A Boolean Approach to Unbounded, Fully Symbolic Model Checking of Timed Automata

We present a new approach to unbounded, fully symbolic model checking of timed automata that is based on an e(cid:14)cient translation of quanti(cid:12)ed separation logic to quanti(cid:12)ed Boolean logic. Our technique preserves the interpretation of clocks over the reals and can check any property expressed in the timed (cid:22) calculus. The core operations of eliminating quanti(cid:12)ers over real variables and deciding separation logic are respectively translated to eliminating quanti(cid:12)ers on Boolean variables and checking Boolean satis(cid:12)ability (SAT). We can thus leverage well-known techniques for Boolean formulas, including Binary Decision Diagrams (BDDs) and recent advances in SAT and SAT-based quanti(cid:12)er elimination. We present preliminary empirical results for a BDD-based implementation of our method.


Introduction
Timed automata [2] have proved to be a useful formalism for modeling real-time systems.A timed automaton is a generalization of a finite automaton with a set of real-valued clock variables.The state space of a timed automaton thus has a finite component (over Boolean state variables) and an infinite component (over clock variables).Several model checking techniques for timed automata have been proposed over the past decade.These can be classified, on the one hand, as being either symbolic or fully symbolic, and on the other, as being bounded or unbounded.Symbolic techniques use a symbolic representation for the infinite component of the state space, and either symbolic or explicit representations for the finite component.In contrast, fully symbolic methods employ a single symbolic representation for both finite and infinite components of the state space.Bounded model checking techniques work by unfolding the transition relation d times, finding counterexamples of length up to d, if they exist.As in the untimed case, these methods suffer from the limitation that, unless a bound on the length of counterexamples is known, they cannot verify the property of interest.Unbounded methods, on the other hand, can produce a guarantee of correctness.
The theoretical foundation for unbounded, fully symbolic model checking of timed automata was laid by Henzinger et al. [11].The characteristic function of a set of states is a formula in separation logic, a quantifier-free fragment of first-order logic.Formulas in Separation Logic (SL) are Boolean combinations of Boolean variables and predicates of the form x i x j + c where ∈ {>, ≥}, x i and x j are real-valued variables, and c is a constant.Quantified Separation Logic (QSL) is an extension of SL with quantifiers over real and Boolean variables.The most important model checking operations involve deciding SL formulas and eliminating quantifiers on real variables from QSL formulas.
In this paper, we present the first approach to unbounded, fully symbolic model checking of timed automata that is based on a Boolean encoding of SL formulas and that preserves the interpretation of clocks over the reals.Unlike many other fully symbolic techniques, our method can be used to model check any property in the timed µ calculus or Timed Computation Tree Logic (TCTL) [3].The main theoretical contribution of this paper is a new technique for transforming the problem of eliminating quantifiers on real variables to one of eliminating quantifiers on Boolean variables.In some cases, we can avoid introducing Boolean quantification altogether.These techniques, in conjunction with previous work on deciding SL formulas via a translation to Boolean satisfiability (SAT) [17], allow us to leverage well-known techniques for manipulating quantified Boolean formulas, including Binary Decision Diagrams (BDDs) and recent work on SAT and SAT-based quantifier elimination [13].
Related Work.The work that is most closely related to ours is the approach based on representing SL formulas using Difference Decision Diagrams (DDDs) [14].A DDD is a BDD-like data structure, where the node labels are generalized to be separation predicates rather than just Boolean variables, with the ordering of predicates induced by an ordering of clock variables.This predicate ordering permits the use of local reduction operations, such as eliminating inconsistent combinations of two predicates that involve the same pair of clock variables.Deciding a SL formula represented as a DDD is done by eliminating all inconsistent paths in the DDD.This is done by enumerating all paths in the DDD and checking the satisfiability of the conjunction of predicates on each path using a constraint solver based on the Bellman-Ford shortest path algorithm.Note that each path can be viewed as a disjunct in the Disjunctive Normal Form (DNF) representation of the DDD, and in the worst case there can be exponentially many calls to the constraint solver.Quantifier elimination is performed by the Fourier-Motzkin technique [10], which also requires enumerating all possible paths.In contrast, our Boolean encoding method is general in that any representation of Boolean functions may be used.Our decision procedure and quantifier elimination scheme use a direct translation to SAT and Boolean quantification, respectively, avoiding the need to explicitly enumerate each DNF term.In theory, the use of DDDs permits unbounded, fully symbolic model checking of TCTL; however, the DDD-based model checker [14] can only check reachability properties (these can express safety and bounded-liveness properties [1]).
Uppaal2k and Kronos are unbounded, symbolic model checkers that explicitly enumerate the discrete component of the state space.Kronos uses Difference Bound Matrices (DBMs) as the symbolic representation [19] of the infinite component.Uppaal2k uses, in addition, Clock Difference Diagrams (CDDs) to symbolically represent unions of convex clock regions [6].In a CDD, a node is labeled by the difference of a pair of clock variables, and each outgoing edge from a node is labeled with an interval bounding that difference.Note that while Kronos can check arbitrary TCTL formulas, Uppaal2k is limited to checking reachability properties and very restricted liveness properties such as AFp.
Red is an unbounded, fully symbolic model checker based on a data structure called the Clock Restriction Diagram (CRD) [18].The CRD is similar to a CDD, labeling each node with the difference between two clock variables.However, each outgoing edge from a node is labeled with an upper bound, instead of an interval.Red represents separation formulas by a combined BDD-CRD structure, and can model check TCTL formulas.
A fully symbolic version of Kronos using BDDs has been developed by interpreting clock variables over integers [8]; however, this approach is restricted to checking reachability for the subclass of closed timed automata1 , and the encoding blows up with the size of the integer constants.Rabbit [7] is a tool based on this approach that additionally exploits compositional methods to find good BDD variable orderings.In comparison, our technique applies to all timed automata and its efficiency is far less sensitive to the size of constants.Also, the variable ordering methods used in Rabbit could be used in a BDD-based implementation of our technique.
Many fully symbolic, but bounded model checking methods based on SAT have been developed recently (e.g., [5,15]).These algorithms cannot be directly extended to perform unbounded model checking.
The rest of the paper is organized as follows.We define notation and present background material in Sections 2 and 3. We describe our new contributions in Sections 4 and 5.We conclude in Section 6 with experimental results and ongoing work.

