Abstract. In this paper, we study model checking of timed automata (TAs), and more precisely we aim at finding efficient model checking algorithms for subclasses of TAs. For this, we consider model checking TCTL and TCTL_{≤,≥} over TAs with one clock or two clocks. First we show that the reachability problem is NLOGSPACE-complete for one clock TAs (i.e. as complex as reachability in classical graphs) and we give a polynomial time algorithm for model checking TCTL_{≤,≥} over this class of TAs. Secondly we show that model checking becomes PSPACE-complete for full TCTL over one clock TAs. We also show that model checking CTL (without any timing constraint) over two clock TAs is PSPACE-complete and that reachability is NP-hard.
Introduction
Model checking is widely used for the design and debugging of critical reactive systems [Eme90, CGP99]. During the last decade, it has been extended to real-time systems, where quantitative information about time is required.
Timed models. Real-time model checking has been mostly studied and developed in the framework of Alur and Dill's Timed Automata (TAs) [ACD93, AD94] , i.e. automata extended with clocks that progress synchronously with time. There now exists a large body of theoretical knowledge and practical experience for this class of systems. It is agreed that their main drawback is the complexity blowup induced by timing constraints: most verification problems are at least PSPACE-hard for Timed Automata [Alu91,CY92,ACD93,AL02].
Real-time automata are TAs with a unique clock which is reset after every transition. This subclass has been mostly studied from the language theory point of view [Dim00], but it is also considered in [HJ96] for modeling real-time systems. Clearly this subclass is less expressive than classical TAs with an arbitrary number of clocks, but it is still natural and convenient for describing the behavior of simply timed systems. For example, it may be useful to model systems where timing constraints are local, i.e. depend only on the time elapsed since the last transition. The use of a real valued clock offers a convenient and abstract concept of time. Moreover such restricted TAs are more natural and more expressive than models based on discrete Kripke structures where durations are associated with transitions (see for example Timed Transition Graphs [CC95] or Durational Kripke Structures [LMS02]).
Timed specifications. In order to express timing aspects of computations, we consider extensions of the classical temporal logic CTL. The idea is to use timing constraints tagging temporal modalities [AH92]. For example, the formula EF_{<10} A states that it is possible to reach a state verifying A ("EF A") in less than 10 time units. Timing constraints can have three main forms: "≤ c" and "≥ c" set an upper or lower bound for durations, while "= c" requires a precise value. TCTL is the extension of CTL with all three types of constraints, while TCTL_{≤,≥} is the fragment of TCTL where the "= c" constraints are forbidden.
Our contribution. In this paper, we aim at finding subclasses of Timed Automata that admit efficient model checking algorithms. For this purpose we consider one clock TAs (1C-TAs), which extend real-time automata because the clock is not required to be reset after each transition. First we show that the reachability problem is NLOGSPACE-complete for 1C-TAs (i.e. as efficient as reachability in classical graphs) and we give a polynomial time algorithm for model checking TCTL_{≤,≥} over 1C-TAs. These results are surprising because adding simple timing constraints generally induces a complexity blowup. Note that efficient model checking of TCTL_{≤,≥} over 1C-TAs requires an ad-hoc algorithm: the classical region graph technique and the symbolic algorithms based on DBMs [Dil90] are not polynomial over this subclass. Secondly we show that model checking becomes PSPACE-complete for full TCTL over 1C-TAs. Then we address the case of TAs with two clocks (2C-TAs), since it is well known that three clocks lead to PSPACE-hardness for reachability [CY92]. We show that model checking CTL (without any timing constraints) over 2C-TAs is already PSPACE-complete and that reachability is NP-hard.
These results emphasize the good properties of 1C-TAs and real-time automata, leading to efficient timed model checking.
Related work. Quantitative logics for Timed Automata are now well-known and many results are available regarding their expressive power, or the satisfiability and model checking problems [AH94,ACD93,AH93,AFH96,Hen98]. That exact durations may induce harder model checking complexity was already observed in the case of LTL and Timed Automata [AFH96] . Complexity of timed model checking is considered in [CY92] where it is shown that three clocks are sufficient to have PSPACE-hardness for the reachability problem. In [AL02] , model checking is studied for several timed modal logics. In [ACH94] the expressive power of clocks in TAs is studied from the language theory point of view.
Let N and R denote the sets of natural and non-negative real numbers, respectively. Let C be a set of real valued clocks. We use B(C) to denote the set of boolean expressions over atomic formulae of the form x ∼ k with x ∈ C, k ∈ N, and ∼ ∈ {<, ≤, >, ≥, =}. Constraints of B(C) are interpreted over valuations for the clocks in C, that is functions from C to R. The set of valuations is denoted by R^C. For every v ∈ R^C and d ∈ R, we use v + d to denote the valuation which maps each clock x ∈ C to the value v(x) + d. For every r ⊆ C, we write v[r ← 0] for the valuation which maps each clock in r to the value 0 and agrees with v over C \ r. Let AP be a set of atomic propositions.

Definition 2.1. A timed automaton (TA) is a 6-tuple A = ⟨Q_A, C, q_init, →_A, Inv_A, l_A⟩ where Q_A is a finite set of control states, C is a finite set of clocks and q_init ∈ Q_A is the initial state. The set →_A ⊆ Q_A × B(C) × 2^C × Q_A is a finite set of action transitions: for (q, g, r, q') ∈ →_A, g is the enabling condition (or guard) of the transition and r is the set of clocks to be reset with the transition (we write q --g,r--> q'). Inv_A : Q_A → B(C) associates an invariant with every control state, and l_A : Q_A → 2^AP labels every control state with a subset of AP.
A state (or configuration) of a timed automaton A is a pair (q, v), where q ∈ Q A is the current control state and v ∈ R C is the current clock valuation. The initial state of A is (q init , v 0 ) where v 0 is the valuation mapping all clocks in C to 0.
There are two kinds of transition. From (q, v), it is possible to perform the action transition q --g,r--> q' if v |= g and v[r ← 0] |= Inv_A(q'), and then the new configuration is (q', v[r ← 0]). It is also possible to let time elapse and reach (q, v + t) for some t ∈ R whenever the invariant is satisfied. Formally the semantics of a TA A is given by a Timed Transition System (TTS) T_A = (S, s_init, →_TA, l) where:
- S = Q_A × R^C is the set of configurations and s_init = (q_init, v_0);
- →_TA contains the action transitions (q, v) --a--> (q', v[r ← 0]) for every q --g,r--> q' in A with v |= g and v[r ← 0] |= Inv_A(q'), and the delay transitions (q, v) --δ(t)--> (q, v + t) for every t ∈ R such that v + t |= Inv_A(q);
- l : S → 2^AP labels every state (q, v) with the subset l_A(q) of AP.
An execution of A is an infinite path in T_A. Let s = (q, v) be an A-configuration. An execution ρ from s can be described as an infinite sequence s = s_0 --δ(t_0)--> s'_0 --a--> s_1 --δ(t_1)--> s'_1 --a--> ··· for some t_i ∈ R. Such an execution ρ goes through any configuration s' reachable from some s_i by a delay transition of duration t ∈ [0; t_i]; we write s' ∈ ρ. Let Exec(s) be the set of all executions from s.
The standard notions of prefix, suffix and subrun apply to paths in a TTS. Given ρ ∈ Exec(s), any finite prefix σ leading to a configuration s' (denoted s --σ--> s') has a duration, Time(s --σ--> s'), defined as the sum of all delays along σ. Let Pref(ρ) be the set of all prefixes of ρ.

Given ρ ∈ Exec(s) and s', s'' ∈ ρ, we say that s' strictly precedes s'' along ρ (written s' <_ρ s'') iff there exists a finite subrun σ in ρ s.t. s' --σ--> s'' and σ contains at least one non-null delay transition or one action transition (i.e. σ is not reduced to --δ(0)-->). Note that a configuration may have several occurrences along ρ, and then it may be that s' <_ρ s', or that s' <_ρ s'' and s'' <_ρ s'.

The size of a TA is |Q_A| + |C| + Σ_{(q,g,r,q')∈→_A} |g| + Σ_q |Inv_A(q)|, where the size of a constraint is its length (constants are encoded in binary). We use |→_A| to denote the number of transitions in A.
Timed CTL
TCTL is the quantitative extension of CTL where temporal modalities are subscripted with constraints on duration [ACD93] . Formulae are interpreted over TTS states.
Definition 3.1 (Syntax of TCTL). TCTL formulae are given by the following grammar:
where ∼ can be any comparator in {<, ≤, =, ≥, >}, c any natural number and
Standard abbreviations include ⊤, ⊥, ϕ ∨ ψ, ϕ ⇒ ψ, ... as well as EF_{∼c} ϕ (for E ⊤ U_{∼c} ϕ), AF_{∼c} ϕ (for A ⊤ U_{∼c} ϕ), EG_{∼c} ϕ (for ¬AF_{∼c} ¬ϕ) and AG_{∼c} ϕ (for ¬EF_{∼c} ¬ϕ). Further, the modalities U, F and G without subscripts are shorthand for U_{≥0}, F_{≥0} and G_{≥0}. The size |ϕ| of a formula ϕ is defined in the standard way, with constants written in binary notation.
Definition 3.2 (Semantics of TCTL). The following clauses define when a state s of some TTS T = S, s init , →, l satisfies a TCTL formula ϕ, written s |= ϕ, by induction over the structure of ϕ (semantics of boolean operators is omitted).
Thus, in E ϕ U_{∼c} ψ, the classical until is extended by requiring that ψ be satisfied within a duration (from the current state) verifying the constraint "∼ c".
Given a TA A = ⟨Q, C, q_init, →_A, Inv_A, l_A⟩ and a TCTL formula ϕ, we write A |= ϕ when s_init |= ϕ.
Given a TA A, the TTS T_A may have an infinite number of states, and then standard model checking techniques cannot be applied directly. Indeed the decidability of verification problems over TAs is based on the region graph technique: the infinite state space of configurations is partitioned into a finite number of regions (equivalence classes of a relation over valuations) which have the "same behavior" w.r.t. the property to be checked; then a standard model checking algorithm can be applied over this finite abstraction. The region graph mainly depends on the number of clocks and on the constants occurring in the guards. One of the main drawbacks of timed model checking is that the size of the region graph is exponential in the number of clocks and in the (encoding of the) constants. Several data structures have been proposed to verify non-trivial timed systems (for example DBMs, see [Dil90, Bou04]).
The reachability problem for timed automata is known to be PSPACE-complete [AH94]. In [CY92], reachability in TAs is shown to be PSPACE-complete even when the number of clocks is 3 or when the constants occurring in the guards belong to {0, 1}.

For TCTL, model checking is PSPACE-complete [ACD93], and it is EXPTIME-complete for many variants of timed µ-calculus [AL02]; checking timed bisimilarity is also an EXPTIME-complete problem. Note that all these results hold for R or N as time domain, and they still hold when considering a parallel composition of TAs instead of a single one [AL02].
In this paper, we consider two subclasses of TAs whose complexity for timed verification is not known: we will study TAs with one clock (1C-TAs) or two clocks (2C-TAs). Clearly these subclasses are more expressive than real-time automata, where the unique clock is reset after every transition, and than extensions of Kripke structures with integer durations.
We will assume that in 1C-TAs, the guards are given by two constants defining the minimal (resp. maximal) value for x to perform the transition: it is always possible to reduce, in polynomial time, any 1C-TA to an equivalent automaton verifying such a property.
Model checking one clock timed automata
For a 1C-TA, a valuation is just a real value: the time assignment associated with the automaton clock x. First we consider the reachability problem: "Given a TA and a control state q, is it possible to reach a configuration (q, v) from the initial state?"

Proposition 5.1. Reachability in 1C-TAs is NLOGSPACE-complete.

Proof. The NLOGSPACE-hardness comes from the complexity of reachability in classical graphs. Now we give an NLOGSPACE algorithm. A 1C-TA configuration is a control state and a value for the clock x. It is sufficient to consider only the integer value of x and to know whether the fractional part is zero or not, but the integer value cannot be stored directly in a logarithmic space algorithm and we have to use a more concise encoding.
Let A be a 1C-TA. Let B be the set of integer values used in the guards, plus zero. We use b_0, b_1, ..., b_k to range over B and assume 0 = b_0 < b_1 < ··· < b_k and |B| = k + 1. The set B defines a set I_B of 2(k + 1) intervals λ_0, λ_1, ..., λ_{2k+1} with λ_{2i} = [b_i; b_i] and λ_{2i+1} = (b_i; b_{i+1}) for 0 ≤ i ≤ k, where b_{k+1} = ∞.

We will encode the configuration (q, x) by the pair (q, n(x)) s.t. x ∈ λ_{n(x)}. Since k ≤ 2 · |→_A|, it is possible to store n(x) in logarithmic space.

First the algorithm counts the number of different constants in the guards of A: this is done by verifying that the constants occurring in the i-th transition are different from the constants used in the j-th transition with j < i (this test is done by enumerating the bits of the constant c to be checked and verifying equality bit by bit; it requires space in O(log(log(c)))).

Then, given a pair (q, n), the algorithm non-deterministically guesses another pair (q', n') and verifies that (q', λ_{n'}) is reachable from (q, λ_n) in one step, i.e. either q' = q and n' = n + 1 (this is a delay transition), or there exists a transition q --g,r--> q' s.t. g is satisfied by every value in λ_n and n' = n (resp. n' = 0) if r = ∅ (resp. r = {x}). Assume g = m_1 ≤ x ≤ m_2; then checking λ_n |= g can be done by counting the number n_1 of different constants less than m_1 and the number n_2 of those greater than m_2. Finally λ_n |= g iff n/2 ≥ n_1 and n/2 ≤ k − n_2 if n is even (resp. (n−1)/2 ≥ n_1 and (n+1)/2 ≤ k − n_2 if n is odd). These operations require only logarithmic space.
This result entails that, from the complexity theory point of view, analysing a 1C-TA is not more complex than analysing an untimed graph. After this positive result, we now consider model checking for 1C-TAs and TCTL_{≤,≥}:
Theorem 5.2. Model checking TCTL_{≤,≥} over 1C-TAs is P-complete.

Proof. P-hardness follows from the case of CTL model checking. We present a polynomial algorithm to construct, for any state q and subformula ξ of Φ, a union of intervals Sat[q, ξ] over R containing the valuations for x s.t. x ∈ Sat[q, ξ] iff (q, x) |= ξ. Assume Sat[q, ξ] = ⋃_{j=1,...,k} ⟨α_j, β_j⟩ with ⟨ ∈ {[, (} and ⟩ ∈ {], )}; we will see that it is sufficient to consider α_j, β_j ∈ N ∪ {∞}. We choose α_j < β_j and β_j < α_{j+1} if j + 1 ≤ k in order to keep its size (i.e. the number of intervals) small; indeed we will show that |Sat[q, ξ]| ≤ 2 · |ξ| · |→_A|. We denote by Cst_A ⊆ N ∪ {∞} the set of all constants occurring in A (either in guards or in invariants) plus 0.
We only present here the labeling procedure for the modality E ϕ U_{≤c} ψ: the case of boolean operators and atomic propositions is straightforward, and the procedures for the other modalities are given in Appendix A.
Assume ξ = E ϕ U_{≤c} ψ. Assume also that Sat[q, ϕ] and Sat[q, ψ] have already been constructed. In order to compute Sat[q, ξ], we build a (finite) graph G = (V_G, →_G, l_G) where every node v ∈ V_G corresponds to a set of configurations (q, λ), where λ is an interval over R s.t. (1) these configurations verify either ψ or ϕ ∧ ¬ψ, and (2) for any guard g in an A-transition, λ |= g or λ |= ¬g. This last requirement implies that the same sequences of action transitions are enabled from every configuration of (q, λ).

Every G-transition corresponds either to an action transition of A or to an abstract delay transition (leading to another node with different properties): (q, λ) →_G (q', λ') iff either there exists a transition q --g,r--> q' in A such that λ |= g, λ' = λ (resp. λ' = [0; 0]) if r = ∅ (resp. r = {x}), and λ' |= Inv_A(q'); or q' = q and λ' = Succ(λ), the interval that immediately follows λ.
We can now restrict G to the nodes satisfying E ϕ U ψ by a standard algorithm, and then clearly the nodes in V_G represent all A-configurations satisfying E ϕ U ψ. We now have to see when there exists a path leading to a ψ-state and being short enough (i.e. of duration ≤ c) to witness ξ. For this we can compute, for any node (q, λ), a function δ^ψ_{q,λ} : λ → R ∪ {∞} where δ^ψ_{q,λ}(t) is the duration of a shortest path from (q, t) to some state verifying ψ (along a path satisfying ϕ). The crucial point is that such a duration function over λ has a special structure: it is first constant and then decreases with slope −1. The constant part corresponds to configurations for which a shortest path starts with a sequence of action transitions where the clock is reset at least once before any time elapses (and clearly this also holds for the previous positions in λ), and the decreasing part corresponds to positions from which a delay transition occurs before resetting x along a shortest path. These functions can easily be encoded as pairs (c_1, c_2) with c_1 ≥ c_2, with the following meaning: over λ = (b_i; b_{i+1}), δ^ψ_{q,λ}(x) = min(c_1, c_2 + (b_{i+1} − x)), i.e. the function is constant with value c_1 up to the position b_{i+1} − (c_1 − c_2) and then decreases with slope −1 down to the value c_2 at the right end of λ. Of course, it is also possible to have a purely constant function over λ (then c_1 = c_2) or a purely decreasing function (then c_1 = c_2 + (b_{i+1} − b_i)). See Figure 1 for more intuition.
The structure of the duration functions allows us to compute them by adapting the Bellman-Ford algorithm for single source shortest paths over G. This algorithm is given in Appendix A. The idea is to compute each δ^ψ_{q,λ} once: given a configuration (q, x) with x ∈ λ, either a shortest path (SP) starts as for the previous positions x' < x in λ, i.e. with action transitions that can be performed from (q, x), or the SP starts by delaying until Succ(λ); in both cases it is not necessary to come back to (q, λ) later. If the length of an SP in G is k, then k is bounded by |V_G| + 1 and the SP is discovered after the k-th step of the algorithm.
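The interval abstraction of Proposition 5.1 and the duration functions of Theorem 5.2 share the same machinery, so the following added example (written for this page, not code from the paper) implements both on the same 1C-TA: `reachable` is the graph search over pairs (q, n) of the reachability proof, and `ef_durations` runs the Bellman-Ford style relaxation over pairs (c_1, c_2) for the special case E ⊤ U_{≤c} ψ (i.e. EF_{≤c} ψ). It assumes guards of the form m_1 ≤ x ≤ m_2 with m_2 possibly ∞, no invariants, and ψ an atomic proposition; the automaton `EXAMPLE_TA`, its state names and its labels are constructed here for illustration. The parity case split of the guard test in the proof collapses into two integer divisions, which is what `guard_holds` uses.

```python
from math import inf
from collections import deque

class OneClockTA:
    """1C-TA with guards lo <= x <= hi (hi may be inf) and no invariants (assumption)."""
    def __init__(self, states, transitions, labels):
        self.states = list(states)
        self.transitions = list(transitions)   # (q, lo, hi, reset, q')
        self.labels = labels                   # q -> set of atomic propositions
        # B: constants of the guards plus 0, sorted so that 0 = b_0 < b_1 < ... < b_k
        self.B = sorted({0} | {lo for _, lo, _, _, _ in transitions}
                            | {hi for _, _, hi, _, _ in transitions if hi != inf})
        self.k = len(self.B) - 1
        self.n_max = 2 * self.k + 1            # intervals lambda_0 .. lambda_{2k+1}

    def bounds(self, n):
        """lambda_{2i} = [b_i, b_i] and lambda_{2i+1} = (b_i, b_{i+1}), with b_{k+1} = inf."""
        i = n // 2
        if n % 2 == 0:
            return self.B[i], self.B[i]
        return self.B[i], (self.B[i + 1] if i < self.k else inf)

    def index(self, x):
        """n(x): the index n such that x lies in lambda_n."""
        for n in range(self.n_max + 1):
            lo, hi = self.bounds(n)
            if (n % 2 == 0 and x == lo) or (n % 2 == 1 and lo < x < hi):
                return n
        raise ValueError(x)

    def guard_holds(self, n, lo, hi):
        """lambda_n |= lo <= x <= hi by counting constants, as in the proof of Prop. 5.1."""
        n1 = sum(1 for b in self.B if b < lo)  # constants below the lower bound
        n2 = sum(1 for b in self.B if b > hi)  # constants above the upper bound
        # n//2 is n/2 for even n and (n-1)/2 for odd n; (n+1)//2 is n/2 resp. (n+1)/2
        return n1 <= n // 2 and (hi == inf or (n + 1) // 2 <= self.k - n2)

    def successors(self, q, n):
        """Edges of the abstract graph: one delay step, then every enabled action step."""
        if n < self.n_max:
            yield ("delay", q, n + 1)
        for src, lo, hi, reset, dst in self.transitions:
            if src == q and self.guard_holds(n, lo, hi):
                yield ("action", dst, 0 if reset else n)

def reachable(ta, q_init, target):
    """Prop. 5.1: control-state reachability as plain graph search over pairs (q, n)."""
    seen, todo = {(q_init, 0)}, deque([(q_init, 0)])
    while todo:
        q, n = todo.popleft()
        if q == target:
            return True
        for _, q2, n2 in ta.successors(q, n):
            if (q2, n2) not in seen:
                seen.add((q2, n2))
                todo.append((q2, n2))
    return False

def ef_durations(ta, prop):
    """Theorem 5.2 for EF_{<=c} prop: duration functions as pairs (c1, c2), read as
    delta(x) = min(c1, c2 + (b_{i+1} - x)) on (b_i, b_{i+1}) and as the constant c1
    on point intervals and on (b_k, inf)."""
    nodes = [(q, n) for q in ta.states for n in range(ta.n_max + 1)]
    D = {v: ((0, 0) if prop in ta.labels[v[0]] else (inf, inf)) for v in nodes}

    def at_left_end(v):      # limit of delta_v(x) as x tends to the left end of lambda
        lo, hi = ta.bounds(v[1])
        c1, c2 = D[v]
        return c1 if (v[1] % 2 == 0 or hi == inf) else min(c1, c2 + (hi - lo))

    for _ in range(len(nodes) + 1):            # Bellman-Ford style relaxation rounds
        changed = False
        for q, n in nodes:
            lo, hi = ta.bounds(n)
            c1, c2 = D[(q, n)]
            for kind, q2, n2 in ta.successors(q, n):
                if kind == "action" and n2 == n:   # no reset: pointwise minimum
                    c1, c2 = min(c1, D[(q2, n2)][0]), min(c2, D[(q2, n2)][1])
                elif kind == "action":             # reset: constant cost of (q2, [0,0])
                    v = D[(q2, 0)][0]
                    c1, c2 = min(c1, v), min(c2, v)
                elif n % 2 == 0:                   # point -> open interval, entered at its left end
                    v = at_left_end((q2, n2))
                    c1, c2 = min(c1, v), min(c2, v)
                else:                              # open interval -> point b_{i+1}: wait (hi - x)
                    v = D[(q2, n2)][0]
                    c1, c2 = min(c1, v + (hi - lo)), min(c2, v)
            c2 = min(c2, c1)                       # normal form: c2 <= c1 <= c2 + width
            if n % 2 == 1 and hi != inf:
                c1 = min(c1, c2 + (hi - lo))
            if (c1, c2) != D[(q, n)]:
                D[(q, n)] = (c1, c2)
                changed = True
        if not changed:
            break
    return D

def duration(ta, D, q, x):
    """delta_{q,lambda}(x): least time from (q, x) to a prop-state, inf if none is reachable."""
    n = ta.index(x)
    lo, hi = ta.bounds(n)
    c1, c2 = D[(q, n)]
    return c1 if (n % 2 == 0 or hi == inf) else min(c1, c2 + (hi - x))

def ef_within(ta, D, q, x, c):
    """(q, x) |= EF_{<=c} prop  iff  delta_{q,lambda}(x) <= c."""
    return duration(ta, D, q, x) <= c

# Constructed example (not from the paper): q0 --2<=x<=3--> q1 --x=5, x:=0--> q2,
# a reset loop q0 --x>=4, x:=0--> q0, and an edge q1 --x<=1--> q3 that is never enabled.
EXAMPLE_TA = OneClockTA(
    ["q0", "q1", "q2", "q3"],
    [("q0", 2, 3, False, "q1"), ("q1", 5, 5, True, "q2"),
     ("q0", 4, inf, True, "q0"), ("q1", 0, 1, False, "q3")],
    {"q0": set(), "q1": set(), "q2": {"goal"}, "q3": set()})
```

On `EXAMPLE_TA`, `reachable(EXAMPLE_TA, "q0", "q2")` holds while `q3` is unreachable (the clock is already at least 2 when `q1` is entered). With `D = ef_durations(EXAMPLE_TA, "goal")`, the duration from `(q0, x)` is 5 − x on [0; 3), then 5 + (4 − x) on (3; 4) (wait for the reset loop, then start over), and the constant 5 from 4 on: exactly the "constant, then slope −1" shape the proof relies on, with the constant part coming from the reset.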
Once the δ^ψ_{q,λ} have been computed, it remains to build Sat[q, ξ] from them and from the threshold c; this last step, and the bound on the size of Sat[q, ξ], are given in Appendix A.

Theorem 5.3. Model checking TCTL over 1C-TAs is PSPACE-complete.

Proof. Membership in PSPACE follows from the general result for TAs [ACD93]. PSPACE-hardness is shown by reducing a QBF instance to a model checking problem over a 1C-TA.
Consider a QBF instance Φ =def Q_0 p_0 Q_1 p_1 ... Q_{n−1} p_{n−1} · ϕ, where Q_i ∈ {∃, ∀}, each p_i is a boolean variable for i = 0, ..., n − 1, and ϕ is a propositional formula over the p_i's.
To reduce the QBF instance Φ to a model checking problem, we consider the 1C-TA A Φ depicted in Figure 2 and the formulae Φ i with i = 0, . . . , n defined 
Now we show that Φ is valid iff (q_0, 0) |= Φ_0. Indeed, interpreting Φ_0 over (q_0, 0) makes every formula Φ_i with i = 1, ..., n be interpreted over the configurations of a set S_i located at duration Σ_{j<i} 2^j from (q_0, 0). More precisely S_i is composed of the configurations (p_{i−1}, l) and (p̄_{i−1}, l) with l ∈ {1, ..., 2^{i−1}}. A configuration in S_i can be seen as a boolean valuation for p_0, ..., p_{i−1}: the truth value of p_{i−1} is ⊤ iff the control state is p_{i−1}, and the value of p_k (k < i − 1) is given by the k-th bit of the binary encoding of l − 1. Moreover this valuation is preserved in the two possible successor configurations in S_{i+1}, at duration 2^i from the current position. The alternation of EF and AF allows us to simulate the alternation of quantifiers over the p_i's in Φ.

Finally Φ_n is interpreted over the configurations of S_n, which define valuations for p_0, ..., p_{n−1}. The configurations of the form (p_{n−1}, l) (resp. (p̄_{n−1}, l)) with l ∈ {1, ..., 2^{n−1}} are located at distance 0, ..., 2^{n−1} − 1 (resp. 2^{n−1}, ..., 2^n − 1) from q_F. Consider such a configuration (p_{n−1}, l) and assume (p_{n−1}, l) |= EF_{=2^n−1} b_k: reaching (q_F, 0) takes 2^{n−1} − l, it remains to spend 2^{n−1} + l − 1 in the loop b_k^⊥ b_k ···, and clearly b_k holds after this duration iff the k-th bit of l − 1 is 1.
Note that the automaton depicted in Figure 2 is a real-time automaton (x is reset after every transition), and then we can deduce the following corollary:

Corollary 5.4.
- Reachability in real-time automata is NLOGSPACE-complete.
- Model checking TCTL_{≤,≥} over real-time automata is P-complete.
- Model checking TCTL over real-time automata is PSPACE-complete.
When a timed automaton has two clocks, there is a complexity blow-up for model checking. First we have the following result for reachability:
Proposition 6.1. Reachability problem in 2C-TAs is NP-hard.
Proof. This follows from a simple encoding of the SUBSET-SUM problem [GJ79, p. 223]: given a set {a_1, ..., a_p} of integers and a goal b, one asks whether there exists a subset J ⊆ {1, ..., p} s.t. Σ_{j∈J} a_j = b. This problem is known to be NP-complete. It is obviously equivalent to the reachability problem for state G in the automaton shown in Figure 3.

Theorem 6.2. Model checking CTL over 2C-TAs is PSPACE-complete.

Proof. Membership in PSPACE follows from the general result for TAs [ACD93]. Let Φ be the following CTL formula:
A path from q_0 to q_n defines a boolean valuation for the p_i's: performing the transition q_i --x=2^i, x:=0--> q_{i+1} (resp. the transition from q_i to q_{i+1} that takes no time) assigns ⊤ (resp. ⊥) to p_i. In the configuration (q_n, 0, v_y), the valuation is encoded in the value v_y (the total amount of time used to reach q_n). Then the branch q_n → s_i → s_{i,1} ··· allows us to check the value of the i-th bit of v_y, that is exactly the truth value of p_i.
Note that this last result is proved for a very simple subclass: the automaton used in the proof of Theorem 6.2 has a clock which is reset after each transition. Despite this, model checking (untimed) CTL leads to PSPACE-hardness.

Figure 5 gives an overview of the results presented in the paper and a comparison with the results for classical Timed Automata. The main results concern one-clock automata. First, the reachability problem in 1C-TAs is as efficient as reachability in classical graphs. Moreover model checking can be done efficiently if the property is expressed in the logic TCTL_{≤,≥}. This result is surprising because usually, in TCTL model checking, the timing constraints are handled by adding a new clock to the system, and we have also seen that any model checking problem, even for untimed CTL, is PSPACE-hard over simple 2C-TAs. Note moreover that the efficiency requires an ad hoc algorithm to handle timing constraints.

In timed model checking, an important challenge consists in developing data structures able to manage the complexity blow-up due to timing constraints and to the parallel composition of components; indeed it would be very interesting to combine the benefits of DBMs for the timing constraints with those of BDDs for the control state explosion, but today no convincing solution exists. Our results motivate research on algorithms and data structures for simply timed systems composed of a unique clock and a parallel composition of processes. Of course, analysing such systems is PSPACE-hard due to the composition; nevertheless efficient data structures for handling such systems could be more easily defined thanks to the simple timing constraints.
Appendix A (End of the proof of Theorem 5.2)

Then it remains to build Sat[q, ξ] from the duration functions δ^ψ_{q,λ} and the threshold c: x ∈ Sat[q, ξ] iff δ^ψ_{q,λ}(x) ≤ c. This may lead to cutting an interval into two parts. A crucial point of the algorithm is to merge as much as possible these (fragments of) G intervals, and we have to show that the size of Sat[q, ξ] can be bounded enough to ensure a polynomial algorithm. We are going to bound (1) the number of intervals of Sat[q, ξ] coming from a given interval of Sat[q, ϕ] and (2) the number of new constants (not present in B) that can appear due to the cuts. Consider an interval I of Sat[q, ϕ]. This interval corresponds to a finite sequence of G-nodes (q, λ_1), ..., (q, λ_k) s.t. λ_{i+1} = Succ(λ_i). The threshold "≤ c" may cut these intervals and provide non-adjacent intervals in Sat[q, ξ]. We can distinguish two cases of cuts: (1) the cut is done between two intervals, or (2) the cut is done inside an interval. In both cases the cut is due to a unique constraint in a transition (x < or x >) which can only cut this interval. Since a transition may contain at most two such constraints, the size of Sat

For the remaining modality, the procedure is again based on the graph G = (V_G, →_G, l_G), but here we label nodes by ϕ ∧ ¬ψ, ϕ ∧ ψ and ¬ϕ ∧ ψ. We restrict ourselves to nodes satisfying E ϕ U ψ and we introduce a new atomic proposition P_SCC+(ϕ) in order to label every node (q, λ) in G belonging to a strongly connected set of nodes satisfying ϕ and where at least one edge is an abstract delay transition. Labeling states for P_SCC+(ϕ) can be done in time O(|G|) once they are labeled for ϕ.
We can now solve the original problem. There are two ways a state can satisfy ξ:
