# SMT Translation

## Robert Smith

## August 19, 2020

## Contents

| 1 | Intr | roduction                       | 2  |
|---|------|---------------------------------|----|
| 2 | Pre  | liminaries                      | 2  |
|   | 2.1  | Bit-Vector Logic                | 2  |
|   | 2.2  | Timed Automata                  | 3  |
|   | 2.3  | Bounded Satisfiability Checking | 3  |
| 3 | TA   | Encoding                        | 4  |
|   | 3.1  | Transitions                     | 5  |
|   | 3.2  | States                          | 5  |
|   | 3.3  | Variables                       | 6  |
|   | 3.4  | Clocks                          | 6  |
| 4 | Con  | astraints                       | 7  |
|   | 4.1  | Initialization & Progression    | 7  |
|   | 4.2  | Transitions                     | 8  |
|   | 4.3  | Sync                            | 10 |

|   | 4.4 Loop Constraints                  | 11 |
|---|---------------------------------------|----|
| 5 | Evaluation                            | 13 |
|   | 5.1 Fischer Mutual Exclusion Protocol | 13 |
|   | 5.2 CSMA/CD                           | 16 |
| 6 | Conclusion                            | 16 |

## 1 Introduction

### 2 Preliminaries

### 2.1 Bit-Vector Logic

A BitVector is an array of binary values, or bits. BitVectors are interpreted using two's complement arithmetic to produce integer values, and their length can be any positive integer ( $\mathbb{Z}^+$ ). We use the notation  $\overleftarrow{x}_{[n]}$  to represent a BitVector x of length n, but this can be simplified to  $\overleftarrow{x}$  if the length is clear. Bits are numbered from right to left, with the rightmost, least significant bit labeled as 0, and the leftmost, most significant bit labeled as n-1. As an example, the constant vector -4 of length 5 would be written as  $\overleftarrow{-4}_{[5]}$ , which would expand to 11100. We can also reference individual bits in the vector using the notation  $\overleftarrow{x}_{[n]}^{[i]}$  to extract the ith bit from the BitVector x. It is also possible to extract a sub-vector with the notation  $\overleftarrow{x}_{[n]}^{[j:i]}$ , where  $n>j\geq i\geq 0$ . This extracts a vector of length j-i+1 whose rightmost bit corresponds to the ith bit of x and whose leftmost bit corresponds to the jth. Similarly, concatenation operates on two BitVectors by combining their bit arrays.  $\overleftarrow{x}_{[n]}$ :  $\overleftarrow{y}_{[m]}$  returns a new BitVector  $\overleftarrow{z}_{[n+m]}$  where  $\overleftarrow{z}_{[m-1:0]} = \overleftarrow{y}$ , and  $\overleftarrow{z}_{[m+n-1:m]} = \overleftarrow{x}$ .

The usual arithmetic operations of addition + and subtraction - are defined over two BitVectors of the same length. BitVectors also support the bit-wise operators not  $\neg$ , disjuction  $\lor$ , conjunction  $\land$ , equivalence  $\iff$ , and implication  $\Rightarrow$ . These binary operators return a new BitVector where each bit i is the result of applying the logical operator to the ith bit of each of the input vectors, following the usual convention where

1 is true and 0 is false.

