Bounded DBM-based clock state construction for timed automata in Uppaal

When the simulation of a system, or the verification of its model, needs to be resumed in an online context, we face the problem that a particular starting state needs to be reached or constructed, from which the process is then continued. For timed automata, especially the construction of a desired clock state, represented as a difference bound matrix (DBM), can be problematic, as only a limited set of DBM operations is available, which often does not include the ability to set DBM entries individually to the desired value. In online applications, we furthermore face strict timing requirements imposed on the generation process. In this paper, we present an approach to construct a target clock state in a model via sequences of DBM operations (as supported by the model checker Uppaal), for which we can guarantee bounded lengths, solving the present problem of ever-growing sequences over time. The approach forges new intermediate states and transitions based on an overapproximation of the target state, followed by a constraining phase, until the target state is reached. We prove that the construction sequence lengths are independent of the original trace lengths and are determined by the number of system clocks only, allowing for state construction in bounded time. Furthermore, we implement the (re-)construction routines and an extended Uppaal model simulator which provides the original operation sequences. Applying the approach to a test model suite as well as randomly generated DBM operation sequences, we empirically validate the theoretical result and the implementation.


Introduction
State (re-)construction, i.e., setting a system to a desired state, is a common task. Ranging from physical systems to programs and executable models, a system may need to be in some specific state to execute particular routines and test or verify a certain system behavior. The general task of constructing a state is as follows: Starting from a particular known (and usually static) state s init , find a sequence of state transformations S = (tr 1 , . . . , tr n ) (imposed by, e.g., actions in a physical system or transitions in an automaton), such that the sequence leads to a known target state s target , i.e., find an S B Sascha Lehmann s.lehmann@tuhh.de Sibylle Schupp schupp@tuhh.de 1 Hamburg University of Technology, Hamburg, Germany with S(s init ) = s target . In the easiest case, the system is static, a valid "reference" transformation sequence S ref to the target state is known from observing a previous system execution, and the construction process is unconstrained in time. Then, we can simply replay the given sequence S ref to reach the target state. However, systems are usually more complex and impose constraints that render the trivial approach inapplicable in many cases:

C1
The system may change dynamically over time (e.g., as some actions become inapplicable in a changed environment); a previously valid sequence that correctly reached the target state may become invalid or lead to a wrong state due to changed actions. C2 The reference transformation sequence may be unknown (e.g., as the system actions are unobservable, or as we want to construct a state not reached by a previous execution); such a sequence needs to be manually constructed.

C3
The feasible time frame may be constrained (e.g., if the construction is embedded in an online setting for ongoing monitoring and thus frequently repeated); the restoring sequence needs to be limited both in terms of its length and the complexity of its transformations.
As the trivial approach requires access to the observed reference sequence, which grows linearly with system progress, and further assumes an unchanged system to apply the formerly valid sequence to, a conflict with all three constraints becomes clear, and alternative construction approaches are needed.
A prominent example of executable models that are frequently initialized to updated states-and the motivation of our work-is the field of online model checking. Model checking in general proves that specific system properties hold and provides guarantees on the correct behavior of a system, and for checking timed systems in particular, the modeling formalism of timed automata (TA) is commonly used, which represents time as (zones of) real-valued clocks. For online model checking, a technique that incrementally verifies or falsifies properties of a model under simulation for limited time scopes, a starting model state that reflects the state of the real system is required, so that one can continue model checking from that state on. In this article, we approach the state construction problem for TAs regarding the initially described system constraints, i.e., for potentially dynamic models in an online setting.
Adding online constraints to the overall construction task, one can distinguish two scenarios based on the availability of a reference sequence: S1 If the reference sequence S ref is given, we need to find a transformation red = (red 1 , . . . , red m ) that reduces S ref to a bounded sequence S, but still reaches the target state when applied to the initial state, i.e., find a red with Regardless of the concrete construction approach, one is usually tied to a limited set of operations and actions supported by a system to lead from its initial state to the target state. However, depending on the concrete field of application, the requirements and restrictions for intermediate states and transitions between the initial and target state differ: In case of physical systems, we can only use given actions applied in the scope of the system semantics, e.g., move an entity in defined directions. Consequently, the visited states have to lie in the original system state space, and the executed transitions need to correspond to the supported actions. For executable models such as those used in model checking, these strict requirements may be relaxed. Compared to a physical system, we may not be bound to existing states and transitions to reach the target state; in fact, the strict requirement is only imposed on a model if its system description cannot be altered, or if a physical system is already executed alongside the model during construction of the starting state. Otherwise, we can adapt the model by introducing new states and transitions which allow reaching the target state faster, or-in case of adaptive models-enable state construction in the first place. Instead of requiring original actions exclusively, we are only bound to a set of atomic, model-checker specific operations then.
A general problem is that a model checker may not allow us to set the concrete clock state of a TA directly by assignment. Our work uses the model checker U ppaal, a modeling and verification tool developed in a collaboration of the Uppsala and Aalborg universities. Here, the set of possible operations is limited to the reset of individual model clocks, constraining of clock differences, and time delays. Furthermore, all its simulations start at a well-defined clock state, where all clocks are initially set to 0. On the one hand, the assignment restriction guarantees that any clock state which the model takes is indeed valid and reachable in terms of the underlying semantics. On the other hand, the restriction raises the need for another strategy to set the system to a desired clock state. For an online model checking interface, which relies on a repeated manual manipulation of the clock state in bounded time to iteratively restore the most current state for the next verification run, such a strategy is mandatory.
We already discovered in the beginning that the trivial approach neither meets time constraints due to growing sequence lengths over time, nor can it be used if the model changes and the prior observed transformation sequence thus becomes inapplicable. For the case of a changeable model, Rinast [31] introduced a graph-based approach that keeps track of visited states and traversed transitions and forges new transitions as shortcut between existing states on the fly. Thus, the states belong to the original state space, while the intermediate transitions are potentially composed of segments of existing transitions. Even though the approach improves on the trivial result, the dependency on original states and transition segments still leads to ever-growing state construction sequences if no suitable shortcuts are found.
To tackle the sequence growth problem, we propose a new approach that utilizes both forged intermediate states and transitions to reach a desired starting state via DBM operation sequences of guaranteed bounded length. This article makes the following contributions: 1. We propose and prove a clock state construction approach for timed automata based on DBM overapproximation and constraining (which we call OC approach), which guarantees bounded lengths of DBM operation sequences S that depend quadratically on the number of system clocks T only (i.e., 0 ≤ |S| ≤ 1+2 * |T |+|T | * (|T |+1)), and covers both the scenarios of known (S1) and unknown (S2) reference sequences. 2. We provide an implementation of all OC approach variants as well as the trivial and graph-based Rinast approach for comparison, alongside an extended simulator for Uppaal timed automata which exposes the applied DBM operation sequences required by our approach on the fly. 3. We perform a comparison of the new approach with existing alternatives, i.e., the trivial and graph-based approaches.
The proposed overapproximation and constraint strategy derives a DBM operation sequence that first generates a superzone of the target state, and then constrains it until that state is reached.
An example of a model representing a simple process illustrates the state construction problem. The example model as shown in Fig. 1) has three locations (On, Off, and Execute) and two clocks (t_active and t_exec). The model, which is initially in On, can either perform an execution if the system state is not critical, with a duration d ∈ [2,5] given by the guard t_exec >= 2 and the invariant t_exec <= 5, or else restart the system via Off. Consider a path starting in On, which traverses the Execute location ten times, turns Off once, and then visits Execute another ten times. An execution of this path, assuming all clocks are initially set to 0, leads to the following difference bound matrix (cf. Sect. 3.3 for the definition of D B M): Different reasons may require us to restore the concrete model state, assuming the system was already running for some time: We may want to verify that the system remains uncritical for another amount of time steps; then, we do not want to perform verification from the original initial model state on, as what lies in the past was verified already, but from the most current model state. Or we may want to set the upper bound for an execution step to a lower value (e.g., 4) according to real observations. As the system was previously running with time value 5, and the (verified) current state might not lie in the reachable state space for the adapted system anymore, we need to reach that state in another way. Setting the location and variable state is straight-forward; we can directly select Init locations which are active on model initialization, and set variables via direct assignments. The challenge though, as stated before, lies in the recovery of the clock state. If we had access to a trivial operation Set V alue that sets a specific entry of a D B M with system clocks T to any particular value and is directly callable in a model, we could simply set all clock state values on a single transition via at most (|T | + 1) 2 applications of Set V alue, and would be done. Unfortunately, such an operation is not supported by common T A model checkers due to their underlying semantics, and furthermore, the operations supported by a checker cannot be called directly and individually, as they are called in groups bound to the state and transition semantics of a T A. Thus, we have to compose or derive a supported sequence of DBM operations (and based on that, a corresponding sequence of automaton locations and edges)-which leads to this exact clock state DBM and does not require replaying the full execution path.
The article is structured as follows: We describe the related work in Sect. 2, followed by prerequisite knowledge of timed automata and DBMs in Sect. 3. Afterward, we introduce our approach in Sect. 4, where we refer back to the initial example, and describe the overapproximation and constraining phases of our approach in Sect. 5 and Sect. 6. Then, we transfer the approach to concrete Uppaal models in Sect. 7 and cover the tool implementation in Sect. 8, followed by the conducted experiments in Sect. 9. Finally, we provide a conclusion in Sect. 10.

