## Politecnico di Milano

Scuola di Ingegneria Industriale e dell'Informazione Master Degree in Computer Science and Engineering Dipartimento di Elettronica, Informazione e Bioingegneria



# IMPROVED VERIFICATION OF NETWORKS OF TIMED AUTOMATA

Supervisor: Prof. Pierluigi San Pietro

Tesi di laurea di: Robert Lawrence Smith Matr. 914634

Academic Year: 2019-2020

## Contents

| 1 | Abs  | stract                       | 4          |
|---|------|------------------------------|------------|
| 2 | Intr | $\mathbf{r}$ oduction        | 4          |
| 3 | Pre  | liminaries                   | 4          |
|   | 3.1  | Timed Automata               | 4          |
|   | 3.2  | Bounded Model Checking       | 8          |
|   | 3.3  | Constraint LTL Over Clocks   | 13         |
|   | 3.4  | TACK CLTLoc Translation      | 14         |
|   | 3.5  | Bit-Vector Logic             | 17         |
|   | 3.6  | AE2SBVZOT                    | 18         |
| 4 | TA   | Encoding                     | 20         |
|   | 4.1  | Transitions                  | 21         |
|   | 4.2  | States                       | 23         |
|   | 4.3  | Variables                    | 24         |
|   | 4.4  | Clocks                       | 24         |
|   | 4.5  | Complete Encoding            | 24         |
| 5 | Cor  | astraints                    | <b>2</b> 5 |
|   | 5.1  | Initialization & Progression | 26         |
|   | 5.2  | Transitions                  | 28         |
|   | 5.3  | Svnc                         | 30         |

|              | 5.4              | Loop Constraints                    | 31 |  |
|--------------|------------------|-------------------------------------|----|--|
|              | 5.5              | Equivalence and Improvements        | 33 |  |
| 6            | Eva              | luation                             | 34 |  |
|              | 6.1              | Fischer Mutual Exclusion Protocol   | 35 |  |
|              | 6.2              | CSMA/CD                             | 36 |  |
|              | 6.3              | Token Ring                          | 39 |  |
| 7            | Conclusion 4     |                                     |    |  |
|              |                  |                                     |    |  |
| ${ m L}$     | ist (            | of Figures                          |    |  |
| ${f L}$      | $\mathbf{ist}$ ( | of Figures  A basic Timed Automaton | 5  |  |
| $\mathbf{L}$ |                  |                                     | 5  |  |
| $\mathbf{L}$ | 1                | A basic Timed Automaton             |    |  |
| $\mathbf{L}$ | 1 2              | A basic Timed Automaton             | 6  |  |

## List of Tables

| 1  | Supported Synchronization Events                                                                                                                                                                                                                                                            | 7  |
|----|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| 2  | TACK Encoding of an Automaton in CLTLoc                                                                                                                                                                                                                                                     | 15 |
| 3  | Encoding of Different Synchronization Types                                                                                                                                                                                                                                                 | 16 |
| 4  | Liveness Semantics                                                                                                                                                                                                                                                                          | 17 |
| 5  | Possible Edge Constraints                                                                                                                                                                                                                                                                   | 17 |
| 6  | An example ae2sbvzot trace showing loop variables                                                                                                                                                                                                                                           | 18 |
| 7  | ae<br>2<br>sbvzot definition of a proposition $\varphi$                                                                                                                                                                                                                                     | 19 |
| 8  | Construction of the Transition BitVectors for $A_i \in A$                                                                                                                                                                                                                                   | 22 |
| 9  | Construction of the Transition Aliases                                                                                                                                                                                                                                                      | 22 |
| 10 | Terms and Aliases used in BV encoding of TA                                                                                                                                                                                                                                                 | 25 |
| 11 | Initialization and Progression Constraints for a network of timed automata                                                                                                                                                                                                                  | 26 |
| 12 | Transition Constraints for a network of timed automata                                                                                                                                                                                                                                      | 28 |
| 13 | Synchronization Constraints for a network of timed automata                                                                                                                                                                                                                                 | 30 |
| 14 | Loop Constraints for a network of timed automata                                                                                                                                                                                                                                            | 32 |
| 15 | Time required to solve the Fischer Benchmark Properties                                                                                                                                                                                                                                     | 37 |
| 16 | Time (s) required to check the property of the CSMA/CD Protocol. The symbol $\checkmark$ indicates that the property is satisfied, i.e., the CLTLoc formula is unsatisfiable. The symbol $\checkmark$ indicates that the property is not satisfied, i.e., the CLTLoc formula is satisfiable | 38 |
| 17 | Time (s) required to check the property of the Token Ring. The symbol  ✓ indicates that the property is satisfied, i.e., the CLTLoc formula is unsatisfiable. The symbol ✗ indicates that the property is not satisfied,                                                                    |    |
|    | i.e., the CLTLoc formula is satisfiable.                                                                                                                                                                                                                                                    | 39 |

## 1 Abstract

Timed Automata (TA) is a de facto modelling standard for systems with time-sensitive properties. A common task is to verify if a given network of TA satisfy a given property. We build upon the TA solver TACK, which supports properties expressed in the rich Metric Interval Temporal Logic (MITL), and encodes both the TA network and property to be verified into a variant of Linear Temporal Logic (LTL), Constraint LTL over clocks (CLTLoc). The produced CLTLoc formula can then be solved by tools such as Zot, which transform CLTLoc properties into SMT-LIB2, a standardized SMT solver language.

We present a novel method that preserves TACK's encoding of MITL properties, while presenting a novel encoding of the Timed Automata network directly into a logic suitable for solving by SMT solvers. The encoding of Timed Automata presented is based on a hybrid BitVector logic and logic over real-valued variables. This is supported by the industry-standard SMT-LIB2, which is implemented in many state-of-the-art SMT solvers, including Microsoft's Z3.

## 2 Introduction

## 3 Preliminaries

#### 3.1 Timed Automata

Timed Automata are a useful model for many interactions that require precise timing mechanisms. Each Timed Automaton has a set of states, one of which is active at any given moment, much like a Finite State Machine. Also like a FSM, a Timed Automaton has a set of transitions that allow it to move between different states. However these transitions come with powerful timing properties that allow for finer control over the progression of the automata. Included with our automata is a network of clocks and integer variables. Clocks progress as time passes, and can be used alongside variables as prerequisites for taking transitions and remaining in states. Transitions can also reset these clocks (and assign new values to variables), allowing for communication and shared state between different Timed Automata. For explicit synchronization, we define a set of

synchronization primitives that can be used to coordinate transitions between different automata. Finally, states can be labeled with atomic propositions, to aid in defining model properties that we will then verify over the network. To help concretize this concept, we will introduce a simple Timed Automaton, which will be used throughout this paper to help visualize important concepts.



Figure 1: A basic Timed Automaton

As we can see in figure 1, Timed Automata have many similarities with Finite State Machines and other automata. For a given automaton  $\mathcal{A}_i$ , the example TA consists of a finite set of states  $Q_i = \{q_1, q_2, q_3\}$ , and a finite set of transitions  $T_i = \{t_1, t_2, t_3, t_4\}$ . Like a finite state machine, at a given moment in time there is one state that is "active". The TA can take transitions that may change its state, with the condition that the source of the transition must be the currently active state. We denote the source state of a transition t as  $t_-$ , and the destination state as  $t_+$ . As an example, if the current active state is  $q_1$ , then either  $t_1$  or  $t_2$  can be taken. Although not shown in this example, the source and destination state of a transition may be the same state, and there may be multiple transitions with identical source states and identical destination states.

In addition to states and transitions, TA are enriched with clocks and bounded integer variables. Clocks are variables over  $\mathbb{R}_{\geq 0}$  that increment with the passage of time. Their ability to continuously change value is fundamental to the ability of timed automata to model time-sentisive and real-time systems. Meanwhile the bounded integer variables do not change value on their own, and have to be explicitly modified by the TA.

We can now show how these values are used and manipulated by a timed automa-



Figure 2: A Timed Automaton with clock x and variable n.

ton. Figure 2 shows the same example TA modified with transition guards, transition assignments, and state invariants. Transition guards are conditions over either clocks or variables that prevent the associated transition from being taken when they are not satisfied. As an example, transition  $t_2$  can only be taken when the value of clock x is greater than 5. Assignments on the other hand modify the value of a clock or variable after the transition has been taken. For example, it is perfectly valid for transition  $t_2$  to be taken when x=6, even though the assignment x=0 resets the value of x to 0, which is smaller than the value accepted by the transition guard x>5. Variables can be assigned to any value, while clocks can only be reset to 0. The third feature to mention are the state invariants. In our example there is only one, x<2 which is associated with state  $q_2$ . When a state is active, its invariant (if any) is required to be true. The invariant attached to  $q_2$  requires the TA to depart state  $q_2$  before clock x reaches a value of 2.

In addition to clocks and variables, TA also offer a powerful synchronization mechanism for different automata in the same network to coordinate. Any transition may contain a synchronization event of the form  $\{channel \times sync\}$ , where channel can be any symbol and  $sync \in \{!, ?, \#, @\}$ . Two different timed automata can synchronize their transitions by labelling them with the same synchronization channel, and using the actions to describe the type of synchronization desired.

As shown in table 1, two types of synchronization are defined. The first type is one-to-one synchronization, which has two associated operators, one signifying one-to-one 'send' (!), and the second for one-to-one receiving (?). A transition labelled with  $\alpha$ !, for

| $\mathbf{Type}$ | Synchronization Semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| One-to-one      | Whenever a TA $A_i$ takes a transition with a syncronization event $\alpha$ !, there exists exacty one $A_j$ , $i \neq j$ , such that in the same instant $A_j$ has an active transition $t'$ with the synchronization event $\alpha$ ?, and vice versa.                                                                                                                                                                                                                         |
| Broadcast       | Whenever a TA $\mathcal{A}_i$ takes a transition with a synchronization event $\alpha \#$ , every other TA $\mathcal{A}_j$ must not simultaneously take a transition with the same event, and must either simultaneously take a transition labelled with $\alpha @$ , or there must not exist a transition $t' \in \mathcal{A}_j$ such that $t$ is the currently active state, $\alpha @$ is the synchronization event, and the clock and variable guards of $t'$ are satisfied. |

Table 1: Supported Synchronization Events

some channel  $\alpha$ , can only be fired if at the same moment in time, another TA takes a transition labelled with the  $\alpha$ ? event. The second type of synchronization available is termed 'broadcast' synchronization, and again we have two operators, broadcast-send (#) and broadcast-receive (@). Like one-to-one synchronization, for a given channel  $\alpha$  there can only be one active transition with the event  $\alpha$ #, however the difference is that there can be 0,1, or multiple automata that sync using broadcast-receive at once. In addition, each automaton is required to perform a broadcast-sync if it is able to, meaning that there exists a transition t such that  $t_-$  is the currently active state, and all guards of the transition are satisfied.

With the basic concepts introduced, we will formally define the Timed Automata discussed in this paper. Let AP be a set of atomic propositions, and let Act be a set of synchronization events of the form  $Act \subset \{channel \times sync\}$ , where channel is a set of symbols and  $sync \in \{!, ?, \#, @\}$ . In addition we define a null event  $\tau$ .  $Act_{\tau}$  is the set  $Act \cup \{\tau\}$ . Let X be a finite set of clocks, and Int a finite set of integer-valued variables.  $\Gamma(X)$  is the set of clock constraints, where a clock constraint  $\gamma$  is a relation  $x \sim c \mid \gamma \wedge \gamma$ , where  $x \in X$ ,  $\sim \in \{<, >, \le, \ge\}$ , and  $c \in \mathbb{N}$ . Assign(X) is the set of clock assignments, where each assignment has the form x=0, where  $x \in X$ . Assign(Int) is a set of variable assignments of the form y := exp, where  $exp := exp + exp \mid exp - exp \mid n \mid c$ ,  $n \in Int$  and  $c \in \mathbb{Z}$ .  $\Gamma(Int)$  is the set of integer variable constraints, where a variable constraint  $\gamma$  is defined as  $\gamma := n \sim c \mid n \sim n' \mid \neg \gamma \mid \gamma \wedge \gamma$ , where  $n \in \mathbb{Z}$  and n' are integer variables,  $n \in \mathbb{Z}$  and  $n' \in \{<, =\}$ . A Timed Automaton with variables is defined as the tuple  $n \in \mathbb{Z}$  and  $n \in \{<, =\}$ . A Timed Automaton with variables is defined as the tuple

the timed automaton,  $q^0 \in Q$  is the initial state of the TA,  $v_{var}^0: Int \to \mathbb{Z}$  is a function providing initial values for each of the variables, and  $Inv: Q \to \Gamma(X)$  is a function assigning each state to a (possibly empty) set of clock constraints. The labeling function  $L: Q \to \mathcal{P}(AP)$  assigns each state to a subset of the atomic propositions. Each transition  $t \in T$  has the form  $t = \langle Q \times Q \times Act_{\tau} \times \Gamma(X) \times \Gamma(Int) \times \mathcal{P}(Assign(X)) \times \mathcal{P}(Assign(Int)) \rangle$ , consisting of a source and destination state, an action, a set of clock and variable guards, a set of clocks to be reset when the transition fires, and a set of variables to assign values to. To refer to the components of a transition we will use  $t_-$  and  $t_+$  to refer to the source and destination states respectively, as well as  $t_\epsilon, t_{\gamma_c}, t_{\gamma_v}, t_{a_c}, t_{a_v}$  to refer to the event, clock constraints, variable constraints, clock assignments, and variable assignments respectively.

