Abstraction Refinement Algorithms for Timed Automata

We present abstraction-refinement algorithms for model checking safety properties of timed automata. The abstraction domain we consider abstracts away zones by restricting the set of clock constraints that can be used to define them, while the refinement procedure computes the set of constraints that must be taken into consideration in the abstraction so as to exclude a given spurious counterexample. We implement this idea in two ways: an enumerative algorithm where a lazy abstraction approach is adopted, meaning that possibly different abstract domains are assigned to each exploration node; and a symbolic algorithm where the abstract transition system is encoded with Boolean formulas.


Introduction
Model checking [4,10,12,26] is an automated technique for verifying that the set of behaviors of a computer system satisfies a given property. Model-checking algorithms explore finite-state automata (representing the system under study) in order to decide if the property holds; if not, the algorithm returns an explanation. These algorithms have been extended to verify real-time systems modelled as timed automata [2,3], an extension of finite automata with clock variables to measure and constrain the amount of time elapsed between occurrences of transitions. The state-space exploration can be done by representing clock constraints efficiently using convex polyhedra called zones [8,9]. Algorithms based on this data structure have been implemented in several tools such as Uppaal [7], and have been applied in various industrial cases.
The well-known issue in the applications of model checking is the state-space explosion problem: the size of the state space grows exponentially in the size of the description of the system. There are several sources for this explosion: the system might be made of the composition of several subsystems (such as a distributed system), it might contain several discrete variables (such as in a piece of software), or it might contain a number of real-valued clocks as in our case.
Numerous attempts have been made to circumvent this problem. Abstraction is a generic approach that consists in simplifying the model under study, so as to make it easier to verify [13]. Existential abstraction may only add extra behaviors, so that when a safety property holds in an abstracted model, it also holds in the original model; if on the other hand a safety property fails to hold, the model-checking algorithms return a witness trace exhibiting the non-safe behaviour: this either invalidates the property on the original model, if the trace exists in that model, or gives information about how to automatically refine the abstraction. This approach, named CEGAR (counter-example guided abstraction refinement) [11], was further developed and used, for instance, in software verification (BLAST [20], SLAM [5], ...).
The CEGAR approach has been adapted to timed automata, e.g. in [14,18], but the abstractions considered there only consist in removing clocks and discrete variables, and adding them back during refinement. So for most welldesigned models, one ends up adding all clocks and variables which renders the method useless. Two notable exceptions are [22], in which the zone extrapolation operators are dynamically adapted during the exploration, and [29], in which zones are refined when needed using interpolants. Both approaches define "exact" abstractions in the sense that they make sure that all traces discovered in the abstract model are feasible in the concrete model at any time.
In this work, we consider a more general setting and study predicate abstractions on clock variables. Just like in software model checking, we define abstract state spaces using these predicates, where the values of the clocks and their relations are approximately represented by these predicates. New predicates are generated if needed during the refinement step. We instantiate our approach by two algorithms. The first one is a zone-based enumerative algorithm inspired by the lazy abstraction in software model checking [19], where we assign a possibly different abstract domain to each node in the exploration. The second algorithm is based on binary decision diagrams (BDD): by exploiting the observation that a small number of predicates was often sufficient to prove safety properties, we use an efficient BDD encoding of zones similar to one introduced in early work [28].
Let us explain the abstract domains we consider. Assume there are two clock variables x and y. The abstraction we consider consists in restricting the clock constraints that can be used when defining zones. Assume that we only allow to compare x with 2 or 3; that y can only be compared with 2, and x−y can only be compared with −1 or 2. Then any conjunction of constraints one might obtain in this manner will be delimited by the thick red lines in Fig. 1; one cannot define a finer region under this restriction. The figure shows the abstraction process: given a "concrete" zone, its abstraction is the smallest zone which is a superset and is definable under our restriction. For instance, the abstraction of Fig. 1a).
Related Works. We give more detail on zone abstractions in timed automata. Most efforts in the literature have been concentrated in designing zone abstraction operators that are exact in the sense that they preserve the reachability relation between the locations of a timed automaton; see [6]. The idea is to determine bounds on the constants to which a given clock can be compared to in a given part of the automaton, since the clock values do not matter outside these bounds. In [21,22], the authors give an algorithm where these bounds are dynamically adapted during the exploration, which allows one to obtain coarser abstractions. In [29], the exploration tree contains pairs of zones: a concrete zone as in the usual algorithm, and a coarser abstract zone. The algorithm explores all branches using the coarser zone and immediately refines the abstract zone whenever an edge which is disabled in the concrete zone is enabled. In [17], a CEGAR loop was used to solve timed games by analyzing strategies computed for each abstract game. The abstraction consisted in collapsing locations.
Some works have adapted the abstraction-refinement paradigm to timed automata. In [14], the authors apply "localization reduction" to timed automata within an abstraction-refinement loop: they abstract away clocks and discrete variables, and only introduce them as they are needed to rule out spurious counterexamples. A more general but similar approach was developed in [18]. In [31], the authors adapt the trace abstraction refinement idea to timed automata where a finite automaton is maintained to rule out infeasible edge sequences.
The CEGAR approach was also used recently in the LinAIG framework for verifying linear hybrid automata [1]. In this work, the backward reachability algorithm exploits don't-cares to reduce the size of the Boolean circuits representing the state space. The abstractions consist in enlarging the size of don't-cares to reduce the number of linear predicates used in the representation.

