Submitted 2 October 2019
Accepted 5 April 2020
Published 4 May 2020

Corresponding author
Lei Zhuang, ielzhuang@zzu.edu.cn

Academic editor
Maurice ter Beek

Additional Information and
Declarations can be found on
page 21

DOI 10.7717/peerj-cs.272

Copyright
2020 Wang et al.

Distributed under
Creative Commons CC-BY 4.0

OPEN ACCESS

Exact acceleration of complex real-time
model checking based on overlapping
cycle
Guoqing Wang1, Lei Zhuang1, Yu Song1, Mengyang He1, Ding Ma2 and
Ling Ma1,3

1 School of Information Engineering, Zhengzhou University, Zhengzhou, Henan, China
2 College of Information Science and Engineering, Henan University of Technology, Zhengzhou, Henan, China
3 Digital Medical Image Technique Research Center, Zhengzhou University, Zhengzhou, Henan, China

ABSTRACT
When real-time systems are modeled as timed automata, different time scales may lead
to substantial fragmentation of the symbolic state space. Exact acceleration solves the
fragmentation problem without changing system reachability. The relatively mature
technology of exact acceleration has been used with an appended cycle or a parking
cycle, which can be applied to the calculation of a single acceleratable cycle model.
Using these two technologies to develop a complex real-time model requires additional
states and consumes a large amount of time cost, thereby influencing acceleration
efficiency. In this paper, a complex real-time exact acceleration method based on an
overlapping cycle is proposed, which is an application scenario extension of the parking-
cycle technique. By comprehensively analyzing the accelerating impacts of multiple
acceleratable cycles, it is only necessary to add a single overlapping period with a fixed
length without relying on the windows of acceleratable cycles. Experimental results
show that the proposed timed automaton model is simple and effectively decreases the
time costs of exact acceleration. For the complex real-time system model, the method
based on an overlapping cycle can accelerate the large scale and concurrent states which
cannot be solved by the original exact acceleration theory.

Subjects Real-Time and Embedded Systems, Theory and Formal Methods
Keywords Real-time model checking, Exact acceleration, Complex real-time system, Timed
automata, Overlapping cycle

INTRODUCTION
In real-time embedded systems, especially complex real-time control systems, discrete
logic control and continuous time behavior depend on and influence each other. Take
the Internet of things (IoT) gateway security system (Wang et al., 2018) as an example: its
control center generally has many different control modes to deal with diverse security
risks, such as tampering, intrusion, and identity forging. Important system parameters
(e.g., sensor status, monitoring instructions, and terminal feedback information) change
continuously over time. To meet specific time constraints or parameter values in the
IoT gateway security system, the management mode must be adjusted over time. The
change rules of important parameters also differ by mode, and the response time to

How to cite this article Wang G, Zhuang L, Song Y, He M, Ma D, Ma L. 2020. Exact acceleration of complex real-time model checking
based on overlapping cycle. PeerJ Comput. Sci. 6:e272 http://doi.org/10.7717/peerj-cs.272

https://peerj.com/computer-science
mailto:ielzhuang@zzu.edu.cn
https://peerj.com/academic-boards/editors/
https://peerj.com/academic-boards/editors/
http://dx.doi.org/10.7717/peerj-cs.272
http://creativecommons.org/licenses/by/4.0/
http://creativecommons.org/licenses/by/4.0/
http://doi.org/10.7717/peerj-cs.272


various events should be modified accordingly. In this type of system (Lee et al., 2019),
logic control describes the logical control transformation of the system through models
with high abstraction levels, such as finite state machine and Petri net. Time behavior can
be simulated by clock variables and clock zone transformation. Between the two layers,
signals of the continuous layer and control modes of the discrete layer are correlated and
transformed by certain interfaces and rules.

Typically, test and simulation technologies are the main means of guaranteeing software
quality; however, they cover problems when using the operating system as the main
measure, which cannot guarantee test completeness. These approaches are thus incapable
of traversing all states in a real-time system, leading to covert problems in system operations
(Wang, Pastore & Briand, 2019). In the field of security-related systems with zero tolerance
for system error, using formal theory and technology for security authentication results
in clear descriptions and avoids the complexity of safety verification. Formal description
analysis and refinement have thus become a focus of recent research in related fields.

In real-time model checking, timed automata can model the temporal behavior of
real-time systems (Pinisetty et al., 2017). Clocks describe the state transitions, and clock
constraints serve as the theoretical basis for real-time system model checking (Han, Yang
& Xing, 2015). This approach can easily realize automatic combination and transformation
with other methods. The method is widely used in polling control systems, railway
interlocking systems, and similar applications. Due to clock variables, control programs
and external environments often use different time measures, which can cause the number
of states to increase exponentially when a timed automaton is transformed into a zone
automaton. The reachability analysis algorithm generates many state fragments (Iversen et
al., 2000; Chen & Cui, 2016), resulting in a sharp increase in the state space and considerably
prolonged detection time.

The acceleration technique is a reduction method used to solve the fragmentation
problem following from time measurement differences. Dubout & Fleuret (2013) applied
an acceleration technique to linear target detection and effectively improved the detection
performance. Jeong et al. (2014) applied an implicit Markov model as an improved
framework to accelerate the inference model. For distributed and parallel computing,
a workstation and a multicore processor were used to accelerate state-space searching
(Konur, Fisher & Schewe, 2013). Lin, Chen & Xu (2017) studied an acceleration model
using a Bayesian classifier by analyzing the behavior of heterogeneous population trends;
results indicated that acceleration in the reliability assessment improved the analytic
accuracy. The model checking of linear temporal logic (LTL) model was studied by Barnat
et al. (2010), which employed computed unified device architecture for acceleration. Two
SAT problem solvers were used to validate online models and accelerate the processing of
complex behaviors (Qanadilo, Samara & Zhao, 2013).

The reachability problem is the first to consider in timed automata, which determines
whether a path exists from its initial state to a target state. This problem can be solved
by computing the zones that apply the abstraction technique in practice. State-of-the-art
abstraction methods (Behrmann et al., 2006; Herbreteau, Srivathsan & Walukiewicz, 2016)
produce an approximation closer to the actual reachable clock valuation, which includes

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 2/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


coarser abstractions. Exact acceleration is an excellent means of abstraction to reduce
required storage space and can alleviate state-space explosion. For practical issues such as
protocol validation (Zhang et al., 2013), IoT system modeling (Li et al., 2013), and smart
contract security verification in blockchain (Cruz, Kaji & Yanai, 2018; Grishchenko, Maffei
& Schneidewind, 2018), exact acceleration technology is an efficient way of minimizing
required storage space and time.

When Iversen et al. (2000) used UPPAAL to verify the LEGO robotic system, a
fragmentation problem was identified and briefly described, and some ideas for further
research were suggested. An approximation technique was applied to a real-time system
model for security and connectivity analysis, which avoided repetitive control (Möller,
2002). After that, a real-time property language L∀S was proposed to check the rejection
state of reachability and reduce safety and boundary liveness simultaneously (Aceto et al.,
2003). The problems and methods in these publications have promoted the concept of
exact acceleration and inspired further research. Related studies on exact acceleration in
real-time model checking include Hendriks & Larsen (2002), Yin, Song & Zhuang (2010),
Yin, Zhuang & Wang (2011), Gou et al. (2014), Boudjadar et al. (2016), and Chadli et al.
(2018). In the following four examples, the window of the acceleratable cycle is [a,b].