A network of Timed Automata is a finite list of timed automata  $\mathcal{A} = [\mathcal{A}_1, \mathcal{A}_2, \dots \mathcal{A}_N]$ . Timed Automata in the same network can refer to common clocks, variables, and synchronization channels to coordinate their actions. To simplify the notation we will use the symbols T, X, Int, and  $Act/Act_{\tau}$  to refer to the union of the respective sets of each individual timed automaton in the network. When necessary to refer to the properties of one timed automaton in particular, we will append a numerical subscript to the set in question, for example  $X_i$  to refer to the clocks used by the specific timed automaton  $\mathcal{A}_i \in \mathcal{A}$ .

## 3.2 Bounded Model Checking

Bounded Model Checking refers to the problem of evaluating if a given network of timed automata satisfies a given model, or property. To perform this evaluation, the TA network along with the property to be evaluated are transformed into a form acceptable by a Satisfiability Modulo Theories, or SMT solver. The solver then searches all possible executions of the system to determine if the property is satisfied. Before we can discuss this process, we must describe what we mean by an execution of a network of timed automata.

At a given position in time, the TA network can be described by the currently active states, as well as the values of the clocks and integer variables. To describe the values of the clocks and variables at different positions in time, we introdue 'valuations', which accept a clock or variable argument and return a value.

$$v: \mathcal{X} \to \mathbb{R}_{>0}$$

$$v_{var}: Int \to \mathbb{Z}$$

Each time position has an associated clock and variable valuation. Because the execution of a TA is a series of instantaneous state transitions, interspersed throughout time, we can represent a TA execution as a series of 'snapshots' showing these moments of transitions. In order to achieve this representation, we use the concept of a trace. For the time being let us consider a trace  $\eta$  to be an infinite sequence

$$\eta = (l_0, v_0, v_{var,0}), \delta_0, t_0, (l_1, v_1, v_{var,1}), \delta_1, t_1, \dots$$

Where  $l_l[i]$  returns the active state  $q \in Q_i$  for  $i \in [1, N]$ , and  $t_l[i]$  returns a transition  $t \in T_i \cup \sharp$ , where  $\sharp$  is the *null transition*, which signifies that the TA does not perform a discrete transition. We can see that the trace is made up of snapshots of the TA in a given moment of time  $(l, v, v_{var})$ , which are connected with a combined temporal  $\delta$  and discrete t transition step. We can safely require that all transitions follow this pattern because two consecutive temporal transitions  $\delta$  can simply be combined into one whose length is the sum of the two original transitions, and two consecutive discrete transitions can be combined **iff** no TA in the network performs a non-null transition in both transitions, in which case the trace would be illegal, for the TA would be in multiple states in the same time position.

In figure 3 we can see a trace of the Timed Automaton defined in figure 2, which has been given an index of 1. To prevent the value of t[i] being undefined at position 0, the value of t[i] corresponds to the transition taken in the following time position. However for clarity in the traces shown here, the values of t[1] have been shifted to the right by one position, so that the active transition is placed over the position in time where the transition actually occurs. At the top of the trace t[1] tracks the currently active state of the timed automaton. In this simple trace the automaton begins in state t[1] transitions to t[1] transitions transitions to t[1] transitions to t[1] transitions transitions to t[1] transitions transitions transitions transitions to t[1] transitions transition

| l[1] =     | $q_1$ | $q_2$ | $q_2$ | $q_3$ |
|------------|-------|-------|-------|-------|
| n =        | 1     | 1     | 1     | 1     |
| x =        | 0     | 0     | 1     | 0     |
| $\delta =$ | 6     | 1     | 1     | 3     |
| t[1] =     |       | $t_2$ | -     | $t_3$ |
|            |       |       |       |       |
| time       | 0     | 1     | 2     | 3     |

Figure 3: An example trace through 4 positions.

immediately following state.

One surprising observation is that the value of the clock x does not seem to change between positions 0 and 1, despite  $\delta$  indicating that 6 units of time has passed. Recall that transition  $t_2$  resets the value of the clock x to zero, and that the trace capture the values of clocks and variables *after* any assignments have been applied.



Figure 4: A trace highlighting the evaluation of a clock guard.

Figure 4 shows how we can compute the value of clock x at the moment of the transition, before the reset is applied. By combining the values of x and  $\delta$ , we obtain the value of x that is used to determine if the clock guard of transition  $t_2$  is satisfied. We see that x has a value of  $\delta$ , which satisfies the guard x > 5.

Notice in the above trace the value of clock x during the transition from state  $q_2$ to state  $q_3$ . State  $q_2$  has an invariant requiring that the value of clock x be strictly less than 2, however at the moment of transition  $x(2) + \delta(2) = 2$ . Is this trace therefore illegal? This raises an interesting question: at the moment of transition, what is the active state? Possible answers could include the source state, the destination, both, or neither. Different models of Timed Automata implement this differently? In our model, the TA is always in exactly one state at every instant in time. If at the moment of transition the TA remains in the source state, the transition is said to be "right-closed" or equivalently "left-open", because the interval of time that the TA spends in  $t_-$  ends in a closed interval, while the inteval of time that the TA spends in  $t_+$  begins in an open interval. Conversely if the TA is located in the destination state at the moment of transition, we say that it is "left-closed", which also implies that it is right-open. Returning to our example trace, if the timed automaton is not in state  $q_2$  in the instance of transition, then the strict inequality in the state invariant can be satisfied with equality at the instance of transition, since the automaton is not actually in that state at that final moment. To formalize this notion we introduce the weak clock relation  $\sim_w$ , which is defined as follows:

$$x \sim_w c \iff (x \sim c \lor x = c) \sim \in \{<, >, \le, \ge\}$$
  
 $x =_w c \iff false$ 

To make our trace more precise, we add for each TA  $\mathcal{A}_i$  the term  $edge^{RC}[i]$ , which is true at a given time position iff the currently active edge is right-closed.

| l[1] =       | $q_1$ | $q_2$ | $q_2$ | $q_3$ |
|--------------|-------|-------|-------|-------|
| n =          | 1     | 1     | 1     | 1     |
| x =          | 0     | 0     | 1     | 0     |
| $\delta \ =$ | 6     | 1     | 1     | 3     |
| t[1] =       |       | $t_2$ | -     | $t_3$ |
| edge =       |       | ](    |       | )[    |
| time         | 0     | 1     | 2     | 3     |

Figure 5: An example trace with edge variable.

Figure 5 shows the same example trace as before, but with the addition of the edge

variable. Like the transitions, it is shifted to the right by one position for ease of viewing. Notice that when transition  $t_3$  is taken, the edge is left-closed, as is required by the invariant. The value of the edge variable is not shown during the null transition, however during a null transition either value is equivalent. We now revise the notion of a trace to include this term.

#### **Definition 3.1.** A trace $\eta$ is an infinite sequence

$$\eta = (l_0, v_0, v_{var,0}), \delta_0, t_0, edge_0(l_1, v_1, v_{var,1}), \delta_1, t_1, edge_1 \dots$$

When using Timed Automata to model real-time systems, a common desire is to verify that every valid trace of the system obeys a given constraint, or property. Problems of feasibility quickly arise however, due to the infinite length of these traces. Bounded Model Checking is a process in which timed automata traces of infinite length can be efficiently verified against a property. Since TA traces are infinite in length, we restrict ourselves to traces of the form  $s_0 s_1 \dots s_{l-1} (s_l s_{l+1} \dots s_{k-1} s_k)^{\omega}$ , where every  $s = (l, v, v_{var}, \delta, t)$ . These "lasso-shaped" traces consist of an initial sequence of states up until  $s_{l-1}$ , followed by a loop that can be repeated an infinite amount of times to form the full trace. Since the beginning of the loop is allowed to occur anywhere within the sequence, the only variable is the number of distinct states k. Bounded Model Checking refers to checking if a given property is satisfied over lasso-shaped traces of up to length k. The TA system along with the desired property are converted into a format suitable for parsing by a SAT or SMT solver, which is then tasked with finding a counterexample to the property. If a counterexample is found, then there exists at least one trace that does not satisfy the provided property. Otherwise, the property is said to have been verified over the TA network up to the bound k, as the solver has shown that no lasso-shaped traces of length k exist that contradict the property. Although restricting ourselves to only lasso-shaped traces may seem to be a severe limitation, it has been shown that for a given TA network  $\mathcal{A}$ , there exists a limit K such that if a counterexample for a given property exists, there exists a lasso-shaped counterexample of length no more than K[1].

### 3.3 Constraint LTL Over Clocks

Constraint LTL is an extention of linear temporal logic allowing formulas over a given constraint system[2]. CLTLoc is a constraint LTL where the constraint system consists of clocks defined over the positive real numbers. This allows for the construction of formulas defined over atomic propositions and clocks. A clock is a variable over  $\mathbb{R}_{\geq 0}$  whose value changes between LTL positions to model the passage of time. Like clocks in timed automata, clocks can be reset back to zero. In addition CLTLoc has been extended to support expressions over arithmetical variables[3].

A formula in CLTLoc consists of atomic propositions, clock formulas, and formulas over integer variables, which are combined using the standard LTL operators of  $\mathcal{X}$  (next) and  $\mathcal{U}$  (until), as well as the derived operators  $\mathcal{G}$  (globally),  $\mathcal{F}$  (future), and  $\mathcal{R}$  (release). A clock formula compares the value of the clock to a given natural number, for instance x > 7. A variable formula, on the other hand, can compare not only individual variables but also arithmetic combinations of variables. An example would be the expression b + c = 7;  $b, c \in Int$ .

Let X be a finite set of clocks and Int be a finite set of integer variables. CLTLoc formulas are defined as follows:

$$\phi := p \mid x \sim c \mid \exp_1 \sim \exp_2 |\mathcal{X}(n) \sim \exp |\phi \wedge \phi| \neg \phi \mid \mathcal{X}\phi \mid \phi \mathcal{U}\phi$$

Where  $a \in AP$ ,  $x \in X$ ,  $c \in \mathbb{N}$ ,  $n \in Int$ ,  $\sim \in \{<, =\}$  and exp are arithmetic formulas over integer variables and integers (defined in Section 3.1).

As mentioned before, clocks are special dense variables over  $\mathbb{R}_{\geq 0}$  that 'progress' between different LTL positions. To be more specific, each clock must either increment between two adjacent time positions, or it must be reset. To maintain a consistent view of time, we introduce  $\delta : \mathbb{N} \to \mathbb{R}_{>0}$ , which measures the amount of time that elapses between two adjacent time positions. For a given clock 'valuation'  $\sigma : \mathbb{N} \times X \to \mathbb{R}_{\geq 0}$ , each clock  $x \in X$  must either obey the equivalence  $\sigma(l, x) + \delta(l) = \sigma(l+1, x)$ , or is reset, i.e.  $\sigma(l+1, x) = 0$ . This ensures that all clocks progress at the same rate, and we can use  $\delta(t)$  to calculate the amount of time elapsed between any two positions.

We also define vairables via the assignment function  $\iota: \mathbb{N} \times Int \to \mathbb{Z}$  that assigns a

value to each variable  $n \in Int$  at every time position in N. The arithmetical expressions exp can now be evaluated at a time position l by replacing every occurance of an integer variable n with  $\iota(l,n)$ .

