Backward Reachability Analysis for Timed Automata with Data Variables Electronic Communications of the EASST Volume 076 (2019) Automated Verification of Critical Systems 2018 (AVoCS 2018) Backward Reachability Analysis for Timed Automata with Data Variables Rebeka Farkas, Tamás Tóth, Ákos Hajdu, András Vörös 20 pages Guest Editors: David Pichardie, Mihaela Sighireanu ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Backward Reachability Analysis for Timed Automata with Data Variables Rebeka Farkas1, Tamás Tóth2∗, Ákos Hajdu3, András Vörös4 1 farkasr@mit.bme.hu 2 totht@mit.bme.hu 3 hajdua@mit.bme.hu 4 vori@mit.bme.hu Department of Measurement and Information Systems, Budapest University of Technology and Economics, Hungary 134 MTA-BME Lendület Cyber-Physical Systems Research Group Abstract: Efficient techniques for reachability analysis of timed automata are zone- based methods that explore the reachable state space from the initial state, and SMT- based methods that perform backward search from the target states. It is also pos- sible to perform backward exploration based on zones, but calculating predecessor states for systems with data variables is computationally expensive, prohibiting the successful application of this approach so far. In this paper we overcome this limita- tion by combining zone-based backward exploration with the weakest precondition operation for data variables. This combination allows us to handle diagonal con- straints efficiently as opposed to zone-based forward search where most approaches require additional operations to ensure correctness. We demonstrate the applica- bility and compare the efficiency of the algorithm to existing forward exploration approaches by measurements performed on industrial case studies. Although the large number of states often prevents successful verification, we show that data va- riables can be efficienlty handled by the weakest precondition operation. This way our new approach complements existing techniques. Keywords: timed automata, reachability analysis, backward exploration, weakest precondition 1 Introduction The ubiquity of real-time safety-critical systems makes it desirable to model and verify time- dependent behaviour. One of the most common formalisms for this purpose is the timed automa- ton, introduced by Alur and Dill [AD91] which extends the finite automaton with real-valued va- riables called clock variables that represent the elapse of time. This makes it a suitable formalism for modelling time-dependent behaviour of systems such as communication protocols [RSV10] and logical circuits with propagation delay [MP95]. State reachability has a prominent role in verification. Most reachability analysis algorithms perform forward search: they check if the set of states reachable from the initial state contains the target state. Backward search can also be used for checking reachability – in this case the ∗ This work was partially supported by Gedeon Richter’s Talentum Foundation (Gyömrői út 19-21, 1103 Budapest, Hungary). 1 / 20 Volume 076 (2019) mailto:farkasr@mit.bme.hu mailto:totht@mit.bme.hu mailto:hajdua@mit.bme.hu mailto:vori@mit.bme.hu Backward Reachability Analysis for Timed Automata with Data Variables algorithm explores set of states from where the target state is reachable and checks if it contains the initial state [Mit07]. The motivation behind backward search is that when the target state is unreachable, the state space explored from the initial state is disjunct from the one explored backwards from the target states and the latter might be smaller. The combination of backward and forward approaches (often referred to as bidirectional search) can be more efficient than either of the original approaches [VGS13]. Reachability for timed automata is decidable, but the complexity is exponential in the number of clock variables [AD91]. The most efficient techniques for deciding reachability either rely on SMT solvers or abstract state space representations. The key idea of SMT-based techniques is to transform the system into a set of constraints that is satisfiable if the target state is reachable, and then give it to an SMT solver. Although this technique is efficient for other domains and there is an efficient first-order theory for the timed domain, called difference logic [BM07], in practice solver-based techniques are usually more efficient for other timed formalisms, such as the timeout automaton [DS+04]. As for timed automata, the most efficient algorithms rely on the zone abstract domain [YPD94] that is usually used for (forward) state space exploration [Bou05]. While it is possible to perform zone-based backward state space exploration of timed au- tomata, the forward approach is preferred. The general reason behind this is that in practice extensions of timed automata are used, such as timed automata with data variables, and it is expensive to calculate predecessor states for systems with data variables [BLR05, Bou05]. On the other hand, zone-based backward exploration of timed automata would be desired, because for a class of timed automata called timed automata with diagonal constraints backward explo- ration is the only zone-based method that does not introduce an additional exponential factor to the complexity [BLR05, BC05]. In this paper we propose an algorithm for backward reachability analysis of timed automata that combines zone abstraction for clock variables with the weakest precondition operation for data variables. Using the operation we can explore the state space of the data variables bac- kwards. We also compare the applicability and the efficiency of zone-based backward and for- ward exploration by measurements performed on the XtaBenchmarkSuite presented in [FB18]. We show that data variables can be handled by the weakest precondition operation but the large number of target states often prevents successful verification. We propose some possible impro- vements and other ideas about the applicability of zone-based backward exploration algorithm for the verification of timed automata. The paper is organized as follows. Section 2 presents the related work, Section 3 provides some theoretical background on the reachability analysis of timed automata, our algorithm is explained in Section 4. Section 5 presents and evaluates the performed measurements, and finally Section 6 concludes the paper. 