There, the interpolant is computed for a prefix and a suffix of a constraint sequence, and an inductive sequence of interpolants is computed by propagating interpolants forward using the abstract post-image operator. In our work, we define interpolation for a variable assignment and a formula, and compute inductive sequences of interpolants by propagating interpolants both forward and backward, using post-image and weakest precondition computation, respectively. In our context, this enables us to consider a suffix of an infeasible path, instead of the whole path, for computing inductive sequences of interpolants.

Timed automata with diagonal constraints are exponentially more concise than diagonal-free timed automata [9]. In [6], a method has been proposed that eliminates diagonal constraints occurring in timed automata specifications, resulting in an (in general) exponential blowup in the size of the automaton. An extrapolation method has been proposed in [5] that handles diagonal constraints on-the-fly. A refinement-based approach has been described in [10] that does not remove all diagonal constraints systematically. Instead, it performs forward model checking using the standard extrapolation operator used for diagonal-free timed automata, which might admit false negatives. In case a counterexample is found, it is analyzed for feasibility. If the counterexample is spurious, a set of diagonal constraints is selected and eliminated from the model, resulting in a new model, which is then fed back to the model checker. An implementation of the algorithm is described in [28]. In [18], the $\textit{LU}$-abstraction based simulation relation of [4] is extended to models with diagonal constraints. The corresponding simulation test, which generalizes the inclusion test defined in [21] for the diagonal-free setting, is shown to be NP-complete, and is implemented in terms of SMT solving. In our work, we examine two methods for analyzing timed automata with diagonal constraints. The first is based on the eager elimination of diagonal constraints, however, as our algorithms support discrete variables, instead of introducing new locations, we introduce a new discrete variable per constraint. In case abstraction refinement is used for these variables [31], a method is obtained that considers constraints as needed, similarly to [10]. However, instead of building a new model and running the model checker from scratch, this method is lazy, and performs abstraction refinement locally in the state space where more precision is necessary. The second approach is based on zone interpolation, which supports diagonal constraints, as well as other extensions [30], automatically. Thus in this case, elimination of diagonal constraints is not necessary. Unfortunately, this method is not complete, as it does not guarantee termination on all models.

This paper is based on our previous work presented in [30, 31]. In addition to the results presented there, we provide an algorithmic framework in which we uniformly formalize, prove correct and evaluate our abstraction refinement strategies and their combinations. Moreover, besides the refinement strategy presented in [31] that propagates interpolants backward, we introduce a novel strategy that performs abstraction refinement by forward propagation of interpolants. Furthermore, we present an empirical evaluation of the algorithm configurations that the framework offers on a benchmark containing 51 timed automata models. In particular, we examine how the different configurations perform on models containing diagonal constraints.

1.2 Organization of the paper

The rest of the paper is organized as follows. In Sect. 2, we define the notations used throughout the paper, and present the theoretical background of our work. In Sect. 3 we propose our formal framework, a uniform lazy reachability checking algorithm that admits various abstract domains and refinement strategies. In Sect. 4, four abstraction refinement strategies are formalized in our framework, two for clock variables, and two for the efficient handling of discrete variables. Section 5 describes experiments performed on the proposed algorithm configurations. Finally, conclusions are given in Sect. 6.

2 Background and notations

In this section, we summarize the theoretical background of our work. Moreover, we define the notation used throughout the paper.

2.1 Valuations

Let $C$ be a set of clock variables over $\mathbb {R}_{\ge 0}$, and $D$ a set of data variables over $\mathbb {Z}$. Let $V= C\cup D$ denote the set of all variables.

A clock constraint is a formula $\varphi \in Constr _C$ that is a conjunction of atoms of the form $c \bowtie m$ and ${c_i - c_j \bowtie m}$ where $c, c_i, c_j \in C$ and $m \in \mathbb {Z}$ and ${\bowtie } \in \left\{ <, \le , >, \ge , \doteq \right\} $. In the latter case, if $i \ne j$, then a constraint is called a diagonal constraint. A data constraint is a well-formed formula $\varphi \in Constr _D$ built from variables in $D$ and arbitrary function and predicate symbols interpreted over $\mathbb {Z}$. Let $ Constr = Constr _C\cup Constr _D$ denote the set of all constraints.

A clock update (clock reset) is an assignment $u \in Update _C$ of the form ${c :=m}$ where $c \in C$ and $m \in \mathbb {Z}$. A data update is an assignment $u \in Update _D$ of the form ${d :=t}$ where $d \in D$ and t is a term built from variables in $D$ and function symbols interpreted over $\mathbb {Z}$. Let $ Update = Update _C\cup Update _D$ denote the set of all updates.

The set of variables appearing in a term t (resp. in a formula $\varphi $) is denoted by ${\mathsf {vars}(t)}$ (resp. by ${\mathsf {vars}(\varphi )}$). Similarly, the set of variables occurring in an update is denoted by ${\mathsf {vars}(u)}$, that is, ${\mathsf {vars}({x :=t})} = {\mathsf {vars}(t)} \cup \left\{ x \right\} $.

A valuation over a finite set of variables is a function that maps variables to their respective domains. We will denote by ${\mathcal {V}(X)}$ the set of valuations over a set of variables X. Throughout the paper we will allow partial functions as valuations. We will denote by ${\mathsf {def}(\sigma )}$ the domain of definition of a valuation $\sigma $, that is, ${\mathsf {def}(\sigma )} = \left\{ x \mid \sigma (x) \ne \bot \right\} $. We extend valuations to range over terms and formulas the usual way, with the possibility that the value of a term is undefined over a valuation.

We will denote by $\sigma \models \varphi $ iff formula $\varphi $ is satisfied under valuation $\sigma $. Let ${\llbracket \varphi \rrbracket }$ stand for the set of models of a formula $\varphi $, formally defined as ${\llbracket \varphi \rrbracket } = \left\{ \sigma \in ({\mathcal {V} \circ \mathsf {vars}})(\varphi ) \mid \sigma \models \varphi \right\} $, where $\circ $ denotes function composition as usual. Given a valuation $\sigma $, we denote by ${\mathsf {form}(\sigma )}$ the formula characterizing the valuation, that is, ${\mathsf {form}(\sigma )} = \bigwedge _{x \in {\mathsf {def}(\sigma )}} x \doteq \sigma (x)$.

Remark 1

Note that in the context of partial valuations, $\sigma \models \lnot \varphi $ is a strictly stronger statement than $\sigma \not \models \varphi $. For example, but it is not the case that .

Let $\sigma \preceq \sigma '$ iff $\sigma (x) = \sigma '(x)$ for all $x \in {\mathsf {def}(\sigma ')}$. Moreover, let $A \preceq B$ iff for all $\sigma \in A$ there exists $\sigma ' \in B$ such that $\sigma \preceq \sigma '$. Clearly, $\preceq $ is a partial order over sets of valuations. We will denote the restriction of valuation $\sigma $ to a set of variables X by ${\sigma {\restriction _{X}}}$, that is, $({\sigma {\restriction _{X}}})(x) = \sigma (x)$ if $x \in X$ and $({\sigma {\restriction _{X}}})(x) = \bot $ if $x \notin X$. We lift the notion to sets of valuations with the obvious meaning. Let moreover , also defined for sets of valuations in the obvious way.

We state the following lemmas (without proof).

Lemma 1

$\sigma \preceq \sigma ' \Rightarrow \sigma ' \models \varphi \Rightarrow \sigma \models \varphi $

Lemma 2

$\sigma \preceq \sigma ' \Leftrightarrow \sigma \models {\mathsf {form}(\sigma ')}$

Lemma 3

$A \preceq B \Rightarrow {A{\restriction _{X}}} \preceq {B{\restriction _{X}}}$

We will denote by $\otimes $ the partial function over valuations that is defined as

$$\begin{aligned}({\sigma \otimes \sigma '})(x) = {\left\{ \begin{array}{ll} \sigma (x) &{} \text{ if } x \in {\mathsf {def}(\sigma )} \\ \sigma '(x) &{} \text{ if } x \in {\mathsf {def}(\sigma ')} \\ \bot &{} \text{ otherwise } \end{array}\right. }\end{aligned}$$

if $\sigma (x) = \sigma '(x)$ for all $x \in {\mathsf {def}(\sigma )} \cap {\mathsf {def}(\sigma ')}$, and is undefined otherwise. We extend this function to sets of valuations in both parameters in the obvious way.

Finally, given a valuation $\sigma $ and an update ${x :=t}$, we denote by ${\sigma \{ {x :=t} \}}$ the valuation $\sigma '$ such that $\sigma '(x) = \sigma (t)$ and $\sigma '(x') = \sigma (x')$ for all $x' \ne x$. For a sequence of updates, let ${\sigma \{ \epsilon \}} = \sigma $ and ${\sigma \{ u \cdot \mu \}} = {{\sigma \{ u \}}\{ \mu \}}$, where u is an update and $\mu $ is a sequence of updates.

2.2 Timed automata

In the area of modeling and verifying time-dependent behavior, timed automata [1] is the most prominent formalism. To make the specification of practical systems more convenient, the traditional formalism is often extended with various syntactic and semantic constructs, in particular with the handling of discrete variables. In the following, we describe such an extension.

Definition 1

(Syntax) Syntactically, a timed automaton with discrete variables is a tuple $\mathcal {A}= {( L, C, D, T, \ell _0 )}$ where

$L$ is a finite set of locations,
$C$ is a finite set of continuous clock variables over $\mathbb {R}_{\ge 0}$,
$D$ is a finite set of discrete data variables over $\mathbb {Z}$,
$T\subseteq L\times {\mathcal {P}( Constr )} \times { Update }^{*} \times L$ is a finite set of transitions, where for a transition ${( \ell , G, \mu , \ell ' )}$, the set $G \subseteq Constr $ is a set of guards, and $\mu \in { Update }^{*}$ is a sequence of updates, and
$\ell _0 \in L$ is the initial location.

We are going to refer to a sequence of transitions $\pi \in {T}^{*}$ as a path.

Remark 2

According to the above definition, clearly $C\cap D= \emptyset $. Note that given a guard $g \in G$, either ${\mathsf {vars}(g)} \subseteq C$, or ${\mathsf {vars}(g)} \subseteq D$. Similarly, given an update u, either ${\mathsf {vars}(u)} \subseteq C$, or ${\mathsf {vars}(u)} \subseteq D$.

Definition 2

(Semantics) Let $\sigma _0$ be the unique total function $\sigma _0 : {V \rightarrow \left\{ 0 \right\} }$. The operational semantics of a timed automaton is given by a labeled transition system with initial state ${( \ell _0, \sigma _0 )}$ and two kinds of transitions:

Delay: ${( \ell , \sigma )} \xrightarrow {\delta } {( \ell ', \sigma ' )}$ for some real number $\delta \ge 0$ where $\ell ' = \ell $ and $\sigma ' = { delay _{\delta }(\sigma )}$ with
$$\begin{aligned}{ delay _{\delta }(\sigma )}(x) = {\left\{ \begin{array}{ll} \sigma (x) + \delta &{} \text{ if } x \in C\\ \sigma (x) &{} \text{ otherwise } \end{array}\right. }\end{aligned}$$
Action: ${( \ell , \sigma )} \xrightarrow {t} {( \ell ', \sigma ' )}$ for some transition $t = {( \ell , G, \mu , \ell ' )}$ where $\sigma ' = { action _{t}(\sigma )}$ with
$$\begin{aligned}{ action _{t}(\sigma )} = {\left\{ \begin{array}{ll} \bot &{} \text{ if } \sigma \models \lnot g \text{ for } \text{ some } g \in G \\ {\sigma \{ \mu \}} &{} \text{ otherwise } \end{array}\right. }\end{aligned}$$

We will use the notation $\mathcal {C}= {\mathcal {V}(V)}$, and refer to a valuation $\sigma \in \mathcal {C}$ as a concrete state. A state of a timed automaton is a state of its semantics, that is, a pair ${( \ell , \sigma )}$ where $\ell \in L$ and $\sigma \in \mathcal {C}$.

