## **Singapore Management University**

# Institutional Knowledge at Singapore Management University

Research Collection School Of Computing and Information Systems School of Computing and Information Systems

1-2013

# Modeling and verifying hierarchical real-time systems using stateful timed CSP

Jun SUN Singapore Management University, junsun@smu.edu.sg

Yang LIU

Jin Song DONG

Yan LIU

Ling SHI

See next page for additional authors

Follow this and additional works at: https://ink.library.smu.edu.sg/sis\_research

Part of the Programming Languages and Compilers Commons, and the Software Engineering Commons

### Citation

SUN, Jun; LIU, Yang; DONG, Jin Song; LIU, Yan; SHI, Ling; and ANDRÉ, Étienne. Modeling and verifying hierarchical real-time systems using stateful timed CSP. (2013). *ACM Transactions on Software Engineering and Methodology*. 22, (1), 3:1-3:29. **Available at:** https://ink.library.smu.edu.sg/sis\_research/4995

This Journal Article is brought to you for free and open access by the School of Computing and Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Computing and Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please email cherylds@smu.edu.sg.

# Author

Jun SUN, Yang LIU, Jin Song DONG, Yan LIU, Ling SHI, and Étienne ANDRÉ

# Modeling and Verifying Hierarchical Real-Time Systems Using Stateful Timed CSP

JUN SUN, Singapore University of Technology and Design YANG LIU, JIN SONG DONG, YAN LIU, LING SHI, and ÉTIENNE ANDRÉ, National University of Singapore

Modeling and verifying complex real-time systems are challenging research problems. The *de facto* approach is based on Timed Automata, which are finite state automata equipped with clock variables. Timed Automata are deficient in modeling hierarchical complex systems. In this work, we propose a language called *Stateful Timed CSP* and an automated approach for verifying Stateful Timed CSP models. Stateful Timed CSP is based on Timed CSP and is capable of specifying hierarchical real-time systems. Through dynamic zone abstraction, *finite-state* zone graphs can be generated automatically from Stateful Timed CSP models, which are subject to model checking. Like Timed Automata, Stateful Timed CSP models suffer from Zeno runs, that is, system runs that take infinitely many steps within finite time. Unlike Timed Automata, model checking with non-Zenoness in Stateful Timed CSP can be achieved based on the zone graphs. We extend the PAT model checker to support system modeling and verification using Stateful Timed CSP and show its usability/scalability via verification of real-world systems.

General Terms: Algorithms, Languages, Verification

Additional Key Words and Phrases: Stateful Timed CSP, Zone Abstraction, Non-Zenoness, PAT

#### **ACM Reference Format:**

Sun, J., Liu, Y., Dong, J. S., Liu, Y., Shi, L., and André, É. 2013. Modeling and verifying hierarchical real-time systems using stateful timed CSP. ACM Trans. Softw. Eng. Methodol. 22, 1, Article 3 (February 2013), 29 pages.

DOI = 10.1145/2430536.2430537 http://doi.acm.org/10.1145/2430536.2430537

#### 1. INTRODUCTION

The correctness of safety-critical computer-based systems is crucial. Real-world systems often depend on quantitative timing. Modeling and verification of real-time systems are challenging research topics that have important practical implications. The choice of language for real-time system modeling is an important factor in the success of the entire system analysis or development. The language should cover facets of the requirements and the model should reflect a system *intuitively and exactly* (up to abstraction of irrelevant details). It should have a semantic model suitable to study the behaviors of the system and to establish the validity of desired properties.

Many languages have been proposed to model real-time systems, for instance, algebra of timed processes [Nicollin and Sifakis 1994], Timed CCS [Yi 1991], Timed CSP [Schneider 2000], etc. The most popular one is Timed Automata [Alur and Dill 1994; Lynch and Vaandrager 1996] and its variant Timed Safety Automata [Henzinger et al. 1994]. Timed Automata are finite state automata equipped with real-valued

© 2013 ACM 1049-331X/2013/02-ART3 \$15.00

DOI 10.1145/2430536.2430537 http://doi.acm.org/10.1145/2430536.2430537

This article is a significant extension of Sun et al. [2009b].

Author's address: J. Sun; email: sunjunhqq@gmail.com.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or permissions@acm.org.

clocks. They are powerful as they allow explicit representation of real-time through the manipulation of clock variables. Real-time constraints are captured by clock constraints on system transitions, setting or resetting clocks, etc. Verification tools for Timed Automata based models have proven to be successful, for instance, UPPAAL [Larsen et al. 1997], KRONOS [Bozga et al. 1998].

Models based on Timed Automata often have a simple structure. For instance, the input models of the popular UPPAAL checker are networks of Timed Automata with no hierarchy. While a simple structure may lead to efficient model checking, it may not be ideal as designing and verifying hierarchical complex real-time systems are becoming an increasingly urgent task due to the widespread applications and increasing complexity of real-time systems. High-level requirements for real-time systems are often stated in terms of *deadline*, *timeout*, and *timed interrupt* [Lai and Watson 1997; Dong et al. 1999; Lindahl et al. 2001]. In practice, system requirements are often structured into phases, which are then composed in many different ways. Unlike Statecharts equipped with clocks [Harel and Gery 1997] or timed process algebras [Nicollin and Sifakis 1994; Yi 1991; Schneider 2000], Timed Automata lack high-level compositional patterns for hierarchical design. Users often need to manually cast high-level requirements into a set of clock variables with carefully calculated clock constraints. This process is tedious and error-prone. On the other hand, real-time system modeling based on timed process algebras often suffers from lack of language features (e.g., shared variables) or automated tool support.

In this work, we propose an alternative approach to model and verify real-time systems. In particular, we make the following technical contributions.

- -We propose a language named *Stateful Timed CSP* to model hierarchical real-time systems. Stateful Timed CSP extends Timed CSP [Schneider 2000] with language constructs to manipulate data structures in order to support real-world applications easily. More important, it supports a rich set of timed process constructs to capture timed system behavior patterns, for instance, *delay*, *deadline*, *timeout*, *timed interrupt*, etc.
- —We develop a fully automatic method to model check Stateful Timed CSP models. Different from Timed Automata, Stateful Timed CSP relies on *implicit* clocks. For instance, a process that has a deadline is intuitively written as P deadline[d]. Intuitively speaking, an implicit clock starts ticking once process P is activated (i.e., Phas the control and is ready to perform some action) and P must terminate when its reading is d. As a result, abstraction and verification techniques designed for Timed Automata are not directly applicable. Inspired by the previous work on zone abstraction [Dill 1989], we propose dynamic zone abstraction. The idea is to dynamically create/prune clocks (only if necessary) to capture constraints introduced by the timed process constructs. We prove that dynamic zone abstraction produces an abstract model, that is, a zone graph, which is both finite-state and property preserving, so that it is subject to temporal logic based model checking or refinement checking.
- We develop an approach to verify Stateful Timed CSP models with the assumption of non-Zenoness, that is, infinitely many steps always take infinite time. Zeno executions are unrealistic for obvious reasons and therefore must be ruled out during verification. In the setting of Timed Automata, it is nontrivial to decide if a run of the zone graph corresponds to a non-Zeno run [Tripakis 1999; Herbreteau et al. 2010]. We show that the zone graph in our setting can be used to detect non-Zeno runs so that we can verify Stateful Timed CSP models with the assumption of non-Zenoness.
  —Last, we enhance the PAT model checker [Sun et al. 2009a; Liu et al. 2011] with the techniques and show its usability via modeling of complex systems as well as automated verification of real-world and benchmark systems.

Modeling and Verifying Hierarchical Real-Time Systems Using Stateful Timed CSP

The remainder of the article is organized as follows. Section 2 presents relevant definitions. Section 3 presents the syntax and operational semantics of Stateful Timed CSP. Section 4 presents dynamic zone abstraction. Section 5 discusses how to perform model checking with the assumption of non-Zenoness. Section 6 discusses our implementation in the PAT model checker. Section 7 reviews related work. Section 8 concludes the work and discusses future research direction.

#### 2. PRELIMINARIES

Let  $\mathbb{R}_+$  denote the set of nonnegative real numbers. Throughout the article,  $\tau$  denotes an unobservable event;  $\checkmark$  denotes the special event of process termination;  $\epsilon \in \mathbb{R}_+$ denotes the event of idling for exactly  $\epsilon$  time units;  $\Sigma$  denotes the set of observable events such that  $\tau \notin \Sigma$  and  $\checkmark \in \Sigma$ ;  $\Sigma_{\tau} = \Sigma \cup \{\tau\}$ . Furthermore, the following naming convention is adopted:  $e \in \Sigma$  denotes an observable event;  $a \in \Sigma_{\tau}$  denotes an observable event or  $\tau$ ;  $x \in \Sigma_{\tau} \cup \mathbb{R}_+$ .

Definition 2.1. A labeled transition system (LTS) is a tuple  $\mathcal{L} = (S, init, \Sigma_{\tau}, T)$ where S is a set of states;  $init \in S$  is an initial state and  $T : S \times \Sigma_{\tau} \times S$  is a labeled transition relation.

 $\mathcal{L}$  is finite if and only if S is finite. Without loss of generality, we assume that an LTS is always *reduced* so that every  $s \in S$  is reachable from *init*. We write  $s \xrightarrow{x} s'$  to denote  $(s, x, s') \in T$  when T is clear from the context. An event a is enabled at state s if there exists s' such that  $s \xrightarrow{a} s'$ . State s is a deadlock state if and only if there is no enabled events at s. A run of  $\mathcal{L}$  is a sequence of alternating states/events  $\langle s_0, a_0, s_1, a_1, \ldots \rangle$  such that  $s_0 = init$  and  $s_i \xrightarrow{a_i} s_{i+1}$  for all i. The set of runs of  $\mathcal{L}$  is written as  $runs(\mathcal{L})$ .

Definition 2.2. A timed transition system (TTS) is a tuple  $\mathcal{T} = (S, init, \mathbb{R}_+ \cup \Sigma_{\tau}, T)$  such that S is a set of states;  $init \in S$  is an initial state;  $T : S \times (\mathbb{R}_+ \cup \Sigma_{\tau}) \times S$  is a labeled transition relation.

There are two kinds of transitions in  $\mathcal{T}$ , that is, event transitions  $s \xrightarrow{a} s'$  and time transitions  $s \xrightarrow{\epsilon} s'$ . For simplicity, we write  $s \xrightarrow{\epsilon,a} s'$  or  $(s, (\epsilon, a), s') \in T$  to denote that there exists  $s_0$  such that  $s \xrightarrow{\epsilon} s_0 \xrightarrow{a} s'$ . State s is a deadlock state if and only if there do not exist  $\epsilon, a$  and s' such that  $s \xrightarrow{\epsilon,a} s'$ . A run of  $\mathcal{T}$  is a sequence  $\rho$  of the form  $\langle s_0, (\epsilon_0, a_0), s_1, (\epsilon_1, a_1), \ldots \rangle$  such that  $s_0 = init$  and  $s_i \xrightarrow{\epsilon_{i,a}} s_{i+1}$  for all i. Given  $\rho$ , we say that  $\langle s_0, a_0, s_1, a_1, \ldots \rangle$  is an untimed run of  $\mathcal{T}$ . The set of untimed runs of  $\mathcal{T}$  is written as  $runs(\mathcal{T})$ .

Definition 2.3. A run  $\rho = \langle s_0, (\epsilon_0, a_0), s_1, (\epsilon_1, a_1), \ldots \rangle$  is non-Zeno if and only if  $\rho$  is infinite and  $(\epsilon_i + \epsilon_{i+1} + \cdots)$  for all *i* is unbounded.

A run is Zeno if and only if it is not non-Zeno. That is, a run is Zeno if and only if it contains infinitely many steps taken in a finite time interval. For obvious reasons, Zeno runs are unrealistic. A TTS is nonempty if and only if it allows at least one non-Zeno run.

Definition 2.4. A time-abstract bisimulation relation between a TTS  $\mathcal{T} = (S_t, init_t, \Sigma_\tau \times \mathbb{R}_+, T_t)$  and an LTS  $\mathcal{L} = (S_u, init_u, \Sigma_\tau, T_u)$  is a relation  $\mathcal{R} \subseteq S_t \times S_u$  satisfying the following condition.

- C1. If  $(s_0, s_1) \in \mathcal{R}$  and  $(s_0, (\epsilon, a), s'_0) \in T_t$  for some  $\epsilon$  and a, then there exists  $s'_1$  such that  $(s_1, a, s'_1) \in T_u$  and  $(s'_0, s'_1) \in \mathcal{R}$ ;
- C2. If  $(s_0, s_1) \in \mathcal{R}$  and  $(s_1, a, s_1') \in T_u$  for some  $s_1'$ , then there exists some  $\epsilon$  and  $s_0'$  such that  $(s_0, (\epsilon, a), s_0') \in T_t$  and  $(s_0', s_1') \in \mathcal{R}$ ;
- C3.  $(init_t, init_u) \in \mathcal{R}$ .

ACM Transactions on Software Engineering and Methodology, Vol. 22, No. 1, Article 3, Pub. date: February 2013.

| P = Stop                                     | - in-action                         |
|----------------------------------------------|-------------------------------------|
| Skip                                         | – termination                       |
| $  e \rightarrow P$                          | – event prefixing                   |
| $  a\{program\} \rightarrow P$               | – data operation prefixing          |
| $  \mathbf{if}(b) \{P\} \mathbf{else} \{Q\}$ | – conditional choice                |
| $\mid P \mid Q$                              | – general choice                    |
| $  P \setminus X$                            | – hiding                            |
| P;Q                                          | – sequential composition            |
| $  P \parallel Q$                            | – parallel composition              |
| Wait[d]                                      | - delay*                            |
| $\mid P \ timeout[d] \ Q$                    | - timeout*                          |
| $\mid P \; interrupt[d] \; Q$                | - timed interrupt*                  |
| $\mid P within[d]$                           | - timed responsiveness <sup>*</sup> |
| $\mid P \ deadline[d]$                       | - deadline*                         |
| $\mid Q$                                     | – process referencing               |

| Fig. 1. | Process | constructs. |
|---------|---------|-------------|
|---------|---------|-------------|

 $\mathcal{T}$  time-abstract bisimulates  $\mathcal{L}$ , written as  $\mathcal{T} \approx \mathcal{L}$ , if and only if there exists a time-abstract bisimulation relation between them. The following result is immediate, that is, time-abstract bisimulation preserves untimed runs.