2 Related work To the best of our knowledge there is no zone-based backward reachability analysis algorithm for timed automata with data variables in the literature. However, many zone-based algorithms have been proposed for forward exploration [HNSY92] as well as SMT-based methods that perform backward search [MPS11]. Such algorithms often fail to support extensions of timed automata, AVoCS 2018 2 / 20 ECEASST such as diagonal constraints or data variables. Our algorithm is applicable in both cases. Zone-based state space exploration Zone-based techniques explore an abstract reachability graph whose nodes contain a zone-based abstraction of a set of reachable states. The basics of zone-based algorithms and the zone operations were introduced in [YPD94] where they proposed the backward exploration of timed automata (without data variables) that provides the timed part of our algorithm. Zone-based forward exploration algorithms were also developed [BY03] and preferred for efficiency reasons – despite the fact that they are not sound for timed automata with diagonal constraints [Bou03]. Many optimizations of zone abstraction have been defined. An optimal zone-based abstraction – that is, the weakest abstraction that is still safe – has been presented in [HSW13]. The optimi- zation was extended to timed automata with diagonal constraints in [GMS18]. Other approaches to apply zone-based forward exploration for timed automata with data variables were discussed in [BLR05]. Backward exploration Generally, SMT-based methods can operate both forwards and bac- kwards, and they can be applied to systems with data variables as well as timed automata with diagonal constraints. However, despite the many advantages, in practice SMT-based methods are less efficient for timed automata, than zone-based techniques. One of the most efficient SMT- based methods for timed automata is presented in [MPS11], where backward exploration is used, however, before exploration the timed automaton is translated to another formalism called finite state machine with time. The transformation requires lower and upper bounds on the integer variables. Besides state reachability, backward exploration is often used for model checking CTL pro- perties on timed automata. The tool Kronos [Yov97] performs zone-based backward exploration for model checking timed automata against TCTL properties. However, Kronos does not support data variables. Algorithms for timed automata with data variables Independent of the algorithm, the values of data variables can be encoded to the locations of timed automata as a preprocessing operation. In addition, forward exploration algorithms can be applied for extended timed automata by cal- culating the values of data variables on the fly. However, these approaches only allow explicit state space exploration over data variables. On the other hand, in case of approaches with abstractions over data variables the possible operations are often restricted to ensure the abstraction is safe. In [IW14] the restrictions ensure integer variables can be encoded in zones (just like clocks). In [FS01] they use the concept of well-structured transition systems, that require well-quasi orderings to verify several formalisms, including timed systems. There are very few methods applicable to extended timed automata without restrictions that do not calculate the values of data variables explicitly. In [HRSY14] where they use Horn-clauses for verification of timed automata with data variables. In [TM18] the visibilities of data variables are controlled based on interpolations. 3 / 20 Volume 076 (2019) Backward Reachability Analysis for Timed Automata with Data Variables 3 Preliminaries This section presents the important aspects of modeling timed systems, the extensions of timed automata used in practice, as well as the basic operations of zone-based state space exploration. The weakest precondition operation is also defined. 3.1 Timed automata 3.1.1 Basic definitions Clock variables (or clocks, for short) are introduced to represent the elapse of time. The set of clock variables is denoted by C . The most commonly used type of predicates over clocks is clock constraints. Definition 1 A clock constraint is a conjunction of atomic clock constraints, that can either be simple constraints of the form x ∼ n or diagonal constraints of the form x−y ∼ n, where x,y ∈ C , ∼∈{≤,<,=,>,≥} and n ∈N. The set of clock constraints is denoted by B(C ). In other words clock constraints define upper and lower bounds on the values of clocks and the differences of clocks. A timed automaton extends a finite automaton with clock variables. Definition 2 A timed automaton A is a tuple 〈L,l0,E〉 where • L is the set of locations (or control states), • l0 ∈ L is the initial location, • E ∈ L×B(C )×2C ×L is the set of edges. An edge is defined by the source location, the guard (represented by a clock constraint), the set of clocks to reset and the target location. Remark 1 It is usual to allow invariants on the locations of the automaton. In this paper we omit them to keep the explanations simple. However, the presented algorithms can be adjusted to handle invariants. In the literature many algorithms are only defined for a subclass of timed automata called diagonal-free timed automata. Definition 3 A diagonal-free timed automaton is a timed automaton where all atomic clock constraints are simple constraints. It is possible to transform a timed automaton containing diagonal constraints to a diagonal-free timed automaton – i.e. the expressive power of diagonal-free timed automata is the same as that of timed automata. However, the number of locations in the resulting automaton is exponential in the number of diagonal constraints [BC05]. AVoCS 2018 4 / 20 ECEASST 3.1.2 Operational semantics The values of the variables at a given moment is described by a valuation. Definition 4 Let us denote by dom(v) the set of possible values for a variable v, i.e. the domain of v. Given a set of variables V and the corresponding domains a valuation is a function v : V →∪v∈V dom(v) that assigns a value for each variable v ∈V such that v(vi)∈ dom(vi). Remark 2 For simplicity in this paper we shall write dom(V ) instead of ∪v∈V dom(v) Accordingly, a clock valuation is a function vc : C →R≥0. In this paper we denote clock valuations by vc. Valuations over other types of variables are denoted by vd . We denote by v |= c if valuation v satisfies a constraint c. The set of all valuations satisfying a constraint c is denoted by JcK. Clock variables are initialized to 0 – that is, initially vc0(c) = 0 for all c ∈ C –, and their values are constantly and steadily increasing (at the same pace for all clocks). The only operation on clock valuations is the operation reset, denoted by [C ← 0]vc which sets the value of a set C ⊆ C to 0, that is [C ← 0]vc(c) = 0 for c ∈ C and [C ← 0]vc(c) = vc(c) otherwise. It is an instantaneous operation, after which the value of the clocks will continue to increase. The state of a timed automaton is defined by the current location and the values of the clocks. Formally, a state of A is a pair 〈l,vc〉 where l ∈L(A ) is a location and vc is the current valuation. Two kinds of operations are defined. The state 〈l,vc〉 has a discrete transition to 〈l′,vc′〉 if there is an edge e = 〈l,g,r,l′〉∈ E in the automaton such that vc |= g and vc′ = [r ← 0]vc. The state 〈l,vc〉 has a time transition to 〈l,vc′〉 if vc′ assigns vc(c)+d for some non-negative d to each c ∈ C . A run of A is a finite sequence of consecutive transitions R =〈l0,vc0〉 t0−→〈l0,vc0′〉 d0−→〈l1,vc1〉 t1−→ 〈l1,vc1′〉...