#### 2.2 Timed Automata

Let AP be a set of atomic propositions, and let Act be a set of synchronization events. In addition we define a null event  $\tau$ .  $Act_{\tau}$  is the set  $Act \cup \{\tau\}$ . Let X be a finite set of clocks, and Int a finite set of integer-valued variables.  $\Gamma(X)$  is the set of clock constraints, where a clock constraint  $\gamma$  is a relation  $x \sim c \mid \neg \gamma \mid \gamma \wedge \gamma$ , where  $x \in X$ ,  $\sim \in \{<,=\}$ , and  $c \in \mathbb{N}$ . Assign(X) is the set of clock assignments, where each assignment has the form x = c, where  $x \in X$ ,  $c \in \mathbb{Z}^+$ . Assign(Int) is a set of variable assignments of the form y := exp, where  $exp := exp + exp \mid exp - exp \mid exp \times exp \mid exp \div exp \mid n \mid c, y \in Int$ and  $c \in \mathbb{Z}$ .  $\Gamma(Int)$  is the set of integer variable constraints, where a variable constraint  $\gamma$  is defined as  $\gamma := n \sim c \mid n \sim n' \mid \neg \gamma \mid \gamma \wedge \gamma$ , where n and n' are integer variables,  $c \in \mathbb{Z}$ , and  $\sim \in \{<,=\}$ . A Timed Automaton with variables is defined as the tuple  $\mathcal{A} = \langle AP, X, Act_{\tau}, Int, Q, q_0, v_{var}^0, Inv, L, T \rangle$ . Q is the finite set of states of the timed automaton, and  $q_0 \in Q$  is the initial state.  $Inv: Q \to \Gamma(X)$  is a function assigning each state to a (possibly empty) set of clock constraints. The labeling function  $L: Q \to \mathcal{P}(AP)$ assigns each state to a subset of the atomic propositions. Each transition  $t \in T$  has the form  $T \subset Q \times Q \times Act_{\tau} \times \Gamma(X) \times \Gamma(Int) \times \mathcal{P}(Assign(X)) \times \mathcal{P}(Assign(Int))$ , consisting of a source and destination state, an action, a set of clock and variable guards, and a set of clocks to be reset when the transition fires. To refer to the components of a transition we will use  $t_{-}$  and  $t_{+}$  to refer to the source and destination states respectively, as well as  $t_{\epsilon}, t_{\gamma_c}, t_{\gamma_v}, t_{a_c}, t_{a_v}$  to refer to the event, clock constraints, variable constraints, clock assignments, and variable assignments respectively.

A network of Timed Automata is a finite list of timed automata  $\mathcal{A} = [\mathcal{A}_1, \mathcal{A}_2, \dots \mathcal{A}_k]$ . Timed Automata in the same network can refer to common clocks, variables, and synchronization channels to coordinate their actions. To simplify the notation we will use the symbols T, X, Int, and  $Act/Act_t$  to refer to the union of the respective sets of each individual timed automaton in the network. When necessary to refer to the properties of one timed automaton in particular, we will append a numerical subscript to the set in question, for example  $X_i$  to refer to the clocks used by a specific timed automaton.

### 2.3 Bounded Satisfiability Checking

(here sketch both ta->CLTLoc encoding and sbyzot translation)

## 3 TA Encoding

Using BitVector logic, we have the ability to group logically connected propositions into a Vector, granting significant speedups on operations performed on every element of the vector.

When encoding the constraints of the system, it is convenient to write that a constraint will hold over every discrete time position in the trace. As an example, consider a transition with an guard  $x_i < 5$ . When formalizing the constraints, it would be simpler to have a formula of the type  $transition \rightarrow constraint$  that we can assert over every time position at once. Therefore we will use BitVectors of length k + 2, where each position in the BitVector represents the formula at a different moment in time. This allows us to use the BitVector implication operator to assert that the transition BitVector implies a given constraint at every time instance.

This encoding, while convenient, is not very efficient. Using one BitVector per each transition yields a space complexity of O(|T|k). Since only one transition is active at a time, it is more compact to store the currently active transition as a binary number over  $\lceil \log_2 |T| \rceil$  bits, where T is the set of transitions. Therefore we will create  $\lceil \log_2 |T| \rceil$  BitVectors of length k+2 to represent the active transition of the TA over time. In order to be able to conveniently refer to individual elements of the set, we will define aliases which refer to unique combinations of the BitVectors. This will give us the convenience of the individually-named BitVectors while retaining the efficiency of the compact approach. This method will be formalized below for the encoding of the states, transitions, and variables of the Timed Automata.

For a model with a time bound of k, and a timed automaton with n distinct transitions, we represent the active transition of the automaton at different time instances as follows:

$$\begin{array}{c|c}
 & & & & & \\
\hline
0 & & & & & \\
\hline
1 & & & & \\
\hline
 & & & & \\
\hline
1 & & & & \\
\hline
 & & & & \\
\hline$$

