Configurable verification of timed automata with discrete variables

Algorithms and protocols with time dependent behavior are often specified formally using timed automata. For practical real-time systems, besides real-valued clock variables, these specifications typically contain discrete data variables with nontrivial data flow. In this paper, we propose a configurable lazy abstraction framework for the location reachability problem of timed automata that potentially contain discrete variables. Moreover, based on our previous work, we uniformly formalize in our framework several abstraction refinement strategies for both clock and discrete variables that can be freely combined, resulting in many distinct algorithm configurations. Besides the proposed refinement strategies, the configurability of the framework allows the integration of existing efficient lazy abstraction algorithms for clock variables based on LU\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\textit{LU}}$$\end{document}-bounds. We demonstrate the applicability of the framework and the proposed refinement strategies by an empirical evaluation on a wide range of timed automata models, including ones that contain discrete variables or diagonal constraints.


Introduction
Timed automata [1] is a widely used formalism for the modeling and verification of algorithms and protocols with time-dependent behavior. In timed automata models, erroneous or unsafe behavior (that is to be avoided during operation) is often modeled by error locations. The location reachability problem deals with the question whether a given error location is reachable from an initial state along the transitions of the automaton, or network of automata.
As timed automata contain real-valued clock variables, to ensure better performance and termination, model checkers for timed automata apply abstraction over clock variables. The standard solution involves performing a forward exploration in the zone abstract domain [15], combined with extrapolation [4] parametrized by bounds appearing in guards in the model, extracted by static analysis [3]. Other zone-based methods propagate bounds lazily for all transitions [20] or along an infeasible path [22], and perform efficient inclusion checking with respect to a non-convex abstraction induced by the bounds [21]. Alternatively, some methods perform lazy abstraction directly over the zone abstract domain [30,33]. However, in the context of timed automata, methods rarely address the problem of abstraction for discrete data variables that often appear in specifications for practical real-time systems, or do so by applying a fully SMT (satisfiability modulo theories) [2] based approach, relying on the efficiency of underlying decision procedures for the abstraction of both continuous and discrete variables.
In our work, we address the location reachability problem of timed automata with discrete variables. Overall, we propose a formal algorithmic framework that enables the uniform formalization of several abstract domains and refinement strategies for both clock and discrete variables. The main elements are a generic algorithm for lazy reachability checking and an abstract reachability tree as its central data structure. Second, we present the formalization and integration of several novel strategies in this framework, especially based on our work on lazy interpolation over zones [30], and on the application of interpolation to lazily control the visibility of discrete variables in timed automata models [31]. The main advantage of the framework is that, based on the notion of the direct product abstract domain, it allows the seamless combination of various lazy abstraction methods, resulting in many distinct algorithm configurations that together admit efficient verification of a wide range of timed automata models. This algorithmic framework allowed a straightforward implementation of these strategies in our open source model checking framework Theta [29], this way enabling the practical evaluation of the proposed algorithm configurations. The configurability of this framework also allowed the integration of existing efficient lazy abstraction algorithms for clock variables based on LU-bounds [22], thus admitting the combination and comparison of our methods with the state-of-the-art.
We evaluated the algorithm configurations that our framework currently supports on a wide range of timed automata models, including ones that contain discrete variables or diagonal constraints. Our results show that our framework offers algorithm configurations that are competitive in terms of performance with the state-of-the-art.

Comparison to related work
Lazy abstraction [19], a form of counterexample-guided abstraction refinement [14], is an approach widely used for reachability checking, and in particular for model checking software. It consists of building an abstract reachability tree on-the fly, representing an abstraction of the system, and refining a part of the tree in case a spurious counterexample is found. For timed automata, a lazy abstraction approach based on non-convex LU-abstraction [4] and on-the-fly propagation of bounds has been proposed [22]. A significant difference of this algorithm compared to usual lazy abstraction algorithms is that it builds an abstract reachability tree that preserves exact reachability information (a so-called adaptive simulation graph or ASG). As a consequence it is able to apply refinement as soon as the abstraction admits a transition that is disabled in the concrete system. Similar abstraction techniques based on building an ASG include difference bound constraint abstraction [33], the zone interpolation-based technique of [30], and the lazy abstraction method for timed automata with discrete variables proposed in [31]. In our work, we build on the same approach, but with abstracting over the specifics of any given abstract domain, thus admitting configurability of the abstraction refinement strategy.
Symbolic handling of integer variables for timed automata is often supported by unbounded fully symbolic SMT-based approaches. Symbolic backward search techniques like [12,27] are based on the computation and satisfiability checking of pre-images. In [23], reachability checking for timed automata is addressed by solving Horn clauses. In the ic3based [11] technique of [25], the problem of discrete variables is not addressed directly, but the possibility of generalization over discrete variables is (to some extent) inherent in the technique. In [24], also based on ic3, generalization of counterexamples to induction is addressed for both discrete and clock variables by zone-based pre-image computation. The abstraction methods proposed in our work are completely theory agnostic, and do not rely on an SMT-solver.
In [16], an abstraction refinement algorithm is proposed for timed automata that handles clock and discrete variables in a uniform way. There, given a set of visible variables, an abstracted timed automaton is derived from the original by removing all assignments to abstracted variables, and by replacing all constraints by the strongest constraint that is implied and that does not contain abstracted variables. In case the model checker finds an abstract counterexample, a linear test automaton is constructed for the path, which is then composed with the original system to check whether the counterexample is spurious. If the final location of the test automaton is unreachable, a set of relevant variables is extracted from the disabled transition that will be included in the next iteration of the abstraction refinement loop. In our work, we use a similar approach, but instead of building abstractions globally on the system level and then calling to a model checker for both model checking and counterexample analysis, we use a more integrated, lazy abstraction method, where the abstraction is built on-the-fly, and refinement is performed locally in the state space where more precision is necessary.
Interpolation for variable assignments was first described in [7]. There, the interpolant is computed for a prefix and a suffix of a constraint sequence, and an inductive sequence of interpolants is computed by propagating interpolants forward using the abstract postimage operator. In our work, we define interpolation for a variable assignment and a formula, and compute inductive sequences of interpolants by propagating interpolants both forward and backward, using post-image and weakest precondition computation, respectively. In our context, this enables us to consider a suffix of an infeasible path, instead of the whole path, for computing inductive sequences of interpolants.
Timed automata with diagonal constraints are exponentially more concise than diagonalfree timed automata [9]. In [6], a method has been proposed that eliminates diagonal constraints occurring in timed automata specifications, resulting in an (in general) exponential blowup in the size of the automaton. An extrapolation method has been proposed in [5] that handles diagonal constraints on-the-fly. A refinement-based approach has been described in [10] that does not remove all diagonal constraints systematically. Instead, it performs forward model checking using the standard extrapolation operator used for diagonal-free timed automata, which might admit false negatives. In case a counterexample is found, it is analyzed for feasibility. If the counterexample is spurious, a set of diagonal constraints is selected and eliminated from the model, resulting in a new model, which is then fed back to the model checker. An implementation of the algorithm is described in [28]. In [18], the LUabstraction based simulation relation of [4] is extended to models with diagonal constraints. The corresponding simulation test, which generalizes the inclusion test defined in [21] for the diagonal-free setting, is shown to be NP-complete, and is implemented in terms of SMT solving. In our work, we examine two methods for analyzing timed automata with diagonal constraints. The first is based on the eager elimination of diagonal constraints, however, as our algorithms support discrete variables, instead of introducing new locations, we introduce a new discrete variable per constraint. In case abstraction refinement is used for these variables [31], a method is obtained that considers constraints as needed, similarly to [10]. However, instead of building a new model and running the model checker from scratch, this method is lazy, and performs abstraction refinement locally in the state space where more precision is necessary. The second approach is based on zone interpolation, which supports diagonal constraints, as well as other extensions [30], automatically. Thus in this case, elimination of diagonal constraints is not necessary. Unfortunately, this method is not complete, as it does not guarantee termination on all models. This paper is based on our previous work presented in [30,31]. In addition to the results presented there, we provide an algorithmic framework in which we uniformly formalize, prove correct and evaluate our abstraction refinement strategies and their combinations. Moreover, besides the refinement strategy presented in [31] that propagates interpolants backward, we introduce a novel strategy that performs abstraction refinement by forward propagation of interpolants. Furthermore, we present an empirical evaluation of the algorithm configurations that the framework offers on a benchmark containing 51 timed automata models. In particular, we examine how the different configurations perform on models containing diagonal constraints.