Timed Automata
Given a finite set of clocks C, we call valuations the elements of R C ≥0 . For a clock valuation v, a subset R ⊆ C, and a non-negative real d, we denote with v[R ← d] the valuation w such that w(x) = v(x) for x ∈ C \ R and w(x) = d for x ∈ R, and with v + d the valuation w such that w (x) = v(x) + d for all x ∈ C. We extend these operations to sets of valuations in the obvious way. We write 0 for the valuation that assigns 0 to every clock. An atomic guard is a formula of the form x ≺ k or x − y ≺ k with x, y ∈ C, k ∈ N, and ≺ ∈ {<, ≤, >, ≥}. A guard is a conjunction of atomic guards. A valuation v satisfies a guard g, denoted v |= g, if all atomic guards hold true when each x ∈ C is replaced with v(x).
| v |= g} denote the set of valuations satisfying g. We write Φ C for the set of guards built on C.
A timed automaton A is a tuple (L, Inv, 0 , C, E), where L is a finite set of locations, Inv : L → Φ C defines location invariants, C is a finite set of clocks, E ⊆ L × Φ C × 2 C × L is a set of edges, and 0 ∈ L is the initial location. An edge e = ( , g, R, ) is also written as g,R − − → . For any location , we let E( ) denote the set of edges leaving .
A path is a sequence of edges with matching endpoint locations.

Zones and DBMs
Several tools for timed automata implement algorithms based on zones, which are particular polyhedra definable with clock constraints. Formally, a zone Z is a subset of R C ≥0 definable by a guard in Φ C . We recall a few basic operations defined on zones. First, the intersection Z∩Z of two zones Z and Z is clearly a zone. Given a zone Z, the set of time-successors of Z, defined as Z↑ = {v + t ∈ R C ≥0 | t ∈ R ≥0 , v ∈ Z}, is easily seen to be a zone; similarly for time- Zones can be represented as difference-bound matrices (DBM) [8,15]. While several DBMs can represent the same zone, each zone admits a canonical representation, which is obtained by storing the tightest clock constraints defining the zone. This canonical representation can be obtained by computing shortest paths in a graph where the vertices are clocks and the edges weighted by clock constraints, with natural addition and comparison of elements of (Z × {<, ≤}) ∪ {(+∞, <)}. This graph has a negative cycle if, and only if, the associated DBM represents the empty zone.
All the operations on zones can be performed efficiently (in O(|C 0 | 3 )) on their associated DBMs while maintaining reduced form. For instance, the intersection N = Z ∩ Z of two canonical DBMs Z and Z can be obtained by first computing the DBM M = min(Z, Z ) such that M (x, y) = min{Z(x, y), Z (x, y)} for all (x, y) ∈ C 0 2 , and then turning M into canonical form. We refer to [8] For a path ρ = e 1 e 2 . . . e n , we define Post ρ and Pre ρ by iteratively applying Post ei and Pre ei respectively.

