Fully Symbolic TCTL Model Checking for Incomplete Timed Systems [1] [1]This work was partly supported by the German Research Council (DFG) as part of the Transregional Collaborative Research Center ``Automatic Verification and Analysis of Complex Systems'' (SFB/TR 14 AVACS, http://www.avacs.org/). Electronic Communications of the EASST Volume 66 (2013) Proceedings of the Automated Verification of Critical Systems (AVoCS 2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 Georges Morbé and Christoph Scholl 15 pages Guest Editors: Steve Schneider, Helen Treharne Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 1 This work was partly supported by the German Research Council (DFG) as part of the Transregional Col- laborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS, http://www.avacs.org/). http://www.easst.org/eceasst/ ECEASST Fully Symbolic TCTL Model Checking for Incomplete Timed Systems ∗ Georges Morbé and Christoph Scholl Department of Computer Science, University of Freiburg, (morbe, scholl)@informatik.uni-freiburg.de Abstract: In this paper we present a fully symbolic TCTL model checking algo- rithm for incomplete timed systems. Our algorithm is able to prove that a TCTL property is violated or satisfied regardless of the implementation of unknown timed components in the system. For that purpose the algorithm computes over- approxi- mations of sets of states fulfilling a TCTL property φ for at least one implementation of the unknown components and under-approximations of sets of states fulfilling φ for all possible implementations of the unknown components. The algorithm works on a symbolic model for timed systems, called a finite state machine with time (FSMT), and makes use of fully symbolic state set representations containing both the clock values and the state variables. In order to handle incomplete timed sys- tems our model checking algorithm deals with different communication methods between the system and its unknown components, e.g. shared integer variables and urgent and non-urgent synchronization. Our experimental results demonstrate that it is possible to prove interesting properties at early stages of the design when parts of the overall system may not yet be finished. Additionally, fading out components of a large system may dramatically reduce the complexity of the system and thus the effort for verification. Keywords: Timed Automata, TCTL Model Checking, Black Box Model Checking 1 Introduction Both the application areas and the complexity of real-time systems have grown with an enormous speed during the last decades. Moreover, in many applications the correct operation of real- time systems is safety-critical. These reasons make verification of such systems crucial. Timed Automata (TAs) [AD94, Alu99] have become a standard for modeling real-time systems. They extend finite automata to the real-time domain by adding real-valued clock variables. All clock variables evolve over time with the same rate. During a discrete step that happens in zero-time a clock variable may be reset. Model checking approaches for TAs based on reachability analysis can be classified into semi symbolic and fully symbolic approaches. Semi-symbolic approaches represent discrete locations of TAs explicitly whereas sets of clock valuations are represented symbolically e.g. by unions of clock zones. Clock zones are convex regions that result from an intersection of clock constraints of the form xi −x j ∼ d where d ∈Q, ∼∈{<,≤,=,≥,>} and xi, x j are clock variables. Uppaal [LPY97, BDL04], the probably most prominent semi-symbolic approach, represents clock zones by so-called difference bound matrices (DBMs) and provides efficient methods for manipulating DBMs. In [MPS11] a fully symbolic model checking algorithm for reachability analysis based on finite state machines with time (FSMTs) and LinAIGs (‘And-Inverter-Graphs ∗ This work was partly supported by the German Research Council (DFG) as part of the Transregional Col- laborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS, http://www.avacs.org/). 1 / 15 Volume 66 (2013) mailto:(morbe, scholl)@informatik.uni-freiburg.de Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 with linear constraints’) [DDH+07, SDPK09, DDD+12] was presented. An FSMT is a for- mal model to represent real-time systems using transition functions and reset functions, which is especially suited for symbolic verification algorithms. TAs may be translated into FSMTs. LinAIGs provide a fully symbolic representation both for the continuous part (i.e. the clock values) and the discrete part (i.e. the state variables). A review of a number of alternative data structures for a fully symbolic representation of timed systems as well as their comparison to LinAIG representations can be found in [MPS11] as well. In this paper we consider verification approaches for incomplete timed systems, i.e., timed systems that contain unknown components. Unknown components are called ‘Black Boxes’ (BBs), whereas all known components are combined into the so-called ‘White Box’ (WB). Our verification algorithm deals with different communication methods between the WB and the BB, namely shared integer variables and urgent and non-urgent synchronization. We address two interesting questions: The question whether there exists a replacement of the BB such that a given property is satisfied (‘realizability’) and the question whether the property is satisfied for any possible replacement (‘validity’). The verification of incomplete timed systems can provide three major benefits: First of all, certain verification steps can be performed at early stages of the design of a timed system, when parts of the overall system may not yet be finished, so that errors can be detected as early as possible. Second, complex parts of a complete timed system can be abstracted away and just the relevant components for verifying a certain property are considered. Finally, the location of design errors in timed systems not satisfying some property can be narrowed down by iteratively masking potentially erroneous components. We use fully symbolic methods to do full TCTL model checking for incomplete timed systems. We use over-approximations of the set of states satisfying the given TCTL property φ for at least one implementation of the BB and we use under-approximations of set of states satisfying φ for all BB implementations. Using these sets, we provide sound proofs of validity and non- realizability. The paper is organized as follows. In Sect. 2 we give a brief review of Timed Automata (TAs), TCTL model checking, and finite state machines with time (FSMTs) as a fully symbolic representation for real-time systems. In Sect. 3 we compare our approach to related work. Our model checking algorithm for incomplete systems is given in Sect. 4. We conclude the paper in Sect. 6 after presenting experimental results in Sect. 5. 