Veri cation of Complex Systems · Veri cation of Complex Systems | Timed automata | Nicolas Markey...

$: Veri cation of Complex Systems · Veri cation of Complex Systems | Timed automata | Nicolas Markey Master \Research in Computer Science" Univ. Rennes 1, France 2019-2020 version of$
Verification of Complex Systems— Timed automata —

Nicolas Markey

Master “Research in Computer Science”Univ. Rennes 1, France

2019-2020

version of December 11, 2019

Contents

1 Introduction 31.1 Why (formal) verification? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Basics of model checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2.1 Finite-state automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2.2 Language-theoretic operations . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.2.3 Model checking classical properties . . . . . . . . . . . . . . . . . . . . . . . . 81.2.4 Model checking for richer properties . . . . . . . . . . . . . . . . . . . . . . . 91.2.5 Bisimulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111.2.6 In practice... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2 From finite-state automata to timed automata 132.1 Augmenting finite-state automata with clocks . . . . . . . . . . . . . . . . . . . . . . 14

2.1.1 Discrete vs. dense time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.2 Operations on timed automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3 Language-theoretic problems for timed automata 243.1 Checking language emptiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.1.1 (Time-abstract) bisimilarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243.1.2 Partitions that define a time-abstract bisimulation . . . . . . . . . . . . . . . 253.1.3 Region equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.1.4 Quotienting an automaton by a bisimulation . . . . . . . . . . . . . . . . . . 323.1.5 Complexity of checking emptiness . . . . . . . . . . . . . . . . . . . . . . . . 33

3.2 Checking language inclusion and universality . . . . . . . . . . . . . . . . . . . . . . 35

4 Model-checking for timed automata 404.1 Model checking via language inclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 404.2 Model checking using temporal logics . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5 Efficient algorithms for timed automata 465.1 Reachability algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465.2 Zones and DBMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

5.2.1 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465.2.2 Representation and operations on zones using DBM . . . . . . . . . . . . . . 485.2.3 Backward algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555.2.4 Forward algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

1

6 Parameterized extensions of timed automata 596.1 Extending timed automata with parameters . . . . . . . . . . . . . . . . . . . . . . . 596.2 Parametric-size networks of timed automata . . . . . . . . . . . . . . . . . . . . . . . 61

2

Chapter 1

Introduction

1.1 Why (formal) verification?

Artificial intelligence, and computer systems in a broader sense, are now ubiquitous in our lives:while they used to be limited to specific industrial applications in transportation or telecommuni-cations, they have now deeply modified our everyday lives in numerous ways. Besides controllingenergy plants, air traffic and telecommunication networks, computers now also control our cars,phones, payment systems, household appliances, heating systems, medical appliances, and the listwould be long. This very fast expansion is witnessed by the fact that, during 2014, more than250 billion billion (i.e. 250 × 1018) transistors were manufactured, which is more than the totalnumber of transistors ever built before 2011.

As we all have already experienced, computer devices have bugs. Notorious examples of bugsinclude the blast of Ariane 5 in June 1996 [Wika], the Pentium II floating-point division bug[Wikc],the loss of the Mars Climate Orbiter [Wikb], or the radiation overdoses caused by the Therac-25radiation therapy device [Wikd]. All these problems originate in software bugs, and give prominenceto the pressing need for software and hardware verification.

As another example, less critical and dramatic but easier to understand, let us consider thebug of the Zune MP3 player. In order to compute the current date, this device had an internalclock counting the number of seconds (say) elapsed since January 1st, 1980. From this, it is easyto compute the corresponding number of days, from which it was needed to compute the currentyear (which would be trivial without leap years). For this, Algorithm 1 was used. Assuming thatIsLeapYear correctly decided whether year is a leap year, this algorithm would simply subtract365 or 366 days, and at the same time increment the computed year, until the number of days isless than or equal to 365. But guess what happened on 31 December 2008 (or equivalently, whatwould have happened on 31 December 1980, if the device had existed on that day)...

Verifying complex systems can hardly be done purely by hand. The examples above illustratethat fact: those devices had been developed by skilled engineers, and had been heavily testedbefore being used. But corner cases and specific assumptions are very difficult to list and handleexhaustively. This advocates for formal methods, based on mathematics and logics.

3

Algorithm 1: Zune3.0 code for computing current year

year = ORIGINYEAR; /* = 1980 */

while (days > 365)

if (IsLeapYear(year))

if (days > 366)

days -= 366;

year += 1;

else

days -= 365;

year += 1;

1.2 Basics of model checking

The general problem whether a program (or a Turing machine, to state it formally) halts on agiven input is undecidable [Tur37]. This undecidability result can even be extended to two-countermachines [Min67], which are very simple programs involving two (unbounded) counters that canbe incremented, decremented, and tested against zero. Fully automatic and exhaustive verificationtechniques thus have to (severely) restrict the class of systems they consider. Tackling the problemfrom the other end, finite-state automata enjoy efficient algorithms for checking reachability ofsome set of accepting states. Theoretically, finite-state automata can model Turing machines withbounded tape (in practice, this is hardly usable, because the transformation would be exponentialand the tape should be long enough to model interesting systems). Still, finite-state automata canmodel systems with limited capacities, which encompasses many kinds of reactive systems. Hencethis is a natural starting point for model checking.

1.2.1 Finite-state automata

In order to fix notations, we formally define finite-state automata and their semantics in terms ofthe (infinite) runs they generate, and in terms of the language they accept.

Definition 1. Let Σ be a finite alphabet. A finite-state automaton over Σ is a 7-tuple A = 〈S, S0,T, src, tgt, lab, A〉 where S is a finite non-empty set of states, S0 ⊆ S is its non-empty subset ofinitial states, T is the set of transitions, src : T → S and tgt : T → S indicate the source- andtarget states of transitions in T , lab : T → Σ indicates their labellings1, and A : Tω → 0, 1 is the

1Transitions are often represented as a subset of S × Σ × S. Our formalism allows for having more than onetransition having the same source, label and target, which will be useful when dealing with timed automata.

4

acceptance condition.

A run of A is an infinite2 sequence ρ = (ti)i∈N of transitions in T such that for any i ∈ N,it holds src(ti+1) = tgt(ti). For s ∈ S, e write Runs(A, s) for the set of runs ρ = (ti)i∈N of A whosefirst state src(t0) is s. A run with src(t0) ∈ S0 is said initial. Finally, an initial run ρ = (ti)i∈N suchthat A(ρ) = 1 is said accepting. With a run ρ = (ti)i∈N, we associate the word w(ρ) = (lab(ti))i∈Nin Σω. A word w ∈ Σω is accepted by A if there exists an accepting initial run ρ of A such thatw = w(ρ). The language L(A) of A is the set of all its accepted words.

Acceptance conditions may be of various types, depending on the role of the automaton. Whenthe automaton is used as a model of a system, it is usually intended that any run corresponds to apossible execution of the system, and the acceptance condition always returns 1. When automataare used to define sets of words, e.g. for describing the set of correct behaviors, having a trivialacceptance condition is usually not powerful enough; on the other hand, for acceptance conditionsto be usable by algorithms, they must have a finite representations. Classical acceptance conditionsinclude:

• trivial acceptance condition, which returns 1 on any input. Automata with such an acceptancecondition correspond to labelled transition systems;

• reachability of some transition in a target set F : a run ρ = (ti)i∈N is accepted if for some i ∈ N,we have ti ∈ F ;

• repeated reachability (a.k.a. Buchi condition) of some transition in a target set F : a run isaccepted if ti ∈ F for infinitely many indices i ∈ N. This is expressed formally by requiringthat for any j ∈ N, there exists i ≥ j such that ti ∈ F .

Notice that reachability can be encoded as repeated reachability, in the following sense: for anyfinite-state automaton A with reachability condition, one can build a finite-state automaton A′ withrepeated-reachability condition such that L(A) = L(A′). For this, it suffices for instance to considertwo copies of A, moving from the first copy to the second one when reaching a target transition;all transitions in the second copy would be accepting for the repeated-reachability condition.

As a consequence, in the sequel we only focus on repeated-reachability acceptance. Numerousacceptance conditions have been studied in the literature beyond reachability and repeated reach-ability, but this is beyond the scope of these notes. We refer to surveys on this subject for moredetails [Tho88, Far02].

1.2.2 Language-theoretic operations

In this section we quickly survey classical results about the languages accepted by finite-stateautomata (with repeated-reachability acceptance).

Theorem 2. The set of languages accepted by finite-state automata is closed under union andintersection.

Proof. Union can be handled by simply considering the disjoint union of both automata: given twofinite-state automata A1 = 〈S1, S1

0 , T1, src1, tgt1, lab1, A1〉 and A2 = 〈S2, S2

0 , T2, src2, tgt2, lab2, A2〉,

their disjoint union is the finite-state automaton A1]A2 = 〈S1×1∪S2×2, S10×1∪S2

0×2,T 1 × 1 ∪ T 2 × 2, src, tgt, lab, A〉 where

2In these notes, we only consider infinite runs; we always assume that any state is the source of some transition,thereby enforcing absence of deadlocks. This way, from any state, there always exists at least one infinite run.

5

• src((t, 1)) = src1(t), tgt((t, 1)) = tgt1(t) and lab((t, 1)) = lab1(t);

• src((t, 2)) = src2(t), tgt((t, 2)) = tgt2(t) and lab((t, 2)) = lab1(t);

• A(((ti, ki))i∈N) = Ak0((ti)i∈N) (notice that this is well-defined, because (ti)i∈N is indeed arun of Ak0).

It is trivial to prove that this automaton indeed accepts the union of the languages of A1 and A2,since the set of runs of A1 ]A2 is (isomorphic to) the union of the set of runs of A1 and of the setof runs of A2.

Closure under intersection is proven by building the product of both automata: intuitively, thisamounts to running two finite-state automata in parallel over the same input word; that inputword is in the intersection of the languages of both automata if both runs accept. Consider twofinite-state automata A1 = 〈S1, S1

0 , T1, src1, tgt1, lab1, A1〉 and A2 = 〈S2, S2

0 , T2, src2, tgt2, lab2, A2〉.

Their synchronized product is the finite state automaton A1 ⊗A2 = 〈S, S0, T, src, tgt, lab, A〉 with:

• S = S1 × S2 and S0 = S10 × S2

0 ;

• T = (t1, t2) | t1 ∈ T 1, t2 ∈ T 2 and lab1(t1) = lab2(t2);

• src((t1, t2)) = (src1(t1), src2(t2)) and tgt((t1, t2)) = (tgt1(t1), tgt2(t2));

• lab((t1, t2)) = lab1(t2) = lab2(t2) (by construction);

• A((t1i , t2i )i∈N) = A1((t1i )i∈N)∧A2((t2i )i∈N).

It is routine to prove that an infinite word is accepted by both A1 and A2 if, and only if, it isaccepted by A1 ⊗A2.

It remains to turn the acceptance condition into a repeated-reachability one. For this, it sufficesto consider two copies of the automaton defined above: transitions defining the acceptance condi-tion A1 will switch from the first copy to the second one, and are used to define the acceptancecondition of A1⊗A2, while transitions defining the acceptance condition A2 switch from the secondcopy to the first one.

A finite-state automaton is said complete if for any state s and any letter σ, there is at least onetransition t with src(t) = s and lab(t) = s. It is straightforward to turn any finite-state automatonwith repeated-reachability acceptance into a complete one: it suffices to introduce a new sink state,and to missing transitions with this state as target, while preserving the same acceptance condition.

Similarly, an automaton is said deterministic when |S0| = 1 and, for any state s and any letter σ,there is at most one transition t with src(t) = s and lab(t) = σ.

Theorem 3. There exist finite-state automata with repeated-reachability acceptance whose languageis accepted by no deterministic automata with repeated-reachability acceptance.

Proof. It is not hard to show that the set of words of a, bω having finitely many occurrences of ais accepted by a non-deterministic automaton with a repeated-reachability condition. However, thislanguage cannot be accepted by a deterministic such automaton: for a contradiction, assume thatthis language is accepted by a deterministic automaton A. Consider the word bω: it is acceptedbyA, hence after some finite prefix bn1 , its (unique) corresponding run visits an accepting transition.Similarly, bn1 · a · bω is accepted, and after a finite prefix bn1 · a · bn2 , its associated run visits a

6

second accepting transition. The same argument can be repeated until we build a finite wordbn1 · a · bn2 · a · · · a · bnk of size larger than the number of transitions of A. Then some transitionis repeated twice in two different blocks of b-transitions. From this we can get an infinite wordaccepted by A but having infinitely many occurrences of a, which by hypothesis should not exist.

Remark 1. Notice that using richer acceptance conditions (e.g. where the set of transitions visitedinfinitely many times must be in a given list, a.k.a. Muller condition) allow for determinization.We again refer to classical textbooks for more details.

Theorem 4. The set of languages accepted by finite-state automata (with reachability or repeated-reachability acceptance) is closed under complement.

Proof. Let F be a set of transitions defining the acceptance condition. We begin with defining anequivalence relation ∼ over finite words over Σ: two words v and w are equivalent if, and only if,the following two conditions hold:

• for any two states s and s′, if there is a prefix of a run from s to s′ associated with word v,then there is one associated with w;

• for any two states s and s′, if there is a prefix of a run from s to s′ visiting a transition of Fand associated with word v, then there is one associated with w.

It is clear that this defines an equivalence relation. Moreover, any equivalence class can be char-acterized by a mapping f : S → 2S × 2S : for this, for any word v and any state s, we let S1

v(s)be the (possibly empty) set of states reachable from s when reading word v, and S2

v(s) be thesubset of S1

v of states reachable from s by reading v and visiting a transition of F . We then letfv(s) = (S1

v(s), S2v(s)), which clearly satisfies v ∼ w if, and only if, fv = fw. As a consequence,

relation ∼ has finitely many equivalence classes.We write Lf for the equivalence class characterized by f . Using the characterization above, it is

not hard to prove that Lf is a regular language (of finite words), by expressing it as the intersectionof finite-state automata encoding the characterization above (namely, for any word v ∈ Lf , theremust be a finite run over v from any state s to each state of the first component of f(s), and norun from s to any other state, and similarly for runs visiting an accepting transition).

The central argument relies on the infinite Ramsey theorem3. Pick a word w = (σi)i∈N, anddefine a mapping C that associates with any set of two integers j, k (assuming j < k) theequivalence class Lf in which the finite word wj,k = (σi)j≤i<k occurs. Applying the infinite Ramseytheorem, there must exist an infinite set of integers M such that all finite words wj,k, with j and kbelonging to M , belong to the same equivalence class. As a consequence, there exist two equivalenceclasses f and g such that w ∈ Lf · (Lg)ω.

We now prove that for any f and g, either Lf · (Lg)ω is disjoint from L(A), or it is includedin L(A). This will conclude the proof, since the complement of L(A) can then be characterizedas the union of finitely many sets Lf · (Lg)ω, each of which being ω-regular (since Lf and Lg areregular).

So, assume that there is a word w = (σi)i∈N being both in L(A) and in Lf · (Lg)ω. We de-compose w as an infinite sequence of finite words w = (wj)j∈N such that w0 ∈ Lf and wj ∈ Lg

3This theorem is as follows: for any infinite set X and any integer n, write Pn(X) for the set of subsets of X ofsize exactly n. Pick any c ∈ N, and any map C : Pn(X) → 1, ..., c. Then there exists an infinite subset Y ⊆ Xsuch that C(Pn(Y )) is a singleton.

7

for all j > 0. Then there exists an increasing function c : N → N with c(0) = 0 and such thatwj = (σi)c(j)≤i<c(j+1). Let ρ = (ti)i∈N be an infinite accepting run of A over w, and for all j ∈ N,let sj = src(tc(j)). For all j ∈ N, sj+1 is the state reached along ρ after reading the finite prefix(wk)0≤k≤j . Hence, writing (S1

j , S2j ) = g(sj), we have that sj+1 ∈ S1

j for all j > 0. Since ρ is

accepting, there exists infinitely many indices j′ such that sj′+1 ∈ S2j′ ; we write J for the infinite

set containing those indices.Now, pick any other word w′ = (σ′i)i∈N in Lf · (Lg)ω, and decompose w′ into a sequence of finite

words w′ = (w′j)j∈N such that w′0 ∈ Lf and wj ∈ Lg for all j > 0. We build an accepting run ρ′

over w′ going through all the landmark states sj defined above.Since w′0 ∈ Lf , there must exist a run over w′0 from s0 (the first state of ρ) to s1 (the state

reached by ρ after w0). Similarly, from sj with j > 0, there is a run over w′j from sj to sj+1;moreover, those portions of run can be made to visit an accepting transition for all indices j ∈ J .This defines an accepting run over w′, and concludes the proof.

Notice that this construction involves a doubly-exponential blowup in the size of the automatonaccepting the complement language: the number of mappings from S to 2S × 2S is 2S·(S+1), butthe automata accepting Lf may have doubly-exponential size. Other constructions exist with asingly-exponential blowup [Saf92].

1.2.3 Model checking classical properties

Basically, model checking for finite-state systems consists in checking properties of the language ofa given finite-state system. In this setting, those systems are modelled as finite-state automata inwhich the acceptance condition is trivial (any run is accepted).

The most basic (yet useful) relevant properties include reachability (some run eventually takessome good transition), liveness (all runs eventually take some good transition), safety (all runsalways avoid bad transitions), or repeated reachability (some run visits good transitions infinitelymany times). For those four properties, we briefly explain how to decide if they hold from the initialstates of an automaton, using fixpoint computations. All four algorithms run in polynomial time.

Notice that while we characterized the properties above in terms of the transitions being visited,it would be more natural to express them in terms of the labels decorating transitions. Obviously,both approaches are equivalent. We thus fix a subset U of transitions of T :

• for reachability of some transition in U , we initialize our computation by letting R0 be the setof states that are sources of a transition in U , and inductively define Ri+1 be the (smallest) setcontaining Ri and all the source states of transitions having their target in Ri. The sequence(Ri)i∈N is non-decreasing and bounded by S; it converges in at most |S| steps. By construc-tion, from any state in any Ri, there is a run4 eventually visiting a transition in U , and anystate having a witnessing transition eventually belongs to some Ri.

• the algorithm for liveness is similar: L0 is the set of states from which all outgoing tran-sitions are in U , and Li+1 contains those states whose transitions all end up in some Ljwith j ≤ i. The arguments above still apply here to prove that this sequence converges, andby construction the limit set is the set of states from which the liveness property holds.

4We did not check that an infinite such run would exist. This can be enforced by first ruling out deadlock states,from which only finite runs exist, or by assuming that no such states exist in the automaton, which we did.

8

• safety is dual to reachability, so that the algorithm above could be reused. A direct algorithmconsists in letting S0 be the set of all states that are not source of any transition in U , andSi+1 be the subset of Si containing all states that are not source of any transition leading tosome state not in Si.

• finally, repeated reachability follows similar arguments, but requires nesting fixpoints. We letB0 be the set of states from which a transition in U can be reached (computed using ourreachability algorithm above). Then Bi+1 is the set of states from which a transition in Uwith target in Bi can be reached. Obviously, B1 ⊆ B0, and by induction, Bi+1 ⊆ Bi, so thatthis sequence converges to a fixpoint, which can be proven to corresponds to all states fromwhich a run repeatedly visiting U exists.

1.2.4 Model checking for richer properties

In order to check richer properties, two approaches can be used: either by expressing propertiesas automata, or by expressing them in some logical formalism. In the former case, the problemthen consists in checking whether all runs of the model are accepted by the automaton expressingthe property to be fulfilled. This is then translated as a language inclusion problem, which canbe solved by checking emptiness of the intersection of the model with the complement of theautomaton representing the property. Such an algorithm would thus run in time polynomial in thesize of the model, and exponential (using an adequate complementation procedure) in the size ofthe automaton expressing the property to be checked.

Another way of expressing properties of finite-state automata involves temporal logics. Tem-poral logics extend propositional logics with temporal modalities to express how various events(occurrences of transitions) should be ordered along a run of the automaton.

The main temporal modality is named until : formula σUσ′ states that some transition labelledwith σ′ has to occur at some point along the run, and only transitions labelled with σ can be takenuntil then. Of course, using disjunction, σ and σ′ can be made to match several events.

On top of temporal modalities, temporal logics also have path quantifiers, in order to expressthat some or all runs have to fulfill a property. These constructs give rise to the logic CTL∗ (calledfull Computational Tree Logic) [EH86]5:

Definition 5. Formulas of the temporal logic CTL∗ over alphabet Σ are built according to thefollowing grammar:

CTL∗ 3 φs ::= ¬φs | φs ∨φs | Eφp

φp ::= σ | φs | ¬φp | φp ∨φp | φp Uφp.

where σ ranges over Σ. Formulas of type φs are called state formulas, while formulas of type φpare called path formulas.

Formulas of CTL∗ are evaluated at a given position along a run of an automaton. For anautomaton A, an infinite run ρ = (ti)i∈N in A, and an integer j indicating a position along ρ,

5In these notes, we define temporal logics over labelled transition systems (instead of the more usual approachusing Kripke structures). Our definition of CTL∗ corresponds to the logic ACTL∗ of [dNV90], but both formalismsare equivalent in terms of their expressiveness.