• Hendriks & Larsen (2002) introduced a method of syntax adjustment to a subset of timed
automata by adding an appended cycle whose length was da/(b−a)e times longer than
that of the acceleratable cycle. This method accelerates forward symbolic reachability
analysis, which solves the fragmentation problem and optimizes the verification of the
LEGO robotic system.
• Yin, Song & Zhuang (2010) proposed a method to identify the acceleratable cycle in
timed automata by introducing topological sorting for a large state space of a timed
automaton; by simplifying the scale of timed automata, the method operated efficiently.
• An exact acceleration method based on a parking cycle was proposed (Yin, Zhuang &
Wang, 2011), in which the entry boundary condition was determined by the size of the
acceleratable cycle’s window (the condition is z ≥a× ab−a +n0); the automaton model
improved the speed of exact acceleration and reduced the cost.
• By analyzing the main parameters of the acceleration process, Gou et al. (2014) proposed
a method for determining whether exact acceleration was required. This approach can be
used to avoid adding an appended cycle to reduce verification speed when the number
of fragments is small, or fragments do not satisfy certain conditions.
• Boudjadar et al. (2016) proposed a development method to improve the utilization rate
of resources by using model-checking technology. In the design and development stage,
exact acceleration technology was used to greatly improve the capability of symbolic
model checking in a processing scheduling system. For the scheduling problem of
network physical systems, Chadli et al. (2018) modeled advanced specifications and
validation frameworks with the help of exact acceleration technology, automatically
transforming high-level specifications into formal models. The above two research
works mainly applied exact acceleration to model a system resource scheduling problem
but did not improve the original exact acceleration theory.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 3/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


When modeling a complex real-time system (Wang et al., 2019), multiple acceleratable
cycles may overlap at the same location. If the appended cycle method is used for exact
acceleration, then the added locations multiply as the number of acceleratable cycles
increases, resulting in insufficient memory for model checking. If the parking cycle method
is used for exact acceleration, acceleratable-cycle stacking leads to non-uniformity in
parking-cycle entry conditions; differences in the windows of multiple acceleratable cycles
can increase time consumption drastically. In this paper, we propose an exact acceleration
method for complex real-time model checking based on an overlapping cycle, which is an
application scenario extension of parking-cycle technique. A single overlapping cycle is
developed by comprehensively analyzing the accelerating effects of multiple acceleratable
cycles and analyzing acceleration differences among these cycles. The overlapping cycle is
simple to create and has a fixed length, eliminating the need to add multiple locations for
complex real-time models. The overlapping cycle adds much less state space than appended
cycles or parking cycles in model checking, substantially reducing the acceleration cost.
The proposed method can be effectively applied to modeling and verification of complex
real-time systems such as the IoT gateway security system. It can also alleviate additional
consumption of time and space caused by state-space explosion while maintaining the
original nature of the system.

The remainder of this paper is organized as follows. The section ‘Preliminaries’ briefly
introduces timed automata, forward symbolic reachability analysis, and the theory of exact
acceleration. The exact acceleration method for complex real-time models based on an
overlapping cycle is proposed in ‘Exact Acceleration of Complex Real-time System Model
Based on Overlapping Cycle’, which outlines the method of creating a single, fixed-length
overlapping cycle. A timed automaton with an overlapping cycle is shown to accelerate the
originally timed automaton with reachability. In ‘Experimental Results’, the acceleration
effects of the appended cycle, parking cycle, and overlapping cycle with a complex real-time
model example are compared using experiments. Finally, the ‘Conclusion’ provides a few
ideas for future research.

PRELIMINARIES
Timed automata
This part is based on work by Alur & Dill (1994). To illustrate the real-time clock of timed
automata more clearly, we define a clock constraint set T(C) contain all clock constraints.
We assume that the set of clock variables is C, and the definition of the set of clock
constraints τ is as follows:

τ :=c ∼n|τ1∧τ2

where c ∈C, n∈N, and ∼ denotes one of the binary relationships {<,≤,=,≥,>}. The
clock constraint set T(C) is the set of all clock constraints τ .

A clock interpretation ν is a mapping from C to R+∪{0}, where R+ represents the set of
positive real numbers. Note that ν assigns each clock variable in the set of clock variables C.
For a set X ⊆C, X :=0 indicates that X assigns 0 to each c ∈X (i.e., clock reset), whereas
the clock variables in set C−X have no effects.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 4/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


Figure 1 Timed automaton M.
Full-size DOI: 10.7717/peerjcs.272/fig-1

Definition 1 (Timed automaton). A timed automaton is defined as a six-tuple
(C,L,L0,A,I,E), where C is a set of clocks, L is a finite set of locations, L0 ⊆L is the
set of initial locations, A is a set of action events, I represents mapping that provides every
location l ∈L with some clock constraint in T(C), and E ⊆L×A×T(C)×2C ×L is a set
of edges. An edge (l,a,τ,λ,l

′

) denotes a transition: when the clock constraint in location l
satisfies τ , the system can complete action event a, move from location l to location l

′

, and
allow clocks in λ to be reset.

Figure 1 shows an example of a timed automaton. The timed automaton M represents
a plain and abstract model of the control program and the external environment in a
real-time system. If the control program sends instructions to the control center in an IoT
security system, the environment will be decided by sensors and actuators. The cycle of
locations L1, L2, and L3 model the control program labeled the control cycle, consisting of
three atomic instructions, whose clock is x. The external environment is modeled by clock
y, which is checked each time in L2. The clock y also called global clock. The size of the
threshold constant LARGE determines how slow the environment is relative to the control
program. If y ≥LARGE, the control cycle may be exited.

The semantics of a timed automaton M is defined by a transition system S(M) with Alur
& Dill (1994). A state of S(M) is a pair (l,ν), where l is a location of M and ν indicates a
clock interpretation for C such that ν satisfies I(l). Regarding this transition system, the
traces of a timed automaton have been defined by Hendriks & Larsen (2002).

Forward symbolic reachability analysis
The forward symbolic reachability analysis algorithm is a core of the real-time model-
checking tool UPPAAL (Behrmann, David & Larsen, 2004). The model-checking engine
uses an on-the-fly strategy to search forward from the initial location to determine whether
a symbolic state is reachable. For each symbolic state that has not yet been explored, it is
necessary to calculate subsequent states based on their clocks and actions and compare
them to searched symbolic states. If they have been seen in the past, they are discarded;
otherwise, they are added to the list of explored symbolic states.

The reachability property ϕ of a timed automaton M can be presented as the timed
computation tree logic (TCTL) formula E <> (P), where P is a state property of M.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 5/24

https://peerj.com
https://doi.org/10.7717/peerjcs.272/fig-1
http://dx.doi.org/10.7717/peerj-cs.272


Table 1 Results of symbolic states from a forward symbolic exploration by timed automaton M.

State Location Zone

1 L0 y =0 x =0 y − x =0
2 L1 3 < y ≤5 3 < x ≤5 y − x =0
3 L2 3 < y ≤7 0≤x ≤2 3 < y − x ≤5
4 L3 3 < y ≤11 0≤x ≤4 3 < y − x ≤7
5 L1 4 < y ≤12 1≤x ≤5 3 < y − x ≤7
6 L2 6 < y ≤14 0≤x ≤2 6 < y − x ≤12
7 L3 6 < y ≤18 0≤x ≤4 6 < y − x ≤14
8 L1 7 < y ≤19 1≤x ≤5 6 < y − x ≤14
9 L2 9 < y ≤21 0≤x ≤2 9 < y − x ≤19
10 L3 9 < y ≤25 0≤x ≤4 9 < y − x ≤21
11 L1 10 <y ≤26 1≤x ≤5 9 <y − x ≤21
12 L2 12 <y ≤28 0≤x ≤2 12 < y − x ≤26

We describe that M satisfies ϕ, denoted by M � ϕ, if a trace exists in the form of
((l0,ν0),(l1,ν1),...)∈Tr(M), where (li,νi)� P for some i≥0.

To describe the process of forward symbolic reachability analysis, we take automaton
M in Fig. 1 as an example. Table 1 shows the symbolic states that timed automaton M
searches forward from the initial location after one execution.