2 Preliminaries 2.1 Timed Automata Real-time systems are often represented as Timed Automata (TAs) [Alu99, AD94]. TAs use real-valued clock variables X := {x1,...,xn} to represent time. The set of clock constraints C (X) contains atomic constraints of the form (xi ∼ d) and (xi −x j ∼ d) with d ∈ Q and ∼∈ {<,≤,=,≥,>}. We consider TAs extended with integer variables. Let Int := {int1,...,intm} be a set of bounded integer variables with fixed lower and upper bounds for each integer. A TA has a finite number of discrete locations. A state of a TA is a combination of a location and a valuation of the clock variables and integer variables. When a TA stays in a location, a continuous transition may take place, i.e., all clock variables evolve over time with the same rate without changing the location or the values of the integers. In addition to continuous transitions, TAs may take discrete transitions from one location to another (which happen in zero time). Assignments to clocks and integers on a discrete transition take effect after taking the transition. Proc. AVoCS 2013 2 / 15 ECEASST r0 i = 2 a i := 2 a x1 ≤ 5 x0 ≥ 6 au x0 := 0 r1 r2 l0 l1 l2 au x1 := 0 a aui p0 p1 Figure 1: Timed System In general, transitions in TAs are labeled with guards, (syn- chronization) actions, assignments to integers and resets of clocks. Guards are restricted to conjunctions of clock constraints and con- straints on integers. A transition can only be taken, if its guard is satisfied, i.e., if it is ‘enabled’. Actions from Act :={a1,...,ak} are used for synchronization between different TAs. For our purposes they do not have a special meaning when considering one timed au- tomaton in isolation. Transitions in different automata labeled with the same actions have to be taken simultaneously. If a transition in a TA is not labeled with an action, then this transition can only be taken if all other TAs stay in their current location. If several transitions without action are enabled at the same time it is chosen non-deterministically which one to take. Resets are assign- ments to clock variables of the form xi := 0. If a transition is taken, then all resets and integer assignments on the transition are executed. A transition in a TA may be declared as urgent. Whenever an urgent transition in the system is enabled, the current location must be left without any delay. Just like transitions, actions may be declared as urgent. Let au be an urgent action. If several TA components are composed in parallel and in all components containing au-transitions a transition labeled with au is enabled, then there must not be any time delay before taking a transition. Example 1 The timed system shown in Fig. 1 consists of two TAs p0 and p1. Each TA has three locations, p0 has clock variable x0, p1 has clock variable x1. The bounded integer i is used to pass numerical information from one TA to the other. Initially, the timed system is in locations l0 and r0 with clock values x0 = 0 and x1 = 0 and integer value i = 0. When – starting from the initial state – time passes for 4.6 time units, e.g., the state s = (l0,r0,x0 = 4.6,x1 = 4.6,i = 0) is reached. The guards are used to enable transitions, for example the transition (r0,r1) is enabled in s whereas the transition (l0,l1) is only enabled when x0 has a value higher than or equal to 6. With the assignment i := 2 on the transition (l0,l1) integer i is set to 2. In p1 i is read in the guard i = 2 on the transition (r1,r2). Clock variable x0 is reset on (l2,l0) in p0, x1 is reset on (r2,r0) in p1. Both TAs synchronize over the non-urgent action a and the urgent action au. Because of a the two transitions (l2,l0) and (r2,r0) can only be taken in parallel. Similarly, (l1,l2) and (r1,r2) synchronize over the action au. Since au is an urgent action, when p0 is in l1, p1 is in r1, and i has a value of 2, time is not allowed to pass until the transitions (l1,l2) and (r1,r2) have been taken (in parallel). If there is a continuous or a discrete transition leading the TA from state s to state s′, we write s → s′. A trajectory of a T A is a finite or infinite sequence of states (s j) j≥0 with initial state s0 and s j−1 → s j for each j > 0. A state is reachable if there is a trajectory ending in that state. In many definitions for TAs found in the literature (e.g. [LPY97]) locations are connected with so-called invariants as an alternative to urgent transitions and urgent actions. Invariants in TAs are conjunctions of clock constraints of the form xi ∼ d with ∼∈{<,≤}, d ∈ Q+. A TA is only allowed to stay in a location as long as the location invariant is not violated. In some sense invariants are a means to define urgency implicitly: If a location l0 has the invariant x <= 5 and for instance one outgoing transition (synchronizing or non-synchronizing), then the outgoing transition becomes urgent as soon as the clock value of x equals 5. Especially for synchronizations between different components we prefer to make it explicit whether they are urgent (i.e. require a transition without letting time pass) or not. For that reason we do not allow invariants in this paper. This is not a real restriction, because it is easy to see that for each TA with closed location invariants there is a TA without invariants which is semantically equivalent 3 / 15 Volume 66 (2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 x ≤ 5 x ≤ 5 x = 5 TA TA′x := 0 x := 0 (a) urgent transitions x ≤ 5 x ≤ 5 x := 0 x = 5 TA TA′ a au a x := 0 (b) urgent synchroniztation Figure 2: Urgency caused by invariants (i.e. allows the same trajectories) and uses urgency only explicitly: Lemma 1 For each TA without urgency and with closed location invariants of the form ∧ki=1(xi ≤ di) with clock variables xi, di ∈ Q+ for i ∈ {1,...,k}, there exists a semantically equivalent TA with urgency and without invariants. Consider a location l in timed automaton T A with the closed invariant x ≤ n. When transform- ing T A into a semantically equivalent TA T A′, l is copied into an equivalent location l′ without invariant. For each incoming transition of l′ without reset on x in the copy an additional guard of the form x ≤ n is added to guarantee that l′ cannot be entered with a clock value x > n. For each outgoing non-synchronizing (and non-urgent) transition e of l with a guard g, g∧(x = n) 6= 0, there are two edges in the copy: One non-urgent transition with all original labels and one urgent transition with the additional guard x = n corresponding to the boundary of the invariant. This has the effect that whenever in l′ the value of x is n a discrete transition must be taken to leave the location. For a transition with a guard g′, g′∧(x = n) 6= 0, leaving l labeled with a synchronizing (and non-urgent) action a, there are two transitions in T A′ as well: The original transition and an additional transition with identical labels, apart from the additional guard (x = n) and an urgent action au replacing the original action a. (In other components composed in parallel, transitions which were originally labeled by a are also duplicated into two edges, one with the non-urgent action a and one with the urgent action au.) Figs. 2(a) and 2(b) illustrate these transformations. New urgent transitions (resp. transitions with urgent