9

we define the satisfaction relation A, ρ, i |= φ for any φ ∈ CTL∗ inductively as follows:

A, ρ, j |= ¬φ ⇐⇒ ¬ (A, ρ, j |= φ)

A, ρ, j |= φ∨φ′ ⇐⇒ (A, ρ, j |= φ)∨(A, ρ, j |= φ′)

A, ρ, j |= Eφp ⇐⇒ ∃ρ′ ∈ Runs(A, src(tj)). A, ρ′, 0 |= φp

A, ρ, j |= σ ⇐⇒ lab(tj) = σ

A, ρ, j |= φp Uφ′p ⇐⇒ ∃k > 0. ∀0 < l < k. (A, ρ, j + k |= φ′p)∧(A, ρ, j + l |= φp).

We write true as a shorthand for σ ∨¬σ, which is a state formula that evaluates to true in anystate. Using negation, it is possible to build conjunctions of formulas φ∧φ′ ≡ ¬((¬φ)∨(¬φ′)), anduniversal path quantification Aφp ≡ ¬E¬φp. Additionally, two useful temporal modalities can bedefined from U : modality Fφp ≡ trueUφp for expressing that φp will eventually hold, and itsdual modality Gφp ≡ ¬F¬φp, expressing that φp always holds along the path under consideration.

Two prominent syntactic fragments of CTL∗ have been defined and studied in the literature:

• CTL (Computation-Tree Logic [CE82, QS82]) is the fragment with restricted path formulas φp:path formulas may not be directly nested within an until modality:

φp ::= σ | ¬φp | φs Uφs.

Notice that σ ∨¬σ is not in CTL, but Eσ ∨¬( Eσ) is; hence modalities F and G can still beexpressed in CTL.

• somewhat symmetrically, LTL (Linear-time Temporal Logic [Pnu77]) path formulas may nothave nested state formulas:

φp ::= σ | ¬φp | φp ∨φp | φp Uφp.

Remark 2. Note that our definition of CTL is apparently weaker than the classical definitions,where states are labelled with letters (or atomic propositions)6. For instance, request-responseproperties can be expressed in state-based CTL as AG (σ ⇒ AFσ′). This is not a CTL formula inour setting, since σ is a path formula. Additionally, it would impose AFσ′ from all source state ofa σ-transition, which is not the expected property. A correct way of expressing such request-responseproperties in our version of CTL∗ is AG (σ ⇒ Fσ′).

Still, in terms of expressiveness, both settings are equivalent (see Exercice 1.2).

As can be noticed from the semantics, whether A, ρ, j |= φ for formulas of the form Eφp(and boolean combinations thereof) only depends on the state src(tj); this is the reason why thoseformulas are called state formulas. It follows:

• model checking CTL formulas over finite-state automata can be performed by inductivelylabelling all states with the truth value of subformulas of the formula being checked. Thisreduces the model-checking problem for CTL to the model-checking problem for formulas ofthe form Eφs Uφ′s, which can be solved in polynomial time as a reachability problem in asub-automaton [CE82, QS82];

6The reason for using transition-based labels is that it better corresponds to what we will use in the timed setting.

10

• LTL formulas are boolean combinations of formulas of the form Eφp, where φp does notinvolve any path quantifier. Hence LTL model checking amount to checking the existence of arun satisfying a formula with nested until modalities. It is not hard to prove that if there issuch a run, then there is one of that is ultimately periodic, and has size at most exponentialin the size of the path formula and linear in the size of the automaton [SC85].

From those remarks, we get:

Theorem 6. Over finite-state automata, CTL model checking can be solved in polynomial time,while LTL and CTL∗ model checking can be solved in polynomial space.

It can be proven that those algorithms are optimal. Notice that automata-based algorithmsexist for both problems (using tree automata for CTL and CTL∗). This is beyond the scope of thesenotes, and we refer to [VW94, KVW00] for more details.

1.2.5 Bisimulation

An important tool that we will use in the sequel is bisimulation:

Definition 7. Let A = 〈S, S0, T, src, tgt, lab, A〉 be an automaton, and R ⊆ S × S. The binaryrelation R is a bisimulation if, for any (s, s′) ∈ R and any σ ∈ Σ, the following two properties hold:

• if there is a transition t with src(t) = s and lab(t) = σ, then there also exists a transition t′

with src(t′) = s′ and lab(t′) = σ, and such that (tgt(t), tgt(t′)) ∈ R;

• symmetrically, if there is a transition t′ with src(t′) = s′ and lab(t′) = σ, then there also existsa transition t with src(t) = s and lab(t) = σ, and such that (tgt(t), tgt(t′)) ∈ R.

Two states s and s′ are said bisimilar when there exists a bisimulation relation such that (s, s′) ∈ R.

The following lemma is straightforward:

Lemma 8. Let ρ = (ti)i∈N be a run, and s′ be a state bisimilar to src(t0). Then there exists apath ρ′ = (t′i)i∈N with src(t′0) = s′, w(ρ) = w(ρ′), and such that for all i ∈ N, states src(ti) andsrc(t′i)) are bisimilar.

Then:

Proposition 9. Any two bisimilar states of a (possibly infinite-state) automaton satisfy the exactsame set of CTL∗ formulas.

Proof. By induction on the structure of CTL∗ formulas, we prove that if a state formula holds truein some state, then it also holds true in any other bisimilar state. For path quantification, we makeuse of the previous lemma: if ρ = (ti)i∈N is a path originating from some state s, then from abisimilar state s′, it is possible to build a path ρ′ = (t′i)i∈N such that w(ρ) = w(ρ′) and src(ti) andsrc(t′i) are bisimilar for all i ∈ N.

11

1.2.6 In practice...

In many cases, models are not given as a unique, monolithic finite-state automaton, but as aproduct of several automata, whose transitions are synchronized e.g. with rendez-vous or messagebroadcast. Such products of automata are as expressive as plain finite-state automata, but theymay be exponentially more succinct: building a finite-state automaton whose language is the sameas the language of a product of n synchronized finite-state automata may entail an exponentialblowup. As a consequence, in this case, all the algorithms we presented above (including decidingreachability of a transition) would use polynomial space.

Several model-checking tools exist for finite-state models. For instance:

• Spot[DLF+16] (https://spot.lrde.epita.fr/) is a tool for manipulating finite-state au-tomata. It uses binary decision diagrams (BDD [Bry86]) to succinctly represent and handlelarge state spaces;

• NuSMV/NuXMV [CCG+02] (https://nuxmv.fbk.eu/) implements fixpoint computationsas above, also using BDD for representing finite-state models. NuSMV also incorporatesSAT-based algorithms [CGP+02].

• Spin [Hol97] (http://spinroot.com/) is another model checker, aiming at checking dis-tributed, multi-threaded software systems.

Those tools have been used successfully on various industrial case studies (flight software ofMars Exploration Rovers [HJ04], collision-avoidance systems for aircrafts, ...)

This course aims at studying the extension of model checking techniques to real-time systems.Indeed, in many practical applications, taking real-time constraints is essential, both for modellingthe systems (which may have time-outs, communication delays, ...) and for expressing propertiesto be checked (time-bounded reachability, ...) During this course, we define the model of timedautomata and explain how much of the techniques above can be extended to handle those automata.

Exercises

Exercise 1.1 Prove that the halting problem is undecidable. A classical proof consistsin assuming that an algorithm exists for this problem, building another algorithm that may ormay not terminate, and then in running this second algorithm on itself (this is a so-called diagonalargument).

Exercise 1.2 Reachability and repeated-reachability acceptance conditions are usuallybased on states being visited or visited infinitely-many times. Prove that having them based ontransitions is equally expressive.

Exercise 1.3 Write CTL formulas (or CTL∗ formulas) expressing reachability, liveness,safety and repeated reachability.

12

https://spot.lrde.epita.fr/

https://nuxmv.fbk.eu/

http://spinroot.com/

Chapter 2

From finite-state automata totimed automata

Finite-state automata could be (and have been![EMSS92, LST00]) used to model time as the numberof transitions. A (slight) extension consists in adding weights on transitions: a weighted automatonif a pair W = 〈A,wgt〉 where A is a finite-state automaton and wgt : T → N indicates the weightof transitions.

In that setting, the notion of runs is unchanged1, but with each run ρ = (ti)i∈N and each

index j ∈ N, we associate the weight of the prefix of size j of ρ as∑j−1k=0 wgt(tk). Interesting

questions here do not concern reachability, but optimal reachability, i.e., finding (the length of)shortest paths until some event occurs, or the shortest average delay (in the long run) between eventsoccurring infinitely many times. Classical polynomial-time algorithms exist for such problems.

This approach is very simple, both technically and algorithmically. But it is also too weak:weights here are only observers, they are used to measure some quantity along runs, but they donot affect the behaviours (i.e., the possible runs of the automaton). They cannot be used to modelbehaviours that depend on time, such as timeouts. Also, the semantics with atomic transitions isnot compatible with the synchronization of several weighted automata.

Considering one-counter automata would be a possible answer to this remark: one-counterautomata are finite-state automata with a single, integer-valued counter which can be incremented(by any integer n ∈ N), decremented (by any n ∈ N), and tested against zero2. Thanks to thezero-test, the behaviour can now depend on the value (meant to measure time) of the counter.Reachability is known to be decidable (and NP-complete [HKOW09]) for those models.

However, this is only a very limited way of measuring time, and again synchronized executionsof several automata is problematic. We thus turn to timed automata, in which several explicitvariables are used to model time.

1Actually, various semantics could be defined: transitions can be atomic (as we consider here) or they could besplit into several intermediary transitions of duration 1. We refer to [LMS06] for a study of those different semantics.

2Notice that we restrict here to one-counter automata because reachability in two-counter automata is undecid-able [Min67].

13

2.1 Augmenting finite-state automata with clocks

Timed automata extend finite-state automata with variables, called clocks, that can be used tomeasure (and impose constraints on) delays between various events along a run of the automaton.More precisely, given a set X = ci | 1 ≤ i ≤ n of clocks, the set of allowed constraints is definedusing the following grammar:

C(X ) 3 g ::= c ∼ n | g ∧ g

where c ranges over X , n ranges over Z, and ∼ ranges over <,≤,=,≥, >. The semantics ofsuch clock constraints is defined in the expected way: given a clock valuation3 v : X → R, that aconstraint g ∈ C(X ) holds true at v, denoted v |= g, is defined inductively as follows:

v |= c ∼ n if, and only if, v(c) ∼ nv |= g1 ∧ g2 if, and only if, v |= g1 and v |= g2.

For a valuation v : X → R, a non-negative real d ∈ R≥0, and a subset R ⊆ X , we let

v + d : X → R v[R← 0] : X → R

c 7→ v(c) + d c ∈ R 7→ 0c /∈ R 7→ v(c)

Finally, we let 0 be the valuation mapping all variables to 0.

The syntax of timed automata is defined as follows:

Definition 10. Let Σ be a finite alphabet. A timed automaton is a tuple T = 〈A,X , inv, guard, reset〉where A = 〈S, S0, T, src, tgt, lab, A〉 is a finite-state automaton, X is a finite set of clocks, inv : S →C(X ) defines the state invariants, guard : T → C(X ) defines the guards of transitions, and reset : T →2X indicates which clocks are reset along transitions.

Timed automata provide a finite representation of (a class of) infinite-state automata. In orderto define the semantics of timed automata, we have to first make explicit the correspondence betweentimed automata and the infinite-state automata they represent. This correspondence depends ona time domain T, i.e., the set over which clock values will range. Usually, T is either N (discretetime) or R≥0 (dense time), but it may make sense to consider Q≥0, or k ·N for some k ∈ Q>0.

A configuration of a timed automaton is a pair (s, v) where s ∈ S and v ∈ TX . With a timedautomaton T , we associate the infinite-state automaton4 S(T ) = 〈Q,Q0, D, src, tgt, lab,Ω〉 overT ]T where

• the set of states contains all configurations (s, v) in which the valuation satisfies the invariantof its state:

Q = (s, v) | s ∈ S, v : X → T s.t. v |= inv(s);

• the initial states are obtained by adjoining the null valuation (all clocks are mapped to zero)to initial states of T , provided that the invariant is fulfilled;

• D contains two kinds of transitions: for two configurations (s, v) and (s′, v′),

3We give the general definitions for real-values valuations, but they naturally apply to other domains such as N.4We keep the names src, tgt and lab for convenience, as long as no ambiguity may arise. In some cases we will

write labS(T ) to distinguish the labelling function of S(T ) from the labelling function labT of T .

14

– if s = s′, v |= inv(s), v′ |= inv(s′), and there exists δ ∈ T such that v′ = v+ δ, then thereis a transition d in S(T ) having src(d) = (s, v), tgt(d) = (s′, v′) and lab(d) = δ (assumingΣ ∩T = ∅), indicating a delay transition of duration δ;

– if there is a transition t in T such that src(t) = s, src(t) = s′, v |= inv(s)∧ guard(t),v′ = v[reset(t) ← 0] and v′ |= inv(s′), then there is a transition d in S(T ) such thatsrc(d) = (s, v), tgt(d) = (s′, v′), and lab(d) = t. Such transitions are usually called actiontransitions.

• Ω: Dω → 0, 1 is obtained from A by letting

Ω((di)i∈N) = A(projT ((lab(di))i∈N))

where projT is the projection on T , keeping only informations about action transitions. It mayhappen that projT ((lab(di))i∈N) be a finite sequence, in which case we let Ω((di)i∈N) = 0.

A run of T is a run of its associated infinite-state automaton S(T ) as defined above (extendingthe notion of run from finite-state automata to infinite-state automata in the natural way). In otherterms, it is an infinite sequence of delay- and action transitions. Such a run is accepted by T if it isaccepted by S(T ). In the sequel, we only consider (infinite) runs containing infinitely many actiontransitions.

The language of a timed automaton is defined in terms of timed words over Σ. A timed wordis a sequence of pairs ((σi, δi))i∈N. A run ρ = (di)i∈N generates a timed word w = ((σi, δi))i∈Ndefined as follows: since ρ contains infinitely many action transitions, there must exist an increasingmapping act : N → N achieving (lab(dact(i)))i∈N = projT ((lab(di))i∈N) (intending that act(i) is theindex of the i-th action transition in ρ); the associated timed word ((σi, δi))i∈N is then such that

σi = labT (labS(T )(dact(i))) δi =∑

act(i−1)<j<act(i)

labS(T )(dj)

where we abusively let act(−1) = −1. A timed word w is accepted by T if, and only if, there isan accepting initial run ρ in T whose associated timed word is w. Notice that in such a run ρ,merging two consecutive delay transitions, of durations δ and δ′, into a single delay transition, ofduration δ + δ′, does not change the acceptance status. A timed word is said in normal form ifdelay- and action transitions strictly alternate. Obviously enough, for any run ρ, there is a run ρin normal form whose associated timed word is the same as that of ρ. We write L(T ) for thelanguage accepted by T , i.e., the set of all timed words accepted by T . We also define the untimedlanguage U(T ) of T as the set (σi)i∈N | ∃((σi, δi))i∈N ∈ L(T ).

Example 1. Consider the timed automaton depicted on Fig. 2.1: it has two clocks, four statesand five transitions. We use classical conventions when drawing such automata; in particular,a transition t is depicted as an arrow from src(t) to tgt(t). We decorate t with its guard guard(t),and additionally write e.g. x := 0 to indicate that reset(t) = x. We omit to mention the guardwhen it is equivalent to true, and we omit to mention clock resets when reset(t) = ∅. We similarlydecorate states with their invariants, unless they are equivalent to true.

Figures 2.2 and 2.3 show two possible runs of this automaton: the first one assumes T = N (butof course would also exist with T = R≥0), while the second one uses T = R≥0 (but would also bepossible with T = Q≥0 or T = 0.1×N).

15

x≤2s0

y≤2s1

x≤2s2

x≤1s3

y=1, y:=0

t1

x≤2, x:=0

t2

y≥2, y:=0

t3

x=0∧ y=2

t4x:=0

t5

Figure 2.1: Example of a timed automaton

1−→

t1 ↓1−→ t2 ↓

1−→ t3 ↓

1−→ t2 ↓ 2

−→

x = 0y = 0

x = 1y = 1

x = 1y = 0

x = 2y = 1

x = 0y = 1

x = 1y = 2

x = 1y = 0

x = 2y = 1

x = 0y = 1

0 1 2 3 4 5

Figure 2.2: A run in discrete time (T = N)

1−→

t1 ↓0.8−→t2 ↓

1.3−→t3 ↓

0.6−→t2 ↓

1.4−→x = 0y = 0

x = 1y = 1

x = 1y = 0

x = 1.8y = 0.8

x = 0y = 0.8

x = 1.3y = 2.1

x = 1.3y = 0

x = 1.9y = 0.6

x = 0y = 0.6

0 1 2 3 4 5

Figure 2.3: A run in dense time (T = R≥0)

2.1.1 Discrete vs. dense time

From Example 1, we notice that discrete time (T = N) is much easier to grasp than dense time.For instance, it is easy to compute in your head that state s3 in the automaton of Fig. 2.1 cannotbe reached when T = N. While this also holds when T = R≥0, this is much harder to see.

Our main use of timed automata is to model computer devices. Most such devices have discretebehaviours (because they run with a finite frequency), which advocates for the use of discrete time(say T = k ×N, which is equivalent to taking T = N even if it means scaling the constants of theautomaton). But finding the exact value to be used for k is not an easy task. Moreover, at leastas long as safety is concerned, we prefer models that over-approximate the set of behaviours of thesystem. Finally, some behaviours correspond to a physical evolution of the system, and may notbe synchronized with the frequency of the device under study. For these reasons, we prefer usingT = R≥0, and we do so in the rest of these notes.

We illustrate the discussion above with a concrete example of a digital circuit [BS91]. Considerthe circuit described on Fig. 2.4, where the intervals decorating each gate indicate the delay neededfor this gate to output the correct output value, after the stabilization of its input values. We startwith i = 0 in a stable configuration, hence the output values are [o1 = 1, o2 = 0, o3 = 1] (in thesequel, we omit the name of the output variables, and write this output as the triple [101]).

When the input signal i turns to 1, one possible sequence of values (before stabilization) is

[101]1.2 o2−−−−−→ [111]

1.3 o3−−−−−→ [110]0.3 o1−−−−−→ [010]

1.7 o3−−−−−→ [011]

16

i

NOT

AND

1

NAND

o2

o1

o3

[1,3]

[1,3]

[1,2]

Figure 2.4: Example of a circuit

i

o1NOT

[1,2]

o2NOT

[1,2]

o3NOT

[1,2]

o4XOR

[1]

o5XOR

[1]

o6XOR

[1]

o7[1]

OR

[1]

o8

Figure 2.5: A circuit that is not 1-discretizable

where transitions of the form1.2 o2−−−−−→ indicate a delay transition of 1.2 time units follows by the

transition updating output o2. The last set of values in the above computation can be seen to bestable.

Now, consider the (more complex) circuit depicted on Fig. 2.5 (where the gate before output o7computes ¬o4 ∧ o5 ∧¬o6). We will prove that considering this circuit under discrete-time does notexhibit all possible behaviours. Again, we start with the input set to 0, with output values [11100000](notice that the last bit could also be 1, but it would then be stable for any value of o7). Now theinput is turned to 1. One possible behaviour in dense time is the following:

[11100000]1 o1−−−−→ [01100000]

0.5 o2−−−−−→ [00100000].5 o3,o5−−−−−−→ [00001000]

[00001000]1 o5,o7−−−−−−→ [00000010]

1 o7,o8−−−−−−→ [00000001]

It can be checked that this is a stable configuration.On the other hand, we can easily list all possible behaviours in discrete time:

• if all three NOT-gates change at the same time, we end up with [00000000], which is stable;

• if o1 alone changes at date 1, we reach [01100000]; then both o2 and o3 will be updated atdate 2, as well as o4 and o5, thereby reaching [00011000]; finally, o4, o5 and o6 will be updatedone time unit later (but the value of o6 is actually unchanged), hence reaching [00000000],which is stable. The run is symmetric if only o2 or o3 changes at date 1;

17

• finally, if o1 and o3 both change at date 1, we reach [01000000], then [00010100], and[00000000], which is stable. The evolution is similar for any other pair of gates being up-dated at date 1.

As a result, all discrete-time behaviours of the circuit of Fig. 2.5 end up in configuration [00000000],with final output 0, while there are dense-time behaviours which eventually set the value of o7 and o8to 1.

The illustration with circuits shows that the set of reachable states of a timed automaton maybe different depending whether T = N or whether T = R≥0. It could be argued that, in the aboveexample, it would suffice to consider T = 0.5 × N in order to bring back equality of the sets ofreachable states. But for any positive real k, it is not difficult to build a timed automaton Akfor which the set of reachable states is different whether we consider T = k × N or T = R≥0.Figure 2.7 shows a timed automaton that admits infinite runs with T = R≥0, but only finite runswhen T = k ×N, whatever the value of k.