A CLTLoc interpretation is the triple  $(\pi, \sigma, \iota)$ , where  $\phi : \mathbb{N} \to \wp(AP)$  maps time positions to the set of atomic propositions that evaluate to true, and  $\sigma$  and  $\iota$  are the clock and variable valuations. A CLTLoc formula  $\phi$  evaluated at time position l is defined as follows:

$$(\pi, \sigma, \iota), l \vDash x \sim c \qquad \Leftrightarrow \qquad \sigma(l, x) \sim c$$

$$(\pi, \sigma, \iota), l \vDash \exp_{1} \sim \exp_{2} \qquad \Leftrightarrow \qquad \exp_{1}(\iota, l) \sim \exp_{2}(\iota, l)$$

$$(\pi, \sigma, \iota), l \vDash \mathcal{X}(n) \sim \exp \qquad \Leftrightarrow \qquad \iota(l+1, n) \sim \exp(\iota, l)$$

$$(\pi, \sigma, \iota), l \vDash p \qquad \Leftrightarrow \qquad p \in \pi(l)$$

$$(\pi, \sigma, \iota), l \vDash \neg \phi \qquad \Leftrightarrow \qquad ((\pi, \sigma, \iota), l \vDash \phi)$$

$$(\pi, \sigma, \iota), l \vDash \phi_{1} \wedge \phi_{2} \qquad \Leftrightarrow \qquad ((\pi, \sigma, \iota), l \vDash \phi_{1}) \wedge ((\pi, \sigma, \iota), l \vDash \phi_{2})$$

$$(\pi, \sigma, \iota), l \vDash \mathcal{X}(\phi) \qquad \Leftrightarrow \qquad ((\pi, \sigma, \iota), l+1 \vDash \phi$$

$$(\pi, \sigma, \iota), l \vDash \phi_{1} \mathcal{U} \phi_{2} \qquad \Leftrightarrow \qquad ((\pi, \sigma, \iota), l \vDash \phi_{2}) \vee$$

$$((\pi, \sigma, \iota), l \vDash \phi_{1}) \wedge ((\pi, \sigma, \iota), l+1 \vDash \phi_{1} \mathcal{U} \phi_{2})$$

A CLTLoc formula  $\phi$  is said to be *satisfiable* if an interpretation  $(\pi, \sigma, \iota)$  exists such that  $(\pi, \sigma, \iota), 0 \vDash \phi$ . This is often shortened to simply  $(\pi, \sigma, \iota) \vDash \phi$ .

#### 3.4 TACK CLTLoc Translation

The TACK[4] tool developed by Menghi et al. converts Bounded Satisfiability Checking problems into the CLTLoc language. TACK uses Metric Interval Temporal Logic to specify the property to be checked for satisfiability, which allows for more compact and powerful specifications of the desired properties to be checked. Once the Timed Automata network and the MITL property have been converted into CLTLoc, TACK then uses the tool Zot to convert this intermediate representation of the problem into the SMT-LIB2 language, which is supported by many modern SMT solvers. Zot was designed with a modular architecture to allow for several different strategies and algorithms that can be

Table 2: TACK Encoding of an Automaton in CLTLoc

Table 2: TACK Encoding of an Automaton in CLTLoc 
$$\varphi_1 := \bigwedge_{i \in [1,N]} (l[i] = 0) \qquad \varphi_2 := \bigwedge_{n \in Int} n = v_{var}^0(n) \qquad \varphi_3 := \bigwedge_{i \in [1,N]} Inv(l[i])$$

$$\varphi_4 := \bigwedge_{x \in X} (x_0 = 0 \land x_1 > 0 \land x_v = 0) \qquad \varphi_5(j) := \bigwedge_{x \in X} (x_j = 0) \rightarrow \mathcal{X} \left( (x_{(j+1) \mod 2} = 0) \mathcal{R} \left( (x_v = j) \land (x_j > 0) \right) \right)$$

$$\varphi_6 := \bigwedge_{i \in [1,N]} \left( \left( l[i] = q \land t[i] = \sharp \right) \rightarrow \mathcal{X} \left( Inv(q) \land r_1(Inv(q)) \right) \right)$$

$$\varphi_7 := \bigwedge_{i \in [1,N]} t[i] = t \rightarrow \left( l[i] = t_- \land \mathcal{X}(l[i] = t_+) \land \varphi_{\gamma_c} \land \varphi_{\gamma_v} \land \varphi_{\alpha_c} \land \varphi_{\alpha_v} \land \varphi_{edge}(t_-, t_+, i) \right)$$

$$\varphi_{edge}(a,b,i) := \varphi(a,b,i) \lor \varphi(a,b,i)$$

$$\varphi(a,b,i) := Inv(a) \land r_2(Inv(b)) \land edge^{RC}[i]$$

$$\varphi(a,b,i) := Inv_w(a) \land r_2(Inv(b)) \land \neg edge^{RC}[i]$$

$$\varphi_8 := \bigwedge_{i \in [1,N]; q,q' \in \mathcal{Q}_i | q \neq q'} \left( \left( (l[i] = q) \land \mathcal{X}(l[i] = q') \right) \rightarrow \bigvee_{i \in [1,N]} t[i] = t \right)$$

$$\varphi_9 := \bigwedge_{x \in X} \left( \mathcal{X}(x_0 = 0 \lor x_1 = 0) \rightarrow \bigvee_{i \in [1,N]} t[i] = t \right)$$

$$\psi_{10} := \bigwedge_{n \in Int} \left( (\neg (n = \mathcal{X}(n))) \rightarrow \bigvee_{i \in [1,N]} t[i] = t \right)$$

used to convert its input. Currently the most successful Zot plugin for CLTLoc Bounded Model Checking is ae2sbyzot. We will provide an overview of both the TACK encoding of Timed Automata in CLTLoc and the ae2sbyzot translation of CLTLoc into BitVector form.

Each time position in an infinite trace of a network of timed automata is represented as a position in the mono-infinite temporal space of CLTLoc. At every time position l[i]and t[i] return the active state and active transition at the current time position. Each function is syntactic sugar for a set of atomic propositions, one for each possible value of the function, that are constrained so that only one may evaluate to true in each time position. Each  $edge_i^{RC}$ ,  $i \in [1, N]$  is encoded as an atomic proposition. TA clocks and variables can be represented directly as CLTLoc clocks and variables.

Table 2 contains the formulas used to encode the Timed Automata into CLTLoc. To accomplish this encoding, several auxiliary formulas are used.  $l[i], i \in [1, N]$  represents the location of the TA i at the current time position. Likewise,  $t[i], i \in [1, N]$  represents the currently active transition for TA i at the current time position. Because not every TA will transition at each time position, we introduce a null transition symbol #. Therefore

|                 | Synchronization Semantics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $v_1 := v_2 :=$ |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| $v_1 := v_2 :=$ |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| :=<br>:=        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                 | $v_2 := v_1 := v_2 := := v_2 $ |

Table 3: Encoding of Different Synchronization Types

the function t[i] may return either a transition or the symbol  $\sharp$ . If transition t is active in a given position i, then the TA is in state  $t_-$  at position i and state  $t_+$  at position i + 1.

The first formula constrains each TA to be in the initial state at time 0. For each Timed Automaton, the states are represented as natural numbers, with the initial state as 0. The second formula initializes each variable  $n \in Int$  to its initial value, and the third ensures that the invariants of each initial state hold in the initial position.

Formula  $\varphi$  defines the semantics for the null transition. If a Timed Automaton performs a null transition then at the moment of transition, the state invariant must hold both before and after clock resets are applied.

Formula  $\varphi$  encodes the discrete transitions. Each must respect the guards and assignments of the transitions, the TA must currently be in the source state of the transition, and must be in the destination state in the following position.  $\varphi_{edge}$  encodes the two possible edge states, right and left-closed, and ensures that the invariants are satisfied, either weakly or strongly depending on the edge type.

The final three formulas capture the sufficient conditions for a discrete transition. The active state of a TA my not change, nor may a clock be reset, nor may a variable value change without a transition explicitly causing the change.

Table 3 contains the synchronization semantics for the two supported synchronization types. These synchronization semantics are defined in table 1. The formula sync-on is true if the automaton i performs a transition with the event  $\alpha$ . Sync-on-but is true if an automaton not included in the set S performs a sync on  $\alpha$ .  $Same\ edge$  is true if the to automatons have the same edge type.

| Type                       | Liveness Semantics                                                          |
|----------------------------|-----------------------------------------------------------------------------|
| Strong transition liveness | $\underset{i \in [1,N]}{\wedge} \mathcal{G}(\mathcal{F}(t[i] \neq \sharp))$ |
| Weak transition liveness   | $\mathcal{G}(\mathcal{F}(\underset{i \in [1,N]}{\vee}t[i] \neq \sharp))$    |
| Unrestricted               | Т                                                                           |

Table 4: Liveness Semantics

| Type         | Edge Semantics                                            |
|--------------|-----------------------------------------------------------|
| Right-closed | $\mathcal{G} \underset{i \in [1,N]}{\wedge} edge^{RC}[i]$ |
| Open         | Т                                                         |

Table 5: Possible Edge Constraints

In addition to the TA and synchronization constraints, TACK includes support for an optional *liveness constraint*, termed Strong Transition Liveness, which is shown in table 4. This guarantees that every time position, eventually in the future all timed automaton in the network will take a non-null transition. Although a weaker version termed Weak Transition Liveness is defined in the TACK paper, it is not implemented in the TACK tool. It requires that at every position *at least one* timed automaton will eventually perform a non-null transition.

In addition to liveness, TACK also allows for customization of its edge constraints. As we have seen in section 3.2, the edge variables are necessary for defining which state an automaton is located in during the instant of transition. However the freedom to choose between two possible edge types is often not needed, and adds additional overhead to the solver. To speed up problems that do not have invariant edge cases, TACK provides the open to set all edge variables to right-closed in every time position. As seen in table 5, this is contrasted with the 'open' edge semantics, which do not place any additional restrictions on the edge variables.

## 3.5 Bit-Vector Logic

A BitVector is an array of binary values, or bits. BitVectors are interpreted using two's complement arithmetic to produce integer values, and their length can be any positive

Table 6: An example ae2sbyzot trace showing loop variables.

| BitVector                        | 4 | 3 | 2 | 1 | 0 |
|----------------------------------|---|---|---|---|---|
| foo                              | 1 | 0 | 1 | 1 | 0 |
| $\frac{7}{\neg foo}$             | 0 | 1 | 0 | 0 | 1 |
| $\overleftarrow{\mathcal{X}foo}$ | 0 | 1 | 0 | 1 | 1 |
| $\overrightarrow{lpos}$          | 0 | 0 | 0 | 1 | 0 |
| $\overleftarrow{inloop}$         | 1 | 1 | 1 | 0 | 0 |

integer  $(\mathbb{Z}^+)$ . We use the notation  $\overleftarrow{x}_{[n]}$  to represent a BitVector x of length n, but this can be simplified to  $\overleftarrow{x}$  if the length is clear. Bits are numbered from right to left, with the rightmost, least significant bit labeled as 0, and the leftmost, most significant bit labeled as n-1. As an example, the constant vector -4 of length 5 would be written as  $\overleftarrow{-4}_{[5]}$ , which would expand to 11100. We can also reference individual bits in the vector using the notation  $\overleftarrow{x}_{[n]}^{[i]}$  to extract the ith bit from the BitVector x. It is also possible to extract a sub-vector with the notation  $\overleftarrow{x}_{[n]}^{[j:i]}$ , where  $n>j\geq i\geq 0$ . This extracts a vector of length j-i+1 whose rightmost bit corresponds to the ith bit of x and whose leftmost bit corresponds to the jth. Similarly, concatenation operates on two BitVectors by combining their bit arrays.  $\overleftarrow{x}_{[n]}$  ::  $\overleftarrow{y}_{[m]}$  returns a new BitVector  $\overleftarrow{z}_{[n+m]}$  where  $\overleftarrow{z}_{[n-1:0]} = \overleftarrow{y}$ , and  $\overleftarrow{z}_{[m+n-1:m]} = \overleftarrow{x}$ .

The usual arithmetic operations of addition (+) and subtraction (-) are defined over two BitVectors of the same length. BitVectors also support the bit-wise operators not (!), disjuction (|), conjunction (&), equivalence ( $\iff$ ), and implication ( $\Rightarrow$ ). These binary operators return a new BitVector where each bit i is the result of applying the logical operator to the ith bit of each of the input vectors, following the usual convention where 1 is true and 0 is false. For example, the expression ( $1100 \Rightarrow 1010$ ) would evaluate to 1101, since  $a \to b$  is equivalent to  $a \lor \neg b$ .

#### 3.6 AE2SBVZOT

The final program to mention is ae2sbvzot, which is a BitVector-based plugin for Zot. It accepts CLTL formulas and converts them to BitVector logic, which it then sends to Microsoft's Z3 to solve.