synchronization) are represented by dashed arrows. The connection of urgency and invariants has already been studied by Bornot et al. in [BST97], introducing TAs with deadlines that provide a general model for enforcing time progress condi- tions. In this model, transitions may be associated with deadlines and time progress is stopped whenever the deadline of such a transition is reached. Urgent transitions are called eager transi- tions in [BST97], non-urgent transitions are called lazy transitions. According to [BST97] any TA with deadlines may be transformed into a TA using only eager and lazy transitions. A timed system is a system of p timed automata {T A1,...,T Ap}. A timed system has an interleaving semantics, i.e., transitions in different TAs may not be taken simultaneously unless they synchronize over non-urgent or urgent actions. For simplicity, we assume that only two timed automata are able to synchronize over a (binary) synchronization action. As usual, the composition of p timed automata is again a timed automaton. The interface of a TA T Ai is formed by the synchronization actions that it has in common with other TAs T A j (i 6= j) and by integers on its transitions that are written / read by other TAs. In this paper we consider the urgency of a synchronization action in a TA T Ai as a property of its interface. An urgent action au enforces an immediate synchronization without letting time pass, whereas time is allowed to pass before the synchronization if TAs synchronize over a non-urgent action a. Remark 1 A timed system T A1,...,T Ap is called well-formed, if for each integer i and each synchronizing action a there is a unique TA T A j that is allowed to have transitions which are labeled by a and perform assignments to i. In well-formed systems write-conflicts on integers cannot occur. We only consider well-formed timed systems. Proc. AVoCS 2013 4 / 15 ECEASST In this paper we deal with incomplete networks of TAs. In such a system not all components are known in detail. Some components are modelled by a Black Box (BB) whose behavior is unknown. The remaining system is called White Box (WB). A BB is a part of the system and like all other components it interacts with the rest of the system. There are several types of communication between a BB and the WB, namely (1) shared bounded integer variables, (2) non-urgent and (3) urgent synchronization actions. (1) With shared bounded integer variables numerical values within the integer bounds can be passed from one TA to another. In an incomplete system the BB is allowed to update certain shared integer variables. The exact value after the update is then unknown to the WB. (2) Two enabled transitions synchronizing over a common non-urgent action have to be taken in parallel. If only one of the transitions is enabled, synchronization cannot take place and none of the two transitions can be taken. The problem of a synchronization between the WB and the BB consists in the fact that it is unclear when the BB sends a synchronization action. (3) As for non-urgent actions, transitions synchronizing over urgent actions have to be taken in parallel, but additionally a discrete transition must be taken without any delay, when an urgent synchronizing transition may take place. Thus, a BB can cause two effects via urgent actions: It may enable a transition in the WB ‘waiting for synchronization’ (just as for non-urgent actions) and it can disable time evolution (continuous transitions) until a discrete transition is taken. With these three types of communication in a timed system the BB is not only able to affect the discrete behavior of the WB but, because of urgency, the timing behavior of the WB may also be influenced. Remark 2 Note that we do not allow communication via shared clock variables in this paper. This means that we assume local clocks of the WB and the BB components. In particular, clocks that are written (i.e., reset) in the BB are not allowed to be used in guards of WB components. We make the (realistic) assumption that only discrete information can be communicated from one component to the other. Remark 3 Furthermore, we restrict our consideration to BBs that cannot enable infinitely many non-synchronizing urgent transitions during a finite amount of time. We call those BBs ‘non- Zeno’ BBs. Other BBs are not interesting for us, because they can stop time evolution without any interaction with the WB components. 2.2 Timed Computation Tree Logic Timed CTL [ACD93, HNSY92, BK08] is an extension of the temporal logic CTL [CE82] used to express properties for real-time systems. As usual, Eϕ holds in a state s when there exists a path starting in s that satisfies the path formula ϕ . Aϕ holds in a state s when ϕ is satisfied on all paths starting in s. A path formula is defined by ϕ ::= Φ UJ Ψ where J ⊆ R≥0 is an interval of real numbers. Intuitively, a path satisfies Φ UJ Ψ whenever at some point in J, a state satisfying Ψ is reached and at all previous time instants Φ∨Ψ holds [BK08]. Timed variants of the modal operators F (eventually) and G (always) can be derived as follows: F J Φ = true UJ Φ, AGJ Φ = ¬EF J¬Φ, and EGJ Φ = ¬AF J¬Φ. TCTL formulas with J = [0,∞) may be considered as a CTL formula and can be verified using normal CTL model checking algorithms. Any other 5 / 15 Volume 66 (2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 intervals J 6= [0,∞) in a TCTL formula can be handled as follows: For J 6= [0,∞) a new clock variable xnew is introduced that is neither used in the TA nor in the formula Φ. The variable xnew is used to measure the elapsed time until a certain property holds. A TCTL formula EF J Φ holds in a state s, e.g., iff the formula EF(Φ∧xnew ∈ J) holds in (s,xnew = 0). Model checking of a TCTL formula Φ uses a recursive method to compute for all subformulas Ψ the sets of states Sat(Ψ) for which Ψ is satisfied (similar to CTL model checking). If Ψ = EF J Ψ1, J 6= [0,∞), e.g., then Sat(EF J Ψ1) is computed by a fixed point iteration starting from Sat(Ψ1 ∧xnew ∈ J) using the predecessor operation Pre which computes for a state set S the set of all states s′ with s′ → s, s ∈ S. Pre is repeatedly applied until the fixed point is reached. Sat(EF J Ψ1) simply results by fixing xnew to 0 in resulting fixed point. As usual, we say that a TA fulfills a property Φ, if all initial states are included in Sat(Φ) (similar to CTL model checking). A complete exposition of TCTL model checking can be found in [BK08],e.g.. 2.3 Finite State Machine with Time (FSMT) In TAs locations are represented explicitly. By parallel composition of several TAs the number of locations may explode. For that reason FSMTs have been considered for symbolic represen- tations in [MPS11]. FSMTs do not define explicit representations of locations and thus, they are better suited for fully symbolic algorithms. An FSMT is basically an extension of finite state machines by real-valued clock variables. Let X := {x1,...,xn} be the set of real-valued clock variables, Y := {y1,..., yl} a set of (binary) state variables, I := {i1,...,ih} a set of (binary) input