In case $D= \emptyset $, the above definition for semantics coincides with the semantics of timed automata in the usual sense. Throughout the paper, we will refer to a timed automaton with discrete variables simply as a timed automaton.

Definition 3

(Run) A run of a timed automaton is a sequence of states from the initial state ${( \ell _0, \sigma _0 )}$ along the transition relation

$$\begin{aligned} {( \ell _0, \sigma _0 )} \xrightarrow {\alpha _1} {( \ell _1, \sigma _1 )} \xrightarrow {\alpha _2} \cdots \xrightarrow {\alpha _k} {( \ell _k, \sigma _k )} \end{aligned}$$

where $\alpha _i \in T\cup \mathbb {R}_{\ge 0}$ for all $0 \le i \le k$.

Definition 4

(Reachable location) A location $\ell \in L$ is reachable iff there exists a run such that $\ell _k = \ell $.

Clearly, if a location is reachable then it is reachable along a run of the form $\cdot \xrightarrow {\delta _0} {( \ell _0, \sigma '_0 )} \xrightarrow {t_1} \cdot \xrightarrow {\delta _1} {( \ell _1, \sigma _1 )} \xrightarrow {t_2} \cdot \xrightarrow {\delta _2} \cdots \xrightarrow {t_k} \cdot \xrightarrow {\delta _k} {( \ell _k, \sigma _k )} $. This observation enables the definition of a symbolic semantics for timed automata as follows.

Definition 5

(Symbolic semantics) Let $\varSigma _0 = \left\{ { delay _{\delta }(\sigma _0)} \mid \delta \ge 0 \right\} $, that is, the set of concrete states reachable from $\sigma _0$ by a delay transition. The symbolic semantics of a timed automaton is a labeled transition system with initial state ${( \ell _0, \varSigma _0 )}$ and transitions of the form ${( \ell , \varSigma )} \xrightarrow {t} {( \ell ', \varSigma ' )}$ where $t = (\ell , \cdot , \cdot , \ell ')$ and $\varSigma ' = { post _{t}(\varSigma )}$ with the concrete post-image operator

$$\begin{aligned} { post _{t}(\sigma )} = \left\{ ({ delay _{\delta } \circ action _{t}})(\sigma ) \mid \delta \ge 0 \right\} , \end{aligned}$$

defined for paths as $ post _{\epsilon } = id $ and $ post _{t \cdot \pi } = post _{\pi } \circ post _{t}$.

We will refer to a pair ${( \ell , \varSigma )}$ with $\ell \in L$ and $\varSigma \subseteq \mathcal {C}$ as a symbolic state.

Let $ pre _{t} = post _{t}^{-1}$ and ${ post ^{X}_{t}(\varSigma )} = {{ post _{t}(\varSigma )}{\restriction _{X}}}$ for $X \in \left\{ C, D \right\} $. Let moreover $ pre ^{C}_{t} = {( post ^{C}_{t})^{-1}}$. Furthermore, let $\nu _0 = {\varSigma _0{\restriction _{D}}}$ and $Z_0 = {\varSigma _0{\restriction _{C}}}$.

Remark 3

As a consequence of Remark 2, it can be shown that in general, a symbolic state ${( \ell , \varSigma )}$ occurring in a symbolic run of timed automaton is such that $\varSigma = {\nu \otimes Z}$, where $\nu = {\varSigma {\restriction _{D}}}$ is a data valuation, and $Z = {\varSigma {\restriction _{C}}}$ is a special set of clock valuations, called a zone (see Sect. 2.3). Moreover, ${ post _{t}({\nu \otimes Z})} = {{ post ^{D}_{t}(\nu )} \otimes { post ^{C}_{t}(Z)}}$.

Definition 6

(Enabled transition) Given a set of concrete states $\varSigma $, we will say that a transition t is enabled from $\varSigma $ iff ${ post _{t}(\varSigma )} \ne \emptyset $, otherwise it is disabled.

Definition 7

(Feasible path) We will say that a path $\pi $ is feasible (resp. data-feasible) (resp. clock-feasible) iff ${ post _{\pi }(\varSigma _0)} \ne \emptyset $ (resp. ${ post ^{D}_{\pi }(\nu _0)} \ne \emptyset $) (resp. ${ post ^{C}_{\pi }(Z_0)} \ne \emptyset $), otherwise it is infeasible (resp. data-infeasible) (resp. clock-infeasible).

Remark 4

By Remark 3 and induction, a path $\pi $ is feasible iff it is data-feasible and clock-feasible.

Definition 8

(Symbolic run) A symbolic run of a timed automaton is a sequence of symbolic states from the symbolic initial state ${( \ell _0, \varSigma _0 )}$ along the transition relation ${( \ell _0, \varSigma _0 )} \xrightarrow {t_1} {( \ell _1, \varSigma _1 )} \xrightarrow {t_2} \cdots \xrightarrow {t_k} {( \ell _k, \varSigma _k )} $ where $\varSigma _k \ne \emptyset $.

Remark 5

Clearly, a timed automaton has a symbolic run $\cdot \xrightarrow {t_1} \cdot \xrightarrow {t_2} \cdots \xrightarrow {t_k} \cdot $ iff the path $t_1 t_2 \cdots t_k$ is feasible.

Proposition 1

For a timed automaton, a location $\ell \in L$ is reachable iff there exists a symbolic run with $\ell _k = \ell $ [15].

2.3 Zones and DBMs

A zone $Z \in \mathcal {Z}$ is the set of solutions of a clock constraint $\varphi \in Constr _C$, that is $Z = \left\{ \eta \in {\mathcal {V}(C)} \mid \eta \models \varphi \right\} $. If Z and $Z'$ are zones and $t \in T$, then $\emptyset $, ${\mathcal {V}(C)}$, $Z_0$, $Z \cap Z'$, ${ post ^{C}_{t}(Z)}$ and ${ pre ^{C}_{t}(Z')}$ are also zones. In the context of zones, we will denote $\emptyset $ by $\bot $ and ${\mathcal {V}(C)}$ by $\top $. Zones are not closed under complementation, but the complement of any zone is the union of finitely many zones. For a zone Z, we are going to denote a minimal set of such zones by ${\lnot Z}$.

Zones can be efficiently represented by difference bound matrices [17]. A bound is either $\infty $, or a finite bound of the form ${( m, \prec )}$ where $m \in \mathbb {Z}$ and ${\prec } \in \left\{ <, \le \right\} $. Difference bounds can be totally ordered by “strength”, that is, ${( m, \prec )} < \infty $ and ${( m_1, \prec _1 )} < {( m_2, \prec _2 )}$ iff $m_1 < m_2$ and ${( m,< )} < {( m, \le )}$. Moreover the sum of two bounds is defined as $b + \infty = \infty $ and ${( m_1, \le )} + {( m_2, \le )} = {( m_1 + m_2, \le )}$ and ${( m_1,< )} + {( m_2, \prec )} = {( m_1 + m_2, < )}$.

A difference bound matrix (DBM) over $X = \left\{ x_0, x_1, \ldots , x_n \right\} $ is a square matrix $M$ of bounds of order $n + 1$ where an element $M_{ij} = {( m, \prec )}$ represents the clock constraint $x_i - x_j \prec m$. We denote by ${\llbracket M \rrbracket }$ the zone induced by the conjunction of constraints stored in $M$. We say that $M$ is consistent iff ${\llbracket M \rrbracket } \ne \bot $. The following is a simple sufficient and necessary condition for a DBM to be inconsistent.

Proposition 2

A DBM $M$ is inconsistent iff there exists a negative cycle in $M$, that is, a set of pairs of indexes $\left\{ {( i_1, i_2 )}, \ldots , {( i_{k-1}, i_k )}, {( i_k, i_1 )} \right\} $ such that ${M_{i_1, i_2}} + \cdots + {M_{i_{k-1}, i_k}} + {M_{i_k, i_1}} < {( 0, \le )}$ [17].

For a consistent DBM $M$, we say it is canonical iff constraints in it cannot be strengthened without losing solutions, formally, iff ${M_{i, i}} = {( 0, \le )}$ for all $0 \le i \le n$ and $ {M_{i, j}} \le {M_{i, k}} + {M_{k, j}}$ for all $0 \le i, j, k \le n $. For convenience, we will also consider the inconsistent DBM $M$ with the single finite bound ${M_{0, 0}} = {( 0, < )}$ canonical. Up to the ordering of clocks, the canonical form is unique.

The zone operations described above, as well as set inclusion $\subseteq $ over zones, can be efficiently implemented in terms of canonical DBMs [5]. Therefore, we will refer to a canonical DBM $M$ (syntax) and the zone ${\llbracket M \rrbracket }$ it represents (semantics) interchangeably throughout the paper.

Moreover, for two DBMs $M_1$ and $M_2$, we will denote by ${\min (M_1, M_2)}$ the (not necessarily canonical) DBM $M$ where $M_{i,j} = \min (M_{1, ij}, M_{2, ij})$. It can be easily shown that ${\llbracket {\min (M_1, M_2)} \rrbracket } = {\llbracket M_1 \rrbracket } \cap {\llbracket M_2 \rrbracket }$.

3 Algorithm for lazy reachability checking

In this section we present our uniform approach, a lazy reachability checking algorithm that allows the combination of various abstract domains and refinement strategies. It is based on the notion of Abstract Reachability Tree, which is defined in the sequel. Then the algorithm itself is described.

3.1 Abstract reachability tree

The central data structure of the algorithm is an abstract reachability tree.

Definition 9

(Abstract domain) For our purposes, an abstract domain for a timed automaton is a tuple $\mathbb {D}= {( \mathcal {S}, \sqsubseteq , \mathsf {init}, \mathsf {post}, {\llbracket \cdot \rrbracket } )}$ such that

$\mathcal {S}$ is set of abstract states,
$\sqsubseteq {} \subseteq \mathcal {S}\times \mathcal {S}$ is a preorder,
$\mathsf {init}\in \mathcal {S}$ is the abstract initial state,
$\mathsf {post}: {T\times \mathcal {S} \rightarrow \mathcal {S}}$ is the abstract post-image operator, and
${\llbracket \cdot \rrbracket } : {\mathcal {S} \rightarrow {\mathcal {P}(\mathcal {C})}}$ is the concretization function.

For soundness, we assume the following properties to hold.

Definition 10

(Sound abstraction) An abstract domain ${( \mathcal {S}, \sqsubseteq , \mathsf {init}, \mathsf {post}, {\llbracket \cdot \rrbracket } )}$ is sound iff

${s_1 \sqsubseteq s_2} \Rightarrow {\llbracket s_1 \rrbracket } \subseteq {\llbracket s_2 \rrbracket }$,
$\varSigma _0 \subseteq {\llbracket \mathsf {init} \rrbracket }$, and
${ post _{t}{\llbracket s \rrbracket }} \subseteq {\llbracket {\mathsf {post}_{t}(s)} \rrbracket }$.

Definition 11

(Unwinding) An unwinding of a timed automaton $\mathcal {A}$ is a tuple $U= {( N, E, n_0, M_N, M_E, \triangleright )}$ where

${( N, E )}$ is a directed tree rooted at node $n_0 \in N$,
$M_N: {N \rightarrow L}$ is the node labeling,
$M_E: {E \rightarrow T}$ is the edge labeling and
$\triangleright \subseteq N\times N$ is the covering relation.