To model the lasso shape of runs, ae2sbyzot adds an additional position to the BitVec-

tor that represents the 'loopback' position, or the first position of the next iteration of the loop. This position becomes the left-most, most significant bit of the vector. To separate the lasso from the initial portion of the trace, ae2sbvzot defines two special BitVectors,  $\overline{lpos}$  and  $\overline{inloop}$ . In table 6 we can see an example formula, foo, along with the corresponding vectors  $\overline{lpos}$  and  $\overline{inloop}$ . We can see that  $\overline{lpos}$  has a value of 2, meaning that bit 2 is the first position in the loop. Looking at the table we can see that the columns for bits 2 and 4 are in bold, to represent that 4, being the 'loopback' position, is a copy of position 2, and therefore all formulas are constrainted to have identical values in these positions. Meanwhile  $\overline{inloop}$  highlights that bits 0 and 1 are **not** in the loop portion of the trace, while the rest of the positions are. The infinite trace therefore would begin in position 0, move to position 1, and then repeat the infinite sequence of positions [232323...].

| Table 7: ae2sbvzot definition of a proposition $\varphi$ |                                                                                                                                                                                    |  |  |
|----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
| $\phi$                                                   | Encoding                                                                                                                                                                           |  |  |
| $\neg \varphi$                                           | $(\neg \varphi) = !(\varphi)$                                                                                                                                                      |  |  |
| $\varphi_1 \wedge \varphi_2$                             | $ \frac{(\varphi_1 \wedge \varphi_2)}{(\varphi_1 \vee \varphi_2)} = \frac{(\varphi_1)}{(\varphi_1)} & \frac{(\varphi_2)}{(\varphi_2)} $                                            |  |  |
| $\varphi_1 \vee \varphi_2$                               | $(\varphi_1 \vee \varphi_2) = (\varphi_1) \mid (\varphi_2)$                                                                                                                        |  |  |
| $\mathcal{X}arphi$                                       | $(\varphi_1 \mathcal{U} \varphi_2)^{[k:0]} = (\varphi_2)^{[k:0]}   ((\varphi_1)^{[k:0]} & (\varphi_1 \mathcal{U} \varphi_2)^{[k+1:1]})$                                            |  |  |
| $arphi_1 \mathcal{U} arphi_2$                            | $(\varphi_1 \mathcal{U} \varphi_2)^{[k:0]} = (\varphi_2)^{[k:0]} \mid ((\varphi_1)^{[k:0]} \& (\varphi_1 \mathcal{U} \varphi_2)^{[k+1:1]})$                                        |  |  |
|                                                          | $\wedge \bigg( \Big( \big( \overleftarrow{(\varphi_1)}^{[k+1]} \mid \overleftarrow{(\varphi_2)}^{[k+1]} \mid ! \overleftarrow{(\varphi_1 \mathcal{U} \varphi_2)}^{[k+1]} \big) \&$ |  |  |
|                                                          | $\left(!\overleftarrow{(\varphi_2)}^{[k+1]}\mid \overleftarrow{(\varphi_1\mathcal{U}\varphi_2)}^{[k+1]}\right)=1$                                                                  |  |  |
|                                                          | $\left( \overleftarrow{(\varphi_1 \mathcal{U} \varphi_2)^{[k+1]}} \Rightarrow \uparrow \left( \overleftarrow{(\varphi_2)} \& \overleftarrow{(inloop)} \right) = 1 \right)$         |  |  |

Given a formula with a bound of k, ae2sbvzot constructs a BitVector for the formula and for each subformula with a length of k+2. It adds an extra position both at the beginning (bit 0) to represent the initial configuration of the system, as well as at the end (bit k+1) to represent the loopback position as discussed. Each formula is then represented as a formula over its component subformulas based on the rules in table 7. The first three formulas show the encoding of logical operators  $\neg$ ,  $\wedge$ , and  $\vee$ . The rest of the table shows the encoding of the temporal operators. Extra care is taken in the definition of  $\mathcal{U}$  to ensure that the properties of the lasso are taken into account.

Atomic propositions (including the active states, transitions, edges and variable valuation) are encoded as BitVectors, and form the basic atoms from which more complex

expressions are built upon. For each state, transition, and possible variable assignment (i.e. n=4), there is a BitVector defined whose value is 1 if the corresponding state or transition is active, or if the variable assignment is true. One limitation of this approach is that arithmetic operations over variables cannot be represented. As a result, in this implementation, variable guards may only test for equality, and different variables cannot be added or subtracted in a variable assignment statement.

Clocks, being real-valued functions, cannot be easily represented in BitVector logic. Instead ae2sbvzot takes advantage of SMT-LIB2's support for multiple logics, and encodes clocks directly as functions that accept an integer argument, representing the time position, and return a real number. For a given clock guard a BitVector is constructed to represent the truth value of the clock expression. These can then be used to contruct larger expressions using the rules shown in Table 7.

Unlike the other terms, clocks cannot simply be constrained to hold the same value in the loopback position. As shown by Kindermann[5] this excludes certain valid lasso shaped traces. To avoid this ae2sbvzot adopts the region-based clock constraints suggested by Kindermann. Two clock valuations are said to be in the same region if at both positions loop and k+1:

- Each clock x is either greater than the maximum value compared against x in a clock guard in both positions  $(\max(x))$  or  $\lfloor x(loop) \rfloor = \lfloor x(k+1) \rfloor$
- If  $x < \max(x)$ , the formula  $x(l) \lfloor x(l) \rfloor = 0$  must have the same value in both loop and k+1
- For every pair of clocks x, x', the formula frac(x(l)) < frac(x'(l)) must have the same value in both positions, where frac is the fractional part of the clock's value.

## 4 TA Encoding

The previous work in this field has relied on first translating the TA network and property to be verified into the intermediate CLTLoc representation, to be later translated into BitVector logic and solved. Presented here is a novel method in which the Timed Automata network is directly encoded into BitVector logic. This direct translation allows

us to make several optimizations not possible in CLTLoc. As before, the MITL property will continue to be converted first into CLTLoc before being transformed into BitVector logic by ae2sbvzot. We use a consistent naming convention for the atomic propositions to ensure that the two BitVector encodings can be safely combined to produce the final SMT output.

Before discussing the encoding, a few differences between the representations must be addressed. First and foremost, for reasons to be discussed we wish to represent the *null transition* (when a TA does not transition between time positions) not as the separate entity  $\sharp$ , but rather as a set of transitions that obey the same rules as the discrete transitions. We explicitly add a null transition for each state  $q \in Q$  to the set of transitions.

$$\displaystyle \mathop{\forall}_{i \in [1,N]} \mathop{\forall}_{q \in Q_i} t_{null_q} := <\!q,q,\tau,\varnothing,\varnothing,\varnothing,\varnothing>$$

These null transitions have the same source and destination state, and no constraints or assignments. We can now refer to the set of all transitions as  $\mathcal{T}$ , defined as  $\mathcal{T}_{\rangle} = T_i \cup \{ \bigcup_{q \in Q_i} t_{null_q} \}$  for each TA  $\mathcal{A}_i$ . As before  $\mathcal{T}$  is the union of the  $\mathcal{T}_i$  sets.

Using BitVector logic, we have the ability to group logically connected propositions into a Vector, granting significant speedups on operations performed over every element of the vector. We wish to use this property to group together logically connected constraints of the encoding. One common source of constraint duplication is the transition constraints. These constraints enforce the semantics of Timed Automaton transitions, requiring that, for example all guards and assignment statements have been fulfilled. These constraints must be upheld at every transition in the trace, which can be dozens of discrete transitions long. This motivates us to use the BitVectors to represent a piece of information changing over time, i.e. representing its value at different time positions in the trace.

#### 4.1 Transitions

When encoding the constraints of the system, it is convenient to write that a constraint will hold over every discrete time position in the trace. As an example, consider a transition with a variable assignment  $n = 5, n \in Int$ . When formalizing the constraints, it would be simpler to have a formula of the type  $transition_{[k+2]} \Rightarrow assignment_{[k+2]}$  that

| Transition Bit                             | BitVector                                                              |
|--------------------------------------------|------------------------------------------------------------------------|
| 0                                          | $\overleftarrow{tb_{i,0}}_{[k+2]}$                                     |
| 1                                          |                                                                        |
| :                                          | :                                                                      |
| $(\lceil \log_2 \mathcal{T}_i \rceil - 1)$ | $\overleftarrow{tb_{i,(\lceil \log_2 \mathcal{T}_i \rceil - 1)[k+2]}}$ |

Table 8: Construction of the Transition BitVectors for  $A_i \in A$ 

| Transition                       | Alias                                                                                                                                                                                                                                                            |
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\mathcal{T}_i[0]$               | $  t\overleftarrow{b_{i,\lceil \log_2 \mathcal{T}_i \rceil - 1}} \& !\overleftarrow{tb_{i,\lceil \log_2 \mathcal{T}_i \rceil - 2}} \& \dots \& !\overleftarrow{tb_{i,1}} \& !\overleftarrow{tb_{i,0}}$                                                           |
| $\mathcal{T}_i[1]$               | $! \overleftarrow{tb_{i,\lceil \log_2 \mathcal{T}_i \rceil - 1}} \& ! \overleftarrow{tb_{i,\lceil \log_2 \mathcal{T}_i \rceil - 2}} \& \dots \& ! \overleftarrow{tb_{i,1}} \& \overleftarrow{tb_{i,0}}$                                                          |
| $\mathcal{T}_i[2]$               | $! \overleftarrow{tb_{i,\lceil \log_2 \mathcal{T}_i \rceil - 1}} \& ! \overleftarrow{tb_{i,\lceil \log_2 \mathcal{T}_i \rceil - 2}} \& \dots \& \overleftarrow{tb_{i,1}} \& ! \overleftarrow{tb_{i,0}}$                                                          |
| :                                | :                                                                                                                                                                                                                                                                |
| $\mathcal{T}_i[ \mathcal{T}_i ]$ | $ \left  \overleftarrow{tb_{i,\lceil \log_2 \tau_i \rceil - 1}} \& \left( \sim \overleftarrow{tb_{i,\lceil \log_2 \tau_i \rceil - 2}} \right) \& \dots \& \left( \sim \overleftarrow{tb_{i,1}} \right) \& \left( \sim \overleftarrow{tb_{i,0}} \right) \right. $ |

Table 9: Construction of the Transition Aliases

we can assert over every time position at once. In this model we are using BitVectors of length k + 2 where each position in the BitVector represents the formula at a different moment in time. This allows us to use the BitVector implication operator to assert that the transition BitVector implies a given constraint at every time position. At a given time position i, if the corresponding bit in the transition BitVector is set to 1, then the same bit in the variable BitVector would be required to be set to 1 as well. Otherwise the SMT solver would dismiss the trace as invalid.

This encoding, while convenient, is not very efficient. Using one BitVector per each transition yields a space complexity of  $O(|\mathcal{T}|k)$ . Since only one transition is active at a time, it is more compact to store the currently active transition as a binary number over  $\lceil \log_2 |\mathcal{T}| \rceil$  bits. Therefore we will create  $\lceil \log_2 |\mathcal{T}| \rceil$  BitVectors of length k+2 to represent the active transition of the TA over time. In order to be able to conveniently refer to individual elements of the set, we will define aliases which refer to unique combinations of the BitVectors. This will give us the convenience of the individually-named BitVectors while retaining the efficiency of the compact approach. This method will be formalized below for the encoding of the states, transitions, and variables of the Timed Automata.

For a model with a time bound of k, and a timed automaton with n distinct transitions, we represent the active transition of the automaton at different time positions as follows:

After defining the BitVectors to store the bits of the active transition, we define aliases

for the  $|\mathcal{T}_i|$  transitions as shown in table 9. Transition 0 is simply defined as the bit-wise 'and' of the negations of each of the tb BitVectors. Transition 1 differs in that the last BitVector is not negated. This corresponds to the BitVector representation of the number 1, which is 00...001. When viewed in the table, the pattern becomes more clear. Each transition is encoded as a unique combination of the tb vectors. Because the exact value of  $|\mathcal{T}_i|$  is variable, for the last transition in the table we use the symbol  $\sim$  to signal that whether or not the BitVector is negated depends on the exact value of  $|\mathcal{T}_i|$ . The key point is that each alias  $trans_t$  represents when transition t is active - a bit at position t is set to 1 iff the transition occurs between positions t and t-1.

For clarity, let us consider an example TA with  $\lceil \log_2 |\mathcal{T}| \rceil = 5$  and a transition  $t \in \mathcal{T}$  with  $\mathcal{T}_i[5] = t$ . The base two representation of 5 is 00101, and therefore  $\overline{trans}_{t[k+2]}$  is equivalent to  $(\neg tb_5 \& \neg tb_4 \& tb_3 \& \neg tb_2 \& tb_1)$ .

Another consideration we must make is for the transition edges. We add an additional term  $edge_i^{RC}_{[k+2]}$ ,  $i \in [1, N]$  for each Timed Automaton in the network. When a bit is set to 1, it signifies that the active transition for the Timed Automaton at that time position is right-closed, and conversely a value of 0 means that it is left-closed. Although not every transition will be impacted by this term (for instance, the null transitions have no invariants that can be affected), it is a necessity for the correctness of our system.