Organization of the paper
The rest of the paper is organized as follows. In Sect. 2, we define the notations used throughout the paper, and present the theoretical background of our work. In Sect. 3 we propose our formal framework, a uniform lazy reachability checking algorithm that admits various abstract domains and refinement strategies. In Sect. 4, four abstraction refinement strategies are formalized in our framework, two for clock variables, and two for the efficient handling of discrete variables. Section 5 describes experiments performed on the proposed algorithm configurations. Finally, conclusions are given in Sect. 6.

Background and notations
In this section, we summarize the theoretical background of our work. Moreover, we define the notation used throughout the paper.

Valuations
Let C be a set of clock variables over R ≥0 , and D a set of data variables over Z. Let V = C ∪ D denote the set of all variables.
A clock constraint is a formula ϕ ∈ Constr C that is a conjunction of atoms of the form c m and c i − c j m where c, c i , c j ∈ C and m ∈ Z and ∈ <, ≤, >, ≥, .
= . In the latter case, if i = j, then a constraint is called a diagonal constraint. A data constraint is a well-formed formula ϕ ∈ Constr D built from variables in D and arbitrary function and predicate symbols interpreted over Z. Let Constr = Constr C ∪ Constr D denote the set of all constraints.
A clock update (clock reset) is an assignment u ∈ Update C of the form c := m where c ∈ C and m ∈ Z. A data update is an assignment u ∈ Update D of the form d := t where d ∈ D and t is a term built from variables in D and function symbols interpreted over Z. Let Update = Update C ∪ Update D denote the set of all updates.
The set of variables appearing in a term t (resp. in a formula ϕ) is denoted by vars(t) (resp. by vars(ϕ)). Similarly, the set of variables occurring in an update is denoted by vars(u), that is, vars(x := t) = vars(t) ∪ {x}.
A valuation over a finite set of variables is a function that maps variables to their respective domains. We will denote by V(X ) the set of valuations over a set of variables X . Throughout the paper we will allow partial functions as valuations. We will denote by def(σ ) the domain of definition of a valuation σ , that is, def(σ ) = {x | σ (x) = ⊥}. We extend valuations to range over terms and formulas the usual way, with the possibility that the value of a term is undefined over a valuation.
We will denote by σ | ϕ iff formula ϕ is satisfied under valuation σ . Let ϕ stand for the set of models of a formula ϕ, formally defined as where • denotes function composition as usual. Given a valuation σ , we denote by form(σ ) the formula characterizing the valuation, that is, Remark 1 Note that in the context of partial valuations, σ | ¬ϕ is a strictly stronger statement than σ | ϕ.
Clearly, is a partial order over sets of valuations. We will denote the restriction of valuation σ to a set of variables X by σ X , that is, We lift the notion to sets of valuations with the obvious meaning. Let moreover σ = σ ∈ V(V ) | σ σ , also defined for sets of valuations in the obvious way.
We state the following lemmas (without proof).
We will denote by ⊗ the partial function over valuations that is defined as , and is undefined otherwise. We extend this function to sets of valuations in both parameters in the obvious way. Finally, given a valuation σ and an update x := t, we denote by σ {x := t} the valuation σ such that σ (x) = σ (t) and σ (x ) = σ (x ) for all x = x. For a sequence of updates, let σ { } = σ and σ {u · μ} = σ {u}{μ}, where u is an update and μ is a sequence of updates.

Timed automata
In the area of modeling and verifying time-dependent behavior, timed automata [1] is the most prominent formalism. To make the specification of practical systems more convenient, the traditional formalism is often extended with various syntactic and semantic constructs, in particular with the handling of discrete variables. In the following, we describe such an extension.

Definition 1 (Syntax) Syntactically, a timed automaton with discrete variables is a tuple
where -L is a finite set of locations, -C is a finite set of continuous clock variables over R ≥0 , -D is a finite set of discrete data variables over Z, -T ⊆ L × P(Constr) × Update * × L is a finite set of transitions, where for a transition ( , G, μ, ), the set G ⊆ Constr is a set of guards, and μ ∈ Update * is a sequence of updates, and -0 ∈ L is the initial location.
We are going to refer to a sequence of transitions π ∈ T * as a path.

Remark 2
According to the above definition, clearly C ∩ D = ∅. Note that given a guard g ∈ G, either vars(g) ⊆ C, or vars(g) ⊆ D. Similarly, given an update u, either vars(u) ⊆ C, or vars(u) ⊆ D.
Definition 2 (Semantics) Let σ 0 be the unique total function σ 0 : V → {0}. The operational semantics of a timed automaton is given by a labeled transition system with initial state ( 0 , σ 0 ) and two kinds of transitions: We will use the notation C = V(V ), and refer to a valuation σ ∈ C as a concrete state. A state of a timed automaton is a state of its semantics, that is, a pair ( , σ ) where ∈ L and σ ∈ C.
In case D = ∅, the above definition for semantics coincides with the semantics of timed automata in the usual sense. Throughout the paper, we will refer to a timed automaton with discrete variables simply as a timed automaton.