PROPOSITION 2.5.  $\mathcal{T} \approx \mathcal{L} \Rightarrow runs(\mathcal{T}) = runs(\mathcal{L}).$ 

#### 3. SYNTAX AND OPERATIONAL SEMANTICS

In this section, we introduce Stateful Timed CSP, which is an extension of Timed CSP proposed in Sun et al. [2009b].

#### 3.1. Syntax and Informal Semantics

A Stateful Timed CSP model (hereafter a model) is a tuple  $S = (Var, init_G, P)$  where Var is a finite set of *finite-domain* global variables;  $init_G$  is the initial valuation of the variables and P is a timed process. A variable can be of a predefined type like Boolean, integer, array of integers or any user-defined data type.<sup>1</sup> Process P models the control logic of the system using a rich set of process constructs. A process can be defined by the grammar presented in Figure 1. For simplicity, we assume that P is not parameterized.

Process Stop does nothing but idling. Process Skip terminates, possibly after idling for some time. Process  $e \to P$  engages in event e first and then behaves as P. Note that e may serve as a synchronization barrier, if combined with parallel composition. In order to seamlessly integrate data operations, we allow sequential programs to be attached with events. Process  $a\{program\} \to P$  performs data operation a (i.e., executing the sequential program whilst generating event a) and then behaves as P. The program may be a simple procedure updating data variables (written in the form of  $a\{x := 5; y := 3\}$ ) or a complicated sequential program.<sup>2</sup> A conditional choice is written as **if** (b)  $\{P\}$  **else**  $\{Q\}$ . Process P|Q offers an (unconditional) choice between P and  $Q^3$ . Process P; Q behaves as P until P terminates and then behaves as Q immediately.  $P \setminus X$  hides occurrences of events in X. Parallel composition of two processes is written as  $P \parallel Q$ , where P and Q may communicate via event synchronization (following CSP rules [Hoare 1985]) or shared variables. Notice that if P and Q do not communicate

<sup>&</sup>lt;sup>1</sup>Refer to PAT user manual on how to define a type in C# or Java.

<sup>&</sup>lt;sup>2</sup>The detailed syntax for the sequential program can be found in PAT user manual.

<sup>&</sup>lt;sup>3</sup>For simplicity, we omit external and internal choices [Hoare 1985] in the discussion.

Modeling and Verifying Hierarchical Real-Time Systems Using Stateful Timed CSP

through event synchronization, then it is written as  $P \parallel\mid Q$ , which reads as 'P interleave Q'. A process may be given a name, written as  $P \cong Q$ , and then referenced through its name. Recursion is allowed by process referencing. Additional process constructs (e.g., while or periodic behaviors) can be defined using the above.

In addition, a number of timed process constructs (marked with \* in Figure 1) are designed to capture common real-time system behavior patterns. Let  $d \in \mathbb{R}_+$ . Process Wait[d] idles for exactly d time units. In process P timeout[d] Q, the first observable event of P shall occur before d time units elapse (since process P timeout[d] Q is activated). Otherwise, Q takes over control after exactly d time units. In process P interrupt[d] Q, if P terminates before d time units, P interrupt[d] Q behaves exactly as P. Otherwise, P interrupt[d] Q behaves as P until d time units and then Q takes over. In contrast to P timeout[d] Q, P may engage in multiple observable events before it is interrupted. Process P within[d] must react within d time units, that is, an observable event must be engaged by process P within d time units. Urgent event prefixing [Davies 1993], written as  $e \rightarrow P$ , is defined as  $(e \rightarrow P)$  within[0], that is, e must occur as soon as it is enabled. In process P deadline[d], P must terminate within d time units, possibly after engaging in multiple observable events. Notice that a timed process construct is always associated with an integer constant d, which is referred to as its parameter.

In the following, we apply Stateful Timed CSP to model two systems so as to show that it is expressive enough to capture real-time systems.

*Example.* Let  $\delta$  and  $\epsilon$  be two constants such that  $\delta < \epsilon$ . Fischer's mutual exclusion algorithm is modeled as a model  $(V, v_i, Protocol)$ . V contains two variables *turn* and *counter*. The former indicates which process attempted to access the critical section most recently. The latter counts the number of processes accessing the critical section. Initial valuation  $v_i$  maps *turn* to -1 (which denotes that no process is attempting initially) and *counter* to 0 (which denotes that no process is in the critical section initially). Process *Protocol* is defined as follows.

where *n* is a constant representing the number of processes. Process Proc(i) models a process with a unique integer identify *i*. If *turn* is -1 (i.e., no other process is attempting), Proc(i) behaves as specified by process Active(i). In process Active(i), firstly *turn* is set to be *i* (indicating that the *i*-process is now attempting) by action *update.i*. Note that *update.i* must occur within  $\delta$  time units (captured by *within*[ $\delta$ ]). Next, the process idles for  $\epsilon$  time units (captured by  $Wait[\epsilon]$ ). It then checks whether *turn* is still *i*. If so, it enters the critical section and leaves later. Otherwise, it restarts from the beginning.

Quantitative timing plays an important role in this algorithm to guarantee mutual exclusion, that is, mutual exclusion is not guaranteed if  $\delta \ge \epsilon$ . One way to verify mutual exclusion is to show that *counter*  $\le 1$  is always true. We remark that the event names for variable updates (e.g., *update.i* and *cs.i* and *cs.i*) not only improves readability but also allows an alternative way of verification, that is, through trace refinement checking.

*Example*. A pacemaker is an electronic implanted device that functions to regulate the heart beat by electrically stimulating the heart to contract and thus to pump blood throughout the body. Quantitative timing is crucial to pacemaker. Common pacemakers are designed to correct bradycardia, that is, slow heart beats. A pacemaker mainly performs two functions, that is, sensing and pacing. Sensing is to monitor the heart's natural electrical activity, helping the pacemaker to gather information on the heart beats and react accordingly. Pacing is when a pacemaker sends electrical stimuli, that is, tiny electrical signals, to heart through a pacing lead, which starts a heartbeat. A pacemaker can operate in many different modes according to the implanted patient's heart problem. A mode of the pacemaker is typically modeled as of the following form: *Heart*  $\parallel$  *Sensing*  $\parallel$  *Pacing* where *Heart* models normal or abnormal heart condition; *Sensing* and *Pacing* model the two functions. In the following, we present a simplified model of the simplest mode, that is, the sense Atrial, pace Atrial, in Trigger (AAT) mode.

The model contains one variable *SA*, which is a flag indicating whether it is necessary to monitor atria (1 for necessary). Initially, *SA* is 0. The process is *AAT*, which is defined as follows.

 $\begin{array}{ll} AAT & \widehat{=} \; Heart||Sensing||Pacing(LRI) \\ Sensing & \widehat{=} \; \mbox{if} \; (SA=1) \left\{ & pulseA \rightarrow senseA \rightarrow Sensing \\ & pulseA \rightarrow senseA \rightarrow Sensing \\ & else \left\{ & & \\ & pulseA \rightarrow Sensing \\ \end{array} \right\} \\ Pacing(X) & \widehat{=} \; (senseA \rightarrow paceA\{SA := 0\} \rightarrow Skip) \ timeout[X] \ HelpPacing; \\ & Wait[URI]; \\ & (enableSA\{SA := 1\} \rightarrow Pacing(LRI - URI)) \\ HelpPacing \widehat{=} \; (stimu \rightarrow paceA\{SA := 0\} \rightarrow Skip) \ deadline[0], \end{array}$ 

where URI and LRI are two constants representing upper and lower rate interval, that is, the fastest and slowest a normal heart can beat. For simplicity, we skip the details of process *Heart*. Informally speaking, process *Heart* generates two events *pulseA* (i.e., atrium does a pulse) and *pulseV* (i.e., ventricle does a pulse) periodically for a normal heart or with one of them missing once a while for an abnormal heart. Process *Sensing* monitors heart pacing by synchronizing with *Heart* on *pulseA*. If *SA* is 1, it engages in event *senseA* immediately once *pulseA* occurs. Initially, process *Pacing* awaits for event *senseA*. If *senseA* occurs before X time units, action *paceA* occurs (and *SA* is set to 0 so that sensing is paused for a while). If *senseA* is missing for X time units, timeout happens and process *HelpPacing* is invoked. *HelpPacing* models the process of the pacemaker generating an electrical stimuli (captured by event *stimu*) and then performing action *paceA*. Note that *HelpPacing* must terminate before 0 time unit (captured by *deadline*[0]), which means that it must immediately perform event *stimu* and action *paceA*. Next, *Wait*[*URI*] occurs and later sensing is turned on again for the next circle.

At the top level, the pacemaker model is a choice of 16 different modes. Each mode is a parallel composition of the three components. Each component may have internally hierarchies due to complicated sensing and pacing behaviors. We skip the details [Barold et al. 2004]. The complete pacemaker model can be found at [Sun et al.].

#### 3.2. Formal Operational Semantics

In order to define the operational semantics of Stateful Timed CSP, we define the notion of a configuration to capture the global system state during the system execution, which

is referred as a *concrete configuration*. This terminology distinguishes the notion from the state space abstraction and abstract configurations that will be introduced later. A concrete system configuration is a pair (V, P) where V is a variable valuation function and P is a process. For simplicity, an empty valuation is written as  $\emptyset$ . A transition of the system is in the form  $(V, P) \xrightarrow{x} (V', P')$  where  $x \in \Sigma_{\tau} \cup \mathbb{R}_+$ , that is, a transition is labeled with an event in  $\Sigma_{\tau}$  or a number in  $\mathbb{R}_+$ .

The operational semantics is defined systematically by associating a set of firing rules with each and every process construct. The firing rules associated with the timed process constructs are presented as examples in Figure 2.

- -Rules wait1 and wait2 define the semantics of Wait[d]. Rule wait1 states that the process may idle for an arbitrary amount of time  $\epsilon$  such that  $\epsilon \leq d$ . Afterwards, Wait[d] becomes  $Wait[d \epsilon]$  and the variable valuation is unchanged. Rule wait2 states that the process becomes Skip via a  $\tau$ -transition whenever d is 0.
- -Rules to1 to to4 define P timeout[d] Q. Rule to1 states that if an observable event e can be engaged by P, changing (V, P) to (V', P'), then (V, P timeout[d] Q) becomes (V', P') so that Q is discharged. That is, P has performed an observable event before timeout occurs. Rule to2 states that if d is 0, Q takes over control by a  $\tau$ -transition. Rule to3 states that if P performs a  $\tau$ -transition, then Q and timeout operator remain (since an observable event is yet to be performed). Rule to4 states that if P may idle for less than or equal to d time units, so does P timeout[d] Q.
- -Rules ti1 to ti4 define P interrupt[d] Q. Rule ti1 states that if event a (which may be observable or  $\tau$ , but not  $\checkmark$ ) can be engaged by P, changing (V, P) to (V', P'), then (V, P interrupt[d] Q) can perform a as well. In contrast to rule to1, the interrupt operator remains. Intuitively, it states that before P is interrupted, P behaves freely. Rule ti2 states that if P may idle for less than or equal to d time units, so does P interrupt[d] Q. Rule ti3 states that if P terminates before being interrupted, then the whole process terminates. Rule ti4 states that if d is 0, Q takes over control by a  $\tau$ -transition.
- -Rules wi1 to wi3 define P within[d]. Rule wi1 states that if an observable event e occurs, then within is discharged, as the requirement is fulfilled. In contrast, rule wi2 states that if instead event  $\tau$  occurs, then within remains. Rule wi3 states that if P can idle for  $\epsilon$  time units, so does P within[d] as long as  $\epsilon \leq d$ .
- -Rules dl1, dl2 and dl3 define P deadline[d]. P deadline[d] requires P to terminate (marked by  $\checkmark$ ) before d time units. Rule dl1 states that P can do whatever it can before the deadline is expired. Rule dl2 states that if P terminates, then deadline is discharged. Rule dl3 states if P can idle for  $\epsilon$  time units, so does P deadline[d] as long as  $\epsilon \leq d$ .

The rest of the rules are similarly defined [Sun et al. 2009b]. We remark the rules are an extension of the operational semantics in Schneider [1995]. In particular, we handle data states and extend Schneider [1995] with rules for timed process constructs like *within* and *deadline*.

The following can be established immediately.

PROPOSITION 3.1. (1) If  $(V, P) \stackrel{\epsilon}{\to} (V', P')$ , then V' = V. (2) If  $(V, P) \stackrel{\epsilon_0}{\to} (V', P')$  and  $(V', P') \stackrel{\epsilon_1}{\to} (V'', P'')$ , then  $(V, P) \stackrel{\epsilon_0+\epsilon_1}{\to} (V'', P'')$ .  $\Box$ 

Intuitively speaking, (1) states that time transitions do not modify variables and (2) states that consecutive time transitions can be accumulated.