〈ln,v c n〉 tn−→〈ln,vcn′〉 where for all 1 ≤ i ≤ n,ti denotes a time transition and di denotes a discrete transition. 3.1.3 Extensions of timed automata In practice the low descriptive power of the original timed automaton formalism makes it im- practical for modeling systems. Over the years many extensions of the formalism have been invented to overcome this issue. In this paper we are focusing on timed automata with data variables. Data variables are variables whose value can only be changed by discrete transitions, e.g. variables of types integer, bool, etc. They can appear in constraints to enable transitions (data guards) and can be modified by transitions (update). However, clock variables are not allowed to appear in data guards or updates. The extended formalism can be formally defined as follows. Definition 5 A timed automaton with data variables is a tuple 〈L,l0,E,vd0〉 where • L is the set of locations, • l0 ∈ L is the initial location, 5 / 20 Volume 076 (2019) Backward Reachability Analysis for Timed Automata with Data Variables • E ∈ L×B(C )×PV ×2C ×UV ×L is the set of edges, where PV denotes the set of first order predicates over a set of data variables V and U ∈ UV is a sequence of assignments (updates) of the form v ← t where v ∈ V and t is a term built from variables in V and function symbols interpreted over dom(v). An edge is defined by the source location, the clock guard, the data guard, the set of clocks to reset, the updates, and the target location. • vd0 is the initial data valuation. The possible types of data variables and the expressions appearing in data guards and updates may vary by model checker, however, for efficient verification it is important, that the expressive power of the extended formalism is the same as that of the original timed automaton. In many cases this is achieved by restricting the set of possible values to a finite set (e.g. an interval for integers) – this way, the model can be translated to a (simple) timed automaton by encoding the values of data variables to locations. In this paper we denote the set of general conditions on a set of variables V by cond(V ). The operational semantics are also modified. A state of the extended formalism A over a set of clock variables C and a set of data variables V can be described by a tuple 〈l,vd,vc〉 where l ∈ L is the current location, vd : V → dom(V ) is the current data valuation and vc : C →R≥0 is the clock valuation. While the operational semantics of time transitions are not affected by data variables, discrete transitions become more complex: data guards have to be satisfied and updates have to be exe- cuted. Let us denote by U(vd) the data valuation after executing the sequence of updates U on a system with the initial data valuation vd . Formally, the state 〈l,vd,vc〉 has a discrete transition to 〈l′,vd′,vc′〉 if there is an edge e = 〈l,g, p,r,U,l′〉∈ E in the automaton such that vc |= g, vd |= p, vc′= [r ← 0]vc and vd′= U(vd). Another popular extension of timed automata allows the decomposition of the automaton to a network of automata. A network (A1|...|An) is a parallel composition of a set of timed au- tomata. Communication is possible by shared variables or handshake synchronization using synchronization channels. A network of timed automata can be transformed into a timed auto- maton by constructing the product of the automata in the network. For formal definition, the interested reader is referred to [BLL+95]. 3.2 Verification of timed automata In this section we present the basic opreations of zone-based reachability analysis of timed auto- mata. SMT-based verification is beyond the scope of this paper. In case of (simple) timed automata the reachability problem can be formalized as follows. Input: A timed automaton A , and a location ltrg ∈ L(A ) Question: Is there a run 〈l0,v0〉→〈ltrg,vn〉 for some vn in A ? AVoCS 2018 6 / 20 ECEASST 3.2.1 Zone-based verification An introduction to the abstract domain zone can be found in [BY03], along with the operations necessary for verification and an efficient representation, called difference bound matrix (DBM). Definition 6 A zone Z = {vc | vc |= g} is a set of clock valuations satisfying some clock con- straint g. Many operations are defined on zones. In this paper the following notations are used: • [R ← 0]Z denotes the result of the reset operation applied to a zone Z, R ⊆ C : [R ← 0]Z ={vc | ∃vc′∈ Z : vc = [R ← 0]vc′} • [R ← 0]−1Z,R ⊆ C denotes the inverse of the reset operation: [R ← 0]−1Z ={vc | [R ← 0]vc ∈ Z} • Z↑ denotes the set of valuations reachable from Z by time transitions: Z↑ ={vc + t | vc ∈ Z,t ∈N}, where vc +t = vc′ denotes a valuation where vc′(c) = vc(c)+t for all c ∈ C • Z↓ denotes the set of nonnegative valuations from where Z is reachable by time transitions: Z↓ ={vc | ∃t ∈N : vc + t ∈ Z} The core of reachability analysis is to construct an abstract reachability graph, that is an abstract representation of the state space. In case of zone-based reachability the abstract reacha- bility graph is called a zone graph. Definition 7 A zone graph is a finite graph containing 〈l,Z〉 pairs as nodes, where l ∈ L is a location of the automaton and Z is a zone. A node of the zone graph represents a set of states reachable from the initial state (or a set of states from where the target states are reachable, in case of backward exploration). Edges between nodes correspond to discrete transitions through which those states are reachable. Remark 3 In this paper we use the word represent for indicating that a node n certifies that the explored state space contains a state s, i.e. n = 〈l,Z〉 represents s = 〈l,vc〉 iff vc ∈ Z. The goal of state space exploration is to create the zone graph. The process is similar to any kind of graph-based state space exploration and will be presented to detail in Subsubsection 4.1.2. The primary task is postimage calculation (in case of forward exploration): given a node of the graph under construction n = 〈l,Z〉 representing the set of reachable states and an edge of the automaton e = 〈l,g,R,l′〉 the task is to calculate a node n′ representing the set of all states that can be reached from those represented by n through e. The postimage of l is straightforward and the postimage of Z can be calculated by first de- termining the maximal subzone Z′ that satisfies g (Z′ represents the set of valuations where the discrete transition is enabled), then resetting all clocks c ∈ R in Z′ (i.e. executing the discrete transition), and finally applying time transitions. Formally, the postimage calculation can be described as Postg,R(Z) = ([R ← 0](Z ∩JgK)) ↑. 