Definition 3 (Run)
A run of a timed automaton is a sequence of states from the initial state ( 0 , σ 0 ) along the transition relation

Definition 4 (Reachable location)
A location ∈ L is reachable iff there exists a run such that k = .
Clearly, if a location is reachable then it is reachable along a run of the form . This observation enables the definition of a symbolic semantics for timed automata as follows.
Definition 5 (Symbolic semantics) Let Σ 0 = delay δ (σ 0 ) | δ ≥ 0 , that is, the set of concrete states reachable from σ 0 by a delay transition. The symbolic semantics of a timed automaton is a labeled transition system with initial state ( 0 , Σ 0 ) and transitions of the form ( , Σ) t − → ( , Σ ) where t = ( , ·, ·, ) and Σ = post t (Σ) with the concrete post-image operator defined for paths as post = id and post t·π = post π • post t .
We will refer to a pair ( , Σ) with ∈ L and Σ ⊆ C as a symbolic state.

Remark 3
As a consequence of Remark 2, it can be shown that in general, a symbolic state ( , Σ) occurring in a symbolic run of timed automaton is such that Σ = ν ⊗ Z , where ν = Σ D is a data valuation, and Z = Σ C is a special set of clock valuations, called a zone (see Sect. Definition 6 (Enabled transition) Given a set of concrete states Σ, we will say that a transition t is enabled from Σ iff post t (Σ) = ∅, otherwise it is disabled.

Remark 4
By Remark 3 and induction, a path π is feasible iff it is data-feasible and clockfeasible.

Definition 8 (Symbolic run)
A symbolic run of a timed automaton is a sequence of symbolic states from the symbolic initial state ( 0 , Σ 0 ) along the transition relation Remark 5 Clearly, a timed automaton has a symbolic run · Proposition 1 For a timed automaton, a location ∈ L is reachable iff there exists a symbolic run with k = [15].

Zones and DBMs
A zone Z ∈ Z is the set of solutions of a clock constraint ϕ ∈ Constr C , that is Z = {η ∈ V(C) | η | ϕ}. If Z and Z are zones and t ∈ T , then ∅, V(C), Z 0 , Z ∩ Z , post C t (Z ) and pre C t (Z ) are also zones. In the context of zones, we will denote ∅ by ⊥ and V(C) by . Zones are not closed under complementation, but the complement of any zone is the union of finitely many zones. For a zone Z , we are going to denote a minimal set of such zones by ¬Z . Zones can be efficiently represented by difference bound matrices [17]. A bound is either ∞, or a finite bound of the form (m, ≺) where m ∈ Z and ≺ ∈ {<, ≤}. Difference bounds can be totally ordered by "strength", that is, (m, ≺) < ∞ and (m 1 , ≺ 1 ) < (m 2 , ≺ 2 ) iff m 1 < m 2 and (m, <) < (m, ≤). Moreover the sum of two bounds is defined as b + ∞ = ∞ and (m 1 , ≤) + (m 2 , ≤) = (m 1 + m 2 , ≤) and (m 1 , <) + (m 2 , ≺) = (m 1 + m 2 , <).
A difference bound matrix (DBM) over X = {x 0 , x 1 , . . . , x n } is a square matrix M of bounds of order n + 1 where an element M i j = (m, ≺) represents the clock constraint x i − x j ≺ m. We denote by M the zone induced by the conjunction of constraints stored in M. We say that M is consistent iff M = ⊥. The following is a simple sufficient and necessary condition for a DBM to be inconsistent.

Proposition 2 A DBM M is inconsistent iff there exists a negative cycle in M, that is, a set of pairs of indexes
For a consistent DBM M, we say it is canonical iff constraints in it cannot be strengthened without losing solutions, formally, iff For convenience, we will also consider the inconsistent DBM M with the single finite bound M 0,0 = (0, <) canonical. Up to the ordering of clocks, the canonical form is unique.
The zone operations described above, as well as set inclusion ⊆ over zones, can be efficiently implemented in terms of canonical DBMs [5]. Therefore, we will refer to a canonical DBM M (syntax) and the zone M it represents (semantics) interchangeably throughout the paper.
Moreover, for two DBMs M 1 and M 2 , we will denote by min(

Algorithm for lazy reachability checking
In this section we present our uniform approach, a lazy reachability checking algorithm that allows the combination of various abstract domains and refinement strategies. It is based on the notion of Abstract Reachability Tree, which is defined in the sequel. Then the algorithm itself is described.

Abstract reachability tree
The central data structure of the algorithm is an abstract reachability tree.
Definition 9 (Abstract domain) For our purposes, an abstract domain for a timed automaton is a tuple D = (S, , init, post, · ) such that -S is set of abstract states, -⊆ S × S is a preorder, -init ∈ S is the abstract initial state, -post : T × S → S is the abstract post-image operator, and -· : S → P(C) is the concretization function.
For soundness, we assume the following properties to hold.

Definition 11 (Unwinding) An unwinding of a timed automaton
For an unwinding we require that the following properties hold: , -for all nodes n and n such that n n it holds that M N (n) = M N (n ).
The term n n marks that search from node n of the unwinding is to be pruned, as another node n admits all runs that are feasible from n. We define the following shorthand notations for convenience: n = M N (n) and t e = M E (e).
Definition 12 (Abstract reachability tree) An abstract reachability tree (ART) for a timed automaton A over a sound abstract domain D is a labeled unwinding, that is, a pair G = (U , ψ) where -U is an unwinding of A, and ψ : N → S is a labeling of nodes by abstract states.
We will use the following shorthand notation: s n = ψ(n).

Definition 13 (Properties of nodes)
A node n is expanded iff for all transitions t ∈ T such that t = ( , ·, ·, ·) and n = , either t is disabled from s n , or n has a successor for t. A node n is covered iff n n for some node n . It is excluded iff it is covered or it has an excluded parent. A node is complete iff it is either expanded or excluded. A node n is -safe iff n = .
For an ART to be useful for reachability checking, we have to ensure that the tree represents an over-approximation of the set of reachable states. Therefore we introduce restrictions on the labeling, as formalized in the next definition.
Definition 14 (Well-labeled node) A node n of an ART G for a timed automaton A is welllabeled iff the following conditions hold: -(initiation) if n = n 0 , then Σ 0 ⊆ s n , -(consecution) if n = n 0 , then for its parent m and the transition t = t (m,n) it holds that post t s m ⊆ s n -(coverage) if n n for some node n , then s n ⊆ s n and n is not excluded.
Besides preserving reachable states, we will also ensure that nodes represent runs of the automaton. We formalize this in the following definitions.