variables. Let Cb(X) be the set of arbitrary boolean combinations of clock constraints and Cb(X,Y ) be the set of arbitrary boolean combinations of clock constraints and state variables (similarly for Cb(X,Y,I)). As usual, c ∈ Cb(X,Y ) describes a subset of Rn ×{0,1}l , namely the set of all valuations of vari- ables in X and Y that evaluate c to true. An FSMT is defined as follows: Definition 1 (FSMT) A finite state machine with time, called FSMT, is a tuple 〈X,Y,I,init, (δ1,...,δl),(resetx1,...,resetxn),urgent〉 where X :={x1,..., xn} is a set of clock variables, Y := {y1,...,yl} is a set of state variables, I := {i1,...,ih} is a set of input variables, init : (R+0 )n × {0,1}l →{0,1} is a predicate describing the set of initial states, δi : (R+0 )n×{0,1}l ×{0,1}h → {0,1} (1 ≤ i ≤ l) are transition functions, resetx j : (R+0 )n×{0,1}l ×{0,1}h →{0,1} (1 ≤ j ≤ n) are reset functions, urgent : (R+0 ) n×{0,1}l ×{0,1}h →{0,1} is a predicate indicating when an urgent transition is enabled. The functions δi, resetx j and urgent can be represented by boolean combinations from Cb(X,Y,I), init can be represented by a boolean combination from Cb(X,Y ). A state of an FSMT is a valuation s = (xv1,...,x v n,y v 1,...,y v l ) ∈ (R + 0 ) n ×{0,1}l of the clock variables and the state variables. A valuation (yv1,...,y v l ) is also called a location of the FSMT. Trajectories of an FSMT always start in states fulfilling init. An FSMT may perform discrete steps that are defined by transition functions δi based on the valuations of clocks, state variables, and inputs. When performing a discrete step, the state variable yi is set to 0 (1) iff δi evaluates to 0 (1) and a clock xi is reset to 0 iff resetxi evaluates to 1. Moreover an FSMT may perform continuous steps (or time steps) where it stays in the same location, but lets time pass. This means that all clocks are increased by the same constant as long as the predicate urgent does not evaluate to 1. We consider systems of FSMTs {F1,...,Fp}, where the components are running in parallel. Communication in such a system is realized just as for communicating FSMs. FSMTs commu- nicate by reading each other’s state variables, clocks, and shared input variables. A system of Proc. AVoCS 2013 6 / 15 ECEASST FSMTs therefore is again an FSMT. In [MPS11] timed systems of several TAs are translated into FSMTs. The state bits y1,...,yl result from logarithmic encodings of locations and integer variables of the TAs. The transition functions δi represent transitions in the TAs and the reset functions are computed based on clock resets on these transitions. In order to obtain deterministic transition functions, self loops have to be added before the transformation and the decision between non-deterministic transitions is resolved by additional (pseudo-)inputs. Additional input variables are used for the selection between different interleaved TAs (in case of the so-called “pure interleaving behavior”) and for resolving read-/write-conflicts on integers and clocks (in case of the so-called “parallelized interleaving behavior”). Altogether we arrive at a set of inputs {i1,...,ih}. In the following we abbreviate x1,...,xn by ~x, y1,...,yl by ~y, i1,...,ih by~i etc.. For ease of exposition we assume that there is a one-to-one relation between the integer values in the allowed range and the assignments to the state bits corresponding to these integers. We omit easy but slightly tedious technical details due to invalid codes. 3 Related work Our approach shares ideas with Modal Transition Systems (MTSs) [LT88, LX90] (and their successors like Partial Kripke Structures (PKSs) [BG99] and Kripke Modal Transition Systems (KMTSs) [HJS01]) which exhibit must- and may-transitions between states. In our context must- transitions are transitions between states that exist for all possible BB implementations. May- transitions are transitions that may exist for at least one possible BB implementation. In that sense our method is strongly related to 3-valued model checking [HJS01] and its extensions using symbolic representations [CDEG03, NS04, NS13]. The approaches mentioned above were given for discrete systems, whereas we extend and adapt these ideas to timed systems and properties in TCTL (Timed Computation Tree Logic) [ACD93, HNSY92, BK08]. The module checking problem [KV96] may be seen as a validity problem (‘is a given property satisfied for all possible replacements of the BBs’) confined to a single BB (which models the environment behavior). Kupferman and Vardi use tree automata techniques to solve the mod- ule checking problem for discrete systems specified by branching time properties (CTL, CTL*) [KV96]. The realizability problem (‘does a replacement of the BBs exist, so that a given property is satisfied?’) is strongly connected to the controller synthesis problem [MPS95, AMPS98], where a system interacts with an unknown controller. In the real-time domain the controller synthesis problem is modeled as a timed two-player game [BCD+, EMP10, PEM], where the controller (BB) tries to satisfy a safety property and plays against the WB (who tries to violate it). unsafe a BB a WB x := 0 x ≥ 6 l0 l1 l2 Figure 3: BB example By Fig. 3 we illustrate that these approaches with their ‘classical notion’ of controller synthesis are not able to decide the realizability question for safety properties as defined in our context. The figure shows a small WB with an initial location l0, two additional loca- tions and two transitions labeled with the non-urgent action a and the guard x ≥ 6, respectively. The location l2 is considered to be unsafe and the task is to implement the BB in such a way that the unsafe location cannot be reached. The interface between the WB and the BB is given by a non-urgent synchronization action a. Since the synchronization action a is non-urgent, it is not possible to define such an implementation for the BB, since time is allowed to pass until x = 6 and the transition to the unsafe location can be taken even if the BB is always in a location with an enabled outgoing transition labeled by a. However, the mentioned controller synthesis approaches lead to the result that the property is realizable, i.e., it is possible 7 / 15 Volume 66 (2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 to replace the BB by a controller such that the unsafe location cannot be reached. This is due to the fact that these approaches assume that the controller is able to make transitions urgent (either explicitly or implicitly by invariants in the controller). This clearly gives the controller more power than allowed in our model where the BB and the WB are components with equal rights, that have to respect urgency or non-urgency of synchronization actions in the interface. If parts of an existing timed system that do not include invariants and communicate with their environment by non-urgent synchronization actions are abstracted away into a BB, then our approach may prove unrealizability (which means that the safety property is not valid for the original design) in cases when controller synthesis classifies the problem as realizable, since it gives the BB too much power. An example for such a case is given by the benchmark ‘arbiter error’ considered in Sect. 5, where ‘classical’ controller synthesis cannot identify the error, which is found with our TCTL model checking algorithm. Additionally, whereas existing controller synthesis tools like Uppaal-Tiga [BCD+] consider only reachability of safety properties, our algorithm goes beyond and is able to handle full TCTL properties. 