Verified Model Checking of Timed Automata
Abstract
We have constructed a mechanically verified prototype implementation of a model checker for timed automata, a popular formalism for modeling realtime systems. Our goal is twofold: first, we want to provide a reference implementation that is fast enough to check other model checkers against it on reasonably sized benchmarks; second, we strive for maximal feature compatibility with the stateoftheart tool Uppaal. The starting point of our work is an existing highly abstract formalization of reachability checking of timed automata. We reduce checking of Uppaalstyle models to the problem of model checking a single automaton in this abstract formalization, while retaining the ability to perform on the fly modelchecking. Using the Isabelle Refinement Framework, the abstract specification of the model checker is refined, via multiple intermediate steps, to an actual imperative implementation in Standard ML. The resulting tool is evaluated on a set of standard benchmarks to demonstrate its practical usability.
1 Introduction
Timed automata [1] are a widely used formalism for modeling realtime systems, which is employed in a class of successful model checkers such as Uppaal [2]. These tools can be understood as trustmultipliers: we trust their correctness to deduce trust in the safety of systems checked by these tools. However, mistakes have previously been made. This particularly concerns an approximation operation that is used by modelchecking algorithms to obtain a finite search space. The use of this operation induced a soundness problem in the tools employing it [3], which was only discovered years after the first model checkers were devised.
Our ongoing work^{1} addresses this issue by constructing a fully verified model checker for timed automata, using Isabelle/HOL [4]. Our tool is not intended to replace existing model checkers, but to serve as a reference implementation against which other implementations can be validated. Thus, it must provide sufficient performance to check real world examples. To this end, we use the Isabelle Refinement Framework (IRF) [5, 6] to obtain efficient imperative implementations of the algorithms required for model checking.
Our work starts from an existing abstract formalization of reachability checking of timed automata [7]. To close the gap to a practical model checker, we need to address two types of issues: efficient implementation of abstract model checking algorithms, and expressiveness of the offered modeling formalism. Two kinds of algorithms deserve special attention here. The first are operations to manipulate Difference Bound Matrices (DBMs) [2], which represent abstract states. With the help of the IRF, we obtain efficient implementations of DBMs represented as arrays. The second are search algorithms that govern the search for reachable states. These algorithms are interesting in their own right, since they make use of subsumption: during the search process an abstract state can be ignored if a larger abstract state was already explored. We provide a generalized framework for different variants of search algorithms, including a version which resembles Uppaal’s unified passed and waiting list [2].
We aim to offer a modeling formalism that is comparable in its expressiveness to the one of Uppaal. To accomplish this goal while keeping the formalization effort manageable, we opt to accept Uppaal bytecode as input. At the current state of the project we have formalized the semantics of a subset of the bytecode produced by Uppaal. We support the essential modeling features: networks of automata with synchronization, and bounded integer state variables. We apply a product construction to reduce models of this formalism to a single timed automaton. As in real model checkers, the whole construction is computed on the fly. However, not every bytecode input designates a valid automaton. To this end, we employ a simple program analysis to accept a sufficiently large subset of the valid inputs.
We conducted experiments on a small number of established benchmark models. The throughput of our model checker — the number of explored states per time unit — is within an order of magnitude of a version of Uppaal running a comparable algorithm.
1.1 Isabelle/HOL
Isabelle/HOL [4] is an interactive theorem prover based on HigherOrder Logic (HOL). You can think of HOL as a combination of a functional programming language with logic. Although Isabelle/HOL largely follows ordinary mathematical notation, there are some operators and conventions that should be explained. Like in functional programming, functions are mostly curried, i.e. of type \(\tau _1 \Rightarrow \tau _2 \Rightarrow \tau \) instead of \(\tau _1 \times \tau _2 \Rightarrow \tau \). This means that function application is usually written \(f\ a\ b\) instead of f(a, b). Lambda terms are written in the standard syntax \(\lambda x.\ t\) (the function that maps x to t) but can also have multiple arguments \(\lambda x\ y.\ t\), paired arguments \(\lambda (x,y).\ t\), or dummy arguments \(\lambda \_.\ t\). Type variables are written \('a\), \('b\), etc. Compound types are written in postfix syntax: \(\tau \ set\) is the type of sets of elements of type \(\tau \). In some places in the paper we have simplified formulas or code marginally to avoid distraction by syntactic or technical details, but in general we have stayed faithful to the sources.