For an unwinding we require that the following properties hold:

${M_N(n_0)} = \ell _0$,
for each edge $e \in E$ with $e = {( n, n' )}$ the transition ${M_E(e)} = {( \ell , \cdot , \cdot , \ell ' )}$ is such that ${M_N(n)} = \ell $ and ${M_N(n')} = \ell '$,
for all nodes n and $n'$ such that ${n\triangleright {}n'}$ it holds that ${M_N(n)} = {M_N(n')}$.

The term ${n\triangleright {}n'}$ marks that search from node n of the unwinding is to be pruned, as another node $n'$ admits all runs that are feasible from n. We define the following shorthand notations for convenience: $\ell _{n} = {M_N(n)}$ and $t_{e} = {M_E(e)}$.

Definition 12

(Abstract reachability tree) An abstract reachability tree (ART) for a timed automaton $\mathcal {A}$ over a sound abstract domain $\mathbb {D}{}$ is a labeled unwinding, that is, a pair $\mathcal {G}= {( U, \psi )}$ where

$U$ is an unwinding of $\mathcal {A}$, and
$\psi : {N \rightarrow \mathcal {S}}$ is a labeling of nodes by abstract states.

We will use the following shorthand notation: ${s_{n}} = {\psi (n)}$.

Definition 13

(Properties of nodes) A node n is expanded iff for all transitions $t \in T$ such that $t = {( \ell , \cdot , \cdot , \cdot )}$ and $\ell _{n} = \ell $, either t is disabled from ${\llbracket {s_{n}} \rrbracket }$, or n has a successor for t. A node n is covered iff ${n\triangleright {}n'}$ for some node $n'$. It is excluded iff it is covered or it has an excluded parent. A node is complete iff it is either expanded or excluded. A node n is $\ell $-safe iff $\ell _{n} \ne \ell $.

For an ART to be useful for reachability checking, we have to ensure that the tree represents an over-approximation of the set of reachable states. Therefore we introduce restrictions on the labeling, as formalized in the next definition.

Definition 14

(Well-labeled node) A node n of an ART $\mathcal {G}$ for a timed automaton $\mathcal {A}$ is well-labeled iff the following conditions hold:

(initiation) if $n = n_0$, then $\varSigma _0 \subseteq {\llbracket {s_{n}} \rrbracket }$,
(consecution) if $n \ne n_0$, then for its parent m and the transition $t = t_{{( m, n )}}$ it holds that ${ post _{t}{\llbracket {s_{m}} \rrbracket }} \subseteq {\llbracket {s_{n}} \rrbracket }$
(coverage) if ${n\triangleright {}n'}$ for some node $n'$, then ${\llbracket {s_{n}} \rrbracket } \subseteq {\llbracket {s_{n'}} \rrbracket }$ and $n'$ is not excluded.

Besides preserving reachable states, we will also ensure that nodes represent runs of the automaton. We formalize this in the following definitions.

Definition 15

(Feasible node and transition) Let n be a node of an ART $\mathcal {G}$, and $\pi $ the path from $n_0$ to n in $\mathcal {G}$. Then n is feasible iff $\pi $ is feasible. Moreover, a transition t is feasible from n iff the path $\pi \cdot t$ is feasible.

The above definitions for nodes can be extended to trees.

Definition 16

(Properties of ARTs) An ART is complete, $\ell $-safe, well-labeled or feasible iff all its nodes are complete, $\ell $-safe, well-labeled, or feasible, respectively.

A well-labeled ART preserves reachable states, which is expressed by the following proposition.

Proposition 3

Let $\mathcal {G}$ be a complete, well-labeled ART for a timed automaton $\mathcal {A}$. If $\mathcal {A}$ has a symbolic run $ {( \ell _0, \varSigma _0 )} \xrightarrow {t_1} {( \ell _1, \varSigma _1 )} \xrightarrow {t_2} \cdots \xrightarrow {t_k} {( \ell _k, \varSigma _k )} $ then $\mathcal {G}$ has a non-excluded node n such that $\ell _k = \ell _n$ and $\varSigma _k \subseteq {\llbracket s_n \rrbracket }$.

Proof

We prove the statement by induction on the length k of the symbolic run. If $k = 0$, then $\ell _0 = \ell _{n_0}$ and $\varSigma _0 \subseteq {\llbracket {s_{n_0}} \rrbracket }$ by condition initiation, thus $n_0$ is a suitable witness. Suppose the statement holds for runs of length at most $k-1$. Hence there exists a non-excluded node m such that $\ell _{k-1} = \ell _{m}$ and $\varSigma _{k-1} \subseteq {\llbracket {s_{m}} \rrbracket }$.

Clearly transition $t_k$ is not disabled from ${\llbracket {s_{m}} \rrbracket }$, as then by the induction hypothesis it would also be disabled from $\varSigma _{k-1}$, which contradicts our assumption. As m is complete and not excluded, it is expanded, and thus has a successor n for transition $t_k$ with $\ell _n = \ell _k$. By condition consecution, we have ${ post _{t_k}{\llbracket {s_{m}} \rrbracket }} \subseteq {\llbracket {s_{n}} \rrbracket }$. As $\varSigma _{k-1} \subseteq {\llbracket {s_{m}} \rrbracket }$, by the monotonicity of images in $\subseteq $, we obtain $\varSigma _k \subseteq {\llbracket {s_{n}} \rrbracket }$.

Thus if n is not covered, then it is a suitable witness for the statement. Otherwise there exists a node $n'$ such that ${n\triangleright {}n'}$. By condition coverage, we know that ${\llbracket {s_{n}} \rrbracket } \subseteq {\llbracket {s_{n'}} \rrbracket }$ and $n'$ is not excluded, thus $n'$ is a suitable witness. $\square $

3.2 Reachability algorithm

The pseudocode of the algorithm is shown in Algorithm 1. The algorithm gets as input a timed automaton $\mathcal {A}$ and a distinguished error location $\ell _e \in L$. The goal of the algorithm is to decide whether $\ell _e$ is reachable for $\mathcal {A}$. To this end the algorithm gradually constructs an ART for $\mathcal {A}$ and continually maintains its well-labeledness and feasibility. Upon termination, it either witnesses reachability of $\ell _e$ by a feasible node n such that $\ell _{n} = \ell _e$, which by Definition 15 corresponds to a symbolic run of $\mathcal {A}$ to $\ell _e$, or produces a complete, well-labeled, $\ell _e$-safe ART that proves unreachability of $\ell _e$ by Proposition 3.

The main data structures of the algorithm are the ART $\mathcal {G}$ and sets $ passed $ and $ waiting $. Set $ passed $ is used to store nodes that are expanded, and $ waiting $ stores nodes that are incomplete. The algorithm consists of two subprocedures, close and expand. Procedure close attempts to cover a node n by some other node. It calls a procedure cover that tries to force cover the node by adjusting its label so that it is subsumed by the label of some candidate node $n'$. Procedure expand expands a node n by creating its successors. To avoid creating infeasible nodes, it calls a procedure disable that checks feasibility of a given transition t, and adjusts the labeling of n so that if t is infeasible from n, then it also becomes disabled from ${\llbracket {s_{n}} \rrbracket }$. Both close and expand potentially modify the labeling of some nodes as a side effect, but in a way that maintains well-labeledness and feasibility of the ART. Naturally, the implementation of procedures cover and disable depends on the abstract domain, and are described in Sect. 4 in detail.

The algorithm consists of a single loop in line 9 that employs the following strategy. The loop consumes nodes from $ waiting $ one by one. If $ waiting $ becomes empty, then $\mathcal {A}$ is deemed safe. Otherwise, a node n is removed from $ waiting $. If the node represents the error location, then $\mathcal {A}$ is deemed unsafe. Otherwise, in order to avoid unnecessary expansion of the node, the algorithm tries to cover it by a call to close. If there are no suitable candidates for coverage, then the algorithm establishes completeness of the node by expanding it using expand, which puts it in $ passed $, and puts all its successors in $ waiting $.

We show that explore is correct with respect to the procedure contracts listed in Algorithm 1. We focus on partial correctness, as termination depends on the particular abstract domain and refinement method used. We note that in general, termination can be easily ensured using the right extrapolation operator for clock variables [22, 30, 33].

Proposition 4

Procedure explore is partially correct: if $\textsc {explore}(\mathcal {A}, \ell _e)$ terminates, then the result is $\textsc {safe}$ iff $\ell _e$ is unreachable for $\mathcal {A}$.

Proof

(sketch) Let $ covered = \left\{ n \in N \mid n \text { is covered} \right\} $. It is easy to verify that the algorithm maintains the following invariants:

$N = passed \cup waiting \cup covered $,
$ passed $ is a set of non-excluded, expanded, $\ell _e$-safe nodes,
$ waiting $ is a set of non-excluded, non-expanded nodes,
$ covered $ is a set of covered, non-expanded, $\ell _e$-safe nodes.

It is easy to see that under the above assumptions sets $ passed $, $ waiting $ and $ covered $ form a partition of N. Assuming that $\mathcal {G}$ is well-labeled and feasible, partial correctness of the algorithm is then a direct consequence: At line 12 a node is encountered that is not $\ell _e$-safe, thus by Definition 15 there is a symbolic run of $\mathcal {A}$ to $\ell _e$; conversely, at line 17 the set $ waiting $ is empty, so $\mathcal {G}$ is complete and $\ell _e$-safe, and as a consequence of Proposition 3 the location $\ell _e$ is indeed unreachable for $\mathcal {A}$.

What remains to show is that the algorithm maintains well-labeledness and feasibility of $\mathcal {G}$. We assume that procedures cover and disable maintain well-labeledness and feasibility, which we prove to hold in Sect. 4.

Initially, node $n_0$ is well-labeled, as $\varSigma _0 \subseteq {\llbracket \mathsf {init} \rrbracket } = {\llbracket {s_{n_0}} \rrbracket }$, thus $n_0$ satisfies initiation. It also trivially satisfies feasibility, as ${ post _{\epsilon }(\varSigma _0)} = \varSigma _0 \ne \emptyset $. Procedure close trivially maintains well-labeledness and feasibility, as it just possibly adds a covering edge for two nodes such that condition coverage is not violated. In procedure expand, if ${\textsc {disable}(n, t)}$ for a transition t, then t is not feasible from n, and the labeling is adjusted so that t is disabled from ${\llbracket {s_{n}} \rrbracket }$. Otherwise, t is feasible from n, and a successor node $n'$ is created. Clearly, $n'$ is feasible as t is feasible. Moreover, ${ post _{t}{\llbracket {s_{n}} \rrbracket }} \subseteq {\llbracket {\mathsf {post}_{t}({s_{n}})} \rrbracket } = {\llbracket {s_{n'}} \rrbracket }$, thus $n'$ satisfies consecution. Thus according to the contract, n becomes expanded, and all its successors are well-labeled and feasible, so well-labeledness and feasibility of $\mathcal {G}$ is preserved. $\square $

4 Abstraction refinement

Algorithm 1 is abstracted over the particular abstract domain used to well-label the constructed ART. Moreover, it declares two procedures, cover and disable, that perform forced covering and abstraction refinement over the abstract domain, respectively. In this section, we describe several possible abstract domains, and corresponding abstraction refinement strategies, that can be used for model checking timed automata with discrete variables.

In the listings of the given refinement strategies, we are going to refer to a simple procedure update that enables safely updating the labeling for a given node in the ART.