Background
We begin with a brief presentation of background material, based on papers by Alur [2] and Henzinger et al. [11].We refer the reader to these papers for details.

Separation Logic
Separation logic (SL), also known as difference logic, is a quantifier-free fragment of first-order logic.A formula φ in separation logic is a Boolean combination of Boolean variables and separation predicates (also known as difference bound constraints) involving real-valued variables, as given by the following grammar: We use a special variable x 0 to denote the constant 0; this allows us to express bounds of the form x ≥ c.We will however use both x c and x x 0 + c, where ∈ {>, ≥}, as suits the context.We will denote Boolean variables by b, b 1 , b 2 , . . ., real variables by x, x 1 , x 2 , . . ., and SL formulas by φ, φ 1 , φ 2 , . . . .Note that the relations > and ≥ suffice to represent equalities and other inequalities.
Characteristic functions of sets of states of timed automata are SL formulas.Deciding the satisfiability of a SL formula is NP-complete [11].
Quantified Separation Logic.Separation logic can be generalized by the addition of quantifiers over both Boolean and real variables.This yields quantified separation logic (QSL).The satisfiability problem for QSL is PSPACE-complete [12].We will denote QSL formulas by ω, ω 1 , . . . .

Timed Automata
A timed automaton T is a tuple L, L 0 , Σ, X , I, E , where L is a finite set of locations, L 0 ⊆ L is a finite set of initial locations, Σ is a finite set of labels used for product construction, X is a finite set of non-negative real-valued clock variables, I is a function mapping a location to a SL formula (called a location invariant), and E is the transition relation, a subset of L × Ψ × R × Σ × L, where Ψ is a set of SL formulas that form enabling guard conditions for each transition, and R is a set of clock reset assignments.A location invariant is the condition under which the system can stay in that location.A clock reset assignment is of the form x i := x 0 + c or x i := x j , where x i , x j ∈ X and c is an integer constant,2 and indicates that the clock variable on the left-hand side of the assignment is reset to the value of the expression on the right-hand side.We will denote guards by ψ, ψ 1 , . . . .Two timed automata are composed by synchronizing over common labels.We refer the reader to Alur's paper [2] for a formal definition of product construction.Note that in contrast to the definition of timed automata given by Alur [2], we allow location invariants and guards to be arbitrary SL formulas, rather than simply conjunctions over separation predicates involving clock variables.
The invariant I T for the timed automaton T is defined as I T = l∈L [enc(l) =⇒ I(l)], where enc(l) denotes the Boolean encoding of location l.We will also denote a transition t ∈ E as ψ =⇒ A, where ψ is a guard condition over both Boolean state variables (used to encode locations) and clock variables of the system, and A is a set of assignments to clock and Boolean state variables.

Timed µ Calculus and TCTL
We express properties of timed automata in a generalization of the µ calculus called the timed µ (Tµ) calculus.A formula ϕ of the Tµ calculus is generated by the following grammar: z is a specification clock variable (i.e., z ∈ X ) and X is a formula variable used in fixpoint computation.The formula ϕ 1 ϕ 2 means that the formula ϕ 1 is true at the present state, and remains true (as time elapses) until some transition is taken, at which time formula ϕ 2 becomes true; thus " " is essentially a next-state operator.The formula z.ϕ is true in a state where ϕ is true after setting specification clock variable z to zero.The expression µX.ϕ stands for the least fixpoint of ϕ, where X is a formula variable bound inside ϕ; ν denotes the greatest fixpoint operator.
Henzinger et al. [11] show that the Tµ calculus can express the dense-real-time version of Computation Tree Logic (CTL), Timed CTL (TCTL) [3].TCTL generalizes CTL by allowing atomic propositions to be any SL formula, and in addition contains formulas of the form z.ϕ where z is a specification clock variable and ϕ is a TCTL formula in which z appears free; the latter class enables one to write time-bounded properties.We omit the details for brevity.
Several model checkers are specialized to check reachability properties.Using the notation of the Tµ calculus, a reachability property is a formula of the form where φ init is the initial set of states, and φ err characterizes the bad states; the formula evaluates to true if no error state is reachable from any initial state.