Clock-Predicate Abstraction and Interpolation
For all clocks x and y in C 0 , we consider a finite set D x,y ⊆ N×{≤, <}, and gather these in a table D = (D x,y ) x,y∈C0 . D is the abstract domain which restricts zones to be defined only using constraints of the form and D(x, y) ∈ D x,y for all x, y ∈ C 0 . Note that we do not require this witness DBM D to be reduced; the reduction of such a DBM might introduce additional values. We say that domain D is a refinement of D if for all x, y ∈ C 0 , we have D x,y ⊆ D x,y .

An abstract domain D induces an abstraction function α
An interpolant for a pair of zones ( [29]. We use interpolants to refine our abstractions; in order not to add too many new constraints when refining, our aim is to find minimal interpolants: define the density of a DBM D as Notice that while any pair of disjoint convex polyhedra can be separated by hyperplanes, not all pairs of disjoint zones admit interpolants of density 1; this is because not all (half-spaces delimited by) hyperplanes are zones. Still, we can bound the density of a minimal interpolant:

Lemma 1. For any pair of disjoint, non-empty zones (A, B), there exists an interpolant of density less than or equal to
By adapting the algorithm of [29] for computing interpolants, we can compute minimal interpolants efficiently:

Enumerative Algorithm
The first type of algorithm we present is a zone-based enumerative algorithm based on the clock-predicate abstractions. Let us first describe the overall algorithm in Algorithm 1, which is a typical abstraction-refinement loop. We then explain how the abstract reachability and refinement procedures are instantiated.

Algorithm 1.
Enumerative algorithm checking the reachability of a target location T . The initialization at line 1 chooses an abstract domain for the initial state, which can be either empty (thus the coarsest abstraction) or defined according to some heuristics. The algorithm maintains the wait and passed lists that are used in the forward exploration. As usual, the wait list can be implemented as a stack, a queue, or another priority list that determines the search order. The algorithm also uses covering nodes. Indeed if there are two node n and n , with n ∈ passed, n ∈ wait, n. = n . , and n .z ⊆ n.Z, then we know that every location reachable from n is also reachable from n. Since we have already explored n and we generated its successors, there is no need to explore the successors of n . The algorithm explicitly creates an exploration tree: line 2 creates a node containing location 0 , zone 0↑, and the abstract domain D 0 as the root of our tree, and adds this to the wait list. More details on the tree are given in the next subsection. Procedure AbsReach then looks for a trace to the target location T . If such a trace exists, line 9 checks its feasibility. Here π is a sequence of node and edges of A. The feasibility check is done by computing predecessors with zones starting from the final state, without using the abstraction function. If the last zone intersects our initial zone, this means that the trace is feasible. More details are given in Sect. 3.2.

Abstract Forward Reachability: AbsReach
We give a generic algorithm independently from the implementations of the abstraction functions and the refinement procedure.
Algorithm 2 describes the reachability procedure under a given abstract domain D. It is similar to the standard forward reachability algorithm using a wait-list and a passed-list. We explicitly create an exploration tree where the leaves are nodes in wait, covered nodes, or nodes that have no non-empty successors. Each node n contains the fields , Z which are labels describing the current location and zone; field covered points to a node covering the current node (it is undefined if the current node is not (known to be) covered); field parent points to the parent node in the tree (it is undefined for the root); and field D is the abstract domain associated with the node. Thus, the algorithm uses a possibly different abstract domain for each node in the exploration tree.
The difference of our algorithm w.r.t. the standard reachability can be seen at lines 8 and 11. At line 8, we apply the abstraction function to the zone taken from the wait-list before adding it to the passed-list. The abstraction function α is a function of a zone Z and a node n. This allows one to define variants with different dependencies; for instance, α might depend on the abstract domain n.D at the current node, but it can also use other information available in n or on the path ending in n. For now, it is best to think of α simply as Z → α n.D (Z). At line 11, the function choose-dom chooses an abstract domain for the node n . The domain could be chosen global for all nodes, or local to each node. A good trade-off, which we used in our experiments, is to have domains associated with locations of the timed automaton.
Remark 1. Note that we use the abstraction function when the node is inserted in the passed list. This is because we want the node to contain the smallest zone possible when we test whether the node is covered. We only need to use the abstracted zone when we compute its successor and when we test whether the node is covering. This allows us to store a unique zone.
As a first step towards proving correctness of our algorithm, we show that the following property is preserved by Algorithm AbsReach: For all nodes n in passed, for all edges e from n. , if Post e (n.Z) = ∅, then n has a child n such that Post e (n.Z) ⊆ n .Z. If n is in passed, then we also have α n .D (Post e (n.Z)) ⊆ n .Z.
Note that although we use inclusion in Property (1), AbsReach would actually preserve equality of zones, but we will not always have equality before running AbsReach. This is because Refine might change the zones of some nodes without updating the zones of all their descendants.