In Table 1, symbolic states 6 and 3 are both L2. However, the clock zones are not
identical; these states represent two different symbolic states to be further forward searched.
Therefore, every execution of the control cycle results in new symbolic states. Because the
threshold LARGE is usually larger and clock y is especially smaller, the timed automaton
M must execute a certain number of control cycles to increase clock y effectively when
verifying the reachability of L4. The number of executions depends on LARGE; if LARGE
is large, then there are more executions. Due to different clocks, when the model checking
tools detect a symbolic model cycle by cycle, many unnecessary clock fragments may appear
in the state space, causing a forward symbolic fragment problem. For example, if we only
observe the symbolic states 3, 6, 9 and 12 of location L2, we can find that each clock zone
overlaps with the zone in front of it, which is called clock zone continuous. At this time,
because of the small-time measurement in the cycle, the overlapped clock zone is divided
into infinite segments, which leads to the fragmentation problem. Table 1 lists results from
the UPPAAL simulator.

Exact acceleration
Hendriks & Larsen (2002) proposed the concept of exact acceleration, based on which, we
provide basic definitions for our study. The acceleratable cycle is a key concept in exact
acceleration. An acceleratable cycle can use only one clock in clock constraints (including
invariants, guards, and resets).

Definition 2 (Acceleratable cycle). Let M = (C,L,l0,A,I,E) be a timed automaton,
Ec =(e0,...,en−1)∈En, and x ∈C. An acceleratable cycle is defined as a two-tuple (Ec,x)
when the following conditions are satisfied:

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 6/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


• Ec is a cycle;
• for all locations in Ec, I(l) is either empty or in the form of {x ≤c};
• if (l,a,τ,λ,l

′

)∈Ec, then τ is empty or in the form of {x ≥ c}, and λ is empty or only
contains x; and
• x must be reset on all in-going edges to src(e0).

Clock x is the clock of the cycle, I(l) is the location invariant, and τ is the edge guard.
The location src(e0) is the reset location whose out-going edge is e0, which indicates the
external clock’s checking position in the acceleratable cycle. If a specific location’s in-going
edge is ei in the cycle, then the out-going edge of this position is ei+1, where i∈[0,n−2].

The cycle in automaton M (Fig. 1), composed of locations L1, L2, and L3, is an
acceleratable cycle. The clock of the cycle is x, and the reset location is L2. The invariants
and guards are in accordance with the defined form of clock x, and the clock resets to zero
at the only in-going edge of L2.

Definition 3 (Window of acceleratable cycle). Let an acceleratable cycle in the
timed automaton M be (Ec,x). The compression sequence of all traces is expressed as
Tr(Ec)=

(
(l0,ν0),

(
l0,ν

′

0

)
,(l1,ν1),...,(ln−1,νn−1),

(
ln−1,ν

′

n−1

)
,(ln,νn)

)
, where νi and ν

′

i

indicate different clock interpretations, i∈[0,n], and l0= ln= src(e0).((lj,ν
′

j),(lj+1,νj+1))
depends on the edge ej and can be understood as an action event of ej, j ∈[0,n−1]. The
window of the acceleratable cycle (Ec,x) is defined as the interval [a,b], a,b∈N when the
following conditions are satisfied:

• the total delay of Tr(Ec) is an element of [a,b]; and
• for any real number d ∈[a,b], we adjust the delays under legal clock constraints in
Tr(Ec) to ensure the total delay is d.

The meaning of the total delay in this definition is an increase in the clock of the cycle,
which can be simply defined as the increment of the external clock when the acceleratable
cycle returns to the reset location once from the initial location. The window is the minimal
and maximal time it may take to pass through a cycle. According to this definition, the
window of the acceleratable cycle shown in Fig. 1 can be calculated as [3,7].

Definition 4 (Accelerated automaton based on appended cycle). Let M =
(C,L,l0,A,I,E)be a timed automaton, and let Cycle=(Ec,x) be an acceleratable cycle of M,
where L= {l0,l1,...,lm}, Ec = (e0,e1,...,en−1), ei= (li,ai,τi,λi,li+1). Acceleration of M based
on the appended cycle is a new automaton Acca(M,Cycle) defined as (C,L′,l0,A,I ′,E′),
where

• L′=L∪
{
l′1,l
′

2,...,l
′

n−1
}
∪
{
l′0
}
∪

{
l
′′

1,l
′′

2,...,l
′′

n−1

}
• I ′(li)= I(li), 0≤ i≤m
• I ′

(
l′i
)
= I(li), 1≤ i≤n−1

• I ′
(
l′0
)
=∅

• I ′
(
l
′′

i

)
= I(li), 1≤ i≤n−1

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 7/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


• E′ = E ∪
{(
l0,a0,τ0,λ0,l′1

)
,
(
l′n−1,an−1,τn−1,λn−1,l

′

0
)}

∪
{(
l′0,a0,τ0,λ0,l

′′

1
)
,
(
l′′n−1,an−1,τn−1,λn−1,l0

)}
∪
{
(l′i,ai,τi,λi,l

′

i+1),(l
′′

i ,ai,τi,λi,l
′′

i+1)|1≤ i≤n−1
}

• in particular, E′=E∪
{(
l0,a0,τ0,λ0,l′0

)
,
(
l′0,a0,τ0,λ0,l0

)}
when n=1.

Theorem 1. Let M =(C,L,l0,A,I,E) be a timed automaton, and let Cycle =(Ec,x) be
an acceleratable cycle of M with a window [a,b]. If ϕ is the reachability property of M,
then

3a≤2b⇒(M �ϕ⇔Acca(M,Cycle) �ϕ).

Theorem 1 has been proved in Hendriks & Larsen (2002). In Definition 4, the appended
cycle is obtained by expanding the acceleratable cycle twice. If the timed automaton M
is added to the appended cycle by expanding the acceleratable cycle i times, then the
precondition in Theorem 1 can be generalized to (i+1)a≤ ib.

Definition 5 (Accelerated automaton based on parking cycle). Let M =(C,L,l0,A,I,E)
be a timed automaton, and let Cycle=(Ec,x) be an acceleratable cycle of M with a window
of [a,b], where L= {l0,l1,...,lm}, Ec= (e0,e1,...,en−1), ei = (li,ai,τi,λi,li+1). The global
clock is y, and the maximum value of y before entering the acceleratable cycle is n0. The
acceleration of M based on the parking cycle is a new automaton Accp(M,Cycle) defined
as (C,L′,l0,A,I ′,E′), where

• L′=L∪
{
l′0
}

• I ′(li)= I(li), 0≤ i≤m
• I ′

(
l′0
)
=∅

• E′=E∪
{(
l0,a0,τ′,∅,l′0

)
,
(
l′0,an−1,∅,λn−1,l0

)}
, τ ′ is y ≥a×

⌈ a
b−a

⌉
+n0.

Definition 5 has been given in Yin, Zhuang & Wang (2011). The accelerated automaton
Acca(M,Cycle) equals the timed automaton M with an appended cycle composed of
locations l0,l

′

1,l
′

2,...,l
′

n−1,l
′

0,l
′′

1,l
′′

2,...,l
′′

n−1. Accelerated automaton Accp(M,Cycle) equals
the timed automaton M with a parking cycle whose edge guard y controls the acceleration
timing. Only when the acceleratable cycle has been executed at leastda/(b−a)e times is the
automaton permitted to enter the parking cycle. Figures 2 and 3 display the acceleration of
M (Fig. 1) based on the appended cycle and parking cycle, respectively. They are labeled
the accelerated automata Ma and Mp. Because the window of the acceleratable cycle is
[3,7], the edge guard of the parking cycle is y ≥3 in Mp.

Theorem 2. Let M =(C,L,l0,A,I,E) be a timed automaton, and let Cycle =(Ec,x) be
an acceleratable cycle of M with a window of [a,b]. If ϕ is a reachability property of M,
then

a<b⇒(M �ϕ⇔Accp(M,Cycle) �ϕ).