4 Model Checking of Incomplete Timed Systems TCTL model checking for complete timed systems is based on the computation of a set Sat(Φ) of all states satisfying a TCTL formula Φ, followed by checking whether all initial states are included in this set (see also Sect. 2.2). The situation becomes more complex, if we consider incomplete timed systems, since for each implementation of the BB we may have different state sets satisfying Φ. For that reason we do not compute the set Sat(Φ), but two sets Sat∃(Φ) and Sat∀(Φ): Sat∃(Φ) contains all states, for which there is at least one BB implementation so that Φ is satisfied. In a similar manner, Sat∀(Φ) contains all states, for which Φ is satisfied for all possible BB implementations. It is easy to see that the following holds: • A property Φ is valid for an incomplete timed system (i.e. for all BB implementations the property is satisfied), if all initial states are included in Sat∀(Φ). • A property Φ is not realizable for an incomplete timed system (i.e. there is no BB imple- mentation that satisfies Φ), if there is an initial state that does not belong to Sat∃(Φ). In order to obtain sound results for validity resp. non-realizability, it is enough to compute approximations for Sat∃(Φ) and Sat∀(Φ). If we replace Sat∀(Φ) by an under-approximation Sat appr∀ (Φ) ⊆ Sat∀(Φ) and Sat∃(Φ) by an over-approximation Sat appr ∃ (Φ) ⊇ Sat∃(Φ), then the statements made above certainly remain correct. (An initial state that is in Sat appr∀ (Φ) is certainly in Sat∀(Φ) as well; an initial state that is not in Sat appr ∃ (Φ) is not in Sat∃(Φ) either.) In the following we show how to compute such sets. In order to simplify notations we usually write Sat∃(Φ) and Sat∀(Φ), even if the computed sets are approximations. In the next section we start with transformations needed to compute fully symbolic representations of sets Sat∃(Φ) and Sat∀(Φ). 4.1 Modeling Incomplete Systems More precisely, we begin with a sketch of how to extend the translation of TAs into FSMTs for incomplete systems. For our model checking algorithm the communication between the BB and the WB is of particular importance. We distinguish between four different types of transitions in the WB: Proc. AVoCS 2013 8 / 15 ECEASST (1) non-urgent transitions without synchronization with the BB, called nu-transitions in the following (2) urgent transitions without synchronization with the BB, called u-transitions (3) transitions with a non-urgent synchronization with the BB, called nu-sync-transitions (4) transitions with an urgent synchronization with the BB, called u-sync-transitions In our algorithm we do not work with one transition (reset) function for the incomplete system at hand, but with different transition (reset) functions for different types of transitions. First, we consider only the transitions in the TAs that do not synchronize with the BB at all (i.e. only nu-transitions and u-transitions) and apply the transformation from [MPS11] (includ- ing addition of self loops etc.) resulting in transition functions δ no−synci (~x,~y,~i). Secondly, we consider only u-sync-transitions, leading to transition functions δ u−synci (~x,~y,~i). These transition functions are computed by the transformation from [MPS11] restricted to u-sync-transitions. The transition functions δ no−synci and δ u−sync i are used in the computation of Sat∀(Φ). To compute Sat∃(Φ) a third transition function is needed. Here, actions used for communi- cation with the BB on nu-sync-transitions and u-sync-transitions can be omitted, because there can always be a BB implementation sending the requested action such that synchronizing transi- tions are always enabled. The functions δ alli (~x,~y,~i) for the state bits yi are then computed by the transformation from [MPS11] considering all transitions in the WB. Similarly we compute three reset functions for each clock variable xi ∈ X . Two reset functions are used for the computation of Sat∀(Φ), one for the resets on the nu-transitions and u-transitions (reset no−syncxi (~x,~y,~i)) and a second for u-sync-transitions (reset u−sync xi (~x,~y,~i)). A third reset func- tion (reset allxi (~x,~y, ~i)) for all transitions in the WB (with neglected synchronization actions with the BB) is needed for the computation of Sat∃(Φ). Finally, we need two additional urgency predicates in our algorithm (Sect. 4.2): uno−sync(~x,~y) is a predicate evaluating to 1, if a u-transition is enabled in state (~x,~y) and uu−sync(~x,~y) is a predicate evaluating to 1, if a u-sync-transition is enabled in state (~x,~y). 4.2 Model checking algorithm Now we show how to do fully symbolic TCTL model checking for incomplete real-time systems modeled as incomplete FSMTs by computing fully symbolic representations of the sets Sat∃(Φ) and Sat∀(Φ) as defined above.1 The most important ingredient of TCTL model checking is the predecessor operation Pre (see also Sect. 2.2); thus the essential contribution is how to define two variants of Pre for computing Sat∃ and Sat∀. Definition 2 (Pre∃(S), Pre∀(S)) s′ is included into Pre∃(S) iff for at least one BB implementa- tion there is a transition s′ → s with s ∈ S. (This transition can be regarded as a may transition following the notion from [LT88]). A state s′ is included in Pre∀(S) iff for all BB implementa- tions there is a transition s′ → s with s ∈ S. (The transition is a must transition.) For formulas like Φ = EF Ψ whose evaluation needs a fixed point iteration we make use of Pre∃ to compute Sat∃(Φ) (instead of Pre which is used for complete systems). In the special case Φ = EF Ψ we start with the set Sat∃(Ψ) ( that at least includes the set of states that may satisfy Ψ 1 If clear from the context, we do not always differentiate between sets like Sat∃(Φ) and predicates describing these sets. 9 / 15 Volume 66 (2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 depending on the concrete BB implementation) and we use Pre∃ to compute the set of states that can reach Sat∃(Ψ) via one ‘may transition’. By iteratively applying Pre∃ we obtain Sat∃(EF Ψ) that includes all states from which there is a computation path to a state from Sat∃(Ψ) for at least one BB implementation. Likewise for Sat∀(Φ) we replace Pre by Pre∀. In the special case Φ = EF Ψ we start with the set Sat∀(Ψ) ( that at most includes the set of states that definitely satisfy Ψ independently from the BB implementation) and we use Pre∀ to compute the set of states which can reach Sat∀(Ψ) via one ‘must transition’, i.e. independently from the BB implementation. Again, we obtain Sat∀(EF Ψ) by iteratively applying Pre∀. The