Definition 3.2. Let  $S = (Var, init_G, P)$  be a model. The concrete semantics of S, denoted as  $\mathcal{T}_S$ , is a TTS  $(S, init, \Sigma \cup \mathbb{R}_+, T)$  such that S is a set of reachable concrete

ACM Transactions on Software Engineering and Methodology, Vol. 22, No. 1, Article 3, Pub. date: February 2013.

$$\begin{split} & \underline{\epsilon} \leq d \\ \hline (V, Wait[d]) \stackrel{c}{\rightarrow} (V, Wait[d-\epsilon]) \quad [wait1] \quad (V, Wait[0]) \stackrel{\tau}{\rightarrow} (V, Skip) \quad [wait2] \\ \hline (V, P) \stackrel{e}{\rightarrow} (V', P') \\ \hline (V, P \ timeout[d] \ Q) \stackrel{c}{\rightarrow} (V', P') \quad [to1] \quad (V, P \ timeout[0] \ Q) \stackrel{\tau}{\rightarrow} (V, Q) \quad [to2] \\ \hline (V, P) \stackrel{\tau}{\rightarrow} (V', P') \\ \hline (V, P \ timeout[d] \ Q) \stackrel{\tau}{\rightarrow} (V', P' \ timeout[d] \ Q) \quad [to3] \\ \hline (V, P) \stackrel{c}{\rightarrow} (V, P'), \epsilon \leq d \\ \hline (V, P \ timeout[d] \ Q) \stackrel{c}{\rightarrow} (V, P' \ timeout[d] \ Q) \quad [ti1] \\ \hline (V, P \ interrupt[d] \ Q) \stackrel{c}{\rightarrow} (V, P' \ timeout[d] \ Q) \quad [ti1] \\ \hline (V, P) \stackrel{c}{\rightarrow} (V', P'), \epsilon \leq d \\ \hline (V, P \ interrupt[d] \ Q) \stackrel{c}{\rightarrow} (V, P' \ interrupt[d] \ Q) \quad [ti2] \\ \hline (V, P) \stackrel{c}{\rightarrow} (V', P') \\ \hline (V, P \ interrupt[d] \ Q) \stackrel{c}{\rightarrow} (V, P' \ interrupt[d] \ c \in ] \ Q) \quad [ti3] \\ \hline (V, P) \stackrel{c}{\rightarrow} (V', P') \\ \hline \hline (V, P \ interrupt[d] \ Q) \stackrel{\tau}{\rightarrow} (V, Q) \quad [ti4] \ (V, P) \stackrel{\tau}{\rightarrow} (V', P') \\ \hline \hline (V, P \ interrupt[d] \ Q) \stackrel{\tau}{\rightarrow} (V, Q) \quad [ti4] \ (V, P) \stackrel{\tau}{\rightarrow} (V', P') \\ \hline \hline (V, P \ interrupt[d] \ Q) \stackrel{\tau}{\rightarrow} (V, P) \quad [ti1] \ (V, P) \stackrel{\tau}{\rightarrow} (V', P') \\ \hline \hline (V, P \ interrupt[d] \ Q) \stackrel{\tau}{\rightarrow} (V, P) \quad [ti1] \ (V, P) \stackrel{\tau}{\rightarrow} (V', P') \\ \hline \hline (V, P \ within[d]) \stackrel{e}{\rightarrow} (V', P') \\ \hline \hline (V, P \ within[d]) \stackrel{e}{\rightarrow} (V', P') \quad [wi1] \ (V, P) \stackrel{\tau}{\leftarrow} (V, P'), \epsilon \leq d \\ \hline (V, P) \stackrel{d}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V, P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V, P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V, P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]) \stackrel{\phi}{\rightarrow} (V', P') \\ \hline \hline (V, P \ deadline[d]$$

Fig. 2. Concrete firing rules where  $e \in \Sigma$  and  $a \in \Sigma_{\tau}$ .

system configurations;  $init = (init_G, P)$  is the initial configuration; and T satisfies  $((V, P), x, (V', P')) \in T$  if and only if  $(V, P) \xrightarrow{x} (V', P')$ .

#### 4. DYNAMIC ZONE ABSTRACTION

 $\mathcal{T}_{\mathcal{S}}$  always has infinitely many states, even when all variables have finite domains. For instance, assume  $\mathcal{S} = (\emptyset, true, P)$  where there is no variable and P is defined as  $P \cong (a \to (P|c \to Skip)); (b \to Stop)$ , it can be shown that the set of runs of S constitutes an irregular language [Hoare 1985]. We thus restrict ourselves to a subset of models, which we refer as regular Stateful Timed CSP models. A Stateful Timed CSP model S is regular if and only if P is a process expression constituted by finitely many process constructs, for every reachable configuration (V, P) of  $\mathcal{T}_S^4$ . Given a regular model S, there may still be infinitely many states in  $\mathcal{T}_S$  because parameters of timed process constructs in a process (e.g., d in Wait[d]) can take infinitely many different values. Intuitively, the constants capture the reading of the implicit clocks associated with the processes. In the following, we abstract the exact value of the constants by dynamic zone abstraction (initially proposed in Sun et al. [2009b]) so as to generate a finite-state abstraction. We extend Sun et al. [2009b] with a discussion on how Stateful Timed CSP is different from Timed Automata semantically in the end of this section.

#### 4.1. From Implicit Clocks to Explicit Clocks

In Stateful Timed CSP, clocks are implicitly associated with timed process constructs. A clock starts ticking once a timed process becomes activated. Before applying zone abstraction, we associate clocks with time processes explicitly so as to differentiate parameters associated with different timed process constructs. In theory, each timed process construct is associated with one unique clock. Nonetheless, multiple timed processes may be activated at the same time during system execution and therefore can be associated with the same clock. For instance, assume that a process P is defined as:  $P \cong (Wait[5]; Wait[3])$  interrupt[6] Q. There are at least three implicit clocks: one associated with Wait[5] (say  $t_1$ ); one with Wait[3] (say  $t_2$ ); and one with P (because of interrupt [6], say  $t_3$ ). Because Wait [5] and P are activated, clock  $t_1$  and  $t_3$  have started. In contrast, clock  $t_2$  starts only when Wait[5] terminates. It is obvious that  $t_1$  and  $t_3$  always have the same reading and thus one clock is sufficient. It is known that the fewer clocks, the more efficient real-time model checking could be [Bengtsson and Yi 2003]. In order to minimize the number of clocks, clocks are introduced at runtime and are shared by as many processes as possible. In the following, we show how to systematically associate clocks with timed processes. Intuitively, a clock is introduced if and only if one or more timed processes have just become activated. For simplicity, we write  $Wait[d]_t$ (or P timeout  $[d]_t Q$ , P interrupt  $[d]_t Q$ , P within  $[d]_t$ , P deadline  $[d]_t$ ) to denote that the process is associated with clock t. Given a process P and a clock t, we define function  $\mathcal{A}$  to associate t with P. Figure 3 presents the detailed definition. Intuitively speaking, A1 to A5 state that if a process is untimed and none of its subprocesses is activated, then it is unchanged. A6 to A10 state that if a process is timed, then it is associated with t and function  $\mathcal{A}$  is applied to its activated subprocesses at the same time. Note that if a timed process has already been associated with a clock t', then it will not be associated with the new clock. This is captured by A11–A15, where  $Wait[d]_{t'}$  denotes that Wait[d] is associated with clock t'. If a subprocess is activated, then function A is applied recursively, as captured by A7–10,12–19. The last rule A20 states that if P is defined as Q, then  $\mathcal{A}(P, t)$  can be obtained by applying  $\mathcal{A}$  to Q.

Given a process P, we can obtain the set of clocks associated with P or any subprocess of P. For instance, the clocks associated with P timeout $[d]_t Q$  contain t and the clocks associated with P. Notice that there is no clock associated with Q because it is not activated. This set is written as cl(P).

<sup>&</sup>lt;sup>4</sup>This definition adopts the the idea of *finite-state processes* for Timed CSP as defined in Ouaknine and Worrell [2002]. Formally, a Timed CSP process is a finite-state process if there are only finitely many states reachable via transitions labeled with events or 1 (i.e., a time transition that takes 1 time unit). It is possible to extend their definition to the setting of Stateful Timed CSP. Nonetheless, formally establishing that a 'finite-state process' can only reach finite process expressions is tedious and not the focus of this work.

| $\mathcal{A}(Stop, t)$                                      | = Stop                                                           | - A1  |
|-------------------------------------------------------------|------------------------------------------------------------------|-------|
| $\mathcal{A}(Skip, t)$                                      | = Skip                                                           | - A2  |
| $\mathcal{A}(e  ightarrow P, t)$                            | $= e \rightarrow P$                                              | – A3  |
| $\mathcal{A}(a\{program\} \to P, t)$                        | $= a\{program\} \to P$                                           | - A4  |
| $\mathcal{A}(\mathbf{if}(b) \{P\} \mathbf{else} \{Q\}, t\}$ | $= \mathbf{if}(b) \{P\} \mathbf{else} \{Q\}$                     | – A5  |
| $\mathcal{A}(Wait[d], t)$                                   | $= Wait[d]_t$                                                    | - A6  |
| $\mathcal{A}(P \ timeout[d] \ Q, t)$                        | $= \mathcal{A}(P, t) \ timeout[d]_t \ Q$                         | -A7   |
| $\mathcal{A}(P \ interrupt[d] \ Q, t)$                      | $= \mathcal{A}(P, t) interrupt[d]_t Q$                           | – A8  |
| $\mathcal{A}(P \ within[d], t)$                             | $= \mathcal{A}(P, t) \ within[d]_t$                              | – A9  |
| $\mathcal{A}(P \ deadline[d], t)$                           | $= \mathcal{A}(P, t) \ deadline[d]_t$                            | - A10 |
| $\mathcal{A}(\mathit{Wait}[d]_{t'},t)$                      | $= Wait[d]_{t'}$                                                 | – A11 |
| $\mathcal{A}(P \ timeout[d]_{t'} \ Q, t)$                   | $= \mathcal{A}(P, t) \ timeout[d]_{t'} \ Q$                      | – A12 |
| $\mathcal{A}(P \ interrupt[d]_{t'} \ Q, t)$                 | $= \mathcal{A}(P, t) interrupt[d]_{t'} Q$                        | – A13 |
| $\mathcal{A}(P \ within[d]_{t'}, t)$                        | $= \mathcal{A}(P, t) \ within[d]_{t'}$                           | – A14 |
| $\mathcal{A}(P \ deadline[d]_{t'}, t)$                      | $= \mathcal{A}(P, t) \ deadline[d]_{t'}$                         | – A15 |
| $\mathcal{A}(P \mid Q, t)$                                  | $=\mathcal{A}(P,t)\mid\mathcal{A}(Q,t)$                          | - A16 |
| $\mathcal{A}(P \setminus X, t)$                             | $= \mathcal{A}(P,t) \setminus X$                                 | – A17 |
| $\mathcal{A}(P; Q, t)$                                      | $= \mathcal{A}(P,t); Q$                                          | – A18 |
| $\mathcal{A}(P \parallel Q, t)$                             | $= \mathcal{A}(P,t) \parallel \mathcal{A}(Q,t)$                  | - A19 |
| $\mathcal{A}(P,t)$                                          | $= \mathcal{A}(Q, t) \qquad \text{if } P \stackrel{\frown}{=} Q$ | - A20 |
|                                                             |                                                                  |       |

Fig. 3. Clock activation.

#### 4.2. Zones

The concrete firing rules presented in Figure 2 capture quantitative timing through parameters of the timed processes. Inevitably, there are infinitely many constant values. In the setting of Timed Automata, it has been shown that zone abstraction allows efficient model checking [Dill 1989; Behrmann et al. 1999; Bengtsson and Yi 2003]. Zone abstraction for Timed Automata, however, cannot be readily adopted due to the difference between Stateful Timed CSP and Timed Automata. In the following, we review necessary background on zones and zone operations before presenting how to apply zone abstraction to Stateful Timed CSP models.

A zone is the conjunction of multiple primitive constraints over a set of clocks. A primitive constraint is of the form  $t \sim d$  or  $t_1 - t_2 \sim d$  where  $t, t_1, t_2$  are clocks; d is a constant; and  $\sim$  is either,  $\geq$ , = or  $\leq$ . A zone is the maximal set of clock valuations satisfying the constraint. Given a clock valuation v, we write  $v \in D$  to denote that v is in zone D. A zone is empty if and only if the constraint is unsatisfiable. We write cl(D) to denote the clocks of D. A zone can be equivalently represented as a DBM (short for Difference Bound Matrices [Dill 1989; Behrmann et al. 1999]). Let  $t_1, t_2, \ldots, t_n$  denote n clocks and  $t_0$  denote a dummy clock whose value is always 0. A DBM representing a constraint on the clocks contains n + 1 rows, each of which contains n + 1 elements. Entry (i, j) in the matrix, denoted by  $D_j^i$ , represents the upper bound on difference between clock  $t_i$  and  $t_j$  such that  $0 \leq i \leq n$  and  $0 \leq j \leq n$ . The bound on difference between  $t_i$  and  $t_j$  is captured by:  $-D_i^j \leq t_i - t_j \leq D_j^i$ . Because  $t_0$  is always 0, we have  $-D_i^0 \leq t_i \leq D_0^i$ , which is the bounds of clock  $t_i$ .

In the following, we briefly introduce the relevant zone operations/properties and its corresponding DBM implementation. Interested readers are referred to Dill [1989], Behrmann et al. [1999], and Bengtsson and Yi [2003] for details.

|           | $t_0$       | $t_1$   | •••   | $t_i$   | • • • • | $t_{k-1}$            | $\mathbf{t_k}$       |
|-----------|-------------|---------|-------|---------|---------|----------------------|----------------------|
| $t_0$     | 0           | $d_1^0$ | •••   | $d_i^0$ | • • •   | $d_{k-1}^{0}$        | 0                    |
| $t_1$     | $d_0^1$     | *       |       | *       |         | *                    | $\mathbf{d}_0^1$     |
| • • •     | • • •       |         |       |         | • • •   |                      |                      |
| $t_i$     | $d_0^i$     | *       |       | *       |         | *                    | $\mathbf{d_0^i}$     |
| •••       | • • •       |         |       |         | • • •   |                      |                      |
| $t_{k-1}$ | $d_0^{k-1}$ | *       | • • • | *       | • • •   | *                    | $\mathbf{d_0^{k-1}}$ |
| $t_k$     | 0           | $d_1^0$ | •••   | $d_i^0$ | • • •   | $\mathbf{d_{k-1}^0}$ | 0                    |

Fig. 4. Add clock.

- -Calculate canonical form. In theory, there are infinitely many different timing constraints representing the same zone. For instance, the clock valuations for  $0 \leq t_1 \leq 3 \land 0 \leq t_1 t_2 \leq 3$  and  $0 \leq t_1 \leq 3 \land 0 \leq t_1 t_2 \leq 3 \land t_2 \leq 1000$  are exactly the same and hence they represent the same zone. Zones represented as DBMs can be systematically compared if they are in their canonical forms. A DBM is in its canonical form if and only if every entry  $D_j^i$  is the tightest bound on difference between clock  $t_i$  and  $t_j$ . An important property of DBM is that there is a relatively efficient procedure to compute a unique canonical form. If the clocks are viewed as vertices in a weighted graph and the clock difference as the label on the edge connecting two clocks, the tightest clock difference is the shortest path between the respective vertices. Floyd-Warshall algorithm [Floyd 1962] thus can be used to compute the tightest bound on clock differences and hence the canonical form. The complexity of Floyd-Warshall algorithm is cubic in the number of clocks.
- —*Check satisfiability.* It is essential to check whether a zone is empty or not. A zone is empty if and only if its DBM representation, in its canonical form, contains an entry  $D_i^i$  such that  $D_i^i < 0$ . Intuitively, it means that clock  $t_i$  is constrained to satisfy  $t_i t_i < 0$ , which is impossible. Furthermore, it can be shown that a DBM in its canonical form represents an empty zone if and only if  $D_0^0$  is negative.
- —Add clocks. Clocks may be introduced during system exploration, as we have shown in Section 4.1. Assume that the clock to be added is  $t_k$  and the given DBM is in its canonical form. Figure 4 shows how the DBM is updated with entries for  $t_k$ . For all i,  $D_k^i$  is set to be  $D_0^i$  and  $D_k^k$  is set to be  $D_0^0$ . Because  $t_k$  is a newly introduced clock, it must be equivalent to  $t_0$ . The resultant DBM is canonical if the given DBM is.
- —*Prune clocks*. In our setting, clocks may be pruned. Because entries in a canonical DBM represent the tightest bounds on clock differences, pruning a clock  $t_i$  is simply to remove the *i*-row and *i*-column in the matrix. The remaining DBM is canonical, that is, the bounds can not be possibly tightened with less constraints. Given a DBM D and a set of clocks C, we write D[C] to denote the DBM obtained by pruning all clocks other than those in C. In an abuse of notation, we write D[t] to denote the constraint on t.
- —Delay. Given a zone D,  $D^{\uparrow}$  denotes the zone obtained by delaying for an arbitrary amount of time.  $D^{\uparrow}$  is obtained by changing  $D_0^i$  to  $\infty$  for all i such that  $i \ge 1$ .