On the other hand, it is natural to wonder whether the set of reachable transitions is the samewhen considering T = Q≥0 and T = R≥0. Here, the answer is positive, and we have the following(stronger) result:

Proposition 11. If ρ = (ti)i∈N is a run of a timed automaton A for T = R≥0, then there existsa run ρ′ = (t′i)i∈N of the same timed automaton such that for any i ∈ N, we have t′i = ti if ti ∈ T ,and t′i ∈ Q≥0 if ti ∈ R≥0.

Proof. We build ρ′ inductively from ρ by modifying the delays. We assume without loss of generalitythat delay transitions and event transitions strictly alternate along ρ, even if it means insertingdelay transitions with zero duration or merging consecutive delay transitions (the case of pathshaving finitely many event transitions can be handled separately with similar arguments). Hence

for all i ∈ N, we have lab(t2i) ∈ R≥0, and we let d2i =∑ij=0 lab(t2j).

We build ρ′ by first building a sequence of rational dates (d′2i)i∈N such that d′2i is an integer if,and only if, d2i is, and for all i ∈ N, bd′2ic = bd2ic, and for all 0 ≤ j < i and all ∼ ∈ <,=, >,it holds 〈d′2i〉 ∼ 〈d′2j〉 if, and only if, it also holds 〈d2i〉 ∼ 〈d2j〉. The construction is as follows:

• if d0 ∈ N, then we let d′0 = d0; otherwise, d0 lies between n and n + 1 for some n ∈ N, andwe may set d0 to any rational in (n, n+ 1);

• assuming that for each 0 ≤ i ≤ k, d′2i has been defined (and satisfies the inductive properties),we now define d′2k+2:

– first, if d2k+2 ∈ N, then we let d′2k+2 = d2k+2. Then d′2k+2 has the same fractional partas some d′2j if, and only if, d′2j is also an integer, which in turn is equivalent to d2j beingan integer. Otherwise, 〈d′2k+2〉 < 〈d′2j〉, which means that d′2j , hence also d2j , are notintegers, so that also 〈d2k+2〉 < 〈d2j〉.

– otherwise, if d2k+2 − d2l = n for some 0 ≤ l ≤ k and some n ∈ N, then we let d′2k+2 =d′2l + (d2k+2 − d2l), which is a rational. It is not hard to prove that with this definition,none of d2k+2 and d′2k+2 are integers, and that bd′2k+2c = bd2k+2c. The condition onfractional parts is obviously satisfied for index l. For j 6= l, if 〈d2k+2〉 ∼ 〈d2j〉, then also〈d2l〉 ∼ 〈d2j〉 (because 〈d2k+2〉 = 〈d2l〉), hence 〈d′2l〉 ∼ 〈d′2j〉 (by inductive hypothesis),so that finally 〈d′2k+2〉 ∼ 〈d′2j〉 (because 〈d′2k+2〉 = 〈d′2l〉).

18

s0 s1

x≤1

y:=0

y>0

Figure 2.6: A timed automaton with Zenobehaviours

s0 s1 s2x=1

x:=0

y=1

z:=0

z>0

y:=0

Figure 2.7: A timed automaton with conver-gence phenomenon in s2

– the last case to handle is when d2k+2 is not an integer and d2k+2 − d2l is an integer forno 0 ≤ l ≤ k. In that case, the integral part of d′2k+2 must be the same as that of d2k+2.In order to fix its (rational) fractional part, we proceed as follows: if for some l, it holds〈d2k+2〉 − 〈d2l〉 > 0, then we let 0 ≤ α ≤ k be such that

〈d2k+2〉 − 〈d2α〉 = min〈d2k+2〉 − 〈d2l〉 | 0 ≤ l ≤ k∧〈d2k+2〉 − 〈d2l〉 > 0.

Similarly, we let 0 ≤ β ≤ k be such that

〈d2k+2〉 − 〈d2β〉 = max〈d2k+2〉 − 〈d2l〉 | 0 ≤ l ≤ k∧〈d2k+2〉 − 〈d2l〉 < 0

if any. By induction hypothesis, 〈d′2k+2〉 − 〈d′2α〉 also realizes the minimum among thepositive values of 〈d′2k+2〉 − 〈d′2l〉, and β realizes the maximum of the negative values ofthis difference. Pick any rational value between 〈d′α〉 and 〈d′β〉 (which exists by densenessof Q). Taking this value for the fractional part of d′2k+2 clearly fulfills the inductionhypothesis.

Now, we notice that by construction, we have that for any two indices i and j, any ∼ ∈<,≤,=,≥, >, and any n ∈ Z, we have that d2i − d2j ∼ n if, and only if, d′2i − d′2j ∼ n.

From (d′2i)i∈N, we derive a sequence (u′2i)i∈N by letting u′−0 = d′0, and t′2i = d′2i − d′2i−2 for allinteger i ≥ 1. Let ρ′ the path obtained from ρ by labelling each transition t2i with u′2i. In orderto prove that ρ′ is a valid run A, we have to prove that all guards and invariants are still fulfilledalong ρ′.

Now, the value of any clock x after transition t2i along ρ′ is d′2i − d′2j , where j is such thattransition t2j+1 was the last reset clock x before t2i. Similarly for ρ. Since all invariants and guardswere satisfied along ρ, they also are along ρ′, which concludes our proof.

While we claimed that considering discrete-time would not capture all behaviours of the dense-time semantics, considering dense-time semantics also comes with a few cons. An example isZenoness: there may exist infinite runs along which time converges (see e.g. the automaton ofFig. 2.6). Such runs do not have physical significance. The convergence of (global) time is not theonly problem: in the automaton of Fig. 2.7, while time diverges along any infinite run, it can bechecked that the total time elapsed in state s2 is bounded by one along any infinite run; consideringsuch behaviours, again, is questionable. Notice that in both examples, for any positive granularity k,no (infinite) run would exist when considering T = k ×N.

2.2 Operations on timed automata

We prove in this section that (the set of languages accepted by) timed automata are closed underunion and intersection, but not under complement.

19

Theorem 12. For any two timed automata T1 and T2, there exists timed automata T∪ and T∩ suchthat

L(T∪) = L(T1) ∪ L(T2) L(T∩) = L(T1) ∩ L(T2)

On the other hand, there exists a timed automaton T0 for which no timed automata accept exactlythe complement of L(T0).

Proof. We begin with union, which is simple to handle as it suffices to take the disjoint union ofboth automata.

Formally, given T 1 = 〈A1,X 1, inv1, guard1, reset1〉 and T 2 = 〈A2,X 2, inv2, guard2, reset2〉, we let

T 1 ] T 2 = 〈A1 ] A2,X 1 ] X 2, inv, guard, reset〉

where for each i ∈ 1, 2,

• for each s ∈ Si, inv((s, i)) = invi(s),

• for each t ∈ T i, guard((t, i)) = guardi(t), and reset((t, i)) = reseti(t),

As for finite-state automata, T 1 ] T 2 is easily proven to indeed accept the union of the languagesof A1 and A2.

For intersection, we define the synchronized product of timed automata. This consists in let-ting both automata run in parallel, each having its own clocks. Formally, given T 1 = 〈A1,X 1,inv1, guard1, reset1〉 and T 2 = 〈A2,X 2, inv2, guard2, reset2〉 (assuming w.l.o.g. that X 1 and X 2 aredisjoint), we let

T 1 ⊗ T 2 = 〈A1 ⊗A2,X 1 ] X 2, inv, guard, reset〉with

• inv((s1, s2)) = inv(s1)∧ inv(s2),

• guard((t1, t2)) = guard(t1)∧ guard(t2),

• reset((t1, t2)) = reset(t1) ∪ reset(t2).

We now prove that a timed word is accepted by T 1⊗T 2 if, and only if, it is accepted by both T 1

and T 2. We write S∩, S1 and S2 for the infinite-state automata associated with T 1 ⊗ T 2, T 1 andT 2, respectively. We first pick an accepting initial run ρ in S∩, and its associated timed word w.We prove that w is accepted by T 1 (the result for T 2 follows by symmetry). For this, we considerthe projection of ρ on T 1: writing ρ = (τi)i∈N, we have that lab(τi) = (t1i , t

2i ) ∈ T for infinitely many

indices i. With this path, we can associate an infinite sequence of configurations (((s1i , s2i ), vi))i∈N,

with ((s1i , s2i ), vi) = src(τi) (hence also ((s1i+1, s

2i+1), vi+1) = tgt(τi)). For i ∈ N, we write v1i and v2i

for the restriction of vi to X 1 and X 2, respectively.First, for each i with lab(τi) = (t1i , t

2i ) ∈ T , we have vi |= inv((s1i , s

2i ))∧ guard((t1i , t

2i )), hence

vji |= invj(sji )∧ guardj(tji ) for j ∈ 1, 2. Moreover, vi+1 = vi[reset((t

1i , t

2i )) ← 0], which implies

vji+1 = vji [reset(tji ) ← 0]. Hence there is a transition from (s1i , v

1i ) to (s1i+1, v

1i+1) labelled with t1i

in S1.On the other hand, if lab(τi) = δi ∈ T, then vi+1 = vi + δi and vi |= inv((s1i , s

2i )) and vi+1 |=

inv((s1i+1, s2i+1)). By our construction, it immediately follows v1i+1 = v1i + δi and v1i |= inv(s1i ) and

v1i+1 |= inv(s1i+1), so that again there is a transition from (s1i , v1i ) to (s1i+1, v

1i+1) labelled with δi

in S1.It follows that from our accepting initial run ρ = (τi)i∈N, the sequence ρ1 = (τ1i )i∈N with

20

s0 s1 s2a, x := 0

t1

x = 1, at2

at3

at4

at5

Figure 2.8: A non-complementable timed automaton

• src(τ1i ) = (s1i , v2i );

• tgt(τ1i ) = (s1i+1, v2i+1);

• lab(τ1i ) = t1i if lab(τi) = (t1i , t2i ), and lab(τ1i ) = lab(τi) if lab(τi) ∈ T,

is a run of T 1. It is easily observed that it is an initial run. Moreover, that the original run ρ is ac-cepting means that the sequence projT ((lab(τi))i∈N) is accepted byA. It implies that projT 1((lab1(τ1i ))i∈N)is accepted by A1. Finally, it is easily observed that the timed word associated with ρ1 is the sameas the one associated with ρ, which concludes this direction of the proof.

Conversely, from two accepting initial runs ρ1 and ρ2 respectively in T 1 and T 2 associated withthe same timed word w, we build an accepting initial run in S∩ associated with the same timedword. For this, we first assume that ρ1 = (τ1i )i∈N and ρ2 = (τ2i )i∈N are in normal form: they beginwith a delay transition, and have strict alternation between delay and action transitions. Now,since both runs correspond to the same associated timed word, we have:

• labS(τ12i) = labS(τ22i) ∈ T for all i ∈ N;

• labT (labS(τ12i+1)) = labT (labS((τ22i+!)) ∈ T for all i ∈ N.

Now, as was the case for finite-state automata, the acceptance condition is not a repeated-reachability condition; however, following similar ideas as for the proof of Theorem 2.

As the last part of the proof of Theorem 12, we prove that the class of languages accepted bytimed automata is not closed under complement. Our proof follows that of [Bou98]. An alternativeproof, based on [AM04], is proposed as Exercise 2.3. This result is also a consequence of Exercise 3.7,which proves undecidability of the problem whether a given timed automaton can be complemented.

Consider the timed automaton depicted on Fig. 2.8: state s0 is its initial state, and the accep-tance condition requires to have at least one visit to transition t2.

It should be clear that this timed automaton accepts precisely those timed words in which atleast two occurrences of letter a are exactly one time-unit apart: this is indeed needed in order toreach state s2, and conversely, for any timed word having that property, we can build an acceptingrun in this automaton.

We now prove that the complement of this language, which contains all timed words on alpha-bet Σ = a in which no two occurrences of a are exactly one time-unit apart, cannot be acceptedby any timed automaton. For a contradiction, assume that some timed automaton T accepts thatlanguage. We assume that all guards of T are conjunctions of non-diagonal constraints, Let n bethe number of clocks in T , c be the least positive constant appearing in T (assuming c ≤ 1), andk be its number of transitions.

Let M = 2n ·k+1. Consider a sequence (di)0≤i≤M such that 0 < di < di+1 < c for all 0 ≤ i < M .

We define the timed word w made of 2M+1 occurrences of a, at dates di and 1+ di+di+1

2 . This word

21

must be accepted by T : let (tj)0≤j≤2M be a sequence of transitions corresponding to an aceptingexecution of T over w.

Consider transition tj for some M < j ≤ 2M : we write its guard as the conjunction∧

1≤k≤n xk ∈Akj . Along the run up to tj , for each 1 ≤ k ≤ n:

• if clock xk has been reset after time 1 (i.e., at time 1 + di+di+1

2 for some i), then the valueof xk when taking transition tj is less than c. Since c is the smallest positive constant in T ,it must be that Akj contains (0; c). In that case, we say that clock xk is useless at tj . Noticethat not all clocks can be useless, as otherwise the delays could be modified and T wouldaccept words having occurrences of a that are 1 time unit apart.

• otherwise, clock xk may have been reset along some transition before time 1 (or never): in

that case, the value of xk when taking tj is 1 +dj+dj+1

2 − pj,k, where pj,k is the last time

clock xk has been reset before taking tj (possibly pj,k = 0). Then 1 +dj+dj+1

2 − pj,k ∈ Akj .

Now, there are M = 2n ·k+1 such transitions tj with M < j ≤ 2M : hence there must exist twoindices j1 and j2 such that tj1 and tj2 are the same transition of T , and that they have the samesets of useless clocks (hence also the same sets of useful clocks). Since tj1 and tj2 correspond to thesame transition, we have Akj1 = Akj2 for all k; moreover, for all useful clocks, Akj1 (and Akj2) contains

both 1+dj1+dj1+1

2 −pj1,k and 1+dj2+dj2+1

2 −pj2,k. Notice that pj1,k = pj2,k, since clock xk is useful(and thus cannot have been reset between time 1 and the occurrences of tj1 or tj2 . It follows thatfor all useful clocs xk, Akj1 contains 1 + dj1+1 − pj1,k (since AkJ are intervals). It is then possible toshift transition tj1 to take place at time 1 + dj1+1, still preserving an accepting run:

• such a shift does not modify the future values of clocks that are not reset along that transition;

• those clocks that are reset along that transition are useless for all future transitions, hencethey cannot block any future transition.

This concludes our proof.

A timed automaton is deterministic if, from any configuration (s, v) of the automaton and anyletter σ of the alphabet, there is at most one transition from (s, v) labelled with σ. Notice thatthis does not prevent a state of the automaton to be the source of several σ-labelled transitions;but if this is the case, the guards of those transitions must be pairwise disjoint. Notice that thiscorresponds to determinism of the underlying infinite-state automaton associated with the timedautomaton.

As could be expected from the impossibility of complementing, we have:

Theorem 13. There exists a timed automaton T0 for which no deterministic timed automata acceptexactly L(T0).

Proof. The last part of the proof of Theorem 12 shows that the complement of the language of theautomaton A of Fig. 2.8 can be accepted by no automaton with prefix-independent acceptance con-dition. Now, assume that A would have the same language as a deterministic timed automaton D.By inverting the acceptance condition, we would get a timed automaton with a prefix-independentacceptance condition accepting the complement of the language of A, which we know is impossible.

22

Exercises

Exercise 2.1 Write an example of a (prefix of a) run in each of the timed automata ofFig. 2.9. What are the languages accepted by those automata?

s0x≤1

s1

x≥1 a

x,y:=0t1

y>0 bt2

s0x≤1

s1

x≥1 a

x,y:=0t1

y>0 bt2

t3

y=1 b

y:=0

Figure 2.9: Two timed automata

Exercise 2.2 Write a model of the digital circuit of Fig. 2.4.

Exercise 2.3 Consider the timed automata depicted on Fig. 2.10 (where transitions t2for A and t3 for B must be visited infinitely many times). What is the language accepted by A?What is the complement of this language?

A:s0 s1

a,b,c

t1

x 6=1

a,b,c

t2

a

x:=0t3

B:s′0 s′1 s′2

y>0∧ x<1

a y:=0

t1

b

t2y>0∧ x<1

at4 t5

x>2

c

c

t3

Figure 2.10: Two timed automata A and B

Assume that the complement of the language of A is accepted by some timed automaton C.Describe the intersection of the languages of B and C, and its untimed version. Using Prop. 23 (seenext chapter), this provides an alternative proof that timed automata cannot be complemented.

Exercise 2.4 Timed automata as we defined them only allows comparison of one clockagainst one integer in clock constraints. In this exercise, we extend clock constraints with diagonalconstraints:

C(X ) 3 g ::= c ∼ n | c− c′ ∼ n | g ∧ g.

Prove that any timed automaton with diagonal constraints can be transformed into a language-equivalent timed automaton without diagonal constraints. How large is the resulting timed au-tomaton compared to the original one?

Exercise 2.5 As for finite-state automata, timed automata can be augmented with silenttransitions: silent transitions are labelled with a special symbol ε; when such transitions appear ina run, they produce no “output” in the associated timed word.

Let Σ = a. Build a timed automaton with silent transition whose language is the set L2 of allwords in which the letter a may only occur at dates in 2 ·N (for instance, the word (a, 2i)i∈N, butalso the word (a, 2i)i∈N). Prove that this language can be accepted by no classical timed automata.

23

Chapter 3

Language-theoretic problems fortimed automata

3.1 Checking language emptiness

Checking emptiness is the most basic problem to be solved for any class of automata. A majorfeature of timed automata is that they enjoy (reasonably efficient) algorithms for deciding theiremptiness. The key ingredient here is that the (infinite) state space of timed automata can bepartitioned into finitely many pieces in such a way that any two configurations that belong to thesame piece are time-abstract bisimilar. We begin with defining these notions, and then explain howto partition the set of configurations.

3.1.1 (Time-abstract) bisimilarity

In Section 1.2.4, we introduced bisimilarity for finite-state automata. It naturally extends to infinite-state automata. Let us recall the precise definition in the setting of timed automata.

Definition 14. Let T be a timed automaton, and R be a binary relation between configurationsof T . Relation R is a bisimulation for S(T ) if for any ((s, v), (s′, v′)) ∈ R, the following propertieshold:

• for any transition d ∈ D such that src(d) = (s, v), there is a transition d′ ∈ D such thatsrc(d′) = (s′, v′) such that additionally labS(T )(d) = labS(T )(d

′) (for delay transitions) orlabT (labS(T )(d)) = labT (labS(T )(d

′)) (for action transitions), and (tgt(d), tgt(d′)) ∈ R;

• symmetrically, for any transition d′ ∈ D such that src(d′) = (s′, v′), there is a transition d ∈ Dsuch that src(d) = (s, v) such that additionally labS(T )(d

′) = labS(T )(d) (for delay transitions)or labT (labS(T )(d

′)) = labT (labS(T )(d)) (for action transitions), and (tgt(d), tgt(d′)) ∈ R.

Two configurations (s, v) and (s′, v′) are said bisimilar in S(T ) whenever there exists a bisimulationrelation R for S(T ) such that ((s, v), (s′, v′)) ∈ R.

This notion of bisimilarity is very fine: consider a state s of a timed automaton T involving asingle clock x, such that inv(s) = [x ≤ 1]; then for any two valuations v : x 7→ α and v′ : x 7→ β

24

with 0 < α < β ≤ 1, the configurations (s, v) and (s, v′) are not bisimilar, since from (s, v) a delaytransition labelled with 1 − α is available, while it does not exist from (s, v′). On the other hand,the kind of properties we focus on here (for instance deciding reachability of a transition) does notneed such a precise tracking of delays.

We thus define another notion of bisimilarity, called time-abstract bisimilarity, in which theexact delays of transitions are not taken into account:

Definition 15. Let T be a timed automaton, and R be a binary relation between configurationsof T . Relation R is a time-abstract bisimulation for S(T ) if for any ((s, v), (s′, v′)) ∈ R, thefollowing properties hold:

• for any transition d ∈ D such that src(d) = (s, v), there is a transition d′ ∈ D such thatsrc(d′) = (s′, v′) such that additionally

– either labS(T )(d) ∈ T , and it must hold labS(T )(d′) ∈ T and labT (labS(T )(d)) = labT (labS(T )(d

′)),or labS(T )(d) ∈ R≥0, and we must have labS(T )(d

′) ∈ R≥0;

– (tgt(d), tgt(d′)) ∈ R;

• symmetrically, for any transition d′ ∈ D such that src(d′) = (s′, v′), there is a transition d ∈ Dsuch that src(d) = (s, v) such that additionally

– either labS(T )(d) ∈ Σ, and it is required that labS(T )(d′) ∈ T and labT (labS(T )(d)) =

labT (labS(T )(d′)), or labS(T )(d) ∈ R≥0, and we need labS(T )(d

′) ∈ R≥0;

– (tgt(d), tgt(d′)) ∈ R.

Two configurations (s, v) and (s′, v′) are said time-abstract bisimilar in S(T ) whenever there existsa timed-abstract bisimulation relation R for S(T ) such that ((s, v), (s′, v′)) ∈ R.