remaining operations are more or less straightforward. It is easy to see that Sat∀(¬Φ) = ¬Sat∃(Φ), Sat∃(¬Φ) = ¬Sat∀(Φ), i.e., negation plays a special role here, since it turns ‘exis- tential quantification of BBs into universal quantification’ and over-approximation into under- approximation (and vice-versa). Moreover, it holds Sat∀(Φ1 ∧Φ2) = Sat∀(Φ1)∧Sat∀(Φ2) and Sat∃(Φ1∧Φ2)⊆ Sat∃(Φ1)∧Sat∃(Φ2). In the second case we only have ‘⊆’ instead of ‘=’, since a certain state may fulfill Φ1∧¬Φ2 for certain BB implementations and ¬Φ1∧Φ2 for all others, thus it belongs to Sat∃(Φ1)∧Sat∃(Φ2), but not to Sat∃(Φ1 ∧Φ2). For approximations we over- approximate by identifying Sat appr∃ (Φ1 ∧Φ2) with Sat appr ∃ (Φ1)∧Sat appr ∃ (Φ2). A second source of approximation stems from the fact that we assume that the BB can make different decisions based on the current state of the WB, i.e., the BB ‘can read the state bits of the WB’. (Note that the same assumption is implicitly made in classical controller synthesis approaches for safety properties as well [BCD+, EMP10, PEM].) The evaluation of general TCTL formulas needs both Pre∀ and Pre∃. In the following we describe the computation of Pre∀(Φ) and Pre∃(Φ) separately for discrete steps and time steps. We start with Pre∀(Φ). 4.3 Pred∀(Φ) – The Discrete Step for Pre∀(Φ) Starting with a state set Φ(~x,~y) the discrete (backward) step needed for Pre∀(Φ) computes all predecessors from which Φ can be reached over a discrete transition in the WB, independently from the implementation of the BB. Since it is possible that the BB does not synchronize with the WB at all, we consider only u-transitions and nu-transitions which are described by the functions δ no−synci . The discrete step can then be computed similarly as in [MPS11] using the transition functions δ no−synci and the reset functions reset no−syncxi . Lemma 2 The resulting state set Pred∀(Φ)(~x,~y) contains only states from which Φ(~x,~y) is reachable by a discrete transition in the WB independently from any BB behavior. The proof of the lemma is straightforward, since due to the interleaving semantics of TAs, the u-transitions and nu-transitions of the WB can always be taken independently from the imple- mentation of the BB. On the other hand, discrete steps that reach Φ independently from the BB use only u-transitions and nu-transitions. This is easy to see by considering a special BB implementation BBno−sync that never synchronizes with the WB and thus disables all nu-sync-transitions and u-sync-transitions. 4.4 Prec∀(Φ) – The Time Step for Pre∀(Φ) Proc. AVoCS 2013 10 / 15 ECEASST l0 i = 1 au i = 0 au x = 5 x = 6 x = 7 au iBB l1 l2 Figure 4: Time step Starting with a state set Φ(~x,~y) the time step for Pre∀(Φ) com- putes all predecessors from which Φ(~x,~y) can be reached through time passing, independently from the BB implementation. Because of urgent synchronization, the BB can affect the timing behaviour in the WB by enabling a u-sync-transition and thus stopping time evolution. Example 2 We illustrate the time step by a small example shown in Fig. 4. Here, the BB communicates with the WB over an urgent synchronization action au and a shared integer i with i ∈{0,1}. Let Φ be the state set already computed by our backward model checking algorithm. We assume that (l0,x = 7,i = 0) ∈ Φ, (l0,x = 7,i = 1) ∈ Φ and ask whether we can include (l0,x = 0,i = 0) into the states reaching Φ independently from the BB implementation. If the BB never sends the action au, then no u-sync-transitions (dashed lines) would be enabled and time would be allowed to pass starting from (l0,x = 0,i = 0). (The time evolution could be interrupted by discrete urgent and non-synchronizing transitions inside the BB possibly writing on i, but only by finitely many of those, since we consider only non-Zeno BBs, see Remark 3.) Finally we would arrive at (l0,x = 7,i = 0) or (l0,x = 7,i = 1). However, the situation is more complicated, since we have to consider all possible BB implementations including BBs which send au and thus disable time evolution. We consider two cases. Case 1: The BB is not allowed to write i on synchronizing transitions with au, because i is written on such transitions in the WB (see Remark 1). Then the BB cannot change i on the u-sync-transitions in Fig. 4. (All the same, the BB can always interrupt time evolutions by discrete urgent and non-synchronizing transitions inside the BB and switch between i = 0 and i = 1.) Only if both (l1,x = 5,i = 0) ∈ Φ and (l2,x = 6,i = 1) ∈ Φ, we can conclude that we can definitely reach Φ from (l0,x = 0,i = 0). Time evolution may lead from (l0,x = 0,i = 0) to (l0,x = 5,i = 0). If the BB then enables the transition from l0 to l1 in Fig. 4, then Φ is reached via this u-sync-transition. If not, time evolution may continue until x = 6. Again, if the BB then enables the transition from l0 to l2 (this presumes that the BB has set i := 1 before), then Φ is reached via this u-sync-transition. Otherwise the time evolution continues until (l0,x = 7,i = 0) or (l0,x = 7,i = 1) that are both in Φ. Case 2: The BB is allowed to write i on synchronizing transitions. Then the BB may switch the integer i from 0 to 1 while taking the u-sync-transitions in Fig. 4. Compared to Case 1, we have thus to demand (l1,x = 5,i = 1) ∈ Φ and (l2,x = 6,i = 0) ∈ Φ as well, if we want to guarantee that we can definitely reach Φ from (l0,x = 0,i = 0). Based on the ideas given in Ex. 2 we arrive at the following formula Prec∀(Φ) for the time step: Prec∀(Φ)(~x,~y) = [ ∧nj=1 (x j ≥ 0) ] ∧( ¬uno−sync(~x,~y)∧ [ uu−sync(~x,~y) =⇒ ∀~yu−syncBB ∀~i Pre u−sync d (Φ)(~x,~y,~i) ]) ∧ ∃λ [ (λ > 0)∧∀~yallBB ( Φ(~x +~λ ,~y)∧ { ∀λ ′(0 < λ ′ < λ ) =⇒ ( ¬uno−sync(~x + ~λ ′,~y)∧[ uu−sync(~x + ~λ ′,~y) =⇒ ∀~yu−syncBB ∀~i Pre u−sync d (Φ)(~x + ~λ ′,~y,~i) ])})] (1) with~x+~λ abbreviated for (x1 +λ ,...,xn +λ ) for a scalar λ , Pre u−sync d (Φ)(~x,~y,~i) being obtained from Φ(~x,~y) by computing a discrete step using δ u−synci (~x,~y,~i) and reset u−sync x j (~x,~y,~i). The subset ~yallBB ⊆~y represents the state variables corresponding to the integer variables that are allowed to be written by the BB (see Case 1 of Ex. 2) and ~yu−syncBB ⊆~yallBB represents the state variables that are allowed to be written by the BB on u-sync-transitions (see Case 2 of Ex. 2). 11 / 15 Volume 66 (2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 Lemma 3 The resulting state set Prec∀(Φ)(~x,~y) contains only states from which states of Φ can be reached (via time evolution and/or via u-sync-transitions), independently from the BB behaviour. The proof of the lemma is rather tedious and omitted due to lack of space. The ideas and all relevant arguments and cases have been given in Ex. 2. 