Proposition 5

update is totally correct: If either n is the root and $\varSigma _0 \subseteq {\llbracket s \rrbracket }$, or there exists an edge $e = {( m, n )}$ with $t_{e} = t$ for some m and ${ post _{t}{\llbracket {s_{m}} \rrbracket }} \subseteq {\llbracket s \rrbracket }$, then ${\textsc {update}(n, s)}$ terminates and ensures ${s_{n}} = s$. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of $\mathcal {G}$, as it does not create new nodes. At the end of the procedure, ${s_{n}} = s$ is ensured. Clearly, n is well-labeled: initiation and consecution is ensured by contract, and coverage is ensured by the loop due to soundness of the abstract domain. $\square $

4.1 Combination of abstractions

Our approach is based on the direct product of abstract domains, as described below.

Definition 17

(Direct product domain) Let $\mathbb {D}_i = {( \mathcal {S}_i, \sqsubseteq _i, \mathsf {init}_i, \mathsf {post}^i, {\llbracket \cdot \rrbracket }_i )}$ for $i \in \left\{ 1, 2 \right\} $. Then their direct product is the abstract domain $\mathbb {D}_1 \times \mathbb {D}_2 = {( S, \sqsubseteq , \mathsf {init}, \mathsf {post}, {\llbracket \cdot \rrbracket } )} $ where

$\mathcal {S}= \mathcal {S}_1 \times \mathcal {S}_2$,
${( s_1, s_2 )} \sqsubseteq {( s'_1, s'_2 )} \text { iff } s_1 \sqsubseteq _1 s'_1 \text { and } s_2 \sqsubseteq _2 s'_2$ (thus $\sqsubseteq $ is a preorder),
$\mathsf {init}{} = {( \mathsf {init}_1, \mathsf {init}_2 )}$,
${\mathsf {post}_{t}(s_1, s_2)} = {( \mathsf {post}^1_t(s_1), \mathsf {post}^2_t(s_2) )}$, and
${\llbracket {( s_1, s_2 )} \rrbracket } = \llbracket s_1 \rrbracket _1 \cap \llbracket s_2 \rrbracket _2$.

In later descriptions, when it is clear from the context, we are going to omit indexes when referring to components of a direct product (and write e.g. ${( {\mathsf {post}_{t}(s_1)}, {\mathsf {post}_{t}(s_2)} )}$ instead of ${( \mathsf {post}^1_t(s_1), \mathsf {post}^2_t(s_2) )}$).

Proposition 6

If $\mathbb {D}_1$ and $\mathbb {D}_2$ are sound, then $\mathbb {D}_1 \times \mathbb {D}_2$ is sound.

In case of timed automata with discrete variables, as according to Definition 1, abstraction and refinement can be conveniently defined compositionally, where clock variables and discrete variables are handled by separate abstractions. Algorithm 3 describes a straightforward method for achieving this separation.

In the above description, in line 10 and line 15, we refer to the preservation of well labeledness for the two projections of the ART. This weaker assumption will simplify proofs of correctness for the component refiners. We show that this implies well-labeledness in the original sense.

Total correctness of $\textsc {cover}_{\times }$ follows from total correctness of $\textsc {cover}_D$ and $\textsc {cover}_C$. We show total correctness of $\textsc {disable}_{\times }$ as follows.

Proposition 7

$\textsc {disable}_{\times }$ is totally correct: ${\textsc {disable}_{\times }(n, t)}$ terminates and preserves well-labeledness and feasibility of $\mathcal {G}$; Moreover, it returns $\mathsf {false}$ iff t is feasible from n, and ensures that t is disabled from ${\llbracket {s_{n}} \rrbracket }$ otherwise.

Proof

Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of $\mathcal {G}$, as it does not create new nodes.

First we show that $\textsc {disable}_{\times }$ maintains well-labeledness. By contract, $\textsc {disable}_C$ and $\textsc {disable}_D$ preserve well-labeledness of $\mathcal {G}$ (in the weaker sense described above). Let ${s_{n}} = {( s_1, s_2 )}$ for root node n. As $\varSigma _0 \subseteq {\llbracket s_1 \rrbracket }$ and $\varSigma _0 \subseteq {\llbracket s_2 \rrbracket }$, clearly $ \varSigma _0 \subseteq {\llbracket s_1 \rrbracket } \cap {\llbracket s_2 \rrbracket } = {\llbracket {( s_1, s_2 )} \rrbracket } $, thus initiation is preserved. Now let ${s_{m}} = {( s_1, s_2 )}$ and ${s_{n}} = {( s'_1, s'_2 )}$ for nodes m and n such that ${( m, n )} \in E$ and $t = t_{{( m, n )}}$. As $ post _{t}$ is an image and ${ post _{t}{\llbracket s_1 \rrbracket }} \subseteq {\llbracket s'_1 \rrbracket }$ and ${ post _{t}{\llbracket s_2 \rrbracket }} \subseteq {\llbracket s'_2 \rrbracket }$, we have $ { post _{t}{\llbracket {( s_1, s_2 )} \rrbracket }} = { post _{t}({\llbracket s_1 \rrbracket } \cap {\llbracket s_2 \rrbracket })} \subseteq { post _{t}{\llbracket s_1 \rrbracket }} \cap { post _{t}{\llbracket s_2 \rrbracket }} \subseteq {\llbracket s'_1 \rrbracket } \cap {\llbracket s'_2 \rrbracket } = {\llbracket {( s'_1, s'_2 )} \rrbracket } $, thus consecution is preserved. Finally, let ${s_{m}} = {( s_1, s_2 )}$ and ${s_{n}} = {( s'_1, s'_2 )}$ for nodes m and n such that ${m\triangleright {}n}$. As ${\llbracket s_1 \rrbracket } \subseteq {\llbracket s'_1 \rrbracket }$ and ${\llbracket s_2 \rrbracket } \subseteq {\llbracket s'_2 \rrbracket }$, clearly $ {\llbracket {( s_1, s_2 )} \rrbracket } = {\llbracket s_1 \rrbracket } \cap {\llbracket s_2 \rrbracket } \subseteq {\llbracket s'_1 \rrbracket } \cap {\llbracket s'_2 \rrbracket } = {\llbracket {( s'_1, s'_2 )} \rrbracket } $, thus coverage is preserved.

Assume that t is feasible from n. Then t is both data- and clock-feasible from n by Remark 4. Thus ${\textsc {disable}_D(n, t)} = \mathsf {false}$ and ${\textsc {disable}_C(n, t)} = \mathsf {false}$ by contract, from which ${\textsc {disable}_{\times }(n, t)} = \mathsf {false}$ follows directly. Assume that t is not feasible from n. Then t is either not data- or not clock-feasible from n by Remark 4. Assume t is not data-feasible from n. Thus ${\textsc {disable}_D(n, t)} = \mathsf {true}$ and t becomes disabled from ${\llbracket s_1 \rrbracket }$ by contract. As a consequence, ${\textsc {disable}_{\times }(n, t)} = \mathsf {true}$, and t becomes disabled from ${\llbracket {s_{n}} \rrbracket } = {\llbracket {( s_1, s_2 )} \rrbracket } = {\llbracket s_1 \rrbracket } \cap {\llbracket s_2 \rrbracket }$. The other case follows symmetrically. $\square $

To simplify exposition, we are going to treat $\psi $ as a lens (in simple terms, a pair consisting of a “getter” and a “setter”) that can be used to deeply manipulate the structure of a given label. Thus later in the text, when we refer to ${s_{n}}$, we are going to mean the corresponding component of a direct product based on the context.

4.2 Abstraction for clock variables

First, we address abstraction refinement over clock variables.

4.2.1 Zone abstraction

Most model checkers for timed automata rely on zones for abstracting clock valuations. We define zone abstraction in our framework as follows.

Definition 18

(Zone abstraction) We define zone abstraction as the abstract domain .

Note that in the absence of discrete variables, Definition 18 corresponds to the usual definition of zone abstraction.

Proposition 8

$\mathbb {D}_\mathcal {Z}$ is sound.

We define $\textsc {cover}_\mathcal {Z}$ as a no-op, thus its total correctness is trivial. Moreover, we define $\textsc {disable}_\mathcal {Z}$ as ${\textsc {disable}_\mathcal {Z}(n, t)} \text { iff } {\mathsf {post}_{t}(Z)} \sqsubseteq \bot $ for $Z = {s_{n}}$.

Proposition 9

$\textsc {disable}_\mathcal {Z}$ is totally correct: ${\textsc {disable}_\mathcal {Z}(n, t)}$ terminates and preserves well-labeledness and feasibility of $\mathcal {G}$; moreover, it returns $\mathsf {false}$ iff t is clock-feasible from n, and ensures that t is disabled from ${\llbracket {s_{n}} \rrbracket }$ otherwise.

Proof

Termination of the procedure is trivial. Well-labeledness and feasibility follow from the fact that the procedure has no side effects. Let $\pi $ be the path induced by n. Notice that $Z = { post ^{C}_{\pi }(Z_0)}$. Assume ${ post ^{C}_{t}(Z)} \ne \bot $. Then by definition, t is clock-feasible from n, and the procedure returns $\mathsf {false}$. Now assume ${ post ^{C}_{t}(Z)} = \bot $. Then by definition, t is not clock-feasible from n. But t is also disabled from , and the procedure returns $\mathsf {true}$. $\square $

4.2.2 Lazy zone abstraction

To obtain a coarser abstraction, we extend zone abstraction with interpolation as follows.

Definition 19

(Lazy zone abstraction) Let $\mathbb {D}_\mathcal {ZI}= {( \mathcal {S}, \sqsubseteq , \mathsf {init}, \mathsf {post}, {\llbracket \cdot \rrbracket } )}$ be the abstract domain over $\mathbb {D}_\mathcal {Z}$ with

$\mathcal {S}= \mathcal {Z}\times \mathcal {Z}$,
${{( Z, W )} \sqsubseteq {( Z', W' )}} \text { iff } {W \sqsubseteq W'}$,
$\mathsf {init}= {( \mathsf {init}, \top )}$,
${\mathsf {post}_{t}(Z, W)} = {( {\mathsf {post}_{t}(Z)}, \top )}$, and
${\llbracket {( Z, W )} \rrbracket } = {\llbracket W \rrbracket }$.

Proposition 10

$\mathbb {D}_\mathcal {ZI}$ is sound.

Given an abstract state ${( Z, W )}$, the purpose of Z is to encode an exact set of reachable valuations, whereas the purpose of W is to represent a safe overapproximation of Z. This potentially enables better coverage between nodes, thus faster convergence, compared to the purely zone-based setting. In order to efficiently maintain this relationship however, we have to define procedure $\textsc {cover}_\mathcal {ZI}$ and $\textsc {disable}_\mathcal {ZI}$ accordingly. To maintain well-labeledness, these procedures rely on a procedure block that performs abstraction refinement by safely adjusting labels of nodes.

In $\textsc {cover}_\mathcal {ZI}$, as $Z \subseteq W'$ and $B \cap W' \subseteq \bot $, clearly $Z \cap B \subseteq \bot $, thus calling ${\textsc {block}(n, B)}$ is safe. Other than that, total correctness of $\textsc {cover}_\mathcal {ZI}$ follows trivially from total correctness of block (see later). To show the correctness of $\textsc {disable}_\mathcal {ZI}$, we state the following simple lemma that establishes a connection between $ pre ^{C}{}$ and $ post ^{C}{}$.

