Abstract—We propose a model that captures the behavior of real-time recursive systems. To that end, we introduce dense-timed pushdown automata that extend the classical models of pushdown automata and timed automata, in the sense that the automaton operates on a finite set of real-valued clocks, and each symbol in the stack is equipped with a real-valued clock representing its “age”. The model induces a transition system that is infinite in two dimensions, namely it gives rise to a stack with an unbounded number of symbols each of which with a real-valued clock. The main contribution of the paper is an EXPTIME-complete algorithm for solving the reachability problem for dense-timed pushdown automata. I.

Abstract—Timed automata has been used as a powerful formalism for specifying, designing, and analyzing real time systems. We consider the generalization of timed automata to Pushdown Timed Automata (PTA). We show how PTAs can be elegantly modeled via logic programming extended with coinduction and constraints over reals. We use this logic programming realization of a PTA to develop an elegant solution to the generalized railroad crossing problem of Lynch and Heitmeyer. Interesting properties of the system can be verified merely by posing appropriate queries to this coinductive constraint logic program. I.

Timed automata are a popular formalism to model real-time systems. They were introduced two decades ago to support formal verification. Since then they have also been used for other purposes and a large has been introduced to be able to deal with the many different kinds of requirements of real-time system. This paper presents a fairly comprehensive survey, comprised of eighty variants of timed automata. The paper classifies all these eighty variants of timed automata in an effort to determine current developments. It uses analysis techniques, formal properties, and decision problems to draw distinctions between different versions. Moreover, the paper discusses the challenges behind using a timed automata specification to derive an implementation of a working real-time system and presents some solutions. Finally, the paper lists and classifies forty tools supporting timed automata. The paper does not only discuss many variants and their supporting concepts (e.g., closure properties, decision problems), techniques (e.g., for analysis), and tools, but it also attempts to help the reader navigate the vast literature in the field, to highlight differences and similarities between variants, and to reveal research trends and promising avenues for future exploration.