Yin, Zhuang & Wang (2011) gives this theorem form forward symbolic reachability
analysis, and this is the previous achievement of our working group. We will give its
another proof in the view of zone later.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 8/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


Figure 2 Accelerated automaton Ma based on appended cycle.
Full-size DOI: 10.7717/peerjcs.272/fig-2

Figure 3 Accelerated automaton Mp based on parking cycle.
Full-size DOI: 10.7717/peerjcs.272/fig-3

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 9/24

https://peerj.com
https://doi.org/10.7717/peerjcs.272/fig-2
https://doi.org/10.7717/peerjcs.272/fig-3
http://dx.doi.org/10.7717/peerj-cs.272


Figure 4 Timed automaton M ′.
Full-size DOI: 10.7717/peerjcs.272/fig-4

EXACT ACCELERATION OF COMPLEX REAL-TIME SYSTEM
MODEL BASED ON OVERLAPPING CYCLE
The appended cycle and parking cycle technologies in exact acceleration apply to a real-time
system model with a single acceleratable cycle. For a complex real-time system model (as

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 10/24

https://peerj.com
https://doi.org/10.7717/peerjcs.272/fig-4
http://dx.doi.org/10.7717/peerj-cs.272


shown in Fig. 4), using these two technologies for exact acceleration requires additional
states and consumes a large amount of time cost, which influences the acceleration effect.
Figure 4 presents an example of the IoT gateway security system (in Wang et al., 2018).

The timed automaton M ′ models a wireless sensor network including a reactive program
and external environment. The run-time behavior control several sensors, which can be
transformed into clock constrains in UPPAAL. Every location in the cycle represents a
sensor model in the IoT system. The cycle’s clock is x, and clock y controls the execution
time. The larger the constant LARGE is, the more slowly the timed automaton M ′ runs.
Using the algorithm described by Yin, Song & Zhuang (2010) to identify the acceleratable
cycle in M ′, we obtain four acceleratable cycles whose reset locations are all L1 and share
the clock of cycle x. For this complex real-time model, we propose a method based on the
overlapping cycle for exact acceleration.

Theorem 3. Let M =(C,L,l0,A,I,E) be a timed automaton, and let Cycle =(Ec,x) be
an acceleratable cycle of M with a window of [a,b]. If a < b, there is a positive integer n
in the forward symbolic reachability analysis, which leads the reset location to obtain a
continuous clock zone after executing the Cycle n times.

Proof. According to the forward symbolic reachability analysis, the problem of fragments
in the acceleratable cycle will inevitably lead to the overlap of clock zones, that is,
the appearance of continuous clock zone. If a < b, according to the definitions about
exact acceleration, the continuous clock zone will be got after several executions of the
acceleratable cycle, and the point of the proof is to determine the number of executions.

So, without loss of generality, we might assume that the execution number is a positive
integer n. Let n be the rounds of Cycle execution, and let the interval [c,d] be the clock
zone at the reset location before execution of the Cycle. At the reset location, the clock zone
is continuous from the (n+1)th time onward; therefore, the clock zones obtained in the
(n+1)th time and the nth time have an intersection that is

(n+1)a+c ≤nb+d ⇒n≥(a+c−d)/(b−a).

Because b>a, d ≥c, there must be an integer n≥a/(b−a). So, the number of executions
should be at least da/(b−a)e. When the Cycle is executed da/(b−a)e (that is n) times, the
reset location obtains a continuous clock zone, thereby completing the proof.

Corollary 1. If the timed automaton M has an acceleratable cycle with a window of
[a,b], a<b, then the reset location will obtain a continuous clock zone after executing the
Cycle at least a/(b−a) times during forward symbolic reachability analysis.

Proof. According to Theorem 3, we easily know the reset location obtains a continuous
clock zone when the Cycle is executed n times. For the integer n, we can calculate that
n≥a/(b−a). The proof is completed.

Corollary 2. Let the global clock be y, and let the maximum value of y before entering
the acceleratable cycle be n0. If the timed automaton M has an acceleratable cycle with a
window of [a,b], a<b, then the reset location will obtain a continuous clock zone when
the following condition is satisfied during forward symbolic reachability analysis:

y−n0≥a×a/(b−a).

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 11/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


Proof. According to Corollary 1, the reset location will obtain a continuous clock zone
after executing the acceleratable cycle at least a/(b−a) times. Because the window of the
acceleratable cycle is [a,b], the increment of y by executing the acceleratable cycle a/(b−a)
times is denoted as 1y ∈[a×a/(b−a),b×a/(b−a)], where 1y =y−n0. Therefore, when
y−n0≥a×a/(b−a), the reset location will obtain a continuous clock zone. The proof is
completed.

Corollary 3. Let the global clock be y, and let the maximum value of y before entering
the acceleratable cycle be n0. If the timed automaton M has an acceleratable cycle with
a window of [a,b], a < b, then every location in the acceleratable cycle will obtain a
continuous clock zone when y−n0≥a×a/(b−a).

Proof. Because clock y is not the cycle clock, any invariant or guard in the acceleratable
cycle will not contain clock y according to Definition 2. Based on the theory of timed
automata, clock y exhibits monotonous growth when the acceleratable cycle is executed.
Thus, when y−n0 ≥a×a/(b−a), per Corollary 2, the reset location begins to obtain a
continuous clock zone, indicating that every location in the acceleratable cycle is reachable.
At this point, a constant clock zone will also be received by any location in the acceleratable
cycle, and the proof is completed.

Next, we will give the new proof of Theorem 2.
Proof. Sufficient Condition. The known condition is a < b. Because Accp(M,Cycle) is

obtained by adding a parking cycle to M, the timed automaton M can clearly reach any
reachable state in original model. The accelerated automaton Accp(M,Cycle) can also
reach states by executing the same time trace; that is, the state transition system S(M)
associated with M is included in the state transition system S(Accp(M,Cycle)) associated
with Accp(M,Cycle).

Necessary Condition. The known condition is a < b. Let the global clock be y. When
y < a×a/(b−a)+n0, the accelerated automaton Accp(M,Cycle) does not execute the
parking cycle, and reachable states in Accp(M,Cycle) are also reachable in the timed
automaton M. When y ≥a×a/(b−a)+n0 (according to Corollary 3), every location
in the acceleratable cycle of M will obtain a continuous clock zone; that is, after
y ≥a×a/(b−a)+n0 at any time, M can reach any location in the acceleratable cycle
and Accp(M,Cycle) executes the parking cycle, satisfies the edge guards, and returns to the
reset location of any state, which guarantees that M is always reachable.

In summary, when a<b, the accelerated automaton Accp(M,Cycle) does not change the
reachability property ϕ of the timed automaton M, and the proof is completed.

According to our theorems and corollaries, we can prove that the exact acceleration
method based on the parking cycle is more concise and effective than that based on the
appended cycle. On one hand, there is no location invariant in the parking cycle to ensure
the clock can stay in this location for acceleration; on the other hand, the parking cycle
contains an edge guard to ensure that any location of the acceleratable cycle obtains
a continuous clock zone, which provides reachability. In this way, the parking cycle
accelerates the search for the symbolic state by controlling acceleration timing and ensures
reachability of the timed automaton to realize exact acceleration. The exact acceleration
method for the complex real-time model based on an overlapping cycle is an improved

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 12/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


method based on the parking cycle. It attempts to extend the application field of exact
acceleration technology to complex real-time model checking to improve efficiency and
alleviate state explosion.