Refinement: Refine
We now describe our refinement procedure Refine. Let us now assume that and write D i for the domain associated with each A i . We write C 1 for the initial concrete zone, and for i < k, we define C i+1 = Post σi (A i ). We also note Z k = A k and for i < k, we have that π is not feasible if, and only if, ∃i ≤ k. C i ∩ Z i = ∅. We illustrate this on Fig. 2. Let us assume that π is not feasible. Let us denote by i 0 the maximal index such that C i0 ∩ Z i0 = ∅. This index also has the property that for all j < i 0 , we have Z j = ∅ and Z i0 = ∅. Once we have identified this trace as spurious by computing the Z j , we have two possibilities: -if Z i0 ∩ α Di 0 (C i0 ) = ∅: this means that we can reach A k from α Di 0 (C i0 ) but not from C i0 . In other words, our abstraction is too coarse and we must add some values to D i0 so that Z i0 ∩ α Di 0 (C i0 ) = ∅. Those values are found by computing the interpolant of Z i0 and C i0 -Otherwise it means that α Di 0 (C i0 ) cannot reach A k and the only reason the trace exists is because either D i0 or A i0−1 has been modified at some point and A i0 was not modified accordingly.
We can then update the values of C i for i > i 0 and repeat the process until we reach an index j 0 such that C j0 = ∅. We then have modified the nodes n i0 , . . . , n j0 and knowing that n j0 .Z = ∅, we can delete it and all of its descendants. Since some of the descendants of n i0 have not been modified, this might cause some refinements of the first type in the future. In order to ensure termination, we sometimes have to cut a subtree from a node in n i0 , . . . , n j0−1 and reinsert it in the wait list to restart the exploration from there. We call this action cut, and we can use several heuristics to decide when to use it. In the rest of this paper we will use the following heuristics: we perform cut on the first node of n i0 ...n j0 that is covered by some other node. Since this node is covered, we know that we will not restart the exploration from this node, or that the node was covered by one of its descendant. If none of these nodes are covered, we delete n j0 and its descendants. Other heuristics are possible, for instance applying cut on n i0 . We found that the above heuristics was the most efficient in our experiments. Lemma 4. Pick a node n, and let Y = n.Z. Then after running Refine, either node n is deleted, or it holds n.Z ⊆ Y . In other words, the zone of a node can only be reduced by Refine.
It follows that Refine also preserves Property (1), so that:

Lemma 5. Algorithm 1 satisfies Property (1).
We can then prove that our algorithm correctly decides the reachability problem and always terminates.

