Timed Systems through the Lens of Logic by Akshay, S. et al.
Timed Systems through the Lens of Logic
S. Akshay
Department of CSE, IIT Bombay, India
akshayss@cse.iitb.ac.in
Paul Gastin
LSV, ENS Paris-Saclay & CNRS, Université Paris-Saclay
paul.gastin@ens-paris-saclay.fr
Vincent Jugé
LIGM, Université Paris-Est Marne-la-Vallée, CNRS
vincent.juge@u-pem.fr
Shankara Narayanan Krishna
Department of CSE, IIT Bombay, India
krishnas@cse.iitb.ac.in
Abstract
In this paper, we analyze timed systems with data structures. We start by describing behaviors of
timed systems using graphs with timing constraints. Such a graph is called realizable if we can assign
time-stamps to nodes or events so that they are consistent with the timing constraints. The logical
definability of several graph properties [19, 9] has been a challenging problem, and we show, using
a highly non-trivial argument, that the realizability property for collections of graphs with strict
timing constraints is logically definable in a class of propositional dynamic logic (EQ-ICPDL), which
is strictly contained in MSO. Using this result, we propose a novel, algorithmically efficient and
uniform proof technique for the analysis of timed systems enriched with auxiliary data structures,
like stacks and queues. Our technique unravels new results (for emptiness checking as well as model
checking) for timed systems with richer features than considered so far, while also recovering existing
results.
2012 ACM Subject Classification Theory of computation → Quantitative automata; Theory of
computation → Logic and verification; Theory of computation → Timed and hybrid models
Keywords and phrases Timed systems, propositional dynamic logic, Logical definability, Efficient
algorithms, graphs
Funding Partly supported by UMI ReLaX, ANR project TickTac (ANR-18-CE40-0015), DST/INRIA
CEFIPRA project EQuaVe and DST/INSPIRE faculty award [IFA12-MA-017].
1 Introduction
The modeling and analysis of complex real-time systems is a challenging and important
area, both from theoretical and practical points of view. The challenge often stems from the
fact that such models have different sources of infinite behaviors, which makes them highly
expressive but difficult to analyze. On one hand, the timing features engender complex
constraints between events, which allow (or disallow) infinite sets of timed behaviors (over
real numbers) satisfying these constraints. On the other hand, the auxiliary data structures
such as multiple stacks allow a rich expressive power often leading to undecidable verification
problems, even in the absence of time. Thus, each choice of combining these components of
real-time and specific data structures leads to rich models whose analysis is complicated and
often intractable.
The analysis of timed systems without any additional data structures has often been done
using well-accepted models like timed automata [7], where clocks are real-valued variables that
are reset and checked at guards. The classical approach to analyze such timed automata is
Figure 1 (figure not reproduced): labeled linear graph Gσ of a sequence of instructions σ = nop w(d1) w(d2) w(d2) r(d1) w(d1) r(d2) w(d1) r(d2) r(d1) nop r(d1) from a system having two data structures (a stack d1 and a queue d2). Each node carries its instruction as a label ({nop}, {w(d1)}, {w(d2)}, ...), and d1-edges and d2-edges match each write with the read that consumes it.
Figure 2 (figure not reproduced). Left: labeled linear graph Gτ obtained from a sequence of timed instructions τ. For readability, the nodes are numbered 1 to 10 and their instruction labels are written below them: 1: nop, x := 0, y := 0; 2: w(d), x = 0; 3: nop, y := 0; 4: w(d), y ≤ 1; 5: r(d), 2 < d − y; 6: nop, x := 0; 7: w(d); 8: r(d), 4 < d ≤ 5, 2 ≤ x; 9: nop, y − x < 6; 10: r(d), x − d < 3; d-edges match each write with its read. Right: the corresponding weighted graph Gτ on nodes 1 to 10, whose constraint edges carry the labels ≤ 0, ≤ 0, < −2, ≤ 1, < 6, ≤ 5, < −4, < 3, ≤ −2 (the edge endpoints are not recoverable here).
by abstracting the real-timed system using the so-called region abstraction into a finite-state
automaton preserving emptiness. Several variants and extensions of this basic model have
been considered over the years, for instance using event-clocks [8] or diagonal constraints,
or even by allowing (non-) deterministic updates of clocks. Subsequently, there has been a
growing body of work [2, 1, 5, 6, 14, 15, 16, 17, 25] towards adding auxiliary data structures
like stacks [27, 4, 3] or queues [3] to such timed automata. In all these, the techniques used to
solve the emptiness problem were specific and tailor-made to the choice of the data structure,
kind of constraints and updates that are allowed. Our goal is to introduce a novel and uniform
approach for reasoning about such timed systems which allow rich timing features along
with several types of auxiliary data structures at the same time. This technique captures the
behaviors of the underlying model as graphs (see [3]) and examines the logical definability of
certain properties over these graphs.
We start by abstracting a run of a system, be it timed or not, as a sequence of instructions.
When the system has a data structure d such as a stack, these instructions may write to
d (denoted w(d)) or read from d (r(d)). The behavior is modeled as a linear graph (the
sequence of instructions), with instruction labels and with additional data-structure edges
matching writes with corresponding reads, as illustrated in Figure 1. When the system is
timed, instructions may also reset clocks (x := 0), check guards (x < 3), etc. These timing
instructions are recorded as additional labels in the linear graph without a priori being
interpreted as edges, as shown on Figure 2 (left). This allows us to decouple the behavior of the
underlying untimed system from the timing constraints that must be realized for the run
to be feasible.
Our first contribution is to show that non-emptiness of a timed system T can be reduced
to the satisfiability of a formula ΦT over such labeled linear graphs, which we call T -graphs.
A T -graph Gτ obtained from a sequence of instructions τ , as depicted in Figure 2 (left), is a
witness of non-emptiness of T if it satisfies three properties:
1) The sequence of instructions τ can be generated by T . Since the system T is usually
described with a finite automaton where transitions are labeled with instructions, T induces
a regular language of instruction sequences which can easily be captured by (Φ1) in our logic.
2) The data-structure edges should comply with the sequence of instructions. Intuitively, a
node labeled with w(d) (resp. r(d)) should have an outgoing (resp. incoming) d-edge. If the
data structure d is a stack (resp. queue), then d-edges should be well-nested, i.e., satisfy the
LIFO (resp. FIFO) policy. It is known that compliance with stack or queue data-structures
can be expressed (Φ2) in our logics [10].
3) The real-time constraints induced by the timing instructions should be realizable, i.e., it is
possible to timestamp the nodes of G with some real numbers so that all timing constraints
are satisfied. The second main contribution of this paper is to show that realizability can be
expressed (Φ3) in our logic.
We use a light-weight propositional dynamic logic called EQ-ICPDL for the logical defin-
ability. Writing formulae for our systems in EQ-ICPDL is rather intuitive and improves
readability in several cases compared to the classical MSO. On a technical note, it is known
that EQ-ICPDL is a strict fragment of MSO, and gives us a more tractable complexity than
MSO (avoiding a non-elementary blowup).
We show that realizability can be expressed in EQ-ICPDL in two steps. First, from the
T -graph Gτ , we define a weighted graph Gτ which retains only the timing constraints induced
by the timed instruction sequence τ . For instance, in Figure 2, the T -graph Gτ is on the left
and the associated weighted graph Gτ on the right. In Gτ , an edge from node i to node j
labeled < 6 means that the difference t(j)− t(i) between the timestamps assigned to i and j
should be less than 6. We prove that the weighted graph Gτ can be EQ-ICPDL-interpreted in
the graph Gτ . This holds for all timing features that we consider. Second, we prove that
realizability of weighted graphs is expressible in EQ-ICPDL, say with Φ′3. Since weighted
graphs Gτ can be EQ-ICPDL-interpreted in T -graphs Gτ , we can backward translate Φ′3 into
some EQ-ICPDL formula Φ3 expressing realizability over T -graphs. Finally, non-emptiness of
T is equivalent to satisfiability of ΦT = Φ1 ∧ Φ2 ∧ Φ3.
Our logical characterization of realizability for weighted graphs is highly non-trivial. It
is easier when the underlying system only has closed guards, but we go beyond this and
prove that realizability is also definable in EQ-ICPDL in the presence of both open and closed
guards. On the other hand, we show that, without the linear order, realizability is not
definable in MSO. In fact, we show that this already holds for graphs with a partial order of
width (i.e., size of the largest anti-chain) 2, thus proving a tight characterization.
Our third contribution is to show how the two results above can be combined with
existing techniques to give an effective algorithm for checking emptiness of several classes of
timed systems. First, observe that the above two contributions do not immediately imply
that checking emptiness of the system is decidable, as satisfiability of EQ-ICPDL formulae
over arbitrary collections of graphs is undecidable. This is expected, since, even in the
untimed case, having a single queue or two stacks as data structures leads to undecidability
of emptiness. However, we can now consider under-approximations, as classically done for
untimed systems. One such under-approximation is to consider collections of T -graphs that
have a fixed bound on the tree-width. Such T -graphs can now be interpreted into trees and
we can use the fact that checking satisfiability for EQ-ICPDL (with bounded intersection
width) over trees is decidable in EXPTIME. This gives us a matching EXPTIME algorithm
for checking emptiness of timed systems whose graph behaviors have a bounded tree-width.
Using this approach, we retrieve many known results on timed systems with data structures,
and also obtain new results. Our approach captures with élan the intricate flow and exchange
of information between data structures and clocks, see Section 5.
Related work Our technique is orthogonal to the theory of timed systems via the region
construction as well as to other related approaches. In the untimed setting, the closest
work to ours is in [27, 4], where generic approaches for decidability via logic and tree-width
have been developed for automata with data structures in the untimed setting. There have
been several papers on the decidability of timed systems with a single stack: [11, 2] deal
with specific timing constraints, while [15, 16] use the language of timed atoms to specify
and analyze an orthogonal but powerful extension to timed registers. In [17], a NEXPTIME
bound is shown in this setting by reduction to one-dimensional branching vector addition
systems. However, all these works are restricted to a single stack, while we tackle several
data structures including multiple stacks, queues. Many recent papers [16, 14, 1] consider
complex constraints between data structures and clocks. In these papers, there are time
constraints between data structures d1, d2, between clocks, and also between a clock c and a
data structure d. All of these can be modeled easily in our case, as can be seen in Section 5.
Our work is also related to [5, 6], where the behaviors of timed systems with stacks are
modeled as graphs having data-structure edges as well as time constraint edges. The presence
of two types of edges necessitates a fresh proof of the bound on tree-width for each kind
of timing feature. On the contrary, we directly inherit the bound on tree-width established
in the untimed setting. The other main difference is that [5, 6] directly build tree automata
instead of going via logic. Using logic instead of directly building a tree automaton allows us
to have a simpler higher level approach which is easier to write and less technical.
The logic we use builds on Propositional Dynamic Logic, a classical logic to reason about
programs [22]. The extension with loop, intersection and converse was explored in [24],
where complexity bounds were shown for satisfiability and model checking. We inherit these
complexity bounds. However, to the best of our knowledge, this is the first time this logic has
been used in the analysis of timed systems. Further, even with MSO logic (a strictly more
powerful and well-known logic), the characterization of realizability in MSO over graphs of
timed systems was open, as mentioned in [5]: we settle this problem in this paper.
2 Preliminaries
Node- and edge-labeled graphs Let Σ and Γ be two alphabets. Nodes will be labeled with
Σ and edges with Γ. A (Σ,Γ)-labeled graph is a tuple G = (V,E, λ) where V is a finite set
of vertices, λ : V → 2Σ labels vertices with (sets of) letters from Σ and E ⊆ V × Γ× V is
the set of labeled edges. A vertex may have 0, 1 or several labels from Σ. For γ ∈ Γ, we
let Eγ = {(u, v) : (u, γ, v) ∈ E} be the set of edges labeled γ. G(Σ,Γ) denotes the set of
(Σ,Γ)-labeled graphs.
In this paper, graphs model behaviors of sequential systems. Hence, we have a special
symbol succ in Γ to define the successor relation Esucc of a total order on V . We simply write
u ≺· v instead of (u, v) ∈ Esucc. We call these graphs linear; we let ≼ = ≺·* be the linear order
induced by ≺· and we write ≺ = ≺·⁺ for the strict order. The other edges Eγ, with γ ∈ Γ \ {succ},
are used to model other useful relations in the graph, for instance the matching push-pop
relation if we are interested in pushdown systems.
Propositional dynamic logic over labeled graphs We define now the logic that we will use
to specify properties of graphs. We use a variant of the propositional dynamic logic [22].
This logic is sufficiently expressive for our purposes and enjoys good complexity for the
satisfiability problem, rather than the more expressive monadic second order logic (MSO)
which has a much higher complexity. The logic ICPDL(Σ,Γ) is defined over Σ (often seen as
propositional variables), and Γ (often seen as atomic programs).
Figure 3 (figure not reproduced): a node- and edge-labeled graph with six nodes in successor order, labeled {p, s}, {q, s}, {p, q}, {r}, {q}, {q, s}, together with non-successor edges labeled d, e, f and c.
Syntax We have the following, with p ∈ Σ and γ ∈ Γ:
Φ ::= E σ | ¬Φ | Φ ∨ Φ
σ ::= ⊤ | p | σ ∨ σ | ¬σ | ⟨π⟩σ | loop(π)
π ::= −γ→ | test{σ} | π + π | π · π | π* | π⁻¹ | π ∩ π
In ICPDL, C stands for converse (π⁻¹) and I for intersection (π ∩ π). We also consider LCPDL
which is the fragment with loop but without intersection, since it has better complexity, as
stated in Theorem 2. We also write CPDL or PDL with the obvious meaning. In the syntax
above, Φ are sentences and E is the existential node quantifier. The universal node quantifier
Aσ is written ¬E¬σ. Formulae σ are called node or state formulae and have one implicit
free first-order variable, while formulae π are called path or program formulae and have two
implicit free first-order variables, the endpoints of the path.
Semantics Given a (Σ,Γ)-labeled graph G = (V,E, λ), we can write the semantics of the
formulae. The semantics of a state formula σ is a set ⟦σ⟧_G ⊆ V, while the semantics of a
path formula π is a binary relation ⟦π⟧_G ⊆ V². Their definitions are mutually inductive. If
the graph G is clear from the context, we omit subscripts and simply write ⟦σ⟧ and ⟦π⟧.
The base cases for path formulae are ⟦−γ→⟧ = Eγ and ⟦test{σ}⟧ = {(v, v) : v ∈ ⟦σ⟧}. The
operations +, ∩, ·, * correspond to rational expression notations, interpreted respectively as
union, intersection, concatenation and Kleene star of the respective relations. Finally, the
converse is defined by ⟦π⁻¹⟧ = {(u, v) : (v, u) ∈ ⟦π⟧}.
The base cases for state formulae are ⟦⊤⟧ = V and ⟦p⟧ = {v ∈ V : p ∈ λ(v)}, where
p ∈ Σ. Disjunction and negation correspond to union and complement. We let ⟦loop(π)⟧
consist of the vertices v ∈ V from which there is a loop following path π, i.e., such that
(v, v) ∈ ⟦π⟧. Similarly, we let ⟦⟨π⟩σ⟧ consist of the vertices u ∈ V from which it is possible to
follow the path π and reach a vertex satisfying σ, i.e., (u, v) ∈ ⟦π⟧ for some v ∈ ⟦σ⟧. We often
write ⟨π⟩ instead of ⟨π⟩⊤. A sentence Eσ states that there exists a vertex of G satisfying σ,
i.e., G |= Eσ if ⟦σ⟧_G ≠ ∅. Disjunction and negation of sentences are as usual.
While ICPDL allows intersection, loop and converse, we also look at EQ-ICPDL where we
allow existential quantification over new propositional variables in a similar spirit as in [26].
Thus, formulae of EQ-ICPDL(Σ,Γ) have the form Ψ = ∃p1, . . . , pn Φ where AP = {p1, . . . , pn}
is disjoint from Σ and Φ ∈ ICPDL(Σ ⊎ AP, Γ). The semantics is defined by G = (V, E, λ) |=
∃p1, . . . , pn Φ if there exists λ′ : V → 2AP such that (G,λ′) = (V,E, λ∪λ′) |= Φ. For formulae
Ψ in ICPDL(Σ,Γ) or EQ-ICPDL(Σ,Γ), we let L(Ψ) = {G ∈ G(Σ,Γ) : G |= Ψ}.
I Example 1. We illustrate the semantics of ICPDL(Σ,Γ) using Figure 3. We have a node-
and edge-labeled graph, with node labels Σ = {p, q, r, s} and edge labels Γ = {d, e, f, succ}.
In path formulae, we simply write → instead of −succ→. The formula E⟨(test{p ∨ q} · →)*⟩ r
evaluates to true on the given graph: the leftmost node is a witness. Likewise, the formula
¬E⟨→⟩(p ∧ s) is also true, since there are no nodes in the graph whose successors are labeled
both p and s. Let Δ = Γ \ {succ}. The formula E ⋁_{(d,d′)∈Δ², d≠d′} loop(−d→ · (−d′→)⁻¹) is not
true since all the non-successor edges are labeled by a unique symbol. Finally, the formula
E⟨test{s} · −e→ · test{r} · −f→ · test{s} · (−d→)⁻¹ · −c→⟩ p is true, while E⟨test{p} · −d→⟩ r is not.
Satisfiability of propositional dynamic logic The following definitions and results will be
used in Section 4.3. Over arbitrary graphs, the satisfiability problem for PDL is undecidable.
On the other hand, when we restrict to graphs of bounded tree-width, then the satisfiability
problem becomes decidable with elementary complexity. We explain this now. Tree-width
is a well-known measure for graphs [28]. We say that a labeled graph G = (V,E, λ) has
tree-width k if the underlying unlabeled graph has tree-width k. We will not need the formal
definition of tree-width in this paper, so it is omitted. We denote by Gk(Σ,Γ) the graphs in
G(Σ,Γ) having tree-width at most k.
Below is one of the main theorems that we use in this paper. It refers to the intersection
width of an EQ-ICPDL formula, which is the maximum of the intersection widths of its path
subformulae: the intersection width of path formulae is defined inductively by iw(−γ→) =
iw(test{σ}) = 1, iw(π₁ + π₂) = iw(π₁ · π₂) = max(iw(π₁), iw(π₂)), iw(π⁻¹) = iw(π*) = iw(π),
and iw(π₁ ∩ π₂) = iw(π₁) + iw(π₂). Hence, a formula in LCPDL has intersection width 1.
I Theorem 2 (Satisfiability). Given k ≥ 1 in unary and a formula Ψ in EQ-ICPDL(Σ,Γ) of
intersection width bounded by a constant, checking whether G |= Ψ for some G ∈ Gk(Σ,Γ)
can be solved in EXPTIME.
This is a consequence of a similar result over trees due to Göller, Lohrey and Lutz [24,
Theorem 3.8]. Indeed, graphs of tree-width at most k can be represented by binary trees
which are called k-terms. Moreover, for each formula Ψ ∈ ICPDL(Σ,Γ) we can construct an
ICPDL formula Ψ_k of size O(k²|Ψ|) over k-terms such that, for all k-terms τ, we have τ |= Ψ_k
iff ⟦τ⟧ |= Ψ, where ⟦τ⟧ is the graph denoted by the k-term τ [10]. Hence, satisfiability of Ψ
over Gk(Σ,Γ) is reduced to satisfiability of Ψk over k-terms.
Graph interpretation and backward translation [20, 10] The following definitions and
results will be used in Section 4.2. We consider two signatures (Σ,Γ) and (Σ′,Γ′). Intuitively,
a graph G′ ∈ G(Σ′,Γ′) is interpreted in a graph G ∈ G(Σ,Γ) if we have formulae over the
signature (Σ,Γ) which, when evaluated on G, express nodes, labels and edges of G′. In this
paper, we use CPDL interpretations, which means that the formulae for the interpretation are
in CPDL(Σ,Γ). Also, we only need interpretations when the graphs G and G′ have the same
set of nodes. In this simple case, an interpretation I is given by a tuple of state formulae
(σ_p)_{p∈Σ′} and a tuple of path formulae (π_γ)_{γ∈Γ′}, all in CPDL(Σ, Γ). Now, we say that a
graph G′ = (V,E′, λ′) ∈ G(Σ′,Γ′) is I-interpreted in the graph G = (V,E, λ) ∈ G(Σ,Γ) if,
for all u, v ∈ V , all p ∈ Σ′ and all γ ∈ Γ′, we have p ∈ λ′(u) iff G, u |= σp and (u, γ, v) ∈
E′ iff G, u, v |= piγ . In this case, we write G′ = I(G).
Interpretations allow for a backward translation theorem: for each formula Ψ′ ∈ EQ-ICPDL(Σ′,Γ′),
we can construct a formula Ψ ∈ EQ-ICPDL(Σ,Γ) such that, for all graphs G ∈ G(Σ,Γ), we
have I(G) |= Ψ′ iff G |= Ψ. The formula Ψ is obtained from Ψ′ by replacing the atomic state
formulae p with σ_p (for p ∈ Σ′) and the atomic path formulae −γ→ with π_γ (for γ ∈ Γ′). Hence,
Ψ and Ψ′ have same intersection width and |Ψ| ≤ |Ψ′| ·max{|σp|, |piγ | : p ∈ Σ′, γ ∈ Γ′}.
3 Logical definability of realizability
Weighted graphs We consider linear weighted graphs where node labels are irrelevant,
i.e., Σ = ∅, and edges are labeled with constraints of the form < α or ≤ α, where α ∈ Z,
i.e., Γ = {succ} ∪ ({<,≤} × Z). Since node labels are irrelevant, a linear weighted graph
is simply denoted G = (V,E). Often we use a maximal constant M ∈ N and let ΓM =
{succ} ∪ ({<,≤} × {−(M − 1), . . . , 0, . . . ,M − 1}). A graph G ∈ G(∅,ΓM ) is called M
weight-bounded. If we only compare using ≤, i.e., if there are no edges of the form (u,<, α, v),
then we say that the graph is closed or a graph with closed constraints. Otherwise, we call it
a mixed weighted graph or a graph with mixed constraints.
Figure 4 (figure not reproduced): a realizable linear weighted graph obtained from a sequence of instructions of a
timed system, with instruction labels y := 0, x := 0, x > 2, 3 ≤ y − x < 4, x := 0, 1 < x ≤ 3, y − x ≤ 6, and induced
constraint edges labeled < −2, < 4, ≤ −3, ≤ 6, ≤ 3, < −1. x, y are real-valued variables called clocks. x := 0 (y := 0)
denotes reset instructions. Changing the last instruction to y − x ≤ 5 gives a non-realizable weighted graph. The
non-realizability follows from (i) there is a time elapse of more than 5 between the first and third nodes, (ii) the time
elapse is at most 5 between the first and fourth nodes, and (iii) time is monotone, hence there is at least zero time
elapse between the third and fourth nodes. This gives a negative cycle between the first and fourth nodes.
Realizability One important property of interest, which is the focus of this paper, is
realizability. The property of realizability asks whether the constraints defined by the weights
can be satisfied in a manner that is consistent with the order.
I Definition 3. A weighted graph G is realizable if there exists a time-stamp map ts : V → ℝ
such that (i) all constraints are satisfied: ∀(u, ◁, α, v) ∈ E with ◁ ∈ {<, ≤}, ts(v) − ts(u) ◁ α, and (ii) ts is
monotone w.r.t. the linear order: ∀u, v ∈ V, if u ≼ v, then ts(u) ≤ ts(v).
If G is realizable via a map ts, then we say that ts is a realization of G. Note that the
monotonicity could have been enforced by adding more constraint edges: when u ≺· v we
could have added an edge (v,≤, 0, u). With these extra constraints, realizability corresponds
to checking the feasibility of the difference constraints. This is a classical problem on graphs
which amounts to checking the absence of a negative cycle (see [18] for more details). There
are many algorithms to solve this problem, e.g., the Bellman-Ford shortest path algorithm.
Finally, as a quick aside, note that if we have reflexive edges (u, /, α, u) ∈ E, checking
realizability for these constraints is always vacuously true or false for all possible time-stamps,
and is easy. A realizable linear weighted graph obtained from a sequence of instructions of a
timed system is depicted in Figure 4.
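The negative-cycle check just described, as an added Python example (this is not code from the paper). A strict bound < α is treated as α − ε for an infinitesimal ε, so every weight is a pair (α, k) read as α + kε and compared lexicographically; Bellman-Ford from a virtual source over the constraint edges plus the monotonicity back edges then decides realizability for mixed constraints (a cycle of total weight 0 that contains a strict edge is correctly reported as negative), and the shortest-path potentials, with ε instantiated as 1/(n+1), give an explicit realization as exact rationals. The graphs G1, G2, G3 are constructed for this example and are not the paper's figures.

```python
from fractions import Fraction

# A linear weighted graph on nodes 0..n-1 (u_0 <. u_1 <. ... <. u_{n-1}).
# An edge (u, rel, alpha, v) encodes the constraint  ts(v) - ts(u) rel alpha,
# with rel in {"<", "<="} and alpha an integer.

def _weight(rel, alpha):
    # Strict bounds are handled as alpha - epsilon for an infinitesimal epsilon.
    # Weights are pairs (alpha, k) read as alpha + k*epsilon and compared
    # lexicographically, so a cycle of total weight (0, -1) is negative.
    return (alpha, -1 if rel == "<" else 0)

def realize(n, edges):
    """Bellman-Ford over the constraint graph plus monotonicity edges.

    Returns a list of Fractions ts with ts[i] <= ts[i+1] satisfying every
    edge, or None when the graph has a negative cycle (not realizable)."""
    cons = [(u, _weight(rel, alpha), v) for (u, rel, alpha, v) in edges]
    # Monotonicity ts(u_i) <= ts(u_{i+1}) is the back edge (u_{i+1}, <=, 0, u_i).
    cons += [(i + 1, (0, 0), i) for i in range(n - 1)]
    # Virtual source at distance (0, 0) from every node; its edges are already relaxed.
    dist = [(0, 0)] * n
    for _ in range(n):
        changed = False
        for (u, w, v) in cons:
            cand = (dist[u][0] + w[0], dist[u][1] + w[1])
            if cand < dist[v]:
                dist[v] = cand
                changed = True
        if not changed:
            break
    else:
        # Still relaxing after n rounds: a negative cycle, i.e. a set of
        # constraints that no real-valued time-stamping can satisfy.
        return None
    # Shortest paths use at most n-1 constraint edges, so every epsilon count
    # lies in [-(n-1), 0] and epsilon = 1/(n+1) keeps all strict bounds strict.
    eps = Fraction(1, n + 1)
    return [Fraction(a) + b * eps for (a, b) in dist]

def satisfies(n, edges, ts):
    """Independent check of Definition 3 for a candidate time-stamping."""
    if ts is None or any(ts[i] > ts[i + 1] for i in range(n - 1)):
        return False
    for (u, rel, alpha, v) in edges:
        d = ts[v] - ts[u]
        if not (d < alpha if rel == "<" else d <= alpha):
            return False
    return True

# Constructed examples (not from the paper): four nodes, weights bounded by M = 4.
# G1: ts(u_2) in (ts(u_0)+2, ts(u_0)+3] and ts(u_3) in [ts(u_1)+1, ts(u_1)+2): realizable.
G1_EDGES = [(0, "<=", 3, 2), (2, "<", -2, 0), (1, "<", 2, 3), (3, "<=", -1, 1)]
# G2: same, but ts(u_3) - ts(u_1) < 1 together with >= 1; the cycle u_1 -> u_3 -> u_1
# has total weight 0 with a strict edge, so it is negative and G2 is not realizable.
G2_EDGES = [(0, "<=", 3, 2), (2, "<", -2, 0), (1, "<", 1, 3), (3, "<=", -1, 1)]
# G3: closing that strict edge restores realizability (ts(u_3) = ts(u_1) + 1 is allowed).
G3_EDGES = [(0, "<=", 3, 2), (2, "<", -2, 0), (1, "<=", 1, 3), (3, "<=", -1, 1)]

if __name__ == "__main__":
    for name, g in (("G1", G1_EDGES), ("G2", G2_EDGES), ("G3", G3_EDGES)):
        ts = realize(4, g)
        print(name, "not realizable" if ts is None else "realizable %s" % ts)
```

For G1 the potentials are (−2, −1), (−1, 0), (0, 0), (0, 0), hence ts = (−11/5, −1, 0, 0) once ε = 1/5 is substituted; the pair encoding is the same trick used in difference-bound matrices for strict clock constraints.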
3.1 The first main result: logical definability of realizability
We are interested in properties of (possibly infinite) collections of such graphs, presented in
a finite fashion. In particular, we wish to view graphs as being generated by an automaton,
i.e., as behaviors of a system, and we wish to reason about this set of graphs. From this
automata-theoretic viewpoint, a natural question to ask is whether the properties that we
wish to reason about are definable in a certain logic. We focus on the specific property of
realizability in weighted graphs and study its definability in EQ-ICPDL in our first main
result below. In the next section, we will explain far-reaching consequences of our logical
characterization, and in particular its application for checking emptiness of timed systems.
I Theorem 4. Realizability is EQ-ICPDL definable on the set of graphs G(∅,ΓM ). The size
of the formula is polynomial in M and its intersection width is 2.
We prove the above theorem in two steps: in Subsection 3.1.1, we consider closed graphs
and show that the logical definition is rather easy for them. Then, in Subsection 3.1.2, we
consider graphs with mixed constraints.
Throughout the proof, given a linear weighted graph G = (V,E) with |V | = n, we let
V = {u1, . . . , un} with u1 ≺· u2 ≺· · · · ≺· un. We start with a simple observation regarding the
time-stamps witnessing realizability in weighted graphs. Given an M weight-bounded graph
G = (V, E), a mapping ts : V → ℝ is said to be slowly monotone if 0 ≤ ⌊ts(v)⌋ − ⌊ts(u)⌋ ≤
M − 1 whenever u ≺· v, where ⌊x⌋ denotes the integral part (floor) of the real number x. If
a realization of a graph G is not slowly monotone, then there must exist two consecutive
points whose integral parts differ by at least M, hence whose time-stamps are separated by
more than M − 1. But in this case there can be no forward edge (i.e., upper bound) that crosses
this point, and hence the time difference between them can be reduced to any value larger
than M − 1 without affecting realizability.
Formally,
I Lemma 5. A graph G = (V,E) in G(∅,ΓM ) is realizable iff there is a slowly monotone
map ts : V → R that realizes G.
Proof. Let G = (V, E) ∈ G(∅, ΓM) be realizable. Then there exists a map ts′ : V → ℝ such
that all constraints are satisfied and ts′ is monotone w.r.t. ≼.
A large gap in ts′ is an integer i < n such that ⌊ts′(u_{i+1})⌋ − ⌊ts′(u_i)⌋ ≥ M. First, if ts′
has no large gap, then ts′ is slowly monotone and we are done. Henceforth, we assume that
ts′ has at least one large gap, and we prove Lemma 5 by backward induction on the smallest
large gap of ts′.
Let i be the smallest large gap of ts′. Notice that ts′(u_{i+1}) − ts′(u_i) > M − 1. Since ts′ is
a realization of G, there cannot exist a forward edge (u, ◁, α, v) ∈ E crossing (u_i, u_{i+1}), i.e.,
such that u ≼ u_i ≺· u_{i+1} ≼ v, since α ≤ M − 1 contradicts the satisfaction of constraints. The
back edges (u, ◁, α, v) ∈ E crossing over (u_i, u_{i+1}), i.e., v ≼ u_i ≺· u_{i+1} ≼ u, are all satisfied
since ts′(v) − ts′(u) ≤ ts′(u_i) − ts′(u_{i+1}) < 1 − M ≤ α. Now, if we reduce the difference
ts′(u_{i+1}) − ts′(u_i) to any value larger than M − 1, then the constraints on back edges are still
satisfied. Hence, we choose t > ts′(u_i) + M − 1 such that ⌊t⌋ = ⌊ts′(u_i)⌋ + M − 1 and we
define
ts′′(w) = ts′(w) if w ≼ u_i, and ts′′(w) = t + ts′(w) − ts′(u_{i+1}) otherwise.
We can check that ts′′ is a monotone time-stamping satisfying all constraints of G. Moreover,
all large gaps of ts′′, if any, are greater than i. By backward induction, we conclude that
there exists a monotone time-stamping ts satisfying all constraints of G and having no large
gap. Note indeed that the ts values themselves can be arbitrarily large, but the difference
between integral parts of consecutive points is at most M − 1. J
Let us see the above Lemma in action on an example. Consider the weighted graph in
Figure 5 with map ts : V → ℝ which has a single large gap. We will apply Lemma 5 to show
that we can replace ts with a slowly monotone map ts′. For the example, we have M = 3.
The large gap is between time-stamps 0.2 and 3.1 (integral parts 0 and 3). The value t of the
proof is chosen as any value > 0.2 + 2 = 2.2 with ⌊t⌋ = 2. Let t = 2.3. We then replace the
time-stamp 3.1 by 2.3. Indeed, this new time-stamp satisfies the constraint ≤ −1 of the gap
(2.3 − 0.2 ≥ 1). Had we tried any other time-stamp satisfying the constraint ≤ −1, for instance
1.3 instead of 2.3, we might fail to satisfy the constraint < −2 between the first and third
time-stamps. Thus, reducing the time difference to be just more than M − 1 is a safe choice
whenever we have a large gap. We propagate the reduction by 0.8 (3.1 ↦ 2.3) to the subsequent
time-stamps as well, so that the relative time differences are not affected. This gives us the
slowly monotone map ts′.
Figure 5 (figure not reproduced): replacing large gaps. Five nodes in successor order carry the
constraint edges < −2, ≤ −1, ≤ 1, < −2 (the edge ≤ −1 goes from the third node back to the second,
the edge < −2 discussed in the text from the third node back to the first; the remaining endpoints are
not recoverable here). The time-stamps before and after the replacement are:
node    1    2    3    4    5
ts      0    0.2  3.1  3.8  5.2
⌊ts⌋    0    0    3    3    5
ts′     0    0.2  2.3  3.0  4.4
⌊ts′⌋   0    0    2    3    4
Next, we have a crucial definition on general weighted graphs. Given an M weight-
bounded linear graph G = (V, E), a time-stamping modulo M is a map tsm : V → ℤ_M =
{0, . . . , M − 1}. For all u, v ∈ V, we set d_tsm(u, v) = (tsm(v) − tsm(u)) mod M. Further,
(u, v) is said to be tsm-big if there exist w₁, w₂ ∈ V such that u ≼ w₁ ≺ w₂ ≼ v and
d_tsm(u, w₁) + d_tsm(w₁, w₂) ≥ M. Observe that, if v ≺ u, then (u, v) cannot be tsm-big.
I Definition 6. A time-stamping modulo M tsm is said to weakly satisfy G = (V,E) if for
all e = (u, /, α, v) ∈ E,
(a) if u ≼ v, then (u, v) is not tsm-big and d_tsm(u, v) ≤ α;
(b) if v ≺ u then (v, u) is tsm-big or d_tsm(v, u) ≥ −α.
Lemma 9 below shows that for linear weighted graphs, existence of such a map is a
necessary condition for realizability. But first, we establish some useful facts. Recall that
V = {u₁, . . . , u_n} with u₁ ≺· u₂ ≺· · · · ≺· u_n. For i ≤ j, we also define d⁺_tsm(u_i, u_j) =
min{M, d_tsm(u_i, u_{i+1}) + · · · + d_tsm(u_{j−1}, u_j)} and d⁺_tsm(u_j, u_i) = −d⁺_tsm(u_i, u_j). Notice that
we have d⁺_tsm(u_i, u_i) = 0.
B Claim 7. Let G = (V, E) ∈ G(∅, ΓM) and let ts : V → ℝ be a slowly monotone map
(which need not satisfy the constraints of G). Define tsm : V → ℤ_M by tsm(v) = ⌊ts(v)⌋
mod M for all v ∈ V. Then, for all u, v ∈ V such that u ≼ v, we have d⁺_tsm(u, v) =
min{⌊ts(v)⌋ − ⌊ts(u)⌋, M}. Furthermore, we have d⁺_tsm(u, v) = M if (u, v) is tsm-big, and
d⁺_tsm(u, v) = d_tsm(u, v) otherwise.
Proof. First, d_tsm(u_i, u_j) = ((⌊ts(u_j)⌋ − ⌊ts(u_i)⌋) mod M) ≤ ⌊ts(u_j)⌋ − ⌊ts(u_i)⌋ for all i ≤ j.
Since ts is slowly monotone, we know that ⌊ts(u_{i+1})⌋ − ⌊ts(u_i)⌋ < M for all i < n. We
deduce that d_tsm(u_i, u_{i+1}) = ⌊ts(u_{i+1})⌋ − ⌊ts(u_i)⌋. Hence, from the definition of d⁺_tsm, we
have d⁺_tsm(u_i, u_j) = min{M, ⌊ts(u_j)⌋ − ⌊ts(u_i)⌋} for i ≤ j, and d_tsm(u_i, u_j) = d⁺_tsm(u_i, u_j) if
and only if d⁺_tsm(u_i, u_j) < M. Moreover, if (u_i, u_j) is tsm-big, there exist integers k and ℓ
such that i ≤ k < ℓ ≤ j and d_tsm(u_i, u_k) + d_tsm(u_k, u_ℓ) ≥ M. Hence ⌊ts(u_j)⌋ ≥ ⌊ts(u_ℓ)⌋ ≥
⌊ts(u_k)⌋ + d_tsm(u_k, u_ℓ) ≥ ⌊ts(u_i)⌋ + d_tsm(u_i, u_k) + d_tsm(u_k, u_ℓ) ≥ ⌊ts(u_i)⌋ + M, and thus we
have d⁺_tsm(u_i, u_j) = M.
Conversely, if d⁺_tsm(u_i, u_j) = M, then ⌊ts(u_j)⌋ ≥ ⌊ts(u_i)⌋ + M. Then, let k be the smallest
integer such that k ≥ i and ⌊ts(u_k)⌋ ≥ ⌊ts(u_i)⌋ + M. We must have k > i. It follows that
⌊ts(u_{k−1})⌋ < ⌊ts(u_i)⌋ + M, and therefore that ⌊ts(u_{k−1})⌋ − ⌊ts(u_i)⌋ = d_tsm(u_i, u_{k−1}). Since
ts is slowly monotone, we also have ⌊ts(u_k)⌋ < ⌊ts(u_{k−1})⌋ + M, and therefore ⌊ts(u_k)⌋ −
⌊ts(u_{k−1})⌋ = d_tsm(u_{k−1}, u_k). This shows that d_tsm(u_i, u_{k−1}) + d_tsm(u_{k−1}, u_k) = ⌊ts(u_k)⌋ −
⌊ts(u_i)⌋ ≥ M, and thus that (u_i, u_j) is tsm-big, which completes the proof. J
Given that $|\alpha| < M$ for all edges $e = (u,\lhd,\alpha,v) \in E$, Claim 7 provides us with the following alternative characterization of weak satisfiability.

▶ Lemma 8. A time-stamping modulo $M$ tsm weakly satisfies the graph $G = (V,E)$ if and only if $d^+_{\mathsf{tsm}}(u,v) \le \alpha$ for all $(u,\lhd,\alpha,v) \in E$.

Proof. Let $(u,\lhd,\alpha,v) \in E$ with $u \preceq v$. If $(u,v)$ is not tsm-big and $d_{\mathsf{tsm}}(u,v) \le \alpha$, then $d^+_{\mathsf{tsm}}(u,v) = d_{\mathsf{tsm}}(u,v) \le \alpha$. Conversely, if $d^+_{\mathsf{tsm}}(u,v) \le \alpha$, since $\alpha < M$ we deduce that $(u,v)$ is not tsm-big and $d_{\mathsf{tsm}}(u,v) = d^+_{\mathsf{tsm}}(u,v) \le \alpha$.

Then, let $(u,\lhd,\alpha,v) \in E$ with $v \prec u$. If $(v,u)$ is tsm-big, then $d^+_{\mathsf{tsm}}(u,v) = -d^+_{\mathsf{tsm}}(v,u) = -M < \alpha$. Likewise, if $(v,u)$ is not tsm-big and $d_{\mathsf{tsm}}(v,u) \ge -\alpha$, then $d^+_{\mathsf{tsm}}(u,v) = -d^+_{\mathsf{tsm}}(v,u) = -d_{\mathsf{tsm}}(v,u) \le \alpha$. Conversely, if $d^+_{\mathsf{tsm}}(u,v) \le \alpha$, then either $d^+_{\mathsf{tsm}}(u,v) = -M$ and $(v,u)$ is tsm-big, or else $(v,u)$ is not tsm-big and $d_{\mathsf{tsm}}(v,u) = d^+_{\mathsf{tsm}}(v,u) = -d^+_{\mathsf{tsm}}(u,v) \ge -\alpha$. ◀
Now, we obtain one direction of the characterization, which works both for closed and open constraints.

▶ Lemma 9. If $G \in \mathcal{G}(\emptyset,\Gamma_M)$ is realizable, then there exists a time-stamping modulo $M$ that weakly satisfies $G$.

Proof. Lemma 5 proves that there exists a slowly monotone time-stamping ts that satisfies the constraints of $G$. We define $\mathsf{tsm}\colon V \to \mathbb{Z}_M$ by $\mathsf{tsm}(v) = \lfloor \mathsf{ts}(v)\rfloor \bmod M$, and we show below that tsm weakly satisfies $G$.

Let $(u,\lhd,\alpha,v) \in E$. By Lemma 8, it is enough to show that $d^+_{\mathsf{tsm}}(u,v) \le \alpha$. According to Claim 7, distinguishing the cases $u \preceq v$ and $v \prec u$, we easily get $d^+_{\mathsf{tsm}}(u,v) \le \lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor$ or $d^+_{\mathsf{tsm}}(u,v) = -M$. In the first case, it follows that $d^+_{\mathsf{tsm}}(u,v) \le \lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor \le \mathsf{ts}(v) - \lfloor \mathsf{ts}(u)\rfloor < \mathsf{ts}(v) - \mathsf{ts}(u) + 1 \le \alpha + 1$, and in the second case we also have $d^+_{\mathsf{tsm}}(u,v) = -M < \alpha + 1$. Hence, in both cases, $d^+_{\mathsf{tsm}}(u,v) < \alpha + 1$. Since $d^+_{\mathsf{tsm}}(u,v)$ and $\alpha$ are integers, this proves that $d^+_{\mathsf{tsm}}(u,v) \le \alpha$. ◀
The converse of the above lemma does not hold with mixed guards; this is handled in the next subsection. For closed guards, however, it yields the following characterization.

3.1.1 Characterizing realizability in closed graphs

▶ Lemma 10. A closed graph $G = (V,E)$ in $\mathcal{G}(\emptyset,\Gamma_M)$ is realizable iff there exists a time-stamping modulo $M$ that weakly satisfies $G$.

Proof. One direction is Lemma 9. Conversely, suppose that $\mathsf{tsm}\colon V \to \mathbb{Z}_M$ is a time-stamping modulo $M$ that weakly satisfies $G$. Then the map $\mathsf{ts}\colon V \to \mathbb{N}$ defined inductively by $\mathsf{ts}(u_1) = 0$ and $\mathsf{ts}(u_{i+1}) = \mathsf{ts}(u_i) + d_{\mathsf{tsm}}(u_i,u_{i+1})$ is a slowly monotone map, since $0 \le d_{\mathsf{tsm}}(u_i,u_{i+1}) < M$. Moreover, $\lfloor \mathsf{ts}(v)\rfloor \bmod M = (\mathsf{tsm}(v) - \mathsf{tsm}(u_1)) \bmod M$ for all $v$, and this uniform shift leaves $d_{\mathsf{tsm}}$ and $d^+_{\mathsf{tsm}}$ unchanged, so Claim 7 applies to ts and tsm.

Let $(u,\lhd,\alpha,v) \in E$. By Claim 7, distinguishing the cases $u \preceq v$ and $v \prec u$, we easily get $d^+_{\mathsf{tsm}}(u,v) \ge \lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor$ or $d^+_{\mathsf{tsm}}(u,v) = M$. Since tsm weakly satisfies $G$ (i.e., $d^+_{\mathsf{tsm}}(u,v) \le \alpha$) and $M > \alpha$, the second case is impossible. It follows that $\mathsf{ts}(v) - \mathsf{ts}(u) = \lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor \le d^+_{\mathsf{tsm}}(u,v) \le \alpha$, which shows that ts satisfies the (closed) constraints of $G$. ◀
It remains to encode the characterization of Lemma 10 in EQ-ICPDL to obtain the logical
definability of realizability for linear weighted graphs.
EQ-LCPDL characterization. We use existential quantification over atomic propositions $p_0,\dots,p_{M-1}$ to guess the time-stamping modulo $M$. Intuitively, a node satisfies $p_i$ iff its tsm value is $i$. So we define the formula $\exists p_0,\dots,p_{M-1}\ \mathsf{Partition} \wedge \mathsf{Forward} \wedge \mathsf{Backward}$, where the auxiliary formulae are defined in Figure 6. The formula Partition states that every vertex satisfies exactly one $p_i$ ($0 \le i < M$).

For $0 \le i,j < M$, let $\delta_M(i,j) = (j - i) \bmod M$. We use a path formula to characterize pairs of vertices that are tsm-big: a pair $(u,v)$ is tsm-big iff we can go from node $u$ to node $v$ following the path formula BigPath.

Since negation is not allowed at the level of path formulae, we provide another formula, SmallPath, to express that a pair $(u,v)$ of vertices is not tsm-big. There are two cases, depending on whether $\mathsf{tsm}(u) \le \mathsf{tsm}(v)$ or not. In both cases, $(u,v) \models \mathsf{SmallPath}_{i,j}$ iff $u \preceq v$, $(u,v)$ is not tsm-big, $i = \mathsf{tsm}(u)$ and $j = \mathsf{tsm}(v)$.

Formulae Forward and Backward respectively state the two conditions in Definition 6. The constraint on forward edges is stated using the loop operator of LCPDL. By excluding the existence of a loop following the path $\mathsf{BigPath} \cdot (\xrightarrow{\le\alpha})^{-1}$ we make sure that forward edges $(u,v) \in E_{\le\alpha}$ are not tsm-big. Now, to ensure that forward edges $(u,\lhd,\alpha,v)$ satisfy $d_{\mathsf{tsm}}(u,v) \le \alpha$, we exclude the existence of a path violating this property, i.e., a loop following $\mathsf{test}\{p_i\} \cdot \xrightarrow{\le\alpha} \cdot \mathsf{test}\{p_j\} \cdot (\to^{-1})^+$ with $\delta_M(i,j) > \alpha$.

Figure 6 LCPDL for realizability of linear closed graphs:
$$\mathsf{Partition} = \mathsf{A}\bigvee_{0 \le i < M}\Big[p_i \wedge \bigwedge_{j \ne i} \neg p_j\Big]$$
$$\mathsf{BigPath} = \sum_{\substack{0 \le i,j,k < M\\ \delta_M(i,j) + \delta_M(j,k) \ge M}} \mathsf{test}\{p_i\} \cdot \to^{+} \cdot \mathsf{test}\{p_j\} \cdot \to^{+} \cdot \mathsf{test}\{p_k\} \cdot \to^{*}$$
$$\mathsf{SmallPath}_{i,j} = \mathsf{test}\{p_i\} \cdot \Big(\sum_{i \le k \le \ell \le j} \mathsf{test}\{p_k\} \cdot \to \cdot\, \mathsf{test}\{p_\ell\}\Big)^{*} \cdot \mathsf{test}\{p_j\} \qquad \text{if } i \le j$$
$$\mathsf{SmallPath}_{i,j} = \sum_{0 \le \ell \le j < i \le k < M} \mathsf{SmallPath}_{i,k} \cdot \to \cdot\, \mathsf{SmallPath}_{\ell,j} \qquad \text{if } j < i$$
$$\mathsf{Forward} = \neg\mathsf{E}\bigvee_{-M < \alpha < M} \mathsf{loop}\big(\mathsf{BigPath} \cdot (\xrightarrow{\le\alpha})^{-1}\big) \ \wedge\ \neg\mathsf{E}\bigvee_{-M < \alpha < M}\ \bigvee_{\substack{0 \le i,j < M\\ \delta_M(i,j) > \alpha}} \mathsf{loop}\big(\mathsf{test}\{p_i\} \cdot \xrightarrow{\le\alpha} \cdot\, \mathsf{test}\{p_j\} \cdot (\to^{-1})^{+}\big)$$
$$\mathsf{Backward} = \neg\mathsf{E}\bigvee_{\substack{-M < \alpha < M\\ 0 \le i,j < M\\ \delta_M(i,j) < -\alpha}} \mathsf{loop}\big(\mathsf{SmallPath}_{i,j} \cdot \xrightarrow{\le\alpha}\big)$$

3.1.2 A characterization with mixed guards

The characterization above is not sufficient when some of the constraints are strict, i.e., $E$ contains edges of the form $(u,<,\alpha,v)$. It turns out that we need an additional condition to make sure that the fractional parts do not violate realizability.

▶ Definition 11. Given a graph $G = (V,E)$ and a time-stamping $\mathsf{tsm}\colon V \to \mathbb{Z}_M$ modulo $M$, we define two binary relations geqFr and gtFr on $V$:
$(u,v) \in \mathsf{geqFr}$ iff one of the following conditions holds:
1. $u \prec v$, $(u,v)$ is not tsm-big and $d_{\mathsf{tsm}}(u,v) = \alpha$ for some edge $(u,\lhd,\alpha,v) \in E$;
2. $v \prec u$, $(v,u)$ is not tsm-big and $d_{\mathsf{tsm}}(v,u) = -\alpha$ for some edge $(u,\lhd,\alpha,v) \in E$;
3. $v \prec\!\cdot\, u$ and $d_{\mathsf{tsm}}(u,v) = 0$.
$(u,v) \in \mathsf{gtFr}$ iff one of the following conditions holds:
1. $u \prec v$, $(u,v)$ is not tsm-big and $d_{\mathsf{tsm}}(u,v) = \alpha$ for some edge $(u,<,\alpha,v) \in E$;
2. $v \prec u$, $(v,u)$ is not tsm-big and $d_{\mathsf{tsm}}(v,u) = -\alpha$ for some edge $(u,<,\alpha,v) \in E$.
Notice that $\mathsf{gtFr} \subseteq \mathsf{geqFr}$. The idea is that these relations give the ordering between the fractional parts. Thus, $(u,v) \in \mathsf{geqFr}$ (resp. gtFr) means that the fractional part of $\mathsf{ts}(u)$ must be at least (resp. strictly greater than) the fractional part of $\mathsf{ts}(v)$. Once again, since $|\alpha| < M$ for all edges $(u,\lhd,\alpha,v) \in E$, Claim 7 provides an alternative characterization of the relations geqFr and gtFr.

▶ Lemma 12. Consider a graph $G = (V,E)$, a time-stamping $\mathsf{tsm}\colon V \to \mathbb{Z}_M$ modulo $M$ and a pair $(u,v)$ of vertices of $G$. Then,
$(u,v) \in \mathsf{geqFr}$ iff there exists an edge $(u,\lhd,\alpha,v) \in E$ such that $d^+_{\mathsf{tsm}}(u,v) = \alpha$, or $v \prec\!\cdot\, u$ and $d^+_{\mathsf{tsm}}(u,v) = 0$;
$(u,v) \in \mathsf{gtFr}$ iff there exists an edge $(u,<,\alpha,v) \in E$ such that $d^+_{\mathsf{tsm}}(u,v) = \alpha$.

▶ Lemma 13. Let $G = (V,E)$ be an $M$-weight-bounded graph with a linear order and mixed constraints. $G$ is realizable iff there exists a time-stamping modulo $M$ tsm such that (i) tsm weakly satisfies $G$ and (ii) there do not exist $u,v \in V$ such that $(u,v) \in \mathsf{gtFr}$ and $(v,u) \in \mathsf{geqFr}^*$, where $\mathsf{geqFr}^*$ is the reflexive transitive closure of geqFr.

Proof. In the forward direction, let $G$ be realizable. Let $\mathsf{ts}\colon V \to \mathbb{R}$ be a slowly monotone map that realizes $G$ (it exists by Lemma 5), and let tsm be the time-stamping modulo $M$ defined by $\mathsf{tsm}(v) = \lfloor \mathsf{ts}(v)\rfloor \bmod M$. Lemma 9 proves that tsm weakly satisfies $G$, i.e., (i) holds. We further claim that, if $(u,v) \in \mathsf{geqFr}$, then $\{\mathsf{ts}(u)\} \ge \{\mathsf{ts}(v)\}$, and that, if $(u,v) \in \mathsf{gtFr}$, then $\{\mathsf{ts}(u)\} > \{\mathsf{ts}(v)\}$, where $\{r\} = r - \lfloor r\rfloor$ denotes the fractional part. This claim gives (ii): a pair $(u,v) \in \mathsf{gtFr}$ with $(v,u) \in \mathsf{geqFr}^*$ would yield $\{\mathsf{ts}(u)\} > \{\mathsf{ts}(v)\} \ge \{\mathsf{ts}(u)\}$. The proof of the claim is as follows.

If $(u,v) \in \mathsf{geqFr}$ because $v \prec\!\cdot\, u$ and $d^+_{\mathsf{tsm}}(u,v) = 0$, then $\mathsf{ts}(v) \le \mathsf{ts}(u)$ and $0 = d^+_{\mathsf{tsm}}(u,v) = \max\{\lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor, -M\}$. Hence $\lfloor \mathsf{ts}(u)\rfloor = \lfloor \mathsf{ts}(v)\rfloor$, and therefore $\{\mathsf{ts}(v)\} \le \{\mathsf{ts}(u)\}$.

If $(u,v) \in \mathsf{geqFr}$ because there exists an edge $(u,\lhd,\alpha,v) \in E$ such that $d^+_{\mathsf{tsm}}(u,v) = \alpha$, then $-M < \alpha = d^+_{\mathsf{tsm}}(u,v) < M$, and Claim 7 proves that $\alpha = d^+_{\mathsf{tsm}}(u,v) = \lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor$. It follows that $\{\mathsf{ts}(v)\} = \mathsf{ts}(v) - \lfloor \mathsf{ts}(v)\rfloor \le \mathsf{ts}(u) + \alpha - \lfloor \mathsf{ts}(v)\rfloor = \mathsf{ts}(u) - \lfloor \mathsf{ts}(u)\rfloor = \{\mathsf{ts}(u)\}$.

If $(u,v) \in \mathsf{gtFr}$, the same argument with the strict constraint $\mathsf{ts}(v) - \mathsf{ts}(u) < \alpha$ proves that $\alpha = d^+_{\mathsf{tsm}}(u,v) = \lfloor \mathsf{ts}(v)\rfloor - \lfloor \mathsf{ts}(u)\rfloor$, and it follows that $\{\mathsf{ts}(v)\} = \mathsf{ts}(v) - \lfloor \mathsf{ts}(v)\rfloor < \mathsf{ts}(u) + \alpha - \lfloor \mathsf{ts}(v)\rfloor = \mathsf{ts}(u) - \lfloor \mathsf{ts}(u)\rfloor = \{\mathsf{ts}(u)\}$.

In the reverse direction, let $\mathsf{tsm}\colon V \to \mathbb{Z}_M$ be a time-stamping modulo $M$ that weakly satisfies $G$ and such that (ii) holds. As a direct consequence of (ii), every path in the graph $G_{\mathsf{geqFr}} = (V,\mathsf{geqFr})$ contains at most $|V|$ edges in gtFr: a path with more gtFr edges would contain two of them starting from the same vertex, so that one of them would lie on a cycle of $G_{\mathsf{geqFr}}$, contradicting (ii). Hence, for every vertex $v \in V$, we can define the integer $\mathsf{ts}_1(v)$ as the largest number of gtFr edges that a path of $G_{\mathsf{geqFr}}$ starting from $v$ may use; observe that $0 \le \mathsf{ts}_1(v) \le |V|$.

By construction, for every pair $(u,v) \in \mathsf{geqFr}$, we have $\mathsf{ts}_1(u) \ge \mathsf{ts}_1(v)$, and we even have $\mathsf{ts}_1(u) > \mathsf{ts}_1(v)$ if $(u,v) \in \mathsf{gtFr}$. Then, consider the map $\mathsf{ts}_0\colon V \to \mathbb{N}$ defined inductively by $\mathsf{ts}_0(u_1) = 0$ and $\mathsf{ts}_0(u_{i+1}) = \mathsf{ts}_0(u_i) + d_{\mathsf{tsm}}(u_i,u_{i+1})$. The proof of Lemma 10 shows that $\mathsf{ts}_0$ is a slowly monotone map and that $\mathsf{ts}_0(v) - \mathsf{ts}_0(u) \le d^+_{\mathsf{tsm}}(u,v) \le \alpha$ for all edges $(u,\lhd,\alpha,v) \in E$.

We now prove that the map $\mathsf{ts}\colon V \to \mathbb{R}$ defined by $\mathsf{ts}(v) = \mathsf{ts}_0(v) + \mathsf{ts}_1(v)/(|V|+1)$ is monotone. For all pairs $(u,v)$ with $u \prec\!\cdot\, v$:
if $(v,u) \in \mathsf{geqFr}$, then $\mathsf{ts}(v) = \mathsf{ts}_0(v) + \mathsf{ts}_1(v)/(|V|+1) \ge \mathsf{ts}_0(u) + \mathsf{ts}_1(u)/(|V|+1) = \mathsf{ts}(u)$, because $\mathsf{ts}_0(v) \ge \mathsf{ts}_0(u)$ and $\mathsf{ts}_1(v) \ge \mathsf{ts}_1(u)$;
if $(v,u) \notin \mathsf{geqFr}$, then $d^+_{\mathsf{tsm}}(v,u) \ne 0$, hence $d^+_{\mathsf{tsm}}(u,v) = d_{\mathsf{tsm}}(u,v) \ge 1$, which proves that $\mathsf{ts}(v) \ge \mathsf{ts}_0(v) = \mathsf{ts}_0(u) + d_{\mathsf{tsm}}(u,v) \ge \mathsf{ts}_0(u) + 1 > \mathsf{ts}_0(u) + \mathsf{ts}_1(u)/(|V|+1) = \mathsf{ts}(u)$.

Then, we prove that ts satisfies the constraints of $G$. For every edge $(u,\lhd,\alpha,v) \in E$:
if $d^+_{\mathsf{tsm}}(u,v) = \alpha$, then $(u,v) \in \mathsf{geqFr}$, and therefore $\mathsf{ts}_1(v) \le \mathsf{ts}_1(u)$; it follows that $\mathsf{ts}(v) = \mathsf{ts}_0(v) + \mathsf{ts}_1(v)/(|V|+1) \le \mathsf{ts}_0(u) + \alpha + \mathsf{ts}_1(u)/(|V|+1) = \mathsf{ts}(u) + \alpha$;
if $d^+_{\mathsf{tsm}}(u,v) = \alpha$ and, furthermore, $\lhd$ is $<$, then $(u,v) \in \mathsf{gtFr}$, hence $\mathsf{ts}_1(v) < \mathsf{ts}_1(u)$; it follows that $\mathsf{ts}(v) = \mathsf{ts}_0(v) + \mathsf{ts}_1(v)/(|V|+1) < \mathsf{ts}_0(u) + \alpha + \mathsf{ts}_1(u)/(|V|+1) = \mathsf{ts}(u) + \alpha$;
if $d^+_{\mathsf{tsm}}(u,v) \ne \alpha$, then $d^+_{\mathsf{tsm}}(u,v) \le \alpha - 1$, since tsm weakly satisfies $G$; it follows that $\mathsf{ts}(v) = \mathsf{ts}_0(v) + \mathsf{ts}_1(v)/(|V|+1) < \mathsf{ts}_0(v) + 1 \le \mathsf{ts}_0(u) + (\alpha - 1) + 1 \le \mathsf{ts}(u) + \alpha$.
Consequently, in all cases, we have $\mathsf{ts}(v) - \mathsf{ts}(u) \lhd \alpha$, which completes the proof. ◀

EQ-ICPDL characterization. As before, we use existentially quantified propositional variables $p_0,\dots,p_{M-1}$ to guess the tsm values. To state weak realizability, we use the formula $\mathsf{WRealizable} = \mathsf{Partition} \wedge \mathsf{Forward} \wedge \mathsf{Backward}$, where the subformulae have been defined in Figure 6. In addition, we have to check the absence of a cycle among the fractional parts which contains at least one strict inequality and otherwise possibly non-strict inequalities. By Lemma 13, this suffices to ensure realizability. To capture the ordering among the fractional parts, we use two EQ-ICPDL path formulae, gtFr and geqFr, respectively for the strict and non-strict parts, formally defined in Figure 7. The EQ-ICPDL formula Realizable is then
$$\exists p_0,\dots,p_{M-1}\ \ \mathsf{WRealizable} \wedge \neg\mathsf{E}\,\mathsf{loop}(\mathsf{gtFr} \cdot \mathsf{geqFr}^{*})$$
The intersection width of gtFr and geqFr is 2. Hence, the intersection width of Realizable is also 2. This completes the proof of Theorem 4.
Figure 7 ICPDL formulae for capturing strict guards ($\alpha$ ranges over $-M < \alpha < M$, as in Figure 6):
$$\mathsf{geqFr} = \sum_{-M < \alpha < M} \Big[\big(\xrightarrow{\le\alpha} + \xrightarrow{<\alpha}\big) \cap \Big(\sum_{\substack{0 \le i,j < M\\ \delta_M(i,j) = \alpha}} \mathsf{SmallPath}_{i,j} + \sum_{\substack{0 \le i,j < M\\ \delta_M(j,i) = -\alpha}} \mathsf{SmallPath}_{j,i}^{-1}\Big)\Big] + \sum_{i < M} \mathsf{test}\{p_i\} \cdot \to^{-1} \cdot\, \mathsf{test}\{p_i\}$$
$$\mathsf{gtFr} = \sum_{-M < \alpha < M} \Big[\xrightarrow{<\alpha} \cap \Big(\sum_{\substack{0 \le i,j < M\\ \delta_M(i,j) = \alpha}} \mathsf{SmallPath}_{i,j} + \sum_{\substack{0 \le i,j < M\\ \delta_M(j,i) = -\alpha}} \mathsf{SmallPath}_{j,i}^{-1}\Big)\Big]$$
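Lemma 13 is effectively a decision procedure once the guess of tsm is made explicit, which is exactly what the existential quantification over $p_0,\dots,p_{M-1}$ does. The following Python is an added example (this editor's code, not the paper's): it enumerates $\mathsf{tsm} \in \mathbb{Z}_M^V$ for a small linear weighted graph, checks (i) through Lemma 8 and (ii) through Lemma 12, and builds the witness $\mathsf{ts} = \mathsf{ts}_0 + \mathsf{ts}_1/(|V|+1)$ from the proof. Brute-force enumeration is exponential and only serves to illustrate the characterization on tiny inputs; edges are encoded as `(u, op, alpha, v)` meaning $\mathsf{ts}(v) - \mathsf{ts}(u)$ `op` $\alpha$ with `op` in `"<"`, `"<="`, and the sample graphs are constructed here.

```python
from fractions import Fraction
from itertools import product

# Vertices are 1..n in the linear order; an edge (u, op, alpha, v) with op in
# {"<", "<="} reads ts(v) - ts(u) op alpha.  tsm is a dict vertex -> Z_M value.

def d_plus(tsm, M, u, v):
    """d+_tsm(u, v): sum of consecutive gaps d_tsm(u_k, u_{k+1}) capped at M,
    extended antisymmetrically when v lies before u."""
    if u > v:
        return -d_plus(tsm, M, v, u)
    total = sum((tsm[k + 1] - tsm[k]) % M for k in range(u, v))
    return min(M, total)

def weakly_satisfies(tsm, M, edges):
    """Lemma 8: tsm weakly satisfies G iff d+_tsm(u, v) <= alpha on every edge."""
    return all(d_plus(tsm, M, u, v) <= a for (u, _, a, v) in edges)

def frac_relations(tsm, M, n, edges):
    """Lemma 12: the relations geqFr and gtFr computed from d+_tsm."""
    geq, gt = set(), set()
    for (u, op, a, v) in edges:
        if d_plus(tsm, M, u, v) == a:
            geq.add((u, v))
            if op == "<":
                gt.add((u, v))
    for v in range(1, n):                       # v immediately precedes u = v + 1
        if d_plus(tsm, M, v + 1, v) == 0:
            geq.add((v + 1, v))
    return geq, gt

def reachable(rel, src):
    """Reflexive-transitive closure of rel, seen from src."""
    seen, todo = {src}, [src]
    while todo:
        x = todo.pop()
        for (a, b) in rel:
            if a == x and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def witness(tsm, M, n, geq, gt):
    """The time-stamping ts = ts0 + ts1/(n+1) built in the proof of Lemma 13."""
    ts0 = {1: 0}
    for i in range(1, n):
        ts0[i + 1] = ts0[i] + (tsm[i + 1] - tsm[i]) % M
    # ts1(v) = max number of gtFr edges on a geqFr-path from v; cycles of geqFr
    # carry no gtFr edge (condition (ii)), so n rounds of relaxation suffice.
    ts1 = {v: 0 for v in range(1, n + 1)}
    for _ in range(n):
        for (a, b) in geq:
            ts1[a] = max(ts1[a], ts1[b] + (1 if (a, b) in gt else 0))
    return {v: ts0[v] + Fraction(ts1[v], n + 1) for v in range(1, n + 1)}

def satisfies(ts, n, edges):
    """Direct check: ts is monotone and meets every (possibly strict) constraint."""
    mono = all(ts[i] <= ts[i + 1] for i in range(1, n))
    ok = all((ts[v] - ts[u] < a) if op == "<" else (ts[v] - ts[u] <= a)
             for (u, op, a, v) in edges)
    return mono and ok

def realizable(n, edges):
    """Lemma 13 as a decision procedure: guess tsm in Z_M^V (the role of the
    quantified p_0..p_{M-1}), check (i) and (ii).  Returns (tsm, ts) or None."""
    M = max([abs(a) for (_, _, a, _) in edges] + [0]) + 1   # |alpha| < M
    for values in product(range(M), repeat=n):
        tsm = dict(zip(range(1, n + 1), values))
        if not weakly_satisfies(tsm, M, edges):
            continue
        geq, gt = frac_relations(tsm, M, n, edges)
        if any(u in reachable(geq, v) for (u, v) in gt):
            continue          # (u,v) in gtFr and (v,u) in geqFr*: strict cycle
        return tsm, witness(tsm, M, n, geq, gt)
    return None

# Constructed samples.  ts(1) < ts(2) < ts(3) <= ts(1) + 1 needs fractional parts:
MIXED_OK = [(2, "<", 0, 1), (3, "<", 0, 2), (1, "<=", 1, 3)]
# ts(3) <= ts(1) < ts(2) < ts(3): every tsm weakly satisfies it, yet unrealizable:
MIXED_BAD = [(2, "<", 0, 1), (3, "<", 0, 2), (1, "<=", 0, 3)]
```

`MIXED_BAD` is the situation Section 3.1.2 is about: with $M = 1$ the only tsm is the all-zero map, it weakly satisfies every edge, and only condition (ii) rejects it because $(2,1) \in \mathsf{gtFr}$ while $1 \to 3 \to 2$ is a geqFr path.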
3.2 Realizability is beyond logical definability in general
Above, we have seen the EQ-ICPDL definability of realizability for linear weighted graphs. In
the absence of a linear order, we now show that this is no longer true, even if one uses the
strictly more expressive MSO logic (an easy example is the property of connectivity which
separates EQ-ICPDL from MSO).
We start by defining MSO interpretations, which will be used to formalize the arguments
below.
I Definition 14. An MSO interpretation [20] is a partial function that constructs for a given
family of input structures, a new family of output structures as specified by a number of
MSO formulae. The universe of the output structure is determined in terms of the universe
of the input structure as specified by some MSO formula. Each predicate R(x1, . . . , xk) in
the output structure is determined using an MSO formula ψR(x1, . . . , xk) over the input
structure. More precisely, a deterministic MSO interpretation τ : S → T is given by (i) an
MSO sentence ϕdom which determines which input structures S ∈ S are in the domain of τ ,
(ii) an MSO formula ϕ(x) over the signature of S, with one free variable x, which determines
the universe of τ(S) for each S ∈ dom(τ), (iii) for each predicate R of arity k of the output
signature, a formula ψR(x1, . . . , xk) over the signature of S, with k free first order variables
x1, . . . , xk, which determines R in τ(S) as the set of tuples (x1, . . . , xk) from the universe of
τ(S) which satisfy ψR.
For ease of understanding, we give here an example that illustrates MSO interpretations.

▶ Example 15. Consider as input the family of word structures over the alphabet $\{a,b\}$ with binary relation $S$ (successor) that satisfy the formula $\varphi_{\mathrm{dom}} = \mathit{is\_word} \wedge \psi$, where $\mathit{is\_word}$ is an MSO sentence stating that $S$ is the successor relation of a total order and that each vertex is labeled either $a$ ($\mathit{lab}_a$) or $b$ ($\mathit{lab}_b$). The formula $\psi$ is given by
$$\exists x.[\mathit{first}(x) \wedge \mathit{lab}_a(x)]\ \wedge\ \exists x.[\mathit{last}(x) \wedge \mathit{lab}_b(x)]\ \wedge\ \forall x\,\forall y\,[\mathit{lab}_b(x) \wedge S(x,y) \Rightarrow \mathit{lab}_b(y)]$$
where $\mathit{first}(x) = \neg\exists z\, S(z,x)$ and $\mathit{last}(x) = \neg\exists z\, S(x,z)$.

Clearly, the input consists of the words in $a^+b^+$. Consider the MSO interpretation with formulae $\varphi(u) = \mathit{true}$, which asserts that the universe is unchanged, $\psi_{\mathit{lab}_a}(u) = \mathit{lab}_a(u)$ and $\psi_{\mathit{lab}_b}(u) = \mathit{lab}_b(u)$, which preserve the labeling of positions as in the input word, and $\psi_S(u,v) = S(v,u)$, which reverses the successor edges. Thus, an input word $a^k b^j$ results in $b^j a^k$ after interpretation.
Next, we recall the backwards translation theorem [20], which is used in the proof of Theorem 17.

▶ Theorem 16 (Backwards Translation Theorem, [20]). Let $L \subseteq \mathcal{G}_2$ be definable in MSO and let $\theta\colon \mathcal{G}_1 \to \mathcal{G}_2$ be an MSO interpretation. Then the set $\theta^{-1}(L) = \{G \in \mathcal{G}_1 : \theta(G) \cap L \ne \emptyset\}$ is definable in MSO.

Figure 8 The MSO interpretation that interprets words $a^n b^m$ as realizable weighted graphs iff $n \ge m$. The figure shows the two input words $aaabbb$ ($n = m = 3$) and $aabbbb$ ($n = 2$, $m = 4$) together with the weighted graphs they are mapped to: consecutive $a$-positions are joined by edges labeled $\le 1$, consecutive $b$-positions by edges labeled $\le -1$, and two edges labeled $\le 0$ (from the last $a$ to the first $b$, and from the last position back to the first) close the cycle.
▶ Theorem 17. The property of realizability is not definable in MSO for weighted graphs without the linear order.

Proof. We prove the result by contradiction using MSO interpretations. Let us consider the word structures defined by the formula $\varphi_{\mathrm{dom}}$ in Example 15. We define the MSO interpretation $\theta$ that takes as input the above family of word structures and constructs a family of weighted graph structures as output. The following MSO formulae complete the interpretation. The predicates $E_{\bowtie\beta}$ in the output structure are determined by formulae $\psi_{E_{\bowtie\beta}}$ over the signature of the input word structure.
1. $\varphi(u) = \mathit{true}$. This ensures that all nodes of the input word are also nodes of the output graph.
2. $\psi_{E_{\le 1}}(u,v) = S(u,v) \wedge \mathit{lab}_a(u) \wedge \mathit{lab}_a(v)$
3. $\psi_{E_{\le -1}}(u,v) = S(u,v) \wedge \mathit{lab}_b(u) \wedge \mathit{lab}_b(v)$
4. $\psi_{E_{\le 0}}(u,v) = [S(u,v) \wedge \mathit{lab}_a(u) \wedge \mathit{lab}_b(v)] \vee [\mathit{last}(u) \wedge \mathit{first}(v)]$
5. $\varphi_{\prec\cdot}(u,v) = [S(u,v) \wedge \mathit{lab}_a(u) \wedge \mathit{lab}_a(v)] \vee [S(v,u) \wedge \mathit{lab}_b(u) \wedge \mathit{lab}_b(v)]$
Figure 8 illustrates this interpretation by giving two input words and the respective weighted graphs obtained. Starting from a word $a^n b^m$, the graph consists of a single cycle through all positions whose weights sum to $(n-1) \cdot 1 + 0 + (m-1) \cdot (-1) + 0 = n - m$. Hence the resulting graph is realizable if $n \ge m$, and otherwise it is not, since the cycle is negative.

If we consider $L \subseteq \mathcal{G}$ to be the set of realizable graphs, and assume that $L$ is definable in MSO, then by the Backwards Translation Theorem we obtain that $\theta^{-1}(L) = \{a^n b^m : n \ge m\}$ is a language definable in MSO, which we know is not the case. Hence, realizability is not an MSO-definable property of weighted graphs. Notice that, by the formula $\varphi_{\prec\cdot}(u,v)$, the weighted graphs constructed are not linear but are covered by two chains. ◀
4 Analyzing timed systems with data structures
In this section, we develop a generic technique to analyze timed systems with auxiliary data
structures. We start with untimed systems with data structures.
4.1 Capturing data structure operations as graphs

Figure 9 A valid sequence $\sigma = \mathsf{nop}\ w(d_1)\ w(d_2)\ w(d_2)\ r(d_1)\ w(d_1)\ r(d_2)\ w(d_1)\ r(d_2)\ r(d_1)\ \mathsf{nop}\ r(d_1)$ of operations from a system having two data structures (a stack $d_1$ and a queue $d_2$), with its graph $G_\sigma$: node $i$ is labeled $\{\sigma_i\}$, consecutive nodes are joined by successor edges, and each read is joined to its matching write by an edge labeled $d_1$ (three edges) or $d_2$ (two edges).
Let us fix a finite set of data structures DS. Each data structure d ∈ DS can be operated
via two instructions, either a write that writes to the data structure, denoted w(d), or a read
instruction that reads from the data structure, denoted r(d). The set of instructions from
DS is denoted ΣDS = {r(d), w(d) : d ∈ DS} ∪ {nop}, where nop is a special operation that
does not access the data-structures. For simplicity and ease of exposition, we restrict each
d ∈ DS to be a stack or a queue. However, the approach described here can be adapted to
other structures (such as bags) with minor modifications. When d ∈ DS is a stack, r(d) is
the pop operation and w(d) is the push operation on stack d. Similarly, if d is a queue, r(d)
is the dequeue operation, while w(d) is the enqueue operation on queue d.
A sequence of operations from ΣDS abstracts a run of a system with these data structures.
We can then define the system as a generator of (possibly infinitely many) sequences of
operations. The mechanism for generating this sequence of operations can be some machine
(an automaton), or can be specified by regular expressions. We do not dwell on this detail
here, and instead define a system S with data structures as a regular language of sequences of
operations over ΣDS. Without loss of generality, we assume that all sequences will start with
nop. It is easy to see that standard models such as (multi)pushdown automata, (multi)queue
automata, multiset automata and so on generate regular languages of sequences of such
operations.
A sequence σ of operations over ΣDS is said to be valid if, for every prefix σ′ of σ and for
every data structure d ∈ DS, the number of reads r(d) in σ′ is at most the number of writes
w(d) in σ′, and the number of reads and writes in σ are equal. For a system S, we are only
interested in valid sequences generated by S, and we denote this set by L(S). For instance,
a valid behavior of a pushdown system cannot read/pop from a stack before writing/pushing
to it. Let ΓDS = DS ∪ {succ}. We associate, to any valid sequence σ of operations over ΣDS,
a (ΣDS,ΓDS) linear graph Gσ.
▶ Definition 18. Let $\sigma = \sigma_1 \dots \sigma_n$ be a valid sequence of operations over $\Sigma_{\mathsf{DS}}$. We define its $(\Sigma_{\mathsf{DS}},\Gamma_{\mathsf{DS}})$-graph as $G_\sigma = (V,E,\lambda)$, where $V = \{1,\dots,n\}$ and
1. for $1 \le i \le n$, $\lambda(i) = \{\sigma_i\}$, and, for $1 \le i < n$, $i \xrightarrow{\mathsf{succ}} i+1$;
2. $\sigma_i = w(d)$ (resp. $r(d)$) iff there is an outgoing (resp. incoming) edge in $E$ labeled $d$ from (resp. to) $i$;
3. for each stack (resp. queue) $d$, the edges labeled $d$ satisfy the LIFO (resp. FIFO) property.
As an example, let σ be a sequence of operations from DS = {d1, d2}, where d1 is a stack
and d2 is a queue. The graph Gσ corresponding to σ is depicted in Figure 9, where the node
labels are exactly the singleton sets of operations w(d) and r(d), for d ∈ {d1, d2}. We remark
that this graph depends crucially on the interpretation of the data structure, as a stack or a
queue. Notice that the edges labeled d1 respect the stack discipline (well-nesting), while the
edges labeled d2 respect FIFO. For a fixed DS, we assume the interpretation of each data
structure to be fixed and simply write Gσ.
Given a $(\Sigma,\Gamma_{\mathsf{DS}})$-graph $G = (V,E,\lambda)$, we define its projection $\pi(G)$ as the $(\emptyset,\Gamma_{\mathsf{DS}})$-graph obtained by removing the node labels: $\pi(G) = (V,E)$.
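As an added example (not part of the paper), the following Python builds $G_\sigma$ of Definition 18 for the sequence of Figure 9: it checks validity, then matches each read to its write, LIFO for stacks and FIFO for queues, which is the only place where the interpretation of a data structure matters. The textual operation syntax (`"w(d1)"`, `"r(d2)"`, `"nop"`) and the function names are this example's own choices.

```python
from collections import deque

# DS = {d1: stack, d2: queue} and the sequence of Figure 9 (constructed input).
KINDS = {"d1": "stack", "d2": "queue"}
SIGMA = ["nop", "w(d1)", "w(d2)", "w(d2)", "r(d1)", "w(d1)", "r(d2)",
         "w(d1)", "r(d2)", "r(d1)", "nop", "r(d1)"]

def parse(op):
    """'w(d1)' -> ('w', 'd1'); 'r(d2)' -> ('r', 'd2'); 'nop' -> ('nop', None)."""
    if op == "nop":
        return "nop", None
    return op[0], op[2:-1]

def is_valid(sigma, kinds):
    """A sequence is valid iff no prefix reads more than it wrote from any d,
    and the total numbers of reads and writes on each d agree."""
    pending = {d: 0 for d in kinds}
    for op in sigma:
        kind, d = parse(op)
        if kind == "w":
            pending[d] += 1
        elif kind == "r":
            if pending[d] == 0:
                return False            # read before the matching write
            pending[d] -= 1
    return all(c == 0 for c in pending.values())

def graph_of(sigma, kinds):
    """Definition 18: nodes 1..n with singleton labels, succ edges i -> i+1, and
    one d-labeled edge write -> read per read, matched LIFO (stack) or FIFO
    (queue).  Returns (labels, succ_edges, ds_edges) with ds_edges as (j, d, i)."""
    if not is_valid(sigma, kinds):
        raise ValueError("not a valid sequence of operations")
    buffers = {d: deque() for d in kinds}   # positions of writes not yet read
    ds_edges = []
    for i, op in enumerate(sigma, start=1):
        kind, d = parse(op)
        if kind == "w":
            buffers[d].append(i)
        elif kind == "r":
            j = buffers[d].pop() if kinds[d] == "stack" else buffers[d].popleft()
            ds_edges.append((j, d, i))
    labels = {i: {op} for i, op in enumerate(sigma, start=1)}
    succ = [(i, i + 1) for i in range(1, len(sigma))]
    return labels, succ, ds_edges
```

Running `graph_of(SIGMA, KINDS)` yields the five data-structure edges of Figure 9: $2 \to 5$, $8 \to 10$, $6 \to 12$ for the stack $d_1$ (well-nested) and $3 \to 7$, $4 \to 9$ for the queue $d_2$ (FIFO); declaring $d_1$ a queue instead changes its edges to $2 \to 5$, $6 \to 10$, $8 \to 12$, which is the dependence on the interpretation that the text points out.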
Figure 10 A labeled linear graph $G_\tau$ obtained from a sequence of instructions $\tau$ from $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$, with $\mathsf{Clocks} = \{x,y\}$ and a single data structure $d$ which behaves as a queue (the $d$-edges are $2 \to 5$, $4 \to 8$ and $7 \to 10$). For readability, the nodes are numbered and their instruction sets are listed below.
node 1: $\mathsf{nop}$, $x := 0$, $y := 0$
node 2: $w(d)$, $x = 0$
node 3: $\mathsf{nop}$, $y := 0$
node 4: $w(d)$, $y \le 1$
node 5: $r(d)$, $2 < d - y$
node 6: $\mathsf{nop}$, $x := 0$
node 7: $w(d)$
node 8: $r(d)$, $4 < d \le 5$, $2 \le x$
node 9: $\mathsf{nop}$, $y - x < 6$
node 10: $r(d)$, $x - d < 3$

Figure 11 The weighted graph $\mathcal{G}_\tau$ corresponding to the sequence of instructions $\tau$ (from Figure 10). Besides the successor edges $1 \to 2 \to \cdots \to 10$, its weighted edges, written $(u,\lhd,\alpha,v)$ for $\mathsf{ts}(v) - \mathsf{ts}(u) \lhd \alpha$, are: $(1,\le,0,2)$ and $(2,\le,0,1)$ from $x = 0$ at node 2; $(3,\le,1,4)$ from $y \le 1$ at node 4; $(3,<,-2,2)$ from $2 < d - y$ at node 5; $(4,\le,5,8)$ and $(8,<,-4,4)$ from $4 < d \le 5$ at node 8; $(8,\le,-2,6)$ from $2 \le x$ at node 8; $(3,<,6,6)$ from $y - x < 6$ at node 9; and $(6,<,3,7)$ from $x - d < 3$ at node 10.
▶ Theorem 19 ([10]). Let $S$ be a system with data structures from DS. We can construct an $\mathrm{EQ\text{-}LCPDL}(\emptyset,\Gamma_{\mathsf{DS}})$ formula $\psi_S$ such that, for all $(\emptyset,\Gamma_{\mathsf{DS}})$-graphs $G$, $G \models \psi_S$ iff $G = \pi(G_\sigma)$ for some $\sigma \in L(S)$.
The classical non-emptiness problem for a system S with data structures can be formulated
as whether L(S) 6= ∅.
I Corollary 20. For system S, ψS is satisfiable iff L(S) 6= ∅.
This corollary, along with Theorem 2, and using known bounds on tree-width, provides
a “uniform” proof for the decidability of checking non-emptiness for a variety of untimed
systems including (multi)pushdown and (multi)queue systems with bounded contexts, scope,
or phases in a sequential setting. In many cases, the complexity obtained matches the best
known bounds. We extend this approach uniformly to timed systems, using the realizability
proof of Section 3.
4.2 Combining timing and data structures
While combining time constraints and data structures, we cannot directly rely on the formula
for realizability from Section 3 in the approach outlined above. The vocabulary of graphs
obtained from systems having time constraints and data structures might differ from the
(weighted) (∅,ΓM )-graphs of Section 3 and the (unweighted) (Σ,ΓDS)-graphs above, where
Σ = ∅ or Σ = ΣDS. The crucial observation is that, for a large class of timing constraints
and data structures that we are interested in, it turns out that the former weighted graphs
can be interpreted in the latter unweighted graphs, paving the way to extend the approach
for systems having both time constraints and data structures. We now detail this intuition.
4.2.1 Timing instructions
In a timed system with data structures, the sequence of instructions generated by the
system includes (i) checking time constraints on clocks (encoded as operations on clocks), (ii)
checking time constraints on data structures, and (iii) mixing operations on clocks and data
structures. Recall that we already have a fixed set of data structures DS consisting of stacks
and queues. To be concrete, we also fix a representative set of timing features.
We fix a finite set Clocks of real-valued "clock" variables and a maximal constant $M \in \mathbb{N}$. We also fix notations $\bowtie \in \{\le,<,=,>,\ge\}$, $\beta \in [0,M) \cap \mathbb{N}$, and use letters $x, y, x_1, \dots$ for clock variables. Atomic timing instructions are as follows:
1. for $x \in \mathsf{Clocks}$, $x := 0$ represents a clock reset, while $x \bowtie \beta$ represents a guard or clock constraint;
2. for $d \in \mathsf{DS}$, $d \bowtie \beta$ represents an age constraint checking the "age" of the message read;
3. for $d \in \mathsf{DS}$ and $x, y \in \mathsf{Clocks}$, $(x - y) \bowtie \beta$, $(d - x) \bowtie \beta$ and $(x - d) \bowtie \beta$ represent diagonal constraints. The latter two mix clock variables and data structures.
Thus, we define a set of instructions $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$ which contains $\Sigma_{\mathsf{DS}}$ together with the atomic timing instructions described above. Without loss of generality, we only consider sequences of instruction sets (also called sequences of instructions for simplicity) over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$ starting with the set $\{\mathsf{nop}\} \cup \{x := 0 : x \in \mathsf{Clocks}\}$, i.e., which reset all clocks at start-up. A sequence $\tau$ of such instructions is shown in Figure 10. We associate to every such sequence $\tau$ a sequence of untimed instructions $\sigma_\tau$, obtained by ignoring the atomic timing instructions. Now we say that $\tau$ is valid if $\sigma_\tau$ is valid. Then, for every valid $\tau$, we can immediately associate a $(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$-labeled linear graph $G_\tau$ by considering $G_{\sigma_\tau}$ and enriching its node labels with the timing instructions.
We define a timed system with data structures $T$ as a regular language of sequences of instructions over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$. It is easy to see that classical models, such as timed automata, (multi-stack) timed pushdown automata or timed automata with gap order constraints, can be modeled in this formalism. The set of valid sequences generated by $T$ is denoted $L(T)$. Now, a valid sequence of instructions $\tau = \tau_1 \dots \tau_n$ over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$ is said to be timed feasible, or just feasible, if there exists a non-decreasing time-stamping $\mathsf{ts}\colon \{1,\dots,n\} \to \mathbb{R}_{\ge 0}$ such that all timing constraints engendered by the timing instructions are satisfied. That is, for $\bowtie \in \{\le,<,=,>,\ge\}$ and $\beta \in \mathbb{N}$:
(C1) For every guard of the form $x \bowtie \beta$ at position $i$, if the last reset instruction of the clock $x$ in $\tau$ before $i$ was at position $j$, then $\mathsf{ts}(i) - \mathsf{ts}(j) \bowtie \beta$.
(C2) For every age constraint of the form $d \bowtie \beta$ at position $i$, we have an edge $j \xrightarrow{d} i$ in $G_\tau$ (which implies $w(d) \in \lambda(j)$ and $r(d) \in \lambda(i)$), and $\mathsf{ts}(i) - \mathsf{ts}(j) \bowtie \beta$.
(C3) For every diagonal constraint of the form $x - y \bowtie \beta$ at position $i$, if $j$ and $k$ are the last resets of clocks $x$ and $y$ respectively, then $\mathsf{ts}(k) - \mathsf{ts}(j) \bowtie \beta$.
(C4) Diagonal constraints between clocks and data structures are defined similarly: for $x - d \bowtie \beta$ (resp. $d - x \bowtie \beta$) at position $i$, if $j$ is the last reset of $x$ and $k \xrightarrow{d} i$ is the data structure edge into $i$, then $\mathsf{ts}(k) - \mathsf{ts}(j) \bowtie \beta$ (resp. $\mathsf{ts}(j) - \mathsf{ts}(k) \bowtie \beta$).
Thus, the non-emptiness problem for the timed system $T$ is to check whether there exists a feasible $\tau \in L(T)$.
4.2.2 From timing instructions to weighted graphs

We reduce checking non-emptiness of $T$ to checking satisfiability of an EQ-ICPDL formula over $(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$-graphs. Towards this, we first define, in a natural manner, the weighted graph $\mathcal{G}_\tau$ corresponding to a valid sequence of instructions $\tau$ of $T$ (we write $\mathcal{G}_\tau$ for the weighted graph and $G_\tau$ for the labeled linear graph of the previous subsection). We extend the construction of Section 3, where all timing instructions were simply clock constraints and clock resets, i.e., corresponding to (C1) and (C3) above. In Figure 10, the check of $x = 0$ on node 2 gives two weighted edges in opposite directions in the weighted graph $\mathcal{G}_\tau$ depicted in Figure 11, between the last reset point of $x$ (node 1) and node 2. Similarly, the instruction $y \le 1$ at node 4 gives rise to the forward edge labeled $\le 1$ from the last reset of $y$ (node 3) to node 4. For diagonal constraints (C3), the edge obtained is between the last reset points. E.g., $y - x < 6$ at node 9 yields the weighted edge labeled $< 6$ from node 3 to node 6 (the last resets of clocks $y$ and $x$).

This construction lifts easily to (C2) and (C4) as well. For (C2), we just observe that each age constraint engenders edges between the source write and the target read of that data structure edge. E.g., in Figure 10, the age constraint $4 < d \le 5$ at node 8 yields two weighted edges (in Figure 11) between the source of the data structure edge, i.e., node 4, and its target, node 8. The upper bound is captured by the forward edge (labeled $\le 5$) while the lower bound is captured by the backward edge (labeled $< -4$). Similarly, the constraint $2 < d - y$ at node 5 yields the backward edge labeled $< -2$ (as it is a lower bound constraint) from node 3 (the last reset of clock $y$) to node 2 (the source of the data structure edge reaching node 5).

The main property of the weighted graph is that it captures feasibility of a sequence of instructions as realizability.

▶ Lemma 21. A valid sequence of instructions $\tau$ over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$ is feasible iff $\mathcal{G}_\tau$ is realizable.
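To make the construction and Lemma 21 concrete, here is an added example (this editor's code, not the paper's) that builds the weighted edges of Figure 11 from the instruction sets of Figure 10 following (C1)–(C4), and then decides realizability as a system of difference constraints with Bellman-Ford. Strict constraints are handled by comparing weights $(\alpha, -\text{strict})$ lexicographically, so a cycle is rejected iff its $\alpha$-sum is negative, or zero while it contains a strict edge; this is the same fractional-part phenomenon that Section 3.1.2 handles with gtFr and geqFr, checked here by the classical graph algorithm instead of the modulo-$M$ guess. The instruction-string syntax, the `ref` convention and the function names are this example's own; the $d$-edges of Figure 10 ($2 \to 5$, $4 \to 8$, $7 \to 10$) are supplied as input.

```python
import re
from fractions import Fraction

# tau of Figure 10 as sets of instruction strings, one set per position (constructed
# here from the figure); d is a queue there, so the d-edges are 2->5, 4->8, 7->10.
CLOCKS = {"x", "y"}
TAU = [
    {"nop", "x:=0", "y:=0"},           # 1
    {"w(d)", "x=0"},                   # 2
    {"nop", "y:=0"},                   # 3
    {"w(d)", "y<=1"},                  # 4
    {"r(d)", "2<d-y"},                 # 5
    {"nop", "x:=0"},                   # 6
    {"w(d)"},                          # 7
    {"r(d)", "4<d", "d<=5", "2<=x"},   # 8
    {"nop", "y-x<6"},                  # 9
    {"r(d)", "x-d<3"},                 # 10
]
DS_EDGES = {5: 2, 8: 4, 10: 7}         # read position -> matched write position

CMP = re.compile(r"^(.+?)(<=|>=|<|>|=)(.+)$")
FLIP = {"<": ">", "<=": ">=", ">": "<", ">=": "<=", "=": "="}

def weighted_graph(tau, ds_edges, clocks):
    """Figure 11 construction.  Every timing instruction at position i yields edges
    (u, op, alpha, v) read as ts(v) - ts(u) op alpha.  With ref(x) = last reset of
    clock x before i and ref(d) = the write matched to the read at i, a term 'x' or
    'd' denotes ts(i) - ts(ref(.)) and 'a-b' denotes ts(ref(b)) - ts(ref(a)).
    Monotonicity along successor edges is kept as <= 0 backward edges."""
    edges = [(i + 1, "<=", 0, i) for i in range(1, len(tau))]
    last_reset = {}
    for i, instrs in enumerate(tau, start=1):
        ref = lambda t: last_reset[t] if t in clocks else ds_edges[i]
        for ins in sorted(instrs):
            m = CMP.match(ins)
            if m is None or ins.endswith(":=0"):
                continue                          # nop, w(d), r(d), resets
            lhs, op, rhs = m.groups()
            if lhs.lstrip("-").isdigit():         # constant on the left: flip it
                lhs, op, rhs = rhs, FLIP[op], lhs
            beta, terms = int(rhs), lhs.split("-")
            src = ref(terms[0])
            tgt = i if len(terms) == 1 else ref(terms[1])
            if op in ("<=", "="):
                edges.append((src, "<=", beta, tgt))        # upper bound
            if op in (">=", "="):
                edges.append((tgt, "<=", -beta, src))       # lower bound, backward
            if op == "<":
                edges.append((src, "<", beta, tgt))
            if op == ">":
                edges.append((tgt, "<", -beta, src))
        for ins in instrs:                        # resets apply after the guards of i
            if ins.endswith(":=0"):
                last_reset[ins[:-3]] = i
    return edges

def realizable_bf(n, edges):
    """Realizability as difference constraints over the reals: Bellman-Ford from a
    virtual source, weights (alpha, -1 if strict else 0) compared lexicographically.
    Returns a time-stamping {node: Fraction} in R>=0, or None if not realizable."""
    dist = {v: (0, 0) for v in range(1, n + 1)}
    weighted = [(u, v, a, -1 if op == "<" else 0) for (u, op, a, v) in edges]
    for _ in range(n + 1):
        changed = False
        for u, v, a, s in weighted:
            cand = (dist[u][0] + a, dist[u][1] + s)
            if cand < dist[v]:
                dist[v], changed = cand, True
        if not changed:
            break
    else:
        return None        # still relaxing after n+1 rounds: an infeasible cycle
    eps = Fraction(1, n + 1)   # at most n strict edges on a shortest path
    ts = {v: a + s * eps for v, (a, s) in dist.items()}
    low = min(ts.values())
    return {v: t - low for v, t in ts.items()}

def check(ts, edges):
    """Direct verification that ts(v) - ts(u) op alpha holds on every edge."""
    return all((ts[v] - ts[u] < a) if op == "<" else (ts[v] - ts[u] <= a)
               for (u, op, a, v) in edges)
```

`weighted_graph(TAU, DS_EDGES, CLOCKS)` produces exactly the nine weighted edges listed for Figure 11 plus the nine successor constraints, and `realizable_bf` returns a feasible time-stamping for it. Tightening $2 \le x$ at node 8 to $6 \le x$ makes the cycle $4 \to 8 \to 6 \to 5 \to 4$ sum to $-1$ and the graph unrealizable; the pair $(1,<,0,2)$, $(2,\le,0,1)$ shows why the strictness component is needed, since its $\alpha$-sum is $0$ and a plain integer Bellman-Ford would accept it.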
4.2.3 Interpreting weighted graphs in unweighted graphs

From the above discussion, given a timed system $T$, for each valid $\tau$ of $T$, we have a weighted graph $\mathcal{G}_\tau$. A significant contribution of this paper, of possible independent interest, is the following proposition which relates these weighted graphs with the unweighted $(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$-graphs obtained from $\tau$. Proposition 22 allows us to logically interpret weighted graphs into unweighted ones and, therefore, to decouple the data structure and process edges from the timing constraints.

▶ Proposition 22. Let $\tau$ be a valid sequence of instructions over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$. Then the weighted graph $\mathcal{G}_\tau$ can be CPDL-interpreted in the $(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$-graph $G_\tau$.
Proof. Given a valid sequence of instructions $\tau$ over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$, let $M$ be the maximal constant appearing in these instructions. We saw in the previous subsection that the weighted graph $\mathcal{G}_\tau = (V,E)$ has successor edges, and weighted edges arising from constraints of type (C1–C4). First, we observe that successor edges in $\mathcal{G}_\tau$ are already present as successor edges in $G_\tau$. For weighted edges, let $\lhd \in \{<,\le\}$ and $c \in [0,M) \cap \mathbb{N}$. We assume that equality constraints such as $x = c$ have been replaced by the conjunction of $x \le c$ and $c \le x$. For a clock $x \in \mathsf{Clocks}$, we define the path formula
$$\mathsf{Reset}_x = \to^{-1} \cdot \big(\mathsf{test}\{\neg(x := 0)\} \cdot \to^{-1}\big)^{*} \cdot \mathsf{test}\{x := 0\}$$
which moves backwards along successor edges up to the last reset of clock $x$. Then, towards the interpretation of forward edges weighted with $\lhd c$, we define the path formula $\Pi_{\lhd c}$ as
$$\begin{aligned}
\Pi_{\lhd c} ={}& \sum_{x \in \mathsf{Clocks}} \mathsf{Reset}_x^{-1} \cdot \mathsf{test}\{x \lhd c\} && \text{(C1)}\\
&+ \sum_{d \in \mathsf{DS}} \xrightarrow{d} \cdot\, \mathsf{test}\{d \lhd c\} && \text{(C2)}\\
&+ \sum_{x,y \in \mathsf{Clocks}} \mathsf{Reset}_x^{-1} \cdot \mathsf{test}\{x - y \lhd c\} \cdot \mathsf{Reset}_y && \text{(C3)}\\
&+ \sum_{x \in \mathsf{Clocks},\, d \in \mathsf{DS}} \Big(\mathsf{Reset}_x^{-1} \cdot \mathsf{test}\{x - d \lhd c\} \cdot (\xrightarrow{d})^{-1} + \xrightarrow{d} \cdot\, \mathsf{test}\{d - x \lhd c\} \cdot \mathsf{Reset}_x\Big) && \text{(C4)}
\end{aligned}$$
Then, for all $u,v \in V$ and $c > 0$ (the case $c = 0$ is discussed below), we have $(u,\lhd,c,v) \in E$ iff $(G_\tau,u,v) \models \Pi_{\lhd c}$. The four types of upper constraints defined in (C1–C4) are described by the respective path formulae (C1–C4) in $\Pi_{\lhd c}$. As an example, if we refer to the $i$th node of $G_\tau$ in Figure 10 and of $\mathcal{G}_\tau$ in Figure 11 as $u_i$, we have the edge $(u_3,<,6,u_6)$ in $\mathcal{G}_\tau$ because $(G_\tau,u_3,u_6) \models \mathsf{Reset}_y^{-1} \cdot \mathsf{test}\{y - x < 6\} \cdot \mathsf{Reset}_x$. Similarly, the edge $(u_6,<,3,u_7)$ is present in $\mathcal{G}_\tau$ since $(G_\tau,u_6,u_7) \models \mathsf{Reset}_x^{-1} \cdot \mathsf{test}\{x - d < 3\} \cdot (\xrightarrow{d})^{-1}$. Notice that $\mathsf{Reset}_x$ walks backward to the first node labeled $x := 0$ that it meets, i.e., to the last reset of $x$, while in (C2) and (C4), for checking the age of a data structure, it is sufficient to follow the data structure edge backward from the point where the age is checked.

Similarly, towards the interpretation of backward edges weighted with $\lhd -c$, we define the path formula $\Pi_{\lhd -c}$ as
$$\begin{aligned}
\Pi_{\lhd -c} ={}& \sum_{x \in \mathsf{Clocks}} \mathsf{test}\{c \lhd x\} \cdot \mathsf{Reset}_x && \text{(C1)}\\
&+ \sum_{d \in \mathsf{DS}} \mathsf{test}\{c \lhd d\} \cdot (\xrightarrow{d})^{-1} && \text{(C2)}\\
&+ \sum_{x,y \in \mathsf{Clocks}} \mathsf{Reset}_y^{-1} \cdot \mathsf{test}\{c \lhd x - y\} \cdot \mathsf{Reset}_x && \text{(C3)}\\
&+ \sum_{x \in \mathsf{Clocks},\, d \in \mathsf{DS}} \Big(\mathsf{Reset}_x^{-1} \cdot \mathsf{test}\{c \lhd d - x\} \cdot (\xrightarrow{d})^{-1} + \xrightarrow{d} \cdot\, \mathsf{test}\{c \lhd x - d\} \cdot \mathsf{Reset}_x\Big) && \text{(C4)}
\end{aligned}$$
Then, for all $u,v \in V$ and $c > 0$, we have $(u,\lhd,-c,v) \in E$ iff $(G_\tau,u,v) \models \Pi_{\lhd -c}$. Again, the four types of lower constraints defined in (C1–C4) are described by the respective path formulae (C1–C4) in $\Pi_{\lhd -c}$.

Now, when $c = 0$, an edge weighted $\lhd 0$ may arise from an upper constraint such as $x \lhd 0$ or from a lower constraint such as $0 \lhd x$. Therefore, for all $u,v \in V$, we have $(u,\lhd,0,v) \in E$ iff $(G_\tau,u,v) \models \Pi_{\lhd 0} + \Pi_{\lhd -0}$.

The size of $\Pi_{\lhd \alpha}$ is $O(|\mathsf{Clocks}|^2 + |\mathsf{DS}| + |\mathsf{Clocks}|\,|\mathsf{DS}|)$.

Thus we have described how each edge of the weighted graph $\mathcal{G}_\tau$ can be interpreted in the $(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$-graph $G_\tau$ by a CPDL formula of size $O(|\mathsf{Clocks}|^2 + |\mathsf{DS}| + |\mathsf{Clocks}|\,|\mathsf{DS}|)$, which completes the proof of this proposition. ◀
Thus, any formula over weighted graphs can be translated into an "equivalent" formula over $(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$-graphs:

▶ Corollary 23. Given a formula $\psi \in \mathrm{EQ\text{-}ICPDL}(\emptyset,\Gamma_M)$, we can construct $\psi' \in \mathrm{EQ\text{-}ICPDL}(\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}},\Gamma_{\mathsf{DS}})$ such that, for all valid sequences of instructions $\tau$ over $\Sigma^{\mathsf{DS}}_{\mathsf{Clocks}}$, we have $\mathcal{G}_\tau \models \psi$ iff $G_\tau \models \psi'$. The size of $\psi'$ is $O\big((|\mathsf{Clocks}|^2 + |\mathsf{DS}| + |\mathsf{Clocks}|\,|\mathsf{DS}|) \cdot |\psi|\big)$ and its intersection width is the same as that of $\psi$.
4.2.4 Reducing emptiness of T to satisfiability of EQ-ICPDL
From Theorem 4, we know that there exists a formula capturing realizability on weighted
graphs, with signature (∅,ΓM ). Combining with Corollary 23 gives us the second main
theorem of the paper regarding logical characterization of emptiness checking in timed
systems with data structures.
I Theorem 24 (Logical characterization of a timed system). Given a timed system with data
structures T , we can construct a formula ΨT ∈ EQ-ICPDL(∅,ΓDS) such that for all (∅,ΓDS)
linear graphs G, we have G |= ΨT iff G = pi(Gτ ) for some feasible τ ∈ L(T ). The size of
ΨT is polynomial in the size of T and its intersection width is 2.
S. Akshay, P. Gastin, V. Jugé, S. Krishna 21
Proof. By Theorem 4, we can construct a formula Realizable in EQ-ICPDL(∅,ΓM ) that
captures realizability over weighted graphs G(∅,ΓM ). By Corollary 23, we obtain a formula
ψreal ∈ EQ-ICPDL(∅,ΓDS) such that, for all τ ∈ L(T ), Gτ |= ψreal iff Gτ |= Realizable. In fact,
ψreal is simply obtained from Realizable by replacing every reference to a weighted edge in
the formula by its logical interpretation in Gτ . Now, by definition of EQ-ICPDL, we have
ψreal = ∃p1 . . . prψ′ for some ψ′ ∈ ICPDL({p1, . . . pr},ΓDS).
Next, recall that a timed system T is a regular language of sequences of timed instructions.
We consider the automaton that describes this regular collection, denoted by A = (Q, ι, F, ∆),
with Q the set of states, ι the initial state, F the set of final states and ∆ the transition relation.
Then, the accepted sequences of instructions can be captured in EQ-LCPDL by guessing
the states visited along an accepting run, and by checking that consecutive states have a
transition between them, that the run starts from the initial state and that it ends in a final
state. Though similar in spirit to Theorem 19, for the sake of completeness and to obtain
the precise complexity, we detail the construction in Appendix A.
Set Σ = ΣDSClocks ∪ Q, with Q = {q1, . . . , qn}. There exists a formula ξ = ∃q1 . . . qn ξ′, with
ξ′ ∈ LCPDL(Σ,ΓDS), such that, for all (∅,ΓDS)-graphs G, we have G |= ξ iff G = π(Gτ)
for some sequence τ ∈ L(T). Combining this with the formula above, we define ΨT =
∃p1 . . . pr, q1, . . . , qn (ξ′ ∧ ψ′). Then, for any (∅,ΓDS)-graph G, we have G |= ΨT iff G = π(Gτ)
for some feasible τ ∈ L(T), which completes the proof. ◀
4.3 Application: deciding emptiness
While we have reduced checking emptiness of timed systems to checking satisfiability of a
formula in EQ-ICPDL, this does not immediately give decidability results. This is obvious
since systems with multiple data structures (such as stacks or even single queue) are all
Turing powerful, even without any timing features. To obtain decidability, one often considers
under-approximations, for which we essentially restrict the class of graphs that are considered
as behaviors. As mentioned in the preliminaries, graphs of bounded tree-width form a large
family of graphs where we regain decidability thanks to Theorem 2. Recall that Gk denotes
graphs of tree-width at most k. Combining Theorems 2 and 24, we have the following
corollary about decidability in timed systems.
▶ Corollary 25 (Under-approximations). Let k ∈ N. Let S be a timed system with data structures
that uses clocks from Clocks and has maximum constant M ∈ N. We can check whether
there exists a feasible τ ∈ L(S) such that Gτ ∈ Gk(∅,ΓDS) in time 2^{poly(k,M,|Clocks|,|DS|)} ×
|S|^{poly(k,|DS|)}.
Thus, if the set {Gτ : τ ∈ L(S)} has a bounded tree-width, we obtain the same complexity
bounds for checking emptiness of S. As concrete applications, the following models of timed
systems all fall in this category of having bounded tree-width, hence we obtain decidability
(and efficient algorithms) for checking emptiness of timed automata [7], dense-timed pushdown
automata with a single stack [2], multi-stack dense-timed pushdown automata with bounded
rounds [5]. In fact, the complexity obtained for dense-timed pushdown automata with a
single stack is even optimal. In addition, by this technique, we also have the following
(new, to the best of our knowledge) results on the decidability of the emptiness problem
for multi-stack dense-timed pushdown automata with (i) bounded contexts (the tree-width
of graphs in the case of p-bounded context systems is ≤ p + 1 [27]), (ii) bounded phase
(the tree-width of graphs in the case of p-bounded phase systems is ≤ 2p+1 [21]), and (iii)
bounded scope (the tree-width of graphs in the case of p-bounded scope is ≤ 2(p+ 2) [21]).
Further, if one considers timed automata with b-bounded channels (a b-bounded channel
is one where the number of unread messages is bounded by b ∈ N at any point of time),
then the (∅,ΓDS)-graphs have a tree-width ≤ b + 2 [10]. We expect that many other data
structures and various novel combinations (e.g., any combination of the above with multiple
stacks and queues) can be handled using our technique, and leave these as routine exercises.
In the next section, we consider more substantial extensions.
Figure 12 Intricate flow of information in complex renamings. [Figure: the sequence τ = x1 := 0, x2 := 0, x3 := 0, d1 := x1, x2 := 0, x2 := d1, x1 := 0, x4 := x2, d2 := x2, x2 := 0, x3 := x4, x4 := d2, x3 < 3, x4 < 4, drawn with the data-structure edges for d1 and d2 and the timing edges labelled < 3 and < 4.]
5 Extensions
We consider two extensions: first, adding new timing features without much change to the
theory above, and second, extending from checking emptiness to model checking.
5.1 Capturing time features - a generic template
We develop a two-step template to add new timing features to our approach above. Step 1
consists in expressing the edges engendered by the new feature in the weighted graph and
Step 2 consists in writing a formula in LCPDL to capture this new edge relation. If we can
accomplish these steps, then our theorems lift to the setting with these new timing features.
This shows the robustness of our approach as we are able to handle these extra features,
uniformly and with ease. At the same time, we remark that this template is interesting even
for timing features that we know can be simulated by ordinary clocks. For instance, consider
diagonal guards in timed automata, which are expressively equivalent to timed automata
without diagonal guards. Removing diagonal constraints incurs an additional exponential
blow-up in the worst-case [12], which can be avoided by directly expressing their edges in
the weighted graph as we did in Equation C4.
5.1.1 Event clocks
Let us illustrate this template in action via another example of a well-studied model, namely,
event predicting clocks [8, 23], which can be simulated by ordinary (non-deterministic) timed
automata. We fix a set AP of atomic propositions (events) arising from the system. An event-predicting
timing instruction next_a ⋈ α, for a ∈ AP, ⋈ ∈ {≤, <, >, ≥} and α ∈ [0,M) ∩ N,
entails a constraint between the current point (call it u) and the point at which node label
a occurs next (call it v). Consistently with the notations on timing constraints C1–C4 in
Section 4.2.1, we call this constraint C5. Now, Step 1 is that this can be expressed in the
weighted graph as an edge between these two vertices u and v. For Step 2, it is easy to
write the PDL formula that allows us to interpret these edges of the weighted graph as edges
in the ΓDS-graph. Specifically, we just have to add to the path formula Π⊲α in the proof of
Proposition 22 the following term:
\[
\sum_{a \in AP} \mathsf{test}\{(\mathsf{next}_a \lhd \alpha)\} \cdot {\to} \cdot (\mathsf{test}\{\neg a\} \cdot {\to})^{*} \cdot \mathsf{test}\{a\} \tag{C5}
\]
We proceed similarly for the path formula Π⊲−α. It is not difficult to see that we can define
similar formulae to capture event recording clocks as well.
5.1.2 Clock renaming via tracking
While event clocks are relatively straightforward, for some other timing features, it is not
easy to figure out, from the timing instruction, what edges in the weighted graph must be
added. This happens for instance in clock renaming: if we assign to x the value of clock y
and then check it later with x ≤ α, the edge to be added is from the last reset of y to the
point of checking the constraint. This is the case even if y has been reset in between after
the assignment. Figure 12 illustrates this.
We consider a generic class of (deterministic) clock renaming in timed systems. Such
renamings are a special case of clock updates, which are again a classical notion in timed
automata [13, 12], but have not been studied much for timed systems with single or multiple
data structures such as stacks and queues. We divide the features we consider into 4 classes:
(i) the usual reset of a clock x to 0 (x := 0),
(ii) assigning to clock x the value of clock x′ (x := x′),
(iii) assigning to clock x the value associated to data structure d ∈ DS, while reading from d
(x := d),
(iv) writing to d ∈ DS the value of clock x (d := x).
Note that renamings (iii) and (iv), combined with the age and diagonal constraints on data
structures, give us a rich class of timed systems. This allows us to consider timed systems
where we can write to some d1 ∈ DS the value of a clock x1, then read from d1 this value
(which changes with passage of time) into a clock x2, write this value of x2 to some d2 ∈ DS,
and retrieve the value (after some time elapse) into a clock x4. This value in x4 can then be
checked with the value read from some d4 ∈ DS, or with a clock x5, or with a constant α. In
such a sequence, the clock x1 has come a long way at this time of checking, and we need to
track it, to ensure that the time elapse we are looking at happens from the last reset of x1
before it was written to d1. See Figure 12, where the value of clock x1 flows through d1, x2, d2
and finally x4, from where it is checked. Likewise, the value of clock x2 flows through clocks
x4, x3, and is checked at x3. Now, x2 is reset after it flows into x4; however, when checking
x3, we use the reset of x2 before x2 flowed inside x4.
Many recent papers [16, 14, 1] consider complex constraints between data structures
and clocks; however, this intricate flow of information across clocks and data structures
has not been looked at, to the best of our knowledge. In these papers, there are time
constraints between data structures d1, d2, between clocks, and also between a clock c and a
data structure d. All of these can be modeled easily in our case, as shown in Figure 10.
Inferring constraints (i)-(iv) as above requires us to follow and track the clock reset back
to the original event. Rather than writing a formula in CPDL, we find it easier to describe
an automaton which “walks” in the graph and performs this tracking. This enables us to
express the weighted edges engendered by the constraints using the accepting paths of the
automaton. This essentially handles the Step 1 we mentioned earlier. To handle Step 2,
which is the logical definability, we write CPDL formulae whose paths π use this automaton.
This allows us to interpret the weighted edges.
Formally, we construct an automaton A with set of states Q = {qx : x ∈ Clocks}. A run
of A starting from some state qx will track the name of the clock whose value originates from
x. Without loss of generality, we assume that each transition of the timed system T contains
exactly one renaming operation for each clock, which could be of the form x := 0 (reset),
x := x′ (deterministic clock renaming, we use x := x if the clock is unchanged), x := d (x is
updated with the value read from d ∈ DS), or d := x. There are two types of transitions:
(clock renaming): if there is a renaming operation x′ := x then we have a transition
\[
q_x \xrightarrow{\ \mathsf{test}\{x' := x\} \cdot {\to}\ } q_{x'},
\]
(DS renaming): if there is a renaming operation x′ := d for some d ∈ DS, then for all
clocks x, we have a transition
\[
q_x \xrightarrow{\ \mathsf{test}\{d := x\} \cdot \xrightarrow{d} \cdot \mathsf{test}\{x' := d\}\ } q_{x'}.
\]
This corresponds to writing the value of clock x to some d ∈ DS and, at the time of reading
from d ∈ DS, assigning this value to a clock x′.
Consider a run
\[
\rho = q_{x_0} \xrightarrow{\pi_1} q_{x_1} \xrightarrow{\pi_2} q_{x_2} \cdots \xrightarrow{\pi_n} q_{x_n}
\]
in A. Let τ ∈ L(T) be a valid sequence of instructions from the timed system T. Let Gτ be
the associated (ΣDSClocks,ΓDS)-graph and let u, v be vertices in Gτ. Then, Gτ, u, v |= label(ρ) =
π1 · π2 ··· πn iff the value of clock xn at v originates from clock x0 at u. We write
Gτ, u, v |= A_{x,x′} if there is a run ρ of A from qx to qx′ such that Gτ, u, v |= label(ρ).
Now, we can revisit and generalize the timing constraints above in (C1–C4) using A
instead of the paths tracking the last reset of a clock. For instance, the subformulae (C1–C3)
of Π⊲α in the proof of Proposition 22 should be replaced with
\[
\begin{aligned}
& \sum_{x, x' \in \mathsf{Clocks}} \mathsf{test}\{(x := 0)\} \cdot A_{x,x'} \cdot \mathsf{test}\{x' \lhd \alpha\} && \text{(C1)} \\
+\ & \sum_{\substack{x, x' \in \mathsf{Clocks} \\ d \in \mathsf{DS}}} \mathsf{test}\{(x := 0)\} \cdot A_{x,x'} \cdot \mathsf{test}\{d := x'\} \cdot \xrightarrow{d} \cdot \mathsf{test}\{d \lhd \alpha\} && \text{(C2)} \\
+\ & \sum_{x, x', y, y' \in \mathsf{Clocks}} \mathsf{test}\{(x := 0)\} \cdot A_{x,x'} \cdot \mathsf{test}\{x' - y' \lhd \alpha\} \cdot (A_{y,y'})^{-1} \cdot \mathsf{test}\{(y := 0)\} && \text{(C3)}
\end{aligned}
\]
This completes Steps 1 and 2 of our template. Hence, timed systems with data structures
whose timing features include renamings can be analyzed by our approach, with a complexity
blow-up that is only polynomial in the size of the input. We remark that, even in the case of
timed automata without data structures, the presence of clock renamings makes the model
exponentially more succinct [12]. That is, if we were to convert timed automata with such
clock renamings to ordinary timed automata (using for instance the reduction from [13]) and
then apply our technique, this would have incurred an additional exponential blowup that
we avoid by using our template above.
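As an added example (not the paper's code), the following Python program simulates the tracking automaton A of this section on a constructed instruction sequence, loosely modelled on Figure 12, and emits the weighted-graph edges that constraints of the kinds (C1)–(C3) and lower bounds generate once the origin of each clock value has been tracked through renamings and data structures; the instruction syntax, the queue/stack policy and the trace are assumptions of the example.

```python
"""Simulation of the tracking automaton A (Section 5.1.2): origin[x] is the
event whose reset produced the value currently held by clock x.  Added example,
not the paper's code; instruction syntax, policies and the trace are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    """Weighted-graph edge meaning  t[tgt] - t[src]  rel  bound,  rel in {<, <=}."""
    src: int
    tgt: int
    rel: str
    bound: int


class Tracker:
    def __init__(self, clocks, structures):
        self.clocks = set(clocks)
        self.policy = dict(structures)              # d -> 'queue' or 'stack'
        self.pending = {d: [] for d in structures}  # origins carried by unread writes
        self.origin = {}                            # clock -> originating event
        self.edges = []

    def _origin(self, x, event):
        if x not in self.origin:
            raise ValueError(f"event {event}: clock {x} used before any reset")
        return self.origin[x]

    def _read(self, d, event):
        """Origin stored by the matching write: FIFO for queues, LIFO for stacks."""
        if not self.pending[d]:
            raise ValueError(f"event {event}: read from empty {d}")
        return self.pending[d].pop(0 if self.policy[d] == 'queue' else -1)

    def run(self, trace):
        """trace: list of events, each a list of instruction strings."""
        for event, instrs in enumerate(trace, start=1):
            new = dict(self.origin)  # renamings of one event are simultaneous
            read_now = {}            # d -> origin of the message read at this event
            for ins in instrs:
                m = re.fullmatch(r'(\w+) := (\w+)', ins)
                if m and m[2] == '0':                        # (i)   x := 0
                    new[m[1]] = event
                elif m and m[1] in self.pending:             # (iv)  d := x
                    self.pending[m[1]].append(self._origin(m[2], event))
                elif m and m[2] in self.pending:             # (iii) x := d
                    read_now[m[2]] = new[m[1]] = self._read(m[2], event)
                elif m:                                      # (ii)  x := x'
                    new[m[1]] = self._origin(m[2], event)
            # Guards use the valuation before this event's renamings; a guard on
            # d refers to the age of the message read at this event (C2).
            for ins in instrs:
                m = re.fullmatch(r'(\w+)(?: - (\w+))? (<=?) (\d+)', ins)
                if m and m[1] in read_now:                   # C2: d rel a
                    self.edges.append(Edge(read_now[m[1]], event, m[3], int(m[4])))
                elif m and m[2] is None:                     # C1: x rel a
                    self.edges.append(Edge(self._origin(m[1], event), event, m[3], int(m[4])))
                elif m:                                      # C3: x - y rel a
                    self.edges.append(Edge(self._origin(m[1], event),
                                           self._origin(m[2], event), m[3], int(m[4])))
                m = re.fullmatch(r'(\d+) (<=?) (\w+)', ins)
                if m:                                        # lower bound a rel x
                    self.edges.append(Edge(event, self._origin(m[3], event), m[2], -int(m[1])))
            self.origin = new
        return list(self.edges)


# Constructed trace (not Figure 12 itself): the value of x1 travels through d1
# into x3, the value of x2 through x4, and both are checked only later.
TRACE = [
    ['x1 := 0', 'x2 := 0'],    # 1
    ['d1 := x1'],              # 2  writes the value of x1, which originates at 1
    ['x2 := 0'],               # 3
    ['x1 := 0'],               # 4  later reset of x1: irrelevant for the stored value
    ['x3 := d1', 'd1 < 5'],    # 5  x3 now originates at event 1, not at event 4
    ['x4 := x2'],              # 6  x4 originates at event 3
    ['x2 := 0'],               # 7  x2 is reset after flowing into x4
    ['x4 < 3', 'x3 < 4', 'x3 - x2 < 2', '1 < x1'],  # 8
]


def trace_edges(trace=TRACE):
    return Tracker(['x1', 'x2', 'x3', 'x4'], {'d1': 'queue'}).run(trace)
```

The check x3 < 4 at event 8 yields the edge from event 1 (the reset of x1 before it was written to d1) rather than from the later reset at event 4, and x4 < 3 yields the edge from event 3 although x2 was reset again at event 7.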
5.2 Extending to other problems: Model checking
Here, we would like to check whether a system satisfies a specification. As usual, we
assume a finite set AP of atomic propositions which are used to link the system and the
specification, and thus we will write specifications in the logic LCPDL(AP,ΓDS). For instance,
if req, grant ∈ AP, the formula $\mathsf{A}\,(\mathit{req} \implies \langle {\to}^{+} \rangle \mathit{grant})$ says that every request should
eventually be granted. As another example, the formula $\mathsf{A}\,((a \wedge \langle {\to} \cdot \xrightarrow{d} \rangle) \implies \langle {\to} \cdot \xrightarrow{d} \cdot {\to} \rangle a)$
says that, if some property a ∈ AP holds before a message is sent over data structure d, then
a still holds after the message is received.
Specifications are evaluated over (AP,ΓDS)-graphs. Such graphs are generated by runs
of the timed system. Again, we consider valid sequences τ = τ1 · · · τn of instructions over
AP ∪ ΣDSClocks. An instruction τi ⊆ AP ∪ ΣDSClocks defines the atomic propositions τi ∩ AP which
hold on the ith event, together with the set of operations τi ∩ ΣDSClocks which are executed
at the ith event. Let Gτ = (V,E, λ) be the (AP ∪ ΣDSClocks,ΓDS)-graph associated with τ .
When Σ′ ⊆ Σ, we write πΣ′ for the projection on Σ′: if G = (V,E, λ) is a (Σ,Γ)-graph, then
πΣ′(G) = (V,E, λ′), where λ′(u) = λ(u) ∩ Σ′ for all u ∈ V.
Let T be a timed system with data structures DS and let Φ ∈ LCPDL(AP,ΓDS) be a
specification. Recall that, in Theorem 24, we define the formula ΨT = ∃p1, . . . , pn Ψ′T.
Consider Ψ = ∃p1, . . . , pn (Ψ′T ∧ ¬Φ). Let G = (V,E) be an (∅,ΓDS)-graph. By Theorem 24,
if G |= Ψ then there exists a feasible τ ∈ L(T) such that G = π∅(Gτ) and Gτ |= Ψ. Then
Gτ |= ¬Φ, and since the specification uses AP only, we deduce that πAP(Gτ) |= ¬Φ. Thus,
as a corollary of Theorem 24, we can construct a formula Ψ ∈ EQ-ICPDL(∅,ΓDS) which
is satisfiable over (∅,ΓDS)-linear graphs iff there is a run of the system which violates the
specification Φ.
▶ Corollary 26. Let T be a timed system with data structures DS and let Φ ∈ LCPDL(AP,ΓDS)
be a specification. We can construct a formula Ψ such that, for all (∅,ΓDS)-linear graphs G,
G |= Ψ iff there exists a feasible τ ∈ L(T) such that G = π∅(Gτ) and πAP(Gτ) ⊭ Φ. The
size of Ψ is polynomial in the size of T and Φ, and its intersection width is 2.
6 Conclusion
We studied timed systems via their behaviors depicted as graphs and reasoned about these
graphs via logic EQ-ICPDL. This gave rise to a problem of independent and basic interest:
logical definability of realizability of weighted graphs. We showed that realizability is definable
in EQ-ICPDL over sequential graphs but not definable, even in MSO, over non-sequential
graphs. We developed a new logic based technique to analyze and model-check timed
systems having a complex interplay of time and data structures. Potential future work
is in generalizing this approach to handle a larger class of timed systems. In light of the
negative result for non-sequential systems, an intriguing question is to come up with classes of
concurrent systems that can be analyzed. Finally, it is worthwhile exploring if this technique
can be applied in practice, in building tools for timed systems.
References
1 P. Abdulla, M. F. Atig, and S. Krishna. Perfect timed communication is hard. In FORMATS Proceedings, pages 91–107, 2018.
2 P. Abdulla, M. F. Atig, and J. Stenman. Dense-timed pushdown automata. In LICS Proceedings, pages 35–44, 2012.
3 C. Aiswarya and P. Gastin. Reasoning about distributed systems: WYSIWYG (invited talk). In FSTTCS Proceedings, pages 11–30, 2014.
4 C. Aiswarya, P. Gastin, and K. Narayan Kumar. Verifying communicating multi-pushdown systems via split-width. In ATVA Proceedings, pages 1–17, 2014.
5 S. Akshay, P. Gastin, and S. Krishna. Analyzing timed systems using tree automata. In CONCUR Proceedings, 2016.
6 S. Akshay, P. Gastin, S. Krishna, and I. Sarkar. Towards an efficient tree automata based technique for timed systems. In CONCUR Proceedings, pages 39:1–39:15, 2017.
7 R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
8 R. Alur, L. Fix, and T. A. Henzinger. Event-clock automata: A determinizable class of timed automata. Theoretical Computer Science, 211(1-2):253–273, 1999.
9 A. Blumensath and B. Courcelle. Monadic second-order definable graph orderings. Logical Methods in Computer Science, 10(1), 2014.
10 B. Bollig and P. Gastin. Non-sequential theory of distributed systems. CoRR, abs/1904.06942, 2019.
11 A. Bouajjani, R. Echahed, and R. Robbana. On the automatic verification of systems with continuous variables and unbounded discrete data structures. In Hybrid Systems II, pages 64–85, 1994.
12 P. Bouyer and F. Chevalier. On conciseness of extensions of timed automata. Journal of Automata, Languages and Combinatorics, 10(4):393–405, 2005.
13 P. Bouyer, C. Dufourd, E. Fleury, and A. Petit. Updatable timed automata. Theoretical Computer Science, 321(2-3):291–345, 2004.
14 L. Clemente. Decidability of timed communicating automata. CoRR, abs/1804.07815, 2018.
15 L. Clemente and S. Lasota. Timed pushdown automata revisited. In LICS Proceedings, pages 738–749, 2015.
16 L. Clemente and S. Lasota. Binary reachability of timed pushdown automata via quantifier elimination and cyclic order atoms. In ICALP Proceedings, pages 118:1–118:14, 2018.
17 L. Clemente, S. Lasota, R. Lazic, and F. Mazowiecki. Timed pushdown automata and branching vector addition systems. In LICS Proceedings, pages 1–12, 2017.
18 T. H. Cormen, C. Stein, R. L. Rivest, and C. E. Leiserson. Introduction to Algorithms. McGraw-Hill Higher Education, 2nd edition, 2001.
19 B. Courcelle. Regularity equals monadic second-order definability for quasi-trees. In Fields of Logic and Computation II - Essays Dedicated to Yuri Gurevich on the Occasion of His 75th Birthday, volume 9300 of Lecture Notes in Computer Science, pages 129–141. Springer, 2015.
20 B. Courcelle and J. Engelfriet. Graph Structure and Monadic Second-Order Logic - A Language-Theoretic Approach, volume 138 of Encyclopedia of Mathematics and its Applications. CUP, 2012.
21 A. Cyriac, P. Gastin, and K. Narayan Kumar. MSO decidability of multi-pushdown systems via split-width. In CONCUR Proceedings, pages 547–561, 2012.
22 M. J. Fischer and R. E. Ladner. Propositional dynamic logic of regular programs. Journal of Computer and System Sciences, 18(2):194–211, 1979.
23 G. Geeraerts, J.-F. Raskin, and N. Sznajder. On regions and zones for event-clock automata. Formal Methods in System Design, 45(3):330–380, 2014.
24 S. Göller, M. Lohrey, and C. Lutz. PDL with intersection and converse: satisfiability and infinite-state model checking. Journal of Symbolic Logic, 74(1):279–314, 2009.
25 S. Krishna, L. Manasa, and A. Trivedi. What’s decidable about recursive hybrid automata? In HSCC Proceedings, pages 31–40, 2015.
26 F. Laroussinie and N. Markey. Quantified CTL: expressiveness and complexity. Logical Methods in Computer Science, 10(4), 2014.
27 P. Madhusudan and G. Parlato. The tree width of auxiliary storage. In POPL Proceedings, pages 283–294, 2011.
28 N. Robertson and P. D. Seymour. Graph minors. III. Planar tree-width. Journal of Combinatorial Theory, Series B, 36(1):49–64, 1984.
A Details in proof of Theorem 24
In this appendix, we present Lemma 27, which completes the proof of Theorem 24. Though
this is similar in spirit to Theorem 19, for the sake of completeness and to obtain the precise
complexity, we detail the construction below.
▶ Lemma 27. Let T be a timed system with data structures whose regular language of
sequences of timed instructions is defined by the automaton A = (Q, ι, F, ∆). Let Σ = ΣDSClocks ∪
Q, with Q = {q1, . . . , qn}. We can construct a formula ξ = ∃q1 . . . qn ξ′, with ξ′ ∈ LCPDL(Σ,ΓDS),
such that, for all (∅,ΓDS) linear graphs G, G |= ξ iff G = π(Gτ) for some sequence τ ∈ L(T).
Formula ξ is polynomial in the size of T.
Proof. Let A = (Q, ι, F, ∆) with Q the set of states, ι the initial state, F the set of final
states, and ∆ ⊆ Q × 2^{ΣDSClocks} × Q the transition relation. We denote a transition δ ∈ ∆ by
δ = (src(δ), lab(δ), tgt(δ)), where src, tgt are the source and target states and lab(δ) is the set of
timed instructions labeling the transition. For simplicity, we assume that the set of data structure
values (e.g., messages, stack symbols, etc.) is a singleton. Later we indicate how this can
also be extended to a finite alphabet of data structure values.
Now, we write a formula ξ to capture the accepted sequences of sets of instructions in
EQ-LCPDL. We start by guessing the states and instructions visited along an accepting run,
i.e., we write
ξ = ∃q1 . . . qnξ′
where ξ′ is built as a conjunction of the following subformulae which check the conditions of
being an accepting run. Let us describe each subformula along with the property that it is
expected to capture.
States. Every position in the run is labeled by a unique state.
\[
\Psi_{\mathsf{state}} = \mathsf{A} \bigvee_{q \in Q} \Big( q \wedge \bigwedge_{q' \in Q \setminus \{q\}} \neg q' \Big)
\]
Transitions. Every forward edge must have a corresponding transition either from the
previous source state to a next target state, or from an initial state to the target state.
Further, all node labels (instructions) are those mentioned in the transitions associated
with the nodes.
\[
\begin{aligned}
\Psi_{\mathsf{trans}} ={}& \mathsf{A} \Big( \langle {\to}^{-1} \rangle \implies \bigvee_{\delta \in \Delta} \big( \mathsf{tgt}(\delta) \wedge \langle {\to}^{-1} \rangle \mathsf{src}(\delta) \wedge \bigwedge_{r \in \mathsf{lab}(\delta)} r \wedge \bigwedge_{r \in \Sigma^{\mathsf{DS}}_{\mathsf{Clocks}} \setminus \mathsf{lab}(\delta)} \neg r \big) \Big) \\
&\wedge\ \mathsf{A} \Big( \neg \langle {\to}^{-1} \rangle \implies \bigvee_{\delta \in \Delta \mid \mathsf{src}(\delta) = \iota} \big( \mathsf{tgt}(\delta) \wedge \bigwedge_{r \in \mathsf{lab}(\delta)} r \wedge \bigwedge_{r \in \Sigma^{\mathsf{DS}}_{\mathsf{Clocks}} \setminus \mathsf{lab}(\delta)} \neg r \big) \Big) \\
&\wedge\ \mathsf{A} \Big( \neg \langle {\to} \rangle \implies \bigvee_{q \in F} q \Big)
\end{aligned}
\]
Data structures. All data structure policies must be followed accurately. Let Stacks be
the set of LIFO-stacks and Queues be the set of FIFO-queues in DS. Then we need
to check the following properties: (i) every stack is LIFO; (ii) every queue is FIFO;
(iii) data structure edges must go forward with respect to the linear order; (iv) at any
transition labeled “write” (i.e., every node labeled w(d)), there is a unique outgoing data
structure edge, and at every read transition (i.e., every node labeled r(d)), there is a
unique incoming data structure edge. We now write the formula to capture all of these
as a conjunction of formulae, each capturing one of the above properties.
\[
\begin{aligned}
\Psi_{\mathsf{DS}} ={}& \bigwedge_{d \in \mathsf{Stacks}} \mathsf{A} \Big( w(d) \Rightarrow \mathsf{loop}\big( {\to} \cdot ( \xrightarrow{d} \cdot {\to} \;+\; \mathsf{test}\{\neg(w(d) \vee r(d))\} \cdot {\to} )^{*} \cdot (\xrightarrow{d})^{-1} \big) \Big) \\
&\wedge \bigwedge_{d \in \mathsf{Queues}} \neg \mathsf{E}\, \mathsf{loop}\big( {\to}^{+} \cdot \xrightarrow{d} \cdot {\to}^{+} \cdot (\xrightarrow{d})^{-1} \big) \\
&\wedge \bigwedge_{d \in \mathsf{DS}} \neg \mathsf{E}\, \mathsf{loop}\big( ({\to}^{+} \cdot \xrightarrow{d}) + ({\to}^{+} \cdot (\xrightarrow{d})^{-1} \cdot \xrightarrow{d}) + ({\to}^{+} \cdot \xrightarrow{d} \cdot (\xrightarrow{d})^{-1}) \big) \\
&\wedge \bigwedge_{d \in \mathsf{DS}} \mathsf{A}\big( w(d) \Leftrightarrow \langle \xrightarrow{d} \rangle \big) \wedge \mathsf{A}\big( r(d) \Leftrightarrow \langle (\xrightarrow{d})^{-1} \rangle \big).
\end{aligned}
\]
For simplicity, we also make some assumptions about the data structure access – in
particular, at any node (event), only one data structure access operation is performed.
Hence we cannot have a push and pop at the same time, etc. These can easily be captured
as a conjunction of the below formula with ΨDS.
\[
\Psi'_{\mathsf{DS}} = \bigwedge_{d \in \mathsf{DS}} \Big( \neg \mathsf{E}\, (w(d) \wedge r(d)) \wedge \bigwedge_{d' \in \mathsf{DS} \setminus \{d\}} \neg \mathsf{E}\, \big( (w(d) \vee r(d)) \wedge (w(d') \vee r(d')) \big) \Big).
\]
Define ξ′ = Ψstate ∧ Ψtrans ∧ ΨDS ∧ Ψ′DS. The correctness of the above formula, in encoding
an accepting run, can be argued as follows: for any (∅, ΓDS)-labeled linear graph G with n
nodes, G |= ξ iff there exists a sequence of transitions δ1, . . . , δn such that src(δ1) = ι is the
initial state, tgt(δn) is a final state, tgt(δj) = src(δj+1) for all 1 ≤ j < n, all data structure
policies are followed, and the labels along this accepting run define a sequence τ ∈ L(T)
such that G = π(Gτ). We observe at this point that in the above formula we did not check
whether the graph produced by the system was a linear graph. Indeed, this is not possible in
EQ-ICPDL. However, our statement is only about linear graphs; in other words, we assume
that all graphs generated by our system are linear (which is of course true for any sequential
system), and thus our proof is complete.
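As an added example (not the paper's code), the following Python checker tests a linear graph, given by its data-structure edges, against the policies that ΨDS and Ψ′DS express: LIFO for stacks, FIFO for queues, forward edges, and at most one access per node with a unique matching edge; the input representation and the violation messages are assumptions of the example.

```python
"""Checker for the data-structure policies encoded by Ψ_DS and Ψ'_DS.
Added example, not the paper's code.  A linear graph with nodes 1..n is given
by its data-structure edges (src, tgt, d); the labels w(d)/r(d) are taken to be
the sources/targets of those edges, so the last conjunct of Ψ_DS holds by
construction."""
from collections import defaultdict


def ds_violations(n, edges, policy):
    """Return the violated properties as messages; [] means admissible.
    policy maps each data structure d to 'stack' (LIFO) or 'queue' (FIFO)."""
    bad = []
    by_ds = defaultdict(list)
    for src, tgt, d in edges:
        if d not in policy:
            bad.append(f"unknown data structure {d}")
            continue
        if not (1 <= src < tgt <= n):          # (iii) edges go forward
            bad.append(f"edge {src}->{tgt} on {d} is not forward")
        by_ds[d].append((src, tgt))
    # (iv) one outgoing edge per write and one incoming edge per read, and
    # (Ψ'_DS) no node performs two accesses, even on different structures
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for src, tgt, _ in edges:
        out_deg[src] += 1
        in_deg[tgt] += 1
    for v in range(1, n + 1):
        if out_deg[v] > 1 or in_deg[v] > 1 or (out_deg[v] and in_deg[v]):
            bad.append(f"node {v} performs more than one access")
    # (i)/(ii) for matched pairs (u, u') and (v, v') with u < v: a stack
    # forbids crossing (u < v < u' < v'), which is what the loop formula for
    # Stacks demands; a queue forbids nesting (u < v < v' < u'), which is the
    # loop ->+ . d-> . ->+ . d->^-1 that Ψ_DS excludes for Queues.
    for d, pairs in by_ds.items():
        pairs.sort()
        for i, (u, u1) in enumerate(pairs):
            for v, v1 in pairs[i + 1:]:
                if policy[d] == 'stack' and v < u1 < v1:
                    bad.append(f"{d}: {u}->{u1} and {v}->{v1} cross (not LIFO)")
                if policy[d] == 'queue' and v1 < u1:
                    bad.append(f"{d}: {v}->{v1} nested in {u}->{u1} (not FIFO)")
    return bad
```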
To handle data structures over an arbitrary message alphabet, we simply enhance our
propositions with the alphabet of messages Msg. Then we can write formulae to check that
each read or write is associated with a single message and the message at a read event is the
message that was written at the matching write event.
\[
\Psi_{\mathsf{msg}} = \bigwedge_{d \in \mathsf{DS}} \mathsf{A} \Big( w(d) \implies \bigvee_{m \in \mathsf{Msg}} \big( m \wedge \langle \xrightarrow{d} \rangle m \big) \Big)
\wedge \bigwedge_{m \in \mathsf{Msg}} \mathsf{A} \Big( m \implies \bigwedge_{m' \in \mathsf{Msg} \setminus \{m\}} \neg m' \wedge \bigvee_{d \in \mathsf{DS}} (w(d) \vee r(d)) \Big)
\]
This concludes the proof. ◀