Definition 15 (Feasible node and transition)
Let n be a node of an ART G, and π the path from n 0 to n in G. Then n is feasible iff π is feasible. Moreover, a transition t is feasible from n iff the path π · t is feasible.
The above definitions for nodes can be extended to trees.

Definition 16 (Properties of ARTs)
An ART is complete, -safe, well-labeled or feasible iff all its nodes are complete, -safe, well-labeled, or feasible, respectively.
A well-labeled ART preserves reachable states, which is expressed by the following proposition.

Proposition 3 Let G be a complete, well-labeled ART for a timed automaton
has a non-excluded node n such that k = n and Σ k ⊆ s n .
Proof We prove the statement by induction on the length k of the symbolic run. If k = 0, then 0 = n 0 and Σ 0 ⊆ s n 0 by condition initiation, thus n 0 is a suitable witness. Suppose the statement holds for runs of length at most k − 1. Hence there exists a non-excluded node m such that k−1 = m and Σ k−1 ⊆ s m .
Clearly transition t k is not disabled from s m , as then by the induction hypothesis it would also be disabled from Σ k−1 , which contradicts our assumption. As m is complete and not excluded, it is expanded, and thus has a successor n for transition t k with n = k . By condition consecution, we have post t k s m ⊆ s n . As Σ k−1 ⊆ s m , by the monotonicity of images in ⊆, we obtain Σ k ⊆ s n .
Thus if n is not covered, then it is a suitable witness for the statement. Otherwise there exists a node n such that n n . By condition coverage, we know that s n ⊆ s n and n is not excluded, thus n is a suitable witness.

Reachability algorithm
The pseudocode of the algorithm is shown in Algorithm 1. The algorithm gets as input a timed automaton A and a distinguished error location e ∈ L. The goal of the algorithm is to decide whether e is reachable for A. To this end the algorithm gradually constructs an ART for A and continually maintains its well-labeledness and feasibility. Upon termination, it either witnesses reachability of e by a feasible node n such that n = e , which by Definition 15 corresponds to a symbolic run of A to e , or produces a complete, well-labeled, e -safe ART that proves unreachability of e by Proposition 3.
The main data structures of the algorithm are the ART G and sets passed and waiting. Set passed is used to store nodes that are expanded, and waiting stores nodes that are incomplete. The algorithm consists of two subprocedures, close and expand. Procedure close attempts to cover a node n by some other node. It calls a procedure cover that tries to force cover the node by adjusting its label so that it is subsumed by the label of some candidate node n . Procedure expand expands a node n by creating its successors. To avoid creating infeasible nodes, it calls a procedure disable that checks feasibility of a given transition t, and adjusts the labeling of n so that if t is infeasible from n, then it also becomes disabled from s n . Both close and expand potentially modify the labeling of some nodes as a side effect, but in a way Algorithm 1 Reachability algorithm 1: ensure ρ = safe iff e is unreachable for A 2: function explore(A, e ) returns ρ ∈ safe, unsafe 3: let n 0 be a node with n 0 = 0 and s n 0 = init 4: let G be an ART for A over N , E and 6: 7: passed ← ∅, waiting ← {n 0 } 8: invariant G is well-labeled and feasible 9: while n ∈ waiting for some n do 10: waiting ← waiting \ {n} 11: if n = e then 12: return unsafe 13: else 14: close(n) 15: if n is not covered then 16: expand(n) 17: return safe 18: invariant G is well-labeled and feasible 19: procedure close(n) 20: for all n ∈ passed such that n = n do 21: cover(n, n ) 22: if s n s n then 23: ← ∪ (n, n ) 24: return 25: invariant G is well-labeled and feasible 26: ensure n is expanded 27: procedure expand(n) 28: for all t ∈ T such that t = ( , ·, ·, ) with = n do 29: if not disable(n, t) then 30: let s = post t (s n ) 31: let n be a new node with n = and s n = s 32: let e = (n, n ) be a new edge with t e = t 33: waiting ← waiting ∪ n 36: passed ← passed ∪ {n} 37: invariant G is well-labeled and feasible 38: procedure cover(n, n ) 39: invariant G is well-labeled and feasible 40: ensure β iff t is disabled from s n 41: ensure ¬β iff t is feasible from n 42: function disable(n, t) returns β that maintains well-labeledness and feasibility of the ART. Naturally, the implementation of procedures cover and disable depends on the abstract domain, and are described in Sect. 4 in detail.
The algorithm consists of a single loop in line 9 that employs the following strategy. The loop consumes nodes from waiting one by one. If waiting becomes empty, then A is deemed safe. Otherwise, a node n is removed from waiting. If the node represents the error location, then A is deemed unsafe. Otherwise, in order to avoid unnecessary expansion of the node, the algorithm tries to cover it by a call to close. If there are no suitable candidates for coverage, then the algorithm establishes completeness of the node by expanding it using expand, which puts it in passed, and puts all its successors in waiting.
We show that explore is correct with respect to the procedure contracts listed in Algorithm 1. We focus on partial correctness, as termination depends on the particular abstract domain and refinement method used. We note that in general, termination can be easily ensured using the right extrapolation operator for clock variables [22,30,33].

Proposition 4
Procedure explore is partially correct: if explore(A, e ) terminates, then the result is safe iff e is unreachable for A.
Proof (sketch) Let covered = {n ∈ N | n is covered}. It is easy to verify that the algorithm maintains the following invariants: passed is a set of non-excluded, expanded, e -safe nodes, waiting is a set of non-excluded, non-expanded nodes, covered is a set of covered, non-expanded, e -safe nodes.
It is easy to see that under the above assumptions sets passed, waiting and covered form a partition of N . Assuming that G is well-labeled and feasible, partial correctness of the algorithm is then a direct consequence: At line 12 a node is encountered that is not e -safe, thus by Definition 15 there is a symbolic run of A to e ; conversely, at line 17 the set waiting is empty, so G is complete and e -safe, and as a consequence of Proposition 3 the location e is indeed unreachable for A.
What remains to show is that the algorithm maintains well-labeledness and feasibility of G. We assume that procedures cover and disable maintain well-labeledness and feasibility, which we prove to hold in Sect. 4.
Initially, node n 0 is well-labeled, as Σ 0 ⊆ init = s n 0 , thus n 0 satisfies initiation. It also trivially satisfies feasibility, as post (Σ 0 ) = Σ 0 = ∅. Procedure close trivially maintains well-labeledness and feasibility, as it just possibly adds a covering edge for two nodes such that condition coverage is not violated. In procedure expand, if disable(n, t) for a transition t, then t is not feasible from n, and the labeling is adjusted so that t is disabled from s n . Otherwise, t is feasible from n, and a successor node n is created. Clearly, n is feasible as t is feasible. Moreover, post t s n ⊆ post t (s n ) = s n , thus n satisfies consecution. Thus according to the contract, n becomes expanded, and all its successors are well-labeled and feasible, so well-labeledness and feasibility of G is preserved.

Abstraction refinement
Algorithm 1 is abstracted over the particular abstract domain used to well-label the constructed ART. Moreover, it declares two procedures, cover and disable, that perform forced covering and abstraction refinement over the abstract domain, respectively. In this section, we describe several possible abstract domains, and corresponding abstraction refinement strategies, that can be used for model checking timed automata with discrete variables.
In the listings of the given refinement strategies, we are going to refer to a simple procedure update that enables safely updating the labeling for a given node in the ART. for all m such that m n and s m s do 7: ← \ (m, n) 8: waiting ← waiting ∪ {m} 9: s n ← s Proof Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of G, as it does not create new nodes. At the end of the procedure, s n = s is ensured. Clearly, n is well-labeled: initiation and consecution is ensured by contract, and coverage is ensured by the loop due to soundness of the abstract domain.

Combination of abstractions
Our approach is based on the direct product of abstract domains, as described below. In later descriptions, when it is clear from the context, we are going to omit indexes when referring to components of a direct product (and write e.g. (post t (s 1 ), post t (s 2 )) instead of (post 1 t (s 1 ), post 2 t (s 2 ))).

Proposition 6
If D 1 and D 2 are sound, then D 1 × D 2 is sound.
In case of timed automata with discrete variables, as according to Definition 1, abstraction and refinement can be conveniently defined compositionally, where clock variables and discrete variables are handled by separate abstractions. Algorithm 3 describes a straightforward method for achieving this separation.
In the above description, in line 10 and line 15, we refer to the preservation of well labeledness for the two projections of the ART. This weaker assumption will simplify proofs of correctness for the component refiners. We show that this implies well-labeledness in the original sense.
Total correctness of cover × follows from total correctness of cover D and cover C . We show total correctness of disable × as follows. First we show that disable × maintains well-labeledness. By contract, disable C and disable D preserve well-labeledness of G (in the weaker sense described above). Let s n = (s 1 , s 2 ) for root node n. Assume that t is feasible from n. Then t is both data-and clock-feasible from n by Remark 4. Thus disable D (n, t) = false and disable C (n, t) = false by contract, from which disable × (n, t) = false follows directly. Assume that t is not feasible from n. Then t is either not data-or not clock-feasible from n by Remark 4. Assume t is not data-feasible from n. Thus disable D (n, t) = true and t becomes disabled from s 1 by contract. As a consequence, disable × (n, t) = true, and t becomes disabled from s n = (s 1 , s 2 ) = s 1 ∩ s 2 . The other case follows symmetrically.
To simplify exposition, we are going to treat ψ as a lens (in simple terms, a pair consisting of a "getter" and a "setter") that can be used to deeply manipulate the structure of a given label. Thus later in the text, when we refer to s n , we are going to mean the corresponding component of a direct product based on the context.

Abstraction for clock variables
First, we address abstraction refinement over clock variables.

Zone abstraction
Most model checkers for timed automata rely on zones for abstracting clock valuations. We define zone abstraction in our framework as follows.
Definition 18 (Zone abstraction) We define zone abstraction as the abstract domain Note that in the absence of discrete variables, Definition 18 corresponds to the usual definition of zone abstraction.

Proposition 8 D Z is sound.
We define cover Z as a no-op, thus its total correctness is trivial. Moreover, we define disable Z as disable Z (n, t) iff post t (Z ) ⊥ for Z = s n . Proposition 9 disable Z is totally correct: disable Z (n, t) terminates and preserves welllabeledness and feasibility of G; moreover, it returns false iff t is clock-feasible from n, and ensures that t is disabled from s n otherwise.
Proof Termination of the procedure is trivial. Well-labeledness and feasibility follow from the fact that the procedure has no side effects. Let π be the path induced by n. Notice that Then by definition, t is clock-feasible from n, and the procedure returns false. Now assume post C t (Z ) = ⊥. Then by definition, t is not clock-feasible from n. But t is also disabled from Z , and the procedure returns true.

Lazy zone abstraction
To obtain a coarser abstraction, we extend zone abstraction with interpolation as follows.

Proposition 10 D ZI is sound.
Given an abstract state (Z , W ), the purpose of Z is to encode an exact set of reachable valuations, whereas the purpose of W is to represent a safe overapproximation of Z . This potentially enables better coverage between nodes, thus faster convergence, compared to the purely zone-based setting. In order to efficiently maintain this relationship however, we have to define procedure cover ZI and disable ZI accordingly. To maintain well-labeledness, these procedures rely on a procedure block that performs abstraction refinement by safely adjusting labels of nodes.
In cover ZI , as Z ⊆ W and B ∩ W ⊆ ⊥, clearly Z ∩ B ⊆ ⊥, thus calling block(n, B) is safe. Other than that, total correctness of cover ZI follows trivially from total correctness of block (see later). To show the correctness of disable ZI , we state the following simple lemma that establishes a connection between pre C and post C .

Proposition 11 disable ZI is totally correct: disable ZI (n, t) terminates and preserves well-labeledness and feasibility of G; moreover, it returns false iff t is clock-feasible from n, and ensures that t is disabled from s n otherwise.
Proof Termination of the procedure is trivial. Well-labeledness and feasibility follow from the total correctness of block. Let π be the path induced by n. Notice that Z = post C π (Z 0 ). Assume post C t (Z ) = ⊥. Then by definition, t is clock-feasible from n, and the procedure returns false. Now assume post C t (Z ) = ⊥. Then by definition, t is not clock-feasible from n. By Lemma 4, we get Z ∩ pre C t ( ) ⊆ ⊥. Thus block(n, pre C t ( )) can be called, and as a result, W ∩ pre C t ( ) ⊆ ⊥. By Lemma 4, we get post C t (W ) = ⊥. Thus t becomes disabled from W , and the procedure returns true.

Interpolation for zones
The proposed refinement strategies for zone abstraction, and in particular, the different implementations of block are based on interpolation, defined over zones expressed in terms of canonical DBMs.