Related work
In general terms, our work aims at the optimization of system state constructions, allowing model checkers like Uppaal to restore a given state more efficiently while relying on semantically supported operations only. Our work shares the motivation with fault tolerance and trace replay techniques commonly used to restore (past) system states, and draws technically on DBM operation sequences, their transformations, and DBM-based constraint solving.
In broad terms, our work contributes to research in state (re-)construction. Typically, research on this field can be found in debugging, testing, optimization, and in particular in fault tolerance since the 1960s. In fault tolerance, one prominent technique is checkpoint-recovery, during which a system on failure is reinitialized to a complete snapshot and optionally updated along several incremental checkpoints. Over the past decades, it was used for state recovery both in software (e.g., for databases [28] and shared memory multiprocessor systems [38]) and cyber-physical hardware applications [22]. Compared to our approach, while often targeting entirely different domains unrelated to model checking (even though variants of checkpoint recovery are also used in model checking, e.g., for non-explicit storage of states in colored Petri nets [14]), such a technique is used to reduce the memory and runtime overhead to reach a certain state. For instance, using context-aware [25] and online [40] variants of checkpoint derivation, or optimized techniques such as two-state checkpointing in hard real-time systems [33], one tries to reduce the number and extent of checkpoints during recovery. For all these techniques, the initial state is the snapshot of the full state, which the system can be directly assigned to, while the target state is the one before the failure occurred, reachable via a sequence of incremental checkpoints and additional instructions after the final checkpoint. In our approach, the initial state is the starting state specified by the concrete model checker, and the target state is the most recently simulated state which we want to recover.
Other techniques, such as full-system-restart applied in cyber-physical systems [18] or software rejuvenation [17], rely on a restart of the affected system. The initial state then becomes the system state directly after the restart, and the goal remains getting back to the latest error-free state within limited time. The differences to our work are the application domain (these techniques are usually applied to concrete programs and actuator systems rather than abstract system models), the requirements (e.g., full restarts are only feasible in applications with non-exponential state spaces to keep the recovery time bounded), and the absence of clock state abstractions (i.e., clock zones) as used in timed automata.
A major challenge to make the aforementioned techniques feasible in practice is to find suitable reduction strategies for the involved instructions, so that not all original actions need to be replayed on recovery. Therefore, aside from fault tolerance, different forms of state reconstruction are used in software optimization, debugging, and testing. The aspect of instruction sequence reduction can be found, among others, in the field of source code analysis and optimization [9]. A common aspect of such an optimization is the identification of shorter instruction sequences to a specific state by omitting redundant instructions, or those leading to unread intermediate states. Likewise, in testing applications, traces of instructions observed during simulation are optimized for the purpose of reduced replay times or memory space usage, e.g., during virtual memory simulations [21].
For the problem of clock state (re-)construction in particular, only few works can be found. Closely related, in the domain of timed automata, Rinast approaches the recovery problem under the term state space reconstruction [31]. In his work, he constructs "shortcut" transitions to states observed during simulation, i.e., transitions from which DBM operations are removed that were overwritten by subsequent operations and thus were rendered redundant. As main use case of his work, applied in multiple medical case studies [30], he used the approach to reconstruct a target state via such shortcut transitions, visiting only a reduced (and preferably bounded) number of intermediate states. The approach requires that resets of all clocks in all model cycles exist to guarantee bounded (re-)construction lengths. Our approach omits this requirement and allows the construction of a specific state via a finite amount of transitions linearly proportional to the number of system clocks (cf. Sect. 7).
Several model checking techniques either rely on, or may benefit from, clock state (re-)construction techniques: Incremental model checking [27] verifies multiple iterations of a system design, and aims for reusing portions of previous checking results. Restoring a state, which is visited in one system, in another candidate system directly before reaching a differing component (compared to the former system), may reduce the time required to check incrementally designed system candidates. As the candidates are individual systems, a trivial transfer of one system state to another system is not generally possible, and thus, the state needs to be reconstructed. Bounded model checking [10] reduces the general model checking approach to limited scopes of k steps, and was applied to timed systems [4], including timed automata [37], in the past. Building on this boundedness, online model checking [39] verifies a system iteratively for limited future time scopes and derives temporarily valid guarantees. With optimized state (re-)construction techniques, we can faster restore the most recently verified state that fits new observations, from which another verification iteration is then started; otherwise, the recovery of such a state would require growing amounts of time.
Technically, we draw on DBM operation sequences, sequence transformations, and constraint solving. The concept of difference bound matrices (DBMs), the data structure which is used, e.g., for timed automata to represent the clock state, was covered in detail by Bengtsson et al. [8]. Our approach works on such a representation of clocks to restore the overall clock state. For that, it applies algebraic transformations to DBM operation sequences to reach DBM overapproximations and eliminate redundant constraints. Different DBM overapproximation techniques were already used in the literature, e.g., for the convex hull calculation of state unions [32] or zone extrapolation [6] in Uppaal, or for compact graph construction of real-time preemptive Petri net systems [1]. Compared to these techniques, tightness is not required by our approach, as the constraint phase reaches a target D B M independent of the concrete overapproximation; however, more efficient constraint sequences may result from tightness requirements.
Our D B M target -based overapproximation approach relies on constraint solving, and, more precisely, the selective discarding of constraints. In model checking, various data structures such as difference bound matrices (DBMs) [8], clock difference diagrams (CDDs) [24], or the more recent constraint matrix diagrams (CMDs) [13] are used to span the clock state by a set of constraints. Constraint solving can then, among others, be applied to such structures to manipulate the state space symbolically [29] and obtain valid clock value assignments, or to temporal logic formulae [15] to verify system properties. Furthermore, constraints need to be relaxed in certain cases to deal with inconsistencies of constraint systems, e.g., for constraint networks [16] or during model repair [3], often with the goal of minimal relaxations or consideration of constraint priorities or uncertainties in real world systems [12]. In our case, the relaxed constraints do not necessarily need to be minimal, but the constraints cannot be relaxed independent of each other, as they are bound to certain DBM operations (e.g., the future delay) semantically.
The constraint phase of our approach derives suitable sets of constraints that reduce the former overapproximated zone to the zone of the target DBM. An efficient approach is the use of minimal constraint systems (MCS), a technique introduced by Larsen et al. [23] for timed automata that is based on the transitive reduction in directed graphs [2] and commonly used as a compact representation of DBM data. Our approach builds upon the idea of MCS and extends it to regard constraints that are already fulfilled by the overapproximating DBM, which eliminates redundancy and results in shorter operation sequences.
In regard to tool dependencies and support, our work uses models for the model checking tool Uppaal [7]. Its implementation and formalisms impose specific requirements for our work, i.e., an operation-based construction of DBMs and a defined clock space initialization (all clocks set to 0 initially), respectively. The applicability of our approach is not limited to that particular model checker, though.

