Pushdown Timed Automata: a Binary Reachability Characterization and Safety Verification by Dang, Zhe
arXiv:cs/0110010v1 [cs.LO] 2 Oct 2001
Pushdown Timed Automata:
a Binary Reachability Characterization
and Safety Verification⋆
Zhe Dang
School of Electrical Engineering and Computer Science
Washington State University
Pullman, WA 99164, USA
zdang@eecs.wsu.edu
Abstract. We consider pushdown timed automata (PTAs) that are timed automata (with dense clocks) augmented with a pushdown stack. A configuration of a PTA includes a control state, dense clock values and a stack word. By using the pattern technique, we give a decidable characterization of the binary reachability (i.e., the set of all pairs of configurations such that one can reach the other) of a PTA. Since a timed automaton can be treated as a PTA without the pushdown stack, we can show that the binary reachability of a timed automaton is definable in the additive theory of reals and integers. The results can be used to verify a class of properties containing linear relations over both dense variables and unbounded discrete variables. These properties previously could neither be verified using the classic region technique nor expressed by timed temporal logics for timed automata and CTL∗ for pushdown systems. The results are also extended to other generalizations of timed automata.
1 Introduction
A timed automaton [3] can be considered as a finite automaton augmented with a num-
ber of dense (either real or rational) clocks. Clocks can be reset or progress at rate
1 depending upon the truth values of a number of clock constraints in the form of
clock regions (i.e., comparisons of a clock or the difference of two clocks against an
integer constant). Due to their ability to model and analyze a wide range of real-time
systems, timed automata have been extensively studied in recent years (see [1,35] for
recent surveys). In particular, by using the standard region technique, it has been shown
that region reachability for timed automata is decidable [3]. This fundamental result
and the technique help researchers, both theoretically and practically, in formulating
various timed temporal logics [2,4,5,6,27,32,33,34] and developing verification tools
[11,26,30].
⋆ A short version [18] of this paper appears in the Proceedings of the 13th International Conference on Computer-aided Verification (CAV’01), Lecture Notes in Computer Science 2102, pp. 506-517, Springer.
Region reachability is useful but has intrinsic limitations. In many real-world applications [14], we might also want to know whether a timed automaton satisfies a non-region property, e.g.,
$$x_1 - 2x_2 + x_3' > x_1' + 4x_2' - 3x_3$$
holds whenever clock values $(x_1, x_2, x_3)$ can reach $(x_1', x_2', x_3')$. Recently, Comon and
Jurski [16] have shown that the binary reachability of a timed automaton is definable
in the additive theory of reals augmented with an integral predicate that tells whether a
term is an integer, by flattening a timed automaton into a real-valued counter machine
without nested cycles [15]. The result immediately paves the way for automatic veri-
fication of a class of non-region properties that previously were not possible using the
region technique.
On the other hand, a strictly more powerful system, called a pushdown timed au-
tomaton (PTA), can be obtained by augmenting a timed automaton with a pushdown
stack. PTAs are particularly interesting because they contain both dense clocks and un-
bounded discrete structures. They can be used to study, for instance, a timed version of
pushdown processes [9,23] or real-time programs with procedure calls. A configuration
of a PTA is a tuple of a control state, dense clock values, and a stack word. The binary
reachability of a PTA is the set of all pairs of configurations such that one can reach
the other. Comon and Jurski’s result for timed automata inspires us to look for a sim-
ilar result for PTAs. Is there a decidable binary reachability characterization for PTAs
such that a class of non-region properties can be verified ? The main result in this paper
answers this question positively.
There are several potential ways to approach the question. The first straightforward
approach would be to treat a PTA as a Cartesian product of a timed automaton and a
pushdown automaton. In this way, the binary reachability of a PTA can be formulated
by simply combining Comon and Jurski’s result and the fact that pushdown automata
accept context-free languages. Obviously, this is wrong, since stack operations depend
on clock values and thus can not be simply separated. The second approach is to closely
look at the flattening technique of Comon and Jurski’s to see whether the technique can
be adapted by adding a pushdown stack. However, the second approach has an inherent
difficulty: the flattening technique, as pointed out in their paper, destroys the structure
of the original timed automaton, and thus, the sequences of stack operations can not be
maintained after flattening.
Very recently, the question has been answered positively, but only for integer-valued
clocks (i.e., for discrete PTAs). It has been shown in [19] that the binary reachability
of a discrete PTA can be accepted by a nondeterministic pushdown automaton aug-
mented with reversal-bounded counters (NPCA), whose emptiness problem is known
to be decidable [28]. However, as far as dense clocks are concerned, the automata-based
technique used in [19] does not apply. The reason is that traditional automata theories
do not provide tools to deal with machines containing both real-valued counters (for
dense clocks) and unbounded discrete data structures.
In order to handle dense clocks, we introduce a new technique, called the pattern
technique, by separating a dense clock into an integral part and a fractional part. Con-
sider a pair (v0,v1) of two tuples of clock values. We define (see Section 3 for details)
an ordering, called the pattern of (v0,v1), on the fractional parts of v0 and v1. The
definition guarantees that there are only a finite number of distinct patterns. An equivalence relation “≈” is defined such that (v0,v1)≈(v′0,v′1) iff v0 and v′0 (and likewise v1 and v′1) have the same integral parts, and both (v0,v1) and (v′0,v′1) have the same pattern. The “≈” essentially defines an equivalence relation with a countable number of equivalence classes such that the integral parts of v0 and v1 together with the pattern of the fractional parts of v0 and v1 determine the equivalence class of (v0,v1). A good property of “≈” is that it preserves the binary reachability: v0 can reach v1 by a sequence of transitions iff v′0 can reach v′1 by the (almost) same sequence of transitions, whenever (v0,v1)≈(v′0,v′1). Therefore, the fractional parts can be abstracted away from the
dense clocks by using a pattern. In this way, by preserving the (almost) same control
structure, a PTA can be transformed into a discrete transition system (called a pattern
graph) containing discrete clocks (for the integral parts of the dense clocks) and a finite
variable over patterns. By translating a pattern back to a relation over the fractional parts
of the clocks, the decidable binary reachability characterization of the pattern graph de-
rives the decidable characterization (namely, (D+NPCA)-definable) for the PTA,
since the relation is definable in the additive theory of reals. With this characterization,
it can be shown that the particular class of safety properties that contain mixed linear
relations over both dense variables (e.g., clock values) and discrete variables (e.g., word
counts) can be automatically verified for PTAs. For instance,
whenever configuration α can reach configuration β, αx1 + 2βx2 − αx2 >
#a(αw)−#b(βw) holds.
can be verified, where αx1 is the dense value for clock x1 in α, #a(αw) is the num-
ber of symbols a in the stack word of α. The results can be easily extended to PTAs
augmented with reversal-bounded counters. In particular, we can show that the binary
reachability of a timed automaton is definable in the first-order additive theory over re-
als and integers with ≥ and +, i.e., (R,N,+,≥, 0). Essentially, for timed automata,
Comon and Jurski’s characterization (the additive theory of reals augmented with an
integral predicate) is equivalent to ours (the additive theory of reals and integers). The
additive theory over reals and integers is decidable, for instance, by the Büchi-automata based decision procedure presented in [12].
Fractional orderings are an effective way to abstract the fractional parts of dense
clocks. The idea of using fractional orderings can be traced back to the pioneering work
of Alur and Dill in inventing the region technique [3]. Essentially, the region technique
makes a finite partition of the clock space such that clock values in the same region
give the same answer to each clock constraint in the system (i.e., the automaton of
interest). Comon and Jurski [16] notice that Alur and Dill’s partition is too coarse for establishing the binary reachability of a timed automaton. They move one step further by bringing in the clock values before a transition was made. But Comon and Jurski’s
partition is still finite, since their partition, though finer than Alur and Dill’s, is still
based on answers to all the clock constraints (there are finitely many of them) in the
system. In this paper, ≈ deduces an infinite partition of both the initial values v0 and
the current values v1 of the clocks. Essentially, this partition is based on answers to all
clock constraints (not just the ones in the system). That is, ≈ is finer than Comon and
Jurski’s partition as well as Alur and Dill’s. This is why the flattening technique [16]
destroys the transition structure of a timed automaton but the technique presented in this
paper is able to preserve the transition structure. A class of Pushdown Timed Systems was discussed in [10]. However, that paper focuses on region reachability instead of binary reachability.
This paper is organized as follows. Section 2 reviews a number of definitions and,
in particular, defines a decidable formalism in which the binary reachability of PTAs
are expressed. Section 3 and Section 4 give the definition of patterns and show the
correctness of using patterns as an abstraction for fractional clock values. Section 5 and
Section 6 define PTAs and show that the pattern graph of a PTA has a decidable binary
reachability characterization. Section 7 states the main results of the paper. In Section
8, we point out that the results in this paper can be extended to many other infinite state
machine models augmented with dense clocks.
2 Preliminaries
A nondeterministic multicounter automaton is a nondeterministic automaton with a fi-
nite number of states, a one-way input tape, and a finite number of integer counters.
Each counter can be incremented by 1, decremented by 1, or stay unchanged. Besides,
a counter can be tested against 0. It is well-known that counter machines with two
counters have an undecidable halting problem, and obviously the undecidability holds
for machines augmented with a pushdown stack. Thus, we have to restrict the behaviors
of the counters. One such restriction is to limit the number of reversals a counter can
make. A counter is n-reversal-bounded if it changes mode between nondecreasing and
nonincreasing at most n times. For instance, the following sequence of counter values:
0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 3, 2, 1, 1, 1, 1, · · ·
demonstrates only one counter reversal. A counter is reversal-bounded if it is n-reversal-
bounded for some fixed number n independent of computations. A reversal-bounded
nondeterministic multicounter automaton (NCA) is a nondeterministic multicounter au-
tomaton in which each counter is reversal-bounded. A reversal-bounded nondeterminis-
tic pushdown multicounter automaton (NPCA) is an NCA augmented with a pushdown
stack. In addition to counter operations, an NPCA can pop the top symbol from the
stack or push a word onto the top of the stack. It is known that the emptiness prob-
lem (i.e., whether a machine accepts some words?) for NPCAs (and hence NCAs) is
decidable.
Lemma 1. The emptiness problem for reversal-bounded nondeterministic pushdown
multicounter automata is decidable. [28]
When an automaton does not have an input tape, we call it a machine. In this case, we are interested in the behaviors generated by the machine rather than the language accepted by the automaton. We shall use NPCM (resp. NCM) to stand for an NPCA (resp. NCA) without an input tape.
Let N be the set of integers, D = Q (rationals) or R (reals), and Γ be an alphabet. We use N+ and D+ to denote the non-negative values in N and D, respectively. Each value v ∈ D+ can be uniquely expressed as the sum ⌈v⌉ + ⌊v⌋, where ⌈v⌉ ∈ N is the integral part of v, and 0 ≤ ⌊v⌋ < 1 is the fractional part of v. A dense variable is a variable over D. An integer variable is a variable over N. A word variable is a variable over Γ∗. Let m ≥ 1. For each 1 ≤ i ≤ m, we use xi, yi, and wi to denote a dense variable, an integer variable, and a word variable, respectively. We use #a(wi) to denote a count variable representing the number of occurrences of symbol a ∈ Γ in wi. A linear term t is defined as follows:
t ::= n | xi | yi | #a(wi) | t − t | t + t,
where n ∈ N, a ∈ Γ and 1 ≤ i ≤ m. A mixed linear relation l is defined as follows:
l ::= t > 0 | t = 0 | tdiscrete mod n = 0 | ¬l | l ∧ l,
where t is a linear term, 0 ≠ n ∈ N, and tdiscrete is a linear term not containing dense variables. Notice that a mixed linear relation could contain dense variables, integer variables and word count variables. A dense linear relation is a mixed linear relation that contains dense variables only. A discrete linear relation is a mixed linear relation that does not contain dense variables. Obviously, any discrete linear relation is a Presburger formula over integer variables and word count variables.
Each integer can be represented as a unary string, e.g., string “00000” (resp. “11111”)
for integer +5 (resp.−5). In this way, a tuple of integers and words can be encoded as a
string by concatenating the unary representations of each integer and each of the words,
with a separator # ∉ Γ. For instance, (2,−4, w) is encoded as string “00#1111#w”.
Consider a predicate H over integer variables and word variables. The domain of H is
the set of tuples of integers and words that satisfy H . Under the encoding, the domain
of H can be treated as a set of strings, i.e., a language. A predicate H over integer vari-
ables and word variables is an NPCA predicate (or simply NPCA) if there is an NPCA
accepting the domain of H . A (D+NPCA)-formula f is defined as follows:
f ::= ldense ∧H | ldense ∨H | f ∨ f,
where ldense is a dense linear relation and H is an NPCA predicate. Therefore, a
(D+NPCA) formula is a finite disjunction of formulas in the form of ldense ∧ H
or ldense ∨H , where dense variables (contained only in each ldense) and discrete vari-
ables (contained only in each H) are separated. Let p, q, r ≥ 0. A predicate A on tuples
in Dp ×Nq × (Γ ∗)r is (D+NPCA)-definable if there is a (D+NPCA)-formula
f with p dense variables, p+ q integer variables, and r word variables, such that, for all
x1, · · · , xp in D, for all y1, · · · , yq in N, and for all w1, · · · , wr in Γ ∗,
(x1, · · · , xp, y1, · · · , yq, w1, · · · , wr) ∈ A
iff f(⌊x1⌋, · · · , ⌊xp⌋, ⌈x1⌉, · · · , ⌈xp⌉, y1, · · · , yq, w1, · · · , wr) holds.
Lemma 2. (1). Both ldiscrete ∧ H and ldiscrete ∨H are NPCA predicates, if ldiscrete
is a discrete linear relation and H is an NPCA predicate.
(2). NPCA predicates are closed under existential quantifications (over integer vari-
ables and word variables).
(3). If A is (D+NPCA)-definable and l is a mixed linear relation, then both l ∧ A and l ∨ A are (D+NPCA)-definable.
(4). The emptiness (or satisfiability) problem for (D+NPCA)-definable predi-
cates is decidable.
Proof. (1). ldiscrete is a Presburger formula. (The domain of) ldiscrete can therefore be accepted by a deterministic NCA [28]. Hence, ldiscrete ∧ H and ldiscrete ∨ H can be accepted by NPCAs by “intersecting” and “joining” the deterministic NCA and the NPCA that accepts H, respectively.
(2). Let H be an NPCA predicate containing variable z (either an integer variable or a word variable). Assume H is accepted by NPCA M. An NPCA M′ can be constructed to accept ∃zH by guessing each symbol in the encoding of z (on the input tape of M) and simulating M.
(3). We first show that any mixed linear relation l is definable by a separately mixed
linear relation l′ (i.e., l′ is a Boolean combination of dense linear relations and discrete
linear relations. So, l′ does not have a term containing both dense variables and discrete
variables.). That is, for all x1, · · · , xp ∈ D, y1, · · · , yq ∈ N,
l(x1, · · · , xp, y1, · · · , yq) iff l′(⌊x1⌋, · · · , ⌊xp⌋, ⌈x1⌉, · · · , ⌈xp⌉, y1, · · · , yq).
Instead of giving a lengthy proof, we look at an example of l: x1 − x2 + y1 > 2. This
can be rewritten as: ⌈x1⌉− ⌈x2⌉+ y1− 2+ ⌊x1⌋− ⌊x2⌋ > 0. Term ⌊x1⌋− ⌊x2⌋ is the
only part containing dense variables. Since ⌊x1⌋−⌊x2⌋ is bounded, separating cases for
this term being at (and between) -1, 0, 1 will give a separately mixed linear relation l′.
This separation idea can be applied for any mixed linear relation l. If A is definable by
a (D+NPCA)-formula f , then l∧A (resp. l∨A) is definable by l′∧ f (resp. l′∨ f ).
By re-organizing the dense linear relations (in l′ and f ) and the discrete linear relations
(in l′) such that the discrete linear relations are grouped with the NPCA predicates in f ,
l′ ∧ f and l′ ∨ f can be made (D+NPCA)-formulas using Lemma 2 (1).
(4). The emptiness problem for ldense ∧ H and ldense ∨ H is decidable, noticing
that the emptiness for ldense, which is expressible in the additive theory of reals (or
rationals), is decidable, and the emptiness of NPCA predicate H is decidable (Lemma
1). Therefore, the emptiness of any (D+NPCA) formulas, as well as, from Lemma
2 (3), any (D+NPCA)-definable predicates, is decidable.
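The case split sketched in the proof of Lemma 2 (3), carried through for its example (this derivation is added here and is not part of the paper; it uses only the paper's symbols). Write $I = \lceil x_1\rceil - \lceil x_2\rceil + y_1 - 2$, an integer term, and $\phi = \lfloor x_1\rfloor - \lfloor x_2\rfloor$, which always lies in the open interval $(-1, 1)$. Then

$$x_1 - x_2 + y_1 > 2 \;\iff\; I + \phi > 0 \;\iff\; (I \ge 1) \;\vee\; \bigl(I = 0 \wedge \lfloor x_1\rfloor - \lfloor x_2\rfloor > 0\bigr),$$

since for $I \ge 1$ the inequality holds for every $\phi > -1$, for $I = 0$ it reduces to $\phi > 0$, and for $I \le -1$ it fails for every $\phi < 1$. The right-hand side is a Boolean combination of the discrete linear relations $I \ge 1$ and $I = 0$ (over $\lceil x_1\rceil, \lceil x_2\rceil, y_1$) and the dense linear relation $\lfloor x_1\rfloor - \lfloor x_2\rfloor > 0$, i.e., exactly the separately mixed linear relation $l'$ that the proof requires.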
3 Clock Patterns and Their Changes
A dense clock is simply a dense variable taking non-negative values in D+. Now we
fix a k > 0 and consider k + 1 clocks x = x0, · · · , xk. For technical reasons, x0 is
an auxiliary clock indicating the current time now. Let K = {0, · · · , k}, and K+ =
{1, · · · , k}. A subset K ′ of K is abused as a set of clocks; i.e., we say xi ∈ K ′ if
i ∈ K ′. A (clock) valuation v is a function K → D+ that assigns a value in D+ to
each clock in K . A discrete (clock) valuation u is a function K → N+ that assigns a
value in N+ to each clock in K . For each valuation v and δ ∈ D+, ⌈v⌉, ⌊v⌋ and v+ δ
are valuations satisfying ⌈v⌉(i) = ⌈v(i)⌉, ⌊v⌋(i) = ⌊v(i)⌋ and (v + δ)(i) = v(i) + δ
for each i ∈ K . The relative representation v̂ of a valuation v is a valuation satisfying:
– ⌈v̂⌉ = ⌈v⌉,
– ⌊v̂⌋(0) = ⌊1− ⌊v⌋(0)⌋,
– ⌊v̂⌋(i) = ⌊⌊v⌋(i) + ⌊v̂⌋(0)⌋, for each i ∈ K+.
A valuation v0 is initial if the auxiliary clock x0 has value 0 in v0.
Example 1. Let k = 4 and v1 = (4.296, 1.732, 1.414, 5.289, 3.732). It can be calculated that v̂1 = (4.704, 1.436, 1.118, 5.993, 3.436). Let v2 = v1 + .268 = (4.564, 2, 1.682, 5.557, 4). Then, v̂2 = (4.436, 2.436, 1.118, 5.993, 4.436). Notice that all the fractional parts (except for v̂1(0) and v̂2(0)) are the same in v̂1 and v̂2. It is easy to show that a clock progress (i.e., x0, · · · , xk progress by the same amount, such as .268) does not change the fractional parts of the clock values (for clocks x1, · · · , xk) in a relative representation.
3.1 Clock Patterns
We distinguish two disjoint sets, $K^0 = \{0^0, \cdots, k^0\}$ and $K^1 = \{0^1, \cdots, k^1\}$, of indices. A pattern η is a sequence
$$p_0, \cdots, p_n,$$
for some 0 ≤ n < 2(k + 1), of nonempty and disjoint subsets of $K^0 \cup K^1$ such that
– $0^0 \in p_0$ and
– $\bigcup_{0 \le i \le n} p_i = K^0 \cup K^1$.
In pattern η, $p_i$ is called the i-position. A pair of valuations (v0,v1) is initialized if v0 is initial. The pattern of (v0,v1) characterizes the fractional ordering between elements in ⌊v̂0⌋ and ⌊v̂1⌋ (where $K^0$ is for indices of v0 and $K^1$ is for indices of v1). Formally, an initialized pair (v0,v1) has pattern η = p0, · · · , pn, written (v0,v1) ∈ η, or [(v0,v1)] = η, if, for each 0 ≤ m, m′ ≤ n, each b, b′ ∈ {0, 1}, and each i, i′ ∈ K, $i^b \in p_m$ and $i'^{b'} \in p_{m'}$ imply that
$$\lfloor \hat{\mathbf v}_b \rfloor(i) = \lfloor \hat{\mathbf v}_{b'} \rfloor(i') \ (\text{resp. } <) \quad\text{iff}\quad m = m' \ (\text{resp. } m < m').$$
Though this definition of a pattern is quite complex, a pattern can be easily visualized
after looking at the following example.
Example 2. Consider v1 in Example 1 and an initial valuation v0 = (0, 3.118, 5.118, 2, 1.876). Since v0 is initial, v̂0 = v0. The fractional parts of v0 and v1, in the relative representation, can be put on a big circle representing the interval [0, 1) as shown in Figure 1. Each fractional value ⌊v̂0⌋(i) for v0 is represented by an oval; each fractional value ⌊v̂1⌋(i) for v1 is represented by a box. The pattern of (v0,v1) can be drawn by collecting clockwise (from the top, i.e., v̂0(0) = 0) the indices (superscripted with 0, e.g., $3^0$ for v̂0(3)) for each component in v̂0 and the indices (superscripted with 1, e.g., $3^1$ for v̂1(3)) for each component in v̂1; i.e., the pattern is
$$\eta = p_0, \cdots, p_5$$
with $p_0 = \{0^0, 3^0\}$, $p_1 = \{1^0, 2^0, 2^1\}$, $p_2 = \{1^1, 4^1\}$, $p_3 = \{0^1\}$, $p_4 = \{4^0\}$, $p_5 = \{3^1\}$.
[Figure 1: a circle for the interval [0, 1), with marks at .0 (v̂0(0), v̂0(3)), .118 (v̂0(1), v̂0(2), v̂1(2)), .436 (v̂1(1), v̂1(4)), .704 (v̂1(0)), .876 (v̂0(4)) and .993 (v̂1(3)).]
Fig. 1. A graphical representation of the fractional parts of v0 and v1 in a relative representation in Example 2. That is, ⌊v̂0⌋ = (0, .118, .118, 0, .876) and ⌊v̂1⌋ = (.704, .436, .118, .993, .436) as in Examples 2 and 1. Ovals are for components in ⌊v̂0⌋ and boxes are for components in ⌊v̂1⌋. For instance, the oval labeled by v̂0(4) corresponds to ⌊v̂0⌋(4) = .876.
There are at most $2^{6(k+1)^2}$ distinct patterns. Let Φ denote the set of all the patterns (for the fixed k). A pattern is initial if it is the pattern of (v0,v0) for some initial valuation v0. If η is the pattern of (v0,v1), we use init(η) to denote the pattern of (v0,v0). init(η) is unique for each η. Given two initialized pairs $(\mathbf v_0^1, \mathbf v_1)$ and $(\mathbf v_0^2, \mathbf v_2)$, we write $(\mathbf v_0^1, \mathbf v_1) \approx (\mathbf v_0^2, \mathbf v_2)$ if $(\mathbf v_0^1, \mathbf v_1)$ and $(\mathbf v_0^2, \mathbf v_2)$ have the same pattern and have the same integral parts (i.e., $\lceil \mathbf v_0^1 \rceil = \lceil \mathbf v_0^2 \rceil$, $\lceil \mathbf v_1 \rceil = \lceil \mathbf v_2 \rceil$). The following lemma can be observed.
Lemma 3. For any two initialized pairs $(\mathbf v_0^1, \mathbf v_1)$ and $(\mathbf v_0^2, \mathbf v_2)$ with $(\mathbf v_0^1, \mathbf v_1) \approx (\mathbf v_0^2, \mathbf v_2)$, the following statements hold:
(1). the pattern of $(\mathbf v_0^1, \mathbf v_1)$ is initial iff $\lfloor \mathbf v_1 \rfloor = \lfloor \mathbf v_0^1 \rfloor$,
(2). $\mathbf v_1$ is initial (i.e., $\mathbf v_1(0) = 0$) iff $\mathbf v_2$ is initial,
(3). $\mathbf v_1 = \mathbf v_0^1$ iff $\mathbf v_2 = \mathbf v_0^2$.
A valuation v1 has pattern η if there is an initial v0 such that (v0,v1) has pattern
η. v1 may have a number of patterns, by different choices of v0. A pattern of v1 tells
the truth values of all the fractional orderings ⌊v1⌋(i)#⌊v1⌋(j) and ⌊v1⌋(i)#0 (where
# stands for <,>,≤,≥,=.), for all i, j ∈ K+, as shown in the following lemma.
Lemma 4. Let η = p0, · · · , pn be a pattern of a valuation v. Assume $0^1 \in p_i$ for some 0 ≤ i ≤ n. Then, for any m1 and m2 (with 0 ≤ m1, m2 ≤ n), for any j1 and j2 in K+ (with $j_1^1 \in p_{m_1}$ and $j_2^1 \in p_{m_2}$), the following statements hold.
(1). ⌊v⌋(j1) > ⌊v⌋(j2) iff one of the following conditions holds: $m_1 < i \le m_2$, or $m_2 < m_1 < i$, or $i \le m_2 < m_1$.
(2). ⌊v⌋(j1) = ⌊v⌋(j2) iff $m_1 = m_2$.
(3). ⌊v⌋(j1) > 0 iff $m_1 \ne i$.
(4). ⌊v⌋(j1) = 0 iff $m_1 = i$.
Proof. Directly from the definition of a pattern.
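The relative representation of Section 3, the pattern of an initialized pair (Example 2) and the pattern-only test of Lemma 4 can all be checked mechanically. The Python script below is an added example and not part of the paper: it encodes an index $i^b$ as the tuple (i, b), represents a pattern as its positions in order, uses exact rationals for D = Q, and replays the paper's Examples 1 and 2 (the valuations are the paper's; the function names are this example's own).

```python
from fractions import Fraction
from itertools import product
from math import floor

# Clock valuations are tuples indexed by K = {0, ..., k}; x0 is the auxiliary
# clock "now".  Exact rationals (D = Q) keep the fractional-part comparisons
# that patterns are built from free of floating-point noise.
def val(*xs):
    return tuple(Fraction(x) for x in xs)

def int_part(v):   # the paper's ⌈v⌉: componentwise integral part
    return tuple(floor(x) for x in v)

def frac_part(v):  # the paper's ⌊v⌋: componentwise fractional part in [0, 1)
    return tuple(x - floor(x) for x in v)

def relative(v):
    """Relative representation v̂ (Section 3): ⌈v̂⌉ = ⌈v⌉, ⌊v̂⌋(0) = ⌊1 - ⌊v⌋(0)⌋ and
    ⌊v̂⌋(i) = ⌊⌊v⌋(i) + ⌊v̂⌋(0)⌋ for i >= 1, i.e. all fractional parts are rotated
    by the same amount so that "now" sits at the top of the circle of Figure 1."""
    ip, fr = int_part(v), frac_part(v)
    shift = (1 - fr[0]) % 1
    new_fr = [shift] + [(f + shift) % 1 for f in fr[1:]]
    return tuple(n + f for n, f in zip(ip, new_fr))

def pattern(v0, v1):
    """Pattern [(v0, v1)] of an initialized pair: positions p0, ..., pn list the
    indices i^b, encoded as (i, b), in increasing order of ⌊v̂_b⌋(i); indices with
    equal fractional value share one position.  Because v0 is initial, ⌊v̂0⌋(0) = 0
    is the smallest value, so 0^0 lands in p0 as the definition requires."""
    assert v0[0] == 0, "v0 must be initial (x0 = 0)"
    fr = {0: frac_part(relative(v0)), 1: frac_part(relative(v1))}
    by_value = {}
    for b in (0, 1):
        for i, f in enumerate(fr[b]):
            by_value.setdefault(f, set()).add((i, b))
    return [frozenset(by_value[f]) for f in sorted(by_value)]

def show(eta):
    """Render a pattern the way the paper writes it: {0^0,3^0},{1^0,2^0,2^1},..."""
    return ",".join("{" + ",".join(f"{i}^{b}" for i, b in sorted(p)) + "}" for p in eta)

def frac_greater_by_lemma4(eta, j1, j2):
    """Decide ⌊v⌋(j1) > ⌊v⌋(j2) from a pattern of v alone (Lemma 4 (1)): with i the
    now-position and m1, m2 the positions of j1^1, j2^1, an index that lies before
    0^1 on the circle has wrapped past an integer and so has the larger fraction."""
    pos = {idx: m for m, p in enumerate(eta) for idx in p}
    i, m1, m2 = pos[(0, 1)], pos[(j1, 1)], pos[(j2, 1)]
    return (m1 < i <= m2) or (m2 < m1 < i) or (i <= m2 < m1)

def lemma4_holds(v0, v1):
    """Brute-force check of Lemma 4 (1) and (2) against the actual fractional parts."""
    eta, fr = pattern(v0, v1), frac_part(v1)
    pos = {idx: m for m, p in enumerate(eta) for idx in p}
    clocks = range(1, len(v1))
    return all((fr[a] > fr[b]) == frac_greater_by_lemma4(eta, a, b)
               and (fr[a] == fr[b]) == (pos[(a, 1)] == pos[(b, 1)])
               for a, b in product(clocks, clocks))

# Valuations from Examples 1 and 2 of the paper (k = 4).
V1 = val("4.296", "1.732", "1.414", "5.289", "3.732")
V2 = tuple(x + Fraction("0.268") for x in V1)      # v2 = v1 + .268
V0 = val("0", "3.118", "5.118", "2", "1.876")       # initial: x0 = 0

if __name__ == "__main__":
    print("v̂1 =", [str(x) for x in relative(V1)])
    print("[(v0,v1)] =", show(pattern(V0, V1)))
    print("[(v0,v2)] =", show(pattern(V0, V2)))
    print("Lemma 4 holds on both pairs:", lemma4_holds(V0, V1) and lemma4_holds(V0, V2))
```

The pattern is recovered purely from the sorted fractional values of the two relative representations, which is the point of the construction: any other pair with the same integral parts and the same sort order is ≈-equivalent and, by the paper's Lemma 3 and later results, behaves the same under progresses and resets.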
Recall that $0^1 \in K^1$ stands for the index of the value of clock x0 (representing now) in v1. Let η = p0, · · · , pn be a pattern. $p_i$ is the now-position of η if $0^1 \in p_i$. A pattern η is regulated if the now-position of η is $p_0$. Note that the pattern of an initialized pair (v0,v1) is regulated if and only if the auxiliary clock x0 takes an integral value in v1 (i.e., ⌊v1⌋(0) = 0). A pattern is a merge-pattern if the now-position is a singleton set (i.e., $0^1$ is its only element). A pattern is a split-pattern if it is not a merge-pattern, i.e., the now-position contains more than one element. (“Merge” and “split” will be made clear in a moment.) Obviously, a regulated pattern is always a split-pattern. This is because the now-position of a regulated pattern, which is $p_0$, contains at least the two elements $0^0$ and $0^1$.
3.2 Clock Progresses
For each 0 < δ ∈ D+, v+ δ is the result of a clock progress from v by an amount of δ.
How does a pattern change according to the progress? Let us first look at an example.
Example 3. Consider v1, v2 (= v1 + .268) in Example 1, and v0 in Example 2. In Example 2, we indicated that the pattern η1 of (v0,v1) is
$$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1, 4^1\}, \{0^1\}, \{4^0\}, \{3^1\}.$$
Similar steps can be followed to show that the pattern η2 of (v0,v2) is
$$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1, 4^1, 0^1\}, \{4^0\}, \{3^1\}.$$
A helpful way to see the relationship between η1 and η2 is by looking at Figure 1. Holding the box labeled by v̂1(0) (for the current time) and sliding counter-clockwise along the big circle for an amount of .268 will stop at the box labeled by v̂1(1) and v̂1(4). Thus, the pattern η2 (after sliding) is exactly η1 (before sliding) except that $0^1$ in the 3-position in η1 is merged into the 2-position in η2. Notice that η1 is a merge-pattern and the resulting η2 is a split-pattern. The integral parts ⌈v1⌉(1) and ⌈v1⌉(4) change to ⌈v2⌉(1) = ⌈v1⌉(1) + 1 and ⌈v2⌉(4) = ⌈v1⌉(4) + 1. But all the other components of ⌈v1⌉ do not change. The reason is that, after merging $0^1$ with $1^1$ and $4^1$ in η2, the fractional parts ⌊v2⌋(1) and ⌊v2⌋(4) are “rounded” (i.e., become 0). What if we further make a clock progress from v2 for an amount of δ′ = .12? The resulting pattern η3 of (v0,v3) with v3 = v2 + δ′ is the result of splitting $0^1$ from the 2-position $\{1^1, 4^1, 0^1\}$. That is, η3 is
$$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{0^1\}, \{1^1, 4^1\}, \{4^0\}, \{3^1\},$$
which is a merge-pattern again. This process of merging and splitting can be formally defined as the following function next.
Function $\mathrm{next} : \Phi \times (N^+)^{k+1} \to \Phi \times (N^+)^{k+1}$ describes how a pattern changes upon a clock progress. Given any discrete valuation u and pattern η = p0, · · · , pn with the now-position being $p_i$ for some i, next(η,u) is defined to be (η′,u′) such that,
– (the case when η is a merge-pattern) if i > 0 and $|p_i| = 1$ (that is, the now-position $p_i = \{0^1\}$), then η′ is
$$p_0, \cdots, p_{i-1} \cup \{0^1\}, p_{i+1}, \cdots, p_n$$
(that is, η′ is the result of merging the now-position into the previous position), and for each j ∈ K+, if $j^1 \in p_{i-1}$, then u′(j) = u(j) + 1 else u′(j) = u(j). Besides, if i = 1 (i.e., the now-position is merged into $p_0$; in this case, η′ is a regulated pattern), then u′(0) = u(0) + 1 else u′(0) = u(0),
– (the case when η is a split-pattern) if i ≥ 0 and $|p_i| > 1$, then η′ is the result of splitting $0^1$ from the now-position. That is, if i > 0, η′ is
$$p_0, \cdots, p_{i-1}, \{0^1\}, p_i - \{0^1\}, p_{i+1}, \cdots, p_n.$$
However, if i = 0, η′ is
$$p_0 - \{0^1\}, p_1, \cdots, p_n, \{0^1\}.$$
In either case, u′ = u.
If next(η,u) = (η′,u′), (1). η′ is called the next pattern of η, written Next(η), (2). $\Delta_\eta \in \{0, 1\}^{k+1}$ is called the increment vector of η with $\Delta_\eta = \mathbf u' - \mathbf u$. Obviously, Next(η) ≠ η and Next(·) is total and 1-1.
To better understand Next(·), we visualize pattern η as a circle shown in Figure 2. Applications of Next(·) can be regarded as moving the index $0^1$ along the circle, by performing merge-operations (Figure 2 (a)) and split-operations (Figure 2 (b)) alternately. After enough applications of Next(·), $0^1$ will return to the original now-position after moving through the entire circle. That is, for each pattern η, there is a smallest positive integer m such that $\mathrm{Next}^m(\eta) = \eta$; i.e., $\eta_0, \cdots, \eta_m$ satisfies $\eta_0 = \eta_m = \eta$, and $\mathrm{Next}(\eta_i) = \eta_{i+1}$ for each 0 ≤ i < m. More precisely, by looking at Figure 2, if η is a merge-pattern, m = 2n; if η is a split-pattern, m = 2(n + 1). Furthermore, elements $\eta_0, \cdots, \eta_{m-1}$ are distinct. The sequence $\eta_0, \cdots, \eta_m$ is called a pattern ring. The pattern ring is unique for each fixed $\eta_0$. Notice that $\mathrm{next}^m(\eta, \mathbf u) = (\eta, \mathbf u + 1)$ for each u. Since the next pattern Next(η) is a merge-pattern (resp. split-pattern) if η is a split-pattern (resp. merge-pattern), on a pattern ring, merge-patterns and split-patterns appear alternately.
Fix any initialized pair (v0,v) and 0 < δ ∈ D+. Assume the patterns of (v0,v) and (v0,v + δ) are η and η′, respectively. We say v has no pattern change for δ if, for all 0 ≤ δ′ ≤ δ, (v0,v + δ′) has the same pattern. We say v has one pattern change for δ if Next(η) = η′ and, for all 0 < δ′ < δ, (v0,v + δ′) has pattern η, or, for all 0 < δ′ < δ, (v0,v + δ′) has pattern η′. The following lemma on the correctness of next can be observed.
Lemma 5. For any initialized pair (v0,v) and any 0 < δ ∈ D+, the following statements are equivalent:
(1). next([(v0,v)], ⌈v⌉) = ([(v0,v + δ)], ⌈v + δ⌉),
(2). v has one pattern change for δ.
[Figure 2: two circles of positions p0, p1, p2, …, pn. (a) merge: the now-position $p_i = \{0^1\}$ is merged with $p_{i-1}$ into $p_{i-1} \cup \{0^1\}$. (b) split: $\{0^1\}$ is split off from the now-position, leaving $p_i - \{0^1\}$.]
Fig. 2. A graphical representation of a pattern η = p0, · · · , pn. Operator Next(·) has the same effect as moving the now-position counter-clockwise. In case (a), the now-position is merged into the previous position. In case (b), index $0^1$ is split from the now-position.
We say v has n pattern changes for δ with n ≥ 1, if there are positive $\delta_1, \cdots, \delta_n$ in D+ with $\sum_{1 \le i \le n} \delta_i = \delta$ such that $\mathbf v + \sum_{1 \le i \le j} \delta_i$ has one pattern change for $\delta_{j+1}$, for each j = 0, · · · , n − 1. Note that for any δ ≤ 1, v has at most m pattern changes, where m is the length of the pattern ring starting from the pattern η of (v0,v). This m is uniformly bounded by 4(k + 1).
Lemma 6. For any initialized pair (v0,v) and any δ ∈ D+, (1) v has at most 4(k + 1) pattern changes for δ if δ ≤ 1, (2) v has at least one pattern change for δ if δ ≥ 1, (3) if v has no pattern change for δ then ⌈v⌉ = ⌈v + δ⌉.
3.3 Clock Resets
In addition to clock progresses, clock resets are the other form of clock behaviors. Let r ⊆ K+ be (a set of) clock resets. $\mathbf v \downarrow_r$ denotes the result of resetting each clock $x_i \in r$ (i.e., i ∈ r). That is, for each i ∈ K,
$$(\mathbf v \downarrow_r)(i) = \begin{cases} 0 & \text{if } i \in r \\ \mathbf v(i) & \text{otherwise.} \end{cases}$$
Example 4. Consider v0 and v1 given in Example 2 and Example 1. Assume r = {4}. By definition, $\mathbf v_1 \downarrow_r$ = (4.296, 1.732, 1.414, 5.289, 0). It can be calculated that the relative representation of $\mathbf v_1 \downarrow_r$ is (4.704, 1.436, 1.118, 5.993, 0.704). The pattern of $(\mathbf v_0, \mathbf v_1 \downarrow_r)$ can be figured out again by looking at Figure 1. The reset of clock x4 can be conceptually regarded as moving the label v̂1(4) from the box of v̂1(1) and v̂1(4) to the box of v̂1(0) (the current time). Therefore, the pattern after the reset changes from
$$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1, 4^1\}, \{0^1\}, \{4^0\}, \{3^1\}$$
of (v0,v1) to
$$\{0^0, 3^0\}, \{1^0, 2^0, 2^1\}, \{1^1\}, \{0^1, 4^1\}, \{4^0\}, \{3^1\}$$
of $(\mathbf v_0, \mathbf v_1 \downarrow_r)$ by moving $4^1$ into the position containing $0^1$.
Functions $\mathrm{reset}_r : \Phi \times (N^+)^{k+1} \to \Phi \times (N^+)^{k+1}$ for r ⊆ K+ describe how a pattern changes after clock resets. Given any discrete valuation u and any pattern η = p0, · · · , pn with the now-position being $p_i$ for some i, $\mathrm{reset}_r(\eta, \mathbf u)$ is defined to be (η′,u′) such that,
– η′ is $p_0 - r^1, \cdots, p_{i-1} - r^1, p_i \cup r^1, p_{i+1} - r^1, \cdots, p_n - r^1$, where $r^1 = \{j^1 : j \in r\} \subseteq K^1$. Therefore, η′ is the result of bringing every index in $r^1$ into the now-position. Notice that some $p_m - r^1$ may be empty after moving the indices in $r^1$ out of $p_m$, for m ≠ i. In this case, these empty elements are removed from η′ (to guarantee that η′ is well defined),
– for each j ∈ K, if j ∈ r, then u′(j) = 0 else u′(j) = u(j).
If $\mathrm{reset}_r(\eta, \mathbf u) = (\eta', \mathbf u')$, η′ is written as $\mathrm{Reset}_r(\eta)$. Note that $\mathrm{Reset}_r(\eta)$ is unique for each η and r, and is independent of u. The following lemma states that reset is correct.
Lemma 7. For any initialized pair (v0,v) and any r ⊆ K+,
resetr([(v0,v)], ⌈v⌉) = ([(v0,v ↓r)], ⌈v ↓r⌉).
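The functions next (Section 3.2) and reset_r (Section 3.3) operate on patterns and integral parts only, so the pattern graph's transitions can be executed without ever touching a dense value. The Python script below is an added example and not part of the paper: it encodes an index $i^b$ as (i, b) and a pattern as its list of positions, implements both functions exactly as defined above, and replays Example 3 (two progresses and the full pattern ring from η1) and Example 4 (the reset of x4). The pattern and integral parts are the paper's; the function names are this example's own.

```python
NOW = (0, 1)   # the index 0^1: the "now" clock x0 of the second valuation

def parse(s):
    """Parse the paper's notation '{0^0,3^0},{1^0,2^0,2^1},...' into a pattern."""
    return [frozenset((int(i), int(b)) for i, b in (t.split("^") for t in grp.split(",")))
            for grp in s.strip("{}").split("},{")]

def show(eta):
    return ",".join("{" + ",".join(f"{i}^{b}" for i, b in sorted(p)) + "}" for p in eta)

def now_position(eta):
    return next(m for m, p in enumerate(eta) if NOW in p)

def is_merge_pattern(eta):
    return len(eta[now_position(eta)]) == 1

def is_regulated(eta):
    return now_position(eta) == 0

def pattern_next(eta, u):
    """next(η, u) of Section 3.2.  Merge-pattern: 0^1 joins the previous position;
    every clock j whose j^1 sits there crosses an integer, so u(j) += 1, and u(0)
    is incremented when the merge lands in p0.  Split-pattern: 0^1 is split off
    (wrapping to the end of the circle when the now-position is p0); u unchanged."""
    i, u = now_position(eta), list(u)
    if i > 0 and len(eta[i]) == 1:                         # merge-pattern
        new = eta[:i - 1] + [eta[i - 1] | {NOW}] + eta[i + 1:]
        for j, b in eta[i - 1]:
            if b == 1:                                     # j^1 in p_{i-1}
                u[j] += 1
        if i == 1:                                         # merged into p0
            u[0] += 1
    else:                                                  # split-pattern
        rest = eta[i] - {NOW}
        if i > 0:
            new = eta[:i] + [frozenset({NOW}), rest] + eta[i + 1:]
        else:                                              # wrap around the circle
            new = [rest] + eta[1:] + [frozenset({NOW})]
    return new, tuple(u)

def pattern_ring(eta, u):
    """Apply next until the pattern recurs: returns (η0, ..., ηm) with η0 = ηm = η
    and the discrete valuation reached, which by the paper is u + 1 componentwise."""
    ring, cur = [eta], (eta, u)
    while True:
        cur = pattern_next(*cur)
        ring.append(cur[0])
        if cur[0] == eta:
            return ring, cur[1]

def pattern_reset(eta, u, r):
    """reset_r(η, u) of Section 3.3: move every j^1 with j in r into the
    now-position, drop positions that become empty, zero u(j) for j in r."""
    i, r1 = now_position(eta), {(j, 1) for j in r}
    new = [frozenset(p | r1 if m == i else p - r1) for m, p in enumerate(eta)]
    return [p for p in new if p], tuple(0 if j in r else x for j, x in enumerate(u))

# Pattern η1 of (v0, v1) and ⌈v1⌉ from Example 3 of the paper (k = 4).
ETA1 = parse("{0^0,3^0},{1^0,2^0,2^1},{1^1,4^1},{0^1},{4^0},{3^1}")
U1 = (4, 1, 1, 5, 3)

if __name__ == "__main__":
    eta2, u2 = pattern_next(ETA1, U1)          # clock progress by .268 (Example 3)
    eta3, u3 = pattern_next(eta2, u2)          # further progress by .12
    print("η2 =", show(eta2), "u =", u2)
    print("η3 =", show(eta3), "u =", u3)
    ring, u_end = pattern_ring(ETA1, U1)
    print("ring length m =", len(ring) - 1, "final u =", u_end)
    print("Reset_{4}(η1) =", show(pattern_reset(ETA1, U1, {4})[0]))
```

Running the ring from η1 gives m = 10 = 2n for this merge-pattern with n = 5, exactly one regulated pattern on the ring, alternating merge- and split-patterns, and a final discrete valuation of ⌈v1⌉ + 1, which is the $\mathrm{next}^m(\eta, \mathbf u) = (\eta, \mathbf u + 1)$ property stated after Figure 2.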
4 Clock Constraints and Patterns
An atomic clock constraint (over clocks x1, · · · , xk, excluding x0) is a formula in the
form of xi − xj#d or xi#d where 0 ≤ d ∈ N+ and # stands for <,>,≤,≥,=. A
clock constraint c is a Boolean combination of atomic clock constraints. Let C be the
set of all clock constraints (over clocks x1, · · · , xk). We say v ∈ c if clock valuation v
(for x0, · · · , xk) satisfies clock constraint c.
Any clock constraint c can be written as a Boolean combination I(c) of clock con-
straints over discrete clocks ⌈x1⌉, · · · , ⌈xk⌉ and fractional orderings ⌊xi⌋#⌊xj⌋ and
⌊xi⌋#0. For instance, xi−xj < d is equivalent to: ⌈xi⌉−⌈xj⌉ < d, or, ⌈xi⌉−⌈xj⌉ = d
and ⌊xi⌋ < ⌊xj⌋. xi > d is equivalent to: ⌈xi⌉ > d, or, ⌈xi⌉ = d and ⌊xi⌋ > 0. There-
fore, testing v ∈ c is equivalent to testing ⌈v⌉ and the fractional orderings on ⌊v⌋
satisfying I(c).
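The decomposition I(c) of an atomic constraint into an integral-part test plus a fractional ordering, as an added Python example (not from the paper), written out for all five comparison operators and cross-checked against direct evaluation on exact rational valuations; `ipart` and `fpart` stand for the paper's ⌈x⌉ and ⌊x⌋, and a constraint x_i # d is handled as the case j = None, where the fractional ordering reduces to ⌊x_i⌋ # 0.

```python
from fractions import Fraction
from math import floor
import random

def ipart(x):
    """The paper's integral part ⌈x⌉ of a non-negative clock value (the usual floor)."""
    return floor(x)

def fpart(x):
    """The paper's fractional part ⌊x⌋ = x − ⌈x⌉, always in [0, 1)."""
    return x - floor(x)

def val(*xs):
    """Exact clock valuation on x_0, x_1, ... from decimal strings or numbers."""
    return [Fraction(x) for x in xs]

# The five comparison operators '#' allowed in atomic constraints.
CMP = {'<': lambda a, b: a < b, '<=': lambda a, b: a <= b, '=': lambda a, b: a == b,
       '>=': lambda a, b: a >= b, '>': lambda a, b: a > b}

def atomic_direct(v, i, j, op, d):
    """v ∈ (x_i − x_j # d) evaluated directly on dense values; j = None means x_i # d."""
    lhs = v[i] - (v[j] if j is not None else 0)
    return bool(CMP[op](lhs, d))

def atomic_via_I(v, i, j, op, d):
    """The same test through I(c): compare ⌈x_i⌉ − ⌈x_j⌉ with d on the integers and fall back
    to the fractional ordering ⌊x_i⌋ # ⌊x_j⌋ exactly when the integral difference equals d.
    For x_i # d the second clock is the constant 0 (integral part 0, fractional part 0),
    so the fractional ordering degenerates to ⌊x_i⌋ # 0, as in the text."""
    ai, fi = ipart(v[i]), fpart(v[i])
    aj, fj = (ipart(v[j]), fpart(v[j])) if j is not None else (0, Fraction(0))
    diff = ai - aj
    if op == '=':
        return bool(diff == d and fi == fj)
    strict = CMP[op.rstrip('=')]            # '<' serves '<' and '<=', '>' serves '>' and '>='
    # e.g. x_i − x_j < d  iff  ⌈x_i⌉−⌈x_j⌉ < d, or ⌈x_i⌉−⌈x_j⌉ = d and ⌊x_i⌋ < ⌊x_j⌋
    return bool(strict(diff, d) or (diff == d and CMP[op](fi, fj)))

def cross_check(k=3, trials=300, seed=7):
    """Randomised agreement check of I(c) with the direct test for every atomic constraint
    over x_1..x_k and every d in 0..5; small denominators make equal fractional parts common."""
    rng = random.Random(seed)
    for _ in range(trials):
        v = [Fraction(rng.randrange(0, 40), rng.choice([1, 2, 4, 5])) for _ in range(k + 1)]
        for i in range(1, k + 1):
            for j in [None] + [jj for jj in range(1, k + 1) if jj != i]:
                for op in CMP:
                    for d in range(6):
                        if atomic_direct(v, i, j, op, d) != atomic_via_I(v, i, j, op, d):
                            return False
    return True

if __name__ == '__main__':
    v = val('0', '3.7', '1.2')      # constructed valuation on x0, x1, x2
    print(atomic_via_I(v, 1, 2, '<', 3), atomic_direct(v, 1, 2, '<', 3))
    print(cross_check())
```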
Assume v has a pattern η = p0, · · · , pn. A fractional ordering on ⌊v⌋ is equivalent
to a Boolean condition on η, as shown in Lemma 4. Whenever η is fixed, each fractional
ordering in I(c) has a specific truth value (either 0 or 1). In this case, we use I(c)η, or
simply cη, to denote the result of replacing fractional orderings in I(c) by the truth
values given by η. cη, without containing fractional orderings, is just a clock constraint
(over discrete clocks). Notice that the pattern space Φ is finite, therefore, v ∈ c is
equivalent to
$$\bigvee_{\eta \in \Phi} \big(v \text{ has pattern } \eta \;\wedge\; \lceil v \rceil \in c_\eta\big).$$
Hence, the truth value of v ∈ c only depends on a pattern of v and the integral parts
of v. These observations lead to the following results. In particular, Lemma 8 (2)
indicates that it suffices to test the two end points v ∈ c and v + δ ∈ c in order to
make sure that c is consistently satisfied on each v + δ′, 0 ≤ δ′ ≤ δ, provided that from v
to v + δ there is at most one pattern change.
Lemma 8. (1). For any initialized pair (v0,v), any pattern η ∈ Φ, if (v0,v) has pat-
tern η, then, for any clock constraint c ∈ C, v ∈ c iff ⌈v⌉ ∈ cη .
(2). For any initialized pair (v0,v) and any 0 < δ ∈ D+, if v has at most one
pattern change for δ, then, for any clock constraint c ∈ C,
∀0 ≤ δ′ ≤ δ(v + δ′ ∈ c) iff v ∈ c and v + δ ∈ c.
(3). For any initialized pairs (v10,v1) and (v20,v2), if (v10,v1)≈(v20,v2), then, for
any c ∈ C, v1 ∈ c iff v2 ∈ c.
Proof. (1) is from the observations made before this lemma in this section. (2) is from
(1) and Lemma 5. (3) is directly from (1).
Now, we consider two initialized pairs $(v^1_0, v^1)$ and $(v^2_0, v^2)$ such that $(v^1_0, v^1) \approx (v^2_0, v^2)$.
That is, from the definition of ≈, $v^1_0$ (resp. $v^1$) has the same integral parts as $v^2_0$ (resp.
$v^2$). Besides, the two pairs have the same pattern. From Lemma 8(3), any test c ∈ C will
not tell the difference between $v^1$ and $v^2$. Assume $v^1$ can be reached from a valuation
$\bar v^1$ via a clock progress by an amount of $\delta_1$, i.e., $\bar v^1 + \delta_1 = v^1$. We would like to
know whether $v^2$ can be reached from some valuation $\bar v^2$ also via a clock progress
but probably by a slightly different amount $\delta_2$ such that $(v^1_0, \bar v^1)$ and $(v^2_0, \bar v^2)$ are
still equivalent (≈). We also expect that for any test c, if during the progress of $\bar v^1$,
c is consistently satisfied, then so is c for the progress of $\bar v^2$. The following lemma
concludes that these, as well as the parallel case for clock resets, can be done. This result
can be used later to show that if $v^1$ is reached from $v^1_0$ by a sequence of transitions that
repeatedly perform clock progresses and clock resets, then $v^2$ can also be reached from
$v^2_0$ via a very similar sequence such that no test c can distinguish the two sequences.
Lemma 9. For any initialized pairs $(v^1_0, v^1)$ and $(v^2_0, v^2)$ with $(v^1_0, v^1) \approx (v^2_0, v^2)$,
(1). for any $0 \le \delta_1 \in D^+$, for any clock valuation $\bar v^1$, if $\bar v^1 + \delta_1 = v^1$, then there
exist $0 \le \delta_2 \in D^+$ and clock valuation $\bar v^2$ such that
(1.1). $\bar v^2 + \delta_2 = v^2$ and $(v^1_0, \bar v^1) \approx (v^2_0, \bar v^2)$,
(1.2). $\bar v^1$ is initial iff $\bar v^2$ is initial,
$\bar v^1 = v^1_0$ iff $\bar v^2 = v^2_0$, and
for any c ∈ C, $\bar v^1 \in c$ (resp. $v^1 \in c$) iff $\bar v^2 \in c$ (resp. $v^2 \in c$),
(1.3). for any clock constraint c ∈ C, $\forall 0 \le \delta' \le \delta_1 (\bar v^1 + \delta' \in c)$ iff $\forall 0 \le \delta' \le \delta_2 (\bar v^2 + \delta' \in c)$.
(2). for any r ⊆ K+, for any clock valuation $\bar v^1$, if $\bar v^1 \downarrow_r = v^1$, then there exists a
valuation $\bar v^2$ such that
(2.1). $\bar v^2 \downarrow_r = v^2$ and $(v^1_0, \bar v^1) \approx (v^2_0, \bar v^2)$,
(2.2). same as (1.2).
Proof. (1). Assume $\delta_1$ is “small”, i.e., from $\bar v^1$ to $v^1 = \bar v^1 + \delta_1$, there is at most one
pattern change. Let η = p0, · · · , pn be the pattern for $(v^2_0, v^2)$ (and, hence, for $(v^1_0, v^1)$).
Assume 01 ∈ pi for some i. If $\delta_1$ causes no pattern change for $\bar v^1$, then simply take
$\delta_2 = 0$. If $\delta_1$ causes one pattern change for $\bar v^1$, then we put $(v^2_0, v^2)$ on a circle (e.g.
Figure 1). If η is a split-pattern (i.e., |pi| > 1), then we separate a new box (only labeled
by $\lfloor \hat v^2 \rfloor(0)$) from the original box labeled by $\lfloor \hat v^2 \rfloor(0)$ and slide the new box backwards
(i.e., clockwise) for a small positive amount (taken as $\delta_2$) without hitting any box or
oval. If η is a merge-pattern (i.e., |pi| = 1), then we slide the box labeled by $\lfloor \hat v^2 \rfloor(0)$
(this is the only label) backwards (i.e., clockwise) for a positive amount (taken as $\delta_2$)
until a box or an oval is hit. Take $\bar v^2 = v^2 - \delta_2$. Obviously, $(v^1_0, \bar v^1) \approx (v^2_0, \bar v^2)$. It can
be checked that (1.2) and (1.3) hold using Lemma 8 and Lemma 3.
Any larger $\delta_1$ that causes multiple pattern changes for $\bar v^1$ can be split into a finite
(Lemma 6) sequence of small δ's, each of which causes exactly one pattern change. In this case, $\delta_2$
can be calculated by working on each small δ (the last one first) as in the above proof.
(2). The case when r = ∅ is obvious. Assume r contains only one element j ∈ K+.
Assume η is the pattern of $(v^1_0, \bar v^1)$. A desired $\bar v^2$ is picked as follows. The integral
parts of $\bar v^2$ are exactly those of $\bar v^1$; i.e., $\lceil \bar v^2 \rceil = \lceil \bar v^1 \rceil$. The fractional parts of $\bar v^2$ are
exactly those of $v^2$, except that, in the relative representation, $\lfloor \hat{\bar v}^2 \rfloor(j)$ may be different
from $\lfloor \hat v^2 \rfloor(j)$. Then what is $\lfloor \hat{\bar v}^2 \rfloor(j)$? It is chosen such that the pattern of $(v^2_0, \bar v^2)$ is
η. For instance, if $\lfloor \hat{\bar v}^1 \rfloor(j)$ equals, say, $\lfloor \hat{\bar v}^1 \rfloor(j_1)$ (resp. $\lfloor \hat v^1_0 \rfloor(j_1)$), for some $j_1$, then
$\lfloor \hat{\bar v}^2 \rfloor(j)$ is picked as $\lfloor \hat{\bar v}^2 \rfloor(j_1)$ (resp. $\lfloor \hat v^2_0 \rfloor(j_1)$). If $\lfloor \hat{\bar v}^1 \rflo r(j)$ lies strictly between, say,
$\lfloor \hat{\bar v}^1 \rfloor(j_1)$ (or, $\lfloor \hat v^1_0 \rfloor(j_1)$) and $\lfloor \hat{\bar v}^1 \rfloor(j_2)$ (or, $\lfloor \hat v^1_0 \rfloor(j_2)$), for some $j_1$ and $j_2$, such that no
other component in $\lfloor \hat{\bar v}^1 \rfloor$ and $\lfloor \hat v^1_0 \rfloor$ lies strictly between these two values, then $\lfloor \hat{\bar v}^2 \rfloor(j)$
is picked as any value lying strictly between $\lfloor \hat{\bar v}^2 \rfloor(j_1)$ (or, $\lfloor \hat v^2_0 \rfloor(j_1)$) and $\lfloor \hat{\bar v}^2 \rfloor(j_2)$ (or,
$\lfloor \hat v^2_0 \rfloor(j_2)$) accordingly. Since $(v^1_0, v^1) \approx (v^2_0, v^2)$, we can show $\lfloor \hat{\bar v}^2 \rfloor(j)$ can always be
picked. The choice of $\lfloor \hat{\bar v}^2 \rfloor(j)$ guarantees that the pattern of $(v^1_0, \bar v^1)$ is the same as the
pattern of $(v^2_0, \bar v^2)$. The rest of the conditions in (2) can be checked easily.
For the case when r contains more than one element, the above proof can be generalized
by resetting clocks in r one by one.
5 Pushdown Timed Automata
A pushdown timed automaton (PTA) A is a tuple
〈S, {x1, · · · , xk}, Inv,R, Γ, PD〉,
where
– S is a finite set of states,
– x1, · · · , xk are (dense) clocks,
– Inv : S → C assigns a clock constraint over clocks x1, · · · , xk, called an invariant,
to each state,
– R : S × S → C × $2^{\{x_1, \cdots, x_k\}}$ assigns a clock constraint over clocks x1, · · · , xk,
called a reset condition, and a subset of clocks, called clock resets, to a (directed)
edge in S × S,
– Γ is the stack alphabet. PD : S × S → Γ × Γ ∗ assigns a pair (a, γ) with a ∈ Γ
and γ ∈ Γ ∗, called a stack operation, to each edge in S × S. A stack operation
(a, γ) replaces the top symbol a of the stack with a string (possibly empty) in Γ ∗.
A timed automaton is a PTA without the pushdown stack.
The semantics of A is defined as follows. A configuration is a triple (s,v, w) of a
state s, a clock valuation v on x0, · · · , xk (where x0 is the auxiliary clock), and a stack
word w ∈ Γ ∗. (s1,v1, w1) →A (s2,v2, w2) denotes a one-step transition of A if one
of the following conditions is satisfied:
– (a progress transition) s1 = s2, w1 = w2, and ∃0 < δ ∈ D+, v2 = v1 + δ and for
all δ′ satisfying 0 ≤ δ′ ≤ δ, v1+δ′ ∈ Inv(s1). That is, a progress transition makes
all the clocks synchronously progress by amount δ > 0, during which the invariant
is consistently satisfied, while the state and the stack content remain unchanged.
– (a reset transition) v1 ∈ Inv(s1) ∧ c, v1 ↓r= v2 ∈ Inv(s2), and w1 = aw,w2 =
γw for some w ∈ Γ ∗, where R(s1, s2) = (c, r) for some clock constraint c and
clock resets r, and PD(s1, s2) = (a, γ) for some stack symbol a ∈ Γ and string
γ ∈ Γ ∗. That is, a reset transition, by moving from state s1 to state s2, resets
every clock in r to 0 and keeps all the other clocks unchanged. The stack content
is modified according to the stack operation (a, γ) given on edge (s1, s2). Clock
values before the transition satisfy the invariant Inv(s1) and the reset condition c;
clock values after the transition satisfy the invariant Inv(s2).[1]
We write →∗A to be the transitive closure of →A. Given two valuations v10 and v1,
two states s0 and s1, and two stack words w0 and w1, assume the auxiliary clock x0
starts from 0, i.e., v10 is initial. The following result is surprising. It states that, for any
initialized pair (v20,v2) with (v10,v1)≈(v20,v2), (s0,v10, w0) →∗A (s1,v1, w1) if and
only if (s0,v20, w0)→∗A (s1,v2, w1). This result implies that, from the definition of ≈,
for any fixed s0, s1, w0 and w1, the pattern of (⌊v10⌋, ⌊v1⌋) (instead of the actual values
of ⌊v10⌋ and ⌊v1⌋), the integral values ⌈v10⌉, and the integral values ⌈v1⌉ are sufficient
to determine whether (s0,v10, w0) can reach (s1,v1, w1) in A.
[1] A reader might wonder why we don’t have a stack operation for a progress transition. That is,
a state s can also be assigned with a stack operation (a, γ) such that each progress transition
by an amount δ > 0 on state s also modifies the stack content according to (a, γ). However,
this progress transition can be treated as a sequence of three transitions: a progress transition
(without a stack operation) by δ1 > 0, a clock reset transition (by adding a dummy clock)
performing stack operation (a, γ), followed by a progress transition (without a stack operation)
by δ2 > 0, whenever δ = δ1+δ2. A translation can be worked out by expressing any PTA with
a stack operation for each progress transition by a PTA defined in this paper. Since we focus
on the clock/stack behaviors of a PTA, instead of the ω-language accepted by it, input symbols
are not considered in our definition. (The input to a timed automaton is always one-way. Thus,
input symbols can always be built into states.)
Lemma 10. Let A be a PTA. For any states s0 and s1, any two initial clock valuations
$v^1_0$ and $v^2_0$, any two clock valuations $v^1$ and $v^2$, and any two stack words w0 and w1, if
$(v^1_0, v^1) \approx (v^2_0, v^2)$, then,
$$(s_0, v^1_0, w_0) \to^*_A (s_1, v^1, w_1) \text{ iff } (s_0, v^2_0, w_0) \to^*_A (s_1, v^2, w_1).$$
Proof. Lemma 9 and Lemma 8 already give the result, but for →A instead of →∗A,
noticing that Lemma 8 guarantees that tests (and obviously stack operations) are con-
sistent in (s0,v10, w0) →A (s1,v1, w1) and in (s0,v20, w0) →A (s1,v2, w1). An in-
duction (on the length of →∗A) can be used to show the lemma, by working from
(s1,v1, w1) back to (s0,v10, w0).
[Fig. 3. An example timed automaton A with states s1 and s2; the labels shown in the figure are x1−x2>2 ∧ x2<5, x2−x1>4 ∧ x1<3, x1−x2<3, and the clock reset {x1}.]
Example 5. It is time to show an example to convince the reader that Lemma 10 indeed
works. Consider the timed automaton A shown in Figure 3. Let $v^1_0 = (0, 4.98, 2.52)$,
$v^1_3 = (5.36, 2.89, 7.88)$. $(s_1, v^1_0) \to^*_A (s_2, v^1_3)$ is witnessed by: $(s_1, v^1_0) \to_A$ (progress
by 2.47 at s1) $(s_1, v^1_1) \to_A$ (reset x1 and transit to s2) $(s_2, v^1_2) \to_A$ (progress by 2.89
at s2) $(s_2, v^1_3)$. Take a new pair $v^2_0 = (0, 4.89, 2.11)$, $v^2_3 = (5.28, 2.77, 7.39)$. It is easy
to check $(v^1_0, v^1_3) \approx (v^2_0, v^2_3)$. From Lemma 10, $(s_1, v^2_0) \to^*_A (s_2, v^2_3)$. Indeed, this is
witnessed by $(s_1, v^2_0) \to_A$ (progress by 2.51 at s1) $(s_1, v^2_1) \to_A$ (reset x1 and transit to
s2) $(s_2, v^2_2) \to_A$ (progress by 2.77 at s2) $(s_2, v^2_3)$. These two witnesses differ slightly
(2.47 and 2.89 vs. 2.51 and 2.77). We choose 2.77 and 2.51 by looking at the first witness
backwards. That is, $v^2_2$ is picked such that $(v^2_0, v^2_2) \approx (v^1_0, v^1_2)$. Then, $v^2_1$ is picked
such that $(v^2_0, v^2_1) \approx (v^1_0, v^1_1)$. The existence of $v^2_2$ and $v^2_1$ is guaranteed by Lemma 9.
Finally, according to Lemma 9 again, $v^2_1$ is able to go back to $v^2_0$. This is because $v^1_1$
goes back to $v^1_0$ through a one-step transition and $v^1_0$ is initial.
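A small simulator for the one-step relation →A of this section, as an added Python example (not the paper's code), which replays both witnesses of Example 5 and checks the integral-part half of $(v^1_0, v^1_3) \approx (v^2_0, v^2_3)$. It assumes the following reading of Figure 3, inferred from the witnesses: Inv(s1) = x1−x2<3, Inv(s2) = x2−x1>4 ∧ x1<3, and edge (s1, s2) has reset condition x1−x2>2 ∧ x2<5 with clock reset {x1}; since A has no stack, the edge carries the identity stack operation (Z, Z) on a constructed bottom symbol Z.

```python
from fractions import Fraction as Fr
from math import floor

# An atomic constraint (i, j, op, d) means x_i − x_j op d; j = None means x_i op d.
# A clock constraint here is a conjunction (tuple) of atomic constraints; index 0 is x_0.
CMP = {'<': lambda a, b: a < b, '>': lambda a, b: a > b, '<=': lambda a, b: a <= b,
       '>=': lambda a, b: a >= b, '=': lambda a, b: a == b}

def satisfies(v, c):
    return all(CMP[op](v[i] - (v[j] if j is not None else 0), d) for (i, j, op, d) in c)

def progress(v, delta):           # v + δ: all clocks, x_0 included, advance synchronously
    return tuple(x + delta for x in v)

def reset(v, r):                  # v ↓_r
    return tuple(Fr(0) if i in r else x for i, x in enumerate(v))

def ipart(v):                     # ⌈v⌉, the vector of integral parts
    return tuple(floor(x) for x in v)

class PTA:
    """inv: state -> invariant; edges: (s, s') -> (c, r, a, gamma) as given by R and PD."""
    def __init__(self, inv, edges):
        self.inv, self.edges = inv, edges

    def step(self, cfg, move):
        """One-step transition (s, v, w) →A (s', v', w'), or None if the move is not enabled."""
        s, v, w = cfg
        if move[0] == 'progress':
            delta = move[1]
            v2 = progress(v, delta)
            # Invariants are conjunctions of atomic constraints, i.e. convex sets, so the
            # invariant holds on the whole segment v + δ', 0 ≤ δ' ≤ δ, iff it holds at both ends.
            if delta <= 0 or not (satisfies(v, self.inv[s]) and satisfies(v2, self.inv[s])):
                return None
            return (s, v2, w)
        s2 = move[1]
        edge = self.edges.get((s, s2))
        if edge is None:
            return None
        c, r, a, gamma = edge
        if not (satisfies(v, self.inv[s]) and satisfies(v, c)):
            return None
        if not w or w[0] != a:            # the stack operation (a, γ) needs a on top
            return None
        v2 = reset(v, r)
        if not satisfies(v2, self.inv[s2]):
            return None
        return (s2, v2, gamma + w[1:])    # replace the top symbol a by the string γ

    def run(self, cfg, moves):
        """Replay a sequence of moves; returns the final configuration or None."""
        for move in moves:
            cfg = self.step(cfg, move)
            if cfg is None:
                return None
        return cfg

# The timed automaton of Figure 3 under the label assignment stated in the lead-in.
FIG3 = PTA(
    inv={'s1': ((1, 2, '<', 3),),
         's2': ((2, 1, '>', 4), (1, None, '<', 3))},
    edges={('s1', 's2'): (((1, 2, '>', 2), (2, None, '<', 5)), {1}, 'Z', 'Z')},
)

def val(*xs):                     # exact clock valuation from decimal strings
    return tuple(Fr(x) for x in xs)

def witness(v0, d1, d2):
    """(s1, v0) →A (progress d1) →A (reset x1, to s2) →A (progress d2); final valuation or None."""
    cfg = FIG3.run(('s1', v0, 'Z'), [('progress', Fr(d1)), ('reset', 's2'), ('progress', Fr(d2))])
    return None if cfg is None else cfg[1]

def example5():
    """Both witnesses of Example 5 and the integral-part condition of ≈ on the two pairs."""
    v1_0, v2_0 = val('0', '4.98', '2.52'), val('0', '4.89', '2.11')
    v1_3, v2_3 = witness(v1_0, '2.47', '2.89'), witness(v2_0, '2.51', '2.77')
    same_integral = ipart(v1_0) == ipart(v2_0) and ipart(v1_3) == ipart(v2_3)
    return v1_3, v2_3, same_integral

if __name__ == '__main__':
    print(example5())
```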
Now, we express →∗A in a form treating the integral parts and the fractional parts of
clock values separately. For any pattern η ∈ Φ, any discrete valuations u0 and u1, and
any stack words w0 and w1, define $(s_0, u_0, w_0) \to^*_{A,\eta} (s_1, u_1, w_1)$ to be
$$\exists v_0 \exists v_1 \big( v_0(0) = 0 \wedge \lceil v_0 \rceil = u_0 \wedge \lceil v_1 \rceil = u_1 \wedge (v_0, v_1) \in \eta \wedge (s_0, v_0, w_0) \to^*_A (s_1, v_1, w_1) \big).$$
Lemma 11. Let A be a PTA. For any states s0 and s1, any initialized pair (v0,v1),
and any stack words w0 and w1, $(s_0, v_0, w_0) \to^*_A (s_1, v_1, w_1)$ iff
$$\bigvee_{\eta \in \Phi} \big( (\lfloor v_0 \rfloor, \lfloor v_1 \rfloor) \in \eta \wedge (s_0, \lceil v_0 \rceil, w_0) \to^*_{A,\eta} (s_1, \lceil v_1 \rceil, w_1) \big).$$
Proof. (⇒) is immediate.
(⇐) uses the following observation (from the definition of →∗A,η and Lemma 10):
for any pattern η, (⌊v0⌋, ⌊v1⌋) ∈ η ∧ (s0, ⌈v0⌉, w0) →∗A,η (s1, ⌈v1⌉, w1) implies
(⌊v0⌋, ⌊v1⌋) ∈ η ∧ (s0, ⌈v0⌉+ ⌊v0⌋, w0) →∗A (s1, ⌈v1⌉+ ⌊v1⌋, w1).
Once we give a characterization of →∗A,η, Lemma 11 immediately gives a char-
acterization for →∗A. Fortunately, the characterization of →∗A,η is a decidable one, as
shown in the next section.
6 The Pattern Graph of a Timed Pushdown Automaton
Let A = 〈S, {x1, · · · , xk}, Inv,R, Γ, PD〉 be a PTA specified in the previous section.
The pattern graph G of A is a tuple
〈S × Φ, {y0, · · · , yk}, E, Γ 〉
where
– S is the states in A,
– Φ is the set of all patterns. A node is an element in S × Φ,
– Discrete clocks y0, · · · , yk are the integral parts of the clocks x0, · · · , xk in A,
– E is a finite set of (directed) edges that connect between nodes. An edge can be
a progress edge, a stay edge, or a reset edge. A progress edge corresponds to
progress transitions in A that cause one pattern change. A stay edge corresponds
to progress transitions in A that cause no pattern change. Since a progress transi-
tion can cause no pattern change only from a merge-pattern, a stay edge connects
a merge-pattern to itself. A reset edge corresponds to a reset transition in A. For-
mally, a progress edge es,η,η′ that connects node (s, η) to node (s, η′) is in the form
of 〈(s, η), c, (s, η′)〉 such that c = Inv(s), η′ = Next(η) (thus η ≠ η′). A stay
edge es,η,η, with η being a merge-pattern, that connects node (s, η) to itself is in
the form of 〈(s, η), c, (s, η)〉 such that c = Inv(s). A reset edge es,s′,r,(a,γ) that
connects node (s, η) to node (s′, η′) is in the form of
〈(s, η), c, r, a, γ, (s′, η′)〉
where R(s, s′) = (c, r) and PD(s, s′) = (a, γ). E is the set of all progress edges,
stay edges, and reset edges wrt A. Obviously, E is finite.
A configuration of G is a tuple (s, η,u, w) of state s ∈ S, pattern η ∈ Φ, discrete
valuation u ∈ (N+)k+1 and stack word w ∈ Γ ∗. (s, η,u, w) →e (s′, η′,u′, w′) de-
notes a one-step transition through edge e of G if the following conditions are satisfied:
– if e is a progress edge, then e takes the form 〈(s, η), c, (s, η′)〉 and s′ = s, $u \in c_\eta$,
$u' \in c_{\eta'}$, next(η,u) = (η′,u′) and w = w′. Here $c_\eta$ and $c_{\eta'}$ are called the pre-
and the post- (progress) tests on edge e, respectively.
– if e is a stay edge, then e takes the form 〈(s, η), c, (s, η)〉 and s = s′, $u \in c_\eta$, u = u′,
η = η′ and w = w′. Here $c_\eta$ is called the pre- and the post- (stay) test on edge e.
– if e is a reset edge, then e takes the form 〈(s, η), c, r, a, γ, (s′, η′)〉 and $u \in (c \wedge Inv(s))_\eta$,
$u' \in Inv(s')_{\eta'}$, resetr(η,u) = (η′,u′) and w = aw′′, w′ = γw′′
for some w′′ ∈ Γ∗ (i.e., w changes to w′ according to the stack operation). Here
$(c \wedge Inv(s))_\eta$ and $Inv(s')_{\eta'}$ are called the pre- and the post- (reset) tests on edge
e, respectively.
We write (s, η,u, w) →G (s′, η′,u′, w′) if (s, η,u, w) →e (s′, η′,u′, w′) for some e.
The binary reachability →∗G of G is the transitive closure of →G.
The pattern graph G simulates A in a way that the integral parts of the dense clocks
are kept but the fractional parts are abstracted as a pattern. Edges in G indicate how the
pattern and the discrete clocks change when a clock progress or a clock reset occurs
in A. However, a progress transition in A could cause more than one pattern change.
In this case, this big progress transition is treated as a sequence of small progress
transitions, each of which causes one pattern change (and therefore, each small progress
transition in A can be simulated by a progress edge in G). We first show that the binary
reachability →∗G of G is NPCA. Observe that discrete clocks y0, · · · , yk are the
integral values of dense clocks x0, · · · , xk. Even though the dense clocks progress
synchronously, the discrete clocks may not be synchronous (i.e., that one discrete clock is
incremented by 1 does not necessarily cause all the other discrete clocks to be incremented
by the same amount). The proof has two parts. In the first part of the proof, a technique
is used to translate y0, · · · , yk into another array of discrete clocks that are synchronous.
In the second part of the proof, G can be treated as a discrete PTA [19] by replacing
y0, · · · , yk with the synchronous discrete clocks. Therefore, Lemma 12 is obtained from
the fact [19] that the binary reachability of discrete PTA is NPCA.[2]
Lemma 12. For any PTA A, the binary reachability →∗G of the pattern graph G of A
is NPCA. In particular, if A is a timed automaton, then the binary reachability →∗G is
Presburger.
Proof. We start with a technique that makes discrete clocks y0, · · · , yk (i.e., the integral
parts of dense clocks) synchronous on any path of G.
A pattern ordering graph P is a directed graph on Φ. For each (ordered) pair (η, η′)
in Φ × Φ, (η, η′) is a progress edge, written η →p η′, if Next(η) = η′. In this case,
we say the edge has label p (stands for “progress”) and η′ is called the p-successor of
η. (η, η′) is a reset edge with r ⊆ K+, written η →r η′, if Resetr(η) = η′. In this
case, we say the edge has label r and η′ is called the r-successor of η. An edge can have
multiple labels.
[2] For the purpose of this paper, we assume in Lemma 12 that →∗G is restricted in such a way that η
is a regulated pattern whenever (s, η,u, w) →∗G (s′, η′,u′, w′). This is because the auxiliary
clock x0 in A starts from 0.
A path τ on P is a sequence of edges
η0 →l1 · · · →lm ηm
such that each li is a label (either p or some r ⊆ K+). j ∈ K+ is reset on path τ if
j ∈ li ⊆ K+ for some 1 ≤ i ≤ m. Path τ is a p-path if each edge on the path is a
progress edge; i.e., label li is p for all 1 ≤ i ≤ m. Path τ is a regulated path if η0 is a
regulated pattern. Path τ is a p-ring of η0 if τ is a p-path, and η0, · · · , ηm is the pattern
ring of η0.
Now we augment P with counters y (= y0, · · · , yk) taking values in (N+)k+1.
Values of counters y change along a path in P. For each progress edge $\eta \to_p \eta'$,
counters y change to y′ as follows: $y' := y + \Delta_\eta$ (recall $\Delta_\eta$ is the increment vector
for η), consistent with the definition that $next(\eta, y) = (\eta', y + \Delta_\eta)$. For each reset edge
$\eta \to_r \eta'$, counters y change to y′ as follows: $y' := y \downarrow_r$, consistent with the definition
that $reset_r(\eta, y) = (\eta', y \downarrow_r)$. For a p-path τ = η0, · · · , ηm, $\Delta_\tau = \sum_{0 \le i \le m-1} \Delta_{\eta_i}$ is
the net increment for counters y after walking through the path. In particular, $\Delta_\tau = 1$
for each p-ring τ.
A progress edge η →p η′ is add-1 if η′ is a regulated pattern. A path is short if it is
a regulated path and, it does not contain an add-1 edge or it contains an add-1 edge but
only at the end of the path. A path is add-1 if it is a short path containing an add-1 edge.
By definition, an add-1 path starts and ends with regulated patterns and each pattern in
between along the path is not a regulated pattern. The following lemma is directly from
the definitions of reset and next.
Lemma 13. For any path τ , (1). if τ is a short path, then for each i ∈ K+ that is reset
on τ , yi has value 0 at the end of τ , (2). if τ is an add-1 path, then for each i ∈ K+
that is not reset on τ , yi has progressed by exactly 1 at the end of τ .
When walking along a path in P , a counter in y is always nondecreasing except
sometimes it resets. However, counters y are not synchronous: that one counter’s ad-
vancing by 1 at some progress edge does not always cause all the other counters to
advance by the same amount.
Now we are going to show that, on any regulated path, y can be simulated by a set of
synchronous counters z = z0, · · · , zk. The ideas are as follows. Let τ be any regulated
path of P. τ can then be split into segments: a number of add-1 paths followed
by a short path. We introduce an increment vector ∆ ∈ {0, 1}k+1 to denote how much
a counter in y progresses on a segment. Besides, we use I ⊆ K+ to remember the
indices i ∈ K+ that are reset on each segment. Assume counters y walk through τ and
change counter values from u to u′. Then, in the simulation, counters z start from u
with ∆ = 0 and I = ∅. After walking through τ (while updating ∆ and I along the
path), counters z have values satisfying u′ = (z + ∆) ↓I. The simulation is defined by
the following translation. For each progress edge η →p η′, the instruction y′ := y + ∆η
is replaced by:
– if η′ is a regulated pattern (hence the edge is an add-1 edge), i.e., the end of the
current segment, then z′ := (z+ 1) ↓I (synchronous progress followed by resets);
I ′ := ∅; ∆′ := 0;
– else, z′ := z; I′ := I; ∆′ := ∆ + ∆η.
For each reset edge η →r η′, the instruction y′ := y ↓r is replaced by:
– z′ := z ↓r; ∆′ := ∆ ↓r; I′ := I ∪ r.
Obviously z are synchronous. The correctness of the algorithm is stated as follows.
Claim. For any regulated path τ , y = (z +∆) ↓I at the end of τ .
Proof. Let τ be a regulated path. Since τ can be split into a number of segments as
mentioned before, and by looking at the translation, at the end of each add-1 path,
∆ = 0 and I = ∅ (i.e., the initial values for ∆ and I). Therefore, it suffices to show the
claim for a segment, i.e., a short path τ, by induction on the length of τ. Notice that,
from the translation, I stands for the set of indices that have been reset on the short path;
∆ stands for the increment that has been made on the short path for counters y. The
relationship between I and ∆ is established in Lemma 13, which will be used in the
proof.
Case 1. The claim trivially holds for τ with length 1.
Case 2. Assume the claim holds for short paths with length ≤ m. Now consider a
short path with length m+ 1. This path can be written as a short path τ followed by an
edge e of (η, η′). Note that, by the induction hypothesis, y = (z +∆) ↓I at η (the end
of τ ). Now we are going to show y′ = (z′ +∆′) ↓I′ where primed values are for node
η′.
Case 2.1. If edge e is a progress edge and η′ is a regulated pattern, then, from the
translation, z′ = (z + 1) ↓I, I′ = ∅, ∆′ = 0. Therefore,
$$\begin{aligned}
y' &= y + \Delta_\eta \\
   &= (z + \Delta)\downarrow_I + \Delta_\eta && \text{(induction)} \\
   &= (z + \Delta + \Delta_\eta)\downarrow_I && \text{(Lemma 13(1))} \\
   &= (z + 1)\downarrow_I = z' && \text{(Lemma 13(2))} \\
   &= (z' + \Delta')\downarrow_{I'} && \text{(since } I' = \emptyset,\ \Delta' = 0\text{)}.
\end{aligned}$$
Case 2.2. If the edge is a progress edge and η′ is not a regulated pattern, then, from
the translation, z′ = z, I′ = I, and ∆′ = ∆ + ∆η. Therefore,
$$\begin{aligned}
y' &= y + \Delta_\eta \\
   &= (z + \Delta)\downarrow_I + \Delta_\eta && \text{(induction)} \\
   &= (z + \Delta + \Delta_\eta)\downarrow_I && \text{(Lemma 13(1))} \\
   &= (z' + \Delta')\downarrow_{I'} && \text{(since } I' = I \text{ and } \Delta' = \Delta + \Delta_\eta\text{)}.
\end{aligned}$$
Case 2.3. If the edge is a reset edge η →r η′, then, from the translation, z′ = z ↓r,
∆′ = ∆ ↓r, and I′ = I ∪ r. Therefore,
$$\begin{aligned}
y' &= y\downarrow_r \\
   &= (z + \Delta)\downarrow_I\downarrow_r && \text{(induction)} \\
   &= (z' + \Delta')\downarrow_{I'}.
\end{aligned}$$
Hence, the claim holds.
Now we continue the proof of Lemma 12. Let G be the pattern graph of a timed
automaton A. A path in G witnessing
$$(s, \eta, u, w) \to^*_G (s', \eta', u', w')$$
(with η being a regulated pattern) between two configurations corresponds to a regulated
path (by properly adding stack operations) in the pattern ordering graph P. Above,
we have demonstrated a technique such that counters y = y0, · · · , yk can be simulated
by synchronous counters z = z0, · · · , zk using an increment vector ∆ ∈ {0, 1}k+1
and a reset set I ⊆ K+. The relationship between y and z is y = (z + ∆) ↓I.
Tests in G (including all the pre- and post- (progress, stay and reset) tests) are in the
form of Boolean combinations of yi − yj#d, yi#d with i, j ∈ K+ and d ∈ N+
(Section 4). Since there are only a finite number of choices for I and ∆, these tests
can be accordingly translated to tests on z0, · · · , zk, using the relationship y = (z +
∆) ↓I. Observe that the translated tests are still in the form of Boolean combinations
of zi − zj#d, zi#d with i, j ∈ K+ and with possibly larger or smaller d. Since z
are synchronous, G, with y simulated by z, is a discrete PTA [19]. In that paper, these
synchronized discrete clocks z can be further translated into reversal-bounded counters.
Hence, the binary reachability of a discrete PTA is NPCA as shown in [19]. Therefore,
the lemma follows by translating back from z to y using y = (z + ∆) ↓I at the start
and at the end of the simulation (this requires only a finite number of counter reversals).
Thus, →∗G is NPCA.
In particular, when A is a timed automaton, G, with y simulated by z, is a discrete
timed automaton [19]. Using the fact [19] that the binary reachability of a discrete timed
automaton is Presburger, →∗G is also Presburger after the translation from z back to y.
The following lemma states that G faithfully simulates A when the fractional parts
of dense clocks are abstracted away by a pattern.
Lemma 14. Let A be a PTA with pattern graph G. For any states s0 and s1 in S, any
pattern η ∈ Φ, any stack words w0 and w1 in Γ∗, and any discrete valuation pairs
(u0,u1) with u0(0) = 0, we have,
$$(s_0, u_0, w_0) \to^*_{A,\eta} (s_1, u_1, w_1) \text{ iff } (s_0, init(\eta), u_0, w_0) \to^*_G (s_1, \eta, u_1, w_1).$$
Proof. Fix any states s0, s1 ∈ S, any pattern η ∈ Φ, any stack words w0 and w1 in Γ ∗,
and any discrete valuation pairs (u0,u1) with u0(0) = 0.
(⇒). By the definition of (s0,u0, w0) →∗A,η (s1,u1, w1), there exists an initialized
pair (v0,v1) such that
– (v0,v1) has pattern η,
– ⌈v0⌉ = u0, ⌈v1⌉ = u1,
– (s0,v0, w0) →∗A (s1,v1, w1).
In order to show that (s0, [(v0,v0)], ⌈v0⌉, w0) →∗G (s1, [(v0,v1)], ⌈v1⌉, w1) (notice
that init(η) = [(v0,v0)]), it suffices to show that each one-step transition in A can
be simulated by →∗G properly: for any valuations v,v′, any states s and s′, and any
stack words w and w′, if (s,v, w) →A (s′,v′, w′) then $(s, [(v_0, v)], \lceil v \rceil, w) \to^*_G (s', [(v_0, v')], \lceil v' \rceil, w')$.
Case 1. For any valuation v and state s, consider a progress transition in A, (s,v, w)
→A (s,v + δ, w′), δ > 0, such that (by definition) w = w′, and ∀0 ≤ δ′ ≤ δ, v + δ′ ∈
Inv(s). Let η0 be the pattern of (v0,v). If v has no pattern change for δ, then η0 must
be a merge-pattern. This progress transition in A can therefore be simply simulated
by the stay edge in G at state s. If, however, v has at least one pattern change for δ,
then assume the p-ring of η0 is η0, · · · , ηm = η0. This progress transition in A can
be simulated by the following path consisting of progress edges in G: looping along
the p-ring for ⌈δ⌉ times on state s in G, followed by a prefix of the p-ring ended with
the pattern ηi, for some i, of (v0,v + δ). From Lemma 5 and Lemma 6, it can be
established (s, η0, ⌈v⌉, w) →∗G (s, ηi, ⌈v + δ⌉, w) through the path in G, noticing that
tests for Inv(s) are consistent in A and G (Lemma 8), and the stack word does not
change for progress transitions in both A and G.
Case 2. For any valuation v and states s and s′, consider a reset transition (s,v, w)
→A (s′,v ↓r, w′) in A such that (by definition) w = aw′′, w′ = γw′′ for some w′′ with
PD(s, s′) = (a, γ), R(s, s′) = (c, r) and v ∈ Inv(s) ∧ c, v ↓r ∈ Inv(s′). Assume
the pattern of (v0,v) is η0 and the pattern of (v0,v ↓r) is η′0. This reset transition in A
corresponds to the reset edge in G: 〈(s, η0), c, r, a, γ, (s′, η′0)〉. From Lemma 7, it can
be established (s, η0, ⌈v⌉, w) →∗G (s′, η′0, ⌈v ↓r⌉, w′) through this edge, noticing that
tests for Inv(s) ∧ c and Inv(s′) are consistent in A and G (Lemma 8), and the stack
operations are the same in A and G.
(⇐). Suppose (s0, init(η),u0, w0) →∗G (s1, η,u1, w1). We would like to show
$(s_0, u_0, w_0) \to^*_{A,\eta} (s_1, u_1, w_1)$.
Pick any initial valuation v0 such that (v0,v0) has pattern init(η) and ⌈v0⌉ = u0.
Suppose (s0, η0,u0, w0) →e1 · · · →em (sm, ηm,um, wm) is a path (in G) witnessing
(s0, init(η),u0, w0) →∗G (s1, η,u1, w1) through edges e1, · · · , em such that
$$(s_0, \eta_0, u_0, w_0) = (s_0, init(\eta), u_0, w_0) \quad\text{and}\quad (s_m, \eta_m, u_m, w_m) = (s_1, \eta, u_1, w_1).$$
A path in A
(s0,v0, w0) →t1 · · · →tm (sm,vm, wm)
is constructed as follows, where v0 = v0 and each transition ti in A corresponds to
each edge ei in G. From i = 1 to m, each ei belongs to one of the following three
cases:
Case 1. ei is a progress edge in G. In this case, next(ηi−1,ui−1) = (ηi,ui), wi =
wi−1, and si−1 = si. We pick ti to be a progress transition (at state si−1) in A from
$v_{i-1}$ with an amount of δ that causes exactly one pattern change (Lemma 6 and Lemma
5). Take $v_i = v_{i-1} + \delta$. Notice that both the progress edge and the progress transition
do not change the stack content, i.e., wi = wi−1.
Case 2. ei is a stay edge in G. In this case, ηi−1 = ηi must be a merge-pattern with
wi = wi−1 and si−1 = si. We pick ti to be a progress transition (at state si−1) in
A from vi−1 with an amount of δ that causes no pattern change (Lemma 6). Similarly
to Case 1, wi = wi−1.
Case 3. ei is a reset edge from state si−1 to state si with clock resets r in G, then
ti is the reset transition from state si−1 to state si with clock resets r in A. Notice that
both ei and ti have the same stack operation. Take vi = vi−1 ↓ r and wi is the result
of the stack operation on wi−1.
Notice that, for each i = 1 · · ·m,
– $(v_0, v_i)$ has pattern $\eta_i$,
– $\lceil v_i \rceil = u_i$.
This can be shown using Lemma 5 for Case 1, Lemma 6 for Case 2, and Lemma 7 for
Case 3. Therefore, this constructed path of A keeps exactly the same patterns and
integral parts of clocks, as well as the stack word, as in the path for G. From Lemma 8,
clock tests (and obviously the stack operations) are consistent between the path in G
and the constructed path in A. Hence, (s0,u0, w0) →∗A,η (s1,u1, w1) since, by taking
v1 = vm,
– (v0,v1) has pattern η,
– ⌈v0⌉ = u0, ⌈v1⌉ = u1,
– (s0,v0, w0) →∗A (s1,v1, w1).
Now, we conclude this section by claiming that →∗A,η is NPCA by combining
Lemma 12 and Lemma 14.
Lemma 15. For any PTA A and any fixed pattern η ∈ Φ, →∗A,η is NPCA. In particular,
if A is a timed automaton, then →∗A,η is Presburger.
7 A Decidable Binary Reachability Characterization and
Automatic Verification
Recall that PTA A actually has clocks x1, · · · , xk; x0 is the auxiliary clock. The binary
reachability $\leadsto^{*B}_A$ of A is the set of tuples
$$\langle s, v_1, \cdots, v_k, w, s', v'_1, \cdots, v'_k, w' \rangle$$
such that there exist $v_0 = 0$, $v'_0 \in D^+$ satisfying
$$(s, v_0, \cdots, v_k, w) \leadsto^*_A (s', v'_0, \cdots, v'_k, w').$$
The main theorem of this paper gives a decidable characterization for the binary reach-
ability as follows.
Theorem 1. The binary reachability ❀∗BA of a PTA A is (D+NPCA)-definable.
In particular, if A is a timed automaton, then the binary reachability ❀∗BA can be
expressed in the additive theory of reals (or rationals) and integers.
Proof. From Lemma 11, $\leadsto^{*B}_A$ is definable by the following formula:
$$\exists u'_0 \in N^+\, \exists v'_0 \in \hat D^+ \Big( \bigvee_{\eta \in \Phi} \big( ((0, v_1, \cdots, v_k), (v'_0, \cdots, v'_k)) \in \eta \;\wedge\; (s, (0, u_1, \cdots, u_k), w) \leadsto^*_{A,\eta} (s', (u'_0, \cdots, u'_k), w') \big) \Big)$$
on integer variables $s, u_1, \cdots, u_k, s', u'_1, \cdots, u'_k$ (over $N^+$), dense variables
$v_1, \cdots, v_k, v'_1, \cdots, v'_k$ (over $\hat D^+ = D^+ \cap [0, 1)$), and word variables w and w′. This formula
is equivalent to
$$\bigvee_{\eta \in \Phi} P^{D^+}_\eta(v_1, \cdots, v_k, v'_1, \cdots, v'_k) \wedge Q^{N}_\eta(s, u_1, \cdots, u_k, w, s', u'_1, \cdots, u'_k, w')$$
where $P^{D^+}_\eta(v_1, \cdots, v_k, v'_1, \cdots, v'_k)$ stands for
$$\exists v'_0 \in \hat D^+ \big( ((0, v_1, \cdots, v_k), (v'_0, \cdots, v'_k)) \in \eta \big)$$
and $Q^{N}_\eta(s, u_1, \cdots, u_k, w, s', u'_1, \cdots, u'_k, w')$ stands for
$$\exists u'_0 \big( (s, (0, u_1, \cdots, u_k), w) \leadsto^*_{A,\eta} (s', (u'_0, \cdots, u'_k), w') \big).$$
From the definition of patterns, $P^{D^+}_\eta$, after eliminating the existential quantification, is
a dense linear relation. On the other hand, $Q^{N}_\eta$ (after eliminating the existential quantification,
from Lemma 15 and Lemma 2) is NPCA. Therefore, $\leadsto^{*B}_A$ is (D+NPCA)-definable.
In particular, if A is a timed automaton, ❀∗BA is (D+NPCA)-definable by a
formula in the additive theory of reals (or rationals) and integers. Hence, ❀∗BA itself
can be expressed in the same theory.
The importance of the above characterization of $\leadsto^{*B}_A$ is that, from Lemma 2, the emptiness of (D+NPCA)-definable predicates is decidable. From Theorem 1 and Lemma 2 (3)(4), we have:
Theorem 2. The emptiness of $l \cap \leadsto^{*B}_A$ with respect to a PTA $A$ for any mixed linear relation $l$ is decidable.
The emptiness of $l \cap \leadsto^{*B}_A$ is called a mixed linear property of $A$. Many interesting safety properties (or their negations) for PTAs can be expressed as a mixed linear property. For instance, consider the following property of a PTA $A$ with three dense clocks $x_1$, $x_2$ and $x_3$:
“for any two configurations $\alpha$ and $\beta$ with $\alpha \leadsto^{*B}_A \beta$, if the difference between $\beta_{x_3}$ (the value of clock $x_3$ in $\beta$) and $\alpha_{x_1} + \alpha_{x_2}$ (the sum of clocks $x_1$ and $x_2$ in $\alpha$) is greater than the difference between $\#_a(\alpha_w)$ (the number of occurrences of symbol $a$ in the stack word of $\alpha$) and $\#_b(\beta_w)$ (the number of occurrences of symbol $b$ in the stack word of $\beta$), then $\#_a(\alpha_w) - 2\#_b(\beta_w)$ is greater than 5.”
The negation of this property can be expressed as the emptiness of
$$(s, x_1, x_2, x_3, w) \leadsto^{*B}_A (s', x'_1, x'_2, x'_3, w') \;\wedge\; l$$
where $l$ is the negation of a mixed linear relation (hence $l$ itself is also a mixed linear relation):
$$x'_3 - (x_1 + x_2) > \#_a(w) - \#_b(w') \;\to\; \#_a(w) - 2\#_b(w') > 5.$$
Thus, from Theorem 2, this property can be automatically verified. We need to point out that
– $x'_3 - (x_1 + x_2) > \#_a(w) - \#_b(w')$ is a linear relation on both dense variables and discrete variables. Thus, this property cannot be verified by using the decidable characterization for discrete PTAs [19], where only integer-valued clocks are considered.
– Even without clocks, $\#_a(w) - 2\#_b(w') > 5$ expresses a non-regular set of stack word pairs. Therefore, this property cannot be verified by the model-checking procedures for pushdown systems [9,23].
– Even without the pushdown stack, $x'_3 - (x_1 + x_2) > 0$ (obtained by taking $\#_a(w) - \#_b(w')$ to be a constant such as 0) is not a clock region; therefore, the classical region-based techniques cannot verify this property. This is also pointed out in [16].
– With both dense clocks and the pushdown stack, this property cannot be verified by using the region-based techniques for Timed Pushdown Systems [10].
When $A$ is a timed automaton, by Theorem 1, the binary reachability $\leadsto^{*B}_A$ can be expressed in the additive theory of reals (or rationals) and integers. Notice that our characterization is essentially equivalent to the one given by Comon and Jurski [16], in which $\leadsto^{*B}_A$ is expressed in the additive theory of reals augmented with a predicate telling whether a term is an integer. Because the additive theory of reals and integers is decidable [8,12], we have:
Theorem 3. The truth value of any closed formula expressible in the (first-order) additive theory of reals (or rationals) augmented with a predicate $\leadsto^{*B}_A$ for a timed automaton $A$ is decidable (also shown in [16]).
For instance, consider the following property for a timed automaton A with two real
clocks:
“there are states s and s′ such that, for any x1, x2, x′2, there exists x′1 such that if
(s, x1, x2) can reach (s′, x′1, x′2) in A, then x1 − x2 > x′1 − x′2.”
It can be expressed as
$$\exists s, s' \, \forall x_1, x_2, x'_2 \, \exists x'_1 \big( (s, x_1, x_2) \leadsto^{*B}_A (s', x'_1, x'_2) \to x_1 - x_2 > x'_1 - x'_2 \big),$$
and thus can be verified according to Theorem 3.
8 Conclusions, Discussions and Future Work
In this paper, we consider PTAs that are timed automata augmented with a pushdown
stack. A configuration of a PTA includes a control state, finitely many dense clock
values and a stack word. By introducing the concept of a clock pattern and using an
automata-theoretic approach, we give a decidable characterization of the binary reacha-
bility of a PTA. Since a timed automaton can be treated as a PTA without the pushdown
stack, we can show that the binary reachability of a timed automaton is definable in the
additive theory of reals and integers. The results can be used to verify a class of safety
properties containing linear relations over both dense variables and unbounded discrete
variables.
A PTA studied here can be regarded as the timed version of a pushdown machine.
Carefully looking at the proofs of the decidable binary reachability characterization,
we find out that the underlying untimed machine (e.g., the pushdown machine) is not
essential. We can replace it with many other kinds of machines and the resulting timed
system still has a decidable binary reachability characterization. We will summarize
some of these machines in this section.
Consider a class of machines X. We use XCM to denote machines in X augmented
with reversal-bounded counters. We are looking at the binary reachability characteriza-
tion of the timed version of machines in X. The characterization is established in the
previous sections when X represents pushdown machines. In the proofs, a dense clock
is separated into a fractional part and an integral part. The fractional parts of dense
clocks are abstracted as a pattern and the integral parts are translated into synchronous
discrete clocks, which are further translated into reversal-bounded counters [19]. The
result of the translation is the underlying untimed machine in X augmented with these
reversal-bounded counters, i.e., a machine in XCM. Suppose a class of automata Y accepts the binary reachability of machines in XCM. In the case of X being pushdown machines, XCM represents NPCMs and Y can be chosen as NPCAs (it is known that the binary reachability of NPCMs can be accepted by NPCAs [19]). The fact that this Y (i.e., NPCA) satisfies Lemma 2 is the only condition we need in order to obtain the decidable reachability characterization in Theorem 1. Definitions like NPCA predicates and (D+NPCA)-definability can be accordingly modified into Y predicates and (D+Y)-definability once Y is clear. The above discussion gives the following result.
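To make the separation of a dense clock into an integral part and a fractional part concrete, here is an added example in Python (written for this page, not code from the paper). It abstracts a dense clock valuation into its integral parts plus a pattern of the fractional parts, and then checks that this abstraction alone decides every clock-region constraint $x_i \sim c$ and $x_i - x_j \sim c$ with integer $c$, which is the reason the dense part can be dropped once a pattern is fixed and only the integral parts need to be tracked by discrete counters. The pattern used here (clocks grouped by equal fractional part, groups ordered by increasing fractional part, plus whether the smallest fractional part is zero) is an assumption of the example that mirrors the classical region construction; the paper's own pattern definition from its earlier sections is not reproduced, and `abstract`, `abstract_holds`, `check_abstraction` and `val` are the example's own names.

```python
"""Added example: integral parts + fractional-part pattern decide region constraints.

The pattern below is an assumption of this example (it mirrors the region
construction); it is not the paper's formal definition of a pattern.
"""
from fractions import Fraction
import random

OPS = ("<", "<=", "==", ">=", ">")


def val(*xs):
    """Build a valuation of non-negative rational clock values, e.g. val('1/4', 2)."""
    return tuple(Fraction(x) for x in xs)


def abstract(valuation):
    """Map a dense valuation to (integral parts, pattern).

    pattern = (groups of clock indices with equal fractional part, ordered by
               increasing fractional part, whether the smallest fraction is 0)
    """
    ints = tuple(int(v) for v in valuation)          # floor, values are >= 0
    fracs = [v - int(v) for v in valuation]
    groups = {}
    for i, f in enumerate(fracs):
        groups.setdefault(f, []).append(i)
    ordered = tuple(tuple(groups[f]) for f in sorted(groups))
    return ints, (ordered, min(fracs) == 0)


def concrete_holds(valuation, constraint):
    """Evaluate x_i - x_j op c (j is None for x_i op c) on the real clock values."""
    i, j, op, c = constraint
    lhs = valuation[i] - (valuation[j] if j is not None else 0)
    return {"<": lhs < c, "<=": lhs <= c, "==": lhs == c, ">=": lhs >= c, ">": lhs > c}[op]


def abstract_holds(ints, pattern, constraint):
    """Evaluate the same constraint from integral parts and the pattern only."""
    i, j, op, c = constraint
    ordered, first_is_zero = pattern
    rank = {k: r for r, grp in enumerate(ordered) for k in grp}
    if j is None:
        # x_i equals ints[i] exactly iff its fractional part is 0; otherwise it
        # lies strictly inside the open interval (ints[i], ints[i] + 1).
        lo, strict = ints[i], not (first_is_zero and rank[i] == 0)
    else:
        d = ints[i] - ints[j]
        cmp = (rank[i] > rank[j]) - (rank[i] < rank[j])   # sign of frac_i - frac_j
        # x_i - x_j is in (d, d+1) if cmp > 0, exactly d if cmp == 0, in (d-1, d) if cmp < 0
        lo, strict = (d if cmp >= 0 else d - 1), cmp != 0
    if strict:
        # the value is strictly between the integers lo and lo + 1, and c is an integer
        return {"<": lo < c, "<=": lo < c, "==": False, ">=": lo >= c, ">": lo >= c}[op]
    return {"<": lo < c, "<=": lo <= c, "==": lo == c, ">=": lo >= c, ">": lo > c}[op]


def all_constraints(k, max_c):
    """Every region constraint over k clocks with constants in [-max_c, max_c]."""
    cs = []
    for i in range(k):
        for c in range(-max_c, max_c + 1):
            for op in OPS:
                cs.append((i, None, op, c))
                cs.extend((i, j, op, c) for j in range(k) if j != i)
    return cs


def random_valuation(k, rng, denom=4, max_int=3):
    """Constructed sample input: k rational clock values with denominator denom."""
    return tuple(Fraction(rng.randint(0, max_int * denom), denom) for _ in range(k))


def check_abstraction(k=3, trials=300, seed=1):
    """True iff, on `trials` random valuations, the abstraction decides every
    region constraint exactly as the concrete valuation does."""
    rng = random.Random(seed)
    cs = all_constraints(k, max_c=4)
    for _ in range(trials):
        v = random_valuation(k, rng)
        ints, pat = abstract(v)
        if any(concrete_holds(v, c) != abstract_holds(ints, pat, c) for c in cs):
            return False
    return True


if __name__ == "__main__":
    a, b = val("1/4", "3/4", 2), val("1/10", "7/10", 2)
    print(abstract(a) == abstract(b), abstract(a)[1], check_abstraction())
```

The random check is a test on sampled valuations, not a proof, but it shows the mechanism the paragraph relies on: two valuations with the same integral parts and the same pattern (such as the two in the `__main__` block) are indistinguishable by any region constraint, so the integral parts can be handed to synchronous discrete clocks and the remaining case split is over finitely many patterns.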
Theorem 4. Let Y be a class of automata, X be a class of machines and XCM be the
class of machines in X augmented with reversal-bounded counters. If, for each machine
in XCM, an automaton in Y can be constructed that accepts the binary reachability of
the machine, and Lemma 2 holds (replacing NPCA with Y), then the binary reachability
of the timed version of X is (D+Y)-definable.
Notice that Lemma 2 (4) requires that the emptiness problem for Y in Theorem 4 be decidable. Theorem 2 then follows immediately from Theorem 4 for the timed version of X.
According to Theorem 4, the timed version of the following machines X has a de-
cidable (D+Y)-definable characterization for binary reachability by properly choosing
Y:
– NPCM. Here Y=NPCA;
– NCM with an unrestricted counter. Notice that the counter is a special case of a
pushdown stack (when the stack alphabet is unary). Here, Y=NPCA;
– Finite-crossing NCM [28] (i.e., NCM augmented with a finite-crossing read-only
worktape. The head on the worktape is two-way, but for each cell of the tape, the
head crosses only a bounded number of times.). Here, Y is finite-crossing NCAs
[28] that are NCM augmented with a finite-crossing input tape.
– Reversal-bounded multipushdown machines [17] that are multipushdown machines
[13] augmented with reversal-bounded counters. Here, Y is reversal-bounded mul-
tipushdown automata [17].
Let X be a class of machines. The pattern technique tells us that, for a decidable
binary reachability characterization of the timed version of X, the density of clocks
(and even clocks themselves) is not the key issue. This is because, using the technique,
these dense clocks can be reduced to reversal-bounded integer counters. The key issue is
whether X and its reversal-bounded version XCM have a decidable binary reachability
characterization (i.e., the binary reachability can be accepted by a class Y of automata
with a decidable emptiness problem). In particular, when the binary reachability of X
is effectively semilinear (and hence the binary reachability is decidable), in most cases,
the binary reachability of XCM is also effectively semilinear. Such X includes all the
machines mentioned above. In this case, once we can show the untimed machines in
X have a decidable binary reachability characterization, we are getting really close to
the decidable characterization for their timed version. But, we do have exceptions. For
instance, consider X to be a finite state machine with a two-way read only worktape. X
has a decidable binary reachability characterization (witnessed by two-way multitape
finite automata). However, augmenting X with reversal-bounded counters makes the
binary reachability undecidable. The pitfall here is that a two-way tape makes reversal-
bounded counters too powerful. In fact, the emptiness problem is undecidable for two-
way automata augmented with reversal-bounded counters. In the case when there is
only one reversal-bounded counter, the emptiness problem is decidable if the machines
are deterministic. The nondeterministic case is still open [29].
In practice, augmenting timed automata with other unbounded data structures al-
lows us to study more complex real-time applications. For instance, the decidable char-
acterization of PTAs makes it possible to implement a tool verifying recursive real-time
programs containing finite-state variables against safety properties containing linear
constraints over dense clocks and stack word counts. This tool will be a good comple-
ment to available tools for recursive finite state programs (for regular safety properties,
e.g., termination) [22,7]. On the other hand, for the existing tools analyzing real-time
systems (such as UPPAAL [30] and its extensions [31], TREX [31], HyTECH [26],
Kronos [11]), the traditional region-based technique used in the tools may be enhanced
with the pattern technique. Doing this makes it possible for the tools to verify complex
timing requirements that may not be in the form of clock regions. The results in this
paper can also be used to implement a model-checker for a subset of the real-time spec-
ification language ASTRAL [14]. The subset includes history-independent ASTRAL
specifications containing both dense clocks and unbounded discrete control variables.
As mentioned in this section, the timed version of NPCM (i.e., PTAs further aug-
mented with reversal-bounded counters) also has a decidable characterization. This
timed model has many important applications. For instance, a real-time recursive pro-
gram (containing unbounded integer variables) can be automatically debugged using
the reversal-bounded approximation (i.e., assign a reversal-bound to the variables). Ad-
ditionally, a free counter (i.e., an unrestricted counter) is a special case for a pushdown
stack (when the stack alphabet is unary). Therefore, this model can also be used to spec-
ify real-time systems containing a free counter and many reversal-bounded counters.
It may seem that “reversal-bounded counters” are unnatural and that their applications in practice are therefore remote. However, a non-decreasing counter is also a reversal-bounded counter (with zero reversal-bound). This kind of counter has a lot of applications. For instance, a non-decreasing counter can be used to count elapsed digital time, the number of external events, the number of times a particular branch is taken by a nondeterministic program (this is important when fairness is taken into account), etc. For instance, consider a timed automaton with input symbols (i.e., a transition is triggered by an external event as well as by its enabling condition). We use #a to denote the number of occurrences of event a so far. The enabling condition of a transition, besides clock constraints, may also include comparisons of the counts #a against an integer constant and comparisons of one specific linear term T (over all the #a) against an integer constant.
For instance, a transition may look like this (in pseudo-code):
s: if event(a) and x2 − x1 > 10 and #b > 21 and 2#c − 3#b < 5, then progress(); goto s′
where x1 and x2 are dense clocks. Notice that comparisons of the linear term 2#c − 3#b against an integer constant may show up in other transitions. But this term is unique in the automaton: a comparison like 4#a − 3#b > 8, which involves a different term 4#a − 3#b, cannot be used in the enabling conditions of the automaton. This timed automaton is a standard timed automaton augmented with reversal-bounded counters #a (which are non-decreasing) and a free counter (representing the linear term 2#c − 3#b). Hence, the following property can be automatically verified:
“It is always true that whenever x1 − 7#b + 3x2 > 2#a holds, x1 must be greater than #c − #a.”
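The following added example (not from the paper) simulates in Python a small timed automaton of the kind just described, built around the pseudo-code transition above. Its two locations s and s′, the reset of x1 on event b, and the timed input sequence are assumptions made for the example; the guard on the a-transition, the term T = 2#c − 3#b and the quoted property are taken from the text. The run shows that the event counters #a, #b and #c make zero reversals while T reverses on almost every step, which is why T has to be kept as a free counter rather than a reversal-bounded one, and it checks the quoted property along that single run (a test of one run, not the decision procedure of Theorem 2).

```python
"""Added example: event-counting timed automaton with reversal-bounded counters.

Locations s and s', the reset of x1 on event b, and the input trace are
assumptions of this example; the a-guard, the term T and the property checked
at the end come from the text.
"""
from fractions import Fraction


def reversals(trace):
    """Count direction changes of a counter along a run.  A reversal-bounded
    counter has a fixed bound on this number; a non-decreasing counter has 0."""
    count, last = 0, 0
    for prev, cur in zip(trace, trace[1:]):
        step = (cur > prev) - (cur < prev)
        if step and last and step != last:
            count += 1
        if step:
            last = step
    return count


def term(counts):
    """The automaton's single linear term T = 2#c - 3#b, kept as one free counter."""
    return 2 * counts["c"] - 3 * counts["b"]


def run(timed_events):
    """Simulate the constructed automaton on [(delay, event), ...].

    Returns (final location, configurations, per-event count traces, T trace).
    Every event increments its own count whatever the location (#x = number of
    x events so far); the guard reads the counts before the current event.
    """
    loc, x1, x2 = "s", Fraction(0), Fraction(0)
    counts = {"a": 0, "b": 0, "c": 0}
    confs = [(loc, x1, x2, dict(counts))]
    traces = {k: [0] for k in counts}
    t_trace = [term(counts)]
    for delay, ev in timed_events:
        x1, x2 = x1 + Fraction(delay), x2 + Fraction(delay)   # both clocks run at rate 1
        if loc == "s":
            # s: if event(a) and x2-x1 > 10 and #b > 21 and 2#c-3#b < 5 then goto s'
            if ev == "a" and x2 - x1 > 10 and counts["b"] > 21 and term(counts) < 5:
                loc = "s'"
            elif ev == "b":
                x1 = Fraction(0)                     # assumption: b resets x1
        counts[ev] += 1
        for k in counts:
            traces[k].append(counts[k])
        t_trace.append(term(counts))
        confs.append((loc, x1, x2, dict(counts)))
    return loc, confs, traces, t_trace


def first_violation(confs):
    """Check the quoted property on one run: whenever x1 - 7#b + 3x2 > 2#a holds,
    x1 must be greater than #c - #a.  Returns the index of the first violating
    configuration, or None if the run satisfies the property."""
    for idx, (_, x1, x2, n) in enumerate(confs):
        if x1 - 7 * n["b"] + 3 * x2 > 2 * n["a"] and not x1 > n["c"] - n["a"]:
            return idx
    return None


def demo():
    """Constructed input: 22 rounds of (c, b) one time unit apart, then an a."""
    events = [(1, "c"), (1, "b")] * 22 + [(1, "a")]
    loc, confs, traces, t_trace = run(events)
    count_reversals = {k: reversals(v) for k, v in traces.items()}
    return loc, count_reversals, reversals(t_trace), first_violation(confs)


if __name__ == "__main__":
    print(demo())
```

On the constructed trace the a-guard is enabled at the final step (x2 − x1 = 44, #b = 22, T = −22), the three event counters never reverse, and T reverses 43 times, growing with the length of the run; the property check reports the first configuration at which the quoted implication fails on this particular run.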
A future research issue is to investigate whether the decidable results [21] for Pres-
burger liveness of discrete timed automata can be extended to timed automata (with
dense clocks) using the technique in this paper. We are also going to look at the pos-
sibility of extending the approximation approaches for parameterized discrete timed
automata [20] to the dense clocks. This is particularly interesting, since the reachability
set presented in [20] is not necessarily semilinear. Another issue is on the complexity
analysis of the decision procedure presented in this paper. However, the complexity for
the emptiness problem of NPCAs is still unknown, though it is believed that it can be
derived along Gurari and Ibarra [24].
The author would like to thank H. Comon and O. H. Ibarra for discussions on the
topic of dense timed pushdown automata during CAV’00 in Chicago, B. Boigelot, P.
San Pietro and J. Su for recent discussions on [12], J. Nelson, F. Sheldon and G. Xie for
reading an earlier draft of this paper. Thanks also go to T. Bultan, H. Comon, J. Esparza
and K. Larsen for comments on the short version of this paper presented in CAV’01 in
Paris.
References
1. R. Alur, “Timed automata”, CAV’99, LNCS 1633, pp. 8-22
2. R. Alur, C. Courcoubetis, and D. Dill, “Model-checking in dense real time,” Information and
Computation, 104 (1993) 2-34
3. R. Alur and D. Dill, “A theory of timed automata,” Theoretical Computer Science, 126 (1994)
183-236
4. R. Alur, T. Feder, and T. A. Henzinger, “The benefits of relaxing punctuality,” J. ACM, 43
(1996) 116-146
5. R. Alur, T. A. Henzinger, “Real-time logics: complexity and expressiveness,” Information
and Computation, 104 (1993) 35-77
6. R. Alur, T. A. Henzinger, “A really temporal logic,” J. ACM, 41 (1994) 181-204
7. T. Ball and S. K. Rajamani, “Bebop: a symbolic model-checker for Boolean programs,” Spin
Workshop’00, LNCS 1885, pp. 113-130.
8. J. R. Büchi, “On a decision method in restricted second order arithmetic,” Proceedings of the
International Congress on Logic, Method, and Philosophy of Sciences, Stanford University
Press, pp. 1-12, 1962
9. A. Bouajjani, J. Esparza, and O. Maler, “Reachability Analysis of Pushdown Automata:
Application to Model-Checking,” CONCUR’97, LNCS 1243, pp. 135-150
10. A. Bouajjani, R. Echahed, and R. Robbana, “On the automatic verification of systems with
continuous variables and unbounded discrete data structures,” Hybrid Systems II, LNCS 999,
1995, pp. 64-85
11. M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine, “Kronos: A model-
checking tool for real-time systems,” CAV’98, LNCS 1427, pp. 546-550
12. B. Boigelot, S. Rassart and P. Wolper, “On the expressiveness of real and integer arithmetic
automata,” ICALP’98, LNCS 1443, pp. 152-163
13. A. Cherubini, L. Breveglieri, C. Citrini, and S. Crespi Reghizzi. “Multi-push-down languages
and grammars,” International Journal of Foundations of Computer Science, 7(3): 253-291,
1996
14. A. Coen-Porisini, C. Ghezzi and R. Kemmerer, “Specification of real-time systems using
ASTRAL,” IEEE Transactions on Software Engineering, 23 (1997) 572-598
15. H. Comon and Y. Jurski, “Multiple counters automata, safety analysis and Presburger arith-
metic,” CAV’98, LNCS 1427, pp. 268-279.
16. H. Comon and Y. Jurski, “Timed automata and the theory of real numbers,” CONCUR’99,
LNCS 1664, pp. 242-257
17. Z. Dang, “Debugging and verification of infinite state real-time systems,” PhD Dissertation,
University of California, Santa Barbara, August 2000
18. Z. Dang, “Binary reachability analysis of pushdown timed automata with dense clocks,”
CAV’01, LNCS 2102, pp. 506-517
19. Z. Dang, O. H. Ibarra, T. Bultan, R. A. Kemmerer, and J. Su, “Binary reachability analysis
of discrete pushdown timed automata,” CAV’00, LNCS 1855, pp. 69-84
20. Z. Dang, O. H. Ibarra and R. A. Kemmerer, “Decidable approximations on generalized and
parameterized discrete timed automata,” COCOON’01, LNCS 2108, pp. 529-539
21. Z. Dang, P. San Pietro and R. A. Kemmerer, “On Presburger liveness of discrete timed au-
tomata,” STACS’01, LNCS 2010, pp. 132-143
22. J. Esparza and S. Schwoon, “A BDD-based model-checker for recursive programs,” CAV’01,
LNCS 2102, pp. 324-336
23. A. Finkel, B. Willems and P. Wolper, “A direct symbolic approach to model checking push-
down systems,” INFINITY’97.
24. E. Gurari and O. Ibarra, “The complexity of decision problems for finite-turn multicounter
machines,” J. Computer and System Sciences, 22 (1981) 220-229
25. T. A. Henzinger, Z. Manna, and A. Pnueli, “What good are digital clocks?,” ICALP’92,
LNCS 623, pp. 545-558
26. T. A. Henzinger and Pei-Hsin Ho, “HyTech: the Cornell hybrid technology tool,” Hybrid
Systems II, LNCS 999, pp. 265-294
27. T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. “Symbolic model checking for real-
time systems,” Information and Computation, 111 (1994) 193-244
28. O. H. Ibarra, “Reversal-bounded multicounter machines and their decision problems,” J.
ACM, 25 (1978) 116-133
29. O. H. Ibarra, T. Jiang, N. Tran and H. Wang, “New decidability results concerning two-way
counter machines,” SIAM J. Comput., 24 (1995) 123-137
30. K. G. Larsen, P. Pettersson, and W. Yi, “UPPAAL in a nutshell,” International Journal on
Software Tools for Technology Transfer, 1 (1997): 134-152
31. K. G. Larsen, G. Behrmann, E. Brinksma, A. Fehnker, T. Hune, P. Pettersson, and J.
Romijn, “As cheap as possible: efficient cost-optimal reachability for priced timed automata,”
CAV’01, LNCS 2102, pp. 493-505
32. F. Laroussinie, K. G. Larsen, and C. Weise, “From timed automata to logic - and back,”
MFCS’95, LNCS 969, pp. 529-539
33. J. Raskin and P. Schobbens, “State clock logic: a decidable real-time logic,” HART’97, LNCS
1201, pp. 33-47
34. T. Wilke, “Specifying timed state sequences in powerful decidable logics and timed au-
tomata,” LNCS 863, pp. 694-715, 1994
35. S. Yovine, “Model checking timed automata,” Embedded Systems’98, LNCS 1494, pp. 114-
152