Lemma 4

$Z \cap { pre ^{C}_{t}(Z')} \subseteq \bot \Leftrightarrow { post ^{C}_{t}(Z)} \cap Z' \subseteq \bot $

Proposition 11

$\textsc {disable}_\mathcal {ZI}$ is totally correct: ${\textsc {disable}_\mathcal {ZI}(n, t)}$ terminates and preserves well-labeledness and feasibility of $\mathcal {G}$; moreover, it returns $\mathsf {false}$ iff t is clock-feasible from n, and ensures that t is disabled from ${\llbracket {s_{n}} \rrbracket }$ otherwise.

Proof

Termination of the procedure is trivial. Well-labeledness and feasibility follow from the total correctness of block. Let $\pi $ be the path induced by n. Notice that $Z = { post ^{C}_{\pi }(Z_0)}$. Assume ${ post ^{C}_{t}(Z)} \ne \bot $. Then by definition, t is clock-feasible from n, and the procedure returns $\mathsf {false}$. Now assume ${ post ^{C}_{t}(Z)} = \bot $. Then by definition, t is not clock-feasible from n. By Lemma 4, we get $Z \cap { pre ^{C}_{t}(\top )} \subseteq \bot $. Thus ${\textsc {block}(n, { pre ^{C}_{t}(\top )})}$ can be called, and as a result, $W \cap { pre ^{C}_{t}(\top )} \subseteq \bot $. By Lemma 4, we get ${ post ^{C}_{t}(W)} = \bot $. Thus t becomes disabled from , and the procedure returns $\mathsf {true}$. $\square $

4.2.3 Interpolation for zones

The proposed refinement strategies for zone abstraction, and in particular, the different implementations of block are based on interpolation, defined over zones expressed in terms of canonical DBMs.

Definition 20

(Zone interpolant) Given zones A and B such that $A \cap B \subseteq \bot $, a zone interpolant is a zone I such that $A \subseteq I$ and $I \cap B \subseteq \bot $ and I is defined over the clocks that appear in both A and B.

This definition of a zone interpolant is analogous to the definition of an interpolant in the usual sense [26]. As zones correspond to formulas in ${\mathcal {DL}(\mathbb {Q})}$, a theory that admits interpolation [13], an interpolant always exists for a pair of disjoint zones. Algorithm 5 is a direct adaptation of the graph-based algorithm of [13] for DBMs. For simplicity, we assume that A and B are defined over the same set of clocks with the same ordering, and are both canonical (naturally, these restrictions can be lifted).

After checking the trivial cases, the algorithm searches for a negative cycle in ${\min (A, B)}$ to witness its inconsistency. This can be done e.g. by running a variant of the Floyd-Warshall algorithm.The interpolant I is then the DBM induced by the constraints in the negative cycle that come from A. It is easy to verify that I is indeed an interpolant.

Proposition 12

Function $\textsc {interpolate}_\mathcal {Z}$ is totally correct: if $A \cap B \subseteq \bot $, then $\textsc {interpolate}_\mathcal {Z}(A, B)$ terminates and ensures $A \subseteq I$ and $I \cap B \subseteq \bot $. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Function $\textsc {interpolate}_\mathcal {Z}$ has no side effect, it thus trivially maintains feasibility and well-labeledness. In the trivial cases, I is clearly an interpolant. Assume $A \ne \bot $ and $B \ne \bot $. As $A \cap B \subseteq \bot $ by contract, there exists a negative cycle C in ${\min (A, B)}$ by Proposition 2. As A is canonical, we can assume that no two edges are subsequent in $C_A$, thus the DBM I induced by $C_A$ is clearly canonical. The properties of an interpolant directly follow from the definitions of $C_A$ and I. $\square $

4.2.4 Abstraction refinement for lazy zone abstraction

To maintain well-labeledness, procedures cover and disable rely on a procedure block that performs abstraction refinement by safely adjusting labels of nodes. Algorithm 6 describes two methods for abstraction refinement based on interpolation for zones. Both methods are based on pre- and post-image computation, and can be considered as a generalization of zone interpolation to sequences of transitions of a timed automaton. The main difference between the two strategies is that $\textsc {block}_\textsc {fw}$ (which we refer to as the “forward” zone interpolation strategy) propagates the interpolant forward using $ post ^{C}$; whereas $\textsc {block}_\textsc {bw}$ (which we refer to as the “backward” zone interpolation strategy) propagates “bad” zones, obtained as the complement of the interpolant, backward using $ pre ^{C}$.

In order to make proofs of correctness for the two refinement strategies more concise, we state the following simple lemmas.

Lemma 5

Lemma 6

Proposition 13

$\textsc {block}_\textsc {fw}$ is totally correct: if $Z \cap B \subseteq \bot $, then ${\textsc {block}_\textsc {fw}(n, B)}$ terminates and ensures $W \subseteq I$ and $I \cap B \subseteq \bot $ and $W \cap B \subseteq \bot $. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of $\mathcal {G}$, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract (Algorithm 4), $Z \cap B \subseteq \bot $ is ensured. Moreover, notice that $W \cap B \subseteq \bot $ follows from $W \subseteq I$ and $I \cap B \subseteq \bot $, thus it is sufficient to establish the latter two claims.

If $W \cap B \subseteq \bot $, then $I = W$, so $W \subseteq I$ and $I \cap B \subseteq \bot $ are trivially established. Moreover, well-labeledness is trivially maintained, as no refinement is performed.

Otherwise, if n is the root, then $A = Z$. Thus $\textsc {interpolate}_\mathcal {Z}(A, B)$ can be called, and the resulting interpolant I is such that $Z \subseteq I$ and $I \cap B \subseteq \bot $. As in this case $Z = Z_0$, clearly . Thus by initiation and Lemma 6. Therefore, ${\textsc {update}(n, {( Z, W \cap I )})}$ can be called, which establishes $W \subseteq I$, while preserving the well-labeledness of $\mathcal {G}$.

Otherwise, there exists a transition $t = t_{m, n}$ for some node m. Since $Z = { post ^{C}_{t}(Z')}$ and $B' = { pre ^{C}_{t}(B)}$, we have $Z' \cap B' \subseteq \bot $ for ${( Z', W' )} = {s_{m}}$ by Lemma 4. Thus ${\textsc {block}_\textsc {fw}(m, B')}$ can be called, and as a result, $A'$ is such that $W' \subseteq A'$ and $A' \cap B' \subseteq \bot $ by contract. As $A = { post ^{C}_{t}(A')}$, we obtain $A \cap B \subseteq \bot $ by Lemma 4. Thus $\textsc {interpolate}_\mathcal {Z}(A, B)$ can be called, and the resulting interpolant I is such that $A \subseteq I$ and $I \cap B \subseteq \bot $. By the monotonicity of images in $\subseteq $, we have ${ post ^{C}_{t}(W')} \subseteq A$. Hence ${ post ^{C}_{t}(W')} \subseteq I$, from which follows by Lemma 5. Thus by consecution and Lemma 6. Therefore, ${\textsc {update}(n, {( Z, W \cap I )})}$ can be called, which establishes $W \subseteq I$, while preserving the well-labeledness of $\mathcal {G}$. $\square $

Proposition 14

$\textsc {block}_\textsc {bw}$ is totally correct: if $Z \cap B \subseteq \bot $, then ${\textsc {block}_\textsc {bw}(n, B)}$ terminates and ensures $W \cap B \subseteq \bot $. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of $\mathcal {G}$, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract, $Z \cap B \subseteq \bot $ is ensured.

If $W \cap B \subseteq \bot $, then the contract is trivially satisfied. Moreover, well-labeledness is trivially maintained, as no refinement is performed.

Otherwise, $\textsc {interpolate}_\mathcal {Z}(Z, B)$ can be called, and the resulting interpolant I is such that $Z \subseteq I$ and $I \cap B \subseteq \bot $. We show that at the end of the procedure, the claim $W \subseteq I$, and thus $W \cap B \subseteq \bot $ holds.

Assume n is the root node. In this case $Z = Z_0$, thus clearly . Thus by initiation and Lemma 6. Therefore, ${\textsc {update}(n, {( Z, W \cap I )})}$ can be called, which establishes $W \subseteq I$, while preserving the well-labeledness of $\mathcal {G}$.

Now assume there exists a transition $t = t_{m, n}$ for some node m with ${( Z', W' )} = {s_{m}}$. Let $B' \in {\lnot I}$, and $B'' = { pre ^{C}_{t}(B')}$. Clearly, $Z \cap B' \subseteq \bot $. As $Z = { post ^{C}_{t}(Z')}$, we obtain $Z' \cap B'' \subseteq \bot $ by Lemma 4. Thus ${\textsc {block}_\textsc {bw}(m, B'')}$ can be called, which ensures $W' \cap B'' \subseteq \bot $ by contract. Thus ${ post ^{C}_{t}(W')} \cap B' \subseteq \bot $ by Lemma 4. Hence ${ post ^{C}_{t}(W')} \subseteq I$, from which follows by Lemma 5. Thus by consecution and Lemma 6. Therefore, can be called, which establishes $W \subseteq I$, while preserving the well-labeledness of $\mathcal {G}$. $\square $

We would like to point out that for refinement with $\textsc {block}_\textsc {fw}$, syntactically, it is sufficient to store a single zone at each node, thus obtaining a major optimization in memory consumption. In particular, it is sufficient to store Z at leaves, and store W at non-leaf nodes. This is due to the fact that while running the algorithm, Z is only necessary when expand is called, and when the interpolant is computed for the initial node, in this later situation Z being obvious. On the other hand, W is only necessary when calling cover, where coverer nodes are always non-leaf. Moreover, it is always safe to treat W as $\bot $ for leafs.

4.3 Abstraction and refinement for discrete variables

In the following, we describe strategies for the handling of discrete variables that appear in timed automata specifications.

4.3.1 Explicit tracking of variables

The most straightforward way for the handling discrete variables is to explicitly track their value.

Definition 21

(Explicit domain) Let $\mathcal {E}= {\mathcal {V}(D)}$. We define the abstraction that tracks discrete variables explicitly as the abstract domain .

Proposition 15

$\mathbb {D}_\mathcal {E}$ is sound.

Similarly to zone abstraction, we define $\textsc {cover}_\mathcal {E}$ to be a no-op, thus its total correctness is trivial. Moreover, let ${\textsc {disable}_\mathcal {E}(n, t)} \circeq ({\mathsf {post}_{t}(\nu )} \sqsubseteq \bot )$ where $\nu = {s_{n}}$.

Proposition 16

$\textsc {disable}_\mathcal {E}$ is totally correct: ${\textsc {disable}_\mathcal {E}(n, t)}$ terminates and preserves well-labeledness and feasibility of $\mathcal {G}$; moreover, it returns $\mathsf {false}$ iff t is data-feasible from n, and ensures that t is disabled from ${\llbracket {s_{n}} \rrbracket }$ otherwise.

Proof

Termination of the procedure is trivial. Well-labeledness and feasibility follow from the fact that the procedure has no side effects. Let $\pi $ be the path induced by n. Notice that $\nu = { post ^{D}_{\pi }(\nu _0)}$. Assume ${ post ^{D}_{t}(\nu )} \ne \bot $. Then by definition, t is data-feasible from n, and the procedure returns $\mathsf {false}$. Now assume ${ post ^{D}_{t}(\nu )} = \bot $. Then by definition, t is not data-feasible from n. But t is also disabled from , and the procedure returns $\mathsf {true}$. $\square $

4.3.2 Visible variables abstraction

Instead of explicitly tracking in all states the values for all variables, by tracking in each state only those that play a role in unreachability of a given location along a path through the state, and “hiding” all the others, the size of the explored state space can be significantly reduced. In the following, we describe such an abstract domain, together with the corresponding refinement strategies.