As previously, one may check that two time-abstract-bisimilar configurations can reach the exactsame sequences of actions (this time however, delays may not be preserved). Assuming that theacceptance condition depends on action names (which can be achieved w.l.o.g., but may affectbisimilarity), the untimed languages generated from two time-abstract-bisimilar configurations areidentical.

3.1.2 Partitions that define a time-abstract bisimulation

We now give necessary conditions for a partition of the state space to correspond to a time-abstractbisimulation for (any state of) a given timed automaton T . More precisely, what we expect is apartition of the space (R≥0)X of clock valuations such that, for any two clock valuations in the samecell of the partition, and any state s of T , configurations (s, v) and (s, v′) be time-abstract bisimilar.In the following, given a set r ⊆ (R≥0)X , we write r +R≥0 for the set v + t | v ∈ r and t ∈ R≥0.

Intuitively, what we need is that

• if a delay or an action transition is available from a given valuation in a cell of the partition,it must be available from any other valuation in the same cell. This can be translated asfollows:

for any cell r of the partition and any clock constraint g appearingin the automaton, either r is included in g (i.e., all valuations in rsatisfy g), or r is disjoint from g (i.e., no valuations in r satisfy g).

(R1)

25

• if a given valuation v in some cell r can reach a cell r′ by a delay transition, then all valuationsin r must be able to reach r′ via a delay transition. Thus:

for any two cells r and r′ of the partition, either (r +R≥0) ∩ r′ = ∅ or∀v ∈ r. (v +R≥0) ∩ r′ 6= ∅. (R2)

• similarly, a given valuation v in some cell r can reach a cell r′ by an action transition, thenall valuations in r must be able to reach r′ via an action transition carrying the same label.Actually, action transitions only act on valuations via clock resets. Hence it is sufficient tohave:

for any cell r of the partition, if an action transition resetting someclocks U ⊆ X is available from r, then r[U ← 0] must be fully includedin a cell of the partition.

(R3)

We prove that any partition satisfying rules (R1) to (R3) indeed gives rise to a time-abstractbisimulation:

Proposition 16. Let T be a timed automaton. Let R be a partition of the set (R≥0)X of valuationssatisfying rules (R1) to (R3) for the transitions of T . Then the relation ∼ induced on the set ofconfigurations of T as

(s, v) ∼ (s′, v′) ⇔ s = s′ and v and v′ are in the same cell of R

is a time-abstract bisimulation for S(T ).

Proof. Let (s, v) and (s, v′) be two equivalent configurations for relation ∼, and d be a transitionwith src(d) = (s, v). We first consider the case where lab(d) is a transition t of T . Rule (R1) entailsthat the guard of this transition is also satisfied by valuation v′, so that there exists a transition d′

with src(d′) = (s, v′) and lab(d′) = lab(d). The transition indicated by lab(d) (and lab(d′)) mayreset some clocks in R ⊆ X ; by rule (R3), resetting those clocks from v or from v′ leads to the samecell of the partition. In the end, the resulting configurations are (s′, v[R ← 0]) and (s′, v′[R ← 0])are equivalent for ∼, as required.

The case of delay transitions is similar: if δ = lab(d) ∈ R≥0, then by rule (R2), the cellcontaining v + δ can be reached from v′ by some delay δ′. Moreover, both v and v + δ fulfillthe invariant inv(s), hence by rule (R1), also v′ and v′ + δ′ satisfy inv(s). Hence there is a delaytransition d′ with src(d′) = (s, v′) and lab(d′) = δ′ ∈ R≥0, and its target configuration (s, v′ + δ′) isequivalent to (s, v + δ).

Example 2. Consider a 2-clock timed automaton with three transitions:

• one has guard [x = 4], and resets no clocks;

• one has guard [y ≤ 3], and resets no clocks;

• one has guard [y ≥ 2], and resets clock x.

We inductively build a partition satisfying rules (R1) to (R3). First, in order to fulfill rule (R1),we split the space of valuations into 6 cells, as defined by the guards of our automaton. We end upwith a first partition, represented on Fig. 3.1a. It satisfies (R1) (this is how we built it).

However, it does not satisfy (R2): for instance, one can find a valuation in cell 1© that cantake a delay transition to cell 4©, and another valuation in the same cell 1© that cannot reach 4©

26

1 2 1

3 4 3

5 6 5

x=4

y≥2

y≤3

(a) Partition satisfying (R1).

17

8

2 9

310

5 11

5 6 12

x=4

(b) Refinement satisfying (R1) and (R2).

17

8

2 9

3 13 14

104 11

5 15 16 6 12

x=4

y≥2

y≤3

(c) Refinement satisfying (R1) and (R3).

1

17 18 7

8

2 9

3

19

13

2014

104 11

5 15 16 6 12

x=4

(d) Partition satisfying (R1), (R2), (R3).

Figure 3.1: Iteratively computing a partition satisfying rules (R1) to (R3) for a two-clock timedautomaton

by a delay transition. The same problem occurs with valuations in 1© and in 4© trying to reach 6©.We address these problems by refining cells 1© and 3© following diagonal lines, ending up with thepartition depicted on Fig. 3.1b, which can be seen to satisfy rules (R1) and (R2). Notice that anyrefinement of our first partition will satisfy (R1).

Now, rule (R3) is not fulfilled in this partition: one can find valuations in 3© (and also in 5©actually), from which the third transition (which resets clock x) can be taken, but that may end in 1©,7© or 8©. Hence we have to refine regions 3© and 5© in order to make rule (R3) hold. We end up

with the partition of Fig. 3.1c, where rules (R1) and (R3) hold.Unfortunately, the new cells we just added in our partition invalidate rule (R2): cells 1©, 3©

and 13© have to be further refined. We end up with the partition of Fig. 3.1d, which has 20 cells,and can be checked to satisfy all three rules.

3.1.3 Region equivalence

In Example 2, we have been able to compute a finite partition satisfying our three rules, henceinducing a time-abstract bisimulation for our automaton (notice that the partition does not dependon the automaton itself, but only on the clock constraints and clock resets). Looking at the sequence

27

of refinements, we may conjecture that all refinements can be defined using integer constants neverexceeding the maximal constants each clock is compared to. We will see that this conjecture isindeed true. As a consequence, a second conjecture, which also turns out to hold true, is thatthe maximally-refined partition (depicted on Fig. 3.2) would satisfy all three rules (R1) to (R3),for any timed automaton (provided it does not use integer constants larger than those used forrule (R1)). We now define this partition by introducing region equivalence, and show that it enjoysthe properties above.

Fix a finite set of clocks X , and a valuation M : X → N defining the maximal constants allowedfor each clock. M-region equivalence is defined as follows:

Definition 17. Two clock valuations v1 and v2 of clocks in X are M-region-equivalent if theysatisfy the following three properties1:

1. for any clock c ∈ X , v1(c) > M(c) if, and only if, v2(c) > M(c);

2. for any clock c ∈ X such that v1(c) ≤M(c),

(a) bv1(c)c = bv2(c)c;(b) 〈v1(c)〉 = 0 if, and only if, 〈v2(c)〉 = 0;

3. for any two clocks c and c′ in X such that v1(c) ≤ M(C) and v1(c′) ≤ M(c′), we have〈v1(c)〉 ≤ 〈v1(c′)〉 if, and only if, 〈v2(c)〉 ≤ 〈v2(c′)〉.

Reflexiveness, symmetry and transitivity of this relation are easy to prove, so that:

Lemma 18. For any M ∈ NX , M-region equivalence is indeed an equivalence relation.

A region (we will most often omit to mention the upper-bound valuation M, when it is clearfrom the context) is an equivalence class for this relation.

Proposition 19. Let T be a timed automaton with maximal-constant valuation M. The partitiondefined by the M-region equivalence satisfies rules (R1) to (R3); hence it induces a time-abstractbisimulation for the infinite-state automaton associated with T .

Proof. The proof of this lemma is long and quite tedious. It makes heavy use of the following simpleobservations:

Lemma 20. Let a, b, c and d be non-negative reals. Then

1. if a ≤ b < a+ 1 and a ∈ Z, then bbc = a;

2. if 〈a〉 = 〈b〉, then 〈a+ d〉 = 〈b+ d〉;

3. if 〈a〉 ≤ 〈b〉 < 〈c〉 and c+ d ∈ Z, then 〈a+ d〉 ≤ 〈b+ d〉;

4. if 〈a〉 ≤ 〈c〉 ≤ 〈b〉 and c+ d ∈ Z, then 〈b+ d〉 ≤ 〈a+ d〉;

5. if 〈c〉 ≤ 〈a〉 ≤ 〈b〉 and c+ d ∈ Z, then 〈a+ d〉 ≤ 〈b+ d〉;

6. if 〈a〉 ≤ 〈b〉 and 〈b+ d〉 < 〈a+ d〉, then b+ e ∈ Z for some 0 ≤ e ≤ d.

1In this definition, and in the sequel, we write bxc for the greatest integer less than or equal to x, dxe for −b−xc(i.e., the least integer larger than or equal to x), and 〈x〉 = x− bxc (so that 0 ≤ 〈x〉 < 1 for any x ∈ R).

28

x=4

y≥2

y≤3

Figure 3.2: The 104 regions for M(x) = 4 and M(y) = 3

We begin with rule (R1): we pick two equivalent clock valuations v and v′, and a clock con-straint g (not comparing any clock c with any integer larger than M(c)), assuming that v |= g;we aim at proving that also v′ |= g. First, since g is a conjunction of atomic constraints c ∼ n,it suffices to prove the result for such atomic constraints.

So, assume v(c) ∼ n. First, if v(c) > M(c), then we must have ∼ ∈ ≥, >, since n ≤ M(c).Condition (1) of the definition of region equivalence gives v′(c) > M(c), so that also v′(c) ∼ n. Now,if v(c) ≤ M(c), then by conditions (2a) and (2b) of region equivalence, we have bv(c)c = bv′(c)c,and v(c) is an integer if, and only if, v′(c) also is. It is easily observed that two such values cannotbe distinguished by any integer constraint.

We now prove (R2): for this, we again pick two equivalent clock valuations v and v′, and anon-negative real d. We have to prove that there is a non-negative real d′ such that v+d and v′+d′

are equivalent.First assume that v(c) + d > M(c) for all c ∈ X . It then suffices to take d′ = 1 + maxc∈X M(c)

to make sure that also v′(c) + d′ > M(c) for all c ∈ X . This proves our result in this case.Otherwise, for at least one clock c, it holds v(c) + d ≤M(c). We then also have v(c) ≤M(c),

so that v′(c) ≤M(c) and bv(c)c = bv′(c)c and 〈v(c)〉 = 0 if, and only if, 〈v′(c)〉 = 0. We considertwo cases:

• if, for some clock c such that v(c)+d ≤M(c), the value v(c)+d is an integer: we then let d′ =d+ v(c)− v′(c). We first prove that this value is non-negative: indeed, we have v(c) ≤M(c),

29

so that for any integer k less than or equal to M(c), we have v(c) ≤ k if, and only if, v′(c) ≤ k.In particular, for k = v(c) + d, we get v′(c) ≤ v(c) + d, which entails that d′ is non-negative.Now, we prove that v + d and v′ + d′ are equivalent. Obviously v′(c) + d′ = v(c) + d, so thatit is also an integer less than or equal to M(c). Hence conditions (1), (2a) and (2b) hold forclock c.

Pick any other clock c′. In case v(c′) > M(c′), then also v′(c′) > M(c′), and v(c′)+d > M(c′)and v′(c′)+d′ > M(c′), which proves (1), (2a) and (2b) for such clocks c′. Otherwise, we havev(c′) ≤M(c′), hence also v′(c′) ≤M(c′). It follows that bv(c′)c = bv′(c′)c, and 〈v(c′)〉 = 0 if,and only if, 〈v′(c′)〉 = 0, and 〈v(c)〉 ≤ 〈v(c′)〉 if, and only if, 〈v′(c)〉 ≤ 〈v′(c′)〉.First assume 〈v(c)〉 ≤ 〈v(c′)〉, hence also 〈v′(c)〉 ≤ 〈v′(c′)〉. We then have

bv′(c′)c ≤ bv′(c′)c+ 〈v′(c)〉 ≤ bv′(c′)c+ 〈v′(c′)〉 = v′(c′) < bv′(c′)c+ 1 ≤ bv′(c′)c+ 〈v′(c)〉+ 1.

It follows

bv′(c′)c+ 〈v′(c)〉+ d′ ≤ v′(c′) + d′ < bv′(c′)c+ d′ + 1 ≤ bv′(c′)c+ 〈v′(c)〉+ d′ + 1.

Since v(c) + d is an integer, 〈v′(c)〉+ d′ = d+ v(c)− bv′(c)c is an integer, and

bv′(c′) + d′c = bv′(c′)c+ 〈v′(c)〉+ d′ (by property (1) of Lemma 20)

= bv′(c′)c − bv′(c)c+ d+ v(c)

= bv′(c′)c+ d+ 〈v(c)〉+ bv(c)c − bv′(c)c= bv′(c′)c+ d+ 〈v(c)〉= bv(c′) + dc.

Now, if 〈v(c′) + d〉 = 0, then we must have 〈v(c′)〉 = 〈v(c)〉. Since v′ ∼ v, by condition (3)we get 〈v′(c′)〉 = 〈v′(c)〉, so that 〈v′(c′) + d′〉 = 〈v′(c) + d′〉 = 0. The converse implication issimilar.

Thus we have proved (2a) and (2b) for c′, even in case v(c′) + d or v′(c′) + d′ exceed M(c′).Property (1) follows.

We now prove property (3). We pick two clocks c′ and c′′ (assuming w.l.o.g. that 〈v(c′)〉 ≤〈v(c′′)〉), and consider four cases depending on the relative positions of 〈v(c)〉 w.r.t. 〈v(c′)〉and 〈v(c′′)〉:

– if 〈v(c′)〉 ≤ 〈v(c′′)〉 < 〈v(c)〉: then also 〈v′(c′)〉 ≤ 〈v′(c′′)〉 < 〈v′(c)〉. Since v(c) + d andv′(c) + d′ are integers, we get 〈v(c′) + d〉 ≤ 〈v(c′′) + d〉 and 〈v′(c′) + d′〉 ≤ 〈v′(c′′) + d′〉;

– if 〈v(c′)〉 ≤ 〈v(c′′)〉 = 〈v(c)〉: then 〈v′(c′)〉 ≤ 〈v′(c′′)〉 = 〈v′(c)〉. Since v(c) + d andv′(c) + d′ are integers, we get 0 = 〈v(c′′) + d〉 ≤ 〈v(c′) + d〉 and 0 = 〈v′(c′′) + d′〉 ≤〈v′(c′) + d′〉.

– if 〈v(c′)〉 ≤ 〈v(c)〉 ≤ 〈v(c′′)〉: the argument is similar, and we get 〈v(c′′)+d〉 ≤ 〈v(c′)+d〉and 〈v′(c′′) + d′〉 ≤ 〈v′(c′) + d′〉;

– if 〈v(c)〉 ≤ 〈v(c′)〉 ≤ 〈v(c′′)〉: in this case we get 〈v(c′)+d〉 ≤ 〈v(c′′)+d〉 and 〈v′(c′)+d′〉 ≤〈v′(c′′) + d′〉.

• if v(c) + d is not an integer for any clock c such that v(c) + d ≤M(c): we again split this caseinto two subcases:

30

– either for any intermediary delay 0 ≤ e ≤ d and any clock c, either v(c) + e > M(c) orit is not an integer: in that case, we claim that v ∼ v + d: if it were not the case, then

∗ either v(c) ≤M(c) and v(c) + d > M(c) for some clock c, but then we would havev(c) + e = M(c) for some 0 ≤ e ≤ d;

∗ or bv(c)c 6= bv(c) + dc for some clock, which would lead to the same contradiction;

∗ or 〈v(c)〉 = 0 and bv(c) + dc 6= 0 (or the other way around), again contradicting ourhypothesis;

∗ or finally 〈v(c)〉 ≤ 〈v(c′)〉 and 〈v(c) + d〉 > 〈v(c′) + d〉: this again entails v(c′) + e bean integer for some 0 ≤ e ≤ d.

It then suffices to take d′ = 0 to obtain our result.

– the last case is when v(c) + e is an integer less than or equal to M(c), for some c ∈ Xand some 0 ≤ e < d: in that case, there are finitely many such values for e, and we pickthe largest one. The proof above (case where v(c) + d is an integer for some c) applies,so that there exists a non-negative delay e′ for which v + e ∼ v′ + e′.

We now let f = d− e, and pick any f ′ such that 0 < f ′ < min1− 〈v′(c) + e′〉 | c ∈ X.Notice that 0 < f < min1 − 〈v(c) + e〉 | c ∈ X, by construction of e. We claim thatv + e+ f ∼ v′ + e′ + f ′:

∗ if v(c) + e + f > M(c) for some c, then v(c) + e ≥ M(c): if it were not thecase, we would have v(c) + g = M(c) for some e < g ≤ d. We thus also havev′(c) + e′ ≥M(c), so that v′(c) + e′ + f ′ > M(c).Conversely, if v(c)+e+f ≤M(c), then v(c)+e < M(c), hence also v′(c)+e′ < M(c).By construction of f ′, we must have v′(c) + e′ + f ′ < M(c).

∗ pick a clock c such that v(c) + e+ f ≤M(c) (hence also v′(c) + e′+ f ′ ≤M(c)). Byconstruction of f and f ′, we have bv(c) + e+ fc = bv(c) + ec and bv′(c) + e′+ f ′c =bv′(c) + e′c. Since v + e ∼ v′ + e′, we get bv(c) + e+ fc = bv′(c) + e′ + f ′c for thoseclocks. Additionally, for such a clock c, neither v(c) + e+ f nor v′(c) + e′ + f ′ maybe an integer, so that property (2b) holds.

∗ finally, pick two clocks c and c′ such that 〈v(c)+e+f〉 ≤ 〈v(c′)+e+f〉. As previously,by construction of e, we also have 〈v(c) + e〉 ≤ 〈v(c′) + e〉, hence also 〈v′(c) + e′〉 ≤〈v′(c′)+e′〉. Now, by definition of f ′, we must have 〈v′(c)+e′+f ′〉 ≤ 〈v′(c′)+e′+f ′〉.

This concludes our proof for (R2)

It remains to prove rule (R3): again, we pick two equivalent valuations v and v′, and prove thestronger result that for any subset R ⊆ X , we have v[R ← 0] ∼ v′[R ← 0].

Property (1) is easy to prove: if v[R ← 0](c) > M(c), then either M(c) < 0 or v(c) > M(c)and c /∈ R. The former case is trivial; in the latter case, since v ∼ v′, we have v′(c) > M(c), hencealso v′[R ← 0](c) > M(c). Properties (2a) and (2b) are proven with similar arguments: they areobvious for clocks in R, and directly follow from v ∼ v′ for clocks not in R. Finally, we proveproperty (3) by picking two clocks c and c′, and assuming 〈v[R ← 0](c)〉 ≤ 〈v[R ← 0](c′)〉. We splitthe argument into several subcases:

• if both c and c′ are in R, then obviously 〈v′[R ← 0](c)〉 ≤ 〈v′[R ← 0](c′)〉;

• if c ∈ R and c′ /∈ R, we then have 〈v′[R ← 0](c)〉 = 0, and the inequality 〈v′[R ← 0](c)〉 ≤〈v′[R ← 0](c′)〉 holds trivially;

31

• if c /∈ R and c′ ∈ R, then our hypothesis implies 〈v(c)〉 = 0. Hence also 〈v′(c)〉 = 0, and〈v′[R ← 0](c)〉 ≤ 〈v′[R ← 0](c′)〉;

• finally, if none of c and c′ is in R, then 〈v′[R ← 0](c)〉 ≤ 〈v′[R ← 0](c′)〉 rewrites as 〈v′(c)〉 ≤〈v′(c′)〉, which holds because v′ ∼ v.

Remark 3. Proposition 19 would not hold for automata involving diagonal constraints: prop-erty (R1) fails to hold for diagonal constraints when some clock exceeds its maximal constant. It ispossible to adapt the definition of region-equivalence in order to get a partition compatible withdiagonal constraints, by extending “diagonal splits” besides maximal constants.

3.1.4 Quotienting an automaton by a bisimulation

We now focus on deciding emptiness of the language accepted by a timed automaton. We solve thisproblem by exploiting the study above about region equivalence and time-abstract bisimulation.The important ingredient here consists in quotienting the infinite-state graph associated with atimed automaton by a time-abstract bisimulation:

Definition 21. Let T = 〈〈S, S0, T, src, tgt, lab, A〉,X , inv, guard, reset〉 be a timed automaton, S(T ) =〈Q,Q0, D, src, tgt, lab,Ω〉 be its associated infinite-state automaton, and ∼ be a time-abstract bisim-ulation for S(T ). Let δ be a special symbol not in T . The quotient of S(T ) by ∼ (sometimes alsocalled quotient of T by ∼) is the automaton S∼(T ) = 〈Q′, Q′0, D′, src′, tgt′, lab

′,Ω′〉 defined over thealphabet T ] δ as follows:

• the set Q′ of states is the set of equivalence classes of ∼. For a configuration (s, v) of T ,we write [[(s, v)]] for its equivalence class;

• Q′0 = [[q0]] | q0 ∈ Q0;

• for any two equivalence classes r and r′, and any label l ∈ T ] δ, there is a transitiond′r,l,r′ in D′ with src(d′r,l,r′) = r, tgt(d′r,l,r′) = r, and lab(d′r,l,r′) = l, whenever there is atransition d ∈ D with r = [[src(d)]], r′ = [[tgt(d)]], and either lab(d) = l if l ∈ T , or lab(d) ∈ R≥0if l = δ;

• finally, Ω′ : D′ω → 0, 1 is defined as for S(T ), by letting Ω′((d′i)i∈N) = A(projT ((lab(d′i))i∈N).

