Abstract. We consider pushdown timed automata (PTAs), i.e., timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a control state, dense clock values and a stack word. Using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. These properties previously could not be verified using the classic region technique, nor expressed by timed temporal logics for timed automata and CTL* for pushdown systems. The results are also extended to other generalizations of timed automata.
Introduction
A timed automaton [3] can be considered as a finite automaton augmented with a number of dense (either real or rational) clocks. Clocks can be reset or progress at rate 1 depending upon the truth values of a number of clock constraints in the form of clock regions (i.e., comparisons of a clock or the difference of two clocks against an integer constant). Due to their ability to model and analyze a wide range of real-time systems, timed automata have been extensively studied in recent years (see [1, 35] for recent surveys). In particular, by using the standard region technique, it has been shown that region reachability for timed automata is decidable [3]. This fundamental result and the technique help researchers, both theoretically and practically, in formulating various timed temporal logics [2, 4, 5, 6, 27, 32, 33, 34] and developing verification tools [11, 26, 30].
Region reachability is useful but has intrinsic limitations. In many real-world applications [14], we might also want to know whether a timed automaton satisfies a non-region property, e.g., . Recently, Comon and Jurski [16] have shown that the binary reachability of a timed automaton is definable in the additive theory of reals augmented with an integral predicate that tells whether a term is an integer, by flattening a timed automaton into a real-valued counter machine without nested cycles [15]. The result immediately paves the way for automatic verification of a class of non-region properties that previously were not possible using the region technique.
On the other hand, a strictly more powerful system, called a pushdown timed automaton (PTA), can be obtained by augmenting a timed automaton with a pushdown stack. PTAs are particularly interesting because they contain both dense clocks and unbounded discrete structures. They can be used to study, for instance, a timed version of pushdown processes [9, 23] or real-time programs with procedure calls. A configuration of a PTA is a tuple of a control state, dense clock values, and a stack word. The binary reachability of a PTA is the set of all pairs of configurations such that one can reach the other. Comon and Jurski's result for timed automata inspires us to look for a similar result for PTAs. Is there a decidable binary reachability characterization for PTAs such that a class of non-region properties can be verified? The main result in this paper answers this question positively.
There are several potential ways to approach the question. The first straightforward approach would be to treat a PTA as a Cartesian product of a timed automaton and a pushdown automaton. In this way, the binary reachability of a PTA can be formulated by simply combining Comon and Jurski's result and the fact that pushdown automata accept context-free languages. Obviously, this is wrong, since stack operations depend on clock values and thus cannot be simply separated. The second approach is to look closely at the flattening technique of Comon and Jurski to see whether the technique can be adapted by adding a pushdown stack. However, the second approach has an inherent difficulty: the flattening technique, as pointed out in their paper, destroys the structure of the original timed automaton, and thus the sequences of stack operations cannot be maintained after flattening.
Very recently, the question has been answered positively, but only for integer-valued clocks (i.e., for discrete PTAs). It has been shown in [19] that the binary reachability of a discrete PTA can be accepted by a nondeterministic pushdown automaton augmented with reversal-bounded counters (NPCA), whose emptiness problem is known to be decidable [28] . However, as far as dense clocks are concerned, the automata-based technique used in [19] does not apply. The reason is that traditional automata theories do not provide tools to deal with machines containing both real-valued counters (for dense clocks) and unbounded discrete data structures.
In order to handle dense clocks, we introduce a new technique, called the pattern technique, by separating a dense clock into an integral part and a fractional part. Consider a pair (v_0, v_1) of two tuples of clock values. We define (see Section 3 for details) an ordering, called the pattern of (v_0, v_1), on the fractional parts of v_0 and v_1. The definition guarantees that there are only a finite number of distinct patterns. An equivalence relation "≈" is defined such that (v_0, v_1) ≈ (v . Therefore, the fractional parts can be abstracted away from the dense clocks by using a pattern. In this way, by preserving the (almost) same control structure, a PTA can be transformed into a discrete transition system (called a pattern graph) containing discrete clocks (for the integral parts of the dense clocks) and a finite variable over patterns. By translating a pattern back to a relation over the fractional parts of the clocks, the decidable binary reachability characterization of the pattern graph yields the decidable characterization (namely, (D + NPCA)-definability) for the PTA, since the relation is definable in the additive theory of reals. With this characterization, it can be shown that the particular class of safety properties that contain mixed linear relations over both dense variables (e.g., clock values) and discrete variables (e.g., word counts) can be automatically verified for PTAs. For instance, the property
whenever configuration α can reach configuration β, α_{x_1} + 2β_{x_2} − α_{x_2} > #_a(α_w) − #_b(β_w) holds
can be verified, where α_{x_1} is the dense value of clock x_1 in α and #_a(α_w) is the number of occurrences of symbol a in the stack word of α. The results can be easily extended to PTAs augmented with reversal-bounded counters. In particular, we can show that the binary reachability of a timed automaton is definable in the first-order additive theory over reals and integers with ≥ and +, i.e., (R, N, +, ≥, 0). Essentially, for timed automata, Comon and Jurski's characterization (the additive theory of reals augmented with an integral predicate) is equivalent to ours (the additive theory of reals and integers). The additive theory over reals and integers is decidable, for instance, by the Büchi-automata-based decision procedure presented in [12].
Fractional orderings are an effective way to abstract the fractional parts of dense clocks. The idea of using fractional orderings can be traced back to the pioneering work of Alur and Dill in inventing the region technique [3]. Essentially, the region technique makes a finite partition of the clock space such that clock values in the same region give the same answer to each clock constraint in the system (i.e., the automaton of interest). Comon and Jurski [16] notice that Alur and Dill's partition is too coarse for establishing the binary reachability of a timed automaton. They move one step further by bringing in the clock values before a transition was made. But Comon and Jurski's partition is still finite, since their partition, though finer than Alur and Dill's, is still based on answers to all the clock constraints (there are finitely many of them) in the system. In this paper, ≈ induces an infinite partition of both the initial values v_0 and the current values v_1 of the clocks. Essentially, this partition is based on answers to all clock constraints (not just the ones in the system). That is, ≈ is finer than Comon and Jurski's partition as well as Alur and Dill's. This is why the flattening technique [16] destroys the transition structure of a timed automaton, whereas the technique presented in this paper is able to preserve the transition structure. A class of Pushdown Timed Systems was discussed in [10]. However, that paper focuses on region reachability instead of binary reachability.
This paper is organized as follows. Section 2 reviews a number of definitions and, in particular, defines a decidable formalism in which the binary reachability of PTAs is expressed. Section 3 and Section 4 give the definition of patterns and show the correctness of using patterns as an abstraction of fractional clock values. Section 5 and Section 6 define PTAs and show that the pattern graph of a PTA has a decidable binary reachability characterization.
Section 7 states the main results of the paper. In Section 8, we point out that the results in this paper can be extended to many other infinite state machine models augmented with dense clocks.
Preliminaries
A nondeterministic multicounter automaton is a nondeterministic automaton with a finite number of states, a one-way input tape, and a finite number of integer counters. Each counter can be incremented by 1, decremented by 1, or left unchanged. Besides, a counter can be tested against 0. It is well known that counter machines with two counters have an undecidable halting problem, and obviously the undecidability carries over to machines augmented with a pushdown stack. Thus, we have to restrict the behaviors of the counters. One such restriction is to limit the number of reversals a counter can make. A counter is n-reversal-bounded if it changes mode between nondecreasing and nonincreasing at most n times. For instance, the following sequence of counter values: 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 3, 2, 1, 1, 1, 1, · · · demonstrates only one counter reversal. A counter is reversal-bounded if it is n-reversal-bounded for some fixed number n independent of computations. A reversal-bounded nondeterministic multicounter automaton (NCA) is a nondeterministic multicounter automaton in which each counter is reversal-bounded. A reversal-bounded nondeterministic pushdown multicounter automaton (NPCA) is an NCA augmented with a pushdown stack. In addition to counter operations, an NPCA can pop the top symbol from the stack or push a word onto the top of the stack. It is known that the emptiness problem (i.e., whether a machine accepts some word) for NPCAs (and hence NCAs) is decidable.
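As an added illustration (not from the paper), the following Python counts the reversals of a counter history under exactly the definition above (a step that leaves the value unchanged does not change the mode, so plateaus are free) and checks a replayed trace of counter operations against a bound n. The trace format, with operations ("inc", c), ("dec", c), ("test", c) and ("nop",), is an assumption of this example.

```python
def count_reversals(values):
    """Number of mode changes between nondecreasing and nonincreasing in a counter history.
    A step that leaves the value unchanged keeps the current mode (plateaus are free) and the
    first non-zero step only fixes the initial mode, so it is not a reversal."""
    mode, reversals = 0, 0           # mode: +1 increasing, -1 decreasing, 0 not yet fixed
    for prev, cur in zip(values, values[1:]):
        step = (cur > prev) - (cur < prev)
        if step == 0:
            continue
        if mode and step != mode:
            reversals += 1
        mode = step
    return reversals

def counter_history(ops, n_counters):
    """Replay a trace of operations ("inc", c), ("dec", c), ("test", c) or ("nop",) from
    all-zero integer counters and return the value history of every counter.  The trace
    format is an assumption of this example, not the paper's."""
    values = [0] * n_counters
    history = [[0] for _ in range(n_counters)]
    for op in ops:
        if op[0] == "inc":
            values[op[1]] += 1
        elif op[0] == "dec":
            values[op[1]] -= 1
        for c in range(n_counters):          # "test" and "nop" leave the values unchanged
            history[c].append(values[c])
    return history

def reversal_bounded(ops, n_counters, n):
    """True iff every counter is n-reversal-bounded on this trace."""
    return all(count_reversals(h) <= n for h in counter_history(ops, n_counters))

PAPER_SEQUENCE = [0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 3, 2, 1, 1, 1, 1]   # the sequence quoted above
```

The quoted sequence yields one reversal: the run of increments, including the plateaus in between, is a single nondecreasing phase, and the later plateau at 1 does not switch the mode back.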
Lemma 1. The emptiness problem for reversal-bounded nondeterministic pushdown multicounter automata is decidable [28].
When an automaton does not have an input tape, we call it a machine. In this case, we are interested in the behaviors generated by the machine rather than the language accepted by the automaton. We shall use NPCM (resp. NCM) to stand for an NPCA (resp. NCA) without an input tape.
Let N be the set of integers, D = Q (rationals) or R (reals), and Γ an alphabet. We use N+ and D+ to denote the non-negative values in N and D, respectively. Each value v ∈ D+ can be uniquely expressed as the sum ⌈v⌉ + ⌊v⌋, where ⌈v⌉ ∈ N is the integral part of v and 0 ≤ ⌊v⌋ < 1 is the fractional part of v. A dense variable is a variable over D. An integer variable is a variable over N. A word variable is a variable over Γ*. Let m ≥ 1. For each 1 ≤ i ≤ m, we use x_i, y_i, and w_i to denote a dense variable, an integer variable, and a word variable, respectively. We use #_a(w_i) to denote a count variable representing the number of occurrences of symbol a ∈ Γ in w_i. A linear term t is defined as follows:
where n ∈ N, a ∈ Γ and 1 ≤ i ≤ m. A mixed linear relation l is defined as follows:
where t is a linear term, 0 ≠ n ∈ N, and t_discrete is a linear term not containing dense variables. Notice that a mixed linear relation could contain dense variables, integer variables and word count variables. A dense linear relation is a mixed linear relation that contains dense variables only. A discrete linear relation is a mixed linear relation that does not contain dense variables. Obviously, any discrete linear relation is a Presburger formula over integer variables and word count variables.
Each integer can be represented as a unary string, e.g., string "00000" (resp. "11111") for integer +5 (resp. −5). In this way, a tuple of integers and words can be encoded as a string by concatenating the unary representations of each integer and each of the words, with a separator # ∈ Γ . For instance, (2, −4, w) is encoded as string "00#1111#w". Consider a predicate H over integer variables and word variables. The domain of H is the set of tuples of integers and words that satisfy H. Under the encoding, the domain of H can be treated as a set of strings, i.e., a language. A predicate H over integer variables and word variables is an NPCA predicate (or simply NPCA) if there is an NPCA accepting the domain of H. A (D + NPCA)-formula f is defined as follows:
where l dense is a dense linear relation and H is an NPCA predicate. Therefore, a (D + NPCA) formula is a finite disjunction of formulas in the form of l dense ∧ H or l dense ∨ H, where dense variables (contained only in each l dense ) and discrete variables (contained only in each H) are separated. Let p, q, r ≥ 0. A predicate A on tuples in
there is a (D + NPCA)-formula f with p dense variables, p + q integer variables, and r word variables, such that, for all
Proof. (1). l_discrete is a Presburger formula. (The domain of) l_discrete can therefore be accepted by a deterministic NCA [28]. Hence, l_discrete ∧ H and l_discrete ∨ H can be accepted by NPCAs by "intersecting" and "joining" the deterministic NCA and the NPCA that accepts H, respectively.
Instead of giving a lengthy proof, we look at an example of l:
This can be rewritten as: 
. By re-organizing the dense linear relations (in l ′ and f ) and the discrete linear relations (in l ′ ) such that the discrete linear relations are grouped with the NPCA predicates in f , l ′ ∧ f and l ′ ∨ f can be made (D + NPCA)-formulas using Lemma 2 (1). (4). The emptiness problem for l dense ∧ H and l dense ∨ H is decidable, noticing that the emptiness for l dense , which is expressible in the additive theory of reals (or rationals), is decidable, and the emptiness of NPCA predicate H is decidable (Lemma 1). Therefore, the emptiness of any (D + NPCA) formulas, as well as, from Lemma 2 (3), any (D + NPCA)-definable predicates, is decidable.
Clock Patterns and Their Changes
A dense clock is simply a dense variable taking non-negative values in D + . Now we fix a k > 0 and consider k + 1 clocks x = x 0 , · · · , x k . For technical reasons, x 0 is an auxiliary clock indicating the current time now. Let K = {0, · · · , k}, and K + = {1, · · · , k}. A subset K ′ of K is abused as a set of clocks; i.e., we say
The relative representation v of a valuation v is a valuation satisfying:
A valuation v 0 is initial if the auxiliary clock x 0 has value 0 in v 0 . 
Clock Patterns
We distinguish two disjoint sets,
for some 0 ≤ n < 2(k + 1), of nonempty and disjoint subsets of
Though this definition of a pattern is quite complex, a pattern can be easily visualized after looking at the following example. 1 for v 1 (3)) for each component in v 1 ; i.e., the pattern is
There are at most 2^{6(k+1)^2} distinct patterns. Let Φ denote the set of all the patterns (for the fixed k). A pattern is initial if it is the pattern of (v_0, v_0) for some initial valuation v_0. If η is the pattern of (v_0, v_1), we use init(η) to denote the pattern of
[Figure 1: a pattern drawn as a circle; the fractional positions .0, .118, .436, .704, .876, .993 carry the boxes labelled v_0(1), v_0(2), v_1(2); v_1(0); v_0(4); v_1(3); v_0(0), v_0(3); v_1(...)]
have the same pattern, and have the same integral parts (i.e., ⌈v
The following lemma can be observed.
Lemma 3. For any two initialized pairs
, the following statements hold: (1) . the pattern of (v 
Proof. Directly from the definition of a pattern.
Recall that 0^1 ∈ K_1 is the index of the value of clock x_0 (representing now) in v_1. Let η = p_0, · · · , p_n be a pattern. p_i is the now-position of η if 0^1 ∈ p_i. A pattern η is regulated if the now-position of η is p_0. Note that the pattern of an initialized pair (v_0, v_1) is regulated if and only if the auxiliary clock x_0 takes an integral value in v_1 (i.e., ⌊v_1⌋(0) = 0). A pattern is a merge-pattern if the now-position is a singleton set (i.e., 0^1 is its only element). A pattern is a split-pattern if it is not a merge-pattern, i.e., the now-position contains more than one element. ("Merge" and "split" will be made clear in a moment.) Obviously, a regulated pattern is always a split-pattern. This is because the now-position of a regulated pattern, which is p_0, contains at least the two elements 0^0 and 0^1.
Clock Progresses
For each 0 < δ ∈ D + , v + δ is the result of a clock progress from v by an amount of δ. How does a pattern change according to the progress? Let us first look at an example.
Similar steps can be followed to show that the pattern η 2 of
A helpful way to see the relationship between η_1 and η_2 is to look at Figure 1. Holding the box labeled by v_1(0) (for the current time) and sliding counter-clockwise along the big circle by an amount of .268 will stop at the box labeled by v_1(1) and v_1(4). Thus, the pattern η_2 (after sliding) is exactly η_1 (before sliding) except that 0^1 in the 3-position of η_1 is merged into the 2-position of η_2. Notice that η_1 is a merge-pattern and the resulting η_2 is a split-pattern. The integral parts ⌈v_1⌉(1) and ⌈v_1⌉(4) change to ⌈v_2⌉(1) = ⌈v_1⌉(1) + 1 and ⌈v_2⌉(4) = ⌈v_1⌉(4) + 1, while all the other components of ⌈v_1⌉ remain unchanged. The reason is that, after merging 0^1 with 1^1 and 4^1 in η_2, the fractional parts ⌊v_2⌋(1) and ⌊v_2⌋(4) are "rounded" (i.e., become 0). What if we further make a clock progress from v_2 by an amount of δ′ = .12? The resulting pattern η_3 of
which is a merge-pattern again. This process of merging and splitting can be formally defined as the following function next.
k+1 describes how a pattern changes upon a clock progress. Given any discrete valuation u and pattern η = p 0 , · · · , p n with the now-position being p i for some i, next(η, u) is defined to be (η
-(the case when η is a merge-pattern) if i > 0 and |p i | = 1 (that is, the now-position
(that is, η ′ is the result of merging the now-position to the previous position), and
Besides, if i = 1 (i.e., the now-position is merged to p 0 ; in this case, η ′ is a regulated pattern), then u
In either case, u ′ = u.
k+1 is called the increment vector of η, with ∆_η = u′ − u. Obviously, Next(η) ≠ η, and Next(·) is total and 1-1.
To better understand Next(·), we visualize a pattern η as a circle, as shown in Figure 2. Applications of Next(·) can be regarded as moving the index 0^1 along the circle by performing merge-operations (Figure 2 (a)) and split-operations (Figure 2 (b)) alternately. After enough applications of Next(·), 0^1 will return to the original now-position after moving through the entire circle. That is, for each pattern η, there is a smallest positive integer m such that Next^m(η) = η; i.e., η_0, · · · , η_m satisfies η_0 = η_m = η and Next(η_i) = η_{i+1} for each 0 ≤ i < m. More precisely, by looking at Figure 2, if η is a merge-pattern, m = 2n; if η is a split-pattern, m = 2(n + 1). Furthermore, the elements η_0, · · · , η_{m−1} are distinct. The sequence η_0, · · · , η_m is called a pattern ring. The pattern ring is unique for each fixed η_0. Notice that next^m(η, u) = (η, u + 1) for each u. Since the next pattern Next(η) is a merge-pattern (resp. split-pattern) if η is a split-pattern (resp. merge-pattern), on a pattern ring merge-patterns and split-patterns alternate.
Fix any initialized pair (v 0 , v) and 0 < δ ∈ D + . Assume the patterns of (v 0 , v) and (v 0 , v + δ) are η and η ′ , respectively. We say v has no pattern change for
has the same pattern. We say v has one pattern change
The following lemma on the correctness of next can be observed.
Lemma 5.
For any initialized pair (v 0 , v) and any 0 < δ ∈ D + , the following statements are equivalent: (1) .
. v has one pattern change for δ. We say v has n pattern changes for δ, with n ≥ 1, if there are positive δ_1, · · · , δ_n in D+ with Σ_{1≤i≤n} δ_i = δ such that v + Σ_{1≤i≤j} δ_i has one pattern change for δ_{j+1}, for each j = 0, · · · , n − 1. Note that for any δ ≤ 1, v has at most m pattern changes, where m is the length of the pattern ring starting from the pattern η of (v_0, v). This m is uniformly bounded by 4(k + 1).
Lemma 6. For any initialized pair
if v has no pattern change for δ then ⌈v⌉ = ⌈v + δ⌉.
Clock Resets
In addition to clock progresses, clock resets are the other form of clock behaviors. Let r ⊆ K + be (a set of) clock resets. v ↓ r denotes the result of resetting each clock x i ∈ r (i.e., i ∈ r). That is, for each i ∈ K, be conceptually regarded as moving the label v 1 (4) from the box of v 1 (1) and v 1 (4) to the box of v 1 (0) (the current time). Therefore, the pattern after the reset changes from
k+1 for r ⊆ K + describe how a pattern changes after clock resets. Given any discrete valuation u and any pattern η = p 0 , · · · , p n with the now-position being p i for some i, reset r (η, u) is defined to be
′ is the result of bringing every index in r_1 into the now-position. Notice that some of the p_m − r_1 may be empty after moving the indices in r_1 out of p_m, for m ≠ i. In this case, these empty elements are removed from η
Note that Reset r (η) is unique for each η and r, and is independent of u. The following lemma states that reset is correct.
Lemma 7. For any initialized pair (v_0, v) and any r ⊆ K+, reset_r([(v_0, v)], ⌈v⌉) = ([(v_0, v ↓_r)], ⌈v ↓_r⌉).
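The following Python is an added example, not code from the paper, that reconstructs the abstraction of the Clock Progresses and Clock Resets subsections: exact rationals are split into integral and fractional parts, the pattern of an initialized pair (v_0, v_1) is computed as the ascending ordering of fractional positions, next_pattern implements the merge/split step together with the increment of the integral parts, pattern_ring walks a pattern ring, and reset_pattern implements reset_r. Because the page's text for the relative representation is incomplete, the circle orientation is an assumption of this example: the marks of v_0 are its fractional parts (x_0 is 0 there), a clock j of v_1 sits at frac(v_1(j)) − frac(v_1(0)), which a progress leaves unchanged, and the now pointer 0^1 sits at −frac(v_1(0)) and moves toward lower positions, wrapping from p_0 to the top. The checks progress_agrees and reset_agrees compare the abstract step against the concrete valuation, in the spirit of Lemmas 5 and 7; example() runs them on a constructed valuation.

```python
from fractions import Fraction as F
from itertools import groupby
from math import floor

NOW = (0, 1)  # index 0^1: the auxiliary clock x_0 ("now") of the current valuation v1

def parts(x):
    """Integral part (the paper's ceiling bracket) and fractional part of x >= 0, exactly."""
    return floor(x), F(x) - floor(x)

def circle_position(v, j, initial):
    """Position of index j on the pattern circle (assumed orientation): v0 marks are plain
    fractional parts, v1 clocks sit at frac(v1[j]) - frac(v1[0]), the now pointer at -frac(v1[0])."""
    f0, fj = parts(v[0])[1], parts(v[j])[1]
    if initial:
        return fj
    return (fj - f0) % 1 if j else (-f0) % 1

def pattern(v0, v1):
    """Pattern of (v0, v1): ascending positions, each a frozenset of indices (j, b), b = 0 for v0."""
    assert v0[0] == 0, "v0 must be initial (x_0 = 0)"
    marks = sorted((circle_position(v, j, b == 0), (j, b))
                   for b, v in ((0, v0), (1, v1)) for j in range(len(v)))
    return [frozenset(i for _, i in g) for _, g in groupby(marks, key=lambda m: m[0])]

def now_index(eta):
    return next(i for i, p in enumerate(eta) if NOW in p)

def is_merge(eta):  # merge-pattern: the now-position is the singleton {0^1}; p_0 never is
    return len(eta[now_index(eta)]) == 1

def next_pattern(eta, u):
    """next(eta, u) for exactly one pattern change; u lists the integral parts of v1."""
    i, u = now_index(eta), list(u)
    if is_merge(eta):           # merge {0^1} into the previous position p_{i-1}
        tgt = eta[i - 1]
        for j, b in tgt:        # v1 clocks at that mark become integral: round up
            if b == 1:
                u[j] += 1
        if i == 1:              # merged into p_0 (regulated): now itself passed an integer
            u[0] += 1
        return eta[:i - 1] + [tgt | {NOW}] + eta[i + 1:], u
    rest = eta[i] - {NOW}       # split: 0^1 leaves p_i; from p_0 it wraps to the top
    if i == 0:
        return [rest] + eta[1:] + [frozenset({NOW})], u
    return eta[:i] + [frozenset({NOW}), rest] + eta[i + 1:], u

def pattern_ring(eta):
    """eta_0, ..., eta_m with eta_m == eta_0: m = 2n for a merge-, 2(n+1) for a split-pattern."""
    size = 1 + max(j for p in eta for j, _ in p)
    ring, cur = [eta], next_pattern(eta, [0] * size)[0]
    while cur != eta:
        ring.append(cur)
        cur = next_pattern(cur, [0] * size)[0]
    return ring + [eta]

def reset_pattern(eta, u, r):
    """reset_r(eta, u): move every v1 index in r into the now-position, drop emptied positions."""
    moved, i = {(j, 1) for j in r}, now_index(eta)
    eta2 = [p | moved if n == i else p - moved for n, p in enumerate(eta)]
    return [p for p in eta2 if p], [0 if j in r else x for j, x in enumerate(u)]

def abstraction(v0, v1):
    """(pattern, integral parts of v1): all the pattern graph keeps of a clock valuation."""
    return pattern(v0, v1), [parts(x)[0] for x in v1]

def one_change_delta(v0, v1):
    """A progress amount for which v1 has exactly one pattern change."""
    p = circle_position(v1, 0, False)
    marks = {circle_position(v, j, b == 0) for b, v in ((0, v0), (1, v1))
             for j in range(len(v)) if (j, b) != NOW}
    lower = [m for m in marks if m < p]
    dist = p - max(lower) if lower else 1 - max(marks)  # to the next mark below, wrapping
    return dist if is_merge(pattern(v0, v1)) else dist / 2

def progress_agrees(v0, v1, delta):
    """next() on the abstraction equals the abstraction of the concrete valuation v1 + delta."""
    return next_pattern(*abstraction(v0, v1)) == abstraction(v0, [x + delta for x in v1])

def reset_agrees(v0, v1, r):
    """reset() on the abstraction equals the abstraction of v1 with the clocks in r zeroed."""
    zeroed = [F(0) if j in r else x for j, x in enumerate(v1)]
    return reset_pattern(*abstraction(v0, v1), r) == abstraction(v0, zeroed)

def example():
    """Constructed sample (not from the paper): two clocks plus x_0, v1 = v0 + 3/10."""
    v0 = [F(0), F(1, 4), F(2, 5)]
    v1 = [x + F(3, 10) for x in v0]
    eta, u = abstraction(v0, v1)
    m, d = len(pattern_ring(eta)) - 1, one_change_delta(v0, v1)
    eta_m, u_m = eta, u
    for _ in range(m):          # walking the whole ring adds exactly 1 to every integral part
        eta_m, u_m = next_pattern(eta_m, u_m)
    return {"pattern": eta, "merge": is_merge(eta), "ring": m, "delta": d,
            "regulated_ring": len(pattern_ring(pattern(v0, v0))) - 1,
            "progress_ok": progress_agrees(v0, v1, d),
            "reset_ok": reset_agrees(v0, [x + d for x in v1], {2}),
            "after_ring": (eta_m == eta, u_m)}
```

On the constructed valuation, example() reports a merge-pattern with four positions whose ring has length 6 (= 2n for n = 3), that the initial pattern of (v_0, v_0) is a split-pattern with ring length 6 (= 2(n+1) for n = 2), that walking the full ring returns the same pattern with every integral part increased by 1, and that one merge step of amount 3/10 and one reset of clock 2 agree with the concrete valuations.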
Clock Constraints and Patterns
An atomic clock constraint (over clocks x 1 , · · · , x k , excluding x 0 ) is a formula in the form of x i − x j #d or x i #d where 0 ≤ d ∈ N + and # stands for <, >, ≤, ≥, =. A clock constraint c is a Boolean combination of atomic clock constraints. Let C be the set of all clock constraint (over clocks
Any clock constraint c can be written as a Boolean combination I(c) of clock constraints over discrete clocks ⌈x 1 ⌉, · · · , ⌈x k ⌉ and fractional orderings ⌊x i ⌋#⌊x j ⌋ and ⌊x i ⌋#0. For instance, x i −x j < d is equivalent to:
Therefore, testing v ∈ c is equivalent to testing ⌈v⌉ and the fractional orderings on ⌊v⌋ satisfying I(c).
Assume v has a pattern η = p_0, · · · , p_n. A fractional ordering on ⌊v⌋ is equivalent to a Boolean condition on η, as shown in Lemma 4. Whenever η is fixed, each fractional ordering in I(c) has a specific truth value (either 0 or 1). In this case, we use I(c)_η, or simply c_η, to denote the result of replacing the fractional orderings in I(c) by the truth values given by η. Since c_η contains no fractional orderings, it is just a clock constraint (over discrete clocks). Notice that the pattern space Φ is finite; therefore, v ∈ c is equivalent to ∨_{η∈Φ} (v has pattern η ∧ ⌈v⌉ ∈ c_η).
Hence, the truth value of v ∈ c depends only on the pattern of v and the integral parts of v. These observations yield the following results. In particular, Lemma 8 (2) indicates that it suffices to test the two end points v ∈ c and v + δ ∈ c in order to make sure that c is consistently satisfied at each v + δ′, 0 ≤ δ′ ≤ δ, provided that from v to v + δ there is at most one pattern change.
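As an added example (not the paper's code), the Python below evaluates an atomic clock constraint x_i − x_j # d both directly and from the integral parts together with the ordering of the fractional parts alone, which is what c_η amounts to once a pattern has fixed that ordering. fractional_ordering ranks the fractional parts (rank 0 reserved for the value 0) in place of a full pattern; the atom encoding (i, j, op, d) and the sample valuations are constructed for this example. It generalizes the single rewriting the text mentions (x_i − x_j < d) to all five comparison operators and to one-clock constraints x_i # d.

```python
from fractions import Fraction as F
from math import floor

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def parts(x):
    """Integral and fractional part of a non-negative clock value, as exact rationals."""
    return floor(x), F(x) - floor(x)

def atomic_holds(v, atom):
    """Direct evaluation on the valuation v (index 0 is x_0, which constraints never use).
    atom = (i, j, op, d) encodes x_i - x_j op d; j = None encodes x_i op d (constructed encoding)."""
    i, j, op, d = atom
    return OPS[op](v[i] - (v[j] if j is not None else 0), d)

def fractional_ordering(v):
    """Rank of every clock's fractional part, rank 0 reserved for the value 0: the ordering
    information a pattern fixes, so frac(x_i) < frac(x_j) iff rank_i < rank_j, frac == 0 iff rank 0."""
    fracs = sorted({F(0)} | {parts(x)[1] for x in v})
    return [fracs.index(parts(x)[1]) for x in v]

def abstract_holds(u, ranks, atom):
    """I(c) evaluated on integral parts u and ranks only (c_eta, with the pattern replaced by
    ranks): fractional parts lie in [0, 1), so the integral difference decides the comparison
    unless it equals d exactly, where the fractional ordering decides."""
    i, j, op, d = atom
    uj, rj = (u[j], ranks[j]) if j is not None else (0, 0)   # the constant 0 has rank 0
    diff = u[i] - uj
    if op in ("<", "<="):
        return diff < d or (diff == d and OPS[op](ranks[i], rj))
    if op in (">", ">="):
        return diff > d or (diff == d and OPS[op](ranks[i], rj))
    return diff == d and ranks[i] == rj

def consistent(v, atoms):
    """Direct and abstract evaluation agree on every atom for this valuation."""
    u, ranks = [parts(x)[0] for x in v], fractional_ordering(v)
    return all(atomic_holds(v, a) == abstract_holds(u, ranks, a) for a in atoms)

def example():
    """Constructed valuations (x_0 = 0 plus three clocks) and atoms, not taken from the paper.
    vals[0] and vals[1] differ in value but share integral parts and fractional ordering."""
    vals = [[F(0), F(7, 4), F(3, 4), F(5, 2)], [F(0), F(9, 5), F(4, 5), F(13, 5)],
            [F(0), F(2), F(1), F(3)], [F(0), F(1, 3), F(10, 3), F(1, 3)]]
    atoms = [(1, 2, "<", 1), (1, 2, "<=", 1), (1, 2, "=", 1), (3, 1, ">", 0), (3, 1, ">=", 1),
             (1, None, "<", 2), (2, None, "<=", 1), (3, None, "=", 3), (3, 2, ">", 1)]
    same = ([parts(x)[0] for x in vals[0]], fractional_ordering(vals[0])) == \
           ([parts(x)[0] for x in vals[1]], fractional_ordering(vals[1]))
    return {"all_consistent": all(consistent(v, atoms) for v in vals),
            "same_abstraction": same,
            "truth_table": [[atomic_holds(v, a) for a in atoms] for v in vals]}
```

The first two constructed valuations have the same integral parts and the same fractional ordering, and accordingly the same row in the truth table over all nine atoms: this is the observation behind Lemma 8 (3), that two valuations with the same abstraction satisfy exactly the same clock constraints.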
Lemma 8. (1). For any initialized pair (v_0, v) and any pattern η ∈ Φ, if (v_0, v) has pattern η, then, for any clock constraint c ∈ C, v ∈ c iff ⌈v⌉ ∈ c_η. (2). For any initialized pair (v_0, v) and any 0 < δ ∈ D+, if v has at most one pattern change for δ, then, for any clock constraint c ∈ C, ∀0 ≤ δ′ ≤ δ (v + δ′ ∈ c) iff v ∈ c and v + δ ∈ c. (3). For any initialized pairs (v^1_0, v^1) and (v^2_0, v^2), if (v^1_0, v^1) ≈ (v^2_0, v^2), then, for any c ∈ C, v^1 ∈ c iff v^2 ∈ c.
Lemma 9. For any initialized pairs
, and for any c ∈ C, v^1 ∈ c (resp. v^1 ∉ c) iff v^2 ∈ c (resp. v^2 ∉ c),
2). same as (1.2).
Proof. (1). It can be checked that (1.2) and (1.3) hold using Lemma 8 and Lemma 3.
Any larger δ 1 that causes multiple pattern changes for v 1 can be split into a finite (Lemma 6) sequence of small δ's that causes exactly one pattern change. In this case, δ 2 can be calculated by working on each small δ (the last one first) as in the above proof.
(2). The case when r = ∅ is obvious. Assume r contains only one element j ∈ K + . Assume η is the pattern of (v 
), for some j 1 and j 2 , such that no other component in ⌊ v 1 ⌋ and ⌊ v 1 0 ⌋ lies strictly between these two values, then ⌊ v 2 ⌋(j) is picked as any value lies strictly between
, we can show that ⌊v^2⌋(j) can always be picked. The choice of ⌊v^2⌋(j) guarantees that the pattern of (v^1_0, v^1) is the same as the pattern of (v^2_0, v^2). The rest of the conditions in (2) can be checked easily. For the case when r contains more than one element, the above proof can be generalized by resetting the clocks in r one by one.
Pushdown Timed Automata
A pushdown timed automaton (PTA) A is a tuple
where
- S is a finite set of states,
- x_1, · · · , x_k are (dense) clocks,
- Inv : S → C assigns a clock constraint over clocks x_1, · · · , x_k, called an invariant, to each state,
- R : S × S → C × 2^{{x_1,···,x_k}} assigns a clock constraint over clocks x_1, · · · , x_k, called a reset condition, and a subset of clocks, called clock resets, to each (directed) edge in S × S,
- Γ is the stack alphabet,
- PD : S × S → Γ × Γ* assigns a pair (a, γ) with a ∈ Γ and γ ∈ Γ*, called a stack operation, to each edge in S × S. A stack operation (a, γ) replaces the top symbol a of the stack with the string γ ∈ Γ* (possibly empty).
A timed automaton is a PTA without the pushdown stack. The semantics of A is defined as follows. A configuration is a triple (s, v, w) of a state s, a clock valuation v on x 0 , · · · , x k (where x 0 is the auxiliary clock), and a stack word w ∈ Γ * . (s 1 , v 1 , w 1 ) → A (s 2 , v 2 , w 2 ) denotes a one-step transition of A if one of the following conditions is satisfied:
-(a progress transition) s 1 = s 2 , w 1 = w 2 , and
. That is, a progress transition makes all the clocks synchronously progress by amount δ > 0, during which the invariant is consistently satisfied, while the state and the stack content remain unchanged.
, and w_1 = aw, w_2 = γw for some w ∈ Γ*, where R(s_1, s_2) = (c, r) for some clock constraint c and clock resets r, and PD(s_1, s_2) = (a, γ) for some stack symbol a ∈ Γ and string γ ∈ Γ*. That is, a reset transition, by moving from state s_1 to state s_2, resets every clock in r to 0 and keeps all the other clocks unchanged. The stack content is modified according to the stack operation (a, γ) given on edge (s_1, s_2). Clock values before the transition satisfy the invariant Inv(s_1) and the reset condition c; clock values after the transition satisfy the invariant Inv(s_2).
v_2, w_1). This result implies that, from the definition of ≈, for any fixed s_0, s_1, w_0 and w_1, the pattern of (⌊v^1_0⌋, ⌊v^1⌋) (instead of the actual values of ⌊v
Footnote 1: A reader might wonder why we don't have a stack operation for a progress transition. That is, a state s could also be assigned a stack operation (a, γ) such that each progress transition by an amount δ > 0 on state s also modifies the stack content according to (a, γ). However, this progress transition can be treated as a sequence of three transitions: a progress transition (without a stack operation) by δ_1 > 0, a clock reset transition (by adding a dummy clock) performing stack operation (a, γ), followed by a progress transition (without a stack operation) by δ_2 > 0, whenever δ = δ_1 + δ_2. A translation can be worked out expressing any PTA with a stack operation for each progress transition by a PTA as defined in this paper. Since we focus on the clock/stack behaviors of a PTA, instead of the ω-language accepted by it, input symbols are not considered in our definition. (The input to a timed automaton is always one-way. Thus, input symbols can always be built into states.)
The Pattern Graph of a Timed Pushdown Automaton
Let A = ⟨S, {x_1, · · · , x_k}, Inv, R, Γ, PD⟩ be a PTA as specified in the previous section. The pattern graph G of A is a tuple
where
- S is the set of states of A,
- Φ is the set of all patterns. A node is an element of S × Φ,
- the discrete clocks y_0, · · · , y_k are the integral parts of the clocks x_0, · · · , x_k of A,
- E is a finite set of (directed) edges connecting nodes. An edge can be a progress edge, a stay edge, or a reset edge. A progress edge corresponds to progress transitions in A that cause one pattern change. A stay edge corresponds to progress transitions in A that cause no pattern change. Since a progress transition can cause no pattern change only from a merge-pattern, a stay edge connects a merge-pattern to itself. A reset edge corresponds to a reset transition in A. Formally, a progress edge e_{s,η,η′} that connects node (s, η) to node (s, η′) is of the form ⟨(s, η), c, (s, η′)⟩ such that c = Inv(s) and η′ = Next(η) (thus η ≠ η′). A stay edge e_{s,η,η}, with η a merge-pattern, that connects node (s, η) to itself is of the form ⟨(s, η), c, (s, η)⟩ such that c = Inv(s). A reset edge e_{s,s′,r,(a,γ)} that connects node (s, η) to node (s′, η′) is of the form
where R(s, s′) = (c, r) and PD(s, s′) = (a, γ). E is the set of all progress edges, stay edges, and reset edges w.r.t. A. Obviously, E is finite.
A configuration of G is a tuple (s, η, u, w) of state s ∈ S, pattern η ∈ Φ, discrete valuation u ∈ (N + ) k+1 and stack word w ∈ Γ * . (s, η, u, w) → e (s ′ , η ′ , u ′ , w ′ ) denotes a one-step transition through edge e of G if the following conditions are satisfied:
-if e is a progress edge, then e takes the form (s, η), c, (s, η ′ ) and s ′ = s, u ∈ c η ,
Here c_η and c_η′ are called the pre- and the post-(progress) tests on edge e, respectively.
-if e is a stay edge, then e takes the form ⟨(s, η), c, (s, η)⟩ and s = s′, u ∈ c_η, u = u′, η = η′ and w = w′. Here c_η is called the pre- and the post-(stay) test on edge e.
-if e is a reset edge, then e takes the form (s, η), c, r, a, γ, (s
for some w ′′ ∈ Γ * (i.e., w changes to w ′ according to the stack operation). Here 
for some e. The binary reachability →*_G of G is the transitive closure of →_G. The pattern graph G simulates A in a way that the integral parts of the dense clocks are kept but the fractional parts are abstracted as a pattern. Edges in G indicate how the pattern and the discrete clocks change when a clock progress or a clock reset occurs in A. However, a progress transition in A could cause more than one pattern change. In this case, this big progress transition is treated as a sequence of small progress transitions, each of which causes one pattern change (and therefore each small progress transition in A can be simulated by a progress edge in G).
We first show that the binary reachability →*_G of G is NPCA. Observe that the discrete clocks y_0, · · · , y_k are the integral values of the dense clocks x_0, · · · , x_k. Even though the dense clocks progress synchronously, the discrete clocks may not be synchronous (i.e., one discrete clock being incremented by 1 does not necessarily cause all the other discrete clocks to be incremented by the same amount). The proof has two parts. In the first part, a technique is used to translate y_0, · · · , y_k into another array of discrete clocks that are synchronous. In the second part, G can be treated as a discrete PTA [19] by replacing y_0, · · · , y_k with the synchronous discrete clocks. Therefore, Lemma 12 is obtained from the fact [19] that the binary reachability of a discrete PTA is NPCA.
Proof. We start with a technique that makes the discrete clocks y_0, · · · , y_k (i.e., the integral parts of the dense clocks) synchronous on any path of G.
A pattern ordering graph P is a directed graph on Φ.
In this case, we say the edge has label p (p stands for "progress") and η ′ is called the p-successor of
In this case, we say the edge has label r and η ′ is called the r-successor of η. An edge can have multiple labels.²
² For the purpose of this paper, we assume that in Lemma 12 → * G is restricted in such a way that η is a regulated pattern whenever (s, η, u, w) → * . This is because the auxiliary clock x0 in A starts from 0.
A path τ on P is a sequence of edges
Path τ is a p-path if each edge on the path is a progress edge, i.e., label l i is p for all 1 ≤ i ≤ m. Path τ is a regulated path if η 0 is a regulated pattern. Path τ is a p-ring of η 0 if τ is a p-path and η 0 , · · · , η m is the pattern ring of η 0 .

Now we augment P with counters y (= y 0 , · · · , y k ) taking values in (N + ) k+1 . Values of the counters y change along a path in P. For each progress edge η → p η ′ , the counters y change to y ′ as follows: y ′ := y + ∆ η (recall that ∆ η is the increment vector for η), consistent with the definition next(η, y) = (η ′ , y + ∆ η ). For each reset edge η → r η ′ , the counters y change to y ′ as follows: y ′ := y ↓ r , consistent with the definition reset r (η, y) = (η ′ , y ↓ r ). For a p-path τ = η 0 , · · · , η m , ∆ τ = Σ 0≤i≤m−1 ∆ ηi is the net increment of the counters y after walking through the path. In particular, ∆ τ = 1 for each p-ring τ .
A progress edge η → p η ′ is add-1 if η ′ is a regulated pattern. A path is short if it is a regulated path and either it does not contain an add-1 edge or it contains an add-1 edge only at the end of the path. A path is add-1 if it is a short path containing an add-1 edge. By definition, an add-1 path starts and ends with regulated patterns, and no pattern in between along the path is a regulated pattern. The following lemma follows directly from the definitions of reset and next.
Lemma 13. For any path τ , (1) if τ is a short path, then for each i ∈ K + that is reset on τ , y i has value 0 at the end of τ ; (2) if τ is an add-1 path, then for each i ∈ K + that is not reset on τ , y i has progressed by exactly 1 at the end of τ .
When walking along a path in P, a counter in y is nondecreasing except when it is reset. However, the counters y are not synchronous: one counter's advancing by 1 at some progress edge does not always cause all the other counters to advance by the same amount. Now we are going to show that, on any regulated path, y can be simulated by a set of synchronous counters z = z 0 , · · · , z k . The ideas are as follows. Let τ be any regulated path of P. Then τ can be decomposed into segments: a number of add-1 paths followed by a short path. We introduce an increment vector ∆ ∈ {0, 1} k+1 to record how much each counter in y progresses on a segment. Besides, we use I ⊆ K + to remember the indices i ∈ K + that are reset on the segment. Assume the counters y walk through τ and change their values from u to u ′ . Then, in the simulation, the counters z start from u with ∆ = 0 and I = ∅. After walking through τ (while updating ∆ and I along the path), the counters z have values satisfying u ′ = (z + ∆) ↓ I . The simulation is defined by the following translation. For each progress edge η → p η ′ , the instruction y ′ := y + ∆ η is replaced by:
-if η ′ is a regulated pattern (hence the edge is an add-1 edge), i.e., the end of the current segment, then z ′ := (z + 1) ↓ I (synchronous progress followed by resets), and ∆ and I are restored to their initial values 0 and ∅;
-otherwise, z ′ := z, I ′ := I and ∆ ′ := ∆ + ∆ η (the increment is only recorded in ∆).
For each reset edge η → r η ′ , the instruction y ′ := y ↓ r is replaced by z ′ := z ↓ r , ∆ ′ := ∆ ↓ r , and I ′ := I ∪ r.
Obviously, the counters z are synchronous. The correctness of the algorithm is stated as follows.
Claim. For any regulated path τ , y = (z + ∆) ↓ I at the end of τ .
Proof. Consider a regulated path τ . Since τ can be split into segments as mentioned before, and since, by looking at the translation, ∆ = 0 and I = ∅ (i.e., the initial values of ∆ and I) at the end of each add-1 path, it suffices to show the claim for a single segment, i.e., a short path τ , by induction on the length of τ . Notice that, from the translation, I stands for the set of indices that have been reset on the short path, and ∆ stands for the increment that has been made on the short path to the counters y. The relationship between I and ∆ is established in Lemma 13, which will be used in the proof.

Case 1. The claim trivially holds for τ of length 1.

Case 2. Assume the claim holds for short paths of length ≤ m. Now consider a short path of length m + 1. This path can be written as a short path τ followed by an edge e = (η, η ′ ). By the induction hypothesis, y = (z + ∆) ↓ I at η (the end of τ ). We are going to show that y ′ = (z ′ + ∆ ′ ) ↓ I ′ , where primed values are for node η ′ .

Case 2.1. If edge e is a progress edge and η ′ is a regulated pattern, then, from the translation,
Case 2.2. If the edge is a progress edge and η ′ is not a regulated pattern, then, from the translation, z ′ = z, I ′ = I, and ∆ ′ = ∆ + ∆ η . Therefore,
Case 2.3. If the edge is a reset edge η → r η ′ , then, from the translation, z ′ = z ↓ r , ∆ ′ = ∆ ↓ r , and I ′ = I ∪ r. Therefore,
Hence, the claim holds.

Now we continue the proof of Lemma 12. Let G be the pattern graph of a timed automaton A. A path in G witnessing
(with η being a regulated pattern) between two configurations corresponds to a regulated path (by properly adding stack operations) in the pattern ordering graph P. Above, we have demonstrated a technique by which the counters y = y 0 , · · · , y k can be simulated by synchronous counters z = z 0 , · · · , z k using an increment vector ∆ ∈ {0, 1} k+1 and a reset set I ⊆ K + . The relationship between y and z is y = (z + ∆) ↓ I . Tests in G (including all the pre- and post-(progress, stay and reset) tests) are Boolean combinations of y i − y j #d and y i #d with i, j ∈ K + and d ∈ N + (Section 4). Since there are only finitely many choices for I and ∆, these tests can be translated accordingly into tests on z 0 , · · · , z k , using the relationship y = (z + ∆) ↓ I . Observe that the translated tests are still Boolean combinations of z i − z j #d and z i #d with i, j ∈ K + , possibly with larger or smaller d. Since z are synchronous, G, with y simulated by z, is a discrete PTA [19]. In that paper, these synchronous discrete clocks z are further translated into reversal-bounded counters, and hence the binary reachability of a discrete PTA is NPCA, as shown in [19]. Therefore, the lemma follows by translating back from z to y using y = (z + ∆) ↓ I at the start and at the end of the simulation (this requires only a finite number of counter reversals). Thus, → * G is NPCA. In particular, when A is a timed automaton, G, with y simulated by z, is a discrete timed automaton [19]. Using the fact [19] that the binary reachability of a discrete timed automaton is Presburger, →

be a merge-pattern. This progress transition in A can therefore be simply simulated by the stay edge in G at state s. If, however, v has at least one pattern change for δ, then assume the p-ring of η 0 is η 0 , · · · , η m = η 0 .
This progress transition in A can be simulated by the following path consisting of progress edges in G: looping along the p-ring ⌈δ⌉ times at state s in G, followed by a prefix of the p-ring ending with the pattern η i , for some i, of (v 0
Pick any initial valuation
is constructed as follows, where v 0 = v 0 and each transition t i in A corresponds to the edge e i in G. For i = 1 to m, each e i belongs to one of the following three cases. Case 1. e i is a progress edge in G. In this case, next(
, and s i−1 = s i . We pick t i to be a progress transition (at state s i−1 ) in A from v i−1 with an amount δ that causes exactly one pattern change (Lemma 6 and Lemma 5). Take v i = v i−1 + δ. Notice that neither the progress edge nor the progress transition changes the stack content, i.e., w i = w i−1 .

Case 2. e i is a stay edge in G. In this case, η i−1 = η i must be a merge-pattern with w i = w i−1 and s i−1 = s i . We pick t i to be a progress transition (at state s i−1 ) in A from v i−1 with an amount δ that causes no pattern change (Lemma 6). Similarly to Case 1, w i = w i−1 .

Case 3. e i is a reset edge from state s i−1 to state s i with clock resets r in G. Then t i is the reset transition from state s i−1 to state s i with clock resets r in A. Notice that both e i and t i have the same stack operation. Take v i = v i−1 ↓ r and let w i be the result of the stack operation on w i−1 . Notice that, for each i = 1 · · · m,
This can be shown using Lemma 5 for Case 1, Lemma 6 for Case 2, and Lemma 7 for Case 3. Therefore, this constructed path of A keeps exactly the same patterns and integral parts of clocks, as well as the same stack word, as the path in G. From Lemma 8, clock tests (and obviously the stack operations) are consistent between the path in G and the constructed path in A. Hence,
Now, we conclude this section by claiming that → * A,η is NPCA by combining Lemma 12 and Lemma 14. 
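The counter-synchronisation translation from the proof of Lemma 12 above, carried through on a concrete path, as an added example in Python that is not code from the paper. Edges of the pattern ordering graph P are modelled abstractly, which is an assumption of this example: a progress edge is given by its increment vector ∆ η and a flag saying whether its target pattern is regulated (i.e., whether the edge is add-1), and a reset edge by its reset set r; all names (Progress, Reset, Sync, run_y, run_z, claim_holds, lemma13_holds, SAMPLE_PATH, BAD_PATH) are the example's own. The sample path is constructed by hand so that it satisfies Lemma 13; a second constructed path violates Lemma 13 and shows that the claim y = (z + ∆) ↓ I then fails, which is why the lemma is needed in the proof.

```python
# Counter synchronisation along a path of the pattern ordering graph P, as in
# the proof of Lemma 12. Edges are modelled abstractly (an assumption of this
# example): a Progress edge carries its increment vector Delta_eta and whether
# its target pattern is regulated; a Reset edge carries its reset set r.
from typing import FrozenSet, List, NamedTuple, Tuple

Vec = Tuple[int, ...]

class Progress(NamedTuple):
    delta: Vec   # increment vector Delta_eta of the edge
    add1: bool   # True iff eta' is a regulated pattern (an add-1 edge)

class Reset(NamedTuple):
    r: FrozenSet[int]   # indices in K+ reset on the edge

def drop(v: Vec, idx: FrozenSet[int]) -> Vec:
    """The operator v ↓ idx: components with index in idx become 0."""
    return tuple(0 if i in idx else x for i, x in enumerate(v))

def add(v: Vec, w: Vec) -> Vec:
    return tuple(a + b for a, b in zip(v, w))

def run_y(u: Vec, path) -> List[Vec]:
    """Direct semantics: y' = y + Delta_eta (progress), y' = y ↓ r (reset)."""
    y, hist = u, [u]
    for e in path:
        y = add(y, e.delta) if isinstance(e, Progress) else drop(y, e.r)
        hist.append(y)
    return hist

class Sync(NamedTuple):
    z: Vec
    delta: Vec
    I: FrozenSet[int]

    def y(self) -> Vec:
        return drop(add(self.z, self.delta), self.I)   # y = (z + Delta) ↓ I

def run_z(u: Vec, path) -> List[Sync]:
    """The translation: z starts at u with Delta = 0 and I = empty."""
    n = len(u)
    st = Sync(u, (0,) * n, frozenset())
    hist = [st]
    for e in path:
        if isinstance(e, Progress) and e.add1:
            # end of the segment: +1 on every z at once (synchronous), then
            # the resets remembered in I; Delta and I return to initial values
            st = Sync(drop(add(st.z, (1,) * n), st.I), (0,) * n, frozenset())
        elif isinstance(e, Progress):
            st = Sync(st.z, add(st.delta, e.delta), st.I)   # only record it
        else:
            st = Sync(drop(st.z, e.r), drop(st.delta, e.r), st.I | e.r)
        hist.append(st)
    return hist

def claim_holds(u: Vec, path) -> bool:
    """The Claim: y = (z + Delta) ↓ I at every node of the path."""
    return all(s.y() == y for s, y in zip(run_z(u, path), run_y(u, path)))

def lemma13_holds(u: Vec, path) -> bool:
    """Both parts of Lemma 13 on every segment of a regulated path."""
    segs, cur = [], []
    for e in path:
        cur.append(e)
        if isinstance(e, Progress) and e.add1:
            segs, cur = segs + [cur], []
    segs += [cur] if cur else []        # the trailing short path, if any
    y = u
    for seg in segs:
        start, end = y, run_y(y, seg)[-1]
        reset = frozenset().union(*(e.r for e in seg if isinstance(e, Reset)))
        is_add1 = isinstance(seg[-1], Progress) and seg[-1].add1
        for i in range(len(u)):
            if i in reset and end[i] != 0:                             # (1)
                return False
            if is_add1 and i not in reset and end[i] != start[i] + 1:  # (2)
                return False
        y = end
    return True

# Constructed sample path: k = 2, counters y0 (auxiliary clock x0), y1, y2.
R = frozenset
SAMPLE_U = (3, 1, 2)
SAMPLE_PATH = [
    Progress((0, 1, 0), add1=False), Reset(R({2})),
    Progress((0, 0, 0), add1=False), Reset(R({1})),
    Progress((1, 0, 0), add1=True),                   # first add-1 path ends
    Progress((0, 0, 1), add1=False), Progress((0, 1, 0), add1=False),
    Progress((1, 0, 0), add1=True),                   # second add-1 path ends
    Reset(R({1})), Progress((0, 0, 1), add1=False),   # trailing short path
]
# Constructed path violating Lemma 13 (counter 1 is incremented after its
# reset in the same segment): the translation no longer tracks y on it.
BAD_PATH = [Reset(R({1})), Progress((0, 1, 0), add1=False),
            Progress((1, 0, 0), add1=True)]
```

Running run_y and run_z on SAMPLE_PATH from u = (3, 1, 2) ends with y = (5, 0, 2) and z = (5, 0, 1), ∆ = (0, 0, 1), I = {1}, so (z + ∆) ↓ I = (5, 0, 2) as the claim requires; z changes only on add-1 edges, where every counter is incremented at once, which is what makes z synchronous. On BAD_PATH, lemma13_holds and claim_holds both return False.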
A Decidable Binary Reachability Characterization and Automatic Verification
Recall that PTA A actually has clocks x 1 , · · · , x k ; x 0 is the auxiliary clock. The binary reachability ; * B A of A is the set of tuples
The main theorem of this paper gives a decidable characterization for the binary reachability as follows. 
, and on word variables w and w ′ . This formula is equivalent to
From the definition of patterns, P
"for any two configurations α and β with α ; * B A β, if the difference between β x3 (the value of clock x 3 in β) and α x1 + α x2 (the sum of clocks x 1 and x 2 in α) is greater than the difference between # a (α w ) (the number of symbol a appearing in the stack word in α) and # b (β w ) (the number of symbol b appearing in the stack word in β), then # a (α w ) − 2# b (β w ) is greater than 5." The negation of this property can be expressed as the emptiness of
where l is the negation of a mixed linear relation (hence l itself is also a mixed linear relation):
Thus, from Theorem 2, this property can be automatically verified. We need to point out that
is a linear relation on both dense variables and discrete variables. Thus, this property cannot be verified by using the decidable characterization for discrete PTAs [19], where only integer-valued clocks are considered.
-Even without clocks, # a (w) − 2# b (w ′ ) > 5 expresses a non-regular set of stack word pairs. Therefore, this property cannot be verified by the model-checking procedures for pushdown systems [9, 23].
-Even without the pushdown stack,
as a constant such as 0) is not a clock region; therefore, the classical region-based techniques cannot verify this property. This is also pointed out in [16].
-With both dense clocks and the pushdown stack, this property cannot be verified by using the region-based techniques for Timed Pushdown Systems [10].
When A is a timed automaton, by Theorem 1, the binary reachability ; * B A of A can be expressed in the additive theory of reals (or rationals) and integers. Notice that our characterization is essentially equivalent to the one given by Comon and Jurski [16]. For instance, consider the following property for a timed automaton A with two real clocks:
"there are states s and s ′ such that, for any
and thus can be verified according to Theorem 3.
Conclusions, Discussions and Future Work
In this paper, we consider PTAs that are timed automata augmented with a pushdown stack. A configuration of a PTA includes a control state, finitely many dense clock values and a stack word. By introducing the concept of a clock pattern and using an automata-theoretic approach, we give a decidable characterization of the binary reachability of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of safety properties containing linear relations over both dense variables and unbounded discrete variables. A PTA studied here can be regarded as the timed version of a pushdown machine. Looking carefully at the proofs of the decidable binary reachability characterization, we find that the underlying untimed machine (e.g., the pushdown machine) is not essential. We can replace it with many other kinds of machines and the resulting timed system still has a decidable binary reachability characterization. We summarize some of these machines in this section.
Consider a class of machines X. We use XCM to denote machines in X augmented with reversal-bounded counters. We are looking at the binary reachability characterization of the timed version of machines in X. The characterization is established in the previous sections when X is the class of pushdown machines. In the proofs, a dense clock is separated into a fractional part and an integral part. The fractional parts of the dense clocks are abstracted as a pattern and the integral parts are translated into synchronous discrete clocks, which are further translated into reversal-bounded counters [19]. The result of the translation is the underlying untimed machine in X augmented with these reversal-bounded counters, i.e., a machine in XCM. Suppose a class of automata Y accepts the binary reachability of machines in XCM. In the case of X being pushdown machines, XCM represents NPCMs and Y can be chosen as NPCAs (it is known that the binary reachability of NPCMs can be accepted by NPCAs [19]). The fact that this Y (i.e., NPCA) satisfies Lemma 2 is the only condition we need in order to obtain the decidable reachability characterization in Theorem 1. Definitions like NPCA predicates and (D + NPCA)-definability can be modified accordingly into Y predicates and (D+Y)-definability once Y is clear. The above discussion gives the following result.

Notice that Lemma 2 (4) requires that the emptiness problem for Y in Theorem 4 be decidable. Theorem 2 follows immediately from Theorem 4 for the timed version of X.
According to Theorem 4, the timed version of each of the following machines X has a decidable (D+Y)-definable characterization for binary reachability, by properly choosing Y:
-NPCM. Here Y = NPCA.
-NCM with an unrestricted counter. Notice that the counter is a special case of a pushdown stack (when the stack alphabet is unary). Here Y = NPCA.
-Finite-crossing NCM [28] (i.e., NCM augmented with a finite-crossing read-only worktape: the head on the worktape is two-way, but for each cell of the tape, the head crosses it only a bounded number of times). Here Y is the class of finite-crossing NCAs [28], which are NCMs augmented with a finite-crossing input tape.
-Reversal-bounded multipushdown machines [17], which are multipushdown machines [13] augmented with reversal-bounded counters. Here Y is the class of reversal-bounded multipushdown automata [17].
Let X be a class of machines. The pattern technique tells us that, for a decidable binary reachability characterization of the timed version of X, the density of clocks (and even the clocks themselves) is not the key issue. This is because, using the technique, these dense clocks can be reduced to reversal-bounded integer counters. The key issue is whether X and its reversal-bounded version XCM have a decidable binary reachability characterization (i.e., whether the binary reachability can be accepted by a class Y of automata with a decidable emptiness problem). In particular, when the binary reachability of X is effectively semilinear (and hence decidable), in most cases the binary reachability of XCM is also effectively semilinear. Such X include all the machines mentioned above. In this case, once we can show that the untimed machines in X have a decidable binary reachability characterization, we are getting really close to the decidable characterization for their timed version. But there are exceptions. For instance, consider X to be a finite state machine with a two-way read-only worktape. X has a decidable binary reachability characterization (witnessed by two-way multitape finite automata). However, augmenting X with reversal-bounded counters makes the binary reachability undecidable. The pitfall here is that a two-way tape makes reversal-bounded counters too powerful. In fact, the emptiness problem is undecidable for two-way automata augmented with reversal-bounded counters. In the case when there is only one reversal-bounded counter, the emptiness problem is decidable if the machines are deterministic. The nondeterministic case is still open [29].
In practice, augmenting timed automata with other unbounded data structures allows us to study more complex real-time applications. For instance, the decidable characterization of PTAs makes it possible to implement a tool verifying recursive real-time programs containing finite-state variables against safety properties containing linear constraints over dense clocks and stack word counts. Such a tool would be a good complement to the available tools for recursive finite-state programs (for regular safety properties, e.g., termination) [22, 7]. On the other hand, for the existing tools analyzing real-time systems (such as UPPAAL [30] and its extensions [31], TREX [31], HyTech [26], Kronos [11]), the traditional region-based technique used in the tools may be enhanced with the pattern technique. Doing this makes it possible for the tools to verify complex timing requirements that may not be in the form of clock regions. The results in this paper can also be used to implement a model-checker for a subset of the real-time specification language ASTRAL [14]. The subset includes history-independent ASTRAL specifications containing both dense clocks and unbounded discrete control variables.
As mentioned in this section, the timed version of NPCM (i.e., PTAs further augmented with reversal-bounded counters) also has a decidable characterization. This timed model has many important applications. For instance, a real-time recursive program (containing unbounded integer variables) can be automatically debugged using the reversal-bounded approximation (i.e., assigning a reversal-bound to the variables). Additionally, a free counter (i.e., an unrestricted counter) is a special case of a pushdown stack (when the stack alphabet is unary). Therefore, this model can also be used to specify real-time systems containing a free counter and many reversal-bounded counters. It may seem that "reversal-bounded counters" are unnatural and therefore that their applications in practice are remote. However, a non-decreasing counter is also a reversal-bounded counter (with reversal-bound zero). Such counters have a lot of applications. For instance, a non-decreasing counter can be used to count digital time elapsed, the number of external events, the number of times a particular branch is taken by a nondeterministic program (this is important when fairness is taken into account), etc. For instance, consider a timed automaton with input symbols (i.e., a transition is triggered by an external event as well as by the enabling condition). We use # a to denote the number of occurrences of event a so far. The enabling condition of a transition, besides clock constraints, may also include comparisons of the counts # a against an integer constant and comparisons of one specific linear term T (on all # a ) against an integer constant. "It is always true that whenever x 1 − 7# b + 3x 2 > 2# a holds, x 1 must be greater than # c − # a ."
A future research issue is to investigate whether the decidability results [21] for Presburger liveness of discrete timed automata can be extended to timed automata (with dense clocks) using the technique in this paper. We are also going to look at the possibility of extending the approximation approaches for parameterized discrete timed automata [20] to dense clocks. This is particularly interesting, since the reachability set presented in [20] is not necessarily semilinear. Another issue is the complexity analysis of the decision procedure presented in this paper. However, the complexity of the emptiness problem for NPCAs is still unknown, though it is believed that it can be derived along the lines of Gurari and Ibarra [24].
The author would like to thank H. Comon and O. H. Ibarra for discussions on the topic of dense timed pushdown automata during CAV'00 in Chicago, B. Boigelot, P. San Pietro and J. Su for recent discussions on [12] , J. Nelson, F. Sheldon and G. Xie for reading an earlier draft of this paper. Thanks also go to T. Bultan, H. Comon, J. Esparza and K. Larsen for comments on the short version of this paper presented in CAV'01 in Paris.