Fully Symbolic Model Checking
We use a model checking algorithm given by Henzinger et al. [11].This algorithm checks that a timed automaton T satisfies a specification given as a Tµ formula ϕ.The algorithm always terminates, and generates a SL formula |ϕ|, such that, if T is non-zeno (i.e., time can diverge from any state), then |ϕ| is equivalent to I T .
The algorithm is fully symbolic since it avoids the need to enumerate locations by representing sets of values of both Boolean state variables and clock variables as SL formulas.It performs backward exploration of the state space and uses the following three special operators over SL formulas: 1. Time Elapse: φ 1 φ 2 denotes the set of all states that can reach the state set φ 2 by allowing time to elapse, while staying in state set φ 1 at all times in between.Formally, where φ + δ denotes the formula obtained by adding δ to all clock variables occurring in φ, computed as φ[x i + δ/x i , 1 ≤ i ≤ n], where x 1 , x 2 , . . ., x n are the clock variables in φ i (i.e., not including the zero variable x 0 ).

Assignment: φ[A]
, where A is a set of assignments, denotes the formula obtained by simultaneously substituting in φ the right hand side of each assignment in A for the left hand side.Formally, if A is the list b 1 := φ 1 , . . ., b k := φ k , x 1 := x j 1 + c 1 , . . ., x n := x jn + c n , where each b i is a Boolean variable, each x j is a clock variable, and for each x j l , j l = 0 or c l = 0, then Assignments are thus performed via substitutions of variables.
3. Weakest Pre-condition: pre T φ denotes the weakest precondition of φ with respect to the timed automaton T .Formally, where for a transition Note that pre T is defined using assignments and Boolean operations.
The model checking algorithm is defined inductively on the structure of Tµ formulas: • |µX.ϕ| is the result of the following iteration: As can be seen from the algorithm description above, apart from Boolean operators, the main components of the algorithm are: quantifier elimination in the time elapse operation, substitution of state variables in an assignment, and the decision procedure used to check containment in fixpoint computation.For a fully symbolic model checker that represents state sets as SL formulas, these model checking operators can be defined as operations in QSL.We elaborate below.
Time Elapse.Consider the formula on the right hand side of Equation 1, the definition of the time elapse operator.This formula is not in QSL, since it includes expressions that are the sum of two real variables (e.g., x + δ).However, it can be transformed to a QSL formula, by using instead of δ and , variables δ and that represent their negations: Formula 2 is expressible in QSL, since the substitution φ[ Finally, we can rewrite Formula 3 purely in terms of existential quantifiers: A procedure for performing the time elapse operation therefore requires one for eliminating (existential) quantifiers over real variables from a SL formula.
Checking Containment.Containment of one set of states, φ new , in another, φ old , is checked by deciding the validity of the SL formula φ = φ new =⇒ φ old (or equivalently, the satisfiability of ¬φ).There are several procedures that can decide separation formulas (e.g., [17,4,15]).

Model Checking Operations using Boolean Encoding
We now show how to implement the fundamental model checking operations using a Boolean encoding of separation predicates.We first describe how our encoding allows us to replace quantification of real variables by quantification of Boolean variables.This builds on previous work on deciding a SL formula by transformation to a Boolean formula [17].We then show how we represent SL formulas as Boolean formulas, allowing the model checking operations to be implemented as operations in Quantified Boolean Logic (QBL), and enabling the use of QBL packages, e.g., a BDD package.

From Real Quantification to Boolean Quantification
Consider the QSL formula ω a .= ∃x a .φ,where a ∈ [1.
.n].We transform ω a to an equivalent QSL formula ω bool with quantifiers over only Boolean variables in the following three steps: 1. Encode separation predicates: Consider each separation predicate in φ of the form x i x j +c where either i = a or j = a.For each such predicate, we generate a corresponding Boolean variable e ,c i,j .Separation predicates that are negations of each other are represented by Boolean literals (true or complemented variables) that are negations of each other; however, for ease of presentation, we will extend the naming convention for Boolean variables to Boolean literals, writing e >,−c j,i for the negation of e ≥,c i,j .Let the added Boolean variables be e We replace each predicate x a x j + c (or x i x a + c) in φ by the corresponding Boolean variable e ,c a,j (or e ,c i,a ).Let the resulting SL formula be φ a bool .