Definition 22

(Visible variables domain) Let $\mathbb {D}_\mathcal {EI}= {( \mathcal {S}, \sqsubseteq , \mathsf {init}, \mathsf {post}, {\llbracket \cdot \rrbracket } )}$ be the abstract domain over $\mathbb {D}_\mathcal {E}$ with

$\mathcal {S}= {\mathcal {V}(D)} \times {\mathcal {P}(D)}$,
${{( \nu , Q )} \sqsubseteq {( \nu ', Q' )}} \text { iff } \nu \preceq {\nu '{\restriction _{Q'}}} \text { and } Q' \subseteq Q$ (thus $\sqsubseteq $ is a preorder),
$\mathsf {init}= {( \mathsf {init}, \emptyset )}$,
${\mathsf {post}_{t}(\nu , Q)} = {( {\mathsf {post}_{t}(\nu )}, \emptyset )}$, and
.

Proposition 17

$\mathbb {D}_\mathcal {EI}$ is sound.

Algorithm 7 describes the corresponding refinement methods. Both $\textsc {cover}_\mathcal {EI}$ and $\textsc {disable}_\mathcal {EI}$ rely on a procedure refine for abstraction refinement. Moreover, $\textsc {disable}_\mathcal {EI}$ depends on a weakest precondition operator, defined by the following property.

Definition 23

(Weakest discrete precondition) Let ${ wp ^D_{t}(\varphi )}$ be the formula such that $\nu \models { wp ^D_{t}(\varphi )}$ iff ${ post ^{D}_{t}(\nu )} \models \varphi $ for all $\nu $ and $\varphi $, with respect to t.

In $\textsc {cover}_\mathcal {EI}$, as $\nu \preceq {\nu '{\restriction _{Q'}}}$, we have $\nu \models {\mathsf {form}({\nu '{\restriction _{Q'}}})}$ by Lemma 2, thus calling $\textsc {refine}(n, {\mathsf {form}({\nu '{\restriction _{Q'}}})})$ is safe. Other than that, total correctness of $\textsc {cover}_\mathcal {EI}$ follows trivially from total correctness of refine (see later).

Proposition 18

$\textsc {disable}_\mathcal {EI}$ is totally correct: ${\textsc {disable}_\mathcal {EI}(n, t)}$ terminates and preserves well-labeledness and feasibility of $\mathcal {G}$; moreover, it returns $\mathsf {false}$ iff t is data-feasible from n, and ensures that t is disabled from ${\llbracket {s_{n}} \rrbracket }$ otherwise.

Proof

Termination of the procedure is trivial. Well-labeledness and feasibility follow from the total correctness of refine. Let $\pi $ be the path induced by n. Notice that $\nu = { post ^{D}_{\pi }(\nu _0)}$. Assume ${ post ^{D}_{t}(\nu )} \ne \bot $. Then by definition, t is data-feasible from n, and the procedure returns $\mathsf {false}$. Now assume ${ post ^{D}_{t}(\nu )} = \bot $. Then by definition, t is not data-feasible from n. As ${ post ^{D}_{t}(\nu )} \models \bot $, by Definition 23, we get $\nu \models { wp ^D_{t}(\bot )}$. Thus $\textsc {refine}(n, { wp ^D_{t}(\bot )})$ can be called, and as a result, ${\nu {\restriction _{Q}}} \models { wp ^D_{t}(\bot )}$. By Definition 23, we get ${ post ^{D}_{t}({\nu {\restriction _{Q}}})} \models \bot $, thus clearly ${ post ^{D}_{t}({\nu {\restriction _{Q}}})} = \bot $. Thus t becomes disabled from , and the procedure returns $\mathsf {true}$. $\square $

4.3.3 Interpolation for valuations

The proposed refinement strategies for discrete variables, and in particular, different implementations of refine are based on the notion of a valuation interpolant, defined over a valuation and a formula.

Definition 24

(Valuation interpolant) Given a valuation $\sigma $ and a formula $\varphi $ such that $\sigma \models \varphi $, a valuation interpolant is a valuation $\sigma '$ such that $\sigma \preceq \sigma '$ and $\sigma ' \models \varphi $ and ${\mathsf {def}(\sigma ')} \subseteq {\mathsf {def}(\sigma )} \cap {\mathsf {vars}(\varphi )}$.

Proposition 19

Function $\textsc {interpolate}_\mathcal {E}$ is totally correct: if $\sigma \models \varphi $, then $\textsc {interpolate}_\mathcal {E}(\sigma , \varphi )$ terminates and ensures ${\sigma {\restriction _{I}}} \models \varphi $. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Function $\textsc {interpolate}_\mathcal {E}$ has no side effect, it thus trivially maintains feasibility and well-labeledness. Moreover, it is easy to see that it satisfies its contract, as the postcondition is an invariant for the loop. $\square $

Next, we show how valuation interpolants can be used for hiding variables that are irrelevant with respect to the reachability of a given location along a path.

4.3.4 Abstraction refinement for visible variables abstraction

Algorithm 9 outlines two strategies for abstraction refinement over the visible variables abstract domain. Symmetrically to the variants of block, procedure $\textsc {refine}_\textsc {fw}$ (which we refer to as the “forward” valuation interpolation strategy) propagates interpolants forward using $ post ^{D}$; whereas procedure $\textsc {refine}_\textsc {bw}$ (which we refer to as the “backward” valuation interpolation strategy) propagates interpolants backward using $ wp ^D$ along the path to be refined.

To make our formal description more concise, we state the following simple lemmas.

Lemma 7

$\alpha \preceq \beta \Rightarrow { post ^{D}_{t}(\alpha )} \preceq { post ^{D}_{t}(\beta )}$

Lemma 8

Lemma 9

Proposition 20

$\textsc {refine}_\textsc {fw}$ is totally correct: if $\nu \models \varphi $, then ${\textsc {refine}_\textsc {fw}(n, \varphi )}$ terminates and ensures $I \subseteq Q$ and ${\nu {\restriction _{I}}} \models \varphi $ and ${\nu {\restriction _{Q}}} \models \varphi $. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of $\mathcal {G}$, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract, $\nu \models \varphi $ is ensured. Moreover, notice that ${\nu {\restriction _{Q}}} \models \varphi $ follows from $I \subseteq Q$ and ${\nu {\restriction _{I}}} \models \varphi $ by Lemma 1, thus it is sufficient to establish the latter two claims.

If ${\nu {\restriction _{Q}}} \models \varphi $, then $I = Q$, so $I \subseteq Q$ and ${\nu {\restriction _{I}}} \models \varphi $ are trivially established. Moreover, well-labeledness is trivially maintained, as no refinement is performed.

Otherwise, if n is the root, then $\alpha = \nu $. Thus $\textsc {interpolate}_\mathcal {E}(\alpha , \varphi )$ can be called, and the resulting interpolant I is such that ${\nu {\restriction _{I}}} \models \varphi $. As in this case $\nu = \nu _0$, clearly . Thus by initiation and Lemma 9. Therefore, ${\textsc {update}(n, {( \nu , Q \cup I )})}$ can be called, which establishes $I \subseteq Q$, while preserving the well-labeledness of $\mathcal {G}$.

Otherwise, there exists a transition $t = t_{m, n}$ for some node m. Since $\nu = { post ^{D}_{t}(\nu ')}$ and $\varphi ' = { wp ^D_{t}(\varphi )}$, we have $\nu ' \models \varphi '$ for ${( \nu ', Q' )} = {s_{m}}$ by Definition 23. Thus ${\textsc {refine}_\textsc {fw}(m, \varphi ')}$ can be called, and as a result, $\alpha '$ is such that $\alpha ' = {\nu '{\restriction _{I'}}}$ and $I' \subseteq Q'$ and $\alpha ' \models \varphi '$ by contract for some $I'$. As $\alpha = { post ^{D}_{t}(\alpha ')}$, we obtain $\alpha \models \varphi $ by Definition 23. Thus $\textsc {interpolate}_\mathcal {E}(\alpha , \varphi )$ can be called, and the resulting interpolant I is such that ${\alpha {\restriction _{I}}} \models \varphi $. Clearly $\nu ' \preceq \alpha '$, thus $\nu \preceq \alpha $ by Lemma 7. Therefore, ${\nu {\restriction _{I}}} = {\alpha {\restriction _{I}}}$, as $I \subseteq {\mathsf {def}(\alpha )}$. From this, ${\nu {\restriction _{I}}} \models \varphi $ follows directly. Moreover, as ${\nu '{\restriction _{Q'}}} \preceq {\nu '{\restriction _{I'}}}'$, by Lemma 7, we have ${ post ^{D}_{t}({\nu '{\restriction _{Q'}}})} \preceq \alpha $. Hence ${ post ^{D}_{t}({\nu '{\restriction _{Q'}}})} \preceq {\nu {\restriction _{I}}}$, from which follows by Lemma 8. Thus by consecution and Lemma 9. Therefore, ${\textsc {update}(n, {( \nu , Q \cup I )})}$ can be called, which establishes $I \subseteq Q$, while preserving the well-labeledness of $\mathcal {G}$. $\square $

Proposition 21

$\textsc {refine}_\textsc {bw}$ is totally correct: if $\nu \models \varphi $, then ${\textsc {refine}_\textsc {bw}(n, \varphi )}$ terminates and ensures ${\nu {\restriction _{Q}}} \models \varphi $. Moreover, it preserves well-labeledness and feasibility of $\mathcal {G}$.

Proof

Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of $\mathcal {G}$, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract, $\nu \models \varphi $ is ensured.

If ${\nu {\restriction _{Q}}} \models \varphi $, then the contract is trivially satisfied. Moreover, well-labeledness is trivially maintained, as no refinement is performed.

Otherwise $\textsc {interpolate}_\mathcal {E}(\nu , \varphi )$ can be called, and the resulting interpolant I is such that ${\nu {\restriction _{I}}} \models \varphi $. We show that at the end of the procedure, the claim $I \subseteq Q$, and thus by Lemma 1 also ${\nu {\restriction _{Q}}} \models \varphi $ holds.

Assume n is the root node. In this case $\nu = \nu _0$, thus clearly . Thus follows by initiation and Lemma 9. As a consequence, ${\textsc {update}(n, {( \nu , Q \cup I )})}$ can be called, which establishes $I \subseteq Q$, while preserving the well-labeledness of $\mathcal {G}$.

Now assume there exists a transition $t = t_{m, n}$ for some node m with ${( \nu ', Q' )} = {s_{m}}$. Clearly, $\nu \preceq {\nu {\restriction _{I}}}$, thus $\nu \models {\mathsf {form}({\nu {\restriction _{I}}})}$ by Lemma 2. As $\nu = { post ^{D}_{t}(\nu ')}$ and $\varphi ' = { wp ^D_{t}({\mathsf {form}({\nu {\restriction _{I}}})})}$ we obtain $\nu ' \models \varphi '$ by Definition 23. Thus ${\textsc {refine}_\textsc {bw}(m, \varphi ')}$ can be called, which ensures ${\nu '{\restriction _{Q'}}} \models \varphi '$ by contract. Thus ${ post ^{D}_{t}({\nu '{\restriction _{Q'}}})} \models {\mathsf {form}({\nu {\restriction _{I}}})}$ by Definition 23. Hence ${ post ^{D}_{t}({\nu '{\restriction _{Q'}}})} \preceq {\nu {\restriction _{I}}}$ by Lemma 2, from which follows by Lemma 8. Thus by consecution and Lemma 9. As a consequence, ${\textsc {update}(n, {( \nu , Q \cup I )})}$ can be called, which establishes $I \subseteq Q$, while preserving the well-labeledness of $\mathcal {G}$. $\square $

Finally, to conclude this section, Table 1 summarizes the different abstraction refinement strategies discussed.