#### 3.1 Transitions

In the traditional description of Timed Automata, a TA that does not perform a discrete transition at a given time instance is said to perform a null transition, i.e. staying in the same state without firing any transition in the set T. In our encoding it is convenient to explicitly add a null transition for each state  $q \in Q$  to the set of transitions.  $\forall_{q \in Q} trans_{null_q} := \langle q, q, \tau, \varnothing, \varnothing, \varnothing, \varnothing, \rangle$ , and  $\mathcal{T} = T \cup \{ \cup_{q \in Q} trans_{null_q} \}$   $trans_{null} := |_{q \in Q} trans_{null_q}$ 

We define  $O: \mathcal{T} \to \mathbb{N}$  be a bijective function mapping each transition to a natural number less than  $|\mathcal{T}|$ . We define BitVectors  $\{\overleftarrow{tb_1}, \overleftarrow{tb_2}, \dots, \overleftarrow{tb_{\lceil \log_2 |\mathcal{T}| \rceil}}\}$  of size k+2. The BitVector for each individual transition is defined as  $\overleftarrow{trans_t}_{[k+2]} := \&_{i=1}^{\lceil \log_2 |\mathcal{T}| \rceil} N_t(tb_i)$ , where  $N_t(tb_i)$  returns  $tb_i$  if the ith bit in the base two representation of O(t) is 1, and returns  $\neg tb_i$  otherwise.

For clarity, let us consider an example TA with  $\lceil \log_2 |\mathcal{T}| \rceil = 5$  and a transition  $t \in \mathcal{T}$  with O(t) = 5. The base two representation of 5 is 00101, and therefore  $trans_{t[k+2]}$  is equivalent to  $(\neg tb_5 \& \neg tb_4 \& tb_3 \& \neg tb_2 \& tb_1)$ .

#### 3.2 States

For each TA  $A_l \in A$ , we define a BitVector to represent each state of the timed automaton. To do this we define each state as the disjunction of all the transitions whose source is that state.

$$state_s := |\{trans_t : source(t) = s\}| \forall_{s \in S}$$

For each TA  $A_l \in A$ , let  $O: Q \to \mathbb{N}$  be a bijective function mapping each state to a natural number less than |Q|. We define BitVectors  $\{sb_1, sb_2, \ldots, sb_{\lceil \log_2 |Q| \rceil}\}$ , each of length k+2. The BitVector for the individual state is then defined as  $state_{q[k+2]} := \&_{i=1}^{\lceil \log_2 |Q| \rceil} N_q(sb_i)$ , where  $N_q(sb_i)$  returns  $sb_i$  if the ith bit in the base two representation of O(q) is 1, and returns  $\neg sb_i$  otherwise.

#### 3.3 Variables

Bounded integer variables are treated slightly differently, because unlike states and transitions, the possible values of a bounded integer variable are not unrelated objects in a set, but integers that must respect the operations of addition and subtraction. For each variable  $v_i \in Int$  we still construct a bit representation  $v_{i,j[k+2]}$ , where each BitVector has length k+2. However the difference is that the values are encoded in 2s complement notation, and the number of BitVectors is chosen so that the vectors are capable of representing the entire range of values for the given bounded integer variable. We will define  $\lambda(v_i)$  as the number of bits needed.

However sometimes it is more convenient to refer to the complete value of a variable at a particular time instance, rather than a particular bit of the variable over every time instance. We make use of SMT-LIB2's 'extract' and 'concat' operators to define a second set of BitVectors that are defined over the first set.  $\overleftarrow{var_{v,j}}_{[\lambda(v_i)]}$ ,  $0 \le j \le k+1$  is a vector of  $\lambda(v_i)$  bits that represents the value of variable  $v_i$  at time instance j.

#### 3.4 Clocks

Each clock  $c \in \mathcal{C}$  is represented by a function c that takes an integer argument and returns a real number, where the argument represents the time position and the return value is the value of the clock at that instance.