Add transitivity constraints:
Notice that there can be assignments to the e ,c i,a and e ,c a,j variables that have no corresponding assignment to the real valued variables.To disallow such assignments, we place constraints on these added Boolean variables.Each constraint is generated from two Boolean literals that encode predicates containing x a .We will refer to these constraints as transitivity constraints for x a .
A transitivity constraint for x a has one of the following types: where if 1 = 2 , then = 1 , otherwise, we must duplicate this constraint for both = 1 and for = 2 .
, where c 1 > c 2 and either i = a or j = a.
(c) e >,c i,j =⇒ e ≥,c i,j , where either i = a or j = a.
Note that a constraint of type (a) involves a separation predicate (x i x j + c 1 + c 2 ).This predicate might not be present in the original formula φ. 4After generating all transitivity constraints for x a , we conjoin them to get the SL formula φ a cons .
3. Finally, generate the QSL formula ω bool given below: We formalize the correctness of this transformation in the following theorem.
Theorem 1 ω a and ω bool are equivalent.
Proof: To show that ω a and ω bool are equivalent, we show that ω a =⇒ ω bool and ω bool =⇒ ω a .Denote the formula ω a =⇒ ω bool by ω 1 and ω bool =⇒ ω a by ω 2 .Note first that the free variables in both implications are the real-valued variables x 1 , x 2 , . . ., x a−1 , x a+1 , . . ., x n and the Boolean variables b 1 , b 2 , . . ., b k .For all i and j, the values assigned to x i and b j by an assignment A are denoted by A[x i ] and A[b j ] respectively.
1. We first show that ω 1 is valid.
Let A denote an arbitrary assignment to all free variables and to the bound real variable x a in ω a such that A[ω a ] = true.We extend A with an assignment to the Boolean variables e

Define an evaluation of the newly added Boolean variables according to the following rules:
A[e c, a,j ] = A[x a x j + c] ∀j = a, for all constants c and relations (5) A[e c, i,a ] = A[x i x a + c] ∀i = a, for all constants c and relations (6) Since A[ω a ] = true, A[φ] = true.Further, using Equations 5 and 6, we can conclude that A[φ a bool ] = A[φ] because φ a bool is obtained from φ by replacing predicates (x a x j + c) and (x i x a + c ) (for all i, j and for all constants c, c ) with Boolean variables e c, a,j and e c , i,a .Therefore, A[φ a bool ] = true.To show that A[ω bool ] = true, we need to additionally show that A[φ a cons ] = true.We consider an arbitrary transitivity constraint of each type: a,j ] = true.Then, by Equations 5 and 6, we conclude that , where c 1 > c 2 and either i = a or j = a.
Suppose A[e 1 ,c 1 i,j ] = true.Then, by Equations 5 and 6, A[ i,j =⇒ e ≥,c i,j , where either i = a or j = a.

Exactly as for type (b) constraints
i,j ] = true.Thus, A satisfies all transitivity constraints, and hence A[φ a cons ] = true, completing the proof for the first part.
2. We now show that ω 2 is valid.
Let A denote an arbitrary assignment to all free variables and to the bound Boolean variables in ω bool such that A[ω bool ] = true.We extend A with an evaluation of x a such that A[ω a ] = true and hence A[ω 2 ] = true.
Since A[ω bool ] = true, we know that A[φ a cons ] = true (i.e., the transitivity constraints are satisfied by A) and A[φ a bool ] = true.Suppose we can find a value A[x a ] that satisfies the following equations: because φ a bool is obtained from φ by replacing predicates (x a x j + c) and (x i x a + c ) (for all i, j and for all constants c, c ) with Boolean variables e c, a,j and e c , i,a .Since A[φ a bool ] = true, A[φ] = true, and hence A[ω a ] = true.A value A[x a ] that satisfies Equations 7 and 8 exists if: In the above equations, w.l.o.g., we use literals encoding lower bounds on x a (e.g., e c,≥ a,j ) in place of those encoding upper bounds (e.g., e −c,> j,a ).Let U a = min Then, the inequalities 9 to 12 can be satisfied if: In other words, if the minimum upper bound on A[x a ] is greater (or greater than or equal to) the maximum lower bound on A[x a ].
To show that the above is true, it is enough to show that for any pair of upper and lower bounds on A[x a ], the relation holds, and so it holds in particular for the minimum upper bound and the maximum lower bound.For example, for the two inequalities Therefore, consider two arbitrary indices j and k different from a.We need to consider four cases based on evaluations of the Boolean literals e c 1 , a,j and e c 2 , a,k .Note that cases in which both literals evaluate to true or both to false only give rise to two lower bounds or to two upper bounds.By the transitivity constraints of types (b) and (c), if the minimum upper bound (or maximum lower bound) is satisfied, then every other upper bound (or lower bound) will be satisfied.
The four cases are enumerated below: We need to show that The last inequality is true, since A satisfies the transitivity constraint e −c 1 ,≥ j,a (b) e c 1 ,≥ a,j = false, e c 2 ,> a,k = true.This case is identical to the one above, with ≥ and > interchanged.
(c) e c 1 ,> a,j = false, e c 2 ,> a,k = true.This implies that We need to show that The last inequality is true, since A satisfies the transitivity constraint e −c 1 ,≥ j,a a,j = false, e c 2 ,≥ a,k = true.This case is identical to the one above, with ≥ and > interchanged.
Thus, we can conclude that Equation 14 is satisfied, and that completes the proof of this part.
Note also that the transformation procedure we present here differs from the one presented by Strichman et al. [17] in that the latter is concerned with preserving satisfiability only, whereas the former must produce an equivalent formula that preserves all satisfying assignments to the free variables.
Using Theorem 1, we can transform ω 1..n to an equivalent QSL formula ω bool with existential quantifiers only over Boolean variables encoding all separation predicates.As ω bool is a QBL formula with only existential quantifiers, we can simply discard the quantifiers and use a Boolean satisfiability checker to decide the resulting Boolean formula.
Note that the procedure described above can be viewed as one way to implement the procedure of Strichman et al. [17].