7 / 20 Volume 076 (2019) Backward Reachability Analysis for Timed Automata with Data Variables In case of backward exploration the corresponding operation is preimage calculation, formally described as Preg,R(Z) = ([R ← 0]−1Z ∩JgK) ↓ . This operation is basically the inverse of posti- mage computation with the exception that applying time transitions remains the last step. This way the set of states represented by a node is larger and the zone graph is more compact. In case of backward exploration the zone graph explored using the presented operation is always finite, but this is not true for forward exploration, since using loop-edges it is possible to create a timed automaton with a run of ever-increasing clock valuations [BY03]. To ensure the termination of the algorithm, extrapolation was introduced, however, in case of diagonal constraints extrapolation may introduce unreachable states to the reachability graph, making the result of the analysis a false positive space [Bou03]. Many approaches have been introduced to ensure correctness, including the operation split that splits the zone to extrapolate to smaller zones so that the extrapolation keeps the zone safe [BY03], and CEGAR-based methods where they explore the state space with the origi- nal overapproximating algorithm and if they find a spurious trace they refine the state space or the automaton [BLR05], but the complexity of these methods is exponential in the number of diagonal constraints. 3.2.2 Verification of extended timed automata The reachability problem can be formulated for the extended formalisms. For instance, in case of timed automata with data variables the target states can also depend on the data valuation. Input: A timed automaton with data variables A , a location ltrg ∈ L(A ), and a first order predicate Ptrg over the data variables of A Question: Is there a run from the initial state 〈l0,vd0,v c 0〉 to some 〈l,v d n,v c n〉 where vdn |= P? In case of networks of timed automata, instead of a single control location, the state of the system depends on a configuration – that is, a set of locations containing the current location of each automaton. However, reachability criteria usually only determine the location for some of the automata (e.g. collision detection only requires two out of an arbitrary number of stations to be transmitting). The extended reachability problems can be transformed to the original reachability problem over (simple) timed automata, however, in practice it is more efficient to apply the algorithms on timed automata to the extended formalisms. For example, in case of forward exploration calculating the data variables is straightforward based on the updates. On the other hand, in case of backward exploration there can be more than one predecessor states. Since it is complicated to calculate the possible previous values of data variables, in case of extended timed automata forward exploration is preferred [Bou05, BLR05, Bou04]. 3.3 Weakest precondition In our research we used the weakest precondition operation to calculate the preimage of data va- riables. The weakest precondition can be defined many ways. Here, we define it over predicates and updates. AVoCS 2018 8 / 20 ECEASST Definition 8 Given a sequence of updates U ∈ UV and a predicate P ∈ PV describing a post- condition, the weakest precondition, denoted by wp(P,U) is the predicate describing the weakest constraint on the initial state ensuring that the execution of U terminates in a state satisfying P: wp : PV ×UV → PV such that Jwp(P,U)K ={vd : V → dom(V ) |U(vd) |= P}. The weakest precondition of a sequence of updates can be calculated by iterating backwards over the assignment statements and calculating the weakest precondition one by one. Formally if U = [v1 ← t1; v2 ← t2], then wp(P,U) = wp(wp(v2 ← t2,P),v1 ← t1). The weakest precondition of a predicate P ∈ PV based on an update v ← t can be calculated by replacing all occurrences of v in P with t. Example 1 Let y < 5 be the postcondition of the assignment y ← x + 3. Replacing y with x + 3 yields x + 3 < 5 that can be automatically simplified to x < 2. Therefore if U(vd) = vd′, where vd′(y) = vd(x)+ 3 and vd′(v) = vd(v),v 6= y, then wp(y < 5,U) = x < 2. In other words in order to ensure y < 5 after assigning x + 3 to y, initially x < 2 must hold. In practice the calculation of the weakest precondition is only efficient if the sequences of assignments can be kept small and the assignments are simple. For more information on the weakest precondition operation the reader is referred to [Lei05]. 4 Backward exploration using weakest precondition This section presents our proposed algorithm for backward state space exploration of timed auto- mata with data variables. First the underlying state space exploration approach is explained and then the data structures and the operations specific to our algorithm are presented. The algorithm is also demonstrated on an example and its correctness is formally proven. 4.1 Algorithm The proposed algorithm is an extension of the zone based backward exploration for simple timed automata to timed automata with data variables using the weakest precondition operation to calculate preimages for data variables. 4.1.1 Overview of the approach The basis of the algorithm is a simple state space exploration approach that starts by creating the initial node (representing the target states) and calculates the preimage of each node that introduces new states to the explored state space. Backward exploration terminates when the initial state of the automaton is introduced to the state space (hence, reachability is confirmed) or when the complete state space is explored (hence, the target state is unreachable). Zone-based backward exploration completes the general state space exploration approach with timed automaton-specific data structures (zones) and operations presented in Subsubsection 3.2.1. The proposed algorithm extends zone-based exploration with first-order predicates that are used 9 / 20 Volume 076 (2019) Backward Reachability Analysis for Timed Automata with Data Variables to represent the values of data variables and the weakest precondition operation to calculate preimages for data variables. 4.1.2 State space exploration Backward state space exploration initiates from a node ntrg representing the target states. For all incoming edges e of the target location (in the automaton) a new node n is created representing the preimage of the target states based on e. A corresponding edge ntrg → n is also introduced in- dicating that n represents all states that are from where ntrg is reachable through e. The algorithm continues from the newly created nodes. When a node n is created it is checked if n is covered by some other node n′. Definition 9 A node of the state space graph n is covered by a node n′ iff n′ represents all states represented by n. If a new node n is covered by an existing node n′ then n can be removed from the graph, and instead of the outgoing edge npost → n a new edge npost → n′ is created indicating that n′ represents all states from where npost is reachable through e. The algorithm terminates when there is a node in the state space graph (zone graph) that represents the initial state of the automaton or when the complete state space is explored. 