Timed CTL Model Checking in Real-Time Maude⋆ - IfI

Timed CTL Model Checking in 

Real-Time Maude ⋆ 

(Extended Version) ⋆⋆ 

Daniela Lepri 1 , Erika Ábrahám2 , and Peter Csaba Ölveczky1,3 

1 University of Oslo, Norway 

2 RWTH Aachen University, Germany 

3 University of Illinois at Urbana-Champaign, USA 

Abstract. This paper presents a timed CTL model checker for Real- 

Time Maude and its semantic foundations. In particular, we give a timed 

CTL model checking procedure for that is sound and complete for closedbound 

formulas under a continuous semantics for a fairly large class of 

systems. An important benefit of our model checker is that it also automatically 

provides a timed CTL model checker for subsets of modeling 

languages, like Ptolemy II and (Synchronous) AADL, which have Real- 

Time Maude model checking integrated into their tool environments. 

1 Introduction 

Real-Time Maude [31] extends Maude [15] to support the formal modeling and 

analysis of real-time systems in rewriting logic. Real-Time Maude is characterized 

by its expressiveness and generality, natural model of object-based distributed 

real-time systems, that supports multiple inheritance as well as dynamic 

creation and deletion of both objects and messages, the possibility to define any 

computable data type, and a range of automated formal analysis such as simulation, 

reachability and temporal logic model checking. This has made it possible 

to successfully apply the tool to a wide range of real-time systems, including 

advanced state-of-the-art wireless sensor network algorithms [18, 33], multicast 

protocols [32, 21], scheduling algorithms requiring unbounded queues [27], and 

routing protocols [34]. 

Real-Time Maude’s expressiveness and generality also make it a suitable 

semantic framework and analysis tool for modeling languages for real-time systems 

[25]. For example, the tool has been used to formalize (subsets of) the 

⋆⋆ This paper is the extended version of a work submitted for publication. In particular, 

more details about the model checker implementation and optimizations are given 

in Section 5, and Section 6 contains two further case studies, about model checking, 

respectively, a simple network of embedded medical devices, and the Ptolemy II 

railoroad crossing benchmark. 

⋆ This work was partially supported by the Research Council of Norway through the 

Rhytm project, by the DAADppp HySmart project, and by AFOSR Grant FA8750- 

11-2-0084.

2 D. Lepri, E. Ábrahám, and P. Cs. Ölveczky 

industrial avionics modeling standard AADL [26], a synchronous version of 

AADL [6], Ptolemy II discrete-event (DE) models [7], the web orchestration language 

Orc [2], different EMF-based timed model transformation frameworks [35, 

10], etc. Real-Time Maude formal analysis has been integrated into the tool environment 

of some of these languages, enabling a model engineering process that 

combines the convenience of an intuitive modeling language with formal analysis. 

In Real-Time Maude, the data types of the system are defined by an algebraic 

equational specification, and the system’s instantaneous transitions are modeled 

by (instantaneous) rewrite rules. Time advance is modeled explicitly by so-called 

tick (rewrite) rules of the form {t} => {t ′ } in time u if cond, where {_} is 

an operator that encloses the entire global state, and the term u denotes the 

duration of the rewrite. Real-Time Maude is parametric in the time domain, 

which may be discrete or dense. For dense time (in particular), tick rules typically 

have the form {t} => {t ′ } in time x if x

Timed CTL Model Checking in Real-Time Maude 3 

the branching time logic CTL in which the temporal operators are annotated 

with a time interval, so that, for example, the formula E ϕ1 U [2,4] ϕ2 holds if 

there is a path in which ϕ2 holds after some time 2 ≤ r ≤ 4 and where ϕ1 holds 

in all states until then. 

Going from untimed temporal logic to a timed temporal logic presents at 

least two significant challenges for Real-Time Maude: 

1. What is the intended semantics of a Real-Time Maude specification with the 

above tick rule w.r.t. timed temporal logic properties? For example, given 

a tick rule {f(y)} => {f(y + x)} in time x if x


studies: a Real-Time Maude model of a simple network of embedded medical 

devices, a Ptolemy II model of a railroad crossing system, and a Ptolemy II 

model of a fault-tolerant traffic light system. 

An important benefit of our work is that a TCTL model checker for Real- 

Time Maude also gives us a TCTL model checker for free for Ptolemy II DE 

models, synchronous AADL models, and other modeling languages for which 

Real-Time Maude models can be generated. As shown in Section 6, our model 

checker has already been integrated into the Ptolemy II tool, allowing the user 

to model check TCTL properties of Ptolemy II models from within Ptolemy II. 

Related Work. The tools Kronos [39], Redlib [37], and TSMV [22] implement 

TCTL model checkers for, respectively, timed automata, linear hybrid automata, 

and timed Kripke structures. The tool Uppaal [9] provides an efficient symbolic 

model checking procedure for timed automata for a subset of non-nested TCTL 

properties. The Roméo tool [17, 11], based on a timed extension of Petri nets [1, 

23], has an integrated timed model checker for some non-nested TCTL modalities, 

with the addition of bounded response properties. These formalisms are 

significantly less expressive than real-time rewrite theories [28], which makes 

their model checking problems decidable. The first approaches to model checking 

timed temporal properties for Real-Time Maude are described in [20, 38] 

and analyze important specific classes of timed temporal logic formulas (timebounded 

response, time-bounded safety, and minimum separation), but only for 

flat object-based specifications. Unlike in [20, 38], our new model checker is not 

limited to specific classes of temporal logic properties, but offers the full TCTL. 

The new model checker is also not limited to flat object-oriented systems, but 

can also analyze any (sensible) Real-Time Maude model, including hierarchical 

object-oriented specifications, which is crucial, since both AADL and Ptolemy II 

models are hierarchical. 

Paper Structure. Section 2 introduces real-time rewrite theories and Real-Time 

Maude. Section 3 describes our model checker and its semantics. Section 4 

presents our soundness and completeness results. We discuss our model checker 

implementation in Section 5, and demonstrate its applicability on three case 

studies in Section 6. Finally, concluding remarks are given in Section 7. 

2 Real-Time Rewrite Theories and Real-Time Maude 

A rewrite theory is a tuple (Σ, E, R), where (Σ, E) is a membership equational 

logic theory [15] that defines the state space of a system as an algebraic data 

type, with Σ a signature declaring sorts, subsorts, and function symbols, and 

E a set of conditional equations and membership axioms, and where R is a set 

of labeled conditional rewrite rules of the form [l] : t −→ t ′ if cond, where 

l is a label, t, t ′ are Σ-terms, and cond is a conjunction of rewrite conditions 

u −→ u ′ , equational conditions v = v ′ , and membership conditions w : s, where 

u, u ′ , v, v ′ , w are Σ-terms and s is a sort in Σ. A rule is implicitly universally


quantified by the variables appearing in t, t ′ and cond, and specifies a set of 

local one-step transitions in the system. Rules are applied modulo the equations 

E. The set T Σ/E,s of states of sort s is defined by the E-equivalence classes of 

ground terms of sort s. 

Real-time rewrite theories [28] are used to specify real-time systems in rewriting 

logic. Rules are divided into tick rules, that model time elapse in a system, 

and instantaneous rules, that model instantaneous change. Formally a real-time 

rewrite theory R is a tuple (Σ, E, R, φ, τ) such that 

– (Σ, E, R) is a rewrite theory, with a sort System and a sort GlobalSystem 

with no subsorts or supersorts and with only one operator {_} : System → 

GlobalSystem which satisfies no non-trivial equations; furthermore, for any 

f : s1 . . . sn → s in Σ, the sort GlobalSystem does not appear in s1 . . . sn. 

– φ : TIME → (Σ, E) is an equational theory morphism which interprets 

TIME in R; the theory TIME [28] defines time abstractly as an ordered commutative 

monoid (Time, 0, +, r with t −→ t ′′ for some 

t ′′ r0 r1 r2 

. A timed path in R is an infinite sequence π = t0 −→ t1 −→ t2 −→ · · · such 

that 

ri 

– for all i ∈ N, ti −→ ti+1 is a one-step rewrite in R; or 

ri 

– there exists a k ∈ N such that ti −→ ti+1 is a one-step rewrite in R for all 

0 ≤ i < k, there is no one-step rewrite from tk in R, and tj = tk and rj = 0 

for each j ≥ k. 

For paths π of the above form we define dπ m = m−1 i=0 ri, tπ m = tm and rπ m = rm. 

r0 r1 r2 

We call the timed path π = t0 −→ t1 −→ t2 −→ · · · a timed fair path if 

– for any ground term ∆ of sort Time, if there is a k such that for each j > k 

r 

there is a one-step tick rewrite tj −→ t with ∆ ≤ dπ j + r then there is an l 

with ∆ ≤ dπ l , and 

– for each k, if for each j > k both a maximal tick step with duration 0 and an 

inst 

instantaneous rule can be applied in tj then tl −→ tl+1 is a one-step rewrite 

applying an instantaneous rule for some l > k. 

We denote the set of all timed fair paths of R starting in t0 by tfPathsR(t0). A 

term t is reachable from t0 in R in time r iff there is a path π ∈ tfPathsR(t0) with tπ k = t and dπ k = r for some k. A path π is time-divergent iff for each time 

value r ∈ Time there is an i ∈ N such that dπ i > r. 

r ′


The Real-Time Maude tool [30] extends the Maude system [15] to support 

the specification, simulation, and analysis of real-time rewrite theories. Real- 

Time Maude is parametric in the time domain, which may be discrete or dense, 

and defines a supersort TimeInf of Time which adds the infinity element INF. 

To cover all time instances in a dense time domain, tick rules often have one of 

the forms 

crl [tick] : {t} => {t ′ } in time x if x {t ′ } in time x if cond [nonexec] . (∗), or 

rl [tick] : {t} => {t ′ } in time x [nonexec] . (§). 

where x is a new variable of sort Time not occurring in {t} and cond. This 

ensures that the tick rules can advance time by any amount in rules of the form 

(∗) or (§) and any amount less than or equal to u in rules of the form (†). Rules 

of these forms are called time-nondeterministic and are not directly executable 

in general, since many choices are possible for instantiating the new variable x. 

In contrast to, e.g., timed automata, where the restrictions in the formalism 

allow the abstraction of the dense time domain by “clock regions” containing 

bisimilar states [3], for the more complex systems expressible in Real-Time 

Maude there is not such a discrete “quotient”. Instead, Real-Time Maude executes 

time-nondeterministic tick rules by offering a choice of different time sampling 

strategies [30], so that only some moments in the time domain are visited. 

For example, the maximal time sampling strategy advances time by the maximum 

possible time elapse u in rules of the form (†) (unless u equals INF), and 

tries to advance time by a user-given time value r in tick rules having other 

forms. In the default mode each application of a time-nondeterministic tick rule 

will try to advance time by a given time value r. 

The paper [30] explains the semantics of Real-Time Maude in more detail. 

In particular, given a real-time rewrite theory R and a time sampling strategy 

σ, there is a real-time rewrite theory R σ that has been obtained from R 

by applying a theory transformation corresponding to using the time sampling 

strategy σ when executing the tick rules. In particular, the real-time rewrite 

theory R maxDef (r) denotes the real-time rewrite theory R where the tick rules 

are applied according to the maximal time sampling strategy, while R def(r) denotes 

R where the tick rules are applied according to the default time sampling 

strategy (tick steps which advance time by 0 are not applied). 

A real-time rewrite theory R is time-robust if the following hold for all ground 

terms t, t ′ , t ′′ of sort GlobalSystem and all ground terms r, r ′ , of sort Time: 

– t = t ′ holds in the underlying equational theory for any 0-time tick step 

0 

t −→ t ′ . 