#### 4.2 States

For each TA  $A_i \in A$ , we need a way to represent the currently active state of the timed automaton. Like with the transition encoding, we wish to minimize the number of BitVectors that the SMT solver must compute. Since we have already encoded the active transition into BitVector form, we can exploit the fact that given the active transition t, the active state of the TA is simply the source state of the transition, or  $t_-$ . Therefore all that is needed is to define a set of aliases that exploit this equivalence. To this end we define each state as the bit-wise disjunction of all the transitions whose source is that state.

$$\bigvee_{q \in Q} state_q := |\underset{t \in \mathcal{T}|_{t_-} = q}{trans_t}$$

#### 4.3 Variables

Bounded integer variables are treated slightly differently, because unlike states and transitions, the possible values of a bounded integer variable are not unrelated objects in a set, but integers that must respect the operations of addition and subtraction. For each variable  $n \in Int$  we still construct a bit representation  $vb_{n,j[k+2]}$ , where each BitVector has length k+2. However the difference is that the values are encoded in two complement notation, and the number of BitVectors is chosen so that the vectors are capable of representing the entire range of values for the given bounded integer variable. We will define  $\lambda(n)$  as the number of bits needed for each variable n.

However sometimes it is more convenient to refer to the complete value of a variable at a particular time position, rather than a particular bit of the variable over every time position. We make use of the 'extract' and 'concat' operators to define a second set of BitVectors that are defined over the first set.  $var_n(l)_{[\lambda(n)]}$ ,  $0 \le j \le k+1$  is a vector of  $\lambda(n)$  bits that represents the value of variable n at time position j.

#### 4.4 Clocks

Each clock  $x \in \mathcal{X}$  is defined as a function x that takes an integer argument and returns a real number, where the argument represents the time position and the return value is the value of the clock at that position in time.

## 4.5 Complete Encoding

Now that each piece of the timed automaton has been discussed, we can present all of the terms used in the encoding of the TA network. A valid trace of the network consists of assigning values to the following terms in table 10. As we can see, the terms that our SMT solver will need to assign values to are the compacted transition and variable BitVectors, as well as the real-valued clock functions. In addition we define two special terms, which will be used to help define our constraints. The first,  $\delta$ , represents the amount of time that passes between two adjacent time positions, and must be a real number greater than 0. The second, the term  $\overleftarrow{loop}$ , has a value equal to the index of the first time position in the loop portion of the trace. From these we can represent any valid lasso-shaped trace

|             |                                                                   | Terms                                                                                                                                                           |
|-------------|-------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Transitions | $\bigvee_{i \in [1,N]} \bigvee_{j \in [0, \mathcal{T}_i -1]}$     | $\overleftarrow{tb_{i,j}}_{[k+2]}$                                                                                                                              |
| Variables   | $\forall \qquad \forall \\ n \in Int \ j \in [0, \lambda(n) - 1]$ | $\overleftarrow{vb_{n,j}}_{[k+2]}$                                                                                                                              |
| Clocks      | $\bigvee_{x \in X}$                                               | $x: [0, k+1] \to \mathbb{R}_{\geq 0}$                                                                                                                           |
| δ           | $x \in \mathcal{N}$                                               | $\delta: [0, k+1] \to \mathbb{R}_{>0}$                                                                                                                          |
| Edges       | $\bigvee_{i \in [1,N]}$                                           | $\overleftarrow{edge_i^{RC}}_{[k+2]}$                                                                                                                           |
| Loop        |                                                                   | $\overleftarrow{0}_{[k+2]} < \overleftarrow{loop}_{[k+2]} < \overleftarrow{k}_{[k+2]}$                                                                          |
|             |                                                                   | Aliases                                                                                                                                                         |
| Transitions | $\bigvee_{i \in [1,N]} \bigvee_{t \in [1,\mathcal{T}_i]}$         | $ \overrightarrow{trans_t} = \underset{j \in [0, \lceil  \log_2 \mathcal{T}_i  \rceil - 1]}{\&} !^{(t \setminus 2^j) mod \ 2} \ (!(\overleftarrow{tb_{i,j}})) $ |
| States      | $\bigvee_{i \in [1,N]} \bigvee_{q \in Q_i}$                       | $\overline{state}_q =  \underbrace{trans}_t$                                                                                                                    |
| Variables   | $\bigvee_{n \in Int} \bigvee_{l \in [0,k+1]}$                     | $\overrightarrow{var_n(l)} = \vdots \overrightarrow{vb_{n,j}}^{[l]}$                                                                                            |
| inloop      | $\bigvee_{l \in [0,k+1]}$                                         | $\left(\overleftarrow{inloop}_{[k+2]}^{[l]} = \overleftarrow{1}_{[1]}\right) \leftrightarrow (\overleftarrow{loop} \leq \overleftarrow{l})$                     |

Table 10: Terms and Aliases used in BV encoding of TA

of the network. In addition, for ease of comprehension we have aliases to more easily refer to the transitions and states individually, and to refer to the value of a variable at a particular time position.

## 5 Constraints

Of course, in addition to being able to represent all valid lasso-shaped traces, the terms defined can represent many illegal traces as well. Timed Automata in our network cannot simply take any transition as they please, they must obey certain restrictions. These restrictions take the form of clock guards on a transition, a state invariant that prevents a TA from staying in a state indefinitely, clock progression constraints, as well as many others. To ensure that our encoding only allows for valid traces, we will formalize these constraints in BitVector logic for our SMT solver to use when performing the Bounded Model Checking.

Initialization and Progression Constrain

Initialization and Progression Constraints 
$$\phi_{1} := \underset{i \in [1,N]}{\& \overleftarrow{1}}_{[1]} = \overleftarrow{state}_{q_{i}^{0}}^{[0]} \qquad \phi_{2} := \underset{k \in \mathcal{I}}{\& \overleftarrow{v_{var}(n)}} = \overleftarrow{var_{n}(0)} \qquad \phi_{3} := \underset{x \in X}{\bigwedge} x(0) = 0$$

$$\phi_{4} := \underset{i \in [0,k+1]}{\bigwedge} \delta(i) > 0 \qquad \phi_{5} := \underset{t \in \mathcal{T}}{\& (\overleftarrow{trans}_{t}^{[k:0]})} \Rightarrow \overleftarrow{state}_{t_{+}}^{[k+1:1]}) \quad \phi_{6} := \{\phi_{wtl} \mid \phi_{stl} \mid \top\}$$

$$\phi_{7} := \underset{x \in X}{\bigwedge} \underset{j \in [0,k]}{\bigwedge} \left( \underset{t \in \mathcal{R}(x)}{\& (\overleftarrow{trans}_{t}^{[k:0]})} \Rightarrow x(j+1) = x(j) + \delta(j) \right)$$

$$\phi_{8} := \underset{n \in Int}{\&} \underset{t \in assign(n)}{\&} (! \overleftarrow{trans}_{t}^{[k:0]}) \Rightarrow \underset{j \in [1,\lambda(n)]}{\&} (\overleftarrow{v_{n}b_{j}}^{[k:0]} = \overleftarrow{v_{n}b_{j}}^{[k+1:1]})$$

$$\phi_{wtl} := \overleftarrow{0}_{[k+2]} \neq \left( \overleftarrow{inloop} \ \& \ ( \mid \underbrace{trans_{nutl_{q}}}_{q \in Q_{i}}) \right)$$

$$\phi_{Init} := (\phi_{1} \& \phi_{2} \& \phi_{5} \& \phi_{8} = ! \overleftarrow{0}_{[k+2]}) \land \phi_{3} \land \phi_{4} \land \phi_{6} \land \phi_{7}$$

Table 11: Initialization and Progression Constraints for a network of timed automata

#### 5.1Initialization & Progression

In the definition of a Timed Automaton, we included the initialization terms  $q^0$  and  $var^0$ , and mentioned that all clocks are equal to 0 at the initial instance of the trace. Here we formalize those contraints over the BitVector terms that make up our encoding. Also included are contraints on how these three groups of values (transitions, variables, and clocks) evolve throughout the trace.

Properties  $\phi_1 - \phi_3$  The initialization constraints are similar for states, clocks, and bounded variables. For states, we assert that the initial state holds in the first time position by comparing the vector for the initial state  $state_{q_i^0}$  to the constant vector  $\overleftarrow{1}_{[1]}$ in formula  $\phi_1$ . This requires the first bit of the state vector to be set to 1, signifying that the state is active in time position 0. Because the state BitVector is an alias, what this constraint is requiring is that the active transition for each TA i in position 0 must have its source state be equal to the initial state for the TA,  $t_{-}=q_{i}^{0}$ . This transition can be either a discrete transition beginning in  $q_i^0$  or the null transition for state  $q_i^0$ . For variables, we assert that the provided initial starting value,  $var_n^0$  is equal to the value of the variable at time position 0. For clocks, we assert that the clock function at the initial time position is equal to 0 in formula  $\phi_3$ .

Property  $\phi_4$  Each time position in the range [0, k+1] represents an instant of time in which timed automaton may perform discrete (non-null) transitions. In between these positions, all timed automata remain stationary, and only the clocks progress. To capture this progression, we use the special clock  $\delta$ . Formula  $\phi_4$  captures that  $\delta$  is defined as a function over integers in the range [0, k+1] that returns positive real numbers. The value of  $\delta(i)$  at position i refers to the amount of time between position i and position i+1.

Property  $\phi_5$  Another aspect of progression is ensuring that the active state of a timed automaton correctly reflects the transitions being taken. To that effect, formula  $\phi_5$  asserts that when a transition is taken at time position i, the destination state is active at position i+1. Because the state BitVectors are just aliases defined over the transition BitVectors, we do not need to explicitly constrain the TA to be in state  $t_-$  at time position i, since this is true by definition.

Property  $\phi_6$  Unique among the progression contraints is  $\phi_6$ , which encodes the desired liveness property of the network, discussed in ??. This parameter can be chosen by the user, and has three possible values.  $\phi_{stl}$  encodes Strong Transition Liveness, which states that at every moment in time, each TA will eventually in the future perform a discrete (non-null) transition. Since our traces are lasso-shaped, this is equivalent to requiring that each TA takes a discrete transition somewhere in the loop. Similarly,  $\phi_{wtl}$  encodes Weak Transition Liveness, which states that at every instant of time at least one TA will eventually perform a discrete transition in the future. The key to these encodings is the expression !( $|trans_{null_q}|$ ), which for a given TA combines each of the null transitions with the bit-wise disjuction operator. This value is then negated, and consequently a bit of this expression is set to 1 iff the TA has a non-null transition active at that position. We can then compute the desired value by using  $\frac{\overleftarrow{inloop}}{inloop}$ . This BitVector has bits which are set to 1 iff the corresponding position is inside the loop portion of the trace. By requiring that a discrete transition occurs during the loop, we ensure that at every instant of the infinite trace, a TA will eventually take a discrete transition. The third liveness option is to have no liveness constraint at all, in which case  $\phi_6$  trivially evaluates to true  $(\top)$ .

Property  $\phi_7 - \phi_8$  Formula  $\phi_7$  connects  $\delta$  to the other clocks. At each time position i, a clock is either reset by a transition, or its value increments by  $\delta(i)$ . To do this we define the set  $\mathcal{R}_x$  for every clock x, which is defined as the set of all transitions t that reset the value of clock x. When no transition in  $\mathcal{R}_x$  is active, the clock must progress according to the value of  $\delta$ . Similarly for variables, we define the set assign(n) for every variable n containing all transitions that assign a value to the variable. When none of these transitions are active, formula  $\phi_8$  ensures that the value of n remains unchanged.