Automata and DBM prerequisites
In this section, we provide preliminary details on the definitions of the syntax and semantics of timed automata

Timed automata
Our work uses timed automata as underlying modeling formalism. We define the syntax of timed automata as follows: Definition 1 (TA-Syntax) A timed automaton (TA) is a tuple L, l 0 , C, E, g, r , I , where L is a finite set of locations, l 0 is the initial location, C is a finite set of (real-valued) clocks, E ⊆ L × L is a set of edges between locations, g : E → (C) is a mapping from edges to guards, r : E → R(C) is a mapping from edges to partial resets, and I : L → (C) is a mapping from locations to invariants. The set (C) contains all possible conjunctions over constraints t a <> c and t a − t b <> c, with t a , t b ∈ C, c ∈ N, and <>∈ {<, ≤, =, ≥, >}. R(C) = [C N 0 ] denotes the set of all partial functions ρ : C N 0 , where each ρ represents a right-unique mapping from a subset of clocks to reset values (i.e., any natural number including 0, where the latter is the usual reset value).
Both edge guards and location invariants express constraints on the valuations of clocks C, which control when an edge can eventually be triggered, and for how long a location may remain active, respectively. Extending the TA formalism, an extended timed automaton (ETA) is a tuple L, l 0 , C, V , E, g, r , I , a, L U , L C , Ch Bi , Ch Br , where V is a set of variable, a : E → A(V ) is a mapping from edges to variable assignments, L U and L C are urgent and committed locations, and Ch Bi and Ch Br are binary and broadcast channels. We define A(V ) = [V B + Z] as the set of all partial assignment functions α : V B + Z, where each α represents a right-unique mapping from a subset of variables to boolean or integer values.
Commonly, the semantics of T As is defined via realvalued delays on transitions in a labeled transition system, which results in an uncountable state space. Using a zone-based abstraction (via convex polyhedra of clock constraints), one can reduce the state space to a finite set. We use the latter for our work and thus define the symbolic TA semantics similar to the definition of Behrmann et al. [5] and adapted for N 0 -resets, zero-initialized zones, and included variable states as follows: where Z ↑ = {u+d | u ∈ Z ∧d ∈ R ≥0 } (the future operation), and r e (Z ) = {[r (e)]u | u ∈ Z } (the reset operation). u : C → R ≥0 is a clock valuation function (note that the definitions consider guards and invariants as sets of clock valuations by abuse of notation), u + d maps each clock x ∈ C to the value u(x) + d, d ∈ R ≥0 , and [r (e)]u denotes the clock valuation which maps a subset C r of clocks C to natural numbers as defined by r (e), and agrees with u over C\C r . Likewise, u v : V → B + Z is a variable valuation function (where U v is the set of all variable valuations), and [a(e)]u v denotes the variable valuation which maps a subset V a of variables V to boolean or integer numbers as defined by a(e), and agrees with u v over V \V a .
For a definition of the semantics of networks of timed automata and channel synchronization, see [7].

Model state
An execution trace of a model is a sequence of transitions. During such an execution, each transition leads to a concrete model state. A state of an ETA consists of three components: (a) The location state covering the currently active location of each sub-automaton, (b) the variable state spanning all global and local integer, bool, etc. valuations that are used by components of the ETA, and (c) the clock state including all clock differences (e.g., for our work, represented as a DBM). The construction of a location and variable state is easily done: The targeted location can be set as initial location (l init ), and will be active on model initialization. The variables are set directly to their targeted values by assignment. The clock state, in contrast, needs to be constructed via a sequence of invariants, guards, resets, and other operations defined in the following sub-section and is the focus of this paper.

DBM and operations
Clocks can take values from a given interval, which is defined by the previous invariants, guards, and resets along a path through the model. In case of TAs, the concrete value intervals of these clocks are represented as DBMs [8], which have the following structure: In a DBM, the matrix entry in the row of clock t i and column of clock t j represents the upper bound of their clock value difference, i.e., t i − t j ≤ c i j , and the diagonal entries are naturally 0 (as t i − t i = 0). Note that a reference clock t(0) is added, which has a constant value of 0, to turn any single clock constraint into a two-clock constraint We denote the set of clocks of a D B M as T 0 (D B M) if the reference clock is included, and as T (D B M) otherwise. Altogether, such a DBM represents the complete clock state. The symbolic definition of T A semantics provides three types of operations that are applied to clock zones over transitions in the simulation graph: The ↑ operation delays the clock arbitrarily to include all futures, the logical ∧ operation adds constraints to the clock zone, and the r e operation resets selected clocks to natural numbers. In the context of D B Ms in the scope of our work, we call these operations Delay Future, Constraint, and Reset, respectively. A fourth operation is Close, which determines the tightest constraints representing the original zone, i.e., the transitive closure of constraints. While not required by the base semantics, that operation is commonly applied by model checkers after adding constraints to the zone, enabling a more efficient application of subsequent operations. The full set of operations applied during transitions through a model [5] is thus which we will abbreviate as D F, R, C, and Cl, respectively, where appropriate. On the level of D B M transformations, the operations are formally defined as follows for a D B M with n clocks (∀i, j ∈ N ∩ [0, n]):  Fig. 2(1)). The Reset(t a , v) operation resets a single clock t a to the value v. The operation adapts all DBM entries in the row and column of t a (see Fig. 2(2)), i.e., the difference between that clock and all other clocks, according to the reset value.
The Constraint(t a , t b , v) operation constrains the DBM zone by updating a single DBM entry D B M[t a , t b ] to the minimum of its value and v (see Fig. 2(3)). As Constraint is the only operation in O P which does not preserve the closedness of the input DBM zone, a following Close(t a , t b ) call is required.
The Close(t a , t b ) operation transforms the DBM to its closed form (see Fig. 2(4)) in case that only one single constraint operation Constraint(t a , t b , v) was applied beforehand (cf. [11]). A general form, Close(), exists, which recalculates all shortest paths between pairs of clocks from scratch. For a more compact presentation of the construction sequences, we will use a single Close operation after sequences of constraints instead of selective Close(t a , t b ) operations after each constraint.

DBMs and graphs
A DBM can be represented as weighted complete digraph [8] as shown in Fig. 3. In such a graph, each edge (t i , t j ) represents the clock difference t j − t i , and the edge weight represents the value of D B M[ j, i]. Self-edges, which represent the diagonal D B M entries with 0 weight, are usually omitted. The weight of a path is the sum of weights of edges included in the path. Three facts become important  [8]. [23], i.e., given a weight function w, w(e) ≤ w( p) holds for each longer path

represents the transitive closure for a set of constraints).
Fact 3 (Cycles with ∞-weight edges) The total path cost of a cycle with at least one ∞-weight edge is ∞.
Finally, we point out the following path types: A simple cycle in a digraph is a cycle where no vertex except for the start vertex is repeated (as the cycle starts and ends in the same vertex).
A Hamiltonian path is a path that visits each vertex of a graph exactly once. A Hamiltonian cycle is a simple cycle over all vertices of a graph. A cycle chord of a cycle in a digraph is an edge between two (non-immediately) consecutive vertices of the cycle, i.e., a "short-cut" between two cycle vertices, such as A path prefix of a path p is a subpath starting with the same vertex as p.
A prefix cycle of a cycle c is a subcycle over a path prefix of c followed by an edge to the start vertex of c. An all-positive-prefix path p in a weighted digraph is path in which all path prefixes (including p itself) have positive weights.

DBM operation sequences
We denote the sets of all possible R, C, and Cl operations as follows: Multiple operations form a sequence, which we denote as S = (op 1 , op 2 , . . . , op n ), with op i ∈ OP(D B M), and for which we define its application to a DBM based on function composition as: We define the merging of two operation sequences S 1 = (op 1 , . . . , op m ) and S 2 = (op m+1 , . . . , op n ) as Furthermore, we define the set of all merged sequences over the cartesian product of two sequence sets S a = {S a,1 , . . . , S a,n } and and, based on ⊗ (written as ⊗ i indicating the i-th occurrence of the operator), define for a single sequence set S Finally, we denote the subsequence relation between a sequence S = (x 1 , ..., x n ) and a subsequence S = (x i k ) k∈ [1,n] , For a single operation op, we define for sets of sequences where op is applied once (op 1 ), zero or more times (op * ), zero or one time (op?), or one or more times (op + ), and for a set O P of operations, we define Finally, we define the following particular types of sequences which become relevant in our approach: is reset exactly once, and each reset is followed by a D F.
is reset exactly once, and each reset may be followed by a D F; note that the sets of reset-all and reset-dfall sequences are subsets of the set of all reset(-df)-all sequences.
In our O(DBM) approach (cf. Sect. 5.2), a major focus lies on the order of resets in operation sequences. In general, the two DBM entries For such an interval, the following fact holds: l < 0 ∧ u > 0, iff order "not explicitly known", (3.14) where "reset before" and "reset after" imply that a potential delay happened between both resets, while "simultaneously" means without intermediate delay.
Note that the fourth case can only occur if we reset to values other than 0, as only then, a reset may set a clock to a value greater than another clock which was actually reset before, so that the reset order is "not explicitly known" from the interval bounds alone. For D B Ms reached via reset-df-all sequences (as shown in Fig. 4), we note that each entry D B M[i, j] becomes either v i − v j or ∞ based on the reset order, and the following fact holds: For the relation between reset orders in a reset-df-all sequence and paths in a graph G of a D B M, we note the following facts:

Fact 6 (Hamiltonian cycles and reset order) For a D B M and its graph G, a one-to-one relation exists between Hamiltonian cycles p H in G and total reset orders of clocks T (D B M).
Fact 7 (∞-edges after reset-df-all sequence) Given a D B M and its graph G, a reset-df-all sequence sets all edges (t i , t j ) ∈ E(G) to ∞ for which the clocks t i and t j are not in reset order.