The following proposition follows from our results in the previous sections:

Proposition 22. The timed automaton T has an accepting execution if, and only if, the automa-ton S∼(T ) has one.

Proof. First assume that there is an accepting execution in S(T ); we write it (di)i∈N. Following ourconstruction of D′, each di induces a transition in D′, which we write [[di]]. The sequence ([[di]])i∈N isthen an execution of S∼(T ). Since this execution is accepting in S(T ), it clearly also is in S∼(T ).

Conversely, let (d′i)i∈N be an accepting execution in S∼(T ). Pick an initial configuration (s0, v0)in src(d′0) (hence v0 = 0). We build our execution inductively: first, since there is a transition d′0with src(d′0) = [[(s0, v0)]], by construction of D′ there must exist a transition h0 in S(T ) with[[src(h0)]] = src(d′0) and [[tgt(h0)]] = tgt(d′0), and lab(h0) = lab(d′0) if lab(d′0) ∈ T and lab(h0) ∈ R≥0if lab(d′0) = δ. Now, since ∼ is a bisimulation relation, we know that there exists a transition d0

32

in S(T ) with src(d0) = (s0, v0) and tgt(d0) ∈ tgt(d′0), and lab(d0) = lab(d′0) if lab(d′0) ∈ T , andlab(d0) ∈ R≥0 otherwise. We write (s1, v1) = tgt(d0).

Now, assume we have built a finite prefix of an execution in S(T ), ending with a transition dksuch that tgt(dk) = (sk+1, vk+1) and [[(sk+1, vk+1)]] = tgt(d′k). Applying the same arguments as forthe first step, we add a new transition dk+1 to our run, carrying the same label as d′k+1 if this label isin T , and carrying a non-negative real if lab(d′k+1) = δ. Taking the limit of these increasing sequencesof finite runs, we get an infinite run (d′i)i∈N such that projT ((lab(di))i∈N) = projT ((lab(d′i))i∈N). Thisconcludes our proof.

In the same way as we did for defining the language of timed automata, given an infinite runaccepted by S(T ) (hence containing infinitely many transitions labelled with some transition of T ),we let act : N → N be the increasing function such that (lab(d′act(i)))i∈N = projT ((lab(d′i))i∈N).

The untimed word associated with an execution (d′i)i∈N is the infinite word (labT (labS(T )(d′act(i))))i∈N.

The proof of Prop. 22 actually proves the following, stronger result:

Proposition 23. The language accepted by S∼(T ) is the untimed language of T .

The number of equivalence classes of the region equivalence is easily proven to be finite, whichentails that the untimed language of a timed automaton is ω-regular.

3.1.5 Complexity of checking emptiness

For convenience, we fix an (arbitrary) order on the set of clocks, writing them (ci)1≤i≤|X|. Inorder to estimate the number of regions, we associate with each valuation v a 4-tuple χ(v) =〈(nc)c∈X , (c)c∈X , νF , (vc)c∈F 〉 (where F ⊆ X ) defined as follows:

• a vector (nc)c∈X of integers such that 0 ≤ nc ≤M(c) for each c (representing for each clockthe largest integer in [0,M(c)] that is smaller than or equal to v(c)), together with a vector ofrelation symbols (c)c∈X such that c ∈ =, > (indicating whether v(c) = nc or v(c) > nc);

• a permutation νF of the set F of clocks having nc < M(c) and positive fractional part (i.e. cis the symbol >), and a sequence of relation symbols (vc)c∈F ∈ =, <F : the permutationindicates the ordering of the fractional parts of the clocks in F , and the relation symbol isused to indicate whether two consecutive clocks in this ordering have equal fractional partsor not.

The following lemma is then straightforward:

Lemma 24. Two clock valuations v and v′ such that χ(v) = χ(v′) are region equivalent.

Notice that the converse implication does not hold in general.

Proposition 25. The number of equivalence classes of region equivalence is at most∏c∈X

2(M(c) + 1) · |X |! · 2|X |.

Proof. We count the number of different characteristics, which by Lemma 24 over-approximatesthe number of regions: there are

∏c∈X (M(c) + 1) different values for (nc)c∈X , and 2|X | choices

for (c)c∈X .

33

We over-approximate the number of permutations of F by the number of permutations of X ,which is |X |!. Similarly, there are at most 2|X | possible choices for (vc)c∈F . The result follows.

It is natural to assume that the integer constants of the automaton are given in binary notation;in that case, each value M(C) is exponential in the size of the input. Thus, even if the number ofclocks is seen as a constant, our bound on the number of regions remains exponential. Notice alsothat a lower bound on the number of regions is

∏c∈X 2(M(c) + 1), which is exponential both in the

number of clocks and in (the binary encoding of) their associated maximal constants, so that ourover-approximation is reasonable.

As a consequence, the quotient of S(T ) by ∼ has size exponential, so that emptiness of thelanguage of a timed automaton can be decided in time exponential in the size of the automaton,by building the quotient automaton and checking its emptiness. This algorithm uses exponentialspace, but this can be improved: the emptiness problem can be decided on-the-fly, without buildingthe whole quotient automaton. Indeed, if there exists a run reaching a final transition, there is onevisiting each state of the quotient automaton at most once, hence whose size can be bounded byan exponential function. A non-deterministic algorithm would then guess a witnessing run step-by-step until reaching a target transition (or until reaching a target transition for the second time,if considering repeated-reachability acceptance); it would either reach a final transition and returnthat the language is non-empty, or it would stop if the length of the execution it has built exceedsthe bound. By Savitch theorem, a deterministic polynomial-space algorithm can be derived.

Proposition 26. The emptiness of the language of a timed automaton can be decided in polynomialspace.

It remains to prove that this is optimal:

Proposition 27. Emptiness of the language of a timed automaton with reachability acceptancecondition is PSPACE-hard.

Proof. The proof is by a reduction of the problem whether a non-deterministic linear-boundedTuring machineM accepts an input word w. We first fix our notations: we assume w.l.o.g. thatMworks on a 2-letter alphabet a, b, with an extra blank symbol #, and that its set of states is V andits set of transitions is E. We assume that it has one initial state bi and one final state vf . Beinglinear-bounded for M means that there is a linear function ` : N→ N s.t., on input w, M uses atmost `(|w|) cells of the tape. Deciding whether a linear-bounded Turing machine M accepts aninput word w is known to be PSPACE-complete.

In our encoding, the content of each cell Ci of the tape of the Turing machine is encoded by thevalue of a clock xi when the extra clock t equals 0 and the timed automaton is in a certain state(to be defined below): xi = 0 will encode #, xi ∈ (0, 2] will encode a, and xi > 2 will encode b.

We now consider the timed automaton T = 〈〈S, S0, T, src, tgt, lab, A〉,X , inv, guard, reset〉 s.t.

• S = V ×1, ..., `(|w|)×0, ..., 2× `(|w|), where the first component encodes the state of theTuring machine, the second component corresponds to the position of the tape head, and thethird component will be used to range over all clocks in order to update them (this will benecessary because our encoding is not invariant under time elapsing);

• the set T of transitions is defined below (together with src, tgt, lab, guard and reset);

34

• A accepts all runs along which a transition reaching a state (vf , i, j) ∈ S, for any i and j;

• X = xi | i ∈ 1, ..., `(|w|)∪t. Clock t is used as a tick: it will be reset each time it reachesvalue 2;

• inv is always true.

We now explain how we build the set of transitions: consider for instance a transition (v, b, v′, a,−1)(meaning that if in state v and reading an b, the tape head of M will write an a (thereby erasingthe b), move to the left (if possible), and switch to state v′), and a position i ∈ 2, ..., `(|w|)(the case i = 1 is slightly different as the tape head should not move past the first cell of the tape).Our automaton T will then have the following transitions:

• a transition e with src(e) = (q, i, 0), guard(e) = 〈t = 1∧xi > 3〉, reset(e) = xi and tgt(e) =(q′, i−1, 1)): the guard t = 1∧xi > 3 ensures that clock xi encodes a b (because one time-unitearlier, when t = 0, it was xi > 2); the fact that we reset xi will enforce that next time wereset t (and go to a state really encoding a configuration of M), we have xi ∈ (0, 2], thusencoding an a in cell Ci.

• then for each j 6= i, we have to take care of the values of xj . We do this once when t = 1(for a), and once when t = 2 (for #); notice that clocks encoding b’s do not need to beupdated. When t = 1, a’s are characterized by clock values 0 (in case the a has just bewritten on the tape) or in (1, 3]. In any case, resetting the corresponding clock will enforcethat it is in (0, 2] next time t is reset. Similarly, when t = 2, # are characterized by clockvalue 2. We reset clocks having this value, thus preserving our encoding. These sequences ofupdates are achieved using the sequences of states (q′, i, j) where j ranges from 1 to 2×S(|w|).When the last clock has been updated a second time, we reset t and go to state (q′, i, 0).

We leave it to the reader to prove that there is a weak bisimulation2 between the Turing machineand the automaton representing the semantics of the timed automaton, so that reachability of astate (qf , i, 0) from (qi, 0, 0) in the timed automaton is equivalent to reachability of the final statefrom the initial state of the Turing machine.

As a consequence:

Theorem 28 ([AD94]). Language emptiness for timed automata is PSPACE-complete.

Remark 4. Notice that the proof of Prop. 27 would also hold for discrete-time semantics of timedautomata: considering dense time does not make emptiness (much) harder.

Example 3. We conclude this section with an example of (the reachable part of) a region automa-ton, depicted on Fig. 3.3.

3.2 Checking language inclusion and universality

Besides emptiness, other important problems in automata theory include language inclusion anduniversality. While those problems are decidable for finite-state automata, they are undecidable fortimed automata:

2Weak meaning that we may have silent transitions, corresponding here to the sequence of transitions updatingthe values of the clocks.

35

x≤2 y≤2 x≤2 x≤1y=1, y:=0

x≤2, x:=0

y≥2, y:=0

x=0, y=2x:=0

Figure 3.3: The region automaton for the automaton of Fig. 2.1

Theorem 29. Language inclusion and language universality are undecidable for timed automata.

Proof. We prove the result for universality; if inclusion were decidable, then universality would alsobe, since it amounts to checking inclusion of the language of a timed automaton accepting all timedwords.

We reduce the halting problem for 2-counter machines [Min67] to the language-universalityproblem for timed automata. We encode the executions of M as a timed word w = (σi, ti)i, withti > 0 for all i ∈ N. Each configuration is encoded as a 1-time-unit timed word, starting with letter qrepresenting the current state ofM, followed by as many copies of letter σ1 as the value of counter c1,and by as many copies of letter σ2 as the value of counter c2. The whole execution is encoded asthe concatenation of the timed words encoding the successive configurations, with the followingconditions between successive configurations:

• in case the value of the first counter is unchanged, then each occurrence of σ1 in the firstconfiguration must be followed by an occurrence of σ1 exactly one time unit later;

36

s0

x = 1q ∈ Qx := 0

σ ∈ Σ

0 < x < 1q ∈ Q

x > 1e ∈ Q ∪ Σ

e ∈ Q ∪ Σ

s1

e ∈ Q ∪ Σ

σ2 σ1

e ∈ Q ∪ Σ

s2

e ∈ Q ∪ Σ

σi

x := 0

σi

e ∈ Q ∪ Σ

e ∈ Q ∪ Σ

x < 1

e ∈ Q ∪ Σx ≥ 1

e ∈ Q ∪ Σ \ σix > 1

e ∈ Q ∪ Σ

s3

e ∈ Q ∪ Σ

σi

x := 0

e ∈ Q ∪ Σ \ σi

e ∈ Q ∪ Σ

σi

x = 1

σi σi

e ∈ Q ∪ Σ

s4

e ∈ Q ∪ Σ

e ∈ Q ∪ σix := 0

σi

y := 0

e ∈ Q ∪ Σ

e ∈ Q ∪ σix = 1

σi

y < 1

e ∈ Q ∪ Σ

Figure 3.4: (Some of the) automata for proving undecidability of universality

• in case it gets incremented, then each σ1 in the first configuration has a corresponding σ1exactly one time unit later in the following configuration, and an extra occurrence of σ1 isadded after those in the second configuration;

• in case it gets decremented, then each σ1 but the last one in the first configuration is followedby an occurrence σ1 one time unit later in the following configuration;

• the same conditions apply for letter σ2 and the second counter.

We now build a timed automaton T that accepts all timed words that do not correspond to acorrect encoding of a halting execution of M, as described above. This timed automaton will bethe disjunction of several timed automata, each responsible for checking that the timed word beingread does not correctly encode some aspect of our encoding (see Fig. 3.4). Checking that the worddoes not have states of Q at exactly integer dates (automaton with initial state s0 on Fig. 3.4), thatit is not of the form (Q× σ1∗ × σ2∗)∗ (i.e., it contains the pattern σ2 · σ1, see automaton withinitial state s1 on Fig. 3.4), or that the final state of M is not reached, are rather straightforward.Checking that two actions do occur at the same time is also easy.

37

It remains to check that one of the instructions is not applied correctly. This can be eitherbecause the following state of M is not the one indicated by the instruction, or because one ofthe counter is not modified correctly. The first condition is easily checked. We briefly explain thesecond one: several cases may correspond to a “failure”:

• either there is a σi in some configuration (not the last one, in case of a decrementation) thatis not followed by a σi one time unit later (automaton starting in s2 on Fig. 3.4);

• (at least) two new occurrences of σi are added at the end of the sequence of σi’s (automatonwith initial state s3 of Fig. 3.4);

• or there is a σi in some configuration (not the last one in case of an incrementation) notpreceded by a σi one time unit earlier (automaton starting from s4 on Fig. 3.4).

The union of these automata is not universal if, and only if, there exists a correct encoding of ahalting execution of M, which is undecidable.

Exercises

Exercise 3.1 Let v1 and v2 be two region-equivalent clock valuations, and d ∈ R≥0.Is it the case that v1 + d and v2 + d are region-equivalent?

Exercise 3.2 Prove that emptiness of the language of a timed automaton involving asingle clock can be decided in polynomial time.

Exercise 3.3 Our proof that the emptiness problem for timed automata is PSPACE-hardconsists in building a timed automaton whose executions correspond to executions of a linear-bounded Turing machine. The timed automaton we built uses a polynomial number of clocks.

Prove that the problem is also PSPACE-hard for timed automata with only three clocks. Forthis, you may again encode the executions of a linear-bounded Turing machine with two letters 0and 1, representing the content of the tape as an integer.

Exercise 3.4 Exercise 2.4 extended clock constraints with so-called diagonal constraints,and showed that this does not add expressive power to timed automata, but but can be moresuccinct. From the transformation of Exercise 2.4, we can derive an algorithm for checking emptinessof timed automata with diagonal constraints; but this algorithm would have high complexity.

By adapting the definition of clock regions, prove that deciding emptiness of the language oftimed automata with diagonal constraints is PSPACE-complete.

Exercise 3.5 Besides diagonal constraints, timed automata can also be augmented withadditive constraints, for the form c+ c′ ∼ n.

Prove that there exists a timed automaton with additive constraints (using two clocks) acceptingthe single-word language

(a, ti)i∈N | ∀i. ti = 1/2i+1.

Prove that no classical timed automaton can accept this language.By refining the region construction, prove that emptiness is decidable for timed automata with

additive constraints involving at most two clocks.

38

s0 s1 s2 s2a, x := 0

t1

x = 1, at2

x = 1, αt3

at3

at4

at5

Σt4

Figure 3.5: A (non-complementable) timed automaton A

By encoding the runs of a two-counter machine, prove that emptiness is undecidable for timedautomata with additive constraints involving at least four clocks.

Exercise 3.6 We extend clock constraints by allowing comparison of clocks with realvalues (e.g.

√2). Prove that the function t ∈ N 7→ 〈t ·

√2〉 (the fractional part of t ·

√2) is injective.

Prove that emptiness is undecidable for timed automata with real-valued constants.

Exercise 3.7 Let Σ be a finite alphabet containing a letter a, and let α /∈ Σ be an extraletter. Characterize the language of the timed automaton of Fig. 3.5.

Let B be a timed automaton over alphabet Σ. Build a timed automaton accepting the language(Σ×R≥0)∗ × (α ×R≥0)× L(B).

Finally, build a timed automaton accepting all timed words not containing α, or containing atleast two occurrences of α.

Let L be the union of the three languages above. Prove that the complement of L is acceptedby a timed automaton if, and only if, B is universal. Conclude.

Using similar arguments, prove that the problem whether a timed automaton can be deter-minized is undecidable.

39

Chapter 4

Model-checking for timedautomata

4.1 Model checking via language inclusion

Classically, model checking consists in checking that the language of a timed automaton representingthe model under scrutiny is included in the language of a timed automaton representing the propertyto be checked: when this is the case, then indeed all behaviours of the model satisfy the property.

In the timed setting, language inclusion is undecidable. A classical workaround is to considerthe (automaton corresponding to the) negation of the property, and to check that its languagedoes not intersect the language of the timed automaton representing the model. This is decidable,but can only be performed in the case where we can obtain the automaton for the negation ofthe automaton. Another way to circumvent undecidability of language inclusion is to restrict toproperties expressed by finite-state (untimed) automata: such automata can be complemented(at the expense of an exponential blowup); alternatively, language inclusion can be checked withthe region automaton.

4.2 Model checking using temporal logics

As was the case for finite-state automata, instead of using timed automata, it is classical to resortto temporal logics for expressing properties. The logic CTL∗, introduced in Sction 1.2.4, can begiven a semantics over timed automata. Notice however that runs in a timed automaton mix delay-and action transitions; in order to cope with these, we label all delay transitions with a specialsymbol delay. The semantics of CTL∗ on timed automata is then defined as follows:

A, ρ, j |= σ ⇐⇒ lab(tj) = σ (for any σ ∈ Σ ∪ delayA, ρ, j |= ¬φ ⇐⇒ ¬ (A, ρ, j |= φ)

A, ρ, j |= φ∨φ′ ⇐⇒ (A, ρ, j |= φ)∨(A, ρ, j |= φ′)

A, ρ, j |= Eφp ⇐⇒ ∃ρ′ ∈ Runs(A, src(tj)). A, ρ′, 0 |= φp

40

A, ρ, j |= φp Uφ′p ⇐⇒ ∃0 < k. A, ρ, j + k |= φ′p ∧∀0 < m < k. (A, ρ, j +m |= delay)∨(A, ρ, j +m |= φp).

Notice how the semantics of until has been modified to allow for delay transitions. Notice also thatstate formulas are only evaluated initially of before an action transition. We refer to Remark 2 onpage 10 for explanations.

While we introduced the region-automaton construction for checking language emptiness, we sawthat it can do much more: any configuration of a timed automaton is time-abstract bisimilar to itscorresponding region (Prop. 19). Actually, this is strong enough to preserve CTL∗ formulas:

Proposition 30. Any two bisimilar states of a (possibly infinite-state) automaton satisfy the exactsame set of CTL∗ formulas.

Proof. By induction on the structure of CTL∗ formulas, we prove that if a formula is true in somestate, then it also holds true in any other bisimilar state. The crucial argument is that if ρ = (ti)i∈Nis a path originating from some state s, then from any bisimilar state s′, it is possible to build apath visiting transitions with the exact same sequence of events. Now, the truth value of a pathformula only depends on the sequence of events along a run, and not on the delays.

A consequence of this proposition is that checking CTL∗ (hence also CTL and LTL) propertieson timed automata can be achieved by checking those properties on the region automaton. Hence:

Theorem 31. CTL, LTL and CTL∗ model checking can be performed on timed automata in poly-omial space.

Notice that obtaining a polynomial space algorithm for CTL (hence also CTL∗) is not so obvious:while checking EU formulas can indeed be performed in polynomial space, labelling the the statesof the region automaton with the subformulas they satisfy would require exponential space. Butit is not absolutely necessary to keep track of the truth value of all subformulas in all regions, andthey can instead be recomputed on demand when necessary.

In a timed setting, it is natural to extend temporal logics to also constrain the delays betweenevents. Two extensions have been studied in the literature: one decorates until modalities withintervals, thereby constraining the delay before which the right-hand-side formula has to be fulfilled;the second approach consists in using formula clocks, in a way similar to clocks in timed automata.We focus here only on the second approach.