Abstract Lossy channel systems are a classical model with applications ranging from the modeling of communication protocols to programs running on weak memory models. All existing work assume that messages traveling inside the channels are picked from a finite alphabet. In this paper, we extend the model by assuming that each message is equipped with a clock representing the age of the message, thus obtaining the model of Timed Lossy Channel Systems (TLCS). The main contribution of the paper is to show that the control state reachability problem is decidable for TLCS. ACM Subject Classification D.2.4 Keywords and phrases Lossy channel systems, timed automata, model checking Introduction During the last two decades there has been a large amount of work devoted to the verification of discrete program models that have infinite state spaces such as Petri nets, pushdown systems, counter automata, and channel machines. In particular lossy channel systems have been studied extensively as a model of communication protocols. Such protocols are designed to work correctly even in the case where the underlying medium is unreliable in the sense that it can lose messages In this paper, we show decidability of the control state reachability problem for TLCS. We show the decidability result through a novel reduction formulated in two steps. First, we introduce a new model called Dynamic Lossy Channel Systems (DLCS) which is a generalization of (untimed) LCS. More precisely, a DLCS contains, in addition to a (fixed) finite set of lossy channels, a dynamic part that contains an a priori unbounded number of channels. The dynamic part behaves as a second-order lossy channel, i.e., a "lossy channel of lossy channels". We show that each DLCS induces a transition system that is well quasiordered in the sense of The complexity of the reachability problem for TLCS is not primitive recursive as it is not primitive recursive already for untimed LCS Preliminaries Notation We use N and R ≥0 to denote the sets of natural numbers resp. non-negative reals. For a real number r ∈ R ≥0 , we define Int(r) as the greatest n ∈ N such that n ≤ r, and Frac(r) as r − Int(r). We call Int(r) the integer part and Frac(r) the fractional part of r respectively. An open interval is written as (i, j) where i ∈ N and j ∈ N ∪ {∞}. Intervals can also be closed in one or both directions, e.g. We use (A → B) to denote the set of total functions from A to B. We say that a function f : N → N is strictly increasing if whenever i < j we also have f (i) < f (j). We use A * to denote the set of finite words over A. For words w 1 , w 2 ∈ A * , we use w 1 · w 2 to denote the concatenation of w 1 and w 2 . We use to denote the empty word. For a word w = a 1 · · · a n , we use w[i] to denote the ith symbol a i in w, and we will write a ∈ w if a = w[i] for some i : 1 ≤ i ≤ n. We will use a similar notation for tuples. We recall the classical subword ordering on the set A * of words, where a 1 . . . a m a 1 · · · a n if there is a strictly increasing injection g : . To simplify the notation, we write ω ∈ (A * ) * as w 1 · · · w n where w 1 , · · · , w n are words in A * . We extend the ordering to (A * ) * in such a way that Transition Systems A transition system is a pair S = Γ, −→ where Γ is the set of configurations, and −→⊆ Γ×Γ is a binary relation on the set of configurations. As usual, we write γ 1 −→ γ 2 instead of γ 1 , γ 2 ∈−→. We use * −→ to denote the reflexive transitive closure of −→. For a set Γ ⊆ Γ of configurations, we define the set P re (Γ ) := {γ| ∃γ ∈ Γ . γ −→ γ }. Sometimes, we equip Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jonathan Cederberg 3 the set Γ with an ordering and write the transition system as a triple Γ, −→, . We say that S is monotone (wrt. ) if whenever γ 1 −→ γ 2 and γ 1 γ 3 then γ 2 * −→ γ 4 for some γ 4 with γ 3 γ 4 . We say that is a well quasi-ordering (wqo for short), if, for all sequences γ 0 , γ 1 , γ 2 , . . ., there are i < j with γ i γ j . A set U ⊆ Γ is upward closed if whenever γ 1 ∈ U and γ 1 γ 2 then γ 2 ∈ U . The upward closure of a set Γ ⊆ Γ is defined by Γ ↑:= {γ ∈ Γ| ∃d ∈ Γ . d γ}. For sets Γ 1 ⊆ Γ 2 ⊆ Γ, we say that Γ 1 is a minor of Γ 2 if (i) for each γ 2 ∈ Γ 2 there is a γ 1 ∈ Γ 1 such that γ 1 γ 2 , and (ii) γ 1 γ 2 implies γ 1 = γ 2 for all γ 1 , γ 2 ∈ Γ 1 . If is a wqo, then each minor is finite. However, in general, a set may have several different minors. In the applications of this paper, each set Γ has a unique minor, denoted min(Γ ). An instance of the coverability problem consists of two configurations γ 1 and γ 2 . The task is to check whether γ 1 * −→ γ 2 ↑. A transition system Γ, −→, is said to be well quasi-ordered if the following conditions are satisfied: (i) is computable, i.e., for given configurations γ, γ , we can check whether γ 1 γ , (ii) is a wqo, (iii) −→ is monotone wrt. , (iv) for a configuration γ, we can compute the (finite) set min (P re ({γ}↑)). Notice that, since the transition relation is monotone with respect to , it follows that the set P re ({γ}↑) is upward closed. The classical framework of well quasi-ordered transition systems Theorem 1. The coverability problem is decidable for well quasi-ordered transition systems. Timed Lossy Channel Systems In this section, we introduce TLCS, define their operational semantics, and present the reachability problem. Furthermore, we show that it is sufficient to consider a class of "normalized" TLCS where initial ages of messages and new values assigned to clocks are always 0. A TLCS has three parts, a control part, a finite set of clocks, and a finite set of channels. The control part is a finite-state labeled transition system, where the labels are either clock operations or channel operations. The control part can be used to model the total behavior of a number of processes that communicate through the channels. The clocks assume real values, while the channels are unbounded lossy FIFO buffers. Model A Timed Lossy Channel System (TLCS for short) is a tuple T = S, s init , C, M, X, ∆ , where S is a finite set of (control) states, s init ∈ S is the initial control state, C is a finite set of channels, M is a finite set of messages, X is a finite set of clocks, and ∆ is a finite set of transitions. A transition t ∈ ∆ is a triple s 1 , op, s 2 where s 1 , s 2 ∈ S are states and op is an operation of one of the following forms: 1. nop is an empty operation that does not check or update the clock values or the channel contents. 2. c!(m ∈ I) appends a new message m ∈ M to the end of the channel c ∈ C. The initial age of the new message is selected non-deterministically from I ∈ I. 3. c?