Fact 8 (Hamiltonian path over non-∞ edges) Given a D B M and its graph G resulting from a reset-df-all sequence, only the Hamiltonian path p H over all vertices t i ∈ V (G) in reset order and all its sub-paths via cycle chords traverse no edges with ∞ costs.
Proof Fact 6 holds as in a complete digraph with exactly one edge per ordered vertex pair, only one unique cycle exists that traverses all vertices in a particular order. Proof Fact 7 directly follows from Fact 5.
Proof Fact 8 holds as all other paths contain at least one edge in reverse reset order, for which Fact 7 holds.

Flow dependency of DBM operations
To prove that particular operations in a sequence can be omit- Based on the rd and wr functions, we define the flow dependency function f d : OP(D B M) → 2 N×N → 2 N×N , which determines how the dependencies from previous oper- with In other words, to determine how the dependency on a set I of marked index pairs is maintained by an operation op, the function f d removes all index pairs from I whose D B M values are overwritten by op (i.e., I \w(op)), and (re-)adds all those index pairs (i.e., the set I op ) whose new D B M values calculated by op depend on marked entries of the original I . That way, we get a new set of marked index pairs based on the original marked indices and the dependencies from these indices forwarded by op. To determine if an operation op 1 can be omitted from a sequence S, we initialize I with the write set of op 1 , and recursively apply f d to I for each following operation until the resulting index set becomes ∅.
To prove flow independency on infinite sets of operation sequences composed from a finite set of operations as required in Sect. 5.1.2, we use the following properties: from which follows that if a set of marked indices becomes ∅ after applying some sequence S, a subset of that index set will certainly become ∅ as well after applying S. Thus, it is sufficient to check the superset only.

DBM-based clock state construction
The main task of this work is to determine a sequence of operations that allows reaching an originally observed model clock state. In this section, we describe the general idea of our approach (Sect. 4.1), allowing state construction in limited time, and revisit the example from the introduction to compare concrete state construction approaches (4.2).

Approach description
In Sect. 1, we introduced the general state construction task, i.e., finding a sequence S that transform a starting state s init into a target state s target , as well as the boundedness requirement |S| ≤ bound for some strict bound imposed by online settings. Our approach splits that state construction task into two phases, the O-phase and the C-phase, where the former constructs an overapproximation of the target state, and the latter constraints that overapproximation until it equals the target state: -O-Phase: Given a starting state s init and a target state s target , determine a bounded sequence S approx that transforms s init into an overapproximation of s target , i.e., find an S approx with S approx (s init ) ⊇ s target . -C-Phase: Given a target state s target and an overapproximating state s approx ⊇ s target , determine a bounded sequence S constr that transforms s approx into s target , i.e., find an S constr with S constr (s approx ) = s target .
The main advantage of this constructive approach is, as we will show later, that it is possible to generate operation sequences with bounded lengths for both phases, which do not grow throughout a simulation, but keep a constant length depending only on the number of clocks involved. Combining both phases leads to a formulation of the overall state construction task for our approach: -Bounded state construction via OC-approach: Given a starting state s init and a target state s target , determine a bounded sequence S = S approx ⊕ S constr that transforms s init into s target , where S approx leads to an overapproximation of s target which is then constrained by S constr to s target , i.e., find an S = S approx ⊕ S constr with |S| ≤ bound, We mentioned in Sect. 3 that setting the variable and location state is trivially solved for Uppaal TAs, and thus, our approach is focused on the construction of the clock state. Thus, in our concrete case of state construction for clock states in TAs, each state s represents a D B M clock state, and the sequences S are composed from a limited set of operations O P supported by the TA formalism, i.e., we apply s = D B M and require S ∈ OP(D B M) * .

Introductory example
Recall the example model of a simple process in Fig. 1, as well as the sample trace and reached DBM (i.e., the target clock state) described in Sect. 1. In this sub-section, we show the differences between possible clock-state construction approaches, i.e., the trivial approach, the graph-based approach [30], and our OC approach.
For the example, applying the trivial approach leads to unbound sequences along all model paths on the long run. The construction sequence is equal to the executed model path and thus grows linearly with the amount of transitions taken. The graph-based approach by Rinast keeps track of all model states that were reached, and finds shortcuts between these states, which can be taken as replacement for longer paths leading to the exact same state during construction. The approach limits the size of the construction path as long as at some point, re-reaching a previous state is guaranteed along all paths, which requires a recurrent reset of all clocks along such a path. In the example, the resulting states of all paths that periodically also take the transitions over Off, which leads to a reset of the clock t_active, can be constructed by a path shorter than the original. Otherwise, if only transitions over Execute are taken consecutively, the clock t_active increases, and thus, no model states are repeated.
Using our approach, we can either refer to the example trace and reduce it to a bounded-length sequence, or construct one independent from the actual execution path, considering only the target state. In both cases, the size depends only on the number of clocks involved, instead of the actual, growing execution path length; this boundedness is the major theoretical contribution of our work.
Using the three approaches, we get the construction sequences shown in Fig. 5. Applying the trivial approach (Fig. 5a), we get a sequence of 43 locations, which have to be traversed before we reach the targeted state. This sequence will keep growing over time, without an upper bound in length. Using the approach by Rinast, the first sequence of 10 Execute steps can be discarded, as the clock state after the Off section is identical to the one at the initial model state. This identified shortcut is used to perform the construction only via the second round of Execute steps. Nevertheless, the Off location is not necessarily reached frequently, and therefore, paths exist for which this approach does not return a length-bounded construction sequence. Finally, the approach introduced in this work leads to a construction sequence which requires 10 DBM operations, which are transformed into a sequence of 5 locations. In general, we can guarantee that our approach always requires at most 1+2 * |T |+|T | * (|T |+1) = 1+2 * 2+2 * 3 = 11 operations for the clock state construction of this model, based on the number of |T | = 2 clocks.

Overapproximation phase (O-phase)
In the first phase, the O-phase, we determine a sequence S approx , which, when applied to DBM init , results in an approximation DBM approx ∈ DBM approx , where DBM approx is the set of all overapproximations of DBM target : This overapproximation is required, so that we can constrain  is not defined in O P, nor is it supported by model checkers such as Uppaal. Therefore, we have to determine a suitable sequence of supported non-constraining operations (i.e., Reset and D F) that leads to D B M approx . In the next two sub-sections, we introduce two approaches to find such a sequence S approx : If a reference sequence that leads from D B M init to D B M target is given, we show how to reduce the sequence to obtain S approx . If such a sequence is not known beforehand, we derive an overapproximating sequence from D B M target only. In particular, considering the set of all possible overapproximation sequences S approx , we obtain an S approx ∈ S approx by repeated elimination of selected operations from S ref . As result, we get a sequence which has, independent of the original sequence size, a bounded length. In fact, we show that it is always possible to reach an overapproximation by at most |T | Reset and |T | + 1 D F operations, where T is the set of clocks of the particular model.
We split the argumentation for the individual sequence reductions into two steps, recalling the operations O P described in Sect. 3.3: First, we show that we can eliminate all Constraint and Close operations from S ref , where each elimination results in a shorter sequence that leads from D B M init to an overapproximation of D B M target . Second, we show that we can furthermore eliminate Reset and D F operations that are redundant or already overwritten, which leads to a length-bounded S approx .

