Generalized discrete timed automata: decidable approximations for safety verification
Zhe Dang (a, corresponding author), Oscar H. Ibarra (b), Richard A. Kemmerer (b)
Theoretical Computer Science 296 (2003) 59–74
www.elsevier.com/locate/tcs
a School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164, USA
b Department of Computer Science, University of California, Santa Barbara, CA 93106, USA
Abstract
We consider generalized discrete timed automata with general linear relations over clocks and parameterized constants as clock constraints and with parameterized durations. We look at three approximation techniques (i.e., the r-reset-bounded approximation, the B-bounded approximation, and the ⟨B, r⟩-crossing-bounded approximation), and derive automata-theoretic characterizations of the binary reachability under these approximations. The characterizations allow us to show that the safety analysis problem is decidable for generalized discrete timed automata with unit durations and for deterministic generalized discrete timed automata with parameterized durations. An example specification written in ASTRAL is used to run a number of experiments using one of the approximation techniques.
© 2002 Elsevier Science B.V. All rights reserved.
1. Introduction
As a standard model for analyzing real-time systems, timed automata [3] have received enormous attention during the past decade. A timed automaton can be considered as a finite automaton augmented with a finite number of clocks. The clocks can be reset or progress at the same rate, and can be tested against clock constraints in the form of clock regions (i.e., comparisons of a clock or the difference of two clocks against an integer constant, e.g., x − y > 8, where x and y are clocks). A fundamental result in the theory of timed automata shows that region reachability for timed automata is decidable [3]. This result has been very useful in defining various real-time logics, appropriate model checking algorithms, and tools [2,4,15,16,17,23,24,26,27,28] for verifying real-time systems (see [1] for a survey).

The work by Zhe Dang and Richard A. Kemmerer has been supported in part by the Defense Advanced Research Projects Agency (DARPA) and Rome Laboratory, Air Force Material Command, USAF, under agreement number F30602-97-1-0207. The work by Oscar H. Ibarra has been supported in part by NSF Grant IRI-9700370.
∗ Corresponding author.
E-mail addresses: zdang@eecs.wsu.edu (Z. Dang), ibarra@cs.ucsb.edu (O.H. Ibarra), kemm@cs.ucsb.edu (R.A. Kemmerer).
PII: S0304-3975(02)00432-2
However, not every real-time system can be modeled as a timed automaton. A complex (not necessarily large) real-time system might contain nonregion clock constraints, such as $x_1 - x_2 > x_3 - x_4 + c$, where $x_1, x_2, x_3, x_4$ are clocks, and c is a parameterized (or unspecified) constant. Though there are practical needs to augment timed automata with more complex clock constraints, the "Turing computing" power of such augmented automata prevents automatic verification of properties such as reachability [3,5]. Therefore, decidable approximation techniques are of great interest, since these techniques would provide a user some degree of confidence in analyzing and debugging complex real-time specifications. In contrast to the most direct approximation techniques [5,11–13] that bound the number of transitions to a fixed number, the approximation techniques presented in this paper restrict the clock behaviors but do not necessarily bound the number of transition iterations to be finite.
In this paper, we focus on timed automata with integer-valued clocks, i.e., discrete timed automata, and extend them to generalized discrete timed automata by allowing general linear relations over clocks and parameterized constants as clock constraints. Furthermore, the duration of a transition can be a parameterized constant. These generalizations have practical motivation. For example, many complex real-world specifications [6,7,11,21] written in the real-time specification language ASTRAL [6] use generalized clock constraints and parameterized durations in almost every specification. Therefore, the results presented in this paper may be useful in implementing an automatic specification debugger for complex real-time specification languages like ASTRAL.
We investigate three approximation techniques in this paper. The r-reset-bounded approximation bounds the number of clock resets by a given positive integer r for each clock. The B-bounded approximation requires that, for each clock, the clock value is less than a given positive integer B every time the clock resets (but after the last reset, the clock can go unbounded). Combining these two, the ⟨B, r⟩-crossing-bounded approximation requires that, for each clock, there are at most r times that the clock resets after its value is greater than or equal to B. Given an approximation technique, we will focus on the binary reachability characterization of a generalized discrete timed automaton. Binary reachability has recently been proposed and investigated for a number of timed systems [8,9,10,14], which makes it possible to reason about "nonregion" properties for these systems. We first show that, when a generalized discrete timed automaton has unit durations, the binary reachability under any one of the three approximations is Presburger. Then by considering a generalized discrete timed automaton with parameterized durations, we show that the binary reachability under any one of the three approximations has a 2DCM-padding when the machine is deterministic. Specifically, we show that the "padded language" for binary reachability can be accepted by a deterministic two-way counter machine with one reversal-bounded counter [19]. The case for nondeterministic generalized discrete timed automata is open. These are good characterizations in the sense that the validity of Presburger formulas can be verified by these machines, and the emptiness problem for such machines is decidable. This allows us to establish, in principle, decidability results for the (Presburger) safety analysis problem for generalized discrete timed automata under the approximations. The 2DCM-padding characterization is particularly interesting, since binary reachability is not necessarily semilinear.
The paper is organized as follows. Section 2 gives the basic definitions and preliminary results that are used in the paper. Section 3 presents the decidable characterization of binary reachability for generalized discrete timed automata with unit durations and with parameterized durations, under the approximations. Section 4 formulates the safety analysis problem and its decidability and proposes an open problem concerning nondeterministic generalized discrete timed automata with parameterized durations. Section 5 shows an example from an ASTRAL specification of the railroad crossing benchmark. Finally, in Section 6, conclusions and future work are summarized.
2. Generalized discrete timed automata
Let V be a finite set of variables over the integers. An atomic linear relation on V is defined as $\sum_{v \in V} a_v v < b$, where $a_v$ and $b$ are integers. A linear relation on V is constructed from a finite number of atomic linear relations using ¬ and ∧. $L_V$ denotes the set of all linear relations on V. An atomic Presburger relation on V is either an atomic linear relation on V or a linear congruence $\sum_{v \in V} a_v v \equiv b \pmod{d}$, where $a_v$, $b$ and $d$ are integers. A Presburger formula can always be constructed from atomic Presburger relations using ¬ and ∧.
Let N be the set of integers with $N^+$ denoting the set of nonnegative integers. A clock is a variable over $N^+$. A generalized discrete timed automaton A is a tuple ⟨S, C, X, E⟩ where S is a finite set of (control) states, X is a finite set of clocks, C is a finite set of parameterized constants, and $E \subseteq S \times (C \cup \{0, 1\}) \times 2^X \times L_{X \cup C} \times S$ is a finite set of edges. Each edge ⟨s, d, λ, l, s′⟩ denotes a transition (or an edge) from s to s′ with enabling condition $l \in L_{X \cup C}$. $d \in C \cup \{0, 1\}$ is a parameterized constant indicating the duration of this transition. $\lambda \subseteq X$ is the set of clocks that are reset as a result of this transition. When λ is empty, the duration, which is a parameterized constant in C or the integer constant 1, must be positive. Clock resets take no time. Thus, when λ is not empty, the duration d on this edge is simply 0.
The semantics is defined as follows. $\alpha \in S \times (N^+)^{|C|} \times (N^+)^{|X|}$ is called a configuration, with $\alpha_q$ being the state under this configuration. $\alpha_{x_i}$ and $\alpha_{c_j}$ denote the value of the clock $x_i$ and the value of the parameterized constant $c_j$, respectively. Note that each clock and parameterized constant are nonnegative, i.e., in $N^+$. $\alpha \to_{\langle s, d, \lambda, l, s' \rangle} \alpha'$ denotes a one-step transition along an edge in A satisfying
• Constant values do not change, i.e., for each $c \in C$, $\alpha_c = \alpha'_c$.
• The state s is set to a new location s′, i.e., $\alpha_q = s$, $\alpha'_q = s'$.
• Each clock changes according to the edge given. When there is no clock reset on this edge, i.e., λ = ∅, all the clocks synchronously progress by the amount of the duration, i.e., for each $x \in X$, $\alpha'_x = \alpha_x + d$. In this case, the duration is positive, i.e., d > 0. When λ ≠ ∅, clocks in λ reset to 0 and all the other clocks are unchanged. Thus, clock resets take no time. That is, for each $x \in \lambda$, $\alpha'_x = 0$ and for each $x \notin \lambda$, $\alpha'_x = \alpha_x$.
• The enabling condition is satisfied. That is, l(α) is true.

Fig. 1. An example generalized discrete timed automaton (states s1 and s2; the edge from s1 to s2 is labeled x − y + z > B with duration C, and the edge from s2 to s1 is labeled 2x − y < A with reset set {z}).
We simply write α → α′ if α can reach α′ by a one-step transition. A is deterministic if for any configuration α there is at most one β such that α → β. A path $\alpha_0 \cdots \alpha_k$ satisfies $\alpha_i \to \alpha_{i+1}$ for each i. Write $\alpha \leadsto_A \beta$ if α reaches β through a path. In the definition of A, there is no input. This is because the input is always one way for timed automata and, therefore, input symbols can be built into the control states. A has parameterized durations. If we restrict each duration on an edge without clock resets to be 1, then A is called a generalized discrete timed automaton with unit durations.
Example 1. Fig. 1 shows a generalized discrete timed automaton with parameterized constants A, B, C and clocks x, y, z. The automaton has two transitions T1 (i.e., from state s1 to state s2) and T2 (i.e., from state s2 to state s1). As shown in the figure, T1 has an enabling condition of x − y + z > B, an empty clock reset set, and a parameterized duration C. T2 has an enabling condition of 2x − y < A, a clock reset set {z}, and a zero duration. According to the semantics, the following is an instance of an execution of the automaton when A = 4, B = 1, C = 2: ⟨s1, x = 1, y = 1, z = 3⟩ $\to_{T_1}$ ⟨s2, x = 3, y = 3, z = 5⟩ $\to_{T_2}$ ⟨s1, x = 3, y = 3, z = 0⟩.
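To make the one-step semantics concrete, here is an added Python model (not code from the paper) of the Fig. 1 automaton that reproduces the execution instance above; the names Edge, step and run are this example's own, and a guard is given as a Python predicate over the clock valuation and the constants.

```python
# Added example (not from the paper): an executable model of the generalized
# discrete timed automaton of Fig. 1 and of the one-step semantics of Section 2.
# The names Edge, step and run are this example's own, not the paper's notation.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

Valuation = Dict[str, int]             # clock name -> value in N+
Consts = Dict[str, int]                # parameterized constant -> value in N+
Config = Tuple[str, Valuation]         # (control state, clock valuation)


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    guard: Callable[[Valuation, Consts], bool]  # enabling condition l
    resets: FrozenSet[str]                      # clocks reset to 0 (lambda)
    duration: Union[int, str]                   # 0, 1, or a constant name


def duration_of(edge: Edge, consts: Consts) -> int:
    """Resolve a duration that is either an integer or a parameterized constant."""
    if isinstance(edge.duration, int):
        return edge.duration
    return consts[edge.duration]


def step(edge: Edge, cfg: Config, consts: Consts) -> Optional[Config]:
    """One-step transition along `edge`, or None if the edge is not enabled."""
    state, clocks = cfg
    if state != edge.src or not edge.guard(clocks, consts):
        return None
    if edge.resets:
        # Clock resets take no time: reset clocks go to 0, the rest are unchanged.
        new = {x: (0 if x in edge.resets else v) for x, v in clocks.items()}
    else:
        d = duration_of(edge, consts)
        if d <= 0:
            raise ValueError("an edge without resets must have positive duration")
        # All clocks progress synchronously by the duration.
        new = {x: v + d for x, v in clocks.items()}
    return (edge.dst, new)


def successors(edges: List[Edge], cfg: Config, consts: Consts) -> List[Tuple[Edge, Config]]:
    """All one-step successors of cfg together with the edge taken."""
    out = []
    for e in edges:
        nxt = step(e, cfg, consts)
        if nxt is not None:
            out.append((e, nxt))
    return out


def run(edges: List[Edge], start: Config, consts: Consts, max_steps: int) -> List[Config]:
    """Follow the unique enabled edge until none is enabled (deterministic A)."""
    path = [start]
    for _ in range(max_steps):
        succ = successors(edges, path[-1], consts)
        if not succ:
            break
        if len(succ) > 1:
            raise RuntimeError("automaton is not deterministic at %r" % (path[-1],))
        path.append(succ[0][1])
    return path


# The two edges of Fig. 1: T1 from s1 to s2, T2 from s2 to s1.
FIG1_EDGES = [
    Edge("s1", "s2", lambda k, c: k["x"] - k["y"] + k["z"] > c["B"], frozenset(), "C"),
    Edge("s2", "s1", lambda k, c: 2 * k["x"] - k["y"] < c["A"], frozenset({"z"}), 0),
]


def example_1_trace() -> List[Config]:
    """The execution instance of Example 1 with A = 4, B = 1, C = 2."""
    return run(FIG1_EDGES, ("s1", {"x": 1, "y": 1, "z": 3}), {"A": 4, "B": 1, "C": 2}, 10)


if __name__ == "__main__":
    for cfg in example_1_trace():
        print(cfg)
```

After the two steps of Example 1 the automaton is stuck in s1, since x − y + z = 0 no longer exceeds B = 1.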
When A with unit durations contains no parameterized constants and enabling conditions are clock constraints or clock regions in the form of Boolean combinations of x − y # c and x # c, where c is an integer, x and y are clocks and # ∈ {<, =, >}, A is equivalent to a standard timed automaton (with integer-valued clocks) [3]. On the other hand, when A with unit durations contains enabling conditions only in the form of Boolean combinations of x # c, where c is a parameterized constant or an integer and x is a clock (when c is a parameterized constant, x is called a parameterized clock), A is a parameterized timed automaton (with integer-valued clocks) [5].
There are two kinds of reachability for A. They are state reachability and binary reachability. Assume a state $s_0$ is designated as the initial state of A. A state $s \in S$ is state reachable in A if there is an initial configuration $\alpha_0$ (whose state is $s_0$ and whose clock values are all 0) and a configuration α with $\alpha_q = s$ such that α is reachable from the initial configuration, i.e., $\alpha_0 \leadsto_A \alpha$. The state reachability problem of A is whether a state $s \in S$ is state reachable. It is noted that region reachability (whether clock values in a clock region can reach clock values in another clock region) can be formulated as state reachability by applying a simple modification to the automaton being considered. The following are some known results about the state reachability problem.
Theorem 1. (1) The state reachability problem is decidable for standard timed automata [3].
(2) The state reachability problem is decidable for parameterized timed automata with only one parameterized clock (but can have many unparameterized clocks) [5].
(3) The state reachability problem is undecidable for generalized discrete timed automata.
Actually, Theorem 1(3) follows from the following special cases.
Theorem 2. (1) The state reachability problem is undecidable for standard timed automata when we allow "+" operations in clock constraints, e.g., x + y − z < 5 [3].
(2) The state reachability problem is undecidable for parameterized timed automata (with more than 2 parameterized clocks) [5].
On the other hand, binary reachability is the set of all configuration pairs ⟨α, β⟩ such that $\alpha \leadsto_A \beta$ (we also write this set as $\leadsto_A$ in the paper). Characterizations of the binary reachability of timed automata have recently been established.
Theorem 3. (1) The binary reachability of timed automata with real-valued clocks is definable in the additive theory over reals and integers [8,9].
(2) The binary reachability of timed automata with integer-valued clocks is definable by a Presburger formula [8,10].
Characterizations of binary reachability help us to reason about nonregion properties of timed systems. For instance, consider the following property: "for every configuration α there exists a configuration β such that $\alpha \leadsto_A \beta$ and the clock $x_1$ in β is the sum of clocks $x_1$ and $x_2$ in α". Though the constraint $\beta_{x_1} = \alpha_{x_1} + \alpha_{x_2}$ is not in the form of a clock region, this property can be automatically verified for timed automata [8,9,10].
However, for generalized discrete timed automata, the binary reachability $\leadsto_A$ is too strong to have an interesting characterization. In particular, even the membership problem for binary reachability, i.e., deciding whether two given configurations α and β satisfy $\alpha \leadsto_A \beta$ for a generalized discrete timed automaton A, is undecidable. This follows from the fact that a two-counter machine can be simulated by a generalized discrete timed automaton A, as shown in the proofs of Theorem 2(1) and (2) [3,5]. Thus, the membership problem can be reduced to the halting problem for two-counter machines, which is undecidable.
Theorem 4. The membership problem for binary reachability is undecidable for generalized discrete timed automata.

Fig. 2. Behaviors of a clock under the three approximations (panels (a), (b) and (c); the bound B and the value 0 are marked on the axis).
This undecidability result for generalized discrete timed automata leads us to consider the following three approximations of $\leadsto_A$. Let r and B be given fixed positive integers. The first approximation is r-reset-bounded reachability. A path $\alpha_0 \alpha_1 \cdots \alpha_k$ is called r-reset-bounded if each clock resets at most r times. Write $\alpha \leadsto^r_A \beta$ if α reaches β through an r-reset-bounded path. The second approximation is B-bounded reachability. A path $\alpha_0 \alpha_1 \cdots \alpha_k$ is called B-bounded if for each j < k and each $x_i \in X$, $|(\alpha_j)_{x_i} - (\alpha_{j+1})_{x_i}| < B$. Write $\alpha \leadsto^B_A \beta$ if α reaches β through a B-bounded path. The third approximation is ⟨B, r⟩-crossing-bounded reachability. A path $\alpha_0 \alpha_1 \cdots \alpha_k$ is called ⟨B, r⟩-crossing-bounded if there are at most r many j's such that $|(\alpha_j)_{x_i} - (\alpha_{j+1})_{x_i}| \ge B$. Write $\alpha \leadsto^{\langle B, r \rangle}_A \beta$ if α reaches β through a ⟨B, r⟩-crossing-bounded path.
Fig. 2 shows the behaviors of a clock under the three approximations with some bound B and r = 4. Fig. 2(a) is the case for the r-reset-bounded approximation, where the clock is reset at most four times. Fig. 2(b) is the case for the B-bounded approximation, where the clock value always stays below the bound B before the last reset (but there could be many resets). Fig. 2(c) is the case for the ⟨B, r⟩-crossing-bounded approximation, where the clock crosses the bound B at most four times before the last reset.
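As an added example (not from the paper), the three path conditions just defined are implemented as checks over a constructed sample path. The functions assume a path is given as its sequence of clock valuations together with, for every step, the reset set of the edge taken; the function names are this example's own.

```python
# Added example (not from the paper): deciding whether a given path of a
# generalized discrete timed automaton is r-reset-bounded, B-bounded or
# <B, r>-crossing-bounded, following the three definitions of Section 2.
# A path is a list of clock valuations plus, for each step, the set of clocks
# reset on the edge taken. The sample data at the bottom is constructed.
from typing import Dict, FrozenSet, List

Valuation = Dict[str, int]


def reset_counts(resets: List[FrozenSet[str]]) -> Dict[str, int]:
    """Number of resets of each clock along the path."""
    counts: Dict[str, int] = {}
    for lam in resets:
        for x in lam:
            counts[x] = counts.get(x, 0) + 1
    return counts


def is_reset_bounded(resets: List[FrozenSet[str]], r: int) -> bool:
    """r-reset-bounded: every clock resets at most r times."""
    return all(n <= r for n in reset_counts(resets).values())


def is_b_bounded(path: List[Valuation], bound: int) -> bool:
    """B-bounded: every one-step change of every clock is smaller than B.

    A progress step changes a clock by the duration d and a reset step changes
    it by its current value, so with unit durations this says that every clock
    is below B whenever it is reset.
    """
    return all(abs(a[x] - b[x]) < bound for a, b in zip(path, path[1:]) for x in a)


def crossing_counts(path: List[Valuation], bound: int) -> Dict[str, int]:
    """Per clock, the number of steps whose change is at least B."""
    counts = {x: 0 for x in path[0]} if path else {}
    for a, b in zip(path, path[1:]):
        for x in a:
            if abs(a[x] - b[x]) >= bound:
                counts[x] += 1
    return counts


def is_crossing_bounded(path: List[Valuation], bound: int, r: int) -> bool:
    """<B, r>-crossing-bounded: each clock has at most r steps of change >= B."""
    return all(n <= r for n in crossing_counts(path, bound).values())


# Constructed sample path with unit durations and clocks x, y: three progress
# steps, reset x, two progress steps, reset y, two progress steps, reset x.
SAMPLE_PATH: List[Valuation] = [
    {"x": 0, "y": 0}, {"x": 1, "y": 1}, {"x": 2, "y": 2}, {"x": 3, "y": 3},
    {"x": 0, "y": 3}, {"x": 1, "y": 4}, {"x": 2, "y": 5},
    {"x": 2, "y": 0}, {"x": 3, "y": 1}, {"x": 4, "y": 2},
    {"x": 0, "y": 2},
]
NO_RESET: FrozenSet[str] = frozenset()
SAMPLE_RESETS: List[FrozenSet[str]] = [
    NO_RESET, NO_RESET, NO_RESET, frozenset({"x"}), NO_RESET, NO_RESET,
    frozenset({"y"}), NO_RESET, NO_RESET, frozenset({"x"}),
]

if __name__ == "__main__":
    print("reset counts:", reset_counts(SAMPLE_RESETS))
    print("B-bounded with B=6:", is_b_bounded(SAMPLE_PATH, 6))
    print("crossings with B=3:", crossing_counts(SAMPLE_PATH, 3))
```

On the sample path x is reset at values 3 and 4 and y at value 5, so the path is 2-reset-bounded, 6-bounded but not 5-bounded, and ⟨3, 2⟩-crossing-bounded but not ⟨3, 1⟩-crossing-bounded.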
The main results in this paper show that the three approximations of binary reachability $\leadsto_A$ have decidable characterizations, i.e., they can be accepted by a class of machines with a decidable emptiness problem. Before we proceed to show the results, some further definitions are needed.
A nondeterministic multicounter machine (NCM) M is a nondeterministic machine with a finite set of (control) states Q = {1, 2, …, |Q|}, and a finite number of counters $x_1, \ldots, x_k$ with integer counter values. Each counter can add 1, subtract 1, or stay unchanged. These counter assignments are called standard assignments. M can also test whether a counter is equal to, greater than, or less than an integer constant. These tests are called standard tests. When an NCM M is used as a language recognizer, we attach a separate one-way read-only input tape to the machine and assign a state in Q as the final state. M accepts an input iff it can reach the final state. It is well known that counter machines with two counters have an undecidable halting problem. Thus, we have to restrict the behaviors of the counters. One such restriction is to limit the number of reversals a counter can make. A counter is r-reversal-bounded if it changes mode between nondecreasing and nonincreasing at most r times. A counter is r-strong-reversal-bounded if it changes mode between strictly increasing, strictly decreasing and unchanged at most r times. For instance, the following sequence of counter values: 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 3, 2, 1, 1, 1, 1, …, exhibits only one counter reversal. However, it has 11 strong reversals. M is (strong-)reversal-bounded if each counter in M is r-(strong-)reversal-bounded for some r. We note that a (strong-)reversal-bounded M does not necessarily limit the number of moves or the number of reachable configurations to be finite.
Let $(j, v_1, \ldots, v_k)$ denote the configuration of an NCM M (without input tape) when it is in state $j \in Q$ and counter $x_i$ has value $v_i \in N$ for i = 1, 2, …, k. Similar to $\leadsto_A$, the binary reachability $\leadsto_M$ of M is defined as all the pairs ⟨α, β⟩ of configurations of M such that α can reach β.
It is known that the emptiness problem for reversal-bounded NCMs (when used as language recognizers) is decidable [18]. When a reversal-bounded NCM uses linear relations as tests instead of using standard tests, we have the following result.
Theorem 5. Suppose M is a nondeterministic strong-reversal-bounded multicounter machine without input tape that uses linear relations (on the counters and parameterized constants) as tests instead of using standard tests. Then its binary reachability $\leadsto_M$ is Presburger [20].
The machines defined above, when used as language recognizers, have a one-way input tape. Suppose a two-way input is used instead. Let 2DCM(c, r) denote the class of deterministic machines with a two-way input tape and c r-reversal-bounded counters. Then the emptiness problem for 2DCM(c, r) when c ≥ 2 and r ≥ 1 is undecidable [18]. An interesting special case is when c = 1, i.e., there is only one counter. A language is 2DCM-recognizable if it can be accepted by a 2DCM(1, r).
Theorem 6. The emptiness problem for 2DCM-recognizable languages is decidable [19].
It is still open whether Theorem 6 holds for nondeterministic machines. That is, whether the emptiness problem for 2NCM(1, r), which is a nondeterministic r-reversal-bounded one-counter machine with a two-way input tape, is decidable.
Given a generalized discrete timed automaton A, consider a subset of configuration pairs, $R_A \subseteq S \times (N^+)^{|C|} \times (N^+)^{|X|} \times S \times (N^+)^{|C|} \times (N^+)^{|X|}$. One can look at $R_A$ as some sort of reachability relation. For a given A, if a 2DCM(1, r) $M_A$ can be effectively constructed such that for every w, w is in $R_A$ iff there exists a w′ such that $M_A$ accepts w#w′, then we say that $R_A$ has a 2DCM-padding. From Theorem 6, it is routine to show the following lemma.
Lemma 1. (1) The emptiness problem for $\{R_A\}_A$ having 2DCM-paddings is decidable.
(2) If $R^1_A$ and $R^2_A$ have 2DCM-paddings, then so do the join $R^1_A \cup R^2_A$ and the composition $R^1_A \circ R^2_A$.
3. Decidability results
Denote by $\leadsto^0_A$ the binary reachability of a generalized discrete timed automaton A through a path without clock resets. Note that A itself can be considered as a nondeterministic multicounter machine. However, tests in A, which are linear relations on clocks and parameterized constants, are not standard. Assignments in A in the form of x := x + d with d a parameterized constant are also not standard. But, if A has only unit durations, the assignments are standard except when a clock reset occurs, i.e., x := 0.
Lemma 2. Suppose A is a generalized discrete timed automaton with unit durations. Then $\leadsto^0_A$ is Presburger.
Proof. Let A be a generalized discrete timed automaton with unit durations. Note that when a path of A contains no clock resets, i.e., all the clocks increase at the same rate 1, clocks (understood as counters) are 0-strong-reversal-bounded. The lemma follows from Theorem 5.
The following theorem gives a characterization of the three approximations of $\leadsto_A$ when A has unit durations. The proof cuts a reachability path of A into a finite number of phases, and each phase can be further characterized by $\leadsto^0_A$ using Lemma 2.
Theorem 7. Suppose A is a generalized discrete timed automaton with unit durations. Then $\leadsto^r_A$, $\leadsto^B_A$ and $\leadsto^{\langle B, r \rangle}_A$ are Presburger.
Proof. Let A be a generalized discrete timed automaton with unit durations.
(1) r-reset-bounded reachability $\leadsto^r_A$: An r-reset-bounded path of A can be divided into at most r|X| many phases, where within each phase no clock resets. Two consecutive phases are connected by a one-step transition in A that contains clock resets. Thus, $\leadsto^r_A$ is the "concatenation" of all these phases and the transitions by using existential elimination. The result follows because from Lemma 2 each phase is Presburger and Presburger formulas are closed under quantification.
(2) B-bounded reachability $\leadsto^B_A$: Consider a B-bounded path of A. According to the definition of B-bounded reachability, within the path each clock either never exceeds the value B or it exceeds B. But once a clock exceeds B, it never resets afterwards. Thus, with respect to each clock, a path can be divided into at most two phases. Values of the clock in the first phase do not exceed B while the clock in the second phase never resets. Thus, when all clocks are considered, a path can be divided into at most |X| + 1 phases such that within each phase a clock either never resets or resets (for an unbounded number of times) but with values not exceeding B. The result follows by concatenating these phases, where, in a phase in which a clock does not exceed B, a finite variable (bounded by B) is used to represent the clock, and in a phase in which a clock never resets, Lemma 2 is used.
(3) ⟨B, r⟩-crossing-bounded reachability $\leadsto^{\langle B, r \rangle}_A$: Consider a ⟨B, r⟩-crossing-bounded path of A. From the definition, each clock in the path can only cross the boundary B at most r times. Thus, the path can be divided into at most r|X| + 1 phases with the first r|X| phases being B-bounded paths. The last one is either a B-bounded path or a path with no clock resets. Phases are connected by a one-step transition with at least one clock reset. Thus, the result follows from (1) and (2) above.
The case when A has parameterized durations is more complicated. In principle, A with parameterized durations can be simulated by an A′ with unit durations. This is done by simply introducing a new clock z to test whether the parameterized duration of a transition is reached, and after the transition is fired z is reset to 0. However, the three approximations on A are not equivalent to those on A′. The reason is as follows. Consider $\leadsto^0_A$, the 0-reset-bounded approximation of A. $\alpha \leadsto^0_A \beta$ if α can reach β through a path without clock resets. But for A′ each transition with a parameterized duration causes clock z to reset. Thus, a path in A′ witnessing $\alpha \leadsto^0_A \beta$ could have an unbounded number of clock resets. Therefore, for A with parameterized durations, Theorem 7 is not applicable.
Before proceeding to prove some further results, we first give some properties of linear relations. Let R be the (finite) set of all the atomic linear relations that appear in all the enabling conditions of A. Each atomic linear relation is obviously convex in clocks X for any fixed values for parameterized constants in C. Define the set of labels: $\Sigma = \{\bigwedge_{R_i \in R} \theta_i : \text{each } \theta_i = R_i \text{ or } \theta_i = \neg R_i\}$. Each label is a linear relation over X and C, and it is convex in clocks X. A configuration α has label $\theta \in \Sigma$ if the values of the clocks and the parameterized constants in α satisfy the linear relation θ. By the definition of Σ, each configuration has a unique label.
In the following, we consider a generalized discrete timed automaton A (with parameterized durations). Currently, we cannot show a decidable characterization of $\leadsto^0_A$, since we find it is related to the emptiness problem of 2NCM(1, r), which is still open. However, by restricting A to be deterministic, the following results can be established.
Lemma 3. Let A be a deterministic generalized discrete timed automaton. Then $\leadsto^0_A$ has a 2DCM-padding.
Proof. Let A = ⟨S0, S, C, X, E⟩. Since $\leadsto^0_A$ contains no clock resets, we may assume that all edges in A with clock resets are not present in A. Let α and α′ be two configurations. Denote by Σ the set of labels. Since clocks in A synchronously increase at the same rate, due to the convexity of each label in Σ, without loss of generality, we can further partition a path for $\alpha \leadsto^0_A \alpha'$ into the following sequence, $\alpha_0 \nearrow \alpha'_0 \to \alpha_1 \nearrow \alpha'_1 \cdots \to \alpha_m \nearrow \alpha'_m$, where m is bounded by the number of labels in Σ, and $\alpha_0 = \alpha$, $\alpha'_m = \alpha'$. Each "↗" represents a sequence of one-step transitions through configurations with the same label. Each "→" represents a one-step transition. Note that the number of labels is independent of the choice of the sequence. Thus, from Lemma 1, it suffices to show that both → and ↗ have 2DCM-paddings.
We first show the case for ↗. The one for →, which is trivial, is left for the reader. Assume ↗ is through configurations with the same label θ. By definition, a label gives the truth value for each enabling condition. We first drop all edges e from E with $l_e \wedge \theta$ false. Then the enabling conditions on all the remaining edges are replaced by true. The resulting automaton is written as $A^-$. Note that $A^-$ is deterministic. That is, each node in $A^-$ cannot have more than one outgoing edge, from the definition of θ and the fact that A is deterministic. Given two configurations $\alpha_s$ and $\alpha_{s'}$ at control states s and s′, respectively, a key observation is
$\alpha_s \nearrow \alpha_{s'}$ iff $\alpha_s \leadsto \alpha_{s'}$ in $A^-$ and both $\alpha_s$ and $\alpha_{s'}$ have label θ.
That is, $\alpha_s \nearrow \alpha_{s'}$ if and only if $\alpha_s$ reaches $\alpha_{s'}$ in $A^-$ with the first configuration $\alpha_s$ and the last configuration $\alpha_{s'}$ having the same label θ. The convexity of each label ensures that all the intermediate configurations also have the same label. Since $A^-$ is deterministic, any path from s to s′ can be written as $u v^i w$ for some i, with the length of u, v and w bounded by the number of control states |S|. That is, the path can be concatenated from a short path and a short cycle followed by another short path. In order to show that ↗ has a 2DCM-padding, we construct the required 2DCM(1, r) M. M operates on an input tape with the following format: $B_s \# B_{s'} \# u \# v \# w$, where $B_s$ and $B_{s'}$ are string encodings of the two configurations $\alpha_s$ and $\alpha_{s'}$. u, v and w are short sequences of control states, which could be empty, with u starting with s and w ending with s′. From the above key observation, M only needs to check:
(1) the input tape is in the correct format. That is, $A^-$ actually has a path uvw. This can be done by M using a finite table look-up. Configurations $\alpha_s$ and $\alpha_{s'}$ agree on each (positive) parameterized constant. This can be done with exactly |C| counter reversals.
(2) $\alpha_s$ and $\alpha_{s'}$ have the same label θ. Note that θ is a linear relation. Checking satisfiability of a linear relation over configurations $\alpha_s$ and $\alpha_{s'}$ can be done by accumulating the counter while reading the value of each clock and constant stored in $B_s \# B_{s'}$ on the two-way input tape. Since θ is fixed, this needs only κ(|C| + |X| + 1) counter reversals, where κ is the number of atomic linear relations in θ.
(3) M also needs to check that for each $x \in X$, the net clock change $(\alpha_{s'})_x - (\alpha_s)_x$ is the same. This needs 4|X| counter reversals. Also, M makes sure that the net clock change agrees with the net clock change on a path $u v^i w$ for some i. Denote by $\delta_u$, $\delta_v$, $\delta_w$ the sum of the durations of the edges in sequences u, v, w, respectively. Let $x \in X$. The counter in M first calculates $(\alpha_{s'})_x - (\alpha_s)_x - \delta_u - \delta_w$. This can be done by at most 1 counter reversal. Then M tests whether the counter is ≤ 0, and does the same test again after subtracting $\delta_v$ from the counter, until the test succeeds. If the counter is equal to 0, then M accepts, else M rejects. Note that M has only one counter, thus $\delta_v$ cannot be stored. Since v is a short path, M instead subtracts each duration (i.e., a constant, stored in $B_s$) one by one in v.
Thus, M accepts some input as above iff $\alpha_s \nearrow \alpha_{s'}$. This completes the construction of the required 2DCM(1, r) machine.
The following theorem gives a characterization of the three approximations of $\leadsto_A$.
Theorem 8. Let A be a deterministic generalized discrete timed automaton. Then, $\leadsto^r_A$, $\leadsto^B_A$ and $\leadsto^{\langle B, r \rangle}_A$ have 2DCM-paddings.
Proof. Similar to the proof of Theorem 7, by "concatenating" the 2DCM-padding for each phase using Lemmas 1 and 3.
4. Veri)cation of safety properties
Consider P and I , two sets of con)gurations of a generalized discrete timed automa-
ton A de)nable by Presburger formulas. If, starting from a con)guration in I , A can
only reach con)gurations in P, then P is a safety property with respect to the initial
condition I . The following is an example:
“starting from a con)guration satisfying x1 − x2 + x3 − x4¿c+ d, A cannot reach a
con)guration satisfying 2x1 + x2¡c ∧ x3 − 3x4¿2d− c”.
The safety analysis problem is to determine whether P is a safety property with respect
to the initial condition I .
Theorem 9. The safety analysis problem is decidable for generalized discrete timed
automata with unit durations for any one of the following approximations: r-reset-
boundedness, B-boundedness and 〈B; r〉-crossing-boundedness.
Proof. Let A be a generalized discrete timed automata with unit durations. Without
loss of generality, consider r-reset-bounded approximation. The safety analysis prob-
lem is equivalent to the existence of  and  such that ∈I;  ❀rA , and ∈¬P.
From Theorem 7, ❀rA is Presburger. Using the fact that P and I are Presburger and
Presburger formulas are closed under quanti)cation, the theorem follows.
Theorem 10. The safety analysis problem is decidable for deterministic generalized
discrete timed automata for any one of the following approximations: r-reset-
boundedness, B-boundedness and 〈B; r〉-crossing-boundedness.
Proof. Let A be a deterministic generalized discrete timed automaton. We only prove the result for the case of the r-reset-bounded approximation, the others being similar. From Theorem 8, $\leadsto^{r}_{A}$ has a 2DCM-padding. That is, we can construct a 2DCM(1,t) M such that, for every pair of configurations, the second is reachable from the first under $\leadsto^{r}_{A}$ iff there is a w′ such that M accepts the encoding 〈·, ·〉 of the pair followed by #w′. Let P and I be two sets of configurations definable by Presburger formulas. It is
observed that P is not a safety property with respect to the initial condition I under the approximation iff there is a configuration in I from which some configuration in ¬P is reachable under $\leadsto^{r}_{A}$. Using the known fact that a Presburger relation can also be accepted by a deterministic two-way counter machine with one reversal-bounded counter, the above M can be further modified to check that the first configuration of the pair is in I and the second is in ¬P. Thus, the safety analysis problem is equivalent to testing the emptiness of M, which is decidable from Lemma 1.
Remark. Theorem 10 can be strengthened. The class of languages accepted by deterministic two-way counter machines with one reversal-bounded counter is closed under Boolean operations [19]. It follows that Theorem 10 remains valid even if the sets of configurations P (property) and I (initial condition) are sets accepted by these machines.
It is desirable to consider the decidability of the safety analysis problem for generalized discrete timed automata under some special form but without using the approximations. One such form is parameterized timed automata with only one parameterized clock. As stated in Theorem 1(2), the state reachability problem is decidable. However, surprisingly, the safety analysis problem, i.e., “deciding whether P is a safety property with respect to the initial condition I for a parameterized timed automaton with only one parameterized clock, where both P and I are definable by Presburger formulas”, is still open. This problem is closely related to the open problem of the decidability of the emptiness problem of 2NCM(1,r). This is also an example showing that binary reachability is much stronger than state reachability. Another form that can be considered is generalized discrete timed automata with clock constraints x#c (c is an integer); that is, they are standard timed automata with parameterized durations. The state reachability problem for these automata is decidable. The idea is to translate a transition with a parameterized duration d into a loop with unit duration, add a new clock z which is tested against d, and use Theorem 1(2), since z is the only parameterized clock. But again, it is open whether the safety analysis problem is decidable for these automata. This problem is simpler than the previous open problem, but the answer is currently not clear.
It is also worthwhile to point out that the characterizations of the binary reachability of deterministic generalized discrete timed automata under the approximations, as shown in Theorem 8, are not necessarily Presburger. In fact, there are nonsemilinear languages that are 2DCM(1,r)-recognizable [19].
5. A verification example
In practice, allowing generalized clock constraints and parameterized durations makes it possible to specify more complex real-time systems. In this section, we take an example specification [22] of the railroad crossing benchmark [15], which is written in ASTRAL [6]. The specification describes a system consisting of a set of railroad tracks that intersect a street where cars may cross the tracks. A gate is located at the crossing to prevent cars from crossing the tracks when a train is near. A sensor on each track detects the arrival of trains on that track. The critical requirement of the system is that
whenever a train is in the crossing the gate must be down, and when no train has been in between the sensors and the crossing for a reasonable amount of time, the gate must be up. The complete ASTRAL specification of the railroad crossing system, which was written by Paul Kolano, can be found at http://www.cs.ucsb.edu/~dang.
The ASTRAL specification includes a global specification and two process specifications: one is Gate and the other is Sensor. A transition system is specified inside each process specification along with local assumptions and local properties. ASTRAL adopts a modularized view of the specified system at the level of correctness proofs: the global properties in the global specification can be verified by using global assumptions and local properties (instead of the actual transition behaviors) of each process instance; local properties of a process instance can be verified by using the local assumptions, the local imported variable clause and the transition system of the instance, without looking at the transition behaviors of the other process instances. (A reader need not worry about the possibility of circular proofs. The ASTRAL proof theory is sound; see [8] for details.)
We take the Sensor process specification to see how parameterized durations and parameterized clock constraints are used in ASTRAL. Sensor reports whether a train is beyond the crossing, which is indicated by a Boolean variable train_in_R. The process specification has only two transitions, enter_R and exit_R, which have parameterized durations enter_dur and exit_dur, respectively. Transition enter_R changes train_in_R from FALSE to TRUE as follows:
TRANSITION enter_R
ENTRY [ TIME : enter_dur ]
~train_in_R
EXIT
train_in_R = TRUE.
Transition exit_R sets train_in_R back to FALSE after the slowest train moves out of the crossing. That is,
TRANSITION exit_R
ENTRY [ TIME : exit_dur ]
train_in_R
& now - Start ( enter_R ) >= RIImin - exit_dur
EXIT
train_in_R = FALSE,
where now indicates the current time, Start(enter_R) is the most recent start time of transition enter_R, and RIImin is a parameterized constant indicating the time for the slowest train to move out of the crossing. One of the two transitions is nondeterministically chosen to fire as long as the ENTRY condition of the chosen transition is satisfied. However, if neither of them is fireable, the process idles: now progresses by one time unit and train_in_R does not change.
But, according to this semantics, transition enter_R must fire immediately whenever transition exit_R completes. This is not the intended behavior of Sensor. In fact, it is desirable that enter_R fires only when a train actually comes. But enter_R specified
as above only tells what happens (train_in_R is set to TRUE) when a train comes, not the time when a train comes. The pattern of a train’s arrival is controlled by the environment of the process. In this specification, transition enter_R is declared as exported. That is, it must be called by the environment in order to fire. In Sensor, the environment is specified by the following environment clause:
Call ( enter_R, now )
& EXISTS t: time
( t >= 0 & t <= now & Call[2] (enter_R, t))
-> Call(enter_R) - Call[2] (enter_R) > RIImin.
It says that two consecutive calls of enter_R must be separated by more than RIImin time units. Assuming the environment clause holds, the safety property of the process is specified as a schedule:
( now >= response_time & Call (enter_R, now-response_time)
-> train_in_R )
& ( now >= RIImin & Call (enter_R, now-RIImin)
-> ~train_in_R ).
The first conjunct of the schedule says that a train will be sensed within enter_dur time units after a call of transition enter_R is placed (note that, according to the assumptions on the parameterized constants, response_time is a parameterized constant not less than enter_dur and satisfying RIImin >= response_time + exit_dur). The second conjunct of the schedule says that the sensor will be reset when the slowest train is beyond the crossing. It is assumed that initially now is 0 and train_in_R is FALSE.
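The following Python model is an added example, not part of the paper or of the ASTRAL toolset: it executes the Sensor process under the discrete-time semantics described above (a transition fires when idle and its ENTRY holds, its EXIT takes effect after its duration, otherwise the process idles), checks both conjuncts of the schedule at every instant, and enumerates all call patterns allowed by the environment clause. The treatment of a call as pending until served, durations of at least one time unit and the parameter values are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass
class Params:            # parameterized constants of the Sensor specification
    enter_dur: int       # duration of enter_R (assumed >= 1)
    exit_dur: int        # duration of exit_R (assumed >= 1)
    response_time: int
    RIImin: int

def run_sensor(calls, p, horizon):
    """Run Sensor for now = 0..horizon with enter_R called at the times in `calls`;
    return the schedule violations found as (now, conjunct) pairs."""
    train_in_R, start_enter = False, None   # initially now = 0 and train_in_R = FALSE
    busy_until, effect = None, None         # transition being executed and its EXIT effect
    pending = sorted(calls)                 # assumption: a call stays pending until served
    violations = []
    for now in range(horizon + 1):
        if busy_until == now:               # EXIT assertion takes effect at completion
            train_in_R, busy_until = effect, None
        if busy_until is None:              # idle: fire a transition whose ENTRY holds
            if not train_in_R and pending and pending[0] <= now:   # enter_R (exported)
                pending.pop(0)
                start_enter = now           # Start(enter_R)
                busy_until, effect = now + p.enter_dur, True
            elif train_in_R and now - start_enter >= p.RIImin - p.exit_dur:   # exit_R
                busy_until, effect = now + p.exit_dur, False
        if now >= p.response_time and (now - p.response_time) in calls and not train_in_R:
            violations.append((now, 1))     # first conjunct of the schedule
        if now >= p.RIImin and (now - p.RIImin) in calls and train_in_R:
            violations.append((now, 2))     # second conjunct of the schedule
    return violations

def env_ok(calls, p):
    """Environment clause: consecutive calls of enter_R are more than RIImin apart."""
    c = sorted(calls)
    return all(b - a > p.RIImin for a, b in zip(c, c[1:]))

def first_violation(p, horizon, max_calls):
    """Check every pattern of at most max_calls calls placed in [0, horizon] that satisfies
    the environment clause; return the first pattern violating the schedule, or None."""
    for k in range(max_calls + 1):
        for calls in combinations(range(horizon + 1), k):
            if env_ok(calls, p) and run_sensor(set(calls), p, horizon + p.RIImin):
                return calls
    return None

# constructed values: GOOD meets the assumptions on the parameterized constants
# (response_time >= enter_dur, RIImin >= response_time + exit_dur); BAD violates the second
GOOD = Params(enter_dur=1, exit_dur=1, response_time=2, RIImin=5)
BAD = Params(enter_dur=1, exit_dur=1, response_time=3, RIImin=3)
```

With GOOD no allowed call pattern breaks the schedule, whereas calls placed closer than RIImin (ruled out by the environment clause) or parameters with RIImin < response_time + exit_dur make the two conjuncts contradict each other.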
We manually translated Sensor into a generalized discrete timed automaton and computed the transitive closure of the one-step transition of the automaton using the Omega Library [25], which is a tool to manipulate Presburger formulas. Experiments were run on a Sun workstation with 4 CPUs, 256M of real memory and 512M of swap memory. Unfortunately, the closure could not be computed, even when the durations (enter_dur and exit_dur) were set to 1. Then, we used the B-bounded approximation on the automaton with B=3. This time, the binary reachability $\leadsto^{B}_{A}$ could be computed in about 1 min of CPU time using 170M of memory. But the other two approximation approaches were still too expensive to calculate.
6. Conclusions and future work
We studied generalized discrete timed automata with general linear relations over clocks and parameterized constants as clock constraints and with parameterized durations. We focused on three approximation techniques and automata-theoretic characterizations of binary reachability under these approximations. The characterizations allow us to show that the safety analysis problem is decidable with respect to generalized discrete timed automata with unit durations, and deterministic generalized discrete timed automata with parameterized durations (modulo the approximations). We used
an example specification written in ASTRAL to run a number of experiments using one of the approximation techniques. The results of the experiments show that further improvements to the approximations have to be developed, since currently they are not practical for large specifications.
For future work, we want to investigate how the approximation techniques proposed in this paper can be combined with existing image-approximation techniques [13] in debugging infinite state systems. Solutions to this problem would lead to an implementation of an effective specification debugger for large real-time specifications. Another research issue is how to extend the results in this paper to the case of generalized timed automata with dense clocks. Recent ideas in [9] may provide some insights.
References
[1] R. Alur, Timed automata, CAV’99, Lecture Notes in Computer Science, vol. 1633, Springer, Berlin,
pp. 8–22.
[2] R. Alur, C. Courcoubetis, D. Dill, Model-checking in dense real time, Inform. Comput. 104 (1993)
2–34.
[3] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183–236.
[4] R. Alur, T.A. Henzinger, A really temporal logic, J. Assoc. Comput. Mach. 41 (1994) 181–204.
[5] R. Alur, T.A. Henzinger, M.Y. Vardi, Parametric real-time reasoning, STOC’93, ACM Press, New
York, pp. 592–601.
[6] A. Coen-Porisini, C. Ghezzi, R.A. Kemmerer, Specification of real-time systems using ASTRAL, IEEE Tran. Soft. Eng. 23 (1997) 572–598.
[7] A. Coen-Porisini, R.A. Kemmerer, D. Mandrioli, A formal framework for ASTRAL intralevel proof
obligations, IEEE Tran. Soft. Eng. 20 (1994) 548–561.
[8] H. Comon, Y. Jurski, Timed automata and the theory of real numbers, CONCUR’99, Lecture Notes
in Computer Science, vol. 1664, Springer, Berlin, pp. 242–257.
[9] Z. Dang, Binary reachability analysis of timed pushdown automata with dense clocks, CAV’01, Lecture
Notes in Computer Science, vol. 2102, Springer, Berlin, pp. 506–517.
[10] Z. Dang, O.H. Ibarra, T. Bultan, R.A. Kemmerer, J. Su, Binary reachability analysis of discrete
pushdown timed automata, CAV’00, Lecture Notes in Computer Science, vol. 1855, Springer, Berlin,
pp. 69–84.
[11] Z. Dang, R.A. Kemmerer, Using the ASTRAL model checker to analyze Mobile IP, ICSE’99, ACM
Press, New York, pp. 132–141.
[12] Z. Dang, R.A. Kemmerer, A symbolic model checker for testing ASTRAL real-time specifications, RTCSA’99, IEEE Computer Society, Los Alamitos, pp. 174–181.
[13] Z. Dang, R.A. Kemmerer, Using the ASTRAL symbolic model checker as a specification debugger: three approximation techniques, ICSE’00, ACM Press, New York, pp. 345–354.
[14] Z. Dang, P. San Pietro, R.A. Kemmerer, On Presburger liveness of discrete timed automata, STACS’01,
Lecture Notes in Computer Science, vol. 2010, Springer, Berlin, pp. 132–143.
[15] C. Heitmeyer, N. Lynch, The generalized railroad crossing: a case study in formal verification of real-time systems, RTSS’94, pp. 120–131.
[16] T.A. Henzinger, P.-H. Ho, HyTech: the Cornell hybrid technology tool, Hybrid Systems II, Lecture
Notes in Computer Science, vol. 999, Springer, Berlin, 1995, pp. 265–294.
[17] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems,
Inform. Comput. 111 (1994) 193–244.
[18] O.H. Ibarra, Reversal-bounded multicounter machines and their decision problems, J. Assoc. Comput.
Mach. 25 (1978) 116–133.
[19] O.H. Ibarra, T. Jiang, N. Tran, H. Wang, New decidability results concerning two-way counter
machines, SIAM J. Comput. 24 (1995) 123–137.
[20] O.H. Ibarra, J. Su, Z. Dang, T. Bultan, R.A. Kemmerer, Counter machines: decidable properties and applications to verification problems, MFCS’00, Lecture Notes in Computer Science, vol. 1893, Springer, Berlin, pp. 426–435.
[21] P. Kolano, Tools and techniques for the design and systematic analysis of real-time systems, Ph.D.
Thesis, University of California, Santa Barbara, 1999.
[22] P.Z. Kolano, Z. Dang, R.A. Kemmerer, The design and analysis of real-time systems using the
ASTRAL software development environment, Ann. Software Eng. 7 (1999) 177–210.
[23] F. Laroussinie, K.G. Larsen, C. Weise, From timed automata to logic—and back, MFCS’95, Lecture
Notes in Computer Science, vol. 969, Springer, Berlin, pp. 529–539.
[24] K.G. Larsen, P. Pattersson, W. Yi, UPPAAL in a nutshell, Internat. J. Software Tools Tech. Transfer
1 (1997) 134–152.
[25] W. Pugh, The Omega test: a fast and practical integer programming algorithm for dependence analysis,
Comm. Assoc. Comput. Mach. 8 (1992) 102–104.
[26] J. Raskin, P. Schobben, State clock logic: a decidable real-time logic, HART’97, Lecture Notes in
Computer Science, vol. 1201, Springer, Berlin, pp. 33–47.
[27] T. Wilke, Specifying timed state sequences in powerful decidable logics and timed automata, Lecture
Notes in Computer Science, vol. 863, Springer, Berlin, 1994, pp. 694–715.
[28] S. Yovine, A verification tool for real-time systems, Internat. J. Software Tools Tech. Transfer 1 (1997) 123–133.