4.5 Pred∃(Φ) – The Discrete Step for Pre∃(Φ) In Pre∃(Φ) the discrete step computes all predecessors such that there exists a BB implemen- tation for which Φ can be reached over a discrete transition in the WB. Pred∃(Φ)(~x,~y) can be computed as in [MPS11] using δ alli (~x,~y,~i) and reset all xi (~x,~y, ~i). Lemma 4 The resulting state set Pred∃(Φ)(~x,~y) contains all states for which there exists a BB implementation such that Φ(~x,~y) is reachable by a discrete transition in the WB. The proof follows from the following argument: The result corresponds to a backwards eval- uation of discrete WB transitions of any kind (nu-transitions, u-transitions, nu-sync-transitions, u-sync-transitions). Of course, more transitions can never be enabled in the WB, not even by a BB implementation that always provides all synchronization actions needed to enable synchro- nizing transitions in the WB. 4.6 Prec∃(Φ) – The Time Step for Pre∃(Φ) The time step for Pre∃(Φ) can be described by Prec∃(Φ)(~x,~y) = [ ∧nj=1 (x j ≥ 0) ] ∧¬uno−sync(~x,~y)∧∃∃λ [ (λ > 0)∧( (∃~yallBBΦ(~x +~λ ,~y))∧ { ∀λ ′(0 < λ ′ < λ ) =⇒ ( ∃~yallBB¬uno−sync(~x + ~λ ′,~y) )})] (2) Lemma 5 The resulting state set Prec∃(Φ)(~x,~y) contains all states for which there exists a BB implementation such that Φ(~x,~y) is reachable through time elapsing. The correctness of the lemma follows from the following facts: There may be a time evolution of length λ > 0 from (~x,~y) to a state (~x +~λ ,~y′) in Φ, if (1) ~y′ results from ~y by replacing state bits ~yallBB corresponding to shared integer variables and (2) the time evolution is not stopped by urgent transitions in between. The reason for part (1) is given by the fact that an arbitrary BB is able to interrupt the time evolution by non-synchronizing urgent transitions that change ~y into ~y′ by writing to the shared integers. This is expressed by the existential quantification ∃~yallBB before Φ(~x +~λ ) in Eqn. (2). Part (2) is ensured as follows: First, condition ¬uno−sync(~x,~y) in Eqn. (2) ensures that no u-transition is enabled in (~x,~y). Secondly, condition ∃~yallBB¬uno−sync(~x + ~λ ′,~y) has to hold for each λ ′ between 0 and λ . Since for each λ ′ between 0 and λ the BB may arbitrarily interrupt the time evolution and write on the shared integer variables, it is enough that u-transitions are disabled for an arbitrary value of the shared integer variables ~yallBB (which is expressed by the quantification ∃~yallBB). 4.7 Discrete and Time Steps Together In our implementation we apply alternating discrete steps and time steps for the operations Pre∃ and Pre∀. For Pre∃ we additionally apply an existential quantification of the shared integer Proc. AVoCS 2013 12 / 15 ECEASST variables~yallBB after each application of Pre d ∃ and Pre c ∃. This existential quantification corresponds to an interleaving with a potential discrete backwards step of the BB. Since we have to consider all possible BB implementations for Pre∃, we have to assume that the shared integers can be set to arbitrary values in this step. Since for Pre∀ we only have to consider effects shared by all possible BB implementations and there are certainly BB implementations that do not write shared integers at all, we completely omit potential discrete BB backward steps (and thus the existential quantification of ~yallBB) for Pre∀. 5 Experiments We implemented the TCTL model checking algorithm for incomplete timed systems in the pro- totype model checker FSMT-MC [MPS11]. Tab. 1 shows the results of the new method on several parameterized benchmarks with parameter n. Parameterized benchmarks made it easy for us to generate sets of increasingly complex benchmarks for comparison. Actually we do not consider parameterized benchmarks as the main field of application for our algorithm and thus we did not make use of symmetry reduction, neither within our tool nor within any competitor. ‘CPP’ is a system of communicating parallel processes. The complete version of CPP has n components, an incomplete version with BB only 2 WB components. The benchmark ‘arbiter’ [MPS11] models n processes which are controlled by a distributed arbiter. The complete ver- sion contains 2n + 1 components, an incomplete version contains n + 3 WB components. The Leader Election benchmark (‘leader’) [EFGP10] models a timed leader election in a ring proto- col. We modeled a version of the system with an error such that the leader is not found within a certain time limit. The complete version has n components, the incomplete version has only 3 WB components, but their size increases linearly with n. The Carrier Sense Multiple Access with Collision Detection (‘CSMA’) benchmark [Yov97] is a system with several senders trying to access a common bus. In its complete version it has n + 3 components, the incomplete version has 3 components; one of them increases linearly with n. In all cases the WB components com- municate with the BB components which are abstracted away by exchanging integers values and urgent resp. non-urgent synchronization actions.2 The first column (‘nbr.’) in Tab. 1 gives the parameters n. All times in Tab. 1 are given in CPU seconds. We ran FSMT-MC on the complete version (‘comp.’) and on the incomplete version (‘inc.’) of the benchmarks and compare the results to the state-of-the-art model checkers Uppaal v.4 (UPP.), RED 8 and Kronos 2.5 (KR.). Uppaal performs a forward analysis and RED does a backward traversal. Both can only be used for reachability analysis whereas Kronos can also be used for full TCTL model checking, but cannot handle benchmarks containing integer variables (like ‘arbiter’ and ‘leader’). All bench- marks were originally modeled as TAs and were automatically translated into FSMTs [MPS11]. CPU times of the (un-optimized) translator for the complete (‘comp.’) and the incomplete (‘inc.’) timed systems are given in Tab. 1 in columns TA2FSMT. In all cases when the model checker did not timeout, the sum of translation times and model checking times did not exceed the timeout either. The experiments have been conducted on an Intel Xeon with 3.3 Ghz with a time limit of 2 CPU hours and a memory limit of 2 GB. For the benchmark CPP we test freedom of Zeno behaviour (‘CPP zeno’) with the property ΦNZ = AG(EF{=1}true). To verify this property we need full TCTL model checking and there- fore we compare our results only to the tool Kronos. For the complete system, we detect Zeno behaviour (i.e. ΦNZ is not satisfied) for n up to 6, Kronos reaches n = 3. For the incomplete system FSMT-MC easily verifies non-realizability of ΦNZ for n up to 50. This means that the reason for Zeno behaviour lies in the WB components and cannot be fixed by BB implementa- 2 More details about the benchmarks as well as the benchmark files themselves can be found at http://www.informatik.uni-freiburg.de/∼morbe/bb-tctl/. 