Definition 32. Let X ′ be a finite set of clocks. The syntax of TCTL∗ over alphabet Σ and set ofclock X ′ is then defined as follows:

TCTL∗ 3 φs ::= (c := 0).φs | ¬φs | φs ∨φs | Eφp

φp ::= σ | c ∼ n | φs | (c := 0).φp | ¬φp | φp ∨φp | φp Uφp.

where σ ranges over Σ, c ranges over X ′, ∼ ∈ <,≤,=,≥, > and n ranges over N.The semantics of TCTL∗ is defined as for CTL∗, but we have to add an extra valuations ν for

41

clocks in X ′. Formally:

A, ρ, j |=ν ¬φ ⇐⇒ ¬ (A, ρ, j |=ν φ)

A, ρ, j |=ν (c := 0).φ ⇐⇒ A, ρ, j |=ν[c←0] φ

A, ρ, j |=ν φ∨φ′ ⇐⇒ (A, ρ, j |=ν φ)∨(A, ρ, j |=ν φ′)

A, ρ, j |=ν Eφ ⇐⇒ ∃ρ′ ∈ Runs(A, src(tj)). A, ρ′, 0 |=ν φ

A, ρ, j |= σ ⇐⇒ lab(tj) = σ

A, ρ, j |=ν c ∼ n ⇐⇒ ν(c) ∼ nA, ρ, j |=ν φUφ′ ⇐⇒ ∃0 ≤ m < k. (lab(tj+m) /∈ R≥0)∧(A, ρ, j + k |=ν+delay(ρ,j,k) φ)∧

∀0 ≤ n < m < l < k. (lab(tj+n) ∈ R≥0)∧(A, ρ, j + l |=ν+delay(ρ,j,l) φ∨ lab(tj+l) ∈ R≥0).

wheredelay(ρ, j, k) =

∑j≤m<j+k

lab(tm)∈R≥0

lab(tm).

The fragments TCTL and TLTL1 are again obtained by limiting path formulas:

• for TCTL: φp ::= σ | c ∼ n | φs Uφs

• for TLTL: φp ::= σ | c ∼ n | (c := 0).φp | ¬φp | φp ∨φp | φp Uφp.

Example 4. TCTL can express bounded-time reachability of eventσ as (c := 0).EF (σ ∧ c ≤ M):this formula is fulfilled when it is possible to reach a σ-transition in at most M time units. TLTLcan express bounded-time request-response properties such as AG (σ ⇒ (c := 0).F (σ′ ∧ c ≤M)).

As a first step towards proving decidability of TCTL model checking, we have the followinglemma:

Lemma 33. Let A be a timed automaton and φs be a TCTL state-formula. We group the (disjoint)sets of clocks of A and φ together, writing V for the resulting set, and write M for the vector ofmaximal constants with which those clocks are compared in A and φ. Let v and v′ be two region-equivalent valuations; we write v|A and v|φ for the restrictions of v to the clocks of A and φ,respectively.

Let ρ and ρ′ be two runs with initial configurations (s, v|A) and (s, v′|A), respectively. Then forany subformula ψ of φ,

A, ρ, 0 |=v|φ ψ ⇐⇒ A, ρ′, 0 |=v|φ ψ

Proof. The proof is by induction on the structure of ψ. There are two main ingredients: first, givena run ρ and a configuration that is region-equivalent to the first configuration of ρ, we can builda run ρ′ such that the ith configurations along ρ and ρ′ are region-equivalent, for all i. In tworegion-equivalent configurations ν and ν′, we have ν(c) ∼ n if, and only if, ν′(c) ∼ n. Second, if νand ν′ are region-equivalent, then so are ν[c := 0] and ν′[c := 0].

1We name this logic TLTL as the natural timed counterpart of LTL. In the literature however, this logic wasnamed TPTL (for Timed Propositional Temporal Logic), and the variant with modalities decodated with timingconstraints, was named MTL (for Metric Temporal Logic).

42

Theorem 34. TCTL model checking is decidable on timed automata, and is PSPACE-complete.

Proof. An exponential-space (and exponential-time) algorithm consists in labelling the regions(for the extended set of clocks containing the clocks of the automaton and the clocks of the formula).As for the case of CTL, a polynomial-space algorithm can be obtained by checking subformulason demand instead of storing the results.

Theorem 35. TLTL model checking is undecidable on timed automata.

Proof. In order to prove this result, we begin with assuming that TLTL also includes the past-timemodality S (for “since”), symmetric to U. The proof is similar to the undecidability proof foruniversality: it consists in encoding the runs of a two-counter machine as timed words, representingeach consecutive configuration of the two-counter machine as one-time-unit portions of timed words,using the same conventions as in the proof of Theorem 29. We use letters σ1 and σ2 to encodethe values of counters c1 and c2, respectively. In this encoding, as in the proof of Theorem 29,we require that in each encoding of a configuration, the occurrences of σ1 preceed those of σ2. It isnot hard to adapt the formulas below to lift this condition (which will be needed in the second partof the proof).

We assume without loss of generality that the 2-counter machine is deterministic. We can thenwrite a series of TLTL formulas characterizing the encodings of halting executions of the two-countermachine (since TLTL is closed under negation, we could as well characterize all timed words notcorresponding to a halting execution, to follow the proof of Theorem 29 even more closely). We onlywrite some of these formulas:

• the run starts in an initial configuration:

q0 ∧(x := 0).(¬σ1 ∧¬σ2) U (x = 1∧∨q∈Q

q)

• counter c1 is correctly incremented:∧q: c1++; goto q’

G [q → (σ1 → ((c := 0).F (c = 1∧σ1 ∧Xσ1)) U (¬σ1)]

where Xφ is defined as falseUφ: it states that formula φ has to hold when the nextevent (following the present one) will take place. The formula above thus states that, ina configuration where c1 will be incremented, each occurrence of σ1 will be followed by anoccurrence of σ1 one time unit later, and that that occurrence is itself immediately followedby another occurrence of σ1.

In order to correctly encode incrementation, we also have to make sure that no extra occur-rences of σ1 occur in the next configuration. For this, we additionally require:∧

q: c1++; goto q’

G[q → (c := 0)

[F(c = 1∧ q′

∧(σ1 ∧(c′ := 0).F-1 (c′ = −1∧σ1)

)U(σ1 ∧X (¬σ1)

))]]This says that each occurrence of σ1, except the last one, has a corresponding σ1 one timeunit earlier. Similar formulas can be written for fully characterizing halting executions oftwo-counter machines.

43

This proof makes heavy use of the S modality: it is used to prevent counters from augmentingarbitrarily from one configuration to the next one. If we restrict to TLTL (without S), our proofabove only encodes the halting problem for 2-counter machines with insertion errors.

We adapt the arguments to prove undecidability also for TLTL (without S). First, we extendour 2-counter machine with a third counter that gets incremented every other step. In the resulting3-counter machine, the halting problem of course remains undecidable. Moreover, with any such3-counter machine, we can associate an integer constant M such that

• along any non-halting execution, the sum c1 + c2 + c3 of the three counters eventually ex-ceeds M ;

• along any halting computation (if any), the sum c1 + c2 + c3 remains below M .

The proof consists in simulating the (deterministic) 3-counter machine up to M , for increasingvalues of M , stopping the simulation when the sum of the three counters reaches M . We thus haveto adapt our reduction to reinitialize simulations once M has been reached.

Formally, when simulating the execution of the 3-counter machine with bound M , the firstconfiguration (with the machine in its initial state q0 with all three counters intialized to zero)will have q0 at the beginning of its one-time-unit representative, followed with M occurrences of aspecial event σz. When counter c1 (or c2) is incremented, one occurrence of σz is replaced (moreformally, is followed one time unit later) by an occurrence of σ1 (or σ2); the other occurrencesof σz are copied verbatim to the next one-time-unit segment. When a counter is decremented, thelast occurrence of σ1 (or σ2) is replaced with an occurrence of σ3. Since counter c3 is incrementedat every other step, this extra occurrence of σ3 can be used for to implement the forthcomingincrementation of the third counter.

In case there are no insertion errors, the number of occurrences of σz eventually reaches zero:this can be tested by a TLTL formula, which can thus impose that in that case, all occurrences of σ1,σ2 and σ3 are reset to σz in the next segment, except for the last occurrence, which is changedinto a new letter σy. The simulation continues with the remaining occurrences of σz (if any),ignoring (but preserving, and possibly inserting) the occurrences of σy. If no occurrences of σzremain, all occurrences of σy are replaced with σz, and (at least) one extra occurrence is added.Notice that at each step, we cannot prevent the occurrence of extra new events from our alphabet.The “algorithm” above can be implemented as formulas of TLTL: in other terms, there are TLTLformulas such that any timed word satisfying those formulas correspond to the conditions listedabove.

Now, assume that the 3-counter machine does not halt: then for any value of M , the exactencoding of the execution of the machine always eventually exhausts all occurrences of σz, andreaches a configuration containing only occurrences of σy. As a consequence, applying the rulesdescribed in our encoding, we get an infinite timed word in which infinitely many one-time-unitsegments contains only occurrences of σy.

Conversely, assume that there is a timed word visiting infinitely many configurations with onlyoccurrences of σy. We name terminal those configurations containing only σy, and starting theimmediate-successor configurations of terminal configurations. Notice that between one terminalconfiguration and the next terminal configuration, the number of occurrences of σy increases. As aconsequence, the number of σz in consecutive starting configurations increases. Now, between astarting configuration and the next terminal configuration, there are several simulations of the 3-counter machine; between one simulation and the next one, the number of occurrences of σz may

44

either increase (because of insertion errors) or decrease by 1 (in case there are no insertion error allalong the simulation). Since in terminal configurations there are no σz left, there must always bea correct simulation (without insertions) between consecutive terminal configurations.

To sum up, if there is a timed word visiting infinitely many configurations with only occurrencesof σy, then this timed word contains correct simulations for arbitrarily-high bounds M on the sumof the counters, and those simulation never reach the halting state. Hence the machine does nothalt.

45

Chapter 5

Efficient algorithms for timedautomata

Our region-based algorithm for emptiness/reachability testing is not very efficient: while region-equivalence indeed reduces the problem from reachability in an infinite-state automaton to reacha-bility in a finite-state one, it splits the state space in numerous very small pieces. In a sense, thisamounts to computing the set of reachable (or co-reachable) valuations in each state as a union alarge number of very small pieces. It would be wiser to try to represent those valuations as theunion of a small number of large sets. This is what we aim at in this section.

5.1 Reachability algorithms

There are two families of techniques for deciding reachability of some state from some other state:

• forward algorithms depart from the source states and iteratively compute what can be reachedfrom there, either until it converges or until it intersects with the set of target states. Sincewe deal with infinite-state automata, neiher of the two conditions is guaranteed to happen;

• symmetrically, backward algorithms start from the target states and iteratively compute theset of states from which a target state can be reached. The procedure stops when the set ofstates computed intersects with the set of source states, or when a fixpoint is reached (whichwe prove can always happen).

Again, both approaches could be implemented using regions, but regions are too refined inpractice, and it would be desirable to be able to handle several regions at the same time. We developother data-structures to keep track of that state space more efficiently.

5.2 Zones and DBMs

5.2.1 Zones

As we already observed when working with regions, the sets of valuations we want to keep trackof can be defined as (unions of) convex polyhedras of simple shapes, defined as intersections of

46

I

G

I

G

I

G G

I

I

G

I

G

I

G

I

G

I

G

Figure 5.1: Forward and backward procedures

equations of the form c ∼ n and c− c′ ∼ n, with ∼ ∈ <,≤,=,≥, > and n ∈ Z.

Definition 36. Let X be a set of n clocks. The set of general clock constraints over X is definedas

G(X ) 3 g ::= c ∼ n | c− c′ ∼ n | g ∧ gwhere c and c′ range over X , ∼ ∈ <,≤,=,≥, > and n ∈ Z.

A zone is a set of valuations that can be defined as the set of solutions of a general clockconstraint.

In order to implement our forward and backward algorithms, we need to be able to computesuccessors and predecessors of zones for delay and action transitions of timed automata. Moreprecisely, we use the following set of operations:

• delay successors and predecessors of a zone: for a zone Z, we let

−→Z = v′ : X → R≥0 | ∃v ∈ Z. ∃t ∈ R≥0. v′ = v + t←−Z = v : X → R≥0 | ∃t ∈ R≥0. v + t ∈ Z.

• intersection of zones: we will need to intersect computed zones with guards and invariants,which are defined as zones:

Z ∩ Z ′ = v : X → R≥0 | v ∈ Z and v ∈ Z ′.

• handling clock resets: for our forward algorithm, we will need to resets clocks when taking atransition. For a set R ⊆ X , we let

Z[R ↓] = v′ : X → R≥0 | ∃v ∈ Z. v′ = v[R := 0].

For our backward algorithm, we need to perform the inverse operation: for R ⊆ X , we let

Z[R ↑] = v : X → R≥0 | v[R := 0] ∈ Z.

As we explain in the next section, those operations are not difficult to implement. See Fig. 5.2 forintuitions. Using these atomic operations, we can define the successors and predecessors of a zoneby (unbounded) delay and action transitions:

47

Z

Postδ(Z)

c2

c1

Z

Preδ(Z)

c2

c1

Z

Z[x ↓]

c2

c1

Z

Z[x ↑]

c2

c1

Figure 5.2: Operations on zones

• for delay transitions, we let

Postδ(Z) =−→Z Preδ(Z) =

←−Z

• for a transition t of a timed automaton, we let

Postt(Z) = (Z ∩ guard(t))[reset(t) ↓]Pret(Z) = (Z ∩ [reset(t) = 0])[reset(t) ↑] ∩ guard(t)

It is not hard to check that Postδ(Z) is the set of valuations that can be reached from somevaluation in Z by letting time elapse; similarly, Preδ(Z) is the set of valuations from which Zcan be reached by letting some time elapse. Notice that Postδ and Preδ are idempotent (that is,Postδ(Postδ(Z)) = Postδ(Z)).

Regarding Postt and Pret, it is easily checked that Postt(Z) is the set of all valuations that canbe reached from some valuation in Z by applying transition t (without any prior delay). The setPret(Z) corresponds to all valuations from which Z can be reached by applying transition t: indeed,the latter valuations have to satisfy the guard of t, and to yield a valuation in Z when the clocksreset by t are set to zero; this exactly corresponds to the definition of Pret(Z).

Using Postδ and Postt, we can build the (concrete) zone graph of any given timed automaton.Since there are infinitely many zones, this automaton is infinite.

5.2.2 Representation and operations on zones using DBM

I DBM and their canonical form

Difference-bound matrices (DBM for short) are a convenient and powerful data structure for han-dling zones. Consider a set X of n clocks, and number its clocks from c1 to cn: a DBM over X is asquare matrix of size (n+ 1)× (n+ 1), where the entry in cell (i, j) (i.e., row i and line j, numberedfrom 0 to n) indicates a constraint on the difference cj − ci, seeing c0 as a special symbol not in X ,and extending any valuation v : X → R≥0 with v(c0) = 0. In order to represent zones as DBM,it suffices to take entries in +∞∪ (Z× <,≤). We equip this set with a total-order relation v,defined as:

• (z,≺) v +∞ for any (z,≺) ∈ Z× <,≤;

• (z,<) v (z,≤) for all z ∈ Z;

48

• (z,≺) v (z′,≺′) if z < z′.

As an example, the zone Z in the leftmost example of Fig. 5.2 can be represented as

c0 c1 c2

c0 (0,≤) (−1,≤) (−1,≤)

c1 (3,≤) (0,≤) (2,≤)

c2 (3,≤) (1,≤) (0,≤)

1 ≤ c1 ≤ 3

1 ≤ c2 ≤ 3−1 ≤ c1 − c2 ≤ 2

Z

c2

c1

It is clear enough that any zone can be represented as a DBM, and that any DBM representsa (possibly empty) zone. Notice that diagonal entries relate to the difference between a clock anditself, and will thus usually be (0,≤). Setting a diagonal entry to (−1,≤) or (0, <) would correspondto the empty zone, since this constraint cannot be satisfied.

Now, consider this other DBM:

c0 c1 c2

c0 (0,≤) (−1,≤) (−1,≤)

c1 (3,≤) (0,≤) (3,≤)

c2 (3,≤) (1,≤) (0,≤)

1 ≤ c1 ≤ 3

1 ≤ c2 ≤ 3−1 ≤ c1 − c2 ≤ 3

Z

c2

c1

The only change is that the constraint c1 − c2 ≤ 2 has been replaced with constraint c1 − c2 ≤ 3.Notice that, since c1 ≤ 3 and c2 ≥ 1, we immediately have c1 − c2 ≤ 2, so that the modifiedconstraint c1 − c2 ≤ 3 is useless. Actually, constraint c1 − c2 ≤ 2 in the first DBM was also useless,but it was in a sense the less useless one: any stronger constraint would not represent the samezone. Such constraints are said tight.

As we explain below, it will be useful to consider DBM where all entries are tight. We tacklethis question by considering an alternative representation of DBM (and zones) as a weighted graph,whose vertices are the clocks (incliding c0 and for each ci and cj , the edge between ci and cj islabelled with the corresponding constraints in the DBM. With the second DBM above, we associatethe weighted graph of Fig. 5.3. Since in our representation, the label of an edge from some vertex cito some other vertex cj represents an upper-bound constraint on the difference cj − ci, the sum ofthe labels seen along a path from some vertex ck to some vertex cl will also be an upper-boundconstraint on the difference cl − ck. The sum we consider here is the usual sum over Z for the firstcomponent, and it return < on the second component if at least one of the operand contains <(and it returns ≤ otherwise). Finally, +∞+ d = +∞ for any d ∈ +∞ ∪ (Z× <,≤).

In graph of Fig. 5.3, there are two simple paths from c2 to c1: a direct one, labelled with (3,≤),and one going through c0, using two edges labelled with (−1,≤) and (3,≤). The latter path inducesa constraint (2,≤) on the difference c1 − c2, which is tighter than the constraint (4,≤). We canthus relabel the transition from c2 to c1 with the tighter constraint, without changing the lengthsof the shortest paths between any pair of nodes. Two cases may then arise:

• either the graph contains negative cycles, corresponding to empty zones (since a negativecycle would correspond to a constraint of the form ci − ci ≤ n for some negative n);

49

c0

c1c2

(0,≤)

(0,≤)(0,≤)

(3,≤)

(3,≤) (−1,≤)

(1,≤)

(−1,≤)

(3,≤)

Figure 5.3: The weighted graph associated with our second DBM

• or the graph has no negative cycles, and the procedure above terminates. When this is thecase, each edge is labelled with the shortest length between its source and target nodes,which corresponds to the tightest constaint for the corresponding clock difference. Hence anynon-empty zone has a unique DBM in reduced form (which we thus also call canonical form).

Notice that computing the reduced form requires applying an all-pair shortest-path algorithm suchas Floyd-Warshall, which runs in O(n3) (and can detect negative cycles). In case a DBM containsa negative cycle (thereby corresponding to the empty zone), we fix a unique representative, e.g.having (0,≤) in every cell except for the first cell (c0, c0), where it contains (−1,≤).

In the sequel, we will always manipulate DBM in normal form: even though it has a cost,it makes it much easier to compare zones and test their emptiness.

I Operations on DBM

We now briefly explain how to implement basic operations for zones on their DBM representations.Given the relatively high complexity of turning a DBM in normal form, we always try to directlyget the resulting DBM in normal form.

Turning a zone into canonical form. As we explained above, this is performed by applyingFloyd-Warshall algorithm, which iteratively computes shortest paths from ci to cj involving onlyvertices c1 to ck:

50

1 function reduce(dbm &D)

2

3 for (k=0; k<=D.size; k++)

4 for (i=0; i<=D.size; i++)

5 for (j=0; j<=D.size; j++)

6 D[i,j] = min D[i,j], D[i,k]+D[k,j];

7 if (i==j && D[i,j]<0)

8 D = empty-dbm;

9 return 0;

10 return 0;

11

Checking emptiness of a zone. As explained above, emptiness is checked when normalizingthe DBM. There is a unique representative for the empty zone, so that the emptiness test is trivial.

Checking inclusion of a zone in another one. Again thanks to the normal form, zone inclusioncan be checked easily: the zone represented by D is included in the zone represented by D′ if, andonly if, Di,j v D′i,j for all i, j.

Computing the delay successor of a zone. Computing the delay successor of a (non-empty)zone represented by a (canonical) DBM D amount to dropping all constraints imposing an upperbound on the values of clocks: in other terms, it can be implemented by replacing all constraintsci − c0 ≤ D0,i with the trivial constraint ci − c0 < +∞. If the original DBM is the empty DBM,we leave it as is.

It is not hard to check that the resulting DBM is already in canonical form (provided that theoriginal DBM was). Indeed, in the graph associated with the DBM, we replaced the weights of alltransitions leaving vertex c0 (except for the self-loop) with +∞. These new values will not helpimproving shortest paths between any two vertices; on the other hand, the shortest path from c0to any other vertex will necessarily begin with a transition labelled +∞, so that there is no hopeof improving it.

1 function delay(dbm &D)

2


4 D[0,i] = infinity;

5 return 0;

6

Computing the delay predecessor of a zone. This operation is similar to the previous one:it consists in replacing lower-bound constraints on single clocks (i.e., entries Di,0) with (0,≤),thereby replacing constraints of the form c0 − ci ≺ d with c0 − ci ≤ 0 (i.e., the trivial conditionci ≥ 0).