#### 4.3. Abstraction

In the following, we present dynamic zone abstraction for Stateful Timed CSP. First, we define the notion of abstract system configurations.

Definition 4.1. An abstract system configuration is a triple (V, P, D), where V is a variable valuation; P is a process; and D is a zone.

In order to systematically apply zone abstraction, we define a set of *abstract* firing rules. The abstract firing rules eliminate concrete  $\epsilon$ -transitions all together and use

| idle(Stop)                                       | = true                   |                               | – rule | idle1  |
|--------------------------------------------------|--------------------------|-------------------------------|--------|--------|
| idle(Skip)                                       | = true                   |                               | - rule | idle2  |
| $idle(e \rightarrow P)$                          | = true                   |                               | -rule  | idle3  |
| $idle(a\{program\} \rightarrow P)$               | = true                   |                               | - rule | idle4  |
| $idle(\mathbf{if}(b) \{P\} \mathbf{else} \{Q\})$ | = true                   |                               | – rule | idle5  |
| $idle(P \mid Q)$                                 | $= idle(P) \wedge id$    | lle(Q)                        | – rule | idle6  |
| $idle(P \setminus X)$                            | = idle(P)                |                               | - rule | idle7  |
| idle(P; Q)                                       | = idle(P)                |                               | – rule | idle8  |
| $idle(P \parallel Q)$                            | $= idle(P) \wedge id$    | lle(Q)                        | – rule | idle9  |
| $idle(Wait[d]_t)$                                | $= t \leq d$             |                               | - rule | idle10 |
| $idle(P \ timeout[d]_t \ Q)$                     | $= t \leq d \wedge idle$ | :(P)                          | -rule  | idle11 |
| $idle(P \ interrupt[d]_t \ Q)$                   | $= t \leq d \wedge idle$ | :(P)                          | - rule | idle12 |
| $idle(P \ within[d]_t)$                          | $= t \leq d \wedge idle$ | :(P)                          | - rule | idle13 |
| $idle(P \ deadline[d]_t)$                        | $= t \leq d \wedge idle$ | :(P)                          | – rule | idle14 |
| idle(P)                                          | = idle(Q)                | if $P \stackrel{\frown}{=} Q$ | - rule | idle15 |
|                                                  |                          |                               |        |        |

Fig. 5. Idling calculation.

zones to ensure a process behaves correctly with respect to timing requirements. To distinguish from concrete firing rules, an abstract firing rule is written in the the form of  $(V, P, D) \xrightarrow{x} (V', P', D')$  where  $x \in \Sigma_{\tau}$ .

We first define a function *idle*, which, given a process (which has been associated with clocks), returns the zone in which the process can idle. Figure 5 shows the detailed definition. Rules *idle1* to *idle5* state that if the process is untimed and none of its subprocesses is activated, then function *idle* returns true, which means that the process may idle for an arbitrary amount of time. Rules *idle6* to *idle9* state that if subprocesses of the process are activated, then function *idle* is applied to the subprocesses. For instance, if the process is a choice (rule *idle6*) or a parallel composition (rule *idle9*) of P and Q, then the result is *idle(P) \land idle(Q)*. Intuitively, this means that process P|Q (or  $P \parallel Q$ ) may idle as long as both P and Q can idle. Rules *idle10* to *idle14* define the cases when the process is timed. For instance, process  $Wait[d]_t$  may idle as long as t is less or equal to d. Last, *idle15* defines the case for process referencing.

Figure 6 then exemplifies the abstract firing rules for the timed processes. The rest of the rules are similarly defined [Sun et al. 2009b].

- —Rule *await* defines the abstract semantics of Wait[d]. In contrast to the concrete semantics, there is only one abstract rule. It states that a  $\tau$ -transition occurs exactly when clock t reads d. Intuitively,  $D^{\uparrow} \wedge t = d$  denotes the exact moment when t reads d. Afterwards, the process becomes Skip.
- --Rules *ato*1, *ato*2 and *ato*3 define the abstract semantics of P timeout[d] Q. Rule *ato*1 states that if a  $\tau$ -transition transforms (V, P, D) to (V', P', D'), then a  $\tau$ -transition may occur given  $(V, P \text{ timeout}[d]_t Q, D)$  if zone  $D^{\uparrow} \wedge D' \wedge t \leq d$  is not empty. Intuitively, this means that the  $\tau$ -transition must occur before timeout occurs. Similarly, rule *ato*2 ensures that the occurrence of an observable event e from process P occurs only before timeout occurs. Rule *ato*3 states that timeout results in a  $\tau$ -transition when the reading of t is d. Constraint  $D^{\uparrow} \wedge t = d \wedge idle(P)$  ensures that process P may idle until timeout occurs.
- -Rules ait1, ait2 and ait3 define the abstract semantics of P interrupt[d] Q. Rule ait1 states that a transition (other than process termination) originated from P may occur only if  $t \leq d$ , that is, before interrupt occurs. Rule ait2 states that interrupt results

 $(V, Wait[d]_t, D) \stackrel{\tau}{\leadsto} (V, Skip, D^{\uparrow} \land t = d)$  $(V, P, D) \xrightarrow{\tau} (V', P', D')$  $(V, P \ timeout[d]_t \ Q, D) \xrightarrow{\tau} (V', P' \ timeout[d]_t \ Q, D^{\uparrow} \land D' \land t \leq d)$ \_\_\_\_\_[ ato1 ]  $\frac{(V, P, D) \stackrel{e}{\rightsquigarrow} (V', P', D')}{(V, P \ timeout[d]_t \ Q, D) \stackrel{e}{\rightsquigarrow} (V', P', D^{\uparrow} \land D' \land t \le d)} [\ ato2\ ]$  $(V, P \ timeout[d]_t \ Q, D) \stackrel{\tau}{\leadsto} (V, Q, D^{\uparrow} \land t = d \land idle(P))$  $(V, P, D) \stackrel{a}{\leadsto} (V', P', D'), a \neq \checkmark$  $(V, P interrupt[d]_t Q, D) \xrightarrow{a} (V', P' interrupt[d]_t Q, D^{\uparrow} \land D' \land t \leq d)$ \_\_\_\_\_ [ ait2 ]  $(V, P \ interrupt[d]_t \ Q, D) \xrightarrow{\tau} (V, Q, D^{\uparrow} \land t = d \land idle(P))$  $(V, P, D) \xrightarrow{\checkmark} (V', P', D')$  [ ait3 ]  $(V, P interrupt[d]_t Q, D) \xrightarrow{\checkmark} (V', P', D^{\uparrow} \land D' \land t \leq d)$  $(V, P, D) \stackrel{\tau}{\leadsto} (V', P', D')$  $\frac{(V, P, D) \stackrel{\sim}{\leadsto} (V', P', D')}{(V, P \text{ within}[d]_t, D) \stackrel{\tau}{\leadsto} (V', P' \text{ within}[d]_t, D^{\uparrow} \land D' \land t \leq d)}$ \_\_\_\_\_[ awi1 ]  $(V, P, D) \stackrel{e}{\leadsto} (V', P', D')$  $\underbrace{(V, P \ within[d]_t, D) \stackrel{e}{\leadsto} (V', P', D^{\uparrow} \land D' \land t < d)}_{e} [awi2]$  $(V, P, D) \stackrel{a}{\leadsto} (V', P', D'), a \neq \checkmark$ \_\_\_\_\_[ adl1 ]  $(V, P \ deadline[d]_t, D) \xrightarrow{a} (V', P' \ deadline[d]_t, D^{\uparrow} \land D' \land t < d)$  $(V, P, D) \xrightarrow{\checkmark} (V', P', D')$ \_\_\_\_\_[ adl2 ]  $(V, P \ deadline[d]_t, D) \xrightarrow{\checkmark} (V', P', D^{\uparrow} \land D' \land t < d)$ Fig. 6. Abstract Firing Rules.

in a  $\tau$ -transition when the reading of *t* is *d*. Rule *ait* 3 states that if *P* terminates before interrupt occurs, then the whole process terminates.

- -Rules awi1 and awi2 define the abstract semantics of P within[d]. Rule awi1 states that if a  $\tau$ -transition occurs within d time units, then the resultant process is of the form P' within[d], which means that it is yet to perform some observable event before d time units. Rule awi2 states that once an observable event occurs, the within construct is removed.
- -Rules adl 1 and adl 2 define the abstract semantics of P deadline [d]. Rule adl 1 ensures that all transitions of P must occur within d time units. Rule adl 2 states that if P terminates (by engaging in  $\checkmark$ ), then deadline is removed.

Using the abstract firing rules, we can generate an abstract LTS that captures the abstract semantics of a model.



Fig. 7. An abstract LTS and its Timed Automaton equivalent.

Definition 4.2. Let  $\langle t_1, \ldots \rangle$  be a sequence of clocks. Let  $S = (Var, init_G, P)$  be a model. The time-abstract semantics of S, denoted as  $\mathcal{L}_S$ , is an LTS  $(S, init, \Sigma_{\tau}, T)$  such that S is a set of valid abstract system configurations;  $init = (init_G, P, true)$  is the initial abstract configuration and T is the smallest transition relation such that: for all  $(V, P, D) \in S$ , if t is the first clock in the sequence that is not in cl(P), and if  $(V, \mathcal{A}(P, t), D \wedge t = 0) \stackrel{\sim}{\longrightarrow} (V', P', D')$ , then  $((V, P, D), a, (V', P', D'[cl(P']])) \in T$ .

Because of zone abstraction,  $\mathcal{L}_S$  is also referred to as a zone graph. Informally,  $\mathcal{L}_S$  is constructed as follows. Given an abstract configuration (V, P, D), first, a clock t that is not currently associated with P is picked. The abstract configuration (V, P, D) is transformed to  $(V, \mathcal{A}(P, t), D \land t = 0)$ , that is, timed processes that just become activated are associated with t and D is conjuncted with t = 0. Then, an abstract firing rule is applied to get a target configuration (V', P', D') such that D' must not be empty (otherwise, the transition is infeasible). Last, clocks that are not in cl(P') are pruned from D' since those clocks are irrelevant to the behavior of P'. Note that for all  $(V, P, D) \in S$ , cl(P) = cl(D). The construction of  $\mathcal{L}_S$  is illustrated in the following example.

*Example.* Assume that a model  $S = (\emptyset, true, P)$  such that

$$P \cong (a \rightarrow Wait[5]; b \rightarrow Stop) interrupt[3] c \rightarrow P$$

Intuitively, event *b* never occurs because interrupt always occurs first. The left part of Figure 7 shows the  $\mathcal{L}_{S}$  (the right part depicts the equivalent model under the form of a Timed Automaton, which will be explained in Section 5). Notice that transitions are labeled with the clock that is associated with the just activated timed processes, an event and a set of clocks that are pruned from the zone after the transition. The initial configuration is  $c_0 = (\emptyset, P, true)$ .

—Starting with  $c_0$ , we apply  $\mathcal{A}$  to P with  $t_1$  to get

 $c_1 = (\emptyset, (a \rightarrow Wait[5]; b \rightarrow Stop) interrupt[3]_{t_1} c \rightarrow P, t_1 = 0)$ 

Next, we can apply either rule *ait*1 or *ait*2. Applying rule *ait*1, we get

 $c_2 = (\emptyset, (Wait[5]; b \rightarrow Stop) interrupt[3]_{t_1} c \rightarrow P, 0 \le t_1 \le 3)$ 

Applying rule *ait* 2 to  $c_1$ , we get  $c_3 = (\emptyset, c \to P, t_1 = 3)$ . Note that clock  $t_1$  is irrelevant after the transition. After pruning  $t_1$ , we get  $c_4 = (\emptyset, c \to P, true)$ .

-Starting with  $c_2$ , we apply  $\mathcal{A}$  to  $(Wait[5]; b \to Stop)$  interrupt $[3]_{t_1} c \to P$  with  $t_2$  to get

$$c_5 = (\emptyset, (Wait[5]_{t_2}; b \to Stop) interrupt[3]_{t_1} c \to P, 0 \le t_1 \le 3 \land t_2 = 0)$$

Next, we can apply rule *ait*1 or *ait*2. Applying rule *ait*1 to  $c_5$ , we get zone  $(0 \le t_1 \le 3 \land t_2 = 0)^{\uparrow} \land 0 \le t_1 \le 3 \land t_2 = 5$ ). By DBM operations, this zone can be shown to be empty and therefore this transition is invalid. Intuitively, this is because  $(0 \le t_1 \le 3 \land t_2 = 0)^{\uparrow}$  is equivalent to  $0 \le t_1 - t_2 \le 3$ . Apply rule *ait*2 to  $c_5$ , we get

$$c_7 = (\emptyset, c \to P, t_1 \ge 0 \land t_2 \ge 0 \land t_2 \le 5 \land t_1 = 3)$$

Note that both clocks are irrelevant and therefore can be pruned. The resultant configuration is  $c_4$ .

-Starting with  $c_4$ , apply the rule for event prefixing, that is, c may occur at any time in the future (refer to rule *aev* in Sun et al. [2009b]) to obtain the transition to  $c_0$ . Note that  $t_1$  is available and thus reused.