4.1.3 Data structure and operations While the state space exploration approach is generally used, the underlying data structure (of the nodes), the initial node, the operations for preimage computation and coverage checking and the termination criteria depend on the formalism. In case of timed automata with data variables the proposed approach uses the following concepts. Data structure The proposed algorithm extends the data structure of zone-based backward exploration with first order predicates that are used to denote the set of possible values of data variables. Therefore, the nodes of the zone graph can be formalized as 〈l,P,Z〉, where l is a location of the automaton, P is a first order predicate representing a set of data valuations and Z is a zone representing a set of clock valuations. A state 〈l,vd,vc〉 is represented by a node 〈l,P,Z〉 iff vd |= P and vc ∈ Z. Initialization The initial node can be formalized as 〈ltrg,Ptrg,JtrueK〉. Preimage computation For a node 〈l,P,Z〉 and incoming edge 〈l′,g, p,r,U,l〉 the preimage 〈l′,P′,Z′〉 is calculated as follows. • The preimage of the location is the source location l′ of the edge. • The preimage of the zone can be calculated as presented in Subsubsection 3.2.1: Z′ = Preg,R(Z). AVoCS 2018 10 / 20 ECEASST 𝑙0 𝑙1 𝑥 == 10 𝑥 ≔ 0 𝑖 ≔ 𝑖 + 1 𝑖 ≔ 0 𝑙0 𝑙1 𝑥 ≔ 0 𝑦 ≔ 0 𝑥 == 10 𝑥 ≔ 0 𝑦 − 𝑥 > 0 𝑖 ≔ 𝑖 + 1𝑖 ≔ 0 𝑦 − 𝑥 > 0 𝑙1, 𝑖 ≤ 2, 𝑡𝑟𝑢𝑒 𝑙0, 𝑖 ≤ 2,𝑦 − 𝑥 > 0 𝑙0, 𝑖 ≤ 1,𝑥 ≤ 10 𝑙0, 𝑖 ≤ 0,𝑥 ≤ 10 𝑙1, 𝑖 ≤ 2, 𝑡𝑟𝑢𝑒 𝑙0, 𝑖 ≤ 2,𝑦 − 𝑥 > 0 𝑙0, 𝑖 ≤ 1,𝑥 ≤ 10 𝑙0, 𝑖 ≤ 0,𝑥 ≤ 10 𝑙1, 𝑖 ≤ 2, 𝑡𝑟𝑢𝑒 𝑙0, 𝑖 ≤ 2,𝑦 − 𝑥 > 0 𝑙0, 𝑖 ≤ 1,𝑥 ≤ 10 𝑙0, 𝑖 ≤ 0,𝑥 ≤ 10 (a) Input automaton 𝑙0 𝑙1 𝑥 == 10 𝑥 ≔ 0 𝑖 ≔ 𝑖 + 1 𝑖 ≔ 0 𝑙0 𝑙1 𝑥 ≔ 0 𝑦 ≔ 0 𝑥 == 10 𝑥 ≔ 0 𝑦 − 𝑥 > 0 𝑖 ≔ 𝑖 + 1𝑖 ≔ 0 𝑦 − 𝑥 > 0 𝑙1, 𝑖 ≤ 2, 𝑡𝑟𝑢𝑒 𝑙0, 𝑖 ≤ 2,𝑦 − 𝑥 > 0 𝑙0, 𝑖 ≤ 1,𝑥 ≤ 10 𝑙0, 𝑖 ≤ 0,𝑥 ≤ 10 𝑙1, 𝑖 ≤ 2, 𝑡𝑟𝑢𝑒 𝑙0, 𝑖 ≤ 2,𝑦 − 𝑥 > 0 𝑙0, 𝑖 ≤ 1,𝑥 ≤ 10 𝑙0, 𝑖 ≤ 0,𝑥 ≤ 10 𝑙1, 𝑖 ≤ 2, 𝑡𝑟𝑢𝑒 𝑙0, 𝑖 ≤ 2,𝑦 − 𝑥 > 0 𝑙0, 𝑖 ≤ 1,𝑥 ≤ 10 𝑙0, 𝑖 ≤ 0,𝑥 ≤ 10 (b) Explored state space Figure 1: State space exploration example • P′ is only calculated if Z′ 6= /0. In this case P′ = wp(P,U)∧ p∧cond(V ). It is important to check if P′ is satisfiable (for instance by using a SAT solver). Checking coverage A node 〈l,P,Z〉 is covered by another node 〈lc,Pc,Zc〉 if l = lc,Z ⊆ Zc and P =⇒ Pc. There are many ways to check implication. In our implementation we use a solver to determine whether P∧¬Pc is unsatisfiable. Termination The algorithm terminates if there are no unexplored nodes in the current graph or if it reached the initial state. The set of states represented by a node n = 〈l,P,Z〉 contains the initial state if l = l0, vd0 |= P, and v0 ∈ Z. 4.2 Example This section demonstrates the operation of backward exploration on the automaton presented in Figure 1a and the target location l1 with predicate i ≤ 2. In this automaton (which is a modified version of the one presented in [BY03]), there are two clock variables x and y and a data variable i that serves as a loop counter. The property to decide is whether it is possible to reach a state where the current location is l1 and i ≤ 2 – considering the automaton the property represents reaching l2 by taking the loop transition less than two times. Initially, clocks x and y are both initialized to 0, which means x = y will hold as long as the system stays in l0. When the loop edge is taken (that can first happen when x = y = 10) x is reset but the value of y continues to increase from the same value – that is, taking the loop edge means increasing y−x by 10. The algorithm operates as follows. The initial node is n0 = 〈l1,i ≤ 2,JtrueK〉. The only incoming edge does not change the data valuation, but has a clock guard. Therefore the preimage of the node is n1 =〈l0,i ≤ 2,y−x > 0〉. The preimage of n1 based on the loop edge can be calculated as follows. Prex=10,{x}(y−x > 0) = ([{x}← 0]−1(y−x > 0)∩Jx = 10K) ↓ = (y > 0∩Jx = 10K)↓, resulting in x ≤10, and wp(i≤2,i := i+1) = i≤1. Therefore, the created node is n2 =〈l0,i ≤ 1,x ≤ 10〉. The preimage of n2 based on the loop edge is n3 = 〈l0,i ≤ 0,x ≤ 10〉. Since i ≤ 0 =⇒ i ≤ 1, n2 covers n3. This means all the states represented by n3 are also represented by n2, so if n3 is reachable from a state, n2 is also reachable. Because of the coverage, node n3 does not need to be expanded further. The exploration terminates. The explored graph can be seen in Figure 1b with a frame around n2 and a dashed arrow n3 → n2 (indicating coverage). Naturally, the reachability algorithm can terminate after creating n2. Since i = 0 |= i ≤ 1 and x = y = 0 |= x ≤ 10, n2 represents the initial state – the property is evaluated to true. 11 / 20 Volume 076 (2019) Backward Reachability Analysis for Timed Automata with Data Variables 4.3 Proof of correctness The presented algorithm is a combination of two existing approaches. Zone calculations are pro- ven to be correct, and the weakest precondition operation is defined to be correct. The correctness of the algorithm can be proven based on the fact that the values of clock and data variables are independent of each other. Therefore, since the computation of zones and (data) predicates are correct, the complete algorithm is also correct. The formal proof is constructed as follows. Claim (Correctness) The presented algorithm is correct: 〈l0,vd0,v c 0〉 is represented by one of the nodes of the abstract reachability graph iff there is a run s0 =〈l0,vd0,v c 0〉→···→ s ′ n =〈ln,vdn,vcn′〉 of A where ln = ltrg is the target location. Proof. (⇐) sn is represented by the initial node. Suppose a state of the run s′k is represented by some nk = 〈Ck,Pk,Zk〉 in this case nk also represents sk since the vck ∈{v c k′} ↓. Let ek−1 = 〈lk−1,g, p,r,U,lk〉 be the edge corresponding to the discrete transition sk−1 → sk. In this case the following claims hold: • vck−1 ∈ Preg,r({v c k}), since the zone operations are correct, • vdk−1 |= wp( ∧ v∈V v = v d k (v),U) (since the weakest precondition was defined like that), the- refore • vdk−1 |= wp(P,U) for any P where v d k |= P, • vdk−1 |= p because the transition is enabled, and • vdk−1 |= cond(V ). Therefore, there is also an edge of the graph representing e from nk to some other node nk−1 that represents sk−1 and – by induction – there is also a node representing s0. (⇒) Let node n0 = 〈l0,P0,Z0〉 be a node of the graph, where l0 is the initial location vc0 ∈ Z0 and v0d |= P0. If a node n of the abstract reachability graph is not the initial node, then it was created along with an incoming edge e(n). Find the path ni e(ni−1)−−−−→ ni−1 ...n1 e(n0)−−−→ n0 