1.2 Related Work
The basis of the work presented in this paper is our existing formalization of timed automata [7]. We are aware of one previous proofassistant formalization of timed automata using PVS [8, 9]. This work has the basic decidability result using regions and claims to make some attempt to extend the formalization towards DBMs. Another line of work [10, 11] aims at modeling the class of pautomata [12] in Coq and proving properties of concrete pautomata within Coq. A similar approach was pursued with the help of Isabelle/HOL in the CClair project [13]. In contrast, our formalization [7] focuses on the foundations of timed automata model checking. In particular, it encompasses a formalization of the relevant DBM algorithms and the rather intricate developments towards the correctness proof for the approximation operation.
We are not aware of any previous formalizations or verified implementations of timed automata model checking. The first verification of a model checker we are aware of is by Sprenger for the modal \(\mu \)calculus in Coq [14]. Our important forerunner, however, is the CAVA project [15, 16, 17] by Esparza et al. It sets out for similar goals as we do but for finite state LTL model checking. A significant part of the refinement technology that we make use of was developed for this project, and it was the first project to demonstrate that verification of model checking can yield practical implementations. Compared to CAVA, our work offers several novelties: we target model checking of timed automata, which have an infinite state space; we use imperative data structures, which is crucial for efficient DBMs; finally, we implemented complex search algorithms with subsumption. Additionally, we operate on automata annotated with Uppaal bytecode, which has interesting ramifications: for the product construction, and because we need to ensure that the input actually defines a timed automaton.
2 Timed Automata and Model Checking
2.1 Transition Systems
2.2 Timed Automata

Delay: \((l, u) \rightarrow ^d (l, u \oplus d)\) if \(d \ge 0\) and \(u \oplus d\vdash \mathcal {I}\ l\);

Action: \((l, u) \rightarrow _a (l', [r \rightarrow 0]u)\)
if \(A \vdash l \longrightarrow ^{g,a,r} l'\), \(u \vdash g\), and \([r \rightarrow 0]u\vdash \mathcal {I}\ l'\);
2.3 Model Checking
Due to the use of clock valuations, the state space of timed automata is inherently infinite. Thus, model checking algorithms for timed automata are based on the idea of abstracting from concrete valuations to sets of clock valuations of type \(( nat \Rightarrow real )\ set\), often called zones. The initial decidability result [1] partitioned the state space into a quotient of zones, the socalled regions, and showed that these yield a sound and complete abstraction^{3}. However, practical model checking algorithms rather explore the state space in an onthefly manner, computing successors directly on zones, which are typically represented symbolically as Difference Bound Matrices (DBMs). DBMs are simply a matrixform representation of clock constraints, which contain exactly one conjunct for each pair of clocks. To represent constraints on single clocks, an artificial \(\mathbf {0}\)clock is added, which is assumed to be assigned 0 in any valuation.
The delicate part of this method is that the number of reachable zones could still be infinite. Therefore, an overapproximation is applied to zones to obtain a finite search space. We call the transition system of zones the zone graph, and the version where overapproximations are applied the abstract zone graph [18]. The soundness argument for this method (due to overapproximation completeness is trivial), starts from the region construction and then introduces the notion of the closure of a zone, which is defined to be the union of all regions intersecting with a zone. It can be shown from the correctness of the region construction that closures yield a sound overapproximation of zones. Finally, one shows that the result of applying the overapproximation operator to zones is always contained in the closure, thus inheriting soundness from the soundness of closures. We have formalized this argument and all of the material summarized in this section in previous work [7]. It only covers the case of reachability, but we will demonstrate how to extend the soundness argument to liveness below.
3 A First Glance at the Model Checker
4 Single Automaton Model Checking
In this section, we describe the route from the abstract semantics of timed automata to the implementation of an actual model checker. The next section will describe the construction of a single timed automaton from the Uppaalmodel.
4.1 Implementation Semantics
Although we have established that the DBMbased semantics from Sect. 2 can only explore finitely many zones, it is still “too infinite”: the automaton and DBMs are described by real constants, and operations on DBMs are performed on infinitely many dimensions (i.e. clocks). Thus, we introduce an implementation semantics, in which automata are given by integer constants, and where the number of clocks is fixed. We prove equivalence of the semantics in two steps: first, we show that DBM operations need only be performed on the clocks that actually occur in the automaton; second, we show that all computations can be performed on integers, provided the initial state only contains integers.