– t r+r′ 

−→ t ′′ if and only if there is a t ′ r 

of sort Time such that t −→ t ′ and 

−→ t ′′ . 

r 

– If t −→ t ′ ′ inst 

is a tick step with r > 0, and t −→ t ′′ is an instantaneous one-step 

r 

rewrite, then t −→ t ′′ is a maximal tick step. 

– for M = {r | ∃t ′ r 

. t −→ t ′ } we have that either there is a maximal element in 

M or M is the whole domain of Time. 

t ′ r ′


Real-Time Maude extends Maude’s linear temporal logic model checker to 

check whether each behavior, possibly up to a certain time bound, satisfies an 

(untimed) LTL formula. State propositions are terms of sort Prop. The labeling 

of states with propositions can be specified by (possibly conditional) equations 

of the form 

{stateP attern} |= prop = b 

for b a term of sort Bool, which defines the state proposition prop to evaluate to b 

in all states matching the given pattern. We say that a set of atomic propositions 

is tick-invariant in R if tick rules do not change their values. 

Since the model checking commands execute time-nondeterministic tick rules 

according to a time sampling strategy, only a subset of all possible behaviors 

is analyzed. Therefore, Real-Time Maude analysis is in general not sound and 

complete. However, the reference [29] gives easily checkable sufficient conditions 

for soundness and completeness, which are satisfied by many large Real-Time 

Maude applications. 

3 Timed CTL Model Checking for Real-Time Maude 

In untimed temporal logics it is not possible to reason about the duration 

of/between events. There are many timed extensions of temporal logics: both 

point-based and interval-based, linear-time and branching-time, with discrete or 

dense time, based on pointwise or continuous semantics, etc. (see [4, 36, 12] for 

an overview). In this paper we consider TCTL [5] with interval time constraints 

on temporal operators. 

3.1 Timed CTL 

In computation tree logic (CTL) [5], a state formula specifies a property over the 

computation tree corresponding to the system behavior rooted in a given state. 

State formulae are constructed by adding universal (A ) and existential (E ) 

path quantifiers in front of path formulae to specify whether the path formula 

must hold, respectively, on each path starting in the given state, or just on some 

path. Path formulae are built from state formulae using the temporal operators 

X (“next”) and U (“until”). Intuitively, the path formula p U q (“p until q”) 

is satisfied by a path if the property q becomes valid within a finite number of 

steps and the property p constantly holds on the path before. 

As syntactic sugar we use the common abbreviations: E F ϕ is defined as 

E true U ϕ; A F ϕ is defined as A true U ϕ; E G ϕ is defined as ¬A F ¬ϕ and 

A G ϕ is defined as ¬E F ¬ϕ. 

Timed CTL (TCTL) is a quantitative extension of CTL [5], where the scope 

of the temporal operators can be limited in time by subscripting them with time 

constraints. In this paper we consider an interval-bound version of TCTL where 

the temporal operators are subscripted with a time interval. A time interval I 

is an interval of the form [a, b], (a, b], [a, b∞) or (a, b∞), where a and b are values 

of sort Time and b∞ is a value of sort TimeInf.


Definition 1. Given a set Π of atomic propositions, TCTL formulae are built 

using the following abstract syntax: 

ϕ ::= true | p | ¬ϕ | ϕ ∧ ϕ | E ϕ UI ϕ | A ϕ UI ϕ 

where p ∈ Π and I is a time interval. 

We omit the bound [0, ∞) as subscript and we write ≤ b, < b, ≥ a and > a for 

[0, b], [0, b), [a, ∞) and (a, ∞), respectively. We denote by TCTLcb the fragment 

of TCTL where all time bounds are of the form [a, b] with a < b, or [a, ∞). 

3.2 Timed Kripke Structures and TCTL Semantics 

The semantics of TCTL formulae is defined on Kripke structures. A Kripke 

structure is a transition system with an associated labeling function, which maps 

each state in the transition system to the set of atomic propositions that hold 

in that state. 

A timed Kripke structure is a Kripke structure where each transition has the 

form s r 

−→ s ′ , where r denotes the duration of the transition step. 

Definition 2. Given a set of atomic propositions Π and a time domain T , a 

timed Kripke structure is a triple T K = (S, T 

−→, L) where S is a set of states, 

T 

−→⊆ S×T ×S is a transition relation with duration, and L is a labeling function 

L : S → P(Π). The transition relation T 

−→ is total, 4 i.e., for each s ∈ S there 

exist r ∈ T , s ′ ∈ S such that (s, r, s ′ ) ∈ T 

−→. We write s r 

−→ s ′ if (s, r, s ′ ) ∈ T 

−→. 

We use a similar notation for timed paths in a timed Kripke structure T K as for 

r0 r1 

real-time rewrite theories. Thus, a timed path is written π = t0 −→ t1 −→ . . ., 

we define dπ m = m−1 i=0 ri, tπ m = tm and rπ m = rm, and the set of all timed fair 

paths originating in state t is denoted by tfPathsT K(t). 

The semantics of TCTL formulae is defined as follows: 

Definition 3. For timed Kripke structures T K = (S, T 

−→, L), states t ∈ S, and 

TCTL formulae ϕ, the pointwise satisfaction relation T K, t |=p ϕ is defined 

inductively as follows: 

T K, t |=p true always. 

T K, t |=p p iff p ∈ L(t). 

T K, t |=p ¬ϕ1 iff T K, t |=p ϕ1. 

T K, t |=p ϕ1 ∧ ϕ2 iff T K, t |=p ϕ1 and T K, t |=p ϕ2. 

T K, t |=p E ϕ1 UI ϕ2 iff there exists π ∈ tfPaths T K(t) and an index k s.t. 

d π k ∈ I, T K, tπ k |=p ϕ2, and 

T K, t π l |=p ϕ1 for all 0 ≤ l < k. 

T K, t |=p A ϕ1 UI ϕ2 iff for each π ∈ tfPaths T K(t) there is an index k s.t. 

d π k ∈ I, T K, tπ k |=p ϕ2, and 

T K, t π l |=p ϕ1 for all 0 ≤ l < k. 

4 T 

T • T 

A transition relation −→ can be made total by defining ( −→) = −→ ∪{(s, 0, s) ∈ 

S × T × S | ¬∃ s ′ ∈ S, r ∈ T s.t. (s, r, s ′ ) ∈ T 

−→}.


For a timed Kripke structure T K = (S, T 

−→, L), a state t ∈ S and paths 

π, π ′ ∈ tfPathsT K(t) we say that π ′ is a simple time refinement of π if either 

π = π ′ or π ′ can be obtained from π by replacing a transition tk 

rk 

−→ tk+1, 

r ′ 

k k 

rk > 0, by a sequence tk −→ t r′′ 

−→ tk+1 of transitions for some t ∈ S and time 

values r ′ k , r′′ 

k > 0 with r′ k + r′′ 

k = rk. A path π ′ is a time refinement of another 

path π if π ′ can be obtained from π by applying a (possibly infinite) number of 

time refinements. We also say that π is a time abstraction of π ′ . 

Definition 4. The continuous-time satisfaction relation T K, t |=c ϕ is defined 

inductively as follows: 

T K, t |=c true always. 

T K, t |=c p iff p ∈ L(t). 

T K, t |=c ¬ϕ1 iff T K, t |=c ϕ1. 

T K, t |=c ϕ1 ∧ ϕ2 iff T K, t |=c ϕ1 and T K, t |=c ϕ2. 

T K, t |=c E ϕ1 UI ϕ2 iff there is a path π ∈ tfPathsT K(t) such that for each 

time refinement π ′ ∈ tfPathsT K(t) of π there is an 

index k s.t. d π′ 

k 

∈ I, T K, tπ′ 

k |=c ϕ2, and 

T K, t π′ 

l |=c ϕ1 for all 0 ≤ l < k. 

T K, t |=c A ϕ1 UI ϕ2 iff for each path π ∈ tfPaths T K(t) there is a time 

refinement π ′ ∈ tfPaths T K(t) of π and an index k 

s.t. d π′ 

k 

∈ I, T K, tπ′ 


T K, t π′ 

l |=c ϕ1 for all 0 ≤ l < k. 

3.3 Associating Timed Kripke Structures to Real-Time Rewrite 

Theories 

To each real-time rewrite theory we associate a timed Kripke structure as follows: 

Definition 5. Given a real-time rewrite theory R = (Σ, E, R, φ, τ), a set of 

atomic propositions Π and a protecting extension (Σ ∪ Π, E ∪ D) ⊇ (Σ, E), we 

define the associated timed Kripke structure 

T K(R)Π = (T Σ/E,GlobalSystem, ( T 

−→R) • , LΠ), 

where ( T 

−→R) • ⊆ TΣ/E,GlobalSystem × TΣ/E,φ(Time) × TΣ/E,GlobalSystem contains 

r 

all transitions of the kind t −→ t ′ which are also one-step rewrites in R and 

0 

all transitions of the kind t −→ t for all those states t that cannot be further 

rewritten in R, and for LΠ : TΣ/E,GlobalSystem → P(Π) we have that p ∈ LΠ(t) 

if and only if E ∪ D ⊢ (t |= p) = true. 

We use this transformation to define R, LΠ, t0 |=c ϕ as T K(R)Π, t0 |=c 

ϕ, and similarly for the pointwise semantics. The model checking problems 

T K(R)Π, t0 |=p ϕ and T K(R)Π, t0 |=c ϕ are decidable if 

– the equational specification in R is Church-Rosser and terminating,


– the set of states reachable from t0 in the rewrite theory R is finite, and 

– given a pair of reachable states t and t ′ , the number of one-step rewrites of 

r 

the kind t −→ t ′ in R is finite. 

As mentioned above, real-time rewrite theories generally contain a time-nondeterministic 

tick rule, but since Real-Time Maude executes such theories by 

applying a time sampling strategy σ, our model checker does not analyze R but 

the executable theory Rσ in which the time sampling strategy transformation 

has been applied. Thus, we associate a timed Kripke structure not to R, but 

to Rσ , and hence the third requirement is satisfied by all but the most esoteric 

cases; indeed, the tick rules in all Real-Time Maude applications we have seen 

are deterministic, in the sense that there is at most one one-step tick rewrite 

r 

t −→ t ′ from any state, when the time sampling strategy is taken into account. 

We denote by T K(R, t0)Π the timed Kripke structure associated to R which 

is restricted to states reachable from t0, and for states t reachable from t0 we 

write R, LΠ, t |= ϕ for T K(R, t0)Π, t |= ϕ. 

4 Sound and Complete TCTL Model Checking for 

Real-Time Maude 

As mentioned above, for dense time domains, Real-Time Maude only analyzes 

those behaviors obtained by applying the tick rules according to a selected 

time sampling strategy. The paper [29] specifies some conditions on a real-time 

rewrite theory R and on the atomic propositions that ensure that model checking 

R maxDef (r) , i.e., using the maximal time sampling strategy, is a sound and 

complete model checking procedure to check whether all behaviors in the original 

model R satisfy an untimed LTL formula without the next operator. 

For example, if 

– no application of a tick rule changes the valuation of the atomic propositions 

in a formula (this requirement almost always holds in real applications, since 

the only values changed by ticks are clock and timer values that usually do 

not appear in the formula); 

– instantaneous rewrite rules can only be applied after maximal tick steps or 

after applying an instantaneous rule, 

then model checking R maxDef (r) gives a sound and complete model checking 

procedure for R. 5 This result yields a feasible sound and complete model checking 

procedure for many useful (dense-time) systems, that include many systems 

that cannot be modeled as, e.g., timed automata. 

Unfortunately, this completeness result does not carry over to timed temporal 

logic properties. Consider for example the TCTL formula ϕ = E F≥1 (E p U≥2 q). 