where ni is the initial node. Because of the way the edges are chosen, all states represented by a node nk are a preimage of some state represented by nk+1 (other incoming edges might have been introduced based on coverage and in that case, the preimage might be just a subset of the states represented by nk+1). Therefore for all states sk represented by nk there is a state sk+1 represented by nk+1 such that sk+1 is reachable from sk by the edge corresponding to e(nk). By induction, ni represents a state reachable from s0. Remark 4 The path ni e(ni−1)−−−−→ ni−1 ...n1 e(n0)−−−→ n0 is the abstract representation of a run from s0 represented by n0 to s′i represented by ni through the discrete transitions e(ni−1) →···→ e(n0). Delay transitions can also be derived by further analysis of the path. AVoCS 2018 12 / 20 ECEASST 5 Comparison of backward and forward exploration This section presents the measurements ran to analyze and compare the efficiency of the proposed algorithm to forward approaches. The results are discussed and possible improvements are also proposed. 5.1 Measurements To analyze the applicability and the efficiency of the algorithm we have implemented it in the Theta verification framework [THV+17] and ran measurements on the XtaBenchmarkSuite1, that is a set of test cases for benchmarking timed automaton verification algorithms (we have presented an earlier version of the benchmark suite in [FB18], but it has been improved since). To compare the algorithm to forward exploration we also ran measurements on the algorithm presented in [HSW13] that we have also implemented in the Theta framework. The benchmark suite contains networks of timed automata with data variables. As menti- oned in Subsubsection 3.2.2, for some inputs the properties only define the target location for a few of the automata in the network. In these cases, the possible target configurations were manually collected – all possible combinations of the locations of the remaining automata were included. In many cases, this resulted in a set of target configurations too large for efficient veri- fication. However, by observing the models, we could eliminate many of the configurations. To demonstrate the significance of describing a precise property, we ran the backward exploration algorithm on both the original and the modified property. These modifications did not affect the forward exploration algorithms. The measurements were executed on a virtual 64 bit Windows 7 operating system with a 2 core CPU (2.50 GHz) with 1,5 GB of memory. Each algorithm was run 10 times on each input, the longest and the shortest was eliminated and the average of the remaining runtimes was taken. The timeout was 10 minutes. 5.2 Evaluation The XtaBenchmarkSuite consists of more models than those mentioned here, but we have ex- cluded those that contain a model element that is not yet supported by Theta (e.g. broadcast channels) and those where the property to check is not a reachability property (e.g. liveness properties) or only constrains the data variables. We have also excluded the models where both of the studied algorithms timed out. Table 1 describes the results of the benchmarks on diagonal-free timed automata. The column Name contains the name of the model in the XtaBenchmarkSuite and in case of scalable models, the value of the parameter. The next two columns contain the number of target configurations as described by the original and – when we managed to refine it – the precise property. The remaining columns contain the runtime and the number of explored nodes by the algorithms. The columns denoted by LU correspond to the algorithm presented in [HSW13], while the remaining columns correspond to the execution of our backward exploration algorithm on the model with the original and the modified property. 1 https://github.com/farkasrebus/XtaBenchmarkSuite 13 / 20 Volume 076 (2019) https://github.com/farkasrebus/XtaBenchmarkSuite Backward Reachability Analysis for Timed Automata with Data Variables Table 1: Results on diagonal-free systems Name Target configurations LU BW original precise original precise time (ms) nodes time (ms) nodes time (ms) nodes EXSITH 1 - 1 4 - - 2 5 LATCH 1 - 2 7 - - 1 2 SRLATCH 4 1 0 6 5 28 4 16 ANDOR 4 1 11 9 42 39 13 21 ENGINE 288 - 35 674 3731 8783 - - SIMOP 8960 128 72 325 9820 26271 800 1517 MALER 1 - 553 7157 - - 134127 53519 MUTEX 5 - 1248 5563 [TO] - - - CRITICAL2 56 1 135 112 1631 1914 18 22 CRITICAL3 784 8 148 1632 [TO] - 599 811 CRITICAL4 10976 64 770 25202 [TO] - 233114 51488 CSMA2 4 - 23 18 16 26 - - CSMA3 16 - 29 71 247 338 - - CSMA4 64 - 55 262 16547 11306 - - CSMA5 256 - 177 855 [TO] - - - FISCHER2 1 - 14 18 19 11 - - FISCHER3 4 - 11 65 93 78 - - FISCHER4 16 - 59 220 476 594 - - FISCHER5 64 - 79 727 10221 10426 - - FISCHER6 256 - 366 2378 96102 93735 - - FISCHER7 124 - 1913 7737 [TO] - - - LYNCH2 1 - 20 38 18 33 - - LYNCH3 9 - 32 125 656 821 - - LYNCH4 81 - 47 380 35344 27523 - - TRAIN2 64 - 14 44 156 380 - - TRAIN3 256 - 37 165 694 1330 - - TRAIN4 1024 - 315 1123 6886 10290 - - TRAIN5 4096 - 3874 6488 66837 79892 - - TRAIN6 16384 - 103455 60379 [TO] - - - AVoCS 2018 14 / 20 ECEASST Table 2: Results on diagonal timed automata LU BW Name Transformation Algorithm Total time (ms) time (ms) time (ms) Nodes Time (ms) Nodes SPLIT (original) 4 4 8 9 3 4 SPLIT (modified) 27 16 43 10 4 4 DIAG (original) 14 6 20 22 8 8 DIAG (modified) 32 22 54 24 14 8 Table 2 describes the results of the benchmarks on timed automata with diagonal constraints. We did not manage to find an industrial case study containing diagonal constraints, thus we use the models we found in the literature as examples. Model SPLIT was introduced in [BY03] to demonstrate the incorrectness of the forward exploration algorithm and DIAG was used to demonstrate techniques describes in [BLR05]. We also run the algorithms on modified versions: we added new edges to these examples to create cyclic models. 5.2.1 Weakest precondition One of our research goals was to find out if the weakest precondition operation can be used to efficiently calculate data variables during backward exploration of timed automata. Models of the benchmark suite only contain a few data variables (protocols usually one for each participant, and inputs of category system have integer variables, but their set of possible values is rather small). A possible difficulty would have occurred if the abstract reachability graphs were deeper, but this was not the case as we used breadth-first search. Out of these models ENGINE had the deepest reachability graph with a depth of 63. The results show that despite its limitations (such as the solver overhead introduced by co- verage checking) in practice weakest precondition can be used to handle data variables. Further- more, while most algorithms calculate the values of data variables explicitly, weakest precondi- tion makes it possible to use predicate abstraction over the data variables that can also increase the efficiency of an algorithm. 