Definition 20 (Zone interpolant) Given zones A and B such that A ∩ B ⊆ ⊥, a zone interpolant is a zone I such that A ⊆ I and I ∩ B ⊆ ⊥ and I is defined over the clocks that appear in both A and B.
This definition of a zone interpolant is analogous to the definition of an interpolant in the usual sense [26]. As zones correspond to formulas in DL(Q), a theory that admits interpolation [13], an interpolant always exists for a pair of disjoint zones. Algorithm 5 is a direct adaptation of the graph-based algorithm of [13] for DBMs. For simplicity, we assume that A and B are defined over the same set of clocks with the same ordering, and are both canonical (naturally, these restrictions can be lifted).
After checking the trivial cases, the algorithm searches for a negative cycle in min(A, B) to witness its inconsistency. This can be done e.g. by running a variant of the Floyd-Warshall algorithm.The interpolant I is then the DBM induced by the constraints in the negative cycle that come from A. It is easy to verify that I is indeed an interpolant. let M = min(A, B) 10: Proof Function interpolate Z has no side effect, it thus trivially maintains feasibility and well-labeledness. In the trivial cases, I is clearly an interpolant. Assume A = ⊥ and B = ⊥.

Algorithm 5 Interpolation for Canonical DBMs
As A ∩ B ⊆ ⊥ by contract, there exists a negative cycle C in min(A, B) by Proposition 2.
As A is canonical, we can assume that no two edges are subsequent in C A , thus the DBM I induced by C A is clearly canonical. The properties of an interpolant directly follow from the definitions of C A and I .

Abstraction refinement for lazy zone abstraction
To maintain well-labeledness, procedures cover and disable rely on a procedure block that performs abstraction refinement by safely adjusting labels of nodes. Algorithm 6 describes two methods for abstraction refinement based on interpolation for zones. Both methods are based on pre-and post-image computation, and can be considered as a generalization of zone interpolation to sequences of transitions of a timed automaton. The main difference between the two strategies is that block fw (which we refer to as the "forward" zone interpolation strategy) propagates the interpolant forward using post C ; whereas block bw (which we refer to as the "backward" zone interpolation strategy) propagates "bad" zones, obtained as the complement of the interpolant, backward using pre C . In order to make proofs of correctness for the two refinement strategies more concise, we state the following simple lemmas.

Proposition 13 block fw is totally correct: if Z ∩ B ⊆ ⊥, then block fw (n, B) terminates and ensures W ⊆ I and I ∩ B ⊆ ⊥ and W ∩ B ⊆ ⊥. Moreover, it preserves well-labeledness and feasibility of G.
Proof Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of G, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract (Algorithm 4), Z ∩ B ⊆ ⊥ is ensured. Moreover, notice that W ∩ B ⊆ ⊥ follows from W ⊆ I and I ∩ B ⊆ ⊥, thus it is sufficient to establish the latter two claims. If W ∩ B ⊆ ⊥, then I = W , so W ⊆ I and I ∩ B ⊆ ⊥ are trivially established. Moreover, well-labeledness is trivially maintained, as no refinement is performed.
Otherwise, if n is the root, then A = Z . Thus interpolate Z (A, B) can be called, and the resulting interpolant I is such that Z ⊆ I and I ∩ B ⊆ ⊥. As in this case Z = Z 0 , clearly Σ 0 ⊆ I . Thus Σ 0 ⊆ W ∩ I by initiation and Lemma 6. Therefore, update(n, (Z , W ∩ I )) can be called, which establishes W ⊆ I , while preserving the well-labeledness of G.
Otherwise, there exists a transition t = t m,n for some node m. Since Z = post C t (Z ) and Proof Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of G, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract, Z ∩ B ⊆ ⊥ is ensured.
If W ∩ B ⊆ ⊥, then the contract is trivially satisfied. Moreover, well-labeledness is trivially maintained, as no refinement is performed.
Otherwise, interpolate Z (Z , B) can be called, and the resulting interpolant I is such that Z ⊆ I and I ∩ B ⊆ ⊥. We show that at the end of the procedure, the claim W ⊆ I , and thus W ∩ B ⊆ ⊥ holds.
Assume n is the root node. In this case Z = Z 0 , thus clearly Σ 0 ⊆ I . Thus Σ 0 ⊆ W ∩ I by initiation and Lemma 6. Therefore, update(n, (Z , W ∩ I )) can be called, which establishes W ⊆ I , while preserving the well-labeledness of G. We would like to point out that for refinement with block fw , syntactically, it is sufficient to store a single zone at each node, thus obtaining a major optimization in memory consumption. In particular, it is sufficient to store Z at leaves, and store W at non-leaf nodes. This is due to the fact that while running the algorithm, Z is only necessary when expand is called, and when the interpolant is computed for the initial node, in this later situation Z being obvious. On the other hand, W is only necessary when calling cover, where coverer nodes are always non-leaf. Moreover, it is always safe to treat W as ⊥ for leafs.

Abstraction and refinement for discrete variables
In the following, we describe strategies for the handling of discrete variables that appear in timed automata specifications.

Explicit tracking of variables
The most straightforward way for the handling discrete variables is to explicitly track their value.

Definition 21 (Explicit domain) Let E = V(D).
We define the abstraction that tracks discrete variables explicitly as the abstract domain D E = (E, =, ν 0 , post D , · ).

Proposition 15 D E is sound.
Similarly to zone abstraction, we define cover E to be a no-op, thus its total correctness is trivial. Moreover, let disable E (n, t) (post t (ν) ⊥) where ν = s n .
Proposition 16 disable E is totally correct: disable E (n, t) terminates and preserves welllabeledness and feasibility of G; moreover, it returns false iff t is data-feasible from n, and ensures that t is disabled from s n otherwise.
Proof Termination of the procedure is trivial. Well-labeledness and feasibility follow from the fact that the procedure has no side effects. Let π be the path induced by n. Notice that ν = post D π (ν 0 ). Assume post D t (ν) = ⊥. Then by definition, t is data-feasible from n, and the procedure returns false. Now assume post D t (ν) = ⊥. Then by definition, t is not data-feasible from n. But t is also disabled from ν , and the procedure returns true.

Visible variables abstraction
Instead of explicitly tracking in all states the values for all variables, by tracking in each state only those that play a role in unreachability of a given location along a path through the state, and "hiding" all the others, the size of the explored state space can be significantly reduced. In the following, we describe such an abstract domain, together with the corresponding refinement strategies.

