Verification of Timed Asynchronous Programs by Abdulla, Parosh Aziz et al.
In this paper, we address the verification problem for timed asynchronous programs. We associate to each task a deadline for its execution. We first show that the control state reachability problem for this class of systems is decidable while the configuration reachability problem is undecidable. Then, we consider the subclass of timed asynchronous programs where tasks are always executed from the same state. For this subclass, we show that the control state reachability problem is PSPACE-complete. Furthermore, we show the decidability of the configuration reachability problem for the subclass.
2012 ACM Subject Classification Theory of computation
Keywords and phrases Reachability, Timed Automata, Asynchronous programs
Digital Object Identifier 10.4230/LIPIcs.FSTTCS.2018.8
Related Version An extended version of this paper is available at [1], http://www.cse.iitb.ac.in/~krishnas/fsttcs2018.pdf.
1 Introduction
One of the well-known design paradigms in concurrent programs is to break a problem into smaller subproblems which are solved asynchronously and concurrently. Each process or thread in the program can then dispatch tasks to other processes, expecting them to be completed by a certain deadline. Each process has a potentially unbounded bag where its pending tasks are stored. In the asynchronous paradigm, one need not wait for time-consuming tasks to be completed in order to proceed; asynchronous procedure calls are stored in a task buffer and executed later, rather than right away. The tasks which are posted asynchronously have deadlines attached to them, and the process or thread in whose bag the task has been posted must execute the task within the deadline. In addition to asynchronous procedure calls, one can also make use of synchronous procedure calls, where the caller of the procedure blocks until the callee returns. To summarize, an asynchronous program is one that contains procedure calls which are not immediately executed from the calling site, but stored and dispatched in a non-deterministic order by some scheduler(s) at a later point.
© Parosh Aziz Abdulla, Mohamed Faouzi Atig, Shankara Narayanan Krishna, and Shaan Vaidya;
licensed under Creative Commons License CC-BY
38th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science
(FSTTCS 2018).
Editors: Sumit Ganguly and Paritosh Pandya; Article No. 8; pp. 8:1–8:16
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
As an example of a timed asynchronous program, we look at SwingWorker, an abstract class developed for the Swing library of Java, which is used to perform lengthy GUI interaction tasks in a background thread. While developing applications, sometimes the GUI hangs when it is trying to do some lengthy task. For such cases, the SwingWorker class schedules the execution of this lengthy task on a different thread while the GUI remains responsive. There are deadlines associated with the background tasks, and if the worker thread which is handling the background task does not finish by the given deadline, then an interrupt is created. To update the user (and GUI) regarding the progress of background tasks, inter-thread communication is allowed.
Writing correct asynchronous programs and reasoning about their correctness is very difficult, since the creation and execution of tasks within deadlines leads to unpredictable behaviours. The verification of asynchronous programs is hence a very challenging topic. A formal model of multiset pushdown systems for asynchronous recursive programs was presented in [16]. This model consists of a pushdown automaton equipped with a multiset or bag. The automaton adds pending asynchronous method calls to the bag, and the stack executes synchronous recursive method calls. A task can be taken from the bag for execution when the stack is empty. The control state reachability problem was shown to be decidable with an EXPSPACE lower bound under this model. This shows that even in the case of single-thread asynchronous programs, the reachability problem is very difficult. Subsequently, [8] showed that control state reachability for single-thread asynchronous recursive programs is EXPSPACE-complete. In all these models, time constraints do not play a role in the execution of the asynchronous methods. In the timed setting, [7] considers asynchronous calls of the form future(p, t) posted to the task buffer, where p is a handler and t ∈ N. The idea is that the handler p will execute the task in t time units from now. The execution of the program is controlled by logical ticks of a clock. The model proposed in [7] is a generalization of the models in [16] and [11]. [7] shows that safety checking for such programs is undecidable.
The goal of this paper is to investigate the decidability and complexity of the reachability problem for asynchronous non-recursive programs under dense time. We propose a formalism called multiset timed automata (MTA) where each process is modeled as a timed automaton [2]. Each timed automaton is equipped with a bag or multiset. To handle asynchronous method calls, each timed automaton can post a task to the bag of another automaton. These tasks have deadlines attached to them. The deadline is either a natural number d ∈ N or ∞. When a task is posted to a bag, its age is considered to be 0, and with the elapse of time the age grows. A task can be executed by the process in whose bag it lies before the age of the task exceeds the deadline; tasks whose ages have exceeded the deadline will be forever pending. While a main process picks up pending tasks depending on their ages in [7], in our model a process can execute a pending task in its bag at will. There are two sources of infinity in our model: one coming from dense time, and the second coming from the unbounded size of the bags of each process. We investigate control state reachability as well as configuration reachability of this model, and show that control state reachability is decidable and EXPSPACE-hard, while configuration reachability is undecidable. We then identify a practically relevant class of MTA where the task execution happens from the same state in each process, and give a PSPACE-complete decision procedure for control state reachability. The configuration reachability also turns out to be decidable for this class.
Related Work
Most of the existing work (e.g., [3, 4, 6, 8, 11, 13, 14, 16]) on the formal verification of asynchronous programs considers the untimed version. In [7], the authors consider timed constraints on tasks; however, this model is different from the formal model studied in this paper. In fact, in [7], the authors assume that a task should always be executed by its deadline and the execution of each task is done in logical zero time. In our model, a task whose age has exceeded the deadline will be forever pending. Furthermore, the control state reachability for the model presented in [7] is undecidable while it is decidable for our model. In [5], the authors consider a model similar to the one considered in this paper and show that the coverability problem is decidable using a different technique than ours.
2 Preliminaries
In this section, we introduce some notations and definitions that will be used throughout the
paper.
Notations
We use the standard notation N for the set of naturals, along with ∞. R represents the set of non-negative real numbers. Let 𝒳 be a finite set of variables called clocks, taking values from R. A valuation on 𝒳 is a function ν : 𝒳 → R. We assume an arbitrary but fixed ordering on the clocks and write xi for the i-th clock. This allows us to treat a valuation ν as a vector (ν(x1), ν(x2), . . . , ν(xn)) in R^|𝒳|. For a subset of clocks X ⊆ 𝒳 and a valuation ν ∈ R^|𝒳|, we write ν[X:=0] for the valuation where ν[X:=0](x) = 0 if x ∈ X, and ν[X:=0](x) = ν(x) otherwise. For t ∈ R, write ν + t for the valuation defined by ν(x) + t for all x ∈ 𝒳. The valuation 0 ∈ R^|𝒳| is the special valuation such that 0(x) = 0 for all x ∈ 𝒳. For a, b ∈ N and a < b, the set ℐ of time intervals is defined by ℐ := [a, b] | [a, a] | (a, b] | [a, b) | (a, b) | [a, ∞) | (a, ∞). The set of clock constraints, denoted ϕ(𝒳), is the set of Boolean formulae over {x ∈ I | x ∈ 𝒳, I ∈ ℐ}. For a constraint g ∈ ϕ(𝒳) and a valuation ν ∈ R^|𝒳|, we write ν ⊨ g to represent the fact that the valuation ν satisfies the constraint g. For example, (1.1, 0, 10) ⊨ (x1 ∈ (0, 2)) ∧ (x2 ∈ [0, 0]) ∧ (x3 ∈ (1, ∞)).
Timed Automata
Let Act denote a finite set called actions. A timed automaton (TA) [2] is a tuple A = (L, L0, Act, 𝒳, E) such that (i) L is a finite set of locations, (ii) 𝒳 is a finite set of clocks, (iii) Act is a finite alphabet called an action set, (iv) E ⊆ L × ϕ(𝒳) × Act × 2^𝒳 × L is a finite set of transitions, and (v) L0 ⊆ L is the set of initial locations. A state s of a timed automaton is a pair s = (ℓ, ν) ∈ L × R^|𝒳|. A time elapse transition from s = (ℓ, ν) to s′ = (ℓ′, ν′), denoted s –t→ s′, is defined iff ℓ′ = ℓ and ν′ = ν + t. Given e = (ℓ, g, a, Y, ℓ′) ∈ E, a discrete transition from s to s′ on e is written as s –e→ s′, such that ν ⊨ g and ν′ = ν[Y:=0]. A run is a finite sequence s0 –t1→ s′0 –e1→ s1 –t2→ s′1 –e2→ s2 . . . sn−1 –tn→ s′n−1 –en→ sn of states with alternating time elapse transitions and discrete transitions.
Multisets or Bags
A multiset or bag over an alphabet Σ is a mapping M : Σ → N. For an element a ∈ Σ, we use a ∈ M to denote that M(a) ≥ 1. We use ∅ to denote the empty multiset. Given two multisets M1, M2 over Σ, we write M1 ≤ M2 iff M1(a) ≤ M2(a) for all a ∈ Σ. M1 + M2 denotes the multiset M such that M(a) = M1(a) + M2(a) for all a ∈ Σ. Likewise, M1 − M2 denotes, when it is defined (i.e., M1 ≥ M2), the multiset M such that M(a) = M1(a) − M2(a) for all a ∈ Σ. The notation M1 + a denotes the multiset M2 such that M2(a) = M1(a) + 1 and M2(b) = M1(b) for all b ≠ a. Likewise, M1 − a denotes, when it is defined (i.e., M1(a) ≥ 1), the multiset M2 such that M2(a) = M1(a) − 1 and M2(b) = M1(b) for all b ≠ a. The terms multiset and bag will be used interchangeably.
Timed Petri Nets
A Timed Petri Net (TPN) [17] is a tuple 𝒩 = (P, T, F, c) where P is a finite set of places, T is a finite set of transitions with T ∩ P = ∅, F ⊆ (P × T) ∪ (T × P) is a flow relation, and c : F ∩ (P × T) → ℐ is a time constraint relation assigning a time interval to every arc from a place to a transition. A marking M of 𝒩 is a mapping that associates to each place p a multiset over R. A marked TPN is a pair (𝒩, M0) where M0 is an initial marking, which assigns to each place in P an initial multiset of tokens annotated with 0 (the initial age). The dynamics of a TPN consists of two types of transition rules: firing of a transition and time elapsing. Given 𝒩 along with a marking M (denoted (𝒩, M)), a transition t is enabled at M iff for all places p such that (p, t) ∈ F, there exists some x ∈ M(p) with x ∈ c(p, t). If t is enabled by M, then it can be fired, producing a marking M′ obtained from M by (i) removing a token from M(p) for all places p such that (p, t) ∈ F and whose age satisfies c(p, t), and (ii) adding a token with age 0 to M(q) for all places q such that (t, q) ∈ F. In a time elapse transition, with an elapsing time r ∈ R, the age of all tokens increases by r. A marked TPN (𝒩, M0) induces a transition system whose states are the markings of 𝒩, and whose transition relation consists of time elapsing and firing transitions.
A read arc in a TPN facilitates firing a transition without removing the token. We use F∗ ⊆ P × T to denote the set of read arcs and c∗ : F∗ → ℐ to denote a function that assigns a time interval to each read arc. A transition t is enabled iff for all places p such that (p, t) ∈ F∗, there exists some x ∈ M(p) with x ∈ c∗(p, t). The transition system induced by a marked TPN with read arcs can be defined in a similar manner as for a marked TPN. A 1-safe marking is one where |M(p)| ≤ 1 for all p ∈ P. A 1-safe TPN is a marked TPN (𝒩, M0), with F ∩ F∗ = ∅, where all markings which are reachable from M0 are 1-safe.
Coverability problem. For markings M1 and M2 in a TPN 𝒩, define M1 ≤ M2 iff for all p ∈ P, M1(p) ≤ M2(p). The coverability problem for 𝒩 asks whether, given a marking M, it is possible to reach a marking M′ in 𝒩 from the initial marking M0 such that M ≤ M′.
3 Multiset Timed Automata
Let 𝒯 = {T1, . . . , TN} be a set consisting of N ≥ 1 timed automata Ti = (Li, L⁰i, Acti, 𝒳i, Ei). A Multiset Timed Automaton (MTA) is defined as M = (Σ, 𝒯, 𝒳, St), where Σ is a finite alphabet called tasks, 𝒳 = ⊎_{i=1}^{N} 𝒳i is the finite disjoint union of the clocks of the Ti, and St is a function that assigns a finite multiset St(i) over Σ (possibly empty) to the timed automaton Ti. This is the initial set of tasks assigned to Ti. The actions Acti are defined as Acti = {i!j(a[d]), i?a | a ∈ Σ, j ∈ {1, . . . , N}, d ∈ N ∪ {∞}} ∪ {nopi}. The number d is the deadline for the task a. The action i!j(a[d]) represents Ti adding the task a to the bag of automaton Tj, where the task a has an associated deadline d. Likewise, the action i?a represents automaton Ti picking up the task a from its bag, provided its age has not exceeded the deadline. For readability reasons, we assume that any outgoing transition from any initial location is labeled by an action of the form i?a. We use the notation N-MTA whenever we need to clarify the number N of timed automata Ti which are used in the definition.
Figure 1 A stateless and time independent 3-MTA consisting of timed automata T1, T2, T3 from
left to right. When the deadline of a task is ∞, we do not mention it.
Let q = (q1, . . . , qN) be a tuple of states, where qi = (si, νi) is the current state of Ti. Let m = (M1, . . . , MN) be a tuple of multisets. Each element in Mi has the form α = (a, r, d) ∈ Σ × R × N, consisting of a pending task, its age, and its deadline in Ti. The age of a task in a bag is the time elapsed since it was added to the bag. For t ∈ R, let q + t represent the tuple (q′1, . . . , q′N) where q′i = (si, νi + t). For an element α = (a, r, d) ∈ Mi, α + t = (a, r + t, d); Mi + t is the multiset obtained by replacing each α ∈ Mi with α + t. We define m + t as the tuple (M1 + t, . . . , MN + t).
A configuration c of an N-MTA is the tuple (q, m) consisting of the current states of all the N timed automata, along with the multisets of pending tasks corresponding to each Ti. An initial configuration is defined as c0 = (q0, m0), where q0 is the tuple ((ℓ⁰1, 0), . . . , (ℓ⁰N, 0)) of initial states of all Ti (ℓ⁰i ∈ L⁰i) and m0 = (M1, . . . , MN) where Mi((a, r, d)) = St(i)(a) for all a ∈ Σ, r = 0 and d = ∞, and Mi((a, r, d)) = 0 otherwise. Given two configurations c = (q, m) and c′ = (q′, m′), we have:
For t ∈ R, c –t→ c′ is a time elapse transition iff q′ = q + t and m′ = m + t.
Let ei = (ℓi, gi, acti, Yi, ℓ′i) ∈ Ei. Then c –ei→ c′ iff qi = (ℓi, νi), νi ⊨ gi, q′i = (ℓ′i, ν′i), ν′i = νi[Yi := 0], q′k = qk for all k ≠ i, and:
If acti = i!j(a[d]), then M′j = Mj + (a, 0, d), and M′k = Mk for all k ≠ j.
If acti = i?a, then there exist r, d such that (a, r, d) ∈ Mi, M′i = Mi − (a, r, d) and r ≤ d (i.e., the age of the task has not yet exceeded the deadline), and M′k = Mk for all k ≠ i.
If acti = nopi, then M′k = Mk for all 1 ≤ k ≤ N.
Starting with an initial configuration c0, a run ρ is defined as a finite sequence of configurations c0 –t1→ c′0 –e1→ c1 –t2→ c′1 –e2→ c2 · · · –tj→ c′j. In that case we say the configuration cj is reachable from the initial configuration c0 by the run ρ.
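As an added illustration of the transition rules above (example code written for this page, not code from the paper), the following Python simulates a constructed 2-MTA: T1 executes its initial task b and then posts a to T2 with deadline 2; T2 can pick a only while its age is at most 2, so after a longer delay the task stays pending forever. The automata, locations, clocks and guards are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

INF = float("inf")
Valuation = Dict[str, float]        # clock valuation nu : X -> R (non-negative reals)
Task = Tuple[str, float, float]     # element alpha = (a, r, d) of a bag: task, age, deadline


@dataclass(frozen=True)
class Transition:
    """e = (l, g, act, Y, l') of some T_i; act is ("post", j, a, d), ("pick", a) or ("nop",)."""
    src: str
    guard: Callable[[Valuation], bool]
    action: tuple
    resets: frozenset
    dst: str


@dataclass
class Config:
    """c = (q, m): q_i = (l_i, nu_i) and M_i the bag of T_i (0-based automaton indices)."""
    states: List[Tuple[str, Valuation]]
    bags: List[List[Task]]


def elapse(c: Config, t: float) -> Config:
    """Time elapse c -t-> c': every clock and every pending task ages by t."""
    return Config([(l, {x: v + t for x, v in nu.items()}) for l, nu in c.states],
                  [[(a, r + t, d) for a, r, d in bag] for bag in c.bags])


def step(c: Config, i: int, e: Transition) -> Optional[Config]:
    """Discrete transition c -e-> c' of T_i, or None if e is not enabled in c."""
    l, nu = c.states[i]
    if l != e.src or not e.guard(nu):
        return None
    bags = [list(bag) for bag in c.bags]
    kind = e.action[0]
    if kind == "post":                       # i!j(a[d]): add (a, 0, d) to the bag of T_j
        _, j, a, d = e.action
        bags[j].append((a, 0.0, d))
    elif kind == "pick":                     # i?a: remove some (a, r, d) with r <= d from M_i
        a = e.action[1]
        live = [x for x in bags[i] if x[0] == a and x[1] <= x[2]]
        if not live:
            return None                      # only expired copies (r > d): forever pending
        bags[i].remove(live[0])
    # kind == "nop": bags unchanged
    states = list(c.states)
    states[i] = (e.dst, {x: (0.0 if x in e.resets else v) for x, v in nu.items()})
    return Config(states, bags)


def locations(c: Config) -> Tuple[str, ...]:
    """The tuple of control locations, as asked for by control state reachability."""
    return tuple(l for l, _ in c.states)


# Constructed 2-MTA (an assumption for this example). St(1) = {b}, St(2) = empty.
# Transitions out of the initial locations l1 and m1 are picks, as the paper requires.
T1_PICK_B = Transition("l1", lambda nu: True, ("pick", "b"), frozenset({"x"}), "l2")
T1_POST_A = Transition("l2", lambda nu: nu["x"] <= 1, ("post", 1, "a", 2), frozenset(), "l3")
T2_PICK_A = Transition("m1", lambda nu: True, ("pick", "a"), frozenset({"y"}), "m2")


def initial() -> Config:
    return Config([("l1", {"x": 0.0}), ("m1", {"y": 0.0})], [[("b", 0.0, INF)], []])


def run_in_time() -> Config:
    """b is picked, a is posted 0.5 time units later and picked 1.5 after that (age 1.5 <= 2)."""
    c = step(initial(), 0, T1_PICK_B)
    c = step(elapse(c, 0.5), 0, T1_POST_A)
    return step(elapse(c, 1.5), 1, T2_PICK_A)


def run_too_late() -> Tuple[Optional[Config], Config]:
    """Same prefix, but 2.5 time units pass before T2 tries to pick a: age 2.5 > deadline 2."""
    c = step(initial(), 0, T1_PICK_B)
    c = elapse(step(elapse(c, 0.5), 0, T1_POST_A), 2.5)
    return step(c, 1, T2_PICK_A), c
```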
In this paper, we consider the following problems. Let s = (s1, . . . , sN ) ∈ L1 × · · · × LN .
P1 Control State Reachability. Given a particular tuple of locations s = (s1, . . . , sN )
of an N -MTA M, the control state reachability problem asks if starting from the initial
configuration c0 of M, there is a run reaching a configuration c = (q,m) such that
qi = (si, νi) for some m, and for some νi, for all 1 ≤ i ≤ N .
P2 Configuration Reachability. Given a particular tuple of locations s = (s1, . . . , sN ) of
an N -MTA M, the configuration reachability problem asks if starting from the initial
configuration c0 of M, there is a run reaching a configuration c = (q,m) such that
m = (∅, . . . , ∅) and qi = (si,0), for all 1 ≤ i ≤ N .
Stateless and Time-Independent MTA
An N-MTA is said to be stateless if Ei ∩ ((Li \ {ℓ⁰i}) × ϕ(𝒳i) × {i?a | a ∈ Σ} × 2^𝒳i × Li) = ∅ for all 1 ≤ i ≤ N, and some ℓ⁰i ∈ L⁰i. The stateless condition ensures that a new task can be picked by an automaton only from a unique initial location. An N-MTA is said to be time-independent iff, in each Ti, all clocks are reset on picking a task from the multiset, and no clock constraints are checked (i.e., Ei ∩ (Li × ϕ(𝒳i) × {i?a | a ∈ Σ} × (2^𝒳i \ {𝒳i}) × Li) = ∅ and Ei ∩ (Li × (ϕ(𝒳i) \ {true}) × {i?a | a ∈ Σ} × 2^𝒳i × Li) = ∅ for all 1 ≤ i ≤ N).
Figure 1 describes a stateless and time-independent MTA M consisting of 3 timed automata T1, T2, T3. The following is a run in M. The initial configuration is c0 = (q0, m0) where q0 = ((ℓ1, 0), (ℓ6, 0), (ℓ10, 0)) and m0 = (M1, M2, M3) with multisets M1 = {(β1, 0, ∞)}, M2 = {(β2, 0, ∞)}, and M3 = {(β3, 0, ∞)}. Let ei,j denote the transition from location ℓi to ℓj (in the example, we have at most one transition between any pair of locations ℓi, ℓj). For this example, the run ends with the transition –e11,12→ c13, which reaches locations (ℓ2, ℓ5, ℓ12) in T1, T2, T3 respectively.
4 Control State Reachability
In the following, we first prove that control state reachability is decidable with non-primitive recursive complexity (at the level F_{ω^{ω^ω}} in the fast growing hierarchy [9]). Then, we show that control state reachability for stateless and time-independent MTA is PSPACE-complete.
Theorem 1. The control state reachability problem for N-MTA is reducible to the coverability problem for timed Petri nets with read arcs.
Proof. We give a translation from an N-MTA M to a TPN with read arcs 𝒩 such that the control state reachability of M reduces to the coverability of 𝒩.
Let M = (Σ, 𝒯, 𝒳, St) be an N-MTA. Without loss of generality, assume that we are interested in reaching f = (f1, . . . , fN) ∈ L1 × · · · × LN. Given the N-MTA M, we construct a timed Petri net 𝒩 as follows. There is a place pℓ in the net corresponding to each location ℓ ∈ Li in Ti for each i ∈ {1, . . . , N}. For each Ti, there is one and only one marked place pℓ such that ℓ ∈ Li, to denote that the control of Ti is at a certain location ℓ. For each clock x in 𝒳, we have a place px in the net. Next, we model the multisets Mi of each Ti. Let dmax ∈ N be the maximal value used for any deadline in M. The possible task, deadline combinations are in the set Σ × {0, 1, . . . , dmax, ∞}. Therefore, corresponding to each Ti, we have |Σ| × (dmax + 2) places in the net. We need this many places so as to distinguish between the tokens. Thus, for each pair (a, d) ∈ Σ × {0, 1, . . . , dmax, ∞}, we have the places p^1_(a,d), . . . , p^N_(a,d).
A transition of the form (ℓ, g, i?a, Y, ℓ′) in automaton Ti is simulated by a transition in 𝒩 as follows. A token from the place pℓ corresponding to the location ℓ, and a token from one of the places p^i_(a,d), d ∈ {0, 1, . . . , dmax, ∞}, are removed. The deadline is checked on the arc via a constraint [0, z] from the place p^i_(a,z) containing the token. A token is added to the place pℓ′ corresponding to ℓ′. A transition of the form (ℓ, g, i!j(a[d]), Y, ℓ′) in automaton Ti is simulated in a similar way. The tokens corresponding to locations are removed and added as in the previous case, and a token is added to the place p^j_(a,d). The clock constraints corresponding to any transition are checked using read arcs from the places simulating the clocks. Clock resets are simulated by removing a token and putting back a token in the place corresponding to the clock.
The details of the formal construction of 𝒩 and the correctness proof can be found in the extended version of the paper [1]. ◀
As a corollary of Theorem 1, we get:
Corollary 2. The control state reachability problem for (time-independent) N-MTA is decidable.
Observe that the coverability problem for Petri nets is easily reducible to the control state reachability problem for time-independent (resp. stateless) N-MTA (in the same way as the proof of the EXPSPACE lower bound for multiset pushdown systems presented in [16]). Therefore, the control state reachability problem for time-independent (resp. stateless) N-MTA is EXPSPACE-hard.
In the rest of this section, we consider the case of stateless and time-independent N-MTA.
Theorem 3. The control state reachability problem for stateless and time-independent N-MTA is PSPACE-complete (for N ≥ 1).
Proof. Since MTA subsume timed automata [2], the PSPACE-hardness of the control state reachability of MTA follows directly from the PSPACE-hardness of reachability of timed automata. The rest of the proof is devoted to proving the PSPACE-membership of the problem.
Let M = (Σ, 𝒯, 𝒳, St) be a stateless, time-independent N-MTA, with 𝒯 = {T1, . . . , TN}, 𝒳 = ⊎_{i=1}^{N} 𝒳i, and St the function that assigns an initial multiset St(i) to each timed automaton Ti. Incurring a polynomial blowup in the size, we give a reduction from the control state reachability of M to the coverability in 1-safe timed Petri nets with read arcs. The coverability of 1-safe timed Petri nets with read arcs is known to be PSPACE-complete [17] and our result follows from this.
Without loss of generality, assume that we are interested in reaching f = (f1, . . . , fN) ∈ L1 × · · · × LN. Let σ be any run from the initial configuration c0 of M which leads into a configuration with locations f. Let c = (q, m) be any configuration that appears in σ. Our proof is divided into two parts.
1. We show that the number of relevant task tuples along σ is bounded by N. Intuitively, a task tuple (a, r, d) ∈ Σ × R × N is relevant for an automaton Ti if (a, r, d) ∈ Mj for some j, r ≤ d, and the task (a, r, d) must be executed by Tj in order to reach the location fi. The irrelevant task tuples can hence be ignored from each Mi, as they do not affect the control state reachability.
2. The bound on the number of relevant task tuples obtained in the previous step is used in constructing a reachability preserving 1-safe timed Petri net with read arcs.
Bounding the number of relevant task tuples
Consider the run σ as described above. Starting from c0, let σi denote the sequence of transitions (in the order they appear in σ) pertaining only to Ti. In the run σ pertaining to Figure 1, σ1 ends with the transition c′7 –e1,2→ c8. We now define a block.
A block in σi begins with a discrete transition of the form –i?a→ (for some task a) and extends until the next transition of the form –i?b→ (for some task b) is encountered. Thus, a block is a sequence of transitions between two executions of tasks by some Ti, and begins with some task execution. σ1 has two blocks: the sequence of transitions from c′0 till c′7 forms a block, and the second block is the transition from c′7 to c8. Omitting the time elapse transitions in σi, let us label each transition in σi with a unique name. Doing this for all σi gives us a unique label for each discrete transition in σ. Let L = {α1, . . . , αm} be the set of block labels occurring in σ. In our running example, using labels {α1, . . . , α6}, we can label the transitions of σ in this way; the last transition becomes –e11,12,α6→ c13. From here on, we refer to the blocks using the block labels.
Figure 2 The dependency graph in stages. G0(M) is the initial graph with no edges. Gi+1(M) is obtained from Gi(M) by changing the color of all the red vertices in Gi(M). The graph stabilizes when there are no red vertices. (The vertices of the figure are pairs (α, dep(α)), such as (α1, {1, 2, 3}).)
For each timed automaton Ti, we now analyze the blocks which contribute to reaching the desired location fi. The last block α of σi, which contains the last task tuple (a, r, d) executed by Ti, definitely contributes to Ti reaching fi. Likewise, the block α′ which added this last task a to the bag of Ti also contributes to Ti reaching fi (note that block α′ may start with a task b which is executed by Tj, j ≠ i). We can continue backwards in this manner and say that the block α′′ which added the task b to the bag of Tj also contributes to Ti reaching fi, and so on. Given a block label α, let dep(α) denote the set of timed automata Ti such that α contributes to Ti reaching fi. Thus, if α is the last block in Ti, then i ∈ dep(α) (we just write the indices i rather than Ti). Likewise, if i ∈ dep(α) and if α′ is the block which added the task a which was executed at the beginning of α, then i ∈ dep(α′), and so on. dep(α) is called the dependency set of α. In our running example above, 3 ∈ dep(α6) since α6 is the last block for T3; however the task ζ3 which was executed in block α6 was added in block α2 (e7,8), and the task κ2 executed in block α2 was added in block α1. Thus, 3 ∈ dep(α6), dep(α2), dep(α1).
We construct a dependency graph G(M) which keeps track of the dependencies between blocks. Define a function g : L → (Σ × {1, . . . , N} × L) ∪ {⊥} which maps a block label α to the triple (a, i, α′) if block α begins with the execution (i?a) of task a, which was added to the bag of Ti by block α′. If a is part of the initial multiset (a ∈ St(i)) then g(α) = ⊥. The vertex set of G(M) is the set of pairs (α, dep(α)) where α is a block label and dep(α) is its dependency set. G(M) is a graph with colored vertices, and is built inductively. To begin, there are no edges, and we have the following vertices.
Vertices (α, {i}) where α is the last block of Ti. To begin, we are sure that i ∈ dep(α). We color these vertices red.
Vertices (α, ∅) where α is not the last block for any Ti. To begin, we have not yet discovered whether α contributes to any Ti, so we keep dep(α) = ∅. The information with respect to dep(α) will be updated when we discover that α contributed to some Ti. We color these vertices white.
To add the edges, we repeat the following procedure until no red vertices remain. In each step, we choose a red vertex (α, dep(α)) and do the following.
1. If g(α) = ⊥, then color (α, dep(α)) blue.
2. If g(α) = (a, i, α′) and (α′, dep(α′)) is white, then color (α, dep(α)) blue and color (α′, dep(α′)) red. Update dep(α′) to be dep(α′) ∪ dep(α), and add an edge labeled a from (α′, dep(α′)) to (α, dep(α)).
3. If g(α) = (a, i, α′) and (α′, dep(α′)) is not white, then color (α, dep(α)) blue, update dep(α′) to be dep(α′) ∪ dep(α), and add an edge labeled a from (α′, dep(α′)) to (α, dep(α)).
Finally, we update the dependency relation dep of the vertices as follows: If (α, dep(α))
and (α′, dep(α′)) are blue with g(α) = (a, i, α′), then update dep(α′) to be dep(α′) ∪ dep(α).
Note that the above procedure terminates, since the number of blue vertices in each step
increases. The final graph obtained as result is G(M). Figure 2 describes constructing G(M)
for the run ρ discussed above. Consider any vertex (α, dep(α)) colored blue in G(M). Clearly,
this vertex contributes to all Ti such that i ∈ dep(α). Consider any path in G(M) from a
vertex with no incoming edges to a vertex with no outgoing edges. There is at least one such
path since the last task executed along σ corresponds to the last block of some Ti which has
not contributed to any Tj . A path v1 . . . vs in G(M) is a dependency path for automaton Ti
if the vertex vs = (α, dep(α)), and α is the last block for Ti. Let us go back to our running
example run σ using Figure 2. The tasks appearing on the edges of G(M) are the relevant
tasks. From G(M), the relevant task in the bags when the second block α2 started is κ2.
κ2 is executed at the beginning of block α2. Relevant tasks ζ2, ζ3 are added to the bag in
block α2, and α1 adds β1. β1 is executed in block α4 while ζ2, ζ3 respectively are executed in
blocks α5, α6. The relevant tasks along run σ are β1, κ2, ζ2, ζ3, of which at most 3 are stored
across bags at any point of time. Thus, we can obtain another run σ′ which is reachability
equivalent to σ as follows. The block α3 is useless as it is not contributing to any of the
automata. Each block begins at a unique initial location of some automaton, and, on the
transition which executes the task, it does not check any constraints, and resets all clocks on
the transition. Due to this, we can “prune away” a block from a run, and reconnect the run
at a later block if we maintain the time elapse in the interim. Hence, removing a useless block
of some automaton Ti does not affect the control reachability, since the next useful block of
Ti again starts from the same initial location of Ti. Accounting for the time elapse in the
useless block is sufficient to ensure that the ages of the pending tasks are accurate. σ′ can
We want to prove that in any configuration c = (q,m) appearing in the run σ, the number
of pending tasks maintained in m = (M1, . . . ,MN ) which contribute, in reaching the desired
control states, in σ is ≤ N . These are the relevant tasks, and each one is part of a block α,
and the corresponding vertex (α, dep(α)) in G(M) is colored blue. If we attach the color of
the vertex (α, dep(α)) to the task a in g(α), then we want to prove that in any configuration
appearing in σ, the number of blue tasks is ≤ N . Assume that there is some configuration
c = (q,m) in σ such that the number of blue tasks in m is p > N . Let a1, . . . , ap be the tasks
in m, and let α1, . . . , αp be the blocks where these are executed. Since p > N , and there are
only N multisets in m, there are at least two tasks ai, aj such that dep(αi) ∩ dep(αj) ≠ ∅.
Observe that, by definition, we have dep(αk) ≠ ∅ for all k ∈ {1, . . . , p}. Let us assume that
k ∈ dep(αi) ∩ dep(αj). Since both are blue, both get executed in σ, and both lie in the
dependency path of the last block of the automaton Tk. Clearly, one must come before
the other, and the earlier block has contributed to the creation of the later block. Hence,
they cannot be pending at the same time. Thus, the number of blue pending tasks in any
configuration is bounded above by N .
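The coloring procedure that builds G(M), together with the bound it yields, as an added example (written for this page, not the paper's own code): it constructs G(M) for a constructed run of a 3-MTA given as its blocks and the function g, reads off the relevant tasks and the useless (still white) blocks, and counts how many relevant tasks are pending before each block starts. The final dep update is iterated to a fixpoint, which generalizes the single pass stated above; the block labels, tasks and last blocks are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Block:
    """A block of the run: it starts with T_automaton executing `task` (an i?a transition).
    `origin` is the label of the block that posted that task, or None when g(alpha) = bottom
    (the task was in the initial multiset St(i))."""
    label: str
    automaton: int
    task: str
    origin: Optional[str]


@dataclass
class DepGraph:
    dep: Dict[str, Set[int]]             # dependency set dep(alpha) of each block label
    color: Dict[str, str]                # "white", "red" or "blue"
    edges: List[Tuple[str, str, str]]    # (alpha', a, alpha): alpha' posted the task a that alpha executes


def build_dependency_graph(blocks: List[Block], last_block: Dict[int, str]) -> DepGraph:
    """Construct G(M); last_block maps each automaton index i to the last block of sigma_i."""
    g = {b.label: b for b in blocks}
    dep: Dict[str, Set[int]] = {b.label: set() for b in blocks}
    color = {b.label: "white" for b in blocks}
    edges: List[Tuple[str, str, str]] = []
    red = deque()
    for i, alpha in sorted(last_block.items()):   # vertices (alpha, {i}) start red
        dep[alpha].add(i)
        color[alpha] = "red"
        red.append(alpha)
    while red:                                     # repeat until no red vertex remains
        alpha = red.popleft()
        color[alpha] = "blue"
        src = g[alpha].origin
        if src is None:                            # rule 1: g(alpha) = bottom
            continue
        if color[src] == "white":                  # rule 2: the posting block turns red
            color[src] = "red"
            red.append(src)
        dep[src] |= dep[alpha]                     # rules 2 and 3: propagate dep, add the edge
        edges.append((src, g[alpha].task, alpha))
    changed = True                                 # final update on blue pairs, to a fixpoint
    while changed:
        changed = False
        for src, _, alpha in edges:
            if color[src] == "blue" and color[alpha] == "blue" and not dep[alpha] <= dep[src]:
                dep[src] |= dep[alpha]
                changed = True
    return DepGraph(dep, color, edges)


def relevant_tasks(graph: DepGraph) -> Set[str]:
    """The tasks appearing on the edges of G(M)."""
    return {a for _, a, _ in graph.edges}


def useless_blocks(graph: DepGraph) -> Set[str]:
    """Blocks still white at the end contribute to no T_i and can be pruned from the run."""
    return {alpha for alpha, col in graph.color.items() if col == "white"}


def pending_relevant(blocks: List[Block], graph: DepGraph) -> List[int]:
    """Relevant tasks pending just before each block starts (blocks in run order): a task posted
    in block p and executed at the start of block e is pending before block k iff p < k <= e."""
    pos = {b.label: k for k, b in enumerate(blocks)}
    return [sum(1 for src, _, alpha in graph.edges if pos[src] < k <= pos[alpha])
            for k in range(len(blocks))]


# Constructed run of a 3-MTA (an assumption): blocks in the order they start in sigma.
EXAMPLE_BLOCKS = [
    Block("alpha1", 1, "beta1", None),       # T1 runs initial task beta1; posts kappa2 to T2, gamma1 to T1
    Block("alpha2", 2, "kappa2", "alpha1"),  # T2 runs kappa2; posts zeta2 to T2 and zeta3 to T3
    Block("alpha3", 2, "beta2", None),       # T2 runs initial task beta2; posts nothing
    Block("alpha4", 1, "gamma1", "alpha1"),  # last block of T1
    Block("alpha5", 2, "zeta2", "alpha2"),   # last block of T2
    Block("alpha6", 3, "zeta3", "alpha2"),   # last block of T3
]
EXAMPLE_LAST = {1: "alpha4", 2: "alpha5", 3: "alpha6"}


def example_graph() -> DepGraph:
    return build_dependency_graph(EXAMPLE_BLOCKS, EXAMPLE_LAST)


def example_bound_holds(n: int = 3) -> bool:
    """The bound proved above: never more than N relevant tasks are pending at once."""
    return max(pending_relevant(EXAMPLE_BLOCKS, example_graph())) <= n
```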
Construction of 1-safe TPN with read arcs
Now, we are ready to propose a 1-safe timed Petri net (with read-arcs) whose coverability
problem is equivalent to the control state reachability problem of the given N -MTA.
Given the N-MTA M consisting of timed automata T1, . . . , TN, we construct a 1-safe TPN 𝒩. There is a place pℓ corresponding to each location ℓ ∈ Li in Ti. For each Ti, there is one and only one marked place pℓ at any point in the execution, such that ℓ ∈ Li, to denote that the control of Ti is at a certain location ℓ. For each clock x in 𝒳, there is a place px. Next, we model the multisets Mi of each Ti. Let dmax ∈ N be the maximal value used for any deadline in M. Over all tasks a ∈ Σ, there are |Σ| × (dmax + 2) possible combinations of tasks and associated deadlines. The bound established above tells us that there are at most N pending relevant tasks in any configuration, i.e., at any point we have to keep track of N tasks, but they can be distributed over any of the multisets. Tasks will be modeled as tokens in the net. So, to be able to distinguish between them, for each Ti we need N × |Σ| × (dmax + 2) places (N because the net is 1-safe). For each Ti and for each pair (a, d) ∈ Σ × {0, 1, . . . , dmax, ∞}, we have N places p^i_(a,d,1), . . . , p^i_(a,d,N).
A transition of the form (ℓ⁰i, g, i?a, Y, ℓ′) in automaton Ti is simulated by N × (dmax + 2) transitions in 𝒩 as follows. For each (z, j) ∈ {0, 1, . . . , dmax, ∞} × {1, . . . , N}, a transition removes a token from the place pℓ⁰i corresponding to the unique initial location ℓ⁰i and a token from p^i_(a,z,j), and adds a token to the place pℓ′ corresponding to ℓ′. The deadline is checked on the arc from the place p^i_(a,z,j) by a constraint which checks that the age of the token is in the interval [0, z]. As any deadline value is possible, and any of the N places can be filled, one of the N × (dmax + 2) transitions is non-deterministically chosen.
A transition of the form (ℓ, g, i!j(a[d]), Y, ℓ′) in automaton Ti is simulated in a similar way by N + 1 transitions. In each of the N of these transitions, tokens for control locations are added and removed as in the previous case. For each k ∈ {1, . . . , N}, one of the N transitions adds a token to the place pj(a,d,k) if it is empty. The (N + 1)-th transition simulates the possibility that the task a is not relevant (only N are relevant at any point) and so it simulates only the change in control location and adds no other tokens. One of these N + 1 transitions is chosen non-deterministically. Observe that the first N transitions add a token only to an empty place pj(a,d,k), by definition of a 1-safe Petri net.
Clock resets are simulated by adding and removing a token from the corresponding place
px for the clock. Clock constraints are simulated by read arcs. These arcs are connected
with the corresponding transitions that are described above.
The formal construction is in [1]. Thus, the control state reachability in M to reach (f1, . . . , fN) ∈ L1 × · · · × LN reduces to the coverability problem of the marking M given by M(pfi) = 1 for all 1 ≤ i ≤ N (and hence M(pℓ) = 0 for all ℓ ∉ {f1, . . . , fN}). The control state reachability of M thus reduces to the coverability of the constructed 1-safe timed Petri net with read arcs. Since the coverability of 1-safe timed Petri nets with read arcs is PSPACE-complete [17], the control state reachability of M is also PSPACE-complete. ◀
5 Configuration Reachability
In this section, we explore the general question of the configuration reachability problem for N-MTA. We first show (Theorem 4) that the configuration reachability problem for N-MTA is undecidable.
▶ Theorem 4. The configuration reachability problem for N-MTA is undecidable. This undecidability holds even in the case of time-independent N-MTA.
Proof. The proof is done by a reduction from the reachability problem for a 2-counter machine (which is known to be undecidable [15]). The main idea is to construct a 1-MTA whose set of states contains the states of the two-counter machine plus some auxiliary states
that are used to simulate the zero tests as we will see later on. The 1-MTA has two types of
tasks a and b. The number of pending tasks of type a (resp. b) corresponds to the value
of the counter c1 (resp. c2). Furthermore, the 1-MTA has one clock x that is used to check
that no time elapsed when simulating some transitions of the two counter machine.
To simulate an increment transition of the form (q, c1++, q′) (resp. (q, c2++, q′)) of the two-counter machine, the 1-MTA proceeds as follows: first it checks that the value of the clock x = 0, then it changes its state from q to q′ and finally adds a pending task of type a (resp. b) with zero as its deadline. Observe that we need only one transition to perform all these steps of the simulation of an increment operation.
To simulate a decrement transition of the form (q, c1−−, q′) (resp. (q, c2−−, q′)) of the two-counter machine, the 1-MTA proceeds as follows: first it checks that the value of the clock x = 0, then it changes its state from q to q′ and finally consumes a pending task of type a (resp. b). Observe that we need only one transition to perform all these steps of the simulation of a decrement operation.
To simulate a zero test transition of the form (q, c1 == 0, q′) (resp. (q, c2 == 0, q′)) of the two-counter machine, the 1-MTA proceeds as follows: (i) it checks that the value of the clock x = 0, (ii) it enters a loop where it consumes a task of type b (resp. a) and creates a task of the same type but with its deadline now set to one time unit, (iii) it changes its state from q to q′, (iv) it checks that the value of the clock x is still zero, (v) it checks that one time unit has elapsed (i.e., checking whether x ∈ [1, 1]) and resets the clock x, (vi) it enters a loop where it consumes a task of type b (resp. a) and creates a task of the same type but with its deadline now set to zero, and (vii) it checks that the value of x = 0. Here the auxiliary states are needed in the simulation of these steps.
Observe that if the 1-MTA reaches the final state with an empty set of pending tasks, then all the simulations of the zero tests have been performed correctly. Finally, note that the constructed 1-MTA is time-independent. ◀
We now focus on the class of stateless and time-independent N-MTA.
▶ Theorem 5. The configuration reachability problem for stateless and time-independent N-MTA is decidable.
We begin by setting up some notations for the proof.
Well-quasi-orders and Higman's Lemma
Given a set Q, a quasi-order on Q is a reflexive and transitive relation ≼ ⊆ Q × Q. An infinite sequence (q1, q2, . . . ) in Q is said to be saturating if there exist indices i < j such that qi ≼ qj. A quasi-order ≼ is a well-quasi-order (wqo) [12] on Q if every infinite sequence in Q is saturating. Let ⊑ be a quasi-order on Q. The induced monotone domination order ≼ on Q∗ (i.e., the set of finite words over Q) is defined as follows: a1a2 . . . am ≼ b1b2 . . . bn if there exists a strictly increasing function g : {1, 2, . . . , m} → {1, 2, . . . , n} such that, for all 1 ≤ i ≤ m, ai ⊑ bg(i). It is well-known by Higman's Lemma [10] that if ⊑ is a wqo on Q, then the induced domination order ≼ is also a wqo on Q∗. As an example, let Σ = {1, 2, . . . , 12} and let Q be the power set of Σ. Define ⊑ on Q to be the set inclusion relation. ⊑ is clearly a wqo since Q is finite. The induced monotone domination order ≼ on Q∗ is the subword order: for example, {1, 2}{3}{5, 6, 7} ≼ {1, 2, 9}{1}{3, 11}{12}{4, 5, 6, 7}.
Encoding Configurations
We have seen in Section 3 that a configuration of an N-MTA M is a tuple (q, m) where q is the sequence of states in each Ti, 1 ≤ i ≤ N, and m is the tuple of multisets (M1, . . . , MN) corresponding to each Ti. Given (ℓ1, . . . , ℓN) ∈ L1 × · · · × LN, we are interested in finding whether the configuration cgoal = (q, m) is reachable, where q = (q1, . . . , qN), qi = (ℓi, 0) and m = (∅, . . . , ∅). A configuration c is called good if cgoal is reachable from c. A configuration is bad if it is not good. Clearly, cgoal is reachable in M iff some initial configuration c0 is good.
We now construct an equivalence relation on M by encoding the configurations of M as words over a certain alphabet. This will enable us to define a wqo on the resulting transition system. Let K be the maximal constant used in the clock constraints and deadlines in M. Let [K] = {0, 1, . . . , K, ∞}. Let reg = {r0, r1, . . . , r2K} be a finite set of regions, where for 0 ≤ i ≤ K, r2i is defined as the singleton {i}, while r2i+1 is defined as the interval (i, i + 1) for 0 ≤ i ≤ K − 1. We also define the region r2K+1 as (K, ∞). Let Γ1 be the set X × reg, and let Γ2 be a multiset over {(a, r, j)i | a ∈ Σ, r ∈ reg, j ∈ [K], 1 ≤ i ≤ N}. Let Γ3 be the set X × r2K+1, and let Γ4 be a multiset over {(a, r2K+1, j)i | a ∈ Σ, 1 ≤ i ≤ N, j ∈ [K]}. Let Υ, ∆ respectively be the power sets of Γ1 ∪ Γ2 and Γ3 ∪ Γ4. Let L = L1 × · · · × LN. We consider words of the form αw(P + ε) where α ∈ L, w ∈ Υ∗ and P ∈ ∆. Since Υ, ∆, L are finite, they are all clearly well-quasi-ordered by set inclusion, and the set of words of the form αw(P + ε) is well-quasi-ordered by the induced monotone domination order ≼: α1ρ1 . . . ρmP1 ≼ α2γ1 . . . γnP2 if α1 = α2, P1 ⊆ P2, and there exists a strictly increasing function g : {1, 2, . . . , m} → {1, 2, . . . , n} such that for all 1 ≤ i ≤ m, ρi ⊆ γg(i).
We next associate to any configuration c of M a canonical word W(c) ∈ L · Υ∗ · (∆ + ε). Let yi,1, . . . , yi,|Xi| be the set of clocks in Ti. Given a configuration c = (q, m) with q = ((ℓ1, ν1), . . . , (ℓN, νN)) and m = (M1, . . . , MN), the configuration c is completely specified by describing, for each 1 ≤ i ≤ N, (i) the location ℓi, (ii) the tuples (αi,j, frac(yi,j)) (resp. αi,j) if αi,j = (yi,j, reg(ν(yi,j))) is in Γ1 (resp. Γ3), for 1 ≤ j ≤ |Xi|. Observe that here we use frac(yi,j) (resp. reg(ν(yi,j))) to denote the fractional part (resp. the corresponding region) of ν(yi,j). The former case keeps track of clocks, their regions as well as the fractional parts of the clock valuations, while in the latter, the value of clock yi,j is more than K; and (iii) the multiset consisting of tuples (βi, frac(age(a))) (resp. βi) if βi = (a, reg(age(a)), d) is in Γ2 (resp. Γ4). The former keeps track of tasks, the region of their ages, and their deadlines, along with the fractional parts of the ages, while in the latter, the age of the task is more than K. Observe that age(a) returns the age of the task a.
Next, we group together the symbols αh ∈ Γ1, βg ∈ Γ2 having the same fractional parts. Notice that the fractional parts are retained only for clocks (tasks) whose value (age) has not yet exceeded K. This yields a new set of Γ1 ∪ Γ2 letters paired with their fractional parts {(ζi, fraci) | 1 ≤ i ≤ p}, where ζi is a (multi)set of symbols from Γ1 ∪ Γ2 and fraci is the fractional part of those symbols; p is the number of distinct fractional parts in c. We then form the word w = ρz1 . . . ρzp ∈ Υ+, where z1 . . . zp is a permutation of 1 . . . p that puts fracz1 . . . fraczp in ascending order. Let P ∈ ∆ be the set obtained (if any) by grouping all the symbols αh ∈ Γ3 and βg ∈ Γ4. We then define W(c) = α · w · P ∈ L · Υ∗ · (∆ + ε) as the canonical word encoding c.
▶ Example 6. Consider a 2-MTA M. Let x1, x2 be the clocks of T1 and y1, y2 be the clocks of T2. Let K = 3 be the maximal constant used in M. Consider the configurations
c1 = ((s1, 0.5, 2.1), (s2, 1.7, 2.5), ({(a, 1.1, 2), (b, 2.3, ∞), (c, 3.5, ∞)}, {(d, 1.9, 2), (e, 0.7, 1)}))
and
c2 = ((s1, 0.5, 2.4), (s2, 1.9, 2.5), ({(a, 1.4, 2), (b, 2.45, ∞), (c, 3.9, ∞)}, {(d, 1.99, 2), (e, 0.9, 1)})).
Then W(c1) = W(c2) = αwP where α = (s1, s2), P = {(c, r7,∞)1}, and
w = {(x2, r5), (a, r3, 2)1}{(b, r5,∞)1}{(x1, r1), (y2, r5)}{(y1, r3), (e, r1, 1)2}{(d, r3, 2)2}.
Two configurations c1, c2 are equivalent (written c1 ∼ c2) if W(c1) = W(c2). A configuration c1 is dominated by a configuration c2 (written c1 ≼ c2) if, writing c2 = (q2, m2), there exist q1, m1 such that m1 = (M′1, . . . , M′N) with M′i ⊆ Mi for all i, and c1 ∼ (q1, m1). It can be easily seen that c1 ≼ c2 iff W(c1) ≼ W(c2). In fact, the following lemma shows that ∼ is a bisimulation relation.
▶ Lemma 7. Let c1, c2 be two configurations of an N-MTA. Let e ∈ Ei be a transition, 1 ≤ i ≤ N, and let t ∈ R. If c1 ∼ c2, then
(1) If $c_1 \xrightarrow{e} c_1'$, there exists $c_2'$ such that $c_2 \xrightarrow{e} c_2'$ and $c_1' \sim c_2'$. If $c_2 \xrightarrow{e} c_2'$, there exists $c_1'$ such that $c_1 \xrightarrow{e} c_1'$ and $c_1' \sim c_2'$.
(2) If $c_1 \xrightarrow{t} c_1'$, there exist $c_2'$ and $t' \in \mathbb{R}$ such that $c_2 \xrightarrow{t'} c_2'$ and $c_1' \sim c_2'$. If $c_2 \xrightarrow{t} c_2'$, there exist $c_1'$ and $t' \in \mathbb{R}$ such that $c_1 \xrightarrow{t'} c_1'$ and $c_1' \sim c_2'$.
As an easy corollary of the above, we see that ∼ preserves goodness and badness: for any configurations c ∼ c′, c is good iff c′ is good. The proof follows from the definition of goodness and Lemma 7, whose proof can be found in the extended version of the paper [1].
It is hence sufficient to only consider configurations up to ∼-equivalence, and we define the quotient labeled transition system M/∼ to consist of all the words W(c) whenever c is a configuration of M. Call M/∼ W, that is, W = {W(c) | c is a configuration in M}. For $W_1, W_2 \in W$ and a transition $e \in E_i$, $1 \le i \le N$, we define a transition $W_1 \xrightarrow{e} W_2$ if for all $c_1 \in W^{-1}(W_1)$ there is some configuration $c_2 \in W^{-1}(W_2)$ such that $c_1 \xrightarrow{e} c_2$. The timed transition is defined similarly. Corresponding to each initial configuration c0 in M, we consider W0 = W(c0) to be an initial word in W. Let W0 be the set of initial words corresponding to initial configurations c0. It can be seen that for any $W_1, W_2 \in W$ and a transition $e \in E_i$ or $t \in \mathbb{R}$, $W_1 \xrightarrow{\alpha} W_2$ ($\alpha \in \{e, t\}$) iff there exist configurations $c_1 \in W^{-1}(W_1)$ and $c_2 \in W^{-1}(W_2)$ such that $c_1 \xrightarrow{\alpha} c_2$. Given a word $W \in W$ and $\alpha \in \{e, t\}$ for some transition $e$ and time $t \in \mathbb{R}$, let $\mathrm{succ}(W) = \{W' \in W \mid W \xrightarrow{\alpha} W'\}$ denote the successors of $W$ in W.
▶ Lemma 8. For any word W, the set succ(W) is finite and effectively computable.
Let W0 be the set of initial words corresponding to W(c0) for initial configurations c0. Let W∅ = W(cgoal). Algorithm 1 decides whether the configuration cgoal can be reached. In this algorithm, the function Minimize(R) is used, where R ⊆ W is a set of words. It does the following: it chooses a word W1 ∈ R and removes W1 from R if there exists a word W2 ∈ R such that W2 ≼ W1, and then repeats the procedure until all words in R are processed. Overall, the algorithm works as follows. Till the set Next of words waiting to be processed is non-empty, the algorithm chooses one word from Next, and moves it to the Processed set. It also generates all successors of the chosen word, minimizes them, and adds them to Next unless there is already some ≼-smaller word in Next or Processed. If a new word is added to Next, the algorithm removes at the same time all ≼-bigger words from both Next and Processed. The correctness of the algorithm is discussed next.
A set of words R is good (denoted Good(R)) iff there exists some word W ∈ R which is good. A word W is good iff there exists a good configuration c such that W(c) = W. If W is a good word, and if i ∈ N is the length of the shortest path (excluding time elapse transitions) from W to W∅, then we say that dist(W) is i. Given a set R of words, dist(R) ∈ N ∪ {∞} is defined as the length of the shortest path (excluding time elapse transitions) from some W ∈ R to W∅. More precisely, if R = ∅, then dist(R) = ∞, otherwise, dist(R) = min_{W∈R} dist(W).
Algorithm 1 Reach Empty.
Input: A stateless, time-independent N-MTA, and configuration cgoal = (q, m) as above.
Output: TRUE if cgoal is reachable. Otherwise, FALSE.
if W∅ ∈ W0, then return TRUE;
Processed = ∅;
Next = Minimize(W0);
while Next ≠ ∅ do
    Pick and remove a word W from Next and move it to Processed,
    foreach U ∈ Minimize(succ(W))
        if U = W∅, then return TRUE,
        else if ∄V ∈ Processed ∪ Next s.t. V ≼ U, then
            Remove all V from Processed ∪ Next s.t. U ≼ V
            Add U to Next
return FALSE
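As an added example (not code from the paper or its authors): the canonical-word encoding W(c) of the previous subsection, the domination order ≼ on the resulting words, and the Minimize step of Algorithm 1, written in Python and checked against Example 6 and the subword example in the Higman's Lemma paragraph. The symbol layouts ("clk", x, region index) and ("task", a, region index, deadline, i) are our own choice of representation, not the paper's notation.

```python
from collections import Counter
from fractions import Fraction
from math import inf

def region(v, K):
    """Index of the region of v >= 0 for maximal constant K:
    r_{2i} = {i}, r_{2i+1} = (i, i+1) for i < K, and r_{2K+1} = (K, oo)."""
    if v > K:
        return 2 * K + 1
    i = int(v)
    return 2 * i if v == i else 2 * i + 1

def canonical_word(states, bags, K):
    """states: per automaton (location, {clock: value}); bags: per automaton a
    list of (task, age, deadline).  Returns W(c) = (alpha, w, P): alpha the
    locations, w the letters grouped by fractional part in ascending order,
    P the symbols whose clock value or task age already exceeds K."""
    alpha = tuple(loc for loc, _ in states)
    by_frac, P = {}, []

    def add(sym, v):
        if v > K:                    # Gamma3 / Gamma4: fractional part dropped
            P.append(sym)
        else:                        # Gamma1 / Gamma2: keyed by fractional part
            by_frac.setdefault(v - int(v), []).append(sym)

    for loc, clocks in states:
        for x, v in clocks.items():
            add(("clk", x, region(v, K)), v)
    for i, bag in enumerate(bags, start=1):   # i = index of the automaton T_i
        for a, age, d in bag:
            add(("task", a, region(age, K), d, i), age)
    w = tuple(tuple(sorted(by_frac[f])) for f in sorted(by_frac))
    return alpha, w, tuple(sorted(P))

def letter_leq(p, q):
    """Multiset inclusion p ⊆ q on letters (sorted tuples of symbols)."""
    cq = Counter(q)
    return all(cq[s] >= n for s, n in Counter(p).items())

def dominated(W1, W2):
    """W1 ≼ W2: equal locations, P1 ⊆ P2, and a strictly increasing g with
    rho_i ⊆ gamma_g(i); greedy earliest matching finds g whenever one exists."""
    (a1, w1, P1), (a2, w2, P2) = W1, W2
    if a1 != a2 or not letter_leq(P1, P2):
        return False
    j = 0
    for rho in w1:
        while j < len(w2) and not letter_leq(rho, w2[j]):
            j += 1
        if j == len(w2):
            return False
        j += 1
    return True

def minimize(words):
    """Keep only the ≼-minimal words: the antichain Algorithm 1 maintains."""
    keep = []
    for W in words:
        if any(dominated(V, W) for V in keep):
            continue
        keep = [V for V in keep if not dominated(W, V)] + [W]
    return keep

# Example 6 of the paper with K = 3, as exact fractions so that equal
# fractional parts compare equal (with floats, 2.1 - 2 != 0.1).
F = Fraction
C1 = ([("s1", {"x1": F("0.5"), "x2": F("2.1")}), ("s2", {"y1": F("1.7"), "y2": F("2.5")})],
      [[("a", F("1.1"), 2), ("b", F("2.3"), inf), ("c", F("3.5"), inf)],
       [("d", F("1.9"), 2), ("e", F("0.7"), 1)]])
C2 = ([("s1", {"x1": F("0.5"), "x2": F("2.4")}), ("s2", {"y1": F("1.9"), "y2": F("2.5")})],
      [[("a", F("1.4"), 2), ("b", F("2.45"), inf), ("c", F("3.9"), inf)],
       [("d", F("1.99"), 2), ("e", F("0.9"), 1)]])
```

With these constructed inputs, canonical_word(*C1, 3) == canonical_word(*C2, 3) reproduces W(c1) = W(c2) from Example 6, and dropping task b from c1 yields a word that dominated() reports as ≼-smaller.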
[Figure 3: left, a 2-MTA which is not stateless; right, a 2-MTA which is not time independent. The visible transition labels are !β1, !β2, !β3 and nop.]
▶ Lemma 9.
1. Good(Processed ∪ Next) → Good(W0)
2. Good(W0) → dist(Processed) > dist(Next)
To prove the invariants, we use the following lemma.
▶ Lemma 10. If W ≼ W′ and dist(W′) = i, then dist(W) = j for some j ≤ i.
Due to the well-quasi-ordering, the algorithm terminates: if not, over a period of time, there will be an infinite sequence of words in Next, each new word added having the property that it does not dominate any of its predecessors. This would constitute an infinite non-saturating sequence, directly contradicting Higman's Lemma. The algorithm returns FALSE only when Next is empty. Then, dist(Processed) > dist(Next) is not true. Therefore, by invariant 2 in Lemma 9, W0 is not good. The algorithm returns TRUE only if either W∅ is already in W0, or if W∅ is a member of Minimize(succ(W)) for some W ∈ Next. In either case, Next is good. Then, by invariant 1 of Lemma 9, W0 is good. This gives the following lemma.
▶ Lemma 11. Algorithm Reach Empty terminates and returns true iff starting from the initial configuration c0 in M, cgoal is reachable.
This concludes the proof of Theorem 5. A detailed discussion with proofs for the lemmas can be found in the extended version of the paper [1].
Notice that the stateless and time-independent properties of M are crucial in Lemma 10. The example below shows that relaxing either condition violates Lemma 10.
To the left is a 2-MTA which is not stateless. It can be seen that c1 = (ℓ1, ℓ6, {β1, β3}, ∅) ≼ (ℓ1, ℓ6, {β1, β2, β3}, ∅) = c2. Hence, W(c1) ≼ W(c2). Indeed, from c2 one can reach (ℓ4, ℓ6, ∅, ∅), but not from c1. To the right is a 2-MTA which is not time independent. It can be seen that c1 = (((s1, 0), s6), {(β1, 0, ∞), (β3, 0, ∞)}, ∅) ≼ (((s1, 0), s6), {(β1, 0, ∞), (β2, 0, ∞), (β3, 0, ∞)}, ∅) = c2. However, (((s1, 0), s6), ∅, ∅) is reachable from c2 but not from c1.
6 Conclusion
We proposed a model to address the verification problem for timed asynchronous programs. We identified a special subclass (stateless and time-independent) for which the reachability problem is decidable and control reachability is PSPACE-complete. There are multiple avenues for further work. The first question is to check the tightness of the EXPSPACE lower bound provided. Another question would be to consider the model where we use priority bags instead of bags. In a priority bag, tasks have associated deadlines and priorities. The process, while picking up a task for execution, is expected to pick up a task with the highest priority. Queues are yet another interesting data structure in place of bags: in this setup, the tasks which require a processor's attention are picked up in the order in which they were assigned by various processes. One can also look at multiset timed pushdown systems, which extend the model of [16] with time and multiple processes. Finally, we can move from the one-player setting to two players, where the environment chooses a task for the process to execute. Under this two-player setting, the question would be whether the system has a strategy to execute all the pending tasks.
References
1 P.A. Abdulla, M. Faouzi Atig, S. Krishna, and S. Vaidya. Verification of Timed Asynchronous Programs. URL: http://www.cse.iitb.ac.in/~krishnas/fsttcs2018.pdf.
2 Rajeev Alur and David L. Dill. A Theory of Timed Automata. Theor. Comput. Sci., 126(2):183–235, April 1994. doi:10.1016/0304-3975(94)90010-8.
3 Mohamed Faouzi Atig, Ahmed Bouajjani, K. Narayan Kumar, and Prakash Saivasan. Verification of Asynchronous Programs with Nested Locks. In Satya V. Lokam and R. Ramanujam, editors, 37th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2017, December 11-15, 2017, Kanpur, India, volume 93 of LIPIcs, pages 11:1–11:14. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2017. doi:10.4230/LIPIcs.FSTTCS.2017.11.
4 Mohamed Faouzi Atig, Ahmed Bouajjani, and Tayssir Touili. Analyzing Asynchronous Programs with Preemption. In Ramesh Hariharan, Madhavan Mukund, and V. Vinay, editors, IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2008, December 9-11, 2008, Bangalore, India, volume 2 of LIPIcs, pages 37–48. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2008. doi:10.4230/LIPIcs.FSTTCS.2008.1739.
5 Rohit Chadha and Mahesh Viswanathan. Decidability Results for Well-Structured Transition Systems with Auxiliary Storage. In Luís Caires and Vasco Thudichum Vasconcelos, editors, CONCUR 2007 - Concurrency Theory, 18th International Conference, CONCUR 2007, Lisbon, Portugal, September 3-8, 2007, Proceedings, volume 4703 of Lecture Notes in Computer Science, pages 136–150. Springer, 2007. doi:10.1007/978-3-540-74407-8_10.
6 Michael Emmi, Shaz Qadeer, and Zvonimir Rakamaric. Delay-bounded scheduling. In Thomas Ball and Mooly Sagiv, editors, Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2011, Austin, TX, USA, January 26-28, 2011, pages 411–422. ACM, 2011. doi:10.1145/1926385.1926432.
7 Pierre Ganty and Rupak Majumdar. Analyzing Real-Time Event-Driven Programs. In Joël Ouaknine and Frits W. Vaandrager, editors, Formal Modeling and Analysis of Timed Systems, 7th International Conference, FORMATS 2009, Budapest, Hungary, September 14-16, 2009. Proceedings, volume 5813 of Lecture Notes in Computer Science, pages 164–178. Springer, 2009. doi:10.1007/978-3-642-04368-0_14.
8 Pierre Ganty and Rupak Majumdar. Algorithmic verification of asynchronous programs. ACM Trans. Program. Lang. Syst., 34(1):6:1–6:48, 2012. doi:10.1145/2160910.2160915.
9 Serge Haddad, Sylvain Schmitz, and Philippe Schnoebelen. The Ordinal-Recursive Complexity of Timed-arc Petri Nets, Data Nets, and Other Enriched Nets. In Proceedings of the 27th Annual IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25-28, 2012, pages 355–364. IEEE Computer Society, 2012. doi:10.1109/LICS.2012.46.
10 Graham Higman. Ordering by divisibility in abstract algebras. Proceedings of the London Mathematical Society, 3(1):326–336, 1952.
11 Ranjit Jhala and Rupak Majumdar. Interprocedural analysis of asynchronous programs. In Martin Hofmann and Matthias Felleisen, editors, Proceedings of the 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2007, Nice, France, January 17-19, 2007, pages 339–350. ACM, 2007. doi:10.1145/1190216.1190266.
12 Joseph B. Kruskal. The theory of well-quasi-ordering: A frequently discovered concept. Journal of Combinatorial Theory, Series A, 13(3):297–305, 1972.
13 Pallavi Maiya, Rahul Gupta, Aditya Kanade, and Rupak Majumdar. Partial Order Reduction for Event-Driven Multi-threaded Programs. In Tools and Algorithms for the Construction and Analysis of Systems - 22nd International Conference, TACAS, volume 9636 of Lecture Notes in Computer Science, pages 680–697. Springer, 2016.
14 Rupak Majumdar and Zilong Wang. Bbs: A Phase-Bounded Model Checker for Asynchronous Programs. In Daniel Kroening and Corina S. Pasareanu, editors, Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part I, volume 9206 of Lecture Notes in Computer Science, pages 496–503. Springer, 2015. doi:10.1007/978-3-319-21690-4_33.
15 M. Minsky. Computation: Finite and Infinite Machines. Prentice Hall International, 1967.
16 Koushik Sen and Mahesh Viswanathan. Model Checking Multithreaded Programs with Asynchronous Atomic Methods. In Thomas Ball and Robert B. Jones, editors, Computer Aided Verification, 18th International Conference, CAV 2006, Seattle, WA, USA, August 17-20, 2006, Proceedings, volume 4144 of Lecture Notes in Computer Science, pages 300–314. Springer, 2006. doi:10.1007/11817963_29.
17 Jiří Srba. Timed-Arc Petri Nets vs. Networks of Timed Automata. In Proceedings of the 26th International Conference on Application and Theory of Petri Nets (ICATPN 2005), pages 385–402. Springer-Verlag, 2005.