5.2.2 Property definition One of the motivations for using backward exploration is that the state space explored from the target states might be smaller than the reachable state space. However, in practice the properties describing the target states are kept simple, only mentioning a few locations and variables of the system. While an understandable property definition is usually beneficial, it also increases the number of target states exponentially. For instance, in case of mutual exclusion protocols (that appears to be the most common area of applicability for timed automata) the target state is any state where at least two processes are in the critical section. In case of a system of n similar processes containing k locations there are kn−2 possible control vectors that satisfy this property. Clocks and data variables can be handled 15 / 20 Volume 076 (2019) Backward Reachability Analysis for Timed Automata with Data Variables with symbolic methods, but locations have to be explored explicitly. We believe this issue could be overcome in many cases, such as the CRITICAL example, where the target location is only given for the Prod cell automata, however it is easy to determine the current location of the corresponding Arbiter automata. Therefore, we believe that some initial static analysis of the automaton and the constraints (e.g. the forward exploration of the location graph) could decrease the number of initial states. As it is seen in Table 1 adding details to the property increases the efficiency of backward exploration. 5.2.3 Timed automata with diagonal constraints One of the key strengths of backward exploration for timed automata is that it is correct (sound) for timed automata with diagonal constraints. The transformation of a timed automaton contai- ning diagonal constraints to a diagonal-free automaton takes time and increases the size of the automaton and thus makes verification less efficient – as demonstrated in Table 2. We were only able to perform these measurements on small examples from the literature, since there are no public industrial case studies of timed automata with diagonal constraints. We believe this is due to the fact that most analysis tools do not support diagonal constraints and because of this the case studies are stored in diagonal-free form. 5.2.4 General conclusions In case of timed automata with diagonal constraints, backward exploration performs better on the small examples, although, we could not find an industrial example with diagonal constraints to support this claim. In case of diagonal-free timed automata forward exploration performs better in most cases. However, for many small models backward exploration explored a smaller state space, e.g. the LATCH circuit and protocols with a small number of participants. Forward and backward exploration are complementary techniques. Theta is able to perform both which makes it possible to chose the more appropriate one for a certain model. 5.3 Possible improvements One of the reasons why forward exploration performs better on the case studies is that there are many optimizations for zone-based forward search (e.g. LU abstraction, lazy abstraction, etc. – see Section 2). It would be desired to apply these optimizations for backward exploration. Throughout these measurements we analyzed the models manually to strenghten the proper- ties, although it would be possible (and beneficial) to perform automatic preprocessing on the input to decrease the number of target states (initial states for the algorithm). Backward exploration can also be combined with other techniques to improve the efficiency of existing algorithms. A common application for backward exploration is to run it in parallel with forward exploration – i.e. bidirectional search. This way, if the target state is reachable, the explored state space becomes smaller than a single search from any direction. The two algo- rithms can also increase each others efficiency by exchanging information on the explored state space [VGS13]. Bidirectional search for timed automata appears to be an area worth exploring. AVoCS 2018 16 / 20 ECEASST 6 Conclusions and future work In this paper we have presented an algorithm that uses zone-based backward exploration for the reachability analysis of timed automata. Unlike zone-based forward exploration, this algorithm is also applicable for timed automata with diagonal constraints. We have extended the algorithm to handle complex data: the weakest precondition operation is suitable for calculating the values of data variables. The combination of the two algorithms resulted and efficient procedure for timed systems with data. XtaBenchmarkSuite is a benchmark suite consisting of timed automata including small exam- ples and industrial case studies. XtaBenchmarkSuite was extended in this paper to evaluate the various timed algorithms more rigorously. Measurements on the XtaBenchmarkSuite demon- strated the efficiency and the applicability of our new approach. We have shown that while the algorithm performs better on timed automata with diagonal constraints than forward exploration, some improvements and optimizations are necessary in order to be applicable for industrial case studies. Our results provide a step towards the efficient verification of real-time systems. In the future we will improve the backward exploration algorithm to solve complex industrial case studies. We will analyze the applicability of the improvements of the forward exploration algorithm presented in [HSW13, TM17] to our backward exploration approach. We will also combine backward and forward search algorithms – as it was investigated that bidirectional se- arch is efficient for SAT-based algorithms in [VGS13]. We will also study the combination of forward and backward algorithms in the CEGAR framework as it was discussed in [RRT08]. In order to further investigate the strengths and weaknesses of the timed algorithms, we will extend the XtaBenchmarkSuite with more industrial case studies (e.g. the FlexRay pro- tocol [GEFP10]) and perform an exhaustive benchmark on the existing approaches. Based on the results a – possibly automatic – process can be derived for deciding which algorithm is ex- pected to be the most efficient for verifying a given system. Diagonal constraints represent one extension of timed automata, which proved to be useful for a certain class of models. In the future, we have to analyze other extensions from the verification point of view. Bibliography [AD91] R. Alur, D. L. Dill. The Theory of Timed Automata. In Proceedings of the Real- Time: Theory in Practice, REX Workshop. Pp. 45–73. Springer, 1991. doi:10.1007/BFb0031987 [BC05] P. Bouyer, F. Chevalier. On Conciseness of Extensions of Timed