Representing SL Formulas as Boolean Formulas
In our presentation up to this point, we have not used any specific representation of SL formulas.In practice, we encode a SL formula φ as a Boolean formula β.The encoding is performed as follows.Consider each separation predicate x i x j + c in φ.As in Section 4.1 earlier, we introduce a Boolean variable e ,c i,j for x i x j + c, only this time we do it for every single separation predicate.Also as before, separation predicates that are negations of each other are represented by Boolean literals that are negations of each other.We then replace each separation predicate in φ by its corresponding Boolean literal.The resulting Boolean formula is β.
Clearly, β, by itself, stores insufficient information for generating transitivity constraints.Therefore, we also store the 1-1 mapping of separation predicates to the Boolean literals that encode them.However, this mapping is used only lazily, i.e., when generating transitivity constraints during quantification and in deciding SL formulas.

Substitution.
Given the representation described above, we can implement substitution of a clock variable as follows.For a clock variable x i , we perform the substitution [x i ← x k + d] (where k = 0 or d = 0), by replacing all Boolean variables of the form e ,c i,j and e ,c j,i , for all j, by variables e ,c−d k,j and e ,c +d j,k respectively, creating fresh replacement variables if necessary.Substitution of a Boolean state variable by the Boolean encoding of a separation formula is done by Boolean function composition.

Optimizations
The methods presented in Section 4 can be optimized in a few ways.First, we can be more selective in deciding when to add transitivity constraints.Second, we can compute the time elapse operator more efficiently by a method that does not explicitly introduce the bound real variable , and hence does not introduce new quantifiers over Boolean variables.The third optimization concerns eliminating paths in a BDD representation that violate transitivity constraints.As is well-known, the size of a BDD is very sensitive to the number and ordering of BDD variables.
In the case of model checking timed automata, new Boolean variables are created as the model checking proceeds, while generating transitivity constraints, and while performing substitutions of clock variables.This has the potential to add several BDD variables on each iteration.Finally, we can use an over-approximation technique to to reduce the number of BDD variables added on each model checking iteration.While all four techniques presented in this section help in reducing the number of BDD variables, only the last two are specialized for BDDs.

Determining if Bounds are Conjoined
Suppose φ is a SL formula with Boolean encoding β, and we wish to eliminate the quantifier in ∃x a .φ.As described in Section 4.1, a transitivity constraint for x a involves two Boolean literals that encode separation predicates involving x a .For a syntactic representation of β, as the number of constraints grows, so does the size of [β a cons ∧ β a bool ], the Boolean encoding of [φ a cons ∧ φ a bool ].Further, new separation predicates can be added when a transitivity constraint is generated from an upper bound and a lower bound on x a .For a BDD-based implementation, this corresponds to the addition of a new BDD variable.We would therefore like to avoid adding transitivity constraints wherever possible.
In fact, we only need to add a constraint involving an upper bound literal and a lower bound literal if they are conjoined in a minimized DNF representation of β. 5 From a geometric viewpoint, this means that we check that the predicates corresponding to the two literals are bounds for the same convex clock region.This check can be posed as a Boolean satisfiability problem, which is easily solved using a BDD representation of β.Let the literals be e 1 and e 2 .Then, we use cofactoring and Boolean operations to compute the following Boolean formula: Consider the subformula e i ∧ [β| e i =true ∧ ¬(β| e i =false )] for i = 1, 2. This formula represents the set of input combinations e in which e i must be set to true in order for β(e) to evaluate to true.Thus, the conjunction of the subformulas for i = 1 and i = 2 is satisfiable only if there exists a non-empty set of input combinations e in which both e 1 and e 2 must be set to true for β(e) to evaluate to true.Viewed alternately, Formula 15 expresses the Boolean function corresponding to the disjunction of all terms in the minimized DNF representation of β that contain both e 1 and e 2 in true form.Therefore, if Formula 15 is satisfiable, it means that e 1 and e 2 are conjoined, and we must add a transitivity constraint involving them both.Note however, that since β does not, by itself, represent the original SL formula φ, finding that e 1 and e 2 are conjoined in β does not imply that they are bounds in the same convex region of φ.However, the converse is true, so our method is sound.