## 4 Constraints

#### 4.1 Initialization & Progression

Initialization and Progression Constraints

$$\phi_{1} := \bigwedge_{i \in [1, |\mathcal{A}|]} \overbrace{1}_{[1]} = \overleftarrow{state}_{init(i)}^{[0]} \middle| \phi_{2} := \bigwedge_{v \in Int} \overleftarrow{init(v)} = \overleftarrow{v[0]} \middle| \phi_{3} := \bigwedge_{c \in C} init(c) = c(0)$$

$$\phi_{4} := \bigwedge_{i \in [0, k+1]} \delta(i) > 0 \qquad \qquad \phi_{5} := \overleftarrow{0}_{[k+2]} = \underbrace{\& trans_{null_{i}}}_{i \in [1, |\mathcal{A}|]}$$

$$\phi_{6} := \bigwedge_{t \in \mathcal{T}} \overleftarrow{trans_{t}}^{[k:0]} \Rightarrow \overleftarrow{state}_{t_{-}}^{[k:0]} \underbrace{\& \overleftarrow{state}_{t_{+}}^{[k+1:1]}}_{t \in \mathcal{T}}$$

$$\phi_{7} := \bigwedge_{c \in C} \bigwedge_{j \in [0, k]} \underbrace{\& \underbrace{(\neg \overleftarrow{trans}_{t}}^{[k:0]})}_{t \in \mathcal{R}(c)} \Rightarrow \underbrace{\& \underbrace{(tb_{j}^{[k:0]} = tb_{j}^{[k+1:1]})}_{j \in [1, \lambda(v)]}$$

The initialization constraints are similar for states, clocks, and bounded variables. For states, we assert that the initial state holds in the first time instance by comparing the vector for the initial state  $state_{init(i)}$  to the constant vector  $\overleftarrow{1}_{[1]}$  in formula  $\phi_1$ . This requires the first bit of the state vector to be set to 1, signifying that the state is active in time instance 0. For variables, we assert that the provided initial starting value, init(v) is equal to the value of the variable at time instance 0. For clocks, we assert that the clock function at time instance 0 is equal to its provided initial value in formula  $\phi_3$ .

Each time instance in the range [0, k+1] represents an instant of time in which at least one timed automaton makes a discrete (non-null) transition. In between these instances, all timed automata remain stationary, and only the clocks progress. To capture this progression, we introduce a new clock,  $\delta$ . Formula  $\phi_4$  captures that  $\delta$  is defined as a function over integers in the range [0, k+1] that returns positive integers. The value of delta(i) at instance i refers to the amount of time between instance i and instance i+1. To ensure that each time instance contains a discrete transition, we assert with formula  $\phi_5$  that at every instance, at least one timed automaton i has  $\overline{trans_{null_i}}$  set to 0, meaning that it is not taking a null transition. This guarantees that at least one timed automaton has an active non-null transition at each time instance. Another aspect of progression is ensuring that the active state of a timed automaton correctly reflects the transitions being taken. To that effect, formula  $\phi_6$  asserts that when a transition is taken at time instance i, the source state of the transition is active at instance i, and the destination state is active at instance i instance i.

We must next discuss the progression of the clocks and integer variables. In formula  $\phi_4$  we discussed the special clock  $\delta$ , and how it represents the passing of time between the discrete time instances. Formula  $\phi_7$  connects  $\delta$  to the other clocks. At each time instance i, a clock is either reset by a transition, or its value increments by  $\delta(i)$ . To do this we define the set  $\mathcal{R}_c$  for every clock c, which is defined as the set of all transitions t that reset the value of clock c. When no transition in  $\mathcal{R}_c$  is active, the clock must progress according to the value of  $\delta$ . Similarly for variables, we define the set assign(v) for every variable v containing all transitions that assign a value to the variable. When none of these transitions are active, formula  $\phi_8$  ensures that the value of v remains unchanged.

#### 4.2 Transitions

#### Transition Constraints

As a quick review, transitions consist of a source and destination state, a synchronization action, as well as (possibly empty) sets of clock constraints, variable constraints, clock assignments, and variable assignments. In the earlier chapter on initialization and progression,  $\phi_6$  was defined to ensure that the source and destination states were implemented correctly - that the destination of one transition is the source of the next.