Table 1 Summary of refinement strategies

Full size table

5 Evaluation

In this section, we investigate how each algorithm configuration that our framework supports behaves on a wide range of timed automata models in terms of performance (execution time) and size of the state space (number of nodes in the generated ART). The input models, raw measurement data, and instructions to reproduce our experiments are available in a supplementary material [32].

We implemented a prototype version of our algorithm and refinement strategies in the open source model checking framework Theta [29]. Our tool performs location reachability checking on models given in a reasonable language subset^{Footnote 1} of the Uppaal 4.0 XTA format.

To enable comparison to the state-of-the-art, we implemented in our framework a variant of the lazy abstraction method of [22] based on $ LU $-bounds as an alternative refinement strategy for clock variables (by defining the domain, cover and disable accordingly). The main difference in our implementation compared to [22] is that when performing abstraction refinement, bounds are propagated from all guards on an infeasible path, and not just from ones that contribute to the infeasibility. Because of this, refinement in the resulting algorithm is extremely cheap, but as the comparison of our data with that of [22] suggests, for the models examined in both papers, the algorithm is similarly as space- and time-efficient as the original one.

The algorithms are evaluated for both breadth-first and depth-first search orders of ART expansion. By combining all the possible alternatives, this results in 16 distinct algorithm configurations:

as search order, breadth-first (BFS) or depth-first (DFS) search,
for clock variables, forward (FWITP) or backward (BWITP) zone interpolation, or lazy $\mathfrak {a}_{\preceq _{LU}}$ abstraction (LU),
for discrete variables, forward (FWITP) or backward (BWITP) valuation interpolation, or no refinement (NONE).

Each algorithm configuration is encoded as a string containing three characters, specifically the first character of the name of each selected parameter. So for example, the configuration with BFS as search order, LU as refinement strategy for clock variables, and NONE as refinement strategy for discrete variables, is going to be encoded as BLN.

For the configurations that handle discrete variables explicitly ($\cdot \textsf {N}\cdot $), we partitioned the set of nodes of the ART based on the value of the data valuation, this way saving the $\mathcal {O}(n)$ cost of checking inclusion for valuations. This optimization also significantly reduces the number of nodes for which coverage is checked and attempted during close. Apart from this and the difference in refinement strategies, the implementation of the configurations is shared.

As inputs we considered 51 timed automata models in total, which we divided to three distinct categories. For each model, the number of clock variables/number of discrete variables is given in parentheses.

Category PAT: classic timed automata models from the Pat benchmark set.^{Footnote 2} These models contain only a few discrete variables.
- critical n with $n \in \left\{ \textsf {3}, \textsf {4} \right\} $ (n/1): Critical Region with n processes.
- csma n with $n \in \left\{ \textsf {9}, \textsf {10}, \textsf {11}, \textsf {12} \right\} $ (n/1): CSMA/CD protocol with n processes.
- fddi n with $n \in \left\{ \textsf {50}, \textsf {70}, \textsf {90}, \textsf {110} \right\} $ ($3n + 1$/1): FDDI token ring with n processes.
- fischer n with $n \in \left\{ \textsf {7}, \textsf {8}, \textsf {9}, \textsf {10} \right\} $ (n/1): Fischer’s mutual exclusion protocol with n processes.
- lynch n with $n \in \left\{ \textsf {7}, \textsf {8}, \textsf {9} \right\} $ (n/2): Lynch-Shavit protocol with n processes.
Category MCTA: model containing a significant number of discrete variables (relative to the number of clock variables). Most of the models come from the Mcta benchmark set,^{Footnote 3} while some of them come from the Uppaal benchmark set.^{Footnote 4}
- bocdp (3/26), bocdpf (3/26): models of the Bang & Olufsen Collision Detection Protocol obtained from the Uppaal benchmark set.
- brp (7/7): a model of the Bounded Retransmission Protocol.
- c1 (3/12), c2 (3/14), c3 (3/15), c4 (3/17): models of a real-time mutual exclusion protocol obtained from the Mcta benchmark set.
- m1 (4/11), m2 (4/13), m3 (4/13), m4 (4/15), n1 (7/11), n2 (7/13), n3 (7/13), n4 (7/15), e1 (3/41): industrial cases studies obtained from the Mcta benchmark set.
Fischer’s protocol with diagonal constraints, based on [28]
- diag n with $n \in \left\{ \textsf {3}, \textsf {4}, \textsf {5}, \textsf {6}, \textsf {7}, \textsf {8} \right\} $ (2n/1): the original model, containing diagonal constraints.
- split n with $n \in \left\{ \textsf {3}, \textsf {4}, \textsf {5}, \textsf {6}, \textsf {7}, \textsf {8} \right\} $ (2n/$n+1$): diagonal-free model obtained from diag n by eliminating diagonal constraints by introducing additional discrete variables and transitions, following the idea described in [6].
- opt n with $n \in \left\{ \textsf {3}, \textsf {4}, \textsf {5}, \textsf {6}, \textsf {7}, \textsf {8} \right\} $ (2n/$n+1$): diagonal-free model obtained from split n by (manually) removing some guards, updates and transitions about which it can statically be established that they do not influence the set of reachable locations.

We performed our measurements on a machine running Windows 10 with a 2.6 GHz dual core CPU and 8GB of RAM. We evaluated the algorithm configurations for both execution time and the number of nodes in the resulting ART. The timeout (denoted by “–” in the tables) was set to 300 s. The execution time shown in the following tables is the average of 10 runs, obtained from 12 deterministic runs by removing the slowest and the fastest one. For each model, the value belonging to the best configuration is typeset in bold.

5.1 Diagonal-free models

Performing location reachability checking on the models, Figure 1a shows the frequency with which different relative standard deviation (RSD) values of execution time occur. It can be seen from the plot that higher RSD values ($>5\%$) are relatively rare among the measurements. Moreover, Figure 1b shows how the RSD of execution time relates to the average execution time for each model and configuration (in this type of figures, each point represents the average result for a given model and configuration). Aside from a few outliers among the PAT models, it can be stated that higher RSD values belong to small average execution times, as expected. Thus it is justifiable to base the comparison of configurations on the average value.

As can be seen on Figure 2, on the selected benchmark set, having all other configuration parameters fixed, clock refinement strategies FWITP and BWITP do not significantly differ in performance. On both benchmarks, FWITP slightly outperforms BWITP in the size of the generated state space. Moreover, for the MCTA models, FWITP, while for the PAT models, BWITP performs slightly better in terms of execution time (note the logarithmic scale on the axes). An explanation for this is that in general, FWITP tends to perform less refinement steps (as refinement is performed in a single iteration), whereas BWITP performs refinement steps more cheaply (as no post-image computation is involved). In our experiments, the two algorithms performed roughly the same number of refinement steps for the PAT models (probably due to discovering the same or similar simple invariants), in which case BWITP has an advantage. In the case of MCTA models however, in general, the number of refinement steps performed was in favor of FWITP.

Figure 3 shows similar results for comparing the two interpolation-based strategies for discrete refinement. Here, BWITP tends to perform better in terms of execution time. Therefore, we are going to omit detailed results for clock refinement BWITP and discrete refinement FWITP for the rest of the section.

Figure 4 compares the impact of the two search orders on performance. With respect to execution time, DFS generally outperforms BFS on the MCTA models, whereas on the PAT models, the performance of the two search orders is balanced. When considering the size of the state space, the tendency is similar.

Clock refinements LU and FWITP are compared on Figure 5. With respect to execution time, LU performs better in category PAT, whereas FWITP performs better in category MCTA. However, with respect to the size of the state space, FWITP outperforms LU.

Figure 6 shows the pairwise comparison of interpolation-based and explicit handling of discrete variables. On the MCTA models, BWITP is always able to generate an—in some cases, significantly—smaller state space. Unsurprisingly, the same reduction effect is not present on PAT models, where there are only one or two discrete variables. Despite the significant reduction in state space, on the models considered, aside from a couple of cases, BWITP is somewhat slower. Beside the obvious overhead of running abstraction refinement, this can be explained with the optimization of coverage checking applied in the explicit case, as described above.

The detailed results for the PAT models are shown in Table 2. On these models, configurations BLN and DLN usually perform best in terms of execution time. When considering the size of the state space however, there is a small variability between configurations. Moreover, we point our that our results for configurations BLN and DLN are consistent with the results presented in [22].

Table 2 Detailed results for PAT models

Full size table

Detailed results for the MCTA models are shown in Table 3. Here, configurations DFN or DFB give the fastest execution on most models. Moreover, configuration DFB generates the least number of nodes in almost all cases, which highlights the advantages of our new interpolation based algorithm presented first in [31].

Table 3 Detailed results for MCTA models

Full size table

5.2 Models containing diagonal constraints

We also evaluated how the different configurations are able to handle models with diagonal constraints. As our benchmark, we used the diagonal version of Fischer’s mutual exclusion algorithm, as presented in [28]. We considered two approaches:

1.
Eager elimination of difference constraints by introducing new discrete variables (models split n and manually optimized versions opt n).
2.
Applying abstraction refinement to the model with diagonal constraints directly (models diag n).

Table 4 Detailed results for the diagonal version of Fischer’s protocol

Full size table

Table 4 shows our detailed measurement data for all three types of models. Models split n, where diagonal constraints are eliminated, enable the comparison of our approach with state-of-the-art approaches presented in [18, 28]. We point out that our results for configuration BLN are consistent with the results presented in [18]. In these models, by using valuation interpolation, both execution times and the size of the state space can be significantly reduced. In particular, configuration BFB significantly outperforms all the other configurations.

In general, all configurations benefited greatly from the manual optimization that we applied for models opt n. However, using valuation interpolation still significantly improves performance for all configurations. Moreover, configuration BFB is still by far the most successful configuration. This also highlights the beneficial effects of combining abstraction refinement strategies for clock and discrete variables, in line with our results in [31].

In case of models diag n, clock refinement strategy LU is not applicable. The other four configurations, using FWITP for the handling of clocks, perform well regardless of search strategy, with BFN being the fastest. In fact, in case of this particular model, not eliminating diagonal constraints, and using zone interpolation seems to be the best of the examined approaches. Moreover, as Figure 7, shows, there is a significant difference in the performance of the two interpolation strategies, with FWITP having the better performance.

Finally, we point out that in case a model with diagonal constraints is analyzed by applying zone interpolation on its own (e.g. without zone splitting [5]), then termination is not guaranteed. In particular, during our experiments, we found that the algorithm diverges on the well-known example presented in [8].

6 Conclusions

In this paper, we presented an algorithmic framework for the lazy abstraction based location reachability checking of timed automata with discrete variables. We formalized in our framework several abstract domains and refinement strategies, both for clock and discrete variables, including a novel strategy that propagates valuation interpolants forward (called forward valuation interpolation). We also formalized the combination of abstractions and proved their properties. This framework allowed the straightforward implementation of efficient model checkers using configurable combined strategies.

We performed empirical evaluation on 16 configurations that our tool currently supports for 51 timed automata models, including ones that contain many discrete variables or diagonal constraints. Our results show that our framework offers configurations that are competitive in terms of performance with the state-of-the-art. It turned out that for models with a significant number of discrete variables (category MCTA) it is worth using forward zone interpolation, combined with backward valuation interpolation. For the examined models with diagonal constraints, using forward interpolation for the handling of clocks performs well. In case of eager elimination of diagonal constraints by introducing new discrete variables, again a combination of strategies (breadth-first search with forward zone interpolation and backward valuation interpolation) is the most successful strategy. In general, using valuation interpolation in this model category, both execution times and the size of the state space can be significantly reduced.