(m ∈ I) removes (receives) the message at the head of the channel c ∈ C provided that this message is m ∈ M and that its age lies in I ∈ I. 4. x ∈ I checks whether the value of x ∈ X belongs to the interval I ∈ I. 5. x ← I assigns non-deterministically a value to x ∈ X from I ∈ I. Timed Lossy Channel Systems Configurations A configuration γ of T is a triple s, X, ν , where s ∈ S is a control state, X ∈ X → R ≥0 defines the clock values (assigns a real number to each clock), and ν ∈ C → (M × R ≥0 ) * defines the content of each channel (the content of a channel is represented by a word, where each message is represented by a pair containing its name and its age). Transition Relation We define a transition relation on configurations 1. op = nop, X 2 = X 1 , and ν 2 = ν 1 . The empty operation does not affect the clock values or the channel contents. , and δ ∈ I. The transition appends a new message to the end of the channel c with name m, and with an age that belongs to the interval I. , and δ ∈ I. The transition removes the message at the head of the channel c provided that its name is m, and that its age is in the interval I. 4. op = x ∈ I, X 1 (x) ∈ I, X 2 = X 1 , and ν 2 = ν 1 . The transition is enabled only if the value of x belongs to I. The clock values and the channel contents are not affected. Notice that in all five cases the control state changes from s 1 to s 2 . The timed transition relation models the passage of time, in the sense that the values of all clocks and the ages of all messages inside the channels are uniformly increased by (the same) real number. For configurations γ 1 = s, X 1 , ν 1 , γ 2 = s, X 2 , ν 2 , and a real number δ ∈ R ≥0 , the relation γ 1 δ −→ T γ 2 holds if the following two conditions hold: (i) X 2 (x) = X 1 (x) + δ for all x ∈ X, and (ii) for every c ∈ C, if ν 1 (c) is of the form ( . Finally the lossy transition relation allows messages to be lost from the channels at any time. Formally, if γ 1 = s, X, ν 1 and γ 2 = s, X, ν 2 , the relation γ 1 Reachability The initial configuration of a TLCS T is defined by γ init := s init , X init , ν init where X init (x) = 0 for all x ∈ X, and ν init (c) = for all c ∈ C. In other words, T is initiated from a configuration where it is in its initial control state, where all the clocks have a value equal to 0, and where all the channels are empty. A control state s ∈ S is said to be reachable if γ init * −→ T s, X, ν for some X and ν. An instance of the reachability problem consists of an Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jonathan Cederberg 5 TLCS T = S, s init , C, M, X, ∆ and a control state s ∈ S. The task is to check whether s is reachable. Normalization A TLCS T = S, s init , C, M, X, ∆ such that I = [0, 0] for all s 1 , c!(m ∈ I), s 2 ∈ ∆ is said to be message-normalized. We say that T is clock-normalized if whenever s 1 , x ← I, s 2 ∈ ∆ then I = [0, 0]. Finally, T is normalized if it is both clock-and message-normalized. The following two lemmas show that the reachability problem for general TLCS can be reduced to that for normalized TLCS. Therefore, in the rest of the paper, we assume that all TLCS are normalized. Lemma 2. The reachability problem for TLCS can be reduced to that for message-normalized TLCS. Lemma 3. The reachability problem for TLCS can be reduced to that for clock-normalized TLCS. Dynamic Lossy Channel Systems In this section, we introduce the model of Dynamic Lossy Channel Systems (DLCS for short). The model is a generalization of lossy channel systems Model A DLCS is a tuple D = S, s init , C, Σ, ∆ where S is a finite set of (control) states, s init ∈ S is the initial control state, C is a finite set of channels names, Σ is the channel alphabet, and ∆ is a finite set of transitions. A transition t ∈ ∆ is a triple s 1 , op, s 2 where s 1 , s 2 ∈ S are states and op is an operation of one of the following forms: 1. nop is an empty operation that does not check or update the channels, 2. c!m appends the message m ∈ Σ to the end of the static channel c ∈ C, 3. c?m removes the message m ∈ Σ from the head of the static channel c ∈ C, 6 Timed Lossy Channel Systems 4. send_channel(c) makes a copy of the content of the static channel c to a new dynamic channel, and appends the new channel to the end of the sequence of dynamic channels. 5. receive_channel(c) copies the content of the rightmost dynamic channel to the static channel c ∈ C and then removes this dynamic channel from the sequence of channels. Configurations A configuration d of D is a triple s, ν, ω , where s ∈ S is a control state, ν ∈ (C → Σ * ) is a function that represents the content of the set of static channels C, and ω ∈ (Σ * ) * is the content of the sequence of dynamic channels, also called the dynamic part of D. For configurations d 1 = s 1 , ν 1 , ω 1 , d 2 = s 2 , ν 2 , ω 2 , we say that d 1 d 2 if s 1 = s 2 , ν 1 (c) ν 2 (c) for all c ∈ C, and ω 1 ω 2 (recall the definition of from Section 2). Intuitively, we derive d 1 from d 2 by deleting messages from the channels (both static and dynamic) and by removing dynamic channels.

In this habilitation thesis, we discuss two complementary approaches to formal verification of infinite-state systems—namely, the use cut-offs and automata-based symbolic model checking (especially the so-called regular model checking). The thesis is based on extended versions of multiple conference and journal papers joint into a unified framework and accompanied with a significantly extended overview of other existing approaches. The presented original results include cut-offs for verification of parameterised networks of processes with shared resources, the approach of abstract regular model checking combining regular model checking with the counterexample-guided abstraction refinement (CEGAR) loop, a proposal of using language inference for regular model checking, techniques for an application of regular model checking to verification of programs manipulating dynamic linked data structures, the approach of abstract regular tree model checking as well as a proposal of a novel class of tree automata with size constraints with applications in verification of programs manipulating balanced tree structures.

researchers interested in the sequential and parallel implementation of logic and constraint programming languages and systems. CICLOPS promotes the free exchange of ideas and early dissemination of potentially premature and promising ideas. CICLOPS 2009 continues a tradition of successful workshops on Implementations of Logic Programming Systems, previously held with considerable