We will first consider the transition guards. Each transition can have multiple guards, which consist of two types, clock guards and variable guards. Clock guards have the form  $c \sim val$ , where  $c \in X$ ,  $val \in \mathbb{Z}$  and  $\sim \in \{<,>,\leq,\geq\}$ . Formula  $\phi_9$  asserts that for every

clock guard, its transition being active at time instance l implies that at the instance of transition, the relationship  $\sim$  holds between the clock value and the value. Recall that if a transition is active at time instance l, the transition occurs in the instant between time instance l and time instance l+1. Therefore, at the instance of the transition, the clock does not have the value c(l), but rather  $c(l)+\delta(l)$ , delta being the special clock that defines the amount of time spent in each time instance. Note that we cannot simply use c(l+1) as the value of the clock, because it is possible that during the transition between time instance l and l+1, the value of the clock may be reset, which would set c(l+1)=0. Our guard only sees the pre-transition value of the clock, and thus we must manually add  $\delta(l)$  to the value.  $\phi_{10}$  captures the same semantics for variable guards, asserting that an active transition with a guard implies that the guard is true at that time instance. Because variables, unlike clocks, do not progress with time, it is sufficient to simply use the value var(l) to determine if the guard is satisfied.

Clock assignments are more straightforward then the clock guards. It is enough to require that if a transition is taken at time instance l, then in the following time instance the clock is reset to the desired value. Variable assignments however, are more complex. Unlike clock assignments, which reset clocks to a constant number in  $\mathbb{Z}^+$ , variable assignments can access both constant values and the values of other variables, and they may combine them using the operators  $\{+,-\}$ . To implement this in our bylogic, we first require that if a variable v' appears in the assignment expression of variable v, then the possible values of v' must be a subset of the possible values of v. Recall that  $\overline{var_v}(l)$  is a bit vector of  $\lambda(v)$  bits that contains the value of v at time instance l in two'scomplement form. By constraining  $v' \subseteq v$ , we prevent v' from having a BitVector of greater length than that of v. We can then cast all constants and variables to BitVectors of length  $\lambda(v)$ , sign-extending shorter variables if necessary. This allows us to use the standard BitVector addition and subtraction operators to compute the final value, which is assigned to v at time instance l+1.

The last component of a transition to discuss is the state invariant. Although invariants are state-specific, not transition-specific, since states are defined by the active transitions, it is sufficient to ensure that a transition never leads to a state whose invariant would be unsatisfied.  $\phi_{13}$  accomplishes this using the notions of strong and weak satisfaction. Explained in the original TACK paper, weak satisfaction is a relation where the invariants are relaxed so that the relations <, > are also satisfied with equality. This was done to model the fact that at the instant of transition, the transition is located in exactly one of the two states, source or destination. This choice can be different for each timed automaton and each time instance. If the timed automaton is not in a state in

the instance of transition, then a strict inequality can be satisfied with equality at the instance of transition, since the automaton is not actually in that state at that instant.

#### 4.3 Sync

$$\phi_{14} := \bigwedge_{t \in T: t_{\epsilon} = \alpha!} \overleftarrow{trans_{t}} \Rightarrow \left( \neg \bigvee_{t' \in T: t'_{\epsilon} = \alpha! \land t' \neq t} \overleftarrow{trans_{t'}} \right) \land \left( \bigvee_{t' \in T: t_{\epsilon} = \alpha?} \overleftarrow{trans_{t'}} \right)$$

$$\phi_{15} := \bigwedge_{t \in T: t_{\epsilon} = \alpha?} \overleftarrow{trans_{t}} \Rightarrow \left( \neg \bigvee_{t' \in T: t_{\epsilon} = \alpha? \land t' \neq t} \overleftarrow{trans_{t'}} \right) \land \left( \bigvee_{t' \in T: t_{\epsilon} = \alpha!} \overleftarrow{trans_{t'}} \right)$$

$$\phi_{16} := \bigwedge_{t \in T: t_{\epsilon} = \alpha\#} \overleftarrow{trans_{t}} \Rightarrow \left( \neg \bigvee_{t' \in T: t_{\epsilon} = \alpha\# \land t' \neq t} \overleftarrow{trans_{t'}} \right)$$

$$\phi_{17} := \bigwedge_{\alpha \in Act} \bigwedge_{i \in [1, |A|]} \left( \bigvee_{t \in T: t_{\epsilon} = \alpha\# \land t' \neq t} \overleftarrow{trans_{t'}} \right)$$

