Abstract. We establish a relationship between reachability problems in timed automata and space-bounded counter automata. We show that reachability in timed automata with three or more clocks is logarithmic-space inter-reducible with reachability in space-bounded counter automata with two counters. We moreover show the logarithmic-space equivalence of reachability in two-clock timed automata and space-bounded one-counter automata. This last reduction has recently been employed by Fearnley and Jurdziński to settle the computational complexity of reachability in two-clock timed automata.
Introduction
Timed automata [2] and counter automata [23] are prominent infinite-state formalisms for modeling and reasoning about quantitative behavior of systems. Timed automata comprise a finite-state controller with a finite number of clocks that can be compared to constants and reset along a transition between two control locations. Counter automata on the other hand extend finite-state machines with a finite number of counters ranging over the natural numbers that can be incremented, decremented or tested for zero along a transition. Reachability, the problem of deciding whether there is a path connecting two given configurations in the corresponding induced transition system, is the central decision problem for both timed and counter automata. In this paper, we establish a natural correspondence between reachability in timed automata and a restricted class of counter automata, namely bounded counter automata. In the latter class, counters are restricted to take values from an arbitrary but fixed finite interval over the naturals, and hence bounded counter automata possess an a priori finite state space. However, due to binary encoding of numbers, bounded counter automata succinctly encode a state space which is exponential in the size of their description.
The main contribution of this paper is to show how runs in transition systems of timed automata can naturally be simulated in bounded counter automata, and vice versa. From this we show in Section 3 that reachability in k-clock timed automata with k ≥ 3 is logarithmic-space inter-reducible with reachability in bounded two-counter automata. The emphasis and the most interesting part in this section is on the naturalness of the simulation of timed automata in bounded counter automata. A more elaborate reduction is required in Section 4, where we show that reachability in two-clock timed automata is logarithmic-space inter-reducible with reachability in bounded one-counter automata. An interesting class of bounded one-counter automata for which the precise complexity of reachability remains open is discussed in Section 5.
An extended abstract of this paper [14] appeared in the proceedings of the 6th International Workshop on Reachability Problems held in September 2012 in Bordeaux, France. Prior to this the precise computational complexity of reachability in two-clock timed automata and in bounded one-counter automata were both long-standing open problems. One of the contributions of [14] was to show that these two problems are essentially equivalent. At the 40th International Colloquium on Automata, Languages and Programming held in July 2013 in Riga, Latvia, Fearnley and Jurdziński gave a PSPACE-hardness proof, finally showing that reachability in bounded one-counter automata is PSPACE-complete. By application of our inter-reducibility result it follows that reachability in two-clock timed automata is PSPACE-complete as well [9].
A brief survey of work on reachability problems in timed and counter automata is presented in the next section. Even though Fearnley and Jurdziński's result only requires showing that reachability in bounded one-counter automata can be reduced to reachability in two-clock timed automata, we believe that the relationships established in [14] are interesting in their own right since they provide insight into the structure of reachability problems of two prominent classes of automata. Similarly, a related technical characterisation of timed automata via channel machines has proved useful in the study of robustness problems for timed automata [1, 6]. It is conceivable that our reductions may in future assist in tackling problems of a similar nature as well.
The present paper extends [14] by including all proofs omitted from [14] for reasons of space, as well as additional details at various points. In addition, we show how bounded one-counter automata relate to automata with a single integer-valued counter and sign tests: a model considered by Demri and Gascon [8]. We conclude by discussing an open problem concerning one-dimensional vector addition systems.
A short account of the complexity of reachability in timed and counter automata
In this section, we give a brief account of the history of the study of the computational complexity of reachability in timed and counter automata. There is a rich body of literature on this topic; the present treatment is not meant to be exhaustive.
Reachability in timed automata was shown to be decidable and PSPACE-complete in Alur and Dill's seminal paper [2]. Subsequently, a multi-parameter analysis of this problem was conducted by Courcoubetis and Yannakakis [7], who showed that reachability is PSPACE-hard already in the presence of three clocks when numbers are encoded in binary, and also PSPACE-hard when the number of clocks is unbounded and numbers are encoded in unary. The cases with fewer than three clocks were considered by Laroussinie, Markey and Schnoebelen [18], who showed that reachability for one-clock timed automata is NL-complete, and NP-hard in the presence of two clocks. However, no matching upper bound for the latter problem was given in [18]. Naves showed in his Master's thesis [24] that reachability becomes PSPACE-hard when allowing for modulo tests on clocks under the assumption that numbers are encoded in binary. This result was later refined by Göller and Lohrey [11], who showed that reachability is also PSPACE-hard when all numbers, in particular those occurring in modulo tests, are encoded in unary.
For counter automata, the earliest result is that reachability is undecidable in the presence of at least two counters [23]. For that reason, restrictions on counter automata that lead to decidable reachability problems have been widely studied in the literature. Examples include the restriction to one counter [26, 13], restricting zero-tests [21, 17, 25, 19, 4], reversal-boundedness [16, 10] or flatness [20], all of which lead to a decidable reachability problem, with complexity dropping to NP in certain cases. The complexity of reachability in the presence of one unbounded counter is NL-complete when numbers are encoded in unary, see e.g. [8], and NP-complete when numbers are encoded in binary [13]. To the best of our knowledge, the class of bounded counter automata introduced in this paper has nowhere been studied in full generality. The complexity of reachability in bounded counter automata with only one counter was investigated by Bouyer et al. in [5] in the context of weighted timed automata, where the problem was shown to be NP-hard and in PSPACE. The reduction we established in [14] trivially entails that reachability in bounded two-counter automata is PSPACE-complete in the presence of two counters. Finally, Fearnley and Jurdziński showed in [9] that reachability in bounded one-counter automata is PSPACE-hard, which established PSPACE-completeness of the whole class of bounded counter automata and of two-clock timed automata.
Preliminaries
In this section, we give some of the definitions that we use in the remainder of this paper. The definitions of timed automata and bounded counter automata are tailored to our needs and as simplified as possible in order to ease the reductions provided in the main text of the paper. In the case of bounded counter automata, for technical convenience we additionally introduce some syntactic sugar and observe as a side note the log-space inter-reducibility between reachability in bounded one-counter automata and one-counter automata with sign tests which have been introduced by Demri and Gascon [8].
General notation
By R we denote the set of reals, by Q the set of rationals, by Z the set of integers, by N ≝ {n ∈ Z : n ≥ 0} the set of naturals, by N_{>0} ≝ {n ∈ N : n > 0} the set of strictly positive naturals, and by R_{≥0} ≝ {r ∈ R : r ≥ 0} the set of positive reals. For i, j ∈ Z, [i, j] denotes the interval {z ∈ Z : i ≤ z ≤ j}, and [i] is an abbreviation for [1, i]. Otherwise, interval definitions are used in the standard way over subsets of R, e.g., (i, j) defines the interval {r ∈ R : i < r < j}. The floor function on the reals is defined in the standard way, i.e., ⌊r⌋ ≝ max{z ∈ Z : z ≤ r}. Given M ⊆ R and r ∈ R, we denote by rM the set {rm : m ∈ M}, and M + r is the set {m + r : m ∈ M}. Throughout this paper, we assume integers to be encoded in their natural binary encoding, and for any z ∈ Z denote by size(z) the number of symbols required to represent z.
Transition systems
A transition system is a tuple T = (S, →), where S is the set of states and → ⊆ S × S is the transition relation. Given s, t ∈ S, we write s → t whenever (s, t) ∈ → and denote by →* the reflexive transitive closure of →. An s-t path π in T is a sequence of states π : s_1, ..., s_n such that s_1 = s, s_n = t and s_i → s_{i+1} for all i ∈ [n − 1]. Given s, t ∈ S, reachability is to decide the existence of an s-t path in T, i.e., whether s →* t.
Timed automata
Let X be a finite set of clock variables. A clock valuation is a mapping ϑ : X → R_{≥0}; we denote by CV(X) the set of all clock valuations. Given r ∈ R_{≥0}, we denote by ϑ + r the clock valuation defined by (ϑ + r)(x) = ϑ(x) + r for all x ∈ X. An atomic clock constraint is a term of the form x ∼ n, where x ∈ X, ∼ ∈ {<, ≤, =, ≠, ≥, >} and n ∈ N. A clock constraint φ is a finite conjunction of atomic clock constraints φ = x_1 ∼ n_1 ∧ ... ∧ x_m ∼ n_m. The set of all clock constraints over clocks X is denoted by CC(X). A clock valuation ϑ maps x ∼ n to a Boolean value ϑ(x) ∼ n and hence a clock constraint φ to a Boolean value. We write ϑ |= φ whenever ϑ evaluates φ to true.
In this paper, a k-clock timed automaton is a tuple A = (Q, X, ∆, ξ), where Q is a finite set of control locations, X is a set of k clock variables, ∆ ⊆ Q × Q is the transition relation, and ξ : ∆ → CC(X) × 2^X is the transition labeling function. The map ξ assigns to each transition a clock constraint representing a pre-condition of the transition and a set of clocks to be reset to zero when the transition is taken. Given x ∈ X, the set of x-constants C_x comprises 0 and those n ∈ N such that an atomic clock constraint x ∼ n occurs as a conjunct in a clock constraint of some transition of A. The set C(A) of configurations of A is Q × CV(X). For brevity we write q(ϑ) for a configuration (q, ϑ). The size of a timed automaton is |A| ≝ |Q| + |∆| max{size(n) + 1 : n ∈ C_x, x ∈ X}. A timed automaton induces a transition system T(A) = (S_A, →_A) where S_A = C(A) and q(ϑ) →_A q′(ϑ′) iff one of the following conditions holds:
Reachability for a k-clock timed automaton A is to decide C →*_A C′ for given configurations C, C′ ∈ C(A) ∩ (Q × N^k) with integer-valued clocks.
Bounded counter automata
Let k ∈ N and Op
k is a vector of bounds, and ξ : ∆ → Op is the transition
again we write q(n 1 , . . . , n k ) or q(n) to denote individual configurations. We call b i the bound of counter i. The size of a bounded k-counter automaton is |A|
, where S_A = C(A) and there is a transition q(n_1, ..., n_k) →_A q′(n′_1, ..., n′_k) iff both of the following hold: (i) (q, q′) ∈ ∆; and (ii) if ξ(q, q′) = add_i(z) then n′_i = n_i + z and n′_j = n_j for all j ≠ i. The Reachability Problem for bounded k-counter automata is to decide whether C →*_A C′ for given configurations C, C′ ∈ C(A).
We conclude this section by noting that bounded counter automata can be viewed as bounded vector addition systems with states (VASS) [22] .
Syntactic extensions of bounded counter automata
Without loss of generality we may assume that transitions of k-counter automata are endowed with guards which compare the counters to natural numbers. Formally, we can extend the set of operations to additionally contain operations counter i ∼ n, where ∼ ∈ {<, ≤, =, ≥, >}, with the following semantics: for every transition (q,
. It is not difficult to see that reachability in any such bounded k-counter automaton with an extended set of operations can be reduced in logarithmic space to reachability in a bounded k-counter automaton. For example, a transition (q, q′) ∈ ∆ with label ξ(q, q′) = counter_i < n can be simulated as follows:
• replace (q, q′) with two new transitions (q, q′′) and (q′′, q′), where q′′ is a fresh control location; and
• label (q, q′′) with add_i(b_i − n + 1) and (q′′, q′) with add_i(−b_i + n − 1), where b_i is the bound of counter i.
The construction for the remaining relational symbols follows analogously. Finally, we define a further generalisation that allows for the counters of a bounded counter automaton to take values from bounded intervals (1/n)Z ⊆ Q, n ∈ N_{>0}. Moreover, this generalisation allows for adding and subtracting integer multiples of 1/n to and from the counters. Formally, for n ∈ N_{>0}, such a bounded counter automaton is a tuple A = (Q, ∆, b, n, ξ) as above with
k , and its set of operations consists of operations add i (r) such that r ∈ (1/n)Z. The set of
is defined in the obvious way. An instance of a reachability problem in such a bounded counter automaton A can then be reduced in logarithmic space to reachability in a bounded counter automaton A ′ by the following procedure:
• replace each bound b_i with 2nb_i; and
• replace each operation add_i(r) with add_i(nr).
It is then easily shown by induction on the length of the path that for all z 1 , . . . ,
Relationship to one-Z-counter automata with sign tests
In [8], Demri and Gascon consider reachability in one-Z-counter automata with sign tests, for which they show that reachability is NP-hard and in PSPACE provided numbers are encoded in binary [8, Thm. 6 and the remarks below]. Formally, a one-Z-counter automaton with sign tests is a tuple A = (Q, ∆, ξ, τ), where Q and ∆ are defined as for bounded counter automata above, ξ : ∆ → {add(z) : z ∈ Z}, and τ : ∆ → {<, ≤, =, ≠, ≥, >} ∪ {true} is a transition guard which allows the counter value to be compared to zero. The set of configurations of A is C(A) = Q × Z, and q(z)
In particular note that the state space of a bounded one-Z-counter automaton is infinite.
Here, we show that reachability in bounded one-counter automata is logarithmic-space reducible to reachability in one-Z-counter automata with sign tests. This observation together with the PSPACE lower bound obtained by Fearnley and Jurdziński [9] for reachability in bounded one-counter automata then allows us to observe the PSPACE-completeness of reachability in one-Z-counter automata.
Lemma 2.1. Reachability in bounded one-counter automata is logarithmic-space reducible to reachability in one-Z-counter automata with sign tests.
Proof:
The idea is straightforward: we use transition guards in order to ensure that for a given bounded one-counter automaton A = (Q, ∆, b, ξ), the counter always stays in the interval [0, b]. Formally, a one-Z-counter automaton A′ = (Q′, ∆′, ξ′, τ′) can be obtained from A as follows: replace each transition (q, q′) ∈ ∆ labeled with add(z) by three consecutive transitions with fresh intermediate control locations that perform the following sequence of actions:
• add z to the counter and test that resulting value is non-negative;
• subtract b from the counter and test that the resulting value is at most zero;
• add b to the counter.
It is then easily established by induction on the length of a run that
Reachability in one-Z-counter automata with sign tests is PSPACE-complete.
Remark 2.3. Note that in [8] it is also shown that if there is a run between two configurations of a one-Z-counter automaton with sign tests A then there is one for which the maximum absolute value of the counter occurring along the run can be bounded by p(|A|) for some fixed polynomial p that is independent of A. Hence, an adaptation of the construction provided in Section 2.4.1 can be used in order to reduce reachability in one-Z-counter automata with sign tests to reachability in bounded one-counter automata.
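The following Python sketch is an added example, not code from the paper. It implements the three-step gadget from the proof of Lemma 2.1 and the two-transition simulation of the guard counter_i < n from the section on syntactic extensions, and compares reachable configurations by exhaustive search. The sample automaton, the location names and the convention that a sign test applies to the value after the addition are assumptions of the example.

```python
from collections import deque

def reach_bounded(trans, b, start):
    """Configurations (q, n) reachable in a bounded one-counter automaton.
    trans is a list of (q, q2, z); a step is enabled only if 0 <= n + z <= b."""
    seen, todo = {start}, deque([start])
    while todo:
        q, n = todo.popleft()
        for p, p2, z in trans:
            nxt = (p2, n + z)
            if p == q and 0 <= n + z <= b and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

# Sign tests compare the counter value with zero.
SIGN_TESTS = {
    "true": lambda v: True, "<": lambda v: v < 0, "<=": lambda v: v <= 0,
    "=": lambda v: v == 0, "!=": lambda v: v != 0,
    ">=": lambda v: v >= 0, ">": lambda v: v > 0,
}

def reach_sign_tests(trans, start, window):
    """Configurations reachable in a one-Z-counter automaton with sign tests.
    trans is a list of (q, q2, z, test). Assumption of this example: the test
    is applied to the value obtained after adding z. The search ignores values
    with |value| > window so that it terminates."""
    seen, todo = {start}, deque([start])
    while todo:
        q, v = todo.popleft()
        for p, p2, z, test in trans:
            nxt = (p2, v + z)
            if (p == q and abs(v + z) <= window and SIGN_TESTS[test](v + z)
                    and nxt not in seen):
                seen.add(nxt)
                todo.append(nxt)
    return seen

def to_sign_tests(trans, b):
    """Lemma 2.1: three guarded steps per transition, via fresh locations."""
    out = []
    for idx, (q, q2, z) in enumerate(trans):
        m1, m2 = ("mid", idx, 1), ("mid", idx, 2)
        out += [(q, m1, z, ">="),     # add z, result must be non-negative
                (m1, m2, -b, "<="),   # subtract b, result must be at most zero
                (m2, q2, b, "true")]  # add b back
    return out

def less_than_gadget(q, q2, n, b):
    """Guard 'counter < n' (0 <= n <= b) as two plain additions."""
    fresh = ("guard", q, q2)
    return [(q, fresh, b - n + 1), (fresh, q2, -b + n - 1)]

def guard_passes(c, n, b):
    """True iff the guard gadget leads from q(c) to q2(c)."""
    gadget = less_than_gadget("q", "q2", n, b)
    return ("q2", c) in reach_bounded(gadget, b, ("q", c))

# Constructed sample: a bounded one-counter automaton with bound 10.
SAMPLE = [("p", "q", 5), ("q", "p", -3), ("q", "r", -7)]
BOUND = 10

def compare():
    """Reachable sets of the sample and of its translation, original locations only."""
    direct = reach_bounded(SAMPLE, BOUND, ("p", 0))
    window = BOUND + max(abs(z) for _, _, z in SAMPLE)
    translated = reach_sign_tests(to_sign_tests(SAMPLE, BOUND), ("p", 0), window)
    return direct, {(q, n) for q, n in translated if isinstance(q, str)}

if __name__ == "__main__":
    direct, translated = compare()
    print(sorted(direct) == sorted(translated))
    print([c for c in range(BOUND + 1) if guard_passes(c, 4, BOUND)])
```

In the sample, the step from p(6) to q(11) is blocked by the bound in the original automaton and by the second sign test in the translation.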
The general case
In this section we prove the following theorem.
Theorem 3.1. Reachability in k-clock timed automata with k ≥ 3 is logarithmic-space inter-reducible with reachability in bounded two-counter automata.
The proof of the theorem comprises three parts. We show that
(i) reachability in bounded k-counter automata with k ≥ 3 can be reduced to reachability in bounded two-counter automata;
(ii) reachability in bounded two-counter automata can be reduced to reachability in three-clock timed automata; and
(iii) reachability in k-clock timed automata with k ≥ 3 can be reduced to reachability in bounded (2k + 2)-counter automata, which by (i) implies that this problem is reducible to reachability in bounded two-counter automata.
We describe each reduction in a separate section below.
Reduction (i)
In this section, we show that reachability in bounded k-counter automata with k ≥ 3 can be reduced to reachability in bounded two-counter automata. Let A = (Q, ∆, b, ξ) be a bounded k-counter automaton with k ≥ 3 and b = (b_1, ..., b_k). Our first observation is that we may assume all bounds of b to be identical, i.e., for any b ≥ max{b_i : i ∈ [k]}, reachability in A can be reduced in logarithmic space to reachability in a bounded k-counter automaton
We can obtain A ′ from A by the following procedure:
• replace each transition (q, q ′ ) labeled with add i (z) with two consecutive transitions (q, q ′′ ), (q ′′ , q ′ ), where q ′′ is a fresh control location; and
We can now establish the main lemma of this section.
There is a bounded two-counter automaton A ′ and a function f :
Proof:
Without loss of generality, let b = 2^r − 1 be the uniform bound of A, so that r bits are sufficient to represent a counter value. The idea behind our reduction is to simulate counters two up to k of A in the (most significant) bits of the first counter of A′, and to use the second counter of A′ as temporary storage.
The control locations of A′ contain those of A as a subset, however the transitions of A will be replaced with gadgets in A′. We set the bound on the counters of A′ to be 2^{kr} − 1. In order to formalise our intuition about the relationship between configurations of A and A′, we define
Our aim is to construct
To this end, the transitions of A are replaced by gadgets in A ′ that, informally speaking, ensure that we do not underflow or overflow. Formally, any transition (q, q ′ ) labeled with add i (z), z ∈ Z in A gets replaced in A ′ with a gadget that performs the following sequence of actions on the first and second counters of A ′ :
(i) move all bits with index ir up to kr − 1 from the first to the second counter (in this paper we start indexing from zero);
(ii) add 2^{(i−1)r} z to the first counter;
(iii) test that the value of the second counter is less than 2^{ir};
(iv) move the bits with index ir up to kr − 1 from the second to the first counter; and
(v) switch to control location q′.
Figure 1. Generic gadget A_mov(i, j) used for moving the bits with index i up to j from the first to the second counter.
A generic gadget A_mov(i, j) that enables moving bits with index i up to j is graphically depicted in Figure 1. The idea is to non-deterministically subtract the relevant bits from the first counter while at the same time adding them to the second counter, and to finally check that all bits were transferred. Note that the test in (iii) ensures that the simulation of adding z to the i-th counter does not result in an overflow which could occur since A and A′ do not have the same bound.
It is now not difficult to verify that q(n)
, which concludes the proof of the lemma. ⊓ ⊔
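The bit-packing behind this reduction can be checked exhaustively on a small instance. The Python code below is an added example, not the paper's construction verbatim: it models the successful runs of the move gadget by enumeration, and it applies the overflow test of step (iii) to the counter that holds bits 0 to ir − 1 after step (i), which is an assumption of this example. The function names are hypothetical.

```python
from itertools import product

def pack(ns, r):
    """Counter i (1-based) lives in bits (i-1)r .. ir-1 of a single number."""
    return sum(n << (idx * r) for idx, n in enumerate(ns))

def move_bits(src, dst, lo, hi, bound):
    """Successful runs of a move gadget for bits lo..hi: guess an amount built
    from the powers 2^lo .. 2^hi, subtract it from src, add it to dst, and
    finally test that nothing at or above bit lo is left in src."""
    runs = []
    for m in range(1 << max(hi - lo + 1, 0)):
        amount = m << lo
        s, d = src - amount, dst + amount
        if 0 <= s < (1 << lo) and d <= bound:
            runs.append((s, d))
    return runs

def simulate_add(c1, i, z, k, r):
    """Values of the first counter after the gadget for add_i(z). The second
    counter starts and ends at 0. An empty set means the gadget blocks."""
    bound = (1 << (k * r)) - 1
    finals = set()
    for low, high in move_bits(c1, 0, i * r, k * r - 1, bound):       # step (i)
        low += z * (1 << ((i - 1) * r))                               # step (ii)
        if not 0 <= low <= bound:
            continue          # a bounded counter cannot leave [0, bound]
        if low >= 1 << (i * r):                                       # step (iii)
            continue          # counter i would carry into counter i + 1
        for rest, merged in move_bits(high, low, i * r, k * r - 1, bound):  # (iv)
            if rest == 0:
                finals.add(merged)
    return finals

def direct_add(ns, i, z, b):
    """add_i(z) in the original k-counter automaton with uniform bound b."""
    v = ns[i - 1] + z
    if not 0 <= v <= b:
        return None
    return ns[:i - 1] + (v,) + ns[i:]

def mismatches(k, r):
    """All (counters, i, z) on which the gadget and the original step disagree."""
    b = (1 << r) - 1
    bad = []
    for ns in product(range(b + 1), repeat=k):
        for i in range(1, k + 1):
            for z in range(-b, b + 1):
                expected = direct_add(ns, i, z, b)
                want = set() if expected is None else {pack(expected, r)}
                if simulate_add(pack(ns, r), i, z, k, r) != want:
                    bad.append((ns, i, z))
    return bad

if __name__ == "__main__":
    # k = 3 counters of r = 2 bits each (uniform bound 3), packed into 6 bits.
    print(mismatches(3, 2))
    print(simulate_add(pack((3, 3, 2), 2), 2, 1, 3, 2))
```

For counters (3, 3, 2) and add_2(1) the gadget blocks; without the test in step (iii) the carry would silently change the third counter.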
Reduction (ii)
We now show that reachability in bounded two-counter automata can be reduced to reachability in three-clock timed automata with clocks x, y, z. By the observation made in Section 3.1, we may assume that A has a uniform bound b. We encode counter values as follows: for any clock valuation ϑ, whenever ϑ(x) = b the value of the first counter of A is encoded in ϑ(x) − ϑ(y) and ϑ(x) − ϑ(z) encodes the second counter of A. A similar encoding has also been used in [3] in order to show undecidability of reachability in parametric three-clock timed automata.
Lemma 3.3. Let A be a bounded two-counter automaton and q(n), q ′ (n ′ ) ∈ C(A). Then there is a three-clock timed automaton A ′ and a function f :
, and f (q ′ (n ′ )) are computable from A, q(n), and q ′ (n ′ ) in logarithmic space.
Proof:
Let b be the uniform bound of A. The function f required in the lemma is defined as follows:
which is clearly computable in logarithmic space.
We now sketch how A′ can be obtained from A. The timed automaton A′ contains all control locations of A as a subset. However, the transitions from A are replaced by gadgets that manipulate the clocks in a way that simulates the action of the replaced transitions. As an invariant, we ensure that at any time A′ reaches a control location that exists in A, the value of the clock x is b. Suppose (q, q′) is a transition from A such that ξ(q, q′) = add_1(n) for some n ∈ N. In A′, we replace this transition by the gadget shown in Figure 2. There, clock constraints are written as e.g. x = b and clock resets as e.g.
Since we want to simulate that the first counter of A increases, we need to increase the difference between the value of the clock x and the value of the clock y by n. To this end, the gadget first resets the clock x. It then non-deterministically guesses the order of the simulated counter values: it branches upwards if the value of the first counter is no greater than that of the second counter, i.e., n 1 ≤ n 2 , and downwards otherwise. We only discuss the first case here. The gadget waits until clock y has value b. Then we aim at waiting for n time units in order to increase the difference of x and y by n. However, clock z could reach value b in the meantime, which occurs when n 2 ≤ n 1 + n. Thus, again, a non-deterministic choice is performed to handle the two cases. If z reaches b before y reaches n, the downward branch can be taken, which first resets z as it reaches clock value b and then y when it reaches clock value n. The converse case can be shown analogously, see below. Finally, the gadget waits until clock x reaches clock value b in order to establish our agreed invariant when it reaches q ′ . Note that if the increment would result in a counter value larger than b, the automaton A ′ would block, as expected. It is easily checked that an analogous gadget can be constructed for the simulation of incrementing the second counter.
We demonstrate the correctness of our construction by determining the intermediate values of the clocks along the path labelled by (i)-(v), which, as discussed above, is traversed when n 1 and n 2 are such that n 2 > n 1 + n:
Finally, the same approach can be used in order to simulate decrementing a counter. The main difference is that if we, say, wish to simulate decrementing the first counter by n, instead of waiting for the clock y to reach b and then n, as it is done in Figure 2 , we wait instead for the clock y to reach b − n. ⊓ ⊔
Reduction (iii)
It remains to reduce reachability in k-clock timed automata to reachability in bounded (2k + 2)-counter automata. Let A = (Q, X, ∆, ξ) be a timed automaton with clocks X = {x_1, ..., x_k}. Recall that a configuration of a timed automaton is a tuple consisting of a control state and a clock valuation. In order to abstract away from the a priori infinite state space, we employ the region abstraction as a reachability-preserving equivalence relation on the set of configurations of a timed automaton. Recall that for a clock x ∈ X, C_x denotes the maximum value of the constants occurring in the guards of A involving x. As defined in [2], the region abstraction relates two configurations q(ϑ) ∼ q′(ϑ′) whenever
(a) their control locations are the same, i.e., q = q′;
(b) the integral parts of the value of each clock with a value below the maximum constant appearing in A are the same, i.e., for any x ∈ X, ⌊ϑ(x)⌋ = ⌊ϑ′(x)⌋, or both ϑ(x) and ϑ′(x) are greater than C_x;
(c) the relative order of the fractional parts of the values of all relevant clocks are the same, i.e., for any two different x, y ∈ X such that ϑ(x) ≤ C x and ϑ(y) 
Given a k-clock timed automaton A, we sketch how to construct a bounded (2k + 2)-counter automaton A ′ such that any reachability problem for A translates into an instance of a reachability problem in A ′ . The idea is to encode each ∼-equivalence class of a configuration of a timed automaton as a single configuration of A ′ . The main difficulty is that conditions (b) -(d) allow for an exponential number of possibilities in |A|, and in order to achieve a logarithmic-space reduction, the conditions (b) -(d) thus cannot directly be hard-wired into the control locations of A ′ , but will instead be encoded into the 2k + 2 counters.
Lemma 3.4. Let A be a k-clock timed automaton and q(ϑ), q ′ (ϑ ′ ) ∈ C(A). Then there is a bounded (2k + 2)-counter automaton A ′ and a function f :
, and f (q ′ (ϑ ′ )) are computable from A, q(ϑ), and q ′ (ϑ ′ ) in logarithmic space.
Proof:
Let m ∈ N be chosen such that m bits are sufficient to represent one plus the maximum integer constant appearing in A. The bounded counter automaton A′ has bounded counters f_1, ..., f_{k+1}, i_1, ..., i_k and t, where the maximum value for the counters f_1, ..., f_{k+1} and t is 2^k − 1 and 2^m − 1 for the counters i_1, ..., i_k. The bit representation of the counters is illustrated in Figure 3, where the least significant bit of each counter is at the bottom and the most significant bit on top.
The counter t serves as temporary storage space. In order to represent a configuration q(ϑ) of A, f_1, ..., f_{k+1} are used as slots that encode the relative order of the clocks with respect to their fractional parts induced by ϑ. The counter f_1 additionally indicates those clocks that have fractional part 0. Since there are k clocks, k + 1 different slots are sufficient. The encoding is such that a clock j is in slot l if the j-th bit of the counter f_l is set, and for the encoding to be faithful, consequently the j-th bit must not be set for any other counter f_{l′} for l′ ≠ l. For l < l′ ∈ [k], whenever clock j is in slot l and clock j′ in l′, i.e., the j-th bit of the counter f_l and the j′-th bit of the counter f_{l′} are set, this indicates that clock j has a value whose fractional part is strictly smaller than the fractional part of the value of clock j′. If the j-th and the j′-th bit of a counter f_l are both set, this indicates that clocks x_j and x_{j′} have the same fractional part. Finally, the counters i_1, ..., i_k are used to store the integral parts of the clocks induced by ϑ in binary, i.e., the counter i_1 encodes the integral part of the first clock, the counter i_2 the integral part of the second clock, etc.
As an example, consider a clock valuation ϑ with ϑ(x_1) = 4.1, ϑ(x_2) = 2.0, ϑ(x_3) = 0.8, ϑ(x_{k−1}) = 0.0 and ϑ(x_k) = 3.8 whose encoding is illustrated in Figure 3. Both clocks x_2 and x_{k−1} have fractional parts 0, hence the second and the (k − 1)-th bit of counter f_1 are set. The fractional part of clock x_1 is greater than the fractional parts of x_2 and x_{k−1}, hence clock x_1 "resides" in the encoding in a slot to the right of the slot of x_2 and x_{k−1}, i.e., in this example in counter f_2 whose first bit is set. Finally, the value of counter i_2 is 2 which corresponds to the integral part of clock x_2, the value of i_k is 3 which corresponds to the integral part of clock x_k, etc.
Let us now describe how to simulate A and let us first consider delay transitions. The effect of a delay transition is that as time increases, clocks with the highest fractional part increase their integral part by one and have their fractional part set to zero. All other clocks do not change their integral parts and the relative order of their fractional parts, but are now in the relative order of their fractional parts to the right of those clocks that changed their integral part. Hence, delay transitions can be simulated by a gadget as follows: first, the value of the counter f k+1 is moved to the temporary counter t and the value of f k+1 is set to zero. Then, we rotate the values of the counters f 1 up to f k by one, i.e., move the value of f 1 to f 2 , the value of f 2 to f 3 until eventually we move the value of the counter f k to f k+1 . All clocks x j that previously "resided" in f k+1 must now have a fractional part equal to zero and their integral part needs to be incremented by one. Setting the fractional part equal to zero corresponds to moving the value that was stored on the temporary counter t to f 1 . Incrementing the integral part of x j corresponds to incrementing the value of the counter i j by one, provided that it has not yet reached its maximum value. If the maximum value has already been reached, no action is performed. In order to simulate A, any control location of A is present in A ′ and has a loop which simulates an elapse of time as described above.
We now describe how to simulate discrete transitions of A. To this end, checking the truth value of a guard of a transition against the currently abstracted clock valuation and resetting of clocks need to be simulated. We illustrate the reduction with the help of an example. Suppose the guard is (x_1 < 6 ∧ x_2 = 4, {x_1}). The constraint x_1 < 6 can be checked in A′ with an edge that is labeled with counter i_1 < 6, checking x_2 = 4 can also be simulated with an edge counter i_2 = 4, but we additionally need to check that clock x_2 has fractional part zero, i.e., is in the first slot, meaning that the second bit of f_1 is set. Simulating a reset of x_1 is also relatively straightforward: we non-deterministically choose the fractional class j of x_1, i.e., the counter f_j whose first bit is set. We then set this bit to zero, i.e., remove 2^0 from f_j, add 2^0 to the counter f_1 and set i_1 to zero. The latter can be implemented with the help of a loop that subtracts 1 from i_1 until a zero-test on i_1 is successful.
It remains to briefly discuss some further technical details left out so far. The task of moving contents between counters of A′ can easily be realised by a slight adaptation of the gadget presented in Figure 1. Testing whether a particular bit of a counter, say the j-th bit of f_l, is set can also be realised in similar fashion: we first copy the value of counter f_l to counter t. Next, we run through a gadget which first subtracts 2^j from t and then non-deterministically subtracts all other powers of two. If a subsequent zero test is successful, the j-th bit of f_l had been set, otherwise we get stuck at some point.
In summary, in order to check q(ϑ) →*_A q′(ϑ′), we construct A′ in logarithmic space, compute counter values n, n′ ∈ N^{2k+2} that represent the abstraction of the clock valuations ϑ, ϑ′ and check q(n) →*_{A′} q′(n′). The converse direction follows straightforwardly by defining a bijection between configurations q(n) and the region abstraction of A; we omit further details.
⊓ ⊔
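The counter encoding of regions and the delay gadget from this proof can be replayed on the valuation used as the running example. The Python code below is an added example, not part of the paper: it takes k = 5, caps integral parts at 7, places the non-zero fractional classes in slots f_2, f_3, ... in increasing order, and models only the successful branch of the non-deterministic reset; all of these choices and the function names are assumptions of the example.

```python
from fractions import Fraction
from math import floor

def encode(valuation, cap):
    """Slots f[0..k] (for f_1..f_{k+1}) and integral counters ints[0..k-1].
    Bit j-1 of a slot marks clock x_j; f[0] holds the clocks with fraction 0.
    Assumption: non-zero fractional classes fill f_2, f_3, ... in order."""
    f = [0] * (len(valuation) + 1)
    classes = sorted({v - floor(v) for v in valuation} - {Fraction(0)})
    for j, v in enumerate(valuation):
        frac = v - floor(v)
        slot = 0 if frac == 0 else 1 + classes.index(frac)
        f[slot] |= 1 << j
    return f, [min(floor(v), cap) for v in valuation]

def delay_step(f, ints, cap):
    """One pass through the delay gadget: f_{k+1} goes to t, the slots
    f_1..f_k shift right by one, t goes to f_1, and every clock that was in
    f_{k+1} has its integral counter incremented unless it is at its maximum."""
    t = f[-1]
    f = [t] + f[:-1]
    ints = [min(n + 1, cap) if (t >> j) & 1 else n for j, n in enumerate(ints)]
    return f, ints

def after_delays(f, ints, steps, cap):
    for _ in range(steps):
        f, ints = delay_step(f, ints, cap)
    return f, ints

def region(f, ints):
    """Slot-position independent view: integral parts, clocks with fraction
    zero, and the non-empty fractional classes in increasing order."""
    return tuple(ints), f[0], tuple(s for s in f[1:] if s)

def holds_lt(f, ints, j, n):
    """Guard x_j < n: only the integral counter i_j is inspected."""
    return ints[j - 1] < n

def holds_eq(f, ints, j, n):
    """Guard x_j = n: i_j equals n and bit j of f_1 is set."""
    return ints[j - 1] == n and (f[0] >> (j - 1)) & 1 == 1

def reset(f, ints, j):
    """Reset of x_j: clear its bit in whichever slot holds it, set it in f_1,
    and set i_j to zero (the branch of the gadget that guesses the slot)."""
    bit = 1 << (j - 1)
    f = [s & ~bit for s in f]
    f[0] |= bit
    return f, ints[:j - 1] + [0] + ints[j:]

# The valuation from the text with k = 5: x_1..x_5 = 4.1, 2.0, 0.8, 0.0, 3.8.
SAMPLE = [Fraction(s) for s in ("4.1", "2.0", "0.8", "0.0", "3.8")]
CAP = 7  # 2^m - 1 with m = 3, enough for one plus the constant 6

if __name__ == "__main__":
    f, ints = encode(SAMPLE, CAP)
    print(f, ints)
    moved = after_delays(f, ints, 4, CAP)
    later = encode([v + Fraction(1, 5) for v in SAMPLE], CAP)
    print(region(*moved) == region(*later))
```

Four passes through the delay gadget lead to the region of the valuation 0.2 time units later, in which x_3 and x_5 have just reached integer values.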
The case of two clocks and one bounded counter
We now consider the special case of two-clock timed automata and show that reachability for this class of timed automata is logarithmic-space inter-reducible with reachability in bounded one-counter automata. Our first observation is that the direction from bounded one-counter automata to two-clock timed automata can be obtained as a trivial adaptation of the construction given in Lemma 3.3, from which we obtain the following lemma.
Lemma 4.1. Let A be a bounded one-counter automaton and q(n), q′(n′) ∈ C(A). There exists a two-clock timed automaton A′ and a function f :
The remainder of this section is devoted to a reduction in the converse direction, which is slightly more involved. We first formally define two gadgets that will be used in this reduction. The first gadget adds a number to the counter that is non-deterministically selected from an interval whose endpoints are given in binary. This is formalised in the following lemma.
Lemma 4.2. Let a < b ∈ N. There exists a logarithmic-space computable bounded one-counter automaton A with control locations q, q′ such that for all n, n′ ∈ N, q(n) →*_A q′(n′) iff n′ − n ∈ [a, b].
Proof:
The main idea is that any natural number can be expressed as a sum of powers of two minus one, and that we can construct a gadget which allows for adding any number between zero and a power of two minus one.
Let us first show how a natural number b ∈ N can be written as a sum of powers of two minus one. For any m ∈ N, define
We Next, a gadget A_i that allows for adding a value in the interval [0, 2^i − 1] can be constructed straightforwardly:
Now for the construction of A from a, b ∈ N required in the lemma, we first consider the case a = 0 and proceed as follows. For the sequence of (k i ) i>0 as defined above, we construct the above gadgets
In the general case where a takes an arbitrary value from N, we construct a one-counter automaton A as above that allows for representing any number in the interval [0, b − a] and add a new initial location that has a transition to the initial control location of A that adds a to the counter.
□
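The following Python sketch is an added example, not the paper's own construction: it builds an interval-adding gadget in the spirit of Lemma 4.2 and checks it by exhaustive exploration. The greedy decomposition of b − a into terms 2^k − 1, the edge encoding (src, add, dst) and all function names are assumptions of this example, and the counter bound is assumed large enough never to block a transition.

```python
def decompose(m):
    """Exponents k_1 >= k_2 >= ... with m == sum(2**k - 1 for k in result).

    Greedy choice (an assumption of this example): always take the largest
    k with 2**k - 1 <= m. The exponents strictly decrease, except that the
    last two may coincide, so there are O(log m) terms.
    """
    exponents = []
    while m > 0:
        k = (m + 1).bit_length() - 1
        exponents.append(k)
        m -= 2**k - 1
    return exponents


def build_gadget(a, b):
    """Return (edges, q, q_final); an edge (src, add, dst) adds `add` to the counter."""
    if not 0 <= a < b:
        raise ValueError("expected 0 <= a < b")
    edges = [(0, a, 1)]            # new initial location: add the offset a
    loc = 1
    for k in decompose(b - a):     # one sub-gadget per term 2**k - 1
        for j in range(k):         # bit j: either skip it or add 2**j
            edges.append((loc, 0, loc + 1))
            edges.append((loc, 2**j, loc + 1))
            loc += 1
    return edges, 0, loc


def increments(edges, q, q_final):
    """All n' - n such that q(n) ->* q_final(n'), by exhaustive exploration."""
    by_src = {}
    for src, add, dst in edges:
        by_src.setdefault(src, []).append((add, dst))
    seen = {(q, 0)}
    stack = [(q, 0)]
    while stack:
        loc, total = stack.pop()
        for add, dst in by_src.get(loc, []):
            if (dst, total + add) not in seen:
                seen.add((dst, total + add))
                stack.append((dst, total + add))
    return sorted(total for loc, total in seen if loc == q_final)


if __name__ == "__main__":
    edges, q, q_final = build_gadget(5, 37)
    print(len(edges), increments(edges, q, q_final) == list(range(5, 38)))
```

The number of edges grows with the square of the bit length of b − a, while the set of increments the gadget realises has b − a + 1 elements.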
The second gadget allows for checking that the current counter value lies in a certain interval without destroying it.
Lemma 4.3. Let a < b ∈ N. There exists a logarithmic-space computable bounded one-counter automaton A with control locations q, q′ such that for all n ∈ N, q(n) →*_A q′(n′) iff n ∈ [a, b].
Proof:
The automaton A consists of two consecutive transitions: the first checks that the counter is greater than or equal to a and the second that it is less than or equal to b. As defined in Section 2.4.1, those tests do not alter the value of the counter.
□
For the remainder of this section, fix a two-clock timed automaton A = (Q, X, ∆, ξ) such that X = {x, y}. In the following, we describe how to construct in logarithmic space a bounded one-counter automaton A ′ = (Q ′ , ∆ ′ , b, ξ ′ ) that simulates A. For technical convenience we assume that the counter of A ′ takes values from an interval in (1/2)Z, cf. Section 2.4.1. The set of control locations Q ′ of A ′ contains as a subset the control locations of Q paired with abstractions of clock valuations. We first define these abstractions.
Let C x = {x 1 , . . . , x a } be the ordered set of x-constants in A, i.e., x i < x i+1 for i ∈ [a − 1], and let C y = {y 1 , . . . , y b } be the ordered set of y-constants, where x 1 = y 1 = 0. We define the augmented sets C ∞ x and C ∞ y as C ∞
, where x a+1 and y b+1 identify ∞ in C ∞ x and C ∞ y , respectively. The set of regions R of A is defined as
which is a subset of
and that R is computable in logarithmic space. Subsequently, we will write r to identify a region from R. With each region r ∈ R, we associate a set of clock valuations ϑ(r) in the obvious way, i.e.,
Hence R partitions the set of all clock valuations. Moreover, any two clock valuations in the same region r cannot be distinguished by the clock constraints of A, i.e., for any two ϑ, ϑ ′ ∈ ϑ(r) and any clock constraint φ occurring as a label of a transition of A, we have ϑ |= φ iff ϑ ′ |= φ. The left-hand side of Figure 4 depicts the regions of a two-clock timed automaton A with C x = {0, 1, 5} and C y = {0, 1, 3}. The stroked lines in the first quadrant indicate the regions of A, e.g., (1, 1, 5, 3 ) and (5, 3, ∞, ∞) are regions of A.
A further abstraction that we use builds upon the set of clock differences D ⊆ Z of A, which is defined as D def = {c x − c y : c x ∈ C x , c y ∈ C y }. We write D as the ordered set D = {d 1 , . . . , d c }. Our abstraction is the set of clock difference zones Z of A, which is a set of symbolic intervals on Z defined as
Here, we also have |Z| = O(|A| 2 ). We subsequently write z to identify a clock difference zone from Z. With each z ∈ Z, we associate a set of clock valuations
which gives us an abstraction. For instance, [0, 0], (−1, 0) and (2, 4) are clock difference zones in the example illustrated in the right-hand side of Figure 4 , where the dashed lines and the space between them indicate clock difference zones. Note that the set of clock difference zones Z partitions the set of all clock valuations as well. Informally speaking, suppose we know that a clock valuation ϑ is in some region r, then the clock difference zone adds additional information that allows for determining where the clock is located with respect to the corner points of r.
Applying the previous definitions, we now define those control locations of A ′ that we employ for simulating time delay transitions of A. To this end, we pair each q ∈ Q with a region and a clock difference zone:
The whole set Q ′ of control locations of A ′ will be defined subsequently and in addition contain control locations which simulate discrete transitions. Each tuple (q, (r, z)) represents a set {q(ϑ) : ϑ ∈ ϑ(r) ∩ ϑ(z)} of configurations of A, and we can associate with every configuration q(ϑ) of A a control location
where r, z are uniquely chosen such that ϑ ∈ ϑ(r) ∩ ϑ(z). Referring to the example given in Figure 4 , we have q({x → 3.5,
Given r ∈ R and z ∈ Z such that ϑ(r) ∩ ϑ(z) ≠ ∅, in order to discretely simulate delay transitions of A, we define the successor succ(r, z) of r with respect to z. Informally speaking, elapse of time can be simulated by moving from region to region along the dashed lines in Figure 4. Let us first consider the case z = [d, d] and suppose in the following that r ∈ C x × C y × C x × C y :
, we only sketch the definition of succ(r, z); it can be extended in the obvious way. Again, suppose in the following that x i+1 ≠ ∞ and y j+1 ≠ ∞, we define
Regions which involve clocks whose value is ∞ can be handled analogously, e.g. as:
• if r = (x, y, ∞, ∞) then succ(r, z) def = (∞, ∞, ∞, ∞);
The definition of the remaining cases follows analogously. It is not difficult to check that succ(r, z) can be computed in logarithmic space. As an example, referring to Figure 3, 5, 3) . Notice that the successor region in particular depends on the clock difference zone. In order to simulate time delay steps, A ′ contains transitions from each (q, (r, z)) to (q, (succ(r, z), z)) which perform no action on the counter. Note that the clock difference zone remains unaffected by those transitions and only the region is changed. The following lemma now establishes the faithfulness of the simulation of delay transitions of A by A ′ .
Proof:
Let q(ϑ) † = (q, (r, z)) and first observe that
This in particular implies that for any d ∈ R ≥0 we have q(ϑ + d) † = (q, (r ′ , z)) for some region r ′ ; however the clock difference zone is always z. (r i , z) ) for regions r 1 , . . . , r k such that succ(r i , z) = r i+1 . But then by the construction of A ′ , we have:
The converse direction follows analogously.
□
Note that, informally speaking, we only simulate delay steps between regions but not inside regions. However, elapse of time inside regions only needs to be considered when resetting clocks. In order to handle clock resets, we define a further abstraction that establishes a correspondence between clock valuations and counter values of A ′ . For our construction, we allow the counter to take values from a bounded interval in 0.5Z and define the set of counter values as
We use the counter to partition the set of clock valuations. For n ∈ V , we define
We use the definition of ϑ(n) to map configurations of A to configurations of A ′ . For any clock valuation ϑ, let ϑ ‡ denote the unique n ∈ V such that ϑ ∈ ϑ(n). We define
Referring to the example in Figure 4 , we have V = {−3.5, 3, −2.5, . . . , 4.5, 5, 5.5}, and, for instance, ((1, 1, 5, 3 ), [2, 2] )) (2) q(x → 3.75, y → 1, 5}) ‡ = (q, ((1, 1, 5, 3 ), (2, 4)))(2.5).
The partitioning of the clock valuations through the counter value is less coarse than through clock difference zones. It classifies clock valuations according to whether the difference between the clocks is a fixed integer, lies strictly in a unit interval between two consecutive fixed integers, or lies outside the "relevant" integers. That, however, leads to a number of partitions which is exponential in the size of A due to binary encoding of numbers, which is the reason why we store this abstraction of clock valuations in the counter value and do not encode it into the control states as we did for the other abstractions discussed above. While simulating A through A ′ , via the gadget defined in Lemma 4.3 we can always ensure that if we are in a configuration (q, (r, z))(n) of A ′ then n is consistent with z, i.e., n ∈ z and a fortiori n ∈ r. In particular, this gadget allows for non-deterministically choosing the correct clock difference zone with respect to the current counter value.
The key point is that this additional abstraction of the difference of the two clocks into the counter, together with the abstraction of regions and clock difference zones, provides sufficient information to faithfully simulate clock resets. In the general case, this is most relevant to regions of the form r = (x i , y i , x i+1 , y i+1 ). Depending on the clock difference zone z, knowing that ϑ ∈ ϑ(r) ∩ ϑ(z) and the difference ϑ(x) − ϑ(y) allows for deriving bounds on ϑ(x) and ϑ(y), as shown by the following lemma.
Lemma 4.5. Let ϑ be such that ϑ(x) − ϑ(y) = d. Then the following hold:
(ii) if y 1 < ϑ(y) < y 2 then d + y 1 < x < d + y 2 ;
(iii) if ϑ(x) < x 2 and y 1 < ϑ(y) then d + y 1 < ϑ(x) < x 2 and d − x 2 < −ϑ(y) < −y 1 ; and
(iv) if x 1 < ϑ(x) and ϑ(y) < y 2 then x 1 < ϑ(x) < d + y 2 and −y 2 < −ϑ(y) < d − x 1 .
Proof:
Immediate.
□
Each case in Lemma 4.5 is induced by the boundaries of the intersection of r with a possible clock difference zone. The benefit of the lemma is that in order to, for instance, faithfully simulate a reset of clock x in Case (i), we only have to subtract some value from the counter (which stores an abstraction of the difference between the clocks) that lies in the interval [x 1 , x 2 ], which can be achieved by an appropriate adaptation of the gadget constructed in Lemma 4.2.
We are now ready to describe the technical particularities of how to simulate discrete transitions and clock resets. Throughout the remainder of this section, whenever we consider a configuration (q, (r, z))(n) of A′ that corresponds to some configuration q(ϑ) of A, it is helpful to think of ϑ as lying, if possible, at or, otherwise, infinitesimally close to the bottom left corner of ϑ(r) ∩ ϑ(n). In addition to the control locations mentioned above, Q′ contains control locations that we use to initiate the simulation of clock resets:
If (q, q ′ ) ∈ ∆, ξ(q, q ′ ) = (φ, Y ) and ϑ |= ξ(q, q ′ ) for all ϑ ∈ ϑ(r) ∩ ϑ(z) then, depending on which clocks are required to be reset by Y , ∆ ′ contains a transition from (q, (r, z)) to (q ′ , (r, z), reset x ), (q ′ , (r, z), reset y ) or (q ′ , (r, z), reset x ,y ), which perform no action on the counter. If no clock is required to be reset, i.e., Y = ∅, then (q, (r, z)) directly connects to (q ′ , (r, z)). Note that checking whether ϑ |= φ for all ϑ ∈ ϑ(r) ∩ ϑ(z) can be performed in logarithmic space, since ϑ |= φ for all ϑ ∈ ϑ(r) ∩ ϑ(z) iff ϑ |= φ for any ϑ ∈ ϑ(r) ∩ ϑ(z).
As discussed above, the way we deal with simulating clock resets through A′ requires a change of the counter value of A′. The simplest case is the simulation of a reset of both clocks x, y. This can easily be realised by a gadget which sets the counter to 0, changes r to (0, 0, 0, 0) and z to [0, 0]. Thus we are left with the case of resetting one clock where things become slightly more complicated, in particular when we simulate a reset on a clock valuation ϑ such that ϑ ∈ ϑ(r) for r = (x i , y j , x i+1 , y j+1 ). As described above, so far we have only abstracted from delay transitions which change regions, but now we are confronted with also taking delays into account which happen inside regions. Informally speaking, when resetting a clock, those delays determine where we land on the x- respectively y-axis, cf. Figure 4.
In the following, we consider two representative cases that show how to simulate resetting a single clock of A in A ′ , the other cases can be derived analogously.
and we wish to reset clock y of a clock valuation ϑ ∈ ϑ(r) ∩ ϑ(z). Consequently, the value of the counter is d. In region r, the value of clock y can take any value in the interval (y i , y j+1 ), which corresponds to Case (ii) in Lemma 4.5. Consequently, after resetting y the value of clock x lies in the interval (d + y 1 , d + y 2 ). Such a counter value can be achieved as follows:
• connect (q, (r, z), reset y ) to a gadget that non-deterministically adds some value from the interval [y j + 0.5, y j+1 − 0.5] to the counter, as defined in Lemma 4.2;
• then non-deterministically guess z ′ ∈ Z and verify with the gadget defined in Lemma 4.3 that z ′ is consistent with the new counter value before switching to the control location
Let us illustrate this case with the help of Figure 4, for example with r = (1, 1, 5, 3) and z = [1, 1]. In this example, if we consider a clock valuation ϑ infinitesimally close to (2, 1), let time elapse while staying inside r and then reset clock y, we obtain a new clock valuation ϑ ′ such that ϑ ′ (x) ∈ (2, 4) and hence q(ϑ ′ ) ‡ = (q, (r ′ , z ′ ))(n ′ ), where r ′ = (1, 0, 5, 0), z ′ ∈ {(2, 3), [3, 3], (3, 4)} and n ′ ∈ {2.5, 3, 3.5} such that z ′ and n ′ are consistent. In particular, the new value of the counter is obtained by non-deterministically adding a value from the interval between the y-boundaries 1 and 3 of r to the counter.
In order to reset clock x, we observe that for a faithful simulation the new counter value has to lie in the interval [−y j+1 + 0.5, −y j − 0.5], which can easily be achieved by a gadget that nondeterministically guesses a counter value in that interval and then proceeds as in the case of resetting y.
(ii) Case: r = (x i , y j , x i+1 , y j+1 ), z = (d k , d k+1 ) and the boundaries of the intersection of ϑ(z) and ϑ(r) lie at (x i , y j , x i , y j+1 ) and (x i , y j+1 , x i+1 , y j+1 ), and suppose that we wish to reset the clock y. When entering zone r, in this case when time elapses we always know that x i < ϑ(x) and ϑ(y) < y 2 , which corresponds to Case (iv) in Lemma 4.5. By application of the lemma, resetting clock y formally boils down to the following procedure:
• connect (q, (r, z), reset y ) to a gadget that adds y j+1 − 0.5 to the counter;
• then non-deterministically subtract 0.5 from the counter and check that the newly guessed counter value n ′ is strictly above x i ;
• and finally non-deterministically guess z ′ ∈ Z and verify with the gadget defined in Lemma 4.3 that z ′ is consistent with the new configuration (q ′ , (x i , 0, x i+1 , 0), z ′ )(n ′ ).
In Figure 4 , this case can be illustrated with r = (1, 1, 5, 3) and z = (−1, 0).
In order to simulate resetting clock x, we proceed analogously according to Lemma 4.5 and subtract x i from the counter, non-deterministically subtract 0.5 and verify that the counter is strictly above −y j+1 .
All remaining cases have a symmetric counterpart that we discussed before, and it is not difficult to check that all constructions can be performed in logarithmic space. Dealing with resets in regions of the form (x i , y i , x i , y i ), (x i , y i , x i+1 , y i ) and (x i , y i , x i , y i+1 ) can be simulated in the obvious way, since no elapse of time inside those regions can occur.
In order to reduce an arbitrary instance q(ϑ) →*_A q′(ϑ′) of a reachability problem in a two-clock timed automaton A to a reachability problem in a bounded one-counter automaton, we construct A′ as described above, but use the sets C x ∪ {ϑ(x), ϑ′(x)} and C y ∪ {ϑ(y), ϑ′(y)} in order to construct the regions and clock difference zones of A′. Summing up, in this section we have demonstrated how to construct in logarithmic space from A, q(ϑ) and q′(ϑ′) a bounded one-counter automaton A′ and compute in logarithmic space configurations q(ϑ)‡, q′(ϑ′)‡ ∈ C(A′) such that q(ϑ) →*_A q′(ϑ′) iff q(ϑ)‡ →*_{A′} q′(ϑ′)‡. In summary, we have thus shown the following theorem.
Theorem 4.6. Reachability in two-clock timed automata is logarithmic-space inter-reducible with reachability in bounded one-counter automata.
An open problem
Here, we wish to discuss a particular subclass of bounded one-counter automata for which the precise computational complexity of reachability remains an open problem. This class is called one-dimensional bounded vector addition systems (1-dim bounded VAS), which are essentially bounded one-counter automata consisting of a single state with a finite number of self loops. Formally, a 1-dimensional bounded VAS is a tuple A = (b, ∆) with b ∈ N >0 being a bound and ∆ ⊆ {z ∈ Z : |z| ∈ [0, b]} being a finite set of transitions. As expected, their size is defined as |A| = |∆|size(b), and the induced finite transition system is T (A) = ([0, b], → A ) such that n → A n ′ iff n ′ = n + z for some z ∈ ∆ and all n, n ′ ∈ [0, b]. Despite their simplicity, the shortest run between two given configurations can have length exponential in the size of A. Of course, the PSPACE upper bound for reachability trivially carries over to 1-dim bounded VAS. Moreover, by a reduction from a variant of the subset sum problem, it is not difficult to show that reachability is NP-hard despite the lack of a control structure in 1-dim bounded VAS, cf. [12, Prop. 4.1.2]. However, the PSPACE lower bound for reachability in bounded one-counter automata from [9] does not obviously carry over to the setting of 1-dim bounded VAS. Moreover, when restricting to only two transitions, it is shown in [12, Lemma 4.3.2] that reachability can be decided in NP via the computation of the discrete volume of a certain polytope that can be associated with a reachability instance of a 1-dim bounded VAS. We thus have the following open problem:
Is the reachability problem for 1-dim bounded VAS NP-complete?
As a final remark, note that the reachability problem for 4-dim bounded VAS becomes PSPACE-complete, since the construction of Hopcroft and Pansiot [15, Lemma 2.1] can be applied in order to simulate control states with three additional bounded counters.
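To make the definition of a 1-dim bounded VAS concrete, the following added Python example (not code from the paper) decides reachability in T(A) = ([0, b], →_A) by breadth-first search and returns the length of a shortest run. The function names are assumptions of this example, as is taking size(b) to be the bit length of b. The search enumerates up to b + 1 configurations, which is exponential in |A|, so it illustrates the problem rather than a complexity bound.

```python
from collections import deque


def shortest_run(bound, delta, start, target):
    """Length of a shortest run start ->* target in T(A), or None if none exists.

    A = (bound, delta) is a 1-dim bounded VAS: a step n -> n + z with z in
    delta is allowed only if both n and n + z lie in [0, bound].
    """
    if bound <= 0 or any(abs(z) > bound for z in delta):
        raise ValueError("need bound > 0 and |z| <= bound for every z in delta")
    if not (0 <= start <= bound and 0 <= target <= bound):
        raise ValueError("configurations must lie in [0, bound]")
    dist = {start: 0}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        if n == target:
            return dist[n]
        for z in delta:
            m = n + z
            if 0 <= m <= bound and m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return None


def vas_size(bound, delta):
    """|A| = |delta| * size(b), with size(b) assumed to be the bit length of b."""
    return len(delta) * bound.bit_length()


if __name__ == "__main__":
    # Constructed instances. The bound decides reachability: with delta =
    # {+5, -3}, configuration 1 is reachable from 0 under bound 7, not under 6.
    print(shortest_run(7, {5, -3}, 0, 1))   # run 0, 5, 2, 7, 4, 1
    print(shortest_run(6, {5, -3}, 0, 1))   # stuck after 0, 5, 2
    # A shortest run whose length is exponential in the size of A.
    k = 12
    print(vas_size(2**k, {1}), shortest_run(2**k, {1}, 0, 2**k))
```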
Conclusion
In this paper, we have established relationships between reachability problems in timed automata and counter automata. For reachability problems in timed automata with k ≥ 3 clocks, we have provided a logarithmic-space reduction to reachability in bounded (2k + 2)-counter automata (whose reachability problem can in turn be reduced to reachability in two-counter automata). In the special case of two-clock timed automata we showed that the reachability problem can, in a more elaborate way, be reduced to reachability in bounded one-counter automata. We closed the circle by showing that reachability in bounded one- and two-counter automata reduces to reachability in two- and three-clock timed automata, respectively. Finally, we discussed reachability in 1-dim bounded VAS, for which the precise complexity remains an interesting open problem.
