Verification in loosely synchronous queue-connected discrete timed automata, by Ibarra, Oscar H. et al.
Theoretical Computer Science 290 (2003) 1713–1735
Verification in loosely synchronous queue-connected discrete timed automata
Oscar H. Ibarra (a,∗), Zhe Dang (b), Pierluigi San Pietro (c)
(a) Department of Computer Science, University of California, Santa Barbara, CA 93106-5110, USA
(b) School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99164, USA
(c) Dipartimento di Elettronica e Informazione, Politecnico di Milano, Italy
Received 15 May 2001; received in revised form 6 December 2001; accepted 16 January 2002
Communicated by A. Salomaa
Abstract
We look at a model of a queue system that consists of the following components:
1. Two discrete timed automata W (the “writer”) and R (the “reader”).
2. One unrestricted queue that can be used to send messages from W to R. There is no bound on the length of the queue.
W and R do not share a global clock and operate in a loosely synchronous way. That is, the absolute value of the difference between the local time of W and the local time of R is always bounded by a positive constant. We show that the binary reachability for these systems is effectively computable, and this result is generalized to the case when there are two queues (one from W to R and the other from R to W) that operate in half-duplex. We then present some properties (e.g., safety, invariance, etc.) that can be verified for loosely synchronous queue-connected discrete timed automata and give an example of a system composed of a sensor and a controller that is verifiable using our results. © 2002 Elsevier Science B.V. All rights reserved.
Keywords: Discrete timed automata; Queue-connected; Reachability; Safety; Invariance
1. Introduction
Model checking techniques [29] have received much attention in recent years, due to the success of automatic techniques for verifying finite-state systems describing protocols, hardware devices, and reactive systems [12]. The limited expressiveness of finite automata has recently sparked much research to define and study infinite-state models that can verify “interesting” properties such as reachability, safety, liveness, etc. The infinite-state models that have been investigated include timed automata [2], pushdown automata [8,18], various versions of counter machines [13,17], and process calculi [28,6].
A timed automaton is basically a finite automaton with finitely many unbounded clocks that can be tested and reset. Since their introduction and the development of appropriate model checking algorithms [4,3,21], timed automata have become a standard model for investigating verification problems of real-time systems (see [1,31] for surveys). However, the expressive power of timed automata has many limitations in modeling, since many real-time systems are simply not finite-state, even when time is ignored.
Supported in part by NSF grants IRI-9700370 and IIS-0101134.
∗ Corresponding author. Tel.: +1-805-893-41; Fax: +1-805-893-85.
E-mail address: ibarra@cs.ucsb.edu (O.H. Ibarra).
One of the ways to extend a timed automaton is to augment it with an unbounded storage device, e.g., a pushdown stack. It has been shown very recently that the binary reachability of a timed pushdown automaton is decidable [16] when clocks are discrete. This result immediately implies that a number of nonregion properties (e.g., a Presburger formula over clocks) can be verified. This is in contrast to the classical result [2] that region reachability of timed automata is decidable. However, queues, not stacks, are a good model for many interesting systems, such as protocols and schedulers.
Queues are usually regarded as hopeless for verification, since it is well known that a finite-state automaton equipped with one unbounded queue can simulate a Turing machine. However, there are restricted models with queues for which reachability is decidable. These models mostly focus on restricted versions of communicating finite state machines (connecting finite state machines with a number of FIFO queues) [7,9], such as a version in which the queues contain only one type of message and form a single cycle [30], and a version in which the queues are lossy [5]. In this paper, instead of considering finite state machines, we consider discrete timed automata (i.e., clocks are discrete). That is, we study a new queue system, called a queue-connected timed automaton, obtained by connecting two discrete timed automata (one “writer” W and one “reader” R) with a FIFO queue. The queue is unrestricted and is used to send messages from W to R. This model is inspired by the recent work [23] that considers systems with two reversal-bounded counter machines (thus, each counter can be incremented or decremented by 1 and tested for zero, but the number of alternations between nondecreasing mode and nonincreasing mode is bounded by a fixed constant) connected by a FIFO queue. It was shown in [23] that (binary, forward, backward) reachability, safety, and invariance for these systems are solvable when the machines operate synchronously. In this paper, we present similar results for a more complex system of queue-connected discrete timed automata that do not share a global clock and operate in a loosely synchronous way. Our results remain valid when the discrete timed automata are augmented with reversal-bounded counters.
We treat the reader and the writer as running in a distributed environment. Even though our technique is still valid in the case when the reader and the writer share a global clock, we prefer to consider the harder and more realistic case in which the reader and the writer do not share a global clock.
We also allow the reader and the writer to be loosely independent. This means that the local time of the reader and the local time of the writer always stay close: the variation between them is bounded by a constant. This assumption is reasonable. For instance, in a distributed network, time protocols can be used to control clock drift, even though a global clock is not usually assumed. Notice that if the reader and the writer are completely independent instead of loosely independent (i.e., synchronizations are made only at queue operations), the technique presented in this paper can still be used (and more easily).
In our model, the queue is essentially one-way: the model can describe, for instance, a time-dependent communication protocol in which party A can only send messages (through a queue) to party B. In this case, A is the writer and B is the reader. Of course, many protocols involve two-way communication instead of only one-way communication. However, it can be easily shown that adding another queue to our model (from B to A) gives it the power of a Turing machine, even when A and B are finite-state machines (not timed automata). But one-way protocols do exist. For instance, there are a number of well-known producer/consumer models such as the modeling of TCP using an unbounded buffer [10], where the producer (the writer) and the consumer (the reader) operate on an unbounded buffer. There is no pre-assumption on the relative speed of the reader and the writer: they can be synchronous, asynchronous, or loosely synchronous. The results presented in this paper can be easily used to automatically verify safety properties expressed as Presburger formulas over the clock readings in both the consumer and the producer, as well as over the number of symbols in the buffer.
Our model can also handle two-way communication by adding a second queue under some restrictions. One of the restrictions is to make the two queues half-duplex [11]. That is, at any moment, at least one of the queues is empty. It is known that two finite automata connected by two half-duplex queues have a recognizable reachable set [11]. In this paper, we show that our verification results still hold for loosely synchronous QTAs with two half-duplex queues. This result opens the door for verifying a restricted class of two-way timed communication protocols.
Another point that needs mentioning is that, since we are characterizing binary reachability and doing verification over a class of Presburger properties, the traditional region technique [11] is not applicable; i.e., discrete clocks here cannot simply be treated as bounded counters [14]. Therefore, constructing the region graph of the model of interest is not enough to deduce the binary reachability [14,16].
The paper has seven sections, in addition to this section. Section 2 briefly recalls the definition of a discrete timed automaton and its extensions. Section 3 discusses some results in [22,23] that are used in the paper and cites some recent results in [16,26] concerning the binary reachability of discrete timed automata (including those with a pushdown stack and/or reversal-bounded counters). Section 4 formally defines queue-connected timed automata and shows that binary reachability is effectively computable. Section 5 extends the verification results to loosely synchronous QTAs with two half-duplex queues. Section 6 presents some properties that can be verified for queue-connected timed automata, including safety and invariance. Section 7 gives an example of a system composed of a sensor and a controller. Section 8 is a brief conclusion.
2. Discrete timed automata and extensions
A timed automaton [2] is a finite-state machine augmented with a number of real-valued clocks. All the clocks progress synchronously with rate 1, except that a clock can be reset to 0 at some transition. Here, we only consider integer-valued clocks. A clock constraint is a Boolean combination of atomic clock constraints of the following form: x # c, x − y # c, where # denotes ≤, ≥, <, >, or =, c is an integer, and x, y are integer-valued clocks. Let L_X be the set of all clock constraints on clocks X. Let Z be the set of integers and N be the set of nonnegative integers. Formally, a discrete timed automaton (TA) A is a tuple 〈S, X, E〉 where S is a finite set of (control) states, X is a finite set of clocks with values in N, and E ⊆ S × 2^X × L_X × S is a finite set of edges or transitions. Each edge 〈q, , l, q′〉 in E denotes a transition from state q to state q′ with an enabling condition l ∈ L_X and a set of clock resets ⊆ X. Note that the reset set may be empty. A configuration is a tuple (q, X) where q is a state and X is an array of clock values (we use X_i to denote the clock value of x_i). The meaning of a one-step transition along an edge 〈q, , l, q′〉 that sends a configuration (q, X) to (q′, X′) is as follows:
• The enabling condition l is satisfied on the configuration (q, X); i.e., l(X) holds.
• The state q is set to a new state q′.
• Each clock changes according to the following. If there are no clock resets on the edge, i.e., the reset set is ∅, then each clock x_i ∈ X progresses by one time unit; i.e., X′_i = X_i + 1. If the reset set is nonempty, then each clock x_i in the reset set is reset to 0 (X′_i = 0), while each x_j not in the reset set remains unchanged (X′_j = X_j). Thus, clock resets do not take time.
Timed automata have been extended with various unbounded memory structures, such as stacks and reversal-bounded counters. When a TA is augmented with an unrestricted pushdown stack, the one-step transition will be of the form 〈q, , l, q′, Z, w〉, where Z denotes the top of the stack, and w is the string that replaces Z (w equal to the empty string means pop/erase). We call this model a (discrete) pushdown timed automaton (PTA).
A PTA can further be generalized by equipping it with k reversal-bounded counters (i.e., each counter can be incremented or decremented by one and tested for zero, but the number of times it changes mode from nondecreasing to nonincreasing and vice versa is bounded by a constant, independent of the computation). The one-step transition is of the form 〈q, , l, q′, Z, w, b_1, …, b_k, d_1, …, d_k〉, where b_i is the status of counter i (zero or nonzero), and d_i is 1, 0, or −1 (representing increasing by 1, staying unchanged, or decreasing by 1, respectively). This model is called a reversal-bounded multicounter pushdown timed automaton (CPTA). A CPTA without a pushdown will be called a CTA. Note that TAs, PTAs, CPTAs, and CTAs have no input tapes.
A configuration of a CPTA A is a 4-tuple (q, X, Y, w), where q is the state (from a finite set), X is the array of clock values, Y is the array of counter values, and w is the content of the pushdown stack. Note that a configuration can be represented as a string where the components of the tuple are separated by markers and the state, clock values, and counter values are written in unary. Note also that Y (resp. w) is not present in the configuration if there are no reversal-bounded counters (resp. no stack). The binary reachability of A is the set R(A) of all pairs of configurations such that the first configuration can reach the second in 0 or more one-step transitions. Section 3 reports on the main decidability results for PTAs, CPTAs and CTAs.
3. Pushdown acceptors with reversal-bounded counters and reachability
A pushdown acceptor with reversal-bounded counters (PCA), first studied in [22], is a nondeterministic one-way (input) pushdown automaton augmented with finitely many reversal-bounded counters. Without loss of generality, we assume that the counters can only store nonnegative integers, since the finite-state control can remember the signs of the numbers. Though not necessary (since it is one-way), we assume, for convenience, that the one-way read-only input to the PCA has left and right delimiters. A PCA without a pushdown stack is called a CA. PCAs, even CAs, are quite powerful and can recognize rather complex languages. Decidability/complexity results concerning PCAs (CAs) have been obtained in [22,20]. Some of the results were recently used to show the decidability/complexity of some decision problems (containment, equivalence, disjointness, etc.) for database queries with linear constraints [25,27]. A fundamental result in [22] is the following:
Theorem 1. The emptiness problem for PCAs (i.e., given a PCA M, is the language L(M) accepted by M empty?) is decidable.
PCAs can be generalized to have multiple one-way input tapes (one head per tape).
Thus, a k-tape PCA M accepts a set L(M) of k-tuples of strings. A 1-tape PCA will
simply be called a PCA. The following corollary is easily shown using the above
theorem (see [23]).
Corollary 1. The emptiness problem for multitape PCAs is decidable.
The decision questions (reachability, safety, etc.) investigated in this paper are
reducible to the emptiness problem for multitape PCAs.
Theorem 2. (i) Let A be a TA. Then R(A) is Presburger [14,16] and can be accepted by a 2-tape CA [16]. (This means that we can effectively construct from A a 2-tape CA that, when given a pair of configurations on its two input tapes, accepts if and only if the pair is in R(A).)
(ii) Let A be a PTA. Then R(A) can be accepted by a 2-tape PCA [16].
(iii) Let A be a CPTA. Then R(A) can be accepted by a 2-tape PCA [26].
(iv) Let A be a CTA. Then R(A) is Presburger and can be accepted by a 2-tape CA [26].
4. Queue-connected timed automata
The model of synchronized queue-connected reversal-bounded multicounter machines was introduced and investigated in [23]. We now study the model in which the two machines connected by the queue are discrete timed automata that operate in a loosely synchronous manner. Intuitively, a queue-connected discrete timed automaton (QTA) M can be described as follows.
• Two TAs W (the “writer”) and R (the “reader”).
• One unrestricted queue that can be used to send messages from W to R. There is no bound on the length of the queue.
• Each transition of the timed automaton W (resp. R) is augmented by a write (resp. read) operation to (resp. from) the queue.
Formally, a QTA M is a tuple 〈S_R, S_W, X, Y, E_R, E_W, , d〉 where
• S_R and S_W are two finite sets of (control) states of the reader R and the writer W, respectively.
• X and Y are two sets of clocks for the reader R and the writer W, respectively, with X ∩ Y = ∅.
• A queue alphabet is given, together with two special symbols not in it: the empty symbol (meaning no queue operation) and #.
• E_R ⊆ S_R × 2^X × L_X × S_R × ({empty symbol, #} ∪ queue alphabet) is a finite set of transitions for the reader R. We use T_R = 〈q, , l, q′, a〉 to denote a transition. A transition T_R is progressable if its reset set is ∅ (i.e., all the clocks in X must progress along the edge).
• E_W ⊆ S_W × 2^Y × L_Y × S_W × ({empty symbol} ∪ queue alphabet) is a finite set of transitions for the writer W. We use T_W = 〈p, , l, p′, a〉 ∈ E_W to denote a transition. T_W is progressable if its reset set is ∅.
• d ≥ 0, an integer constant, will be made clear in a moment.
A configuration of a QTA is a tuple (q, X, p, Y, w) where q is a state of R and X is an array of clock values of R, p is a state of W, Y is an array of clock values of W, and w, a string over the queue alphabet, is the content of the queue (the leftmost symbol is the head, i.e., the reader end, and the rightmost is the tail, i.e., the writer end).
Before we formally define the semantics of a QTA M, we first intuitively describe what the intended executions of M are. The writer (resp. the reader) can be thought of as a timed automaton with an output (resp. input) tape. In fact, the queue can be regarded as an output tape when writing to it, and as an input tape when reading from it. The writer and the reader operate independently; the only restriction is that, when the reader reads a symbol a from the queue, a must have been “previously” written by the writer. Therefore, we should have some way to define a (causal) ordering of read/write events in M. We introduce two special clocks now_W (for the writer) and now_R (for the reader). They measure the local time of the reader and the writer, i.e., the total number of progressable transitions executed so far. Initially, they both start from 0. Clocks now_W and now_R are not necessarily synchronous (imagine that the reader and the writer are located in a distributed environment), but they will not drift too far from each other. That is, we assume now_W and now_R are loosely synchronous, i.e., the difference between them is bounded: |now_W − now_R| ≤ d for the pre-assigned constant d ≥ 0 in the definition of M. With the two local times included, a configuration (q, X, p, Y, w) is then expanded to an extended configuration Q = (q, X, p, Y, w, now_R, now_W). Such a Q is initial if now_R = now_W = 0, and it is consistent if |now_W − now_R| ≤ d. Now, the semantics is defined on extended configurations, as follows.
Let =(q;X; p;Y; w) and =(q′;X′; p′;Y′; w′) be two con!gurations with their ex-
tended con!gurations Q=(q;X; p;Y; w; nowR ; nowW) and Q=(q′;X′; p′;Y′; w′; now′R ;
now′W).
O.H. Ibarra et al. / Theoretical Computer Science 290 (2003) 1713–1735 1719
A read-transition TR ∈ER sends Q to Q, written Q TR→ Q; if
• TR = 〈q; ; l; q′; a〉 for some ⊆X , l∈LX , and a∈{; #}∪ .
• The state and the clock values of the writer are una;ected. That is, p=p′, Y=Y′
and nowW = now′W.
• When R is regarded as a TA with queue operations ignored, con!guration (q;X)
reaches con!guration (q′;X′) along the edge 〈q; ; l; q′〉. In particular, if the edge is
progressable, then now′R = nowR + 1, else now
′
R = nowR.
• The queue is updated according to symbol a in TR. That is,
◦ If a= , then R does not read from the queue; i.e., w=w′. In this case, the
transition is called internal.
◦ If a∈ , then a is the head of the queue and R reads from the queue; i.e., w= aw′.
The result is that a is deleted from the queue.
◦ If a=#, then both w and w′ must be the empty string, i.e., the queue is empty. In
this case, the transition is called an empty-queue transition, which is also internal.
Similarly, a write-transition T_W ∈ E_W sends Q to Q′, written Q →_{T_W} Q′, if
• T_W = 〈p, , l, p′, a〉 for some reset set ⊆ Y, l ∈ L_Y, and a in {empty symbol} ∪ queue alphabet.
• The state and the clock values of the reader are unaffected. That is, q = q′, X = X′ and now_R = now′_R.
• When W is regarded as a TA with queue operations ignored, configuration (p, Y) reaches configuration (p′, Y′) along the edge 〈p, , l, p′〉. In particular, if the edge is progressable, then now′_W = now_W + 1, else now′_W = now_W.
• The queue is updated according to symbol a in T_W. That is,
◦ If a is the empty symbol, then W does not write on the queue; i.e., w = w′. In this case, the transition is called internal.
◦ If a is in the queue alphabet, then W writes a on the queue; i.e., w′ = wa.
Notice that internal transitions do not change the queue content. Both →_{T_R} and →_{T_W} only characterize local changes with respect to the reader and the writer. The global changes of M are defined through interleavings of →_{T_R} and →_{T_W}. M sends Q to Q′ in a one-step transition, written Q →_M Q′, if both Q and Q′ are consistent and either Q →_{T_R} Q′ for some T_R or Q →_{T_W} Q′ for some T_W. Define →*_M to be the transitive closure of →_M. The notation Q →*_M Q′ says that Q can reach Q′ through a sequence of read-transitions and write-transitions such that each intermediate configuration is consistent (i.e., the local times do not drift too far away from each other). In particular, a configuration reaches another one in M, written with ❀_M, if there are extended configurations Q of the first and Q′ of the second such that Q is initial and Q →*_M Q′. The binary reachability R(M) of M is the set of all pairs of configurations related by ❀_M. This paper will show a language property for the binary reachability (when the components of each configuration are represented as strings, separated by markers, with the states and the clock values written in unary).
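As an added example (not code from the paper), the one-step semantics defined above written out in Python: ta_step is the Section 2 TA step (resets take no time, otherwise every clock progresses by one), and QTA.read_step, QTA.write_step and QTA.run are the read- and write-transitions on extended configurations with the consistency check |now_W − now_R| ≤ d applied at every step. The two-state writer/reader system, its edge names and d = 2 are constructed for illustration and are not from the paper.

```python
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

EPS = ""     # the empty symbol: the transition performs no queue operation
EMPTY = "#"  # reader-only symbol: enabled only when the queue is empty
Clocks = Dict[str, int]

# Edge <src, resets, guard, dst, sym>: resets is the set of clocks reset to 0 (an empty
# set makes the edge progressable), guard is the enabling clock constraint l evaluated
# on a clock valuation, and sym is EPS, EMPTY or a queue symbol.
Edge = namedtuple("Edge", "src resets guard dst sym")
# Extended configuration (q, X, p, Y, w, now_R, now_W) of the paper.
ExtConfig = namedtuple("ExtConfig", "q X p Y w nowR nowW")


def ta_step(state: str, clocks: Clocks, e: Edge) -> Optional[Tuple[str, Clocks, bool]]:
    """One-step TA transition along e (Section 2 semantics).

    Returns (new_state, new_clocks, progressed), or None if e is not enabled.
    Without resets every clock advances by one time unit (a progressable edge);
    with resets the listed clocks become 0 and the others keep their values,
    so a reset takes no time.
    """
    if e.src != state or not e.guard(clocks):
        return None
    if e.resets:
        return e.dst, {x: (0 if x in e.resets else v) for x, v in clocks.items()}, False
    return e.dst, {x: v + 1 for x, v in clocks.items()}, True


class QTA:
    def __init__(self, ER: List[Edge], EW: List[Edge], d: int):
        self.ER, self.EW, self.d = ER, EW, d

    def consistent(self, c: ExtConfig) -> bool:
        return abs(c.nowW - c.nowR) <= self.d

    def read_step(self, c: ExtConfig, e: Edge) -> Optional[ExtConfig]:
        """Read-transition: the writer's part is untouched; a must be the queue head."""
        r = ta_step(c.q, c.X, e)
        if r is None or (e.sym == EMPTY and c.w):   # empty-queue test on a nonempty queue
            return None
        q2, X2, prog = r
        if e.sym in (EPS, EMPTY):
            w2 = c.w                                 # internal transition: queue unchanged
        elif c.w.startswith(e.sym):
            w2 = c.w[len(e.sym):]                    # w = a w'
        else:
            return None
        return ExtConfig(q2, X2, c.p, dict(c.Y), w2, c.nowR + int(prog), c.nowW)

    def write_step(self, c: ExtConfig, e: Edge) -> Optional[ExtConfig]:
        """Write-transition: the reader's part is untouched; a is appended at the tail."""
        r = ta_step(c.p, c.Y, e)
        if r is None:
            return None
        p2, Y2, prog = r
        w2 = c.w if e.sym == EPS else c.w + e.sym    # w' = w a
        return ExtConfig(c.q, dict(c.X), p2, Y2, w2, c.nowR, c.nowW + int(prog))

    def run(self, c: ExtConfig, trace: List[Tuple[str, Edge]]) -> Optional[ExtConfig]:
        """Fire an interleaving of ("R", edge) / ("W", edge) steps; every configuration
        on the way must be consistent, i.e. satisfy |now_W - now_R| <= d."""
        if not self.consistent(c):
            return None
        for who, e in trace:
            c = self.read_step(c, e) if who == "R" else self.write_step(c, e)
            if c is None or not self.consistent(c):
                return None
        return c


def example_system() -> Tuple[QTA, ExtConfig, Dict[str, Edge]]:
    """Constructed sample: W emits 'a' every 2 ticks, R ticks freely and consumes 'a', d = 2."""
    E = {
        "tick_W": Edge("w0", frozenset(), lambda c: c["y"] < 2, "w0", EPS),
        "put": Edge("w0", frozenset({"y"}), lambda c: c["y"] == 2, "w0", "a"),
        "tick_R": Edge("r0", frozenset(), lambda c: True, "r0", EPS),
        "take": Edge("r0", frozenset({"x"}), lambda c: True, "r0", "a"),
    }
    M = QTA(ER=[E["tick_R"], E["take"]], EW=[E["tick_W"], E["put"]], d=2)
    return M, ExtConfig("r0", {"x": 0}, "w0", {"y": 0}, "", 0, 0), E


def paced_trace(E: Dict[str, Edge]) -> List[Tuple[str, Edge]]:
    """Writer and reader alternate one message at a time: never more than d apart."""
    period = [("W", E["tick_W"]), ("W", E["tick_W"]), ("W", E["put"])]
    reader = [("R", E["tick_R"]), ("R", E["tick_R"]), ("R", E["take"])]
    return period + reader + period + [("R", E["take"])]


def runaway_writer_trace(E: Dict[str, Edge]) -> List[Tuple[str, Edge]]:
    """Writer keeps ticking while the reader is idle: now_W - now_R reaches 3 > d."""
    period = [("W", E["tick_W"]), ("W", E["tick_W"]), ("W", E["put"])]
    return period + [("W", E["tick_W"])]
```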
From now on, we assume that Q and Q′ are consistent, with Q being initial. Suppose Q can reach Q′ through a sequence & of read- and write-transitions. This particular sequence may not satisfy the condition that each intermediate configuration is consistent, i.e., it need not witness Q →*_M Q′. However, it can easily be observed that, if the sequence is internal, i.e., it contains only internal transitions (thus, the queue content is not changed by firing the sequence of transitions), then the sequence can be re-organized such that Q →*_M Q′.
Lemma 1. If Q can reach Q′ through an internal sequence of read- and write-transitions, then Q →*_M Q′.
Assume & = &_1 ··· &_m and (_i →_{&_{i+1}} (_{i+1} for each 0 ≤ i ≤ m − 1, with (_0 = Q and (_m = Q′. For now, we assume that, for each i, &_i is not an empty-queue transition. Later we shall see how to incorporate empty-queue transitions into the sequence &. Let &_{k_1}, …, &_{k_n} be all the external (i.e., not internal) transitions in &, with 1 ≤ k_1 < ··· < k_n ≤ m. From Lemma 1, if, for all 1 ≤ i ≤ n, (_{k_i − 1} and (_{k_i} are both consistent, then Q →*_M Q′. The reason is that the transitions between &_{k_i} and &_{k_{i+1}} can be re-organized such that the intermediate configurations are consistent. Therefore, we will focus on the external sequence &_{k_1}, …, &_{k_n}. For simplicity, we write this sequence as )_1, …, )_n.
If, for all 1 ≤ i ≤ n, the configuration of M immediately before firing )_i and the configuration of M immediately after firing )_i are both consistent, then obviously Q →*_M Q′. Each )_i may be associated with a number, or timestamp:
• If )_i is a write-transition writing a symbol a (to the queue), then its timestamp is the value of the local time of the writer after )_i. This timestamp is also called the write-timestamp for the symbol a.
• If )_i is a read-transition reading a symbol a (from the queue), then its timestamp is the value of the local time of the reader before )_i. This timestamp is also called the read-timestamp for the symbol a.
Each individual symbol that appears in the queue during the sequence of transitions & = &_1 ··· &_m is associated with a pair of a read-timestamp and a write-timestamp (the read-timestamp is ∞ if the symbol is not read from the queue before reaching Q′; the write-timestamp is 0 if the symbol is originally in the starting configuration Q). In the following, we will deduce a condition on these timestamp pairs. This condition is equivalent to the existence of the required sequence of external transitions )_1, …, )_n witnessing Q →*_M Q′. The condition will later allow us to use an alternating simulation technique to show that Q →*_M Q′.
To derive this condition, we may look at the sequence & in a different way. Let w be the queue content in the starting configuration and v be the queue content in the final configuration. Consider a string wuv over the queue alphabet. The string wu consists of all the symbols that will be read by the reader from the queue, while uv consists of all the symbols that will be written by the writer to the queue. The string wuv is associated with two sequences of (nonnegative) numbers: t_W and t_R. The ith symbol a in wuv is therefore associated with t_W(i) (the write-timestamp) and t_R(i) (the read-timestamp). When the index is clear, we simply write t_W(a) and t_R(a). Given w, u, v and t_W, t_R, we assume that:
• Each symbol in w has write-timestamp 0.
• Each t_R(i), t_W(i) < ∞, except that each symbol in v has read-timestamp ∞ (indicating that these symbols will not be read).
• t_W(i) ≤ t_W(i + 1) and t_R(i) ≤ t_R(i + 1), for all 1 ≤ i ≤ |wuv| − 1.
Now the QTA can be thought of as working in the following way. The reader scans the string wu from left to right while executing its transitions and updating its clocks. Each symbol read from the queue by the reader is exactly the symbol currently being scanned: the reader will make sure that its local time is the same as the read-timestamp of the symbol (provided by t_R). The writer, on the other hand, scans the string uv from left to right. While executing its transitions and updating its clocks, the writer may write a symbol into the queue. The writing is simulated by reading the symbol currently being scanned (by the writer). The writer makes sure that its local time (after the write) is the same as the write-timestamp of the symbol provided by t_W. The reader R and the writer W work independently. Each reading (writing) of R (resp. W) corresponds to an external read-transition (resp. write-transition) )_i. We have to make sure that (1)
• R and W start from the clock values indicated in Q.
• R and W stop at the end of wu and uv, respectively, with the clock values indicated in Q′.
and (2) the loosely synchronous conditions hold:
• Each symbol currently being scanned by R must already have been scanned by W. That is, looking at the positions of R and W, R is never ahead of W.
• The local time difference between R and W is bounded by d. That is, R and W are loosely synchronous.
It is clear that the existence of a sequence of transitions of R and W satisfying the above two conditions guarantees that Q →*_M Q′, since this is equivalent to the existence of an external sequence )_1, …, )_n as mentioned before. But we are interested in finding a condition on t_R and t_W such that, whenever there is a sequence of moves for which condition (1) holds, the sequence can be modified such that both (1) and (2) hold, i.e., Q →*_M Q′. That is, we could use the condition on t_R and t_W to control the pace of R and W to make them loosely synchronous. The condition is:
(3) for each index i in string wu, t_W(i) − t_R(i) ≤ d.
That is, at each position in string wu, the write-timestamp cannot be larger than the read-timestamp by more than d.
Before we justify condition (3), we need a technical lemma.
Lemma 2. For any two nondecreasing sequences n_1, …, n_k and m_1, …, m_k, k ≥ 1, of nonnegative integers, the following conditions (A) and (B) are equivalent:
(A) m_i − n_i ≤ d for each i,
(B) there exist two nondecreasing sequences m′_1, …, m′_k and n′_1, …, n′_k such that
(a) m′_i ≤ n_i, for each i,
(b) m_i ≤ n′_i, for each i, and
(c) |m′_i − m_i| ≤ d and |n′_i − n_i| ≤ d, for each i.
Proof. (A) ⇒ (B). Take m′_i = min(n_i, m_i) and n′_i = max(n_i, m_i). Both m′_1, …, m′_k and n′_1, …, n′_k are nondecreasing sequences. Clearly, (a) and (b) hold. (A) implies either m_i ≤ n_i or m_i > n_i with |m_i − n_i| ≤ d. Both cases imply |min(n_i, m_i) − m_i| ≤ d and |max(n_i, m_i) − n_i| ≤ d (i.e., (c)). Hence, (A) ⇒ (B).
(B) ⇒ (A). If m_i < n_i, (A) trivially holds. If n_i ≤ m_i, then, from (a) and (b), we have m′_i ≤ n_i ≤ m_i ≤ n′_i. From (c), we have (A).
Lemma 3. Conditions (1) and (3) are equivalent to the existence of a sequence of
transitions of R and W satisfying conditions (1) and (2).
Proof. In order to use Lemma 2, let k be the length of string wu. Values n_1, …, n_k are the read-timestamps t_R, and values m_1, …, m_k are the write-timestamps t_W. The integer m′_i stands for the local time of the reader when the ith symbol in wu is written by the writer; n′_i stands for the local time of the writer when the ith symbol in wu is read by the reader. Conditions (1) and (2) imply conditions (a), (b) and (c). This is because
• condition (a) requires that the writing of this symbol is ahead of its reading by the reader,
• condition (b) requires that this reading is after this symbol was written, and
• condition (c) guarantees that the reader and the writer are loosely synchronous at each external transition (i.e., a read or a write of a symbol).
Therefore, from Lemma 2, conditions (1) and (2) also imply conditions (1) and (3). The other direction (i.e., from (1) + (3) to (1) + (2)) of the lemma is obvious, by choosing a proper interleaving of R and W such that m′_i and n′_i are min(m_i, n_i) and max(m_i, n_i), respectively, according to the proof of Lemma 2.
Hence, in order to show Q →*_M Q′, we need only show that there is a sequence of transitions such that (3) and (1) are satisfied. This essentially says we need only construct two sequences t_R and t_W satisfying (3). This will greatly simplify our discussion, since the construction can be realized by simulating the reader and the writer alternately and by checking whether (3) holds, as shown in the following proof. The simulation itself does not guarantee that the reader and the writer are loosely synchronous. However, it does guarantee that there is a sequence of transitions that makes them loosely synchronous.
Let =(q;X; p;Y; w) and =(q′;X′; p′;Y′; w′) be two con!gurations. Suppose we
want to check if  is reachable from ; i.e., (; )∈R(M). The pair of con!gurations
(; ) is a tuple (q;X; p;Y; w; q′;X′; p′;Y′; w′). For now, to simplify the proofs, we use
an equivalent representation of the two con!gurations:
(q;X; p;Y; w; q′;X′; p′;Y′; i; u);
where (q;X; p;Y; w) is con!guration ; q′;X′; p′;Y′ are the states and clock values of
con!guration ; u is the string W wrote during the computation from  to ; i is the
length of the pre!x of wu that was read by R in reaching . Thus, w′ is the suSx of
wu starting at position i + 1. In (q′;X′; p′;Y′; i; u), we shall refer to (q′;X′; i) as the
R-component of con!guration  and (p′;Y′) as the W -component of .
Based on the discussion of condition (3), we now show that if M is a QTA, then
the binary reachability R(M) is computable and can be accepted by a 2-tape PCA.
First we note that we can view the clocks in R and W of a QTA M as counters, which we shall also refer to as clock-counters. In a reversal-bounded multicounter machine, only standard tests (comparing a counter against 0) and standard assignments (increment or decrement a counter by 1, or simply no change) are allowed. But clock-counters in either R or W do not have standard tests or standard assignments, for the following reasons. A clock constraint allows comparison between two clocks, such as x_1 − x_2 > 5. Note that using only standard tests we cannot directly compare the difference of two clock-counter values against an integer constant such as 5 just by storing x_1 − x_2 in another counter, since each time this “storing” is done, it causes at least one counter reversal, and the number of such tests during a computation can be unbounded. On the other hand, a clock progress x := x + 1 is standard, but a clock reset x := 0 is not. Since there is no bound on the number of clock resets, clock-counters may not be reversal-bounded (each reset causes a counter reversal). Besides this obvious obstacle in relating clock-counters to reversal-bounded counters, we have another difficulty in handling the queue in a QTA M. It is well known that a finite-state machine augmented with a queue already has the computing power of a Turing machine. In the following intermediate result, we will show an alternating simulation technique to simulate the queue using two one-way input tapes.
Define a semi-PCA as a PCA that, in addition to a stack and reversal-bounded counters, has clock-counters that use nonstandard tests and assignments as described in the above paragraph. The proof of the following theorem uses ideas in [23].
Theorem 3. We can effectively construct, given a loosely synchronous QTA M, a 2-tape semi-PCA A accepting R(M).
Proof. Let d be the integer constant associated with M. Suppose that A is given a pair of configurations (α, β) represented by
(q, X, p, Y, w, q′, X′, p′, Y′, i, u),
where (q, X, p, Y, w) is on tape1 and (q′, X′, p′, Y′, i, u) is on tape2. A first reads q, X, p, Y from tape1 and q′, X′, p′, Y′, i from tape2, using counters to record these values. At this point, the tape1 head is at the beginning of w and the tape2 head is at the beginning of u. There are two cases to consider. The first case is when R reads only symbols from w and does not read any symbol from u during the computation from α to β. The second case is when R reads past w. The PCA A begins by guessing which case to simulate. We describe only the operation of A for the latter case (which is harder).
The technique is that A alternately simulates R and W with the following procedure. Note that when R (resp. W) is being simulated, W (resp. R) is suspended (without changing state and clock values). The PCA A simulates the computation of R starting in state q and with counter values X, and using tape1 (which contains w). Also, A uses a counter nowR to keep track of the running time of R (i.e., nowR, initially 0, counts the number of progressable transitions that R has executed so far; note that nowR is nondecreasing). When R attempts to read past w on tape1, A suspends the simulation (A records the current values) and begins the simulation of W starting in state p and counter values Y. Moreover, A uses a nondecreasing counter nowW to keep track of the running time of W (i.e., nowW counts the number of progressable transitions W has executed so far). When W writes the first symbol, say a, of u (writing is simulated by reading a symbol of u on tape2), A continues the simulation until W attempts to write the next symbol. When this happens, A then suspends the simulation of W and resumes the simulation of R until R attempts to read past a. Then A resumes the simulation of W. The process of switching the simulations between W and R continues, while a pushdown stack is used to keep track of the difference between the time tR(j), when the jth symbol of u was read by R, and the time tW(j), when the jth symbol of u was written by W. The stack makes sure that tW(j) − tR(j) ≤ d. This is possible since the pushdown stack can be used as an unrestricted counter (i.e., there is no bound on the reversals). As we assumed before, empty-queue transitions of the reader were not allowed in the process of →∗M. This assumption is not necessary, since whenever an empty-queue transition is executed in the simulation of R, the emptiness of the queue can be justified by |tW(j) − tR(j)| ≤ d. At some point during the simulation, after R has read the kth symbol of u (for some k), A guesses that R has read its last symbol from the queue. A continues the simulation of R and at some point guesses that R has reached the R-component of configuration β: A can verify this (also by checking that i is equal to the length of w plus k, and that the current state and counter values are equal to what were recorded before the start of the simulations). Then A resumes the simulation of W until at some point it guesses that W has reached the W-component of β: again, A can verify this (by checking that W has written the last symbol of u, etc.). The PCA A accepts if and only if |nowR − nowW| ≤ d.
Theorem 4. We can effectively construct, given a loosely synchronous QTA M, a 2-tape PCA M′ accepting R(M).
Proof. We now show that the 2-tape semi-PCA A above can be converted to a 2-tape PCA M′ accepting R(M), the emptiness problem for the latter being decidable by Corollary 1.
First we show that a 2-tape PCA B can simulate A without using nonstandard tests, but still using the nonstandard assignments like clock resets (we shall show how to handle this later). In the construction above, A simulates R and W alternately. Each of these machines has clock-counters. We show how B can simulate R without using nonstandard tests. B can then be modified (using a similar construction) to remove nonstandard tests in the simulation of W. The following technique is a modification of the one in [16].
Let R have clock-counters x1, ..., xk. Let m be one plus the maximal absolute value of all the integer constants that appear in the tests (i.e., the clock constraints on the edges of R in the form of Boolean combinations of xi # c, xi − xj # c with c an integer). Denote the finite set [m] = {−m, ..., 0, ..., m}. Define two finite tables with entries aij and bi for 1 ≤ i, j ≤ k. Each entry can be regarded as a finite state variable with states in [m]. Intuitively, aij is used to record the difference between the two clock values of xi and xj, and bi is used to record the clock value of xi. During the computation of R, when the difference xi − xj (or the value xi) goes above m or below −m, aij (or bi) stays at m or −m. The procedure for updating the entries is given below, where "⊕1" means adding one if the result does not exceed m, else it keeps the same value. "⊖1" means subtracting one if the result is not less than −m, else it keeps the same value. We will modify R as follows. Let TR be an edge in ER. If on the edge the set of clock resets λ = ∅, the entries are updated by adding the following instructions to TR, for each 1 ≤ i ≤ k:
• aij := aij for each 1 ≤ j ≤ k. Recall that all the clocks progress after this edge; thus, the difference is unchanged.
• bi := bi ⊕ 1. That is, clocks progress by one time unit.
If the set of clock resets is λ ≠ ∅, the entries are updated by adding the following instructions to TR, for each 1 ≤ i, j ≤ k:
• aij := 0 if i ∈ λ and j ∈ λ. In this case, both the clocks xi and xj reset to 0.
• aij := −bj if i ∈ λ and j ∉ λ. In this case, xi resets but xj does not. So the difference should be −xj.
• aij := bi if i ∉ λ and j ∈ λ.
• aij := aij if i ∉ λ and j ∉ λ.
followed by adding the following instructions:
• bi := bi if xi ∉ λ.
• bi := 0 if xi ∈ λ.
The initial values of aij and bi can be constructed directly from the values xi of clocks xi in configuration α, for each 1 ≤ i, j ≤ k:
• aij := xi − xj if |xi − xj| ≤ m,
• aij := m if xi − xj > m,
• aij := −m if xi − xj < −m,
and, noticing that clocks are nonnegative,
• bi := xi if xi ≤ m,
• bi := m if xi > m.
B then simulates R exactly, except that it uses aij # c for a test xi − xj # c and bi # c for xi # c, with −m < c < m. Completely analogously to the proof in [16], one can prove that doing this is valid:
Claim. Each time after B updates the entries by executing a transition, the following two conditions hold, for all 1 ≤ i, j ≤ k and for each integer c ∈ [m − 1]:
xi − xj # c iff aij # c,
and
xi # c iff bi # c.
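As an added worked example (not code from the paper), the following Python keeps the tables aij and bi next to the concrete clock values, applies the ⊕1 progress rule and the reset-edge update rules above, and checks the Claim on random runs of progress and reset edges; it also shows why the Claim is restricted to c ∈ [m − 1], since a test against c = m can disagree once a difference has saturated at m. The relation symbol # is taken to range over <, ≤, =, ≥, > (an assumption of this example).

```python
import operator
import random

# Comparison relations "#" that may appear in a clock constraint x_i # c (assumed set).
RELATIONS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
             ">=": operator.ge, ">": operator.gt}


def sat(v, m):
    """Clamp an integer into the finite set [m] = {-m, ..., 0, ..., m}."""
    return max(-m, min(m, v))


class ClockTables:
    """Finite tables a_ij (saturated x_i - x_j) and b_i (saturated x_i) kept by B."""

    def __init__(self, clocks, m):
        self.m, self.k = m, len(clocks)
        # Initial entries are computed directly from the clock values in alpha.
        self.a = [[sat(xi - xj, m) for xj in clocks] for xi in clocks]
        self.b = [sat(xi, m) for xi in clocks]  # clocks are nonnegative

    def progress(self):
        """Edge with an empty reset set: every clock advances by one."""
        # a_ij := a_ij (the difference is unchanged); b_i := b_i (+) 1, saturating at m.
        self.b = [min(self.m, bi + 1) for bi in self.b]

    def reset(self, lam):
        """Edge with non-empty reset set lam: clocks in lam become 0, the others keep their value."""
        old_b = self.b
        for i in range(self.k):
            for j in range(self.k):
                if i in lam and j in lam:
                    self.a[i][j] = 0            # both clocks reset to 0
                elif i in lam:
                    self.a[i][j] = -old_b[j]    # x_i resets, x_j does not: difference is -x_j
                elif j in lam:
                    self.a[i][j] = old_b[i]     # x_j resets, x_i does not: difference is x_i
                # i and j both outside lam: a_ij is unchanged
        self.b = [0 if i in lam else old_b[i] for i in range(self.k)]

    def diff_test(self, i, j, rel, c):
        """Table look-up that replaces the nonstandard test x_i - x_j # c."""
        return RELATIONS[rel](self.a[i][j], c)

    def value_test(self, i, rel, c):
        """Table look-up that replaces the nonstandard test x_i # c."""
        return RELATIONS[rel](self.b[i], c)


def claim_holds(tables, clocks):
    """Check both conditions of the Claim for every i, j, relation and c in [m-1]."""
    m = tables.m
    for i in range(tables.k):
        for c in range(-(m - 1), m):
            for rel, op in RELATIONS.items():
                if tables.value_test(i, rel, c) != op(clocks[i], c):
                    return False
                for j in range(tables.k):
                    if tables.diff_test(i, j, rel, c) != op(clocks[i] - clocks[j], c):
                        return False
    return True


def random_run_respects_claim(k=3, m=4, steps=300, seed=1):
    """Drive concrete clocks and the tables through a random run of progress and reset edges."""
    rng = random.Random(seed)
    clocks = [rng.randint(0, 3 * m) for _ in range(k)]   # constructed initial clock values
    tables = ClockTables(clocks, m)
    for _ in range(steps):
        if not claim_holds(tables, clocks):
            return False
        if rng.random() < 0.7:
            clocks = [x + 1 for x in clocks]                 # progress edge
            tables.progress()
        else:
            lam = {i for i in range(k) if rng.random() < 0.5} or {rng.randrange(k)}
            clocks = [0 if i in lam else x for i, x in enumerate(clocks)]   # reset edge
            tables.reset(lam)
    return claim_holds(tables, clocks)


def saturation_breaks_test_at_m(m=3):
    """Outside [m-1] the look-up is unsound: x_0 - x_1 = m + 1 > m, but a_01 = m is not > m."""
    clocks = [m + 1, 0]
    tables = ClockTables(clocks, m)
    return (clocks[0] - clocks[1] > m) and not tables.diff_test(0, 1, ">", m)
```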
Thus, clock counter comparisons are replaced by finite table look-up and, therefore, nonstandard tests are eliminated in B. Finally, we show how nonstandard assignments of the form xi := 0 (clock resets) in machine B can be avoided. We only show how these assignments can be avoided in the simulation of R (the same construction applies for W).
After eliminating the clock comparisons, the clock counters in B become blind, i.e., they do not participate in any test except when:
• using the initial values of xi to compute the initial values of aij and bi as shown in the entry update procedure above,
• using the final value of xi to check whether they match those in β.
Thus, the actual value of each xi is useless during the simulation of R up to the very last reset of xi, since xi is blind. We describe how to construct a 2-tape PCA C from B such that in the simulation of R, no nonstandard assignment is used. For each clock xi in R, there are two cases. The first case is that xi will not be reset during the entire simulation of B. The second case is that xi will be reset. C guesses the correct case for each xi. In the first case, xi is already reversal-bounded and does not use the nonstandard assignment xi := 0. In the second case, C first decrements xi to 0. Then C simulates B. Whenever a clock progress xi := xi + 1 or a clock reset xi := 0 is being executed by R, C keeps xi at 0. But, at some point when a clock reset xi := 0 is being executed by R, C guesses that this is the last clock reset for xi. After this point, C faithfully simulates a clock progress xi := xi + 1 executed by R, and a later execution of a clock reset xi := 0 in R will cause C to abort abnormally (since the guess of the last reset of xi was wrong). Thus C uses only standard assignments xi := xi + 1, xi := xi and xi := xi − 1 (initially bringing xi to 0 for the second case above).
It follows from the constructions of A, B, and C above that we can effectively construct, given a QTA M, a 2-tape PCA M′ accepting R(M).
Recall that a pair of configurations (α, β) is represented by
(q, X, p, Y, w, q′, X′, p′, Y′, i, u),
where (q, X, p, Y, w) is on tape1 of M′ and (q′, X′, p′, Y′, i, u) is on tape2. Thus tape2 is not the original (but an equivalent) representation of β. We can easily construct from M′ a 3-tape PCA M′′ which, when given (q, X, p, Y, w) on tape1, (q′, X′, p′, Y′, i, u) on tape2, and (q′, X′, p′, Y′, w′) on tape3, accepts if and only if M′ accepts (q, X, p, Y, w, q′, X′, p′, Y′, i, u), and w′ is the suffix of wu starting at position i + 1. Clearly, the third tape of M′′ is the "original" representation of β. Then from M′′, we can construct a 2-tape PCA M′′′ without the second tape (M′′′ simulates M′′ by guessing the string on tape2 symbol-by-symbol). M′′′ then accepts R(M), where α = (q, X, p, Y, w) is on tape1 and β = (q′, X′, p′, Y′, w′) on the other tape. Thus, we can assume that the original representations of the configurations appear on the tapes.
We can augment the W and R of a QTA with a finite number of reversal-bounded counters. Since the counters can be incremented or decremented by 1 and tested for 0, the QTA now has richer enabling conditions in addition to clock constraints, i.e., tests on the counters. (Note that a configuration α will now also contain the values of the counters.) Clearly, these counters can be faithfully simulated by extra reversal-bounded counters in the 2-tape semi-PCA and 2-tape PCA in the proofs of Theorems 3 and 4. Hence, we have:
Corollary 2. We can effectively construct, given a loosely synchronous QTA with reversal-bounded counters M, a 2-tape PCA M′ accepting R(M).
5. Loosely synchronous QTA with two queues
A QTA M can be easily modified to add a second queue from the reader back to the writer. That is, M consists of two timed automata A and B working on two queues, queue1 and queue2. More precisely, A is able to write to queue1 and read from queue2; B is able to write to queue2 and read from queue1, as shown in Fig. 1.
Obviously, with two queues, M is able to simulate any Turing machine. Therefore, we have to restrict the behavior of M in order to get decidable verification results.
Fig. 1. A QTA with two queues.
One restriction is to make M half-duplex [11]. That is, each intermediate configuration during an execution must satisfy: at least one of the two queues is empty. [11] shows that the reachable set of a half-duplex system with two finite state machines is recognizable. Now, we point out that the binary reachability of loosely synchronous half-duplex QTAs still satisfies Theorem 4.
We use A ⇒ B to indicate that A is taking the role of a writer and B that of a reader, both of them working on queue1. The notation B ⇒ A is defined symmetrically. In other words, M's execution can be considered as a sequence of phases
A ⇒ B ⇒ A ⇒ B ···
such that when M is engaged in phase A ⇒ B (i.e., A is the writer and B is the reader) using queue1, the other queue (queue2 from B to A) is always empty; when M is engaged in phase B ⇒ A (i.e., A is the reader and B is the writer) using queue2, the other queue (queue1 from A to B) is always empty. We use AW to denote the result of dropping all read-transitions from A, i.e., AW is a writer. We use AR to denote the result of dropping all write-transitions from A, i.e., AR is a reader. BW and BR are defined similarly. Therefore, an execution of M is considered as an alternation between running a QTA MA⇒B (which consists of writer AW and reader BR) on queue1, when queue2 is empty, and running a QTA MB⇒A (which consists of writer BW and reader AR) on queue2, when queue1 is empty. Obviously, both R(MA⇒B) and R(MB⇒A) can be accepted by 2-tape PCAs, as shown in Theorem 4.
Let α and β be two half-duplex configurations, i.e., one of the two queues in each configuration is empty. Without loss of generality, we assume that queue2 in α and queue1 in β are empty. A sequence of transitions witnessing α ⇝M β therefore consists of phases
A ⇒ B ⇒ A ··· ⇒ B ⇒ A.
Hence, we have an execution sequence
α0 ⇝MA⇒B α1 ⇝MB⇒A α2 ··· ⇝MB⇒A αm
for some m such that α0 = α and αm = β, and queue1 and queue2 are both empty in each αi with 0 < i < m. According to Theorem 4, α0 ⇝MA⇒B α1 can be simulated by the 2-tape PCA for R(MA⇒B); α1 ⇝MB⇒A α2 can be simulated by the 2-tape PCA for R(MB⇒A). The simulations continue for the rest of the execution sequence. Doing this shows that the above execution sequence can be simulated by a "concatenation" of the two 2-tape PCAs running alternately. This is because:
• both queues in each intermediate configuration αi are empty, for 0 < i < m;
• when a phase is switched to the other one, clock values in both A and B do not change.
The result of the concatenation is still a 2-tape PCA. Therefore, Theorem 4 still holds for M.
Theorem 5. We can effectively construct, given a loosely synchronous half-duplex QTA M, a 2-tape PCA M′ accepting R(M).
As in Corollary 2, we have:
Corollary 3. We can effectively construct, given a loosely synchronous half-duplex QTA with reversal-bounded counters M, a 2-tape PCA M′ accepting R(M).
6. Verification of safety properties
The results of Theorems 4 and 5 allow us to formulate a set of Presburger safety properties that can be automatically verified for loosely synchronous (half-duplex) QTAs as follows.
Given a loosely synchronous (half-duplex) QTA M, let α, β, ... denote variables ranging over configurations. Let αq, αxi, αp, αyj and αw be the state variable (understood as a bounded integer variable) for R, the clock value variables for xi in R, the state variable for W, the clock value variables for yj in W, and the queue content variable (when M is half-duplex, this is for the queue other than the empty one), respectively. We use a count variable #a(αw) to denote the number of occurrences of a symbol a ∈ Σ in the content of the queue. A QTA-term t is defined as follows:
t ::= n | αq | αxi | αp | αyj | #a(αw) | t − t | t + t,
where n is an integer, a ∈ Σ, xi ∈ X and yj ∈ Y. A QTA-formula f is defined as follows:
f ::= t > 0 | t mod n = 0 | ¬f | f ∨ f,
where n ≠ 0 is an integer. Thus, f is a quantifier-free Presburger formula over state variables, clock value variables and count variables.
For m ≥ 1, let F be a formula in the following format:
∨_{1 ≤ i ≤ m} (fi ∧ αi ⇝M βi),
where each fi is a QTA-formula and the αi and βi are configuration variables. Let ∃F be a closed formula such that each free variable in F is existentially quantified. The following theorem states that ∃F is verifiable.
Theorem 6. The truth value of ∃F with respect to a loosely synchronous (half-duplex) QTA M is decidable for any QTA-formula F.
Proof. Without loss of generality, we assume F is f ∧ α ⇝M β. The solutions to f can be accepted by a deterministic CA [22], since f is Presburger. On the other hand, from Theorems 4 and 5, R(M) (i.e., the solutions to formula α ⇝M β when α and β are understood as configuration variables) can be accepted by a 2-tape PCA. Therefore, the solutions to F can be accepted by a PCA by intersecting the two machines. The theorem follows from Theorem 1.
From Theorem 6, the following property:
for all configurations α and β with α ⇝M β, clock x2 in β is the sum of clocks y1 and x2 in α, and symbol a1 appears in the queue in β twice as many times as symbol a2 does in the queue in α,
can be verified. This is because it can be expressed as
∀α ∀β (α ⇝M β → (βx2 = αy1 + αx2 ∧ #a1(βw) = 2 #a2(αw))).
The negation of this property is equivalent to ∃F for some QTA-formula F. Thus, it can be verified.
Forward reachability and backward reachability are also useful in analyzing safety properties. More precisely, we define the forward reachability set
ForwardM(P) = {β : ∃α ∈ P, α ⇝M β}
with respect to a set of configurations P. Similarly, the backward reachability set is
BackM(P) = {α : ∃β ∈ P, α ⇝M β}.
When P can be accepted by a CA (for instance, P is definable by a QTA-formula), we can show that both the forward and the backward reachability sets can be accepted by PCAs.
Theorem 7. Let M be a loosely synchronous (half-duplex) QTA and P be a set of configurations accepted by a CA. Then, both ForwardM(P) and BackM(P) can be accepted by PCAs.
Proof. We only prove the case for ForwardM(P). The case for BackM(P) is similar. We construct a PCA M′ that accepts ForwardM(P). Given a configuration β on the input tape, M′ guesses a configuration α while it simulates the CA accepting P. At the end of the simulation, M′ verifies that α is accepted (i.e., α ∈ P). In parallel to this simulation, M′ also simulates the PCA M′′ accepting R(M) (Theorems 4 and 5) using another set of counters (sharing the same starting values in α) and the pushdown stack. When M′′ accesses the second tape, M′ guesses the tape content for it. At the end, M′ also verifies that configuration β is reached when M′′ does so. Clearly, M′ accepts ForwardM(P).
We conclude this section by noting that Theorems 6 and 7 remain valid when M has reversal-bounded counters.
7. An example
In this section, we illustrate the use of loosely synchronous half-duplex QTAs with reversal-bounded counters (see Corollary 3). Consider a system used in a physics experiment, composed of a set of actuators (for controlling the experiment) and of a set of sensors (for measuring and recording various experimental data such as the speed and number of subatomic particles). A controller is in charge of controlling the actuators and the sensors, and of elaborating the data detected by the sensors. It is crucial for the experiment that the sensors collect data only in a precise interval, which may vary depending on various conditions, and send the data to the controller upon request.
We model only one sensor and one controller, and ignore all other components. Data are read by the sensor with a variable speed, depending on the environment. We assume that the sensor needs one time unit to read a datum and another time unit to communicate it to the controller. Hence, incoming data have a maximum rate of one datum. The sensor is associated with a cheap embedded processor, with small computation power and very little memory; hence, it cannot store the data it reads, but it must send them immediately to the controller.
The controller is a powerful processor, with a large memory. However, it has other tasks to perform and it cannot continuously elaborate the data coming from the sensor. Incoming data are then put in a queue and read when the controller is ready to make use of them. The protocol in charge of correctly exchanging data between the sensor and the controller (such as the acknowledgement of packet arrival, etc.) is considered to be at a lower level and is not modeled here. We just assume that when data are sent from one end to the other, they are correctly put in the queue.
The sensor is required to read data only within a precise time interval, whose integer length k > 0 is communicated by the controller at the beginning of the experiment. After this, the controller may decide nondeterministically when it is the moment to start reading data, by sending a signal "begin" to the sensor. Upon receipt of the signal, the sensor must read data for exactly k time units. Only data read after the "begin", but before the end of the interval of length k, may be sent to the controller.
The clocks of the controller and of the sensor are allowed not to be perfectly synchronized: they may drift apart within a small positive integer constant d. Hence, the actual reading interval, measured in the local time of the sensor, may end earlier or later than the instant intended by the controller. To reduce this effect, it is required that k > d.
The problem is modeled with a loosely synchronous QTA M with two queues and reversal-bounded (r.b.) counters. M is composed of two timed automata with r.b. counters, S (the sensor) and C (the controller). The property to be verified is that all and only the data communicated to the controller are read in the correct time interval. We model only the case of just one session, i.e., a stream of data is collected only once by S upon request from C, and then both subsystems halt. However, a one-session system is also a model of a multi-session system where all sessions are far enough apart so as not to interfere with each other.
Fig. 2. The controller.
S may write to queue1 and C to queue2. The alphabet of queue1 is {data, end}, and the alphabet of queue2 is {count, begin, abort}.
The length of the interval, communicated by C to S, is stored in a one-reversal counter kS of S. This is a value k > d, nondeterministically chosen by C and also stored in a counter kC of C. In S, there is another counter jS, introduced only for the purpose of verification, which is used to count the data read by S and subsequently sent to C. In C (and in S as well), there is just one clock, tC (resp. tS), which is incremented by one at each transition, unless it is explicitly reset.
The automaton C can be in one of the states:
{start, prepare, wait, consume, end}
and has a clock tC. Its transition graph is described in Fig. 2. Each label of an edge has four components: the first is the symbol read from the queue, the second is the enabling condition on both clocks and reversal-bounded counters, the third (denoted after a slash) is the symbol written on the other queue, and the fourth is the set of assignments to clocks and counters. For the sake of readability, the set of clock resets of an edge is denoted by assigning the value 0 to each clock in the set (e.g. tC := 0). For instance, the edge labeled ε, true/count, {kC := kC + 1, tC := 0} can be taken without reading from the queue and with the enabling condition being just true; the result of taking that edge is that count is written on the other queue, the clock tC is reset and the counter kC is incremented by 1.
The automaton S can be in one of the states:
{start, load, wait, sense, write, last, end}.
Its transition graph is described in Fig. 3.
A run of the system begins with both automata in state start, with all clocks and r.b. counters starting at 0. Both may stay in start as long as the queues are empty (i.e., they read the special symbol #). Nondeterministically, C may decide to move to state prepare (causing S to move to state load), where a self-loop increases kC and sends a count signal to S, which in response increments kS. The final value k of kC (hence, also of kS) is chosen nondeterministically beyond the constant d. In both automata, the clocks tS and tC are initialized to zero at each transition: hence, both self-loops are in zero-time. This zero-time assumption is reasonable, since we may imagine that the time it takes to transfer the interval length is much smaller than the time to transfer data packets.
Fig. 3. The sensor.
When kC > d, C may keep increasing kC or nondeterministically go to state wait (imitated by S), where time passes until C decides that S must start reading. When the latter case occurs, a signal begin is sent to S and C enters state consume. However, the controller has only a limited time to send a begin: a timeout transition, going from state wait to state end, aborts operations if the controller stays in state wait longer than, say, 600 instants, sending an abort signal to the sensor. Correspondingly, S waits in state load until the queue is empty: if S receives an abort in state load, it goes to state end.
In state consume, time may progress while C is idle or reading, at any speed, data coming from S. Upon receipt of event begin, S immediately goes to state sense and starts reading data: when a datum is detected, counter jS is increased, counter kS is decreased and S goes to state write to send data to C. As already remarked, the actions of reading a datum and sending a datum take one time unit each. The counter kS must be decremented whenever time progresses. Hence, it is decremented while S is waiting for data in the state sense and also when a datum is read and then written to C. Notice that, since there can be at most one datum every two time units, no data are lost while making the transitions from sense to write and back. When kS reaches zero, the reading interval is over and S goes to its final state end, emitting a signal end towards C. The automaton S may also go through state last, in order to write also data that arrived at the very last instant, again followed by an end signal. When an end signal is found on the queue, C goes to its final state.
Verification of the example: In what follows, α, β, γ, and δ represent configurations. Let initial(α) be a formula stating that α is the initial configuration, i.e. a configuration where both S and C are in the initial state and each clock and each counter is set to 0; let state(C, α) and state(S, α) be the state of C and the state of S, respectively, in a configuration α; let begin(β) be the formula (state(C, β) = consume) ∧ βtC = 0, i.e., C has just made the transition signaling that data reading should start; let expired(β, γ) be the formula γnowS − βnowS = kC ∧ d < kC, which holds if in γ exactly kC > d instants have passed since β; let newData(γ, δ) be the formula δnowS > γnowS ∧ δj > γj, which holds if in δ time has progressed since γ and more data were read. Then let P1 be the formula:
∀α, β, γ, δ (α ⇝M β ⇝M γ ⇝M δ ∧ initial(α) ∧ begin(β) ∧ expired(β, γ) → ¬newData(γ, δ)).
Formula P1 states that no data are read after the interval has expired. The negation of P1 is a formula where all variables are quantified existentially, which can be decided automatically. If ¬P1 is true, then the above specification does not enforce the basic requirement on the system, since a "wrong" configuration δ is reachable.
If ¬P1 is false, we may erroneously be confident that the system behaves correctly. However, ¬P1 may be false not only when no configuration δ as above is reachable, but also when there are no reachable configurations β or γ as above. In the latter case, there would be a different modeling error, namely the two automata are not even able to reach a configuration where S can start reading data. Let P2 be the formula
∃α, β, γ (α ⇝M β ⇝M γ ∧ initial(α) ∧ begin(β) ∧ expired(β, γ)).
It is not necessary to verify whether P2 holds when ¬P1 is true; it is enough to execute the verification of P2 only when ¬P1 is false.
If both P1 and P2 hold, the verification is not complete yet, since we also need the property P3 that no data is read before the reading interval has started. Since jS > 0 if some data have been read, and since the reading interval may only start when C has gone through the state consume, the negation of P3 can be written as:
∃α, β (α ⇝M β ∧ initial(α) ∧ βjS > 0 ∧ state(C, β) ≠ consume ∧ state(C, β) ≠ end).
Again, this is a formula whose truth can be decided: if it does not hold, then property P3 is violated.
8. Conclusions
We introduced a generalization of a discrete timed automaton, i.e., two TAs connected by a unidirectional queue (each of the TAs may also be augmented with reversal-bounded counters) and analyzed the solvability of verification problems such as (binary, forward, and backward) reachability. The two automata operate in a loosely synchronous way, though our results also hold for the case when they are synchronous (i.e., sharing a global clock with d = 0) and the case when they are asynchronous (i.e., d = ∞). Using an easier (but slightly different) argument, we can show that the proof of Theorem 3 still holds when
• if the QTA is synchronous, the test tW(j) − tR(j) ≤ d in the proof is replaced by tW(j) − tR(j) ≤ 0;
• if the QTA is asynchronous, the test tW(j) − tR(j) ≤ d in the proof is replaced by true (i.e., no tests).
In both cases, all the results for the QTAs still hold. The QTA models can be used to reason about a number of timed producer/consumer applications involving only one-way communications. We are able to extend the results to a restricted form of QTA with two half-duplex queues. This opens the door for verification of a restricted form of two-way timed communication protocols.
A special case of a QTA is one where W and R have no clocks and no reversal-bounded counters, i.e., they are nondeterministic finite-state machines connected by a queue. We call such a model a finite-state QTA. It has been shown in [23] that binary reachability is not computable (i.e., not recursive) for the following models: (i) finite-state QTA with another (second) queue that can be used to send messages from W to R; (ii) finite-state QTA with a second queue that can be used to send messages from R to W (thus, there is now two-way communication between the machines); (iii) finite-state QTA where each of R and W is augmented with a one-turn pushdown stack (i.e., after popping, the stack can no longer push); (iv) finite-state QTA where each of R and W is augmented with an unrestricted counter.
It would be interesting to further consider the QTA model with dense time. However, the technical difficulty forbidding us to do so is the lack of theoretical tools to handle both dense variables and unbounded discrete data structures in one system. Recent results in [15] show some hope in this direction, by introducing an infinite partition on the dense clock space. We may investigate the dense time version of QTAs in the future. We also leave the complexity analysis of the decision procedures presented in this paper as future work. We note, however, that by using recent techniques developed in [24], we can, in fact, strengthen our results in that the 2-tape PCA in Theorems 4 and 5 and their corollaries can be reduced to a 2-tape CA (i.e., the stack is not necessary).
References
[1] R. Alur, Timed automata. CAV’99, Lecture Notes in Computer Science, Vol. 1633, Springer, Berlin,
pp. 8–22.
[2] R. Alur, D. Dill, A theory of timed automata, Theoret. Comput. Sci. 126 (2) (1994) 183–236.
[3] R. Alur, T.A. Henzinger, A really temporal logic, J. Assoc. Comput. Mach. 41 (1) (1994) 181–204.
[4] R. Alur, C. Courcoubetis, D. Dill, Model-checking in dense real time, Informat. Comput. 104 (1) (1993)
2–34.
[5] P. Abdulla, B. Jonsson, Verifying programs with unreliable channels, Inform. Comput. 127 (2) (1996)
91–101.
[6] D. Beauquier, A. Slissenko, The railroad crossing problem: towards semantics of timed algorithms and
their model-checking in high-level languages, Lecture Notes in Computer Science, Vol. 1214, Springer,
Berlin, 1997, pp. 202–212.
[7] G. von Bochmann, Finite state descriptions of communicating protocols, Comput. Networks 2 (1978)
361–372.
[8] A. Bouajjani, J. Esparza, O. Maler, Reachability analysis of pushdown automata: application to model-
checking, CONCUR'97, Lecture Notes in Computer Science, Vol. 1243, Springer, Berlin, pp. 135–150.
[9] D. Brand, P. Zafiropulo, On communicating finite-state machines, J. Assoc. Comput. Mach. 30 (2)
(1983) 323–342.
[10] T. Bultan, R. Gerber, W. Pugh, Model-checking concurrent systems with unbounded integer variables:
symbolic representations, approximations, and experimental results, TOPLAS 21 (4) (1999) 747–789.
[11] G. Cece, A. Finkel, Programs with quasi-stable channels are effectively recognizable, CAV'97, Lecture
Notes in Computer Science, Vol. 1254, Springer, Berlin, pp. 304–315.
[12] E. Clarke, J. Wing, Formal methods: state of the art and future directions, Assoc. Comput. Mach.
Comput. Surveys 28 (4) (1996) 626–643.
[13] H. Comon, Y. Jurski, Multiple counters automata, safety analysis and Presburger arithmetic, CAV’98,
Lecture Notes in Computer Science, Vol. 1427, Springer, Berlin, pp. 268–279.
[14] H. Comon, Y. Jurski, Timed automata and the theory of real numbers, CONCUR’99, Lecture Notes in
Computer Science, Vol. 1664, Springer, Berlin, pp. 242–257.
[15] Z. Dang, Binary reachability analysis of pushdown timed automata with dense clocks, CAV’01, Lecture
Notes in Computer Science, Vol. 2102, Springer, Berlin, pp. 506–517.
[16] Z. Dang, O.H. Ibarra, T. Bultan, R.A. Kemmerer, J. Su, Binary reachability analysis of discrete
pushdown timed automata, CAV’00, Lecture Notes in Computer Science, Vol. 1855, Springer, Berlin,
pp. 69–84.
[17] A. Finkel, G. Sutre, Decidability of reachability problems for classes of two counter automata,
STACS’00, Lecture Notes in Computer Science, Vol. 1770, Springer, Berlin, pp. 346–357.
[18] A. Finkel, B. Willems, P. Wolper, A direct symbolic approach to model checking pushdown systems,
Proceedings of the INFINITY’97.
[19] S. Ginsburg, E. Spanier, Bounded algol-like languages, Trans. Amer. Math. Soc. 113 (1964) 333–368.
[20] E.M. Gurari, O.H. Ibarra, The complexity of decision problems for finite-turn multicounter machines,
J. Comput. System Sci. 22 (1981) 220–229.
[21] T.A. Henzinger, X. Nicollin, J. Sifakis, S. Yovine, Symbolic model checking for real-time systems,
Inform. Comput. 111 (2) (1994) 193–244.
[22] O.H. Ibarra, Reversal-bounded multicounter machines and their decision problems, J. Assoc. Comput.
Mach. 25 (1978) 116–133.
[23] O.H. Ibarra, Reachability and safety in queue systems with counters and pushdown stack, Proceedings
of the International Conference on Implementation and Application of Automata, 2000.
[24] O.H. Ibarra, Z. Dang, On removing the pushdown stack in reachability constructions. Proceedings of
the International Symposium on Algorithms and Computation (ISAAC), 2001.
[25] O.H. Ibarra, J. Su, A technique for the containment and equivalence of linear constraint queries,
J. Comput. System Sci. 59 (1) (1999) 1–28.
[26] O.H. Ibarra, J. Su, Generalizing the discrete timed automaton, Proceedings of the International
Conference on Implementation and Application of Automata, 2000.
[27] O.H. Ibarra, J. Su, C. Bartzis, Counter machines and the safety and disjointness problems for database
queries with linear constraints, in: C. Martin-Vide, V. Mitrana (Eds.), Words, Sequences, Languages:
Where Computer Science, Biology and Linguistics Meet, Kluwer Academic Publishers, Dordrecht, 2000,
pp. 127–137.
[28] R. Mayr, Decidability and complexity of model-checking problems for infinite state systems, Ph.D.
Thesis, Inst. für Informatik, Techn. Universität München, 1998.
[29] K.L. McMillan, Symbolic model-checking—an approach to the state explosion problem, Ph.D. Thesis,
Department of Computer Science, Carnegie Mellon University, 1992.
[30] W. Peng, S. Purushothaman, Analysis of a class of communicating finite state machines, Acta Informat.
29 (6/7) (1992) 499–522.
[31] S. Yovine, Model-checking timed automata, Embedded Systems, Lecture Notes in Computer Science,
Vol. 1494, Springer, Berlin, 1998, pp. 114–152.
