Improved Undecidability Results for Reachability Games on Recursive
  Timed Automata by Krishna, Shankara Narayanan et al.
Adriano Peron and Carla Piazza (Eds.):
Proceedings of the Fifth International Symposium on
Games, Automata, Logics and Formal Verification (GandALF 2014)
EPTCS 161, 2014, pp. 245–259, doi:10.4204/EPTCS.161.21
Improved Undecidability Results for Reachability Games on
Recursive Timed Automata
Shankara Narayanan Krishna Lakshmi Manasa Ashutosh Trivedi
Indian Institute of Technology Bombay, Mumbai, INDIA
{krishnas, manasa, trivedi}@cse.iitb.ac.in
Abstract. We study reachability games on recursive timed automata (RTA) that generalize Alur-Dill timed automata with a recursive procedure invocation mechanism similar to that of recursive state machines. It is known that deciding the winner in reachability games on RTA is undecidable for automata with two or more clocks, while the problem is decidable for automata with only one clock. Ouaknine and Worrell recently proposed a time-bounded theory of real-time verification by claiming that restriction to bounded time recovers decidability for several key decision problems related to real-time verification. We revisited games on recursive timed automata under the time-bounded restriction in the hope of recovering decidability. However, we found that the problem still remains undecidable for recursive timed automata with three or more clocks. Using similar proof techniques we characterize a decidability frontier for a generalization of RTA to recursive stopwatch automata.
1 Introduction
Timed automata, introduced by Alur and Dill [4], extend finite state machines with a finite set of continuous variables called clocks that grow at a uniform rate in each state. Since the syntax of timed automata allows guarding transitions and states with simple constraints on clocks and resetting clocks during a transition, timed automata can express complex timing-based properties of real-time systems. The seminal paper on timed automata [3] showed the decidability of the fundamental reachability problem for timed automata, which paved the way for the success of timed automata as a specification and verification formalism for real-time systems.
Recursive timed automata (RTAs) [9] extend timed automata with recursion to model real-time software systems. Formally, an RTA is a finite collection of components where each component is a timed automaton that, in addition to making transitions between various states, can have transitions to “boxes” that are mapped to other components, modeling a potentially recursive call to a component. During such an invocation, limited information can be passed through clock values from the “caller” component to the “called” component via two different mechanisms: a) pass-by-value, where upon returning from the called component a clock assumes the value it had prior to the invocation, and b) pass-by-reference, where upon return a clock reflects any changes to its value inside the invoked procedure. The reachability problem for RTA is known [9] to be undecidable for RTA with three or more clocks.
In this paper we study reachability games on recursive timed automata that are played between two
players—called Player 1 and Player 2—who take turns to move a token along the infinite graph of
configurations (context, states, and clock valuations) of recursive timed automata. In a reachability game
the goal of Player 1 is to reach a desirable set of target states, while the goal of Player 2 is to avoid it.
The reachability game problem is to decide the winner in a reachability game.
[Figure 1: Reachability game on a recursive timed automaton with one clock and two components. Component M1 has nodes u1, u2, u3 and box b1 : M2 with (x) passed by value; component M2 has nodes v1, v2 and box b2 : M2. Diagram not reproduced.]
Example 1 The visual presentation of a reachability game on a recursive timed automaton with two components M1 and M2, and one clock variable x, is shown in Figure 1 (inspired by an example in [9]), where
component M1 calls component M2 via box b1 and component M2 recursively calls itself via box b2. Components are shown as thinly framed rectangles with their names written next to the upper right corner. The various control states, or “nodes”, of the components are shown as circles or blue squares with their labels written inside them, e.g. see node u1. The circles are Player 1 states (see u1) while blue squares (v1) are Player 2 states. Entry nodes of a component appear on the left of the component (see u1), while exit nodes appear on the right (see u3). Boxes are shown as thickly framed rectangles inside components, labelled b : M, where b is the label of the box and M is the component it is mapped to. The tuple of clocks passed to M by value, if any, is shown below the box, and the rest of the variables are passed by reference. For example, in the figure clock x is passed by value during the invocation of component M2 via box b1, while no clock is passed by value to component M2 via box b2. Each transition is labelled with a guard and the set of reset variables (e.g. the transition from node v1 to v2 can be taken only when variable x<1, and after taking this transition, variable x is reset). To minimize clutter we omit empty reset sets.
Trivedi and Wojtczak [9] showed that the reachability game and the termination game (reachability with empty calling context) problems are undecidable for RTAs with two or more clocks. Moreover, they considered the so-called glitch-free restriction of RTAs—where at each invocation either all clocks are passed by value or all clocks are passed by reference—and showed that reachability (and termination) is EXPTIME-complete for RTAs with two or more clocks. In the model of [9] it is compulsory to pass all the clocks at every invocation with either mechanism. Abdulla, Atig, and Stenman [1] studied a related model called timed pushdown automata where they disallowed passing clocks by value. On the other hand, they allowed clocks to be passed either by reference or not passed at all (in that case they are stored in the call context and continue to tick at the uniform rate). It is shown in [1] that the reachability problem for this class remains decidable (EXPTIME-complete). In this article, we restrict ourselves to the recursive timed automata model as introduced in [9].
Ouaknine and Worrell [8] proposed the thesis that restriction to bounded time recovers decidability for several key decision problems related to real-time verification. In support of this thesis a number of important undecidable problems have been shown to be decidable under the bounded-time restriction, for instance language inclusion for timed automata, the emptiness problem for alternating timed automata, and the emptiness problem for rectangular hybrid automata. The goal of this work was to approach reachability games on recursive timed automata from this viewpoint and to recover the decidability of these games under the time-bounded restriction. However, we discovered a rather negative result. In this paper we show that the problem stays undecidable for RTA with just 3 or more clocks.
We also consider the extension of RTAs with stopwatches (clocks that can be paused) to recursive stopwatch automata (RSAs) and show that the time-bounded reachability game problem stays undecidable even for RSAs with 3 or more stopwatches, while we show decidability for glitch-free RSAs with 2 stopwatches. We also show that the reachability problem is undecidable for unrestricted RSA with two or more stopwatches. For the time-bounded reachability case, we show that the problem stays undecidable even for the glitch-free variant of RSAs with 4 or more stopwatches. Table 1 highlights our contributions related to reachability games on recursive timed and stopwatch automata. For a survey of models related to RTA and dense-time pushdown automata we refer the reader to [9] and [1]. Due to space limitations, we only sketch the key proofs; details can be found in [6].

                 Recursive Timed Automata         Recursive Stopwatch Automata
                 TUB             TB               TUB             TB
Glitch-free      D               D                U (≥ 3 sw)      U (≥ 4 sw)
                                                  D (≤ 2 sw)      D (≤ 2 sw)
Unrestricted     U (≥ 2 clocks)  U (≥ 3 clocks)   U (≥ 2 sw)      U (≥ 3 sw)

Table 1: Summary of the contributions of this paper. Results shown in bold are contributions from this paper, while results shown in gray are from [9]. Here TUB and TB stand for time-unbounded and time-bounded reachability games, and U stands for undecidable, D for decidable, and sw for stopwatches.
2 Preliminaries
2.1 Reachability Games on Labelled Transition Systems.
A labelled transition system (LTS) is a tuple L = (S,A,X) where S is the set of states, A is the set of actions, and X : S×A → S is the transition function. We say that an LTS L is finite (discrete) if both S and A are finite (countable). We write A(s) for the set of actions available at s ∈ S, i.e., A(s) = {a : X(s, a) ≠ ∅}. A game arena G is a tuple (L,S1,S2), where L = (S,A,X) is an LTS, S1 ⊆ S is the set of states controlled by Player 1, and S2 ⊆ S is the set of states controlled by Player 2. Moreover, the sets S1 and S2 form a partition of the set S. In a reachability game on G, rational players—Player 1 and Player 2—take turns to move a token along the states of L. The decision to choose the successor state is made by the player controlling the current state. The objective of Player 1 is to eventually reach certain states, while the objective of Player 2 is to avoid them forever.
We say that (s, a, s′) ∈ S×A×S is a transition of L if s′ = X(s, a), and a run of L is a sequence 〈s0, a1, s1, . . .〉 ∈ S×(A×S)∗ such that (si, ai+1, si+1) is a transition of L for all i ≥ 0. We write RunsL (FRunsL) for the set of infinite (finite) runs and RunsL(s) (FRunsL(s)) for the set of infinite (finite) runs starting from state s. For a set F ⊆ S and a run r = 〈s0, a1, . . .〉 we define Stop(F)(r) = inf{i ∈ N : si ∈ F}. Given a state s0 ∈ S and a set of final states F ⊆ S, we say that a final state is reachable from s0 if there is a run r ∈ RunsL(s0) such that Stop(F)(r) < ∞. A strategy of Player 1 is a partial function α : FRunsL → A such that for a run r ∈ FRunsL we have that α(r) is defined if last(r) ∈ S1, and α(r) ∈ A(last(r)) for every such r. A strategy of Player 2 is defined analogously. Let ΣL1 and ΣL2 be the sets of strategies of Player 1 and Player 2, respectively. The unique run Run(s,α,τ) from a state s when the players use strategies α ∈ ΣL1 and τ ∈ ΣL2 is defined in the straightforward manner.
Given an initial state s, a set of final states F, and strategies τ for Player 2 and α for Player 1, Player 1 is said to win the reachability game if Stop(F)(Run(s,α,τ)) < ∞; otherwise, if Stop(F)(Run(s,α,τ)) = ∞, then Player 2 is the winner. The reachability game problem is to decide whether, in a given game arena G with an initial state s and a set of final states F, Player 1 has a strategy to win the reachability game (irrespective of Player 2’s strategy).
[Figure 2: Example recursive state machine taken from [2]. Component M1 has nodes u1, u2, u3, u4 and boxes b1 : M2, b2 : M3; component M2 has nodes v1, v2, v3, v4 and boxes c1 : M2, c2 : M3; component M3 has nodes w1, w2 and box d : M1. Diagram not reproduced.]
2.2 Reachability Games on Recursive State Machines
A recursive state machine [2] M is a tuple (M1,M2, . . . ,Mk) of components, where each component Mi = (Ni,ENi,EXi,Bi,Yi,Ai,Xi), for 1 ≤ i ≤ k, is such that:
• Ni is a finite set of nodes including a distinguished set ENi of entry nodes and a set EXi of exit nodes such that EXi and ENi are disjoint sets;
• Bi is a finite set of boxes;
• Yi : Bi → {1,2, . . . ,k} is a mapping that assigns every box to a component. We associate a set of call ports Call(b) and return ports Ret(b) to each box b ∈ Bi:
Call(b) = {(b, en) : en ∈ EN_{Yi(b)}} and Ret(b) = {(b, ex) : ex ∈ EX_{Yi(b)}}.
Let Calli = ∪_{b∈Bi} Call(b) and Reti = ∪_{b∈Bi} Ret(b) be the sets of call and return ports of component Mi. We define the set of locations Qi of component Mi as the union of the set of nodes, call ports and return ports, i.e. Qi = Ni ∪ Calli ∪ Reti;
• Ai is a finite set of actions; and
• Xi : Qi×Ai → Qi is the transition function with the condition that call ports and exit nodes do not have any outgoing transitions.
For the sake of simplicity, we assume that the set of boxes B1, . . . ,Bk and set of nodes N1,N2, . . . ,Nk are
mutually disjoint. We use symbols N,B,A,Q,X, etc. to denote the union of the corresponding symbols
over all components.
An example of an RSM is shown in Figure 2 (taken from [9]). An execution of an RSM begins at the entry node of some component and, depending upon the sequence of input actions, the state evolves naturally like a labelled transition system. However, when the execution reaches a call port of a box, this box is stored on a stack of pending calls, and the execution continues naturally from the corresponding entry node of the component mapped to that box. When an exit node of a component is encountered, if the stack of pending calls is empty then the run terminates; otherwise, the box is popped from the top of the stack and the execution jumps to the return port of the just popped box corresponding to the just reached exit of the component. We formalize the semantics of an RSM using a discrete LTS, whose states are pairs consisting of a sequence of boxes, called the context, mimicking the stack of pending calls, and the current location.
Let M = (M1,M2, . . . ,Mk) be an RSM where the component Mi is (Ni,ENi,EXi,Bi,Yi,Ai,Xi). The semantics of M is the discrete labelled transition system [[M]] = (SM,AM,XM) where:
• SM ⊆ B∗×Q is the set of states;
• AM = ∪_{i=1}^{k} Ai is the set of actions;
• XM : SM×AM → SM is the transition function such that for s = (〈κ〉,q) ∈ SM and a ∈ AM, we have that s′ = XM(s, a) if and only if one of the following holds:
1. the location q is a call port, i.e. q = (b, en) ∈ Call, and s′ = (〈κ,b〉, en);
2. the location q is an exit node, i.e. q = ex ∈ EX, and s′ = (〈κ′〉, (b, ex)) where (b, ex) ∈ Ret(b) and κ = (κ′,b);
3. the location q is any other kind of location, and s′ = (〈κ〉,q′) with q′ ∈ X(q, a).
Given M and a subset Q′ ⊆ Q of its nodes we define [[Q′]]M as {(〈κ〉,v′) : κ ∈ B∗ and v′ ∈ Q′}. We define the terminal configurations TermM as the set {(〈ε〉, ex) : ex ∈ EX} with the empty context 〈ε〉. Given a recursive state machine M, an initial node v, and a set of final locations F ⊆ Q, the reachability problem on M is defined as the reachability problem on the LTS [[M]] with the initial state (〈ε〉,v) and final states [[F]]M. We define the termination problem as the reachability of one of the exits with the empty context. The reachability and the termination problems for recursive state machines can be solved in polynomial time [2].
A partition (Q1,Q2) of the locations Q of an RSM M (between Player 1 and Player 2) gives rise to a recursive game arena G = (M,Q1,Q2). Given an initial state v and a set of final states F, the reachability game on M is defined as the reachability game on the game arena ([[M]], [[Q1]]M, [[Q2]]M) with the initial state (〈ε〉,v) and the set of final states [[F]]M. Also, the termination game on M is defined as the reachability game on the game arena ([[M]], [[Q1]]M, [[Q2]]M) with the initial state (〈ε〉,v) and the set of final states TermM. It is a well known result (see, e.g. [10, 5]) that reachability games and termination games on RSMs are decidable (EXPTIME-complete).
3 Recursive Hybrid Automata
In this paper, since we study both recursive timed automata and recursive stopwatch automata, we introduce the more general recursive hybrid automata and define these two subclasses from them. Recursive hybrid automata (RHAs) extend classical hybrid automata (HAs) with recursion in a similar way to how RSMs extend LTSs. We work with a simpler subclass of hybrid automata known as singular hybrid automata, where all variables grow with constant rates.
3.1 Syntax
Let R be the set of real numbers. Let 𝒳 be a finite set of real-valued variables. A valuation on 𝒳 is a function ν : 𝒳 → R. We assume an arbitrary but fixed ordering on the variables and write xi for the variable with order i. This allows us to treat a valuation ν as a point (ν(x1),ν(x2), . . . ,ν(xn)) ∈ R^{|𝒳|}. Abusing notation slightly, we use a valuation on 𝒳 and a point in R^{|𝒳|} interchangeably. For a subset of variables X ⊆ 𝒳 and a valuation ν′ on 𝒳, we write ν[X:=ν′] for the valuation where ν[X:=ν′](x) = ν′(x) if x ∈ X, and ν[X:=ν′](x) = ν(x) otherwise. The valuation 0 ∈ R^{|𝒳|} is the special valuation such that 0(x) = 0 for all x ∈ 𝒳.
We define a constraint over a set 𝒳 as a subset of R^{|𝒳|}. We say that a constraint is rectangular if it is defined as the conjunction of a finite set of constraints of the form x ⋈ k, where k ∈ Z, x ∈ 𝒳, and ⋈ ∈ {<,≤,=,>,≥}. For a constraint G, we write [[G]] for the set of valuations in R^{|𝒳|} satisfying the constraint G. We write ⊤ (resp., ⊥) for the special constraint that is true (resp., false) in all valuations, i.e. [[⊤]] = R^{|𝒳|} (resp., [[⊥]] = ∅). We write rect(𝒳) for the set of rectangular constraints over 𝒳 including ⊤ and ⊥.
Definition 1 (Recursive Hybrid Automata) A recursive hybrid automaton H = (𝒳, (H1,H2, . . . ,Hk)) is a pair made of a set of variables 𝒳 and a collection of components (H1,H2, . . . ,Hk) where every component Hi = (Ni,ENi,EXi,Bi,Yi,Ai,Xi,Pi,Invi,Ei,Ji,Fi) is such that:
• Ni is a finite set of nodes including a distinguished set ENi of entry nodes and a set EXi of exit nodes such that EXi and ENi are disjoint sets;
• Bi is a finite set of boxes;
• Yi : Bi → {1,2, . . . ,k} is a mapping that assigns every box to a component. (Call ports Call(b) and return ports Ret(b) of a box b ∈ Bi, and call ports Calli and return ports Reti of a component Hi, are defined as before. We set Qi = Ni ∪ Calli ∪ Reti and refer to this set as the set of locations of Hi.)
• Ai is a finite set of actions.
• Xi : Qi×Ai → Qi is the transition function with the condition that call ports and exit nodes do not have any outgoing transitions.
• Pi : Bi → 2^𝒳 is the pass-by-value mapping that assigns to every box the set of variables that are passed by value to the component mapped to the box. (The rest of the variables are assumed to be passed by reference.)
• Invi : Qi → rect(𝒳) is the invariant condition;
• Ei : Qi×Ai → rect(𝒳) is the action enabledness function;
• Ji : Ai → 2^𝒳 is the variable reset function; and
• Fi : Qi → N^{|𝒳|} is the flow function characterizing the rate of each variable in each location.
We assume that the sets of boxes, nodes, locations, etc. are mutually disjoint across components and we write (N,B,Y,Q,P,X, etc.) to denote the corresponding union over all components.
We say that a recursive hybrid automaton is glitch-free if for every box either all variables are passed by value or none is passed by value, i.e. for each b ∈ B we have that either P(b) = 𝒳 or P(b) = ∅. Any general recursive hybrid automaton with one variable is trivially glitch-free. We say that an RHA is hierarchical if there exists an ordering over components such that a component never invokes another component of higher or the same order.
We say that a variable x ∈ 𝒳 is a clock (resp., a stopwatch) if for every location q ∈ Q we have that F(q)(x) = 1 (resp., F(q)(x) ∈ {0,1}). A recursive timed automaton (RTA) is simply a recursive hybrid automaton where all variables x ∈ 𝒳 are clocks. Similarly, we define a recursive stopwatch automaton (RSA) as a recursive hybrid automaton where all variables x ∈ 𝒳 are stopwatches. Since all of our results pertaining to recursive hybrid automata are shown in the context of recursive stopwatch automata, we often use the terms RHA and RSA interchangeably.
3.2 Semantics
A configuration of an RHA H is a tuple (〈κ〉,q,ν), where κ ∈ (B×R^{|𝒳|})∗ is a sequence of pairs of boxes and variable valuations, q ∈ Q is a location and ν ∈ R^{|𝒳|} is a variable valuation over 𝒳 such that ν ∈ Inv(q). The sequence 〈κ〉 ∈ (B×R^{|𝒳|})∗ denotes the stack of pending recursive calls together with the valuation of all the variables at the moment each call was made, and we refer to this sequence as the context of the configuration. Technically, it suffices to store the valuation of the variables passed by value, because the other variables retain their value after returning from a call to a box, but storing all of them simplifies the notation. We denote the empty context by 〈ε〉. For any t ∈ R, we let (〈κ〉,q,ν)+t equal the configuration (〈κ〉,q,ν+F(q) · t). Informally, the behaviour of an RHA is as follows. In configuration (〈κ〉,q,ν) time passes before an available action is triggered, after which a discrete transition occurs. Time passage is available only if the invariant condition Inv(q) is satisfied while time elapses, and an action a can be chosen after time t elapses only if it is enabled after the time elapse, i.e., if ν+F(q) · t ∈ E(q, a). If the action a is chosen then the successor state is (〈κ〉,q′,ν′) where q′ ∈ X(q, a) and ν′ = (ν+F(q) · t)[J(a) := 0]. Formally, the semantics of an RHA is given by an LTS which has an uncountably infinite number of both states and transitions.
Definition 2 (RHA semantics) Let H = (𝒳, (H1,H2, . . . ,Hk)) be an RHA where each component is of the form Hi = (Ni,ENi,EXi,Bi,Yi,Ai,Xi,Pi,Invi,Ei,Ji,Fi). The semantics of H is a labelled transition system [[H]] = (SH,AH,XH) where:
• SH ⊆ (B×R^{|𝒳|})∗×Q×R^{|𝒳|}, the set of states, is such that (〈κ〉,q,ν) ∈ SH if ν ∈ Inv(q).
• AH = R⊕×A is the set of timed actions, where R⊕ is the set of non-negative reals;
• XH : SH×AH → SH is the transition function such that for (〈κ〉,q,ν) ∈ SH and (t, a) ∈ AH, we have (〈κ′〉,q′,ν′) = XH((〈κ〉,q,ν), (t, a)) if and only if one of the following conditions holds:
1. if the location q is a call port, i.e. q = (b, en) ∈ Call, then t = 0, the context 〈κ′〉 = 〈κ, (b,ν)〉, q′ = en, and ν′ = ν.
2. if the location q is an exit node, i.e. q = ex ∈ EX, with 〈κ〉 = 〈κ′′, (b,ν′′)〉 and (b, ex) ∈ Ret(b), then t = 0; 〈κ′〉 = 〈κ′′〉; q′ = (b, ex); and ν′ = ν[P(b) := ν′′].
3. if the location q is any other kind of location, then 〈κ′〉 = 〈κ〉, q′ ∈ X(q, a), and
(a) ν + F(q) · t′ ∈ Inv(q) for all t′ ∈ [0, t];
(b) ν + F(q) · t ∈ E(q, a);
(c) ν′ = (ν + F(q) · t)[J(a) := 0].
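To make Definition 2 concrete, the following Python simulation (added here; it is not the paper's code) implements its three transition rules on a constructed two-component RHA in the style of Figure 1, where box b1 passes x by value and y by reference. All names (u1, u2, v1, v2, b1, M2 and the action labels) are hypothetical; exact rationals are used so that restored and elapsed values can be compared precisely.

```python
from fractions import Fraction
from typing import Dict, Optional, Tuple

# Added example (not the paper's code): the three transition rules of
# Definition 2 on a constructed two-component RHA. Component M1 has node u1,
# box b1 : M2 and node u2; component M2 has entry v1 and exit v2.
Val = Dict[str, Fraction]                    # a valuation nu : X -> R
Ctx = Tuple[Tuple[str, Val], ...]            # context <kappa>: stack of (box, nu at call time)
Config = Tuple[Ctx, object, Val]             # (<kappa>, q, nu)

VARS = ("x", "y")
RATE = {"x": 1, "y": 1}                      # both variables are clocks: F(q)(v) = 1 everywhere
BOX_TARGET = {"b1": "M2"}                    # Y(b1) = M2
PASS_BY_VALUE = {"b1": {"x"}}                # P(b1) = {x}; y is passed by reference
ENTRY = {"M2": "v1"}                         # EN of M2
EXITS = {"v2"}                               # EX of M2
# Internal transitions X together with guards E and resets J:
#   (q, a) -> (q', guard on the valuation after the delay, reset set)
TRANS = {
    ("u1", "call"): (("b1", "v1"), lambda nu: True, set()),        # u1 -> call port (b1, v1)
    ("v1", "go"): ("v2", lambda nu: nu["y"] == 1, set()),           # inside M2: leave when y = 1
    (("b1", "v2"), "done"): ("u2", lambda nu: True, set()),         # return port (b1, v2) -> u2
}
INV = {"u1": lambda nu: nu["x"] == 0}        # urgent node u1; every other invariant is top


def is_call_port(q) -> bool:
    return isinstance(q, tuple) and q[1] == ENTRY[BOX_TARGET[q[0]]]


def elapse(nu: Val, t: Fraction) -> Val:
    """nu + F(q) * t with the constant rates above."""
    return {v: nu[v] + RATE[v] * t for v in VARS}


def step(cfg: Config, t: Fraction, a: str) -> Optional[Config]:
    """X_H(cfg, (t, a)); None when the timed action is not available."""
    ctx, q, nu = cfg
    if is_call_port(q):                      # rule 1: t = 0, push (b, nu), jump to the entry node
        if t != 0:
            return None
        b, en = q
        return (ctx + ((b, dict(nu)),), en, dict(nu))
    if q in EXITS:                           # rule 2: t = 0, pop (b, nu''), restore P(b) from nu''
        if t != 0 or not ctx:
            return None
        b, nu_saved = ctx[-1]
        nu2 = dict(nu)
        for v in PASS_BY_VALUE[b]:
            nu2[v] = nu_saved[v]
        return (ctx[:-1], (b, q), nu2)
    if (q, a) not in TRANS:                  # rule 3: ordinary timed transition
        return None
    q2, guard, reset = TRANS[(q, a)]
    inv = INV.get(q, lambda _: True)
    nu_t = elapse(nu, t)
    # Invariants are rectangular (convex) and rates are constant, so the
    # invariant holds on all of [0, t] iff it holds at both endpoints.
    if not (inv(nu) and inv(nu_t) and guard(nu_t)):
        return None
    return (ctx, q2, {v: (Fraction(0) if v in reset else nu_t[v]) for v in VARS})


def run(cfg: Config, moves) -> Tuple[Config, Fraction]:
    """Follow a sequence of timed actions; also return time(r), the sum of the delays."""
    total = Fraction(0)
    for t, a in moves:
        t = Fraction(t)
        nxt = step(cfg, t, a)
        if nxt is None:
            raise ValueError(f"timed action ({t}, {a}) not available at {cfg[1]}")
        cfg, total = nxt, total + t
    return cfg, total


def demo() -> Tuple[object, Val, Fraction]:
    """Call M2 through b1 and let one time unit pass inside the callee:
    on return x is restored to 0 (by value) while y keeps the elapsed time (by reference)."""
    start: Config = ((), "u1", {"x": Fraction(0), "y": Fraction(0)})
    cfg, total = run(start, [(0, "call"), (0, "push"), (1, "go"), (0, "pop"), (0, "done")])
    return cfg[1], cfg[2], total
```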
3.3 Reachability and Time-Bounded Reachability Game Problems
For a subset Q′ ⊆ Q of the locations of an RHA H we define the set [[Q′]]H as the set {(〈κ〉,q,ν) ∈ SH : q ∈ Q′}. We define the terminal configurations as TermH = {(〈ε〉,q,ν) ∈ SH : q ∈ EX}. Given a recursive hybrid automaton H, an initial node q and valuation ν ∈ R^{|𝒳|}, and a set of final locations F ⊆ Q, the reachability problem on H is to decide the existence of a run in the LTS [[H]] starting from the initial state (〈ε〉,q,ν) to some state in [[F]]H. As with RSMs, we also define the termination problem as the reachability of one of the exits with the empty context. Hence, given an RHA H, an initial node q and a valuation ν ∈ R^{|𝒳|}, the termination problem on H is to decide the existence of a run in the LTS [[H]] from the initial state (〈ε〉,q,ν) to a final state in TermH.
Given a run r = 〈s0, (t1, a1), s1, (t2, a2), . . . , (tn, an), sn〉 of an RHA, its time duration time(r) is defined as ∑_{i=1}^{n} ti. Given a recursive hybrid automaton H, an initial node q, a bound T ∈ N, a valuation ν ∈ R^{|𝒳|}, and a set of final locations F ⊆ Q, the time-bounded reachability problem on H is to decide the existence of a run r in the LTS [[H]] starting from the initial state (〈ε〉,q,ν) to some state in [[F]]H such that time(r) ≤ T. The time-bounded termination problem is defined in an analogous manner.
A partition (Q1,Q2) of the locations Q of an RHA H gives rise to a recursive hybrid game arena Γ = (H,Q1,Q2). Given an initial location q, a valuation ν ∈ V and a set of final states F, the reachability game on Γ is defined as the reachability game on the game arena ([[H]], [[Q1]]H, [[Q2]]H) with the initial state (〈ε〉, (q,ν)) and the set of final states [[F]]H. Also, the termination game on Γ is defined as the reachability game on the game arena ([[H]], [[Q1]]H, [[Q2]]H) with the initial state (〈ε〉, (q,ν)) and the set of final states TermH.
We prove the following key theorem about reachability games on various subclasses of recursive hybrid automata in Section 4.
Theorem 1 The reachability game problem is undecidable for:
1. Unrestricted RSA with 2 stopwatches,
2. Glitch-free RSA with 3 stopwatches,
3. Unrestricted RTA with 3 clocks under bounded time, and
4. Glitch-free RSA with 4 stopwatches under bounded time.
Moreover, all of these results hold even under the hierarchical restriction.
On the positive side, we observe that for glitch-free RSA with two stopwatches reachability games are decidable, by exploiting the existence of a finite bisimulation for hybrid automata with 2 stopwatches. Details can be found in [6].
Theorem 2 Reachability games are decidable for glitch-free RSA with at most two stopwatches.
4 Undecidability Results
In this section, we provide a proof sketch of our undecidability results by reducing the halting problem for two-counter machines to the reachability problem in an RHA/RTA. Before we show our reduction, we give a formal definition of two-counter machines.
Definition 3 (Two-counter Machines) A two-counter machine is a tuple (L,C) where L = {ℓ0, ℓ1, . . . , ℓn} is the set of instructions—including a distinguished terminal instruction ℓn called HALT—and C = {c1, c2} is the set of two counters. The instructions in L are of the type:
1. (increment c) ℓi : c := c + 1; goto ℓk,
2. (decrement c) ℓi : c := c − 1; goto ℓk,
3. (zero-check c) ℓi : if (c > 0) then goto ℓk else goto ℓm,
4. (Halt) ℓn : HALT,
where c ∈ C and ℓi, ℓk, ℓm ∈ L.
A configuration of a two-counter machine is a tuple (l, c, d) where l ∈ L is an instruction, and c, d are natural numbers that specify the values of counters c1 and c2, respectively. The initial configuration is (ℓ0, 0, 0). A run of a two-counter machine is a (finite or infinite) sequence of configurations 〈k0, k1, . . .〉 where k0 is the initial configuration, and the relation between subsequent configurations is governed by the transitions between the respective instructions. The run is a finite sequence if and only if the last configuration is at the terminal instruction ℓn. Note that a two-counter machine has exactly one run starting from the initial configuration. The halting problem for a two-counter machine asks whether its unique run ends at the terminal instruction ℓn. The halting problem [7] for two-counter machines is undecidable.
For all the undecidability results, we construct a recursive automaton (timed or hybrid, as the case requires) whose main components are the modules for the instructions; the counters are encoded in the variables of the automaton. In these reductions, reaching the exit node of each component corresponding to an instruction is linked to a faithful simulation of the increment, decrement and zero-check instructions of the machine, by choosing appropriate delays to adjust the clocks/variables to reflect changes in counter values. We specify a main component for each type of instruction of the two counter machine, for example Hinc for increment. The entry node and exit node of a main component Hinc corresponding to an instruction [ℓi : c := c + 1; goto ℓk] are respectively ℓi and ℓk. Similarly, a main component corresponding to a zero check instruction [ℓi : if (c > 0) then goto ℓk else goto ℓm] has a unique entry node ℓi and two exit nodes corresponding to ℓk and ℓm respectively. The various main components corresponding to the various instructions, when connected appropriately, give the higher level component HM, and this completes the RHA H. The entry node of HM is the entry node of the main component for the first instruction of M and the exit node is HALT. Player 1 simulates the machine while Player 2 verifies the simulation. Suppose that in each main component, for each type of instruction, Player 1 correctly simulates the instruction by accurately updating the counters encoded in the variables of H. Then the unique run of M corresponds to a unique run in HM. The halting problem of the two counter machine now boils down to the existence of a Player 1 strategy to ensure the reachability of the exit node HALT (and ☺) in HM.¹
For the correctness proofs, we represent runs in the RSA using three different forms of transitions, $s \xrightarrow[t]{g,J} s'$, $s \rightsquigarrow s'$ and $s \xrightarrow[M(V)]{*} s'$, defined in the following way:
1. The transitions of the form $s \xrightarrow[t]{g,J} s'$, where s = (〈κ〉,n,ν), s′ = (〈κ〉,n′,ν′) are configurations of the RHA, g is a constraint or guard on variables that enables the transition, J is a set of variables, and t is a real number, hold if there is a transition in the RHA from vertex n to n′ with guard g and reset set J. Also, ν′ = (ν + r·t)[J := 0], where r is the rate vector of state s.
2. The transitions of the form $s \rightsquigarrow s'$ where s = (〈κ〉,n,ν), s′ = (〈κ′〉,n′,ν′) correspond to the following cases:
• transitions from a call port to an entry node. That is, n = (b, en) for some box b ∈ B and κ′ = 〈κ, (b,ν)〉 and n′ = en ∈ EN while ν′ = ν.
• transitions from an exit node to a return port, which restore the values of the variables passed by value, that is, 〈κ〉 = 〈κ′′, (b,ν′′)〉, n = ex ∈ EX and n′ = (b, ex) ∈ Ret(b) and κ′ = κ′′, while ν′ = ν[P(b) := ν′′].
3. The transitions of the form $s \xrightarrow[M(V)]{t} s'$, called summary edges, where s = (〈κ〉,n,ν), s′ = (〈κ〉,n′,ν′) are such that n = (b, en) and n′ = (b, ex) are call and return ports, respectively, of a box b mapped to M which passes the variables in V by value to M. Here t is the time elapsed between the occurrences of (b, en) and (b, ex); in other words, t is the time elapsed in the component M.
A configuration (〈κ〉,n,ν) is also written as (〈κ〉,n, (ν(x),ν(y))).
4.1 Time Bounded Reachability Games in Unrestricted RTA
Lemma 1 The time bounded reachability game problem is undecidable for recursive timed automata
with at least 3 clocks.
Proof. We prove that the reachability problem is undecidable for unrestricted RTA with 3 clocks. In order to obtain the undecidability result, we use a reduction from the halting problem for two counter machines. Our reduction uses an RTA with three clocks x, y, z.
We specify a main component for each instruction of the two counter machine. On entry into a main component for increment/decrement/zero check, we have $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^{k}}$ and $z = 0$, where c, d are the current values of the counters and k is the current instruction. Note that z is used only to enforce urgency in several locations. Given a two counter machine, we build a 3-clock RTA whose building blocks are the main components for the instructions. The purpose of the components is to simulate faithfully the counter machine by choosing appropriate delays to adjust the variables to reflect changes in counter values. On entering the entry node en of a main component corresponding to an instruction ℓi, we have the configuration $(\langle\varepsilon\rangle, en, (\frac{1}{2^{k+c}3^{k+d}}, \frac{1}{2^{k}}, 0))$ of the three clock RTA.
¹ Hence the set of final nodes is the node HALT together with all nodes labelled ☺.
We discuss the module for incrementing counter c here; more details can be found in [6]. In all the
components, the variables passed by value are written below the boxes and the invariants of the locations
are indicated below them.
Simulate increment instruction: Let's consider the increment instruction ℓi : c := c + 1; goto ℓk. The component for this instruction is the component Inc c given in Figure 3. Assume that $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^{k}}$ and z = 0 at the entry node en1 of the component Inc c. To correctly simulate the increment of counter c, the clock values at the exit node ex1 should be $x = \frac{1}{2^{k+c+2}3^{k+d+1}}$, $y = \frac{1}{2^{k+1}}$ and z = 0. The value of x goes from $x = \frac{1}{2^{k+c}3^{k+d}}$ to $x = \frac{1}{2^{k+c+2}3^{k+d+1}}$ so that c is incremented and the end of the current instruction (the (k+1)-th) is also recorded. Thus $x = \frac{1}{2^{(k+1)+(c+1)}3^{(k+1)+d}}$.
Let $\alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $\beta = \frac{1}{2^{k}}$. We want $x = \frac{\alpha}{12}$ and $y = \frac{\beta}{2}$ at ex1. We utilise the component Div{a,n} (instantiating Div{a,n} with a = x, n = 12 to achieve x = α/12 and with a = y, n = 2 to achieve y = β/2) to perform these divisions. Let's walk through the working of the component Inc c. As seen above, at the entry node en1, we have $x = \alpha$, $y = \beta$ and z = 0.
1. No time is spent at $en_1$ due to the invariant $z = 0$. Div{y,2} is called, passing $x, z$ by value. At the call port of $A_1$ : Div{y,2}, we have the same values of $x, y, z$. Let us examine the component Div{y,2}. We instantiate Div{a,n} with $a = y, n = 2$. Thus, the clock referred to as $b$ in Div{a,n} is $x$ after the instantiation. At the entry node $en_2$ of Div{y,2}, no time is spent due to the invariant $z = 0$; we have $a = y = \beta$, $b = x = \alpha$, $z = 0$. Resetting $b$ (i.e. $x$), we are at the call port of $A_3$ : D. $A_3$ is called, passing $a, z$ by value. A nondeterministic time $t$ is spent at the entry node $en_3$ of D. Thus, at the return port of $A_3$, we have $a = y = \beta$, $b = x = t$, $z = 0$. The return port of $A_3$ is a node belonging to Player 2; for Player 1 to reach ☺, $t$ must be $\frac{\beta}{2}$. Player 2 has two choices to make at the return port of $A_3$: he can continue the simulation, by resetting $a$ (i.e. $y$) and going to the call port of $A_5$ : D, or he can verify whether $t$ is indeed $\frac{\beta}{2}$, by going to the call port of $A_4$.
• Assume Player 2 goes to the call port of $A_4$ : $C_{x=y/2}$ (recall that by the instantiation, $b = x$, $a = y$ and $n = 2$). $z$ is passed by value. At the entry node $en_5$ of $C_{x=y/2}$, no time elapses due to the invariant $z = 0$. Thus, we have $x = b = t$, $a = y = \beta$, $z = 0$ at $en_5$. The component $A_7$ : $M_x$ is invoked, passing $x, z$ by value. At the entry node $en_6$ of $M_b$, a time $1 - t$ is spent, giving $a = y = \beta + 1 - t$, $b = x = t$ and $z = 0$ at the return port of $A_7$. Since $n = 2$, one more invocation of $A_7$ : $M_x$ is made, obtaining $a = y = \beta + 2(1 - t)$, $b = x = t$ and $z = 0$ at the return port of $A_7$ after the second invocation. To reach the exit node $ex_5$ of $C_{x=y/2}$, $a$ must be exactly 2, since no time can be spent at the return port of $A_7$; this is so since the invariant $z = 0$ at the exit node $ex_5$ of $C_{x=y/2}$ is satisfied only when no time is spent at the return port of $A_7$. If $a$ is exactly 2, we have $\beta = 2t$. In this case, from the return port of $A_4$, ☺ can be reached.
• Now consider the case that Player 2 moves ahead from the return port of $A_3$, resetting $a$ (i.e. $y$), to the call port of $A_5$ : D. The values are $a = y = 0$, $b = x = t = \frac{\beta}{2}$ and $z = 0$. $A_5$ : D is invoked passing $b = x$ and $z$ by value. A non-deterministic amount of time $t'$ is spent at the entry node $en_3$ of D, giving $a = y = t'$, $b = x = \frac{\beta}{2}$ and $z = 0$ at the return port of $A_5$. Again, the return port of $A_5$ is a node belonging to Player 2. Here Player 2 thus has two choices: he can continue with the simulation going to $ex_2$, or he can verify that $t' = \frac{\beta}{2}$ by going to the call port of $A_6$ : $C_{y=x}$. $C_{y=x}$ is a component that checks if $y$ has "caught up" with $x$; that is, whether $t' = t = \frac{\beta}{2}$. At the entry node $en_4$ of $C_{y=x}$, $a$ and $b$ can simultaneously reach 1 iff $t = t'$; that is, $t' = \frac{\beta}{2}$. Then, from the return port of $A_6$, we can reach ☺.
• Thus, we reach $ex_2$ with $x = y = \frac{\beta}{2}$, $z = 0$. At the return port of $A_1$ : Div{y,2}, we thus have $x = \alpha$, $y = \frac{\beta}{2}$, $z = 0$.
2. From the return port of $A_1$ : Div{y,2}, we reach the call port of $A_2$ : Div{x,12}. $y, z$ are passed by value. The functioning of $A_2$ is similar to that of $A_1$: at the return port of $A_2$, we obtain $x = \frac{\alpha}{12}$, $y = \frac{\beta}{2}$ and $z = 0$.

[Figure 3: Games on RTA with 3 clocks : Increment c. The figure shows the components Inc c (entry $en_1$ [z=0], boxes $A_1$ : Div{y,2} with (x,z) passed by value and $A_2$ : Div{x,12} with (y,z) passed by value, exit $ex_1$ [z=0]); Div{a,n} with $a, b \in \{x,y\}$ (entry $en_2$ [z=0], boxes $A_3$ : D (a,z), $A_4$ : $C_{b=a/n}$ (z), $A_5$ : D (b,z), $A_6$ : $C_{a=b}$ (z), exit $ex_2$ [z=0], node ☺ [z=0], resets {b} and {a}); D (entry $en_3$, exit $ex_3$); $C_{a=b}$ (entry $en_4$, exit $ex_4$, guards a=1 and b=1); $C_{b=a/n}$ with $a, b \in \{x,y\}$ (entry $en_5$ [z=0], box $A_7$ : $M_b$ (b,z) followed by $n-1$ further calls to $M_b$ with (b,z) passed by value, exit $ex_5$ [z=0], guard a=n); and $M_b$ (entry $en_6$, exit $ex_6$, guard b=1).]
Time taken: Now we discuss the total time to reach a ☺ node or the exit node $ex_1$ of the component Inc c while simulating the increment instruction. At the entry node $en_1$, the clock values are $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^k}$ and $z = 0$. Let $\alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $\beta = \frac{1}{2^k}$. The invariant $z = 0$ at the entry and exit nodes $en_1$ and $ex_1$ ensures that no time elapses in these nodes and also in the return ports of $A_1$ and $A_2$. From the analysis above, it follows that at the return port of $A_1$ : Div{y,2}, $x = \alpha$, $y = \frac{\beta}{2}$ and $z = 0$. Similarly, at the return port of $A_2$ : Div{x,12}, the clock values are $x = \frac{\alpha}{12}$, $y = \frac{\beta}{2}$ and $z = 0$. Thus, counter $c$ has been incremented and the end of instruction $k$ has been recorded in $x$ and $y$. The time spent along the path from $en_1$ to $ex_1$ is the sum of the times spent in $A_1$ : Div{y,2} and $A_2$ : Div{x,12}.
• Time spent in $A_1$ : Div{y,2}. The time spent in $A_3$ : D, as well as in $A_5$ : D, is $\frac{\beta}{2}$. Recall that Player 2 can verify that the times $t, t'$ spent in $A_3, A_5$ are both $\frac{\beta}{2}$. If Player 2 enters $A_4$ to verify $t = \frac{\beta}{2}$, then the time taken there is $2(1 - t)$. In this case, the time taken to reach ☺ from the return port of $A_4$ is $t + 2(1 - t) = 2 - \frac{\beta}{2}$. Likewise, if Player 2 continued from $A_3$ to $A_5$, and goes on to verify that the time $t'$ spent in $A_5$ is also $\frac{\beta}{2}$, then the total time spent before reaching ☺ from the return port of $A_6$ is $t + t' + (1 - t') = 1 + t = 1 + \frac{\beta}{2}$. Thus, if we are back at the return port of $A_1$, the time spent in $A_1$ is $t + t' = \beta$.
• Time spent in $A_2$ : Div{x,12}. Here, the time spent in $A_3$ : D, as well as in $A_5$ : D, is $\frac{\alpha}{12}$. In case Player 2 verifies that the time $t$ spent in $A_3$ : D is indeed $\frac{\alpha}{12}$, he invokes $A_4$. The time elapsed in $C_{y=x/12}$ is $12(1 - t) = 12(1 - \frac{\alpha}{12}) < 12$. Likewise, if Player 2 continued from $A_3$ to $A_5$, and goes on to verify that the time $t'$ spent in $A_5$ is also $\frac{\alpha}{12}$, then the total time spent before reaching ☺ from the return port of $A_6$ is $t + t' + (1 - t') = 1 + t = 1 + \frac{\alpha}{12}$. Thus, if we are back at the return port of $A_2$, the time spent in $A_2$ is $t + t' = \frac{2\alpha}{12}$.
• In general, the component Div{a,n} divides the value in clock $a$ by $n$. If $a = \zeta$ on entering Div{a,n}, then upon exit its value is $a = \frac{\zeta}{n}$. The time taken to reach the exit $ex_2$ is $2 \cdot \frac{\zeta}{n}$. The time taken to reach the node ☺ in Div{a,n} is $< n$ (due to the $n$ calls to the $M_b$ component).
• Total time spent in Inc c. Thus, if we come back to the return port of $A_2$, the total time spent is $\beta + \frac{2\alpha}{12} < 2\beta$, on entering with $y = \beta$. Recall that $x = \alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $y = \beta = \frac{1}{2^k}$, and thus $\alpha \le \beta$ always.
In the zero check instruction, starting with $x = \frac{1}{2^{k+c}3^{k+d}} = \alpha$, $y = \frac{1}{2^k} = \beta$ and $z = 0$, we divide $x$ by 6 and $y$ by 2, to record the $(k+1)$th instruction. [6] gives the details. As in the case of the increment instruction, we show that the main module for the simulation of a zero check instruction also takes a time $< 2\beta$, on entering with $y = \beta$. The module for the decrement instruction for counter $c$ only differs from the Increment c module of Figure 3 in that the call to Div{x,12} is replaced by Div{x,3}, thus updating $x$ from $\frac{1}{2^{k+c}3^{k+d}}$ to $\frac{1}{2^{k+c}3^{k+d+1}}$. Similar is the case of incrementing and decrementing counter $d$.
We obtain the full RTA simulating the two counter machine by connecting the entry and exit of the main components of instructions according to the machine's sequence of instructions. If the machine halts, then the RTA has an exit node corresponding to HALT. Establishing that for the $k$th instruction the time elapsed is no more than $2\beta$, for $\beta = \frac{1}{2^k}$, we have that for the first instruction the time elapsed is at most 2, for the second instruction it is $\frac{2}{2}$, for the third it is $\frac{2}{2^2}$ and so on. It is straightforward to see that the total time duration is bounded from above by $2(1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \frac{1}{16} + \cdots) < 4$.
We now show that the two counter machine halts iff Player 1 has a strategy to reach HALT or ☺. Suppose the machine halts. Then the strategy for Player 1 is to choose the appropriate delays to update the counters in each main component. Now, if Player 2 does not verify (by entering check components) in any of the main components, then the exit $ex_1$ of the main component is reached. If Player 2 decides to verify, then the node ☺ is reached. Thus, if Player 1 simulates the machine correctly, then either the HALT exit or ☺ is reached if the machine halts.
Conversely, assume that the two counter machine does not halt. Then we show that Player 1 has no strategy to reach either HALT or ☺. Consider a strategy of Player 1 which correctly simulates all the instructions. Then ☺ is reached only if Player 2 chooses to verify. But if Player 2 does not choose to verify, then ☺ cannot be reached. The simulation continues and, as the machine does not halt, the exit node HALT is never reached. Now, consider any other strategy of Player 1 which makes an error in the simulation (in the hope of reaching HALT). Player 2 could verify this, and in this case the node ☺ will not be reached, as the delays are incorrect. Thus Player 1 cannot ensure reaching HALT or ☺ with a simulation error. This is because there exists a strategy of Player 2 which can detect the error, and Player 1 thus cannot win against all strategies of Player 2. □
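As an added example (not from the paper), the following Python model of the Inc c component of Figure 3 and of the Div{a,n} gadget uses exact rationals to check the walkthrough above: the clock encoding after an honest increment, the times $2 - \frac{\beta}{2}$ and $1 + \frac{\beta}{2}$ on the two verification paths, that Player 2's check $C_{b=a/n}$ rejects a wrong delay, and the $< 4$ bound on the total time over a run of increments. The names encode, div, inc_c, honest, skewed and run_increments are my own, and the 1/1000 delay skew is a constructed error, not anything in the paper.

```python
from fractions import Fraction as F

def encode(k, c, d):
    """Clock valuation (x, y, z) at the entry node of the main component for
    instruction k with counter values c, d, as in Lemma 1."""
    return F(1, 2 ** (k + c) * 3 ** (k + d)), F(1, 2 ** k), F(0)

def check_b_eq_a_over_n(a, b, n):
    """C_{b=a/n}: n calls to M_b, each elapsing 1-b while a keeps ticking; the exit
    (and hence the target node) is reachable iff a == n afterwards, i.e. iff a == n*b."""
    return a + n * (1 - b) == n, n * (1 - b)         # (passed, time elapsed)

def check_a_eq_b(a, b):
    """C_{a=b}: a and b reach 1 simultaneously iff they were equal on entry."""
    return a == b, 1 - a                              # (passed, time elapsed)

def div(a, n, t, t2, verify=None):
    """Div{a,n}: Player 1 elapses t in A3:D (held in scratch clock b) and t2 in A5:D
    (held in a, reset first). Player 2 continues (None), checks t == a/n in A4 ('A4')
    or checks t2 == t in A6 ('A6'). Returns (outcome, a on exit, time elapsed)."""
    if verify == 'A4':
        ok, dt = check_b_eq_a_over_n(a, t, n)
        return ('target' if ok else 'stuck'), a, t + dt
    if verify == 'A6':
        ok, dt = check_a_eq_b(t2, t)
        return ('target' if ok else 'stuck'), a, t + t2 + dt
    return 'exit', t2, t + t2

def inc_c(x, y, z, delay, verify=(None, None)):
    """Inc c = A1:Div{y,2} then A2:Div{x,12}. delay(a, n) is Player 1's (t, t2);
    verify holds Player 2's choice inside A1 and A2. x is passed by value to A1
    and y to A2, so each Div rewrites only the clock it divides."""
    out, y, time = div(y, 2, *delay(y, 2), verify[0])
    if out != 'exit':
        return out, (x, y, z), time
    out, x, dt = div(x, 12, *delay(x, 12), verify[1])
    return out, (x, y, z), time + dt

def honest(a, n):                   # faithful simulation: both delays equal a/n
    return a / n, a / n

def skewed(a, n):                   # constructed error: both delays 1/1000 too long
    return a / n + F(1, 1000), a / n + F(1, 1000)

def run_increments(k, c, d, steps):
    """Unchecked honest run of `steps` increments of c from instruction k. Returns
    the final valuation, the total time, and whether every step took < 2*beta for
    beta = y on entry, the per-instruction bound behind the geometric-series argument."""
    x, y, z = encode(k, c, d)
    total, bounded = F(0), True
    for _ in range(steps):
        beta = y
        _, (x, y, z), dt = inc_c(x, y, z, honest)
        total, bounded = total + dt, bounded and dt < 2 * beta
    return (x, y, z), total, bounded
```

Note that a consistently skewed pair of delays passes the $C_{a=b}$ check at $A_6$ and is caught only by $C_{b=a/n}$ at $A_4$, which is why Player 2's winning response is to choose the right check rather than any check.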
[Figure 4: Games on Glitchfree-RSA with 4 stopwatches : Increment c. The figure shows the components Inc c (entry $en_1$ [z=0], boxes $A_1$ : Div{y,2} and $A_2$ : Div{x,12}, exit $ex_1$ [z=0]; only z ticks at the entry node and the return ports); Div{a,n} with $a \in \{x,y\}$ (entry $en_2$ [z=0], node $l_1$ where u ticks, node $l_2$ where z ticks, box $A_3$ : $C_{u=a/n}$, node $l_3$ where a ticks, node $l_4$ where z ticks, box $A_4$ : $C_{a=u}$, exit $ex_2$ [z=0], node ☺ [z=0], resets {u} and {a}); $C_{a=u}$ (entry $en_4$ where a, u tick, exit $ex_4$, guards a=1 and u=1); $C_{u=a/n}$ with $a, b \in \{x,y\}$ (entry $en_3$ [z=0], box $A_5$ : $M_u$ followed by $n-1$ further calls to $M_u$, exit $ex_3$ [z=0], reset {b}, guard a=n); and $M_u$ with $a, b \in \{x,y\}$ (entry $en_5$ where a, b, u tick, node $l$ where b, u tick, exit $ex_5$, guards u=1 and b=1 with resets {u} and {b}). Note that the variables that tick in a location are indicated above it. Due to the semantics of RSA, no time elapses in the call ports and exit nodes and hence variable ticking is not mentioned for these locations.]
4.2 Time Bounded Reachability Games in RSA
Lemma 2 The time bounded reachability game problem is undecidable for glitch-free recursive stopwatch automata with at least 4 stopwatches.
Proof. We outline quickly the changes as compared to Lemma 1 for the case of the increment instruction. Figure 4 gives the component for incrementing counter $c$. There are 4 stopwatches $x, y, z, u$. The encoding of the counters in the variables is similar to Lemma 1: at the entry node of each main component simulating the $k$th instruction, we have $x = \frac{1}{2^{c+k}3^{d+k}} = \alpha$, $y = \frac{1}{2^k} = \beta$ and $z = 0$, where $c, d$ are the current values of the counters. We use the extra stopwatch $u$ for rough work and hence we do not ensure that $u = 0$ when a component is entered.
As was the case in Lemma 1, simulation of the $(k+1)$th instruction, incrementing $c$, amounts to dividing $y$ by 2 and $x$ by 12. In Lemma 1, it was possible to pass some clocks by value and some by reference, but here all variables must be either passed by value or by reference. The Div{a,n} module here is similar to that in Lemma 1: the box [$A_3$ : D] in Figure 3 is replaced by the node $l_1$, where only $u$ ticks and accumulates a time $t$. (Recall that $u$ is the stopwatch used for rough work and has no bearing on the encoding.) In node $l_2$, only $z$ ticks. $l_2$ is a node belonging to Player 2. The time $t$ spent at $l_1$ must be exactly $t = \frac{\beta}{2}$, where $\beta = \frac{1}{2^k}$ is the value of $a = y$ on entering Div{y,2}. When $t = \frac{\beta}{2}$, Player 1 can reach ☺ even when Player 2 enters the check module $C_{u=y/2}$. Again, note that the module $C_{u=y/2}$ is similar to the one in Figure 3. We use the clock $x$ (instantiating $b = x$) for rough work in this component. Due to this, the earlier value of $x$ is lost. However, this does not affect the machine simulation, as we reach the node ☺ and the simulation does not continue. $C_{u=y/2}$ calls the component $M_u$: at the entry node $en_5$ (of $M_u$), we have $b = x = 0$, $u = t$ and $a = y = \beta$. $a, b, u$ tick at $en_5$. A time $1 - t$ is spent at $en_5$, obtaining $b = 1 - t$, $u = 0$, $a = \beta + (1 - t)$ at $l$. At $l$, only $b, u$ tick, obtaining $b = 0$, $u = t$, $a = \beta + (1 - t)$ at $ex_5$. A second invocation of $M_u$ gives $b = 0$, $u = t$, $a = \beta + 2(1 - t)$. To reach $ex_3$, $a$ must be exactly 2; we thus need $t = \frac{\beta}{2}$. The time elapsed in one invocation of $M_u$ is 1 time unit; thus a total of $2 + t$ time units elapses before reaching ☺ (via module $C_{u=y/2}$ in Div{a,n}). If Player 2 skips the check at $l_2$ and proceeds to $l_3$, resetting $a$ (i.e. $y$), we have at $l_3$: $z = 0$, $u = t = \frac{\beta}{2}$ and $a = 0$. Only $a$ ticks at $l_3$; $a$ is supposed to "catch up" with $u$ at $l_3$, by elapsing $t = \frac{\beta}{2}$ in $l_3$. Again, at $l_4$, only $z$ ticks. Player 2 can verify whether $a = u$ by going to $C_{a=u}$. The component $C_{a=u}$ is exactly the same as that in Figure 3. A time of $1 - t$ is elapsed in $C_{a=u}$. Thus, the time taken to reach ☺ from $C_{a=u}$ is $t + t + 1 - t = 1 + t$. Thus, the exit node $ex_2$ of Div{a,n} is reached in time $2t = 2 \cdot \frac{\beta}{2} = \beta$. As was the case in Lemma 1, the time taken to reach the exit node of Inc c, starting with $y = \beta$, $x = \alpha$, $z = 0$, is $\beta + \frac{2\alpha}{12} < 2\beta$. Also, the time taken by Div{a,n} on entering with $a = \zeta$ is $\frac{2\zeta}{n}$.
To summarize, the time taken to reach the exit node of the Inc c component is $< 2\beta$, on entering with $y = \beta$. Also, the component Div{a,n} divides the value in clock $a$ by $n$. If $a = \zeta$ on entering Div{a,n}, then upon exit its value is $a = \frac{\zeta}{n}$. The time taken to reach the exit $ex_2$ is $2 \cdot \frac{\zeta}{n}$. The time taken to reach the node ☺ in Div{a,n} is $< n + 1$ (due to the $n$ calls to the $M_u$ component).
The component for the zero check instruction, as in Lemma 1, divides $x$ by 6 and $y$ by 2; similarly, the component for the decrement c instruction divides $y$ by 2 and $x$ by 3. The time to reach the exit node of any component corresponding to an instruction is $< 2\beta$, on entering the component with $y = \beta$. The total time taken for the simulation of the two counter machine here is also $< 4$. Details can be found in [6]. □
The following lemma is an easy corollary of Lemma 1.
Lemma 3 The time bounded reachability game problem is undecidable for unrestricted recursive stopwatch automata with at least 3 stopwatches.
5 Conclusion
The main result of this paper is that the time-bounded reachability game problem for recursive timed automata is undecidable for automata with three or more clocks. We also showed that for recursive stopwatch automata the reachability problem becomes undecidable even for the glitch-free variant with 4 stopwatches, and that the corresponding time-bounded problem is undecidable for automata with 3 stopwatches. The decidability of the time-bounded reachability game for recursive timed automata with 2 clocks is an open problem.
References
[1] Parosh Aziz Abdulla, Mohamed Faouzi Atig & Jari Stenman (2012): Dense-Timed Pushdown Automata. In: LICS, pp. 35–44. Available at http://dx.doi.org/10.1109/LICS.2012.15.
[2] Rajeev Alur, Michael Benedikt, Kousha Etessami, Patrice Godefroid, Thomas W. Reps & Mihalis Yannakakis (2005): Analysis of recursive state machines. ACM Trans. Program. Lang. Syst. 27(4), pp. 786–818. Available at http://doi.acm.org/10.1145/1075382.1075387.
[3] Rajeev Alur & David L. Dill (1990): Automata For Modeling Real-Time Systems. In: ICALP, pp. 322–335. Available at http://dx.doi.org/10.1007/BFb0032042.
[4] Rajeev Alur & David L. Dill (1994): A Theory of Timed Automata. 126, pp. 183–235. Available at http://dx.doi.org/10.1016/0304-3975(94)90010-8.
[5] Kousha Etessami (2004): Analysis of Recursive Game Graphs Using Data Flow Equations. In: VMCAI, pp. 282–296. Available at http://dx.doi.org/10.1007/978-3-540-24622-0_23.
[6] Shankara Narayanan Krishna, Lakshmi Manasa & Ashutosh Trivedi (2014): On The Reachability Problem for Recursive Hybrid Automata with One and Two Players. In: Manuscript, abs/1406.7289. Available at http://arxiv.org/abs/1406.7289.
[7] Marvin L. Minsky (1967): Computation: finite and infinite machines. Prentice-Hall, Inc.
[8] Joël Ouaknine & James Worrell (2010): Towards a Theory of Time-Bounded Verification. In: ICALP (2), pp. 22–37. Available at http://dx.doi.org/10.1007/978-3-642-14162-1_3.
[9] Ashutosh Trivedi & Dominik Wojtczak (2010): Recursive Timed Automata. In: ATVA, pp. 306–324. Available at http://dx.doi.org/10.1007/978-3-642-15643-4_23.
[10] Igor Walukiewicz (1996): Pushdown Processes: Games and Model Checking. In: CAV, pp. 62–74. Available at http://dx.doi.org/10.1007/3-540-61474-5_58.