$$\uparrow_{j \in [1, k]: t' \in T_{j}: t$$

Different Timed Automata in our network use the synchronization channels in  $Act_{\tau}$ to communicate and coordinate their transitions between states. Each element in Act consists of a channel, which we will represent with Greek letters  $\alpha, \beta, etc$ , and an action to be performed over the channel. Our implementation supports four actions which are represented using four punctuation symbols. The first two, send(!) and receive(?), capture one-to-one communication. For every channel  $\alpha$  there can be at most one active transition with  $\alpha!$ , and similarly at most one active transition with  $\alpha$ ?. Informally this means that only one timed automaton can send over the channel at a time, and only one can receive at a time. Furthermore each send must be matched by a receive and vice versa. Formula  $\phi_{14}$  captures these semantics for a transition with action  $\alpha!$  for some channel  $\alpha$ . Such a transition implies that no other transition with the action  $\alpha$ ! can be active in the same time instance, and furthermore one of the transitions with the action  $\alpha$ ? must be active. Formula  $\phi_{15}$  captures the same constraints from the point of view of the receiving transition. A transition with action  $\alpha$ ? implies both that no other receiving transition is active, and also that there exists an active sending transition over the same channel.

The second pair of synchronization communication is termed 'broadcast synchronization'. Like the one-to-one communication, there is a broadcast send (#) and a broadcast receive (@). However there are several differences in the semantics of broadcast signals.

To begin, while a broadcast receive signal must be matched with a broadcast send, the reverse is not true, and a broadcast send signal can be matched with any number of broadcast receives, including zero. While multiple broadcast receive signals on the channel can be fired at the same time, there can only be one broadcast send signal at a time per channel. The other important distinction is that the broadcast send signal 'compels' the other Timed Automata to respond with broadcast receive if they are able to. By this we mean that when a Timed Automaton fires a transition with a 'broadcast send' event, all other Timed Automata with an 'available' transition containing a 'broadcast receive' signal (on the same communication channel) must take the transition. By 'available' we mean that the Timed automaton is in the source state of the transition and all of the clock and variable guards are satisfied. Formulas  $\phi_{16}$  and  $\phi_{18}$  describe these constraints for broadcast send and receive, respectively, while formula  $\phi_{17}$  describes the 'compulsive' nature of the 'broadcast send' transition.

#### 4.4 Loop Constraints

Loop Constraints
$$\phi_{19} := \bigwedge \bigwedge \overleftarrow{tb_j}^{[k+1]} = \overleftarrow{tb_j}^{[loop]}$$

$$\phi_{20} := \bigwedge \bigwedge \bigvee \overleftarrow{vb_j}^{[k+1]} = \overleftarrow{vb_j}^{[loop]}$$

$$\phi_{21} := \bigwedge (\lfloor c(k+1) \rfloor = \lfloor c(loop) \rfloor) \vee (\lfloor c(k+1) \rfloor > max(c) \wedge \lfloor c(loop) \rfloor > max(c))$$

$$\phi_{22} := \bigwedge \lfloor c(loop) \rfloor < max(c) \Rightarrow (frac(c(k+1)) = 0) \Leftrightarrow (frac(c(loop)) = 0)$$

$$\phi_{23} := \bigwedge frac(c(k+1)) < frac(c'(k+1)) \Leftrightarrow frac(c(loop)) < frac(c'(loop))$$

$$\phi_{24} := \bigwedge c(k) > c(max) \vee ((\bigcup \overleftarrow{trans_t}) & \overleftarrow{vinloop} \neq \overleftarrow{0})$$

As mentioned previously, we are only interested in lasso-shaped runs that end in a loop. To keep track of the initial position of the loop, we declare the variable loop, and constrain it to have a value in the range [1, k].

Intuitively, the time position k + 1 represents the first time position in the next iteration of the loop. It is effectively a 'copy' of the position loop, however we add it as a distinct position so that we may capture the semantics of the transition between time position k and time position loop. We therefore must introduce constraints to ensure that these two positions are in fact equivalent. This requires that the active state and

transition of each timed automata at instance k + 1 be equal to that at instance loop. Formula  $\phi_{19}$  captures this by requiring that for each Timed Automaton, each transition bit  $tb_i$  contains the same value at time instances k + 1 and loop. Similarly, formula  $\phi_{20}$  enforces the same requirement for each bounded integer variable.