5 The requirements in [29] are weaker than described here; e.g., the valuation of the 

atomic propositions may change once in a sequence of maximal tick rewrites.


Then, we can have a sequence of only maximal tick steps (where we only show 

the atomic properties valid in the corresponding states) 

p 3 

−→ p inst 

−→ q −→ · · · (¬p ∧ ¬q forever) 

that does not satisfy the formula ϕ, whereas if we can “split” up the maximal 

tick step into three non-maximal tick steps, where time elapses by one time unit 

in each tick step, we get a behavior 

p 1 

−→ p 1 

−→ p 1 


−→ q −→ · · · (¬p ∧ ¬q forever) 

which makes ϕ hold for the system. Notice that the system satisfies the two 

strong criteria suggested above. It is also worth mentioning that this problem 

also applies to timed linear logics. For the system R indicated in the example, 

the “timed LTL” formula ¬ (✸≥1 (p U≥2 q)) is satisfied by R maxDef (r) but not 

by R. 

In the following we focus on dense time, since we can achieve sound and 

complete model checking for discrete time by exploring all possible tick steps in 

the pointwise semantics, and by advancing time by the smallest possible nonzero 

duration in the continuous semantics. Furthermore, as already mentioned, 

in this paper we restrict our treatment to TCTLcb formulas under the continuous 

semantics. 6 

Our goal is therefore to find a discrete abstraction of a real-time rewrite 

theory R, so that model checking the abstraction (under the pointwise semantics) 

is equivalent to model checking R under the continuous semantics. One part of 

our solution is to make sure that time progress “stops” at any time point when a 

time bound in the formula could be reached. This can be achieved if we split any 

tick step by an amount that divides all possible maximal tick durations and all 

possible finite non-zero time bounds in the formula. Let ¯r be the greatest common 

divisor of the durations of all maximal tick steps in R maxDef (r) reachable from the 

initial state and each finite non-zero time bound in the formula; then “stopping” 

at each interesting time point should be acheieved if we divide each maximal 

tick step into smaller steps of duration ¯r. 

However, the following example shows that it is not sufficient to always advance 

time by this greatest common divisor ¯r to obtain a sound and complete 

abstraction under the continuous semantics. Consider a (dense-time) theory R 

that has only one behavior in terms of maximal tick steps, which we show here 

in terms of validity of the atomic proposition p in the corresponding states: 

π = ¬p 1 

−→ ¬p inst 


−→ ¬p 1 

−→ · · · (¬p forever) 

That is, a p-state is reachable in exactly time 1, and ticks do not change the 

valuations of the atomic propositions. In this model all maximal tick steps have 

6 We are currently working on releasing the restriction to closed bounds. However, 

our proof for the completeness result cannot be directly extended to TCTL formulas 

with open bounds.


duration 1. Let’s consider the formula ϕ = E ϕ1 U [1,1] true, where ϕ1 is the 

formula E F [1,1] p. The formula ϕ says that ϕ1 must hold all the way until we 

reach time 1. The greatest common divisor of all maximal time increments and 

all time values in ϕ is still 1, so the “greatest common divisor” abstraction is 

equivalent to R maxDef (r) . In particular, this abstraction (i.e., the above behavior) 

satisfies ϕ w.r.t. the initial state π(0). However, R, L {p}, π(0) |=c ϕ does not hold, 

since ϕ does not hold in the timed refinement (where the first tick has been split 

into two smaller ones) 

π ′ = ¬p 1/2 

−→ ¬p 1/2 

−→ ¬p inst 


−→ ¬p 1 

−→ · · · (¬p forever) 

because ϕ1 does not hold in the second state in the refinement. 

Our approach is therefore to capture all these “intermediate” states by further 

splitting the “gcd” tick steps into two smaller tick steps. In essence, we advance 

time not by ¯r, but by “half” the gcd ¯r in each tick step. 

To formalize this notion, let us first consider the time domain. Real-time 

rewrite theories are parametric in their time domain; the time domain must only 

satisfy some abstract properties given in some functional theory defined in [28] 

that defines the time domain abstractly as a commutative monoid (0, ≤, T ime) 

with some additional operators, such as monus, where x monus y denotes x − y 

if y < x, and 0 otherwise. The following theory states that there exist functions 

gcd and half on the non-zero time values with the expected properties. 

fth GCD-TIME-DOMAIN is including LTIME-INF . 

sort NzTime . subsort NzTime < Time . 

cmb T:Time : NzTime if T:Time =/= 0 . 

op gcd : NzTime NzTime -> NzTime [assoc comm] . 

op _divides_ : NzTime NzTime -> Bool . 

op half : NzTime -> NzTime . 

vars T1 T2 T3 : NzTime . vars T T’ : Time . 

eq T1 divides T1 = true . 

ceq T1 divides T2 = false if T2 < T1 . 

eq T1 divides (T1 + T2) = T1 divides T2 . 

eq gcd(T1, T2) divides T1 = true . 

ceq gcd(T1, T2) >= T3 if T3 divides T1 /\ T3 divides T2 . 

eq half(NZT) + half(NZT) = NZT . 

endfth 

In the following we assume that all considered time domains satisfy the theory 

GCD-TIME-DOMAIN, and write gcd and half for the interpretation of gcd and half, 

respectively. Note that the usual dense time domains, such as the nonnegative 

rationals, satisfy this theory with the standard interpretation of division and the 

gcd operator.


The real-time rewrite theory R gcd(t0,r,ϕ) is obtained from the tick-robust realtime 

rewrite theory R, a state t0 in R, and a TCTL formula ϕ, by advancing 

time by “half” the greatest common divisor of all the following values: 

– all tick step durations appearing in paths from tfPaths R maxDef (r)(t0) and 

– all finite non-zero lower and upper bounds of all temporal operators in ϕ. 

Definition 6. For a real-time rewrite theory R whose time domain satisfies the 

theory GCD-TIME-DOMAIN, a non-zero time value r, a TCTL formula ϕ and a 

state t0 of R we define 

T1(R, t0, r) = {r ′ ∈ NzTime | ∃π ∈ tfPaths R maxDef (r)(t0). ∃i ≥ 0. r ′ = r π i } 

T2(ϕ) = {r ∈ NzTime | there exists a subformula E ϕ1 UI ϕ2 or 

GCD(R, r, ϕ, t0) = gcd(T1(R, t0, r) ∪ T2(ϕ)). 

A ϕ1 UI ϕ2 of ϕ with r a non-zero finite 

lower or upper bound in I} 

If T1(R, t0, r) and T2(ϕ) are finite then the GCD value is well-defined and 

we can define the real-time rewrite theory R gcd(t0,r,ϕ) as follows: 

Definition 7. Given a real-time rewrite theory R whose time domain satisfies 

the theory GCD-TIME-DOMAIN, a non-zero time value r, a TCTL formula ϕ, a 

state t0 of R, and assume that ¯r = GCD(R, t0, r, ϕ) is a defined non-zero time 

value. Then R gcd(t0,r,ϕ) is defined as R but where each tick rule of the forms (†), 

(∗), and (§) is replaced by the respective tick rule: 

crl [tick] : {t} => {t ′ } in time x if x := half (¯r) /\ cond [nonexec] . 

crl [tick] : {t} => {t ′ } in time x if x := half (¯r) /\ cond [nonexec] . 

crl [tick] : {t} => {t ′ } in time x if x := half (¯r) [nonexec] . 

The following lemma states that the evaluation of the formula ϕ and its 

subformulas does not change inside tick steps of R gcd(t0,r,ϕ) . 

Lemma 1. Assume a time-robust real-time rewrite theory R whose time domain 

satisfies the theory GCD-TIME-DOMAIN. Let Π be a set of tick-invariant atomic 

propositions, and assume a protecting extension of R defining the atomic propositions 

in Π and inducing a labeling function LΠ. Let t0 be a state of R, r a 

non-zero time value of sort Time, ϕ a TCTLcb formula over Π, and assume that 

¯r = GCD(R, t0, r, ϕ) is a defined non-zero time value. 

Then for each subformula ϕ ′ of ϕ, each time-divergent path π ∈ tfPathsR(t0) r π 

i 

and for all tick step sequences tπ i −→ . . . rπ 

j−1 

−→ tπ j in π satisfying n· ¯r < dπi < dπj < 

(n + 1) · ¯r for some n we have that 

R, LΠ, t π i |=c ϕ ′ 

iff R, LΠ, t π j |=c ϕ ′ . 

Proof. In the following we use N0 and N for the set of all natural numbers 

including resp. excluding 0. The proof is by induction on the structure of ϕ ′ . 

Base cases:


– ϕ ′ = true: R, t |=c true for all t by the definition of |=c. 

– ϕ ′ = p: Since all steps between tπ i and tπj are tick steps, the property follows 

from the tick-invariance of p. 

Assume now that the lemma holds for the subformulae ϕ1 and ϕ2. 

– ϕ ′ = ¬ϕ1: 

– ϕ ′ = ϕ1 ∧ ϕ2: 

– ϕ ′ = E ϕ1 UI ϕ2: 

R, t π i |=c ¬ϕ1 ⇐⇒ not (R, t π i |=c ϕ1) 

induction 

⇐⇒ not (R, t π j |=c ϕ1) 

⇐⇒ R, t π j |=c ¬ϕ1 . 

R, t π i |=c ϕ1 ∧ ϕ2 ⇐⇒ R, t π i |=c ϕ1 and R, t π i |=c ϕ2 

induction 

⇐⇒ R, t π j |=c ϕ1 and R, t π j |=c ϕ2 

⇐⇒ R, t π j |=c ϕ1 ∧ ϕ2 . 

We define d1 = dπ i −n¯r, d2 = dπ j −dπi and d3 = (n+1)¯r−d π j . Let furthermore 

πpre denote the prefix of π ending at tπ i and let πpre i denote the tick sequence 

tπ ri 

i −→ . . . rj−1 

−→ tπ j . Let ml¯r be the lower bound of I. The upper bound of I 

is either INF or a finite bound mu¯r. 

“⇒”: The proof structure is illustrated on Figure 1. 

Assume that R, t π i |=c E ϕ1 UI ϕ2 holds. Then by definition there is a path 

πi ∈ tfPaths T K(t π i ) such that for each time refinement π′ i ∈ tfPaths T K(t π i ) 

of πi there is an index k s.t. d π′ i 

i 

k ∈ I, T K, tπ′ 

k |=c ϕ2, and T K, t π′ i 

l |=c ϕ1 for 

all 0 ≤ l < k. 

Let πi be such a path. Due to time robustness, πi has a time refinement 

π ′ i ∈ tfPathsT K(tπ i ) which contains the state tπj at time point d2, a state t∗ at time point7 ml¯r − d1/2 in case ml > 0, and a state t∗∗ at time point 

ml¯r + d2 (which is tπ j in case ml = 0). Note that time robustness assures 

that the state in π ′ i at time point d2 is tπ j . 

Let π ′ i be such a path. Let πpre′ i and πj be the prefix resp. suffix of π ′ i 

ending resp. starting at tπ j at the time point d2. We show that πj satisfies 

the conditions for R, tπ j |=c E ϕ1 UI ϕ2. 

Let π ′ j be a time refinement of πj. Then the concatenation π ′′ 

i 

of πpre′ 

i 

π ′ j is a time refinement of πi. By assumption there is an index k s.t. d π′′ 

i 

k 

and 

∈ I, 

T K, t π′′ 

i 

k |=c ϕ2, and T K, t π′′ 

i 

l |=c ϕ1 for all 0 ≤ l < k. 

Let k be such an index and let π ′ be the concatenation of πpre and π ′′ 

i . 