Boolean Encoding of Zones
We now present a symbolic algorithm that represents abstract states using Boolean formulas. Let B = {0, 1}, and V be a set of variables. A Boolean formula f that uses variables from set X ⊆ V will be written f (X) to make the dependency explicit; we sometimes write f (X, Y ) in place of f (X ∪ Y ). Such a formula represents a set [ We consider primed versions of all variables; this will allow us to write formulas relating two valuations. For any subset X ⊆ V, we define X = {p | p ∈ X}.
A literal is either p or ¬p for a variable p. Given a set X of variables, an Xminterm is the conjunction of literals where each variable of X appears exactly once. X-minterms can be seen as elements of B X . Given a vector of Boolean formulas Y = (Y x ) x∈X , formula f [Y /X] is the substitution of X by Y in f , obtained by replacing each x ∈ X with the formula Y x . The positive cofactor of f (X) by x is ∃x. (x ∧ f (X)), and its negative cofactor is ∃x. (¬x ∧ f (X)).
Let us define a generic operator post that computes successors of a set S(X, Y ) given a relation R(X, X ) (here, Y designates any set of variables on which S might depend outside of X): post R (S(X, Y )) = (∃X.S(X, Y ) ∧ R(X, X ))[X/X ]. Similarly, we set pre R (S(X, Y )) = (∃X .S(X, Y )[X /X] ∧ R(X, X )), which computes the predecessors of S(X, Y ) by the relation R [24].
Clock Predicate Abstraction. We fix a total order on C 0 . In this section, abstract domains are defined as D = (D x,y ) x y∈C0 , that is only for pairs x y. In fact, constraints of the form x − y ≤ k with x y are encoded using the negation of y − x < −k since (x − y ≤ k) ⇔ ¬(y − x < −k). We thus define D x,y = −D y,x for all x y. For x, y ∈ C 0 , let P x,y denote the set of clock predicates associated to D x,y : Let P D = ∪ x,y∈C0 P x,y denote the set of all clock predicates associated with D (we may omit the superscript D when it is clear). For all (x, y) ∈ C 0 2 and (k, ≺) ∈ D x,y , we denote by p x−y≺k the literal P x−y≺k if x y, and ¬P y−x≺ −1 −k otherwise (where ≤ −1 = < and < −1 = ≤). We also consider a set B of Boolean variables used to encode locations. Overall, the state space is described using Boolean formulas on these two types of variables, so states are elements of B P∪B .
Our Boolean encoding of clock constraints and semantic operations follow those of [28] for a concrete domain. We define these however for abstract domains, and show how successor computation and refinement operations can be performed.
Let us define the clock semantics of predicate P Since the set C of clocks is fixed, we may omit the subscript and just write [[P x−y k ]]. We define the conjunction, disjunction, and negation as intersection, union, and complement, respectively. Given a P- Notice that α D is non-convex in general: for instance, if the clock predicates are x ≤ 2, y ≤ 2, then the set defined by the constraint x = y maps to (p x≤2 ∧ p y≤2 ) ∨ (¬p x≤2 ∧ ¬p y≤2 ).

Reduction and Successor Computation
We now define the reduction operation, which is similar to the reduction of DBMs. The idea is to eliminate unsatisfiable minterms from a given Boolean formula. For example, we would like to make sure that in all minterms, if p x−y≤1 holds, then so does p x−y≤2 , when both are available predicates. Another issue is to eliminate minterms that are unsatisfiable due to triangle inequality. This is similar to the shortest path computation used to turn DBMs in canonical form. Example 1. Given predicates P = {p x−y≤1 , p y−z≤1 , p x−z≤2 }, the formula p x−y≤1 ∧ p y−z≤1 is not reduced since it contains the unsatisfiable minterm In this paper, we use limited reduction, since reductions are the most expensive operations in our algorithms. The following formula corresponds to 2reduction, which intuitively amounts to applying shortest paths for paths of lengths 1 and 2: Nevertheless, any abstraction can be refined so that the updated 2-reduction eliminates a given unsatisfiable minterm: We now explain how successor computation is realized in our encoding. For a guard g, assume we have computed an abstraction α D (g) in the present abstract domain. For each transition σ = ( 1 , g, R, 2 ), let us define the formula T σ = 1 ∧ α D (g). We show how each basic operation on zones can be computed in our BDD encoding. In our algorithm, all formulas A(B, P) representing sets of states are assumed to be reduced, that is, A(B, P) ⊆ reduce 2 D (A(B, P)). The intersection operation is simply logical conjunction: For the time successors, we define Up(A(B, P)) = reduce(post S Up (A(B, P))) where

Lemma 10. For any Boolean formula A(B, P), α D ([[A]]↑) ⊆ Up(A). Moreover, if D is the concrete domain and A is reduced, then this holds with equality.
Following similar ideas, we handle clock resets by defining Reset z (A) = reduce(post S Resetz (A)), for a (complex) relation S Resetz to encode how predicates evolve (see the long version [27] of this article for more detailled explanations).
When the target location is found to be reachable, ExtractTrace(layers) returns a trace reaching the target location. This is standard and can be done by computing backwards from the last element of layers, by finding which edge can be applied to reach the current state. Since both reset and time successor operations are defined using relations, predecessors in our abstract system can be easily computed using the operator pre R . As it is standard, we omit the precise definition of this function (the reader can refer to the implementation) but assume that it returns a trace of the form A 1 are minterms and the σ i belong to the trace alphabet Σ = {up, r ∅ } ∪ {r(x)} x∈C , with the following meaning: The feasibility of such a trace is easily checked using DBMs.
The overall algorithm then follows a classical CEGAR scheme. We initialize D by adding the clock constraints that appear syntactically in A, which is often a good heuristic. We run the reachability check of Algorithm 3. If no trace is found, then the target location is not reachable. If a trace is found, then we check for feasibility. If it is feasible, then the counterexample is confirmed. Otherwise, the trace is spurious and we run the refinement procedure described in the next subsection, and repeat the analysis.

Abstraction Refinement
Since we initialize D with all clock constraints appearing in guards, we can assume that all guards are represented exactly in the considered abstractions. Note that the algorithm can be easily extended to the general case; but this simplifies the presentation.
The abstract transition relation we use is not the most precise abstraction of the concrete transition relation. Therefore, it is possible to have abstract transitions ]. This requires care and is not a direct application of the standard refinement technique from [11]. A second difficulty is due to incomplete reduction of the predicates using reduce 2 D . In fact, some reachable states in our abstract model will be unsatisfiable. Let us explain how we refine the abstraction in each of these cases.
Consider an algorithm interp which returns an interpolant of given zones Z 1 , Z 2 . In what follows, by the refinement of D by interp(Z 1 , Z 2 ), we mean the domain D obtained by adding (k, ≺) to D x,y for all constraints x − y ≺ k of interp(Z 1 , Z 2 ). Observe that α D (Z 1 ) ∩ α D (Z 2 ) = ∅ in this case.
We define concrete successor and predecessor operations for the actions in Σ. For each a ∈ Σ, let Pre c a denote the concrete predecessor operation on zones defined straightforwardly, and similarly for Post c a . Consider domain D and the induced abstraction function α D . Assume that we are given a spurious trace . . B n be the sequence of concrete states visited along π in A, that is, B 1 is the concrete initial state, and for all 2 ≤ i ≤ n, let B i = Post c πi−1 (B i−1 ). This sequence can be computed using DBMs.
The trace is realizable if B n = ∅, in which case the counterexample is confirmed. Otherwise it is spurious. We show how to refine the abstraction to eliminate a spurious trace π.
Let i 0 be the maximal index such that B i0 = ∅. There are three possible reasons explaining why B i0+1 is empty: 3. otherwise, there are no predecessors of A i0+1 inside A i0 : we refine the abstraction according to the type of the transition from step i 0 to i 0 + 1: Note that the case π i0 = r ∅ is not possible since this induces the identity function both in the abstract and concrete systems.
Given abstraction α D and spurious trace π, let refine(α D , π) denote the refined abstraction α D obtained as described above.
The following two lemmas justify the two subcases of the third case above. They prove that the detected spurious transition disappears after refinement. The reset and up operations depend on the abstraction, so we make this dependence explicit below by using superscripts, as in Reset α x and Up α , in order to distinguish the operations before and after a refinement.

