Augmenting the discrete timed automaton with other data structures  by Ibarra, Oscar H. & Su, Jianwen
Theoretical Computer Science 289 (2002) 191–204
www.elsevier.com/locate/tcs
Augmenting the discrete timed automaton with
other data structures
Oscar H. Ibarra ∗, Jianwen Su
Department of Computer Science, University of California, Santa Barbara, CA 93106, USA
Received July 2000; accepted May 2001
Communicated by A. Salomaa
Abstract
We describe a general automata-theoretic approach for analyzing the verification problems of
discrete timed automata (i.e., timed automata with integer-valued clocks) augmented with various
data structures. Formally, let C be a class of nondeterministic machines with reversal-bounded
counters and possibly other data structures (e.g., a pushdown stack, a queue, a read-write
worktape, etc.). Let A be a discrete timed automaton and M be a machine in C. Denote by A⊕M
the combined automaton, i.e., A augmented with M (in some precise sense to be defined). We
show that if C has a decidable emptiness problem, then the (binary, forward, backward)
reachability, safety, and invariance for A⊕M are solvable. We give examples of such C's and
exhibit some new properties of discrete timed automata that can be verified. We also briefly
consider reachability in discrete timed automata operating in parallel. © 2002 Elsevier
Science B.V. All rights reserved.
1. Introduction
Ever since the introduction of the model of a timed automaton [1], there have been
many studies that extend the expressive power of the model (e.g. [2, 4, 5, 7, 10]). For
instance, [2] considers models of hybrid systems of finite automata supplied with
(unbounded) discrete data structures and continuous variables and obtains decidability
results for several classes of systems with control variables and observation variables.
Comon and Jurski [5, 4] show that the binary reachability of timed automata is
expressible in the additive theory of the reals. Dang et al. [7] characterize the binary
reachability of discrete timed automata (i.e., timed automata with integer-valued clocks)
augmented with a pushdown stack, while Ibarra et al. [10] look at queue-connected
discrete timed automata.
Supported in part by NSF grants IRI-9700370 and IIS-9817432.
∗ Tel.: +1-805-893-4171; fax: +1-805-893-8553.
E-mail addresses: ibarra@cs.ucsb.edu (O.H. Ibarra), su@cs.ucsb.edu (J. Su).
0304-3975/02/$ - see front matter © 2002 Elsevier Science B.V. All rights reserved.
PII: S0304-3975(01)00269-9
In this paper, we extend the ideas in [7, 10] and describe a general automata-theoretic
approach for analyzing the verification problems of discrete timed automata augmented
with various data structures. Formally, let C be a class of nondeterministic machines
with reversal-bounded counters (i.e., each counter can be incremented or decremented
by 1 and tested for zero, but the number of alternations between nondecreasing mode
and nonincreasing mode is bounded by a constant, independent of the computation) and
possibly other data structures, e.g., a pushdown stack, a queue, a read-write worktape,
etc. Let A be a discrete timed automaton and M be a machine in C. Denote by
A⊕M the combined automaton, i.e., A augmented with M (in some precise sense to
be defined). We show that if C has a decidable emptiness problem, then the (binary,
forward, backward) reachability, safety, and invariance for A⊕M are also solvable.
We give examples of such C's and exhibit some new properties of discrete timed
automata that can be verified:
1. For example, let A be a discrete timed automaton with k clocks. For a given
computation of A, let ri be the number of times clock i resets, i = 1, …, k. Suppose we
are interested in computations of A in which the ri's satisfy a Presburger formula
f, i.e., we are interested in the set Q of pairs of configurations (α, β) such that α
can reach β in a computation in which the clock resets satisfy f. (A configuration
of A is a pair (q, U), where q is a state and U is the set of clock values.) We
can show that Q is Presburger. One can also put other constraints, like introducing
a parameter ti for each clock i, and consider computations where the first time i
resets to zero is before (or after) time ti. Then Q(t1, …, tk) is Presburger.
2. As another example, suppose we are interested in the set S of pairs of configurations
(α, β) of a discrete timed automaton A such that there is a computation path (i.e.,
sequence of states) from α to β that satisfies a property that can be verified by a
machine in a class C. If C has a decidable emptiness problem, then S is effectively
computable. For example, suppose that the property is for the path to contain three
nonoverlapping subpaths (i.e., segments of computation) which go through the same
sequence of states, and the length of the subpath is no less than 1/5 of the length of
the entire path. We can show that S is computable.
The constraints in 1 and 2 can be combined; thus, we can show that the set of pairs
of configurations that are in both Q and S is computable.
3. We can equip the discrete timed automaton with one-way write-only tapes which
the automaton can use to record certain information about the computation of the
system (and perhaps even require that the strings appearing in these tapes satisfy
some properties). Such systems can effectively be analyzed.
Finally, we briefly look at reachability in machines (i.e., A1⊕M1 and A2⊕M2)
operating in parallel.
2. Combining discrete timed automata with other machines
A timed automaton [1] is a finite-state machine augmented with finitely many real-valued
clocks. All the clocks progress synchronously with rate 1, except that a clock
can be reset to 0 at some transition. Here, we only consider integer-valued clocks. A
clock constraint is a Boolean combination of atomic clock constraints in the following
form: x # c, x − y # c, where # denotes ≤, ≥, <, >, or =, c is an integer, and x, y are
integer-valued clocks. Let LX be the set of all clock constraints on clocks X. Let Z be
the set of integers and N the set of nonnegative integers. Formally, a discrete timed
automaton A is a tuple 〈S, X, E〉 where
1. S is a finite set of (control) states,
2. X is a finite set of clocks with values in N, and
3. E ⊆ S × 2^X × LX × S is a finite set of edges or transitions.
Each edge 〈s, λ, l, s′〉 in E denotes a transition from state s to state s′ with enabling
condition l ∈ LX and a set of clock resets λ ⊆ X. Note that λ may be empty. The
meaning of a one-step transition along an edge 〈s, λ, l, s′〉 is as follows:
• The state changes from s to s′.
• Each clock changes. If there are no clock resets on the edge, i.e., λ = ∅, then each
clock x ∈ X progresses by one time unit. If λ ≠ ∅, then each clock x ∈ λ is reset to
0 while each x ∉ λ remains unchanged.
• The enabling condition l is satisfied.
The notion of a discrete timed automaton defined above is slightly different, but
easily shown equivalent to the standard definition of a (discrete) timed automaton in
[1] (see [7]).
Now consider a class C of acceptors, where each machine M in the class is a
nondeterministic finite automaton augmented with finitely many counters, and possibly
other data structures. Thus, M = 〈Q, Σ, q0, F, K, D, δ〉, where Q is the state set, Σ is the
input alphabet, q0 is the start state, F is the set of accepting states, K is the set of
counters, D the other data structures, and δ is the transition function. In the move
δ(q, a, s1, …, sk, loc) = {t1, …, tm},
• q is the state, a is # or a symbol in Σ, si is the status of counter i (i.e., zero or
non-zero), and loc is the "local" portion of the data structure(s) D that influences
(affects) the move. For example, if D is a pushdown stack, then loc is the top of the
stack; if D is a two-way read-write tape, then loc is the symbol under the read-write
head; if D is a queue, then loc is the symbol in the front of the queue or # if the
queue is empty. Note that D can be a combination of several data structures (e.g.,
several stacks and queues).
• t1, …, tm are the choices of moves (note that M is nondeterministic). Each ti is of
the form (p, d1, …, dk, act), which means increment counter i by di (1, 0, or −1),
perform act on loc, and enter state p. For example, if D is a pushdown stack, act
pops the top symbol and pushes a string (possibly empty) onto the stack; if D is
a two-way read-write tape, act rewrites the symbol under the read-write head and
moves the head one cell to the left, right, or remains on the current cell; if D is a
queue, then act deletes loc (if not #) from the front of the queue, and possibly adds
a symbol to the rear of the queue.
Note that the counters can only hold nonnegative integers. There is no loss of generality
since the states can remember the signs.
The language accepted by M is denoted by L(M). We will only be interested in
C's with a decidable emptiness problem. This is the problem of deciding for a given
acceptor M in C, whether L(M) is empty. Since the emptiness problem for finite automata
augmented with two counters is undecidable [11], we will need to put some restrictions
on the operation of the counters.
Let r be a nonnegative integer. We say that a counter is r-reversal if the counter
changes mode from nondecreasing to nonincreasing and vice-versa at most r times,
independent of the computation. So, for example, a counter whose values change
according to the pattern
0 1 1 2 3 3 3 4 5 5 5 4 3 2 1 1 0 0 1 1 2 3 3
is 2-reversal. When we say that the counters are reversal-bounded, we mean that we
are given an integer r such that each counter is r-reversal. From now on, we will
assume that the acceptors in C have reversal-bounded counters.
We can extend the acceptors in C to multitape acceptors by providing them with
multiple one-way read-only input tapes. Thus, a k-tape acceptor now accepts a
k-tuple of words (strings). We call the resulting class of acceptors C(k). The emptiness
problem for C(k) is deciding for a given k-tape acceptor M, whether it accepts an
empty set of k-tuples of strings. We denote C(1) simply by C. One can easily show
the following:
Theorem 1. If the emptiness problem for C is decidable, then the emptiness problem
for C(k) is decidable.
Proof. We give a proof for the case k = 2. Let M be a 2-tape acceptor in C(2). We
may assume without loss of generality that the two tapes of M use disjoint input
alphabets. We construct an acceptor M′ in C such that L(M′) is empty if and only if
L(M) is empty. The idea of the construction is as follows: If (x1, x2) is an input to
M, then the input to M′ is a string x which is some interlacing of the symbols in x1
and x2 (i.e., x is a shuffle of x1 and x2). Thus x with the symbols in x1 (x2) deleted
reduces to x2 (x1). Clearly M′ can simulate the actions of the two input heads of M
on input x.
In the rest of the paper, we will assume that C has a decidable emptiness problem. In
the area of verification, we are mostly interested in the "behavior" of machines rather
than their language-accepting capabilities. When dealing with machines in C without
inputs, we shall refer to them simply as machines. Thus, when we say "a machine M
in C", we mean that M has no input tape.
Let A be a discrete timed automaton and M a machine in class C (hence, M has no
input tape!). Let A⊕M be the machine obtained by augmenting A with M. So, e.g.,
if M is a machine with a pushdown stack and reversal-bounded counters, then A⊕M
will be a discrete pushdown timed automaton with reversal-bounded counters. We will
describe more precisely how A⊕M operates later. A configuration α of A⊕M is a
5-tuple (s, U, q, V, v(D)), where s and U are the state and clock values of A, and q,
V, v(D) are the state, counter values, and data structure values of M (e.g., if D is a
pushdown stack, then v(D) is the content of the stack; if D is a queue, then v(D) is
the content of the queue). Let Reach(A⊕M) be the set of all pairs of configurations
(α, β) such that α can reach β. This set is the binary reachability of A⊕M. We
assume that the configurations are represented as strings over some alphabet, where
the components of a configuration are separated by markers, and the clock and counter
values are represented in unary. We also assume that each of the following tasks can be
implemented on a machine M′ in C:
1. M′, when given a configuration α = (s, U, q, V, v(D)) of A⊕M on its input tape, can
represent this configuration in its counters and data structures, i.e., M′ can read α
and record the states s and q, store the set of values of U and V in appropriate
counters, and store v(D) in its data structures.
2. M′, when given a configuration α on its input tape, can check if α represents its
current configuration (this task is the converse of 1).
In the following, A is a discrete timed automaton and M is a machine in C; FCA refers
to a nondeterministic finite automaton (acceptor) augmented with reversal-bounded
counters.
Theorem 2. We can effectively construct a 2-tape acceptor in C(2) accepting
Reach(A⊕M).
Note that the input to the 2-tape acceptor is a pair of configurations (α, β), where
α (β) is on the first (second) tape. We illustrate the proof in the next section for a
particular class C.
Theorem 3. If I (the initial set) and P (the unsafe set) are two sets of configurations
of A⊕M, let BAD be the set of all configurations in I that can reach configurations
in P. If I and P can be accepted by FCAs, then we can effectively construct an
acceptor in C accepting BAD. Hence, nonsafety is decidable with respect to P.
Proof. Let MI and MP be FCAs accepting I and P, respectively. From Theorem 2, we
can construct a 2-tape acceptor B in C(2) accepting Reach(A⊕M). By using additional
counters, we can modify B to a 2-tape acceptor B′ which also checks that α (β) on
tape 1 (tape 2) is accepted by MI (MP). Now construct from B′ an acceptor B′′ which
deletes the second tape. Clearly, L(B′′) = BAD. Then A⊕M is unsafe if and only if
L(B′′) is nonempty, which is decidable by Theorem 1.
Since the complement of a language accepted by a deterministic FCA can also be
accepted by an FCA [8], we also have:
Theorem 4. If I and P (the safe set) are two sets of configurations of A⊕M, let
GOOD be the set of all configurations in I that can only reach configurations in P.
If I can be accepted by an FCA and P can be accepted by a deterministic FCA, then
we can decide whether GOOD = I. Hence, invariance is decidable with respect to P.
We can show that forward reachability is computable.
Theorem 5. Let I be a set of configurations accepted by an FCA. We can effectively
construct an acceptor in C accepting post∗(A⊕M, I) = the set of all configurations
reachable from configurations in I.
Proof. Let MI be an FCA accepting I. As in Theorem 3, we can construct a 2-tape
acceptor B′ in C(2) accepting the set of all pairs of configurations (α, β) in Reach(A⊕M)
such that α is accepted by MI. We can then construct from B′ an acceptor B′′ in C
which deletes the first tape, and L(B′′) = post∗(A⊕M, I).
Similarly, for backward reachability we have:
Theorem 6. Let I be a set of configurations accepted by an FCA. We can effectively
construct an acceptor in C accepting pre∗(A⊕M, I) = the set of all configurations
that can reach configurations in I.
We can equip A⊕M with a one-way input tape. In order to do this, we can simply
change the format of the transition edge of A to a 5-tuple 〈s, λ, l, s′, a〉 in E, where a
denotes an input symbol or # (the null string). The meaning of this edge is like before,
but now A can read a symbol or a null string at each transition. We also define a subset
of the states of A as accepting states. Then A⊕M becomes an acceptor. Note that A
and M will now start on some prescribed initial configurations (e.g., A is initialized to
its start state with all clocks zero, M is initialized to its start state with all counters
zero and the other data structures properly initialized). We will prove the following in
the next section.
Theorem 7. It is decidable to determine, given an acceptor A⊕M, whether A⊕M
accepts the empty set.
One can extend the A⊕M acceptor to have multiple input tapes. Then, similar to
Theorem 1, we have:
Corollary 1. It is decidable to determine, given a multitape acceptor A⊕M, whether
A⊕M accepts the empty set.
We can also equip the multitape A⊕M acceptor with one-way output tapes. But,
clearly, these output tapes can also be viewed as input tapes (since writing can be
simulated by reading). Hence, the analysis of a multi-input-tape multi-output-tape A⊕M
reduces to the analysis of multi-input-tape A⊕M.
3. Examples of C
We illustrate the proof of Theorem 2 for the class C, where each machine is a
nondeterministic machine with a pushdown stack and finitely many reversal-bounded
counters. Call a machine in this class a PCM, and a PCA when it has an input tape (i.e.,
it is an acceptor). It is known that the emptiness problem for PCAs is decidable [8].
Let A be a discrete timed automaton and M be a PCM. We describe precisely how
A⊕M operates.
A configuration of the timed automaton A is of the form (s, U), where s is the
state and U is the set of clock values. Now machine M has states, a pushdown stack,
and reversal-bounded counters. A move of M is defined by a transition function δ.
If δ(q, Z, s1, …, sk) = {t1, …, tm}, then
• q is the state, Z is the topmost symbol, and si is the status of counter i (i.e., zero
or non-zero).
• t1, …, tm are the choices of moves (note that M is nondeterministic). Each ti is of
the form (p, w, d1, …, dk), which means pop Z and push string w (which is possibly
empty) onto the stack, increment counter i by di (1, 0, or −1), and enter state p.
A configuration of M can be represented by a tuple of the form (q, V, w), where q is
a state, V is the set of values of the counters, and w is the content of the stack with
the rightmost symbol at the top of the stack.
A transition of the combined machine A⊕M is now a tuple 〈s, λ, l, s′, ENTER(M, R)〉,
where 〈s, λ, l, s′〉 is as in a timed automaton. The combined transition is now carried
out in two stages. Like before, A (the timed automaton component of the combined
machine) makes the transition based on 〈s, λ, l, s′〉. It then transfers control to machine
M by executing the command ENTER(M, R), where R is a one-step transition rule:
R(s, λ, l, s′, q, Z, s1, …, sk) = {t1, …, tm}. Note that the outcome of this transition (i.e.,
the right side of the rule) not only depends on 〈s, λ, l, s′〉, but also on the current state,
status of the counters, and the topmost symbol of the stack. This R is then followed
by a sequence of transitions by M (using the transition function δ). Thus the use of
ENTER(M, R) allows the combined machine to update the configuration of M through
a sequence of M's transitions. After some amount of computation, M returns control
to A by entering a special state or command RETURN. When this happens, A will
now be in state s′. Thus the computation of A⊕M is like in a timed automaton, except
that between each transition of A, the system calls M to do some computation.
A configuration of the system is a tuple of the form α = (s, U, q, V, w). Thus, a
configuration is the result of an execution of a (possibly empty) sequence of (ENTER,
RETURN) commands. Note that a configuration can be represented as a string where
the clock values U and counter values V are represented in unary and the components
of the tuple are separated by markers.
As defined earlier, the binary reachability is Reach(A⊕M) = the set of all pairs of
configurations (α, β), where α can reach β. We will show that Reach(A⊕M) can be
accepted by a 2-tape PCA. Note that the input to the acceptor is a pair of strings (α, β),
where α (β) is on the first (second) tape.
First we note that we can view the clocks in a discrete timed automaton A as counters,
which we shall also refer to as clock-counters. In a reversal-bounded multicounter
machine, only standard tests (comparing a counter against 0) and standard assignments
(increment or decrement a counter by 1, or simply no change) are allowed. But clock-counters
in A have neither standard tests nor standard assignments. The reasons are
as follows. A clock constraint allows comparison between two clocks like x2 − x1 > 7.
Note that using only standard tests we cannot directly compare the difference of two
clock-counter values against an integer like 7 by computing x2 − x1 in another counter,
since each time this computation is done, it will cause at least a counter reversal, and
the number of such tests during a computation can be unbounded. The clock progress
x := x + 1 is standard, but the clock reset x := 0 is not. Since there is no bound on the
number of clock resets, clock-counters may not be reversal-bounded (each reset causes
a counter reversal).
We first prove an intermediate result. Define a semi-PCA as a PCA which, in addition
to a stack and reversal-bounded counters, has clock-counters that use nonstandard tests
and assignments as described in the preceding paragraph.
Lemma 1. We can effectively construct, given a discrete timed automaton A and a
PCM M, a 2-tape semi-PCA B accepting Reach(A⊕M).
Proof. We describe the construction of the 2-tape semi-PCA B. Given a pair of
configurations (α, β) on its two input tapes, B first copies α into its counters and stack
(these include the clock-counters). Then B simulates the ("alternating" mode of)
computation of A⊕M starting from configuration α as described above. It is clear that
B can do this. After some time, B guesses that it has reached the configuration β. It
then checks that the values of the counters and stack match those on the second input
tape. B accepts if the check succeeds. However, there is a slight complication because
the pushdown stack content is in "reverse". If the stack content on the second tape
is written in reverse, there is no problem. One can get around this difficulty if the
comparison of the stack content with the second tape is done during the simulation
instead of waiting until the end of the simulation. This involves guessing, for each
position of the stack, the last time M rewrites this position, i.e., that the symbol would
not be rewritten further in reaching configuration β. So, e.g., if on stack position p,
the symbol changes are Z1, …, Zk for the entire computation, then Zk is the last symbol
written on the position, and B checks after Zk is written that the pth position of the
stack word in β is Zk. M marks Zk in the stack and makes sure that this symbol is
never popped or rewritten in the rest of the computation.
The next lemma uses a technique from [7] (see also [9]).
Lemma 2. We can effectively construct from the 2-tape semi-PCA B, a 2-tape PCA
C equivalent to B.
Proof. The 2-tape PCA C operates like B, but the simulation of A⊕M differs in
the way A is simulated. Let A have clock-counters x1, …, xk. Let m be one plus the
maximal absolute value of all the integer constants that appear in the tests (i.e., the
clock constraints on the edges of A in the form of Boolean combinations of xi # c,
xi − xj # c with c an integer). Denote the finite set {−m, …, 0, …, m} by [m]. Define
two finite tables with entries aij and bi for 1 ≤ i, j ≤ k. Each entry can be regarded as
a finite state variable with states in [m]. Intuitively, aij is used to record the difference
between the two clock values xi and xj, and bi is used to record the clock value of xi.
During the computation of A, when the difference xi − xj (or the value xi) goes above
m or below −m, aij (or bi) stays the same as m or −m. The procedure for updating the
entries is given below, where "⊕ 1" means adding one if the result does not exceed m,
else it keeps the same value. "⊖ 1" means subtracting one if the result is not less than
−m, else it keeps the same value. We modify A as follows. Consider a transition edge
in A. If on the edge the set of clock resets λ = ∅, the entries are updated by adding
the following instructions for each 1 ≤ i ≤ k:
• aij := aij for each 1 ≤ j ≤ k. Recall that all the clocks progress after this edge; thus,
the difference is unchanged.
• bi := bi ⊕ 1. That is, clocks progress by one time unit.
If the set of clock resets is λ ≠ ∅, the entries are updated by adding the following
instructions for each 1 ≤ i, j ≤ k:
• aij := 0 if i ∈ λ and j ∈ λ. In this case, both clocks xi and xj reset to 0.
• aij := −bj if i ∈ λ and j ∉ λ. In this case, xi resets but xj does not. So the difference
should be −xj.
• aij := bi if i ∉ λ and j ∈ λ.
• aij := aij if i ∉ λ and j ∉ λ.
We then add the following instructions:
• bi := bi if xi ∉ λ.
• bi := 0 if xi ∈ λ.
The initial values of aij and bi can be constructed directly from the values α(xi) of clocks
xi in configuration α, for each 1 ≤ i, j ≤ k:
• aij := α(xi) − α(xj) if −m ≤ α(xi) − α(xj) ≤ m,
• aij := m if α(xi) − α(xj) > m,
• aij := −m if α(xi) − α(xj) < −m,
and, noticing that clocks are nonnegative,
• bi := α(xi) if α(xi) ≤ m,
• bi := m if α(xi) > m.
C simulates A exactly except that it uses aij # c for the test xi − xj # c and bi # c for
the test xi # c, with −m < c < m. One can prove (by induction) that doing this is valid:
each time after C updates the entries by executing a transition, xi − xj # c iff aij # c,
and xi # c iff bi # c, for all 1 ≤ i, j ≤ k and for each integer c ∈ [m − 1].
Thus clock-counter comparisons are replaced by finite table look-up and, therefore,
nonstandard tests are not present in C. Finally, we show how nonstandard assignments
of the form xi := 0 (clock resets) in machine C can be avoided.
Clearly after eliminating the clock comparisons, the clock-counters in C do not
participate in any tests except:
• at the beginning of the simulation when the initial values of the xi's are used to
compute the initial values of the aij's and the bi's as described above;
• at the end of the simulation when the final values of the xi's are compared with the
second input tape to check whether they match those in β.
Thus, for each xi, during the simulation of A but before the last reset of xi, the actual
value of xi is irrelevant. We describe how to construct a 2-tape PCA D from
C such that in the simulation of A, no nonstandard assignment is used. For each
clock xi in A, there are two cases. The first case is when xi will not be reset during
the entire simulation of C. The second case is when xi will be reset. D guesses
the case for each xi. For the first case, xi is already reversal-bounded, since the
nonstandard assignment xi := 0 is not used. For the second case, D first decrements xi
to 0. Then D simulates C. Whenever a clock progress xi := xi + 1 or a clock reset
xi := 0 is being executed by A, D keeps xi at 0. But, at some point when a clock
reset xi := 0 is being executed by A, D guesses that this is the last clock reset for xi.
After this point, D faithfully simulates a clock progress xi := xi + 1 executed by A,
and a later execution of a clock reset xi := 0 in A will cause D to abort abnormally
(since the guess of the last reset of xi was wrong). Thus D uses only standard
assignments xi := xi + 1, xi := xi, and xi := xi − 1 initially to bring xi to 0 (for the second
case).
From the above lemmas, we have:
Theorem 8. We can effectively construct, given a discrete timed automaton A and a
PCM M, a 2-tape PCA accepting Reach(A⊕M).
One can generalize Theorem 8. Extend a PCA acceptor by allowing the machine to
have multiple pushdown stacks. Thus the machine will have multiple reversal-bounded
counters and multiple stacks (ordered by name, say S1, …, Sm). The operation of the
machine is restricted in that it can only read the topmost symbol of the first nonempty
stack. Thus a move of the machine would depend only on the current state, the input
symbol (or #), the status of each counter (zero or nonzero), and the topmost symbol
of the first stack, say Si, that is not empty (initially, all stacks are set to some starting
top symbol). The action taken in the move consists of the input being consumed, each
counter being updated (+1, −1, 0), the topmost symbol of Si being popped and a string
(possibly empty) being pushed onto each stack, and the next state being entered. This
acceptor, call it MPCA, was studied in [6] as a generalization of a PCA [8] and a
generalization of a multipushdown acceptor [3]. Thus an MPCA with only one stack
reduces to a PCA.
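The table update of Lemma 2, as an added example that is not the paper's code: the saturating tables aij and bi are initialised from a start configuration, updated on progress and reset edges exactly as in the proof, and checked after every transition against the real clock values for all operators and all constants c ∈ [m − 1]. It assumes m = 8 (largest constant 7, as in the constraint x2 − x1 > 7 discussed above); the clock values and edge sequence are constructed for illustration.

```python
"""Lemma 2 clock abstraction (added example, not the paper's code): clock comparisons
x_i - x_j # c and x_i # c are replaced by look-ups in finite tables a_ij and b_i whose
entries are saturated into [m] = {-m, ..., m}.  Clock values and edges are constructed."""
from itertools import product

OPS = {"<": lambda u, v: u < v, "<=": lambda u, v: u <= v, "=": lambda u, v: u == v,
       ">=": lambda u, v: u >= v, ">": lambda u, v: u > v}


def bound_m(constants):
    """m is one plus the largest absolute constant in A's clock constraints."""
    return 1 + max(abs(c) for c in constants)


def clamp(v, m):
    """Saturate v into [m]; the paper's "⊕ 1" and "⊖ 1" are clamp(v + 1) and clamp(v - 1)."""
    return max(-m, min(m, v))


def init_tables(x, m):
    """Entries for the start configuration: a_ij from x_i - x_j and b_i from x_i (clocks >= 0)."""
    k = len(x)
    a = [[clamp(x[i] - x[j], m) for j in range(k)] for i in range(k)]
    return a, [clamp(v, m) for v in x]


def step(x, a, b, resets, m):
    """Execute one edge of A; resets is the reset set λ (clock indices). λ = ∅ means every
    clock progresses by one time unit. Returns the new (x, a, b)."""
    k = len(x)
    if not resets:
        # Differences are unchanged; b_i := b_i ⊕ 1.
        return [v + 1 for v in x], [row[:] for row in a], [clamp(v + 1, m) for v in b]
    new_a = [[0] * k for _ in range(k)]
    for i, j in product(range(k), repeat=2):
        if i in resets and j in resets:
            new_a[i][j] = 0          # both clocks become 0
        elif i in resets:
            new_a[i][j] = -b[j]      # x_i becomes 0, so the difference is -x_j (saturated)
        elif j in resets:
            new_a[i][j] = b[i]       # x_j becomes 0, so the difference is x_i (saturated)
        else:
            new_a[i][j] = a[i][j]    # neither clock changes on a reset edge
    # b is rewritten only after a has been computed from the old b values.
    new_b = [0 if i in resets else b[i] for i in range(k)]
    return [0 if i in resets else x[i] for i in range(k)], new_a, new_b


def table_test(entry, op, c, m):
    """The test `entry # c` performed instead of a clock comparison. Only constants in
    [m-1], i.e. |c| < m, are sound, so anything else is rejected."""
    if abs(c) >= m:
        raise ValueError("constant %d is outside [m-1] for m = %d" % (c, m))
    return OPS[op](entry, c)


def tables_agree(x, a, b, m):
    """Lemma 2 invariant: x_i - x_j # c iff a_ij # c, and x_i # c iff b_i # c,
    for every operator # and every c in [m-1]."""
    k = len(x)
    for c, op in product(range(-(m - 1), m), OPS):
        for i in range(k):
            if OPS[op](x[i], c) != table_test(b[i], op, c, m):
                return False
            if any(OPS[op](x[i] - x[j], c) != table_test(a[i][j], op, c, m) for j in range(k)):
                return False
    return True


def simulate(x0, edges, m):
    """Run the edges from clock vector x0; report whether the invariant held at the
    start and after every transition, together with the final clocks and tables."""
    x, (a, b) = list(x0), init_tables(x0, m)
    ok = tables_agree(x, a, b, m)
    for resets in edges:
        x, a, b = step(x, a, b, resets, m)
        ok = ok and tables_agree(x, a, b, m)
    return x, a, b, ok


# Constructed run: m = 8 comes from a constraint such as x2 - x1 > 7; the clocks are
# driven far beyond m so that saturation is actually exercised.
EDGES = [frozenset()] * 10 + [frozenset({1})] + [frozenset()] * 3 + [frozenset({0, 2})]

if __name__ == "__main__":
    m = bound_m([7, -3, 0])
    x, a, b, ok = simulate([12, 3, 0], EDGES, m)
    print("m =", m, "invariant held:", ok, "clocks:", x, "b:", b)
```

Note that the tables are only sound for tests with |c| < m, which is why `table_test` refuses any other constant: with m = 8, a real difference of 10 and a saturated entry of 8 disagree on the test "> 8".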
By combining the techniques in [8] and [3], it was shown in [6] that the emptiness
problem for MPCAs is decidable. An MPCA without an input tape will be called an
MPCM. By a construction similar to that of Theorem 8, we can prove the next result.
Note that checking that the contents of the stacks at the end of the simulation are the
same as the stack words in the target configuration does not require the latter to be
in reverse (or need special handling), since we can first reverse the stack contents by
using another set of pushdown stacks and then check that they match the stack words
in the target configuration.
Theorem 9. We can effectively construct, given a discrete timed automaton A and an
MPCM M, a 2-tape MPCA accepting Reach(A⊕M).
Other examples of classes C that can be shown to have a decidable emptiness
problem are given below. Thus, the results in Section 2 apply.
1. Nondeterministic machines with reversal-bounded counters and a two-way read/write
worktape that is restricted in that the number of times the head crosses the boundary
between any two adjacent cells of the worktape is bounded by a constant, independent
of the computation (thus, the worktape is finite-crossing). There is no bound
on how long the head can remain on a cell [9].
2. Nondeterministic machines with reversal-bounded counters and a queue that is
restricted in that the number of alternations between nondeletion phase and noninsertion
phase is bounded by a constant [9]. A nondeletion (noninsertion) phase is a
period consisting of insertions (deletions) and no-changes, i.e., the queue is idle.
Without the restriction emptiness is undecidable since it is known that a finite-state
machine with an unrestricted queue can simulate a Turing machine.
Finally, as mentioned in the paragraph preceding Theorem 7, we can provide the
machine A⊕M with an input tape. The language accepted by such an acceptor can
be shown to be accepted by an acceptor M′ which belongs to the same class as M
(the simulation is similar to the one described in Lemmas 1 and 2). Thus, Theorem 7
follows.
4. Applications
In this section we exhibit some properties of timed automata that can be verified
using the results above.
Example 1. (Real-time) pushdown timed systems with "observation" counters were
studied in [2]. The purpose of these counters is to record information about the evolution
of the system and to reason about certain properties (e.g., number of occurrences
of certain events in some computation). The counters do not participate in the dynamics
of the system, i.e., they are never tested by the system. A transition edge specifies for
each observation counter an integral value (positive, negative, zero) to be added to the
counter. Of interest are the values of the counters when the system reaches a specified
configuration. It was shown in [2] that "region" reachability is decidable for these
systems.
Clearly, for the discrete case, such a system can be simulated by the machine A⊕M
described in the previous section. We associate in M two counters with each observation
counter: one counter keeps track of the positive increases and the other counter keeps
track of the negative increases. When the target configuration is reached, the difference
can be computed in one of the counters. Note that the sign of the difference can be
specified in another counter, which is set to 0 for negative and 1 for positive. Thus,
from Theorems 2–6, (binary, forward, backward) reachability, safety, and invariance
are solvable for these systems.
Example 2. Let A be a discrete timed automaton and M be a nondeterministic pushdown machine with reversal-bounded counters. For a given computation of A⊕M, let r_i be the number of times clock x_i resets. Suppose we are interested in computations in which the r_i's satisfy a Presburger formula f, i.e., we are interested in the pairs of configurations in Reach(A⊕M) whose first configuration can reach the second in a computation in which the clock resets satisfy f. It is known that a set of k-tuples is definable by a Presburger formula f if and only if it is definable by a reversal-bounded multicounter machine [8]. (Thus, a machine M_f with no input tape but with reversal-bounded counters can be effectively constructed from f such that, when the values of the first k counters are set to the k-tuple and all the other counters are initially zero, M_f enters an accepting state if and only if the k-tuple satisfies f. In fact, M_f can be made deterministic [8].) It follows that we can construct a 2-tape pushdown acceptor with reversal-bounded counters M′ accepting the set Q of pairs of configurations in Reach(A⊕M) whose first configuration can reach the second in a computation in which the clock resets satisfy f. One can also impose other constraints, such as introducing a parameter t_i for each clock i and considering computations where the first time clock i resets to zero is before (or after) time t_i. We can construct a 3-tape acceptor M″ from M′ accepting Q(t_1, …, t_k). M″ first reads the parameters t_i (which are given on the third input tape) and then simulates M′, checking that the constraint on the first time clock i resets is satisfied. Note that if M has no pushdown stack, then Q and Q(t_1, …, t_k) are Presburger.
Example 3. As another example, suppose we are interested in the set S of pairs of configurations of a discrete timed automaton A such that there is a computation path (i.e., sequence of states) from the first configuration to the second that satisfies a property that can be verified by an acceptor in a class C. If C has a decidable emptiness problem, then S is effectively computable. For example, suppose that the property is for the path to contain three nonoverlapping subpaths (i.e., segments of computation) which go through the same sequence of states, and the length of the subpath is no less than 1/5 of the length of the entire path. Thus if p is the computation path, there exist subpaths p_1, …, p_7 (some may be null) such that p = p_1 p_2 p_3 p_4 p_5 p_6 p_7, where p_2, p_4, and p_6 go through the same sequence of states, and length of p_2 = length of p_4 = length of p_6 is no less than 1/5 of the length of p. We can check this property by incorporating a finite-crossing read-write tape into the machine (actually, the head need only make 5 crossings on the read-write tape: one pass to write p_2, then a rewind and a comparison pass for each of p_4 and p_6).
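As an added illustration (not code from the paper), the following Python models the finite-crossing worktape check for the repeated-subpath property above. The path is a string of state names; the three segment start positions and the common segment length are the acceptor's nondeterministic guesses, which the code resolves by enumeration, and the 1/5 length constraint, which the paper's machine would check with reversal-bounded counters, is a plain integer comparison here. The tape class is an assumption of the example: it counts how often the head crosses each cell boundary, so the 5-crossing bound stated above can be observed on an accepting run.

```python
# Added example (not from the paper): checking the repeated-subpath property of
# Example 3 with a single finite-crossing read-write worktape.


class CrossingTape:
    """One-dimensional read-write worktape. Cell boundary b lies between cells b-1
    and b; the tape records how often the head crosses each boundary, which is
    what 'finite-crossing' bounds."""

    def __init__(self):
        self.cells = []
        self.pos = 0
        self.crossings = {}

    def _cross(self, boundary):
        self.crossings[boundary] = self.crossings.get(boundary, 0) + 1

    def write_forward(self, sym):
        """Write under the head and move one cell right."""
        if self.pos == len(self.cells):
            self.cells.append(sym)
        else:
            self.cells[self.pos] = sym
        self.pos += 1
        self._cross(self.pos)

    def read_forward(self):
        """Read under the head and move one cell right."""
        sym = self.cells[self.pos]
        self.pos += 1
        self._cross(self.pos)
        return sym

    def rewind(self):
        """Move the head back to the leftmost cell."""
        while self.pos > 0:
            self._cross(self.pos)
            self.pos -= 1

    def max_crossings(self):
        return max(self.crossings.values(), default=0)


def verify_guess(path, i2, i4, i6, m):
    """Deterministic part of the acceptor: given the guessed start positions of
    p2, p4, p6 and their common length m, copy p2 to the worktape, then compare
    p4 and p6 against it. Returns (accepted, max crossings of any boundary)."""
    n = len(path)
    if not (0 <= i2 and i2 + m <= i4 and i4 + m <= i6 and i6 + m <= n):
        return False, 0          # segments must be in order and non-overlapping
    if 5 * m < n:                # |p2| >= |p|/5; the paper's machine uses counters
        return False, 0
    tape = CrossingTape()
    for k in range(m):
        tape.write_forward(path[i2 + k])          # pass 1: record p2
    for start in (i4, i6):
        tape.rewind()                             # passes 2 and 4: back to the left end
        for k in range(m):                        # passes 3 and 5: compare
            if tape.read_forward() != path[start + k]:
                return False, tape.max_crossings()
    return True, tape.max_crossings()


def has_three_repeats(path):
    """Existential check: enumerate the nondeterministic guesses. Returns
    (found, max crossings on the accepting run), or (False, 0) if none."""
    n = len(path)
    for m in range((n + 4) // 5, n // 3 + 1):    # 5m >= n and 3m <= n
        for i2 in range(0, n - 3 * m + 1):
            for i4 in range(i2 + m, n - 2 * m + 1):
                for i6 in range(i4 + m, n - m + 1):
                    ok, crossings = verify_guess(path, i2, i4, i6, m)
                    if ok:
                        return True, crossings
    return False, 0


if __name__ == "__main__":
    # Constructed sample paths; each character is one control state.
    print(has_three_repeats("abcabcabc"))             # (True, 5)
    print(has_three_repeats("abXabXabX" + "Y" * 11))  # (False, 0): repeats too short
```

On every accepting run the crossing count of each boundary inside the copied segment is exactly 5, which is the bound the example quotes; the second sample shows that three repeats which are too short relative to the whole path are rejected by the length constraint alone.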
Example 4. We can equip A⊕M with one-way write-only tapes which the machine can use to record certain information about the computation of the system (and perhaps even require that the strings appearing on these tapes satisfy some properties). From Corollary 1, such systems can be effectively analyzed.
5. Reachability in parallel discrete timed automata
The technique of using the reversal-bounded counters to record and compare various
integers (like the running times of the machines) in the proofs in Section 3 can be
used to decide some reachability questions concerning machines operating in parallel.
We give two examples below.
Let A_1, A_2 be discrete timed automata and M_1, M_2 be PCMs. Recall from Section 3 that a configuration of A_i⊕M_i is a 5-tuple (s_i, U_i, q_i, V_i, w_i). Suppose we are given, for each i = 1, 2, a pair of configurations of A_i⊕M_i (a start configuration and a target configuration), and we want to know if A_i⊕M_i when started in its start configuration can reach its target configuration at some time t_i, with t_1 and t_2 satisfying a given linear relation L(t_1, t_2) definable by a Presburger formula. (Thus, e.g., if the linear relation is t_1 = t_2, then we want to determine if A_1⊕M_1, started in its start configuration, reaches its target configuration at the same time that A_2⊕M_2, started in its start configuration, reaches its target configuration.) This reachability question is decidable. The idea is the following. First note that we can incorporate a counter in M_i that records the running time t_i of A_i⊕M_i. Let Z_i be a 2-tape PCA accepting R(A_i⊕M_i). We construct a 4-tape PCA Z which, when given the two pairs of configurations on its 4 tapes, first simulates the computation of Z_1 to check that the start configuration of A_1⊕M_1 can reach its target configuration, recording the running time t_1 of A_1⊕M_1 (which is a component of the target configuration) in a counter. Z then simulates Z_2. Finally, Z checks that the running times t_1 and t_2 satisfy the given linear relation (which can be verified since Presburger formulas can be evaluated by nondeterministic reversal-bounded multicounter machines). Since the emptiness problem for PCAs is decidable, decidability of reachability follows.
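The two constructions that rest on reversal-bounded counters, the split of an observation counter into two monotone counters in Example 1 and the comparison of the running times t_1 and t_2 just described, can be seen in the following Python, which is an added example and not part of the paper. The Counter class is an assumption of the example: it records every reversal (a switch from incrementing to decrementing or back) so that the reversal bound can be checked on the run. The linear relation t_1 = a·t_2 + b with constants a, b ≥ 0 stands in for the paper's general Presburger relation L(t_1, t_2); t_1 = t_2 is the case a = 1, b = 0.

```python
# Added example (not from the paper): reversal-bounded counter encodings for
# Example 1 (observation counters) and Section 5 (comparing running times).


class Counter:
    """Non-negative counter that also records its reversals, i.e. the number of
    times it switches between incrementing and decrementing. This bookkeeping is
    an assumption of the example, added so the reversal bound can be checked."""

    def __init__(self):
        self.value = 0
        self.reversals = 0
        self._last = None  # "inc" or "dec"

    def _move(self, direction):
        if self._last is not None and direction != self._last:
            self.reversals += 1
        self._last = direction

    def inc(self):
        self._move("inc")
        self.value += 1

    def dec(self):
        if self.value == 0:
            raise ValueError("counter underflow")
        self._move("dec")
        self.value -= 1

    def is_zero(self):
        return self.value == 0


def run_observation(deltas):
    """Example 1: an observation counter updated by the integers in `deltas`
    (one per transition) is kept as two counters that only grow during the run:
    `pos` for positive updates and `neg` for the magnitudes of negative updates.
    At the target configuration the smaller one is subtracted from the larger.
    Returns (magnitude, sign_flag, max_reversals); sign_flag is 1 for a
    non-negative difference and 0 for a negative one, as in the paper."""
    pos, neg = Counter(), Counter()
    for delta in deltas:                      # during the run: increments only
        target = pos if delta >= 0 else neg
        for _ in range(abs(delta)):
            target.inc()
    while not pos.is_zero() and not neg.is_zero():   # one reversal per counter
        pos.dec()
        neg.dec()
    worst = max(pos.reversals, neg.reversals)
    if neg.is_zero():
        return pos.value, 1, worst
    return neg.value, 0, worst


def linear_relation(t1, t2, a, b):
    """Section 5: decide t1 == a*t2 + b (a, b >= 0 constants) on counters holding
    the two running times. Each counter is filled while its machine is simulated
    and afterwards only decremented, so each makes at most one reversal.
    Returns (holds, max_reversals)."""
    c1, c2 = Counter(), Counter()
    for _ in range(t1):
        c1.inc()
    for _ in range(t2):
        c2.inc()
    while not c2.is_zero():                   # remove a units of c1 per unit of c2
        c2.dec()
        for _ in range(a):
            if c1.is_zero():
                return False, max(c1.reversals, c2.reversals)
            c1.dec()
    for _ in range(b):                        # what remains must be exactly b
        if c1.is_zero():
            return False, max(c1.reversals, c2.reversals)
        c1.dec()
    return c1.is_zero(), max(c1.reversals, c2.reversals)


if __name__ == "__main__":
    # Constructed sample run: per-transition updates of one observation counter.
    print(run_observation([2, -5, 1, 0, 3]))   # (1, 1, 1)
    print(linear_relation(7, 2, 2, 3))         # (True, 1)
```

The point of the split into two counters is visible in the reversal counts: an observation counter that is incremented and decremented during the run would reverse unboundedly often, whereas each of the two monotone counters reverses at most once, at the final subtraction.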
We can allow the machines A_1⊕M_1 and A_2⊕M_2 to share a common input tape, i.e., each machine has a one-way read-only input head (see the paragraph preceding Theorem 7). A configuration of A_i⊕M_i will now have an additional component h_i, the position of the input head on the common input x. One can show that if both A_1⊕M_1 and A_2⊕M_2 have a one-turn stack (or an unrestricted counter), then reachability is undecidable, even if they have no reversal-bounded counters and the linear relation is t_1 = t_2. However, if only one of A_1⊕M_1 and A_2⊕M_2 has an unrestricted pushdown stack, then reachability is decidable. Again, the idea is to construct a 5-tape PCA M which, when given the two pairs of configurations and x on its 5 tapes, first simulates M_1 and M_2 in parallel on the input x. If one of the machines, e.g., M_1, advances its input head to the next input symbol but M_2 has not yet read the current input symbol, M does not advance its input head and "suspends" the simulation of M_1 until M_2 has read the current symbol or M guesses that M_2 will not be reading further on the input to reach the target configuration.
Note that the above results generalize to any number k of machines A_i⊕M_i (i = 1, …, k) operating in parallel.
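The suspension protocol for a common one-way input can be made concrete as follows; this is an added example, not the paper's construction, and it uses finite-state readers (transition dictionaries constructed here) in place of the PCMs M_1 and M_2 so that the search over simulator configurations terminates. The simulator keeps one input head, lets a machine read only when the head can legally stand on the cell it wants, and models the guess that the other machine reads no further as a "freeze" move. Since the two machines interact only through the read-only input, the single-head result must agree with reachability computed for each machine with its own head, which the cross-check function verifies.

```python
# Added example (not from the paper): two machines reading one common one-way
# input through a single input head, with the suspend-or-guess rule of Section 5.
from collections import deque

# Constructed sample machines (assumptions of the example). Each is a finite-state
# reader {(state, symbol): {next states}}; symbol None marks a move that does not
# read input. M1 reads one 'a' and then idles; M2 reads a's and then one 'b'.
M1 = {("p0", "a"): {"p1"}, ("p1", None): {"p1"}}
M2 = {("r0", "a"): {"r0"}, ("r0", "b"): {"r1"}}


def moves(machine, state, sym):
    return machine.get((state, sym), set())


def shared_head_reach(m1, m2, x, start, target, allow_guess=True):
    """Reachability with ONE input head. start and target are ((q1, h1), (q2, h2)):
    state and input position of each machine. A simulator configuration is
    (q1, q2, pos1, pos2, head, frozen1, frozen2); frozen_i records the guess
    that machine i reads no further input. The head only ever moves right."""
    n = len(x)
    (q1, h1), (q2, h2) = start
    init = (q1, q2, h1, h2, min(h1, h2), False, False)
    seen, queue = {init}, deque([init])
    while queue:
        q1, q2, pos1, pos2, head, f1, f2 = queue.popleft()
        if (q1, pos1) == target[0] and (q2, pos2) == target[1]:
            return True
        succ = []   # (machine index, new state, new position, new head)
        sides = ((m1, q1, pos1, f1, pos2, f2), (m2, q2, pos2, f2, pos1, f1))
        for i, (m, q, pos, frozen, other_pos, other_frozen) in enumerate(sides):
            for nq in moves(m, q, None):            # non-reading moves always run
                succ.append((i, nq, pos, head))
            if frozen or pos >= n:
                continue
            if pos == head:                          # wanted symbol is under the head
                for nq in moves(m, q, x[pos]):
                    succ.append((i, nq, pos + 1, head))
            elif other_frozen or other_pos >= pos:
                # The other machine has consumed every cell before pos (or will
                # read no more), so the head may advance to pos. Otherwise this
                # machine stays suspended until the other catches up.
                for nq in moves(m, q, x[pos]):
                    succ.append((i, nq, pos + 1, pos))
        nexts = []
        for i, nq, npos, nhead in succ:
            if i == 0:
                nexts.append((nq, q2, npos, pos2, nhead, f1, f2))
            else:
                nexts.append((q1, nq, pos1, npos, nhead, f1, f2))
        if allow_guess:                              # guess: a machine is done reading
            nexts.append((q1, q2, pos1, pos2, head, True, f2))
            nexts.append((q1, q2, pos1, pos2, head, f1, True))
        for ns in nexts:
            if ns not in seen:
                seen.add(ns)
                queue.append(ns)
    return False


def private_head_reach(machine, x, start, target):
    """Reachability of one machine with its own head; the unconstrained product
    of the two machines is just the conjunction of these."""
    n = len(x)
    seen, queue = {start}, deque([start])
    while queue:
        q, pos = queue.popleft()
        if (q, pos) == target:
            return True
        nxt = {(nq, pos) for nq in moves(machine, q, None)}
        if pos < n:
            nxt |= {(nq, pos + 1) for nq in moves(machine, q, x[pos])}
        for s in nxt:
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return False


def cross_check(m1, m2, x, start, target):
    """The machines interact only through the read-only input, so the single-head
    simulation must agree with the private-head product."""
    shared = shared_head_reach(m1, m2, x, start, target)
    private = (private_head_reach(m1, x, start[0], target[0])
               and private_head_reach(m2, x, start[1], target[1]))
    return shared == private


if __name__ == "__main__":
    start = (("p0", 0), ("r0", 0))
    print(shared_head_reach(M1, M2, "aab", start, (("p1", 1), ("r1", 3))))   # True
    print(shared_head_reach(M1, M2, "aab", start, (("p1", 1), ("r1", 3)),
                            allow_guess=False))                              # False
```

The second call shows why the guess is needed: M1 stops reading after the first symbol, so without the freeze move the single head can never pass the cell M1 is still "holding", and M2 stays suspended for the rest of the input.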
6. Conclusions
We showed that a discrete timed automaton augmented with a machine with reversal-bounded counters and possibly other data structures, taken from a class C of machines, can be effectively analyzed with respect to reachability, safety, and other properties if C has a decidable emptiness problem. We gave examples of such C's and examples of new properties of discrete timed automata that can be verified. We also showed that reachability in parallel machines can be effectively decided. It would be interesting to look for other classes C with a decidable emptiness problem.
References
[1] R. Alur, D. Dill, Automata for modeling real-time systems, Theoret. Comput. Sci. 126 (2) (1994)
83–236.
[2] A. Bouajjani, R. Echahed, R. Robbana, On the automatic verification of systems with continuous variables and unbounded discrete data structures, in: P.J. Antsaklis, W. Kohn, M.O. Lemmon, A.N. Nerode, S. Sastry (Eds.), Hybrid Systems II, Lecture Notes in Computer Science, Vol. 999, Springer, Berlin, 1995.
[3] A. Cherubini, L. Breveglieri, C. Citrini, S. Crespi Reghizzi, Multi-push-down languages and grammars,
Int. J. Foundations Comput. Sci. 7 (3) (1996) 253–291.
[4] H. Comon, Y. Jurski, Multiple counters automata, safety analysis and Presburger arithmetic, Proc. 10th
Int. Conf. on Computer Aided Veri0cation, 1998, pp. 268–279.
[5] H. Comon, Y. Jurski, Timed automata and the theory of real numbers, Proc. 10th Int. Conf. on
Concurrency Theory, 1999, pp. 242–257.
[6] Z. Dang, Verification and Debugging of Infinite State Real-time Systems, Ph.D. Thesis, University of California, Santa Barbara, 2000.
[7] Z. Dang, O.H. Ibarra, T. Bultan, R.A. Kemmerer, J. Su, Binary reachability analysis of discrete pushdown timed automata, Int. Conf. on Computer Aided Verification, 2000, pp. 69–84.
[8] O.H. Ibarra, Reversal-bounded multicounter machines and their decision problems, J. Assoc. Comput.
Machin. 25 (1) (1978) 116–133.
[9] O.H. Ibarra, T. Bultan, J. Su, Reachability analysis for some models of infinite-state transition systems, Proc. 10th Int. Conf. on Concurrency Theory, 2000, pp. 183–198.
[10] O.H. Ibarra, Z. Dang, P. San Pietro, Queue-connected discrete timed automata, Theoret. Comput. Sci., submitted for publication.
[11] M. Minsky, Recursive unsolvability of Post’s problem of Tag and other topics in the theory of Turing
machines, Ann. Math. 74 (1961) 437–455.