Theorem 4. Let M =(C,L,l0,A,I,E) be a timed automaton with several acceleratable
cycles. Let Cyclei= (Eci,x) be the ith acceleratable cycle of M with a window of [ai,bi], where
i is a non-zero natural number. All acceleratable cycles affect the cycle of clock x, and their
reset locations are uniform in lreset ∈L. There is a single acceleratable cycle whose effect is
the most effective in obtaining a continuous clock zone than multiple acceleratable cycles.

Proof. Let nj =
⌈

aj
bj−aj

⌉
×aj, nk =

⌈
ak

bk−ak

⌉
×ak, where 1≤ j,k≤ i, and j, k are non-zero

natural numbers. Then, nj and nk represent the edge guard of the jth and kth acceleratable
cycle, respectively, when adding a parking cycle. If these two acceleratable cycles are executed
simultaneously, the edge guard can be expressed as njk =

⌈
aj+ak

(bj−aj)+(bk−ak)

⌉
×
(
aj+ak

)
. The

window of the ith acceleratable cycle is [ai,bi] as a known condition, where 0≤aj ≤bj,
0≤ak ≤bk, and there is aj+ak ≥aj,ak.

We make
aj

bj−aj
=

U
V ,

ak
bk−ak

=
X
Y , such that

aj+ak
(bj−aj)+(bk−ak)

=
U+X
V+Y . We assume that

U
V is

smaller, then XY =
U+µ
V , µ∈R

+. Therefore, there is U+XV+Y =
U+U+µ
V+V =

U
V +

µ
2V >

U
V ; that is,⌈U+X

V+Y

⌉
≥
⌈U
V

⌉
and

⌈U+X
V+Y

⌉
≥min(

⌈U
V

⌉
,
⌈X
Y

⌉
). In the positive-number condition, a larger

number multiplied by a larger number is either equal to or greater than a smaller number
multiplied by a smaller number; therefore,⌈
U +X
V +Y

⌉
×(aj+ak)≥min(

⌈
U
V

⌉
×aj,

⌈
X
Y

⌉
×ak)

which is njk ≥min(nj,nk).
According to Corollary 1, the reset location will obtain a continuous clock zone after

executing the acceleratable cycle, which has a smaller value of
⌈

ai
bi−ai

⌉
×ai,

⌈
ai

bi−ai

⌉
times

during forward symbolic reachability analysis. This solution is faster than using two
acceleratable cycles simultaneously to obtain a continuous clock zone, and it is better than
using the larger one.

By extension, when comparing any two acceleratable cycles, a shorter time cycle always
obtains a continuous clock zone more quickly. When comparing all acceleratable cycles,
we can achieve the most effective acceleratable cycle for exact acceleration. This result
indicates that the acceleration effect of a single acceleratable cycle is more effective than
that of multiple acceleratable cycles, thereby completing the proof.

Corollary 4. Let M =(C,L,l0,A,I,E) be a timed automaton with several acceleratable
cycles. Let Cyclei= (Eci,x) be the ith acceleratable cycle of M with a window of [ai,bi],
where i is a non-zero natural number. All acceleratable cycles affect the cycle of clock x,
and their reset locations are uniform in lreset ∈L. If ai <bi, then the acceleratable cycle with
the min

(⌈
ai

bi−ai

⌉
×ai

)
has the best acceleration effect of obtaining a continuous clock zone

in the shortest time.
Proof. According to Theorem 4, comparing any two acceleratable cycles, a cycle with

smaller value of
(⌈

ai
bi−ai

⌉
×ai

)
always obtains a continuous clock zone more quickly.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 13/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


When comparing all acceleratable cycles, the cycle with the min
(⌈

ai
bi−ai

⌉
×ai

)
obviously

has the most effective acceleration. The proof is completed.
Definition 6 (Accelerated automaton based on overlapping cycle). Let M =

(C,L,l0,A,I,E) be a timed automaton with k acceleratable cycles, where L =
{l0,l1,...,lm}. CYCLE ={Cycle1,...,Cyclek|k ∈N+} denotes the acceleratable cycle set.
Let Cyclei=(Eci,x) be the ith acceleratable cycle with a window of [ai,bi], where 0≤ i≤k,
Ec= (e0,e1,...,en−1), eji= (lji,aji,τji,λji,l(j+1)i). All acceleratable cycles affect the cycle of
clock x, and their reset locations are uniform in lreset ∈L. The global clock is y, and
the maximum value of y before entering the acceleratable cycle is n0. The acceleration
of M based on the overlapping cycle is a new automaton Acco(M,CYCLE) defined as
(C,L′,l0,A,I ′,E′), where

• L′=L∪
{
l′reset

}
• I ′(lh)= I(lh), 0≤h≤m
• I ′

(
l′reset

)
=∅

• E′=E∪
{(
lreset,∅,τ ′,∅,l′reset

)
,
(
l′reset,∅,∅,λ

′,lreset
)}
, τ ′ is y ≥min

(⌈
ai

bi−ai

⌉
×ai

)
+n0

and λ′ only contains x.

The accelerated automaton Acco(M,CYCLE) equals the timed automaton M with the
addition of an overlapping cycle at only one reset location, which solves the problem
where an exact acceleration cannot be used directly for complex real-time model checking.
The overlapping cycle only needs to analyze all windows of every acceleratable cycle in
CYCLE for the calculation. We can also avoid using an appended cycle or parking cycle for
each acceleratable cycle, greatly reducing the additive symbolic state. Figure 5 depicts the
acceleration of M ′ (Fig. 4) based on an overlapping cycle, named accelerated automaton
M
′

o. Because the timed automaton M
′ contains four acceleratable cycles, we analyze them

separately, discard the deadlocked cycle, and only retain three executable cycles. The
deadlocked cycle consists with location l1,l2,l3,l4,l5,l6,l7,l8,l9,l10,l14,l13,l1 in sequence.
For further analysis, the windows of acceleratable cycles are calculated as [7,18], [6,16],
and [13,24]. By taking the minimum value of

⌈
ai

bi−ai

⌉
×ai, we can obtain the overlapping

cycle’s entry condition, which is y ≥6.
Theorem 5. Let M =(C,L,l0,A,I,E) be a timed automaton with several acceleratable

cycles. Let Cyclei = (Eci,x) be the ith acceleratable cycle of M with a window of [ai,bi],
where i is a non-zero natural number. If x is reset on edge e0, then the subsequent states
of src(e0) reachable by multiple acceleratable cycles in M, are reachable by exactly one
execution of the overlapping cycle in Acco(M,CYCLE).

Proof. For a certain acceleratable cycle, its window is set as
[
a′,b′

]
. According to Theorem

1, when 3a′≤2b′, the appended cycle does not change the subsequent reachability of the
reset location src(e0) in M. According to Theorem 2, when a′≤b′, the parking cycle does
not change the subsequent reachability of the reset location src(e0) in M. In the case of
multiple acceleratable cycles superimposing on the same location in a complex real-time
system, the subsequent reachability of the reset location src(e0) in M can be guaranteed to
remain unchanged if any part of the acceleratable cycle is processed with exact acceleration.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 14/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


Figure 5 Automaton M ′o: acceleration of M
′ based on an overlapping cycle.

Full-size DOI: 10.7717/peerjcs.272/fig-5

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 15/24

https://peerj.com
https://doi.org/10.7717/peerjcs.272/fig-5
http://dx.doi.org/10.7717/peerj-cs.272


Table 2 Runtime data comparing M ′ and its accelerated versions Ma′ , Mp′ and Mo′ .