#### 4.4. Stateful Timed CSP vs. Timed Automata

An obvious question is: what is the relationship between Stateful Timed CSP and Timed Automata? In the following, we show that regular Stateful Timed CSP is equivalent to Closed Timed Safety Automata with  $\tau$ -transitions. In the original theory of Timed Automata [Alur and Dill 1994], a Timed Automaton is a finite-state Büchi automaton extended with clocks. Büchi accepting conditions are used to enforce progress properties. Timed Safety Automata was introduced in Henzinger et al. [1994] to specify progress properties using local invariant conditions instead. In the following, we focus on Timed Safety Automata and refer them simply as Timed Automata following the literature. A Timed Automaton is *closed* if it has only closed invariant and enabling clock constraints.

Ouaknine and Worrell [2002] show that finite-state Timed CSP processes are equivalent to closed Timed Automata with  $\tau$ -transitions. Because Stateful Timed CSP is an extension of Timed CSP, it thus implies that Stateful Timed CSP is at least as expressive as closed Timed Automata. Stateful Timed CSP extends Timed CSP in two ways: shared variables and process constructs *within* and *deadline*. First, it has long been known (see Hoare [1985] and Roscoe [2001], for example) that one can model a finite domain variable as a finite-state process parallel to the one that uses it. The user processes then read from, or write to, the variable by event synchronization. Second, it can be shown that *deadline* and *within* can be translated to state invariants in Timed (Safety) Automata. For instance, we have shown [Dong et al. 2008] that *deadline* can be captured using clocks and state invariants, that is, if a process must terminate before *d*, then every configuration before the process terminates is labeled with invariant  $x \leq d$  where *x* is clock that starts when *P* is activated. This implies that regular Stateful Timed CSP is equivalent to closed Timed Automata with  $\tau$ -transitions.

This result does not imply that Stateful Time CSP is not useful. Stateful Timed CSP has advantages over Timed CSP, as it offers ease of modeling with the "syntactic sugars." Furthermore, there are useful properties about Stateful Timed CSP that are not satisfied by Timed Automata in general. First, it can be shown that every clock is bounded from above in Stateful Timed CSP (see the definition of *idle* in Figure 5 and abstract firing rules in Figure 6), which implies that unlike Timed Automata, zone normalization [Rokichi 1993] is not essential in our setting. Second, the number of clocks used in our graph is often less than that of the corresponding Timed Automaton model, as shown in Section 6. Last, unlike Timed Automata, model checking with non-Zenoness based on the zone graphs is feasible, as we show in the following section.

#### 5. MODEL CHECKING WITH NON-ZENONESS

In this section, we show that Stateful Timed CSP models can be model checked based on the abstract semantics. Compared to Sun et al. [2009b], we show in addition that model checking non-Zenoness is feasible.

In order to apply model checking techniques, we first establish that  $\mathcal{L}_{\mathcal{S}}$  is finite given any model  $\mathcal{S}$ .

THEOREM 5.1.  $\mathcal{L}_{S}$  is finite for any regular model S.

PROOF. By definition,  $\mathcal{L}_S$  is finite if and only if there are only finitely many abstract configurations. The number of abstract configurations is bounded by  $\#V \times \#P \times \#D$ 

where #V denotes the number of variable valuations; #P denotes the number of processes; and #D denotes the number of zones. We show all of them are finite.

- -#*V* is finite. All variables have finite domains by assumption.
- -#P is finite. Notice that P is constituted by process names, events, the associated clocks and parameters of the timed process constructs. Because processes are not parameterized<sup>5</sup>, process names and events are finite. By assumption, every reachable process is constituted by only finitely many process constructs. Because clocks are associated with timed process constructs, it implies that for every abstract configuration (V, P, D), cl(P) is finite. By reusing clocks (as in Definition 4.2), it implies that only finitely many clocks are necessary. Last, notice that all abstract firing rules preserve parameters of timed process constructs and therefore the possible values for parameters is finite. Finally, #P is finite.
- -#*D* is finite. It is straightforward to show that every clock is bounded from above. It implies that every entry of *D* (in its canonical form) is bounded. Further, every entry of *D* is an integer constant and therefore #*D* must be finite.  $\Box$

The next theorem shows that  $\mathcal{L}_{\mathcal{S}}$  preserves a large class of interesting properties.

THEOREM 5.2.  $T_S$  time-abstract bisimulates  $\mathcal{L}_S$  for any model S.

PROOF. Let  $\mathcal{L}_{\mathcal{S}} = (S_a, init_a, \Sigma_{\tau}, T_a)$  and  $\mathcal{T}_{\mathcal{S}} = (S_c, init_c, \mathbb{R}_+ \cup \Sigma_{\tau}, T_c)$ . By definition, we need to find a time abstract bisimulation relation  $\mathcal{R}$  between  $S_a$  and  $S_c$ . We define  $\mathcal{R}$  as follows: for all  $(V_c, P_c) \in S_c$ ;  $(V_a, P_a, D) \in S_a$ ,  $((V_c, P_c), (V_a, P_a, D)) \in \mathcal{R}$  if and only if  $V_c = V_a$  and  $P_c$  is abstracted by  $P_a$  with D.  $P_c$  is abstracted by  $P_a$  with D if and only if the following two conditions are satisfied.

- $-P_c$  differs from  $P_a$  only by the parameters of the timed process constructs and the fact that  $P_a$  is associated with clocks, whereas  $P_c$  is not.
- —For every timed process construct of  $P_c$ , let d be the associated parameter; let d' be the constant associated with the corresponding construct in  $P_a$ . If the construct is not associated with a clock in P, then d = d'. If the construct is associated with clock t in  $P_a$ , then t = d' d satisfies D[t].

For instance, if  $P_c = Wait[3]$ ; Wait[5] and  $P = Wait[4]_t$ ; Wait[5], then P with zone  $t \leq 4$  abstracts  $P_c$ . Next, we show that C1, C2 and C3 of Definition 2.4 are satisfied by  $\mathcal{R}$ . C3 is proved trivially. C1 and C2 are proved by structural induction, which are exemplified using two cases where  $P_c$  is Wait[d] or P timeout[d] Q. Notice that the first step of Definition 4.2 is to apply  $\mathcal{A}$  to  $P_a$ . Let the resultant process be  $P'_a$  and the result zone be D'.

- --If  $P_c$  is Wait[d] and  $((V_c, P_c), (V_a, P_a, D_a)) \in \mathcal{R}$ ,  $P'_a$  is  $Wait[d']_t$  such that t = d' satisfies  $D'_a[t]$ . We first show that C1 is satisfied. By rule Wait1 and Wait2,  $(V_c, Wait[d]) \xrightarrow{d_t} (V_c, Skip)$ . By rule  $await, (V_a, P'_a, D'_a) \xrightarrow{\tau} (V_a, Skip, D^{\uparrow}_a \land t = d)$  and thus  $(V_a, P'_a, D'_a) \xrightarrow{\tau} (V_a, Skip, D') \in T_a$  where D' = true (since  $cl(Skip) = \emptyset$ ). It is trivial to show  $(V_c, Skip) \approx (V_a, Skip, true)$ . Further,  $((V_c, Skip), (V_a, Skip, true)) \in \mathcal{R}$ . Similarly, we can show that C2 is satisfied. ----If  $P_c$  is P timeout[d] Q, then  $P'_a$  is P' timeout[d]\_t Q such that P is abstracted by P' with
- --If  $P_c$  is P timeout[d] Q, then  $P'_a$  is P' timeout[d]<sub>t</sub> Q such that P is abstracted by P' with D'. Assume  $(V_c, P) \xrightarrow{\epsilon, e} (V_1, P_1)$  for some  $\epsilon \leq d$ . By rule to4 and to1,  $(V_c, P_c) \xrightarrow{\epsilon, e} (V_1, P_1)$ . By induction hypothesis,  $(V_a, P', D') \xrightarrow{e} (V_1, P'_1, D'_1)$  such that  $((V_1, P_1), (V_1, P'_1, D'_1)) \in \mathcal{R}$  and  $(V_1, P_1) \approx (V_1, P'_1, D'_1)$ . By rule ato2,  $(V_a, P'_a, D') \xrightarrow{e} (V_1, P'_1, D'_1 \land D^{\uparrow} \land t \leq d)$ . By

<sup>&</sup>lt;sup>5</sup>It is clear that this assumption can be relaxed to allow finite domain parameters.

 $D'_1[t] - D'[t]$  time units. By induction hypothesis, there exists  $\epsilon \leq D'_1[t] - D'[t]$  such that  $(V_c, P_c) \xrightarrow{\epsilon, e} (V_1, P_1)$  and  $(V_1, P'_1, D'_1) \approx (V_1, P_1)$ . By rules to4 and to1,  $(V_c, P_c) \xrightarrow{\epsilon, e} (V_1, P_1)$ . It can be shown that  $P'_1$  with  $D'_1 \wedge D^{\uparrow} \wedge t \leq d$  abstracts  $P_1$  and thus, C2 is satisfied in the case. Similarly, we prove the case where  $(V_c, P \ timeout[d] \ Q) \xrightarrow{\epsilon, \tau} (V_1, P_1 \ timeout[d] \ Q)$  for some  $\epsilon \leq d$  or  $(V_c, P \ timeout[d] \ Q) \xrightarrow{d, \tau} (V_1, Q)$ .

Other cases can be proved to satisfy C1 and C2 similarly. We thus conclude that  $\mathcal{R}$  is a time-abstract bisimulation between  $\mathcal{T}_{\mathcal{S}}$  and  $\mathcal{L}_{\mathcal{S}}$  so that  $\mathcal{T}_{\mathcal{S}}$  and  $\mathcal{L}_{\mathcal{S}}$  are time-abstract bisimilar.  $\Box$ 

By Theorem 5.2, properties that are preserved by time-abstract bisimulation are preserved by  $\mathcal{L}_{S}$  and therefore can be model checked based on  $\mathcal{L}_{S}$ . In the following, we take one class as an example and briefly discuss how it can be supported. Properties concerning both states and events of infinite runs can be specified in SE-LTL [Chaki et al. 2004], which is a linear temporal logic constituted by not only atomic state propositions but also events. SE-LTL is particularly interesting because Stateful Timed CSP is both state-based and event-based. SE-LTL properties can be model checked using an on-the-fly automata-based approach [Vardi and Wolper 1986]. Given an SE-LTL formula  $\phi$ , a Büchi automaton  $\mathcal{B}$  equivalent to the negation of  $\phi$  can be built using the approach presented in Gastin and Oddoux [2001]. The synchronous product of  $\mathcal{L}_{S}$  and  $\mathcal{B}$ , which is also a Büchi automaton, is then computed. A run of the product is accepting if and only if its projection in  $\mathcal{B}$  is accepting. The problem of model checking  $\mathcal{S}$  against  $\phi$ *without non-Zenoness assumption* is thus reduced to the standard emptiness problem of Büchi automata [Vardi and Wolper 1986; Holzmann 2003].

Model checking with non-Zenoness is more complicated. A Stateful Timed CSP model may contain Zeno runs. For instance, given a model  $(\emptyset, \emptyset, P \text{ deadline}[1])$  where  $P \cong a \rightarrow a$  $P|b \rightarrow Skip$ . If property 'eventually event b occurs' is verified without non-Zenoness, then a counterexample with infinitely many a events will be generated. A close look reveals that the counterexample is Zeno since infinitely many a events must occur within 1 time unit. We thus need a method to check whether a run is Zeno or not. By Theorem 5.2, for every concrete run  $\rho = \langle s_0, (\epsilon_0, a_0), s_1, (\epsilon_1, a_1), \ldots \rangle$  of  $\mathcal{T}_S$ , there is a corresponding  $\pi = \langle s_0, a_0, s_1, a_1, \ldots \rangle$  in  $runs(\mathcal{L}_S)$ . We say that  $\rho$  is an instance of  $\pi$  or equivalently  $\pi$  abstracts  $\rho$ . If  $\pi$  fails certain property, then  $\rho$  can be presented as a concrete counterexample. It is possible that all instances of  $\pi$  are Zeno so that they are not considered as realistic counterexamples. An abstract run  $\pi$  is Zeno if and only if all instances of  $\pi$  are Zeno. Otherwise,  $\pi$  is non-Zeno. Because Zeno runs are unrealistic, system verification must be performed with the assumption of non-Zenoness, that is, to verify properties against only non-Zeno runs. In the setting of Timed Automata, it has been shown that it is highly nontrivial to decide if an abstract run is non-Zeno or not (because zone abstraction fails prestability [Tripakis 1999]). In the following, we show that zone graphs generated from Stateful Timed CSP models have unique characteristics that allow us to establish whether a run is non-Zeno or not.

Notice that  $\mathcal{L}_{\mathcal{S}}$  can be systematically translated into an equivalent Timed Automaton. Let  $\mathcal{A}_{\mathcal{S}}$  denote the Timed Automaton. Every state (V, P, D) of  $\mathcal{L}_{\mathcal{S}}$  is translated into a state of  $\mathcal{A}_{\mathcal{S}}$ . Recall that a transition from a state (V, P, D) of  $\mathcal{L}_{\mathcal{S}}$  is generated by associating a fresh *t* with *P*; applying a firing rule so that  $(V, \mathcal{A}(P, t), D \land t = 0) \stackrel{a}{\rightsquigarrow} (V', P', D')$ 

and lastly pruning unused clocks from D'. For each such transition, a corresponding transition is introduced in  $\mathcal{A}_S$  such that it is labeled with event a and clock constraint D'. Furthermore, all incoming transitions to the state (V, P, D) are labeled with a set of resetting clocks  $\{t\}$ . For instance, the right part of Figure 7 shows the generated Timed Automaton of the zone graph shown on the left.

The following is true about  $\mathcal{A}_{\mathcal{S}}$  (but not Timed Automata in general): for every clock t, assume  $\phi_i$  and  $\phi_j$  are two constraints on t associated with two transitions along any path starting and ending with a transition resetting t, then a valuation of t that satisfies  $\phi_i$  can always satisfy  $\phi_j$  by letting time elapse. This can be proved by looking at the abstract firing rules and Definition 4.2. When a clock t is introduced, it is associated with a *maximum* set of timed process constructs, which results in a maximum set of constraints of the form  $t \leq d$  or t = d. Later, when timed process constructs are discharged through transitions, there are less and less constraints on t. In other words, every clock acts as a count-down clock that cannot be modified or reset before it is expired.