Remember that ml¯r is the lower bound of I. We distinguish between (i) 

d π′′ 

i 

k ∈ I1 = [ml¯r, ml¯r + d2 + d3) and (ii) d π′′ 

i 

k ∈ I2 = I\I1. 

7 For intuition we sample the middle point between ml¯r − d1 and ml¯r. However, any 

time point in the interval (ml¯r − d1, ml¯r) would fit for our purpose.

π : 

πi : 

π ′ i : 

πj : 

π ′ j : 

π ′′ 

i : 

π ′ : 


0 ¯r 2¯r 3¯r 4¯r 5¯r 

t π i 

t π j 

n¯r d1 d2 d3 

π pre π pre 

i 

t π i 

t π i 

π pre′ 

i 

d2 

t π j 

ml ¯r− d 1 2 

t ∗ 

t π j t ∗ 

t π j t ∗ 

t π i t π j t ∗ 

π pre′ 

i 


π pre π ′′ 

i 

I 

ml ¯r+d2 

Fig. 1: Lemma 1: Proof structure for the “⇒” direction of existentially quantified 

bounded until 

I1 

πj 

I 

π ′ j 

t ∗∗ 

t ∗∗ 

t ∗∗ 

t ∗∗ 

t ∗∗ 

I2 

I


(i) Assume first that d π′′ 

i 

k ∈ I1 = [ml¯r, ml¯r + d2 + d3). We observe that 

π ′′ 

i contains the state t∗∗ at time point ml¯r + d2 (we added this sample 

point when refining πi to π ′ i ), thus t∗∗ appears in π ′ at time point (n + 

ml)¯r + d1 + d2. Furthermore, we assumed that d π′′ 

i 

k 

d π′′ 

i 

k < ml¯r + d2 + d3, implying that t π′′ 

i 

∈ I1, i.e., ml¯r ≤ 

k appears in π′ at a time point in 

[(n + ml)¯r + d1, (n + ml + 1)¯r). Thus both t∗∗ and t π′′ i 

k appear in π′ in 

the interval ((n + ml)¯r, (n + ml + 1)¯r), and from T K, t π′′ i 

k |=c ϕ2 we get 

by induction that T K, t∗∗ |=c ϕ2. 

Note that t∗∗ also appears in π ′ j . We want to show that the index of t∗∗ in 

π ′ j satisfies the conditions for the satisfaction of the until formula by π′ j . 

We already have shown that T K, t∗∗ |=c ϕ2. Additionally, t∗∗ appears in 

at time point ml¯r, 

π ′′ 

i at time point ml¯r + d2, therefore it appears in π ′ j 

which is the left end point of the interval I. 

In case ml = 0 we are done, because tπ j satisfies ϕ2 and there are no 

states prior to tπ j in π′ j . Otherwise, if ml > 0, it remains to show that all 

states prior to t∗∗ in π ′ j satisfy ϕ1. There are two cases. 

∗ We know that all states t π′′ 

i 

l 

with l < k (especially all states at time 

points less than ml¯r) satisfy ϕ1. We conclude that the states in π ′ j at 

time points less than ml¯r − d2, building a subset of the above states, 

all satisfy ϕ1. 

∗ It remains to show that all states at time points from [ml¯r −d2, ml¯r) 

in π ′ j also satisfy ϕ1. Notice that π ′ i contains the state t∗ at time 

point ml¯r − d1/2. Since this time point is below the lower bound of 

I we have T K, t ∗ |=c ϕ1. 

This state t ∗ appears in π ′ at time point 

(n¯r + d1) + (ml¯r − d1/2) = (n + ml)¯r + d1/2 . 

By induction we get that all states appearing in π ′ at time points 

from the interval ((n + ml)¯r, (n + ml + 1)¯r) satisfy ϕ1. I.e., all states 

in π ′ j at time points from 

((n + ml)¯r − (n¯r + d1 + d2), (n + ml + 1)¯r − (n¯r + d1 + d2)) 

= (ml¯r − d1 − d2, (ml + 1)¯r − d1 − d2) 

⊇ [ml¯r − d2, ml¯r) 

satisfy ϕ1. 

(ii) For the case d π′′ i 

k ∈ I2 = I\I1 let v be the number of states in π pre′ 

i . We 

show that k − v is a proper index for the satisfaction of the bounded 

until along π ′ j . 

We observe that t π′ 

j 

l 

T K, t π′ 

j 

i = tπ′′ 

l+v 

i 

for all l. Therefore, T K, tπ′′ 

k |=c ϕ2 implies 

k−v |=c ϕ2. Since d π′′ i 

k ∈ I2 we have d π′′ i 

k ≥ ml¯r + d2 + d3 and 

thus d π′ 

j 

i 

k−v = dπ′′ 

k − d2 ≥ ml¯r + d3, i.e., the duration of π ′ j until the 

(k − v)-th state is above the lower bound of I. It is easy to see that this


duration is also below the upper bound (d π′′ 

i 

k is below the upper bound 

and d π′ 

j 

k−v 

i = dπ′′ 

k − d2 < d π′′ 

i 

k ). 

Finally, T K, t π′′ i 

l+v |=c ϕ1 implies T K, t π′ 

j 

l |=c ϕ1 for all l < k−v Therefore, 

the index (k − v) is appropriate to show that the path π ′ j satisfies the 

bounded until property. 

“⇐”: The proof structure is illustrated in Figure 2. 

Assume that R, t π j |=c E ϕ1 UI ϕ2 holds. Then by definition there is a path 

πj ∈ tfPaths T K(t π j ) such that for each time refinement π′ j ∈ tfPaths T K(t π j ) 

of πj there is an index k s.t. d π′ j 

j 

k ∈ I, T K, tπ′ 

k |=c ϕ2, and T K, t π′ 

j 

l |=c ϕ1 for 

all 0 ≤ l < k. 

Let πj be such a path. Remember that mu¯r denotes the upper bound of I in 

case it is finite. Let π ′ j be πj if the upper bound of I is INF or 0 and a time 

refinement of πj which contains the state t∗∗ at the time point mu¯r − d2 

otherwise. Then the above properties hold also for π ′ j . 

Let πi be the concatenation of π pre 

i (appearing in π) and π ′ j . We show that 

πi satisfies the requirements for R, tπ i |=c E ϕ1 UI ϕ2. 

Let π ′ i be a time refinement of πi. Then tπ j appears in π′ i at time point d2 at 

some position v. 

Let π ′′ 

j be the suffix of π′ i starting at position v. Then π′′ j is a time refinement 

of π ′ j 

T K, t π′′ 

j 

l 

j 

. Therefore there must be an index k s.t. dπ′′ 

k 

j 

∈ I, T K, tπ′′ 


|=c ϕ1 for all 0 ≤ l < k. We distinguish between k = 0 and k > 0. 

k = 0 For the case k = 0 notice that t π′′ 

j 

0 = tπ j and thus T K, tπ j |=c ϕ2. By 

induction we get T K, t π i |=c ϕ2. Furthermore, since d π′′ 

j 

0 

j 

= 0 and dπ′′ 0 

∈ I, 

the lower bound of I must be 0. I.e., the index 0 satisfies the condition 

for the bounded until on the path π ′ i . 

k > 0 Otherwise, if k > 0 then, since t π′′ 

j 

0 = tπj we get T K, tπj |=c ϕ1 and by 

induction T K, t π′ 

i 

l |=c ϕ1 for all l < v (i.e., all states in the prefix π pre′ 

i 

of π ′ i ending at tπj at time point d2 satisfy ϕ1). 

(i) If the upper bound of I is INF then we show that k+v is an appropri- 

ate index to satisfy the bounded until along π ′ j 

i . From T K, tπ′′ 

k |=c ϕ2 

and t π′′ 

j i 

i 

k = tπ′ 

k+v we conclude that T K, tπ′ 

k+v |=c ϕ2. Furthermore, d π′′ 

j 

is above the lower bound of I and d π′ 

i 

j 

k+v = dπ′′ 

k + d2, i.e., d π′ 

i 

k+v ∈ I. 

Finally, all states with indices from v to (k + v − 1) in π ′ i satisfy ϕ1, 

since they also appear in π ′′ 

j before the index k. We have already 

shown above that the states with indices up to v also satisfy ϕ1, 

therefore the bounded until is satisfied along the path π ′ i . 

(ii) Assume next that the upper bound mu¯r of I is finite. Note that 

k > 0 implies mu > 0. We first assume d π′′ 

j 

k ∈ I2 = (mu¯r − d2, mu¯r], 

and consider d π′′ 

j 

k ∈ I1 = I\I2 in case (iii). 

k


π : 

πj : 

π ′ j : 

πi : 

π ′ i : 

π ′′ 

j : 

π ′ : 

0 ¯r 2¯r 3¯r 4¯r 5¯r 

t π i 

t π j 

n¯r d1 d2 d3 

π pre π pre 

i 

t π i 

t π i 

π pre 

i 

π pre′ 

i 

t π j 

t π j 

t π j 

t π j 

π ′ j 

I 

π ′′ 

j 

I 

mu ¯r−d2 

I1 

t ∗∗ 

t ∗∗ 

t ∗∗ 

t π j t ∗∗ 

t π i t π j t ∗∗ 

π pre π ′ i 

Fig. 2: Lemma 1: Proof structure for the “⇐” direction of existentially quantified 

bounded until 

I 

I2


Assume that d π′′ 

j 

k ∈ I2 and let π ′ be the concatenation π pre and π ′ i . 

The state t π′′ 

j 

k 

appears in π′′ 

j 

by assumption at a time point in (mu¯r− 

d2, mu¯r], and therefore also in π ′ i at a time point in (mu¯r, mu¯r + d2] 

and in π ′ at a time point in ((n + mu)¯r + d1, (n + mu)¯r + d1 + d2]. 

By construction π ′ j contains the state t∗∗ at time point mu¯r − d2. 

Again by construction, also π ′ i contains t∗∗ at time point mu¯r − d2 + 

d2 = mu¯r. Therefore, the state t ∗∗ appears also in π ′ at time point 

(n + mu)¯r + d1. 

We conclude that both t π′′ j 

k and t∗∗ appear in π ′ within the time 

interval ((n + mu)¯r, (n + mu + 1)¯r). From T K, t π′′ j 


therefore by induction T K, t∗∗ |=c ϕ2. 

Since t∗∗ appears in π ′ i at time point mu¯r being the upper bound of 

I, also the time bound of the until is satisfied for t∗∗ on π ′ i . 

Finally, we have already shown that all states up to index v in π ′ i 

satisfy ϕ1. This holds also for all remaining states preceeding t∗∗ in 

, since they also appear in π′′ before the index k. Thus the index 

π ′ i j 

of t∗∗ in π ′ i satisfies the condition of the bounded until on π′ i . 

(iii) For the case d π′′ 

j 

k ∈ I1 = I\I2 we observe that t π′ i 

l 

j 

= tπ′′ 

l−v for all l ≥ v. 

Therefore, T K, t π′′ j 

k |=c ϕ2 implies T K, t π′ 

i 

k+v |=c ϕ2. Since d π′′ j 

k 

∈ I2 

we have d π′′ 

j 

k ≤ mu¯r − d2 and thus d π′ i 

j 

k+v = dπ′′ 

k + d2 ≤ mu¯r, i.e., the 

duration of π ′ i until the (k + v)-th state is below the upper bound of 

I. It is easy to see that this duration is also above the lower bound 

(d π′′ 

j 

k is above the lower bound and d π′ 

i 

j 

k+v = dπ′′ 

k + d2 > d π′′ 

j 

k ). 

We have already shown above that the states with indices up to v 

satisfy ϕ1. Furthermore, T K, t π′′ 

j 

l 

|=c ϕ1 implies T K, t π′ 

i 

l+v |=c ϕ1 for 

all l < k Therefore, the index (k + v) is appropriate to show that the 

path π ′ i satisfies the bounded until property. 