This transformation may not return a DBM in reduced form: if the original DBM contains aconstraint ci − cj ≤ −d (for some positive d), then we must have cj ≥ d (because ci ≥ 0). ThusDj,0 should be at most (−d,≤), while we set it to (0,≤).

51

(0,≤) (−4,≤) (−1,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

Postδ

(0,≤) (−4,≤) (−1,≤)(+∞,≤) (0,≤) (6,≤)(+∞,≤) (−1,≤) (0,≤)

no normalization needed

Figure 5.4: Computing delay successors using DBM

In order to get a reduced DBM, we proceed as follows: we replace all Di,0 with (0,≤); noticethat the original value of Di,0 was necessarily smaller than or equal to (0,≤). Hence we certainlywill not create new shortest paths by increasing this value. The only point to check is whetherwe should set Di,0 to a smaller value (between he original Di,0 and (0,≤)): this is the case if thereis a better path from ci to c0 via some node cj ; the best paths from ci to cj and from cj to c0 arethe direct paths (since D is in reduced form). In the end, the new value of Di,0 will be the smallestvalue in the set (0,≤) ∪ Di,j | 1 ≤ j ≤ n (because D[j, 0] = 0 for all j). Computing the delaypredecessor of a zone in reduced form thus runs in O(n2).

1 function inv-delay(dbm &D)

2


4 D[i,0] = (0,≤);5 for (j=0; j<=D.size; j++)

6 if (D[i,j] @ D[i,0])

7 D[i,0] = D[i,j];

8 return 0;

9

(0,≤) (−4,≤) (−1,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

Preδ

(0,≤) (0,≤) (0,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

norm.

(0,≤) (−1,≤) (0,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

Figure 5.5: Computing delay predecessors using DBM

52

Intersecting a zone with a clock constraint. Here we want to add a single constraint xi−xj d to a zone. In case Dj,i v (d,), then the new constraint is already fulfilled by all valuations inthe zone, and the DBM is unchanged. Conversely, if Di,j + (d,) A (0,≤), then the intersectionis empty. In the other cases, we replace Dj,i with (d,). This in general does not give a DBMin reduced form: it has to be normalized using the Floyd-Warshall algorithm. Since we departedfrom a canonical DBM and only modified one edge, this algorithm can be made to run in O(n2):indeed, the algorithm is not sensitive to the order with which the vertices are updated: we maythen decide to handle vertices i and j last; in that case, the first n−1 iterations of the outer loop ofthe Floyd-Warshall algorithm will have no effect, and we only have to run the last two iterations.

1 function intersect(dbm &D, c[j]-c[i]d)2

3 if (D[j,i] + (d,) @ (0,≤))4 D = empty-dbm;

5 else if ((d,) @ (0,≤))6 D[i,j] = (d,);7 for (k in i,j)

8 for (l=0; l<=D.size; l++)

9 for (m=0; m<=D.size; m++)

10 D[l,m] = min (D[l,m], D[l,k] + D[k,m]);

11 return 0;

12

c1 − c2 ≤ 4 (0,≤) (−4,≤) (−1,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

inters.

(0,≤) (−4,≤) (−1,≤)(8,≤) (0,≤) (4,≤)(3,≤) (−1,≤) (0,≤)

norm.

(0,≤) (−1,≤) (0,≤)(7,≤) (0,≤) (4,≤)(3,≤) (−1,≤) (0,≤)

Figure 5.6: Adding a constraint to a DBM

Resetting a clock in a zone. Resetting clock ci to some integer d amounts to setting Di,0 =(−d,≤) and D0,i = (d,≤), and relaxing the diagonal constraints involving this clock. The resultingDBM need not be in normal form, and we have to normalize it (e.g. using the O(n2) algorithm asabove).

A faster algorithm can be obtained by noticing that when resetting ci, the constraints betweenany other two clocks (including c0) cannot be improved: indeed, the edges between c0 and ci mayhave been shortened, but they cannot be used to shorten other paths since they can only reachedby taking an edge between some cj and ci, whose length has been set to +∞.

53

Hence normalization only amounts to computing new constraints involving ci, which can beperformed in time O(n) using the new values in Di,0 and D0,i.

1 function reset(dbm &D, c[i]:=d)

2


4 D[j,i] = D[j,0] + (d,≤);5 D[i,j] = (-d,≤) + D[0,j];

6 return 0;

7

(0,≤) (−4,≤) (−1,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

c1 := 2

(0,≤) (−2,≤) (−1,≤)(2,≤) (0,≤) (+∞,≤)(3,≤) (+∞,≤) (0,≤)

norm.

(0,≤) (−2,≤) (−1,≤)(2,≤) (0,≤) (1,≤)(3,≤) (1,≤) (0,≤)

Figure 5.7: Resetting a clock (here c1 := 2) in a DBM

Un-constraining a clock in a zone. Un-constraining consists in removing all constraints on aclock; this almost corresponds to un-resetting a clock, except that un-resetting would first intersectwith a constraint ci = d.

The algorithm here is very similar to the one for resetting: we set Di,0 = (0,≤) and D0,i = +∞,and relax the diagonal constraints involving ci. Now, since there are no constraints on ci, we havecj − ci ≤ cj , meaning that we can set Di,j to D0,j . All other constraints are left unchanged, andthe resulting DBM is in normal form.

1 function free(dbm &D, c[i])

2


4 if (j!=i)

5 D[i,j] = D[0,j];

6 D[j,i] = infinity;

7 return 0;

8

54

(0,≤) (−4,≤) (−1,≤)(8,≤) (0,≤) (6,≤)(3,≤) (−1,≤) (0,≤)

free(c2)

(0,≤) (−4,≤) (0,≤)(8,≤) (0,≤) (+∞,≤)

(+∞,≤) (+∞,≤) (0,≤)

norm.

(0,≤) (−4,≤) (0,≤)(8,≤) (0,≤) (8,≤)

(+∞,≤) (+∞,≤) (0,≤)

Figure 5.8: Unconstraining a clock (here c2) in a DBM

5.2.3 Backward algorithm

We are now ready to implement the zone-based reachability algorithm. As already announced,two versions are possible: either we depart from the target states and compute backward until afixpoint (or the initial state) is reached, or we depart from the initial state and compute forward.We handle the former algorithm in this section.

The algorithm is a classical fixpoint algorithm: it starts with B0 = (`, v) | ` ∈ F, v |= inv(s),and iteratively compute

B2i+1 = B2i ∪ (`, Z) | ∃(`′, Z ′) ∈ B2i. ∃t ∈ T. src(t) = ` and tgt(t) = `′ and Z = Pret(Z′)

B2i+2 = B2i+1 ∪ (`, Z) | ∃(`, Z ′) ∈ B2i+1. Z = Preδ(Z′).

By definition of Pret and Preδ, from any configuration (`, v) in any zone (`, Z) of Bj , there isan execution (of length at most j) to B0.

It remains to prove that the computation terminates: for this, we prove that Pret and Preδ,if applied to unions of regions (with maximal constants M), always return unions of regions (with thesame maximal constants). The number of regions being finite, and since B0 is a finite union ofregions, we get termination.

Lemma 37. If Z is a finite union of regions with maximal constants M, then so are Pret(Z)and Preδ(Z), and any transition t (compatible with M).

Proof. Pick a finite union of regions Z =⋃

1≤i≤pRi for a vector of maximal constants M. ThenPreδ(Z) =

⋃1≤i≤p Preδ(Ri). Each Preδ(Ri) is a finite union of regions, which concludes this part

of the proof.Now, for any clock constraint g whose integer constants agree with M, the zone Z ∩ g is the

finite union of regions Ri ∩ g, whose constants agree with M. In particular, Z ∩ [reset(t) = 0]is a finite union of regions, and so is (Z ∩ [reset(t) = 0])[reset(t) ↑], and finally so is the zonePret(Z) = (Z ∩ [reset(t) = 0])[reset(t) ↑] ∩ guard(t).

While it is very simple conceptually, this approach unfortunately is not very efficient in practice:while it can deal with zones very efficiently, it is not well-suited for dealing with the discrete state-space. While in the untimed case, efficient symbolic data-structures can be used to deal with

55

y = 1y := 0 F1

F0

F3

F2

F5

F4

F7

F6

F9

F8

x

y

Figure 5.9: A timed automaton for which the forward algorithm does not terminate.

large discrete state spaces, our algorithms handle the discrete state space explicitly. This canbe illustrated as follows: consider a configuration of a chess game, and a transition consisting inmoving a knight in some direction; while the forward application of this transition is deterministic,the backward application of the same transition has to list all possible adversary pieces that mayhave been captured by that move.

5.2.4 Forward algorithm

We now turn to the forward algorithm: it follows the same ideas, setting F0 = (`,0) | ` ∈ S0, and

F2i+1 = F2i ∪ (`, Z) | ∃(`, Z ′) ∈ F2i. Z = Postδ(Z′)

F2i+2 = F2i+1 ∪ (`, Z) | ∃(`′, Z ′) ∈ F2i+1. ∃t ∈ T. src(t) = ` and tgt(t) = `′ and Z = Postt(Z′).

Again, correctness is straightforward: any configuration in Fj is reachable from some initialconfiguration in F0. However, as illustrated on Fig. 5.9, the computation may fail to terminate,because new constants that can be made arbitrarily large appear in the DBM.

This example illustrates the fact that the exact computation of the reachable state space cannotbe finitely represented with zones. In order to circumvent this problem, we will not perform theexact computation, but instead apply an abstraction operator, which groups together several zones,with the double aim of reducing to finitely many zones and being compatible with reachability.

Formally, following the exact computation above, we begin with defining the concrete zonegraph G associated with a timed automaton T : its set of states is the set of pairs (`, Z), where Z isa zone. It has transitions from (`, Z) to (`′, Z ′), denoted (`, Z)→ (`′, Z ′), if either

• either ` = `′ and Z ′ = Postδ(Z),

• or there is a transition t such that ` = src(t), `′ = tgt(t), and Z ′ = Postt(Z).

As we saw above, even the reachable part of this graph can be infinite. To cope with this, we in-troduce abstractions: an abstraction is a mapping a : P(RX≥0) → P(RX≥0), associating with eachset of valuations another set of valuations, and such that W ⊆ a(W ) and a(a(W )) = a(W ) forany W ⊆ RX≥0. In the current setting, we are only looking for abstractions that are defined on anyzone, and that maps zones to zones.

Fix such an abstraction function a. We can use it to define an abstract zone graph: its state spaceis the same as for the concrete zone graph (but only a finite number of states will be reachable);there is a transition from (`, Z) to (`′, Z ′) in this new graph whenever Z = a(Z) and there is azone Z ′′ such that (`, Z)→ (`′, Z ′′) in the concrete zone graph, and Z ′ = a(Z ′′).

For our purposes, we are looking for abstractions such that

56

1. the image of a is finite;

2. a can be effectively (and efficiently) computed;

3. reachability can be decided on the abstract zone graph: this can be expressed as requiringthat the abstraction is

• sound : if a state (`, Z) is reachable in the abstract zone graph, then a configuration (`, v)with v ∈ Z must be reachable in the timed automaton;

• complete: if a configuration (`, v) is reachable in the timed automaton, then there mustbe a zone Z containing v such that (`, Z) be reachable in the abstract zone graph.

Any abstraction meeting those three properties can be used in our forward algorithm: Property (1)ensures termination (only finitely many zones are reachable), Property (3) implies correctness, andProperty (2) yields practicability.

Several candidate abstractions have been proposed in the literature. The most basic one is theso-called k-extrapolation: it maps a zone Z to the smallest zone Z ′ containing Z and definable withinteger constants in [−k; k]. Notice that such a zone always exists. Then:

1. k-extrapolation has finite image, since there are only finitely many zones involving integerconstants in [−k; k].

2. computing the extrapolation of a zone can be performed on its associated DBM by replacingentries larger than (k,≤) with +∞, and entries less than (−k,≤) with (−k,≤). This does notpreserve the reduced form of the DBM, and the resulting DBM has to be turned in canonicalform using the Floyd-Warshall algorithm.

3. since k-extrapolation always returns a zone containing its input zone, the zone obtained atstep i of our algorithm with k-extrapolation contains the zone obtained at step i of ournon-abstracted algorithm. This entails completeness.

In order to prove soundness, we have to make explicit the choice of k: we set k to the maximalconstant M appearing in the timed automaton (we could equivalently use a vector M ofmaximal constants as we did for defining regions). Soudness can then be proven by provingthat the k-extrapolation of any zone Z is included in the union of all regions intersecting Z.We refer to [Bou04] for detailed proofs.

Remark 5. As shown in [Bou04], the approach presented above does not apply to timed automatawith diagonal constraints. Indeed, consider the timed automaton of Fig. 5.10: it can be checked thatafter taking n times the loop on state s2, the set of valuations that can be reached while in s5 is thezone defined by the following zone:

a ≥ 0∧ b ≥ 1∧ c ≥ 2n+ 5∧ d ≥ 2n+ 6 ∧ d− c ∈ [1; 3] ∧ c− a = 2n+ 5∧ d− b = 2n+ 5.

Notice that the last two equalities entail b− a = d− c, so that state s6 cannot be reached. However,any abstraction that would lose track of the equality between c − a and d − b would declare s6reachable; in particular, no abstractions of zones having finite image will yield a sound forwardalgorithm.

The forward algorithm for checking reachability can then be written as follows:

57

s0 s1 s2

s′2

s3 s4 s5 s6c ≤ 3

a, c := 0

b = 3

b := 0

a = 2

a := 0

b = 2

b := 0

a = 3

a := 0

b− a > 2

d− c < 2

a = 2

a := 0

b = 2

b := 0

Figure 5.10: k-extrapolation is not sound in presence of diagonal constraints

1 function reachable(automaton A, transition t)

2

3 passed:=∅;4 waiting:=(s0, D0);

5 repeat

6 extract (s,D) from waiting;

7 if (s=src(t) && D∩ guard(t)6= ∅)8 return YES;

9 if (for all (s’,D’) in passed, D 6⊆ D’)

10 for each transition r from s

11 add (tgt(r),approx(Post(D,r))) to waiting;

12 add (s,D) to passed;

13 until waiting is empty

14 return NO;

15

58

Chapter 6

Parameterized extensions of timedautomata

6.1 Extending timed automata with parameters

In this section, we consider timed automata in which clock constraints may involve parame-ters [AHV93]. The natural problems in this setting can be formulated as follows: do there ex-ist values for the parameters under which the timed automaton satisfies some given property (e.g.reachability of some target transition)?

We begin with formalizing this setting. Compared to plain timed automata, the main changelies in clock constraints: they are now extended to allow comparison of clocks with parameters.Formally, a parametric clock constraint is defined using the following grammar:

C(X ,P) 3 g ::= c ∼ n | c ∼ p | g ∧ g

where c ranges over X , n ranges over Z, p ranges over P, and ∼ ranges over <,≤,=,≥, >.

Definition 38. A parametric timed automaton is a tuple Q = 〈A,X ,P, inv, guard, reset〉 whereA = 〈S, S0, T, src, tgt, lab, A〉 is a finite-state automaton, X is a finite set of clocks, P is a finiteset of parameters, inv : S → C(X ,P) defines the state invariants, guard : T → C(X ,P) defines theguards of transitions, and reset : T → 2X indicates which clocks are reset along transitions.

Given a parametric timed automaton Q = 〈A,X ,P, inv, guard, reset〉 and a valuation ν : P → R

of its parameters, we (abusively) write ν(Q) for the timed automaton obtained by replacing eachoccurrence of a parameter in he clock constraints of Q with its value in ν. It is easily observed thatν(Q) is a plain timed automaton, whose semantics is now as defined in Section 2.1.

In this setting, reachability is undecidable, as we now prove:

Theorem 39. Given a parametric timed automaton Q, the existence of a parameter valuation νfor which the language accepted by ν(Q) is non-empty is undecidable.

Proof. Several proofs of this result exist in the literature, with various limitations on the numberof clocks and parameters. However, some of the proofs use richer clock constraints, so the differentresults are not always easily comparable.

59

si sjt = 0 x1 = M − 1

x1 := 0

t = M

t := 0

x2 = M ;x2 := 0 x2 = M ;x2 := 0

Figure 6.1: A module implementing instruction li: c1++; goto lj

t = M

x1 := 0

t = M+1 ∧x1 = 1

x1 := 0; t := 0

Figure 6.2: A module checking that M+1 = M + 1

The proof is by a reduction from the halting problem for a two-counter machine. Our parametrictimed automaton uses three clocks x1, x2 and t. The encoding is straightforward: the values ofcounters c1 and c2 are stored directly in clocks x1 and x2.

The main idea is as follows: assuming that we know the maximal value M that the countersmay take, we can implement incrementation by the module depicted on Fig. 6.1 (where M is themaximal value of the counters): the total duration to traverse this module is M , which inreasesall clocks by M ; the reset of clock x1 amounts to decreasing x1 by M − 1, so that globally thismodule increments x1 by 1; similarly, the global effect of this module on x2 (and t) is null. As longas x2 ≤ M and x1 ≤ M − 1, this preserves the value of x2 and increments the value of x1. Noticethat if x1 > M − 1 when entering this module, the automaton ends up in a deadlock.

Similarly, decrementations and zero-tests are easily encoded, and the resulting modules can beassembled into a parametric timed automaton Q, following the structure of the two-counter machinewe are encoding.

Then:

• assume that the two-counter machine has an accepting run ρ, and let m be an integer largerthan the values of the counter along ρ. Then the run ρ can me mimicked in the timedautomaton ν(Q), where ν(M) = m.

• assume that for some parameter valuation ν, the halting state is reachable in ν(Q). First,this implies that the value of x1 and x2 never exceed M in any of the states si (otherwise theautomaton would reach a deadlock, contradicting the fact that it reaches the halting state).It is easily shown that, as long as this is the case, any run in ν(Q) corresponds to a valid runof the two-counter machine. The run reaching the halting state in ν(Q) then corresponds toa halting run in the two-counter machine, which concludes our proof.

The proof above uses three clocks and a single parameter M , but it also uses parametric clockconstraints of the form x ∼M − 1, which are not allowed in our definition. One solution to this isto add two extra parameters M−1 and M+1, intended to have value M − 1 and M + 1, respectively.This can be checked by adding an initial module enforcing these constraints (see Fig. 6.2).

As another workaround [BBLS15], we can use the module of Fig. 6.3 (and a similar modulefor decrement) in order to only have comparisons to M . In this module, the total time elapsedis M + 1, and clock x2 is reset twice in order to decrease its value by the same amount.

60

si sjt = 1

t := 0

x1 = Mx1 := 0

x2 = Mx2 := 0

x2 = M

x2 := 0

x2 = 1

x1 := 0

x2 = 1x2 := 0

x1 = Mx1 := 0

t = M

t := 0

Figure 6.3: A refined module implementing instruction li: c1++; goto lj

We now exhibit a simple setting where the parameterized reachability problem is decidable.

Definition 40 ([HRSV02]). A L/U parametric timed automaton is a parametric timed automatonwhose set of parameters can be partitioned into

• lower-bound parameters: those parameters can only be used as lower bounds in clock con-straints;

• upper-bound parameters: those parameters can only be used as upper bounds in clock con-straints.

In other terms, in L/U parametric timed automata, the set of parametric clock constraintsfollows the following grammar:

C(X ,L,U) 3 g ::= c ∼ n | l c | c u | g ∧ g

where P = L ] U , and c ranges over X , n ranges over Z, l ranges over L, u ranges over U , and∼ ranges over <,≤,=,≥, > and ranges over <,≤.

Take a L/U parametric timed automaton Q, and two valuations ν and µ. We write µ v ν todenote the fact that µ(l) ≤ ν(l) for all l ∈ L, and µ(u) ≥ ν(u) for any u ∈ U . It is easily observedthat L(ν(Q)) ⊆ L(µ(Q)) whenever µ v ν, since any run in ν(Q) also exists in ν±1(Q). In particular,consider the parameter valuation ω that maps any l ∈ L to −∞ and any u ∈ U to +∞. Then ω v νfor any valuation ν of the parameters. Hence if L(ν(Q)) is non-empty for some valuation ν, thenalso L(ω(Q)) is non-empty. Additionally, ω(Q) is a plain timed automaton, for which reachabilitycan be checked. Hence:

Theorem 41. Given a L/U parametric timed automaton Q, the existence of a parameter valua-tion ν for which the language accepted by ν(Q) is non-empty is PSPACE-complete.

6.2 Parametric-size networks of timed automata

We turn to another kind of parametric extension of timed automata, which we call parameterizednetworks of timed automata. Given the difficulty of verifying parameterized networks in the untimed

61

case, and the difficulty of handling parameterized timed automata (See Section 6.1), we only considera very restricted setting, for which we will prove that reachability is decidable. We begin withintroducing the formalism.

The model we consider is that of timed networks [AJ03]. A timed network is made of onecentral controller, and arbitrarily many processes (which can be seen as a kind of one-clock timedautomata). As for classical timed automata, there will be two kinds of transitions: delay transitionsin which all clocks will advance, and action transitions where a rule will be applied to update thestates of some processes and/or of the controller.