Proposition 17 D EI is sound.
Algorithm 7 describes the corresponding refinement methods. Both cover EI and disable EI rely on a procedure refine for abstraction refinement. Moreover, disable EI depends on a weakest precondition operator, defined by the following property. Definition 23 (Weakest discrete precondition) Let wp D t (ϕ) be the formula such that ν | wp D t (ϕ) iff post D t (ν) | ϕ for all ν and ϕ, with respect to t.
In cover EI , as ν ν Q , we have ν | form(ν Q ) by Lemma 2, thus calling refine(n, form(ν Q )) is safe. Other than that, total correctness of cover EI follows trivially from total correctness of refine (see later).

Proposition 18 disable EI is totally correct: disable EI (n, t) terminates and preserves welllabeledness and feasibility of G; moreover, it returns false iff t is data-feasible from n, and ensures that t is disabled from s n otherwise.
Algorithm 7 Visible Variables Abstraction 1: procedure cover EI (n, n ) 2: let (ν, ·) = s n 3: let (ν , Q ) = s n 4: if ν ν Q then 5: refine(n, form(ν Q )) 6: function disable EI (n, t)

Interpolation for valuations
The proposed refinement strategies for discrete variables, and in particular, different implementations of refine are based on the notion of a valuation interpolant, defined over a valuation and a formula.
Proof Function interpolate E has no side effect, it thus trivially maintains feasibility and well-labeledness. Moreover, it is easy to see that it satisfies its contract, as the postcondition is an invariant for the loop.
Next, we show how valuation interpolants can be used for hiding variables that are irrelevant with respect to the reachability of a given location along a path.

Abstraction refinement for visible variables abstraction
Algorithm 9 outlines two strategies for abstraction refinement over the visible variables abstract domain. Symmetrically to the variants of block, procedure refine fw (which we refer to as the "forward" valuation interpolation strategy) propagates interpolants forward using post D ; whereas procedure refine bw (which we refer to as the "backward" valuation interpolation strategy) propagates interpolants backward using wp D along the path to be refined.
Proposition 20 refine fw is totally correct: if ν | ϕ, then refine fw (n, ϕ) terminates and ensures I ⊆ Q and ν I | ϕ and ν Q | ϕ. Moreover, it preserves well-labeledness and feasibility of G.
Proof Termination of the procedure is trivial. Moreover, the procedure trivially maintains feasibility of G, as it does not create new nodes. Thus we focus on partial correctness and the preservation of well-labeledness. By contract, ν | ϕ is ensured. Moreover, notice that ν Q | ϕ follows from I ⊆ Q and ν I | ϕ by Lemma 1, thus it is sufficient to establish the latter two claims. If ν Q | ϕ, then I = Q, so I ⊆ Q and ν I | ϕ are trivially established. Moreover, well-labeledness is trivially maintained, as no refinement is performed.
Otherwise, if n is the root, then α = ν. Thus interpolate E (α, ϕ) can be called, and the resulting interpolant I is such that ν I | ϕ. As in this case ν = ν 0 , clearly Σ 0 ⊆ ν I . Thus Σ 0 ⊆ ν Q∪I by initiation and Lemma 9. Therefore, update(n, (ν, Q ∪ I )) can be called, which establishes I ⊆ Q, while preserving the well-labeledness of G.
Otherwise, there exists a transition t = t m,n for some node m. Since ν = post D t (ν ) and ϕ = wp D t (ϕ), we have ν | ϕ for (ν , Q ) = s m by Definition 23. Thus refine fw (m, ϕ ) can be called, and as a result, α is such that α = ν I and I ⊆ Q and α | ϕ by contract for some I . As α = post D t (α ), we obtain α | ϕ by Definition 23. Thus interpolate E (α, ϕ) can be called, and the resulting interpolant I is such that α I | ϕ. Clearly ν α , thus ν α by Lemma 7. Therefore, ν I = α I , as I ⊆ def(α). From this, ν I | ϕ follows directly. Moreover, as ν Q ν I , by Lemma 7, we have post D t (ν Q ) α. Hence post D t (ν Q ) ν I , from which post t ν Q ⊆ ν I follows by Lemma 8. Thus post t ν Q ⊆ ν Q∪I by consecution and Lemma 9. Therefore, update(n, (ν, Q ∪ I )) can be called, which establishes I ⊆ Q, while preserving the well-labeledness of G.
Proposition 21 refine bw is totally correct: if ν | ϕ, then refine bw (n, ϕ) terminates and ensures ν Q | ϕ. Moreover, it preserves well-labeledness and feasibility of G. and size of the state space (number of nodes in the generated ART). The input models, raw measurement data, and instructions to reproduce our experiments are available in a supplementary material [32].
We implemented a prototype version of our algorithm and refinement strategies in the open source model checking framework Theta [29]. Our tool performs location reachability checking on models given in a reasonable language subset 1 of the Uppaal 4.0 XTA format.
To enable comparison to the state-of-the-art, we implemented in our framework a variant of the lazy abstraction method of [22] based on LU-bounds as an alternative refinement strategy for clock variables (by defining the domain, cover and disable accordingly). The main difference in our implementation compared to [22] is that when performing abstraction refinement, bounds are propagated from all guards on an infeasible path, and not just from ones that contribute to the infeasibility. Because of this, refinement in the resulting algorithm is extremely cheap, but as the comparison of our data with that of [22] suggests, for the models examined in both papers, the algorithm is similarly as space-and time-efficient as the original one.
The algorithms are evaluated for both breadth-first and depth-first search orders of ART expansion. By combining all the possible alternatives, this results in 16 distinct algorithm configurations: -as search order, breadth-first (BFS) or depth-first (DFS) search, -for clock variables, forward (FWITP) or backward (BWITP) zone interpolation, or lazy a LU abstraction (LU), -for discrete variables, forward (FWITP) or backward (BWITP) valuation interpolation, or no refinement (NONE).
Each algorithm configuration is encoded as a string containing three characters, specifically the first character of the name of each selected parameter. So for example, the configuration with BFS as search order, LU as refinement strategy for clock variables, and NONE as refinement strategy for discrete variables, is going to be encoded as BLN.
For the configurations that handle discrete variables explicitly (·N·), we partitioned the set of nodes of the ART based on the value of the data valuation, this way saving the O(n) cost of checking inclusion for valuations. This optimization also significantly reduces the number of nodes for which coverage is checked and attempted during close. Apart from this and the difference in refinement strategies, the implementation of the configurations is shared.
As inputs we considered 51 timed automata models in total, which we divided to three distinct categories. For each model, the number of clock variables/number of discrete variables is given in parentheses.
We performed our measurements on a machine running Windows 10 with a 2.6 GHz dual core CPU and 8GB of RAM. We evaluated the algorithm configurations for both execution time and the number of nodes in the resulting ART. The timeout (denoted by "-" in the tables) was set to 300 s. The execution time shown in the following tables is the average of 10 runs, obtained from 12 deterministic runs by removing the slowest and the fastest one. For each model, the value belonging to the best configuration is typeset in bold.