LARGE

104 105 106 107 108 109

Mem (KB) 27,020 26,892 27,392 27,544 27,952 28,572
M ′

Time (s) 0.032 0.256 1.688 12.045 120.333 1,191.025
Mem (KB) 28,328 29,220 30,468 31,688 32,508 34104

M
′

a
Time (s) 0.007 0.008 0.008 0.008 0.009 0.009
Mem (KB) 27,184 27,384 27,788 28,060 28,208 29,276

M
′

p
Time (s) 0.005 0.004 0.003 0.003 0.003 0.004
Mem (KB) 27,164 27,036 27,472 27,824 27,988 28,788

M
′

o
Time (s) 0.002 0.002 0.002 0.003 0.002 0.002

According toTheorem 4, the accelerablecycle is moreeffective for obtaininga continuous
clock zone at reset location src(e0) than multiple acceleratable cycles. In particular,
according to Corollary 4, if ai < bi, then the exact acceleration based on overlapping
cycle can obtain the continuous clock zone in the shortest time. The proof is completed.

This theorem ensures the effectiveness of acceleration. For a single acceleratable cycle,
if all states are reachable by more than one execution of the acceleratable cycle, then
exactly only one execution of the acceleratable cycle of the appended cycle or parking
cycle can guarantee reachability of all states in the accelerative automaton. The complex
real-time model checking differs from the exact acceleration of a single acceleratable cycle.
In depth-first forward symbolic reachability analysis, it is necessary to verify whether
subsequent states are reachable in priority while ignoring the breadth-first search within
cycles.

In our case study of an IoT gateway security system (Wang et al., 2018), the control
center must complete a security process and distribute it to each sensor node. Once a
self-organizing sensor network completes the process, it can respond to the command
of the control center in a timely manner. The control center can perform subsequent
operations after receiving feedback regardless of whether other sensor nodes can complete
the process. Hence, the security system must ensure its subsequent reachability regardless
of who completes the process. This approach accelerates the search of subsequent states,
thus avoiding time and space consumption caused by superposition of acceleratable cycles.

EXPERIMENTAL RESULTS
To verify the validity of the exact acceleration method based on an overlapping cycle
for complex real-time model checking, we collected runtime data, including memory
consumption and verification time, from the timed automaton M ′. We also gathered
runtime data from the accelerated automata M

′

a, M
′

p, and M
′

o, which use the appended cycle,
parking cycle, and overlapping cycle, respectively. We employed the model-checking tool
UPPAAL with a depth-first search order to verify whether location L15 was reachable, which
can give the time and memory consumption in verification automatically. Experimental
results are displayed in Table 2.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 16/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


Figure 6 Technical framework of IoT gateway security system.
Full-size DOI: 10.7717/peerjcs.272/fig-6

Results show that the time consumption of M ′ increased with exponential growth
of LARGE at a rate of nearly ten times without using exact acceleration. The memory
consumption of M ′ increased slightly because no additional locations were added. The
accelerated automaton M

′

a used an appended cycle, which reduced the time consumption,
reflecting the advantages of exact acceleration. However, due to a large number of additional
locations, the memory consumption of M

′

a increased dramatically. The accelerated
automaton M

′

p used a parking cycle to reduce the time consumption further compared
to M

′

a. The fixed length of the parking cycle reduced the number of additional locations
compared to the appended cycle; accordingly, the memory consumption was much lower
for M

′

p than for M
′

a but slightly higher than for M
′. The accelerated automaton M

′

o that used
the proposed overlapping cycle exhibited minimal time consumption and only required the
addition of a single, fixed-length location for the complex real-time model. The memory
consumption of M

′

o was close to that of M
′, far less than that of M

′

a, and slightly better than
that of M

′

p. We can explain the time and memory consumption of M
′

o by Theorem 5. The
depth-first search order ensures that the overlapping cycle accelerates exploration before
complete exploration of all accelerable cycles.

A less theoretical study case involves model verification of the IoT gateway security
system (Wang et al., 2018). The exact acceleration method based on the overlapping cycle
was successfully applied in this case, significantly improving verification efficiency. The
technical framework of the IoT gateway security system is illustrated in Fig. 6.

An essential technology in the IoT gateway security system is the time-stamped advanced
encryption standard algorithm. By introducing a timestamp into the key expansion phase,
the round key can be dynamically updated with change over time to realize a cipher text
change that ensures the security of confidential information. Due to the introduction of
a timestamp, the system generates acceleratable cycles when modeled as timed automata.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 17/24

https://peerj.com
https://doi.org/10.7717/peerjcs.272/fig-6
http://dx.doi.org/10.7717/peerj-cs.272


Multiple acceleratable cycles are overlaid on the same location in particular scenarios,
which requires overlapping cycle technology for exact acceleration.

Our theory can be used to simulated the parallel execution of processes and idle cycles.
However, the presence of urgent locations and synchronous channels may disturb exact
acceleration. For example, if broadcast channel coordination occurs in an urgent location,
the multi-party response of the broadcast should be completed before the next state location
can be migrated. The execution time of the response process is not controlled by the cycle
control program; thus, it is not appropriate to simply use exact acceleration technology
for acceleration; the space–time loss of using acceleration technology should be compared
to the broadcasting response. However, exact acceleration technology can often handle
urgent locations and synchronous channels. The following case of an IoT gateway security
system also involves these situations. As no extra time interference exists within the whole
acceleration process, the exact acceleration technology can finally be successfully applied
to system modeling and verification.

The accelerated automaton based on an overlapping cycle is an approximation that can
be adapted to verify the accuracy of invariance and reachability properties. Consider the
processes in Fig. 7; these processes model a top architecture and a middleware control
program consisting of locations, edges, and channels.

The IoT gateway runs from the Start location, reads configuration information and
performs gateway identity authentication. The underlying unified authentication service
is invoked through channel StartAC for security authentication, and GatewayStatus is
returned after authentication. If GatewayStatus =true, then the system enters the location
EnterMiddle and transforms to the polling module of the middle layer through the
StartMiddle channel. For the middle-layer polling module, polling begins through the
StartMiddle channel, and the top-layer main module is returned by the FinishMiddle
channel. Location CheckCategory controls whether polling logic ends up at a perception
terminal or an execution terminal, which each have different processing methods. In the two
polling processes, the underlying security service is invoked through the synchronization
channel according to different requirements. The specific process can be interpreted by the
meaning of state locations, synchronization channels, and variables as described by Wang et
al. (2018). In particular, clock constraints are added during the stage of waiting for timing
and the stage of keeping the equipment running. The top-layer main module model and
middle-layer polling module model constitute the general framework of the IoT gateway
security system. Security implementation depends on the underlying security service
modules ultimately, hence it is necessary to improve model construction of the underlying
security service modules. For complex system modeling with underlying services, we apply
the exact acceleration method proposed in this paper, which can effectively improve the
verification speed.

To demonstrate the effect of exact acceleration, we checked all security properties of the
IoT gateway security system model in Fig. 7. Several examples are presented below.

(1) A[] not deadlock
Property 1 is used to check deadlock and ensure all state locations will be reachable.
(2) E<>Top.CheckGS

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 18/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


Figure 7 Part of the IoT gateway security system model.
Full-size DOI: 10.7717/peerjcs.272/fig-7

(3) E<>Top.EnterMiddle imply Middle.CheckCategory
Properties 2 and 3 are used to explore part of the state space. The truth of these two

properties indicates that the implementation accelerated model is an exact acceleration
with the overlapping cycle.

(4) A[] Top.Restart imply c<=300
(5) A[] Top.Record imply c<=600
(6) A[] Middle.RetrieveData imply Middle.y>=30
(7) A[] Middle.WaitDevice imply Middle.y<=5
Properties 4–7 are examined in terms of whether subsequent states of the reset location

are reachable. Clock c is a global clock and clock y is used to model the duration of one
process.

We measured time and memory consumption and explored states for these properties.
The IoT gateway security system was modeled as a timed automaton MIoT , and the
acceleration of MIoT with overlapping cycles was modeled as an automaton MIoTo. We used
model checkers UPPAAL and KRONOS to verify security system properties automatically,
such as confidentiality, availability, and authenticity in parallel processes. KRONOS is able

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 19/24

https://peerj.com
https://doi.org/10.7717/peerjcs.272/fig-7
http://dx.doi.org/10.7717/peerj-cs.272


Table 3 Runtime data comparing MIoT and MIoTo.