Definition 42. A timed network is a tuple N = 〈C,Q,R〉 where C and Q are the finite sets ofstates of the controller and of the processes, respectively, and R is a finite set of rules in C2× (Q×C(c)× 0, 1 ×Q)+.

A configuration of a timed network is defined as a tuple γ = 〈c, n, q, v〉 where c ∈ C is the stateof the controller, n ∈ N≥0 is the (fixed) number of processes in the configuration, q : [1;n] → Q isthe list of states of the n processes, and v : [1;n]→ R≥0 is the valuation of the single clock of eachprocess.

There is a transition from configuration γ = 〈c, n, q, v〉 to configuration γ′ = 〈c′, n′, q′, v′〉 ifn = n′ and one of the following two conditions holds:

• c′ = c, q′ = q, and there exists d ∈ R≥0 such that v′ = v + d; this is a delay transition, alongwhich all clocks are incremented by the same delay d. We denote such transitions as γ →d γ′;

• there exists a rule µ = (c, c′, (qi, gi, ri, q′i)1≤i≤k) in R, and an injective mapping κ : [1; k] →

[1;n] (hence k ≤ n), such that

– q(κ(i)) = qi for all i ∈ [1; k];

– v(κ(i)) |= gi for all i ∈ [1; k];

– q′(κ(i)) = q′i for all i ∈ [1; k];

– v′(κ(i)) = v(κ(i)) if ri = 0, and v′(κ(i)) = 0 if ri = 1, for all i ∈ [1; k];

– q′(j) = q(j) for all j ∈ [1;n] \ κ([1; k]);

– v′(j) = v(j) for all j ∈ [1;n] \ κ([1; k]).

We denote such transitions with γ →µ γ′.

Configurations and transitions as described above can be compiled into an infinite-state tran-sition system, which corresponds to the infinite-state transition system associated with a timedautomaton. Notice that we could also build an intermediary infinite-state timed automaton, in-volving infinitely many clocks.

Example 5. We illustrate timed networks with the classical example of Fischer’s mutual exclusionprotocol. A timed-automaton model of this protocol is depicted on Fig. 6.4. It has one clock, anda common variable is shared among all the participating processes. The rough idea of this protocolis that when a process wants to gain access to the critical section, it will request access by writingits identity in a shared variable, and wait a small amount of time in order to check that no otherprocesses are trying to access the resource simultaneously. This is a classical example in timedautomata, and its correctness (i.e., the property that no two processes will be in their crit statessimultenously) has been proved for several fixed numbers of processes.

62

si0 si1 si2 critivar = ⊥xi := 0 var := i

xi < 1

xi := 0

xi > 1var = i

var 6= i

var := ⊥

Figure 6.4: A timed-automaton model of Fischer’s mutual exclusion protocol

Processes in timed networks are anoymous, and cannot use their identity when communicatingwith the other processes. We circumvent this problem by duplicating the number of states of eachprocess: besides s0, s1, s2 and crit (notice that we do not mention the identity of the processanymore), each process also has states s0, s1, s2 and ˆcrit, which indicate that the shared variablestores their own identity. The rules of the process will make ensure that at most one process is inany of these extra states. It is then easy to encode tests of the form var = i and var 6= i. In orderto encode tests of the form var = −1, we use the central controller, which has two states ⊥ and >,respectively indicating that the shared variable has value ⊥ or that it contains the identity of someprocess. Following this informal explanation, we can derive the set of rules of our timed process:

(⊥,⊥), 〈(s0, true, 1, s1)〉(⊥,>), 〈(s1, x < 1, 1, s2)〉(>,>), 〈(s1, x < 1, 0, s2), (s, true, 0, s)〉 (one such rule for each s ∈ s0, s1, s2, crit)(>,>), 〈(s1, x < 1, 1, s2)〉(>,>), 〈(s2, x > 1, 0, ˆcrit)〉(>,>), 〈(s2, true, 0, s0)〉(⊥,⊥), 〈(s2, true, 0, s0)〉(>,⊥), 〈( ˆcrit, true, 0, s0)〉(>,⊥), 〈(crit, true, 0, s0), (s, true, 0, s)〉 (one such rule for each s ∈ s0, s1, s2, crit)(⊥,⊥), 〈(crit, true, 0, s0)〉

This can be checked to correctly model the behaviour of a network of processes running the Fischerprotocol.

Now, let c0 and q0 be the initial states of the controller and of all the processes. This defines aset of initial configurations

Γ0 = (c, n, q, v) | n ∈ N≥0, c = c0, q : i ∈ [1;n] 7→ q0, v : i ∈ [1;n] 7→ 0.

Let Γ be a set of configurations. The reachability problem we consider is to decide whether there isa sequence of configurations ρ = (γp)1≤p≤S such that γ0 ∈ Γ0, γS ∈ Γ, and for all 1 ≤ p ≤ S − 1,either γi →d γi+1 for some d ∈ R≥0, or γi →µ γi+1 for some rule µ. Such a problem is interestingonly in the case where Γ is infinite: indeed, since the number of processes is constant along arun, any γ = (c, n, q, v) in Γ can only be reached from (c0, n, q0, 0), so that deciding whether γ

63

is reachable can be performed by focusing on a finite part of the infinite-state timed automatonrepresenting the timed network. For a given state q ∈ Q, a typical example of a target set Γ is theset of all configurations which contain at least one occurrence of q.

In order to manipulate sets of configurations of a timed network N = 〈C,Q,R〉, we introduceconstraints. Fix a natural number M ∈ N. A constraint is a tuple φ = 〈d,m, s, k,v〉 such that

• d ∈ C;

• m is the number of processes concerned by φ;

• s : [1;m]→ Q associates a state with each process concerned by φ;

• k : [1;m]→ [0;M ] is intended to return the integral part of the clock of each process;

• v is a quasi-order over [1;m]∪⊥,>, intended to represent the order of the fractional parts.It must satisfy the following conditions:

– ⊥ is a minimal element of v, and > is a maximal element, and > 6v ⊥;

– for any j ∈ [1;m], if k(j) = M , then j ≡ > or j ≡ ⊥ (where j ≡ k means j v k andk v j);

– for any j ∈ [1;m], if j ≡ >, then k(j) = M .

Formally, a configuration γ = 〈c, n, q, v〉 belongs to φ = 〈d,m, s, k,v〉, denoted γ ∈ [[φ]], when c = d,and there is an injection λ : [1;m] → [1;n] such that, for all j1 and j2 in [1;m], the followingconditions are met:

• s(j1) = q(λ(j1)) for all j1 ∈ [1;m];

• k(j1) = minM, bv(λ(j1))c;

• j1 ≡ ⊥ if, and only if, v(λ(j1)) ≤M and 〈v(λ(j1))〉 = 0;

• j1 ≡ > if, and only if, v(λ(j1)) > M ;

• if j1 6≡ > and j2 6≡ >, then j1 v j2 if, and only if, 〈v(λ(j1))〉 ≤ 〈v(λ(j2))〉.

Example 6. Such constraints can be used to represent target configurations for the reachabilityproblem. For the example of the Fischer protocol, the objective is to never have two processessimultaneously visiting the crit state. That two processes simultaneously visit their crit state canbe represented as the union of finitely many constraints of the form 〈d, 2, 1 7→ crit, 2 7→ crit,k,v〉, where d ranges over C, k ranges over all functions from 1, 2 to 0, 1, and v ranges overall the quasi-order compatible with k.

The main use of constraints is to represent and compute the set of configurations from whichthese target configurations can be reached. This is achieved by computing the predecessors ofthe set of configurations represented by a given constraint. This includes predecessors by a delaytransition, and predecessors by an action transition. For a given constraint φ = 〈d,m, s, k,v〉,we define

pred(φ) = γ | ∃γ′ ∈ φ. ∃d ∈ R≥0. γ →d γ′prea(φ) = γ | ∃γ′ ∈ φ. ∃µ ∈ R. γ →µ γ′

These definitions extend to union of constraints, by letting pre(⋃i φi) =

⋃i pre(φi).

64

Proposition 43. Given a constraint φ′, the sets of configurations pred(φ′) and prea(φ′) can be

computed effectively, and represented as finite unions of constraints.

Proof. We sketch the main arguments of the proof, and refer to [AJ03] for more details.We begin with the case of action transitions. A first intermediary result is to prove that given

a constraint φ = 〈d,m, s, k,v〉, a configuration γ = 〈d, n, q, k〉 ∈ [[φ]] with a witness injectionfunction λ : [1;m]→ [1;n], an index j ∈ [1;m], and a clock constraint p(x) involving a single clockvariable x, it can be decided whether p(k(λ(j))) holds true based solely on k(j) and v. For this,it suffices to list all possible cases for p(x):

• if p(x) is of the form x < a with a ∈ [0;M ], then p(k(λ(j))) holds if, and only if, k(j) < a;

• if p(x) is of the form x ≤ a with a ∈ [0;M ], then p(k(λ(j))) holds if, and only if, k(j) < a ork(j) = a and j v ⊥;

• if p(x) is of the form x ≥ a with a ∈ [0;M ], then p(k(λ(j))) holds if, and only if, k(j) ≥ a;

• if p(x) is of the form x > a with a ∈ [0;M ], then p(k(λ(j))) holds if, and only if, k(j) > a, ork(j) = a and j 6v ⊥;

• if p(x) = p1(x)∧ p2(x), then p(k(λ(j))) holds if, and only if, both p1(k(λ(j))) and p2(k(λ(j))) do.

The set prea(φ′) is computed as the union, over the rules of the network, of the sets prera(φ′) ofpredecessors of φ′ by rule r. Fix such a rule (c, c′, (qi, gi, q

′i)1≤i≤k). We partition the set [1;m′] of

indices of φ′ into a set Ch of indices corresponding to states that are involved in r, and a set Unchof indices of states that are not involved.

Given a (union of) constraints φ, we define a sequence (φi)i∈N of constraints such that

φ0 = φ

φi+1 = φi ∪ pred(φi) ∪ prea(φi).

Notice that the sequence ([[φi]])i∈N is nondecreasing. It remains to prove that this sequence converges.To this aim, we define a relation on constraints, by letting φ φ′ if, and only if, [[φ′]] ⊆ [[φ]].

The relation is decidable, thanks to the following characterization:

Proposition 44. Let φ = 〈d,m, s, k,v〉 and φ′ = 〈d′,m′, s′, k′,v′〉 be two constraints. Then φ φ′if, and only if, d = d′ and there exists an injective mapping ν : [1;m]→ [1;m′] such that for all j1and j2 in [1;m], the following conditions hold:

• s′(ν(j1)) = s(j1);

• k′(ν(j1)) = k(j1);

• ν(j1) ≡′ ⊥ if, and only if, j1 ≡ ⊥;

• ν(j1) ≡′ > if, and only if, j1 ≡ >;

• ν(j1) v′ ν(j2) if, and only if, j1 v j2.

65

Proof. Assume that d = d′ and that all the conditions hold for some injection ν, and take aconfiguration 〈d, n, q, v〉 in [[φ′]]. Then there is an injection λ : [1;m′] → [1;n] such that, for any j′1and j′2 in [1;m′]:

• s′(j′1) = q(λ(j′1));

• k′(j′1) = minM, bv(λ(j′1))c;

• j′1 ≡′ ⊥ if, and only if, v(λ(j′1)) ≤M and 〈v(λ(j′1))〉 = 0;

• j′1 ≡′ > if, and only if, v(λ(j′1)) > M ;

• if j′1 6≡′ > and j2 6≡′ >, then j′1 v j′2 if, and only if, 〈v(λ(j′1))〉 ≤ 〈v(λ(j′2))〉.

Let κ = λ ν : [1;m] → [1;n]. We prove that it witnesses the fact that 〈d, n, q, v〉 in [[φ]]. Pick j1and j2 in [1;m]. Then:

• s(j1) = s′(ν(j1)) = q(λ(ν(j1)));

• k(j1) = k′(ν(j1)) = minM, bv(λ(ν(j1)))c;

• j1 ≡ ⊥ if, and only if, ν(j1) ≡′ ⊥, which in turn is equivalent to v(λ(ν(j1))) ≤ M and〈v(λ(ν(j1)))〉 = 0;

• similarly, j1 ≡ ⊥ if, and only if, v(λ(ν(j1))) > M ;

• finally, if j1 6≡ > and j2 6≡ >, then also ν(j1) 6≡ > an ν(j2) 6≡ >. In that case, j1 v j2 isequivalent to ν(j1) v′ ν(j2), which in turn is equivalent to 〈v(λ(ν(j1)))〉 ≤ 〈v(λ(ν(j2)))〉.

Conversely, assume that φ φ′. Then there are configurations of size m′ that belong to [[φ]],which implies that m ≤ m′.

Let γ = 〈d, n, q, v〉 ∈ [[φ′]] (the result being trivial if [[φ′]] were empty). Then γ ∈ [[φ]], and there aretwo injective mappings λ′ : [1;m′]→ [1;n] and λ[1;m]→ [1;n] witnessing those two containments.Then the injective mapping ν = (λ′)−1 λ is an injective mapping from [1;m] to [1;m′] satisfyingthe conditions of the proposition.

Additionally, relation enjoys the following property (whose proof can be found in [AJ03], anduses Higman’s Lemma):

Proposition 45. is a well-quasi-order (i.e., it is reflexive, transitive, and that in any infinitesequence (φi)i∈N, there exists indices i and j such that i < j and φi φj.

Now, assume that the sequence ([[φi]])i∈N does not converge. Then for each i > 0, [[φi]] ( [[φi−1]],and there must exist a constraint ψi such that [[ψi]] ⊆ [[φi]] and [[ψi]] 6⊆ [[φi−1]]. Since is a well-quasi-order, in the infinite sequence (ψi)i∈N we can find indices i and j such that i < j and ψi ψj .Hence [[ψj ]] ⊆ [[ψi]]. But since i < j, we have [[ψi]] ⊆ [[φj−1]], contradicting the fact that [[ψj ]] 6⊆ [[φj−1]].It follows from this contradiction that the sequence ([[φi]])i∈N converges.

In the end:

Theorem 46. Reachability for timed networks is decidable.

66

Bibliography

[AD94] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science,126(2):183–235, 1994.

[AHV93] R. Alur, T. A. Henzinger, and M. Y. Vardi. Parametric real-time reasoning. InSTOC’93, p. 592–601. ACM Press, 1993.

[AJ03] P. A. Abdulla and B. Jonsson. Model checking of systems with many identical timedprocesses. Theoretical Computer Science, 290(1):241–264, 2003.

[AM04] R. Alur and P. Madhusudan. Decision problems for timed automata: A survey. InSFM-RT’04, LNCS 3185, p. 1–24. Springer, 2004.

[BBLS15] N. Benes, P. Bezdek, K. G. Larsen, and J. Srba. Language emptiness of continuous-timeparametric timed automata. In ICALP’15, LNCS 9135, p. 69–81. Springer, 2015.

[Bou98] P. Bouyer. Automates temporises et modularite. Memoire de d.e.a., Lab. Specification& Verification, ENS Cachan, France, 1998.

[Bou04] P. Bouyer. Forward analysis of updatable timed automata. Formal Methods in SystemDesign, 24(3):281–320, 2004.

[Bry86] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Trans-actions on Computers, 35(8):677–691, 1986.

[BS91] J. A. Brzozowski and C.-J. H. Seger. Advances in asynchronous circuit theory part II:Bounded inertial delay models, MOS circuits, design techniques. EATCS Bulletin,43:199–263, 1991.

[CCG+02] A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Se-bastiani, and A. Tacchella. NuSMV2: An opensource tool for symbolic model checking.In CAV’02, LNCS 2404, p. 359–364. Springer, 2002.

[CE82] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletonsusing branching-time temporal logic. In LOP’81, LNCS 131, p. 52–71. Springer, 1982.

[CGP+02] A. Cimatti, E. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, and A. Tacchella.Integrating BDD-based and SAT-based symbolic model checking. In FroCoS’02, LNCS2309, p. 49–56. Springer, 2002.

67

http://dx.doi.org/10.1016/S0304-3975(01)00330-9

http://dx.doi.org/10.1016/S0304-3975(01)00330-9

http://dx.doi.org/10.1007/978-3-662-47666-6_6

http://dx.doi.org/10.1007/978-3-662-47666-6_6

http://dx.doi.org/10.1023/B:FORM.0000026093.21513.31

http://dx.doi.org/10.1007/BFb0025774

http://dx.doi.org/10.1007/BFb0025774

[DLF+16] A. Duret-Lutz, A. Lewkowicz, A. Fauchille, T. Michaud, E. Renault, and L. Xu.Spot 2.0 – A framework for LTL and ω-automata manipulation. In ATVA’16, LNCS9938, p. 122–129. Springer, 2016.

[dNV90] R. de Nicola and F. Vaandrager. Action versus state based logics for transition systems.In Semantics of Systems of Concurrent Processes, LNCS 469, p. 407–419. Springer,1990.

[EH86] E. A. Emerson and J. Y. Halpern. ”Sometimes” and ”not never” revisited: On branch-ing versus linear time temporal logic. Journal of the ACM, 33(1):151–178, 1986.

[EMSS92] E. A. Emerson, A. K.-L. Mok, A. P. Sistla, and J. Srinivasan. Quantitative temporalreasoning. Real-Time Systems, 4:331–352, 1992.

[Far02] B. Farwer. ω-automata. In Automata, Logics, and Infinite Games, LNCS 2500, p. 3–21.Springer, 2002.

[HJ04] G. J. Holzmann and R. Joshi. Model-driven software verification. In SPIN’04, LNCS2989, p. 76–91. Springer, 2004.

[HKOW09] C. Haase, S. Kreutzer, J. Ouaknine, and J. Worrell. Reachability in succinct andparametric one-counter automata. In CONCUR’09, LNCS 5710, p. 369–383. Springer,2009.

[Hol97] G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering,23(5):279–295, 1997.

[HRSV02] T. Hune, J. Romijn, M. Stoelinga, and F. Vaandrager. Linear parametric model check-ing of timed automata. Journal of Logic and Algebraic Programming, 52-53:183–220,2002.

[KVW00] O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approach tobranching-time model-checking. Journal of the ACM, 47(2):312–360, 2000.

[LMS06] F. Laroussinie, N. Markey, and Ph. Schnoebelen. Efficient timed model checking fordiscrete-time systems. Theoretical Computer Science, 353(1-3):249–271, 2006.

[LST00] F. Laroussinie, Ph. Schnoebelen, and M. Turuani. On the expressive and complexityof quantitative branching-time temporal logics. In LATIN’00, LNCS 1776, p. 437–446.Springer, 2000.

[Min67] M. L. Minsky. Computation: Finite and Infinite Machines. Prentice Hall, Inc., 1967.

[Pnu77] A. Pnueli. The temporal logic of programs. In FOCS’77, p. 46–57. IEEE Comp. Soc.Press, 1977.

[QS82] J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems inCESAR. In SOP’82, LNCS 137, p. 337–351. Springer, 1982.

[Saf92] S. Safra. Exponential determinization for ω-automata with strong-fairness acceptancecondition. In STOC’92, p. 272–282. ACM Press, 1992.

68

http://dx.doi.org/10.1007/978-3-319-46520-3_8

http://dx.doi.org/10.1007/3-540-53479-2_17

http://dx.doi.org/10.1007/978-3-540-24732-6_6

http://dx.doi.org/10.1007/978-3-642-04081-8_25

http://dx.doi.org/10.1007/978-3-642-04081-8_25

http://dx.doi.org/10.1016/j.tcs.2005.11.020

http://dx.doi.org/10.1016/j.tcs.2005.11.020

http://dx.doi.org/10.1109/SFCS.1977.32

http://dx.doi.org/10.1007/3-540-11494-7_22

http://dx.doi.org/10.1007/3-540-11494-7_22

[SC85] A. P. Sistla and E. M. Clarke. The complexity of propositional linear temporal logics.Journal of the ACM, 32(3):733–749, 1985.

[Tho88] W. Thomas. Automata on infinite objects. Technical Report AIB-88-17, AachenerInformatik Berichte, Aachen, Germany, 1988.

[Tur37] A. M. Turing. On computable numbers, with an application to the entscheidungsprob-lem. Proceedings of the London Mathematical Society, s2-42(1):230–265, 1937.

[VW94] M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Information andComputation, 115(1):1–37, 1994.

[Wika] Wikipedia. Ariane 5 flight 501.

[Wikb] Wikipedia. Mars climate orbiter.

[Wikc] Wikipedia. Pentium FDIV bug.

[Wikd] Wikipedia. Therac-25.

69

http://dx.doi.org/10.1112/plms/s2-42.1.230

http://dx.doi.org/10.1112/plms/s2-42.1.230

http://en.wikipedia.org/wiki/Ariane_5_Flight_501

http://en.wikipedia.org/wiki/Mars_Climate_Orbiter

http://en.wikipedia.org/wiki/Pentium_FDIV_bug

http://en.wikipedia.org/wiki/Therac

Veri cation of Complex Systems · Veri cation of Complex Systems | Timed automata | Nicolas Markey...

Documents

Transcript of Veri cation of Complex Systems · Veri cation of Complex Systems | Timed automata | Nicolas Markey...