For the latter step, we use Isabelle’s integrated parametricity prover [19] to semiautomatically transfer the operations from reals to integers.
As an example, Fig. 2 displays the refinement steps of the up operation, which computes the time successor of a zone Z, i.e. the set \(\{u \oplus d\ \ u \in Z \wedge d \ge 0\}\).
In the step from up to \(up_1\), the assumption that the input DBM is canonical is introduced. In \(up_2\), which is the version used in the implementation semantics, the operation is constrained to clocks 1 to n. Finally, in \(up_3\), the matrices are implemented as arrays and the fold is implemented as a foreach loop.
At this point, a naive exploration of the transitive closure of the implementation semantics would already yield a simple but inefficient model checker. The rest of this section outlines the derivation of a more elaborate implementation that is close to what can be found in Uppaal.
4.2 Semantic Refinement of Successor Computation
We further refine the implementation semantics to add two optimizations to the computation of successor DBMs: to canonicalize DBMs it is sometimes sufficient to only “repair” single rows or columns instead of running the full FloydWarshall algorithm; moreover, we can terminate the computation early whenever we discover a DBM that represents an empty zone (as it will remain empty). Both arguments are again carried out on the semantic level.
4.3 Abstraction of Transition Systems with Closures
Recall that the correctness of the reachability analysis on the abstract zone graph in Sect. 2 was obtained arguing that the region closure of zones forms a sound overapproximation of zones, which in turn is larger than the abstract zone graph. We want to reuse the same kind of argument to also argue that there exists a cycle in the abstract zone graph if and only if there is a cycle in the automaton’s transition system. This proof is carried out in a general abstract framework for transition systems and their abstractions.
Lemma 1
If \(\rightarrow _{A_1}\) is poststable and we have \(a \rightarrow _{A_1}as \rightarrow _{A_1}a\) with a finite and nonempty, then there exist xs and \(x \in a\) such that \(x \rightarrow _Cxs \rightarrow _Cx\).
Proof
Let \(x \rightarrow y = (\exists xs.\ x \rightarrow _Cxs \rightarrow _Cy)\). As \(\rightarrow _{A_1}\) is poststable, every a has an ingoing \(\rightarrow \)edge. Because a is finite we can thus find an \(\rightarrow \)cycle in a, and obtain the claim.
Lemma 2
If \(\rightarrow _{A_1}\) is prestable and we have \(a \rightarrow _{A_1}as \rightarrow _{A_1}a\) and \(x \in a\), then there exist xs such that \(x \rightarrow _C^{xs}\) and xs passes through a infinitely often.
Proof
By coinduction. From prestability we can find \(x_1 \in a\) such that \(x \rightarrow _C^+ x_1\), from \(x_1\) we find \(x_2 \in a\) such that \(x_1 \rightarrow _C^+ x_2\), and so forth.
Theorem 1
If \(a_0 \rightarrow _{A_2}as \rightarrow _{A_2}a \rightarrow _{A_2}bs \rightarrow _{A_2}a\) and \(P_2\ a\), then there exist \(x \in \bigcup (\mathcal {C}\ a_0)\) and xs such that \(x \rightarrow _C^{xs}\) and xs passes through \(\bigcup (\mathcal {C}\ a)\) infinitely often.
Proof
We first apply \(\mathcal {C}\) to the second layer states and get a path of the form: \(\mathcal {C}\ a_0 \rightarrow _{\mathcal {C}}as' \rightarrow _{\mathcal {C}}\mathcal {C}\ a \rightarrow _{\mathcal {C}}bs' \rightarrow _{\mathcal {C}}\mathcal {C}\ a\) for some \(as'\) and \(bs'\). From Lemma 1 and poststability, we obtain a path of the form \(a_{0_1} \rightarrow _{A_1}as_1 \rightarrow _{A_1}a_1 \rightarrow _{A_1}bs_1 \rightarrow _{A_1}a_1\) with \(a_{0_1} \in \mathcal {C}\ a_0\) and \(a_1 \in \mathcal {C}\ a\). By applying Lemma 2 and prestability, we obtain the desired result.
This is the main theorem that allows us to run cycle detection on the abstract zone graph during model checking: the other direction is trivial, and the theorem can be directly instantiated for regions and (abstracted) zones. There is a slight subtlety here since we only guarantee \(x \in \bigcup (\mathcal {C}\ a_0)\). However we typically have \(\mathcal {C}\ a_0 = a_0\), as all clocks are initially set to zero.