According to the method described in this paper, refinement is triggered upon encountering a disabled transition. In the future, we intend to experiment with counterexample-guided refinement for both the abstraction of discrete and continuous variables. In addition, we plan to experiment with different abstract domains (e.g. intervals, octahedra, or polyhedra), and investigate alternative refinement strategies. Moreover, we plan to explore more sophisticated strategies for finding covering states, as this can potentially yield considerable speedups for our method.

Notes

Not supporting procedures and composite types other than arrays of synchronization channels.
https://www.comp.nus.edu.sg/~pat/bddlib/timedexp.html.
http://gki.informatik.uni-freiburg.de/tools/mcta/benchmarks.html.
https://www.it.uu.se/research/group/darts/uppaal/benchmarks.

References

Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126(2), 183–235 (1994). https://doi.org/10.1016/0304-3975(94)90010-8
Article MathSciNet MATH Google Scholar
Barrett, C., Sebastiani, R., Seshia, S.A., Tinelli, C.: Satisfiability modulo theories. In: Handbook of Satisfiability, chap. 26, pp. 825–885. IOS Press (2009). https://doi.org/10.3233/978-1-58603-929-5-825
Behrmann, G., Bouyer, P., Fleury, E., Larsen, K.G.: Static guard analysis in timed automata verification. In: TACAS 2003, LNCS, vol. 2619, pp. 254–270. Springer (2003). https://doi.org/10.1007/3-540-36577-X_18
Behrmann, G., Bouyer, P., Larsen, K.G., Pelánek, R.: Lower and upper bounds in zone based abstractions of timed automata. In: TACAS 2004, LNCS, vol. 2988, pp. 312–326. Springer (2004). https://doi.org/10.1007/978-3-540-24730-2_25
Bengtsson, J., Yi, W.: Timed automata: semantics, algorithms and tools. In: ACPN 2003, LNCS, vol. 3098, pp. 87–124. Springer (2004). https://doi.org/10.1007/978-3-540-27755-2_3
Bérard, B., Petit, A., Diekert, V., Gastin, P.: Characterization of the expressive power of silent transitions in timed automata. Fundamenta Informaticae 36(2,3), 145–182 (1998). https://doi.org/10.3233/FI-1998-36233
Article MathSciNet MATH Google Scholar
Beyer, D., Löwe, S.: Explicit-state software model checking based on CEGAR and interpolation. In: FASE 2013, LNCS, vol. 7793, pp. 146–162. Springer (2013). https://doi.org/10.1007/978-3-642-37057-1_11
Bouyer, P.: Untameable timed automata! In: STACS 2003, LNCS, vol. 2607, pp. 620–631. Springer (2003). https://doi.org/10.1007/3-540-36494-3_54
Bouyer, P., Chevalier, F.: On conciseness of extensions of timed automata. J. Autom. Lang. Combin. 10(4), 393–405 (2005). https://doi.org/10.25596/jalc-2005-393
Article MathSciNet MATH Google Scholar
Bouyer, P., Laroussinie, F., Reynier, P.A.: Diagonal constraints in timed automata: forward analysis of timed systems. In: FORMATS 2005, LNCS, vol. 3829, pp. 112–126. Springer (2005). https://doi.org/10.1007/11603009_10
Bradley, A.R.: SAT-based model checking without unrolling. In: VMCAI 2011, LNCS, vol. 6538, pp. 70–87. Springer (2011). https://doi.org/10.1007/978-3-642-18275-4_7
Carioni, A., Ghilardi, S., Ranise, S.: Mcmt in the land of parametrized timed automata. In: International Verification Workshop (VERIFY-2010), pp. 47–64 (2010)
Cimatti, A., Griggio, A., Sebastiani, R.: Efficient interpolant generation in satisfiability modulo theories. In: TACAS 2008, LNCS, vol. 4963, pp. 397–412. Springer (2008). https://doi.org/10.1007/978-3-540-78800-3_30
Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50(5), 752–794 (2003). https://doi.org/10.1145/876638.876643
Article MathSciNet MATH Google Scholar
Daws, C., Tripakis, S.: Model checking of real-time reachability properties using abstractions. In: TACAS 1998, LNCS, vol. 1384, pp. 313–329. Springer (1998). https://doi.org/10.1007/BFb0054180
Dierks, H., Kupferschmid, S., Larsen, K.G.: Automatic abstraction refinement for timed automata. In: FORMATS 2007, LNCS, vol. 4763, pp. 114–129. Springer (2007). https://doi.org/10.1007/978-3-540-75454-1_10
Dill, D.L.: Timing assumptions and verification of finite-state concurrent systems. In: CAV 1989, LNCS, vol. 407, pp. 197–212. Springer (1990). https://doi.org/10.1007/3-540-52148-8_17
Gastin, P., Mukherjee, S., Srivathsan, B.: Reachability in timed automata with diagonal constraints. In: International Conference on Concurrency Theory, LIPIcs, vol. 118, pp. 1–17. Dagstuhl (2018). https://doi.org/10.4230/LIPIcs.CONCUR.2018.28
Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Principles of Programming Languages, pp. 58–70. ACM (2002). https://doi.org/10.1145/503272.503279
Herbreteau, F., Kini, D., Srivathsan, B., Walukiewicz, I.: Using non-convex approximations for efficient analysis of timed automata. In: Foundations of Software Technology and Theoretical Computer Science, LIPIcs, vol. 13, pp. 78–89. Dagstuhl (2011). https://doi.org/10.4230/LIPIcs.FSTTCS.2011.78
Herbreteau, F., Srivathsan, B., Walukiewicz, I.: Better abstractions for timed automata. In: Logic in Computer Science, pp. 375–384. IEEE (2012). https://doi.org/10.1109/LICS.2012.48
Herbreteau, F., Srivathsan, B., Walukiewicz, I.: Lazy abstractions for timed automata. In: CAV 2013, LNCS, vol. 8044, pp. 990–1005. Springer (2013). https://doi.org/10.1007/978-3-642-39799-8_71
Hojjat, H., Rümmer, P., Subotic, P., Yi, W.: Horn clauses for communicating timed systems. In: Horn Clauses for Verification and Synthesis, EPTCS, vol. 169, pp. 39–52. Open Publishing Association (2014). https://doi.org/10.4204/EPTCS.169.6
Isenberg, T., Wehrheim, H.: Timed automata verification via IC3 with zones. In: ICFEM 2014, LNCS, vol. 8829, pp. 203–218. Springer (2014). https://doi.org/10.1007/978-3-319-11737-9_14
Kindermann, R., Junttila, T., Niemelä, I.: SMT-based induction methods for timed systems. In: FORMATS 2012, LNCS, vol. 7595, pp. 171–187. Springer (2012). https://doi.org/10.1007/978-3-642-33365-1_13
McMillan, K.L.: Interpolation and SAT-based model checking. In: CAV 2003, LNCS, vol. 2725, pp. 1–13. Springer (2003). https://doi.org/10.1007/978-3-540-45069-6_1
Morbé, G., Pigorsch, F., Scholl, C.: Fully symbolic model checking for timed automata. In: CAV 2011, LNCS, vol. 6806, pp. 616–632. Springer (2011). https://doi.org/10.1007/978-3-642-22110-1_50
Reynier, P.A.: Diagonal constraints handled efficiently in Uppaal. Technical Report, LSV-07-02, Laboratoire Spécification et Vérification, ENS Cachan, France (2007)
Tóth, T., Hajdu, Á., Vörös, A., Micskei, Z., Majzik, I.: Theta: A framework for abstraction refinement-based model checking. In: Formal Methods in Computer Aided Design, pp. 176–179. FMCAD Inc. (2017). https://doi.org/10.23919/FMCAD.2017.8102257
Tóth, T., Majzik, I.: Lazy reachability checking for timed automata using interpolants. In: FORMATS 2017, LNCS, vol. 10419, pp. 264–280. Springer (2017). https://doi.org/10.1007/978-3-319-65765-3_15
Tóth, T., Majzik, I.: Lazy reachability checking for timed automata with discrete variables. In: SPIN 2018, LNCS, vol. 10869, pp. 235–254. Springer (2018). https://doi.org/10.1007/978-3-319-94111-0_14
Tóth, T., Majzik, I.: Supplementary material for the paper “Configurable verification of timed automata with discrete variables”. Zenodo (2020). https://doi.org/10.5281/zenodo.3965792
Wang, W., Jiao, L.: Difference bound constraint abstraction for timed automata reachability checking. In: FORTE 2015, LNCS, vol. 9039, pp. 146–160. Springer (2015). https://doi.org/10.1007/978-3-319-19195-9_10

Download references

Funding

Open access funding provided by Budapest University of Technology and Economics.

Author information

Authors and Affiliations

Department of Measurement and Information Systems, Budapest University of Technology and Economics, Budapest, Hungary
Tamás Tóth & István Majzik

Authors

Tamás Tóth
View author publications
You can also search for this author in PubMed Google Scholar
István Majzik
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tamás Tóth.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

T. Tóth: This work was partially supported by Gedeon Richter’s Talentum Foundation (Gyömrői út 19-21, 1103 Budapest, Hungary). I. Majzik: The research reported in this paper was partially supported by the BME NC TKP2020 grant of NKFIH Hungary.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Tóth, T., Majzik, I. Configurable verification of timed automata with discrete variables. Acta Informatica 59, 1–35 (2022). https://doi.org/10.1007/s00236-020-00393-4

Download citation

Received: 05 March 2019
Accepted: 27 October 2020
Published: 15 December 2020
Issue Date: February 2022
DOI: https://doi.org/10.1007/s00236-020-00393-4

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Configurable verification of timed automata with discrete variables

Abstract

Similar content being viewed by others

Lazy Reachability Checking for Timed Automata with Discrete Variables

Trace Abstraction Refinement for Timed Automata

A Unified Model for Real-Time Systems: Symbolic Techniques and Implementation

1 Introduction

1.1 Comparison to related work

1.2 Organization of the paper

2 Background and notations

2.1 Valuations

Remark 1

Lemma 1

Lemma 2

Lemma 3

2.2 Timed automata

Definition 1

Remark 2

Definition 2

Definition 3

Definition 4

Definition 5

Remark 3

Definition 6

Definition 7

Remark 4

Definition 8

Remark 5

Proposition 1

2.3 Zones and DBMs

Proposition 2

3 Algorithm for lazy reachability checking

3.1 Abstract reachability tree

Definition 9

Definition 10

Definition 11

Definition 12

Definition 13

Definition 14

Definition 15

Definition 16

Proposition 3

Proof

3.2 Reachability algorithm

Proposition 4

Proof

4 Abstraction refinement

Proposition 5

Proof

4.1 Combination of abstractions

Definition 17

Proposition 6

Proposition 7

Proof

4.2 Abstraction for clock variables

4.2.1 Zone abstraction

Definition 18

Proposition 8

Proposition 9

Proof

4.2.2 Lazy zone abstraction

Definition 19

Proposition 10

Lemma 4

Proposition 11

Proof

4.2.3 Interpolation for zones

Definition 20

Proposition 12

Proof

4.2.4 Abstraction refinement for lazy zone abstraction

Lemma 5

Lemma 6

Proposition 13

Proof

Proposition 14

Proof

4.3 Abstraction and refinement for discrete variables

4.3.1 Explicit tracking of variables

Definition 21