Quantifier Elimination by Eliminating Upper Bounds on x 0
The definition of the time elapse operation introduces two quantified non-clock real variables: δ and .We can exploit the special structure of the QSL formula for the time elapse operation so as to avoid introducing altogether.Thus, we can avoid adding new quantified Boolean variables encoding predicates involving .
Consider the inner existentially quantified SL formula in Formula 4 in Section 3, reproduced here: Grouping the inequality δ ≤ with the formula ¬φ 1 [ /x 0 ], we get: Finally, treating δ as a clock variable, we can revert back to from , transforming Formula 16 to the following form: Formula 17 is a special case of the formula ω given by for some SL formula φ.From a geometric viewpoint, φ is a region in R n and ω is the shadow of φ for a light source at ∞ n .Examples of φ and the corresponding ω are shown in Figures 1(a) and 1(c) respectively.We can transform ω to an equivalent SL formula φ ub by eliminating upper bounds on x 0 , i.e., Boolean variables of the form e ,c i,0 .The transformation is performed iteratively in the following steps: 1. Let φ 0 = φ.Let e 1 ,c 1 i 1 ,0 , e 2 ,c 2 i 2 ,0 , . . ., e m ,cm im,0 be Boolean literals encoding all upper bounds on x 0 that occur in φ.
Note that an upper bound literal e j ,c j i j ,0 occurs in φ, if it appears in some term in the minimized DNF representation of φ.This can be checked by evaluating the Boolean function [β| e j ,c j i j ,0 =true ∧ ¬(β| e j ,c j i j ,0 =false )], where β is the Boolean encoding of φ, and checking that it is not false.
2. For j = 1, 2, . . ., m, we construct φ j as follows: (a) Replace all occurrences of x i j j x 0 + c j in φ j−1 with e j ,c j i j ,0 to get φ 0,j−1 bool .(b) Construct φ 0,j−1 cons , the conjunction of all transitivity constraints6 for x 0 involving e j ,c j i j ,0 and clock variables in φ 0,j−1 bool .(c) Construct the formula φ j , a disjunction of two terms: bool | e j ,c j i j ,0 =false ]} The first disjunct is the region obtained by dropping the bound x i j j x 0 + c j from convex sub-regions of φ j−1 where it is a lower bound on x i j , while letting time elapse backward.The second disjunct corresponds to sub-regions where ¬(x i j j x 0 + c j ) is an upper bound; these regions are left unchanged.
The output of the above transformation, φ ub , is given by φ ub = φ m .The correctness of this procedure is formalized in the following theorem.
Proof: We make use of the following lemmas.
1. First, we show that ω j−1 =⇒ ω j .Let A be an assignment to the free and bound variables in We consider two cases.
(a) Case 1: A[(x i j j x 0 + c j ) + j−1 ] = true.Note that by construction, From the two equalities above, and since In addition, the transitivity constraints are satisfied, i.e., A[φ 0,j−1 cons | e j ,c j i j ,0 =true + j ] = true because φ 0,j−1 cons | e j ,c j i j ,0 =true + j only involves real-valued variables.Therefore, Thus, we conclude that This concludes the first case.
Let A be an assignment to the free and bound variables in ω j such that A[ω j ] = true.This means that A[φ j + j ] = true.We wish to extend A by an assignment to j−1 so that A[φ j−1 + j−1 ] = true and A[ j−1 ≥ x 0 ] = true.
We consider two cases.
(a) Case 1: A[(φ 0,j−1 bool ∧ φ 0,j−1 cons )| e j ,c j i j ,0 =true + j ] = true.Therefore, and A[φ 0,j−1 cons | e j ,c j i j ,0 =true + j ] = true If A[(x i j j x 0 + c j ) + j ] = true, then using the equality we can set A[ j−1 ] = A[ j ], which yields A[(x i j j x 0 + c j ) + j−1 ] = true, and so using Equations 18 and 19, we get However, if A[(x i j j x 0 + c j ) + j ] = false, then we must find an alternate assignment to j−1 , such that A[(x i j j x 0 + c j ) + j−1 ] = true.Then, we can conclude, as above, that Equation 20 holds.
Consider, w.r.t. the assignment A, all lower bounds on x 0 that occur in φ j−1 + j (and hence in φ 0,j−1 bool + j ); more precisely, a lower bound on x 0 is a predicate ( If no such lower bound on x 0 exists, then we can set j−1 to any value that results in A[(x i j j x 0 + c j ) + j−1 ] = true, because there is no lower bound to be violated by increasing the value of a clock variable.So suppose at least one lower bound on x 0 exists in φ j−1 .Define the value v s as Let l be the k for which the minimum on the right-hand side of Equation 21 is attained.
If there are many such k, say k 1 , k 2 , . . ., k d , set l according to the following rules: i.If there exists k i for which k i =>, set l to any one such k i .ii. Otherwise select l to be any one of k 1 , k 2 , . . ., k d .Thus, Next, we define a positive real number χ as follows: is non-negative and is strictly positive when l =>.This is because there exists a transitivity constraint in φ 0,j−1 cons of the form (e j ,c j i j ,0 ∧ x 0 l x i l + c l ) =⇒ (x i j j x i l + c j + c l ) which occurs in φ 0,j−1 cons | e j ,c j i j ,0 =true as (x 0 l x i l + c l ) =⇒ (x i j j x i l + c j + c l ) If j = l , the following constraint also holds: Since A[(x 0 l x i l + c l ) + j ] = true, the following equalities hold: is non-negative and is strictly positive when l =>.We now show that v s − χ ≥ 0. If χ = 0, clearly v s − χ ≥ 0. So, assume that l =>, and ).Then we can conclude the following: Intuitively, v s −χ is a non-negative real number we can add to all clock variables without violating lower bounds on x 0 in φ j−1 + j .Now, define A[ j−1 ] as follows: Given the above assignment to j−1 , we first show that A[(x i j j x 0 +c j )+ j−1 ] = true.
We have the following sequence of equalities: ) and from Eqn. 24) We next show that the assignment to j−1 in Equation 26 preserves the truth assignment to other bounds on x 0 ; i.e., bounds in φ j−1 + j other than (x i j j x 0 +c j )+ j .Formally, we show that for all bounds x 0 k x i k + c k where k = j: Note that the value of separation predicates of the form

