Pushdown timed automata: a binary reachability characterization and safety verification
Zhe Dang
School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164, USA
Theoretical Computer Science 302 (2003) 93–121
www.elsevier.com/locate/tcs
Received 15 October 2001; received in revised form 19 July 2002; accepted 27 September 2002
Communicated by D. Perrin
Abstract
We consider pushdown timed automata (PTAs) that are timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a state, dense clock values and a stack word. By using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. These properties previously could neither be verified using the classic region technique nor expressed by timed temporal logics for timed automata and CTL* for pushdown systems. The results are also extended to other generalizations of timed automata.
© 2002 Elsevier Science B.V. All rights reserved.
Keywords: Model-checking; Timed automata; Pushdown timed automata; Binary reachability; Presburger;
Real-time systems
1. Introduction
A timed automaton [3] can be considered as a finite automaton augmented with a number of dense (either real or rational) clocks. Clocks can be reset or progress at rate 1 depending upon the truth values of a number of clock constraints in the form of clock regions (i.e., comparisons of a clock or the difference of two clocks against an integer constant). Due to their ability to model and analyze a wide range of real-time systems, timed automata have been extensively studied in recent years (see [1,36] for recent surveys). In particular, by using the standard region technique, it has been shown that region reachability for timed automata is decidable [3]. This fundamental result and the technique help researchers, both theoretically and practically, in formulating various timed temporal logics [2,4–6,26,30,34,35] and developing verification tools [12,27,32].
Footnote: A short version [19] of this paper appears in the Proceedings of the 13th International Conference on Computer-aided Verification (CAV'01), Lecture Notes in Computer Science, Vol. 2102, Springer, Berlin, pp. 506–517.
E-mail address: zdang@eecs.wsu.edu (Zhe Dang).
PII: S0304-3975(02)00743-0
Region reachability is useful but has intrinsic limitations. In many real-world applications [14], we might also want to know whether a timed automaton satisfies a non-region property; e.g., for two given states s and s′,
x1 − 2x2 + x′3 > x′1 + 4x′2 − 3x3
holds whenever clock values (x1, x2, x3) at s can reach (x′1, x′2, x′3) at s′. Comon and Jurski [17] have shown that the binary reachability of a timed automaton is definable in the additive theory of reals augmented with an integral predicate that tells whether a term is an integer, by flattening a timed automaton into a real-valued counter machine without nested cycles [16]. The result immediately paves the way for automatic verification of a class of non-region properties that previously were not possible using the region technique.
On the other hand, a strictly more powerful system, called a pushdown timed automaton (PTA), can be obtained by augmenting a timed automaton with a pushdown stack. PTAs are particularly interesting because they contain both dense clocks and unbounded discrete structures. They can be used to study, for instance, a timed version of pushdown processes [11,24] or real-time programs with procedure calls. A configuration of a PTA is a tuple of a state, dense clock values, and a stack word. The binary reachability of a PTA is the set of all pairs of configurations such that one can reach the other. Comon and Jurski's result for timed automata inspires us to look for a similar result for PTAs. Is there a decidable binary reachability characterization for PTAs such that a class of non-region properties can be verified? The main result in this paper answers this question positively.
There are several potential ways to approach the question. The first, straightforward, approach would be to treat a PTA as a Cartesian product of a timed automaton and a pushdown automaton. In this way, the binary reachability of a PTA could be formulated by simply combining Comon and Jurski's result and the fact that pushdown automata accept context-free languages. Obviously, this is wrong, since stack operations depend on clock values and thus cannot be simply separated. The second approach is to look closely at Comon and Jurski's flattening technique to see whether it can be adapted by adding a pushdown stack. However, the second approach has an inherent difficulty: the flattening technique, as pointed out in their paper, destroys the structure of the original timed automaton, and thus the sequences of stack operations cannot be maintained after flattening.
Recently, the question has been answered positively, but only for integer-valued clocks (i.e., for discrete PTAs). It has been shown in [20] that the binary reachability of a discrete PTA can be accepted by a nondeterministic pushdown automaton augmented with reversal-bounded counters (NPCA), whose emptiness problem is known to be decidable [28]. However, as far as dense clocks are concerned, the automata-based technique used in [20] does not immediately apply. The reason is that traditional automata theories do not provide tools to deal with machines containing both real-valued counters (for dense clocks) and unbounded discrete data structures.
In order to handle dense clocks, inspired by Alur and Dill's region technique [3], we separate a dense clock into an integral part and a fractional part. Consider a pair (C0, C1) of two tuples of clock values. We define (see Section 3 for details) an ordering, called the pattern of (C0, C1), on the fractional parts of C0 and C1. The definition guarantees that there are only a finite number of distinct patterns. An equivalence relation "≈" is defined such that (C0, C1) ≈ (C′0, C′1) iff C0 and C′0 (and likewise C1 and C′1) have the same integral parts, and both (C0, C1) and (C′0, C′1) have the same pattern. "≈" essentially defines an equivalence relation with a countable number of equivalence classes such that the integral parts of C0 and C1 together with the pattern of the fractional parts of C0 and C1 determine the equivalence class of (C0, C1). A good property of "≈" is that it preserves the binary reachability: C0 can reach C1 by a sequence of transitions iff C′0 can reach C′1 by the (almost) same sequence of transitions, whenever (C0, C1) ≈ (C′0, C′1). Therefore, the fractional parts can be abstracted away from the dense clocks by using a pattern. In this way, by preserving the (almost) same control structure, a PTA can be transformed into a discrete transition system (called a pattern graph) containing discrete clocks (for the integral parts of the dense clocks) and a finite variable over patterns. By translating a pattern back to a relation over the fractional parts of the clocks, the decidable binary reachability characterization of the pattern graph yields the decidable characterization (namely, (D + NPCA)-definable) for the PTA, since the relation is definable in the additive theory of reals. With this characterization, it can be shown that the particular class of safety properties that contain mixed linear relations over both dense variables (e.g., clock values) and discrete variables (e.g., word counts) can be automatically verified for PTAs. An example property is as follows: for two given states s and s′, whenever configuration (s, x1, x2, w) can reach configuration (s′, x′1, x′2, w′), the following condition holds:
x1 + 2x′2 − x2 > #a(w) − #b(w′),
where #a(w) is the number of symbol a's in the stack word w. The results can be easily extended to PTAs augmented with reversal-bounded counters. In particular, we can show that the binary reachability of a timed automaton is definable in the first-order additive theory over reals and integers with > and +, i.e. (R, Z, +, >, 0). Essentially, for timed automata, Comon and Jurski's characterization (the additive theory of reals augmented with an integral predicate) is equivalent to ours (the additive theory of reals and integers). The additive theory over reals and integers is decidable, for instance, by the Büchi-automata based decision procedure presented in [9].
Fractional orderings are an effective way to abstract the fractional parts of dense clocks. The idea of using fractional orderings can be traced back to the pioneering work of Alur and Dill in inventing the region technique [3]. Essentially, the region technique makes a finite partition of the clock space such that clock values in the same region give the same answer to each clock constraint in the system (i.e., the automaton of interest). Comon and Jurski [17] notice that Alur and Dill's partition is too coarse for establishing the binary reachability of a timed automaton. They move one step further by bringing in the clock values before a transition was made. But Comon and Jurski's partition is still finite, since their partition, though finer than Alur and Dill's, is still based on answers to all the clock constraints (there are finitely many of them) in the system. In this paper, ≈ induces an infinite partition of both the initial values C0 and the current values C1 of the clocks. Essentially, this partition is based on answers to all clock constraints (not just the ones in the system). That is, ≈ is finer than Comon and Jurski's partition as well as Alur and Dill's. This is why, when a PTA is concerned, the flattening technique [17] preserves the binary reachability of clock values but not of stack words, while the technique presented in this paper preserves the binary reachability of both. A class of Pushdown Timed Systems was discussed in [10]. However, that paper focuses on region reachability instead of binary reachability.
This paper is organized as follows. Section 2 reviews a number of definitions and, in particular, defines a decidable formalism in which the binary reachability of PTAs is expressed. Sections 3 and 4 give the definition of patterns and show the correctness of using patterns as an abstraction for fractional clock values. Sections 5 and 6 define PTAs and show that the pattern graph of a PTA has a decidable binary reachability characterization. Section 7 states the main results of the paper. In Section 8, we point out that the results in this paper can be extended to many other infinite state machine models augmented with dense clocks.
2. Preliminaries
A nondeterministic multicounter automaton is a nondeterministic automaton with a finite number of states, a one-way input tape, and a finite number of integer counters. Each counter can be incremented by 1, decremented by 1, or stay unchanged. Besides, a counter can be tested against an integer constant. It is well known that counter machines with two counters have an undecidable halting problem [33], and obviously the undecidability holds for machines augmented with a pushdown stack. Thus, we have to restrict the behaviors of the counters. One such restriction is to limit the number of reversals a counter can make. A counter is n-reversal-bounded if it changes mode between nondecreasing and nonincreasing at most n times. For instance, the following sequence of counter values:
0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 3, 2, 1, 1, 1, 1, ...
demonstrates only one counter reversal. A counter is reversal-bounded if it is n-reversal-bounded for some fixed number n independent of computations. A reversal-bounded nondeterministic multicounter automaton (NCA) is a nondeterministic multicounter automaton in which each counter is reversal-bounded. A reversal-bounded nondeterministic pushdown multicounter automaton (NPCA) is an NCA augmented with a pushdown stack. In addition to counter operations, an NPCA can pop the top symbol from the stack or push a word onto the top of the stack. It is known that the emptiness problem (i.e., whether a machine accepts some word) for NPCAs (and hence NCAs) is decidable [28].
Lemma 1. The emptiness problem for reversal-bounded nondeterministic pushdown multicounter automata is decidable.
When an automaton does not have an input tape, we call it a machine. In this case, we are interested in the behaviors generated by the machine rather than the language accepted by the automaton. We shall use NPCM (resp. NCM) to stand for NPCA (resp. NCA) without an input tape.
Let Z be the integers, N the nonnegative integers, and D = Q (rationals) or R (reals) a dense domain, and fix an alphabet. D+ is used to denote the nonnegative values in D. Each value v ∈ D can be uniquely expressed as the sum of its integral part, which lies in Z, and its fractional part, which is at least 0 and less than 1. A dense variable is a variable over D. An integer variable is a variable over Z. A word variable is a variable over the words over the alphabet. Let m ≥ 1. For each 1 ≤ i ≤ m, we use xi, yi, and wi to denote a dense variable, an integer variable, and a word variable, respectively. We use #a(wi) to denote a count variable representing the number of occurrences of the alphabet symbol a in wi. A linear term t is defined as follows:
t ::= n | xi | yi | #a(wi) | t − t | t + t,
where n ∈ Z, a is an alphabet symbol and 1 ≤ i ≤ m. A mixed linear relation l is defined as follows:
l ::= t > 0 | t = 0 | tdiscrete mod n = 0 | ¬l | l ∧ l,
where t is a linear term, n ∈ N with n ≠ 0, and tdiscrete is a linear term not containing dense variables. Notice that a mixed linear relation could contain dense variables, integer variables and count variables. A dense linear relation is a mixed linear relation that contains dense variables only. A discrete linear relation is a mixed linear relation that does not contain dense variables. Obviously, any discrete linear relation is a Presburger formula over integer variables and count variables.
Each integer can be represented as a unary string, e.g., string "00000" (resp. "11111") for integer +5 (resp. −5). In this way, a tuple of integers and words can be encoded as a string by concatenating the unary representations of the integers and the words, with a separator symbol $. For instance, (2, −4, w) is encoded as string "00$1111$w". Consider a predicate H over integer variables and word variables. The domain of H is the set of tuples of integers and words that satisfy H. Under the encoding, the domain of H can be treated as a set of strings, i.e., a language. A predicate H over integer variables and word variables is an NPCA predicate (or simply NPCA) if there is an NPCA accepting the domain of H. A (D+NPCA)-formula f is defined as follows:
f ::= ldense ∧ H | ldense ∨ H | f ∨ f,
where ldense is a dense linear relation and H is an NPCA predicate. Therefore, a (D + NPCA)-formula is a finite disjunction of formulas of the form ldense ∧ H or ldense ∨ H, where dense variables (contained only in each ldense) and discrete variables (contained only in each H) are separated. Let p, q, r ≥ 0. A predicate A on tuples of p values in D, q integers and r words is (D+NPCA)-definable if there is a (D+NPCA)-formula f with p dense variables, p + q integer variables, and r word variables, such that, for all x1, ..., xp in D, for all y1, ..., yq in Z, and for all words w1, ..., wr,
(x1, ..., xp, y1, ..., yq, w1, ..., wr) ∈ A
iff f(x1, ..., xp, x1, ..., xp, y1, ..., yq, w1, ..., wr) holds.
Lemma 2. (1) Both ldiscrete ∧ H and ldiscrete ∨ H are NPCA predicates, if ldiscrete is a discrete linear relation and H is an NPCA predicate.
(2) NPCA predicates are closed under existential quantification (over integer variables and word variables).
(3) If A is (D+NPCA)-definable and l is a mixed linear relation, then both l ∧ A and l ∨ A are (D+NPCA)-definable.
(4) The emptiness (or satisfiability) problem for (D+NPCA)-definable predicates is decidable.
Proof. (1) ldiscrete is a Presburger formula. (The domain of) ldiscrete can therefore be accepted by a deterministic NCA [28]. Hence, ldiscrete ∧ H and ldiscrete ∨ H can be accepted by NPCAs by "intersecting" and "joining" the deterministic NCA and the NPCA that accepts H, respectively.
(2) Let H be an NPCA predicate containing variable z (either an integer variable or a word variable). Assume that H is accepted by NPCA M. An NPCA M′ can be constructed to accept ∃z H by guessing each symbol in the encoding of z (on the input tape of M) and simulating M.
(3) We first show that any mixed linear relation l is definable by a separately mixed linear relation l′ (i.e., l′ is a Boolean combination of dense linear relations and discrete linear relations; so l′ does not have a term containing both dense variables and discrete variables). That is, for all x1, ..., xp ∈ D, y1, ..., yq ∈ Z,
l(x1, ..., xp, y1, ..., yq) iff l′(x1, ..., xp, x1, ..., xp, y1, ..., yq).
Instead of giving a lengthy proof, we look at an example of l: x1 − x2 + y1 > 2. This can be rewritten by splitting x1 and x2 into their integral and fractional parts: the integral parts together with y1 − 2 form a discrete term, and the difference of the fractional parts of x1 and x2 is the only part containing dense variables. Since that difference is bounded, separating cases for it being at (and between) −1, 0, 1 will give a separately mixed linear relation l′. This separation idea can be applied to any mixed linear relation l. If A is definable by a (D + NPCA)-formula f, then l ∧ A (resp. l ∨ A)is definable by l′ ∧ f (resp. l′ ∨ f). By re-organizing the dense linear relations (in l′ and in f) and the discrete linear relations (in l′) such that the discrete linear relations are grouped with the NPCA predicates in f, l′ ∧ f and l′ ∨ f can be made (D+NPCA)-formulas using Lemma 2(1).
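The case split sketched in (3), carried through for the example relation; this is an added derivation and not the paper's own text, and it assumes the example reads x1 − x2 + y1 > 2, writing ⌊x⌋ and {x} (my notation) for the integral and fractional parts of x:

$$
\begin{aligned}
x_1 - x_2 + y_1 > 2 \;&\Longleftrightarrow\; \underbrace{\lfloor x_1\rfloor - \lfloor x_2\rfloor + y_1 - 2}_{I \in \mathbb{Z}} \;+\; \underbrace{\{x_1\} - \{x_2\}}_{f \in (-1,\,1)} \;>\; 0 \\
&\Longleftrightarrow\; \bigl(\{x_1\} = \{x_2\} \wedge I \ge 1\bigr) \;\vee\; \bigl(\{x_1\} > \{x_2\} \wedge I \ge 0\bigr) \;\vee\; \bigl(\{x_1\} < \{x_2\} \wedge I \ge 1\bigr),
\end{aligned}
$$

since I is an integer: for f > 0 the sum is positive exactly when I ≥ 0, and for f < 0 exactly when I ≥ 1. Each disjunct pairs a fractional ordering, whose truth value a pattern of the clocks determines (Section 3), with a discrete linear relation over ⌊x1⌋, ⌊x2⌋ and y1, so the result is separately mixed.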
(4) The emptiness problem for ldense ∧ H and ldense ∨ H is decidable, noticing that the emptiness for ldense, which is expressible in the additive theory of reals (or rationals), is decidable, and the emptiness of the NPCA predicate H is decidable (Lemma 1). Therefore, the emptiness of any (D + NPCA)-formula, as well as, from Lemma 2(3), of any (D+NPCA)-definable predicate, is decidable.
3. Clock patterns and their changes
A dense clock is simply a dense variable over D+. Now we fix a k > 0 and consider k+1 clocks x = x0, ..., xk. For technical reasons, x0 is an auxiliary clock indicating the current time now. Let K = {0, ..., k}, and K+ = {1, ..., k}. A subset K′ of K is abused as a set of clocks; i.e., we say xi ∈ K′ if i ∈ K′. A (clock) valuation C is a function K → D+ that assigns a value in D+ to each clock in K. A discrete (clock) valuation u is a function K → N that assigns a value in N to each clock in K. For each valuation C and each amount in D+, the integral part of C, the fractional part of C, and C progressed by the amount are the valuations obtained by taking, for each i ∈ K, the integral part of C(i), the fractional part of C(i), and C(i) plus the amount, respectively. The relative representation Ĉ of a valuation C is a valuation satisfying:
• Ĉ has the same integral parts as C,
• the fractional part of Ĉ(0) is 1 minus the fractional part of C(0),
• the fractional part of Ĉ(i) is the fractional part of C(i) plus the fractional part of Ĉ(0), for each i ∈ K+.
A valuation C0 is initial if the auxiliary clock x0 has value 0 in C0.
Example 1. Let k = 4 and C1 = (4.296, 1.732, 1.414, 5.289, 3.732). It can be calculated that Ĉ1 = (4.704, 1.436, 1.118, 5.993, 3.436). Let C2 = C1 + 0.268 = (4.564, 2, 1.682, 5.557, 4). Then Ĉ2 = (4.436, 2.436, 1.118, 5.993, 4.436). Notice that all the fractional parts (except for Ĉ1(0) and Ĉ2(0)) are the same in Ĉ1 and Ĉ2. It is easy to show that a clock progress (i.e., x0, ..., xk progress by the same amount, such as 0.268) will not change the fractional parts of clock values (for clocks x1, ..., xk) in a relative representation.
3.1. Clock patterns
We distinguish two disjoint sets, K0 = {0^0, ..., k^0} and K1 = {0^1, ..., k^1}, of indices. A pattern p0, ..., pn with 0 ≤ n < 2(k + 1) is a partition of K0 ∪ K1 satisfying:
• 0^0 ∈ p0 and
• the union of p0, ..., pn is K0 ∪ K1.
In a pattern, pi is called the i-position. A pair of valuations (C0, C1) is initialized if C0 is initial. The pattern of (C0, C1), written [(C0, C1)], characterizes the ordering between the elements of Ĉ0 and Ĉ1 (where K0 is for indices of C0 and K1 is for indices of C1). Formally, an initialized pair (C0, C1) has pattern p0, ..., pn (written [(C0, C1)] = p0, ..., pn, or (C0, C1) ∈ p0, ..., pn) if, for each 0 ≤ m, m′ ≤ n, each b, b′ ∈ {0, 1}, and each i, i′ ∈ K, i^b ∈ pm and i′^b′ ∈ pm′ imply that
Ĉb(i) ∼ Ĉb′(i′) ⇔ m ∼ m′, with ∼ ∈ {<, =}.
Though this definition of a pattern is quite complex, a pattern can be easily visualized after looking at the following example.
Fig. 1. A graphical representation of Cˆ0 and Cˆ1 in Example 2.
Example 2. Consider C1 in Example 1 and an initial valuation C0 = (0, 3.118, 5.118, 2, 1.876). Since C0 is initial, Ĉ0 = C0. The fractional parts of Ĉ0 and Ĉ1 can be put on a big circle representing the interval [0, 1) as shown in Fig. 1. Each fractional value Ĉ0(i) for C0 is represented by an oval; each fractional value Ĉ1(i) for C1 is represented by a box. The pattern of (C0, C1) can be drawn by collecting clockwise (from the top, i.e., Ĉ0(0) = 0) the indices (superscripted with 0, e.g., 3^0 for Ĉ0(3)) for each component in Ĉ0 and the indices (superscripted with 1, e.g., 3^1 for Ĉ1(3)) for each component in Ĉ1; i.e., the pattern is
p0, ..., p5
with p0 = {0^0, 3^0}, p1 = {1^0, 2^0, 2^1}, p2 = {1^1, 4^1}, p3 = {0^1}, p4 = {4^0}, p5 = {3^1}.
Notice that 0^1 ∈ K1 stands for the index for the value of clock x0 (representing now) in C1. If 0^1 ∈ pi, then pi is the now-position of the pattern. A pattern is a merge-pattern if the now-position is a singleton set (i.e., 0^1 is the only element). A pattern is a split-pattern if it is not a merge-pattern, i.e., the now-position contains more than one element. ("Merge" and "split" will be made clear in a moment.) There are at most 2^(6(k+1)^2) distinct patterns. The set of all the patterns (for the fixed k) is called the pattern space.
Given two initialized pairs (C¹₀, C1) and (C²₀, C2), we write (C¹₀, C1) ≈ (C²₀, C2) if (C¹₀, C1) and (C²₀, C2) have the same pattern and have the same integral parts (i.e., the integral parts of C¹₀ and C²₀ coincide, and so do those of C1 and C2). A valuation C1 has a given pattern if there is an initial C0 such that (C0, C1) has that pattern. C1 may have a number of patterns, by different choices of C0. Observe that a pattern of C1 tells the truth values of all the fractional orderings between the fractional parts of C1(i) and C1(j), and between the fractional part of C1(i) and 0, with ∼ ∈ {<, >, ≤, ≥, =}, for all i, j ∈ K+.
3.2. Clock progresses
For each positive amount in D+, adding that amount to every clock of C is the result of a clock progress from C by that amount. How does a pattern change according to the progress? Let us first look at an example.
Example 3. Consider C1 and C2 (= C1 + 0.268) in Example 1, and C0 in Example 2. In Example 2, we indicated that the pattern of (C0, C1) is
{0^0, 3^0}, {1^0, 2^0, 2^1}, {1^1, 4^1}, {0^1}, {4^0}, {3^1}.
Similar steps can be followed to show that the pattern of (C0, C2) is
{0^0, 3^0}, {1^0, 2^0, 2^1}, {1^1, 4^1, 0^1}, {4^0}, {3^1}.
A helpful way to see the relationship between the two patterns is by looking at Fig. 1. Holding the box labeled by Ĉ1(0) (for the current time) and sliding counter-clockwise along the big circle for an amount of 0.268 will stop at the box labeled by Ĉ1(1) and Ĉ1(4). Thus, the pattern of (C0, C2) (after sliding) is exactly the pattern of (C0, C1) (before sliding) except that 0^1 in the 3-position is merged into the 2-position. Notice that the pattern of (C0, C1) is a merge-pattern and the resulting pattern of (C0, C2) is a split-pattern. The integral parts of C1(1) and C1(4) increase by 1 in C2(1) and C2(4). But the integral parts of all the other components of C1 do not change. The reason is that, after merging 0^1 with 1^1 and 4^1, the fractional parts of C2(1) and C2(4) are "rounded" (i.e., become 0). What if we further make a clock progress from C2 for an amount of 0.12? The resulting pattern of (C0, C3) with C3 = C2 + 0.12 is the result of splitting 0^1 from the 2-position {1^1, 4^1, 0^1}. That is, the pattern of (C0, C3) is
{0^0, 3^0}, {1^0, 2^0, 2^1}, {0^1}, {1^1, 4^1}, {4^0}, {3^1},
which is a merge-pattern again. This process of merging and splitting can be formally defined as the following function next.
Function next: (pattern space) × N^(k+1) → (pattern space) × N^(k+1) describes how a pattern changes upon a clock progress. Given any discrete valuation u and any pattern p0, ..., pn with the now-position being pi for some i, next applied to the pattern and u is defined to be a new pattern together with a new discrete valuation u′ such that:
• (the case when the pattern is a merge-pattern) if |pi| = 1 and hence i > 0, then the new pattern is
p0, ..., pi−1 ∪ {0^1}, pi+1, ..., pn
(that is, the result of merging the now-position into the previous position), and for each j ∈ K+, if j^1 ∈ pi−1, then u′(j) = u(j) + 1, else u′(j) = u(j). Besides, if i = 1 (i.e., the now-position is merged into p0), then u′(0) = u(0) + 1, else u′(0) = u(0);
• (the case when the pattern is a split-pattern) if |pi| > 1, then the new pattern is the result of splitting 0^1 from the now-position. That is, if i > 0, the new pattern is
p0, ..., pi−1, {0^1}, pi − {0^1}, pi+1, ..., pn.
However, if i = 0, the new pattern is
p0 − {0^1}, p1, ..., pn, {0^1}.
In either case, u′ = u.
The new pattern produced by next is called the next pattern of the given one, written Next(·).
Fig. 2. A graphical representation of the Next(·) operator.
To better understand Next(·), we visualize a pattern as a circle, as shown in Fig. 2. Applications of Next(·) can be regarded as moving the index 0^1 along the circle, by performing merge-operations (Fig. 2(a)) and split-operations (Fig. 2(b)) alternately. After enough applications of Next(·), 0^1 will return to the original now-position after moving through the entire circle. That is, for each pattern, there is a smallest positive integer m such that m applications of Next(·) give back the same pattern; i.e., there is a sequence of patterns indexed 0, ..., m whose first and last members are the given pattern and in which each member is the next pattern of the one before it. More precisely, by looking at Fig. 2, if the pattern is a merge-pattern, m = 2n; if it is a split-pattern, m = 2(n + 1). Notice that m applications of next starting from the pattern and u give back the pattern together with u + 1, for each u. The sequence of these m + 1 patterns is called a pattern ring.
Fix any initialized pair (C0, C) and a positive amount in D+. C has no pattern change for that amount if (C0, C progressed by any amount between 0 and it, inclusive) has the same pattern as (C0, C). C has one pattern change for the amount if the pattern of (C0, C progressed by the amount) is the next pattern of the pattern of (C0, C) (hence the two patterns differ) and,
• (when the pattern of (C0, C) is a merge-pattern) for every nonnegative amount strictly smaller than the given one, (C0, C progressed by that smaller amount) has the pattern of (C0, C), or,
• (when the pattern of (C0, C) is a split-pattern) for every positive amount up to and including the given one, (C0, C progressed by that amount) has the pattern of (C0, C progressed by the given amount).
The following lemma can be observed.
Lemma 3. For any initialized pair (C0, C) and any positive amount in D+, the following statements are equivalent:
(1) next, applied to the pattern [(C0, C)] and the integral parts of C, yields the pattern [(C0, C progressed by the amount)] together with the integral parts of the progressed valuation;
(2) C has one pattern change for the amount.
C has n pattern changes for an amount, with n > 1, if the amount is the sum of n positive amounts in D+ such that, for each j = 0, ..., n − 1, C progressed by the first j of them has one pattern change for the (j + 1)-th. It is noticed that for any amount ≤ 1, C has at most m pattern changes, where m is the length of the pattern ring starting from the pattern of (C0, C). This m is uniformly bounded by 4(k + 1).
3.3. Clock resets
In addition to clock progresses, clock resets are the other form of clock behaviors. Let r ⊆ K+ be (a set of) clock resets. C↓r denotes the result of resetting each clock xi ∈ r (i.e., i ∈ r). That is, for each i ∈ K,
(C↓r)(i) = 0 if i ∈ r, and (C↓r)(i) = C(i) otherwise.
Example 4. Consider C0 and C1 given in Examples 1 and 2. Assume r = {4}. By definition, C1↓r = (4.296, 1.732, 1.414, 5.289, 0). It can be calculated that the relative representation of C1↓r is (4.704, 1.436, 1.118, 5.993, 0.704). The pattern of (C0, C1↓r) can be figured out again by looking at Fig. 1. The reset of clock x4 can be conceptually regarded as moving the label Ĉ1(4) from the box of Ĉ1(1) and Ĉ1(4) to the box of Ĉ1(0) (the current time). Therefore, the pattern after the reset changes from
{0^0, 3^0}, {1^0, 2^0, 2^1}, {1^1, 4^1}, {0^1}, {4^0}, {3^1}
of (C0, C1) to
{0^0, 3^0}, {1^0, 2^0, 2^1}, {1^1}, {0^1, 4^1}, {4^0}, {3^1}
of (C0, C1↓r) by moving 4^1 into the position containing 0^1.
Functions reset_r: (pattern space) × N^(k+1) → (pattern space) × N^(k+1), for r ⊆ K+, describe how a pattern changes after clock resets. Given any discrete valuation u and any pattern p0, ..., pn with the now-position being pi for some i, reset_r applied to the pattern and u is defined to be a new pattern together with a new discrete valuation u′ such that:
• the new pattern is p0 − r1, ..., pi−1 − r1, pi ∪ r1, pi+1 − r1, ..., pn − r1, where r1 = {j^1 : j ∈ r} ⊆ K1. Therefore, the new pattern is the result of bringing every index in r1 into the now-position. Notice that some pm − r1 may be empty after moving the indices in r1 out of pm, for m ≠ i. In this case, these empty elements are removed from the new pattern (to guarantee that it is well defined);
• for each j ∈ K, if j ∈ r, then u′(j) = 0, else u′(j) = u(j).
The new pattern produced by reset_r is written Reset_r(·). The following lemma can be observed.
Lemma 4. For any initialized pair (C0, C) and any r ⊆ K+, reset_r applied to the pattern [(C0, C)] and the integral parts of C yields the pattern [(C0, C↓r)] together with the integral parts of C↓r.
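To make Sections 3.1 to 3.3 concrete, here is an added Python model (my code, not the paper's) of relative representations, patterns, the functions next and reset_r, and the pattern ring; it replays Examples 1 to 4 with exact rationals, and its checks confirm Lemma 3 and Lemma 4 on those examples. It assumes the paper's index i^b is represented as the tuple (i, b), that a pattern is the list of its positions, and that the fractional parts of a relative representation are taken modulo 1 (which is what makes Ĉ0 = C0 for an initial C0 in Example 2).

```python
from fractions import Fraction
from typing import Dict, FrozenSet, List, Set, Tuple

# Added model of Section 3 (my code, not the paper's).  A valuation is a list whose
# position i holds clock x_i (x_0 is the auxiliary "now" clock).  The paper's index
# i^b (clock i of C_b; b = 0 initial, b = 1 current) is the tuple (i, b); a pattern is
# the list of its positions p_0, ..., p_n, each a frozenset of indices.
Index = Tuple[int, int]
Pattern = List[FrozenSet[Index]]
Valuation = List[Fraction]
Discrete = List[int]
NOW: Index = (0, 1)

def val(*xs: str) -> Valuation:
    """Exact valuation from decimal strings (constructed inputs), e.g. val("4.296")."""
    return [Fraction(x) for x in xs]

def intpart(v: Fraction) -> int:
    return v.numerator // v.denominator

def fracpart(v: Fraction) -> Fraction:
    return v - intpart(v)

def integral(C: Valuation) -> Discrete:
    """Discrete valuation u: the integral parts of C."""
    return [intpart(v) for v in C]

def relative(C: Valuation) -> Valuation:
    """Relative representation C^: integral parts unchanged, frac of x_0 becomes
    1 - frac(C(0)) and every other frac is shifted by that amount, both modulo 1
    (assumption: this is what gives C^ = C for an initial C, as in Example 2)."""
    f0 = (1 - fracpart(C[0])) % 1
    return [intpart(C[0]) + f0] + [intpart(v) + (fracpart(v) + f0) % 1 for v in C[1:]]

def pattern_of(C0: Valuation, C1: Valuation) -> Pattern:
    """Pattern [(C0, C1)]: indices grouped by the fractional part of C0^ / C1^,
    listed in increasing order (clockwise on the circle of Fig. 1)."""
    assert C0[0] == 0, "the pair must be initialized: C0 is initial"
    groups: Dict[Fraction, Set[Index]] = {}
    for b, C in ((0, C0), (1, C1)):
        for i, v in enumerate(relative(C)):
            groups.setdefault(fracpart(v), set()).add((i, b))
    return [frozenset(groups[f]) for f in sorted(groups)]

def parse_pattern(text: str) -> Pattern:
    """Parse the paper's notation, e.g. "00 30 | 10 20 21 | 01" (token ib is i^b)."""
    return [frozenset((int(t[0]), int(t[1])) for t in part.split())
            for part in text.split("|")]

def now_position(pi: Pattern) -> int:
    return next(m for m, p in enumerate(pi) if NOW in p)

def is_merge_pattern(pi: Pattern) -> bool:
    return len(pi[now_position(pi)]) == 1

def next_pattern(pi: Pattern, u: Discrete) -> Tuple[Pattern, Discrete]:
    """Function next.  Merge-pattern: 0^1 joins the previous position, and each clock
    x_j with j^1 there (x_0 too when that position is p_0) has just reached an integer
    value, so u(j) grows by 1.  Split-pattern: 0^1 is split off; u is unchanged."""
    i, u2 = now_position(pi), list(u)
    if len(pi[i]) == 1:                      # merge; i > 0 because 0^0 is in p_0
        for j, b in pi[i - 1]:
            if b == 1:
                u2[j] += 1
        if i == 1:
            u2[0] += 1
        return pi[:i - 1] + [pi[i - 1] | pi[i]] + pi[i + 1:], u2
    rest = pi[i] - {NOW}                     # split; wraps to the end when i == 0
    if i > 0:
        return pi[:i] + [frozenset({NOW}), rest] + pi[i + 1:], u2
    return [rest] + pi[1:] + [frozenset({NOW})], u2

def reset_pattern(r: Set[int], pi: Pattern, u: Discrete) -> Tuple[Pattern, Discrete]:
    """Function reset_r: every j^1 with j in r moves into the now-position, positions
    emptied by the move disappear, and the reset clocks get integral part 0."""
    i, r1 = now_position(pi), {(j, 1) for j in r}
    moved = [p | r1 if m == i else p - r1 for m, p in enumerate(pi)]
    return [p for p in moved if p], [0 if j in r else u[j] for j in range(len(u))]

def progress(C: Valuation, amount) -> Valuation:
    """Clock progress: every clock, x_0 included, advances by the same amount."""
    return [v + Fraction(amount) for v in C]

def reset(C: Valuation, r: Set[int]) -> Valuation:
    """C down-arrow r: the clocks in r are set to 0."""
    return [Fraction(0) if i in r else v for i, v in enumerate(C)]

def pattern_ring(pi: Pattern, u: Discrete) -> Tuple[List[Pattern], Discrete]:
    """Apply next until the pattern recurs; returns pi_0, ..., pi_m and the final u."""
    ring, cur, u_cur = [pi], pi, u
    while True:
        cur, u_cur = next_pattern(cur, u_cur)
        ring.append(cur)
        if cur == pi:
            return ring, u_cur

if __name__ == "__main__":                   # replay Examples 2 to 4 of the paper
    C0 = val("0", "3.118", "5.118", "2", "1.876")
    C1 = val("4.296", "1.732", "1.414", "5.289", "3.732")
    pi1, u1 = pattern_of(C0, C1), integral(C1)
    print([sorted(p) for p in pi1], next_pattern(pi1, u1), reset_pattern({4}, pi1, u1))
```

The ring check in the tests also confirms the page's formulas m = 2n (merge-pattern) and m = 2(n + 1) (split-pattern), and that one ring advances every integral part by exactly 1.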
4. Clock constraints and patterns
An atomic clock constraint (over clocks x1, ..., xk, excluding x0) is a formula of the form xi − xj ∼ d or xi ∼ d, where d ∈ Z and ∼ ∈ {<, >, ≤, ≥, =}. A clock constraint c is a Boolean combination of atomic clock constraints. Let C be the set of all clock constraints (over clocks x1, ..., xk). We say C ∈ c if clock valuation C (for x0, ..., xk) satisfies clock constraint c.
Any clock constraint c can be written as a Boolean combination I(c) of clock constraints over the integral parts of the clocks x1, ..., xk and fractional orderings between the fractional parts of xi and xj, and between the fractional part of xi and 0. For instance, xi − xj < d is equivalent to: the difference of the integral parts of xi and xj is less than d, or that difference equals d and the fractional part of xi is less than that of xj. Likewise, xi > d is equivalent to: the integral part of xi is greater than d, or it equals d and the fractional part of xi is greater than 0. Therefore, testing C ∈ c is equivalent to testing that the integral parts of C and the fractional orderings on C satisfy I(c). Assume that C has a given pattern. As we mentioned earlier, the truth value of each fractional ordering on C can be told from the pattern. We use the instantiation of I(c) at the pattern, or simply the instantiated c, to denote the result of replacing the fractional orderings in I(c) by the truth values given by the pattern. The instantiated c, containing no fractional orderings, is just a clock constraint (over discrete clocks). Notice that the pattern space is finite; therefore, C ∈ c is equivalent to the disjunction, over all patterns in the pattern space, of
(C has the pattern ∧ the integral parts of C satisfy the instantiated c).
Hence, the truth value of C ∈ c only depends on a pattern of C and the integral parts of C.
Now, we consider two initialized pairs (C10; C1) and (C20; C2) such that (C10; C1) ≈ (C20; C2). Assume that C1 can be reached from a valuation C1 via a clock progress by an amount of 1, i.e., C1 + 1 = C1. We would like to know whether C2 can be reached from some valuation C2, also via a clock progress but probably by a slightly different amount of 2, such that (C10; C1) and (C20; C2) are still equivalent (≈). We also expect that, for any test c, if c is consistently satisfied during the progress of C1, then so is c during the progress of C2. The following lemma concludes that these, as well as the parallel case for clock resets, can be done. This result will be used later to show that if C1 is reached from C10 by a sequence of transitions that repeatedly perform clock progresses and clock resets, then C2 can also be reached from C20 via a very similar sequence such that no test c can distinguish the two sequences.
Lemma 5. For any initialized pairs (C10; C1) and (C20; C2) with (C10; C1) ≈ (C20; C2),
(1) for any positive 1 ∈ D+, for any clock valuation C1, if C1 + 1 = C1, then there exist a positive 2 ∈ D+ and a clock valuation C2 such that
(1.1) C2 + 2 = C2 and (C10; C1) ≈ (C20; C2),
(1.2) C1 is initial iff C2 is initial, C1 = C10 iff C2 = C20, and, for any clock constraint c ∈ C, C1 ∈ c (resp. C1 ∈ c) iff C2 ∈ c (resp. C2 ∈ c),
(1.3) for any clock constraint c ∈ C, ∀ 0 ≤  ≤ 1 (C1 +  ∈ c) iff ∀ 0 ≤  ≤ 2 (C2 +  ∈ c).
(2) for any r ⊆ K+, for any clock valuation C1, if C1 ↓r = C1, then there exists a valuation C2 such that
(2.1) C2 ↓r = C2 and (C10; C1) ≈ (C20; C2),
(2.2) same as (1.2).
Proof. (1) Assume that 1 is “small”, i.e., from C1 to C1 = C1 + 1 there is at most one pattern change. Let  = p0; …; pn be the pattern of (C20; C2) (and, hence, of (C10; C1)). Assume 01 ∈ pi for some i. If 1 causes one pattern change for C1, then we put (C20; C2) on a circle (e.g., Fig. 1). If  is a split-pattern (i.e., |pi| > 1), then we separate a new box (labeled only by Cˆ2(0)) from the original box labeled by Cˆ2(0) and slide the new box backwards (i.e., clockwise) by a small positive amount (taken as 2) without hitting any box or oval. If  is a merge-pattern (i.e., |pi| = 1), then we slide the box labeled by Cˆ2(0) (this is the only label) backwards (i.e., clockwise) by a positive amount ( (taken as 2) until a box or an oval is hit. If 1 causes no pattern change for C1, then  must be a merge-pattern. In this case, 2 is any positive amount less than (. Take C2 = C2 − 2. Obviously, (C10; C1) ≈ (C20; C2). It can be checked that (1.2) and (1.3) hold.
Any larger 1 that causes multiple pattern changes for C1 can be split into a finite sequence of small ’s such that each  causes exactly one pattern change. This is because, as we mentioned earlier, C1 has at most 4(k + 1) pattern changes for any  ≤ 1. In this case, 2 can be calculated by working on each small  (the last one first) as in the above proof.
(2) The case when r = ∅ is obvious. Assume that r contains only one element j ∈ K+ and  is the pattern of (C10; C1). A desired C2 is picked as follows. The integral parts of C2 are exactly those of C1, i.e., C2 = C1. The fractional parts of C2 are exactly those of C2, except that Cˆ2(j) in the relative representation of C2 may be different from Cˆ2(j). Then what is Cˆ2(j)? It is chosen such that the pattern of (C20; C2) is . For instance, if Cˆ1(j) equals, say, Cˆ1(j1) (resp. Cˆ10(j1)) for some j1, then Cˆ2(j) is picked as Cˆ2(j1) (resp. Cˆ20(j1)). If Cˆ1(j) lies strictly between, say, Cˆ1(j1) (or Cˆ10(j1)) and Cˆ1(j2) (or Cˆ10(j2)) for some j1 and j2, such that no other component in Cˆ1 and Cˆ10 lies strictly between these two values, then Cˆ2(j) is picked as any value lying strictly between Cˆ2(j1) (or Cˆ20(j1)) and Cˆ2(j2) (or Cˆ20(j2)) accordingly. Since (C10; C1) ≈ (C20; C2), one can show that Cˆ2(j) can always be picked. The choice of Cˆ2(j) guarantees that the pattern of (C10; C1) is the same as the pattern of (C20; C2). The rest of the conditions in (2) can be checked easily.
For the case when r contains more than one element, the above proof can be generalized by resetting the clocks in r one by one.
5. Pushdown timed automata
A pushdown timed automaton (PTA) A is a tuple
〈S; {x1; …; xk}; Inv; R; ; PD〉;
where
• S is a finite set of states,
• x1; …; xk are (dense) clocks,
• Inv : S → C assigns a clock constraint over clocks x1; …; xk, called an invariant, to each state,
• R : S × S → C × 2^{x1; …; xk} assigns a clock constraint over clocks x1; …; xk, called a reset condition, and a subset of clocks, called clock resets, to each directed edge in S × S,
•  is the stack alphabet. PD : S × S →  × ∗ assigns a pair (a; ,) with a ∈  and , ∈ ∗, called a stack operation, to each edge in S × S. A stack operation (a; ,) replaces the top symbol a of the stack with a string (possibly empty) in ∗.
A timed automaton is a PTA without the pushdown stack.
The semantics of A is defined as follows. A configuration is a triple (s; C; w) of a state s, a clock valuation C on x0; …; xk (where x0 is the auxiliary clock), and a stack word w ∈ ∗. (s1; C1; w1) →A (s2; C2; w2) denotes a one-step transition of A if one of the following conditions is satisfied:
• (a progress transition) s1 = s2, w1 = w2, and ∃ 0 <  ∈ D+, C2 = C1 +  and, for all ′ satisfying 0 ≤ ′ ≤ , C1 + ′ ∈ Inv(s1). That is, a progress transition makes all the clocks synchronously progress by an amount  > 0, during which the invariant is consistently satisfied, while the state and the stack content remain unchanged.
• (a reset transition) C1 ∈ Inv(s1) ∧ c, C1 ↓r = C2 ∈ Inv(s2), and w1 = aw; w2 = ,w for some w ∈ ∗, where R(s1; s2) = (c; r) for some clock constraint c and clock resets r, and PD(s1; s2) = (a; ,) for some stack symbol a ∈  and string , ∈ ∗. That is, a reset transition, by moving from state s1 to state s2, resets every clock in r to 0 and keeps all the other clocks unchanged. The stack content is modified according to the stack operation (a; ,) given on (s1; s2). Clock values before the transition satisfy the invariant Inv(s1) and the reset condition c; clock values after the transition satisfy the invariant Inv(s2).¹
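As an added example (not code from the paper), the two transition kinds above implemented over a small constructed PTA; the automaton, its constants and the start configuration are assumptions. The point worth seeing is that a progress transition must keep the invariant at every instant of the progress interval, so with a non-convex invariant an endpoint-only check would wrongly enable the move.

```python
"""One-step semantics of a PTA (added example, not the paper's code).

A configuration is (state, valuation, stack word): valuation[0] is the
auxiliary clock x0 and stack words are strings with the top symbol first,
so w = a w'' means w[0] == a.  The automaton in example_pta() is constructed
for illustration; it is not the automaton of Fig. 3.
"""
from fractions import Fraction as F
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}


class Atom:
    """Atomic clock constraint x_i ~ d (j is None) or x_i - x_j ~ d."""
    def __init__(self, i, op, d, j=None):
        self.i, self.op, self.d, self.j = i, op, F(d), j

    def holds(self, val):
        lhs = val[self.i] - (val[self.j] if self.j is not None else 0)
        return OPS[self.op](lhs, self.d)


class Constraint:
    """Boolean combination of atoms; `combine` maps their truth values to a bool."""
    def __init__(self, atoms, combine):
        self.atoms, self.combine = atoms, combine

    def holds(self, val):
        return self.combine([a.holds(val) for a in self.atoms])


TRUE = Constraint([], lambda t: True)


def progress(pta, cfg, delta):
    """Progress transition: every clock advances by delta > 0, and Inv(s) must
    hold at every instant of [0, delta], not only at the endpoints.  Returns
    the new configuration or None when the transition is not enabled."""
    s, val, w = cfg
    inv = pta["inv"][s]
    if delta <= 0:
        return None
    # x_i ~ d can only change truth value at the instant t with x_i + t == d;
    # difference atoms x_i - x_j ~ d are unaffected by progress.  Checking the
    # endpoints, all such instants and the midpoints between them therefore
    # decides the invariant on the whole interval exactly.
    pts = {F(0), delta}
    for a in inv.atoms:
        if a.j is None and 0 < a.d - val[a.i] < delta:
            pts.add(a.d - val[a.i])
    pts = sorted(pts)
    samples = pts + [(p + q) / 2 for p, q in zip(pts, pts[1:])]
    if not all(inv.holds([v + t for v in val]) for t in samples):
        return None
    return (s, [v + delta for v in val], w)


def reset(pta, cfg, s2):
    """Reset transition on edge (s1, s2): Inv(s1) and the reset condition c hold
    before, the clocks in r become 0, Inv(s2) holds after, and the stack top a
    is replaced by the string gamma."""
    s1, val, w = cfg
    if (s1, s2) not in pta["R"]:
        return None
    c, r = pta["R"][(s1, s2)]
    a, gamma = pta["PD"][(s1, s2)]
    if not (pta["inv"][s1].holds(val) and c.holds(val)) or not w or w[0] != a:
        return None
    val2 = [F(0) if i in r else v for i, v in enumerate(val)]
    return (s2, val2, gamma + w[1:]) if pta["inv"][s2].holds(val2) else None


def run(pta, cfg, steps):
    """Apply ('progress', amount) / ('reset', target state) steps in order;
    None as soon as a step is not enabled, i.e. the sequence is no witness."""
    for kind, arg in steps:
        cfg = progress(pta, cfg, F(arg)) if kind == "progress" else reset(pta, cfg, arg)
        if cfg is None:
            return None
    return cfg


def example_pta():
    """Constructed PTA with states s1, s2 and clocks x1, x2 (x0 auxiliary).
    Inv(s1) = (x1 <= 6 or x1 >= 7) is deliberately non-convex."""
    inv_s1 = Constraint([Atom(1, "<=", 6), Atom(1, ">=", 7)], lambda t: t[0] or t[1])
    cond = Constraint([Atom(2, "<=", 0, j=1)], lambda t: t[0])  # x2 - x1 <= 0
    return {"inv": {"s1": inv_s1, "s2": TRUE},
            "R": {("s1", "s2"): (cond, {1})},        # reset x1 on s1 -> s2
            "PD": {("s1", "s2"): ("a", "ba")}}       # pop a, push "ba"


START = ("s1", [F(0), F("4.98"), F("2.52")], "ab")   # constructed start configuration


def run_example(steps):
    """Run `steps` on the constructed PTA from START."""
    return run(example_pta(), START, steps)
```

From START, a progress of 2.47 at s1 is rejected because x1 would pass through the gap (6, 7) of Inv(s1) even though both endpoints satisfy it, while progress 1, the reset edge to s2 and progress 2.89 form a witness ending in (s2; (3.89; 2.89; 6.41); bab).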
We write →∗A for the transitive closure of →A. Given two valuations C10 and C1, two states s0 and s1, and two stack words w0 and w1, assume the auxiliary clock x0 starts from 0, i.e., C10 is initial. The following result is surprising. It states that, for any initialized pair (C20; C2) with (C10; C1) ≈ (C20; C2), (s0; C10; w0) →∗A (s1; C1; w1) if and only if (s0; C20; w0) →∗A (s1; C2; w1). This result implies that, from the definition of ≈, for any fixed s0; s1; w0 and w1, the pattern of (C10; C1) (instead of the actual values of C10 and C1), the integral values C10, and the integral values C1 are sufficient to determine whether (s0; C10; w0) can reach (s1; C1; w1) in A.
Lemma 6. Let A be a PTA. For any states s0 and s1, any two initial clock valuations C10 and C20, any two clock valuations C1 and C2, and any two stack words w0 and w1, if (C10; C1) ≈ (C20; C2), then
(s0; C10; w0) →∗A (s1; C1; w1) iff (s0; C20; w0) →∗A (s1; C2; w1).
¹ In the definition, we do not have a stack operation on a progress transition. In fact, a translation can be worked out expressing any PTA with stack operations on progress transitions as a PTA as defined in this paper. Since we focus on the clock/stack behaviors of a PTA, instead of the ω-language accepted by it, input symbols are not considered in our definition.
Fig. 3. An example timed automaton A.
Proof. Lemma 5 already gives the result for →A instead of →∗A, noticing that Lemma 5 guarantees that tests (and obviously stack operations) are consistent in (s0; C10; w0) →A (s1; C1; w1) and in (s0; C20; w0) →A (s1; C2; w1). An induction (on the length of →∗A) can be used to show the lemma, by working from (s1; C1; w1) back to (s0; C10; w0).
Example 5. It is time to show an example to convince the reader that Lemma 6 indeed works. Consider the timed automaton A shown in Fig. 3. Let C10 = (0; 4.98; 2.52) and C13 = (5.36; 2.89; 7.88). (s1; C10) →∗A (s2; C13) is witnessed by: (s1; C10) →A (progress by 2.47 at s1) (s1; C11) →A (reset x1 and transit to s2) (s2; C12) →A (progress by 2.89 at s2) (s2; C13). Take a new pair C20 = (0; 4.89; 2.11) and C23 = (5.28; 2.77; 7.39). It is easy to check (C10; C13) ≈ (C20; C23). From Lemma 6, (s1; C20) →∗A (s2; C23). Indeed, this is witnessed by (s1; C20) →A (progress by 2.51 at s1) (s1; C21) →A (reset x1 and transit to s2) (s2; C22) →A (progress by 2.77 at s2) (s2; C23). These two witnesses differ slightly (2.47 and 2.89 vs. 2.51 and 2.77). We choose 2.77 and 2.51 by looking at the first witness backwards. That is, C22 is picked such that (C20; C22) ≈ (C10; C12). Then, C21 is picked such that (C20; C21) ≈ (C10; C11). The existence of C22 and C21 is guaranteed by Lemma 5. Finally, according to Lemma 5 again, C21 is able to go back to C20. This is because C11 goes back to C10 through a one-step transition and C10 is initial.
Now, we express →∗A in a form treating the integral parts and the fractional parts of clock values separately. For any pattern  ∈ , any discrete valuations u0 and u1, and any stack words w0 and w1, define (s0; u0; w0) →∗A; (s1; u1; w1) to be
∃C0 ∃C1 (C0(0) = 0 ∧ C0 = u0 ∧ C1 = u1 ∧ (C0; C1) ∈  ∧ (s0; C0; w0) →∗A (s1; C1; w1)).
Lemma 7. Let A be a PTA. For any states s0 and s1, any initialized pair (C0; C1), and any stack words w0 and w1, (s0; C0; w0) →∗A (s1; C1; w1) iff
⋁_{∈ } ((C0; C1) ∈  ∧ (s0; C0; w0) →∗A; (s1; C1; w1)).
Proof. (⇒) is immediate.
(⇐) uses the following observation (from the definition of →∗A; and Lemma 6): for any pattern , (C0; C1) ∈  ∧ (s0; C0; w0) →∗A; (s1; C1; w1) implies (C0; C1) ∈  ∧ (s0; C0 + C0; w0) →∗A (s1; C1 + C1; w1).
Once we give a characterization of →∗A;, Lemma 7 immediately gives a characterization for →∗A. Fortunately, the characterization of →∗A; is a decidable one, as shown in the next section.
6. The pattern graph of a timed pushdown automaton
Let A = 〈S; {x1; …; xk}; Inv; R; ; PD〉 be a PTA specified in the previous section. The pattern graph G of A is a tuple
〈S × ; {y0; …; yk}; E; A〉;
where
• S is the set of states in A and  is the set of all patterns,
• the discrete clocks y0; …; yk are the integral parts of the clocks x0; …; xk in A,
• E ⊆ S ×  × {STAY; PROG; RESET} × S ×  is a set of (labeled) edges. For all (s; ); (s′; ′) ∈ S ×  and l ∈ {STAY; PROG; RESET}, 〈(s; ); l; (s′; ′)〉 is in E iff one of the following is true:
◦ (a stay edge) l is STAY, s = s′, and ′ =  is a merge pattern.
◦ (a progress edge) l = PROG, s = s′, and ′ = Next().
◦ (a reset edge) l = RESET, and ′ = Resetr(), where R(s; s′) = (c; r) for some c and r.
A stay edge corresponds to progress transitions in A that cause no pattern change. (Notice that a progress transition in A causes no pattern change only from a merge pattern.) A progress edge corresponds to progress transitions in A that cause one pattern change. A reset edge corresponds to a reset transition in A.
A configuration of G is a tuple (s; ; u; w) of a state s ∈ S, a pattern  ∈ , a discrete valuation u ∈ N^{k+1} and a stack word w ∈ ∗. (s; ; u; w) →e (s′; ′; u′; w′) denotes a one-step transition through edge e ∈ E of G if one of the following is true:
• e is a stay edge 〈(s; ); STAY; (s; )〉, s′ = s, ′ = , u′ = u ∈ Inv(s), and w′ = w.
• e is a progress edge 〈(s; ); PROG; (s; ′)〉, s′ = s, (′; u′) = next(; u), u ∈ Inv(s), u′ ∈ Inv(s)′, and w′ = w. We say that yi, 0 ≤ i ≤ k, progresses on e if u′(i) = u(i) + 1.
• e is a reset edge 〈(s; ); RESET; (s′; ′)〉, u ∈ (c ∧ Inv(s)), u′ ∈ Inv(s′)′, resetr(; u) = (′; u′), and w = aw′′; w′ = ,w′′ for some w′′ ∈ ∗, where R(s; s′) = (c; r) and PD(s; s′) = (a; ,) for some c; r; a and ,. Hence, w changes to w′ according to the stack operation.
In the above, Inv(s), Inv(s)′, (c ∧ Inv(s)), and Inv(s′)′ are called tests in G. From Section 4, the tests are clock constraints over the discrete clocks y1; …; yk. We write (s; ; u; w) →G (s′; ′; u′; w′) if (s; ; u; w) →e (s′; ′; u′; w′) for some e. The binary reachability →∗G of G is the transitive closure of →G.
If  is the pattern of (C0; C1), we use init() to denote the pattern of (C0; C0). init() is unique for each . We first show that G faithfully simulates A when the fractional parts of dense clocks are abstracted away by a pattern.
Lemma 8. Let A be a PTA with pattern graph G. For any states s0 and s1 in S, any pattern  ∈ , any stack words w0 and w1 in ∗, and any discrete valuation pair (u0; u1) with u0(0) = 0, we have
(s0; u0; w0) →∗A; (s1; u1; w1) iff (s0; init(); u0; w0) →∗G (s1; ; u1; w1).
Proof. Fix any states s0; s1 ∈ S, any pattern  ∈ , any stack words w0 and w1 in ∗, and any discrete valuation pair (u0; u1) with u0(0) = 0.
(⇒). By the definition of (s0; u0; w0) →∗A; (s1; u1; w1), there exists an initialized pair (C0; C1) such that
• (C0; C1) has pattern ,
• C0 = u0; C1 = u1,
• (s0; C0; w0) →∗A (s1; C1; w1).
In order to show that (s0; [(C0; C0)]; C0; w0) →∗G (s1; [(C0; C1)]; C1; w1) (notice that init() = [(C0; C0)]), it suffices to show that each one-step transition in A can be simulated properly by →∗G: for any valuations C; C′, any states s and s′, and any stack words w and w′, if (s; C; w) →A (s′; C′; w′) then (s; [(C0; C)]; C; w) →∗G (s′; [(C0; C′)]; C′; w′).
Case 1: For any valuation C and state s, consider a progress transition in A, (s; C; w) →A (s; C + ; w′),  > 0, such that (by definition) w = w′ and ∀ 0 ≤ ′ ≤ , C + ′ ∈ Inv(s). Let 0 be the pattern of (C0; C). If C has no pattern change for , then 0 must be a merge-pattern. This progress transition in A can therefore be simply simulated by the stay edge 〈(s; 0); STAY; (s; 0)〉 in G. If, however, C has at least one pattern change for , let the pattern ring of 0 be 0; …; m = 0. This progress transition in A can be simulated by the following path of progress edges in G: looping along
〈(s; 0); PROG; (s; 1)〉; …; 〈(s; m−1); PROG; (s; m = 0)〉
for  times, followed by a prefix of the loop ending with (s; i), for some i, with i being the pattern of (C0; C + ). From Lemma 3, it is not hard to show (s; 0; C; w) →∗G (s; i; C + ; w) through this path in G, noticing that the tests for Inv(s) are consistent in A and in G, and the stack word does not change for progress transitions in both A and G.
Case 2: For any valuation C and states s and s′, consider a reset transition (s; C; w) →A (s′; C ↓r; w′) in A such that (by definition) w = aw′′; w′ = ,w′′ for some w′′ with PD(s; s′) = (a; ,), R(s; s′) = (c; r), C ∈ Inv(s) ∧ c, and C ↓r ∈ Inv(s′). Assume that the pattern of (C0; C) is 0 and the pattern of (C0; C ↓r) is ′0. This reset transition in A corresponds to the reset edge 〈(s; 0); RESET; (s′; ′0)〉 in G. From Lemma 4, (s; 0; C; w) →∗G (s′; ′0; C ↓r; w′) can be established through this edge, noticing that the tests for Inv(s) ∧ c and Inv(s′) are consistent in A and G, and the stack operations are the same in A and G.
(⇐). Suppose that (s0; init(); u0; w0) →∗G (s1; ; u1; w1). We would like to show (s0; u0; w0) →∗A; (s1; u1; w1). Pick any initial valuation C0 such that (C0; C0) has pattern init() and C0 = u0. Suppose that (s0; 0; u0; w0) →e1 · · · →em (sm; m; um; wm) is a path (in G) witnessing (s0; init(); u0; w0) →∗G (s1; ; u1; w1) through edges e1; …; em such that
(s0; 0; u0; w0) = (s0; init(); u0; w0) and (sm; m; um; wm) = (s1; ; u1; w1).
A path in A
(s0; C0; w0) →t1 · · · →tm (sm; Cm; wm)
is constructed as follows, where C0 = C0 and each transition ti in A corresponds to the edge ei in G. For i = 1 to m, each ei belongs to one of the following three cases:
Case 1: ei is a progress edge in G. Then next(i−1; ui−1) = (i; ui), wi = wi−1, and si−1 = si. We pick ti to be a progress transition (at state si−1) in A from Ci−1 by an amount  > 0 that causes exactly one pattern change. Take Ci = Ci−1 + . Notice that neither the progress edge nor the progress transition changes the stack content, i.e., wi = wi−1.
Case 2: ei is a stay edge in G. Then i−1 = i; i−1 must be a merge-pattern, with wi = wi−1 and si−1 = si. We pick ti to be a progress transition (at state si−1) in A from Ci−1 by an amount  > 0 that causes no pattern change. Such a  always exists since the pattern i−1 of (C0; Ci−1) is a merge-pattern. Similarly to Case 1, wi = wi−1.
Case 3: ei is a reset edge from state si−1 to state si with clock resets r in G. Then ti is the reset transition from state si−1 to state si with clock resets r in A. Notice that both ei and ti have the same stack operation. Take Ci = Ci−1 ↓r, and let wi be the result of the stack operation on wi−1.
Notice that, for each i = 1; …; m,
• (C0; Ci) has pattern i,
• Ci = ui.
This can be shown using Lemma 3 for Case 1, the definition of “no pattern change” for Case 2, and Lemma 4 for Case 3. Therefore, this constructed path of A keeps exactly the same patterns and integral parts of clocks, as well as the same stack word, as the path for G. Clock tests (and obviously the stack operations) are consistent between the path in G and the constructed path in A. Hence, (s0; u0; w0) →∗A; (s1; u1; w1) since, by taking C1 = Cm,
• (C0; C1) has pattern ,
• C0 = u0; C1 = u1,
• (s0; C0; w0) →∗A (s1; C1; w1).
Before we proceed further to show that the binary reachability →∗G of G is NPCA, we point out a property of G. Let yi and yj (1 ≤ i; j ≤ k) be two discrete clocks. Suppose that (s; ; u; w) →∗G (s′; ′; u′; w′) through a sequence 0 of one-step transitions during which yi and yj do not reset. Then the absolute value of the difference between the net increment made toward yi on 0 and the one toward yj is bounded by 1, i.e.,
|(u′(i) − u(i)) − (u′(j) − u(j))| ≤ 1. (*)
The reason is as follows. According to the definition of G, if i1 and j1 are in the same position in , then yi and yj progress (i.e., yi := yi + 1 and yj := yj + 1) at the same time on 0. If i1 and j1 are in different positions in , then yi and yj progress alternately on 0. Either case gives (*).
Recall that, in an NPCA, each counter can add 1, subtract 1, or stay unchanged. Those counter assignments are called standard assignments. The NPCA can also test whether a counter is equal to, greater than, or less than an integer constant. Those tests are called standard tests. G can be considered as an NPCA where the discrete clocks y0; …; yk are treated as counters. However, looking carefully at the definition of G, we notice that, in addition to the standard assignments yi := yi + 1 (0 ≤ i ≤ k), G also has nonstandard assignments yi := 0 (1 ≤ i ≤ k). Moreover, the tests in G are Boolean combinations of yi ∼ d and yi − yj ∼ d (wlog, 1 ≤ i ≤ j ≤ k), which are not standard tests. A special case of G is that y1; …; yk always progress at the same time (hence, in (*), the bound is 0 instead of 1). Under this special case, a technique presented in [20,22] can be used directly to replace the tests in G with finite table look-ups. In the following proof, the technique is modified to handle the general case of G. That is, →∗G can be accepted by a reversal-bounded NPCA using standard tests and nonstandard assignments. Then, we show that the nonstandard assignments can be made standard and the counters are reversal-bounded.
Lemma 9. For any PTA A, the binary reachability →∗G of the pattern graph G of A is NPCA. In particular, if A is a timed automaton, then the binary reachability →∗G is Presburger.
Proof. We construct the NPCA M that accepts →∗G. M is given a pair of string encodings of configurations (s; ; u; w) and (s′; ′; u′; w′) (separated by a delimiter not in the stack alphabet) on its one-way input tape. In the encodings, s; s′;  and ′ are treated as integers in a bounded range. In particular, the stack word w′ is reversed in the encoding (the reason will be made clear in a moment). On reading (s; ; u; w), M remembers s and  in its finite control, and copies u and w into its k + 1 counters (we still use y0; …; yk to denote them) and the stack, respectively. Thus, M’s input head stops at the beginning of (s′; ′; u′; w′). M starts simulating G from configuration (s; ; u; w) as follows, with the stack operations in G being exactly simulated on its own stack.
Tests in G are Boolean combinations of yi ∼ d and yi − yj ∼ d for 1 ≤ i ≤ j ≤ k. Assume that m is two plus the maximal absolute value of all the d’s that appear in the tests of G. For each 1 ≤ i ≤ j ≤ k, let entry aij (resp. bi) be a finite state variable in
{−m; …; 0; …; m} (resp. in {0; …; m}). In the following, we demonstrate a technique to eliminate the tests in G, based on the definition of finite table lookups aij ∼ d and bi ∼ d that replace the tests yi − yj ∼ d and yi ∼ d.
The initial values of the entries are constructed directly from the values u in configuration (s; ; u; w) on the input tape, for each 1 ≤ i ≤ j ≤ k:
• aij := u(i) − u(j) if |u(i) − u(j)| < m,
• aij := m if u(i) − u(j) ≥ m,
• aij := −m if u(i) − u(j) ≤ −m,
• bi := u(i) if u(i) < m,
• bi := m if u(i) ≥ m.
The procedure for updating the entries is given below, in which “⊕1” means adding one if the result does not exceed m, else keeping the same value, and “⊖1” means subtracting one if the result is not less than −m, else keeping the same value. We modify G as follows. Let e be an edge of G. If e is a stay edge, the entries remain unchanged on e. If e is a progress edge, we use 1 to denote the set of all the yi’s that progress on e. In this case, the entries are updated by adding the following instructions to e, for each 1 ≤ i ≤ j ≤ k:
• aij := aij if yi ∈ 1 and yj ∈ 1, or yi ∉ 1 and yj ∉ 1,
• aij := aij ⊕ 1 if yi ∈ 1 and yj ∉ 1,
• aij := aij ⊖ 1 if yi ∉ 1 and yj ∈ 1,
• bi := bi if yi ∉ 1,
• bi := bi ⊕ 1 if yi ∈ 1.
If e is a reset edge, we use r to denote the set of all the yi’s that are reset on e. In this case, the entries are updated by adding the following instructions to e, for each 1 ≤ i ≤ j ≤ k:
• aij := 0 if yi ∈ r and yj ∈ r,
• aij := −bj if yi ∈ r and yj ∉ r,
• aij := bi if yi ∉ r and yj ∈ r,
• aij := aij if yi ∉ r and yj ∉ r,
followed by the following instructions, for each 1 ≤ i ≤ k:
• bi := bi if yi ∉ r,
• bi := 0 if yi ∈ r.
By adding the above entry updating instructions to G, a configuration of G is now augmented with entry values. The configuration is valid if its counter values and entry values satisfy
(1) for all 1 ≤ i ≤ j ≤ k and for each integer −(m − 2) ≤ d ≤ m − 2, yi − yj ∼ d iff aij ∼ d;
(2) for all 1 ≤ i ≤ k and for each integer −(m − 1) ≤ d ≤ m − 1, yi ∼ d iff bi ∼ d.
That is, the tests yi − yj ∼ d and yi ∼ d can be replaced by aij ∼ d and bi ∼ d, respectively. (Recall that m is chosen such that m − 2 is greater than or equal to the absolute value of any constant d in the tests of G.) Consider an execution of length t, 20 →G · · · →G 2t, in which 20 is the initial configuration (s; ; u; w) (on the input tape)
augmented with the initial entry values. The execution is valid if each 2i (1 ≤ i ≤ t) is valid. We will show:
Claim. After adding the above entry updating instructions to G, any execution of G from 20 is valid.
Proof. We prove it by induction on the length t. Obviously, 20 is valid, i.e., the Claim holds for t = 0. Suppose that the Claim holds for t. Now, consider an execution of length t + 1, 20 →G · · · →G 2t →G 2t+1, in which 20; …; 2t are all valid. It suffices to show that 2t+1 is valid. Assume that e is the edge witnessing 2t →G 2t+1. We only deal with four special cases that would make 2t+1 violate (1); the remaining cases, which are omitted here, are completely analogous to a similar proof presented in [18,20]. Fix any 1 ≤ i < j ≤ k. e is a progress edge with 1 being the set of discrete clocks that progress on e. The cases are:
Case 1: On e, yi ∉ 1 and yj ∈ 1. In 2t, aij = m − 1 and yi − yj ≥ m.
Case 2: On e, yi ∉ 1 and yj ∈ 1. In 2t, aij = m and yi − yj = m − 1.
Case 3: On e, yi ∈ 1 and yj ∉ 1. In 2t, aij = −(m − 1) and yi − yj ≤ −m.
Case 4: On e, yi ∈ 1 and yj ∉ 1. In 2t, aij = −m and yi − yj = −(m − 1).
Each of the cases makes 2t+1 invalid. For instance, under Case 1, according to the entry updating instructions, aij = m − 2 and yi − yj ≥ m − 1 in 2t+1. Taking d = m − 2, we have aij = d but yi − yj ≠ d, which contradicts (1). Fortunately, none of the four cases is possible. We only show Case 1; the rest are similar. Suppose that Case 1 is true. For convenience, we shall use a^t_ij, b^t_i and y^t_i to denote the values of aij, bi and yi in configuration 2t. t0 denotes a number such that either yi or yj resets when G reaches 2t0 on the execution (if no such t0 exists, take t0 = 0). In addition, from 2t0 to 2t+1, yi and yj do not reset. Since, from the conditions of Case 1, yj progresses but yi does not progress on the edge e that leads from 2t to 2t+1, one of the following items is true:
(a) there is a t1 with t0 ≤ t1 < t such that, from 2t1 to 2t, yi progresses but yj does not progress,
(b) from 2t0 to 2t, yi and yj do not progress.
This is because, from property (*) mentioned earlier, yi and yj must progress alternately. For (a), it is observed that y^{t1}_i − y^{t1}_j = (y^t_i − 1) − y^t_j and a^t_ij = a^{t1}_ij ⊕ 1. From the conditions in Case 1, we have y^{t1}_i − y^{t1}_j ≥ m − 1 and a^{t1}_ij = m − 2. This contradicts (1) for 2t1. For (b), we have y^{t0}_i − y^{t0}_j = y^t_i − y^t_j ≥ m and a^{t0}_ij = a^t_ij = m − 1. From these two facts and the definition of t0, if t0 ≠ 0, then y^{t0}_j = 0 and a^{t0}_ij = b^{t0}_i. Therefore, y^{t0}_i ≥ m but b^{t0}_i = m − 1. This contradicts (2) for 2t0. If, however, t0 = 0, then the above two facts y^{t0}_i − y^{t0}_j ≥ m and a^{t0}_ij = m − 1 already contradict the definition of the initial value for aij.
This ends the proof of the Claim. Thus, it is valid for M to use aij ∼ d for the test yi − yj ∼ d and bi ∼ d for the test yi ∼ d. At some point, M guesses that it has reached the configuration (s′; ′; u′; w′) by comparing the counter values and the stack content with (s′; ′; u′; w′) on the rest of the input tape. M accepts iff such a comparison succeeds. Clearly M accepts →∗G. There is a slight problem when M compares its own stack content with (s′; ′; u′; w′) on the one-way input tape by
popping the stack. The reason is that popping the stack reads the reverse of the stack content. However, recall that the encoding of the stack word in (s′; ′; u′; w′) on the input tape is reversed. Thus, such a comparison can proceed.
Now, M only uses standard tests. However, the assignments in M, in the form of yi := yi + 1 (0 ≤ i ≤ k) and yi := 0 (1 ≤ i ≤ k), are still not standard. We now show that these assignments can be made standard, while the machine is still reversal-bounded. Let M′ be an NPCA that is exactly the same as M. M′ simulates M’s computation from the configuration (s; ; u; w). Initially, each yi takes the value of u(i) and M′ calculates the initial values for all entries aij and bi from u. The calculations can be implemented with the help of a number of auxiliary reversal-bounded counters. However, for each 1 ≤ i ≤ k, each time that M executes an assignment yi := yi + 1 or yi := 0, M′ does nothing to yi. The stack operations in M are faithfully simulated by M′ on its own stack. For each 1 ≤ i ≤ k, at some point, either initially or at a moment when yi := 0 is being executed by M, M′ guesses (only once for each i) that yi will not reset afterward. When the guess for i happens at yi := 0, M′ decrements yi to 0. After such a guess for i, an execution of yi := yi + 1 will also cause yi to be incremented by 1. However, a later execution of yi := 0 in M will cause M′ to abort abnormally (without accepting the input). At some point after all 1 ≤ i ≤ k have been guessed, M′ guesses that it has reached the configuration (s′; ′; u′; w′). Then, M′ compares its current configuration with (s′; ′; u′; w′) as M does. Clearly, M′ accepts →∗G and each yi in M′ is reversal-bounded. Hence, →∗G is NPCA.
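An added example (not the paper's code) of the entry-table bookkeeping from the proof of Lemma 9 above, with the counters indexed 0..k−1 and a dense-clock driver constructed to generate progress and reset edges that respect property (*); it replays the integral parts of the run from Example 5 and also shows that validity is lost as soon as (*) is violated.

```python
"""Finite-table elimination of counter tests (added example, not the paper's
code).  As in the proof of Lemma 9, tests y_i - y_j ~ d and y_i ~ d on the
unbounded discrete clocks are answered from bounded entries a_ij in {-m..m}
and b_i in {0..m}.  Counters are indexed 0..k-1 here; the dense-clock driver
and the sample runs are constructed for illustration.
"""
from fractions import Fraction
from itertools import combinations_with_replacement


class EntryTable:
    def __init__(self, u, m):
        # u: counter values read from the input configuration (s, eta, u, w).
        self.m, self.k = m, len(u)
        self.y = list(u)     # the unbounded counters, kept only to check validity
        self.a = {(i, j): max(-m, min(m, u[i] - u[j]))      # saturate at +-m
                  for i, j in combinations_with_replacement(range(self.k), 2)}
        self.b = [min(m, v) for v in u]

    def _inc(self, v):  # "(+)1": add one unless the result would exceed m
        return v + 1 if v < self.m else v

    def _dec(self, v):  # "(-)1": subtract one unless the result would drop below -m
        return v - 1 if v > -self.m else v

    def progress(self, delta):
        """Progress edge on which exactly the counters in `delta` add 1."""
        for (i, j), v in self.a.items():
            if i in delta and j not in delta:
                self.a[i, j] = self._inc(v)
            elif i not in delta and j in delta:
                self.a[i, j] = self._dec(v)
        for i in delta:
            self.b[i] = self._inc(self.b[i])
            self.y[i] += 1

    def reset(self, r):
        """Reset edge: the counters in `r` become 0; the a's use the old b's."""
        for i, j in self.a:
            if i in r and j in r:
                self.a[i, j] = 0
            elif i in r:
                self.a[i, j] = -self.b[j]
            elif j in r:
                self.a[i, j] = self.b[i]
        for i in r:
            self.b[i] = 0
            self.y[i] = 0

    def valid(self):
        """Conditions (1) and (2): entries and counters answer every test
        y_i - y_j ~ d with |d| <= m-2 and y_i ~ d with |d| <= m-1 alike."""
        sign = lambda x, d: (x < d, x == d, x > d)
        m = self.m
        if any(sign(self.y[i] - self.y[j], d) != sign(v, d)
               for (i, j), v in self.a.items() for d in range(-(m - 2), m - 1)):
            return False
        return all(sign(self.y[i], d) == sign(self.b[i], d)
                   for i in range(self.k) for d in range(-(m - 1), m))


def timed_run(ints, fracs, steps, m):
    """Drive an EntryTable from a constructed dense-clock run: a "progress" step
    lets time pass until the next clock(s) reach an integer value (that is when
    a progress edge of G adds 1 to exactly those y_i); ("reset", r) zeroes the
    clocks in r.  All clocks advance together, so property (*) holds by
    construction.  Returns the table and whether every configuration was valid."""
    table, frac = EntryTable(ints, m), [Fraction(f) for f in fracs]
    ok = True
    for step in steps:
        if step == "progress":
            gap = min(1 - f for f in frac)
            frac = [f + gap for f in frac]
            table.progress({i for i, f in enumerate(frac) if f == 1})
            frac = [f - 1 if f == 1 else f for f in frac]
        else:
            table.reset(set(step[1]))
            for i in step[1]:
                frac[i] = Fraction(0)
        ok = ok and table.valid()
    return table, ok


def example5_run(m=3):
    """Integral parts of the run in Example 5: from (0, 4.98, 2.52) progress
    2.47, reset x1, progress 2.89; the integral parts end at (5, 2, 7)."""
    steps = ["progress"] * 7 + [("reset", [1])] + ["progress"] * 8
    return timed_run([0, 4, 2], ["0", "0.98", "0.52"], steps, m)


def without_alternation(m=3):
    """Steps violating (*): counter 0 runs 2m ahead, then counter 1 alone
    catches up by m.  The saturated entry then answers a test wrongly."""
    table = EntryTable([0, 0], m)
    for _ in range(2 * m):
        table.progress({0})
    ok_before = table.valid()
    for _ in range(m):
        table.progress({1})
    return ok_before, table.valid()
```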
In particular, when A is a timed automaton, →∗G defines a set of integer tuples (without stack words). It is known that such a set is NPCA iff it is Presburger [28]. Therefore, if A is a timed automaton, →∗G is Presburger.
Now, we conclude this section by claiming that →∗A; is NPCA, by combining Lemmas 8 and 9.
Lemma 10. For any PTA A and any fixed pattern  ∈ , →∗A; is NPCA. In particular, if A is a timed automaton, then →∗A; is Presburger.
7. A decidable binary reachability characterization and automatic verification
Recall that PTA A actually has clocks x1; …; xk; x0 is the auxiliary clock. The binary reachability ❀∗BA of A is the set of tuples
〈s; v1; …; vk; w; s′; v′1; …; v′k; w′〉
such that there exist v0 = 0 and v′0 ∈ D+ satisfying
(s; v0; …; vk; w) ❀∗A (s′; v′0; …; v′k; w′).
The main theorem of this paper gives a decidable characterization for the binary reachability as follows.
Theorem 1. The binary reachability ❀∗BA of a PTA A is (D + NPCA)-definable. In particular, if A is a timed automaton, then the binary reachability ❀∗BA can be expressed in the additive theory of reals (or rationals) and integers.
Proof. From Lemma 7, ❀∗BA is definable by the following formula:
∃u′0 ∈ N ∃v′0 ∈ D̂+ ( ⋁_{∈ } ( ((0; v1; …; vk); (v′0; …; v′k)) ∈  ∧ (s; (0; u1; …; uk); w) ❀∗A; (s′; (u′0; …; u′k); w′) ) )
on integer variables s; u1; …; uk; s′; u′1; …; u′k (over N), dense variables v1; …; vk; v′1; …; v′k (over D̂+ = D+ ∩ [0; 1)), and word variables w and w′. This formula is equivalent to
⋁_{∈ } P^{D+}(v1; …; vk; v′1; …; v′k) ∧ Q^Z(s; u1; …; uk; w; s′; u′1; …; u′k; w′)
where P^{D+}(v1; …; vk; v′1; …; v′k) stands for
∃v′0 ∈ D̂+ (((0; v1; …; vk); (v′0; …; v′k)) ∈ )
and Q^Z(s; u1; …; uk; w; s′; u′1; …; u′k; w′) stands for
∃u′0 ((s; (0; u1; …; uk); w) ❀∗A; (s′; (u′0; …; u′k); w′)).
From the definition of patterns, P^{D+}, after eliminating the existential quantification, is a dense linear relation. On the other hand, Q^Z (after eliminating the existential quantification, from Lemmas 10 and 2) is NPCA. Therefore, ❀∗BA is (D + NPCA)-definable.
In particular, if A is a timed automaton, ❀∗BA is (D + NPCA)-definable by a formula in the additive theory of reals (or rationals) and integers. Hence, ❀∗BA itself can be expressed in the same theory.
The importance of the above characterization for ❀∗BA is that, from Lemma 2, the emptiness of (D + NPCA)-definable predicates is decidable. From Theorem 1 and Lemma 2(3)(4), we have
Theorem 2. The emptiness of l ∩ ❀∗BA with respect to a PTA A for any mixed linear relation l is decidable.
The emptiness of l ∩ ❀∗BA is called a mixed linear property of A. Many interesting safety properties (or their negations) for PTAs can be expressed as a mixed linear
property. For instance, consider the following property of a PTA A with three dense
clocks x1, x2 and x3:
“for any two con%gurations 2 and 5 with 2 ❀∗BA 5, if the diDerence between 5x3
(the value of clock x3 in 5) and 2x1 +2x2 (the sum of clocks x1 and x2 in 2) is greater
than the diDerence between #a(2w) (the number of symbol a appearing in the stack
word in 2) and #b(5w) (the number of symbol b appearing in the stack word in 5),
then #a(2w)− 2#b(5w) is greater than 5.”
The negation of this property can be expressed as the emptiness of
(s; x1; x2; x3; w)❀∗BA (s
′; x′1; x
′
2; x
′
3; w
′) ∧ l
where l is the negation of a mixed linear relation (hence l itself is also a mixed linear
relation):
x′3 − (x1 + x2) ¿ #a(w)− #b(w′)→ #a(w)− 2#b(w′) ¿ 5:
Thus, from Theorem 2, this property can be automatically verified. We need to point
out that
• $x'_3 - (x_1 + x_2) > \#a(w) - \#b(w')$ is a linear relation on both dense variables and
discrete variables. Thus, this property cannot be verified by using the decidable
characterization for discrete PTAs [20], where only integer-valued clocks are considered.
• Even without clocks, $\#a(w) - 2\#b(w') > 5$ expresses a nonregular set of stack word
pairs. Therefore, this property cannot be verified by the model-checking procedures
for pushdown systems [9,24].
• Even without the pushdown stack, $x'_3 - (x_1 + x_2) > 0$ (by taking $\#a(w) - \#b(w')$ as
a constant such as 0) is not a clock region; therefore, the classical region-based
techniques cannot verify this property. This is also pointed out in [17].
• With both dense clocks and the pushdown stack, this property cannot be verified by
using the region-based techniques for Timed Pushdown Systems [10].
When A is a timed automaton, by Theorem 1, the binary reachability $\leadsto^{*}_{A}$ can be
expressed in the additive theory of reals (or rationals) and integers. Notice that our
characterization is essentially equivalent to the one given by Comon and Jurski [17] in
which $\leadsto^{*}_{A}$ can be expressed in the additive theory of reals augmented with a predicate
telling whether a term is an integer. Because the additive theory of reals and integers
is decidable [8,9], we have,
Theorem 3. The truth value for any closed formula expressible in the (first-order)
additive theory of reals (or rationals) augmented with a predicate $\leadsto^{*}_{A}$ for a timed
automaton A is decidable (also shown in [17]).
For instance, consider the following property for a timed automaton A with two
real clocks:
“there are states s and s′ such that, for any $x_1, x_2, x'_2$, there exists $x'_1$ such that if
$(s, x_1, x_2)$ can reach $(s', x'_1, x'_2)$ in A, then $x_1 - x_2 > x'_1 - x'_2$.”
It can be expressed as
$$\exists s, s'\ \forall x_1, x_2, x'_2\ \exists x'_1\ \big((s, x_1, x_2) \leadsto^{*}_{A} (s', x'_1, x'_2) \to x_1 - x_2 > x'_1 - x'_2\big),$$
and thus can be verified according to Theorem 3.
8. Conclusions, discussions and future work
In this paper, we consider PTAs that are timed automata augmented with a pushdown
stack. A configuration of a PTA includes a state, finitely many dense clock values and
a stack word. By introducing the concept of a clock pattern and using an automata-
theoretic approach, we give a decidable characterization of the binary reachability of a
PTA. Since a timed automaton can be treated as a PTA without the pushdown stack,
we can show that the binary reachability of a timed automaton is definable in the
additive theory of reals and integers. The results can be used to verify a class of safety
properties containing linear relations over both dense variables and unbounded discrete
variables.
A PTA studied here can be regarded as the timed version of a pushdown machine.
Carefully looking at the proofs of the decidable binary reachability characterization,
we find that the underlying untimed machine (e.g., the pushdown machine) is not
essential. We can replace it with many other kinds of machines and the resulting timed
system still has a decidable binary reachability characterization. We will summarize
some of these machines in this section.
Consider a class of machines X. We use XCM to denote machines in X augmented
with reversal-bounded counters. We are looking at the binary reachability characteri-
zation of the timed version of machines in X. The characterization is established in
the previous sections when X represents pushdown machines. In the proofs, the pattern
technique is used, in which (1) a dense clock is separated into a fractional part and
an integral part and (2) the fractional parts of dense clocks are abstracted as a pattern
and the integral parts are translated into reversal-bounded counters. The result of the
translation is the underlying untimed machine in X augmented with these reversal-
bounded counters, i.e., a machine in XCM. Suppose that a class of automata Y accepts
the binary reachability of machines in XCM. In the case of X being pushdown ma-
chines, XCM represents NPCAs and Y can be chosen as NPCAs (it is known that
the binary reachability of NPCAs can be accepted by NPCAs [20]). The fact that this
Y (i.e., NPCA) satisfies Lemma 2 is the only condition we need in order to obtain
the decidable reachability characterization in Theorem 1. Definitions like NPCA predi-
cates and (D+NPCA)-definability can be accordingly modified into Y predicates and
(D+Y)-definability once Y is clear. The above discussions give the following result.
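The two steps of the pattern technique just summarized, worked through as an added example (this is not code from the paper): a dense clock valuation is split into integral parts, which are kept as counters, and fractional parts, which are abstracted to a pattern; the pattern's time successor and a clock reset are then computed and checked against concrete time elapse. The encoding of a pattern as (zero group, ordered positive-fraction groups) and the region-style successor rule are this example's own assumptions, not the paper's definitions.

```python
from fractions import Fraction
from math import floor


def pattern_of(clocks):
    """Abstract a valuation {clock: value} to (Z, G): Z = clocks with fractional
    part 0, G = groups of clocks sharing a positive fractional part, ordered by
    increasing fractional part.  This encoding is our assumption."""
    groups = {}
    for c, v in clocks.items():
        groups.setdefault(Fraction(v) - floor(v), set()).add(c)
    zero = frozenset(groups.pop(Fraction(0), set()))
    return zero, tuple(frozenset(groups[f]) for f in sorted(groups))


def counters_of(clocks):
    """Integral parts, one counter per clock: time progress only increments
    them and a reset zeroes them, so they are reversal-bounded counters."""
    return {c: floor(v) for c, v in clocks.items()}


def time_successor(pattern, counters):
    """Next pattern/counters as time elapses (region-style rule, assumed).
    Clocks with fractional part 0 become the smallest positive-fraction group;
    otherwise the largest-fraction group reaches the next integer, becomes the
    zero group, and its counters are incremented."""
    zero, ordered = pattern
    counters = dict(counters)
    if zero:
        return (frozenset(), (zero,) + ordered), counters
    if not ordered:            # no clocks: nothing changes
        return pattern, counters
    for c in ordered[-1]:
        counters[c] += 1
    return (ordered[-1], ordered[:-1]), counters


def reset(pattern, counters, clock):
    """Reset one clock: it joins the zero group and its counter becomes 0."""
    zero, ordered = pattern
    ordered = tuple(g - {clock} for g in ordered if g - {clock})
    return (zero | {clock}, ordered), dict(counters, **{clock: 0})


def elapse(clocks, delta):
    """Concrete time elapse, to check the abstraction against real values."""
    return {c: Fraction(v) + Fraction(delta) for c, v in clocks.items()}


if __name__ == "__main__":
    # Constructed sample valuation (dyadic values, hence exact as floats).
    clocks = {"x1": 1.5, "x2": 0.25, "x3": 2}
    p, c = pattern_of(clocks), counters_of(clocks)
    for _ in range(4):
        print(sorted(p[0]), [sorted(g) for g in p[1]], c)
        p, c = time_successor(p, c)
```

Each abstract successor coincides with the pattern of the concrete valuation after a suitable delay, which is the soundness the translation to XCM relies on.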
Theorem 4. Let Y be a class of automata, X be a class of machines and XCM be
the class of machines in X augmented with reversal-bounded counters. If, for each
machine in XCM, an automaton in Y can be constructed that accepts the binary
reachability of the machine, and Lemma 2 holds (replacing NPCA with Y), then the
binary reachability of the timed version of X is (D+Y)-definable.
Notice that Lemma 2(4) requires that the emptiness problem for Y in Theorem 4
be decidable. Theorem 2 then follows immediately from Theorem 4 for the timed
version of X.
According to Theorem 4, the timed version of the following machines X has a decid-
able (D+Y)-definable characterization for binary reachability by properly choosing Y:
• NPCA. Here Y = NPCA;
• NCM with an unrestricted counter. Notice that the counter is a special case of a
pushdown stack (when the stack alphabet is unary). Here Y = NPCA;
• Finite-crossing NCM [28] (i.e., NCM augmented with a finite-crossing read-only
worktape. The head on the worktape is two-way, but for each cell of the tape, the
head crosses only a bounded number of times). Here, Y is finite-crossing NCAs
[28] that are NCM augmented with a finite-crossing input tape;
• Reversal-bounded multipushdown machines [18] that are multipushdown machines
[13] augmented with reversal-bounded counters. Here, Y is reversal-bounded multi-
pushdown automata [18].
Let X be a class of machines. The pattern technique tells us that, for a decidable
binary reachability characterization of the timed version of X, the density of clocks
(and even clocks themselves) is not the key issue. This is because, using the technique,
these dense clocks can be reduced to reversal-bounded integer counters. The key issue is
whether X and its reversal-bounded version XCM have a decidable binary reachability
characterization (i.e., the binary reachability can be accepted by a class Y of automata
with a decidable emptiness problem). In particular, when the binary reachability of
X is effectively semilinear (and hence the binary reachability is decidable), in most
cases, the binary reachability of XCM is also effectively semilinear. Such X includes
all the machines mentioned above. In this case, once we can show that the untimed
machines in X have a decidable binary reachability characterization, we are getting
really close to the decidable characterization for their timed version. But, we do have
exceptions. For instance, consider X to be a finite state machine with a two-way read
only worktape. X has a decidable binary reachability characterization (witnessed by
one-way multitape finite automata). However, augmenting X with reversal-bounded
counters makes the binary reachability undecidable. The pitfall here is that a two-way
tape makes reversal-bounded counters too powerful. In fact, the emptiness problem
is undecidable for two-way automata augmented with reversal-bounded counters. In
the case when there is only one reversal-bounded counter, the emptiness problem is
decidable if the machines are deterministic. The nondeterministic case is still open [29].
In practice, augmenting timed automata with other unbounded data structures allows
us to study more complex real-time applications. For instance, the decidable charac-
terization of PTAs makes it possible to implement a tool verifying recursive real-time
programs containing finite-state variables against safety properties containing linear
constraints over dense clocks and stack word counts. This tool will be a good comple-
ment to available tools for recursive finite state programs (for regular safety properties,
e.g., termination) [7,23]. On the other hand, the pattern technique is not intended to
replace the traditional region-based technique used in the existing tools analyzing real-
time systems (such as UPPAAL [32] and its extensions [31], TREX [31], HyTECH
[27], Kronos [12]). In fact, the pattern technique is also a good complement to the
region technique. When verifying timing requirements in the form of clock regions,
the region technique is employed. However, when verifying some complex timing re-
quirements that may not be in the form of clock regions, one might find the pattern
technique useful. Therefore, the tools may be enhanced with the pattern technique. The
results in this paper can also be used to implement a model-checker for a subset of the
real-time specification language ASTRAL [14]. The subset includes history-independent
ASTRAL specifications containing both dense clocks and unbounded discrete control
variables.
As mentioned in this section, the timed version of NPCA (i.e., PTAs further aug-
mented with reversal-bounded counters) also has a decidable characterization. This
timed model has many important applications. For instance, a real-time recursive pro-
gram (containing unbounded integer variables) can be automatically debugged using
the reversal-bounded approximation (i.e., assign a reversal-bound to the variables). Ad-
ditionally, a free counter (i.e., an unrestricted counter) is a special case for a pushdown
stack (when the stack alphabet is unary). Therefore, this model can also be used to spec-
ify real-time systems containing a free counter and many reversal-bounded counters. It
seems that “reversal-bounded counters” appear unnatural and therefore their applications
in practice are remote. However, a nondecreasing counter is also a reversal-bounded
counter (with zero reversal-bound). This kind of counter has a lot of applications.
For instance, a nondecreasing counter can be used to count digital time elapse, the
number of external events, the number of times a particular branch is taken by a nondetermin-
istic program (this is important when fairness is taken into account), etc. For instance,
consider a timed automaton with input symbols (i.e., a transition is triggered by an
external event as well as the enabling condition). We use $\#a$ to denote the number
of occurrences of event a so far. The enabling condition of a transition, besides clock con-
straints, may also include comparisons of the counts $\#a$ against an integer constant and
comparisons of one specific linear term T (on all $\#a$) against an integer constant. For
instance, a transition may look like this (in pseudo-code):
s: if event(a) and x2 − x1 > 10 and #b > 21 and 2#c − 3#b < 5, then progress();
goto s′
where $x_1$ and $x_2$ are dense clocks. Notice that comparisons of the linear term $2\#c - 3\#b$
against an integer constant may show up in other transitions. But this term is unique in
the automaton: a comparison like $4\#a - 3\#b > 8$ that involves a different term $4\#a - 3\#b$
cannot be used in the enabling conditions of the automaton. This timed automaton is
a standard timed automaton augmented with reversal-bounded counters $\#a$ (which are
nondecreasing) and a free counter (representing the linear term $2\#c - 3\#b$). Hence, the
following property can be automatically verified:
“It is always true that whenever $x_1 - 7\#b + 3x_2 > 2\#a$ holds, $x_1$ must be greater than
$\#c - \#a$.”
A future research issue is to investigate whether the decidable results [22] for Pres-
burger liveness of discrete timed automata can be extended to timed automata (with
dense clocks) using the technique in this paper. We are also going to look at the
possibility of extending the approximation approaches for parameterized discrete timed
automata [21] to the dense clocks. This is particularly interesting, since the reachability
set presented in [21] is not necessarily semilinear. Another issue is on the complexity
analysis of the decision procedure presented in this paper. However, the complexity
for the emptiness problem of NPCAs is still unknown, though it is believed that it can
be derived along Gurari and Ibarra [25]. Future work may also include investigating
a fragment of a dense time linear temporal logic that has a decidable model-checking
problem for PTAs, following the work of Comon and Cortier [15].
Acknowledgements
The author would like to thank H. Comon and O. H. Ibarra for discussions on the
topic of dense timed pushdown automata during CAV’00 in Chicago, B. Boigelot, P.
San Pietro and J. Su for recent discussions on [9], J. Nelson, F. Sheldon and G. Xie
for reading an earlier draft of this paper, and T. Bultan, H. Comon, J. Esparza and K.
Larsen for comments on the short version of this paper presented in CAV’01 in Paris.
Thanks also go to the anonymous referee for many useful suggestions.
References
[1] R. Alur, Timed automata, CAV’99, Lecture Notes in Computer Science, Vol. 1633, Springer, Berlin,
1999, pp. 8–22.
[2] R. Alur, C. Courcoubetis, D. Dill, Model-checking in dense real time, Inform. Comput. 104 (1993)
2–34.
[3] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (1994) 183–236.
[4] R. Alur, T. Feder, T.A. Henzinger, The benefits of relaxing punctuality, J. ACM 43 (1996) 116–146.
[5] R. Alur, T.A. Henzinger, Real-time logics: complexity and expressiveness, Inform. Comput. 104 (1993)
35–77.
[6] R. Alur, T.A. Henzinger, A really temporal logic, J. ACM 41 (1994) 181–204.
[7] T. Ball, S.K. Rajamani, Bebop: a symbolic model-checker for Boolean programs, Spin Workshop’00,
Lecture Notes in Computer Science, Vol. 1885, Springer, Berlin, 2000, pp. 113–130.
[8] J.R. Buchi, On a decision method in restricted second order arithmetic, Proc. Internat. Congress on
Logic, Method, and Philosophy of Sciences, Stanford University Press, Stanford, CA, 1962, pp. 1–12.
[9] B. Boigelot, S. Rassart, P. Wolper, On the expressiveness of real and integer arithmetic automata,
ICALP’98, Lecture Notes in Computer Science, Vol. 1443, Springer, Berlin, 1998, pp. 152–163.
[10] A. Bouajjani, R. Echahed, R. Robbana, On the automatic verification of systems with continuous
variables and unbounded discrete data structures, in: P.J. Antsaklis, W. Kohn, A. Nerode, S. Sastry
(Eds.), Hybrid System II, Lecture Notes in Computer Science, Vol. 999, Springer, Berlin, 1995,
pp. 64–85.
[11] A. Bouajjani, J. Esparza, O. Maler, Reachability Analysis of Pushdown Automata: Application to
Model-Checking, CONCUR’97, Lecture Notes in Computer Science, Vol. 1243, Springer, Berlin, 1997,
pp. 135–150.
[12] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, S. Yovine, Kronos: A model-checking tool
for real-time systems, CAV’98, Lecture Notes in Computer Science, Vol. 1427, Springer, Berlin,
1998, pp. 546–550.
[13] A. Cherubini, L. Breveglieri, C. Citrini, S. Crespi Reghizzi, Multi-push-down languages and grammars,
Internat. J. Foundations Comput. Sci. 7 (3) (1996) 253–291.
[14] A. Coen-Porisini, C. Ghezzi, R. Kemmerer, Specification of real-time systems using ASTRAL, IEEE
Trans. Software Eng. 23 (1997) 572–598.
[15] H. Comon, V. Cortier, Flatness is not a weakness, CSL’00, Lecture Notes in Computer Science, Vol.
1862, Springer, Berlin, 2000, pp. 262–276.
[16] H. Comon, Y. Jurski, Multiple counters automata, safety analysis and Presburger arithmetic, CAV’98,
Lecture Notes in Computer Science, Vol. 1427, Springer, Berlin, 1998, pp. 268–279.
[17] H. Comon, Y. Jurski, Timed automata and the theory of real numbers, CONCUR’99, Lecture Notes in
Computer Science, Vol. 1664, Springer, Berlin, 1999, pp. 242–257.
[18] Z. Dang, Debugging and verification of infinite state real-time systems, Ph.D. Dissertation, University
of California, Santa Barbara, August 2000.
[19] Z. Dang, Binary reachability analysis of pushdown timed automata with dense clocks, CAV’01, Lecture
Notes in Computer Science, Vol. 2102, Springer, Berlin, 2001, pp. 506–517.
[20] Z. Dang, O.H. Ibarra, T. Bultan, R.A. Kemmerer, J. Su, Binary reachability analysis of discrete
pushdown timed automata, CAV’00, Lecture Notes in Computer Science, Vol. 1855, Springer, Berlin,
2000, pp. 69–84.
[21] Z. Dang, O.H. Ibarra, R.A. Kemmerer, Decidable approximations on generalized and parameterized
discrete timed automata, COCOON’01, Lecture Notes in Computer Science, Vol. 2108, Springer, Berlin,
2001, pp. 529–539.
[22] Z. Dang, P. San Pietro, R.A. Kemmerer, On Presburger liveness of discrete timed automata, STACS’01,
Lecture Notes in Computer Science, Vol. 2010, Springer, Berlin, 2001, pp. 132–143.
[23] J. Esparza, S. Schwoon, A BDD-based model-checker for recursive programs, CAV’01, Lecture Notes
in Computer Science, Vol. 2102, Springer, Berlin, 2001, pp. 324–336.
[24] A. Finkel, B. Willems, P. Wolper, A direct symbolic approach to model checking pushdown systems,
Electronic Notes in Theoretical Computer Science, Vol. 9, Elsevier, Amsterdam, 2000.
[25] E. Gurari, O. Ibarra, The complexity of decision problems for finite-turn multicounter machines,
J. Comput. System Sci. 22 (1981) 220–229.
[26] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems,
Inform. Comput. 111 (1994) 193–244.
[27] T.A. Henzinger, Pei-Hsin Ho, HyTech: the Cornell hybrid technology tool, in: P.J. Antsaklis, W. Kohn,
A. Nerode, S. Sastry (Eds.), Hybrid Systems II, Lecture Notes in Computer Science, Vol. 999, Springer,
Berlin, 1995, pp. 265–294.
[28] O.H. Ibarra, Reversal-bounded multicounter machines and their decision problems, J. ACM 25 (1978)
116–133.
[29] O.H. Ibarra, T. Jiang, N. Tran, H. Wang, New decidability results concerning two-way counter machines,
SIAM J. Comput. 24 (1995) 123–137.
[30] F. Laroussinie, K.G. Larsen, C. Weise, From timed automata to logic—and back, MFCS’95, Lecture
Notes in Computer Science, Vol. 969, Springer, Berlin, 1995, pp. 529–539.
[31] K.G. Larsen, G. Behrmann, Ed Brinksma, A. Fehnker, T. Hune, P. Pettersson, J. Romijn, As cheap
as possible: efficient cost-optimal reachability for priced timed automata, CAV’01, Lecture Notes in
Computer Science, Vol. 2102, Springer, Berlin, 2001, pp. 493–505.
[32] K.G. Larsen, P. Pettersson, W. Yi, UPPAAL in a nutshell, Internat. J. Software Tools Technol. Transfer
1 (1997) 134–152.
[33] M.L. Minsky, Computation: Finite and Infinite Machines, Prentice-Hall, Englewood Cliffs, NJ, 1967.
[34] J. Raskin, P. Schobben, State clock logic: a decidable real-time logic, HART’97, Lecture Notes in
Computer Science, Vol. 1201, Springer, Berlin, 1997, pp. 33–47.
[35] T. Wilke, Specifying timed state sequences in powerful decidable logics and timed automata, Lecture
Notes in Computer Science, Vol. 863, Springer, Berlin, 1994, pp. 694–715.
[36] S. Yovine, Model checking timed automata, in: G. Rozenberg, F.W. Vaandrager (Eds.), Embedded
Systems’98, Lecture Notes in Computer Science, Vol. 1494, Springer, Berlin, 1998, pp. 114–152.