Next, we establish a necessary and sufficient condition to check whether an abstract run is Zeno or not. Because  $\mathcal{L}_S$  is finite, an infinite run  $\pi$  of  $\mathcal{L}_S$  must visit a finite set abstract configurations, denoted as  $inf(\pi)$ , infinitely often. Let  $loopCLK(\pi)$  be the set  $\{x | \forall (V, P, D) \in inf(\pi). x \in cl(D)\}$ , that is, the clocks that are present in every configuration that is visited infinitely often. A transition of  $\mathcal{L}_S$  is sometimes written in the form  $(V, P, D) \stackrel{t,a,X}{\hookrightarrow} (V', P', D')$  such that t is the introduced clock; a is the event and X is the set of pruned clocks. Because a clock is introduced for every transition, through D'[t], we can infer the time needed for the transition to occur. The transition is *instantaneous* if and only if  $D' \Rightarrow t = 0$ . Notice that a transition that is not instantaneous might in fact be forced to occur immediately with any delay. For instance, let  $P \cong (a \to Wait[5])$  deadline[5]; P. The transition labeled with a is not instantaneous by definition. It is nonetheless constrained to occur immediately if we consider the loop generated by P, that is, the run contains infinitely many event  $a, \tau$  and  $\checkmark$  (which are generated by Wait[5]).

THEOREM 5.3. Let S be a model;  $\pi$  be a run of  $\mathcal{L}_S$ .  $\pi$  is non-Zeno if and only if  $loopCLK(\pi) = \emptyset$  and not all infinitely visited transitions are instantaneous.

**PROOF.** Let  $\rho$  be a run of  $\mathcal{T}_S$  and  $\pi$  be the corresponding abstract run of  $\mathcal{L}_S$ .

 $\rho = s_0 \stackrel{\epsilon_0, a_0}{\to} s_1 \stackrel{\epsilon_1, a_1}{\to} \cdots s_i \stackrel{\epsilon_i, a_i}{\to} \cdots$  $\pi = c_0 \stackrel{t_0, a_0, X_0}{\to} c_1 \stackrel{t_1, a_1, X_1}{\to} \cdots c_i \stackrel{t_i, a_i, X_i}{\to} \cdots$ 

ONLY-IF. We show that if  $\rho$  is non-Zeno, then  $loopCLK(\pi) = \emptyset$ . Assume that  $t_i \in loopCLK(\pi)$ . By definition,  $\epsilon_i + \epsilon_{i+1} + \cdots$  is unbounded. Therefore, the reading of  $t_i$  becomes unbounded. Because  $t_i$  is never pruned, there must be some constraints on t in every  $D_m$  such that  $m \ge i$ . According to the abstract firing rules, the constraint must be of the form  $t_m = n$  or  $t_m \le n$  where n is a constant. Because  $t_m$  is unbounded, we derive that  $t_m > n$  and reach contradiction. Therefore,  $loopCLK(\pi) = \emptyset$ . Furthermore, because  $\rho$  is non-Zeno,  $\epsilon_i + \epsilon_{i+1} + \cdots + \epsilon_{i+k} > 0$  and thus there must be a transition that is not instantaneous.

IF. We show that if  $loopCLK(\pi) = \emptyset$  and there is at least one infinitely often visited transition, say  $(V, P, D) \stackrel{t,a,X}{\leadsto} (V', P', D')$ , that is not instantaneous, then  $\pi$  is non-Zeno. Because D' does not imply t = 0, all clocks t' in D' must satisfy  $t' \leq d$  for some positive integer d. Because the constraint on t' can only get weakened (as we argue above), strictly positive number of time units must be able to elapse at some transition. Because  $loopCLK(\pi) = \emptyset$ , every clock is pruned (and reintroduced) before taking the transition

Modeling and Verifying Hierarchical Real-Time Systems Using Stateful Timed CSP

again. Let  $\rho$  be a run that takes the transition repeatedly with a nonzero delay. By Alur and Dill [1994],  $\rho$  is *progressive* as all clocks are reset (which is equivalent to *pruned and reintroduced*) infinitely often and strictly positive infinitely often. Therefore,  $\rho$  is non-Zeno.  $\Box$ 

The next theorem follows immediately. Intuitively speaking, it allows us to solve the emptiness problem of Stateful Timed CSP using methods based on finding maximal strongly connected components (SCC). Given a set of states *scc* constituting an SCC, let *loopCLK*(*scc*) denotes the set  $\{x | \forall (V, P, D) \in scc. x \in cl(D)\}$ .

THEOREM 5.4. Let S be a model.  $T_S$  is nonempty if and only if there exists a reachable maximal SCC scc in  $\mathcal{L}_S$  such that loopCLK(scc) =  $\emptyset$  and not all transitions connecting two states in scc are instantaneous.

PROOF (ONLY-IF). Let  $\pi$  be a non-Zeno run of  $\mathcal{T}_S$ . Let *scc* be the set of states constituting the maximal SCC that contains all states and transitions visited infinitely often by  $\pi$ . If  $\pi$  is non-Zeno,  $loopCLK(\pi) = \emptyset$  and therefore  $loopCLK(scc) = \emptyset$ . Furthermore, the transition that is not instantaneous in  $\pi$  is contained in *scc*. (If) Let *scc* be the maximal SCC that satisfies the condition. A run that traverses through every state and transition of *scc* is non-Zeno by Theorem 5.3.  $\Box$ 

Given an SE-LTL formula  $\phi$ , a Büchi automaton  $\mathcal{B}$  equivalent to the negation of  $\phi$ , model checking with non-Zenoness assumption is to construct the product of  $\mathcal{B}$  and  $\mathcal{L}_S$ and then search for an accepting run of the product whose projection on  $\mathcal{L}_S$  is non-Zeno. By Theorem 5.4, it is equivalent to searching for a particular maximal SCC scc. Therefore, the problem can be solved by an algorithm that has a complexity linear in the number of transitions in the product (e.g., based on Tarjan's algorithm for finding SCCs).

#### 6. EVALUATION

System modeling and verification using Stateful Timed CSP have been implemented in the PAT model checker [Sun et al. 2009a; Liu et al. 2011]. PAT is a self-contained environment for system modeling, simulation and verification. It has an extensible architecture that allows quick realization of new techniques for modeling, abstraction or verification. Interested readers are referred to Liu et al. [2010, 2011]. The model checker for Stateful Timed CSP is built as one plug-in module in PAT, which supports SE-LTL model checking and refinement checking.<sup>6</sup> In the following, we evaluate Stateful Timed CSP in two aspects: system modeling and verification.

#### 6.1. Modeling

We illustrate system modeling in Stateful Timed CSP using a multilift system. The system is chosen for two reasons. First, the system is hierarchical, real-time, and rich in data states, which nicely demonstrates language features of Stateful Timed CSP. Second, the lift system is a standard case study used to demonstrate the expressive power of various specification techniques and languages. The user requirements and behaviors of the system are intuitively clear, and therefore the readers can focus on the modeling. Though inspired by Mahony and Dong [1998], our model is different from Mahony and Dong [1998] in many aspects, for instance, our model uses shared variables, whereas Mahony and Dong [1998] reliv mostly on processes and channels communication; our model implements data operations using executable programs, whereas data operations are abstract in Mahony and Dong [1998]; and probably most important, our model is model checkable whereas Mahony and Dong [1998] is not.

<sup>&</sup>lt;sup>6</sup>Readers are recommended to download PAT at http://www.patroot.com and try out the RTS module.

ACM Transactions on Software Engineering and Methodology, Vol. 22, No. 1, Article 3, Pub. date: February 2013.

The lift system consists of a building, multiple lifts, and a central controller. In the following, we present the lift system model incrementally in bottom-up manner, beginning with models of the primitive components, which are then used to compose complex components. Notice that the language supported by PAT is slightly different from the previously presented notations for user's convenience. For instance, synchronous/asynchronous channels and constant definitions are supported. In the lift system model, the following constants are relevant: *NoOfFloors* (the number of floors); *NoOfLifts* (number of lifts); *Off* of value 0; *Up* of value 1; *Down* of value -1; and *Both* of value 2.

A building consists of multiple floors and each floor is equipped with one button panel on the wall so that a user can make an *external request* to traveling upwards or downwards. A button can be pushed at any time. Once pushed, the button is on until the requested service is provided. The status of the button (or equivalently the external requests) is maintained in an array *Floor Buttons* of length *NoOf Floors*. Each variable in the array has four possible values: *Off* (i.e., it is not on), *Up* (i.e., upward traveling has been requested), *Down* (i.e., downward traveling downward has been requested) or *Both* (i.e., both directions have been requested). The following models the building.

1.  $Press(floor, direction) \cong request. floor. direction{$  $\mathbf{2}$ . if(Floor Buttons[floor] = None)3. *FloorButtons*[*floor*] := *direction* 4. 5. else if  $(Floor Buttons[floor] \neq direction)$ 6. Floor Buttons[floor] := Both7. }  $\rightarrow Skip$ 8.  $TopFloor \cong Press(NoOfFloors - 1, Down); TopFloor$ 9. 10.  $GroundFloor \cong Press(0, Up); GroundFloor$ 11.  $MiddleFloor(n) \cong (Press(n, Down)|Press(n, Up)); MiddleFloor(n)$ 12. Building  $\widehat{=}$  TopFloor || GroundFloor || (|| $_{x=1}^{NoOfFloors-2}$ MiddleFloor(x))

Lines 1 to 8 define process Press(floor, direction), which models the process of pressing a floor button, where parameters floor and direction denote the requesting floor and traveling direction respectively. Notice that direction has two possible values: Up(1) or Down(-1). Event request floor.direction is the event of a user pressing a button at the floor to travel in the direction. It is associated with a program (from line 2 to 7), which stores the request in the Floor Buttons array. Line 9 models the top floor, where only traveling downwards is possible. Line 10 models the ground floor where only traveling upwards is possible. Line 11 models a middle floor, where traveling in both directions are possible. Last, line 12 models the building, which is a parallel composition of all floors. Notice that process Building is not timed since requests can arrive at any time.

Each lift consists of four components, that is, a door for allowing access to and from the lift; a shaft for transporting the lift; an internal queue for determining the lift itinerary; and a controller to coordinate the behaviors of the other components. The following is a model of the door.

```
Door \cong open \rightarrow (Cycle; close \rightarrow Skip) \ deadline[maxTime]; Door 
Cycle \cong to Open \rightarrow opened \rightarrow conf \rightarrow Wait[minTime]; Closing 
Closing \cong (closed \rightarrow Skip) \ interrupt (sensor \rightarrow to Open \rightarrow opened \rightarrow Closing)
```

Process *Cycle* models the process of opening the door and later closing it. It is initiated in process *Door* by the receipt of an *open* signal from the lift controller and completed by sending a *close* signal. That is, events *open* and *close* must be synchronized by the door and lift controller. Event *conf* is a signal from the door to the lift controller to indicate that the door has been opened and thus relevant external/internal service requests can be removed. After waiting for *minTime* time units after the door is opened, a signal *close* is sent to indicate that the door is to be closed. Process *Closing* models the process of closing the door. If an interrupt is detected through event *sensor* before the door is *closed*, the door is reopened and later closed again. Notice that the door has many timing properties. For instance, signal *conf* must occur immediately because of  $\rightarrow$ . Furthermore, the *deadline* in process *Door* is used to ensure that a door cannot remain opened forever. Notice that this is not exactly the case in reality. Nonetheless, this simplifying assumption allows us to ignore unlikely (not still possible) scenarios (e.g., an obstruction keeps the door open forever) and thus be able to verify liveness properties (e.g., always eventually a lift will serve some request).

A shaft takes input from the controller and transports a lift from one floor to another. The time required for transit depends on the distance to be traveled. It is modeled as follows.

$$Shaft(i) \cong move?[id = i]id.n.dir \rightarrow Wait[n * movingTime + delayTime];$$
  
 $arrive \rightarrow Shaft(i)$ 

.

Notice that *move* is a synchronous channel, which acts like a pair-wise synchronizing event. The question mark denotes that this is a channel input. The variables *id*, *n* and *dir* are place-holders for the received data. In particular, *id* indicates the intended lift; *n* is the number of floor to move across; and *dir* is the direction of movement. Condition id = i constrains that only channel inputs satisfying the condition are received. Intuitively, it means that the shaft only picks up messages with the matching identity. The feature is adopted from the Promela language [Holzmann 2003]. It can be shown that our results in this work remain valid with channels. After receiving the input, the shaft starts moving and later signals arrival through synchronizing event *arrive*. The constant *movingTime* is a constant denoting the time needed to travel across one floor and *delayTime* is a delay caused by the initial acceleration and final braking of the lift. Notice that in this model, we assume that once a lift is assigned with a destination, it will not be interrupted to serve a newly arrived request on its way. This is a simplifying assumption made to keep the model small enough for presentation.<sup>7</sup>

Inside each lift, there is a button panel so that a user can make an *internal request* to travel to a particular floor. The panel buttons are in one-to-one correspondence with the floor numbers. The internal requests (or equivalently the status of the internal panel buttons) are maintained in an array *IntReq*, which has dimension *NoOfLifts* × *NoOfFloors*. Entry *IntReq*[*i*][*j*] = *true* if and only if there is an internal request in *i*-lift for *j*-floor.

$$\begin{split} Internal Q(i) &\cong int Req.0 \{ Int Req[i][0] := 1 \} \rightarrow Internal Q(i) | \\ int Req.1 \{ Int Req[i][1] := 1 \} \rightarrow Internal Q(i) | \cdots | \\ int Req.(NoOfFloors - 1) \{ Int Req[i][NoOfFloors - 1] := 1 \} \rightarrow Internal Q(i) \end{split}$$

The above models the internal queue of requests. The process generates all possible internal requests using choices. Note that the removal of internal requests is not modeled as a part of the above process but rather in the lift controller process, which is shown below.

The following models a lift controller. The three parameters denote the lift *i*dentity, its current *floor* and *direction* respectively. Process *LiftCtrl* starts with sending a compound message on channel *check* to the central controller, indicating that it is ready to serve a request. The message consists of: fl, which is the floor that the lift is at; *dir*, which is the traveling direction; and the floor that the lift is traveling to. The

<sup>&</sup>lt;sup>7</sup>Refer to a different model of multilifts in PAT that models interruptible lifts.