| $\phi_9 :=$                       | $\bigwedge_{t \in T} \bigwedge_{l \in [0,k]} \overleftarrow{trans_t}^{[l]} \to \sigma_{\delta}(l, t_{\gamma_c})$                                                                                                                                                               |
|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\phi_{10} :=$                    | $\bigwedge_{t \in T} \bigwedge_{l \in [0,k]} \overline{trans_t}^{[l]} \to \mu(l, t_{\gamma_v})$                                                                                                                                                                                |
| $\phi_{11} :=$                    | $ \bigwedge_{t \in T} \bigwedge_{x \in t_{a_c}} \bigwedge_{l \in [0,k]} \overleftarrow{trans_t}^{[l]} \to x(l+1) = 0 $                                                                                                                                                         |
| $\phi_{12} :=$                    | $\bigwedge_{t \in T} \bigwedge_{n, \exp \in t_{a_v}} \bigwedge_{l \in [0, k]} \overleftarrow{trans_t}^{[l]} \to \left( \overleftarrow{var_n(l+1)} = \overleftarrow{\zeta(l, n, \exp)} \right)$                                                                                 |
| $\phi_{13} :=$                    | $ \bigwedge_{\substack{i \in [1,N] \\ t \in T_i}} \bigwedge_{l \in [0,k]} \underbrace{\overleftarrow{trans_t}}^{[l]} \to \left( \sigma_{\delta}(l,Inv(t)) \land \sigma_w(l+1,Inv(t_+)) \land (\overleftarrow{edge_i^{RC}}^{[l]} = \overleftarrow{1}_{[1]}) \right) $           |
|                                   | $\vee \left( \sigma_{w\delta}(l, Inv(t_{-})) \wedge \sigma(l+1, Inv(t_{+})) \wedge (\overrightarrow{edge_{i}^{RC}[l]} = \overleftarrow{0}_{[1]}) \right)$                                                                                                                      |
| $\sigma(l, \gamma_c) :=$          | $x(l) \sim c \mid \sigma(l, \gamma_c') \wedge \sigma(l, \gamma_c'')$                                                                                                                                                                                                           |
| $\sigma_{\delta}(l,\gamma_c) :=$  | $x(l) + \delta(l) \sim c \mid \sigma_{\delta}(l, \gamma_c') \wedge \sigma_{\delta}(l, \gamma_c'')$                                                                                                                                                                             |
| $\sigma_w(l,\gamma_c) :=$         | $x(l) \sim_w c \mid \sigma_w(l, \gamma_c') \wedge \sigma_w(l, \gamma_c'')$                                                                                                                                                                                                     |
| $\sigma_{w\delta}(l,\gamma_c) :=$ | $x(l) + \delta(l) \sim_w c \mid \sigma_{w\delta}(l, \gamma_c') \wedge \sigma_{w\delta}(l, \gamma_c'')$                                                                                                                                                                         |
| $\mu(l,\gamma_v) :=$              | $ \frac{\longleftarrow}{var_n(l)_{[\lambda(n)]}} \sim \frac{\longleftarrow}{c_{[\lambda(n)]}}   \frac{\longleftarrow}{var_n(l)_{[\lambda(n)]}} \sim \frac{\longleftarrow}{var_{n'}(l)_{[\lambda(n)]}}   \neg \mu(l, \gamma'_v)   \mu(l, \gamma'_v) \wedge \mu(l, \gamma''_v) $ |
| $\zeta(l, n, \exp) :=$            | $\overleftarrow{var_j(l)}_{[\lambda(n)]} \mid \overleftarrow{c}_{[\lambda(n)]} \mid \zeta(l, n, \exp') + \zeta(l, n, \exp'') \mid \zeta(l, n, \exp') - \zeta(l, n, \exp'')$                                                                                                    |
| $\phi_{trans} :=$                 | $\phi_9 \wedge \phi_{10} \wedge \phi_{11} \wedge \phi_{12} \wedge \phi_{13}$                                                                                                                                                                                                   |

Table 12: Transition Constraints for a network of timed automata

#### 5.2 Transitions

As a quick review, transitions consist of a source and destination state, a synchronization action, as well as (possibly empty) sets of clock constraints, variable constraints, clock assignments, and variable assignments. In section 5.1 on initialization and progression,  $\phi_6$  was defined to ensure that the source and destination states were implemented correctly - that the destination of one transition is the source of the next. We now encode the guard and assignment constraints of every transition in the TA network.

Property  $\phi_9$  We will first consider the transition guards. Each transition can have multiple guards, which consist of two types, clock guards and variable guards. Clock guards have the form  $x \sim c$ , where  $x \in X$ ,  $c \in \mathbb{Z}$  and  $\sim \in \{<, >, \le, \ge\}$ . Formula  $\phi_9$  asserts that for every clock guard, its associated transition being active at time position l implies that at the instance of transition, the relationship  $\sim$  holds between the clock value and the value. Recall that if a transition is active at time position l, the transition

occurs in the instant between time position l and time position l+1. Therefore, at the instance of the transition, the clock does not have the value x(l), but rather  $x(l) + \delta(l)$ , delta being the special clock that defines the amount of time spent in each time position. Note that we cannot simply use x(l+1) as the value of the clock, because it is possible that during the transition between time position l and l+1, the value of the clock may be reset, which would set x(l+1) = 0. Our guard only sees the pre-transition value of the clock, and thus we must manually add  $\delta(l)$  to the value. We use the function  $\sigma$  to encode the grammar of the clock constraints. In this case we use  $\sigma_{\delta}$ , which differs only in the fact that  $\delta$  is added to the clock value.

Property  $\phi_{10}$  This property captures the same semantics for variable guards, asserting that an active transition with a guard implies that the guard is true at that time position. Because variables, unlike clocks, do not progress with time, it is sufficient to simply use the value  $var_v(l)$  to determine if the guard is satisfied. The function  $\mu$  is used to encode the variable constraint grammar. If the form  $var_n(l)_{[\lambda(n)]} \sim var_{n'}(l)_{[\lambda(n)]}$  is used and  $\lambda(n') < \lambda(n)$ , then the BitVector  $var_{n'}(l)_{[\lambda(n')]}$  is implicitly sign-extended to a length of  $\lambda(n)$  bits. It is forbidden to use a variable n' such that  $\lambda(n') > \lambda(n)$ .

Property  $\phi_{11} - \phi_{12}$  Clock assignments are more straightforward then the clock guards. It is enough to require that if a transition is taken at time position l, then in the following time position the clock is reset to 0. Variable assignments however, are more complex. Unlike clock assignments, variable assignments can access both constant values and the values of other variables, and they may combine them using the operators  $\{+,-\}$ . To implement this in our BitVector logic, we require that if any variable n' appears in the assignment expression of variable n, then  $\lambda(n') \leq \lambda(n)$ , just as in the variable guards. We can then cast all constants and variables to BitVectors of length  $\lambda(v)$ , sign-extending shorter values if necessary. This allows us to use the standard BitVector addition and subtraction operators to compute the final value, which is assigned to v at time position l+1.

Property  $\phi_{13}$  The last component of the transition to discuss is the state invariant. Although invariants are state-specific, not transition-specific, since states are defined by the active transitions, it is sufficient to ensure that at the moment of transition both the source and destination invariants are satisfied, taking into account the value of  $\overrightarrow{edge_i^{RC}}$ . Since all invariants are convex, if the invariant is satisfied at moment the TA enters the state and at the moment it leaves, it is satisfied at all positions in the interval between

$$\phi_{14} := \underbrace{\underbrace{\underbrace{\underbrace{k}_{t \in T: t_{\epsilon} = \alpha!} trans_{t}}_{trans_{t}}}}_{t_{\ell} \in \{1, \alpha \neq \}} \Rightarrow (\neg \bigvee_{\substack{t' \in \{T \setminus t\}: \\ t'_{\ell} \in \{\alpha!, \alpha \neq \}}} trans_{t'}) \land (\bigvee_{\substack{t' \in T: t_{\epsilon} = \alpha?}} trans_{t'})}$$

$$\phi_{15} := \underbrace{\underbrace{\underbrace{k}_{i \in [1, N]}}_{teT_{i}: t_{\epsilon} = \alpha?}}_{teT_{i}: t_{\epsilon} = \alpha?}} \Rightarrow (\neg \bigvee_{\substack{t' \in \{T \setminus t\}: \\ t_{\epsilon} = \alpha?}} trans_{t'}) \land (\bigvee_{\substack{j \in [1, N] \\ t' \in T: t_{\epsilon} = \alpha \neq \delta}} \underbrace{\underbrace{k}_{trans_{t'}}}_{trans_{t'}} & \underbrace{(edge_{i}^{RC} \Leftrightarrow edge_{j}^{RC})}_{edge_{j}^{RC}}))$$

$$\phi_{16} := \underbrace{\underbrace{k}_{teT: t_{\epsilon} = \alpha}}_{teT: t_{\epsilon} = \alpha} \underbrace{trans_{t}}_{te=\alpha!} \Rightarrow \neg (\bigvee_{\substack{t' \in T: t_{\epsilon} = \alpha \neq \delta \land t' \neq t} \\ t' \in T: t_{\epsilon} = \alpha}} \underbrace{trans_{t'}}_{t' \in T: t_{\epsilon} = \alpha} \underbrace{k}_{trans_{t'}} & \underbrace{(edge_{i}^{RC} \Leftrightarrow edge_{j}^{RC})}_{t' \in T: t_{\epsilon} = \alpha})$$

$$\phi_{17} := \underbrace{\underbrace{k}_{i \in [1, N]}}_{teT_{i}: t_{\epsilon} = \alpha} \Rightarrow (\bigvee_{\substack{j \in [1, N] \\ t' \in T: t_{\epsilon} = \alpha}} \underbrace{k}_{trans_{t'}} & \underbrace{k}_{$$

Table 13: Synchronization Constraints for a network of timed automata

them. We can see that the transition implies one of two statements, one for each possible value of  $\overrightarrow{edge_i^{RC}}$ . In addition the invariants of the source state are evaluated with  $\delta(l)$ , while the transitions of the state with the open-ended transition are evaluated with the weak satisfaction relation.

#### 5.3 Sync

The synchronization constraints capture the semantics defined in table 1. Formula  $\phi_{14}$  and  $\phi_{15}$  capture the contraints for one-to-one synchronization, while the others cover broadcast synchronization.

Properties  $\phi_{14} - \phi_{15}$  The first formula in this group requires firstly that when a transition marked with  $\alpha$ ! (one-to-one send) is taken, no other transition with the  $\alpha$ ! or  $\alpha$ # event may be active, and secondly that there exists at least one active transition with the event  $\alpha$ ? (one-to-one receive). The second formula is very similar, requiring that when a transition with the event  $\alpha$ ? is active, no other transition with the event  $\alpha$ ? may be active, and there must be at least one active transition with the  $\alpha$ ! event that has the same edge.

Properties  $\phi_{16} - \phi_{18}$  Formulas  $\phi_{16}$  and  $\phi_{17}$  are similar to those for one-to-one communication, with modifications for the different semantics of broadcast synchronization.  $\phi_{16}$  requires that when a transition with the event  $\alpha\#$  (broadcast send) is active, no other transition with the same event may be active. The difference from  $\phi_{14}$  is that there is no requirement for an active transition labelled with the  $\alpha@$  (broadcast receive) event.  $\phi_{17}$  requires that when a transition with the event  $\alpha@$  is active, there exists at least one active transition with the event  $\alpha\#$  and the same edge. Note that multiple transitions are allowed to receive the same broadcast signal. The final formula  $\phi_{18}$  handles the "compulsive" nature of broadcast synchronization. When there exists an active transition with the broadcast send event on a channel  $\alpha$ , for all other TA in the network we require that if there exists a transition

- that has the broadcast receive event on channel  $\alpha$
- whose source state equal to the current state of the TA
- whose guards are all satisfied

then the TA is required to take (have active) a transition with the event  $\alpha$ @.

#### 5.4 Loop Constraints

As mentioned previously, we are only interested in lasso-shaped runs that end in a loop. To keep track of the initial position of the loop, we have defined the BitVector  $\overrightarrow{loop}$ , and constrained it to have a value in the range [1, k].

Intuitively, the time position k+1 represents the first time position in the next iteration of the loop. It is effectively a 'copy' of the position loop, however we add it as a distinct position so that we may capture the semantics of the transition between time position k and time position loop. We therefore must introduce constraints to ensure that these two positions are in fact equivalent.

Propositions  $\phi_{19} - \phi_{20}$  For transitions, edges and variables this is very straightforward. We simply require that in the *loop* and k+1 positions that the active transitions, edge type, and variables have identical values.

$$\begin{aligned} & \text{Loop Constraints} \\ \phi_{19} := \bigwedge_{i \in [1,N]} (\overleftarrow{edg} e_i^{RC}[k+1] = \overleftarrow{edg} e_i^{RC}[loop]) \wedge \bigwedge_{j \in [1,\lceil \log_2|\mathcal{T}_i|\rceil]} \overleftarrow{tb_{i,j}}[k+1] = \overleftarrow{tb_{i,j}}[loop]} \\ \phi_{20} := \bigwedge_{n \in Int} \bigwedge_{j \in [1,\lambda(n)]} \overleftarrow{vb_{n,j}}[k+1] = \overleftarrow{vb_{n,j}}[loop]} \\ \phi_{21} := \bigwedge_{x \in X} (\lfloor x(k+1) \rfloor = \lfloor x(loop) \rfloor) \vee (\lfloor x(k+1) \rfloor > \max(x) \wedge \lfloor x(loop) \rfloor > \max(x)) \\ \phi_{22} := \bigwedge_{x \in X} \lfloor x(loop) \rfloor \leq \max(x) \Rightarrow (frac(x(k+1)) = 0) \Leftrightarrow (frac(x(loop)) = 0) \\ \phi_{23} := \bigwedge_{x,x' \in X} (\lfloor x(loop) \rfloor \leq \max(x) \wedge \lfloor x'(loop) \rfloor \leq \max(x')) \rightarrow \\ \left(frac(x(k+1)) \leq frac(x'(k+1)) \Leftrightarrow frac(x(loop)) \leq frac(x'(loop))\right) \\ \phi_{24} := \bigwedge_{x \in X} x(k) > \max(x) \vee (( \mid \overleftarrow{trans_t}) \& \overleftarrow{inloop} \neq \overleftarrow{0}) \\ \phi_{loop} := \phi_{19} \wedge \phi_{20} \wedge \phi_{21} \wedge \phi_{22} \wedge \phi_{23} \wedge \phi_{24} \end{aligned}$$

Table 14: Loop Constraints for a network of timed automata

Propositions  $\phi_{21} - \phi_{23}$  It is tempting to encode the clock constraints in a similar manner, requiring that x(k+1) = x(loop) for each clock. However, as discussed in Section 3.6, this encoding is not complete as it fails to capture certain runs. Instead we use the same region-based clock constraints used in ae2sbvzot.