– ϕ = A ϕ1 UI ϕ2, 

“⇒”: This proof case it quite analogous to the “⇒” direction of the existentially 

quantified bounded until case. The proof structure is illustrated in 

Figure 3. 

Assume that R, tπ i |=c A ϕ1 UI ϕ2 holds. Then by definition each path 

πi ∈ tfPathsT K(tπ i ) has a time refinement π′ i ∈ tfPathsT K(tπ i ) such that for 

some index k with d π′ 

i 

0 ≤ l < k. 

k 

i 

∈ I we have T K, tπ′ 


i 

l |=c ϕ1 for all 

We show that R, tπ j |=c A ϕ1 UI ϕ2 holds. Let πj ∈ tfPathsT K(tπ j ) be a path. 

Due to time robustness, πj has a time refinement π ′ j ∈ tfPathsT K(tπ j ) which 

contains a state t∗∗ at time point ml¯r (which is tπ j in case ml = 0) and a 

state t∗ at time point ml¯r − d2 − d1/2 in case ml > 0. 

Let π ′ j be such a time refinement and let πi be the concatenation of π pre 

i 

and 

π ′ j . From R, tπi |=c A ϕ1 UI ϕ2 we conclude that there is a time refinement


π : 

πj : 

π ′ j : 

πi : 

π ′ i : 

π ′′ 

j : 

π ′ : 

0 ¯r 2¯r 3¯r 4¯r 5¯r 

t π i 

t π j 

n¯r d1 d2 d3 

π pre π pre 

i 

t π j 

ml ¯r−d2− d 1 2 

t π j t ∗ 


π pre 

i 


π pre′ 

i 

t π j t ∗ 


π pre π ′ i 

Fig. 3: Lemma 1: Proof structure for the “⇒” direction of universally quantified 

bounded until 

I1 

π ′ j 

π ′′ 

j 

ml ¯r 

I 

t ∗∗ 

t ∗∗ 

t ∗∗ 

t ∗∗ 

t ∗∗ 

I2 

I 

I


π ′ i of πi and an index k s.t. d π′ 

i 

i 

k ∈ I, T K, tπ′ 

k |=c ϕ2, and T K, t π′ i 

l |=c ϕ1 for 

all 0 ≤ l < k. Let π ′ i be such a path and k such an index. 

Note that π ′ i contains the state tπj at time point d2. Let π pre′ 

i and π ′′ 

j be 

the prefix resp. suffix of π ′ i ending resp. starting at that state. Let v be the 

number of states in π pre′ 

i and let π ′ be the concatenation of πpre and π ′ i . We 

show that the bounded until is satisfied along π ′′ 

j , being a time refinement 

of πj. 

Remember that ml¯r is the lower bound of I. We distinguish between (i) 

d π′ 

i 

k ∈ I1 = [ml¯r, ml¯r + d2 + d3) and (ii) d π′ 

i 

k ∈ I2 = I\I1. 

(i) Assume first that d π′ i 

k ∈ I1 = [ml¯r, ml¯r + d2 + d3). We observe that π ′ i 

contains the state t∗∗ at time point ml¯r + d2 (we added this sample 

point when refining πj to π ′ j ), thus t∗∗ appears in π ′ at time point (n + 

ml)¯r + d1 + d2. Furthermore, we assumed that d π′ 

i 

k ∈ I1, i.e., ml¯r ≤ 

d π′ 

i 

k < ml¯r + d2 + d3, implying that t π′ i 

[(n + ml)¯r + d1, (n + ml + 1)¯r). Thus both t∗∗ and t π′ i 

k appear in π′ in 

the interval ((n + ml)¯r, (n + ml + 1)¯r), and from T K, t π′ 

i 


by induction that T K, t∗∗ |=c ϕ2. 

k appears in π′ at a time point in 

Note that t ∗∗ also appears in π ′′ 

j . We want to show that the index of t∗∗ in 

π ′′ 

j 

satisfies the conditions for the satisfaction of the until formula by π′′ 

j . 

We already have shown that T K, t ∗∗ |=c ϕ2. Additionally, t ∗∗ appears in 

π ′′ 

j at time point ml¯r, which is the left end point of the interval I. 

In case ml = 0 we are done, because there are no states prior to t∗∗ in 

π ′′ 

j . Otherwise, if ml > 0, it remains to show that all states prior to t∗∗ in π ′′ 

j satisfy ϕ1. There are two cases. 

∗ We know that all states t π′ 

i 

l 

with l < k (especially all states at time 

points less than ml¯r) satisfy ϕ1. We conclude that the states in π ′′ 

j at 

time points less than ml¯r − d2, building a subset of the above states, 

all satisfy ϕ1. 

∗ It remains to show that all states at time points from [ml¯r −d2, ml¯r) 

in π ′′ 

j also satisfy ϕ1. Notice that π ′ i contains the state t∗ at time 

point ml¯r − d1/2. Since this time point is below the lower bound of 

I we have T K, t ∗ |=c ϕ1. 

This state t ∗ appears in π ′ is at time point 

(n¯r + d1) + (ml¯r − d1/2) = (n + ml)¯r + d1/2 . 

By induction we get that all states appearing in π ′ at time points 

from the interval ((n + ml)¯r, (n + ml + 1)¯r) satisfy ϕ1. I.e., all states 

in π ′′ 

j at time points from 

((n + ml)¯r − (n¯r + d1 + d2), (n + ml + 1)¯r − (n¯r + d1 + d2)) 

= (ml¯r − d1 − d2, (ml + 1)¯r − d1 − d2) 

⊇ [ml¯r − d2, ml¯r) 

satisfy ϕ1.


(ii) For the case d π′ 

i 

k ∈ I2 = I\I1 let v be the number of states in π pre′ 

i . We 

show that k − v is a proper index for the satisfaction of the bounded 

until along π ′′ 

j . 

We observe that t π′′ 

j 

l 

T K, t π′′ 

j 

i = tπ′ 

l+v 

i 

for all l. Therefore, T K, tπ′ 

k |=c ϕ2 implies 

k−v |=c ϕ2. Since d π′ i 

k ∈ I2 we have d π′ i 

k ≥ ml¯r + d2 + d3 and 

thus d π′′ j 

i 

k−v = dπ′ 

k − d2 ≥ ml¯r + d3, i.e., the duration of π ′′ 

j until the 

(k − v)-th state is above the lower bound of I. It is easy to see that this 

duration is also below the upper bound (d π′ 

i 

k is below the upper bound 

and d π′′ j 

i 

k−v = dπ′ 

k − d2 < d π′ i 

k ). 

Finally, T K, t π′ 

i 

l+v |=c ϕ1 implies T K, t π′′ 

j 

l |=c ϕ1 for all l < k−v Therefore, 

the index (k − v) is appropriate to show that the path π ′′ 

j satisfies the 

bounded until property. 

“⇐”: This proof case is quite analogous to the “⇐” case of the existentially 

quantified bounded until. The proof structure is illustrated in Figure 4. 

Assume that R, t π j |=c A ϕ1 UI ϕ2 holds. Then by definition for all paths 

πj ∈ tfPaths T K(t π j ) there is a time refinement π′ j ∈ tfPaths T K(t π j ) of πj and 

an index k s.t. d π′ 

j 

j 

k ∈ I, T K, tπ′ 


j 

l |=c ϕ1 for all 0 ≤ l < k. 

We show that R, tπ i |=c A ϕ1 UI ϕ2 holds. Let πi ∈ tfPathsT K(tπ i ) be a path. 

Due to time robustness, πi has a time refinement π ′ i ∈ tfPathsT K(tπ i ) which 

contains the state tπ j at time point d2, and in case the upper bound of I is 

finite also a state t∗∗ at time point mu¯r. Note that time robustness assures 

that the state at time point d2 is tπ j . 

Let π pre′ 

i and πj be the prefix resp. suffix of π ′ i 

ending resp. starting at 

time point d2, i.e., at the state tπ j . From R, tπj |=c A ϕ1 UI ϕ2 we conclude 

that there is a time refinement π ′ j of πj and an index k such that d π′ 

j 

k 

T K, t π′ 

j 

∈ I, 


j 

l |=c ϕ1 for all 0 ≤ l < k. 

Let π ′′ 

i be the concatenation of πpre′ i and π ′ j . Note that π′′ i is a time refinement 

of πi. We show that the bounded until holds along π ′′ 

i . We distinguish 

between k = 0 and k > 0. 

k = 0 For the case k = 0 notice that t π′ 

j 

0 = tπj and thus T K, tπj |=c ϕ2. Using the 

path π, by induction we get T K, tπ i |=c ϕ2. Furthermore, since d π′ 

j 

0 = 0 

and d π′ j 

0 ∈ I, the lower bound of I must be 0. I.e., the index 0 satisfies 

the condition for the bounded until on the path π ′′ 

i . 

k > 0 Otherwise, if k > 0 then T K, tπ j |=c ϕ1 and we get by induction that 

T K, t π′′ 

i 

l |=c ϕ1 for all l < v (i.e., all states in the prefix π pre′ 

i 

ending at tπ j at time point d2 satisfy ϕ1). 

of π ′′ 

i 

(i) If the upper bound of I is INF then from T K, t π′′ 

j 

k |=c ϕ2 and t π′′ 

j 

k = 

t π′ 

i 

k+v 

i 

we conclude that T K, tπ′ 

k+v |=c ϕ2. Furthermore, d π′′ 

j 

k is above 

the lower bound of I and d π′ 

i 

k+v 

j 

= dπ′′ 

k + d2, i.e., d π′ 

i 

k+v 

∈ I.

π : 

πi : 

π ′ i : 

πj : 

π ′ j : 

π ′′ 

i : 

π ′ : 


0 ¯r 2¯r 3¯r 4¯r 5¯r 

t π i 

t π j 

n¯r d1 d2 d3 

π pre π pre 

i 

t π i 

t π i 

π pre′ 

i 

d2 

t π j 

t π j 

t π j 

I 

πj 

I1 

mu ¯r 

t ∗∗ 

t ∗∗ 

t ∗∗ 


π pre′ 

i 


π pre π ′′ 

i 

Fig. 4: Lemma 1: Proof structure for the “⇐” direction of universally quantified 

bounded until 

I 

π ′ j 

I 

I2


Finally, all states with indices from v to (k + v − 1) in π ′ i satisfy ϕ1, 

since they also appear in π ′′ 

j before the index k. We have already 

shown above that the states with indices up to v also satisfy ϕ1, 

therefore the bounded until is satisfied along the path π ′ i . 

(ii) Otherwise mu¯r is the finite upper bound of I. Note that k > 0 

implies mu > 0. We assume first d π′ 

j 

k ∈ I2 = (mu¯r − d2, mu¯r] and 

cover d π′ 

j 

k ∈ I1 = I\I2 in case (iii). 

Let π ′ be the concatenation πpre′ and π ′′ 

j 

j . The state tπ′ 

k appears in 

π ′ j by assumption at a time point in (mu¯r − d2, mu¯r], and therefore 

also in π ′′ 

i at a time point in (mu¯r, mu¯r + d2] and in π ′ at time point 

((n + mu)¯r + d1, (n + mu)¯r + d1 + d2]. 

By construction π ′ j contains the state t∗∗ at time point mu¯r − d2. 

Again by construction, also π ′′ 

i contains t∗∗ at time point mu¯r −d2 + 

d2 = mu¯r. Therefore, the state t∗∗ appears also in π ′ at time point 

(n + mu)¯r + d1. 

We conclude that both t π′ 

j 

k and t∗∗ appear in π ′ within the time 

interval ((n + mu)¯r, (n + mu + 1)¯r). From T K, t π′ 

j 


therefore by induction T K, t ∗∗ |=c ϕ2 . 

