Presburger liveness verification of discrete timed automata  by Dang, Zhe et al.
Theoretical Computer Science 299 (2003) 413–438
www.elsevier.com/locate/tcs
Presburger liveness verification of discrete timed automata
Zhe Dang a,∗, Pierluigi San Pietro b, Richard A. Kemmerer c
a School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164, USA
b Dipartimento di Elettronica e Informazione, Politecnico di Milano, Italy
c Department of Computer Science, University of California at Santa Barbara, CA 93106, USA
Received 4 May 2001; received in revised form 11 February 2002; accepted 10 April 2002
Communicated by O.H. Ibarra
Abstract
Using an automata-theoretic approach, we investigate the decidability of liveness properties (called Presburger liveness properties) for timed automata when Presburger formulas on configurations are allowed. While the general problem of checking a temporal logic such as TPTL augmented with Presburger clock constraints is undecidable, we show that there are various classes of Presburger liveness properties which are decidable for discrete timed automata. For instance, it is decidable, given a discrete timed automaton A and a Presburger property P, whether there exists an ω-path of A where P holds infinitely often. We also show that other classes of Presburger liveness properties are indeed undecidable for discrete timed automata, e.g., whether P holds infinitely often for each ω-path of A. These results might give insights into the corresponding problems for timed automata over dense domains, and help in the definition of a fragment of linear temporal logic, augmented with Presburger conditions on configurations, which is decidable for model checking timed automata.
© 2002 Elsevier Science B.V. All rights reserved.
Keywords: Model-checking; Timed automata; Temporal logic; Liveness
A preliminary version [13] of this paper appeared in the Proceedings of the 18th International Symposium on Theoretical Aspects of Computer Science (STACS 2001), Lecture Notes in Computer Science 2010, Springer-Verlag, 2001, pp. 132–143.
∗ Corresponding author.
E-mail addresses: zdang@eecs.wsu.edu (Zhe Dang), sanpietr@elet.polimi.it (P.S. Pietro), kemm@cs.ucsb.edu (R.A. Kemmerer).
1. Introduction
Timed automata [3] are widely regarded as a standard model for real-time systems, because of their ability to express quantitative time requirements. A timed automaton can be considered as a finite automaton augmented with a number of clocks. Clocks can either progress (synchronously) at rate 1, or some of them may be reset to 0 when a transition is fired. Transitions may fire when their enabling conditions hold. In particular, the enabling condition of a transition is in the form of clock regions: a clock, or the difference of two clocks, is compared against an integer constant, e.g., x − y > 5, where x and y are clocks.
A fundamental result in the theory of timed automata is that region reachability is decidable. This has been proved by using the region technique [3]. This result is very useful since in principle it allows some forms of automatic verification of timed automata. In particular, it helps in developing a number of temporal logics [2–6,17,20,22,24], in investigating the model-checking problem and in building model-checking tools [18,25,21] (see [1,26] for surveys).
In real-world applications [8], clock constraints represented as clock regions are useful but often not powerful enough. For instance, we might want to argue whether a non-region property such as x_1 − x_2 > x_3 − x_4 (i.e., the difference of clocks x_1 and x_2 is larger than that of x_3 and x_4) always holds when a timed automaton starts from clock values satisfying another non-region property. Therefore, it would be useful to consider Presburger formulas as clock constraints, such as the example given in Section 5. Even though a temporal logic like TPTL [6] is undecidable when augmented with Presburger clock constraints [6], recent work [10–12] has found decidable characterizations of the binary reachability of timed automata, giving hope that some important classes of non-region temporal properties are still decidable for timed automata.
In this paper, we look at discrete timed automata (dta), i.e., timed automata where clocks are integer-valued. Discrete time makes it possible to apply, as underlying theoretical tools, a good number of automata-theoretic techniques and results. In addition to the fact that discrete clocks are usually easier for practitioners to handle than dense clocks and that dtas are useful by themselves as a model of real-time systems [5], results on dtas may give insights into corresponding properties of dense timed automata [16].
The study of safety properties and liveness properties is of course of the utmost importance for real-life applications [7]. In [10,12], it has been shown that the Presburger safety analysis problem is decidable for discrete timed automata. That is, it is decidable whether, given a discrete timed automaton A and two sets I and P of configurations of A (tuples of control state and clock values) definable by Presburger formulas, A always reaches a configuration in P when starting from a configuration in I.
In this paper we concentrate on the Presburger liveness problem, by systematically formulating a number of Presburger liveness properties and investigating their decidability. For instance, we consider the ∃-Presburger-i.o. problem: whether, given two Presburger sets P and I as above, there exists an ω-path p for A such that p starts from I and P is satisfied on p infinitely often. Another example is the ∀-Presburger-eventual problem: whether for all ω-paths p that start from I, P is eventually satisfied on p.
The main results of this paper show that (using an obvious notation, once it is clear that ∃ and ∀ are path quantifiers):
• The ∃-Presburger-i.o. problem and the ∃-Presburger-eventual problem are both decidable. So are their duals, the ∀-Presburger-almost-always problem and the ∀-Presburger-always problem.
• The ∀-Presburger-i.o. problem and the ∀-Presburger-eventual problem are both undecidable. So are their duals, the ∃-Presburger-almost-always problem and the ∃-Presburger-always problem.
These results can be helpful in formulating a weak form of a Presburger linear temporal logic and in defining a fragment thereof that is decidable for model-checking dtas. The proofs are based on the definition of a version of dtas, called static dtas, which do not have enabling conditions on transitions. The approach used is to first translate the problem for generalized dtas to an equivalent problem for static dtas. The results are then proved for the static dtas. Static dtas are much simpler to deal with than dtas; therefore, the proofs are easier.
This paper is organized as follows. Section 2 introduces the main definitions, such as discrete timed automata and the Presburger liveness properties. Section 3 shows the decidability of the ∃-Presburger-i.o. problem and the ∃-Presburger-eventual problem. Section 4 shows the undecidability of the ∀-Presburger-i.o. problem and the ∀-Presburger-eventual problem. Section 5 discusses some aspects related to the introduction of Presburger conditions in temporal logic and to the extension of our results to dense time domains.
2. Preliminaries
A timed automaton [3] is a finite state machine augmented with a number of clocks. All the clocks progress synchronously with rate 1, except when a clock is reset to 0 at some transition. In this paper, we consider integer-valued clocks. A clock constraint (or a region) is a Boolean combination of atomic clock constraints in the following form:
x # c, x − y # c,
where # denotes ≤, ≥, <, >, or =; c is an integer, and x, y are integer-valued clocks. Let L_X be the set of all clock constraints on clocks X. Let N be the set of nonnegative integers.
Definition 1. A discrete timed automaton (dta) is a tuple
A = 〈S, X, E〉
where S is a finite set of (control) states, X is a finite set of clocks with values in N, and E ⊆ S × 2^X × L_X × S is a finite set of edges or transitions.
Each edge 〈s, λ, l, s′〉 denotes a transition from state s to state s′ with enabling condition l ∈ L_X and a set of clock resets λ ⊆ X. Note that λ may be empty: in this case, the edge is called a clock progress transition. Also note that since a state may be connected to more than one state through multiple edges with the same enabling condition, A is, in general, nondeterministic.
The semantics of dtas is defined as follows. We use A, B, V, W, X, Y to denote clock vectors (i.e., vectors of clock values) with V_x being the value of clock x in V. 1 denotes the identity vector in N^{|X|}; i.e., 1_x = 1 for each x ∈ X.
Definition 2. A configuration 〈s, V〉 ∈ S × N^{|X|} is a pair of a control state s and a clock vector V.
〈s, V〉 →_A 〈s′, V′〉
denotes a one-step transition from configuration 〈s, V〉 to configuration 〈s′, V′〉 satisfying all the following conditions:
• There is an edge 〈s, λ, l, s′〉 in A connecting state s to state s′,
• The enabling condition of the edge is satisfied; i.e., l(V) is true,
• Each clock changes according to the edge. If there are no clock resets on the edge, i.e., λ = ∅, then clocks progress by one time unit, i.e., V′ = V + 1. If λ ≠ ∅, then for each x ∈ λ, V′_x = 0 while for each x ∉ λ, V′_x = V_x.
A configuration 〈s, V〉 is a deadlock configuration if there is no configuration 〈s′, V′〉 such that 〈s, V〉 →_A 〈s′, V′〉. A is total if every configuration is not a deadlock configuration. A path is a finite sequence
〈s_0, V^0〉 ··· 〈s_k, V^k〉
for some k ≥ 1 such that 〈s_i, V^i〉 →_A 〈s_{i+1}, V^{i+1}〉 for each 0 ≤ i ≤ k − 1. A path is a progress path if there is at least one clock progress transition, i.e., with λ = ∅, on the path. An ω-path is an infinite sequence
〈s_0, V^0〉 ··· 〈s_k, V^k〉 ···
such that each prefix 〈s_0, V^0〉 ··· 〈s_k, V^k〉 is a path. An ω-path is divergent if there is an infinite number of clock progress transitions on the ω-path. It is noticed that an “invariant” associated with a control state in a standard discrete timed automaton [3] can be modeled with a self-looping transition in our model [12]. Since we focus on the clock behaviors of a dta, instead of the ω-language accepted by it, input symbols (or event labels) [3] are not considered in our definition. The input to a timed automaton is always one-way. Thus, input symbols can always be built into control states.
Fig. 1 shows a simple discrete timed automaton with one clock x. It models a system with two states down and up, in which each down time is bounded by 4 and the system has been up for at least 100 time units before the next down time. The following sequence of configurations is a path: 〈down, x=0〉, 〈down, x=1〉, 〈up, x=0〉, 〈up, x=1〉, 〈up, x=2〉, …, 〈up, x=150〉, 〈down, x=0〉.
Fig. 1. An example of a discrete timed automaton. States: down, up. Edges (enabling condition / clock resets): down → down: x ≤ 4 / ∅; down → up: x > 0 / {x}; up → up: true / ∅; up → down: x ≥ 100 / {x}.
Let Y be a finite set of variables over integers. For all integers a_y, with y ∈ Y, b and c (with b > 0),
∑_{y∈Y} a_y y < c
is an atomic linear relation on Y and
∑_{y∈Y} a_y y ≡_b c
is a linear congruence on Y. A linear relation on Y is a Boolean combination (using ¬ and ∧) of atomic linear relations on Y. A Presburger formula on Y is the Boolean combination of atomic linear relations on Y and linear congruences on Y. A set P is Presburger-definable if there exists a Presburger formula F on Y such that P is exactly the set of the solutions for Y that make F true. Since Presburger formulas are closed under quantification, we will allow quantifiers over integer variables.
Write
〈s, V〉 ⇝_A 〈s′, V′〉
if 〈s, V〉 reaches 〈s′, V′〉 through a path in A. The binary relation ⇝_A can be considered as a subset of configuration pairs and called binary reachability. It has recently been shown that,
Theorem 1. The binary reachability ⇝_A is Presburger-definable [10,12].
The Presburger safety analysis problem is to decide whether A can only reach configurations in P starting from any configuration in I, given two Presburger-definable sets I and P of configurations. For example, an instance of this problem is:
“Given a discrete timed automaton A and a state s_0, starting from any configuration 〈s, V〉 with V_{x_1} + V_{x_2} − V_{x_3} < 5 ∧ s = s_0, A can only reach configurations 〈s′, V′〉 with V′_{x_1} − 2V′_{x_2} > 1.”
Because of Theorem 1, the Presburger safety analysis problem is decidable for dtas.
In this paper, we consider Presburger liveness analysis problems for dtas, obtained by combining a path-quantifier with various modalities of satisfaction on an ω-path. Let I and P be two Presburger-definable sets of configurations, and let p be an ω-path 〈s_0, V^0〉, 〈s_1, V^1〉 …. Define the following modalities of satisfaction of P and I over p:
• p is P-i.o. if P is satisfied infinitely often on the ω-path, i.e., there are infinitely many k such that 〈s_k, V^k〉 ∈ P.
• p is P-always if for each k, 〈s_k, V^k〉 ∈ P.
• p is P-eventual if there exists k such that 〈s_k, V^k〉 ∈ P.
• p is P-almost-always if there exists k such that for all k′ ≥ k, 〈s_{k′}, V^{k′}〉 ∈ P.
• p starts from I if 〈s_0, V^0〉 ∈ I.
Definition 3. Let A be a dta and let I and P be two Presburger-definable sets of configurations of A. The ∃-Presburger-i.o. (resp. always, eventual and almost-always) problem is to decide whether the following statement holds:
there is an ω-path p starting from I that is P-i.o. (resp. P-always, P-eventual and P-almost-always).
The ∀-Presburger-i.o. (resp. always, eventual and almost-always) problem is to decide whether the following statement holds:
for every ω-path p, if p starts from I, then p is P-i.o. (resp. always, eventual and almost-always).
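The following is an added Python example, not code from the paper: it evaluates the four modalities above on an ω-path given as a finite prefix followed by a loop that repeats forever (an assumption of the example: the witnesses built in Section 3 have this ultimately periodic shape, an arbitrary ω-path need not), using the Fig. 1 path, which returns to 〈down, x=0〉, as the loop. The function names and the use of Python predicates in place of Presburger-definable sets P and I are this example's own.

```python
"""Added example (not from the paper): the modalities of Section 2 on an
ultimately periodic omega-path p = prefix . loop . loop . loop ...
Configurations are (state, clock value) pairs; P and I are predicates."""


def fig1_omega_path():
    """Prefix and loop of the Fig. 1 omega-path of the paper (constructed here)."""
    loop = [("down", 0), ("down", 1)] + [("up", k) for k in range(151)]
    return [], loop


def is_io(prefix, loop, P):
    """P-i.o.: P holds infinitely often, i.e. on some configuration of the loop."""
    return any(P(c) for c in loop)


def is_always(prefix, loop, P):
    """P-always: P holds on every configuration of the prefix and of the loop."""
    return all(P(c) for c in prefix) and all(P(c) for c in loop)


def is_eventual(prefix, loop, P):
    """P-eventual: P holds on at least one configuration of the path."""
    return any(P(c) for c in prefix) or any(P(c) for c in loop)


def is_almost_always(prefix, loop, P):
    """P-almost-always: P holds from some k on, i.e. on the whole loop
    (a loop configuration violating P is visited infinitely often)."""
    return all(P(c) for c in loop)


def starts_from(prefix, loop, I):
    """The path starts from I if its first configuration <s_0, V^0> is in I."""
    return I(prefix[0] if prefix else loop[0])


def dualities_hold(prefix, loop, P):
    """Path-level dualities used in Section 3: P-i.o. is the negation of
    (not P)-almost-always, and P-eventual the negation of (not P)-always."""
    def not_P(c):
        return not P(c)
    return (is_io(prefix, loop, P) == (not is_almost_always(prefix, loop, not_P))
            and is_eventual(prefix, loop, P) == (not is_always(prefix, loop, not_P)))
```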
3. Decidability results
In this section, we show that the ∃-Presburger-i.o. problem is decidable for dtas. Proofs of an infinitely-often property usually involve analysis of cycles in the transition system. However, for dtas this is difficult because of the enabling conditions on edges. The difficulty is that because the clock values may be changed in a cycle, the enabling condition on the edge that starts the cycle may no longer be satisfied. Therefore, the cycle cannot be repeated. Our approach is to introduce static discrete timed automata (i.e., dtas with all the enabling conditions being simply true). Since the enabling condition for every cycle is now true, every cycle can be repeated. We first show that an ∃-Presburger-i.o. problem for a dta can be translated into an ∃-Presburger-i.o. problem for a static dta. Then, we prove that the ∃-Presburger-i.o. problem is decidable for static dtas.
3.1. A translation from dtas to static dtas
In this subsection, we use a technique modified from [12] to show that the tests in a dta A can be eliminated. That is, A can be effectively transformed into a static dta A′′ where all the tests are simply true and A′′ has (almost) the same static transition graph as A. This is based on an encoding of the tests of A into the finite state control of A′′.
Let X = {x_1, …, x_k} be the clocks in A and V be the clock vector that A starts with. Tests, which are the enabling conditions on edges, are Boolean combinations of x_i # c, x_i − x_j # c with c an integer. Here we demonstrate a technique to eliminate these tests, based on the definition of a finite table lookup a_ij # c and b_i # c to replace tests x_i − x_j # c and x_i # c. Let m be one plus the maximal absolute value of all the integer constants that appear in the tests in A. Denote the finite set [m] =def {−m, …, 0, …, m}. We have entries a_ij and b_i for 1 ≤ i, j ≤ k. Each entry can be regarded as a finite state variable with states in [m]. Intuitively, a_ij is used to record the difference between two clock values of x_i and x_j, and b_i is used to record the clock value of x_i. During the computation of A, when the difference x_i − x_j (or the value x_i) goes beyond m or below −m, a_ij (or b_i) keeps the value m or −m, respectively.
The procedure for updating the entries is given below, in which “⊕1” means adding one if the result does not exceed m, otherwise it keeps the same value. “⊖1” means subtracting one if the result is not less than −m, otherwise it keeps the same value.
We modify A as follows. Let e be an edge of A. If the set of clock resets on e is λ = ∅, then the entries are updated by adding the following instructions to e, for each 1 ≤ i ≤ k:
• a_ij := a_ij for each 1 ≤ j ≤ k. Recall that all the clocks progress after this edge, thus the difference between any two clocks is unchanged.
• b_i := b_i ⊕ 1. That is, clocks progress by one time unit.
If the set of clock resets is λ ≠ ∅, the entries are updated by adding the following instructions to e, for each 1 ≤ i, j ≤ k:
• a_ij := 0 if i ∈ λ and j ∈ λ. In this case, both the clocks x_i and x_j reset to 0.
• a_ij := −b_j if i ∈ λ and j ∉ λ. In this case, x_i resets but x_j does not. So the difference should be −x_j.
• a_ij := b_i if i ∉ λ and j ∈ λ.
• a_ij := a_ij if i ∉ λ and j ∉ λ,
followed by adding the following instructions:
• b_i := b_i if x_i ∉ λ.
• b_i := 0 if x_i ∈ λ.
The initial values of a_ij and b_i can be constructed directly from the values V_{x_i} of clocks x_i, for each 1 ≤ i, j ≤ k:
• a_ij := V_{x_i} − V_{x_j} if |V_{x_i} − V_{x_j}| ≤ m,
• a_ij := m if V_{x_i} − V_{x_j} > m,
• a_ij := −m if V_{x_i} − V_{x_j} < −m,
and, noticing that clocks are nonnegative,
• b_i := V_{x_i} if V_{x_i} ≤ m,
• b_i := m if V_{x_i} > m.
The correctness of using a_ij # c for a test x_i − x_j # c and using b_i # c for x_i # c is shown by the following statement: by adding the above entry updating instructions to A, after A executes any transition, the following conditions hold for all 1 ≤ i, j ≤ k and for each integer c, −m < c < m:
(1) x_i − x_j # c iff a_ij # c,
(2) x_i # c iff b_i # c.
The proof of this statement (omitted here) is a variant of the one in [12]. Thus, each edge in A is modified so that:
• Each test x_i − x_j # c and x_i # c is replaced by a replaced test a_ij # c and b_i # c, respectively,
• the entry updating instructions are added.
The resulting automaton is denoted by A′.
The replaced tests and the entry updating instructions in A′ can be further eliminated by expanding the states S. The resulting automaton is called A′′ with states S′′ ⊆ S × [m]^{k²+k}. In short, each expanded state in S′′ is a tuple of the original state s ∈ S and values (totally, k² + k many) of all entries a_ij and b_i, 1 ≤ i, j ≤ k. Each edge e (connecting a pair of states s_1, s_2 in S) in A′ is thus split into a finite number of edges in A′′. Each split edge in A′′ connects two expanded states s′′_1, s′′_2 in S′′, corresponding to the original states s_1 and s_2, respectively, such that: (a) the values of the entries in s′′_1 satisfy the replaced test on e (thus, the replaced tests are eliminated in A′′); (b) the values of the entries in s′′_1 and s′′_2 are consistent with the entry updating instructions on e (thus the entry updating instructions are eliminated in A′′). Each enabling condition in A′′ is simply true. Thus, A′′ is a static dta.
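The following is an added Python example, not code from the paper: it runs the one-step semantics of Definition 2 on a constructed two-clock dta (not the Fig. 1 automaton), maintains the entries a_ij and b_i of Section 3.1 with the page's update instructions, and checks conditions (1) and (2) after every transition for all five comparisons and every c with −m < c < m. The automaton, its guards, and the function names are assumptions of this example.

```python
"""Added example (not from the paper): test elimination of Section 3.1.
Clock vectors are dicts clock -> value; an edge is (s, resets, guard, s')."""
import operator
import random

CMP = (operator.lt, operator.le, operator.eq, operator.ge, operator.gt)   # the five #

# Constructed two-clock dta.  Guards use only x # c and x - y # c; the largest
# absolute constant is 5, so m = 6 as in Section 3.1.
CLOCKS = ("x", "y")
EDGES = [
    ("p", frozenset(),        lambda V: True,                 "p"),  # clock progress
    ("p", frozenset({"x"}),   lambda V: V["x"] - V["y"] >= 3, "q"),  # reset x
    ("p", frozenset(CLOCKS),  lambda V: V["x"] >= 5,          "p"),  # reset both
    ("q", frozenset(),        lambda V: True,                 "q"),  # clock progress
    ("q", frozenset({"y"}),   lambda V: V["y"] - V["x"] >= 2, "p"),  # reset y
]
M = 1 + 5


def successors(s, V, edges=EDGES):
    """All one-step transitions <s,V> -> <s',V'> of Definition 2, with the edge's resets."""
    for src, resets, guard, dst in edges:
        if src != s or not guard(V):
            continue
        if not resets:      # progress transition: every clock advances by one
            yield dst, resets, {x: v + 1 for x, v in V.items()}
        else:               # reset transition: clocks in resets become 0, others keep their value
            yield dst, resets, {x: (0 if x in resets else v) for x, v in V.items()}


def sat(v, m):
    """Saturate an integer into [m] = {-m, ..., m}."""
    return max(-m, min(m, v))


def init_entries(V, m, clocks=CLOCKS):
    """Initial a_ij and b_i constructed directly from the clock vector V."""
    a = {(i, j): sat(V[i] - V[j], m) for i in clocks for j in clocks}
    b = {i: sat(V[i], m) for i in clocks}
    return a, b


def update_entries(a, b, resets, m, clocks=CLOCKS):
    """The entry updating instructions of Section 3.1 for one edge with reset set `resets`."""
    if not resets:                                   # a_ij unchanged, b_i := b_i (+) 1
        return dict(a), {i: sat(b[i] + 1, m) for i in clocks}
    a2 = {}
    for i in clocks:
        for j in clocks:
            if i in resets and j in resets:
                a2[(i, j)] = 0                       # both clocks reset to 0
            elif i in resets:
                a2[(i, j)] = -b[j]                   # x_i becomes 0: difference is -x_j
            elif j in resets:
                a2[(i, j)] = b[i]                    # x_j becomes 0: difference is x_i
            else:
                a2[(i, j)] = a[(i, j)]
    b2 = {i: (0 if i in resets else b[i]) for i in clocks}   # b updated after the a's
    return a2, b2


def check_invariant(V, a, b, m, clocks=CLOCKS):
    """Conditions (1) and (2): for every # and every c with -m < c < m,
    x_i - x_j # c iff a_ij # c, and x_i # c iff b_i # c."""
    for c in range(-m + 1, m):
        for op in CMP:
            for i in clocks:
                if op(V[i], c) != op(b[i], c):
                    return False
                for j in clocks:
                    if op(V[i] - V[j], c) != op(a[(i, j)], c):
                        return False
    return True


def random_run(s0, V0, steps, seed=0, m=M):
    """Simulate a random path of `steps` transitions while maintaining the entries;
    return how many transitions satisfied conditions (1) and (2) (== steps if all)."""
    rng = random.Random(seed)
    s, V = s0, dict(V0)
    a, b = init_entries(V, m)
    ok = 0
    for _ in range(steps):
        choices = list(successors(s, V))
        if not choices:                              # deadlock configuration
            break
        s, resets, V = rng.choice(choices)
        a, b = update_entries(a, b, resets, m)
        ok += check_invariant(V, a, b, m)
    return ok
```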
It should be clear that A′′ simulates A. That is, an ω-path in A corresponds to an ω-path in A′′ (and vice versa) while preserving the exact sequence of clock values. This can be precisely stated in the following theorem:
Theorem 2. Given a dta A and a static dta A′′ constructed as above,
〈s_0, V^0〉 ··· 〈s_k, V^k〉 ···
is an ω-path of A iff there exists an ω-path
〈s′′_0, V^0〉 ··· 〈s′′_k, V^k〉 ···
of A′′ such that:
• For each i ≥ 0, the original state of the extended state s′′_i is equal to s_i.
• The entry values a_ij and b_i in the extended state s′′_0 are the initial entry values constructed from V^0.
Now we look at the ∃-Presburger-i.o. problem for A. Recall that the problem is to determine, given two Presburger-definable sets I and P of configurations of A, whether there exists a P-i.o. ω-path p starting from I (p is called a witness). We relate the instance of the ∃-Presburger-i.o. problem for A to an instance of the ∃-Presburger-i.o. problem for the static dta A′′:
Lemma 1. Given a dta A, and two Presburger-definable sets I and P of configurations of A, there exist a static dta A′′ and two Presburger-definable sets I′′ and P′′ of configurations of A′′ such that: the existence of a witness to the ∃-Presburger-i.o. for A, given I and P, is equivalent to the existence of a witness to the ∃-Presburger-i.o. for A′′, given I′′ and P′′.
Proof. Define I′′ and P′′ to be two sets of configurations of A′′ as follows. A configuration of A′′ is in I′′ if and only if the configuration is in I (when the entry values a_ij and b_i are ignored) and the entry values are the initial entry values constructed from clock values in the configuration. That is,
〈s, a_11, …, a_1k, …, a_k1, …, a_kk, b_1, …, b_k, V〉 ∈ I′′
iff
• 〈s, V〉 ∈ I,
• For each 1 ≤ i, j ≤ k, a_ij and b_i are the initial entry values constructed from clock values V as we mentioned before. That is, for each 1 ≤ i, j ≤ k:
◦ a_ij = V_i − V_j if |V_i − V_j| ≤ m,
◦ a_ij = m if V_i − V_j > m,
◦ a_ij = −m if V_i − V_j < −m,
◦ b_i = V_i if V_i ≤ m,
◦ b_i = m if V_i > m.
Obviously, I′′ is Presburger-definable. A configuration of A′′ is in P′′ if and only if the configuration is in P when the entry values a_ij and b_i are ignored. That is,
〈s, a_11, …, a_1k, …, a_k1, …, a_kk, b_1, …, b_k, X〉 ∈ P′′
iff 〈s, X〉 ∈ P. It is also obvious that P′′ is Presburger-definable.
Notice that, in Theorem 2, 〈s′′_0, V^0〉 ∈ I′′ if 〈s_0, V^0〉 ∈ I. Also notice that 〈s_0, V^0〉 ··· 〈s_k, V^k〉 ··· and 〈s′′_0, V^0〉 ··· 〈s′′_k, V^k〉 ··· have exactly the same sequence of clock values. Therefore, in Theorem 2, 〈s_0, V^0〉 ··· 〈s_k, V^k〉 ···, with 〈s_0, V^0〉 ∈ I, is a P-i.o. ω-path of A iff 〈s′′_0, V^0〉 ··· 〈s′′_k, V^k〉 ··· is a P′′-i.o. ω-path of A′′ with 〈s′′_0, V^0〉 ∈ I′′. Thus, the existence of a witness to the ∃-Presburger-i.o. for A, given I and P, is equivalent to the existence of a witness to the ∃-Presburger-i.o. for A′′, given I′′ and P′′.
Due to Lemma 1, it suffices for us to consider static dtas in showing the decidability of the ∃-Presburger-i.o. problems.
3.2. The ∃-Presburger-i.o. problem for static dtas
In this subsection we show that the ∃-Presburger-i.o. problem for static dtas is decidable. Let A be a static dta throughout this subsection. Recall that, given two sets I and P of configurations of A definable by Presburger formulas, an ω-path p = 〈s_0, V^0〉 ··· 〈s_k, V^k〉 ··· is a witness to the ∃-Presburger-i.o. problem if p is P-i.o. and p starts from I (i.e., 〈s_0, V^0〉 ∈ I). There are two cases to consider: (1) p is not divergent; (2) p is divergent. For the first case, the following lemma can be easily established from the binary reachability of A.
Lemma 2. The existence of a non-divergent witness is decidable.
Proof. Let A′ be the automaton obtained by dropping all the clock progress transitions from A (thus, each path included in an ω-path of A′ is a non-progress path). Observe that there exists a nondivergent witness iff there are s and V such that
• there exists 〈s_0, V^0〉 ∈ I such that 〈s_0, V^0〉 ⇝_A 〈s, V〉. That is, 〈s, V〉 is reachable from a configuration in I,
• 〈s, V〉 ∈ P, and
• 〈s, V〉 can reach itself (i.e., a cycle) in A′.
The statement of the lemma follows immediately from the fact that each item above is Presburger-definable (Theorem 1).
The remainder of this subsection is devoted to the proof that the existence of a divergent witness is decidable. In order to do this, we need the following definition of a progress cycle (in contrast to the cycle defined in the previous proof).
Denition 4. Let s be a control state, Xr ⊆X be a set of clocks, 1 and V and V ′ be
clock vectors. We write 〈s;V〉❀AXr 〈s;V ′〉 if
1. 〈s;V〉 is reachable from a con#guration in I ,
2. 〈s;V ′〉 ∈P,
3. 〈s;V〉❀A 〈s;V ′〉 through a progress path where all the clocks in Xr are reset at
least once and all the clocks not in Xr are not reset.
The proof proceeds as follows. Since A has #nitely many control states, there exists
a P-i.o. !-path p iF there is a state s such that P holds in#nitely often on p at state s.
This is equivalent to saying (Lemma 3) that there exist clock vectors V 1;V 2; : : : such
that 〈s;V i〉❀AXr 〈s;V i+1〉 for each i¿0. We then show (Lemma 4) that the relation ❀AXr
is Presburger-de#nable. Since the actual values of the clocks in Xr may be abstracted
away (Lemma 5 and De#nition 5) and the clocks in X − Xr progress synchronously,
this is equivalent to saying that there exist V ; d1¿0; d2¿0; : : : such that V ix =Vx + di
for all x∈X −Xr (Lemma 6). The set {di} may be de#ned with a Presburger formula,
as shown in Lemma 7, since each di may always be selected to be of the form
ci + f(ci), where the set {ci} is a periodic set (hence, Presburger-de#nable) and f is
a Presburger-de#nable function. This is based on the fact that static automata have no
edge conditions, allowing us to increase the length d of a progress cycle to a length
nd (Lemma 8), for every n¿0. The decidability result on the existence of a divergent
witness follows directly from Lemma 8.
Lemma 3. There is a divergent witness p i9 there are s, Xr and clock vectors
V 1;V 2; : : : such that
〈s;V i〉❀AXr 〈s;V i+1〉
for each i¿0.
Proof. Immediate from De#nition 4.
Lemma 4. ❀AXr is Presburger-de6nable. That is, given s∈ S,
〈s;V〉❀AXr 〈s;V ′〉
1 We assume X − Xr = ∅. This can be achieved by adding a dummy clock now that never resets and that
indicates the current time.
Z. Dang et al. / Theoretical Computer Science 299 (2003) 413–438 423
is a Presburger formula, when the clock vectors V ;V ′ are regarded as integer vari-
ables.
Proof. Let R denote all tuples 〈s;V〉; 〈s;V ′〉 such that condition (3) of De#nition
4 holds. A reversal-bounded multicounter machine [19] is a one-way (input) #nite
automaton augmented with #nitely many reversal-bounded counters (i.e., each counter
can be incremented or decremented by one and tested for zero, but the number of
times it changes mode from nondecreasing to nonincreasing and vice versa is bounded
by a constant, independent of the computation). In [12], we have shown that ❀A can
be accepted by a reversal-bounded multicounter machine M (i.e., Theorem 1, since
reversal-bounded counter machines accept only Presburger-de#nable sets when the input
is of integer tuples [19].). M can be easily modi#ed to a machine M ′ accepting R
as follows. M ′, with 〈s;V〉 and 〈s;V ′〉 on its input tape, simulates A starting from
con#guration 〈s;V〉 exactly as M . But during the simulation, M ′ makes sure, using its
own #nite control, that
• each clock in Xr resets at least once,
• each clock not in Xr does not reset,
• there is at least one clock progress cycle executed.
At some moment, M ′ guesses that the con#guration 〈s;V ′〉 has been reached and
compares it with the current con#guration of A on the input tape (see [12] for details).
Thus, R can be accepted by M ′. Therefore, R is Presburger-de#nable.
Now, 〈s;V〉❀AXr 〈s;V ′〉 can be rewritten as
∃〈s0;V 0〉 ∈ I(〈s0;V 0〉❀A 〈s;V〉 ∧ 〈s;V ′〉 ∈ P ∧ (〈s;V〉; 〈s;V ′〉) ∈ R):
Clearly, this is a Presburger formula on V and V ′, since I; P and R are Presburger,
and it is known that Presburger formulas are closed under quanti#cation.
〈s, V〉 ⇝_A^{X_r} 〈s, W〉 denotes the following scenario. Starting from some configuration in I, A can reach 〈s, V〉 and return to s again with clock values W. The cycle at s is a progress cycle such that each clock in X_r resets at least once and all clocks not in X_r do not reset. Since A is static, the cycle can be represented by a sequence s_0 s_1 ··· s_t of control states, with s_0 = s_t = s, and such that, for each 0 ≤ i < t, there is an edge in A connecting s_i and s_{i+1}. Observe that, since each x ∈ X_r is reset in the cycle, the starting clock values V_x for x ∈ X_r at s_0 = s are insensitive to the ending clock values W_x with x ∈ X_r at s_t = s (these values of W_x only depend on the sequence of control states). We write V =_{X−X_r} U if V and U agree on the values of the clocks not in X_r, i.e., V_x = U_x, for each x ∈ X − X_r. The insensitivity property for static dtas is stated in the following lemma.
Lemma 5. For all clock vectors U, V, W, if
〈s, V〉 ⇝_A^{X_r} 〈s, W〉
and 〈s, U〉 is reachable from some configuration in I with V =_{X−X_r} U, then
〈s, U〉 ⇝_A^{X_r} 〈s, W〉.
Also note that, since all clocks not in X_r do not reset and progress synchronously on the cycle, the differences W_x − V_x for each x ∈ X − X_r are equal to the duration of the cycle (i.e., the number of progress transitions in the cycle). The following technical definition allows us to “abstract” clock values for X_r away in 〈s, V〉 ⇝_A^{X_r} 〈s, W〉.
Definition 5. For all clock vectors Y and Y′, we write
Y ⇝_A^{〈s,X_r〉} Y′
if there exist two clock vectors V and W such that 〈s, V〉 ⇝_A^{X_r} 〈s, W〉 with Y =_{X−X_r} V and Y′ =_{X−X_r} W.
Obviously, the relation ⇝_A^{〈s,X_r〉} is Presburger-definable.
Lemma 6. There exists a divergent witness for A if and only if there are s, X_r, Y, d_1, d_2, … such that
0 ≤ d_1 < d_2 < ···
and
Y + d_i 1 ⇝_A^{〈s,X_r〉} Y + d_{i+1} 1,
for each i ≥ 1.
Proof (if-part). By Definition 5, for each i ≥ 1,
Y + d_i 1 ⇝_A^{〈s,X_r〉} Y + d_{i+1} 1
if there exist A^i, B^i such that 〈s, A^i〉 ⇝_A^{X_r} 〈s, B^i〉 with a cycle of duration d_{i+1} − d_i, and with A^i =_{X−X_r} Y + d_i 1 and B^i =_{X−X_r} Y + d_{i+1} 1. By Lemma 5, for each i ≥ 1,
〈s, B^i〉 ⇝_A^{X_r} 〈s, B^{i+1}〉.
From Lemma 3, there is a divergent witness.
(only-if-part). Conversely, assume the existence of a divergent witness, i.e., by Lemma 3, there are clock vectors B^1, B^2, … such that for each i ≥ 1,
〈s, B^i〉 ⇝_A^{X_r} 〈s, B^{i+1}〉.
Let Y = B^1. For each i ≥ 1, let d_i be such that
d_i 1 =_{X−X_r} B^i − Y.
Therefore, for each i ≥ 1, B^i =_{X−X_r} Y + d_i 1: by Definition 5,
Y + d_i 1 ⇝_A^{〈s,X_r〉} Y + d_{i+1} 1.
The following lemma uses the fact that a cycle in a static dta can be repeated. It will be used in the proof of Lemma 8.
Lemma 7. For all Y, Y′, d > 0, if Y ⇝_A^{〈s,X_r〉} Y + d 1 and, for some n ≥ 1, Y + nd 1 ⇝_A^{〈s,X_r〉} Y′, then Y + d 1 ⇝_A^{〈s,X_r〉} Y′.
Proof. By Definition 5, since Y ⇝_A^{〈s,X_r〉} Y + d 1, there are clock vectors A, B such that Y =_{X−X_r} A, Y + d 1 =_{X−X_r} B, and 〈s, A〉 ⇝_A^{X_r} 〈s, B〉 with a progress cycle of duration d. Moreover, again by Definition 5, since Y + nd 1 ⇝_A^{〈s,X_r〉} Y′, there exist C, E such that 〈s, C〉 ⇝_A^{X_r} 〈s, E〉 with C =_{X−X_r} Y + nd 1 and E =_{X−X_r} Y′. Since A is static, a cycle from state s to state s may be repeated any number of times starting from 〈s, B〉. That is, there exists 〈s, B′〉 such that from 〈s, B〉 we may reach 〈s, B′〉 with a cycle of duration (n − 1)d, which verifies condition (3) of Definition 4. But B′ =_{X−X_r} C, and 〈s, B′〉 is reachable from 〈s, A〉 and hence from I. By Lemma 5, 〈s, B′〉 ⇝_A^{X_r} 〈s, E〉. Therefore, 〈s, B〉 can reach 〈s, E〉 through a progress cycle on which all and only the clocks in X_r are reset at least once, 〈s, B〉 is reachable from I and 〈s, E〉 ∈ P: by Definition 5, 〈s, B〉 ⇝_A^{X_r} 〈s, E〉, i.e., Y + d 1 ⇝_A^{〈s,X_r〉} Y′.
Lemma 8. The existence of a divergent witness is decidable for a static dta A.
Proof. We claim that there are s, X_r such that the Presburger formula
(∗) ∃Y ∀m > 0 ∃D_1 > m ∃D_2 > 0 (Y + D_1 1 ⇝_A^{〈s,X_r〉} Y + (D_1 + D_2) 1)
holds if and only if there is a divergent witness for A. The statement of the lemma then follows immediately.
Assume there is a divergent witness. Then, by Lemma 3, there exist V 1;V 2; : : : and
d1; d2; : : : such that, for each i¿1,
〈s;V i〉❀AXr 〈s;V i+1〉
with a progress cycle of duration di¿0. Let Y =V 1. By De#nition 5,
Y +
(
i−1∑
j=1
dj
)
1❀A〈s;Xr〉 Y +
(
i∑
j=1
dj
)
1
for each i¿1. For each m¿0, let
D1 =
m∑
j=1
dj
and D2 =dm+1. It is immediate that (*) holds.
Conversely, let $Y_0$ be one of the vectors $Y$ such that (*) holds. Since $Y_0$ is fixed, the formula $H(D_1)$, defined as
$$\exists D_2 \ge 0\; \bigl(Y_0 + D_1\mathbf{1} \leadsto_{A\langle s,X_r\rangle} Y_0 + (D_1 + D_2)\mathbf{1}\bigr),$$
is Presburger-definable. Apply skolemization to the above formula by introducing a function $f(D_1)$ to replace the variable $D_2$:
$$Y_0 + D_1\mathbf{1} \leadsto_{A\langle s,X_r\rangle} Y_0 + (D_1 + f(D_1))\mathbf{1}.$$
Since (*) holds, $H(D_1)$ holds for infinitely many values of $D_1$. Combining this with the fact that $H(D_1)$ is Presburger-definable, there is a periodic set included in the infinite domain of $H$, i.e., there exist $n \ge 1$, $k \ge 0$ such that for all $d \ge 0$, if $d \equiv_n k$ then $H(d)$ holds. Let $c_0$ be any value in the periodic set, and let
$$c_i = c_{i-1} + n f(c_{i-1})$$
for every $i \ge 1$. Obviously, every $c_i$ satisfies the periodic condition $c_i \equiv_n k$, and therefore $H(c_i)$ holds. Hence, for every $i \ge 1$,
$$Y_0 + c_i\mathbf{1} \leadsto_{A\langle s,X_r\rangle} Y_0 + (c_i + f(c_i))\mathbf{1}.$$
Since
$$Y_0 + c_{i+1}\mathbf{1} = Y_0 + c_i\mathbf{1} + n f(c_i)\mathbf{1} \leadsto_{A\langle s,X_r\rangle} Y_0 + (c_{i+1} + f(c_{i+1}))\mathbf{1},$$
we may apply Lemma 7 with $Y = Y_0 + c_i\mathbf{1}$, $d = f(c_i)$, and
$$Y' = Y_0 + (c_{i+1} + f(c_{i+1}))\mathbf{1}.$$
Lemma 7 then gives $Y + d\mathbf{1} \leadsto_{A\langle s,X_r\rangle} Y'$, i.e.,
$$Y_0 + (c_i + f(c_i))\mathbf{1} \leadsto_{A\langle s,X_r\rangle} Y_0 + (c_{i+1} + f(c_{i+1}))\mathbf{1},$$
for every $i \ge 1$. By Lemma 6, with $d_i = c_i + f(c_i)$, there is a divergent witness.
By Lemmas 2 and 8, we have:
Theorem 3. The ∃-Presburger-i.o. problem is decidable for static dtas.
Since A′′ in Lemma 1 is a static dta, the decidability of the ∃-Presburger-i.o. problem for dtas follows from Lemma 1 and Theorem 3. Also notice that deciding the ∃-Presburger-i.o. problem is equivalent to deciding the negation of the ∀-Presburger-almost-always problem. Thus,
Theorem 4. The ∃-Presburger-i.o. problem and the ∀-Presburger-almost-always problem are decidable for dtas.
Since the length of the Presburger formula for the binary reachability of a dta is unknown, we cannot give an accurate complexity bound for the decision procedure of the ∃-Presburger-i.o. problem. However, if we assume that L is the maximum of the length of the binary reachability (written in a quantifier-free linear relation) for the static dta translated from the given dta, the length of the initial condition I, and the property P, the complexity bound is $\exp\bigl(L(cn)^3\bigr)$ for some constant c, where n is the number of clocks in the dta. This can be obtained by looking at the complexity for eliminating the quantifiers in formula (*) in the proof of Lemma 8 and using the result in [23]. Hence, the complexity bound for the ∃-Presburger-i.o. problem is at least double exponential in the number of clocks.
3.3. Decidability of the ∃-Presburger-eventual problem
Given a dta A, and two Presburger-definable sets I and P of configurations, the ∃-Presburger-eventual problem is to decide whether there exists a P-eventual ω-path p starting from I. Define I′ to be the set of all configurations in P that can be reached from a configuration in I. From Theorem 1, I′ is Presburger-definable. One can see that
$$p = \langle s_0, V^0\rangle \cdots \langle s_i, V^i\rangle \cdots$$
is P-eventual and $\langle s_0, V^0\rangle \in I$ iff there exists i such that $\langle s_i, V^i\rangle \in I'$ and the ω-path $\langle s_i, V^i\rangle \cdots$ is true-i.o. Therefore, the existence of a witness for the ∃-Presburger-eventual problem (given I and P) is equivalent to the existence of a witness for the ∃-Presburger-i.o. problem (given I′ and true). From Theorem 4, we have:
Theorem 5. The ∃-Presburger-eventual problem and the ∀-Presburger-always problem are decidable for dtas.
It should be noted that, for dtas, there is a slight difference between the ∀-Presburger-always problem and the Presburger safety analysis problem mentioned before. The difference is that the Presburger safety analysis problem considers (finite) paths while the ∀-Presburger-always problem considers ω-paths.
4. Undecidability results
The next three subsections show the undecidability of the ∀-Presburger-eventual problem and of the ∀-Presburger-i.o. problem. We start by demonstrating that a two-counter machine can be implemented by a generalized version of a dta. This fact is then used in the following two subsections to show the undecidability results.
4.1. Counter machines and generalized discrete timed automata
Consider a counter machine M with counters x1, ..., xk over nonnegative integers and with a finite set of locations {l1, ..., ln}. M can increment, decrement and test against 0 the values of the counters. It is well known that a two-counter machine can simulate a Turing machine.
We now define generalized discrete timed automata. They are defined similarly to dtas, but for each edge 〈s; ; l; s′〉 the enabling condition l is of the form $\sum_i a_i x_i \,\#\, c$, where ai and c are integers. The following lemma states that generalized dtas are Turing-complete, since they can simulate any counter machine. The proof can be found in the appendix.
Lemma 9. Given a deterministic counter machine M, there exists a deterministic generalized dta that can simulate M.
From now on, let M be a deterministic counter machine and let A be a deterministic generalized dta that implements M. We may assume that A is total (i.e., there are no deadlock configurations), since A can be made total by adding a new self-looped state sf and directing every deadlock configuration to this new state. Now we define the static version A− of A, obtained by modifying A as follows. A− is a discrete timed automaton with the enabling condition on each edge being simply true. Each state in A− is a pair of states in A:
〈〈s1; s′1〉; 1; true; 〈s2; s′2〉〉
is an edge of A− iff there are edges 〈s1; 1; l1; s′1〉 and 〈s2; 2; l2; s′2〉 in A with s′1 = s2.
We define a set P, called the path restriction of A, of configurations of A− as follows. For each configuration 〈〈s, s′〉, V〉 of A−, 〈〈s, s′〉, V〉 ∈ P iff there exists an edge e = 〈s; ; l; s′〉 in A such that the clock values V satisfy the linear relation l in e. Clearly, P is Presburger-definable. Since A is total and deterministic, the above edge e always exists and is unique for each configuration 〈s, V〉 of A. Using this fact, we have:
Theorem 6. Let A be a total and deterministic generalized dta with path restriction P, and let A− be the static version of A. An ω-sequence
$$\langle s_0, V^0\rangle \cdots \langle s_k, V^k\rangle \cdots$$
is an ω-path of A iff
$$\langle\langle s_0, s_1\rangle, V^0\rangle \cdots \langle\langle s_k, s_{k+1}\rangle, V^k\rangle \cdots$$
is an ω-path of A− with $\langle\langle s_k, s_{k+1}\rangle, V^k\rangle \in P$ for each k.
4.2. Undecidability of the ∀-Presburger-eventual problem
We consider the negation of the ∀-Presburger-eventual problem, i.e., the ∃-Presburger-always problem, which can be formulated as follows: given a discrete timed automaton A and two Presburger-definable sets I and P of configurations, decide whether there exists a ¬P-always ω-path of A starting from I.
Consider a deterministic counter machine M with the initial values of the counters being 0 and the first instruction labeled l0. Let A be the deterministic generalized dta implementing M, as defined by Lemma 9, with P being the path restriction of A. As before, A is total. Let A− be the static version of A. It is well known that the halting problem for (deterministic) counter machines is undecidable. That is, it is undecidable, given M and an instruction label l, whether M executes the instruction l. Define P′ to be the set of configurations 〈〈s, s′〉, V〉 ∈ P with s = l. Let I be the set of initial configurations of A− with all the clocks being 0 and the first component of the state (note that each state in A− is a state pair of A) being l0. I is finite, thus Presburger-definable. From Theorem 6 and the fact that A implements M, we have:
M does not halt at l iff A− has a P′-always ω-path starting from a configuration in I.
Thus, we reduce the negation of the halting problem to the ∃-Presburger-always problem for dtas with configuration sets P′ and I. Therefore,
Theorem 7. The ∃-Presburger-always problem and the ∀-Presburger-eventual problem are undecidable for discrete timed automata.
4.3. Undecidability of the ∀-Presburger-i.o. problem
The ∀-Presburger-i.o. problem for discrete timed automata is to decide, given a discrete timed automaton A and two Presburger-definable sets I and P of configurations, whether p is P-i.o. for every ω-path p starting from I. The negation of the problem, i.e., the ∃-Presburger-almost-always problem, can be formulated as follows: whether there exists a ¬P-almost-always ω-path of A starting from I. In this subsection, we show that the ∃-Presburger-almost-always problem is also undecidable. Therefore, the ∀-Presburger-i.o. problem is also undecidable.
In the previous subsection we have shown that the existence of a P-always ω-path of A is undecidable. But this result does not directly imply that the existence of a P-almost-always ω-path is also undecidable.
Let A− be the static version of a deterministic generalized discrete timed automaton A that implements a deterministic counter machine M, let P be the path restriction of A, and let p be an ω-path of A−. In the previous subsection we argued that the existence of a P′-always ω-path p is undecidable where P′ is P ∩ {〈〈s, s′〉, V〉 : s = l} with l being a given instruction label in M. But when considering a P′-almost-always path p, the situation is different: p may have a prefix that does not necessarily satisfy P′ (i.e., it does not obey the exact enabling conditions on the edges in A).
Consider a deterministic two-counter machine M with an input tape, and denote with M(i) the result of the computation of M when given i ∈ N as input. It is known that the finiteness problem for deterministic two-counter machines (i.e., whether there are finitely many i such that M(i) halts) is undecidable. Now we reduce the finiteness problem to the ∃-Presburger-almost-always problem for dtas.
We can always assume that M halts when and only when it executes an operation labeled halt. Let M′ be a counter machine (without input tape) that enumerates all the computations of M on every i ∈ N. M′ works as follows. We use Mj(i) to denote the jth step of the computation of M(i). If M(i) halts in less than j steps, then we assume that Mj(i) is a special null operation that does nothing. Thus, the entire computation of M(i) is an ω-sequence M1(i), ..., Mj(i), ... (when M(i) halts, the sequence is composed of a finite prefix, followed by the halt operation and then by infinitely many occurrences of the special null operation). Each step of the computation may or may not execute the instruction labeled halt, but of course a halt may be executed at most once for each input value i. M′ implements the following program:
    k := 0; z := 0;
    while true do
        k := k + 1;
        for i := 0 to k − 1 do
            z := 1;
            simulate M(i) for the first k steps M1(i), M2(i), ..., Mk(i);
            if Mk(i) executes the instruction labeled halt, then z := 0;
M′ is still a deterministic counter machine (with various additional counters to be able to simulate M and keep track of k, i, z). In the enumeration, whenever Mk(i) executes the instruction labeled halt (at most once for each i, by the definition of M′ as above), M′ sets the counter z to 0, bringing it back to 1 immediately afterwards; M′ resets z to 0 only finitely many times iff the domain of M (i.e., the set of i such that M(i) halts) is finite. Let A− be the static version of a generalized discrete timed automaton A that implements M′. Let P be the path restriction of A. P′ is P ∩ {〈〈s, s′〉, V〉 : V_z = 0}. Then:
there are only finitely many i such that M(i) halts
⇔
there are only finitely many configurations with z = 0 in the computation of M′
⇔
in the (unique) ω-path 〈s0, V^0〉〈s1, V^1〉 · · · of M′, there are only finitely many i such that V^i_z = 0
⇔ (Lemma 9 and Theorem 6)
there is an ω-path p of A− such that p is P′-almost-always and p starts from the initial configuration with all clocks being 0 (since all counters in M′ start from 0)
⇔
A− is ∃-Presburger-almost-always against P′ and I contains only the initial configuration.
Therefore,
Theorem 8. The ∃-Presburger-almost-always problem and the ∀-Presburger-i.o. problem are undecidable for discrete timed automata.
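The enumeration performed by M′ can be run concretely. The following Python code is an added example, not from the paper: a small interpreter for deterministic counter machines with the instruction kinds of Appendix A (the input i is placed in counter x1, standing in for the input tape, and a zero test branches on both outcomes), the program of M′ on top of it, and two constructed machines, one with a finite halting domain and one with an infinite one; the number of rounds k is bounded by a parameter since M′ itself never terminates.

```python
# Added example (not the paper's code): M' from Section 4.3 run on a toy
# counter-machine interpreter. Instruction kinds follow Appendix A:
#   ("inc", x, l)            -> counter x += 1, go to location l
#   ("dec", x, l)            -> if x > 0: x -= 1, go to l (otherwise stuck)
#   ("jz", x, l_zero, l_nz)  -> test x against zero and branch (assumption:
#                               the else-branch makes the test deterministic)
# Locations are list indices; HALT is the single halting location.

HALT = "halt"


def run_steps(program, i, k):
    """Return the k operations executed by M(i): the kind of each instruction
    fired, 'halt' once when the halt location is first executed, and the
    special 'null' operation forever after (the omega-sequence M1(i), M2(i), ...)."""
    counters = {"x1": i, "x2": 0}   # input i stands in for the input tape
    loc = 0
    ops = []
    halted = False
    for _ in range(k):
        if loc == HALT:
            ops.append("null" if halted else "halt")
            halted = True
            continue
        kind, x, *targets = program[loc]
        ops.append(kind)
        if kind == "inc":
            counters[x] += 1
            loc = targets[0]
        elif kind == "dec":
            if counters[x] > 0:      # subtraction is enabled only when x > 0
                counters[x] -= 1
                loc = targets[0]
        else:                        # "jz": test against zero
            loc = targets[0] if counters[x] == 0 else targets[1]
    return ops


def m_prime(program, rounds):
    """The program of M' for k = 1 .. rounds. Yields z after every inner-loop
    iteration; z is 0 exactly when M_k(i) executes the instruction labeled halt."""
    k = 0
    z = 0
    while k < rounds:                # 'while true' in M', bounded here
        k += 1
        for i in range(k):           # for i := 0 to k - 1
            z = 1
            if run_steps(program, i, k)[-1] == "halt":
                z = 0
            yield z


def count_z_resets(program, rounds):
    """How many times M' resets z to 0 during the first `rounds` rounds."""
    return sum(1 for z in m_prime(program, rounds) if z == 0)


# Constructed machine 1: halts iff i in {0, 1, 2}, so its domain is finite.
M_FINITE = [
    ("jz", "x1", HALT, 1),
    ("dec", "x1", 2),
    ("jz", "x1", HALT, 3),
    ("dec", "x1", 4),
    ("jz", "x1", HALT, 5),
    ("inc", "x2", 5),                # i >= 3: loop forever
]

# Constructed machine 2: halts iff i is even, so its domain is infinite.
M_EVEN = [
    ("jz", "x1", HALT, 1),
    ("dec", "x1", 2),
    ("jz", "x1", 3, 4),
    ("inc", "x2", 3),                # i was odd: loop forever
    ("dec", "x1", 0),
]


if __name__ == "__main__":
    for name, m in (("finite domain", M_FINITE), ("even inputs", M_EVEN)):
        print(name, [count_z_resets(m, r) for r in (10, 20, 40)])
```

For M_FINITE the count of z-resets stops growing after the three halting inputs have been reached, while for M_EVEN it keeps increasing with the number of rounds, which is the distinction the reduction exploits.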
5. A verification example
In this section, we illustrate how the paper's results on decidability of Presburger safety and liveness properties may help in the verification of real-time systems.
We consider a traditional benchmark in real-time specifications: the railroad crossing problem, following the description given in [15]. The system to be developed operates a gate at a railroad crossing. We assume that there is only one track, and the train may cross only in one direction. The behavior of the train is shown by the nondeterministic timed automaton whose transition graph is given in Fig. 2. A train may be far from the critical region around the crossing; when it enters the region, it is approaching the gate, until it enters the crossing. The train then exits and another train may enter, after a suitable delay, starting another cycle of far/approaching/crossing. Signals on the railroad ensure that at any time only one train may be approaching or crossing.
[Fig. 2 transition graph, not reproduced: states far, approaching, crossing; initial resets {t1, t2, t3}; edge guards t1>50, 50<t2<=200, 50<t3<=200 with resets {t2}, {t3}, {t1}; self-loop guards t2<200 and t3<200.]
Fig. 2. The train.
[Fig. 3 transition graph, not reproduced: states open, closing, closed, opening; initial resets {x1, x2, x3, x4}; guards true, x1<50, 40<x1<=50, 40<=x3<50; resets {x1}, {x2}, {x3}, {x4}.]
Fig. 3. The controller.
The transition graph of the train has a few integer delays: we assume that it takes 50 time units for another train to enter the critical region after a crossing (this time is measured by clock t1, which is reset whenever entering state far). The train stays in the approaching region at least 50 but at most 200 time units (i.e., there are bounds on the minimum and maximum speed of the train). This is measured by the clock t2, which is reset whenever entering state approaching. Then the train crosses the gate, again for an interval lasting between 50 and 200 time units, as measured by clock t3, which is reset when entering state crossing. Notice that time passes only when the automaton is in a self-loop, since all other transitions reset a clock (and hence are zero-time by definition).
The behavior of the railroad crossing, composed of a controller, two sensors and a gate, is shown by the nondeterministic timed automaton whose transition graph is given in Fig. 3. At start, the gate is open and no train is inside the critical region. When a train is approaching the gate, a sensor, placed at a suitable distance from the railroad crossing, detects the train entering the critical region. The gate is then closed by the controller. The closing action takes a certain time, slightly variable with the particular plant (between 40 and 50 time units in the figure, as measured by clock x1, which is reset when entering state closing). By construction the distance of the sensor from the gate is such that the fastest train cannot cross before the gate is completely closed, allowing the system to be safe.
Another sensor determines when the last car of the train leaves the crossing, and correspondingly the gate is opened. The action of opening the gate again takes a slightly variable delay depending on the plant (between 40 and 50 time units in the figure, as measured by clock x3, which is reset when entering state opening).
The two above timed automata may be combined in a unique synchronous model M, with one global clock, by taking the cartesian product of the two automata and synchronizing a few transitions: the transition from open to closing of the controller must be synchronized with the transition from far to approaching of the train model; the transition from closed to opening of the controller must be synchronized with the transition from crossing to far of the train model (in both cases, we suppose that sensors react instantaneously). Hence, not every pair of states is possible in M.
Typical properties studied for a railroad crossing problem are safety and utility. Safety means that it never happens that the train is in the state crossing while the controller is not in the state closed.
Utility is a kind of liveness property, formalizable in different ways, representing the intuitive fact that the crossing must be crossed also by cars and people, without making them wait longer than is necessary. Notice that, in a sense, utility has the same level of importance as safety. For example, safety could be easily verified by building a gate that is always closed, but obviously this would be considered useless.
The kind of utility property we are considering here is a constraint on the total time Tclosed that a gate is not open compared with the time Ttrain that the corresponding train spends inside the critical region. More precisely, we want to state that Tclosed must not exceed Ttrain by more than 20%, which may be acceptable as a safety margin.
In what follows, +, , represent configurations. Let I(+) be a formula stating that + is the initial configuration, i.e. a configuration where M is in the initial state (far, open) and each clock is set to 0. Let statetrain(,) and statecontroller(,) be, respectively, the train component and the controller component of the state of M in configuration ,. Let P(,) be the following Presburger formula:
$$\mathit{state}_{\mathit{train}}(,) = \mathit{far} \wedge \mathit{state}_{\mathit{controller}}(,) = \mathit{open} \rightarrow x_1 - x_4 \le 1.2\,(t_2 - t_1).$$
The term x1 − x4, when in state open, measures exactly the time Tclosed spent by the controller in a state different from open during the arrival of the last train. Similarly, t2 − t1, when in state far, measures exactly the total time Ttrain spent by the last train inside the critical region. Notice that x1 − x4 ≤ 1.2(t2 − t1) in P is not a clock region (because of the ratio 1.2).
Utility is an instance of the ∀-Presburger-always problem of M concerning I and P, since it must always be true during the (supposedly infinite) lifetime of the system. The problem is decidable as we have shown.
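As an added example (not code from the paper), the following Python script steps the synchronous product model M through one far/approaching/crossing cycle with chosen integer dwell times, applying the clock resets described above, and evaluates P on the resulting (far, open) configuration; find_violation then enumerates the admissible dwell times that influence P. Assumptions: x2 is reset on entering closed and x4 on entering open (as the reset sets listed for Fig. 3 suggest), the dwell ranges are those stated in the text, and time passes only in self-loops.

```python
# Added example (not the paper's code): discrete-time simulation of the product
# of the train (Fig. 2) and the controller (Fig. 3) with the synchronized edges
# described in Section 5, and evaluation of the utility formula P.
from itertools import product

CLOCKS = ("t1", "t2", "t3", "x1", "x2", "x3", "x4")


def initial():
    """Initial configuration: state (far, open), every clock at 0."""
    return ("far", "open", {c: 0 for c in CLOCKS})


def advance(conf, d):
    """Let d time units pass in a self-loop: every clock advances by d."""
    train, ctrl, clocks = conf
    return (train, ctrl, {c: v + d for c, v in clocks.items()})


def fire(conf, train, ctrl, resets):
    """Zero-time edge of the product: new state pair, listed clocks reset to 0."""
    _, _, clocks = conf
    new = dict(clocks)
    for c in resets:
        new[c] = 0
    return (train, ctrl, new)


def utility_holds(conf):
    """P: in (far, open), x1 - x4 <= 1.2 (t2 - t1). Multiplying by 5 keeps it an
    integer linear (Presburger) relation, which is why it is not a clock region."""
    train, ctrl, k = conf
    if (train, ctrl) != ("far", "open"):
        return True                       # implication with a false premise
    return 5 * (k["x1"] - k["x4"]) <= 6 * (k["t2"] - k["t1"])


def cycle(conf, wait, closing, approach, cross, opening):
    """One far/approaching/crossing cycle from a (far, open) configuration with
    integer dwell times. The checks are sufficient conditions for the guards
    stated in the text (t1 > 50 on leaving far, 40..50 for closing/opening,
    more than 50 and at most 200 for approaching/crossing)."""
    if not (wait > 50 and 40 <= closing <= 50 and 50 < approach <= 200
            and 50 < cross <= 200 and 40 <= opening <= 50):
        raise ValueError("dwell time outside the guards of the model")
    conf = advance(conf, wait)                                  # far / open
    conf = fire(conf, "approaching", "closing", {"t2", "x1"})   # first sensor
    conf = advance(conf, closing)                               # gate closing
    conf = fire(conf, "approaching", "closed", {"x2"})          # assumption: x2 reset
    conf = advance(conf, approach - closing)                    # still approaching
    conf = fire(conf, "crossing", "closed", {"t3"})
    conf = advance(conf, cross)                                 # train on crossing
    conf = fire(conf, "far", "opening", {"t1", "x3"})           # second sensor
    conf = advance(conf, opening)                               # gate opening
    conf = fire(conf, "far", "open", {"x4"})                    # assumption: x4 reset
    return conf


def measured_times(conf):
    """(T_closed, T_train) as read from the clocks of a (far, open) configuration."""
    _, _, k = conf
    return k["x1"] - k["x4"], k["t2"] - k["t1"]


def find_violation(wait=51, closing=40):
    """Exhaustive search over the integer dwell times that influence P.
    wait and closing are fixed: both quantities in P are differences of clocks
    that advance together during those phases, so they do not affect P."""
    ranges = (range(51, 201), range(51, 201), range(40, 51))
    for approach, cross, opening in product(*ranges):
        conf = cycle(initial(), wait, closing, approach, cross, opening)
        if not utility_holds(conf):
            return approach, cross, opening
    return None


if __name__ == "__main__":
    c = cycle(initial(), 60, 45, 100, 100, 40)
    print("T_closed, T_train =", measured_times(c), "P holds:", utility_holds(c))
    print("first violating (approach, cross, opening):", find_violation())
```

The search shows which combinations of approaching, crossing and opening times keep P true for the ranges quoted in the text; whether the margin suffices for a given plant is then a matter of the numbers, not of decidability.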
6. Discussions and future work
It is important to provide a uniform framework to clarify what kind of temporal Presburger properties can be automatically checked for timed automata. Given a dta A, the set of linear temporal logic formulas LA with respect to A is defined by the following grammar:
. := P | ¬. | . ∧ . | ©. | .U.,
where P is a Presburger-definable set of configurations of A, © denotes "next", and U denotes "until". Formulas in LA are interpreted on ω-sequences p of configurations of A in the usual way. We use p^i to denote the ω-sequence resulting from the deletion of the first i configurations from p. We use p_i to indicate the ith element in p. The satisfiability relation |= is recursively defined as follows, for each ω-sequence p and for each formula . ∈ LA (written p |= .):
p |= P if p_1 ∈ P,
p |= ¬. if not p |= .,
p |= .1 ∧ .2 if p |= .1 and p |= .2,
p |= ©. if p^1 |= .,
p |= .1 U .2 if ∃j (p^j |= .2 and ∀k < j (p^k |= .1)),
where the variables i, j, k range over N.
We adopt the convention that ✸. (eventual) abbreviates (true U .) and ✷. (always) abbreviates (¬✸¬.).
Given A and a formula . ∈ LA, the model-checking problem is to check whether each ω-path p of A satisfies p |= .. The satisfiability-checking problem is to check whether there is an ω-path p of A satisfying p |= .. It is obvious that the model-checking problem on the formula . is equivalent to the negation of the satisfiability-checking problem on the formula ¬. (and thus it is its "dual").
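The semantics above can be executed on ultimately periodic ω-sequences (a finite prefix followed by a loop repeated forever), which is how a lasso-shaped witness is represented. The following Python evaluator is an added example, not the paper's code: formulas are nested tuples, an atomic P is any Python predicate on a configuration standing in for a Presburger-definable set, positions are 0-based, and the sample path is constructed here rather than taken from any automaton in the paper.

```python
# Added example (not the paper's code): evaluating formulas of L_A on an
# ultimately periodic omega-sequence  prefix . loop^omega  of configurations.
# A configuration is (state, clock_dict); an atom ("P", pred) holds at a
# position when pred(configuration) is true.
from functools import lru_cache


def holds(formula, prefix, loop):
    """p |= formula for p = prefix . loop^omega (positions are 0-based)."""
    prefix, loop = tuple(prefix), tuple(loop)
    n, m = len(prefix), len(loop)
    if m == 0:
        raise ValueError("loop must be non-empty")

    def conf(i):                      # the i-th configuration of p
        return prefix[i] if i < n else loop[(i - n) % m]

    @lru_cache(maxsize=None)
    def sat(f, i):                    # sat(f, i) is  p^i |= f
        op = f[0]
        if op == "P":
            return bool(f[1](conf(i)))
        if op == "not":
            return not sat(f[1], i)
        if op == "and":
            return sat(f[1], i) and sat(f[2], i)
        if op == "next":
            return sat(f[1], i + 1)
        if op == "until":
            # Suffixes p^j with j >= n repeat with period m, so if a witness j
            # exists one exists below max(i, n) + m; the search is therefore exact.
            for j in range(i, max(i, n) + m):
                if sat(f[2], j) and all(sat(f[1], k) for k in range(i, j)):
                    return True
            return False
        raise ValueError(f"unknown operator {op!r}")

    return sat(formula, 0)


def atom(pred):
    return ("P", pred)


TRUE = atom(lambda c: True)


def eventually(f):                    # <>f abbreviates (true U f)
    return ("until", TRUE, f)


def always(f):                        # []f abbreviates not <> not f
    return ("not", eventually(("not", f)))


# Constructed sample path: two configurations, then a three-configuration loop.
SAMPLE_PREFIX = [("s0", {"x": 0}), ("s0", {"x": 1})]
SAMPLE_LOOP = [("s1", {"x": 2}), ("s1", {"x": 0}), ("s2", {"x": 1})]

P_X_GE_2 = atom(lambda c: c[1]["x"] >= 2)     # met once per loop: P-i.o.
Q_STATE_S0 = atom(lambda c: c[0] == "s0")     # met only in the prefix
R_X_IS_5 = atom(lambda c: c[1]["x"] == 5)     # never met


def check_sample():
    """Evaluate the shapes of formulas discussed in the text on the sample path."""
    return {
        "[]<>P": holds(always(eventually(P_X_GE_2)), SAMPLE_PREFIX, SAMPLE_LOOP),
        "<>Q": holds(eventually(Q_STATE_S0), SAMPLE_PREFIX, SAMPLE_LOOP),
        "[]<>Q": holds(always(eventually(Q_STATE_S0)), SAMPLE_PREFIX, SAMPLE_LOOP),
        "<>R": holds(eventually(R_X_IS_5), SAMPLE_PREFIX, SAMPLE_LOOP),
        "(x<2) U P": holds(("until", atom(lambda c: c[1]["x"] < 2), P_X_GE_2),
                           SAMPLE_PREFIX, SAMPLE_LOOP),
        "OO(s1)": holds(("next", ("next", atom(lambda c: c[0] == "s1"))),
                        SAMPLE_PREFIX, SAMPLE_LOOP),
    }


if __name__ == "__main__":
    for name, value in check_sample().items():
        print(f"{name:>10}: {value}")
```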
The results of this paper show that:
• The satisfiability-checking problem is decidable for formulas in LA of the form I ∧ ✷✸P and I ∧ ✸P, where I and P are Presburger sets of configurations.
• The model-checking problem is undecidable for formulas in LA, even when the formulas are of the form ✷✸P and ✸P.
• Therefore, both the satisfiability-checking problem and the model-checking problem are undecidable for the entire LA, even when the "next" operator © is excluded from the logic LA.
Future work may include investigating a fragment of LA that has a decidable satisfiability-checking/model-checking problem, following the work of Comon and Cortier [9]. There are problems that are still open. For instance, we do not know whether the satisfiability-checking problem is decidable for I ∧ ✸P ∧ ✸Q (i.e., find an ω-path that is both P-i.o. and Q-i.o.).
In [6], an extension of TPTL, called Presburger TPTL, is proposed and it is shown to be undecidable for discrete time. The proof in [6] does not imply (at least, not in an obvious way) the undecidability of the ∀-Presburger-i.o. problem and the ∀-Presburger-eventual problem in this paper. In that proof, the semantics of Presburger TPTL (over a discrete time domain) is interpreted on timed state sequences (i.e., an infinite sequence of tuples of a control state and of a timestamp satisfying monotonicity and progress conditions [6]). TPTL provides © and U, as well as freeze quantifiers. Using a freeze quantifier, a timestamp can be "remembered". In this way, the transition relation of a two-counter machine can be encoded into Presburger TPTL by using ©, U and the freeze quantifier. This gives the undecidability of the logic [6]. On the other hand, ✷✸P and ✸P in this paper are interpreted on sequences of configurations (in contrast to timed state sequences). Formulas like ✷✸P and ✸P are state formulas. That is, without using © and without introducing freeze quantifiers, we have no way to remember clock values in one configuration and use them to compare those in another configuration along p. Therefore, the transition relation of a two-counter machine cannot be encoded in our logic LA. But we are able to show in this paper that computations of a two-counter machine can be encoded by ω-paths, restricted under ✷✸P or ✸P, of a dta, leading to the undecidability results of the paper.
We are also interested in considering the same set of liveness problems for a dense time domain. However, special attention must be paid in order to define the concepts of "infinitely often" and ω-paths under a dense time domain. We believe that the decidability results (for the ∃-Presburger-i.o. problem and the ∃-Presburger-eventual problem) also hold for dense time when the semantics of a timed automaton are carefully defined. We may look at Comon and Jurski's flattening construction [10] in arguing about the binary reachability of timed automata over a dense domain. We may also look at the recent generalization [11] of the work in [12] to the dense time domain and the dissertation of Dima [14], which addresses the issue of discretizing timed automata with dense clocks. On the other hand, the undecidability results in this paper can be naturally extended to the dense time domain when the ω-paths in this paper are properly redefined for dense time.
Acknowledgements
Thanks go to the anonymous referees for many useful suggestions.
Appendix A. Proof of Lemma 9
Let M be a deterministic counter machine. M has a finite number of instructions, with each instruction chosen from the following three types (x is one of the counters x1, ..., xk):
• (addition) $l_i \xrightarrow{x := x + 1} l_j$: M transits from location li to location lj with counter x incremented by 1 and the other counters unchanged.
• (subtraction) $l_i \xrightarrow{x := x - 1} l_j$: M transits from location li to location lj (if x is positive) with counter x decremented by 1 and the other counters unchanged.
[Fig. 4 transition graph, not reproduced: states li, s1, s2, s3, s4, s5, s6; clocks x1, x2, y1, y2 and the dummy clock z; guards x2>=x1, x2<x1, x1>0, y1+y2=x1-1, y1=x2-x1+1, y2=x2-x1-1, y1+y2=x2, with the corresponding ≠ guards on the loops; resets {x1,x2}, {y1}, {y2}, {z}, ∅.]
Fig. 4. The generalized dta implementing the mapping from 〈x1 = a1, x2 = a2, y1 = 0, y2 = 0〉 to 〈x1 = 0, x2 = 0, y1 = a1 − 1, y2 = a2〉 for all nonnegative integers a1 and a2.
• (testing against zero) $l_i \xrightarrow{x = 0} l_j$: M transits from location li to location lj if counter x is zero.
We construct a generalized dta to simulate each instruction in M. Without loss of generality, we consider only the instruction $l_i \xrightarrow{x_1 := x_1 - 1} l_j$. In order to simulate it, we regard the two counters x1 and x2 as two clocks and also introduce two other clocks y1 and y2, and a dummy clock z. Define two generalized dtas (illustrated in Figs. 4 and 5), whose sequential composition simulates the above instruction as follows, for all nonnegative integers a1 and a2:
• the first automaton (Fig. 4), when in state li with clock values 〈x1 = a1, x2 = a2, y1 = 0, y2 = 0〉 and a1 ≥ 0, sends the clock values to 〈x1 = 0, x2 = 0, y1 = a1 − 1, y2 = a2〉, and goes, through a sequence of steps, into a state denoted by s6.
• the second automaton (Fig. 5), when in state s6, sends the clock values 〈x1 = 0, x2 = 0, y1 = a1, y2 = a2〉 to 〈x1 = a1, x2 = a2, y1 = 0, y2 = 0〉, ending at state lj.
Let us see how the automaton in Fig. 4 works. Given
〈x1 = a1, x2 = a2, y1 = 0, y2 = 0〉
at state li, if a2 ≥ a1, the automaton walks along the path s1, s2, s3, ending at s6. After the loop at s2, the clock values are
〈x1 = a2 + 1, x2 = 2a2 − a1 + 1, y1 = a2 − a1 + 1, y2 = a2 − a1 + 1〉.
[Fig. 5 transition graph, not reproduced: states s6, s7, s8, s9, s10, lj; guards y1>=y2, y1<y2, x1+x2=y1, x1=y1-y2, x2=y2-y1, x1+x2=y2, with the corresponding ≠ guards on the loops; resets {y1,y2}, {x1}, {x2}, {z}, ∅.]
Fig. 5. The generalized dta implementing the mapping from 〈x1 = 0, x2 = 0, y1 = a1, y2 = a2〉 to 〈x1 = a1, x2 = a2, y1 = 0, y2 = 0〉 for all nonnegative integers a1 and a2.
After firing the edge from s2 to s3, the clock values are
〈x1 = a2 + 1, x2 = 2a2 − a1 + 1, y1 = 0, y2 = a2 − a1 + 1〉.
It is easy to check that the loop at s3 will be fired exactly a1 − 1 times. When the automaton exits the loop, the clock values are
〈x1 = a2 + a1, x2 = 2a2, y1 = a1 − 1, y2 = a2〉.
After x1 and x2 are reset on the edge from s3 to s6, the clock values are
〈x1 = 0, x2 = 0, y1 = a1 − 1, y2 = a2〉,
which is exactly what we expected. It is also easy to check the case when a2 < a1 and the automaton walks along the path s1, s4, s5, ending at s6.
Similarly, it can be argued that the automaton shown in Fig. 5 implements the mapping from
〈x1 = 0, x2 = 0, y1 = a1, y2 = a2〉
to
〈x1 = a1, x2 = a2, y1 = 0, y2 = 0〉
for all nonnegative integers a1 and a2.
The sequential composition of the two automata results in a generalized dta implementing the instruction $l_i \xrightarrow{x_1 := x_1 - 1} l_j$. Similar constructions can be worked out to implement the other two kinds of instructions for the counter machine, using generalized dtas. Therefore, a generalized discrete timed automaton A can now be constructed to implement the entire counter machine M. The construction can be extended to implement counter machines with more than two counters. It should be noted that if M is deterministic, the resulting automaton A is also deterministic.
References
[1] R. Alur, Timed automata, in: CAV'99, Lecture Notes in Computer Science, Vol. 1633, Springer, Berlin, 1999, pp. 8–22.
[2] R. Alur, C. Courcoubetis, D. Dill, Model-checking in dense real time, Inform. Comput. 104 (1) (1993) 2–34.
[3] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (2) (1994) 183–236.
[4] R. Alur, T. Feder, T.A. Henzinger, The benefits of relaxing punctuality, J. ACM 43 (1) (1996) 116–146.
[5] R. Alur, T.A. Henzinger, Real-time logics: complexity and expressiveness, Inform. Comput. 104 (1) (1993) 35–77.
[6] R. Alur, T.A. Henzinger, A really temporal logic, J. ACM 41 (1) (1994) 181–204.
[7] A. Bouajjani, S. Tripakis, S. Yovine, On-the-fly symbolic model-checking for real-time systems, in: Proc. 18th Real Time Systems Symposium (RTSS'97), IEEE Computer Society Press, Silver Spring, MD, 1997, pp. 25–35.
[8] A. Coen-Porisini, C. Ghezzi, R. Kemmerer, Specification of real-time systems using ASTRAL, IEEE Trans. Software Eng. 23 (9) (1997) 572–598.
[9] H. Comon, V. Cortier, Flatness is not a weakness, in: CSL'00, Lecture Notes in Computer Science, Vol. 1862, Springer, Berlin, 2000, pp. 262–276.
[10] H. Comon, Y. Jurski, Timed automata and the theory of real numbers, in: CONCUR'99, Lecture Notes in Computer Science, Vol. 1664, Springer, Berlin, 1999, pp. 242–257.
[11] Z. Dang, Binary reachability analysis of pushdown timed automata with dense clocks, in: CAV'01, Lecture Notes in Computer Science, Vol. 2102, Springer, Berlin, 2001, pp. 506–517.
[12] Z. Dang, O.H. Ibarra, T. Bultan, R.A. Kemmerer, J. Su, Binary reachability analysis of discrete pushdown timed automata, in: CAV'00, Lecture Notes in Computer Science, Vol. 1855, Springer, Berlin, 2000, pp. 69–84.
[13] Z. Dang, P. San Pietro, R.A. Kemmerer, On Presburger liveness of discrete timed automata, in: STACS'01, Lecture Notes in Computer Science, Vol. 2010, Springer, Berlin, 2001, pp. 132–143.
[14] C. Dima, An algebraic theory of real-time formal languages, Ph.D. Dissertation, Verimag, Grenoble, 2001.
[15] C. Heitmeyer, N. Lynch, The generalized railroad crossing: a case study in formal verification of real-time systems, in: Proc. 15th Real-time Systems Symposium (RTSS'94), IEEE Computer Society Press, Silver Spring, MD, 1994, pp. 120–131.
[16] T.A. Henzinger, Z. Manna, A. Pnueli, What good are digital clocks?, in: ICALP'92, Lecture Notes in Computer Science, Vol. 623, Springer, Berlin, 1992, pp. 545–558.
[17] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems, Inform. Comput. 111 (2) (1994) 193–244.
[18] T.A. Henzinger, Pei-Hsin Ho, HyTech: the Cornell hybrid technology tool, in: Hybrid Systems II, Lecture Notes in Computer Science, Vol. 999, Springer, Berlin, 1995, pp. 265–294.
[19] O.H. Ibarra, Reversal-bounded multicounter machines and their decision problems, J. ACM 25 (1) (1978) 116–133.
[20] F. Laroussinie, K.G. Larsen, C. Weise, From timed automata to logic—and back, in: MFCS'95, Lecture Notes in Computer Science, Vol. 969, Springer, Berlin, 1995, pp. 529–539.
[21] K.G. Larsen, P. Pattersson, W. Yi, UPPAAL in a nutshell, Internat. J. Software Tools Technol. Transfer 1 (1–2) (1997) 134–152.
[22] J. Raskin, P. Schobben, State clock logic: a decidable real-time logic, in: HART'97, Lecture Notes in Computer Science, Vol. 1201, Springer, Berlin, 1997, pp. 33–47.
[23] V. Weispfenning, The complexity of almost linear Diophantine problems, J. Symb. Comp. 10 (5) (1990) 395–403.
[24] T. Wilke, Specifying timed state sequences in powerful decidable logics and timed automata, Lecture Notes in Computer Science, Vol. 863, Springer, Berlin, 1994, pp. 694–715.
[25] S. Yovine, Kronos: a verification tool for real-time systems, Internat. J. Software Tools Technol. Transfer 1 (1–2) (1997) 123–133.
[26] S. Yovine, Model checking timed automata, in: Embedded Systems, Lecture Notes in Computer Science, Vol. 1494, Springer, Berlin, 1998, pp. 114–152.
