We study a model of a queue system consisting of the components described below.
Introduction
Model checking techniques [27] have received much attention in recent years, due to the success of automatic techniques for verifying finite-state systems describing protocols, hardware devices, and reactive systems [14]. The limited expressiveness of finite automata has recently sparked much research to define and study infinite-state models for which "interesting" properties such as reachability, safety, liveness, etc. can be verified. The infinite-state models that have been investigated include timed automata [3], pushdown automata [7, 18], various versions of counter machines [11, 17], and process calculi [28, 9].
A timed automaton is basically a finite-state automaton with finitely many unbounded clocks that can be tested and reset. Since their introduction and the development of appropriate model checking algorithms [2, 5, 21] , timed automata have become a standard model for investigating verification problems of real-time systems (see [1, 30] for surveys). However, the expressive power of timed automata has many limitations in modeling, since many real-time systems are simply not finite-state, even when time is ignored.
One of the ways to extend a timed automaton is to augment it with an unbounded storage device, e.g., a pushdown stack. It has been shown very recently that the binary reachability of a timed pushdown automaton is decidable [16] when clocks are discrete. This result immediately implies that a number of non-region properties (e.g., a Presburger formula over clocks) can be verified. This is in contrast to the classical result [3] that region reachability of timed automata is decidable. However, queues, not stacks, are a good model for many interesting systems, such as protocols and schedulers.
Queues are usually regarded as hopeless for verification, since it is well known that a finite-state automaton equipped with one unbounded queue can simulate a Turing Machine. However, there are restricted models with queues for which reachability is decidable. These models mostly focus on restricted versions of communicating finite state machines (connecting finite state machines with a number of FIFO queues) [6, 10], such as a version in which the queues contain only one type of message and form a single cycle [29], and a version in which the queues are lossy [4]. In this paper, instead of considering finite state machines, we consider discrete timed automata (i.e., clocks are discrete). That is, we study a new queue system, called queue-connected timed automata, by connecting two discrete timed automata (one "writer" and one "reader" ¡ ) with a FIFO queue. The queue is unrestricted and it is used to send messages from to ¡ . This model is inspired by the recent work [23] that considers systems with two reversal-bounded counter machines (thus, each counter can be incremented or decremented by 1 and tested for zero, but the number of alternations between nondecreasing mode and nonincreasing mode is bounded by a fixed constant) connected by a FIFO queue. It was shown in [23] that (binary, forward, backward) reachability, safety, and invariance for these systems are solvable when the machines operate synchronously. In this paper we present similar results for a more complex system of queue-connected discrete timed automata that do not share a global clock and operate in a loosely synchronous way. The results remain valid when the discrete timed automata are augmented with reversal-bounded counters.
We treat the reader and the writer as running in a distributed environment. Even though our technique is still valid when the reader and the writer share a global clock, we prefer to consider a harder and more realistic case, in which the reader and the writer do not share a global clock. If both operate completely independently (i.e., synchronizations are made only at queue operations), the technique presented in this paper can also be used, and more easily. Instead, we allow the reader and the writer to run loosely independently rather than completely independently. That is, the local time of the reader and the local time of the writer always stay close: the variation between them is bounded by a constant. This assumption, we think, is reasonable. For instance, in a distributed network, time protocols can be used to control clock drift even though a global clock is not usually assumed.
In our model, the queue is essentially a one-way queue. That is, the model can describe, for instance, a time-dependent communication protocol in which party can only send messages (through a queue) to party ¡ . In this case, is the writer and ¡ is the reader. Of course, many protocols involve two-way communication instead of only one-way communication. However, it can be easily shown that adding another queue to our model (from ¡ to ) gives it the power of a Turing machine, even when and ¡ are finite-state machines (not timed automata). But one-way protocols do exist. For instance, there are a number of well-known producer/consumer models, such as the modeling of TCP using an unbounded buffer [8], where the producer (the writer) and the consumer (the reader) operate on an unbounded buffer. There is no pre-assumption on the relative speed of the reader and the writer: they can be synchronous, asynchronous, or loosely synchronous. The results presented in this paper can be easily used to automatically verify safety properties expressed as a Presburger formula over the clock readings in both the consumer and the producer, as well as over the number of symbols in the buffer.
Our model can also handle two-way communication by adding a second queue under some restrictions. One of the restrictions is to make the two queues half-duplex [13]. That is, at any moment, at least one of the queues is empty. [13] shows that two finite automata connected by two half-duplex queues have a recognizable reachable set. In this paper, we show that our verification results still hold for loosely synchronous QTAs with two half-duplex queues. This result opens the door for verifying a restricted class of two-way timed communication protocols.
Another point that needs mentioning is that, since we are characterizing binary reachability and doing verification over a class of Presburger properties, the region technique [3] is not applicable (that is, discrete clocks cannot simply be treated as bounded counters in this case [12]). Therefore, constructing the region graph of the model of interest is not enough to deduce the binary reachability [12, 16].
The paper has seven sections, in addition to this section. Section 2 briefly recalls the definition of a discrete timed automaton and its extensions. Section 3 discusses some results in [22, 23] that are used in the paper and cites some recent results in [16, 25] concerning the binary reachability of discrete timed automata (including those with a pushdown stack and/or reversal-bounded counters). Section 4 formally defines queue-connected timed automata and shows that binary reachability is effectively computable. Section 5 extends the verification results to loosely synchronous QTAs with two half-duplex queues. Section 6 presents some properties that can be verified for queue-connected timed automata, including safety and invariance. Section 7 gives an example of a system composed of a sensor and a controller. Section 8 is a brief conclusion.
Discrete Timed Automata and Extensions
A timed automaton [3] is a finite-state machine augmented with a number of real-valued clocks. All the clocks progress synchronously with rate 1, except that a clock can be reset to 0 at some transition. Here, we only consider integer-valued clocks. A clock constraint is a Boolean combination of atomic clock constraints of the following form:
progresses by one time unit; i.e.,
) . Thus, clock resets do not take time.
Timed automata have been extended with various unbounded memory structures, such as stacks and reversal-bounded counters. When a TA is augmented with an unrestricted pushdown stack, the one-step transition will be of the form ) is not present in the configuration if there are no reversal-bounded counters (resp. no stack). The binary reachability of is the set
in 0 or more one-step transitions. The next section reports on the main decidability results for PTA, CPTA and CTA.
Pushdown Acceptors with Reversal-Bounded Counters and Reachability
A pushdown acceptor with reversal-bounded counters (PCA), first studied in [22], is a nondeterministic one-way (input) pushdown automaton augmented with finitely many reversal-bounded counters. Without loss of generality, we assume that the counters can only store nonnegative integers, since the finite-state control can remember the signs of the numbers. Though not necessary (since it is one-way), we assume, for convenience, that the one-way read-only input to the PCA has left and right delimiters. A PCA without a pushdown stack is called a CA. PCAs, even CAs, are quite powerful: they can recognize rather complex languages. Decidability/complexity results concerning PCAs (CAs) have been obtained in [22, 19]. Some of the results were used recently to show the decidability/complexity of some decision problems (containment, equivalence, disjointness, etc.) for database queries with linear constraints [24, 26]. A fundamental result in [22] is the following: [22] .
Corollary 1. The emptiness problem for multitape PCAs is decidable.
The decision questions (reachability, safety, etc.) investigated in this paper are reducible to the emptiness problem for multitape PCAs.
Theorem 2. (i) Let be a TA. Then
is Presburger [12, 16] and can be accepted by a 2-tape CA [16] . ( 
Queue-Connected Timed Automata
The model of synchronized queue-connected reversal-bounded multicounter machines was introduced and investigated in [23]. We now study the model in which the two machines connected by the queue are discrete timed automata that operate in a loosely synchronous manner. Intuitively, a queue-connected discrete timed automaton (QTA) can be described as follows.
-Two TAs (the "writer") and ) is augmented by a write (resp. read) operation to (resp. from) the queue. 
to denote a transition. 
, an integer constant, will be made clear in a moment.
A configuration of a QTA is a tuple Q is the content of the queue (the leftmost is the head, i.e., the reader end, and the rightmost is the tail, i.e., the writer end).
Before we formally define the semantics of a QTA , we first describe intuitively what the intended executions of are. The writer (resp. the reader) can be thought of as a timed automaton with output (resp. input). An output/input can be regarded as a write/read on the queue. The writer and the reader operate independently; the only restriction is that, when the reader reads a symbol ¥ from the queue, this symbol ¥ must have been written by the writer "previously". Therefore, we need some way to define a (causal) ordering of read/write events in . We introduce two special clocks ¦ and ¤ to the writer and the reader, respectively. They measure the local time, i.e., the total number of progressable transitions executed so far, of the writer and the reader. Initially, they both start from 0.
. Now, the semantics is defined on extended configurations, as follows. Let
, and must be an empty string. That is, it must be the case that the queue is empty. In this case, the transition is called an empty-queue transition, which is also internal.
Similarly, a write-transition
for some . This paper will show a language property for the binary reachability (when the components of ) (resp. ) are represented as strings separated by markers with the states and clock values written in unary).
From now on, we consider 
. However, it can be easily observed that, if the sequence is internal, i.e., contains only internal transitions (thus the queue content will not change by firing the sequence of transitions), then the sequence can be re-organized such that
through an internal sequence of read-transitions and write-transitions, then 
" )
). In the following, we will deduce a condition on these timestamp pairs. This condition is equivalent to the existence of the required sequence of external transitions
. The condition will allow us to use an alternating simulation technique later to show the consists of all the symbols that will be read by the reader from the queue; while ( ' consists of all the symbols that will be written by the writer to the queue.
) ( '
is associated with two sequences of (non-negative) numbers: from left to right while executing its transitions and updating its clocks. Whenever the reader wants to read a symbol from the queue, this symbol is provided by the symbol currently being scanned and the reader will make sure that its local time is the same as the read-timestamp of the symbol provided by from left to right. While executing its transitions and updating its clocks, the writer may write a symbol into the queue. The writing is simulated by reading the symbol currently being scanned (by the writer). The writer makes sure that its local time (after the write) is the same as the write-timestamp of the symbol provided by (1) holds, then the sequence can be modified such that both (1) and (2) hold, i.e.,
. That is, we could use the condition on , the write-timestamp cannot be larger than the read-timestamp by more than $ . Before we justify condition (3), we need a technical lemma. is read by the reader. Conditions (1) and (2) imply conditions (a), (b) and (c). This is because
- condition (a) requires that this writing is ahead of reading this symbol by the reader,
- condition (b) requires that this reading is after this symbol was written, and
- condition (c) guarantees that the reader and the writer are loosely synchronous at each external transition (i.e., a read or a write of a symbol).
Therefore, from Lemma 2, conditions (1) and (2) Hence, in order to show
, we need only to show there is a sequence of transitions such that (3) and (1) are satisfied. This essentially says we need only construct two sequences in another counter, since each time this "storing" is done, it will cause at least a counter reversal, and the number of such tests during a computation can be unbounded. On the other hand, a clock progress § ¡ ¢ is standard, but a clock reset § ¥ is not. Since there is no bound on the number of clock resets, clock-counters may not be reversal-bounded (each reset causes a counter reversal). Besides this obvious obstacle in relating clock-counters to reversal-bounded counters, we have another difficulty in handling the queue in QTA . It is well known that a finite-state machine augmented with a queue already has the computing power of a Turing machine. In the following intermediate result, we will show an alternating simulation technique to simulate the queue using two one-way input tapes.
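As an added illustration (not code from the paper), the following Python model executes a small loosely synchronous QTA step by step and records the (symbol, write-timestamp, read-timestamp) pairs of its external transitions; it enforces the drift bound at each read or write and then checks condition (3), that a write-timestamp exceeds the matching read-timestamp by at most the bound, on the recorded pairs. The clock names, the step encoding and the bound d are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class TA:
    """Clock part of one discrete timed automaton: integer clocks that progress
    together, a reset that takes no time, and a local-time counter standing in
    for the paper's special clock on each side (progress steps fired so far)."""
    clocks: Dict[str, int]
    local: int = 0

    def progress(self) -> None:
        for name in self.clocks:
            self.clocks[name] += 1
        self.local += 1

    def reset(self, names: Iterable[str]) -> None:
        for name in names:          # resets do not advance local time
            self.clocks[name] = 0


@dataclass
class QTA:
    """Writer W and reader R joined by one FIFO queue, loosely synchronous with bound d."""
    writer: TA
    reader: TA
    d: int
    queue: List[Tuple[str, int]] = field(default_factory=list)        # (symbol, write-ts)
    pairs: List[Tuple[str, int, int]] = field(default_factory=list)   # (symbol, write-ts, read-ts)

    def _check_drift(self, where: str) -> None:
        # loose synchrony: local times differ by at most d at every external transition
        if abs(self.writer.local - self.reader.local) > self.d:
            raise ValueError(f"{where}: clock drift exceeds {self.d}")

    def write(self, sym: str) -> None:
        self._check_drift("write")
        self.queue.append((sym, self.writer.local))

    def read(self) -> str:
        if not self.queue:
            raise ValueError("read on empty queue")   # only an empty-queue transition fits here
        self._check_drift("read")
        sym, wts = self.queue.pop(0)                   # FIFO: the head is the reader end
        self.pairs.append((sym, wts, self.reader.local))
        return sym


def run(steps: List[Tuple[str, ...]], d: int) -> Tuple[bool, List[Tuple[str, int, int]], str]:
    """Fire constructed steps such as ('W', 'progress'), ('W', 'write', 'a'),
    ('R', 'reset', 'y'), ('R', 'read'); report validity, timestamp pairs and a reason."""
    qta = QTA(TA({"x": 0}), TA({"y": 0}), d)
    try:
        for who, op, *args in steps:
            side = qta.writer if who == "W" else qta.reader
            if op == "progress":
                side.progress()
            elif op == "reset":
                side.reset(args)
            elif op == "write":
                qta.write(args[0])
            elif op == "read":
                qta.read()
            else:
                raise ValueError(f"unknown step {op}")
    except ValueError as err:
        return False, qta.pairs, str(err)
    return True, qta.pairs, ""


def pairs_consistent(pairs: List[Tuple[str, int, int]], d: int) -> bool:
    """Condition (3) on timestamp pairs: a write-timestamp may exceed the matching
    read-timestamp by at most d; a read may lag arbitrarily (the symbol just waits)."""
    return all(wts - rts <= d for _, wts, rts in pairs)
```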
Define a semi-PCA as a PCA which, in addition to a stack and reversal-bounded counters, has clock-counters that use nonstandard tests and assignments as described in the above paragraph. First we prove the following theorem: . begins by guessing which case to simulate. We describe only the operation of for the latter case (which is harder).
The technique is that alternately simulates can then be modified (using a similar construction) to remove nonstandard tests in the simulation of . The following technique is a modification from the one in [16] . Let 
and, noticing that clocks are nonnegative, 
Loosely Synchronous QTA with Two Queues
A QTA can be easily modified to add a second queue from the reader back to the writer. That is, consists of two timed automata and , as shown in Figure 1. Obviously, with two queues, is able to simulate any Turing machine. Therefore, we have to restrict the behavior of in order to get decidable verification results. One restriction is to make half-duplex [13]. That is, each intermediate configuration during an execution must satisfy: at least one of the two queues is empty. [13] shows that the reachable set of a half-duplex system with two finite state machines is recognizable. Now, we point out that the binary reachability of loosely synchronous half-duplex QTAs still satisfies Theorem 4. We use
Verification of Safety Properties
The results of Theorem 4 and Theorem 5 allow us to formulate a set of Presburger safety properties that can be automatically verified for loosely synchronous (half-duplex) QTAs, as follows.
Given a loosely synchronous (half-duplex) QTA , let is Presburger, can be accepted by a deterministic CA [22] . On the other hand, from Theorem 4 and Theorem 5, 
An Example
In this section, we illustrate the use of loosely synchronous half-duplex QTAs to model and verify real-time systems. We note that the proofs of Theorem 4 and Theorem 5 also allow us to extend the QTA model with reversal-bounded (r.b.) counters. In fact, in those proofs the added r.b. counters can be faithfully simulated by the extra r.b. counters in the 2-tape PCAs. Hence, for a QTA augmented with reversal-bounded counters the same decidability results also hold. This augmented QTA may increase or decrease the counters, which start at 0 in the initial configuration. Also, since r.b. counters may be tested for 0, it may have richer enabling conditions in addition to clock constraints, i.e., tests on the counters. We do not give a formal definition of the augmented QTA here, since it is rather obvious. The following example is an application of precisely this larger class.
Consider a system used in a physics experiment, composed of a set of actuators (for controlling the experiment) and of a set of sensors (for measuring and recording various experimental data such as the speed and number of subatomic particles). A controller is in charge of controlling the actuators and the sensors, and of elaborating the data detected by the sensors. It is crucial for the experiment that the sensors collect data only in a precise interval, which may vary depending on various conditions, and send the data to the controller upon request.
We model only one sensor and one controller, and ignore all other components. Data are read by the sensor at a variable speed, depending on the environment. The speed is not infinite, but incoming data have a maximum rate of one datum every two time units. The sensor is associated with a cheap embedded processor, with small computation power and very little memory; hence, it cannot store the data it reads, but must send them immediately to the controller.
The controller is a powerful processor, with lots of memory. However, it has so many other tasks to perform that it cannot continuously elaborate the data coming from the sensor. Incoming data are then put in a queue and read when the controller is ready to make use of them. The protocol in charge of correctly exchanging data between the sensor and the controller (such as the acknowledgement of packet arrival, etc.) is considered to be at a lower level and is not modeled here. We just assume that when data are sent from one end to another, they are correctly put in the queue.
The sensor is not required to read data continuously, since only data collected within a precise time interval are needed. Hence, at the beginning of the experiment the controller first communicates the length of the reading interval to the sensor, which is an integer ¥ . When the moment to start reading data arrives, the controller sends a signal "begin" to the sensor. Upon receipt of the signal, the sensor must read data for exactly . Its transition graph is described in Fig. 2 below. Each label of an edge has four components: the first is the symbol read from the queue, the second is the enabling condition on both clocks and reversal-bounded counters, the third (denoted after a slash) is the symbol written on the other queue, and the fourth is the set of assignments to clocks and counters. For instance, the edge label Its transition graph is described in Fig. 3 below. A run of the system begins with both automata in the are initialized to zero at each transition: hence, the above self-loop is in zero-time. This zero-time assumption is reasonable, since we may assume that the time it takes to transfer the interval length is much smaller than the time to transfer data packets. When
Conclusions
We introduced a generalization of discrete timed automata, i.e., two TAs connected by a unidirectional queue, and analyzed the solvability of verification problems such as (binary, forward, and backward) reachability. The two automata operate in a loosely synchronous way, though our results also hold for the case when they are synchronous (i.e., sharing a global clock with Under both cases, all the results for the QTAs still hold. The QTA models can be used to reason about a number of timed producer/consumer applications involving only one-way communication. We are able to extend the results to a restricted form of QTA with two half-duplex queues. This opens the door for verification of a restricted form of two-way timed communication protocols.
A special case of a QTA is one where and ¡ have no clocks, i.e., they are nondeterministic finite-state machines connected by a queue. We call such a model a finite-state QTA. It can be shown that binary reachability is not computable (i.e., not recursive) for the following models: (i) a finite-state QTA with another (second) queue that can be used to send messages from to ¡ ; (ii) a finite-state QTA with a second queue that can be used to send messages from ¡ to (thus, there is now two-way communication between the machines); (iii) a finite-state QTA where each of ¡ and is augmented with a one-turn pushdown stack (i.e., after popping, the stack can no longer push); (iv) a finite-state QTA where each of ¡ and is augmented with an unrestricted counter.
Obviously, all the QTAs considered so far can be augmented with reversal-bounded counters. The reason is that the added reversal-bounded counters can be faithfully simulated by the extra reversal-bounded counters in the 2-tape PCAs in the proofs of Theorem 4 and Theorem 5.
It would be interesting to further consider the QTA model with dense time. However, the technical difficulty preventing us from doing so is the lack of theoretical tools to handle both dense variables and unbounded discrete data structures in one system. Recent results in [15] give some hope in this direction, by introducing an infinite partition on the dense clock space. We may investigate the dense-time version of QTAs in the future. We also leave the complexity analysis of the decision procedures presented in this paper as future work. The reason is that the complexity bound for the emptiness of PCAs is still unknown, though it is believed that the bound can be derived along the lines of [19].