Since t ∗∗ appears in π ′′ 

i at time point mu¯r being the upper bound of 

I, also the time bound of the until is satisfied for t ∗∗ on π ′′ 

i . 

We have shown above that all states with indices up to v in π ′′ 

i satisfy 

ϕ1. The remaining states preceeding t ∗∗ in π ′′ 

i also satisfy ϕ1, since 

they appear in π ′ j before the index k. Thus the index of t∗∗ in π ′′ 

i 

satisfies the condition of the bounded until on π ′ i . 

(iii) For the case d π′ j 

k ∈ I1 = I\I2 we observe that t π′′ 

i 

l 

j 

= tπ′ 

l−v 

for all l ≥ v. 

Therefore, T K, t π′ 

j 

k |=c ϕ2 implies T K, t π′′ i 

k+v |=c ϕ2. Since d π′ 

j 

k 

∈ I2 

we have d π′ 

j 

k ≤ mu¯r − d2 and thus d π′′ 

i 

j 

k+v = dπ′ 

k + d2 ≤ mu¯r, i.e., the 

duration of π ′′ 

i until the (k + v)-th state is below the upper bound of 

I. It is easy to see that this duration is also above the lower bound 

(d π′ j 

k 

i 

j 

is above the lower bound and dπ′′ 

k+v = dπ′ 

k + d2 > d π′ j 

k ). 

We have shown above that all states with indices up to v satisfy ϕ1. 

Furthermore, T K, t π′ j 

l |=c ϕ1 implies T K, t π′′ i 

l+v |=c ϕ1 for all l < k. 

Therefore, the index (k + v) is appropriate to show that the path π ′′ 

i 

satisfies the bounded until property. 

Based on the above lemma we gain our completeness result: 

Theorem 1. Assume a time-robust real-time rewrite theory R whose time domain 

satisfies the theory GCD-TIME-DOMAIN. Let Π be a set of tick-invariant 

atomic propositions, and assume a protecting extension of R defining the atomic 

propositions in Π and inducing a labeling function LΠ. Let t0 be a state of R, r 

a non-zero time value of sort Time, ϕ a TCTLcb formula over Π, and assume


that ¯r = GCD(R, t0, r, ϕ) is a defined non-zero time value. Then 

R, LΠ, t |=c ϕ ⇐⇒ R gcd(t0,r,ϕ) , LΠ, t |=p ϕ 

for all states t reachable in R gcd(t0,r,ϕ) from t0. 

Proof. Notice that t0 is also a state of R gcd(t0,r,ϕ) . Furthermore, all states t 

reachable in the abstraction R gcd(t0,r,ϕ) from t0 are also states reachable in R 

from t0. 

Since t is reachable in T K gcd , there is a path π pre ∈ tfPaths T K gcd(t0) leading 

from t0 to t. Let π pre be such a path and let n0 be the number of states in π pre . 

Note that π pre has tick steps of length ¯r/2 and also that π pre ∈ tfPaths T K(t0). 

We denote by T K the timed Kripke structure associated to R, by T K gcd the 

timed Kripke structure associated to R gcd(t0,r,ϕ) . By definition 

R, LP , t |=c ϕ ⇐⇒ T K, t |=c ϕ, 

R gcd(t0,r,ϕ) , LP , t |=p ϕ ⇐⇒ T K gcd , t |=p ϕ. 

Thus the theorem is equivalently proved, if we show that 

T K, t |=c ϕ ⇐⇒ T K gcd , t |=p ϕ. 

Given a TCTLcb formula of the kind E ϕ1 UI ϕ2 or A ϕ1 UI ϕ2, we refer to 

the path formula ϕ1 UI ϕ2 as “the until path formula”. 

The proof is done by induction on the structure of ϕ. Base cases: 

– ϕ = true: We have R, LP , t |=c true and R gcd(t0,r,ϕ) , LP , t |=p true for all t 

by definition of, respectively, |=c and |=p. 

– ϕ = p: We have R, LP , t |=c p iff p ∈ LP (t) iff R gcd(t0,r,ϕ) , LP , t |=p p, by 

definition of |=c and |=p. 

Assume now that the theorem holds by induction hypothesis for ϕ1 and ϕ2 that 

is, respectively, 

R, LP , t |=c ϕ1 ⇐⇒ R gcd(t0,r,ϕ) , LP , t |=p ϕ1, 

R, LP , t |=c ϕ2 ⇐⇒ R gcd(t0,r,ϕ) , LP , t |=p ϕ2, 

for all states t reachable in the abstraction R gcd(t0,r,ϕ) from t0. 

– ϕ = ¬ϕ1: 

– ϕ = ϕ1 ∧ ϕ2: 

T K, t |=c ¬ϕ1 ⇐⇒ not (T K, t |=c ϕ1) (by def. of |=c) 

⇐⇒ not (T K gcd , t |=p ϕ1) (by ind. on ϕ1) 

⇐⇒ T K gcd , t |=p ¬ϕ1 . (by def. of |=p) 

T K, t |=c ϕ1 ∧ ϕ2 ⇐⇒ T K, t |=c ϕ1 and T K, t |=c ϕ2 

⇐⇒ T K 

(by def. of |=c) 

gcd , t |=p ϕ1 and 

T K gcd , t |=p ϕ2 

(by ind. on ϕ1 and ϕ2) 

⇐⇒ T K gcd , t |=p ϕ1 ∧ ϕ2 . (by def. of |=p)


– ϕ = E ϕ1 UI ϕ2: We need to show both implication directions. 

“⇐”: Assume T K gcd , t |=p ϕ. By definition 

T K gcd , t |=p ϕ iff there exists π ∈ tfPathsT Kgcd(t) and an index j s.t. dπ j ∈ I, 

T K gcd , t π j |=p ϕ2, and ∀ 0 ≤ i < j T K gcd , t π i |=p ϕ1. 

Let π be such a path and j such an index. Note that all tick steps in π have 

duration ¯r/2. 

This path π is also in tfPaths T K(t). We show that for each time refinement 

π ′ ∈ tfPathsT K(t) of π there is an index j ′′ s.t. dπ′ j ′′ ∈ I, T K, tπ′ j ′′ |=c ϕ2, and 

T K, t π′ 

i |=c ϕ1 for all 0 ≤ i < j ′′ . 

Let π ′ ∈ tfPaths T K(t) be a time refinement of π. Then t π j 

also appears in 

π ′ at the same time point dπ j at some index j′ , i.e., dπ′ j ′ ∈ I. By induction 

T K, t π j |=c ϕ2 and from t π j 

dπ j is a multiple of ¯r/2 we have that dπ′ j ′ = dπj Let π0 be the concatenation of πpre and π ′ . Then tπ′ = tπ′ j ′ we get T K, tπ′ j ′ |=c ϕ2. Furthermore, since 

is also a multiple of ¯r/2. 

j ′ appears in π0 at position 

n0 + j ′ and time point d π0 

n0+j ′. If dπ0 

n0+j ′ is a multiple of ¯r then we define 

j ′′ = j ′ . Otherwise let d π0 

n0+j ′ be in the time interval (n¯r, (n + 1)¯r) for some 

n ∈ N0. Let j ′′ be the smallest index such that d π0 

n0+j ′′ ∈ (n¯r, (n + 1)¯r). Then 

by Lemma 1 we conclude from T K, tπ′ j ′ |=c ϕ2 and tπ′ ′ = tπ0 ′ that also 

T K, t π0 

n0+j ′′ |=c ϕ2, i.e., T K, t π′ 

j ′′ |=c ϕ2. 

j 

n0+j 

Similarly, by induction we get that T K, t π′ 

i |=c ϕ1 for all i < j ′′ in case d π′ 

i is 

a multiple of ¯r/2, since these states also appear in π at the same time points 

and they satisfy ϕ1 in the pointwise semantics by assumption. 

For the other states t π′ 

i in π ′ appearing before the index j ′′ we use the 

concatenation π0 of π pre and π ′ to show that they satisfy ϕ1 using Lemma 1. 

Note that those states t π′ 

i all appear in π0 in some time interval (n¯r, (n+1)¯r). 

Furthermore, in this interval there is also a state tmid at the time point 

n¯r + ¯r/2, for which we have already shown that T K, tmid |=c ϕ1. Thus by 

Lemma 1 and using the path π0, also t π′ 

i satisfies ϕ1. 

“⇒”: Assume T K, t |=c E ϕ1 UI ϕ2. By definition 

T K, t |=c E ϕ1 UI ϕ2 iff there is a path π ∈ tfPaths T K(t) s. t. for each time 

refinement π ′ ∈ tfPaths T K(t) of π there is an index 

j ′ s.t. dπ′ j ′ ∈ I, T K, tπ′ j ′ |=c ϕ2, and ∀ 0 ≤ i < j ′ 

T K, t π′ 

i |=c ϕ1. 

Let π be such a path. Let π ′ be a time refinement of π in which a state 

appears at all time points n¯r/2 for n ∈ N0. By the above definition we 

conclude that there is an index j ′ such that dπ′ j ′ ∈ I, T K, tπ′ j ′ |=c ϕ2, and 

T K, t π′ 

i |=c ϕ1 for all 0 ≤ i < j ′ . 

Next we define an index j ′′ satisfying the same conditions as j ′ but addi- 

tionally such that d π′ 

j 

′′ is a multiple of ¯r/2. If dπ′ j 

then let j ′′ = j ′ . Otherwise let again π0 be the concatenation of πpre and π ′ . 

′′ is already a multiple of ¯r/2


Then dπ′ j ′ is in π0 in an interval (n¯r, (n + 1)¯r) for some n ∈ N0. Furthermore 

there is another state tmid at time point n¯r + ¯r/2 and index n0 + j ′′ in π0. 

Again by Lemma 1 we have T K, tπ′ j ′′ |=c ϕ2. 

Now we can build a time abstraction of π ′ which we obtain by replacing each 

rl 

tick step sequence tl −→ . . . rl+i−1 

−→ tl+i with dπ′ l = n¯r/2 and dπ′ 

l+i = (n+1)¯r/2 

r 

for some n ∈ N0 by tl −→ tl+i with r = l+i−1 ri. 

This time abstraction π ′′ is a path of T K gcd , and the states of π ′′ appear 

at the same time points also in π ′ . Furthermore, since dπ′ j ′′ is a multiple of 

¯r/2, it also appears in π ′′ at some position j ′′′ . Finally, since all states in π ′ 

with index less that j ′′ satisfy ϕ1, also all states in π ′′ with index less that 

j ′′′ , building a subset of the previous ones, satisfy ϕ1. Thus π ′′ satisfies the 

bounded until path formula, i.e., T K gcd , t |=p E ϕ1 UI ϕ2. 

– ϕ = A ϕ1 UI ϕ2: We need to show both implication directions. 

“⇐”: Assume that T K gcd , t |=p A ϕ1 UI ϕ2. By definition 

T K gcd , t |=p A ϕ1 UI ϕ2 iff for each π ∈ tfPathsT Kgcd(t) there is an index j s.t. dπ j ∈ I, 

i=l 

T K gcd , t π j |=p ϕ2 and ∀ 0 ≤ i < j T K gcd , t π i |=p ϕ1. 

In order to prove that T K, t |=c A ϕ1 UI ϕ2, we have to show that for each 

path π ∈ tfPathsT K(t) there exists a time refinement π ′ ∈ tfPathsT K(t) of π 

and an index j s.t. dπ′ j ∈ I, T K, tπ′ j |=c ϕ2, and ∀ 0 ≤ i < j T K, tπ′ i |=c ϕ1. 

Let π ∈ tfPathsT K(t) and let π ′ ∈ tfPathsT K(t) be a refinement of π containing 

a state at each time point n¯r/2, n ∈ N0. 