and from Equations 21 and 22)
To sum up, we have shown that A[(x i j j x 0 +c j )+ j−1 ] = true, even though A[(x i j j x 0 + c j ) + j ] = false.Thus, we can conclude that This completes the proof for the first case.
From parts 1 and 2 above, we conclude that ω j−1 and ω j are equivalent.
Lemma 2 Suppose the SL formula φ does not contain any separation predicates that are upper bounds on x 0 ; i.e., any satisfying assignment to φ sets all upper bounds on x 0 to false, and all lower bound predicates to true.Then, ∃ .≥ x 0 ∧ φ + is equivalent to φ.
Let A be an assignment to the variables in φ such that A[φ] = true.We extend A with an evaluation of so that Next, we show that (∃ .≥ x 0 ∧ φ + ) =⇒ φ.Let A be an assignment such that A[∃ .≥ x 0 ∧ φ + ] = true.Thus, A[ ≥ x 0 ] = true and A[φ + ] = true.Since φ does not contain any separation predicates that are upper bounds on x 0 , for any lower bound x 0 k x k + c k on x 0 , A[(x 0 k x k + c k ) + ] = true and for an upper bound x l l x 0 + c l on x 0 , A[(x l l x 0 + c l ) + ] = false.
Then, since A[ ] ≥ 0, Similarly, for an upper bound predicate on x 0 , A[x l l x 0 + c l ] = false.It then follows that A[φ] = true.
Example 2 Let the subformula φ of ω be φ is depicted geometrically as the shaded region in Figure 1(a).It comprises two sub-regions, one for each disjunct.The lower bounds on these regions, x 1 ≥ x 0 + 3 and x 2 ≥ x 0 + 3, are upper bounds on x 0 .We encode these by e ≥, 3  1,0 and e ≥,3 2,0 .
Figure 1(b) shows φ 1 , the result of eliminating e ≥,3 1,0 .Formally, we calculate Then, applying step 2(c) of the transformation, we get Similarly, in the next iteration, we introduce and eliminate e ≥,3 2,0 to get φ 2 , shown in Figure 1(c), which is equivalent to ω .
Note that the QSL formula obtained after eliminating the inner quantifier in Formula 4 is not of the form ω , and so we cannot avoid introducing the δ variable.

Overapproximation by Weakening Transitivity Constraints
In spite of the methods of Sections 5.1 and 5.2, generating transitivity constraints while eliminating the quantifier on δ might create too many new BDD variables, causing the BDD to blow up.In the case of reachability properties, a partial solution is to weaken the transitivity constraints added so as to not create new variables, yielding an overapproximation of the time elapse operation.For reachability properties, overapproximating the time elapse ("pre") operation makes our model checking procedure incomplete, but retains soundness.Consider a transitivity constraint for δ of type (a) as defined in Section 4.1, reproduced below: We replace the above constraint by the following weakened constraint: The difference between the two constraints is depicted geometrically in Figure 2.
Note that the consequent of the weakened constraint (Formula 27) only involves separation predicates involving x i , x j , and x 0 , and these already occurred in formula φ of Formula 4, since they are the predicates in which δ was substituted for x 0 .Thus, we avoid adding new BDD variables.

Eliminating Infeasible Paths in BDDs
Suppose β is the Boolean encoding of SL formula φ.Let φ cons denote the conjunction of transitivity constraints for all real-valued variables in φ, and let β cons denote its Boolean encoding.Finally, denote the BDD representations of β and β cons by Bdd(β) and Bdd(β cons ) respectively.
We would like to eliminate paths in Bdd(β) that violate transitivity constraints, i.e., those corresponding to assignments to variables in β for which β cons = false.We can do this by using the BDD Restrict operator, replacing Bdd(β) by Restrict(Bdd(β), Bdd(β cons )).Informally, Restrict(Bdd(β), Bdd(β cons )) traverses Bdd(β), eliminating a path on which β cons is false as long as it doesn't involve adding new nodes to the resulting BDD.Details about the Restrict operator may be found in the paper by Coudert and Madre [9].
Since eliminating infeasible paths in a large BDD can be quite time consuming, we only apply this optimization to the BDD for the set of reachable states, once on each fixpoint iteration.