It is tempting to encode the clock constraints in a similar manner, requiring that c(k+1) = c(loop) for each clock. However prior work by Kindermann[ref] has shown that this constraint is not complete, as it excludes valid lasso-shaped runs. To remedy this problem we use the requirements suggested by Kindermann. To begin, for each clock cwe define the non-negative integer max(c), which is equal to the maximum value either assigned to the clock in a clock assignment or compared against the clock in a clock guard. We also define frac(c(l)), which is equal to the fractional part of c at time instance l, or  $frac(c(l)) = c(l) - \lfloor c(l) \rfloor$ . Formulas  $\phi_{21}$ ,  $\phi_{22}$ , and  $\phi_{23}$  encode the desired requirements.  $\phi_{21}$  encodes the first part of the relationship between c(loop) and c(k+1). It states that either both values are greater than max(c), or both have the same floor. This is the first part of the region encoding.  $\phi_{22}$  handles the special case where the fractional part of the value is equal to zero. Since clock guards can test for equality, if the clock value is less than max(c), either the clock value at both time instances has a fractional value of 0 or neither do. Finally,  $\phi_{23}$  completes the region encoding by considering the relationship between values of different clocks, asserting that the relationship between two clock values  $\{<,>,=\}$  is preserved.

Unfortunately, there is one more consideration we must make in this section. The culprit are so-called "Zeno traces", named because while they are lasso-shaped runs with an infinite number of transitions, their execution happens in finite time. Time in these traces is said to "slow down", because often each successive loop of the lasso executes in a smaller amount of time than the loop before. Because these represent unrealistic scenarios, they are often excluded from consideration in many TA models. It is sufficient to require that every clock is either reset within the loop, or has a value greater than max(c) at position k, which is shown in  $\phi_{24}$ . The vector inloop has length k+2, and each bit i is 1 iff  $i \geq loop$ . Using this vector, we can determine if a given clock is reset within the loop portion of the trace.

## 5 Evaluation

In this chapter we present the results of several experimental evaluations of the SMT conversion process. These tests cover several different benchmarks common for bounded model checking programs. For comparison, results are presented alongside those of the previous iteration of the TACK program, to better judge the improvements made using the new process.

In all of the following tests, the time provided measures the combined time taken by i) the TACK program to parse the problem and convert it to SMT form and ii) the z3 program to decide the satisfiability of the SMT problem. In practice, the time taken by z3 dwarfs the time used by the TACK translation, and for the problem sizes encountered below the time taken by the TACK translation was always negligible. For every test below, the evaluation proceeded in several rounds, each with a larger bound on the length of traces considered by TACK. The data obtained demonstrates how the running time of each program scales with the size of the search space.

All tests were performed on a server equipped with an Intel(R) Core(TM) i7-4770 CPU (3.40 GHz) with 8 cores, 16 GB of RAM and Debian Linux (version 4.19).

#### 5.1 Fischer Mutual Exclusion Protocol

The Fischer benchmark models a protocol for ensuring exclusive access to a shared common resource that can be requested by multiple processes. The protocol uses global variables, integrated into the guards and assignment statements of the timed automata, to control access. Each timed automaton in the network has a 'critical state', and the protocol guarantees that only one timed automaton can be in its critical state at a time.

To be more specific, there is a shared variable id, which can take any integer value in the range [0, n], where n is the number of processes in the protocol. Each process begins in an 'idle' state a, and in order to reach the critical section cs, a process must first check to see that the critical section is unoccupied (id = 0), at which point the process writes its own id to the shared variable (while entering state b) and then performs a second transition to state c within 2 seconds of entering state b. The process is then required to wait at least 2 seconds in state c. If after that interval the value of the shared variable is still equal to its id, the process may access the critical section, otherwise it must wait for the value of id to return to 0 before trying again (returning to b). Once access to

the critical section is granted, the process may remain for an unlimited amount of time before returning to state a.

To measure the scalability of our program, in addition to modifying the bound k, we performed multiple test runs while modifying the number of timed automata in the network that are attempting to execute their critical region. Aside from a numerical id, these processes are identical in their behavior. We have tested the Fischer protocol on networks of between 2 and 10 processes and collected their results.

In addition to testing the scalability of the program, we have also run the Fischer protocol through several different MITL properties for verification. These properties will be explained below.