4.4 Implementation of Search Algorithms
These refinement steps are conducted inside the nondeterminism monad of the IRF. The final step leads into the heapmonad of Imperative HOL [22], which supports imperative data structures. Here, the Sepref tool [6] replaces functional by imperative data structures and generates a refinement theorem automatically.
4.5 Imperative Implementations of Model Checking Operations
4.6 Code Extraction
Finally, Isabelle/HOL’s code generator [24] is used to extract imperative Standard ML code from the Isabelle specifications generated by Sepref. Code generation involves some optimizations and rewritings that are carried out as refinement steps and proved correct, followed by pretty printing from the functional fragment of HOL and the heap monad to Standard ML.
5 From UPPAALStyle Semantics to a Single Automaton
5.1 UPPAALStyle Semantics
Due to the lack of documentation on the Uppaal intermediate format, we define an approximation of this assemblerlike language by reverse engineering. This is sufficient to check typical benchmarks, and gives a clearly defined semantics to the fragment that we cover. The language is defined as a simple data type instr. A step function of type \(instr \Rightarrow state \Rightarrow state\ option\) computes the successor state after executing an instruction, or fails. A state consists of an instruction pointer, the stack, the state of the shared integer variables, the state of the comparison flag, and a list of clocks that have been marked for reset. Using a fuel parameter, we execute programs by repeatedly applying the step function until we either reach a halt instruction, fail, or run out of fuel, which we also regard as a failed execution.
A special instruction CEXP is used to check whether an atomic clock constraint holds for a given valuation u. However, this instruction cannot simply be executed during model checking as it would need to work on zones instead of valuations. Unconstrained use of the CEXP instruction would allow for disjunctions of clock constraints on edges, which is not part of the standard timed automata formalism. Thus, in the same way as Uppaal, we restrict the valid input programs to those that only yield conjunctions of clock constraints on edges. We then replace every CEXP instruction by a special meta instruction that sets the comparison flag to true. This amounts to enforcing a program execution where the clock constraint, which is expressed by a piece of bytecode, holds for a valuation. Edges are annotated with the conjunction of the atomic clock constraints encountered during execution. In the current version of our tool, we separate concerns for locations by using a state predicate, which is not allowed to use CEXP instructions, and a separate clock constraint. The two could be merged by using the same approach as for edges.
5.2 Program Analysis

a copy instruction to push the flag on the stack, followed by CEXP and an and instruction;

a copy instruction, followed by a jumponzero instruction with \(pc_t\) as the destination, followed by CEXP and an and instruction.
5.3 Product Construction
The result of this construction is a highly contrived description of the single automaton. To obtain an efficiently executable version of this description, we specify an alternative functional implementation and prove the equivalence of the two.
6 Experimental Evaluation
Experimental results on a set of standard benchmarks.
Model  Prop  SAT  Size  Our tool  \({\textsc {Uppaal}}_1\)  \({\textsc {Uppaal}}_2\)  

Time  #States  Time  #States  TR  Time  #States  TR  
Fischer  R  N  5  6,61  38578  0,31  12363  6,83  0,04  3739  16,02 
L  Y  5  7,52  42439  0,31  20340  11,8  0,04  8149  40,1  
Y  6  485,9  697612  42,85  249295  4,1  1,53  67325  30,7  
FDDI  R  N  8  16,04  6720  0,34  5416  37,6  0,31  5416  42,0 
N  10  142,8  29759  6,63  24210  17,5  6,44  24120  18,0  
L  Y  6  2,58  2083  0,05  2439  61,7  0,04  2439  68,7  
Y  7  6,50  3737  0,15  4944  57,0  0,14  4944  62,3  
CSMA/CD  R  N  5  4,48  9959  0,03  2704  45,3  0,03  2769  40,6 
N  6  71,70  81463  1,70  17613  9,2  1,79  17939  8,8  
L  Y  5  4,93  11526  0,04  3802  42,4  0,04  3867  42,4  
Y  6  76,83  96207  1,78  23128  10,4  1,86  12603  10,1 
The results indicate that our tool’s throughput is around one order of magnitude lower than Uppaal’s. Encouragingly, the gap seems to decrease for larger models. However, for larger problem sizes of some models, we also start to run out of memory because our tool is not tuned towards space consumption. We do not have a convincing explanation for the difference in states explored by our tool and Uppaal — particularly, because our tool already implements locationbased extrapolation. Nevertheless, we conclude that the performance offered by our tool is reasonable for a reference implementation against which other tools can be validated: we can check medium sized instances of common benchmark models, which should be sufficient to scrutinize the functionality of a model checker.