Explored States Time(s) Memory(KB)

MIoT 108,302 71.151 29,660
MIoTo 47,545 1.049 30,840

Table 4 Comparing the performance of different exact acceleration techniques for large-scale IoT sys-
tems.

System
states-scale

Exact acceleration
technique

Verification
time(s)

104 Appended cycle 277.860
104 Parking cycle 0.893
104 Overlapping cycle 0.015
105 Appended cycle ∞
105 Parking cycle 72.218
105 Overlapping cycle 1.020
106 Parking cycle 364.720
106 Overlapping cycle 43.292
107 Parking cycle ∞
107 Overlapping cycle 409.132

to complete the statistics of the state scale traversed by the whole verification process. It
makes up for the fact that UPPAAL can’t do this. Table 3 lists the experimental results.

On the premise of guaranteeing the security of IoT gateway system, a large number of
underlying services and various applications can be embedded in the system framework.
At this time, the security requirements of IoT gateway system are mainly for various new
access services, and the framework security of the gateway itself can be maintained by its
own mechanism. After access to a large number of services and applications, the original
model will become complex, concurrent, real-time with large-scale. The verification of the
system needs to be processed by the exact acceleration method based on overlapping cycle.

With the increase of the number of access services, the system model becomes more
and more complex, and the scale of access number greatly affect the efficiency of model
verification. Appended cycle and parking cycle methods are more suitable for single
accelerating cycle scenarios. In this complex scenario, when the number of services reaches
a certain level, the acceleration process may not be completed. According to the change of
the number of access services, Table 4 gives the comparison of the acceleration effects of
different exact acceleration methods (from the perspective of time).

The results show that for complex real-time systems, the acceleration efficiency of
overlapping cycle is much higher than that of appended cycle and parking cycle, and the
verification can still be completed when the state scale reaches 107 with proposed method.
So, the exact accelerating technology substantially reduced the time required for verification
in complex real-time model checking. Overlapping cycle acceleration demonstrated the
highest efficiency compared to the appended cycle and parking cycle. In the simple example
of automaton M ′ in Fig. 4, 55 additional locations were required when using the appended

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 20/24

https://peerj.com
http://dx.doi.org/10.7717/peerj-cs.272


cycle, much higher than the number of locations in the original model. Although the
appended cycle reduced verification time, it increased the difficulty of adding locations
to the model in an early stage. When many acceleratable cycles were stacked in the same
reset position, more than one location needed to be added to M ′ when the parking cycle
was used, although the length of the parking cycle was fixed. The parking cycle was neither
simpler nor faster than the overlapping cycle, and its previous calculation was larger than
that of the overlapping cycle.

With the exception of this IoT case, our approach can be applied to other scenarios,
such as security validation of blockchain smart contracts. The complete code and UPPAAL
model can be found at https://github.com/iegqwang/UPPAAL.

CONCLUSIONS
To solve the fragmentation problem for complex real-time model checking, we propose
an exact acceleration method based on an overlapping cycle, which is an application
scenario extension of parking-cycle technique, to accelerate forward symbolic reachability
analysis. Compared with the appended cycle or parking cycle for exact acceleration,
the proposed method can be applied to the model acceleration of large-scale complex
real-time systems and only requires the addition of a single, fixed-length location to the
system’s timed automaton model. The addition of an overlapping cycle introduces far
fewer symbolic states than using either an appended cycle or parking cycle. Rather than
relying on windows of acceleratable cycles, the proposed accelerated automaton model is
more straightforward and reduces the space–time overhead of exact acceleration.

Two aspects warrant exploration in future research. First, we must continue to study
the algorithm for the acceleratable cycle, try to simplify the original automaton model,
guarantee its original property, and rapidly identify the deadlock. Second, we plan to
develop a simple exact acceleration automatic checking platform that can consider other
practical conditions such as action transitions, urgent locations, and synchronous channels
to solve actual modeling problems more efficiently.

ADDITIONAL INFORMATION AND DECLARATIONS

Funding
This work was supported by the Key Program of the National Natural Science Foundation
of China (No. U1604262), the Key Scientific Research Project of Higher Education of
Henan (No. 19A520003, 18A520006 and 17A520057), and the Key R&D and Promotion
Project in Science and Technology of Henan (No. 182102210189). The funders had no
role in study design, data collection and analysis, decision to publish, or preparation of the
manuscript.

Grant Disclosures
The following grant information was disclosed by the authors:
Key Program of the National Natural Science Foundation of China: U1604262.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 21/24

https://peerj.com
https://github.com/iegqwang/UPPAAL
http://dx.doi.org/10.7717/peerj-cs.272


Key Scientific Research Project of Higher Education of Henan: 19A520003, 18A520006,
17A520057.
Key R&D and Promotion Project in Science and Technology of Henan: 182102210189.

Competing Interests
The authors declare there are no competing interests.

Author Contributions
• Guoqing Wang conceived and designed the experiments, performed the experiments,
performed the computation work, prepared figures and/or tables, and approved the final
draft.
• Lei Zhuang conceived and designed the experiments, performed the computation work,
prepared figures and/or tables, and approved the final draft.
• Yu Song analyzed the data, authored or reviewed drafts of the paper, and approved the
final draft.
• Mengyang He performed the experiments, analyzed the data, prepared figures and/or
tables, and approved the final draft.
• Ding Ma performed the experiments, performed the computation work, authored or
reviewed drafts of the paper, and approved the final draft.
• Ling Ma analyzed the data, authored or reviewed drafts of the paper, and approved the
final draft.

Data Availability
The following information was supplied regarding data availability:

Codes are available at GitHub: https://github.com/iegqwang/UPPAAL.

Supplemental Information
Supplemental information for this article can be found online at http://dx.doi.org/10.7717/
peerj-cs.272#supplemental-information.

REFERENCES
Aceto L, Bouyer P, Burgueño A, Larsen KG. 2003. The power of reachability

testing for timed automata. Theoretical Computer Science 300(1):411–475
DOI 10.1016/S0304-3975(02)00334-1.

Alur R, Dill DL. 1994. A theory of timed automata. Theoretical Computer Science
126(2):183–235 DOI 10.1016/0304-3975(94)90010-8.

Barnat J, Bauch P, Brim L, Češka M. 2010. Employing multiple CUDA devices to accel-
erate LTL model checking. In: International Conference on Parallel and Distributed
Systems, 2010. Piscataway: IEEE, 259–266 DOI 10.1109/ICPADS.2010.82.

Behrmann G, Bouyer P, Larsen KG, Pelánek R. 2006. Lower and upper bounds in zone-
based abstractions of timed automata. International Journal on Software Tools for
Technology Transfer 8(3):204–215 DOI 10.1007/s10009-005-0190-0.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 22/24

https://peerj.com
https://github.com/iegqwang/UPPAAL
http://dx.doi.org/10.7717/peerj-cs.272#supplemental-information
http://dx.doi.org/10.7717/peerj-cs.272#supplemental-information
http://dx.doi.org/10.1016/S0304-3975(02)00334-1
http://dx.doi.org/10.1016/0304-3975(94)90010-8
http://dx.doi.org/10.1109/ICPADS.2010.82
http://dx.doi.org/10.1007/s10009-005-0190-0
http://dx.doi.org/10.7717/peerj-cs.272


Behrmann G, David A, Larsen KG. 2004. A tutorial on Uppaal. In: International school
on forman methods for the design of computer, communication and software systems,
2004. Berlin: Springer Verlag, 200–236 DOI 10.1007/978-3-540-30080-9_7.

Boudjadar A, David A, Kim JH, Larsen KG, Mikučionis M, Nyman U, Skou A. 2016.
Statistical and exact schedulability analysis of hierarchical scheduling systems. Science
of Computer Programming 127:103–130 DOI 10.1016/j.scico.2016.05.008.