To begin, for each clock x we define the non-negative integer  $\max(x)$ , which is equal to the maximum value compared against the clock in a clock guard. We also define frac(x(l)), which is equal to the fractional part of x at time position l, or frac(x(l)) = $x(l) - \lfloor x(l) \rfloor$ . Formulas  $\phi_{21}$ ,  $\phi_{22}$ , and  $\phi_{23}$  encode the desired requirements.  $\phi_{21}$  encodes the first part of the relationship between x(loop) and x(k+1). It states that either both values are greater than  $\max(x)$ , or both have the same floor. This is the first part of the region encoding.  $\phi_{22}$  handles the special case where the fractional part of the value is equal to zero. Since clock guards can test for equality, if the clock value is less than  $\max(x)$ , either the clock value at both time positions has a fractional value of 0 or neither do. Finally,  $\phi_{23}$  completes the region encoding by considering the relationship between values of different clocks, asserting that the relationship between two clock values  $\{<,>,=\}$  is preserved.

Property  $\phi_{24}$  Unfortunately, there is one more consideration we must make in this section. The culprit are so-called "Zeno traces", named because while they are lassoshaped runs with an infinite number of transitions, their execution happens in finite time. Time in these traces is said to "slow down", because often each successive loop of the lasso executes in a smaller amount of time than the loop before. Because these represent unrealistic scenarios, they are often excluded from consideration in many TA models. It is sufficient to require that every clock is either reset within the loop, or has a value greater than max(x) at position k, which is shown in  $\phi_{24}$ . The vector inloop has length k+2, and each bit i is 1 iff  $i \geq loop$ . Using this vector, we can determine if a given clock is reset within the loop portion of the trace.

#### 5.5 Equivalence and Improvements

Using the definitions presented above, we are now ready to define our TA network in BitVector logic as follows:

$$\phi_{network} := \phi_{init} \wedge \phi_{trans} \wedge \phi_{sync} \wedge \phi_{loop}$$

We argue that this is a correct and complete representation of all lasso-shaped, non-Zeno runs given the bound of k.

Both encodings constrain the clocks, variables, and timed automata to their respective initial positions at time position 0. For variables and clocks these constraints are identical, as both assign the desired value at time position 0. For states our encoding uses the  $\frac{1}{100}$  state  $\frac{1}{100}$  aliases to require that the TA begins in the initial state, despite not having state BitVectors. Because the state alias is only true when one of the transitions whose source is that state is true (including the state-specific null transitions), the constraint is valid. Our clock  $\delta(l)$  ensures that all clocks progress at the same rate, while clock resets and variable assignments are only allowed if one of the corresponding transitions are active.

As for the transitions, although we have broken up  $\varphi_7$  into several pieces, the functionality remains the same. We ensure that in order for a transition to be valid, its destination state must be active in the next time position, the clock and variable constraints must be satisfied, all assignments must be enforced, and the invariants of the source and destination state must be true at the moment of transition. Like TACK, we allow that at the moment of transition, only one of the two invariants must be satisfied, using the concept of weak satisfaction to formalize this relaxation.

Similarly, the original TACK encoding contains three contraints that assert that the values of the active states, as well as the values of the variables and clocks, can only be changed if there is an active transition that modifies them. For states, this is accomplished with  $\phi_5$ , which requires that the active state in the following position be equal to the value of the destination state of the active transiton. Unlike in the original encoding, we have one null transition for each position, so we do not need to consider the null transitions as a special case. Therefore the for the state to change, there must be a non-null transition to enable the state change. For variables,  $\phi_8$  asserts that when no transition explicitly changes the value of a variable, its value must remain the same.  $\phi_7$  asserts the same for the clocks.

Our new encoding also respects the same loop constraints as ae2sbvzot including the extended clock constraints described in Section 5.4 necessary to represent all possible lasso-shaped traces.

In addition, our encoding contains improvements over the original TACK+ae2sbvzot encoding. As mentioned previously, ae2sbvzot contains a limitation regarding integer variables - because they are represented as elements of a set, ae2sbvzot can only test for equality. This means that contraints of the form  $n \sim c$  or  $n \sim n'$ , where  $\sim \neq =$  are not supported. Our encoding correctly represents the values of the integer variables using a twos-complement encoding, and therefore can support the full grammar of variable guards and assignments.

Although the TACK paper describes right-closed, left-closed, and unrestricted traces, the implementation currently only supports right-closed traces. We have implemented all three options in our encoding, allowing the user to choose which one they will use to evaluate their traces.

## 6 Evaluation

In this chapter we present the results of several experimental evaluations of the SMT conversion process. These tests cover several different benchmarks common for bounded model checking programs. For comparison, results are presented alongside those of the previous iteration of the TACK program, to better judge the improvements made using the new process.

In all of the following tests, the time provided measures the combined time taken by both the TACK program to parse the problem and convert it to SMT form and the z3 program to decide the satisfiability of the SMT problem. In practice, the time taken by z3 dwarfs the time used by the TACK translation, and for the problem sizes encountered below the time taken by the TACK translation was always negligible. For every test below, the evaluation proceeded in several rounds, each with a larger bound on the length of traces considered by TACK. The data obtained demonstrates how the running time of each program scales with the size of the search space.

All tests were performed on a server equipped with an AMD EPYC 7551 CPU (2.5 GHz) with 2 32-core sockets, 500 GB of RAM and Debian Linux (version 4.19).

#### 6.1 Fischer Mutual Exclusion Protocol

The Fischer benchmark models a protocol for ensuring exclusive access to a shared common resource that can be requested by multiple processes. The protocol uses global variables, integrated into the guards and assignment statements of the timed automata, to control access. Each timed automaton in the network has a 'critical state', and the protocol guarantees that only one timed automaton can be in its critical state at a time.

To be more specific, there is a shared variable id, which can take any integer value in the range [0, n], where n is the number of processes in the protocol. Each process begins in an 'idle' state a, and in order to reach the critical section cs, a process must first check to see that the critical section is unoccupied (id = 0), at which point the process writes its own id to the shared variable (while entering state b) and then performs a second transition to state c within 2 seconds of entering state b. The process is then required to wait at least 2 seconds in state c. If after that interval the value of the shared variable is still equal to its id, the process may access the critical section, otherwise it must wait for the value of id to return to 0 before trying again (returning to b). Once access to the critical section is granted, the process may remain for an unlimited amount of time before returning to state a.

To measure the scalability of our program, in addition to modifying the bound k, we performed multiple test runs while modifying the number of timed automata in the network that are attempting to execute their critical region. Aside from a numerical id,

these processes are identical in their behavior. In addition to testing the scalability of the program, we have also run the Fischer protocol through several different MITL properties for verification. These properties will be explained below.

$$Live1 := \mathcal{G}_{[0,\infty)} (p_1.b \Rightarrow \mathcal{F}_{[0,\infty)}p_1.c)$$

$$Live2 := \mathcal{G}_{[0,\infty)} (p_1.b \Rightarrow \mathcal{F}_{[0,3]}p_1.c)$$

$$Live3 := \mathcal{G}_{[0,\infty)} (p_1.b \Rightarrow \mathcal{F}_{(0,3)}p_1.cs)$$

$$Live4 := \mathcal{G}_{[0,\infty)} (p_1.b \Rightarrow \mathcal{F}_{(0,3)}p_1.c)$$

$$Live5 := \mathcal{G}_{[0,\infty)} (p_1.b \Rightarrow \mathcal{F}_{[0,3]}p_1.cs)$$

$$Live6 := \mathcal{G}_{[0,\infty)} \neg (\bigvee_{i=1:n-1} (p_i.cs \land \bigvee_{j=i+1:n} p_j.cs))$$

Liveness property 1 requires that once process one enters state b, it always transitions to state c. Property 2 is similar, however it contains the additional constraint that process 1 must complete the transition to state c in at most 3 seconds. Property 3 has a similar time bound, but requires that process one move to the critical section cs rather than c within the time bound, which we expect to not be universally true (a process can return to state b after moving to state c if another process has reset the variable id). Properties 4 and 5 are copies of properties 2 and 3 respectively with the sole difference of inclusion vs exclusion at the boundaries of the interval. Property 6 seeks to prove the "safety" of the protocol, namely that two distinct processes are never in the critical section at the same time.

## 6.2 CSMA/CD

The CSMA/CD (Carrier Sense Multiple Access/Collision Detection) protocol is a well known protocol for allowing multiple agents to share a communication channel, and was popularized by its inclusion in the Ethernet standard. The protocol includes 1 process to manage a shared communication bus, as well as a number of processes that wish to obtain exclusive access to the bus in order to send a message. When two processes attempt to send at the same time, the bus process detects the collision and uses the broadcast synchronization primitive to force the processes to wait a randomized amount