Constraint and close elimination
In this step, we consecutively remove Constraint and Close operations from S ref . For the proof that all such operations can be removed while obtaining an overapproximation of D B M target , we have to prove the following three lemmas (cf. Fig. 6):  Following from the three lemmas, we can derive two sequence transformation rules that preserve the subzone relation: At this point, the reduced operation sequence S sub has the following form: After elimination of C and Cl operations, which are C(t 1 , t(0), 5), C(t(0), t 2 , −3), and their corresponding Close operations, the approximating sequence becomes: which leads to the overapproximating DBM

Reset and delay-future elimination
Now that we derived a reduced operation sequence by removing all Constraint and Close operations, which results in a superzone of D B M target , we show that we can further reduce the sequence S approx by removing specific Reset and Delay Future operations while retaining the relation D B M approx ⊇ D B M target . For that, we use the reduction rules formulated in the following two lemmas:   (t a , v a,1 ). Finally, we apply R(t a , v a,2 ) and get: \{(a, 0), . . . , (a, n), (0, a), . . . , (n, a)}) ∪ ∅

= ∅
From I 2 = ∅, we can conclude that no D B M entry is affected by the operation R(t a , v a,1 ) anymore after we applied R(t a , v a,2 ), and thus, R(t a , v a,1 ) can be omitted from the sequence.
We can now apply rule (5.8) repeatedly, followed by rule (5.7) where applicable, which leads to the following lemma:

Operation sequence reduction: summary
In summary, for the O(SEQ) approach based on a given sequence S, we proved that all Constraint and Close operations can be removed from a sequence of operations, if we aim for a D B M approx which overapproximates D B M target (cf. Sect. 5.1.1). Furthermore, we can reduce the resulting sequence by eliminating subsequent occurrences of D F operations and resets of clocks which are reset again later in the sequence (cf. Sect. 5.1.2). Therefore, we have proved the following for the overapproximation of DBM states:

e., a sequence of D F and R operations in which each clock is reset at most once, and D F operations occur at most once between resets, such that S appr (D B M) ⊇ S(D B M) holds.
Overall, we can conclude that for each sequence

O(DBM): overapproximation sequence based on DBM target
In this section, we approach the second scenario S2 from Sect. 1, i.e., the case that S ref is not given and an overapproximation sequence S approx (for which the relation The following two lemmas provide the base for our approach:

Lemma 5.8 (reset-(df)-all to reset-df-all) If a reset-(df)all sequence overapproximates a DBM, the reset-df-all sequences obtained by enforcing a D F after each reset overapproximates the DBM as well.
Proof Lemma 5.7 holds as zero-initialization implies a prefix sequence S R = (R(t 1 , 0), . . . , R(t n , 0)), with n = |T (D B M)|, which turns each sequence S into S ext = S R ⊕ S. It follows that each clock is reset at least once, and due to Proposition 5.2, we can reduce S ext to S approx , with The challenge is to determine a reset-(df)-all sequence without access to an S ref to reduce. The potentially suitable reset-(df)-all sequences differ in three characteristics: The order of resets (C1), the reset values (C2), and the occurrence of D F operations between the resets (C3); the set of such sequences is infinite. Due to Lemma 5.8, we can remove C3 by limiting the search space to reset-df-all sequences. The search space becomes finite for classes of automata that restrict C2, including the formalism of TAs as defined in [5], which supports resets to 0 (i.e., 0-resets) only; the Uppaal tool allows arbitrary positive reset values (i.e., N 0 -resets) during simulation, but limits support to 0-resets during verification. In the remainder of this section, we approach D B M overapproximation for both the case of 0-resets (Sect. 5.2.1) and N 0 -resets (Sect. 5.2.2).

O(DBM) approach for 0-resets
The approach for 0-resets is straightforward, as we can directly infer reset orders from the two-clock constraints D B M[i, j], i = j = 0 (cf. Fact 4). From Fact 4, we know that D B M[i, j] is strictly positive iff t i is reset before t j . Thus, a possible algorithmic approach to determine a valid reset order is to sum the amount of positive values for each column j, and order the clocks t j accordingly in ascending order of the sums. This approach builds on the fact that the higher the amount of positive values in a column j, the more clocks were reset before t j , so that the clock with the lowest column sum was reset first, while the clock with the highest sum was reset last. If clocks are reset simultaneously (i.e., without intermediate delay), the same number of clocks must be reset before them, and thus, their sums of positive column values are equal; the order of these clocks can be chosen arbitrarily.
The order is formally expressed as follows: The resulting orderings Ord R only differ in the order of their "simultaneously" reset clocks. Each reset-df-all sequence that follows such order is guaranteed to lead to an overapproximation of D B M target .

O(DBM) approach for N 0 -resets
While the reset order is the only variable for the case of 0resets, neither the reset order nor the reset values are known for the case of N 0 -resets. In the following, we provide a method to derive overapproximating reset-df-all sequences with N 0 -resets, and split the argumentation into two parts:

P1
We show how reset values are obtained if the reset order is given. P2 We show how reset orders are obtained for which valid reset valuations exist.

Determine reset values (P1)
The process for the determination of reset values is shown in Fig. 7. Given a reset-df-all sequence S with unknown reset values ( Fig. 7-(1)), we derive a constraint system on reset values from the relation between the entries of the overapproximating and target D B M (Fig. 7-(2)). Following from Fact 5, the constraints are Fig. 7-(3a-c)). As the constraints D B M target [i, j] ≤ ∞ trivially hold, they can be omitted from the constraint system. Fig. 7-(4)). The adapted constraint system, which solely consists of constraints on some particular (pairs of) reset values now, can be extended to a constraint system over all reset value pairs by adding the trivially satisfied v i − v j ≤ ∞ for the remaining value pairs, and introducing an artificial reset value v(0) = 0 ( Finally, the D B M v can be transformed to a graph G v (Fig. 7-(7), cf. Sect. 3.4).
Valid reset valuations only exist if D B M v is non-empty, and thus, if G v has only non-negative weight cycles (cf. Fact 1). Only a subset of cycles needs to be checked; in fact, we can reduce the check as follows:  Fig. 7-(7)), and due to Fact 3, we can then ignore all paths that are neither p H nor its sub-paths via cycle chords. The remaining cycles traverse only edges with −D B M target [i, j] and 0 weights; recall that the 0 weights were artificially introduced by v i ≥ 0 for edges e = (v i , v 0 ). Given a closed D B M target with minimum edge costs (cf. Fact 2), we can infer that a maximum edge costs property holds only for a subset of value pairs (v i , v j ) depending on the reset order, and if we chose another reset order, we would obtain constraints on a different subset of value pairs. The concept to determine a suitable reset order is shown in Fig. 8. We first assume the reset-all sequence (Fig. 8-(1)), whose resulting clock zone of D B M approx (Fig. 8-(2)) represents a single point, and which thus results in the most restrictive D B M v,R (Fig. 8-(3 For this most restrictive constraint set (whose solution set is usually empty unless D B M target was constructed by exactly such reset-all sequence), we determine which constraints have to be removed to transform D B M v,R into a valid and non-empty D B M v (Fig. 8-(5)), which corresponds to turning the reset-all sequence into a reset-df-all sequence with a suitable reset order (Fig. 8-(4)). The task is now to derive a reset order from the data in D B M v,R , which we approach on the level of the corresponding graphs G v,R and G v . In terms of Hamiltonian paths (cf. Lemma 5.10), the relation between G v,R and G v is expressed as follows:

Lemma 5.11 (Relation between G v,R and G v ) If p H is an all-positive-prefix Hamiltonian path over edges with non-∞ weights in G v,R , then there exists a graph G v ∈ G v , such that p H is an all-positive-prefix Hamiltonian path over edges with non-∞ weights in G v .
Proof Lemma 5.11 holds as we can obtain such a G v by setting all edges e = (v i , v j ), e / ∈ p H , v j = v 0 in G v,R to ∞, which is equivalent to removing all constraints not implied by the reset order that corresponds to the order of vertices in p H .
We can use such a path p H in G v,R to derive a valid graph G v and thus a suitable reset order: A concrete reset valuation for the reset-df-all sequence can then be picked arbitrarily from the zone D B M v as described in P1 (cf. Lemma 5.9). Algorithm Based on Lemma 5.9, Proposition 5.3, and the steps shown in Fig. 8, we propose the algorithm shown in Fig. 9 for the overapproximation task. In ll.1 − 4, we derive the graph G v,R via D B M v,R , which we calculate as D B M v,R = −D B M T target , and apply the artificial constraints v i ≥ 0 for non-negative reset values. As optimization, we already derive a partial clock reset order Ord P at this point, based on the fact that constraints v i − v j ≤ −∞ (which result from ∞ values in D B M target ) are never satisfiable and thus certainly need to be removed (i.e., replaced by v i − v j ≤ ∞) by choosing the reset order in the reset-dfall sequence accordingly (ll.5 − 6). Based on that ordering, we apply the sub-algorithm All Pos Pr e f i x Path (Fig. 10), which determines an all-positive-prefix path in G v,R and its corresponding total clock reset order Ord T (l.8, cf. Proposition 5.3). Afterward, we obtain the graph G v for our particular reset order by setting all weights of edges in G v,R that correspond to clock pairs in reset order to ∞ (ll.9 − 12), and transform G v back to a (non-empty) D B M v (l.13), for which we restore the closed form (l.14). Finally, we derive an arbitrary valuation of reset values from D B M v (ll.15-16, cf.   (v 2 , v 0 )), from which we can derive the overapproximation sequence

Time and size complexity
To Regarding the generation time, we notice that the reduction in a given S ref depends on its length and the number of clocks. Algorithmically, we start with the last element of S ref , and check for each element, if it is a Reset not encountered yet, or a D F; if neither is true, we remove the element. As each element is compared against the set of already encountered resets, the upper bound of steps required is therefore |S| * (|T |−1). For the second approach, the derivation of S approx from D B M target , the transformation steps to D B M v and then to G v , have a complexity of O(|T | 2 ). Then, for the determination of an all positive prefix path, in the worst case, no −∞ weights are given, and thus, no a priori information of a partial ordering exists. In that case, a possibly full search through the graph is required by All Pos Pr e f i x Path (Fig. 10). There again, in the worst case, only the last searched path yields positive weight sums on all its prefixes, and all other paths turn negative on the last edge, which leads to a complexity of O((|T | − 1)!). In the general case though, a path can turn negative earlier, and is discarded then (together with all paths of which that path is a prefix); also, an all positive prefix path can potentially be discovered earlier. Furthermore, the graph size depends only on the number of clocks, which is usually small (between 3 and 10 clocks per model in our experiment model suite). Among all remaining steps, the Close operation on D B M v has the highest complexity O(|T | 3 ). In conclusion, the complexity of the O(S E Q) approach grows linearly with the sequence length, and is therefore suitable for shorter sequences, e.g.,  (t a , t b , v). Therefore, the goal of the C-phase is to obtain a sequence of constraint operations: We describe three approaches to derive such a constraining sequence S constr with different trade-offs between generation time and sequence length: A trivial approach using the full constraint system (FCS) in Sect. 6.1, a reduced approach using a minimal constraint system (MCS) (introduced by Larsen et al. [23]) in Sect. 6.2 as well as a minimal approach using a newly introduced relative constraint system (RCS) in Sect. 6.3. Among these approaches, the former already solves the problem of constraining D B M approx to D B M target in general, and the latter two optimize the resulting sequence lengths.

C(FCS): full constraint system approach
The first approach uses the FCS, i.e., a system of all constraints contained in a DBM, so we perform an indi- While the simplicity of generation is a clear advantage of this approach, the downsides are manifold, even if we remove the constraints on diagonal D B M entries, representing the differences t i − t i for clocks t i ∈ T (D B M), which are constantly 0 and thus do not need an explicit constraint operation. Certain constraints are already implied by others, and thus, setting a constraint may-via a Close operationalready set multiple DBM entries to their targeted values; applying their Constraint operations from S constr is then redundant. Furthermore, several entries may already equal those of D B M target after the O-phase, so that a constraint for these entries is not required either. Still, this approach allows us to determine a worst case upper bound of required Constraint operations during the C-phase as (|T |+1) 2 , i.e., every entry of D B M target , which has T +1 clocks (the model clocks plus the reference clock t(0)).

C(MCS): minimal constraint system approach
The second sequence generation strategy uses the data of an MCS, i.e., a minimal system of constraints that implies all remaining constraints. The idea is to perform a constraint operation on D B M approx for each entry of the MCS of D B M target . An algorithm for the reduction in an FCS to an MCS was introduced by Larsen et al. [23]. The algorithm performs the following steps: For a graph G representing a given DBM, it determines vertex equivalence classes E i regarding zero-equivalence, which means that a cycle with a weight of 0 (zero-cycle) containing those vertices exists. In each equivalence class E i , it determines a cycle over all its vertices (in index ordering), where each weight between two vertices is the shortest path weight between them. The edges of those cycles are added to the MCS. Furthermore, between equivalence classes E i and E j , it takes the vertex with smallest index from each of the two classes, and includes two edges between them with shortest path weight.
As only a single cycle instead of the complete graph is considered inside each equivalence class, and only two edges are needed between each pair of equivalence classes, it is obvious that the total number of constraints in an MCS can be much smaller compared to the FCS. On average, the MCS contains a number of constraints reduced by 70-86% [23].
The trade-off lies in the time complexity, as the complexity of determining the equivalence classes is O(n 2 ), getting the edges between equivalence classes is O(n), and finding the cycles within E i is O(n), leading to an overall complexity of O(n 2 ) (or O(n 3 ), if the DBM is not in closed form). Additionally, when applied in our approach, the MCS may still include constraints whose corresponding DBM entries already had the targeted values.  (t(0), t 1 , 0), t(0), 0), Cl)

C(RCS): relative constraint system approach
To minimize the required amount of constraints, we introduce the RCS, a system which contains only those constraints that are not already correctly set (i.e., entries or implied by other constraints in the DBM. This approach can be based on the concepts of either FCS or MCS. In the following, we will refer to edges of constraints that are already correctly set as fixed edges, and all remaining ones as non-fixed edges.
Using the FCS, the procedure is straight-forward: While transforming each entry of D B M target into a Constraint operation, we check if the corresponding D B M approx entry has the same value as the D B M target entry. In that case, the Constraint operation is not added to the final sequence of constraints.
Deriving an RCS with the properties of an MCS requires additional steps. The overall idea is to obtain a minimal set of constraints not already included in D B M approx , which, together with the constraints included in D B M approx , implies all remaining constraints of D B M target . Recall that for the construction of an MCS [23], we determine a) two opposing edges between each pair of equivalence classes E i and E j and b) a cycle over all vertices within each equivalence class E i . In steps where vertices are selected, the original MCS construction algorithm uses the index order of vertices to eliminate non-determinism, which could occur as usually multiple minimal sets of constraints exist for a given constraint system. Our RCS approach introduces an additional step which picks fixed edges first, and only then-if still multiple ambiguous choices exist-relies on the vertex order for the remaining edges like the original MCS algorithm. That way, we refine the selection of vertices in favor of constraints that are already correctly set, and thus, reduce the amount of constraints required additionally.  Figure 11 shows the adapted procedure, where l.11, l.17 and ll.19 − 20 (with E f = ∅, i.e., no fixed edges) match the original MCS algorithm, and ll.7 − 9, ll.13 − 15 and ll.19 − 21 (with E f = ∅) implement our adaptions for the case that fixed edges are involved. For the determination of edge pairs in a), we will first search for edges of already correctly set DBM entries (l.7 − 9), and only revert to edges of index ordered vertices (l.11)-as in the original algorithmif none can be found. For the equivalence classes E i and E j (with t a ∈ E i , t b ∈ E j , and min E i the vertex with smallest index among vertices in E i ), we proceed as follows: Among fixed edges (t a , t b ), we choose the one with the smallest index a (l.7), and if multiple such edges exist, the one with smallest index b (l.8) among them. If no such fixed edge exists, we choose the edge (min E i , min E j ) (l.11) as defined in the reference algorithm. Similarly, we determine the second, opposing edge (t b , t a ) (ll.13−15), but with swapped indices, i.e., first the smallest b (l.13) and then the smallest a (l.14), and (min E j , min E i ) (l.17) otherwise.
For (b), in each equivalence class E i , we want to determine a cycle over all its vertices, which additionally contains the maximal possible number of fixed edges. This problem is NPcomplete and can be transformed to the traveling salesman problem by assigning weight 0 to fixed edges and weight 1 to non-fixed edges. Then, the task is to find the lowest-cost Hamiltonian cycle in that graph, i.e., one that contains as few non-fixed edges that impose additional constraints, and as many fixed edges as possible. Fortunately, the problem complexity grows non-polynomially only in the number of clocks in the DBM, which is rather low in the general case (e.g., between 3 and 10 clocks in our experiment suite, cf. Sect. 9). Therefore, it is viable to determine a solution by both brute force and heuristic methods.
Proof The correctness argument for Fig. 11 is as follows: In the original MC S algorithm, the choice of both the concrete edge pairs between equivalence classes and the edges on a Hamiltonian cycle within each equivalence class could be arbitrary, and each solution would be a correct minimal constraint system (cf. [23] for justification). While the MC S algorithm uses the index order of vertices to choose one of these correct solutions deterministically, our approach just adds another objective (i.e., favoring of fixed edges) to that choice in ll.7 − 8, ll.13 − 14, and l. 19. That way, the resulting constraint system is still necessarily correct, and as we pick fixed edges first whenever possible, the resulting RC S is also minimal with respect to D B M approx . The actual maximal number of required operations lies below that bound, as the main diagonal entries are always 0, leading to |S constr | ≤ |T | * (|T | + 1). As certain DBM entries may already be implied by other entries (MCS), or are already set correctly in D B M approx (RCS), we can further reduce the bound by ∼ 80% or ∼ 90%, respectively (see Sect. 9). Combining the sequence length bounds of the O-phase and C-phase, we obtain the total size of our sequence S-the major theoretical result of this work: Theorem 1 (CSC sequence complexity bound) Any valid and closed DBM can be reached by a clock state construction sequence S of 0 ≤ (|S| = |S approx | + |S constr |) ≤ 1 + 2 * |T | + |T | * (|T | + 1)

