Revisiting Reachability in Timed Automata by Quaas, Karin et al.
arXiv:1702.03450v2 [cs.LO] 18 Apr 2017

Revisiting Reachability in Timed Automata
Karin Quaas*, Mahsa Shirmohammadi†, James Worrell†
*Universität Leipzig, Germany
†University of Oxford, UK
Abstract—We revisit a fundamental result in real-time verification, namely that the binary reachability relation between configurations of a given timed automaton is definable in linear arithmetic over the integers and reals. In this paper we give a new and simpler proof of this result, building on the well-known reachability analysis of timed automata involving difference bound matrices. Using this new proof, we give an exponential-space procedure for model checking the reachability fragment of the logic parametric TCTL. Finally we show that the latter problem is NEXPTIME-hard.
Index Terms—Timed automata, Reachability, Difference Bound Matrices, Linear Arithmetic, Model Checking
I. INTRODUCTION
The PSPACE-completeness of the reachability problem for timed automata is arguably the most fundamental result in real-time verification. This theorem was established by Alur and Dill in [1], for which they were awarded the Alonzo Church award in 2016. The reachability problem has been intensively studied in the intervening 20 years, leading to practical algorithms and generalisations to more expressive models. As of now, [1] is the most cited paper that has appeared in the journal Theoretical Computer Science.
Properly speaking, Alur and Dill considered reachability between control states (also called locations). The problem of computing the binary reachability relation over configurations (both control states and clock valuations) is more involved. Here the main result is due to Comon and Jurski [2], who showed that the reachability relation of a given timed automaton is effectively definable by a formula of first-order linear arithmetic over the reals augmented with a unary predicate denoting the integers. Importantly, this fragment of mixed linear arithmetic has a decidable satisfiability problem, e.g., by translation to S1S.
Despite its evident utility, particularly for parametric verification, it is fair to say that the result of Comon and Jurski has proven less influential than that of Alur and Dill. We believe that this is due both to the considerable technical complexity of the proof, which runs to over 40 pages in [3], and to the implicit nature of their algorithm, which makes it hard to extract complexity bounds.
In this paper we revisit the result of Comon and Jurski. Our two main contributions are as follows:
• We give a new and conceptually simpler proof that generalises the classical reachability algorithm for timed automata involving difference bound matrices and standard operations thereon. The key new idea is to carry out the algorithm on a symbolically presented initial configuration. This approach is fundamentally different from that of [2], the main part of which involves a syntactic transformation showing that every timed automaton can be effectively emulated by a flat timed automaton, i.e., one that does not contain nested loops in its control graph.
• We apply our strengthened formulation of the Comon-Jurski result to parametric model checking. We show that the formula representing the reachability relation can be computed in time singly exponential in the size of the timed automaton. Using this bound on the formula size and utilising results of [4], [5] on quantifier elimination for first-order logic over the reals and integers, we show that the model checking problem for the reachability fragment of the temporal logic parametric TCTL is decidable in exponential space. We show in the main body of the paper that this problem is NEXPTIME-hard and sketch in the conclusion how to obtain matching upper and lower bounds.
There are two main steps in our approach to computing a formula representing the reachability relation. First, given a timed automaton $\mathcal{A}$ and a configuration $\langle \ell, \nu\rangle$ of $\mathcal{A}$, we construct a version of the region automaton of [1] that represents all configurations reachable from $\langle \ell, \nu\rangle$. Unlike [1] we do not identify all clock values above the maximum clock constant; so our version of the region automaton is a counter machine rather than a finite state automaton. The counters are used to store the integer parts of clock valuations of reachable configurations, while the fractional parts of the clock valuations are aggregated into zones that are represented within the control states of the counter machine by difference bound matrices. Since the counters mimic clocks they are monotonic, and so the reachability relation on such a counter machine is definable in a weak fragment of Presburger arithmetic.
The second step of our approach is to make the previous construction parametric: we show that the form of the counter machine does not depend on the precise numerical values of the clocks in the initial valuation $\nu$, just on a suitable logical type of $\nu$. Given such a type, we develop a parametric version of the counter-machine construction. Combining this construction with the fact that the reachability relation for the considered class of counter machines is definable in a fragment of Presburger arithmetic, we obtain a formula that represents the full reachability relation of the timed automaton $\mathcal{A}$.
A. Related Work
Dang [6] has generalised the result of Comon and Jurski, showing that the binary reachability relation for pushdown timed automata is definable in linear arithmetic. The approach in [6] relies on a finite partition of the fractional parts of clock valuations into so-called patterns, which play a role analogous to types in our approach. The notion of pattern is ad hoc and, as remarked by Dang, relatively complicated. In particular, patterns lack the simple characterisation in terms of difference constraints that is possessed by types. The latter is key to our result that the reachability relation can be expressed by a Boolean combination of difference constraints.
Dima [7] gives an automata-theoretic representation of the reachability relation of a timed automaton. To this end he introduces a class of automata whose runs encode tuples in such a relation. The main technical result of [7] is to show that this class of automata is effectively closed under relational reflexive-transitive closure.
The model checking problem for parametric TCTL was studied by Bruyère et al. [8], [9] in the case of integer-valued parameters. Here we allow real-valued parameters, which leads to a strictly more expressive semantics.
Parametric DBMs have been used in [10], [11] to analyse reachability in parametric timed automata. These are related to but different from the parametric DBMs occurring in Subsection III-C.
B. Organisation
We introduce and state our main results in the body of the paper. The central constructions underlying our proofs are also given in the body, along with illustrative examples. Many of the proof details are relegated to the appendix.
II. MAIN DEFINITIONS AND RESULTS
A. Timed Automata
Given a set $\mathcal{X} = \{x_1, \dots, x_n\}$ of clocks, the set $\Phi(\mathcal{X})$ of clock constraints is generated by the grammar
$$\varphi ::= \mathit{true} \mid x < k \mid x = k \mid x > k \mid \varphi \wedge \varphi,$$
where $k \in \mathbb{N}$ is a natural number and $x \in \mathcal{X}$. A clock valuation is a mapping $\nu : \mathcal{X} \to \mathbb{R}_{\ge 0}$, where $\mathbb{R}_{\ge 0}$ is the set of non-negative real numbers. We denote by $\mathbf{0}$ the valuation such that $\mathbf{0}(x) = 0$ for all $x \in \mathcal{X}$. Let $\mathbb{R}^{\mathcal{X}}_{\ge 0}$ be the set of all clock valuations. We write $\nu \models \varphi$ to denote that $\nu$ satisfies the constraint $\varphi$. Given $t \in \mathbb{R}_{\ge 0}$, we let $\nu + t$ be the clock valuation such that $(\nu + t)(x) = \nu(x) + t$ for all clocks $x \in \mathcal{X}$. Given $\lambda \subseteq \mathcal{X}$, let $\nu[\lambda \leftarrow 0]$ be the clock valuation such that $\nu[\lambda \leftarrow 0](x) = 0$ if $x \in \lambda$, and $\nu[\lambda \leftarrow 0](x) = \nu(x)$ if $x \notin \lambda$. We typically write $\nu_i$ as shorthand for $\nu(x_i)$, and by convention we define $\nu_0 = 0$. For all $r \in \mathbb{R}$, let $\mathrm{frac}(r)$ be the fractional part of $r$, and $\lfloor r \rfloor$ its integer part. Denote by $\mathrm{frac}(\nu)$ and $\lfloor \nu \rfloor$ the valuations such that $(\mathrm{frac}(\nu))(x_i) = \mathrm{frac}(\nu_i)$ and $\lfloor \nu \rfloor(x_i) = \lfloor \nu_i \rfloor$ for all clocks $x_i \in \mathcal{X}$.
A timed automaton is a tuple $\mathcal{A} = \langle L, \mathcal{X}, E \rangle$, where $L$ is a finite set of locations, $\mathcal{X}$ is a finite set of clocks and $E \subseteq L \times \Phi(\mathcal{X}) \times 2^{\mathcal{X}} \times L$ is the set of edges.
The semantics of a timed automaton $\mathcal{A} = \langle L, \mathcal{X}, E \rangle$ is given by a labelled transition system $\langle Q, \Rightarrow \rangle$ with set of configurations $Q = L \times \mathbb{R}^{\mathcal{X}}_{\ge 0}$ and set of transition labels $\mathbb{R}_{\ge 0}$. A configuration $\langle \ell, \nu \rangle$ consists of a location $\ell$ and a clock valuation $\nu$. Given two configurations $\langle \ell, \nu \rangle$ and $\langle \ell', \nu' \rangle$, we postulate:
• a delay transition $\langle \ell, \nu \rangle \xRightarrow{d} \langle \ell', \nu' \rangle$ for some $d \ge 0$, if $\nu' = \nu + d$ and $\ell = \ell'$;
• a discrete transition $\langle \ell, \nu \rangle \xRightarrow{0} \langle \ell', \nu' \rangle$, if there is an edge $\langle \ell, \varphi, \lambda, \ell' \rangle$ of $\mathcal{A}$ such that $\nu \models \varphi$ and $\nu' = \nu[\lambda \leftarrow 0]$.
A run $\rho = q_0 \xRightarrow{d_1} q_1 \xRightarrow{d_2} q_2 \xRightarrow{d_3} \cdots$ of $\mathcal{A}$ is a (finite or infinite) sequence of delay and discrete transitions in $\langle Q, \Rightarrow \rangle$. We require infinite runs to have infinitely many discrete transitions and to be non-zeno, that is, we require $\sum_{i=1}^{\infty} d_i$ to diverge.
Henceforth we assume that in any given timed automaton with set $\mathcal{X}$ of clocks, $x_n$ is a special reference clock that is never reset. Clearly this assumption is without loss of generality for encoding the reachability relation.
Note that we consider timed automata without diagonal constraints, that is, guards of the form $x_i - x_j \sim k$, for $k$ an integer. It is known that such constraints can be removed without affecting the reachability relation (see [1], [12]).
B. Linear Arithmetic
In this section we introduce a first-order language $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ in which to express the reachability relation of a timed automaton.
Language $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ has two sorts: a real-number sort and an integer sort. The collection $\mathcal{T}_{\mathbb{R}}$ of terms of real-number sort is specified by the grammar
$$t ::= c \mid r \mid t + t \mid t - t,$$
where $c \in \mathbb{Q}$ is a constant and $r \in \{r_0, r_1, \dots\}$ is a real-valued variable. Given terms $t, t' \in \mathcal{T}_{\mathbb{R}}$, we have an atomic formula $t \le t'$. The collection $\mathcal{T}_{\mathbb{Z}}$ of terms of integer sort is specified by the grammar
$$t ::= c \mid z \mid t + t \mid t - t,$$
where $c \in \mathbb{Z}$ is a constant and $z \in \{z_0, z_1, \dots\}$ is an integer variable. Given terms $t, t' \in \mathcal{T}_{\mathbb{Z}}$, we have atomic formulas $t \le t'$ and $t \equiv t' \pmod m$, where $m \in \mathbb{Z}$. Formulas of $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ are constructed from atomic formulas using Boolean connectives and first-order quantifiers.
Throughout the paper we consider a fixed semantics for $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ over the two-sorted structure in which the real-number sort is interpreted by $\mathbb{R}$, the integer sort by $\mathbb{Z}$, and with the natural interpretation of addition and order on each sort.
The sublanguage $\mathcal{L}_{\mathbb{R}}$ of $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ involving only terms of real-number sort is called real arithmetic. The sublanguage $\mathcal{L}_{\mathbb{Z}}$ involving only terms of integer sort is called Presburger arithmetic. Optimal complexity bounds for deciding satisfiability of sentences of real arithmetic and Presburger arithmetic are given in [13] with, roughly speaking, real arithmetic requiring single exponential space and Presburger arithmetic double exponential space.
Proposition 1. Deciding the truth of a sentence in the existential fragment of $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ can be done in NP.
Proof. The respective decision problems for the existential fragment of real arithmetic and the existential fragment of Presburger arithmetic are in NP [14], [15]. Deciding the truth of a sentence in the existential fragment of $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ is therefore also in NP, since we can guess truth values for the Presburger and real-arithmetic subformulas, and separately check realisability of the guessed truth values in non-deterministic polynomial time.
For the purpose of model checking, it will be useful to establish complexity bounds for a language $\mathcal{L}^{*}_{\mathbb{R},\mathbb{Z}}$, intermediate between $\mathcal{L}_{\mathbb{R}}$ and the full language $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$. The language $\mathcal{L}^{*}_{\mathbb{R},\mathbb{Z}}$ arises from $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ by restricting the atomic formulas over terms of integer sort to have the form
$$z - z' \le c \;\mid\; z \le c \;\mid\; z - z' \equiv c \pmod d \qquad (1)$$
for integer variables $z, z'$ and integers $c, d$.
Proposition 2. Deciding the truth of a prenex-form sentence $Q_1 x_1 \dots Q_n x_n\, \varphi$ in $\mathcal{L}^{*}_{\mathbb{R},\mathbb{Z}}$ can be done in space exponential in $n$ and polynomial in $|\varphi|$.
Proof. The proposition is known to hold separately for $\mathcal{L}_{\mathbb{R}}$ [4] and for the fragment of $\mathcal{L}_{\mathbb{Z}}$ in which atomic formulas have the form shown in (1) [5, Section 4]. The respective arguments of [4] and [5] can be straightforwardly combined to prove the proposition; see Section A for details.
C. Definability of the Reachability Relation
Given a timed automaton $\mathcal{A}$ with $n$ clock variables, we express the reachability relation between every pair of locations $\ell, \ell'$ by a formula
$$\varphi_{\ell,\ell'}(z_1, \dots, z_n, r_1, \dots, r_n, z'_1, \dots, z'_n, r'_1, \dots, r'_n)$$
in the existential fragment of $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$, where $z_1, z'_1, \dots, z_n, z'_n$ are integer variables and $r_1, r'_1, \dots, r_n, r'_n$ are real variables ranging over the interval $[0,1]$. Our main result, Theorem 10, shows that there is a finite run in $\mathcal{A}$ from configuration $\langle \ell, \nu \rangle$ to configuration $\langle \ell', \nu' \rangle$ just in case
$$\langle \lfloor \nu_1 \rfloor, \dots, \lfloor \nu_n \rfloor, \mathrm{frac}(\nu_1), \dots, \mathrm{frac}(\nu_n), \lfloor \nu'_1 \rfloor, \dots, \lfloor \nu'_n \rfloor, \mathrm{frac}(\nu'_1), \dots, \mathrm{frac}(\nu'_n) \rangle \models \varphi_{\ell,\ell'} .$$
Example 1. Consider the following timed automaton (drawn as a figure in the original), with four locations $\ell_0, \ell_1, \ell_2, \ell_3$ and the edges
$$\ell_0 \xrightarrow{\;x_2 < 1\;} \ell_1 \xrightarrow{\;x_2 = 1\;} \ell_2 \xrightarrow{\;x_1 < 1,\ x_1 \leftarrow 0\;} \ell_3 .$$
A brief inspection reveals that location $\ell_3$ can be reached from a configuration $\langle \ell_0, \binom{\nu_1}{\nu_2} \rangle$ if and only if $\nu_1 < \nu_2 < 1$: the run must leave $\ell_2$ while $x_1 < 1$, that is, within $\nu_2 - \nu_1$ time units of the moment at which $x_2 = 1$, so at $\ell_3$ the difference $x_2 - x_1$ lies in the interval $[1, 1 + (\nu_2 - \nu_1))$. The reachability relation between locations $\ell_0$ and $\ell_3$ is expressed by the formula
$$\begin{aligned}
\varphi_{\ell_0,\ell_3}(z_1, z_2, r_1, r_2, z'_1, z'_2, r'_1, r'_2) \stackrel{\mathrm{def}}{=}\;& (z_1 = z_2 = 0) \\
&\wedge (r_1 < r_2 < 1) \\
&\wedge \big( (z'_2 - z'_1 = 1 \wedge 0 \le r'_2 - r'_1 < r_2 - r_1) \\
&\qquad \vee (z'_2 - z'_1 = 2 \wedge 0 \le 1 + r'_2 - r'_1 < r_2 - r_1) \big),
\end{aligned}$$
where the real-valued variables $r_1, r_2, r'_1, r'_2$ range over the interval $[0,1]$. The two disjuncts distinguish whether the fractional part of $x_2$ has wrapped past that of $x_1$.
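To make the integer/fractional encoding of Theorem 10 concrete, the following Python code is an added check of the formula of Example 1; it is not part of the paper. It transcribes $\varphi_{\ell_0,\ell_3}$ literally, simulates the single path $\ell_0 \to \ell_1 \to \ell_2 \to \ell_3$ with exact rational delays, and decodes a satisfying assignment of the formula back into the two delays that witness a run. The reading of the figure (the reset $x_1 \leftarrow 0$ sits on the last edge), the function names and the sample valuations are my own assumptions; valuations are pairs of `Fraction`s.

```python
from fractions import Fraction as Fr
from math import floor


def split(v):
    """Encoding used by Theorem 10: a clock value v is passed to the formula as
    its integer part z = floor(v) and its fractional part r = v - floor(v)."""
    z = floor(v)
    return z, v - z


def phi_l0_l3(z1, z2, r1, r2, z1p, z2p, r1p, r2p):
    """The formula of Example 1, transcribed literally (primed = target valuation)."""
    return (z1 == z2 == 0 and r1 < r2 < 1 and
            ((z2p - z1p == 1 and 0 <= r2p - r1p < r2 - r1) or
             (z2p - z1p == 2 and 0 <= 1 + r2p - r1p < r2 - r1)))


def formula_holds(nu, nu_p):
    """Evaluate phi_{l0,l3} on concrete valuations nu (at l0) and nu_p (at l3)."""
    z1, r1 = split(nu[0])
    z2, r2 = split(nu[1])
    z1p, r1p = split(nu_p[0])
    z2p, r2p = split(nu_p[1])
    return phi_l0_l3(z1, z2, r1, r2, z1p, z2p, r1p, r2p)


def run_example1(nu, s, d):
    """Simulate the automaton of Example 1 along its only path l0 -> l1 -> l2 -> l3.
    Edges (assumed reading of the figure): l0->l1 guarded by x2 < 1, l1->l2 guarded
    by x2 = 1, l2->l3 guarded by x1 < 1 and resetting x1.  Delays: wait until x2 = 1
    (waiting in l0 or in l1 makes no difference, nothing is reset there), then s time
    units in l2, then d time units in l3.  Returns the valuation reached at l3, or
    None if some guard blocks the run."""
    x1, x2 = nu
    if not x2 < 1 or s < 0 or d < 0:
        return None
    t = 1 - x2                    # delay until x2 = 1, then take l1 -> l2
    x1, x2 = x1 + t + s, 1 + s    # further delay s in l2
    if not x1 < 1:                # guard of l2 -> l3
        return None
    return (Fr(0) + d, x2 + d)    # x1 reset to 0, then delay d in l3


def witness_run(nu, nu_p):
    """Decode a satisfying assignment of phi back into a run: the target fixes the
    time spent in l3 as d = nu'_1 and the time spent in l2 as s = (nu'_2 - nu'_1) - 1."""
    d = nu_p[0]
    s = nu_p[1] - nu_p[0] - 1
    return run_example1(nu, s, d)
```

Soundness is checked by running the simulator and evaluating the formula on what it returns; completeness by taking a valuation on which the formula holds and confirming that `witness_run` reproduces it, and that a valuation violating the formula is not reached by the corresponding delays.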
Example 2. Consider the following timed automaton (drawn as a figure in the original), with locations $\ell_0, \ell_1, \ell_2$, the edges
$$\ell_0 \xrightarrow{\;x_1 = x_2 = 0\;} \ell_1 \xrightarrow{\;x_1 = 0\;} \ell_2,$$
and a self-loop on $\ell_1$ with guard $x_1 = 2$ and reset $x_1 \leftarrow 0$. The loop fires every two time units, so on arrival at $\ell_2$ the clocks differ by an even integer. We have
$$\begin{aligned}
\varphi_{\ell_0,\ell_2}(z_1, z_2, r_1, r_2, z'_1, z'_2, r'_1, r'_2) \stackrel{\mathrm{def}}{=}\;& (r_1 = r_2 = 0) \wedge (r'_1 = r'_2) \\
&\wedge (z_1 = z_2 = 0) \wedge (z'_2 - z'_1 \equiv 0 \pmod 2).
\end{aligned}$$
D. Parametric Timed Reachability Logic
Timed computation tree logic (TCTL) is an extension of computation tree logic for specifying real-time properties [16]. In [8] TCTL was generalised to allow parameters within timing constraints, yielding the logic parametric TCTL. In this paper we consider the fragment of parametric TCTL generated by the reachability modality $\exists\Diamond$, which we call parametric timed reachability logic (PTRL).
Let $AP$ be a set of atomic propositions and $\Theta$ a set of parameters. Formulas of PTRL of the first type are given by the grammar
$$\varphi ::= p \mid \varphi \wedge \varphi \mid \neg\varphi \mid \exists\Diamond_{\sim\alpha}\, \varphi, \qquad (2)$$
where $p \in AP$, $\sim \in \{<, \le, =, \ge, >\}$, and $\alpha \in \mathbb{Q} \cup \Theta$. Formulas of PTRL of the second type are given by the grammar
$$\psi ::= \varphi \mid \theta - \theta' \sim c \mid \psi_1 \wedge \psi_2 \mid \neg\psi \mid \exists\theta\, \psi, \qquad (3)$$
where $\varphi$ is a formula of the first type, $\theta, \theta' \in \Theta$, $\sim \in \{<, \le, =, \ge, >\}$, and $c \in \mathbb{Q}$. In the sequel we use $\forall\Box_{\sim\alpha}\, \varphi$ as an abbreviation for $\neg\exists\Diamond_{\sim\alpha}\, \neg\varphi$.
Formulas of PTRL are interpreted with respect to a timed automaton $\mathcal{A} = \langle L, \mathcal{X}, E \rangle$ and a labelling function $LB : L \to 2^{AP}$. A parameter valuation is a function $\xi : \Theta \to \mathbb{R}_{\ge 0}$. Such a function is extended to the rational numbers by writing $\xi(c) = c$ for $c \in \mathbb{Q}$. Given a parameter valuation $\xi$, we define a satisfaction relation $\models_\xi$ between configurations of $\mathcal{A}$ and PTRL formulas by induction over the structure of formulas. The Boolean connectives are handled in the expected way, and we define
$q \models_\xi \theta - \theta' \sim c$ iff $\xi(\theta) - \xi(\theta') \sim c$.
$q \models_\xi \exists\Diamond_{\sim\alpha}\, \varphi$ iff there exist an infinite non-zeno run $\rho = q_0 \xRightarrow{d_1} q_1 \xRightarrow{d_2} q_2 \xRightarrow{d_3} \cdots$ of $\mathcal{A}$ and $i \in \mathbb{N}$ such that $q_0 = q$, $d_1 + \dots + d_i \sim \xi(\alpha)$, and $q_i \models_\xi \varphi$.
$q \models_\xi \exists\theta\, \psi$ iff there exists a parameter valuation $\xi'$ such that $q \models_{\xi'} \psi$ and $\xi, \xi'$ agree on $\Theta \setminus \{\theta\}$.
Example 3. The PTRL formula $\forall\theta\,(\exists\Diamond_{<\theta}\, p_1 \to \exists\Diamond_{<\theta}\, p_2)$ expresses that some $p_2$-state is reachable in at most the same time as any $p_1$-state is reachable.
The paper [8] considered a semantics for parametric TCTL in which parameters range over the naturals $\mathbb{N}$. Here we have given a more general semantics in which parameters range over the non-negative real numbers $\mathbb{R}_{\ge 0}$. The following example shows that the satisfaction relation changes under this extension.

[Figure 1 is drawn in the original. It shows a timed automaton with locations $\ell_0, \ell_1, \ell_2, \ell_3, \ell_4$ and clocks $x_1, x_2$; its edges are $\ell_0 \to \ell_1$ with guard $0 < x_1 < 1$ and reset $x_1 \leftarrow 0$; $\ell_1 \to \ell_2$ with guard $x_1 = 0$; $\ell_2 \to \ell_3$ with guard $x_2 = 1$; $\ell_3 \to \ell_4$ with guard $x_2 = 1$ and reset $x_1 \leftarrow 0$; and a self-loop on $\ell_4$ with reset $x_1 \leftarrow 0$.]
Fig. 1. A timed automaton where the satisfaction relation of PTRL with parameters ranging over non-negative real numbers is different from the relation when parameters are restricted to naturals. The locations $\ell_1$ and $\ell_3$ are labelled by propositions $p_1$ and $p_2$, respectively. The set $\lambda$ of clocks that are reset by a transition is shown as $\lambda \leftarrow 0$; for example, the transition from $\ell_3$ to $\ell_4$ is guarded by $x_2 = 1$ and resets $x_1$. For all $0 < \theta < 1$, we have $(\ell_0, \mathbf{0}) \models \exists\Diamond(p_1 \wedge \exists\Diamond_{=\theta}\, p_2)$, whereas there exists no $n \in \mathbb{N}$ such that $(\ell_0, \mathbf{0}) \models \exists\Diamond(p_1 \wedge \exists\Diamond_{=n}\, p_2)$.

$$M = \begin{array}{c|ccc}
 & x_0 & x_1 & x_2 \\ \hline
x_0 & (\le, 0) & (\le, -0.6) & (\le, 0) \\
x_1 & (\le, 1) & (\le, 0) & (\le, 0.6) \\
x_2 & (\le, 0.4) & (\le, -0.6) & (\le, 0)
\end{array}$$
Fig. 2. A DBM $M$ with a zone $Z = \llbracket M \rrbracket$. (The plot of $Z$ in the $(x_1, x_2)$-plane is not reproduced; $Z$ is the line segment $x_1 - x_2 = 0.6$, $0 \le x_2 \le 0.4$.)
Example 4. Consider the timed automaton in Figure 1 with two clocks $x_1, x_2$. Clock valuations $\nu$ are denoted by vectors $\binom{\nu_1}{\nu_2}$. Let $\varphi = \exists\Diamond(p_1 \wedge \exists\Diamond_{=\theta}\, p_2)$. All non-zeno infinite runs of the timed automaton from configuration $\langle \ell_0, \mathbf{0} \rangle$ start with the following prefix
$$(\ell_0, \tbinom{0}{0}) \xRightarrow{t} (\ell_1, \tbinom{0}{t}) \xRightarrow{0} (\ell_2, \tbinom{0}{t}) \xRightarrow{1-t} (\ell_3, \tbinom{1-t}{1}) \xRightarrow{0} (\ell_4, \tbinom{0}{1}),$$
where $0 < t < 1$. Now we have that $(\ell_1, \binom{0}{t}) \models p_1 \wedge \exists\Diamond_{=1-t}\, p_2$. As a result, $(\ell_0, \mathbf{0}) \models \exists\Diamond(p_1 \wedge \exists\Diamond_{=\theta}\, p_2)$ only for $0 < \theta < 1$. Thus $(\ell_0, \mathbf{0}) \models \exists\theta\, \varphi$ when the parameter $\theta$ ranges over $\mathbb{R}_{\ge 0}$ but not when $\theta$ ranges over $\mathbb{N}$.
Let $\mathcal{A} = \langle L, \mathcal{X}, E \rangle$ be a timed automaton augmented with a labelling function $LB : L \to 2^{AP}$. Let $\varphi$ be a PTRL formula in which all occurrences of parameters are bound. The model checking problem of $\mathcal{A}$ against $\varphi$ asks, given a configuration $\langle \ell, \nu \rangle$ of $\mathcal{A}$, whether $\langle \ell, \nu \rangle \models \varphi$.
The model checking procedure for parametric TCTL with integer-valued parameters, developed in [8], relies on the region abstraction. In particular, formulas in this logic have the same truth value for all configurations in a given region. However, as the following example shows, region invariance fails when parameters range over the set of real numbers.
Example 5. Consider the timed automaton in Figure 1. Let $\varphi = \exists\theta\, \exists\Diamond_{=\theta}(p_1 \wedge \exists\Diamond_{=\theta}\, p_2)$. Then a configuration $(\ell_0, \binom{t_1}{t_2})$ satisfies $\varphi$ just in case $t_1, t_2 < 1$ and $2t_1 - t_2 < 1$, the witness being $\theta = (1 - t_2)/2$.
In Section V we show that model checking PTRL over real-valued parameters is decidable in EXPSPACE and is NEXPTIME-hard.
III. DIFFERENCE BOUND MATRICES
A. Basic Definitions
In this section we review the notions of clock zones and difference bound matrices; see [17], [18] for further details.
Let $\mathcal{X} = \{x_1, \dots, x_n\}$ be a set of clock variables. A zone $Z \subseteq \mathbb{R}^{\mathcal{X}}_{\ge 0}$ is a set of valuations defined by a conjunction of difference constraints $x_j - x_i \triangleleft c$ for $c \in \mathbb{R}$ and $\triangleleft \in \{<, \le\}$. Note that we allow real-valued constants in difference constraints.
Zones and operations thereon can be efficiently represented using difference bound matrices (DBMs). A DBM is an $(n+1) \times (n+1)$ matrix $M$ with entries in the set
$$V = (\{<, \le\} \times \mathbb{R}) \cup \{(<, \infty)\}.$$
A DBM $M = (\triangleleft_{i,j}, m_{i,j})$ can be interpreted as a conjunction of constraints $x_i - x_j \triangleleft_{i,j} m_{i,j}$, where $x_0$ is a special clock that symbolically represents zero. Formally, the semantics of DBM $M$ is the zone
$$\llbracket M \rrbracket = \Big\{ \nu \in \mathbb{R}^{\mathcal{X}}_{\ge 0} : \bigwedge_{0 \le i, j \le n} \nu_i - \nu_j \triangleleft_{i,j} m_{i,j} \Big\},$$
where $\nu_0 = 0$. Figure 2 depicts a zone $Z \subseteq [0,1]^2$ containing a line segment, together with a DBM $M$ with $\llbracket M \rrbracket = Z$.
An atomic DBM $M'$ is one that represents a single constraint $x_i - x_j \sim c$, where $\sim \in \{<, \le\}$ and $c \in \mathbb{R}$. Note that all but one entry of an atomic DBM is the trivial constraint $(<, \infty)$. We often denote DBMs by the constraints that they represent.
Define a total order $\le_V$ on $V$ by writing $(\triangleleft, m) \le_V (\triangleleft', m')$ if $m < m'$, or if $m = m'$ and either $\triangleleft = \triangleleft'$ or $\triangleleft' = {\le}$. Define addition on $V$ by $(\triangleleft, m) + (\triangleleft', m') = (\triangleleft'', m + m')$, where
$$\triangleleft'' = \begin{cases} \le & \text{if } \triangleleft = {\le} \text{ and } \triangleleft' = {\le}, \\ < & \text{otherwise.} \end{cases}$$
Here we adopt the convention that $m + \infty = \infty + m = \infty$ for all $m \in \mathbb{R}$. A DBM $M = (M_{i,j})$ is in canonical form if $M_{i,k} \le_V M_{i,j} + M_{j,k}$ for all $0 \le i, j, k \le n$. One can transform an arbitrary DBM into an equivalent canonical-form DBM using the Floyd-Warshall algorithm. For every non-empty clock zone $Z$, there is a unique DBM $M$ in canonical form with $\llbracket M \rrbracket = Z$. A DBM $M$ is said to be consistent if $\llbracket M \rrbracket \ne \emptyset$. If $M$ is in canonical form, then it is consistent if and only if $(\le, 0) \le_V M_{i,i}$ for all $0 \le i \le n$.
We now define operations on DBMs that correspond to time elapse, projection, and intersection on zones.
Time Elapse. The image of a DBM $M$ under time elapse is the DBM $\overrightarrow{M}$ defined by
$$\overrightarrow{M}_{i,j} = \begin{cases} (<, \infty) & \text{if } i \ne 0,\ j = 0, \\ M_{i,j} & \text{otherwise.} \end{cases}$$
If $M$ is canonical, then $\overrightarrow{M}$ is also canonical and we have $\llbracket \overrightarrow{M} \rrbracket = \{\nu + t : \nu \in \llbracket M \rrbracket \text{ and } t \ge 0\}$.
Reset. The image of a DBM $M$ under resetting clock $x_\ell$ is $M[x_\ell \leftarrow 0]$, given by $M[x_\ell \leftarrow 0]_{i,j} = M_{i^\ell, j^\ell}$, where for any index $k$,
$$k^\ell = \begin{cases} k & \text{if } k \ne \ell, \\ 0 & \text{otherwise.} \end{cases}$$
If $M$ is canonical, then $M[x_\ell \leftarrow 0]$ is also canonical and $\llbracket M[x_\ell \leftarrow 0] \rrbracket = \{\nu[x_\ell \leftarrow 0] : \nu \in \llbracket M \rrbracket\}$.
Intersection. Our presentation of intersection of DBMs is slightly non-standard. First, we only consider intersection with atomic DBMs. (Clearly this is without loss of generality, since any DBM can be written as an intersection of atomic DBMs.) Under this restriction we combine intersection and canonisation, so that our intersection operation yields a DBM in canonical form if the input DBM is in canonical form. Specifically, let $M'$ be an atomic DBM with non-trivial constraint $M'_{p,q}$. The DBM $M'' = M \cap M'$ is given by
$$M''_{i,j} = \min\big(M_{i,j},\ M_{i,p} + M'_{p,q} + M_{q,j}\big)$$
for all $i, j$. Then $M''$ is canonical and $\llbracket M'' \rrbracket = \llbracket M \rrbracket \cap \llbracket M' \rrbracket$.
B. Closure of a DBM
We will use zones to represent the fractional parts of clocks in a given set of valuations. For this reason we are solely interested in zones contained in $[0,1]^n$. We say that a DBM $M$ is 1-bounded if for all entries $(\triangleleft, m)$ of $M$ we have $-1 \le m \le 1$. It is clear that if $M$ is 1-bounded then $\llbracket M \rrbracket \subseteq [0,1]^n$. Conversely, the unique DBM in canonical form that represents a zone $Z \subseteq [0,1]^n$ is necessarily 1-bounded, since the constraints in a canonical DBM cannot be tightened.
Given a 1-bounded DBM $M$, define the closure of $M$ to be the smallest set $\mathrm{closure}(M)$ of DBMs such that $M \in \mathrm{closure}(M)$, and if $N \in \mathrm{closure}(M)$ then
• $N \cap M' \in \mathrm{closure}(M)$ for all atomic DBMs $M'$ with numerical entries in $\mathbb{Z} \cup \{\infty\}$;
• $\overrightarrow{N} \cap \bigcap_{i=1}^{n} (x_i \le 1) \in \mathrm{closure}(M)$;
• $N[x_i \leftarrow 0] \in \mathrm{closure}(M)$ for $0 \le i \le n - 1$;
• $(N \cap (x_n = 1))[x_n \leftarrow 0] \in \mathrm{closure}(M)$.
We make three observations about this definition. First, notice that in the first item we only require closure with respect to intersection with constraints with integer constants. Observe also that in the second item the time elapse operation has been relativised to $[0,1]^n$. This ensures that every DBM $N \in \mathrm{closure}(M)$ denotes a subset of $[0,1]^n$. It follows that any consistent DBM in $\mathrm{closure}(M)$ is 1-bounded. Finally, note that the clock $x_n$ is treated in a special way (in keeping with our assumptions about timed automata in Section II-A): it is only reset when it reaches 1.
Let $\nu \in [0,1]^n$ be a clock valuation, and recall that, by convention, $\nu_0 = 0$. We write $M_\nu$ for the 1-bounded DBM $M_\nu = (\triangleleft_{i,j}, m_{i,j})$, where $\triangleleft_{i,j} = {\le}$ and $m_{i,j} = \nu_i - \nu_j$ for all $0 \le i, j \le n$ (so each constraint $x_i - x_j \le \nu_i - \nu_j$ is tight at $\nu$, matching the entries of Figure 2). Then $M_\nu$ is in canonical form and $\llbracket M_\nu \rrbracket = \{\nu\}$.
We say a DBM $M = (\triangleleft_{i,j}, m_{i,j}) \in \mathrm{closure}(M_\nu)$ is well-supported if each entry $m_{i,j}$ can be written in the form $c + \nu_{j'} - \nu_{i'}$ for some $c \in \{-1, 0, 1\}$ and indices $0 \le i', j' \le n$. Clearly $M_\nu$ is well-supported.
The following is the main technical result in this section. See Appendix B for the full proof.
Lemma 3. Let $\nu \in [0,1]^n$ be a clock valuation. Then every consistent DBM lying in $\mathrm{closure}(M_\nu)$ is well-supported.
Proof Sketch. We show by induction on the structure of $\mathrm{closure}(M_\nu)$ that any consistent DBM $M \in \mathrm{closure}(M_\nu)$ is well-supported. The key case is intersection (see Section III-A), which does not immediately preserve well-supportedness due to the possibility that $M''_{i,j} = M_{i,p} + M'_{p,q} + M_{q,j}$. However, we show that in this case at least one of $m_{i,p}$ or $m_{q,j}$ lies in $\mathbb{Z}$, which ensures well-supportedness of $M''$.
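The following Python code is an added illustration, not part of the paper: it implements the bound arithmetic and the time elapse, reset and single-pass intersection of Section III-A, and then runs the closure construction of this section on $M_\nu$ for $\nu = (0.6, 0)$ (the valuation of Example 6), checking Lemma 3 on every DBM it reaches. Three choices are my own assumptions: bounds are pairs (strictness, value) with `None` standing for $\infty$ and values kept as exact `Fraction`s; the first closure rule is instantiated only with constants $c \in \{-1, 0, 1\}$, since on a 1-bounded canonical DBM any other integer constant is either implied or yields an inconsistent DBM; and inconsistent DBMs are discarded as soon as they arise, as in zone-graph exploration, instead of being kept as members of the closure. `M_FIG2` is the matrix of Figure 2, entered by hand.

```python
from fractions import Fraction as Fr
from itertools import product

# A bound is ('<', m) or ('<=', m); m = None encodes +infinity (assumed encoding).
LT, LE = '<', '<='
INF = (LT, None)


def le_v(a, b):
    """The total order <=_V on bounds."""
    if b[1] is None:
        return True
    if a[1] is None:
        return False
    return a[1] < b[1] or (a[1] == b[1] and (a[0] == b[0] or b[0] == LE))


def add_v(a, b):
    """Bound addition: the sum is non-strict only if both summands are."""
    if a[1] is None or b[1] is None:
        return INF
    return (LE if a[0] == LE and b[0] == LE else LT, a[1] + b[1])


def min_v(a, b):
    return a if le_v(a, b) else b


def canonical(M):
    """Floyd-Warshall closure: afterwards M[i][k] <=_V M[i][j] + M[j][k] for all i, j, k."""
    n = len(M)
    D = [list(row) for row in M]
    for k, i, j in product(range(n), repeat=3):
        D[i][j] = min_v(D[i][j], add_v(D[i][k], D[k][j]))
    return tuple(map(tuple, D))


def consistent(M):
    """For a canonical DBM: consistent iff no diagonal entry is below (<=, 0)."""
    return all(le_v((LE, Fr(0)), M[i][i]) for i in range(len(M)))


def elapse(M):
    """Time elapse: drop every upper bound x_i - x_0 <= m (entries (i, 0), i != 0)."""
    n = len(M)
    return tuple(tuple(INF if i != 0 and j == 0 else M[i][j] for j in range(n)) for i in range(n))


def reset(M, l):
    """M[x_l <- 0]: index l reads the entries of x_0."""
    n = len(M)
    idx = lambda k: 0 if k == l else k
    return tuple(tuple(M[idx(i)][idx(j)] for j in range(n)) for i in range(n))


def intersect(M, p, q, bound):
    """M ∩ (x_p - x_q ◁ c) by the one-pass rule of Section III-A; keeps canonical form."""
    n = len(M)
    return tuple(tuple(min_v(M[i][j], add_v(add_v(M[i][p], bound), M[q][j]))
                       for j in range(n)) for i in range(n))


def point_dbm(nu):
    """M_nu: the canonical DBM whose zone is the single valuation nu (with nu_0 = 0)."""
    v = [Fr(0)] + list(nu)
    return tuple(tuple((LE, v[i] - v[j]) for j in range(len(v))) for i in range(len(v)))


def bounded_elapse(N, n):
    """Second closure rule: time elapse relativised to [0,1]^n."""
    E = elapse(N)
    for i in range(1, n + 1):
        E = intersect(E, i, 0, (LE, Fr(1)))
    return E


def closure(M0, n):
    """closure(M0) for a 1-bounded canonical DBM, keeping only consistent members.
    Assumption: atomic constraints are limited to c in {-1, 0, 1}, which suffices on
    1-bounded DBMs; x_n (the reference clock) is reset only when it equals 1."""
    seen, todo = {M0}, [M0]
    while todo:
        N = todo.pop()
        succ = [intersect(N, p, q, (s, Fr(c)))
                for p, q in product(range(n + 1), repeat=2)
                for c in (-1, 0, 1) for s in (LT, LE)]
        succ.append(bounded_elapse(N, n))
        succ += [reset(N, i) for i in range(1, n)]
        xn_is_1 = intersect(intersect(N, n, 0, (LE, Fr(1))), 0, n, (LE, Fr(-1)))
        succ.append(reset(xn_is_1, n))
        for S in succ:
            if consistent(S) and S not in seen:
                seen.add(S)
                todo.append(S)
    return seen


def well_supported(M, nu):
    """Lemma 3: every entry has the form c + nu_j' - nu_i' with c in {-1, 0, 1}."""
    v = [Fr(0)] + list(nu)
    allowed = {c + vj - vi for c in (-1, 0, 1) for vi in v for vj in v}
    return all(e[1] is not None and e[1] in allowed for row in M for e in row)


# Constructed data: the DBM of Figure 2 and the valuation nu = (0.6, 0) of Example 6.
M_FIG2 = tuple(tuple((LE, Fr(m)) for m in row) for row in
               (('0', '-0.6', '0'), ('1', '0', '0.6'), ('0.4', '-0.6', '0')))
NU = (Fr(6, 10), Fr(0))
```

Running `bounded_elapse(point_dbm(NU), 2)` returns exactly `M_FIG2`, which is the zone $M_1$ of Figure 3 reached by the first delay transition; `closure(point_dbm(NU), 2)` terminates with a finite set of which every member passes `well_supported`, and `intersect(M_FIG2, 2, 0, (LT, Fr(0)))` shows the inconsistency check picking up an empty zone on the diagonal.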
C. Parametric DBMs
In this subsection we observe that the construction of $\mathrm{closure}(M_\nu)$ can be carried out parametrically, based on the logical type of the clock valuation $\nu \in [0,1]^n$ (to be defined below). In particular, if $\nu, \nu' \in [0,1]^n$ have the same type, then $\mathrm{closure}(M_\nu)$ and $\mathrm{closure}(M_{\nu'})$ can both be seen as instances of a common parametric construction.
Recall from Subsection II-B the definition of the set of terms $\mathcal{T}_{\mathbb{R}}$ of real arithmetic. Given $n \in \mathbb{N}$, let us further write $\mathcal{T}_{\mathbb{R}}(n)$ for the set of terms in variables $r_0, \dots, r_n$. A valuation $\nu \in [0,1]^n$ extends in a natural way to a function $\nu : \mathcal{T}_{\mathbb{R}}(n) \to \mathbb{R}$ mapping $r_i$ to $\nu_i$ (recalling the convention that $\nu_0 = 0$).
Given a clock valuation $\nu \in [0,1]^n$, the type of $\nu$ is the set of atomic $\mathcal{L}_{\mathbb{R}}$-formulas $t \le t'$, with $t, t' \in \mathcal{T}_{\mathbb{R}}(n)$, that are satisfied by the valuation $\nu$. A collection of atomic formulas $\tau$ is said to be an $n$-type if it is the type of some clock valuation $\nu \in [0,1]^n$. Note that every type contains the inequalities $r_0 \le 0$ and $0 \le r_0$.
Given an $n$-type $\tau$, we define an equivalence relation on the set of terms $\mathcal{T}_{\mathbb{R}}(n)$ that relates terms $t$ and $t'$ just in case the formulas $t \le t'$ and $t' \le t$ both lie in $\tau$. We write $[t]$ for the equivalence class of term $t$ and denote by $\mathcal{T}_{\mathbb{R}}(\tau)$ the set of equivalence classes of $\mathcal{T}_{\mathbb{R}}(n)$. We can define a linear order on $\mathcal{T}_{\mathbb{R}}(\tau)$ by writing $[t] \le [t']$ if and only if the formula $t \le t'$ lies in $\tau$. We define an addition operation on $\mathcal{T}_{\mathbb{R}}(\tau)$ by writing $[t] + [t'] = [t + t']$.
Given an $n$-type $\tau$, a parametric DBM of dimension $n$ over $\mathcal{T}_{\mathbb{R}}(\tau)$ is an $(n+1) \times (n+1)$ matrix with entries in
$$(\{<, \le\} \times \mathcal{T}_{\mathbb{R}}(\tau)) \cup \{(<, \infty)\}.$$
We use letters in calligraphic font to denote parametric DBMs, and roman font for concrete DBMs. Given a parametric DBM $\mathcal{M}$, we obtain a concrete DBM $\nu(\mathcal{M})$ by applying $\nu$ pointwise to the entries of $\mathcal{M}$.
The time elapse and reset operations on DBMs, defined in Section III-A, formally carry over to parametric DBMs. Since the notions of addition and minimum are well-defined on $\mathcal{T}_{\mathbb{R}}(\tau)$, we can also formally carry over the definition of intersection to parametric DBMs.
Proposition 4. Let $\nu \in [0,1]^n$ be a clock valuation with type $\tau$ and let $\mathcal{M}$ be a parametric DBM over $\mathcal{T}_{\mathbb{R}}(\tau)$. Then
1) $\nu(\overrightarrow{\mathcal{M}}) = \overrightarrow{\nu(\mathcal{M})}$;
2) $\nu(\mathcal{M}[x_i \leftarrow 0]) = \nu(\mathcal{M})[x_i \leftarrow 0]$;
3) $\nu(\mathcal{M} \cap N) = \nu(\mathcal{M}) \cap N$ for all atomic DBMs $N$.
Proof. Suppose that $\nu$ has type $\tau$. Then $\nu : \mathcal{T}_{\mathbb{R}}(\tau) \to \mathbb{R}$ is an order embedding ($[t] \le [t']$ if and only if $\nu(t) \le \nu(t')$) and a homomorphism ($\nu([t] + [t']) = \nu([t]) + \nu([t'])$). In particular, $\nu$ preserves all operations used to define time elapse, projection, and intersection of DBMs. The result follows.
Since the basic operations on DBMs are all defined for parametric DBMs, we can also formally carry over the definition of the closure of a DBM to parametric DBMs. In particular, given an $n$-type $\tau$, we consider the closure of the parametric DBM $\mathcal{M}_\tau = (\triangleleft_{i,j}, m_{i,j})$ over $\mathcal{T}_{\mathbb{R}}(\tau)$, where $\triangleleft_{i,j} = {\le}$ and $m_{i,j} = [r_i - r_j]$. Note that $\nu(\mathcal{M}_\tau) = M_\nu$ for any clock valuation $\nu \in [0,1]^n$ of type $\tau$. Then, by Proposition 4, we have the following result:
Proposition 5. Let $\nu \in [0,1]^n$ be a clock valuation with type $\tau$. Then
$$\{\nu(\mathcal{M}) : \mathcal{M} \in \mathrm{closure}(\mathcal{M}_\tau)\} = \mathrm{closure}(M_\nu).$$
Define the set $\mathcal{DT}_{\mathbb{R}}(n)$ of difference terms to be the subset of $\mathcal{T}_{\mathbb{R}}(n)$ comprising those terms of the form $c + r_i - r_j$, where $c \in \{-1, 0, 1\}$ is a constant and $r_i, r_j$ are variables with $0 \le i, j \le n$. From Lemma 3 and Proposition 5 we now have:
Corollary 6. Fix an $n$-type $\tau$. Then every DBM in $\mathrm{closure}(\mathcal{M}_\tau)$ has all its entries of the form $(\triangleleft, [t])$, where $\triangleleft \in \{<, \le\}$ and $t \in \mathcal{DT}_{\mathbb{R}}(n)$.
The significance of Corollary 6 is that the only part of the type $\tau$ required to determine $\mathrm{closure}(\mathcal{M}_\tau)$ is the finite collection of formulas $t \le t'$ in $\tau$ such that $t, t' \in \mathcal{DT}_{\mathbb{R}}(n)$. Thus $\mathrm{closure}(\mathcal{M}_\tau)$ is finite. Indeed it is not hard to see from Corollary 6 that $|\mathrm{closure}(\mathcal{M}_\tau)| \le 2^{\mathrm{poly}(n)}$.
IV. A FAMILY OF REGION AUTOMATA
Let $\mathcal{A}$ be a timed automaton. Our aim in this section is to define a finite collection of counter machines that represents the reachability relation on $\mathcal{A}$. Intuitively the counters in these machines are used to store the integer parts of clock valuations of reachable configurations, while the fractional parts of the clock valuations are aggregated into zones which are represented by difference bound matrices encoded within control states.
A. Monotonic Counter Machine
In this subsection we introduce the class of monotonic counter machines and show that the reachability relation for a machine in this class is definable in Presburger arithmetic. The proof is straightforward, and is related to the fact that the reachability relation of every reversal-bounded counter machine is Presburger definable [19].
Let $C = \{c_1, \dots, c_n\}$ be a finite set of counters. The collection of guards, denoted $\Phi(C)$, is given by the grammar
$$\varphi ::= \mathit{true} \mid c < k \mid c = k \mid c > k \mid \varphi \wedge \varphi,$$
where $c \in C$ and $k \in \mathbb{Z}$. The set of counter operations is
$$\mathit{Op}(C) = \{\mathit{reset}(c), \mathit{inc}(c) : c \in C\} \cup \{\mathit{nop}\}.$$
A monotonic counter machine is a tuple $\mathcal{C} = \langle S, C, \Delta \rangle$, where $S$ is a finite set of states, $C$ is a finite set of counters, and $\Delta \subseteq S \times \Phi(C) \times \mathit{Op}(C) \times S$ is a set of edges.
The set of configurations of $\mathcal{C}$ is $S \times \mathbb{N}^n$. A configuration $\langle s, \upsilon \rangle$ consists of a state $s \in S$ and a counter valuation $\upsilon \in \mathbb{N}^n$, where $\upsilon_i$ represents the value of counter $c_i$ for $i = 1, \dots, n$. The satisfaction relation $\models$ between counter valuations and guards is defined in the obvious way. The transition relation
$$\to\ \subseteq (S \times \mathbb{N}^n) \times (S \times \mathbb{N}^n)$$
is specified by writing $\langle s, \upsilon \rangle \to \langle s', \upsilon' \rangle$ just in case at least one of the following holds:
• there is an edge $\langle s, \varphi, \mathit{nop}, s' \rangle \in \Delta$ such that $\upsilon \models \varphi$ and $\upsilon' = \upsilon$;
• there is an edge $\langle s, \varphi, \mathit{reset}(c_i), s' \rangle \in \Delta$ such that $\upsilon \models \varphi$, $\upsilon'_i = 0$, and $\upsilon'_j = \upsilon_j$ for $j \ne i$;
• there is an edge $\langle s, \varphi, \mathit{inc}(c_i), s' \rangle \in \Delta$ such that $\upsilon \models \varphi$, $\upsilon'_i = \upsilon_i + 1$, and $\upsilon'_j = \upsilon_j$ for $j \ne i$.
The reachability relation on $\mathcal{C}$ is the reflexive transitive closure of $\to$.
The proof of the following result is given in Appendix C.
Proposition 7. Let $\mathcal{C}$ be a monotonic counter machine with $n$ counters. Given states $s, s'$ of $\mathcal{C}$, the reachability relation
$$\{\langle \upsilon, \upsilon' \rangle \in \mathbb{N}^{2n} : \langle s, \upsilon \rangle \to^{*} \langle s', \upsilon' \rangle\}$$
is definable by a formula in the existential fragment of Presburger arithmetic that has size exponential in $|\mathcal{C}|$.
B. Concrete Region Automata
Let A “ xL,X , Ey be a timed automaton and xℓ, νy a con-
figuration of A. We define a monotonic counter machine Cxℓ,νy
whose configuration graph represents all configurations of A
that are reachable from xℓ, νy.
Let X “ tx1, . . . , xnu be the set of clocks in A. Recall
from Section II-A the assumption that clock xn is never reset
by the timed automaton. To simplify the construction, we also
assume that each transition in A resets at most one clock. This
is without loss of generality with respect to reachability.
Given a clock constraint ϕ P ΦpX q, we decompose ϕ into
an integer constraint ϕint P ΦpCq and a real constraint ϕfrac P
ΦpX q such that for every clock valuation ν1 P RXě0,
ν1 |ù ϕ iff tν1u |ù ϕinc and fracpν
1q |ù ϕfrac
The definition of ϕint and ϕfrac is by induction on the structure
of ϕ. The details are given in Figure 4.
counter machine Cxℓ0,νy:
xℓ0,M0y xℓ0,M1y xℓ1,M2y xℓ1,M3y
xℓ1,M4yxℓ1,M5y
nop
(delay)
resetpc1q
c1 “ 0
(discrete)
nop
(delay)
incpc2q
(wrapping)
nop
(delay)
incpc1q
(wrapping)
ℓ0
timed automaton A :
ℓ1
0 ă x1 ă 1
x1 Ð 0
Fig. 3. A timed automaton A together with the fragment of counter machine Cxℓ0,νy relevant to expressing the reachability relation of ℓ0 and ℓ1. The
valuation ν is such that ν1 “ 0.6 and ν2 “ 0. States xℓ,My of the counter machine are illustrated by ℓ and the zone that M represents. The initial state is
xℓ0,M0y, where M0 “ Mν .
ϕ x ă k x “ k k ă x ă k ` 1 x ě k
ϕint c ď k ´ 1 c “ k c “ k c ě k
ϕfrac x ă 1 x “ 0 0 ă x ă 1 x ě 0
Fig. 4. Base cases of the inductive definition of ϕinc and ϕfrac, where x is
a clock variable and c is a counter variable. (Note any guard ϕ P ΦpXq can
be expressed as a Boolean combination of the basic guards in the table.) For
the inductive step we have pϕ ^ ϕ1qint “ ϕint ^ ϕ
1
int
and pϕ ^ ϕ1qfrac “
ϕfrac ^ ϕ
1
frac
.
The construction of the counter machine $C_{\langle \ell,\nu\rangle} = \langle S, C, \Delta\rangle$
is such that the set $S$ of states comprises all pairs $\langle \ell', M\rangle$ such
that $\ell' \in L$ is a location of A and $M \in \mathrm{closure}(M_{\mathrm{frac}(\nu)})$ is
a consistent DBM. The set of counters is $C = \{c_1, \ldots, c_n\}$,
where $n$ is the number of clocks in A. Intuitively the purpose
of counter $c_i$ is to store the integer part of clock $x_i$, for $i = 1, \ldots, n$.
We classify the transitions of $C_{\langle \ell,\nu\rangle}$ into three different
types: From all states $\langle \ell', M_1\rangle$ to a state $\langle \ell', M_2\rangle$, there is
• a delay transition if $M_2 = \overrightarrow{M_1} \cap \bigcap_{i=1}^{n} (x_i \leq 1)$. Such a
transition has guard true and operation nop;
• a wrapping transition if $M_2 = (M_1 \cap (x_i = 1))[x_i \leftarrow 0]$
for some clock $x_i$. Such a transition has guard true and
operation $\mathrm{inc}(c_i)$.
Suppose that $(\ell, \varphi, \{x_i\}, \ell')$ is a transition of A. Decompose
the guard $\varphi$ into $\varphi_{\mathrm{int}}$ and $\varphi_{\mathrm{frac}}$. Then from all states $\langle \ell, M_1\rangle$
to a state $\langle \ell', M_2\rangle$, there is
• a discrete transition if $M_2 = (M_1 \cap \varphi_{\mathrm{frac}})[x_i \leftarrow 0]$. Such
a transition has guard $\varphi_{\mathrm{int}}$ and operation $\mathrm{reset}(c_i)$.
The following proposition describes how the set of reachable configurations in $C_{\langle \ell,\nu\rangle}$ represents the set of configurations reachable from $\langle \ell, \nu\rangle$ in the timed automaton A.
The proposition is a straightforward variant of the soundness
and completeness of the DBM-based forward reachability
algorithm for timed automata, as shown, e.g., in [20, Theorem
1]. We give a proof in Appendix D.
Proposition 8. Configuration $\langle \ell', \nu'\rangle$ is reachable from $\langle \ell, \nu\rangle$
in A if and only if there exists some DBM $M' \in \mathrm{closure}(M_{\mathrm{frac}(\nu)})$ such that the configuration $\langle \langle \ell', M'\rangle, \lfloor \nu' \rfloor\rangle$
is reachable from $\langle \langle \ell, M_{\mathrm{frac}(\nu)}\rangle, \lfloor \nu \rfloor\rangle$ in the counter machine $C_{\langle \ell,\nu\rangle}$ and $\mathrm{frac}(\nu') \in [\![ M' ]\!]$.
We illustrate the translation from timed automata to counter
machines with the following example.
Example 6. Consider the timed automaton A in Figure 3
with clocks $\mathcal{X} = \{x_1, x_2\}$, where $x_2$ is the reference clock.
Let the configuration $\langle \ell_0, \nu\rangle$ be such that $\nu = \binom{0.6}{0}$. Also
shown in Figure 3 is the counter machine $C_{\langle \ell_0,\nu\rangle}$ that is
constructed from A and $\langle \ell_0, \nu\rangle$ in the manner described above.
The control states of this machine are pairs $\langle \ell, M\rangle$, where $\ell$ is
a location of A and $M$ is a consistent DBM in $\mathrm{closure}(M_\nu)$.
The machine $C_{\langle \ell_0,\nu\rangle}$ has two counters, respectively denoted by
$c_1$ and $c_2$.
The initial state of $C_{\langle \ell_0,\nu\rangle}$ is $\langle \ell_0, M_0\rangle$, where $M_0 = M_\nu$. Note that $[\![ M_0 ]\!] = \{\binom{0.6}{0}\}$. The counter-machine
state $\langle \ell_0, M_0\rangle$ in tandem with counter valuation $\binom{0}{0}$ represents
the configuration $\langle \ell_0, \nu\rangle$ of A.
There is a delay edge in $C_{\langle \ell_0,\nu\rangle}$ from $\langle \ell_0, M_0\rangle$ to $\langle \ell_0, M_1\rangle$,
where $M_1 = \overrightarrow{M_0} \cap \bigcap_{i=1}^{2} (x_i \leq 1)$. We then have $[\![ M_1 ]\!] = \{\binom{0.6}{0} + t : 0 \leq t \leq 0.4\}$.
The single transition of A yields a discrete edge in $C_{\langle \ell_0,\nu\rangle}$
from $\langle \ell_0, M_1\rangle$ to $\langle \ell_1, M_2\rangle$. This transition in A has guard
$\varphi \stackrel{\text{def}}{=} 0 < x_1 < 1$. This decomposes into separate constraints
on the integer and fractional parts, respectively given by
$\varphi_{\mathrm{int}} \stackrel{\text{def}}{=} (c_1 = 0)$ and $\varphi_{\mathrm{frac}} \stackrel{\text{def}}{=} (0 < x_1 < 1)$.
The integer part $\varphi_{\mathrm{int}}$ becomes the guard of the corresponding
edge in $C_{\langle \ell_0,\nu\rangle}$. The fractional part $\varphi_{\mathrm{frac}}$ is incorporated into
the DBM $M_2$, which is defined as
$$M_2 = (M_1 \cap (0 < x_1 < 1))[x_1 \leftarrow 0],$$
where $[\![ M_2 ]\!] = \{\binom{0}{y} : 0 \leq y < 0.4\}$. There is a further delay
edge in $C_{\langle \ell_0,\nu\rangle}$ from $\langle \ell_1, M_2\rangle$ to $\langle \ell_1, M_3\rangle$.
There is a wrapping edge from $\langle \ell_1, M_3\rangle$ to $\langle \ell_1, M_4\rangle$, where
$M_4 = (M_3 \cap (x_2 = 1))[x_2 \leftarrow 0]$. The counter $c_2$ is
incremented along this edge, corresponding to the integer part
of clock $x_2$ increasing by 1 as time progresses.
The remaining states and edges of $C_{\langle \ell_0,\nu\rangle}$ are illustrated in
Figure 3. Note that we only represent states that are relevant
to expressing reachability from $\ell_0$ to $\ell_1$.
An important fact about the collection of counter machines $C_{\langle \ell,\nu\rangle}$, as $\mathrm{frac}(\nu)$ varies over $[0,1]^{\mathcal{X}}$, is that there
are only finitely many such machines up to isomorphism.
This essentially follows from Proposition 5, which shows that
$\mathrm{closure}(M_{\mathrm{frac}(\nu)})$ is determined by the type of $\mathrm{frac}(\nu)$. In
the next section we develop this intuition to build a symbolic
counter machine that embodies $C_{\langle \ell,\nu\rangle}$ for all valuations $\nu$ of
the same type.
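The DBM operations behind the delay, wrapping and discrete transitions, together with the exploration of $C_{\langle \ell_0,\nu\rangle}$ for the automaton of Example 6, as an added example that is not the paper's code. The names `DBM`, `decompose`, `explore` and `figure3` are ours; DBM entries are exact fractions so that $0.6$ is represented as $3/5$, the guard decomposition follows Figure 4, and the block also checks the tightness property of Proposition 19 on every DBM it reaches.

```python
"""Counter machine C<l,nu> of Section IV-B over concrete DBMs (added example, not the paper's code)."""
from collections import deque
from fractions import Fraction as F
from itertools import product

# A DBM entry (c, strict) encodes x_i - x_j < c (strict) or x_i - x_j <= c; (None, True) is (<, infinity).
INF, ZERO = (None, True), (F(0), False)

def tighter(a, b):
    """True if entry a is strictly tighter than b: smaller bound, or equal bound but strict versus non-strict."""
    if b[0] is None:
        return a[0] is not None
    return a[0] is not None and (a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1]))

def add(a, b):
    return INF if a[0] is None or b[0] is None else (a[0] + b[0], a[1] or b[1])

class DBM:
    """Canonical (n+1)x(n+1) difference bound matrix over clocks x_1..x_n; index 0 is the constant clock x_0 = 0."""
    def __init__(self, n, cells=None):
        self.n = n
        self.m = cells or [[ZERO if i == j else INF for j in range(n + 1)] for i in range(n + 1)]
    def copy(self):
        return DBM(self.n, [row[:] for row in self.m])
    def canonical(self):
        """Floyd-Warshall tightening: every entry becomes the tightest bound implied by the others."""
        for k, i, j in product(range(self.n + 1), repeat=3):
            via = add(self.m[i][k], self.m[k][j])
            if tighter(via, self.m[i][j]):
                self.m[i][j] = via
        return self
    def consistent(self):
        return not any(tighter(self.m[i][i], ZERO) for i in range(self.n + 1))
    def constrain(self, i, j, bound):
        """M ∩ (x_i - x_j ≺ c) for the atomic constraint bound = (c, strict)."""
        d = self.copy()
        if tighter(bound, d.m[i][j]):
            d.m[i][j] = bound
        return d.canonical()
    def delay(self):
        """->M ∩ ⋂_i (x_i <= 1): let time elapse while keeping every clock in [0, 1] (delay transition)."""
        d = self.copy()
        for i in range(1, self.n + 1):
            d.m[i][0] = (F(1), False)
        return d.canonical()
    def reset(self, i):
        """M[x_i <- 0]."""
        d = self.copy()
        for j in range(self.n + 1):
            d.m[i][j], d.m[j][i] = self.m[0][j], self.m[j][0]
        d.m[i][i] = ZERO
        return d.canonical()
    def wrap(self, i):
        """(M ∩ (x_i = 1))[x_i <- 0] (wrapping transition), or None if M ∩ (x_i = 1) is empty."""
        w = self.constrain(i, 0, (F(1), False)).constrain(0, i, (F(-1), False))
        return w.reset(i) if w.consistent() else None
    def key(self):
        return tuple(tuple(row) for row in self.m)
    def contains(self, v):
        """Membership of the valuation v = (v_1, ..., v_n) in [[M]]."""
        x = [F(0), *v]
        return all(c is None or (x[i] - x[j] < c if s else x[i] - x[j] <= c)
                   for i, row in enumerate(self.m) for j, (c, s) in enumerate(row))
    def tight(self):
        """Tightness (Appendix B): each non-integer entry m_ij equals m_in + m_nj, n being the reference clock."""
        n = self.n
        return all(c is None or c.denominator == 1 or self.m[i][j] == add(self.m[i][n], self.m[n][j])
                   for i, row in enumerate(self.m) for j, (c, _) in enumerate(row))

def decompose(x, rel, k):
    """Fig. 4: split the basic guard `x rel k` into a counter guard (as text) and atomic fractional constraints."""
    below_one, positive = (x, 0, (F(1), True)), (0, x, (F(0), True))   # frac(x) < 1 and frac(x) > 0
    return {"<": (f"c{x} <= {k - 1}", [below_one]),                      # x < k
            "=": (f"c{x} = {k}", [(x, 0, ZERO), (0, x, ZERO)]),          # x = k
            "()": (f"c{x} = {k}", [below_one, positive]),                # k < x < k + 1
            ">=": (f"c{x} >= {k}", [(0, x, ZERO)])}[rel]                 # x >= k

def explore(transitions, loc0, nu):
    """Reachable part of the counter machine C<loc0, nu>; nu is the fractional valuation, in [0, 1]^n.
    transitions: (source, integer guard, fractional constraints, reset clock, target). Returns (start, dbms, edges)."""
    n, M0 = len(nu), DBM(len(nu))
    for i, v in enumerate(nu, 1):                      # M0 = M_nu, the DBM describing exactly the point nu
        M0 = M0.constrain(i, 0, (v, False)).constrain(0, i, (-v, False))
    start, dbms, edges, work = (loc0, M0.key()), {M0.key(): M0}, {}, deque([(loc0, M0.key())])
    while work:
        state = work.popleft()
        if state in edges:
            continue
        loc, M = state[0], dbms[state[1]]
        succ = [("nop (delay)", loc, M.delay())]
        for i in range(1, n + 1):                       # clock x_i reaches 1: wrap it and increment c_i
            if (W := M.wrap(i)) is not None:
                succ.append((f"inc(c{i}) (wrapping)", loc, W))
        for src, ig, fg, r, dst in transitions:         # discrete: phi_frac goes into the DBM, phi_int is the guard
            if src != loc:
                continue
            G = M
            for i, j, b in fg:
                G = G.constrain(i, j, b)
            if G.consistent():
                succ.append((f"reset(c{r}) guarded by {ig} (discrete)", dst, G.reset(r)))
        edges[state] = [(lab, (l2, dbms.setdefault(M2.key(), M2).key())) for lab, l2, M2 in succ]
        work.extend(s for _, s in edges[state])
    return start, dbms, edges

def figure3(nu=(F(3, 5), F(0))):
    """C<l0, nu> for the automaton of Fig. 3: one transition l0 -> l1 with guard 0 < x1 < 1 and reset x1."""
    int_guard, frac_guard = decompose(1, "()", 0)
    return explore([("l0", int_guard, frac_guard, 1, "l1")], "l0", nu)
```

Following the path $M_0 \to M_1 \to M_2 \to M_3 \to M_4 \to M_5$ with these operations reproduces the zones of Example 6, and the wrapping of $x_1$ from $M_5$ leads back to $M_2$, which is why the closure is finite.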
C. Parametric Region Automata
Consider a timed automaton A with $n$ clocks, a location $\ell$
of A, and an $n$-type $\tau$. In this section we define a monotonic
counter machine $C_{\langle \ell,\tau\rangle}$ that can be seen as a parametric version
of the counter machine $C_{\langle \ell,\nu\rangle}$ from the previous section, where
valuation $\nu$ has type $\tau$.
First recall that $M_\tau = (\prec_{i,j}, m_{i,j})$ is the parametric DBM
over $\mathrm{TR}(\tau)$ such that $\prec_{i,j} = \leq$ and $m_{i,j} = [r_i - r_j]$ for $0 \leq i, j \leq n$.
The construction of the counter machine $C_{\langle \ell,\tau\rangle}$ is formally
very similar to that of $C_{\langle \ell,\nu\rangle}$. Specifically, the set $S$ of states of
$C_{\langle \ell,\tau\rangle}$ comprises all pairs $\langle \ell', M'\rangle$ such that $\ell' \in L$ is a location
in A and $M' \in \mathrm{closure}(M_\tau)$ is a consistent parametric DBM.
The set of counters is $C = \{c_1, \ldots, c_n\}$, where $n$ is the
number of clocks in A. The transitions of $C_{\langle \ell,\tau\rangle}$ are defined
in a formally identical way to those of $C_{\langle \ell,\nu\rangle}$; we simply
replace operations on concrete DBMs with the corresponding
operations on parametric DBMs.
With the above definition, it follows from Proposition 4 that
the counter machines $C_{\langle \ell,\tau\rangle}$ and $C_{\langle \ell,\nu\rangle}$ are isomorphic via the
map sending a control state $\langle \ell, M\rangle$ of $C_{\langle \ell,\tau\rangle}$ to the control
state $\langle \ell, \nu(M)\rangle$ of $C_{\langle \ell,\nu\rangle}$. Proposition 8 then yields:
Theorem 9. Consider states $\langle \ell, \nu\rangle$ and $\langle \ell', \nu'\rangle$ of a timed
automaton A such that $\mathrm{frac}(\nu)$ has type $\tau$. Then $\langle \ell', \nu'\rangle$
is reachable from $\langle \ell, \nu\rangle$ in A if and only if there exists
some DBM $M' \in \mathrm{closure}(M_\tau)$ such that the configuration $\langle \langle \ell', M'\rangle, \lfloor \nu' \rfloor\rangle$ is reachable from $\langle \langle \ell, M_\tau\rangle, \lfloor \nu \rfloor\rangle$ in the
counter machine $C_{\langle \ell,\tau\rangle}$ and $\mathrm{frac}(\nu') \in [\![ \mathrm{frac}(\nu)(M') ]\!]$.
D. Reachability Formula
We are now in a position to state our main result.
Theorem 10. Given a timed automaton A with $n$ clocks and
locations $\ell, \ell'$, we can compute in exponential time a formula
$$\varphi_{\ell,\ell'}(z_1, \ldots, z_n, r_1, \ldots, r_n, z'_1, \ldots, z'_n, r'_1, \ldots, r'_n)$$
in the existential fragment¹ of $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$ such that there is a finite
run in A from state $\langle \ell, \nu\rangle$ to state $\langle \ell', \nu'\rangle$ just in case
$$\langle \lfloor \nu \rfloor, \mathrm{frac}(\nu), \lfloor \nu' \rfloor, \mathrm{frac}(\nu')\rangle \models \varphi_{\ell,\ell'}.$$
¹We claim that this result can be strengthened to state that the reachability
relation can be expressed by a quantifier-free formula, again computable in
exponential time. To do this one can exploit structural properties of the class of
monotonic counter machines that arise from timed automata. We omit details.
Proof. We give the definition of $\varphi_{\ell,\ell'}$ below and justify the
complexity bound in Appendix E.
For simplicity we write formula $\varphi_{\ell,\ell'}$ as a disjunction over
the collection $\mathrm{Tp}_n$ of all $n$-types. However each disjunct only
depends on the restriction of the type $\tau$ to the (finite) set of
atomic formulas $t \leq t'$ with $t, t' \in \mathrm{DTR}(n)$; so $\varphi_{\ell,\ell'}$ can
equivalently be written as a finite disjunction. We define
$$\varphi_{\ell,\ell'} \stackrel{\text{def}}{=} \bigvee_{\tau \in \mathrm{Tp}_n} \alpha^\tau \wedge \chi^\tau_{\ell,\ell'} \qquad (4)$$
where the subformulas $\alpha^\tau$ and $\chi^\tau_{\ell,\ell'}$ are defined below.
The Hintikka formula $\alpha^\tau(r_1, \ldots, r_n)$² is defined by
$$\alpha^\tau \stackrel{\text{def}}{=} \bigwedge_{\substack{t,t' \in \mathrm{DTR}(n)\\ (t \leq t') \in \tau}} t \leq t' \;\wedge\; \bigwedge_{\substack{t,t' \in \mathrm{DTR}(n)\\ (t \leq t') \notin \tau}} \neg(t \leq t').$$
Given a valuation $\nu \in \mathbb{R}^{\mathcal{X}}_{\geq 0}$, $\mathrm{frac}(\nu) \models \alpha^\tau$ just in case the set
of difference formulas satisfied by $\mathrm{frac}(\nu)$ is identical to the
set of difference formulas in $\tau$.
Formula $\chi^\tau_{\ell,\ell'}$ is defined by writing
$$\chi^\tau_{\ell,\ell'} \stackrel{\text{def}}{=} \bigvee_{\substack{M \in \mathrm{closure}(M_\tau)\\ M = (\prec_{i,j}, m_{i,j})}} \Big( \psi_{\langle \ell, M_\tau\rangle, \langle \ell', M\rangle}(z_1, \ldots, z_n, z'_1, \ldots, z'_n) \;\wedge \bigwedge_{0 \leq i,j \leq n} r'_i - r'_j \prec_{i,j} m_{i,j} \Big).$$
Here the subformula $\psi_{\langle \ell, M_\tau\rangle, \langle \ell', M\rangle}$ expresses the reachability
relation in the counter machine $C_{\langle \ell,\tau\rangle}$ between control states
$\langle \ell, M_\tau\rangle$ and $\langle \ell', M\rangle$, as per Proposition 7. Recall from
Corollary 6 that each $m_{i,j}$ is a difference term involving
variables $r_0, \ldots, r_n$. The correctness of $\varphi_{\ell,\ell'}$ is immediate
from Proposition 7 and Theorem 9.
Example 7. Consider the timed automaton A in Figure 3.
Fix the type $\tau_1$ for the valuation $\binom{0.6}{0}$. We illustrate the
relevant part of the counter machine $C_{\langle \ell_0,\tau_1\rangle}$ in Figure 5.
States $\langle \ell, M\rangle$ of the machine comprise a location $\ell$ and a
parametric DBM $M$. Moreover, $M_0 = M_{\tau_1}$. The placement
of a transition between $\langle \ell_1, M_5\rangle$ and $\langle \ell_1, M_2\rangle$ relies on the
fact that terms $-r_2$ and $0$ are equivalent with respect to the
equivalence relation on terms induced by $\tau_1$.
Let $\alpha^{\tau_1}$ be the Hintikka formula of the type $\tau_1$. Clearly,
$\langle 0.6, 0\rangle \models \alpha^{\tau_1}$. We define $\chi^{\tau_1}_{\ell_0,\ell_1}$ as follows:
$$\chi^{\tau_1}_{\ell_0,\ell_1} \stackrel{\text{def}}{=} (z_1 = 0) \wedge \Big[ \big[(z'_2 - z'_1 = z_2 - z_1) \wedge (\psi_2 \vee \psi_3)\big] \vee \big[(z'_2 - z'_1 = -1 + z_2 - z_1) \wedge (\psi_4 \vee \psi_5)\big] \Big],$$
²Recall that by convention $[r_0] = [0]$, thus we treat variable $r_0$ as
synonymous with the constant 0.
[Figure 5: the parametric DBMs of the counter machine $C_{\langle \ell_0,\tau_1\rangle}$, each a $3 \times 3$ matrix of entries $(\prec, m)$ with rows and columns indexed by $x_0, x_1, x_2$:
$M_0 = \begin{pmatrix} (\leq,0) & (\leq,-r_1) & (\leq,-r_2) \\ (\leq,r_1) & (\leq,0) & (\leq,r_1-r_2) \\ (\leq,r_2) & (\leq,r_2-r_1) & (\leq,0) \end{pmatrix}$ at $\langle \ell_0, M_0\rangle$,
$M_1 = \begin{pmatrix} (\leq,0) & (\leq,-r_1) & (\leq,-r_2) \\ (\leq,1) & (\leq,0) & (\leq,r_1-r_2) \\ (\leq,r_2-r_1+1) & (\leq,r_2-r_1) & (\leq,0) \end{pmatrix}$ at $\langle \ell_0, M_1\rangle$,
$M_2 = \begin{pmatrix} (\leq,0) & (\leq,0) & (\leq,-r_2) \\ (\leq,0) & (\leq,0) & (\leq,-r_2) \\ (<,r_2-r_1+1) & (<,r_2-r_1+1) & (\leq,0) \end{pmatrix}$ at $\langle \ell_1, M_2\rangle$,
$M_3 = \begin{pmatrix} (\leq,0) & (<,0) & (\leq,-r_2) \\ (\leq,1) & (\leq,0) & (\leq,-r_2) \\ (\leq,1) & (<,r_2-r_1+1) & (\leq,0) \end{pmatrix}$ at $\langle \ell_1, M_3\rangle$,
$M_4 = \begin{pmatrix} (\leq,0) & (<,r_2-r_1) & (\leq,0) \\ (\leq,1) & (\leq,0) & (\leq,1) \\ (\leq,0) & (<,r_2-r_1) & (\leq,0) \end{pmatrix}$ at $\langle \ell_1, M_4\rangle$,
$M_5 = \begin{pmatrix} (\leq,0) & (<,r_2-r_1) & (\leq,0) \\ (\leq,1) & (\leq,0) & (\leq,1) \\ (<,r_2-r_1+1) & (<,r_2-r_1) & (\leq,0) \end{pmatrix}$ at $\langle \ell_1, M_5\rangle$.
The edges, in order along the path $M_0, M_1, \ldots, M_5$ and back to $M_2$, carry the operations nop, $\mathrm{reset}(c_1)$ with guard $c_1 = 0$, nop, $\mathrm{inc}(c_2)$, nop, $\mathrm{inc}(c_1)$.]
Fig. 5. The (relevant part of the) counter machine $C_{\langle \ell_0,\tau_1\rangle}$ constructed from the timed automaton in Figure 3, where $\tau_1$ is the type of the valuation $\nu$ with
$\nu_1 = 0.6$ and $\nu_2 = 0$. The placement of a transition between $\langle \ell_1, M_5\rangle$ and $\langle \ell_1, M_2\rangle$ relies on the fact that terms $-r_2$ and $0$ are equivalent under the
preorder induced by $\tau_1$.
where $\psi_2$, $\psi_3$, $\psi_4$ and $\psi_5$ are given in the following:
$$\begin{aligned}
\psi_2 &\equiv (r'_1 = 0) \wedge (r_2 \leq r'_2 < r_2 - r_1 + 1),\\
\psi_3 &\equiv (0 < r'_1) \wedge (r_2 \leq r'_2) \wedge (r_2 \leq r'_2 - r'_1 < r_2 - r_1 + 1),\\
\psi_4 &\equiv (r_2 - r_1 < r'_1) \wedge (r'_2 = 0),\\
\psi_5 &\equiv (r_2 - r_1 < r'_1) \wedge (r'_2 < r_2 - r_1 + 1) \wedge (-1 \leq r'_2 - r'_1 < r_2 - r_1).
\end{aligned}$$
The formulae $\psi_i$ (with $i \in \{2, 3, 4, 5\}$) summarise the
constraints placed on $r'_1$ and $r'_2$ by the parametric DBMs $M_i$
in the counter machine $C_{\langle \ell_0,\tau_1\rangle}$. See Figure 5 for the given
constraints in the parametric DBMs $M_i$. Recall that real-valued variables $r_i, r'_i$ range over the interval $[0, 1]$.
Let $\tau_2$ be the type for the valuation $\binom{0}{0.2}$. In comparison
with $C_{\langle \ell_0,\tau_1\rangle}$, we present the counter machine $C_{\langle \ell_0,\tau_2\rangle}$ in
Figure 6 in Appendix F.
The formula $\varphi_{\ell_0,\ell_1}$, expressing the set of valuations $\nu$ and
$\nu'$ such that $\langle \ell_1, \nu'\rangle$ is reachable from $\langle \ell_0, \nu\rangle$, is then the
disjunction of all formulas $\alpha^\tau \wedge \chi^\tau_{\ell_0,\ell_1}$ for types $\tau \in \mathrm{Tp}_n$:
$$\varphi_{\ell_0,\ell_1} = (\alpha^{\tau_1} \wedge \chi^{\tau_1}_{\ell_0,\ell_1}) \vee (\alpha^{\tau_2} \wedge \chi^{\tau_2}_{\ell_0,\ell_1}) \vee \cdots.$$
V. PARAMETRIC TIMED REACHABILITY LOGIC
Let $A = \langle L, \mathcal{X}, E\rangle$ be a timed automaton augmented with
a labelling function $\mathit{LB} : L \to 2^{AP}$. Let $\varphi$ be a sentence of
PTRL. Recall that the model checking problem of A against $\varphi$
asks, given a state $\langle \ell, \nu\rangle$ of A, whether $\langle \ell, \nu\rangle \models \varphi$.
In this section we prove the following result.
Theorem 11. The model-checking problem for PTRL is decidable in EXPSPACE and is NEXPTIME-hard.
For membership in EXPSPACE, given a timed automaton A, a configuration $\langle \ell, \nu\rangle$ of A, and a sentence $\psi$ of PTRL,
we construct in exponential time a sentence $\tilde{\psi}$ of $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$ that
is true if and only if $\langle \ell, \nu\rangle \models \psi$. We thereby obtain an
exponential space algorithm for the model checking problem.
We then prove NEXPTIME-hardness by a reduction from
SUCCINCT 3-SAT.
A. Reduction of Model Checking to Satisfiability
The model checking procedure for PTRL relies on a "cut-down" version of Theorem 10, concerning the logical definability of the reachability relation. In this version, given as
Lemma 12 below, we do not represent the full reachability
relation, but instead abstract the integer parts of all clocks
except the reference clock $x_n$. This abstraction is sufficient
for model-checking PTRL, and moreover allows us to obtain
a formula that lies in the sub-logic $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$, which has better
complexity bounds than the full logic $\mathcal{L}_{\mathbb{R},\mathbb{Z}}$.
Given $N \in \mathbb{N}$, define the set $\mathcal{R}_N$ of regions to be $\mathcal{R}_N = \{0, \ldots, N\} \cup \{\infty\}$. A counter valuation $\upsilon \in \mathbb{N}^n$ is abstracted
to $\mathrm{Reg}(\upsilon) \in \mathcal{R}_N^n$, where
$$\mathrm{Reg}(\upsilon)_i = \begin{cases} \upsilon_i & \text{if } \upsilon_i \leq N \\ \infty & \text{otherwise.} \end{cases}$$
The following lemma is proved in Appendix C.
Lemma 12. Let A be a timed automaton with $n$ clocks and
maximum clock constant $N$. Given two locations $\ell, \ell'$ of A and
$R, R' \in \mathcal{R}_N^n$, we can compute in exponential time a quantifier-free $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$-formula
$$\varphi_{\ell,R,\ell',R'}(z, r_1, \ldots, r_n, z', r'_1, \ldots, r'_n)$$
such that there is a finite run in A from state $\langle \ell, \nu\rangle$ to
state $\langle \ell', \nu'\rangle$, where $\mathrm{Reg}(\lfloor \nu \rfloor) = R$ and $\mathrm{Reg}(\lfloor \nu' \rfloor) = R'$,
just in case
$$\langle \lfloor \nu_n \rfloor, \mathrm{frac}(\nu), \lfloor \nu'_n \rfloor, \mathrm{frac}(\nu')\rangle \models \varphi_{\ell,R,\ell',R'}.$$
Let $\psi$ be a formula of PTRL of the first type, involving the
set of parameters $\theta_1, \ldots, \theta_k$, and let A be a timed automaton
with $n$ clocks and maximum clock constant $N$. For each
location $\ell$ of A and $R \in \mathcal{R}_N^n$ such that $R_n = 0$, we obtain an
$\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$-formula
$$\tilde{\psi}_{\ell,R}(r_1, \ldots, r_n, w_1, \ldots, w_k, s_1, \ldots, s_k)$$
in real variables $\boldsymbol{r} = (r_1, \ldots, r_n)$ and $\boldsymbol{s} = (s_1, \ldots, s_k)$ and
integer variables $\boldsymbol{w} = (w_1, \ldots, w_k)$ such that
$$\langle \mathrm{frac}(\nu), \lfloor \xi \rfloor, \mathrm{frac}(\xi)\rangle \models \tilde{\psi}_{\ell,R} \quad\text{iff}\quad \langle \ell, \nu\rangle \models_\xi \psi$$
for all parameter valuations $\xi \in \mathbb{R}^k_{\geq 0}$ and all clock valuations $\nu \in \mathbb{R}^n_{\geq 0}$ such that $\mathrm{Reg}(\lfloor \nu \rfloor) = R$ and $\nu_n = 0$.
To keep things simple, we assume that every configuration
of A can generate an infinite non-zeno run. It is not difficult
to drop this assumption since the collection of configurations
from which there exists such a run is a union of clock regions
and hence is definable in $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$. We also assume, without loss
of generality, that the reference clock $x_n$ is not mentioned in
any guard of A.
The construction of $\tilde{\psi}_{\ell,R}$ is by induction on the structure
of $\psi$. The induction cases for the Boolean connectives are
straightforward and we concentrate on the induction step for
the connective $\exists\Diamond_{\sim\theta}$. In fact we only consider the case that $\sim$
is the equality relation $=$, the cases for $<$ and $>$ being very
similar.
Suppose that $\psi \equiv \exists\Diamond_{=\theta_i}\psi'$ for some PTRL-formula $\psi'$ and
$i \in \{1, \ldots, k\}$. Then we define
$$\tilde{\psi}_{\ell,R}(\boldsymbol{r}, \boldsymbol{w}, \boldsymbol{s}) \stackrel{\text{def}}{=} \bigvee_{\ell', R'} \exists \boldsymbol{r}' \exists z' \; \varphi_{\ell,R,\ell',R'}(0, \boldsymbol{r}, z', \boldsymbol{r}') \wedge (r'_n = s_i \wedge z' = w_i) \wedge \tilde{\psi}'_{\ell',R'}(r'_1, \ldots, r'_{n-1}, 0, \boldsymbol{w}, \boldsymbol{s})$$
where $\varphi_{\ell,R,\ell',R'}$ is the reachability formula defined in
Lemma 12. Note that this definition relies on the assumption
that the clock $x_n$ is never reset by the timed automaton and
hence can be used to keep track of global time.
This completes the translation of PTRL-formulas of the first
type to formulas of $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$. Extending this inductive translation
to PTRL-formulas of the second type is straightforward,
bearing in mind that we represent each parameter $\theta_i$ by a
variable $w_i$ for its integer part and a variable $s_i$ for its
fractional part. Thus, e.g., the PTRL-formula $\exists\theta_i \psi$ is translated
as $\exists w_i \exists s_i (0 \leq s_i < 1 \wedge \tilde{\psi})$.
Given a sentence $\psi$ of PTRL, location $\ell$ of A, and $R \in \mathcal{R}_N$,
our translation yields a formula $\tilde{\psi}_{\ell,R}(r_1, \ldots, r_n)$ such that for
any valuation $\nu$ with $\mathrm{Reg}(\lfloor \nu \rfloor) = R$ we have $\langle \ell, \nu\rangle \models \psi$ if and
only if $\mathrm{frac}(\nu) \models \tilde{\psi}_{\ell,R}$. By Lemma 12, formula $\tilde{\psi}_{\ell,R}$ has size
singly exponential in the size of $\psi$ and A and quantifier-depth
linear in the size of $\psi$.
The model checking problem then reduces to determining
the truth of $\tilde{\psi}_{\ell,R}$ on $\mathrm{frac}(\nu)$, where $\mathrm{Reg}(\lfloor \nu \rfloor) = R$. Since satisfiability for sentences of $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$ can be decided in polynomial
space in the formula size and exponential space in the number
of quantifiers (by Proposition 2), the model checking problem
of PTRL lies in EXPSPACE.
B. NEXPTIME-Hardness
In this section we show that model checking timed automata
against the fixed PTRL sentence $\exists\theta\, \forall_{=\theta}\, p$ is NEXPTIME-hard. We remark that, due to the punctual constraint $=\theta$, the
above formula expresses a synchronization property: there
exists a duration $\theta$ such that all runs are in a $p$-state after
time exactly $\theta$.
Recall that a Boolean circuit is a finite directed acyclic
graph, whose nodes are called gates. An input gate is a node
with indegree 0. All other gates have label either $\vee$, $\wedge$, or $\neg$.
An output gate is a node with outdegree 0.
We show NEXPTIME-hardness by reduction from the SUCCINCT 3-SAT problem. The input of SUCCINCT 3-SAT is
a Boolean circuit $C$, representing a 3-CNF formula $\varphi_C$, and
the output is whether or not $\varphi_C$ is satisfiable. Specifically, $C$
has 2 output gates, and the input gates are partitioned into
two nonempty sets of respective cardinalities $n$ and $m$. The
formula $\varphi_C$ has $2^n$ variables and $2^m$ clauses (in particular, the
number of variables and clauses in $\varphi_C$ can be exponential in
the size of $C$). The first $n$ inputs of $C$ represent the binary
encoding of the index $i$ of a variable, and the remaining $m$
inputs of $C$ represent the binary encoding of the index $j$
of a clause in $\varphi_C$. The output of $C$ indicates whether the
$i$-th variable occurs positively, negatively, or not at all in
the $j$-th clause of $\varphi_C$. The SUCCINCT 3-SAT problem is
NEXPTIME-complete [21].
Given an instance of SUCCINCT 3-SAT, that is, a Boolean
circuit $C$ as described above, we construct a timed automaton
A augmented with a labelling function $\mathit{LB}$ such that the 3-CNF formula $\varphi_C$ encoded by circuit $C$ is satisfiable if and
only if $(\ell, \boldsymbol{0}) \models \exists\theta\, \forall_{=\theta}\, p$ for some designated location $\ell$.
There are two ideas behind the reduction. First we construct
a linear bounded automaton $B$ from the circuit $C$ such that,
roughly speaking, the 3-CNF formula $\varphi_C$ is satisfiable if and
only if there exists an integer $N$ such that, starting from an
initial configuration, all length-$N$ paths in the configuration
graph of $B$ end in a configuration with label $p$. The second
part of the reduction is to encode the configuration
graph of $B$ as the configuration graph of a timed automaton
A.
We construct $B$ such that its number of control states
is polynomial in the size of $C$, and we fix an initial tape
configuration of $B$ of length likewise bounded by a polynomial
in the size of $C$. We designate certain transitions of $B$ as X-transitions. In every computation of $B$, the sequence of steps
between the $i$-th and $(i+1)$-st X-transitions, for $i \in \mathbb{N}$, is
referred to as the $i$-th phase of the computation. We design $B$
so that the number of steps in the $i$-th phase is independent
of the nondeterministic choices along the run.
The definition of $B$ is predicated on a numerical encoding
of propositional valuations. Suppose that $X_1, \ldots, X_{2^n}$ are the
variables occurring in $\varphi_C$, and write $p_1, \ldots, p_{2^n}$ for the first
$2^n$ prime numbers in increasing order. Given a positive integer
$N$, we obtain a Boolean valuation of $X_1, \ldots, X_{2^n}$ in which
$X_j$ is false if, and only if, $N \bmod p_j = 0$. With this encoding
in hand, we proceed to define $B$:
1) In the first phase, $B$ guesses three $n$-bit numbers $1 \leq i_1, i_2, i_3 \leq 2^n$ and a single $m$-bit number $1 \leq j \leq 2^m$
and writes them on its tape.
2) In the second phase, $B$ computes the three prime numbers $p_{i_1}, p_{i_2}, p_{i_3}$ and writes them on its tape.
3) In the third phase, by simulating the circuit $C$, $B$ determines whether the propositional variables $X_{i_1}, X_{i_2}, X_{i_3}$
appear in the $j$-th clause of $\varphi_C$, henceforth denoted $\psi_j$.
If one of them does not appear at all, then $B$ moves
into an accepting self-loop. Otherwise, $B$ remembers
in its state whether $X_{i_1}, X_{i_2}, X_{i_3}$ appear positively or
negatively in $\psi_j$, and then $B$ proceeds to the next phase.
4) From phase four onwards, $B$ maintains on its tape three
counters, respectively counting modulo $p_{i_1}, p_{i_2}, p_{i_3}$. In
every successive phase, each of these counters is incremented by one. At the end of each phase, $B$ checks
whether the values of the counters encode a satisfying
valuation of clause $\psi_j$. If this is the case, then $B$ moves
into an accepting state. Otherwise $B$ proceeds to the next
phase.
By construction, $N \in \mathbb{N}$ encodes a satisfying valuation of $\varphi_C$
if and only if all computation paths of $B$ reach an accepting
state at the end of the $(N+3)$-rd phase.
It remains to explain how from $B$ one can define a timed
automaton A whose configuration graph embeds the configuration graph of $B$. The construction is adapted from the
PSPACE-hardness proof for reachability in timed automata [1].
We refer to Appendix G for details of this construction. In the
end, the initial configuration $(\ell, \boldsymbol{0})$ of A satisfies $\exists\theta\, \forall_{=\theta}\, p$
if and only if $\varphi_C$ is satisfiable.
VI. CONCLUSION
We have given a new proof of the result of Comon and
Jurski that the reachability relation of a timed automaton
is definable in linear arithmetic. In addition to making the
result more accessible, our main motivations in revisiting this
result concerned potential applications and generalisations.
With regard to applications, we have already put the new proof
to work in deriving complexity bounds for model checking the
reachability fragment of parametric TCTL. In future work we
would like to see whether ideas from this paper can be applied
to give a more fine-grained analysis of extensions of timed
automata, such as timed games and priced timed automata.
We claim that a finer analysis of the complexity of our decision procedure for model checking PTRL yields membership
of the problem in the complexity class $\mathrm{STA}(*, 2^{O(n)}, n)$, i.e.,
the class of languages accepted by alternating Turing machines
running in time $2^{O(n)}$ and making at most $n$ alternations on
an input of length $n$. This improved upper bound follows
from a refinement of the statement of Proposition 2, on the
complexity of the decision problem for $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$, to state that the
truth of a prenex-form sentence of size $n$ and with $k$ quantifier
alternations can be decided by a polynomial time alternating
Turing machine, making at most $k$ alternations.
We claim also that our NEXPTIME-hardness result can be
strengthened to match the new upper bound. The idea here
would be to reduce a version of SUCCINCT 3-SAT with
quantifier alternation to model checking PTRL formulas of
the form $Q_1\theta_1 \ldots Q_k\theta_k\, \forall_{=\theta_1} \ldots \forall_{=\theta_k}\, p$ for $Q_1, \ldots, Q_k$ a
sequence of quantifiers with $k$ alternations.
Details of the improved upper and lower complexity bounds
will appear in a subsequent version of this paper.
Acknowledgements. This work was partially supported by
the EPSRC through grants EP/M012298/1 and EP/M003795/1
and by the German Research Foundation (DFG), project QU
316/1-2.
REFERENCES
[1] R. Alur and D. L. Dill, “A theory of timed automata,” Theor.
Comput. Sci., vol. 126, no. 2, pp. 183–235, 1994. [Online]. Available:
http://dx.doi.org/10.1016/0304-3975(94)90010-8
[2] H. Comon and Y. Jurski, “Timed automata and the theory of real
numbers,” in CONCUR ’99: Concurrency Theory, 10th International
Conference, Eindhoven, The Netherlands, August 24-27, 1999, Proceed-
ings, ser. Lecture Notes in Computer Science, vol. 1664. Springer,
1999, pp. 242–257.
[3] ——, “Timed automata and the theory of real numbers,” LSV, ENS
Cachan, Tech. Rep. LSV-99-6, July 1999.
[4] J. Ferrante and C. Rackoff, “A decision procedure for the first order
theory of real addition with order,” SIAM J. Comput., vol. 4, no. 1, pp.
69–76, 1975. [Online]. Available: http://dx.doi.org/10.1137/0204006
[5] A. W. To, “Model checking FO(R) over one-counter processes and
beyond,” in Computer Science Logic, 23rd international Workshop,
CSL, Proceedings, ser. Lecture Notes in Computer Science, vol. 5771.
Springer, 2009, pp. 485–499.
[6] Z. Dang, “Pushdown timed automata: a binary reachability characteri-
zation and safety verification,” Theor. Comput. Sci., vol. 302, no. 1-3,
pp. 93–121, 2003.
[7] C. Dima, “Computing reachability relations in timed automata,” in
17th IEEE Symposium on Logic in Computer Science (LICS 2002),
Proceedings. IEEE Computer Society, 2002, p. 177.
[8] V. Bruyère, E. Dall'Olio, and J. Raskin, "Durations and
parametric model-checking in timed automata,” ACM Trans.
Comput. Log., vol. 9, no. 2, 2008. [Online]. Available:
http://doi.acm.org/10.1145/1342991.1342996
[9] ——, “Durations, parametric model-checking in timed automata with
presburger arithmetic,” in STACS 2003, 20th Annual Symposium on
Theoretical Aspects of Computer Science, Berlin, Germany, February 27
- March 1, 2003, Proceedings, ser. Lecture Notes in Computer Science,
vol. 2607. Springer, 2003, pp. 687–698.
[10] A. Annichini, E. Asarin, and A. Bouajjani, “Symbolic techniques for
parametric reasoning about counter and clock systems,” in Computer
Aided Verification, 12th International Conference, CAV 2000, Proceed-
ings, ser. Lecture Notes in Computer Science, vol. 1855. Springer,
2000, pp. 419–434.
[11] T. Hune, J. Romijn, M. Stoelinga, and F. W. Vaandrager, “Linear
parametric model checking of timed automata,” J. Log. Algebr. Program.,
vol. 52-53, pp. 183–220, 2002.
[12] B. Bérard, A. Petit, V. Diekert, and P. Gastin, "Characterization of
the expressive power of silent transitions in timed automata,” Fundam.
Inform., vol. 36, no. 2-3, pp. 145–182, 1998.
[13] L. Berman, "The complexity of logical theories," Theor.
Comput. Sci., vol. 11, pp. 71–77, 1980. [Online]. Available:
http://dx.doi.org/10.1016/0304-3975(80)90037-7
[14] E. D. Sontag, "Real addition and the polynomial hierarchy," Inf. Process.
Lett., vol. 20, pp. 115–120, 1985.
[15] V. Weispfenning, “The complexity of linear problems in fields,” J. Symb.
Comput., vol. 5, no. 1-2, pp. 3–27, Feb. 1988.
[16] R. Alur, C. Courcoubetis, and D. L. Dill, “Model-checking in dense
real-time,” Inf. Comput., vol. 104, no. 1, pp. 2–34, 1993. [Online].
Available: http://dx.doi.org/10.1006/inco.1993.1024
[17] E. M. Clarke, Jr., O. Grumberg, and D. A. Peled, Model Checking.
Cambridge, MA, USA: MIT Press, 1999.
[18] P. Bouyer, “Untameable timed automata!” in STACS 2003, 20th Annual
Symposium on Theoretical Aspects of Computer Science, Berlin, Ger-
many, February 27 - March 1, 2003, Proceedings, ser. Lecture Notes in
Computer Science, vol. 2607. Springer, 2003, pp. 620–631.
[19] A. Finkel and A. Sangnier, “Reversal-bounded counter machines revis-
ited,” in Mathematical Foundations of Computer Science 2008, 33rd
International Symposium, MFCS 2008, Proceedings, ser. Lecture Notes
in Computer Science, vol. 5162. Springer, 2008, pp. 323–334.
[20] J. Bengtsson and W. Yi, “Timed automata: Semantics, algorithms and
tools,” ser. Lecture Notes in Computer Science, vol. 3098. Springer,
2003, pp. 87–124.
[21] C. H. Papadimitriou and M. Yannakakis, “A note on succinct represen-
tations of graphs,” Information and Control, vol. 71, no. 3, pp. 181–185,
1986.
[22] D. C. Kozen, Automata and Computability, 1st ed. Secaucus, NJ, USA:
Springer-Verlag New York, Inc., 1997.
[23] M. Chrobak, “Finite automata and unary languages,” Theor. Comput.
Sci., vol. 47, no. 3, pp. 149–158, 1986. [Online]. Available:
http://dx.doi.org/10.1016/0304-3975(86)90142-8
[24] A. Martinez, “Efficient computation of regular expressions from unary
nfas,” in Fourth International Workshop on Descriptional Complexity of
Formal Systems - DCFS 2002, vol. Report No. 586. Department of
Computer Science, The University of Western Ontario, Canada, 2002,
pp. 174–187.
APPENDIX
A. Proof of Proposition 2
We first recall that the language $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$ has terms of both real-number sort and integer sort, where the atomic formulas:
• if integer sort, have form
$$z - z' \leq c \;\mid\; z \leq c \;\mid\; z - z' \equiv c \pmod d \qquad (5)$$
for integer variables $z, z'$ and integers $c, d$.
• if real-number sort, have form $t \leq t'$ where $t, t'$ are derived by the grammar
$$t ::= c \mid r \mid t + t \mid t - t,$$
where $c \in \mathbb{Q}$ is a constant and $r \in \{r_0, r_1, \ldots\}$ is a real-valued variable.
One can prove Proposition 2 by combining the quantifier-elimination procedures of Ferrante and Rackoff [4], [22] for $\mathcal{L}_{\mathbb{R}}$
and To [5, Section 4] for the fragment of Presburger arithmetic in which atomic formulas have the form shown in (5).
To eliminate quantifiers in formulas of real arithmetic, Ferrante and Rackoff [4] define an equivalence relation $R^k_m$ on $k$-tuples
of real numbers. The relation is such that $R^k_m$-equivalent $k$-tuples agree on all quantifier-free formulas in which the largest (absolute) constant is at most $m$. We refer the reader to [22] for the definition of $R^k_m$; here we just recall the
key results.
Let $A^k_m$ be the set of all affine functions $f : \mathbb{R}^k \to \mathbb{R}$ with integer coefficients, where the largest (absolute) constant or coefficient is at most $m$.
Lemma 13 (Lemma 22.3 and 22.4 from [22]). Given two $k$-tuples $\boldsymbol{a} = (a_1, \cdots, a_k)$ and $\boldsymbol{b} = (b_1, \cdots, b_k)$ of real numbers
such that $\boldsymbol{a} \; R^k_{2m^2} \; \boldsymbol{b}$ for some $m \in \mathbb{Z}_{>0}$, then for all $c \in \mathbb{R}$ there exists $d \in \mathbb{R}$ such that $(\boldsymbol{a}, c) \; R^{k+1}_m \; (\boldsymbol{b}, d)$. Moreover, $d$ can
be chosen to have the form $f(\boldsymbol{b})/e$ where $f \in A^k_{2m^2}$ and $|e| \leq 2m^2$.
To eliminate quantifiers in formulas of the above fragment of Presburger arithmetic, analogously to the relation $R^k_m$, To [5,
Definition 6] has defined an equivalence relation $Z^k_{p,m}$ on $k$-tuples of integers, where $p, m \in \mathbb{Z}_{>0}$. The relation is such
that $Z^k_{p,m}$-equivalent $k$-tuples agree on all quantifier-free formulas in which the largest (absolute) constant is at
most $m$ and the period of the formula is $p$. The period of the formula is the least common multiple of the periods $e$ of each
atomic term $z - z' \equiv c \pmod e$. We refer the reader to [5] for the definition of $Z^k_{p,m}$; here we just recall the key results.
Lemma 14 (Lemma 7 and 8 from [5]). Given two $(k+1)$-tuples $\boldsymbol{a} = (a_0, \cdots, a_k)$ and $\boldsymbol{b} = (b_0, \cdots, b_k)$ of integers such that
$a_0 = b_0 = 0$ and $\boldsymbol{a} \; Z^k_{p,3m} \; \boldsymbol{b}$ for some $p, m > 0$, then for all $c \in \mathbb{N}$ there exists $d \in \mathbb{N}$ such that $(\boldsymbol{a}, c) \; Z^{k+1}_{p,m} \; (\boldsymbol{b}, d)$. Moreover,
$d$ can be chosen such that $0 \leq d \leq \max(b_0, \cdots, b_k) + pm + p$.
Fix $m \in \mathbb{Z}_{>0}$. For all $n \in \mathbb{N}$, define $g(0, m) \stackrel{\text{def}}{=} m$ and $g(n+1, m) \stackrel{\text{def}}{=} 2\, g(n, m)^2$; moreover, define $h(0, m) \stackrel{\text{def}}{=} m$ and
$h(n+1, m) \stackrel{\text{def}}{=} 3\, h(n, m)$.
Lemma 15. Let $\varphi(r_1, \cdots, r_k, z_0, \cdots, z_{k'})$ be a formula in $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$, with $k$ free real-valued variables $r_i$ and $k'$ free integer
variables $z_i$, and with $n$ quantifiers over real-valued variables and $n'$ quantifiers over integer-valued variables, where $m$ is
the largest (absolute) constant and $p$ is the period of the formula. Suppose $\boldsymbol{a}, \boldsymbol{b} \in \mathbb{R}^k$ are $k$-tuples of real numbers such that
$\boldsymbol{a} \; R^k_{g(n,m)} \; \boldsymbol{b}$. Suppose $\boldsymbol{a}', \boldsymbol{b}' \in \mathbb{N}^{k'}$ are $k'$-tuples of integers such that $\boldsymbol{a}' \; Z^{k'}_{p,h(n',m)} \; \boldsymbol{b}'$. Then, we have
$$\varphi(\boldsymbol{a}, \boldsymbol{a}') \text{ holds} \iff \varphi(\boldsymbol{b}, \boldsymbol{b}') \text{ holds}.$$
Proof. The proof is by an induction on the structure of the formula. For atomic formulas of each sort, the result is immediate
from the definition of the equivalence relations $R^k_m$ and $Z^k_{p,m}$. For the Boolean connectives, the result is straightforward using the
induction hypothesis for each subformula.
• For formulas $\exists r\, \varphi(\boldsymbol{a}, \boldsymbol{a}', r)$, where $r$ is a real-valued variable: suppose $\exists r\, \varphi(\boldsymbol{a}, \boldsymbol{a}', r)$ holds, and let $c \in \mathbb{R}$ be such that
$\varphi(\boldsymbol{a}, \boldsymbol{a}', c)$ holds. Since $\boldsymbol{a} \; R^k_{g(n,m)} \; \boldsymbol{b}$, by Lemma 13, there exists some $d$ such that $(\boldsymbol{a}, c) \; R^{k+1}_{g(n-1,m)} \; (\boldsymbol{b}, d)$. Applying the
induction hypothesis, $\exists r\, \varphi(\boldsymbol{b}, \boldsymbol{b}', r)$ holds, too.
• For formulas $\exists z\, \varphi(\boldsymbol{a}, \boldsymbol{a}', z)$, where $z$ is an integer-valued variable: suppose $\exists z\, \varphi(\boldsymbol{a}, \boldsymbol{a}', z)$ holds, and let $c' \in \mathbb{N}$ be such
that $\varphi(\boldsymbol{a}, \boldsymbol{a}', c')$ holds. Since $\boldsymbol{a}' \; Z^{k'}_{p,h(n',m)} \; \boldsymbol{b}'$, by Lemma 14, there exists some $d'$ such that $(\boldsymbol{a}', c') \; Z^{k+1}_{p,h(n'-1,m)} \; (\boldsymbol{b}', d')$.
Applying the induction hypothesis, $\exists z\, \varphi(\boldsymbol{b}, \boldsymbol{b}', z)$ holds, too.
The induction step for formulas $\forall r\, \varphi(\boldsymbol{a}, \boldsymbol{a}', r)$ and $\forall z\, \varphi(\boldsymbol{a}, \boldsymbol{a}', z)$ is similar.
Given a prenex-form sentence $\varphi$ of $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$, using Lemma 15 we derive an equivalent formula in which all quantifiers range
over finite domains. Specifically, if $\varphi$ has $n$ quantifiers over real variables and $n'$ quantifiers over integer variables, maximum
constant $m$, and period $p$, then the real-valued quantifiers can be restricted to range over rationals whose numerator and
denominator are at most
$$g(n, m) = 2^{2^n - 1} m^{2^n} = 2^{2^{O(n + \log\log m)}}$$
and the integer quantifiers can be restricted to range over numbers whose absolute value is at most
$$p(n'+1)\, h(n', m) + p(n'+1) = p(n'+1)\, 3^{n'} (m+1) = 2^{O(n' + \log m + \log p)}.$$
Thus the truth of $\varphi$ can be established by an alternating Turing machine using space exponential in $n + n'$ and polynomial in
the size of the quantifier-free part of $\varphi$. This concludes the proof of Proposition 2.
B. Proof of Lemma 3
In this section we prove Lemma 3 from Subsection III-B.
Recall that DBMs have entries in V “ ptă,ďuˆRq Y tpă,8qu. In this section we denote the order ďV simply by ď (and
the corresponding strict order by ă). Recall that a DBM is atomic if all but at most one entry is the trivial constraint pă,8q.
Recall also that DBM M is consistent if pď, 0q ďMi,i for all 0 ď i ď n. Write Z8 for ZY t8u.
1) Tightness: In order to prove Lemma 3, we first introduce the concept of tightness for DBMs and prove that, for a clock
valuation ν P r0, 1sn, every DBM in closurepMνq is tight.
Let M be a DBM of dimension pn` 1q ˆ pn` 1q. We say that M is tight if Mi,j “Mi,n`Mn,j for every pair of indices
i, j with mi,j R Z8.
Proposition 16. If M is tight, then
ÝÑ
M is tight.
Proof. Write M 1 “
ÝÑ
M and assume that m1i,j R Z8 for some 0 ď i, j ď n. We show that M
1
i,j “M
1
i,n `M
1
n,j . Indeed, since
m1i,j R Z8 we have j ‰ 0 and thus
M 1i,j “ Mi,j
“ Mi,n `Mn,j (M is tight)
“ M 1i,n `M
1
n,j (since n, j ‰ 0).
Proposition 17. Suppose that $M$ is tight and $M'$ is atomic. Then $M'' = M \cap M'$ is tight.
Proof. Suppose that $m''_{i,j} \notin \mathbb{Z}_\infty$. We show that $M''_{i,j} = M''_{i,n} + M''_{n,j}$. There are two main cases. First suppose that $M''_{i,j} = M_{i,j}$. Then
$$\begin{aligned}
M''_{i,j} &\le M''_{i,n} + M''_{n,j} && (M'' \text{ canonical}) \\
&\le M_{i,n} + M_{n,j} && (M'' \le M \text{ pointwise}) \\
&= M_{i,j} && (m_{i,j} \notin \mathbb{Z}_\infty,\ M \text{ tight}).
\end{aligned}$$
Since we assume that $M''_{i,j} = M_{i,j}$, all the inequalities above are tight and we conclude that $M''_{i,j} = M''_{i,n} + M''_{n,j}$.
The second case is that $M''_{i,j} < M_{i,j}$. Then by definition of $M''$ we have $M''_{i,j} = M_{i,p} + M'_{p,q} + M_{q,j}$. Since $m''_{i,j} \notin \mathbb{Z}_\infty$, we must have either $m_{i,p} \notin \mathbb{Z}_\infty$ or $m_{q,j} \notin \mathbb{Z}_\infty$. We will handle the first of these two subcases; the second follows by symmetric reasoning.
If $m_{i,p} \notin \mathbb{Z}_\infty$ then
$$\begin{aligned}
M''_{i,j} &= M_{i,p} + M'_{p,q} + M_{q,j} && (\text{definition of } M'') \\
&= M_{i,n} + M_{n,p} + M'_{p,q} + M_{q,j} && (m_{i,p} \notin \mathbb{Z}_\infty,\ M \text{ tight}) \\
&\ge M''_{i,n} + M''_{n,p} + M''_{p,q} + M''_{q,j} && (M'' \le M, M' \text{ pointwise}) \\
&\ge M''_{i,n} + M''_{n,j} && (M'' \text{ canonical}).
\end{aligned}$$
But $M''_{i,j} \le M''_{i,n} + M''_{n,j}$ by canonicity of $M''$. Hence $M''_{i,j} = M''_{i,n} + M''_{n,j}$.
Proposition 18. Suppose that $M$ is tight.
1) If $\ell \ne n$ then $M[x_\ell \leftarrow 0]$ is tight.
2) $(M \cap (x_n = 1))[x_n \leftarrow 0]$ is tight.
Proof. 1) Write $M' = M[x_\ell \leftarrow 0]$, where $\ell \ne n$, and assume that $m'_{i,j} \notin \mathbb{Z}_\infty$. We show that $M'_{i,j} = M'_{i,n} + M'_{n,j}$. Indeed we have
$$\begin{aligned}
M'_{i,j} &= M_{i_\ell, j_\ell} && (\text{definition of } M') \\
&= M_{i_\ell, n} + M_{n, j_\ell} && (M \text{ is tight},\ m_{i_\ell, j_\ell} = m'_{i,j} \notin \mathbb{Z}_\infty) \\
&= M_{i_\ell, n_\ell} + M_{n_\ell, j_\ell} && (n_\ell = n) \\
&= M'_{i,n} + M'_{n,j} && (\text{definition of } M').
\end{aligned}$$
2) Write $M' = M \cap (x_n = 1)$. We know from Proposition 17 that $M'$ is tight. Moreover we have $M'_{n,0} = (\le, 1)$ and $M'_{0,n} = (\le, -1)$. Now write $M'' = M'[x_n \leftarrow 0]$ and assume that $m''_{i,j} \notin \mathbb{Z}_\infty$. We show that $M''_{i,j} = M''_{i,n} + M''_{n,j}$. The equality is trivial if $i = n$ or $j = n$, so we may suppose that $i, j \ne n$. Then we have
$$\begin{aligned}
M''_{i,j} &= M'_{i,j} && (\text{definition of } M'' \text{ and } i, j \ne n) \\
&= M'_{i,n} + M'_{n,j} && (M' \text{ is tight},\ m'_{i,j} \notin \mathbb{Z}_\infty) \\
&= M'_{i,n} + M'_{n,0} + M'_{0,n} + M'_{n,j} && (M'_{n,0} = (\le,1) \text{ and } M'_{0,n} = (\le,-1)) \\
&= M'_{i,0} + M'_{0,j} && (M \text{ tight}) \\
&= M''_{i,n} + M''_{n,j} && (\text{definition of } M'').
\end{aligned}$$
Proposition 19. Let $\nu \in [0,1]^n$ be a valuation. Then every DBM $M \in \mathrm{closure}(M_\nu)$ is tight.
Proof. $M_\nu$ is obviously tight. Then by induction, using Propositions 16, 17, and 18, every DBM in $\mathrm{closure}(M_\nu)$ is tight.
2) DBM Operators Preserve Well-Supportedness:
Proof of Lemma 3. Assume that $\nu \in [0,1]^n$ is a clock valuation. We prove that all consistent DBMs $M \in \mathrm{closure}(M_\nu)$ are well-supported. To this end, define
$$\mathrm{Supp}_\nu = \{\, c + \nu_i - \nu_j \mid c \in \mathbb{Z},\ 0 \le i,j \le n \,\} \cup \{\infty\}.$$
It suffices to show that every consistent DBM in $\mathrm{closure}(M_\nu)$ has entries in $\mathrm{Supp}_\nu$. Indeed we have already noted that all consistent DBMs in $\mathrm{closure}(M_\nu)$ are 1-bounded; but an entry of $\mathrm{Supp}_\nu$ lies in the interval $[-1,1]$ only if it has the form $c + \nu_i - \nu_j$ for $c \in \{-1, 0, 1\}$ and $0 \le i,j \le n$.
We prove that every consistent DBM in $\mathrm{closure}(M_\nu)$ has entries in $\mathrm{Supp}_\nu$ by induction on the sequence of operations producing such a DBM.
Base case. The DBM $M_\nu$ is obviously well-supported, since its $(i,j)$-th entry is $\nu_i - \nu_j \in \mathrm{Supp}_\nu$ for all $0 \le i,j \le n$.
Induction step. Let $M = (\prec_{i,j}, m_{i,j}) \in \mathrm{closure}(M_\nu)$ be a DBM and assume that each entry $m_{i,j}$ lies in $\mathrm{Supp}_\nu$. We prove that all entries of the DBMs $\overrightarrow{M} \cap \bigcap_{i=1}^{n} (x_i \le 1)$, $M[x_\ell \leftarrow 0]$, and $M \cap M'$, for $M'$ atomic, also lie in $\mathrm{Supp}_\nu$ provided that these DBMs are consistent.
It is clear that each entry of $M[x_\ell \leftarrow 0]$ lies in $\mathrm{Supp}_\nu$ since reset only permutes the entries of a DBM and introduces 0 as a new entry. Likewise it is clear that each entry of $\overrightarrow{M}$ also lies in $\mathrm{Supp}_\nu$. Thus to complete the inductive argument it suffices to show that for any DBM $M$ with entries in $\mathrm{Supp}_\nu$ and any atomic DBM $M'$, all entries of $M \cap M'$ are contained in $\mathrm{Supp}_\nu$ if $M \cap M'$ is consistent.
Let $M' = \{(\prec'_{i,j}, m'_{i,j})\}$ be an atomic DBM whose single non-trivial constraint is $M'_{p,q}$ for some indices $p, q$ (i.e., all other entries are $(<,\infty)$). Then $m'_{p,q} \in \mathbb{Z}$ by definition of atomic DBMs. Recall that the DBM $M'' = M \cap M'$ is given by
$$M''_{i,j} = \min\bigl(M_{i,j},\ M_{i,p} + M'_{p,q} + M_{q,j}\bigr)$$
for all indices $i, j$. Suppose $M'' = M \cap M'$ is consistent and recall by Proposition 19 that $M$ is tight.
Fix indices $0 \le i,j \le n$. We show that $m''_{i,j} \in \mathrm{Supp}_\nu$. If $M''_{i,j} = M_{i,j}$ then $m''_{i,j} \in \mathrm{Supp}_\nu$ by the induction hypothesis. So we may suppose that
$$M''_{i,j} = M_{i,p} + M'_{p,q} + M_{q,j} < M_{i,j} \qquad (6)$$
By the induction hypothesis, $m_{i,p}, m_{q,j} \in \mathrm{Supp}_\nu$. From (6) we must have $m_{i,p}, m_{q,j} < \infty$. We now consider three cases.
1) Suppose that $m_{i,p} \in \mathbb{Z}$. Then $m''_{i,j}$ has the form $d + m_{q,j}$ for some integer $d$, and hence $m''_{i,j} \in \mathrm{Supp}_\nu$ by the induction hypothesis.
2) Suppose that $m_{q,j} \in \mathbb{Z}$. Then $m''_{i,j}$ has the form $d + m_{i,p}$ for some integer $d$, and hence $m''_{i,j} \in \mathrm{Supp}_\nu$ by the induction hypothesis.
3) The final case is that $m_{i,p}, m_{q,j} \notin \mathbb{Z}_\infty$. Then
$$\begin{aligned}
M_{i,p} + M'_{p,q} + M_{q,j} &= M_{i,n} + M_{n,p} + M'_{p,q} + M_{q,n} + M_{n,j} && (M \text{ tight}) \\
&\ge M_{i,n} + M''_{n,p} + M''_{p,q} + M''_{q,n} + M_{n,j} && (M, M' \ge M'' \text{ pointwise}) \\
&\ge M_{i,n} + M''_{n,n} + M_{n,j} && (M'' \text{ canonical}) \\
&\ge M_{i,n} + M_{n,j} && (M'' \text{ consistent}) \\
&\ge M_{i,j} && (M \text{ canonical}).
\end{aligned}$$
But this contradicts (6) and so this case cannot hold.
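The operators and invariants used in this proof, as an added worked example that is not code from the paper: a small Python implementation of DBMs over $V$ with the future operator, the reset $M[x_\ell \leftarrow 0]$, the one-step intersection with an atomic DBM from the proof, and the wrapping $(M \cap (x_i = 1))[x_i \leftarrow 0]$, together with checkers for tightness and for well-supportedness. It then enumerates, breadth-first, the consistent DBMs reachable from $M_\nu$ for a constructed valuation $\nu = (1/5, 1/2)$ under delay-and-bound, resets, and intersections with atomic DBMs whose constant lies in $\{-1,0,1\}$ (my reading of the closure: larger constants never change a 1-bounded DBM, and smaller ones make it inconsistent), and verifies Propositions 16 to 19 and Lemma 3 on every member. Bounds are represented as pairs (constant, strict) with exact rationals; this representation and the function names are my own.

```python
"""Added example, not code from the paper: DBMs over V = ({<,≤} × R) ∪ {(<,∞)}
with the operators used in the proof of Lemma 3, plus checks for tightness and
well-supportedness over the consistent DBMs of closure(M_ν)."""
from collections import deque
from fractions import Fraction
from itertools import product
import math

INF = (math.inf, True)        # the trivial constraint (<, ∞); a bound is (constant, strict)
ZERO = (Fraction(0), False)   # the bound (≤, 0)


def leq(a, b):
    """Order on V: smaller constant first; for equal constants (<, c) precedes (≤, c)."""
    return a[0] < b[0] or (a[0] == b[0] and (a[1] or not b[1]))


def add(a, b):
    """(≺1, c1) + (≺2, c2) = (≺, c1 + c2), where ≺ is ≤ only if both are ≤."""
    return (a[0] + b[0], a[1] or b[1])


def bmin(a, b):
    return a if leq(a, b) else b


def point_dbm(nu):
    """M_ν for ν ∈ [0,1]^n (entries as Fractions or strings like '1/5'), with ν_0 = 0."""
    v = [Fraction(0)] + [Fraction(x) for x in nu]
    return tuple(tuple((v[i] - v[j], False) for j in range(len(v))) for i in range(len(v)))


def future(M):
    """→M: forget every upper bound x_i - x_0 (row i > 0, column 0); stays canonical."""
    rng = range(len(M))
    return tuple(tuple(INF if i > 0 and j == 0 else M[i][j] for j in rng) for i in rng)


def intersect_atomic(M, p, q, bound):
    """M ∩ M' for the atomic DBM M' whose single constraint is x_p - x_q ≺ c, using the
    one-step formula M''_ij = min(M_ij, M_ip + M'_pq + M_qj) from the proof above."""
    rng = range(len(M))
    return tuple(tuple(bmin(M[i][j], add(add(M[i][p], bound), M[q][j])) for j in rng)
                 for i in rng)


def reset(M, l):
    """M[x_l ← 0]: row and column l are replaced by row and column 0."""
    idx = lambda k: 0 if k == l else k
    rng = range(len(M))
    return tuple(tuple(M[idx(i)][idx(j)] for j in rng) for i in rng)


def future_bounded(M):
    """→M ∩ ⋂_{i=1..n} (x_i ≤ 1): the delay step of the closure."""
    M = future(M)
    for i in range(1, len(M)):
        M = intersect_atomic(M, i, 0, (Fraction(1), False))
    return M


def wrap(M, i):
    """(M ∩ (x_i = 1))[x_i ← 0]: the fractional part of x_i reaches 1 and wraps to 0."""
    M = intersect_atomic(M, i, 0, (Fraction(1), False))    # x_i ≤ 1
    M = intersect_atomic(M, 0, i, (Fraction(-1), False))   # x_i ≥ 1
    return reset(M, i)


def consistent(M):
    """(≤, 0) ≤ M_ii for every i (sufficient for canonical DBMs)."""
    return all(leq(ZERO, M[i][i]) for i in range(len(M)))


def in_Z_inf(bound):
    return bound[0] == math.inf or bound[0].denominator == 1


def is_tight(M):
    """M_ij = M_in + M_nj whenever the constant m_ij is neither an integer nor ∞."""
    n = len(M) - 1
    return all(in_Z_inf(M[i][j]) or M[i][j] == add(M[i][n], M[n][j])
               for i in range(n + 1) for j in range(n + 1))


def is_well_supported(M, nu):
    """Every finite constant of M equals c + ν_i - ν_j for some c in {-1, 0, 1}."""
    v = [Fraction(0)] + [Fraction(x) for x in nu]
    supp = {c + a - b for c in (-1, 0, 1) for a in v for b in v}
    return all(b[0] == math.inf or b[0] in supp for row in M for b in row)


def closure(nu):
    """Consistent DBMs reachable from M_ν under delay-and-bound, resets and atomic
    intersections with constants in {-1, 0, 1} (others never change a 1-bounded DBM)."""
    n = len(nu)
    atomics = [(p, q, (Fraction(c), strict)) for p, q in product(range(n + 1), repeat=2)
               if p != q for c in (-1, 0, 1) for strict in (True, False)]
    start = point_dbm(nu)
    seen, todo = {start}, deque([start])
    while todo:
        M = todo.popleft()
        succ = ([future_bounded(M)] + [reset(M, l) for l in range(1, n + 1)]
                + [intersect_atomic(M, p, q, b) for p, q, b in atomics])
        for M2 in succ:
            if consistent(M2) and M2 not in seen:
                seen.add(M2)
                todo.append(M2)
    return seen


def check_closure(nu):
    """(size, all tight, all well-supported) over the consistent part of closure(M_ν)."""
    cl = closure(nu)
    return len(cl), all(is_tight(M) for M in cl), all(is_well_supported(M, nu) for M in cl)


if __name__ == "__main__":
    NU = ("1/5", "1/2")   # constructed sample valuation ν ∈ [0,1]^2
    print("bound on x_1 after delay:", future_bounded(point_dbm(NU))[1][0])   # (7/10, ≤)
    print("closure size, all tight, all well-supported:", check_closure(NU))
```

After the delay step the upper bound on $x_1$ is $1 + \nu_1 - \nu_2 = 7/10$, which is the entry $c + \nu_i - \nu_j$ with $c = 1$ that Lemma 3 predicts; the breadth-first enumeration confirms tightness and well-supportedness for every consistent DBM reached from this $\nu$.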
C. Proof of Proposition 7 and Lemma 12
Let $\Sigma = \{a_1, \ldots, a_n\}$ be a finite alphabet. Define a function $\pi : \Sigma^* \to \mathbb{N}^n$ such that $\pi(w)_i$ is the number of occurrences of letter $a_i$ in $w$ for $i = 1, \ldots, n$. The image of a language $L \subseteq \Sigma^*$ under $\pi$ is called the Parikh image (or commutative image) of $L$. It is well known that the Parikh image of any regular language (indeed any context-free language) is definable in Presburger arithmetic. In particular, the Parikh image of the language of an NFA over a unary alphabet is a union of arithmetic progressions. Chrobak and Martinez [23], [24] show that the Parikh image of the language of an $n$-state NFA $A$ over a unary alphabet comprises $O(n^2)$ many arithmetic progressions which can be explicitly computed from $A$ in polynomial time.
Consider a monotonic counter machine $\mathcal{C} = (S, C, \Delta)$. Let $N$ be the maximum constant appearing in a transition guard. Define the set $R_N$ of regions to be $R_N = \{0, \ldots, N\} \cup \{\infty\}$. A counter valuation $\upsilon \in \mathbb{N}^n$ defines a tuple $\mathrm{Reg}(\upsilon) \in R_N^n$ by
$$\mathrm{Reg}(\upsilon)_i = \begin{cases} \upsilon_i & \text{if } \upsilon_i \le N \\ \infty & \text{otherwise} \end{cases}$$
Intuitively $\infty$ represents any counter value strictly greater than $N$. The satisfaction relation $\models$ between regions and guards is defined in the obvious way. Below we define a finite automaton $[\mathcal{C}]$ that simulates $\mathcal{C}$.
The alphabet of $[\mathcal{C}]$ is $\Sigma = \{\mathrm{inc}_1, \ldots, \mathrm{inc}_n\}$. Intuitively $[\mathcal{C}]$ performs an $\mathrm{inc}_i$-transition when simulating an increment on counter $c_i$. A state of $[\mathcal{C}]$ is a tuple $\langle s, R, \lambda \rangle$, where $s \in S$, $R \in R_N^n$ is a region of $\mathcal{C}$, and $\lambda \subseteq C$. With a configuration $\langle s, \upsilon \rangle$ in a run $\rho$ of $\mathcal{C}$ we associate a state $\langle s, \mathrm{Reg}(\upsilon), \lambda \rangle$ of $[\mathcal{C}]$. Intuitively, $\lambda$ represents the set of counters that will be reset along the suffix of the run $\rho$ starting from $\langle s, \upsilon \rangle$.
The transition relation of $[\mathcal{C}]$ is defined as follows:
• For each edge $\langle s, \varphi, \mathrm{reset}(c_i), s' \rangle \in \Delta$ we add a transition $\langle s, R, \lambda \rangle \xrightarrow{\varepsilon} \langle s', R', \lambda' \rangle$ if $R \models \varphi$, $R'_i = 0$, $R'_j = R_j$ for $j \ne i$, and $\lambda' \cup \{c_i\} = \lambda$.
• For each edge $\langle s, \varphi, \mathrm{nop}, s' \rangle \in \Delta$ we add a transition $\langle s, R, \lambda \rangle \xrightarrow{\varepsilon} \langle s', R, \lambda \rangle$ if $R \models \varphi$.
• For each edge $\langle s, \varphi, \mathrm{inc}(c_i), s' \rangle \in \Delta$ we add a transition $\langle s, R, \lambda \rangle \xrightarrow{\sigma} \langle s', R', \lambda \rangle$ if $R \models \varphi$, $R'_i = R_i + 1$, and $R'_j = R_j$ for $j \ne i$. The label $\sigma$ is $\mathrm{inc}_i$ if $c_i \notin \lambda$ and otherwise $\sigma$ is $\varepsilon$.
By construction of $[\mathcal{C}]$, there is a run of $\mathcal{C}$ from $\langle s, \upsilon \rangle$ to $\langle s', \upsilon' \rangle$ along which the collection of counters that are reset is $\lambda = \{c_1, \ldots, c_m\}$ only if there is a run of $[\mathcal{C}]$ from $\langle s, \mathrm{Reg}(\upsilon), \lambda \rangle$ to $\langle s', \mathrm{Reg}(\upsilon'), \emptyset \rangle$. If $w \in \Sigma^*$ is the word read along such a run then we have
$$\begin{aligned}
\upsilon'_i &= \pi(w)_i && i = 1, \ldots, m \\
\upsilon'_i - \upsilon_i &= \pi(w)_i && i = m+1, \ldots, n.
\end{aligned} \qquad (7)$$
Fix states $\langle s, R, \lambda \rangle$ and $\langle s', R', \emptyset \rangle$ of $[\mathcal{C}]$. Let $L_{\langle s, R, \lambda \rangle, \langle s', R', \emptyset \rangle}$ be the set of words $w$ on which $[\mathcal{C}]$ has a run from $\langle s, R, \lambda \rangle$ to $\langle s', R', \emptyset \rangle$. Then the Parikh image $\pi(L_{\langle s, R, \lambda \rangle, \langle s', R', \emptyset \rangle})$ is expressible by a formula $\psi(z_1, \ldots, z_n)$ of Presburger arithmetic.
Returning to the counter machine $\mathcal{C}$, we wish to express the reachability relation of $\mathcal{C}$ between two control states $s$ and $s'$. The idea is that for each initial counter valuation $\upsilon$ and each run of $\mathcal{C}$ from $\langle s, \upsilon \rangle$ to $s'$, we need to specify the total number of increments for each counter that is never reset along the run and the total number of increments since the last reset for all other counters. With this in mind, using Equation (7), the $\mathcal{L}_{\mathbb{Z}}$-formula
$$\varphi(\upsilon, \upsilon') \stackrel{\text{def}}{=} (\mathrm{Reg}(\upsilon) = R) \wedge \psi(\upsilon'_1, \ldots, \upsilon'_m,\ \upsilon'_{m+1} - \upsilon_{m+1}, \ldots, \upsilon'_n - \upsilon_n)$$
describes the subset of the reachability relation arising from the runs of $\mathcal{C}$ whose projection on $[\mathcal{C}]$ goes from state $\langle s, R, \lambda \rangle$ to $\langle s', R', \emptyset \rangle$, for $\lambda = \{c_1, \ldots, c_m\}$. The reachability relation of $\mathcal{C}$ can clearly be described as a finite disjunction of such formulas. This concludes the proof of Proposition 7.
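The construction of $[\mathcal{C}]$ and Equation (7), as an added worked example that is not the paper's code: a Python encoding of a constructed monotonic counter machine with two counters and $N = 1$, the explicit transition relation of $[\mathcal{C}]$ built from the three rules above, and a check of Equation (7) along a constructed run that resets $c_1$ once. The concrete run is projected onto $[\mathcal{C}]$ by taking $\lambda$ at each configuration to be the set of counters reset along the remaining suffix, exactly as the proof prescribes. The guard syntax, the tuple encoding of edges and the function names are my own assumptions.

```python
"""Added example, not code from the paper: the finite automaton [C] that simulates a
monotonic counter machine C (proof of Proposition 7), and a check of Equation (7)."""
from itertools import combinations, product
import math

INF = math.inf   # the region "strictly greater than N"
CMP = {'<': lambda a, b: a < b, '<=': lambda a, b: a <= b, '==': lambda a, b: a == b,
       '>=': lambda a, b: a >= b, '>': lambda a, b: a > b}

# A machine is (states, n, N, edges); an edge is (s, guard, op, s') where guard is a list
# of atoms (i, cmp, k) on counter c_i (1-based) and op is ('nop',), ('inc', i) or
# ('reset', i).  Constructed sample machine with two counters and N = 1:
MACHINE = ({'s0', 's1'}, 2, 1, [
    ('s0', [(1, '<=', 1)], ('inc', 1), 's0'),
    ('s0', [(1, '>', 1)], ('reset', 1), 's1'),
    ('s1', [], ('inc', 2), 's1'),
    ('s1', [], ('inc', 1), 's1'),
])


def holds(guard, vals):
    """Guard satisfaction over a valuation or a region tuple (∞ exceeds every k ≤ N)."""
    return all(CMP[c](vals[i - 1], k) for i, c, k in guard)


def region(vals, N):
    """Reg(υ): counter values above N collapse to ∞."""
    return tuple(v if v <= N else INF for v in vals)


def step(edge, vals):
    """Concrete semantics of one edge of C on a counter valuation."""
    s, guard, op, t = edge
    assert holds(guard, vals), "edge not enabled"
    vals = list(vals)
    if op[0] == 'inc':
        vals[op[1] - 1] += 1
    elif op[0] == 'reset':
        vals[op[1] - 1] = 0
    return tuple(vals)


def abstract_transitions(machine):
    """All transitions (⟨s,R,λ⟩, σ, ⟨s',R',λ'⟩) of [C]; σ is 'inc_i' or 'eps'."""
    states, n, N, edges = machine
    regions = list(product(list(range(N + 1)) + [INF], repeat=n))
    lambdas = [frozenset(l) for k in range(n + 1) for l in combinations(range(1, n + 1), k)]
    trans = set()
    for (s, guard, op, t), R, lam in product(edges, regions, lambdas):
        if not holds(guard, R):
            continue
        if op[0] == 'nop':
            trans.add(((s, R, lam), 'eps', (t, R, lam)))
        elif op[0] == 'inc':
            i, R2 = op[1], list(R)
            R2[i - 1] = R[i - 1] + 1 if R[i - 1] + 1 <= N else INF
            sigma = 'eps' if i in lam else f'inc_{i}'   # silent while c_i still awaits a reset
            trans.add(((s, R, lam), sigma, (t, tuple(R2), lam)))
        elif op[1] in lam:                               # reset(c_i) requires c_i ∈ λ
            i, R2 = op[1], list(R)
            R2[i - 1] = 0
            for lam2 in (lam, lam - {i}):                # the two λ' with λ' ∪ {c_i} = λ
                trans.add(((s, R, lam), 'eps', (t, tuple(R2), lam2)))
    return trans


def project_run(machine, s, vals, run):
    """Follow a concrete run of C (a list of edges from ⟨s,υ⟩) in [C], choosing λ as the
    set of counters reset along the remaining suffix. Returns the final configuration,
    the word read, and whether every step is a transition of [C]."""
    N, trans = machine[2], abstract_transitions(machine)
    suffix = [set() for _ in range(len(run) + 1)]
    for j in range(len(run) - 1, -1, -1):
        op = run[j][2]
        suffix[j] = suffix[j + 1] | ({op[1]} if op[0] == 'reset' else set())
    word, ok, cur = [], True, (s, tuple(vals))
    for j, edge in enumerate(run):
        nxt = (edge[3], step(edge, cur[1]))
        src = (cur[0], region(cur[1], N), frozenset(suffix[j]))
        dst = (nxt[0], region(nxt[1], N), frozenset(suffix[j + 1]))
        sigma = 'eps'
        if edge[2][0] == 'inc' and edge[2][1] not in suffix[j]:
            sigma = f'inc_{edge[2][1]}'
            word.append(edge[2][1])
        ok = ok and (src, sigma, dst) in trans
        cur = nxt
    return cur, word, ok


def parikh(word, n):
    """π(w): the number of inc_i letters for i = 1..n."""
    return tuple(word.count(i) for i in range(1, n + 1))


def equation_7_holds(machine, s, vals, run):
    """υ'_i = π(w)_i for counters reset on the run, υ'_i - υ_i = π(w)_i for the others."""
    n = machine[1]
    (t, vals2), word, ok = project_run(machine, s, vals, run)
    lam = {e[2][1] for e in run if e[2][0] == 'reset'}
    pw = parikh(word, n)
    return ok and all(pw[i - 1] == (vals2[i - 1] if i in lam else vals2[i - 1] - vals[i - 1])
                      for i in range(1, n + 1))


E = MACHINE[3]
RUN = [E[0], E[0], E[1], E[2], E[3], E[2]]   # constructed run: c_1 is reset once

if __name__ == "__main__":
    print(project_run(MACHINE, 's0', (0, 0), RUN))   # (('s1', (1, 2)), [2, 1, 2], True)
    print("Equation (7) holds:", equation_7_holds(MACHINE, 's0', (0, 0), RUN))
```

On the constructed run the two increments of $c_1$ before its reset are read as $\varepsilon$ (since $c_1 \in \lambda$ there), so $\pi(w)_1 = 1$ counts only the increment after the last reset and equals $\upsilon'_1$, while $\pi(w)_2 = 2 = \upsilon'_2 - \upsilon_2$.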
The following specialisation of Proposition 7 is used in the proof of Lemma 12.
Proposition 20. Let $\mathcal{C}$ be a monotonic counter machine with $n$ counters and with $N$ the maximum integer constant appearing in a transition guard. Given states $s, s'$ of $\mathcal{C}$ and $R, R' \in R_N^n$, the set
$$\{\, (u, u') \in \mathbb{N}^2 : \exists\, \langle s, \upsilon \rangle \to^* \langle s', \upsilon' \rangle \text{ s.t. } \mathrm{Reg}(\upsilon) = R,\ \mathrm{Reg}(\upsilon') = R',\ \upsilon_n = u,\ \upsilon'_n = u' \,\}$$
is definable by a quantifier-free formula of $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$ (involving only integer terms) that is computable in time polynomial in (the largest (absolute) constant of) $N$ and the number of states and counters of $\mathcal{C}$.
Proof. We start by defining an NFA $B$, over a singleton alphabet $\{\mathrm{inc}_n\}$. Automaton $B$ can be seen as a "sub-automaton" of the NFA $[\mathcal{C}]$ from the proof of Proposition 7. Specifically the states of $B$ are those states $\langle s'', R'', \lambda \rangle$ of $[\mathcal{C}]$ such that either $\lambda = C$ or $\lambda = C \setminus \{c_n\}$. (This last condition means that all increments of counters other than $c_n$ are represented in $B$ by $\varepsilon$-transitions.) For the fixed states and regions $s, R, s', R'$, as in the statement of the proposition, the initial states of $B$ are those of the form $\langle s, R, \lambda \rangle$, where $\lambda = C$ or $\lambda = C \setminus \{c_n\}$, and the accepting states those of the form $\langle s', R', C \setminus \{c_n\} \rangle$.
Then the Parikh image of the language of $B$ is equal to
$$\{\, (\upsilon_n, \upsilon'_n) \in \mathbb{N}^2 : \mathrm{Reg}(\upsilon) = R,\ \mathrm{Reg}(\upsilon') = R',\ \langle s, \upsilon \rangle (\to)^* \langle s', \upsilon' \rangle \,\}. \qquad (8)$$
We can now appeal to the above-mentioned result of Chrobak and Martinez [23], [24] to get that the set (8) is definable by a quantifier-free formula of Presburger arithmetic that is computable in time polynomial in the number of states of $B$, that is, polynomial in the largest (absolute) constant of $N$ and the number of states and counters of $\mathcal{C}$.
The proof of Lemma 12 is exactly the same as the proof of Theorem 10, except that we replace the use of Proposition 7 by Proposition 20, so as to obtain a quantifier-free formula in $\mathcal{L}^*_{\mathbb{R},\mathbb{Z}}$.
D. Proof of Proposition 8
We first give the "soundness" direction of the proof, that is, from runs of the counter machine $\mathcal{C}_{\langle \ell, \nu \rangle}$ to runs of $A$. Suppose that
$$\langle\langle \ell_0, M_0 \rangle, \upsilon^{(0)} \rangle \to \langle\langle \ell_1, M_1 \rangle, \upsilon^{(1)} \rangle \to \cdots \to \langle\langle \ell_k, M_k \rangle, \upsilon^{(k)} \rangle$$
is a run of $\mathcal{C}_{\langle \ell, \nu \rangle}$ with $\ell_0 = \ell$, $\upsilon^{(0)} = \lfloor \nu \rfloor$ and $\llbracket M_0 \rrbracket = \{\mathrm{frac}(\nu)\}$. Given any valuation $\nu^{(k)} \in \llbracket M_k \rrbracket$, we construct a sequence of valuations $\nu^{(0)}, \ldots, \nu^{(k-1)}$, with $\nu^{(j)} \in \llbracket M_j \rrbracket$ for $j = 0, \ldots, k-1$, such that
$$\langle \ell_0, \upsilon^{(0)} + \nu^{(0)} \rangle \Longrightarrow \langle \ell_1, \upsilon^{(1)} + \nu^{(1)} \rangle \Longrightarrow \cdots \Longrightarrow \langle \ell_k, \upsilon^{(k)} + \nu^{(k)} \rangle$$
is a run of $A$. Note that then we must have $\nu^{(0)} = \mathrm{frac}(\nu)$.
The construction of $\nu^{(j)}$ is by backward induction on $j$. The base step, valuation $\nu^{(k)}$, is given. The induction step divides into three cases according to the nature of the transition $\langle\langle \ell_{j-1}, M_{j-1} \rangle, \upsilon^{(j-1)} \rangle \to \langle\langle \ell_j, M_j \rangle, \upsilon^{(j)} \rangle$. (Recall the classification of transitions in the definition of $\mathcal{C}_{\langle \ell, \nu \rangle}$.)
• $\langle\langle \ell_{j-1}, M_{j-1} \rangle, \upsilon^{(j-1)} \rangle \to \langle\langle \ell_j, M_j \rangle, \upsilon^{(j)} \rangle$ is a delay transition. Then we have $M_j = \overrightarrow{M_{j-1}} \cap [0,1]^n$, $\ell_j = \ell_{j-1}$, and $\upsilon^{(j)} = \upsilon^{(j-1)}$. Thus we can pick $\nu^{(j-1)} \in \llbracket M_{j-1} \rrbracket$ such that $\nu^{(j)} = \nu^{(j-1)} + d$ for some $d \ge 0$. Thus there is a delay transition
$$\langle \ell_{j-1}, \upsilon^{(j-1)} + \nu^{(j-1)} \rangle \stackrel{d}{\Longrightarrow} \langle \ell_j, \upsilon^{(j)} + \nu^{(j)} \rangle$$
in $A$.
• $\langle\langle \ell_{j-1}, M_{j-1} \rangle, \upsilon^{(j-1)} \rangle \to \langle\langle \ell_j, M_j \rangle, \upsilon^{(j)} \rangle$ is a wrapping transition. Then we have $M_j = (M_{j-1} \cap (x_i = 1))[x_i \leftarrow 0]$ for some index $i$. Thus we can pick $\nu^{(j-1)} \in \llbracket M_{j-1} \cap (x_i = 1) \rrbracket$ such that $\nu^{(j)} = \nu^{(j-1)}[x_i \leftarrow 0]$. In this case we have
$$\langle \ell_{j-1}, \upsilon^{(j-1)} + \nu^{(j-1)} \rangle = \langle \ell_j, \upsilon^{(j)} + \nu^{(j)} \rangle.$$
• $\langle\langle \ell_{j-1}, M_{j-1} \rangle, \upsilon^{(j-1)} \rangle \to \langle\langle \ell_j, M_j \rangle, \upsilon^{(j)} \rangle$ is a discrete transition. Let the corresponding edge of $A$ be $\langle \ell_{j-1}, \varphi, \{x_i\}, \ell_j \rangle$. Then we have $M_j = (M_{j-1} \cap \varphi_{\mathrm{frac}})[x_i \leftarrow 0]$. Thus we may pick $\nu^{(j-1)} \in \llbracket M_{j-1} \cap \varphi_{\mathrm{frac}} \rrbracket$ such that $\nu^{(j-1)}[x_i \leftarrow 0] = \nu^{(j)}$. Since $\upsilon^{(j-1)} \models \varphi_{\mathrm{int}}$ we have that $\upsilon^{(j-1)} + \nu^{(j-1)} \models \varphi$. Thus there is a discrete transition
$$\langle \ell_{j-1}, \upsilon^{(j-1)} + \nu^{(j-1)} \rangle \stackrel{0}{\Longrightarrow} \langle \ell_j, \upsilon^{(j)} + \nu^{(j)} \rangle$$
in $A$.
We now give the "completeness" direction of the proof: from runs of the timed automaton $A$ to runs of the counter machine $\mathcal{C}_{\langle \ell, \nu \rangle}$.
Suppose that we have a run
$$\langle \ell_0, \nu^{(0)} \rangle \stackrel{d_1}{\Longrightarrow} \langle \ell_1, \nu^{(1)} \rangle \stackrel{d_2}{\Longrightarrow} \cdots \stackrel{d_k}{\Longrightarrow} \langle \ell_k, \nu^{(k)} \rangle$$
of $A$, where $\langle \ell_0, \nu^{(0)} \rangle = \langle \ell, \nu \rangle$. We can transform such a run, while keeping the same initial and final configurations, by decomposing each delay step into a sequence of shorter delays, so that for all $0 \le j \le k-1$ and all $x \in X$ the open interval $(\nu^{(j)}(x), \nu^{(j+1)}(x))$ contains no integer. In other words, we break a delay step at any point at which some clock crosses an integer boundary. We can now obtain a corresponding run of $\mathcal{C}_{\langle \ell, \nu \rangle}$ that starts from state $\langle\langle \ell_0, M_0 \rangle, \upsilon^{(0)} \rangle$, where $\llbracket M_0 \rrbracket = \{\mathrm{frac}(\nu)\}$ and $\upsilon^{(0)} = \lfloor \nu^{(0)} \rfloor$, and ends in state $\langle\langle \ell_k, M_k \rangle, \upsilon^{(k)} \rangle$ such that $\nu^{(k)} \in \upsilon^{(k)} + \llbracket M_k \rrbracket$.
We build such a run of $\mathcal{C}_{\langle \ell, \nu \rangle}$ by forward induction. In particular, we construct a sequence of intermediate states $\langle\langle \ell_i, M_i \rangle, \upsilon^{(i)} \rangle$, $0 \le i \le k$, such that $\nu^{(i)} \in \upsilon^{(i)} + \llbracket M_i \rrbracket$ for each such $i$. Each discrete transition of $A$ is simulated by a discrete transition of $\mathcal{C}_{\langle \ell, \nu \rangle}$. A delay transition of $A$ that ends with a set of clocks $\lambda \subseteq \{x_1, \ldots, x_n\}$ being integer valued is simulated by a delay transition of $\mathcal{C}_{\langle \ell, \nu \rangle}$, followed by wrapping transitions for all counters $c_i$ for which $x_i \in \lambda$.
Fig. 6 (reconstructed from the figure residue; the drawing itself is not reproduced). The states of the counter machine $\mathcal{C}_{\langle \ell_0, \tau_2 \rangle}$ shown in the figure are $\langle \ell_0, M'_0 \rangle$, $\langle \ell_0, M'_1 \rangle$, $\langle \ell_1, M'_2 \rangle$, $\langle \ell_1, M'_3 \rangle$, $\langle \ell_1, M'_4 \rangle$ and $\langle \ell_1, M'_5 \rangle$, with
$$M'_0 = \begin{pmatrix} (\le,0) & (\le,-r_1) & (\le,-r_2) \\ (\le,r_1) & (\le,0) & (\le,r_1-r_2) \\ (\le,r_2) & (\le,r_2-r_1) & (\le,0) \end{pmatrix}, \qquad
M'_1 = \begin{pmatrix} (\le,0) & (\le,-r_1) & (\le,-r_2) \\ (\le,r_1-r_2+1) & (\le,0) & (\le,r_1-r_2) \\ (\le,1) & (\le,r_2-r_1) & (\le,0) \end{pmatrix},$$
$$M'_2 = \begin{pmatrix} (\le,0) & (\le,0) & (\le,-r_2) \\ (\le,0) & (\le,0) & (\le,-r_2) \\ (\le,1) & (\le,1) & (\le,0) \end{pmatrix}, \qquad
M'_3 = \begin{pmatrix} (\le,0) & (<,0) & (\le,-r_2) \\ (\le,1-r_2) & (\le,0) & (\le,-r_2) \\ (\le,1) & (\le,1) & (\le,0) \end{pmatrix},$$
$$M'_4 = \begin{pmatrix} (\le,0) & (\le,0) & (\le,0) \\ (\le,1-r_2) & (\le,0) & (\le,1-r_2) \\ (\le,0) & (\le,0) & (\le,0) \end{pmatrix}, \qquad
M'_5 = \begin{pmatrix} (\le,0) & (\le,0) & (\le,0) \\ (\le,1) & (\le,0) & (\le,1-r_2) \\ (\le,1) & (\le,0) & (\le,0) \end{pmatrix}.$$
The transitions drawn between these states carry the labels nop, $\mathrm{reset}(c_1)$, $c_1 = 0$, nop, $\mathrm{inc}(c_2)$, nop and $\mathrm{inc}(c_1)$.
Fig. 6. The counter machine $\mathcal{C}_{\langle \ell, \tau_2 \rangle}$ constructed from the timed automaton in Figure 3, where $\tau_2$ is the type of the valuation $\nu$ with $\nu_1 = 0$ and $\nu_2 = 0.2$.
E. Proof of Theorem 10
Let $A = \langle L, X, E \rangle$ be a timed automaton with maximum clock constant $N$. We first transform $A$ so that all guards are conjunctions of atoms of the type appearing in Figure 4. This transformation may lead to an exponential blow-up in the number of edges. In any case, it can be accomplished in time at most $2^{\mathrm{poly}(n)} \cdot \mathrm{poly}(|L|)$.
Let $\tau$ be an $n$-type. Following Corollary 6 we have observed that $|\mathrm{closure}(M_\tau)| \le 2^{\mathrm{poly}(n)}$. It follows that for a location $\ell \in L$ and $n$-type $\tau$, the monotonic counter automaton $\mathcal{C}_{\langle \ell, \tau \rangle}$ can be computed in time at most $2^{\mathrm{poly}(n)} \cdot \mathrm{poly}(|L|)$.
Applying Proposition 7, we get that the formula $\chi^{\tau}_{\ell,\ell'}$ can be computed in time at most $2^{\mathrm{poly}(n)} \cdot \mathrm{poly}(|L|, N^n)$. Furthermore, given $\tau$, the formula $\alpha_\tau$ can be computed in time $\mathrm{poly}(n)$.
Finally, the number of disjuncts in (4), i.e., the number of different $n$-types when restricting to formulas $t \le t'$ for $t, t' \in \mathrm{DTR}(n)$, is bounded by $2^{\mathrm{poly}(n)}$.
Putting everything together, the formula $\varphi_{\ell,\ell'}$ can be computed in time at most $2^{\mathrm{poly}(n)} \cdot \mathrm{poly}(|L|, N^n)$, that is, exponential in the size of the original timed automaton $A$.
F. Symbolic Counter Machines
In this section we illustrate Figure 6 used in Example 7.
G. Proof of Theorem 11
In this section we continue the argument of Section V-B showing that model checking parametric timed reachability logic is NEXPTIME-hard.
It remains to explain how from a linear bounded automaton $B$ one can define a timed automaton $A$ whose configuration graph embeds the configuration graph of $B$. The construction is adapted from the PSPACE-hardness proof for reachability in timed automata [1]. We assume that $B$ uses a binary input alphabet and a fixed tape length of $k$. The main idea is as follows: $A$ uses $2k+1$ clocks: one clock $y_i$ and one clock $z_i$ for each tape cell $i$, and one extra clock $x$. The clocks $y_i$ and $z_i$ are used to encode the current tape content and the position of the pointer of $B$, respectively. The clock $x$ is an auxiliary clock that helps to encode this information correctly into the other clocks. Technically, $x$ is used to measure out cycles of two time units, i.e., $x$ is reset to 0 whenever it reaches 2. The construction is such that the values of $y_i$ and $z_i$ obey the following policy: whenever $x$ takes value 0, $y_i$ takes value 1 (0, respectively) if there is a 1 (0, respectively) in the $i$-th cell of the tape; and $z_i$ takes value 1 if the position of the pointer is the $i$-th cell, otherwise $z_i$ takes value 0. We can set these bits appropriately by resetting clocks $y_i$ and $z_i$ either when $x = 1$ or $x = 2$, and we can preserve the values of a clock $y_i$ or $z_i$ between successive cycles by resetting it when it reaches value 2; see below for more details. Using this idea, $A$ can be defined such that it only takes transitions at integer times and such that a configuration of $A$ after $2t$ time steps encodes a configuration of $B$ after $t$ computation steps for each $t \in \mathbb{N}$.
More formally, the set of locations of $A$ contains one copy location $q$ for each state $q$ of $B$, plus some additional auxiliary locations, one of which is an initial location $\ell_0$. In the initialization phase, we encode the initial configuration $(q_0, \sigma_1)\sigma_2 \ldots \sigma_k$ of $B$, where $q_0$ is the initial state of $B$, and $\sigma_i \in \{0,1\}$. For this, we define a transition from $\ell_0$ to $q_0$, with guard $x = 1$, resetting $x, z_2, \ldots, z_k$, and we further reset clock $y_i$ iff $\sigma_i = 0$. One can easily observe that if $A$ reaches $q_0$ with clock value $x = 0$, then $z_1 = 1$, and $y_i = 1$ iff the $i$-th cell contains a 1, while all other clocks have value 0. This correctly encodes the initial configuration of $B$. We now proceed with the simulation phase. From locations $q$ that correspond to states of $B$, we simulate the computation steps of $B$. Assume, for instance, that the transition relation of $B$ contains the tuple $(q, 0, q', 0, R)$, i.e., when reading letter 0 in state $q$, $B$ goes to state $q'$, leaves the symbol on the tape as it is, and moves the pointer one position to the right. According to the encoding described above, this means that if $A$ reaches $q$ with $x = 0$, we need to test whether $y_i = 0$ for the unique $1 \le i \le k$ such that $z_i = 1$, and whether $i < k$ (because we want to move the position of the pointer one cell to the right). If this is the case, $A$ should go to location $q'$ and the bit of $z_i$ should be reset to $z_{i+1}$. We thus define for every $1 \le i < k$ a transition as shown in the following, where the loops in the auxiliary location in the middle are defined for every $1 \le j \le k$.
$$q \xrightarrow{\ x = 1 \wedge y_i = 1 \wedge z_i = 2,\ \ z_{i+1} \leftarrow 0\ } \bullet \xrightarrow{\ x = 2 \wedge \bigwedge_{1 \le j \le k} (y_j < 2 \wedge z_j < 2),\ \ \{x, z_i\} \leftarrow 0\ } q'$$
where the auxiliary location $\bullet$ in the middle carries, for every $1 \le j \le k$, the self-loops $y_j = 2,\ y_j \leftarrow 0$ and $z_j = 2,\ z_j \leftarrow 0$.
Transitions of $B$ of other forms can be simulated in a similar way. We finally augment $A$ with a label function $L_B$ that assigns $p$ to a location $q$ iff $q$ is an accepting state of $B$.
This finishes the proof for NEXPTIME-hardness.
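The clock encoding of the reduction, as an added worked example that is not the paper's code: a Python simulation of one two-unit cycle of the gadget for a transition $(q, 0, q', 0, R)$. It encodes a tape and head position into the clocks at a moment when $x = 0$, lets one time unit elapse, fires the first transition (guard $x = 1 \wedge y_i = 1 \wedge z_i = 2$, reset of $z_{i+1}$), applies the self-loop resets to every $y_j, z_j$ that reaches 2, lets another unit elapse, fires the second transition (reset of $x$ and $z_i$), and decodes the clocks at the next $x = 0$. The float representation of clock values and the function names are my own choices; the gadget itself follows the guards and resets above.

```python
"""Added example, not code from the paper: the clock encoding of LBA configurations
from the proof of Theorem 11, run through one cycle of the gadget for (q, 0, q', 0, R)."""


def encode(tape, head):
    """Clocks at a moment when x = 0: y_i holds the bit of cell i, z_i = 1 iff the
    head is on cell i, and every other z_i is 0."""
    k = len(tape)
    clocks = {'x': 0.0}
    for i in range(1, k + 1):
        clocks[f'y{i}'] = float(tape[i - 1])
        clocks[f'z{i}'] = 1.0 if head == i else 0.0
    return clocks


def decode(clocks, k):
    """Inverse of encode at x = 0; fails if the encoding invariant is violated."""
    assert clocks['x'] == 0.0
    tape = tuple(int(clocks[f'y{i}']) for i in range(1, k + 1))
    heads = [i for i in range(1, k + 1) if clocks[f'z{i}'] == 1.0]
    assert len(heads) == 1
    return tape, heads[0]


def elapse(clocks, d):
    return {c: v + d for c, v in clocks.items()}


def loop_resets(clocks):
    """Self-loops of the auxiliary location: y_j = 2 → y_j := 0 and z_j = 2 → z_j := 0.
    They carry a bit across cycles by resetting a clock exactly when it hits 2."""
    return {c: (0.0 if c != 'x' and v == 2.0 else v) for c, v in clocks.items()}


def move_right_on_zero(clocks, k):
    """One cycle of the gadget for (q, 0, q', 0, R): returns the clocks at the next
    moment with x = 0, or None if the gadget is not enabled (the head cell holds 1,
    or the head already sits on the last cell k)."""
    c = elapse(clocks, 1.0)                        # now x = 1
    enabled = [i for i in range(1, k) if c[f'y{i}'] == 1.0 and c[f'z{i}'] == 2.0]
    if not enabled:
        return None
    i = enabled[0]
    c[f'z{i + 1}'] = 0.0                           # guard x=1 ∧ y_i=1 ∧ z_i=2, reset z_{i+1}
    c = loop_resets(c)                             # clocks that reached 2 at x = 1
    c = elapse(c, 1.0)                             # now x = 2
    c = loop_resets(c)                             # clocks that reached 2 at x = 2
    assert all(c[f'y{j}'] < 2.0 and c[f'z{j}'] < 2.0 for j in range(1, k + 1))
    c['x'], c[f'z{i}'] = 0.0, 0.0                  # guard x=2 ∧ ⋀(y_j<2 ∧ z_j<2), reset {x, z_i}
    return c


def simulate_step(tape, head):
    """Encode, run one gadget cycle, decode: the LBA step (q, 0, q', 0, R) if enabled."""
    out = move_right_on_zero(encode(tape, head), len(tape))
    return None if out is None else decode(out, len(tape))


if __name__ == "__main__":
    print(simulate_step((0, 1, 0), 1))   # ((0, 1, 0), 2): tape unchanged, head moved right
    print(simulate_step((1, 0), 1))      # None: the head reads a 1, gadget not enabled
```

The run shows the two roles of the self-loops: a cell bit $y_j = 1$ reaches 2 at $x = 1$ and is reset so that it is 1 again at the next $x = 0$, while a bit $y_j = 0$ reaches 2 only at $x = 2$ and is reset just before the second transition fires, so the tape content survives the cycle unchanged.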