We obtain π ′′ from π ′ rl 

by replacing each tick step sequence tl −→ . . . rl+i−1 

−→ 

r 

−→ tl+i 

tl+i with d π′ 

l 

with r = l+i−1 

i=l 

= n¯r/2 and dπ′ 

l+i = (n + 1)¯r/2 for some n ∈ N0 by tl 

ri. 

Note that π ′′ is in tfPaths T K gcd(t) and thus by assumption there is an index 

j such that d π j ∈ I, T Kgcd , t π j |=p ϕ2 and T K gcd , t π i |=p ϕ1 for all 0 ≤ i < j. 

Let j be such an index. 

Then by construction and induction there exists an index j ′ such that dπ′ j ′ is 

a multiple of ¯r/2, dπ′ j ′ ∈ I, T K, tπ′ j ′ |=c ϕ2 and T K, tπ′ i |=c ϕ1 for all 0 ≤ i < j ′ 

with d π′ 

i 

being a multiple of ¯r/2. For the other states prior to the index j′ 

we construct π0 as the composition of π pre and π ′ . Note that in each interval 

(n¯r, (n + 1)¯r) with (n + 1)¯r < tπ′ j ′ there is a point at n¯r + ¯r/2, for which 

we have already shown to satisfy ϕ1. Thus by Lemma 1 also the states that 

are prior to the index j ′′ and are not at multiples of ¯r/2 satisfy ϕ1. Hence 

π ′ |=c ϕ. 

“⇒”: Assume T K, t |=c A ϕ1 UI ϕ2. 

T K, t |=c A ϕ1 UI ϕ2 iff for each path π ∈ tfPathsT K(t) there is a time 

refinement π ′ ∈ tfPathsT K(t) of π 

and an index j s.t. dπ′ j ∈ I, 

T K, tπ′ j |=c ϕ2, and ∀ 0 ≤ i < j T K, tπ′ i |=c ϕ1.


In order to prove that T K gcd , t |=p A ϕ1 UI ϕ2, we have to show that for 

each π ∈ tfPathsT Kgcd(t) there is an index j s.t. dπ j ∈ I, T Kgcd , tπ j |=p ϕ2, 

and ∀ 0 ≤ i < j T K gcd , tπ i |=p ϕ1. 

Let π ∈ tfPathsT Kgcd(t). We know that π is also a path in T K, thus by 

assumption there exist a path refinement π ′ of π that satisfies the until path 

formula in the continuous semantics in T K. By definition, all tick durations 

in π ′ are ≤ ¯r 

2 , thus, we can define π′′ to be the same time abstraction of π ′ 

that we defined in the proof for the (“⇒”) of the existential until, where we 

removed all states at time points non-multiple of ¯r . We have already shown 

2 

how this path also satisfies the until path formula in T K, thanks to Lemma 1. 

In particular, we have that π ′′ = π and, by using the induction hypotesis on 

ϕ1 and ϕ2 as we did for the “⇐” proof, we know that π ′′ satisfies the until 

path formula in the pointwise semantics in T K gcd , and hence T K gcd |=p ϕ. 

4.1 Soundness and completeness for TACLT and TECLT 

Since it is the theory R σ that is model checked, not all behaviors in the theory R 

are analyzed. Therefore, R σ , LΠ, s |= ϕ does not necessarily imply R, LΠ, s |= ϕ. 

However, for the universal fragment TACTL 8 , in the pointwise semantics, if a 

counter-example exists in the model checking of R σ , then this is also a counterexample 

in R; that is, for ϕA a TACTL formula, we have 

R σ , LΠ, s |=p ϕA =⇒ R, LΠ, s |=p ϕA. 

Thus, R σ is a complete abstraction of R for TACTL. 

However, if a counter-example does not exist in R σ , then this does not exclude 

the existence of a counter-example in R. 

Conversely, in the existential fragment, if the given state satisfies the TECTL 

formula in R σ in the pointwise semantics, meaning that there exists a path π 

satisfying the given formula, then this holds also for R, since π is also a path in 

R; that is, for ϕE a TECTL formula, we have 

R σ , LΠ, s |=p ϕE =⇒ R, LΠ, s |=p ϕE. 

Thus, R σ is a sound abstraction of R for TECTL. 

5 Implementation 

Our model checker makes the natural and reasonable assumption that given a 

real-time rewrite theory R, and an initial state t0 on which we would like to 

check some TCTL formula ϕ, all behaviors starting from t0 are time-diverging 

8 The universal and the existential fragments [13] of TCTL are defined by allowing 

negation only in front of propositions and by restricting quantification to the universal 

quantifier TACTL, and to the existential quantifier in TECTL.


w.r.t. the selected time sampling strategy σ. This assumption also implies that 

the transition relation T 

−→R σ in the timed Kripke structure T K(Rσ , t0)Π is total. 

The current implementation of the model checker assumes that time values 

are either in NAT-TIME-DOMAIN-WITH-INF or POSRAT-TIME-DOMAIN-WITH-INF, 

and provides the user with two possible model-checking strategies: 

(i) The basic strategy, which performs the model checking on the model obtained 

by applying the user-defined time sampling strategy on the original model. 

As we explained in section 4.1, this strategy provides a sound analysis for 

TETCL and a complete analysis for TATCL. 

(ii) The gcd strategy, which extends the maximal time sampling strategy with 

the “gcd” transformation to perform the model checking for the satisfaction 

problem R gcd(t0,r,ϕ) , LΠ, t0 |=p ϕ. 

Soundness and completeness of the gcd strategy might come at the cost of 

a larger state space due to the application of the gcd transformation. When the 

gcd strategy is impractical, the user can still perform model checking with the 

generally faster basic strategy, which does not increase the system state space 

and can still be very useful to discover potential bugs, as illustrated below. 

Real-Time Maude, and hence our model checker, is implemented in Maude, 

making extensive use of Maude’s meta-programming capabilities. Therefore, our 

model checker gets as input the meta-representation R of the Real-Time Maude 

model R to analyze, as well as the meta-representations t0 and ϕ of, respectively, 

the initial state t0 and the TCTL formula ϕ to check. The algorithm first applies 

the user selected time sampling strategy to R, and then explores the reachable 

state space to incrementally construct the timed Kripke structure T K(R σ , t0)Π, 

which is subsequently model checked (directly as it is in the default strategy, 

while, in the gcd strategy, it is further refined by “splitting” the transitions into 

smaller ones of duration equal to the computed greatest common divisor in the 

gcd strategy and then model checked). This is done by repeatedly using Maude’s 

meta-level descent functions metaSearch, to find all states reachable from a state 

in one rewrite step, and metaReduce, to check whether an atomic proposition 

holds in a state. Since the meta-representation of the states can be fairly large 9 , 

performing the rest of the model checking procedure on the generated timed 

Kripke structure is fairly inefficient. In our current implementation, we assign a 

unique natural number to each (meta-represented) state in the generated timed 

Kripke structure, and construct a more compact timed Kripke structure, where 

all the occurrences of these meta-represented states are replaced by their respective 

identifiers. We then perform the main part of the model checking procedure, 

namely, the recursive computation of the satisfaction set of ϕ on this compact 

representation. This optimization led to a large performance improvement and 

made it feasible to apply our model checker to a number of case studies in reasonable 

time, whereas working directly on meta-represented terms made model 

checking unfeasible even for simple case studies. 

9 For example, each state in the Maude representation of the Ptolemy II model in 

Section 6 “contains” the entire Ptolemy II model.


Our implementation of the TCTL model checker is based on the explicit-state 

CTL model checking approach [8] that, starting with the atomic propositions, 

recursively computes for each subformula of the desired TCTL formula the set 

of satisfying reachable states. We implemented specific procedures for a basic set 

of temporal modal operators and we expressed other formulas into this canonical 

form. The basic set consists of the CTL modal operators E ϕ1 U ϕ2, E G ϕ, 

the TCTL≤≥ 10 modal operators E ϕ1 U∼r ϕ2 with ∼∈ {>, ≥}, E ϕ1 U∼r ϕ2 

with ∼∈ {0 ϕ2 and the TCTLcb modal operator E ϕ1 U [a,b] ϕ2. 

The procedures for CTL modalities follow the standard explicit algorithm [8]. 

For TCTL≤≥ modalities, our implementation adapts the TCTL≤≥ model checking 

procedure defined in [19] for time-interval structures and to timed Kripke 

structures with time-diverging paths. 

We briefly explain the model checking procedure for ϕ = E ϕ1 U [a,b] ϕ2. We 

first compute the satisfacton set for the CTL formula ˆϕ = E ϕ1 U ϕ2, then we 

restrict the transition relation (which we here denote by tr) in the timed Kripke 

structure, to those transitions between states satisfying ˆϕ except transitions from 

¬ϕ1-states, obtaining ¯tr. We then recursively compute all the time distances from 

any state to some ϕ2 state up to b time units. This is computed by the operator 

computeDistances. The first two arguments of this operator are set of pairs of 

the kind < r, s > with r a time value and s a state (represented by a natural 

number in the current implementation), where each pair means that it is possible 

to reach some ϕ2-state from state s in time r ≤ b. The first set of such pairs is 

the set of time distances that still have to be “visited”, that is the predecessors 

of s still have to be visited with the given time stamp r. The second of such sets 

contains time distances that have already been visited. The third argument is 

the time bound b and the fourth argument is the restricted transition relation 

¯tr. The operator is initially called with 

computeDistances({< 0, ϕ2-state >},emptyRatNatPairSet,b, ¯tr), 

since each ϕ2-state can obviously be reached in zero time. 

vars RNPS0 RNPS1 RNPS RNPS’ : RatNatPairSet . 

vars TIME0 TIME : Rat . 

var TRTKS : TransRelTKS . 

var N0 : Nat . 

op computeDistances : 

RatNatPairSet RatNatPairSet Rat TransRelTKS -> RatNatPairSet . 

ceq computeDistances(( < TIME0, N0 > RNPS), RNPS’, TIME, TRTKS) = 

computeDistances((RNPS1 RNPS), (< TIME0, N0 > RNPS’), TIME, TRTKS) 

if RNPS0 := allTimedPredecessors(TRTKS,N0) /\ 

RNPS1 := addTimeAndFilter(RNPS0, TIME0, TIME) . 

eq computeDistances(emptyRatNatPairSet, RNPS’, TIME, TRTKS) = RNPS’ . 

10 We denote by TCTL≤≥ the restricted TCTL logic with time constraints on the 

temporal modalities of the form ∼ r, where ∼∈ {},


The operator allTimedPredecessors computes the set of < r, s > pairs 

where s is a predecessor of N0 that can reach N0 in r time in the given transition 

relation, for each pair of time distances that still have to be visited. Then 

addTimeAndFilter selects all pairs such that TIME0 + r ≤ b, which are then 

recursively added to the set of pairs to be “visited”, while < TIME0, N0 > is 

moved to the “visited pairs”. The computation terminates by returning all the 

visited pairs when all possible pairs have been “visited”. 

The satisfaction set of ϕ consists of all states that can reach a ϕ2-state in 

a time within the interval [a, b]. Notice that this procedure works also for open 

bounded intervals, and indeed our implementation covers also open bounded 

intervals, however, the model checked logic is closed under negation only for close 

bounded intervals. In particular, for modalities with close bounded intervals, we 

transform each formula of the kind A ϕ1 U [a,b] ϕ2, with a = 0, into its equivalent 

one A G


E tt U[


In order to analyze this property, we first define two state propositions, isPausing 

and isBreathing, in the expected way. The bounded response property is model 

checked using the following Real-Time Maude command: 

Maude> (mc-tctl initState |= 

AG(isPausing implies AF[ (mc-tctl initState |= AG(isPausing implies 

(AF[


Fig. 5: A Ptolemy II DE model of the railroad crossing benchmark. 