operations.
Regarding generation times, deriving the FCS has a time complexity of O(|T | 2 ), as we directly transform each DBM entry into a Constraint operation. For the MCS, the complexity is O(|T | 3 ), which follows from the complexity of deriving the shortest-path reduction G R (cf. [23]). Finally, the RCS approach has a complexity of O(|T | 2 ) for the edges between equivalence classes, and O((|T | − 1)!) to obtain a Hamiltonian cycle with most fixed edges within an equivalence class. However, as for the factorial-time step of the O-phase, the actual costs depend only on the number of clocks, which is comparatively small in the common case.
Finally, we consider the complexity of applying the derived constraint sequence for the C-phase. On the one hand, the FCS approach has the greatest sequence length, but does not require a final Close operation, as all constraints are explicitly contained in the sequence and do not need to be inferred. On the other hand, the MCS and RCS approaches result in shorter sequences, but require a closing step with O(|T | 3 ) complexity which infers the left out constraints. In the end, the most suitable approach in practice depends on the concrete aim, i.e., whether we require a comparatively short sequence, a shorter execution time, or faster generation times; this question cannot be answered universally though.

State construction for Uppaal extended timed automata
At this point, we are given the targeted system state, whichas a reminder-contains the information of the variable values, active locations, and clock state that we want to set, and a clock state construction sequence derived in Sect. 5 and Sect. 6. In this section, we explain how this information extends a concrete (network of) Uppaal automata to restore the desired starting state from which the model simulation will then continue. Note that this section focuses on the (more complex) case of state construction in ETAs (see Sect. 3.1 for the definition of ETAs); however, for a simple TA without synchronization, urgency, and variables, one would proceed similarly, but add the construction sequences directly into the given TA, and implement urgency via explicit invariants t u ≤ 0 on a helper clock t u that was reset before. For state construction in ETAs, we transform the clock state construction sequence and variable data into an additional automaton whose execution restores the clock and variable state before the original system is re-entered at the targeted starting locations. An example of the adapted form of the introduction model ( Fig. 1) is shown in Fig. 12, and we will explain the changes in the following.
To integrate the derived DBM operation sequence leading to D B M target into an Uppaal automaton system, we need to translate the operations into a sequence of artificially added locations and edges, each labeled with invariants, or guards and resets, respectively. Transferring the symbolic semantics (cf. Definition 2), i.e., the execution of transitions and validity checks of active locations, to corresponding DBM operations, we obtain the following types of operation sequences: (R(t 1 , 0), . . . , R(t n , 0)) Initially, all clocks are reset to 0.
In a location l, a D F is applied if no urgent or committed next transition is enabled, and all invariants C l (represented as constraint operations) are applied to the DBM. Afterward, a Cl operation is performed to restore DBM closedness.
On an edge e ab from l a to l b , the atomic guard constraints in g(e ab ) (again represented as C operations) are applied to the clock state DBM, followed by a Cl operation to turn the DBM into closed form again. Then, all clock resets in r (e ab ) (represented as R operations) are applied to the DBM, and finally, the invariants I (l b ) of the target location are checked.
Recall that our construction sequence S consists of a subsequence of (alternating) R and D F operations (O-phase), followed by a sequence of C operations (C-phase), which, when based on the MC S or RC S approach, require a final Cl operation to adapt the remaining DBM entries: The individual elements of this sequence need to be mapped to components of the NTA, i.e., locations and edges, based on the operation sequences applied during simulation identified above. For the subsequence S approx ∈ (R(D B M) 1 ⊗ D F?) * , we can use edges with corresponding resets but without guards to new (non-urgent and non-committed) locations without invariants, which results in the sequences S edge ∈ R(D B M) * and S loc = (D F). That way, we can express each subsequence R(D B M) * ⊗ D F 1 by an edge-location pair; a sequence of those pairs will cover the complete O-phase. In Fig. 7a, these are the locations Init, Rec1, and Rec2, and their corresponding edges. To enforce all constraints of the C-phase, i.e., the subsequence S constr ∈ (C(D B M) * ⊗ Cl 1 ), we can use an edge without resets to an unconstrained location, which results in S edge ∈ (C(D B M) * ⊗Cl 1 ). Note for all Fig. 12 Introduction model adapted for initial state construction these sequences that in Uppaal, a partial Close(t a , t b ) operation is applied after each Constraint(t a , t b , v) instead of a single Close over all clocks after a sequence of Constraint operations.
The construction of the variable state, which is introduced by the ETA formalism, can be performed via a single transition. We can set the individual variable values, in contrast with the DBM state, directly via variable assignments (cf. Definition 2). In Fig. 7a, we added these assignments to a new edge from Rec3 to End for a separation of concerns; however, a separate edge is not needed for these assignments, as we could add them to the last edge of the clock state construction sequence (i.e., the edge with the constraining guards of the C-phase).
Furthermore, we need to reach the original active locations in the adapted model after the variable and DBM state construction. Normally, we would simply define those locations as initial in Uppaal, so that they become active on model initialization. To traverse our artificially added construction sequence though, the first location of that sequence needs to be defined as initial, and the final edge of the construction section should lead to the targeted initial location of the original model section. Once the construction sequence is fully traversed (and only then), the original model sections of all automata are re-entered (which is achieved in ETAs by broadcast synchronization via DBM_init_end).

Implementation
We provide a Python implementation of the introduced OC approach, as well as the required interface and interpreter code needed to apply the approaches to Uppaal models. The project implementation is open source [34] [35] under MIT license, and mainly consists of: -An Uppaal model and Uppaal C code parser (via EBNF grammars building up on the BNF grammar provided with Uppaal), -An Uppaal model simulator, which allows tracking the simulated operation sequences (= S ref ) [34], -The DBM data structure and operations, -The state constructor implementations for the trivial approach, Rinast approach (port from Java [20]), and the variants of our OC approach, -The experiments performed in this paper, including a random sequence generator as alternative input data source.
Compared to the concepts introduced in Sect. 5 and 6, the concrete implementation differs in the following aspects: After installation, executing run in the experiments CLI will run all clock state construction experiments and store the corresponding analysis data. The experiments are available online [36], and the experiment setup and results are explained in Sect. 9.