ACM Transactions on Software Engineering and Methodology, Vol. 22, No. 1, Article 3, Pub. date: February 2013.

latter is computed based on the internal requests using an externally defined function. In PAT, external C# libraries are allowed in Stateful Timed CSP models so that the models are simplified by encapsulating complicated data operations. In this example, *call* is a reserved keyword for invoking an external function; the function name is *GetDesInt*; and the rest are inputs to method *GetDesInt*. The function returns the next internally requested floor in the traveling direction if one exists, or the nearest internal request in the opposite direction, or -1 if there is no internal request.<sup>8</sup>

```
\begin{split} LiftCtrl(i, fl, dir) &\cong check! fl.dir.call(GetDesInt, IntReq, fl, dir, NoOfFloors, i) \\ &\to check?des \to case \left\{ \\ des &= fl : open \to conf \to ClearReq(i, fl, dir); \\ close \to LiftCtrl(i, fl, dir) \\ des &> fl : move!(des - fl).Up \to arrive \to open \to \\ conf \to ClearReq(i, des, Up); close \to LiftCtrl(i, des, Up) \\ 0 &\leq des < fl : moveli.(fl - des).Down \to arrive \to open \to \\ conf \to ClearReq(i, des, Down); close \to LiftCtrl(i, des, Down) \\ def ault : Wait[delayTime]; LiftCtrl(i, fl, dir) \\ \end{split}
```

The central controller is responsible for assigning external requests to specific lifts, which is modeled as follows.

 $Controller \cong check? fl.dir.des \rightarrow check!call(GetDesExt, FloorButtons, fl, dir, des, NoOfFloors) \rightarrow Controller$ 

Upon receiving the message from a lift, the central controller checks the pool of external requests (which are stored in *Floor Buttons*) and decides whether to assign an external request to the lift. Function *GetDesExt* checks if there is an external request along the way for the lift. If there is, it sends the new destination on channel *check* to the lift. If the received *des* is -1, which means that there is no internal request for the lift, then it assigns an external request on the lift's current traveling direction. If there is no request on the current direction, then it assigns a request on the opposite direction. If there are no external requests, the message sent is -1.

Once the lift controller receives the new destination from the central controller, its behaviors diverge, which are modeled using a 'syntactic sugar'. Process case  $\{c_0 : P_0 \ c_1 : P_1 \ldots\}$  is equivalent to  $if(c_0)\{P_0\}$  else  $\{if(c_1) \ P_1\}$  else  $\{\cdots\}\}$ . That is, the conditions  $c_0, c_1, \ldots$  are evaluated one by one until one evaluates to true and then the corresponding process is chosen. In particular, if there is an internal request for the current floor or there is an external request from the current floor to travel in the current direction (i.e., des = fl), then the door is opened to serve the request. Otherwise, if the destination is above (below) the current floor, the shaft is commanded to travel upwards for des - fl floors (downwards for fl - des floors) and then the door is opened. Once the door is confirmed opened, by synchronizing conf, the requests are cleared by *Clear Request*, which is defined as follows.

 $\begin{aligned} Clear Req(i, fl, dir) &\cong clear Request \\ Int Req[i][fl] &:= 0; \\ if(Floor Buttons[fl] = dir) \{Floor Buttons[fl] := None\} \\ else \{if(Floor Buttons[fl]! = None) \{Floor Buttons[fl] := -1 * dir\} \} \\ \} \rightarrow Skip \end{aligned}$ 

Afterwards, the door is closed by signal event *close* and then the lift controller restarts. If there are no internal requests or external requests (i.e., des = -1), then the lift

<sup>&</sup>lt;sup>8</sup>Details of the C# methods are skipped as they are less interesting.

| Model                | Property     | #St  | #Clock | Z(s)  | NZ(s) |
|----------------------|--------------|------|--------|-------|-------|
| Pacemaker            | reachability | 450K | 2      | 21    | 21    |
| Lift (2floor; 2lift) | reachability | 197K | 4      | 54    | 53    |
| Lift (3floor; 2lift) | reachability | 943K | 4      | 310   | 305   |
| Lift (2floor; 2lift) | LTL          | 748K | 4      | 346   | 305   |
| Lift (3floor; 2lift) | LTL          | 4.3M | 4      | 6102  | 3948  |
| Fischer*5            | LTL          | 15K  | 5      | 1     | 1     |
| Fischer*7            | LTL          | 857K | 7      | 229   | 105   |
| Railway*4            | LTL          | 2K   | 4      | < 1   | < 1   |
| Railway*6            | LTL          | 74K  | 4      | 6     | 6     |
| Railway*8            | LTL          | 4.3M | 4      | 1536  | 1200  |
| CSMA*6               | LTL          | 14K  | 5      | 2     | 2     |
| CSMA*9               | LTL          | 295K | 5      | 75    | 71    |
| CSMA*12              | LTL          | 4.7M | 5      | 11475 | 9303  |
| FDDI*4               | LTL          | 46K  | 6      | 10    | 8     |
| FDDI*5               | LTL          | 6.4M | 7      | 1461  | 1438  |

Table I. Experiment Results

controller simply waits for some time and then restarts. Notice that in this modeling, priority has been given to the internal requests. It is possible that a lift system is designed otherwise.

 $Lift(i) \cong (Shaft(i) \parallel Door \parallel LiftCtrl(i, 0, Up) \parallel Internal Q(i)) \\ (open, conf, close, arrive);$ 

A lift is then modeled as the parallel composition of the shaft, the door and the lift controller and the internal queue. Notice that the synchronizing events between the components are hidden from the environment. Last, the lifts are the interleaving of all individual lifts and the lift system is composed of the interleaving of the lifts, the central controller and the building.

 $\begin{array}{l} Lifts() \widehat{=} \parallel \mid_{i=0}^{NoOfLifts-1} Lift(i) \\ System() \widehat{=} Lifts() \parallel CentralController() \parallel Building() \end{array}$ 

This model demonstrates how Stateful Timed CSP may be applied to model hierarchical real-time systems step-by-step. The rich set of process constructs not only allow us to capture real-time behaviors intuitively, without thinking about the clocks, but also to build the system model incrementally from primitive system components.

#### 6.2. Verification

In the following, we evaluate efficiency of our method in order to show that it is practically useful. Table I shows statistics of system verification using PAT. The data are obtained with Intel<sup>®</sup> Xeon<sup>®</sup> CPU E5506 @2.13GHz and 32GB memory, on a 64-bit Windows system. '-' denotes that the experiment is aborted due to out of memory or running more than 4 hours. The verified models include the pacemaker model, the lift system, and benchmark real-time systems like Fischer's mutual exclusion algorithm, the railway control system [Yi et al. 1994], the CSMA/CD protocol [Bozga et al. 1998], and the Fiber Distributed Data Interface (FDDI) [Larsen et al. 1997]. All models with configurable parameters are available at [Sun et al.]. In the first column, the number after the model name is the number of processes. LTL properties are verified with or without the assumption of non-Zenoness. The verification time without non-Zenoness is shown in column Z and the time with non-Zenoness is shown in column NZ. Column #St shows the number states in the zone graphs. Column #Clock shows the maximum number of clocks created during verification. Memory usage is skipped because PAT is

| Model     | #C  | locks  | Without Non-Zenoness |           |                      |  |
|-----------|-----|--------|----------------------|-----------|----------------------|--|
|           | PAT | Uppaal | PAT(s)               | UPPAAL(s) | UPPAAL+ $\tau$ -o(s) |  |
| Fischer*5 | 5   | 5      | < 1                  | < 1       | 696                  |  |
| Fischer*6 | 6   | 6      | 7                    | 1         | -                    |  |
| Railway*6 | 4   | 6      | 2                    | < 1       | -                    |  |
| Railway*7 | 4   | 7      | 15                   | 6         | -                    |  |
| CSMA*6    | 5   | 7      | 1                    | < 1       | -                    |  |
| CSMA*8    | 5   | 9      | 11                   | 5         | -                    |  |
| CSMA*10   | 5   | 11     | 97                   | 18        | -                    |  |

Table II. Experiment Results

based on C# with dynamic garbage collection and therefore accurate memory usage is hard to obtain.

A number of observations can be obtained from the data. First, PAT currently handles in average about 20K states per second (i.e., the total number of visited states—not new states—divided by the total number of seconds), which is reasonable compared to existing model checkers [Holzmann 2003; Roscoe et al. 1995; Larsen et al. 1997]. Second, model checking with non-Zenoness has little computational overhead and may be even more efficient. Compared to other work on model checking with non-Zenoness [Tripakis 1999; Gómez and Bowman 2007; Herbreteau et al. 2010; Herbreteau and Srivathsan 2010], this is a clear advantage. Third, for some models, the number of clocks remains constant when the system size increases, for instance, the railway control system and the CSMA/CD protocol. This is because clocks are shared as much as possible in our approach.

In order to compare our method with the state-of-art real-time model checker, we conducted experiments to compare performance of PAT (version 3.3) and UPPAAL (version 4.1). For simplicity, all properties are reachability (without non-Zenoness). The results are summarized in Table II, where column UPPAAL(s) shows the verification time using UPPAAL, with all optimization techniques. Notice that UPPAAL outperforms PAT in many cases. There are a number of reasons. First, our zone graphs are more complicated than those of Timed Automata. The nodes in our zone graphs, that is, the abstract configurations, are more complicated than those in UPPAAL as an abstract configuration consists of a process expression. The process expression cannot be abstracted as an array of numbers because the system structure in Stateful Timed CSP varies through transitions. Furthermore, our zone graphs may contain more nodes due to the extra  $\tau$ -transitions introduced by the compositional process constructs, for instance, the  $\tau$ -transition generated by abstract firing rule *ato3*. Combined with parallel composition, these  $\tau$ -transitions may result in a large number of additional states. In hand-crafted UPPAAL models, the  $\tau$ -transitions are often removed by carefully manipulating the clock guards or grouping clock guards and events into the same transition. Removing the extra  $\tau$ -transitions is highly nontrivial. In fact, we believe that they are a price to pay in order to model hierarchical systems. Second, PAT is slower than UPPAAL simply because some effective optimization techniques are currently missing. One particular example is *extrapolation*. The column UPPAAL +  $\tau$ -o shows the verification time using UPPAAL without *extrapolation* (and with the same extra  $\tau$ -transitions so that the models in PAT and UPPAAL have similar state spaces). The results show that PAT often outperforms UPPAAL in this setting. This suggests that PAT could be more efficient with similar optimizations in place. One last thing to notice is that in all the experiments, PAT uses less clocks than UPPAAL. It remains as our future work to explore this fact and UPPAAL's powerful optimization techniques to improve PAT.

In summary, the reason why the current PAT implementation is useful is threefold. First, Stateful Timed CSP is more suited to model hierarchical real-time systems than Modeling and Verifying Hierarchical Real-Time Systems Using Stateful Timed CSP

Timed Automata. Second, PAT supports verification with non-Zenoness with little or no extra cost. Last, PAT is reasonably efficient and supports alternative ways of specifying properties (e.g., in SE-LTL, trace-refinement).

#### 7. RELATED WORK

This work is related to research on real-time system modeling and verification. Compositional specification for real-time systems based on timed process algebras has been studied extensively. Examples include the algebra of timed processes named ATP [Sifakis 1999; Nicollin and Sifakis 1994], the extension of CCS with real time [Yi 1991] and Timed CSP [Reed and Roscoe 1986; Schneider 2000]. Stateful Timed CSP is an extension of Timed CSP. Different from timed process algebras, Stateful Timed CSP integrates timed process constructs with complex data variables/operations in order to model real-world systems. There has been a related line of research on integrating timed process algebra with state-based specification languages [Mahony and Dong 2000; Butterfield et al. 2007]. One closely related language is called TCOZ [Mahony and Dong 2000, which is an integration of Timed CSP and Object-Z. In TCOZ, Object-Z is used to model data structures and operations. Different from previous work on integrated formal specification, Stateful Timed CSP is designed to be executable and model checkable. The key difference is that concrete executable programs instead of pre/post-conditions are used to specify data operations. As a modeling language for real-time systems, Stateful Timed CSP is related to Timed Automata [Alur and Dill 1994]. Remotely related modeling languages are Statecharts [Harel 1997] with clocks and timed Petri nets [Ramchandani 1974], which are capable of modeling hierarchical systems with real-time constraints.

There have been many approaches on building verification support for timed process algebras. Development of tool support for ATP was evidenced in Nicollin et al. [1992] and Closse et al. [2001]. In Yi et al. [1994], a constraint solving based verification method was proposed to verify CCS + real time. In Brooke [1999], a theorem proving approach for Timed CSP was discussed. In order to avoid the complexity of developing a model checker from scratch, a number of translation-based approaches have been studied. In our previous work [Dong et al. 2004; 2008], Timed CSP (as part of TCOZ models) is translated to Timed Automata so that UPPAAL can be applied. In Dong et al. [2006], Timed CSP is encoded into a constraint solver so as to verify reachability properties. These approaches share the common problems with all translation-based approaches. That is, the target tool UPPAAL is not designed for Timed CSP and therefore features of Timed CSP may not be effectively encoded or efficiently verified. For instance, every timed process construct results in one fresh clock [Dong et al. 2006], which resulted in using more clocks than necessary. Furthermore, reflecting verification results back to the level of Timed CSP is not trivial. Ouaknine and Worrell [2002] proved that through digitalization, Timed CSP models can be translated into CSP models and verified by CSP model checkers like FDR [Roscoe et al. 1995]. Compared to zone abstraction adapted in this work, digitalization becomes ineffective when a model involves largely different constants associated with timed processes. There has been little verification support for integration of Timed CSP with other languages. To the best of our knowledge, the PAT model checker is the first dedicated verification tool supporting verification of hierarchical complex real-time systems with data structures/operations.

Research on verifying real-time systems have been focused on Timed Automata. Several model checkers have been developed with Timed Automata or Timed Safety Automata [Henzinger et al. 1994] being the core of their input languages [Larsen et al. 1997; Bozga et al. 1998; Tasiran et al. 1996]. Zone abstraction was originally introduced for Petri net [Berthomieu and Menasche 1983] and then adapted to the framework of Timed Automata [Dill 1989]. Our zone abstraction is based on the zone abstraction developed in [Yi et al. 1994; Dill 1989]. In contrast to approaches based on Timed Automata, our approach is capable of modeling and verifying hierarchical systems. This work is closely related to work on Hierarchical Timed Automata [Jin et al. 2007; David et al. 2001; Dong et al. 2008]. In Jin et al. [2007], formal definitions for Hierarchical Timed Automata and their composition were defined. Furthermore, compositional verification based on Multiset-LTS are discussed. Different from Jin et al. [2007], our work offers an alternative approach based implicit clocks.