6.2 Ptolemy II Discrete Event Models 

As mentioned, Real-Time Maude provides a formal analysis tool for a set of modeling 

languages for embedded systems, including Ptolemy II discrete-event (DE) 

models. Ptolemy II [16] is a well-established modeling and simulation tool used 

in industry that provides a powerful yet intuitive graphical modeling language. 

Our model checker has been integrated into Ptolemy II by Kyungmin Bae, so 

that we can now model check TCTL properties of Ptolemy II DE models from 

within Ptolemy 12 . We show the TCTL analysis of the railroad crossing and the 

hierarchical traffic light existing Ptolemy II models. In this second case study, 

our model checking has uncovered a previously unknown flaw in the model. 

Railroad Crossing Model Figure 5 shows the Ptolemy II model of the well 

known railroad crossing benchmark. In this model, a train approaches a railroad 

crossing, and a gate should be lowered when a train is in the intersection. The 

12 Real-Time Maude verification commands can be entered into the dialog box that 

pops up when the button “Double click to generate code” in Fig. 6 is clicked.


model contains two finite state machines: one for the train and one for the gate. 

One transition is taken in each time unit in the state machine Train. We refer 

to [7] for a thorough explanation of the model. 

The Real-Time Maude specification for Ptolemy II DE models provides an intuitive 

syntax for specifying state propositions, so that e.g. the state proposition 

“the train is in state approaching” is written 

’RailroadSystem . ’Train @ ’approaching 

One important property that the system should satisfy is that the gate should 

open within a reasonable time (here 11 time units) after being lowered, which 

can be model checked by the following Real-Time Maude command: 

Maude> (mc-tctl {init} |= 

AG((’RailroadSystem . ’Gate @ ’closed) implies 

AF[ (mc-tctl {init} |= 

A not (’RailroadSystem . ’Gate)@ ’closed U AG[


Decision 

HierarchicalTrafficLight 

Normal 

TrafficLight 

TrafficLight 

Fig. 6: A hierarchical fault-tolerant traffic light system in Ptolemy II. 

Error 

(a) Pedestrianlight (b) Carlight 

Fig. 7: The FSM actors for pedestrian lights and car lights


Fig. 8: Dialog window for the hierarchical traffic light code generation. 


AG((’HierarchicalTrafficLight . ’Decision | (port ’Error is present)) 

implies AF[


Using the gcd strategy we can also determine a “minimal” time interval such 

that the above bounded response is satisfied in the system. In particular, we 

discovered that this interval is [5, 12] by trying different values for a and b in the 

interval-bounded command 


AG((’HierarchicalTrafficLight . ’Decision | (port ’Error is present)) 

implies AF[c a, b c] (’HierarchicalTrafficLight | 

(’Cyel = # 1, ’Cgrn = # 0, ’Cred = # 0)))) .) 

Figure 8 shows the dialog window for the Real-Time Maude code generation 

of the hierarchical traffic light model: after entering the error handling property, 

a simple click on the Generate button will display the result of the model 

checking command execution in the “Code Generator Commands” box. 

7 Conclusions and Future Work 

We have described the semantic foundations of our TCTL model checker for 

Real-Time Maude. Our modeling formalism is more expressive than those of 

other timed model checkers, allowing us to analyze real-time systems which 

are beyond the scope of other verification tools. In particular, we have proved 

soundness and completeness of our model checker for a class of dense-time Real 

Time Maude specifications that contain many systems outside the scope of other 

real-time model checkers. Furthermore, the introduced TCTL model checker also 

provides for free a timed temporal logic model checker for interesting subsets of 

modeling languages widely used in industry, such as Ptolemy II and the avionics 

standard AADL. 

So far, we have only proved soundness and completeness for formulas with 

closed intervals under the continuous semantics. We should also cover formulas 

with open time intervals and the pointwise semantics. The model checker should 

also provide counter-examples in a user-friendly way, when possible. We should 

also extend our model checker to time-bounded TCTL model checking to support 

the model checking of systems with infinite reachable state space. Finally, the 

current version of the tool is implemented at the Maude meta-level; for efficiency 

purposes, it should be implemented in C++ in the Maude engine. 

References 

1. Aalst, W.M.P.v.d.: Interval timed coloured Petri nets and their analysis. In: Application 

and Theory of Petri Nets 1993. LNCS, vol. 691, pp. 453–472. Springer 

(1993) 

2. AlTurki, M., Meseguer, J.: Real-time rewriting semantics of Orc. In: Proc. 

PPDP’07. ACM (2007) 

3. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 

126(2), 183–235 (1994) 

4. Alur, R., Henzinger, T.: Logics and models of real time: A survey. In: Real Time: 

Theory in Practice. LNCS, vol. 600. Springer (1992)


5. Alur, R., Courcoubetis, C., Dill, D.: Model-checking in dense real-time. Inf. Comput. 

104, 2–34 (May 1993) 

6. Bae, K., Ölveczky, P.C., Al-Nayeem, A., Meseguer, J.: Synchronous AADL and its 

formal analysis in Real-Time Maude. In: ICFEM’11. LNCS, vol. 6991. Springer 

(2011) 

7. Bae, K., Ölveczky, P.C., Feng, T.H., Lee, E.A., Tripakis, S.: Verifying hierarchical 

Ptolemy II discrete-event models using Real-Time Maude. Science of Computer 

Programming (2011), to appear, doi:10.1016/j.scico.2010.10.002 

8. Baier, C., Katoen, J.P.: Principles of Model Checking. MIT Press (2008) 

9. Behrmann, G., David, A., Larsen, K.G.: A tutorial on uppaal. In: SFM-RT 2004. 

LNCS, vol. 3185. Springer (2004) 

10. Boronat, A., Ölveczky, P.C.: Formal real-time model transformations in MO- 

MENT2. In: FASE’10. LNCS, vol. 6013. Springer (2010) 

11. Boucheneb, H., Gardey, G., Roux, O.H.: TCTL Model Checking of Time Petri 

Nets. J Logic Computation 19(6), 1509–1540 (2009) 

12. Bouyer, P.: Model-checking timed temporal logics. ENTCS 231, 323–341 (2009) 

13. Clarke, E., Grumberg, O., Peled, D.A.: Model Checking. MIT Press (1999) 

14. Clarke, E.M., Grumberg, O., McMillan, K.L., Zhao, X.: Efficient generation of 

counterexamples and witnesses in symbolic model checking. In: DAC ’95 (1995) 

15. Clavel, M., Durán, F., Eker, S., Lincoln, P., Martí-Oliet, N., Meseguer, J., Talcott, 

C.: All About Maude, LNCS, vol. 4350. Springer (2007) 

16. Eker, J., Janneck, J.W., Lee, E.A., Liu, J., Liu, X., Ludvig, J., Neuendorffer, S., 

Sachs, S., Xiong, Y.: Taming heterogeneity—the Ptolemy approach. Proceedings 

of the IEEE 91(2), 127–144 (2003) 

17. Gardey, G., Lime, D., Magnin, M., Roux, O.H.: Roméo: A tool for analyzing time 

Petri nets. In: CAV’05. LNCS, vol. 3576. Springer, Edinburgh, Scotland, UK (2005) 

18. Katelman, M., Meseguer, J., Hou, J.: Redesign of the LMST wireless sensor protocol 

through formal modeling and statistical model checking. In: Proc. FMOODS’08. 


19. Laroussinie, F., Markey, N., Schnoebelen, P.: Efficient timed model checking for 

discrete-time systems. Theor. Comput. Sci. 353, 249–271 (2006) 

20. Lepri, D., Ölveczky, P.C., Ábrahám, E.: Model checking classes of metric LTL 

properties of object-oriented Real-Time Maude specifications. In: Proc. RTRTS’10. 

EPTCS, vol. 36, pp. 117–136 (2010) 

21. Lien, E., Ölveczky, P.C.: Formal modeling and analysis of an IETF multicast protocol. 

In: Proc. SEFM’09. IEEE Computer Society (2009) 

22. Markey, N., Schnoebelen, P.: TSMV: A Symbolic Model Checker for Quantitative 

Analysis of Systems. In: QEST. IEEE Computer Society (2004) 

23. Morasca, S., Pezzè, M., Trubian, M.: Timed high-level nets. The Journal of Real- 

Time Systems 3, 165–189 (1991) 

24. Ölveczky, P.C.: Towards formal modeling and analysis of networks of embedded 

medical devices in Real-Time Maude. In: Proc. SNPD’08. IEEE (2008) 

25. Ölveczky, P.C.: Semantics, simulation, and formal analysis of modeling languages 

for embedded systems in Real-Time Maude. In: Formal Modeling: Actors, Open 

Systems, Biological Systems. LNCS, vol. 7000. Springer (2011) 

26. Ölveczky, P.C., Boronat, A., Meseguer, J.: Formal semantics and analysis of behavioral 

AADL models in Real-Time Maude. In: Proc. FMOODS/FORTE’10. LNCS, 

vol. 6117. Springer (2010) 

27. Ölveczky, P.C., Caccamo, M.: Formal simulation and analysis of the CASH scheduling 

algorithm in Real-Time Maude. In: Proc. FASE’06. LNCS, vol. 3922. Springer 

(2006)


28. Ölveczky, P.C., Meseguer, J.: Specification of real-time and hybrid systems in 

rewriting logic. Theoretical Computer Science 285, 359–405 (2002) 

29. Ölveczky, P.C., Meseguer, J.: Abstraction and completeness for Real-Time Maude. 

Electronic Notes in Theoretical Computer Science 176(4), 5–27 (2007) 

30. Ölveczky, P.C., Meseguer, J.: Semantics and pragmatics of Real-Time Maude. 

Higher-Order and Symbolic Computation 20(1-2), 161–196 (2007) 

31. Ölveczky, P.C., Meseguer, J.: The Real-Time Maude tool. In: Proc. TACAS’08. 


32. Ölveczky, P.C., Meseguer, J., Talcott, C.L.: Specification and analysis of the 

AER/NCA active network protocol suite in Real-Time Maude. Formal Methods 

in System Design 29(3), 253–293 (2006) 

33. Ölveczky, P.C., Thorvaldsen, S.: Formal modeling, performance estimation, and 

model checking of wireless sensor network algorithms in Real-Time Maude. Theoretical 

Computer Science 410(2-3), 254–280 (2009) 

34. Riesco, A., Verdejo, A.: Implementing and analyzing in Maude the enhanced interior 

gateway routing protocol. Electr. Notes Theor. Comput. Sci. 238(3), 249–266 

(2009) 

35. Rivera, J.E., Durán, F., Vallecillo, A.: On the behavioral semantics of real-time 

domain specific visual languages. In: Proc. WRLA’10. LNCS, vol. 6381. Springer 

(2010), see also the e-Motions web page http://atenea.lcc.uma.es/index.php/ 

Main_Page/Resources/E-motions 

36. Wang, F.: Formal verification of timed systems: A survey and perspective. Proceedings 

of the IEEE 92(8), 1283–1307 (2004) 

37. Wang, F.: REDLIB for the formal verification of embedded systems. In: Proc. 

ISoLA’06. IEEE (2006) 

38. Wirsing, M., Bauer, S.S., Schroeder, A.: Modeling and analyzing adaptive usercentric 

systems in Real-Time Maude. In: Proc. RTRTS’10. EPTCS, vol. 36, pp. 

1–25 (2010) 

39. Yovine, S.: Kronos: A verification tool for real-time systems. Software Tools for 

Technology Transfer 1(1–2), 123–133 (1997)

Timed CTL Model Checking in Real-Time Maude⋆ - IfI

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?