Random operation sequence generation
The experiments in Sect. 9 use operation sequences that are either obtained from simulation of TA models, or generated (semi-)randomly based on the subsequences for location states and transitions described in Sect. 7. In general, the sequence generator generates operation sequences via a simulating approach, which keeps track of the current D B M to which each generated operation is applied; based on that current D B M, the next invariant, guard, or reset values are selected from intervals that keep the D B M non-empty, and thus, keep the sequences feasible. The generation process starts with specifying if non-zero resets should be allowed, and if the sequence should start with an initialization sequence (i.e., a sequence of resets of all clocks to 0). Then, the generator randomly chooses whether a D F is added, followed by a sequence of single-clock invariants on a random subset of clocks with (valid) values (i.e., con- ) that are random within bounds, and a Cl operation; this part reflects the sequence imposed by the initially active locations. Afterward, until the targeted sequence length is reached, we repeatedly add an operation sequence reflecting a transition, followed by another sequence for the newly active location state. Each transition sequence is composed of a sequence of single-clock guards on a random subset of clocks with random (valid) values (i.e., constraints , followed by a Cl and a sequence of resets of a random subset of clocks to values that are either random (within bounds) if non-zero resets are allowed, or 0 otherwise. The generation of sequences of the newly active location state is identical to the process described for the initial location state. Note that we restrict infinite intervals (i.e., constraint intervals [a, ∞) or the reset value interval [0, ∞)) to finite ones during value choice (i.e., [a, a + c 1 ] and [0, c 2 ], respectively, for some constants c 1 , c 2 ∈ N 0 ).

Empirical evaluation
Using the described implementation, we evaluate the presented approaches for the O-phase and C-phase. All experiments were executed on an Ubuntu 18.04 LTS system with AMD Ryzen 7 2700X eight-core CPU and 16GB RAM. Overall, we perform three types of experiments, by which we compare: 1. The overall state construction sequence lengths of the trivial, Rinast, and our OC approach, which confirms that in contrast with the former two, our approach generates bounded sequences over time in all tested cases. We apply these experiments to two types of data:  The main parameters of the experiments are the model size, the number of clocks, and the observed sequence length. Our experiment model suite consists of 8 models in total, among which the 6 models 2doors, bridge, fischer, fischer-symmetry, train-gate, and train-gate-orig are the complete set of cyclic, deadlock-free models of the demo model suite of standard Uppaal (i.e., without extensions such as Uppaal SMC), and csmacd2 [19] and tdma [26] were developed in case studies. Figure 13 gives an overview of their characteristics. The suite contains models with different amounts of locations (10-100), edges , and clocks (3)(4)(5)(6)(7)(8)(9)(10). For each model, we execute 1000 simulation runs over 100 transitions, and calculate the minimum, average, and maximum of sequence lengths and construction times over all runs at each individual simulation step.
Applying the approaches to the test suite gives the results shown in Figs. 14 and 15, as well as the data table as shown in Fig. 20 provided in appendix 1, which shows the construction sequence lengths after 1, 10, 50, and 100 executed transitions during model simulation for all Uppaal models. For 3 Fig. 15 Average construction times at each step selected models of the test suite (2doors, bridge, and csmacd2), the graphs in Fig. 14 show the state construction sequence lengths of the trivial, Rinast, and OC approach for a simulation up to 50 steps, together with the calculated bounds of the OC approach. Finally, Fig. 15 shows the total construction sequence generation and application time required for all 8 Uppaal models on each step during simulation.
Applying the approaches to random DBM operation sequences based on a range of different numbers of clocks and sequence lengths gives the results shown in Figs. 16, 17, 18, and 19. For a fixed number of 5 clocks, Figs. 16 and 18 show the ranges of reduced lengths and construction times, respectively, for different O-phase and C-phase approaches applied to different lengths of random input sequences (50-500 operations). Figures 17 and 19 show the lengths of state construction sequences derived by the OC approach variants and construction times, respectively, from fixed-length random sequences (100 operations) based on different numbers of clocks (1-10 clocks).

Evaluation
The model-based experiments show that, as expected for all models, the sequences of the trivial approach are not bounded, and grow linearly over time (cf. Figure 20). The approach by Rinast produces bounded sequences for all models except for bridge, which has a global clock that is never reset, and thus, never re-visits any reached state during simulation. Our approach generates bounded sequences  in all cases, with lengths that are generally shorter than the other two approaches in the long run (e.g., 26 operations for O(DBM) + C(FCS) for bridge, compared to 212 operations of trivial). Figure 14 underlines these results. It shows that at an (early) point during simulation (for the three models between 8 and 28 steps), the sequence lengths of the trivial approach outgrow the lengths of our OC approach. For csmacd2, we observe that the Rinast approach performs best, as Reset operations overwrite the clock values on almost every edge in the model. Furthermore, we see that the actual sequence lengths of our approach lie well below the theoretically calculated bounds (dashed lines) for the most part. These properties also hold for the remaining models.
As last experiment applied to the test suite, Fig. 15 shows that the construction times lie in a real-time feasible range; during the experiments, below 50 milliseconds were required for most constructions. Only for very few outliers, especially in the first steps of fischer-symmetry (outside of the plotted range), the construction time exceeds 1 second, with averages still below 1 second. In the regular case, it is possible to restore a model state 2-20 times within a second.
The experiments on generated DBM operation sequences validate the results of the test suite in a systematic manner, and yield the following results: The construction sequence lengths lie in constant ranges for growing input sequence lengths (Fig. 16). With increasing numbers of clocks (Fig. 17), the construction sequence lengths grow linearly for the Ophase and quadratically for the C-phase, both as expected from Theorem 1. Furthermore, we see that the MCS and RCS sequence lengths always lie below the FCS sequence length, and the C(RCS) approach leads to sequences that are ∼ 25% shorter compared to the C(MCS) approach. In terms of construction times for growing input sequences (Fig. 18), the random sequence experiments confirm that for both Ophase and C-phase the required times stay constant, except for O(SEQ); the latter is expected as O(SEQ) gets the complete sequence as a whole in this experiment, in contrast with the step-wise data increments of the model experiments, so that in the worst case, the full input sequence needs to be searched. From Fig. 19, we see that increasing the number of clocks results in constant times for O(DBM) and nonpolynomial times for O(SEQ) (cf. Sect. 5.3) in the O-phase, and in the C-phase, the times grow quadratically for C(FCS), cubically for C(MCS), and non-polynomial for C(RCS) (cf. Sect. 6.4). C(RCS), however, switches to cubic growth similar to C(MCS) once the number of clocks leads to permutation counts that exceed the predefined limit (cf. Sect. 8).
Overall, we can conclude that the new approach allows generating length-bounded sequences throughout the complete model simulation, and does so within real-time capable time frames.

Conclusion and future work
In this article, we introduced and implemented multiple approaches to derive bounded-length operation sequences to restore given DBM states in timed automata. We found out that the complexity of the individual approach variants either only depends on the (fixed) amount of clocks in a system (i.e., for O(DBM), C(FCS), C(MCS), and C(RCS)) or allows the formulation of alternative versions (i.e., for O(SEQ)) which process operations on the fly, making them suitable for use in online model checking contexts. The experiments revealed that early during simulation (between 8 and 28 steps for the test model suite), the sequence lengths of the OC approaches become (and remain) shorter than the lengths of the trivial approach and-except for one model-of the Rinast approach as well.
In future versions, the sequence lengths could be further shortened by an extension of our approach that handles short sections in which not all clocks have been reset already, or by a hybrid approach that selects the minimum sequence of the trivial and our OC approach. Furthermore, more efficient algorithms may be used for the graph-based search problems of O(DBM) and C(RCS), so that the approach becomes applicable for systems with high amounts of clocks. The insights on overapproximating and constraining sequences may be used for model checking routines, e.g., for time efficient falsification of safety properties, and deserve further investigation. a serious flaw in our argumentation on the removal of operations and who provided numerous helpful hints that improved the readability and accessibility of the article.
Funding Open Access funding enabled and organized by Projekt DEAL.
Availability of data and material The models 2doors, bridge, train-gate, train-gate-orig, fischer, and fischersymmetry are part of the demo model suite of Uppaal available at https://www.uppaal.org/. The models csmacd2 [19] and tdma [26] were developed in case studies. All other experimental data were programmatically generated by the authors via the experiments linked under Code availability.

Conflicts of interest Not applicable.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/.

Model-based experiments: detailed data table
See Fig. 20.