Experimental Results
We implemented a model checker that uses BDDs to represent Boolean functions and incorporates all the optimizations described in Section 5.The model checker is written in the OCaml language and uses the CUDD package7 for BDD manipulation.We have performed preliminary experiments comparing the performance of our model checker for both reachability and non-reachability TCTL properties, without using the over-approximation scheme of Section 5.3.For reachability properties, we compare against the other unbounded, fully symbolic model checkers, viz., a DDD-based checker (DDD) [14] and Red version 4.1 [18], which have been shown to outperform Uppaal2k and Kronos for reachability analysis.For non-reachability properties, such as checking that a system is non-zeno, we compare against Kronos and Red, the only other unbounded model checkers that check such properties.
As an illustrative example, we use Fischer's protocol for mutual exclusion.Tools such as DDD and Red that we compare against have been shown to perform well on this example for reachability properties.The automaton for the ith process in this protocol is shown in Figure 3.We ran two experiments with this example.The first experiment compared our model checker against DDD and Red, checking that the system preserves mutual exclusion (a reachability property).In the second experiment, we compared against Kronos and Red for checking that the product automaton is non-zeno (a non-reachability property).All experiments were run on a notebook computer with a 1 GHz Pentium-III processor and 128 MB RAM, running Linux.We ran DDD, Kronos, and Red with their default options.For our implementation, we turned off dynamic variable reordering in CUDD.To come up with a static variable ordering, we classified the BDD variables in our Boolean encoding as follows.The first class, C id , consists of variables encoding the shared integer id.For each i, class C(i) contains the BDD variables encoding locations and clock constraints for process i.Finally, class C(i, j) encodes predicates relating clock variables from processes i and j.We used a static variable ordering that groups together variables in the same class, places class C id at the top, orders C(i) before C(j) if i < j, and places C(i, j) right after C(j) for j > i.New BDD variables added during model checking are inserted into the order at positions that depend upon the class they fall into.The same static variable order was used for the corresponding Boolean variables and separation predicates in DDD.Table 1 shows the results of the comparison against DDD and Red for checking mutual exclusion for increasing numbers of processes.We refer to our model checker as TMV.For DDD and TMV, the table lists both the run-times and the peak number of nodes in the decision diagram for the reachable state set.We find that DDD outperforms TMV due to the blow-up of BDDs.In spite of the optimizations of Section 5, the peak node count in the case of DDD is less than that for TMV for the larger benchmarks.In particular, in addition to eliminating infeasible paths as TMV does, the local reduction operations performed by DDD during node creation can eliminate unnecessary DDD nodes without adding any time overhead.For example, DDD can reduce a function of the form e 1 ∧ e 2 ∧ e 3 under the transitivity constraint [e 1 ∧ e 2 ] =⇒ e 3 to simply the conjunction e 1 ∧ e 2 .The BDD Restrict operator cannot always achieve this as it is sensitive to the BDD variable ordering.Furthermore, TMV contains many other BDDs, such as those for the transitivity constraints, to which we do not apply the Restrict optimization due to its runtime overhead.Finally, in comparison to Red, we see that while TMV is faster on the smaller benchmarks, Red's superior memory performance enables it to complete for 7 processes while TMV runs out of memory.
Table 2 shows the comparison with Kronos and Red for checking non-zenoness.The time for Kronos is the sum of the times for product construction and backward model checking.We notice that while Kronos does better for smaller numbers of processes, the product automaton it constructs grows very quickly, becoming too large to construct at 6 processes.The run times for TMV, on the other hand, grow much more gradually, demonstrating the advantages of a Table 2: Checking non-zenoness for Fischer's protocol.A "*" indicates that Kronos exited with an "out of memory" error.
Although they are preliminary, our results indicate that our model checker based on a general purpose BDD package can outperform methods based on specialized representations of SL formulas.The drawback of our BDD-based implementation is its poor memory performance on some examples.However, there is still scope for improving our implementation, especially in finding more efficient ways of eliminating unnecessary BDD nodes as is possible with DDDs.Furthermore, note that the memory problems we face arise from our use of BDDs, while the techniques we have presented in this paper can make use of any representation of Boolean functions.In particular, we are starting to work on a SAT-based implementation of our method; such an implementation might better handle the growth in the number of Boolean variables.Finally, we are also exploring heuristics for automatically generating good BDD variable orderings, such as those based on compositional methods [7].

i 1 ,c i 1 i 1 j 1 ,c j 1 a,j 1 , e j 2 ,c j 2 a,j 2 ,
,a , e i 2 ,c i 2 i 2 ,a , . . ., e im ,c im im,a for the upper bounds on x a , and e m for the lower bounds on it.

j
,c s.t. e c, a,j =false (A[x j ] + c) and L a = max j,c s.t. e c, a,j =true (A[x j ] + c) U a and L a are respectively the tightest upper and lower bounds on A[x a ].Define the ordering relation as follows = ≥ if the tightest bounds are non-strict, i.e., A[x a ] ≤ U a and A[x a ] ≥ L a > otherwise (13)

Figure 2 :
Figure 2: Weakening Transitivity Constraints.The shaded area denotes the region satisfying the constraint.

Figure 3 :
Figure 3: Fischer's mutual exclusion protocol.The timed automaton for the ith process is shown.

Table 1 :
Checking mutual exclusion for Fischer's protocol.A "*" indicates that the model checker ran out of memory.fully symbolic approach.For this property, the BDDs remain small even for larger numbers of processes.Thus, TMV outperforms Red, especially as the number of processes increases.These results indicate that when the representation (BDDs) remains small, Boolean methods for quantifier elimination and deciding SL can outperform non-Boolean methods by a significant factor.