This work is related to research on verification with non-Zenoness assumption. Syntactic conditions for Timed Automata to be free from Zeno runs have been identified [Tripakis 1999; Gómez and Bowman 2007]. The conditions are often sufficient only [Bowman and Gómez 2006]. In the setting of Timed Automata, it has been shown that it is not possible to determine if a run can be instantiated to a non-Zeno run given only zone graphs. The solution involving adding one extra clock has been discussed in [Tripakis 1999; Tripakis et al. 2005; Tripakis 2009]. Recently, it has been shown that adding one clock may result in an exponentially larger zone graph [Herbreteau et al. 2010; Herbreteau and Srivathsan 2010]. The remedy is to transform the zone graph into a *guess zone graph* and require that all clocks that are bounded from above must be reset infinitely often during a run and the run must visit a state such that the clocks can be strictly positive [Herbreteau et al. 2010]. In this work, we show that zone graphs generated from Stateful Timed CSP models are different as all clocks are bounded from above and cannot be reset arbitrarily. As a result, detecting Zeno runs based on zone graphs is feasible. In terms of tool support for model checking with non-Zenoness, only UPPAAL and KRONOS allow some form of non-Zenoness detection. UPPAAL relies on test automata [Aceto et al. 2003] and leads-to properties. The problem with this approach is that it is sufficient-only. KRONOS supports an expressive language for specifying properties, which allows encoding of a sufficient and necessary condition for non-Zenoness. Checking for non-Zenoness in KRONOS is expensive. In comparison, checking non-Zenoness in our setting has a negligible computational overhead.

#### 8. CONCLUSION

In this work, we develop a self-contained approach for model checking hierarchical complex real-time systems. In particular, we propose a modeling language named Stateful Timed CSP, which extends Timed CSP with data components as well as additional timed process constructs. We developed a fully automatic method to generate finite-state abstraction from Stateful Timed CSP models. We show that the abstraction preserves interesting properties by proving that it is time-abstract bisimilar to the original model. We then tackle the problem of non-Zenoness. We show that it is possible to check non-Zenoness based on zone graphs so that properties can be verified with the assumption of non-Zenoness. Last, our methods are implemented in the PAT framework.

As for future work, because verification on CSP-based models has been traditionally based on refinement checking [Roscoe 2005], we are currently investigating how to check timed refinement relationship between two Stateful Timed CSP models with the assumption of non-Zenoness. In addition, state space reduction techniques like extrapolation, symmetry reduction and partial order reduction for Stateful Timed CSP are to be studied.

#### REFERENCES

ACETO, L., BOUYER, P., BURGUEÑO, A., AND LARSEN, K. G. 2003. The power of reachability testing for timed automata. *Theor. Comput. Sci.* 300, 1–3, 411–475.

ALUR, R. AND DILL, D. L. 1994. A theory of timed automata. Theor. Comput. Sci. 126, 183-235.

- BAROLD, S. S., STROOPBANDT, R. X., AND SINNAEVE, A. F. 2004. Cardiac Pacemakers Step by Step: An Illustrated Guide. Blackwell Publishing.
- BEHRMANN, G., LARSEN, K. G., PEARSON, J., WEISE, C., AND YI, W. 1999. Efficient timed reachability analysis using clock difference diagrams. In Proceedings of the 11th International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 1633. Springer, 341–353.
- BENGTSSON, J. AND YI, W. 2003. Timed automata: Semantics, algorithms and tools. In Lectures on Concurrency and Petri Nets. Lecture Notes in Computer Science, vol. 3098. Springer, 87–124.
- BERTHOMIEU, B. AND MENASCHE, M. 1983. An enumerative approach for analyzing time Petri nets. In Proceedings of the IFIP Congress. 41–46.
- BOWMAN, H. AND GÓMEZ, R. 2006. How to stop time stopping. Formal Aspects Comput. 18, 4, 459–493.
- BOZGA, M., DAWS, C., MALER, O., OLIVERO, A., TRIPAKIS, S., AND YOVINE, S. 1998. Kronos: A model-checking tool for real-time systems. In *Proceedings of the 10th International Conference on Computer Aided Verification*. Lecture Notes in Computer Science, vol. 1427. Springer, 546–550.
- BROOKE, P. 1999. A timed semantics for a hierarchical design notation. Ph.D. thesis, University of York.
- BUTTERFIELD, A., SHERIF, A., AND WOODCOCK, J. 2007. Slotted-circus. In Proceedings of the 6th International Conference on Integrated Formal Methods. Lecture Notes in Computer Science, vol. 4591. Springer, 75–97.
- CHAKI, S., CLARKE, E. M., OUAKNINE, J., SHARYGINA, N., AND SINHA, N. 2004. State/event-based software model checking. In *Proceedings of the 4th International Conference on Integrated Formal Methods*. Lecture Notes in Computer Science, vol. 2999. Springer, 128–147.
- CLOSSE, E., POIZE, M., PULOU, J., SIFAKIS, J., VENTER, P., WEIL, D., AND YOVINE, S. 2001. TAXYS: A tool for the development and verification of real-time embedded system. In *Proceedings of the 13th International Conference on Computer Aided Verification*. Lecture Notes in Computer Science, vol. 2102. Springer, 391–395.
- DAVID, A., DAVID, R., AND MÖLLER, M. O. 2001. From HUPPAAL to UPPAAL A Translation from Hierarchical Timed Automata to Flat Timed Automata.
- DAVIES, J. 1993. Specification and Proof in Real-Time CSP. Cambridge University Press.
- DILL, D. L. 1989. Timing assumptions and verification of finite-state concurrent systems. In Proceedings of the International Workshop onAutomatic Verification Methods for Finite State Systems. Lecture Notes in Computer Science, vol. 407. Springer, 197–212.
- DONG, J. S., HAO, P., QIN, S. C., SUN, J., AND YI, W. 2004. Timed patterns: TCOZ to timed automata. In Proceedings of the 3rd International Conference on Formal Engineering Methods. Lecture Notes in Computer Science, vol. 3308. Springer, 483–498.
- DONG, J. S., HAO, P., QIN, S. C., SUN, J., AND YI, W. 2008. Timed Automata Patterns. IEEE Trans. Software Eng. 34, 6, 844–859.
- DONG, J. S., HAO, P., SUN, J., AND ZHANG, X. 2006. A reasoning method for timed CSP based on constraint solving. In Proceedings of the 8th International Conference on Formal Engineering Methods. Lecture Notes in Computer Science, vol. 4260. Springer, 342–359.
- DONG, J. S., MAHONY, B. P., AND FULTON, N. 1999. Modeling Aircraft Mission Computer Task Rates. In Proceedings of the World Congress on Formal Methods in the Development of Computing Systems. Lecture Notes in Computer Science, vol. 1708. Springer, 1855.
- FLOYD, R. W. 1962. Algorithm 97: Shortest path. Commun. ACM 5, 6, 345.
- GASTIN, P. AND ODDOUX, D. 2001. Fast LTL to Büchi automata translation. In Proceedings of the 14th International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 2102. Springer, 53–65.
- GÓMEZ, R. AND BOWMAN, H. 2007. Efficient detection of Zeno runs in Timed Automata. In Proceedings of the 5th International Conference on Formal Modeling and Analysis of Timed Systems. Lecture Notes in Computer Science, vol. 4763. Springer, 195–210.
- HAREL, D. 1997. Some thoughts on statecharts, 13 years later. In Proceedings of the 9th International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 1254. Springer, 226–231.
- HAREL, D. AND GERY, E. 1997. Executable object modeling with statecharts. IEEE Comput. 30, 7, 31-42.
- HENZINGER, T. A., NICOLLIN, X., SIFAKIS, J., AND YOVINE, S. 1994. Symbolic model checking for real-time systems. *Inf. Comput.* 111, 2, 193–244.
- HERBRETEAU, F. AND SRIVATHSAN, B. 2010. Efficient on-the-fly emptiness check for timed büchi automata. In Proceedings of the 8th International Symposium on Automated Technology for Verification and Analysis. Springer.

- HERBRETEAU, F., SRIVATHSAN, B., AND WALUKIEWICZ, I. 2010. Efficient emptiness check for timed Büchi automata. In Proceedings of the 22nd International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 6174. Springer, 148–161.
- HOARE, C. A. R. 1985. Communicating Sequential Processes. International Series in Computer Science. Prentice-Hall.
- HOLZMANN, G. J. 2003. The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley.
- JIN, X., MA, H., AND GU, Z. 2007. Real-time component composition using hierarchical timed automata. In Proceedings of the 7th International Conference on Quality Software. IEEE Computer Society, 90–99.
- LAI, L. M. AND WATSON, P. 1997. A case study in timed CSP: The railroad crossing problem. In Proceedings of the International Workshop on Hybrid and Real-Time Systems. Lecture Notes in Computer Science, vol. 1201. Springer, 69–74.
- LARSEN, K. G., PETTERSSON, P., AND WANG, Y. 1997. Uppaal in a nutshell. Int. J. Softw. Tools Technol. Trans. 1, 1–2, 134–152.
- LINDAHL, M., PETTERSSON, P., AND WANG, Y. 2001. Formal design and analysis of a gearbox controller. Int. J. Softw. Tools Technol. Trans. 3, 3, 353–368.
- LIU, Y., SUN, J., AND DONG, J. S. 2010. Developing model checkers using PAT. In Proceedings of the 8th International Symposium on Automated Technology for Verification and Analysis. Springer.
- LIU, Y., SUN, J., AND DONG, J. S. 2011. PAT 3: An extensible architecture for building multidomain model checkers. In *Proceedings of the 22nd International Symposium on Software Reliability Engineering*. ACM.
- LYNCH, N. A. AND VAANDRAGER, F. W. 1996. Action transducers and timed automata. Formal Asp. Comput. 8, 5, 499–538.
- MAHONY, B. P. AND DONG, J. S. 1998. Network topology and a case study in TCOZ. In Proceedings of the 11th International Conference of Z Users. Lecture Notes in Computer Science, vol. 1493. Springer, 308–327.
- MAHONY, B. P. AND DONG, J. S. 2000. Timed communicating object Z. IEEE Trans. Soft. Eng. 26, 2, 150-177.
- NICOLLIN, X. AND SIFAKIS, J. 1994. The algebra of timed processes, ATP: Theory and application. *Inf. Comput.* 114, 1, 131–178.
- NICOLLIN, X., SIFAKIS, J., AND YOVINE, S. 1992. Compiling Real-Time Specifications into Extended Automata. IEEE Trans. Soft. Eng. 18, 9, 794–804.
- OUAKNINE, J. AND WORRELL, J. 2002. Timed CSP = closed timed safety automata. *Electr. Notes Theor. Comput.* Sci. 68, 2, 142–159.
- RAMCHANDANI, C. 1974. Analysis of asynchronous concurrent systems by timed Petri nets. Ph.D. thesis, Massachusetts Institute of Technology.
- REED, G. M. AND ROSCOE, A. W. 1986. A timed model for communicating sequential processes. In Proceedings of the 13th International Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 226. Springer, 314–323.
- ROKICHI, T. G. 1993. Representing and modeling digital circuits. Ph.D. thesis.
- ROSCOE, A. W. 2001. Compiling shared variable programs into CSP. In Proceedings of PROGRESS Workshop.
- ROSCOE, A. W. 2005. On the Expressive Power of CSP Refinement. Formal Aspects Comput. 17, 2, 93-112.
- ROSCOE, A. W., GARDINER, P. H. B., GOLDSMITH, M., HULANCE, J. R., JACKSON, D. M., AND SCATTERGOOD, J. B. 1995. Hierarchical compression for model-checking CSP or how to check 1020 dining philosophers for deadlock. In *Proceedings of the 1st International Workshop on Tools and Algorithms for Construction and Analysis of Systems*. Lecture Notes in Computer Science, vol. 1019. Springer, 133–152.
- SCHNEIDER, S. 1995. An operational semantics for timed CSP. Inf. Comput. 116, 2, 193–213.
- SCHNEIDER, S. 2000. Concurrent and Real-Time Systems. John Wiley and Sons.
- SIFAKIS, J. 1999. The compositional specification of timed systems: A tutorial. In Proceedings of the 11th International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 1633. Springer, 2–7.
- SUN, J., LIU, Y., DONG, J. S., LIU, Y., AND SHI, L. Stateful timed CSP: Models and experiments. http://www.comp.nus.edu.sg/~pat/rts.
- SUN, J., LIU, Y., DONG, J. S., AND PANG, J. 2009a. PAT: Towards flexible verification under fairness. In Proceedings of the 20th International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 5643. Springer.
- SUN, J., LIU, Y., DONG, J. S., AND ZHANG, X. 2009b. Verifying stateful timed CSP using implicit clocks and zone abstraction. In Proceedings of the 11th IEEE International Conference on Formal Engineering Methods. Lecture Notes in Computer Science, vol. 5885. Springer, 581–600.

- TASIRAN, S., ALUR, R., KURSHAN, R. P., AND BRAYTON, R. K. 1996. Verifying abstractions of timed systems. In Proceedings of the 7th International Conference on Concurrency Theory. Lecture Notes in Computer Science, vol. 1119. Springer, 546–562.
- TRIPAKIS, S. 1999. Verifying progress in timed systems. In Proceedings of the 5th International AMAST Workshop ARTS on Formal Methods for Real-Time and Probabilistic Systems. Lecture Notes in Computer Science, vol. 1601. Springer, 299–314.
- TRIPAKIS, S. 2009. Checking Timed Büchi Automata Emptiness on Simulation Graphs. ACM Transactions on Computational Logic 10, 3, 1–19.
- TRIPAKIS, S., YOVINE, S., AND BOUAJJANI, A. 2005. Checking timed Büchi Automata emptiness efficiently. Formal Meth. Syst. Des. 26, 3, 267–292.
- VARDI, M. Y. AND WOLPER, P. 1986. An automata-theoretic approach to automatic program verification (preliminary report). In Proceedings of the Symposium on Logic in Computer Science. IEEE Computer Society, 332–344.
- YI, W. 1991. CCS + Time = an interleaving model for real time systems. In Proceedings of the 18th International Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 510. Springer, 217–228.
- YI, W., PETTERSSON, P., AND DANIELS, M. 1994. Automatic verification of real-time communicating systems by constraint-solving. In Proceedings of the 7th IFIP WG6.1 International Conference on Formal Description Techniques. IFIP Conference Proceedings, vol. 6. Chapman & Hall, 243–258.

Received October 2010; revised April 2011, August 2011; accepted August 2011