- Property 1:  $\mathcal{G}_{[0,\infty)}$   $(p_1.b \Rightarrow \mathcal{F}_{[0,\infty)}p_1.c)$
- Property 2:  $\mathcal{G}_{[0,\infty)}$   $(p_1.b \Rightarrow \mathcal{F}_{[0,3]}p_1.c)$
- Property 3:  $\mathcal{G}_{[0,\infty)}$   $(p_1.b \Rightarrow \mathcal{F}_{(0,3)}p_1.cs)$
- Property 4:  $\mathcal{G}_{[0,\infty)}$   $(p_1.b \Rightarrow \mathcal{F}_{(0,3)}p_1.c)$
- Property 5:  $\mathcal{G}_{[0,\infty)}$   $(p_1.b \Rightarrow \mathcal{F}_{[0,3]}p_1.cs)$
- Property 6:  $\mathcal{G}_{[0,\infty)} \neg (\bigvee_{i=1:n-1} (p_i.cs \land (\bigvee_{j=i+1:n} p_j.cs)))$

Property 1 requires that once process one enters state b, it always transitions to state c. Property 2 is similar, however it contains the additional constraint that process 1 must complete the transition to state c in at most 3 seconds. Property 3 has a similar time bound, but requires that process one move to the critical section cs rather than c within the time bound, which we expect to not be universally true (a process can return to state b after moving to state c if another process has reset the variable id). Properties 4 and 5 are copies of properties 2 and 3 respectively with the sole difference of inclusion vs exclusion at the boundaries of the interval. Property 6 seeks to prove the "safety" of the protocol, namely that two distinct processes are never in the critical section at the same time.

Table 1: Time required to solve the Fischer Benchmark Properties

| n           |    |     |     |     |     |     |     |     |      |     |  |
|-------------|----|-----|-----|-----|-----|-----|-----|-----|------|-----|--|
|             | k  | 2   | 3   | 4   | 5   | 6   | 7   | 8   | 9    | 10  |  |
|             | 10 | 0.9 | 0.9 | 1.0 | 1.0 | 1.2 | 1.2 | 1.5 | 6.0  | 1.7 |  |
| ne          | 15 | 0.9 | 0.9 | 1.1 | 1.4 | 1.6 | 1.7 | 1.5 | 14.2 | 2.1 |  |
| live-one    | 20 | 1.0 | 1.1 | 1.3 | 2.2 | 1.9 | 2.6 | 2.4 | 3.6  | 3.9 |  |
| li          | 25 | x   | x   | x   | x   | x   | x   | x   | x    | X   |  |
|             | 30 | X   | X   | X   | X   | X   | X   | X   | x    | x   |  |
|             | 10 | x   | X   | X   | x   | x   | x   | x   | x    | X   |  |
| WO.         | 15 | x   | X   | X   | X   | X   | x   | X   | X    | X   |  |
| live-two    | 20 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| ij          | 25 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
|             | 30 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| •           | 10 | x   | X   | X   | X   | X   | X   | X   | x    | x   |  |
| live-three  | 15 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| re-t]       | 20 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| liv         | 25 | x   | X   | X   | X   | X   | x   | x   | x    | X   |  |
|             | 30 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
|             | 10 | x   | X   | X   | X   | X   | x   | X   | x    | x   |  |
| our         | 15 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| live-four   | 20 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| ij          | 25 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
|             | 30 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
|             | 10 | x   | X   | X   | X   | X   | X   | X   | x    | x   |  |
| ìve         | 15 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| ve-five     | 20 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| :::         | 25 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
|             | 30 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
|             | 10 | x   | X   | X   | x   | x   | x   | x   | x    | X   |  |
| $\sin$      | 15 | x   | X   | x   | X   | x   | x   | x   | x    | X   |  |
| live-six    | 20 | x   | X   | X   | X   | X   | x   | X   | X    | X   |  |
| I           | 25 | x   | X   | X   | X   | X   | x   | X   | X    | X   |  |
|             | 30 | X   | X   | X   | X   | X   | X   | X   | X    | X   |  |
| TACK ta2smt |    |     |     |     |     |     |     |     |      |     |  |
| n           |    |     |     |     |     |     |     |     |      |     |  |
|             | k  | 2   | 3   | 4   | 5   | 6   | 7   | 8   | 9    | 10  |  |

TACK ae2sbvzot

- 5.2 CSMA/CD
- 6 Conclusion