Liveness in L/U-Parametric Timed Automata by André, Étienne & Lime, Didier
Étienne André, Didier Lime
To cite this version:
Étienne André, Didier Lime. Liveness in L/U-Parametric Timed Automata. 2016. <hal-01304232>
HAL Id: hal-01304232
https://hal.archives-ouvertes.fr/hal-01304232
Submitted on 19 Apr 2016
HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
Distributed under a Creative Commons Attribution 4.0 International License
Liveness in L/U-Parametric Timed Automata∗
Étienne André and Didier Lime
École Centrale de Nantes, IRCCyN, CNRS, UMR 6597, France
Abstract
We study timed systems in which some timing features are unknown parameters. Parametric timed automata are a classical formalism for such systems but for which most interesting problems are undecidable. Lower-bound/upper-bound parametric timed automata (L/U-PTAs) achieve decidability for reachability properties by enforcing a separation of parameters used as upper bounds in the automaton constraints, and those used as lower bounds.
We further study L/U-PTAs by considering liveness related problems. We prove that: (1) the existence of at least one parameter valuation for which there exists an infinite run in the automaton is PSPACE-complete; (2) the existence of a parameter valuation such that the system has a deadlock is however undecidable; (3) the existence of a valuation for which a run remains in a given set of locations exhibits a very thin border between decidability and undecidability.
1998 ACM Subject Classification D.2.4 Software/Program Verification: Formal methods
Keywords and phrases L/U-PTA, EG-emptiness, deadlock-freeness, infinite run
Digital Object Identifier 10.4230/LIPIcs.CVIT.1942.23
1 Introduction
Following Lamport, properties of systems are often characterized as safety properties (“something bad will never happen”) and liveness properties (“something good will eventually happen”) [11]. Safety generally reduces to reachability, while liveness is more complex. The “good” behavior may not be reached for two main reasons: either there is a deadlock, a state in which the system cannot evolve anymore, or there is a livelock, an infinite path never reaching the “good” behavior. Both situations are captured by the CTL operator EG [7].
We study here those behaviors in the context of parametric timed systems, in which some timing features (e. g., the duration of a task, a transmission delay in a network, the delay to trigger a watchdog, etc.) are not known and replaced by symbolic constants, called parameters. The objective of verification on such partially defined systems is then to synthesize the possible valuations of parameters such that some properties are satisfied.
Parametric timed automata (PTAs) [2] have been introduced to deal with such parametric timed systems. They consist of finite automata equipped with real-valued clocks that can be compared with constants or parameters in constraints restricting if and when the edges can be taken.
The simple problem of whether there exists a valuation for each parameter such that some control location is reachable in the timed automaton obtained by replacing the parameters with those valuations (also called EF-emptiness) is undecidable for PTAs for both integer- and rational-valued parameters. Several alternative proofs refine this result in terms of the number of parameters, number of clocks compared to parameters, types of constraints, etc. (see, e. g., [12, 8, 5, 3]).
∗ This work is partially supported by the ANR national research program “PACS” (ANR-14-CE28-0002).
© Étienne André and Didier Lime;
licensed under Creative Commons License CC-BY
42nd Conference on Very Important Topics (CVIT 1942).
Editors: John Q. Open and Joan R. Acces; Article No. 23; pp. 23:1–23:19
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
23:2 Liveness in L/U-Parametric Timed Automata
In order to overcome these disappointing results, lower-bound/upper-bound parametric timed automata (L/U-PTAs) are introduced as a subclass of PTAs where each parameter either always appears as an upper bound when compared to a clock, or always as a lower bound [9]. The EF-emptiness problem, and also the EF-universality problem (“Can we reach a given location, regardless of what valuations we give to the parameters?”) are decidable for L/U-PTAs.
In [6], infinite acceptance properties are considered: the emptiness and the universality of the valuation set for which a given location is infinitely often traversed are decidable for integer-valued parameters. In [10], it is shown that the AF-emptiness problem (“Does there exist a valuation of the parameters, such that the system reaches a given location for all runs?”) is undecidable for L/U-PTAs with integer- and rational-valued parameters.
Contribution
With the notable exception of [10], and to some extent of [6] which addresses the existence of cycles, all the works cited above focus on safety properties, through the basic problem of reachability. This is maybe not so surprising given that most results related to this simpler problem are already negative.
We nonetheless address here the problem of liveness in PTAs, and more precisely, with the negative result of [10] on AF-emptiness in mind, we start from L/U-PTAs with rational-valued parameters and further refine both the model and the properties. We prove that:
1. deciding the existence of at least one parameter valuation for which there exists an infinite run in the automaton is PSPACE-complete;
2. deciding the existence of a parameter valuation such that the system has a deadlock is however undecidable;
3. the problem of the existence of a valuation for which a run remains in a given set of locations exhibits a very thin border between decidability and undecidability: while this problem is decidable for L/U-PTAs with a bounded parameter domain with closed bounds, it becomes undecidable if either the assumption of boundedness or of closed bounds is lifted. This result confirms that L/U-PTAs stand at the border between decidability and undecidability.
Outline
We recall the necessary preliminaries in Section 2. We then consider the problem of the existence of at least one parameter valuation for which there exists an infinite run (Section 3), for which there exists a deadlock (Section 4), and for which a run remains in a given set of locations (Section 5). We conclude and discuss perspectives in Section 6.
2 Preliminaries
2.1 Clocks, Parameters and Constraints
Let N, Z, Q+ and R+ denote the sets of non-negative integers, integers, non-negative rational numbers and non-negative real numbers respectively. Let I(N) denote the set of non-necessarily closed intervals on N, i. e., of the form [a, b], (a, b], [a, b) or (a, b) where a, b ∈ N and a ≤ b.
Throughout this paper, we assume a set X = {x1, . . . , xH} of clocks, i. e., real-valued variables that evolve at the same rate. A clock valuation is a function w : X → R+. We identify a clock valuation w with the point (w(x1), . . . , w(xH)) of $\mathbb{R}_+^H$. We write $\vec{0}$ for the clock valuation that assigns 0 to all clocks. Given d ∈ R+, w + d denotes the valuation such that (w + d)(x) = w(x) + d, for all x ∈ X. Given R ⊆ X, we define the reset of a valuation w, denoted by [w]R, as follows: [w]R(x) = 0 if x ∈ R, and [w]R(x) = w(x) otherwise.
We assume a set P = {p1, . . . , pM} of parameters, i. e., unknown constants. A parameter valuation v is a function v : P → Q+. We identify a valuation v with the point (v(p1), . . . , v(pM)) of $\mathbb{Q}_+^M$. An integer parameter valuation is such that ∀p ∈ P, v(p) ∈ N.
In the following, we assume ∼ ∈ {<, ≤, ≥, >}. Throughout this paper, lt denotes a linear term over X ∪ P of the form $\sum_{1 \le i \le H} \alpha_i x_i + \sum_{1 \le j \le M} \beta_j p_j + d$, with xi ∈ X, pj ∈ P, and αi, βj, d ∈ Z. A constraint C (i. e., a convex polyhedron) over X ∪ P is a conjunction of inequalities of the form lt ∼ 0. Given a parameter valuation v, v(C) denotes the constraint over X obtained by replacing each parameter p in C with v(p). Likewise, given a clock valuation w, w(v(C)) denotes the expression obtained by replacing each clock x in v(C) with w(x). We say that v satisfies C, denoted by v |= C, if the set of clock valuations satisfying v(C) is nonempty. Given a parameter valuation v and a clock valuation w, we denote by w|v the valuation over X ∪ P such that for all clocks x, w|v(x) = w(x) and for all parameters p, w|v(p) = v(p). We use the notation w|v |= C to indicate that w(v(C)) evaluates to true. We say that C is satisfiable if ∃w, v s.t. w|v |= C.
A guard g is a constraint over X ∪ P defined by inequalities of the form $x \sim \sum_{1 \le j \le M} \beta_j p_j + d$, with βj ∈ {0, 1} and d ∈ Z.
2.2 Parametric Timed Automata
Definition 1. A PTA A is a tuple A = (Σ, L, l0, X, P, I, E), where: i) Σ is a finite set of actions, ii) L is a finite set of locations, iii) l0 ∈ L is the initial location, iv) X is a finite set of clocks, v) P is a finite set of parameters, vi) I is the invariant, assigning to every l ∈ L a guard I(l), vii) E is a finite set of edges e = (l, g, σ, R, l′) where l, l′ ∈ L are the source and target locations, σ ∈ Σ, R ⊆ X is a set of clocks to be reset, and g is a guard.
Given a parameter valuation v, we denote by v(A) the non-parametric timed automaton where all occurrences of a parameter pi have been replaced by v(pi).
Definition 2 (Concrete semantics of a TA). Given a PTA A = (Σ, L, l0, X, P, I, E), and a parameter valuation v, the concrete semantics of v(A) is given by the timed transition system (S, s0, →), with
S = {(l, w) ∈ L × $\mathbb{R}_+^H$ | w|v |= I(l)}, s0 = (l0, $\vec{0}$)
→ consists of the discrete and (continuous) delay transition relations:
discrete transitions: (l, w) $\xrightarrow{e}$ (l′, w′), if (l, w), (l′, w′) ∈ S, there exists e = (l, g, σ, R, l′) ∈ E, w′ = [w]R, and w|v |= g.
delay transitions: (l, w) $\xrightarrow{d}$ (l, w + d), with d ∈ R+, if ∀d′ ∈ [0, d], (l, w + d′) ∈ S.
Moreover we write (l, w) $\overset{e}{\mapsto}$ (l′, w′) for a sequence of delay and discrete transitions where ((l, w), e, (l′, w′)) ∈ ↦ if ∃d, w″ : (l, w) $\xrightarrow{d}$ (l, w″) $\xrightarrow{e}$ (l′, w′).
Given a TA v(A) with concrete semantics (S, s0, →), we refer to the states of S as the concrete states of v(A). A concrete run (or simply a run) of v(A) is an alternating sequence of concrete states of v(A) and edges starting from the initial concrete state s0 of the form $s_0 \overset{e_0}{\mapsto} s_1 \overset{e_1}{\mapsto} \cdots \overset{e_{m-1}}{\mapsto} s_m$, such that for all i = 0, . . . , m − 1, ei ∈ E, and (si, ei, si+1) ∈ ↦. Given a state s = (l, w), we say that s is reachable (or that v(A) reaches s) if s belongs to a run of v(A). By extension, we say that l is reachable in v(A), if there exists a state (l, w) that is reachable. Given a set of locations G ⊆ L, we say that a run stays in G if all of its states (l, w) are such that l ∈ G. A maximal run is a run that is either infinite (i. e., contains an infinite number of discrete transitions), or that cannot be extended by a discrete transition. A maximal run is deadlocked if it is finite, i. e., contains a finite number of discrete transitions. By extension, we say that a TA is deadlocked if it contains at least one deadlocked run.
2.3 Subclasses of PTAs
Definition 3 (L/U-PTA). An L/U-PTA is a PTA where the set of parameters is partitioned into lower-bound parameters and upper-bound parameters, where an upper-bound (resp. lower-bound) parameter pi is such that, whenever it appears in a guard or an invariant $x \sim \sum_{1 \le j \le M} \beta_j p_j + d$ (where βi = 1) then necessarily ∼ ∈ {≤, <} (resp. ∼ ∈ {≥, >}).
L/U-PTAs enjoy a well-known monotonicity property recalled in the following lemma (that corresponds to a reformulation of [9, Prop 4.2]), stating that increasing upper-bound parameters or decreasing lower-bound parameters can only add behaviors.
Lemma 4. Let A be an L/U-PTA and v be a parameter valuation. Let v′ be a valuation such that for each upper-bound parameter p+, v′(p+) ≥ v(p+) and for each lower-bound parameter p−, v′(p−) ≤ v(p−). Then any run of v(A) is a run of v′(A).
In this paper, we will consider bounded PTAs, i. e., PTAs with a bounded parameter domain that assigns to each parameter an infimum and a supremum, both integers.
Definition 5 (bounded PTA). A bounded PTA is A|bounds, where A is a PTA, and bounds : P → I(N) assigns to each parameter p an interval [inf, sup], (inf, sup], [inf, sup), or (inf, sup), with inf, sup ∈ N. We use inf(p, bounds) and sup(p, bounds) to denote the infimum and the supremum of p, respectively. (Note that we rule out ∞ as a supremum.)
We say that a bounded PTA is a closed bounded PTA if, for each parameter p, its ranging interval bounds(p) is of the form [inf, sup]; otherwise it is an open bounded PTA.
We define similarly bounded L/U-PTAs.
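The definitions of Sections 2.1 to 2.3 are concrete enough to execute. The following Python is an added example, not code from the paper or its authors: it implements guards of the form x ∼ Σ βj pj + d over exact rationals, the test w|v |= g, the syntactic L/U check of Definition 3 and the run check of Definition 2, on a constructed two-clock, two-parameter automaton. The automaton TOY, its parameters pmin and pmax, the run and all function names are assumptions of the example. Checking the same run under a valuation that increases the upper-bound parameter and decreases the lower-bound one illustrates Lemma 4; tightening either bound shows the run disappearing.

```python
from fractions import Fraction as F

# Added example (not the paper's code): Definitions 1-3 on a constructed PTA.
# A guard is a conjunction of atoms  x ~ sum_j beta_j p_j + d  with beta_j in {0, 1};
# an atom is stored as (clock, op, parameters_with_beta_1, d).
OPS = {"<": lambda l, r: l < r, "<=": lambda l, r: l <= r,
       ">": lambda l, r: l > r, ">=": lambda l, r: l >= r}

def satisfies(w, v, guard):
    """w|v |= g: substitute v(p) for parameters and w(x) for clocks, evaluate each atom."""
    for x, op, params, d in guard:
        rhs = sum((F(v[p]) for p in params), F(d))   # the parametric term, valuated by v
        if not OPS[op](w[x], rhs):
            return False
    return True

def is_lu_pta(pta, lower, upper):
    """Definition 3: a parameter in `upper` may only occur with ~ in {<=, <}, a parameter
    in `lower` only with ~ in {>=, >}, in every guard and every invariant."""
    guards = list(pta["invariants"].values()) + [g for (_, g, _, _) in pta["edges"]]
    for guard in guards:
        for _, op, params, _ in guard:
            for p in params:
                if p in upper and op not in ("<=", "<"):
                    return False
                if p in lower and op not in (">=", ">"):
                    return False
    return True

def delay(w, d):
    """w + d: every clock advances by d."""
    return {x: val + d for x, val in w.items()}

def reset(w, R):
    """[w]_R: clocks in R go to 0, the others keep their value."""
    return {x: (F(0) if x in R else val) for x, val in w.items()}

def is_run(pta, v, steps):
    """Definition 2: check that a sequence of (delay, edge index) pairs is a run of v(A):
    every delay keeps the invariant of the current location and every guard holds when
    its edge is taken. Invariants are convex, so a delay d is admissible iff I(l) holds
    at w and at w + d."""
    l, w = pta["l0"], {x: F(0) for x in pta["clocks"]}
    if not satisfies(w, v, pta["invariants"][l]):
        return False
    for d, i in steps:
        w_d = delay(w, F(d))
        if not satisfies(w_d, v, pta["invariants"][l]):
            return False
        src, g, R, tgt = pta["edges"][i]
        if src != l or not satisfies(w_d, v, g):
            return False
        l, w = tgt, reset(w_d, R)
        if not satisfies(w, v, pta["invariants"][l]):
            return False
    return True

# Constructed L/U-PTA: clocks x, y; pmin is a lower-bound parameter, pmax an upper-bound one.
# l0 has invariant y <= pmax; edge 0 (l0 -> l1) needs pmin <= x <= pmax and resets x;
# edge 1 (l1 -> l1) needs x >= pmin and y <= pmax + 1 and resets x; l1 has invariant true.
TOY = {
    "clocks": ("x", "y"),
    "l0": "l0",
    "invariants": {"l0": [("y", "<=", ("pmax",), 0)], "l1": []},
    "edges": [
        ("l0", [("x", ">=", ("pmin",), 0), ("x", "<=", ("pmax",), 0)], ("x",), "l1"),
        ("l1", [("x", ">=", ("pmin",), 0), ("y", "<=", ("pmax",), 1)], ("x",), "l1"),
    ],
}
# The same automaton with pmax also used as a lower bound: no longer an L/U-PTA.
NOT_LU = dict(TOY, edges=TOY["edges"] + [("l1", [("x", ">=", ("pmax",), 0)], (), "l1")])

if __name__ == "__main__":
    run = [(F(3, 2), 0), (F(1), 1)]          # wait 1.5 and take edge 0, wait 1 and take edge 1
    print(is_lu_pta(TOY, {"pmin"}, {"pmax"}), is_lu_pta(NOT_LU, {"pmin"}, {"pmax"}))
    print(is_run(TOY, {"pmin": 1, "pmax": 2}, run))       # a run of v(A)
    print(is_run(TOY, {"pmin": F(1, 2), "pmax": 3}, run))  # Lemma 4: still a run of v'(A)
    print(is_run(TOY, {"pmin": 1, "pmax": 1}, run))       # invariant y <= pmax is violated
```

The L/U check is purely syntactic, as in Definition 3, and is independent of any valuation; the run check is where the monotonicity of Lemma 4 becomes visible, since relaxing the bounds can only turn failing guard or invariant checks into passing ones.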
2.4 Decision Problems
Let P be a given class of decision problems.
P-emptiness problem:
Input: A PTA A and an instance φ of P
Problem: Is the set of parameter valuations v such that v(A) satisfies φ empty?
In this paper, we mainly focus on the following three decision problems:
deadlock-existence: given a TA v(A), is there at least one run of v(A) that is deadlocked, i. e., has no discrete successor (possibly after some delay)?
cycle-existence: given a TA v(A), is there at least one run of v(A) with an infinite number of discrete transitions?
EG: given a TA v(A) and a subset G of its locations, is there at least one maximal run of v(A) along which the location always remains in G?
For example, given a PTA A, deadlock-existence-emptiness asks: “does there exist a valuation v of the parameters such that at least one run of v(A) is deadlocked, i. e., has no discrete successor”. In the following, we often abbreviate deadlock-existence-emptiness and cycle-existence-emptiness as ED-emptiness and EC-emptiness, respectively.
Figure 1 Examples of L/U-PTAs. (a) Locations l0 (labelled y ≤ p) and l1, with the constraints x = 1, x := 0 and x = 0 ∧ y ≤ p. (b) Location l0 with the constraint x = 1 ∧ y ≤ p. (c) Location l0 with the constraint x ≥ p ∧ y ≤ 1.
Note that ED-emptiness is equivalent to AC-universality, where AC-universality asks whether all parameter valuations are such that all runs contain an infinite number of discrete transitions. Conversely, EC-emptiness is equivalent to AD-universality (for all valuations, all runs are deadlocked). In addition, EG-emptiness is also close to both former problems: EG is true if there exists either a finite run with a deadlock staying in G, or an infinite run staying in G.
3 Cycle-Existence-Emptiness
Theorem 6. The cycle-existence-emptiness problem is decidable for closed bounded L/U-PTAs.
Proof (sketch). From Lemma 4, this problem is equivalent to testing the TA obtained by valuating upper-bound (resp. lower-bound) parameters with their maximum (resp. minimum) value in bounds. See Appendix A for a detailed proof. ◀
The above result cannot be used as such for non-bounded L/U-PTAs as a cycle that exists for an infinite parameter valuation may not exist for any finite parameter valuation: consider the L/U-PTA in Figure 1a. This L/U-PTA has an infinite run for p = ∞, but for any parameter valuation (i. e., different from ∞), the number of self-loops in l0 is bounded by p, and hence finite. However, extending to rational-valued parameters a result from [6], we can still prove decidability.
Lemma 7. Given an L/U-PTA A and a subset of its locations G, the problem of the existence of at least one parameter valuation v such that v(A) has a run passing infinitely often through G is PSPACE-complete.
Proof (sketch). We show that there exists a rational-valued valuation yielding such an infinite run iff there exists an integer-valued valuation yielding such an infinite run. We can then apply [6, Theorem 8], which proves that the existence of such a valuation is PSPACE-complete. See Appendix B for a detailed proof. ◀
Theorem 8. The cycle-existence-emptiness problem is PSPACE-complete for L/U-PTAs.
Proof. Let A be an L/U-PTA. The set of parameter valuations for which A has an infinite run is empty iff the set of parameter valuations for which A has an infinite run passing infinitely often through L (where L denotes all locations of A) is empty. Hence we can directly apply our intermediate Lemma 7 to conclude that this problem is decidable and PSPACE-complete. ◀
Without surprise, this problem becomes undecidable for general PTAs, even when bounded.
Theorem 9. The cycle-existence-emptiness problem is undecidable for (bounded) PTAs with 3 clocks and 1 parameter.
Figure 2 EC-emptiness: gadgets. (a) Initial gadget: locations l0, l1, q0; the edge from l0 to l1 has guard x = a ∧ x > 0, and the edge from l1 to q0 has guard x = 1 and reset x := 0. (b) Increment gadget: locations qi, li1, li2, l′i2, li3, qj; the edge from qi to li1 has guard x = 0; from li1 to li2, guard z = 1 and reset z := 0; from li2 to li3, guard y = a + 1 and reset y := 0; from li1 to l′i2, guard y = a + 1 and reset y := 0; from l′i2 to li3, guard z = 1 and reset z := 0; from li3 to qj, guard x = 1 and reset x := 0.
Proof. We reduce from the boundedness problem of a 2-counter machine, which is undecidable [13]. Recall that a deterministic 2-counter machine has two non-negative counters C1 and C2, a finite number of states and a finite number of transitions, which can be of the form:
when in state qi, increment Ck and go to qj;
when in state qi, decrement Ck and go to qj;
when in state qi, if Ck = 0 then go to qj, otherwise block.
The machine starts in state q0; by definition, it halts when it reaches a specific state called qhalt. The boundedness problem for 2-counter machines asks whether the value of the counters remains smaller than some bound, and is undecidable [13].
Given such a machine M, we encode it as a PTA A(M); our encoding is adapted from an existing encoding of a 2-counter machine, used to (re)prove the EF-emptiness problem for bounded PTAs and then further related results, and found in [4]. We describe it in detail, as we will modify it in the subsequent proofs.
Each state qi of the machine is encoded as a location of the automaton, which we call qi. The counters are encoded using clocks x, y and z and one parameter a, with the following relations with the values c1 and c2 of counters C1 and C2: when x = 0, we have y = 1 − ac1 and z = 1 − ac2. All three clocks are parametric, i. e., are compared with a in some guard or invariant of the encoding. We will see that a is a rational-valued bounded parameter, typically in [0, 1] (although not bounding a has no impact on the proof).
We initialize the clocks with the gadget in Figure 2a (that also blocks the case where a = 0). Clearly, when in q0 with x = 0, we have y = z = 1, which indeed corresponds to counter values 0.
We now present the gadget encoding the increment instruction of C1 in Figure 2b. The transition from qi to li1 only serves to clearly indicate the entry in the increment gadget and is done in 0 time unit. Since we use only equalities, there are really only two paths that go through the gadget: one going through li2 and one through l′i2. Let us begin with the former. We start from some encoding configuration: x = 0, y = 1 − ac1 and z = 1 − ac2 in qi (and therefore the same in li1). We can enter li2 (after elapsing enough time) if 1 − ac2 ≤ 1, i. e., ac2 ≥ 0, which implies that a ≥ 0, and when entering li2 we have x = ac2, y = 1 − ac1 + ac2 and z = 0. Then we can enter li3 if 1 − ac1 + ac2 ≤ 1 + a, i. e., a(c1 + 1) ≥ ac2. When entering li3, we then have x = a(c1 + 1), y = 0 and z = a(c1 + 1) − ac2. Finally, we can go to qj if a(c1 + 1) ≤ 1 and when entering qj we have x = 0, y = 1 − a(c1 + 1) and z = 1 − ac2, as expected.
We now examine the second path. We can enter l′i2 if 1 − ac1 ≤ a + 1, i. e., a(c1 + 1) ≥ 0, and when entering l′i2 we have x = a(c1 + 1), y = 0 and z = 1 − ac2 + a(c1 + 1). Then we can go to li3 if 1 − ac2 + a(c1 + 1) ≤ 1 + a, i. e., a(c1 + 1) ≤ ac2. When entering li3, we then have x = ac2, y = ac2 − a(c1 + 1) and z = 0. Finally, we can go to qj if ac2 ≤ 1 and when entering qj we have x = 0, y = 1 − a(c1 + 1) and z = 1 − ac2, as expected.
Remark that exactly one path can be taken depending on the respective order of c1 + 1 and c2, except when both are equal or a = 0, in which cases both paths lead to the same configuration anyway (and the case a = 0 is excluded by Figure 2a anyway).
Decrement is done similarly by replacing guards y = a + 1 with y = 1, and guards x = 1 and z = 1 with x = a + 1 and z = a + 1, respectively.
From qi, to encode zero-testing C1 and going to qj, we only need to add a transition from qi to qj with guard y = 1 ∧ x = 0.
All those gadgets also work for C2 by swapping y and z.
The actions associated with the transitions do not matter; we can assume a single action σ on all transitions (omitted in all figures).
Finally, we add a self-loop (with no guard) on the location qhalt, ensuring that whenever qhalt is reachable then there exists an infinite run in the PTA.
We now prove that the value of the counters remains bounded iff there exists a parameter valuation v such that v(A) yields an infinite run. First note that if a = 0 the initial gadget cannot be passed, and there is no infinite run. Assume a > 0. Consider two cases:
1. either the value of the counters is not bounded. Then, for any parameter valuation, at some point during an incrementation of, say, C1 we will have a(c1 + 1) > 1 when taking the transition from li2 to li3 and the PTA will be blocked. Therefore, there exists no parameter valuation for which there exists an infinite run.
2. or the value of the counters remains bounded. Let c be their maximal value. Let us consider two subcases:
a. either the machine reaches qhalt: in that case, if c = 0 and 0 < a ≤ 1 or c > 0 and ca < 1, then the PTA valuated with such parameter valuations correctly simulates the machine, yielding a (unique) run reaching location qhalt. From there, this run is infinite thanks to the self-loop on qhalt. The set of such valuations for a is certainly non-empty: a = 1/2 belongs to it if c = 0 and a = 1/c does otherwise.
b. or the machine does not halt. Then again, for a sufficiently small parameter valuation (i. e., a < 1 if c = 0 and a ≤ 1/c otherwise), the machine is properly simulated, and since the machine does not halt, then the run simulating the infinite execution is infinite too. For other values of a, the machine will block at some point in an increment gadget, because a is not small enough and the guard to qj cannot be satisfied.
In both subcases, there exist parameter valuations for which there exists an infinite run.
Hence the value of the counters remains bounded iff there exists a parameter valuation v such that v(A) contains an infinite run. ◀
Remark. Throughout this paper, we allow guards and invariants of the form $x \sim \sum_{1 \le j \le M} \beta_j p_j + d$, which is more restrictive than [6] (that allows parametric coefficients different from 0 and 1, as well as diagonal constraints), but more permissive than [2], that only allows a syntax x ∼ p. In fact, most papers in the literature define their own syntax (see [3] for a survey). We can adapt our proof to fit in the most restrictive syntax (x ∼ p) as follows: transitions with y = a + 1 guards and y := 0 reset can be equivalently replaced by one transition with a y = 1 guard and a reset of some additional clock w, followed by a transition with a w = a guard and the y := 0 reset (and similarly for x and z in the
Figure 3 ED-emptiness for bounded L/U-PTAs: increment gadget. Locations qi, li1, li2, l′i2, li3, qj; the edge from qi to li1 has guard x = 0; from li1 to li2, guard z = 1 and reset z := 0; from li2 to li3, guard a− + 1 ≤ y ≤ a+ + 1 and reset y := 0; from li1 to l′i2, guard a− + 1 ≤ y ≤ a+ + 1 and reset y := 0; from l′i2 to li3, guard z = 1 and reset z := 0; from li3 to qj, guard x = 1 and reset x := 0.
Figure 4 ED-emptiness for bounded L/U-PTAs: initial and final gadgets. (a) Initial gadget: locations l0, l1, q0; the edge from l0 to l1 has guard a− ≤ x ≤ a+ and reset x, y, z := 0; the edge from l1 to q0 has guard x = 1 and reset x := 0. (b) Final gadget: locations qhalt and q′halt, with two edges from qhalt to q′halt, the upper one guarded by a− ≤ x < a+ and the lower one by a− ≤ x ∧ x = 0.
decrement gadget). This also allows the proof to work without complex parametric expressions in guards, using three additional clocks (we conjecture that a smarter encoding can be exhibited to factor these additional clocks, so as to use a single additional clock). A similar modification can be applied to all subsequent undecidability proofs.
4 Deadlock-Existence-Emptiness
Theorem 10. The deadlock-existence-emptiness problem is undecidable for closed bounded L/U-PTAs, with 3 clocks and 2 parameters.
Proof. We will use a reduction from the halting problem of a 2-counter machine.
Let us consider the encoding used in the proof of Theorem 9, that we transform into an L/U-PTA by replacing any comparison of a clock with a (say x = a) into x ≤ a+ ∧ x ≥ a−, where a− (resp. a+) is a lower-bound (resp. upper-bound) parameter. We give the modified increment gadget in Figure 3 (other gadgets are modified in a similar fashion).
We replace the initial gadget (Figure 2a) with the new one in Figure 4a. Before initializing the values of the counters, this gadget first ensures that a− ≤ a+.
We also add a new location q′halt reachable from qhalt as shown in the final gadget in Figure 4b. Finally, we add an unguarded transition (i. e., a transition the guard of which is true) from any location of the encoding (including that of the initial gadget, but excluding qhalt) to location q′halt. That is, it is always possible to reach q′halt from any location without condition, except from qhalt. From that particular location, q′halt is reachable if and only if a− < a+ or a− = 0.
We assume the following bounds for the parameters: a−, a+ ∈ [0, 1].
Let us show that there exists a parameter valuation for which the system contains at least one deadlock iff the 2-counter machine halts, which is undecidable [13]. Let us reason by cases on the valuations of a− and a+.
1. If a− > a+, the initial gadget cannot be passed, but thanks to the unguarded transitions to q′halt, all runs eventually end in q′halt, from which the absence of deadlock is guaranteed by the unguarded self-loop.
2. If a− < a+, the machine may not be properly simulated because some transitions do not occur at the right time and some run could reach qhalt while the machine does not halt. Let us consider a run in the TA obtained with such a parameter valuation.
a. either this run is infinite and remains in the machine (e. g., it loops infinitely through the increment, decrement and 0-test gadgets of our encoding). Then there is no deadlock.
b. or this run would block in a gadget (were it not for the unguarded transitions to q′halt, due to a guard that cannot be satisfied); in that case, thanks to the unguarded transitions to q′halt, this run can go to q′halt, from which it is deadlock-free.
c. or this run reaches qhalt; from there, thanks to the upper transition in Figure 4b, it can reach q′halt, from which it is again deadlock-free.
3. If a− = a+ = 0, the machine may again not be properly simulated: again we could reach qhalt while the machine does not halt. The situation is similar to the previous case (a− < a+) except that in qhalt a run has to take the lower transition in Figure 4b to reach q′halt, from which it is again deadlock-free.
4. If a− = a+ > 0:
a. Either the machine does not halt:
i. . . . and the counters remain bounded: for some parameter valuations small enough to encode the value of the counters (typically a− = a+ ≤ 1/c, where c is the maximum value of both C1 and C2) then the PTA correctly simulates the infinite execution of the machine, and the system is deadlock-free. (Note that such valuations can also lead to q′halt anytime, but this is harmless since this location guarantees the absence of deadlocks.) For other valuations, at some point we have a−c1 > 1; more specifically, there is an incrementation of C1 such that a−c1 ≤ 1 and a−(c1 + 1) > 1. Hence, the run cannot continue in the encoding, but can reach q′halt, from where the run is non-blocking.
ii. . . . and the counters are unbounded. Then whatever the value of a− > 0, at some point we have a−c1 > 1. Then, when executing the corresponding increment gadget, q′halt can be reached from li2, from where the run is non-blocking.
Hence if the machine does not halt, the system is deadlock-free for all parameter valuations.
b. Or the machine halts. In this case, if c is the maximum value of both C1 and C2 over the (necessarily finite) halting execution of the machine, and if c > 0, then for valuations such that a− = a+ ≤ 1/c, there exists one run that correctly simulates the machine (besides plenty of runs that will go to q′halt due to the unguarded transitions); this run that correctly simulates the machine eventually reaches qhalt. From qhalt, for such valuations, the system is deadlocked: indeed, the transitions from qhalt to q′halt can only be taken if a− < a+ or a− = 0. The set of such valuations for which there exists a run that correctly simulates the machine is certainly non-empty: a− = a+ = 1/c belongs to it (if c = 0 then we choose, e. g., a− = a+ = 1/2).
Hence, if the 2-counter machine halts, there exist parameter valuations for which a run has no discrete successor, and hence the system is not deadlock-free.
Hence the 2-counter machine halts iff the set of valuations for which the automaton has at least one deadlock is not empty. ◀
Corollary 11. The deadlock-existence-emptiness problem is undecidable for open bounded L/U-PTAs, L/U-PTAs, bounded PTAs and PTAs, with 3 clocks and 2 parameters.
Proof. Let us consider each formalism:
open bounded L/U-PTAs: In the above construction, we can assume, e. g., a− ∈ (0, 1], which does not impact the proof.
L/U-PTAs: The bounds on the parameters are not required in the above construction: for valuations larger than 1 (that necessarily do not simulate correctly the machine), a gadget may block, therefore leading to q′halt, from which the system is deadlock-free, hence without impacting the spirit of the proof.
bounded PTAs: From the fact that a bounded L/U-PTA is a bounded PTA.
PTAs: From the fact that an L/U-PTA is a PTA.
Observe that the number of parameters can be reduced to 1 for (possibly bounded) PTAs by merging a− and a+ into a single parameter a. ◀
5 EG-Emptiness
In this section, we prove that the EG-emptiness problem is decidable for closed bounded L/U-PTAs, and that lifting either closedness or boundedness leads to undecidability.
Theorem 12. The EG-emptiness problem is decidable for closed bounded L/U-PTAs.
Symbolic Semantics
Let us first recall the symbolic semantics of PTAs (see, e. g., [10]).
We define the time elapsing of a constraint C, denoted by C↗, as the constraint over X and P obtained from C by delaying all clocks by an arbitrary amount of time. We define the past of C, denoted by C↙, as the constraint over X and P obtained from C by letting time pass backward by an arbitrary amount of time (see [10]). Given R ⊆ X, we define the reset of C, denoted by [C]R, as the constraint obtained from C by resetting the clocks in R, and keeping the other clocks unchanged. We denote by C↓P the projection of C onto P, i. e., obtained by eliminating the clock variables (e. g., using Fourier-Motzkin).
A parametric zone is a convex polyhedron over X ∪ P in which all constraints on variables are of the form x ∼ plt (parametric rectangular constraints) or xi − xj ∼ plt (parametric diagonal constraints), where xi ∈ X, xj ∈ X and plt is a parametric linear term over P, i. e., a linear term without clocks (αi = 0 for all i).
A symbolic state is a pair s = (l, C) where l ∈ L is a location, and C its associated parametric zone. The initial symbolic state of A is $s_0 = \big(l_0, (\{\vec{0}\} \wedge I(l_0))^{\nearrow} \wedge I(l_0)\big)$.
The symbolic semantics relies on the Succ operation. Given a symbolic state s = (l, C) and an edge e = (l, g, σ, R, l′), Succ(s, e) = (l′, C′), with $C' = \big([(C \wedge g)]_R \wedge I(l')\big)^{\nearrow} \wedge I(l')$.
The Succ operation is effectively computable, using polyhedra operations: note that the successor of a parametric zone C is a parametric zone (see e. g., [10]).
A symbolic run of a PTA is an alternating sequence of symbolic states and edges starting from the initial symbolic state, of the form $s_0 \overset{e_0}{\Rightarrow} s_1 \overset{e_1}{\Rightarrow} \cdots \overset{e_{m-1}}{\Rightarrow} s_m$, such that for all i = 0, . . . , m − 1, ei ∈ E, and si+1 belongs to Succ(si, ei). In the following, we simply refer to symbolic states belonging to a run of A as symbolic states of A.
We can now come back to the proof of Theorem 12.
Proof. Let A|bounds be a closed bounded L/U-PTA and G be a subset of its locations. Since A is closed and bounded, for each parameter p, bounds(p) is a closed interval [m−(p), m+(p)]. Lemma 4 ensures that the TA vinf/sup(A), where vinf/sup is obtained by valuating lower-bound parameters p− by m−(p) and upper-bound parameters p+ by m+(p), includes all the runs that could be produced with other parameter valuations. In vinf/sup(A), it is decidable
É. André and D. Lime 23:11
to find an infinite path staying in G, or to conclude that none exists [1]. If we do find such a path, we can terminate: the set of valuations satisfying EG is not empty.
If we do not, then, in vinf/sup(A), all paths staying in G are finite. If we keep only discrete actions and locations, which are in finite number, those paths therefore form a finite tree. Let us recall again that, thanks to Lemma 4, all the discrete paths that stay in G and can be obtained with any parameter valuation belong to that tree.
We can now explicitly compute the symbolic states (following the symbolic semantics recalled above) for all the paths in the finite tree (not only those that are maximal). Recall that each symbolic state s is a pair (l, C), where l is a location and C a convex polyhedron representing all parameter valuations and clock valuations that can be reached by the given discrete path. In each of these polyhedra, we can explicitly check for the existence of a deadlock: i) remove all parts that are in the past of the guard of an outgoing transition in A (using operation C↙) and that would satisfy the target location invariant; ii) test for emptiness. Both operations can be performed using classical polyhedral operations.
If we find a deadlock, then we can terminate: the set of valuations satisfying EG is not empty. Otherwise, we can terminate and answer that it is empty, because we have checked all the potential discrete paths staying in G for any parameter valuation. □
Note that this proof fails when the L/U-PTA is not bounded or not closed: consider the L/U-PTA in Figure 1b. As p grows, there are more and more discrete behaviors, but there is no cycle for any parameter valuation. In [6], the authors provide a finite upper bound NA for the upper-bound parameters such that if there exists a valuation for which the valuated L/U-PTA has an accepting run, then the valuation giving 0 to lower-bound parameters and NA to upper-bound parameters also ensures the existence of an accepting run. That bound, used in this example, would indeed prove the non-existence of a cycle for any parameter value, but it does not in turn allow us to derive a finite tree containing all the discrete behaviors for any possible parameter value (a larger bound would still give more runs).
Similarly, now consider the L/U-PTA in Figure 1c. If 0 is excluded from the domain of p, we have a behavior similar to the previous example: as p gets closer and closer to 0, we have more and more discrete behaviors. And even if we could derive a lower bound à la [6] ensuring the non-existence of a cycle here, it would not give a finite tree of all the possible discrete behaviors for any parameter value.
We can actually exhibit a very thin border between decidability and undecidability for L/U-PTAs by proving that, given a bounded L/U-PTA A|bounds with a single open bound in bounds, or an unbounded L/U-PTA, the EG-emptiness problem becomes undecidable.
Theorem 13. The EG-emptiness problem is undecidable for open bounded L/U-PTAs, with 4 clocks and 4 parameters.
Proof (sketch). The proof reduces from the halting problem of a 2-counter machine. We reuse the encoding of Theorem 10, and modify it so that the 2-counter machine executes within a constant duration of 1 time unit. This is achieved by replacing any occurrence of "1" in the encoding with a (new) parameter, either b− or b+ (depending on whether the occurrence of 1 is used as a lower bound or as an upper bound); hence the duration of an increment or decrement gadget is now at least b− and at most b+ (the construction of the zero-test is modified slightly to obtain the same bounds). Then, we add a global invariant w ≤ 1 (where w is a new clock) to all locations. Now that the duration of any gadget is at least b−, for any valuation b− > 0, the number of operations the machine can perform is finite due to the global invariant w ≤ 1. We assume a−, a+, b+ ∈ [0, 1] and b− ∈ (0, 1].
We prove that the 2-counter machine halts iff the set of valuations satisfying EG(L \ {q′halt}) is not empty. We rule out valuations such that a− > a+ or b− > b+ by sending them directly to q′halt. For valuations such that a− < a+ or b− < b+, the machine may not be correctly simulated: either the encoding loops, and then blocks after some operations (due to the invariant), which leads to q′halt; or it reaches qhalt, and goes to q′halt thanks to an appropriate gadget. Finally, valuations such that a− = a+ and b− = b+ > 0 may simulate the machine correctly: if these valuations are not small enough, an increment will block, leading to q′halt; otherwise, for some sufficiently small valuations, and only if the machine halts, qhalt is reached, and from there no transition leads to q′halt, ensuring EG(L \ {q′halt}).
See Appendix C for a detailed proof. □
Remark. The above construction works over 1 time unit (an invariant can be added to q′halt too), so this gives an undecidability result over bounded time as well.
We now prove that EG-emptiness is also undecidable for unbounded L/U-PTAs. When not considering L/U-PTAs, proving an undecidability result for bounded PTAs usually gives the undecidability for unbounded PTAs, as a bounded PTA can be simulated using a PTA (by, e.g., adding the bounds as a guard between a fresh location prior to the initial location and the initial location, e.g., p ∈ [inf, sup] becomes inf ≤ x ≤ sup ∧ p = x). This may not be true for L/U-PTAs, as such a construction requires comparing the clock and the parameter using an equality. In addition, our proof for unbounded L/U-PTAs uses one parameter fewer than for open bounded L/U-PTAs.
Theorem 14. The EG-emptiness problem is undecidable for L/U-PTAs with 4 clocks and 3 parameters.
Proof (sketch). We again use a reduction from the halting problem of a 2-counter machine. Our proof essentially relies on a mechanism similar to the proof of Theorem 13; however, we must use a different PTA encoding (the encoding used in the proof of Theorem 13 does not work for unbounded L/U-PTAs, as it strongly relies on the fact that b− is strictly positive). Instead, we propose an encoding inspired by the encoding of a 2-counter machine proposed in [5] to prove the undecidability of the EF-emptiness problem for PTAs with a single integer-valued parameter (the parameter can also be rational-valued). We modify the encoding of [5] to obtain an L/U-PTA, by splitting the single parameter a into a lower-bound parameter a− and an upper-bound parameter a+, in the spirit of the previous undecidability results for L/U-PTAs in this paper (Theorems 10 and 13). Then, we add a global invariant w ≤ b+ (where w is a fresh clock never reset, and b+ a fresh upper-bound parameter), to ensure that, for any valuation of b+ > 0, the number of operations the machine can perform is finite (which requires some modifications of the gadgets to ensure that they require at least 1 time unit). The proof then follows a reasoning similar to that of Theorem 13.
See Appendix D for a detailed proof. □
Remark. The above construction also works for integer-valued parameters, so this gives an undecidability result for integer-valued parameters too. The proof also works over discrete time (with integer-valued parameters).
6 Conclusion
Despite the vast number of undecidability results linked to the formalism of parametric timed automata, to which we also contribute here, we have achieved some decidability for the existential parametric problem on the EG liveness property. This could be done
by imposing original constraints on the classical subclass of L/U-PTAs, pertaining to the topology of the domain of the parameter values. This domain should be a closed and bounded hyperrectangle of the rational space.
The subclass together with the EG property really lies on the boundary of decidability: on the one hand, we have proved that considering unbounded, or bounded but open, domains leads again to undecidability for EG. On the other hand, if we consider, instead of the EG property (which asks for the existence of a maximal finite or infinite path staying in some locations), only infinite maximal paths (existence of discrete cycles), then we have proved that the problem becomes consistently decidable (with bounded domains or not). And finally, if we consider only finite maximal paths (existence of deadlocks), then we have proved that the problem becomes consistently undecidable.
Future work includes extending the EG decidability result to shapes other than hyperrectangles and studying actual synthesis. In addition, the decidability of problems we proved undecidable for L/U-PTAs should be studied for two subclasses of L/U-PTAs, where all parameters are upper bounds (U-PTAs) or all lower bounds (L-PTAs).
Acknowledgements. The authors thank Olivier H. Roux for fruitful discussions on the topic of parametric timed automata.
References
[1] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
[2] Rajeev Alur, Thomas A. Henzinger, and Moshe Y. Vardi. Parametric real-time reasoning. In STOC, pages 592–601. ACM, 1993.
[3] Étienne André. What's decidable about parametric timed automata? In FTSCS, volume 596 of Communications in Computer and Information Science, pages 1–17. Springer, 2015.
[4] Étienne André, Didier Lime, and Olivier H. Roux. Decision problems for parametric timed automata. Technical report, 2016. URL: www.lipn13.fr/t/PTAs.pdf.
[5] Nikola Beneš, Peter Bezděk, Kim G. Larsen, and Jiří Srba. Language emptiness of continuous-time parametric timed automata. In ICALP, Part II, volume 9135 of LNCS, pages 69–81. Springer, 2015.
[6] Laura Bozzelli and Salvatore La Torre. Decision problems for lower/upper bound parametric timed automata. Formal Methods in System Design, 35(2):121–151, 2009.
[7] Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.
[8] Laurent Doyen. Robust parametric reachability for timed automata. Information Processing Letters, 102(5):208–213, 2007.
[9] Thomas Hune, Judi Romijn, Mariëlle Stoelinga, and Frits W. Vaandrager. Linear parametric model checking of timed automata. JLAP, 52-53:183–220, 2002.
[10] Aleksandra Jovanović, Didier Lime, and Olivier H. Roux. Integer parameter synthesis for timed automata. IEEE TSE, 41(5):445–461, 2015.
[11] Leslie Lamport. Proving the correctness of multiprocess programs. IEEE TSE, 3(2):125–143, 1977.
[12] Joseph S. Miller. Decidability and complexity results for timed automata and semi-linear hybrid automata. In HSCC, volume 1790 of LNCS, pages 296–309. Springer, 2000.
[13] Marvin L. Minsky. Computation: finite and infinite machines. Prentice-Hall, Inc., 1967.
A Proof of Theorem 6
Theorem 6 (recalled). The cycle-existence-emptiness problem is decidable for closed bounded L/U-PTAs.
Proof. Recall that, thanks to the monotonicity property of L/U-PTAs (recalled in Lemma 4), any run possible for a valuation v of the parameters is also possible for any valuation of the parameters for which the upper-bound (resp. lower-bound) parameters are larger (resp. smaller) than or equal to those of v.
Let A|bounds be a closed bounded L/U-PTA. Let vinf/sup be the valuation such that, for each lower-bound parameter p−, vinf/sup(p−) = inf(p−, bounds) and, for each upper-bound parameter p+, vinf/sup(p+) = sup(p+, bounds).
1. If vinf/sup(A) contains an infinite run (which can be checked in PSPACE [1]), then since A|bounds is closed, vinf/sup belongs to bounds, and hence the set of parameter valuations that yield an infinite run is not empty.
2. On the contrary, if vinf/sup(A) contains no infinite run, then from the monotonicity property of L/U-PTAs (Lemma 4), no other valuation in bounds gives a TA with an infinite run, as such a TA could only contain fewer runs. Hence the set of parameter valuations that yield an infinite run is empty. □
B Proof of Theorem 7
Theorem 7 (recalled). Given an L/U-PTA A and a subset of its locations G, the problem of the existence of at least one parameter valuation v such that v(A) has a run passing infinitely often through G is PSPACE-complete.
Proof. Let us prove that there exists a rational-valued valuation satisfying the property iff there exists an integer-valued valuation doing so.
⇐ Since an integer valuation is also a rational-valued valuation, the result trivially holds.
⇒ Assume there exists a rational-valued parameter valuation v for which v(A) contains an infinite run passing infinitely often through locations of G. Let v′ be the integer parameter valuation obtained from v as follows:
$$v'(p) = \begin{cases} v(p) & \text{if } v(p) \in \mathbb{N} \\ \lceil v(p) \rceil & \text{if } p \text{ is an upper-bound parameter} \\ \lfloor v(p) \rfloor & \text{if } p \text{ is a lower-bound parameter} \end{cases}$$
From the monotonicity property of L/U-PTAs (Lemma 4), if v(A) yields an infinite run passing infinitely often through locations of G, then v′(A) does too.
Now, in [6, Theorem 8], it is proved that the problem of the emptiness of the set of integer parameter valuations for which there exists an infinite run passing infinitely often through G is PSPACE-complete. This concludes the proof. □
Figure 5 (EG-emptiness for bounded L/U-PTAs: increment gadget). Locations qi, li1, li2, l′i2, li3, qj. The figure itself is not reproduced; its edges carry the following guards and resets: x = 0; b− ≤ z ≤ b+, z := 0; a− + b− ≤ y, y := 0; a− + b− ≤ y, y := 0; b− ≤ z ≤ b+, z := 0; b− ≤ x ≤ b+, x := 0.
C Proof of Theorem 13
Theorem 13 (recalled). The EG-emptiness problem is undecidable for open bounded L/U-PTAs, with 4 clocks and 4 parameters.
Proof. We will use a reduction from the halting problem of a 2-counter machine.
Let us consider the encoding used in the proof of Theorem 10, to which we will perform several modifications.
First, we force the 2-counter machine to execute within a constant duration of 1 time unit as follows:
1. We replace any occurrence of "1" in the encoding with a parameter, either b− or b+ (depending on whether the occurrence of 1 is used as a lower bound or as an upper bound); hence the duration of an increment or decrement gadget is now at least b− and at most b+. We give the increment gadget in Figure 5. The encoding of a counter is as follows: when x = 0, then y = b − a·c1 and z = b − a·c2, where a = a− = a+ and b = b− = b+ (for other parameter valuations, the machine is not properly simulated). Typically, b will need to be sufficiently small compared to 1 to encode the required number of steps of the machine, and a will need to be sufficiently small compared to b to encode the maximum value of the counters.
2. We modify the zero-test so that its duration is within [b−, b+], as in Figure 6: only the first transition encodes the zero-test, the two other transitions forcing [b−, b+] time units to elapse while keeping the values of the clocks unchanged, assuming a− = a+ and b− = b+ (we will see later that other valuations do not matter). Let a = a− = a+ and b = b− = b+. The zero-test requires here that b = y ∧ x = 0; in addition, z encodes c2 as follows: z = b − a·c2. After reaching li1 and waiting enough time to take the transition to li2 (i.e., a duration of a·c2), we have: z = b and x = y = a·c2. After reaching li2 and waiting enough time to take the transition to qj (i.e., a duration of b − a·c2), we have: z = b − a·c2 and x = y = b. Resetting x gives x = 0, y = b and z = b − a·c2, which was the value when performing the zero-test. So the value of the clocks remains unchanged when b− = b+, and [b−, b+] time units have elapsed in any case.
3. We add to any location in the entire system an invariant w ≤ 1, where w is a fresh clock that is never reset in the increment/decrement/zero-test gadgets. (These invariants are omitted in Figure 5.)
Hence, the duration of any gadget is at least b−, and therefore for any valuation b− > 0 the number of operations the machine can perform is finite due to the global invariant w ≤ 1.
Then, before starting the 2-counter machine encoding, we add an initial gadget given in Figure 7. This gadget constrains a− ≤ a+, b− ≤ b+, and is such that when leaving the
Figure 6 (EG-emptiness for bounded L/U-PTAs: zero-test gadget). Locations qi, li1, li2, qj, with transitions qi → li1 guarded by b− ≤ y ≤ b+ ∧ x = 0 with reset y := 0; li1 → li2 guarded by b− ≤ z ≤ b+ with reset z := 0; li2 → qj guarded by b− ≤ x ≤ b+ with reset x := 0.
Figure 7 (EG-emptiness for bounded L/U-PTAs: initial gadget). Locations l0, l1, q0, with transitions l0 → l1 guarded by a− ≤ x ≤ a+ with resets x, y, z, w := 0; l1 → q0 guarded by b− ≤ x ≤ b+ with resets x, w := 0.
gadget, then y, z ∈ [b−, b+] while x, w are 0. When b− = b+, this correctly encodes that the value of both counters is 0.
Then, we add a new location q′halt (without any invariant, i.e., not requiring w ≤ 1), with two transitions from qhalt as depicted in Figure 8. We then add a transition (with no guard) from any location of the encoding (except qhalt) to q′halt. That is, for any increment gadget, if the value of the parameters is not small enough to correctly simulate the machine, then the system is not deadlocked, and can lead instead to q′halt. (If the value is small enough, the system can either lead to q′halt or continue in the 2-counter machine encoding.) We also add a transition to q′halt (with no guard) from all locations in the initial gadget in Figure 7.
We assume the following bounds for the parameters: a−, a+, b+ ∈ [0, 1] and b− ∈ (0, 1].
Let us show that the 2-counter machine halts iff the set of valuations satisfying EG(L \ {q′halt}) is not empty.
1. If a− > a+ or b− > b+, the initial gadget cannot be passed, and thanks to the transitions to q′halt, all runs eventually reach q′halt, hence EG(L \ {q′halt}) does not hold.
2. If a− < a+ and b− ≤ b+, then the machine may not be correctly simulated: a given run will either reach qhalt, in which case it will also reach q′halt (as the guard from qhalt to q′halt does not forbid this run), or it will loop in the machine until it eventually gets blocked (since b− > 0 and because of the invariant w ≤ 1, for any value of b−, the maximal number of steps is 1/b−); when being blocked, it has no other option than going to q′halt, thanks to the unguarded transitions from any location to q′halt. Hence if a− < a+, EG(L \ {q′halt}) does not hold.
3. If b− < b+ (and a− ≤ a+), again the machine may not be correctly simulated, and following a similar reasoning, EG(L \ {q′halt}) again does not hold.
4. If a− = a+ and b− = b+ > 0:
a. Either the machine does not halt: in this case, after a maximum number of steps (typically 1/b−), a gadget will be blocked due to the invariant w ≤ 1, and the run will end in q′halt. Hence if the 2-counter machine does not halt, EG(L \ {q′halt}) does not hold.
Figure 8 (EG-emptiness for bounded L/U-PTAs: final gadget). Location qhalt, with invariant w ≤ 1, has two transitions to q′halt, guarded by a− ≤ x < a+ and by b− ≤ x < b+ respectively.
b. Or the machine halts: in this case, let c be the maximum value of both C1 and C2 over the (necessarily finite) halting execution of the machine, and let m be the length of this execution. If c > 0, then for valuations such that a− = a+ ≤ b−/c and b− = b+ ≤ 1/m, there exists one run that correctly simulates the machine (besides plenty of runs that will go to q′halt due to the unguarded transitions); this run that correctly simulates the machine eventually reaches qhalt. From qhalt, for such valuations, the system is deadlocked: indeed, the transitions from qhalt to q′halt can only be taken if a− < a+ or b− < b+. Hence EG(L \ {q′halt}) holds. The set of such valuations is certainly non-empty: a− = a+ = 1/(m × c) and b− = b+ = 1/m belongs to it (if c = 0 then we choose, e.g., b− = b+ = 1 and a− = a+ = 1/2). Hence, if the 2-counter machine halts, there exist parameter valuations for which EG(L \ {q′halt}) holds.
Hence the 2-counter machine halts iff the set of valuations for which EG(L \ {q′halt}) holds is not empty. □
D Proof of Theorem 14
Theorem 14 (recalled). The EG-emptiness problem is undecidable for L/U-PTAs with 4 clocks and 3 parameters.
Proof. We will again use a reduction from the halting problem of a 2-counter machine. Our proof essentially relies on a mechanism similar to the proof of Theorem 13; however, we must use a different PTA encoding (the encoding used in the proof of Theorem 13 does not work for unbounded L/U-PTAs, as it strongly relies on the fact that b− is strictly positive), which prevents us from factoring the proof as much as we would have wished.
We propose here an encoding inspired by the encoding of a 2-counter machine proposed in [5] to prove the undecidability of the EF-emptiness problem for PTAs with a single integer-valued parameter used to encode the maximum value of the two counters (although not considered in [5], the proof also works identically with a rational-valued parameter). The model of the 2-counter machine slightly differs from that considered in the rest of this paper. Two different instructions are considered:
- when in state qi, increment Ck and go to qj;
- when in state qi, if Ck = 0 then go to qk, otherwise decrement Ck and go to qj.
Starting from the initial configuration (q0, C1 = 0, C2 = 0) the machine either reaches qhalt and halts, or loops forever. Knowing whether the machine halts is undecidable [13].
The encoding uses a single parameter a. Two clocks x and y are used to encode the value of the counters, while a third clock z is used as an auxiliary clock. Whenever z = 0, then x = c1 and y = c2.
We modify this encoding by splitting the single parameter a into a lower-bound parameter a− and an upper-bound parameter a+, in the spirit of the previous undecidability results for L/U-PTAs in this paper (Theorems 10 and 13).
In addition, we require that the entire execution takes a time less than b+, where b+ is a fresh upper-bound parameter; this is achieved by adding an invariant w ≤ b+ to all locations (with w a fresh clock never reset after the initial gadget).
We give the modified increment gadget for the first counter in Figure 9 (invariants are omitted). Note that, if z = 0 when entering qi, then the time to pass this gadget is in [a− + 1, a+ + 1].
The test and decrement gadget is similar, and given in Figure 10. We performed a slight modification to the zero-test of [5], which was executed in 0 time; we require in our
Figure 9 (EG-emptiness for L/U-PTAs: increment gadget). Locations qi, li1, li2, li2′, li3, li3′, li4, qj. The figure itself is not reproduced; its edges carry the following guards and resets: z = 1, z := 0; a− ≤ x ≤ a+, x := 0; a− ≤ y ≤ a+, y := 0; y = 1, y := 0; a− ≤ y ≤ a+, y := 0; y = 1, y := 0; a− ≤ x ≤ a+, x := 0; a− ≤ z ≤ a+, z := 0.
Figure 10 (EG-emptiness for L/U-PTAs: test and decrement gadget). Locations qi, li1, li2, li2′, li3, li3′, li4, qj (decrement branch) and li1′′, li2′′, qk (zero-test branch). The figure itself is not reproduced; the decrement branch edges carry the guards and resets z = 0 ∧ x > 0; a− ≤ x ≤ a+, x := 0; x = 1, x := 0; a− ≤ y ≤ a+, y := 0; a− ≤ y ≤ a+, y := 0; a− ≤ x ≤ a+, x := 0; x = 1, x := 0; a− ≤ z ≤ a+, z := 0. The zero-test branch edges carry z = 0 ∧ x = 0 (qi → li1′′); a− + 1 ≤ y ≤ a+ + 1, y := 0 (li1′′ → li2′′); a− + 1 ≤ x ≤ a+ + 1, x, z := 0 (li2′′ → qk).
construction that each gadget takes at least one time unit. Hence, we rewrote it in Figure 10 so as to force at least one time unit to elapse after the clocks are tested, and so that the final value of the clocks is not changed when a− = a+ (in the spirit of the same operation in the proof of Theorem 13): when performing the zero-test, we have x = z = 0 and y = c2. Then after a − c2 + 1 time units (with a = a+ = a−), we have x = z = a + 1 − c2 and y = a + 1, and we can take the transition to li2′′, resetting y. Then after c2 time units, we have x = z = a + 1 and y = c2, and we can take the transition to qk, resetting x and z. This finally gives x = z = 0 and y = c2, and the time spent in the gadget is in [a− + 1, a+ + 1], and therefore is at least one time unit. Gadgets for the second counter are symmetric.
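As an added illustration (example code written for this page, not part of the paper), the following Python simulation with exact rationals replays the two zero-test constructions discussed above: the Figure 6 gadget of Appendix C (counters stored as y = b − a·c1, z = b − a·c2, global invariant w ≤ 1) and the zero branch of Figure 10 of Appendix D (counters stored as x = c1, y = c2). Each transition is taken at the earliest delay that satisfies its guard, which is the "waiting enough time" choice made in the proofs. The gadget shapes are transcribed from the figure descriptions; the concrete parameter values and counter contents used in the helper functions are constructed examples, not values from the paper.

```python
from fractions import Fraction as F


class Blocked(Exception):
    """No delay allows the next transition: the run is stuck in the gadget."""


def run_gadget(clocks, transitions, invariant=None):
    """Simulate a linear gadget, taking each transition at the earliest enabled time.

    clocks:      dict clock name -> Fraction (valuation on entry).
    transitions: list of (guards, resets); guards is a list of (clock, lo, hi) meaning
                 lo <= clock <= hi (hi=None: no upper bound); resets lists the clocks
                 set to 0 when the transition is taken.
    invariant:   optional (clock, bound) enforcing clock <= bound in every location.
    Returns (valuation on exit, total time elapsed in the gadget).
    """
    clocks = dict(clocks)
    elapsed = F(0)
    for guards, resets in transitions:
        d_min, d_max = F(0), None  # window of delays satisfying all guards
        for c, lo, hi in guards:
            d_min = max(d_min, lo - clocks[c])
            if hi is not None:
                ub = hi - clocks[c]
                d_max = ub if d_max is None else min(d_max, ub)
        if d_max is not None and d_min > d_max:
            raise Blocked("guard window empty")
        if invariant is not None and clocks[invariant[0]] + d_min > invariant[1]:
            raise Blocked("invariant violated before the guard can be satisfied")
        for c in clocks:
            clocks[c] += d_min
        elapsed += d_min
        for c in resets:
            clocks[c] = F(0)
    return clocks, elapsed


# ---- Appendix C (Figure 6): valuations with a = a- = a+ and b = b- = b+ ----
def encode_bounded(c1, c2, a, b, w=F(0)):
    """Counter encoding of Appendix C: when x = 0, y = b - a*c1 and z = b - a*c2."""
    return {"x": F(0), "y": b - a * c1, "z": b - a * c2, "w": w}


def decode_bounded(clocks, a, b):
    """Inverse of encode_bounded (valid only when x = 0)."""
    return (b - clocks["y"]) / a, (b - clocks["z"]) / a


def zero_test_c1_bounded(b_minus, b_plus):
    """Figure 6 with the parameters valuated: test c1 = 0, then let [b-, b+] elapse."""
    return [
        ([("y", b_minus, b_plus), ("x", F(0), F(0))], ["y"]),  # the actual zero-test
        ([("z", b_minus, b_plus)], ["z"]),                      # padding, preserves z
        ([("x", b_minus, b_plus)], ["x"]),                      # padding, preserves x
    ]


def zero_tests_before_blocking(b):
    """Number of zero-tests of c1 (with c1 = c2 = 0) before the invariant w <= 1 blocks.

    Every gadget takes at least b- time units, so at most 1/b- gadgets fit under w <= 1.
    """
    a = b / 2  # constructed choice; irrelevant while both counters are 0
    clocks = encode_bounded(0, 0, a, b)
    n = 0
    while True:
        try:
            clocks, _ = run_gadget(clocks, zero_test_c1_bounded(b, b), invariant=("w", F(1)))
        except Blocked:
            return n
        n += 1


# ---- Appendix D (Figure 10, zero branch): valuation with a = a- = a+ ----
def zero_branch_unbounded(a_minus, a_plus):
    """Figure 10 branch qi -> li1'' -> li2'' -> qk; on entry x = c1, y = c2, z = 0."""
    return [
        ([("z", F(0), F(0)), ("x", F(0), F(0))], []),     # zero-test on c1
        ([("y", a_minus + 1, a_plus + 1)], ["y"]),         # wait a + 1 - c2, reset y
        ([("x", a_minus + 1, a_plus + 1)], ["x", "z"]),    # wait c2, reset x and z
    ]


def zero_test_unbounded(c2, a):
    """Run the zero branch with c1 = 0 and the given c2; returns (exit clocks, elapsed)."""
    clocks = {"x": F(0), "y": F(c2), "z": F(0), "w": F(0)}
    return run_gadget(clocks, zero_branch_unbounded(a, a))


if __name__ == "__main__":
    a, b = F(1, 8), F(1, 4)  # constructed valuation for the bounded encoding
    out, t = run_gadget(encode_bounded(0, 2, a, b), zero_test_c1_bounded(b, b), ("w", F(1)))
    print("Figure 6: counters after zero-test", decode_bounded(out, a, b), "elapsed", t)
    print("gadgets before w <= 1 blocks with b = 1/4:", zero_tests_before_blocking(b))
    print("Figure 10 zero branch, a = 3, c2 = 2:", zero_test_unbounded(2, F(3)))
```

With b− = b+ the padding transitions leave no choice of delay, so the counters are read back unchanged and exactly b time units elapse per gadget; with c1 ≠ 0 the first guard window is empty and the gadget blocks, which is the only way for the run to reach q′halt through the unguarded transitions. The loop in zero_tests_before_blocking is the 1/b− step bound of the proof of Theorem 13 made concrete.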
We add before the first instruction the initial gadget given in Figure 11, constraining a− ≤ a+ and b+ > 0, and resetting all clocks.
Figure 11 (EG-emptiness for L/U-PTAs: initial gadget). Locations l0, l1, q0, with transitions l0 → l1 guarded by a− ≤ x ≤ a+ with reset x := 0; l1 → q0 guarded by 0 < x ≤ b+ with resets x, y, z, w := 0.
Figure 12 (EG-emptiness for L/U-PTAs: final gadget). Location qhalt, with invariant w ≤ b+, has a transition to q′halt guarded by a− ≤ x < a+.
In addition, just as in Theorem 13, we add unguarded transitions from any location (including those of the initial gadget, but excluding qhalt) to a new location q′halt. We also add the transition from qhalt to q′halt given in the final gadget in Figure 12.
Let us show that the 2-counter machine halts iff the set of valuations for which EG(L \ {q′halt}) holds is not empty. We reason on the parameter valuations.
1. If a− > a+ or b+ = 0, the initial gadget cannot be passed: any run is sent to q′halt because of the transitions to q′halt, and therefore EG(L \ {q′halt}) does not hold.
2. If a− < a+ and b+ > 0, then the machine may not be correctly simulated: a given run will either reach qhalt, in which case it will also reach q′halt (as the guard from qhalt to q′halt in Figure 12 does not forbid this run), or it will loop in the machine until it eventually gets blocked: since b+ > 0 and all gadgets require at least 1 time unit, for any value of b+ the invariant w ≤ b+ will eventually block a transition after at most b+ steps. When being blocked, a run has no other option than going to q′halt, because of the unguarded transitions from any location to q′halt. Hence if a− < a+ and b+ > 0, EG(L \ {q′halt}) does not hold.
3. Now, assume a− = a+ and b+ > 0.
a. Either the machine does not halt: in this case, after a maximum number of steps (at most b+), a gadget will be blocked due to the invariant w ≤ b+, and the run will end in q′halt because of the unguarded transitions from any location to q′halt. Hence if the 2-counter machine does not halt, EG(L \ {q′halt}) does not hold.
b. Or the machine halts: in this case, let c be the maximum value of both C1 and C2 over the (necessarily finite) halting execution of the machine, and let m be the length of this execution. If c > 0, then for valuations such that a− = a+ ≥ c (the parameter encodes the maximum value of the counters) and sufficiently large valuations of b+ (typically b+ ≥ m × (a+ + 1), as a gadget can take up to a+ + 1 time units), there exists one run that correctly simulates the machine; this run eventually reaches qhalt. From qhalt, for such values, the system is deadlocked. Hence, if the 2-counter machine halts, there exist parameter valuations for which a run does not reach q′halt, i.e., for which EG(L \ {q′halt}) holds.
Hence the 2-counter machine halts iff the set of valuations for which EG(L \ {q′halt}) holds is not empty. □