VERIFIED MODEL CHECKING OF TIMED AUTOMATA
home.in.tum.de/~wimmers/papers/TACAS_18.pdf

SIMON WIMMER AND PETER LAMMICH, FAKULTÄT FÜR INFORMATIK, TECHNISCHE UNIVERSITÄT MÜNCHEN


Page 1: VERIFIED MODEL CHECKING OF TIMED AUTOMATA · home.in.tum.de/~wimmers/papers/TACAS_18.pdf · 2018-05-25 · HOW DO WE GET THERE? • Efficient Algorithms → Refinement • DBMs

VERIFIED MODEL CHECKING OF TIMED AUTOMATA

SIMON WIMMER AND PETER LAMMICH

FAKULTÄT FÜR INFORMATIK, TECHNISCHE UNIVERSITÄT MÜNCHEN

Page 2:

LIGHT SWITCH EXAMPLE

TIMED AUTOMATA

$E\Diamond\ \mathit{light}.\mathit{bright}$

$A\Diamond\ \mathit{light}.\mathit{bright}$

[Figure: automaton with locations A, B, C; edge labels: press!, press!, press!]

• One press: light turns low

• Two quick presses: light turns bright

• Two slow presses: light turns off

[Figure: automaton with node labels off, low, bright, fading; edge labels: press? c1 := 0, press? c1 ≥ 5, press? c1 < 5, press?; panel titles: LIGHT, USER]
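The light automaton described on this slide, as an added Python example (not code from the slides or from the authors' checker): it replays timed press sequences and searches for a witness of the query E◇ light.bright. The guard c1 ≥ 5 on the slow press, the press edge from bright back to off, and the restriction to integer delays are assumptions of this example.

```python
from collections import deque

FAST = 5  # constant from the slide's guards: c1 < 5 (quick) vs c1 >= 5 (slow)


def press(loc, c1):
    """Fire one press? edge from location `loc` with clock value `c1`.

    Returns the pair (new_location, new_c1).
    """
    if loc == "off":
        return "low", 0                      # press? with reset c1 := 0
    if loc == "low":
        # Quick second press brightens the light, slow one switches it off.
        return ("bright", c1) if c1 < FAST else ("off", c1)
    if loc == "bright":
        return "off", c1                     # assumed edge: any press turns it off
    raise ValueError(f"unknown location: {loc}")


def run(delays):
    """Replay a timed word: delays[i] is the time waited before press i."""
    loc, c1 = "off", 0
    for d in delays:
        if d < 0:
            raise ValueError("delays must be non-negative")
        c1 += d                              # time passes, the clock advances
        loc, c1 = press(loc, c1)
    return loc


def reachable(target):
    """Check E<> target by breadth-first search over (location, clock).

    Clock values above FAST satisfy exactly the same guards as FAST itself,
    so the clock is capped there and the state space stays finite.
    Returns the shortest witness as a list of delays, or None.
    """
    start = ("off", 0)
    seen = {start}
    # Queue entries: location, clock, presses so far, delay since last press.
    queue = deque([("off", 0, (), 0)])
    while queue:
        loc, c1, word, pending = queue.popleft()
        if loc == target:
            return list(word)
        successors = [
            # Let one time unit pass.
            (loc, min(c1 + 1, FAST), word, pending + 1),
            # Press the button now.
            (*press(loc, c1), word + (pending,), 0),
        ]
        for nloc, nc1, nword, npending in successors:
            if (nloc, nc1) not in seen:
                seen.add((nloc, nc1))
                queue.append((nloc, nc1, nword, npending))
    return None


if __name__ == "__main__":
    print("one press:        ", run([1]))
    print("two quick presses:", run([2, 3]))
    print("two slow presses: ", run([0, 7]))
    print("witness for E<> light.bright:", reachable("bright"))
```
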

Page 3:

LIGHT SWITCH EXAMPLE

TIMED AUTOMATA

$E\Diamond\ \mathit{light}.\mathit{bright}$

$A\Diamond\ \mathit{light}.\mathit{bright}$

A B

c2 3

C

press!

c2 := 0

press!press!

<latexit sha1_base64="tLZUMUNsFIQZW7zdKXbrBLnVoIA=">AAAGc3ichVRtb9s2EFbj1eu8t3b72C9c4wINpmhSHM9pMxXJiqD7MGAdsLQpLCOgqJNNmBJVkmrqCPof+z37F/sh+77TS7LITjECto+85567o59jmAmujev+fWer98nd/qf3Pht8/sWXX319/8E3r7XMFYNTJoVUZyHVIHgKp4YbAWeZApqEAt6EyxeV/817UJrL9A+zymCW0HnKY86owaPzB1t/BYYvLzWYAhC3IkLK7AdHm5UAv8CNhhS09r1RWQ6uoTzlhlNBDHwwflF5QpjztKj8GWcmV1BO9UIqAyl57nuZsVMZAYmwIZoy8McssWVK5opHNs2NnJEBIeRxUKGmiDFgtzlsQUMQfoFf8uLZkJ17JBDwjoyG5Yw80efeDgYWQzSG5WFFchtHgkaSJ0TzS/BHzhiSG7HH5SFZD9wM2Khjr1vH3g6ZKj5fGF/GBKntD3rBY+Pvjqpkxc+bxX2kqBES1UmuiFYN0fcTLKIlHTfo4kXDSoKMmsV093lzjW1rEM2h3hJSZ6WhfA8YhPrQ+rvypqvOh666rWc+cYdX7rqzwbW1QVq3fFXirldX1U1QtzS4tjYYBMT/S+DttDYhh4MA0qijtPP7266zdzB2D0YEjcn+ZDypjB/dkTcmnuPWa9tq1ytU/Z9BJFmeQGqYoFpPPTczs4Iqw5kAlHOuIaNsSecwRTOlCehZUU9bSR7jSURiqfCTGlKf3owoaKL1KgkRmeDfotd91eFtvmlu4oMZzlaW49iwJlGc45RJUo0uTo8CZsQKDcoUKpsRtqCKMoMDPuikCaVcGhpqbCWFCyaThOKlBXmWUSrKIqgGV7PitNmvobim5dSbNShuim1vHbGE1X8IHd+CyDMjMU/VJDIEtuMUP5WBjbAu7visRYUxDmIg5CWkc1gjO37ZAel3OVXrmJMbRCcfIzp52QHdSvQr0EjXxUdUL2p9U6XkRdm94UqAjVAqS/BQUbUqqrcM+aldh+j2x0kAj/SCZqDtTGpevb08ndsRMKnql1g71VWWA9TylWBRwk9xTfZb46l3reXXe47nOt7v+9tHR62q71kPrUfWE8uzJtaR9Yv1yjq1WG+n91vvrPf27j/9h/1H/WED3brTxnxrdVZ/919IuCJB</latexit><latexit 
sha1_base64="tLZUMUNsFIQZW7zdKXbrBLnVoIA=">AAAGc3ichVRtb9s2EFbj1eu8t3b72C9c4wINpmhSHM9pMxXJiqD7MGAdsLQpLCOgqJNNmBJVkmrqCPof+z37F/sh+77TS7LITjECto+85567o59jmAmujev+fWer98nd/qf3Pht8/sWXX319/8E3r7XMFYNTJoVUZyHVIHgKp4YbAWeZApqEAt6EyxeV/817UJrL9A+zymCW0HnKY86owaPzB1t/BYYvLzWYAhC3IkLK7AdHm5UAv8CNhhS09r1RWQ6uoTzlhlNBDHwwflF5QpjztKj8GWcmV1BO9UIqAyl57nuZsVMZAYmwIZoy8McssWVK5opHNs2NnJEBIeRxUKGmiDFgtzlsQUMQfoFf8uLZkJ17JBDwjoyG5Yw80efeDgYWQzSG5WFFchtHgkaSJ0TzS/BHzhiSG7HH5SFZD9wM2Khjr1vH3g6ZKj5fGF/GBKntD3rBY+Pvjqpkxc+bxX2kqBES1UmuiFYN0fcTLKIlHTfo4kXDSoKMmsV093lzjW1rEM2h3hJSZ6WhfA8YhPrQ+rvypqvOh666rWc+cYdX7rqzwbW1QVq3fFXirldX1U1QtzS4tjYYBMT/S+DttDYhh4MA0qijtPP7266zdzB2D0YEjcn+ZDypjB/dkTcmnuPWa9tq1ytU/Z9BJFmeQGqYoFpPPTczs4Iqw5kAlHOuIaNsSecwRTOlCehZUU9bSR7jSURiqfCTGlKf3owoaKL1KgkRmeDfotd91eFtvmlu4oMZzlaW49iwJlGc45RJUo0uTo8CZsQKDcoUKpsRtqCKMoMDPuikCaVcGhpqbCWFCyaThOKlBXmWUSrKIqgGV7PitNmvobim5dSbNShuim1vHbGE1X8IHd+CyDMjMU/VJDIEtuMUP5WBjbAu7visRYUxDmIg5CWkc1gjO37ZAel3OVXrmJMbRCcfIzp52QHdSvQr0EjXxUdUL2p9U6XkRdm94UqAjVAqS/BQUbUqqrcM+aldh+j2x0kAj/SCZqDtTGpevb08ndsRMKnql1g71VWWA9TylWBRwk9xTfZb46l3reXXe47nOt7v+9tHR62q71kPrUfWE8uzJtaR9Yv1yjq1WG+n91vvrPf27j/9h/1H/WED3brTxnxrdVZ/919IuCJB</latexit><latexit 
sha1_base64="tLZUMUNsFIQZW7zdKXbrBLnVoIA=">AAAGc3ichVRtb9s2EFbj1eu8t3b72C9c4wINpmhSHM9pMxXJiqD7MGAdsLQpLCOgqJNNmBJVkmrqCPof+z37F/sh+77TS7LITjECto+85567o59jmAmujev+fWer98nd/qf3Pht8/sWXX319/8E3r7XMFYNTJoVUZyHVIHgKp4YbAWeZApqEAt6EyxeV/817UJrL9A+zymCW0HnKY86owaPzB1t/BYYvLzWYAhC3IkLK7AdHm5UAv8CNhhS09r1RWQ6uoTzlhlNBDHwwflF5QpjztKj8GWcmV1BO9UIqAyl57nuZsVMZAYmwIZoy8McssWVK5opHNs2NnJEBIeRxUKGmiDFgtzlsQUMQfoFf8uLZkJ17JBDwjoyG5Yw80efeDgYWQzSG5WFFchtHgkaSJ0TzS/BHzhiSG7HH5SFZD9wM2Khjr1vH3g6ZKj5fGF/GBKntD3rBY+Pvjqpkxc+bxX2kqBES1UmuiFYN0fcTLKIlHTfo4kXDSoKMmsV093lzjW1rEM2h3hJSZ6WhfA8YhPrQ+rvypqvOh666rWc+cYdX7rqzwbW1QVq3fFXirldX1U1QtzS4tjYYBMT/S+DttDYhh4MA0qijtPP7266zdzB2D0YEjcn+ZDypjB/dkTcmnuPWa9tq1ytU/Z9BJFmeQGqYoFpPPTczs4Iqw5kAlHOuIaNsSecwRTOlCehZUU9bSR7jSURiqfCTGlKf3owoaKL1KgkRmeDfotd91eFtvmlu4oMZzlaW49iwJlGc45RJUo0uTo8CZsQKDcoUKpsRtqCKMoMDPuikCaVcGhpqbCWFCyaThOKlBXmWUSrKIqgGV7PitNmvobim5dSbNShuim1vHbGE1X8IHd+CyDMjMU/VJDIEtuMUP5WBjbAu7visRYUxDmIg5CWkc1gjO37ZAel3OVXrmJMbRCcfIzp52QHdSvQr0EjXxUdUL2p9U6XkRdm94UqAjVAqS/BQUbUqqrcM+aldh+j2x0kAj/SCZqDtTGpevb08ndsRMKnql1g71VWWA9TylWBRwk9xTfZb46l3reXXe47nOt7v+9tHR62q71kPrUfWE8uzJtaR9Yv1yjq1WG+n91vvrPf27j/9h/1H/WED3brTxnxrdVZ/919IuCJB</latexit><latexit 
sha1_base64="tLZUMUNsFIQZW7zdKXbrBLnVoIA=">AAAGc3ichVRtb9s2EFbj1eu8t3b72C9c4wINpmhSHM9pMxXJiqD7MGAdsLQpLCOgqJNNmBJVkmrqCPof+z37F/sh+77TS7LITjECto+85567o59jmAmujev+fWer98nd/qf3Pht8/sWXX319/8E3r7XMFYNTJoVUZyHVIHgKp4YbAWeZApqEAt6EyxeV/817UJrL9A+zymCW0HnKY86owaPzB1t/BYYvLzWYAhC3IkLK7AdHm5UAv8CNhhS09r1RWQ6uoTzlhlNBDHwwflF5QpjztKj8GWcmV1BO9UIqAyl57nuZsVMZAYmwIZoy8McssWVK5opHNs2NnJEBIeRxUKGmiDFgtzlsQUMQfoFf8uLZkJ17JBDwjoyG5Yw80efeDgYWQzSG5WFFchtHgkaSJ0TzS/BHzhiSG7HH5SFZD9wM2Khjr1vH3g6ZKj5fGF/GBKntD3rBY+Pvjqpkxc+bxX2kqBES1UmuiFYN0fcTLKIlHTfo4kXDSoKMmsV093lzjW1rEM2h3hJSZ6WhfA8YhPrQ+rvypqvOh666rWc+cYdX7rqzwbW1QVq3fFXirldX1U1QtzS4tjYYBMT/S+DttDYhh4MA0qijtPP7266zdzB2D0YEjcn+ZDypjB/dkTcmnuPWa9tq1ytU/Z9BJFmeQGqYoFpPPTczs4Iqw5kAlHOuIaNsSecwRTOlCehZUU9bSR7jSURiqfCTGlKf3owoaKL1KgkRmeDfotd91eFtvmlu4oMZzlaW49iwJlGc45RJUo0uTo8CZsQKDcoUKpsRtqCKMoMDPuikCaVcGhpqbCWFCyaThOKlBXmWUSrKIqgGV7PitNmvobim5dSbNShuim1vHbGE1X8IHd+CyDMjMU/VJDIEtuMUP5WBjbAu7visRYUxDmIg5CWkc1gjO37ZAel3OVXrmJMbRCcfIzp52QHdSvQr0EjXxUdUL2p9U6XkRdm94UqAjVAqS/BQUbUqqrcM+aldh+j2x0kAj/SCZqDtTGpevb08ndsRMKnql1g71VWWA9TylWBRwk9xTfZb46l3reXXe47nOt7v+9tHR62q71kPrUfWE8uzJtaR9Yv1yjq1WG+n91vvrPf27j/9h/1H/WED3brTxnxrdVZ/919IuCJB</latexit><latexit 
sha1_base64="tLZUMUNsFIQZW7zdKXbrBLnVoIA=">AAAGc3ichVRtb9s2EFbj1eu8t3b72C9c4wINpmhSHM9pMxXJiqD7MGAdsLQpLCOgqJNNmBJVkmrqCPof+z37F/sh+77TS7LITjECto+85567o59jmAmujev+fWer98nd/qf3Pht8/sWXX319/8E3r7XMFYNTJoVUZyHVIHgKp4YbAWeZApqEAt6EyxeV/817UJrL9A+zymCW0HnKY86owaPzB1t/BYYvLzWYAhC3IkLK7AdHm5UAv8CNhhS09r1RWQ6uoTzlhlNBDHwwflF5QpjztKj8GWcmV1BO9UIqAyl57nuZsVMZAYmwIZoy8McssWVK5opHNs2NnJEBIeRxUKGmiDFgtzlsQUMQfoFf8uLZkJ17JBDwjoyG5Yw80efeDgYWQzSG5WFFchtHgkaSJ0TzS/BHzhiSG7HH5SFZD9wM2Khjr1vH3g6ZKj5fGF/GBKntD3rBY+Pvjqpkxc+bxX2kqBES1UmuiFYN0fcTLKIlHTfo4kXDSoKMmsV093lzjW1rEM2h3hJSZ6WhfA8YhPrQ+rvypqvOh666rWc+cYdX7rqzwbW1QVq3fFXirldX1U1QtzS4tjYYBMT/S+DttDYhh4MA0qijtPP7266zdzB2D0YEjcn+ZDypjB/dkTcmnuPWa9tq1ytU/Z9BJFmeQGqYoFpPPTczs4Iqw5kAlHOuIaNsSecwRTOlCehZUU9bSR7jSURiqfCTGlKf3owoaKL1KgkRmeDfotd91eFtvmlu4oMZzlaW49iwJlGc45RJUo0uTo8CZsQKDcoUKpsRtqCKMoMDPuikCaVcGhpqbCWFCyaThOKlBXmWUSrKIqgGV7PitNmvobim5dSbNShuim1vHbGE1X8IHd+CyDMjMU/VJDIEtuMUP5WBjbAu7visRYUxDmIg5CWkc1gjO37ZAel3OVXrmJMbRCcfIzp52QHdSvQr0EjXxUdUL2p9U6XkRdm94UqAjVAqS/BQUbUqqrcM+aldh+j2x0kAj/SCZqDtTGpevb08ndsRMKnql1g71VWWA9TylWBRwk9xTfZb46l3reXXe47nOt7v+9tHR62q71kPrUfWE8uzJtaR9Yv1yjq1WG+n91vvrPf27j/9h/1H/WED3brTxnxrdVZ/919IuCJB</latexit><latexit 
sha1_base64="tLZUMUNsFIQZW7zdKXbrBLnVoIA=">AAAGc3ichVRtb9s2EFbj1eu8t3b72C9c4wINpmhSHM9pMxXJiqD7MGAdsLQpLCOgqJNNmBJVkmrqCPof+z37F/sh+77TS7LITjECto+85567o59jmAmujev+fWer98nd/qf3Pht8/sWXX319/8E3r7XMFYNTJoVUZyHVIHgKp4YbAWeZApqEAt6EyxeV/817UJrL9A+zymCW0HnKY86owaPzB1t/BYYvLzWYAhC3IkLK7AdHm5UAv8CNhhS09r1RWQ6uoTzlhlNBDHwwflF5QpjztKj8GWcmV1BO9UIqAyl57nuZsVMZAYmwIZoy8McssWVK5opHNs2NnJEBIeRxUKGmiDFgtzlsQUMQfoFf8uLZkJ17JBDwjoyG5Yw80efeDgYWQzSG5WFFchtHgkaSJ0TzS/BHzhiSG7HH5SFZD9wM2Khjr1vH3g6ZKj5fGF/GBKntD3rBY+Pvjqpkxc+bxX2kqBES1UmuiFYN0fcTLKIlHTfo4kXDSoKMmsV093lzjW1rEM2h3hJSZ6WhfA8YhPrQ+rvypqvOh666rWc+cYdX7rqzwbW1QVq3fFXirldX1U1QtzS4tjYYBMT/S+DttDYhh4MA0qijtPP7266zdzB2D0YEjcn+ZDypjB/dkTcmnuPWa9tq1ytU/Z9BJFmeQGqYoFpPPTczs4Iqw5kAlHOuIaNsSecwRTOlCehZUU9bSR7jSURiqfCTGlKf3owoaKL1KgkRmeDfotd91eFtvmlu4oMZzlaW49iwJlGc45RJUo0uTo8CZsQKDcoUKpsRtqCKMoMDPuikCaVcGhpqbCWFCyaThOKlBXmWUSrKIqgGV7PitNmvobim5dSbNShuim1vHbGE1X8IHd+CyDMjMU/VJDIEtuMUP5WBjbAu7visRYUxDmIg5CWkc1gjO37ZAel3OVXrmJMbRCcfIzp52QHdSvQr0EjXxUdUL2p9U6XkRdm94UqAjVAqS/BQUbUqqrcM+aldh+j2x0kAj/SCZqDtTGpevb08ndsRMKnql1g71VWWA9TylWBRwk9xTfZb46l3reXXe47nOt7v+9tHR62q71kPrUfWE8uzJtaR9Yv1yjq1WG+n91vvrPf27j/9h/1H/WED3brTxnxrdVZ/919IuCJB</latexit>

• One press: light turns low

• Two quick presses: light turns bright

• Two slow presses: light turns off

[Figure: automaton with locations off, low, bright; label fading; edges labelled press?, with reset c1 := 0, guard c1 < 5 and a second guard on c1 and 5. Panel titles: LIGHT, USER]


TIMED AUTOMATA

• Types of transitions: delay and action

• Clock valuations: nat ⇒ real → Infinite Semantics

• Clock constraints: (λc. 1) ⊢ c1 > 0 ∧ c2 3 → Invariants on nodes and guards on edges

[Figure: automaton with locations off, low, bright; label fading; edges labelled press?, with reset c1 := 0, guard c1 < 5 and a second guard on c1 and 5]

SEMANTICS


MODEL CHECKING

• Clock valuations: nat ⇒ real → Infinite Semantics

• Concrete states (l, u) to abstract states (l, Z)

• node l

• clock valuation u: nat ⇒ real

• Z a set of clock valuations (zone): (nat ⇒ real) set

• Symbolic computation: zones as clock constraints → Difference Bound Matrices (DBMs)

[Figure: automaton with locations off, low, bright; label fading; edges labelled press?, with reset c1 := 0, guard c1 < 5 and a second guard on c1 and 5]


MODEL CHECKING?

• However: number of zones (or DBMs) is infinite → Approximations: cut-off at largest entry in the automaton

• Getting these approximations right is hard!

• Bouyer 2003:

• Most correctness proofs incomplete/wrong

• Approximation is unsound for general TA → Restriction to diagonal-free TA (what we do) or represent zones as unions of DBMs
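Added example (not from the slides and not the authors' verified Isabelle/HOL tool): a small Python zone explorer showing zones stored as DBMs and why the cut-off at the largest constant is needed for termination. Assumptions: the bound encoding, the constructed two-clock automaton LOOP, the edge layout of LIGHT (reconstructed from the slide's labels, with ≥ assumed for the garbled guard), and the omission of invariants.

```python
import math
from collections import deque

# A bound is (constant, flag): flag 1 means "<=", 0 means "<". Tuple order = tightness.
INF = (math.inf, 0)
LE0 = (0, 1)

def add(a, b):
    return (a[0] + b[0], a[1] & b[1])

def close(d):
    """Floyd-Warshall tightening to canonical form; None if the zone is empty."""
    d = [list(row) for row in d]
    n = len(d)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                d[i][j] = min(d[i][j], add(d[i][k], d[k][j]))
    if any(d[i][i] < LE0 for i in range(n)):
        return None
    return tuple(map(tuple, d))

def up(d):
    """Delay transition: remove the upper bounds x_i - 0 <= c."""
    return tuple(tuple(INF if i > 0 and j == 0 else b for j, b in enumerate(row))
                 for i, row in enumerate(d))

def constrain(d, guards):
    """Intersect with guards (i, j, bound), each meaning x_i - x_j (< or <=) constant."""
    d = [list(row) for row in d]
    for i, j, bound in guards:
        d[i][j] = min(d[i][j], bound)
    return close(d)

def reset(d, x):
    """Set clock x to 0 by copying the bounds of the reference clock 0."""
    d = [list(row) for row in d]
    for j in range(len(d)):
        d[x][j], d[j][x] = d[0][j], d[j][0]
    d[x][x] = LE0
    return tuple(map(tuple, d))

def extrapolate(d, k):
    """Cut-off at the largest constant k: bounds above k vanish, below -k become '< -k'."""
    def cut(b):
        if b[0] > k:
            return INF
        return (-k, 0) if b[0] < -k else b
    return close([[b if i == j else cut(b) for j, b in enumerate(row)]
                  for i, row in enumerate(d)])

def subsumed(d, stored):
    """Zone inclusion on canonical DBMs is entry-wise comparison."""
    return any(all(a <= b for ra, rb in zip(d, o) for a, b in zip(ra, rb)) for o in stored)

def explore(automaton, start, n_clocks, k=None, limit=50):
    """Forward zone search; returns (reachable locations, zones stored, finished)."""
    n = n_clocks + 1
    init = up(tuple(tuple(LE0 for _ in range(n)) for _ in range(n)))
    passed, queue, count = {start: [init]}, deque([(start, init)]), 1
    while queue:
        if count >= limit:
            return set(passed), count, False
        loc, zone = queue.popleft()
        for guards, resets, target in automaton.get(loc, []):
            z = constrain(zone, guards)
            if z is None:
                continue
            for x in resets:
                z = reset(z, x)
            z = up(z)
            if k is not None:
                z = extrapolate(z, k)
            if not subsumed(z, passed.setdefault(target, [])):
                passed[target].append(z)
                queue.append((target, z))
                count += 1
    return set(passed), count, True

# Constructed automaton: clocks x=1, y=2; one edge "x == 1, reset x". y never resets,
# so the exact zones y - x = 1, 2, 3, ... are all different.
LOOP = {"loop": [([(1, 0, (1, 1)), (0, 1, (-1, 1))], [1], "loop")]}

# The slide's light automaton with clock c1=1. Assumed: the edge layout, and ">=" as
# the operator of the second guard on 5 (it is garbled on the slide).
LIGHT = {
    "off": [([], [1], "low")],
    "low": [([(1, 0, (5, 0))], [], "bright"), ([(0, 1, (-5, 1))], [], "off")],
    "bright": [([], [], "off")],
}

if __name__ == "__main__":
    print(explore(LOOP, "loop", 2))          # hits the limit: zone graph is infinite
    print(explore(LOOP, "loop", 2, k=1))     # terminates after cut-off at k = 1
    print(explore(LIGHT, "off", 1, k=5))     # bright is reachable
```

Both automata are diagonal-free (every guard compares a single clock with a constant), which is the fragment the slides restrict to.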


OBJECTIVE

• Provide verified reference implementation for TA MC

• Not meant to replace existing MCs

• Rather allow validation of existing MCs against it

• Experimentation platform

• Thus we need:

• Acceptable performance

• High feature compatibility with relevant modelling formalisms


THE STARTING POINT

ABSTRACT FORMALISATION

• ITP 2016: Isabelle/HOL formalisation of TA

• Main Results:

• Approximations of zones are indeed sound

• Abstractly, the typical reachability checking algorithm for single TA is sound & complete


WHAT WERE WE MISSING?

• Efficient Algorithms

• DBMs as imperative arrays with destructive updates

• Search algorithms with subsumption

• Expressive modelling language

• Networks of automata with synchronisation

• State of the art tool Uppaal accepts a C-like language


HOW DO WE GET THERE?

• Efficient Algorithms → Refinement

• DBMs as imperative arrays with destructive updates
  Imperative Refinement Framework: abstract functional impl. → efficient imperative impl.

• Search algorithms with subsumption

• Expressive modelling language

• Networks of automata with synchronisation
  Product construction: reduction to single TA model checking

• State of the art tool Uppaal accepts a C-like language
  Program analysis: not every input constitutes a valid (single) TA


AGENDA

• MAIN THEOREM

• REFINEMENT

• PROGRAM ANALYSIS

• PRODUCT CONSTRUCTION

• EXPERIMENTS

• FUTURE WORK


HOARE TRIPLE IN IMPERATIVE-HOL

WHAT DO WE PROVE?


checking process is started. Given such an input, our tool will first determine whether the input is valid and lies in the supported fragment. This is achieved by a simple program analysis. As input formulae, our model checker accepts the same (T)CTL fragment that is supported by UPPAAL, but restricts formulae to not contain clocks. While this is not a principal limitation of our work, it reduced the complexity of our first prototype. If the input is invalid, our tool answers with “invalid input”, else it determines whether

$$\mathit{conv}\ N,\ (\mathit{init}, s_0, u_0) \models_{\mathit{max\_steps}} \varphi$$

holds for the all-zero valuation $u_0$ under the assumption that the automaton is deadlock-free⁵, and answers with true/false. Here, $N$ is the input automaton, $\mathit{conv}$ converts all integer constants to reals (as the semantics are specified on reals), and $\varphi$ is the input formula. The relation $\models_{\mathit{max\_steps}}$ is a variant of $\models$ lifted to networks of timed automata with shared state and Uppaal bytecode annotations. It is indexed with the maximum number of steps that any execution of a piece of Uppaal bytecode can use (i.e. $\mathit{max\_steps}$ is the fuel available to executions). The vector of start locations $\mathit{init}$, and the shared state $s_0$ (part of the input) describe the initial configuration.

The actual model checking proceeds in two steps. First, a product construction converts the network to a single timed automaton, expressed by HOL functions for the transition relation and the invariant assignment. Second, according to the formula, a model checking algorithm is run on the single automaton. We need three algorithms: a reachability checker for $\mathbf{E}\Diamond$ and $\mathbf{A}\Box$, a loop detection algorithm for $\mathbf{E}\Box$ and $\mathbf{A}\Diamond$, and a combination of both to check $\dashrightarrow$-properties. Note that the aforementioned HOL functions are simply functional programs that construct the product automaton’s state and invariant assignments on-the-fly. The final correctness theorem we proved can be stated as follows:

$$
\begin{array}{l}
\{\mathit{emp}\}\\
\quad \mathit{precond\_mc}\ p\ m\ k\ \mathit{max\_steps}\ I\ T\ \mathit{prog}\ \mathit{formula}\ \mathit{bounds}\ P\ s_0\\
\{\lambda\ \mathit{Some}\ r \Rightarrow \mathit{valid\_input}\ p\ m\ \mathit{max\_steps}\ I\ T\ \mathit{prog}\ \mathit{bounds}\ P\ s_0\ \mathit{na}\ k\ \wedge\\
\qquad (\neg\, \mathit{deadlock}\ (\mathit{conv}\ N)\ (\mathit{init}, s_0, u_0) \Longrightarrow r = \mathit{conv}\ N,\ (\mathit{init}, s_0, u_0) \models_{\mathit{max\_steps}} \mathit{formula})\\
\ \ \mid\ \mathit{None} \Rightarrow \neg\, \mathit{valid\_input}\ p\ m\ \mathit{max\_steps}\ I\ T\ \mathit{prog}\ \mathit{bounds}\ P\ s_0\ \mathit{na}\ k\}
\end{array}
$$

This Hoare triple states that the model checker terminates and produces the result None if the input is invalid. If the input is valid and deadlock free, it produces the result Some r, where r is the answer to the model checking problem.

4 Single Automaton Model Checking

In this section, we describe the route from the abstract semantics of timed automata to the implementation of an actual model checker. The next section will describe the construction of a single timed automaton from the Uppaal-model.

⁵ Adding a check for deadlocked states to our algorithms would be conceptually simple but is left for future work.

FAILURE

SUCCESS

INPUT IS VALID AND LIES IN THE SUPPORTED FRAGMENT?

SAT/UNSAT?

NO DEADLOCK


REFINEMENT


REFINEMENT BY EXAMPLE

$$
\begin{array}{l}
\mathit{up}\ M = (\lambda i\ j.\\
\quad \text{if } i > 0 \text{ then if } j = 0 \text{ then } \infty \text{ else } \min\ (M\ i\ 0 + M\ 0\ j)\ (M\ i\ j)\\
\quad \text{else } M\ i\ j)
\end{array}
$$

$$
\begin{array}{l}
\mathit{up}_1\ M = (\lambda i\ j.\\
\quad \text{if } i > 0 \wedge j = 0\\
\quad \text{then } \infty \text{ else } M\ i\ j)
\end{array}
$$

ASSUME THAT M IS NORMALISED

EXPLICIT PROOF


REFINEMENT BY EXAMPLE

$$
\begin{array}{l}
\mathit{up}_1\ M = (\lambda i\ j.\\
\quad \text{if } i > 0 \wedge j = 0\\
\quad \text{then } \infty \text{ else } M\ i\ j)
\end{array}
$$

$$
\begin{array}{l}
\mathit{up}_2\ M\ n = \mathit{fold}\\
\quad (\lambda i\ M.\ M((i, 0) := \infty))\\
\quad [1..{<}n+1]\ M
\end{array}
$$

FUNCTIONAL PROGRAM

EXPLICIT PROOF


REFINEMENT BY EXAMPLE

$$
\begin{array}{l}
\mathit{up}_2\ M\ n = \mathit{fold}\\
\quad (\lambda i\ M.\ M((i, 0) := \infty))\\
\quad [1..{<}n+1]\ M
\end{array}
$$

IMPERATIVE IMPLEMENTATION

EXTRACTED SEMI-AUTOMATICALLY

$$
\begin{array}{l}
\mathit{up}_3\ M\ n = \mathit{imp\_for}'\ 1\ (n+1)\\
\quad (\lambda i\ M.\ \mathit{mtx\_set}\ (n+1)\ M\ (i, 0)\ \infty)\\
\quad M
\end{array}
$$
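The refinement chain up → up1 → up2 → up3 from these slides, as an added Python sketch (not the authors' Isabelle/HOL code). It assumes DBM entries are plain non-strict numeric bounds, with M[i][j] bounding x_i − x_j and index 0 standing for the constant 0; the sample zone and helper names are constructed. It also shows why the first step needs M to be normalised.

```python
import math

INF = math.inf  # "no bound"

def canonical(M):
    """Floyd-Warshall tightening: afterwards M[i][j] <= M[i][k] + M[k][j]."""
    n = len(M)
    M = [row[:] for row in M]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if M[i][k] + M[k][j] < M[i][j]:
                    M[i][j] = M[i][k] + M[k][j]
    return M

def up(M):
    """General definition: drop upper bounds and re-tighten the diagonals."""
    n = len(M)
    return [[(INF if j == 0 else min(M[i][0] + M[0][j], M[i][j])) if i > 0
             else M[i][j]
             for j in range(n)] for i in range(n)]

def up1(M):
    """Simplified definition; equal to up only if M is normalised."""
    n = len(M)
    return [[INF if (i > 0 and j == 0) else M[i][j]
             for j in range(n)] for i in range(n)]

def up2(M, n):
    """Fold over clocks 1..n with a functional update (fresh matrix each step)."""
    for i in range(1, n + 1):
        M = [row[:] for row in M]
        M[i][0] = INF
    return M

def up3(flat, n):
    """Imperative version: destructive update of a flat (n+1)x(n+1) array."""
    for i in range(1, n + 1):
        flat[i * (n + 1) + 0] = INF
    return flat

def flatten(M):
    return [x for row in M for x in row]

def unflatten(flat, n):
    w = n + 1
    return [flat[r * w:(r + 1) * w] for r in range(w)]

def chain_agrees(M, n):
    """True if all four versions compute the same DBM for input M."""
    reference = up(M)
    return (up1(M) == reference and up2(M, n) == reference
            and unflatten(up3(flatten(M), n), n) == reference)

# Constructed sample: two clocks, zone 1 <= x1 <= 3 and 0 <= x2 <= 2,
# written down without the implied diagonal constraints (not normalised).
RAW = [[0, -1, 0],
       [3, 0, INF],
       [2, INF, 0]]
CANON = canonical(RAW)

if __name__ == "__main__":
    print("normalised DBM:", CANON)
    print("chain agrees on normalised DBM:", chain_agrees(CANON, 2))
    print("chain agrees on raw DBM:       ", chain_agrees(RAW, 2))
    print("up1 on raw DBM loses x1 - x2 <= 3:", up1(RAW)[1][2])
```

On the raw matrix, up1 returns a strictly larger zone than up, which is the kind of silent over-approximation the explicit proof of the first refinement step rules out.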


WITH THE IMPERATIVE REFINEMENT FRAMEWORK

IMPERATIVE REFINEMENT

• Semi-automatically synthesise an imperative implementation

• Parametricity (‘truly polymorphic functions ignore the type’)

• Separation logic with some automated frame inference

• Proved automatically:

$(\mathit{up}_3, \mathit{up}_2) \in \mathit{mtx\_assn}^d * \mathit{nat\_assn}^k \to \mathit{mtx\_assn}$


FOR LIVENESS PROPERTIES

CYCLICITY CHECKER


We assume that $\to_{A_1}$ is pre-stable w.r.t. $\to_C$ and that $\to_C$ is post-stable w.r.t. $\to_{A_1}$. Along with some side conditions on $P_1$ and $P_2$⁶ we can prove:

Theorem 1. If $a_0 \to_{A_2} as \to_{A_2} a \to_{A_2} bs \to_{A_2} a$ and $P_2\ a$, then there exist $x \in \bigcup (C\ a_0)$ and $xs$ such that $x \to_C^{xs}$ and $xs$ passes through $\bigcup (C\ a)$ infinitely often.

Proof. We first apply $C$ to the second layer states and get a path of the form: $C\ a_0 \to_C as' \to_C C\ a \to_C bs' \to_C C\ a$ for some $as'$ and $bs'$. From Lemma 1 and post-stability, we obtain a path of the form $a_{01} \to_{A_1} as_1 \to_{A_1} a_1 \to_{A_1} bs_1 \to_{A_1} a_1$ with $a_{01} \in C\ a_0$ and $a_1 \in C\ a$. By applying Lemma 2 and pre-stability, we obtain the desired result.

This is the main theorem that allows us to run cycle detection on the abstract zone graph during model checking: the other direction is trivial, and the theorem can be directly instantiated for regions and (abstracted) zones. There is a slight subtlety here since we only guarantee $x \in \bigcup (C\ a_0)$. However we typically have $C\ a_0 = a_0$, as all clocks are initially set to zero.

4.4 Implementation of Search Algorithms

We first implement the three main model checking algorithms abstractly in the nondeterminism monad provided by the IRF. On this abstraction level, we can use such abstract notions as sets and specify the algorithm for an arbitrary (finite) transition system $\to$. We only showcase the implementation of our cyclicity checker (used for $A\Diamond$ and $E\Box$). The techniques used for the other algorithms are similar. The code for our cyclicity checker is displayed in Listing 1.1.

    dfs P = do {
      (P, ST, r) ← recT (λdfs (P, ST, v).
        do {
          if ∃v' ∈ set ST. v' ⪯ v then return (P, ST, True)
          else do {
            if ∃v' ∈ P. v ⪯ v' then return (P, ST, False)
            else do {
              let ST = v · ST;
              (P, ST', r) ←
                foreach {v' | v → v'} (λ(_, _, b). ¬b)
                  (λv' (P, ST, _). dfs (P, ST, v'))
                  (P, ST, False);
              assert (ST' = ST);
              return (insert v P, tl ST', r)
            }
          }
        }
      ) (P, [], a0);
      return (r, P)
    }

Listing 1.1: Cyclicity Checker

6 $P_1$ states are distinct and there are only finitely many of them. For every $P_2$ state, there is an overlapping $P_1$ state.

SETS

SUBSUMPTION

ANY RELATION/TS/GRAPH

‘PSEUDOCODE’
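Listing 1.1 transcribed into ordinary Python, as an added example (it is not the paper's Isabelle code nor the verified tool), run on a toy zone graph and compared with a brute-force check of "some x is reachable from a0 and lies on a cycle". The one-clock discrete-time model with values capped at `K`, both edge lists and the names `zone_succ`, `zone_subsumes` and `spec_cycle` are assumptions made for illustration.

```python
K = 4  # constructed toy model: one clock, integer values capped at K


def dfs(a0, succ, subsumes, passed=None):
    """Cyclicity check in the shape of Listing 1.1; returns (r, P)."""
    P = set() if passed is None else set(passed)
    ST = []  # DFS stack (the listing conses onto a list instead)

    def go(v):
        if any(subsumes(u, v) for u in ST):   # exists v' in set ST. v' ⪯ v
            return True
        if any(subsumes(v, u) for u in P):    # exists v' in P. v ⪯ v'
            return False
        ST.append(v)                          # let ST = v · ST
        r = False
        for w in succ(v):                     # foreach, continue while not b
            r = go(w)
            if r:
                break
        top = ST.pop()                        # tl ST'
        assert top == v                       # assert (ST' = ST)
        P.add(v)                              # insert v P
        return r

    return go(a0), P


def reachable(start, succ, strict=False):
    """States y with start ->* y, or start ->+ y when strict is set."""
    todo = list(succ(start)) if strict else [start]
    seen = set()
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(succ(v))
    return seen


def spec_cycle(a0, succ):
    """Brute-force reference: exists x. a0 ->* x and x ->+ x."""
    return any(x in reachable(x, succ, strict=True)
               for x in reachable(a0, succ))


def zone_succ(edges):
    """Successor function on abstract states (location, set of clock values).

    Each edge is (source, lo, hi, reset, target) with guard lo <= x <= hi.
    A step lets time pass first, then takes one enabled edge.
    """
    def succ(state):
        loc, zone = state
        delayed = frozenset(range(min(zone), K + 1))
        out = []
        for src, lo, hi, reset, dst in edges:
            enabled = frozenset(x for x in delayed if lo <= x <= hi)
            if src == loc and enabled:
                out.append((dst, frozenset({0}) if reset else enabled))
        return out
    return succ


def zone_subsumes(u, v):
    """u ⪯ v: same location and u's clock values are included in v's."""
    return u[0] == v[0] and u[1] <= v[1]


# Constructed inputs. EDGES_LIVE has the cycle off -> dim -> bright -> off.
EDGES_LIVE = [("off", 0, K, True, "dim"), ("dim", 0, 1, False, "bright"),
              ("dim", 2, K, True, "off"), ("bright", 0, K, True, "off")]
# EDGES_DAG is acyclic and reaches location b with two nested zones.
EDGES_DAG = [("a", 0, K, False, "b"), ("a", 0, K, True, "c"),
             ("c", 1, 2, False, "b"), ("b", 3, K, False, "d")]
LIVE_A0 = ("off", frozenset({0}))
DAG_A0 = ("a", frozenset({0}))

if __name__ == "__main__":
    for name, a0, edges in (("live", LIVE_A0, EDGES_LIVE),
                            ("dag", DAG_A0, EDGES_DAG)):
        succ = zone_succ(edges)
        r_sub, p_sub = dfs(a0, succ, zone_subsumes)
        r_eq, p_eq = dfs(a0, succ, lambda u, v: u == v)
        print(name, "cycle:", r_sub, "reference:", spec_cycle(a0, succ),
              "|P| with subsumption:", len(p_sub),
              "with equality:", len(p_eq))
```

On the acyclic input the zone `("b", {1, 2})` is pruned because the already passed `("b", {0, ..., 4})` subsumes it, so the passed set stays one state smaller than with plain equality.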


LAYERED REFINEMENT

CYCLICITY CHECKER

• Non-determinism monad (‘give me any x such that …’)

• Verification Condition Generator

• Final data structure resembles Uppaal’s unified PW list

• Main theorems:

$(\mathit{dfs\_map}, \mathit{dfs}) \in \mathit{map\_set\_rel} \to \mathit{Id} \times_r \mathit{map\_set\_rel}$

$\mathit{dfs}\ P \le \mathrm{SPEC}\ (\lambda(r, P').\ (r \Longrightarrow (\exists x.\ a_0 \to^* x \wedge x \to^+ x)) \wedge (\neg r \Longrightarrow \neg(\exists x.\ a_0 \to^* x \wedge x \to^+ x) \wedge \mathit{liveness\_compatible}\ P'))$

if $\mathit{liveness\_compatible}\ P$


PROGRAM ANALYSIS & PRODUCT CONSTRUCTION


TO ENSURE THE INPUT IS VALID

PROGRAM ANALYSIS

• Input: Uppaal bytecode (interpreted with finite fuel), an assembler-style language for updates and guards

• Main property: Successful executions only induce conjunctive clock constraints ($c_1 > 0 \wedge c_2 < 3$ but not $c_1 > 0 \vee c_2 < 3$)

• Very simplistic analysis:

• Approximate set of reachable instructions for a given guard

• Check that clock expressions only occur in a ‘conjunction block’


PRODUCT CONSTRUCTION

• From networks to single TA MC

• Shared bounded integer variables

• Networks with sync. over channels

• Retains ability to do MC on the fly

[Fig. 3: Outline of the product construction. Boxes: Uppaal Networks (shared bounded integer variables); State Networks (arbitrary finite shared state); Networks (only synchronization); Single Automaton. Step labels: Encode programs; One per state; Encode location vectors; Pair locations & state.]

6 Experimental Evaluation

We conducted experiments on some standard benchmark models for timed automata: a variant of Fischer’s mutual-exclusion protocol, the FDDI token ring protocol, and the CSMA/CD protocol used in Ethernet networks. We tested one reachability and one liveness property for each model: $E\Diamond(c > 1)$ and $P_1.b \dashrightarrow P_1.c$ for Fischer’s protocol; $E\Diamond(\neg P_1.\mathit{idle} \wedge \neg P_2.\mathit{idle})$ and $\mathit{true} \dashrightarrow \mathit{z\_async}_1$ for FDDI; and $E\Diamond(P_1.\mathit{abort} \wedge P_2.\mathit{send})$, and $\mathit{collision} \dashrightarrow \mathit{active}$ for CSMA/CD. We compare (cf. Table 1) our tool against Uppaal configured with two different approximation operators: difference (Uppaal1) and location-based (Uppaal2) extrapolation. We give the computation time in seconds and the number of explored states, as reported by our tool and Uppaal⁶. Since the number of explored states differs significantly, we also calculated throughput, i.e. the number of explored states per second. The ratio of Uppaal’s throughput and our tool’s throughput is given in the column TR. We specify the problem size as the number of automata in the network.

The results indicate that our tool’s throughput is around one order of magnitude lower than Uppaal’s. Encouragingly, the gap seems to decrease for larger models. However, for larger problem sizes of some models, we also start to run out of memory because our tool is not tuned towards space consumption. We do not have a convincing explanation for the difference in states explored by our tool and Uppaal, particularly because our tool already implements location-based extrapolation. Nevertheless, we conclude that the performance offered by our tool is reasonable for a reference implementation against which other tools can be validated: we can check medium sized instances of common benchmark

6 Uppaal comes with a note suggesting that these numbers might be wrong for liveness properties.


EXPERIMENTS

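| Model | Prop | SAT | Size | Our Tool #states | Our Tool time1 | Our Tool time2 | Uppaal #states | Uppaal time | Ratio TR1 | Ratio TR2 |
|---|---|---|---|---|---|---|---|---|---|---|
| Fischer | R | N | 5 | 38578 | 6,93 | 2,14 | 3739 | 0,062 | 10,83 | 3,35 |
| Fischer | L | Y | 5 | 42439 | 7,87 | 2,24 | 8149 | 0,112 | 13,49 | 3,84 |
| Fischer | L | Y | 6 | 697612 | 373 | 132 | 67325 | 1,94 | 18,56 | 6,57 |
| FDDI | R | N | 8 | 6720 | 35,1 | 8,92 | 5416 | 0,789 | 35,85 | 9,11 |
| FDDI | R | N | 10 | 29759 | 173 | 33,2 | 24120 | 6,64 | 21,12 | 4,05 |
| FDDI | L | Y | 6 | 2083 | 9,38 | 2,69 | 2439 | 0,159 | 69,08 | 19,81 |
| FDDI | L | Y | 7 | 3737 | 18,1 | 5,74 | 4944 | 0,406 | 58,98 | 18,70 |
| CSMA/CD | R | N | 5 | 9959 | 5,29 | 1,18 | 2769 | 0,102 | 14,42 | 3,22 |
| CSMA/CD | R | N | 6 | 81463 | 72 | 15,6 | 17939 | 2,18 | 7,27 | 1,58 |
| CSMA/CD | L | Y | 5 | 11526 | 5,81 | 1,28 | 3867 | 0,091 | 21,33 | 4,70 |
| CSMA/CD | L | Y | 6 | 96207 | 76,4 | 16,6 | 23454 | 2,13 | 8,74 | 1,90 |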


throughput = #states/time


FUTURE

• Can we find bugs in actual model checkers?

• Can we certify model checking results efficiently? TA MC uses subsumption: final invariant may be much smaller than total number of explored states

• Extensions: Probabilistic Timed Automata, (more complex hybrid systems?)

• > 50000 lines of formalisation vs 5403 lines of SML checker


THANK YOU! QUESTIONS?

wimmers.github.io/munta

Verified Model Checking of Timed Automata

Simon Wimmer, Peter Lammich

Institut für Informatik, Technische Universität München

Objectives

• Model checking for the common class of diagonal-free Timed Automata

• Feature parity with Uppaal (for model checking)

• Complete Verification with Isabelle/HOL

• Reasonable Performance

Timed Automata

Clocks

• Resets and guards on edges, invariants on nodes

• Real-valued semantics ⇒ infinite state space

[Figure: example timed automaton with nodes s1 and s2. Labels in the diagram: c1 ≤ 3; c1 > 2 ∧ c2 ≤ 2; c1 < 1, a?, c2 := 0; c1 ≤ 3, b, c1 := 0; a!]

Model Checking

• Concrete states (l, u) → abstract states (l, Z) (for node l, clock valuation u, and Z a set of clock valuations)

• Infinitely many zones Z ⇒ Approximations!

• Soundness of approximations is peculiar [1]

Experiments

                     Our Tool            Uppaal
Model    Prop  Size  time    #states     time   #states   TR
Fischer  R     5     6,61    38578       0,04   3739      16,02
Fischer  L     5     7,52    42439       0,04   8149      40,1
Fischer  L     6     485,9   697612      1,53   67325     30,7
FDDI     R     8     16,04   6720        0,31   5416      42,0
FDDI     R     10    142,8   29759       6,44   24120     18,0
FDDI     L     6     2,58    2083        0,04   2439      68,7
FDDI     L     7     6,50    3737        0,14   4944      62,3
CSMA     R     5     4,48    9959        0,03   2769      40,6
CSMA     R     6     71,70   81463       1,79   17939     8,8
CSMA     L     5     4,93    11526       0,04   3867      42,4
CSMA     L     6     76,83   96207       1,86   12603     10,1

From Theory to Model Checking

• Starting point: abstract formalization of reachability checking for Timed Automata [4]

• Real Model Checking is more:

Modeling

• Modeling language: Uppaal bytecode!

• Networks of Automata with discrete integer state variables (global)

Algorithms

• Worklist Algorithm for reachability: subsumption

• Operations on Difference Bound Matrices (DBMs): represent zones

• Floyd-Warshall algorithm
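The three items above fit together as follows; this is an added Python sketch, not Munta's verified code, and all function names in it are hypothetical. A zone is stored as a DBM of bounds on clock differences, Floyd-Warshall computes its canonical form, and the worklist algorithm's subsumption test is then an entry-wise comparison.

```python
import math

# Bound (c, strict) on x_i - x_j: "< c" if strict, else "<= c". Index 0 is the constant 0.
INF = (math.inf, True)    # unconstrained
LE0 = (0, False)          # <= 0

def add(a, b):            # chain the bounds on x_i - x_k and x_k - x_j
    return (a[0] + b[0], a[1] or b[1])

def tighter(a, b):        # True if a is strictly tighter than b
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def universe(n):          # all valuations of n non-negative clocks
    d = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][i] = d[0][i] = LE0
    return d

def constrain(d, i, j, c, strict):   # intersect with x_i - x_j (< or <=) c
    d = [row[:] for row in d]
    if tighter((c, strict), d[i][j]):
        d[i][j] = (c, strict)
    return d

def canonical(d):         # Floyd-Warshall: tightest bound for every pair
    d = [row[:] for row in d]
    n = len(d)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                via = add(d[i][k], d[k][j])
                if tighter(via, d[i][j]):
                    d[i][j] = via
    return d

def is_empty(d):          # canonical DBM: a negative cycle shows on the diagonal
    return any(tighter(d[i][i], LE0) for i in range(len(d)))

def subsumed(d1, d2):     # zone(d1) ⊆ zone(d2); d1 must be canonical
    n = len(d1)
    return is_empty(d1) or all(not tighter(d2[i][j], d1[i][j])
                               for i in range(n) for j in range(n))

def example():
    # Constructed input: clock constraints taken from the poster's example automaton.
    inv = canonical(constrain(universe(2), 1, 0, 3, False))               # c1 <= 3
    g = canonical(constrain(constrain(inv, 0, 1, -2, True), 2, 0, 2, False))  # c1 > 2, c2 <= 2
    dead = canonical(constrain(g, 1, 0, 1, True))                         # additionally c1 < 1
    return g[2][1], subsumed(g, inv), subsumed(inv, g), is_empty(dead)
```

Canonicalization derives the implicit bound c2 - c1 < 0 from c1 > 2 and c2 ≤ 2, which is what makes the entry-wise inclusion test sound.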

Program Analysis

Not all Uppaal bytecode represents a valid automaton ⇒ we apply simple means of program analysis to accept a subset of valid inputs

Abstraction and Simulation

• Generalized framework for transition systems and their abstractions

• Simulation and subsumption graphs [2]

• Relations between infinite runs in the concrete system and cycles in the abstract system

Refinement, Refinement, Refinement

Much of this work is really an exercise in refinement:

• Abstract Operations on DBMs ⇒ functional impl. on maps ⇒ imperative impl. on arrays

• Semantics on reals ⇒ concrete models with integer constraints

• Complex networks with bytecode semantics ⇒ Single product automaton (On the fly!)

Product Construction

Uppaal Networks: shared bounded integer variables

State Networks: arbitrary finite shared state

Networks: only synchronization

Single Automaton

[Diagram: arrows between these levels, labelled: Encode state; One per state; Encode location vectors; Encode state in locations]

Isabelle Infrastructure

Different parts of recent Isabelle/HOL infrastructure are crucial for this work:

• Codatatypes and Coinduction: liveness

• Eisbach: product construction

• Transfer: reals ↔ integers

• The Imperative Refinement Framework [3]: imperative implementations

Older but important tools:

• Code Generation

• Locales: to build logical frameworks

• Sledgehammer: free proofs

Work in Progress

Temporal Logics

• LTL: Büchi emptiness

• (T)CTL à la Uppaal: A♦ ϕ, A□ (ϕ ⇒ A♦ ψ)

• Obstacle: Uppaal semantics & zenoness

Algorithms

• Simple Algorithm for A♦

• Combined with reachability, this gives A□ (ϕ ⇒ A♦ ψ)

Modeling Language

• Better program analysis on the input: accept larger subclasses of valid bytecode

On-the-fly construction

Simple Trick: A single automaton is represented as an invariant assignment and a transition function. After performing the product construction, we give equivalent functional implementations, thus obtaining an on-the-fly construction.

Future

• Certification: reachability and Büchi emptiness

• Modeling: Broadcast channels, urgent and committed locations, ...

• Closing the Loop: Verified model transformation & parsing

[1] P. Bouyer. Untameable Timed Automata! In STACS 2003, volume 2607 of LNCS. Springer, 2003. doi:10.1007/3-540-36494-3_54.

[2] F. Herbreteau, B. Srivathsan, T.-T. Tran, and I. Walukiewicz. Why liveness for timed automata is hard, and what we can do about it. In FSTTCS 2016, volume 65 of LIPIcs. Schloss Dagstuhl, 2016. doi:10.4230/LIPIcs.FSTTCS.2016.48.

[3] P. Lammich. Refinement to Imperative/HOL. In C. Urban and X. Zhang, editors, ITP 2015, volume 9236 of LNCS. Springer, 2015. doi:10.1007/978-3-319-22102-1_17.

[4] S. Wimmer. Formalized Timed Automata. In ITP 2016, volume 9807 of LNCS. Springer, 2016. doi:10.1007/978-3-319-43144-4_26.

wimmers.github.io/munta