Experiments
We implemented both algorithms. The symbolic version was implemented in OCaml using the CUDD library 2 ; the explicit version was implemented in C++ within an existing model checker using Uppaal DBM library. Both prototypes take as input networks of timed automata with invariants, discrete variables, urgent and committed locations. The presented algorithms are adapted to these features without difficulty. We evaluated our algorithms on three classes of benchmarks we believe are significant. We compare the performance of the algorithm with that of Uppaal [7] which is based on zones, as well as the BDD-based model checker engine of PAT [25]. We were unable to compare with RED [30] which is not maintained anymore and not open source, and with which we failed to obtain correct results. The tool used in [16] was not available either. We thus only provide a comparison here with two well-maintained tools.
Two of our benchmarks are variants of schedulability-analysis problems where task execution times depend on the internal states of executed processes, so that an analysis of the state space is necessary to obtain a precise answer.
Monoprocess Scheduling Analysis. In this variant, a single process sequentially executes tasks on a single machine, and the execution time of each cycle depends on the state of the process. The goal is to determine a bound on the maximum execution time of a single cycle. This depends on the semantics of the process since the bound depends on the reachable states.
More precisely, we built a set of benchmarks where the processes are defined by synchronous circuit models taken from the Synthesis Competition (http:// www.syntcomp.org). We assume that each latch of the circuit is associated with a resource, and changing the state of the resource takes some amount of time. So a subset of the latches have clocks associated with them, which measure the time elapsed since the latest value change (latest moment when the value changed from 0 to 1, or from 1 to 0). We provide two time positive bounds 0 and 1 for each latch, which determine the execution time as follows: if the value of latch changes from 0 to 1 (resp. from 1 to 0), then the execution time of the present cycle cannot be less than 1 (resp. 0 ). The execution time of the step is then the minimum that satisfies these constraints.
Multi-process Stateful Scheduling Analysis. In this variant, three processes are scheduled on two machines with a round-robin policy. Processes schedule tasks one after the other without any delay. As in the previous benchmarks, a process executing a task (on any machine) corresponds to a step of the synchronous circuit model. Each task is described by a tuple (C 1 , C 2 , D) which defines the minimum and maximum execution times, and the relative deadline. When a task finishes, the next task arrives immediately. The values in the tuple depend on the state of the process. The goal is to check the absence of any deadline miss. Processes are also instantiated with AIG circuits from http://www. syntcomp.org.

Asynchronous Computation.
We consider an asynchronous network of "threshold gates", defined as follows: each gate is characterized by a tuple (n, θ, [l, u]) where n is the number of inputs, 0 ≤ θ ≤ n is the threshold, and l ≤ u are lower and upper bounds on activation time. Each gate has an output which is initially undefined. The gate becomes active during the time period [l, u].
During this time, if all inputs are defined, and if at least θ of the inputs have value 1, then it sets its output to 1. At the end of the time period, it becomes deactivated and the output becomes undefined again, until the next period, which starts l time units after the deactivation. The goal is to check whether the given gate can output 1 within a given time bound T . Figure 3 displays the results of our experiments. All algorithms were given 8 GB of memory and a timeout of 30 min, and the experiments were run on laptop with an Intel i7@3.2 Ghz processor running Linux. The symbolic algorithm performs best among all on the monoprocess and multiprocess scheduling benchmarks. Uppaal is the second best, but does not solve as many benchmarks as our algorithm. Our enumerative algorithm quickly fails on these benchmarks, often running out of memory. On asynchronous computation benchmarks, our enumerative algorithm performs remarkably well, beating all other algorithms. We ran our tools on the CSMA/CD benchmarks (with 3 to 12 processes); Uppaal performs the best but our enumerative algorithm is slightly behind. The symbolic algorithm does not scale, while PAT fails to terminate in all cases.

Results.
The tool used for the symbolic algorithm is open source and can be found at https://github.com/osankur/symrob along with all the benchmarks.

Conclusion and Future Work
There are several ways to improve the algorithm. Since the choice of interpolants determines the abstraction function and the number of refinements, we assumed that taking the minimal interpolant should be preferable as it should keep the abstractions as coarse as possible. But it might be better to predict which interpolant is the most adapted for the rest of the computation in order to limit future refinements. The number of refinement also depends on the search order, and although it has already been studied in [23], it could be interesting to study it in this case. Generally speaking, it is worth noting that we currently cannot predict which (variant of) our algorithms is better suited for which model.
Several extensions of our algorithms could be developed, e.g. combining our algorithms with other methods based on finer abstractions as in [22], integrating predicate abstraction on discrete variables, or developing SAT-based versions of our algorithms.