7 Conclusion
We have derived an efficiently executable and formally verified model checker for timed automata. Starting from an abstract formalization of timed automata, we first reduced the problem to model checking of a single automaton, and then used stepwise refinement techniques to gradually replace abstract mathematical notions by efficient algorithms and data structures. Some of the verified algorithms and data structures, e.g. search with subsumption and Difference Bound Matrices, are interesting in their own right. Our experiments demonstrate that our tool’s performance is suitable for validating other model checkers against it on medium sized instances of classic benchmark models. Using a simple program analysis, we can cover a subset of the Uppaal bytecode that is sufficient to accept common models as an input.
Following the construction we expounded above, our checker can be improved on two different axes: advanced modeling feature such as broadcast channels or committed locations can be enabled by elaborating the product construction; using the refinement techniques that we demonstrated above, further improvements of the model checking algorithms can achieve better performance.
An alternative approach to tackle performance problems is to resort to certification of model checking results. For the simple CTL properties that are supported by our tool and Uppaal, passed sets could be used as the certificates and the model checking algorithms could be reused for certificate checking. As the model checking algorithms for timed automata make use of subsumption, passed sets can contain significantly less states than the total number of states explored during model checking. We plan on exploring this avenue in the future.
Footnotes
 1.
 2.
 3.
We use the same notions as in [7]. Soundness: for every abstract run, there is a concrete instantiation. Completeness: every concrete run can be abstracted.
 4.
For the time being, the bytecode needs to be preprocessed slightly, mainly to rename textual identifiers to integers.
 5.
Adding a check for deadlocked states to our algorithms would be conceptually simple but is left for future work.
 6.
\(P_1\) states are distinct and there are only finitely many of them. For every \(P_2\) state, there is an overlapping \(P_1\) state.
 7.
Uppaal comes with a note suggesting that these numbers might be wrong for liveness properties.
Notes
Data Availability Statement
The datasets generated during and analyzed during the current study are available in the figshare repository [25]: https://doi.org/10.6084/m9.figshare.5917363.v1.
References
 1.Alur, R., Dill, D.L.: A theory of timed automata. Theoret. Comput. Sci. 126(2), 183–235 (1994)MathSciNetCrossRefGoogle Scholar
 2.Bengtsson, J., Yi, W.: Timed automata: semantics, algorithms and tools. In: Desel, J., Reisig, W., Rozenberg, G. (eds.) ACPN 2003. LNCS, vol. 3098, pp. 87–124. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540277552_3CrossRefMATHGoogle Scholar
 3.Bouyer, P.: Untameable timed automata! In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 620–631. Springer, Heidelberg (2003). https://doi.org/10.1007/3540364943_54Google Scholar
 4.Nipkow, T., Wenzel, M., Paulson, L.C. (eds.): Isabelle/HOL. LNCS, vol. 2283. Springer, Heidelberg (2002). https://doi.org/10.1007/3540459499CrossRefMATHGoogle Scholar
 5.Lammich, P., Tuerk, T.: Applying data refinement for monadic programs to Hopcroft’s algorithm. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 166–182. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642323478_12CrossRefGoogle Scholar
 6.Lammich, P.: Refinement to Imperative/HOL. In: Urban, C., Zhang, X. (eds.) ITP 2015. LNCS, vol. 9236, pp. 253–269. Springer, Cham (2015). https://doi.org/10.1007/9783319221021_17CrossRefGoogle Scholar
 7.Wimmer, S.: Formalized timed automata. In: Blanchette, J.C., Merz, S. (eds.) ITP 2016. LNCS, vol. 9807, pp. 425–440. Springer, Cham (2016). https://doi.org/10.1007/9783319431444_26CrossRefGoogle Scholar
 8.Xu, Q., Miao, H.: Formal verification framework for safety of realtime system based on timed automata model in PVS. In: Proceedings of the IASTED International Conference on Software Engineering, pp. 107–112 (2006)Google Scholar
