Abstract We introduce the class of Interrupt Timed Automata (ITA), a subclass of hybrid automata well suited to the description of timed multi-task systems with interruptions in a single processor environment.
Introduction

Context
The model of timed automata (TA), introduced in [4] , has proved very successful due to the decidability of several important verification problems including reachability and model checking. A timed automaton consists of a finite automaton equipped with real valued variables, called clocks, which evolve synchronously with time, during the sojourn in states. When a discrete transition occurs, clocks can be tested by guards, which compare their values with constants, and reset. The decidability results were obtained through the construction of a finite partition of the state space into regions, leading to a finite graph which is time-abstract bisimilar to the original transition system, thus preserving reachability.
Consider several tasks executing on a single processor (possibly scheduled beforehand, although this step is beyond the scope of this paper). As a result, tasks are intertwined and may interrupt one another [37] . Since the behaviour of such systems may depend on the current execution times of the tasks, a timed model should measure these execution times, which involves clock suspension in case of interruptions. Unfortunately, timed automata lack this feature of clock suspension, hence more expressive models should be considered.
Hybrid automata (HA) have subsequently been proposed as an extension of timed automata [30] , with the aim to increase the expressive power of the model. In this model, clocks are replaced by variables which evolve according to a differential equation. Furthermore, guards consist of more general constraints on the variables and resets are extended into (possibly non deterministic) updates. This model is very expressive, but reachability is undecidable in HA. The simpler model obtained by allowing clocks to be stopped and resumed, stopwatch automata (SWA), would be sufficient to model task interruptions in a processor. However, reachability is also undecidable for SWA [18] . Many classes have been defined, between timed and hybrid automata, to obtain the decidability of this problem.
Task automata [23] and suspension automata [31] model explicitly the scheduling of processes. Some classes restrict the use of variation of clock rate in hybrid automata to achieve decidability. Examples of such classes are systems with piece-wise constant derivatives [6] , controlled real-time automata [21] . Guards may also be restricted, as in multi-rate or rectangular automata [3] , some integration graphs [26] , or polygonal hybrid systems [7] . Restricting reset may also lead to decidability as in the hybrid automata with strong resets [13] or initialized stopwatch automata [24] . O-minimal hybrid systems [28, 29] provide algebraic constraints on hybrid systems to yield decidability. Extensions of timed automata to release some constraints were also considered, as in some updatable timed automata [12] .
While untimed properties like reachability and LTL [33, 38] or CTL model checking [22, 34, 19] are useful for such models, real-time verification considers more precise requirements, for instance quantitative response-time properties. Therefore, timed extensions of these logics have been defined. In the case of linear time logics, verification of the most natural extension MTL [27] is undecidable on TA. However, several decidable fragments such as MITL [5] and SCL [35] have subsequently been defined. In the case of timed variants of branching time logics, different versions of Timed CTL (TCTL) [2, 25] have been defined. Model checking procedures on TA for both versions of TCTL have been developed and implemented in several tools [8, 15].
Contributions
In this paper, we define a subclass of hybrid automata, called Interrupt Timed Automata (ITA), well suited to the description of multi-task systems with interruptions in a single processor environment.
The ITA model. In an ITA, the finite set of control states is organized according to interrupt levels, ranging from 1 to n, with exactly one active clock for a given level. The clocks from lower levels are suspended and those from higher levels are not yet defined (thus have arbitrary value 0). On the transitions, guards are linear constraints using only clocks from the current level or the levels below and the relevant clocks can be updated by linear expressions, using clocks from lower levels. Finally, each state has a policy (lazy, urgent or delayed) that rules the sojourn time. This model is rather expressive since it combines variables with rate 1 or 0 (usually called stopwatches) and linear expressions for guards or updates. The ITA model is formally defined in Section 2.
Reachability problem. As said before, the reachability problem is undecidable for automata with stopwatches [24, 18, 16] . However, we prove that it is decidable for ITA.
More precisely, we first show that the untimed language of an ITA is effectively regular (Section 3). The corresponding procedure significantly extends the classical region construction of [4] by associating with each state a family of orderings over linear expressions. This construction yields a decision algorithm for reachability in 2-EXPTIME, and PTIME when the number of clocks is fixed. This should be compared to TA with 3 clocks, for which reachability is PSPACE-complete [20].
We define a slight restriction of the model, namely ITA − , which forbids updates of clocks other than the one of the current level. We prove that for any ITA one can build an equivalent ITA − w.r.t. language equivalence, whose size is at most exponential w.r.t. the size of the ITA and polynomial when the number of clocks is fixed. Based on the existence of a bound for the length of the minimal reachability path, we then show that reachability on ITA − can be decided in NEXPTIME without any class graph construction. This yields a NEXPTIME procedure for reachability in ITA (Section 4).
Model checking over ITA. We then focus on the verification of real time properties for ITA (Section 5), expressed in timed extensions of LTL and CTL.
First we show that the model checking of timed (linear time) logic MITL [5] is undecidable. Actually, even the fragment SCL [35] cannot be verified on ITA, while the corresponding verification problem over TA is PSPACE-complete.
We then consider two fragments of the timed (branching time) logic TCTL, introduced in [25] and also studied later from the expressiveness point of view [14] . The first one, TCTL int c , contains formulas involving comparisons of model clocks as atomic propositions. In this logic, it is possible to express properties like: (P1) a safe state is reached before spending 3 t.u. in handling some interruption. Decidability is obtained by a generalized class graph construction in 2-EXPTIME (PTIME if the number of clocks is fixed). Since the corresponding fragment cannot refer to global time, we consider a second fragment, TCTLp, in which we can reason on minimal or maximal delays. Properties like (P2) the system is error free for at least 50 t.u. or (P3) the system will reach a safe state within 7 t.u. can be expressed. In this case, the decidability procedure has a complexity in NEXPTIME for the existential fragment and 2-EXPTIME for the universal fragment (respectively NP and co-NP if the number of clocks is fixed).
Expressiveness. We also study the expressive power of the class ITA (Section 6), in comparison with the original model of timed automata and the more general controlled real-time automata (CRTA) proposed in [21] . In CRTA, clocks and states are colored and a time rate is associated with every state. During the visit of a state, all clocks colored by the color of the state evolve with the state rate while the others do not evolve. We prove that the corresponding families of languages ITL and TL, as well as ITL and CRTL, are incomparable. Additionally we show that ITL is neither closed under complementation nor under intersection.
Extensions. We finally investigate compositions of ITA and other timed models (Section 7). In the first composition, a synchronous product of an ITA and a TA, we prove that the reachability problem becomes undecidable. We then define a more appropriate product of ITA and CRTA. The CRTA part describes a basic task at an implicit additional level 0. For this extended model denoted by ITA + , we show that reachability is still decidable with the same complexity and in PSPACE when the number of clocks is fixed.
Interrupt Timed Automata
Notations
The sets of natural, rational and real numbers are denoted respectively by N, Q and R. A timed word over an alphabet Σ is a finite sequence w = (a_1, τ_1) ... (a_n, τ_n) where a_i is in Σ and (τ_i)_{1≤i≤n} is a non-decreasing sequence of real numbers. The length of w is n and the duration of w is τ_n. For a finite set X of clocks, a linear expression over X is a term of the form Σ_{x∈X} a_x·x + b where b and (a_x)_{x∈X} are in Q. We denote by C(X) the set of constraints obtained by conjunctions of atomic propositions of the form C ⊲⊳ 0, where C is a linear expression over X and ⊲⊳ ∈ {>, ≥, =, ≤, <}. The subset C_0(X) of C(X) contains constraints of the form x + b ⊲⊳ 0. An update over X is a conjunction (over X) of assignments of the form x := C_x, where x is a clock and C_x is a linear expression over X. The set of all updates over X is written U(X), with U_0(X) for the subset containing only assignments of the form x := 0 (reset) or of the form x := x (no update). For a linear expression C and an update u, the expression C[u] is obtained by "applying" u to C, i.e. substituting each x by C_x in C, if x := C_x is the update for x in u. For instance, for the set of two clocks X = {x_1, x_2}, expression C = x_2 − 2x_1 + 3 and update u defined by x_1 := 1 ∧ x_2 := 2x_1 + 1, applying u to C yields the expression C[u] = 2x_1 + 2.
A clock valuation is a mapping v : X → R, with 0 the valuation where all clocks have value 0. The set of all clock valuations is R X and we write v |= ϕ when valuation v satisfies the clock constraint ϕ ∈ C(X). For a valuation v, a linear expression C and an update u, the value v(C) is obtained by replacing each x in C by v(x) and the valuation v[u] is defined by v[u](x) = v(Cx) for x in X if x := Cx is the update for x in u. Observe that an update is performed simultaneously on all clocks. For instance, let X = {x 1 , x 2 , x 3 } be a set of three clocks. For valuation v = (2, 1.5, 3) and update u defined by x 1 := 1 ∧ x 2 := x 2 ∧ x 3 := 3x 2 − x 1 , applying u to v yields the valuation v[u] = (1, 1.5, 2.5).
Models of timed systems
The model of ITA is based on the principle of multi-task systems with interruptions, in a single processor environment. We consider a set of tasks with different priority levels, where a higher level task represents an interruption for a lower level task. At a given level, exactly one clock is active (rate 1), while the clocks for tasks of lower levels are suspended (rate 0), and the clocks for tasks of higher levels are not yet activated and thus contain value 0. The mechanism is illustrated in Fig. 1, where irrelevant clock values are greyed. An example of such behavior can be produced by the ITA depicted in Fig. 2, which describes a system that answers requests according to their priority. It starts by receiving a request for a main task of priority 1. The treatment of this task can be interrupted by tasks of priority 2 or 3, depending on how far the system is in the execution of the main task. Tasks of priority 2 and 3 may generate errors (modeled by an interruption of higher level), after which the system recovers. On this system, deciding whether it is possible, or always the case, that the main task is executed in less than a certain amount of time would give an insight into the quality of service of the system. Enabling of a transition depends on the clock valuation. The enabling conditions, called guards, are linear constraints on the clock values of levels lower than or equal to the current level: the ones that are relevant before the firing of the transition. Additionally, a transition can update the values of the clocks. If the transition decreases (resp. increases) the level, then each clock which is relevant after (resp. before) the transition can either be left unchanged or take a linear expression of clocks of strictly lower level.
Along with its level, each state has a timing policy which indicates whether time may (Lazy, default), may not (Urgent) or must (Delayed) elapse in the state. Note that in TA, this kind of policy can be enforced by an additional clock, while this is not possible here because there is a single clock per level. This additional feature is needed for the definition and further use of the model of ITA− (see Section 4). Note that the class graph construction of Section 3 is still valid without them.
[Fig. 2 fragment: guard 3 ≤ x_1 ≤ 5 with action answer prio1; action request prio1 with update x_1 := 0]
We also add a labeling of states with atomic propositions, in view of interpreting logic formulas on these automata. In the sequel, the level of a transition is the level of its source state. We also say that a transition is lazy (resp. urgent, delayed) if the policy of its source state is lazy (resp. urgent, delayed).
Definition 1 An interrupt timed automaton is a tuple A = ⟨Σ, AP, Q, q_0, F, pol, X, λ, lab, ∆⟩, where:
- Σ is a finite alphabet, AP is a set of atomic propositions,
- Q is a finite set of states, q_0 is the initial state, F ⊆ Q is the set of final states,
- pol : Q → {Lazy, Urgent, Delayed} is the timing policy of states,
- X = {x_1, ..., x_n} consists of n interrupt clocks,
- the mapping λ : Q → {1, ..., n} associates with each state its level and we call x_{λ(q)} the active clock in state q. The mapping lab : Q → 2^{AP} labels each state with a subset of AP of atomic propositions,
∆ be a transition with k = λ(q) and k′ = λ(q′). The guard ϕ is a conjunction of constraints Σ_{j=1}^{k} a_j x_j + b ⊲⊳ 0 (involving only clocks from levels less than or equal to k). The update u is of the form ∧_{i=1}^{n} x_i := C_i with:
A configuration (q, v, β) of the associated transition system consists of a state q of the ITA, a clock valuation v and a boolean value β expressing whether time has elapsed since the last discrete transition. This third component is needed to define the semantics according to the policies.
Definition 2
The semantics of an ITA A is defined by the (timed) transition system T_A = (S, s_0, →). The set S of configurations is {(q, v, β) | q ∈ Q, v ∈ R^X, β ∈ {⊤, ⊥}}, with initial configuration s_0 = (q_0, 0, ⊥). The relation → on S consists of two types of steps:
Time steps: Only the active clock in a state can evolve, all other clocks are suspended.
For a state q with active clock x λ(q) , a time step of duration d > 0 is defined by
for any other clock x. A time step of duration 0 leaves the system T_A in the same configuration. When pol(q) = Urgent, only time steps of duration 0 are allowed from q.
Discrete steps: A discrete step (q, v, β)
. When pol(q) = Delayed and β = ⊥, discrete steps are forbidden.
The labeling function lab is naturally extended to configurations by lab(q, v, β) = lab(q).
An ITA A 1 is depicted in Fig. 3 (a), with two interrupt levels (and two interrupt clocks). A geometric view is given in figure 3(b) , with a possible trajectory: first the value of x 1 increases from 0 in state q 0 (horizontal line) and, after transition a occurs, its value is frozen in state q 1 while x 2 increases (vertical line) until reaching the line
corresponds to the set of valuations reachable in state q_1 and from which state q_2 is reachable.
We now briefly recall the classical model of Timed Automata (TA) [4] as well as the model of Controlled Real-Time Automata (CRTA) [21]. Note that in both models, timing policies can be enforced by clock constraints.
Definition 3 A timed automaton is a tuple A = ⟨Σ, Q, q_0, F, X, ∆⟩, where Σ, Q, q_0, F are defined as in an ITA, X is a set of clocks and the set of transitions is ∆ ⊆ Q × C_0(X) × (Σ ∪ {ε}) × U_0(X) × Q, with guards in C_0(X) and updates in U_0(X).
The semantics of a timed automaton is also defined as a timed transition system, with the set Q × R X of configurations (no additional boolean value). Discrete steps are similar to those of ITA but in time steps, all clocks evolve with same rate 1:
Controlled Real-Time Automata extend TA with the following features: the clocks and the states are partitioned according to colors belonging to a set Ω, and a rational velocity is associated with every state. When time elapses in a state, the active clocks (i.e. those with the color of the state) evolve with rate equal to the velocity of the state while other clocks remain unchanged. For the sake of clarity, we now propose a slightly simplified version of CRTA.
Definition 4 A CRTA A = (Σ, Q, q 0 , F, X, up, low, vel, λ, ∆) on a finite set Ω of colors is defined by:
- Σ, the alphabet of actions,
- Q, the set of states, with q_0 ∈ Q the initial state and F ⊆ Q the set of final states,
- X the set of clocks,
- mappings up and low associating with each clock respectively an upper and a lower bound,
-vel : Q → Q the velocity mapping,
-λ : X ⊎ Q → Ω the coloring mapping and
- ∆ ⊆ Q × C_0(X) × (Σ ∪ {ε}) × U_0(X) × Q the set of transitions, with guards in C_0(X) and updates in U_0(X).
Moreover, the lower and upper bound mappings satisfy low(x) ≤ 0 ≤ up(x) for each clock x ∈ X, and low(x) ≤ b ≤ up(x) for each constant b such that x ⊲⊳ b is a constraint in A.
The original semantics of CRTA is rather involved in order to obtain decidability of the reachability problem. It ensures that, when entering a state q in which clock x is active, the following conditions on the clock bounds hold: if vel(q) > 0 then x ≥ low(x) and if vel(q) < 0 then x ≤ up(x). Instead (and equivalently) we add a syntactical restriction which ensures this behavior. For instance, if a transition with guard ϕ and reset u enters state q with vel(q) < 0 and if x is the only clock such that λ(x) = λ(q), then we replace this transition by two other transitions: the first one has guard ϕ ∧ x > up(x) and adds x := 0 to the reset condition u, the other has guard ϕ ∧ x ≤ up(x) and reset u. In the general case where k clocks have color λ(q), this leads to 2^k transitions. With this syntactical condition, again the only difference from ITA concerns a time step of
A run of an automaton A in ITA, TA or CRTA is a finite or infinite path in the associated timed transition system T A , where (possibly null) time steps and discrete steps alternate. An accepting run is a finite run starting in s 0 and ending in a configuration associated with a state of F . For such a run with label d 1 a 1 d 2 . . . dnan, we say that the word ( For instance, the language L 1 accepted by the ITA A 1 in Fig. 3(a) is
Languages of infinite timed words accepted by Büchi or Muller conditions could be studied but this analysis should address technical issues such as Zeno runs and infinite sequences of ε-transitions.
In the context of model-checking, we also consider maximal runs, which are either infinite or such that no discrete step is possible from the last configuration. The set of maximal runs starting from configuration s is denoted by Exec(s). Since maximal runs can be finite or infinite, we do not exclude Zeno behaviors. We use the notion of (totally ordered) positions (which allows considering several discrete actions simultaneously) along a maximal run [25]: for a run ρ, we denote by <_ρ the strict order over positions. For a position π along ρ, the corresponding configuration is denoted by s_π, the prefix of ρ up to π is written ρ_{≤π} and its duration, Dur(ρ_{≤π}), is the sum of all delays along the finite run ρ_{≤π}. Similarly, the suffix of ρ starting from π is denoted by ρ_{≥π}. For two positions π ≤_ρ π′, the subrun of ρ between these positions is written
The length of ρ, denoted by |ρ|, is the number of discrete transitions occurring in ρ.
Regularity of untimed ITL
We prove in this section that the untimed language of an ITA is regular. Similarly to TA (and to CRTA), the proof is based on the construction of a (finite) class graph which is time abstract bisimilar to the transition system T A . This result also holds for infinite words with standard Büchi conditions. As a consequence, we obtain decidability of the reachability problem, as well as decidability for plain CTL * model-checking.
The construction of classes is much more involved than in the case of TA. More precisely, it depends on the expressions occurring in the guards and updates of the automaton (while in TA it depends only on the maximal constant occurring in the guards). We associate with each state q a set of expressions Exp(q) with the following meaning. The values of clocks giving the same ordering of these expressions correspond to a class. In order to define Exp(q), we first build a family of sets {E_k}_{1≤k≤n}. Then Exp(q) = ∪_{k≤λ(q)} E_k (recall that λ(q) is the index of the active clock in state q). Finally in Theorem 1 we show how to build the class graph which proves the regularity of the untimed language. This immediately yields a reachability procedure given in Proposition 1.
Construction of {E k } k≤n
We first introduce an operation, called normalization, on expressions relative to some level. As explained in the construction below, this operation will be used to order expression values at a given level.
Since guards are linear expressions with rational constants, we can assume that in a guard C ⊲⊳ 0 occurring in a transition outgoing from a state q with level k, the expression C is either x_k + Σ_{i<k} a_i x_i + b (by k-normalizing the expression and if necessary changing the comparison operator) or Σ_{i<k} a_i x_i + b. It is thus written as αx_k + Σ_{i<k} a_i x_i + b, with α ∈ {0, 1}.
The construction of {E k } k≤n proceeds top down from level n to level 1 after initializing E k = {x k , 0} for all k. As we shall see below, when handling the level k, we add new terms to E i for 1 ≤ i ≤ k. These expressions are the ones needed to compute a (pre)order on the expressions in E k .
- At level k, first for every expression αx_k + Σ_{i<k} a_i x_i + b (with α ∈ {0, 1}) occurring in a guard of an edge leaving a state of level k, we add −Σ_{i<k} a_i x_i − b to E_k.
- Then we iterate the following procedure until no new term is added to any
is the expression obtained by applying update u to C).
arbitrary order between C and C ′ in order to avoid redundancy. Let us write
We illustrate this construction of expressions for the automaton A_1 of Fig. 3(a). Initially, we have E_1 = {0, x_1} and E_2 = {0, x_2}. When treating level 2, first, expression −(1/2)x_1 + 1 is added to E_2 as normalization of the guard x_1 + 2x_2 = 2. Then the transition labeled by a updates x_2 (by resetting it to 0). As a result, we have to add to E_1 all differences of expressions of E_2 updated by x_2 := 0. This only produces expression −(1/2)x_1 + 1 − 0 which is normalized into x_1 − 2; thus expression 2 is added to E_1. When treating level 1, expression 1 from the guard of transition a is added to E_1. As a result, we obtain E_1 = {x_1, 0, 1, 2} and E_2 = {x_2, 0, −(1/2)x_1 + 1}.
Proof Given some k, we prove the termination of the stage relative to k. Observe that the second step only adds new expressions to E_{k′} for k′ < k. Thus the two steps can be ordered. Let us prove the termination of the first step of the saturation procedure. We define E_k^0 as the set E_k at the beginning of this stage and E_k^i as this set after insertion of the i-th item in it. With each added item C[u] can be associated its father C. Thus we can view E_k as an increasing forest with finite degree (due to the finiteness of the edges) and finitely many roots. Assume that this step does not terminate. Then we have an infinite forest and by König's lemma, it has an infinite branch C_0, C_1, ... where
Observe that the number of updates that change the variable x_k is either 0 or 1 since once x_k disappears it cannot appear again. We split the branch into two parts, before and after this update, or we still consider the whole branch if there is no such update. In these (sub)branches, we conclude with the same reasoning that there is at most one update that changes the variable x_{k−1}. Iterating this process, we conclude that the number of updates is at most 2^k − 1 and the length of the branch is at most 2^k.
For the sake of readability, we set B = E + 2. The final size of E_k is thus at most |E_k^0| × B^{2^k} since the width of the forest is bounded by B.
In the second step, we add at most B × (|E k | × (|E k | − 1))/2 to E i for every i < k. This concludes the proof of termination.
We now prove by a painful backward induction that as soon as n ≥ 2, |E k | ≤ B 2 n(n−k+1) +1 . The doubly exponential size of En (proved above) is propagated downwards by the saturation procedure. We define p k = |E k |.
n where p 0 n is the number of guards of the outgoing edges from states of level n.
which is the claimed bound.
Inductive case. Assume that the bound holds for k < j ≤ n. Due to all executions of the second step of the procedure at strictly higher levels, p 0 k expressions were added to E k , with:
Taking into account the first step of the procedure for level k, we have:
Let us consider the term δ = 2
2 n(n−k+1) +1 which is the claimed bound. ⊓ ⊔
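The expression manipulation of Section 2 (C[u] and v[u]) and the normalization step of the construction above, as an added example that is not part of the paper: a small Python implementation of linear expressions over clocks, with update substitution, the simultaneous valuation update, and the k-normalization that yields the term added to E_k, replayed on the paper's own examples. The general rule of the second step (differences of expressions taken under an update) is reconstructed from the worked example for A_1, and the guard of transition a is taken as x_1 = 1; both are assumptions.

```python
from fractions import Fraction
from itertools import combinations
from typing import Dict, List, Set, Tuple

# A linear expression sum_x a_x*x + b over clocks x1..xn is stored as {i: coefficient};
# key 0 holds the constant b (the paper's convention that x0 is the constant 1).
Expr = Dict[int, Fraction]


def lin(terms: Dict[int, object]) -> Expr:
    """Build an expression, dropping zero coefficients so equal expressions compare equal."""
    return {i: Fraction(a) for i, a in terms.items() if Fraction(a) != 0}


def add(c: Expr, d: Expr, scale=1) -> Expr:
    """Return c + scale*d."""
    out = dict(c)
    for i, a in d.items():
        out[i] = out.get(i, Fraction(0)) + Fraction(scale) * a
    return lin(out)


def apply_update(c: Expr, u: Dict[int, Expr]) -> Expr:
    """C[u]: substitute every clock x_i in C by its update C_i (clocks absent from u keep x_i := x_i)."""
    out = lin({0: c.get(0, 0)})
    for i, a in c.items():
        if i != 0:
            out = add(out, u.get(i, lin({i: 1})), scale=a)
    return out


def evaluate(c: Expr, v: List[object]) -> Fraction:
    """v(C): replace each x_i by v[i-1] (v lists the clock values in the order x1, x2, ...)."""
    return sum((a * (Fraction(v[i - 1]) if i else 1) for i, a in c.items()), Fraction(0))


def update_valuation(v: List[object], u: Dict[int, Expr]) -> List[Fraction]:
    """v[u]: all clocks are updated simultaneously, from the values v had before the update."""
    return [evaluate(u.get(i, lin({i: 1})), v) for i in range(1, len(v) + 1)]


def normalize(c: Expr, k: int) -> Tuple[Expr, bool]:
    """k-normalize C: scale it so that the coefficient of x_k is 1 (or leave it when it is 0).
    Also returns whether the comparison operator of a guard C ⊲⊳ 0 must be reversed
    (scaling by a negative coefficient)."""
    a = c.get(k, Fraction(0))
    if a == 0:
        return lin(c), False
    return lin({i: b / a for i, b in c.items()}), a < 0


def guard_term(c: Expr, k: int) -> Expr:
    """For a level-k guard written alpha*x_k + sum_{i<k} a_i x_i + b ⊲⊳ 0 after normalization,
    the term added to E_k is -(sum_{i<k} a_i x_i + b): the value x_k (or 0) is compared with."""
    assert all(i <= k for i in c), "a level-k guard only involves clocks of level <= k"
    rest = {i: b for i, b in normalize(c, k)[0].items() if i != k}
    return add({}, rest, scale=-1)


def fmt(c: Expr) -> str:
    """Readable form, clocks of higher level first and the constant last, e.g. '-1/2*x1 + 1'."""
    if not c:
        return "0"
    parts = []
    for i in sorted(c, key=lambda j: (j == 0, -j)):
        a = c[i]
        if i == 0:
            parts.append(str(a))
        else:
            parts.append(("x" if a == 1 else "-x" if a == -1 else f"{a}*x") + str(i))
    return " + ".join(parts).replace("+ -", "- ")


def example_expression_sets() -> Tuple[Set[str], Set[str]]:
    """Rebuild E_1 and E_2 for the automaton A_1 of Fig. 3(a) from what the paper states:
    a level-2 guard x1 + 2*x2 = 2, the reset x2 := 0 on transition a, and a level-1 guard of a
    whose normalized term is 1 (taken here as x1 = 1, an assumption)."""
    E1: List[Expr] = [lin({1: 1}), lin({})]  # every E_k starts as {x_k, 0}
    E2: List[Expr] = [lin({2: 1}), lin({})]

    def insert(E: List[Expr], c: Expr) -> None:
        if c not in E:
            E.append(c)

    # Level 2, first step: the guard of the level-2 transition.
    insert(E2, guard_term(lin({1: 1, 2: 2, 0: -2}), 2))
    # Level 2, second step, reconstructed from the paper's worked example (assumption as to the
    # general rule): transition a resets x2, so each difference of two expressions of E_2, taken
    # under x2 := 0 and then 1-normalized, contributes its term to E_1.
    reset_x2 = {2: lin({})}
    for c, d in combinations(E2, 2):
        insert(E1, guard_term(apply_update(add(c, d, scale=-1), reset_x2), 1))
    # Level 1, first step: the guard of transition a (assumed to be x1 = 1).
    insert(E1, guard_term(lin({1: 1, 0: -1}), 1))
    return {fmt(c) for c in E1}, {fmt(c) for c in E2}
```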
Construction of the class automaton
In order to analyze the size of the class automaton defined below, we recall and adapt a classical result about partitions of n-dimensional Euclidean spaces.
Proof Observe that an extended region is a region belonging to an intersection of at most n hyperplanes (after removing redundant hyperplanes). Thus counting the number of such intersections and applying the previous proposition yields the following formula:
Theorem 1 The untimed language of an ITA is regular.
Proof First, we assume that the policy of every state is lazy. At the end of the proof, we explain how to adapt the construction for states with urgent or delayed policies.
Class definition. Let A be an ITA with E transitions and n clocks, the decision algorithm is based on the construction of a (finite) class graph which is time abstract bisimilar to the transition system T A . A class is a syntactical representation of a subset of reachable configurations. More precisely, it is defined as a pair R = (q, { k } 1≤k≤λ(q) ) where q is a state and k is a total preorder over
The class R describes the set of configurations:
The initial state of this graph is defined by the class R 0 with R 0 containing (q 0 , 0, ⊥) which can be straightforwardly determined. For example, for ITA A 1 of Fig. 3(a) , the initial class is R 0 = (q 0 , Z 0 ) with Z 0 :
Observe that fixing a state, the set of configurations R of a non empty class R is exactly an extended region associated with the hyperplanes defined by the comparison of two expressions of some E k . Since (E + 2) 2 n 2 +1 is an upper bound of the number of expressions of any level, m = (E + 2) 2 n 2 +1 +2 is an upper bound of the number of hyperplanes. So using Corollary 1, the number of semantically different classes for a given state is bounded by:
Since one can test semantic equality between classes in polynomial time w.r.t. their size [36], we implicitly consider, in the sequel of the proof, classes modulo semantic equivalence.
As usual, there are two kinds of transitions in the graph, corresponding to discrete steps and time steps.
. This can be decided as follows.
Firability condition. Write ϕ = j∈J C j ⊲⊳ j 0. Since we assumed normalized guards, for every j,
By definition of · ,
-If the firability condition is fulfilled then for each (q, v) ∈ R there exists (q
, the time successor of R, which is defined as follows. For every i < λ(q)
induced by the preorder. On equivalence classes, this (total) preorder becomes a (total) order. Let V be the equivalence class containing x λ(q) .
1. Either V = x λ(q) and it is the greatest equivalence class. Then
and it is not the greatest equivalence class. Let V ′ be the next equivalence class. Then ′ λ(q) is obtained by merging V and V ′ , and preserving λ(q) elsewhere. 3. Either V is not a singleton. Then we split V into V \ x λ(q) and x λ(q) and "extend"
We now explain how the policy is handled. Given a state q such that pol(q) = U, for every class R = (q, { k } 1≤k≤λ(q) ) we delete the time steps outgoing from R. The case of a state q such that pol(q) = D is a little more involved. First we partition classes into time open classes, where for every configuration of the class there exists a small amount of time elapse that leaves the new configuration in the same class, and time closed classes. The partition is performed w.r.t. the equivalence class V of x_{λ(q)} for the relation ∼ (see above in the proof). The class R is time open iff V = {x_{λ(q)}}. Then we successively replace every time closed class R by two copies R− and R+, which capture whether time has elapsed since the last discrete step. Thus, a time edge entering R is redirected towards R+ while a discrete edge entering R is redirected
Time open classes allow time elapsing, hence no splitting is required for these classes.
Since there is at most one time edge outgoing from a class, the number of edges of the new graph is at most twice the number of edges in the original graph. ⊓ ⊔
Proposition 2 The reachability problem for Interrupt Timed Automata is decidable and belongs to 2-EXPTIME, and to PTIME when the number of clocks is fixed.
Proof The reachability problem is solved by building the class graph and applying a standard reachability algorithm. Since the number of semantically different classes is at most doubly exponential in the size of the model and the semantic equivalence can be checked in polynomial time w.r.t. the size of the class (also doubly exponential), this leads to a 2-EXPTIME complexity. When the number of clocks is fixed, the size of the graph is at most polynomial w.r.t. the size of the problem, leading to a PTIME procedure. No complexity gain can be obtained by a non-deterministic search without building the graph since the size of the graph is only polynomial w.r.t. the size of a class. ⊓ ⊔
Remarks. This result should be contrasted with the similar one for TA. The reachability problem for TA is PSPACE-complete and thus less costly to solve than for ITA. However, fixing the number of clocks does not reduce the complexity for TA (when this number is greater than or equal to 3) while this problem belongs now to PTIME for ITA. Summarizing, the main source of complexity for ITA is the number of clocks, while in TA it is the binary encoding of the constants [20].
Since the construction of the graph depends on a set of expressions, there is no notion of granularity as in Timed Automata. When the only guards are comparisons to constants and the only updates resets of clocks (as in Timed Automata), the abstraction obtained is coarser than the region abstraction of [4] : it consists only in products of intervals.
Example
We illustrate this construction of a class automaton for the automaton A 1 of Fig. 3(a) . The resulting class automaton is depicted on Fig. 4 , where dashed lines indicate time steps.
Recall that we obtained
In state q 0 , the only relevant clock is x 1 and the initial class is R 0 = (q 0 , Z 0 ) with Z 0 :
Transition a leading to q_1 can be taken from both classes, but not from the next time successors
On the geometric view of Fig. 3(b), the displayed trajectory corresponds to the following path in the class automaton:
We introduce a restricted version of ITA, called ITA−, which is interesting both from a theoretical and a practical point of view. When modeling interruptions in real-time systems, the clock associated with some level measures the time spent in this level or, more generally, the time spent by some tasks at this level. Thus when going to a higher level, this clock is not updated until returning to this level. The ITA− model takes this feature into account. Moreover, it turns out that the reachability problem for ITA− can be solved more efficiently. This also provides a better complexity upper bound for the reachability problem on ITA (in the general case).
Definition 7
The subclass ITA− of ITA is defined by the following restriction on updates. For a transition $q \xrightarrow{\varphi, a, u}$
- updates are the resets of now irrelevant clocks;
Thus, complex updates appear only in transitions increasing the level, and only for the active clock of the transition level.
The proof of the following result is based on Propositions 3 and 5 proved in the next two sections.
Theorem 2
The reachability problem for ITA belongs to NEXPTIME.
Proof Given an ITA A with transitions of size E and constants coded over b bits, we build the ITA− A′ of Proposition 3. Then we apply to A′ the reachability procedure of Proposition 5. In this procedure, we consider paths of length bounded by (
where E′ is the number of transitions of
2 (as shown in the proof of Proposition 3), the length of the paths considered is bounded by

Proof Starting from an ITA $A = \langle \Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta \rangle$, the construction of the automaton A′ relies on memorizing, at a given level i and for every clock $x_j$ at a lower level, an expression depending on $x_1, \dots, x_{j-1}$ that corresponds to the delayed update of $x_j$. This expression is used later to replace the value of $x_j$ in guards, and to restore its correct value by an update after decreasing to level j.
To this aim we associate with every pair of levels $i \geq j$ a set of expressions $F_{i,j}$, inductively defined by:
$\mid e$ is the expression of an update of $x_j$ by an edge of level $i$ and $\forall k,\ e_k \in F_{i,k}\}$
We write $F_j = F_{n,j} = \bigcup_{i=j}^{n} F_{i,j}$. The set $F_j$ thus contains all expressions of updates of $x_j$ that appear at higher levels.
Although the number of expressions is syntactically doubly exponential w.r.t. the number of clocks, one can show that the number of distinct expressions is only singly exponential.
First we assume that the ITA A has only integral constants; the case of rational constants is handled at the end of the proof. It can be shown that every expression $e_k$ of $F_k$ can be written
with the convention that $x_0$ is the constant 1, where $sub(k)$ is the set of all (ordered) subsequences of $0, \dots, k-1$ and $\alpha_{j,i}$ is the coefficient of $x_i$ in some update of $x_j$.
For the family $\alpha$ of all integers $\alpha_{j,i}$, assume that these constants are coded over $b_\alpha$ bits each (including the sign of the coefficient). The expression $x_{i_0}$ can also be coded into an integer of $\log_2(n)$ bits (with a special symbol indicating that it is the expression of a clock rather than a constant). Let $b = \max(b_\alpha, \log_2(n) + 1)$ be the (maximal) number of bits used to code a coefficient. Then each term of the sum is a product of at most k such coefficients, and can therefore be coded with $kb$ bits. Summing at most $2^k$ such products yields an integer that can be coded over $kb + k$ bits. Thus there can be at most 2
Automaton A ′ is then defined as follows.
- The set of states is
with $pol(q^+, e_1, \dots, e_{i-1}) = pol(q)$ and $pol(q^-, e_1, \dots, e_i) = U$.
Note that the sequence is empty if $i = 1$. Moreover:
the states with first component $q^+$ for $q \in F$.
- Let $q \xrightarrow{\varphi, a, u}$
′ then for every $(q^+, e_1, \dots, e_{i-1})$ there is a transition $(q^+, e_1, \dots, e_{i-1})$
, update $u'$ contains only the trivial updates
$\xrightarrow{true,\ \varepsilon,\ x_i := e_i}$
In words, given a transition, the guard is modified according to these expressions. The modification of the update consists only in applying the update at the current level and recording the other updates in the expressions labeling the destination state. When the transition increases the level, the expression associated with a newly "frozen" clock ($x_j$ for $i \leq j < i'$) is the clock itself. The urgent states $(q^-, -)$ are introduced to handle the case of a transition that decreases the level. In this case, one reaches such a state, which also memorizes the expression of the clock at the current level. Note that the memorized expression can correspond to an update performed at any (higher) level. From this state a single transition must be taken (immediately), whose effect is to perform the update corresponding to the memorized expression. It is routine to check that the languages of the two automata are identical. Each transition of A is replaced by several transitions in A′, whose number is bounded by the number of expressions that can be attached to the source of the original transition. In addition, transitions decreasing the level are further "split" through states $(q^-, -)$. Thus the number $E'$ of transitions in A′ is bounded by
. This yields the exponential complexity for the number of transitions.
The case of the number of states is similar. When there are rational constants, assume each constant is coded as a pair (r, d) of numerator and denominator, each of r and d being coded over b bits. We compute the lcm δ of all denominators: since there are at most E constants (E, the size of ∆, accounts for the number of guards and updates), δ can be coded over $Eb$ bits. We consider the ITA $A_\delta$, which is A with all constants multiplied by δ. Thus a constant of $A_\delta$ is an integer that can be coded over
The above bound on the number of expressions applies to $A_\delta$. Note that after the construction of A

The translation above of an ITA into an equivalent ITA− induces an exponential blowup. The proposition below shows that this bound is reached.
Proposition 4 There exists a family $\{A_n\}_{n \in \mathbb{N}}$ of ITA with two states, n clocks and constants coded over b bits, where b is polynomial in n, such that the equivalent ITA− built by the procedure above has a number of states greater than or equal to $2^n$.
Proof For $n \in \mathbb{N}$, let $A_n$ be the ITA with n clocks and two states $q_{init}$ (initial) and q (final), both of level n (and with lazy policy), built as follows. There is a transition from $q_{init}$ to q with update $x_1 := 1, \dots, x_n := 1$ that sets all clocks to 1. For $1 \leq k \leq n$ there are two loops on q with updates $x_k := x_{k-1}$ and $x_k := \alpha_k x_{k-1}$ respectively, where $\alpha_k$ is the k-th prime number (with the convention that $x_0$ is the constant 1).
When building the sets of expressions, no expressions are added until level n, since all updates occur at this level. At level k, $F_{n,k}$ contains (at least) $2^k$ expressions: all possible products of the first k prime numbers, namely
Indeed, at level 1, $F_{n,1} = \{x_1, 1, 2\}$. Now assume that $F_{n,k-1}$ contains all products $\prod_{i \in I} \alpha_i$ where $I \subseteq \{1, \dots, k-1\}$. By update
The expressions thus built are distinct, since they are products of distinct prime numbers. Remark that the set of expressions for level k is in bijection with a sequence of updates $x_1 := \dots,\ x_2 := \dots,\ \dots,\ x_k := \dots$, the choice of each update depending on the choice of the set I.
Therefore all expressions of $F_{n,n}$ are reached (in association with state q), and the set of states of $A'_n$ is at least of size $2^n$. In addition, note that the n-th prime number is in $O(n \log_2(n))$, and can therefore be coded over $O(\log_2(n)^2)$ bits. So the size of the constants appearing in the updates (and the size of the representation of $A_n$) is polynomial in n, while the representation of $A'_n$ is exponential in n.
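The blowup of Proposition 4 can be reproduced mechanically. The Python script below is an added example, not code from the paper: it represents update expressions as maps from clock indices to rational coefficients (index 0 standing for the constant $x_0 = 1$), builds the sets $F_{n,k}$ level by level by substituting, for each clock occurring in an update expression, every expression already computed for that clock (this reading of the inductive definition of $F_{i,j}$, with all edges at level n as in $A_n$, is an assumption of the example), and then counts the constant expressions obtained for $A_n$. Function names and the dictionary encoding are choices of this example.

```python
from fractions import Fraction
from itertools import product

# A linear expression over clocks x_1..x_n is a dict {index: coefficient};
# index 0 stands for the constant 1 (the paper's convention x_0 = 1).
# Expressions are normalised to sorted tuples so that they can be put in sets.

def normalize(expr):
    return tuple(sorted((i, Fraction(c)) for i, c in expr.items() if c != 0))

def substitute(expr, env):
    """Replace every clock x_k (k >= 1) occurring in expr by the expression env[k]."""
    out = {}
    for i, c in expr:
        replacement = ((0, Fraction(1)),) if i == 0 else env[i]
        for j, d in replacement:
            out[j] = out.get(j, Fraction(0)) + c * d
    return normalize(out)

def expression_sets(n, updates):
    """Build F[1..n] for an ITA whose updates (j, expr) all sit at level n.

    F[j] holds the clock x_j itself plus every update expression of x_j in which
    each lower clock x_k has been replaced by any element of F[k]: the delayed
    update bookkeeping of the ITA -> ITA- translation (assumed reading).
    """
    F = {}
    for j in range(1, n + 1):
        F[j] = {normalize({j: 1})}
        for k, expr in updates:
            if k != j:
                continue
            e = normalize(expr)
            clocks_in_e = [i for i, _ in e if i >= 1]
            # Only clocks actually occurring in e need instantiating; the syntactic
            # product over all of F[1..j-1] is much larger (doubly exponential).
            for choice in product(*[sorted(F[i]) for i in clocks_in_e]):
                F[j].add(substitute(e, dict(zip(clocks_in_e, choice))))
    return F

def first_primes(n):
    """The first n prime numbers by trial division (n is small here)."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes

def a_n_updates(n):
    """Updates of the automaton A_n of Proposition 4: x_k := 1 on the initial
    transition, and the two loops x_k := x_{k-1} and x_k := alpha_k * x_{k-1}."""
    alphas = first_primes(n)
    updates = [(k, {0: 1}) for k in range(1, n + 1)]
    for k in range(1, n + 1):
        updates.append((k, {k - 1: 1}))
        updates.append((k, {k - 1: alphas[k - 1]}))
    return updates

def constant_expressions(F, j):
    """The expressions of F[j] mentioning no clock, i.e. plain constants."""
    return sorted(c for e in F[j] for i, c in e if i == 0 and len(e) == 1)

def state_lower_bound(n):
    """Distinct constant expressions memorised for x_n in A'_n: at least 2^n."""
    return len(constant_expressions(expression_sets(n, a_n_updates(n)), n))

if __name__ == "__main__":
    F = expression_sets(3, a_n_updates(3))
    print(constant_expressions(F, 3))   # products of subsets of {2, 3, 5}
    print(state_lower_bound(4))         # 16 = 2^4
```

The constants reached for $x_3$ are exactly the products of subsets of $\{2, 3, 5\}$, eight of them, and the count doubles with every additional clock while the input automaton only grows by two loops and one slightly larger prime.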
Reachability on ITA−
In this section we use counting arguments to obtain an upper bound for the reachability problem on ITA − . The following counting lemma does not depend on the effect of the updates but only on the timing constraints induced by the policies.
Lemma 2 (Counting Lemma) Let A be an ITA− with E transitions and n clocks. Then in any sequence $(e_1, \dots, e_l)$ of transitions of A with $l > (E + n)^{3n}$, there exist $i < j$ with $e_i = e_j$ such that the level of every transition $e_k$ with $i \leq k \leq j$ is greater than or equal to the level of $e_i$, say p, and:
- either $e_i$ updates $x_p$,
- or no $e_k$ with $i \leq k \leq j$ updates $x_p$ and $e_i$ is delayed or lazy,
- or no $e_k$ with $i \leq k \leq j$ updates $x_p$ and no time elapses for clock $x_p$ between $e_i$ and $e_j$.
Proof Assume that the conclusions of the lemma are not satisfied; we claim that $l \leq (E + n)^{3n}$.
First we prove that the number of transitions of level m that occur between two occurrences of transitions of strictly lower level is at most $(E + 1)^3$. Indeed, there can be no more than E occurrences of transitions that update $x_m$. Then between two such transitions (or before the first or after the last) there can be no more than E lazy or delayed transitions of level m that do not update $x_m$. Finally, between any two of the previous transitions (or before the first or after the last), there can be no more than E urgent transitions that do not update $x_m$, since they prevent time from elapsing at level m. Summing up, there can be no more than $E + E(E+1) + E(E(E+1)+1) \leq (E+1)^3$ transitions of level m between two occurrences of transitions of strictly lower level.

Now we prove by induction that the number of transitions at level less than or equal to m is at most $(E + m)^{3m}$. This is true for m = 1 by the previous argument.
Assume the formula valid for m. Then, grouping the transitions of level m + 1 between the occurrences of transitions of lower level (or before the first or after the last), we obtain that the number of transitions at levels less than or equal to m + 1 is at most:

Proof Let $A = (\Sigma, Q, q_0, F, pol, X, \lambda, \Delta)$ be an ITA− with n clocks and let $E = |\Delta|$ be its number of transitions. Assume that there is a run ρ of minimal length from $(q_0, v_0)$ to some configuration $(q_f, v_f)$, and suppose that $|\rho| > B = (E + n)^{3n}$. We build a run ρ′ from $(q_0, v_0)$ to $(q_f, v_f)$ that is strictly shorter, contradicting the minimality hypothesis. Since $|\rho| > B$, one of the three cases of Lemma 2 applies. Therefore there is a transition e at level k repeated twice, at positions π and π′, separated by a subrun σ containing only transitions of level greater than or equal to k. Moreover:

The decision procedure is as follows. It non-deterministically guesses a path in the ITA− whose length is at most the bound. In order to check that this path yields a run, it builds a linear program whose variables are the $x_i^j$, where $x_i^j$ is the value of clock $x_i$ after the j-th step, and the $d_j$, where $d_j$ is the amount of time elapsed during the j-th step when that step is a time step. The equations and inequalities are deduced from the guards and updates of the discrete transitions of the path and from the delays of the time steps. The size of this linear program is exponential w.r.t. the size of the ITA−. As a linear program can be solved in polynomial time [36], we obtain a procedure in NEXPTIME. □

One might wonder whether the class graph construction would lead to a better complexity when applied to ITA−. Unfortunately, the number of expressions occurring in the class graph, while smaller than for ITA, is still doubly exponential w.r.t. the size of the model.
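The linear program of this decision procedure can be written down explicitly. The Python script below is an added example, not code from the paper: it takes a guessed path (discrete steps with their guards and updates, time steps with the level at which time elapses), keeps each clock value $x_i^j$ as a linear form in the step delays $d_j$ so that the delays are the only unknowns, and decides feasibility of the resulting inequalities by Fourier-Motzkin elimination over rationals (an exact but worst-case exponential substitute for the polynomial-time LP solver of [36]). The two paths at the end are constructed for this example; their guards reuse the two guards the page cites for $A_1$ ($x_1 < 1$ on the edge leaving level 1 and $x_1 + 2x_2 = 2$ on the edge at level 2), with state levels and the initial valuation assumed.

```python
from fractions import Fraction

# A linear form is a dict {name: Fraction}; key "1" holds the constant term.
# Clock values along a guessed path are linear forms in the delays d0, d1, ...

def lin(const=0, **coefs):
    form = {"1": Fraction(const)}
    form.update({name: Fraction(c) for name, c in coefs.items()})
    return form

def add(a, b, scale=1):
    """a + scale*b, dropping zero coefficients (the constant key is always kept)."""
    out = dict(a)
    for name, c in b.items():
        out[name] = out.get(name, Fraction(0)) + Fraction(scale) * c
    return {name: c for name, c in out.items() if c != 0 or name == "1"}

def evaluate(expr, clocks):
    """Instantiate an expression {clock index: coefficient} (index 0 = constant 1)
    in the current symbolic clock valuation."""
    out = lin()
    for i, c in expr.items():
        out = add(out, lin(1) if i == 0 else clocks[i], c)
    return out

def guard_constraints(guard, clocks):
    """Each guard atom (lhs, rel, rhs) becomes constraints (form, strict)
    read as form <= 0, or form < 0 when strict."""
    cons = []
    for lhs, rel, rhs in guard:
        diff = add(evaluate(lhs, clocks), evaluate(rhs, clocks), -1)  # lhs - rhs
        if rel in ("<", "<="):
            cons.append((diff, rel == "<"))
        elif rel in (">", ">="):
            cons.append((add(lin(), diff, -1), rel == ">"))
        else:  # equality: two non-strict inequalities
            cons.append((diff, False))
            cons.append((add(lin(), diff, -1), False))
    return cons

def path_constraints(n, steps):
    """Encode a guessed path; steps are ("delay", level) or
    ("edge", target_level, guard, updates). All clocks start at 0.
    Time elapses only on the active clock of the current level; after an edge,
    clocks above the target level are irrelevant and reset to 0."""
    clocks = {i: lin() for i in range(1, n + 1)}
    cons = []
    for j, step in enumerate(steps):
        if step[0] == "delay":
            d = "d%d" % j
            cons.append((lin(**{d: -1}), False))            # d_j >= 0
            clocks[step[1]] = add(clocks[step[1]], lin(**{d: 1}))
        else:
            _, target, guard, updates = step
            cons += guard_constraints(guard, clocks)         # guard read before update
            new = dict(clocks)
            for i, expr in updates.items():
                new[i] = evaluate(expr, clocks)              # simultaneous updates
            for i in range(target + 1, n + 1):
                new[i] = lin()
            clocks = new
    return cons

def feasible(cons):
    """Fourier-Motzkin elimination: True iff the constraints have a rational solution."""
    cons = list(cons)
    while True:
        names = {v for form, _ in cons for v in form if v != "1"}
        if not names:
            return all(form["1"] < 0 if strict else form["1"] <= 0
                       for form, strict in cons)
        x = min(names)
        pos = [(f, s) for f, s in cons if f.get(x, 0) > 0]
        neg = [(f, s) for f, s in cons if f.get(x, 0) < 0]
        rest = [(f, s) for f, s in cons if f.get(x, 0) == 0]
        for fp, sp in pos:
            for fn, sn in neg:
                # a*x + p <= 0 (a > 0) and -b*x + q <= 0 (b > 0) give b*p + a*q <= 0
                comb = add({v: c * (-fn[x]) for v, c in fp.items()},
                           {v: c * fp[x] for v, c in fn.items()})
                rest.append((comb, sp or sn))
        cons = rest

# Constructed two-level path: guard x1 < 1 on the level-1 edge, x1 + 2 x2 = 2 at level 2.
FEASIBLE_PATH = [("delay", 1), ("edge", 2, [({1: 1}, "<", {0: 1})], {2: {0: 0}}),
                 ("delay", 2), ("edge", 2, [({1: 1, 2: 2}, "=", {0: 2})], {})]
# Same shape, but the guards demand x1 >= 1 and x2 > 1 as well: no delays fit.
INFEASIBLE_PATH = [("delay", 1), ("edge", 2, [({1: 1}, ">=", {0: 1})], {2: {0: 0}}),
                   ("delay", 2), ("edge", 2, [({1: 1, 2: 2}, "=", {0: 2}),
                                              ({2: 1}, ">", {0: 1})], {})]

def check_path(n, steps):
    return feasible(path_constraints(n, steps))

if __name__ == "__main__":
    print(check_path(2, FEASIBLE_PATH), check_path(2, INFEASIBLE_PATH))  # True False
```

Because every $x_i^j$ is expressed through the delays of the earlier time steps, the equalities of the paper's program are substituted away and only inequalities over the $d_j$ remain, which is exactly what the elimination decides.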
Timed model-checking
First observe that model-checking CTL * formulas on ITA can be done with classical procedures on the class graph previously built. We now consider verification of real time formulas.
In the case of linear time, the logic LTL has been extended into the Metric Temporal Logic (MTL) [27] by adding time intervals as constraints to the U modality. However, MTL suffers from undecidability of the model-checking problem on TA. Hence decidable fragments have been proposed, such as Metric Interval Temporal Logic (MITL) [5], which prohibits the use of point intervals (of the form [a, a]). Later, MITL was restricted into State Clock Logic (SCL) [35] in order to obtain more efficient verification procedures. Model-checking MITL (thus SCL) on TA is decidable. Unfortunately, we show here that model-checking SCL (thus MITL) on ITA is undecidable. For this, we reduce the halting problem for two-counter machines to model-checking an SCL formula on an ITA.
Concerning branching time logics, at least two different timed extensions of CTL have been proposed. The first one [2] also adds time intervals to the U modality while the (more expressive) second one considers formula clocks [25] . Model-checking timed automata was proved decidable in both cases and compared expressiveness was revisited later on [14] .
We conjecture that model-checking TCTL is undecidable when using two (or more) formula clocks. Indeed, as shown in Section 7.1, the reachability problem in a product of an ITA and a TA with two clocks is undecidable, thus prohibiting model-checking techniques through automaton product and reachability testing as in [1]. However, contrary to what is claimed in [10], this is not enough to yield an undecidability proof.
Two fragments for which model-checking is decidable on ITA have nonetheless been identified. The first one, $TCTL_c^{int}$, accepts only internal clocks (those of the automaton on which the formulas are evaluated) as formula clocks. The second one, $TCTL_p$, restricts the nesting of U modalities. We provide verification procedures in both cases.
Undecidability of State Clock Logic
We first consider the timed extension of linear temporal logic, and more particularly the SCL fragment [35] .
Definition 8 Formulas of the timed logic SCL are defined by the following grammar:
where $p \in AP$ is an atomic proposition, $\bowtie \in \{>, \geq, =, \leq, <\}$, and a is a rational number.
We use the usual shorthands: t for $\neg(p \wedge \neg p)$, $F\psi$ for $t\,U\,\psi$, $G\psi$ for $\neg(F\neg\psi)$ and $\varphi \Rightarrow \psi$ for $\neg(\varphi \wedge \neg\psi)$.
The semantics is defined in the usual manner for boolean operators and U. The S modality is the past version of U. The prediction modality $\triangleright_{\bowtie a}\psi$ is true if the next time ψ is true occurs after a delay that respects the condition $\bowtie a$. Similarly, the history modality $\triangleleft_{\bowtie a}\psi$ is true if the last time ψ was true occurred after a (past) delay that respects the condition $\bowtie a$. More formally, for an execution ρ, we inductively define $(\rho, \pi) \models \varphi$ by:
Given an ITA A and an SCL formula ϕ, $A \models \varphi$ if for all executions ρ of A, $(\rho, \pi_0) \models \varphi$, where $\pi_0 = 0$ is the initial position of ρ.

Proof We build an ITA and an SCL formula that together simulate a deterministic two-counter machine. More specifically, we define a formula $\varphi_{2cm}$ such that, given a two-counter machine M, we can build an ITA $A_M$ with three clocks such that $A_M \models \varphi_{2cm}$ if and only if M does not halt.
Recall that such a machine M consists of a finite sequence of labeled instructions, which handle two counters c and d, and ends at a special instruction with label Halt. The other instructions have one of the two forms below, where $e \in \{c, d\}$ represents one of the two counters:
- $e := e + 1$; goto ℓ′
- if $e > 0$ then ($e := e - 1$; goto ℓ′) else goto ℓ′′
Without loss of generality, we may assume that the counters have initial value zero. The behavior of the machine is described by a (possibly infinite) sequence of configurations $\langle \ell_0, 0, 0 \rangle\, \langle \ell_1, n_1, p_1 \rangle \dots \langle \ell_i, n_i, p_i \rangle \dots$, where $n_i$ and $p_i$ are the respective counter values and $\ell_i$ is the label after the i-th instruction. The problem of termination for such a machine ("is the Halt label reached?") is known to be undecidable [32].

The idea of the encoding is that, provided the execution satisfies the formula, the clocks of levels 1 and 2 keep the values of c and d indifferently, by $x_i = \frac{1}{2^n}$ if n is the value of a counter e. Level 3 is used as the working level. Transmitting the value of clocks to lower levels, which is prohibited in the ITA model, is enforced by SCL formulas. In the sequel, we define:
- a module $A_\leftrightarrow$ and a formula $\varphi_\leftrightarrow$ such that the values contained in clocks $x_1$ and $x_2$ at the beginning of an execution ρ are swapped if and only if $(\rho, 0) \models \varphi_\leftrightarrow$,
- a module $A_+$ and a formula $\varphi_+$ such that if the value of $x_2$ is $\frac{1}{2^n}$ at the beginning of an execution ρ, then $x_2$ has value

Swapping module. The module $A_\leftrightarrow$ that swaps the values of $x_1$ and $x_2$ is depicted in Fig. 7. Note that this module does not actually swap the values of $x_1$ and $x_2$ for every execution. However, by imposing that state $q_{end}$ is reached exactly 2 time units after $q_0$ (or $q'_0$) was left, and that $q_4$ (resp. $q'_4$) is reached exactly 1 t.u. after $q_1$ (resp. $q'_1$) was left, the values of $x_1$ and $x_2$ are swapped. This requirement is expressed in SCL by $\varphi_\leftrightarrow = G(Span_1 \wedge Span_2)$. Let $w_i$ be the time elapsed in state $q_i$ for an execution ρ of $A_\leftrightarrow$ that satisfies $\varphi_\leftrightarrow$. Note that $q_{start}$ and $q_{end}$ are both urgent, hence no time can elapse in these states. We shall therefore consider only what happens in the swapping submodules. We detail only the case $x_2 > x_1$; the case $x_2 < x_1$ is analogous. The ITA constraints provide:
(update $x_3 := x_1$ and guard
The time spent between the last instant q was satisfied (upon leaving $q_1$) and the only instant when q′ is true (upon entering $q_4$) is exactly the time spent in states $q_2$ and $q_3$. Similarly, the time between the last instant p was satisfied (leaving $q_0$) and the instant p′ is true (when reaching $q_{end}$) is the total amount of time spent in $q_1$, $q_2$, $q_3$, $q_4$ and $q_5$. Hence, if $\varphi_\leftrightarrow$ is satisfied then:

Incrementation module. The same idea applies to the incrementation module $A_+$ of Fig. 8. We force the total time spent in $r_1$ and $r_2$ to be one, expressed in SCL by $\varphi_+ = G\,Span_1$. The guards and updates in $A_+$ ensure that, with the same notation as above, the time spent in $r_1$ is $1 - \frac{1}{2^{n+1}}$, thus coding the value n + 1 for the same counter.

Decrementation module. Decrementation, whose module is depicted in Fig. 9, is handled in a similar manner (with $\varphi_- = \varphi_+ = G\,Span_1$). The only difference is that $x_2$ has to be compared to 1 in order to test whether the value of the counter encoded by $x_2$ is 0.

Fig. 7 Swapping module $A_\leftrightarrow$; panel (c) shows the swapping submodule for $x_2 < x_1$. Submodules are connected through identical states (q
Since the constraints in $Span_1$ (and $Span_2$) are equalities, they can be satisfied only if q′ (and p′) are true at a single point in time.
Automaton A M is then defined as the concatenation of modules according to M. For clarity, a state (q, ℓ) denotes state q in a module corresponding to instruction ℓ.
Namely, an instruction ℓ incrementing c and going to ℓ′ is an incrementation module with a transition from $(r_3, \ell)$ to the first state of the module corresponding to ℓ′. The Halt instruction is encoded by a single state h labeled with {h}. The initial state of the automaton is a new state Init of level 3. It has urgent policy and satisfies no atomic proposition. State Init is linked to the first state of the module corresponding to $\ell_0$, the initial instruction of M, by a transition that updates both $x_1$ and $x_2$ to 1, simulating the initialization of both counters to 0.
Let us define the formula $\varphi_{2cm} = F(\neg Span_1 \vee \neg Span_2) \vee G\,\neg h$. An execution ρ of $A_M$ satisfies $\varphi_{2cm}$ if either it violates at some point a constraint $Span_i$, which means that ρ does not correspond to an execution of M, or ρ never reaches state h, which means that the execution of M does not halt.
If M has a halting execution, then it can be converted into an execution ρ that complies with the $Span_i$ constraints and reaches the final state h. Hence $\rho \not\models \varphi_{2cm}$ and $A_M \not\models \varphi_{2cm}$.
Conversely, if $A_M \not\models \varphi_{2cm}$, then consider an execution ρ that does not satisfy $\varphi_{2cm}$. Execution ρ both reaches h and complies with the $Span_i$ constraints, hence encodes a halting execution of M.
As a result, M has no halting execution if and only if $A_M \models \varphi_{2cm}$.
Remark that this formula does not have nested history or prediction modalities ($\triangleleft_{\bowtie a}$ and $\triangleright_{\bowtie a}$). Hence SCL with a discrete semantics (evaluating the subformulas only upon entering a state) would also be undecidable. □
Model-checking branching time properties with internal clocks
In this section we consider the extension of CTL with model clocks, the corresponding fragment being denoted $TCTL_c^{int}$. Such a logic allows reasoning about the sojourn times in the different levels, which is quite useful when designing real-time operating systems. For example, the formula $A\,(x_2 \leq 3)\,U\,safe$ expresses that all executions reach a safe state while spending at most 3 time units in level 2 (assuming $x_2$ is not updated during the execution). Model-checking is achieved by adapting the class graph construction for untiming ITA (Section 3) and adding information relevant to the formula. The problem is thus reduced to a CTL model-checking problem on this graph.
Definition 9
Formulas of the timed logic $TCTL_c^{int}$ are defined by the following grammar:
where $p \in AP$ is an atomic proposition, the $x_i$ are model clocks, the $a_i$ and b are rational numbers such that $(a_i)_{i \geq 1}$ has finite domain, and $\bowtie \in \{>, \geq, =, \leq, <\}$.
As before we use the classical shorthands F, G and the boolean operators. Let $A = \langle \Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta \rangle$ be an interrupt timed automaton; the satisfaction relation $\models$ is defined as follows on the transition system $T_A$ associated with A. For atomic propositions and a configuration $s = (q, v, \beta)$, with $lab(s) = lab(q)$:
and inductively:
The automaton A satisfies ψ if the initial configuration s 0 of T A satisfies ψ.
Theorem 4 Model checking $TCTL_c^{int}$ on interrupt timed automata can be done in 2-EXPTIME, and in PTIME when the number of clocks is fixed.
The proof relies on a refinement of the class graph according to the comparisons in the formula to model-check. It is detailed in Appendix A and we show the resulting graph on an example below.
Example. Consider the ITA $A_1$ (Fig. 3(a)) and the formula $\varphi_1 = E\,F(q_1 \wedge (x_2 > x_1))$. We assume that $q_1$ is a propositional property true only in state $q_1$. Initially, the sets of expressions are $E_1 = \{x_1, 0\}$ and $E_2 = \{x_2, 0\}$. First the expression $-\frac12 x_1 + 1$ is added to $E_2$, since $x_1 + 2x_2 = 2$ appears in the guard of the transition from $q_1$ to $q_2$. Then the expression 1 is added to $E_1$, because $x_1 - 1 < 0$ appears in the guard of the transition from $q_0$ to $q_1$. Finally the expression $x_1$ is added to $E_2$, since $x_2 - x_1 > 0$ appears in $\varphi_1$. The iterative part of the procedure goes as follows. Since there is a transition from $q_0$, of level 1, to state $q_1$, of level 2, we compute all differences between expressions of $E_2$, then normalize them:
• $x_1 - 0$ and $x_2 - 0$ yield no new expression.
• $x_2 - (-\frac12 x_1 + 1)$ and $x_1$.
The class graph G corresponding to $A_1$ and $\varphi_1$ is depicted in Fig. 10. Note that we replaced $x_1$ by its value, since it is not changed by any update at level 2. Some of the time zone notations used in G are displayed in Table 2. In the class graph, states where the comparison $x_2 > x_1$ is true are greyed. Among these, the ones whose class corresponds to state $q_1$ are doubly circled, i.e. states in which $q_1 \wedge (x_2 > x_1)$ is true. Applying the standard CTL model-checking procedure on this graph, one can prove that one of these states is reachable, hence that $\varphi_1$ is true on $A_1$.
Model-checking TCTL with subscript
Note that in $TCTL_c^{int}$ it is not possible to reason about time evolution independently of the level in which actions are performed. For example, the properties (P2) "the system is error free for at least 50 t.u." and (P3) "the system will reach a safe state within 7 t.u." involve global time. In order to verify such properties, we introduce the fragment $TCTL_p$. This fragment is expressive enough to state constraints on the earliest (and latest) execution time of particular sequences, like those reaching a recovery state after a crash. $TCTL_p$ is the set of formulas where the satisfaction of an until modality over propositions can be parameterized by a restricted form of time intervals. The properties given in the introduction can be expressed by $TCTL_p$ formulas as follows. Property P2, the system is error free for at least 50 t.u., corresponds to $A\,(\neg error)\,U_{\geq 50}\,t$, while property P3, the system will reach a safe state within 7 t.u., is expressed by $A\,F_{\leq 7}\,safe$.
Formulas of TCTLp are again interpreted over configurations of the transition system associated with an ITA. For configuration s = (q, v, β), with lab(s) = lab(q), the inductive definition is as follows:
- $s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$
- $s \models \neg\varphi$ iff $s \not\models \varphi$
- $s \models A\,\varphi_p\,U_{\bowtie a}\,\psi_p$ iff every execution $\rho \in Exec(s)$ satisfies $\rho \models \varphi_p\,U_{\bowtie a}\,\psi_p$
- $s \models E\,\varphi_p\,U_{\bowtie a}\,\psi_p$ iff there exists an execution $\rho \in Exec(s)$ such that $\rho \models \varphi_p\,U_{\bowtie a}\,\psi_p$
where $\rho \models \varphi_p\,U_{\bowtie a}\,\psi_p$ iff there exists a position π along ρ such that $Dur(\rho_{\leq \pi}) \bowtie a$, $s_\pi \models \psi_p$, and for every position $\pi' <_\rho \pi$, $s_{\pi'} \models \varphi_p$.
We now prove that:
Theorem 5 Model checking TCTLp on ITA is decidable.
The proof consists in establishing procedures dedicated to the four different subcases:
- $E\,p\,U_{\leq a}\,r$ and $E\,p\,U_{<a}\,r$ (Proposition 6),
- $E\,p\,U_{\geq a}\,r$ and $E\,p\,U_{>a}\,r$ (Proposition 7),
- $A\,p\,U_{\geq a}\,r$ and $A\,p\,U_{>a}\,r$ (Proposition 8),
- $A\,p\,U_{\leq a}\,r$ and $A\,p\,U_{<a}\,r$ (Proposition 9),
where p and r are boolean combinations of atomic propositions.
Proposition 6 Model checking formulas $E\,p\,U_{\leq a}\,r$ and $E\,p\,U_{<a}\,r$ over ITA is decidable in NEXPTIME, and in NP if the number of clocks is fixed.
Proof First consider the case of ITA−. Both formulas are variants of reachability with an added time bound, so the proof is similar to that of Proposition 5. Again using Lemma 2 on an ITA− with E transitions, we can look for a run satisfying one of these formulas and of length bounded by $B = (E + n)^{3n}$, because longer runs can be shortened while preserving the property. Thus the decision procedure again consists in guessing a path and building a linear program. The satisfaction of the formula is then checked by verifying, on the one hand, that the run satisfies $p\,U\,r$ and, on the other hand, that the sum of the delays $d_j$ satisfies the constraint of the formula. The complexity is the same as in Proposition 5.
In the case of ITA, the exponential blowup of the transformation into an equivalent ITA− does not affect the complexity of the model-checking procedure above, as in Theorem 2. □

Note that this problem can be compared with bounded reachability as studied in [17]. However, the models seem incomparable: while the variables there (which have fixed nonnegative rates in a state) are more powerful than interrupt clocks, the guards and updates are rectangular, which in particular forbids additive and diagonal constraints.
Proposition 7 Model checking a formula $E\,p\,U_{\geq a}\,r$ or $E\,p\,U_{>a}\,r$ on an ITA is decidable in NEXPTIME, and in NP if the number of clocks is fixed.
Proof Let A be an ITA− with n interrupt clocks and E transitions, and let $B = (E + n)^{3n}$. The algorithm deciding $E\,p\,U_{\geq a}\,r$ (or $E\,p\,U_{>a}\,r$) works as follows. It nondeterministically guesses a path of length at most B and builds the associated linear program (as in the proof of Proposition 5), then checks that:
- this path yields a run, which can be done by solving the linear program;
- there is a position π in this run at which r holds and before which p holds continuously;
- the sum of the delays before π is at least a (strictly greater than a in the case of $E\,p\,U_{>a}\,r$).
If this first procedure fails, the algorithm nondeterministically guesses a path of length at most 2B + 1 and checks that:
- this path yields a run, which can be checked by a linear program as before;
- p holds along this path, but not necessarily in the last state reached;
- r holds in the last state of this path;
- either there is a transition e of level k that updates $x_k$ appearing twice, separated by a sequence σ of transitions of level higher than k during which time elapses (globally); this last part can be checked with a linear program on the delays of this subrun;
- or there is a transition e of level k that does not update $x_k$ appearing twice, separated by a sequence σ of transitions of level higher than k that do not update $x_k$, during which time elapses at levels strictly higher than k but not at level k.
The algorithm returns true if one of the previous procedure succeeds, and false otherwise. We shall now prove that this algorithm is both sound and complete.
Soundness. If the first procedure succeeds, then the path guessed is trivially a witness of $E\,p\,U_{\geq a}\,r$ (or $E\,p\,U_{>a}\,r$, accordingly). If the second procedure succeeds, then a witness for the formula can be built from the path guessed. Indeed, the path guessed satisfies $p\,U\,r$, but not necessarily $p\,U_{\geq a}\,r$. Assume the sequence σ lets δ time units elapse (δ > 0); by repeating the sequence σe $\lceil a/\delta \rceil$ times, we obtain a run satisfying $p\,U_{\geq a}\,r$.
Note that since either e updates the clock $x_k$, or there are neither updates nor time elapsing at level k, and σ happens at higher levels, the clock values in each instance of σe are identical, hence this repetition is always possible.
Completeness. Now consider a minimal witness ρ, of length h, for $E\,p\,U_{\geq a}\,r$. Since ρ is minimal, r holds in the last state of ρ and p holds (at least) in every position before. If $h \leq B$, then the first procedure will consider ρ. Otherwise $h > B$, which means that one of the following cases of Lemma 2 occurs:
- The same transition e of level k leaving $x_k$ unchanged appears twice, separated by lazy or delayed transitions between states of level greater than or equal to k. In that case, the corresponding subrun can be replaced by a time step of the same duration, without changing the truth value of $p\,U_{\geq a}\,r$ on this new shorter run, thus violating the minimality hypothesis.
- The same transition e of level k updating clock $x_k$ appears twice on the subrun $e_1 \dots e_{B+1}$, at positions i and j. In that case we have to distinguish two subcases: either some time has elapsed between the two occurrences $e_i$ and $e_j$ of e, or all the transitions were instantaneous.
- If no time has elapsed, the subrun between $e_i$ and $e_j$ can be removed without altering the truth value of $p\,U_{\geq a}\,r$ on the new run, which is shorter than ρ. Hence there is a contradiction with the minimality hypothesis.
- Or some time elapsed during this subrun. Let ρ be decomposed into $\rho_0 e_i \sigma e_j \rho_j$. Then by applying Lemma 2 to $\rho_j$ there exists a run $\rho'_j$ of length at most B such that $\rho' = \rho_0 e_i \sigma e_j \rho'_j$ is also a run. Note that |ρ
that the last state of ρ′ will be the same as the last state of ρ, hence will satisfy r, and that p will also hold along ρ′. As a result ρ′ will be considered by the second procedure.
- The same transition e of level k leaving $x_k$ unchanged appears twice, with no time elapsing at level k between these occurrences. In that case, we again distinguish two subcases:
- either no time elapsed (globally): the corresponding subrun can be removed, changing nothing in the rest of the execution nor in the satisfaction of $p\,U_{\geq a}\,r$, thus violating the minimality of ρ;
- or time elapsed at higher levels and, by minimizing the subrun after the second occurrence as above, we deduce that the run will be considered by the second procedure.
The completeness proof is similar in the case of $E\,p\,U_{>a}\,r$. When A is an ITA, the exponential blowup of the transformation from ITA to ITA− does not affect the above complexity. □

While a witness is a finite path in the previous cases, it is potentially infinite for $A\,p\,U_{\geq a}\,r$ or $A\,p\,U_{>a}\,r$. The generation of an infinite run relies on the (nondeterministic) exploration of the class graph built in Section 3, and thus has a much greater computational complexity.
Proposition 8 Model checking a formula $A\,p\,U_{\geq a}\,r$ or $A\,p\,U_{>a}\,r$ on an ITA is decidable in 2-EXPTIME, and in co-NP if the number of clocks is fixed.
Proof We consider an ITA A with n interrupt clocks, E transitions and the bound $B = (n + 2)$
where b is the number of bits coding the constants in A. The algorithm verifying $A\,p\,U_{\geq a}\,r$ (or $A\,p\,U_{>a}\,r$) works as follows. It nondeterministically guesses a path of length at most B, builds its associated linear program, and checks that:
- this path yields a run ρ (by solving the linear program);
- this path is maximal, that is, no transition can be fired from the last configuration of the run;
- there is a position π in ρ occurring at a time strictly less than a such that, Case 1: either r does not hold from π on (see Fig. 11), Case 2: or there is a position π′ where neither p nor r holds, and r does not hold between π and π′ (see Fig. 12).
If this first procedure fails, then the algorithm guesses:
-a class K and a cycle C starting from K in the class graph (without building neither the graph nor the cycle), such that C contains at least a discrete step and only traverses classes where ¬r holds; -a path in the automaton of length smaller than or equal to the bound B;
and checks that:
- the path does yield a run ρ that reaches a configuration (q, v, β) in class K (through a linear program);
- there is a position π in ρ occurring at a time strictly less than a after which r no longer holds.
Remark that the procedure cannot use solely the class graph, since the abstraction is not precise enough to check the existence of position π.
Soundness. We prove that the algorithm is sound: when one of the procedures succeeds, there exists a counterexample for formula A p U ≥a r (or A p U>a r). In the case of the first procedure, it is trivial that the guessed run does not satisfy p U ≥a r (or p U>a r).
In the case of the second one, we show that there exists an infinite counterexample. Consider the configuration (q, v, β), which is reachable by ρ. Since (q, v, β) belongs to class K, for any path σ starting from K in the class graph, there is a run in the automaton starting from (q, v, β) that traverses configurations belonging to the classes traversed by σ. Since there is a cycle in the class graph, there is an infinite path in the class graph (iterating on this cycle), so there exists an infinite run in the ITA. Also, since ¬r holds along the infinite path of the class graph, it holds along the run of the ITA, and the run is a counterexample for the formula.

Completeness. If there exists an infinite counterexample ρ, consider its counterpart σ in the class graph. This counterpart is also infinite; more precisely, σ contains an infinite number of discrete transitions. Since σ traverses a finite number of classes, it contains a cycle C with at least one discrete transition. Choose any class K of this cycle and consider the prefix ρ_0 of ρ leading to a configuration in K. As in the case of a finite counterexample, there exists ρ′_0 of length smaller than B reaching the same configuration. All of C, K and ρ′_0 can be guessed by the second procedure, which will therefore succeed.
Procedure 1 operates in NEXPTIME (guessing a path of length B and solving a linear program of size polynomial w.r.t. B). Procedure 2 consists in looking for a specific cycle in the class graph, which can be done in time polynomial w.r.t. the size of the graph, thus in 2-EXPTIME. The case where the number of clocks is fixed is handled as usual. ⊓⊔

For formulas in case 4, a specific procedure can be avoided, since the algorithms of cases 2 and 3 can be reused:
Proposition 9 Model checking a formula A p U≤a r or A p U<a r on an ITA is decidable in 2-EXPTIME, and in co-NP if the number of clocks is fixed.
Proof Notice that A p U≤a r = (A p U≥0 r) ∧ ¬(E ¬r U>a t), and A p U<a r = (A p U≥0 r) ∧ ¬(E ¬r U≥a t). ⊓⊔
Language properties
In this section, we compare the expressive power of the previous models with respect to language acceptance. Recall that TL is strictly contained in CRTL. We prove that:
- The families TL and ITL are incomparable.
- The families CRTL and ITL are incomparable.
ITL is not contained in TL, nor in CRTL
The next proposition shows that ITA cannot be reduced to TA or CRTA. Observe that the automata used in the proof belong to ITA−. Also, the language given for the first point of the proposition is very simple, since it contains only words of length 2.
Proposition 10
1. There exists a language in ITL whose words have bounded length which is not in TL.
2. There exists a language in ITL which is not in CRTL.
Proof To prove the first point, consider the ITA A_3 in Fig. 13. Suppose, by contradiction, that L_3 = L(A_3) is accepted by some timed automaton B (possibly with ε-transitions). Note that since we consider timed languages, we cannot assume that the granularity of B is 1. ′′ is d, the ⊲⊳ operator cannot be =, otherwise the constraint would be x = 1/2d or x = 1 − 1/2d. If the constraint is x < c, x ≤ c, x > c, or x ≥ c, the path will also accept some word (a, 1 − 1/d)(b, t) for some t ≠ 1 − 1/2d. This is also the case if the constraint ϕ_2 is true. We thus obtain a contradiction with L(B′′) ⊆ L_3, which ends the proof.
To prove the second point, consider the language:
accepted by the ITA A_4 in Fig. 14. This language cannot be accepted by a CRTA (see [21]). ⊓⊔
TL is not contained in ITL
We now prove that there exists a language in TL that does not belong to ITL. Let L_5 be the language defined by
Hence, the untimed language of L_5 is (ab)*: there is an occurrence of a at each time unit, and the successive occurrences of b come each time closer to the occurrence of a than previously. This language is in TL, as can be checked on the TA A_5 of Fig. 15 (first proposed in [4]).

Proof Assume, by contradiction, that L_5 belongs to ITL. Then L_5 is accepted by an ITA− A with n clocks and E transitions. Let B = (E + n)^{3n} and consider the timed
Word w is accepted by a run ρ of A, which can be assumed to be of minimal size. However, we know that |ρ| > B, so one of the three cases of Lemma 2 occurs in the first B transitions.
- Suppose a transition e of level k that updates x_k appears twice, separated by a subrun σ of level greater than or equal to k. Remark that the valuations after the first and the second occurrence of e are identical. We distinguish several subcases, depending on the word read along σe.
  - If σe reads the empty word ε, we write δ for the time spent during σe. If δ = 0, then σe can be deleted without affecting either the remainder of the run or the accepted word, which contradicts the minimality of ρ. If δ ≥ 1, then some interval [i, i + 1] does not contain any b, which contradicts the definition of L_5. Otherwise, 0 < δ < 1. By deleting σe, we obtain an execution ρ′ (accepted by A) in which the suffix after e is shifted by δ. Therefore the following occurrence of letter a, which appeared in ρ at date i ∈ N \ {0}, appears in ρ′ at date i − δ, which is not integral. So the word accepted by ρ′ is not in L_5, which is a contradiction.
  - If σe reads more a's than b's or more b's than a's, by deleting σe we obtain a run accepting a word whose untiming is not in (ab)*, which thus does not belong to L_5.
  - If σe reads as many a's as b's (and both letters at least once), by duplicating σe we obtain a run accepting a word in which the same duration between an a and the following b is repeated, thus violating the definition of L_5.
- Suppose a delayed or lazy transition e of level k occurs twice, separated by a subrun σ of level greater than or equal to k, such that σe does not update x_k. Then we can replace eσ by a time step of the same duration and obtain a new run ρ′, accepted by A.
  - If eσ reads ε, then ρ′ contradicts the minimality of ρ.
  - If eσ reads the word b, then ρ′ accepts a word where a and b do not alternate, thus not in L_5.
  - If eσ reads at least one a, then ρ′ accepts a word with no a at a given integral date, therefore not in L_5.
- Otherwise, a transition e of level k appears twice, separated by a subrun σ of level greater than or equal to k, such that σe neither updates x_k nor lets time elapse at level k. The same disjunction as in the case of an update of x_k can be applied, since σe can either be deleted or duplicated.
Note that the feature preventing L_5 from being in ITL lies in the decreasing delays between the a's and their immediately following b. A language in ITL can record k different constant delays, using k + 1 clocks. For instance, on the alphabet Σ = {a_1, ..., a_k}, the language
(a_1, τ_1) ... (a_k, τ_k)(a_1, τ_1 + 1) ... (a_k, τ_k + 1) ... (a_1, τ_1 + n
is accepted by an ITA− with k + 1 clocks. Fig. 16 illustrates the case where k = 3, with all states lazy. We conjecture that M_k cannot be accepted by an ITA with k clocks.

6. There is an occurrence of abab such that the time difference between the first two occurrences is smaller than or equal to the time difference between the last two occurrences.
Since ITL is trivially closed under union, it is enough to prove that each assertion from the set above can be expressed by an ITA. The first five assertions are straightforwardly modeled by an ITA with a single clock (and ε-transitions), and we present in Fig. 17 an ITA with two clocks corresponding to the last one. ⊓⊔

In the previous section, we proved that the classes of languages defined by ITA and CRTA are incomparable. Here we provide a class containing both ITL and CRTL. In order to do so, we combine the models of ITA with CRTA.
An undecidable product
The first possible kind of combination is the synchronized product of an ITA and a CRTA. However, this turns out to be too powerful a model, since combining even a TA with an ITA yields undecidability of the reachability problem.
ϕ∧ψ,a,u∧v
The semantics of an ITA×TA is a transition system over configurations
Discrete steps are defined analogously to ITA (see Definition 2). In time steps, clocks of X evolve as in an ITA and clocks of Y as in a TA. More precisely, a time step of
for any other clock x ∈ X, and w

For example, the submodule incrementing c when c ≥ d is depicted in Fig. 18. In this module, the values of classical clocks are copied into interrupt clocks, updated thanks to the linear updates allowed by ITA, and the new values are copied back into classical clocks by resetting them at the appropriate moment. The valuations of clocks during an execution of this module are given in Table 3. Note that policies are used in this product, but they could be replaced by classical clocks.
The detailed proof can be found in Appendix B.
Other proofs of undecidability for hybrid systems mixing clocks and stopwatches have been developed (see for instance [24, Theorem 4.1] for a construction with a single stopwatch and 5 clocks). While this construction could have been adapted to

- Q is a finite set of states, q_0 is the initial state and F ⊆ Q is the set of final states.
- pol : Q → {L, U, D} is the timing policy of states.
- X = {x_1, ..., x_n} consists of n interrupt clocks and Y is a set of basic clocks,
- Σ is a finite alphabet,
- Ω is a set of colors, and the mapping λ : Q ⊎ Y → {1, ..., n} ⊎ Ω associates with each state its level or its color, with x_{λ(q)} the active clock in state q for λ(q) ∈ N, and λ(y) ∈ Ω for y ∈ Y. For every state q ∈ λ^{−1}(Ω), the policy is pol(q) = L.
- up and low are mappings from Y to Q with the same constraints as CRTA (see Definition 4), and vel : Q → Q is the clock rate with λ(q) /
1. The guard ϕ is of the form ϕ_1 ∧ ϕ_2 with the following conditions. If λ(q) ∈ N, ϕ_1 is an ITA guard on X, and otherwise ϕ_1 = true. Constraint ϕ_2 is a CRTA guard on Y (also possibly equal to true).
2. The update u is of the form u_1 ∧ u_2 fulfilling the following conditions. Assignments from u_1 update the clocks in X with the constraints of ITA when λ(q) and λ(q′) belong to N. Otherwise it is a global reset of the clocks in X. Assignments from u_2 update clocks from Y, as in CRTA.
Any ITA can be viewed as an ITA+ with Y empty and λ(Q) ⊆ {1, ..., n}, and any CRTA can be viewed as an ITA+ with X empty and λ(Q) ⊆ Ω. Class ITA+ combines both models in the following sense. When the current state q is such that λ(q) ∈ Ω, the ITA part is inactive. Otherwise, it behaves as an ITA but with additional constraints on the clocks of the CRTA involved in the extended guards and updates. The semantics of ITA+ is defined as usual but now takes into account the velocity of CRTA clocks.
Definition 13 (Semantics of ITA+) The semantics of an automaton A in ITA+ is defined by the transition system T_A = (S, s_0, →). The set S of configurations consists of the triples (q, v, β), where v is a valuation over X ∪ Y and β ∈ {⊤, ⊥}, with initial configuration (q_0, 0, ⊥). An accepting configuration of T_A is a pair (q, v) with q in F. The relation → on S consists of time steps and discrete steps, the definition of the latter being the same as before:
Time steps: Only the active clocks in a state can evolve; all other clocks are suspended.
For a state q with λ(q) ∈ N (the active clock is x_{λ(q)}), a time step of duration d > 0 is defined by (q, v, β)
for any other clock x. For a state q with λ(q) ∈ Ω (the active clocks are

In order to illustrate the interest of the combined models, an example of a (simple) login procedure is described in Fig. 19 as a TA with interruptions at a single level. First it immediately displays a prompt and arms a time-out of 1 t.u. handled by clock y (transition init

We first consider the reachability problem for two states q_i and q_f at the CRTA level (with λ(q_i) ∈ Ω and λ(q_f) ∈ Ω). The procedure consists in performing a nondeterministic search along an elementary path whose vertices are classes of the class graph of the CRTA. Let (q, Z) be the current class; the procedure nondeterministically chooses the next class (q′, Z′) and checks that there exist a configuration of (q, Z) and an execution only through states q′′ with λ(q′′) ∈ N that leads to a configuration of (q′, Z′). This is solved as previously by nondeterministically choosing an execution path, building a linear program related to the path (of exponential size) and solving it. Let us prove that such a path can be chosen whose length is in O(p(E + 2n)^{3n}).
Assume that there is a run π from (q, v) ∈ (q, Z) to some configuration (q
We say that a transition e of π usefully resets a clock y ∈ Y if it is the first transition of π that resets y. Observe that there are at most p useful resetting transitions and that between two such successive transitions (or before the first one or after the last one) the values of the clocks of Y are unchanged when transitions are fired. We consider a subrun ρ between two such successive transitions (or before the first one or after the last one) from (q_1, v_1) to (q_2, v_2), with m_k the number of transitions of level k.
Using Lemma 2, we build a subrun ρ′ from (q_1, v_1) to (q_2, v_2) of length smaller than (E + 2n)^{3n}. Concatenating the subruns, the useful resetting transitions and the initial transition, one obtains a run π
The key point ensuring the correctness of the procedure is that the existence of a solution depends only on the starting class (q, Z) and not on the configuration inside this class. This is due to the separation of guards and updates between the two kinds of clocks on the transitions.
When state q_i (resp. q_f) is not at the basis level, the procedure adds an initial (resp. final) guess, also checked by a linear program. When the number of clocks is fixed, the dominant factor is the path search in the class graph, and PSPACE-hardness follows from the result for TA.
Conclusion
In this paper, we introduced and studied the model of Interrupt Timed Automata. This model is useful to represent timed systems with tasks organized over priority levels.
While ITA fall into the more general class of hybrid systems, the reachability problem is proved decidable for this subclass. For ITA, reachability is in NEXPTIME, and in PTIME when the number of clocks is fixed, by building a class graph. Similar constructions yield decidability of the reachability problem on an extension of ITA where the lowest priority level can behave as a Controlled Real-Time Automaton. They also yield procedures for model checking CTL* formulas and timed CTL formulas constraining only the clocks of the system. Another fragment of timed CTL was identified as decidable: the one where the only time constraints concern global earliest or latest execution times. On the other hand, model checking the linear time logic SCL is proved undecidable on ITA, implying that this is also the case for MITL.
From the expressiveness point of view, the class ITL is proved incomparable with both TL and CRTL, and is closed neither under complementation nor under intersection. The expressiveness results are summed up in Fig. 20, where the grey zone represents undecidability of the reachability problem. Several problems remain open on the class of ITA. First of all, the effects of having both (limited) stopwatches and linear expressions in guards are combined in ITA, and it is not known which of the two is the cause of the undecidability results presented in this paper. For instance, the undecidability of SCL may not hold without the possibility of complex updates. More generally, the expressive power of the subclass of ITA restricted to rectangular guards (x + b ⊲⊳ 0) and only resets (x := 0) should be investigated. Also, it is conjectured that the class of ITA with n + 1 clocks is strictly more expressive than the class of ITA with n clocks. Regarding model checking, the undecidability of full TCTL remains to be established. Finally, the complexity bounds presented in this paper are only upper bounds, and matching lower bounds are still missing.
A Proof of Theorem 4
Let ϕ be a formula in TCTL^int_c and A an ITA with n levels and E transitions. As in Section 3, the proof relies on the construction of a finite class graph. The main difference is in the computation of the n sets of expressions E_1, ..., E_n. As before, each set E_k is initialized to {x_k, 0}, and the expressions in this set are those which are relevant for comparisons with the current clock at level k. In this case, they include not only guards but also comparisons with the constraints from the formula. Recall that the sets are computed top down from n to 1, using the normalization operation.
- At level k, we may assume that expressions in guards of an edge leaving a state are of the form αx_k + Σ_{i<k} a_i x_i + b with α ∈ {0, 1}. We add −Σ_{i<k} a_i x_i − b to E_k.
- To take into account the constraints of formula ϕ, we add the following step: for each comparison C ⊲⊳ 0 in ϕ and for each k, with norm(C, k) = αx_k + Σ_{i<k} a_i x_i + b (α ∈ {0, 1}), we also add the expression −Σ_{i<k} a_i x_i − b to E_k.
- Then we iterate the following procedure until no new term is added to any E_i for 1 ≤ i ≤ k.
  1. Let q --ϕ,a,u--> q′ with λ(q′) ≥ k and λ(q) ≥ k. If C ∈ E_k, then we add C[u] to E_k.
  2. Let q --ϕ,a,u--> q′ with λ(q′) ≥ k and λ(q) < k. For C, C′ ∈ E_k, we compute C′′ = norm(C[u] − C′[u], λ(q)). If C′′ = αx_{λ(q)} + Σ_{i<λ(q)} a_i x_i + b with α ∈ {0, 1}, then we add −Σ_{i<λ(q)} a_i x_i − b to E_{λ(q)}.
The proof of termination for this construction is similar to the one in Section 3.
We now consider the transition system G A whose set of configurations are the classes R = (q, { k } 1≤k≤λ(q) ), where q is a state and k is a total preorder over E k . The class R describes the set of valuations R = {(q, v) | ∀k ≤ λ(q) ∀(g, h)
The set of transitions is defined as in Section 3. The transition system G_A is again finite and time-abstract bisimilar to T_A. Moreover, the truth value of each comparison C = Σ_{i≥1} a_i · x_i + b ⊲⊳ 0 appearing in ϕ can be fixed for each class R. Indeed, since for every k both 0 and Σ_{1≤i≤k−1} a_i · x_i + b are in the set of expressions E_k, the truth value of C ⊲⊳ 0 does not change inside a class. Therefore, introducing a fresh propositional variable q_C for the constraint C ⊲⊳ 0, each class R can be labelled with a truth value for each q_C. Deciding the truth value of ϕ can then be done by a classical CTL model-checking algorithm on G_A.
The complexity of the procedure is obtained by bounding the number of expressions for each level k by (E + |ϕ| + 2)^{2^{n(n−k+1)} + 1}, and applying the same reasoning as for Proposition 2.
B Proof of Theorem 7
We build an automaton in ITA×TA which simulates a deterministic two-counter machine M (as in the proof of Theorem 3). Let L_M be the set of labels of M. The automaton A_M = (Σ, Q, q_0, F, pol, X ∪ Y, λ, ∆) is built to reach its final location Halt if and only if M stops. It is defined as follows:
- Σ consists of one letter per transition.
- {k_1, k_2, r_1, ..., r_5} × {>, <}), q_0 = ℓ_0 (the initial instruction of M) and F = {Halt}.
- pol : Q → {Urgent, Lazy, Delayed} is such that pol(q) = Urgent iff either q ∈ L_M or q = (ℓ, q_2, ⊲⊳), and pol(q) = Lazy in most other cases: some states (ℓ, k_i, ⊲⊳) are Delayed, as shown in Fig. 21 and 22.
- X = {x_1, x_2, x_3} is the set of interrupt clocks and Y = {y_c, y_d} is the set of standard clocks with rate 1.
- λ : Q → {1, 2, 3} is the interrupt level of each state. All states in L_M and L_M × {k_0, k_1, k_2} are at level 1, as are all states corresponding to r_1. States corresponding to r_2 and r_3 are at level 2, while those corresponding to r_4 and r_5 are at level 3.
- ∆ is defined through basic modules in the sequel.
The transitions of A_M are built within small modules, each one corresponding to one instruction of M. The value n of c (resp. p of d) in a state of L_M is encoded by the value 1 − 1/2^n of clock y_c (resp. 1 − 1/2^p of y_d). The idea behind this construction is that for any standard clock y, it is possible to "copy" the value of k − y into an interrupt clock x_i, for some constant k, provided the value of y never exceeds k. To achieve this, we start and reset the interrupt clock, then stop it when y = k. Note that by the end of the copy, the value of y has changed. Conversely, in order to copy the content of an interrupt clock x_i into a clock y, we switch from level i to level i + 1 and reset y at the same time. When x_{i+1} = x_i, the value of y is equal to the value of x_i. Remark that the form of the guards on x_{i+1} allows us to copy the value of a linear expression on {x_1, ..., x_i} into y.
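To make the two clock-copy tricks concrete, the following Python is an added example (not the paper's construction) that simulates the ITA×TA time-step semantics used above (only the interrupt clock of the current level advances, standard clocks always run at rate 1) and replays both tricks on the paper's 1 − 1/2^n counter encoding; the class, the function names and the start valuation are my own assumptions.

```python
from fractions import Fraction as F

# Constructed example (not the paper's automaton): a minimal simulator of the
# ITA x TA time-step semantics. Only the interrupt clock x_level advances in a
# time step (the other x_i are suspended); standard clocks y always run at rate 1.

OPS = {"==": lambda v: v == 0, "<": lambda v: v < 0, "<=": lambda v: v <= 0,
       ">": lambda v: v > 0, ">=": lambda v: v >= 0}

class ITAxTA:
    def __init__(self, n_levels, y_names):
        self.x = {i: F(0) for i in range(1, n_levels + 1)}  # interrupt clocks
        self.y = {name: F(0) for name in y_names}           # standard clocks
        self.level = 1                                      # lambda(q) of current state

    def lin(self, coeffs, b=0):
        """Value of sum(a_i * x_i) + b on the interrupt clocks (coeffs: {i: a_i})."""
        return sum(F(a) * self.x[i] for i, a in coeffs.items()) + F(b)

    def elapse(self, d):
        """Time step of duration d > 0: x_level += d, other x unchanged, every y += d."""
        d = F(d)
        if d <= 0:
            raise ValueError("time steps have positive duration")
        self.x[self.level] += d
        for name in self.y:
            self.y[name] += d

    def discrete(self, target_level, x_guard=None, y_guard=None, x_updates=(), y_resets=()):
        """Discrete step. Guards never mix clock kinds: x_guard = (coeffs, b, op) means
        sum a_i x_i + b op 0, y_guard = (name, c, op) means y - c op 0. Updates x_j :=
        sum a_i x_i + b use the pre-step valuation; y clocks can only be reset."""
        if x_guard is not None and not OPS[x_guard[2]](self.lin(x_guard[0], x_guard[1])):
            raise RuntimeError("ITA guard violated")
        if y_guard is not None and not OPS[y_guard[2]](self.y[y_guard[0]] - F(y_guard[1])):
            raise RuntimeError("TA guard violated")
        new_x = dict(self.x)
        for j, (coeffs, b) in x_updates:
            new_x[j] = self.lin(coeffs, b)
        self.x = new_x
        for name in y_resets:
            self.y[name] = F(0)
        self.level = target_level

def copy_complement_into_x(m, yname, k):
    """First trick of Appendix B: store k - y in the active interrupt clock x_i.
    Reset x_i, let time run until y = k (y must be below k); x_i then holds k - y."""
    i = m.level
    m.discrete(i, x_updates=[(i, ({}, 0))])          # x_i := 0, stay at level i
    m.elapse(F(k) - m.y[yname])                       # both clocks run at rate 1
    m.discrete(i, y_guard=(yname, k, "=="))           # fire exactly when y = k
    return m.x[i]

def copy_expr_into_y(m, yname, coeffs, b=0):
    """Second trick of Appendix B: copy a linear expression over x_1..x_i into y.
    Move to level i+1 while resetting y and x_{i+1}; the lower clocks are suspended
    there, so the guard x_{i+1} = expr fires exactly when y = expr."""
    i = m.level
    target = m.lin(coeffs, b)
    m.discrete(i + 1, x_updates=[(i + 1, ({}, 0))], y_resets=[yname])
    m.elapse(target)
    guard = dict(coeffs)
    guard[i + 1] = F(guard.get(i + 1, 0)) - 1         # expr - x_{i+1} == 0
    m.discrete(i + 1, x_guard=(guard, b, "=="))
    return m.y[yname]

def demo(n=2):
    """Counter value n encoded as y_c = 1 - 1/2^n (paper's encoding). Extract 1/2^n
    into x_1, then copy x_1/2 = 1/2^(n+1) into y_c; x_1 keeps its value meanwhile."""
    m = ITAxTA(3, ["y_c", "y_d"])
    m.y["y_c"] = 1 - F(1, 2 ** n)                     # constructed start valuation
    x1 = copy_complement_into_x(m, "y_c", 1)          # x_1 = 1 - y_c = 1/2^n
    yc = copy_expr_into_y(m, "y_c", {1: F(1, 2)})     # y_c = x_1 / 2
    return x1, yc, m.x[1], m.level

if __name__ == "__main__":
    print(demo(2))  # (Fraction(1, 4), Fraction(1, 8), Fraction(1, 4), 2)
```

The returned x_1 is unchanged after the level-2 phase, which is the clock suspension that a plain TA cannot express and that the reduction relies on.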
For instance, consider an instruction labeled by ℓ incrementing c and then going to ℓ′, with respective values n of c and p of d, from a configuration where n ≥ p. The corresponding module A^{c++}_{c≥d}(ℓ, ℓ′) is depicted in Fig. 18 (see main text). In this module, interrupt clock x_1 is used to record the value Table 3 (see main text).
The module of Fig. 18 can be adapted to the case of decrementing c by just changing the linear expressions in the guards on x_3, provided that the final value of c is still greater than that of d. It is also quite easy to adapt the same module when n < p: in that case we store 1/2^p in x_1 and 1/2^n in x_2, since y_d will reach 1 before y_c. We also need to start y_d before y_c when copying the adequate values into the clocks. The case of decrementing c while n ≤ p is handled similarly. In order to choose which module to use according to the ordering between the values of the counters, we use the modules of Fig. 21 and 22. Fig. 21 represents the case where at label ℓ we have an increment of c, whereas Fig. 22 represents the case where ℓ corresponds to decrementing c. In that last case the value of c is compared not only to that of d, but also to 0, in order to know which branch of the if instruction is taken. Note that only one of the branches can be taken until the end. Instructions involving d are handled symmetrically.
Automaton A_M is obtained by joining the modules described above through the states of L_M. Let us prove that automaton A_M simulates the two-counter machine M, so that M halts iff A_M reaches the Halt state.
Let (ℓ_0, 0, 0)(ℓ_1, n_1, p_1) ... (ℓ_i, n_i, p_i) ... be a run of M. We show that this run is simulated in A_M by the run (l_0, 0) ρ_0 (l_1, v_1) ρ_1 ..., where ρ_i is either empty or a subrun through states in {(ℓ_i, r_j, ⊲⊳) | j ∈ {1, ..., 5}, ⊲⊳ ∈ {>, <}} (i.e. subruns in modules like A^{c++}_{c≥d} of Fig. 18). Moreover, it will be the case that and goes to ℓ′ if c is greater than 0 and goes to ℓ′′ otherwise, the other cases being similar. We are therefore in the case of Fig. 22. If n_i = 0, the next configuration of M will be (ℓ′′, n_i, p_i). Conversely, in A_M, if n_i = 0 then y_c = 0, and there is no choice but to enter ℓ′′, leaving all clock values unchanged (because ℓ_i is an Urgent state). The configuration of A_M thus satisfies the property. If n_i > 0, the next configuration of M will be (ℓ′, n_i − 1, p_i). In A_M, the transition chosen is the one that corresponds to the ordering between n_i and p_i. In both cases, similarly to the example of A^{c++}_{c≥d}(ℓ, ℓ′), the run reaches state ℓ′ with y_c = 1 − 1/2^{n_i − 1} and y_d as before, thus preserving the property. Hence M halts iff A_M reaches the Halt state.
The automaton A_M is indeed the product of an ITA I and a TA T, synchronized on actions. Observe that in all the modules described above, guards never mix a standard clock with an interrupt one. Since each transition has a unique label, keeping only guards and resets on either the clocks of X or on those of Y yields an ITA and a TA whose product is A_M. ⊓⊔