13 / 15 Volume 66 (2013) Fully Symbolic TCTL Model Checking for Incomplete Timed Systems 1 tions. (For the CPP benchmark this result is more interesting than the shorter CPU times, since the size of the WBs remains constant for increasing n.) For the arbiter benchmark we considered a correct version (arbiter) and an erroneous version (arbiter error). For the complete and correct version our model checking algorithm can prove correctness for n up to 16, whereas Uppaal and RED cannot go beyond n = 6. For the incomplete (correct) version, FSMT-MC can prove validity of the safety property for n up to 50. For the erroneous version, the situation is similar. FSMT-MC is able to prove that the safety property is not realizable for the incomplete (and incorrect) version, i.e., no BB implementation can prevent the system from reaching the unsafe states. This is achieved with much smaller run times than for the complete version. Remember that for the arbiter as well as for the following benchmarks the complexity of the WB increases with n. For the incomplete leader benchmark we can prove unrealizability for large systems as well, i.e., independently from the BB behaviour no leader can be found within a given time limit. In contrast to the cases above Uppaal and RED outperform our tool for the complete system. On the CSMA benchmark we tested freedom of Zeno behaviour with property ΦNZ . Kronos falsifies property ΦNZ for systems with up to 7 senders. For incomplete variants with BB FSMT- MC easily proves unrealizability of ΦNZ for large systems using full TCTL model checking. nbr. UPP. RED FSMT-MC TA2FSMT comp. inc. comp. inc. ar bi te r 5 30.5 4.6 12.6 2.3 1.7 6.4 6 3556.9 40.7 20.9 3.0 2.9 8.8 7 to to 25.6 3.3 3.7 10.8 16 to to 1687.6 24.5 18.4 52.2 17 to to to 28.1 20.4 58.3 50 to to to 561.7 214.2 512.5 ar bi te r er ro r 3 0.1 0.6 1.3 1.0 1.2 2.7 4 0.1 to 1.2 1.4 1.4 4.4 10 2648.0 to 5.9 2.3 7.4 21.4 11 to to 6.8 2.3 8.7 25.7 49 to to 122.5 16.9 199.5 490.7 50 to to to 17.2 209.3 509.9 le ad er 5 0.4 18.3 to 124.7 4.0 15.3 6 2.3 to to 72.6 5.7 21.1 10 2960.7 to to 163.0 17.7 59.8 11 to to to 149.5 21.4 72.3 50 to to to 421.8 3702.2 2376.5 nbr. KR. FSMT-MC TA2FSMT comp. inc. comp. inc. C P P ze no 3 0.5 6.1 7.3 1.5 3.0 4 to 131.5 5.5 2.2 4.6 6 to 2205.1 5.5 4.8 9.0 7 to to 8.2 6.4 11.9 49 to to 16.8 345.0 502.9 50 to to 16.0 357.1 522.1 C S M A 3 0.1 to 6.2 1.2 2.2 6 0.7 to 7.2 2.5 5.0 7 0.5 to 10.5 3.2 6.4 8 to to 11.9 4.0 7.9 49 to to 13.0 138.3 184.2 50 to to 18.2 142.5 192.5 Table 1: Experimental results In summary, we observe that after abstracting timed components our new TCTL model checker is still able to prove interesting validity and unrealizability results within much smaller times than needed for the complete system. 6 Conclusion We presented a fully symbolic TCTL model checking algorithm for FSMTs able to handle in- complete timed systems. We described the computation of the discrete step and the time step to be able to handle incomplete FSMTs communicating with the BB over shared integers and urgent and non-urgent synchronization. For a given TCTL property and an incomplete FSMT our model checking algorithm can prove non-realizability (there is no BB implementation such that the property is satisfied) and validity (the property is satisfied for all possible BB implemen- tations). The experimental results show that it is possible to prove interesting properties early when parts of the overall system may not yet be finished. Additionally the results demonstrate Proc. AVoCS 2013 14 / 15 ECEASST that fading out complete components of a timed system dramatically reduces the complexity of the system and the verification effort. As mentioned in Sect. 4 our algorithm is sound, but approximate since different decisions of the BB can be made based on different states of the WB. An interesting task for the future would be to investigate exact (or more exact) solutions taking the ‘restricted degree of informedness’ of the BB into account (possibly for restricted scenarios like one single BB, e.g..). Bibliography [ACD93] Alur, Courcoubetis, Dill. Model-Checking in Dense Real-time. Information and Computation, 1993. [AD94] Alur, Dill. A Theory of Timed Automata. Theoretical Computer Science, 1994. [Alu99] Alur. Timed Automata. Theoretical Computer Science, 1999. [AMPS98] Asarin, Maler, Pnueli, Sifakis. Controller Synthesis For Timed Automata. 1998. [BCD+] Behrmann, Cougnard, David, Fleury, Larsen, Li. UPPAAL-Tiga: time for playing games! CAV’07. [BDL04] Behrmann, David, Larsen. A Tutorial on Uppaal. In SFM. 2004. [BG99] Bruns, Godefroid. Model Checking Partial State Spaces with 3-Valued Temporal Logics. In CAV. 1999. [BK08] Baier, Katoen. Principles of Model Checking (Representation and Mind Series). The MIT Press, 2008. [BST97] S. Bornot, J. Sifakis, S. Tripakis. Modeling Urgency in Timed Systems. In COMPOS. 1997. [CDEG03] Chechik, Devereux, Easterbrook, Gurfinkel. Multi-valued symbolic model-checking. ACM Trans. Softw. Eng. Methodol. 12, 2003. [CE82] Clarke, Emerson. Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic. In Logic of Programs. 1982. [DDD+12] Damm, Dierks, Disch, Hagemann, Pigorsch, Scholl, Waldmann, Wirtz. Exact and fully symbolic verifi- cation of linear hybrid automata with large discrete state spaces. Sci. Comput. Program. 77, 2012. [DDH+07] Damm, Disch, Hungar, Jacobs, Pang, Pigorsch, Scholl, Waldmann, Wirtz. Exact State Set Representa- tions in the Verification of Linear Hybrid Systems with Large Discrete State Space. In Proc. of ATVA. 2007. [EFGP10] Ehlers, Fass, Gerke, Peter. Fully Symbolic Timed Model Checking Using Constraint Matrix Diagrams. In Proc. of RTSS. 2010. [EMP10] Ehlers, Mattmüller, Peter. Combining Symbolic Representations for Solving Timed Games. In Proc. of FORMATS. 2010. [HJS01] Huth, Jagadeesan, Schmidt. Modal Transition Systems: A Foundation for Three-Valued Program Anal- ysis. In Europ. Symp. on Programming. 2001. [HNSY92] Henzinger, Nicollin, Sifakis, Yovine. Symbolic Model Checking for Real-time Systems. Information and Computation, 1992. [KV96] O. Kupferman, M. Y. Vardi. Module Checking. In CAV. LNCS 1102, pp. 75–86. 1996. [LPY97] Larsen, Pettersson, Yi. UPPAAL in a Nutshell. STTT 1, 1997. [LT88] Larsen, Thomsen. A Modal Process Logic. In LICS. 1988. [LX90] Larsen, Xinxin. Equation Solving Using Modal Transition Systems. In LICS. 1990. [MPS95] Maler, Pnueli, Sifakis. On the Synthesis of Discrete Controllers for Timed Systems. In STACS. 1995. [MPS11] Morbé, Pigorsch, Scholl. Fully Symbolic Model Checking for Timed Automata. In Proc. of CAV. 2011. [NS04] Nopper, Scholl. Approximate Symbolic Model Checking for Incomplete Designs. In FMCAD. 2004. [NS13] Nopper, Scholl. Symbolic Model Checking for Incomplete Designs With Flexible Modeling of Un- knowns. IEEE Transactions on Computers, 2013. [PEM] Peter, Ehlers, Mattmüller. Synthia: Verification and Synthesis for Timed Automata. CAV’11. [SDPK09] Scholl, Disch, Pigorsch, Kupferschmid. Computing Optimized Representations for Non-convex Poly- hedra by Detection and Removal of Redundant Linear Constraints. In Tools and Algorithms for the Construction and Analysis of Systems. 2009. [Yov97] Yovine. Kronos: A Verification Tool for Real-Time Systems. Journal on Software Tools for Technology Transfer, 1997. 15 / 15 Volume 66 (2013) Introduction Preliminaries Timed Automata Timed Computation Tree Logic Finite State Machine with Time (FSMT) Related work Model Checking of Incomplete Timed Systems Modeling Incomplete Systems Model checking algorithm Pred() – The Discrete Step for Pre() Prec() – The Time Step for Pre() Pred() – The Discrete Step for Pre() Prec() – The Time Step for Pre() Discrete and Time Steps Together Experiments Conclusion