Diagonal-free models
Performing location reachability checking on the models, Figure 1a shows the frequency with which different relative standard deviation (RSD) values of execution time occur. It can be seen from the plot that higher RSD values (> 5%) are relatively rare among the measurements. Moreover, Figure 1b shows how the RSD of execution time relates to the average execution time for each model and configuration (in this type of figures, each point represents the average result for a given model and configuration). Aside from a few outliers among the PAT models, it can be stated that higher RSD values belong to small average execution times, as expected. Thus it is justifiable to base the comparison of configurations on the average value.
As can be seen on Figure 2, on the selected benchmark set, having all other configuration parameters fixed, clock refinement strategies FWITP and BWITP do not significantly differ in performance. On both benchmarks, FWITP slightly outperforms BWITP in the size of the generated state space. Moreover, for the MCTA models, FWITP, while for the PAT models, BWITP performs slightly better in terms of execution time (note the logarithmic scale on the axes). An explanation for this is that in general, FWITP tends to perform less refinement steps (as refinement is performed in a single iteration), whereas BWITP performs refinement steps more cheaply (as no post-image computation is involved). In our experiments, the two algorithms performed roughly the same number of refinement steps for the PAT models (probably due to discovering the same or similar simple invariants), in which case BWITP has an advantage. In the case of MCTA models however, in general, the number of refinement steps performed was in favor of FWITP. Figure 3 shows similar results for comparing the two interpolation-based strategies for discrete refinement. Here, BWITP tends to perform better in terms of execution time. Therefore, we are going to omit detailed results for clock refinement BWITP and discrete refinement FWITP for the rest of the section. Figure 4 compares the impact of the two search orders on performance. With respect to execution time, DFS generally outperforms BFS on the MCTA models, whereas on the PAT models, the performance of the two search orders is balanced. When considering the size of the state space, the tendency is similar. Clock refinements LU and FWITP are compared on Figure 5. With respect to execution time, LU performs better in category PAT, whereas FWITP performs better in category MCTA. However, with respect to the size of the state space, FWITP outperforms LU. Figure 6 shows the pairwise comparison of interpolation-based and explicit handling of discrete variables. On the MCTA models, BWITP is always able to generate an-in some cases, significantly-smaller state space. Unsurprisingly, the same reduction effect is not present on PAT models, where there are only one or two discrete variables. Despite the significant reduction in state space, on the models considered, aside from a couple of cases, BWITP is somewhat slower. Beside the obvious overhead of running abstraction refinement, this can be explained with the optimization of coverage checking applied in the explicit case, as described above.
The detailed results for the PAT models are shown in Table 2. On these models, configurations BLN and DLN usually perform best in terms of execution time. When considering the size of the state space however, there is a small variability between configurations. Moreover, we point our that our results for configurations BLN and DLN are consistent with the results presented in [22]. Detailed results for the MCTA models are shown in Table 3. Here, configurations DFN or DFB give the fastest execution on most models. Moreover, configuration DFB generates the least number of nodes in almost all cases, which highlights the advantages of our new interpolation based algorithm presented first in [31].

Models containing diagonal constraints
We also evaluated how the different configurations are able to handle models with diagonal constraints. As our benchmark, we used the diagonal version of Fischer's mutual exclusion algorithm, as presented in [28]. We considered two approaches:  1. Eager elimination of difference constraints by introducing new discrete variables (models split n and manually optimized versions opt n). 2. Applying abstraction refinement to the model with diagonal constraints directly (models diag n). Table 4 shows our detailed measurement data for all three types of models. Models split n, where diagonal constraints are eliminated, enable the comparison of our approach with stateof-the-art approaches presented in [18,28]. We point out that our results for configuration BLN are consistent with the results presented in [18]. In these models, by using valuation interpolation, both execution times and the size of the state space can be significantly reduced.
In particular, configuration BFB significantly outperforms all the other configurations.
In general, all configurations benefited greatly from the manual optimization that we applied for models opt n. However, using valuation interpolation still significantly improves performance for all configurations. Moreover, configuration BFB is still by far the most successful configuration. This also highlights the beneficial effects of combining abstraction refinement strategies for clock and discrete variables, in line with our results in [31].
In case of models diag n, clock refinement strategy LU is not applicable. The other four configurations, using FWITP for the handling of clocks, perform well regardless of search strategy, with BFN being the fastest. In fact, in case of this particular model, not eliminating diagonal constraints, and using zone interpolation seems to be the best of the examined approaches. Moreover, as Figure 7, shows, there is a significant difference in the performance of the two interpolation strategies, with FWITP having the better performance.
Finally, we point out that in case a model with diagonal constraints is analyzed by applying zone interpolation on its own (e.g. without zone splitting [5]), then termination is not guaranteed. In particular, during our experiments, we found that the algorithm diverges on the well-known example presented in [8].

Conclusions
In this paper, we presented an algorithmic framework for the lazy abstraction based location reachability checking of timed automata with discrete variables. We formalized in our framework several abstract domains and refinement strategies, both for clock and discrete variables, including a novel strategy that propagates valuation interpolants forward (called forward valuation interpolation). We also formalized the combination of abstractions and proved their properties. This framework allowed the straightforward implementation of efficient model checkers using configurable combined strategies.
We performed empirical evaluation on 16 configurations that our tool currently supports for 51 timed automata models, including ones that contain many discrete variables or diagonal constraints. Our results show that our framework offers configurations that are competitive in terms of performance with the state-of-the-art. It turned out that for models with a significant number of discrete variables (category MCTA) it is worth using forward zone interpolation, combined with backward valuation interpolation. For the examined models with diagonal constraints, using forward interpolation for the handling of clocks performs well. In case of eager elimination of diagonal constraints by introducing new discrete variables, again a combination of strategies (breadth-first search with forward zone interpolation and backward valuation interpolation) is the most successful strategy. In general, using valuation interpolation in this model category, both execution times and the size of the state space can be significantly reduced.
According to the method described in this paper, refinement is triggered upon encountering a disabled transition. In the future, we intend to experiment with counterexample-guided refinement for both the abstraction of discrete and continuous variables. In addition, we plan to experiment with different abstract domains (e.g. intervals, octahedra, or polyhedra), and investigate alternative refinement strategies. Moreover, we plan to explore more sophisticated strategies for finding covering states, as this can potentially yield considerable speedups for our method.
Funding Open access funding provided by Budapest University of Technology and Economics.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.