Automata. Journal of Automata, Languages and Combinatorics 10(4):393–405, 2005. [BLL+95] J. Bengtsson, K. G. Larsen, F. Larsson, P. Pettersson, W. Yi. UPPAAL - a Tool Suite for Automatic Verification of Real-Time Systems. In DIMACS/SYCON 1995. Pp. 232–243. Springer, 1995. doi:10.1007/BFb0020949 17 / 20 Volume 076 (2019) http://dx.doi.org/10.1007/BFb0031987 http://dx.doi.org/10.1007/BFb0020949 Backward Reachability Analysis for Timed Automata with Data Variables [BLR05] P. Bouyer, F. Laroussinie, P. Reynier. Diagonal Constraints in Timed Automata: For- ward Analysis of Timed Systems. In FORMATS 2005. Pp. 112–126. Springer, 2005. doi:10.1007/11603009 10 [BM07] A. R. Bradley, Z. Manna. The calculus of computation - decision procedures with applications to verification. Springer, 2007. doi:10.1007/978-3-540-74113-8 [Bou03] P. Bouyer. Untameable Timed Automata! In STACS 2003. Pp. 620–631. Springer, 2003. doi:10.1007/3-540-36494-3 54 [Bou04] P. Bouyer. Forward Analysis of Updatable Timed Automata. Formal Methods in System Design 24(3):281–320, 2004. doi:10.1023/B:FORM.0000026093.21513.31 [Bou05] P. Bouyer. An Introduction to Timed Automata. ETR 2005, pp. 25–52, 2005. [BY03] J. Bengtsson, W. Yi. Timed Automata: Semantics, Algorithms and Tools. In ACPN 2003. Pp. 87–124. Springer, 2003. doi:10.1007/978-3-540-27755-2 3 [DS+04] B. Dutertre, M. Sorea et al. Timed systems in SAL. Technical report, SRI Internati- onal, Computer Science Laboratory, 2004. [FB18] R. Farkas, G. Bergmann. Towards Reliable Benchmarks of Timed Automata. In Proceedings of the 25th PhD Mini-Symposium. Pp. 20–23. Budapest University of Technology and Economics, Department of Measurement and Information Systems, 2018. [FS01] A. Finkel, P. Schnoebelen. Well-structured transition systems everywhere! Theore- tical Computer Science 256(1-2):63–92, 2001. doi:10.1016/S0304-3975(00)00102-X [GEFP10] M. Gerke, R. Ehlers, B. Finkbeiner, H.-J. Peter. Model Checking the FlexRay Phy- sical Layer Protocol. In FMICS 2010. LNCS 6371, pp. ”132–147”. Springer, 2010. doi:10.1016/j.entcs.2005.04.014 [GMS18] P. Gastin, S. Mukherjee, B. Srivathsan. Reachability in Timed Automata with Dia- gonal Constraints. In CONCUR 2018. Pp. 28:1–28:17. Schloss Dagstuhl - Leibniz- Zentrum fuer Informatik, 2018. doi:10.4230/LIPIcs.CONCUR.2018.28 [HNSY92] T. A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine. Symbolic Model Checking for Real-time Systems. In LICS 1992. Pp. 394–406. IEEE, 1992. doi:10.1109/LICS.1992.185551 AVoCS 2018 18 / 20 http://dx.doi.org/10.1007/11603009_10 http://dx.doi.org/10.1007/978-3-540-74113-8 http://dx.doi.org/10.1007/3-540-36494-3_54 http://dx.doi.org/10.1023/B:FORM.0000026093.21513.31 http://dx.doi.org/10.1007/978-3-540-27755-2_3 http://dx.doi.org/10.1016/S0304-3975(00)00102-X http://dx.doi.org/10.1016/j.entcs.2005.04.014 http://dx.doi.org/10.4230/LIPIcs.CONCUR.2018.28 http://dx.doi.org/10.1109/LICS.1992.185551 ECEASST [HRSY14] H. Hojjat, P. Rümmer, P. Subotic, W. Yi. Horn Clauses for Communicating Timed Systems. In HCVS 2014. Pp. 39–52. 2014. doi:10.4204/EPTCS.169.6 [HSW13] F. Herbreteau, B. Srivathsan, I. Walukiewicz. Lazy Abstractions for Timed Auto- mata. In CAV 2013. Pp. 990–1005. Springer, 2013. doi:10.1007/978-3-642-39799-8 71 [IW14] T. Isenberg, H. Wehrheim. Timed Automata Verification via IC3 with Zones. In ICFEM 2014. Pp. 203–218. Springer, 2014. doi:10.1007/978-3-319-11737-9 14 [Lei05] K. R. M. Leino. Efficient weakest preconditions. Inf. Process. Lett. 93(6):281–288, 2005. doi:10.1016/j.ipl.2004.10.015 [Mit07] I. M. Mitchell. Comparing Forward and Backward Reachability as Tools for Safety Analysis. In HSCC 2007. Pp. 428–443. Springer, 2007. doi:10.1007/978-3-540-71493-4 34 [MP95] O. Maler, A. Pnueli. Timing analysis of asynchronous circuits using timed automata. In CHARME 1995. Pp. 189–205. Springer, 1995. doi:10.1007/3-540-60385-9 12 [MPS11] G. Morbé, F. Pigorsch, C. Scholl. Fully Symbolic Model Checking for Timed Auto- mata. In CAV 2011. Pp. 616–632. Springer, 2011. doi:10.1007/978-3-642-22110-1 50 [RRT08] F. Ranzato, O. Rossi-Doria, F. Tapparo. A Forward-Backward Abstraction Refine- ment Algorithm. In VMCAI 2008. Pp. 248–262. Springer, 2008. doi:10.1007/978-3-540-78163-9 22 [RSV10] A. P. Ravn, J. Srba, S. Vighio. A Formal Analysis of the Web Services Atomic Transaction Protocol with UPPAAL. In ISoLA 2010. Pp. 579–593. Springer, 2010. doi:10.1007/978-3-642-16558-0 47 [THV+17] T. Tóth, A. Hajdu, A. Vörös, Z. Micskei, I. Majzik. Theta: a Framework for Ab- straction Refinement-Based Model Checking. In FMCAD 2017. Pp. 176–179. IEEE, 2017. doi:10.23919/FMCAD.2017.8102257 [TM17] T. Tóth, I. Majzik. Lazy Reachability Checking for Timed Automata using Interpo- lants. In Formal Modelling and Analysis of Timed Systems. LNCS 10419, pp. 264– 280. Springer, 2017. doi:10.1007/978-3-319-65765-3 15 [TM18] T. Tóth, I. Majzik. Lazy Reachability Checking for Timed Automata with Discrete Variables. In SPIN 2018. Pp. 235–254. Springer, 2018. doi:10.1007/978-3-319-94111-0 14 19 / 20 Volume 076 (2019) http://dx.doi.org/10.4204/EPTCS.169.6 http://dx.doi.org/10.1007/978-3-642-39799-8_71 http://dx.doi.org/10.1007/978-3-319-11737-9_14 http://dx.doi.org/10.1016/j.ipl.2004.10.015 http://dx.doi.org/10.1007/978-3-540-71493-4_34 http://dx.doi.org/10.1007/3-540-60385-9_12 http://dx.doi.org/10.1007/978-3-642-22110-1_50 http://dx.doi.org/10.1007/978-3-540-78163-9_22 http://dx.doi.org/10.1007/978-3-642-16558-0_47 http://dx.doi.org/10.23919/FMCAD.2017.8102257 http://dx.doi.org/10.1007/978-3-319-65765-3_15 http://dx.doi.org/10.1007/978-3-319-94111-0_14 Backward Reachability Analysis for Timed Automata with Data Variables [VGS13] Y. Vizel, O. Grumberg, S. Shoham. Intertwined Forward-Backward Reachability Analysis Using Interpolants. In TACAS 2013. Pp. 308–323. Springer, 2013. doi:10.1007/978-3-642-36742-7 22 [Yov97] S. Yovine. KRONOS: A Verification Tool for Real-Time Systems. International Journal on Software Tools for Technology Transfer 1(1-2):123–133, 1997. doi:10.1007/s100090050009 [YPD94] W. Yi, P. Pettersson, M. Daniels. Automatic verification of real-time communicating systems by constraint-solving. In IFIP 1994. Pp. 243–258. 1994. AVoCS 2018 20 / 20 http://dx.doi.org/10.1007/978-3-642-36742-7_22 http://dx.doi.org/10.1007/s100090050009 Introduction Related work Preliminaries Timed automata Basic definitions Operational semantics Extensions of timed automata Verification of timed automata Zone-based verification Verification of extended timed automata Weakest precondition Backward exploration using weakest precondition Algorithm Overview of the approach State space exploration Data structure and operations Example Proof of correctness Comparison of backward and forward exploration Measurements Evaluation Weakest precondition Property definition Timed automata with diagonal constraints General conclusions Possible improvements Conclusions and future work