 9.Xu, Q., Miao, H.: Manipulating clocks in timed automata using PVS. In: Proceedings of SNPD 2009, pp. 555–560 (2009)Google Scholar
 10.PaulinMohring, C.: Modelisation of timed automata in Coq. In: Kobayashi, N., Pierce, B.C. (eds.) TACS 2001. LNCS, vol. 2215, pp. 298–315. Springer, Heidelberg (2001). https://doi.org/10.1007/3540455000_15CrossRefMATHGoogle Scholar
 11.Garnacho, M., Bodeveix, J.P., FilaliAmine, M.: A mechanized semantic framework for realtime systems. In: Braberman, V., Fribourg, L. (eds.) FORMATS 2013. LNCS, vol. 8053, pp. 106–120. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642402296_8CrossRefMATHGoogle Scholar
 12.Alur, R., Henzinger, T.A., Vardi, M.Y.: Parametric realtime reasoning. In: Proceedings of the TwentyFifth Annual ACM Symposium on Theory of Computing, pp. 592–601 (1993)Google Scholar
 13.Castéran, P., Rouillard, D.: Towards a generic tool for reasoning about labeled transition systems. In: TPHOLs 2001: Supplemental Proceedings (2001). http://www.informatics.ed.ac.uk/publications/report/0046.html
 14.Sprenger, C.: A verified model checker for the modal \(\mu \)calculus in Coq. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 167–183. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054171CrossRefGoogle Scholar
 15.Esparza, J., Lammich, P., Neumann, R., Nipkow, T., Schimpf, A., Smaus, J.G.: A fully verified executable LTL model checker. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 463–478. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_31CrossRefGoogle Scholar
 16.Neumann, R.: Using promela in a fully verified executable LTL model checker. In: Giannakopoulou, D., Kroening, D. (eds.) VSTTE 2014. LNCS, vol. 8471, pp. 105–114. Springer, Cham (2014). https://doi.org/10.1007/9783319121543_7CrossRefGoogle Scholar
 17.Brunner, J., Lammich, P.: Formal verification of an executable LTL model checker with partial order reduction. J. Autom. Reasoning 60(1), 3–21 (2018)MathSciNetCrossRefGoogle Scholar
 18.Herbreteau, F., Srivathsan, B., Tran, T.T., Walukiewicz, I.: Why liveness for timed automata is hard, and what we can do about it. In: Lal, A., Akshay, S., Saurabh, S., Sen, S. (eds.) FSTTCS 2016, vol. 65. LIPIcs. Schloss Dagstuhl  LeibnizZentrum für Informatik, pp. 48:1–48:14 (2016)Google Scholar
 19.Huffman, B., Kunčar, O.: Lifting and transfer: a modular design for quotients in Isabelle/HOL. In: Gonthier, G., Norrish, M. (eds.) CPP 2013. LNCS, vol. 8307, pp. 131–146. Springer, Cham (2013). https://doi.org/10.1007/9783319035451_9CrossRefMATHGoogle Scholar
 20.Bouajjani, A., Tripakis, S., Yovine, S.: Onthefly symbolic model checking for realtime systems. In: Proceedings of the 18th IEEE RealTime Systems Symposium (RTSS 1997), 3–5 December 1997, San Francisco, CA, USA, pp. 25–34 (1997)Google Scholar
 21.Behrmann, G., Larsen, K.G., Rasmussen, J.I.: Beyond liveness: efficient parameter synthesis for time bounded liveness. In: Pettersson, P., Yi, W. (eds.) FORMATS 2005. LNCS, vol. 3829, pp. 81–94. Springer, Heidelberg (2005). https://doi.org/10.1007/11603009_7CrossRefGoogle Scholar
 22.Bulwahn, L., Krauss, A., Haftmann, F., Erkök, L., Matthews, J.: Imperative functional programming with Isabelle/HOL. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs 2008. LNCS, vol. 5170, pp. 134–149. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540710677_14CrossRefGoogle Scholar
 23.Charguéraud, A.: Higherorder representation predicates in separation logic. In: Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs, CPP 2016, St. Petersburg, FL, USA, pp. 2–14. ACM, New York (2016). https://doi.org/10.1145/2854065.2854068
 24.Haftmann, F., Nipkow, T.: Code generation via higherorder rewrite systems. In: Blume, M., Kobayashi, N., Vidal, G. (eds.) FLOPS 2010. LNCS, vol. 6009, pp. 103–117. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642122514_9CrossRefGoogle Scholar
 25.Wimmer, S., Lammich, P.: Verified model checking of timed automata  artifact (2018)Google Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.