Chadli M, Kim JH, Larsen KG, Legay A, Naujokat S, Steffen B, Traonouez LM. 2018.
High-level frameworks for the specification and verification of scheduling problems.
International Journal on Software Tools for Technology Transfer 20(4):397–422
DOI 10.1007/s10009-017-0466-1.

Chen H, Cui L. 2016. Design and model checking of service-oriented software architec-
ture for Internet of things: A survey. Chinese Journal of Computers 39(5):853–871
DOI 10.11897/SP.J.1016.2016.00853.

Cruz JP, Kaji Y, Yanai N. 2018. RBAC-SC: role-based access control using smart
contract. IEEE Access 6:12240–12251 DOI 10.1109/ACCESS.2018.2812844.

Dubout C, Fleuret F. 2013. Accelerated training of linear object detectors. In: Com-
puter vision and pattern recognition workshops, 2013. Piscataway: IEEE, 572–577
DOI 10.1109/CVPRW.2013.156.

Gou L, Li Z, Wang C, Zhuang L. 2014. A method to determine the exact acceleration
efficiency in model checking. Journal of Zhongyuan University of Technology
25(4):37–41 DOI 10.3969/j.issn.1671-6906.2014.04.009.

Grishchenko I, Maffei M, Schneidewind C. 2018. Foundations and tools for the static
analysis of ethereum smart contracts. In: Computer aided verification, 2018. Berlin:
Springer Verlag, 51–78 DOI 10.1007/978-3-319-96145-3_4.

Han D, Yang Q, Xing J. 2015. UML-based modeling and formal verification for software
self-adaptation. Journal of Software 26(4):730–746 DOI 10.13328/j.cnki.jos.004758.

Hendriks M, Larsen KG. 2002. Exact acceleration of real-time model checking. Electronic
Notes in Theoretical Computer Science 65(6):120–139
DOI 10.1016/S1571-0661(04)80473-0.

Herbreteau F, Srivathsan B, Walukiewicz L. 2016. Better abstractions for timed
automata. Information and Computation 251:67–90 DOI 10.1016/j.ic.2016.07.004.

Iversen TK, Kristoffersen KJ, Larsen KG, Laursen M, Madsen RG, Mortensen
SK, Pettersson P, Thomasen CB. 2000. Model-checking real-time control
programs: verifying LEGO R© MINDSTROMSTM systems using UPPAAL. In:
Euromicro conference on real-time systems, 2000. Piscataway: IEEE, 147–155
DOI 10.1109/EMRTS.2000.854002.

Jeong H, Yoo Y, Yi KM, Choi JY. 2014. Two-stage online inference model for traf-
fic pattern analysis and anomaly detection. Machine Vision and Applications
25(6):1501–1517 DOI 10.1007/s00138-014-0629.

Konur S, Fisher M, Schewe S. 2013. Combined model checking for temporal,
probabilistic, and real-time logics. Theoretical Computer Science 503:61–88
DOI 10.1016/j.tcs.2013.07.012.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 23/24

https://peerj.com
http://dx.doi.org/10.1007/978-3-540-30080-9_7
http://dx.doi.org/10.1016/j.scico.2016.05.008
http://dx.doi.org/10.1007/s10009-017-0466-1
http://dx.doi.org/10.11897/SP.J.1016.2016.00853
http://dx.doi.org/10.1109/ACCESS.2018.2812844
http://dx.doi.org/10.1109/CVPRW.2013.156
http://dx.doi.org/10.3969/j.issn.1671-6906.2014.04.009
http://dx.doi.org/10.1007/978-3-319-96145-3_4
http://dx.doi.org/10.13328/j.cnki.jos.004758
http://dx.doi.org/10.1016/S1571-0661(04)80473-0
http://dx.doi.org/10.1016/j.ic.2016.07.004
http://dx.doi.org/10.1109/EMRTS.2000.854002
http://dx.doi.org/10.1007/s00138-014-0629
http://dx.doi.org/10.1016/j.tcs.2013.07.012
http://dx.doi.org/10.7717/peerj-cs.272


Lee J, Yu S, Park K, Park Y, Park Y. 2019. Secure three-factor authentication
protocol for multi-gateway IoT environments. Sensors 19(10):2358–2383
DOI 10.3390/s19102358.

Li G, Wei Q, Li L, Jin Z, Xu Y, Zheng L. 2013. Environment based modeling approach
for services in the Internet of things. Science China Press 43(10):1198–1218
DOI 10.1360/N112013-00031.

Lin K, Chen Y, Xu D. 2017. Reliability assessment model considering heterogeneous
population in a multiple stresses accelerated test. Reliability Engineering & System
Safety 165:134–143 DOI 10.1016/j.ress.2017.03.013.

Möller MO. 2002. Parking can get you there faster: model augmentation to speed
up real-time model checking. Electronic Notes in Theoretical Computer Science
65(6):202–217 DOI 10.1016/S1571-0661(04)80477-8.

Pinisetty S, Jéron T, Tripakis S, Falcone Y, Marchand H, Preoteasa V. 2017. Pre-
dictive runtime verification of timed properties. Journal of Systems and Software
132:353–365 DOI 10.1016/j.jss.2017.06.060.

Qanadilo M, Samara S, Zhao Y. 2013. c. In: Latin-American symposium on dependable
computing, 2013. Piscataway: IEEE, 40–47 DOI 10.1109/LADC.2013.20.

Wang C, Pastore F, Briand L. 2019. Oracles for testing software timeliness with un-
certainty. ACM Transactions on Software Engineering and Methodology 8(1):1–30
DOI 10.1145/3280987.

Wang G, Zhuang L, Wang R, Song Y, Zhang K. 2018. Modeling and verifying based
on timed automata of Internet of things gateway security system. Journal on
Communications 39(3):63–75 DOI 10.11959/j.issn.1000-436x.2018042.

Wang H, Zhong D, Zhao T, Ren F. 2019. Integrating model checking with SysML in
complex system safety analysis. IEEE Access 7:16561–16571
DOI 10.1109/ACCESS.2019.2892745.

Yin C, Song W, Zhuang L. 2010. Method of acceleratable cycles in identify timed
automata. Computer Engineering and Design 31(23):5113–5115
DOI 10.16208/j.issn1000-7024.2010.23.030.

Yin C, Zhuang L, Wang C. 2011. Exact acceleration of real-time model checking based
on parking cycle. Acta Electronica Sinica 39(3):489–493
DOI 10.3969/j.issn.0372-2112.2011.03.001.

Zhang F, Bu L, Wang L, Zhao J, Li X. 2013. Modeling and analysis of wireless sensor
network protocols by stochastic timed automata and statistical model checking.
Scientia Sinica Informationis 43(1):90–107 DOI 10.1360/112012-498.

Wang et al. (2020), PeerJ Comput. Sci., DOI 10.7717/peerj-cs.272 24/24

https://peerj.com
http://dx.doi.org/10.3390/s19102358
http://dx.doi.org/10.1360/N112013-00031
http://dx.doi.org/10.1016/j.ress.2017.03.013
http://dx.doi.org/10.1016/S1571-0661(04)80477-8
http://dx.doi.org/10.1016/j.jss.2017.06.060
http://dx.doi.org/10.1109/LADC.2013.20
http://dx.doi.org/10.1145/3280987
http://dx.doi.org/10.11959/j.issn.1000-436x.2018042
http://dx.doi.org/10.1109/ACCESS.2019.2892745
http://dx.doi.org/10.16208/j.issn1000-7024.2010.23.030
http://dx.doi.org/10.3969/j.issn.0372-2112.2011.03.001
http://dx.doi.org/10.1360/112012-498
http://dx.doi.org/10.7717/peerj-cs.272