Table 15: Time required to solve the Fischer Benchmark Properties

|            |                                                                  |                                                                                 |                                    |                                                                      | TAC                                    | K ae2sbv                                                              | zot                                                                    |                                                                    |                                                                        |                                                                       |
|------------|------------------------------------------------------------------|---------------------------------------------------------------------------------|------------------------------------|----------------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------|------------------------------------------------------------------------|--------------------------------------------------------------------|------------------------------------------------------------------------|-----------------------------------------------------------------------|
|            |                                                                  |                                                                                 |                                    |                                                                      |                                        | n                                                                     |                                                                        |                                                                    |                                                                        |                                                                       |
|            | k                                                                | 2                                                                               | 3                                  | 4                                                                    | 5                                      | 6                                                                     | 7                                                                      | 8                                                                  | 9                                                                      | 10                                                                    |
| live-one   | $\begin{array}{ c c } 10 \\ 15 \\ 20 \\ 25 \\ 30 \\ \end{array}$ | $\begin{array}{ c c c }\hline 0.9 \\ 0.9 \\ 1.0 \\ 1.1 \\ 1.1 \\ \end{array}$   | 0.9<br>0.9<br>1.1<br>1.6<br>1.5    | 1.0<br>1.1<br>1.3<br>1.5<br>2.0                                      | 1.0<br>1.4<br>2.2<br>2.1<br>3.1        | 1.2 $1.6$ $1.9$ $189.8$ $6.4$                                         | 1.2<br>1.7<br>2.6<br>3.4<br>4.5                                        | 1.5<br>1.5<br>2.4<br>4.9<br>4.9                                    | $\begin{array}{c} 6.0 \\ 14.2 \\ 3.6 \\ 4.5 \\ 4.7 \end{array}$        | 1.7<br>2.1<br>3.9<br>4.6<br>4.8                                       |
| live-two   | $\begin{array}{ c c } 10 \\ 15 \\ 20 \\ 25 \\ 30 \\ \end{array}$ | $\begin{array}{ c c } & 1.4 \\ & 4.5 \\ & 10.8 \\ & 32.6 \\ & 42.4 \end{array}$ | 1.6<br>6.3<br>13.0<br>39.3<br>80.7 | $ \begin{array}{c} 1.7 \\ 6.0 \\ 37.5 \\ 57.3 \\ 127.7 \end{array} $ | 2.0<br>9.7<br>22.1<br>131.8<br>63.8    | $\begin{array}{c} 2.0 \\ 15.0 \\ 56.6 \\ 102.4 \\ 1149.1 \end{array}$ | $\begin{array}{c} 2.4 \\ 27.0 \\ 36.8 \\ 2369.2 \\ 125.9 \end{array}$  | 2.5<br>48.4<br>56.8<br>1614.3                                      | 2.7<br>67.4<br>567.9<br>1197.9                                         | 3.1<br>146.5<br>1589.1<br>6311.7                                      |
| live-three | 10<br>  15<br>  20<br>  25<br>  30                               | 1.0<br>1.2<br>1.2<br>2.0<br>1.5                                                 | 1.1<br>1.3<br>1.8<br>2.3<br>4.6    | 1.6<br>2.5<br>2.1<br>3.7<br>4.6                                      | 3.6<br>2.0<br>4.2<br>5.9<br>8.8        | 8.0<br>18.5<br>8.0<br>9.5<br>32.7                                     | 13.2<br>27.6<br>10.4<br>24.1<br>24.4                                   | 19.5<br>30.6<br>23.9<br>681.5<br>30.7                              | 17.6<br>59.4<br>33.1<br>753.3<br>102.8                                 | 26.7<br>41.2<br>64.7<br>826.9<br>150.1                                |
| live-four  | 10<br>  15<br>  20<br>  25<br>  30                               | $\begin{array}{ c c } & 1.2 \\ & 2.9 \\ & 6.6 \\ & 10.3 \\ & 27.5 \end{array}$  | 1.3<br>3.6<br>15.5<br>17.8<br>26.2 | 1.5<br>5.0<br>14.4<br>22.9<br>33.9                                   | 1.7<br>8.0<br>17.7<br>45.5<br>56.0     | $ \begin{array}{c} 1.9 \\ 11.2 \\ 77.7 \\ 151.4 \\ 67.0 \end{array} $ | 2.1<br>19.6<br>86.2<br>2482.6<br>217.1                                 | $\begin{array}{c} 2.1\\ 33.9\\ 183.5\\ 2406.0\\ 1717.2\end{array}$ | $\begin{array}{c} 2.4 \\ 74.8 \\ 504.3 \\ 6578.4 \\ 291.6 \end{array}$ | $ \begin{array}{r} 2.3 \\ 130.9 \\ 1516.6 \\ - \\ 462.5 \end{array} $ |
| live-five  | 10<br>  15<br>  20<br>  25<br>  30                               | 1.1<br>1.3<br>1.7<br>2.1<br>2.2                                                 | 1.3<br>1.7<br>2.2<br>3.6<br>6.9    | 1.9<br>2.5<br>2.6<br>4.4<br>5.6                                      | 1.8<br>2.3<br>5.2<br>13.5<br>14.9      | 5.4<br>5.3<br>8.6<br>10.6<br>21.1                                     | 13.7<br>5.7<br>15.2<br>17.2<br>26.7                                    | 24.0<br>20.3<br>29.8<br>781.3<br>28.8                              | 22.9<br>71.2<br>816.1<br>140.6                                         | 23.7<br>36.8<br>-<br>569.4<br>238.6                                   |
| live-six   | 10<br>  15<br>  20<br>  25<br>  30                               | 0.9<br>1.0<br>1.5<br>1.7<br>2.5                                                 | 1.1<br>1.8<br>3.9<br>8.9<br>16.3   | 1.9<br>4.4<br>10.2<br>27.6<br>54.4                                   | 2.5<br>10.0<br>21.6<br>83.5<br>263.4   | 3.1<br>33.9<br>93.3<br>188.1<br>993.9                                 | $\begin{array}{c} 4.7 \\ 51.2 \\ 234.8 \\ 596.2 \\ 3354.1 \end{array}$ | 10.1<br>84.0<br>670.4<br>2469.2                                    | 7.9<br>110.9<br>1000.4<br>5365.0                                       | 16.2<br>191.5<br>—<br>—                                               |
|            |                                                                  |                                                                                 |                                    |                                                                      | TAC                                    | CK ta2sn                                                              | nt                                                                     |                                                                    |                                                                        |                                                                       |
|            |                                                                  |                                                                                 |                                    |                                                                      |                                        | n                                                                     |                                                                        |                                                                    |                                                                        |                                                                       |
|            | k                                                                | 2                                                                               | 3                                  | 4                                                                    | 5                                      | 6                                                                     | 7                                                                      | 8                                                                  | 9                                                                      | 10                                                                    |
| live-one   | 20<br>25<br>30<br>35<br>40                                       | 0.9<br>1.0<br>1.0<br>1.1<br>1.1                                                 | 1.0<br>1.1<br>1.1<br>1.1<br>1.2    | 1.1<br>1.2<br>1.2<br>1.3<br>1.8                                      | 1.1<br>1.2<br>1.3<br>1.6<br>1.8        | 1.5<br>1.4<br>2.1<br>1.7<br>1.8                                       | 1.4<br>1.5<br>1.8<br>1.8<br>2.8                                        | 1.3<br>1.6<br>1.7<br>1.8<br>2.3                                    | 1.5<br>1.5<br>3.0<br>1.8<br>2.8                                        | 1.4<br>1.6<br>1.8<br>2.9<br>2.4                                       |
| live-six   | $\begin{array}{ c c } 20 \\ 25 \\ 30 \\ 35 \\ 40 \end{array}$    | 1.2<br>1.4<br>1.5<br>2.0<br>2.6                                                 | 3.7<br>6.7<br>12.0<br>19.0<br>24.2 | 14.0<br>21.1<br>35.2<br>40.2<br>58.4                                 | 34.1<br>44.8<br>63.6<br>117.3<br>119.5 | 62.7<br>83.9<br>141.3<br>173.4<br>246.3                               | 101.4<br>144.3<br>191.8<br>281.0<br>410.3                              | 145.5<br>511.3<br>311.6<br>450.3<br>539.8                          | 290.7<br>673.0<br>449.4<br>599.4<br>1040.9                             | 454.0<br>847.3<br>803.2<br>1070.6<br>2924.0                           |

Table 16: Time (s) required to check the property of the CSMA/CD Protocol. The symbol ✓ indicates that the property is satisfied, i.e., the CLTLoc formula is unsatisfiable. The symbol ✗ indicates that the property is not satisfied, i.e., the CLTLoc formula is satisfiable.

|             | TACK ae2sbvzot             |   |   |   |     |     |      |    |   |    |
|-------------|----------------------------|---|---|---|-----|-----|------|----|---|----|
|             |                            | n |   |   |     |     |      |    |   |    |
|             | k                          | 2 | 3 | 4 | 5   | 6   | 7    | 8  | 9 | 10 |
| live-csmacd | 10<br>15<br>20<br>25<br>30 |   |   |   |     |     |      |    |   |    |
|             |                            |   |   | , | ТАС | K t | a2sn | nt |   |    |
|             |                            | n |   |   |     |     |      |    |   |    |
|             |                            |   |   |   |     |     |      |    |   |    |
|             | k                          | 2 | 3 | 4 | 5   | 6   | 7    | 8  | 9 | 10 |

of time before attempting to communicate again. While an agent is sending over the bus, the bus process can send a 'busy' signal to the other agents, in order to simulate the agents listening to the bus and detecting a communication in-progress.

$$\mathbf{live\text{-}csma} := \mathcal{G}_{(0,\infty)}(P1.begin\_send \rightarrow (\neg collision\_after\_deadline))$$

$$P1.begin\_send := (\neg P1.send) \land (P1.send\ \mathcal{U}_{(0,inf)} \top)$$

$$P1.collision\_after\_deadline := \mathcal{G}_{(0,52]}(P1.send \land (P1.send\ \mathcal{U}_{[0,inf)}(P1.send \land P2.send)))$$

This protocol was tested to ensure that a collision is always detected before a certain amount of time has passed. The property **live-csma** asserts that after process 1 has been sending for 52 units of time, process 2 cannot begin sending until process 1 has finished.

Table 17: Time (s) required to check the property of the Token Ring. The symbol ✓ indicates that the property is satisfied, i.e., the CLTLoc formula is unsatisfiable. The symbol ✗ indicates that the property is not satisfied, i.e., the CLTLoc formula is satisfiable.

|            | TACK ae2sbvzot |            |            |            |                   |                   |                   |                   |                   |            |  |
|------------|----------------|------------|------------|------------|-------------------|-------------------|-------------------|-------------------|-------------------|------------|--|
|            | n              |            |            |            |                   |                   |                   |                   |                   |            |  |
|            | k              | 2          | 3          | 4          | 5                 | 6                 | 7                 | 8                 | 9                 | 10         |  |
|            | 10             | 1.0        | 1.2        | 1.3        | 1.4               | 1.5               | 1.8               | 1.9               | 2.1               | 2.2        |  |
| п          | <b>15</b>      | 1.6        | 1.5        | 1.6        | 1.8               | 1.9               | 1.9               | 2.3               | 2.5               | 2.9        |  |
| live-token | 20             | 2.8        | 2.5        | 2.4        | 2.0               | 2.5               | 2.7               | 2.9               | 3.0               | 3.5        |  |
| ÷.         | 25             | 3.3        | 4.7        | 4.5        | 3.4               | 3.5               | 3.3               | 3.9               | 4.2               | 4.4        |  |
| ve.        | <b>30</b>      | 5.0        | 7.0        | 7.4        | 8.1               | 7.2               | 5.3               | 4.1               | 5.9               | 6.1        |  |
| =          | 35             | 6.0        | 9.0        | 11.2       | 10.0              | 17.3              | 10.2              | 9.4               | 5.7               | 6.5        |  |
|            | 40             | 9.9        | 10.5       | 14.2       | 15.8              | 18.8              | 12.1              | 11.7              | 12.7              | 12.2       |  |
|            |                |            |            |            | ТА                | CK ta             | 2smt              |                   |                   |            |  |
|            |                | n          |            |            |                   |                   |                   |                   |                   |            |  |
|            | k              | 2          | 3          | 4          | 5                 | 6                 | 7                 | 8                 | 9                 | 10         |  |
|            | 10             | 0.9        | 1.0        | 1.0        | 1.0               | 1.2               | 1.2               | 1.3               | 1.4               | 1.5        |  |
| п          | <b>15</b>      | 1.0        | 1.0        | 1.1        | 1.2               | 1.4               | 1.4               | 1.5               | 1.7               | 1.7        |  |
| ke         | 20             | 1.0        | 1.2        | 1.3        | 1.3               | 1.5               | 1.7               | 1.8               | 2.1               | 2.1        |  |
| 0          | 25             | 1.1        | 1.4        | 1.4        | 1.5               | 1.7               | 1.8               | 2.1               | 2.7               | 2.4        |  |
| جَب        |                |            |            |            |                   |                   |                   |                   |                   |            |  |
| ve-t       | 30             | 1.3        | 1.4        | 1.6        | 1.6               | 2.1               | 2.0               | 2.4               | 2.6               | 3.0        |  |
| live-token |                | 1.3<br>1.3 | 1.4<br>1.4 | 1.6<br>1.6 | $\frac{1.6}{2.1}$ | $\frac{2.1}{2.2}$ | $\frac{2.0}{2.1}$ | $\frac{2.4}{3.0}$ | $\frac{2.6}{3.0}$ | 3.0<br>3.2 |  |

## 6.3 Token Ring

The Token Ring protocol models a ring of agents that pass a token between themselves, along with a process that models the ring itself. The token moves in either direction along the ring (the ring process controls the token). The agents may choose to return the token in either a synchronous or asynchronous manner. In both cases channel-based synchronization is used to coordinate ownership of the token.

live-token :=
$$\mathcal{G}_{0,\infty}(\neg((ST_1.zsync \lor ST_1.zasync \lor ST_1.ysync \lor ST_1.ysync) \land (ST_2.zsync \lor ST_2.zasync \lor ST_2.ysync \lor ST_2.ysync)))$$

This property asserts that agents 1 and 2 never simultaneously synchronize with the token.

## 7 Conclusion

We have presented a novel approach for encoding networks of Timed Automata directly into BitVector logic, suitable for solving by state of the art SMT solvers. Building off of the work begun with the development of the TACK solver, we retain TACK's approach of encoding MITL properties to be verified over the network, while creating a more efficient model for the encoding of the network itself. Rather than encode the TA network into CLTLoc, we directly translate the network terms and constraints into a combination of BitVector and real-valued logic, written in the standard SMT-LIB2 language.

In addition to re-implementing the translation of timed automata networks, we have corrected several difficiencies in the original TACK implementation, and the tool now supports the full variable constraint and variable assignment grammars. In addition our implementation allows users to choose the desired liveness and edge semantics at runtime. We are proud to present the implementation of this algorithm, which is available for download at https://github.com/fm-polimi/TACK alongside the original TACK encoding, as free software.

Empirical testing has revealed that our approach exibits significant speedups across several benchmarks when compared to the previous encoding. The results seem to indicate that our approach is better suited to exploring models with larger bounds, as the time necessary to solver larger and larger bounds grows more slowly when comparised with ae2sbvzot. One potential future research direction is in similarly improving the encoding of the MITL property files into BitVector logic. As seen in the TACK results, our tool [wait until results are finalized before finishing]

## References

- [1] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu, "Symbolic model checking without bdds," in *Tools and Algorithms for the Construction and Analysis of Systems* (W. R. Cleaveland, ed.), (Berlin, Heidelberg), pp. 193–207, Springer Berlin Heidelberg, 1999.
- [2] S. Demri and D. D'Souza, "An automata-theoretic approach to constraint ltl," *Information and Computation*, vol. 205, no. 3, pp. 380 415, 2007.
- [3] F. Marconi, M. M. Bersani, M. Erascu, and M. Rossi, "Towards the formal verification of data-intensive applications through metric temporal logic," in *Formal Methods and Software Engineering* (K. Ogata, M. Lawford, and S. Liu, eds.), (Cham), pp. 193–209, Springer International Publishing, 2016.
- [4] C. Menghi, M. M. Bersani, M. Rossi, and P. S. Pietro, "Model checking mitl formulae on timed automata: A logic-based approach," ACM Trans. Comput. Logic, vol. 21, Apr. 2020.
- [5] R. Kindermann, T. Junttila, and I. Niemelä, "Beyond lassos: Complete smt-based bounded model checking for timed automata," in *Formal Techniques for Distributed Systems* (H. Giese and G. Rosu, eds.), (Berlin, Heidelberg), pp. 84–100, Springer Berlin Heidelberg, 2012.