Abstract
Introduction
One of the main current challenges in model checking is to extend its applicability to parameterized systems. The description of such a system is parameterized by the number of components, and the challenge is to check correctness of all instances in one verification step. Most existing methods for model checking of parameterized systems consider the case where each individual component is modelled as a finite-state process.
In this paper we study parameterized systems of timed processes, so-called Timed Networks (TNs). A TN represents a family of systems, each consisting of a finite-state controller together with finitely, but arbitrarily, many timed processes (timed automata). A timed process operates on a finite number of real-valued clocks. This means that a TN operates on an unbounded number of clocks, and therefore its behaviour cannot be captured by that of a timed automaton [AD94].
In [AJ03], we show decidability of the controller state reachability problem for TNs: given a state of the controller, is there a computation from an initial configuration leading to that state? This problem is relevant since it can be shown, using standard techniques, that checking large classes of safety properties can be reduced to controller state reachability. The decidability result in [AJ03] is given subject to the restriction that each timed process has a single clock. As an example, this allows automatic verification of a parameterized version of Fischer's protocol (see e.g. [KLL+97]).
This protocol achieves mutual exclusion by defining timing constraints on an arbitrary set of processes each with one clock. We can show correctness of the protocol regardless of the number of participating processes. The paper [AJ03] leaves open the case of multi-clock TNs, i.e., TNs where each timed process may have several clocks.
In the literature, there are many applications where a number of timed automata [AD94] run in parallel and where each of the timed automata has more than one clock. For instance, the Philips audio control protocol with bus collision [BGK+96] has two clocks per sender of audio signals. Also, the system described in [MT01] consists of an arbitrary number of nodes, each of which is connected to a set of LANs. Each node maintains timers to keep track of the sending and receiving of messages from other nodes connected to the same set of LANs. In a similar way to Fischer's protocol, it is clearly relevant to ask whether we can verify correctness of the protocol in [BGK+96] regardless of the number of senders, or of the protocol in [MT01] regardless of the number of nodes.
The question is then whether the decidability result of [AJ03] can be extended to multi-clock systems. In this paper we answer this question negatively. In fact, we show that it is sufficient to allow two clocks per process in order to get undecidability. The undecidability result is shown through a reduction from the classical reachability problem for 2-counter machines. The main ingredient in the undecidability proof is an encoding of counters which allows testing for zero. The encoding represents each counter by a linked list of processes, where ordering on elements of the list is reflected by ordering on clock values of the relevant processes, and where the link between two elements in the list is encoded by whether two clocks belong to the same process. The value of a counter is reflected by the length of the corresponding list.
We also consider Discrete Timed Networks (DTNs): a variant of timed networks where clocks are interpreted over a discrete time domain rather than a dense one. Surprisingly, it turns out that the controller state reachability problem now becomes decidable. The decidability result holds regardless of the number of clocks allowed inside each timed process. We show decidability using the theory introduced in [AČJYK00] for verification of transition systems which are monotonic with respect to a well quasi-ordering. More precisely, we define a counter abstraction for DTNs. This is an exact abstraction of the system in which we only count the number of processes which have certain states and certain clock values. We show that such an abstraction induces a well quasi-ordering, and that the behaviour of a DTN is monotonic with respect to that ordering.
In [AMC02] a method is given for translating a timed automaton with several clocks into the parallel composition of a finite number of automata each operating on a single clock. This may give the impression that reachability problems for multi-clock TNs can in a similar way be reduced to corresponding problems for single-clock TNs. However, the construction given in [AMC02] will not work in our case. The reason is that, due to the unbounded number of timed processes, it is not possible to keep track of clocks belonging to the same process.
Related Work
The works in [AAB00, AHV93] consider timed automata which are parameterized in the following sense: transitions are guarded with predicates which compare clocks (and counters) with parameters possibly ranging over infinite domains. The models used in these papers assume a finite number of clocks and are therefore orthogonal to the models considered in this paper.
A work related to our result on DTNs is [GS92] where counter abstraction is used to obtain a Petri net model for parameterized systems. However, a process in [GS92] is assumed to be finite-state. Furthermore, counter abstraction in the case of DTNs yields a model with a different behaviour than that of Petri nets.
Outline. Section 2 gives the definition of timed networks. Section 3 recalls the classical model of 2-counter machines. Section 4 shows how a configuration of a 2-counter machine can be encoded by a configuration of a timed network, while Section 5 shows how the transitions of a 2-counter machine can be simulated by transitions of a timed network. We give an overview of the correctness proof for our encoding in Section 6. In Section 7 we give an algorithm for deciding the controller-state reachability problem for DTNs. Finally in Section 8, we conclude and give some directions for future work.
Definitions
In this section, we define timed networks: families of (infinitely many) systems each consisting of a controller and an arbitrary number of identical timed processes. The controller is a finite state automaton while each process is a timed automaton [AD94] gives the value of clock Ü in the process with index .
We use to denote the number of processes in , i.e., Á . Also, we shall use to denote the mapping Á Ê ¼ such that ´ µ ´ µ´ µ. Figure 1 shows a graphical representation of a configuration in a timed network with two clocks, given by
Example 1
½ ¾ ¿ Õ É µ where É´½µ Õ ½ É´¾µ Õ ¾ É´¿µ Õ ¿ and ½´½ µ ¼ ½ ½´¾ µ ¼ ½´¿ µ ¼ ¾´½ µ ¾ ¿ ¾´¾ µ ½ ¾´¿ µ ¼ .
If
In other words, a clock is reset to 0 if it occurs in the corresponding reset set R; otherwise its value remains unchanged.
Controller State Reachability Problem (TN(K)-Reach)
Instance: A timed network (Q, R) with K clocks and a con-
Controller state reachability is relevant, since it can be shown, using standard techniques [VW86], that checking safety properties (expressed as regular languages) can be translated into instances of the problem. In [AJ03] we show that TN(1)-Reach is decidable. In this paper we show:
Theorem 1. TN(2)-Reach is undecidable.
2-Counter Machines
In this section we recall the standard definition of counter machines. Here, we assume that such a machine operates on two counters, which we call c_1 and c_2.
A two-counter machine is a tuple (S, I) where S is a finite set of local states with a distinguished initial local state s_init ∈ S, and I is a finite set of instructions. An instruction is a triple (s_1, op, s_2), where s_1, s_2 ∈ S and
A configuration of a two-counter machine is a triple (s, m_1, m_2), where s ∈ S represents the local state, and m_1, m_2 ∈ N represent the values of the counters c_1 and c_2 respectively. The counter machine induces a transition relation → on the set of configurations, which is defined as usual using the standard interpretations of counter operations. We use →* to denote the reflexive transitive closure of →. In a similar manner to timed networks, we use β →* s to denote that there is a con-
We define the initial configuration β_init to be (s_init, 0, 0).
The control state reachability problem for a 2-counter machine (CM-Reach) is: given a local state s, check whether
Encoding of Configurations
We show undecidability of TN(2)-Reach through a reduction from CM-Reach. Given a counter machine (S, I), we shall derive a timed network N = (Q, R) with two clocks. In this section, we perform the first step in the reduction; namely, we describe how to construct the set Q. Also, we describe how configurations of the counter machine are encoded as configurations of N. Finally, we introduce a special type of encodings, called proper encodings, which we use in our simulation of the counter machine.
States. According to the model described in Section 2, the set Q will consist of two disjoint sets of states: the set
The first condition states that the processes which are part of a c_1-encoding are in one of the local states
Encoding of Transitions
In this section, we perform the second step in deriving the timed network N = (Q, R) from the counter machine (S, I). More precisely, we describe the set of rules R. The set R contains the following rules:
Incrementing. Rule inc_2 resets clock x_1 of the process which is now in state fst_1 and clock x_2 of the process which is last in the list. This is done in order to maintain (i) the invariant that clock x_1 of a process (here the first process) is smaller than clock x_1 of the next process; and (ii) the invariant that clock x_2 of the last process is equal to clock x_1 of the first process. The result of applying rule inc_2 is shown in Figure 3(c). Some remarks about rules inc_1 and inc_2:
- After execution of inc_1, the controller will be in state tmp, and therefore inc_2 is the only rule which may eventually be enabled after execution of inc_1.
- The guard 0 < x_1 in the definition of inc_1 guarantees that all clocks have positive values before the rule is applied. This makes sure that we avoid the scenario where we "accidentally" equate some clocks with the ones which are reset during the application of inc_1. The same reasoning applies to the guard 0 < x_2 in the definition of the rule inc_2. Similar guards exist in the rest of the rules described in this section.
- After application of inc_2, the resulting encoding will not be proper, since clocks have just been reset and their values are now zero. We can re-create a proper encoding by letting time pass through a timed transition. Again, a similar reasoning is applicable to the rest of the rules described in this section.
Also, for each instruction of the form (s_1, c_2++, s_2), there are two rules similar to the rules described above (replacing the states fst_1, mid_1 and lst_1 by fst_2, mid_2 and lst_2, respectively).
Decrementing. The decrementing rule decrements the value of a c_1-encoding by removing the last process of the list. More precisely, it changes the state of the last process to the idle state (i.e. removes that process from the list), and changes the state of the process which is next last from mid_1 to lst_1. In order to do that, we have to be able to identify the process which is next last in the list. Since all processes in the middle of the list are in state mid_1, we cannot identify the next last process simply by checking process states. Instead, we wait until clock x_1 of the last process becomes equal to one; the process whose clock x_2 is then equal to one is the next last process. Also, the rule resets (and therefore equates) clock x_1 of the first process and clock x_2 of the next last process (which will now become last in the list). Figure 4 shows the effect of applying the rule to a c_1-encoding. Some remarks about the decrementing rule:
- Identifying the next last process (by waiting until some clocks are equal to one) uses the assumption that we start from a proper encoding. This implies that all clocks of processes participating in the encoding have values less than one. If this property is violated then the rule is not enabled (and will not become enabled through passage of time).
- The rule is not enabled in case the value of the c_1-encoding is equal to zero, since there will be no processes in state mid_1.
- Waiting for clock x_1 of the last process in the c_1-encoding to become equal to one may force clocks of processes in the c_2-encoding to become greater than one. More precisely, this happens if some clock in a process which is part of the c_2-encoding has a greater value than clock x_1 of the process which is currently in state lst_1. After applying the decrementing rule, the value of such clocks will be greater than one, and therefore the resulting configuration will not be a proper encoding. Figure 5 illustrates this scenario.
We consider a proper encoding (shown in Figure 5). In order to maintain the possibility of obtaining proper encodings in our simulation, we combine the decrementing rule with the rotation rules described below.
In a similar way to incrementing, there is also a rule corresponding to an instruction of the form (s_1, c_2--, s_2).
Rotation. To make it always possible to obtain a proper encoding after decrementing the value of a c_1- or a c_2-encoding (see the decrementing rule above), we add a set of rotation rules. More precisely, for each state s ∈ S, the set R contains the following two rules
Figure 6. Decrementing preceded by rotation
We illustrate the role of rot_s^2 through Figure 6. In a similar manner to Figure 5, we are interested in simulating a decrement instruction. However, instead of following the scenario of Figure 5, we now perform the following steps:
1. Wait for clock x_1 of the process in state lst_2 to become equal to one (Figure 6(b)).
2. Apply the rule rot_s^2.
3. Wait until clock x_1 of the process in state lst_1 becomes one (Figure 6(d)).
4. Apply the decrementing rule. Notice that the resulting encoding (shown in Figure 6(e)) has all clock values less than one.
After the last step, we can perform a timed transition and obtain a proper encoding. Also, if, before applying the decrementing rule, there is a clock in the c_2-encoding with the same value as clock x_1 of the process in state lst_1, then we need to apply rot_s^2 once more after decrementing (this scenario does not occur in Figure 6, but is considered in the correctness proof).
Notice that we cannot apply the rotation rule in case the value of the c_2-encoding is zero. This is due to the fact that the rule requires at least one process in state mid_2.
Testing for zero. The rule tst checks that the value of the encoding is zero by testing that there are no processes in state mid_1. This is done by verifying that the process which is next last in the list is the same as the process which is first in the list. We identify the next last process in a similar manner to the case of decrementing. More precisely, we wait until the value of clock x_1 of the last process is equal to one. At that moment, we take the process with clock x_2 equal to one, and check whether its state is fst_1. Notice that clock x_2 of the first process and clock x_1 of the last process are now both equal to one, so the encoding is no longer proper. In order to be able to obtain a proper encoding again, we reset both these clocks and interchange the states of the processes in states fst_1 and lst_1. Notice the similarity between the rules tst and rot. One remark about the rule tst:
- Sometimes the rule tst must be combined with the rotation rules, according to the same scenarios explained for the decrementing rule.
In a similar way to the previous rules, there is also a rule corresponding to an instruction of the form
Initialization. The initial phase consists of the two rules init_1 and init_2. Rule init_1 picks four processes such that two of them become the first and last processes of the c_1-encoding (with value zero) and the other two become the first and last processes of the c_2-encoding (also with value zero). Clock x_2 of the first process and clock x_1 of the last process are reset. Rule init_2 changes the controller state to s_init and completes the creation of the c_1-encoding and the c_2-encoding. This is done by first checking that some time has passed (through the guard 0 < x_2), and then resetting both clock x_1 of the process which is now in state fst_1 (fst_2) and clock x_2 of the process which is now in state lst_1 (lst_2).
Correctness
In this section we show the correctness of the construction described in Section 4 and Section 5. Let ´Ë Áµ be a counter machine and let AE ´É Ê µ be a timed network derived from as described in Section 4 and Section 5. Let and be the transition relations induced by and AE respectively.
If s is a control state in the counter machine then the following holds.
The if-direction follows immediately from the following lemma. The lemma states that the initial configuration, from which we start the simulation of the path from β_init to s, should be sufficiently large to incorporate all counter values which arise along that path.
Discrete Timed Networks
In this section, we show decidability of the controller state reachability problem for Discrete Timed Networks (DTNs): timed networks in which the clocks assume values from the set of natural numbers. The idea of the proof is to define an ordering on configurations of the DTN. The ordering amounts to counter abstraction: for each configuration we count the number of processes which are in a given state and whose clocks are equal to some given values.
Discrete Timed Networks (DTN)
The syntax of a DTN is the same as that of a TN (see Section 2). A configuration is also of the same form as in a TN. The behaviour of a DTN differs from that of a TN in two aspects, namely:
- In a configuration, the clock valuation assigns to each of the K clocks of each process in I a natural number, i.e., clocks have values which are natural numbers rather than reals.
- Timed transitions take only discrete steps, i.e., all clocks advance by the same natural number.
The problem DTN(K)-Reach is defined in the same manner as TN(K)-Reach, except that the timed network N in the definition of the problem is now given a discrete interpretation as described above.
In this section we show:
Theorem 6. DTN(K)-Reach is decidable for each K ∈ N.
To prove Theorem 6, we rely on the theory introduced in [AČJYK00]. Since the ordering on configurations is a wqo, it follows that each minor set is finite. However, for the same set there may be several minor sets. We use min to denote a function which, given a set of configurations, returns a minor set of it. For a set U of configurations, we use minpre(U) to denote the set min(Pre(U)).
Monotonic Transition Systems (MTS)
In [AČJYK00] we show that the following conditions are sufficient for decidability of MTS-Reach.
This means that a DTN indeed induces an MTS. Notice that it is trivial to check whether a given configuration is initial. The following lemma states that the induced transition system also satisfies the second sufficient condition for decidability (see Theorem 7).
Theorem 7 MTS-

Lemma 9. Consider the MTS induced by a DTN. Then, for each configuration we can compute its minpre set as a finite set of configurations.
This, together with Theorem 7, proves Theorem 6.
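An added example of the decision procedure in the shape of Theorem 7, applied to the counter abstraction of a small DTN (this is illustration code written for this page, not the paper's algorithm as it states it): starting from the upward-closed set of configurations whose controller is in the target state, the set of minimal elements is closed under minpre until it stabilises, which the wqo guarantees, and the result is then compared with the initial configurations. Assumptions made here: each rule moves a single process and changes the controller state (the paper's rules may involve several processes); guards compare that process's clocks with constants no larger than CMAX, so all values above CMAX are collapsed into the single value CMAX + 1, which is what makes the set of (state, clock values) classes finite and the counter-abstraction ordering a wqo; initial configurations hold any number of processes in one initial process state with all clocks 0. The sample network, its rules and all state names are constructed for the example.

```python
"""Backward reachability for a Discrete Timed Network via counter abstraction
(added example).  Assumptions: one process per rule, guards are predicates on
that process's clock vector using constants <= CMAX, clock values above CMAX
are identified with CMAX + 1, and initial configurations hold any number of
processes in st_init with all clocks 0 and the controller in ctrl_init."""
from itertools import product
from collections import Counter

CMAX, NCLOCKS = 2, 1
TOP = CMAX + 1                     # stands for every value > CMAX
VALUES = range(TOP + 1)


def canon(ctrl, items):
    """Configuration = (controller state, multiset of (state, clocks))."""
    return (ctrl, tuple(sorted(items)))


def leq(c1, c2):
    """Counter-abstraction ordering: same controller state and, for every
    (state, clocks) class, c1 holds at most as many processes as c2."""
    if c1[0] != c2[0]:
        return False
    n1, n2 = Counter(c1[1]), Counter(c2[1])
    return all(n2[k] >= v for k, v in n1.items())


def minimize(confs):
    confs = set(confs)
    return {c for c in confs if not any(d != c and leq(d, c) for d in confs)}


def tick(v):
    return tuple(min(x + 1, TOP) for x in v)


def pre_time(conf):
    """Minimal predecessors of the upward closure of conf under one time step:
    every required process must come from a class that ticks into its class."""
    ctrl, items = conf
    choices = []
    for st, w in items:
        opts = [(st, v) for v in product(VALUES, repeat=len(w)) if tick(v) == w]
        if not opts:                   # a clock equal to 0 has no predecessor
            return set()
        choices.append(opts)
    return {canon(ctrl, its) for its in product(*choices)}


def pre_rule(conf, rule):
    """Minimal predecessors of the upward closure of conf under one rule.  The
    moved process either supplies one of the processes conf requires or is an
    extra process on top of them."""
    ctrl_from, st_from, guard, ctrl_to, st_to, resets = rule
    ctrl, items = conf
    if ctrl != ctrl_to:
        return set()
    preds = set()
    for v in product(VALUES, repeat=NCLOCKS):
        if not guard(v):
            continue
        w = tuple(0 if i in resets else x for i, x in enumerate(v))
        lst = list(items)
        for i, (st, clk) in enumerate(lst):
            if (st, clk) == (st_to, w):
                preds.add(canon(ctrl_from, lst[:i] + lst[i + 1:] + [(st_from, v)]))
        preds.add(canon(ctrl_from, lst + [(st_from, v)]))
    return preds


def reachable(rules, ctrl_init, st_init, target_ctrl):
    """Backward search from the upward-closed target set until the set of
    minimal elements stabilises, then test for an element below an initial
    configuration."""
    zeros = (0,) * NCLOCKS
    seen = work = minimize({canon(target_ctrl, [])})
    while work:
        new = set()
        for conf in work:
            new |= pre_time(conf)
            for rule in rules:
                new |= pre_rule(conf, rule)
        closed = minimize(seen | new)
        work, seen = closed - seen, closed
    return any(c[0] == ctrl_init and all(it == (st_init, zeros) for it in c[1])
               for c in seen)


# Constructed sample network (not from the paper): a process must wait at
# least 2 time units before the controller moves to q1; reaching 'bad' then
# needs a second process whose clock was reset at that very moment.
RULES = [
    ("q0", "idle", lambda v: True, "q0", "wait", {0}),        # start waiting, reset x
    ("q0", "wait", lambda v: v[0] >= 2, "q1", "done", set()),  # waited long enough
    ("q1", "wait", lambda v: v[0] == 0, "bad", "done", set()),
    ("q0", "done", lambda v: True, "bad2", "done", set()),     # no 'done' ever in q0
]

if __name__ == "__main__":
    for target in ("q1", "bad", "bad2"):
        print(target, reachable(RULES, "q0", "idle", target))
```

`bad` is reachable only with at least two processes (one that has waited, one freshly reset), which the backward search finds without ever fixing the number of processes; `bad2` is unreachable because no `done` process can exist while the controller is still in `q0`, and the search reports that once its minimal set stops growing.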
Conclusions, Discussion, and Future Work
We have shown undecidability of controller state reachability for multi-clock timed networks. We have also shown decidability of the problem when clocks are interpreted over a discrete time domain.
In this paper, we assume a lazy behaviour for TNs. This means that we may choose to let time pass instead of performing discrete transitions, even if that disables these transitions because some of the clocks become "too old". In fact, we can use the techniques in [JLL77] to show that, in the case of urgent behaviour, controller state reachability is undecidable even for single-clock TNs. Also, in this paper we only consider safety properties. Liveness properties have been shown to be undecidable for single-clock TNs in [AJ03].
The ordering we provide for proving decidability of DTNs corresponds to an abstraction of configurations where we count the number of processes which are in a certain state and which have certain clock values. In a similar manner to [GS92], we can view this abstraction as a "Petri net"-like model where each place corresponds to one combination of process state and clock values. In contrast to [GS92], the transitions in the abstract model do not correspond to those of a Petri net. The main difference is that a timed transition simultaneously moves all tokens from each place corresponding to a certain clock value to the place corresponding to the next clock value. Compared to the model of Transfer Nets [FRSB02], a timed transition here corresponds to "parallel transfers", i.e. a set of transfers which are performed simultaneously. An alternative way to prove our decidability result would be to simulate a DTN by a transfer net. One ingredient in such a simulation is to simulate parallel transfers by sequences of transfer operations.
There are several classes of protocols which can be modelled as multi-clock TNs, such as the parameterized versions of the protocols in [BGK+96] and [MT01]. This means that, despite our undecidability result, it is interesting to design semi-algorithms for multi-clock TNs. One direction for future work is to design acceleration techniques which are sufficiently powerful to handle such classes of protocols.
