On The Reachability Problem for Recursive Hybrid Automata with One and
  Two Players by Krishna, Shankara Narayanan et al.
arXiv:1406.7289v2 [cs.LO] 15 Aug 2014
On The Reachability Problem for Recursive Hybrid
Automata with One and Two Players
Shankara Narayanan Krishna, Lakshmi Manasa, and Ashutosh Trivedi
Indian Institute of Technology Bombay, India,
{krishnas,manasa,trivedi}@cse.iitb.ac.in
Abstract. Motivated by the success of the bounded model checking framework for finite state machines, Ouaknine and Worrell proposed a time-bounded theory of real-time verification by claiming that restriction to bounded time recovers decidability for several key decision problems related to real-time verification. In support of this theory, the list of undecidable problems recently shown decidable under the time-bounded restriction is rather impressive: language inclusion for timed automata, the emptiness problem for alternating timed automata, and the emptiness problem for rectangular hybrid automata. The objective of our study was to recover decidability for general recursive timed automata—and perhaps for recursive hybrid automata—under the time-bounded restriction in order to provide an appealing verification framework for powerful modeling environments such as Stateflow/Simulink. Unfortunately, however, we answer this question in the negative by showing that the time-bounded reachability problem stays undecidable for recursive timed automata with five or more clocks. While the bad news continues even when one considers well-behaved subclasses of recursive hybrid automata, we recover decidability by considering recursive hybrid automata with bounded context using a pass-by-reference mechanism, or by restricting the number of variables to two, with rates in {0, 1}.
1 Introduction
Recursive state machines (RSMs), as introduced by Alur, Etessami, and Yannakakis [6], are a variation on various visual notations to represent hierarchical state machines, notably Harel's statecharts [15] and the Object Management Group supported UML diagrams [19], that permits recursion while disallowing concurrency. RSMs closely correspond [6] to pushdown systems [9], context-free grammars, and Boolean programs [7], and provide a natural specification and verification framework to reason about sequential programs with recursive procedure calls. The two fundamental verification questions for RSMs, namely reachability and Büchi emptiness checking, are known to be decidable in polynomial time [6,13].
Hybrid automata [4,3] extend finite state machines with continuous variables that permit a natural modeling of hybrid systems. In a hybrid automaton the variables continuously flow according to a given set of ordinary differential equations within each discrete state, while they are allowed to have discontinuous jumps during transitions between states that are guarded by constraints over the variables. In this paper we study the reachability problem for recursive hybrid automata, which generalize recursive state machines with continuous variables, or equivalently hybrid automata with recursion.
[Figure 1: component M1 with nodes u1, u2, u3, box b1 : M2(x) and transition guards x=1, x<1, x=0; component M2 with nodes v1, v2, box b2 : M2 and guards x=1 and x<1 with reset {x}]
Fig. 1. An example of a recursive timed automaton with one clock and two components
In this paper we restrict our attention to so-called singular hybrid automata where the dynamics of every variable is restricted to state-dependent constant rates. A variable is often called a clock if its rate over all the states is 1, while it is called a stopwatch if its rate is either 0 (clock is stopped) or 1 (clock is ticking) in different states. A timed automaton [4] is a hybrid automaton where all the variables are clocks, while a stopwatch automaton [16] is a hybrid automaton where all the variables are stopwatches. It is well known that the reachability problem is decidable (PSPACE-complete) for timed automata [4] and undecidable for stopwatch automata with 3 stopwatches [11].
Trivedi and Wojtczak [20] introduced recursive timed automata (RTAs) as an extension of timed automata with recursion to model real-time software systems. Formally, an RTA is a finite collection of components where each component is a timed automaton that, in addition to making transitions between various states, can have transitions to “boxes” that are mapped to other components, modeling a potentially recursive call to a subroutine. During such an invocation limited information can be passed through clock values from the “caller” component to the “called” component via two different mechanisms: a) pass-by-value, where upon returning from the called component a clock assumes the value it had prior to the invocation, and b) pass-by-reference, where upon return clocks reflect any changes to their values inside the invoked procedure.
Example 1. The visual presentation of a recursive timed automaton with two components M1 and M2, and one clock variable x is shown in Figure 1 (example taken from [20]), where component M1 calls component M2 via box b1 and component M2 recursively calls itself via box b2. Components are shown as thinly framed rectangles with their names written next to the upper right corner. Various control states, or “nodes”, of the components are shown as circles with their labels written inside them, e.g. see node u1. Entry nodes of a component appear on the left of the component (see u1), while exit nodes appear on the right (see u3). Boxes are shown as thickly framed rectangles inside components labeled b : M(C), where b is the label of the box, M is the component it is mapped to, and C is the set of clocks passed to M by value; the rest of the variables are passed by reference. When the set C is empty, we just write b : M for b : M(∅). Each transition is labelled with a guard and the set of reset variables (e.g. the transition from node v1 to v2 can be taken only when variable x<1, and after taking this transition, variable x is reset). To minimize clutter we omit empty reset sets.
Trivedi and Wojtczak [20] showed that the reachability and termination (reachability with empty calling context) problems are undecidable for RTAs with three or more clocks. Moreover, they considered the so-called glitch-free restriction of RTAs—where at each invocation either all clocks are passed by value or all clocks are passed by reference—and showed that reachability (and termination) is EXPTIME-complete for RTAs with two or more clocks. In the model of [20] it is compulsory to pass all the clocks at every invocation with either mechanism. Abdulla, Atig, and Stenman [1] studied a related model called timed pushdown automata where they disallowed passing clocks by value. On the other hand, they allowed clocks to be passed either by reference or not passed at all (in that case they are stored in the call context and continue to tick with the uniform rate). It is shown in [1] that the reachability problem for this class remains decidable (EXPTIME-complete). In this paper we restrict ourselves to the recursive timed automata model as introduced in [20].

                    | Recursive Timed Automata         | Recursive Hybrid Automata
                    | TUB            | TB              | TUB                    | TB
Pass by reference   | D              | D               | U (≥ 3 sw) [11]        | D (bounded context)
Pass by value       | D              | D               | U (≥ 3 sw)             | U (≥ 14 sw)
Glitch free         | D              | D               | U (≥ 3 sw), D (≤ 2 sw) | U (≥ 14 sw), D (≤ 2 sw)
Unrestricted        | U (≥ 3 clocks) | U (≥ 5 clocks)  | U (≥ 2 sw)             | U (≥ 5 sw)
Table 1. Summary of results related to RHA - single player game. Results shown in bold are contributions from this paper, while results shown in gray color are contributions from [20]. Here TUB and TB stand for time-unbounded and time-bounded reachability problems, respectively. U stands for undecidable, D for decidable, and sw for stopwatches.

                    | Recursive Timed Automata         | Recursive Stopwatch Automata
                    | TUB            | TB              | TUB                    | TB
Glitch free         | D              | D               | U (≥ 3 sw), D (≤ 2 sw) | U (≥ 4 sw), D (≤ 2 sw)
Unrestricted        | U (≥ 2 clocks) | U (≥ 3 clocks)  | U (≥ 2 sw)             | U (≥ 3 sw)
Table 2. Summary of results for two-player games. Results shown in bold are contributions from this paper, while results shown in gray color are from [20].
Contributions. In this paper we consider the time-bounded reachability problem for RTAs and show that the problem stays undecidable for RTAs with 5 or more clocks. We also consider the extension of RTAs to recursive hybrid automata (RHAs) and show that the reachability problem stays undecidable even for glitch-free RHAs with 3 or more stopwatches (clocks that can be paused), while we show decidability for glitch-free RHAs with 2 stopwatches. We also show that the reachability problem is undecidable for unrestricted RHAs with two or more stopwatches. For the time-bounded reachability case, we show that the problem stays undecidable even for the glitch-free variant of RHAs with 14 or more stopwatches. On the positive side, we show decidability of time-bounded reachability in glitch-free RHAs with the pass-by-reference mechanism only. Our results are summarized and compared with known results in Table 1.
We study these problems for two-player games on RTAs and RHAs as well. The undecidability saga continues even for games with fewer clocks than in the single-player case. The results for games are summarized in Table 2.
Related work. For a survey of models related to recursive timed automata and dense-time pushdown automata we refer the reader to [20] and [1]. Another closely related model is introduced by Benerecetti, Minopoli, and Peron [8], where pushdown automata are extended with an additional stack used to store clock valuations. The reachability problem is known to be undecidable for this model. We do not consider this model in the current paper, but we conjecture that the time-bounded reachability problem for this model is also undecidable.
Two special kinds of RSMs with restricted recursion are hierarchical RSMs and bounded stack RSMs [12]. [12] gives efficient algorithms for the reachability analysis of hierarchical and bounded stack RSMs, and algorithms for the latter might be useful in the analysis of programs without infinite recursion. The language theory of bounded context recursion has been studied recently [17]. Hierarchical hybrid systems studied by Alur et al. [5] are a restriction of recursive hybrid automata where recursion is disallowed but concurrency is allowed. A number of case studies with the tool CHARON [5] demonstrate the benefit of hierarchical modeling of hybrid systems.
Organization. In the next section, we begin by reviewing the definition of recursive state machines, followed by a formal definition of recursive (singular) hybrid automata. We also formally define the termination and the reachability problems for two players on this model, and present our main results. Finally, Sections 4 and 5 detail our main undecidability results while Sections 6 and 7 discuss our decidability results.
2 Preliminaries
2.1 Reachability Games on Labelled Transition Systems.
A labeled transition system (LTS) is a tuple L = (S, A, X) where S is the set of states, A is the set of actions, and X : S×A → S is the transition function. We say that an LTS L is finite (discrete) if both S and A are finite (countable). We write A(s) for the set of actions available at s ∈ S, i.e., A(s) = {a : X(s, a) ≠ ∅}. A game arena G is a tuple (L, SAch, STor), where L = (S, A, X) is an LTS, SAch ⊆ S is the set of states controlled by player Achilles, and STor ⊆ S is the set of states controlled by Tortoise. Moreover, the sets SAch and STor form a partition of the set S. In a reachability game on G rational players—Achilles and Tortoise—take turns to move a token along the states of L. The decision to choose the successor state is made by the player controlling the current state. The objective of Achilles is to eventually reach certain states, while the objective of Tortoise is to avoid them forever.
We say that (s, a, s′) ∈ S×A×S is a transition of L if s′ = X(s, a), and a run of L is a sequence 〈s0, a1, s1, . . .〉 ∈ S×(A×S)∗ such that (si, ai+1, si+1) is a transition of L for all i ≥ 0. We write RunsL (FRunsL) for the set of infinite (finite) runs and RunsL(s) (FRunsL(s)) for the set of infinite (finite) runs starting from state s. For a set F ⊆ S and a run r = 〈s0, a1, . . .〉 we define Stop(F)(r) = inf {i ∈ N : si ∈ F}. Given a state s ∈ S and a set of final states F ⊆ S we say that a final state is reachable from s if there is a run r ∈ RunsL(s) such that Stop(F)(r) < ∞. A strategy of Achilles is a partial function α : FRunsL → A such that for a run r ∈ FRunsL we have that α(r) is defined if last(r) ∈ SAch, and α(r) ∈ A(last(r)) for every such r. A strategy of Tortoise is defined analogously. Let $\Sigma^{L}_{\mathrm{Ach}}$ and $\Sigma^{L}_{\mathrm{Tor}}$ be the sets of strategies of Achilles and Tortoise, respectively. The unique run Run(s, α, τ) from a state s when players use strategies $\alpha \in \Sigma^{L}_{\mathrm{Ach}}$ and $\tau \in \Sigma^{L}_{\mathrm{Tor}}$ is defined in a straightforward manner. For an initial state s and a set of final states F, the lower value $\underline{\mathrm{Val}}^{L}_{F}(s)$ of the reachability game is defined as the upper bound on the number of transitions that Tortoise can ensure before the game visits a state in F irrespective of the strategy of Achilles, and is equal to $\sup_{\tau \in \Sigma^{L}_{\mathrm{Tor}}} \inf_{\alpha \in \Sigma^{L}_{\mathrm{Ach}}} \mathrm{Stop}(F)(\mathrm{Run}(s, \alpha, \tau))$. The upper value $\overline{\mathrm{Val}}^{L}_{F}(s)$ is analogous and is defined as $\inf_{\alpha \in \Sigma^{L}_{\mathrm{Ach}}} \sup_{\tau \in \Sigma^{L}_{\mathrm{Tor}}} \mathrm{Stop}(F)(\mathrm{Run}(s, \alpha, \tau))$. If $\underline{\mathrm{Val}}^{L}_{F}(s) = \overline{\mathrm{Val}}^{L}_{F}(s)$ then we say that the reachability game is determined, or that the value $\mathrm{Val}^{L}_{F}(s)$ of the reachability game exists and is such that $\mathrm{Val}^{L}_{F}(s) = \underline{\mathrm{Val}}^{L}_{F}(s) = \overline{\mathrm{Val}}^{L}_{F}(s)$. We say that Achilles wins the reachability game if $\mathrm{Val}^{L}_{F}(s) < \infty$. The reachability game problem is to decide whether, in a given game arena G with an initial state s and a set of final states F, Achilles has a strategy to win the reachability game.
[Figure 2: component M1 with nodes u1, u2, u3, u4 and boxes b1 : M2, b2 : M3; component M2 with nodes v1, v2, v3, v4 and boxes c1 : M2, c2 : M3; component M3 with nodes w1, w2 and box d : M1]
Fig. 2. Example recursive state machine taken from [2]
2.2 Reachability Games on Recursive State Machines
A recursive state machine [2] M is a tuple (M1, M2, . . . , Mk) of components, where each component Mi = (Ni, ENi, EXi, Bi, Yi, Ai, Xi) for 1 ≤ i ≤ k is such that:
– Ni is a finite set of nodes including a distinguished set ENi of entry nodes and a set EXi of exit nodes such that EXi and ENi are disjoint sets;
– Bi is a finite set of boxes;
– Yi : Bi → {1, 2, . . . , k} is a mapping that assigns every box to a component. We associate a set of call ports Call(b) and return ports Ret(b) to each box b ∈ Bi: $\mathrm{Call}(b) = \{(b, en) : en \in EN_{Y_i(b)}\}$ and $\mathrm{Ret}(b) = \{(b, ex) : ex \in EX_{Y_i(b)}\}$. Let $\mathrm{Call}_i = \bigcup_{b \in B_i} \mathrm{Call}(b)$ and $\mathrm{Ret}_i = \bigcup_{b \in B_i} \mathrm{Ret}(b)$ be the sets of call and return ports of component Mi. We define the set of locations Qi of component Mi as the union of the set of nodes, call ports and return ports, i.e. Qi = Ni ∪ Calli ∪ Reti;
– Ai is a finite set of actions; and
– Xi : Qi×Ai → Qi is the transition function with the condition that call ports and exit nodes do not have any outgoing transitions.
For the sake of simplicity, we assume that the sets of boxes B1, . . . , Bk and the sets of nodes N1, N2, . . . , Nk are mutually disjoint. We use the symbols N, B, A, Q, X, etc. to denote the union of the corresponding symbols over all components.
An example of an RSM is shown in Figure 2 (taken from [20]). An execution of an RSM begins at the entry node of some component and, depending upon the sequence of input actions, the state evolves naturally like a labeled transition system. However, when the execution reaches a call port of a box, this box is stored on a stack of pending calls, and the execution continues naturally from the corresponding entry node of the component mapped to that box. When an exit node of a component is encountered, if the stack of pending calls is empty then the run terminates; otherwise, it pops the box from the top of the stack and jumps to the return port of the just popped box corresponding to the just reached exit of the component. We formalize the semantics of an RSM using a discrete LTS, whose states are pairs consisting of a sequence of boxes, called the context, mimicking the stack of pending calls, and the current location. Let M = (M1, M2, . . . , Mk) be an RSM where the component Mi is (Ni, ENi, EXi, Bi, Yi, Ai, Xi). The semantics of M is the discrete labelled transition system [[M]] = (SM, AM, XM) where:
– SM ⊆ B∗×Q is the set of states;
– $A_{\mathcal{M}} = \bigcup_{i=1}^{k} A_i$ is the set of actions;
– XM : SM×AM → SM is the transition function such that for s = (〈κ〉, q) ∈ SM and a ∈ AM, we have that s′ = XM(s, a) if and only if one of the following holds:
1. the location q is a call port, i.e. q = (b, en) ∈ Call, and s′ = (〈κ, b〉, en);
2. the location q is an exit node, i.e. q = ex ∈ EX, and s′ = (〈κ′〉, (b, ex)) where (b, ex) ∈ Ret(b) and κ = (κ′, b);
3. the location q is any other kind of location, and s′ = (〈κ〉, q′) with q′ ∈ X(q, a).
Given M and a subset Q′ ⊆ Q of its locations we define [[Q′]]M as {(〈κ〉, v′) : κ ∈ B∗ and v′ ∈ Q′}. We define the terminal configurations TermM as the set {(〈ε〉, ex) : ex ∈ EX} with the empty context 〈ε〉. Given a recursive state machine M, an initial node v, and a set of final locations F ⊆ Q, the reachability problem on M is defined as the reachability problem on the LTS [[M]] with the initial state (〈ε〉, v) and final states [[F]]M. We define the termination problem as the reachability of one of the exits with the empty context. The reachability and the termination problems for recursive state machines can be solved in polynomial time [2].
A partition (QAch, QTor) of the locations Q of an RSM M (between Achilles and Tortoise) gives rise to a recursive game arena G = (M, QAch, QTor). Given an initial state v and a set of final states F, the reachability game on M is defined as the reachability game on the game arena ([[M]], [[QAch]]M, [[QTor]]M) with the initial state (〈ε〉, v) and the set of final states [[F]]M. Also, the termination game on M is defined as the reachability game on the game arena ([[M]], [[QAch]]M, [[QTor]]M) with the initial state (〈ε〉, v) and the set of final states TermM. It is a well known result (see, e.g. [21,14]) that reachability games and termination games on RSMs are determined and decidable (EXPTIME-complete).
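As an added example (not code from the paper or from [2]), the following solves the reachability and termination problems of an RSM without ever building the infinite-context LTS [[M]]: for every component the (entry, exit) pairs that can be traversed with an empty context are computed as a least fixpoint, and those pairs are then used as summary edges from call ports to return ports. The machine is constructed for this example; its node names u1..u4, v1..v4, w1, w2 and boxes b1, b2, c1, c2, d are hypothetical and do not reproduce the transitions of Fig. 2.

```python
from collections import defaultdict

# Constructed RSM (hypothetical; only the shape is borrowed from Fig. 2).
# Locations are node names or port pairs (box, node); each edge is
# (source, action, target), i.e. one entry of the transition function X_i.
# M1 and M3 call each other, so neither can terminate as written.
RSM = {
    "M1": {"entries": {"u1"}, "exits": {"u4"},
           "boxes": {"b1": "M2", "b2": "M3"},
           "edges": [("u1", "a", ("b1", "v1")), (("b1", "v4"), "a", "u2"),
                     ("u2", "a", ("b2", "w1")), (("b2", "w2"), "a", "u3"),
                     ("u3", "a", "u4")]},
    "M2": {"entries": {"v1"}, "exits": {"v4"},
           "boxes": {"c1": "M2", "c2": "M3"},
           "edges": [("v1", "a", "v2"), ("v2", "a", ("c1", "v1")),
                     (("c1", "v4"), "a", "v4"), ("v2", "b", "v3"),
                     ("v3", "a", "v4"), ("v3", "b", ("c2", "w1")),
                     (("c2", "w2"), "a", "v4")]},
    "M3": {"entries": {"w1"}, "exits": {"w2"},
           "boxes": {"d": "M1"},
           "edges": [("w1", "a", ("d", "u1")), (("d", "u4"), "a", "w2")]},
}

def closure(start, succ):
    """All locations reachable from `start` under the successor relation."""
    seen, todo = {start}, [start]
    while todo:
        for q2 in succ.get(todo.pop(), ()):
            if q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen

def intra_successors(rsm, name, summaries):
    """Successors inside one component: its own edges plus a summary edge
    (b, en) -> (b, ex) for every known summary pair (en, ex) of the callee
    of box b.  A box whose callee has no summary pair never returns."""
    comp, succ = rsm[name], defaultdict(set)
    for q, _action, q2 in comp["edges"]:
        succ[q].add(q2)
    for box, callee in comp["boxes"].items():
        for en, ex in summaries[callee]:
            succ[(box, en)].add((box, ex))
    return succ

def compute_summaries(rsm):
    """Least fixpoint: (en, ex) is a summary of M iff exit ex is reachable
    from entry en inside M, crossing boxes only via already-known summaries.
    This captures the empty-context (terminating) behaviour of each component."""
    summaries = {name: set() for name in rsm}
    changed = True
    while changed:
        changed = False
        for name, comp in rsm.items():
            succ = intra_successors(rsm, name, summaries)
            for en in comp["entries"]:
                for ex in closure(en, succ) & comp["exits"]:
                    if (en, ex) not in summaries[name]:
                        summaries[name].add((en, ex))
                        changed = True
    return summaries

def global_successors(rsm, descend):
    """Union of the per-component relations.  With descend=True a call port
    (b, en) also steps to en itself (the push of rule 1 of [[M]]), so that
    locations reachable only inside a non-empty context are found as well."""
    summaries = compute_summaries(rsm)
    succ = defaultdict(set)
    for name, comp in rsm.items():
        for q, qs in intra_successors(rsm, name, summaries).items():
            succ[q] |= qs
        if descend:
            for box, callee in comp["boxes"].items():
                for en in rsm[callee]["entries"]:
                    succ[(box, en)].add(en)
    return succ

def reachable(rsm, v, final):
    """Reachability problem: is some location of `final` reachable from the
    initial state (<eps>, v) of [[M]] in any context?"""
    return bool(closure(v, global_successors(rsm, descend=True)) & set(final))

def terminates(rsm, v):
    """Termination problem: is an exit reachable from (<eps>, v) with the empty
    context?  Without descent edges a call is only crossed by a summary edge,
    so the closure never leaves v's component (node sets are disjoint)."""
    all_exits = set().union(*(c["exits"] for c in rsm.values()))
    return bool(closure(v, global_successors(rsm, descend=False)) & all_exits)

def with_edge(rsm, name, edge):
    """Copy of `rsm` with one extra transition in component `name`."""
    new = {n: dict(c, edges=list(c["edges"])) for n, c in rsm.items()}
    new[name]["edges"].append(edge)
    return new

if __name__ == "__main__":
    print(compute_summaries(RSM))          # only M2 has a summary pair
    print(reachable(RSM, "u1", {"w1"}))    # True, reached in a deeper context
    print(terminates(RSM, "u1"))           # False: u4 is never reached
    print(terminates(with_edge(RSM, "M3", ("w1", "b", "w2")), "u1"))  # True
```

Adding the single edge w1 → w2 to M3 breaks the mutual non-termination of M1 and M3, which is why the last call reports that u1 now terminates.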
3 Recursive Hybrid Automata
Recursive hybrid automata (RHAs) extend classical hybrid automata (HAs) with recursion in a similar way to how RSMs extend LTSs. We study a simpler subclass of HAs known as singular hybrid automata where all variables grow with constant rates.
3.1 Syntax
Let R be the set of real numbers. Let 𝒳 be a finite set of real-valued variables. A valuation on 𝒳 is a function ν : 𝒳 → R. We assume an arbitrary but fixed ordering on the variables and write xi for the variable with order i. This allows us to treat a valuation ν as a point (ν(x1), ν(x2), . . . , ν(xn)) ∈ R^|𝒳|. Abusing notation slightly, we use a valuation on 𝒳 and a point in R^|𝒳| interchangeably. For a subset of variables X ⊆ 𝒳 and a valuation ν′ ∈ R^|𝒳|, we write ν[X := ν′] for the valuation where ν[X := ν′](x) = ν′(x) if x ∈ X, and ν[X := ν′](x) = ν(x) otherwise. The valuation 0 ∈ R^|𝒳| is a special valuation such that 0(x) = 0 for all x ∈ 𝒳.
We define a constraint over a set 𝒳 as a subset of R^|𝒳|. We say that a constraint is rectangular if it is defined as the conjunction of a finite set of constraints of the form x ⋈ k, where k ∈ Z, x ∈ 𝒳, and ⋈ ∈ {<, ≤, =, >, ≥}. For a constraint G, we write [[G]] for the set of valuations in R^|𝒳| satisfying the constraint G. We write ⊤ (resp., ⊥) for the special constraint that is true (resp., false) in all valuations, i.e. [[⊤]] = R^|𝒳| (resp., [[⊥]] = ∅). We write rect(𝒳) for the set of rectangular constraints over 𝒳 including ⊤ and ⊥.
Definition 1 (Recursive Hybrid Automata). A recursive hybrid automaton H = (𝒳, (H1, H2, . . . , Hk)) is a pair made of a set of variables 𝒳 and a collection of components (H1, H2, . . . , Hk) where every component Hi = (Ni, ENi, EXi, Bi, Yi, Ai, Xi, Pi, Invi, Ei, Ji, Fi) is such that:
– Ni is a finite set of nodes including a distinguished set ENi of entry nodes and a set EXi of exit nodes such that EXi and ENi are disjoint sets;
– Bi is a finite set of boxes;
– Yi : Bi → {1, 2, . . . , k} is a mapping that assigns every box to a component. (Call ports Call(b) and return ports Ret(b) of a box b ∈ Bi, and call ports Calli and return ports Reti of a component Hi are defined as before. We set Qi = Ni ∪ Calli ∪ Reti and refer to this set as the set of locations of Hi.)
– Ai is a finite set of actions.
– Xi : Qi×Ai → Qi is the transition function with the condition that call ports and exit nodes do not have any outgoing transitions.
– Pi : Bi → 2^𝒳 is the pass-by-value mapping that assigns to every box the set of variables that are passed by value to the component mapped to the box. (The rest of the variables are assumed to be passed by reference.)
– Invi : Qi → rect(𝒳) is the invariant condition;
– Ei : Qi×Ai → rect(𝒳) is the action enabledness function;
– Ji : Ai → 2^𝒳 is the variable reset function; and
– Fi : Qi → N^|𝒳| is the flow function characterizing the rate of each variable in each location.
We assume that the sets of boxes, nodes, locations, etc. are mutually disjoint across components and we write N, B, Y, Q, P, X, etc. to denote the corresponding union over all components.
We say that a recursive hybrid automaton is glitch-free if for every box either all variables are passed by value or none is passed by value, i.e. for each b ∈ B we have that either P(b) = 𝒳 or P(b) = ∅. Any general recursive hybrid automaton with one variable is trivially glitch-free. We say that an RHA is hierarchical if there exists an ordering over components such that a component never invokes another component of higher or the same order.
We say that a variable x ∈ 𝒳 is a clock (resp., a stopwatch) if for every location q ∈ Q we have that F(q)(x) = 1 (resp., F(q)(x) ∈ {0, 1}). A recursive timed automaton (RTA) is simply a recursive hybrid automaton where all variables x ∈ 𝒳 are clocks. Similarly, we define a recursive stopwatch automaton (RSA) as a recursive hybrid automaton where all variables x ∈ 𝒳 are stopwatches. Since all of our results pertaining to recursive hybrid automata are shown in the context of recursive stopwatch automata, we often use RHA and RSA interchangeably.
3.2 Semantics
A configuration of an RHA H is a tuple (〈κ〉, q, ν), where κ ∈ (B×R^|𝒳|)∗ is a sequence of pairs of boxes and variable valuations, q ∈ Q is a location and ν ∈ R^|𝒳| is a variable valuation over 𝒳 such that ν ∈ Inv(q). The sequence 〈κ〉 ∈ (B×R^|𝒳|)∗ denotes the stack of pending recursive calls together with the valuation of all the variables at the moment each call was made, and we refer to this sequence as the context of the configuration. Technically, it suffices to store the valuation of the variables passed by value, because the other variables retain their value after returning from a call to a box, but storing all of them simplifies the notation. We denote the empty context by 〈ε〉. For any t ∈ R, we let (〈κ〉, q, ν)+t equal the configuration (〈κ〉, q, ν+F(q)·t). Informally, the behaviour of an RHA is as follows. In configuration (〈κ〉, q, ν) time passes before an available action is triggered, after which a discrete transition occurs. Time passage is available only if the invariant condition Inv(q) is satisfied while time elapses, and an action a can be chosen after time t elapses only if it is enabled after the time elapse, i.e., if ν+F(q)·t ∈ E(q, a). If the action a is chosen then the successor state is (〈κ〉, q′, ν′) where q′ ∈ X(q, a) and ν′ = (ν + t)[J(a) := 0]. Formally, the semantics of an RHA is given by an LTS which has both an uncountably infinite number of states and transitions.
Definition 2 (RHA semantics). Let H = (𝒳, (H1, H2, . . . , Hk)) be an RHA where each component is of the form Hi = (Ni, ENi, EXi, Bi, Yi, Ai, Xi, Pi, Invi, Ei, Ji, Fi). The semantics of H is a labelled transition system [[H]] = (SH, AH, XH) where:
– SH ⊆ (B×R^|𝒳|)∗×Q×R^|𝒳|, the set of states, is such that (〈κ〉, q, ν) ∈ SH if ν ∈ Inv(q).
– AH = R⊕×A is the set of timed actions, where R⊕ is the set of non-negative reals;
– XH : SH×AH → SH is the transition function such that for (〈κ〉, q, ν) ∈ SH and (t, a) ∈ AH, we have (〈κ′〉, q′, ν′) = XH((〈κ〉, q, ν), (t, a)) if and only if the following condition holds:
1. if the location q is a call port, i.e. q = (b, en) ∈ Call, then t = 0, the context 〈κ′〉 = 〈κ, (b, ν)〉, q′ = en, and ν′ = ν.
2. if the location q is an exit node, i.e. q = ex ∈ EX, 〈κ〉 = 〈κ′′, (b, ν′′)〉, and (b, ex) ∈ Ret(b), then t = 0; 〈κ′〉 = 〈κ′′〉; q′ = (b, ex); and ν′ = ν[P(b) := ν′′].
3. if location q is any other kind of location, then 〈κ′〉 = 〈κ〉, q′ ∈ X(q, a), and
(a) ν+F(q)·t′ ∈ Inv(q) for all t′ ∈ [0, t];
(b) ν+F(q)·t ∈ E(q, a);
(c) ν′ = (ν + F(q)·t)[J(a) := 0].
3.3 Reachability and Time-Bounded Reachability Game Problems
For a subset Q′ ⊆ Q of locations of an RHA H we define the set [[Q′]]H as the set {(〈κ〉, q, ν) ∈ SH : q ∈ Q′}. We define the terminal configurations as TermH = {(〈ε〉, q, ν) ∈ SH : q ∈ EX}. Given a recursive hybrid automaton H, an initial node q and valuation ν ∈ R^|𝒳|, and a set of final locations F ⊆ Q, the reachability problem on H is to decide the existence of a run in the LTS [[H]] starting from the initial state (〈ε〉, q, ν) to some state in [[F]]H. As with RSMs, we also define the termination problem as reachability of one of the exits with the empty context. Hence, given an RHA H, an initial node q and a valuation ν ∈ R^|𝒳|, the termination problem on H is to decide the existence of a run in the LTS [[H]] from the initial state (〈ε〉, q, ν) to a final state in TermH.
Given a run r = 〈s0, (t1, a1), s1, (t2, a2), . . . , (tn, an), sn〉 of an RHA, its time duration time(r) is defined as $\mathrm{time}(r) = \sum_{i=1}^{n} t_i$. Given a recursive hybrid automaton H, an initial node q, a bound T ∈ N, a valuation ν ∈ R^|𝒳|, and a set of final locations F ⊆ Q, the time-bounded reachability problem on H is to decide the existence of a run r in the LTS [[H]] starting from the initial state (〈ε〉, q, ν) to some state in [[F]]H such that time(r) ≤ T. The time-bounded termination problem is defined in an analogous manner.
A partition (QAch, QTor) of the locations Q of an RHA H gives rise to a recursive hybrid game arena Γ = (H, QAch, QTor). Given an initial location q, a valuation ν ∈ R^|𝒳| and a set of final states F, the reachability game on Γ is defined as the reachability game on the game arena ([[H]], [[QAch]]H, [[QTor]]H) with the initial state (〈ε〉, q, ν) and the set of final states [[F]]H. Also, the termination game on Γ is defined as the reachability game on the game arena ([[H]], [[QAch]]H, [[QTor]]H) with the initial state (〈ε〉, q, ν) and the set of final states TermH.
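As an added example (not code from the paper), the transition function XH of Definition 2 implemented as an executable successor function, replayed on a constructed run and checked against a time bound T as in the time-bounded reachability problem above. The automaton is constructed here and only loosely modelled on Fig. 1: its components M1 and M2, boxes b1 (x passed by value) and b2 (everything by reference), locations u1, u3, v1, v2 and action names are all hypothetical, and y is made a stopwatch that is paused in v1 so that the constant-rate flow F(q) is exercised too.

```python
from fractions import Fraction as Fr
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">": operator.gt, ">=": operator.ge}

def holds(nu, constraint):
    """Rectangular constraint = conjunction of atoms (var, op, k) with k an
    integer; the empty list is the constraint that is true everywhere (top)."""
    return all(OPS[op](nu[v], k) for v, op, k in constraint)

# Constructed automaton (hypothetical names, inspired by Fig. 1): M1 calls M2
# through box b1 passing x by value and y by reference; M2 calls itself
# through box b2 passing everything by reference.  y has rate 0 in v1.
H = {
    "vars": ("x", "y"),
    "components": {"M1": {"entries": {"u1"}, "exits": {"u3"}},
                   "M2": {"entries": {"v1"}, "exits": {"v2"}}},
    "boxes": {"b1": ("M2", {"x"}), "b2": ("M2", set())},   # b -> (Y(b), P(b))
    "inv": {"v1": [("x", "<=", 1)]},                        # absent => top
    "flow": {"v1": {"x": 1, "y": 0}},                       # absent => rate 1
    "edges": {                  # (source, action) -> (guard, reset set, target)
        ("u1", "call"): ([], set(), ("b1", "v1")),
        (("b1", "v2"), "ret"): ([("x", "=", 1)], set(), "u3"),
        ("v1", "rec"): ([("x", ">=", 1)], {"x"}, ("b2", "v1")),
        ("v1", "done"): ([("x", "<", 1)], {"x"}, "v2"),
        (("b2", "v2"), "up"): ([], set(), "v2"),
    },
}

def is_call_port(h, q):
    return (isinstance(q, tuple)
            and q[1] in h["components"][h["boxes"][q[0]][0]]["entries"])

def is_exit(h, q):
    return any(q in c["exits"] for c in h["components"].values())

def elapse(h, q, nu, t):
    """nu + F(q) * t using the location's constant rates (default 1)."""
    rate = h["flow"].get(q, {})
    return {v: nu[v] + rate.get(v, 1) * t for v in h["vars"]}

def step(h, conf, timed_action):
    """X_H((<kappa>, q, nu), (t, a)) of Definition 2, or None if not enabled."""
    kappa, q, nu = conf
    t, a = timed_action
    if is_call_port(h, q):              # rule 1: push (b, nu), jump to the entry
        return None if t != 0 else (kappa + ((q[0], dict(nu)),), q[1], dict(nu))
    if is_exit(h, q):                   # rule 2: pop, restore pass-by-value vars
        if t != 0 or not kappa:         # empty context: terminal configuration
            return None
        box, saved = kappa[-1]
        by_value = h["boxes"][box][1]
        restored = {v: saved[v] if v in by_value else nu[v] for v in h["vars"]}
        return (kappa[:-1], (box, q), restored)
    edge = h["edges"].get((q, a))       # rule 3: let t elapse, then jump
    if edge is None:
        return None
    guard, reset, q2 = edge
    inv, nu_t = h["inv"].get(q, []), elapse(h, q, nu, t)
    # (a) the invariant must hold for every t' in [0, t]: a rectangular set is
    #     convex and the trajectory is a straight line, so the endpoints suffice;
    # (b) the guard must hold after the elapse; (c) the reset set goes to 0.
    if not (holds(nu, inv) and holds(nu_t, inv) and holds(nu_t, guard)):
        return None
    return (kappa, q2, {v: Fr(0) if v in reset else nu_t[v] for v in h["vars"]})

def run(h, q0, nu0, timed_actions, bound=None):
    """Replay a run from (<eps>, q0, nu0); returns (configurations, time(r)).
    Raises if an action is disabled or if time(r) exceeds the bound T."""
    conf = ((), q0, {v: Fr(nu0[v]) for v in h["vars"]})
    trace, total = [conf], Fr(0)
    for t, a in timed_actions:
        nxt = step(h, conf, (Fr(t), a))
        if nxt is None:
            raise ValueError(f"({t}, {a}) is not enabled at {conf[1]} {conf[2]}")
        total += Fr(t)
        conf = nxt
        trace.append(conf)
    if bound is not None and total > bound:
        raise ValueError(f"time(r) = {total} exceeds the bound T = {bound}")
    return trace, total

# Constructed run; the t = 0 entries are the push/pop steps of rules 1 and 2.
RUN = [(Fr(1, 2), "call"), (0, "push"), (Fr(1, 2), "rec"), (0, "push"),
       (Fr(1, 4), "done"), (0, "pop"), (Fr(3, 4), "up"), (0, "pop"),
       (Fr(1, 2), "ret")]

if __name__ == "__main__":
    trace, total = run(H, "u1", {"x": 0, "y": 0}, RUN, bound=3)
    for kappa, q, nu in trace:
        print(len(kappa), q, nu)
    print("time(r) =", total)   # 5/2; returning from b1 restores x but not y
```

The pop from box b1 restores x to the 1/2 it held at the call while y keeps the 5/4 it accumulated inside M2, and the same run is rejected with the bound T = 2 because time(r) = 5/2.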
We prove the following key theorem about reachability games on various subclasses of recursive hybrid automata in Section 5.
Theorem 1. The reachability game problem is undecidable for:
1. Unrestricted RSA with 2 stopwatches,
2. Glitch-free RSA with 3 stopwatches,
3. Unrestricted RTA with 3 clocks under bounded time, and
4. Glitch-free RSA with 4 stopwatches under bounded time.
Moreover, all of these results hold even under the hierarchical restriction.
On the positive side, we observe that for glitch-free RSA with two stopwatches reachability games are decidable by exploiting the existence of a finite bisimulation for hybrid automata with 2 stopwatches. Details are given in Appendix 7.1.
Theorem 2. Reachability games are decidable for glitch-free RSA with at most two stopwatches.
We also study the above problems for single-player games. These problems are detailed in Section 4.
Theorem 3. The reachability problem is undecidable for
1. Unrestricted RHA with 2 stopwatches,
2. Glitch-free RHA with 3 stopwatches,
3. Unrestricted RTA with 5 clocks under bounded time, and
4. Glitch-free RHA with 14 stopwatches under bounded time.
Moreover, all of these results hold even under the hierarchical restriction.
On the positive side, we observe the following decidability results.
Theorem 4. The reachability and the termination problems are decidable for
1. Glitch-free RHA with at most two stopwatches,
2. Bounded context RHA under bounded time, where variables are always passed by reference.
The result for glitch-free RHA with two stopwatches follows from the decidability of two-stopwatch hybrid automata.
4 Undecidability Results with one player
In this section, we provide a proof sketch of our undecidability results by reducing the halting problem for two-counter machines to the reachability problem in an RHA/RTA. A two-counter machine M is a tuple (L, C) where L = {ℓ0, ℓ1, . . . , ℓn} is the set of instructions, including a distinguished terminal instruction ℓn called HALT, and C = {c1, c2} is the set of two counters. The instructions in L are of the type:
1. (increment c) ℓi : c := c + 1; goto ℓk,
2. (decrement c) ℓi : c := c − 1; goto ℓk,
3. (zero-check c) ℓi : if (c > 0) then goto ℓk else goto ℓm,
where c ∈ C and ℓi, ℓk, ℓm ∈ L. A configuration of a two-counter machine is a tuple (l, c, d) where l ∈ L is an instruction, and c, d ∈ N are the values of counters c1 and c2, respectively. A run of a two-counter machine is a (finite or infinite) sequence of configurations 〈k0, k1, . . .〉 where k0 = (ℓ0, 0, 0) and the relation between subsequent configurations is governed by the transitions between the respective instructions. The halting problem for a two-counter machine asks whether its unique run ends at the terminal instruction ℓn. It is well known ([18]) that the halting problem for two-counter machines is undecidable.
In order to prove the four results of Theorem 3, we construct a recursive (timed/hybrid) automaton whose main components simulate the various instructions. In these constructions the reachability of the exit node of each component corresponding to an instruction is linked to a faithful simulation of the various increment, decrement and zero-check instructions of the machine by choosing appropriate delays to adjust the clocks/variables, to reflect changes in counter values. We specify a main component for each instruction of the two-counter machine. The entry node and exit node of a main component corresponding to an instruction ℓi : c := c + 1; goto ℓk are respectively ℓi and ℓk. Similarly, a main component corresponding to a zero-check instruction ℓi : if (c > 0) then goto ℓk else goto ℓm has a unique entry node ℓi, and two exit nodes corresponding to ℓk and ℓm respectively. We get the complete RHA for the two-counter machine when we connect these main components in the same sequence as the corresponding machine. The halting problem of the two-counter machine now reduces to the reachability (or termination) of an exit (HALT) node ℓn in some component.
For the correctness proofs, we represent runs in the RSA using three different forms of transitions $s \xrightarrow[t]{g,J} s'$, s s′ and $s \xrightarrow[M(V)]{*} s'$, defined in the following way:
1. The transitions of the form $s \xrightarrow[t]{g,J} s'$, where s = (〈κ〉, n, ν), s′ = (〈κ〉, n′, ν′) are configurations of the RHA, g is a constraint or guard on variables that enables the transition, J is a set of variables, and t is a real number, hold if there is a transition in the RHA from vertex n to n′ with guard g and reset set J. Also, ν′ = (ν + r·t)[J := 0], where r is the rate vector of state s.
2. The transitions of the form s s′ where s = (〈κ〉, n, ν), s′ = (〈κ′〉, n′, ν′) correspond to the following cases:
– transitions from a call port to an entry node. That is, n = (b, en) for some box b ∈ B and κ′ = 〈κ, (b, ν)〉 and n′ = en ∈ EN while ν′ = ν.
– transitions from an exit node to a return port, which restore the values of the variables passed by value. That is, 〈κ〉 = 〈κ′′, (b, ν′′)〉, n = ex ∈ EX and n′ = (b, ex) ∈ Ret(b) and κ′ = κ′′, while ν′ = ν[P(b) := ν′′].
3. The transitions of the form $s \xrightarrow[M(V)]{t} s'$, called summary edges, where s = (〈κ〉, n, ν), s′ = (〈κ〉, n′, ν′) are such that n = (b, en) and n′ = (b, ex) are the call and return ports, respectively, of a box b mapped to M which passes the variables in V by value to M. t is the time elapsed between the occurrences of (b, en) and (b, ex). In other words, t is the time elapsed in the component M.
A configuration (〈κ〉, n, ν) is also written as (〈κ〉, n, (ν(x), ν(y))).
4.1 Unrestricted RHA with 2 stopwatches
For all the four undecidability results, we construct a recursive automaton (timed/hybrid) as per the case, whose main components are the modules for the instructions, and the counters are encoded in the variables of the automaton. In these reductions, the reachability of the exit node of each component corresponding to an instruction is linked to a faithful simulation of the various increment, decrement and zero check instructions of the machine by choosing appropriate delays to adjust the clocks/variables to reflect changes in counter values. We specify a main component for each type of instruction of the two counter machine, for example Hinc for increment. The entry node and exit node of a main component Hinc corresponding to an instruction [ℓi : c := c + 1; goto ℓk] are respectively ℓi and ℓk. Similarly, a main component corresponding to a zero check instruction [ℓi: if (c > 0) then goto ℓk else goto ℓm] has a unique entry node ℓi and two exit nodes corresponding to ℓk and ℓm respectively. The various main components corresponding to the various instructions, when connected appropriately, give the higher level component HM, and this completes the RHA H. The entry node of HM is the entry node of the main component for the first instruction of M and the exit node is Halt. Suppose each main component for each type of instruction correctly simulates the instruction by accurately updating the counters encoded in the variables of H. Then the unique run in M corresponds to a unique run in HM. The halting problem of the two counter machine now boils down to the reachability of the exit node Halt in HM.
[Fig. 3 omitted: gadgets DB, CDB, M1, HF, CHF, M2, zero check and Po2, with their guards and resets]
Fig. 3. RHA : 2 stopwatch : Decrement c is DB, increment c is HF and zero check d
Lemma 1. The reachability problem is undecidable for recursive hybrid automata with
at least two stopwatches.
Proof. We prove that the reachability and termination problems are undecidable for 2 stopwatch unrestricted RHA. In order to obtain the undecidability result, we use a reduction from the halting problem for two counter machines. Our reduction uses an RHA with stopwatches x, y.
We specify a main component for each instruction of the two counter machine. On entry into a main component for increment/decrement/zero check, we have $x = \frac{1}{2^c 3^d}$, $y = 0$ or $x = 0$, $y = \frac{1}{2^c 3^d}$, where c, d are the current values of the counters. Given a two counter machine, we build a 2 stopwatch RHA whose building blocks are the main components for the instructions. The purpose of the components is to simulate faithfully the counter machine by choosing appropriate delays to adjust the variables to reflect changes in counter values. On entering the entry node en of a main component corresponding to an instruction ℓi, we have the configuration $(\langle\epsilon\rangle, en, (\frac{1}{2^c 3^d}, 0))$ or $(\langle\epsilon\rangle, en, (0, \frac{1}{2^c 3^d}))$ of the two stopwatch RHA.
We shall now present the components for increment/decrement and zero check in-
structions. In all the components, the ticking variables are written below respective
locations in grey, while the variables passed by value are written below the boxes.
Simulate decrement instruction: Let us consider the decrement instruction ℓi: c = c − 1; goto ℓk. Figure 3 gives the component DB which decrements counter c by doubling $\frac{1}{2^c 3^d}$. Assume that $x = \frac{1}{2^c 3^d}$ and y = 0 on entering DB. Let us denote by $x_{old}$ the value $\frac{1}{2^c 3^d}$. A non-deterministic amount of time t is spent at the entry node en of DB. This makes $x = x_{old}$ and y = t at the call port of B1:CDB. Both x, y are passed by value to CDB.
At the entry node of CDB, the rates of x, y are zero. At some time, the call port of B2:M1 is reached with $x = x_{old}$ and y = t. M1 is called by passing x by value. At the entry node of M1, a time $1 - x_{old}$ is spent, obtaining x = 1, $y = t + 1 - x_{old}$. We return from the exit node of M1 to the return port of B2:M1 with $x = x_{old}$, $y = 1 + t - x_{old}$. The rates of x, y are both zero here. After some time, we are at the call port of B3:M1. Here again, M1 is called by passing x by value. Going through M1 again gives us x = 1, $y = 2 - 2x_{old} + t$. At the return port of B3, we thus have $x = x_{old}$, $y = 2 - 2x_{old} + t$. Again, since the rates of x, y are both zero at the return port of B3, to get to the exit node of CDB, y must be exactly equal to 2. That is, $2x_{old} = t$. In that case, when we get back to the return port of B1:CDB, we have $x = x_{old}$, y = t, with the guarantee that $t = 2x_{old}$. The rates of x, y are both zero here, so we get to the exit node ex of DB resetting x. Thus, when we reach ex, we have x = 0, $y = \frac{1}{2^{c-1} 3^d}$.
Simulate increment instruction: The instruction [ℓi: c = c + 1; goto ℓk] is handled by the component HF in Figure 3. The main component HF, when entered with $x = \frac{1}{2^c 3^d}$, y = 0, will halve the value of x and return x = 0, $y = \frac{1}{2^{c+1} 3^d}$. The working of the component HF can be explained in a similar way as that of DB.
Zero check instruction: The component zerocheck simulating [ℓi : if (d > 0) then goto ℓk else goto ℓm] can be found in Figure 3. Assume we are at en with $x = \frac{1}{2^c 3^d} = x_{old}$ and y = 0. The rates of both x, y are zero, so we reach the call port of B1:Po2 with the same values of x, y. Po2 is called by passing both x, y by value. No time is spent at the entry node en5 of Po2, so with y = 0, we reach the call port of B7:DB. Recall that DB is the component that doubles the value of x and stores it in y; DB is called by passing both x, y by reference; when we return to the return port of B7, we have x = 0, $y = 2x_{old}$. If y = 2, then we go straight to the exit node ex5 of Po2. If y < 2, then we go to the call port of B8:DB′ from the return port of B7. The component DB′ is similar to DB, with the roles of x, y reversed as compared to DB, and entry to DB′ happens with x = 0, $y = 2x_{old}$. At the exit node of DB′, we obtain y = 0, $x = 4x_{old}$. Now, if x = 2, then we go to the exit node ex5 of Po2. If x < 2, then we go to the call port of B7:DB. In this way, we alternate between DB, DB′ until we have multiplied $x_{old}$ by some number k such that $k \cdot x_{old}$ is exactly 2. If we obtain $k \cdot x_{old} = 2$ at the return port of B7, then we have y = 2 and x = 0, while if we obtain $k \cdot x_{old} = 2$ at the return port of B8, then we have x = 2 and y = 0. If this happens, then d = 0. If d > 0, then we will never obtain $k \cdot x_{old}$ as 2. In this case, we go to the exit node ex′5 when x (or y) exceeds 2. If we reach the exit node ex5 of Po2, then we go to the exit node ex of the zerocheck component, and if we reach the exit node ex′5 of Po2, then we go to the exit node ex′ of the zerocheck component.
The following propositions show the correctness of the increment, decrement and zero check components.
Proposition 1. For any context κ, any box b ∈ B, and x ∈ [0, 1], we have that
$$(\langle\kappa\rangle, (b, en), (x, 0)) \xrightarrow[DB]{*} (\langle\kappa\rangle, (b, ex), (0, 2x)).$$
Proof. Component DB uses components CDB and M1. The following is the unique run starting from $(\langle\kappa\rangle, (b, en), (x, 0))$ and terminating in $(\langle\kappa\rangle, (b, ex), (0, 2x))$:
$$(\langle\kappa\rangle, (b, en), (x_0, 0)) \rightsquigarrow (\langle\kappa, b\rangle, en, (x_0, 0)) \xrightarrow[t]{y>0,\,\emptyset} (\langle\kappa, b\rangle, (B_1, en_1), (x_0, t)) \rightsquigarrow (\langle\kappa, b, (B_1, (x_0, t))\rangle, en_1, (x_0, t))$$
$$\xrightarrow[any]{true,\,\emptyset} (\langle\kappa, b, (B_1, (x_0, t))\rangle, (B_2, en_2), (x_0, t)) \rightsquigarrow (\langle\kappa, b, (B_1, (x_0, t)), (B_2, x_0)\rangle, en_2, (x_0, t))$$
$$\xrightarrow[1 - x_0]{x = 1,\,\emptyset} (\langle\kappa, b, (B_1, (x_0, t)), (B_2, x_0)\rangle, ex_2, (1, 1 - x_0 + t)) \rightsquigarrow (\langle\kappa, b, (B_1, (x_0, t))\rangle, (B_2, ex_2), (x_0, 1 - x_0 + t))$$
$$\xrightarrow[any]{true,\,\emptyset} (\langle\kappa, b, (B_1, (x_0, t))\rangle, (B_3, en_2), (x_0, 1 - x_0 + t)) \rightsquigarrow (\langle\kappa, b, (B_1, (x_0, t)), (B_3, x_0)\rangle, en_2, (x_0, 1 - x_0 + t))$$
$$\xrightarrow[1 - x_0]{x = 1,\,\emptyset} (\langle\kappa, b, (B_1, (x_0, t)), (B_3, x_0)\rangle, ex_2, (1, 2 - 2x_0 + t)) \rightsquigarrow (\langle\kappa, b, (B_1, (x_0, t))\rangle, (B_3, ex_2), (x_0, 2 - 2x_0 + t))$$
$$\xrightarrow[any]{y = 2,\,\emptyset} (\langle\kappa, b, (B_1, (x_0, t))\rangle, ex_1, (x_0, 2)) \qquad (2 - 2x_0 + t = 2 \leftrightarrow t = 2x_0)$$
$$\rightsquigarrow (\langle\kappa, b\rangle, (B_1, ex_1), (x_0, 2x_0)) \xrightarrow[any]{true,\,\{x\}} (\langle\kappa, b\rangle, ex, (0, 2x_0)) \rightsquigarrow (\langle\kappa\rangle, (b, ex), (0, 2x_0)).$$
The transitions above follow directly from the description given in the decrement section. ⊓⊔
Proposition 2 proves the correctness of the component HF.
Proposition 2. For any context κ, any box b ∈ B, and x ∈ [0, 1], we have that
$$(\langle\kappa\rangle, (b, en), (x, 0)) \xrightarrow[HF]{*} (\langle\kappa\rangle, (b, ex), (0, \tfrac{x}{2})).$$
Proof. Similar to Proposition 1.
Proposition 3 proves the correctness of the component Po2 that checks if x is a power of 2:
Proposition 3. For any context κ, any box b ∈ B, and x ∈ [0, 1], we have that starting from $(\langle\kappa\rangle, (b, en), (x, 0))$, zerocheck terminates at $(\langle\kappa\rangle, (b, ex), (x, 0))$ iff $x = \frac{1}{2^i}$, i ∈ ℕ. Otherwise, it terminates in $(\langle\kappa\rangle, (b, ex'), (x, 0))$.
Proof. The proof of this follows from the correctness of the component DB shown above. Indeed, if DB doubles the variable, clearly $\frac{1}{2^c 3^d}$ will become 2 eventually after c + 1 invocations of DB iff d = 0. ⊓⊔
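As an added illustration (my code, not the paper's), the following Python replays the DB run of Proposition 1 with the non-deterministic delay t kept symbolic, so that the guard y = 2 at the exit of CDB is solved as a linear equation, and then iterates DB/DB′ the way Po2 does; the count of c + 1 invocations from Proposition 3 is checked on the encoding 1/(2^c 3^d). Function names and the Aff helper are mine.

```python
from fractions import Fraction as F


def encode(c, d):
    """Counter values (c, d) are carried by the stopwatch value x = 1 / (2^c 3^d), y = 0."""
    return F(1, 2 ** c * 3 ** d)


class Aff:
    """An affine expression a + b*t in the unknown delay t spent at the entry node of DB.
    Every value of y along the run through CDB is such an expression, so the guard y = 2
    on the edge to the exit of CDB becomes one linear equation in t."""

    def __init__(self, a, b=0):
        self.a, self.b = F(a), F(b)

    def __add__(self, other):
        return Aff(self.a + other.a, self.b + other.b)


def run_DB(x_old):
    """Replay the unique run of Proposition 1 through DB, CDB and M1.
    Returns ((x, y) at the exit node ex of DB, the delay t that the guards forced)."""
    x_old = F(x_old)
    y = Aff(0, 1)                    # en of DB: only y ticks, for an unknown time t; x stays x_old
    # B1:CDB receives (x, y) by value; all rates inside CDB are zero, so nothing moves there.
    for _ in range(2):               # B2:M1 and B3:M1, each called with x by value
        y = y + Aff(1 - x_old)       # en2 of M1: both tick until x = 1, i.e. for 1 - x_old;
                                     # on return x is restored to x_old, y keeps the growth
    t = (2 - y.a) / y.b              # guard y = 2 on the edge to ex1 of CDB, solved for t
    if t < 0:
        raise ValueError("no delay t satisfies the guard y = 2; the run is stuck")
    # The return port of B1:CDB restores (x, y) = (x_old, t); the edge to ex resets x.
    return (F(0), t), t


def run_Po2(x_old):
    """Replay Po2 (the zero check on d): alternate DB and DB' (roles of x, y swapped)
    until the doubled value is exactly 2 (exit ex5, so d = 0) or exceeds 2 (exit ex5')."""
    x, y, calls = F(x_old), F(0), 0
    while True:
        (x, y), _ = run_DB(x)        # B7:DB with (x, y) by reference: (x, 0) -> (0, 2x)
        calls += 1
        if y == 2:
            return "ex5", calls
        if y > 2:
            return "ex5'", calls
        (y, x), _ = run_DB(y)        # B8:DB': (0, y) -> (2y, 0)
        calls += 1
        if x == 2:
            return "ex5", calls
        if x > 2:
            return "ex5'", calls


def zero_check_d(c, d):
    """Main component zerocheck for counter d: exit ex iff Po2 reaches ex5, else ex'.
    Also returns how many times DB/DB' ran (c + 1 when d = 0, by Proposition 3)."""
    port, calls = run_Po2(encode(c, d))
    return ("ex" if port == "ex5" else "ex'"), calls
```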
Note that the components for incrementing, decrementing and zero check for counter
d can be obtained in a manner similar to DB,HF . The only difference is that we have
to multiply and divide by 3; these gadgets can be obtained straightforwardly by adapting
DB,HF appropriately.
We now show that the two counter machine halts iff a vertex Halt correspond-
ing to the halting instruction is reached in the RHA. Clearly, all the main components
discussed above ensure that all instructions are simulated correctly. Assume the two
counter machine halts. Then clearly, after going through all the main components corre-
sponding to relevant instructions, we reach the component that leads to the Halt vertex.
The DB, HF, zerocheck subcomponents again ensure that simulation is done correctly
to reach the vertex Halt. Conversely, assume that the two counter machine does not halt.
Then there are two possibilities: (1) the RHA proceeds component by component, for-
ever, simulating all instructions faithfully, or (2) the RHA is unable to take a transition,
due to an error in the simulation of instructions. In either case, the vertex Halt is never
reached.
4.2 GlitchFree RHA with 3 stopwatches
Lemma 2. The reachability problem is undecidable for recursive hybrid automata with
at least three stopwatches.
Proof. The proof of this Lemma is a straightforward adaptation of the techniques used in Lemma 4.1. The main difference here is that, at all times, we have to pass all variables either by value or by reference. This necessitates an extra variable. In particular, we always pass all variables only by value. Thus, our result holds for the case of “pass by value” RHAs with 3 stopwatches.
We specify a main component for each instruction of the two counter machine. On entry into a main component for increment/decrement/zero check, we have $x = \frac{1}{2^c 3^d}$, y = z = 0, where c, d are the current values of the counters. Given a two counter machine, we build a 3 stopwatch RHA whose building blocks are the main components for the instructions. The purpose of the components is to simulate faithfully the counter machine by choosing appropriate delays to adjust the variables to reflect changes in counter values. On entering the entry node en of a main component corresponding to an instruction ℓi, we have the configuration $(\langle\epsilon\rangle, en, (\frac{1}{2^c 3^d}, 0, 0))$ of the three stopwatch RHA. We shall now present the components for increment/decrement and zero check instructions. In all the components, the ticking variables are written below respective locations in grey.
[Fig. 4 omitted: gadgets DB, CDB, HF, CHF, Po2 and Po3, with their guards and resets]
Fig. 4. Glitch-free RSA 3 stopwatch : Decrement c, Increment c and Po2, Po3
Simulate decrement instruction: Let us consider the decrement instruction ℓi: c = c − 1; goto ℓk. Figure 5 gives the component DB which decrements counter c by doubling $\frac{1}{2^c 3^d}$. Assume that $x = \frac{1}{2^c 3^d}$ and y = z = 0 on entering DB. Let us denote by $x_{old}$ the value $\frac{1}{2^c 3^d}$. A time $1 - x_{old}$ is spent at the entry node en1 of DB, resulting in x = 0, $y = 1 - x_{old}$, z = 0 at location l. A non-deterministic amount of time t is spent at l. This makes x = t, $y = 1 - x_{old}$, z = 0 at the call port of A1:CDB. All variables x, y, z are passed by value to CDB.
At the entry node en2 of CDB, the rates of y, z are one. A time $x_{old}$ is spent at en2, obtaining y = 0, x = t and $z = x_{old}$ at l1. At l1, a time $1 - x_{old}$ is spent, obtaining $x = 1 + t - x_{old}$, $y = 1 - x_{old}$ and z = 0 at l2. A time $x_{old}$ is spent at l2, obtaining $x = 1 + t - x_{old}$, y = 0, $z = x_{old}$ at l3. A time $1 - x_{old}$ is spent at l3, obtaining z = 1, $x = 2 + t - 2x_{old}$ and $y = 1 - x_{old}$. To move out of l3, x must be 2; that is possible iff $t = 2x_{old}$. In this case, from the return port of A1:CDB (rates are all 0 here), we reach the exit node ex1 of DB resetting y, obtaining $x = t = 2x_{old}$, y = z = 0, thereby successfully decrementing c.
Simulate increment instruction: The instruction ℓi: c = c + 1; goto ℓk is handled by the component HF in Figure 5. A time $1 - x_{old}$ is spent at the entry node en3 of HF, reaching location m with x = 0, $y = 1 - x_{old}$ and z = 0. A non-deterministic time t is spent in m, reaching the entry node en4 of CHF with x = t, $y = 1 - x_{old}$ and z = 0. The exit node ex4 of CHF can be reached iff $t = \frac{x_{old}}{2}$. The working of these components is similar to that of DB, CDB.
Zero check instruction: The component zerocheck simulating ℓi : if (d > 0) then goto ℓk is the same as the zerocheck component in Figure 3, where the subcomponent Po2 is called, passing all variables by value. The subcomponent Po2 called can be found in Figure 5. At the entry node of Po2, no time is spent, and we are at the call port of DB. We have drawn DB here like a box to avoid clutter, but it is actually a transition that goes from en5 on y = 0 to a location called en1. Continue with the transitions drawn inside DB (treat them like normal transitions), and we have the sequence of transitions from en1 to ex1, where CDB is called in between. The edge x < 2 ∧ y = 0 is a transition from ex1 to en1. In the figure, to avoid clutter, we have drawn it from the return port to the call port of DB. This loop from ex1 to en1 is invoked repeatedly, until we obtain x exactly equal to 2. If this happens, then we know that d = 0 in $\frac{1}{2^c 3^d} = x_{old}$. If this does not happen, then at some point of time, we will obtain x as more than 2. In this case, d ≠ 0. In the former case, we go to the exit node ex′ of Po2 from ex1, and in the latter case, we go to the exit node ex of Po2 from ex1. Note that, whenever a box is called, we have always passed all the variables only by value.
The propositions proving correctness of the main and sub components are similar to those of Lemma 4.1. Also, it is clear that the node Halt is reached iff the two counter machine halts. ⊓⊔
4.3 GlitchFree RHA with 2 clocks and 1 stopwatch
Lemma 3. The reachability problem is undecidable for recursive hybrid automata with
at least two clocks and one stopwatch.
Proof. The proof of this Lemma is a straightforward adaptation of the techniques used in Lemma 4.1. The main difference here is that, at all times, we have to pass all variables either by value or by reference. This necessitates an extra variable. In particular, we pass all variables by reference in all except the zero check module. Note that all the calls with pass by reference can be removed by expanding the sub-component (callee) in the main component (caller). Thus, our result holds for the case of “pass by value” RHAs with 2 clocks and 1 stopwatch.
We specify a main component for each instruction of the two counter machine. On entry into a main component for increment/decrement/zero check, we have two clocks $x = \frac{1}{2^c 3^d}$, y = 0 and one stopwatch s = 0, where c, d are the current values of the counters. Given a two counter machine, we build a 3 stopwatch RHA whose building blocks are the main components for the instructions. The purpose of the components is to simulate faithfully the counter machine by choosing appropriate delays to adjust the variables to reflect changes in counter values. On entering the entry node en of a main component corresponding to an instruction ℓi, we have the configuration $(\langle\epsilon\rangle, en, (\frac{1}{2^c 3^d}, 0, 0))$ of the three stopwatch RHA. We shall now present the components for increment/decrement and zero check instructions. In all the components, the ticking variables are written below respective locations in grey.
[Fig. 5 omitted: the Instruction gadget (en1, A1:Get, l, A2:Check, ex1, with guards y = 0 and resets {x}, {y}, {s}), the gadget Decrement i : Get, and the HF, CHF and Po2 gadgets]
Fig. 5. Glitch-free RSA 3 stopwatch : Decrement c, Increment c and Po2, Po3
4.4 Unrestricted RTA over bounded time
Lemma 4. The time bounded reachability problem is undecidable for recursive timed
automata with at least 5 clocks.
Proof. We prove that the problem of reaching a chosen vertex in an RTA within 18 units of total elapsed time is undecidable. In order to get the undecidability result, we use a reduction from the halting problem for two counter machines. Our reduction uses an RTA with at least 5 clocks.
We specify a main component for each instruction of the two counter machine. We
maintain 3 sets of clocks. The first set X = {x} encodes correctly the current value
of counter c; the second set Y = {y} encodes correctly the current value of counter
d; the third set Z = {z1, z2} of 2 clocks helps in zero-check. An extra clock b is
used to enforce urgency in some locations. b is zero at the entry nodes of all the main
components. Let X denote the set of all 5 clocks. The tuple of variables written below
each box denotes variables passed by value.
To be precise, on entry into a main component simulating the (k+1)th instruction, we have the values of z1, z2 as $1 - \frac{1}{2^k}$, the value of x as $1 - \frac{1}{2^{c+k}}$, and the value of y as $1 - \frac{1}{2^{d+k}}$, where c, d are the current values of the counters after simulating the first k instructions. We will denote this by saying that at the beginning of the (k+1)th instruction, we have $\nu(Z) = 1 - \frac{1}{2^k}$, $\nu(x) = 1 - \frac{1}{2^{c+k}}$ and $\nu(y) = 1 - \frac{1}{2^{d+k}}$. If the (k+1)th instruction ℓk+1 is an increment counter c instruction, then after the simulation of ℓk+1, we need $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(x) = 1 - \frac{1}{2^{c+k+2}}$ and $\nu(y) = 1 - \frac{1}{2^{d+k+1}}$. Similarly, if ℓk+1 is a decrement c instruction, then after the simulation of ℓk+1, we need $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(x) = 1 - \frac{1}{2^{c+k}}$ and $\nu(y) = 1 - \frac{1}{2^{d+k+1}}$. Likewise, if ℓk+1 is a zero check instruction, then after the simulation of ℓk+1, we need $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(x) = 1 - \frac{1}{2^{c+k+1}}$ and $\nu(y) = 1 - \frac{1}{2^{d+k+1}}$.
Simulate Increment Instruction: Let us discuss the case of simulating an increment instruction for counter c. Assume that this is the (k+1)th instruction. Figure 6 gives the figure for incrementing counter c. At the entry node en1 of the component Inc c, we have $\nu(x) = 1 - \frac{1}{2^{c+k}}$, $\nu(y) = 1 - \frac{1}{2^{d+k}}$, $\nu(Z) = 1 - \frac{1}{2^k}$, and $\nu(b) = 0$. The component Inc c has three subcomponents sequentially lined up one after the other. Let $\beta = \frac{1}{2^k}$, $\beta_c = \frac{1}{2^{c+k}}$, and $\beta_d = \frac{1}{2^{d+k}}$.
1. The first subcomponent is $Up^y_2$. If $Up^y_2$ is entered with $\nu(y) = 1 - \beta_d$, then on exit we have $\nu(y) = 1 - \frac{\beta_d}{2}$. The values of X, Z are unchanged. Also, the total time elapsed in $Up^y_2$ is $\le \frac{5\beta}{2}$.
2. The next subcomponent is $Up^x_4$. If $Up^x_4$ is entered with $\nu(x) = 1 - \beta_c$, then on exit we have $\nu(x) = 1 - \frac{\beta_c}{4}$. The values of Z, Y are unchanged. Also, the total time elapsed in $Up^x_4$ is $\le \frac{11\beta}{4}$.
3. The next subcomponent, $Up^Z_2$, updates the value of Z. If $Up^Z_2$ is entered with $\nu(Z) = 1 - \beta$, then on exit we have $\nu(Z) = 1 - \frac{\beta}{2}$. The values of X, Y are unchanged. Also, the total time elapsed in $Up^Z_2$ is $\le \frac{5\beta}{2}$.
4. Thus, at the end of Inc c, we obtain $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(x) = 1 - \frac{1}{2^{c+k+2}}$, $\nu(y) = 1 - \frac{1}{2^{d+k+1}}$. Also, the total time elapsed in Inc c is $\le [\frac{5}{2} + \frac{11}{4} + \frac{5}{2}]\beta < 8\beta$.
On calling $Up^a_n$, for a ∈ {x, y}, the clock a is passed by reference; likewise, on calling $Up^Z_n$, the clocks in Z are passed by reference. Here, n ∈ {2, 4}. Next, we describe the structure of the components $Up^a_n$ for a ∈ {x, y}. At the entry node en2 of $Up^a_n$, we have the invariant b = 0. Thus, no time elapses in the entry node en1 of Inc c either. $Up^a_n$ is made up of the subcomponents D, $C^{a=z_2}$, D and $Chk^a_n$ lined up sequentially. Let us discuss the details of $Up^y_2$; the others have similar functionality.
1. On entry into the first subcomponent F4:D, we have $\nu(Z) = 1 - \beta$, $\nu(b) = 0$, $\nu(x) = 1 - \beta_c$, $\nu(y) = 1 - \beta_d$. D is called, and clock z2 is passed by reference and the rest by value. A non-deterministic amount of time t1 elapses at the entry node en3 of D. Back at the return port of F4:D, clock z2 has increased by t1.
2. We are then at the entry node of the subcomponent F5:$C^{y=z_2}$ with values $\nu(z_2) = 1 - \beta + t_1$, $\nu(z_1) = 1 - \beta$, $\nu(x) = 1 - \beta_c$, $\nu(y) = 1 - \beta_d$ and $\nu(b) = 0$. $C^{y=z_2}$ is called by passing all clocks by value. The subcomponent $C^{y=z_2}$ ensures that $t_1 = \beta - \beta_d$.
3. To ensure $t_1 = \beta - \beta_d$, at the entry node en4 of $C^{y=z_2}$, a time $\beta_d$ elapses. This makes y = 1. If z2 must be 1, then we need $1 - \beta + t_1 + \beta_d = 1$, i.e. the time $t_1$ elapsed is $\beta - \beta_d$. That is, $C^{y=z_2}$ ensures that z2 has grown to be equal to y by calling F4:D. Back at the return port of F5:$C^{y=z_2}$, we next enter the call port of F6:D with $\nu(z_2) = \nu(y) = 1 - \beta_d$ and $\nu(z_1) = 1 - \beta$. D is called by passing y by reference, and all others by value. A non-deterministic amount of time t2 elapses in D. At the return port of F6:D, we get $\nu(z_1) = 1 - \beta$, $\nu(z_2) = 1 - \beta_d$, and $\nu(y) = 1 - \beta_d + t_2$.
4. At the call port of F7:$Chk^y_2$, we have the same values, since b = 0 has to be satisfied at the exit node ex7 of $Chk^y_2$. That is, at the call port of F7:$Chk^y_2$, we have $\nu(z_1) = 1 - \beta$, $\nu(z_2) = 1 - \beta_d$, and $\nu(y) = 1 - \beta_d + t_2$. F7 calls $Chk^y_2$ and passes all clocks by value. $Chk^y_2$ checks that $t_2 = \frac{\beta_d}{2}$.
5. At the entry port en7 of $Chk^y_2$, no time elapses. $Chk^y_2$ sequentially calls M twice, each time passing z2 by reference and all others by value. In the first invocation of M, we want y to reach 1; thus a time $\beta_d - t_2$ is spent at en6. This makes $z_2 = 1 - \beta_d + \beta_d - t_2 = 1 - t_2$. After the second invocation, we obtain $z_2 = 1 + \beta_d - 2t_2$ at the return port of F9:M. No time can elapse at the return port of F9:M; for z2 to be 1, we need $t_2 = \frac{\beta_d}{2}$.
6. No time elapses at the return port of F7:$Chk^y_2$, and we are at the exit node ex2 of $Up^y_2$.
7. Thus, at the exit node of $Up^y_2$, we have $\nu(z_1) = 1 - \beta$, $\nu(z_2) = 1 - \beta_d$ and $\nu(y) = 1 - \beta_d + t_2 = 1 - \frac{\beta_d}{2}$.
8. The time elapsed in $Up^y_2$ is the sum of $t_1$, $t_2$ and the times elapsed in $C^{y=z_2}$ and $Chk^y_2$. That is, $(\beta - \beta_d) + \frac{\beta_d}{2} + \beta_d + 2(\beta_d - t_2) = \beta + \frac{3\beta_d}{2} \le \frac{5\beta}{2}$ since $\beta_d \le \beta$.
[Fig. 6 omitted: gadgets Inc c (en1 [b=0], F1:$Up^y_2$, F2:$Up^x_4$, F3:$Up^Z_2$, ex1 [b=0]), D (en3, ex3), $C^{a=z_2}$ (en4, ex4, guards a = 1 and z2 = 1), $Up^a_n$ (en2 [b=0], F4:D, F5:$C^{a=z_2}$, F6:D, F7:$Chk^a_n$, ex2 [b=0]), $Chk^a_2$ (en7 [b=0], F8:M, F9:M, ex7 [b=0], guard z2 = 1), M (en6, ex6, guard a = 1) and $Up^Z_2$ (en5 [b=0], F10:D, F11:$Chk^{z_1}_2$, F12:D, F13:$C^{z_1=z_2}$, ex5 [b=0])]
Fig. 6. TB Term in RTA: Increment c. Note that $\overline{S} = \mathcal{X} - S$ and a ∈ {x, y}. $C^{z_1=z_2}$ is obtained by instantiating a = z1 in $C^{a=z_2}$. The component $Chk^a_4$ is similar to $Chk^a_2$. It has 4 calls to M inside it, each time passing only z2 by reference. The Zero Check component follows the same pattern as Inc c, calling $Up^a_2$ for all a ∈ {x, y}, followed by $Up^Z_2$, and then calls ZC passing all variables by value. ZC checks if z1 = x (with guard z1 = 1 ∧ x = 1) to check if counter c is 0, and z1 = y to check if d is 0.
At the return port of F1:$Up^y_2$, we thus have $\nu(Z) = 1 - \beta$ ($\nu(z_2)$ is restored to $1 - \beta$ as it was passed by value to $Up^y_2$), $\nu(x) = 1 - \beta_c$, and $\nu(y) = 1 - \frac{\beta_d}{2}$. No time elapses here, and we are at the call port of F2:$Up^x_4$. The component $Chk^x_4$ is similar to $Chk^y_2$. It has 4 calls to M inside it, each passing z2 by reference to M and x by value. An analysis similar to the above gives that the total time elapsed in $Up^x_4$ is $\le \frac{11\beta}{4}$, and at the return port of F2:$Up^x_4$ we get $\nu(x) = 1 - \frac{\beta_c}{4}$, $\nu(y) = 1 - \frac{\beta_d}{2}$ and $\nu(Z) = 1 - \beta$. This is followed by entering F3:$Up^Z_2$ with these values. At the return port of F3:$Up^Z_2$, we obtain $\nu(x) = 1 - \frac{\beta_c}{4}$, $\nu(y) = 1 - \frac{\beta_d}{2}$ and $\nu(Z) = 1 - \frac{\beta}{2}$, with the total time elapsed in $Up^Z_2$ being $\le \frac{5\beta}{2}$.
From the explanations above, the following propositions can be proved; the same arguments given above apply.
Proposition 4. For any box B and context ⟨κ⟩, and $\nu(Z) = 1 - \beta$, we have that
$$(\langle\kappa\rangle, (B, en), (\nu(x), \nu(y), 1 - \beta, \nu(b))) \xrightarrow[Up^Z_2]{*} (\langle\kappa\rangle, (B, ex), (\nu(x), \nu(y), 1 - \tfrac{\beta}{2}, \nu(b))).$$
Proposition 5. For any box B and context ⟨κ⟩, and $\nu(x) = 1 - \beta_c$, we have that
$$(\langle\kappa\rangle, (B, en), (1 - \beta_c, \nu(y), \nu(Z), \nu(b))) \xrightarrow[Up^x_4]{*} (\langle\kappa\rangle, (B, ex), (1 - \tfrac{\beta_c}{4}, \nu(y), \nu(Z), \nu(b))).$$
Proposition 6. For any box B and context ⟨κ⟩, and $\nu(y) = 1 - \beta_d$, we have that
$$(\langle\kappa\rangle, (B, en), (\nu(x), 1 - \beta_d, \nu(Z), \nu(b))) \xrightarrow[Up^y_2]{*} (\langle\kappa\rangle, (B, ex), (\nu(x), 1 - \tfrac{\beta_d}{2}, \nu(Z), \nu(b))).$$
Simulate Decrement Instruction: Assume that the (k+1)st instruction decrements counter c. Then we construct the main component Dec c similar to the component Inc c above. The main change is the following:
– The main component Dec c has the subcomponents $Up^y_2$ and $Up^Z_2$ lined up sequentially. There is no need for any $Up^x_n$ subcomponent here, since the value of x stays unchanged on decrementing c. Also, the subcomponents $Up^y_2$ and $Up^Z_2$ do not alter the value of x; the functionality of $Up^Z_2$ and $Up^y_2$ is the same as in Inc c. The total time spent in Dec c is also less than 8β.
Zero Check Instruction: The main component for Zero Check follows the same pattern as Inc c. The main change is the following:
– The main component ZeroCheck has the subcomponents $Up^y_2$, $Up^x_2$ and $Up^Z_2$ lined up sequentially. The functionality of $Up^Z_2$, $Up^x_2$ and $Up^y_2$ is the same as in Inc c. After these three, we invoke a subcomponent ZC. ZC is called by passing all clocks by value. At the entry node en of ZC, we have two transitions, one on z1 = 1 ∧ x = 1 leading to an exit node ex, and another on z1 = 1 ∧ x ≠ 1 leading to ex′. Recall that $z_1 = 1 - \frac{1}{2^{k+1}}$. Thus, for z1 to reach 1, a time elapse of $\frac{\beta}{2} = \frac{1}{2^{k+1}}$ is needed. If this also makes x = 1, then we know that x on entry was $1 - \frac{1}{2^{c+k+1}} = 1 - \frac{1}{2^{k+1}}$, implying that c = 0. Likewise, if z1 attains 1 but x does not, then c ≠ 0. Since all clocks are passed by value, at the return port of ZC within the main component ZeroCheck, we regain the clock values obtained after going through $Up^Z_2$, $Up^x_2$ and $Up^y_2$: that is, $\nu(Z) = 1 - \frac{\beta}{2}$, $\nu(x) = 1 - \frac{\beta_c}{2}$ and $\nu(y) = 1 - \frac{\beta_d}{2}$. The time elapsed in ZC is $\frac{\beta}{2}$. The times elapsed in $Up^Z_2$, $Up^x_2$ and $Up^y_2$ are the same as calculated in the case of Increment c. Thus, the total time elapsed here is < 8β + β = 9β.
We conclude by calculating the total time elapsed during the entire simulation. We have established so far that for the (k+1)th instruction, the time elapsed is no more than 9β, for $\beta = \frac{1}{2^k}$. For the first instruction, the time elapsed is at most 9, for the second instruction it is $\frac{9}{2}$, for the third it is $\frac{9}{2^2}$ and so on.
$$\text{Total time duration} = 9\left(1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \frac{1}{16} + \cdots\right) = 9(1 + (<1)) < 18 \qquad (1)$$
Note that the components for incrementing, decrementing and zero check of counter
d can be obtained in a manner similar to the above.
The proof that we reach the vertex Halt of the RTA iff the two counter machine
halts follows: Clearly, the exit node of each main component is reached iff the corre-
sponding instruction is simulated correctly. Thus, if the counter machine halts, we will
indeed reach the exit node of the main component corresponding to the last instruction.
However, if the machine does not halt, then we keep going between the various main
components simulating each instruction, and never reach Halt. ⊓⊔
4.5 Glitchfree RHA with 14 stopwatches
Lemma 5. The time bounded reachability problem is undecidable for recursive hybrid
automata with at least 14 stopwatches.
Proof. We prove that the problem of reaching a chosen vertex in an RHA within 18 units of total elapsed time is undecidable. In order to get the undecidability result, we use a reduction from the halting problem for two counter machines. Our reduction uses an RHA with at least 14 stopwatches.
We specify a main component for each instruction of the two counter machine. We maintain 3 sets of stopwatches. The first set $X = \{x_1, \ldots, x_5\}$ encodes the current value of counter $c$; the second set $Y = \{y_1, \ldots, y_5\}$ encodes the current value of counter $d$; and the third set $Z = \{z_1, z_2, z_3\}$ encodes the end of the $k$th instruction. An extra stopwatch $b$ is used to enforce urgency in some locations. $b$ is zero at the entry nodes of all the main components. Let $\mathcal{X}$ denote the set of all 14 stopwatches.
To be precise, on entry into a main component simulating the $(k+1)$th instruction, we have the values of $z_1, z_2, z_3$ as $1 - \frac{1}{2^k}$, the values of $x_1, \ldots, x_5$ as $1 - \frac{1}{2^{c+k}}$, and the values of $y_1, \ldots, y_5$ as $1 - \frac{1}{2^{d+k}}$, where $c, d$ are the current values of the counters after simulating the first $k$ instructions. We will denote this by saying that at the beginning of the $(k+1)$th instruction, we have $\nu(Z) = 1 - \frac{1}{2^k}$, $\nu(X) = 1 - \frac{1}{2^{c+k}}$ and $\nu(Y) = 1 - \frac{1}{2^{d+k}}$. If the $(k+1)$th instruction $\ell_{k+1}$ is an increment counter $c$ instruction, then after the simulation of $\ell_{k+1}$, we need $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(X) = 1 - \frac{1}{2^{c+k+2}}$ and $\nu(Y) = 1 - \frac{1}{2^{d+k+1}}$. Similarly, if $\ell_{k+1}$ is a decrement $c$ instruction, then after the simulation of $\ell_{k+1}$, we need $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(X) = 1 - \frac{1}{2^{c+k}}$ and $\nu(Y) = 1 - \frac{1}{2^{d+k+1}}$. Likewise, if $\ell_{k+1}$ is a zero check instruction, then after the simulation of $\ell_{k+1}$, we need $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(X) = 1 - \frac{1}{2^{c+k+1}}$ and $\nu(Y) = 1 - \frac{1}{2^{d+k+1}}$.
Simulate Increment Instruction: Let us discuss the case of simulating an increment instruction for counter $c$. Assume that this is the $(k+1)$th instruction. Figure 7 gives the component for incrementing counter $c$. At the entry node $en_1$ of the component Inc c, we have $\nu(X) = 1 - \frac{1}{2^{c+k}}$, $\nu(Y) = 1 - \frac{1}{2^{d+k}}$, $\nu(Z) = 1 - \frac{1}{2^k}$, and $\nu(b) = 0$.
The component Inc c has three subcomponents sequentially lined up one after the other. Let $\beta = \frac{1}{2^k}$, $\beta_c = \frac{1}{2^{c+k}}$, and $\beta_d = \frac{1}{2^{d+k}}$.
1. The first subcomponent $Up^Z_2$ (component $Up^A_n$ in Figure 7 with $A$ as $Z$ and $n = 2$) updates the value of $Z$. If $Up^Z_2$ is entered with $\nu(Z) = 1 - \beta$, then on exit, we have $\nu(Z) = 1 - \frac{\beta}{2}$. The values of $X, Y$ are unchanged as their rate of growth is 0 throughout the component $Up^Z_2$ and they are always passed by value to the subcomponents. Also, the total time elapsed in $Up^Z_2$ is $\leq \frac{5\beta}{2}$.
[Figure 7 (diagram): components Inc c (nodes $en_1$, $ex_1$ with invariant $b = 0$; boxes $F1: Up^Z_2$, $F2: Up^X_4$, $F3: Up^Y_2$), $Chk^=$ ($en_4$, $ex_4$, guards $a_1 = 1$, $a_2 = 1$), $Up^A_n$ for $A \in \{X, Y, Z\}$, $n \in \{2, 4\}$ ($en_2$, $m_1$, $F5: Chk^A_n$, $m_2$, $F7: Chk^=$, $ex_2$), $Chk^A_2$ ($en_7$, $n_1$, $n_2$, $ex_7$, guards $a_3 = 1$, $a_1 = a_2 = 1$) and ZC: c = 0? ($en_5$, exits $ex_5$ on $z_1 = 1 \wedge x_1 = 1$ and $ex'_5$ on $z_1 = 1 \wedge x_1 \neq 1$).]
Fig. 7. Time bounded reachability in 14 stopwatch RSA: Increment c. Note that the variables which tick in a location are indicated below it. $b$ ticks everywhere except in locations where it is specified as $\neg b$. Also $\overline{S}$ denotes the stopwatches $\mathcal{X} - S$.
2. The next subcomponent is $Up^X_4$. If $Up^X_4$ is entered with $\nu(X) = 1 - \beta_c$, then on exit, we have $\nu(X) = 1 - \frac{\beta_c}{4}$. The values of $Z, Y$ are unchanged. Also, the total time elapsed in $Up^X_4$ is $\leq \frac{11\beta}{4}$.
3. The next subcomponent is $Up^Y_2$. If $Up^Y_2$ is entered with $\nu(Y) = 1 - \beta_d$, then on exit, we have $\nu(Y) = 1 - \frac{\beta_d}{2}$. The values of $X, Z$ are unchanged. Also, the total time elapsed in $Up^Y_2$ is $\leq \frac{5\beta}{2}$.
4. Thus, at the end of Inc c, we obtain $\nu(Z) = 1 - \frac{1}{2^{k+1}}$, $\nu(X) = 1 - \frac{1}{2^{c+k+2}}$, $\nu(Y) = 1 - \frac{1}{2^{d+k+1}}$. Also, the total time elapsed in Inc c is $\leq \left[\frac{5}{2} + \frac{11}{4} + \frac{5}{2}\right]\beta < 8\beta$.
To avoid clutter, we have drawn $Up^Z_2$ like a box inside Inc c; actually, think of it as the sequence of transitions from $en_2$ to $ex_2$, with 2 boxes called in between. The same holds for the “boxes” $Up^X_4$ and $Up^Y_2$.
Next, we describe the structure of the components $Up^A_n$. At the entry node $en_2$ of $Up^A_n$, we have the invariant $b = 0$. Thus, no time is elapsed in the entry node $en_1$ of Inc c either. $Up^A_n$ is made up of the subcomponents $Chk^A_n$ and $Chk^=$. Let us discuss the details of $Up^Z_2$; the others have similar functionality.
1. On entry into the location $m_1$, we have $\nu(Z) = 1 - \beta$, $\nu(b) = 0$, $\nu(X) = 1 - \beta_c$, $\nu(Y) = 1 - \beta_d$. In $m_1$ only the stopwatches $z_1, z_3$ grow. A non-deterministic amount of time $t_1$ elapses here. Thus when leaving $m_1$, the stopwatches $z_1, z_3$ have increased by $t_1$.
2. We are then at the entry node of the subcomponent $F5: Chk^Z_2$ with values $\nu(z_2) = 1 - \beta$, $\nu(z_i) = 1 - \beta + t_1$ for $i = 1, 3$, $\nu(X) = 1 - \beta_c$, $\nu(Y) = 1 - \beta_d$ and $\nu(b) = 0$. $Chk^Z_2$ is called by passing all stopwatches by value. The subcomponent $Chk^Z_2$ ensures that $t_1 = \frac{\beta}{2}$.
3. To ensure $t_1 = \frac{\beta}{2}$, at the entry node $en_7$ of $Chk^Z_2$, no time can elapse. If $t_2$ and $t_3$ are the times elapsed in $n_1$ and $n_2$ then, upon reaching the exit node $ex_7$, we have $z_1 = 1 - \beta + t_1 + t_2$, $z_2 = 1 - \beta + t_2 + t_3$ and $z_3 = 1 - \beta + t_1 + t_3$. Additionally, $z_1 = z_2 = z_3 = 1$ implies $t_1 + t_2 = \beta = t_2 + t_3 = t_1 + t_3$. Thus, we get $t_1 = t_2 = t_3 = \frac{\beta}{2}$. Thus, the total time spent in $Chk^Z_2$ is $t_2 + t_3 = \beta$.
4. At the return port of $F5: Chk^Z_2$, we restore all values to what they were at the call port of $F5: Chk^Z_2$. That is, $\nu(z_2) = 1 - \beta$, and $\nu(z_i) = 1 - \beta + t_1$ for $i = 1, 3$, with the guarantee that $t_1 = \frac{\beta}{2}$. A time $t_4$ is elapsed in location $m_2$, affecting only $z_2$, which becomes $z_2 = 1 - \beta + t_4$.
5. Finally, we call the subcomponent $Chk^=$ with $z_1 = 1 - \frac{\beta}{2}$ and $z_2 = 1 - \beta + t_4$. All stopwatches are passed by value. $Chk^=$ ensures that $z_1 = z_2$; that is, $t_4 = \frac{\beta}{2}$. A time $t_5 = \frac{\beta}{2}$ is spent at the entry node $en_4$ of $Chk^=$ to ensure this. Thus, at the return port of $F7: Chk^=$, we have $z_1 = z_2 = z_3 = 1 - \frac{\beta}{2}$, and the rest of the stopwatches unchanged. No time can elapse at the exit node $ex_2$ of $Up^Z_2$. Thus, at the return port of $F1: Up^Z_2$, we get $\nu(Z) = 1 - \frac{1}{2^{k+1}}$.
6. The total time elapsed in $F1: Up^Z_2$ is $t_1 + t_2 + t_3 + t_4 + t_5 = \frac{\beta}{2} + \beta + \frac{\beta}{2} + \frac{\beta}{2} = \frac{5\beta}{2}$.
At the return port of $F1: Up^Z_2$, we thus have $\nu(Z) = 1 - \frac{\beta}{2}$, $\nu(X) = 1 - \beta_c$, and $\nu(Y) = 1 - \beta_d$. No time elapses here, and we are at the call port of $F2: Up^X_4$. The component $Chk^X_4$ is similar to $Chk^Z_2$. It has 4 locations $h_1, h_3, h_4, h_5$ inside it; each $h_i$ has the stopwatches $x_2$ and $x_i$ ticking. An analysis similar to the above gives that the total time elapsed in $Up^X_4$ is $\frac{11\beta}{4}$, and at the return port of $F2: Up^X_4$, we get $\nu(X) = 1 - \frac{\beta_c}{4}$, $\nu(Y) = 1 - \beta_d$ and $\nu(Z) = 1 - \frac{\beta}{2}$. This is followed by entering $F3: Up^Y_2$ with these values. At the return port of $F3: Up^Y_2$, we obtain $\nu(X) = 1 - \frac{\beta_c}{4}$, $\nu(Y) = 1 - \frac{\beta_d}{2}$ and $\nu(Z) = 1 - \frac{\beta}{2}$, with the total time elapsed in $Up^Y_2$ being $\frac{5\beta_d}{4}$.
From the explanations above, the following propositions can be proved; the same arguments given above apply.
Proposition 7. For any box $B$ and context $\langle\kappa\rangle$, and $\nu(Z) = 1 - \beta$, we have that
$$(\langle\kappa\rangle, (B, en), (\nu(X), \nu(Y), 1 - \beta, \nu(b))) \xrightarrow[Up^Z_2]{*} (\langle\kappa\rangle, (B, ex), (\nu(X), \nu(Y), 1 - \tfrac{\beta}{2}, \nu(b))).$$
Proposition 8. For any box $B$ and context $\langle\kappa\rangle$, and $\nu(X) = 1 - \beta_c$, we have that
$$(\langle\kappa\rangle, (B, en), (1 - \beta_c, \nu(Y), \nu(Z), \nu(b))) \xrightarrow[Up^X_4]{*} (\langle\kappa\rangle, (B, ex), (1 - \tfrac{\beta_c}{4}, \nu(Y), \nu(Z), \nu(b))).$$
Proposition 9. For any box $B$ and context $\langle\kappa\rangle$, and $\nu(Y) = 1 - \beta_d$, we have that
$$(\langle\kappa\rangle, (B, en), (\nu(X), 1 - \beta_d, \nu(Z), \nu(b))) \xrightarrow[Up^Y_2]{*} (\langle\kappa\rangle, (B, ex), (\nu(X), 1 - \tfrac{\beta_d}{2}, \nu(Z), \nu(b))).$$
Simulate Decrement Instruction: Assume that the $(k+1)$st instruction is decrementing counter $c$. Then we construct the main component Dec c similar to the component Inc c above. The main change is the following:
– The main component Dec c will have the subcomponents $Up^Z_2$ and $Up^Y_2$ lined up sequentially. The functionality of $Up^Z_2$ and $Up^Y_2$ is the same as in Inc c. The total time spent in Dec c is also less than $8\beta$.
Zero Check Instruction: The main component for Zero Check follows the same pattern as Inc c. The main change is the following:
– The main component ZeroCheck will have the subcomponents $Up^Z_2$, $Up^X_2$ and $Up^Y_2$ lined up sequentially. The functionality of $Up^Z_2$, $Up^X_2$ and $Up^Y_2$ is the same as in Inc c. After these three, we invoke the subcomponent ZC: c = 0? shown in Figure 7. ZC: c = 0? is called by passing all stopwatches by value. At the entry node $en_5$ of ZC, $z_1$ and $x_1$ are ticking. At $en_5$, if a time elapse of $\frac{\beta}{2} = \frac{1}{2^{k+1}}$ makes $z_1 = x_1 = 1$, then we know that $x_1$ on entry was $1 - \frac{1}{2^{c+k+1}} = 1 - \frac{1}{2^{k+1}}$, implying that $c = 0$. Likewise, if $z_1$ attains 1 but $x_1$ does not, then $c \neq 0$. Since all stopwatches are passed by value, at the return port of ZC within the main component ZeroCheck, we regain the stopwatch values obtained after going through $Up^Z_2$, $Up^X_2$ and $Up^Y_2$: that is, $\nu(Z) = 1 - \frac{\beta}{2}$, $\nu(X) = 1 - \frac{\beta_c}{2}$ and $\nu(Y) = 1 - \frac{\beta_d}{2}$. The time elapsed in ZC is $\frac{\beta}{2}$. The times elapsed in $Up^Z_2$, $Up^X_2$ and $Up^Y_2$ are the same as calculated in the case of Increment c. Thus, the total time elapsed here is $< 8\beta + \beta = 9\beta$.
We conclude by calculating the total time elapsed during the entire simulation. We have established so far that for the $(k+1)$th instruction, the time elapsed is no more than $9\beta$, for $\beta = \frac{1}{2^k}$. For the first instruction, the time elapsed is at most 9, for the second instruction it is $\frac{9}{2}$, for the third it is $\frac{9}{2^2}$ and so on.
$$\text{Total time duration} = 9\left(1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \frac{1}{16} + \cdots\right) = 9(1 + (<1)) < 18 \text{ t.u.} \qquad (2)$$
The proof that we reach the vertex Halt of the RHA iff the two counter machine halts follows: Clearly, the exit node of each main component is reached iff the corresponding instruction is simulated correctly. Thus, if the counter machine halts, we will indeed reach the exit node of the main component corresponding to the last instruction. However, if the machine does not halt, then we keep going between the various main components simulating each instruction, and never reach Halt.
⊓⊔
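To make the stopwatch arithmetic of this proof concrete, here is an added Python model (not the paper's own code, and not part of the original page) of the encoding used in Lemma 5: the counters and the instruction count live in the gaps $1 - \nu(Z)$, $1 - \nu(X)$ and $1 - \nu(Y)$, each $Up^A_n$ divides one gap by $n$, and the ZC subcomponent decides $c = 0$ by letting $\frac{\beta}{2}$ elapse. The per-subcomponent time bounds are the ones stated in the proof ($\frac{5\beta}{2}$ for $n = 2$, $\frac{11\beta}{4}$ for $n = 4$, $\frac{\beta}{2}$ for ZC). The instruction tuple format, the helper names and the small program run at the end are constructed for this example; the same arithmetic applies to the clock version of the previous section.

```python
from fractions import Fraction as F

# Added illustration of the Lemma 5 encoding (not the paper's code).  A valuation
# is a dict of the three stopwatch sets; every stopwatch in a set has the same value.
UP_TIME = {2: F(5, 2), 4: F(11, 4)}   # time bound of Up^A_n as a multiple of beta (from the proof)
COUNTER_SET = {"c": "X", "d": "Y"}    # counter c lives in the X stopwatches, d in Y


def encode(k, c, d):
    """Values at the entry node of the (k+1)th main component."""
    return {"Z": 1 - F(1, 2**k), "X": 1 - F(1, 2**(c + k)), "Y": 1 - F(1, 2**(d + k))}


def _exponent(value):
    """For value = 1 - 1/2^e return e (raises if value is not of that form)."""
    gap = 1 - value
    den = gap.denominator
    assert gap.numerator == 1 and den & (den - 1) == 0, "not a valid encoding"
    return den.bit_length() - 1


def decode(nu):
    """Inverse of encode: recover (k, c, d) from a valuation."""
    k = _exponent(nu["Z"])
    return k, _exponent(nu["X"]) - k, _exponent(nu["Y"]) - k


def subcomponents(op, ctr):
    """Which Up^A_n boxes a main component chains, in order (as described in the proof)."""
    other = "Y" if ctr == "X" else "X"
    if op == "inc":
        return [("Z", 2), (ctr, 4), (other, 2)]   # Inc: gap of ctr quartered
    if op == "dec":
        return [("Z", 2), (other, 2)]             # Dec: gap of ctr left alone
    return [("Z", 2), ("X", 2), ("Y", 2)]         # zero check: all halved, then ZC


def step(nu, instr):
    """Simulate one main component.  Returns (new valuation, time bound, zero-test result)."""
    op, ctr = instr[0], COUNTER_SET[instr[1]]
    beta = 1 - nu["Z"]                            # beta = 1/2^k on entry
    nu, time = dict(nu), F(0)
    for name, n in subcomponents(op, ctr):
        nu[name] = 1 - (1 - nu[name]) / n         # Up^A_n divides the gap by n
        time += UP_TIME[n] * beta
    is_zero = None
    if op == "jz":
        # ZC: z1 needs beta/2 to reach 1; x1 reaches 1 at the same moment iff ctr == 0
        elapse = 1 - nu["Z"]
        is_zero = nu[ctr] + elapse == 1
        time += elapse
    assert time < 9 * beta                        # bound established in the proof
    return nu, time, is_zero


def run(program, max_steps=200):
    """Run a two counter program.  Instruction tuples (constructed format):
    ("inc", ctr, next), ("dec", ctr, next), ("jz", ctr, next_if_zero, next_otherwise), ("halt",).
    Returns (halted, (k, c, d), total time bound)."""
    nu, pc, total = encode(0, 0, 0), 0, F(0)
    for _ in range(max_steps):
        instr = program[pc]
        if instr[0] == "halt":
            return True, decode(nu), total
        nu, t, is_zero = step(nu, instr)
        total += t
        pc = (instr[2] if is_zero else instr[3]) if instr[0] == "jz" else instr[2]
    return False, decode(nu), total


# Constructed sample program: set c = 3, then move c into d one unit at a time.
MOVE_C_TO_D = [
    ("inc", "c", 1), ("inc", "c", 2), ("inc", "c", 3),
    ("jz", "c", 6, 4),          # c == 0 ? halt : continue
    ("dec", "c", 5), ("inc", "d", 3),
    ("halt",),
]

if __name__ == "__main__":
    halted, counters, total = run(MOVE_C_TO_D)
    print(halted, counters, float(total))   # True (13, 0, 3) and a total below 18
```

Each `step` asserts the $9\beta$ bound of the proof, and the total returned by `run` stays below the 18 time units of (2) because the bounds shrink geometrically with $k$; a program that never halts simply exhausts `max_steps` with the gaps still decoding correctly.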
5 Undecidability Results with two players
For the undecidability results for reachability games, we construct a recursive automaton (timed/hybrid, as the case may be) whose main components are the modules for the instructions, and the counters are encoded in the variables of the automaton. In these reductions, the reachability of the exit node of each component corresponding to an instruction is linked to a faithful simulation of the various increment, decrement and zero check instructions of the machine by choosing appropriate delays to adjust the clocks/variables, reflecting changes in counter values. We specify a main component for each type of instruction of the two counter machine, for example $H_{inc}$ for increment. The entry node and exit node of a main component $H_{inc}$ corresponding to an instruction [$\ell_i$: c := c + 1; goto $\ell_k$] are respectively $\ell_i$ and $\ell_k$. Similarly, a main component corresponding to a zero check instruction [$\ell_i$: if (c > 0) then goto $\ell_k$ else goto $\ell_m$] has a unique entry node $\ell_i$, and two exit nodes corresponding to $\ell_k$ and $\ell_m$ respectively. The various main components corresponding to the various instructions, when connected appropriately, give the higher level component $H_M$, and this completes the RHA $H$. The entry node of $H_M$ is the entry node of the main component for the first instruction of $M$ and the exit node is Halt. Achilles simulates the machine while Tortoise verifies the simulation. Suppose that in each main component, for each type of instruction, Achilles correctly simulates the instruction by accurately updating the counters encoded in the variables of $H$. Then, the unique run in $M$ corresponds to a unique run in $H_M$. The halting problem of the two counter machine now boils down to the existence of an Achilles strategy to ensure the reachability of an exit node Halt (and ☺) in $H_M$.
5.1 Time Bounded Reachability games in Unrestricted RTA with 3 clocks
Lemma 6. The time bounded reachability game problem is undecidable for recursive timed automata with at least 3 clocks.
Proof. We prove that the reachability problem is undecidable for unrestricted RTA with 3 clocks. In order to obtain the undecidability result, we use a reduction from the halting problem for two counter machines. Our reduction uses an RTA with three clocks $x, y, z$.
We specify a main component for each instruction of the two counter machine. On entry into a main component for increment/decrement/zero check, we have $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^k}$ and $z = 0$, where $c, d$ are the current values of the counters and $k$ is the current instruction. Note that $z$ is used only to enforce urgency in several vertices.
Given a two counter machine, we build a 3 clock RTA whose building blocks are the main components for the instructions. The purpose of the components is to simulate faithfully the counter machine by choosing appropriate delays to adjust the variables to reflect changes in counter values. On entering the entry node en of a main component corresponding to an instruction $\ell_i$, we have the configuration $(\langle\epsilon\rangle, en, (\frac{1}{2^{k+c}3^{k+d}}, \frac{1}{2^k}, 0))$ of the three clock RTA.
We shall now present the components for increment/decrement and zero check instructions. In all the components, the variables passed by value are written below the boxes and the invariants of the locations are indicated below them.
Simulate increment instruction: Let us consider the increment instruction $\ell_i$: c = c + 1; goto $\ell_k$. The component for this instruction is the component Inc c given in Figure 8. Assume that $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^k}$ and $z = 0$ at the entry node $en_1$ of the component Inc c. To correctly simulate the increment of counter $c$, the clock values at the exit node $ex_1$ should be $x = \frac{1}{2^{k+c+2}3^{k+d+1}}$, $y = \frac{1}{2^{k+1}}$ and $z = 0$.
Let $\alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $\beta = \frac{1}{2^k}$. We want $x = \frac{\alpha}{12}$ and $y = \frac{\beta}{2}$ at $ex_1$. We utilise the component Div{a, n} (with $a = x$, $n = 12$ and $a = y$, $n = 2$) to perform these divisions. Let us walk through the working of the component Inc c. As seen above, at the entry node $en_1$, we have $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^k}$ and $z = 0$.
1. No time is spent at $en_1$ due to the invariant $z = 0$. Div{y, 2} is called, passing $x, z$ by value. At the call port of $A1$: Div{y, 2}, we have the same values of $x, y, z$. Let us examine the component Div{y, 2}. We instantiate Div{a, n} with $a = y$, $n = 2$. Thus, the clock referred to as $b$ in Div{a, n} is $x$ after the instantiation. At the entry node $en_2$ of Div{y, 2}, no time is spent due to the invariant $z = 0$; we have $a = y = \beta$, $b = x = \alpha$, $z = 0$. Resetting $b = x$, we are at the call port of $A3$: D. $A3$ is called, passing $a, z$ by value. A nondeterministic time $t$ is spent at the entry node $en_3$ of D. Thus, at the return port of $A3$, we have $a = y = \beta$, $b = x = t$, $z = 0$. The return port of $A3$ is a node belonging to Tortoise; for Achilles to reach ☺, $t$ must be $\frac{\beta}{2}$. Tortoise has two choices to make at the return port of $A3$: he can continue the simulation, by resetting $a = y$ and going to the call port of $A5$: D, or he can verify whether $t$ is indeed $\frac{\beta}{2}$, by going to the call port of $A4$.
– Assume Tortoise goes to the call port of $A4$: $C^{x = y/2}$ (recall that by the instantiation, $b = x$, $a = y$ and $n = 2$). $z$ is passed by value. At the entry node $en_5$ of $C^{x = y/2}$, no time elapses due to the invariant $z = 0$. Thus, we have $x = b = t$, $a = y = \beta$, $z = 0$ at $en_5$. The component $A7$: $M_x$ is invoked, passing $x, z$ by value. At the entry node $en_6$ of $M_b$, a time $1 - t$ is spent, giving $a = y = \beta + 1 - t$, $b = x = t$ and $z = 0$ at the return port of $A7$. Since $n = 2$, one more invocation of $A7$: $M_x$ is made, obtaining $a = y = \beta + 2(1 - t)$, $b = x = t$ and $z = 0$ at the return port of $A7$ after the second invocation. To reach the exit node $ex_5$ of $C^{x = y/2}$, $a$ must be exactly 2, since no time can be spent at the return port of $A7$; this is so since the invariant $z = 0$ at the exit node $ex_5$ of $C^{x = y/2}$ is satisfied only when no time is spent at the return port of $A7$. If $a$ is exactly 2, we have $\beta = 2t$. In this case, from the return port of $A4$, ☺ can be reached.
– Now consider the case that Tortoise moves ahead from the return port of $A3$, resetting $a = y$, to the call port of $A5$: D. The values are $a = y = 0$, $b = x = t = \frac{\beta}{2}$ and $z = 0$. $A5$: D is invoked passing $b = x$ and $z$ by value. A non-deterministic amount of time $t'$ is spent at the entry node $en_3$ of D, giving $a = y = t'$, $b = x = \frac{\beta}{2}$ and $z = 0$ at the return port of $A5$. Again, the return port of $A5$ is a node belonging to Tortoise. Here Tortoise thus has two choices: he can continue with the simulation going to $ex_2$, or can verify that $t' = \frac{\beta}{2}$ by going to the call port of $A6$: $C^{y = x}$. $C^{y = x}$ is a component that checks if $y$ has “caught up” with $x$; that is, whether $t' = t = \frac{\beta}{2}$. At the entry node $en_4$ of $C^{y = x}$, $a$ and $b$ can simultaneously reach 1 iff $t = t'$; that is, $t' = \frac{\beta}{2}$. Then, from the return port of $A6$, we can reach ☺.
– Thus, we reach $ex_2$ with $x = y = \frac{\beta}{2}$, $z = 0$. At the return port of $A1$: Div{y, 2}, we thus have $x = \alpha$, $y = \frac{\beta}{2}$, $z = 0$.
2. From the return port of $A1$: Div{y, 2}, we reach the call port of $A2$: Div{x, 12}. $y, z$ are passed by value. The functioning of $A2$ is similar to that of $A1$: at the return port of $A2$, we obtain $x = \frac{\alpha}{12}$, $y = \frac{\beta}{2}$ and $z = 0$.
Time taken: Now we discuss the total time to reach a ☺ node or the exit node $ex_1$ of the component Inc c while simulating the increment instruction. At the entry node $en_1$, the clock values are $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^k}$ and $z = 0$. Let $\alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $\beta = \frac{1}{2^k}$. The invariant $z = 0$ at the entry and exit nodes $en_1$ and $ex_1$ ensures that no time elapses in these nodes and also in the return ports of $A1$ and $A2$. From the analysis above, it follows that at the return port of $A1$: Div{y, 2}, $x = \alpha$, $y = \frac{\beta}{2}$ and $z = 0$. Similarly, at the return port of $A2$: Div{x, 12}, the clock values are $x = \frac{\alpha}{12}$, $y = \frac{\beta}{2}$ and $z = 0$. Thus, counter $c$ has been incremented and the end of instruction $k$ has been recorded in $x$ and $y$. The time spent along the path from $en_1$ to $ex_1$ is the sum of the times spent in $A1$: Div{y, 2} and $A2$: Div{x, 12}.
[Figure 8 (diagram): components Inc c ($en_1$, $A1$: Div{y, 2} passing $(x, z)$, $A2$: Div{x, 12} passing $(y, z)$, $ex_1$; invariant $z = 0$ at entry and exit), Div{a, n} with $a, b \in \{x, y\}$ ($en_2$, $A3$: D passing $(a, z)$, $A4$: $C^{b = a/n}$ passing $(z)$, $A5$: D passing $(b, z)$, $A6$: $C^{a = b}$ passing $(z)$, $ex_2$ and a ☺ node, both with invariant $z = 0$; resets $\{b\}$ and $\{a\}$), D ($en_3$, $ex_3$), $C^{a = b}$ ($en_4$, $ex_4$, guards $a = 1$, $b = 1$), $C^{b = a/n}$ with $a, b \in \{x, y\}$ ($en_5$, $A7$: $M_b$ passing $(b, z)$, $n - 1$ calls to $M_b$ with $(b, z)$ passed by value, $ex_5$, guard $a = n$) and $M_b$ ($en_6$, $ex_6$, guard $b = 1$).]
Fig. 8. Games on RTA with 3 clocks: Increment c.
– Time spent in $A1$: Div{y, 2}. The time spent in $A3$: D as well as in $A5$: D is $\frac{\beta}{2}$. Recall that Tortoise can verify that the times $t, t'$ spent in $A3, A5$ are both $\frac{\beta}{2}$. If Tortoise enters $A4$ to verify $t = \frac{\beta}{2}$, then the time taken is $2(1 - t)$. In this case, the time taken to reach ☺ from the return port of $A4$ is $t + 2(1 - t) = 2 - \frac{\beta}{2}$. Likewise, if Tortoise continued from $A3$ to $A5$, and goes on to verify that the time $t'$ spent in $A5$ is also $\frac{\beta}{2}$, then the total time spent before reaching ☺ from the return port of $A6$ is $t + t' + (1 - t') = 1 + t = 1 + \frac{\beta}{2}$. Thus, if we are back at the return port of $A1$, the time spent in $A1$ is $t + t' = \beta$.
– Time spent in $A2$: Div{x, 12}. Here, the time spent in $A3$: D as well as in $A5$: D is $\frac{\alpha}{12}$. In case Tortoise verifies that the time $t$ spent in $A3$: D is indeed $\frac{\alpha}{12}$, then he invokes $A4$. The time elapsed in $C^{y = x/12}$ is $12(1 - t) = 12(1 - \frac{\alpha}{12}) < 12$. Likewise, if Tortoise continued from $A3$ to $A5$, and goes on to verify that the time $t'$ spent in $A5$ is also $\frac{\alpha}{12}$, then the total time spent before reaching ☺ from the return port of $A6$ is $t + t' + (1 - t') = 1 + t = 1 + \frac{\alpha}{12}$. Thus, if we are back at the return port of $A2$, the time spent in $A2$ is $t + t' = \frac{2\alpha}{12}$.
– In general, the component Div{a, n} divides the value in clock $a$ by $n$. If $a = \zeta$ on entering Div{a, n}, then upon exit, its value is $a = \frac{\zeta}{n}$. The time taken to reach the exit $ex_2$ is $2 \cdot \frac{\zeta}{n}$. The time taken to reach the node ☺ in Div{a, n} is $< n$ (due to $n$ calls to the $M_b$ component).
– Total time spent in Inc c. Thus, if we come back to the return port of $A2$, the total time spent is $\beta + \frac{2\alpha}{12} < 2\beta$, on entering with $y = \beta$. Recall that $x = \alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $y = \beta = \frac{1}{2^k}$, and thus $\alpha \leq \beta$ always.
From the analysis above, the following propositions are easy to see.
Proposition 10. For any context $\kappa \in (B \times V)^*$, any box $b \in B$, and $x, y \in [0, 1]$, there exists a unique strategy of Achilles such that
$$(\langle\kappa\rangle, (b, en_2), (x, y = \beta, 0)) \xrightarrow[Div\{y,2\}]{\beta} (\langle\kappa\rangle, (b, ex_2), (x, \tfrac{\beta}{2}, 0)),$$
$$\text{or } (\langle\kappa\rangle, (b, en_2), (x, y, 0)) \xrightarrow[Div\{y,2\}]{2 - \frac{\beta}{2}} (\langle\kappa, (b, (x, y, 0))\rangle, ☺, (\tfrac{\beta}{2}, y, 0)),$$
$$\text{or } (\langle\kappa\rangle, (b, en_2), (x, y, 0)) \xrightarrow[Div\{y,2\}]{1 + \frac{\beta}{2}} (\langle\kappa, (b, (x, y, 0))\rangle, ☺, (\tfrac{\beta}{2}, \tfrac{\beta}{2}, 0)). \qquad (3)$$
Proposition 11. For any context $\kappa \in (B \times V)^*$, any box $b \in B$, and $x, y \in [0, 1]$, we have that
$$(\langle\kappa\rangle, (b, en_1), (x, y, 0)) \xrightarrow[Inc\ c]{< 2\beta} (\langle\kappa\rangle, (b, ex_1), (\tfrac{x}{12}, \tfrac{y}{2}, 0)).$$
The proof essentially relies on the argument given above. Using summary edges, we can easily obtain the result.
Simulate Zero check instruction: Let us now simulate the instruction $\ell_i$: if (d > 0) then goto $\ell_k$, else goto $\ell_j$. Figure 9 describes this. The component for this instruction is the component Zero Check: d = 0?. Starting with $x = \frac{1}{2^{k+c}3^{k+d}} = \alpha$, $y = \frac{1}{2^k} = \beta$ and $z = 0$ at the entry node $en_1$, we want to reach the node corresponding to $\ell_k$ if $d > 0$, with $x = \frac{1}{2^{k+c+1}3^{k+d+1}} = \frac{\alpha}{6}$, $y = \frac{1}{2^{k+1}} = \frac{\beta}{2}$ and $z = 0$, and to the node corresponding to $\ell_j$ if $d = 0$, with the same clock values. The nodes $d = 0$ and $d > 0$ are respectively the exit nodes of the component Zero Check: d = 0?. In the following, we analyse the zero check component in detail.
1. The first component invoked on entry is $A$: Div{y, 2}, which records the $(k+1)$th instruction by dividing $y$ by 2. Clocks $x, z$ are passed by value. This component is the same as seen in the Inc c component. As seen there, at the return port of $A$: Div{y, 2}, we obtain $x = \alpha$, $y = \frac{\beta}{2}$, $z = 0$. A time of $\beta$ is spent in the process. Similarly, at the return port of $B$: Div{x, 6}, we obtain $x = \frac{\alpha}{6}$, $y = \frac{\beta}{2}$ and $z = 0$. A total time of $\frac{2\alpha}{6}$ is elapsed in $B$: Div{x, 6}. Thus, the total time spent on coming to the return port of $B$: Div{x, 6} is $\beta + \frac{2\alpha}{6} < 2\beta$.
2. At the return port of $B$, we go to the node $m$, elapsing no time. This is needed since the exit nodes of the zero check component have the invariant $z = 0$. At $m$, Achilles guesses whether $d = 0$ or not, and goes to one of $m_1, m_2$. Both these nodes belong to Tortoise. At both $m_1, m_2$, Tortoise has two choices: he can go to an exit node of the zero check component, or choose to verify the correctness of the guess of Achilles. The ☺ node is reachable from the upper component $B1$: $ZC^{d=0}$ if $d = 0$, while the ☺ node is reachable from the lower component $B2$: $ZC^{d=0}$ if $d > 0$. Let us now look at the component $ZC^{d=0}$.
3. At the entry node $en_2$, we have $x = \frac{\alpha}{6}$, $y = \frac{\beta}{2}$ and $z = 0$. To check if $d = 0$, we first eliminate the $k$ from $x, y$, obtaining $x = 6^{k+1} \cdot \frac{\alpha}{6} = \frac{1}{2^c 3^d}$ and $y = 2^{k+1} \cdot \frac{1}{2^{k+1}} = 1$. The component $B3$ multiplies $y$ by 2 once, and invokes $B4$, which multiplies $x$ by 6; this is repeated until $y$ becomes 1. $B3$ is invoked passing $x, z$ by value, while $B4$ is invoked passing $y, z$ by value. Let us examine the functioning of Mul{y, 2}; the functioning of Mul{x, 6} is similar.
4. At the entry node $en_3$ of Mul{a, n}, with $a = y$, $n = 2$ and $b = x$, we have $z = 0$, $x = \frac{\alpha}{6}$, $y = \frac{\beta}{2}$. Resetting $b = x$, we go to the call port of $B6$: D. D is called passing $y, z$ by value. A non-deterministic time $t$ is spent at the entry node $en_5$ of D; thus, at the return port of $B6$, we have $b = x = t$, $a = y = \frac{\beta}{2}$, $z = 0$. The time $t$ must be $\beta$; Tortoise can verify this by invoking $B7$: $C^{x = 2 * y}$. $C^{x = 2 * y}$ invokes $M_y$ two times, passing $y, z$ by value. Each time, in $M_y$, a time of $1 - \frac{\beta}{2}$ is spent. After the two invocations, we obtain $b = x = t + 2(1 - \frac{\beta}{2})$, $a = y = \frac{\beta}{2}$ and $z = 0$. This $b$ must be exactly 2 to reach the exit node $ex_4$ of $C^{x = 2 * y}$; this is possible iff $t = \beta$. In this case, Tortoise will allow Achilles to go to the ☺ node from the return port of $B6$: D. If Tortoise skips the verification and goes directly to $B8$: D, then at the call port of $B8$: D, we have $b = x = \beta$, $a = y = 0$ and $z = 0$. D is called by passing $b = x, z$ by value. A time $t'$ is elapsed in D, obtaining $b = x = \beta$, $a = y = t'$ and $z = 0$. This $t'$ must be exactly $\beta$; Tortoise can verify this by invoking $B9$: $C^{y = x}$ at the return port of $B8$. $C^{y = x}$ checks if $y$ has “caught up” with $x$; that is, if $y$ is also $\beta$. Clearly, the exit node $ex_6$ is reached iff $a = b$; that is, $t' = \beta$. At the return port of $B8$, we thus have $a = b = \beta$, $z = 0$. Back at the return port of $B3$, we thus obtain $x = \frac{\alpha}{6}$, $y = \beta$, $z = 0$.
5. In a similar way, Mul{x, 6} multiplies $x$ by 6. Thus, at the return port of $B4$, $y$ has been multiplied by 2 and $x$ by 6, once. The process repeats until we obtain $y = 1$ at the return port of $B4$. At this time, we know that the loop has happened $k + 1$ times, that is, $y = 1$ and $x = \frac{1}{2^c 3^d}$.
6. Now we can check if $d$ is zero or not, by multiplying $x$ by 2 $c + 1$ times. If $x$ becomes exactly 2 at some time, then clearly $d$ is zero; otherwise, $x$ will never become exactly 2. Then the only option is to go to the exit node $d > 0$ of $ZC^{d=0}$. If Achilles had guessed correctly that $d = 0$ and gone to node $m_1$ in the zero check component, then $ZC^{d=0}$ will reach the upper exit node $d = 0$; from this return port of $B1$, ☺ is reachable. Similar is the case when Achilles guesses correctly that $d > 0$ at $m$.
Time taken:
– The total time taken to reach the return port of $B$: Div{x, 6} is $\beta + \frac{\alpha}{3} < 2\beta$, on entering $en_1$ with $y = \beta$, $x = \alpha$, $z = 0$.
– The total time taken to reach the return port of $B3$, having entered the call port of $B3$ with $y = \frac{\beta}{2}$, is $2\beta = 4 \cdot \frac{\beta}{2}$. Likewise, the total time taken to reach the return port of $B4$, having entered the call port of $B4$ with $x = \frac{\alpha}{6}$, is $2\alpha = 12 \cdot \frac{\alpha}{6}$. Thus, the total time to reach the return port of $B4$ after one round of multiplication of $x, y$ is $4 \cdot \frac{\beta}{2} + 12 \cdot \frac{\alpha}{6} < 4\beta + 12\beta = 16\beta$. The second time the $B3, B4$ loop is invoked is with $y = \beta$, $x = \alpha$; the times taken will respectively be $4\beta$ and $12\alpha$, and so on. Thus, the total time taken until $y$ becomes 1 is $< 16(\beta + 2\beta + 2^2\beta + \cdots + 1) < 16$. Recall that $x = \alpha = \frac{1}{2^{k+c}3^{k+d}}$ and $y = \beta = \frac{1}{2^k}$, and thus $\alpha \leq \beta$ always.
[Figure 9 (diagram): components Zero Check: d = 0? ($en_1$ with invariant $z = 0$, $A$: Div{y, 2} passing $(x, z)$, $B$: Div{x, 6} passing $(y, z)$, node $m$, then $m_1$ to $B1$: $ZC^{d=0}$ and $m_2$ to $B2$: $ZC^{d=0}$, both passing $(z)$; exit nodes $d = 0$ and $d > 0$ and a ☺ node, all with invariant $z = 0$), $ZC^{d=0}$ ($en_2$, $B3$: Mul{y, 2} passing $(x, z)$, $B4$: Mul{x, 6} passing $(y, z)$, looped while $y < 1$ and left on $y = 1$, $B5$: Mul{x, 2} passing $(y, z)$, looped while $x < 2$, exits $d = 0$ on $x = 2$ and $d > 0$ on $x > 2$), Mul{a, n} with $a, b \in \{x, y\}$ ($en_3$, $B6$: D passing $(a, z)$, $B7$: $C^{b = n * a}$ passing $(z)$, $B8$: D passing $(b, z)$, $B9$: $C^{a = b}$ passing $(z)$, $ex_3$ and a ☺ node with invariant $z = 0$; resets $\{b\}$ and $\{a\}$), $C^{b = n * a}$ with $a, b \in \{x, y\}$ ($en_4$, $A7$: $M_a$ passing $(a, z)$, $n - 1$ calls to $M_a$ with $(a, z)$ passed by value, $ex_4$, guard $b = n$), D ($en_5$, $ex_5$), $C^{a = b}$ ($en_6$, $ex_6$, guards $a = 1$, $b = 1$) and $M_a$ ($en_7$, $ex_7$, guard $a = 1$).]
Fig. 9. Games on RTA with 3 clocks: Zero check c = 0?.
– Once $y$ becomes 1, the $B5$: Mul{x, 2} loop is taken until $x$ reaches 2 or beyond. $B5$ is entered with $x = \frac{1}{2^c 3^d} = \gamma$, and $B5$ is invoked $c + 1$ times. The first time Mul{x, 2} is invoked with $x = \gamma$, the time elapsed is $2\gamma$; the next time Mul{x, 2} is invoked with $x = 2\gamma$, the time elapsed is $4\gamma$ and so on. Thus, the total time elapsed in the $B5$ loop is $2\gamma + 2^2\gamma + \cdots + 2^{c+1}\gamma < 2$, where $2^{c+1}\gamma = \frac{1}{3^d}$. If $d = 0$, then after $c + 1$ steps, the exit node $d = 0$ of $ZC^{d=0}$ is reached; if $d > 0$, then the loop is taken $d + 2$ more times; in this case also, the total time elapsed to reach the exit node $d > 0$ is $< 2$. Thus the total time taken in the $ZC^{d=0}$ component is $< 16$ from the $B3$-$B4$ loop and $< 2$ from the $B5$ loop. Thus the time to reach either exit of this component is $< 18$.
– In general, the component Mul{a, n} multiplies the value in clock $a$ by $n$. If $a = \zeta$ on entering Mul{a, n}, then upon exit, its value is $a = n \cdot \zeta$. The functioning of this component is very similar to that of Div{a, n} described earlier. The time taken to reach the exit $ex_3$ is $2 \cdot (n \cdot \zeta)$. The time taken to reach the node ☺ in Mul{a, n} is $< n$ (due to $n$ calls to the $M_a$ component in $C^{b = n * a}$).
– Total time taken in Zero Check: d = 0?. The time taken to come to the return port of $B$ is $< 2\beta$. No time is spent at the return port of $B$, nor at the nodes $m, m_1, m_2$. No time is thus spent on reaching the exit nodes $d = 0$ or $d > 0$ from the return port of $B$. Thus, the total time taken to reach an exit node of Zero Check: d = 0? is $< 2\beta$, on entering with $y = \beta$. The time taken to reach the ☺ node in this component is $< 18 + 2\beta$, where $< 18$ t.u. is the time elapsed in the component $ZC^{d=0}$.
Other instructions: The main components to simulate the other instructions are as follows.
– Decrement c: In the main component Inc c of Figure 11, the second call Div{x, 12} is replaced by Div{x, 3}, thus updating $x$ from $\frac{1}{2^{k+c}3^{k+d}}$ to $\frac{1}{2^{k+c}3^{k+d+1}}$ to record the end of instruction $k$.
– Increment d: Div{x, 12} is replaced by Div{x, 18} to update $x$ to $\frac{1}{2^{k+c+1}3^{k+d+2}}$.
– Decrement d: Div{x, 2} is used to update $x$ to $\frac{1}{2^{k+c+1}3^{k+d}}$, recording the end of instruction $k$.
– Zero check c = 0?: The call $B5$: Mul{x, 2} is replaced by $B5$: Mul{x, 3}, and the time taken to reach the exits remains the same.
In all these cases, the time taken to reach ☺ would be $< 18$ time units (in Div{x, 18}). Also, on entering any of the main components with $y = \beta$, an exit node is reached in $< 2\beta$ units of time.
Complete RTA: We obtain the full RTA simulating the two counter machine by connecting the entry and exit nodes of the main components of the instructions according to the machine’s sequence of instructions. If the machine halts, then the RTA has an exit node corresponding to HALT. Any time Tortoise embarks on a check, a ☺ is reachable if Achilles has simulated the instruction correctly. As observed above, on entering any component corresponding to an instruction with $y = \beta$, the exit node of that component can be reached in time $< 2\beta$, and a ☺ node can be reached in time $< 18$. Now the time to reach the exit node HALT is the time taken for the entire simulation of the machine. As Tortoise can enter any of the check components, Achilles is bound to choose the correct delays to update the counters accurately. We conclude by calculating the total time elapsed during the entire simulation. We have established so far that for the $k$th instruction, the time elapsed is no more than $2\beta$, for $\beta = \frac{1}{2^k}$. For the first instruction, the time elapsed is at most 2, for the second instruction it is $\frac{2}{2}$, for the third it is $\frac{2}{2^2}$ and so on.
$$\text{Total time duration} = 2\left(1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \frac{1}{16} + \cdots\right) = 2(1 + (<1)) < 4 \qquad (4)$$
We now show that the two counter machine halts iff Achilles has a strategy to reach HALT or ☺. Suppose the machine halts. Then the strategy for Achilles is to choose the appropriate delays to update the counters in each main component. Now if Tortoise does not verify (by entering check components) in any of the main components, then the exit $ex_1$ of the main component is reached. If Tortoise decides to verify, then the node ☺ is reached (this follows from Propositions 10 and 11). Thus, if Achilles simulates the machine correctly, then either the HALT exit or ☺ is reached if the machine halts.
Conversely, assume that the two counter machine does not halt. Then we show that Achilles has no strategy to reach either HALT or ☺. Consider a strategy of Achilles which correctly simulates all the instructions. Then ☺ is reached only if Tortoise chooses to verify. But if Tortoise does not choose to verify, then ☺ cannot be reached. The simulation continues and, as the machine does not halt, the exit node HALT is never reached. Now, consider any other strategy of Achilles which makes an error in simulation (in the hope of reaching HALT). Tortoise could verify this, and in this case the node ☺ will not be reached as the delays are incorrect. Thus Achilles cannot ensure reaching HALT or ☺ with a simulation error.
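As an added illustration (not code from the paper), the following Python model carries the clock arithmetic of Lemma 6 along Achilles' exit path: the encoding $x = \frac{1}{2^{k+c}3^{k+d}}$, $y = \frac{1}{2^k}$; the Div{a, n} and Mul{a, n} components with the exit-path times $2 \cdot \frac{\zeta}{n}$ and $2 \cdot (n \cdot \zeta)$ stated above; the divisor of each increment/decrement main component taken from the list of other instructions; and the $ZC^{d=0}$ loops that strip off $k$ and test whether $x$ lands exactly on 2. Tortoise's verification branches are not modelled (Achilles is assumed to simulate correctly); the helper names, the instruction strings and the driver at the end are constructed for the example.

```python
from fractions import Fraction as F

# Added model of the Lemma 6 construction (not the paper's code).  Only Achilles'
# correct-simulation path is followed; Tortoise's check components are omitted.
DIVISOR = {"inc c": 12, "dec c": 3, "inc d": 18, "dec d": 2}   # from "Other instructions"


def encode(k, c, d):
    """Clock values (x, y) at the entry node of the kth main component."""
    return F(1, 2**(k + c) * 3**(k + d)), F(1, 2**k)


def decode(x, y):
    """Inverse of encode: recover (k, c, d) from the clock values."""
    k = y.denominator.bit_length() - 1            # y = 1/2^k
    r = (x * 2**k * 3**k).denominator             # 2^c 3^d
    c = (r & -r).bit_length() - 1                 # largest power of two dividing r
    d, r = 0, r >> c
    while r > 1:
        r, d = r // 3, d + 1
    return k, c, d


def div(a, n):
    """Div{a, n} along the exit path: a becomes a/n in 2*(a/n) time units."""
    return a / n, 2 * (a / n)


def mul(a, n):
    """Mul{a, n} along the exit path: a becomes n*a in 2*(n*a) time units."""
    return n * a, 2 * (n * a)


def update(op, x, y):
    """Main component for an increment/decrement: Div{y, 2} then Div{x, DIVISOR[op]}."""
    beta = y
    y, t1 = div(y, 2)
    x, t2 = div(x, DIVISOR[op])
    assert t1 + t2 < 2 * beta                     # exit reached in < 2*beta (Proposition 11)
    return x, y, t1 + t2


def zero_check_d(x, y):
    """Main component Zero Check : d = 0?.  Returns (x', y', d_is_zero, exit_time, check_time),
    where check_time is the time spent inside ZC^{d=0} if Tortoise asks for verification."""
    beta = y
    y, t1 = div(y, 2)                             # A: Div{y, 2}
    x, t2 = div(x, 6)                             # B: Div{x, 6}
    exit_time = t1 + t2
    assert exit_time < 2 * beta
    # ZC^{d=0}: the B3/B4 loop multiplies y by 2 and x by 6 until y == 1,
    # which leaves x = 1/(2^c 3^d)
    cx, cy, check_time = x, y, F(0)
    while cy < 1:
        cy, t = mul(cy, 2)
        check_time += t
        cx, t = mul(cx, 6)
        check_time += t
    # B5 loop: double x until it reaches 2 or beyond; it is exactly 2 iff d == 0
    while cx < 2:
        cx, t = mul(cx, 2)
        check_time += t
    return x, y, cx == 2, exit_time, check_time


def simulate(ops, k=0, c=0, d=0):
    """Apply a constructed sequence of main components; returns ((k, c, d), total exit-path time)."""
    x, y = encode(k, c, d)
    total = F(0)
    for op in ops:
        if op == "jz d":
            x, y, _, t, _ = zero_check_d(x, y)
        else:
            x, y, t = update(op, x, y)
        total += t
    assert total < 4                              # bound (4) on the whole simulation
    return decode(x, y), total


if __name__ == "__main__":
    print(simulate(["inc c", "inc d", "dec c", "jz d"]))   # ((4, 0, 1), total below 4)
```

Because every value is an exact `Fraction`, the test `cx == 2` in `zero_check_d` is the same exactness the construction relies on: $2^m / (2^c 3^d)$ can only equal 2 when $d = 0$, so a wrong guess by Achilles would show up as $x$ overshooting 2 rather than hitting it.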
5.2 Time bounded reachability games in RSA
Lemma 7. The time bounded reachability game problem is undecidable for glitchfree
recursive stopwatch automata with at least 4 stopwatches.
Proof. We outline quickly the changes as compared to Lemma 6. The proof proceeds by the simulation of a two counter machine. Figure 10 gives the component for incrementing counter c. There are 4 stopwatches x, y, z, u. The encoding of the counters in the variables is similar to Lemma 6: at the entry node of each main component simulating the kth instruction, we have x = 1/(2^{c+k}·3^{d+k}) = α, y = 1/2^k = β and z = 0, where c, d are the current values of the counters. We use the extra stopwatch u for rough work and hence we do not ensure that u = 0 when a component is entered.
Simulate increment instruction: As was the case in Lemma 6, simulation of the (k + 1)th instruction, incrementing c, amounts to dividing y by 2 and x by 12. In Lemma 6, it was possible to pass some clocks by value and some by reference, but here all variables must be either passed by value or by reference.
The Div{a, n} module here is similar to that in Lemma 6: the box A3 : D in Figure 8 is replaced by the node l1, where only u ticks and accumulates a time t. (Recall that u is the stopwatch used for rough work and has no bearing on the encoding.) In node l2, only z ticks. l2 is a node belonging to Tortoise. The time t spent at l1 must be exactly t = β/2, where β = 1/2^k is the value of a = y on entering Div{y, 2}. In this case, Tortoise, even if he enters the check module C_{u=y/2}, will reach ⌣¨.
Again, note that the module C_{u=y/2} is similar to the one in Figure 8. We use b = x for rough work in this component. Due to this the earlier value of x is lost. However, this does not affect the machine simulation as only ⌣¨ of Div{y, 2} is reached and not the exit node, and the simulation does not continue. At en5 (of Mu), we have b = x = 0, u = t and a = y = β. a, b, u tick at en5. A time 1 − t is spent at en5, obtaining b = 1 − t, u = 0, a = β + (1 − t) at l. At l, only b, u tick, obtaining b = 0, u = t, a = β + (1 − t) at ex5. A second invocation of C_{u=y/2} gives b = 0, u = t, a = β + 2(1 − t). For a = 2, to reach ex3, we thus need t = β/2. The time elapsed in one invocation of Mu is 1 time unit; thus a total of 2 + t time units is elapsed before reaching ⌣¨ (via module C_{u=y/2} in Div{a, n}).
If Tortoise skips the check at l2 and proceeds to l3 resetting a = y, we have at l3, z = 0, u = t = β/2 and a = 0. Only a ticks at l3; a is supposed to “catch up” with u at l3, by elapsing t = β/2 in l3. Again, at l4, only z ticks. Tortoise can verify whether a = u by going to C_{a=u}. The component C_{a=u} is exactly the same as that in Figure 8. A time of 1 − t is elapsed in C_{a=u}. Thus, the time taken to reach ⌣¨ from C_{a=u} is t + t + 1 − t = 1 + t. Thus, ex2 is reached in time 2t = 2·β/2 = β. As was the case in Lemma 6, the time taken to reach the exit node of Inc c, starting with y = β, x = α, z = 0, is β + 2·α/12 < 2β. Also, the time taken by Div{a, n} on entering with a = ζ is 2·ζ/n.
To summarize, the time taken to reach the exit node of the Inc c component is < 2β, on entering with y = β. Also, the component Div{a, n} divides the value in clock a by n. If a = ζ on entering Div{a, n}, then upon exit, its value is a = ζ/n. The time taken to reach the exit ex2 is 2 ∗ (ζ/n). The time taken to reach the node ⌣¨ in Div{a, n} is < n + 1 (due to n calls to the Mu component).
Simulate Zero check instruction: Here again, we illustrate the changes as compared
to the zero check done in Lemma 6. Figure 11 describes the zero check module. As in
the case of Figure 9, on entering en1 with x = α, y = β, z = 0, we divide y by 2 and
x by 6, to record the (k + 1)th instruction in x, y. These modules are already discussed
in the increment instruction above. We only discuss the module Mul{a, n} here. This is similar to the Div{a, n} module seen above. If we enter Mul{a, n} with a = ζ, at location l1, a time t = ζ·n should be spent. This makes u = ζ·n; the values of a, z are unchanged. Tortoise can verify that t = ζ·n using C_{u=n∗a}. It can be seen that the Mul{a, n} module here is similar to the Mul{a, n} module in Figure 9.
Complete RSA: As in the case of Lemma 6, the complete RSA is constructed by connecting components according to the machine instructions. The times elapsed in the components are exactly the same as those in Lemma 6. Thus the total time duration for machine simulation is < 4. Along the same lines, we can also prove that Achilles has a strategy to reach HALT or ⌣¨ iff the machine halts.
Lemma 8. The time bounded reachability game problem is undecidable for unrestricted
recursive stopwatch automata with at least 3 stopwatches.
This follows from Lemma 6.
5.3 Reachability games on RSA
Reachability problem in recursive stopwatch automata with a single player is studied in Section 4. The problem is undecidable for unrestricted recursive stopwatch automata with at least two stopwatches. Further, it is undecidable for the glitchfree variant with at least 3 stopwatches. The details of these results are in Sections 4.1 and 2. Due to these, the following results on two player games on RSA are easy to see.
Fig. 10. Games on Glitchfree-RSA with 4 stopwatches: Increment c. [Figure not reproduced; components shown: Inc c; Div{a, n} for a ∈ {x, y}; C_{a=u}; C_{u=a/n} for a, b ∈ {x, y}; Mu for a, b ∈ {x, y}.] Note that the variables that tick in a location are indicated above it. Due to the semantics of RHA, no time elapses in the call ports and exit nodes and hence no ticking variables are mentioned for these locations.
Fig. 11. Games on Glitchfree-RSA with 4 stopwatches: Zero check c = 0?. [Figure not reproduced; components shown: Zero Check d = 0?; ZC_{d=0}; Mul{a, n} for a ∈ {x, y}; C_{u=n∗a} for a, b ∈ {x, y}; C_{a=u}; Ma.] Note that the variables that tick in a location are indicated above it. z is ticking in all return ports of boxes B1 : ZC_{d=0} and B2 : ZC_{d=0} but not indicated above all of them, to avoid clutter. Due to the semantics of RHA, no time elapses in the call ports and exit nodes and hence no ticking variables are mentioned for these locations.
Lemma 9. The reachability game problem is undecidable for glitchfree recursive stop-
watch automata with at least 3 stopwatches.
Lemma 10. The reachability game problem is undecidable for unrestricted recursive
stopwatch automata with at least 2 stopwatches.
6 Decidability with one player : Bounded Context RHA using only
pass-by-reference
We mainly discuss the results of Theorem 4 here.
6.1 Hybrid automata : Time bounded reachability [10]
Time bounded reachability was shown to be decidable for hybrid automata with no negative rates and no diagonal constraints [10]. The main idea here is that if there is a run ρ between two configurations (q1, ν1) and (q2, ν2) in a hybrid automaton H such that duration(ρ) ≤ T (called a T-time bounded run), then there exists a contracted run ρ′ between the same configurations, such that duration(ρ′) ≤ T, the length of ρ′ is at most C, a constant exponential in H and linear in T, and dependent on rmax (maximal rate in H) and cmax (largest constant in the constraints of H). The construction of ρ′ from ρ relies on a contraction operator. This operator identifies positions i < j in ρ such that all locations between i and j are visited before i in ρ, the locations li = lj, and ei+1 = ej+1 are the outgoing edges from li and lj respectively. The operator then deletes all the locations i + 1, . . . , j and adds their time to the other occurrences before i. It then connects li −e_{j+1}→ l_{j+1} with the sum of the time delays accompanying ei+1 and ej+1. This operator is used as many times as required until a fixpoint is reached. Care should be taken to ensure that the contracted run is a valid run: it should satisfy the constraints. To ensure this, the run ρ is first carefully partitioned into exponentially many pieces, so that contracting the pieces and concatenating them yields a valid run.
Firstly, to help track whether the valuations resulting from contraction satisfy constraints, the region information is stored in the locations to form another hybrid automaton R(H). Given cmax, the set of regions is {(a − 1, a), [a, a] | a ∈ {1, · · · , cmax}} ∪ {0=, 0+, (cmax, +∞)}. It differs from the classical region notion due to the lack of fractional part ordering (no diagonal constraints) and the special treatment of valuations which are 0. R(H) checks whether a variable x never changes from 0 before the next transition, or if it becomes > 0 before the next transition. This helps bound the number of sub-runs that are constructed later, and prevents the contraction operator from merging locations where x remains 0 with those where x becomes > 0. The construction ensures
that H admits a run between two states of duration T iff R(H) admits a run between
the same states and for the same time T .
As the rest of the automaton is untouched, the equivalent of run ρ in R(H) is a run the same as ρ, but having region information along with locations. Let us continue to call the run in R(H) ρ. ρ is called a type-0 run. ρ is chopped into fragments of duration ≤ 1/rmax, each of which is called a type-1 run. There will be at most T.rmax + 1 type-1 runs. Additionally, as rmax is the maximal rate of growth of any variable, a variable changes its region at most 3 times such that, when starting in the (b, b + 1) region, growing through [b + 1, b + 1], (b + 1, b + 2), it gets reset and stays in [0, 1). Each type-1 run is further split into type-2 runs based on region changes, which happen at most 3 times per variable. Thus each type-1 run is split into at most 3.|X| type-2 runs. Respecting region changes ensures that constraints continue to be satisfied post contraction. Type-2 runs are again split into type-3 runs based on the first and last reset of a variable. This is to enable concatenation of consecutive contracted fragments by ensuring the valuations in the start configuration and end configuration of each fragment are compatible with their neighbors. Each type-2 run is split into at most 2.|X| + 1 type-3 runs. The contraction is applied to type-3 runs, removing second occurrences of loops. Hence, each contracted type-3 run will be at most |Loc′|^2 + 1 long (Lemma 7 of [10]), where Loc′ is the set of locations of R(H). Note that |Loc′| = |Loc|.(2.cmax + 1)^{|X|} where Loc is the set of locations of H. After concatenating these contracted type-3 runs, we get contracted type-2 runs with the same start and end states. These contracted type-2 runs are then concatenated to obtain a run ρ′ that has the same start and end states as ρ, duration(ρ′) = duration(ρ) and |ρ′| ≤ C = 24.(T.rmax + 1).|X|^2.|Loc|^2.(2.cmax + 1)^{2.|X|}. To solve time-bounded reachability, we nondeterministically guess a run of length at most C, and solve an LP to check if there are time delays and valuations for each step to make the run feasible.
6.2 Bounded-Context RHA with pass-by-reference only mechanism : Time
bounded reachability
Along the lines of contraction operator, we define a context-sensitive contraction oper-
ator cnt for a run in the bounded context RHA. As seen in Section 6.1, we convert the
bounded context RHA H into R(H), where we remember the respective regions along
with the vertices of H . In the rest of this discussion, when we say H , we mean R(H).
The contraction operator in [10] matches locations in the run while we match the (context, location) pairs of the configurations in the run. The context matching ensures that we do not alter the sequence of recursive calls made in the contracted run, thus maintaining validity w.r.t. recursion. The second occurrence is then deleted and the time delays are added to the first occurrence of the loop. Let us denote the (context, location) pair to be used for matching as cl = (〈κ〉, q). Ignoring the valuations, we denote a context as κ ∈ B∗ since all the variables are passed by reference and hence need not be stored in the context. Henceforth, we shall denote a run as ρ = (〈κ0〉, q0, ν0) −(t1,e1)→ (〈κ1〉, q1, ν1) −(t2,e2)→ · · · (〈κn−1〉, qn−1, νn−1) −(tn,en)→ (〈κn〉, qn, νn) where ei is the discrete transition enabled after the time delay ti in the vertex qi−1.
Definition 3 (Context-sensitive contraction cnt). Consider a run ρ = (〈κ0〉, q0, ν0) −(t1,e1)→ (〈κ1〉, q1, ν1) −(t2,e2)→ · · · (〈κn−1〉, qn−1, νn−1) −(tn,en)→ (〈κn〉, qn, νn). Assume there are two positions 0 ≤ i < j < n and a function h : {i + 1, · · · , j} → {0, · · · , i − 1} such that (i) (〈κi〉, qi) = (〈κj〉, qj) and (ii) for all i < p < j : (〈κp〉, qp) = (〈κh(p)〉, qh(p)). Then cnt(ρ) = (〈κ′0〉, q′0, ν′0) −(t′1,e′1)→ (〈κ′1〉, q′1, ν′1) −(t′2,e′2)→ · · · (〈κ′m−1〉, q′m−1, ν′m−1) −(t′m,e′m)→ (〈κ′m〉, q′m, ν′m) where
1. m = n − (j − i)
2. for all 0 ≤ p < i, (〈κ′p〉, q′p) = (〈κp〉, qp)
3. for all 1 ≤ p < i, e′p = ep and t′p = tp + Σ_{k ∈ h^{−1}(p−1)} t_{k+1}
4. e′_{i+1} = e_{j+1} and t′_{i+1} = t_{i+1} + t_{j+1}
5. for all i + 1 < p ≤ m, (〈κ′p〉, q′p) = (〈κ_{p+j−i}〉, q_{p+j−i})
Given a run ρ, cnt^0(ρ) = ρ, cnt^1(ρ) = cnt(ρ), cnt^i(ρ) = cnt(cnt^{i−1}(ρ)). The fixpoint cnt∗(ρ) = cnt^n(ρ) such that cnt^n(ρ) = cnt^{n−1}(ρ). We shall prove in the following lemmas that the length of cnt∗(ρ) is independent of ρ.
Lemma 11. Given a type-3 run ρ in the bounded context RHA H, |cnt∗(ρ)| ≤ (α.|Q|.(2.cmax + 1)^{|X|})^2 + 1, where α = Σ_{i=1}^{K} n^i, K is the bound on the context length, and n is the number of boxes in H.
Proof. The contraction of [10] matches the locations in a type-3 run. Thus the size of a contracted type-3 run is |Loc|^2 + 1 (Lemma 7 of [10]) where Loc is the set of locations in the region hybrid automaton. However, we match (context, location) pairs in our context-sensitive contraction.
Suppose ρ is a type-3 run. Let ρ′ = cnt∗(ρ) have M unique (context, location) pairs. Highlighting the first occurrences of these M unique pairs and ignoring the valuations, we have in ρ′, (〈κ1〉, q1)w1(〈κ2〉, q2)w2 . . . (〈κM−1〉, qM−1)wM−1(〈κM〉, qM)wM where the wi are strings over (context, location) pairs which do not contain any first occurrence of a (context, location) pair. Clearly, there are M first occurrences of (context, location) pairs (〈κi〉, qi) for 1 ≤ i ≤ M. Let a portion be a part of ρ′ between two such first occurrences (〈κi−1〉, qi−1) and (〈κi〉, qi), 2 ≤ i ≤ M + 1. In a portion, contraction cannot be applied any more. If it could be, then cnt∗(ρ) would not be a fixpoint. There could be a cl pair such that its first occurrence is at index i, and second occurrence is at index j, i < j; that is, cli = (〈κi〉, qi) = (〈κj〉, qj) = clj, and the index j is part of a later portion (cli is thus underlined, but clj is not). We cannot contract the pairs at indices i, j, since all pairs between cli and clj would not occur prior to cli (if they occur, then ρ′ ≠ cnt∗(ρ)). Thus the number of unique pairs in a portion could be more than 1 and can be at most M. Thus the maximum length of ρ′ ≤ M^2 + 1.
There are at most α = Σ_{i=1}^{K} n^i different contexts of size at most K with any sequence of the n boxes, including a box being called more than once. We know that M is the number of unique (context, location) pairs. Clearly, M ≤ α.|Q|.(2.cmax + 1)^{|X|}, where Q = ⋃_{i=1}^{n} Qi is the union of the sets of vertices Qi of all the n components of the RHA, |Q|.(2.cmax + 1)^{|X|} is the number of vertices in the region RHA and K is the context bound. Thus, the length of a type-3 contracted run is ≤ (α.|Q|.(2.cmax + 1)^{|X|})^2 + 1. Thus proved.
Let us illustrate with an example why a contracted type-3 run cnt∗(ρ) could be of length > α.|Q|.(2.cmax + 1)^{|X|}. Let CL be a set of unique (context, location) pairs (|CL| ≤ α.|Q|.(2.cmax + 1)^{|X|}). Assume CL = {a, b, c, d, e, f}. Let us abuse the notation of a run for a short while and depict it as only a sequence of pairs, ignoring the valuations. Now let cnt∗(ρ) = ρ′ = a → b → c → d → a → e → b → f. Here the portions are ε (between a and b, between b and c, and between c and d), a (between d and e) and b (between e and f). Note that each of these portions themselves cannot be contracted any further. Additionally, although there are two occurrences of a (positions 0 and 4), the pairs between the first and second occurrence of a (these pairs are b, c, d) do not appear prior to a at position 0. Thus contraction cannot be applied to ρ′. Thus |cnt∗(ρ)| could be > α.|Q|.(2.cmax + 1)^{|X|}. However, each portion itself can be at most α.|Q|.(2.cmax + 1)^{|X|} (the number of unique pairs) long. Thus |cnt∗(ρ)| ≤ (α.|Q|.(2.cmax + 1)^{|X|})^2 + 1.
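To make Definition 3 and the portions argument above concrete, here is an added example (not the paper's own code) implementing cnt and its fixpoint cnt∗ on runs whose valuations are dropped, since matching only looks at (context, location) pairs and contraction only moves delays; the box names, vertex names and delays in the sample runs are constructed. With empty contexts it is also the location-matching contraction of [10] from Section 6.1.

```python
"""Context-sensitive contraction cnt of Definition 3 (added example, not the paper's code).

Valuations are omitted: cnt matches (context, location) pairs and only moves time
delays, so a run is a sequence of (context, vertex, delay, edge) steps. Positions
0..i of rho are kept and positions i+1..m of cnt(rho) come from positions j+1..n of
rho, which is what m = n - (j - i) in Definition 3 amounts to.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Step:
    ctx: tuple       # <kappa>: boxes on the call stack; pass-by-reference, so no valuations
    loc: str         # vertex q of the region RHA
    delay: Fraction  # t_p: time spent in the previous vertex before edge e_p fired
    edge: str        # e_p ("" at position 0)


def cl(step):
    """The (context, location) pair used for matching."""
    return (step.ctx, step.loc)


def run_from(spec):
    """Build a run from (ctx, loc, delay) triples; edges are simply named after their target."""
    return [Step(tuple(ctx), loc, Fraction(d), "" if p == 0 else "e->" + loc)
            for p, (ctx, loc, d) in enumerate(spec)]


def duration(run):
    return sum(s.delay for s in run)


def find_contractible(run):
    """Positions 0 <= i < j < n with cl_i = cl_j such that every pair strictly between them
    already occurs before i. Returns (i, j, h) with h as in Definition 3, or None."""
    n = len(run) - 1
    for i in range(n):
        earlier = {}                                  # first occurrence of each pair before i
        for q in range(i):
            earlier.setdefault(cl(run[q]), q)
        for j in range(i + 1, n):
            if cl(run[j]) != cl(run[i]):
                continue
            h = {}
            for p in range(i + 1, j):
                if cl(run[p]) not in earlier:
                    break
                h[p] = earlier[cl(run[p])]
            else:                                     # no break: h is defined on all of i+1..j-1
                return i, j, h
    return None


def cnt(run):
    """One contraction step; returns the run unchanged when no (i, j, h) exists."""
    found = find_contractible(run)
    if found is None:
        return run
    i, j, h = found
    delays = [s.delay for s in run]
    for p, q in h.items():                            # item 3: time spent at a deleted p is
        delays[q + 1] += run[p + 1].delay             # charged to its earlier copy q = h(p)
    kept = [Step(s.ctx, s.loc, delays[p], s.edge) for p, s in enumerate(run[:i + 1])]
    bridge = Step(run[j + 1].ctx, run[j + 1].loc,      # item 4: e'_{i+1} = e_{j+1} and
                  run[i + 1].delay + run[j + 1].delay,  # t'_{i+1} = t_{i+1} + t_{j+1}
                  run[j + 1].edge)
    return kept + [bridge] + list(run[j + 2:])        # item 5: the rest of rho after j+1


def cnt_star(run):
    """The fixpoint cnt*(rho)."""
    while True:
        nxt = cnt(run)
        if nxt == run:
            return run
        run = nxt


# Constructed sample runs; box and vertex names are made up for illustration.
# Inside box b the loop l -> m is traversed twice: m at position 6 matches m at
# position 4, and the l in between (position 5) already occurs at position 3.
LOOP_RUN = run_from([
    ((), "en", 0), ((), "(b,en2)", "1/2"), (("b",), "en2", 0), (("b",), "l", "1/4"),
    (("b",), "m", "1/4"), (("b",), "l", "1/8"), (("b",), "m", "1/8"), (("b",), "ex2", "1/4"),
    ((), "(b,ex2)", 0), ((), "ex", 0)])

# The sequence a b c d a e b f discussed after Lemma 11: a and b both repeat, yet the
# pairs between the two occurrences never appear earlier, so cnt* leaves the run as is.
PORTIONS_RUN = run_from([((), "a", 0)] + [((), q, "1/10") for q in "bcdaebf"])
```

The contracted LOOP_RUN keeps its total duration and its call-port/entry-node adjacency, which is the content of Lemma 13 for this instance.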
Lemma 12. Given a run ρ in the bounded context RHA H, |cnt∗(ρ)| ≤ 24(T.rmax + 1)|X|^2(α|Q|)^2.(2.cmax + 1)^{2|X|}.
Proof. Recall the splitting of a given run prior to contraction detailed in Section 6.1. The given run ρ (type-0) yields (T.rmax + 1) type-1 runs each of which is further split into (3.|X|) type-2 runs. Each type-2 run is split into 2.|X| + 1 type-3 runs. Each contracted type-3 run is at most (α.|Q|.(2.cmax + 1)^{|X|})^2 + 1 long (Lemma 11 above). Thus the length of each contracted type-2 run is
≤ [2.|X| + 1].[(α.|Q|.(2.cmax + 1)^{|X|})^2 + 1]
≤ 2.(|X| + 1).((α.|Q|.(2.cmax + 1)^{|X|})^2 + 1)
≤ 2.(2.|X|).(2.(α.|Q|.(2.cmax + 1)^{|X|})^2) = 8.|X|.(α.|Q|.(2.cmax + 1)^{|X|})^2
Thus the length of cnt∗(ρ) ≤ [(T.rmax + 1).(3.|X|)] . [8.|X|.(α.|Q|.(2.cmax + 1)^{|X|})^2] = 24(T.rmax + 1).|X|^2.(α.|Q|)^2.(2.cmax + 1)^{2.|X|}.
Lemma 13. Given a run ρ in the bounded context RHA H , cnt∗(ρ) is a valid run in H .
Proof. To prove that the contracted run ρ′ = cnt∗(ρ) is valid in the given bounded context RHA H, we need to ensure two conditions:
– the constraints appearing along the transitions of ρ′ are still satisfied, and
– the sequence of boxes (and mapping of call, return, entry, exit vertices) is valid w.r.t. recursive calls in the given RHA. This means a call port and the appropriate entry node should be consecutive in the contracted run, exit nodes and return ports are matched, and the contexts in configurations of ρ′ should be valid successors of the preceding contexts.
The first condition is satisfied as we consider a variant of RHA where all the variables are always passed by reference. Thus the context has no valuations but only a sequence of boxes. The constraints are guaranteed to be satisfied as the run is the same as a hybrid automaton run if the context is ignored. Thus the precautions (in carefully splitting from type-0 to type-3 runs) taken in [10] for hybrid automata suffice with regard to constraints.
The second condition is satisfied due to context-sensitive contraction, wherein the context is also matched in the loop detection. Due to this, a context in the contracted run will be a valid successor of the preceding context. We shall prove by contradiction that there exists no invalid pair of consecutive configurations in the contracted run ρ′. There are several ways in which a pair of configurations can be invalid as predecessor/successor w.r.t. recursion:
– the call port and entry node are mismatched (either of them is missing or matched to another box’s entry node)
– the return node and exit port are mismatched
– the consecutive contexts are incorrect/invalid (the sequences of boxes in the two contexts are such that it is not possible in the RHA semantics to get one sequence from the other via a valid RHA move.)
Let ρ denote a run in the RHA, and let ρ′ be its contraction. For ease of explanation, let us call the successor of a configuration c in ρ succ(c) and its predecessor pred(c). Suppose there exists a pair of consecutive configurations in ρ′ which are invalid w.r.t. recursive calls. Abusing notation, we henceforth consider the context as κ ∈ B∗, ignoring valuations, as all variables are always passed by reference and hence need not be stored in the context.
Let us assume that the contracted run ρ′ has a pair of consecutive configurations c′ −(t,e)→ d′ which are invalid as the call port configuration c′ is not succeeded by the appropriate entry node configuration in the contracted run, i.e., c′ = (〈κ〉, (b, en), ν′) and d′ ≠ (〈κ, b〉, en, ν′) (t = 0 by RHA semantics). Consider configurations c = (〈κ〉, (b, en), ν) and succ(c) = (〈κ, b〉, en, ν) in the given run ρ such that c′ corresponds to c. As d′ ≠ (〈κ, b〉, en, ν′), the configuration succ(c) was deleted during contraction. Thus it must be the case that in ρ, c was at position i while the repeated (context, location) pairs were from position i + 1 to j and d (corresponding to d′ in ρ′) was at position j + 1. But the configuration at i + 1 is succ(c) and this was matched with a configuration, say e, occurring prior to c in ρ: recall the contraction operator deletes repeating occurrences of (location, context) pairs; to delete succ(c) at position i + 1, we have to match the (location, context) pair of succ(c) at position i + 1 with that of some e occurring at a position m < i. Due to the semantics of RHA, pred(e) has (context, location) pair (〈κ〉, (b, en)), which is the same as c. Thus even c would be matched to pred(e) and deleted. This contradicts our assumption that c′ (the equivalent of c) exists in ρ′.
In essence, the call port and entry node configurations always appear consecutive to each other in a given run ρ. Thus, matching a call-port configuration to a configuration c will invariably match the corresponding entry-node configuration to succ(c), which will also be the same entry-node configuration. Similarly, exit-node and corresponding return-port configurations always appear consecutive to each other.
Now, let us consider another pair of invalid consecutive configurations c′1 −(t,e)→ c′2 in ρ′ such that c′1 = (〈b1〉, q1, ν′1) and c′2 = (〈b1b2b3〉, q2, ν′2). Clearly, such a sequence is invalid under the RHA semantics (even if q1 is a call port). During context-sensitive contraction, we match the (context, location) pairs and do not alter the contexts. Now consider two configurations c1 and c2 in ρ which correspond to c′1 and c′2 respectively. Hence c1 = (〈b1〉, q1, ν1) and c2 = (〈b1b2b3〉, q2, ν2) (valuations would differ in the two paths due to contraction). Obviously c2 is not the successor of c1 in ρ, as ρ is the given run (hence valid) and hence cannot have such a pair of consecutive configurations. For c′1 −(t,e)→ c′2 in ρ′, it must be the case that in ρ, c1 is the ith configuration, the repeated (context, location) pairs are from i + 1 to j and c2 is the (j + 1)th configuration. Let pred(c2) be the predecessor of c2 in ρ, i.e., the configuration appearing at position j. Contraction deletes the configurations from i + 1 to j, after matching the (location, context) pairs of positions i, j, and hence c′2 ends up as the successor of c′1. By Definition 3 of contraction, since we verify (li, contexti) = (lj, contextj), we know that the (context, location) pair of c1 is the same as that of pred(c2) (recall c2 occurs at position j + 1, hence pred(c2) is at position j). But then the context of pred(c2) is 〈b1〉, which cannot be followed by 〈b1b2b3〉 of c2 in ρ. This contradicts our assumption that c′2 succeeds c′1 in ρ′.
A similar proof by contradiction can be given for any pair of configurations invalid w.r.t. recursion.
Theorem 5. Time bounded reachability is decidable for bounded context RHA using
only pass-by-reference mechanism.
Proof. Contraction of a given run ρ yields a smaller run ρ′ whose length is independent of ρ. From Lemma 12, we know that |ρ′| ≤ C = 24(T.rmax + 1)|X|^2(α|Q|)^2(2.cmax + 1)^{2|X|}. Additionally, from Lemma 13, ρ′ is a valid run in the RHA. Thus a non-deterministic algorithm (as in the case of hybrid automata [10]) can be used to guess a run of length at most C and then solve an LP to check if there are time values and valuations for each step that make such a run feasible.
6.3 Unbounded context RHA with pass-by-reference only mechanism
We show that our adaptation of contraction does not work on RHAs with unbounded context, as in Figure 12. We cannot apply context-sensitive contraction as the context might grow unboundedly and matching pairs may not be found within a type-3 run.
Fig. 12. RHA with unbounded context. [Figure not reproduced; it shows component B1 with entry en1, box a1 : B2 and exit ex1, and component B2 with entry en2, box a2 : B1 and exit ex2, with edge labels x < 1 and x = 1.]
Consider the run ρ = (〈ε〉, en1, 0) −0.1→ (〈ε〉, (a1, en2), 0.1) −0→ (〈a1〉, en2, 0.1) −0.1→ (〈a1〉, (a2, en1), 0.2) −0→ (〈a1a2〉, en1, 0.2) −0.1→ (〈a1a2〉, (a1, en2), 0.3) −0→ (〈a1a2a1〉, en2, 0.3) −0.1→ (〈a1a2a1〉, (a2, en1), 0.4) −0→ (〈a1a2a1a2〉, en1, 0.4) −0.1→ (〈a1a2a1a2〉, (a1, en2), 0.5) −0→ (〈a1a2a1a2a1〉, en2, 0.5) −0.5→ (〈a1a2a1a2a1〉, ex2, 1) −0→ (〈a1a2a1a2〉, (a1, ex2), 1) −0→ (〈a1a2a1a2〉, ex1, 1) −0→ (〈a1a2a1〉, (a2, ex1), 1) −0→ (〈a1a2a1〉, ex2, 1) −0→ (〈a1a2〉, (a1, ex2), 1) −0→ (〈a1a2〉, ex1, 1) −0→ (〈a1〉, (a2, ex1), 1) −0→ (〈a1〉, ex2, 1) −0→ (〈ε〉, (a1, ex2), 1) −0→ (〈ε〉, ex1, 1). duration(ρ) = 1.
Now consider another run
ρ′ = (〈ε〉, en1, 0) −0.1→ (〈ε〉, (a1, en2), 0.1) −0→ (〈a1〉, en2, 0.1) −0.9→ (〈a1〉, ex2, 1) −0→ (〈ε〉, (a1, en2), 1) −0→ (〈ε〉, ex1, 1).
Note that the start and end configurations of both the runs are the same and duration(ρ′) = 1. However, we cannot apply context-sensitive contraction in this case. There can be several other runs like ρ which have unbounded contexts but have the same effect as ρ′. To be able to obtain ρ′ from ρ, we would need to apply contraction to the contexts too and shorten them in a sensible manner. Our context-sensitive contraction studied earlier does not alter the contexts and hence does not readily extend to this class of RHA. We conjecture this to be decidable with a double layered contraction - one altering the contexts and the other altering the valuations (as seen in [10]).
7 Decidability with one player : Glitch-free RHA with 2
stopwatches
7.1 Region Abstraction of Hybrid Automata with 2 Stopwatch Variables
We first show that the reachability problem is decidable for stopwatch automata (hybrid automata with only stopwatches) with 2 stopwatch variables.
Definition 4 (Singular Hybrid Automata). A Singular Hybrid automaton is a tuple H = (Q, Q0, Σ, X, ∆, I, F) where
– Q is a finite set of control modes including a distinguished initial set of control modes Q0 ⊆ Q,
– Σ is a finite set of actions,
– V is an (ordered) set of variables,
– ∆ ⊆ Q × rect(V) × Σ × 2^X × Q is the transition relation,
– I : Q → rect(V) is the mode-invariant function, and
– F : Q → ℚ^{|V|} is the mode-dependent flow function characterizing the rate of each variable in each mode.
Recall that rect(V) is the set of rectangular constraints over V.
Let H be a singular hybrid automaton with two stopwatch variables V = {x, y}; as both variables are stopwatches, F : Q → {0, 1}^2. Let cmax be the maximum constant used in any of the guards of H. For simplicity, we assume that the hybrid automaton does not have location invariants.
Regions and Region Automaton. We consider a finite partitioning R of ℝ². For each valuation ν = (ν(x), ν(y)) ∈ ℝ², the unique element of R that contains ν is called a region, denoted [ν]. We define the successors of a region R, Succ(rx,ry)(R) ⊆ R, in the following natural way: for rx, ry ∈ {0, 1},
R′ ∈ Succ(rx,ry)(R) if ∃ν ∈ R, ∃t ∈ ℝ such that [ν + (rx, ry)t] = R′
Denote by ν + (rx, ry)t the valuation (ν(x) + rx·t, ν(y) + ry·t). We say that such a finite partition is a set of regions whenever the following condition holds:
R′ ∈ Succ(rx,ry)(R) iff ∀ν ∈ R, ∃t ∈ ℝ such that [ν + (rx, ry)t] = R′
The only kind of updates we consider are those where we reset variables to 0. A
reset res maps a region R to the region res(R) obtained from R by assigning value 0
to all variables which were reset to 0. The set of regions R is compatible with resets
res if whenever a valuation ν′ ∈ R′ is reachable from a valuation ν ∈ R after a reset,
then R′ is reachable from any ν ∈ R by the same reset. Formally, we have
R′ ∈ res(R) → ∀ν ∈ R, ∃ν′ ∈ R′ such that ν′ ∈ res(ν)
The guards ϕ considered in H are boolean combinations of x ⊲⊳ c where x ∈ V and c ∈ ℕ and ⊲⊳ ∈ {<, >, ≤, ≥, =}. A region R is compatible with ϕ iff for all valuations
ν ∈ R, either ν |= ϕ or ν |= ¬ϕ.
We first construct a set of regions for 2 stopwatch automata that are compatible with resets and guards. For z ∈ {x, y}, we define the set of intervals
Iz = {[c] | 0 ≤ c ≤ cmax} ∪ {(c, c + 1) | 0 ≤ c < cmax} ∪ {(cmax, ∞)}
Define α = ((Ix, Iy), ≺), where ≺ is a total preorder on V0 = {x ∈ V | Ix is an interval of the form (c, c + 1)}. The region associated with α, denoted Rα, is the set of valuations
{ν ∈ ℝ² | ν(x) ∈ Ix, ν(y) ∈ Iy and [(x, y ∈ V0, x ≺ y) ↔ (frac(ν(x)) ≤ frac(ν(y)))]}
The finite set R of all such regions Rα forms a partition of ℝ².
Lemma 14. R as defined above, is a set of regions.
Proof. In the sequel, we show that R is a set of regions. Consider α = ((Ix, Iy), ≺). If (Ix, Iy) = ((cmax, ∞), (cmax, ∞)), then for all ν ∈ Rα, for all t ∈ ℝ, ν + (rx, ry)t ∈ Rα for rx, ry ∈ {0, 1}. Hence Succ(rx,ry)(Rα) = Rα. If Succ(rx,ry)(Rα) ≠ Rα, then there is at least one other region in Succ(rx,ry)(Rα) different from Rα. Let Cα denote the region that is closest to Rα. Such a closest region is such that Cα ∈ Succ(rx,ry)(Rα), and for all ν ∈ Rα, for all t ∈ ℝ, if ν + (rx, ry)t ∉ Rα, then ∃t′ ≤ t such that ν + (rx, ry)t′ ∈ Cα. Such a region Cα = ((I′x, I′y), ≺′) is characterized as follows: Let Z = {z ∈ V | Iz is of the form [c]}.
1. If Z ≠ ∅ and rx = ry = 1. Then
– I′z = Iz if z ∉ Z; (c, c + 1) if z ∈ Z, Iz = [c] and 0 ≤ c < cmax; (cmax, ∞) if z ∈ Z and Iz = [cmax].
– x ≺′ y if Ix = [c] with 0 ≤ c < cmax and I′y is of the form (d, d + 1).
2. If Z ≠ ∅ and at least one of rx, ry is 0. Then
– I′z = Iz if rz = 0; [c + 1] if z ∉ Z and rz = 1; (c, c + 1) if z ∈ Z, rz = 1 and 0 ≤ c < cmax; (cmax, ∞) if z ∈ Z, rz = 1 and Iz = [cmax].
– x ≺′ y if rx = 1 and x ∈ Z, y ∉ Z. If (rx = 0 and x ∈ Z) or (rx = 1 and x ∉ Z) or if x, y ∈ Z, then V′0 = ∅.
3. If Z = ∅ and rx = ry = 1. Let M denote the set of variables with the maximum fractional part, whose interval is of the form (c, c + 1) for 0 ≤ c < cmax. Then
– I′z = Iz if z ∉ M; [c + 1] if z ∈ M and Iz = (c, c + 1) with 0 ≤ c < cmax.
– One variable moves to an integer value, or both variables are in (cmax, ∞). Hence V′0 = ∅.
4. If Z = ∅ and at least one of rx, ry is 0. Then
– I′z = Iz if rz = 0; [c + 1] if z ∈ M, rz = 1 and Iz = (c, c + 1) with 0 ≤ c < cmax; [c + 1] if z ∉ M and rz = 1 and Iz = (c, c + 1) with 0 ≤ c < cmax.
– x ≺′ y is the same as x ≺ y when rx = ry = 0. Otherwise, one of the variables gets an integer value, and hence V′0 = ∅.
We now claim that
∀ν ∈ Rα, ∃t ∈ ℝ such that ν + (rx, ry)t ∈ Cα
Let ν be a valuation in Rα. Then let frac(ν(x)) denote the fractional part of ν(x). Similarly for ν(y).
1. If Z ≠ ∅ and rx = ry = 1. Let τ = min{1 − frac(ν(z)) | Iz is of the form (c, c + 1)}. Then ν + (1, 1)·τ/2 is in the region Cα.
2. If Z ≠ ∅ and at least one of rx, ry is 0.
– If x ∈ Z, y ∉ Z and rx = 1, then pick τ = frac(ν(y)). Then ν + (1, 0)·τ/2 is in the region Cα.
– If rx = 0 and x ∈ Z, then pick τ = 1 − frac(ν(y)). Then ν + (0, 1)τ is in the region Cα.
– If rx = 1 and x ∉ Z, then pick τ = 1 − frac(ν(x)). Then ν + (1, 0)τ is in the region Cα.
– If x, y ∈ Z and rx = 1, then pick τ = 0.5. Then ν + (1, 0)τ is in the region Cα.
3. If Z = ∅ and rx = ry = 1.
– Pick the variable z ∈ M. Let τ = 1 − frac(ν(z)). Then ν + (1, 1)τ is in the region Cα.
4. If Z = ∅ and at least one of rx, ry is 0.
– If rx = 1 and ry = 0, pick τ = 1 − frac(ν(x)). Then ν + (1, 0)τ is in the region Cα.
Thus we obtain that Cα ∈ Succ(rx,ry)(Rα) is the closest successor of Rα. Inducting on Cα, we get the closest successor of Cα, which is the successor of Rα 2 steps away, and so on. We write Rα →^n R^n_α if R^n_α is the nth closest successor of Rα with respect to some choice of rates (rx, ry). This clearly means that there is a sequence of regions R^0_α, R^1_α, R^2_α, . . . , R^n_α such that R^0_α = Rα, and R^{i+1}_α is the closest successor of R^i_α for all 1 ≤ i < n.
In this way, we can find all successors R′α of Rα such that R′α ∈ Succ(rx,ry)(Rα) iff for all ν ∈ Rα there exists some t ∈ ℝ such that ν + (rx, ry)t ∈ R′α. Hence, R is indeed a set of regions partitioning ℝ². ⊓⊔
Given two valuations $\nu_1, \nu_2$, we say that $\nu_1$ and $\nu_2$ are equivalent if they lie in the same region, i.e., $[\nu_1] = [\nu_2]$.
Lemma 15. $\mathcal{R}$ is compatible with the guards $\varphi$ and with the resets $\mathit{res}$.
Proof. 1. Let $R' \in \mathit{res}(R)$. Consider $\nu_1, \nu_2 \in R$, i.e., $[\nu_1] = [\nu_2]$. Clearly, $\nu_1(x)$ and $\nu_2(x)$ lie in the same interval; the same holds for $\nu_1(y)$ and $\nu_2(y)$. If the operation $\mathit{res}$ resets $x$, then $\mathit{res}(\nu_1) = (0, \nu_1(y))$ and $\mathit{res}(\nu_2) = (0, \nu_2(y))$. Since $\nu_1(y)$ and $\nu_2(y)$ are in the same interval, we have $[\mathit{res}(\nu_1)] = [\mathit{res}(\nu_2)]$. The same argument applies when $y$ is reset, or when both $x$ and $y$ are reset.
2. Let $\nu_1, \nu_2$ be valuations in the same region $R$, i.e., $[\nu_1] = [\nu_2]$, and let $\varphi$ be a guard. We show that $\nu_1 \models \varphi$ iff $\nu_2 \models \varphi$ by structural induction on $|\varphi|$. If $\varphi$ is atomic, of the form $x \sim c$ with $c \le c_{\max}$, then $\nu_1 \models \varphi$ iff $\nu_2 \models \varphi$, since $\nu_1(x)$ and $\nu_2(x)$ lie in the same interval of the region. Assuming the claim for all guards of size at most $n-1$, a guard of size $n$ is built from smaller guards by the connectives of the guard syntax, and the claim for it follows directly from the inductive hypothesis.
Thus, $\mathcal{R}$ is a finite set of regions compatible with guards and resets, partitioning $\mathbb{R}^2$. ⊓⊔
Hence, we can use the region abstraction for the above set of regions to obtain a region automaton $H_\mathcal{R}$ capturing the untimed language of $H$. The set of states of this region automaton is $Q \times \mathcal{R}$, where $Q$ is the set of modes of $H$. The initial location of $H_\mathcal{R}$ is $(q_0, [(0,0)])$, where $q_0$ is the initial mode of $H$. The transitions of $H_\mathcal{R}$ are defined as $(q, R) \xrightarrow{a} (q', R')$ iff there is a region $\hat{R}$ and a transition from $q$ to $q'$ on $(\varphi, a, \mathit{res})$ in $H$ such that
– $\hat{R} \in \mathrm{Succ}_{(r_x,r_y)}(R)$, where $r_x, r_y$ are the rates of the variables $x, y$ at the mode $q$ of $H$,
– for all $\nu \in \hat{R}$, $\nu \models \varphi$, and
– $\mathit{res}(\hat{R}) = R'$.
The final states of the region automaton are the states $(f, R)$ such that $f$ is a final state of $H$. It can be seen that the language accepted by this region automaton is the untimed counterpart of $L(H)$. Since $\mathcal{R}$ is finite, $H_\mathcal{R}$ is a finite automaton, and reachability in $H$ reduces to reachability in $H_\mathcal{R}$. We thus have the following result.
Theorem 6. The reachability problem for hybrid automata with two stopwatch variables is decidable.
The decidability result above extends to hybrid automata with location invariants as well.
7.2 Region Abstraction for Glitch-free RHA with Two Stopwatch Variables
Given an RHA $H$ with two stopwatch variables $x, y$, we define the regional equivalence relation $\Upsilon_\mathcal{R} \subseteq S_H \times S_H$ in the following way: for configurations $s = (\langle\kappa\rangle, q, \nu)$ and $s' = (\langle\kappa'\rangle, q', \nu')$, we have $(s, s') \in \Upsilon_\mathcal{R}$, or equivalently $[s] = [s']$, if $q = q'$, $[\nu] = [\nu']$ and $[\kappa] = [\kappa']$, where the latter means that $\kappa = (b_1, \nu_1)(b_2, \nu_2)\ldots(b_n, \nu_n)$ and $\kappa' = (b'_1, \nu'_1)(b'_2, \nu'_2)\ldots(b'_n, \nu'_n)$ are such that $b_i = b'_i$ and $[\nu_i] = [\nu'_i]$ for all $1 \le i \le n$.
A relation $B \subseteq S_H \times S_H$ over the set of configurations of a recursive stopwatch automaton is called a time-abstract bisimulation if for every pair of configurations $s_1, s_2 \in S_H$ with $(s_1, s_2) \in B$ and every timed action $(t, a) \in A_H$ with $X_H(s_1, (t, a)) = s'_1$, there exists a timed action $(t', a) \in A_H$ such that $X_H(s_2, (t', a)) = s'_2$ and $(s'_1, s'_2) \in B$, and symmetrically with the roles of $s_1$ and $s_2$ exchanged.
Lemma 16. The regional equivalence relation for glitch-free recursive automata with two stopwatches is a time-abstract bisimulation.
Proof. Let us fix two configurations $s = (\langle\kappa\rangle, q, \nu)$ and $s' = (\langle\kappa'\rangle, q', \nu')$ such that $[s] = [s']$, and a timed action $(t, a) \in A_H$ such that $X_H(s, (t, a)) = s_a = (\langle\kappa_a\rangle, q_a, \nu_a)$. We have to find a $(t', a)$ such that $X_H(s', (t', a)) = s'_a = (\langle\kappa'_a\rangle, q'_a, \nu'_a)$ with $[s_a] = [s'_a]$. There are three cases:
1. The state $q$ is a call port, i.e. $q = (b, en) \in \mathit{Call}$. In this case $t = 0$, the context is $\langle\kappa_a\rangle = \langle\kappa, (b, \nu)\rangle$, $q_a = en$ and $\nu_a = \nu$. Since $[s] = [s']$, we know that $q' = (b, en)$ is also a call port. For $t' = 0$ we get $\langle\kappa'_a\rangle = \langle\kappa', (b, \nu')\rangle$, $q'_a = en$ and $\nu'_a = \nu'$. Since $[\nu] = [\nu']$ and $[\kappa] = [\kappa']$, it is clear that $[s_a] = [s'_a]$.
2. The state $q$ is an exit node, i.e. $q = ex \in EX$. Let $\langle\kappa\rangle = \langle\kappa_*, (b, \nu_*)\rangle$ and let $(b, ex) \in \mathit{Ret}$. In this case $t = 0$, the context is $\langle\kappa_a\rangle = \langle\kappa_*\rangle$, $q_a = (b, ex)$ and $\nu_a = \nu[P(b) := \nu_*]$. Now let $\langle\kappa'\rangle = \langle\kappa'_*, (b, \nu'_*)\rangle$. Again, since $[s] = [s']$, we have $q = q' = ex$, $[\kappa_*] = [\kappa'_*]$ and $[\nu_*] = [\nu'_*]$, and hence $t' = 0$, $\langle\kappa'_a\rangle = \langle\kappa'_*\rangle$, $q'_a = (b, ex)$ and $\nu'_a = \nu'[P(b) := \nu'_*]$. It remains to show that $[\nu_a] = [\nu'_a]$; since $H$ is glitch-free, $P(b)$ is either $V$ or $\emptyset$.
– $P(b) = V$. In this case $\nu_a = \nu_*$ and $\nu'_a = \nu'_*$. Since $[\nu_*] = [\nu'_*]$, we obtain $[\nu_a] = [\nu'_a]$.
– $P(b) = \emptyset$. In this case $\nu_a = \nu$ and $\nu'_a = \nu'$, and since $[\nu] = [\nu']$, we obtain $[\nu_a] = [\nu'_a]$.
3. If the state $q$ is of any other kind, the context does not change, and the result follows from the region construction for two-stopwatch automata used for Theorem 6.
The proof is now complete. ⊓⊔
Lemma 16 allows us to extend the concept of region abstraction to glitch-free recursive automata with two stopwatches.
Region Abstraction for Glitch-free RHA with 2 Stopwatches. Let $H = (V, (H_1, \ldots, H_k))$ be a glitch-free two-stopwatch RHA, where each $H_i$ is a tuple $(N_i, EN_i, EX_i, B_i, Y_i, A_i, X_i, P_i, \mathit{Inv}_i, E_i, J_i, F_i)$. The region abstraction of $H$ is a finite RSM $H^{RG} = (H^{RG}_1, H^{RG}_2, \ldots, H^{RG}_k)$ where, for each $1 \le i \le k$, the component $H^{RG}_i = (N^{RG}_i, EN^{RG}_i, EX^{RG}_i, B^{RG}_i, Y^{RG}_i, A^{RG}_i, X^{RG}_i)$ consists of:
– a finite set $N^{RG}_i \subseteq N_i \times \mathcal{R}$ of nodes such that $(n, R) \in N^{RG}_i$ iff $R \models \mathit{Inv}(n)$. Moreover, $N^{RG}_i$ includes the set of entry nodes $EN^{RG}_i \subseteq EN_i \times \mathcal{R}$ and exit nodes $EX^{RG}_i \subseteq EX_i \times \mathcal{R}$;
– a finite set $B^{RG}_i = B_i \times \mathcal{R}$ of boxes;
– a boxes-to-components mapping $Y^{RG}_i : B^{RG}_i \to \{1, 2, \ldots, k\}$ such that $Y^{RG}_i(b, R) = Y_i(b)$. To each $(b, R) \in B^{RG}_i$ we associate a set of call ports $\mathit{Call}^{RG}(b, R)$ and a set of return ports $\mathit{Ret}^{RG}(b, R)$:
• $\mathit{Call}^{RG}(b, R) = \{(((b, R), en), R') \mid R' \in \mathcal{R} \text{ and } en \in EN_{Y_i(b)}\}$, and
• $\mathit{Ret}^{RG}(b, R) = \{(((b, R), ex), R') \mid R' \in \mathcal{R} \text{ and } ex \in EX_{Y_i(b)}\}$.
Let $\mathit{Call}^{RG}_i$ and $\mathit{Ret}^{RG}_i$ be the sets of call and return ports of the component $H^{RG}_i$. We write $Q^{RG}_i = N^{RG}_i \cup \mathit{Call}^{RG}_i \cup \mathit{Ret}^{RG}_i$ for the vertices of the component $H^{RG}_i$;
– $A^{RG}_i \subseteq \mathbb{N} \times A_i$ is the set of actions, where for $(h, a) \in A^{RG}_i$ the number $h$ is the number of region hops taken before $a$, and $h \le 4c_{\max}$, where $c_{\max}$ is the maximum constant appearing in the guards;
– a transition function $X^{RG}_i : Q^{RG}_i \times A^{RG}_i \to Q^{RG}_i$ with the natural condition that call ports and exit nodes do not have any outgoing transitions. For $q, q' \in Q^{RG}_i$ and $(h, a) \in A^{RG}_i$, we have $q' = X^{RG}_i(q, (h, a))$ if one of the following holds:
• $q = (n, R) \in N^{RG}_i$, there is a region $R_a$ such that $R \to^h R_a$ (with respect to the rates of $x, y$ at $n$) and $R_a \models E_i(n, a)$, and
∗ if $q' = (n', R')$, then $R' = R_a[J_i(a) := 0]$ and $X_i(n, a) = n'$;
∗ if $q' = (((b, R'), en), R'')$, then $R' = R'' = R_a[J_i(a) := 0]$ and $X_i(n, a) = (b, en)$.
• $q = (((b, R_{old}), ex), R_{now})$ is a return port of $H^{RG}_i$. Let $R = R_{old}$ if $P_i(b) = V$ and $R = R_{now}$ otherwise. There is a region $R_a$ such that $R \to^h R_a$ and $R_a \models E_i((b, ex), a)$, and
∗ if $q' = (n', R')$, then $R' = R_a[J_i(a) := 0]$ and $X_i((b, ex), a) = n'$;
∗ if $q' = (((b', R'), en), R'')$, then $R' = R'' = R_a[J_i(a) := 0]$ and $X_i((b, ex), a) = (b', en)$.
The following lemma is a direct consequence of Lemma 16 and the region abstraction for glitch-free RHAs with two stopwatches.
Lemma 17. Reachability (termination) problems and games on glitch-free two stop-
watch RHA can be reduced to solving reachability (termination) problems and games,
respectively, on the corresponding region abstraction HRG.
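The closest-successor construction of the previous section (the claim that every $\nu \in \alpha$ reaches $C_\alpha$ under the rates $(r_x, r_y)$), the region automaton $H_\mathcal{R}$ behind Theorem 6, and the return-port rule of $H^{RG}$ (continue from $R_{old}$ when $P(b) = V$, from $R_{now}$ otherwise) can all be exercised on a small constructed instance. The Python program below is an added example, not code from the paper. It assumes a maximum guard constant CMAX = 2, represents each region by one representative valuation (sound because time successors, guards and resets are region-invariant by Lemmas 15 and 16), computes the ordered sequence of time successors of a region by sampling the instants at which a running variable reaches an integer or its fractional part meets that of a stopped variable, and runs reachability on a constructed two-component glitch-free RHA; the component names Main and Sub, the box b, the vertices en, s0, ex, goal and the guards are all invented for the example. The exploration keeps an explicit stack of (box, region) pairs, which terminates here only because the constructed RHA is not recursive; a general RSM algorithm, as in the reduction of Lemma 17, would instead summarize the entry-to-exit behaviour of each box.

```python
"""Region abstraction for two stopwatches x, y with rates in {0,1}, and
reachability on the region abstraction of a glitch-free RHA.  Added example
(not from the paper); the automaton, its names and CMAX are constructed."""
from collections import deque
from fractions import Fraction as F

CMAX = 2  # assumption: largest constant appearing in any guard


def region(v):
    """Region key of v = (x, y): interval of each variable (integer point, open
    unit interval or (CMAX, inf)) plus the order of the fractional parts when
    both variables lie in open unit intervals."""
    def interval(a):
        if a > CMAX:
            return ('>', CMAX)
        c = int(a)
        return ('=', c) if a == c else ('(', c)
    ix, iy = interval(v[0]), interval(v[1])
    fx = v[0] - int(v[0]) if ix[0] == '(' else None
    fy = v[1] - int(v[1]) if iy[0] == '(' else None
    order = None if fx is None or fy is None else (fx > fy) - (fx < fy)
    return (ix, iy, order)


def time_successors(v, rates):
    """One sample valuation per region entered, in order, as time elapses from
    v with rates (r_x, r_y) in {0,1}: element 0 is in the region of v, element
    h in its h-th closest successor.  A region can only change when a running
    variable reaches an integer or its fractional part meets that of a stopped
    variable, so sampling at those instants and strictly between them suffices."""
    horizon = F(CMAX + 2)          # by then every running variable exceeds CMAX
    cuts = {F(0), horizon}
    for z in (0, 1):
        if rates[z] == 0:
            continue
        targets = [F(k) for k in range(CMAX + 3)]
        w = v[1 - z]
        if rates[1 - z] == 0 and w <= CMAX:
            targets += [F(k) + (w - int(w)) for k in range(CMAX + 3)]
        cuts.update(t - v[z] for t in targets if 0 < t - v[z] < horizon)
    cuts = sorted(cuts)
    samples = [s for a, b in zip(cuts, cuts[1:]) for s in (a, (a + b) / 2)]
    seq = []
    for t in samples + [horizon]:
        w = (v[0] + rates[0] * t, v[1] + rates[1] * t)
        if not seq or region(seq[-1]) != region(w):
            seq.append(w)
    return seq


def make_rha(pass_mode):
    """Constructed two-component glitch-free RHA (assumption).  A vertex is a
    node name or a return port (box, exit); a transition is
    (source, guard, reset, target), and a target (box, entry) is a call port.
    pass_mode is P(b): 'V' restores all variables at return (pass by value),
    '' keeps the callee's values (pass by reference)."""
    return {
        'Main': {'entry': 'en', 'exits': [],
                 'rates': {'en': (1, 1), ('b', 'ex'): (0, 0), 'goal': (0, 0)},
                 'boxes': {'b': ('Sub', pass_mode)},
                 'trans': [('en', lambda v: True, ('x', 'y'), ('b', 's0')),
                           (('b', 'ex'), lambda v: v[0] >= 1, (), 'goal')]},
        'Sub': {'entry': 's0', 'exits': ['ex'], 'rates': {'s0': (1, 0)},
                'boxes': {}, 'trans': [('s0', lambda v: v[0] >= 1, (), 'ex')]},
    }


def reachable_vertices(rha, start):
    """Explore (stack, component, vertex, region) states of the region
    abstraction; the stack holds (box, region at call time) pairs.  Regions are
    handled via one representative valuation each.  Terminates only for
    non-recursive RHAs; a general RSM algorithm would summarize boxes."""
    reps = {}

    def canon(v):                  # canonical representative of v's region
        return reps.setdefault(region(v), v)

    init = ((), start, rha[start]['entry'], canon((F(0), F(0))))
    seen, todo, found = {init}, deque([init]), set()
    while todo:
        stack, comp, vert, v = todo.popleft()
        found.add((comp, vert))
        H, succ = rha[comp], []
        if vert in H['exits']:                      # return through the top box
            if not stack:
                continue
            (box, v_call), stack = stack[-1], stack[:-1]
            caller = next(c for c in rha if box in rha[c]['boxes'])
            v_ret = v_call if rha[caller]['boxes'][box][1] == 'V' else v
            succ.append((stack, caller, (box, vert), canon(v_ret)))
        else:
            for src, guard, reset, tgt in H['trans']:
                if src != vert:
                    continue
                for va in time_successors(v, H['rates'].get(vert, (0, 0))):
                    if not guard(va):
                        continue
                    vr = canon((F(0) if 'x' in reset else va[0],
                                F(0) if 'y' in reset else va[1]))
                    if isinstance(tgt, tuple):      # call port: push (box, region)
                        box, en = tgt
                        succ.append((stack + ((box, vr),), H['boxes'][box][0], en, vr))
                    else:
                        succ.append((stack, comp, tgt, vr))
        for s in succ:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return found


if __name__ == '__main__':
    for mode in ('', 'V'):
        print('P(b) =', mode or 'empty', '-> goal reachable:',
              ('Main', 'goal') in reachable_vertices(make_rha(mode), 'Main'))
```

Running the script shows that goal is reachable when b passes x, y by reference (the values at the exit are kept, so the guard x ≥ 1 at the return port holds) but not when it passes by value (the call-time region, here that of (0, 0), is restored and the stopped return port can never satisfy the guard), which is exactly the $R_{old}$ versus $R_{now}$ choice in the return-port rule. The same engine with a single component and no boxes is the region automaton $H_\mathcal{R}$ of Theorem 6, and two valuations of the same region always yield the same successor sequence, the representative independence that the closest-successor claim establishes.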
7.3 Computational Complexity
The complexity for glitch-free RHAs with two stopwatches is the same as that of glitch-free RTAs with two clocks.
8 Conclusion
The main result of this paper is that the time-bounded reachability problem for recursive timed automata is undecidable for automata with five or more clocks. We also showed that for recursive hybrid automata the reachability problem becomes undecidable even for the glitch-free variant with three stopwatches, and that the corresponding time-bounded problem is undecidable for automata with 14 stopwatches. Using similar proof techniques we have also studied reachability games on recursive hybrid automata, and showed that time-bounded reachability games are undecidable over recursive timed automata with three clocks. Similarly, for glitch-free recursive hybrid automata with three stopwatches, time-bounded reachability games are undecidable. On the positive side, reachability for glitch-free recursive hybrid automata with two stopwatch variables is decidable via the region abstraction of Section 7.
References
1. Parosh Aziz Abdulla, Mohamed Faouzi Atig, and Jari Stenman. Dense-timed pushdown
automata. In LICS, pages 35–44, 2012.
2. R. Alur, M. Benedikt, K. Etessami, P. Godefroid, T. Reps, and M. Yannakakis. Analysis
of recursive state machines. ACM Transactions on Programming Languages and Systems,
27:786–818, July 2005.
3. R. Alur, C. Courcoubetis, T. A. Henzinger, and P.-H. Ho. Hybrid automata: An algorithmic
approach to the specification and verification of hybrid systems. In Hybrid Systems I, volume
736 of Lecture Notes in Computer Science, pages 209–229. Springer-Verlag, 1993.
4. R. Alur and D. Dill. Automata for modeling real-time systems. In Proc. ICALP’90, volume
443 of LNCS. Springer, 1990.
5. Rajeev Alur, Thao Dang, Joel Esposito, Rafael Fierro, Yerang Hur, F. Ivančić, Vijay Kumar, Insup Lee, Pradyumna Mishra, George Pappas, and Oleg Sokolsky. Hierarchical hybrid modeling of embedded systems. In Embedded Software, pages 14–31. Springer, 2001.
6. Rajeev Alur, Kousha Etessami, and Mihalis Yannakakis. Analysis of recursive state ma-
chines. In Computer Aided Verification, volume 2102 of Lecture Notes in Computer Science,
pages 207–220. Springer Berlin Heidelberg, 2001.
7. Thomas Ball and Sriram K. Rajamani. Bebop: A symbolic model checker for boolean pro-
grams. In SPIN, pages 113–130. Springer-Verlag, 2000.
8. M. Benerecetti, S. Minopoli, and A. Peron. Analysis of timed recursive state machines. In
Temporal Representation and Reasoning (TIME), pages 61–68, Sept 2010.
9. Ahmed Bouajjani, Javier Esparza, and Oded Maler. Reachability analysis of pushdown au-
tomata: Application to model-checking. In CONCUR’97, pages 135–150, 1997.
10. Thomas Brihaye, Laurent Doyen, Gilles Geeraerts, Joël Ouaknine, Jean-François Raskin, and James Worrell. Time-bounded reachability for monotonic hybrid automata: Complexity and fixed points. In ATVA, pages 55–70, 2013.
11. K. Cerans. Algorithmic Problems in Analysis of Real-time System Specifications. PhD thesis,
University of Latvia, 1992.
12. Swarat Chaudhuri. Subcubic algorithms for recursive state machines. In POPL, pages 159–169, 2008.
13. Javier Esparza, David Hansel, Peter Rossmanith, and Stefan Schwoon. Efficient algorithms
for model checking pushdown systems. In Computer Aided Verification, volume 1855 of
Lecture Notes in Computer Science, pages 232–247. Springer Berlin Heidelberg, 2000.
14. Kousha Etessami. Analysis of recursive game graphs using data flow equations. In VM-
CAI’04, pages 282–296, 2004.
15. David Harel. Statecharts: A visual formalism for complex systems. Science of Computer
Programming, 8(3):231–274, 1987.
16. T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya. What’s decidable about hybrid au-
tomata? Journal of Computer and System Sciences, 57(1):94 – 124, 1998.
17. Salvatore La Torre, P. Madhusudan, and G. Parlato. The language theory of bounded context-
switching. LATIN, pages 96–107, 2010.
18. Marvin L. Minsky. Computation: finite and infinite machines. Prentice-Hall, Inc., 1967.
19. James Rumbaugh, Ivar Jacobson, and Grady Booch, editors. The Unified Modeling Language Reference Manual. Addison-Wesley Longman Ltd., Essex, UK, 1999.
20. Ashutosh Trivedi and Dominik Wojtczak. Recursive timed automata. In Automated Technol-
ogy for Verification and Analysis, volume 6252 of Lecture Notes in Computer Science, pages
306–324. Springer Berlin Heidelberg, 2010.
21. Igor Walukiewicz. Pushdown processes: Games and model checking. In International Con-
ference on Computer Aided Verification, CAV 1996, pages 62–74, 1996.
